2020第十三届全国大学生信息安全竞赛crypto wp

已于 2024-03-19 20:20:21 修改
阅读量3.7k 收藏 8
点赞数 1
分类专栏: 比赛wp 文章标签: 算法 信息安全 python
于 2020-08-21 21:27:53 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/jcbx_/article/details/108157020
版权

前言

这次国赛密码题有三道,我只做出了两题。可惜web、逆向和pwn零封了,所以最后成绩不太理想。

bd

没什么好说的,wiener attack秒了

#sage
from Crypto.Util.number import *
from sage.all import *
from random import randint
from gmpy2 import invert,iroot#不能全部导入,会有问题
def list_cf(p,q):
    '''
    return continued Fractions of p/q
    imput:int:p,q
    output:list of continued Fractions p/q   
    '''
    alist=[]
    r=p
    while(r):
        a=floor(p/q)
        r=p%q
        p=q
        q=r
        alist.append(int(a))
    return alist

def check_cf(alist):
    '''
    input:alist:list
    output:sum
    '''
    sum=0
    blist=alist[::-1]
    for i in blist:
        sum+=i
        sum=(1/sum)
    return (1/sum)

def convergent_cf_2(alist):
    '''
    input:alist:list
    output:the convergent of each cf :list
    change some detail
    '''   
    blist=[]
    for i in range(1,len(alist)):
        sum=0
        if i>1 and is_even(i):
            for k in range(i,0,-1):
                if k==i:
                    sum+=(alist[k]+1)
                else:
                    sum+=(alist[k])
                sum=(1/sum)
        else:
            for k in range(i,0,-1):
                sum+=alist[k]
                sum=(1/sum)
        blist.append(sum)
    return blist
            
                
                            
def possible_phi(e,alist,N):
    for m in range(1):
        for x in alist:
            phi=floor(e/x)-m
            jd=int(pow((phi-N-1),2)-4*N)
            if jd >= 0:
                if iroot(jd,int(2))[1]:
                    (p,q)=var('p,q')
                    x=solve([(p-1)*(q-1)==phi, p*q==N],p,q)
                    print x[0]
                    return int(str(x[0][0]).split('==')[1])
                else:
                    continue
            else:
                continue

def possible_phi2(e,alist,N): 
    for x in alist:
#       (k,dg)=as_integer_ratio(x)
        phi = floor(e*(1/x))
        if (N-phi+1)%2==0 and sqrt(pow((N-phi+1)//2,2)-N).is_integer():
                (p,q)=var('p,q')
                x=solve([(p-1)*(q-1)==phi, p*q==N],p,q)
                print x[0]
                return int(str(x[0][0]).split('==')[1])
        else:
            continue
        
def solve_wiener_attack(e,N):
    list=list_cf(e,N)
    clist=convergent_cf_2(list)
    return possible_phi2(e,clist,N)


def test():
    while 1:
        p=getPrime(512)
        q=getPrime(512)
        N=p*q
        nn=int(pow(N,0.25))
        d=next_prime(randint(1,nn))
        if gcd(p-1,q-1)<=2 and q<p and p<2*q:
            break

    e=invert(d,(p-1)*(q-1))
    print solve_wiener_attack(e,N)    
#=pq = 8927 and e = 2621.
(c,e,N)=(37625098109081701774571613785279343908814425141123915351527903477451570893536663171806089364574293449414561630485312247061686191366669404389142347972565020570877175992098033759403318443705791866939363061966538210758611679849037990315161035649389943256526167843576617469134413191950908582922902210791377220066,46867417013414476511855705167486515292101865210840925173161828985833867821644239088991107524584028941183216735115986313719966458608881689802377181633111389920813814350964315420422257050287517851213109465823444767895817372377616723406116946259672358254060231210263961445286931270444042869857616609048537240249, 86966590627372918010571457840724456774194080910694231109811773050866217415975647358784246153710824794652840306389428729923771431340699346354646708396564203957270393882105042714920060055401541794748437242707186192941546185666953574082803056612193004258064074902605834799171191314001030749992715155125694272289)
#(e,N) = (2621, 8927)
print solve_wiener_attack(e,N)
#当 d>pow(N,0.25)时,基本不可能解出来
#当gcd(p-1,q-1)比较大时,解不出来

lfsr

源码:

import random

from secret import flag

N = 100
MASK = 2**(N+1) - 1

def lfsr(state, mask):
    feedback = state & mask
    feed_bit = bin(feedback)[2:].count("1") & 1
    output_bit = state & 1
    state = (state >> 1) | (feed_bit << (N-1))
    return state, output_bit

def main():
    assert flag.startswith("flag{")
    assert flag.endswith("}")

    mask = int(flag[5:-1])
    assert mask.bit_length() == N
    
    state  = random.randint(0, MASK)
    print(state)
    
    outputs = ''
    for _ in range(N**2):
        state, output_bit = lfsr(state, mask)
        outputs += str(output_bit)
    
    with open("output.txt", "w") as f:
        f.write(outputs)

main()

