BUU WP(Crypto)(随缘更新。。)
一眼就解密
base64
ZmxhZ3tUSEVfRkxBR19PRl9USElTX1NUUklOR30=
flag{THE_FLAG_OF_THIS_STRING}
MD5
e00cf25ad42683b3df678c61f42c6bda
admin1
Url编码
%66%6c%61%67%7b%61%6e%64%20%31%3d%31%7d
flag{and 1=1}
看我回旋踢
凯撒密码
synt{5pq1004q-86n5-46q8-o720-oro5on0417r1}
flag{5or1004r-86a5-46r8-s720-sis5sa0417i1}
摩丝
摩斯密码
.. .-.. --- ...- . -.-- --- ..-
ILOVEYOU
password
姓名:张三
生日:19900315
key格式为key{xxxxxxxxxx}
猜测
zs19900315
变异凯撒
加密密文:afZ_r9VYfScOeO_UL^RWUc
格式:flag{ }
通过acsii码值对比可以看到第一个字符向后移了5,第二个向后移了6,第三个向后移了7,以此类推,很容易想到变异凯撒即每个向后移的位数是前一个加1
str="afZ_r9VYfScOeO_UL^RWUc"
k=5
for i in str:
print(chr(ord(i)+k),end='')
k+=1
flag{Caesar_variation}
Quoted-printable
=E9=82=A3=E4=BD=A0=E4=B9=9F=E5=BE=88=E6=A3=92=E5=93=A6
那你也很棒哦
篱笆墙的影子
felhaagv{ewtehtehfilnakgw}
栅栏13
flag{wethinkwehavetheflag}
Rabbit
U2FsdGVkX1/+ydnDPowGbjjJXhZxm2MP2AgI
兔子密码
Cute_Rabbit
RSA
在一次RSA密钥对生成中,假设p=473398607161,q=4511491,e=17
求解出d作为flag提交
from sympy import mod_inverse
p = 473398607161
q = 4511491
e = 17
n = p * q
phi_n = (p - 1) * (q - 1)
d = mod_inverse(e, phi_n)
print("Private key d:", d)
Private key d: 125631357777427553
丢失的MD5
import hashlib
for i in range(32,127):
for j in range(32,127):
for k in range(32,127):
m=hashlib.md5()
m.update('TASC'+chr(i)+'O3RJMV'+chr(j)+'WDJKX'+chr(k)+'ZM')
des=m.hexdigest()
if 'e9032' in des and 'da' in des and '911513' in des:
print des
import hashlib
for i in range(32, 127):
for j in range(32, 127):
for k in range(32, 127):
m = hashlib.md5()
input_str = 'TASC' + chr(i) + 'O3RJMV' + chr(j) + 'WDJKX' + chr(k) + 'ZM'
m.update(input_str.encode('utf-8'))
hashed = m.hexdigest()
if 'e9032' in hashed and 'da' in hashed and '911513' in hashed:
print(hashed)
e9032994dabac08080091151380478a2
Alice与Bob
密码学历史中,有两位知名的杰出人物,Alice和Bob。他们的爱情经过置换和轮加密也难以混淆,即使是没有身份认证也可以知根知底。就像在数学王国中的素数一样,孤傲又热情。下面是一个大整数:98554799767,请分解为两个素数,分解后,小的放前面,大的放后面,合成一个新的数字,进行md5的32位小写哈希,提交答案。 注意:得到的 flag 请包上 flag{} 提交
分解大素数
def prime_factors(n):
factors = []
# Check for number of 2s that divide n
while n % 2 == 0:
factors.append(2)
n = n // 2
# n must be odd at this point, so we can skip even numbers
for i in range(3, int(n**0.5) + 1, 2):
while n % i == 0:
factors.append(i)
n = n // i
# This condition is to check if n is a prime number greater than 2
if n > 2:
factors.append(n)
return factors
# Test case
number = 98554799767
print(f"Prime factors of {number}:")
print(prime_factors(number))
Prime factors of 98554799767:
[101999, 966233]
d450209323a847c8d01c6be47c81811a
大帝的密码武器
FRPHEVGL
凯撒 K=13
ComeChina
rsarsa
Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm.
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
Use RSA to find the secret message
import gmpy2
# Given parameters
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e = 65537
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
# Calculate n and phi(n)
n = p * q
phi_n = (p - 1) * (q - 1)
# Calculate d using gmpy2 (modular inverse of e mod phi_n)
d = gmpy2.invert(e, phi_n)
# Decrypt the ciphertext c to get the plaintext message
plaintext = pow(c, d, n)
# Print the decrypted message
print("Decrypted message:", plaintext)
Decrypted message: 5577446633554466577768879988
Windows系统密码
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ctf:1002:06af9108f2e1fecf144e2e8adef09efd:a7fcb22a88038f35a8f39d503e7f0062:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:bef14eee40dffbc345eeb3f58e290d56:::
md5加密
31d6cfe0d16ae931b73c59d7e0c089c0
good-luck
信息化时代的步伐
也许中国可以早早进入信息化时代,但是被清政府拒绝了。附件中是数十年后一位伟人说的话的密文。请翻译出明文(答案为一串中文!) 注意:得到的 flag 请包上 flag{} 提交
606046152623600817831216121621196386
中文电码
中文电码反查汉字结果:
- 6060:计
- 4615:算
- 2623:机
- 6008:要
- 1783:从
- 1216:娃
- 1216:娃
- 2119:抓
- 6386:起
凯撒?替换?呵呵!
MTHJ{CUBCGXGUGXWREXIPOYAOEYFIGXWRXCHTKHFCOHCFDUCGTXZOHIXOEOWMEHZO}
quipqiup
flag substitution cipher decryption is always easy just like a piece of cake
萌萌哒的八戒
猪圈密码
flag{whenthepigwanttoeat}
权限获得第一步
Administrator:500:806EDC27AA52E314AAD3B435B51404EE:F4AD50F57683D4260DFD48AA351A17A8:::
md5
3617656
传统知识+古典密码
小明某一天收到一封密信,信中写了几个不同的年份
辛卯,癸巳,丙戌,辛未,庚辰,癸酉,己卯,癸巳。
信的背面还写有“+甲子”,请解出这段密文。
key值:CTF{XXX}
六十年甲子(干支表)
1 2 3 4 5 6 7 8 9 10
甲子 乙丑 丙寅 丁卯 戊辰 己巳 庚午 辛未 壬申 癸酉
11 12 13 14 15 16 17 18 19 20
甲戌 乙亥 丙子 丁丑 戊寅 己卯 庚辰 辛巳 壬午 癸未
21 22 23 24 25 26 27 28 29 30
甲申 乙酉 丙戌 丁亥 戊子 己丑 庚寅 辛卯 壬辰 癸巳
31 32 33 34 35 36 37 38 39 40
甲午 乙未 丙申 丁酉 戊戌 己亥 庚子 辛丑 壬寅 癸卯
41 42 43 44 45 46 47 48 49 50
甲辰 乙巳 丙午 丁未 戊申 己酉 庚戌 辛亥 壬子 癸丑
51 52 53 54 55 56 57 58 59 60
甲寅 乙卯 丙辰 丁巳 戊午 己未 庚申 辛酉 壬戌 癸亥
继续按+60计算
正面共8个数字,按照4个一组,分两组测试
88 90 83 68
77 70 76 90
明文为: 88 90 83 68 77 70 76 90
X Z S D M F L Z
各自按26字母减5
S U N Y H A G U
再用2组进行栅格
S U N Y
H A G U
合并明文: SHUANGYU
最终结果:flag{SHUANGYU}
RSA1
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
import gmpy2
def rsa_decrypt(p, q, dp, dq, c):
# Calculate n and modulus inverses
n = p * q
q_inv = gmpy2.invert(q, p) # q_inv is the modular inverse of q modulo p
# Compute m1 and m2
m1 = pow(c, dp, p)
m2 = pow(c, dq, q)
# Use Chinese Remainder Theorem to find the plaintext message m
h = q_inv * (m1 - m2) % p
m = m2 + h * q
return m
# Given parameters
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
# Decrypt ciphertext
plaintext = rsa_decrypt(p, q, dp, dq, c)
# Print the plaintext message
print("Decrypted plaintext message:")
print(hex(plaintext)[2:]) # Print in hexadecimal format
print(bytes.fromhex(hex(plaintext)[2:])) # 16进制转文本
Decrypted plaintext message:
6e6f784354467b57333163306d335f37305f4368316e343730776e7d
b'noxCTF{W31c0m3_70_Ch1n470wn}'
世上无难事
VIZZB IFIUOJBWO NVXAP OBC XZZ UKHVN IFIUOJBWO HB XVIXW XAW VXFI X QIXN VBD KQ IFIUOJBWO WBKAH NBWXO VBD XJBCN NKG QLKEIU DI XUI VIUI DKNV QNCWIANQ XN DXPIMKIZW VKHV QEVBBZ KA XUZKAHNBA FKUHKAKX XAW DI VXFI HBN QNCWIANQ NCAKAH KA MUBG XZZ XEUBQQ XGIUKEX MUBG PKAWIUHXUNIA NVUBCHV 12NV HUXWI XAW DI XUI SCQN QB HZXW NVXN XZZ EBCZW SBKA CQ NBWXO XAW DI DXAN NB NVXAP DXPIMKIZW MBU JIKAH QCEV XA BCNQNXAWKAH VBQN HKFI OBCUQIZFIQ X JKH UBCAW BM XLLZXCQI XAW NVI PIO KQ 640I11012805M211J0XJ24MM02X1IW09
quipqiup
640E11012805F211B0AB24FF02A1ED09
Unencode
89FQA9WMD<V1A<V1S83DY.#<W3$Q,2TM]
flag{dsdasdsa99877LLLKK}
old-fashion
quipqiup
Os drnuzearyuwn, y jtkjzoztzoes douwlr oj y ilzwex eq lsdexosa kn pwodw tsozj eq ufyoszlbz yrl rlufydlx pozw douwlrzlbz, ydderxosa ze y rlatfyr jnjzli; mjy gfbmw vla xy wbfnsy symmyew (mjy vrwm qrvvrf), hlbew rd symmyew, mebhsymw rd symmyew, vbomgeyw rd mjy lxrzy, lfk wr dremj. Mjy eyqybzye kyqbhjyew mjy myom xa hyedrevbfn lf bfzyewy wgxwmbmgmbrf. Wr mjy dsln bw f1_2jyf-k3_jg1-vb-vl_l
Xl fogkvryoeksg, e hjdhvxvjvxrl fxksao xh e zavsrb rc alfrbxly dg wsxfs jlxvh rc knexlvaiv eoa oaknefab wxvs fxksaovaiv, effrobxly vr e oayjneo hghvaz; the units may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing an inverse substitution. So the flag is n1_2hen-d3_hu1-mi-ma_a
[AFCTF2018]Morse
-..../.----/-..../-..../-..../...--/--.../....-/-..../-..../--.../-.../...--/.----/--.../...--/..---/--.../--.../....-/...../..-./--.../...--/...--/-----/...../..-./...--/...--/...--/....-/...--/...../--.../----./--.../-..
