文章详细描述了一系列基于加密技术的挑战,包括RSA、AES、自定义加密算法等。作者通过分析加密过程,展示了如何利用已知信息解密数据,最终获取隐藏的flag。文章涵盖了加密模式的弱点、块操作和替换箱等方面的知识。
本来想写到一篇里的,中途网站可能不稳定,只读了。只能分开写,不过分开写更好,不会太长。
Cryptography
babynotrsa
名字说不是rsa运算式是flag*e %n 显然这是个有限乘法,只要求e乘法的逆乘c即可。密码里的签到。
from Crypto.Util.number import getStrongPrime
# We get 2 1024-bit primes
p = getStrongPrime(1024)
q = getStrongPrime(1024)
# We calculate the modulus
n = p*q
# We generate our encryption key
import secrets
e = secrets.randbelow(n)
# We take our input
flag = b"irisctf{REDACTED_REDACTED_REDACTED}"
assert len(flag) == 35
# and convert it to a number
flag = int.from_bytes(flag, byteorder='big')
# We encrypt our input
encrypted = (flag * e) % n
print(f"n: {n}")
print(f"e: {e}")
print(f"flag: {encrypted}")
n = 21429933885346644587620272790089165813353259223649897308397918491861562279767580488441831451651834802520437234248670652477414296159324726172158330221397420877323921934377321483041598028053870169281419856238830264612049920637819183013812186448416408328958360799645342598727238977986741643705720539702955864527935398839069236768630867447760912744208154645904678859979378604386855741350220991958191408182147658532111413386776058224418484895056146180001830405844881486308594953615999140110712045286000170660686758188247928230655746746482354748673482506070246808187808961599576834080344066055446605664648340486804023919467
e = 10788856448030235429585145974385410619185237539198378911887172763282204686697141640582780419040340318300048024100764883750608733331571719088729202796193207904701854848679412033514037149161609202467086017862616635522167577463675349103892366486246290794304652162107619408011548841664240624935414339021041162505899467159623692906986841033101688573177710503499081107294555688550493634416552587963816327790111808356639558596438537569271043190414208204773219496030644456745185896540608008662177117212000718802474957268532153146989410300300554162811564064457762004188326986236869603714437275058878379647196886872404148116134
c = 3954523654845598592730156937269688140867480061118457307435945875579028695730063528424973907208923014508950419982702682082417623843946231057553311028711409093751376287876799688357176816093484535703797332422565021382453879908968161161537921292725907853309522100738603080298951279637316809695591295752657105226749125868510570125512146397480808774515489938198191435285342823923715673372695893409325086032930406554421670815433958591841773705563688270739343539481283865883427560667086249616210745997056621098406247201301461721906304555526293017773805845093545204570993288514598261070097976786800172141678030841959348372097
#c = m*e%n
m = c * pow(e,-1,n)
bytes.fromhex(hex(m)[2:])
#irisctf{discrete_divide_isn't_hard}babymixup
初一看题还以为真是AES,AES本身除了oracle应该是无法爆破的。
from Crypto.Cipher import AES
import os
key = os.urandom(16)
flag = b"flag{REDACTED}"
assert len(flag) % 16 == 0
iv = os.urandom(16)
cipher = AES.new(iv, AES.MODE_CBC, key)
print("IV1 =", iv.hex())
print("CT1 =", cipher.encrypt(b"Hello, this is a public message. This message contains no flags.").hex())
iv = os.urandom(16)
cipher = AES.new(key, AES.MODE_CBC, iv )
print("IV2 =", iv.hex())
print("CT2 =", cipher.encrypt(flag).hex())
仔细一看,上边作了两次加密,第一次用的iv作为key,key作为iv这样通过明文密文和key(iv)就能算出key来,再作第2次解密
AES_CBC模式先把明文和iv异或再加密,所以把明文作为iv解密得到的就是iv(key)
IV1 = '4ee04f8303c0146d82e0bbe376f44e10'
CT1 = 'de49b7bb8e3c5e9ed51905b6de326b39b102c7a6f0e09e92fe398c75d032b41189b11f873c6cd8cdb65a276f2e48761f6372df0a109fd29842a999f4cc4be164'
IV2 = '1fe31329e7c15feadbf0e43a0ee2f163'
CT2 = 'f6816a603cefb0a0fd8a23a804b921bf489116fcc11d650c6ffb3fc0aae9393409c8f4f24c3d4b72ccea787e84de7dd0'
from Crypto.Cipher import AES
m1 = b"Hello, this is a public message. This message contains no flags."
