MoeCTF2022 Crypto

MiniMiniPack

from gmpy2 import *
from Crypto.Util.number import *
import random
from FLAG import flag

def gen_key(size):
    s = 1000
    key = []
    for _ in range(size):
        a = random.randint(s + 1, 2 * s)
        assert a > sum(key) # 超递增
        key.append(a)
        s += a
    return key


m = bytes_to_long(flag)
L = len(bin(m)[2:])
key = gen_key(L)
c = 0

for i in range(L):
    c += key[i]**(m&1)
    m >>= 1

print(key)
print(c)

题目很明确的说明超递增序列了 直接判断 解就完了

key = [...]
c = ...
flag = ''
for i in range(len(key)-1,-1,-1):
    x = key[i]
    if c>=x:
        c-=x
        flag = '1'+flag
    else:
        c-=1
        flag = '0'+flag
from libnum import *
print(n2s(int(flag,2)))
print(n2s(int(flag[::-1],2)))
# b'moectf{Co#gRa7u1at1o^s_yOu_c6n_d3c0de_1t}'

ez_cbc

from Crypto.Util.number import *
import random
from secret import flag

IV = bytes_to_long(b'cbc!') 
K = random.randrange(1,1<<30)

assert flag[:7] == b'moectf{'
assert flag[-1:] == b'}'

block_length = 4
flag = flag + ((block_length - len(flag) % block_length) % block_length) * b'\x00'
plain_block = [flag[block_length * i: block_length * (i + 1)] for i in range(len(flag) // block_length)]

c = []
c0 = (IV ^ bytes_to_long(plain_block[0])) ^ K
c.append(c0)

for i in range(len(plain_block)-1):
    c.append(c[i] ^ bytes_to_long(plain_block[i+1]) ^ K)

print(c)

'''
[748044282, 2053864743, 734492413, 675117672, 1691099828, 1729574447, 1691102180, 657669994, 1741780405, 842228028, 1909206003, 1797919307]
'''

注意到block_len=4 而flag前4位已知 所以可以恢复K
接下来就前后xor一下可以还原

from Crypto.Util.number import *

IV = bytes_to_long(b'cbc!') 
c = [748044282, 2053864743, 734492413, 675117672, 1691099828, 1729574447, 1691102180, 657669994, 1741780405, 842228028, 1909206003, 1797919307]
flag = b'moectf{'

block_length = 4
flag = flag + ((block_length - len(flag) % block_length) % block_length) * b'\x00'
plain_block = [flag[block_length * i: block_length * (i + 1)] for i in range(len(flag) // block_length)]

K = c[0]^IV^bytes_to_long(plain_block[0])
print(K)
ans = b''
for i in range(len(c)-1):
    ans += long_to_bytes(c[i]^c[i+1]^K)
print(ans)
# b'tf{es72b!a5-njad!@-#!@$sad-6bysgwy-1adsw8}\x00\x00'

Signin

from Crypto.Util.number import *
from secret import flag
m=bytes_to_long(flag)
p=getPrime(512)
q=getPrime(512)
print('p=',p)
print('q=',q)
n=p*q
e=65537
c=pow(m,e,n)
print('c=',c)
#p= 12408795636519868275579286477747181009018504169827579387457997229774738126230652970860811085539129972962189443268046963335610845404214331426857155412988073
#q= 12190036856294802286447270376342375357864587534233715766210874702670724440751066267168907565322961270655972226761426182258587581206888580394726683112820379
#c= 68960610962019321576894097705679955071402844421318149418040507036722717269530195000135979777852568744281930839319120003106023209276898286482202725287026853925179071583797231099755287410760748104635674307266042492611618076506037004587354018148812584502385622631122387857218023049204722123597067641896169655595

gcd(e,phi)=65537 这种有两种方法:

• 转到modp,modq (默认flag不太大)
• AMM开根

不知道为什么AMM没开出来 用第一种

from gmpy2 import gcd
from libnum import *
from primefac import *


p= 12408795636519868275579286477747181009018504169827579387457997229774738126230652970860811085539129972962189443268046963335610845404214331426857155412988073
q= 12190036856294802286447270376342375357864587534233715766210874702670724440751066267168907565322961270655972226761426182258587581206888580394726683112820379
c= 68960610962019321576894097705679955071402844421318149418040507036722717269530195000135979777852568744281930839319120003106023209276898286482202725287026853925179071583797231099755287410760748104635674307266042492611618076506037004587354018148812584502385622631122387857218023049204722123597067641896169655595
e = 65537
n = p*q
print(gcd(e,p-1),gcd(e,q-1))
d = modinv(e,p-1)
print(n2s(int(pow(c,d,p))))
# moectf{Oh~Now_Y0u_Kn0W_HoW_RsA_W0rkS!}

