BMZCTF-crypto- writeup

BMZCTF -crypto- writeup

Sudoku&Viginere

数独，每个块内可填：1,3,5,a,e,r,t,y,_

After solving Sudoku, you will find Viginere’s secret:45 34 57 74 15 35 26 86 47 39

6633371612 1391792438
rr555t1r13 15_1t_3a5y

http://www.ab126.com/shuxue/10667.html

Ook

描述：

Brainfuck是一种极小化的计算机语言，它是由Urban Müller在1993年创建的。由于fuck在英语中是脏话，这种语言有时被称为brainf*ck或brainf**k，甚至被简称为BF。
Ook与Brainfuck类似，也是用替换法。
特征：

brainfuck语言用> < + - . , [ ]八种符号来替换C语言的各种语法和命令：
例如： +++++++++++++++++.>+++++++++++++++++++++++++++++++++++++++++

ook密码中有大量ook，加上一些符号；
Ook! has only three distinct syntax elements:
Ook.
Ook?
Ook!
这种就是ook密码
加密解密

在线加密解密：https://www.splitbrain.org/services/ook

栅栏密码

'''
遍历所有可能的栏数，并得到加/解密结果
'''
s = input()
factors = [fac for fac in range(2, len(s)) if len(s)%fac == 0] #取得密文长度的所有因数
for fac in factors:
    flag = ''
    for i in range(fac): #按一定的步长取几组字符，并连接起来，这里组数就等于步长数
        flag += s[i::fac]
        
    print(str(fac)+'栏：'+flag)

4进制

s = '1212 1230 1201 1213 1323 1012 1233 1311 1302 1202 1201 1303 1211 301 302 303 1331'.split(' ')
flag = ''
for i in s:
    flag = flag + chr(int(i,4))
	print(flag)
#flag{Fourbase123}

2018 AFCTF Morse

https://tool.lu/morse/

morse解码得到16进制数，转字符串即可

2018 HEBTUCTF 社会主义接班人

http://ctf.ssleye.com/cvencode.html

栅栏中的base

http://ctf.ssleye.com/base64.html

经过base16、32、64解码得到

f0FAl92Ca3ADg9_0{_B}

easy_base

base64解码40次

CRC32 BOOM！

查看压缩包发现1.txt和2.txt文件很小，对其进行crc32爆破

crc32爆破脚本下载地址：https://github.com/theonlypwner/crc32

生成密码字典：

s1=["1x5NQ8","9O2a5H","G1qi4N","IsCdeH","NjDZOc","OvJ7Un","P8CUk2","PT0xov","QTqIto","Rh5f6k","XBiGbJ","Z3AdV_","gsombC","mY3L6b","newctf","p7plP7","t3mmQT","vBENeA"]
 
s2=["17LE1V","53QD05","5Cm55e","6cfFvu","9l8GQb","BzTRNZ","EcSldq","HqVcs7","JpB1Br","LuKbrT","TRyOcs","_5IbAC","bugku_","dpn8Ey","mz9jRH","q5ekFH","w0l8vn","yOOyO0","zRUFdx"]
l1=[]
l2=[]
for i in s2:
    for j in s1:
        l1.append(i+j)
for j in s2:
    for i in s1:
        l2.append(i+j)
with open ('pw.txt', 'a+') as fo:
    for k in l1:
        fo.write(k+'\n')
    for k in l2:
        fo.write(k+'\n')

用zip破解工具字典爆破得到压缩包密码

打开flag.jpg报错，用notepad++打开，得到flag

2018 AFCTF 可怜的RSA （公钥、密文.enc）

公钥解析：http://ctf.ssleye.com/pub_asys.html

from Crypto.PublicKey import RSA
f = open('D:\\Download\\public.key', 'rb').read()
pub = RSA.importKey(f)
n = pub.n
e = pub.e
print(n, '\n', e)
# n = 79832181757332818552764610761349592984614744432279135328398999801627880283610900361281249973175805069916210179560506497075132524902086881120372213626641879468491936860976686933630869673826972619938321951599146744807653301076026577949579618331502776303983485566046485431039541708467141408260220098592761245010678592347501894176269580510459729633673468068467144199744563731826362102608811033400887813754780282628099443490170016087838606998017490456601315802448567772411623826281747245660954245413781519794295336197555688543537992197142258053220453757666537840276416475602759374950715283890232230741542737319569819793988431443
# e = 65537

分解模数n得到p、qhttp://www.factordb.com

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-2zJOcOoW-1628914224349)(C:\Users\Rang\AppData\Roaming\Typora\typora-user-images\image-20210522200951841.png)]

通过欧拉定理、p、q求摸反得到d

from gmpy2 import *
d = int(invert(e, (p-1)*(q-1)))
print(d)
# d = 406853230956379689450620815713768871010712825839536410687962650677800895818003893712259622281477453292088146173840036827322518131453630576229976208523593618949818777897059256426591560532784635697190752924923710375949616954069804342573867253630978123632384795587951365482103468722384133084798614863870775897915929475258974188300927376911833763105616386167881813301748585233563049693794370642976326692672223638908164822104832415788577945314264232531947860576966629150456995512932232264881080618006698700677529111454508900582785420549466798020451488168615035256292977390692401388790460066327347700109341639992159475755036449

打包密钥并对flag.enc解密（flag.enc文件是base64编码的密文）

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from base64 import b64decode
d = 406853230956379689450620815713768871010712825839536410687962650677800895818003893712259622281477453292088146173840036827322518131453630576229976208523593618949818777897059256426591560532784635697190752924923710375949616954069804342573867253630978123632384795587951365482103468722384133084798614863870775897915929475258974188300927376911833763105616386167881813301748585233563049693794370642976326692672223638908164822104832415788577945314264232531947860576966629150456995512932232264881080618006698700677529111454508900582785420549466798020451488168615035256292977390692401388790460066327347700109341639992159475755036449
n = 79832181757332818552764610761349592984614744432279135328398999801627880283610900361281249973175805069916210179560506497075132524902086881120372213626641879468491936860976686933630869673826972619938321951599146744807653301076026577949579618331502776303983485566046485431039541708467141408260220098592761245010678592347501894176269580510459729633673468068467144199744563731826362102608811033400887813754780282628099443490170016087838606998017490456601315802448567772411623826281747245660954245413781519794295336197555688543537992197142258053220453757666537840276416475602759374950715283890232230741542737319569819793988431443
e = 65537
p = 3133337
q = n//p
key_info = RSA.construct((n, e, d, p, q))   
key = RSA.importKey(key_info.exportKey())  #打包密钥
key = PKCS1_OAEP.new(key)                  #创建解密
f = open('E:\\Ctf\\BMZCTF\\crypto\\2018 AFCTF 可怜的RSA\\flag.enc', 'r').read()
c = b64decode(f)
flag = key.decrypt(c)                      #通过密钥解密密文
print(flag)
#b'afctf{R54_|5_$0_B0rin9}'

kali下操作：

第一步：在kali中使用命令：openssl rsa -pubin -text -modulus -in warmup -in pub.pem得到E和N的值。

第二步：使用python把16进制的N转换成10进制。

第三步：分解N得出P和Q以便求出私钥(d,n)。

第四步：在kali中使用python脚本生成私钥D。

第五步：在kali终端输入openssl进入openssl输入rsautl -decrypt -in flag.enc(密文名称) -inkey private.pem(我们所求得密钥名称)得到flag。

看键盘

ujn njkm ijnmhjk fgtrdcv tgvgy njkm hjuygbn ijnmhjk

flag{internet}

i改为大写即可

山东省大学生网络技术大赛-baby （低加密指数攻击）

# -*- coding: utf-8 -*-

from Crypto.PublicKey import RSA
import libnum
import uuid

flag = "flag{***************}"
rsa = RSA.generate(4096,e=3)
p = rsa.p
d = rsa.d
e = rsa.e
N = rsa.n
m = libnum.s2n(flag)
c = pow(m, e, N)
print "[+]c:",c
print "[+]N:",N
'''
[+]c: 3442467842482561323703237574537907554035337622762971103210557480050349359873041624336261782731509068910003360547049942482415036862904844600484976674423604861710166033558576921438068555951948966099658902606725292551952345193132973996288566246138708754810511646811362017769063041425115712305629748341207792305694590742066971202523405301561233341991037374101265623265332070787449332991792097090044761973705909217137119649091313457206589803479797894924402017273543719924849592070328396276760381501612934039653
[+]N: 691316677109436623113422493782665795857921917893759942123087462879884062720557906429183155859597756890896192044003240821906332575292476160072039505771794531255542244123516929671277306361467074545720823735806308003091983427678300287709469582282466572230066580195227278214776280213722215953097747453437289734469454712426107967188109548966907237877840316009828476200388327329144783877033491238709954473809991152727333616022406517443130542713167206421787038596312975153165848625721911080561242646092299016802662913017071685740548699163836007474224715426587609549372289181977830092677128368806113131459831182390520942892670696447128631485606579943885812260640805756035377584155135770155915782120025116486061540105139339655722904721294629149025033066823599823964444620779259106176913478839370100891213072100063101232635183636552360952762838656307300621195248059253614745118852163569388418086291748805100175008658387803878200034840215506516715640621165661642177371863874586069524022258642915100615596032443145034847031564356671559179212705466145609698475546210994748949121359853094247990533075004393534565421776468785821261291309463205314057882016266066365636018084499158806717036972590848458891019171583268920180691221168453612029698510271
'''

低加密指数攻击

# -*- coding: utf-8 -*-
#低加密指数攻击
import gmpy2
import libnum
e = 3
c = 3442467842482561323703237574537907554035337622762971103210557480050349359873041624336261782731509068910003360547049942482415036862904844600484976674423604861710166033558576921438068555951948966099658902606725292551952345193132973996288566246138708754810511646811362017769063041425115712305629748341207792305694590742066971202523405301561233341991037374101265623265332070787449332991792097090044761973705909217137119649091313457206589803479797894924402017273543719924849592070328396276760381501612934039653
n = 691316677109436623113422493782665795857921917893759942123087462879884062720557906429183155859597756890896192044003240821906332575292476160072039505771794531255542244123516929671277306361467074545720823735806308003091983427678300287709469582282466572230066580195227278214776280213722215953097747453437289734469454712426107967188109548966907237877840316009828476200388327329144783877033491238709954473809991152727333616022406517443130542713167206421787038596312975153165848625721911080561242646092299016802662913017071685740548699163836007474224715426587609549372289181977830092677128368806113131459831182390520942892670696447128631485606579943885812260640805756035377584155135770155915782120025116486061540105139339655722904721294629149025033066823599823964444620779259106176913478839370100891213072100063101232635183636552360952762838656307300621195248059253614745118852163569388418086291748805100175008658387803878200034840215506516715640621165661642177371863874586069524022258642915100615596032443145034847031564356671559179212705466145609698475546210994748949121359853094247990533075004393534565421776468785821261291309463205314057882016266066365636018084499158806717036972590848458891019171583268920180691221168453612029698510271
k = 0
while 1:
    result = gmpy2.iroot(c + k*n,e)
    if(result[1] == True):
        print(libnum.n2s(int(result[0])))
        break
    k = k + 1
#b'flag{4c466c3d0949118a3ca3319b43fe792bef9e94a19c8f666d2ec6c890034d88ba}'

