# 闲题杂记2

Contents

## 祥云ber secret_share

enc

$E = g^e\mod p,V=g^v\mod p\ s = v+e(h2(E||V))$

$c = m*pk^{e+v}\mod p$

r_enc:

$E_- = g^{e\times skI\times dd} , V_-=g^{v\times skI\times dd}$

$E = g^{e},V=g^{v}$

$c = m\times (EV)^{skI}\mod p =m\times (E_-V_-)^{inv(dd,p-1)}\mod p$

encoder当时没细看，其实变化写完了一看就很简单了

$mul={sk}^4\cdot dd_1\cdot dd_2\cdot dd_3\cdot dd_4%p$

$dd_i$是已知的,有些solve是域下开根

EV都是已知，c也已知 直接算就🆗了

solve-step1

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64  from Crypto.Util.number import * from icecream import * from hashlib import sha256 from gmpy2 import * import libnum from pwn import * from libnum import * def h2(m): return int(sha256(m).hexdigest(), 16) io=remote('0.0.0.0',10001) #1 io.recvuntil('choice>') io.sendline('1') io.recvuntil('Please take good care of it!\n') pk_sk=io.recvuntil('\n')[:-1].decode()[2:-1].split('L,0x') pk,sk=int(pk_sk[0],16),int(pk_sk[1],16) #2 io.recvuntil('choice>') io.sendline('2') pp, g = 0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3, 0x85fd9ae42b57e515b7849b232fcd9575c18131235104d451eeceb991436b646d374086ca751846fdfec1ff7d4e1b9d6812355093a8227742a30361401ccc5577 group_list = [32, 64, 128, 256] DD=1 for group in group_list: io.recvuntil('The cipher shared to you\n') cc=int(io.recvuntil('L, ')[1:-3]) new_cipher=[cc] new_cipher+=eval(io.recvuntil(')\n')[:-2].decode().replace('L','')) c,E_,V_,s_=new_cipher io.recvuntil('prefix, encoder = ') Enc2,prefix=pre_enc=eval(io.recvuntil('\n')[:-1].decode().replace('L','')) prefix=int(prefix,16) encoder=[1,(-pow(prefix,sk,pp)) %pp] prefix = long_to_bytes(prefix).rjust(64, b'\x00') ml=[1] for i in range(len(Enc2)): ml.append((ml[-1]*encoder[-1]+Enc2[i]*(-1)**(i+1))%pp) r=-ml[-1]%pp dd = h2(prefix + long_to_bytes(r).rjust(64, b'\x00')) | 1 DD*=dd d=libnum.invmod(dd,pp-1) tmp=E_*V_%pp xx=pow(tmp,d,pp) m=c*libnum.invmod(xx,pp)%pp io.send(hex(m)[2:]) io.recvuntil('You are a clever boy! Now I can share you some other information!\n0x') mul=int(io.recvuntil('\n')[:-2],16) ic(DD) ic(mul) #3 io.recvuntil('choice>') io.sendline('3') cc=int(io.recvuntil('L, ')[1:-3]) cipher=[cc] cipher+=eval(io.recvuntil(')\n')[:-2].decode().replace('L','')) ic(cipher) 

solve-step2

  1 2 3 4 5 6 7 8 9 10 11 12  from gmpy2 import * io=0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3 D=15987058835088036058838351739905403758810826722245822649290306549906899936826738229650730140126509371862930340608846190807298868677166971678478129606238898364288362139315516922003581996769819030117310508402522153899137933429897987557331966070437119010259514160059698255241259153692392463260794449949596746727 mul=7194716155235037744823597029059822446255314248196377746260315999958188811928743123657567494196521690514320209430663462342437059567384744437239548754416135 c=mul*libnum.invmod(D,io)%io e=4 R. = Zmod(io)[] f = x ^ e- c f = f.monic() res1 = f.roots() print(res1) 

solve-step3

  1 2 3 4 5 6 7 8 9 10  from Crypto.Util.number import * from gmpy2 import * pp=0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3 sk=3415391405045794570454819264678842883406589094879440924771251075986414212665514615692960890299627279215019657097231396800926908716766924569917256830117771 cipher=[1452085683981538837849557434841689674477096081702343000869186835544808468459192026693029532721465657214194362000756249662047209552808256166535501585736401, 9299317806552199012103361766715291248186887467752322286719294121971787657296205598139365760833959784768412272593061318430853065277862724140493914797711689, 9287316455075844376168558534606543590293095721271733423230961724912040658757071778242087450272981713664977773510705690081763692753388091475741636185572383, 229110517869350912236518454062717456777603700368163296438479618211042488031942897036793380693680124455343059560507824269299022538059530971380675264277197] c,E,V,s=cipher xx=E*V%pp m=c*libnum.invmod(pow(xx,sk,pp),pp)%pp print(long_to_bytes(m)) #flag{504d0411-6707-469b-be31-9868200aca95} 

## 蓝帽ber final

https://github.com/ljahum/crypto-challenges/tree/main/%E8%93%9D%E7%8C%AB2021/final/twoBytes

### twobyte

#### solve

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97  from subprocess import run from Crypto.Util.number import long_to_bytes from icecream import * from pwn import * import re from pwnlib.util.iters import pad def b2s(s): if(type(s)==str): return s else: return s.decode() def CatNum(txt): txt = b2s(txt) matchObj = re.findall(r'[0-9]+', txt) return matchObj def dec(n): print(io.recvuntil('Your choice: ')) io.sendline('1') print(io.recvuntil('Your cipher: ')) io.sendline(str(n)) return io.recvline()[:-1] def bigger(mid,c): # tmp1 = pow(mid,e,n) # ic(tmp1) tmp = (c*pow(mid,e,n))%n print(tmp) # ic(padding) m = dec(tmp) ic(m) if(m!=b'0000'): return True else: return False io=remote('0.0.0.0',10001) # print(io.recv(1024)) io.recvuntil('PKCS1_v1_6?(y/n)') io.sendline('n') e = int(CatNum(io.recvline())[0]) n = int(CatNum(io.recvline())[0]) c = int(CatNum(io.recvline())[0]) ic(e,c,n) '''估算padding范围 padding = 1 h = 0 for i in range(512): tmp1 = pow(padding,e,n) ic(tmp1) tmp = (c*tmp1)%n print(tmp) ic(padding) m = dec(tmp) ic(m,i) if(m!=b'0000'): h=i input() break padding *= 2 ''' # pad=240~260 pl = 2**200 ph = 2**496 mid= (pl+ph)//2 input() for i in range(512): # tmp = m*mid # ic(tmp-n) if(bigger(mid,c)==True): ph=mid-1 mid = (mid+pl)//2 else: pl=mid+1 mid =(mid+ph)//2 # print(mid) # input() ic(mid) n=2**496 s =n//mid secret = long_to_bytes(s) ic(secret) ic(secret.hex()) print(io.recvuntil('Your choice: ')) io.sendline('2') io.sendline(secret.hex()) sleep(0.5) print(io.recv(1024)) 
 1 2 3 4 5  b'Your choice: ' b"You know my secret? (in hex): b'flag{ba1f2511fc30423bdbb183fe33f3dd0f}'\n" [*] Closed connection to 0.0.0.0 port 10001   /mnt/c/U/16953/Desktop/twoBytes took  11s at  11:38:42 AM ❯ 

