[cryptoverse ctf 2022] cvctf

已于 2022-10-26 20:22:09 修改
阅读量1.7k 收藏 4
点赞数
分类专栏: CTF crypto CTF reverse 文章标签: python
于 2022-10-25 20:16:02 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_52640415/article/details/127512869
版权

一直在等wp,一直没找着,没有wp就没有进步。

把已知部分写出来吧,抛砖引玉

这个比赛只有crypto,reverse和misc(除一个签到外,都推特油管和谷歌网盘的题作不了)

目录

crypto

Warmup 3

Warmup 1

Warmup 2

Substitution

RSA 1

Warmup 4

RSA 2

Big Rabin

CyberMania

ECC Quiz

RSA 3

1337

Weird dlog

A Tale of Two Systems

Reverse

Baby Reverse

Basic Transforms

French

World Cup Predictions

Super Guesser

Boost Game

Baby CUDA

crypto

Warmup 3

-.-. ...- -.-. - ..-. -- ----- .-. ..... ...-- .. ... -. ----- - ..... ----- ..-. ..- -.

摩尔斯电码,并且提示全是小写,直接找个网站解码即可

cvctf{m0r53isn0t50fun}

Warmup 1

Decode the following ciphertext: cGlwZ3N7cG5yZm5lXzY0X3Nnan0=

提示给了一个常用的解密网站cyberchef,虽然是英文不方便,但是里边还是挺全的,解码后

pipgs{pnrfne_64_sgj}

然后作rot13

cvctf{caesar_64_ftw}

Warmup 2

翻译一下介绍就是说维吉尼亚密码

First described by Giovan Battista Bellaso in 1553, this cipher is easy to understand and implement, but it resisted all attempts to break it until 1863, three centuries later.

Remember: The Key to success is determination.

fzvxw{hqtegmfr_lw_msf_scrslg_kvwlhyk_fpr_kxg?}

在刚才的网站解密

cvctf{vigenere_is_too_guessy_without_the_key?}

Substitution

直接给一段乱码,一看就是quipquip解,估计也叫维吉尼亚

Hxpkdiz kcz Osxe ja x apzhjxs ljvr go jvogimxkjgv azhdijkf hgmpzkjkjgva. Kcziz xiz kcizz hgmmgv kfpza, Uzgpxirf, Xkkxhl Rzozvhz xvr mjyzr.
Jo fgd cxwz ojedizr gdk kcz xqgwz mzaaxez, cziz ja fgdi osxe, pszxaz xrr hdisf qixhlzka qzogiz adqmjaajgv: hwhkoxwzifajmpszadqakjkdkjgv
Capture the Flag is a special kind of information security competitions. There are three common types, Jeopardy, Attack Defence and mixed. If you have figured out the above message, here is your flag, please add curly brackets before submission: cvctfaverysimplesubstitution

cvctf{averysimplesubstitution}

RSA 1

这个RSA啥也没给,而且很多人作出来,说明N可以直接分解

n = 0x7c05a45d02649367ebf6f472663119777ce5f9b3f2283c7b03471e9feb1714a3ce9fa31460eebd9cd5aca7620ecdb52693a736e2fcc83d7909130c6038813fd16ef50c5ca6f491b4a8571289e6ef710536c4615604f8e7aeea606d4b5f59d7adbec935df23dc2bbc2adebbee07c05beb7fa68065805d8c8f0e86b5c3f654e651
e = 0x10001
ct = 0x35b63f7513dbb828800a6bcd708d87a6c9f33af634b8006d7a94b7e3ba62e6b9a1732a58dc35a8df9f7554e1168bfe3de1cb64792332fc8e5c9d5db1e49e86deb650ee0313aae53b227c75e40779a150ddb521f3c80f139e26b2a8880f0869f755965346cd28b7ddb132cf8d8dcc31c6b1befc83e21d8c452bcce8b9207ab76e

直接到factordb.com上查到p,q

n = ...
e = ...
ct = ...
p = 8156072525389912369788197863285751656042515380911795404436333529629416084362735262281722179416240983448945672233749861517470671156357917601583268804973543
q = 10678085245814899631026086851678635624044610674331494223434578587048178556659016077336866548714220013612176819608742965144962254942844889066032236627832071
phi = (p-1)*(q-1)
d = invert(e,phi)
m = pow(ct,d,n)
print(long_to_bytes(m))
#cvctf{f4c70rDB_15_p0w3rfu1}

Warmup 4

这个73人完成,我没作出来,不清楚怎么回事

In science fіctіοn, metaνerse is iterationоf the Internet as a sⅰngle, universal and immersive virtual world that is facilitated by the use of virtual reality and augmented reality headsets.

提示:Note 2: This challenge involves some steganography tool related to a social media.

RSA 2

先看题

from Crypto.Util.number import inverse, bytes_to_long, getPrime, isPrime
from math import gcd
from secret import flag

PBITS = 512
e = 0x10001

def stage_one(data: bytes):
    m = bytes_to_long(data)
    p = getPrime(PBITS)
    q = getPrime(PBITS)
    b = 7
    n = p**b * q
    print(f"p = {p}")
    print(f"e = {e}")
    print(f"dp = {inverse(e, p-1)}")
    print(f"b = {b}")
    print(f"ct = {pow(m, e, n)}\n")

def stage_two(data: bytes):
    m = bytes_to_long(data)
    p = getPrime(PBITS)
    q = p + 2
    while not isPrime(q):
        q += 2
    n = p * q
    print(f"n = {n}")
    print(f"e = {e}")
    print(f"ct = {pow(m, e, n)}\n")

print("=== Stage 1 ===")
stage_one(flag[:len(flag)//2])
print("=== Stage 2 ===")
stage_two(flag[len(flag)//2:])

题目分两部分,第一部分是n = p**7*q给了p和dp没给n,这里只要p够大其实也用不着n,也就是

ct == m^e mod n === ct == m^e mod p

直接用dp解

from gmpy2 import *
from Crypto.Util.number import bytes_to_long

p,e,dp,ct,b = ......

phi = p**6*(p-1)
d = invert(e, phi)
m = pow(ct,d,p**7)
print(bytes.fromhex(hex(m)[2:]))

#cvctf{Hensel_Takagi_Lifting,but_Fermat_is_better?}

第二部分q = k*2 + p说明两个很近,一般是用费马分解,但这题正好原来的模版正好不能用,但手工可以看到

a=iroot(n,2)[0]
(a+1)**2 - n == 121

显然121是11的平方就不用程序处理了,a-10就行

a=iroot(n,2)[0]
#(a+1)**2 - n = 121
p = a-10
assert(n % p == 0)
q = n//p 
phi = (p-1)*(q-1)
d = invert(e, phi)
m = pow(ct,d,n)
print(bytes.fromhex(hex(m)[2:]))
#flag在前边

