NeepuCTF Challenge Author's Diary

FunnyRsa

e = 3 is very small, so a low public exponent attack solves this directly.

n = 508480854372756755913791101745305762457517298159680989644747340327036977578527505318324958633232739687251409520866901608437945927574543155971443209922394847753303798988837755432365056098925797113097436966052676591464802061455795339989784949253878654243424430112737855583276666468348152646780267313723933052043652043457805179867064143032058107197027709609118240936819964179830722897401341043667501298533160902654255596452348828855631402136248161345374217307571507612687845128249648000080509946611349654016724007920186542131491886281036913471846314065665956824568534254734060468248256266109011728508043378818494008953002180704766570040343479609214117050941617109009620565019399761765253703071237034374358239723604390448411521487409469419576049566386525066685041905464761757345225778527338430347014422459954532168552493706796761693553297732745470452288495224654530482329002451540376107539184656257369225752541361996356642232449580990809290287044068126307915255465596308681516279323181254599943979030260297865604529605690218915679197797309258313924963034175283390070634287196300753230812822254122160704736109171545494720552113142650620106205647711854004731168393093254452512276389945341818288720153371447538338764655583233355044033698253
c1 = 1811190934126864017324358781557112607374925418749516169609783406151778537247582927245777048528376193187995730195136886128337489858508361912939739791856453029029472008503849636323475596821894021085406391087644300429282015652303512547583242875798709634440100351468653278854842376234162516591017755925768811542318681182791159664625408669418924102547889582147686273287037619637618739708338600060067635958832146122636281342410738805977631878905617340110767089538025585058506632889042141695774769826454213414615721715636679099281147824773004445559938086334729812819928608583224897377
c2 = 1811190934126215446529071930741680264692977139619905040341005151859262108274517137265678557572492828489893194367167654758053594788011553732879515384560058991329510784064663694630185446691719067568301787531371222824387708333506516529733748678922237489408939959514323606685743623252207828521187611779499933755917362989498814533543187953292778103169396201846967129948852571401049722315868171878019092456148722460556718133719135760731272749757567134824207749502257733682109147655913082871175866165600126790860696667477234801385030312215992287472679447108548071925392484907398967137
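import gmpy2

e = 3
i = 0
# m^e may have wrapped past n, so test c1 + i*n until it is a perfect cube
while True:
    root, exact = gmpy2.iroot(c1 + i * n, e)
    if exact:
        m = int(root)
        break
    i += 1

# to_bytes avoids the odd-length failure of unhexlify(hex(m)[2:])
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))
#Neepu{1nterest1ng_D0_y0u_kn0w?}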

Loss

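This challenge mainly tests implementing a brute-force search. The way the myhex function is written drops the leading 0 of any part that starts with 0 when converting to hexadecimal; checking the lengths of key and ct also shows that they are incomplete. We only need to brute-force all the possibilities to recover key and ct.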

from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from itertools import combinations
from tqdm import tqdm

def decrypt(ct, key):
    aes = Cipher(AES(key), modes.ECB())
    dec = aes.decryptor()
    pt = dec.update(ct)
    pt += dec.finalize()
    return pt


def add_zeros(ct, p):
    test_ct = list(ct)
    for i in p:
        test_ct.insert(i, '0')
    return ''.join(test_ct)


ct  = '98691cbec88e449e8bac58e91142269a7da5efa9e7c62848e7135f1150f02a'
key = '8ee2b28564433679d93b82873fe8a'

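# Number of dropped hex digits: ct is padded up to a multiple of 32 digits,
# key up to a multiple of 16 digits
missing_ct = -len(ct) % 32
missing_key = -len(key) % 16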

for mc in tqdm([*combinations(range(len(ct)), missing_ct)]):
    for mk in combinations(range(len(key)), missing_key):

        test_ct = bytes.fromhex(add_zeros(ct, mc))
        test_key = bytes.fromhex(add_zeros(key, mk))

        flag = decrypt(test_ct, test_key)

        if flag.startswith(b'Neepu{'):
            print('Found!', flag)
#Neepu{R41ders_0f_th3_l0st_byt3s}
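
The root cause and its fix, as an added example that is not part of the original writeup: `lossy_hex` is an assumed reconstruction of the challenge's `myhex` (`hex()` per byte without zero padding), `fixed_hex` is the corrected encoder, and `preimages` lists every byte string that the lossy encoder maps to a given output. It goes slightly beyond the solver above by choosing which bytes were shortened rather than which character positions receive a 0, which gives a smaller candidate set; the sample bytes are constructed.

```python
from itertools import combinations

def lossy_hex(data):
    # Assumed shape of the bug: hex() per byte, so 0x0a becomes "a", not "0a".
    return "".join(hex(b)[2:] for b in data)

def fixed_hex(data):
    # Fixed-width formatting keeps every byte at exactly two hex digits.
    return "".join(f"{b:02x}" for b in data)

def preimages(lossy, nbytes):
    """Return every nbytes-long byte string whose lossy_hex equals `lossy`."""
    missing = 2 * nbytes - len(lossy)      # one digit lost per byte < 0x10
    if not 0 <= missing <= nbytes:
        return []
    found = []
    for short in combinations(range(nbytes), missing):
        short = set(short)
        pos, vals = 0, []
        for i in range(nbytes):
            width = 1 if i in short else 2
            chunk = lossy[pos:pos + width]
            pos += width
            if width == 2 and chunk[0] == "0":
                break                      # a two-digit byte never starts with 0
            vals.append(int(chunk, 16))
        else:
            found.append(bytes(vals))
    return found

if __name__ == "__main__":
    sample = bytes.fromhex("0a1b00c30f")   # constructed sample input
    broken = lossy_hex(sample)
    print(broken, fixed_hex(sample))
    for cand in preimages(broken, len(sample)):
        print(cand.hex(), cand == sample)
```

Every candidate re-encodes to the same lossy string, so only an external check (here, the known flag prefix after decryption) can pick the right one.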

easymath

This challenge is mainly about finding the relationship between the numbers. After some computation we find

This lets us transform the formula to eliminate n and l

We can then treat m^f as a single unknown and solve the congruence for it. Observing that N-1 is smooth, discrete_log then recovers the flag.

N = 7389313481223384214994762619823300589978423075857540712007981373887018860174846208000957230283669342186460652521580595183523706412588695116906905718440770776239313669678685198683933547601793742596023475603667
m = 1391372358062724416224243990838035874507346098208831800403257
n = 3583006200974501742604527103814726194237416368238514877166633691321127310414088215607009332255751700661232767709290883038406749484575415867828156201338536386376279995491732514052716934519151026884616917483040
l = 359786222110993880715372696002813612045630045754565831162281874392294886391569010600976425535545860799388851419768061619942493351122730748490893471593987207207967996028533058621192187630928610989765004439777
c = 1895030805615627998889733471639619972225091175824712353587361803906002039112746104833908879918848049981737808710773335455541140252543329151696420250885361493998408542681830779056032193286985350503581777508964
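from Crypto.Util.number import *

# Solve the congruence for the unknown x = m^flag (mod N)
P.<x> = PolynomialRing(Zmod(N))
f = 110*x^3 - c*x^2 + 313*x + 114
f = f.monic()
print(f.roots())
# a is the value of m^flag mod N, taken from the roots printed above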
a=2275123956203765363233765961297507379124236980967603145079239177208264523438555378298177602517599708533004805369986246098127863480798528206818576888655427591685534478161571717613561380234338516607855593046949
G = Zmod(N)
m1 = G(m)
c1 = G(a)
# N-1 is smooth, so the discrete logarithm of a to base m is feasible
print(long_to_bytes(ZZ(discrete_log(c1, m1))))
#Neepu{Nsmoothnumber}

Loud&Loud2

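These two challenges are actually solved the same way; see the paper https://link.springer.com/content/pdf/10.1007/3-540-45539-6_4.pdf. They are a noisy_crt problem. Look at Loud first: 20 groups of data are given, and each group contains one flag value plus three inserted values. Originally it would be enough to take the flag part of each group and apply CRT, but the challenge shuffles them. Following the idea of CRT, we first multiply each c by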

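We know that taking the c values that correspond to the flag, summing them and reducing mod P gives the flag, so we obtain the following expression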

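Here N is the flag we want, r corresponds to c in the challenge, and L is the L I wrote above. δ has only two possible values, 0 and 1: δ is 0 for the three inserted values and 1 for the flag. With this expression we can construct a lattice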

B is mainly there to optimize the lattice; we just pick any number with the same bit length as N. Our target vector is

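from Crypto.Util.number import *
# p and S come from the challenge data (omitted here)
#p=
#S=
n = 20   # number of groups
m = 4    # values per group: one flag value plus three inserted values
B = 2**4096
P = 1
for i in range(n):
    P *= p[i]
# CRT coefficients: L[i] is 1 mod p[i] and 0 mod every other modulus
L = []
for i in range(n):
    t = inverse(P//p[i], p[i])
    L.append(t*(P//p[i]))
# Lattice basis: first row carries P, each later row carries one S[i][j]*L[i]
M = matrix(n*m+1)
M[0,0] = P
for i in range(n):
    for j in range(m):
        t = i*m + j
        M[t+1,t+1] = B
        M[t+1,0] = S[i][j] * L[i]
FLAG = M.LLL()
# Print the positive first coordinates that fit in the flag's bit length
for i in range(n*m+1):
    l = FLAG[i][0]
    if l.nbits() <= 4096 and l > 0:
        print(l, end=' ')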

Loud2 uses the same method, but we do not need all 256 groups; about 40 groups are enough to find the flag, so I will not paste the script again.
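
The selection relation the lattice encodes, as an added example that is not part of the original writeup: on a small constructed instance, exhaustive search over one pick per group stands in for LLL, which the challenge needs because 20 groups of 4 values give 4^20 selections. The moduli, the secret, the bound and all function names are assumptions of this example.

```python
import random
from itertools import product
from math import prod

PRIMES = [998244353, 1000000007, 1000000009, 2147483647]  # constructed moduli
SECRET = int.from_bytes(b"noisy", "big")   # constructed stand-in for the flag
BOUND = 2**40                              # known upper bound on the secret

def make_groups(secret, primes, decoys=3, seed=2023):
    """Each group holds the true residue plus random decoys, shuffled."""
    rng = random.Random(seed)
    groups = []
    for p in primes:
        group = [secret % p] + [rng.randrange(p) for _ in range(decoys)]
        rng.shuffle(group)
        groups.append(group)
    return groups

def crt_weights(primes):
    """L[i] = inverse(P//p_i, p_i) * (P//p_i), as in the script above."""
    P = prod(primes)
    return P, [pow(P // p, -1, p) * (P // p) for p in primes]

def recover(groups, primes, bound):
    """Try every one-pick-per-group selection; keep results below bound."""
    P, L = crt_weights(primes)
    hits = set()
    for pick in product(*groups):
        x = sum(r * w for r, w in zip(pick, L)) % P
        if x < bound:          # wrong picks land anywhere in [0, P)
            hits.add(x)
    return hits

if __name__ == "__main__":
    found = recover(make_groups(SECRET, PRIMES), PRIMES, BOUND)
    print([v.to_bytes(5, "big") for v in found])
```

The correct selection stands out only because the secret is far smaller than P; that size gap is what the short lattice vector exploits.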

posted @ 2023-05-22 09:35  Sone070805