分析后可知outputs是返回的每个state的最后一位,state每次变化都是向右移一位,然后左边添加一位feedbit,feedbit是state与mask与运算的1的数量模2的结果。所以我们通过outputs找到几乎所有的state。

其实在ctfwiki上看了BM算法才知道这题可以构造矩阵解决。

feed_bit可以看作是在GF(2)上的向量state和向量mask的乘积。所以通过构造N行state 和 feed向量使得
matrix(state) * mask = feed.
然后解一下方程组就能找到mask了。

wp:

#lFSr
from sage.all import *
N=100
F=GF(2)
out='0100110011101111011111011010100111001010010100001111110110111101011110011111010010010111011100110111011001100001010010011101101000110110000011111011110000010100001001000011001011011011011001111110101111001010011011100010011110101100100101111001011100011110111101001010000000100100000111100101100100100000100110001111110011100110101000110100011001110110000110111111010111000001101110011001101111010110101000101011110111001011001111111000100100100011100100010101001100111011101111100110101011101101001001110010111011010011111001100001111111100001000001101101000001010100110011001101000101001010001001011000010111111100101111000000101000010110100110101001001100100011000111101000110011110101101111100110101010101000000001110010101001001111101001010111011110110001100101001111110111000110101011011010110101100011110010000011000110010111101010010000011101110111100011011110110001111010101011101100101101001111100100011000100101111011110001111100000110111000111111000111100000110011011011111110011111100010010110000010011100001010101011011101100011001100101100011001010010001101010011000000011110110111000000110001010010111110101011100000010100100001101011010101100110000101100010001010010111011000100001000001001110101011000010111000000010101100001010000010110110000111100011011000010111001111101110111010110000011001011101100000100000100010100100000010011010000111110010001111010000100011110000101111000110100010110101110001011101101100111000001110100100000000010011001110101110000001101100000001010111010011111000101101011001010011001101000111000010111111010101000011011001001110000011100100100010110101100001110110111001000001011111100101100011010010010110000011110100110000111011011010101110101001100110100101100101000100011001011000001011110010000011000110111011110011010001101100010010111110101101101110100111010000001101000011011010011110111101000000100011000000101001000000011010101010000100001110110000110011000111101011100100101111101111111110101000011010001101100010010100111000000010000101100100110101000001001011100011111001101001101100010100000111010101111011101111111101100000010000111110011101010100101110100101010100011110100100000111010001000100011010011100010011000001110110100110110010100100110111011001010010010100000110101110000011110010110100010101000110000111101011011010111101100111100101001101001101100111101000100101101100010111010010111100100111101101110101110011010110011111011111010000011000100010010101110001001000111111100100010100000001001010111010100010111001011011101110010110111110110100011111101110111011000111001010010110001001011011100110101111100100000101110000001011110011101110101101001011111100011001100111001011011001011011101000101100100011101000011101011010110010111111010011110111111111100001101101001101101111000100110010010100000100000100110100100110010000100101100000101010101000111110101001111111011011111101101110010100110000010110111001101110011101100001111111001110110010010011101111100111111000010011010010011100000001010011111111110001111110110110110001001001111011001101110110101100011010001111110010001011010000011110101100110010010001110010100010000000010101010010111011010101011011000010010011010110101101011100100101110001100000111110010101100010100010100010000101111000011111000111000011110001110110000011000100110010101111111111100011010000010010010111111110000000010100100101101101010111011000001010000000101011010110011101000110011011001110101101001001101100010011110001101001001000011001101100001101100000101111000001110100001100001000100000000011010011001001011110011000011011000100011011001011100111111000011011010000100000011110110011011110111000001011101101110110101000101011111110000100000111111110011111111100010101001000011010001110111111011100010111001110110001000101010001001001111111110111001101001001000110000110100000000010010100001010111101001110001011101011000100000001001001011111000100011111000011010001110001111111110111100010001110101011101011100010100000011110000100011001100000100111000111011011101000110010011010011110010010000111010001011111111010110011100111011110100111000101100100111001001010001000100011110101100100010000000000110010111101101111101011001101111000000000100000101001011110000010011110011000000100111001001110001000010011111010100001001010010100111111010111001001110110101010010100010010100101100000001010010111101101000110100111110000000111110000011110011001101010111101010111010111010000000110010001011110101110110001000110111101110101101001001100001101110001000100000110100000100000111110010110110010011111100010011111001110111011010101010001011111110000000011110001010011001101010110010101100101100110010111001100100111101000100010100010010100000010010111101100111110101101111101001010110010001111111001101010111110101111001000111101001110100000111111010000111000010101001001101100111001111111111100011010111110001101000100001010000000001101101001110001000001110010000010110001001001