aes = AES.new(bytes.fromhex(IV1), AES.MODE_CBC, m1[:16])
key = aes.decrypt(bytes.fromhex(CT1))[:16]
aes = AES.new(key, AES.MODE_CBC, bytes.fromhex(IV2))
flag = aes.decrypt(bytes.fromhex(CT2))
print(flag)
#irisctf{the_iv_aint_secret_either_way_using_cbc}nonce and keys
这题直接给了个加密后的sqlite3数据为文件。提示是:
Nonces and Keys
470 Points
Because of our revolutionary AES-128-OFB technology we have encrypted your user data so securely that even with the key (k=0x13371337133713371337133713371337) evil hackers can't read out the passwords!!!
challenge_enc.sqlite3给了加密方式和key。AES_OFB方式加密,先把iv加密得到z1,z1与明文异或得到第1段密文c1(m1^z1=c1),然后用z1加密得到z2...
z0 = iv
for i...:
z[i+1] = enc(z[i]) #enc过程明文不参与
c[i] = m[i]^z[i]这题有点特殊,sqlite3的头正好是16字节,也就是说第一段的明文是已知的,那就有z1=m1^c1,这样将z1作为iv对c[16:]解密即可。
from Crypto.Cipher import AES
from pwn import xor
'''
z0 = iv
z1 = f(z0); c0=m0^z1; #通过密文和sqlite固定头得到z1,用z1作为iv解密后部内容,最后再加上头
'''
msg = open('challenge_enc.sqlite3', 'rb').read()
head = b'SQLite format 3\x00'
iv1 = xor(msg[:16], head)
aes = AES.new(bytes.fromhex('13371337133713371337133713371337'), AES.MODE_OFB, iv1)
m = aes.decrypt(msg[16:])
open('aaa2.db3', 'wb').write(head+m)
#前16字节改为:SQLite format 3\0
#irisctf{g0tt4_l0v3_s7re4mciph3rs}最后的sqlite3文件可以用工具打开也可以直接看文本在最后有flag
aes_bad_256
这题还是aes,加密部分先是将输入用json打包,加上长度头,然后填充到16*16,再进行块转置打乱,最后用AES_ECB文件加密。
from Crypto.Cipher import AES as AES_BLOCK
import secrets
import random
AES_BLOCK_SIZE = 16
MODE_BLOCK_SIZE = AES_BLOCK_SIZE * 16
KEY = secrets.token_bytes(AES_BLOCK_SIZE)
AES = AES_BLOCK.new(KEY, AES_BLOCK.MODE_ECB)
import random
random.seed(KEY)
PERMUTATION = list(range(AES_BLOCK_SIZE))
random.shuffle(PERMUTATION)
def encrypt(inp):
inp = inp.ljust(MODE_BLOCK_SIZE, b"\x00")
assert len(inp) % MODE_BLOCK_SIZE == 0
data = b""
for block in range(0, len(inp), MODE_BLOCK_SIZE):
for i in range(AES_BLOCK_SIZE):
data += bytes(inp[block+j*AES_BLOCK_SIZE+PERMUTATION[i]] for j in range(MODE_BLOCK_SIZE // AES_BLOCK_SIZE))
return AES.encrypt(data)
def decrypt(inp):
assert len(inp) % MODE_BLOCK_SIZE == 0
inp = AES.decrypt(inp)
data = b""
for block in range(0, len(inp), MODE_BLOCK_SIZE):
for j in range(MODE_BLOCK_SIZE // AES_BLOCK_SIZE):
for i in range(AES_BLOCK_SIZE):
data += bytes([inp[block + PERMUTATION.index(i) * (MODE_BLOCK_SIZE // AES_BLOCK_SIZE) + j]])
return data
import json
def make_echo(inp):
data = json.dumps({"type": "echo", "msg": inp}).encode(errors="ignore")
assert len(data) < 2**32
return len(data).to_bytes(length=2, byteorder="little") + data
def run_command(inp):
inp = decrypt(inp)
length = int.from_bytes(inp[:2], byteorder="little")
if length + 2 >= len(inp):
return "Invalid command"
# Show me what you got
command = inp[2:length+2].decode("ascii", errors="replace")
try:
command = json.loads(command, strict=False)
except Exception as e:
return "Invalid command"
if "type" not in command:
return "No command type"
match command["type"]:
case "echo":
return command.get("msg", "Hello world!")