Big Rabin

题目说大Rabin是说值给得太大了

from Crypto.Util.number import *
from secret import flag
import os, functools

primes = []
e = 2

for _ in range(10):
    primes.append(getPrime(1024))

n = functools.reduce((lambda x, y: x * y), primes)
m = bytes_to_long(os.urandom(256) + flag)
c = pow(m,e,n)

print(primes)
print(c)
'''
[132226521510073241868478441993015354148527265070844601764638529221288504976410393924935295341036464167430758516679806086101355913069828507720078706111518764763860261405919471828890271375290465307125060869008747651304555905840414020300749769085263330846399185059492965396066022852144378645140305287757847727023, 166975174848900885230261330388360938761353252820281468924803320138144055905644086619356255132048410411366729267993937675260638228144755335215429145353099164053352619775669398053052968467143600192845905417256960156392197454820487653509257937973672298884564792967995269332679341948473655565516611128690668584197, 142872473239232009830855192451471368852668441691782565721008089294877340422457402592626252955869775729973997252931251666144198844354316321876779014522642204671232774572604583775513634884566978553917344483379779100930174962243024555704822801010773572545801848379806701640868474072068588187164478666117032536743, 130892261245352215748569386846911862074603359546553143534975947107064714450388455394151437883146319257061620436858323988107585895908396306525917087044899379090234252879747887675884686106229697448906503338648983178690152813231281939068998489985753607854487974314966395013411365168104897566924065151568253685389, 145551848922783998528416786343973572472474320126254044570241048099740111725992313257532536785462269965641550642274572312923944315477621869191221368417595336738285091021747216596626016115302578007940230744568897790622831057456985073420219248560391242735855176398817027832854071167392464605267378738681409692207, 109114236141132256858265781393324161877680502794260375634936389144130052076205935445884813005428724784271974614143303830651751053233628886067941762333164941597521613761267981323595507523576850094910118775698465333491285382926211396415210206640863838245229759501252816392805326580130465854590783194264915510107, 149012332254098169883676747964911319691822361308399858421962733809406243673749451302379098919202789878055459506619587309704672105656774201994079016346228841284249488225321663757366441960504330961474614423041525751882565821073188367282242863442968249947378755695090610366079747622976283329590239856372835372077, 89933039054622081733083753412036389257663070424046675225077590968264124467545748005665094466078872143690347802061705503577114736109829239359006199434519375691332381519569498638696542565602083683732367191126621738256117168725047465248935955872366458549695968621135516743160437309215563157049376939290044627313, 144740324082556719196755949987638484388687025029996662925584432266650207893213563830207448527247219434052744033623084777776494559920370369824340095295242250589124486762879342972124012161218261244077906297847144914260263449001263793071999861655844579640626513700692813426335252087586488036788977420619650395281, 177890920322792684381488228351207885958275622324411726844780096159974211995797980616696403624147387087872691406579164096185188544912293856215282348681231390887966279317515097280087518605104367297949995780275322107787760838983798771894346399852645638599662743887567463532610893557114956013160076360765011538011]
22946885822002467171903084240416288222260709393342086666614067405740711654751859628586773085727309553476558484713992238684106955555407130896914013459177345438724868201174752650162646056513628813995822388584081951435555201995181471800953753065805537239004801790261801117451703491741695068405051052528468868702342710290967199025172882590726554624329641303992754921465060035494584473179143361525585375327174333664171595698051318950929679219084654514302582298457923944861686107213448365614170278678031637593258899000503650392461910041826689785746033611685952405642342168822481363285927108889621327497879411676118996705939126347323933488709432561266681241083588173377314801049718139453233426105928769665280701332464661007393707855685695381234000934601768404436981039966731154784057035002881385480733918721892505780861028743718627723983889337589245505471761609164355615583667187016246477658779583361278419641451588063893642706807003172297981383003084552004900791931139372946360714784486527322818344413194151333823878001862478897096198700081692897370151996011935154686270934438172865531978260775218635723194626200021562057411503822135701039014960850609050136539744310043850114618082256447659795677305772357979166562438839947373438799197847335503006808051165456399906449288192895712634565545914245083072956245576112332273453809567266070539909722697964638524279759280287013618910074497709507375042069373384981213251042198281
'''

显然从这里看,n是这些素数的积,比c在太多,说明根本没有取模直接对C开方即可

c = ...
m = c.nth_root(2)
from Crypto.Util.number import *
print(long_to_bytes(m))

#cvctf{r4b1n_Cryp70_K1nd4_c0mpL1C4t3d?}

CyberMania

未解出,等wp

只给了一个密文,base64后是两个16进制1个空格,再转后是可见乱码

NDAgNmIgNzEgNmEgNjkgM2EgMzIgM2QgNDIgM2YgM2QgNzUgMjcgNjIgNmEgM2QgNWQgNjUgMmQgNWMgM2MgNjMgMjggM2IgNzMgM2MgNDEgNDkgNWQgMzUgM2IgNDQgNTcgMzggNzAgM2IgMmYgNDMgMjYgNDIgM2EgMzAgMjggMmMgMmEgNDAgM2IgNTMgNGEgNTYgM2MgMjkgNmQgNTUgMzYgM2EgMmMgMmMgMzQgMmQgNDAgMzkgM2YgMjEgNDAgM2MgNWYgMmMgNzQgNjEgNDEgMzQgNGIgNWIgMjQgM2UgMjMgNjYgNGUgM2IgNDAgNmIgNzAgMjIgNzUgM2QgNWYgNjcgNjAgNTcgM2QgNjEgNDYgNTUgNGIgNDEgMzggNTEgMjEgNmUgM2IgNjUgNmYgNTEgMjkgM2QgMjUgNDcgNzIgMjggNDAgMzcgMzMgNTMgMjMgM2QgMjUgM2YgNzEgMjEgM2EgMmUgNGIgMzQgNTggNDEgMzggMzQgNTMgNDkgM2QgNWQgNDAgNmEgNjkgM2MgMjggNGIgNmUgNjYgM2EgMmUgNDkgMzAgM2QgMzkgNjkgNTkgNWYgM2YgM2MgNjAgNGYgMmEgNjAgM2MgMmEgMjkgNWIgNjMgNDEgMzggNGYgNjUgMzUgMzkgNjkgNTAgMmUgNWUgM2IgNjYgMmIgNGYgM2MgM2EgNDkgNjYgMzUgM2EgMzkgNmQgNTQgNjUgNmUgM2QgNWQgNTQgNGEgNzEgM2MgMjkgNjQgMjQgNjYgM2QgMjkgNGMgNTcgNGUgNDAgNmYgNzUgMzMgNDggM2QgNTkgNGYgNDEgNjcgNDAgM2MgNzQgNGYgNWMgM2EgMmUgMzcgNjAgMzAgM2IgNjYgMjMgNDcgNjYgM2QgMjUgMjQgNTAgNDUgM2QgNzQgNjkgNTEgNDQgM2MgMjggMzkgNjIgM2YgM2UgMjYgMzggMmUgMzUgM2MgNDMgNDMgMjIgNDcgM2IgNGEgNWQgMzYgNGMgM2UgMjIgM2EgNDcgNGMgM2IgNDggM2YgMzcgNjggM2IgMmYgNGEgNmMgNWEgM2IgNjUgNjYgNGIgNTkgM2EgNDkgNjQgNmMgNmEgM2QgMjcgMjUgNDMgNzUgM2IgNDYgNDYgMmQgMjMgM2MgNDUgNDMgNmUgNmIgM2MgNDUgMzQgMzUgNzMgM2QgMjYgNjEgMjEgM2QgM2IgNDggMzUgNTMgNjcgNDAgMzkgNDAgMjYgNWMgMzkgNjYgMjQgNjAgNWIgM2QgNWQgNTIgNzQgM2IgNDAgNmYgNmMgMzkgNDMgNDEgNGYgNGIgMjEgNTMgM2MgMmEgMzIgNjEgNWUgNDAgMzcgM2MgNjUgMjUgNDAgNTQgNDggNGUgMzEgM2EgMzIgNDYgNjAgNGIgM2UgMjMgNjUgMzAgNmUgM2MgMjggMjcgNGEgNzUgM2MgNWYgMmMgNTEgMjIgNDAgNzIgMjIgNTggNmUgM2IgMmQgMjUgNGMgMjYgMzkgNjkgNTAgNzEgMjggNDAgM2IgMzkgM2QgNTYgM2MgMjkgNjQgNWIgNGUgNDEgNGYgNGIgMzkgNjAgM2QgNWYgNzAgNTAgNWQgNDEgNTMgNmEgMmIgNTcgM2QgNzQgNzMgMzMgMjQgM2UgMjYgNGEgMmIgMzMgM2MgNjAgNjkgMmIgMzIgNDAgMzcgNGUgNjQgNDYgM2IgNDQgNDMgNTggM2QgM2IgMmYgNDMgMjMgNmYgM2IgNWYgNTYgMmEgNjMgM2MgNWUgNzAgMjggNDYgNDAgNmYgNWEgNDUgMmYgNDAgNTAgNWYgNzMgNTggNDAgNTQgNWEgNjIgNjUgM2QgMjkgMjkgNTAgNmMgNDEgMzggM2QgNjUgMjggNDEgMzYgM2MgNGQgMzMgNDAgMzcgNGYgNzMgNTQgNDEgNGYgNmYgNTEgNTAgNDEgMzkgNTUgMzEgMjI=

