2023年国家基地“楚慧杯”网络安全实践能力竞赛初赛-Crypto+Misc WP

Misc

ez_zip

题目

4096个压缩包套娃

我的解答:

写个脚本直接解压即可:

import zipfile
 
name = '附件路径\\题目附件.zip'
for i in range(4097):
    f = zipfile.ZipFile(name , 'r')
    f.extractall(pwd=name[:-4].encode())
    name = f.filelist[0].filename
    print(name[:-4],end="")
    f.close()

得到

+-+++-++ +-+++++- +-+-++-- +-++++-- +-+-+-++ +-+++--+ +----+-- ++--+++- ++--++++ +--+++-- ++--+-+- ++---+++ ++--++-+ ++--+-+- ++---+++ +--+++-- +--+++-- +--++--+ ++--+++- +--++-+- ++--+--- +--+++-- ++--+--+ ++--++-- ++--+++- +--++-+- ++--+-+- ++---++- ++--+++- ++--+++- +--++-+- +--++-++ ++--+--+ +--++++- +--+++-- +--+++-- ++--+-++ +--++-+- +--++-++ +-----+-

一眼丁真01,将+改成0,-改成1

x='''01000100 01000001 01010011 01000011 01010100 01000110 01111011 00110001 00110000 01100011 00110101 00111000 00110010 00110101 00111000 01100011 01100011 01100110 00110001 01100101 00110111 01100011 00110110 00110011 00110001 01100101 00110101 00111001 00110001 00110001 01100101 01100100 00110110 01100001 01100011 01100011 00110100 01100101 01100100 01111101'''
s=x.split(' ')
print(''.join(chr(int(c,2)) for c in s))

'DASCTF{10c58258ccf1e7c631e5911ed6acc4ed}'

easy取证

题目

我的解答:

一个取证问题,简单来分析一下:

本人是在windows下使用,参考:https://blog.csdn.net/m0_68012373/article/details/127419463

我们先查看镜像信息

volatility.exe -f mem.raw imageinfo

然后我们可以利用插件grep查找一下常见的信息,例如:zip,txt,docx,png,jpg等

测试之后发现桌面有个docx文档

volatility.exe -f mem.raw --profile Win7SP1x64 filescan | grep .docx

我们需要提取出来

volatility.exe -f mem.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003dceaf20 -D ./

得到

修改后缀为docx打开,复制内容到txt里面

一眼丁真snow隐写,但需要找到密码,我们使mimikatzmimikatz插件可以获取系统明文密码,网上有安装教程)获取密码

得到

H7Qmw_X+WB6BXDXa

然后直接解码即可

SNOW.EXE -C -p "H7Qmw_X+WB6BXDXa" White.txt

gb2312-80

题目

我的解答:

分析cipher.txt文件内容形式,我们可以写个脚本获取点阵来分析

#处理数据变成列表
ls = []  
with open('cipher.txt', 'r') as f:  
    for line in f:  
        ls.append([int(num) for num in line.strip().split(',')])
#print(ls)

with open('11.txt', 'w+', encoding='utf-8') as fp:
    for x in ls:
        for i in range(16):
            s = bin(x[i] & 0xffffffff)
            s = s.replace('0b', "").zfill(16)
            for j in s:
                if j == '1':
                    fp.write('0'+' ')
                else:
                    fp.write('.'+' ')
            fp.write('\n')
        fp.write('\n') 