2018 AFCTF MagicNum

加密代码：

#include <stdio.h>
char flag[]="afctf{sec_is_everywhere}";

int main()
{
	for(int i=0;i<6;++i){
		printf("%20f\n",*(float*)(flag+i*4));
	}
	return 0;
}2018 AFCTF MagicNum

题目给出一些浮点型数据，本题考察浮点数在内存中的存储问题

我们可以用c语言，将参数的地址（机器内存储的都是二进制）给字符型指针，再用指针取值（此时指针取地址中的值已经是二进制），这样就跳过了手动将浮点数转二进制的过程

#include <stdio.h>
int main()
{   float i;
    while(1){
 	scanf("%f",&i);
    char *p = &i;
    printf("%c%c%c%c\n",*(p),*(p+1),*(p+2),*(p+3));
    }
    return 0;
}

afctf{sec_is_everywhere}

easy_rsa 分解模数n

已知：

n = 20499421483319837632829005665244953604816631094131482091599739242452461959670789327098587429656441009883765163931516947567316643569963621519243386576155541991650610105070387440479691299670503655019032377026089584152047162143622592606512093871068907193787013919967475201572411584456318069752118161110853731611597336602111728937901380008855876406951363681839727114631417566905375167058609392654378267988132283758536576123045237315624774544667706040426027925497245266590365080287798629911056879889563806490213919247917120199512548392006107613124668838850719777385822083736801474373012496703900585089950184532462833403107 e = 65537 c = 20032571908334556518706996350628353762857932090373933681400888944312785947661616694094701195862850761910097168558675875627215052773260832659893374127927598227236026530897152252167201800939030104214536327304912430809760264428512032937328302608592176040184547483423711571171744055968148657366655074788139832543212184924191715976191905198701170693941252097895416146372351355392205316913304672023350664554170422353392751177640905416228502429781714418077926868264124293539349931619123485098501005249806829896270239835682082818035333364506995823621010867979820662847712684534266471691343787498430152750115780889521627965005

n = 20499421483319837632829005665244953604816631094131482091599739242452461959670789327098587429656441009883765163931516947567316643569963621519243386576155541991650610105070387440479691299670503655019032377026089584152047162143622592606512093871068907193787013919967475201572411584456318069752118161110853731611597336602111728937901380008855876406951363681839727114631417566905375167058609392654378267988132283758536576123045237315624774544667706040426027925497245266590365080287798629911056879889563806490213919247917120199512548392006107613124668838850719777385822083736801474373012496703900585089950184532462833403107
e = 65537
c = 20032571908334556518706996350628353762857932090373933681400888944312785947661616694094701195862850761910097168558675875627215052773260832659893374127927598227236026530897152252167201800939030104214536327304912430809760264428512032937328302608592176040184547483423711571171744055968148657366655074788139832543212184924191715976191905198701170693941252097895416146372351355392205316913304672023350664554170422353392751177640905416228502429781714418077926868264124293539349931619123485098501005249806829896270239835682082818035333364506995823621010867979820662847712684534266471691343787498430152750115780889521627965005
#分解n
p = 138149558149136946723702853693217798862267316666189942816520886165357260194916654034965226246613620482905011306996465659544456451870958162107819485799987144997514278358234816986266518092303586753050671210149075296173319503677929313696499057977134617244449388706566611756401925702906820026584248278446237580517
q = 148385718767120808294577062519850184639495614793281052895346144216250114087102888222369065569059037636249358547628359333320754976046188817562335343752474101985879697854111246597090633214354135620808419945688374075276767391174302507279227429182436807739268769378015447834458981548109968262808179707802448799271
import gmpy2
import libnum
d = gmpy2.invert(e,(p-1)*(q-1))
m = gmpy2.powmod(c,d,n)
print(libnum.n2s(int(m)))
#b'flag{Eeeasy_RSA!}'

small_rsa 同 山东省大学生网络技术大赛-baby （低加密指数攻击）

flag{4c466c3d0949118a3ca3319b43fe792bef9e94a19c8f666d2ec6c890034d88ba}

2018 HEBTUCTF Simple Caesar！

凯撒密码（rot13）

2018 AFCTF 你能看出这是什么加密么

p=0x928fb6aa9d813b6c3270131818a7c54edb18e3806942b88670106c1821e0326364194a8c49392849432b37632f0abe3f3c52e909b939c91c50e41a7b8cd00c67d6743b4f

q=0xec301417ccdffa679a8dcc4027dd0d75baf9d441625ed8930472165717f4732884c33f25d4ee6a6c9ae6c44aedad039b0b72cf42cab7f80d32b74061

e=0x10001

c=0x70c9133e1647e95c3cb99bd998a9028b5bf492929725a9e8e6d2e277fa0f37205580b196e5f121a2e83bc80a8204c99f5036a07c8cf6f96c420369b4161d2654a7eccbdaf583204b645e137b3bd15c5ce865298416fd5831cba0d947113ed5be5426b708b89451934d11f9aed9085b48b729449e461ff0863552149b965e22b6

p=0x928fb6aa9d813b6c3270131818a7c54edb18e3806942b88670106c1821e0326364194a8c49392849432b37632f0abe3f3c52e909b939c91c50e41a7b8cd00c67d6743b4f

q=0xec301417ccdffa679a8dcc4027dd0d75baf9d441625ed8930472165717f4732884c33f25d4ee6a6c9ae6c44aedad039b0b72cf42cab7f80d32b74061

e=0x10001

c=0x70c9133e1647e95c3cb99bd998a9028b5bf492929725a9e8e6d2e277fa0f37205580b196e5f121a2e83bc80a8204c99f5036a07c8cf6f96c420369b4161d2654a7eccbdaf583204b645e137b3bd15c5ce865298416fd5831cba0d947113ed5be5426b708b89451934d11f9aed9085b48b729449e461ff0863552149b965e22b6
import gmpy2
import libnum
d = gmpy2.invert(e,(q-1)*(p-1))
m = pow(c,d,p*q)
print(libnum.n2s(int(m)))

b’\x02\xd3\xe4v\xea\x80r\x83\xda\x99\x88\xf5#\x08\xbbAT\x8b\xaf\xd2\xf4\xdc\x9f\xd3\xbf\xb7A\xc3\xcc\xc5`\xa1\x8b\x86\x18y\xd0&\x88\x10\xef\xbe\x83\xcer\xceC\x17\xec[\xb7%\x08\xef\x16\x1f\xab\x0c\x96\xa3\xdc N^\x8e,\xa3\x11{\x99U\xcd\x15o\xd7B\xf4L\x8f}&\xc5$\xca\xd5;\xf9\x02Y\xc1\xbbS\xfd4\x83M\x96\xa9\xbd;\x83/\xf7\x00afctf{R54_|5_KaTeX parse error: Expected group after '_' at position 2: 0_̲imp13}’

2018 HEBTUCTF easy_crypto （morse、baconian）

摩斯解密：http://rumkin.com/tools/cipher/morse.php

将L转为A、J转为B

培根解密：

http://rumkin.com/tools/cipher/baconian.php

Bacon Encode_Decode System

# coding:utf8

import re

alphabet = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']

first_cipher = ["aaaaa","aaaab","aaaba","aaabb","aabaa","aabab","aabba","aabbb","abaaa","abaab","ababa","ababb","abbaa","abbab","abbba","abbbb","baaaa","baaab","baaba","baabb","babaa","babab","babba","babbb","bbaaa","bbaab"]

second_cipher = ["aaaaa","aaaab","aaaba","aaabb","aabaa","aabab","aabba","aabbb","abaaa","abaaa","abaab","ababa","ababb","abbaa","abbab","abbba","abbbb","baaaa","baaab","baaba","baabb","baabb","babaa","babab","babba","babbb"]

def encode():
    upper_flag = False # 用于判断输入是否为大写
    string = input("please input string to encode:\n")
    if string.isupper():
        upper_flag = True
        string = string.lower()
    e_string1 = ""
    e_string2 = ""
    for index in string:
        for i in range(0,26):
            if index == alphabet[i]:
                e_string1 += first_cipher[i]
                e_string2 += second_cipher[i]
                break
    if upper_flag:
        e_string1 = e_string1.upper()
        e_string2 = e_string2.upper()
    print("first encode method result is:\n"+e_string1)
    print("second encode method result is:\n"+e_string2)
    return


def decode():
    upper_flag = False  # 用于判断输入是否为大写
    e_string = input("please input string to decode:\n")
    if e_string.isupper():
        upper_flag = True
        e_string = e_string.lower()
    e_array = re.findall(".{5}",e_string)
    d_string1 = ""
    d_string2 = ""
    for index in e_array:
        for i in range(0,26):
            if index == first_cipher[i]:
                d_string1 += alphabet[i]
            if index == second_cipher[i]:
                d_string2 += alphabet[i]
    if upper_flag:
        d_string1 = d_string1.upper()
        d_string2 = d_string2.upper()
    print("first decode method result is:\n"+d_string1)
    print("second decode method result is:\n"+d_string2)
    return


if __name__ == '__main__':
    print("\t\tcoding by qux")
    while True:
        print("\t*******Bacon Encode_Decode System*******")
        print("input should be only lowercase or uppercase,cipher just include a,b(or A,B)")
        print("1.encode\n2.decode\n3.exit")
        s_number = input("please input number to choose\n")
        if s_number == "1":
            encode()
            input()
        elif s_number == "2":
            decode()
            input()
        elif s_number == "3":
            break
        else:
            continue