base64后

40 6b 71 6a 69 3a 32 3d 42 3f 3d 75 27 62 6a 3d 5d 65 2d 5c 3c 63 28 3b 73 3c 41 49 5d 35 3b 44 57 38 70 3b 2f 43 26 42 3a 30 28 2c 2a 40 3b 53 4a 56 3c 29 6d 55 36 3a 2c 2c 34 2d 40 39 3f 21 40 3c 5f 2c 74 61 41 34 4b 5b 24 3e 23 66 4e 3b 40 6b 70 22 75 3d 5f 67 60 57 3d 61 46 55 4b 41 38 51 21 6e 3b 65 6f 51 29 3d 25 47 72 28 40 37 33 53 23 3d 25 3f 71 21 3a 2e 4b 34 58 41 38 34 53 49 3d 5d 40 6a 69 3c 28 4b 6e 66 3a 2e 49 30 3d 39 69 59 5f 3f 3c 60 4f 2a 60 3c 2a 29 5b 63 41 38 4f 65 35 39 69 50 2e 5e 3b 66 2b 4f 3c 3a 49 66 35 3a 39 6d 54 65 6e 3d 5d 54 4a 71 3c 29 64 24 66 3d 29 4c 57 4e 40 6f 75 33 48 3d 59 4f 41 67 40 3c 74 4f 5c 3a 2e 37 60 30 3b 66 23 47 66 3d 25 24 50 45 3d 74 69 51 44 3c 28 39 62 3f 3e 26 38 2e 35 3c 43 43 22 47 3b 4a 5d 36 4c 3e 22 3a 47 4c 3b 48 3f 37 68 3b 2f 4a 6c 5a 3b 65 66 4b 59 3a 49 64 6c 6a 3d 27 25 43 75 3b 46 46 2d 23 3c 45 43 6e 6b 3c 45 34 35 73 3d 26 61 21 3d 3b 48 35 53 67 40 39 40 26 5c 39 66 24 60 5b 3d 5d 52 74 3b 40 6f 6c 39 43 41 4f 4b 21 53 3c 2a 32 61 5e 40 37 3c 65 25 40 54 48 4e 31 3a 32 46 60 4b 3e 23 65 30 6e 3c 28 27 4a 75 3c 5f 2c 51 22 40 72 22 58 6e 3b 2d 25 4c 26 39 69 50 71 28 40 3b 39 3d 56 3c 29 64 5b 4e 41 4f 4b 39 60 3d 5f 70 50 5d 41 53 6a 2b 57 3d 74 73 33 24 3e 26 4a 2b 33 3c 60 69 2b 32 40 37 4e 64 46 3b 44 43 58 3d 3b 2f 43 23 6f 3b 5f 56 2a 63 3c 5e 70 28 46 40 6f 5a 45 2f 40 50 5f 73 58 40 54 5a 62 65 3d 29 29 50 6c 41 38 3d 65 28 41 36 3c 4d 33 40 37 4f 73 54 41 4f 6f 51 50 41 39 55 31 22

再转字符

b'@kqji:2=B?=u\'bj=]e-\\<c(;s<AI]5;DW8p;/C&B:0(,*@;SJV<)mU6:,,4-@9?!@<_,taA4K[$>#fN;@kp"u=_g`W=aFUKA8Q!n;eoQ)=%Gr(@73S#=%?q!:.K4XA84SI=]@ji<(Knf:.I0=9iY_?<`O*`<*)[cA8Oe59iP.^;f+O<:If5:9mTen=]TJq<)d$f=)LWN@ou3H=YOAg@<tO\\:.7`0;f#Gf=%$PE=tiQD<(9b?>&8.5<CC"G;J]6L>":GL;H?7h;/JlZ;efKY:Idlj=\'%Cu;FF-#<ECnk<E45s=&a!=;H5Sg@9@&\\9f$`[=]Rt;@ol9CAOK!S<*2a^@7<e%@THN1:2F`K>#e0n<(\'Ju<_,Q"@r"Xn;-%L&9iPq(@;9=V<)d[NAOK9`=_pP]ASj+W=ts3$>&J+3<`i+2@7NdF;DCX=;/C#o;_V*c<^p(F@oZE/@P_sX@TZbe=))PlA8=e(A6<M3@7OsTAOoQPA9U1"'

然后怎么办?看到一个日本的WP 这里用base58,出来的东西就不贴了是emoji符号,贴不出来的那种。然后到cryptoji | encrypted emoji 里贴上就看到结果了。不要点别的

