2020首届祥云杯部分wp

比赛感受

这次比赛难度很大（应该是我太菜。。。），把我整得怀疑人生，很多题不会，尤其是逆向。最近也有点忙，拖到今天才写好wp。。。大佬轻喷

Misc

签到

直接base64解码得到flag

进制反转

压缩包解压失败

题目提示说到手机，以为用手机就能解压，手机没有出现损坏的提示，但是解压需要密码（其实这里就掉坑了。。。）

010打开压缩包，先遍历看看有无可疑信息，没有发现，猜测可能为rar伪加密，因为rar的机制，使用伪加密打开会出错，找到第24个字节，将C4改为C0，解压成功

发现一个音频flag.wav，使用Audacity打开，失败

使用导入原始数据的方式打开这个音频文件，听不懂，结合提示的反转，可能是倒放，并调节速率

听起来好像是一首歌，听歌识曲为： 《Too Good At Goodbyes》

flag就是这个歌名，题目要求大写，flag就是歌名的大写

到点了

题目给了三个docx文件，先从第一个文档开始看，打开是这样

没有什么有效信息，可能被隐藏，勾上隐藏字体看看

第二个文档被加密，这个应该就是线索

暴力破解，得到密码为20201024（没有字母，出题人真坑！），打开第二个文档

因为我不喜欢白色背景，很久前我就把背景设为绿色，好家伙，居然发现图片下面有一行东西（巧了，瞎猫碰见死耗子。。。），复制出来

AABBAABBBAABBBAAAABBABBABABAAAAABBAAABBBBAABBBAABABABBAAABAAAABAABAABBABAAAAABAA

培根密码解密得到

GOODNIGHTSWEETIE
goodnightsweetie

第三个文档很显然，比其他两个文档大很多，里面可能有其他文件，使用foremost分解

发现一个压缩包，但是没有分解出来，只分解出两个图片

使用binwalk分解，分解后得到一大堆东西

那个4.zip是之前foremost发现的压缩文件，里面是一张bmp文件，尝试 wbs43open

输入之前培根密码解密得到的两个密码，发现GOODNIGHTSWEETIE，才是真的密码

xixixi

题目提示：室友最近沉迷y神，又氪又肝，还ghs。为了他的身体着想，我把他的s图整没了。但我明明删了脚本啊，为什么还能被他发现......8说了，医院的空调真舒服~（真的是沉迷y神。。。）

解压得到vhd文件，就是虚拟磁盘文件，用window系统自带的磁盘管理附加就可以

里面是一张图片

看图片的话，好像是菲谢尔~，除此之外，没有其他信息。。。可能姿势不对

带音乐家

题目给了两个文件

先分析一下decode_it是什么文件类型

以前看过一个编程语言Veloto就是以这种文件作为源代码的，尝试编译后看看输出什么

打开压缩包

注释那里有东西，但是看不到，复制到编辑器

好家伙，还是看不到，不过能通过光标的移动猜出就是点和横线，摩斯密码，通过光标一个一个测出来，并摩斯密码解密得到信息是

AESKEY9219232322

压缩包有密码，密码为:Hello, World!，打开里面的文档

根据前面的信息，这个应该就是AES加密，密钥是9219232322

在线网站解密得到flag:flag{mU51c_And_ch@ract0rs~}

charles Sensor

暂无思路

Reverse

re1

ida载入，搜索字符串，搜到win，定位到引用的函数，反汇编失败，直接卡住。。。

看看汇编代码，发现判断的函数特别长，而且很多跳转，直接看最后的win那里，因为flag正确的话就会走到这里，根据前面的判断，flag由flag{xxx}，xxx就是我们要求出的内容，并且flag长度为32

这里有很多的字符比较，全部都符合就输出win，那么可以直接爆破出结果，但是要先判断是如何进行加密的，输入32个字符flag{0123456789abcdefghijklmnopqrstuv}进行动态调试，发现

0被加密为：0xe8
...
9被加密为：0xf1
a被加密为：0x19 
...

