2024CSICN&长城杯--Crypto--WriteUp
rasnd
task:
from Crypto.Util.number import getPrime, bytes_to_long
from random import randint
import os
FLAG = os.getenv("FLAG").encode()
flag1 = FLAG[:15]
flag2 = FLAG[15:]
def crypto1():
p = getPrime(1024)
q = getPrime(1024)
n = p * q
e = 0x10001
x1=randint(0,2**11)
y1=randint(0,2**114)
x2=randint(0,2**11)
y2=randint(0,2**514)
hint1=x1*p+y1*q-0x114
hint2=x2*p+y2*q-0x514
c = pow(bytes_to_long(flag1), e, n)
print(n)
print(c)
print(hint1)
print(hint2)
def crypto2():
p = getPrime(1024)
q = getPrime(1024)
n = p * q
e = 0x10001
hint = pow(514*p - 114*q, n - p - q, n)
c = pow(bytes_to_long(flag2),e,n)
print(n)
print(c)
print(hint)
print("==================================================================")
crypto1()
print("==================================================================")
crypto2()
print("==================================================================")
analysis:
\[\begin{flalign}
&part1\\
&hint1 = x_1p+y_1q-0x114\\
&hint2 = x_2p+y_2q-0x514\\
&爆破x_1,x_2,hint1-hint2=Yq\\
&q = gcd(hint1-hint2,n).RSA解密.\\
&part2\\
&hint≡(514p-114q)^{n-p-q}(mod\quad n)\\
&由欧拉定理a^{φ(n)}≡1(mod\quad n);同余式两边同时乘a^{-1}可得a^{φ(n)-1}≡a^{-1}(mod\quad n)\\
&这个形式同题目中给的一样,因此有514p-114q=hint^{-1}(mod\quad n)\\
&联立该方程与pq=n解出p,q进而进行RSA解密.
\end{flalign}
\]
exp:
# -*- coding: utf-8 -*-
# @Author : chen_xing
# @Time : 2024/12/15 下午2:45
# @File : rasnd.py
# @Software: PyCharm
"""
from pwn import *
io = remote('47.95.3.252',22658)
io.interactive()
==================================================================
19717389102395758382026398770090857605586438545611910540189061085612217979657902604501170953161853482958903567962918091906449829007954127627399401532302687971016600322896973063457287817834339424248336794677961215631535560196655531547015873374758230746471870651155102133819739854673052076496597150339255183583610262208970937544660188441914849875664389094362680908037678954451676125423375894001050193264462368361286424805979452737484948595108402173255328147028981988120269526655930569710185647200680788005857110338887799298469299267700941191348060136439553115765094944892120946084524993569032296746381329498303012896271
17381010405524594344424195048053602269107583402590195880784406136091889563634666718897953214750909510240664328592384774885922546489571732150550033224632608464198633116675540936435427564331466333640469116405173436182052179245058660937218729656330636435203053190859801491361523600986929283298391777114209976519123193645951886294963766466310692269107324954392722050664302835784935395121599135370266129274139008496136432820542614764017236399942510745745051985335677987371505758274825885505782168694092518974395903717476251850670285161375067232625884819448486248821296371524562316215885242840090698177354311935160724047271
509130915225963419346678794679094050902571595829040081324430365098862827841652202350090792633059236512224808415907517277387262320482667221565594632616645851153184017548588035587822852702736183251308911524634049539170291519923826928699526788040285972123688786767899838168683050663693076246873158868000847073942899234646913525186923508585315358
690946591436838752722450972967674428839488931837101646145481388838373595283074264457723103555423352721312062350291670841184407631375773482214269104437453875406396834889317393747642464720211847368007928428299324107718873689130666496363246364191737924487502766418458001451003808739046477760937181535066022075971205252656334062535039553887867804885747196247553557401067127781607533654872312619614935828938929628540383505514124011540507125693750311600073273106267551
==================================================================
17573515075395867546533774859206599052534826237056996003635450134576858585879591757541135521913856916497735238419297372074695571326844504032304530443984486771780364032478304822942135381253762868650498285912016496241948758158318513945683497424527747563826569176975761670083010981619558756372209004154011284332558901845826610150928780497321309692293381263110926514264444431945581160088488209473278832171449410958947080015912128428623589781088952636059980872172371256047117265766132701785431428216868544669722259946487605727189190824200067624177334638167710897314170373631159077505253847456348978394748479884579391569851
4133924642027183260034161896227533529350829744060482686533323465388711073087729722162634280031950663346521609684329684586686710332881665422962730750071593415464269909841501172118317103292141296037945459138826157588343926132010425306109255409747067123166973806029125637292278253680571132419400136369763859158543617461617802076177349585117260521893784981717024130706713300089329845640032775016169918244156546865527955162939232992093155010636364969171227237183496415815314898958546235810695025198970057715538126650243826369616148341812115074095076334129408859272238371675452297044897605880545296652903603696404329499964