得到

观察内容发现是压缩包,手动撸出来得到hint.txtflag.txt

我们通过hint.txt可以得到密码

data = [ '0000100000010000111111111111100000010000000100000001000100010000001000010001000000100101000100000011111100010000011001010001010010100101111111100010010000000100001001000010010000100111111101000010010000000100001111000000010000100100000101000000000000001000',
'0000111111100000000010000010000000001000001000000000111111100000000010000010000000001000001000000000111111100000000000000000010011111111111111100000000100000000000010010010000000001001111100000000100100000000000101010000000000100011000001100100000011111100',
'0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000011110000000000001111000000000000011000000000000000000000000000000110000000000000111100000000000011110000000000000110000000000000000000000000',
'0000000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000',
'0000000000000000000000000000000000011110000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000',
'0000000000000000000000000000000000000011111000000000011000110000000011000001100000011000000011000001100000001100000110000000110000011000000011000001100000001100000110000000110000001100000110000000011000110000000000111110000000000000000000000000000000000000',
'0000000000000000000000000000000000111100000111000001100000001000000110000000100000011000000100000000110000010000000011000010000000001100001000000000011001000000000001100100000000000010100000000000001110000000000000010000000000000000000000000000000000000000',
'0000000000000000000000000000000000011111111110000000110000011000000011000000100000001100000000000000110000100000000011111110000000001100001000000000110000000000000011000000000000001100000010000000110000011000000111111111100000000000000000000000000000000000',
'0000000000000000000000000000000000011110001111000000110000011000000011000001100000001100000110000000110000011000000011111111100000001100000110000000110000011000000011000001100000001100000110000000110000011000000111100011110000000000000000000000000000000000',
'0000000000000000000000000000000000111111111110000010000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000000000011000000010000011000000011000001111111111100000000000000000000000000000000000',
'0000000000000000000000000000000000011110011111000000110000110000000011000110000000001100110000000000110110000000000011111000000000001101110000000000110011100000000011000111000000001100001110000000110000011100000111100001111000000000000000000000000000000000',
'0000000000000000000000000000000000000000100000000000001110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000011000000000000001100000000000000110000000000000111100000000000000000000000000000000000000',
'0000000000000000000000000000000000000011110000000000011001100000000011000011000000001100000000000000110111000000000011100110000000001100001100000000110000110000000011000011000000001100001100000000011001100000000000111100000000000000000000000000000000000000'
    ]
for a in data:
    for i in range(len(a)//16):
        print(a[i*16:i*16+16].replace('0', '. '))
    
    print()
. . . . 1. . . . . . 1. . . . 
1111111111111. . . 
. . . 1. . . . . . . 1. . . .
. . . 1. . . 1. . . 1. . . .
. . 1. . . . 1. . . 1. . . .
. . 1. . 1. 1. . . 1. . . .
. . 111111. . . 1. . . .
. 11. . 1. 1. . . 1. 1. .
1. 1. . 1. 11111111.
. . 1. . 1. . . . . . . 1. .
. . 1. . 1. . . . 1. . 1. .
. . 1. . 1111111. 1. .
. . 1. . 1. . . . . . . 1. .
. . 1111. . . . . . . 1. .
. . 1. . 1. . . . . 1. 1. .
. . . . . . . . . . . . 1. . .