knapsack

直接套脚本
只是注意一下这里没有将flag转为二进制0/1 而是直接用ascii乘的 所以硬套有问题 但是输出规约后的格基可以很明显的发现

pubkey = []
nbit = len(pubKey)
# open the encoded message
encoded = '28856686525748125802152914172483571798453880654624111179873716369801238646447969551927508246737816822527579725991046201801262381722186539084044859241033407568422008911415092147086235301286167536726137372507078079415577358704181165698320539751269992479349480281465975374187246799267369957964807679383646749609694064517591097971225234359495013928292239934008888234863117359059334395043146949808360202225171337210959511092044766'
print ("start")
# create a large matrix of 0's (dimensions are public key length +1)
A = Matrix(ZZ, nbit + 1, nbit + 1)
# fill in the identity matrix
for i in range(nbit):
    A[i, i] = 1
# replace the bottom row with your public key
for i in range(nbit):
    A[i, nbit] = pubKey[i]
# last element is the encoded message
A[nbit, nbit] = -int(encoded)

res = A.LLL()
print(res[0])
for i in range(0, nbit + 1):
    # print solution
    M = res.row(i).list()
    flag = True
    for m in M:
        if m != 0 and m != 1:
            flag = False
            break
    if flag:
        print (i, M)
        M = ''.join(str(j) for j in M)
        # remove the last bit
        M = M[:-1]
        M = hex(int(M, 2))[2:-1]
        print (M)

flag = [78, 83, 83, 67, 84, 70, 123, 99, 97, 97, 56, 54, 99, 49, 48, 45, 56, 56, 102, 55, 45, 52, 100, 101, 102, 45, 98, 55, 48, 49, 45, 99, 51, 99, 54, 56, 101, 50, 102, 54, 49, 54, 52, 125, 0]
print(''.join(chr(x)for x in flag))

smooth

from Crypto.Util.number import sieve_base,isPrime,getPrime
import random
from secret import flag

def get_vulnerable_prime(): # 光滑数
    p=2
    while True:
        for i in range(136):
            smallp=random.choice(sieve_base)
            p*=smallp
        if isPrime(p+1):
            return p+1

P=get_vulnerable_prime()
Q=getPrime(2048)
N=P*Q
e=0x10001

for i in range(1,P-1729):
    flag=flag*i%P

c=pow(flag,e,N)
print("c=",hex(c))
print("N=",hex(N))

'''
c= 0x3cc51d09c48948e2485820f6758fb10c7693c236acc527ad563ba8369c50a0bc3f650f39a871ee7ef127950ed916c5f4dc69894e11caf9d178cd7e8f9bf9af77e1c69384cc5444da64022b45636eeb5b7a221792880dd242be2bb99be3ed02c430c2b77d4912bec1619d664e066680910317c2bb0c87fafdf25f0a2400103278f557b8eca51d3b67d61098f1ab68da072bb2810596180afbc81a840cd24efef4d4113235160e725a5af4824dc716d758b3bc792f2458e979398e001b27e44d21682e2ef80ae94e21cd09a12e522ca2e569df72f012fa40341645445c6e68c6233a8a39e5b91eb14b1ccfa61c9bad25e8e3285a22da27cd506ddd63f207517a4e8ede00b104d8806ff4c0e3162c3de69169d7e584952655272b96d39d242bb83019c7eab1ceb0b4b287591e1e0a5b6378e70340a82d3430c5925d215f31fda6d9d0bccea240591b22a3d0f6b5bf4ddf1243d71aca0fd53045c352c8c5497ebcdbd7ac11083d63aba7c053604fda2430c317a4e04702b5ad539e110f101165b21dcd9fdb5ba7324acdba6a506244ce7c911197dfe067441fe7488d164c050f45ef6476aaf399cedde1793cceb8c21d88ec8ecf5e17df27586713d7dd9566ec5023cfef75422b73e2d5a932c661b3cfdf9c4bda12b64380d2be1aa957c3e1416e068937bafe79b8cf303296792388e9c197702e11e7ded6088ae992d352b23a4a27
N= 0xdc77f076092cbe81c44789ccfc1b2ca55eabae65f44cf34382799e8bbb42d4d6c032bd897c21df1da401929d82deb56264823a757f6cacf63e0037146026cbab32ab9e4abc783dcabaac2b7ccc439937be3ab0fbf149524ff29ef0fe6f27e45215d74b40597c70e8207159dc7f542c2a6828500016480053dfc2d8dbf8fcdf6700640184c8f3318f7aab2e17e116edf680592f5eae951159bb8c20cfbd0cbab8b4b95925b5068038d0377a55a4d346ebbf53a1c2943b7c17e1b9d4a1b77916da2e15140b05b96655906942a07d04b7e25fa7521b3b7ae26eda68375a8b8ef2d5b4704a28168b236de97f24a663f0d0a3aeab47767dfe75a21662f5f25ef7f7d4b25c90fd7bcdd7137c23f03b6ea4209f8fb9b4628355e6ad62e6467d26666d3d1b0e6f078c5f3866413a6fcd3c1dc2ff3a5ab286e339d5c72f4d2f0473a4faddcba6b031bb6ec226fd4b319834b5029f09ea0ffeb5b6ed182d5a13675571b6708c38299118043390343e2f79edebd2ae0e0a765a3aebf776f54ca983cdae8547547cfc8430f7222aefa77301d7cc7c03b1451b6603028b21fea869d35138a9c83919985a91b3fdfa934f25a442cc10349b0ed6f2ee3955d40249e8b3fb9f1955534ee06cee41a3ad2d6ff7dbdb0f01e47b9e4d04f65232f5579135ae035e8ba2d1fe6465a730dcc8b9ba3a558ab38f040ea510757d25e92f886c50c24ad967f1
'''

