b01lersCTF

发表于 更新于 分类于 阅读次数: Waline: 本文字数: 2.1k 阅读时长 ≈ 8 分钟

记录b01lersCTF——Crypto题解

choose_the_param

nc gold.b01le.rs 5001

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/usr/bin/python3
from Crypto.Util.number import long_to_bytes, bytes_to_long, getPrime
import os
from secret import flag

padded_flag = os.urandom(200) + flag + os.urandom(200)
m = bytes_to_long(padded_flag)

def chal():
    print("""Choose your parameter
Enter the bit length of the prime!
I'll choose two prime of that length, and encrypt the flag using rsa.
Try decrypt the flag!    
""")
    while True:
        bits = input("Enter the bit length of your primes> ")
        try:
            bit_len = int(bits)
        except:
            print("please enter a valid intergar")
            continue

        p1 = getPrime(bit_len)
        p2 = getPrime(bit_len)

        n = p1 * p2
        e = 65537
        c = pow(m, e, n)
        print(f"n = {n:x}")
        print(f"e = {e:x}")
        print(f"c = {c:x}")

if __name__ == "__main__":
    chal()

flag长度很长,大概450左右。思路是让$p,q$比较小,使得n很好分解,然后不断求解m,最后crt

我选择的素数是64bit的,生成128bit的n。大概交互32次就可以恢复完整的flag

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from sage.all import factor,CRT_list
from pwn import *
from Crypto.Util.number import *
from tqdm import *
import gmpy2

sh = remote("gold.b01le.rs",5001)
sh.recvuntil(b"Try decrypt the flag! ")
N = []
M = []
for _ in trange(32):
    sh.recvuntil("Enter the bit length of your primes> ")
    sh.sendline(b"64")
    n = int(sh.recvline().strip().decode().split("=")[-1],16)
    e = int(sh.recvline().strip().decode().split("=")[-1],16)
    c = int(sh.recvline().strip().decode().split("=")[-1],16)
    N.append(n)
    phi = 1
    for i in factor(n):
        phi *= i[0] - 1
    d = gmpy2.invert(e,phi)
    m = pow(c,d,n)
    M.append(m)

msg = CRT_list(M,N)
flag = long_to_bytes(msg)
# bctf{dont_let_the_user_choose_the_prime_length_>w<}

half-big-rsa

task.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import math
from Crypto.Util.number import getPrime, bytes_to_long, long_to_bytes
import os

num_bits = 4096
e = (num_bits - 1) * 2
n = getPrime(num_bits)

with open("flag.txt","rb") as f:
    flag = f.read()

m = bytes_to_long(flag)
c = pow(m, e, n)
print(c)

with open("output.txt", "w") as f:
	f.write("e = {0}\n".format(e))
	f.write("n = {0}\n".format(n))
	f.write("c = {0}\n".format(c))

"""
e = 8190
n = 665515140120452927777672138241759151799589898667434054796291409500701895847040006534274017960741836352283431369658890777476904763064058571375981053480910502427450807868148119447222740298374306206049235106218160749784482387828757815767617741823504974133549502118215185814010416478030136723860862951197024098473528800567738616891653602341160421661595097849964546693006026643728700179973443277934626276981932233698776098859924467510432829393769296526806379126056800758440081227444482951121929701346253100245589361047368821670154633942361108165230244033981429882740588739029933170447051711603248745453079617578876855903762290177883331643511001037754039634053638415842161488684352411211039226087704872112150157895613933727056811203840732191351328849682321511563621522716119495446110146905479764695844458698466998084615534512596477826922686638159998900511018901148179784868970554998882571043992165232556707995154316126421679595109794273650628957795546293370644405017478289280584942868678139801608538607476925924119532501884957937405840470383051787503858934204828174270819328204062103187487600845013162433295862838022726861622054871029319807982173856563380230936757321006235403066943155942418392650327854150659087958008526462507871976852849
c = 264114212766855887600460174907562771340758069941557124363722491581842654823497784410492438939051339540245832405381141754278713030596144467650101730615738854984455449696059994199389876326336906564161058000092717176985620153104965134542134700679600848779222952402880980397293436788260885290623102864133359002377891663502745146147113128504592411055578896628007927185576133566973715082995833415452650323729270592804454136123997392505676446147317372361704725254801818246172431181257019336832814728581055512990705620667354025484563398894047211101124793076391121413112862668719178137133980477637559211419385463448196568615753499719509551081050176747554502163847399479890373976736263256211300138385881514853428005401803323639515624537818822552343927090465091651711036898847540315628282568055822817711675290278630405760056752122426935056309906683423667413310858931246301024309863011027878238814311176040130230980947128260455261157617039938807829728147629666415078365277247086868327600962627944218138488810350881273304037069779619294887634591633069936882854003264469618591009727405143494184122164870065700859379313470866957332849299246770925463579384528152251689152374836955250625216486799615834558624798907067202005564121699019508857929778460
"""