61666374667B317327745F73305F333435797D
RSA3
共模攻击
c1=22322035275663237041646893770451933509324701913484303338076210603542612758956262869640822486470121149424485571361007421293675516338822195280313794991136048140918842471219840263536338886250492682739436410013436651161720725855484866690084788721349555662019879081501113222996123305533009325964377798892703161521852805956811219563883312896330156298621674684353919547558127920925706842808914762199011054955816534977675267395009575347820387073483928425066536361482774892370969520740304287456555508933372782327506569010772537497541764311429052216291198932092617792645253901478910801592878203564861118912045464959832566051361
n=22708078815885011462462049064339185898712439277226831073457888403129378547350292420267016551819052430779004755846649044001024141485283286483130702616057274698473611149508798869706347501931583117632710700787228016480127677393649929530416598686027354216422565934459015161927613607902831542857977859612596282353679327773303727004407262197231586324599181983572622404590354084541788062262164510140605868122410388090174420147752408554129789760902300898046273909007852818474030770699647647363015102118956737673941354217692696044969695308506436573142565573487583507037356944848039864382339216266670673567488871508925311154801
e1=11187289
c2=18702010045187015556548691642394982835669262147230212731309938675226458555210425972429418449273410535387985931036711854265623905066805665751803269106880746769003478900791099590239513925449748814075904017471585572848473556490565450062664706449128415834787961947266259789785962922238701134079720414228414066193071495304612341052987455615930023536823801499269773357186087452747500840640419365011554421183037505653461286732740983702740822671148045619497667184586123657285604061875653909567822328914065337797733444640351518775487649819978262363617265797982843179630888729407238496650987720428708217115257989007867331698397
e2=9647291
from gmpy2 import invert
import binascii
def gongmo(n, c1, c2, e1, e2):
def egcd(a, b):
if b == 0:
return a, 0
else:
x, y = egcd(b, a % b)
return y, x - (a // b) * y
s = egcd(e1, e2)
s1 = s[0]
s2 = s[1]
# 求模反元素
if s1 < 0:
s1 = - s1
c1 = invert(c1, n)
elif s2 < 0:
s2 = - s2
c2 = invert(c2, n)
m = pow(c1, s1, n) * pow(c2, s2, n) % n
return m
c1=22322035275663237041646893770451933509324701913484303338076210603542612758956262869640822486470121149424485571361007421293675516338822195280313794991136048140918842471219840263536338886250492682739436410013436651161720725855484866690084788721349555662019879081501113222996123305533009325964377798892703161521852805956811219563883312896330156298621674684353919547558127920925706842808914762199011054955816534977675267395009575347820387073483928425066536361482774892370969520740304287456555508933372782327506569010772537497541764311429052216291198932092617792645253901478910801592878203564861118912045464959832566051361
n=22708078815885011462462049064339185898712439277226831073457888403129378547350292420267016551819052430779004755846649044001024141485283286483130702616057274698473611149508798869706347501931583117632710700787228016480127677393649929530416598686027354216422565934459015161927613607902831542857977859612596282353679327773303727004407262197231586324599181983572622404590354084541788062262164510140605868122410388090174420147752408554129789760902300898046273909007852818474030770699647647363015102118956737673941354217692696044969695308506436573142565573487583507037356944848039864382339216266670673567488871508925311154801
e1=11187289
c2=18702010045187015556548691642394982835669262147230212731309938675226458555210425972429418449273410535387985931036711854265623905066805665751803269106880746769003478900791099590239513925449748814075904017471585572848473556490565450062664706449128415834787961947266259789785962922238701134079720414228414066193071495304612341052987455615930023536823801499269773357186087452747500840640419365011554421183037505653461286732740983702740822671148045619497667184586123657285604061875653909567822328914065337797733444640351518775487649819978262363617265797982843179630888729407238496650987720428708217115257989007867331698397
e2=9647291
result = gongmo(n, c1, c2, e1, e2)
print(result)
print(binascii.unhexlify(hex(result)[2:].strip("L")))
#13040004482819947212936436796507286940525898188874967465457845309271472287032383337801279101
#b'flag{49d91077a1abcb14f1a9d546c80be9ef}'
RSA2
dp泄漏
e = 65537
n = 248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113
dp = 905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657
c = 140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751
import gmpy2 as gp
e = 65537
n = 248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113
dp = 905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657
c = 140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751
for i in range(1, e): # 在范围(1,e)之间进行遍历
if (dp * e - 1) % i == 0:
if n % (((dp * e - 1) // i) + 1) == 0: # 存在p,使得n能被p整除
p = ((dp * e - 1) // i) + 1
q = n // (((dp * e - 1) // i) + 1)
phi = (q - 1) * (p - 1) # 欧拉定理
d = gp.invert(e, phi) # 求模逆
m = pow(c, d, n) # 快速求幂取模运算
print(m) # 10进制明文
print('------------')
print(hex(m)[2:]) # 16进制明文
print('------------')
print(bytes.fromhex(hex(m)[2:])) # 16进制转文本
还原大师
我们得到了一串神秘字符串:TASC?O3RJMV?WDJKX?ZM,问号部分是未知大写字母,为了确定这个神秘字符串,我们通过了其他途径获得了这个字串的32位MD5码。但是我们获得它的32位MD5码也是残缺不全,E903???4DAB????08?????51?80??8A?,请猜出神秘字符串的原本模样,并且提交这个字串的32位MD5码作为答案。 注意:得到的 flag 请包上 flag{} 提交
补全md5
import hashlib
Cipertext = "TASC?O3RJMV?WDJKX?ZM"
for i in range(26):
temp1 = Cipertext.replace("?", chr(65 + i), 1)
for j in range(26):
temp2 = temp1.replace("?", chr(65 + j), 1)
for z in range(26):
temp3 = temp2.replace("?", chr(65 + z), 1)
Plaintext = hashlib.md5(temp3.encode("UTF-8")).hexdigest().upper()
if Plaintext[0:4] == "E903":
print(Plaintext)
异性相吸
最近出现了一个奇葩观点,说性别都不一样,怎么能谈恋爱?为了证明这个观点错误,请大家证明异性是相吸的。 注意:得到的 flag 请包上 flag{} 提交
异或
def main():
miwen = "0000011100011111000000000000001100001000000001000001001001010101000000110001000001010100010110000100101101011100010110000100101001010110010100110100010001010010000000110100010000000010010110000100011000000110010101000100011100000101010101100100011101010111010001000001001001011101010010100001010000011011"
key = "0110000101110011011000010110010001110011011000010111001101100100011000010111001101100100011000010111001101100100011000010111001101100100011000010111001101100100011000010111001101100100011000010111001101100100011000010111001101100100011000010111001101100100011100010111011101100101011100110111000101100110"
# 遍历miwen和key字符串的每个字符
result = []
for i in range(len(miwen)):
if miwen[i] == key[i]:
result.append("0")
else:
result.append("1")
# 输出结果
print("".join(result))
if __name__ == "__main__":
main()
[GXYCTF2019]CheckIn
dikqTCpfRjA8fUBIMD5GNDkwMjNARkUwI0BFTg==
base64
得到
v)*L*_F0<}@H0>F49023@FE0#@EN
根据此密文的ASCII码值都处于33 ~ 126范围,确定为ROT47加密
GXY{Y0u_kNow_much_about_Rot}
Cipher
题目提示:公平的玩吧
playfair加密
Playfair加密解密_普莱费尔加密解密-ME2在线工具 (metools.info)
Dncnoqqfliqrpgeklwmppu
密钥:playfair
flag{itisnotaproblemhavefun}
达芬奇密码
达芬奇隐藏在蒙娜丽莎中的数字列:1 233 3 2584 1346269 144 5 196418 21 1597 610 377 10946 89 514229 987 8 55 6765 2178309 121393 317811 46368 4181 1 832040 2 28657 75025 34 13 17711
记录在达芬奇窗台口的神秘数字串:36968853882116725547342176952286
分析发现神秘数字串为32位,数字列也有32个数字,而flag也为一串32位10进制字符串。猜测神秘数字串可能为密文c,且和数字列存在一一映射的关系。
写个脚本将斐波那契数列打印出来
def fib_loop_for(n):
a, b = 0, 1
for _ in range(n):
a, b = b, a + b
return a
for i in range(1,33):
print(fib_loop_for(i))
1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765 10946 17711 28657 46368 75025 121393 196418 317811 514229 832040 1346269 2178309
1 233 3 2584 1346269 144 5 196418 21 1597 610 377 10946 89 514229 987 8 55 6765 2178309 121393 317811 46368 4181 1 832040 2 28657 75025 34 13 17711
c="36968853882116725547342176952286"
对比发现,数字列的确为斐波那契数列的变形。
那么flag应该就是根据斐波那契数列变形而变形的。我们只需要将其逆转就可以了。
第0位的1就在斐波那契数列第0位,所以3的位置不变,还在第0位。
第1位的233的位置在斐波那契数列第12位,所以6应该移到第12位。
我们需要从数字列中挨个取出数字,查询其在斐波那契数列中的位置,将密文c对应位置的数字,移到相应的位置即可。
脚本:
def fib_loop_for(n):
a, b = 0, 1
for _ in range(n):
a, b = b, a + b
return a
key="1 233 3 2584 1346269 144 5 196418 21 1597 610 377 10946 89 514229 987 8 55 6765 2178309 121393 317811 46368 4181 1 832040 2 28657 75025 34 13 17711".split(" ")
dic=[]
c="36968853882116725547342176952286"
m="*"*32
m=list(m)
for i in range(1,33):
print(fib_loop_for(i),end=" ")
dic.append(fib_loop_for(i))
print(dic)
for i in range(32):
index = dic.index(int(key[i]))
print(i,index,c[i])
m[index]=c[i]
print("".join(m))
#7*995588256861228614165223347687
#flag:37995588256861228614165223347687
注意数字列中的第2个1在第24位,由于string.index()函数在查询下标的时候,会从右往左查询,故而第24位的1所对应的数字7,覆盖了第0个位置的1所对应的数字3。所以第1个位置没有数字,还是*。所以得到两种结果,因为不确定到底那个1所对应的数字是3。
73995588256861228614165223347687
#37995588256861228614165223347687
[MRCTF2020]古典密码知多少
得到一张图片
图形密码汇总:CTF中的一些图形密码 - Nuy0ah - 博客园 (cnblogs.com)
从所给的题目信息提示中看出,一共给出四种古典密码,分别是:猪圈密码、圣堂武士密码、标准银河字母、栅栏密码{英文提示},且flag的明文为大写。
FGCPFLIRTUASYON
FLAGISCRYPTOFUN
rot
破解下面的密文:
83 89 78 84 45 86 96 45 115 121 110 116 136 132 132 132 108 128 117 118 134 110 123 111 110 127 108 112 124 122 108 118 128 108 131 114 127 134 108 116 124 124 113 108 76 76 76 76 138 23 90 81 66 71 64 69 114 65 112 64 66 63 69 61 70 114 62 66 61 62 69 67 70 63 61 110 110 112 64 68 62 70 61 112 111 112
flag格式flag{}
看着像是 ascii 码。
但是有大于 127 的数字存在,所以要先处理。
ROT5、ROT13、ROT18、ROT47 编码是一种简单的码元位置顺序替换暗码。此类编码具有可逆性,可以自我解密,主要用于应对快速浏览,或者是机器的读取,而不让其理解其意。
ROT5 是 rotate by 5 places 的简写,意思是旋转5个位置,其它皆同。下面分别说说它们的编码方式:
ROT5:只对数字进行编码,用当前数字往前数的第5个数字替换当前数字,例如当前为0,编码后变成5,当前为1,编码后变成6,以此类推顺序循环。
ROT13:只对字母进行编码,用当前字母往前数的第13个字母替换当前字母,例如当前为A,编码后变成N,当前为B,编码后变成O,以此类推顺序循环。
ROT18:这是一个异类,本来没有,它是将ROT5和ROT13组合在一起,为了好称呼,将其命名为ROT18。
ROT47:对数字、字母、常用符号进行编码,按照它们的ASCII值进行位置替换,用当前字符ASCII值往前数的第47位对应字符替换当前字符,例如当前为小写字母z,编码后变成大写字母K,当前为数字0,编码后变成符号_。用于ROT47编码的字符其ASCII值范围是33-126,具体可参考ASCII编码。
参考rot原理,将所有的数字 -13 后,再转ascii码
s = '83 89 78 84 45 86 96 45 115 121 110 116 136 132 132 132 108 128 117 118 134 110 123 111 110 127 108 112 124 122 108 118 128 108 131 114 127 134 108 116 124 124 113 108 76 76 76 76 138 23 90 81 66 71 64 69 114 65 112 64 66 63 69 61 70 114 62 66 61 62 69 67 70 63 61 110 110 112 64 68 62 70 61 112 111 112'
l = s.split(" ")
for i in l:
print(chr(int(i)-13),end='')
FLAG IS flag{www_shiyanbar_com_is_very_good_????}
MD5:38e4c352809e150186920aac37190cbc
看样子要用md5值来爆破后四位
import hashlib
for i in range(32,126):
for j in range(32,126):
for k in range(32,126):
for m in range(32,126):
tmp = demo + chr(i) + chr(j) + chr(k) + chr(m) + '}'
hash = hashlib.md5(tmp.encode('utf8')).hexdigest()
if check == hash:
print(tmp)
exit()
flag{www_shiyanbar_com_is_very_good_@8Mu}
[MRCTF2020]vigenere
g vjganxsymda ux ylt vtvjttajwsgt bl udfteyhfgt
oe btlc ckjwc qnxdta
vbbwwrbrtlx su gnw nrshylwmpy cgwps, lum bipee ynecgy gk jaryz frs fzwjp, x puej jgbs udfteyhfgt, gnw sil uuej su zofi. sc okzfpu bl lmi uhzmwi, x nyc dsj bl lmi enyl ys argnj yh nrgsi. nba swi cbz ojprbsw fqdam mx. cdh nsai cb ygaigroysxn jnwwi lr msylte.
cw mekr tg jptpzwi kdikjsqtaz, ftv pek oj pxxkdd xd ugnj scr, yg n esqxwxw nba onxw au ywipgkj fyiuujnxn gnss xwnz onxw jnahl avhwwxn vzkjpu nrofch fvwfoh. v jwhppek lmi vyutfp hbiafp hcguj at nxw gyxyjask ib hw seihxsqpn vtvjttajwsx ds zzj xnegfsmtf egz wtrq lt mbcukj sc hy. qty wnbw ss bbxsq vxtnl ys ghrw zw cbx vt cdh vgxwtfy ssc brzzthh bl wsjdeiwricg cw mekr zjzi grgktr ib lwfv.
vbbwwrbrtlx hteonj xwroj oyhg vgbigf ljtq iuk utrhrtl tj iuk ytztetwi. cdh nsai crolmig fudngxgkv ssg ekujmkrj gzvh. jk vnh cbz aszxgk qty. nba vt rdg qfta jf, tgw hd lum prdj umw aderv. hcqrxkuerr jgjw cbz dni lvzznr nbaj gsgqkjx. hd aul ylxaq lmei lum hec oaaqh xg, gk yldhmz nx lrxw f tjorah gdaylwyrgogs tgbpwhx. nba ufrcbz. ay mh nt shx ds tsyygr gfi mi txgbw xgywqj iuxgzkw baj hsaykuymkr guymday.
qty wnbw ssi rtyfktq of tyg txwfx paj yfxwrxask rbtnjvhnzatr, cbx vnh nba uwipgk lmi lrgdyl ds umw qpeqwytaniwx. cdh jg ssi xtgb sje imqxjek, gzv tgnahw, de zzj ycjxayxta igiih gnsy eaeksic eeunnht baj xsrvkld qdek gwhte zzfr rbadi ft bhlfmcrj td ecl ux dsje oeushvzatrh.
