BuildCTF2024-Crypto
差一题古典不想看了,其他方向就不献丑了
Crypto
OVO开门爽!开到南天门了兄弟
from Crypto.Util.number import *
flag = b'BuildCTF{******}'
#随机生成p,q
p = getPrime(1024)
q = getPrime(1024)
#计算模数n
n = p*q
e = 65537
m = bytes_to_long(flag)
#c=m^e%n
c = pow(m, e, n)
print('P = ',p**2)
print('Q = ',q**2)
print('n = ',n)
print('e = ',e)
print('c = ',c)
开根就行了
from Crypto.Util.number import *
from gmpy2 import *
P = 8279853330757234669136483032750824826175777927506575083710166412897012079466955769715275604152872242147320194640165649152928984919315754419447729793483984130396358578571137956571302516202649076619076831997922675572705848199504309232044502957866317011212505985284129365522570368395368427388904223782742850616983130885152785650513046301920305069822348366931825404271695876688539675285303882189060671184911139742554710018755565518014777733322795522710234091353878298486498244829638878949389690384488573338138825642381687749888102341379254137445546306796258092762099409409285871651688611387507673794784257901946892698481
Q = 9406643503176766688113904226702477322706664731714272632525763533395380298320140341860043591350428258361089106233876240175767826293976534568274153276542755524620138714767338820334748140365080856474253334033236457092764244994983837914955286808153784628739327217539701134939748313123071347697827279169952810727995681780717719971161661561936180553161888359929479143712061627854343656949334882218260141557768868222151468471946884225370009706900640851492798538458384449294042930831359723799893581568677433868531699360789800449077751798535497117004059734670912829358793175346866262442550715622833013235677926312075950550681
n = 8825283482190476005946253343638820879559355306860912268128891241513310054066424567824202757539757712177309282694997613217968336164050770152277369601415394249781577415456224120102543968285035647514461364611734338073523454354376992783551035395558194171202680855182868766563277697325690226849316944101739491659812174054898519492145495098671439125714086449826697343692081109131564556220174583970363431110462222473013021825770267803249515893736989430146194199936335153936611196467225599746830873958085287665223190767137404366840055297859554490123389877396965710177279558954630222879974581602069901175074777191362537419581
e = 65537
c = 27915082942179758159664000908789091022294710566838766903802097394437507062054409033932303966820096232375646873480427485844733381298467171069985418237873120984132166343258345389477844339261488318588760125230979340678006871754125487279212120945061845738130108370814509280317816067243605608952074687396728904772649873860508240809541545939219624254878900291126739390967820141036260712208555574522131446556595562330969209665291757386246648060990840787769772160549862538116370905306402293764494501838709895355570646716245976733542014165663539815972755562821443411642647981898636761822107221203966296758350547477576411216744594534002057673625678188824476543288048956124565509473100550838563085585434675727358831610724920550213350035792170323729397796947598697983084347567191009236345815968927729025919066227704728180060805553787151862426034275526605154807840695498644070184681962311639338273469859838505348823417234722270798882384367058630064108155240680307754557472476430983184039474907188578578484589833812196216551783354411797156409948499012005963943728564803898150155735762695825658678475746559900705796814512838380193603178657226033406812810314960142251012223576984115642351463684724512456778548853002653596485899854303126091917273560
p=int(iroot(P,2)[0])
q=int(iroot(Q,2)[0])
print(long_to_bytes(int(pow(c,invert(e,(p-1)*(q-1)),p*q))))
mitm
from Crypto.Util.number import *
from Crypto.Util.Padding import *
from hashlib import sha256
from Crypto.Cipher import AES
from random import *
from secret import flag
note = b'Crypt_AES*42$@'
r = 4
keys = []
for i in range(r):
key = bytes(choices(note, k=3))
keys.append(sha256(key).digest())
leak = b'Hello_BuildCTF!!'
cipher = leak
for i in range(r):
cipher = AES.new(keys[i], AES.MODE_ECB).encrypt(cipher)
enc_key = sha256(b"".join(keys)).digest()
enc_flag = AES.new(enc_key, AES.MODE_ECB).encrypt(pad(flag, AES.block_size))
print(f'cipher = {cipher}')
print(f'enc_flag = {enc_flag}')
前段之前遇到过,就想出来了
参考的是小鸡块师傅的
crewCTF-4ES:2024-TFCCTF&crewCTF-wp-crypto | 糖醋小鸡块的blog (tangcuxiaojikuai.xyz)
from hashlib import sha256
from Crypto.Cipher import AES
import itertools
cipher = b'\xb9q\x04\xa3<\xf0\x11-\xe9\xfbo:\x9aQn\x81'
enc_flag = b'q\xcf\x08$%\xb0\x86\xee\x1a(b\x7f\xf8\x86\xbd\xd0\xa7\xee\xd9\x9d2\x82a7H=a\x13\x87e\xad\xd2b\x8e\x07\xa5\xddo\xc0\xf3N\xd4b\xc9o\x88$\xc7\xf4p\xc1\x1e,\xed\xcc\x94\x8c\xf4\x00\xa5\xe0-\xf7\xc5'
note = b'Crypt_AES*42$@'
leak = b'Hello_BuildCTF!!'
