[NKCTF 2024] crypto 部分

已于 2024-03-25 15:41:54 修改
阅读量1k 收藏 31
点赞数 13
分类专栏: 赛事复现 文章标签: 密码学 安全 ctf
于 2024-03-25 13:17:23 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/XiongSiqi_blog/article/details/137010604
版权

文章目录

ez_math

题目描述:

from Crypto.Util.number import *
from secret import flag

m1, m2 = bytes_to_long(flag[:len(flag)//2]), bytes_to_long(flag[len(flag)//2:])
p, q, r, s = [getStrongPrime(512) for _ in range(4)]
e = 0x10001

n = p * q * r * s
x = pow(q + r, p, n)
y = pow(p * q + r, p, n)
z = pow(s + 1, m1, s ** 3)
c = pow(m2, e * (s - 1), n)

print(f'{n = }')
print(f'{x = }')
print(f'{y = }')
print(f'{z = }')
print(f'{c = }')

# n = 16063619267258988011034805988633616492558472337115259037200126862563048933118401979462064790962157697989038876156970157178132518189429914950166878537819575544418107719419007799951815657212334175336430766777427972314839713871744747439745897638084891777417411340564312381163685003204182743581513722530953822420925665928135283753941119399766754107671729392716849464530701015719632309411962242638805053491529098780122555818774774959577492378249768503656934696409965037843388835948033129997732058133842695370074265039977902884020467413323500218577769082193651281154702147769044514475692164145099161948955990463002411473013
# x = 3021730035236300354492366560252387204933590210661279960796549263827016146230329262559940840168033978439210301546282150367717272453598367244078695402717500358042032604007007155898199149948267938948641512214616076878271433754986480186150178487625316601499002827958344941689933374158456614113935145081427421623647242719093642478556263121508238995676370877385638074444859047640771188280945186355013165130171802867101829647797879344213688981448535289683363612035513789240264618036062440178755665951650666056478493289870170026121826588708849844053588998886259091357236645819074078054595561158630194224419831088510266212458
# y = 8995787142441643101775260550632842535051686960331455373408888374295557050896156890779515089927839904014859222004906681231525326673182671984194300730575609496770604394218160422560576866112460837985407931067753009696969997384839637927957848613356269534870170452152926447601781637641134982178028922559652443398183848786034348994249923007092159192374765197460466878587635412657807328348343062302127490267456095927890461140420639805398464266081441243108883599713672104446500850203779995739675784794478089863001309614674686652597236324659979849324914804032046113978246674538411441434320732570934185579553749616238819583998
# z = 1283646988194723153191718393109711130382429329041718186548715246082834666179475883560020086589684603980734305610989683434078096863563033623169666389076830792095374856743015929373461198718962686411467443788047511292138922700655772772117855226419561159782734009961921473456332468653898105909729309377890721920937410781006337057478451806364879679045839945032594716202888196404203782734864187890231653321470085251
# c = 4988583141177813116287729619098477713529507701428689219486720439476625736884177254107631282807612305211904876847916760967188201601494592359879509876201418493870112712105543214178376471651715703062382025712952561985261461883133695993952914519494709871429166239968478488380137336776740647671348901626710334330855078254188539448122493675463406596681080368929986034772169421577420193671300532508625180845417164660544286332963072804192276425664877337357353975758574262657585309762422727680851018467657523970318042829660721433987195369353660020476598195375492128671951807024027929490113371463210453342974983253996717176870