法1

题目给的信息很少,抱着试试看的心态用nthroot跑了一下,大概20分钟出结果

exp

1
2
3
4
5
6
7
8
9
10
11
from Crypto.Util.number import *

e = 8190
n = 
c = 

res = Zmod(n)(c).nth_root(e, all=True)
for m in res:
    flag = long_to_bytes(int(m))
    print(flag)
    # bctf{Pr1M3_NUM83r5_4r3_C001_bu7_7H3Y_4r3_57r0N6_0N1Y_WH3N_7H3Y_4r3_MU171P113D_3V3N_1F_7H3Y_4r3_b1g}

法2

赛后和鸡块师傅交流的时候才发现,我比赛的时候没注意n是个素数可以求$\phi(n)$,正常思路应该是直接求d,但是发现$e$和$\phi(n)$的公因数是18

直接用nthroot确实可以出,但是我们可以加快速度,思路如下
$$
\because c \equiv m^{8190} \mod n
$$

$$
c \equiv m^{18\times 455} \mod n
$$

$$
\therefore c^{455^{-1}} \equiv m^{18\times 455\times 455^{-1}} \equiv m^{18} \mod n
$$

求得这个新的$c$,再用nthroot

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from Crypto.Util.number import *
import gmpy2

e = 8190
n = 
c = 

phi = n - 1

# t = gmpy2.gcd(e,phi)
# print(t)
# 18

inv = gmpy2.invert(455,phi)

cc = pow(c,inv,n)
res = Zmod(n)(cc).nth_root(18, all=True)

for m in res:
    flag = long_to_bytes(int(m))
    print(flag)

奇怪的是,还是跑了18分钟这么久

Fetus-RSA

task.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
from Crypto.Util.number import bytes_to_long, getPrime, isPrime
from sage.all import matrix, Zmod
from flag import flag


def nextPrime(prim):
    if isPrime(prim):
        return prim
    else:
        return nextPrime(prim+1)

p1 = getPrime(128)
p2 = nextPrime(p1 * 1)
p3 = nextPrime(p2 * 3)
p4 = nextPrime(p3 * 3)
p5 = nextPrime(p4 * 7)

primes = [p1, p2, p3, p4, p5]

n = p1 * p2 * p3 * p4 * p5

fragments = [bytes_to_long(flag[5*i:5*i+5]) for i in range(25)]

e = 31337

topG = matrix(Zmod(n), [[fragments[5*i + j] for j in range(5)] for i in range(5)])
bottomG = topG ** e

with open("output.txt", "w") as file:
    file.write(f"n = {n}\n\n")
    file.write("Ciphertext Matrix:\n\n")
    for row in bottomG:
        for num in row:
            file.write(str(num) + " ")
        file.write("\n\n")

先分解n,可以发现n是5个比较接近的素数之积,其实$n \approx 1701p^5$(这个值可能记错了,师傅们可以自己算一下)

把n除掉1701之后再开5次方得到一个比较接近p的值,然后做一个简单的爆破就可以得到$p$,再依次求出其他因子

然后是把flag每5个作为一组,转成数值后作为矩阵的元素,矩阵是$5\times 5$的规模,所以flag长度为125(这个不重要)