lum hppvs lmigr gjj tgbhdjqh nsgsk jf zzfx nba fjis gu ktpkr. egz yhr zznw rygar eh nt wcgjfk lt mcigvj sje vjjgxailx. qpae gk xwryw uvdorwrw sbt'l jbxfz. omigr zzjvt nxw wipy igsjavilx, awrxw yltek swi leuflw, lr caqp xqkfymul zzjq paj sihgryk yltz hq tyg zkssw. lr gjj jdesask dhx gbr hbiafp rbtlwerg. zznw vbbwwrpaiw bmay gjnwt niutvsvty ys iuk utrsvzatrh bl gzv lbxdi, rdg egzvh. baj bsgyj ax hxslwwicg.
iqgigfvshi rbtknwif ux yvpayshxxbtk, wianzatrhuohx, ecq zztyvuz aywtyl, swvplkv qmzr g kyecqofl apik as xwr cwg su baj hsbzafngpgogsw. dhxk nw p jujqh iugl nw qbzz jzteeomigr gfi rdjnwwi, qhz ay mh aul bltek tthxry dnzt.
jk swi reksymct g otvaq zzfx pyr efc tazww axgngzx eeonnpttk gw tgrpmimrr guhsgqkv gc gniw, jgdaueng ebcww, qxyolfvn sujhi, de ylfxxbt gk fxezz.
bi pek uwipgofl e lbxdi awrxw frnbtw, frnjnwwi bne wctgryk mmh bx zjv qrrajjh, au efxirx zta hvtyzppe, cayldhz xjeg bl tjmct igjvrrj asxd fodjrrr uj hscsujrmil.
egzv armsq gdaiwuxh bl hwserxld, imcxwxwxbt, aiicgold, qdikejri, ntv hscgkpy hd aul fteye lt yh. gnwd egr gdq fpfkv tr bnzljv, paj lmigr ok ss bnzljv wrxw.
tyg vjwsxxgowx lpik ft fdqowx, wd, htdnot lum, bi rntftx dozsnr dejww fn cnqxmrnr utigpogs. at okdnikr zzfx ueue jxwvik, jravmzyicrj kjpu-vtljvtfz, ssh iuk utqbbtojea, baj lskrxffrrr caqp tzkjli. dhx aiicgolnih zgq gi svylwmqhzwi ereukx qpae gk cdhx bzvxfjahxxbtk. ylt btdd ppj zzfx pyr gzv rbtkymihkfy gjyzmwih jumqh vrtwweaye jjgdttaei xf zzj kdyjws vjyk. oj ldck oj axyr tj eqyk lt fjvrv tyg cgjymrhrsw wdyalnscf uf ylpg hsxmh. oal bi rntftx ppiwux iuk ktpjgogsw nba swi pgzwrtivty ys xzvgxi.
xa zzj ycvzwi winzwx, cdh nsai ibjsd ggrgljh p ygo, ylt gkdjgdzsmsmrnzatrh ekxtvb nil, blxpn jjtjqosyih lumw sla igswivzmymda gfi mcfadyw iuk vwipzy gk ntslwwwda, csxlxamltr, bvrd, resvygs, htguizikvrdj, ecq hjfrsrok. yltfk vwipzy ezwi auo gi qbxf frtj of zw.
nba swi irxjnjxrj gk cdhx gbr ruodivta, yasgt gnwd egr tsymkry as e lbxdi awrxw dsj jodq eajgqx ft vsenkgntlx. ftpgmxi nba xjeg gnwr, cdh kfyvjfz qtyg oajjejpxshmtf cayl iuk hfvtazsq vtfvgswxoodnxxry qty pek lts rbcswhal zg hscsxgsx nbajxiaikk. nr dhx otvaq, gdq xwr ywsxxzkfyw paj wctgryknscf ux mybntayc, ueue ylt qktfwxam lt xwr gfliavi, swi enxlx su n ywfqaryk bldyk, lmi vyutfp rbtnjvhnzatr ds hayw. lr issrdg ywuegnzw ylt noj ylpg iztotf ljtq iuk snv jcuf blxpn onrvf hwfx.
xa iznrp, tkjrecl, ljfrrr, xmxwxn, yaskpcujj, minrq frs gnw zrxgkv xxpgkk, dsj nxw yvnvty ys lnxv tju gnw amghy gk pxokjyc ql kjjgivty lypej htwif gl ylt sxgsxxrxk tj rlhwwweniw. yltfk efc zrkh tyi gnw hscggynsc suj f wbnrd ymbr, hmy xwre onpa aul bsgx of f aderv ylpg caqp hbuf gi qygfpiirj as fxg-hwfvxam ejhxn.
egzv xaijjehvtyqc doygqiir ofksgzglnsc vtvzwieowx adhrv uigcklzeir zzjqhrrnjw ql vjttdfofl ppjy, as ebrxahe paj wqwtjnwwi, iugl hppvs lt sla yhjiru olxias zzwsjtngzx iuk otvaq. zzjwt ygox adhrv iirygjj msrgk ys qr gftxwrx ashjfzjnea cxgiyrg, tg rsgr tggpt gnss txt ojtr. xa umw aderv, blpgknjv iuk zzqpa sash bne uwipgk ufr qr xwuvdqaujh paj vnwieotzxtq ofkmcvzwqc pg tg hshg. zzj kabhsq gdabwdecpk gk xwbaymx cb rgskte xwvyxekk dsje lshxdeowx xd niutqeyokm.
xwryw nrreksxmctrq mshgodj ecq igqscvgd ripfajjw eyguj yh vt lmi hnsw ushvzatr pf zztwt cxwamdhy dtztey gk jgrkvtq paj kjpu-qkljvbvtsymda czt lpq zg wiyril ylt nalmsgvzajw ds jaxxpaz, msmcsujris cuojvh. jk ezwi qkuqegr umw zxezmfp hrrnjw xzsmsi ib egzv hbbwwixttld, ikrt sx at pufymchk lt gdaywsx ib egzv ghrw tzte umw fdqowx. at jodq weeksi sjeywqztf guwshf zzj tantwy wd gnsy rd btw hec nxjjwi baj yldhmzyw.
lr caqp reksyi p ponnpxmglnsc bl lmi bvtv nr rlhwwweniw. ren vz tj qdek zzqpak ssh unoj ylpa zzj aderv dsje mgaigaswsxh ugnj qpqk tjjdek.
xqev vy ewgis balicrxw hvnczg hvppq efr, eyksxi pqj mshteyutvt ntv hygye twerry.
题目还给了一个py 看py断言key长度是5-10
暴力破解
a declaration of the independence of cyberspace
by john perry barlow
governments of the industrial world, you weary giants of flesh and steel, i come from cyberspace, the new home of mind. on behalf of the future, i ask you of the past to leave us alone. you are not welcome among us. you have no sovereignty where we gather.
we have no elected government, nor are we likely to have one, so i address you with no greater authority than that with which liberty itself always speaks. i declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. you have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
governments derive their just powers from the consent of the governed. you have neither solicited nor received ours. we did not invite you. you do not know us, nor do you know our world. cyberspace does not lie within your borders. do not think that you can build it, as though it were a public construction project. you cannot. it is an act of nature and it grows itself through our collective actions.
you have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. you do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.
you claim there are problems among us that you need to solve. you use this claim as an excuse to invade our precincts. many of these problems don't exist. where there are real conflicts, where there are wrongs, we will identify them and address them by our means. we are forming our own social contract. this governance will arise according to the conditions of our world, not yours. our world is different.
cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. ours is a world that is both everywhere and nowhere, but it is not where bodies live.
we are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
we are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.
your legal concepts of property, expression, identity, movement, and context do not apply to us. they are all based on matter, and there is no matter here.
our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. we believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. our identities may be distributed across many of your jurisdictions. the only law that all our constituent cultures would generally recognize is the golden rule. we hope we will be able to build our particular solutions on that basis. but we cannot accept the solutions you are attempting to impose.
in the united states, you have today created a law, the telecommunications reform act, which repudiates your own constitution and insults the dreams of jefferson, washington, mill, madison, detoqueville, and brandeis. these dreams must now be born anew in us.
you are terrified of your own children, since they are natives in a world where you will always be immigrants. because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. in our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. we cannot separate the air that chokes from the air upon which wings beat.
in china, germany, france, russia, singapore, italy and the united states, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of cyberspace. these may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.
your increasingly obsolete information industries would perpetuate themselves by proposing laws, in america and elsewhere, that claim to own speech itself throughout the world. these laws would declare ideas to be another industrial product, no more noble than pig iron. in our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. the global conveyance of thought no longer requires your factories to accomplish.
these increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. we must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. we will spread ourselves across the planet so that no one can arrest our thoughts.
we will create a civilization of the mind in cyberspace. may it be more humane and fair than the world your governments have made before.
flag is mrctf vigenere crypto crack man, please add underscore and curly braces.
mrctf{vigenere_crypto_crack_man}
一张谍报
题目很长,大致就是替换密码
解密脚本:
strs1 = "今天上午,朝歌区梆子公司决定,在每天三更天不亮免费在各大小区门口设卡为全城提供二次震耳欲聋的敲更提醒,呼吁大家早睡早起,不要因为贪睡断送大好人生,时代的符号是前进。为此,全区老人都蹲在该公司东边树丛合力抵制,不给公司人员放行,场面混乱。李罗鹰住进朝歌区五十年了,人称老鹰头,几年孙子李虎南刚从东北当猎户回来,每月还寄回来几块鼹鼠干。李罗鹰当年遇到的老婆是朝歌一枝花,所以李南虎是长得非常秀气的一个汉子。李罗鹰表示:无论梆子公司做的对错,反正不能打扰他孙子睡觉,子曰:‘睡觉乃人之常情’。梆子公司这是连菩萨睡觉都不放过啊。李南虎表示:梆子公司智商捉急,小心居民猴急跳墙!这三伏天都不给睡觉,这不扯淡么!到了中午人群仍未离散,更有人提议要烧掉这个公司,公司高层似乎恨不得找个洞钻进去。直到治安人员出现才疏散人群归家,但是李南虎仍旧表示爷爷年纪大了,睡不好对身体不好。"
strs2 = "喵天上午,汪歌区哞叽公司决定,在每天八哇天不全免费在各大小区门脑设卡为全城提供双次震耳欲聋的敲哇提醒,呼吁大家早睡早起,不要因为贪睡断送大好人生,时代的编号是前进。为此,全区眠人都足在该公司流边草丛合力抵制,不给公司人员放行,场面混乱。李罗鸟住进汪歌区五十年了,人称眠鸟顶,几年孙叽李熬值刚从流北当屁户回来,每月还寄回来几块报信干。李罗鸟当年遇到的眠婆是汪歌一枝花,所以李值熬是长得非常秀气的一个汉叽。李罗鸟表示:无论哞叽公司做的对错,反正不能打扰他孙叽睡觉,叽叶:‘睡觉乃人之常情’。哞叽公司这是连衣服睡觉都不放过啊。李值熬表示:哞叽公司智商捉急,小心居民猴急跳墙!这八伏天都不给睡觉,这不扯淡么!到了中午人群仍未离散,哇有人提议要烧掉这个公司,公司高层似乎恨不得找个洞钻进去。直到治安人员出现才疏散人群归家,但是李值熬仍旧表示爷爷年纪大了,睡不好对身体不好。"
strs3 = "喵汪哞叽双哇顶,眠鸟足屁流脑,八哇报信断流脑全叽,眠鸟进北脑上草,八枝遇孙叽,孙叽对熬编叶:值天衣服放鸟捉猴顶。鸟对:北汪罗汉伏熬乱天门。合编放行,卡编扯呼。人离烧草,报信归洞,孙叽找爷爷。"
m = ""
for i in range(len(strs3)):
for j in range(len(strs2)):
if strs3[i] == strs2[j]:
m += strs1[j]
break
print (m)
flag{南天菩萨放鹰捉猴头}
[WUSTCTF2020]情书
题目:
我给你的情书,请收好。
Premise: Enumerate the alphabet by 0、1、2、… 、25
Using the RSA system
Encryption:0156 0821 1616 0041 0140 2130 1616 0793
Public Key:2537 and 13
Private Key:2537 and 937
flag: wctf2020{Decryption}
#buu的题目乱码 这是网上找来的原题
1.获取公钥和密文
首先,我们从题目中获得了公钥(N=2537, e=13)和密文(一系列数字,代表加密后的字母)。
2.分解N得到p和q
由于N是两个大质数p和q的乘积,我们需要对N进行因式分解来得到p和q。在这个例子中,我们找到了p=43和q=59。
3.计算φ(N)和d
φ(N)是N的欧拉函数,它等于(p-1) * (q-1)。然后,我们使用扩展欧几里得算法来找到e和φ(N)的模反元素d,满足e * d mod φ(N) = 1。在这个例子中,我们找到了d=937。
4.解密密文
现在,我们有了公钥(N, e)、私钥(N, d)和密文。我们可以使用私钥来解密密文。解密的过程是将密文C的每个数字C_i转换为对应的字符c_i,其中c_i = (C_i)^d mod N。然后,我们将得到的字符按照题目中的映射关系转换为对应的字母。
import gmpy2
from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA
from Crypto.Util.number import long_to_bytes
n = 2537
e = 13
d = 937
c = '0156 0821 1616 0041 0140 2130 1616 0793'.split(' ')
p = 43
q = 59
phi = (q-1) * (p-1)
m=[]
for x in c:
m.append(chr(int(gmpy2.powmod(int(x),d,n))+ord('a')))
print(''.join(m))
flag{iloveyou}
[WUSTCTF2020]dp_leaking_1s_very_d@angerous
dp泄漏
import gmpy2 as gp
e = 65537
n = gp.mpz(156808343598578774957375696815188980682166740609302831099696492068246337198792510898818496239166339015207305102101431634283168544492984586566799996471150252382144148257236707247267506165670877506370253127695314163987084076462560095456635833650720606337852199362362120808707925913897956527780930423574343287847)
dp = gp.mpz(734763139918837027274765680404546851353356952885439663987181004382601658386317353877499122276686150509151221546249750373865024485652349719427182780275825)
c = gp.mpz(108542078809057774666748066235473292495343753790443966020636060807418393737258696352569345621488958094856305865603100885838672591764072157183336139243588435583104423268921439473113244493821692560960443688048994557463526099985303667243623711454841573922233051289561865599722004107134302070301237345400354257869)
for x in range(1, e):
if(e*dp%x==1):
p=(e*dp-1)//x+1
if(n%p!=0):
continue
q=n//p
phin=(p-1)*(q-1)
d=gp.invert(e, phin)
m=gp.powmod(c, d, n)
if(len(hex(m)[2:])%2==1):
continue
print('--------------')
print(m)
