闲题杂记2

ljahum included in CTF

2021-11-14 4710 words 23 minutes

Contents

祥云ber secret_share

下午来推了一半就出去吃东西去了😘😘

看了wp发现只要几个步骤串起来其实不难的，可能是因为我只会炼丹吧。。。

基本加解密：

enc

$E = g^e\mod p,V=g^v\mod p\ s = v+e(h2(E||V))$

$c = m*pk^{e+v}\mod p$

r_enc:

$E_- = g^{e\times skI\times dd} , V_-=g^{v\times skI\times dd}$

$E = g^{e},V=g^{v}$

$c = m\times (EV)^{skI}\mod p =m\times (E_-V_-)^{inv(dd,p-1)}\mod p$

这里拿到dd就可以搞解密了，解dd的前提是吧encoder搞清楚

encoder当时没细看，其实变化写完了一看就很简单了

照着👴们的消元学习了

连续4次推得sk拿到随机出来的m可以得到

$mul={sk}^4\cdot dd_1\cdot dd_2\cdot dd_3\cdot dd_4%p$

$dd_i$是已知的,有些solve是域下开根

有些是神仙炫技直接韦达定理或者费玛大定理

拿到单独的sk后就可以搞事情了

EV都是已知，c也已知直接算就🆗了

solve-step1

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64


from Crypto.Util.number import *
from icecream import *
from hashlib import sha256
from gmpy2 import *
import libnum
from pwn import *
from libnum import *
def h2(m):
    return int(sha256(m).hexdigest(), 16)

io=remote('0.0.0.0',10001)


#1
io.recvuntil('choice>')
io.sendline('1')
io.recvuntil('Please take good care of it!\n')
pk_sk=io.recvuntil('\n')[:-1].decode()[2:-1].split('L,0x')
pk,sk=int(pk_sk[0],16),int(pk_sk[1],16)

#2
io.recvuntil('choice>')
io.sendline('2')
pp, g = 0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3, 0x85fd9ae42b57e515b7849b232fcd9575c18131235104d451eeceb991436b646d374086ca751846fdfec1ff7d4e1b9d6812355093a8227742a30361401ccc5577
group_list = [32, 64, 128, 256]
DD=1
for group in group_list:
    io.recvuntil('The cipher shared to you\n')
    cc=int(io.recvuntil('L, ')[1:-3])
    new_cipher=[cc]
    new_cipher+=eval(io.recvuntil(')\n')[:-2].decode().replace('L',''))
    c,E_,V_,s_=new_cipher

    io.recvuntil('prefix, encoder = ')
    Enc2,prefix=pre_enc=eval(io.recvuntil('\n')[:-1].decode().replace('L',''))
    prefix=int(prefix,16)
    encoder=[1,(-pow(prefix,sk,pp)) %pp]
    prefix = long_to_bytes(prefix).rjust(64, b'\x00')

    ml=[1]
    for i in range(len(Enc2)):
        ml.append((ml[-1]*encoder[-1]+Enc2[i]*(-1)**(i+1))%pp)
    r=-ml[-1]%pp
    dd = h2(prefix + long_to_bytes(r).rjust(64, b'\x00')) | 1
    DD*=dd
    d=libnum.invmod(dd,pp-1)
    tmp=E_*V_%pp
    xx=pow(tmp,d,pp)
    m=c*libnum.invmod(xx,pp)%pp
    io.send(hex(m)[2:])
io.recvuntil('You are a clever boy! Now I can share you some other information!\n0x')
mul=int(io.recvuntil('\n')[:-2],16)


ic(DD)
ic(mul)

#3
io.recvuntil('choice>')
io.sendline('3')
cc=int(io.recvuntil('L, ')[1:-3])
cipher=[cc]
cipher+=eval(io.recvuntil(')\n')[:-2].decode().replace('L',''))
ic(cipher)

solve-step2

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


from gmpy2 import *
io=0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3
D=15987058835088036058838351739905403758810826722245822649290306549906899936826738229650730140126509371862930340608846190807298868677166971678478129606238898364288362139315516922003581996769819030117310508402522153899137933429897987557331966070437119010259514160059698255241259153692392463260794449949596746727
mul=7194716155235037744823597029059822446255314248196377746260315999958188811928743123657567494196521690514320209430663462342437059567384744437239548754416135
c=mul*libnum.invmod(D,io)%io
e=4
R.<x> = Zmod(io)[]
f = x ^ e- c
f = f.monic()
res1 = f.roots()
print(res1)

solve-step3

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


from Crypto.Util.number import *
from gmpy2 import *
pp=0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3
sk=3415391405045794570454819264678842883406589094879440924771251075986414212665514615692960890299627279215019657097231396800926908716766924569917256830117771
cipher=[1452085683981538837849557434841689674477096081702343000869186835544808468459192026693029532721465657214194362000756249662047209552808256166535501585736401, 9299317806552199012103361766715291248186887467752322286719294121971787657296205598139365760833959784768412272593061318430853065277862724140493914797711689, 9287316455075844376168558534606543590293095721271733423230961724912040658757071778242087450272981713664977773510705690081763692753388091475741636185572383, 229110517869350912236518454062717456777603700368163296438479618211042488031942897036793380693680124455343059560507824269299022538059530971380675264277197]
c,E,V,s=cipher
xx=E*V%pp
m=c*libnum.invmod(pow(xx,sk,pp),pp)%pp
print(long_to_bytes(m))
#flag{504d0411-6707-469b-be31-9868200aca95}

学到很多

蓝帽ber final

https://github.com/ljahum/crypto-challenges/tree/main/%E8%93%9D%E7%8C%AB2021/final/twoBytes

twobyte

二分法

传入$C\times padding^e$

利用高位的two bytes判断$M\times padding和2^{496}$的大小关系(512-16=496)

利用二分法查找padding的值

查找约1000+次可以恢复secret

solve

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97


from subprocess import run
from Crypto.Util.number import long_to_bytes
from icecream import *
from pwn import *
import re

from pwnlib.util.iters import pad
def b2s(s):
    if(type(s)==str):
        return s
    else:
        return s.decode()

def CatNum(txt):
    txt = b2s(txt)
    matchObj = re.findall(r'[0-9]+', txt)
    return matchObj



def dec(n):
    print(io.recvuntil('Your choice: '))
    io.sendline('1')
    print(io.recvuntil('Your cipher: '))
    io.sendline(str(n))
    return io.recvline()[:-1]
def bigger(mid,c):
    # tmp1 = pow(mid,e,n)
    # ic(tmp1)
    tmp = (c*pow(mid,e,n))%n
    print(tmp)
    # ic(padding)
    m = dec(tmp)
    ic(m)
    if(m!=b'0000'):
        return True
    else:
        return False


io=remote('0.0.0.0',10001)
# print(io.recv(1024))
io.recvuntil('PKCS1_v1_6?(y/n)')
io.sendline('n')
e = int(CatNum(io.recvline())[0])
n = int(CatNum(io.recvline())[0])
c = int(CatNum(io.recvline())[0])
ic(e,c,n)