. . . . 1111111. . . . .
. . . . 1. . . . . 1. . . . .
. . . . 1. . . . . 1. . . . .
. . . . 1111111. . . . .
. . . . 1. . . . . 1. . . . .
. . . . 1. . . . . 1. . . . .
. . . . 1111111. . . . .
. . . . . . . . . . . . . 1. .
111111111111111.
. . . . . . . 1. . . . . . . .
. . . . 1. . 1. . 1. . . . .
. . . . 1. . 11111. . . .
. . . . 1. . 1. . . . . . . .
. . . 1. 1. 1. . . . . . . .
. . 1. . . 11. . . . . 11.
. 1. . . . . . 111111. .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . 11. . . . . . . . .
. . . . 1111. . . . . . . .
. . . . 1111. . . . . . . .
. . . . . 11. . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . 11. . . . . . . . .
. . . . 1111. . . . . . . .
. . . . 1111. . . . . . . .
. . . . . 11. . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . 1111. . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . 1111. . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . 1111. . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . 1. . .
. . . . 11. . . . . 11. . .
. . . 1111111111. . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . 11111. . . . .
. . . . . 11. . . 11. . . .
. . . . 11. . . . . 11. . .
. . . 11. . . . . . . 11. .
. . . 11. . . . . . . 11. .
. . . 11. . . . . . . 11. .
. . . 11. . . . . . . 11. .
. . . 11. . . . . . . 11. .
. . . 11. . . . . . . 11. .
. . . . 11. . . . . 11. . .
. . . . . 11. . . 11. . . .
. . . . . . 11111. . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . 1111. . . . . 111. .
. . . 11. . . . . . . 1. . .
. . . 11. . . . . . . 1. . .
. . . 11. . . . . . 1. . . .
. . . . 11. . . . . 1. . . .
. . . . 11. . . . 1. . . . .
. . . . 11. . . . 1. . . . .
. . . . . 11. . 1. . . . . .
. . . . . 11. . 1. . . . . .
. . . . . . 1. 1. . . . . . .
. . . . . . 111. . . . . . .
. . . . . . . 1. . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . 1111111111. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . . 1. . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . 1. . . . .
. . . . 1111111. . . . .
. . . . 11. . . . 1. . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . . . . .
. . . . 11. . . . . . 1. . .
. . . . 11. . . . . 11. . .
. . . 1111111111. . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . 1111. . . 1111. .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . . 111111111. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . . 11. . . . . 11. . .
. . . 1111. . . 1111. .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . 11111111111. . .
. . 1. . . . . . . . 11. . .
. . . . . . . . . . 11. . . .
. . . . . . . . . 11. . . . .
. . . . . . . . 11. . . . . .
. . . . . . . 11. . . . . . .
. . . . . . 11. . . . . . . .
. . . . . 11. . . . . . . . .
. . . . 11. . . . . . . . . .
. . . 11. . . . . . . 1. . .
. . 11. . . . . . . 11. . .
. . 11111111111. . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . 1111. . 11111. .
. . . . 11. . . . 11. . . .
. . . . 11. . . 11. . . . .
. . . . 11. . 11. . . . . .
. . . . 11. 11. . . . . . .
. . . . 11111. . . . . . .
. . . . 11. 111. . . . . .
. . . . 11. . 111. . . . .
. . . . 11. . . 111. . . .
. . . . 11. . . . 111. . .
. . . . 11. . . . . 111. .
. . . 1111. . . . 1111.
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . 1. . . . . . .
. . . . . . 111. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . . 11. . . . . . .
. . . . . . 1111. . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . 1111. . . . . .
. . . . . 11. . 11. . . . .
. . . . 11. . . . 11. . . .
. . . . 11. . . . . . . . . .
. . . . 11. 111. . . . . .
. . . . 111. . 11. . . . .
. . . . 11. . . . 11. . . .
. . . . 11. . . . 11. . . .
. . . . 11. . . . 11. . . .
. . . . 11. . . . 11. . . .
. . . . . 11. . 11. . . . .
. . . . . . 1111. . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .

得到密码:ILOVEHZK16,然后解压flag.txt得到:

DASCTF{842a99305a07e6183830582d1740c1b1}

Crypto

so-large-e

题目

公钥

-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQCl7ZhtXDOIFdSnnejtOn2W
OdcqyzrvKMVFTIqSyPV3Tkj5m9ETc/rlvLJLcQvI0V6tr+u5Tq+zqWBQzsvRsvKt
+ap0JW8up0qD1nGIvcJVdsWAjdse7AH/N3+xg8NrH3nO0OIWzMpkGH+4TVsOBu8M
nhnR9SxTkDp+gUtHtPR/awKBgQChjp2PFfpCV4hrVyPJrKP2gHbW+o7mBNiUd3Av
Ucbkr7rA6Sj3tU33yGKIoXbmZC4rWNcuqrsoCPvIFl/YHYPKVDOl2PlLaDVi/Q5E
ymGkUfPXoZsScxvkZtkOt9XY4wWEeDMtxF/swnV0nhAUSJEHamFL3i0PAWf9uBdd
VheH4Q==
-----END PUBLIC KEY-----
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from flag import flag
import random