case "flag":
with open("/flag", "r") as f:
return f.read()
case other:
return f"Unknown command type {command['type']}..."
BANNER = "This is an echo service. This interface is protected by AES-BAD-256 technology."
MENU = """
1. Get an echo command
2. Run a command
3. Exit
"""
def main():
print(BANNER)
while True:
print(MENU)
command = input("> ")
match command:
case "1":
print("Give me some text.\n")
data = input("> ")
print(encrypt(make_echo(data)).hex())
case "2":
print("Give me a command.\n")
data = bytes.fromhex(input("(hex) > "))
print(run_command(data))
case other:
print("Bye!")
exit(0)
if __name__ == "__main__":
main()
思路:
ECB方式叫作电子密码本,没有反馈,所以密钥固定的情况下,相同的明文会得到相同的密文。
由于对明文作了转置,所以每个密文块所带的明文只有一两个字节,只要得到一些密文,再分成条,用这些条拼成想要的密文即可。
json打包有个问题,就是允许相同的名字出现,比如{"a":"1","a":"2"}会解包成a=2并不报错。
乱序这块可以爆破,每次改一个字符就行
这样就需要拼一个适当的密文。
+x{"type": "echo
", "msg": "AAAAA
","type": "flag"
}AAAAA作为填充让后边的值避开不可控的长度第2字节。
由于json只打双引号包,所以为得到双引号的密文(第1,3,8,11,16竖条)需要再作一次(可以作一个带\"的包输入
from pwn import *
p = remote('aes.chal.irisc.tf', 10100)
context.log_level = 'debug'
def m1(data):
p.sendlineafter(b'> ', b'1')
p.sendlineafter(b'> ', data.encode())
return p.recvline().decode().strip()
def m2(data):
p.sendlineafter(b'> ', b'2')
p.sendlineafter(b'> ', data.encode())
return p.recvline().decode().strip()
'''
\x10\x00{"type": "flag
"}
'''
head = b'xx{"type": "echo", "msg": "'
#获取 PERMUTATION
v = 'A'*16
mm = m1(v)
#print(mm)
plist = [-1]*16
for i in range(16):
vv = v[:i]+'B'+ v[i+1:]
nn = m1(vv)
#print(nn)
for j in range(16):
if nn[j*32:j*32+32] != mm[j*32:j*32+32]:
plist[j]=(i+11)%16
break
print(plist)
'''
+x{"type": "echo
", "msg": "AAAAA
","type": "flag"
}
'''
t0 = "AAAA\",.type.: .flag" #0-1,3-6,8-9,11-14
t2 = "AAAAAAA"
t7 = "AAAAA.,.type"
t10 = "AAAAA.,.type.: "
t15 = "AAAAA.,.type.: .flag"
e0 = m1(t0)
e2 = m1(t2)
e7 = m1(t7)
e10 = m1(t10)
e15 = m1(t15)
ok2 = ''
for i,v in enumerate(plist):
if v == 2:
ok2 += e2[i*32: i*32+32]
elif v== 7:
ok2 += e7[i*32: i*32+32]
elif v== 10:
ok2 += e10[i*32: i*32+32]
elif v== 15:
ok2 += e15[i*32: i*32+32]
else:
ok2 += e0[i*32: i*32+32]
msg = m2(ok2)
print(msg)
#irisctf{bad_at_diffusion_mode}SMarT1
这是个类AES的程序,有sbox,transpose,加了移位rr,只有两轮。
from pwn import xor
# I don't know how to make a good substitution box so I'll refer to AES. This way I'm not actually rolling my own crypto
SBOX = [99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22]