'''估算padding范围
padding = 1
h = 0
for i in range(512):
    tmp1 = pow(padding,e,n)
    ic(tmp1)
    tmp = (c*tmp1)%n
    print(tmp)
    ic(padding)
    m = dec(tmp)
    ic(m,i)
    if(m!=b'0000'):
        h=i
        input()
        break
    padding *= 2

'''


# pad=240~260
pl = 2**200
ph = 2**496
mid= (pl+ph)//2
input()
for i in range(512):
    # tmp = m*mid
    # ic(tmp-n)
    if(bigger(mid,c)==True):
        ph=mid-1
        mid = (mid+pl)//2
    else:
        pl=mid+1
        mid  =(mid+ph)//2
    # print(mid)
    # input()
ic(mid)
n=2**496
s =n//mid
secret = long_to_bytes(s)
ic(secret)
ic(secret.hex())
print(io.recvuntil('Your choice: '))
io.sendline('2')
io.sendline(secret.hex())
sleep(0.5)
print(io.recv(1024))

1
2
3
4
5


b'Your choice: '
b"You know my secret? (in hex): b'flag{ba1f2511fc30423bdbb183fe33f3dd0f}'\n"
[*] Closed connection to 0.0.0.0 port 10001
  /mnt/c/U/16953/Desktop/twoBytes took  11s at  11:38:42 AM
❯

document for 5th space2021

唯一以有点意思的找最短向量问题（SVP）听说一堆非预期打烂了，能找到的wp全是非预期（笑🤣 感觉不如。。。。画质

ECC

三段ECC的套娃，一看就是找老年赛棍出的缝合题，记了没用不记又不行

Task

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64


print 'Try to solve the 3 ECC'

from secret import flag
from Crypto.Util.number import *
assert(flag[:5]=='flag{')
flag = flag[5:-1]
num1 = bytes_to_long(flag[:7])
num2 = bytes_to_long(flag[7:14])
num3 = bytes_to_long(flag[14:])

def ECC1(num):
    p = 146808027458411567
    A = 46056180
    B = 2316783294673
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

def ECC2(num):
    p = 1256438680873352167711863680253958927079458741172412327087203
    #import random
    #A = random.randrange(389718923781273978681723687163812)
    #B = random.randrange(816378675675716537126387613131232121431231)
    A = 377999945830334462584412960368612
    B = 604811648267717218711247799143415167229480
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q
    factors, exponents = zip(*factor(E.order()))
    primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
    print primes
    dlogs = []
    for fac in primes:
        t = int(int(P.order()) / int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs += [dlog]
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
    print num
    print crt(dlogs,primes)



def ECC3(num):
    p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
    A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
    B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point() 
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

ECC1(num1)
print '=============='
ECC2(num2)
print '=============='
ECC3(num3)

stage1

很明显给的这几个数很小，用sage自带的离散对数求解三件套梭一遍得到答案

1
2
3
4
5
6
7
8
9


p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p),[A,B])
P = E(119851377153561800,50725039619018388) 
Q = E(22306318711744209, 111808951703508717) 
n = discrete_log(Q, P, operation='+') 
print(n)
# 13566003730592612

stage2

考烂的CRT in ECC知识点

一半特征是E.order()分解出来的素因子有问题，一般特征就是前面的因子都不大，后面有一个很大的因子

同时你还可以知道n其实也不是太大，E.order()就是ECC的阶，意思就是这整个ECC的曲线上一共有多少个不同的离散的点

refer：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39


p = 1256438680873352167711863680253958927079458741172412327087203
a = 377999945830334462584412960368612
b = 604811648267717218711247799143415167229480
gx = 550637390822762334900354060650869238926454800955557622817950
gy = 700751312208881169841494663466728684704743091638451132521079

px = 1152079922659509908913443110457333432642379532625238229329830
py = 819973744403969324837069647827669815566569448190043645544592

E = EllipticCurve(GF(p), [a, b])
G = E(gx, gy)
n = E.order()
QA = E(px, py)

factors = list(factor(n))
m = 1
moduli = []
remainders = []

print(f"[+] Running Pohlig Hellman")
print(factors)

for i, j in factors:
    if i > 10**9:
        print(i)
        break
    mod = i**j
    g2 = G*(n//mod)
    q2 = QA*(n//mod)
    r = discrete_log(q2, g2, operation='+')
    remainders.append(r)
    moduli.append(mod)
    m *= mod


r = crt(remainders, moduli)
print(r)
# 16093767336603949
# 9-2521-

stage3

E.order() = p的时候可以用一个叫做SMART攻击的操作

去年学的时候见到过，但换电脑搞没了，索性在记录一遍

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36


p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P = E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610)
Q = E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537)
def SmartAttack(P,Q,p):
    E = P.curve()
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)


r = SmartAttack(P, Q, p)
print(r)
# 19597596255129283097357413993866074145935170485891892
# 4a81-9957-8c3381622434

Document for 东华ber2021

py大赛诸神黄昏，依旧是抽一中午午休记一下题

Thersa

又是一个考烂的水题

src

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85


from Crypto.Util.number import*
from hashlib import sha256
import socketserver
import signal
import string
import random
from secret import flag

table = string.ascii_letters+string.digits
flag = bytes_to_long(flag)

MENU = br'''[+] 1.Get Encrypt:
[+] 2.Exit:
'''

class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b'[-] '):
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256( proof ).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return True

    def EncRy(self):
        p,q = getPrime(512),getPrime(512)
        n = p * q
        phi = (p - 1) * (q - 1)
        e = inverse(self.d, phi)
        c = pow(flag, e, n)
        return(e,n,c)

    def handle(self):
        signal.alarm(60)
        if not self.proof_of_work():
            return
        self.send(b"Welcome to my RSA!")
        self.d = getPrime(random.randint(435, 436))

        while 1:
            self.send(MENU)
            self.send(b"Now!What do you want to do?")
            option = self.recv()
            if option == b'1':
                self.send(str(self.EncRy()).encode())
            else:
                break

        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass

if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 10004
    print("HOST:POST " + HOST+":" + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()

所有的密文都是通过 $d$ 去产生实现的,common private key 攻击

refer：

Sctf2020 rsa
vn公开赛factor(印象中是叫这个)