## document for 5th space2021

### ECC

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64  print 'Try to solve the 3 ECC' from secret import flag from Crypto.Util.number import * assert(flag[:5]=='flag{') flag = flag[5:-1] num1 = bytes_to_long(flag[:7]) num2 = bytes_to_long(flag[7:14]) num3 = bytes_to_long(flag[14:]) def ECC1(num): p = 146808027458411567 A = 46056180 B = 2316783294673 E = EllipticCurve(GF(p),[A,B]) P = E.random_point() Q = num*P print E print 'P:',P print 'Q:',Q def ECC2(num): p = 1256438680873352167711863680253958927079458741172412327087203 #import random #A = random.randrange(389718923781273978681723687163812) #B = random.randrange(816378675675716537126387613131232121431231) A = 377999945830334462584412960368612 B = 604811648267717218711247799143415167229480 E = EllipticCurve(GF(p),[A,B]) P = E.random_point() Q = num*P print E print 'P:',P print 'Q:',Q factors, exponents = zip(*factor(E.order())) primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1] print primes dlogs = [] for fac in primes: t = int(int(P.order()) / int(fac)) dlog = discrete_log(t*Q,t*P,operation="+") dlogs += [dlog] print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order print num print crt(dlogs,primes) def ECC3(num): p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07 B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2 E = EllipticCurve(GF(p),[A,B]) P = E.random_point() Q = num*P print E print 'P:',P print 'Q:',Q ECC1(num1) print '==============' ECC2(num2) print '==============' ECC3(num3) 

### stage1

 1 2 3 4 5 6 7 8 9  p = 146808027458411567 A = 46056180 B = 2316783294673 E = EllipticCurve(GF(p),[A,B]) P = E(119851377153561800,50725039619018388) Q = E(22306318711744209, 111808951703508717) n = discrete_log(Q, P, operation='+') print(n) # 13566003730592612 

### stage2

refer：

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39  p = 1256438680873352167711863680253958927079458741172412327087203 a = 377999945830334462584412960368612 b = 604811648267717218711247799143415167229480 gx = 550637390822762334900354060650869238926454800955557622817950 gy = 700751312208881169841494663466728684704743091638451132521079 px = 1152079922659509908913443110457333432642379532625238229329830 py = 819973744403969324837069647827669815566569448190043645544592 E = EllipticCurve(GF(p), [a, b]) G = E(gx, gy) n = E.order() QA = E(px, py) factors = list(factor(n)) m = 1 moduli = [] remainders = [] print(f"[+] Running Pohlig Hellman") print(factors) for i, j in factors: if i > 10**9: print(i) break mod = i**j g2 = G*(n//mod) q2 = QA*(n//mod) r = discrete_log(q2, g2, operation='+') remainders.append(r) moduli.append(mod) m *= mod r = crt(remainders, moduli) print(r) # 16093767336603949 # 9-2521- 

### stage3

E.order() = p的时候 可以用一个叫做SMART攻击的操作

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36  p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07 B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2 E = EllipticCurve(GF(p),[A,B]) P = E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610) Q = E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537) def SmartAttack(P,Q,p): E = P.curve() Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ]) P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True) for P_Qp in P_Qps: if GF(p)(P_Qp.xy()[1]) == P.xy()[1]: break Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True) for Q_Qp in Q_Qps: if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]: break p_times_P = p*P_Qp p_times_Q = p*Q_Qp x_P,y_P = p_times_P.xy() x_Q,y_Q = p_times_Q.xy() phi_P = -(x_P/y_P) phi_Q = -(x_Q/y_Q) k = phi_Q/phi_P return ZZ(k) r = SmartAttack(P, Q, p) print(r) # 19597596255129283097357413993866074145935170485891892 # 4a81-9957-8c3381622434 

## Document for 东华ber2021

py大赛 诸神黄昏，依旧是抽一中午午休记一下题

### Thersa

src

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85  from Crypto.Util.number import* from hashlib import sha256 import socketserver import signal import string import random from secret import flag table = string.ascii_letters+string.digits flag = bytes_to_long(flag) MENU = br'''[+] 1.Get Encrypt: [+] 2.Exit: ''' class Task(socketserver.BaseRequestHandler): def _recvall(self): BUFF_SIZE = 2048 data = b'' while True: part = self.request.recv(BUFF_SIZE) data += part if len(part) < BUFF_SIZE: break return data.strip() def send(self, msg, newline=True): try: if newline: msg += b'\n' self.request.sendall(msg) except: pass def recv(self, prompt=b'[-] '): self.send(prompt, newline=False) return self._recvall() def proof_of_work(self): proof = (''.join([random.choice(table)for _ in range(20)])).encode() sha = sha256( proof ).hexdigest().encode() self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha ) XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :') if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha: return False return True def EncRy(self): p,q = getPrime(512),getPrime(512) n = p * q phi = (p - 1) * (q - 1) e = inverse(self.d, phi) c = pow(flag, e, n) return(e,n,c) def handle(self): signal.alarm(60) if not self.proof_of_work(): return self.send(b"Welcome to my RSA!") self.d = getPrime(random.randint(435, 436)) while 1: self.send(MENU) self.send(b"Now!What do you want to do?") option = self.recv() if option == b'1': self.send(str(self.EncRy()).encode()) else: break self.request.close() class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer): pass if __name__ == "__main__": HOST, PORT = '0.0.0.0', 10004 print("HOST:POST " + HOST+":" + str(PORT)) server = ForkedServer((HOST, PORT), Task) server.allow_reuse_address = True server.serve_forever() 