ECC Quiz

给了椭圆上一个点求乘后的值,不会从日本的一个WP学来,复现。

这个题没有附件,只有远程,远程一共3道题,答对以后可以得到flag,三个题都是关于椭圆方程的,第1个是给定p,a,b,P和乘数m求Q = mP这个比较容易

'''
Enter your choice: 1
Curve parameters:
p = 12613
a = 864
b = 8456
Point P: (6540, 1524)
Find the point Q = 6425P. The answer is in the form of (x,y): 
'''

def s1(p,a,b,P,m):
    F = GF(p)
    E = EllipticCurve(F, [a, b])
    P = E.point(P)
    Q = m*P
    r = f"({Q[0]},{Q[1]})"
    print(r)
    return r

def get_s1():
    sh.sendlineafter(b'Enter your choice: ', b'1')
    sh.recvuntil(b'p = ')
    p = int( sh.recvline())
    sh.recvuntil(b'a = ')
    a = int( sh.recvline())
    sh.recvuntil(b'b = ')
    b = int( sh.recvline())
    sh.recvuntil(b'Point P: ')
    P = eval( sh.recvline())
    sh.recvuntil(b'Find the point Q = ')
    m = int( sh.recvuntil(b'P.', drop=True))
    sh.sendlineafter(b"(x,y):", s1(p,a,b,P,m).encode())
    return p,a,b,P,m
   
get_s1()

第二题是已知两点求参数a,b,当两个点给定后就是二元一次方程组,可以直接解也可以用矩阵,这个WP是用的矩阵。

'''
Enter your choice: 2
Curve parameters:
p = 35371463786896767403883993879950568376425395921041864704896570633658346257377326450371885543667689388371397786558353721715951081818497958520125458257311879009311599281405600577882834537687
Point M on the curve: (11167999853303493222746045702151309956349245456132816546988745387439417523669532765400664854270169851544158641720483571372796738978308087129543348315813398381916000522256227652463488088759, 14235871227609176117419037322215903412896418677581296893263122244466495516501059148482339923908286214318868802694209348625834840090288371136382095156987565471128329739317044050153965085564)
Point N on the curve: (34181843038403961504038646547955266834676968908351779373403575518393704136248789816130062681000161968234498379978339993440834123801220109974461491111682189103535957854778788923672652334205, 7721014516008602943724491960961632269157040994437262667853548205799486252368493981422773648635093854932747215220828199494727285547574870575253080961667143405054516597820830642116821862357)
Find the curve parameters a and b. The answer is in the form of (a,b): 

| x1 1 |   |a|    |y1^2 -x1^3|
| x2 1 | * |b|  = |y2^2 -x2^3|

X = A.solve_right(C)
or 
A.inverse()*A*X = A.inverse()*C 

'''
def s2(p, M, N):
    A = matrix(Zmod(p), [[M[0], 1],[N[0], 1]])
    C = matrix(Zmod(p), [[M[1]**2 - M[0]**3], [N[1]**2 - N[0]**3]])
    X = A.inverse() * C
    r = f"({X[0][0]},{X[1][0]})"
    print(r)
    return r

def get_s2():
    sh.sendlineafter(b'Enter your choice: ', b'2')
    sh.recvuntil(b'p = ')
    p = int( sh.recvline())
    sh.recvuntil(b'Point M on the curve: ')
    M = eval( sh.recvline())
    sh.recvuntil(b'Point N on the curve: ')
    N = eval( sh.recvline())
    sh.sendlineafter(b"(a,b):", s2(p,M,N).encode())
    
get_s2()

 第三题和第一题相反,给了两个点求u ,Q=uP 这个题数字都比较小,可以直接爆破,但还是学人家WP里的解法好。

'''
Enter your choice: 3
Curve parameters:
p = 1228564964111169573663596185733
a = 721418494225609268155123544669
b = 867322911963218745305605918611
P = (1023299399129942635540223017013, 910643556349893045023606263034)
Q = uP = (196403627684407134672090488599, 473655574959373049831350237623)
Find the scalar u. The answer is a single integer: 
'''

def s3(p,a,b,P,Q):
    print(p,a,b,P,Q)
    F = GF(p)
    E = EllipticCurve(F, [a, b])
    P = E.point(P)
    Q = E.point(Q)
    factors, exponents = zip(*factor(E.order()))
    primes = [factors[i] ^ exponents[i] for i in range(len(factors))]
    
    print(primes)
    dlogs = []
    for fac in primes:
        t = int(P.order()) // int(fac)
        dlog = discrete_log(t*Q, t*P, operation='+')
        dlogs += [dlog]
    print(dlogs)
       
    ans = crt(dlogs, primes)
    print(ans)
    return str(ans)

def get_s3():
    sh.sendlineafter(b'Enter your choice: ', b'3')
    sh.recvuntil(b'p = ')
    p = int( sh.recvline())
    sh.recvuntil(b'a = ')
    a = int( sh.recvline())
    sh.recvuntil(b'b = ')
    b = int( sh.recvline())
    sh.recvuntil(b'P = ')
    P = eval( sh.recvline())
    sh.recvuntil(b'Q = uP = ')
    Q = eval( sh.recvline())
    sh.sendlineafter(b'Find the scalar u. The answer is a single integer: ', s3(p,a,b,P,Q).encode())

get_s3()

最后选菜单取就行了

def get_flag():
    sh.sendlineafter(b'Enter your choice: ', b'5')
    print(sh.recvuntil(b'}'))

get_flag()
#cvctf{ECC_is_411_y0u_n33d_t0_kn0w...And_CryptoHack_15_4w3s0m3!}

看着不难,一作就废。 

RSA 3

原题server

from Crypto.Util.number import *
import random
#from secret import flag

es = [17, 19, 23, 29, 31, 63357]
e = random.choice(es)
p = getPrime(1024)
q = getPrime(1024)
n = p * q
m = bytes_to_long(flag)
c = pow(m, e, n)

if not random.randint(0, 10):
    c = (1 << len(bin(c)[2:])) | c    #10次才有一次,不用管

print(f"n = {n}\ne = {e}\nc = {c}")

这里e和n都在变,但e就几个可选值,里边对c的处理由于10次才会有一次可以不处理,先登录网站多次找3个e一样的,然后用中国剩余定理解

e=17
n1 = 10693914454311431656307610014029132586674809563593121840355650485069219172150964785324854773727579907180247982518766603951127535735366002330947127532633573246255287787721049214787007066639197409931789096620381081083786219508402663680304962557177051355476272946563987267275433659134936447556298917781480264826758011792814812397108018226643436975575131963829724931805094353463091470543684338695219315901830000623776315738238612735707599121130714590880690397013374065202425147294136509126610916047399729790822051327554833789631317107019746190628638380471033331049451815860662117872239693732796139849738531319280571592159
e = 17
c1 = 6981160130311016390489722540316423786227271860900450295297003557886568900928461714659121064887775331417170937266793821409758239576896626088090412897367422202404063760073263144704841755918153787271235160846165362401782206268723277593290694358989855227941278771652212953372714443924821898302689833474349505745462124697888002742530394272317660664827210559816074067276047815807474039787605988447270594282052787304016851820186500131806745962929984863047265245964877160770601268935589329816152571979147802188529178517668521052095539601230043721501626925200880796380683934560221335651074827735775767567580307193413432411071