根据实际情况应该是可以获取$N$组

再照着样例

改改参数大小使其满足题目要求和论文给的范围即可

solve

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37


#sagemath
from Crypto.Util.number import *
from gmpy2 import iroot
e1,n1,c1=(42930516866813661342965746223080520747639541783178165319930798466029922118238472375394025163017796792784301240279788973937514266651107411418409008126879890591634663600650622272276047586523991529128830751549916767006347857754606279093837920255744001556692088644997689518547315534397835105708024032114104233381, 77791057667316752688491344909349631143733665781985333450578141862483326292146944912417154290062439390262044781769179125790833684914883275144238169619259170245799297149721759503884049470266984858779855785527134093827380541390671671421065142834758715718012985245418556303458870683285396736465075774918756943849, 27391282824232696321494182390733866553767929957526280387298565758936575846502788790274502139115326807546265156509536800727262991966913839267428385697513824611497066201158201419561518562486879276509945503450941372856450148181065616319630297566761526958666976256485612007573889257294374864202830099675167224618)
e2,n2,c2=(19018427406275508266725318182604693048036959850117857989040747866263767206396699322550948080332092809132375761217132996919018670944100226583113345224541762253472497934634295339952030040768111601599444464038423922436192382234875739639531699502158126381323466372283051777517214602215819494796932567681821951661, 79650072081042322662491093415989067423342888043380140123956989961183485888095357404757819859263343837741065918473041502132392064045360290315160760995892876549211580451883428599900857896989098491504167023490425266678783550124590746460833416198860457961338080633882718390420924183342764921882749848062331837157, 47371054845953307458071281584547821822800567401012561479295024891414125620585367467768382853051493673297474227621983913977611690329004811247719468085248653560735761224575841708898687339051979667968682445741679494814049520035089826802489552786717808162007554429409373562206869161512981004103668781786261071642)
e3,n3,c3=(56543738058355787650458463296434379628548490866377456720748305513368031407432713681493384526759984858874833739323541806113831186630548095096957902346105190080635673052132358289744367039154224900185478860894300958278206372821874050674031918453348499825234769506256225325221089605204424199863739802675837768205, 79745878045239534073349506401894614077391259818245570439963094062152853043757431813193065050329923218395626939202508409314449221246402655169069682907439636880572885333431797158404833511447487493689075229003167933950464179409482597295179818105362744282535280033320439360295379327350145598779754591726149053127, 8406272869509814810291187732784177513812310985481896410437026715571367365909106171597609902128681517191154832846694541582315046341089395251486352127008536629880180333790535980063006233315170237788757595367545197059456798192233574190206607791108247915315239293315856045620536743732064060419019383653017754432)
e4,n4,c4=(7084543689346197121827870073257673792657047196994323608218552636377497641605010832530473677981880825830062575269956770329035892637961925305684535520357897676757195804280616332451896105146968442795337854851958165225390355543144975973394614878012047483478453541789213191489356453542050105788672267671186622349, 84193779290507365404703859402732143439109001210124769414375603074891153195964512465635919253078833439745459555371587096356222637979782540883867956964113419688015746698472168356238337484900265019835855499846392509934587316309130977694018626484013012355408173625138875013785514921191427955103949196185104270953, 57188209081624431651145335231083235968076151504975133709205719008833316979899965113559550632823577949531094733328627686996343950189156687337540064474041791342122016380351392782138752676861412964076387375179224936788921872659232295048921383561342206164767267043862968315447568792822076799329961025512641107246)
e5,n5,c5=(42832642928335275352734567465034497040617823999922718556444541540637575945318881858516365030723712293566938969239323128990546490351954020139702168583195387467822779475617077682710213996418869245088581793014583647801408719774140042233362914483058594181044708264940880873371340427513033621237883600041744259821, 100914764703986796503524746926824107407478498950896766954709765945739896574588237451261683044947676026816706250675210414995572771552251740398776761522312876711308663303631592599847201703544166011694904414367791567937596616962437750298179607007543994344224571625128530174980427056520743554240699599606017732453, 21119798060505043638458066841637396779462197838711219768901795233508035124251444985142140372296435557972489164083922904128749582124708137219016012302886951596946166275929450048887248788479585841059063956921630092232393741155010454512377332292347344811575552765907485744387780176768333870372377008256136186807)
e6,n6,c6=(92302858091592048530164341892874939881833483518095068563859833484262743798872223903571012516471302801063982503961657026303472815350321491051234131656128422061238653211376015684800612577226731646341043305151595034538237258802687294046312571159904343739248977644957644677771388548256577367489970379574172464797, 117679207537303828303181692131284163456980142622326819854887578740836701695007074712199364783113450072522001526705110176578644797269399966145551464701075583136732122232247312391436901027876012971338176518412247421456590394727819899354372288058334724615114926953982773216858342784870874502568283116049857599697, 694728970163274338952272545132120395722399912878027385515433411574332882874655233664187165540396449753083157039600465154030742189987900065124001404191085619372639241055402339355981737758090185934672051842827196968679043511560501886410676350912217561099905662581686696249610217183042166978654689061472935255)
e7,n7,c7=(107958832210740007280315466139290077026935359625782760172740000594364460869128124940009236566874443252250812468875065019322671201219651761405497245501179554045401769228061173131905805679002507830926816675819378142336365243119257538909791638758850962854709130774816448647965771903108760260693930942445832581613, 124514631670412396955583333186310036282392256402221528788219590875160132086163249366732298557562280446982290995056571347900001555142302304165284003543211879382117786568833925378625035366897845326134848510307881296792070242801270087606140027163068970890264029919788362871312210162525628755395528824620664275981, 122802204066940916090785459557228909264312462241661083272739613123469038467287559936112649653314041478655145859464338716094314561339632033669065696677349425900229495594900454878607113262204411164149182327233978867883052370242620750529133958835635598563284037235210030872798337887481034016325891031269539006959)
e8,n8,c8=(93032879096884833976354856506992993862316449685244948137669996162571278621479404733170084750947866321488473290655001676203288675188640293830346141700535957251408373865922564197265494466697836691672035371673758770683433485891640334014710181418750508413205768593981082149070901287189919968858883490943111987181, 126814261604881133528727989048158217150888497288150533655112145843950045425282139821602599229665745129453799945609742281626549287640177663087578340721569938344685390347348772958990014616194819409373556039354672378457009008450988307789399181204535224407248419395946571885338535639198634359608298711433536942733, 95330490027741440826424434337219961367405797139516869535055648011514837588374299753114991801669135223731470401046346436845011624597842223950760050976711965720535288001750040424144530196787933771814541562581236974965361143703635725068380670591839954283253531181890717506164459934317393787888216914582168459996)
sqrn8=iroot(n8,2)[0]
M=[
    [sqrn8,e1,e2,e3,e4,e5,e6,e7,e8],
    [0,-n1,0,0,0,0,0,0,0],
    [0,0,-n2,0,0,0,0,0,0],
    [0,0,0,-n3,0,0,0,0,0],
    [0,0,0,0,-n4,0,0,0,0],
    [0,0,0,0,0,-n5,0,0,0],
    [0,0,0,0,0,0,-n6,0,0],
    [0,0,0,0,0,0,0,-n7,0],
    [0,0,0,0,0,0,0,0,-n8]
]
M=matrix(ZZ,M)
M=M.LLL()
if M[0][0]<0:
    M=-M
d,t1=M[0][0]//sqrn8,M[0][1]
k1=(d*e1-t1)//n1
s1=(t1-1)//k1-1
var('x')
F=x^2-s1*x+n1
p,q=F.roots()[0][0],F.roots()[1][0]
p,q=abs(p),abs(q)
d=inverse_mod(Integer(e1),(Integer(p)-1)*(Integer(q)-1))
print(long_to_bytes(pow(c1,d,n1)))
#b'flag{338f4482-4f11-496c-a0d7-b06df53f79c5}'