计算各自偏移了多少，如下图

爆破脚本如下：

a = [0xeb,0xf1,0x19,0xe8,0x1e,0x1e,0xf0,0xec,0xef,0x1e,0xe9,0x1e,0xec,0xec,0xe8,0xec,0x19,0x19,0xee,0x1b,0xef,0xef,0xec,0xea,0x1c,0xea,0xe8,0xeb,0xee,0xeb,0x1d,0xf1]

flag = ""

for i in range(len(a)):
    if 0xe8 <= a[i] <= 0xf1:
        flag += chr(a[i]-184)
    if 0x19 <= a[i] <= (0x19+26):
        flag += chr(a[i]+72)

flag = 'flag{'+flag+'}'
print(flag)

apk1

安卓的逆向，环境问题，反汇编失败，待研究

其他

暂无思路，怀疑人生

Crypto

simpleRsa

题目给了一个python文件和数据文件，我把相关数据移到python文件

from Crypto.Util.number import *
import gmpy2

p, q, r = [getPrime(512) for i in range(3)]
n = p * q * r
phi = (p - 1) * (q - 1) * (r - 1)
d = getPrime(256)
e = gmpy2.invert(d , phi)

flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"  

c = pow(bytes_to_long(flag), e, n)

print(e, n)
print(c)
e = 1072295425944136507039938677101442481213519408125148233880442849206353379681989305000570387093152236263203395726974692959819315410781180094216209100069530791407495510882640781920564732214327898099944792714253622047873152630438060151644601786843683746256407925709702163565141004356238879406385566586704226148537863811717298966607314747737551724379516675376634771455883976069007134218982435170160647848549412289128982070647832774446345062489374092673169618836701679 
n = 1827221992692849179244069834273816565714276505305246103435962887461520381709739927223055239953965182451252194768935702628056587034173800605827424043281673183606478736189927377745575379908876456485016832416806029254972769617393560238494326078940842295153029285394491783712384990125100774596477064482280829407856014835231711788990066676534414414741067759564102331614666713797073811245099512130528600464099492734671689084990036077860042238454908960841595107122933173
c = 1079929174110820494059355415059104229905268763089157771374657932646711017488701536460687319648362549563313125268069722412148023885626962640915852317297916421725818077814237292807218952574111141918158391190621362508862842932945783059181952614317289116405878741758913351697905289993651105968169193211242144991434715552952340791545323270065763529865010326192824334684413212357708275259096202509042838081150055727650443887438253964607414944245877904002580997866300452

和常见的RSA不一样，n是三个素数相乘。d比较小，造成e很大，很接近n，第一印象是使现成的维纳攻击，但是攻击失败，可能是因为三个素数造成

转换思路，使用 连分数展开并求其各项渐进分数，来求私钥，代码如下：

from Crypto.Util.number import *
e = 1072295425944136507039938677101442481213519408125148233880442849206353379681989305000570387093152236263203395726974692959819315410781180094216209100069530791407495510882640781920564732214327898099944792714253622047873152630438060151644601786843683746256407925709702163565141004356238879406385566586704226148537863811717298966607314747737551724379516675376634771455883976069007134218982435170160647848549412289128982070647832774446345062489374092673169618836701679
n = 1827221992692849179244069834273816565714276505305246103435962887461520381709739927223055239953965182451252194768935702628056587034173800605827424043281673183606478736189927377745575379908876456485016832416806029254972769617393560238494326078940842295153029285394491783712384990125100774596477064482280829407856014835231711788990066676534414414741067759564102331614666713797073811245099512130528600464099492734671689084990036077860042238454908960841595107122933173
c = 1079929174110820494059355415059104229905268763089157771374657932646711017488701536460687319648362549563313125268069722412148023885626962640915852317297916421725818077814237292807218952574111141918158391190621362508862842932945783059181952614317289116405878741758913351697905289993651105968169193211242144991434715552952340791545323270065763529865010326192824334684413212357708275259096202509042838081150055727650443887438253964607414944245877904002580997866300452
def transform(x,y):
    res = []
    while y:
        res.append(x//y)
        x,y = y,x%y
    return res

def continued_fraction(res):
    numerator,denominator = 1,0
    for i in res[::-1]:
        denominator,numerator = numerator,i*numerator+denominator
    return numerator,denominator

def wiener_attack(res):
    print("Attack start...")
    for i in range(1,len(res)):
        ress = res[:i]
        d = continued_fraction(ress)[1]
        m = long_to_bytes(pow(c,d,n))
        if b'flag' in m:
            print(m,"Success!")
            break

res = transform(e,n)
wiener_attack(res)

more_calc

题目给了一个python文件，数据也在里面

import gmpy2
from Crypto.Util.number import *

flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"