TRANSPOSE = [[3, 1, 4, 5, 6, 7, 0, 2],
[1, 5, 7, 3, 0, 6, 2, 4],
[2, 7, 5, 4, 0, 6, 1, 3],
[2, 0, 1, 6, 4, 3, 5, 7],
[6, 5, 0, 3, 2, 4, 1, 7],
[2, 0, 6, 1, 5, 7, 4, 3],
[1, 6, 2, 5, 0, 7, 4, 3],
[4, 5, 6, 1, 2, 3, 7, 0]]
RR = [4, 2, 0, 6, 9, 3, 5, 7]
def rr(c, n):
n = n % 8
return ((c << (8 - n)) | (c >> n)) & 0xff
def rr_r(c, n):
n = n % 8
return ((c << n ) | (c >> (8 - n))) & 0xff
import secrets
ROUNDS = 2
MASK = secrets.token_bytes(8)
KEYLEN = 4 + ROUNDS * 4
def encrypt(block, key):
assert len(block) == 8
assert len(key) == KEYLEN
block = bytearray(block)
for r in range(ROUNDS):
block = bytearray(xor(block, key[r*4:(r+2)*4]))
for i in range(8):
block[i] = SBOX[block[i]]
block[i] = rr(block[i], RR[i])
temp = bytearray(8)
for i in range(8):
for j in range(8):
temp[j] |= ((block[i] >> TRANSPOSE[i][j]) & 1) << i
block = temp
block = xor(block, MASK)
return block
def ecb(pt, key):
if len(pt) % 8 != 0:
pt = pt.ljust(len(pt) + (8 - len(pt) % 8), b"\x00")
out = b""
for i in range(0, len(pt), 8):
out += encrypt(pt[i:i+8], key)
return out
key = secrets.token_bytes(KEYLEN)
FLAG = b"irisctf{redacted}"
print(f"MASK: {MASK.hex()}")
print(f"key: {key.hex()}")
import json
pairs = []
for i in range(8):
pt = secrets.token_bytes(8)
pairs.append([pt.hex(), encrypt(pt, key).hex()])
print(f"some test pairs: {json.dumps(pairs)}")
print(f"flag: {ecb(FLAG, key).hex()}")
这题的mask和key已经给出了,只需要反过来写一下解密函数就行。
from pwn import xor
# I don't know how to make a good substitution box so I'll refer to AES. This way I'm not actually rolling my own crypto
SBOX = [99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22]
TRANSPOSE = [[3, 1, 4, 5, 6, 7, 0, 2],
[1, 5, 7, 3, 0, 6, 2, 4],
[2, 7, 5, 4, 0, 6, 1, 3],
[2, 0, 1, 6, 4, 3, 5, 7],
[6, 5, 0, 3, 2, 4, 1, 7],
[2, 0, 6, 1, 5, 7, 4, 3],
[1, 6, 2, 5, 0, 7, 4, 3],
[4, 5, 6, 1, 2, 3, 7, 0]]
RR = [4, 2, 0, 6, 9, 3, 5, 7]
def rr(c, n):
n = n % 8
return ((c << (8 - n)) | (c >> n)) & 0xff
def rr_r(c, n):
n = n % 8
return ((c << n ) | (c >> (8 - n))) & 0xff
import secrets
ROUNDS = 2
MASK = secrets.token_bytes(8)
KEYLEN = 4 + ROUNDS * 4
def encrypt(block, key):
assert len(block) == 8
assert len(key) == KEYLEN
block = bytearray(block)
for r in range(ROUNDS):
block = bytearray(xor(block, key[r*4:(r+2)*4]))
for i in range(8):
block[i] = SBOX[block[i]]
block[i] = rr(block[i], RR[i])
temp = bytearray(8)