看的出来吗

经过base64解码、base91解码、base58解码得到

https://base64.supfree.net/
http://ctf.ssleye.com/base91.html
http://ctf.ssleye.com/base58w.html

easy_CRC

crc32爆破

十六进制转字符并整合：

s = "0x62, 0x33, 0x32, 0x33, 0x31, 0x65, 0x39, 0x34, 0x66, 0x30, 0x34, 0x35, 0x65, 0x37, 0x36, 0x65, 0x35, 0x39, 0x33, 0x32, 0x36, 0x36, 0x66, 0x34"
s = s.split(', ')
flag = ''
for i in range(len(s)):
    flag += chr(int(s[i][2:],16))
    print(flag)

键盘之争

键盘布局有qwerty、dvorak、colemak

此题考察的是将qwerty布局转为dvorak

https://www.cnblogs.com/zhangshenjia/archive/2012/04/11/qwerty_dvorak_colemak.html

dic={r"'":"q",
 
r",":"w",
 
r".":"e",
 
"p":"4",
 
"y":"t",
 
"f":"y",
 
"g":"u",
 
"c":"i",
 
"r":"o",
 
"l":"p",
 
r"/":r"[",
 
r"=":r"]",
 
r'"':'Q',
 
r"<":"W",
 
r">":"E",
 
"P":"R",
 
"Y":"T",
 
"F":"Y",
 
"G":"U",
 
"C":"I",
 
"R":"O",
 
"L":"P",
 
r"?":r"{",
 
r"+":r"}",
 
"a":"a",
 
"A":"A",
 
"o":"s",
 
"O":"S",
 
"e":"d",
 
"E":"D",
 
"u":"f",
 
"U":"F",
 
"i":"g",
 
"I":"G",
 
"d":"h",
 
"D":"H",
 
"h":"j",
 
"H":"J",
 
"t":"k",
 
"T":"K",
 
"n":"l",
 
"N":"L",
 
"s":";",
 
"S":":",
 
r"-":r"'",
 
r'_':r'"',
 
r";":"z",
 
r":":"Z",
 
"q":"x",
 
"Q":"X",
 
"j":"c",
 
"J":"C",
 
"k":"v",
 
"K":"V",
 
"x":"b",
 
"X":"B",
 
"b":"n",
 
"B":"N",
 
"m":"m",
 
"M":"M",
 
"w":r",",
 
"W":r"<",
 
"v":r".",
 
"V":r">",
 
"z":r"/",
 
"Z":r"?",
 
r'!':"!",
 
r"@":r"@",
 
r"#":r"#",
 
r"$":r"$",
 
r"%":r"%",
 
r"^":r"^",
 
r"&":r"&",
 
r"*":r"*",
 
r"(":r"(",
 
r")":r")",
 
r"[":r"-",
 
r"]":r"=",
 
r"{":r"_",
 
r"}":r"+"}
 
s=r'ypau_kjg;"g;"ypau+'
for i in s:
	print (" ".join([key for key, value in dic.items() if value == i]),end='')
#flag{this_is_flag}

转md5

import hashlib

m = hashlib.md5()

m.update(*b*'this_is_flag')

print("flag{" + m.hexdigest() + "}")

flag{951c712ac2c3e57053c43d80c0a9e543}

2018 AFCTF Single

密文：

Jmqrida rva Lfmz (JRL) eu m uqajemf seny xl enlxdomrexn uajiderc jxoqarerexnu. Rvada mda rvdaa jxooxn rcqau xl JRLu: Paxqmdyc, Mrrmjs-Yalanja mny oekay.

Paxqmdyc-urcfa JRLu vmu m jxiqfa xl giaurexnu (rmusu) en dmnza xl jmrazxdeau. Lxd akmoqfa, Wab, Lxdanuej, Jdcqrx, Benmdc xd uxoarvenz afua. Ramo jmn zmen uxoa qxenru lxd atadc uxftay rmus. Oxda qxenru lxd oxda jxoqfejmray rmusu iuimffc. Rva nakr rmus en jvmen jmn ba xqanay xnfc mlrad uxoa ramo uxfta qdatexiu rmus. Rvan rva zmoa reoa eu xtad uio xl qxenru uvxwu cxi m JRL wenad. Lmoxiu akmoqfa xl uijv JRL eu Yaljxn JRL gimfu.

Waff, mrrmjs-yalanja eu mnxrvad enradaurenz seny xl jxoqarerexnu. Vada atadc ramo vmu xwn narwxds(xd xnfc xna vxur) werv tifnmdmbfa uadtejau. Cxid ramo vmu reoa lxd qmrjvenz cxid uadtejau mny yatafxqenz akqfxeru iuimffc. Ux, rvan xdzmnehadu jxnnajru qmdrejeqmnru xl jxoqarerexn mny rva wmdzmoa urmdru! Cxi uvxify qdxrajr xwn uadtejau lxd yalanja qxenru mny vmjs xqqxnanru lxd mrrmjs qxenru. Veurxdejmffc rveu eu m ledur rcqa xl JRLu, atadcbxyc snxwu mbxir YAL JXN JRL - uxoarvenz fesa m Wxdfy Jiq xl mff xrvad jxoqarerexnu.

Oekay jxoqarerexnu omc tmdc qxuuebfa lxdomru. Er omc ba uxoarvenz fesa wmdzmoa werv uqajemf reoa lxd rmus-bmuay afaoanru (a.z. IJUB eJRL).

JRL zmoau xlran rxijv xn omnc xrvad muqajru xl enlxdomrexn uajiderc: jdcqrxzdmqvc, urazx, benmdc mnmfcueu, datadua anzanaadenz, oxbefa uajiderc mny xrvadu. Zxxy ramou zanadmffc vmta urdxnz useffu mny akqadeanja en mff rvaua euuiau.

Iuimffc, lfmz eu uxoa urdenz xl dmnyxo ymrm xd rakr en uxoa lxdomr. Akmoqfa mljrl{Xv_I_lxiny_er_neja_rDc}

加密程序：

#include <bits/stdc++.h>
using namespace std;
int main()
{
	freopen("Plain.txt","r",stdin);
	freopen("Cipher.txt","w",stdout);
	map<char, char> f;
	int arr[26];
	for(int i=0;i<26;++i){
		arr[i]=i;
	}
	random_shuffle(arr,arr+26);
	for(int i=0;i<26;++i){
		f['a'+i]='a'+arr[i];
		f['A'+i]='A'+arr[i];
	}
	char ch;
	while((ch=getchar())!=EOF){
		if(f.count(ch)){
			putchar(f[ch]);
		}else{
			putchar(ch);
		}
	}
	return 0;
}

发现随机加密，找不到规律

进行词频分析：https://quipqiup.com/

HEBTUCTF WIFNVDSFFDYUBPAMEMS

题目：

`Looks like I’m too lazy to complete it. >_< Can you help me a little?

EULS LS I XCISSLXIC SHNEHNXH: EUH VWLXF YDAKN OAR MWBJS AZHD EUH CIPT GAQ! OLQUE, ING TAW BIT GLH. DWN, ING TAW’CC CLZH IE CHISE I KULCH. ING GTLNQ LN TAWD YHGS BINT THIDS ODAB NAK. KAWCG TAW YH KLCCLNQ EA EDIGH? ICC EUH GITS ODAB EULS GIT EA EUIE, OAD ANH XUINXH, MWSE ANH XUINXH, EA XABH YIXF UHDH ING EHCC AWD HNHBLHS EUIE EUHT BIT EIFH AWD CLZHS, YWE EUHT’CC NHZHD EIFH AWD OCIQ!OCIQ LS UHYEWXEO KLONZGSOOGTWYJIBHBS.`

以为时图片隐写，试了下无果

词频分析拿到flag:https://quipqiup.com/

Crypto_easy_crypto 拆分模数得到好求的phi

已知：

from Crypto.Util.number import *
from secret import flag

def keygen(nbit):
    while True:
        p, q, r = [getPrime(nbit) for _ in range(3)]
        if isPrime(p + q + r):
            pubkey = (p * q * r, p + q + r)
            privkey = (p, q, r)
            return pubkey, privkey

def encrypt(msg, pubkey):
    enc = pow(bytes_to_long(msg.encode('utf-8')), 0x10001, pubkey[0] * pubkey[1])
    return enc

nbit = 512                                                                                                                   
pubkey, _ = keygen(nbit)
print('pubkey =', pubkey)

enc = encrypt(flag, pubkey)
print('enc =', enc)

#pubkey = (763929224901239050077647342425144363318006219360210465113458622937882119766705458273788947718911994090187932947694326848868575500906975653763043489419853300731695950407389203582333794360159494405111004208058198680365172060235321945875374635278292661761319773173838900295933943437761251440819434675631450032782188481758975272071015244168751016874668742536151359822585793537758876078350987062972237271763834743266722655055439868971805843593929839097963319788083763,
27750416681837900468631425875797804482827864226099175414717825894823303299159277202974070903630276868248755642608884903122768656427165401563920443482151217)
#enc = 7579294603035135817234501131256282324240132424272000903035801073847222917306092792610406876451698121956232047031639448767323475088170357863653435096746640609325525035329328626562143049656124241263576649974820533800161432666946327226418036826146160288273175521864687122720836795596635067761146519940441817765732160382018434465776749372209181212817247187474685246156193381822044772746654690126746715728166527274933634750443478682812664022009444348448955720226579468781927776133336045525149203384137859868153077820708167146052429014790660921586958660759949399826568136755816563468739111123761288318276379025018708883521

已知公钥分为俩部分，求私钥（d,n）即可

这里直接求（p-1)(q-1)(r-1)(p+q+r-1)不好求，求p+q+r-1即可

证明过程：https://blog.cryptohack.org/cryptoctf2020

decode.py:

#pubkey[0] = (763929224901239050077647342425144363318006219360210465113458622937882119766705458273788947718911994090187932947694326848868575500906975653763043489419853300731695950407389203582333794360159494405111004208058198680365172060235321945875374635278292661761319773173838900295933943437761251440819434675631450032782188481758975272071015244168751016874668742536151359822585793537758876078350987062972237271763834743266722655055439868971805843593929839097963319788083763,
#pubkey[1] = 27750416681837900468631425875797804482827864226099175414717825894823303299159277202974070903630276868248755642608884903122768656427165401563920443482151217)
enc = 7579294603035135817234501131256282324240132424272000903035801073847222917306092792610406876451698121956232047031639448767323475088170357863653435096746640609325525035329328626562143049656124241263576649974820533800161432666946327226418036826146160288273175521864687122720836795596635067761146519940441817765732160382018434465776749372209181212817247187474685246156193381822044772746654690126746715728166527274933634750443478682812664022009444348448955720226579468781927776133336045525149203384137859868153077820708167146052429014790660921586958660759949399826568136755816563468739111123761288318276379025018708883521
#已知c、e、n = q*p*r、k=p+q+r
#
import gmpy2
import libnum
n = 763929224901239050077647342425144363318006219360210465113458622937882119766705458273788947718911994090187932947694326848868575500906975653763043489419853300731695950407389203582333794360159494405111004208058198680365172060235321945875374635278292661761319773173838900295933943437761251440819434675631450032782188481758975272071015244168751016874668742536151359822585793537758876078350987062972237271763834743266722655055439868971805843593929839097963319788083763
k = 27750416681837900468631425875797804482827864226099175414717825894823303299159277202974070903630276868248755642608884903122768656427165401563920443482151217
e = int(0x10001)
d = gmpy2.invert(e,k-1)
m = gmpy2.powmod(enc,d,k)
print(libnum.n2s(int(m)))
#b'BMZCTF{9d8ef46w59c4-4s5w-8d4a-w9d5-5dq78e9d}'

Crypto_xor DefCamp CTF 2020 – why-xor

题目：

xored = ['\x00', '\x00', '\x00', '\x18', 'C', '_', '\x05', 'E', 'V', 'T', 'F', 'U', 'R', 'B', '_', 'U', 'G', '_', 'V', '\x17', 'V', 'S', '@', '\x03', '[', 'C', '\x02', '\x07', 'C', 'Q', 'S', 'M', '\x02', 'P', 'M', '_', 'S', '\x12', 'V', '\x07', 'B', 'V', 'Q', '\x15', 'S', 'T', '\x11', '_', '\x05', 'A', 'P', '\x02', '\x17', 'R', 'Q', 'L', '\x04', 'P', 'E', 'W', 'P', 'L', '\x04', '\x07', '\x15', 'T', 'V', 'L', '\x1b']
s1 = ""
s2 = ""
# ['\x00', '\x00', '\x00'] at start of xored is the best hint you get
a_list = [chr(ord(a) ^ ord(b)) for a,b in zip(s1, s2)]
print(a_list)
print("".join(a_list))

提示前三个字符异或后为\x00 ‘ctf’ ^ ‘ctf’ == ‘\x00\x00\x00’

解题：

ls = ['\x00', '\x00', '\x00', '\x18', 'C', '_', '\x05', 'E', 'V', 'T', 'F', 'U', 'R', 'B', '_', 'U', 'G', '_', 'V', '\x17', 'V', 'S', '@', '\x03', '[', 'C', '\x02', '\x07', 'C', 'Q', 'S', 'M', '\x02', 'P', 'M', '_', 'S', '\x12', 'V', '\x07', 'B', 'V', 'Q', '\x15', 'S', 'T', '\x11', '_', '\x05', 'A', 'P', '\x02', '\x17', 'R', 'Q', 'L', '\x04', 'P', 'E', 'W', 'P', 'L', '\x04', '\x07', '\x15', 'T', 'V', 'L', '\x1b']
secret = "ctf" * (len(ls)//3)
print(secret)
a_list = [chr(ord(a) ^ ord(b)) for a,b in zip(ls, secret)]
print(a_list)
print("".join(a_list))
#ctf{79f107231696395c004e87dd7709d3990f0d602a57e9f56ac428b31138bda258}

rsass

压缩包弱口令：password

得到 俩个公钥和对应密文

公钥解析：http://ctf.ssleye.com/pub_asys.html

pubkey1

pubkey2

发现对公钥中的模数n相同，使用共模攻击

注意：密文用base64编码了，需要解密再转十进制

from gmpy2 import invert
import libnum
import base64
import os
import sys
#path = os.getcwd()#获取当前路径
path = sys.path[0] #获取脚本路径
def gongmo(n, c1, c2, e1, e2):
    def egcd(a, b):
        #扩展欧拉定理
        if b == 0:
            return a, 0
        else:
            x, y = egcd(b, a % b)
            return y, x - (a // b) * y
    s = egcd(e1, e2)
    s1 = s[0]
    s2 = s[1]

    # 求模反元素（逆元）
    if s1 < 0:
        s1 = - s1
        c1 = invert(c1, n)
    elif s2 < 0:
        s2 = - s2
        c2 = invert(c2, n)
    m = pow(c1, s1, n) * pow(c2, s2, n) % n
    return m
n = 17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399
with open(path + '.\\rsa\\flag1.enc','rb') as f1:
    c1 = f1.read()
    c1 = base64.b64decode(c1)
    c1 = libnum.s2n(c1)
    print(c1)
with open(path + '.\\rsa\\flag2.enc','rb') as f2:
    c2 = f2.read()
    c2 = base64.b64decode(c2)
    c2 = libnum.s2n(c2)
e1 = 2333
e2 = 23333

result = gongmo(n, c1, c2, e1, e2)
print(result)
print(libnum.n2s(int(result)))
#b'flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}'

去掉-即flag

2018 AFCTF One Secret, Two encryption

题目给出了俩组密文和公钥，提示了素数生成慢、偷懒、用相同密文（解一个即可）

猜测两个模数n公用了一个素数

分别进行公钥提取：http://ctf.ssleye.com/pub_asys.html

​ public1:

​ public2:

求俩个n的最大公约数得到其中一个素数即可解题

decode.py

n1 = 4850297138162223468826481623082440249579136876798312652735204698689613969008632545220976699170308454082390834742570718247804202060929493571642074679428565168405877110681518105667301785653517697684490982375078989886040451115082120928982588380914609273008153977907950532498605486225883973643141516024058315360572988744607134110254489421516026937249163493982681336628726033489124705657217768229058487155865265080427488028921879608338898933540825564889012166181346177276639828346376362168934208822467295673761876965864573164529336885250577357767314256581019474130651412100897839606491189424373959244023695669653213498329
e1 = 1666626632960368239001159408047765991270250042206244157447171188195657302933019501932101777999510001235736338843107709871785906749393004257614129802061081155861433722380145001537181142613515290138835765236002811689986472280762408157176437503021753061588746520433720734608953639111558556930490721517579994493088551013050835690019772600744317398218183883402192060480979979456469937863257781362521184578142129444122428832106721725409309113975986436241662107879085361014650716439042856013203440242834878648506244428367706708431121109714505981728529818874621868624754285069693368779495316600601299037277003994790396589299
n2 = 2367536768672000959668181171787295271898789288397672997134843418932405959946739637368044420319861797856771490573443003520137149324080217971836780570522258661419034481514883068092752166752967879497095564732505614751532330408675056285275354250157955321457579006360393218327164804951384290041956551855334492796719901818165788902547584563455747941517296875697241841177219635024461395596117584194226134777078874543699117761893699634303571421106917894215078938885999963580586824497040073241055890328794310025879014294051230590716562942538031883965317397728271589759718376073414632026801806560862906691989093298478752580277
e2 = 65537
#n1 和 n2极有可能有公约数
import gmpy2
import libnum
p = gmpy2.gcd(n1,n2)
q1 = n1//p
q2 = n2//p
d1 = gmpy2.invert(e1,(p-1)*(q1-1))
d2 = gmpy2.invert(e2,(p-1)*(q2-1))
with open("..\\flag_encry1","rb") as f1:
    c1 = f1.read()
    c1 = libnum.s2n(c1)
with open("..\\flag_encry2","rb") as f2:
    c2 = f2.read()
    c2 = libnum.s2n(c2)
m1 = gmpy2.powmod(c1,d1,n1)
m2 = gmpy2.powmod(c2,d2,n2)
print(libnum.n2s(int(m1)))
print(libnum.n2s(int(m2)))

2018 AFCTF Vigenère

vigenere暴力破解：https://www.guballa.de/vigenere-solver

afctf{Whooooooo_U_Gotcha!}

参考：https://www.programmersought.com/article/62834774254/

encode

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main()
{
	freopen("flag.txt","r",stdin);
	freopen("flag_encode.txt","w",stdout);
	char key[] = /*SADLY SAYING! Key is eaten by Monster!*/;
	int len = strlen(key);
	char ch;
	int index = 0;
	while((ch = getchar()) != EOF){
		if(ch>='a'&&ch<='z'){
			putchar((ch-'a'+key[index%len]-'a')%26+'a');
			++index;
		}else if(ch>='A'&&ch<='Z'){
			putchar((ch-'A'+key[index%len]-'a')%26+'A');
			++index;
		}else{
			putchar(ch);
		}
	}
	return 0;
}

decode

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
 
int main()
{
	freopen("flag.txt", "w", stdout);
	freopen("flag_encode.txt", "r", stdin);
 
    //char encoded[] = "luigvycxwpf";
	//char flag[] = "flagisafctf";
	//char key[] = "enereahavige";
      //ursanuyigea   gjiangcsuwa qfimdqccyik gjiangcsuwa
	char key[] = "csuwangjiang";
 
	int len = strlen(key);
	char ch;
	int index = 0;
	while ((ch = getchar()) != EOF) {
		if (ch >= 'a' && ch <= 'z') {
		
			for (int i = 0; i < 50; i++)
			{
				char test = (ch - 'a') + 26 * i + 'a' - (key[index % len] - 'a');
				if (test >= 'a' && test <= 'z')
				{
					putchar(test);
					break;
				}
			}
			++index;
		}
		else if (ch >= 'A' && ch <= 'Z') {
			for (int i = 0; i < 50; i++)
			{
				char test = (ch - 'A') + 26 * i + 'A' - (key[index % len] - 'a');
				if (test >= 'A' && test <= 'Z')
				{
					putchar(test);
					break;
				}
			}
			++index;
		}
		else {
			putchar(ch);
		}
	}
	return 0;
}