p = getStrongPrime(2048)
for i in range(1, (p+1)//2):
    s += pow(i, p-2, p)
s = s % p
q = gmpy2.next_prime(s)
n = p*q
e = 0x10001
c = pow(bytes_to_long(flag), e, n)
print(p)
print(c)
#27405107041753266489145388621858169511872996622765267064868542117269875531364939896671662734188734825462948115530667205007939029215517180761866791579330410449202307248373229224662232822180397215721163369151115019770596528704719472424551024516928606584975793350814943997731939996459959720826025110179216477709373849945411483731524831284895024319654509286305913312306154387754998813276562173335189450448233216133842189148761197948559529960144453513191372254902031168755165124218783504740834442379363311489108732216051566953498279198537794620521800773917228002402970358087033504897205021881295154046656335865303621793069
#350559186837488832821747843236518135605207376031858002274245004287622649330215113818719954185397072838014144973032329600905419861908678328971318153205085007743269253957395282420325663132161022100365481003745940818974280988045034204540385744572806102552420428326265541925346702843693366991753468220300070888651732502520797002707248604275755144713421649971492440442052470723153111156457558558362147002004646136522011344261017461901953583462467622428810167107079281190209731251995976003352201766861887320739990258601550606005388872967825179626176714503475557883810543445555390014562686801894528311600623156984829864743222963877167099892926717479789226681810584894066635076755996423203380493776130488170859798745677727810528672150350333480506424506676127108526488370011099147698875070043925524217837379654168009179798131378352623177947753192948012574831777413729910050668759007704596447625484384743880766558428224371417726480372362810572395522725083798926133468409600491925317437998458582723897120786458219630275616949619564099733542766297770682044561605344090394777570973725211713076201846942438883897078408067779325471589907041186423781580046903588316958615443196819133852367565049467076710376395085898875495653237178198379421129086523

刚开始卡在求s那里，s就是1开始的逆元累加，我想化简这个式子求出s，但是失败。因为p已知，实际上求明文，题目条件已经可以求出来了（不需要s，q）

因为 p|n,所以m = c^d mod n 等价于 m = c^d mod p
因为 p-1 | Fai(n),所以 ed = 1 mod Fai(n) 等价于 ed = 1 mod (p-1)
又因为e，p已知，可以求出d，然后就可以求出m

完整代码如下：

from Crypto.Util.number import*
from gmpy2 import *
p = 27405107041753266489145388621858169511872996622765267064868542117269875531364939896671662734188734825462948115530667205007939029215517180761866791579330410449202307248373229224662232822180397215721163369151115019770596528704719472424551024516928606584975793350814943997731939996459959720826025110179216477709373849945411483731524831284895024319654509286305913312306154387754998813276562173335189450448233216133842189148761197948559529960144453513191372254902031168755165124218783504740834442379363311489108732216051566953498279198537794620521800773917228002402970358087033504897205021881295154046656335865303621793069
c = 350559186837488832821747843236518135605207376031858002274245004287622649330215113818719954185397072838014144973032329600905419861908678328971318153205085007743269253957395282420325663132161022100365481003745940818974280988045034204540385744572806102552420428326265541925346702843693366991753468220300070888651732502520797002707248604275755144713421649971492440442052470723153111156457558558362147002004646136522011344261017461901953583462467622428810167107079281190209731251995976003352201766861887320739990258601550606005388872967825179626176714503475557883810543445555390014562686801894528311600623156984829864743222963877167099892926717479789226681810584894066635076755996423203380493776130488170859798745677727810528672150350333480506424506676127108526488370011099147698875070043925524217837379654168009179798131378352623177947753192948012574831777413729910050668759007704596447625484384743880766558428224371417726480372362810572395522725083798926133468409600491925317437998458582723897120786458219630275616949619564099733542766297770682044561605344090394777570973725211713076201846942438883897078408067779325471589907041186423781580046903588316958615443196819133852367565049467076710376395085898875495653237178198379421129086523

e = 0x10001
d = invert(e,p-1)
m = pow(c,d,p)
print long_to_bytes(m)

RSAssss

题目给了一个python文件和数据文件，我把数据移到python文件那里

from Crypto.Util.number import *
from gmpy2 import next_prime

p = getPrime(512)
q = getPrime(512)

n = p * q * next_prime(p) * next_prime(q)
e = 0x10001

flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
cipher = pow(bytes_to_long(flag), e, n)

print(n, cipher)
n = 8030860507195481656424331455231443135773524476536419534745106637165762909478292141556846892146553555609301914884176422322286739546193682236355823149096731058044933046552926707682168435727800175783373045726692093694148718521610590523718813096895883533245331244650675812406540694948121258394822022998773233400623162137949381772195351339548977422564546054188918542382088471666795842185019002025083543162991739309935972705871943787733784491735500905013651061284020447578230135075211268405413254368439549259917312445348808412659422810647972872286215701325216318641985498202349281374905892279894612835009186944143298761257 
c = 3304124639719334349997663632110579306673932777705840648575774671427424134287680988314129312593361087606243819528298610131797078262351307396831985397555390640151391138633431951746748156610463582479645561779194981806129898009876517899450840875569675976765155608446799203699927448835004756707151281044859676695533373755798273892503194753948997947653100690841880925445059175494314198605475023939567750409907217654291430615102258523998394231436796902635077995829477347316754739938980814293304289318417443493019704073164585505217658570214989150175123757038125380996050761572021986573934155470641091678664451080065719261207

n是由四个大素数相乘，next_prime(p) * next_prime(q)依次和p和q很接近，尝试工具分解，但是失败（数太大），只能先进行数论分析，下面是费马因子分解

