前提

结合前面的vectors Twisted Hessian,这里应该还是有一个题做基础的,SVP(维数控制在4以下)和CVP问题
Gauss格基简约算法
即对给定的两个基向量进行不断的相互约化,最终求得格上的最小向量

If ||v2|| < ||v1||, swap v1, v2
Compute m = ⌊ v1∙v2 / v1∙v1 ⌉
If m = 0, return v1, v2
v2 = v2 - m*v1

#python
import numpy as np
def e_norm(a):
    """Return the squared Euclidean norm of ``a`` (the sum of its squared entries).

    No square root is taken, so integer input gives an exact integer result.
    """
    return sum(component * component for component in a)

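def gauss_reduction(v1, v2):
    """Run Gauss (Lagrange) reduction on a two-vector lattice basis.

    Each round orders the pair so that ``v1`` is the shorter vector, then
    subtracts the nearest-integer multiple of ``v1`` from ``v2``. When that
    multiple rounds to zero, both vectors are printed and the function
    returns. Of the two vectors printed at the end, ``v1`` is the shortest
    vector of the lattice.

    Args:
        v1, v2: basis vectors accepted by ``np.dot`` and ``e_norm``. For the
            512-bit values used on this page they presumably need to be
            arrays with ``dtype=object`` holding Python ints -- TODO confirm
            against the caller.

    Returns:
        True, after printing the reduced pair.
    """
    from fractions import Fraction

    while True:
        v1_enorm = e_norm(v1)
        v2_enorm = e_norm(v2)
        if v1_enorm > v2_enorm:
            v1, v2 = v2, v1
            v1_enorm, v2_enorm = v2_enorm, v1_enorm
        dot = np.dot(v1, v2)
        if isinstance(dot, (int, np.integer)) and isinstance(v1_enorm, (int, np.integer)):
            # Exact rational rounding: a float quotient keeps only 53 bits, so
            # for big-integer lattices the rounded multiple could be wrong.
            # round() on a Fraction rounds halves to even, like round() on a float.
            m = round(Fraction(int(dot), int(v1_enorm)))
        else:
            # Non-integer input keeps the original float-based rounding.
            m = int(round(dot / v1_enorm))
        if m == 0:
            print("v1:" + str(v1))
            print("v2:" + str(v2))
            return True
        v2 = v2 - np.dot(m, v1)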

题目:

from Crypto.Util.number import getPrime, inverse, bytes_to_long
import random
import math

FLAG = b'crypto{?????????????????????}'


def gen_key():
    """Generate a key pair for the challenge's toy cryptosystem.

    Returns:
        ``((q, h), (f, g))`` where ``q`` is a 512-bit prime, ``f`` and ``g``
        are coprime integers no larger than ``sqrt(q / 2)``, and
        ``h = f^-1 * g mod q``.

    Because ``f`` and ``g`` are only about half the size of ``q``, the
    private pair is a short vector of the lattice spanned by ``(1, h)`` and
    ``(0, q)``, which is the weakness the write-up relies on. ``random`` is
    also not a cryptographically secure generator.
    """
    q = getPrime(512)
    bound_hi = int(math.sqrt(q // 2))
    bound_lo = int(math.sqrt(q // 4))
    f = random.randint(2, bound_hi)
    # Redraw g until it is coprime to f, so that f is invertible modulo g.
    g = random.randint(bound_lo, bound_hi)
    while math.gcd(f, g) != 1:
        g = random.randint(bound_lo, bound_hi)
    h = (inverse(f, q) * g) % q
    return (q, h), (f, g)


def encrypt(q, h, m):
    """Encrypt the integer ``m`` as ``(r*h + m) mod q`` with a fresh random ``r``.

    ``m`` must be below ``int(sqrt(q // 2))``; the check is an ``assert``, so
    it disappears when Python runs with ``-O``. ``r`` is drawn from
    ``random``, which is not a cryptographically secure generator.
    """
    limit = int(math.sqrt(q // 2))
    assert m < limit
    r = random.randint(2, limit)
    return (r * h + m) % q


def decrypt(q, h, f, g, e):
    """Recover the plaintext integer from ciphertext ``e`` with the private pair ``(f, g)``.

    ``f*e mod q`` equals ``r*g + f*m`` modulo ``q``; with the size bounds
    used in ``gen_key`` and ``encrypt`` that sum stays below ``q``, so
    reducing it modulo ``g`` leaves ``f*m``, and multiplying by
    ``f^-1 mod g`` gives ``m``. ``h`` is accepted but not used.
    """
    lifted = (f * e) % q
    f_inv_mod_g = inverse(f, g)
    return (lifted * f_inv_mod_g) % g


# Generate a key pair and unpack both halves into module-level names.
public, private = gen_key()
q = public[0]
h = public[1]
f = private[0]
g = private[1]

# Encode the flag as one integer and encrypt it under the public key.
m = bytes_to_long(FLAG)
e = encrypt(q, h, m)

# Only the public key and the ciphertext are published.
print(f'Public key: {(q,h)}')
print(f'Encrypted Flag: {e}')

Public key: (7638232120454925879231554234011842347641017888219021175304217358715878636183252433454896490677496516149889316745664606749499241420160898019203925115292257, 2163268902194560093843693572170199707501787797497998463462129592239973581462651622978282637513865274199374452805292639586264791317439029535926401109074800)
Encrypted Flag: 5605696495253720664142881956908624307570671858477482119657436163663663844731169035682344974286379049123733356009125671924280312532755241162267269123486523

能确定q 512位,f,g小于q,以及
$h \equiv f^{-1} g \pmod q$
$e \equiv rh + m \pmod q$
这样没法直接推出明文m,看到还有一个decrypt函数没有用,所以往后应该就是求出未知的f和g
lattice,用基向量定义基本空间
由 $fh \equiv g \pmod q$ 得 $g = fh - kq$
选定一组基底为(1,h),(0,q)

$\begin{pmatrix} 1 & h \\ 0 & q \end{pmatrix}$

使得 $a(1,h)+b(0,q)=(f,g)$
存在 $a=f$、$b=-k$ 满足条件
即 $(f,g)$ 是这组基的整系数线性组合,所以 $(f,g)$ 这个向量在这个lattice上

v1:[47251817614431369468151088301948722761694622606220578981561236563325808178756
43997957885147078115851147456370880089696256470389782348293341937915504254589]
v2:[-67269010250212717075432182693043963184097648880165008621907831284647116025901
99012763459529858809608436133564630524350106000242070336818304053467942269178]

看出第一个符合f,g,带入函数decrypt

 import gmpy2
from Crypto.Util.number import long_to_bytes

def decrypt(q, h, f, g, e):
    """Decrypt ``e`` with the private pair ``(f, g)``; mirrors the challenge's ``decrypt``.

    Computes ``((f*e mod q) * f^-1 mod g) mod g`` using ``gmpy2.invert`` for
    the modular inverse. ``h`` is accepted but not used.
    """
    lifted = (f * e) % q
    f_inv_mod_g = gmpy2.invert(f, g)
    return (lifted * f_inv_mod_g) % g
q=7638232120454925879231554234011842347641017888219021175304217358715878636183252433454896490677496516149889316745664606749499241420160898019203925115292257
h=2163268902194560093843693572170199707501787797497998463462129592239973581462651622978282637513865274199374452805292639586264791317439029535926401109074800
e=5605696495253720664142881956908624307570671858477482119657436163663663844731169035682344974286379049123733356009125671924280312532755241162267269123486523
f=47251817614431369468151088301948722761694622606220578981561236563325808178756
g=43997957885147078115851147456370880089696256470389782348293341937915504254589
# f and g are the components of the shorter reduced vector (v1) printed earlier.
m=decrypt(q,h,f,g,e)
# Convert the recovered integer back to the flag bytes.
print(long_to_bytes(m))
#b'crypto{Gauss_lattice_attack!}'

基础知识

aes(?)

题目

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
import os
import hashlib
from sage.all import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import c, b, key, FLAG

def add_curve(P, Q, K):
    """Add two affine points under the challenge's custom group law.

    ``K`` is the parameter triple ``(a, d, p)`` and all arithmetic is modulo
    ``p``. The pair ``(0, 0)`` acts as the neutral element: when either
    operand equals it, the other operand is returned unchanged.

    Raises:
        ValueError: from ``pow(..., -1, p)`` when ``1 - d*x1^2*x2^2`` has no
            inverse modulo ``p``.
    """
    a, d, p = K
    neutral = (0, 0)
    if P == neutral:
        return Q
    if Q == neutral:
        return P
    (x1, y1), (x2, y2) = P, Q
    # d * x1^2 * x2^2 appears in both numerators and both denominators.
    cross = d * x1 ** 2 * x2 ** 2
    x_num = x1 * y2 + y1 * x2
    y_num = (y1 * y2 + 2 * a * x1 * x2) * (1 + cross) + 2 * d * x1 * x2 * (x1 ** 2 + x2 ** 2)
    x3 = x_num * pow(1 - cross, -1, p) % p
    y3 = y_num * pow((1 - cross) ** 2, -1, p) % p
    return x3, y3

def mul_curve(n, P, K):
    """Compute ``n * P`` by binary double-and-add using ``add_curve``.

    Starts from the neutral element ``(0, 0)`` and consumes ``n`` from the
    least-significant bit upward. For ``n <= 0`` the loop never runs and
    ``(0, 0)`` is returned.
    """
    acc = (0, 0)
    base = P
    while n > 0:
        n, low_bit = divmod(n, 2)
        if low_bit == 1:
            acc = add_curve(acc, base, K)
        # The base is doubled every round, including the last one.
        base = add_curve(base, base, K)
    return acc

def AES_encrypt(k):
    """Encrypt the module-level ``FLAG`` with AES-128-CBC under a key derived from ``k``.

    The key is the first 16 bytes of SHA-256 over the decimal string of
    ``k``, so the ciphertext is exactly as secret as ``k`` itself. A fresh
    random IV is generated per call. CBC provides no integrity protection.

    Returns:
        dict with hex strings under the keys ``"iv"`` and ``"cipher"``.
    """
    digest = hashlib.sha256(str(k).encode()).digest()
    iv = os.urandom(16)
    encryptor = AES.new(digest[:16], AES.MODE_CBC, iv)
    ciphertext = encryptor.encrypt(pad(FLAG, 16))
    return {"iv": iv.hex(), "cipher": ciphertext.hex()}

# Stage 1: parameters (a, d, p1) for the custom group law in add_curve.
a = 46
d = 20
p1 = 826100030683243954408990060837
K1 = (a, d, p1)
G1 = (560766116033078013304693968735, 756416322956623525864568772142)
# The secret integers c and b are used as scalars; only c*G1 and b*G1 are printed.
P1 = mul_curve(c, G1, K1)
Q1 = mul_curve(b, G1, K1)
print("P1 =", P1)
print("Q1 =", Q1)
# P1 = (528578510004630596855654721810, 639541632629313772609548040620)
# Q1 = (819520958411405887240280598475, 76906957256966244725924513645)

# Stage 2: the same secrets become the coefficients of y^2 = x^3 - c*x + b
# over GF(p), where p is a 30-digit prime.
p = 770311352827455849356512448287
E = EllipticCurve(GF(p), [-c, b])
G = E.gens()[0]
# `key` is both the scalar in P = key*G and the input to the AES key derivation.
P = G * key
data = AES_encrypt(key)
print("G =", G)
print("P =", P)
print("data =",data)
# G = (584273268656071313022845392380 : 105970580903682721429154563816 : 1)
# P = (401055814681171318348566474726 : 293186309252428491012795616690 : 1)
# data = {'iv': 'bae1b42f174443d009c8d3a1576f07d6', 'cipher': 'ff34da7a65854ed75342fd4ad178bf577bd622df9850a24fd63e1da557b4b8a4'}

主要分两部分,b和c可以用爆破解决

exp:

a = 46
d = 20
p1 = 826100030683243954408990060837
K1 = (a, d, p1)
G1 = (560766116033078013304693968735, 756416322956623525864568772142)
P1 = (528578510004630596855654721810, 639541632629313772609548040620)
Q1 = (819520958411405887240280598475, 76906957256966244725924513645)

def add_curve(P, Q, K):
    """Add two affine points under the challenge's custom group law.

    ``K`` is the parameter triple ``(a, d, p)`` and all arithmetic is modulo
    ``p``. The pair ``(0, 0)`` acts as the neutral element: when either
    operand equals it, the other operand is returned unchanged.

    Raises:
        ValueError: from ``pow(..., -1, p)`` when ``1 - d*x1^2*x2^2`` has no
            inverse modulo ``p``.
    """
    a, d, p = K
    neutral = (0, 0)
    if P == neutral:
        return Q
    if Q == neutral:
        return P
    (x1, y1), (x2, y2) = P, Q
    # d * x1^2 * x2^2 appears in both numerators and both denominators.
    cross = d * x1 ** 2 * x2 ** 2
    x_num = x1 * y2 + y1 * x2
    y_num = (y1 * y2 + 2 * a * x1 * x2) * (1 + cross) + 2 * d * x1 * x2 * (x1 ** 2 + x2 ** 2)
    x3 = x_num * pow(1 - cross, -1, p) % p
    y3 = y_num * pow((1 - cross) ** 2, -1, p) % p
    return x3, y3

def mul_curve(n, P, K):
    """Compute ``n * P`` by binary double-and-add using ``add_curve``.

    Starts from the neutral element ``(0, 0)`` and consumes ``n`` from the
    least-significant bit upward. For ``n <= 0`` the loop never runs and
    ``(0, 0)`` is returned.
    """
    acc = (0, 0)
    base = P
    while n > 0:
        n, low_bit = divmod(n, 2)
        if low_bit == 1:
            acc = add_curve(acc, base, K)
        # The base is doubled every round, including the last one.
        base = add_curve(base, base, K)
    return acc
def solve(P1,Q1,G1,K1):
    """Search the scalars in ``[1, 1000000)`` for ``c`` and ``b`` with ``c*G1 == P1`` and ``b*G1 == Q1``.

    Returns:
        ``(b, c)`` for the first match of each, or ``(None, None)`` when the
        range is exhausted. This works here only because the challenge's
        secret scalars are tiny.
    """
    for c in range(1, 1000000):
        if mul_curve(c, G1, K1) != P1:
            continue
        # c is found; scan the same range for b.
        for b in range(1, 1000000):
            if mul_curve(b, G1, K1) == Q1:
                return b, c
    return None, None
b,c=solve(P1, Q1, G1, K1)
print(b)
print(c)

得出来b=98,c=35
然后就是算k

# Rebuild the challenge curve y^2 = x^3 - c*x + b with the recovered c = 35, b = 98.
p = 770311352827455849356512448287
E = EllipticCurve(GF(p), [-35, 98])
# G and P are the affine coordinates printed by the challenge.
G = E(584273268656071313022845392380, 105970580903682721429154563816)
P = E(401055814681171318348566474726, 293186309252428491012795616690)
# P.log(G) asks Sage for the scalar k with P = k*G; p is only a 30-digit prime.
print(P.log(G))

k=2951856998192356,然后aes

import hashlib
from Crypto.Util.number import *
from Crypto.Cipher import AES
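k = 2951856998192356
# Same derivation as the challenge's AES_encrypt: first 16 bytes of SHA-256 over str(k).
key = hashlib.sha256(str(k).encode()).digest()[:16]
# Decode the published hex strings directly. Going through an integer and
# long_to_bytes() drops leading zero bytes, which would give an IV or
# ciphertext of the wrong length whenever the value starts with 0x00.
iv = bytes.fromhex('bae1b42f174443d009c8d3a1576f07d6')
ciphertest = bytes.fromhex('ff34da7a65854ed75342fd4ad178bf577bd622df9850a24fd63e1da557b4b8a4')
cipher = AES.new(key, AES.MODE_CBC, iv)
ciphertest = cipher.decrypt(ciphertest)
# The padding added by pad(FLAG, 16) is not removed, so the output ends with the pad byte(s).
print(ciphertest)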

b’DASCTF{THe_C0rv!_1s_Aw3s0me@!!}\x01’

基础知识:

https://www.hyperelliptic.org/EFD/g1p/auto-twistedhessian.html
https://yunru-volknet.github.io/posts/2024羊城杯/
2024羊城杯的一道题

题目:

from Crypto.Util.number import *
from secret import flag


def add_THcurve(P, Q):
    """Add two affine points with the challenge's addition formulas.

    Reads the module-level parameters ``a`` and ``p``. The pair ``(0, 0)``
    is treated as the neutral element: when either operand equals it, the
    other operand is returned unchanged.

    Raises:
        ValueError: from ``pow(..., -1, p)`` when ``a*x1*y1*x2^2 - y2`` has
            no inverse modulo ``p``.
    """
    origin = (0, 0)
    if P == origin:
        return Q
    if Q == origin:
        return P
    (x1, y1), (x2, y2) = P, Q
    # Both coordinates share the same denominator.
    denom_inv = pow(a * x1 * y1 * x2 ** 2 - y2, -1, p)
    x3 = (x1 - y1 ** 2 * x2 * y2) * denom_inv % p
    y3 = (y1 * y2 ** 2 - a * x1 ** 2 * x2) * denom_inv % p
    return x3, y3


def mul_THcurve(n, P):
    """Compute ``n * P`` by binary double-and-add using ``add_THcurve``.

    Starts from ``(0, 0)`` and consumes ``n`` from the least-significant bit
    upward; for ``n <= 0`` the loop never runs and ``(0, 0)`` is returned.
    """
    acc = (0, 0)
    base = P
    while n > 0:
        n, low_bit = divmod(n, 2)
        if low_bit == 1:
            acc = add_THcurve(acc, base)
        # The base is doubled every round, including the last one.
        base = add_THcurve(base, base)
    return acc


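# Parameters read by add_THcurve: modulus p and coefficient a, plus the base point G.
p = 10297529403524403127640670200603184608844065065952536889
a = 2
G = (8879931045098533901543131944615620692971716807984752065, 4106024239449946134453673742202491320614591684229547464)

# Remove the wrapper by prefix/suffix. bytes.lstrip()/rstrip() take a *set* of
# byte values, so lstrip(b'DASCTF{') would also eat any leading D, A, S, C,
# T, F or '{' bytes of the flag body itself.
FLAG = flag
if FLAG.startswith(b'DASCTF{'):
    FLAG = FLAG[len(b'DASCTF{'):]
if FLAG.endswith(b'}'):
    FLAG = FLAG[:-1]
assert len(FLAG) == 15
# The 15-byte body is used directly as the scalar, so it must be below p.
m = bytes_to_long(FLAG)
assert m < p
Q = mul_THcurve(m, G)
print("Q =", Q)
# Q = (6784278627340957151283066249316785477882888190582875173, 6078603759966354224428976716568980670702790051879661797)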

exp:

结合一下名字 Twisted Hessian curves 搜一下就知道满足啥条件了.
$a x^3 + y^3 + 1 = d x y$
化简出d来
$d = \dfrac{a \cdot Q[0]^3 + Q[1]^3 + 1}{Q[0] \cdot Q[1]} \bmod p$
别忘了mod p,这里Q[0]就是x,Q[1]就是y。
换元
$x = X/Z$
$y = Y/Z$
齐次化,归一化
$a X^3 + Y^3 + Z^3 = d X Y Z$
参数 morphism=True 表示生成椭圆曲线时会自动生成一个从原始曲线到椭圆曲线的同态映射
用上week_txt3的part2解这个椭圆曲线方程

from Crypto.Util.number import *
# Public values from the challenge: modulus p, coefficient a, base point P (called G there) and Q = m*G.
p = 10297529403524403127640670200603184608844065065952536889
a = 2
P = (8879931045098533901543131944615620692971716807984752065, 4106024239449946134453673742202491320614591684229547464)
Q = (6784278627340957151283066249316785477882888190582875173, 6078603759966354224428976716568980670702790051879661797)
# Q lies on a*x^3 + y^3 + 1 = d*x*y, so d follows from its coordinates modulo p.
d=(a * Q[0] ** 3 + Q[1] ** 3 + 1) * inverse(Q[0] * Q[1], p) % p
R.<x,y,z>=Zmod(p)[]
# Homogenised cubic; the literal 2 is the coefficient a.
cubic = 2*x^3+y^3+z^3-d*x*y*z
# With morphism=True, E is the map from the cubic to a Weierstrass curve, so
# E(Q) and E(P) below are the images of the two points under that map.
E=EllipticCurve_from_cubic(cubic,morphism=True)
Q=E(Q)
P=E(P)
# n is the order of the mapped base point; f() factors it.
n=P.order()
def f(n,P,Q):
    """Solve ``Q = k*P`` piecewise over the prime-power factors of ``n`` and combine with CRT.

    The largest prime-power factor is dropped (``[:-1]``), so the result is
    ``k`` modulo the product of the remaining factors only. That equals
    ``k`` itself only when ``k`` is smaller than that product.
    """
    base_primes, exps = zip(*factor(n))
    primes = [q ^ k for q, k in zip(base_primes, exps)][:-1]
    print(primes)
    dlogs = []
    for fac in primes:
        # Multiplying by the cofactor t moves both points into the subgroup of order fac.
        t = int(int(P.order()) // int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs.append(dlog)
        # Report the discrete logarithm found for this prime-power factor.
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog))
    return crt(dlogs,primes)
num2=f(n,P,Q)
print(long_to_bytes(num2))

factor: 9, Discrete Log: 3
factor: 49, Discrete Log: 0
factor: 11, Discrete Log: 0
factor: 19, Discrete Log: 7
factor: 29, Discrete Log: 8
factor: 1361, Discrete Log: 225
factor: 6421, Discrete Log: 3560
factor: 3376343, Discrete Log: 837823
factor: 1815576031, Discrete Log: 1495286767
factor: 295369272787, Discrete Log: 292393302300
b’e@sy_cuRvL_c0o!’

拆分题目

part1:

def ECC1(num):
    # Part 1 of the challenge (Python 2 / Sage syntax): hides `num` as the
    # scalar in Q = num*P on y^2 = x^3 + A*x + B over GF(p).
    # p is an 18-digit prime; the write-up recovers num with a plain discrete_log call.
    p = 146808027458411567
    A = 46056180
    B = 2316783294673
    E = EllipticCurve(GF(p),[A,B])
    # The base point is random per run, so P must be published with Q.
    P = E.random_point()
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

数比较小,直接出,典型已知qp求k.

from Crypto.Util.number import *
from sage.all import *
# Curve and points exactly as printed by ECC1.
p = 146808027458411567
a = 46056180
b = 2316783294673
E = EllipticCurve(GF(p),(a,b))
P = E(119851377153561800,50725039619018388)
Q = E(22306318711744209,111808951703508717)

num1 = discrete_log(Q,P,operation = '+')# find num1 with Q = num1*P
# Generic way to recover the private scalar; note that the operation must be set to addition here.
print(long_to_bytes(num1))

b’025ab3d’

part2:

def ECC2(num):
    # Part 2 of the challenge (Python 2 / Sage syntax): hides `num` as the
    # scalar in Q = num*P, then solves its own discrete logarithm factor by
    # factor and prints the result next to `num`.
    p = 1256438680873352167711863680253958927079458741172412327087203
    #import random
    #A = random.randrange(389718923781273978681723687163812)
    #B = random.randrange(816378675675716537126387613131232121431231)
    A = 377999945830334462584412960368612
    B = 604811648267717218711247799143415167229480
    E = EllipticCurve(GF(p),[A,B])
    P = E.random_point()
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q
    # Prime-power factors of the curve order; [:-1] drops the largest one.
    factors, exponents = zip(*factor(E.order()))
    primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
    print primes
    dlogs = []
    for fac in primes:
        # Cofactor that maps P and Q into the subgroup of order fac. Under
        # Python 2 this `/` on ints is floor division; the write-up's
        # Python 3 port uses `//` instead.
        t = int(int(P.order()) / int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs += [dlog]
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
    # Prints the secret and the CRT combination of the per-factor logarithms.
    print num
    print crt(dlogs,primes)
主要定义了一个加密方法,并对阶的每个质因子分别计算离散对数,这里用的是 discrete_log(t*Q, t*P, operation="+"),在txt1的基础知识的第一个帖子有这个,即 Pohlig-Hellman 算法
https://blog.csdn.net/oampamp1/article/details/104061969
贴一下吧,这个讲的更清楚一些。
https://www.codercto.com/a/26932.html

from Crypto.Util.number import *
p = 1256438680873352167711863680253958927079458741172412327087203
a = 377999945830334462584412960368612
b = 604811648267717218711247799143415167229480
E = EllipticCurve(GF(p),(a,b))
P=E(550637390822762334900354060650869238926454800955557622817950 ,700751312208881169841494663466728684704743091638451132521079)
Q=E(1152079922659509908913443110457333432642379532625238229329830 ,819973744403969324837069647827669815566569448190043645544592)
n=E.order()
def f(n,P,Q):
    """Solve ``Q = k*P`` piecewise over the prime-power factors of ``n`` and combine with CRT.

    The largest prime-power factor is dropped (``[:-1]``), so the result is
    ``k`` modulo the product of the remaining factors only. That equals
    ``k`` itself only when ``k`` is smaller than that product.
    """
    base_primes, exps = zip(*factor(n))
    primes = [q ^ k for q, k in zip(base_primes, exps)][:-1]
    print(primes)
    dlogs = []
    for fac in primes:
        # Multiplying by the cofactor t moves both points into the subgroup of order fac.
        t = int(int(P.order()) // int(fac))
        dlog = discrete_log(t*Q,t*P,operation="+")
        dlogs.append(dlog)
        # Report the discrete logarithm found for this prime-power factor.
        print("factor: "+str(fac)+", Discrete Log: "+str(dlog))
    return crt(dlogs,primes)
num2=f(n,P,Q)
print(long_to_bytes(num2))

b’9-2521-’
直接copy过去,把 / 改成 //,但不知道为什么在shell里的sage跑不出来,显示discrete_log有问题

part3:

def ECC3(num):
    # Part 3 of the challenge (Python 2 / Sage syntax): hides `num` as the
    # scalar in Q = num*P on y^2 = x^3 + A*x + B over GF(p).
    # The write-up reports that a point on this curve has order equal to p
    # and applies Smart's attack; a curve whose order equals the field
    # prime should be rejected when parameters are chosen.
    p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
    A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
    B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
    E = EllipticCurve(GF(p),[A,B])
    # The base point is random per run, so P must be published with Q.
    P = E.random_point()
    Q = num*P
    print E
    print 'P:',P
    print 'Q:',Q

在椭圆曲线上,阶是指椭圆曲线上所有点的数量

p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P = E.random_point()
print(P.order())
#11093300438765357787693823122068501933326829181518693650897090781749379503427651954028543076247583697669597230934286751428880673539155279232304301123931419

发现点的阶与p一样(即曲线的阶等于p,是 anomalous 曲线),这里有个现成的攻击方法 Smart's attack

p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P = E(10121571443191913072732572831490534620810835306892634555532657696255506898960536955568544782337611042739846570602400973952350443413585203452769205144937861,8425218582467077730409837945083571362745388328043930511865174847436798990397124804357982565055918658197831123970115905304092351218676660067914209199149610)
Q = E(964864009142237137341389653756165935542611153576641370639729304570649749004810980672415306977194223081235401355646820597987366171212332294914445469010927,5162185780511783278449342529269970453734248460302908455520831950343371147566682530583160574217543701164101226640565768860451999819324219344705421407572537)
def SmartAttack(P,Q,p):
    """Return the scalar ``k`` with ``Q = k*P`` by lifting both points to the p-adics.

    The write-up uses this because the order of ``P`` equals ``p``.

    Args:
        P, Q: points on the same curve over GF(p).
        p: the field prime.

    Returns:
        ``k`` converted with ``ZZ``.
    """
    E = P.curve()
    # Lift the curve to Qp with precision 2; each coefficient gets a random multiple of p added.
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    # Among the lifts sharing P's x-coordinate, keep the one whose y reduces to P's y.
    # NOTE(review): if none matches, the loop variable just keeps the last candidate; there is no failure check.
    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    # Same selection for Q.
    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    # Multiply both lifted points by p.
    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    # -(x/y) of each multiple; the ratio of the two values is the scalar.
    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)
num3 = SmartAttack(P, Q, p)
print(long_to_bytes(num3))

b’4a81-9957-8c3381622434’
应该是这个攻击方法的原文链接https://crypto.stackexchange.com/questions/70454/why-smarts-attack-doesnt-work-on-this-ecdlp

基础知识

环的基本定义

一个环 ( R ) 是一个集合,并且上面定义了两种运算,分别是加法和乘法,且满足以下条件:

  1. 加法封闭性:对于集合中的任意两个元素 ( a ) 和 ( b ),它们的和 ( a + b ) 也在这个集合中。
  2. 加法结合律:对于任意的 ( a, b, c \in R ),有 ( (a + b) + c = a + (b + c) )。
  3. 加法单位元存在:存在一个元素 ( 0 \in R ),使得对于任何 ( a \in R ),都有 ( a + 0 = a )。
  4. 加法逆元存在:对于每个 ( a \in R ),存在一个元素 ( -a \in R ),使得 ( a + (-a) = 0 )。
  5. 乘法封闭性:对于集合中的任意两个元素 ( a ) 和 ( b ),它们的积 ( a \times b ) 也在这个集合中。
  6. 乘法结合律:对于任意的 ( a, b, c \in R ),有 ( (a \times b) \times c = a \times (b \times c) )。
  7. 分配律:乘法对加法分配,即对所有 ( a, b, c \in R ) 都有:
    • ( a \times (b + c) = a \times b + a \times c )
    • ( (a + b) \times c = a \times c + b \times c )
多项式环

多项式环 是指多项式组成的环。形式上,假设我们有一个环 ( R ),那么多项式环 ( R[x] ) 就是由变量 ( x ) 和系数来自环 ( R ) 组成的所有多项式的集合。

具体来说,一个多项式是形如:
$$f(x) = a_n x^n + a_{n-1} x^{n-1} + \dots + a_1 x + a_0$$
其中,$a_i \in R$(系数来自环 $R$),而 $x$ 是变量,$n$ 是多项式的次数。

题目

from Crypto.Util.number import *
from gmpy2 import *
from random import *
from secrets import flag

# A 42-byte flag is 336 bits, so as an integer it is smaller than the 600-bit prime p.
assert len(flag)==42
p=getPrime(600)
# The flag itself is the curve coefficient a; b is random.
a=bytes_to_long(flag)
b=randrange(2,p-1)
E=EllipticCurve(GF(p),[a,b]) # elliptic curve with coefficients a, b over the integers modulo p
G=E.random_element()

# Keep the coordinates of G and of 2*G; only the two x-coordinates are printed.
x1,y1,_=G
G=2*G
x2,y2,_=G

# Published: p, b, x(G), x(2G). With those, the doubling formula leaves a as the only unknown.
print(f"p = {p}")
print(f"b = {b}")
print(f"x1 = {x1}")
print(f"x2 = {x2}")
'''
p = 3660057339895840489386133099442699911046732928957592389841707990239494988668972633881890332850396642253648817739844121432749159024098337289268574006090698602263783482687565322890623
b = 1515231655397326550194746635613443276271228200149130229724363232017068662367771757907474495021697632810542820366098372870766155947779533427141016826904160784021630942035315049381147
x1 = 2157670468952062330453195482606118809236127827872293893648601570707609637499023981195730090033076249237356704253400517059411180554022652893726903447990650895219926989469443306189740
x2 = 1991876990606943816638852425122739062927245775025232944491452039354255349384430261036766896859410449488871048192397922549895939187691682643754284061389348874990018070631239671589727
'''

了解ecc加密方式,题目里的x2,y2是2G,是加密后的x3 y3
当 $P = Q$(倍点)时,斜率 $k \equiv \dfrac{3x_1^2+a}{2y_1} \pmod p$
代入
$y_1^2 \equiv x_1^3 + a x_1 + b \pmod p$
$x_3 \equiv k^2 - x_1 - x_2 \pmod p \;\rightarrow\; x_2 \equiv k^2 - 2x_1 \pmod p$
$y_3 \equiv k(x_1 - x_3) - y_1 \pmod p$
$k^2 \equiv \left(\dfrac{3x_1^2+a}{2y_1}\right)^2 \pmod p$
$y_1^2 \equiv \left(\dfrac{3x_1^2+a}{2k}\right)^2 \pmod p$
$(3x_1^2+a)^2 \equiv 4k^2\,(x_1^3 + a x_1 + b) \pmod p$
然后设a解一个方程

exp

from Crypto.Util.number import *

p = 3660057339895840489386133099442699911046732928957592389841707990239494988668972633881890332850396642253648817739844121432749159024098337289268574006090698602263783482687565322890623
b = 1515231655397326550194746635613443276271228200149130229724363232017068662367771757907474495021697632810542820366098372870766155947779533427141016826904160784021630942035315049381147
x1 = 2157670468952062330453195482606118809236127827872293893648601570707609637499023981195730090033076249237356704253400517059411180554022652893726903447990650895219926989469443306189740
x2 = 1991876990606943816638852425122739062927245775025232944491452039354255349384430261036766896859410449488871048192397922549895939187691682643754284061389348874990018070631239671589727
# k_2 stands for k^2: the doubling formula gives x2 = k^2 - 2*x1.
k_2 = x2 + 2*x1
R.<a> = PolynomialRing(Zmod(p), implementation='NTL')# author's note: preferred way to write this from now on
# (3*x1^2 + a)^2 = 4*k^2*(x1^3 + a*x1 + b) rearranged into a polynomial in the unknown a.
f = 4*k_2*(x1^3+a*x1+b)-(3*x1^2+a)^2
f = f.monic()
x=f.roots()
# Every root is a candidate for a; print each one as bytes and pick the readable one.
for each in x:
    m = int(each[0])
    print(long_to_bytes(m))

b’8\xb0e\xd9[\x1c\xe9\x123\xed\xc8\x89_f\xcc\xd7}$\xe3\x04\xd3\x1fx6P\xdc\t\xa9\xb5@8\xf5\x87Q\xb28\xd9T\x1c\xa2[7\xd6\xe0\xe9Y\xa7\xf0\x8dr\x02\x98t\x85\xa2\xac\x0c<\xcf\xa2\xf4k\xab\x8ca\x96\x93\x11V\x81\x93\xd3\xca’
b’flag{fa76cfb1-0052-4416-914d-91517bcebd52}

基础知识

https://www.cnblogs.com/ink599/p/18666435
【【ECC加密算法】| ECC加密原理详解| 椭圆曲线加密| 密码学| 信息安全】https://www.bilibili.com/video/BV1v44y1b7Fd?vd_source=ff68aa66b51da907e9343d02f7f03e91
大概了解了一下基础知识,第一个就是概念题


题目

from Crypto.Util.number import getPrime
from libnum import s2n
from secret import flag

# Independent 256-bit primes for the field and both coefficients. a or b may
# exceed p; in the run shown on this page the printed E has a constant term
# different from b, i.e. b was reduced modulo p.
p = getPrime(256)
a = getPrime(256)
b = getPrime(256)
E = EllipticCurve(GF(p),[a,b])
# m is a random point whose coordinates later scale the two flag halves.
m = E.random_point()
G = E.random_point()
# ElGamal-style key pair: private scalar k, public point K = k*G.
k = getPrime(256)
K = k * G
# Ephemeral scalar r; the ciphertext pair is (c1, c2) = (m + r*K, r*G).
r = getPrime(256)
c1 = m + r * K
c2 = r * G
# m[0] and m[1] are the coordinates of m; presumably the products are reduced in GF(p) -- TODO confirm.
cipher_left = s2n(flag[:len(flag)//2]) * m[0]
cipher_right = s2n(flag[len(flag)//2:]) * m[1]

print(f"p = {p}")
print(f"a = {a}")
print(f"b = {b}")
# NOTE(review): k is the private scalar. Publishing it with c1 and c2 lets any reader compute c1 - k*c2 = m.
print(f"k = {k}")
print(f"E = {E}")
print(f"c1 = {c1}")
print(f"c2 = {c2}")
print(f"cipher_left = {cipher_left}")
print(f"cipher_right = {cipher_right}")

'''
p = 74997021559434065975272431626618720725838473091721936616560359000648651891507
a = 61739043730332859978236469007948666997510544212362386629062032094925353519657
b = 87821782818477817609882526316479721490919815013668096771992360002467657827319
k = 93653874272176107584459982058527081604083871182797816204772644509623271061231
E = Elliptic Curve defined by y^2 = x^3 + 61739043730332859978236469007948666997510544212362386629062032094925353519657*x + 12824761259043751634610094689861000765081341921946160155432001001819005935812 over Finite Field of size 74997021559434065975272431626618720725838473091721936616560359000648651891507
c1 = (14455613666211899576018835165132438102011988264607146511938249744871964946084 : 25506582570581289714612640493258299813803157561796247330693768146763035791942 : 1)
c2 = (37554871162619456709183509122673929636457622251880199235054734523782483869931 : 71392055540616736539267960989304287083629288530398474590782366384873814477806 : 1)
cipher_left = 68208062402162616009217039034331142786282678107650228761709584478779998734710
cipher_right = 27453988545002384546706933590432585006240439443312571008791835203660152890619
'''

exp

from Crypto.Util.number import *
from sage.all import *


p = 74997021559434065975272431626618720725838473091721936616560359000648651891507
a = 61739043730332859978236469007948666997510544212362386629062032094925353519657
b = 87821782818477817609882526316479721490919815013668096771992360002467657827319
k = 93653874272176107584459982058527081604083871182797816204772644509623271061231
E = EllipticCurve(GF(p),[a,b])
c1 = E(14455613666211899576018835165132438102011988264607146511938249744871964946084 ,25506582570581289714612640493258299813803157561796247330693768146763035791942,1)
c2 = E(37554871162619456709183509122673929636457622251880199235054734523782483869931 , 71392055540616736539267960989304287083629288530398474590782366384873814477806,1)
cipher_left = 68208062402162616009217039034331142786282678107650228761709584478779998734710
cipher_right = 27453988545002384546706933590432585006240439443312571008791835203660152890619
# ElGamal-style decryption with the published k: c1 - k*c2 = (m + r*K) - k*(r*G) = m.
m=c1-k*c2
# m[0] and m[1] are the coordinates of m; `//` presumably acts as division in GF(p) here -- TODO confirm in Sage.
left=cipher_left//m[0]
right=cipher_right//m[1]
# Concatenate the two recovered halves of the flag.
print(long_to_bytes(int(left))+long_to_bytes(int(right)))

题目:

from secret import flag
from Crypto.Util.number import*
from gmpy2 import*

flag = b'D0g3xGC{****************}'

def gen_key(p, q):
    """Build the challenge's RSA-like key from the primes ``p`` and ``q``.

    The modulus ``N = p*p*q`` doubles as the public exponent. The private
    exponent is the inverse of ``N`` modulo ``(p-1)*(q-1)``, i.e. modulo
    phi(p*q), not phi(N).

    Returns:
        ``(N, d, e)`` with ``e == N``.
    """
    modulus = p * p * q
    phi_pq = (p - 1) * (q - 1)
    d = inverse(modulus, phi_pq)
    return modulus, d, modulus

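p = getPrime(512)
q = getPrime(512)

# gen_key returns the modulus N = p*p*q, the private exponent d, and e (equal to N).
N,d,e = gen_key(p,q)

# powmod comes from `from gmpy2 import*`. That import does not bind the name
# `gmpy2`, so the qualified call `gmpy2.powmod` would raise NameError.
c = powmod(bytes_to_long(flag),e,N)

# NOTE(review): d is the private exponent and is printed together with N and c.
print(N)
print(d)
print(c)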

payload:

import gmpy2
import libnum
import math

from Crypto.Util.number import long_to_bytes

n = 539403894871945779827202174061302970341082455928364137444962844359039924160163196863639732747261316352083923762760392277536591121706270680734175544093484423564223679628430671167864783270170316881238613070741410367403388936640139281272357761773388084534717028640788227350254140821128908338938211038299089224967666902522698905762169859839320277939509727532793553875254243396522340305880944219886874086251872580220405893975158782585205038779055706441633392356197489
d = 58169755386408729394668831947856757060407423126014928705447058468355548861569452522734305188388017764321018770435192767746145932739423507387500606563617116764196418533748380893094448060562081543927295828007016873588530479985728135015510171217414380395169021607415979109815455365309760152218352878885075237009
c = 82363935080688828403687816407414245190197520763274791336321809938555352729292372511750720874636733170318783864904860402219217916275532026726988967173244517058861515301795651235356589935260088896862597321759820481288634232602161279508285376396160040216717452399727353343286840178630019331762024227868572613111538565515895048015318352044475799556833174329418774012639769680007774968870455333386419199820213165698948819857171366903857477182306178673924861370469175

# n here is the published modulus N = p^2*q. 2^(N*d) - 2 is a multiple of p*q,
# so its gcd with N yields p*q (see the derivation that follows).
pq = gmpy2.gcd(pow(2,d*n,n)-2,n)
# d inverts e modulo (p-1)*(q-1), so decryption is done modulo p*q.
m = pow(c,d,pq)
print(long_to_bytes(m))

推导 :

$e = N = p^2 q$
$e d = 1 + k(p-1)(q-1)$
$a^{p^2 q d - 1} \equiv 1 \pmod n$(其中 $n = pq$,且 $\gcd(a, n) = 1$)
$a^{p^2 q d} - a = k n$
显然2不为n的倍数,故令 $a=2$
$2^{N d} - 2 = k n$
$n = \gcd(2^{N d} - 2, N)$


libnum.n2s出不来flag
但如果用

from gmpy2 import*
from libnum import*
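# The `...` placeholders stand for the values and arguments of the payload script.
n=...
d=...
c=...
pq=gcd(...)
m = pow(...)
# n2s is called directly; the original `n2s.(m)` is a syntax error.
print(n2s(m))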

就能出

看出来是广播攻击了,顺便去看了眼中国剩余定理,这个e太大,没办法最后开方
大概思路是枚举找到存在有共同的公因数,作为q or p,然后正常的rsa解密。

import libnum
import gmpy2
from Crypto.Util.number import long_to_bytes

e=65537
n0 = 20474918894051778533305262345601880928088284471121823754049725354072477155873778848055073843345820697886641086842612486541250183965966001591342031562953561793332341641334302847996108417466360688139866505179689516589305636902137210185624650854906780037204412206309949199080005576922775773722438863762117750429327585792093447423980002401200613302943834212820909269713876683465817369158585822294675056978970612202885426436071950214538262921077409076160417436699836138801162621314845608796870206834704116707763169847387223307828908570944984416973019427529790029089766264949078038669523465243837675263858062854739083634207
c0 = 974463908243330865728978769213595400782053398596897741316275722596415018912929508637393850919224969271766388710025195039896961956062895570062146947736340342927974992616678893372744261954172873490878805483241196345881721164078651156067119957816422768524442025688079462656755605982104174001635345874022133045402344010045961111720151990412034477755851802769069309069018738541854130183692204758761427121279982002993939745343695671900015296790637464880337375511536424796890996526681200633086841036320395847725935744757993013352804650575068136129295591306569213300156333650910795946800820067494143364885842896291126137320

n1 = 20918819960648891349438263046954902210959146407860980742165930253781318759285692492511475263234242002509419079545644051755251311392635763412553499744506421566074721268822337321637265942226790343839856182100575539845358877493718334237585821263388181126545189723429262149630651289446553402190531135520836104217160268349688525168375213462570213612845898989694324269410202496871688649978370284661017399056903931840656757330859626183773396574056413017367606446540199973155630466239453637232936904063706551160650295031273385619470740593510267285957905801566362502262757750629162937373721291789527659531499435235261620309759
c1 = 15819636201971185538694880505120469332582151856714070824521803121848292387556864177196229718923770810072104155432038682511434979353089791861087415144087855679134383396897817458726543883093567600325204596156649305930352575274039425470836355002691145864435755333821133969266951545158052745938252574301327696822347115053614052423028835532509220641378760800693351542633860702225772638930501021571415907348128269681224178300248272689705308911282208685459668200507057183420662959113956077584781737983254788703048275698921427029884282557468334399677849962342196140864403989162117738206246183665814938783122909930082802031855

n2 = 25033254625906757272369609119214202033162128625171246436639570615263949157363273213121556825878737923265290579551873824374870957467163989542063489416636713654642486717219231225074115269684119428086352535471683359486248203644461465935500517901513233739152882943010177276545128308412934555830087776128355125932914846459470221102007666912211992310538890654396487111705385730502843589727289829692152177134753098649781412247065660637826282055169991824099110916576856188876975621376606634258927784025787142263367152947108720757222446686415627479703666031871635656314282727051189190889008763055811680040315277078928068816491
c2 = 4185308529416874005831230781014092407198451385955677399668501833902623478395669279404883990725184332709152443372583701076198786635291739356770857286702107156730020004358955622511061410661058982622055199736820808203841446796305284394651714430918690389486920560834672316158146453183789412140939029029324756035358081754426645160033262924330248675216108270980157049705488620263485129480952814764002865280019185127662449318324279383277766416258142275143923532168798413011028271543085249029048997452212503111742302302065401051458066585395360468447460658672952851643547193822775218387853623453638025492389122204507555908862

n3 = 21206968097314131007183427944486801953583151151443627943113736996776787181111063957960698092696800555044199156765677935373149598221184792286812213294617749834607696302116136745662816658117055427803315230042700695125718401646810484873064775005221089174056824724922160855810527236751389605017579545235876864998419873065217294820244730785120525126565815560229001887622837549118168081685183371092395128598125004730268910276024806808565802081366898904032509920453785997056150497645234925528883879419642189109649009132381586673390027614766605038951015853086721168018787523459264932165046816881682774229243688581614306480751
c3 = 4521038011044758441891128468467233088493885750850588985708519911154778090597136126150289041893454126674468141393472662337350361712212694867311622970440707727941113263832357173141775855227973742571088974593476302084111770625764222838366277559560887042948859892138551472680654517814916609279748365580610712259856677740518477086531592233107175470068291903607505799432931989663707477017904611426213770238397005743730386080031955694158466558475599751940245039167629126576784024482348452868313417471542956778285567779435940267140679906686531862467627238401003459101637191297209422470388121802536569761414457618258343550613

n4 = 22822039733049388110936778173014765663663303811791283234361230649775805923902173438553927805407463106104699773994158375704033093471761387799852168337898526980521753614307899669015931387819927421875316304591521901592823814417756447695701045846773508629371397013053684553042185725059996791532391626429712416994990889693732805181947970071429309599614973772736556299404246424791660679253884940021728846906344198854779191951739719342908761330661910477119933428550774242910420952496929605686154799487839923424336353747442153571678064520763149793294360787821751703543288696726923909670396821551053048035619499706391118145067
c4 = 15406498580761780108625891878008526815145372096234083936681442225155097299264808624358826686906535594853622687379268969468433072388149786607395396424104318820879443743112358706546753935215756078345959375299650718555759698887852318017597503074317356745122514481807843745626429797861463012940172797612589031686718185390345389295851075279278516147076602270178540690147808314172798987497259330037810328523464851895621851859027823681655934104713689539848047163088666896473665500158179046196538210778897730209572708430067658411755959866033531700460551556380993982706171848970460224304996455600503982223448904878212849412357

n5 = 21574139855341432908474064784318462018475296809327285532337706940126942575349507668289214078026102682252713757703081553093108823214063791518482289846780197329821139507974763780260290309600884920811959842925540583967085670848765317877441480914852329276375776405689784571404635852204097622600656222714808541872252335877037561388406257181715278766652824786376262249274960467193961956690974853679795249158751078422296580367506219719738762159965958877806187461070689071290948181949561254144310776943334859775121650186245846031720507944987838489723127897223416802436021278671237227993686791944711422345000479751187704426369
c5 = 20366856150710305124583065375297661819795242238376485264951185336996083744604593418983336285185491197426018595031444652123288461491879021096028203694136683203441692987069563513026001861435722117985559909692670907347563594578265880806540396777223906955491026286843168637367593400342814725694366078337030937104035993569672959361347287894143027186846856772983058328919716702982222142848848117768499996617588305301483085428547267337070998767412540225911508196842253134355901263861121500650240296746702967594224401650220168780537141654489215019142122284308116284129004257364769474080721001708734051264841350424152506027932

n6 = 25360227412666612490102161131174584819240931803196448481224305250583841439581008528535930814167338381983764991296575637231916547647970573758269411168219302370541684789125112505021148506809643081950237623703181025696585998044695691322012183660424636496897073045557400768745943787342548267386564625462143150176113656264450210023925571945961405709276631990731602198104287528528055650050486159837612279600415259486306154947514005408907590083747758953115486124865486720633820559135063440942528031402951958557630833503775112010715604278114325528993771081233535247118481765852273252404963430792898948219539473312462979849137
c6 = 19892772524651452341027595619482734356243435671592398172680379981502759695784087900669089919987705675899945658648623800090272599154590123082189645021800958076861518397325439521139995652026377132368232502108620033400051346127757698623886142621793423225749240286511666556091787851683978017506983310073524398287279737680091787333547538239920607761080988243639547570818363788673249582783015475682109984715293163137324439862838574460108793714172603672477766831356411304446881998674779501188163600664488032943639694828698984739492200699684462748922883550002652913518229322945040819064133350314536378694523704793396169065179

n7 = 22726855244632356029159691753451822163331519237547639938779517751496498713174588935566576167329576494790219360727877166074136496129927296296996970048082870488804456564986667129388136556137013346228118981936899510687589585286517151323048293150257036847475424044378109168179412287889340596394755257704938006162677656581509375471102546261355748251869048003600520034656264521931808651038524134185732929570384705918563982065684145766427962502261522481994191989820110575981906998431553107525542001187655703534683231777988419268338249547641335718393312295800044734534761692799403469497954062897856299031257454735945867491191
c7 = 6040119795175856407541082360023532204614723858688636724822712717572759793960246341800308149739809871234313049629732934797569781053000686185666374833978403290525072598774001731350244744590772795701065129561898116576499984185920661271123665356132719193665474235596884239108030605882777868856122378222681140570519180321286976947154042272622411303981011302586225630859892731724640574658125478287115198406253847367979883768000812605395482952698689604477719478947595442185921480652637868335673233200662100621025061500895729605305665864693122952557361871523165300206070325660353095592778037767395360329231331322823610060006

n8 = 23297333791443053297363000786835336095252290818461950054542658327484507406594632785712767459958917943095522594228205423428207345128899745800927319147257669773812669542782839237744305180098276578841929496345963997512244219376701787616046235397139381894837435562662591060768476997333538748065294033141610502252325292801816812268934171361934399951548627267791401089703937389012586581080223313060159456238857080740699528666411303029934807011214953984169785844714159627792016926490955282697877141614638806397689306795328344778478692084754216753425842557818899467945102646776342655167655384224860504086083147841252232760941
c8 = 5418120301208378713115889465579964257871814114515046096090960159737859076829258516920361577853903925954198406843757303687557848302302200229295916902430205737843601806700738234756698575708612424928480440868739120075888681672062206529156566421276611107802917418993625029690627196813830326369874249777619239603300605876865967515719079797115910578653562787899019310139945904958024882417833736304894765433489476234575356755275147256577387022873348906900149634940747104513850154118106991137072643308620284663108283052245750945228995387803432128842152251549292698947407663643895853432650029352092018372834457054271102816934

n9 = 28873667904715682722987234293493200306976947898711255064125115933666968678742598858722431426218914462903521596341771131695619382266194233561677824357379805303885993804266436810606263022097900266975250431575654686915049693091467864820512767070713267708993899899011156106766178906700336111712803362113039613548672937053397875663144794018087017731949087794894903737682383916173267421403408140967713071026001874733487295007501068871044649170615709891451856792232315526696220161842742664778581287321318748202431466508948902745314372299799561625186955234673012098210919745879882268512656931714326782335211089576897310591491
c9 = 9919880463786836684987957979091527477471444996392375244075527841865509160181666543016317634963512437510324198702416322841377489417029572388474450075801462996825244657530286107428186354172836716502817609070590929769261932324275353289939302536440310628698349244872064005700644520223727670950787924296004296883032978941200883362653993351638545860207179022472492671256630427228461852668118035317021428675954874947015197745916918197725121122236369382741533983023462255913924692806249387449016629865823316402366017657844166919846683497851842388058283856219900535567427103603869955066193425501385255322097901531402103883869

n10 = 22324685947539653722499932469409607533065419157347813961958075689047690465266404384199483683908594787312445528159635527833904475801890381455653807265501217328757871352731293000303438205315816792663917579066674842307743845261771032363928568844669895768092515658328756229245837025261744260614860746997931503548788509983868038349720225305730985576293675269073709022350700836510054067641753713212999954307022524495885583361707378513742162566339010134354907863733205921845038918224463903789841881400814074587261720283879760122070901466517118265422863420376921536734845502100251460872499122236686832189549698020737176683019
c10 = 1491527050203294989882829248560395184804977277747126143103957219164624187528441047837351263580440686474767380464005540264627910126483129930668344095814547592115061057843470131498075060420395111008619027199037019925701236660166563068245683975787762804359520164701691690916482591026138582705558246869496162759780878437137960823000043988227303003876410503121370163303711603359430764539337597866862508451528158285103251810058741879687875218384160282506172706613359477657215420734816049393339593755489218588796607060261897905233453268671411610631047340459487937479511933450369462213795738933019001471803157607791738538467

n11 = 27646746423759020111007828653264027999257847645666129907789026054594393648800236117046769112762641778865620892443423100189619327585811384883515424918752749559627553637785037359639801125213256163008431942593727931931898199727552768626775618479833029101249692573716030706695702510982283555740851047022672485743432464647772882314215176114732257497240284164016914018689044557218920300262234652840632406067273375269301008409860193180822366735877288205783314326102263756503786736122321348320031950012144905869556204017430593656052867939493633163499580242224763404338807022510136217187779084917996171602737036564991036724299
c11 = 21991524128957260536043771284854920393105808126700128222125856775506885721971193109361315961129190814674647136464887087893990660894961612838205086401018885457667488911898654270235561980111174603323721280911197488286585269356849579263043456316319476495888696219344219866516861187654180509247881251251278919346267129904739277386289240394384575124331135655943513831009934023397457082184699737734388823763306805326430395849935770213817533387235486307008892410920611669932693018165569417445885810825749609388627231235840912644654685819620931663346297596334834498661789016450371769203650109994771872404185770230172934013971

n12 = 20545487405816928731738988374475012686827933709789784391855706835136270270933401203019329136937650878386117187776530639342572123237188053978622697282521473917978282830432161153221216194169879669541998840691383025487220850872075436064308499924958517979727954402965612196081404341651517326364041519250125036424822634354268773895465698920883439222996581226358595873993976604699830613932320720554130011671297944433515047180565484495191003887599891289037982010216357831078328159028953222056918189365840711588671093333013117454034313622855082795813122338562446223041211192277089225078324682108033843023903550172891959673551
c12 = 14227439188191029461250476692790539654619199888487319429114414557975376308688908028140817157205579804059783807641305577385724758530138514972962209062230576107406142402603484375626077345190883094097636019771377866339531511965136650567412363889183159616188449263752475328663245311059988337996047359263288837436305588848044572937759424466586870280512424336807064729894515840552404756879590698797046333336445465120445087587621743906624279621779634772378802959109714400516183718323267273824736540168545946444437586299214110424738159957388350785999348535171553569373088251552712391288365295267665691357719616011613628772175

n13 = 27359727711584277234897157724055852794019216845229798938655814269460046384353568138598567755392559653460949444557879120040796798142218939251844762461270251672399546774067275348291003962551964648742053215424620256999345448398805278592777049668281558312871773979931343097806878701114056030041506690476954254006592555275342579529625231194321357904668512121539514880704046969974898412095675082585315458267591016734924646294357666924293908418345508902112711075232047998775303603175363964055048589769318562104883659754974955561725694779754279606726358588862479198815999276839234952142017210593887371950645418417355912567987
c13 = 3788529784248255027081674540877016372807848222776887920453488878247137930578296797437647922494510483767651150492933356093288965943741570268943861987024276610712717409139946409513963043114463933146088430004237747163422802959250296602570649363016151581364006795894226599584708072582696996740518887606785460775851029814280359385763091078902301957226484620428513604630585131511167015763190591225884202772840456563643159507805711004113901417503751181050823638207803533111429510911616160851391754754434764819568054850823810901159821297849790005646102129354035735350124476838786661542089045509656910348676742844957008857457

n14 = 27545937603751737248785220891735796468973329738076209144079921449967292572349424539010502287564030116831261268197384650511043068738911429169730640135947800885987171539267214611907687570587001933829208655100828045651391618089603288456570334500533178695238407684702251252671579371018651675054368606282524673369983034682330578308769886456335818733827237294570476853673552685361689144261552895758266522393004116017849397346259119221063821663280935820440671825601452417487330105280889520007917979115568067161590058277418371493228631232457972494285014767469893647892888681433965857496916110704944758070268626897045014782837
c14 = 14069112970608895732417039977542732665796601893762401500878786871680645798754783315693511261740059725171342404186571066972546332813667711135661176659424619936101038903439144294886379322591635766682645179888058617577572409307484708171144488708410543462972008179994594087473935638026612679389759756811490524127195628741262871304427908481214992471182859308828778119005750928935764927967212343526503410515793717201360360437981322576798056276657140363332700714732224848346808963992302409037706094588964170239521193589470070839790404597252990818583717869140229811712295005710540476356743378906642267045723633874011649259842

n15 = 25746162075697911560263181791216433062574178572424600336856278176112733054431463253903433128232709054141607100891177804285813783247735063753406524678030561284491481221681954564804141454666928657549670266775659862814924386584148785453647316864935942772919140563506305666207816897601862713092809234429096584753263707828899780979223118181009293655563146526792388913462557306433664296966331469906428665127438829399703002867800269947855869262036714256550075520193125987011945192273531732276641728008406855871598678936585324782438668746810516660152018244253008092470066555687277138937298747951929576231036251316270602513451
c15 = 17344284860275489477491525819922855326792275128719709401292545608122859829827462088390044612234967551682879954301458425842831995513832410355328065562098763660326163262033200347338773439095709944202252494552172589503915965931524326523663289777583152664722241920800537867331030623906674081852296232306336271542832728410803631170229642717524942332390842467035143631504401140727083270732464237443915263865880580308776111219718961746378842924644142127243573824972533819479079381023103585862099063382129757560124074676150622288706094110075567706403442920696472627797607697962873026112240527498308535903232663939028587036724

n16 = 23288486934117120315036919418588136227028485494137930196323715336208849327833965693894670567217971727921243839129969128783853015760155446770590696037582684845937132790047363216362087277861336964760890214059732779383020349204803205725870225429985939570141508220041286857810048164696707018663758416807708910671477407366098883430811861933014973409390179948577712579749352299440310543689035651465399867908428885541237776143404376333442949397063249223702355051571790555151203866821867908531733788784978667478707672984539512431549558672467752712004519300318999208102076732501412589104904734983789895358753664077486894529499
c16 = 10738254418114076548071448844964046468141621740603214384986354189105236977071001429271560636428075970459890958274941762528116445171161040040833357876134689749846940052619392750394683504816081193432350669452446113285638982551762586656329109007214019944975816434827768882704630460001209452239162896576191876324662333153835533956600295255158377025198426950944040643235430211011063586032467724329735785947372051759042138171054165854842472990583800899984893232549092766400510300083585513014171220423103452292891496141806956300396540682381668367564569427813092064053993103537635994311143010708814851867239706492577203899024

n17 = 19591441383958529435598729113936346657001352578357909347657257239777540424811749817783061233235817916560689138344041497732749011519736303038986277394036718790971374656832741054547056417771501234494768509780369075443550907847298246275717420562375114406055733620258777905222169702036494045086017381084272496162770259955811174440490126514747876661317750649488774992348005044389081101686016446219264069971370646319546429782904810063020324704138495608761532563310699753322444871060383693044481932265801505819646998535192083036872551683405766123968487907648980900712118052346174533513978009131757167547595857552370586353973
c17 = 3834917098887202931981968704659119341624432294759361919553937551053499607440333234018189141970246302299385742548278589896033282894981200353270637127213483172182529890495903425649116755901631101665876301799865612717750360089085179142750664603454193642053016384714515855868368723508922271767190285521137785688075622832924829248362774476456232826885801046969384519549385428259591566716890844604696258783639390854153039329480726205147199247183621535172450825979047132495439603840806501254997167051142427157381799890725323765558803808030109468048682252028720241357478614704610089120810367192414352034177484688502364022887

n18 = 19254242571588430171308191757871261075358521158624745702744057556054652332495961196795369630484782930292003238730267396462491733557715379956969694238267908985251699834707734400775311452868924330866502429576951934279223234676654749272932769107390976321208605516299532560054081301829440688796904635446986081691156842271268059970762004259219036753174909942343204432795076377432107630203621754552804124408792358220071862369443201584155711893388877350138023238624566616551246804054720492816226651467017802504094070614892556444425915920269485861799532473383304622064493223627552558344088839860178294589481899206318863310603
c18 = 6790553533991297205804561991225493105312398825187682250780197510784765226429663284220400480563039341938599783346724051076211265663468643826430109013245014035811178295081939958687087477312867720289964506097819762095244479129359998867671811819738196687884696680463458661374310994610760009474264115750204920875527434486437536623589684519411519100170291423367424938566820315486507444202022408003879118465761273916755290898112991525546114191064022991329724370064632569903856189236177894007766690782630247443895358893983735822824243487181851098787271270256780891094405121947631088729917398317652320497765101790132679171889

n19 = 26809700251171279102974962949184411136459372267620535198421449833298448092580497485301953796619185339316064387798092220298630428207556482805739803420279056191194360049651767412572609187680508073074653291350998253938793269214230457117194434853888765303403385824786231859450351212449404870776320297419712486574804794325602760347306432927281716160368830187944940128907971027838510079519466846176106565164730963988892400240063089397720414921398936399927948235195085202171264728816184532651138221862240969655185596628285814057082448321749567943946273776184657698104465062749244327092588237927996419620170254423837876806659
# NOTE(review): c19 is far shorter than c0..c18 and may have been truncated
# when this page was captured. Confirm against the original challenge data.
c19 = 3862135566084340137698647271238794120419912715289905285485074512106926189866528704246

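# Collect the moduli and ciphertexts so they can be indexed in parallel.
n=[n0,n1,n2,n3,n4,n5,n6,n7,n8,n9,n10,n11,n12,n13,n14,n15,n16,n17,n18,n19]
c=[c0,c1,c2,c3,c4,c5,c6,c7,c8,c9,c10,c11,c12,c13,c14,c15,c16,c17,c18,c19]

# All keys share the same e. If two moduli share a prime, gcd(n[i], n[j]) is
# that prime and both moduli factor immediately. Moduli built from
# independently and properly generated primes are not expected to share one.
for i in range(len(n)):
    for j in range(len(n)):
        if i == j:
            continue
        # Compute the gcd once per pair instead of twice.
        q = gmpy2.gcd(n[i], n[j])
        # Skip coprime pairs. Also skip identical moduli: there the gcd is
        # n[i] itself, p would be 1 and (p-1)*(q-1) would be 0.
        if q == 1 or q == n[i]:
            continue
        p = n[i] // q
        d = gmpy2.invert(e, (p - 1) * (q - 1))
        m = pow(c[i], d, n[i])
        # int() hands libnum.n2s a plain int rather than the gmpy2 result.
        print(libnum.n2s(int(m)))  # print(long_to_bytes(m))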

结果是:
b'flag{abdcbe5fd94e23b3de429223ab9c2fdf}'

MISC

1 、2、3 ez_game系列




直接放进vscode审代码,观看逻辑三分钟做完


4 ezpicture


放进stegsolve,扫个二维码即可


5 mujica

首先foremost提取嘛
出来一个破损二维码图片和mujica图片,看起来就是长宽有问题

import zlib
import struct
import argparse
import itertools


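# Command-line interface: -f names the PNG file to inspect.
parser = argparse.ArgumentParser()
parser.add_argument("-f", type=str, default=None, required=True,
                    help="输入同级目录下图片的名称")
args = parser.parse_args()


# Read the whole file; the context manager closes the handle.
with open(args.f, 'rb') as png_file:
    bin_data = png_file.read()

# The fixed offsets below need at least 33 bytes: bytes 12..28 are the IHDR
# chunk type plus its 13 data bytes (width at 16..19, height at 20..23), and
# bytes 29..32 hold the stored CRC. A shorter file gets a clear message
# instead of an obscure conversion error.
if len(bin_data) < 33:
    raise SystemExit('文件太短,不是完整的PNG头')

crc32key = zlib.crc32(bin_data[12:29])  # CRC computed over the IHDR as stored
original_crc32 = int.from_bytes(bin_data[29:33], 'big')  # CRC recorded in the file


if crc32key == original_crc32:  # stored dimensions match the stored CRC
    print('宽高没有问题!')
else:
    input_ = input("宽高被改了, 是否CRC爆破宽高? (Y/n):")
    if input_ not in ["Y", "y", ""]:
        raise SystemExit
    chunk_type = bin_data[12:16]
    tail = bin_data[24:29]  # bit depth, colour type, compression, filter, interlace
    # The field is 32 bits wide, but real images rarely exceed 0x0FFF, so both
    # dimensions are searched over 0..4095 inclusive (range(4095) stopped at 4094).
    for i in range(4096):
        # The CRC of the chunk type plus the candidate width is the same for
        # every height, so compute it once and continue it in the inner loop.
        width_crc = zlib.crc32(chunk_type + struct.pack('>I', i))
        for j in range(4096):
            crc32 = zlib.crc32(struct.pack('>I', j) + tail, width_crc)
            if crc32 == original_crc32:  # candidate i x j reproduces the stored CRC
                print(f"\nCRC32: {hex(original_crc32)}")
                print(f"宽度: {i}, hex: {hex(i)}")
                print(f"高度: {j}, hex: {hex(j)}")
                raise SystemExit(0)
    # Report an exhausted search explicitly instead of ending silently.
    print('未找到匹配的宽高')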

改出来

得到了前半部分
接着看二维码,这里先搜一下二维码基本的结构
https://www.cnblogs.com/luogi/p/15469106.html
观察方块,看出来是m2格式
用 https://merri.cx/qrazybox/ 来编辑,这里一定注意:先将原画布设置为白色,默认的灰色会导致提取不出来。然后根据破损图一点点填,再用tools里的功能提取。

6 皮卡丘

打开txt有一堆的pika类似的,上网搜索库
安装pikalang库

import pikalang
code="""pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi ka pikachu pi pi pi pi pi pikachu pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pipi pipi ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pichu pichu pikachu pipi pipi ka ka ka ka pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pichu pichu pi pikachu pipi pipi ka pikachu ka ka ka ka ka ka pikachu ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka pikachu pi pi pikachu pichu ka ka ka ka ka pikachu pipi ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pikachu"""
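# evaluate() writes the program's output itself and returns None (the output
# captured on this page ends in "None"), so its result is not passed to print().
pikalang.evaluate(code)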

chive{d0_y0u_l1ke_pikAchu}None

7 压缩包的秘密

binwalk提取一下,注释发现"chive???"
掩码爆破 直接chive2025
这里还有个伪加密(?)7.zip打开就没问题
flag.txt:

GJODMYN4IJFDLG7N7WQPDPTPJATRXR3MKRBRXTMGGCVBBE62IO======

看着像base家族,但随波逐流解不出来,后来将压缩包放进010

发现了这个,找ds写个脚本(其实搜也能搜出来)

import base64

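# Custom Base32 alphabet (the one used when encoding)
custom_key = "A2B3C4D5E6F7GJKILHMNORSPQTUVWYXZ"
# Standard Base32 alphabet
standard_base32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Ciphertext
ciphertext = "GJODMYN4IJFDLG7N7WQPDPTPJATRXR3MKRBRXTMGGCVBBE62IO======"

# Replace each character by the standard-alphabet character at the same index
# it has in custom_key. Characters outside custom_key, such as the "="
# padding, pass through unchanged. One translate() call replaces the
# per-character index() lookup and string concatenation.
translated = ciphertext.translate(str.maketrans(custom_key, standard_base32))

# Base32 decode
decoded = base64.b32decode(translated)
print(decoded.decode("utf-8"))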

chive{Th1s_1s_7h3_TruE_fLa6!!!}

8 来道流量

打开wireshark 过滤dns协议

看到有一些像base编码的,收集起来
ZmxhZ3tlNjYyYWMxNTRjYTM3NmUxYzAwMWVlOGJiZTgxMzE4Yn0K
解码得到
flag{e662ac154ca376e1c001ee8bbe81318b}

9 跨越千年河流

一直以为想错了,结果还真是这么做
根据题目描述,就是提取流呗,收集rtp包 电话-分析,将raw包导出,应该是有一个audio和另外一个video包,这里光收集video包即可。
搜索sdp

保存成sdp文件(注意修改c的ip,看是win还是wsl发送),放到vlc里配置,这里要下载rtptools,我这里使用的wsl看,就是要添上win的ip地址

rtpplay -T -f /root/4.5校长/video.rtp -v 192.168.xx.xx/4844

然后推流

看这个文章
https://blog.csdn.net/weixin_40729354/article/details/120299575

CRYPTO

1 BABYRSA

$i = pq + p + q + 1$
$n = i - x - 1$

import libnum

c_hex = "0x4ebbf8076700d7a9222bc93f7e18c3757844b3eec4f3b577a6775f18439a2c24b5899b2c09efd0091ef72408e5d75d1e75fc5d959ab597b566cb1fb566fade0c4ca91c0e3981a7c40a9aee400d820860f4c3a0d06b3f34c3f20e899257329f101f2466209e40442ee83f64a978329cbd0678902bbb745c51bd5bc10bde2c6a03b8371ef7cc0d827132c9e4d1f265464a9a5c8ba044401285e8a979729240d2b136413198e99a8035abc5957f946f4399c23a74aa188f016f98645cf0b131637ff198fe7399311c4a4ecf9afe99aa9aa887b774d0a4666fbffa85202325021e953b37e0ddfd5418c429f41846c8a9aae4f57836e294a4f4b0be7a93637ce46b25"
x_hex = "0x145ff16e8995b700f1c08547df4a68ff27a4941e0964f34a2c092066fe3db190d861ef4732697cb7c4aa719a0b7a6f8edf339c2026ddcc98e272c265a6ffdfb9fda2c1161ae04345e8e820b48855ca207a657b27848c509484c42f86583d61fdf2f9f6c55f99c5160be828ba0112d8e9acf49e1186af29103d81b3fc93c366f06"
i_hex = "0x67c86b964eb41f186908c7fbd2c20cffad094a71cf9e2e40028bb64d7929a81c0202e1d2b36da8ad6a833dd4c2e97f79ae50f5aaa89d5db04abfd3b39852518836af01bf656badc22929f1335e7df0454ef8d3d77a8ab4fab9e6daa4887eb02bc25715b72736129a60dc3bea75826b0bca03ff7a18c1e01caa3d0b1aed79de23fab0548332135c1243fd1debd8bcc71b29514558020cd68bf81f4eec1a2b8c147a391527d565916e53186994017c9998788860d51a0b863221e189288c94deda7956c8a18f36617c32959623c7f86b01817dac41c9f23b2de2125e34e9e64fda7164261aa65f8527fbf1b980b54ec14087e5cff4ee0838b6d47e768bb1e14fcc"
d_hex = "0x64f298bbe699c94493cba2284d345444baf27026378279e36b3b6f5c24c8a44fdb59210cc6b6cb8398de7a1fcb36199bee924e860868ce2b26c22ccc2339257cef9c10d716f1acdc20cb4138520133f510c3e8fcc05d3b810329215b9d9b27593e2f16ea9f4935e0af067a8bcb5a271a3143bb24b67cdbb50b6dda2a00c4c50407397a8db1ad834ed8f327540df04b4bd38d4101fd4dad98174fe0434ab3ff424de5b428fcb821189b02a4e12314d87d830ce5dace416295a2f778aaa6c9eff948474632e7892a75b78bae84d66a426dee01b0e79690ca12be0ad82dd51c60de7bf3e58ce03e8261a68444c92fa8ed6fc9722977beb119ee436640b48565d269"

# Parse the four hex strings into integers in one pass.
c, x, i, d = (int(text, 16) for text in (c_hex, x_hex, i_hex, d_hex))

# Rebuild the modulus as N = i - x - 1, then do a plain RSA decryption with
# the given private exponent d.
N = i - x - 1
m = pow(c, d, N)
flag = libnum.n2s(m)
print(flag)

2 hashhh

其实没太搞懂…看的题解(但代码跑不出来)
先生成length为 $0x142857142857142857$ 的数组,生成的方法是第0位为1,第i位是 $h[i-1] \cdot p \bmod m$,然后加上i位前的某一位,然后再对m取模,最后一个数与 $flagnum$ 异或
但发现listhash(h)前一百位均为第0位,也就是加1,生成s时加上了空格使得最后一位哈希值为0

h=[1,(p+1)%m, (((p+1)%m+1)*p)%m, (((((p+1)%m+1)*p)%m)*p+1)%m...]
化简一下,先乘后加
h=[1%m,(p+1)%m,(p**2+p+1)%m,(p**3+p**2+p+1)%m...]
from Crypto.Util.number import long_to_bytes

p = 369944419156711147060143317175368453031918731002211
m = 15977898348258634512826613220527141251832530996721392570130087971041029999399
output = 2585445282868005908429000279352060638616081153750867519015673856624926072491

# NOTE(review): the prose on this page gives the array length as
# 0x142857142857142857, while this script uses the value below. Confirm which
# one the challenge uses.
num = 0x11451441541112138
# Closed form of 1 + p + ... + p^num modulo m, i.e. (p^(num+1) - 1) / (p - 1)
# mod m. The power is reduced modulo (p-1)*m so that the integer division by
# (p - 1) below is exact.
numerator_mod = m * (p - 1)
pow_p = pow(p, num + 1, numerator_mod)
x = (pow_p - 1) // (p - 1)

# The last hash value was XORed with the flag number, so XOR again to undo it.
flagnum = x ^ output
print(long_to_bytes(flagnum))
#b'chive{D0NOT_1gN0e_Spac1}'

3 通往密码学的门票

没啥好说的,而且都给了,就是aes我怎么cyberchef跑不出来

from Crypto.Cipher import AES
import base64

# Everything needed is handed out by the challenge: ciphertext, a 16-byte key
# and a fixed 16-byte IV. With key and IV known, CBC offers no protection.
cipher_b64 = "1HNbfgdgCb//dpGk12YtczYGLYmjdR7s9dCKJJfrr98="
key = b"chiveneed crypto"
iv = b"1234567890123456"

# 44 base64 characters decode to 32 bytes, i.e. exactly two AES blocks.
decryptor = AES.new(key, AES.MODE_CBC, iv)
plaintext = decryptor.decrypt(base64.b64decode(cipher_b64))

# No unpad step: the recovered text appears to fill both blocks completely, so
# a tool that expects PKCS#7 padding after CBC decryption would reject it.
print(plaintext.decode())
#chive{AES_is_Str0ng_and_secure!}
Y2hpdmV7eWVwX2Jhc2U2NF8xMTF9 chive{yep_base64_111}
nstgp{jpa_nlpdlc_222} chive{yep_caesar_222}
cdnn3h{oko1c3}ie__1f13vu__ 分为4栏时,解密结果为:chive{do_u_kno1_f1nc1_333},一定要复制全
uvejrflzayncqbrtl
key:chive sowonderfulvignre
63686976657b6865785f6d61737465725f68756868687d chive{hex_master_huhhh}
https://ctf.bugku.com/tool/cvecode chive{good_boys_and_girls!!1}

4 那年12

跟有些题还挺像的,这里知道pq接近,可以采用sqrt的方式来接近,问题就是phi如何求,这里我是枚举来做的

from Crypto.Util.number import *
from gmpy2 import*
# Ciphertext supplied by the challenge.
c = 14271757452507943071363474081183177541200790942660097362031513886851813587528134582572623848099972456210228075056689703678634430590797149277427115279824926442186977544324306260773649073825258375503308259966047878145831154583554477788481105294302042561339920635706483442941551205973477969173915718871915200671444481285822722729938647546992523692395422404360203948065134128667282828088223097039984276000238274553470626265301814171381825551273451184740276394592917354674905944151497783585449290941573824525838704634409122052101666001004692525883972813532885183994544943464894545185023638492085950625538360026448964484416
# Private exponent d; the modulus n itself is not used anywhere in this script.
d = 4815495065667066088118714476427058753990743828259006517928935325112968696840430371714130163853991651023479500210542005249756415206638902683029392973565078922631633962903160240083183872850081940759280556038034304922411271717701758840032637415957285506384476648687723125050863954698306566523238177577903137128985048379343833790147660878587100123568156527088537427057806920417679112122772952688286636103079120623812415745406014703247604608247491265604106814516290321498329310376520189943315843444275641215377323721032913694774148750077107667520354091976538955228826389103068822347784629987748995327732324026601673620853
# Public exponent.
e = 65537
# Bit lengths of the two prime factors; their sum is the bit length the script
# below requires of a phi candidate.
p_bits=1024
q_bits=1024

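# e*d - 1 is a multiple of phi(n): e*d - 1 = k * phi with k < e, because d < phi.
k_phi = e * d - 1

# Keep every exact quotient whose bit length matches that of a
# (p_bits + q_bits)-bit modulus; those are the plausible values of phi.
pphi = []
for k in range(e, 2, -1):
    if k_phi % k == 0:
        tmp = k_phi // k
        if int(tmp).bit_length() == p_bits + q_bits:
            pphi.append(tmp)

print(len(pphi))

# The write-up states that p and q are close, so sqrt(phi) lies just below
# them. Walk the primes above sqrt(phi) and decrypt modulo each candidate p;
# that is sufficient only when the plaintext is smaller than p.
# NOTE(review): the published listing had lost its indentation; read literally,
# exit() ran straight after the first candidate, so the 100-prime scan never
# advanced. The scan now stops only on a candidate with the flag prefix.
for k in pphi:
    pp = next_prime(iroot(k, 2)[0])
    for i in range(100):
        try:
            flag = long_to_bytes(pow(c, invert(e, pp - 1), pp))
        except ZeroDivisionError:
            # e has no inverse modulo pp - 1, so this prime cannot be p.
            flag = b''
        if flag.startswith(b'chive{'):
            print(flag)
            raise SystemExit
        pp = next_prime(pp)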
#b'chive{oH_11zy_p30b1eM_Fo3_Y0u!!}'

借用bit数来判断一个正确的phi值
$\bmod\ n \equiv \bmod\ p$ 注意这个就行了(模 $n$ 成立的同余式在模 $p$ 下同样成立),其中 $n = p \cdot q$

5 那年20

这个好像也没啥好说的(),搜了挺久关于padding的,也有一个比较麻烦的,但也跟这个题不一样,e=3,直接枚举跑了一会就出了(),甚至出来的时候有点不可思议(n个月前,国赛后的面试dab还问过这个)

import libnum
import gmpy2


# RSA modulus, ciphertext and public exponent from the challenge.
# With e = 3 the cube of the padded message is only k * n above c for a k that
# can be enumerated (the run recorded below reports k = 345567965).
n =130823032626799224452148019344025608061409017976462166774679992766799718357920535935980876983571254896758319726956843139212788830476913001454998545653825290696492436161214853422265879037380706290530688595244797045788241743825760099936978094114772320832692543301259855843184737423582796490936667390065449150307
c =122953105834407050979933718031703750977998186903112777777073310509698093824373690792414682116583433136436812038369540800496491082382988156675797619093789603345734749277859167497030683286993302244087972139598554357992507029495039234588959439402736613308786156913068269204559388322577936927056254222544856583113
e = 0x3

def exp(n, e, c):
    """Find the smallest k >= 0 for which k*n + c is a perfect e-th power.

    Prints the integer root, the k that produced it, and the root converted
    to bytes. The loop has no upper bound: it runs until a perfect power is
    found.
    """
    candidate = c
    multiples = 0
    while True:
        root, is_exact = gmpy2.iroot(candidate, e)
        if is_exact:
            break
        # Advancing by n is the same as testing (multiples + 1) * n + c.
        candidate += n
        multiples += 1
    print(root)
    print(multiples)
    print(libnum.n2s(int(root)))


exp(n, e, c)
#3562371680658530203399822296834436195305530479644786679754750303845462026492117621601616961933793938207332
#345567965
#b'chive{pADddin6_1s_fUN_R1gHt}this_is_not_hard'

最后一战

显然没有很常规,这里的m3与n3-1不互素,就从网上找,这里的m相当于e比较大,找到一个类似的脚本,模素数上开 m 次幂根

from Crypto.Util.number import * 

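# Reference script (Sage): e shares a factor with p - 1 and q - 1, so e has no
# modular inverse and there is no private exponent. Instead, take every e-th
# root modulo each prime and recombine the pairs with the CRT.
q = 165338063123514818523885615737501133739
p = 20297342154853718314952219089481624063
e = 65536
n = q * p
c = 3024714280730674139248049746725214418740416860076557280072680498394712377473

for mp in Zmod(p)(c).nth_root(e, all=True):
    for mq in Zmod(q)(c).nth_root(e, all=True):
        m = crt([ZZ(mp), ZZ(mq)], [p, q])
        try:
            flag = long_to_bytes(m)
        except Exception:
            # Skip candidates that cannot be converted. A bare `except:` here
            # would also swallow Ctrl-C during a long enumeration.
            continue
        if flag.startswith(b'flag'):
            print(flag)
            print(mp)
            print(mq)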
from sage.all import *
from Crypto.Util.number import *

# === Known data ===
# Three chained stages; per the step comments in the solving code below,
# stage i satisfies c_i = c_(i-1)^(m_i) mod n_i. Only the final value c3 is given.
c3 = 343867914501222774273628126718287177048192002282106212934299652875247506214865375303243826284548
m3 = 354701
n3 = 995191358912871577558833631674614669607986330666857878724182860415671438190193766871991662518891

m2 = 433393
n2 = 669465653861088292142786513664790611054135025346092499931230244815441606915128078895389965653627

m1 = 422861
n1 = 958508882983697210929286552537536183615084340675769274475367427999338264420449936341879064360869

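def _all_roots(value, exponent, modulus):
    """Return every `exponent`-th root of `value` mod `modulus` as ints ([] if none)."""
    try:
        return [int(r) for r in Zmod(modulus)(value).nth_root(exponent, all=True)]
    except Exception:
        # No root for this candidate (or Sage cannot compute one): dead branch.
        return []


def _find_flag():
    """Undo the three stages in reverse order and return the decoded flag, or None."""
    # Step 1: c3 = c2^m3 mod n3  =>  enumerate every c2
    for c2 in _all_roots(c3, m3, n3):
        # Step 2: c2 = c1^m2 mod n2  =>  enumerate every c1
        for c1 in _all_roots(c2, m2, n2):
            # Step 3: c1 = c0^m1 mod n1  =>  enumerate every c0
            for c0 in _all_roots(c1, m1, n1):
                flag = long_to_bytes(c0)
                if b'chive{' in flag:
                    try:
                        return flag.decode()
                    except UnicodeDecodeError:
                        continue
    return None


# The earlier version raised StopIteration to leave the nested loops, but the
# surrounding bare `except: continue` caught it, so the search kept running.
# Returning from a function ends the search at the first match.
flag = _find_flag()
if flag is not None:
    print(f'[+] Flag Found: {flag}')
else:
    print('[-] No flag found')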

[+] Flag Found: chive{De3p_s33K_1s_s0_sT3oNg!!!}

PWN

from pwn import *
import re
from time import sleep

# Connect to the remote challenge service; `io` is the global tube used by
# every helper and loop below.
io = remote('chive.vaa.la', 33311)
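def interactive_after_clean(timeout: float = 0.05, no_show: bool = True):
    """Drain pending output from the global tube `io`, then go interactive.

    Args:
        timeout: value passed to `io.clean`. The default is fractional, so
            the annotation is `float` rather than `int`.
        no_show: when False, print the drained data before going interactive.
    """
    received = io.clean(timeout)
    if not no_show:
        print(f"[$]received:\n{received}")
    io.interactive()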


# 定义接收选择题的函数
def recv_until_choice():
    """Echo received lines until one contains an option marker ('1.' .. '4.').

    On EOF the tube is handed to the user interactively; on any other
    exception the error is printed. In both cases the function then returns.
    """
    option_markers = ('1.', '2.', '3.', '4.')
    while True:
        try:
            line = io.recvline(timeout=5).decode().strip()
            print(f"[接收到内容]: {line}")
            for marker in option_markers:
                if marker in line:
                    return
        except EOFError:
            print("[!] 远程服务断开连接!")
            io.interactive()
            return
        except Exception as e:
            print(f"[⚠️ 错误] 接收超时或其他错误: {e}")
            return

# Multiple-choice part: wait for each option list, send the answer, pause briefly.
for choice in (
    b'1',  # accept the invitation
    b'4',  # F5
    b'1',  # Shift + F12
    b'1',  # double-click the function name
):
    recv_until_choice()
    io.sendline(choice)
    sleep(0.1)

# Wait for the line announcing the 50 arithmetic questions.
banner = "接下来我会给你 50 道算数题"
waiting = True
while waiting:
    try:
        line = io.recvline(timeout=5).decode().strip()
        print(f"[接收到内容]: {line}")
        waiting = banner not in line
    except EOFError:
        print("[!] 远程服务断开连接!")
        io.interactive()
        waiting = False
    except Exception as e:
        print(f"[⚠️ 错误] 接收超时或其他错误: {e}")
        waiting = False

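# Answer the 50 arithmetic questions.
for i in range(50):
    # Reset per question so the error message never shows a stale line.
    line = ''
    try:
        # Read up to the '=' that ends the question; pass bytes, since the tube is a byte stream.
        line = io.recvuntil(b'=').decode().strip()
        print(f"[题目{i+1}] {line}")

        # Match "<int> <op> <int>" for +, -, * and /.
        match = re.search(r'(\d+)\s*([+\-*/])\s*(\d+)', line)
        if match:
            a, op, b = match.groups()
            a, b = int(a), int(b)

            if op == '+':
                answer = a + b
            elif op == '-':
                answer = a - b
            elif op == '*':
                answer = a * b
            elif op == '/':
                # Integer division: exact for operands of any size, whereas
                # int(a / b) goes through a float and loses precision on large
                # values. Both operands are non-negative, so the result matches
                # the truncation used before.
                # NOTE(review): assumes the service expects the integer quotient - confirm.
                answer = a // b

            print(f"[计算] {a} {op} {b} = {answer}")
            io.sendline(str(answer).encode())
        else:
            print(f"[⚠️ 错误] 无法解析算式: {line}")

        sleep(0.1)

    except Exception as e:
        # Includes division by zero and a closed connection: show the error and
        # hand the session to the user.
        print(f"[⚠️ 错误] 解析失败: {line} 错误原因: {e}")
        io.interactive()
        break

interactive_after_clean()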

好像是第一次做出来pwn题,反正用脚本写上,拿到shell cat flag就出来了

web

1 下个象棋

源代码往下翻

<!-- ZmxhZ3sxMTExMjIyMjMzMzM0NDQ0NTU1NTY2NjZ9 -->

直接出了


2 ezphp

ctfshow上的题

要么我hackbar有问题,自己打出不来

3 ezpop


用的php://filter,依旧ctfshow,序列化对象传进去就行了

re

1 BABYXOR

f5反汇编

一个签到题

# Byte values taken from the decompiled binary; each one is the flag
# character XOR-ed with a fixed single-byte key.
target = [
    177, 186, 187, 164, 183, 169, 189, 186,
    191, 225, 181, 184, 179, 180, 164, 175,
]

XOR_KEY = 0xD2

# XOR is its own inverse, so applying the same key again yields the plaintext.
# latin-1 maps each byte value to the code point of the same number, like chr().
flag = bytes(value ^ XOR_KEY for value in target).decode('latin-1')
print(flag)
#chive{ohm3gjafv}

2 hire


翻出来的

mobile

babykotlin

jeb打开的时候,打开成n个月前的shctf的题了,死活交不上去。。。
jeb拖进去,看见一堆函数,总之先找main函数点进去,嗯没找到什么有用的,开始挨个翻
在最底端找到stringencryptor

utf-8
每个字符xor 0x7f
hex输出

ComposableSingletonsComposableSingletonsMainActivityKt$lambda-211这几个函数就是轮番嵌套

5.1->4.1->3.1->MainActivityKt.Greeting ...

然后就是寻找greeting函数,这里善用ctrl+f搜索

在7.1底部翻到了,点进去

借助ds大人写一个脚本()

import java.nio.charset.StandardCharsets

fun main() {
    // Ciphertext to decode (hard-coded value taken from MainActivityKt).
    val ciphertextHex = "19131e180437362b2037362b204f17204e20134f094c20064f0a02"
    val recovered = decryptXorHex(ciphertextHex)

    // Print the ciphertext first, then the decoded result.
    listOf("密文: $ciphertextHex", "解密结果: $recovered").forEach(::println)
}

/**
 * Decode a string that was XOR-ed byte-wise with 0x7F and then hex-encoded.
 *
 * A fixed single-byte XOR only obfuscates the string: anyone who reads the
 * constant in the decompiled code can reverse it.
 *
 * @param encrypted ciphertext as a hexadecimal string, e.g. "19131e..."
 * @return the decoded plaintext read as UTF-8, or "" for empty input
 */
fun decryptXorHex(encrypted: String): String {
    if (encrypted.isEmpty()) return ""

    // Two hex digits per byte; XOR with 0x7F undoes the encoding.
    val plainBytes = encrypted
        .chunked(2)
        .map { pair -> (pair.toInt(16) xor 0x7F).toByte() }
        .toByteArray()

    return String(plainBytes, StandardCharsets.UTF_8)
}
#密文: 19131e180437362b2037362b204f17204e20134f094c20064f0a02
#解密结果: flag{HIT_HIT_0h_1_l0v3_y0u}

forensics

1 zip|password

这个就很很常规的imageinfo 然后看list没有什么进程,直接过滤flag,找到了一个flag.zip,提取,发现加密,这里我是先把大部分指令都试了,又发现一个hint.txt但提取不出来,后来在cmdline

还去做了mumuzi密码的哈希值测试(),结果发现这里的带括号那一串就是密码,然后就得到flag啦

窃听风云

第一个用户密码 lsdump
但这里一开始我好像输错了,导致无法提交,耽搁了一段时间

第二个主机+ip

这个好找,出现的最多


多套几次娃,一步步跟进就ok
第三个
pslist找到

去瞅瞅cmdline

就是这个了

hardware

有点难,不是我想搜题解的()
https://www.cnblogs.com/hed10ne/p/15359854.html
复现了一下

binwalk提取,这里是squashfs的misc解,在tmp里的解压缩文件放进ida32


简单脱个壳


寻找main函数,找到这个可疑函数点进去,前面还有一个echo.byethost51.com
md5(echo.byethost51.com:36667) = 33a422c45d551ac6e4756f59812a954b然后就凑出来了()

ppc

GIT2



git打开,反正都有源码了,git log然后git diff直接出了

签到

签到。

工大传奇跑路人

google一搜yyr直接就蹦出来官网了,没啥好说的

校赛往事

哇,这个做的真的久,先从官网上搜,没搜到,去计算机官网搜,找到了好几个网安相关赛事,但又不是,也没找到授奖仪式,后来通过搜董老师授奖才找到的。。。


跟着文档走,webtranslate,猜测是与翻译相关的
https://curlconverter.com/利用这个网站
windows系统是copy curl(bash)



复制到pycharm观察i变化后,response是发生了变化
在栈顶找到请求函数。

打上断点
xhr定义 XMLHttpRequest(简称xhr),是浏览器提供的JS对象,通过它可以请求到服务器上的数据资源。

观察到params参数中的sign
依次调用函数,从request往下必存在一个生成sign的函数,就是翻找。

前面几个都没找到什么有用信息,在这里k(t) 反复出现,console打出得到sign相关信息。

往上翻一下找到如下相关信息,确定k函数与sign生成关系,往上翻又可以找到s函数的相关信息。


const d = "fanyideskweb"
作md5加密(结合上面紧跟的两个)
这样看来只有一个是变量了
k(t,a)->k(e,t)这里e和t指的是一个
这里s(e,t)->s(a,e)
const a = (new Date).getTime();

转换一下时间