for i in range(8):
for j in range(8):
temp[j] |= ((block[i] >> TRANSPOSE[i][j]) & 1) << i
block = temp
block = xor(block, MASK)
return block
def decrypt(block, key):
block = bytearray(block)
for r in [1,0]:
block = xor(block, MASK)
temp = bytearray(8)
for i in range(8):
for j in range(8):
temp[i] |= ((block[j] >> i) & 1) << TRANSPOSE[i][j]
block = temp
for i in range(8):
block[i] = rr_r(block[i], RR[i])
block[i] = SBOX.index(block[i])
block = bytearray(xor(block, key[r*4:(r+2)*4]))
return block
def ecb(pt, key):
if len(pt) % 8 != 0:
pt = pt.ljust(len(pt) + (8 - len(pt) % 8), b"\x00")
out = b""
for i in range(0, len(pt), 8):
out += encrypt(pt[i:i+8], key)
return out
def dcb(pt, key):
out = b""
for i in range(0, len(pt), 8):
out += decrypt(pt[i:i+8], key)
return out
MASK = bytes.fromhex('3d5e286c30e3af35')
key = bytes.fromhex('bc62c0b71ac3ebb55c01ca09')
pair = [["e5557fc33c21464d", "93ae80b638ec489f"], ["f651d04314a88dfd", "fdf9524bacd3c612"], ["c6f70ae9b42a6d60", "256a9be8ae07be30"], ["6a9ee1d831a15dfd", "b19a9af0242733d1"], ["f3aa021a7fe92f1f", "ca8042945983a704"], ["d38ab4b2384ab779", "34a0b40fc7098d4d"], ["d989f5c89ce3d904", "2be0785e9742934f"], ["a22bb47739fd561a", "1aab6e73f113a38f"]]
cipher = bytes.fromhex('efb6d7f1a2ddefdd04567cedb6d2a6c5fa8b96ad26f92fb1b0b55ad6a13838c6')
print(dcb(cipher, key))
#irisctf{ok_at_least_it_works}
SMarT2
这人没作出来,这题与上题一样,只是没有给key,虽然key只有12字节每轮用8个有4个重复,但真不知道怎么弄,等吧,一般情况下大牛都不写WP。不过这题最后只有487分应该是有不少于5个人作出来了。
没等到大牛,自己又想一晚上,终于解决了。
加密只有两轮,第2轮第一步是与key异或,反过来解密第一轮最后一步是与key异或,这一步先不作,这样解密第一步并不使用key,得到的这个中间结果是由明文先与key异或再sbox,rr再条块化再与key异或的结果
当爆破key的第4位key[4]时,明文异或key4再sbox,rr这时候受影响的只有第4位,其它位并不影响,条块后这一位分布到每一个字节的第4位。(从0开始)
这时候key4与c0异或,它的第4位应该与密文相同:c0&0x10 == p0&0x10
接着爆破第5位,第5位。这时前两个字符的4,5位应该是正确的 c0&0x30 == p0&0x30,c1&0x30==p1&0x30 这样可以爆破得到key的4-7
由于4-7已经得到0-3相对比较简单道理相同,每次比较前4个字符,不用像4-7的时候只比较到爆破的那位。
最后4位,由于第一轮密钥已经爆破完成,最后只需要与后4个异或。随便找一个明文加密后与密文异或,就得到后4位。
只有一轮的加解密部分
from pwn import xor
# I don't know how to make a good substitution box so I'll refer to AES. This way I'm not actually rolling my own crypto
SBOX = [99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22]
TRANSPOSE = [[3, 1, 4, 5, 6, 7, 0, 2],
[1, 5, 7, 3, 0, 6, 2, 4],
[2, 7, 5, 4, 0, 6, 1, 3],
[2, 0, 1, 6, 4, 3, 5, 7],
[6, 5, 0, 3, 2, 4, 1, 7],
[2, 0, 6, 1, 5, 7, 4, 3],
[1, 6, 2, 5, 0, 7, 4, 3],
[4, 5, 6, 1, 2, 3, 7, 0]]
RR = [4, 2, 0, 6, 9, 3, 5, 7]