keys=[]
for key in itertools.product(note, repeat=3):
keys.append(sha256(bytes(key)).digest())
print("over0")
pre={}
for key in itertools.product(keys, repeat=2):
pre[AES.new(key[1], AES.MODE_ECB).encrypt(AES.new(key[0], AES.MODE_ECB).encrypt(leak))]=key
print("over1")
for key in itertools.product(keys, repeat=2):
if AES.new(key[1], AES.MODE_ECB).decrypt(AES.new(key[0], AES.MODE_ECB).decrypt(cipher)) in pre.keys():
pre_key=pre[AES.new(key[1], AES.MODE_ECB).decrypt(AES.new(key[0], AES.MODE_ECB).decrypt(cipher))]
tmp=pre_key[0]+pre_key[1]+key[1]+key[0]
keys=sha256(tmp).digest()
flag = AES.new(keys, AES.MODE_ECB).decrypt(enc_flag)
print(flag)
exit()
#b'BuildCTF{M1tm_i5_@_simple_w@y_t0_s0lve_pr0bl3m!}\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10'
我这辈子就是被古典给害了
from Crypto.Util.Padding import pad, unpad
from Crypto.Random import get_random_bytes
from Crypto.Cipher import AES
from secret import flag, key
dict1 = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4,
'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9,
'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14,
'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19,
'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25}
dict2 = {0: 'A', 1: 'B', 2: 'C', 3: 'D', 4: 'E',
5: 'F', 6: 'G', 7: 'H', 8: 'I', 9: 'J',
10: 'K', 11: 'L', 12: 'M', 13: 'N', 14: 'O',
15: 'P', 16: 'Q', 17: 'R', 18: 'S', 19: 'T',
20: 'U', 21: 'V', 22: 'W', 23: 'X', 24: 'Y', 25: 'Z'}
def generate_key(flag, key):
i = 0
while True:
if len(key) == len(flag):
break
key += flag[i]
i += 1
return key
def cipherText(msg, key_new):
cipher_text = ''
i = 0
for letter in msg:
x = (dict1[letter] + dict1[key_new[i]]) % 26
i += 1
cipher_text += dict2[x]
return cipher_text
def AES_enc(key, value):
key = (key * 2).encode()
cipher = AES.new(key, AES.MODE_ECB)
value = value.encode()
padded_text = pad(value, AES.block_size)
ciphertext = cipher.encrypt(padded_text)
print("AES Encrypted Text =", ciphertext)
def substitute(msg):
msg = msg.replace('{', 'X')
msg = msg.replace('_', 'X')
msg = msg.replace('}', 'X')
msg = msg.upper()
assert msg.isupper()
return msg
message = substitute(flag)
key_new = generate_key(message, key)
cipher = cipherText(message, key_new)
print("Encrypted Text =", cipher)
AES_enc(key, flag)
讲解写在代码里了
dict1 = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4,
'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9,
'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14,
'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19,
'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25}
dict2 = {0: 'A', 1: 'B', 2: 'C', 3: 'D', 4: 'E',
5: 'F', 6: 'G', 7: 'H', 8: 'I', 9: 'J',
10: 'K', 11: 'L', 12: 'M', 13: 'N', 14: 'O',
15: 'P', 16: 'Q', 17: 'R', 18: 'S', 19: 'T',
20: 'U', 21: 'V', 22: 'W', 23: 'X', 24: 'Y', 25: 'Z'}
text = "HLMPWKGLYSWFACEWBYRSUKYFAXZFXDKOTZHHSLFCXNICAHPGRIFUF"
# len(AES_KEY)=16 24 32
# len(key)=8 12 16
# 假设key一开始长度为8,flag头猜测为BUILDCTFX
# 则key=????????BUILDCTFX
# 密文第9位,就等于现在key第九位'X' 加上 flag第一位'B'
# print(dict1[text[8]]) 24
# 23+1=24 ==> X+B 所以可以猜测一开始key长度为8
pre="BUILDCTF"
key=""
for i in range(8):
key+=dict2[(dict1[text[i]]-dict1[pre[i]])%26]
# print(key) # 结果为:GREETING,有明显英文意思,推论正确
from Crypto.Cipher import AES
c = b'\x92T{\x1f\x0f"\xbd\xbb\xfa|O\x11\x83\xa0\xec.\x15]\x9f\x9a\xe5\x85Z\x9f@yUm\xbb\xdc\x93\x08\xe5\x8b\xd5\x98\x84\xfa\x91\xe8\xde\x1b}\xcd\x9056\xa3\xbf\xdb\x85J\xcc\xec\x812T\x11\xa7Tl\x15\xf6"'
key=key*2
cipher = AES.new(key.encode(), AES.MODE_ECB)
ciphertext = cipher.decrypt(c)
print(ciphertext)