再对明文矩阵做了$e$次方的运算。

这题其实就类似于RSA,我们需要求一个$d$,满足$ed \equiv 1 \mod order$,order指的是模n下一般线性群的阶,在Tover师傅的博客中有关于一般线性群阶的知识。

注意到这个p是128bit的值,所以我们不需要在模n下求解,只需要在模p下求解。因此只需要求模p下5阶方阵的阶

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
from Crypto.Util.number import *
import gmpy2

def nextPrime(prim):
    if isPrime(prim):
        return prim
    else:
        return nextPrime(prim+1)
e = 31337
n = 515034877787990680304726859216098826737559607654653680536655175803818486402820694536785452537613547240092505793262824199243610743308333164103851365420630137187276313271869670701737383708742526677
t = gmpy2.iroot(n//1701,5)[0]

# for i in range(1000):
#     p = t - i
#     if isPrime(p):
        # print(f"p = {p}")
        
p = 197800081090910969169502702324035680453
p1 = p
p2 = nextPrime(p1 * 1)
p3 = nextPrime(p2 * 3)
p4 = nextPrime(p3 * 3)
p5 = nextPrime(p4 * 7)
n = p1*p2*p3*p4*p5

order_p = p*(p-1)*(p+1)*(p^2+p+1)*(p^2+1)*(p^4+p^3+p^2+p+1)
d = gmpy2.invert(e,order_p)

C = Matrix(Zmod(p),[
    [247714609729115034577268860647809503348452679955541765864525644036519903244610407544592438833012659821363982836831477850927621505723503202914955484784761468695340160789629882004055804409080695867,331625142917011732363496584111977497826539848810596405639715608289185491230192921594585113936516744954068559616963395888825085234835086592835782522823153199824647815923311303312529222423487842184,55437288185949549641415195099137917985198178875175317590356850868652628068256771878957686344008331498612071069691453711091201145528626750365270496738628725699281809961803599963127434726167609435,514660916099185196031776141538776359410382339048282799109733569738126784171011249457518653961429789338579350043906060924939800730829826389077489637524528092592193187169747629063004980325000389554,432908737089369750416720813650504950741227543859957288298129130571557758647818791153409184252564534925607409378801765727301405467691263041798341098982058861749568674152447781841703730861074171486],
    [104171307746966345345857299403770324392522334886728513788970028646835780770090370816961277474173463662053179135418083415763603092683905102293259569143230591686555033557056635683615214642425173517,281995809329109899498417283591516891672267505291547187769414960759245222376040526984420670509684233818236456944690830422135256653807646369718495017051487254128669606210585168140190305476396414836,448210297704655248563230644309382726474650012116320871206976601497778210586480264554625801730855872456388662647389829317946932942681549854741993522145903386318540208729036379511878276729211658861,399193502999265141959383452857091791757532600793923480036782294759164203783245516880539439411508616363396395258745387111132143827593272610961260623660064934154238955120293971424750525097551648180,448909699677346701183758951038319440723583288307818355958233994863175886710495171317606803723159576428485212274726596045235998230677229224379125716760136092533604817049730746550292371970711497032],
    [10383824979618791372207750490225860866360446289011667617367731854443817405025701872398853456038612719059056477356275566409859556622099910727870579661815727983662245805512246175424036918556245316,3042212133475156282375315438954933898496627384941849067508473136817427432524109900983912625376319043681252528210663860374506706029777992048856493297280439498831646567645849063286941560111486091,303901520908845557762276355500926092138935908381564097855093945643653520650021074626397106363589843089839561176214123648988682404983806374183953260408815900582907133898417354283905163971086566554,385414980407334346707284477209921028250475161696209076212214696858828374481374774762344617183479700018626970039426895699261230837253656355202103718574806419224338390036737550645417315148014935208,172437598435610362668691083369422058178612127588567286669952095014310724933793758671802664372505747578789080527221296229242137567445447449560987571505575740311394634799579166058011734727404038041],
    [459726837943530454128170171077760511486009487765694189770202436458018005866133157577824055980174845256397040485330898693944501922148000904627621334536523927325451030816598478315788682056071758797,318766645374831072244114015670117551595181174553017703335802708316885112551395705202907958737214488185739954176085085611052360624160681549561415131064529778955941226762589967588568203157586014646,485361005374731090711430490780588207888099824436671620066599360058262282812311497518237782819588602409946446254729349547214950452718084694554650900064587640931729162822096611158015732013679765115,442488981185685119421099225895492967006907103880489001122993678677306129218035946328038537612725434883858276836497639772750576738969390151812664236525222680918250542360570252193283310559820113337,294017672174100375503817924437430140826863578191649796300540064690169411498877218939778928997294952104395700469268399214549954967540991489929488976904050382049934179672641195866868009511101289284],
    [394288980150370144394508377797340867635320394706221783789360450886862330500083595146934277232717671435601428999455723360437715407992902972393377872146437245909234935183690525050686313034961250106,174537062539250527750306397111216900339583030576848484858177223085331307339246744122607759453386390209872407563526999813562242756044330978624067706177762337375480164381575660119163723806663394768,167378817268639407255382001659131271694745168867873206910416580974376327982114272760583238198872032832961214636912981493082249850676384736073683786291369414678559758485110038329085571864758144806,479478683656492256273719495784577239188841595512723735000697935028851355713461770920044121053505358284609828319371252306609569657211738503902322975549066701614139339082341370785743668742796520457,468925056254460005965810812432459057693038841264871939568448625553319440670497244388153862616274082271409346691280049609288322448351851208172939513793874861880752049454593563028452119997997329883]
])