def rr(c, n):
n = n % 8
return ((c << (8 - n)) | (c >> n)) & 0xff
def rr_r(c, n):
n = n % 8
return ((c << n ) | (c >> (8 - n))) & 0xff
#import secrets
ROUNDS = 2
KEYLEN = 4 + ROUNDS * 4
def encrypt(block, key):
assert len(block) == 8
assert len(key) == KEYLEN
block = bytearray(block)
#for r in range(ROUNDS):
for r in range(1):
block = bytearray(xor(block, key[r*4:(r+2)*4]))
for i in range(8):
block[i] = SBOX[block[i]]
block[i] = rr(block[i], RR[i])
temp = bytearray(8)
for i in range(8):
for j in range(8):
temp[j] |= ((block[i] >> TRANSPOSE[i][j]) & 1) << i
block = temp
block = xor(block, MASK)
return block
def decrypt(block, key):
block = bytearray(block)
#for r in [1,0]:
for r in [1]:
block = xor(block, MASK)
temp = bytearray(8)
for i in range(8):
for j in range(8):
temp[i] |= ((block[j] >> i) & 1) << TRANSPOSE[i][j]
block = temp
for i in range(8):
block[i] = rr_r(block[i], RR[i])
block[i] = SBOX.index(block[i])
#block = bytearray(xor(block, key[r*4:(r+2)*4]))
return block
def ecb(pt, key):
if len(pt) % 8 != 0:
pt = pt.ljust(len(pt) + (8 - len(pt) % 8), b"\x00")
out = b""
for i in range(0, len(pt), 8):
out += encrypt(pt[i:i+8], key)
return out
def dcb(pt, key):
out = b""
for i in range(0, len(pt), 8):
out += decrypt(pt[i:i+8], key)
return out
4-7位爆破
MASK = bytes.fromhex('1f983a40c3f801b1')
pairs = [["4b0c569de9bf6510", "3298255d5314ad33"], ["5d81105912c7f421", "805146efee62f09f"], ["6e23f94180be2378", "207a88ced8ab64d1"], ["9751eeee344a8c74", "0b561354ebbb50fa"], ["f4fbf94509aaea25", "4ba4dc46bbde5c63"], ["3e571e4e9604769e", "10820c181de8c1df"], ["1f7b64083d9121e8", "0523ce32dd7a9f02"], ["69b3dfd8765d4267", "23c8d59a34553207"]]
#用1题已知key的pairs测试
'''
#key = bytes.fromhex('bc62c0b71ac3ebb55c01ca09')
MASK = bytes.fromhex('3d5e286c30e3af35')
pairs = [["e5557fc33c21464d", "93ae80b638ec489f"], ["f651d04314a88dfd", "fdf9524bacd3c612"], ["c6f70ae9b42a6d60", "256a9be8ae07be30"], ["6a9ee1d831a15dfd", "b19a9af0242733d1"], ["f3aa021a7fe92f1f", "ca8042945983a704"], ["d38ab4b2384ab779", "34a0b40fc7098d4d"], ["d989f5c89ce3d904", "2be0785e9742934f"], ["a22bb47739fd561a", "1aab6e73f113a38f"]]
'''
pairs = [[bytes.fromhex(v[0]), bytes.fromhex(v[1])] for v in pairs]
#先解密1轮,不带key异或
p2 = []
for i in range(8):
p2.append(bytes(decrypt(pairs[i][1], b'\x00'*12)))
#key4仅影响到密文每字节的第4位
def checkall4(tkey):
for i in range(len(pairs)):
