CTF之crpto练习三

DES弱加密之easy_BlockCipher

下载附件得到2个文件：

https://adworld.xctf.org.cn/media/task/attachments/5b8bcb28546b4423b481b13149abc99f.zip

分析题目，题目中给出了加密时的代码。

des-ofb.py:

from Crypto.Cipher import DES

f = open('key.txt', 'r')
key_hex = f.readline()[:-1] # discard newline
f.close()
KEY = key_hex.decode("hex")
IV = '13245678'
a = DES.new(KEY, DES.MODE_OFB, IV)

f = open('plaintext', 'r')
plaintext = f.read()
f.close()

ciphertext = a.encrypt(plaintext)
f = open('ciphertext', 'w')
f.write(ciphertext)
f.close()

可知加密时采用了DES算法，并且在OFB模式下对明文进行加密。

因此在已知 IV = ‘12345678’ 的情况下，只需要知道Key，即可对密文进行破解。

根据已知信息，仅有IV以及未知的Key，所以想到DES加密种存在弱密钥。在 DES 的计算中，56bit 的密钥最终会被处理为 16 个轮密钥，每一个轮密钥用于 16 轮计算中的一轮，DES 弱密钥会使这 16 个轮密钥完全一致，所以称为弱密钥。

其中四个弱密钥为：

0x0000000000000000
0xFFFFFFFFFFFFFFFF
0xE1E1E1E1F0F0F0F0
0x1E1E1E1E0F0F0F0F

利用四组若密钥尝试对密文进行破解。

from Crypto.Cipher import DES

f = open('ciphertext', 'r')
ciphertext = f.read()
f.close()
IV = '13245678'
KEY=b'\x00\x00\x00\x00\x00\x00\x00\x00'
a = DES.new(KEY, DES.MODE_OFB, IV)
plaintext = a.decrypt(ciphertext)
print plaintext

KEY=b'\x1E\x1E\x1E\x1E\x0F\x0F\x0F\x0F'
a = DES.new(KEY, DES.MODE_OFB, IV)
plaintext = a.decrypt(ciphertext)
print plaintext

KEY="\xE1\xE1\xE1\xE1\xF0\xF0\xF0\xF0"
a = DES.new(KEY, DES.MODE_OFB, IV)
plaintext = a.decrypt(ciphertext)
print plaintext

KEY="\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
a = DES.new(KEY, DES.MODE_OFB, IV)
plaintext = a.decrypt(ciphertext)
print plaintext

从得到的结果中得到明文为莎士比亚的一首诗。

或者脚本：

#coding:utf-8
from Crypto.Cipher import DES
import libnum
ct=open('ciphertext','rb').read()
KEY=libnum.n2s(0xe0e0e0e0f1f1f1f1)
IV='13245678'
a=DES.new(KEY,DES.MODE_OFB,IV)
print a.decrypt(ct)

下载附件，里面包含了4个文件，如下： 
https://adworld.xctf.org.cn/media/task/attachments/7a407f44a073442c91fd395b20594f01.zip
flag.enc
special_rsa.py
msg.enc
msg.txt  
N = 23927411014020695772934916764953661641310148480977056645255098192491740356525240675906285700516357578929940114553700976167969964364149615226568689224228028461686617293534115788779955597877965044570493457567420874741357186596425753667455266870402154552439899664446413632716747644854897551940777512522044907132864905644212655387223302410896871080751768224091760934209917984213585513510597619708797688705876805464880105797829380326559399723048092175492203894468752718008631464599810632513162129223356467602508095356584405555329096159917957389834381018137378015593755767450675441331998683799788355179363368220408879117131L

c1 = 14548997380897265239778884825381301109965518989661808090688952232381091726761464959572943383024428028270717629953894592890859128818839328499002950828491521254480795364789013196240119403187073307558598496713832435709741997056117831860370227155633169019665564392649528306986826960829410120348913586592199732730933259880469229724149887380005627321752843489564984358708013300524640545437703771424168108213045567568595093421366224818609501318783680497763353618110184078118456368631056649526433730408976988014678391205055298782061128568056163894010397245301425676232126267874656710256838457728944370612289985071385621160886
c2 = 12793942795110038319724531875568693507469327176085954164034728727511164833335101755153514030256152878364664079056565385331901196541015393609751624971554016671160730478932343949538202167508319292084519621768851878526657022981883304260886841513342396524869530063372782511380879783246034751883691295368172069170967975561364277514063320691930900258017293871754252209727301719207692321798229276732198521711602080244950295889575423383308099786298184477668302842952215665734671829249323604032320696267130330613134368640401070775927197554082071807605399448960911234829590548855031180158567578928333030631307816223152118126597