题目分析:
part1:
x ≡ ( q + r ) p ( m o d n ) ≡ r p ( m o d q ) ① ≡ ( q + r ) ( m o d p ) ② y ≡ ( p q + r ) p ( m o d n ) ≡ r p ( m o d q ) ③ ≡ ( p q + r ) ( m o d p ) ④ ≡ r ( m o d p ) ⑤ z ≡ ( s + 1 ) m 1 ( m o d s 3 ) ≡ ( m 1 − 1 ) ∗ m 1 2 ∗ s 2 + m 1 ∗ s + 1 ( m o d s 3 ) ≡ m 1 ∗ s + 1 ( m o d s 2 ) ⑥ \begin{align*} x &\equiv (q + r)^p \pmod n \\ &\equiv r^p \pmod q ①\\ &\equiv (q + r) \pmod p ②\\ y &\equiv (pq + r)^p \pmod n \\ &\equiv r^p \pmod q ③\\ &\equiv (pq + r) \pmod p④\\ &\equiv r \pmod p⑤\\ z &\equiv(s + 1)^{m_1} \pmod {s^3}\\ &\equiv \frac{(m_1 - 1) * m_1}{2} * s^2 + m_1 * s + 1 \pmod {s^3}\\ &\equiv m_1 * s + 1 \pmod {s^2}⑥ \end{align*} xyz(q+r)p(modn)rp(modq)(q+r)(modp)(pq+r)p(modn)rp(modq)(pq+r)(modp)r(modp)(s+1)m1(mods3)2(m11)m1s2+m1s+1(mods3)m1s+1(mods2)
n = p ∗ q ∗ r ∗ s 由①③知 q = g c d ( x − y , n ) 由②④知 x − y = p q − q + k p , x − y + q = p q + k p ⇒ p q = g c d ( x − y + q , n ) p , q 出来了再由⑤得到 r 至此得到 s ,进而通过⑥得到 m 1 n = p * q * r * s\\ 由①③知q = gcd(x - y,n)\\ 由②④知x-y = pq - q + kp,x-y + q = pq + kp\\ \Rightarrow pq = gcd(x - y + q, n)\\ p,q出来了再由⑤得到r\\ 至此得到s,进而通过⑥得到m_1 n=pqrs①③q=gcd(xy,n)②④xy=pqq+kpxy+q=pq+kppq=gcd(xy+q,n)pq出来了再由得到r至此得到s,进而通过得到m1

q = gcd(x - y, n)
p = gcd((x - y - q),n) // q
r = y % p
s = n // (p * q * r)
print(s)
m1_s = z % s ** 2
print(long_to_bytes(m1_s//s)) # nkctf{cb5b7392-cca4-4 # 21 * 8 = 168

part2:
c 2 = p o w ( m 2 , e ∗ ( s − 1 ) , n ) c_2 = pow(m_2,e * (s - 1),n) c2=pow(m2,e(s1),n)
不互素问题,不过此时与phi的公因子是s - 1,太大了,那我们缩小范围
c 2 = p o w ( m 2 , e ∗ ( s − 1 ) , p q r ) c_2 = pow(m_2,e * (s - 1),pqr) c2=pow(m2,e(s1),pqr)
发现 g c d ( e ∗ ( s − 1 ) , ( p − 1 ) ∗ ( q − 1 ) ∗ ( r − 1 ) ) = 4 发现gcd(e * (s - 1),(p - 1) * (q - 1) * (r - 1)) = 4 发现gcd(e(s1)(p1)(q1)(r1))=4
这个公因子小,有限域开方就行,之后得到 f l a g 这个公因子小,有限域开方就行,之后得到flag 这个公因子小,有限域开方就行,之后得到flag

exp:

from gmpy2 import *
from Crypto.Util.number import *
n = 16063619267258988011034805988633616492558472337115259037200126862563048933118401979462064790962157697989038876156970157178132518189429914950166878537819575544418107719419007799951815657212334175336430766777427972314839713871744747439745897638084891777417411340564312381163685003204182743581513722530953822420925665928135283753941119399766754107671729392716849464530701015719632309411962242638805053491529098780122555818774774959577492378249768503656934696409965037843388835948033129997732058133842695370074265039977902884020467413323500218577769082193651281154702147769044514475692164145099161948955990463002411473013
x = 3021730035236300354492366560252387204933590210661279960796549263827016146230329262559940840168033978439210301546282150367717272453598367244078695402717500358042032604007007155898199149948267938948641512214616076878271433754986480186150178487625316601499002827958344941689933374158456614113935145081427421623647242719093642478556263121508238995676370877385638074444859047640771188280945186355013165130171802867101829647797879344213688981448535289683363612035513789240264618036062440178755665951650666056478493289870170026121826588708849844053588998886259091357236645819074078054595561158630194224419831088510266212458
y = 8995787142441643101775260550632842535051686960331455373408888374295557050896156890779515089927839904014859222004906681231525326673182671984194300730575609496770604394218160422560576866112460837985407931067753009696969997384839637927957848613356269534870170452152926447601781637641134982178028922559652443398183848786034348994249923007092159192374765197460466878587635412657807328348343062302127490267456095927890461140420639805398464266081441243108883599713672104446500850203779995739675784794478089863001309614674686652597236324659979849324914804032046113978246674538411441434320732570934185579553749616238819583998
z = 1283646988194723153191718393109711130382429329041718186548715246082834666179475883560020086589684603980734305610989683434078096863563033623169666389076830792095374856743015929373461198718962686411467443788047511292138922700655772772117855226419561159782734009961921473456332468653898105909729309377890721920937410781006337057478451806364879679045839945032594716202888196404203782734864187890231653321470085251
c = 4988583141177813116287729619098477713529507701428689219486720439476625736884177254107631282807612305211904876847916760967188201601494592359879509876201418493870112712105543214178376471651715703062382025712952561985261461883133695993952914519494709871429166239968478488380137336776740647671348901626710334330855078254188539448122493675463406596681080368929986034772169421577420193671300532508625180845417164660544286332963072804192276425664877337357353975758574262657585309762422727680851018467657523970318042829660721433987195369353660020476598195375492128671951807024027929490113371463210453342974983253996717176870
q = gcd(x - y, n)
p = gcd((x - y - q),n) // q
r = y % p
s = n // (p * q * r)
m1_s = z % s ** 2
print(long_to_bytes(m1_s//s)) # nkctf{cb5b7392-cca4-4 # 21 * 8 = 168
phi = (p - 1) * (q - 1) * (r - 1)
# d = inverse(e * (s - 1) // 4,phi)
d = 10292015846226326626370949985893948454242815204536321567714079741863425644546741087742200394303759750805247274743208392548576973216333023868386336877699087761327762194552911961182361711805502363445273786531387634353279385813410433183027148735707050395036809376879910491222740252472008020497921316703002861855586695106995399872988828440326885200014455341405642060722665755794358954331817810279743968806464910408348141541467067267342883947498952304516890032676283
m_4 = pow(c,d,p * q * r)
e = 4
R.<x> = Zmod(p)[]
f=x^e-m_4
mps=f.monic().roots()

for i in mps:
    flag=long_to_bytes(int(i[0]))
    if b'}' in flag:
        print(flag) 
# ce2-87e7-930cf6b29959}

GGH

题目描述:

from sage.all import *
from flag import flag,n,delta # 格的维数,错误向量的最大范数
def hadamard_ratio(basis): # 计算哈达玛比率
    dimension = basis.nrows() # 获取基(basis)的行数,也就是基的维度
    det_Lattice = det(basis) # 计算基的行列式值
    mult=1.0
    for v in basis:
        mult *= float(v.norm(2)) # 计算每个向量 v 的2-范数(Euclidean norm),并将其乘以 mult
    hratio = (det_Lattice / mult) ** (1/dimension) # 计算哈达玛比率
    return hratio
def get_key(n): # 生成一个哈达玛比率大于0.86的格,并返回原始格 V 和密钥格 W
    l = 7
    k = ceil(sqrt(n) + 1) * l # 7 * n ** 0.5
    I = identity_matrix(n) # 单位矩阵
    while 1:
        V_ = random_matrix(ZZ,n, n, x=-l, y=l) # n * n的矩阵,其中最小值为-1,最大值为1
        V = V_ + I * k # 随机矩阵的主对角线上每个元素都加上 7 * n ** 0.5
        hada_ratio = hadamard_ratio(V) # 计算矩阵V的哈达玛比率 # 好基
        if hada_ratio > 0.86:
            # 用于生成模不变(unimodular)矩阵的函数。模不变矩阵是一个行列式的绝对值为1的整数矩阵
            U = unimodular_matrix(n) 
            W = V * U
            return V, W
        else:
            continue