n2 = 27085705680767622327332987902862060603713787626896128533953378429602114639242185896192578360847280661194181647229681106883518457790054175916107420743874121009424137026655823822632792605749988912686299322121330364480416664301554703511250446078605765383520468197876001690548399182687285754526022755274456645753848270324233696660222239091589295805436485535277367657250333211376034623543902809280359062023212265251323645761404322338348667994305145312998483399998205304981997393096922164020524185322402436304972410353800439290744509740204824328381354925197878795291965847402621488840406276244219958374494306973751472075543
e = 17
c2 = 23530129421080573881236529012757693053581322687845710984184697076711341023209594696856359084114083206802278084925646436101503924651339213427069647958123824243302179538274620341586852824926242995389506298392777064884659156016313074393771971308346758416634664893886457804439539376724593058208238986135045348058589426718364872994794215789084419591982506051149270453843149969699315234429642565656186691830136962997883308519552883181975658043709379773230207637377515043855894502196456367917122549446439228395099269278482841674500187010716322165437706036719444204385382282655634651713865854349466347867093845350141762432986

n3 = 18352823911264698900651566304464161847913365689191732403126260267040721738556175338703760309312874146737233328981578738938919300916269428059684912268091771357892070858421246234571345579601759025031100390493343824882529116886519812477740034261381021394551898297382156744127215979519192679841004904069344679267363157060449214996037545117325598755834647466183663126850529053124809830542717575707606858887138849331470431606055255535050920426737031416472002700236290958289372551752364253877583672495505029604012699677368666418699303258121995742209755418810785820617610310449384650801826615046342567402545032460906954689507
e = 17
c3 = 1737146045385937705359457246047071230095853982718472723565179804689351241123447265038743683442201531287325967606944534889716615051905346790660296547873241026642497189429641145607859671458551036856868417180314755825928050925211745934359272376122040978313685743319110325299711183210176177274890065163817526182245165311281900934832345394545785960667577458449521142569856280324040687744285625707059697980943119859167319338630826156271507642312984336929882481393585449788489891026725646959933138679847624721017724468655366717365968590864933747196926405793484439553371901627467679775360238988312821040659407729894679763947


#sagemath
x = crt([c1,c2,c3],[n1,n2,n3])
m = x.nth_root(e)
print(bytes.fromhex(hex(m)[2:]))
#cvctf{Hastad_with_e=65537_might_be_slow}

1337

一个有限域上解方程的题,不会,后边的也都不会了

from Crypto.Util.number import inverse, bytes_to_long, getPrime

FLAG = b"cvctf{REDACTED}"
step = len(FLAG) // 4
parts = []
for i in range(0, len(FLAG), step):
    parts.append(bytes_to_long(FLAG[i:i+step]))

P = getPrime(128)
ZmodP = Zmod(P)
a, b, c, d = parts
x, y, z, w = ZmodP(a), ZmodP(b), ZmodP(c), ZmodP(d)

print("P:", P)
print("L:", x^1+y^3+z^3+w^7)
print("E:", y^1+z^3+w^3+x^7)
print("E:", z^1+w^3+x^3+y^7)
print("E:", w^1+x^3+y^3+z^7)
print("T:", x+y+z+w)

'''
P: 231609284865232306744388160907453774453
L: 213929627434382339098735177055751649916
E: 19199104003461693263250446715340616788
E: 81305572597778258494448971196865605263
E: 204055349607012377951682156574173649079
T: 2268211308285612387872477045295901103
'''

Weird dlog

DLP题,未完成

from Crypto.Util.number import *
from secret import flag

NBITS = 1337

def keygen():
    p = getPrime(NBITS)
    q = p + 2
    while not isPrime(q):
        q += 2

    n = p**2 * q
    g = getRandomRange(2, n-1)
    assert pow(g, p-1, p**2) != 1
    return (g, n), p

(g, n), pk = keygen()
print(f"g = {g}")
print(f"n = {n}")

m = pow(g, bytes_to_long(flag), n)
print(f"m = {m}")

'''
g = 4217104162231108571881486363264502722577265670533700464292447122725884060865278499273749984084307890296655750169737247120115556105852793495207776085190125693574834744150776071626953537124287733539294768576947214664831668249537361880607900415980188224790377848428124695064324868240382228326860781143717838988468681317873292597463247890454032395659378742623078198171614526987958808613568346779857292295096270767472963769637419908101399359189794634298434235861743414985078720538901239212554829307311050121532457033249775247040962157091404814597818322567791804549931512078619168741053536240553838132062889112375399237994189289540471931223835109201969517169907064471393467949637030171468739827679615037096191102556235525038398343624846458755117043899170432849676184565935742212246568515988089821245576219250167380483425498097448081250808144546318744227429556017907249040862683999049166654695785359522913386597444234975046933660020802696704230400762773828356573597488744036818115263470798266879540313464252075039418721353291327500707724679404373330401143441889215673146351039551079579127929035980199349135110483207097742313251638620757710743549095431313120163844541459241899262156308740654917968060844284412082299
n = 10941888529432710302272044808172366177817083267353728387778251966266072287607755644721338043351870432706497693313492403987246128369454049222700884094312120262698229189208223218732275272981771624419914106314134685967783268356547329406040929859316975902966386276320517786973713050654580905181729305020144204934138012268416005803949005810888621349553556279807338189673928133725107444318753299258813428869755492871371365509253274275507785302703028229706104025231495516828413453372697736689315270600144033367988185883751955533145131820299821036099425033741978037404521469840343451728996005273312522454265432166678945758946508086710070492821787815923425038513533610548985733666276895713644320042830406173577168099532687994444950160159745610177551080984478286003952657902953582221120083238221655231826293209922243103643973158229947410799996443039134812980230923730059957532891088920291921544489491437892953022797147371056895427933338596342279801238281297736043937512612367418666450917035364442328787819461040287010570790023067874699031894369374666073884261229547448186848837461040401572755725068306333093138881471721393682218994576974011413807781411295540237225784367274045480384276599164320452991405168935726178669
c = 4576653037171661542042510858542458890428902270240861216961609304805830644888835861552943484827465024255946333173438385318547946480432546672274379127945737050221711664915718037389483818788255371177342813451318183796063859501483853616124820170927827054719451326957465962519367227753007179628370407849940782754428678471956932743015842138996456351682565775528904950367274203264025982858945560085867807654673726775851728189907590054081432299552285929407918297497972515287529506153936873120705301250301755547851988767682706931104344998515759782906834209711055747621306735557847407025512085632112612715677993856157667539100717815505576125450494688023610882544096421409195218600313621491935755995519193153556491442386466162185336840903547990417011020008723119132837593921370224096091218428827263318876330392141114596260431968349229888104149062981625468823935145842920387345948673405002062554960084883553497321014737635984993337888457310522533554029754162393609118195463217899952617045335297738291366080224287861881668432617054485772999546446076931624127877484962146375663168327918511556849268478695380248447621861402820926977211453653005530269636900365390125831754366239971553991824331582315041274983141065725144997
'''