refer：

##### solve
  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37  #sagemath from Crypto.Util.number import * from gmpy2 import iroot e1,n1,c1=(42930516866813661342965746223080520747639541783178165319930798466029922118238472375394025163017796792784301240279788973937514266651107411418409008126879890591634663600650622272276047586523991529128830751549916767006347857754606279093837920255744001556692088644997689518547315534397835105708024032114104233381, 77791057667316752688491344909349631143733665781985333450578141862483326292146944912417154290062439390262044781769179125790833684914883275144238169619259170245799297149721759503884049470266984858779855785527134093827380541390671671421065142834758715718012985245418556303458870683285396736465075774918756943849, 27391282824232696321494182390733866553767929957526280387298565758936575846502788790274502139115326807546265156509536800727262991966913839267428385697513824611497066201158201419561518562486879276509945503450941372856450148181065616319630297566761526958666976256485612007573889257294374864202830099675167224618) e2,n2,c2=(19018427406275508266725318182604693048036959850117857989040747866263767206396699322550948080332092809132375761217132996919018670944100226583113345224541762253472497934634295339952030040768111601599444464038423922436192382234875739639531699502158126381323466372283051777517214602215819494796932567681821951661, 79650072081042322662491093415989067423342888043380140123956989961183485888095357404757819859263343837741065918473041502132392064045360290315160760995892876549211580451883428599900857896989098491504167023490425266678783550124590746460833416198860457961338080633882718390420924183342764921882749848062331837157, 47371054845953307458071281584547821822800567401012561479295024891414125620585367467768382853051493673297474227621983913977611690329004811247719468085248653560735761224575841708898687339051979667968682445741679494814049520035089826802489552786717808162007554429409373562206869161512981004103668781786261071642) e3,n3,c3=(56543738058355787650458463296434379628548490866377456720748305513368031407432713681493384526759984858874833739323541806113831186630548095096957902346105190080635673052132358289744367039154224900185478860894300958278206372821874050674031918453348499825234769506256225325221089605204424199863739802675837768205, 79745878045239534073349506401894614077391259818245570439963094062152853043757431813193065050329923218395626939202508409314449221246402655169069682907439636880572885333431797158404833511447487493689075229003167933950464179409482597295179818105362744282535280033320439360295379327350145598779754591726149053127, 8406272869509814810291187732784177513812310985481896410437026715571367365909106171597609902128681517191154832846694541582315046341089395251486352127008536629880180333790535980063006233315170237788757595367545197059456798192233574190206607791108247915315239293315856045620536743732064060419019383653017754432) e4,n4,c4=(7084543689346197121827870073257673792657047196994323608218552636377497641605010832530473677981880825830062575269956770329035892637961925305684535520357897676757195804280616332451896105146968442795337854851958165225390355543144975973394614878012047483478453541789213191489356453542050105788672267671186622349, 84193779290507365404703859402732143439109001210124769414375603074891153195964512465635919253078833439745459555371587096356222637979782540883867956964113419688015746698472168356238337484900265019835855499846392509934587316309130977694018626484013012355408173625138875013785514921191427955103949196185104270953, 57188209081624431651145335231083235968076151504975133709205719008833316979899965113559550632823577949531094733328627686996343950189156687337540064474041791342122016380351392782138752676861412964076387375179224936788921872659232295048921383561342206164767267043862968315447568792822076799329961025512641107246) e5,n5,c5=(42832642928335275352734567465034497040617823999922718556444541540637575945318881858516365030723712293566938969239323128990546490351954020139702168583195387467822779475617077682710213996418869245088581793014583647801408719774140042233362914483058594181044708264940880873371340427513033621237883600041744259821, 100914764703986796503524746926824107407478498950896766954709765945739896574588237451261683044947676026816706250675210414995572771552251740398776761522312876711308663303631592599847201703544166011694904414367791567937596616962437750298179607007543994344224571625128530174980427056520743554240699599606017732453, 21119798060505043638458066841637396779462197838711219768901795233508035124251444985142140372296435557972489164083922904128749582124708137219016012302886951596946166275929450048887248788479585841059063956921630092232393741155010454512377332292347344811575552765907485744387780176768333870372377008256136186807) e6,n6,c6=(92302858091592048530164341892874939881833483518095068563859833484262743798872223903571012516471302801063982503961657026303472815350321491051234131656128422061238653211376015684800612577226731646341043305151595034538237258802687294046312571159904343739248977644957644677771388548256577367489970379574172464797, 117679207537303828303181692131284163456980142622326819854887578740836701695007074712199364783113450072522001526705110176578644797269399966145551464701075583136732122232247312391436901027876012971338176518412247421456590394727819899354372288058334724615114926953982773216858342784870874502568283116049857599697, 694728970163274338952272545132120395722399912878027385515433411574332882874655233664187165540396449753083157039600465154030742189987900065124001404191085619372639241055402339355981737758090185934672051842827196968679043511560501886410676350912217561099905662581686696249610217183042166978654689061472935255) e7,n7,c7=(107958832210740007280315466139290077026935359625782760172740000594364460869128124940009236566874443252250812468875065019322671201219651761405497245501179554045401769228061173131905805679002507830926816675819378142336365243119257538909791638758850962854709130774816448647965771903108760260693930942445832581613, 124514631670412396955583333186310036282392256402221528788219590875160132086163249366732298557562280446982290995056571347900001555142302304165284003543211879382117786568833925378625035366897845326134848510307881296792070242801270087606140027163068970890264029919788362871312210162525628755395528824620664275981, 122802204066940916090785459557228909264312462241661083272739613123469038467287559936112649653314041478655145859464338716094314561339632033669065696677349425900229495594900454878607113262204411164149182327233978867883052370242620750529133958835635598563284037235210030872798337887481034016325891031269539006959) e8,n8,c8=(93032879096884833976354856506992993862316449685244948137669996162571278621479404733170084750947866321488473290655001676203288675188640293830346141700535957251408373865922564197265494466697836691672035371673758770683433485891640334014710181418750508413205768593981082149070901287189919968858883490943111987181, 126814261604881133528727989048158217150888497288150533655112145843950045425282139821602599229665745129453799945609742281626549287640177663087578340721569938344685390347348772958990014616194819409373556039354672378457009008450988307789399181204535224407248419395946571885338535639198634359608298711433536942733, 95330490027741440826424434337219961367405797139516869535055648011514837588374299753114991801669135223731470401046346436845011624597842223950760050976711965720535288001750040424144530196787933771814541562581236974965361143703635725068380670591839954283253531181890717506164459934317393787888216914582168459996) sqrn8=iroot(n8,2)[0] M=[ [sqrn8,e1,e2,e3,e4,e5,e6,e7,e8], [0,-n1,0,0,0,0,0,0,0], [0,0,-n2,0,0,0,0,0,0], [0,0,0,-n3,0,0,0,0,0], [0,0,0,0,-n4,0,0,0,0], [0,0,0,0,0,-n5,0,0,0], [0,0,0,0,0,0,-n6,0,0], [0,0,0,0,0,0,0,-n7,0], [0,0,0,0,0,0,0,0,-n8] ] M=matrix(ZZ,M) M=M.LLL() if M[0][0]<0: M=-M d,t1=M[0][0]//sqrn8,M[0][1] k1=(d*e1-t1)//n1 s1=(t1-1)//k1-1 var('x') F=x^2-s1*x+n1 p,q=F.roots()[0][0],F.roots()[1][0] p,q=abs(p),abs(q) d=inverse_mod(Integer(e1),(Integer(p)-1)*(Integer(q)-1)) print(long_to_bytes(pow(c1,d,n1))) #b'flag{338f4482-4f11-496c-a0d7-b06df53f79c5}' 

