SICTFround3

发表于 2024-02-16 更新于 2024-02-22 分类于 Wp 阅读次数： Waline：本文字数： 5k 阅读时长 ≈ 18 分钟

记录SICTFRound3——Crypto题解，以及其他方向部分题解

近来发觉大部分内容需要重新学习，以前只是囫囵吞枣地下咽，是时候学的细致些了。。

Crypto

Vigenere

Gn taj xirly gf Fxgjuakd, oe igywnd mt tegbs mnrxxlrivywd sngearbsw wakksre. Bs kpimj gf tank, it bx gur bslenmngn th jfdetagur mt ceei yze Ugnled Lystel tx Amxwaca gjmtrtq.

An taj wvegy gf tank nom xmccxjvinz, bw prhugse ts sllbffce hs lhe ytdlopnfg btxas wbyz Meqnuo: Tafl we lmsll ffce wtw logxyzer tsv madj heavj logxyzer. Pj khaeq yivLNUTF{4695vft9-fd68-4684-uj81-u6c1avg6uaft}j yenxwgus ynfanvnsl snuhorm, ffd ag zfdekxlanwnfg og tmr ptwl thty Eexbhg is mt jechsiuek yze lhxl tekwatokd an Nxb Eexbhg, Teqfk, anw Fjizhss. Thx iwtabqk of ljltlxrwnt tww leyy lo yhz.

Qou tww inlyjucmjv to bsxorf yze Pkjkidxsl [of Fjpich] tx thx ftovx nf thx ljeamjkt chsxidxsue al xgon tx at il hwrttnf thty lhekj oile gw an hzlbrxfc of pfj wimm lhe Nsatew Xlatxx snd lzygely lham yze Pkjkidxsl, on ank owg nfitbflivx, nfvimj Bapts lo ifrwdityw adajjenvj oita yzis iqsn; am yze strw tifj, gffxw lo mxiaatx gwtwxjf Jaiff anw tmrsxqnes.

Iqwasx hsll mt lhe tylenmngn oy yze Pkjkidxsl thty lhe kzlhlxxk emiqgymxsl of hzj suursrigjk nop txfekx lhe iwgspxhl of vtepeeqang Xsylagi lo mtpw pethw in t kww mhslhs.

Vigenere Solver | guballa.de

On the first of February, we intend to begin unrestricted submarine warfare. In spite of this, it is our intention to endeavour to keep the United States of America neutral.

In the event of this not succeeding, we propose an alliance on the following basis with Mexico: That we shall make war together and make peace together. We shall givSICTF{4695cab9-fd68-4684-be81-c6c1acb6cafa}e generous financial support, and an understanding on our part that Mexico is to reconquer the lost territory in New Mexico, Texas, and Arizona. The details of settlement are left to you.

You are instructed to inform the President [of Mexico] of the above in the greatest confidence as soon as it is certain that there will be an outbreak of war with the United States and suggest that the President, on his own initiative, invite Japan to immediate adherence with this plan; at the same time, offer to mediate between Japan and ourselves.

Please call to the attention of the President that the ruthless employment of our submarines now offers the prospect of compelling England to make peace in a few months.

签到，确信！

from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)
def gen_keys(bits):
    while 1:
        p = getPrime(bits)
        q = sum([p**i for i in range(7)])
        if isPrime(q):
            r = getPrime(1024)
            n = p*q*r
            return p,n
p,n = gen_keys(512)
e = 65537
c = pow(m,e,n)
print(f"n = {n}")
print(f"e = {e}")
print(f"c = {c}")
'''
n = 8361361624563191168612863710516449028280757632934603412143152925186847721821552879338608951120157631182699762833743097837368740526055736516080136520584848113137087581886426335191207688807063024096128001406698217998816782335655663803544853496060418931569545571397849643826584234431049002394772877263603049736723071392989824939202362631409164434715938662038795641314189628730614978217987868150651491343161526447894569241770090377633602058561239329450046036247193745885174295365633411482121644408648089046016960479100220850953009927778950304754339013541019536413880264074456433907671670049288317945540495496615531150916647050158936010095037412334662561046016163777575736952349827380039938526168715655649566952708788485104126900723003264019513888897942175890007711026288941687256962012799264387545892832762304320287592575602683673845399984039272350929803217492617502601005613778976109701842829008365226259492848134417818535629827769342262020775115695472218876430557026471282526042545195944063078523279341459199475911203966762751381334277716236740637021416311325243028569997303341317394525345879188523948991698489667794912052436245063998637376874151553809424581376068719814532246179297851206862505952437301253313660876231136285877214949094995458997630235764635059528016149006613720287102941868517244509854875672887445099733909912598895743707420454623997740143407206090319567531144126090072331
e = 65537
c = 990174418341944658163682355081485155265287928299806085314916265580657672513493698560580484907432207730887132062242640756706695937403268682912083148568866147011247510439837340945334451110125182595397920602074775022416454918954623612449584637584716343806255917090525904201284852578834232447821716829253065610989317909188784426328951520866152936279891872183954439348449359491526360671152193735260099077198986264364568046834399064514350538329990985131052947670063605611113730246128926850242471820709957158609175376867993700411738314237400038584470826914946434498322430741797570259936266226325667814521838420733061335969071245580657187544161772619889518845348639672820212709030227999963744593715194928502606910452777687735614033404646237092067644786266390652682476817862879933305687452549301456541574678459748029511685529779653056108795644495442515066731075232130730326258404497646551885443146629498236191794065050199535063169471112533284663197357635908054343683637354352034115772227442563180462771041527246803861110504563589660801224223152060573760388045791699221007556911597792387829416892037414283131499832672222157450742460666013331962249415807439258417736128976044272555922344342725850924271905056434303543500959556998454661274520986141613977331669376614647269667276594163516040422089616099849315644424644920145900066426839607058422686565517159251903275091124418838917480242517812783383
'''