m = bytes_to_long(flag)

p = getPrime(512)
q = getPrime(512)
n = p*q
e = random.getrandbits(1024)
assert size(e)==1024
phi = (p-1)*(q-1)
assert GCD(e,phi)==1
d = inverse(e,phi)
assert size(d)==269

pub = (n, e)
PublicKey = RSA.construct(pub)
with open('pub.pem', 'wb') as f :
    f.write(PublicKey.exportKey())

c = pow(m,e,n)
print('c =',c)

print(long_to_bytes(pow(c,d,n)))


#c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860

我的解答:

我们先分解公钥得到n,e

from gmpy2 import *
from Crypto.Util.number import *
from Crypto.PublicKey import RSA


# 公钥提取
with open("pub.pem","r",encoding="utf-8") as file:
    text=file.read()
key=RSA.import_key(text)
e=key.e
n=key.n
print(e)
print(n)

113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233
116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723

发现这个e很大,我们根据题目代码可知它跟n一个数量级。而d很小,想到维纳攻击或低解密指数攻击。但尝试无果有报错。问题就在于他的私钥太小d < N^0.292并不满足维纳或低解密d的要求。

因此我们需要爆出真正的满足题目条件的d,利用LLL-attacks解出d

详细解析可参考:https://github.com/Gao-Chuan/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage

from __future__ import print_function
import time

############################################
# Config
##########################################

"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = True

"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct
upperbound on the determinant. Note that this
doesn't necesseraly mean that no solutions
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False

"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension

############################################
# Functions
##########################################

# display stats on helpful vectors
def helpful_vectors(BB, modulus):
    nothelpful = 0
    for ii in range(BB.dimensions()[0]):
        if BB[ii,ii] >= modulus:
            nothelpful += 1

    print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")

# display matrix picture with 0 and X
def matrix_overview(BB, bound):
    for ii in range(BB.dimensions()[0]):
        a = ('%02d ' % ii)
        for jj in range(BB.dimensions()[1]):
            a += '0' if BB[ii,jj] == 0 else 'X'
            if BB.dimensions()[0] < 60:
                a += ' '
        if BB[ii, ii] >= bound:
            a += '~'
        print(a)

# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):
    # end of our recursive function
    if current == -1 or BB.dimensions()[0] <= dimension_min:
        return BB

    # we start by checking from the end
    for ii in range(current, -1, -1):
        # if it is unhelpful:
        if BB[ii, ii] >= bound:
            affected_vectors = 0
            affected_vector_index = 0
            # let's check if it affects other vectors
            for jj in range(ii + 1, BB.dimensions()[0]):
                # if another vector is affected:
                # we increase the count
                if BB[jj, ii] != 0:
                    affected_vectors += 1
                    affected_vector_index = jj

            # level:0
            # if no other vectors end up affected
            # we remove it
            if affected_vectors == 0:
                print("* removing unhelpful vector", ii)
                BB = BB.delete_columns([ii])
                BB = BB.delete_rows([ii])
                monomials.pop(ii)
                BB = remove_unhelpful(BB, monomials, bound, ii-1)
                return BB

            # level:1
            # if just one was affected we check
            # if it is affecting someone else
            elif affected_vectors == 1:
                affected_deeper = True
                for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
                    # if it is affecting even one vector
                    # we give up on this one
                    if BB[kk, affected_vector_index] != 0:
                        affected_deeper = False
                # remove both it if no other vector was affected and
                # this helpful vector is not helpful enough
                # compared to our unhelpful one
                if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):
                    print("* removing unhelpful vectors", ii, "and", affected_vector_index)
                    BB = BB.delete_columns([affected_vector_index, ii])
                    BB = BB.delete_rows([affected_vector_index, ii])
                    monomials.pop(affected_vector_index)
                    monomials.pop(ii)
                    BB = remove_unhelpful(BB, monomials, bound, ii-1)
                    return BB
    # nothing happened
    return BB