101010111111001001010100011011111011000011001001101000110010101000010100001001000011111001101101111011111001000010010111011010110010011010101100100000101100110110011011110000110011000000001011000111100101000011011011010010111000110101110101111100100010101010101000011000111000010001001000100110101111001001001111100110000101100010011101100001000010100010101110001111110101100101000101110000110010100101100101100101100100111111010100101010011100110100011111001000100010001101111111101011110100111001110101001101000010001011000111101110001010100101101111000110101001011101110110110110110101011010001110011111011110011010100110100111111010101111101111100110000110010111110110100110000011110110111111101111010011010000101010111100001111110110000001000001000011101001010010100100100000001101011101110011001011011110010111101111101010011010000110110101000100010110110101101010110110010011010011111111100001001000110111101001111000011001000010111100110001110110011011011100101011010101100011001111111000100000011100110011001001011000100010110000100001100011010000110110011100000111000010001011010001110010101000100010001001110001011001010000111010010101110001010100011101101110010111100010110010000011010111001101000100111011010100001010011100000100001010100010110100111000000001111100000100011100101011011101111111101101110011111010000110111101000001001110111000001000101100110100100111100100011011100010011111101010001101010100101110000110011000100001111100100001000000100011101101011011111000011110010110110101010011101000001111001011100101001001101111000011110000001010011010001110000111001101100011110011001100000111101001011000110111011001101101101100101100110100101011111111110110000111101000000100101011100111001111111011010100110010001000001101010001110010010000101111000001010100000101100000010101110100000000110011001011000011101101000000100111111010111110100011111101100001001110001100101100001010000100000110111101001101010000011100000000100000101101010010101111101100110110111000011100111001010010100101000111011001001110011111100010010010110100111101100110110111001011110010000111011111010101000010001101110011111010110011100010001111111011100110100011110110001101001110001010001110011110101111101011101100000111011011101110000110111101010001000011110011011101100011100101110100000100010110110011010101011000010010110000000100010011001110010011110010110111001111011010101111011000000111110000011011100100010011110010110000001111110111000100111010100110010111100010000110101011110011010110011001011011010010111001000000000001001010101010001100000110111101000000010100100010100101011111110011011100111101001110101010001100000100100110111110001111000011100010110001101101010011001011111101011000110110000111111101100000000001000010010010011101001000111100000010111011011001001100110000101010110001011000001011010111000111100111011010101010011100100100100010000001101001101010111110010100101000001100111110111111110000101111100110001110111010111001111110111100000111011011010111011001111010100010000111011111111000100110110001100000110101000001010010010100111011100000011111110001000010011010101001111010111100011110110110111000000111101010110001100000100001101101001101010111110001101101100101101101001000100000100110111111010011010011111010110110111101001000100010111101100011010111011111010011110000100001100101101111110010101000000101111101000001111110100000001011011111111100100110101101011100101101001011010001100010101101100000101000001110110101010100001011100010000111010011101110000000010000000000010111100111000010000000110110011011101110000001111011100011101111100011000011001000100111010101011010101110011010011011011010100011011000110111101001110011110000100010011000010000001101010010011000111000000000101100011010001000100010100100100011000101110100010001111101001010100001000000110010011101011101000000100010000011010110100111110101110001111001000000101011101010111110110100100011010000011010111111001001111101101110111110111000001010111100010001001001100000000110011100001100100111010011111011001010001101111111000010110101000011100001010110100101110111001001100000000110110101011001110000011001111100001101110100101101111100110001010011011001010110111000100010000110001111101110011100001101000100110000111000110001011011110100010101011011001001111101001110011100001110001010100011001110110101101001101010101001110011110001011101011100100001101100110110110101011101010110011100000001011010111011101000000101110111110010000000000101001110011111011001110001100010111001010010110011100001000011111101111101100111000101011100011000001100000000000010000111111010010101110101011100010100001000000100111111010111110010010111010110010100111000010111100000000100010111010010011010011001100010001000001100110100101110100110110111101010001100001010011111011100000010110110110000000100101100110100101100111001010100010001011010001010011110100110101000110001110000100111111001000110011110010111000110010001111111111101011110100111101001001101110110011111000110010111000011011111001110101101101000011010101011010111101011101111011100101001111111000101100100000011000100101001011001011110001101001100101001'
out=[int(out[i]) for i in range(len(out))]
state=out[0:N][::-1]
state1=out[N:2*N]
blist=[]