类似2023DASCTFX0psu3——GeneratePrime

参考2023-DASCTFX0psu3十一月挑战赛-wp-crypto | 糖醋小鸡块的blog (tangcuxiaojikuai.xyz)

from Crypto.Util.number import *

n = 8361361624563191168612863710516449028280757632934603412143152925186847721821552879338608951120157631182699762833743097837368740526055736516080136520584848113137087581886426335191207688807063024096128001406698217998816782335655663803544853496060418931569545571397849643826584234431049002394772877263603049736723071392989824939202362631409164434715938662038795641314189628730614978217987868150651491343161526447894569241770090377633602058561239329450046036247193745885174295365633411482121644408648089046016960479100220850953009927778950304754339013541019536413880264074456433907671670049288317945540495496615531150916647050158936010095037412334662561046016163777575736952349827380039938526168715655649566952708788485104126900723003264019513888897942175890007711026288941687256962012799264387545892832762304320287592575602683673845399984039272350929803217492617502601005613778976109701842829008365226259492848134417818535629827769342262020775115695472218876430557026471282526042545195944063078523279341459199475911203966762751381334277716236740637021416311325243028569997303341317394525345879188523948991698489667794912052436245063998637376874151553809424581376068719814532246179297851206862505952437301253313660876231136285877214949094995458997630235764635059528016149006613720287102941868517244509854875672887445099733909912598895743707420454623997740143407206090319567531144126090072331
e = 65537
c = 990174418341944658163682355081485155265287928299806085314916265580657672513493698560580484907432207730887132062242640756706695937403268682912083148568866147011247510439837340945334451110125182595397920602074775022416454918954623612449584637584716343806255917090525904201284852578834232447821716829253065610989317909188784426328951520866152936279891872183954439348449359491526360671152193735260099077198986264364568046834399064514350538329990985131052947670063605611113730246128926850242471820709957158609175376867993700411738314237400038584470826914946434498322430741797570259936266226325667814521838420733061335969071245580657187544161772619889518845348639672820212709030227999963744593715194928502606910452777687735614033404646237092067644786266390652682476817862879933305687452549301456541574678459748029511685529779653056108795644495442515066731075232130730326258404497646551885443146629498236191794065050199535063169471112533284663197357635908054343683637354352034115772227442563180462771041527246803861110504563589660801224223152060573760388045791699221007556911597792387829416892037414283131499832672222157450742460666013331962249415807439258417736128976044272555922344342725850924271905056434303543500959556998454661274520986141613977331669376614647269667276594163516040422089616099849315644424644920145900066426839607058422686565517159251903275091124418838917480242517812783383
k = 7

R = Zmod(n)["x"]
while True:
    Q = R.quo(R.random_element(k))
    pp = gcd(ZZ(list(Q.random_element() ^ n)[1]), n)
    if pp != 1:
        qq = sum([pp**i for i in range(k)])
        rr = n // (pp * qq)
        assert n == pp * qq * rr
        break
phi = (pp - 1) * (qq - 1) * (rr - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))
# SICTF{d9428fc7-fa3a-4096-8ec9-191c0a4562ff}

easyLattice

from Crypto.Util.number import *
from secret import flag
import gmpy2

assert len(flag) == 47

f = bytes_to_long(flag)
p = getPrime(512)
g = getPrime(128)
h = gmpy2.invert(f, p) * g % p

print('h =', h)
print('p =', p)

"""
h = 9848463356094730516607732957888686710609147955724620108704251779566910519170690198684628685762596232124613115691882688827918489297122319416081019121038443
p = 11403618200995593428747663693860532026261161211931726381922677499906885834766955987247477478421850280928508004160386000301268285541073474589048412962888947     
"""

$$
h \equiv f^{-1} \times g \mod p
$$

$$
\therefore g = f\times h + kp
$$

构造格

这里$f \approx 2^{376}$,格的行列式约$2^{256}$，直接规约是规约不出来的。

调整一下参数，使格的行列式大于$f$即可

#sage
from Crypto.Util.number import *

h = 9848463356094730516607732957888686710609147955724620108704251779566910519170690198684628685762596232124613115691882688827918489297122319416081019121038443
p = 11403618200995593428747663693860532026261161211931726381922677499906885834766955987247477478421850280928508004160386000301268285541073474589048412962888947     
T = 2^250

L = Matrix(ZZ,[[1,T*h],[0,T*p]])

f,g = L.LLL()[0]
f,g = abs(f),abs(g)

print(long_to_bytes(int(f)))
# SICTF{e3fea01c-18f3-4638-9544-9201393940a9}

铜匠

from Crypto.Util.number import *
from enc import flag

def Decimal_conversion(num):
    if num == 0:
        return '0'
    digits = []
    while num:
        digits.append(str(num % 5))
        num //= 5
    return ''.join(reversed(digits))

m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f"leak = {Decimal_conversion(p)[:112]}")
print(f"n = {n}")
print(f"e = {e}")
print(f"c = {c}")

'''
leak = 2011133132443111302000224204142244403203442000141102312242343143241244243020003333022112141220422134444214010012
n = 85988668134257353631742597258304937106964673395852009846703777410474172989069717247424903079500594820235304351355706519069516847244761609583338251489134035212061654870087550317540291994559481862615812258493738064606592165529948648774081655902831715928483206013332330998262897765489820121129058926463847702821
e = 65537
c = 64708526479058278743788046708923650158905888858865427385501446781738669889375403360886995849554813207230509920789341593771929287415439407977283018525484281064769128358863513387658744063469874845446480637925790150835186431234289848506337341595817156444941964510251032210939739594241869190746437858135599624562
'''

给出的leak是5进制下的，112长度的5进制，约259bit

一开始想抹掉低3位，变成256bit，再爆8位用coppersmith

半小时爆破后没成功。发现是5进制转回10进制的时候出现了问题

一般情况下5进制转10进制是这样:$tmp = \sum_{i=0}^{n} t\times 5^{i}$

但是这里的leak不能直接这样转，因为起始的$i$也就是$i = 0$对应的底数不是这里leak最低位的2

经过测试，发现512bit的数，转为5进制长度大概是221

from Crypto.Util.number import *

def Decimal_conversion(num):
    if num == 0:
        return '0'
    digits = []
    while num:
        digits.append(str(num % 5))
        num //= 5
    return ''.join(reversed(digits))

for i in range(10):
    p = getPrime(512)
    tmp = Decimal_conversion(p)
    print(len(tmp))