2018 AFCTF 你听过一次一密么？ Many-Time-Pad流密码加密

https://github.com/Jwomers/many-time-pad-attack/blob/master/attack.py

decode

python2在线：http://www.dooccn.com/python/

#!/usr/bin/python
## OTP - Recovering the private key from a set of messages that were encrypted w/ the same private key (Many time pad attack) - crypto100-many_time_secret @ alexctf 2017
# Original code by jwomers: https://github.com/Jwomers/many-time-pad-attack/blob/master/attack.py)

import string
import collections
import sets, sys

# 11 unknown ciphertexts (in hex format), all encrpyted with the same key

c1='25030206463d3d393131555f7f1d061d4052111a19544e2e5d'
c2='0f020606150f203f307f5c0a7f24070747130e16545000035d'
c3='1203075429152a7020365c167f390f1013170b1006481e1314'
c4='0f4610170e1e2235787f7853372c0f065752111b15454e0e09'
c5='081543000e1e6f3f3a3348533a270d064a02111a1b5f4e0a18'
c6='0909075412132e247436425332281a1c561f04071d520f0b11'
c7='4116111b101e2170203011113a69001b475206011552050219'
c8='041006064612297020375453342c17545a01451811411a470e'
c9='021311114a5b0335207f7c167f22001b44520c15544801125d'
c10='06140611460c26243c7f5c167f3d015446010053005907145d'
c11='0f05110d160f263f3a7f4210372c03111313090415481d49'
ciphers = [c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11]
# The target ciphertext we want to crack
#target_cipher = "0529242a631234122d2b36697f13272c207f2021283a6b0c7908"

# XORs two string
def strxor(a, b):     # xor two strings (trims the longer input)
    return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])

def target_fix(target_cipher):
	# To store the final key
	final_key = [None]*150
	# To store the positions we know are broken
	known_key_positions = set()

	# For each ciphertext
	for current_index, ciphertext in enumerate(ciphers):
		counter = collections.Counter()
		# for each other ciphertext
		for index, ciphertext2 in enumerate(ciphers):
			if current_index != index: # don't xor a ciphertext with itself
				for indexOfChar, char in enumerate(strxor(ciphertext.decode('hex'), ciphertext2.decode('hex'))): # Xor the two ciphertexts
					# If a character in the xored result is a alphanumeric character, it means there was probably a space character in one of the plaintexts (we don't know which one)
					if char in string.printable and char.isalpha(): counter[indexOfChar] += 1 # Increment the counter at this index
		knownSpaceIndexes = []

		# Loop through all positions where a space character was possible in the current_index cipher
		for ind, val in counter.items():
			# If a space was found at least 7 times at this index out of the 9 possible XORS, then the space character was likely from the current_index cipher!
			if val >= 7: knownSpaceIndexes.append(ind)
		#print knownSpaceIndexes # Shows all the positions where we now know the key!

		# Now Xor the current_index with spaces, and at the knownSpaceIndexes positions we get the key back!
		xor_with_spaces = strxor(ciphertext.decode('hex'),' '*150)
		for index in knownSpaceIndexes:
			# Store the key's value at the correct position
			final_key[index] = xor_with_spaces[index].encode('hex')
			# Record that we known the key at this position
			known_key_positions.add(index)

	# Construct a hex key from the currently known key, adding in '00' hex chars where we do not know (to make a complete hex string)
	final_key_hex = ''.join([val if val is not None else '00' for val in final_key])
	# Xor the currently known key with the target cipher
	output = strxor(target_cipher.decode('hex'),final_key_hex.decode('hex'))

	print "Fix this sentence:"
	print ''.join([char if index in known_key_positions else '*' for index, char in enumerate(output)])+"\n"

	# WAIT.. MANUAL STEP HERE 
	# This output are printing a * if that character is not known yet
	# fix the missing characters like this: "Let*M**k*ow if *o{*a" = "cure, Let Me know if you a"
	# if is too hard, change the target_cipher to another one and try again
	# and we have our key to fix the entire text!

	#sys.exit(0) #comment and continue if u got a good key

	target_plaintext = "cure, Let Me know if you a"
	print "Fixed:"
	print target_plaintext+"\n"

	key = strxor(target_cipher.decode('hex'),target_plaintext)

	print "Decrypted msg:"
	for cipher in ciphers:
		print strxor(cipher.decode('hex'),key)

	print "\nPrivate key recovered: "+key+"\n"
	
for i in ciphers:
	target_fix(i)

2018 QCTF Xman-RSA

火眼金睛

五位数字爆破得到flag.zip 和 readme.txt

利用明文攻击破解flag.zip

破解zip加密文件一般有五种：zip属性隐藏、zip伪加密、暴力破解、明文攻击、CRC32碰撞

https://www.cnblogs.com/islsy/p/10611488.html

将readme.txt压缩为压缩包再进行明文攻击

得到：

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-qWBHtvvb-1628914224362)(C:\Users\Rang\AppData\Roaming\Typora\typora-user-images\image-20210525195618000.png)]

发现图片尾部有base64密文，解密得到

提交发现错误

用脚本还原：

# -*- coding: utf-8 -*-
import binascii
import struct

crc32key = 0xB03947D1
for i in range(0, 65535):
  height = struct.pack('>i', i)
  data = '\x49\x48\x44\x52\x00\x00\x01\xF4' + height + '\x08\x06\x00\x00\x00'  #校验位
  crc32result = binascii.crc32(data) & 0xffffffff

  if crc32result == crc32key:
    print(''.join(map(lambda c: "%02X" % ord(c), height)))

考虑修改图片宽高，png图片参数参考：

https://blog.csdn.net/weixin_42212792/article/details/112815529?utm_medium=distribute.pc_relevant.none-task-blog-baidujs_title-0&spm=1001.2101.3001.4242

1837

MTEgMTExIDAwMCAwMCAwMTExMSAwMDAgMDAxMCAwMDEgMTA

摩斯密码发明于1837年，密文经过base64解码后得到01字符串，morse解密

转成.和-,morse解密得到flag

flag{MOSI1SFUN}

Caesar

变异的凯撒密码，前三位到flag分别移位345。。。

注意’\'需要再加个\转义一下

c = 'ch\\at]ZW+S$)6Q#k'
s = ''
for i in range(len(c)):
    s += chr(ord(c[i])+ 3 + i)
print(s)
#flag{eca6_17Ea4}

rsa

题目只给了密文c

将c开e次方，这里e=3

>>> c = 4153372421328787064168548641845708183921443446990158572506114559735441950501706984118235944441928889749083563790293558028143373121367441549974248211570336802004821051820943229232421937298269855190652251294220483768084460779714162849925877879859830009443131489814222929347727735616113359695228615432020363240247474622132986939108457393618346100033147945959684443762976681454755482192433993286205527003029269574787026484389622816932835184754540312561890719407986296481186847292967270288752616
>>> libnum.n2s(int(gmpy2.iroot(c,3)[0]))
b'Guvf vf gur cnffjbeq lbh arrq sbe gur MVC svyr: synt{efnZ0erQ33crE}\n'

rot13解密一下

2020sdnisc-ezRSA

共模攻击

#2020sdnisc-ezRSA
n = 0xa1d4d377001f1b8d5b2740514ce699b49dc8a02f12df9a960e80e2a6ee13b7a97d9f508721e3dd7a6842c24ab25ab87d1132358de7c6c4cee3fb3ec9b7fd873626bd0251d16912de1f0f1a2bba52b082339113ad1a262121db31db9ee1bf9f26023182acce8f84612bfeb075803cf610f27b7b16147f7d29cc3fd463df7ea31ca860d59aae5506479c76206603de54044e7b778e21082c4c4da795d39dc2b9c0589e577a773133c89fa8e3a4bd047b8e7d6da0d9a0d8a3c1a3607ce983deb350e1c649725cccb0e9d756fc3107dd4352aa18c45a65bab7772a4c5aef7020a1e67e6085cc125d9fc042d96489a08d885f448ece8f7f254067dfff0c4e72a63557
e1 = 0xf4c1158f
c1 = 12051796366524088489284445109295502686341498426965277230069915294159131976231473789977279364263965099422235647723775278060569378071469131866368399394772898224166518089593340803913798327451963589996734323497943301819051718709807518655868569656941242449109980876397661605271517459716669684900920279597477446629607627693769738733623143693170696779851882404994923673483971528314806130892416509854017091137325195201225617407959645788145876202882024723106204183257094755002924708009138560347432552090905489132135154932987521239299578509008290614398700799670928805692609756924823628055245227290288940649158862576448537833423
e2 = 0xf493f7d1
c2 = 16648382384980770705624348910895797622774711113202207693584907182552301186239613809347201161450012615995859738410661452438496756353485538305614949211776668793864984429696790944750894691957799234264508530084026894611228513698963347402329109838109621609770406925700520983387811451074838470370044678634099202003480925903267508744006195455234025325060817223813858985074720872124168142943926467694676717713503559007112874381750005406371400109962943508349497151148446064846096531445037416174913915923050332242843403926133165817310272633884358263778516770288515592959832151762499526363131801945163501999337808208074381212795
def gongmo(n, c1, c2, e1, e2):
    def egcd(a, b):
        #扩展欧拉定理
        if b == 0:
            return a, 0
        else:
            x, y = egcd(b, a % b)
            return y, x - (a // b) * y
    s = egcd(e1, e2)
    s1 = s[0]
    s2 = s[1]

    # 求模反元素（逆元）
    if s1 < 0:
        s1 = - s1
        c1 = invert(c1, n)
    elif s2 < 0:
        s2 = - s2
        c2 = invert(c2, n)
    m = pow(c1, s1, n) * pow(c2, s2, n) % n
    return m
result = gongmo(n, c1, c2, e1, e2)
#print(result)
print(libnum.n2s(int(result)))
#flag{8c16c91be3f3287ff5a10167e922b33b}