#b'BuildCTF{YOU_ALREADY_KNOW_WHAT_A_CLASSICAL_CIPHER_IS}\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
gift
from Crypto.Util.number import *
from secret import flag
def get_gift(p, q):
noise = getPrime(40)
p, q = p + 2 * noise + 1, q - pow(noise, 2)
gift = 2024 * (p + q)
return gift
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x10001
m = bytes_to_long(flag)
c = pow(m, e, n)
gift = get_gift(p, q)
print(f'c = {c}')
print(f'n = {n}')
print(f'gift = {gift}')
'''
c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
n = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872
'''
不愧是noise,noise40位,平方之后差不多80位,p和q都是512位的,相加之后可以相当于丢失了低80位,所以就想到是p+q的高位攻击。
我直接偷dexter师傅的代码了
https://dexterjie.github.io/2023/09/07/挨打日记/#2023长城杯——p-q高位泄露
N = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872
gift=gift//2024
gift=gift>>90
gift=gift<<90
PR.<x> = PolynomialRing(Zmod(N))
ok = False
test=1
def pq_add(tp,tq,tgift,idx):
global ok
global test
if ok:
return
if tp*tq>N:
#print('>')
return
if (tp+(2<<idx))*(tq+(2<<idx))<N:
#print('<', hex((tp+(1<<(idx+2))))[:20], hex(tq+(2<<idx))[:20], hex(N)[:20])
return
if idx<=90:
try:
test += 1
print(test)
for i in range(1024):
tpp = tp+(i<<90)
f = tpp + x
test += 1
rr = f.monic().small_roots(X=2^90, beta=0.4)
if rr != []:
print(rr)
print(tpp)
print('p = ',f(rr[0]))
ok = True
return
except:
pass
return
idx -=1
b = tgift >>idx
one = 1<<idx
#print(hex(tp)[:20],hex(tq)[:20],hex(tgift)[:20],idx,b)
if b==0 or b==1:
pq_add(tp,tq,tgift,idx)
if b==1 or b==2:
pq_add(tp+one,tq,tgift-one,idx)
pq_add(tp,tq+one,tgift-one,idx)
if b==2 or b==3:
pq_add(tp+one,tq+one,tgift-(one<<1),idx)
if 0:
tp = 1<<511
tq = 1<<511
tgift = gift -tp -tq
pq_add(tp,tq,tgift,511)
"""
print(test)
print("OK")
print("111111111111")
17427
[700928575142400370721495237]
12795781443930923314957498667934210380943999998587811382302993343213015802362418444051944067150691108651897157419444913377465524852577234852023651836887040
p = 12795781443930923314957498667934210380943999998587811382302993343213015802362418444051944067150691108651897157419444913377465525553505809994424022558382277
17432
OK
111111111111
"""
from Crypto.Util.number import *
p = 12795781443930923314957498667934210380943999998587811382302993343213015802362418444051944067150691108651897157419444913377465525553505809994424022558382277
c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
print(long_to_bytes(int(pow(c,inverse_mod(65537,p-1),p))))
# b'BuildCTF{M@y_b3_S0m3th1ng_go_wr0ng}'
ominous
from Crypto.Util.number import *
from secret import flag
import random
import string
Ominous_dic = ['啊', '米', '诺', '斯']
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
assert all(char in flag_word for char in flag)
msg = bytes_to_long(flag)
random.shuffle(Ominous_dic)
def Ominous_enc(msg):
res = 0
for idx, word in enumerate(Ominous_dic):
res += random.randint(0, 200) * ord(word) * (2 ** (50 * (idx + 1)))
return res + msg
cipher = Ominous_enc(msg)
print(f'cipher = {cipher}')
本质上还是跟位数相关,res每次加的随机值都是每50位的低位,所以我们可以分段来考虑爆破
每次提取密文的48位(按字节分组才好处理)
具体看代码就能理解了。
from Crypto.Util.number import *
import string
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
cipher = 11174132013050242293373893046306047184706656363469879247040688497021
#print(bin(cipher))
flag1="1101010000110101100111101101100"
flag2="011001000100001101011001011000010011001011010111"
flag3="011010000100000001111000010010111000100101010101"
flag4="010111110011000001101101111001101111011010100111"
flag5="011101010111001100100001001000010010000101111101"
Ominous_dic = ['啊', '米', '诺', '斯']
words=[ord(word) for word in Ominous_dic]
#print(words)
"""words=[21834, 31859, 35834, 26031]