而这里leak是前112位，所以这里leak最低位的2对应的i应该是109

from Crypto.Util.number import *
import gmpy2
from tqdm import *

leak = "2011133132443111302000224204142244403203442000141102312242343143241244243020003333022112141220422134444214010012"
n = 85988668134257353631742597258304937106964673395852009846703777410474172989069717247424903079500594820235304351355706519069516847244761609583338251489134035212061654870087550317540291994559481862615812258493738064606592165529948648774081655902831715928483206013332330998262897765489820121129058926463847702821
e = 65537
c = 64708526479058278743788046708923650158905888858865427385501446781738669889375403360886995849554813207230509920789341593771929287415439407977283018525484281064769128358863513387658744063469874845446480637925790150835186431234289848506337341595817156444941964510251032210939739594241869190746437858135599624562

def five_to_ten(num):
    temp = 0
    i = 109
    for j in reversed(num):
        temp += int(j) * 5**i
        i += 1
    return temp

leak = five_to_ten(leak)
gift = leak >> 256

for i in trange(2^8):
    ph = gift << 8
    phigh = ph + i
    phigh = phigh << 248
    R.<x> = PolynomialRing(Zmod(n))
    f = phigh + x
    res = f.small_roots(X=2^248, beta=0.4, epsilon=0.01)
    if res != []:
        p = phigh + int(res[0])
        q = n // p
        d = gmpy2.invert(e,(p-1)*(q-1))
        m = pow(c,d,n)
        print(f"i = {i}")
        print(long_to_bytes(int(m)))
        break

SuperbRSA

#user:mumu666
from Crypto.Util.number import *
p=getPrime(1024)
q=getPrime(1024)
n=p*q
e1=55
e2=200
m=bytes_to_long("flag")
assert(pow(m,5) < n)
c1 = pow(m, e1, n)
c2 = pow(m, e2, n)
print("n=",n)
print("c1=",c1)
print("c2=",c2)

n= 19006830358118902392432453595802675566730850352890246995920642811967821259388009049803513102750594524106471709641202019832682438027312468849299985832675191795417160553379580813410722359089872519372049229233732405993062464286888889084640878784209014165871696882564834896322508054231777967011195636564463806270998326936161449009988434249178477100127347406759932149010712091376183710135615375272671888541233275415737155953323133439644529709898791881795186775830217884663044495979067807418758455237701315019683802437323177125493076113419739827430282311018083976114158159925450746712064639569301925672742186294237113199023
c1= 276245243658976720066605903875366763552720328374098965164676247771817997950424168480909517684516498439306387133611184795758628248588201187138612090081389226321683486308199743311842513053259894661221013008371261704678716150646764446208833447643781574516045641493770778735363586857160147826684394417412837449465273160781074676966630398315417741542529612480836572205781076576325382832502694868883931680720558621770570349864399879523171995953720198118660355479626037129047327185224203109006251809257919143284157354935005710902589809259500117996982503679601132486140677013625335552533104471327456798955341220640782369529
c2= 11734019659226247713821792108026989060106712358397514827024912309860741729438494689480531875833287268454669859568719053896346471360750027952226633173559594064466850413737504267807599435679616522026241111887294138123201104718849744300769676961585732810579953221056338076885840743126397063074940281522137794340822594577352361616598702143477379145284687427705913831885493512616944504612474278405909277188118896882441812469679494459216431405139478548192152811441169176134750079073317011232934250365454908280676079801770043968006983848495835089055956722848080915898151352242215210071011331098761828031786300276771001839021

$e_1,e_2$不互素的共模攻击

根据扩展欧几里得算法有:
$$
e_1x + e_2y = (e_1,e_2) = 5
$$
所以
$$
c_1^{x}\times c_2^{y} \equiv m^{e_{1}x + e_{2}y} \equiv m^5 \mod n
$$
assert pow(m,5) < n

所以直接开5次方即可

from Crypto.Util.number import *
import gmpy2

n= 19006830358118902392432453595802675566730850352890246995920642811967821259388009049803513102750594524106471709641202019832682438027312468849299985832675191795417160553379580813410722359089872519372049229233732405993062464286888889084640878784209014165871696882564834896322508054231777967011195636564463806270998326936161449009988434249178477100127347406759932149010712091376183710135615375272671888541233275415737155953323133439644529709898791881795186775830217884663044495979067807418758455237701315019683802437323177125493076113419739827430282311018083976114158159925450746712064639569301925672742186294237113199023
c1= 276245243658976720066605903875366763552720328374098965164676247771817997950424168480909517684516498439306387133611184795758628248588201187138612090081389226321683486308199743311842513053259894661221013008371261704678716150646764446208833447643781574516045641493770778735363586857160147826684394417412837449465273160781074676966630398315417741542529612480836572205781076576325382832502694868883931680720558621770570349864399879523171995953720198118660355479626037129047327185224203109006251809257919143284157354935005710902589809259500117996982503679601132486140677013625335552533104471327456798955341220640782369529
c2= 11734019659226247713821792108026989060106712358397514827024912309860741729438494689480531875833287268454669859568719053896346471360750027952226633173559594064466850413737504267807599435679616522026241111887294138123201104718849744300769676961585732810579953221056338076885840743126397063074940281522137794340822594577352361616598702143477379145284687427705913831885493512616944504612474278405909277188118896882441812469679494459216431405139478548192152811441169176134750079073317011232934250365454908280676079801770043968006983848495835089055956722848080915898151352242215210071011331098761828031786300276771001839021
e1 = 55
e2 = 200