m1 = 8246074182642091125578311828374843698994233243811347691229334829218700728624047916518503687366611595562099039411430662968666847086659721231623198995017758424796091810259884653332576136128144958751327844746991264667007359518181363522934430676655236880489550093852524801304612322373542296281962196795304499711006801211783005857297362930338978872451934860435597545642219213551685973208209873623909629278321181485010964460652298690058747090298312365230671723790850998541956664376820820570709272500330966205578898690396706695024001970727864091436518202414166919020415892764617055978488996164642229582717493375419993187360
m2 = 15575051453858521753108462063723750986386093067763948316612157946190835527332641201837062951012227815568418309166473080588354562426066694924364886916408150576082667797274000661726279871971377438362829402529682825471299861814829463510659258586020732228351258291527965822977048954720558973840956731377322516168809373640494227129998871167089589689796024458501705704779109152762373660542684880052489213039920383757930855300338529058000330103359636123251274293258

r1 = 12900676191620430360427117641859547516838813596331616166760756921115466932766990479475373384324634210232168544745677888398849094363202992662466063289599443
r2 = 7718975159402389617924543100113967512280131630286624078102368166185443466262861344357647019797762407935675150925250503475336639811981984126529557679881059

_, a, b = xgcd(r1, r2)
k = pow((c1/m1 % N), a, N) * pow((c2/m2 % N), b, N)
print (k)

175971776542095822590595405274258668271271366360140578776612582276966567082080372980811310146217399585938214712928761559525614866113821551467842221588432676885027725038849513527080849158072296957428701767142294778752742980766436072183367444762212399986777124093501619273513421803177347181063254421492621011961  

1.下载附件，发现有3个文件：

https://adworld.xctf.org.cn/media/task/attachments/5a456b6a66c04c02bf754d540e5b531d.zip

在挑战中，我们获得代码，公钥和结果。

加密相当简单：

R.<a> = GF(2^2049)

def encrypt(m):
    global n
    assert len(m) <= 256
    m_int = Integer(m.encode('hex'), 16)
    m_poly = P(R.fetch_int(m_int))
    c_poly = pow(m_poly, e, n)
    c_int = R(c_poly).integer_representation()
    c = format(c_int, '0256x').decode('hex')
    return c

看来n这是GF（2）上的PolynomialRing的多项式。加密基本上将消息更改为GF（2 ^ 2049）的元素，然后将其表示为环P的元素，然后将该消息的多项式表示形式提高为emod多项式的幂n。

所以，它真的可以归结为经典的RSA，与小搓那m和n现在是多项式，一切都在PolynomialRing在GF（2）calcualted。

我们发现了一篇很好的论文，描述了这个想法：www.diva-portal.se/smash/get/diva2:823505/FULLTEXT01.pdf（Izabela Beatrice Gafitoiu的理学学士学位论文）。

如果遵循此论点，我们会发现在这种情况下，d解密指数可以计算为emod的模乘逆s。特殊值s是等效的phi，从经典RSA，并且基本上是(2^p_d-1)(2^q_d-1)其中p_d和q_d正度多项式的p和q，使得p*q == n。

所以这个想法很简单：

1、因子多项式n成p和q 2、计算 s 3、计算 d 4、解密标志

def decrypt(m, d):
    m_int = Integer(m.encode('hex'), 16)
    m_poly = P(R.fetch_int(m_int))
    c_poly = pow(m_poly, d, n)
    c_int = R(c_poly).integer_representation()
    c = format(c_int, '0256x').decode('hex')
    return c

if __name__ == '__main__':
    p,q = n.factor()
    p,q = p[0],q[0]
    s = (2^p.degree()-1)*(2^q.degree()-1)
    d = inverse_mod(e,s)
    with open('flag.enc', 'rb') as f:
        ctext = f.read()
        print(decrypt(ctext,d))

最终得到flag:flag{P1ea5e_k33p_N_as_A_inTegeR~~~~~~}

AES解密之in-plain-sight

题目描述：这次的挑战并不难：你只需要对隐藏的密文进行解密。为了让解密更加简单，我会给你除了HiddenCiphertext以外你需要的所有东西，你要做的就是自己将密文找出来！ 你需要： 算法：AES-256-CBC 密钥：c086e08ad8ee0ebe7c2320099cfec9eea9a346a108570a4f6494cfe7c2a30ee1 IV：0a0e176722a95a623f47fa17f02cc16a