""" 
Returns:
* 0,0   if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
    """
    Boneh and Durfee revisited by Herrmann and May
    
    finds a solution if:
    * d < N^delta
    * |x| < e^delta
    * |y| < e^0.5
    whenever delta < 1 - sqrt(2)/2 ~ 0.292
    """

    # substitution (Herrman and May)
    PR.<u, x, y> = PolynomialRing(ZZ)
    Q = PR.quotient(x*y + 1 - u) # u = xy + 1
    polZ = Q(pol).lift()

    UU = XX*YY + 1

    # x-shifts
    gg = []
    for kk in range(mm + 1):
        for ii in range(mm - kk + 1):
            xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk
            gg.append(xshift)
    gg.sort()

    # x-shifts list of monomials
    monomials = []
    for polynomial in gg:
        for monomial in polynomial.monomials():
            if monomial not in monomials:
                monomials.append(monomial)
    monomials.sort()
    
    # y-shifts (selected by Herrman and May)
    for jj in range(1, tt + 1):
        for kk in range(floor(mm/tt) * jj, mm + 1):
            yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)
            yshift = Q(yshift).lift()
            gg.append(yshift) # substitution
    
    # y-shifts list of monomials
    for jj in range(1, tt + 1):
        for kk in range(floor(mm/tt) * jj, mm + 1):
            monomials.append(u^kk * y^jj)

    # construct lattice B
    nn = len(monomials)
    BB = Matrix(ZZ, nn)
    for ii in range(nn):
        BB[ii, 0] = gg[ii](0, 0, 0)
        for jj in range(1, ii + 1):
            if monomials[jj] in gg[ii].monomials():
                BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)

    # Prototype to reduce the lattice
    if helpful_only:
        # automatically remove
        BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)
        # reset dimension
        nn = BB.dimensions()[0]
        if nn == 0:
            print("failure")
            return 0,0

    # check if vectors are helpful
    if debug:
        helpful_vectors(BB, modulus^mm)
    
    # check if determinant is correctly bounded
    det = BB.det()
    bound = modulus^(mm*nn)
    if det >= bound:
        print("We do not have det < bound. Solutions might not be found.")
        print("Try with highers m and t.")
        if debug:
            diff = (log(det) - log(bound)) / log(2)
            print("size det(L) - size e^(m*n) = ", floor(diff))
        if strict:
            return -1, -1
    else:
        print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")

    # display the lattice basis
    if debug:
        matrix_overview(BB, modulus^mm)

    # LLL
    if debug:
        print("optimizing basis of the lattice via LLL, this can take a long time")

    BB = BB.LLL()

    if debug:
        print("LLL is done!")

    # transform vector i & j -> polynomials 1 & 2
    if debug:
        print("looking for independent vectors in the lattice")
    found_polynomials = False
    
    for pol1_idx in range(nn - 1):
        for pol2_idx in range(pol1_idx + 1, nn):
            # for i and j, create the two polynomials
            PR.<w,z> = PolynomialRing(ZZ)
            pol1 = pol2 = 0
            for jj in range(nn):
                pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)
                pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)

            # resultant
            PR.<q> = PolynomialRing(ZZ)
            rr = pol1.resultant(pol2)

            # are these good polynomials?
            if rr.is_zero() or rr.monomials() == [1]:
                continue
            else:
                print("found them, using vectors", pol1_idx, "and", pol2_idx)
                found_polynomials = True
                break
        if found_polynomials:
            break

    if not found_polynomials:
        print("no independant vectors could be found. This should very rarely happen...")
        return 0, 0
    
    rr = rr(q, q)

    # solutions
    soly = rr.roots()

    if len(soly) == 0:
        print("Your prediction (delta) is too small")
        return 0, 0

    soly = soly[0][0]
    ss = pol1(q, soly)
    solx = ss.roots()[0][0]