for i in range(N):
    list=state1[:i][::-1]+state[:N-i]
    blist.append(list)
fb=out[N:2*N]

x=matrix(F,blist)
y=vector(F,fb)
t=x.solve_right(y)
print x*t
print y 
m=''
for i in t:
    m+=str(i)
print int(m,2)
Gm1y
关注
  • 1
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 5
    评论
专栏目录
2020第十三届全国大学生信息安全竞赛大部分题目
08-22
除了pwn类题和web的easy_unserialize全都有
第十三届全国大学生信息安全竞赛crypto
weixin_44110537的博客
08-23 716
第一题看起来很简单,就是我的电脑不够好,跑不出来…(其实是我没钱) bd 题目给的e很大,低解密指数攻击得到d再把结果跑出来. d=1485313191830359055093545745451584299495272920840463008756233 n=86966590627372918010571457840724456774194080910694231109811773050866217415975647358784246153710824794652840306389428729923771
大学生信息安全竞赛有那些?
最新发布
baimaozi008的博客
04-28 802
信息安全竞赛大学生提供了一个绝佳的平台,让他们能够学习、实践和展示网络安全技能,同时培养团队合作精神和解决问题的能力。
2020第十三届全国大学生信息安全创新实践大赛(线上初赛)re-z3wp
qq_43682582的博客
08-22 1244
第十三届全国大学生信息安全创新实践大赛re之z3 Z3 查壳 显示不是有效的PE文件,emmm,先放一下。 ida打开 找到主函数,F5查看伪代码 恩,上面那个不是有效PE文件看来没什么影响。 可以看出中间大串的运算过程其实是六组7元一次方程组,其中以v46为开头的数组作为未知量(v46为自己输入的字符串),运算过后得到的v4开头的数组再与已知的Dst数组进行比较,也就是说v4数组为已知数组,这样就构成了六组可解的7元一次方程组。 解方程的话可以运用线代方面的知识慢慢手解,当然网上也有在线解方程的网站:
第十三届全国大学生信息安全竞赛(线上初赛)
A_dmin的博客
08-21 9911
第十三届全国大学生信息安全竞赛(线上初赛) WEB easyphp 打开题目拿到源码: 让进程异常退出,进入到phpinfo中 payload: http://eci-2ze4mvter6u3r4shc9j6.cloudeci1.ichunqiu.com/?a=call_user_func&b=pcntl_wait 运行得到phpinfo,找到flag即可: RCEME 貌似有原题,不过过滤的不一样,这道题没有过滤反撇号: <?php error_reporting(0); h
2020全国信息安全大赛 web之trick
Firebasky的博客
08-22 729
参加了国赛,才发现自己太菜了,自己做的时候不会 一看别人wp,cm!。正所谓赛后诸葛亮,今天自己也来总结一下这道题 上源代码 <?php class trick{ public $a; public $b; public function __destruct(){ $this->a = (string)$this->a; if(strlen($this->a) > 5 || strlen($this->b) &.
【2020年第二届“网鼎杯”网络安全大赛 青龙组】Crypto boom
01-20
题目 原创文章 58获赞 99访问量 8393 关注 私信 展开阅读全文 作者:你们这样一点都不可耐
信息安全TS-Crypto.Code学习资料
07-18
信息安全TS-Crypto.Code学习资料:测试题目;入门指导;学习资料。
信息安全_数据安全_The Never Ending Crypto Wars.pdf
08-22
信息安全_数据安全_The Never Ending Crypto Wars 信息安全研究 安全建设 渗透测试 安全测试 漏洞分析
USTC信息安全实践课程讲义,简要介绍SageMath的常用函数使用,针对CTF的CRYPTO赛题的教程。.zip
11-09
信息安全竞赛相关程序代码、设计文档、使用说明,供参考 信息安全竞赛相关程序代码、设计文档、使用说明,供参考 信息安全竞赛相关程序代码、设计文档、使用说明,供参考 信息安全竞赛相关程序代码、设计文档、使用...
赛博地球杯工业互联网安全大赛wp1
08-03
工业互联网安全大赛 WP1 解析 本文将对赛博地球杯工业互联网安全大赛 WP1 进行详细解析,涵盖网络协议、PHP 和 SQL 等相关知识点。 一、网络协议 在 WP1 中,我们可以看到 ping 命令的使用,ping 命令是一种网络...