### BlockEncrypt

src

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97  from Crypto.Util.number import* from Crypto.Cipher import AES from secret import flag from my_encrypt import block_encrypt from hashlib import sha256 import socketserver import signal import string import random import os table = string.ascii_letters+string.digits MENU = br'''[+] 1.Encrypt the Flag: [+] 2.Encrypt your Plaintext: [+] 3.Exit: ''' def pad(m): padlen = 16 - len(m) % 16 return m + padlen * bytes([padlen]) def xor(msg1,msg2): assert len(msg1)==len(msg2) return long_to_bytes(bytes_to_long(msg1)^bytes_to_long(msg2)) class Task(socketserver.BaseRequestHandler): def _recvall(self): BUFF_SIZE = 2048 data = b'' while True: part = self.request.recv(BUFF_SIZE) data += part if len(part) < BUFF_SIZE: break return data.strip() def send(self, msg, newline=True): try: if newline: msg += b'\n' self.request.sendall(msg) except: pass def recv(self, prompt=b'[-] '): self.send(prompt, newline=False) return self._recvall() def proof_of_work(self): proof = (''.join([random.choice(table)for _ in range(20)])).encode() sha = sha256( proof ).hexdigest().encode() self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha ) XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :') if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha: return False return True def enc_msg(self,msg): return block_encrypt(pad(msg),self.key,self.ivv) def handle(self): signal.alarm(50) if not self.proof_of_work(): return self.ivv = os.urandom(16) self.key = os.urandom(16) while 1: self.send(MENU,newline = False) option = self.recv() if (option == b'1'): self.send(b"My Encrypted flag is:") self.send(self.enc_msg(flag)) elif option == b'2': self.send(b"Give me Your Plain & I'll give you the Cipher.") plaintext = self.recv() self.send(b'PlainText:' + plaintext + b'\nCipherText:' + self.enc_msg(plaintext)) else: break self.send(b"\n[.]Down the Connection.") self.request.close() class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer): pass if __name__ == "__main__": HOST, PORT = '0.0.0.0', 10004 print("HOST:POST " + HOST+":" + str(PORT)) server = ForkedServer((HOST, PORT), Task) server.allow_reuse_address = True server.serve_forever() 

api my_encrypt.py

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168  from Crypto.Util.number import * Sbox = ( 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16, ) InvSbox = ( 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D, ) xc = lambda a: (((a << 1) ^ 0x1B) & 0xFF) if (a & 0x80) else (a << 1) R = ( 0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39, ) def t2m(text): text = bytes_to_long(text) matrix = [] for i in range(16): byte = (text >> (8 * (15 - i))) & 0xFF if i % 4 == 0: matrix.append([byte]) else: matrix[i // 4].append(byte) return matrix def m2t(matrix): text = 0 for i in range(4): for j in range(4): text |= (matrix[i][j] << (120 - 8 * (4 * i + j))) return long_to_bytes(text) class myAES: def __init__(self, MasterKey): self.ChangeKey(MasterKey) def ChangeKey(self, MasterKey): self.RoundKeys = t2m(MasterKey) # print self.RoundKeys for i in range(4, 4 * 11): self.RoundKeys.append([]) if i % 4 == 0: byte = self.RoundKeys[i - 4][0] \ ^ Sbox[self.RoundKeys[i - 1][1]] \ ^ R[i // 4] self.RoundKeys[i].append(byte) for j in range(1, 4): byte = self.RoundKeys[i - 4][j] \ ^ Sbox[self.RoundKeys[i - 1][(j + 1) % 4]] self.RoundKeys[i].append(byte) else: for j in range(4): byte = self.RoundKeys[i - 4][j] \ ^ self.RoundKeys[i - 1][j] self.RoundKeys[i].append(byte) # print self.RoundKeys def encrypt(self, plaintext): self.plain_state = t2m(plaintext) self.__add_round_key(self.plain_state, self.RoundKeys[:4]) for i in range(1, 10): self.__round_encrypt(self.plain_state, self.RoundKeys[4 * i : 4 * (i + 1)]) self.__sub_bytes(self.plain_state) self.__shift_rows(self.plain_state) self.__sub_bytes(self.plain_state) self.__add_round_key(self.plain_state, self.RoundKeys[40:]) return m2t(self.plain_state) def __add_round_key(self, s, k): for i in range(4): for j in range(4): s[i][j] ^= k[i][j] def __round_encrypt(self, state_matrix, key_matrix): self.__sub_bytes(state_matrix) self.__shift_rows(state_matrix) self.__mix_columns(state_matrix) self.__add_round_key(state_matrix, key_matrix) def __sub_bytes(self, s): for i in range(4): for j in range(4): s[i][j] = Sbox[s[i][j]] def __shift_rows(self, s): s[0][1], s[1][1], s[2][1], s[3][1] = s[1][1], s[2][1], s[3][1], s[0][1] s[0][2], s[1][2], s[2][2], s[3][2] = s[2][2], s[3][2], s[0][2], s[1][2] s[0][3], s[1][3], s[2][3], s[3][3] = s[3][3], s[0][3], s[1][3], s[2][3] def __mix_single_column(self, a): # please see Sec 4.1.2 in The Design of Rijndael t = a[0] ^ a[1] ^ a[2] ^ a[3] u = a[0] a[0] ^= t ^ xc(a[0] ^ a[1]) a[1] ^= t ^ xc(a[1] ^ a[2]) a[2] ^= t ^ xc(a[2] ^ a[3]) a[3] ^= t ^ xc(a[3] ^ u) def __mix_columns(self, s): for i in range(4): self.__mix_single_column(s[i]) def xor(a,b): assert len(a) == len(b) tmp = [] for i in range(len(a)): tmp.append(a[i]^b[i]) return bytes(tmp) def exchange_plain(plaintext): new_plain = [] for i in plaintext: new_plain.append(i<<1) new_plain = bytes(new_plain) return new_plain def block_encrypt(plaintext,key,iv): aes = myAES(key) block = len(plaintext)//16 new_plain = exchange_plain(plaintext) cipher = b'' for i in range(block): iv = aes.encrypt(iv) cipher += xor(iv,new_plain[16*i:16*i+16]) return cipher 