def unimodular_matrix(n): # 模不变矩阵
    S = identity_matrix(n) 
    X = identity_matrix(n) 
    for i in range(n):
        for j in range(i,n):
            S[j, i] = choice([-1,1]) # 下三角填充随机的-1或1
            X[i, j] = choice([-1,1]) # 上三角填充随机的-1或1
    assert  det(S*X) == 1 or det(S*X) == -1
    return S*X # 一些特别小的向量
# n = 260
def get_error(n,delta): # 生成错误向量,delta = [0,20]
    k = 4*delta -2 
    tmp = [] 
    tmp += [delta - 2]*(n//k) 
    tmp += [delta - 1]*( ((k-2)*n) // (2*k)) 
    tmp += [delta]*(n//k) 
    tmp += [delta + 1]*( ((k-2)*n) // (2*k)) #
    return tmp

assert len(flag) == 44
assert delta < 20 

V,W = get_key(n) 
gift = str(hex(randint(70, 80))).zfill(5).encode('utf-8')
flag =  gift + flag
print(flag)
m = [i for i in flag]
pad = [randint(-128, 127) for i in range(n-len(m)) ]
m = vector(ZZ, m + pad)
r = vector(get_error(n,delta))
c = m * W + r
# 这里 (r).norm() 表示向量 r 的范数(norm)
assert floor((r).norm()) == delta*(floor(sqrt(n)))

with open('pubkey.txt', 'w') as f:
    f.write(str(W))

with open('ciphertext.txt', 'w') as f:
    f.write(str(c))

题目分析:
c = m * W + r
m * W = c - r
W,c均已知,那直接爆破r得到m

import numpy as np
with open('ciphertext.txt') as f:
    exec(f.read())
    
n = 260
B = []
with open('pubkey.txt', 'r') as file:
    content = file.readlines()
for line in content:
    line_data = [int(num) for num in line.strip('[] \n').split()]
    B.append(line_data)
    
W = matrix(ZZ, B)

tt = []
for delta in range(2,20):
    k = 4*delta -2
    tmp = [] 
    tmp += [delta - 2]*(n//k)
    tmp += [delta - 1]*( ((k-2)*n) // (2*k))
    tmp += [delta]*(n//k)
    tmp += [delta + 1]*( ((k-2)*n) // (2*k))
    if len(tmp) != 260:
        continue
    cc = list(c - t for c,t in zip(c,tmp))
    C = matrix(ZZ,cc)
    m = W.solve_left(C).list()
    for i in m:
        if i[0] == 48:
            print(m)
            break
            
m = [48, 48, 120, 52, 100, 110, 107, 99, 116, 102, 123, 71, 48, 111, 100, 95, 89, 48, 117, 95, 65, 114, 51, 95, 75, 110, 48, 87, 95, 71, 103, 104, 95, 67, 114, 121, 112, 116, 48, 115, 121, 115, 116, 51, 109, 33, 33, 33, 125, 8, -109, -119, 103, -1, 17, -88, -63, 85, 100, -21, 74, -70, 21, -78, 101, 75, 3, 7, -80, 22, 101, 6, -105, 69, 32, -76, 86, -25, 58, 89, 1, -37, -19, 53, 42, 76, -67, 14, -88, 95, -48, -120, -109, -47, -9, 36, 5, 59, -83, -8, -27, -57, 122, 0, -88, 70, 60, 2, -84, -69, -91, -71, 28, 2, 52, 125, 55, -96, -114, 126, 18, 64, 82, 109, -104, -84, -114, -1, 7, 7, 87, -111, -120, 121, -49, 115, 28, 9, 12, 21, -65, 27, -51, 106, 109, 96, 32, -80, 52, -91, 41, -103, -32, -112, 59, 71, 74, 99, 78, 103, -101, 46, -43, -16, 88, 62, 12, -91, -3, 40, 118, -112, -80, -94, -19, 40, -50, -60, 10, -96, 68, 58, 99, -100, -33, 63, 79, 103, -83, -2, 111, 3, -20, 75, 93, 20, 35, -32, -73, -67, -48, -92, -103, -7, -121, -124, -71, -11, -21, -55, -31, -124, 22, 122, 70, -115, 108, 92, 104, -104, -4, -53, 1, 103, 123, -123, -92, 49, 122, -47, 120, -122, -81, -116, 56, 64, -125, -96, -24, -116, 80, -108, 114, 107, -101, -8, 0, 115, 45, 6, -42, 15, -56, 122, -95, -97, -35, -93, 75, -91]
for i in m:
    print(chr(int(m)),end = '')
# nkctf{G0od_Y0u_Ar3_Kn0W_Ggh_Crypt0syst3m!!!}