全国大学生信息安全竞赛作品集
12-28
pdf文档中包括2009年全国信息安全大赛所有获奖作品的介绍,及其作品实现流程。
2020第十三届全国大学生信息安全竞赛创新实践能力赛rceme writerup
b1ackc4t的博客
08-21 3479
审计代码 传入参数a,进入parserIfLabel函数 发现参数a的模板,a的格式要匹配pattern,如{if:payload}{end if} 可知ifstr是a中匹配的第一组的值,即payload中的值 并且经过danger_key函数过滤 继续往下看 Ifstr经过很多过滤替换,最终里面不包含大括号就会进入一个eval语句 漏洞正是出现在这里 往回看danger_key过滤函数 好家伙,不仅将一大堆关键字符替换成*,还进行了二次检查 但是...
全国大学生信息安全大赛线下赛crypto3题解
a5555678744的博客
06-28 920
打比赛收获挺大的,虽然主要是AWD的经验增长,但解题赛里也是有道有趣的题的。 首先看看题目,其实数学基础比较厚实的话,题目思路出的应该挺快,不过中间有两座计算大山,当时一时没搞出来,但是回头想想还是出来了。各位师傅可以先看看,说不定可以直接搞定呢。 from random import * from sympy import nextprime from serct import flag def Printprime(bits): A1=getprime(bits) A2=getprime(b
2023江西省大学生信息安全大赛 Crypto
Emmaaaaa's blog
11-09 299
考点:费马分解,gcd,解方程,矩阵求解
CISCN 2020 线上初赛 z3 WP
h1nt的博客
08-21 1181
IDA打开后核心代码如下: int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [rsp+20h] [rbp-60h] int v5; // [rsp+24h] [rbp-5Ch] int v6; // [rsp+28h] [rbp-58h] int v7; // [rsp+2Ch] [rbp-54h] int v8; // [rsp+30h] [rbp-50h] int v9;
2019全国大学生信息安全竞赛crypto---------part_des
Gm1y's Blog
05-30 2420
呼~~这个题目让我重新弄了一遍DES加密与解密,然后遇到一个问题卡了好久好久。。。。。。。/好惭愧 嗯。。。。 话不多说,咱们开始吧! 首先拿到题目!! Round n part 就是经过了DES加密n轮之后的密文,把Keymap里192位十六进制转化为二进制一共有768位,恰好768=16*48,这就是每轮的子密钥。 所以…子密钥都给了,密文也给了,我们就直接来敲代码啦! 咳咳咳,首先当然要了解...
线性反馈移位寄存器-LFSR
Bad_Monkey的博客
03-30 3793
LFSR 最开始了解到LFSR的时候是在学习MT19937伪随机数生成器的时候,当时也是初步了解。也没有用代码实现过,最近做了几道相关的题,在这里记录一下。 原理 证明过程不太会,简单说一下大致的原理。LFSR是用于生成随机数序列的,每一个LFSR都是有级数的,级数决定了潜在的循环周期(即随机数序列的周期)。对于每个LFSR还需要有一个线性函数,用于生成随机数。比如 四级LFSR 参数 ...
2021第十四届全国大学生信息安全竞赛WP(CISCN)-- pwn部分
热门推荐
lifanxin的博客
05-17 1万+
CISCN_2021_WP概述ciscn_2021_lonelywolf总结 概述   作为学习不到一年的练习生,今年第一次参加国赛,本以为题目会比较温柔,但是最后只做出了一道pwn题,本来还有两道pwn题是有机会的,但还是缺少一些知识或者技巧吧,没做出来,然后就结束了。本次国赛pwn题出了一道arm 64位结构的,其余都是正常的linux下pwn题,使用libc-2.27.so,有一道考了沙箱机制。 ciscn_2021_lonelywolf   ciscn_2021_lonelywolf   libc-
浙江省第六届信息安全大赛crypto
11-05
浙江省第六届信息安全大赛crypto是一道密码学题目,题目名称为easystream3。该题目需要爆破mask,得到正确的密钥后,使用RC4算法解密密文,最终得到明文。除此之外,该比赛还有其他类型的题目,如web、re、misc等。其中web4需要进行php代码审计,re2需要进行pyc反编译,misc2需要解密波利比奥斯方阵密码,misc3需要进行crc爆破zip并进行流量分析。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 5
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值