OFB

CFB

##### solve
  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58  from pwn import * from Crypto.Util.number import * from hashlib import sha256 import string from pwnlib.util.iters import mbruteforce table = string.ascii_letters+string.digits def pow(): io.recvuntil("XXXX+") suffix = io.recv(16).decode("utf8") io.recvuntil("== ") cipher = io.recvline().strip().decode("utf8") proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() == cipher, table, length=4, method='fixed') io.sendlineafter("XXXX :", proof) def pad(m): padlen = 16 - len(m) % 16 return m + padlen * bytes([padlen]) def enc(plaintext): print(io.recvuntil(b'[-]').decode()) io.sendline(b"2") print(io.recvuntil(b'[-] ').decode()) io.sendline(plaintext) io.recvuntil(b"CipherText:") c = io.recvuntil(b'[+]')[:-4] return c def xor(msg1,msg2): assert len(msg1)==len(msg2) return long_to_bytes(bytes_to_long(msg1)^bytes_to_long(msg2)) if __name__ == "__main__": io = remote("127.0.0.1",10004) pow() print(io.recvuntil(b'[-] ').decode()) io.sendline(b"1") print(io.recvuntil(b"My Encrypted flag is:").decode()) c = io.recvuntil(b'[+]')[1:-4] cipherlen = len(c) - 1 fakeplain = cipherlen * b'\x01' blocksize = cipherlen//16 newcipher = enc(fakeplain) fakeplain = pad(fakeplain) new_plain = [] for i in fakeplain: new_plain.append((i)<<1) new_plain = bytes(new_plain) s = (xor(new_plain,newcipher[:])) fakeplain2 = (xor(s,c)) new_plain = [] for i in fakeplain2: new_plain.append((i)>>1) new_plain = bytes(new_plain) print(new_plain) 

### MyCryptoSystem

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167  from Crypto.Util.number import* import random from secret import flag from hashlib import sha256 import socketserver import signal import string def trans_flag(flag): new_flag = [] for i in range(6): new_flag.append(bytes_to_long(flag[i*7:i*7+7])) return new_flag kbits = 1024 table = string.ascii_letters+string.digits flag = trans_flag(flag) def Setup(kbits): p_bit = kbits//2 q_bit = kbits - p_bit while 1: p = getPrime(p_bit) p_tmp = (p-1)//2 if isPrime(p_tmp): break while 1: q = getPrime(q_bit) q_tmp = (q-1)//2 if isPrime(q_tmp): break N = p*q while 1: g = random.randrange(N*N) if (pow(g,p_tmp * q_tmp,N*N) - 1)%N == 0 and (pow(g,p_tmp * q_tmp,N*N) - 1)//N >= 1 and (pow(g,p_tmp * q_tmp,N*N) - 1)//N <= N - 1: break public = (N,g) return public,p def KeyGen(public): N,g = public a = random.randrange(N*N) h = pow(g,a,N*N) pk = h sk = a return pk,sk def Encrypt(public,pk,m): N,g = public r = random.randrange(N*N) A = pow(g,r,N*N) B = (pow(pk,r,N*N) * (1 + m * N)) % (N * N) return A,B def Add(public,dataCipher1,dataCipher2): N = public[0] A1,B1 = dataCipher1 A2,B2 = dataCipher2 A = (A1*A2)%(N*N) B = (B1*B2)%(N*N) return (A,B) def hint(p): _p = getPrime(2048) _q = getPrime(2048) n = _p*_q e = 0x10001 s = getPrime(300) tmp = (160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 +1) phi = (_p-1)*(_q-1) d = inverse(e,phi) k = (_p-s)*d enc = pow(p,e,n) return (tmp,k,enc,n) class Task(socketserver.BaseRequestHandler): def _recvall(self): BUFF_SIZE = 2048 data = b'' while True: part = self.request.recv(BUFF_SIZE) data += part if len(part) < BUFF_SIZE: break return data.strip() def send(self, msg, newline=True): try: if newline: msg += b'\n' self.request.sendall(msg) except: pass def recv(self, prompt=b'SERVER : '): self.send(prompt, newline=False) return self._recvall() def proof_of_work(self): proof = (''.join([random.choice(table)for _ in range(20)])).encode() sha = sha256(proof).hexdigest().encode() self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha ) XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :') if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha: return False return True def handle(self): proof = self.proof_of_work() if not proof: self.request.close() public,p = Setup(kbits) signal.alarm(60) pk = [] for i in range(6): pki,ski = KeyGen(public) pk.append(pki) msg = [123,456,789,123,456,789] CipherPair = [] for i in range(len(pk)): TMP = Encrypt(public,pk[i],msg[i]) CipherPair.append(((TMP),pk[i])) CipherDate = [] for i in range(len(pk)): CipherDate.append(Add(public,Encrypt(public,pk[i],flag[i]),CipherPair[i][0])) self.send(b'What do you want to get?\n[1]pk_list\n[2]public_parameters\n[3]hint_for_p\n[4]EncRypt_Flag\n[5]exit') while 1: option = self.recv() if option == b'1': self.send(b"[~]My pk_list is:") self.send(str(pk).encode()) elif option == b'2': self.send(b"[~]My public_parameters is") self.send(str(public).encode()) elif option == b'3': self.send(b"[~]My hint for p is") self.send(str(hint(p)).encode()) elif option == b'4': self.send(b'[~]What you want is the flag!') self.send(str(CipherDate).encode()) else: break self.request.close() class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer): pass if __name__ == "__main__": HOST, PORT = '0.0.0.0', 10004 print("HOST:POST " + HOST+":" + str(PORT)) server = ForkedServer((HOST, PORT), Task) server.allow_reuse_address = True server.serve_forever() 

