import sys from hashlib import md5 from binascii import * from secret import salt, flag
defdie(*args): pr(*args) quit()
defpr(*args): s = " ".join(map(str, args)) sys.stdout.write(s + "\n") sys.stdout.flush()
defsc(): return sys.stdin.buffer.readline()
defxor(s1, s2): returnbytes([s1[_] ^ s2[_] for _ inrange(len(s1))])
defmain(): border = "┃" pr( "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓") pr(border, ".: Hi all, she did Mashy, you should do it too! Are you ready? :. ", border) pr( "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")
REC = [] cnt, STEP = 0, 7 sh = md5(salt).digest() whileTrue: pr(border, f'Please send your first input: ') d1 = sc().strip() pr(border, f'Please send your second input: ') d2 = sc().strip() try: d1 = hexlify(unhexlify(d1)) d2 = hexlify(unhexlify(d2)) h1 = md5(unhexlify(d1)).digest() h2 = md5(unhexlify(d2)).digest() except: die(border, 'Your inputs are not valid! Bye!!!') if d1 != d2 and d1 notin REC and d2 notin REC: if md5(xor(d1, d2)).hexdigest() != 'ae09d7510659ca40eda3e45ca70e9606': if hexlify(xor(xor(h1, h2), sh)) == b'a483b30944cbf762d4a3afc154aad825': REC += [d1, d2] if cnt == STEP: die(border, f'Congrats! the flag: {flag}') pr(border, 'Good job, try next level :P') cnt += 1 else: die(border, 'Your input is not correct! Bye!') else: die(border, 'No this one! Sorry!!') else: die(border, 'Kidding me!? Bye!!')
ds = [(b"0e306561559aa787d00bc6f70bbdfe3404cf03659e704f8534c00ffb659c4c8740cc942feb2da115a3f4155cbb8607497386656d7d1f34a42059d78f5a8dd1ef", b"0e306561559aa787d00bc6f70bbdfe3404cf03659e744f8534c00ffb659c4c8740cc942feb2da115a3f415dcbb8607497386656d7d1f34a42059d78f5a8dd1ef"), (b"4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2", b"4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"), (b"61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a9b7a9705dbc016d1ee7267986215fc17236f827f57efa2e5bc639daeecf923f47da03c75874d3356b065cb3fc6d3e2d4c31e717e0f0bb5bafda82badcff2a73c39fb1ca8b0beea617114d5c2b91d03b4c68742afd7a201ad99bf5c8d0687932354f17bb28f45e619971b0cfa4a646c6f0867c11d6b78a52a8d32d4d9dd3b36b",b"61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a9b7a9705dbc016d1ee7267986215fc17236f8a7f57efa2e5bc639daeecf923f47da03c75874d3356b065cb3fced3e2d4c31e717e0f0bb5bafda823adcff2a73c39fb1ca8b0beea617114d5c2b91d03b4c6874aafd7a201ad99bf5c8d0687932354f17bb28f45e619971b0cfa42646c6f0867c11d6b78a52a8d32dcd9dd3b36b"), (b"6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000069dfdadccef14546a1a0809d4c8dc82b717c76f467a3f3e9431e3f8d8b49acccaabb0dc8ceefd6cd4b285c3ccfa944819ce400a4bf6c2dae6efdf2333b09eeaffdcff58b151f3a4780220f634b0154295d8383781e8d99ee74d7ffdf4f0c4d41740ec1ad06a77bfe6b9ae71831defde4fd5648a916e9982caf4ab0b1d7b00eca", b"6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000069dfdadccef14546a1a0809d4c8dc82b717c767467a3f3e9431e3f8d8b49acccaabb0dc8ceefd6cd4b285c3ccf2945819ce400a4bf6c2dae6efdf2b33b09eeaffdcff58b151f3a4780220f634b0154295d8383f81e8d99ee74d7ffdf4f0c4d41740ec1ad06a77bfe6b9ae718315efde4fd5648a916e9982caf4ab031d7b00eca"), (b"617364666173646661736466000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007dd5056da72f5275f37335a3ce864634c45719bbf0f20a641f3a7cc2b28991065fb109decee5134fe765cc81d635228c0125c7c643b46d3c7649e59b32e490b5b6f839240