t = gmpy2.gcd(e1,e2)
if t == 1:
    s,x,y = gmpy2.gcdext(e1,e2)
    m = (pow(c1,x,n)*pow(c2,y,n))%n
    print(long_to_bytes(m))
else:
    s,x,y = gmpy2.gcdext(e1,e2)
    k = 0
    while 1:
        m = gmpy2.iroot((pow(c1,x,n)*pow(c2,y,n)+k*n)%n,t)
        if m[1]:
            print(long_to_bytes(m[0]))
            break
        else:
            k += 1
# SICTF{S0_Great_RSA_Have_Y0u_Learned?}

gggcccddd

from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)

p = getPrime(512)
q = getPrime(512)
n = p*q
e = 65537
c1 = pow(m,e,n)
c2 = pow(233*m+9527,e,n)
print(f'n = {n}')
print(f'c1 = {c1}')
print(f'c2 = {c2}')
print(f'e = {e}')
"""
n = 71451784354488078832557440841067139887532820867160946146462765529262021756492415597759437645000198746438846066445835108438656317936511838198860210224738728502558420706947533544863428802654736970469313030584334133519644746498781461927762736769115933249195917207059297145965502955615599481575507738939188415191
c1 = 60237305053182363686066000860755970543119549460585763366760183023969060529797821398451174145816154329258405143693872729068255155086734217883658806494371105889752598709446068159151166250635558774937924668506271624373871952982906459509904548833567117402267826477728367928385137857800256270428537882088110496684
c2 = 20563562448902136824882636468952895180253983449339226954738399163341332272571882209784996486250189912121870946577915881638415484043534161071782387358993712918678787398065688999810734189213904693514519594955522460151769479515323049821940285408228055771349670919587560952548876796252634104926367078177733076253
e = 65537
"""

Franklin-Reiter相关消息攻击＋ half-gcd

from Crypto.Util.number import *
import sys

def HGCD(a, b):
    if 2 * b.degree() <= a.degree() or a.degree() == 1:
        return 1, 0, 0, 1
    m = a.degree() // 2
    a_top, a_bot = a.quo_rem(x^m)
    b_top, b_bot = b.quo_rem(x^m)
    R00, R01, R10, R11 = HGCD(a_top, b_top)
    c = R00 * a + R01 * b
    d = R10 * a + R11 * b
    q, e = c.quo_rem(d)
    d_top, d_bot = d.quo_rem(x^(m // 2))
    e_top, e_bot = e.quo_rem(x^(m // 2))
    S00, S01, S10, S11 = HGCD(d_top, e_top)
    RET00 = S01 * R00 + (S00 - q * S01) * R10
    RET01 = S01 * R01 + (S00 - q * S01) * R11
    RET10 = S11 * R00 + (S10 - q * S11) * R10
    RET11 = S11 * R01 + (S10 - q * S11) * R11
    return RET00, RET01, RET10, RET11
    
def GCD(a, b):
    print(a.degree(), b.degree())
    q, r = a.quo_rem(b)
    if r == 0:
        return b
    R00, R01, R10, R11 = HGCD(a, b)
    c = R00 * a + R01 * b
    d = R10 * a + R11 * b
    if d == 0:
        return c.monic()
    q, r = c.quo_rem(d)
    if r == 0:
        return d
    return GCD(d, r)

sys.setrecursionlimit(500000)

n = 71451784354488078832557440841067139887532820867160946146462765529262021756492415597759437645000198746438846066445835108438656317936511838198860210224738728502558420706947533544863428802654736970469313030584334133519644746498781461927762736769115933249195917207059297145965502955615599481575507738939188415191
c1 = 60237305053182363686066000860755970543119549460585763366760183023969060529797821398451174145816154329258405143693872729068255155086734217883658806494371105889752598709446068159151166250635558774937924668506271624373871952982906459509904548833567117402267826477728367928385137857800256270428537882088110496684
c2 = 20563562448902136824882636468952895180253983449339226954738399163341332272571882209784996486250189912121870946577915881638415484043534161071782387358993712918678787398065688999810734189213904693514519594955522460151769479515323049821940285408228055771349670919587560952548876796252634104926367078177733076253
e = 65537
R.<x> = PolynomialRing(Zmod(n))
f = x^e - c1
g = (233*x+9527)^e - c2

res = GCD(f,g)

m = -res.monic().coefficients()[0]
print(m)
flag = long_to_bytes(int(m))
print(flag)
# SICTF{45115fb2-84d6-4369-88c2-c8c3d72b4c55}

*BabyRSA

p = random_prime(1<<512)

with open("ffllaagg.txt", "rb") as f:
    flag = int.from_bytes(f.read().strip(), "big")
assert flag < p

a = randint(2, p-1)
b = randint(2, p-1)
x = randint(2, p-1)

def h():
    global a, b, x
    x = (a*x + b) % p
    return x

PR.<X> = PolynomialRing(GF(p))
f = h() + h()*X + h()*X**2 + h()*X**3 + h()*X**4 + h()*X**5
v_me_50 = [(i, f(i)) for i in range(1, 5)]

print(p)
print(v_me_50)
print(f(flag))

p = 8432316544210923620966806031040552674652729976238765323782536889706914762471638598119051165931563126522925761119650997703305509546949570434637437942542827
v_me_50 = [(1, 5237331460408741346823741966490617418367283531029963248255318507187035341590236835730694472064897540292182231844047116067936691956970631907605500080014355), (2, 5798977431976767515500795413771120575460553181185728489626756434911307088093739452469315524092208822863785429164219547384598943937099787390543171055679780), (3, 5030862375386942201139427367618716490378481408210696947331523552250206476805124204780313138835912303941204343248384742875319182761611109448446270069831113), (4, 4705360705603328842229554954026497175574981026785287316439514185860486128679614980330307863925942038530792583274904352630757089631411920876914529907563209)]
f_flag = 7251453750672416392395590357197330390627853878488142305852099080761477796591562813165554150640801022882531891827653530623183405183605476913024545431842867

h()函数实现的是lcg，每次更新x的值

首先要注意f = h() + h()*X + h()*X**2 + h()*X**3 + h()*X**4 + h()*X**5

这里h()是x不同的状态，这里把$x$不同状态记为$x_i$

因为每个$x_i$都可以用$a,b,x$表示，我们可以写为4个方程，解这个方程组即可求得$a,b,x$

这里有个很容易犯的错是,误以为方程组是

但实际上，方程组是:

采取groebner的方式求解

然后再解下面这个方程即可
$$
f_2 \equiv x_1 + x_2\times m + x_3\times m^2 + x_4\times m^3 + x_{5}\times m^4 + x_{6}\times m^5 - enc\
$$

from Crypto.Util.number import *

p = 8432316544210923620966806031040552674652729976238765323782536889706914762471638598119051165931563126522925761119650997703305509546949570434637437942542827
c = [(1, 5237331460408741346823741966490617418367283531029963248255318507187035341590236835730694472064897540292182231844047116067936691956970631907605500080014355), (2, 5798977431976767515500795413771120575460553181185728489626756434911307088093739452469315524092208822863785429164219547384598943937099787390543171055679780), (3, 5030862375386942201139427367618716490378481408210696947331523552250206476805124204780313138835912303941204343248384742875319182761611109448446270069831113), (4, 4705360705603328842229554954026497175574981026785287316439514185860486128679614980330307863925942038530792583274904352630757089631411920876914529907563209)]
enc_flag = 7251453750672416392395590357197330390627853878488142305852099080761477796591562813165554150640801022882531891827653530623183405183605476913024545431842867


P.<a,b,x> = PolynomialRing(Zmod(p))

t = x
T = [t]
for i in range(6):
    t = a*t + b
    T.append(t)

    
f1 = T[1] + T[2]*1 + T[3]*1^2 + T[4]*1^3 + T[5]*1^4 + T[6]*1^5 - c[0][1]
f2 = T[1] + T[2]*2 + T[3]*2^2 + T[4]*2^3 + T[5]*2^4 + T[6]*2^5 - c[1][1]
f3 = T[1] + T[2]*3 + T[3]*3^2 + T[4]*3^3 + T[5]*3^4 + T[6]*3^5 - c[2][1]
f4 = T[1] + T[2]*4 + T[3]*4^2 + T[4]*4^3 + T[5]*4^4 + T[6]*4^5 - c[3][1]

F = [f1,f2,f3,f4]
I = Ideal(F)

a = ZZ(-I.groebner_basis()[0].univariate_polynomial()(0))
b = ZZ(-I.groebner_basis()[1].univariate_polynomial()(0))
x = ZZ(-I.groebner_basis()[2].univariate_polynomial()(0))
print(f"a = {a}")
print(f"b = {b}")
print(f"x = {x}")

X = [x]
for i in range(6):
    x = (a * x + b) % p
    X.append(x)
    
R.<m> = PolynomialRing(GF(p))
f = X[1] + X[2]*m + X[3]*m^2 + X[4]*m^3 + X[5]*m^4 + X[6]*m^5 - enc_flag
res = f.roots()
m = res[0][0]
flag = long_to_bytes(int(m))
print(flag)
# SICTF{Th3s_1s_a_high_l3vel_p0lyn0mial}

*easy_or_baby_RSA

from Crypto.Util.number import *
import gmpy2
from enc import flag


m = bytes_to_long(flag)
p = getPrime(256)
q = getPrime(256)
n = (p**5)*(q**3)
phi = (p-1)*(q-1)*p**4 * q**2
d = getPrime(1380)
e = gmpy2.invert(d,phi)
p1 = gmpy2.next_prime(p)
q1 = gmpy2.next_prime(q)
c = pow(m,65537,p1*q1)

print(f"c = {c}")
print(f"n = {n}")
print(f"e = {e}")

'''
c = 6027704939934795526809476320408984749353451163184148193613218899917989403800738729505135647560822568147775955030636790796412038749080589962404088890138
n = 2345049742327685796181532105032554795628696111708534285951012187089560814230641663133312117797131139088986342455315166062482479446527815702735474197358418746066993291802284464812612727625991647573889402281825863578807474887341632160586307943897790827019291411639756252138594856687013363652094621849674259604512491449809337670874218320926522274379234396955495643125680407916326561528774056618181536326260093822819468635513422755218190798616168156924793527386350080400722536575372660262573683231490166520738579903818495107264328324326819989553511070207494208500239603511665056894947107356065440333537271115434438827753
e = 1560967245790387854530279132085915310737094193704812456970549221459036227794862560384548159924112528879771688534015861357630951162558357151823378870345945435342412220708167081427844035498174919749839232806280901968067512188264340755833308035745702731211924571583963089915893479992177245815565483658484702813753029786985027579475059989141119719224961817402605977566829967197490932672021566512826377376988752959467389833419735737545201988916590880487156074463948048461415870071893002222885078350961871888123567241990517365430474025391208925638731208820904957752596249597885523540692851123131898267246576902438472358221

'''

没能力根据论文实现攻击

zarismine (zarismine) (github.com)

*2024_New_Setback

#user:mumu666

from Crypto.Util.number import *
from secret import flag, Curve

def happy(C, P):
    c, d, p = C
    u, v = P
    return (u**2 + v**2 - c**2 * (1 + d * u**2*v**2)) % p == 0

def new(C, P, Q):
    c, d, p = C
    u1, v1 = P
    u2, v2 = Q
    assert happy(C, P) and happy(C, Q)
    u3 = (u1 * v2 + v1 * u2) * inverse(c * (1 + d * u1 * u2 * v1 * v2), p) % p
    v3 = (v1 * v2 - u1 * u2) * inverse(c * (1 - d * u1 * u2 * v1 * v2), p) % p
    return (int(u3), int(v3))

def year(C, P, m):
    assert happy(C, P)
    c, d, p = C
    B = bin(m)[2:]
    l = len(B)
    u, v = P
    PP = (-u, v)
    O = new(C, P, PP)
    Q = O
    if m == 0:
        return O
    elif m == 1:
        return P
    else:
        for _ in range(l-1):
            P = new(C, P, P)
        m = m - 2**(l-1)
        Q, P = P, (u, v)
        return new(C, Q, year(C, P, m))

c, d, p = Curve

flag = flag.lstrip(b'SICTF{').rstrip(b'}')
l = len(flag)
l_flag, r_flag = flag[:l // 2], flag[l // 2:]

m1, m2 = bytes_to_long(l_flag), bytes_to_long(r_flag)
assert m1 < p and m2 < p

P = (398011447251267732058427934569710020713094, 548950454294712661054528329798266699762662)
Q = (139255151342889674616838168412769112246165, 649791718379009629228240558980851356197207)

print(f'happy(C, P) = {happy(Curve, P)}')
print(f'happy(C, Q) = {happy(Curve, Q)}')

print(f'P = {P}')
print(f'Q = {Q}')

print(f'm1 * P = {year(Curve, P, m1)}')
print(f'm2 * Q = {year(Curve, Q, m2)}')