r = xor(bytes(encrypt(pairs[i][0], tkey)),bytes(tkey[4:]))
#print(r,tkey,p2[i])
if r[0]&0x10 != p2[i][0]&0x10:
return False
return True
def checkall5(tkey):
for i in range(len(pairs)):
r = xor(bytes(encrypt(pairs[i][0], tkey)),bytes(tkey[4:]))
if (r[0]&0x30 != p2[i][0]&0x30) or (r[1]&0x30 != p2[i][1]&0x30):
return False
return True
def checkall6(tkey):
for i in range(len(pairs)):
r = xor(bytes(encrypt(pairs[i][0], tkey)),bytes(tkey[4:]))
if (r[0]&0x70 != p2[i][0]&0x70) or (r[1]&0x70 != p2[i][1]&0x70) or (r[2]&0x70 != p2[i][2]&0x70):
return False
return True
def checkall7(tkey):
for i in range(len(pairs)):
r = xor(bytes(encrypt(pairs[i][0], tkey)),bytes(tkey[4:]))
if r[0]&0xf0 != p2[i][0]&0xf0 or r[1]&0xf0 != p2[i][1]&0xf0 or r[2]&0xf0 != p2[i][2]&0xf0 or r[3]&0xf0 != p2[i][3]&0xf0:
return False
return True
#k4 ^ m4 ->sbox->rr -> n4 ->cx.4 cx0^k4 == c0.4
#key[4]加密1轮后仅影响到密文第4位,判断第c[0]是否相同
tkey = [0]*12
for k4 in range(256):
tkey[4] = k4
if checkall4(tkey):
print(4,hex(k4)) #测试期待返回1a
for k5 in range(256):
tkey[5] = k5
if checkall5(tkey):
print(5, hex(k5)) #c3
for k6 in range(256):
tkey[6] = k6
if checkall6(tkey):
print(6,bytes(tkey))
for k7 in range(256):
tkey[7] = k7
if checkall7(tkey):
print(7,bytes(tkey))
tkey = list(b'\x00\x00\x00\x00\x16\xccN?\x00\x00\x00\x00')
0-3位
tkey = list(b'\x00\x00\x00\x00\x16\xccN?\x00\x00\x00\x00')
#0-3位
def checkall0(tkey, idx):
midx = (1<<(idx+1))-1
for i in range(len(pairs)):
r = xor(bytes(encrypt(pairs[i][0], tkey)),bytes(tkey[4:]))
for j in range(4):
if r[j]&midx != p2[i][j]&midx:
return False
return True
for k0 in range(256):
tkey[0] = k0
if checkall0(tkey,0):
for k1 in range(256):
tkey[1] = k1
if checkall0(tkey,1):
for k2 in range(256):
tkey[2] = k2
if checkall0(tkey,2):
for k3 in range(256):
tkey[3] = k3
if checkall0(tkey,3):
print(3,bytes(tkey))
#tkey = list(b'\xd9\xc9\x15\x86\x16\xccN?\x00\x00\x00\x00')尾部
b = tkey[:8]+xor(bytes(encrypt(pairs[0][0], tkey)),p2[0])[4:] #9-12位
print(b)
key = b'\xd9\xc9\x15\x86\x16\xccN?\xeb\x0cA;'最后将得到的key放到上一题的程序里解出flag
MASK = bytes.fromhex('1f983a40c3f801b1')
key = b'\xd9\xc9\x15\x86\x16\xccN?\xeb\x0cA;'
cipher = bytes.fromhex('ceb51064c084e640690c31bf55c1df4950bc81b484f559dce0ae7d509aa0fe07f7ee127e9ecb05eb4b1b58b99494f72c0b4f3f5fe351c1cb')
print(dcb(cipher, key))
#irisctf{if_you_didnt_use_a_smt_solver_thats_cool_too}
341
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