M = C ** d
flag = b""
for row in M:
    for i in range(len(row)):
        flag += long_to_bytes(int(row[i]))
print(flag)
# bctf{c0ngr4ts_y0u_35c4p3d_th3_m4tr1c3s, but really how? what color is your honda civic? sorry i just need to make this long.}

schnore

nc gold.b01le.rs 5005

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#!/usr/bin/python3

import sys
from Crypto.Util import number
from Crypto.Hash import SHA512

with open("flag.txt") as f:
    flag = f.read()

# FIPS 186-4 Appendix A.1/A.2 compliant prime order q group and prime order p field
#from Crypto.PublicKey import DSA as FFCrypto
#(p,q,g) = FFCrypto.generate(2048).domain()
p = 32148430219533869432664086521225476372736462680273996089092113172047080583085077464347995262368698415917196323365668601969574610671154445337781821758494432339987784268234681352859122106315479086318464461728521502980081310387167105996276982251134873196176224643518299733023536120537865020373805440309261518826398579473063255138837294134742678213639940734783340740545998610498824621665838546928319540277854869576454258917970187451361767420622980743233300167354760281479159013996441502511973279207690493293107263225937311062981573275941520199567953333720369198426993035900390396753409748657644625989750046213894003084507
q = 25652174680121164880516494520695513229510497175386947962678706338003
g = 23174059265967833044489655691705592548904322689090091191484900111607834369643418104621577292565175857016629416139331387500766371957528415587157736504641585483964952733970570756848175405454138833698893579333073195074203033602295121523371560057410727051683793079669493389242489538716350397240122001054430034016363486006696176634233182788395435344904669454373990351188986655669637138139377076507935928088813456234379677586947957539514196648605649464537827962024445144040395834058714447916981049408310960931998389623396383151616168556706468115596486100257332107454218361019929061651117632864546163172189693989892264385257

def prove():
    print("The oracles say that X is g^x and A is g^a. Be that as it may...")
    print("Perhaps there exists a way to make their confidence sway!")

    # (Sorry, can't choose a :)
    A = 30210424620845820052071225945109142323820182565373787589801116895962027171575049058295156742156305996469210267854774935518505743920438652976152675486476209694284460060753584821225066880682226097812673951158980930881565165151455761750621260912545169247447437218263919470449873682069698887953001819921915874928002568841432197395663420509941263729040966054080025218829347912646803956034554112984570671065110024224236097116296364722731368986065647624353094691096824850694884198942548289196057081572758803944199342980170036665636638983619866569688965508039554384758104832379412233201655767221921359451427988699779296943487