for i in words:
for j in range(200):
tmp=int(flag4+flag5,2)
tmp-=i*j*2**50
tmp=long_to_bytes(tmp)
if all(char in flag_word for char in tmp):
print(tmp,i,j)
#b'_0m1nous!!!}' 35834 83"""
"""words=[21834, 31859, 26031]
for i in words:
for j in range(200):
tmp=int(flag3+flag4+flag5,2)
tmp-=i*j*2**100+35834*83*2**50
tmp=long_to_bytes(tmp)
if all(char in flag_word for char in tmp):
print(tmp,i,j)
#b'h@t_i5_0m1nous!!!}' 26031 158"""
"""words=[21834, 31859]
for i in words:
for j in range(200):
tmp=int(flag2+flag3+flag4+flag5,2)
tmp-=i*j*2**150+26031*158*2**100+35834*83*2**50
tmp=long_to_bytes(tmp)
if all(char in flag_word for char in tmp):
print(tmp,i,j)
#b'dCTF{Wh@t_i5_0m1nous!!!}' 31859 42"""
words=[21834]
for i in words:
for j in range(200):
tmp=int(flag1+flag2+flag3+flag4+flag5,2)
tmp-=i*j*2**200+31859*42*2**150+26031*158*2**100+35834*83*2**50
tmp=long_to_bytes(tmp)
if all(char in flag_word for char in tmp):
print(tmp,i,j)
#b'BuildCTF{Wh@t_i5_0m1nous!!!}' 21834 119
ez_matrix
#SageMath 9.5
from Crypto.Util.number import *
from gmpy2 import powmod
from secret import msg
def pad(x, pad_length):
return x + b'\x00' * (pad_length - len(x))
def rsa_gen(bits):
p = getPrime(bits)
q = getPrime(bits)
return p, q
bits = 1024
pad_length = 200
matrix_size = 32
e = 65537
p, q = rsa_gen(bits)
n = p * q
m = bytes_to_long(pad(msg, pad_length))
c = powmod(m, e, n)
p_binary = bin(p).replace('0b', '').zfill(bits)
q_binary = bin(q).replace('0b', '').zfill(bits)
P = matrix(GF(2), [list(map(int, p_binary[i:i+matrix_size])) for i in range(0, len(p_binary), matrix_size)])
Q = matrix(GF(2), [list(map(int, q_binary[i:i+matrix_size])) for i in range(0, len(q_binary), matrix_size)])
gift = P.solve_right(Q)
with open('output', 'w') as file:
file.write(f'c = {c}\n')
file.write(f'p ^ q = {p ^^ q}\n')
file.write('gift:\n')
for row in gift:
file.write(' '.join(map(str, row)) + '\n')
关键点,要能意识到p^q,实际上就是矩阵P+Q,因为都是模2域下的操作,所以都是模2加法。
所以我们就能得到P+Q和Pgift=Q,推导如下:
\[设A=P+Q,B=gift=P^{-1}Q\\
因为是模2域下,所以有Q=A-P=A+P,带入B得\\
B=P^{-1}(A+P)=P^{-1}A+E\\
同理有P^{-1}A=B+E\\
使用sagemath中的solve\_left,可以直接求解出P^{-1}\\
然后求逆就好了
\]
from Crypto.Util.number import *
from gmpy2 import *
bits = 1024
matrix_size = 32
pxorq = 89144063720545532404936347749976033995959352088369581593483294017916269127126015515514164556238892315116219488234599276283755643115494368387307879815221830970632672104176330851649236203019768799744400071934922875736029236458980333704716550922984411453411523931115952319603510996580835848026227775168231757398
pxorq_binary = bin(pxorq).replace('0b', '').zfill(bits)
gift="0010111001000011001001000100110010100001011111010111010001100001010111110110100100011011011110000111010000100100000001111010110101011110100100110011101001001011111001000101000010000101000000111010111011101111000000101010010010101010110111001010010001111010001011101110010000010001001010111000000111111011000000010110111110001100110110111111000000000111001110100010101110011101011110001100110101010010000010111010110110001100111100010011110010010110100111011100011000110011000001111001001011110011110010110000111001000100100000001011001011111001000101111011110000100000011011010011111001001110000111001001010001000010110101011001000000110011100000001111011001010111101100010000001011111010001101110011111101011001001110000111111111110111110001101100000010010110010010111100000110001111110111111001011001110101001000011100001110000100010110000111111010101011001100101111101100010010000100110110001111111110111001010110000111010000011110011011101101000101100000110110101010100011110000110101111101101101101001000110101100110111"