#####baby_dsa 上海市大学生网络安全大赛

dsa加密

http://blog.iyzyi.com/index.php/archives/1973/

encode

#!/usr/bin/env python
from Crypto.Util.number import *
from hashlib import sha512,md5
from os import urandom
import random

def hash(message):
	return int(sha512(message).hexdigest(), 16)

def key_gen():
	q = getPrime(256)
	while True:
		p = random.getrandbits(2816)*q + 1
		if isPrime(p):
			print(p.bit_length())
			break
	while True:
		g = pow(random.randrange(1, p-1), (p-1)/q, p)
		if g != 1:
			break
	x = random.randrange(1, q)
	y = pow(g, x, p)
	pubkey = (p, q, g, y)
	privkey = x
	return pubkey, privkey

def sign(message, pubkey, privkey):
	p, q, g, y = pubkey
	x = privkey
	k = pow(y, x, g) * random.randrange(1, 512) % q
	r = pow(g, k, p) % q
	s = inverse(k, q) * (hash(message) + x * r) % q
	return r, s

def verify(message, signature, pubkey):
	p, q, g, y = pubkey
	r, s = signature
	if not (0 < r < q) or not (0 < s < q):
		return False
	w = inverse(s, q)
	u1 = (hash(message) * w) % q
	u2 = (r * w) % q
	v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
	return v == r

pubkey, privkey = key_gen()
print(pubkey)

message1 = urandom(16).encode('hex')
signature1 = sign(message1, pubkey, privkey)
print(message1,signature1)
print(verify(message1, signature1, pubkey))

message2 = urandom(16).encode('hex')
signature2 = sign(message2, pubkey, privkey)
print(message2,signature2)
print(verify(message2, signature2, pubkey))

flag = 'flag{'+md5(long_to_bytes(privkey)).hexdigest()+'}'

decode.py

from Crypto.Util.number import *
from hashlib import sha512,md5

def hash(message):
    return int(sha512(message).hexdigest(), 16)


def sign(message, pubkey, privkey, random1):
    p, q, g, y = pubkey
    x = privkey
    k = pow(y, x, g) * random1 % q
    r = pow(g, k, p) % q
    s = inverse(k, q) * (hash(message) + x * r) % q
    return r, s

public = (3297226463037324458008837284498963372649038889390685051849680175016505646001761220109858921624266044035133134135402561235635833428206886888308027772353030767400921078346868377298401213812053250316002033941692272192644613252296579884516731560436501073253924457646558698855484781747029397755111633297587215976579633451933658235385386539518006570069653575146060016811911140614606471930327341368582979836042585406811352236326065292636484550807213756482153084427714549694264685695977531537425682212155553568848666088576932888234659355213664909753781753917401161977762663658097504411914908081677033980915039079517766159760522261279115347385813009437510156898969769563687869495721977265444799585634019880951532080217960456901788918439265788169910062822889580199366417455186595489973000351770200485095008494228829300145039695936946379585625051402553034971207474762463147744467360158847593356030745194143276254949463650698210515569533, 82302835442112137125891403368151249910268706824854786126600390413622302196443, 1156233264299340971106498371495495695225880592354374034142195518472540521911699506391311324676590685365234887170345722135060009885002334748836477169806166169806180231794918961214520698361874839110454610266388341977984902756569838594616255112661600466818870137432772800368859461445854700956291885576855069405183771903076277144927769029433730710613058788277691211698675287829143272152835171859480781061918556840079857761203012054552142555673071865310355331986288606422711525790877591376770834180618492794265362178603111236615495225612101250344421932588038244804199229449738675082560512062564365473035097263889257937140778993389305893378514344032352806521972367991027459721160744835688761657797398841523104074451793557924512992305640697344011520550723893828185707635141404445213445935586965289450282024222064488965878769991566367115153619761583843561579531705057955933288008556165952066173304891391375100346312776539530448611005, 290999623787731812697719691852061290246619413463636312382146969900546384514710782843153962704851916091601679028830866176332331519515156301401537173069908181509028464322647352256632424684809349121024262597006913707483811117644197481959053785475083406472583099140506505071300193356002443007750220524932219191932969202270343323955035291396808472686684787610559114702054784699365490860392737061056233160308943296478540798353134878937088336672928162894332961762277559345860479916248086821117811990391025187125193074059001086441305977133252774698996653122297123447837449168657347308016270030881395674066421144002959751936839166935726200833785132736328859710351871352567511516142170956091885352178579302299634322254818383978585773136692588922976043617337904545396146755609284163743476297772686548475170197605412847689587171522453229055932712714154869989454808561458852031769119489235598402066924082778376081494632258448434048562053)
p, q, g, y = public

tmp1 = (b'0234e7971889def7e60348f77db94b7a', (10859236269959765735236393779936305217305574331839234502190226708929991582386, 13707557323895695260471053137828523837745895683218331343360027380310980108819))
tmp2 = (b'16c5ac270b72f70319657b4410d985d4', (41960642246379067640524709416001536058292817319109764317369777224426218746518, 74676725322515593502346275468843411563746982149373670021082686341369076719088))
message1, r1, s1 = tmp1[0], tmp1[1][0], tmp1[1][1]
message2, r2, s2 = tmp2[0], tmp2[1][0], tmp2[1][1]
hm1, hm2 = hash(message1), hash(message2)
#print(hm1, hm2)


for random1 in range(1, 512):
    for random2 in range(1, 512):
        random1_inv = inverse(random1, q)
        random_mul = random1_inv * random2
        x = (s1 * hm2 - s2 * hm1 * random_mul) * inverse(s2 * r1 * random_mul - s1 * r2, q)
        x = x % q
        #print(x)
        #print(sign(message1, public, x, random1))
        #print(tmp1[1])
        if sign(message1, public, x, random1) == tmp1[1]:
            print(x)
            flag = 'flag{'+md5(long_to_bytes(x)).hexdigest()+'}'
            print(flag)
            print(random2)
            exit()
    print(random1)


# 成功拿到flag后可以知道random1 = 36, random2 = 58 ^_^
#flag{448018d725636e5ca1ed9675a8b23df4}

技协杯-Crypto1

已知：

N= 27043815113145707550121063378240438939248782258483454049856453521584032220592887787562059443380038610290598575622062916485307184091409554538514854202498873547297773103239316954239641667336894313367845772845023065721439134501310426590019355844524756920078307005324929526063425487642209456355023230208467860774742785099317901398963867106582476740326082746953262216504020111095817613656347722083195076143847189035035063021757574382557663479442190050695927108198420191943271875798380684096592680930644200136436407472778630811000456073548836196890375350827356906953559602627392400524498682642018717447302297325432318177221 c=551046197285606898107283024676650283848098926639864466516013084135553632241090727641369586261735593664613285246299303875854310987447103185795040490541106154790243893699154767869461360532370258323936606948887388561062524928809730633664796872555840144662302473614722601669215346349157307079298093487429776185330734067591880338959687229983724587267427902443245768619370273994981604678382051169765413685049239926816505156737066979728449013908624429525335598674504837548523006533723449926678095026644921098893 e = 5

发现加密指数e比较少，使用低加密指数攻击

#python3
## -*- coding: utf-8 -*-#
import gmpy2
import libnum
n=27043815113145707550121063378240438939248782258483454049856453521584032220592887787562059443380038610290598575622062916485307184091409554538514854202498873547297773103239316954239641667336894313367845772845023065721439134501310426590019355844524756920078307005324929526063425487642209456355023230208467860774742785099317901398963867106582476740326082746953262216504020111095817613656347722083195076143847189035035063021757574382557663479442190050695927108198420191943271875798380684096592680930644200136436407472778630811000456073548836196890375350827356906953559602627392400524498682642018717447302297325432318177221
c=551046197285606898107283024676650283848098926639864466516013084135553632241090727641369586261735593664613285246299303875854310987447103185795040490541106154790243893699154767869461360532370258323936606948887388561062524928809730633664796872555840144662302473614722601669215346349157307079298093487429776185330734067591880338959687229983724587267427902443245768619370273994981604678382051169765413685049239926816505156737066979728449013908624429525335598674504837548523006533723449926678095026644921098893
e = 5
k = 0
while 1:
    result = gmpy2.iroot(c + k*n,e)   #(mpz(.....),True)
    if(result[1] == True):
        print(libnum.n2s(int(result[0])))
     	break
    k = k + 1
#b'flag{c783eb94-2595-11eb-a596-00e04c000975}'

2018 AFCTF BASE

题目给出一大串十六进制数据，用010Editor粘贴十六进制转字符串，发现末尾有等于号，猜测是base64

轮流进行base64、32、16直至出现{}即可

# python2
import sys
import base64
path = sys.path[0]
with open (path + '\\flag_encode.txt','r') as f:
    
    for a in f:
        while 1:
            try :
                a=base64.b64decode(a).decode("utf-8")
            except:
                pass
            try:
                a=base64.b32decode(a).decode("utf-8")
            except:
                pass
            try:
                a=base64.b16decode(a).decode('utf-8')
            except:
                pass
 
            if "{" in a:
                print (a)
                break

# python3
import sys
import base64
import libnum
path = sys.path[0]
with open (path + '\\flag_encode.txt','rb') as f:
    for a in f:
        a = libnum.n2s(int(a,16))
        a = bytes.decode(a)
        while 1:
            try :
                a=str(base64.b64decode(a),encoding="utf-8")
                
            except:
                pass
            try:
                a=str(base64.b32decode(a),encoding="utf-8")
            except:
                pass
            try:
                a=str(base64.b16decode(a),encoding="utf-8")
            except:
                pass
            if "{" in a:
                print (a)
                break
#afctf{U_5h0u1d_Us3_T00l5}

python2、python3byte和str间的转换

#######2018 AFCTF MyOwnCBC

AES加密过程详解：https://www.cnblogs.com/luop/p/4334160.html

encode:

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-

from Crypto.Cipher import AES
from Crypto.Random import random
from Crypto.Util.number import long_to_bytes

def MyOwnCBC(key, plain):
	if len(key)!=32:
		return "error!"
	cipher_txt = b""
	cipher_arr = []
	cipher = AES.new(key, AES.MODE_ECB, "")
	plain = [plain[i:i+32] for i in range(0, len(plain), 32)]
	print plain
	cipher_arr.append(cipher.encrypt(plain[0]))    #初始密钥就是plain[0]
	cipher_txt += cipher_arr[0]
	for i in range(1, len(plain)):
		cipher = AES.new(cipher_arr[i-1], AES.MODE_ECB, "")
		cipher_arr.append(cipher.encrypt(plain[i]))
		cipher_txt += cipher_arr[i]
	return cipher_txt
	
key = random.getrandbits(256)
key = long_to_bytes(key)

s = ""
with open("flag.txt","r") as f:
	s = f.read()
	f.close()

with open("flag_cipher","wb") as f:
	f.write(MyOwnCBC(key, s))
	f.close()

decode:

import Crypto.Cipher.AES
with open('flag_cipher','rb') as f:
    cipher=f.read()
    f.close()
key0=cipher[0:32]
def decrypt(key0,cipher):
    cipher=[cipher[i:i+32] for i in range(0,len(cipher),32)]
    tempkey=key0
    plain = b''
    for i in range(1,len(cipher)):
        aes=Crypto.Cipher.AES.new(tempkey,Crypto.Cipher.AES.MODE_ECB)
        plain+=aes.decrypt(cipher[i])
        tempkey=cipher[i]
    return plain
print(decrypt(key0,cipher))