"""
happy(C, P) = True
happy(C, Q) = True
P = (398011447251267732058427934569710020713094, 548950454294712661054528329798266699762662)
Q = (139255151342889674616838168412769112246165, 649791718379009629228240558980851356197207)
m1 * P = (730393937659426993430595540476247076383331, 461597565155009635099537158476419433012710)
m2 * Q = (500532897653416664117493978883484252869079, 620853965501593867437705135137758828401933) 
"""

happy(C,P)的作用是验证点P是否在曲线C上面

根据happy函数我们可以知道对于曲线上的点G$(x,y)$满足
$$
x^2 + y^2 \equiv c^2\times (1+dx^2y^2) \mod p
$$
可知这是一条a=1时候的扭曲爱德华曲线(Edwards Curve),不知道(ps:我也不太了解)的读者可以看这篇文章区块链中的数学 - 爱德华曲线方程 | 登链社区 | 区块链技术社区 (learnblockchain.cn)

我们首先要做的是恢复参数

恢复参数

取曲线上任意两点$G_1(x_1,y_1),G_2(x_2,y_2)$有
$$
x_1^2 + y_1^2 \equiv c^2\times (1+dx_1^2y_1^2) \mod p
$$

$$
x_2^2 + y_2^2 \equiv c^2\times (1+dx_2^2y_2^2) \mod p
$$

对两个式子相减有
$$
(x_1^2-x_2^2)+(y_1^2-y_2^2) \equiv c^2d(x_1^2y_1^2-x_2^2y_2^2) \mod p
$$
为了简化符号，我们记$A_{i,j} = (x_i^2-x_j^2) + (y_i^2-y_j^2)$,$B_{i,j} = x_i^2y_i^2 - x_j^2y_j^2$

也就是
$$
A_{1,2} - c^2d\times B_{1,2} \equiv 0 \mod p
$$
这里$c,d$均未知，所以我们把$c^2d$放等号右边，有
$$
\frac{A_{1,2}}{B_{1,2}} \equiv c^2d \mod p
$$
同理，我们再取两个点$G_3(x_3,y_3),G_4(x_4,y_4)$，有
$$
A_{3,4} - c^2d\times B_{3,4} = k_2p
$$

$$
\frac{A_{3,4}}{B_{3,4}} \equiv c^2d \mod p
$$

再把两个$c^2d$式子相减有
$$
\frac{A_{1,2}}{B_{1,2}} - \frac{A_{3,4}}{B_{3,4}} \equiv 0 \mod p
$$
通分一下有
$$
A_{1,2} \times B_{3,4} - B_{1,2}\times A_{3,4} = k_1p
$$
我们对$G_1(x_1,y_1),G_2(x_2,y_2),G_3(x_3,y_3),G_4(x_4,y_4)$四个点作不同的减法组合，可以得到不同的$kp$

第一组，我们取$G_1,G_2$这一对和$G_3,G_4$这一对

第二组，我们取$G_1,G_3$这一对和$G_2,G_4$这一对

第一组的结果是$A_{1,2} \times B_{3,4} - B_{1,2}\times A_{3,4} = k_1p$

第二组的结果是$A_{1,3} \times B_{2,4} - B_{1,3}\times A_{2,4} = k_2p$

再求最大公因数，即可得到p，这个p可能会是p的倍数，这个倍数不会太大，除掉即可

得到p之后

通过$A_{1,2} - c^2d\times B_{1,2} \equiv 0 \mod p$

可知$c^2d \equiv A_{1,2}\times B_{1,2}^{-1} \mod p$

回到$x^2 + y^2 \equiv c^2\times (1+dx^2y^2) \mod p$

可知$c^2 \equiv x^2+y^2 -c^2dx^2y^2 \mod p$，以及$d \equiv (x^2+y^2-c^2)\times (c^2x^2y^2)^{-1} \mod p$

到此参数便恢复完成

import gmpy2

def Get_A(G1,G2):
    x1,y1 = G1
    x2,y2 = G2
    A = x1^2 - x2^2 + y1^2 - y2^2
    return A

def Get_B(G1,G2):
    x1,y1 = G1
    x2,y2 = G2
    B = x1^2*y1^2 - x2^2*y2^2
    return B

def Get_p(G1,G2,G3,G4):
    A12,B12 = Get_A(G1,G2),Get_B(G1,G2)
    A34,B34 = Get_A(G3,G4),Get_B(G3,G4)
    temp1 = A12 * B34 - B12 * A34
    A13,B13 = Get_A(G1,G3),Get_B(G1,G3)
    A24,B24 = Get_A(G2,G4),Get_B(G2,G4)
    temp2 = A13 * B24 - B13 * A24
    may_p = gmpy2.gcd(temp1,temp2)
    
    for i in range(2,2^16):
        if may_p % i == 0:
            may_p = may_p // i
    return may_p

def get_c_d(G1,G2,p):
    A12,B12 = Get_A(G1,G2),Get_B(G1,G2)
    ccd = (A12*gmpy2.invert(B12,p)) % p
    x1,y1 = G1
    cc = (x1^2 + y1^2 - ccd * x1^2 * y1^2) % p
    d = (x1^2 + y1^2 - cc) * gmpy2.invert(cc*x1^2*y1^2,p) % p
    F = Zmod(p)
    c = F(cc).sqrt()
    return c,d