471983c57ee34cdbe3f8c24bbbd0a69db9c9f4e843d9c4b5fa1e5c1ae68bd0a820793365b9667d130ac64db90058a656ef8c7e75e6daea5b8012ab7", b"617364666173646661736466000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007dd5056da72f5275f37335a3ce864634c457193bf0f20a641f3a7cc2b28991065fb109decee5134fe765cc81d6b5228c0125c7c643b46d3c7649e51b32e490b5b6f839240471983c57ee34cdbe3f8c24bbbd0ae9db9c9f4e843d9c4b5fa1e5c1ae68bd0a820793365b9667d1302c64db90058a656ef8c7e75e6dae25b8012ab7"), (b"716171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006133f4597f9e0a80a1fcf81949371662bc64cc93feedeef1166280d5b4ad93b5290b0ce63a92fa1eebed4b418ed3857cb26b2d026c555660b6abe25f2841ba2e92c2dbfb18076c136a1084a5352c98339a1fb74907a60e6bd31a864becc6016cb8bec655f2491c7f6a27688f92bc05ef2fe26b4e2c342a8e569adb52367570fe", b"716171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006133f4597f9e0a80a1fcf81949371662bc64cc13feedeef1166280d5b4ad93b5290b0ce63a92fa1eebed4b418e53867cb26b2d026c555660b6abe2df2841ba2e92c2dbfb18076c136a1084a5352c98339a1fb7c907a60e6bd31a864becc6016cb8bec655f2491c7f6a27688f923c05ef2fe26b4e2c342a8e569adbd2367570fe"), (b"3132330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000036183de0fe32973a788f49067893ff2a425b45cdff8c19bdf90579e5764620bec9f3b5013e3f1b33eb61f0790546064f24be7a6b6644e47affffcf969f2527e6d82f11da93ef022a4bd2d7867565ed19492010620f789b4b761ba0c74f9c4fc1dca4b90e846d72bedabae798aac65a2d0c8b1b1f0f3a4b253764599d2e13349b", b"3132330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000036183de0fe32973a788f49067893ff2a425b454dff8c19bdf90579e5764620bec9f3b5013e3f1b33eb61f07905c6064f24be7a6b6644e47affffcf169f2527e6d82f11da93ef022a4bd2d7867565ed19492010e20f789b4b761ba0c74f9c4fc1dca4b90e846d72bedabae798aa465a2d0c8b1b1f0f3a4b253764591d2e13349b"), (b"33343500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d200507c51798a3408f8d6b72fdf7b29ae789cefd20d0d5c152680428b960bdb9aebac0b6a6bee14cb2fdf34ad81181bf9f7902842fbb51a35003b5682e81a85a1cb79d015d3f49b3d7a7a43fd5e572ab2bc726029663e65c91a86bdecc7fde98045a617f4cf077e98424dd78f8055ea3d810638317e26b2b9eb1e32590762cd", b"33343500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d200507c51798a3408f8d6b72fdf7b29ae789c6fd20d0d5c152680428b960bdb9aebac0b6a6bee14cb2fdf34ad01191bf9f7902842fbb51a35003bd682e81a85a1cb79d015d3f49b3d7a7a43fd5e572ab2bc72e029663e65c91a86bdecc7fde98045a617f4cf077e98424dd78f0055ea3d810638317e26b2b9eb1eb2590762cd") ] for d in ds: r.recvuntil(b"first input:") r.sendline(d[0]) r.recvuntil(b"second input:") r.sendline(d[1]) r.interactive() # ┃ Congrats! the flag: b'CCTF{mD5_h4Sh_cOlL!Si0N_CrYp7o_ch41lEnGe!!!}'
Medium
Joe-19
task.py
1 2 3 4 5 6 7 8 9 10 11
#!/usr/bin/env sage
from GPT import GPT6 # deep fake from Crypto.Util.number import * from flag import flag
P = [GPT6('A 512-bit prime appears in consecutive digits of e') for _ inrange(4)] n, m = prod(P), bytes_to_long(flag) c = pow(m, 0x10001, n) print(f'n = {n}') print(f'c = {c}')
# 从e的数字中提取连续的target_length位并检查素性 for i inrange(len(e_value) - target_length + 1): candidate = e_value[i:i + target_length] candidate_int = int(candidate) if sympy.isprime(candidate_int) and (n % candidate_int == 0): print(f"Found a 512-bit prime: {candidate}") else: print("No 512-bit prime found in the specified range of digits.")