根据费马因子分解,则有

\[n = ab = c^2 - d^2 = (c+d)(c-d) \therefore c = \frac{a+b}{2},d = \frac{a-b}{2} \]

移项可得：d^2 = c^2-n，其中c为大于√n的最小正整数

\[c = \sqrt{n}+i (i∈Z) \]

假设能找到一个特定的i，使得 c^2-n能被开放，那么就能得到d和c，进而得到因子a，b

由题可知，这几个素数不会相差很大，因此p1q1,p1q2,p2q1,p2q2都很接近，根据费马因子分解，可求得因子p1q1,p1q2,p2q1,p2q2，gcd(p1q1,p1q2) = p1 

完整代码如下：

from Crypto.Util.number import *
from gmpy2 import *

n = 8030860507195481656424331455231443135773524476536419534745106637165762909478292141556846892146553555609301914884176422322286739546193682236355823149096731058044933046552926707682168435727800175783373045726692093694148718521610590523718813096895883533245331244650675812406540694948121258394822022998773233400623162137949381772195351339548977422564546054188918542382088471666795842185019002025083543162991739309935972705871943787733784491735500905013651061284020447578230135075211268405413254368439549259917312445348808412659422810647972872286215701325216318641985498202349281374905892279894612835009186944143298761257
c = 3304124639719334349997663632110579306673932777705840648575774671427424134287680988314129312593361087606243819528298610131797078262351307396831985397555390640151391138633431951746748156610463582479645561779194981806129898009876517899450840875569675976765155608446799203699927448835004756707151281044859676695533373755798273892503194753948997947653100690841880925445059175494314198605475023939567750409907217654291430615102258523998394231436796902635077995829477347316754739938980814293304289318417443493019704073164585505217658570214989150175123757038125380996050761572021986573934155470641091678664451080065719261207
e = 0x10001

def fermat_factorization(n):
    factor_list = []
    get_context().precision = 2048
    sqrt_n = int(sqrt(n))
    c = sqrt_n
    while True:
        c += 1
        d_square = c**2 - n
        if is_square(d_square):
            d_square = mpz(d_square)
            get_context().precision = 2048
            d = int(sqrt(d_square))
            factor_list.append([c+d,c-d])
        if len(factor_list)==2:
            break
    return factor_list

factor_list = fermat_factorization(n)
[X1,Y1] = factor_list[0]
[X2,Y2] = factor_list[1]
assert X1*Y1 == n
assert X2*Y2 == n
p1 = gcd(X1,X2)
q1 = X1 // p1
p2 = gcd(Y1,Y2)
q2 = Y1 // p2

Fai = (p1-1)*(q1-1)*(p2-1)*(q2-1)
d = invert(e,Fai)
print long_to_bytes(pow(c,d,n))

Exposure

题目给了一个python文件和一个数据文件，我把数据移到python文件那里

from Crypto.Util.number import *
import gmpy2

p = getStrongPrime(512)
q = getStrongPrime(512)
n = p * q
phi = (p - 1) * (q - 1)
e = 7621
d = gmpy2.invert(e, phi)

flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
c = pow(bytes_to_long(flag), e, n) 加密

dp = d % (p - 1)   p = 1 mod (p-1)
print(dp >> 200)
print(c, e, n)

dp = 1153696846823715458342658568392537778171840014923745253759529432977932183322553944430236879985
c= 46735962204857190520476434898881001530665718155698898882603422023484998388668858692912250418134186095459060506275961050676051693220280588047233628259880712415593039977585805890920089318643002597837000049626154900908543384761210358835843974072960080857150727010985827690190496793207012355214605393036388807616
e = 7621
n = 140376049134934822153964243403031201922239588054133319056483413311963385321279682186354948441840374124640187894619689719746347334298621083485494086361152915457458004998419817456902929318697902819798254427945343361548635794308362823239150919240307072688623000747781103375481834571274423004856276841225675241863

