naby

导航

ISCTF2024-Crypto(不全)

Crypto

一开始有时间写了一点,原本不打算发的,但详细写了前面几题的wp,还是发一下。

我和小蓝鲨的秘密

from PIL import Image
from Crypto.Util.number import bytes_to_long, long_to_bytes
import numpy as np

n = 29869349657224745144762606999
e = 65537

original_image_path = "flag.jpg"
img = Image.open(original_image_path)
img = img.convert("RGB")

img_array = np.array(img)
h, w, _ = img_array.shape

encrypted_array = np.zeros((h, w, 3), dtype=object)
for i in range(h):
    for j in range(w):
        r, g, b = int(img_array[i, j, 0]), int(img_array[i, j, 1]), int(img_array[i, j, 2])

        encrypted_array[i, j, 0] = pow(r, e, n)
        encrypted_array[i, j, 1] = pow(g, e, n)
        encrypted_array[i, j, 2] = pow(b, e, n)

np.save("encrypted_image.npy", encrypted_array)
print("图片已加密并保存为 encrypted_image.npy")

factordb查n的分解,然后交给AI就行了

from PIL import Image
from Crypto.Util.number import inverse
import numpy as np

# RSA参数
n = 29869349657224745144762606999
p = 160216064374859
q = 186431677583461
e = 65537
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)  # 计算私钥指数d

# 加载加密数组
encrypted_array = np.load("encrypted_image.npy", allow_pickle=True)
h, w, _ = encrypted_array.shape
decrypted_array = np.zeros((h, w, 3), dtype=np.uint8)  # 用于存储解密后的图像

# 逐像素解密
for i in range(h):
    for j in range(w):
        decrypted_array[i, j, 0] = pow(int(encrypted_array[i, j, 0]), d, n)
        decrypted_array[i, j, 1] = pow(int(encrypted_array[i, j, 1]), d, n)
        decrypted_array[i, j, 2] = pow(int(encrypted_array[i, j, 2]), d, n)

# 转换为图像并保存
decrypted_img = Image.fromarray(decrypted_array, "RGB")
decrypted_img.save("decrypted_flag.jpg")
print("图片已解密并保存为 decrypted_flag.jpg")

蓝鲨的费马

import libnum
import gmpy2
from Crypto.Util.number import *

flag=b'ISCTF{********}'
m=bytes_to_long(flag)

p=libnum.generate_prime(1024)
q=libnum.generate_prime(1024)
n=p*q
e=0x10001
c=pow(m,e,n)
d=inverse(e,(p-1)*(q-1))
leak = (d+(pow(p,q,n)+pow(q,p,n)))%n

print("c=", c)
print("n=", n)
print("leak=", leak)

分为两个问题来求解

pow(p,q,n)+pow(q,p,n)=p+q

\[l=d+p^q+q^p\mod n\\ p^q\mod n=p^q+k*n=p\mod q\\ p^q\mod n=p^q \mod p=0\mod p\\ 利用中国剩余定理可得:0*q*inverse(q,p)+p*p*inverse(p,q ) \mod p*q\\ 有p*(1+k*q)\mod n=p,所以p^q\mod n=p\mod n\\ 同理有q^p\mod n=q\mod n\\ 所以leak=d+p+q\mod n \]

d+p+q

\[l=d+p+q\mod n\\ x=c^l\mod n=c^{d+p+q}\mod n=m*c^{p+q}\mod n\\ φ(n)=n-(p+q)+1,有p+q=n+1-φ(n)\\ x=m*c^{n+1-φ(n)}\mod n=m*c^{n+1}\mod n\\ m=x*c^{-n-1}\mod n \]