2018 AFCTF 花开藏宝地 门限方案

参考https://shawroot.hatenablog.com/entry/2019/12/26/AFCTF2018/BUUCTF-Crypto%3A%E8%8A%B1%E5%BC%80%E8%97%8F%E5%AE%9D%E5%9C%B0：

已知

爆破第一个压缩包 8位纯数字得到

得到

x1 = 305345133911395218573790903508296238659147802274031796643017539011648802808763162902335644195648525375518941848430114497150082025133000033835083076541927530829557051524161069423494451667848236452337271862085346869364976989047180532167560796470067549915390773271207901537847213882479997325575278672917648417868759077150999044891099206133296336190476413164240995177077671480352739572539631359
m1 = 347051559622463144539669950096658163425646411435797691973701513725701575100810446175849424000000075855070430240507732735393411493866540572679626172742301366146501862670272443070970511943485865887494229487420503750457974262802053722093905126235340380261828593508455621667309946361705530667957484731929151875527489478449361198648310684702574627199321092927111137398333029697068474762820813413

第二个压缩包，采用小写爆破得到密码alice

x2 = 152012681270682340051690627924586232702552460810030322267827401771304907469802591861912921281833890613186317787813611372838066924894691892444503039545946728621696590087591246339208248647926966446848123290344911662916758039134817404720512465817867255277476717353439505243247568126193361558042940352204093381260402400739429050280526212446967632582771424597203000629197487733610187359662268583
m2 = 347051559622463144539669950096658163425646411435797691973701513725701575100810446175849424000000075855070430240507732735393411493866540572679626172742301366146501862670272443070970511943485865887494229487420503750457974262802053722093905126235340380261828593508455621667309946361705530667957484731929151875527489478449361198648310684702574627199321092927111137398333029697068474762820818553

第四个压缩包伪加密，直接解压得到

x4 = 100459779913520540098065407420629954816677926423356769524759072632219106155849450125185205557491138357760494272691949199099803239098119602186117878931534968435982565071570831032814288620974807498206233914826253433847572703407678712965098320122549759579566316372220959610814573945698083909575005303253205653244238542300266460559790606278310650849881421791081944960157781855164700773081375247
m4 = 347051559622463144539669950096658163425646411435797691973701513725701575100810446175849424000000075855070430240507732735393411493866540572679626172742301366146501862670272443070970511943485865887494229487420503750457974262802053722093905126235340380261828593508455621667309946361705530667957484731929151875527489478449361198648310684702574627199321092927111137398333029697068474762820820091

decode.py:

import libnum
a1 =100459779913520540098065407420629954816677926423356769524759072632219106155849450125185205557491138357760494272691949199099803239098119602186117878931534968435982565071570831032814288620974807498206233914826253433847572703407678712965098320122549759579566316372220959610814573945698083909575005303253205653244238542300266460559790606278310650849881421791081944960157781855164700773081375247
d1 =347051559622463144539669950096658163425646411435797691973701513725701575100810446175849424000000075855070430240507732735393411493866540572679626172742301366146501862670272443070970511943485865887494229487420503750457974262802053722093905126235340380261828593508455621667309946361705530667957484731929151875527489478449361198648310684702574627199321092927111137398333029697068474762820820091
a2 =305345133911395218573790903508296238659147802274031796643017539011648802808763162902335644195648525375518941848430114497150082025133000033835083076541927530829557051524161069423494451667848236452337271862085346869364976989047180532167560796470067549915390773271207901537847213882479997325575278672917648417868759077150999044891099206133296336190476413164240995177077671480352739572539631359
d2 =347051559622463144539669950096658163425646411435797691973701513725701575100810446175849424000000075855070430240507732735393411493866540572679626172742301366146501862670272443070970511943485865887494229487420503750457974262802053722093905126235340380261828593508455621667309946361705530667957484731929151875527489478449361198648310684702574627199321092927111137398333029697068474762820813413
a3 = 152012681270682340051690627924586232702552460810030322267827401771304907469802591861912921281833890613186317787813611372838066924894691892444503039545946728621696590087591246339208248647926966446848123290344911662916758039134817404720512465817867255277476717353439505243247568126193361558042940352204093381260402400739429050280526212446967632582771424597203000629197487733610187359662268583
d3 =347051559622463144539669950096658163425646411435797691973701513725701575100810446175849424000000075855070430240507732735393411493866540572679626172742301366146501862670272443070970511943485865887494229487420503750457974262802053722093905126235340380261828593508455621667309946361705530667957484731929151875527489478449361198648310684702574627199321092927111137398333029697068474762820818553

dd = d1*d2*d3
t1 = pow(dd//d1,d1-2,d1)
assert(t1*d2*d3%d1 == 1)
t2 = pow(dd//d2,d2-2,d2)
assert(t2*d1*d3%d2 == 1)
t3 = pow(dd//d3,d3-2,d3)
assert(t3*d2*d1%d3 == 1)
s = a1*t1*d2*d3+a2*t2*d1*d3+a3*t3*d1*d2
p = 80804238007977405688648566160504278593148666302626415149704905628622876270862865768337953835725801963142685182510812938072115996355782396318303927020705623120652014080032809421180400984242061592520733710243483947230962631945045134540159517488288781666622635328316972979183761952842010806304748313326215619695085380586052550443025074501971925005072999275628549710915357400946408857
s %= dd
# print(hex(s))
s %= p
print(libnum.n2s(int(s)))

2018 AFCTF 一道有趣的题目

参考：https://blog.csdn.net/weixin_44110537/article/details/107986673

encode.py

#加密代码
def encrypt(plainText):
    space = 10
    cipherText = ""
    for i in range(len(plainText)):
        if i + space < len(plainText) - 1:
            cipherText += chr(ord(plainText[i]) ^ ord(plainText[i + space]))
        else:
            cipherText += chr(ord(plainText[i]) ^ ord(plainText[space]))
        if ord(plainText[i]) % 2 == 0:
            space += 1
        else:
            space -= 1
    return cipherText
    
# 密码
# 15120d1a0a0810010a031d3e31000d1d170d173b0d173b0c07060206

decode.py

def crackit():
    '''
    暴力求出每个明文字符的最后一位
    :return: 每个明文字符最后一位组成的字符串
    '''
    tag=b'\x15\x12\r\x1a\n\x08\x10\x01\n\x03\x1d>1\x00\r\x1d\x17\r\x17;\r\x17;\x0c\x07\x06\x02\x06'
    for x in range(268435456):
        temp=bin(x)[2:].zfill(28)
        space = 10
        flag=0
        for i in range(len(temp)):
            if i + space < len(temp) - 1:
                tempx= int(temp[i]) ^ int(temp[i + space])
            else:
                tempx= int(temp[i]) ^ int(temp[space])
            if tempx!=(tag[i]%2):
                flag=1
                break
            elif int(temp[i]) % 2 == 0:
                space += 1
            else:
                space -= 1
        if flag!=1:
            print(temp)

#temp ='1010011010010101111111101001'

def crackit_2():
    '''
    解出每个方程中的明文字符的序号.
    :return: 每个方程中的明文字符的序号组成的列表.
    '''
    tag=b'\x15\x12\r\x1a\n\x08\x10\x01\n\x03\x1d>1\x00\r\x1d\x17\r\x17;\r\x17;\x0c\x07\x06\x02\x06'
    temp ='1010011010010101111111101001'
    space = 10
    g=[]
    for i in range(len(temp)):
        if i + space < len(temp) - 1:
            tempx = int(temp[i]) ^ int(temp[i + space])
            g.append((i,i+space))
        else:
            tempx = int(temp[i]) ^ int(temp[space])
            g.append((i,space))
        if int(temp[i]) % 2 == 0:
            space += 1
        else:
            space -= 1
    return g
def solve(g,m):
    '''
    解明文方程组
    :param g: 明文方程组
    :param m :密文
    :return: 明文
    '''
    plain=[ord('a'),ord('f'),ord('c'),ord('t'),ord('f'),ord('{')]+[-1]*22#明文未知数
    while -1 in plain:
        for i in range(28):
            if plain[i] != -1:
                for j in range(len(g)):
                    if g[j][0] == i or g[j][1] == i:
                        if g[j][0] == i:
                            plain[g[j][1]] = m[j] ^ plain[i]
                        if g[j][1] == i:
                            plain[g[j][0]] = m[j] ^ plain[i]
    return plain

#[97, 102, 99, 116, 102, 123, 99, 114, 121, 112, 116, 97, 110, 97, 108, 121, 115, 105, 115, 95, 105, 115, 95, 104, 97, 114, 100, 125]

tag=b'\x15\x12\r\x1a\n\x08\x10\x01\n\x03\x1d>1\x00\r\x1d\x17\r\x17;\r\x17;\x0c\x07\x06\x02\x06'#密文
g=crackit_2()
print(g)
plain=solve(g,tag)
print(plain)
flag=''
for i in plain:
    flag+=chr(i)
print(flag)

[2021-红明谷]RSA at

tack 低加密指数

from gmpy2 import *
from Crypto.Util.number import *
import sympy
import random
from secret import flag

p1 = getPrime(1024)
print(p1)
#p1=172071201093945294154292240631809733545154559633386758234063824053438835958515543354911249971174172649606257936857627547311760174511316984409767738981247877005802155796623587461774104951797122995266217334158736848307655543970322950339988489801672160058805422153816950022590644650247595501280192205506649936031

p2 = p1 - random(999,99999)
print(p2)
#p2=172071201093945294154292240631809733545154559633386758234063824053438835958515543354911249971174172649606257936857627547311760174511316984409767738981247877005802155796623587461774104951797122995266217334158736848307655543970322950339988489801672160058805422153816950022590644650247595501280192205506649902034

p_1=1
for i in range(1,p1+1):
    p_1*=i
p3 = sympy.nextPrime(p_1 % p2 )

p4 = p3 >> 50 << 50
#已知高位
p = p4
while(isPrime(P)!=1):
    P = p + random.randint(0,2**50)