求出1个p之后尝试解了一下,没想到就出了
1 2 3 4 5 6 7 8 9
from Crypto.Util.number import inverse,long_to_bytes
c = 7109666883988892105091816608945789114105575520302872143453259352879355990908149124303310269223886289484842913063773914475282456079383409262649058768777227206800315566373109284537693635270488429501591721126853086090237488579840160957328710017268493911400151764046320861154478494943928510792105098343926542515526432005970840321142196894715037239909959538873866099850417570975505565638622448664580282210383639403173773002795595142150433695880167315674091756597784809792396452578104130341085213443116999368555639128246707794076354522200892568943534878523445909591352323861659891882091917178199085781803940677425823784662 p = 7728751393377105569802455757436190501772466214587592374418657530064998056688376964229825501195065837843125232135309371235243969149662310110328243570065781
d = inverse(65537,p-1) m = pow(c,d,p) print(long_to_bytes(m)) # CCTF{ASIS_h1r3_7aL3nT5_t0_cO1La8orAt3_!N_Crypto_CTF!}
from Crypto.Util.number import * from math import sqrt from flag import flag
defgen_params(nbit): p, Q, R, S = getPrime(nbit), [], [], [] d = int(sqrt(nbit << 1)) for _ inrange(d): Q.append(getRandomRange(1, p - 1)) R.append(getRandomRange(0, p - 1)) S.append(getRandomRange(0, p - 1)) return p, Q, R, S
defencrypt(m, params): p, Q, R, S = params assert m < p d = int(sqrt(p.bit_length() << 1)) C = [] for _ inrange(d): r, s = [getRandomNBitInteger(d) for _ in'01'] c = Q[_] * m + r * R[_] + s * S[_] C.append(c % p) return C
p = 10580731215444436219213907263947534038012197972307836319229421193761088798378768844649759133142120180834573817149711299466707823017636232456526471274387917 Q = [6718668664591596190749745980002066645380242844394957953766947533978323053938214647829798301606252456858132121628517723050462291300790766055200866765561610, ...] R = [8922553268219903948421811612403588317187402276064169063400419617931637566221670948925221403527928336656976084021780421068421112325215152715630319708159148, ...] S = [4389820170235953517860364281419052587762385444517203945856665517072263529411621622474249480804818285716662154444854074939122170918939074730520091008754679, ...] C = [2312453804397990204892582347458673184184584053391181580849656202381982276483135032773767708029907426388840618138608941250788745829088238589339462137662516, ...] from Crypto.Util.number import long_to_bytes,inverse
h = 1051643987107349427988807326909852110640860009433515828832892541964729933410444984350917250524103015414239941369074041041830326426044333499878031164851095096864048639115431370526747014210332286314344073411522846701723463410585601251886732229726828022089809603850477551571014006202841406236367999378786782206165205893353928598469661871284779486855440579818275314024966224282757807716013799903830828885606714972634243850947534165272668985513949964901606268939300116019465522042467054120201087606016018354238401711720121586874288767235317479748890350702705575809130664969776549574720593740409234863974057904204809404816059921579771581800937241591669455683460570640868196509926763901079838233646036933530095891316054589051458146768287967886035091641162494322987627448810201550901588438560433001422233269632915351406169253963308421081459981594969405377353502889363324282815864766827664453823780238352371809048289845094882346227809082005375092441877966603138648719670349093616548820955566204871333952902983753935678447080673827214244142614295192263451840766771122229866931492260663320087497820892824540996643905125018452302747847009 c = 