Refer：

##### solve
  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73  from Crypto.Util.number import * pk = [ 9903345546233406345274390216048265052622725595643911382459514293327907995763783433147838863218937316798528321748709369866569364258411991106643258574989572698239199587284255395798614346448471824851838611865337708256660691836153845389605039594319342717738584309592542607252862142218328138475660803285763968213588394528744053027073152049126506763299065229583353619501424333169829170062395149103651329694449221315641100954836434060049710046515370320763518422757259232374856682888632529561315692561552616649850830047862626833700857587886906774837245010908976175065773850953572418920037258016988361625314499467080329947834, 4657987514327931382586065476207522772971258290989872695879544239943902837884205892985114988879105147508471426477725785278489578603238865417098282642677702682558515261983265111905752045094339807685437631424315910160691213278435428566562930439156460282707569924593158395598671318460018264391187530476992919637306573650359751555942532258246978276100316266002757890715569420913869805217560217134510519346377418614486773028307378572957516734818473041775035754849881665094508458497419054187487268190726118233936603633638471145845999136306136647043157332984411178327008942140608992928610672350874409133847619495978691003983, 7152622146034039999102209659831462740324099991262599130951339134800860469219385611290178799376661722659467449321426175020317292072406471009110088250342445514154276439873731324377138630287652938447079493334481729733399579524933508791782450534231737861241986084043058279901605377263189163625776405289654862504323255599291057684909554237875294477643638400289810490222526085038484864459087125794097728967487662164428457600296095735630725252693027342870722549061819169935860921269104894144054734690002817578317664544134682313233240526480877455943937633095468303194749422586696801627436494347930469704062764072900721232548, 7109779273286288048422281478804269058000170220987326969272411328526909689353334022202761918717633450003773894926300727763953889207715377450335730309751197006520012868095728483075579533219462901668068782447412894870775590238751905671507645068125478347626639590964901574834959983618787306511470121467436989932815779239653115530532446769723177935466135060247074247928491194578344816554353261469294754488631361381078861128074887053925809483235131348049560238616364665057176559180859329509474653282715138146826654691223610824931487517489362866512293278790312452574896436150893275394629547641444721163364866744442609573336, 7013605482466599504215631908713721046317718409278569099893184473489373835086487268247053290346460889649268221380299871646123742986014194382973645546664516341392101622320165115690109134132599946593167293726028899310932600936819760645652261283663993530694302054668286992858073658208217032520244670566118947000884035935625925585375773268470663092328626392488631056760673984746371429897537785286259074077658212766702133795429225879795772702881120673021514373788313589716773325607907621831363437568961397189016495389255827603389591886876630344786847409531508107276526897772978948736479662903818836257353212222762336597842, 4806721251332604936583783100910738385093145269860713974606137000339320309313718310646996553451884286724915427107907524634556622320710583584822842418207893426969244662819580085418538670391877263926570368207843244161385729568080850388644996006667177570562488502257438937466251161234759102309530753153103743200173924429409773543762996308591888655566867525229785743476821619151400424309747726050575041627943897750153111818448811385038416912000573298056564339492261814303206364521764204436008885844987333383021967216866126804296346352232953195581868834806336897980493190883504556027965801104592918053461903544343499793148] pp = ( 116058145608385674276672702733893672956917357809340972538570485852695265863484647565483969096692688010826897645583250179342948573711209724577479990992353280882942137887382013678270315267433526273541196683333653359064888776962783810251136593744944176853011420616507243827538789682910216231628628642669601620197, 1323504804693605855191327443760086345281649229726269111925168787721095025354939523351093646120270955977932471982770625541648435290075746193431150770845139326096348863253122005228642568047448855041631516254485716898369011414099219540232164217042223770732057949218835774974444493789502265425791610604673305652047727570396368311258661773456561780033017199975954989495183950216887552362300470021672023164588797459958072321188375419124464113413271301788579119298216918506641731413551008233009777669881314925772595092716344426679130709454192219868031884699258375512868095144714176573965706489293593500326194562659653969458) hint = ( 3304509274524412540171264358124119088833800976282457766193314963305873033161330887473610701496331727440513718090072303043520886293193462950873554113640228240224124433475441227891344247665419958809785016703063382485354461032693344779418991821542568461754389960108428352247981608899460343162110878318981398514231521555009134803445563830931241367613010673484820004826742929263786069863767135614670210943375086531462135790577385826251711826956133897596282243, 18673552355026493682367993197594041685105912554496204006071318337433750748484198918999006603609070236946794406646857929858271667161159821948643461587573309938436022907905563675893493544137760269437082632764159499720652999895637785568626919233056222688894682434212287149137672927486675552931963662505820165969260332655913416992181107410361559298420835898842186213690962374197086970672645328840383254461784517784780864111625152257285743741377246185357414383169045966336855033328995108673937471012241768717137091699706888762787881023600876751379445077298974464957282953933633278819938276469242913645327826899280730378510831893678633686326067596094217688170054369461965105625780401612104533404625397536763720217428564215968405635508712008844542236283094192295732557282230905545840906632840009978007258478459365608215939033972105748737935689371789627988971740974016203717802975023788606268882962377491740960659808878888064715022917962036921078185337788188828827560750328462479969002281238743276353625438159553170772284740537095985838278172254013674247239470266176189688697125522141751881011405920598024214587381076120444370591846992414608682429746316750727122762979926721420808841162691202812455865023677898835926775902048207423004038897059826740331422462081975344727266724533279470011913633242411494155377901129954948980432938310133971389286531625924644619420043095791394754413875398146297583377962248627741212161303069981941569866944074879499723223751021923981415814664672164190239644127148353124450639473123151046004159881650568067549888897471830276776633029695063826990630398201263925250452965401918712445937288291276956166559477365872979519731483611497593803953363019529897948397338298832801417548743615088306206142876669755008937934689940302481383802561001644113621155496827135409662730409037898943078891337579488375518035794171905834626304322444694, 539377906599424907526632843166406186887994388288395247025677144511569324590324166349932358956945530482435011767601209547968477063774490960749034860906510588252104413420941733125967525475043221168756505292522601577057218771125772685733296338522363178984864495675414130791619818890366370557675326005258390297594292831359088537078656773489065102417473480178237120474398129190736614740095486323803477825764714579797487965970125462158351531803287630303556152941144529035877182222332859272963419562743124506553238333107168737543087680258179370723432262945716883858929178735267308369044505783745182741491958523354179513018857096826520453169699127158441377257448188678204993164831215068755599442400473937072589097943431330269080643575456825957862621837176273757555174664101928305295704140917190943907845610548594061039034810294061809981907459259888820996892671481897701236041260611950043463091395858960542584227353654109383849840291308218862529006542917504664716472128390359084763925098770711610788290622962907016008535400120027033905191127470206070423441540259944787758643369312060605925413027755134600754634776476816867075412026307691016441255799159826836710912465972283668124709418672925573497481469507767821018983331413830308225249670213, 