BlockEncrypt

原文给了个pyc，但是复盘就懒得解包了捏

src

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97


from Crypto.Util.number import*
from Crypto.Cipher import AES
from secret import flag
from my_encrypt import block_encrypt
from hashlib import sha256
import socketserver
import signal
import string
import random
import os

table = string.ascii_letters+string.digits

MENU = br'''[+] 1.Encrypt the Flag:
[+] 2.Encrypt your Plaintext:
[+] 3.Exit:
'''

def pad(m):
    padlen = 16 - len(m) % 16
    return m + padlen * bytes([padlen])

def xor(msg1,msg2):
    assert len(msg1)==len(msg2)
    return long_to_bytes(bytes_to_long(msg1)^bytes_to_long(msg2))

class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b'[-] '):
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256( proof ).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return True


    def enc_msg(self,msg):
        return block_encrypt(pad(msg),self.key,self.ivv)

    def handle(self):
        signal.alarm(50)
        if not self.proof_of_work():
            return
        self.ivv = os.urandom(16)
        self.key = os.urandom(16)
        while 1:
            self.send(MENU,newline = False)
            option = self.recv()

            if (option == b'1'):
                self.send(b"My Encrypted flag is:")
                self.send(self.enc_msg(flag))

            elif option == b'2':
                self.send(b"Give me Your Plain & I'll give you the Cipher.")
                plaintext = self.recv()
                self.send(b'PlainText:' + plaintext + b'\nCipherText:' + self.enc_msg(plaintext))
            else:
                break
        self.send(b"\n[.]Down the Connection.")
        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass

if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 10004
    print("HOST:POST " + HOST+":" + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()

api my_encrypt.py

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168


from Crypto.Util.number import *
Sbox = (
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
)

InvSbox = (
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D,
)

xc = lambda a: (((a << 1) ^ 0x1B) & 0xFF) if (a & 0x80) else (a << 1)

R = (
    0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
    0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
    0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A,
    0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39,
)

def t2m(text):
    text = bytes_to_long(text)
    matrix = []
    for i in range(16):
        byte = (text >> (8 * (15 - i))) & 0xFF
        if i % 4 == 0:
            matrix.append([byte])
        else:
            matrix[i // 4].append(byte)
    return matrix


def m2t(matrix):
    text = 0
    for i in range(4):
        for j in range(4):
            text |= (matrix[i][j] << (120 - 8 * (4 * i + j)))
    return long_to_bytes(text)


class myAES:
    def __init__(self, MasterKey):
        self.ChangeKey(MasterKey)

    def ChangeKey(self, MasterKey):
        self.RoundKeys = t2m(MasterKey)
        # print self.RoundKeys

        for i in range(4, 4 * 11):
            self.RoundKeys.append([])
            if i % 4 == 0:
                byte = self.RoundKeys[i - 4][0]        \
                     ^ Sbox[self.RoundKeys[i - 1][1]]  \
                     ^ R[i // 4]
                self.RoundKeys[i].append(byte)

                for j in range(1, 4):
                    byte = self.RoundKeys[i - 4][j]    \
                         ^ Sbox[self.RoundKeys[i - 1][(j + 1) % 4]]
                    self.RoundKeys[i].append(byte)
            else:
                for j in range(4):
                    byte = self.RoundKeys[i - 4][j]    \
                         ^ self.RoundKeys[i - 1][j]
                    self.RoundKeys[i].append(byte)

        # print self.RoundKeys

    def encrypt(self, plaintext):
        self.plain_state = t2m(plaintext)

        self.__add_round_key(self.plain_state, self.RoundKeys[:4])

        for i in range(1, 10):
            self.__round_encrypt(self.plain_state, self.RoundKeys[4 * i : 4 * (i + 1)])

        self.__sub_bytes(self.plain_state)
        self.__shift_rows(self.plain_state)
        self.__sub_bytes(self.plain_state)
        self.__add_round_key(self.plain_state, self.RoundKeys[40:])

        return m2t(self.plain_state)

    def __add_round_key(self, s, k):
        for i in range(4):
            for j in range(4):
                s[i][j] ^= k[i][j]

    def __round_encrypt(self, state_matrix, key_matrix):
        self.__sub_bytes(state_matrix)
        self.__shift_rows(state_matrix)
        self.__mix_columns(state_matrix)
        self.__add_round_key(state_matrix, key_matrix)

    def __sub_bytes(self, s):
        for i in range(4):
            for j in range(4):
                s[i][j] = Sbox[s[i][j]]

    def __shift_rows(self, s):
        s[0][1], s[1][1], s[2][1], s[3][1] = s[1][1], s[2][1], s[3][1], s[0][1]
        s[0][2], s[1][2], s[2][2], s[3][2] = s[2][2], s[3][2], s[0][2], s[1][2]
        s[0][3], s[1][3], s[2][3], s[3][3] = s[3][3], s[0][3], s[1][3], s[2][3]

    def __mix_single_column(self, a):
        # please see Sec 4.1.2 in The Design of Rijndael
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        u = a[0]
        a[0] ^= t ^ xc(a[0] ^ a[1])
        a[1] ^= t ^ xc(a[1] ^ a[2])
        a[2] ^= t ^ xc(a[2] ^ a[3])
        a[3] ^= t ^ xc(a[3] ^ u)

    def __mix_columns(self, s):
        for i in range(4):
            self.__mix_single_column(s[i])

def xor(a,b):
    assert len(a) == len(b)
    tmp = []
    for i in range(len(a)):
        tmp.append(a[i]^b[i])
    return bytes(tmp)

def exchange_plain(plaintext):
    new_plain = []
    for i in plaintext:
        new_plain.append(i<<1)
    new_plain = bytes(new_plain)
    return new_plain

def block_encrypt(plaintext,key,iv):
    aes = myAES(key)
    block = len(plaintext)//16
    new_plain = exchange_plain(plaintext)
    cipher = b''
    for i in range(block):
        iv = aes.encrypt(iv) 
        cipher += xor(iv,new_plain[16*i:16*i+16])
    return cipher