Q = getPrime(1024)

e = 1+1+1
N = P * Q
print(N)
#N=28592245028568852124815768977111125874262599260058745599820769758676575163359612268623240652811172009403854869932602124987089815595007954065785558682294503755479266935877152343298248656222514238984548734114192436817346633473367019138600818158715715935132231386478333980631609437639665255977026081124468935510279104246449817606049991764744352123119281766258347177186790624246492739368005511017524914036614317783472537220720739454744527197507751921840839876863945184171493740832516867733853656800209669179467244407710022070593053034488226101034106881990117738617496520445046561073310892360430531295027470929927226907793

flag=bytes_to_long(flag)
c = pow(flag,e,N)
print(c)
#c=15839981826831548396886036749682663273035548220969819480071392201237477433920362840542848967952612687163860026284987497137578272157113399130705412843449686711908583139117413

decode.py

#python3
## -*- coding: utf-8 -*-#
import gmpy2
import libnum
e = 3
n = 28592245028568852124815768977111125874262599260058745599820769758676575163359612268623240652811172009403854869932602124987089815595007954065785558682294503755479266935877152343298248656222514238984548734114192436817346633473367019138600818158715715935132231386478333980631609437639665255977026081124468935510279104246449817606049991764744352123119281766258347177186790624246492739368005511017524914036614317783472537220720739454744527197507751921840839876863945184171493740832516867733853656800209669179467244407710022070593053034488226101034106881990117738617496520445046561073310892360430531295027470929927226907793
c = 15839981826831548396886036749682663273035548220969819480071392201237477433920362840542848967952612687163860026284987497137578272157113399130705412843449686711908583139117413
k = 0
while 1:
    result = gmpy2.iroot(c + k*n,e)   #(mpz(.....),True)
    if(result[1] == True):
        print(libnum.n2s(int(result[0])))
        break
    k = k + 1

经典与现代的碰撞

task.py

from Crypto.Util.number import *

flag="************************************"
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = []
for i in flag:
	c.append(pow(ord(i),e,n))
with open("data","w")as f:
	f.write(str(c))
print(n)

# n = 102204153222994111778632876759357743433165699529911428623430160606146715186553069102757303520315325647731353591364461015660166382347587576558664060889704534086889698480785813616567884706392625326935985068173231022370682517762107593345849049398521877497339716616737800039334693369041584502249247878283088514013
#分解n、低加密指数

我们发现密文串被拆分，也就是每个密文m都很小，可以直接fuzz

#我们知道对应得密文m很小
import os
import sys
import libnum
import gmpy2
path = sys.path[0]
with open(path + r'\data','r') as f:
    f = f.read()
    c = f.strip('[').strip(']').split(', ')
    #print(c)
    print(len(c))
e = 65537
n = 102204153222994111778632876759357743433165699529911428623430160606146715186553069102757303520315325647731353591364461015660166382347587576558664060889704534086889698480785813616567884706392625326935985068173231022370682517762107593345849049398521877497339716616737800039334693369041584502249247878283088514013
def fuzz_m(c_):
    for i in range(1,150):
        if c_ == pow(i,e,n):
            print(chr(i),end= '')
            break
x = 0
for i in c:
    fuzz_m(int(i))
#ROT:|+(vr+bbv+a)t*bu{d+wv}q}zy))x}q){d#tpcbuv|+walll

得到一串ROT:…一串古典密码加密得密文（。。。凯撒）

提示ROT：http://www.ab126.com/goju/11044.html

经过rot47解码得到一串base编码的密文

再经过base32解码http://ctf.ssleye.com/base64.html得到flag:flag{6urce_rs4-Rot47_b@se32}

LRX

encode.py

import random
from sympy import nextprime
from Crypto.Util.number import *
flag="flag{************************}"

def lcg(seed,params):
    (m,c,n)=params
    x = seed % n
    while True:
        x = (m * x + c) % n
        yield x   #看做return，再把它看做一个是生成器（generator）的一部分（带yield的函数才是真正的迭代器）

seed = random.randint(0,0xffffffff)
m = random.randint(0,0xffffffff)
c = random.randint(0,0xffffffff)
n = random.randint(0,0xffffffff)

(m,c,n) = (378397371,3163496981,4161661778)
key_stream = lcg(seed,(m,c,n))
for _ in range(6):
	print(next(key_stream))

secret =  next(key_stream)   #secret <=> key_stream[5] 、secret = (m * s[5] + c) % n

e = nextprime(secret)
p = getPrime(1024)
q = getPrime(1024)
phi = (p-1)*(q-1)

flag = bytes_to_long(flag)
flag ^= flag >> 10
print(phi)
print(p*q)
print(pow(flag,e,p*q))
        
# 3836384749
# 3395903484
# 2071233297
# 784139606
# 799255125
# 2029002258
# 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442315084794635809090529554859453608760612093661639553513492884871027807405531433488329363818216512572807729570446401562319800148179522299189316512042033587992846057622623370207145738095857915289770456517127942608074898964808846442209734240427231010095394558968521730906944732159103208808958926203837735021281680
# 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442551834089172903643768641265019427000540460504656528046844118185486575662267013301984583177869928898755213963753033218648366570443549714871905063081052755305542955435218876118020972771754897604438985529436720986685490407288206239976623608762823394585415785374519997635420976880700398260198479277069282174283567
# 7523403189579269929958838023321745093831610955177120252935301867530257334515726907469869226530151392019777100163327654639247686015901439993265601514706189068608875928082440264438759508880336489258695631614707485756720353331572282438961744475814819985647986235237127112688458798443715231546818031849775965656330485887950774061767496680501407209426116561035464728967965450960645963675248557630604467297046809534669875544667319838467864836146400639949660897338507504663374599451570077764153350667774911936653514502551445861383378166313138295940485150424689658810316274747025200570548377567156398446497776465393005751004

参考：https://blog.csdn.net/weixin_45883223/article/details/112427962

已知m,c,n

可以根据m、c、n得到secret(e的上一个素数)，也就得到了e。

又知道e,phi 可以得到d

此时求得的flag，需要经过异或flag>>10后得到最后的flag

# 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442315084794635809090529554859453608760612093661639553513492884871027807405531433488329363818216512572807729570446401562319800148179522299189316512042033587992846057622623370207145738095857915289770456517127942608074898964808846442209734240427231010095394558968521730906944732159103208808958926203837735021281680
# 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442551834089172903643768641265019427000540460504656528046844118185486575662267013301984583177869928898755213963753033218648366570443549714871905063081052755305542955435218876118020972771754897604438985529436720986685490407288206239976623608762823394585415785374519997635420976880700398260198479277069282174283567
# 7523403189579269929958838023321745093831610955177120252935301867530257334515726907469869226530151392019777100163327654639247686015901439993265601514706189068608875928082440264438759508880336489258695631614707485756720353331572282438961744475814819985647986235237127112688458798443715231546818031849775965656330485887950774061767496680501407209426116561035464728967965450960645963675248557630604467297046809534669875544667319838467864836146400639949660897338507504663374599451570077764153350667774911936653514502551445861383378166313138295940485150424689658810316274747025200570548377567156398446497776465393005751004

from libnum import *
from gmpy2 import *
from sympy import nextprime
from binascii import *
s = [3836384749,3395903484,2071233297,784139606,799255125,2029002258]

m = 378397371
c = 3163496981
n = 4161661778
secret = (m * s[5] + c) % n         #secret = (m * s[5] + c) % n
e = nextprime(secret)
phi = 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442315084794635809090529554859453608760612093661639553513492884871027807405531433488329363818216512572807729570446401562319800148179522299189316512042033587992846057622623370207145738095857915289770456517127942608074898964808846442209734240427231010095394558968521730906944732159103208808958926203837735021281680
cipher = 7523403189579269929958838023321745093831610955177120252935301867530257334515726907469869226530151392019777100163327654639247686015901439993265601514706189068608875928082440264438759508880336489258695631614707485756720353331572282438961744475814819985647986235237127112688458798443715231546818031849775965656330485887950774061767496680501407209426116561035464728967965450960645963675248557630604467297046809534669875544667319838467864836146400639949660897338507504663374599451570077764153350667774911936653514502551445861383378166313138295940485150424689658810316274747025200570548377567156398446497776465393005751004
n = 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442551834089172903643768641265019427000540460504656528046844118185486575662267013301984583177869928898755213963753033218648366570443549714871905063081052755305542955435218876118020972771754897604438985529436720986685490407288206239976623608762823394585415785374519997635420976880700398260198479277069282174283567
d = invert(e, phi)
flag_ = pow(cipher, d, n)
flag = ''
for i in range(len(bin(flag_)[2:])):
    j = i
    k = int(bin(flag)[2:][i])
    while j >= 10:
        j -= 10       #flag = flag ^ flag<<10
        k ^= int(bin(flag_)[2:][j])
    flag += str(k)
print(n2s(int(flag_, 2)))
#flag{You_Know_LCG_and_RSA_and_xor}

017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442315084794635809090529554859453608760612093661639553513492884871027807405531433488329363818216512572807729570446401562319800148179522299189316512042033587992846057622623370207145738095857915289770456517127942608074898964808846442209734240427231010095394558968521730906944732159103208808958926203837735021281680
cipher = 7523403189579269929958838023321745093831610955177120252935301867530257334515726907469869226530151392019777100163327654639247686015901439993265601514706189068608875928082440264438759508880336489258695631614707485756720353331572282438961744475814819985647986235237127112688458798443715231546818031849775965656330485887950774061767496680501407209426116561035464728967965450960645963675248557630604467297046809534669875544667319838467864836146400639949660897338507504663374599451570077764153350667774911936653514502551445861383378166313138295940485150424689658810316274747025200570548377567156398446497776465393005751004
n = 13847335316127536538732808897989022539556249070707273306569409051400040514752676885802487123303139840415338378370664720292963480194299667734532323504964017655553559984444757198026939289607642274379099943475039015068954828566502337327598451567876130270838934244307870535472010589025001553484742930483432387442551834089172903643768641265019427000540460504656528046844118185486575662267013301984583177869928898755213963753033218648366570443549714871905063081052755305542955435218876118020972771754897604438985529436720986685490407288206239976623608762823394585415785374519997635420976880700398260198479277069282174283567
d = invert(e, phi)
flag_ = pow(cipher, d, n)
flag = ‘’
for i in range(len(bin(flag_)[2:])):
j = i
k = int(bin(flag)[2:][i])
while j >= 10:
j -= 10 #flag = flag ^ flag<<10
k ^= int(bin(flag_)[2:][j])
flag += str(k)
print(n2s(int(flag_, 2)))
#flag{You_Know_LCG_and_RSA_and_xor}