gift_binary = gift.zfill(bits)
A = matrix(GF(2), [list(map(int, pxorq_binary[i:i+matrix_size])) for i in range(0, len(pxorq_binary), matrix_size)])
B = matrix(GF(2), [list(map(int, gift[i:i+matrix_size])) for i in range(0, len(gift_binary), matrix_size)])
E=identity_matrix(GF(2), 32)
P_1=A.solve_left(B+E)
P=P_1.inverse()
p=""
for i in P:
for j in i:
p+=str(j)
p=int(p,2)
print(p.bit_length(),isPrime(p))
Q=P+A
q=""
for i in Q:
for j in i:
q+=str(j)
q=int(q,2)
print(q.bit_length(),isPrime(q))
n=p*q
phi=(p-1)*(q-1)
e=65537
c = 5750862006780374919287214285692236210204656897730327429454502213453716609006462693326927544526483929921956237739564314742381291228170724611684726314766300684189083862768843433748971907962075938141567163713163231477418107343867114651242407427262164467193346523730926798966915657982552864539513197192523866321569716738540583056085357621328692775578162692288348251605475475005408200801081747601745630186390866011595954211521326069111983199120520535552104591110478015154646709731714695120857959832894595677697407284511806934799265823961155753765208975629786832407640872204810033141414096894416317703257346937008503926274
print(long_to_bytes((int(powmod(c,invert(e,phi),n)))))
#BuildCTF{78e09053-bc0a-4fdc-9dec-0f107bf9ba43}
Ju5t_d3c0de_1t!
e = 'VTJGc2RHVmtYMThUWGplSkN2YzJwazJ2KzJieQ=='
c = 10110011010010110101101101011110100001010100101110111011101101111101101001000010111010010011101111001111111000000001111000000010101
p = 1100010000110101100011011010101011111101001101010011001010110111100011110110101111000101100001011011001100110010010111111100110000001111010111111101111001100111100011100110110011101011111011100111010011000100011001101101111011010110000011011100101010010101110001011011010111001010101101100101011111101000110010111000011010111001101001
q = 11000010010010011110101110100011011100101101100100011011100010111000011110111000000011111100010100100000101101010101000101101101101011011100001101111010001010010011001010110010110101001100100011010110100011110011101110101110111110100000011110101010011011111010111100011000011111001000010101100100011110010000010001110010101100100111001
key = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953143489192628648965081601335846012859223829286606349019
# use m minus key to get the final flag!
解码e,解第一层base64,再解一层的话发现前面为Salt_开头,猜测为Rabbit加密,无密钥解密就得到了
https://tool.oschina.net/encrypt
剩下的都一眼出了(最后根据提示m减一下key就行了)
from Crypto.Util.number import *
from base64 import *
e = 'VTJGc2RHVmtYMThUWGplSkN2YzJwazJ2KzJieQ=='
c = 10110011010010110101101101011110100001010100101110111011101101111101101001000010111010010011101111001111111000000001111000000010101
p = 1100010000110101100011011010101011111101001101010011001010110111100011110110101111000101100001011011001100110010010111111100110000001111010111111101111001100111100011100110110011101011111011100111010011000100011001101101111011010110000011011100101010010101110001011011010111001010101101100101011111101000110010111000011010111001101001
q = 11000010010010011110101110100011011100101101100100011011100010111000011110111000000011111100010100100000101101010101000101101101101011011100001101111010001010010011001010110010110101001100100011010110100011110011101110101110111110100000011110101010011011111010111100011000011111001000010101100100011110010000010001110010101100100111001
key = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953143489192628648965081601335846012859223829286606349019
e=65537
c=int(str(c),2)
p=int(str(p),2)
q=int(str(q),2)
n=p*q
m=pow(c,inverse(e,(p-1)*(q-1)),n)
m=m-key
print(long_to_bytes(m))
#b'I_l1k3_crypt0_5o_h4rd!'