这道题，给出的块加密使用的 key 和 iv 都是在初始化阶段内容中就已经固定了的，在一次连接之中不会更改

连上去可以获得flag的密文，那么如果是CFB或者OFB模式的加密那么该题违反了一次一密的(OTP)原则

对于密钥流复用，我们一点点试就可以了

OFB

CFB

总的来说，都是

$C_i=K_i\oplus P_i$

的形式

solve

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58


from pwn import *
from Crypto.Util.number import *
from hashlib import sha256
import string
from pwnlib.util.iters import mbruteforce

table = string.ascii_letters+string.digits
def pow():
    io.recvuntil("XXXX+")
    suffix = io.recv(16).decode("utf8")
    io.recvuntil("== ")
    cipher = io.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==
                        cipher, table, length=4, method='fixed')
    io.sendlineafter("XXXX :", proof) 

def pad(m):
    padlen = 16 - len(m) % 16
    return m + padlen * bytes([padlen])

def enc(plaintext):
    print(io.recvuntil(b'[-]').decode())
    io.sendline(b"2")
    print(io.recvuntil(b'[-] ').decode())
    io.sendline(plaintext)
    io.recvuntil(b"CipherText:")
    c = io.recvuntil(b'[+]')[:-4]
    return c

def xor(msg1,msg2):
    assert len(msg1)==len(msg2)
    return long_to_bytes(bytes_to_long(msg1)^bytes_to_long(msg2))

if __name__ == "__main__":
    io = remote("127.0.0.1",10004)
    pow()
    print(io.recvuntil(b'[-] ').decode())
    io.sendline(b"1")
    print(io.recvuntil(b"My Encrypted flag is:").decode())
    c = io.recvuntil(b'[+]')[1:-4]

    cipherlen = len(c) - 1
    fakeplain = cipherlen * b'\x01'
    blocksize = cipherlen//16
    newcipher = enc(fakeplain)
    fakeplain = pad(fakeplain)
    new_plain = []
    for i in fakeplain:
        new_plain.append((i)<<1)
    new_plain = bytes(new_plain)
    s = (xor(new_plain,newcipher[:]))

    fakeplain2 = (xor(s,c))
    new_plain = []
    for i in fakeplain2:
        new_plain.append((i)>>1)
    new_plain = bytes(new_plain)
    print(new_plain)

MyCryptoSystem

阿巴阿巴，摸了，一中午时间搞不定捏，下午还要上机

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167


from Crypto.Util.number import*
import random
from secret import flag
from hashlib import sha256
import socketserver
import signal
import string

def trans_flag(flag):
    new_flag = []
    for i in range(6):
        new_flag.append(bytes_to_long(flag[i*7:i*7+7]))
    return new_flag

kbits = 1024
table = string.ascii_letters+string.digits
flag = trans_flag(flag)

def Setup(kbits):
    p_bit = kbits//2
    q_bit = kbits - p_bit
    while 1:
        p = getPrime(p_bit)
        p_tmp = (p-1)//2
        if isPrime(p_tmp):
            break
    while 1:
        q = getPrime(q_bit)
        q_tmp = (q-1)//2
        if isPrime(q_tmp):
            break
    N = p*q
    while 1:
        g = random.randrange(N*N)
        if (pow(g,p_tmp * q_tmp,N*N) - 1)%N == 0 and  (pow(g,p_tmp * q_tmp,N*N) - 1)//N >= 1 and (pow(g,p_tmp * q_tmp,N*N) - 1)//N <= N - 1:
            break
    public = (N,g)
    return public,p

def KeyGen(public):
    N,g = public
    a = random.randrange(N*N)
    h = pow(g,a,N*N)

    pk = h
    sk = a 

    return pk,sk

def Encrypt(public,pk,m):
    N,g = public
    r = random.randrange(N*N)
    A = pow(g,r,N*N)
    B = (pow(pk,r,N*N) * (1 + m * N)) % (N * N)
    return A,B

def Add(public,dataCipher1,dataCipher2):
    N = public[0]
    A1,B1 = dataCipher1
    A2,B2 = dataCipher2

    A = (A1*A2)%(N*N)
    B = (B1*B2)%(N*N)

    return (A,B)

def hint(p):
    _p = getPrime(2048)
    _q = getPrime(2048)
    n = _p*_q
    e = 0x10001
    s = getPrime(300)
    tmp = (160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 +1)

    phi = (_p-1)*(_q-1)
    d = inverse(e,phi)
    k = (_p-s)*d
    enc = pow(p,e,n)
    return (tmp,k,enc,n)

class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b'SERVER <INPUT>: '):
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256(proof).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return True

    def handle(self):
        proof = self.proof_of_work()
        if not proof:
            self.request.close()


        public,p = Setup(kbits)
        signal.alarm(60)
        pk = []

        for i in range(6):
            pki,ski = KeyGen(public)
            pk.append(pki)

        msg = [123,456,789,123,456,789]
        CipherPair = []
        for i in range(len(pk)):
            TMP = Encrypt(public,pk[i],msg[i])
            CipherPair.append(((TMP),pk[i]))

        CipherDate = []
        for i in range(len(pk)):
            CipherDate.append(Add(public,Encrypt(public,pk[i],flag[i]),CipherPair[i][0]))

        self.send(b'What do you want to get?\n[1]pk_list\n[2]public_parameters\n[3]hint_for_p\n[4]EncRypt_Flag\n[5]exit')
        while 1:
            option = self.recv()
            if option == b'1':
                self.send(b"[~]My pk_list is:")
                self.send(str(pk).encode())
            elif option == b'2':
                self.send(b"[~]My public_parameters is")
                self.send(str(public).encode())
            elif option == b'3':
                self.send(b"[~]My hint for p is")
                self.send(str(hint(p)).encode())
            elif option == b'4':
                self.send(b'[~]What you want is the flag!')
                self.send(str(CipherDate).encode())
            else:
                break
        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass

if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 10004
    print("HOST:POST " + HOST+":" + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()