print(hex(m)[2:])
print(bytes.fromhex(hex(m)[2:]))
[AFCTF2018]Vigenère
题目很长 就不复制了,总之就是暴力破解
flag is afctf{Whooooooo_U_Gotcha!}
[XNUCA2018]Warmup
追踪tcp流,一个alice的,一个frank的,两人用了一样的n进行加密,可以使用共模攻击。
# 共模攻击
from gmpy2 import*
from libnum import*
N = 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263
e1 = 7669
c1 = 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471
e2 = 6947
c2 = 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568
s = gcdext(e1,e2)
m = pow(c1,s[1],N)*pow(c2,s[2],N)%N
print(n2s(m))
FLAG{g00d_Luck_&_Hav3_Fun}
[BJDCTF 2nd]签到-y1ng
QkpEe1czbGMwbWVfVDBfQkpEQ1RGfQ==
base64
BJD{W3lc0me_T0_BJDCTF}
[NewStarCTF 2023 公开赛道]Fence
栅栏密码
fa{ereigtepanet6680}lgrodrn_h_litx#8fc3
每组字数2
flag{reordering_the_plaintext#686f8c03}
[GXYCTF2019]CommonModulusAttack
共模攻击
class文件是需要反编译的,在线反编译网址:http://javare.cn/
反编译完:
import java.io.IOException;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Random;
import java.util.Scanner;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class CommonModulusAttack {
private Random random = new Random();
private ArrayList states = new ArrayList(24);
private String seed;
private int statespoint = 0;
private int stateselse = 24;
public void oldtest() {
try {
PrintWriter var1 = new PrintWriter("old.txt", "UTF-8");
for(int var2 = 0; var2 < 20; ++var2) {
int var3 = this.random.nextInt();
var1.println(var3);
}
var1.close();
} catch (IOException var4) {
var4.printStackTrace();
}
}
public BigInteger generate_init_state() {
BigInteger var1 = BigInteger.valueOf(0L);
char[] var2 = this.seed.toCharArray();
char[] var3 = var2;
int var4 = var2.length;
for(int var5 = 0; var5 < var4; ++var5) {
char var6 = var3[var5];
var1 = var1.shiftLeft(1);
if(var6 == 49) {
var1 = var1.xor(new BigInteger(this.seed, 2));
}
if(var1.shiftRight(256) != BigInteger.ZERO) {
var1 = var1.xor(new BigInteger("10000000000000000000000000000000000000000000000000000000000000223", 16));
}
}
return var1;
}
public void gen_states() {
BigInteger var1 = this.generate_init_state();
BigInteger var2 = BigInteger.valueOf(17L);
ArrayList var3 = new ArrayList(24);
ArrayList var4 = new ArrayList(24);
for(int var5 = 0; var5 < 24; ++var5) {
BigInteger var6 = BigInteger.probablePrime(512, this.random);
BigInteger var7 = BigInteger.probablePrime(512, this.random);
BigInteger var8 = var6.multiply(var7);
BigInteger var9 = var1.modPow(var2, var8);
var3.add(var8);
var4.add(var9);
}
try {
PrintWriter var11 = new PrintWriter("product", "UTF-8");
for(int var12 = 0; var12 < 24; ++var12) {
var11.println(((BigInteger)var3.get(var12)).toString());
this.states.add(var4.get(var12));
}
var11.close();
} catch (IOException var10) {
var10.printStackTrace();
}
}
public byte[] encrypt(BigInteger var1) {
try {
IvParameterSpec var2 = new IvParameterSpec(new byte[16]);
byte[] var3 = new byte[16];
this.random.nextBytes(var3);
SecretKeySpec var4 = new SecretKeySpec(var3, "AES");
Cipher var5 = Cipher.getInstance("AES/CBC/NoPadding");
var5.init(1, var4, var2);
byte[] var6 = new byte[128];
byte[] var7 = var1.toByteArray();
int var8;
if(var7.length == 129) {
for(var8 = 0; var8 < 128; ++var8) {
var6[var8] = var7[var8 + 1];
}
} else {
for(var8 = 0; var8 < 128; ++var8) {
var6[var8] = var7[var8];
}
}
byte[] var10 = var5.doFinal(var6);
return var10;
} catch (Exception var9) {
var9.printStackTrace();
return null;
}
}
public void gen_new_states() {
for(int var1 = 0; var1 < 24; ++var1) {
BigInteger var2 = (BigInteger)this.states.get(this.statespoint - 24 + var1);
byte[] var3 = this.encrypt(var2);
this.states.add(new BigInteger(var3));
}
this.stateselse += 24;
}
public byte[] stateconvert(BigInteger var1) {
byte[] var2 = this.encrypt(var1);
return var2;
}
public byte[] lrandout() {
if(this.stateselse > 0) {
--this.stateselse;
BigInteger var1 = (BigInteger)this.states.get(this.statespoint);
++this.statespoint;
return this.stateconvert(var1);
} else {
this.gen_new_states();
return this.lrandout();
}
}
public static String byte2hex(byte[] var0) {
StringBuffer var1 = new StringBuffer(var0.length * 2);
for(int var2 = 0; var2 < var0.length; ++var2) {
if((var0[var2] & 255) < 16) {
var1.append("0");
}
var1.append(Long.toString((long)(var0[var2] & 255), 16));
}
return var1.toString();
}
public static String convert_2_binary(String var0) {
byte[] var1 = var0.getBytes();
StringBuilder var2 = new StringBuilder();
byte[] var3 = var1;
int var4 = var1.length;
for(int var5 = 0; var5 < var4; ++var5) {
byte var6 = var3[var5];
int var7 = var6;
for(int var8 = 0; var8 < 8; ++var8) {
var2.append((var7 & 128) == 0?0:1);
var7 <<= 1;
}
}
return var2.toString();
}
public void initseed() {
try {
Scanner var1 = new Scanner(Paths.get("flag", new String[0]), "UTF-8");
String var2 = var1.next();
String var3 = convert_2_binary(var2);
this.seed = var3;
} catch (IOException var4) {
var4.printStackTrace();
}
}
public static void main(String[] var0) {
CommonModulusAttack var1 = new CommonModulusAttack();
var1.oldtest();
var1.initseed();
var1.gen_states();
for(int var2 = 0; var2 < 24; ++var2) {
var1.lrandout();
}
try {
PrintWriter var5 = new PrintWriter("new.txt", "UTF-8");
for(int var3 = 0; var3 < 24; ++var3) {
var5.println(byte2hex(var1.lrandout()));
}
var5.close();
} catch (IOException var4) {
var4.printStackTrace();
}
System.out.println("Bye!");
}
}
先是进行了20次的.random.nextInt(),得到old.txt
然后initseed把flag进行一系列运算,进一步分析得知是在GF(2256)中将flag平方了一下;
state通过RSA part生成的24组(p,q),e=17,加密得到this.states (len(states == 24))
lrandout先AES/CBC完整加密了一次this.states的24个值,但该次并未更新this.states
由于this.stateselse此时为0,因此执行lrandout会先新生成24个state(即调用gen_new_states)
在旧states后新增一长度为24的states后,用新增的states加密得到的结果即为new.txt中内容
需要java暂时不做了
SeedAttack.java
CMA.java
exp.py
[GXYCTF2019]CommonModulusAttack_[gxyctf 2019]commonmodulusattack-CSDN博客
[NewStarCTF 2023 公开赛道]brainfuck
++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++.
在线解密工具:Brainfuck/OoK加密解密 - Bugku CTF
得到flag:
flag{Oiiaioooooiai#b7c0b1866fe58e12}
顺带Ook! 也可以在这个网站解密
[NewStarCTF 2023 公开赛道]Caesar's Secert
kqfl{hf3x4w'x_h1umjw_n5_a4wd_3fed}
凯撒密码 偏移量5 在线凯撒密码加密解密 (lddgo.net)
quip不出来 不知道为啥
flag{ca3s4r's_c1pher_i5_v4ry_3azy}
[NewStarCTF 2023 公开赛道]Vigenère
pqcq{qc_m1kt4_njn_5slp0b_lkyacx_gcdy1ud4_g3nv5x0}
维吉尼亚密码
前四个字母是flag 手算得到密钥kfc 和后面有一道告诉密钥一样都是kfc 但是这道不知道为什么暴力破解不行
暴力破解:Vigenere Solver | guballa.de
知道密钥是kfc后
使用维吉尼亚密码在线加密解密 - 千千秀字 (qqxiuzi.cn)
即可获得flag
flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}
[BJDCTF 2nd]燕言燕语-y1ng
小燕子,穿花衣,年年春天来这里,我问燕子你为啥来,燕子说:
79616E7A69205A4A517B78696C7A765F6971737375686F635F73757A6A677D20
#79616E7A69205A4A517B78696C7A765F6971737375686F635F73757A6A677D20
#yanzi ZJQ{xilzv_iqssuhoc_suzjg}
#维吉尼亚密码
#密钥是yanzi
#BJD{yanzi_jiushige_shabi}
[BJDCTF 2nd]cat_flag
饭团是0 鸡腿是1
[GKCTF2020]小学生的密码学
1、这种形式的加密手法是仿射变换,其加解密分别是:
2、所以可以得到a=11,b=6a=11,b=6,需要做的工作是根据密文c,密钥a/b密文c,密钥a/b求得明文mm。这里a−1a−1计算可以利用Python的gmpy2库中invert函数完成
3、注意仿射变换26个字母按数字0~25记,因此在需要将密文ASCII对应的数值减去97,解密完恢复成字母即加上97
4、此外,题目要求最后的flag为base64形式,因此还需借助Python的base64库中b64encode函数。需要注意的是在Python3中,字符都为unicode编码,而b64encode函数的参数为byte类型,所以必须先转码。
import base64
def decrypt(ciphertext):
plaintext = []
for char in ciphertext:
# Convert character to numeric value in range 0-25 (a-z)
y = ord(char) - ord('a')
# Decrypt using the inverse function
x = (19 * (y - 6)) % 26
# Convert numeric value back to character
plaintext.append(chr(x + ord('a')))
return ''.join(plaintext)
# 密文
ciphertext = "welcylk"
# 解密得到的明文
plaintext = decrypt(ciphertext)
# 将明文转换为Base64格式
plaintext_base64 = base64.b64encode(plaintext.encode()).decode()
print("密文:", ciphertext)
print("解密后的明文:", plaintext)
print("Base64格式的明文:", plaintext_base64)
[NewStarCTF 2023 公开赛道]babyrsa
n是多个素数相乘得到的
分析代码可知用于生成n的质数有15个,但都很小,可以直接分解得到。
from Crypto.Util.number import *
import gmpy2
from secret import flag
bitlen = 512
p = getPrime(bitlen)
q = getPrime(bitlen)
r = getPrime(bitlen)
assert p != q and q != r and p != r
n = p*q*r
phi = (p-1)*(q-1)*(r-1)
while 1:
d = getPrime(256)
try:
e = int(gmpy2.invert(d,phi))
except:
continue
if gmpy2.gcd(e,phi) == 1 :
break
assert flag.startswith(b'CBCTF{')
m = bytes_to_long(flag)
c = pow(m,e,n)
print('c =',c)
print('e =',e)
print('n =',n)
'''
c = 262857004135341325365954795119195630698138090729973647118817900621693212191529885499646534515610526918027363734446577563494752228693708806585707918542489830672358210151020370518277425565514835701391091303404848540885538503732425887366285924392127448359616405690101810030200914619945580943356783421516140571033192987307744023953015589089516394737132984255621681367783910322351237287242642322145388520883300325056201966188529192590458358240120864932085960411656176
e = 543692319895782434793586873362429927694979810701836714789970907812484502410531778466160541800747280593649956771388714635910591027174563094783670038038010184716677689452322851994224499684261265932205144517234930255520680863639225944193081925826378155392210125821339725503707170148367775432197885080200905199759978521133059068268880934032358791127722994561887633750878103807550657534488433148655178897962564751738161286704558463757099712005140968975623690058829135
n = 836627566032090527121140632018409744681773229395209292887236112065366141357802504651617810307617423900626216577416313395633967979093729729146808472187283672097414226162248255028374822667730942095319401316780150886857701380015637144123656111055773881542557503200322153966380830297951374202391216434278247679934469711771381749572937777892991364186158273504206025260342916835148914378411684678800808038832601224951586507845486535271925600310647409016210737881912119
'''
from Crypto.Util.number import long_to_bytes
import random
def gcd(a, b):
while b != 0:
a, b = b, a % b
return a
def pollard_rho(n):
x = random.randint(2, n - 1)
y = x
c = random.randint(1, n - 1)
d = 1
while d == 1:
x = (x * x + c) % n
y = (y * y + c) % n
y = (y * y + c) % n
d = gcd(abs(x - y), n)
return d
def factorize(n):
factors = []
while n % 2 == 0:
factors.append(2)
n //= 2
while n % 3 == 0:
factors.append(3)
n //= 3
while n > 1:
p = pollard_rho(n)
factors.append(p)
n //= p
return factors
# 给定的 n, e, c
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
e = 65537
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
# 分解 n
factors = factorize(n)
print("Factors of n:", factors)
# 计算 φ(n)
phi_n = 1
for p in factors:
phi_n *= (p - 1)
# 计算 d
d = pow(e, -1, phi_n)
# 解密密文
m = pow(c, d, n)
flag = long_to_bytes(m)
print("Decrypted flag:", flag)
[NewStarCTF 公开赛赛道]caeser
synt{uvfgbevpny_pvcure_vf_ihyarenoyr}
quipqiup
flag historical cipher is vulnerable
[Dest0g3 520迎新赛]babyRSA
题目代码:
from Crypto.Util.number import bytes_to_long, getPrime
from gmpy2 import next_prime
p = getPrime(1024)
q = next_prime(p)
n = p*q
flag = open('flag.txt', 'rb').read()
m = bytes_to_long(flag)
e = 65537
c = pow(m, e, n)
print(n)
print(c)
'''