17241609074075059424901382153172123437652683137892859278531119673049385037439615788606226599790833683350682195735343925170829494742340973615875925774931464752517535247119659577846775955502849356406877505081530250127552709479227730985271198208197525303086136509713021341965374729435989366323641373932632400817958889872395336030524042114476506410677344482015511504283503895126211846434076543291433685745538964253863543551181583268915140943110230242050345863047212142770568318171913025801651944725801470994562543481060266671121449918254568086708533974981742627009284655753247722408090381977535797370984880568401367232099
==================================================================
"""
from Crypto.Util.number import *
from sympy import symbols, Eq, solve
from time import *
# Given values
e = 65537
print("--------------------------------------------------part1--------------------------------------------------")
start_time = time()
n = 25057366131574345463066572518972007369987338855829081189333151669024689124750347311345742714505678495630147622065102082580742520850296847146408540410529212032106669610170610842145974051090620026489684102539218538533242769850582053841386242249528755363073469670711995035142647622794484233015615185105332623711286440733342619164382191277079384369027939408755958348401055383052671708110380686429894409755541077304504889899764635946170331459175144883308640852752114433152245751156539582571028315561658588974634424784510349113428759937755665908423121304926246192633365019907501566395631059356287266003741031747932010754571
c = 17518134380638481300867428909182900518140386727738342535088002331723082167258157121301632879808439987581098358975288261467125739686304588051630757980683370095794246718276911328164026724417850262099266274001612972263000312708816439427574713133880743110669658336709958074578029064236680195924253374848748510785239359679699204859281697274932099682342841607851735086849792451837592889568500213347482986121165901637591882042861152486947295247894187345833160096741479237600748884075522444595426918672877942857305297965836676403950179315936736430064029622511361139662102212617863614667657033061649387773034319714409486605375
hint1 = 311813585959519997042263111169599395062929793402167449494789318536236921287513319874973395292840069429854007738740392400920657513531703307456793215681176166907519812568245523628939657623957268634251232899608657128006921381662846368354860883997644011251464809313504451016527885096684518421932861093663000743896877456540810818605347809370401847
hint2 = 7002389781904232127456762751853552025339982978766759958767826303271425546040567402671687542676884587029775500919547181054462103552417922254729297407096354083583262580999816359541140068202627663444632595261265531303880206463523728030719914268684660423332112718501466058924246262004205638318045569712996961730039860490947897615008324479921676287335913423435351055759416432637487586320992565792119057790215374604001554213263646252152615167206094302478141788359082472
for i in range(2**11):
for j in range(2**11):
temp = (hint1 + 0x114) * i - (hint2 + 0x514) * j
if GCD(temp,n) != 1:
p = GCD(temp,n)
if n % p ==0:
q = n // p
phi = (p - 1) * (q - 1)
if GCD(e,phi) == 1:
d = inverse(e,phi)
flag1 = long_to_bytes(pow(c,d,n))
print("---------------------------------------------------end---------------------------------------------------")
print("--------------------------------------------------part2--------------------------------------------------")
n = 16551509466524208327380319266898393427657788079152243746564268364500979309598928370485374892391379852351474477590818515477119129906214302029175520742272637194451244962568941802942405656428416983314883300256705949997060893620792037793610191581475973474832823855240555059858686230168364860656942550346022818363897644902898835343894021535147915906552391814268130649810795651915732406009751439030800667375401597468645323278725484152007734156775034343400256507283893646182046940204108418797820878755067809163169275652775539471608608208355362360864221126561530314995486723518568370568942014210905761710621110059672594576371