from Crypto.Util.number import *

c= 8989289659072309605793417141528767265266446236550650613514493589798432446586991233583435051268377555448062724563967695425657559568596372723980081067589103919296476501677424322525079257328042851349095575718347302884996529329066703597604694781627113384086536158793653551546025090807063130353950841148535682974762381044510423210397947080397718080033363000599995100765708244828566873128882878164321817156170983773105693537799111546309755235573342169431295776881832991533489235535981382958295960435126843833532716436804949502318851112378495533302256759494573250596802016112398817816155228378089079806308296705261876583997
n= 13424018200035368603483071894166480724482952594135293395398366121467209427078817227870501294732149372214083432516059795712917132804111155585926502759533393295089100965059106772393520277313184519450478832376508528256865861027444446718552169503579478134286009893965458507369983396982525906466073384013443851551139147777507283791250268462136554061959016630318688169168797939873600493494258467352326974238472394214986505312411729432927489878418792288365594455065912126527908319239444514857325441614280498882524432151918146061570116187524918358453036228204087993064505391742062288050068745930452767100091519798860487150247
leak= 9192002086528025412361053058922669469031188193149143635074798633855112230489479254740324032262690315813650428270911079121913869290893574897752990491429582640499542165616254566396564016734157323265631446079744216458719690853526969359930225042993006404843355356540487296896949431969541367144841985153231095140361069256753593550199420993461786814074270171257117410848796614931926182811404655619662690700351986753661502438299236428991412206196135090756862851230228396476709412020941670878645924203989895008014836619321109848938770269989596541278600166088022166386213646074764712810133558692545401032391239330088256431881

x=pow(c,leak,n)
print(long_to_bytes((x*pow(c,-n-1,n))%n))
#b'ISCTF{u_got_it}'

小蓝鲨的方程

from Cryptodome.Util.number import *
from random import *
from gmpy2 import *
import uuid
flag1='ISCTF{'+str(uuid.uuid4())+'}'

m1=bytes_to_long(flag1.encode())
def get_p():
    BITS = 256
    bits = 777
    oder = 4
    a = randint(1 << bits, 1 << bits + 1)
    p=getPrime(BITS)
    p1 = p**oder+a
    return p,p1
p,p1=get_p()
s=getPrime(1024)
q=getPrime(512)
n=p*q**4
e=65537
c1=pow(s,e,n)
c=pow(s**3+1,m1,s**5)
print("c1=",c1)
print("c =",c)
print("n =",n)
print("p1 =",p1)

求p和s

已知\(p1=p^4+a\)\(p^4\gg a\),我们对p1开4次根,然后往前找素数,即可找到p,然后利用rsa求解出s

求m

参考DLP (158/Crypto) · Hackademia Writeups

一开始先不考虑模数,根据二项式定理,我们有一般式:

\((n+1)^m=n^m+m*n^{m-1}+...+m*n+1\)

在本题中\(n=s^3\),此时,我们对这个式子模\(n^2\),会发现除了最后两项,其他项都被模掉了,所以\((n+1)^m\mod n^2=m*n+1\mod n^2\)

这样我们就求出了\(m=\frac{(c\%n^2)-1}{n}\)

from Cryptodome.Util.number import *
from gmpy2 import iroot
from sympy import prevprime,discrete_log
c1= 671390498592586008552998377599101093977542184109077889081448730480869018650843045119891777468161631085086340705902115332025675787789530562679603254577287153918966364523848382506106179394235772395029788721306186952016420794804145631124905952103136061076643266886961178241381892015555099638200222249447194504082451341122502519637821695210573997670753981061458264118355417889153180841281073262935937836447460470926729282834006229571453935760593644658459098721652426154970766417292435960463905367868753821950303919781798234432998272038029063155193184039985018137026245365188171178677898869374676546799536208952198558258306460302868688355653022725288744014143221560882404431652751343944983442109327
c = 8641190030376811670503537177719719233418166235794962118828671236836174132083208517733734760455990850156371205118391537919769888760384574011411232571257192285256730733174399297826587479261381970232162702657952399683882650083181048279650913795429823628186888540572704055008102853692060360140858142686334722286525699998854566609078547487420929457446776757558492454916447188774943818970599916514467335772992690805247630814156710861067503956707301402347944233660194395192354000788262111000900574820275786269075882923600474781645848712157460135387134196156906258218217831988828360827613420801773911833194097791649069743116686685667300622630909231822986237104627385544169938138006242341269672868611269202418482629393372933567053272565557137741441902377611003983050084491513897727856173625922194300103448148829004025229567101761111396110940066254801762424343522707712480796358754008120503317686600144600226149617189681233392693738216138797012278242152852923361635415564580582002132107424154426980566696622448291815571736676562214017436
n = 1076246859437269645898003764327104347852443049519429833372038915264009774423737482018987571807662568251485615769880354898666799006772572239466617428164721157850526408878346223839884319846641438292436373441749602341461361190584638190903978829024853974880636148520803145113551453821058269641304504880310836801494499720662704717315748614372503735165114899680682056477494953525794354656896362929510309669119173103242509398650608116835276076364248473952717811633756784397347121601006659623317417388283638159905288128181587304367489096254611610975352096229116491567502061775862811850081040850421151385474249060884479729988512713640536139010928836126719149031115182144744359297169350288886555784650111
p1 = 145356063641618996012874664536921616978986640263438210169671010403677822239343590475177543891188656103067696467174379510912427160232486984044862545338401652910975162942038201716552753723984593267892098222213049269335313670049037479410635628460505327693176152061750827570561482918795206276991967169087371403553