P = (398011447251267732058427934569710020713094, 548950454294712661054528329798266699762662)
Q = (139255151342889674616838168412769112246165, 649791718379009629228240558980851356197207)
C1 = (730393937659426993430595540476247076383331, 461597565155009635099537158476419433012710)  #m1*P
C2 = (500532897653416664117493978883484252869079, 620853965501593867437705135137758828401933)  #m2*Q

p = Get_p(P,Q,C1,C2)
c,d = get_c_d(P,Q,p)

print(f"p = {p}")
print(f"c = {c}")
print(f"d = {d}")

需要注意的是，c是通过求解$c^2 \equiv cc \mod p$得到的。有两个c

曲线映射

注意到$p - 1$是光滑的，把曲线从Edwards Curve映射到Weierstrass Curve，然后解离散对数

映射过程是从Twisted Edwards Curve到Montgomery Curve最后到Weierstrass Curve

#sage
from Crypto.Util.number import *

p = 903968861315877429495243431349919213155709
c = 662698094423288904843781932253259903384619 # or p - c
d = 540431316779988345188678880301417602675534
a = 1
P.<z> = PolynomialRing(Zmod(p))

# 把扭曲爱德华曲线映射到蒙哥马利曲线
aa = a
dd = (d*c^4)%p
J = (2*(aa+dd)*inverse(aa-dd,p))%p
K = (4*inverse(aa-dd,p))%p
A = ((3-J^2)*inverse(3*K^2,p))%p
B = ((2*J^3-9*J)*inverse(27*K^3,p))%p

for i in  P(z^3+A*z+B).roots():
    alpha = int(i[0])
    #print(kronecker(3*alpha^2+A,p))
    for j in P(z^2-(3*alpha^2+A)).roots():
        s = int(j[0])
        s = inverse_mod(s, p)
        if J==alpha*3*s%p:
            Alpha = alpha
            S = s
# 扭曲爱德华映射到 Weierstrass形式(其中经过蒙哥马利转换)
def twist_to_weier(x,y):
    v = x*inverse(c,p)%p
    w = y*inverse(c,p)%p
    assert (aa*v^2+w^2)%p==(1+dd*v^2*w^2)%p
    s = (1+w)*inverse_mod(1-w,p)%p
    t = s*inverse(v,p)%p
    assert (K*t^2)%p==(s^3+J*s^2+s)%p
    xW = (3*s+J) * inverse_mod(3*K, p) % p
    yW = t * inverse_mod(K, p) % p
    assert yW^2 % p == (xW^3+A*xW+B) % p
    return (xW,yW)
 
def weier_to_twist(x,y):
    xM=S*(x-Alpha)%p
    yM=S*y%p
    assert (K*yM^2)%p==(xM^3+J*xM^2+xM)%p
    xe = xM*inverse_mod(yM,p)%p
    ye = (xM-1)*inverse_mod(xM+1,p)%p
    assert (aa*xe^2+ye^2)%p==(1+dd*xe^2*ye^2)%p
    xq = xe*c%p
    yq = ye*c%p
    assert (a*xq^2+yq^2)%p==c^2*(1+d*xq^2*yq^2)%p
    return (xq,yq)


P = (398011447251267732058427934569710020713094, 548950454294712661054528329798266699762662)
Q = (139255151342889674616838168412769112246165, 649791718379009629228240558980851356197207)
C1 = (730393937659426993430595540476247076383331, 461597565155009635099537158476419433012710)
C2 = (500532897653416664117493978883484252869079, 620853965501593867437705135137758828401933) 

E = EllipticCurve(GF(p), [A, B])
newP = twist_to_weier(P[0],P[1])
newQ = twist_to_weier(Q[0],Q[1])
newC1 = twist_to_weier(C1[0],C1[1])
newC2 = twist_to_weier(C2[0],C2[1])
P = E(newP)
Q = E(newQ)
C1 = E(newC1)
C2 = E(newC2)

m1 = P.discrete_log(C1)
m2 = Q.discrete_log(C2)
flag = b"SICTF{" + long_to_bytes(int(m1)) + long_to_bytes(int(m2)) + b"}"
print(flag)
# SICTF{nOt_50_3a5Y_Edw4rDs_3LlipT!c_CURv3}

关于曲线形式的文章

区块链中的数学 - 爱德华曲线方程 | 登链社区 | 区块链技术社区 (learnblockchain.cn)

区块链中的数学-爱德华曲线运算的几何意义 | 登链社区 | 区块链技术社区 (learnblockchain.cn)

区块链中的数学-蒙哥马利曲线和应用实例Curve25519 | 登链社区 | 区块链技术社区 (learnblockchain.cn)

区块链中的数学-椭圆曲线的背景及基本性质 | 登链社区 | 区块链技术社区 (learnblockchain.cn)

曲线 | Lazzaro (lazzzaro.github.io)

曲线转换：(12 封私信) Curve25519曲线是什么？ - 知乎 (zhihu.com)

misc

GeekChallenge

根据提示得知password的字符只有5种，而且长度为114

爆破即可

from pwn import *
from tqdm import *

sh = remote("yuanshen.life",33864)

sh.recvuntil(b">")

password = [0] * 114

for i in trange(32,128):
    msg = chr(i) * 114
    sh.sendline(msg.encode())
    a = sh.recvline().decode().split(">")[-1].strip("\n")
    if "1" in a:
        print(" " + chr(i) + "在password中")
        for j in range(len(a)):
            if a[j] == "1":
                password[j] = chr(i)

pwd = "".join(password)
print(f"password = {pwd}")
sh.sendline(pwd.encode())
sh.interactive()

真签到

010打开压缩包发现末尾有一串16进制

TVTTTVTXABYUXTXTXCARYYXAZCYYYUXV=

文本加密为字母,可自设密码|文本在线加密解密工具 (qqxiuzi.cn)