c = 11092343229062694276909023896085831399906386648487678765968133377511880535786714132864021744270550031926133168725238398539184111045115500575670577245839070393728574336851723119630328602208247030090573438298394833683240139592021663314914493826584050042601314234235292401646971205728639427734126143811135765602566166304984061162019875663195319956751620972708290102951016285130279149541928975715141646349317719195120895405668537578731117711411377455348204628414433829954521246239918444749278414821322446997980867440390673867252520691512466217783913805378959163546554333948518761666615257961694453184137976339346897818155
hint = 7971742731649095689419069812067528143696274197928828354876852788283924885555419352585597870550201340903283246408124243858771760225352090287065968401798121462744593325790906076715689726084973961284269442403078357256944648887889164133402997194229896424170372289565793328072510417215049995602860003730255117062570796846107610964913012371436931702425686803094036421192017252973559867973706228039666796549598893061765698264877914707928554295918253039991633879692755301224559986335658773048007318816411538314373853913905341243548594907887601884024637302529827700822811798293858870305301953426511545007874861951957634461401
temp = inverse(hint,n)
p, q = symbols('p q')
equation1 = Eq(514 * p - 114 * q, temp)
equation2 = Eq(p * q, n)
solutions = solve((equation1, equation2), (p, q), dict = False)
# print(solutions)
p = 98856019786804470640443796109169578512013252702519071160946919073310544570792075470086512360274481565889660687471912133956236198898414294985460750440499584480352433062350929922436343944268275888420271857725729451905863266891272358961378522759755989015910020997268924091984638939748943340253440836306220242943
q = 167430466067920144586518526811331843740576807773373875372637415435050728726951903737409961278924716205028826829958375353303540001068235977345438194318025058688200684222901120228019519870666762077671354712898086421782675606039851613626320537062425899060747116061732728280427253471056751774648729146281329296397
assert isPrime(p) and isPrime(q)
flag2 = long_to_bytes(pow(c,inverse(e,(p - 1) * (q - 1)),n))
print("---------------------------------------------------end---------------------------------------------------")
end_time = time()
print(flag1 + flag2)
print(f"The time is: {end_time - start_time}")
# b'flag{6ab144ac-5f97-4253-a762-c8675ae5efd1}'
# The time is: 40.16846060752869
fffffhash
task:
import os
from Crypto.Util.number import *
def giaogiao(hex_string):
base_num = 0x6c62272e07bb014262b821756295c58d
x = 0x0000000001000000000000000000013b
MOD = 2**128
for i in hex_string:
base_num = (base_num * x) & (MOD - 1)
base_num ^= i
return base_num
giao=201431453607244229943761366749810895688
print("1geiwoligiaogiao")
hex_string = int(input(),16)
s = long_to_bytes(hex_string)
if giaogiao(s) == giao:
print(os.getenv('FLAG'))
else:
print("error")
analysis:
这道题就是希望我们通过寻找数学上的漏洞通过giao
这个结果值还原我们应该输入的16进制的信息,之后就可以获取flag
.
接下来就是加密程序:
base_num
是一个固定的初始值,x
是一个固定的乘数,MOD
是模数(2的128次方)。
对于输入的十六进制字符串中的每一个字符,程序都会执行以下操作:将base_num
与x
相乘,然后对结果进行模MOD
操作,以确保结果不会超过128位。将上一步的结果与当前字符的ASCII值进行异或操作(^=
)。
最终返回的base_num
值就是加密后的结果。
但是注意这里我们能够在有限时间内进行还原的原因也在于&MOD-1
的时候只有后128位进行了运算,同时x这个16进制的数字的前面很多位都是0,在进行乘法的时候结果的前面的二进制位只会取决于前面。
相关代码解析写在exp注释当中。
exp:
# -*- coding: utf-8 -*-
# @Author : chen_xing
# @Time : 2024/12/15 下午4:02
# @File : rasnd.py
# @Software: PyCharm
from sage.all import *
# Given values
base_num = 0x6c62272e07bb014262b821756295c58d
x = 0x0000000001000000000000000000013b
MOD = 2 ** 128
giao = 201431453607244229943761366749810895688
n = 20 # 从n = 15开始构造格,逐渐递增,增大格的范围
print("--------------------------------------------------begin--------------------------------------------------")
M = Matrix.column([x ** (n - i - 1) for i in range(n)] + [-(giao - base_num * x ** n), MOD])
M = M.augment(identity_matrix(n+1).stack(vector([0] * (n+1))))
Q = Matrix.diagonal([2 ** 256] + [2 ** 8] * n + [2 ** 16]) # 创建一个对角矩阵Q,用于对M进行缩放,以便应用BKZ算法。
M *= Q
M = M.BKZ() # M.BKZ() 是应用BKZ算法来找到一个短向量,这个向量可以用来构造一个近似的解。
M /= Q # 将缩放后的矩阵恢复到原始比例。
# 通过遍历M的行,找到第一个符合条件的行,即第一列(代表p^0的系数)为0,且最后一列(代表常数项)的绝对值为1的行。这个行代表了近似解。
for i in M:
if i[0] == 0 and abs(i[-1]) == 1:
i *= i[-1]
good = i[1:-1]
break
result = []
y = int(base_num * x)
temp = (base_num * x ** n + good[0] * x ** (n-1)) % MOD
# 通过两层循环,外层循环控制位的位置,内层循环尝试不同的ASCII值,找到能够使mask等于temp的值。一旦找到,就将其添加到result列表中,并更新temp和y以进行下一位的计算
for i in range(n):
for j in range(256): # 这里的256是因为long_to_bytes之后最大的为/xff,也就是256
mask = (int(y) ^ int(j)) * x ** (n-i-1) % MOD
if mask == temp:
result.append(j)
if i < n-1:
temp = (temp + good[i + 1] * x ** (n - i - 2)) % MOD
y = ((int(y) ^ int(j)) * x) % MOD
break
print(bytes(result).hex())
print("---------------------------------------------------end---------------------------------------------------")
# 1df2006d2e3362153d001f53102a7c2a0a591516
其实有一道相似的题目,是NSSCTF平台中上线的2024HITCTF,经过hash正则搜索即可看到,题目的思路我认为是有异曲同工之妙的。