首先利用p-1光滑分解N 然后威尔逊求解原始flag

from libnum import *
from Crypto.Util.number import *
from primefac import *
from gmpy2 import *

c= 247919865318021236816543824112508609330037721750833286282742196998469240722960067279753595030501837090213207723535315566071300075224019751428220840655379721168218967765876422567445308433288640784380506865731600610844664082126014969594703943321684739970369062910447373385433273463771025749544868874364857740886231104642660449357361214123805594448220938783838846810205396685290795472602986247805614885431726718734074115977778392666953702177131899677541805470136367291335492319211844518562048885624275188484150304531414129256199638223451626380382590726717299805272645061058959151344044346830823325114347635303124079585771118897549014215635831461496427865527725984314454215084824799195902666017890251546113340604997387337267033702985082689756489485483884466836894078681988327570736563527551002502155721535243073405426861909050072042543788614648220702009710283495882865771856434684115235716829225548094758262227047147018619782569249121457929508156495153802531122277665993110064189665320728788771547383303757706989175639195759242259782311848793696092654705894717312440565233739658573287960603925813253705712262506080990684572911512172618335848944155481909042800065581602613553170724199031407991191567888665889828134075331392699640862886439
n= 899433060816731427942704257866303221883919943075011482730540487542298141049688747403394155891424984817721637261796322290176226293021163615394020748313287704925351127104543540527171720585852101847552418109218698224283517650904796624423791889310920745115538568493036905521731801701334387698665349013555004156460425949614507368513929122918207275324019164019140872285865669776807164595612153523403959086174282977979597134418614250308867915724091583207037130579480546960070830233323713630083498257555891865243784412939799736393339765165471839069949178185209844627880366832657587045566078602359768140397724951796918685954810361034854946350278789032280015291656197323195678588879611176849643485660527731763117393276077174612788370830514391126349518373263177721819098959415747014310642914994052481426526649746349072693522436372936682595370113958488478854998334540278818899857117443348584084049535307410497695797641157090999920223711713543888446393339441597594366529426635229500879583956083509277478412156698422658437380950061203062993059862799664252602490913513388540711100204971238723316893774082588574855875619371443610116478930704000900105595123789440080606712893908761497290616683388289154125877364596699576556781203346107657789690701809

# 首先利用p-1光滑来分解N 得到p
B = 2
a = 2
while True:
    a = pow(a,B,n)
    _gcd = gcd(a-1,n)
    if 1<_gcd<n:
        p = _gcd
        q = n//p
        print(f'p= {p}\nq= {q}')
        break

    B = B+1

p= 45130782138821231634664822924606644347274161463663927387578931639175223286413378324882645031302403289842551326638702711998962760517679897418281467484531163375644705075213662848721478455926415639437965574871053673938130437463383431907231224801316309790287364751279984404056565040242248326224648040650860211493169850992812996172453840449200075853777085801648416876006333273306936825124410389797307488083056497244608773881660250930270420195391832629035158125925203262309579280388854014294622011159984832956422300816768157089660974628522818677622546453173413252374696944407138466146678080076210538578674319834619518810099
q= 19929480903966971877741359978214832777067673186776101767607985415984872967131783702304729626331577711025830876686674170433788564223656884574965375895417512648538448454114165043668565344845361735967533803734325629433944151906019295203849389937041766109566748588937702389000280859653264841778232075227804461734481644568063879619171473653153879467534960561551793532641987408308262590477344407917566949561595540828562062207376467975716207562802834742657134267225310067273840884699549038482335638587159643505585791895934244621169372816478043004416985427985158346066496193091020702283948166437350554644511384320505926737291
e=0x10001

d = modinv(e,(p-1)*(q-1))
flag = pow(c,d,n)
# 再利用威尔逊定理
for i in range(1,1730):
    flag *= -i
	flag %= p
flag = (-flag)%p
print(n2s(int(flag)))
# moectf{Charming_primes!_But_Sm0oth_p-1_1s_vu1nerab1e!}