771303616051246597362775631900799039403496855240545309388039239713515343324730245355385505175052264662225716867664932661179695239976689945202466354113882887785256123500397817446363928952385349720106805723398880158118530637817328419529810918253166105130572407675868533684722690701263027695057884781572005203710380389492337464706322197156332747141737567696942141557244601594450697569317561198633787265360908016943129048658517482780709873483395196165037089762085272676446233125576546801464300403172738727818739368290767604363354842370759828029956787539488976004277286939183192793995718557020159731981638723547110532088324527518198313950639459543804840939790334808699633063597436840087738271170775240338399829681169080915374347348793605099404690101311868508864356243014172245954247143538079675646203655046049549064125322505821306915855626027754226417532505315799505040998439588290594143118470042253509832524845224911601112190904726230912309817509408264025187673852524716993402306088622806621715736676790401579697069312650629611634465456687035568440558258548547180371086392877863527742881461641884074483579391836421145981167932451527973965904138695962954324595990655760219255358121458470950021891974378425618763709685740211924807012197107) enc = [( 2370749863764972469554987128423083132152741020419238456792199956271338793369703079791129095737616003377516787283096306824061503011677428843457108641844447745003806414353879288703818779487783955229942181920152588250200669054504452218107095850722768505991162394104886525200011421355381962826397885692150120244491531539377531866284584252422892309748011247515811550244392155248279678705299157537079588584781118082321447337527598026964754363320992168148072800954886229060629354492679636656754286873086972322060862979794720152370297379178231399705112629407022082772459000129648242752712149593022848240307229599933472326639, 10629950550426941565735942536153612126197075426453505801699488530948416427388341145614894540703007927177589576195791501426919155687969896393612899952331105630117997308653329395856690066181874393591881894453952869877799692000865157650370029152823033681542597277374455515630326185288969181207049278972424924124917280845385999799481752211943822401232496627640731964698440335637339531240277243009697942776518858825759945763928468912578631650445582450477310960248021693355312415701840017992455266308763927053090663891585787512051382596977251121622452266044626384323834901483016613229807405392686302206337745279574799725645), ( 8542751637884684025319786450527032227009617479414394231919844939217652338788161470233642473581019170622701720476025009092989013870995959272934965586486840055645006446711683509118553167874426553788648476906001713844361905026951473754320948536863270405442355445689090656080870055731787592798342434870295612231106938988844575221665180789028833163353823895142662603464032381483430210539747595577423739584974097527545540375158029450966706494122549444092584635666880572007044982041658609028110690639268383842637227465891773307663549588908675683344647203385483408274703330184009244117626337442195205480475459017506908378382, 2085464782488608613105478863522869688839446373807422195811803331689394753034371063243583106866586343146531749675569189096780488423721634377236415215284877254947163786418624603900665408073101524722245655198842608618980378770280851746286699343613279939871217219082251933210754404379200901319663736745457626874556188300478654812086483681270689360875895659386846755725802972602048228910282786705793739781283712745503244516889112081931069096299064296710777871729670616642875966694256394184177030901697579198250012643883583860976015695050327069588050903408271139834868592068346344594302367420008530215145642134089913952557), ( 543379651794527156062094782615415987126871620097692229765839746265851208613317355119559668303271787419759988860329095755697435256473567826557245034346459936922682845797773645705160147104133662578144309856704479439289163136941011188877597285072682519886521870892631481613475471998069980876386882958669921110348676779465364405081731380722964576478311374454355160040908216697066270729949487583602342578399647457482050413820300137877454944632271598565235769295077747277719043188373569056439162575396512455806377433545271124528925620470920962892894249748487897779327141712239684724085201311734710383690195147053140764504, 9600165348259661124956404845736396858100519318389925868606888916984643985895386306780982368751778369806274791090833545087200109007614498245855188283074902307949807130479277113285297867794858711826951638363843607817932591111690370962454818512651391989642966123695165335863937606726713692914497273424773388437855020945354376617719527751214041931945111308814001172921038464366498230491013737383072831557104712383544399543012036163649490354003100371174810574006002644174234692655781715586368884960284084967731443156537638580405037295061504085273546300354900099908765784319131236423563368794213970198902823051776517828468), ( 12720343660076569556039596264810303540914689089267418571274368608634502718903963112327879610372603745751539474798195515336467050718375929419345733113911528358484167664963503186841785910027555371478552531495995844268225519704711001985099721356627657840167984002486330570582837406734000720783811150194191002449217705383562675444044945162334756814642251675950438968558499867686939667519299824614533209923956050684477257790445925094911660288187792056096062118083793213147868094394231992192383502108218624286840281922749640371120549106693515481691153295118333950838764473539401082016498358430567956598359917829161043821923, 4650323688588415339019928507804235509220831574748530492223503896814273549337012004014746825250262647080845945994043124954184595880222369378843745537963920765086225346591138786702843017155046291724096922328898328762663213011679875702138741764070774196464897663069143841855764208571026489169132412285776494336297720866132075198429444247196211613036311318314879852868477516679485900845328688901789016225902686170650744766395837690968708316279220636380532088975733777486547226356583429833361452246099636637189734339178241917792021598852161212173979461617456855465936599590284629977902176162000058610035695794065634100639), ( 10396423324897848835409665024677718748748275152542630135546271217978894933756975222671676528440868558146062940715117417453570039212594054647284966702987699660365789971324359154387594924406035801798108650969994651017387528389546784219757728821861009799685768626296589321049051322128571853402725165039936147958562122051637969655142188175452657583158785607562742670990899569674380956330989338377933120635140041105086765896268409172931140656723857868697634702294188534131288843222666037473712998513917783662683841747851217148640555307904431378526795971269753578248986461126093686958140302691940282614769028716224500465400, 10798504168395710787960812876356437285934683803323132830688595372752190494161652829029608445088132125185307268912072641282834290673164295328663953059468256952098951333672231933874502144395072869385220758235319321235155734059642693343763727507971442564909780155636668388696682838764136330992117816596893267196341561066485523081399699619635261170621994915700709742698285689917591029680117943213992352450943218840907244087863115086611479482597679053688944172466634936583338987025301834861645019455669785648445946091342899676952875789185642046350945969242055986671135076879652075682156184614411942863144182851932824842223), ( 6024146563091378683361400585005798994618396955430739256202274414470382614885386935565909835642987305321627688396325616582250978022048902486972239421247523958404794423154859667551329588342537025329667423441363580369169495567970964773693968820126919761419804174567010888728316915168649562127178777376355308064502139123147221947023574172487891669271681846950161748490575086030511122210151190204591379378553678990922119342011478603434071107786918375396663987961758147555293906382425151887060043190720507983485158382548174693081995619844700045348077449835099793967697120736717935383288578127456179213311919161151155174824, 4870502348403192237841744837214583690478227756212766589818598939047582028006298907136620265317438054467335452744116591470143951540556270271380332391795537714716300381577136060628725987549313679113315820130730138650199102902669460738279230412746309056896412027404174717090688033608047192772110096729558448093593198119502746076283713950634532742154889796648667924689635484547336377813437723995975643927939980093528839639771421922806898920769585362627963378567719717948703184928020874906392869582921471386283254630748177578173599118834216729254666298122543633678959357415931927763356558249437476070464496258411089399963)] l = 0 r = 1 << 300 while True: s = (l + r) // 2 x = (160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 + 1) - hint[0] if x > 0: r = s elif x < 0: l = s else: break _p = GCD(pow(2, hint[1] * 65537 + s - 1, hint[3]) - 1, hint[3]) _q = hint[3] // _p d = inverse(65537, (_p - 1) * (_q - 1)) p = pow(hint[2], d, hint[3]) n = pp[0] q = n // p k = (p - 1) * (q - 1) // 4 g = (pow(pp[1], k, n * n) - 1) // n msg = [123, 456, 789, 123, 456, 789] flag = b'' for i in range(6): y = (pow(pk[i], k, n * n) - 1) // n x = y * inverse(g, n) % n m = pow(enc[i][1], k, n * n) * pow(enc[i][0], -k * x, n * n) f = ((m - 1) // n * inverse(k, n) - msg[i]) % n flag += long_to_bytes(f) print(flag) 