    #
    return solx, soly

def example():
    ############################################
    # How To Use This Script
    ##########################################

    #
    # The problem to solve (edit the following values)
    #

    # the modulus
    e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233
    N = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723

    # the hypothesis on the private exponent (the theoretical maximum is 0.292)
    delta = .27 # this means that d < N^delta

    #
    # Lattice (tweak those values)
    #

    # you should tweak this (after a first run), (e.g. increment it until a solution is found)
    m = 6 # size of the lattice (bigger the better/slower)

    # you need to be a lattice master to tweak these
    t = int((1-2*delta) * m)  # optimization from Herrmann and May
    X = 2*floor(N^delta)  # this _might_ be too much
    Y = floor(N^(1/2))    # correct if p, q are ~ same size

    #
    # Don't touch anything below
    #

    # Problem put in equation
    P.<x,y> = PolynomialRing(ZZ)
    A = int((N+1)/2)
    pol = 1 + x * (A + y)

    #
    # Find the solutions!
    #

    # Checking bounds
    if debug:
        print("=== checking values ===")
        print("* delta:", delta)
        print("* delta < 0.292", delta < 0.292)
        print("* size of e:", int(log(e)/log(2)))
        print("* size of N:", int(log(N)/log(2)))
        print("* m:", m, ", t:", t)

    # boneh_durfee
    if debug:
        print("=== running algorithm ===")
        start_time = time.time()

    solx, soly = boneh_durfee(pol, e, m, t, X, Y)

    # found a solution?
    if solx > 0:
        print("=== solution found ===")
        if False:
            print("x:", solx)
            print("y:", soly)

        d = int(pol(solx, soly) / e)
        print("private key found:", d)
    else:
        print("=== no solution was found ===")

    if debug:
        print(("=== %s seconds ===" % (time.time() - start_time)))

if __name__ == "__main__":
    example()

之后直接解即可

import gmpy2
from Crypto.Util.number import *

d=663822343397699728953336968317794118491145998032244266550694156830036498673227937
c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
n=116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
m=pow(c,d,n)
print(long_to_bytes(m))
#DASCTF{6f4fadce-5378-d17f-3c2d-2e064db4af19}

matrixequation

题目

from sage.all import *
import string
from myflag import finalflag, flag

A = matrix([[0 for i in range(11)] for i in range(11)])
for k in range(len(flag)):
	i, j = 5*k // 11, 5*k % 11
	A[i, j] = alphabet.index(flag[k])
from hashlib import md5
assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')
key = getKey()
R, leftmatrix, matrixU = key
tmpMatrix = leftmatrix * matrixU
X = A + R
Y = tmpMatrix * X
E = leftmatrix.inverse() * Y

f = open('output','w')
f.write(str(E)+'\n')
f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')
f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))
f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))

A = matrix([[0 for i in range(11)] for i in range(11)])
for k in range(len(flag)):
	i, j = 5*k // 11, 5*k % 11
	A[i, j] = alphabet.index(flag[k])
from hashlib import md5
assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')
key = getKey()
R, leftmatrix, matrixU = key
tmpMatrix = leftmatrix * matrixU
X = A + R
Y = tmpMatrix * X
E = leftmatrix.inverse() * Y