这里p,q很接近,可以解出来,然后看原来的题就是直接求对数了,可惜作不出来,不清楚差哪了。

p = 2220056847922888806692961201204181494180468404265144656979415727846610609650612145504228170996668036830178564363339729040733053444504290404813978909079947107025031382736413106168755521395169078323433549912352350586785691382035545583930303726697079796565769117602611817953388750640643945286203371871152311393277382213336946213995315438785489971755082168989679975255419041436378409691325787848675432434833
q = 2220056847922888806692961201204181494180468404265144656979415727846610609650612145504228170996668036830178564363339729040733053444504290404813978909079947107025031382736413106168755521395169078323433549912352350586785691382035545583930303726697079796565769117602611817953388750640643945286203371871152311393277382213336946213995315438785489971755082168989679975255419041436378409691325787848675432436509
F = GF(q)
long_to_bytes(F(c).log(F(g)))

A Tale of Two Systems

题目也是两块,两块都不会

from Crypto.Util.number import *
from secret import flag

NBITS = 1024

def system_one(m: bytes):
    a, b = [getRandomNBitInteger(NBITS) for _ in range(2)]
    p = getPrime(2 * NBITS)
    q = getPrime(NBITS // 2)
    g = inverse(a, p) * q % p

    ct = (b * g + bytes_to_long(m)) % p

    print(f"p = {p}")
    print(f"g = {g}")
    print(f"ct = {ct}\n")

def system_two(m: bytes):
    p, q = [getPrime(NBITS // 2) for _ in range(2)]
    n = p * q
    e = 0x10001
    ct = pow(bytes_to_long(m), e, n)

    print(f"n = {n}")
    print(f"e = {e}")
    print(f"ct = {ct}")
    
    # what if q is reversed?
    q = int('0b' + ''.join(reversed(bin(q)[2:])), 2)
    hint = p + q - 2 * (p & q)
    print(f"hint = {hint}")

def main():
    print("When you combine two insecure systems, you get an insecure system. (Cryptoverse CTF, 2022)")
    print("[+] System 1")
    system_one(flag[:len(flag) // 2])
    print("[+] System 2")
    system_two(flag[len(flag) // 2:])

if __name__ == "__main__":
    main()

第一部分感觉g应该可以分解得到q然后两边模q就能把a,b,q项去掉,分解不成功,放弃。回头发现自己写的笔记,关于NTRU的,似乎与这题基本相同,只是q是g g是h,把变量名改一下,直接用原来的程序。得到前一半

#sagemath
p = 20674560756675681113807790771517430528512553857174119575519075764019276636690663462938567589430430460827468855176990607866662208878496146036805827782635460673199652412733975510335422677460730264825472933858652608429343035488488603137801781214938408376223813765348999263839115699969377943217517837672862013818475666653836506583052308034058249324326415414364356442070749039494616286767572072398953493782554731290108295336159077374437925169124645200455704800370759354362584372424061210775163275420305131558794161601224465838778284886947938781786382764093467968116097834015744469149777515652090914300180029662288783750021
h = 5365347844128911565211837794252336963057769303115463818738345608049041966508101046929880647194771517267106647263073443125634817774906157236157364181220114411736283603059221346539093692404874612539184286517328794259184507790239825289038134433765839884461242650892882279806511242820846708839730744202157985481289342173571114134979156499539670694539440474761156374349428264760740065338094636581045645711147693807365625789728452292523224554652674948494238368602447996725452482367080741677198681165008318577100383140978454643629228309803247917737000357630668780245655456608804937997854554350520449896400294483856616814372
c = 7198614388336961568991317581364946176599732925342548106877806830805493704508075912208241115350344191374827351874074150549656775285164202146294778355061448230589465181081889636070498174685391034029837473151573921040343466735807862021503271878218452664219101661480779782715330005668928307176271335942096485215750307265516779004367844432567231788085514343337614238950306425973379613080931291149785179652369852109225613425421153062607258945987848594216018518686456430939925568011454644192785585658774535793557557054745416480167491598491258801748919186493783417939002251404512177037699861017344666192055596178941166714878

# g 512
# h = inverse(a, p) * g % p
# ct = (b * g + bytes_to_long(m)) % p
# c = (a*h + m ) % p

v1 = vector(ZZ, [1,h])
v2 = vector(ZZ, [0,p])
M = matrix([v1,v2])
f,g = shortest_vector = M.LLL()[0]
a = f * c % p % g
m = a * inverse_mod(f, g) % g
bytes.fromhex(hex(m)[2:])
#b'cvctf{n0_On3_1S_u53l355_1n_7h15_w0r1d_...'

第二部分感觉可以爆破,那个hint就是p^q的值,也没成功

快12点了,终于把程序改完了,秒爆成功

n = 153342396916538105228389844604657707491428056788672847550697727306332965113688161734184928502340063389805944751606853233980691631740462201365232680640173140929264281005775085463371950848223467977601447652530169573444881112823791610262204408257868244728097216834146410851717107402761308983285697611182983074893
e = 65537
ct = 107338230886326277184470602423206077959904409598566827958776297403757505756279110769758655388775872785351736575087710060126451130008864605660316323321121912126865044237770131409575047987371810396491057938456745767097179158355665973273718023399000209954399981644938965035820182118954653379531056336561902214503
hint = 3551084838077090433831900645555386063043442912976229080632434410289074664593196489335469532063370582988952492150862930160920594215273070573601780382407014
#0x43cd5753d1ed37ef2ccb0fc5b0cd4795cf9aec9b43cd5dbe90bc1dcf3aea56e87e7f864deea7058496c81ca724bdc7cab6519ff38bb0fb4e27c1e1046f319966
bits = 512

def get_pq(p,q, idx):
    #print(idx, hex(p))
    #print(idx, hex(q))
        
    t = p*q
    if t == n:
        print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1')
        print(p,q)
        exit()
        return True
    
    if idx>=bits//2:
        return False
    
    if t > n:
        #print('>n')
        return False
    
    if ((t^n)&((1<<idx)-1)) != 0:
        #print('VALU:',hex((t^n)&((1<<idx)-1)), idx)
        #print('MASK:',hex((1<<idx)-1), idx)
        return False
    #中间全写1,不能小于n
    k = (1<<(bits - idx) ) -  (1<<idx)
    if (p+k)*(q+k) < n:
        #print('<n', hex(p+k), hex(q+k), hex(n), hex(k))
        return False 
    
    b1 = int(hint[idx])
    b2 = int(hint[-idx-1])
    bleft = 1<<(bits-idx-1)
    bright = 1<<idx
    #print(b1, b2, idx, hex(bleft), hex(bright))
    
    if (b1 == 1) and (b2 == 1):
        get_pq(p + bleft + bright, q,                  idx+1)
        get_pq(p + bleft,          q + bleft,          idx+1)
        get_pq(p + bright,         q + bright,         idx+1)
        get_pq(p,                  q + bleft + bright, idx+1)
    elif (b1 == 0) and (b2 == 0):
        get_pq(p + bleft + bright, q + bleft + bright, idx+1)
        get_pq(p + bleft,          q + bright,         idx+1)
        get_pq(p + bright,         q + bleft,          idx+1)
        get_pq(p,                  q,                  idx+1)
    elif (b1 == 1) and (b2 == 0):
        get_pq(p + bleft + bright, q + bleft,          idx+1)
        get_pq(p + bleft,          q,                  idx+1)
        get_pq(p + bright,         q + bleft + bright, idx+1)
        get_pq(p,                  q + bright,         idx+1)
    elif (b1 == 0) and (b2 == 1):
        get_pq(p + bleft + bright, q + bright,         idx+1)
        get_pq(p + bleft,          q + bleft + bright, idx+1)
        get_pq(p + bright,         q,                  idx+1)
        get_pq(p,                  q + bleft,          idx+1)
    else:
        pass
        
    return False
        
    