ezzzzz_RSA
import libnum
from Crypto.Util.number import *
flag = b'BuildCTF{*******}'
m = libnum.s2n(flag)
e = 65537
q = getPrime(1024)
q1 = getPrime(1024)
p = getPrime(1024)
p1 = getPrime(1024)
n = p * q
n1 = q * p1
n2 = p * q1
c = pow(m, e, n)
h0 = pow(2023 * p + 2024, q1, n2)
h1 = pow(2024 * p1 + 2023 * q, 113, n1)
h2 = pow(2023 * p1 + 2024 * q, 629, n1)
print(f'n1 = {n1}')
print(f'n2 = {n2}')
print(f'c = {c}')
print(f"h0 = {h0}")
print(f"h1 = {h1}")
print(f"h2 = {h2}")
解出来一个就够m的大小了
解p
\[h_0=(2023p+2024)^q\mod n\\
二项式定理展开模去p,得h_0=2024^q\mod p\\
n=p*q→p=\frac{n}{q}→p-1=\frac{n-q}{q}→q=n-q(p-1)\\
h_0=2024^{n-q(p-1)}\mod p\\
由费马小定理得:h_0=2024^n\mod p\\
h_0=2024^n+kp\\
kp=2024^n-h_0\\
之后求gcd即可。
\]
from Crypto.Util.number import *
from gmpy2 import *
n2 = 11933661747067216317642315621042074566046499785197709817779978157416906347669444374234313329064859622960743743511735672614999566264025648698589886185056758071718319964262619819143757922916624196354313322456534266520150543008117888101349920396737532937616502689667208207329048979872222563877933742673021891249520999021187404065706388700711208445628041386956459398271230236018476964839399245143666534359113777846535151773174701732284280083586580489995666306373839417946648196140879978268472361473557375951972193618245984950374326806423407152520541682571610372434453778172497925696535270204943842467472100237854318244291
h0 = 2996726009726260695732821166504040344731102637047682432884058857493935625094258046641569918904978173116793673563730117949606727933902262668880339210084101176866383602543966179840353633735507442926707342258391362245904850297416642271123328980812931025677857373199540129280097315832907023777052101133649877194495480543646472133854655383755313968952550827443970931104462445312146328606862802196901953935238972759852435882720786570965542286278549107402918041194008845717507735786897968734831064393337773557817839343449001368565856921138408039931608804233595980497557733714560035682416265029819340316734845279080134432704
p = gcd(pow(2024,n2,n2)-h0,n2)
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
e=65537
m=long_to_bytes(pow(c,invert(e,p-1),p))
print(m)
#b'BuildCTF{29g5blh5-7829-5k38-a836-9bk54h291h6}'
解q
\[h_1=(ap+bq)^{e_1}\mod n\\
h_2=(bp+aq)^{e_2}\mod n\\
h_1=(ap)^{e_1}\mod q\\
h_2=(bp)^{e_2}\mod q\\
h_1*b^{e_1}=(abp)^{e_1}\mod q\\
h_2*a^{e_2}=(abp)^{e_2}\mod q\\
(h_1*b^{e_1})^{e_2}=(abp)^{e_1e_2}+k_1q\\
(h_2*a^{e_2})^{e_1}=(abp)^{e_1e_2}+k_2q\\
两式相减,再与n求gcd即可
\]
from Crypto.Util.number import *
from gmpy2 import *
n1 = 19957426023169626195602761840035904096149402534966487535713447987366768645542881124782551268978342063458430846877824210659778126281705984711061190351636497944943321988950188171159903717348936556346198638311950016136865425015037098270040031872702873264144372191898253134939805153141701819590164140250130420280491966786900651186941317959556066730959744279963976065565436153399679475410040773637142677936926894677919242351610457296203864806991539480593546084449323017670431590012312526757477514457145686070196978477495658962519391041011847512041022828710693830661412217389320600888361578917153088073678587422269955710471
h1 = 19843160604742228074331688651361052208481287636527838615063387670722213224954610448720065937378201545177278841575633697012434074186046556843292068835752113384756149944114298949115412819730843598288637259467085268861201775723817790428386595559040938133481222229290199923979132846871398172318539492741755408720073350962388138453341677009547616238262211176727424067946020683742262782319735286357465817786446238528187722959357444676512705451504136333336415880020502524009647940182721264953084120705872870651891290569527156804993340563927419561415555818468261824287933683736509372616293569615247228388443284457740072850735
h2 = 15147052684674827267989051566164167603473413362261253296001082161136918959833294463185335416662127368473980239667918561600741667513285708843081475074688239507330230558331408877583246661862040918410036936505307437329914363201630212163952357444441705663871720438955166472073576526814546767805314463827075388036712200327696168965762177567346966479399896578190111819130000991594490932388132188241726654756368698998232826340969288082645860324404980143489489946490266439447342461483490582149239131554246756547000945718737195930407251232848166108751122870333559461452459416252942341423373918245090162970624108991537972775066
e1=113
e2=629
a=2024
b=2023
tmp1=pow(h1*(pow(b,e1,n1)),e2,n1)
tmp2=pow(h2*(pow(a,e2,n1)),e1,n1)
q=gcd(tmp1-tmp2,n1)
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
e=65537
m=long_to_bytes(pow(c,invert(e,q-1),q))
print(m)
where is my n?