27272410937497615429184017335437367466288981498585803398561456300019447702001403165885200936510173980380489828828523983388730026101865884520679872671569532101708469344562155718974222196684544003071765625134489632331414011555536130289106822732544904502428727133498239161324625698270381715640332111381465813621908465311076678337695819124178638737015840941223342176563458181918865641701282965455705790456658431641632470787689389714643528968037519265144919465402561959014798324908010947632834281698638848683632113623788303921939908168450492197671761167009855312820364427648296494571794298105543758141065915257674305081267
14181751948841206148995320731138166924841307246014981115736748934451763670304308496261846056687977917728671991049712129745906089287169170294259856601300717330153987080212591008738712344004443623518040786009771108879196701679833782022875324499201475522241396314392429412747392203809125245393462952461525539673218721341853515099201642769577031724762640317081252046606564108211626446676911167979492329012381654087618979631924439276786566078856385835786995011067720124277812004808431347148593882791476391944410064371926611180496847010107167486521927340045188960373155894717498700488982910217850877130989318706580155251854
'''
看到q是p的下一个质数,说明值相差不大,直接对n开方,取前一个质数即为p,然后按照求解即可。
pq接近的n
费马分解
解题脚本:
# 发现两个素数是接近的
from Crypto.Util.number import *
import gmpy2
def decrypt_rsa(p, q, e, c):
# Calculate n = p^3 * q^2
n = p**3 * q**2
# Calculate phi(n)
phi_n = (p**3 - p**2) * (q**2 - q)
# Calculate private key d
d = gmpy2.invert(e, phi_n)
# Decrypt ciphertext c
m = pow(c, d, n)
return m
'''开始破解'''
n=27272410937497615429184017335437367466288981498585803398561456300019447702001403165885200936510173980380489828828523983388730026101865884520679872671569532101708469344562155718974222196684544003071765625134489632331414011555536130289106822732544904502428727133498239161324625698270381715640332111381465813621908465311076678337695819124178638737015840941223342176563458181918865641701282965455705790456658431641632470787689389714643528968037519265144919465402561959014798324908010947632834281698638848683632113623788303921939908168450492197671761167009855312820364427648296494571794298105543758141065915257674305081267
c=14181751948841206148995320731138166924841307246014981115736748934451763670304308496261846056687977917728671991049712129745906089287169170294259856601300717330153987080212591008738712344004443623518040786009771108879196701679833782022875324499201475522241396314392429412747392203809125245393462952461525539673218721341853515099201642769577031724762640317081252046606564108211626446676911167979492329012381654087618979631924439276786566078856385835786995011067720124277812004808431347148593882791476391944410064371926611180496847010107167486521927340045188960373155894717498700488982910217850877130989318706580155251854
e=65537
temp=gmpy2.iroot(n,2)[0] #下面会介绍这个函数的用法
p=gmpy2.next_prime(temp)
q=n//p
print(p)
print(q)
assert p*q == n
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
[GKCTF2020]汉字的秘密
王壮夫工王中王夫由由井井人夫中夫夫井王土土夫由
土夫井中士夫王工王人土由由口夫
是当铺密码
解密脚本:
dh = '田口由中人工大土士王夫井羊壮'
ds = '00123455567899'
cip = '王壮 夫工 王中 王夫 由由井 井人 夫中 夫夫 井王 土土 夫由 土夫 井中 士夫 王工 王人 土由 由口夫'
s = ''
for i in cip:
if i in dh:
s += ds[dh.index(i)]
else:
s += ' '
#print(s)
ll = s.split(" ")
t = ''
for i in range(0,len(ll)):
t += chr(int(ll[i])+i+1)
print('t=', t, '\t\tt.lower()=', t.lower())
[NewStarCTF 2023 公开赛道]Rabin's RSA
题目:
from Crypto.Util.number import *
from secret import flag
p = getPrime(64)
q = getPrime(64)
assert p % 4 == 3
assert q % 4 == 3
n = p * q
e = 2
m = bytes_to_long(flag)
c = pow(m,e,n)
print('n =', n)
print('c =', c)
# n = 201354090531918389422241515534761536573
# c = 20442989381348880630046435751193745753
rabin加密
先分解n factordb.com
然后套用rabin解密脚本,这道题不需要右移就可以直接得到flag
from Crypto.Util.number import *
import gmpy2
# n = 201354090531918389422241515534761536573
# c = 20442989381348880630046435751193745753
# 先分解n
#http://factordb.com/index.php
c = 20442989381348880630046435751193745753
n = 201354090531918389422241515534761536573
p = 13934102561950901579
q = 14450452739004884887
inv_p = gmpy2.invert(p, q)
inv_q = gmpy2.invert(q, p)
def de_rabin(c):
mp = pow(c, (p+1) // 4, p)
mq = pow(c, (q+1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n
b = n-int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n
d = n-int(c)
return a,b,c,d
a,b,c,d=de_rabin(c)
l=[a,b,c,d]
for ll in l:
print(long_to_bytes(ll))
[DASCTF Sept X 浙江工业大学秋季挑战赛]签到
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
import random
flag=b'flag{******************}'
n = 2 ** 256
flaglong=bytes_to_long(flag)
m = random.randint(2, n-1) | 1
c = pow(m, flaglong, n)
print('m = ' + str(m))
print('c = ' + str(c))
# m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
# c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
参考[网鼎杯 2020 青龙组]you_raise_me_up。
from sympy.ntheory import discrete_log
from Crypto.Util.number import long_to_bytes
n = 2 ** 256
m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
flag = discrete_log(n,c,m)
print(hex(flag))
#0x666c61677b4441534354465f7a6a75747d
d = long_to_bytes(flag)
print("Decrypted flag:", d)
[NewStarCTF 公开赛赛道]吉奥万·巴蒂斯塔·贝拉索先生的密码
pqcq{gteygpttmj_kc_zuokwv_kqb_gtofmssi_mnrrjt}
Hint: key length is 3
维吉尼亚密码 密钥长度为3
暴力破解
#https://www.guballa.de/vigenere-solver
密钥为kfc
flag{bruteforce_is_useful_for_breaking_cipher}
[NewStarCTF 2023 公开赛道]Small d
Michael J. Wiener 觉得很赞
题目:
from secret import flag
from Crypto.Util.number import *
p = getPrime(1024)
q = getPrime(1024)
d = getPrime(32)
e = inverse(d, (p-1)*(q-1))
n = p*q
m = bytes_to_long(flag)
c = pow(m,e,n)
print(c)
print(e)
print(n)
# c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
# n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
维纳攻击
适用情况:rsa的e过大或过小。
脚本:
from Crypto.Util.number import long_to_bytes
import gmpy2
def continued_fractions(e, n):
cf = [0]
while n % e != 0:
q = n // e
r = n % e
cf.append(q)
n = e
e = r
cf.append(n // e)
return cf
def convergents(cf):
h1, h2 = 0, 1
k1, k2 = 1, 0
for h in cf:
h1, h2 = h2, h * h2 + h1
k1, k2 = k2, h * k2 + k1
yield h2, k2
def wiener_attack(e, n):
cf = continued_fractions(e, n)
for k, d in convergents(cf):
if k == 0:
continue
phi_n = (e * d - 1) // k
b = n - phi_n + 1
discriminant = b * b - 4 * n
if discriminant >= 0:
sqrt_disc = gmpy2.isqrt(discriminant)
if sqrt_disc * sqrt_disc == discriminant:
p = (b - sqrt_disc) // 2
q = (b + sqrt_disc) // 2
if p * q == n:
return d
return None
# 给定的 e, n, c
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# 使用维亚攻击找到 d
d = wiener_attack(e, n)
if d:
# 解密密文
m = pow(c, d, n)
flag = long_to_bytes(m)
print("Decrypted flag:", flag)
else:
print("Wiener's attack failed.")
[NewStarCTF 2023 公开赛道]babyxor
from secret import *
ciphertext = []
for f in flag:
ciphertext.append(f ^ key)
print(bytes(ciphertext).hex())
# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2
简单的异或
方法一:爆破key
a = 'e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
c = bytes.fromhex(a)
for i in range(256):
flag = []
for j in c:
flag.append(j ^ i)
if b'flag' in bytes(flag):
print(bytes(flag))
# flag{x0r_15_symm3try_and_e4zy!!!!!!}
方法二:直接求key,key = ord(‘f’) ^ (密文第一个字节)
a = 'e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
c = bytes.fromhex(a)
key = ord('f') ^ c[0]
flag = []
for j in c:
flag.append(j ^ key)
print(bytes(flag))
# flag{x0r_15_symm3try_and_e4zy!!!!!!}
[NewStarCTF 2023 公开赛道]不止一个pi
from flag import flag
from Crypto.Util.number import *
import gmpy2
p = getPrime(1024)
q = getPrime(1024)
n = p**3*q**2
print("q = ",q)
print("p = ",p)
m = bytes_to_long(flag.encode())
c = pow(m,65537,n)
print("c = ",c)
# q = 115478867870347527660680329271012852043845868401928361076102779938370270670897498759391844282137149013845956612257534640259997979275610235395706473965973203544920469416283181677660262509481282536465796731401967694683575843183509430017972506752901270887444490905891490955975762524187534052478173966117471143713
# p = 171790960371317244087615913047696670778115765201883835525456016207966048658582417842936925149582378305610304505530997833147251832289276125084339614808085356814202236463900384335878760177630501950384919794386619363394169016560485152083893183420911295712446925318391793822371390439655160077212739260871923935217
# c = 4459183928324369762397671605317600157512712503694330767938490496225669985050002776253470841193156951087663107866714426230222002399666306287642591077990897883174134404896800482234781531592939043551832049756571987010173667074168282355520711905659013076509353523088583347373358980842707686611157050425584598825151399870268083867269912139634929397957514376826145870752116583185351576051776627208882377413433140577461314504762388617595282085102271510792305560608934353515552201553674287954987323321512852114353266359364282603487098916608302944694600227628787791876600901537888110093703612414836676571562487005330299996908873589228072982641114844761980143047920770114535924959765518365614709272297666231481655857243004072049094078525569460293381479558148506346966064906164209362147313371962567040047084516510135054571080612077333228195608109065475260832580192321853906138811139036658485688320161530131239854003996457871663456850196483520239675981391047452381998620386899101820782421605287708727667663038905378115235163773867508258208867367314108701855709002634592329976912239956212490788262396106230191754680813790425433763427315230330459349320412354189010684525105318610102936715203529222491642807382215023468936755584632849348996666528981269240867612068382243822300418856599418223875522408986596925018975565057696218423036459144392625166761522424721268971676010427096379610266649911939139451989246194525553533699831110568146220347603627745407449761792135898110139743498767543521297525802809254842518002190381508964357001211353997061417710783337
很容易知道这道题考察的是欧拉函数。所以解密脚本如下:
import gmpy2
from Crypto.Util.number import *
def decrypt_rsa(p, q, e, c):
# Calculate n = p^3 * q^2
n = p**3 * q**2
# Calculate phi(n)
phi_n = (p**3 - p**2) * (q**2 - q)
# Calculate private key d
d = gmpy2.invert(e, phi_n)
# Decrypt ciphertext c
m = pow(c, d, n)
return m
q = 115478867870347527660680329271012852043845868401928361076102779938370270670897498759391844282137149013845956612257534640259997979275610235395706473965973203544920469416283181677660262509481282536465796731401967694683575843183509430017972506752901270887444490905891490955975762524187534052478173966117471143713
p = 171790960371317244087615913047696670778115765201883835525456016207966048658582417842936925149582378305610304505530997833147251832289276125084339614808085356814202236463900384335878760177630501950384919794386619363394169016560485152083893183420911295712446925318391793822371390439655160077212739260871923935217
