2024CSICN长城杯--Crypto--WriteUp

rasnd

task:

from Crypto.Util.number import getPrime, bytes_to_long
from random import randint
import osFLAG = os.getenv("FLAG").encode()
flag1 = FLAG[:15]
flag2 = FLAG[15:]def crypto1():p = getPrime(1024)q = getPrime(1024)n = p * qe = 0x10001x1=randint(0,2**11)y1=randint(0,2**114)x2=randint(0,2**11)y2=randint(0,2**514)hint1=x1*p+y1*q-0x114hint2=x2*p+y2*q-0x514c = pow(bytes_to_long(flag1), e, n)print(n)print(c)print(hint1)print(hint2)def crypto2():p = getPrime(1024)q = getPrime(1024)n = p * qe = 0x10001hint = pow(514*p - 114*q, n - p - q, n)c = pow(bytes_to_long(flag2),e,n)print(n)print(c)print(hint)
print("==================================================================")
crypto1()
print("==================================================================")
crypto2()
print("==================================================================")

analysis:

\[\begin{flalign} &part1\\ &hint1 = x_1p+y_1q-0x114\\ &hint2 = x_2p+y_2q-0x514\\ &爆破x_1,x_2，hint1-hint2=Yq\\ &q = gcd(hint1-hint2,n).RSA解密.\\ &part2\\ &hint≡(514p-114q)^{n-p-q}(mod\quad n)\\ &由欧拉定理a^{φ(n)}≡1(mod\quad n);同余式两边同时乘a^{-1}可得a^{φ(n)-1}≡a^{-1}(mod\quad n)\\ &这个形式同题目中给的一样，因此有514p-114q=hint^{-1}(mod\quad n)\\ &联立该方程与pq=n解出p,q进而进行RSA解密. \end{flalign} \]

exp:

# -*- coding: utf-8 -*-
# @Author  : chen_xing
# @Time    : 2024/12/15 下午2:45
# @File    : rasnd.py
# @Software: PyCharm
"""
from pwn import *
io = remote('47.95.3.252',22658)
io.interactive()
==================================================================
19717389102395758382026398770090857605586438545611910540189061085612217979657902604501170953161853482958903567962918091906449829007954127627399401532302687971016600322896973063457287817834339424248336794677961215631535560196655531547015873374758230746471870651155102133819739854673052076496597150339255183583610262208970937544660188441914849875664389094362680908037678954451676125423375894001050193264462368361286424805979452737484948595108402173255328147028981988120269526655930569710185647200680788005857110338887799298469299267700941191348060136439553115765094944892120946084524993569032296746381329498303012896271
17381010405524594344424195048053602269107583402590195880784406136091889563634666718897953214750909510240664328592384774885922546489571732150550033224632608464198633116675540936435427564331466333640469116405173436182052179245058660937218729656330636435203053190859801491361523600986929283298391777114209976519123193645951886294963766466310692269107324954392722050664302835784935395121599135370266129274139008496136432820542614764017236399942510745745051985335677987371505758274825885505782168694092518974395903717476251850670285161375067232625884819448486248821296371524562316215885242840090698177354311935160724047271
509130915225963419346678794679094050902571595829040081324430365098862827841652202350090792633059236512224808415907517277387262320482667221565594632616645851153184017548588035587822852702736183251308911524634049539170291519923826928699526788040285972123688786767899838168683050663693076246873158868000847073942899234646913525186923508585315358
690946591436838752722450972967674428839488931837101646145481388838373595283074264457723103555423352721312062350291670841184407631375773482214269104437453875406396834889317393747642464720211847368007928428299324107718873689130666496363246364191737924487502766418458001451003808739046477760937181535066022075971205252656334062535039553887867804885747196247553557401067127781607533654872312619614935828938929628540383505514124011540507125693750311600073273106267551
==================================================================
17573515075395867546533774859206599052534826237056996003635450134576858585879591757541135521913856916497735238419297372074695571326844504032304530443984486771780364032478304822942135381253762868650498285912016496241948758158318513945683497424527747563826569176975761670083010981619558756372209004154011284332558901845826610150928780497321309692293381263110926514264444431945581160088488209473278832171449410958947080015912128428623589781088952636059980872172371256047117265766132701785431428216868544669722259946487605727189190824200067624177334638167710897314170373631159077505253847456348978394748479884579391569851
4133924642027183260034161896227533529350829744060482686533323465388711073087729722162634280031950663346521609684329684586686710332881665422962730750071593415464269909841501172118317103292141296037945459138826157588343926132010425306109255409747067123166973806029125637292278253680571132419400136369763859158543617461617802076177349585117260521893784981717024130706713300089329845640032775016169918244156546865527955162939232992093155010636364969171227237183496415815314898958546235810695025198970057715538126650243826369616148341812115074095076334129408859272238371675452297044897605880545296652903603696404329499964
17241609074075059424901382153172123437652683137892859278531119673049385037439615788606226599790833683350682195735343925170829494742340973615875925774931464752517535247119659577846775955502849356406877505081530250127552709479227730985271198208197525303086136509713021341965374729435989366323641373932632400817958889872395336030524042114476506410677344482015511504283503895126211846434076543291433685745538964253863543551181583268915140943110230242050345863047212142770568318171913025801651944725801470994562543481060266671121449918254568086708533974981742627009284655753247722408090381977535797370984880568401367232099
==================================================================
"""
from Crypto.Util.number import *
from sympy import symbols, Eq, solve
from time import *
# Given values
e = 65537
print("--------------------------------------------------part1--------------------------------------------------")
start_time = time()
n = 25057366131574345463066572518972007369987338855829081189333151669024689124750347311345742714505678495630147622065102082580742520850296847146408540410529212032106669610170610842145974051090620026489684102539218538533242769850582053841386242249528755363073469670711995035142647622794484233015615185105332623711286440733342619164382191277079384369027939408755958348401055383052671708110380686429894409755541077304504889899764635946170331459175144883308640852752114433152245751156539582571028315561658588974634424784510349113428759937755665908423121304926246192633365019907501566395631059356287266003741031747932010754571
c = 17518134380638481300867428909182900518140386727738342535088002331723082167258157121301632879808439987581098358975288261467125739686304588051630757980683370095794246718276911328164026724417850262099266274001612972263000312708816439427574713133880743110669658336709958074578029064236680195924253374848748510785239359679699204859281697274932099682342841607851735086849792451837592889568500213347482986121165901637591882042861152486947295247894187345833160096741479237600748884075522444595426918672877942857305297965836676403950179315936736430064029622511361139662102212617863614667657033061649387773034319714409486605375
hint1 = 311813585959519997042263111169599395062929793402167449494789318536236921287513319874973395292840069429854007738740392400920657513531703307456793215681176166907519812568245523628939657623957268634251232899608657128006921381662846368354860883997644011251464809313504451016527885096684518421932861093663000743896877456540810818605347809370401847
hint2 = 7002389781904232127456762751853552025339982978766759958767826303271425546040567402671687542676884587029775500919547181054462103552417922254729297407096354083583262580999816359541140068202627663444632595261265531303880206463523728030719914268684660423332112718501466058924246262004205638318045569712996961730039860490947897615008324479921676287335913423435351055759416432637487586320992565792119057790215374604001554213263646252152615167206094302478141788359082472
for i in range(2**11):for j in range(2**11):temp = (hint1 + 0x114) * i - (hint2 + 0x514) * jif GCD(temp,n) != 1:p = GCD(temp,n)if n % p ==0:q = n // pphi = (p - 1) * (q - 1)if GCD(e,phi) == 1:d = inverse(e,phi)flag1 = long_to_bytes(pow(c,d,n))
print("---------------------------------------------------end---------------------------------------------------")
print("--------------------------------------------------part2--------------------------------------------------")
n = 16551509466524208327380319266898393427657788079152243746564268364500979309598928370485374892391379852351474477590818515477119129906214302029175520742272637194451244962568941802942405656428416983314883300256705949997060893620792037793610191581475973474832823855240555059858686230168364860656942550346022818363897644902898835343894021535147915906552391814268130649810795651915732406009751439030800667375401597468645323278725484152007734156775034343400256507283893646182046940204108418797820878755067809163169275652775539471608608208355362360864221126561530314995486723518568370568942014210905761710621110059672594576371
c = 11092343229062694276909023896085831399906386648487678765968133377511880535786714132864021744270550031926133168725238398539184111045115500575670577245839070393728574336851723119630328602208247030090573438298394833683240139592021663314914493826584050042601314234235292401646971205728639427734126143811135765602566166304984061162019875663195319956751620972708290102951016285130279149541928975715141646349317719195120895405668537578731117711411377455348204628414433829954521246239918444749278414821322446997980867440390673867252520691512466217783913805378959163546554333948518761666615257961694453184137976339346897818155
hint = 7971742731649095689419069812067528143696274197928828354876852788283924885555419352585597870550201340903283246408124243858771760225352090287065968401798121462744593325790906076715689726084973961284269442403078357256944648887889164133402997194229896424170372289565793328072510417215049995602860003730255117062570796846107610964913012371436931702425686803094036421192017252973559867973706228039666796549598893061765698264877914707928554295918253039991633879692755301224559986335658773048007318816411538314373853913905341243548594907887601884024637302529827700822811798293858870305301953426511545007874861951957634461401
temp = inverse(hint,n)
p, q = symbols('p q')
equation1 = Eq(514 * p - 114 * q, temp)
equation2 = Eq(p * q, n)
solutions = solve((equation1, equation2), (p, q), dict = False)
# print(solutions)
p = 98856019786804470640443796109169578512013252702519071160946919073310544570792075470086512360274481565889660687471912133956236198898414294985460750440499584480352433062350929922436343944268275888420271857725729451905863266891272358961378522759755989015910020997268924091984638939748943340253440836306220242943
q = 167430466067920144586518526811331843740576807773373875372637415435050728726951903737409961278924716205028826829958375353303540001068235977345438194318025058688200684222901120228019519870666762077671354712898086421782675606039851613626320537062425899060747116061732728280427253471056751774648729146281329296397
assert isPrime(p) and isPrime(q)
flag2 = long_to_bytes(pow(c,inverse(e,(p - 1) * (q - 1)),n))
print("---------------------------------------------------end---------------------------------------------------")
end_time = time()
print(flag1 + flag2)
print(f"The time is: {end_time - start_time}")
# b'flag{6ab144ac-5f97-4253-a762-c8675ae5efd1}'
# The time is: 40.16846060752869