from Crypto.Util.number import*
from gmpy2 import*
flag = "..."
e=65537
p=getPrime(512)
q=gmpy2.next_prime(p)
n=p*q
phi=(p-1)*(q-1)
d=inverse(e,phi)
c=pow(flag,e,n)
print("c=",c)
print("e=",e)
print("d=",d)
SHCTF第一周的d_known
我自己的博客:SHCTF2024-week1-crypto&其他 - Naby - 博客园 (cnblogs.com)
from Crypto.Util.number import*
from gmpy2 import*
c= 107973408658512316248795675829719026556281556876279221462095299771897472835817102507431099132436173117611783572607408542140665445616624626408781699266046553444252772105867617770124779786841928535661872891635303381758336724610931502145965143374870804147444436791292512235485326451051756451904673491759905663466
e= 65537
d= 62036379179617188220635702722848631787124203142048526951004487465970915306760341332025319712290841316288636152355908585406155087541334717529113872233640624205650204907669681116401961584897042519881342485819364897891612540596760113597723865477121348794797592568686540283535491492936074500143092361821406613969
p_bits=512
q_bits=512
k_phi = e*d -1
pphi = []
for k in range(e,2,-1):
if k_phi % k == 0:
tmp = k_phi // k
if int(tmp).bit_length()==p_bits+q_bits:
pphi.append(tmp)
for k in pphi:
pp=iroot(k,2)[0]
pp=next_prime(pp)
for i in range(100):
flag=long_to_bytes(pow(c,invert(e,pp-1),pp))
if b'BuildCTF' in flag:
print(flag)
exit()
pp=next_prime(pp)
#b'BuildCTF{Y0u_F1nd_7he_n_success7u1_!}'
girls_band_cry_pto
from Crypto.Util.number import *
import gmpy2
def getprime(kbit,FLAG):
a = getPrime(kbit)
b = getPrime(kbit)
N = getPrime(kbit+5)
seed = getPrime(kbit)
t = seed
list_t = []
for i in range(10):
t = (a*t+b)%N
list_t.append(t)
if FLAG:
print(list_t)
return seed
p = getprime(512,1)
q = getprime(512,0)
flag = b'...'
flag = bytes_to_long(flag)
n = p*q
e = 1384626
assert flag.bit_length() < n.bit_length()//2
c = pow(flag,e,n)
print('c=',c)
具体过程我就不讲了,太麻烦了,直接拿一些模板了
第一步利用LCG,求出p
然后发现e和phi(p)不互素,gcd之后为6
直接求e//6的逆,求出m的6次方
发现(p-1)%4=1,利用cipoll算法(参考0xGame一题)进行开平方根
得到m的3次方,最后使用AMM算法开3次根,直接就能秒出了
(直接用AMM跑开6次根貌似出不来)
import math
import random
from Crypto.Util.number import *
from gmpy2 import *
s=[37382128984932009103055100236038298684187701771245912912208816283882352432386956435965036367810667394024993955812239704879381327228911265588017046627348503, 78860822396220922181257740301787328387654351181949135165584053897837116358564567613593406267620270397593757280733139576593428399156673217202739776358215953, 71961258377748802736482119449608198361898650603044501972923193831637292104436919483148544126546157761435847502622416800596454167412705966674707485447149592, 87271087644907910379168026089161507515679859469787715709089631773745967695993043069981508275969979669395420678260957179827954920361899134388830957711827969, 72060448202158281754256475874109091993193239479491265267010728401711694585210195554635415348891139571830347004379216450772696235700910532153698412887476412, 198822737610698203376629161658629276556973499054887457432530950247888991546498594767954251786997515337433684733300663470799887569646159225800449429896258899, 186920895499932700150962847893153648403293237986492275627558112493385728113172211076262656795948951216023567806119078906412693819469136004563793414149643278, 56472634592713718635518027850351194341092172882542912776939953869983486542308422043454035086533070566859787384014556343587278097326244663175874047755695694, 42665120723108982921319232615099077060109901818313520605789700720605479528247045699344736360219784997528870841912999130951916510491705708498185762196467897, 205629005887807114384057131575309344114082007367662384600399313743755704623421415135564859072125246431180953419843187244789534372794288258609006920825136808]