'''
bits = 32

p = 3571218643
q = 2389193687
n = p*q
#'0b11010100110111000111100011010011'
#'0b10001110011010000011001111010111'
# 0b00111111000100000110111010100010
#0b111011001101000111011111011000011010000111100111000001000110101
hint = 0b00111111000100000110111010100010
'''
hint = bin(hint)[2:].zfill(bits)
print('h:',hint)
p = (1<<(bits-1))+1
q = (1<<(bits-1))+1
get_pq(p,q,1)

然后解出flag但不知道对不对,因为已经不让提交验证了,中间的...不知道应不应该去掉。

from gmpy2 import invert
from Crypto.Util.number import long_to_bytes

n = 153342396916538105228389844604657707491428056788672847550697727306332965113688161734184928502340063389805944751606853233980691631740462201365232680640173140929264281005775085463371950848223467977601447652530169573444881112823791610262204408257868244728097216834146410851717107402761308983285697611182983074893
e = 65537
ct = 107338230886326277184470602423206077959904409598566827958776297403757505756279110769758655388775872785351736575087710060126451130008864605660316323321121912126865044237770131409575047987371810396491057938456745767097179158355665973273718023399000209954399981644938965035820182118954653379531056336561902214503

p = 12920353645099492619679479666991160896328428450834965756045573491194784306188917862917632728418934103419607380552154374379706857085564196243344264957706273
q = 11868281714928035840885653003726705720903252216809943086581667759016897601381945357803011950846537123774369112630185360831707791214422115674941823460064941

phi = (p-1)*(q-1)
d = invert(e,phi)
m = pow(ct,d,n)
print(long_to_bytes(m))
#b'_wH0_l16h73N5_tHe_BurD3nS_0F_4n07h3R.-_-}'
# cvctf{n0_On3_1S_u53l355_1n_7h15_w0r1d_..._wH0_l16h73N5_tHe_BurD3nS_0F_4n07h3R.-_-}

Reverse

Baby Reverse

用文本编辑器打开二进制文件就能看到flag

Basic Transforms

一个js文件

var readline = require('readline');
var Crypto = require('vigenere');

var rl = readline.createInterface({
    input: process.stdin,
    output: process.stdout,
    terminal: false
});

rl.on('line', function(line){
    if (line.length == 20 && line.startsWith("cvctf{") && line.endsWith("}")) {
        var cat = Crypto.encode(line.substring(6, line.length - 1), "nodejsisfun").split('').map(function(c) {
            return String.fromCharCode(c.charCodeAt(0) + 1);
        }).join('');
        if (Buffer.from(cat.split("").reverse().join("")).toString('base64') == "QUlgNGoxT2A2empxMQ==") {
            console.log("Correct!");
        }
    }
});

用node.js处理的js程序,先进行维吉尼亚编码,再每个+1,再反转,再base64,简单是简单,但维吉尼亚函数node.js上是非标的,需要安装node.js,感觉这个有硬推软件的嫌疑。

French

法国密码,原来有过一个题印象深刻,法国密码就是维吉尼亚密码,不过这题跟这个没关系

  strcpy(v10, "GEL DESINFECTANT POUR LES MAINS");
  fread(ptr, 1uLL, 0x17uLL, _bss_start);
  v6[0] = 0x5FF83441E17900E5LL;
  v6[1] = 0xDF970AF589793ADLL;
  v7 = 1229849353;
  v8 = -27939;
  v9 = -73;
  rc4_crypt(v6, 23LL, v10, 31LL);
  for ( i = 0; i <= 0x16; ++i )
  {
    if ( *((_BYTE *)v6 + (int)i) != ptr[i] )
      return 1;
  }
  puts("Correct!");

先对v6解密,然后跟输入比较,只要跟进去到比较这断下来就能看到flag

World Cup Predictions

世界杯预测,里边写的很明白,先输入啥后输入啥

from pwn import *

context.log_level = 'debug'

p = remote('137.184.215.151', 22611)

a = b'Netherlands,England,Argentina,Senegal,Japan,Brazil,Iran,USA'.split(b',')
b = b'Argentina'

for v in a:
    p.sendlineafter(b':', v)

p.sendlineafter(b"[+] Stage 2: Predict the winner!\n", b)

p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()

Super Guesser

猜数,pyc的编译程序,到网站上逆回来,很明白,就是直接爆破字符

import hashlib
import re
hashes = [
    'd.0.....f5...5.6.7.1.30.6c.d9..0',
    '1b.8.1.c........09.30.....64aa9.',
    'c.d.1.53..66.4.43bd.......59...8',
    '.d.d.076........eae.3.6.85.a2...']

def main():
    guesses = []
    for i in range(len(hashes)):
        guess = input('Guess: ')
        if not len(guess) <= 4 and len(guess) >= 6 or re.match('^[a-z]+$', guess):
            exit('Invalid')
        if not re.match('^' + hashes[i].replace('.', '[0-9a-f]') + '$', hashlib.md5(guess.encode()).hexdigest()):
            exit('Invalid')
        guesses.append(guess)
    print(f'''Flag: {guesses[0]}''' + '{' + ''.join(guesses[1:]) + '}')

#if __name__ == '__main__':
#    main()

import string 
tab = string.ascii_lowercase
for i in tab:
    for j in tab:
        for k in tab:
            for l in tab:
                for m in tab:
                    aa = i+j+k+l+m
                    vv = hashlib.md5(aa.encode()).hexdigest()
                    for _ in range(4):
                        if re.match('^' + hashes[_].replace('.', '[0-9a-f]') + '$', vv):
                            print(_, aa)
'''
cvctf{hashisnotguessy}
'''

Boost Game

这个程序里很乱,下断点后根据判断得到5个数字,在结束前下断点得到flag

232665
1332123
7300
1060456
1282900
Congrats, flag is: cvctf{2326651332123730010604561282900}