f = open('output','w')
f.write(str(E)+'\n')
f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')
f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))
f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))
[53 19 40  7 22 46 69 11 31 48 57]
[66 47 13 39  1 34 26 15 52 18 55]
[47  1  9 14 58 34 40 27  9  1 36]
[36 19 38 30 39 30 21 27  1  4 13]
[25 10 52 45 69 63  3 64 13 51 44]
[48  2 64 19 49 51 39 29 22 35 17]
[69 48 27 17 15 42 60 42 15 43  7]
[39 37 56  5 49 57 51 49  3 53 25]
[50 39  9 30 19 63 20 12  8 55 35]
[24 26 58 56 43 70 66 27 32 70 59]
[ 9 34 18 31 65  3 48 39 39 40 53]
[62 17 50 41  4  7  5  4 20 15 45]
[ 8 59 38 18 42 31 60 58 35  1 46]
[25 20 45 31 69 45 59 34 46 63 69]
[ 6  2 65 44 53 59 11 52 37 48 40]
[33 52  4  9  6  7 34  4 59 59  6]
[65 64 53 22 49 22 58 50 48 66 25]
[ 0 43 42 68 16 35 20 69  1 14 18]
[23 61 44 20 30 38 10 68 52 39  4]
[ 1  8 31 31 11 54 41 70 49 40  1]
[58 29 28 60 23 13 67 33 14 15  2]
[23 25 70  1 13 57 52 21 54 64 26]
[10  5 15 49 12 53 46 23 44 40 67]
[41 21 62 22 40 69 59  0 28 42 52]
[ 9 66 44  3 48  2 53  8 46 52  4]
[ 8 50 15 56 16 31 47  5 70  6 43]
[59 34 48  5 55 50 61 39 38  7 60]
[46 46  9 36 12 49 48 30 64 30 45]
[62 33  2 19  3 15 69 25  0 51 69]
[27 10 48 26 11 32  1 40 29 59 16]
[18 60 33 64 15 41 22  9 11 60 22]
[32 52 15 27  1 63 55 54 70 17 52]
[22 27 33 38 68 36 59 17 64 18 65]
[43 68 27 18 44 32 47 21 46 44 14]
[12 52 44 61 26 34 53 36 18  3 61]
[10 59 14  2 42 63 31  9 53  4 55]
[63 48 59 11 54  9 54 50 68  5 28]
[66 12 58 68 52 50  5 39 19  6 70]
[42 23 24 54 54 64  3 16 20 67 28]
[60 68 63 63 34  7  0 36  3 22 68]
[10 23  0  9 64  0 52  1 24 52 21]
[65 52 42  9 43 39 15  3 36 28 28]
[21 32 35 69 49 55  0 23  4 32 42]
[61 52 49 46 50 34 70 35 39  1 16]

我的解答:

线性代数问题,题目把flag转成了矩阵A,我们要做的就是求出A

已知题目信息(由于变量较长,这里用缩略单词代替)

R, S = random_matrix
S = L * U

E = L^(-1) * S * (A + R)
a = L * U * L
b = L^(-1) * S^2 * L
c = R^(-1) * S^8

求解过程

b * a^(-1) = L^(-1) * S  (S = L * U = U * L)
a * b^(-1) * E = A + R   (上式^(-1) * E)

a * b * a^(-1) = S^2     (define ss)
c * ss^(-4) = R^(-1)

a * b^(-1) * E - c * ss^(-4) = A  (solve)

exp:

import re
import string

alphabet = string.printable[:71]
p = len(alphabet)

with open('output', 'r') as f:
  data = f.read().split('\n')[:-1]

data = [re.findall(r'\d+', d) for d in data]
data = [[Integer(di) for di in d] for d in data]

n = 11
E = matrix(GF(p), data[:11])
LUL = matrix(GF(p), data[11: 22])
ULUL = matrix(GF(p), data[22: 33])
RiLU8 = matrix(GF(p), data[33: 44])

Ui = LUL * ULUL^(-1)
Ri = RiLU8 * Ui * (ULUL^(-1))^3 * LUL^(-1)
U = Ui^(-1)
assert Ri * (LUL * U)^4 == RiLU8

R = Ri^(-1)
AR = Ui * E
A = AR - R
print(A)


flag = ''
for k in range(24):
  i, j = 5*k // 11, 5*k % 11
  flag += alphabet[A[i, j]]
print(flag)
  

from hashlib import md5
flag = 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}'
print(flag)

 

 

posted @ 2023-12-18 18:18  清纯少女小琪  阅读(439)  评论(2编辑  收藏  举报