初始谜题1
由源码可知,有固定的前缀,且长度为18
,超过一个块的长度,可以通过求方程的形式先将key求出来,再将整个key带入解密函数得到加密前的字符串
求key
# sage
N_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
N = Integer(int(N_HEX, 16))c = 93382245813721552487797960827649171665391507700644252652416613658034348007025
a = 89652660640613347754090896429354803559
# 求解方程的过程
PR.<x> = PolynomialRing(Zmod(N))
f = a*x-c
x = f.monic().roots()[0][0]
print(x)
# 78219201121828481251879725014475581035499659637323462262120670452020141740957
解密:
from sympy import Mod, Integer
from sympy.core.numbers import mod_inverseN_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
MODULUS = Integer(int(N_HEX, 16))
MSG_PREFIX = "CryptoCup message:"# 解密函数
def decrypt_message(encrypted_message, key):num_blocks = len(encrypted_message) // 32blocks = [encrypted_message[i * 32:(i + 1) * 32] for i in range(num_blocks)]decrypted_blocks = []k = key# 解密每个分组for block in blocks:block_int = int.from_bytes(block, byteorder='big')key_inv = mod_inverse(k, MODULUS)decrypted_block_int = Mod(block_int * key_inv, MODULUS)decrypted_blocks.append(decrypted_block_int)k += 1 # 密钥自增1# 将解密后的分组连接成最终的明文decrypted_message = b''.join(int(block_int).to_bytes(16, byteorder='big') for block_int in decrypted_blocks)# 去除前缀if decrypted_message.startswith(MSG_PREFIX.encode('utf-8')):decrypted_message = decrypted_message[len(MSG_PREFIX):]return decrypted_message.rstrip(b'\x00').decode('utf-8')enc = "ce747a655f632a64ad55d86d5b071bffbae52d8d7842afcab25d5b053ce09e71af5d982ea5fc9d7c06836e3c3c43ecf719afc44bf9a8bd27257b80379b4b456666b59144f9f72f24554b85d0906fe4246fb715106130df629fdc9d3ad996cc2890fe533d0181c21b08cc1439fc3eb1c20aaadecb123a0923ba2e9550c83de6f3"
enc = bytes.fromhex(enc)key = Integer(78219201121828481251879725014475581035499659637323462262120670452020141740957)
flag = decrypt_message(enc,key)
print(flag)# 812D4f5LyQTDj7HapMNxmQ6dJSgOLthL
验证通过
flag{69IU8m6qiWeOThxOrm3gFCj1wn5xjY2A}
gitea账号:giteauser2024
gitea口令:S(*HD^WY63y89TY71
提示:gitea账号和口令用于登录第二环节的gitea服务器,请注意保存!
初始谜题2
sm3长度拓展攻击,直接上脚本
SM3.py
from functools import reduce
import struct
from const import *def rotate_left(a, k):k %= 32high, low = divmod(a, BIT_EACH_32[32 - k])return high + low * BIT_EACH_32[k]T_j = [0x79cc4519] * 16 + [0x7a879d8a] * 48
T_j_rotate_left = [rotate_left(Tj, j) for j, Tj in enumerate(T_j)]def PUT_UINT32_BE(n):return [int((n >> 24) & 0xff), int((n >> 16) & 0xff), int((n >> 8) & 0xff), int(n & 0xff)]def CF(V_i, B_i):W = [(B_i[ind] * BIT_EACH_32[24]) + (B_i[ind + 1] * BIT_EACH_32[16]) + (B_i[ind + 2] * BIT_EACH_32[8]) + (B_i[ind + 3]) for ind in range(0, 64, 4)]for j in range(16, 68):high_W3_15, low_W3_15 = divmod(W[-3], BIT_EACH_32[17])high_W13_7, low_W13_7 = divmod(W[-13], BIT_EACH_32[25])# P_1X = W[- 16] ^ W[- 9] ^ (high_W3_15 + low_W3_15 * BIT_EACH_32[15])high_P1_15, low_P1_15 = divmod(X, BIT_EACH_32[17])r_l_15 = high_P1_15 + low_P1_15 * BIT_EACH_32[15]high_P1_23, low_P1_23 = divmod(X, BIT_EACH_32[9])r_l_23 = high_P1_23 + low_P1_23 * BIT_EACH_32[23]# return X ^ (rotate_left(X, 15)) ^ (rotate_left(X, 23))W.append(X ^ r_l_15 ^ r_l_23 ^ (high_W13_7 + low_W13_7 * BIT_EACH_32[7]) ^ W[- 6])# W.append(P_1(W[- 16] ^ W[- 9] ^ (high_W3_15 + low_W3_15 * BIT_EACH_32[15])) ^ (# high_W13_7 + low_W13_7 * BIT_EACH_32[7]) ^ W[- 6])W_1 = [W[j] ^ W[j + 4] for j in range(64)]A, B, C, D, E, F, G, H = V_ifor j in range(0, 16):high_A12, low_A12 = divmod(A, BIT_EACH_32[20])r_l_12 = high_A12 + low_A12 * BIT_EACH_32[12]high, low = divmod((r_l_12 + E + T_j_rotate_left[j]) & 0xFFFFFFFF, BIT_EACH_32[25])SS1 = high + low * BIT_EACH_32[7]SS2 = SS1 ^ r_l_12# Wj = (B_i[ind] * BIT_EACH_32[24]) + (B_i[ind + 1] * BIT_EACH_32[16]) + (B_i[ind + 2] * BIT_EACH_32[8]) + (B_i[ind + 3])# FFTT1 = ((A ^ B ^ C) + D + SS2 + W_1[j]) & 0xFFFFFFFF# GGTT2 = ((E ^ F ^ G) + H + SS1 + W[j]) & 0xFFFFFFFFhigh_B9, low_B9 = divmod(B, BIT_EACH_32[23])high_F19, low_F19 = divmod(F, BIT_EACH_32[13])high, low = divmod(TT2, BIT_EACH_32[23])r_l_9 = high + low * BIT_EACH_32[9]high, low = divmod(TT2, BIT_EACH_32[15])r_l_17 = high + low * BIT_EACH_32[17]A, B, C, D, E, F, G, H = TT1, A, high_B9 + low_B9 * BIT_EACH_32[9] & 0xffffffff, C, (TT2 ^ r_l_9 ^ r_l_17) & 0xffffffff, E, high_F19 + low_F19 * BIT_EACH_32[19] & 0xffffffff, Gfor j in range(16, 64):high_A12, low_A12 = divmod(A, BIT_EACH_32[20])r_l_12 = high_A12 + low_A12 * BIT_EACH_32[12]high, low = divmod((r_l_12 + E + T_j_rotate_left[j]) & 0xFFFFFFFF, BIT_EACH_32[25])SS1 = high + low * BIT_EACH_32[7]SS2 = SS1 ^ r_l_12# FFTT1 = (((A & B) | (A & C) | (B & C)) + D + SS2 + W_1[j]) & 0xFFFFFFFF# GGTT2 = (((E & F) | ((~ E) & G)) + H + SS1 + W[j]) & 0xFFFFFFFFhigh_B9, low_B9 = divmod(B, BIT_EACH_32[23])high_F19, low_F19 = divmod(F, BIT_EACH_32[13])high, low = divmod(TT2, BIT_EACH_32[23])r_l_9 = high + low * BIT_EACH_32[9]high, low = divmod(TT2, BIT_EACH_32[15])r_l_17 = high + low * BIT_EACH_32[17]A, B, C, D, E, F, G, H = TT1, A, high_B9 + low_B9 * BIT_EACH_32[9] & 0xffffffff, C, (TT2 ^ r_l_9 ^ r_l_17) & 0xffffffff, E, high_F19 + low_F19 * BIT_EACH_32[19] & 0xffffffff, Greturn [A ^ V_i[0], B ^ V_i[1], C ^ V_i[2],D ^ V_i[3], E ^ V_i[4], F ^ V_i[5], G ^ V_i[6], H ^ V_i[7]]# def CFs(V_i):def digest(msg, state=(IV, 0)):msg = str2bytes(msg)cur_v, cur_len = statelen1 = len(msg) + cur_lenmsg.append(0x80)reserve1 = len1 % 64 + 1range_end = 56 if reserve1 <= 56 else 120msg.extend([0] * (range_end - reserve1))bit_length = len1 * 8msg.extend(struct.pack(">Q", bit_length))B = (msg[i:i + 64] for i in range(0, len(msg), 64))y = reduce(CF, B, cur_v)b = bytearray()[b.extend(PUT_UINT32_BE(each)) for each in y]return bytes(b)def str2bytes(msg: str, encoding='utf-8'):"""字符串转换成byte数组"""msg_bytearray = msg.encode(encoding) if isinstance(msg, str) else msgreturn list(msg_bytearray)def byte2str(msg, decode='utf-8'):"""byte数组转字符串"""return msg.decode(decode) if isinstance(msg, (bytes, bytearray)) else msgdef hex2byte(msg):"""16进制字符串转换成byte列表"""if not isinstance(msg, str):raise ValueError('message must be string')ml = len(msg)if (ml & 1) != 0:msg = '0' + msgreturn list(bytes.fromhex(msg))
const.py
BIT_BLOCK_H = [0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE, 0xFF]
BIT_BLOCK_L = [0x0, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF]
BIT_EACH = [1, 2, 4, 8, 16, 32, 64, 128, 256]
BIT_EACH_32 = [1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144,524288, 1048576, 2097152, 4194304, 8388608, 16777216, 33554432, 67108864, 134217728, 268435456,536870912, 1073741824, 2147483648, 4294967296]IV = [1937774191, 1226093241, 388252375, 3666478592, 2842636476, 372324522, 3817729613, 2969243214]
de.py
from SM3 import digest as hash_func
import struct
import os
# from hashlib import sha256# from gmssl import sm3, funcH = hash_funcdef attack(pub, apd):"""forge based on pub:param pub: public info:param apd: data appended bt attacker:return: forgery"""def create_pad(len1):pad = [0x80]reserve1 = len1 % 64 + 1range_end = 56 if reserve1 <= 56 else 120pad.extend([0] * (range_end - reserve1))bit_length = len1 * 8pad.extend(struct.pack(">Q", bit_length))return bytes(pad)pub_msg, pub_hsh, sec_len = pubpub_hsh=bytes.fromhex(pub_hsh)pad = create_pad(sec_len + len(pub_msg))msg = pub_msg + pad + apdcur_v = int.from_bytes(pub_hsh, byteorder="big")cur_v = [(cur_v >> ((7 - i) * 32)) & 0xFFFFFFFF for i in range(8)]cur_len = sec_len + len(pub_msg) + len(pad)state = cur_v, cur_lensig = H(apd, state)return msg, sigdef main(): sm3_hash = "90dbd8ab4beb24357aa54efa1b50af596500e85961d8695a4988719a34caaf1b"counter = 0x53237646counter_bytes = counter.to_bytes((counter.bit_length() + 7) // 8, 'big')pub = (counter_bytes,sm3_hash,32)counter = 0x53237656counter_bytes = counter.to_bytes((counter.bit_length() + 7) // 8, 'big')forgery = attack(pub,counter_bytes)#print(f"forgery: {forgery}")print(forgery[0].hex())print(forgery[1].hex())if __name__ == '__main__':main()
运行得到 counter
和 token
532376468000000000000000000000000000000000000000000000000000012053237656
8cdc6cec4deba9ff8f4e70048a54fd5e90e1a2ae26e43d27039f631c43e68802
发送过去即可得到flag
验证通过
flag{HFwmscbZDCXf1JmaCJgq1OC2uqR0V7no}
gitea账号:giteauser2024
gitea口令:S(*HD^WY63y89TY71
提示:gitea账号和口令用于登录第二环节的gitea服务器,请注意保存!