11913143174789215053772744981113562063689725867199301496294410323568897757042952642806438602327917861884988292757318755590132189620231444302311290566584065812614959093870787195145654508262419270742989923415342357807325941686508030706603920412262004324188375072184983301522882728578077572816154054220606088703932092256905881975876112779175003897105313776239681492514925430817300633974666123599685062340158348009344351002327049272743679109535286730751345284084148118733529966364414749672437370878526710641430471595906340522772252875146681541656231708112317601000655090279925720590940060372738708208419449824043905057860829031242339842131799965043031307394209699264362321397162645220002253271689678364848888381499587038475895945238726252440250183268252483198408039250213490525880829604473555612305513974817850974135874728084839426045420913060975464553734293001460752648937744531874552694145500413222582269910431269597066268600572899619407093373565994271589940926018891922169454906132284552523035481664164354874071831210264979733079749696197917769435226866441989054017071332158916586376454753209296136133271926449919437888563234409 d = 563 q = 4 * 100 ** d
Ge = Matrix(QQ,[ [1,0,0,1], [0,QQ(1/2^1300),0,h+1], [0,0,2^500,-c], [0,0,0,q] ])
Ge[:,-1:] *= 2^400
for line in Ge.LLL(): if line[-1] == 0and line[-2] == 2^500: m = line[0] print(long_to_bytes(int(m))) # CCTF{4_c0N9rU3n7!aL_Pu81iC_k3Y_cRyp70_5ySTeM_1N_CCTF!!}
import sys from Crypto.Util.number import * from string import * from random import * from flag import flag defdie(*args): pr(*args) quit() defpr(*args): s = " ".join(map(str, args)) sys.stdout.write(s + "\n") sys.stdout.flush() defsc(): return sys.stdin.buffer.readline()
defrandstr(l): return''.join([printable[randint(0, 90)] for _ inrange(l)])
defmain(): border = "┃" pr( "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓") pr(border, ".: Welcome to RM2 task! Your mission is break our cryptosystem :. ", border) pr( "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛") nbit, _b = 1024, False pr(border, f"Please provide your desired {nbit}-bit prime numbers p, q:") inp = sc().decode() try: p, q = [int(_) for _ in inp.split(',')] if p.bit_length() == q.bit_length() == nbit and isPrime(p) and isPrime(q) and p != q: _b = True except: die(border, f"The input you provided is is not valid!") if _b: e, n = 65537, p * q s = randstr(nbit >> 4).encode() m = bytes_to_long(s) assert m < n >> 2 c1, c2 = encrypt(s, p, q) pr(border, f'c1 = {c1}') pr(border, f'c2 = {c2}') pr(border, f'Now, send us the secret string to get the flag: ') _m = sc().strip() if _m == s: die(border, f'Congrats, you got the flag: {flag}') else: die(border, f'The secret string is not correct! Bye!!') else: die(border, f"Your input does not meet the requirements!!!")
from Crypto.Util.number import long_to_bytes,bytes_to_long,inverse,getPrime
p = 133224050543430062211629847044421243222910690720365968427412841722506439174549747613990210142024028142848723612800105705159487044524842057980872245885287397333870551220049647060119814898547349156706111992624741988947657765158716186961219939168491143499535969766310024424830954645873772043625734178759763058883 q = 90330421064223713929276769622914087953294714791357085135339678205426985257931704523421399767629583035835956696500783300892674935831518546758439508387421293154286042908799206279898945836238163017701920492640836213120071887754494477278200584018477180611850795938206816002694846174745054900075332883738901295549 e = 65537
for i inrange(20): data = sh.recvline().strip().decode().split("and") old = eval(data[0].split("=")[-1]) new = eval(data[1].split("=")[-1]) y = new - old x = y+1 sh.recvline().strip().decode() sh.sendline(f"{x},{y}".encode()) print(sh.recvline().strip().decode()) if i == 19: print(sh.recvline().strip().decode()) # CCTF{BADA_iZ_4_K0r3An_5!ngeR!!}
from Crypto.Util.number import * from flag import flag