### fermat’s revenge

 1 2 3 4 5 6 7 8 9  from Crypto.Util.number import * n = 17329555687339057933030881774167606066714011664369940819755094697939414110116183129515036417930928381309923593306884879686961969722610261114896200690291299753284120079351636102685226435454462581742248968732979816910255384339882675593423385529925794918175056364069416358095759362865710837992174966213332948216626442765218056059227797575954980861175262821459941222980957749720949816909119263643425681517545937122980872133309062049836920463547302193585676588711888598357927574729648088370609421283416559346827315399049239357814820660913395553316721927867556418628117971385375472454118148999848258824753064992040468588511 c = 2834445728359401954509180010018035151637121735110411504246937217024301211768483790406570069340718976013805438660602396212488675995602673107853878297024467687865600759709655334014269938893756460638324659859693599161639448736859952750381592192404889795107146077421499823006298655812398359841137631684363428490100792619658995661630533920917942659455792050032138051272224911869438429703875012535681896010735974555495618216882831524578648074539796556404193333636537331833807459066576022732553707927018332334884641370339471969967359580724737784159811992637384360752274204462169330081579501038904830207691558009918736480389 hint = 2528640120640884291705022551567142949735065756834488816429783990402901687493207894594113717734719036126087363828359113769238235697788243950392064194097056579105620723640796253143555383311882778423540515270957452851097267592400001145658904042191937942341842865936546187498072576943297002184798413336701918670376291021190387536660070933700475110660304652647893127663882847145502396993549034428649569475467365756381857116208029508389607872560487325166953770793357700419069480517845456083758105937644350450559733949764193599564499133714282286339445501435278957250603141596679797055178139335763901195697988437542180256184 p = GCD(hint-pow(1011, n, n), n) q = n//p d = inverse(65537, (p-1)*(q-1)) print(long_to_bytes(pow(c, d, n))) 

'flag{1d2f28834ecbd1983b62d30f4723476e}'

## 第二届美团ctf预赛romeo

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88  from Crypto.Util.number import* from Crypto.Cipher import AES from secret import msg,password,flag import socketserver import signal assert len(msg) == 32 assert len(password) == 8 def padding(msg): return msg + bytes([0 for i in range((16 - len(msg))%16)]) class Task(socketserver.BaseRequestHandler): def _recvall(self): BUFF_SIZE = 2048 data = b'' while True: part = self.request.recv(BUFF_SIZE) data += part if len(part) < BUFF_SIZE: break return data.strip() def send(self, msg, newline=True): try: if newline: msg += b'\n' self.request.sendall(msg) except: pass def recv(self): return self._recvall() def login(self): right_num = 0 while 1: self.send(b'[~]Please input your password:') str1 = self.recv().strip()[:8] print(str1) print(password) true_num = 0 for i in range(len(password)): if str1[i] != password[i]: login = False self.send(b'False!') break else: true_num = i + 1 if right_num > true_num: continue else: right_num = true_num if true_num == len(password): login = True check = b'' for i in range(0x2000): check = self.aes.encrypt(padding(check[:-1] + str1[:i+1])) if login == True: self.send(b"Login Success") return True,check[:16] return False def handle(self): signal.alarm(100) self.aes = AES.new(padding(password),AES.MODE_ECB) _,final_check = self.login() if _ == 1: 这个assert完全没有什么鸟用 # assert msg.decode() == final_check.hex() self.send(b'Good Morning Master!') self.send(flag) class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer): pass if __name__ == "__main__": HOST, PORT = '0.0.0.0', 10001 print("HOST:POST " + HOST+":" + str(PORT)) server = ForkedServer((HOST, PORT), Task) server.allow_reuse_address = True server.serve_forever() 

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34  from pwn import * from time import time import string #io = remote("127.0.0.1", 9999) io = remote("0.0.0.0", 10001) CHARSET = string.printable pre = "" for _ in range(8): print(_) t = 0 now = "" for i in CHARSET[:]: io.recvuntil(b":") print(pre + i + "0") io.sendline((pre + i + "0").encode()) start = time() # 等待 "False!" io.recvuntil(b"!") end = time() # 出现错误的时间大于上一次出现错误的时间 # 证明当前字符才对了，正确的序列又变长了一位 if (end - start) > t: now = i t = end - start print(end - start) print() print(t) #exit() pre = pre + now print(pre) io.interactive()