解密得到2024HappyNewYear

看音频文件的频谱：

另外一个jpg图片，猜测是steghide

这串字符作为密码，试了几种，最后密码是givemeyourLAGRANGE

Reverse

Baby_C++

打开ida就能看到flag

Ez_pyc

未更新之前的附件

反编译(未更新的附件)得到

# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.11.5 | packaged by Anaconda, Inc. | (main, Sep 11 2023, 13:26:23) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: C:\Users\Administrator\Desktop\233.py
# Compiled at: 2024-01-11 17:19:49
# Size of source mod 2**32: 1082 bytes
import hashlib
k = [['#'] * 10,
 [
  '#', 0, 1, 9] + [0] * 3 + [3, 0, 7],
 [
  '#', 8] + [0] * 8,
 [
  '#', 4] + [0] * 5 + [2, 0, 0],
 [
  '#'] + [0] * 4 + [3] + [0] * 4,
 [
  '#', 5] + [0] * 3 + [6, 0, 0, 2, 0],
 [
  '#', 0, 7] + [0] * 5 + [3, 1],
 [
  '#'] + [0] * 9,
 [
  '#', 0, 0, 8, 0, 9, 0, 7, 0, 0],
 [
  '#'] + [0] * 9]
cnt = 0
s = str(int(input(), 16))
try:
    for x in s:
        if x not in [str(t) for t in range(1, 10)]:
            s[cnt + 43690] = 1
        for i in range(1, len(k)):
            for j in range(1, len(k[i])):
                if k[i][j] == 0:
                    k[i][j] = int(s[cnt])
                    cnt += 1

        else:
            for i in range(1, len(k)):
                for j in range(1, len(k)):
                    if j not in k[i]:
                        s[cnt + 3735928559] = 0

            else:
                for i in range(1, len(k)):
                    tmp = []

        for j in range(1, len(k)):
            tmp.append(k[j][i])
        else:
            for j in range(1, len(k)):
                if j not in tmp:
                    s[cnt + 3735928559] = 1
            else:
                for i in range(1, len(k), int(len(k) ** 0.5)):
                    for j in range(1, len(k), int(len(k) ** 0.5)):
                        square = [k[x][y] for x in range(i, i + 3) for y in range(j, j + 3)]
                        for t in range(1, len(k)):
                            if t not in tmp:
                                s[cnt + 3735928559] = 2
                        else:
                            print('SICTF{%s}' % hashlib.md5(s.encode()).hexdigest())
                            input()

except Exception as e:
    try:
        pass
    finally:
        e = None
        del e

审计代码之后大致是解数独
$$
\begin{bmatrix}
? & 1 & 9 & ? & ? & ? & 3 & ? & 7\
8 & ? & ? & ? & ? & ? & ? & ? & ?\
4 & ? & ? & ? & ? & ? & 2 & ? & ?\
? & ? & ? & ? & 3 & ? & ? & ? & ?\
5 & ? & ? & ? & 6 & ? & ? & 2 & ?\
? & 7 & ? & ? & ? & ? & ? & 3 & 1\
? & ? & ? & ? & ? & ? & ? & ? & ?\
? & ? & 8 & ? & 9 & ? & 7 & ? & ?\
? & ? & ? & ? & ? & ? & ? & ? & ?
\end{bmatrix}
$$
拿在线网站解了一下

得到结果

依次修改矩阵K中为0的数

我们需要输入2456835127469673891564192578837194925486324875196156342796214853的16进制形式

即5f8e46ab70fce3395aa40e33a4b9f781279a3eac0d62ae01ae245

得到flag:SICTF{600d3294869ed3c6361f3fd22a672aa0}

更新后的附件

# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.11.5 | packaged by Anaconda, Inc. | (main, Sep 11 2023, 13:26:23) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: E:\CTF赛题\ez_pyc\233.py
# Compiled at: 2024-02-16 09:19:13
# Size of source mod 2**32: 1178 bytes
import hashlib
k = [['#'] * 10,
 [
  '#', 0, 1, 9] + [0] * 3 + [3, 0, 7],
 [
  '#', 8] + [0] * 8,
 [
  '#', 4] + [0] * 5 + [2, 0, 0],
 [
  '#'] + [0] * 4 + [3] + [0] * 4,
 [
  '#', 5] + [0] * 3 + [6, 0, 0, 2, 0],
 [
  '#', 0, 7] + [0] * 5 + [3, 1],
 [
  '#'] + [0] * 9,
 [
  '#', 0, 0, 8, 0, 9, 0, 7, 0, 0],
 [
  '#'] + [0] * 9]
cnt = 0
s = str(int(input(), 16))
try:
    for x in s:
        if x not in [str(t) for t in range(1, 10)]:
            s[cnt + 43690] = 1
    else:
        for i in range(1, len(k)):
            for j in range(1, len(k[i])):
                if k[i][j] == 0:
                    k[i][j] = int(s[cnt])
                    cnt += 1

        else:
            for i in range(1, len(k)):
                for j in range(1, len(k)):
                    if j not in k[i]:
                        s[cnt + 3735928559] = 0

            else:
                for i in range(1, len(k)):
                    tmp = []
                    for j in range(1, len(k)):
                        tmp.append(k[j][i])

                else:
                    for j in range(1, len(k)):
                        if j not in tmp:
                            s[cnt + 3735928559] = 1
                    else:
                        for i in range(1, len(k), int(len(k) ** 0.5)):
                            for j in range(1, len(k), int(len(k) ** 0.5)):
                                square = [k[x][y] for x in range(i, i + 3) for y in range(j, j + 3)]
                                for t in range(1, len(k)):
                                    if t not in tmp:
                                        s[cnt + 3735928559] = 2

                        else:
                            m = hashlib.md5(s.encode()).hexdigest()
                            if m == '60b845d09f7b818a1e1e6cd0f4a04d96':
                                print('SICTF{%s}' % m)
                            else:
                                print('试着换一种解嘞qwq')
                            input()

except Exception as e:
    try:
        pass
    finally:
        e = None
        del e