Refer：

https://link.springer.com/book/10.1007%2Fb94617

有点全同态的意思，思路应该都差不多，老年人审不动代码了

solve

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73


from Crypto.Util.number import *



pk = [
    9903345546233406345274390216048265052622725595643911382459514293327907995763783433147838863218937316798528321748709369866569364258411991106643258574989572698239199587284255395798614346448471824851838611865337708256660691836153845389605039594319342717738584309592542607252862142218328138475660803285763968213588394528744053027073152049126506763299065229583353619501424333169829170062395149103651329694449221315641100954836434060049710046515370320763518422757259232374856682888632529561315692561552616649850830047862626833700857587886906774837245010908976175065773850953572418920037258016988361625314499467080329947834,
    4657987514327931382586065476207522772971258290989872695879544239943902837884205892985114988879105147508471426477725785278489578603238865417098282642677702682558515261983265111905752045094339807685437631424315910160691213278435428566562930439156460282707569924593158395598671318460018264391187530476992919637306573650359751555942532258246978276100316266002757890715569420913869805217560217134510519346377418614486773028307378572957516734818473041775035754849881665094508458497419054187487268190726118233936603633638471145845999136306136647043157332984411178327008942140608992928610672350874409133847619495978691003983,
    7152622146034039999102209659831462740324099991262599130951339134800860469219385611290178799376661722659467449321426175020317292072406471009110088250342445514154276439873731324377138630287652938447079493334481729733399579524933508791782450534231737861241986084043058279901605377263189163625776405289654862504323255599291057684909554237875294477643638400289810490222526085038484864459087125794097728967487662164428457600296095735630725252693027342870722549061819169935860921269104894144054734690002817578317664544134682313233240526480877455943937633095468303194749422586696801627436494347930469704062764072900721232548,
    7109779273286288048422281478804269058000170220987326969272411328526909689353334022202761918717633450003773894926300727763953889207715377450335730309751197006520012868095728483075579533219462901668068782447412894870775590238751905671507645068125478347626639590964901574834959983618787306511470121467436989932815779239653115530532446769723177935466135060247074247928491194578344816554353261469294754488631361381078861128074887053925809483235131348049560238616364665057176559180859329509474653282715138146826654691223610824931487517489362866512293278790312452574896436150893275394629547641444721163364866744442609573336,
    7013605482466599504215631908713721046317718409278569099893184473489373835086487268247053290346460889649268221380299871646123742986014194382973645546664516341392101622320165115690109134132599946593167293726028899310932600936819760645652261283663993530694302054668286992858073658208217032520244670566118947000884035935625925585375773268470663092328626392488631056760673984746371429897537785286259074077658212766702133795429225879795772702881120673021514373788313589716773325607907621831363437568961397189016495389255827603389591886876630344786847409531508107276526897772978948736479662903818836257353212222762336597842,
    4806721251332604936583783100910738385093145269860713974606137000339320309313718310646996553451884286724915427107907524634556622320710583584822842418207893426969244662819580085418538670391877263926570368207843244161385729568080850388644996006667177570562488502257438937466251161234759102309530753153103743200173924429409773543762996308591888655566867525229785743476821619151400424309747726050575041627943897750153111818448811385038416912000573298056564339492261814303206364521764204436008885844987333383021967216866126804296346352232953195581868834806336897980493190883504556027965801104592918053461903544343499793148]

pp = (
116058145608385674276672702733893672956917357809340972538570485852695265863484647565483969096692688010826897645583250179342948573711209724577479990992353280882942137887382013678270315267433526273541196683333653359064888776962783810251136593744944176853011420616507243827538789682910216231628628642669601620197,
1323504804693605855191327443760086345281649229726269111925168787721095025354939523351093646120270955977932471982770625541648435290075746193431150770845139326096348863253122005228642568047448855041631516254485716898369011414099219540232164217042223770732057949218835774974444493789502265425791610604673305652047727570396368311258661773456561780033017199975954989495183950216887552362300470021672023164588797459958072321188375419124464113413271301788579119298216918506641731413551008233009777669881314925772595092716344426679130709454192219868031884699258375512868095144714176573965706489293593500326194562659653969458)

hint = (
3304509274524412540171264358124119088833800976282457766193314963305873033161330887473610701496331727440513718090072303043520886293193462950873554113640228240224124433475441227891344247665419958809785016703063382485354461032693344779418991821542568461754389960108428352247981608899460343162110878318981398514231521555009134803445563830931241367613010673484820004826742929263786069863767135614670210943375086531462135790577385826251711826956133897596282243,
18673552355026493682367993197594041685105912554496204006071318337433750748484198918999006603609070236946794406646857929858271667161159821948643461587573309938436022907905563675893493544137760269437082632764159499720652999895637785568626919233056222688894682434212287149137672927486675552931963662505820165969260332655913416992181107410361559298420835898842186213690962374197086970672645328840383254461784517784780864111625152257285743741377246185357414383169045966336855033328995108673937471012241768717137091699706888762787881023600876751379445077298974464957282953933633278819938276469242913645327826899280730378510831893678633686326067596094217688170054369461965105625780401612104533404625397536763720217428564215968405635508712008844542236283094192295732557282230905545840906632840009978007258478459365608215939033972105748737935689371789627988971740974016203717802975023788606268882962377491740960659808878888064715022917962036921078185337788188828827560750328462479969002281238743276353625438159553170772284740537095985838278172254013674247239470266176189688697125522141751881011405920598024214587381076120444370591846992414608682429746316750727122762979926721420808841162691202812455865023677898835926775902048207423004038897059826740331422462081975344727266724533279470011913633242411494155377901129954948980432938310133971389286531625924644619420043095791394754413875398146297583377962248627741212161303069981941569866944074879499723223751021923981415814664672164190239644127148353124450639473123151046004159881650568067549888897471830276776633029695063826990630398201263925250452965401918712445937288291276956166559477365872979519731483611497593803953363019529897948397338298832801417548743615088306206142876669755008937934689940302481383802561001644113621155496827135409662730409037898943078891337579488375518035794171905834626304322444694,
539377906599424907526632843166406186887994388288395247025677144511569324590324166349932358956945530482435011767601209547968477063774490960749034860906510588252104413420941733125967525475043221168756505292522601577057218771125772685733296338522363178984864495675414130791619818890366370557675326005258390297594292831359088537078656773489065102417473480178237120474398129190736614740095486323803477825764714579797487965970125462158351531803287630303556152941144529035877182222332859272963419562743124506553238333107168737543087680258179370723432262945716883858929178735267308369044505783745182741491958523354179513018857096826520453169699127158441377257448188678204993164831215068755599442400473937072589097943431330269080643575456825957862621837176273757555174664101928305295704140917190943907845610548594061039034810294061809981907459259888820996892671481897701236041260611950043463091395858960542584227353654109383849840291308218862529006542917504664716472128390359084763925098770711610788290622962907016008535400120027033905191127470206070423441540259944787758643369312060605925413027755134600754634776476816867075412026307691016441255799159826836710912465972283668124709418672925573497481469507767821018983331413830308225249670213,
771303616051246597362775631900799039403496855240545309388039239713515343324730245355385505175052264662225716867664932661179695239976689945202466354113882887785256123500397817446363928952385349720106805723398880158118530637817328419529810918253166105130572407675868533684722690701263027695057884781572005203710380389492337464706322197156332747141737567696942141557244601594450697569317561198633787265360908016943129048658517482780709873483395196165037089762085272676446233125576546801464300403172738727818739368290767604363354842370759828029956787539488976004277286939183192793995718557020159731981638723547110532088324527518198313950639459543804840939790334808699633063597436840087738271170775240338399829681169080915374347348793605099404690101311868508864356243014172245954247143538079675646203655046049549064125322505821306915855626027754226417532505315799505040998439588290594143118470042253509832524845224911601112190904726230912309817509408264025187673852524716993402306088622806621715736676790401579697069312650629611634465456687035568440558258548547180371086392877863527742881461641884074483579391836421145981167932451527973965904138695962954324595990655760219255358121458470950021891974378425618763709685740211924807012197107)