初始谜题3
题目给了c1,c2,A,b
且存在以下关系
b = (A * s + e) % q
c1 = (x * A) % q
c2 = (x * b + e1 + m * (q // 2)) % qm_dec = (c2 - c1 * s) % q
通过化简,可以知道 $(c2 - c1 * s) % q$ 的目的是为了消去 $x*b$
利用 c1 求出 x,即可得到m_dec
从而解密
import sympy as sp# 设置参数
n = 16 # 向量长度
q = 251 # 模数A=sp.Matrix([[38, 139, 108, 73, 122, 75, 43, 183, 240, 186, 165, 162, 33, 223, 45, 168], [41, 148, 169, 1, 51, 45, 206, 191, 95, 11, 38, 83, 187, 68, 124, 99], [77, 191, 171, 8, 52, 122, 99, 28, 213, 46, 240, 15, 55, 146, 150, 16], [163, 69, 32, 24, 2, 210, 52, 42, 91, 142, 224, 218, 109, 243, 22, 31], [161, 62, 214, 76, 66, 35, 235, 209, 227, 43, 96, 201, 182, 72, 247, 177], [35, 118, 176, 16, 182, 29, 68, 150, 10, 250, 20, 80, 229, 126, 202, 4], [161, 33, 117, 170, 155, 246, 238, 112, 103, 208, 77, 36, 61, 226, 45, 211], [52, 202, 95, 17, 82, 183, 162, 9, 51, 135, 141, 88, 140, 169, 29, 211], [165, 220, 39, 29, 106, 11, 167, 199, 139, 74, 64, 225, 176, 67, 244, 180], [197, 96, 12, 35, 24, 79, 46, 21, 98, 239, 226, 25, 190, 160, 66, 64], [7, 185, 27, 131, 39, 186, 147, 21, 177, 226, 70, 232, 155, 79, 223, 151], [224, 147, 230, 238, 40, 137, 183, 73, 32, 112, 197, 184, 3, 31, 9, 31], [103, 149, 137, 78, 181, 19, 60, 158, 214, 49, 16, 195, 19, 148, 52, 71], [153, 108, 158, 203, 48, 5, 89, 180, 47, 246, 82, 12, 186, 15, 20, 31], [200, 201, 44, 110, 47, 80, 180, 71, 241, 197, 129, 111, 241, 49, 17, 53], [169, 206, 239, 173, 186, 143, 114, 29, 104, 109, 173, 212, 167, 36, 58, 17]])
c1=sp.Matrix([[201, 56, 147, 23, 22, 63, 139, 149, 165, 84, 8, 25, 119, 190, 224, 241], [178, 163, 197, 170, 118, 204, 187, 248, 193, 248, 121, 14, 88, 227, 165, 229], [249, 144, 246, 2, 147, 156, 213, 68, 133, 86, 128, 144, 211, 11, 185, 37], [229, 148, 183, 71, 86, 121, 26, 247, 164, 236, 237, 249, 135, 115, 106, 117], [144, 32, 155, 162, 120, 133, 215, 102, 56, 162, 136, 240, 138, 148, 143, 238], [222, 124, 38, 202, 121, 137, 92, 19, 184, 64, 18, 13, 233, 144, 103, 27], [233, 98, 13, 217, 66, 48, 153, 93, 192, 228, 84, 54, 2, 164, 69, 34], [119, 104, 110, 111, 10, 165, 85, 78, 31, 207, 201, 236, 48, 65, 216, 55], [98, 53, 20, 56, 212, 147, 193, 226, 84, 124, 52, 10, 37, 51, 40, 5], [230, 193, 171, 57, 165, 118, 128, 138, 186, 210, 25, 160, 175, 124, 159, 53], [202, 185, 69, 120, 92, 177, 216, 169, 66, 226, 136, 6, 66, 196, 26, 95], [99, 125, 138, 134, 133, 77, 53, 95, 191, 238, 168, 33, 239, 172, 228, 80], [95, 149, 73, 119, 178, 17, 225, 95, 226, 108, 99, 23, 221, 201, 145, 86], [213, 39, 40, 67, 143, 219, 208, 118, 173, 77, 167, 80, 54, 246, 105, 90], [147, 106, 219, 216, 8, 218, 3, 227, 187, 115, 59, 140, 144, 196, 43, 13], [71, 106, 159, 147, 233, 206, 110, 24, 68, 146, 126, 17, 231, 10, 97, 201]])
c2=sp.Matrix([[140], [99], [17], [232], [35], [169], [127], [96], [205], [60], [74], [133], [70], [170], [241], [33]])
b=sp.Matrix([[156], [249], [104], [135], [169], [15], [175], [12], [210], [61], [94], [127], [117], [133], [236], [166]])
tmp = A.inv_mod(q)
x =(c1 * tmp) % q# print(x)
m_dec = (c2 - x*b) % q
m_rec = m_dec.applyfunc(lambda x: round(2 * x / q) % 2) # 还原消息
m_bin = ''.join([str(bit) for bit in m_rec]) # 将SymPy矩阵转换为二进制字符串
m_rec_int = int(m_bin, 2) # 将二进制字符串转换为整数
print(hex(m_rec_int)[2:])# 285b
验证通过
flag{ShSN8gbucIrGOii3bMpaBexjXCPrqDq7}
gitea账号:giteauser2024
gitea口令:S(*HD^WY63y89TY71
提示:gitea账号和口令用于登录第二环节的gitea服务器,请注意保存!