    h = SHA512.new(truncate="256")
    h.update(number.long_to_bytes(g) + number.long_to_bytes(p) + number.long_to_bytes(A))
    c = number.bytes_to_long(h.digest()) % p

    z = int(input("a + cx = ")) % p
    
    return (A,c,z)


def setup():
    print("> I'm so sleepy, I almost forgot; we should share what we ought.")
    print("> Just between you and me, can we agree on a verifying key...?")
    X = int(input("> X = ")) % p
    
    return X

def verify(A,c,z,X):
    h = SHA512.new(truncate="256")
    h.update(number.long_to_bytes(g) + number.long_to_bytes(p) + number.long_to_bytes(A))
    cp = number.bytes_to_long(h.digest()) % p
    
    if c != cp or pow(g, z, p) != ((A * pow(X, c, p)) % p):
        print("> Oh, even my bleary eyes can tell your evidence is fau x !!")
        print("> Are you sure that what you say is what you truly know?")
        sys.exit()
    else:
        print("> ", end="")
        print(flag)

if __name__ == "__main__":
    (A,c,z) = prove()
    X = setup()
    verify(A,c,z,X)

c == cp这个不需要在意,他自然就是满足的,主要是要让另外一边相等。我们能够控制zX

很巧妙的构思让$z = 0$,于是pow(g,z,p) = 0,右边就要想办法让$X^c \equiv A^{-1} \mod p$

很自然的能想到类似RSA的思路,让$X \equiv (A^{-1})^e \mod p$,这个$e$需要满足$ec \equiv 1 \mod \phi(p)$

于是$X^c \equiv (A^{-1})^{ec} \equiv A^{-1} \mod p$

实际实现的时候可以发现,e与$\phi(p)$是不互素的,此时要注意到题目说了这个群的阶是$q$,可以转化到求$ec \equiv 1 \mod q$

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from sage.all import *
from Crypto.Util import number
from Crypto.Hash import SHA512
import gmpy2

p = 32148430219533869432664086521225476372736462680273996089092113172047080583085077464347995262368698415917196323365668601969574610671154445337781821758494432339987784268234681352859122106315479086318464461728521502980081310387167105996276982251134873196176224643518299733023536120537865020373805440309261518826398579473063255138837294134742678213639940734783340740545998610498824621665838546928319540277854869576454258917970187451361767420622980743233300167354760281479159013996441502511973279207690493293107263225937311062981573275941520199567953333720369198426993035900390396753409748657644625989750046213894003084507
q = 25652174680121164880516494520695513229510497175386947962678706338003
g = 23174059265967833044489655691705592548904322689090091191484900111607834369643418104621577292565175857016629416139331387500766371957528415587157736504641585483964952733970570756848175405454138833698893579333073195074203033602295121523371560057410727051683793079669493389242489538716350397240122001054430034016363486006696176634233182788395435344904669454373990351188986655669637138139377076507935928088813456234379677586947957539514196648605649464537827962024445144040395834058714447916981049408310960931998389623396383151616168556706468115596486100257332107454218361019929061651117632864546163172189693989892264385257
A = 30210424620845820052071225945109142323820182565373787589801116895962027171575049058295156742156305996469210267854774935518505743920438652976152675486476209694284460060753584821225066880682226097812673951158980930881565165151455761750621260912545169247447437218263919470449873682069698887953001819921915874928002568841432197395663420509941263729040966054080025218829347912646803956034554112984570671065110024224236097116296364722731368986065647624353094691096824850694884198942548289196057081572758803944199342980170036665636638983619866569688965508039554384758104832379412233201655767221921359451427988699779296943487
h = SHA512.new(truncate="256")
h.update(number.long_to_bytes(g) + number.long_to_bytes(p) + number.long_to_bytes(A))
c = number.bytes_to_long(h.digest()) % p

Ainv = gmpy2.invert(A,p)
e = gmpy2.invert(c,q)
X = pow(Ainv,e,p)

print(X)
z = 0
print(pow(g,z,p))
print(A*pow(X,c,p)%p)