fffffhash

task:

import os
from Crypto.Util.number import *
def giaogiao(hex_string):base_num = 0x6c62272e07bb014262b821756295c58dx = 0x0000000001000000000000000000013bMOD = 2**128for i in hex_string:base_num = (base_num * x) & (MOD - 1)base_num ^= ireturn base_numgiao=201431453607244229943761366749810895688print("1geiwoligiaogiao")
hex_string = int(input(),16)
s = long_to_bytes(hex_string)if giaogiao(s) == giao:print(os.getenv('FLAG'))
else:print("error")

analysis:

这道题就是希望我们通过寻找数学上的漏洞通过giao这个结果值还原我们应该输入的16进制的信息，之后就可以获取flag.

接下来就是加密程序：

base_num 是一个固定的初始值，x 是一个固定的乘数，MOD 是模数（2的128次方）。

对于输入的十六进制字符串中的每一个字符，程序都会执行以下操作：将base_num与x相乘，然后对结果进行模MOD操作，以确保结果不会超过128位。将上一步的结果与当前字符的ASCII值进行异或操作（^=）。

最终返回的base_num值就是加密后的结果。

但是注意这里我们能够在有限时间内进行还原的原因也在于&MOD-1的时候只有后128位进行了运算，同时x这个16进制的数字的前面很多位都是0，在进行乘法的时候结果的前面的二进制位只会取决于前面。

相关代码解析写在exp注释当中。

exp:

# -*- coding: utf-8 -*-
# @Author  : chen_xing
# @Time    : 2024/12/15 下午4:02
# @File    : rasnd.py
# @Software: PyCharm
from sage.all import *
# Given values
base_num = 0x6c62272e07bb014262b821756295c58d
x = 0x0000000001000000000000000000013b
MOD = 2 ** 128
giao = 201431453607244229943761366749810895688
n = 20  # 从n = 15开始构造格，逐渐递增，增大格的范围
print("--------------------------------------------------begin--------------------------------------------------")
M = Matrix.column([x ** (n - i - 1) for i in range(n)] + [-(giao - base_num * x ** n), MOD])
M = M.augment(identity_matrix(n+1).stack(vector([0] * (n+1))))
Q = Matrix.diagonal([2 ** 256] + [2 ** 8] * n + [2 ** 16]) # 创建一个对角矩阵Q，用于对M进行缩放，以便应用BKZ算法。
M *= Q
M = M.BKZ() # M.BKZ() 是应用BKZ算法来找到一个短向量，这个向量可以用来构造一个近似的解。
M /= Q # 将缩放后的矩阵恢复到原始比例。
# 通过遍历M的行，找到第一个符合条件的行，即第一列（代表p^0的系数）为0，且最后一列（代表常数项）的绝对值为1的行。这个行代表了近似解。
for i in M:if i[0] == 0 and abs(i[-1]) == 1:i *= i[-1]good = i[1:-1]break
result = []
y = int(base_num * x)
temp = (base_num * x ** n + good[0] * x ** (n-1)) % MOD
# 通过两层循环，外层循环控制位的位置，内层循环尝试不同的ASCII值，找到能够使mask等于temp的值。一旦找到，就将其添加到result列表中，并更新temp和y以进行下一位的计算
for i in range(n):for j in range(256): # 这里的256是因为long_to_bytes之后最大的为/xff，也就是256mask = (int(y) ^ int(j)) * x ** (n-i-1) % MODif mask == temp:result.append(j)if i < n-1:temp = (temp + good[i + 1] * x ** (n - i - 2)) % MODy = ((int(y) ^ int(j)) * x) % MODbreak
print(bytes(result).hex())
print("---------------------------------------------------end---------------------------------------------------")
# 1df2006d2e3362153d001f53102a7c2a0a591516

其实有一道相似的题目，是NSSCTF平台中上线的2024HITCTF，经过hash正则搜索即可看到，题目的思路我认为是有异曲同工之妙的。