Baby CUDA

c++的程序很乱找不着北

后边两个同样。

石氏是时试
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Crypto--格密码(一)
刘十三t的博客
07-15 2319
记录格密码的一些题
Crypto-RSA-wp
qq_43647197的博客
10-15 179
1.首先通过hint n构造f(x) = hint^512-1 = kn,将n的分解转移到多项式f(x)的分解上。故,从0开始到999999遍历一遍m,把符合情况的m记录下来,不足六位高位补充0再拼接在一起即可得解。题目考点:1. 多项式上n的分解 2. benaloh cryptosystem。于是我们对clist里参数使用gcd,即可求出pow(u,r,n)又知道y、n,且m最多为六位整数(后来看wp上的预期解、分享一下。可知u、r、n都是常数,所以。
RSA理解-1.攻防世界:初识RSA
最新发布
weixin_49765221的博客
05-08 253
RSA还是要多做题才好理解呀
2022鹏城杯CTF---Crypto
Luiino的博客
09-18 2159
第一部分,e与phi_n不互素,gcd(e,phi_n) == 4,此时e对phi_n没有逆元,但gcd(e//t,phi_n) == 1。mod n,由上面的for循环可以知道M与初始m的关系:M = m * (p-q-1)!对n进行分解,得到p、q,小的是q。记print(pow(m,e,n))里的m为M,故有c2 =第三部分, 看到M = 2022 * m * 1011 * p,又n = p*q,且c =记两输出结果分别为c1、c2,由print(pow(2,e,n))可以得到:c1 =
D^3CTF(Crypto-D3bug详解 LFSR题目)
MangoFengC++
03-15 1104
D3bug详解(LFSR题目) Author: MangoFeng 题目 from Crypto.Util.number import * from secret import flag assert flag.startswith("D3CTF{") assert flag.endswith("}") message = bytes_to_long(flag[6:-1]) assert message < 2**64 mask = 0b10100100000010000000100010010100
Crypto.Util.number 模块下载问题
Pisces50002的博客
12-23 965
需要调用long_to_bytes函数(from Crypto.Util.number import long_to_bytes),要下载Crypto库。crypto已经停用,不再更新,而pycryptodome则可以完美替代它,相应的子模块也都有,所以只要安装pycryptodome模块即可。在NSS做题的时候([HUBUCTF 2022 新生赛]ezPython),需要进行bytes与long类型的转换,所以只要用cmd命令进行安装即可。
D3CTF2022-官方WriteUp1
08-03
"D3CTF2022-官方WriteUp1" 本文将对 D3CTF 2022 官方 WriteUp1 进行总结,主要涉及 MySQL UDF 提权、Java 反序列化、MySQLInject、Web 短链技术等多方面的知识点。 1. MySQL UDF 提权 在 MySQL 中,可以使用 User...
imaginary ctf 2022 writeups
08-07
imaginary ctf 2022 writeups
Imaginary CTF 2022 真题
08-01
https://2022.imaginaryctf.org/Challenges
CTF真题-Dest0g3CTF2022招新赛
06-01
CTF真题-Dest0g3CTF2022招新赛,来自BUUCTF
2022工业互联网大赛-杭州-CTF题目
09-14
第一次参加工控类的CTF,然后正好团队中有一个小伙伴电脑连不上局域网,只能从我电脑中下载下来,因此这次正好有完整的题目和附件,然后也基本是misc和crypto题。分享给需要的朋友,如果有人能写出writeup的话,那就...
crypto-babyLCG(NPUCTF2020)
耐酸碱高温固化材料近距离传输研究
11-30 1218
显然如果要解密出flag明文那必须要反推出最初的seed参数,将后面产生的随机数全部复原。的原因是为了保持向量各个数值bit位保持一致(关于格密码基础概念推荐这篇。因为前20个随机数的高位是已知的,接下来思路是针对这个式子做变形。其中A,B均可通过a,b,h推出。现在将以上关系式写成矩阵形式。由于h均为已知,那么现在找到低位l递推的关系式,又因为。近期研究格密码过程中遇到的一个很好的题目,记录一下。则可以推出所有低位l与l1的关系式,简写为。构造lattice,最后一项取2。将s拆分为高位h和低位l变为。
BUUCTF——rsa系列(4)
Luiino的博客
07-27 3996
给了c、z、n以及e分析一下,首先是它的作用是进行求导,前一个参数表示求导的内容,后一个参数表示求导的主体,如意思是以p为主体对求导得到1/(1+),同理得到1/(1-)。其次对于如Fraction(1,Derivative(arctan(p),p))是以1为分子,以Derivative(arctan(p),p)为分母,这样一来可以得到关系式z=可以进一步得到下面的关系式=z-2n,=z+2n,敲代码解出p、q。............
ctf之lcg算法
热门推荐
superprintf的博客
10-08 1万+
线性同余方法(LCG)是一种产生伪随机数的方法。 线性同余法最重要的是定义了三个整数,乘数 a、增量 b和模数 m,其中a,b,m是产生器设定的常数。 为了方便理解,我打个比方 假设现在有随机数X1=1234,乘数a=2,增量b=3,模数m=1000 那么下一个随机数X2=(2*1234+3)%1000=2471%1000=471 解题用到的公式: Xn=(a-1 (Xn+1 - b))%n a=((Xn+2-Xn+1)(Xn+1-Xn)-1)%n b=(Xn+1 - aXn)%n 好了,然后根据lcg
BUUCTF NewStarCTF一些新知识记录
Aiwin的博客
09-21 3068
BUUCTF NewStarCTF一些新知识记录
【密码学RSA】2020巅峰极客_tryrsa解题过程及原理的详细分析
serendipity1130的博客
09-07 1609
1.题目: from secret import e1,e2,flag from Crypto.Util.number import * msg = bytes_to_long("=========Hint:e1="+str(3)+"=============") p = getPrime(512) q = getPrime(512) N = p*q print (N) print (pow(msg,3,N)) msg = bytes_to_long(flag) p = getPrime(1024
rsa入门ctf
jishamo的专栏
12-09 476
总结rsa
任务二:Crypto学习
weixin_44171487的博客
05-09 5068
任务二:Crypto学习 内容: ① 掌握RSA加解密原理以及算法实现,在理解原理的过程中可以结合PPT对数论部分的相关内容进行学习。学习掌握AES加解密原理、代码实现。 ② 完成2020数字中国虎符网络安全赛比赛题目的复现。 RSA 基本信息: ①RSA加密算法是一种非对称加密算法。在公开密钥加密和电子商业中被广泛使用,于1977年由在麻省理工学院工作的三人提出。 ②1973年,在英国政府通讯总...
[ACTF新生赛2020]crypto-rsa3
Todog的博客
04-24 1310
题目描述 from Crypto.Util.number import * import gmpy2 import random e=65537 p = getPrime(512) q = int(gmpy2.next_prime(p)) n = p*q m = bytes_to_long(FLAG) c = pow(m,e,n) print(n) print(c) #n=17760650483649924697095903022687160888596932177821105
2022年工控ctf
08-31
2022年工控CTF是一场以工业控制系统为主题的网络安全竞赛。随着工业互联网的普及和工控系统的数字化转型,工控CTF成为了信息安全领域的重要赛事之一。 在2022年工控CTF中,参赛团队将面临一系列与工控系统相关的...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值