defencrypt(msg, nbit): m, p = bytes_to_long(msg), getPrime(nbit) assert m < p e, t = randint(1, p - 1), randint(1, nbit - 1) C = [randint(0, p - 1) for _ inrange(t - 1)] + [pow(m, e, p)] R.<x> = GF(p)[] f = R(0) for i inrange(t): f += x**(t - i - 1) * C[i] P = [list(range(nbit))] shuffle(P) P = P[:t] PT = [(a, f(a)) for a in [randint(1, p - 1) for _ inrange(t)]] return e, p, PT
模p下有一个多项式: $$ f \equiv C_0x^{384}+C_1x^{383} +…+C_{383}x+C_{384} \mod p $$ 而这个$C_{384} \equiv m^e \mod p$
题目给了我们385组$(a,f(a))$。思路比较清晰,就是把常数项求出来,然后解RSA
解这个矩阵方程,就能把$C_i$求出来
1 2 3 4 5 6 7 8 9 10 11 12 13 14
enc = eval(open("output.txt",'r').read()) e,p,PT = enc t = len(PT)
A = [[pow(PT[i][0],t-1-j,p) for j inrange(t)] for i inrange(t)] B = [PT[i][1] for i inrange(t)]
A = Matrix(Zmod(p),A).transpose() B = vector(Zmod(p),B)
C = A.solve_left(B).list() c = C[-1] print(c) # 7578451683223886721897751965012512970186814199061886859082385728532294810974986601048390882041773215459258245487361965408708218417206386123135513829067466
然后求解RSA,e,phi不互素,公因数是2,有限域开根
exp.py
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
from Crypto.Util.number import * import gmpy2
c = 7578451683223886721897751965012512970186814199061886859082385728532294810974986601048390882041773215459258245487361965408708218417206386123135513829067466 e = 3316473234742974510609176519968107496789324827839883341690084725836178910956015867823194881383215644380418162164089588828798132617649547462723383625707014 p = 9486915681801496583557174944405629563403346572353787092582704754226121096049954529719556720667960706741084895049852989479773192757968901195529919070579679
d = inverse(e//2,p-1) m2 = pow(c,d,p)
R.<x> = PolynomialRing(Zmod(p)) f = x^2 - m2 res = f.roots()
for root in res: print(long_to_bytes(int(root[0]))) # CCTF{SSS_iZ_4n_3fF!ciEn7_5ecr3T_ShArIn9_alGorItHm!}
解这样的方程即可求出a: $$ 17A\times a = 17a^2 + 1 $$ 这里A是分式,求解的时候左右两边同时乘上一个大数,再解
1 2 3 4 5 6 7 8 9
A = 6080057478320734754578252336954411086329731226445881868123716230995225973869803901199434606333357820515656618869146654158788168766842914410452961599054518002813068771365518772891986864276289860125347726759503163130747954047189098354503529975642910040243893426023284760560550058749486622149336255123273699589/10166660077500992696786674322778747305573988490459101951030888617339232488971703619809763229396514541455656973227690713112602531083990085142454453827397614
var('a')
T = 2^2000 f = (17*a^2 + 1)*T - (17*A * a)*T == 0 res = f.roots() print(res) # 598038828088293688046274960163455723857293440615241291237111095137601911115982565871162542905677325967979821954570041947800148887293534420144379636905742
然后用同样的思路,解$m_1,m_2$的方程组就出了
exp
1 2 3 4 5 6 7 8 9 10 11 12
U = 3225614773582213369706292127090052479554140270383744354251548034114969532022146352828696162628127070196943244336606099417210627640399143341122777407316956319347428454301338989662689983156270502206905873768685192940264891098471650041034871787036353839986435/9195042623204647899565271327907071916397082689301388805795886223781949921278129819112624089473306486581983153439866384171645444456400131619437018878598534536108398238424609 V = 1971582892158351181843851788527088806814104010680626247728311504906886858748378948163011806974145871263749452213375101951129675358232283650086419295655854343862361076089682606804214329522917382524296561295274823374483828323983651110722084223144007926678084087/9195042623204647899565271327907071916397082689301388805795886223781949921278129819112624089473306486581983153439866384171645444456400131619437018878598534536108398238424609 a = 598038828088293688046274960163455723857293440615241291237111095137601911115982565871162542905677325967979821954570041947800148887293534420144379636905742 T = 2^2000