官方wp看了一下,另一种解法,等会有时间就都去复现一下(目前好像还抽不出时间 唉)

Emmaaaaaaaaaa
关注
  • 13
    点赞
  • 31
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
2020JTWLB-个人CTF-MISC-手撕二维码
zippo1234的博客
10-22 3252
JTWLB-个人CTF-MISC-手撕二维码手撕二维码题目分析开始1.题目解压后得到九张BMP图片:2.标准二维码格式如下图:3.分析定位点4.使用工具拼图还原5.调整识别结语 每天一题,只能多,不能少 手撕二维码 JTWLB的竞赛刚刚结束,结果惨的一比,今天开始复现。 题目分析 正式比赛的时候按照太小看或者说高看这题了,直接上了脚本,按时间排序,还去找文件名字的规律,最后直接爆破,各种拼图,结果没有这么复杂,真的是手撕: 熟悉二维码的格式 ,定位点一定要对; 顺手的辅助工具能够事半功倍; 直接拼图不对就
IIS Crypto 3.2 下载
07-26
IIS Crypto 是一个免费工具,让管理员能够在 Windows Server 2008、2012、2016 和 2019 上启用或禁用协议、密码、哈希和密钥交换算法。一键禁用不安全的 SSL 3、TLS 1.0,开启TLS 1.2、TLS 1.3 非常方便
【moeCTF题解-0x04】Crypto
框架科工:Framecraft
11-03 5664
title: 【moeCTF题解-0x04】Crypto categories: CTF moeCTF tags: CTF Python Crypto 【moeCTF题解-0x04】Crypto 有多少信息熵,就能还原出多少信息 信息熵=[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-q9F2JTNw-1604412274080)(https://www.zhihu.com/equation?tex=-%5Csum_%7Bi%3D1%7D%5E%7Bn%7Dp_i%5.
NKCTF2024-Eznative
qq_24481913的博客
03-25 555
看到上层函数,其实这个sub_27F2d4是有符号的,我这里写wp的时候没有导入全部,名字叫做dialog,那么写过安卓开发的就知道这玩意就是弹窗了。然后在之前给出的GitHub项目中,发现其实他的enc出来的结果就是base64的,所以我们直接使用库就可以解密了。在old中也是有符号的,很明显的base。这里有个巨jb坑的地方,我点了n次一直不触发,后面来脾气了,长按一下,结果。短按是用来触发aaa的,当时hook过aaa,发现短按确实能触发。触发了,tnnd,后面发现应该是这个aaa与bbb的问题。
NKCTF2024 | 部分WP
ULGANOY的博客
03-25 1993
NKCTF2024 部分 WP
NKCTF2023 Crypto 部分wp
qq_41626232的博客
03-27 921
--------------------------------------------------------------------------------------------------------------------------------补一下这个格。泄露低444位,高位不知道泄露多少,但是flag总不会有 1024-444 位吧,只需高位570-444=126位就可以计算出中间的,跟常规的p低位泄露其实差不多。不知道这有啥问题,但是把-符号给replace了?
NKCTF2024 wp
ZJPC007的博客
03-25 1972
题目可分为两个部分:首先,需要解出四个未知数 p, q, r, s。这一部分的关键在于通过数学公式推导,根据等式 x = k1q + r^p 和 y = k2q + r^p,可以发现 x 和 y 相减后剩余的部分是 q 的整数倍,利用最大公约数(gcd)算法可以求解出 q,然后根据已知信息逐步还原出其他三个未知数。
2023 NKCTF --- Crypto ezRSA wp
3tefanie丶zhou的博客
03-28 892