最后只需要传入

1
2
a + cx = 0
X = 19805709471217645482994063928989232052421953029889556196440912466885007894426627225609327983032620202153855550360223088814969950136658024031366644612027440003586527315627375755980023491174345196460462084013316854170594941724489426524643810285361495069244784160097875576606948416522808256009062151158878030536167300300563164985148039705086383522816788975595614152366395692547362281861708360767355898825189743785255175423703637558391032853146881669124678016614663704343518610020135219251764225040268005200779658861798846792177960065028841070288410881522856036877418862825279659139810238320244689690946600242314538099649

bctf{t00_t1r3d_t0_n0t1c3_m1551n9_pub_k3y_1n_5t4t3m3nt}

shamir-for-dummies——没做

nc gold.b01le.rs 5006

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
import os
import sys
import time
import math
import random
from Crypto.Util.number import getPrime, isPrime, bytes_to_long, long_to_bytes

def polynomial_evaluation(coefficients, x):
	at_x = 0
	for i in range(len(coefficients)):
		at_x += coefficients[i] * (x ** i)
		at_x = at_x % p
	return at_x

flag = b'bctf{REDACTED}'

print("")
print("Thanks for coming in. I can really use your help.\n")
print("Like I said, my friend can only do additions. He technically can do division but he says he can only do it once a day.")
print("")
print("I need to share my secret using Shamir secret sharing. Can you craft the shares, in a way that my friend can recover it?\n")
print("")
print("Don't worry, I have the polynomial and I will do all the math for you.")
print("")

s = bytes_to_long(flag)

n = getPrime(4)
p = getPrime(512)

while p % n != 1:
    p = getPrime(512)

print("Let's use \n")
print("n =", n)
print("k =", n)
print("p =", p)
print("")

coefficients = [s]
for i in range(1, n):
	coefficients.append(random.randint(2, p-1))

print("Okay, I have my polynomial P(X) ready. Let me know when you are ready to generate shares with me.\n")
print("")

evaluation_points = []
shares = []

count = 1
while count < n+1:
	print("Evaluate P(X) at X_{0} =".format(count))
	print("> ", end="")
	eval_point = int(input())
	if eval_point % p == 0:
		print("Lol, nice try. Bye.")
		exit()
		break
	elif eval_point < 0 or eval_point > p:
		print("Let's keep things in mod p. Please choose it again.")
	else:
		if eval_point not in evaluation_points:
			evaluation_points.append(eval_point)
			share = polynomial_evaluation(coefficients, eval_point)
			shares.append(share)
			count += 1
		else:
			print("You used that already. Let's use something else!")

print("Nice! Let's make sure we have enough shares.\n")
assert len(shares) == n
assert len(evaluation_points) == n
print("It looks like we do.\n")
print("By the way, would he have to divide with anything? (Put 1 if he does not have to)")
print("> ", end="")
some_factor = int(input())
print("Good. Let's send those over to him.")

for _ in range(3):
	time.sleep(1)
	print(".")
	sys.stdout.flush()

sum_of_shares = 0

for s_i in shares:
	sum_of_shares += s_i
	sum_of_shares = sum_of_shares % p

sum_of_shares_processed = (sum_of_shares * pow(some_factor, -1, p)) % p

if sum_of_shares_processed == s:
	print("Yep, he got my secret message!\n")
	print("The shares P(X_i)'s were':")
	print(shares)
	print("... Oh no. I think now you'd know the secret also... Thanks again though.")
else:
	print("Sorry, it looks like that didn't work :(")

count_the_counter——没做

nc gold.b01le.rs 5002

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/bin/python3
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
from secret import flag
import os


def Encrypt(key, message, nonce):
    cipher = AES.new(key, AES.MODE_CTR, nonce=long_to_bytes(nonce))
    return cipher.encrypt(message).hex()


def chal():
    key = os.urandom(16)
    print("Treat or Trick, count my thing. ")
    nonce_counter = 1
    print(Encrypt(key, flag, nonce_counter))
    while True:
        nonce_counter += 1
        to_enc = input("Give me something to encrypt: ")
        print(Encrypt(key, bytes.fromhex(to_enc), nonce_counter))


if __name__ == "__main__":
    chal()
-------------已经到底啦!-------------