CISCN CCB crypto

CISCN & CCB crypto

rasnd

第一部分

h1 = x1*p + y1 *q - 0x114

h2 = x2*p +y2 * q - 0x514

消去p后爆破h1、h2即可

from Crypto.Util.number import *
from gmpy2 import *
from tqdm import *
c = 
n = 
a = 
b = 
e = 0x10001for x1 in range(2**8,2**11):for x2 in range(2**8,2**11):k = (b+0x514)*x1 - (a+0x114)*x2if(gcd(k,n) >1 & gcd(k,n)<n-1):print(gcd(k,n))q = gcd(k,n)p = n//q
print(p)
print(p*q ==n)phi = (p-1)*(q-1)
print(phi)
d = invert(e,phi)
m= pow(c,d,n)
print(long_to_bytes(m))

第二部分

h = pow(514p - 114q, n - p - q, n)

由pow(a,phi,n) = 1(a、n互素)得h = pow(514p-114q , -1 , n)

求出514p-114q后联立n = p * q 即可求解

def extended_gcd(a, b):"""扩展欧几里得算法，返回 gcd(a, b) 和 x, y 使得 ax + by = gcd(a, b)"""if a == 0:return b, 0, 1gcd, x1, y1 = extended_gcd(b % a, a)x = y1 - (b // a) * x1y = x1return gcd, x, ydef mod_inverse(h, n):"""计算 h 在模 n 下的乘法逆元"""gcd, a, _ = extended_gcd(h, n)if gcd != 1:raise ValueError(f"{h} 和 {n} 不是互质的，无法计算逆元。")else:return a % n  # 确保结果为正数# 已知的 h 和 n
h =   # 替换为实际的 h 值
n =   # 替换为实际的 n 值try:a = mod_inverse(h, n)print(f"满足 a * {h} ≡ 1 (mod {n}) 的 a 值为: {a}")
except ValueError as e:print(e)
#输出即第二个代码中的h

# 导入 SageMath 的符号和求解功能
from sage.all import *# 已知的 n 和 h 值
n =   # 替换为实际的 n 值
h =   # 替换为实际的 h 值# 定义符号 p 和 q
p, q = var('p q')# 构建方程
eq1 = h == 514 * p - 114 * q
eq2 = n == p * q# 使用 solve 函数求解方程组
solution = solve([eq1, eq2], p, q)# 输出解
solution
#求得p、q

from Crypto.Util.number import *
from gmpy2 import *c = 
n = 
p = 
q = 
e = 0x10001
phi = (p-1)*(q-1)
print(phi)
d = invert(e,phi)
m= pow(c,d,n)
print(long_to_bytes(m))

fffffhash

分析代码，得知是fnv哈希，去网上学习相关知识，套用板子即可求解

sage代码如下：

TARGET = 201431453607244229943761366749810895688
h0 = 0x6c62272e07bb014262b821756295c58d
p = 0x0000000001000000000000000000013b
MOD = 2^128n = 16
M = Matrix.column([p^(n - i - 1) for i in range(n)] + [-(TARGET - h0*p^n), MOD])
M = M.augment(identity_matrix(n+1).stack(vector([0] * (n+1))))
Q = Matrix.diagonal([2^256] + [2^4] * n + [2^8])
M *= Q
M = M.BKZ()
M /= Q
for r in M:if r[0] == 0 and abs(r[-1]) == 1:r *= r[-1]#print(r)good = r[1:-1]print(good)breakinp = []
y = int(h0*p)
t = (h0*p^n + good[0] * p^(n-1)) % MOD
for i in range(n):for x in range(256):y_ = (int(y) ^^ int(x)) * p^(n-i-1) % MODif y_ == t:print('good', i, x)inp.append(x)if i < n-1:t = (t + good[i+1] * p^(n-i-2)) % MODy = ((int(y) ^^ int(x)) * p) % MODbreakelse:print('bad', i)
print(bytes(inp).hex())
#020101081b04390001051a020a3d0f0f