enc = [(
       2370749863764972469554987128423083132152741020419238456792199956271338793369703079791129095737616003377516787283096306824061503011677428843457108641844447745003806414353879288703818779487783955229942181920152588250200669054504452218107095850722768505991162394104886525200011421355381962826397885692150120244491531539377531866284584252422892309748011247515811550244392155248279678705299157537079588584781118082321447337527598026964754363320992168148072800954886229060629354492679636656754286873086972322060862979794720152370297379178231399705112629407022082772459000129648242752712149593022848240307229599933472326639,
       10629950550426941565735942536153612126197075426453505801699488530948416427388341145614894540703007927177589576195791501426919155687969896393612899952331105630117997308653329395856690066181874393591881894453952869877799692000865157650370029152823033681542597277374455515630326185288969181207049278972424924124917280845385999799481752211943822401232496627640731964698440335637339531240277243009697942776518858825759945763928468912578631650445582450477310960248021693355312415701840017992455266308763927053090663891585787512051382596977251121622452266044626384323834901483016613229807405392686302206337745279574799725645),
       (
       8542751637884684025319786450527032227009617479414394231919844939217652338788161470233642473581019170622701720476025009092989013870995959272934965586486840055645006446711683509118553167874426553788648476906001713844361905026951473754320948536863270405442355445689090656080870055731787592798342434870295612231106938988844575221665180789028833163353823895142662603464032381483430210539747595577423739584974097527545540375158029450966706494122549444092584635666880572007044982041658609028110690639268383842637227465891773307663549588908675683344647203385483408274703330184009244117626337442195205480475459017506908378382,
       2085464782488608613105478863522869688839446373807422195811803331689394753034371063243583106866586343146531749675569189096780488423721634377236415215284877254947163786418624603900665408073101524722245655198842608618980378770280851746286699343613279939871217219082251933210754404379200901319663736745457626874556188300478654812086483681270689360875895659386846755725802972602048228910282786705793739781283712745503244516889112081931069096299064296710777871729670616642875966694256394184177030901697579198250012643883583860976015695050327069588050903408271139834868592068346344594302367420008530215145642134089913952557),
       (
       543379651794527156062094782615415987126871620097692229765839746265851208613317355119559668303271787419759988860329095755697435256473567826557245034346459936922682845797773645705160147104133662578144309856704479439289163136941011188877597285072682519886521870892631481613475471998069980876386882958669921110348676779465364405081731380722964576478311374454355160040908216697066270729949487583602342578399647457482050413820300137877454944632271598565235769295077747277719043188373569056439162575396512455806377433545271124528925620470920962892894249748487897779327141712239684724085201311734710383690195147053140764504,
       9600165348259661124956404845736396858100519318389925868606888916984643985895386306780982368751778369806274791090833545087200109007614498245855188283074902307949807130479277113285297867794858711826951638363843607817932591111690370962454818512651391989642966123695165335863937606726713692914497273424773388437855020945354376617719527751214041931945111308814001172921038464366498230491013737383072831557104712383544399543012036163649490354003100371174810574006002644174234692655781715586368884960284084967731443156537638580405037295061504085273546300354900099908765784319131236423563368794213970198902823051776517828468),
       (
       12720343660076569556039596264810303540914689089267418571274368608634502718903963112327879610372603745751539474798195515336467050718375929419345733113911528358484167664963503186841785910027555371478552531495995844268225519704711001985099721356627657840167984002486330570582837406734000720783811150194191002449217705383562675444044945162334756814642251675950438968558499867686939667519299824614533209923956050684477257790445925094911660288187792056096062118083793213147868094394231992192383502108218624286840281922749640371120549106693515481691153295118333950838764473539401082016498358430567956598359917829161043821923,
       4650323688588415339019928507804235509220831574748530492223503896814273549337012004014746825250262647080845945994043124954184595880222369378843745537963920765086225346591138786702843017155046291724096922328898328762663213011679875702138741764070774196464897663069143841855764208571026489169132412285776494336297720866132075198429444247196211613036311318314879852868477516679485900845328688901789016225902686170650744766395837690968708316279220636380532088975733777486547226356583429833361452246099636637189734339178241917792021598852161212173979461617456855465936599590284629977902176162000058610035695794065634100639),
       (
       10396423324897848835409665024677718748748275152542630135546271217978894933756975222671676528440868558146062940715117417453570039212594054647284966702987699660365789971324359154387594924406035801798108650969994651017387528389546784219757728821861009799685768626296589321049051322128571853402725165039936147958562122051637969655142188175452657583158785607562742670990899569674380956330989338377933120635140041105086765896268409172931140656723857868697634702294188534131288843222666037473712998513917783662683841747851217148640555307904431378526795971269753578248986461126093686958140302691940282614769028716224500465400,
       10798504168395710787960812876356437285934683803323132830688595372752190494161652829029608445088132125185307268912072641282834290673164295328663953059468256952098951333672231933874502144395072869385220758235319321235155734059642693343763727507971442564909780155636668388696682838764136330992117816596893267196341561066485523081399699619635261170621994915700709742698285689917591029680117943213992352450943218840907244087863115086611479482597679053688944172466634936583338987025301834861645019455669785648445946091342899676952875789185642046350945969242055986671135076879652075682156184614411942863144182851932824842223),
       (
       6024146563091378683361400585005798994618396955430739256202274414470382614885386935565909835642987305321627688396325616582250978022048902486972239421247523958404794423154859667551329588342537025329667423441363580369169495567970964773693968820126919761419804174567010888728316915168649562127178777376355308064502139123147221947023574172487891669271681846950161748490575086030511122210151190204591379378553678990922119342011478603434071107786918375396663987961758147555293906382425151887060043190720507983485158382548174693081995619844700045348077449835099793967697120736717935383288578127456179213311919161151155174824,
       4870502348403192237841744837214583690478227756212766589818598939047582028006298907136620265317438054467335452744116591470143951540556270271380332391795537714716300381577136060628725987549313679113315820130730138650199102902669460738279230412746309056896412027404174717090688033608047192772110096729558448093593198119502746076283713950634532742154889796648667924689635484547336377813437723995975643927939980093528839639771421922806898920769585362627963378567719717948703184928020874906392869582921471386283254630748177578173599118834216729254666298122543633678959357415931927763356558249437476070464496258411089399963)]