c = 4459183928324369762397671605317600157512712503694330767938490496225669985050002776253470841193156951087663107866714426230222002399666306287642591077990897883174134404896800482234781531592939043551832049756571987010173667074168282355520711905659013076509353523088583347373358980842707686611157050425584598825151399870268083867269912139634929397957514376826145870752116583185351576051776627208882377413433140577461314504762388617595282085102271510792305560608934353515552201553674287954987323321512852114353266359364282603487098916608302944694600227628787791876600901537888110093703612414836676571562487005330299996908873589228072982641114844761980143047920770114535924959765518365614709272297666231481655857243004072049094078525569460293381479558148506346966064906164209362147313371962567040047084516510135054571080612077333228195608109065475260832580192321853906138811139036658485688320161530131239854003996457871663456850196483520239675981391047452381998620386899101820782421605287708727667663038905378115235163773867508258208867367314108701855709002634592329976912239956212490788262396106230191754680813790425433763427315230330459349320412354189010684525105318610102936715203529222491642807382215023468936755584632849348996666528981269240867612068382243822300418856599418223875522408986596925018975565057696218423036459144392625166761522424721268971676010427096379610266649911939139451989246194525553533699831110568146220347603627745407449761792135898110139743498767543521297525802809254842518002190381508964357001211353997061417710783337
e = 65537
plaintext = decrypt_rsa(p, q, e, c)
print("Decrypted plaintext:", plaintext)
print(long_to_bytes(plaintext))
[NewStarCTF 2023 公开赛道]滴啤
from Crypto.Util.number import *
import gmpy2
from flag import flag
def gen_prime(number):
p = getPrime(number//2)
q = getPrime(number//2)
return p,q
m = bytes_to_long(flag.encode())
p,q = gen_prime(1024)
print(p*q)
e = 65537
d = gmpy2.invert(e,(p-1)*(q-1))
print(d%(p-1))
print(pow(m,e,p*q))
# 93172788492926438327710592564562854206438712390394636149385608321800134934361353794206624031396988124455847768883785503795521389178814791213054124361007887496351504099772757164211666778414800698976335767027868761735533195880182982358937211282541379697714874313863354097646233575265223978310932841461535936931
# 307467153394842898333761625034462907680907310539113349710634557900919735848784017007186630645110812431448648273172817619775466967145608769260573615221635
# 52777705692327501332528487168340175436832109866218597778822262268417075157567880409483079452903528883040715097136293765188858187142103081639134055997552543213589467751037524482578093572244313928030341356359989531451789166815462417484822009937089058352982739611755717666799278271494933382716633553199739292089
dp泄露
脚本:
#dp泄露
import gmpy2 as gp
e = 65537
n = gp.mpz(93172788492926438327710592564562854206438712390394636149385608321800134934361353794206624031396988124455847768883785503795521389178814791213054124361007887496351504099772757164211666778414800698976335767027868761735533195880182982358937211282541379697714874313863354097646233575265223978310932841461535936931)
dp = gp.mpz(307467153394842898333761625034462907680907310539113349710634557900919735848784017007186630645110812431448648273172817619775466967145608769260573615221635)
c = gp.mpz(52777705692327501332528487168340175436832109866218597778822262268417075157567880409483079452903528883040715097136293765188858187142103081639134055997552543213589467751037524482578093572244313928030341356359989531451789166815462417484822009937089058352982739611755717666799278271494933382716633553199739292089)
for x in range(1, e):
if(e*dp%x==1):
p=(e*dp-1)//x+1
if(n%p!=0):
continue
q=n//p
phin=(p-1)*(q-1)
d=gp.invert(e, phin)
m=gp.powmod(c, d, n)
if(len(hex(m)[2:])%2==1):
continue
print('--------------')
print(m)
print(hex(m)[2:])
print(bytes.fromhex(hex(m)[2:]))
#flag{cd5ff82d-989c-4fbf-9543-3f98ab567546}
[NewStarCTF 2023 公开赛道]babyaes
from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *
def pad(data):
return data + b"".join([b'\x00' for _ in range(0, 16 - len(data))])
def main():
flag_ = pad(flag)
key = os.urandom(16) * 2
iv = os.urandom(16)
print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
aes = AES.new(key, AES.MODE_CBC, iv)
enc_flag = aes.encrypt(flag_)
print(enc_flag)
if __name__ == "__main__":
main()
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
from Crypto.Util.number import *
from Crypto.Cipher import AES
a = 3657491768215750635844958060963805125333761387746954618540958489914964573229
c = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
key = long_to_bytes(a)[:16]
iv = bytes_to_long(key) ^ bytes_to_long(long_to_bytes(a)[16:]) ^ 1
aes = AES.new(key * 2,AES.MODE_CBC,long_to_bytes(iv))
flag = aes.decrypt(c)
print(flag)
# flag{firsT_cry_Aes}
'''
buu上有一道与这道题很类似
key等于字节a的前16位 * 2
iv = 字节a后16位 ^ key的前一半 ^ 1
key,iv都出来了,那么flag就好说了。。
'''
AES(Advanced Encryption Standard)加密是一种对称密钥加密算法,它是目前应用最为广泛的密码学标准之一。
AES算法采用的加密密钥长度有128位、192位和256位三种不同的长度。
相对于早期常用的加密算法如DES(Data Encryption Standard)算法,AES算法具有更高的安全性和更快的加密速度。
AES加密的基本思路是将原始的明文分成固定长度的块(通常为128位),然后通过密钥进行加密,得到密文。
在解密时,再用相同的密钥将密文解密为原始的明文。
AES加密算法的核心是转换采用的SPN(Substitution-Permutation Network)结构,它包含四种子步骤:
- 字节替代
- 行移位
- 列混淆
- 轮密钥加
这些子步骤的组合可以有效地实现加密和解密过程。
AES加密具有很高的安全性和可靠性,它已经成为许多安全应用中必不可少的一部分,例如TLS(Transport Layer Security)协议、VPN(Virtual Private Network)以及硬盘和USB驱动器等存储设备的加密。当前,AES加密已成为许多国家和组织的标准加密算法,也被广泛应用于金融、电子商务、军事和政府等行业。
[Dest0g3 520迎新赛]babyAES
题目:
from Crypto.Cipher import AES
import os
iv = os.urandom(16)
key = os.urandom(16)
my_aes = AES.new(key, AES.MODE_CBC, iv)
flag = open('flag.txt', 'rb').read()
flag += (16 - len(flag) % 16) * b'\x00'
c = my_aes.encrypt(flag)
print(c)
print(iv)
print(key)
'''
b'C4:\x86Q$\xb0\xd1\x1b\xa9L\x00\xad\xa3\xff\x96 hJ\x1b~\x1c\xd1y\x87A\xfe0\xe2\xfb\xc7\xb7\x7f^\xc8\x9aP\xdaX\xc6\xdf\x17l=K\x95\xd07'
b'\xd1\xdf\x8f)\x08w\xde\xf9yX%\xca[\xcb\x18\x80'
b'\xa4\xa6M\xab{\xf6\x97\x94>hK\x9bBe]F'
'''
百度简单理解一下AES加密算法,分析题目发生是CBC模式,知道了偏移量iv,密钥key,可以进行解密,脚本如下:
from Crypto.Cipher import AES
c = b'C4:\x86Q$\xb0\xd1\x1b\xa9L\x00\xad\xa3\xff\x96 hJ\x1b~\x1c\xd1y\x87A\xfe0\xe2\xfb\xc7\xb7\x7f^\xc8\x9aP\xdaX\xc6\xdf\x17l=K\x95\xd07'
iv = b'\xd1\xdf\x8f)\x08w\xde\xf9yX%\xca[\xcb\x18\x80'
key = b'\xa4\xa6M\xab{\xf6\x97\x94>hK\x9bBe]F'
my_aes = AES.new(key, AES.MODE_CBC, iv)
m = my_aes.decrypt(c)
print(m)
#密钥key和偏移量iv都给了,直接解密,比上一个题还简单。
[BJDCTF 2nd]Y1nglish-y1ng
Nkbaslk ds sef aslckdqdqst. Sef aslckdqdqst qo lzqtbw usf ufkoplkt zth oscpslsfko. Dpkfk zfk uqjk dwcko su dscqao qt dpqo aslckdqdqst, kzap su npqap qo jkfw mzoqa. Qu wse zfk qtdkfkodkh qt tkdnsfw okaefqdw, nkbaslk ds czfdqaqczdk. Bkd lk dkbb wse z odsfw.
Q nzo pzjqtv hqttkf zd z fkodzefztd npkt Pzffw Odkkbk azlk qt, pk qo z Izcztkok ufsl Izczt med tsn pk qo tsd bqjqtv qt Izczt, lzwmk Pzffw qot'd z Izcztkok tzlk med pk qo fkzbbw z Izcztkok. Pzffw nsfwkh qt z bznwkf'o suuqak wkzfo zvs, med pk qo tsn nsfwqtv zd z mztw. Pk vkdo z vssh ozbzfw, med pk zbnzwo msffsno lstkw ufsl pqo ufqktho zth tkjkf czwo qd mzaw. Pzffw ozn lk zth azlk zthozdzd dpk ozlk dzmbk. Pk pzo tkjkf msffsnkh lstkw ufsl lk. Npqbk pk nzo kzdqtv, Q zowkh pql ds bkth lk &2. Ds lw oefcfqok, pk vzjk lk dpk lstkw qllkhqzdkbw. 'Q pzjk tkjkf msfffsnkh ztw lstkw ufsl wse,' Pzffw ozqh,'os tsn wse azt czw usf lw hqttkf!' Tsn q nqbb vqjk wse npzd wse nztd.
MIH{cwdp0t_Mfed3_u0fa3_sF_geqcgeqc_ZQ_Af4aw}
quipqiup
Welcome to our competition. Our competition is mainly for freshmen and sophomores. There are five types of topics in this competition, each of which is very basic. If you are interested in networy security, welcome to participate. Let me tell you a story. I was having dinner at a restaurant when Harry Steele came in, he is a Japanese from Japan but now he is not living in Japan, maybe Harry isn't a Japanese name but he is really a Japanese. Harry woryed in a lawyer's office years ago, but he is now worying at a bany. He gets a good salary, but he always borrows money from his friends and never pays it bacy. Harry saw me and came andsatat the same table. He has never borrowed money from me. While he was eating, I asyed him to lend me &2. To my surprise, he gave me the money immediately. 'I have never borrrowed any money from you,' Harry said,'so now you can pay for my dinner!' Now i will give you what you want. BJD{pyth0n_Brut3_f0rc3_oR_quipquip_AI_Cr4cy}
[NewStarCTF 公开赛赛道]eazyxor
题目:
from os import urandom
from secret import flag
key = urandom(1)
def xor(plaintext, key):
ret = []
for i in range(len(plaintext)):
ret.append(plaintext[i] ^ key[0])
return bytes(ret)
ciphertext = xor(flag, key)
print(ciphertext.hex())
output:
9b919c9a8685cd8fa294c8a28c88cc89cea2ce9c878480
异或运算,已知155与key异或为chr(‘f’),可求得key=155^102,算出flag为
flag{x0r_i5_qu1t3_3azy}
脚本:
#eazyxor
from os import urandom
key =155^102
s=[155,145,156,154,134,133,205,143,162,148,200,162,140,136,204,137,206,162,206,156,135,132,128]
#9b919c9a8685cd8fa294c8a28c88cc89cea2ce9c878480
flag=[]
for i in range(len(s)):
for j in range(128):
if(j^key==s[i]):
flag.append(j)
break
for i in range(len(flag)):
flag[i]=chr(flag[i])
flag=''.join(flag)
print(flag)
[NewStarCTF 2023 公开赛道]Affine
Caesar with multiplication
题目:
from flag import flag, key
modulus = 256
ciphertext = []
for f in flag:
ciphertext.append((key[0]*f + key[1]) % modulus)
print(bytes(ciphertext).hex())
# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064
脚本:
from Crypto.Util.number import inverse
# 已知的密文
ciphertext_hex = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
ciphertext = bytes.fromhex(ciphertext_hex)
# 假设我们有两个已知的明文-密文对
# 使用f和l这两个已知字符是无法合适求解的 所以一定要灵活 整体往后取一位用l和a求解就好了
# 例如:明文 'l' -> 密文 0x43
# 明文 'a' -> 密文 0x88
p1 = ord('l')
c1 = 0x43
p2 = ord('a')
c2 = 0x88
# 建立方程
# c1 = (key[0] * p1 + key[1]) % 256
# c2 = (key[0] * p2 + key[1]) % 256
# 解方程
# c1 - c2 = key[0] * (p1 - p2) % 256
key0 = (c1 - c2) * inverse(p1 - p2, 256) % 256
key1 = (c1 - key0 * p1) % 256
# 验证 key0 和 key1 是否正确
assert (key0 * p1 + key1) % 256 == c1
assert (key0 * p2 + key1) % 256 == c2
# 解密密文
plaintext = []
for c in ciphertext:
p = (inverse(key0, 256) * (c - key1)) % 256
plaintext.append(p)
print(bytes(plaintext).decode('latin1'))
[NewStarCTF 公开赛赛道]RSA_begin
超级综合的rsa
from Crypto.Util.number import *
from secret import flag
assert len(flag) % 5 == 0
cnt = len(flag) // 5
flags = [flag[cnt*i:cnt*(i+1)] for i in range(5)]
# Try to implement your RSA with primes p and q
def level1(message):
m = bytes_to_long(message)
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x10001
assert m < n
c = pow(m, e, n)
print(f'c = {c}')
print(f'p = {p}')
print(f'q = {q}')
# But how can we attack the RSA when we didn't know the primes?
def level2(message):
m = bytes_to_long(message)
p = getPrime(64)
q = getPrime(64)
n = p * q
e = 0x10001
assert m < n
c = pow(m, e, n)
print(f'c = {c}')
print(f'n = {n}')
# Different e may cause danger?
def level3(message):
m = bytes_to_long(message)
p = getPrime(512)
q = getPrime(512)
e = 3
n = p * q
assert m < n
c = pow(m, e, n)
print(f'c = {c}')
print(f'n = {n}')
# So is there anything wrong with RSA as shown below?
def level4(message):
m = bytes_to_long(message)
p = getPrime(512)
q = getPrime(512)
d = getPrime(64)
e = inverse(d, (p-1) * (q-1))
n = p * q
assert m < n
c = pow(m, e, n)
print(f'c = {c}')
print(f'e = {e}')
print(f'n = {n}')