刚开始以为dp泄露攻击，但是注意到dp泄露并不完整，dp右移了200位，只知道dp的高位，恢复dp的话，只需要爆破e次，就能得到p

对于恢复dp的解法，超出我的知识范畴，详细见以下链接：

https://github.com/pcw109550/write-up/tree/master/2019/KAPO/Lenstra-Lenstra-Lovasz

完整代码如下：

secret = 1153696846823715458342658568392537778171840014923745253759529432977932183322553944430236879985
c = 46735962204857190520476434898881001530665718155698898882603422023484998388668858692912250418134186095459060506275961050676051693220280588047233628259880712415593039977585805890920089318643002597837000049626154900908543384761210358835843974072960080857150727010985827690190496793207012355214605393036388807616
e = 7621
n = 140376049134934822153964243403031201922239588054133319056483413311963385321279682186354948441840374124640187894619689719746347334298621083485494086361152915457458004998419817456902929318697902819798254427945343361548635794308362823239150919240307072688623000747781103375481834571274423004856276841225675241863
[n, secret, c] = list(map(Integer, [n, secret, c]))

def facorize(e, dp):
	for i in range(2, e):
		p = (e * dp - 1 + i) // i
		if n % p == 0:
			return p
	return -1

def recover(secret):
	F.<x> = PolynomialRing(Zmod(n))
	d = inverse_mod(e, n)
	for k in range(1235, e):
		print('k =',k)
		f = (secret << 200) + x + (k - 1) * d
		x0 = f.small_roots(X=2 ** (200 + 1), beta=0.44, epsilon=1/32)
		if len(x0) != 0:
			dp = x0[0] + (secret << 200)
			p = facorize(e, Integer(dp))
			if p < 0:
				continue
			else:
				return p, dp

if __name__ == "__main__":
	p, dp = recover(secret)
	q = n // p
	assert p * q == n
	Fai = (p - 1) * (q - 1)
	d = inverse_mod(e, Fai)
	flag = bytes.fromhex(hex(pow(c, d, n))[2:])
	print(flag)

blowfishgame

题目给了一个python文件（我只给出主要代码）

bk = 8
master_key = os.urandom(bk)
sendIV = os.urandom(bk)
class Blow_CBC_demo:
    def __init__(self, iv):
        self.key = master_key
        self.iv = iv

    def pad(self, message):
        pad_length = bk-len(message)%bk
        return message+chr(pad_length)*pad_length

    def unpad(self, message):
        return message[:-ord(message[-1])]

    def encrypt(self, message):
        message = self.pad(message)
        blow = Blowfish.new(self.key, Blowfish.MODE_CBC, self.iv)
        ciphertxt = blow.encrypt(message)
        return ciphertxt

    def decrypt(self, message):
        blow = Blowfish.new(self.key, Blowfish.MODE_CBC, self.iv)
        plaintxt = blow.decrypt(message)
        plaintxt = self.unpad(plaintxt)
        return plaintxt

def send_enc(message):
    sys.stdout.flush()
    handle = Blow_CBC_demo(sendIV)
    ciphertxt = handle.encrypt(message)
    message = sendIV+ciphertxt
    message = b64encode(message)
    print(message)
    return

def get_enc():
    sys.stdout.flush()
    message = sys.stdin.readline().strip()
    try:
        message = b64decode(message)
        if (len(message) > 600):
            exit(0)
        handle = Blow_CBC_demo(message[:bk])
        plaintxt = handle.decrypt(message[bk:])
        return plaintxt
    except:
        print('Error')
        exit(0)

def send_pl(m):
    sys.stdout.flush()
    print(m)
    sys.stdout.flush()

def get_pl():
    sys.stdout.flush()
    return sys.stdin.readline().strip()

def pad(message):
    pad_length = bk-len(message)%bk
    return message+chr(pad_length)*pad_length

if __name__ == '__main__':
    assert(len(flag) == 42)
    if (not proof_of_work()):
        send_pl("Bye!")
        exit()
    signal.alarm(180)
    send_pl(banner)
    send_enc('Blowfish_w0rld')
    while True:
        try:
            message = get_enc().strip()
            if message.startswith('get_flag'):
                user = get_pl().strip()
                blow = Blowfish.new(master_key)
                send_pl(b64encode(blow.encrypt(pad(user+flag))))
            elif message.startswith('exit'):
                exit()
            else:
                send_enc('Invalid command')
        except:
            exit()

暂无思路，对CBC的攻击方式未了解，待了解，也希望大佬不吝赐教

easy matrix

题目提示，提到矩阵和高斯消元法，可能和这个有关系，待研究

Web

由于本人非web选手，所以web的wp就不写了（其实就是自己不会），可以参考其他师傅的wp

Pwn

待更新~