【世间情种偏好伤心事,苦中作乐,乐在其中,不伤心又如何算得上痴情人。】
NKCTF 2023 Writeup By AheadSec
末初的CSDN博客
03-27 2647
NKCTF 2023 Writeup By AheadSec 战队的各位师傅辛苦啦~
IISCrypto3.2.zip
11-19
IIS Crypto是一款免费工具,使管理员能够在Windows Server 2008,2012和2016上启用或禁用协议,密码,哈希和密钥交换算法;它还允许您对IIS提供的SSL / TLS密码套件进行重新排序,实施最佳做法只需点击一下,创建...
IISCrypto.rar
04-06
SSL证书是网络安全的重要组成部分,它确保了在Web服务器和客户端之间传输的数据是加密的,防止数据被窃取或篡改。 描述中提到的“管理windows服务器 SSL证书加密方式”,意味着IISCrypto.exe工具可以帮助管理员优化...
crypto-js.zip
09-10
《深入理解AES加密与Crypto-js库在JavaScript中的应用》 AES(Advanced Encryption Standard),即高级加密标准,是一种广泛应用于网络安全的块密码算法。它基于Rijndael算法,以其高效性和安全性著称,被用于数据...
crypto_CRYPTO_PowerBuilder_
09-29
在IT领域,加密技术(CRYPTO)是一种至关重要的安全手段,用于保护数据的隐私和完整性。PowerBuilder是一款功能强大的开发工具,尤其适用于构建数据库应用程序。本主题将详细探讨如何在PowerBuilder 12中利用加密...
密码学基础-Hash、MAC、HMAC 的区别与联系
最新发布
wangyx1234的博客
07-21 658
本文主要介绍 Hash、MAC、HMAC 的联系与区别,层层递进地描述了如何增加数据的安全性。本文还介绍了长度扩展攻击的基本实现原理,HMAC 算法通过执行两轮 Hash 运算对抗这种攻击。hash只能验证数据完整性,无法保证数据防篡改,计算过程无密钥参与。MAC既可以验证数据完整性,也可以验证数据是由原始发送方发出的,计算过程有密钥参与,使用对称加密算法构造。
密码学原理精解【8】
应用数学
07-17 872
信息学中的熵,特别是在信息论中,用于量化信息的不确定性或随机性。熵的计算是基于随机变量的概率分布来进行的。HX−∑i1nPxilog⁡2PxiHX−i1∑n​Pxi​log2​Pxi​))]其中,X 表示随机变量,n 是 X可能取值的总数,PxiP(x_i)Pxi​是 X取值为xix_ixi​的概率,log⁡2\log_2log2​表示以2为底的对数。
Random,ThreadLocalRandom,SecureRandom有什么区别
abckingaa的博客
07-16 198
Random,ThreadLocalRandom,SecureRandom有什么区别? 那SecureRandom与ThreadLocalRandom 有什么区别? 应该使用那个?
Evil-WinRM一键测试主机安全情况(KALI工具系列四十四)
LNN0212的博客
07-17 845
Kali Linux 是一个功能强大、多才多艺的 Linux 发行版 ,广泛用于网络安全社区。它具有全面的预安装工具和功能集,使其成为安全测试、数字取证、事件响应和恶意软件分析的有效平台。作为使用者,你可以把它理解为一个特殊的Linux 发行版 ,集成了精心挑选的渗透测试和安全审计的工具,供渗透测试和安全设计人员使用,也可称之为平台或者框架。注意,一定只能用于自己设备的连通性测试哦!
ForCloud全栈安全体验,一站式云安全托管试用 开启全能高效攻防
亚信安全官方账号的博客
07-19 469
一站式云安全托管限时试用 开启全能高效攻防
程序员必修:免费加密基础课程Crypto101简介
"Crypto101.pdf"是一份面向编程者,特别是初学者的入门级加密学教程。该课程由Laurens Van Houtven在2013年至2017年间创作,并遵循Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值