# What about different n? Just have a try with the hint!
def level5(message):
m = bytes_to_long(message)
p = getPrime(512)
q = getPrime(512)
n = p * p * q
e = 0x10001
d = inverse(e, p * (p-1) * (q-1))
assert m < n
c = pow(m, e, n)
hint = pow(d, e, n)
print(f'c = {c}')
print(f'hint = {hint}')
print(f'n = {n}')
print('Level 1:')
level1(flags[0])
print('Level 2:')
level2(flags[1])
print('Level 3:')
level3(flags[2])
print('Level 4:')
level4(flags[3])
print('Level 5:')
level5(flags[4])
lv1:
知道p,q,e,直接算n,然后算d,然后c^d mod n 解密
c = 22160015525054597533062795679117215923801827397299805735087138192137742945881204146337349060934854888054628153923021387981306839951210090523829296521835965212118849043671673133979884712755090374758002677916820953359774554825569218497687506468472278309097929775388010403607769802840990547048001743970754496905
p = 6962443023774446497102092246794613339314677593117417573764609329949026862782472380488956732038459060928443992561763464365758383525259954798321350043810351
q = 9631855759661411029901156175243744760977799976661519182223576693685069000499866459636568713055906075171480855575061732016121299027658733834671035383233163
n = p * q
e = 0x10001
d = pow(e, -1, (p-1)*(q-1))
m = pow(c, d, n)
print(hex(m))
#0x666c61677b5730775f
print(bytes.fromhex(hex(m)[2:])) # 16进制转文本
#b'flag{W0w_'
lv2:
n太小,低解密指数攻击,分解n
'''
Level 2:
c = 17250922799297131008803303235771955129
n = 134097988095851988085603926250918812377
'''
c = 17250922799297131008803303235771955129
n = 134097988095851988085603926250918812377
e = 0x10001
# http://factordb.com/ 分解n
# p = 10094271714305059493
# q = 13284562957208247589
p = 10094271714305059493
q = 13284562957208247589
d = pow(e, -1, (p-1)*(q-1))
m = pow(c,d,n)
print(m)
print(bytes.fromhex(hex(m)[2:])) # 16进制转文本
#b'U_ar3_re4'
lv3:
e太小,小指数攻击
'''
Level 3:
c = 2776571135646565181849912433877522437622755332262910824866791711
n = 85793694792655420934945863688968944466300304898903354212780512650924132933351787673979641944071634528676901506049360194331553838080226562532784448832916022442020751986591703547743056267118831445759258041047213294368605599719242059474324548598203039032847591828382166845797857139844445858881218318006747115157
'''
import gmpy2
from Crypto.Util.number import *
import binascii
# 给定参数
e = 3
c = 2776571135646565181849912433877522437622755332262910824866791711
n = 85793694792655420934945863688968944466300304898903354212780512650924132933351787673979641944071634528676901506049360194331553838080226562532784448832916022442020751986591703547743056267118831445759258041047213294368605599719242059474324548598203039032847591828382166845797857139844445858881218318006747115157
i = 0
while True:
if gmpy2.iroot((c+i*n),e)[1] == True:
m = gmpy2.iroot((c+i*n),e)[0]
break
i += 1
print(binascii.unhexlify(hex(m)[2:]))
#b'L1y_g0Od_'
lv4:
e特别大,n就显得特别小,低解密指数攻击(维纳攻击)
'''
Level 4:
c = 68588738085497640698861260094482876262596289469248772328560280530093163764972313090939471997156632421517452790632223565521726590730640805290182026911025142051864898712501214753986865172996090706657535814234291235489829621372021092488300236623525366939477695283380634188510950335639019458758643273802572617191
e = 51999725233581619348238930320668315462087635295211755849675812266270026439521805156908952855288255992098479180003264827305694330542325533165867427898010879823017054891520626992724274019277478717788189662456052796449734904215067032681345261878977193341769514961038309763898052908572726913209883965288047452751
n = 68816697240190744603903822351423855593899797203703723038363240057913366227564780805815565183450516726498872118491739132110437976570592602837245705802946829337567674506561850972973663435358068441037127926802688722648016352967768929007662772115485020718202683004813042834036078650571763978066558718285783045969
'''
#e特别大 d就很小,低解密指数攻击(维纳攻击)
import binascii
import gmpy2
def transform(x, y): # 使用辗转相除将分数 x/y 转为连分数的形式
res = []
while y:
res.append(x // y)
x, y = y, x % y
return res
def continued_fraction(sub_res):
numerator, denominator = 1, 0
for i in sub_res[::-1]: # 从sublist的后面往前循环
denominator, numerator = numerator, i * numerator + denominator
return denominator, numerator # 得到渐进分数的分母和分子,并返回
# 求解每个渐进分数
def sub_fraction(x, y):
res = transform(x, y)
res = list(map(continued_fraction, (res[0:i] for i in range(1, len(res))))) # 将连分数的结果逐一截取以求渐进分数
return res
def get_pq(a, b, c): # 由p+q和pq的值通过维达定理来求解p和q
par = gmpy2.isqrt(b * b - 4 * a * c) # 由上述可得,开根号一定是整数,因为有解
x1, x2 = (-b + par) // (2 * a), (-b - par) // (2 * a)
return x1, x2
def wienerAttack(e, n):
for (d, k) in sub_fraction(e, n): # 用一个for循环来注意试探e/n的连续函数的渐进分数,直到找到一个满足条件的渐进分数
if k == 0: # 可能会出现连分数的第一个为0的情况,排除
continue
if (e * d - 1) % k != 0: # ed=1 (mod φ(n)) 因此如果找到了d的话,(ed-1)会整除φ(n),也就是存在k使得(e*d-1)//k=φ(n)
continue
phi = (e * d - 1) // k # 这个结果就是 φ(n)
px, qy = get_pq(1, n - phi + 1, n)
if px * qy == n:
p, q = abs(int(px)), abs(int(qy)) # 可能会得到两个负数,负负得正未尝不会出现
d = gmpy2.invert(e, (p - 1) * (q - 1)) # 求ed=1 (mod φ(n))的结果,也就是e关于 φ(n)的乘法逆元d
return d
print("该方法不适用")
c = 68588738085497640698861260094482876262596289469248772328560280530093163764972313090939471997156632421517452790632223565521726590730640805290182026911025142051864898712501214753986865172996090706657535814234291235489829621372021092488300236623525366939477695283380634188510950335639019458758643273802572617191
e = 51999725233581619348238930320668315462087635295211755849675812266270026439521805156908952855288255992098479180003264827305694330542325533165867427898010879823017054891520626992724274019277478717788189662456052796449734904215067032681345261878977193341769514961038309763898052908572726913209883965288047452751
n = 68816697240190744603903822351423855593899797203703723038363240057913366227564780805815565183450516726498872118491739132110437976570592602837245705802946829337567674506561850972973663435358068441037127926802688722648016352967768929007662772115485020718202683004813042834036078650571763978066558718285783045969
d = wienerAttack(e, n)
m = pow(c, d, n)
print(int(m))
print(binascii.unhexlify(hex(m)[2:]))
#b'4t_m4th_4'
lv5:
给了个hint,通过数学推导来算p,有p就有q了
https://blog.csdn.net/villons/article/details/127032979
'''
c = 1135954814335407362237156338232840769700916726653557860319741136149066730262056907097728029957898420630256832277578506404721904131425822963948589774909272408535427656986176833063600681390871582834223748797942203560505159946141171210061405977060061656807175913366911284450695116982731157917343650021723054666494528470413522258995220648163505549701953152705111304471498547618002847587649651689203632845303117282630095814054989963116013144483037051076441508388998829
hint = 611144874477135520868450203622074557606421849009025270666985817360484127602945558050689975570970227439583312738313767886380304814871432558985582586031211416586296452510050692235459883608453661597776103386009579351911278185434163016083552988251266501525188362673472772346212970459561496301631587043106524741903627979311997541301471894670374945556313285203740782346029579923650160327646876967315182335114575921178144825057359851607166387868294019144940296084605930
n = 1232865496850144050320992645475166723525103370117149219196294373695624167653495180701004894188767069545579706264513808335877905149818445940067870026924895990672091745229251935876434509430457142930654307044403355838663341948471348893414890261787326255632362887647279204029327042915224570484394917295606592360109952538313570951448278525753313335289675455996833500751672463525151201002407861423542656805624090223118747404488579783372944593022796321473618301206064979
'''
#https://blog.csdn.net/villons/article/details/127032979
from Crypto.Util.number import *
import gmpy2
c = 1135954814335407362237156338232840769700916726653557860319741136149066730262056907097728029957898420630256832277578506404721904131425822963948589774909272408535427656986176833063600681390871582834223748797942203560505159946141171210061405977060061656807175913366911284450695116982731157917343650021723054666494528470413522258995220648163505549701953152705111304471498547618002847587649651689203632845303117282630095814054989963116013144483037051076441508388998829
hint = 611144874477135520868450203622074557606421849009025270666985817360484127602945558050689975570970227439583312738313767886380304814871432558985582586031211416586296452510050692235459883608453661597776103386009579351911278185434163016083552988251266501525188362673472772346212970459561496301631587043106524741903627979311997541301471894670374945556313285203740782346029579923650160327646876967315182335114575921178144825057359851607166387868294019144940296084605930
n = 1232865496850144050320992645475166723525103370117149219196294373695624167653495180701004894188767069545579706264513808335877905149818445940067870026924895990672091745229251935876434509430457142930654307044403355838663341948471348893414890261787326255632362887647279204029327042915224570484394917295606592360109952538313570951448278525753313335289675455996833500751672463525151201002407861423542656805624090223118747404488579783372944593022796321473618301206064979
e = 0x10001
p=gmpy2.gcd(hint*e**e-1,n)
q=n//(p*p)
d = inverse(e, p * (p-1) * (q-1))
m=pow(c,d,n)
print(long_to_bytes(m))
#b'nD_RSA!!}'
#flag{W0w_U_ar3_re4L1y_g0Od_4t_m4th_4nD_RSA!!}
[NewStarCTF 2023 公开赛道]partial decrypt
from secret import flag
from Crypto.Util.number import *
m = bytes_to_long(flag)
e = 65537
p = getPrime(512)
q = getPrime(512)
n = p*q
c = pow(m,e,n)
dp = inverse(e, (p-1))
dq = inverse(e, (q-1))
m1 = pow(c,dp, p)
m2 = pow(c,dq, q)
q_inv = inverse(q, p)
h = (q_inv*(m1-m2)) % p
print('m2 =', m2)
print('h =', h)
print('q =', q)
# m2 = 4816725107096625408335954912986735584642230604517017890897348901815741632668751378729851753037917164989698483856004115922538576470127778342121497852554884
# h = 4180720137090447835816240697100630525624574275
# q = 7325294399829061614283539157853382831627804571792179477843187097003503398904074108324900986946175657737035770512213530293277111992799331251231223710406931
注:print(inverse(3,7)) #3是要求逆元的数,7是模数
给了个h,也是通过推导:
但是k4大小未知,正负都有可能。但是题目说只求一半,因此m>q,即k4<0 所以h就是我们要求的系数。
m = m2 + h*q
print(long_to_bytes(m))
[HarekazeCTF2019]Now We Can Play!!