通过网站，https://morsecode.world/international/decoder/audio-decoder-adaptive.html（音频解密器）得到C1和C2的值

C1:4314251881242803343641258350847424240197348270934376293792054938860756265727535163218661012756264314717591117355736219880127534927494986120542485721347351

C2:485162209351525800948941613977942416744737316759516157292410960531475083863663017229882430859161458909478412418639172249660818299099618143918080867132349

利用openssl对两个公钥进行解密，得到n1n2和e1e2：

import gmpy2
import libnum

n1 = gmpy2.mpz(10285341668836655607404515118077620322010982612318568968318582049362470680277495816958090140659605052252686941748392508264340665515203620965012407552377979)
n2 = gmpy2.mpz(8559553750267902714590519131072264773684562647813990967245740601834411107597211544789303614222336972768348959206728010238189976768204432286391096419456339)
e1 = 41221
e2 = 41221
p = gmpy2.gcd(n1,n2)
q1 = n1 / p
q2 = n2 / p
c1 = 4314251881242803343641258350847424240197348270934376293792054938860756265727535163218661012756264314717591117355736219880127534927494986120542485721347351
c2 = 485162209351525800948941613977942416744737316759516157292410960531475083863663017229882430859161458909478412418639172249660818299099618143918080867132349
phin1 = (p - 1)*(q1 - 1)
phin2 = (p - 1)*(q2 - 1)
d1 = gmpy2.invert(e1,phin1)
d2 = gmpy2.invert(e2,phin2)

print(libnum.n2s(pow(c1,d1,n1))+libnum.n2s(pow(c2,d2,n2)))
最终得到flag:
UNCTF{ac01dff95336aa470e3b55d3fe43e9f6}


题目描述：安全分析人员截获间谍发出的秘密邮件，该邮件只有一个mp3文件，安全人员怀疑间谍通过某种private的方式将信息传递出去，尝试分析该文件，获取藏在文件中的数据。 flag形式为 flag{}

题目附件连接：
https://adworld.xctf.org.cn/media/task/attachments/206c0533300340b19c3a18d82d806a98.mp3
解题步骤：
题目提示文件使用了private加密信息，在010Editor中打开mp3文件，发现存在private bit，因此，只需要提取每一个mf组中的该字节，组合起来，就是答案。可以从图中看到 ms 开始位为1 C1B8H，即第115128字节，如图所示：，如图所示：
uint32 frame_sync : 12
    uint32 mpeg_id : 1
    uint32 layer_id : 2
    uint32 protection_bit : 1
    uint32 bitrate_index : 4
    uint32 frequency_index : 2
    uint32 padding_bit : 1
    uint32 private_bit : 1
    uint32 channel_mode : 2
    uint32 mode_extension : 2
    uint32 copyright : 1
    uint32 original : 1
    uint32 emphasis : 2
12+1+2+1+4+2+1+1+2+2+1+1+2=32，即总共4字节，private_bit 为24，所在的字节为第3个字节因此要从前一个，即第二个字节开始提取内容，该字节对应的地址为 115130观察每一个mf组，大小都为414h，即1044字节，因此可以得到以下脚本：
# coding:utf-8
import re
import binascii
n = 115130
result = ''
fina = ''
file = open('flag-woody.mp3','rb')
while n < 2222222 :
    file.seek(n,0)
    n += 1044
    file_read_result = file.read(1)
    read_content = bin(ord(file_read_result))[-1]
    result = result + read_content
textArr = re.findall('.{'+str(8)+'}', result)
textArr.append(result[(len(textArr)*8):])
for i in textArr:
    fina = fina + hex(int(i,2))[2:].strip('\n')
fina = fina#.decode('hex')
print (fina)
将得到的字符串
464c41477b707231763474335f6269377d25a1cedc3e69888894dac4dd3a87c5e1c5276fa6d626832148d39288a0c596c95abaac3f09f9f524647595ae4894f9b82b3f4c1b47537c365d8d69d84a353c1a93ae436761d430e666e4111752d479746d1828f9c07c27ab1c3eaf1948f8a9e839b280a4342f321e89eb73b237a2b55d5310b77811c0975cfc1365e146f6c9212e244751398f73c17ee1a6664b4fd712d4b0a297275fa471fb65e440bc7bdc12fb0a39d81a1d374f2d55b8faabf9bf2c342f1046fbab7e66ac7896ffac672d277b89f8606759a8ac21a58fbb4b9b51d45f126a7f67c1a297e1fcb638356ec739b89555568816
转换对应的ASCII码，得到Flag：
最终 flag:
flag{pr1v4t3_bi7}