"""
1.Xn+1反推出Xn Xn=(a-1 (Xn+1 - b))%m
2.求a a=((Xn+2-Xn+1)(Xn+1-Xn)-1)%m
3.求b b=(Xn+1 - aXn)%m
4.求m tn=Xn+1-Xn,m=gcd((tn+1tn-1 - tntn) , (tntn-2 - tn-1tn-1))
逆着求
"""
length=len(s)
t = []
for i in range(length-1):
t.append(s[i]-s[i-1])
all_n = []
for i in range(length-3):
all_n.append(gcd((t[i+1]*t[i-1]-t[i]*t[i]), (t[i+2]*t[i]-t[i+1]*t[i+1])))
for n in all_n:
try:
n=abs(n)
if n==1:
continue
a=(s[2]-s[1])*invert((s[1]-s[0]),n)%n
ani=invert(a,n)
b=(s[1]-a*s[0])%n
seed = (ani*(s[0]-b))%n
if isPrime(seed) and seed.bit_length()==512:
p=int(seed)
except:
pass
c= 51846448616255629242918159354807752786692784645460532308823434086479848425723111371477823327980874708898952566998637230358105087254392989515438172155717708590176244736140994735777168368143405720703501031813936741444894000217727880068767785957507824708838189619286341612305393812568642372035793481458142583420
e = 1384626
g=gcd(e,p-1)
e=e//g
m=pow(c,invert(e,(p-1)//g),p)
def square_root_of_quadratic_residue(n, modulo):
"""Square root of quadratic residue
Solve the square root of quadratic residue using Cipolla's algorithm with Legendre symbol
Returns:
int -- if n is a quadratic residue,
return x, such that x^{2} = n (mod modulo)
otherwise, return -1
"""
if modulo == 2:
return 1
if n % modulo == 0:
return 0
Legendre = lambda n: pow(n, modulo - 1 >> 1, modulo)
if Legendre(n) == modulo - 1:
return -1
t = 0
while Legendre(t ** 2 - n) != modulo - 1:
t += 1
w = (t ** 2 - n) % modulo
return (generate_quadratic_field(w, modulo)(t, 1) ** (modulo + 1 >> 1)).x
def generate_quadratic_field(d, modulo=0):
"""Generate quadratic field number class
Returns:
class -- quadratic field number class
"""
assert (isinstance(modulo, int) and modulo >= 0)
class QuadraticFieldNumber:
def __init__(self, x, y):
self.x = x % modulo
self.y = y % modulo
def __mul__(self, another):
x = self.x * another.x + d * self.y * another.y
y = self.x * another.y + self.y * another.x
return self.__class__(x, y)
def __pow__(self, exponent):
result = self.__class__(1, 0)
if exponent:
temporary = self.__class__(self.x, self.y)
while exponent:
if exponent & 1:
result *= temporary
temporary *= temporary
exponent >>= 1
return result
def __str__(self):
return '({}, {} \\sqrt({}))'.format(self.x, self.y, d)
return QuadraticFieldNumber
mp=square_root_of_quadratic_residue(m,p)
mp=[mp,p-mp]
def onemod(e, q):
p = random.randint(1, q-1)
while(powmod(p, (q-1)//e, q) == 1): # (r,s)=1
p = random.randint(1, q)
return p
def AMM_rth(o, r, q): # r|(q-1
assert((q-1) % r == 0)
p = onemod(r, q)
t = 0
s = q-1
while(s % r == 0):
s = s//r
t += 1
k = 1
while((s*k+1) % r != 0):
k += 1
alp = (s*k+1)//r
a = powmod(p, r**(t-1)*s, q)
b = powmod(o, r*a-1, q)
c = powmod(p, s, q)
h = 1
for i in range(1, t-1):
d = powmod(int(b), r**(t-1-i), q)
if d == 1:
j = 0
else:
j = (-math.log(d, a)) % r
b = (b*(c**(r*j))) % q
h = (h*c**j) % q
c = (c*r) % q
result = (powmod(o, alp, q)*h)
return result
def ALL_Solution(m, q, rt, cq, e):
mp = []
for pr in rt:
r = (pr*m) % q
# assert(pow(r, e, q) == cq)
mp.append(r)
return mp
def calc(mp, mq, e, p, q):
i = 1
j = 1
t1 = invert(q, p)
t2 = invert(p, q)
for mp1 in mp:
for mq1 in mq:
j += 1
if j % 100000 == 0:
print(j)
ans = (mp1*t1*q+mq1*t2*p) % (p*q)
if check(ans):
return
return
def ALL_ROOT2(r, q): # use function set() and .add() ensure that the generated elements are not repeated
li = set()
while(len(li) < r):
p = powmod(random.randint(1, q-1), (q-1)//r, q)
li.add(p)
return li
for i in mp:
cp = i % p
mp = AMM_rth(cp, 3, p)
rt1 = ALL_ROOT2(3, p)
amp = ALL_Solution(mp, p, rt1, cp, 3)
for j in amp:
print(long_to_bytes(int(j)))
#b'BuildCTF{crypt0_15_s0_e@5y!}'