l = 0
r = 1 << 300

while True:
    s = (l + r) // 2
    x = (160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 + 1) - hint[0]
    if x > 0:
        r = s
    elif x < 0:
        l = s
    else:
        break

_p = GCD(pow(2, hint[1] * 65537 + s - 1, hint[3]) - 1, hint[3])
_q = hint[3] // _p
d = inverse(65537, (_p - 1) * (_q - 1))
p = pow(hint[2], d, hint[3])
n = pp[0]
q = n // p
k = (p - 1) * (q - 1) // 4
g = (pow(pp[1], k, n * n) - 1) // n
msg = [123, 456, 789, 123, 456, 789]
flag = b''

for i in range(6):
    y = (pow(pk[i], k, n * n) - 1) // n
    x = y * inverse(g, n) % n
    m = pow(enc[i][1], k, n * n) * pow(enc[i][0], -k * x, n * n)
    f = ((m - 1) // n * inverse(k, n) - msg[i]) % n
    flag += long_to_bytes(f)

print(flag)

fermat’s revenge

小数学题

$hint\equiv(1010*p+1011)^q\ (mod\ n)$

重新模p，需要对指数变形

$hint=(1010\cdot p+1011)^q=1011^q\;mod\;p$ $hint^p=1011^n\;mod\;p$

对上式和n求gcd即可。

$gcd(n,hint-1011^n)$

1
2
3
4
5
6
7
8
9


from Crypto.Util.number import *

n = 17329555687339057933030881774167606066714011664369940819755094697939414110116183129515036417930928381309923593306884879686961969722610261114896200690291299753284120079351636102685226435454462581742248968732979816910255384339882675593423385529925794918175056364069416358095759362865710837992174966213332948216626442765218056059227797575954980861175262821459941222980957749720949816909119263643425681517545937122980872133309062049836920463547302193585676588711888598357927574729648088370609421283416559346827315399049239357814820660913395553316721927867556418628117971385375472454118148999848258824753064992040468588511
c = 2834445728359401954509180010018035151637121735110411504246937217024301211768483790406570069340718976013805438660602396212488675995602673107853878297024467687865600759709655334014269938893756460638324659859693599161639448736859952750381592192404889795107146077421499823006298655812398359841137631684363428490100792619658995661630533920917942659455792050032138051272224911869438429703875012535681896010735974555495618216882831524578648074539796556404193333636537331833807459066576022732553707927018332334884641370339471969967359580724737784159811992637384360752274204462169330081579501038904830207691558009918736480389
hint = 2528640120640884291705022551567142949735065756834488816429783990402901687493207894594113717734719036126087363828359113769238235697788243950392064194097056579105620723640796253143555383311882778423540515270957452851097267592400001145658904042191937942341842865936546187498072576943297002184798413336701918670376291021190387536660070933700475110660304652647893127663882847145502396993549034428649569475467365756381857116208029508389607872560487325166953770793357700419069480517845456083758105937644350450559733949764193599564499133714282286339445501435278957250603141596679797055178139335763901195697988437542180256184
p = GCD(hint-pow(1011, n, n), n)
q = n//p
d = inverse(65537, (p-1)*(q-1))
print(long_to_bytes(pow(c, d, n)))

'flag{1d2f28834ecbd1983b62d30f4723476e}'

第二届美团ctf预赛romeo

操作系统终于考完了，抽空看了下这个完全没有营养的线上赛

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88


from Crypto.Util.number import*
from Crypto.Cipher import AES
from secret import msg,password,flag
import socketserver
import signal
assert len(msg) == 32
assert len(password) == 8

def padding(msg):
    return msg + bytes([0 for i in range((16 - len(msg))%16)])

class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)       
        except:
            pass

    def recv(self):
        return self._recvall()

    def login(self):
        right_num = 0
        while 1:
            self.send(b'[~]Please input your password:')
            str1 = self.recv().strip()[:8]
            print(str1)
            print(password)
            true_num = 0
            for i in range(len(password)):
                if str1[i] != password[i]:
                    login = False
                    self.send(b'False!')
                    break
                else:
                    true_num = i + 1 

                if right_num > true_num:
                    continue
                else:
                    right_num = true_num

                if true_num == len(password):
                    login = True
                check = b''
                for i in range(0x2000):
                    check = self.aes.encrypt(padding(check[:-1] + str1[:i+1]))

            if login == True:
                self.send(b"Login Success")
                return True,check[:16]
            
        return False

    def handle(self):
        signal.alarm(100)
        self.aes = AES.new(padding(password),AES.MODE_ECB)
        _,final_check = self.login()
        if _ == 1:
            这个assert完全没有什么鸟用
            # assert msg.decode() == final_check.hex()
            self.send(b'Good Morning Master!')
            self.send(flag)
            
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass

if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 10001
    print("HOST:POST " + HOST+":" + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()

一位位爆破密码

通过range(0x2000)的高耗时来判断当前正在判断的位数

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


from pwn import *
from time import time
import string
#io = remote("127.0.0.1", 9999)
io = remote("0.0.0.0", 10001)
CHARSET = string.printable
pre = ""

for _ in range(8):
    print(_)
    t = 0
    now = ""
    for i in CHARSET[:]:
        io.recvuntil(b":")
        print(pre + i + "0")
        io.sendline((pre + i + "0").encode())
        
        start = time()
        # 等待 "False!"
        io.recvuntil(b"!")
        end = time()
        
        # 出现错误的时间大于上一次出现错误的时间
        # 证明当前字符才对了，正确的序列又变长了一位
        if (end - start) > t:
            now = i
            t = end - start
        print(end - start)
    print()
    print(t)
    #exit()
    pre = pre + now
    print(pre)
io.interactive()

最后拿到passwd了nc上去输入拿到flag