pwn与ctf的结合,详情可以看[crypto-Now We Can Play!!(HarekazeCTF 2019)_harekazectf2019]now we can play!!-CSDN博客https://blog.csdn.net/figfig55/article/details/128471188
[NewStarCTF 公开赛赛道]ezRabin
题目:
from Crypto.Util.number import *
from somewhere_you_do_not_know import flag
#flag格式为 flag{XXXX}
def ezprime(n):
p=getPrime(n)
while p%4!=3:
p=getPrime(n)
return p
p=ezprime(512)
q=ezprime(512)
n=p*q
m=bytes_to_long(flag)
m=(m<<(300))+getRandomNBitInteger(300)
assert m**2>n and m<n
c=pow(m,4,n)
print('c=',c)
print('p=',p)
print('q=',q)
'''
c= 59087040011818617875466940950576089096932769518087477304162753047334728508009365510335057824251636964132317478310267427589970177277870220660958570994888152191522928881774614096675980017700457666192609573774572571582962861504174396725705862549311100229145101667835438230371282904888448863223898642183925834109
p= 10522889477508921233145726452630168129218487981917965097647277937267556441871668611904567713868254050044587941828674788953975031679913879970887998582514571
q= 11287822338267163056031463255265099337492571870189068887689824393221951058498526362126606231275830844407608185240702408947800715624427717739233431252556379
就要花里胡哨(
'''
看题目名就可以知道考察的是Rabin加密,这个加密和RSA很像,但又有区别,解密过程更是大有不同。
Rabin与RSA一样有参数p、q、e,且n=p*q,但Rabin中e取固定值e=2,p和q都是模4余3的素数。
基本的Rabin解密可以参考RSA攻击之Rabin密码体制_rabin攻击-CSDN博客
解密脚本:
可以从网上找标准的Rabin解密脚本(e=2),过程十分固定,本题e=4只要依据e=2稍作修改,将4次方看做平方外再套一层平方即可,也就是进行两次e=2时的解密,一共得到4*4=16个解,再右移30位后从中找到flag即可。
import gmpy2
from Crypto.Util.number import *
p=10522889477508921233145726452630168129218487981917965097647277937267556441871668611904567713868254050044587941828674788953975031679913879970887998582514571
q=11287822338267163056031463255265099337492571870189068887689824393221951058498526362126606231275830844407608185240702408947800715624427717739233431252556379
n=p*q
e=2
c=59087040011818617875466940950576089096932769518087477304162753047334728508009365510335057824251636964132317478310267427589970177277870220660958570994888152191522928881774614096675980017700457666192609573774572571582962861504174396725705862549311100229145101667835438230371282904888448863223898642183925834109
inv_p = gmpy2.invert(p, q)
inv_q = gmpy2.invert(q, p)
def de_rabin(c):
mp = pow(c, (p+1) // 4, p)
mq = pow(c, (q+1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n
b = n-int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n
d = n-int(c)
return a,b,c,d
'''e=4的解密,就是做两次e=2的rabin解密,
第一次得到4个解,将4个解作为新的c分别再做一次e=2的rabin解密,
所以共得到16个解,右移300位后看看哪个解是flag'''
a,b,c,d=de_rabin(c)
a1,a2,a3,a4=de_rabin(a)
b1,b2,b3,b4=de_rabin(b)
c1,c2,c3,c4=de_rabin(c)
d1,d2,d3,d4=de_rabin(d)
l=[a1,a2,a3,a4,b1,b2,b3,b4,c1,c2,c3,c4,d1,d2,d3,d4]
for ll in l:
print(long_to_bytes(ll>>300))
#flag{R4bin_3ncrypti0n_with_3_mod_4_is_two_e4sy}
[Dest0g3 520迎新赛]ezDLP
from Crypto.Util.number import *
flag = open('flag.txt', 'rb').read()
x = bytes_to_long(flag)
g = 19
p = 335215034881592512312398694238485179340610060759881511231472142277527176340784432381542726029524727833039074808456839870641607412102746854257629226877248337002993023452385472058106944014653401647033456174126976474875859099023703472904735779212010820524934972736276889281087909166017427905825553503050645575935980580803899122224368875197728677516907272452047278523846912786938173456942568602502013001099009776563388736434564541041529106817380347284002060811645842312648498340150736573246893588079033524476111268686138924892091575797329915240849862827621736832883215569687974368499436632617425922744658912248644475097139485785819369867604176912652851123185884810544172785948158330991257118563772736929105360124222843930130347670027236797458715653361366862282591170630650344062377644570729478796795124594909835004189813214758026703689710017334501371279295621820181402191463184275851324378938021156631501330660825566054528793444353
h = pow(g, x, p)
print(h)
'''
199533304296625406955683944856330940256037859126142372412254741689676902594083385071807594584589647225039650850524873289407540031812171301348304158895770989218721006018956756841251888659321582420167478909768740235321161096806581684857660007735707550914742749524818990843357217489433410647994417860374972468061110200554531819987204852047401539211300639165417994955609002932104372266583569468915607415521035920169948704261625320990186754910551780290421057403512785617970138903967874651050299914974180360347163879160470918945383706463326470519550909277678697788304151342226439850677611170439191913555562326538607106089620201074331099713506536192957054173076913374098400489398228161089007898192779738439912595619813699711049380213926849110877231503068464392648816891183318112570732792516076618174144968844351282497993164926346337121313644001762196098432060141494704659769545012678386821212213326455045335220435963683095439867976162
'''
#离散对数问题 可以使用使用已知的离散对数算法
'''
要逆运算得到 x,我们需要解决离散对数问题(DLP),即在给定 g, p, 和 h 的情况下,找到 x 使得 h = g^x mod p。这是一个著名的计算难题,尤其在 p 很大的情况下。以下是一些常用的方法来尝试解决这个问题:
暴力破解法是最简单的方法,但也是最不实用的方法,因为它需要遍历所有可能的 x 值,直到找到正确的 x。对于大素数 p,这种方法几乎不可行。
'''
from sympy.ntheory import discrete_log
g = 19
p = 335215034881592512312398694238485179340610060759881511231472142277527176340784432381542726029524727833039074808456839870641607412102746854257629226877248337002993023452385472058106944014653401647033456174126976474875859099023703472904735779212010820524934972736276889281087909166017427905825553503050645575935980580803899122224368875197728677516907272452047278523846912786938173456942568602502013001099009776563388736434564541041529106817380347284002060811645842312648498340150736573246893588079033524476111268686138924892091575797329915240849862827621736832883215569687974368499436632617425922744658912248644475097139485785819369867604176912652851123185884810544172785948158330991257118563772736929105360124222843930130347670027236797458715653361366862282591170630650344062377644570729478796795124594909835004189813214758026703689710017334501371279295621820181402191463184275851324378938021156631501330660825566054528793444353
h = 199533304296625406955683944856330940256037859126142372412254741689676902594083385071807594584589647225039650850524873289407540031812171301348304158895770989218721006018956756841251888659321582420167478909768740235321161096806581684857660007735707550914742749524818990843357217489433410647994417860374972468061110200554531819987204852047401539211300639165417994955609002932104372266583569468915607415521035920169948704261625320990186754910551780290421057403512785617970138903967874651050299914974180360347163879160470918945383706463326470519550909277678697788304151342226439850677611170439191913555562326538607106089620201074331099713506536192957054173076913374098400489398228161089007898192779738439912595619813699711049380213926849110877231503068464392648816891183318112570732792516076618174144968844351282497993164926346337121313644001762196098432060141494704659769545012678386821212213326455045335220435963683095439867976162
x = discrete_log(p, h, g)
print(x)
#627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133
#627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133
from Crypto.Util.number import *
plaintext = 627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133
print(long_to_bytes(plaintext))
sage:
G=GF(p)
g = G(19)
discrete_log(h,g)
#627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133
#n2s(627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133)
#Dest0g3{07ed2a6f-182f-a05d-c81e-1318af820a78}
[NewStarCTF 公开赛赛道]Affine
和前面重复了
from flag import flag, key
modulus = 256
ciphertext = []
for f in flag:
ciphertext.append((key[0]*f + key[1]) % modulus)
print(bytes(ciphertext).hex())
# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064
from Crypto.Util.number import inverse
# 已知的密文
ciphertext_hex = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
ciphertext = bytes.fromhex(ciphertext_hex)
# 假设我们有两个已知的明文-密文对
# 使用f和l这两个已知字符是无法合适求解的 所以一定要灵活 整体往后取一位用l和a求解就好了
# 例如:明文 'l' -> 密文 0x43
# 明文 'a' -> 密文 0x88
p1 = ord('l')
c1 = 0x43
p2 = ord('a')
c2 = 0x88
# 建立方程
# c1 = (key[0] * p1 + key[1]) % 256
# c2 = (key[0] * p2 + key[1]) % 256
# 解方程
# c1 - c2 = key[0] * (p1 - p2) % 256
key0 = (c1 - c2) * inverse(p1 - p2, 256) % 256
key1 = (c1 - key0 * p1) % 256
# 验证 key0 和 key1 是否正确
assert (key0 * p1 + key1) % 256 == c1
assert (key0 * p2 + key1) % 256 == c2
# 解密密文
plaintext = []
for c in ciphertext:
p = (inverse(key0, 256) * (c - key1)) % 256
plaintext.append(p)
print(bytes(plaintext).decode('latin1'))
[NewStarCTF 公开赛赛道]unusual_base
from secret import flag
from Crypto.Util.number import *
from random import shuffle
from string import ascii_lowercase, ascii_uppercase, digits
alphabet = ascii_uppercase + ascii_lowercase + digits +'$&'
alphabet = list(alphabet)
bits = ''
pad_len = len(flag) % 3
for f in flag:
bits += bin(f)[2:].rjust(8,'0')
bits += '0000'*pad_len
encoded = ''
shuffle(alphabet)
alphabet = "".join(alphabet)
for i in range(0, len(bits), 6):
encoded += alphabet[int(bits[i:i+6], 2)]
encoded += '%'*pad_len
print(f'encoded = "{encoded}"')
print(f'alphabet = "{alphabet}"')
encoded = "GjN3G$B3de58ym&7wQh9dgVNGQhfG2hndsGjlOyEdaxRFY%"
alphabet = "c5PKAQmgI&qSdyDZYCbOV2seXGloLwtFW3f9n7j481UMHBp6vNETRJa$rxuz0hik"
# 1. 将编码后的字符串转换回二进制位
bits = ''
for char in encoded[:-1]: # 去除末尾的填充位 有一个%一位置填充位为1
index = alphabet.index(char)
bits += bin(index)[2:].rjust(6, '0')
# 2. 去除填充位
bits = bits.rstrip('0')
# 3. 将二进制位分组并转换回字节
flag = ''
for i in range(0, len(bits), 8):
byte = bits[i:i+8]
if len(byte) == 8:
flag += chr(int(byte, 2))
print(flag)
[DASCTF NOV X联合出题人2022年度积分榜争夺赛!]easyrsa
from Crypto.Util.number import *
import gmpy2
from secret import flag
bitlen = 512
p = getPrime(bitlen)
q = getPrime(bitlen)
r = getPrime(bitlen)
assert p != q and q != r and p != r
n = p*q*r
phi = (p-1)*(q-1)*(r-1)
while 1:
d = getPrime(256)
try:
e = int(gmpy2.invert(d,phi))
except:
continue
if gmpy2.gcd(e,phi) == 1 :
break
assert flag.startswith(b'CBCTF{')
m = bytes_to_long(flag)
c = pow(m,e,n)
print('c =',c)
print('e =',e)
print('n =',n)
'''
c = 262857004135341325365954795119195630698138090729973647118817900621693212191529885499646534515610526918027363734446577563494752228693708806585707918542489830672358210151020370518277425565514835701391091303404848540885538503732425887366285924392127448359616405690101810030200914619945580943356783421516140571033192987307744023953015589089516394737132984255621681367783910322351237287242642322145388520883300325056201966188529192590458358240120864932085960411656176
e = 543692319895782434793586873362429927694979810701836714789970907812484502410531778466160541800747280593649956771388714635910591027174563094783670038038010184716677689452322851994224499684261265932205144517234930255520680863639225944193081925826378155392210125821339725503707170148367775432197885080200905199759978521133059068268880934032358791127722994561887633750878103807550657534488433148655178897962564751738161286704558463757099712005140968975623690058829135
n = 836627566032090527121140632018409744681773229395209292887236112065366141357802504651617810307617423900626216577416313395633967979093729729146808472187283672097414226162248255028374822667730942095319401316780150886857701380015637144123656111055773881542557503200322153966380830297951374202391216434278247679934469711771381749572937777892991364186158273504206025260342916835148914378411684678800808038832601224951586507845486535271925600310647409016210737881912119
'''
不知道脚本怎么做到的,也无法复现,但是题目提示说是sage很好用
from Crypto.Util.number import *
from multiprocessing import Pool
import os
import gmpy2
from sage.all import *
def get_d(i):
global q_k_1
global q_k
k = i.numerator()
q_k = i.denominator()
# print("Now is: %d" % q_k)
# print("%s is run" %os.getpid())
for r in range(20):
d = r * q_k + q_k_1
if pow(pow(2, e, n), d, n) != 2:
continue
else:
# print(r)
# print(q1)
# print(q0)
return d
q_k_1 = q_k
if __name__ == "__main__":
e = 543692319895782434793586873362429927694979810701836714789970907812484502410531778466160541800747280593649956771388714635910591027174563094783670038038010184716677689452322851994224499684261265932205144517234930255520680863639225944193081925826378155392210125821339725503707170148367775432197885080200905199759978521133059068268880934032358791127722994561887633750878103807550657534488433148655178897962564751738161286704558463757099712005140968975623690058829135
n = 836627566032090527121140632018409744681773229395209292887236112065366141357802504651617810307617423900626216577416313395633967979093729729146808472187283672097414226162248255028374822667730942095319401316780150886857701380015637144123656111055773881542557503200322153966380830297951374202391216434278247679934469711771381749572937777892991364186158273504206025260342916835148914378411684678800808038832601224951586507845486535271925600310647409016210737881912119
c = 262857004135341325365954795119195630698138090729973647118817900621693212191529885499646534515610526918027363734446577563494752228693708806585707918542489830672358210151020370518277425565514835701391091303404848540885538503732425887366285924392127448359616405690101810030200914619945580943356783421516140571033192987307744023953015589089516394737132984255621681367783910322351237287242642322145388520883300325056201966188529192590458358240120864932085960411656176
q_k_1 = 1
conv = continued_fraction(Integer(e)/Integer(n)).convergents()
pool = Pool() # 这里用的进程池缩短总的运算时间
res = pool.map(get_d , conv)
pool.close()
pool.terminate()
for i in res:
if i != None:
d = i
m = pow(c, d, n)
print(long_to_bytes(m).decode())
[2021DASCTF实战精英夏令营暨DASCTF July X CBCTF 4th]Yusa的密码学签到——
from Crypto.Cipher import AES
import os
def pad(a):
size = (16-len(a)%16)%16
a += chr(size)*size
return a
iv = os.urandom(16)
key = os.urandom(16)
enc = AES.new(key,AES.MODE_CBC,iv)
print(iv.encode('hex'))
for _ in range(2):
try:
trick = raw_input("")
trick = pad(trick.decode('hex'))
cipher = enc.encrypt(trick)
if trick == cipher and trick != "" :
with open("flag.txt") as f:
print(f.read())
exit()
else:
print(cipher.encode('hex'))
print("Try again")
except:
exit()
原理:
AES-CBC模式原理。
第一次:
令 P0 = IV
C0 = Encrypt(P0 XOR IV) = Encrypt(0)
第二次:
令 P1 = C0
C1 = Encrypt(P1 XOR C0) = Encrypt(C0 XOR C0) = Encrypt(0) = C0 = P1
所以当复读机读两遍服务器给的内容就行
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· Manus爆火,是硬核还是营销?
· 终于写完轮子一部分:tcp代理 了,记录一下
· 别再用vector<bool>了!Google高级工程师:这可能是STL最大的设计失误
· 单元测试从入门到精通