由于题目有点小难,老攒着不发我很难受,拆成上下两篇 我真聪明
真·Beginner
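# Challenge source. The flag is at most 50 bytes, so as a big-endian integer
# m it is below 2**400. The only value published is the last 175 decimal
# digits of m << 10000, i.e. (m * 2**10000) mod 10**175.
# The file is read once through a context manager so the handle is closed
# deterministically instead of being opened twice and left to the GC.
with open('flag.txt', 'rb') as flag_file:
    flag_bytes = flag_file.read()

leaked_suffix = '1002773875431658367671665822006771085816631054109509173556585546508965236428620487083647585179992085437922318783218149808537210712780660412301729655917441546549321914516504576'

assert len(flag_bytes) <= 50
assert str(int.from_bytes(flag_bytes, byteorder='big') << 10000).endswith(leaked_suffix)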
给出了 m<<10000 的十进制表示的最后 175 位数字
转换为数学公式
m*(2^10000)%(10^175)=c
自然想到:m ≡ c · (2^10000)^(-1) (mod 10^175)
所以把2^10000求模逆乘到c上就可以了
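一开始取模数为 10^175 时算不出模逆(2^10000 与 10^175 有公因数 2,不互素),可以把 10^175 分解为 (2*5)^175 = 2^175 * 5^175,只在模 5^175 下求逆。由于 flag 不超过 50 字节,m < 2^400 < 5^175,所以 m = c * (2^10000)^(-1) mod 5^175 就是完整的明文。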
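# Solver for the "Beginner" challenge: recover m from the last 175 decimal
# digits of m << 10000, i.e. from c = (m * 2**10000) mod 10**175.
c = 1002773875431658367671665822006771085816631054109509173556585546508965236428620487083647585179992085437922318783218149808537210712780660412301729655917441546549321914516504576

# 2**10000 shares the factor 2 with 10**175, so it has no inverse modulo
# 10**175. Work modulo the odd part 5**175 instead. The result is still the
# whole message because the challenge guarantees m < 2**400 < 5**175.
mod = pow(5, 175)

# The built-in modular inverse (Python 3.8+) replaces gmpy2.invert, so the
# script needs no third-party package and m stays a plain int.
f = pow(pow(2, 10000, mod), -1, mod)
m = c * f % mod

# Sanity check: the recovered value must reproduce every leaked digit.
if (m << 10000) % 10**175 != c:
    raise ValueError("recovered value does not reproduce the leaked digits")

# Minimal big-endian encoding, as Crypto.Util.number.long_to_bytes produces
# (a single zero byte for m == 0).
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), 'big'))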
真·guessguess
from random import shuffle
from secret import secret_msg
# The 16 lowercase hex digits; the cipher key used below is a shuffled copy of this alphabet.
ALPHABET = '0123456789abcdef'
class Cipher:
    """Toy substitution cipher over a secret ordering of the hex alphabet.

    ``key`` is a sequence of symbols. Each plaintext symbol is mapped to its
    position in ``key``, that position is XORed (4 bits wide) with the
    position of the previous plaintext symbol, and the symbol stored at the
    resulting position is emitted. The chaining state for the first symbol
    is the constant 7.
    """

    def __init__(self, key):
        self.key = key
        self.n = len(self.key)
        # Initial chaining state used for the first symbol of every message.
        self.s = 7

    def add(self, num1, num2):
        """Return the bitwise sum modulo 2 (XOR) of the low four bits."""
        return (num1 ^ num2) & 0xF

    def encrypt(self, msg):
        """Encrypt ``msg`` symbol by symbol and return the ciphertext string.

        Raises ValueError (from ``index``) if a symbol is not in the key.
        """
        table = self.key
        previous = self.s
        pieces = []
        for symbol in msg:
            position = table.index(symbol)
            pieces.append(table[self.add(position, previous)])
            # The state is the plaintext position, not the ciphertext one.
            previous = position
        return ''.join(pieces)
# The message is hex-encoded, so every plaintext symbol is one hex digit.
# It always begins with the same fixed, publicly visible prefix.
known_prefix_hex = b'The secret message is:'.hex()
plaintext = known_prefix_hex + secret_msg.hex()

# The key is a random permutation of the 16 hex digits.
# NOTE: random.shuffle draws from the Mersenne Twister, which is not a
# cryptographically secure generator; real key material should come from
# the OS CSPRNG (for example the secrets module).
key = list(ALPHABET)
shuffle(key)

cipher = Cipher(key)
ciphertext = cipher.encrypt(plaintext)
print(ciphertext)
# output:
# 85677bc8302bb20f3be728f99be0002ee88bc8fdc045b80e1dd22bc8fcc0034dd809e8f77023fbc83cd02ec8fbb11cc02cdbb62837677bc8f2277eeaaaabb1188bc998087bef3bcf40683cd02eef48f44aaee805b8045453a546815639e6592c173e4994e044a9084ea4000049e1e7e9873fc90ab9e1d4437fc9836aa80423cc2198882a
这道题太难了先不做了,受不了
Lousy RSA
from Crypto.Util.number import bytes_to_long, getStrongPrime
from math import gcd
from Crypto.Random import get_random_bytes
def encrypt(number):
    """Return ``number ** e mod N`` using the module-level ``e`` and ``N``.

    This is textbook RSA: no padding or randomization is applied, so the
    output is a deterministic function of ``number``.
    """
    ciphertext = pow(number, e, N)
    return ciphertext
def lousy_encrypt(a,m):
    """Encrypt ``(a**3 mod N) + (m << 24)`` with the textbook ``encrypt``.

    ``m`` is shifted left by 24 bits and ``a**3 mod N`` is added on top, so
    two calls with the same ``m`` produce plaintexts that differ only by
    their ``a``-dependent terms.
    """
    shifted = m << 24
    cube = pow(a, 3, N)
    return encrypt(cube + shifted)
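# Challenge generator: writes N, e and a list of ciphertexts to output.txt.
# Both files are handled through context managers so the handles are closed
# (and output.txt is flushed) deterministically. The original never closed
# either file.
with open('flag.txt', 'r') as flag_file:
    flag = flag_file.read().encode()

# Public exponent 3 with a 1024-bit modulus built from two 512-bit strong
# primes. Primes are redrawn until e is invertible modulo (p-1)*(q-1).
e = 3
p = getStrongPrime(512)
q = getStrongPrime(512)
while gcd(e, (p - 1) * (q - 1)) != 1:
    p = getStrongPrime(512)
    q = getStrongPrime(512)
N = p * q

# One 64-byte random value r is drawn and then reused for every ciphertext.
r = bytes_to_long(get_random_bytes(64))

# ct[0] encrypts r << 24 on its own; ct[i] encrypts c**3 + (r << 24) for the
# i-th flag byte c. Each c is below 256, so c**3 < 2**24 and only the low
# 24 bits of the plaintext differ between entries.
# NOTE: with e = 3 and no randomized padding these plaintexts are closely
# related. A real design would use a padded scheme such as RSA-OAEP with
# fresh randomness per message.
ct = [encrypt(r << 24)]
for c in flag:
    ct.append(lousy_encrypt(c, r))

# output.txt is written only after every value has been computed.
with open('output.txt', 'w') as out:
    out.write("N : " + str(N) + "\n")
    out.write("e : " + str(e) + "\n")
    out.write(str(ct))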
代码审计可以看出每次加密都涉及到了r<<24,列出式子不难看出类似short pad attack
c0=((r<<24))^3 (mod n)
c1=(a^3+(r<<24))^3 (mod n)
a^3 就是 short pad(a 是一个字节,a^3 < 2^24,正好落在 r<<24 空出的低 24 位里);求出这个差值后再开 3 次方得到 a,也就是 flag 的第一个字节,以此类推;
# Franklin-Reiter attack against RSA.
# If two messages differ only by a known fixed difference between the two messages
# and are RSA encrypted under the same RSA modulus N
# then it is possible to recover both of them.
import gmpy2
# Inputs are modulus, known difference, ciphertext 1, ciphertext2.
# Ciphertext 1 corresponds to smaller of the two plaintexts. (The one without the fixed difference added to it)
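def CoppersmithShortPadAttack(e,n,C1,C2,eps=1/30):
    """
    Coppersmith's short-pad attack (SageMath code, not plain Python).
    Figured out from: https://en.wikipedia.org/wiki/Coppersmith's_attack#Coppersmith.E2.80.99s_short-pad_attack

    Models C1 = x^e and C2 = (x + y)^e, where x is the shared plaintext and
    y the unknown small difference between the two plaintexts.

    Parameters:
        e   -- public exponent
        n   -- RSA modulus
        C1  -- ciphertext of the plaintext without the extra term
        C2  -- ciphertext of the plaintext with the small difference added
        eps -- passed to small_roots() as epsilon

    Returns whatever small_roots() returns for the polynomial in y, i.e.
    the candidate small differences modulo n (an empty result means none
    was found with these parameters).
    """
    P.<x,y> = PolynomialRing(ZZ)
    ZmodN = Zmod(n)
    g1 = x^e - C1
    g2 = (x+y)^e - C2
    # Resultant of the two polynomials; the code below reads only the
    # y-exponent of each term, so x is expected to have been eliminated
    # (presumably resultant() defaults to the first variable -- confirm).
    res = g1.resultant(g2)
    # Rebind y as the generator of a univariate ring over Z/nZ.
    P.<y> = PolynomialRing(ZmodN)
    # Convert Multivariate Polynomial Ring to Univariate Polynomial Ring.
    # coefficients()/exponents() are fetched once instead of on every
    # loop iteration.
    coeffs = res.coefficients()
    exps = res.exponents()
    rres = 0
    for coeff, exp in zip(coeffs, exps):
        rres += coeff*(y^(exp[1]))
    diff = rres.small_roots(epsilon=eps)
    return diff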
N = 172586324912059174647797531942031674711062691226058731710862001986640410691620689926009640793233539886361506818340977365593314281428521170793513104344345576781891061238291873583640097499046814240386537106373333197503030272709902722983392299884944974941816177444412015348511294873131429689212919672185181176739
e = 3
cs=[168658334421213747232847656238302466254027669293023358756047398504395075576853993580836429942561627595059657040563934993331562761575412947149005227828675214114274816764496716869598003987368818327391320987709721845655617940389376768491183236521932201125503469968304456151571520009788402749700581671789421599700, 87012761805827854950529922566538549606177263407420031116570756279931559642457228346664149700124517850407143911202777450625814236398958349496369494136458500250193008844236303242315107883490156995640566236967188309531645693985966559019761764176417760587063236657830687375926188492118445452473699198976972165500, 111548883148367424778054394538387230488843004925006317961746779937856635559595513304212793246768039691377488719760030000128556408835969531939733818049127427754838704205697110344848254405595158931279287221612400395137438808373216334005704913597988621735479678779088160336712618279931118880359277607359635289655, 54337580735823551352448926706484672981176289464246742998268734777798609249682391166379365056169103518156960987282198367831006211110449441679856453870263125551304026490561180766185081255849023100044869719217710392656901074214458795892344678637347180482288059175091923814306535428745144919129925554385676065003, 84363133277653661421686784932963659833143615738047162273199110785576858362121374456379732293356439234869625427863882359060391641427144057065928481146148048257792776146715569851028060383001431483497544078554315619586785736679785494124476939202773686625599987669409474951814072189235095272904272428328730999665, 27562250846464528855042460811879754139827659078668732615035806147890005998720652600600618901186196670864267676429322770820987614896030099194237316173160866971994524011212849441771128538926292602043119488179878662714258949094382679237147963534229897418654114256014785045354109993967673103335653154937320135423, 
172094685159802241269136365078483894825027988873211243839338773032891098684592982271810562573979118688354743378363081455680604968530086432190616819154865718440594158580872854093148089674817385073818159561212398784458721904407395847895131280574464420035530961839317386490700038008515282794345633748208420540102, 138134245968854241776629921551406556197559268184017437869171642565749009236559784172767211673526920558692527607188051009768810457781469145557093520217943366347778092132811335818636173771716908298216531517138724361401185857577240147616380734139192934708174676458929926406254188268574190878449532926249814629130, 21671467597307554422003093431961880973848617981784201389487380172788585297957554862183774899454873330144790280242954771711298071440114770596404876345872032423262225235587538976584339188102784589405905725053270291635530211449159122989117026640563062597457840872445182873691334137403721426252919934587872474870, 46501787140502988592924357583055445400507064798139574467036314296920260603694612075273271335991599656470878272440607061648171766874466712164248410228816187391123179622441500045042272870898138951868669484014892359404832396788580553943887548329019463175957264266483069029584613678878727559052645197741394732292, 129448033360362698104647315317245667900869831612971689024563199211501890543134739717555748463235506243740045017754486294818576583061924871711625625216443270413592707425568899469558504989802005845110092930514018199978626550916311717776388240889891163453525882588978544494344264602566016656648550802585757352773, 129448033360362698104647315317245667900869831612971689024563199211501890543134739717555748463235506243740