p4=iroot(p1,4)[0]
p=prevprime(p4)
while n%p!=0:
    p=prevprime(p)
q=iroot(n//p,4)[0]


s=pow(c1,inverse(65537,(p-1)*(q**4-q**3)),n)
n=s**3
m=(c%n**2-1)//n
print(long_to_bytes(m))
#b'ISCTF{8e0ff2de-cd65-497f-a755-815154bb5b1f}'

蓝鲨的RSA

from secret import flag
import gmpy2
import decimal
from Crypto.Util.number import *

def gethint(h,p):
    decimal.getcontext().prec = 1024
    H = decimal.Decimal(int(h))
    P = decimal.Decimal(int(p))
    leak = decimal.Decimal((8*H*P - 1) / (16*P*P))
    return leak
p = getPrime(512)
q = getPrime(512)
f = getPrime(512)
g = getPrime(128)
h = gmpy2.invert(f, p) * g % p

n = f*q
e = 65537
m = bytes_to_long(flag)

c = pow(m,e,n)
print('c =', c)
print('hint =', gethint(h,p))
print('n =',n)

参考basectf-week3-wiener?:BaseCTF2024-week3-Crypto部分题目wp - Naby - 博客园

wiener攻击的思想,连分数定理:

\[\left|a-\frac{c}{d}\right|<\frac{1}{2*d^2}\\ 可得\frac{c}{d}就是a的一个连分数近似 \]

本题推导:

\[leak=\frac{8*H*P-1}{16*P*P}\\ leak=\frac{H}{2P}-\frac{1}{16*P^2}\\ \left|leak-\frac{H}{2P}\right|=\frac{1}{16*P^2}<\frac{1}{2*(2P)^2}\\ 之后计算leak的连分数,即可得到P和H \]

经过测试,连分数求出来的是\(\frac{H}{2}和P\),所以我们判断一下P,然后对H乘2就好了。

之后就是最简单的格

from Crypto.Util.number import *
c = 587245179027322480379581200283415189810421958968516831191660631552695197401940961725169763339428980298128692606951200581483431566182271569207988054537414289564013883171160614196522169980339024564884190765084419167938640701193928669
hint = 0.2427542737153618793334900104191212626446625872340179613972610728976081994921862517310186626304527115125924716035632505287111236596234811779375148657365336957626454491865164520834975233144235103885081268955448330597818844340656652982593545877449810282619387305007246499089258519062093814083383071737897364213169497762760797899310673216754376885295598952272100016962368762532805864796748393317534908268379601445004775495237901072144236328105526403608646831124542336002540011176406194984370372589752234640498423911217119220030242197564695880261480071310815379681250975672935544404797155655708441222387631967447088319826137200280810029390387418159394276760100487636516708987579464183208860911063948902432948269805493252899815187044807603000344378890835564906163242023600624338694473573763088471321731611077227112205396909637906507673367598721218000123789690455125909411309668615810240938664264212370815385282488986625554704015828254539339719586211726300858711328516487805251366293457402531199532556110786048074755505680210260049
n = 839799159583571337450826982895478997157381520448790705455708438948150905361244823725400304016136863419723271227616684280477524669207590477657886623628732394537008838314015048569652202355464477680540884654473950183135276735347866051

cf = continued_fraction(hint)
convers = cf.convergents()
for conver in convers:
    ph, pp = conver.as_integer_ratio()
    pp=int(pp)
    if pp.bit_length()==512 and isPrime(pp):
        L = Matrix(ZZ,[[1,ph*2],[0,pp]])
        f,g = L.LLL()[0]
        f,g = abs(f),abs(g)
        print(long_to_bytes(int(pow(c,inverse_mod(65537,(f-1)*((n//f)-1)),n))))
#b'ISCTF{27d5473d7ceb8a89-98eb9b12-e8f6b2ae-cc3bcbca17c434b}'

posted on 2024-11-16 20:30  Naby  阅读(50)  评论(0编辑  收藏  举报