[DASCTF 2023 & 0X401七月暑期挑战赛] crypto

密码只有3道题,最后一道被卡了,赛后在师傅一点点提示下完成。

[DASCTF 2023 & 0X401七月暑期挑战赛] crypto_第1张图片

 

ezRSA

题目很短,分两个RSA一个用小写表示一个用大写表示,小写n用大写加密,大写的给出了P和Q>>16的提示。

from Crypto.Util.number import *
from secret import secret, flag
def encrypt(m):
    return pow(m, e, n)
assert flag == b"dasctf{" + secret + b"}"
e = 11
p = getPrime(512)
q = getPrime(512)
n = p * q
P = getPrime(512)
Q = getPrime(512)
N = P * Q
gift = P ^ (Q >> 16)
print(N, gift, pow(n, e, N))
print(encrypt(bytes_to_long(secret)),
    encrypt(bytes_to_long(flag)))

原来爆破过这种,后来保存了一个外国人写的,现在看来还不如自己写的。

原理很简单:爆破+裁剪

由于xor只有4种情况,对结果0是两个0或者两个1,对1是01或10然后递归下去。

关键在于要裁剪,就是让一些情况提示返回失败,这里也是两种情况,对于已知的tp,tq

如果tp*tq>N或者(tp+(1<

from Crypto.Util.number import *

N = 75000029602085996700582008490482326525611947919932949726582734167668021800854674616074297109962078048435714672088452939300776268788888016125632084529419230038436738761550906906671010312930801751000022200360857089338231002088730471277277319253053479367509575754258003761447489654232217266317081318035524086377 
gift = 8006730615575401350470175601463518481685396114003290299131469001242636369747855817476589805833427855228149768949773065563676033514362512835553274555294034 
C =14183763184495367653522884147951054630177015952745593358354098952173965560488104213517563098676028516541915855754066719475487503348914181674929072472238449853082118064823835322313680705889432313419976738694317594843046001448855575986413338142129464525633835911168202553914150009081557835620953018542067857943
C1 = 69307306970629523181683439240748426263979206546157895088924929426911355406769672385984829784804673821643976780928024209092360092670457978154309402591145689825571209515868435608753923870043647892816574684663993415796465074027369407799009929334083395577490711236614662941070610575313972839165233651342137645009 
C2 =46997465834324781573963709865566777091686340553483507705539161842460528999282057880362259416654012854237739527277448599755805614622531827257136959664035098209206110290879482726083191005164961200125296999449598766201435057091624225218351537278712880859703730566080874333989361396420522357001928540408351500991

ph = bin(gift)[2:][:16] + '0'*(512-16)
ph = int(ph,2)
x = bin(gift)[2:][17:]

def fac(x,tp,tq):
    if len(x) == 0:
        return
    if tp*tq>N:
        return 
    if N%(tp+1)==0:
        print(tp+1)
        return
    
    v = x[0]
    r = x[1:]
    l = len(r)
    
    if (tp+(1<<(l+1)))*(tq+(1<<(l+17)))

 求出n以后是个关联信息攻击,只不过平时见到的一般与短填充攻击一起,两个差非常小,而这个非常大。

同时由于flag长度未知,小于n的话只能是5字节,显然不正确需要爆破一下。

def related_message_attack(c1, c2, diff, e, n):
    PRx. = PolynomialRing(Zmod(n))
    g1 = x^e - c1
    g2 = (x*256+diff)^e - c2
    
    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    
    return -gcd(g1, g2)[0]

for i in range(5,200):
    sl = i*8
    diff = bytes_to_long(b"dasctf{")*2^(sl+8) + bytes_to_long(b"}")
    #print(long_to_bytes(diff))
    v = related_message_attack(C1, C2, diff, e, n)
    v = long_to_bytes(int(v))
    if all(0x20<=k<=0x7f for k in v):
        print(v)


#C0pper_Sm1th_Mak3s_T1ng5_Bet4er
#DASCTF{C0pper_Sm1th_Mak3s_T1ng5_Bet4er}

最后这卡了很几个血,明目写的是小写壳,提示大写壳才行,而这是第1个题,谁知道壳是啥样的。

ezDHKE

这题是个DLP的题,但p是自己输入的。

from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import sha256
from random import randbytes, getrandbits
from flag import flag

def diffie_hellman(g, p, flag):
    alice = getrandbits(1024)
    bob = getrandbits(1024)
    alice_c = pow(g, alice, p)
    bob_c = pow(g, bob, p)
    print(alice_c , bob_c)
    key = sha256(long_to_bytes(pow(bob_c, alice, p))).digest()
    iv = b"dasctfdasctfdasc"
    aes = AES.new(key, AES.MODE_CBC, iv)
    enc = aes.encrypt(flag)
    print(enc)

def getp():
    p = int(input("P = "))
    assert isPrime(p)
    assert p.bit_length() >= 1024 and p.bit_length() <= 2048
    g = 2
    diffie_hellman(g, p, flag)

getp()

很显然,如果DLP很容易求,他必需是p-1光滑的,所以这里需要生成一个足够光滑的数。爆破一个很小的a,  使 p = a*2^1024 + 1 这样只有a,2两个小因子,直接用discrete_log可以秒求解。

#生成一个光滑的p
for i in range(10000):
    p = (i<<1024)+1
    if isPrime(p):
        print(p)
        break

连接远程输入p得到密文,然后解下即可。这里远程网站又卡了,结果也卡了血。差2分钟

p = 148489452939627293978440608759173442996844898460634522907853247036287190215343795547617202268308624753445214064773770913426160349040708130179091977708205626736036279968938890838225633390629273742668246518422214765060312463614874340097452229306723297896927521825468282346196425145184245667794004328269609137340417
c1 = 32337671148820469354884721878680627943087776320018520617248389988275433963346215288654074154198472771676495991637403129147421171101497963354018354844096794273060545906296157018896783237260047022230620638083846759318811484695846540926994367124430184947526698677779285538625565624947156247074152951743312756558898 
c2 = 100125377377199556015423607730194729002807695386170530175120140662846677601605544195835925836583392720949191562828593827957478195014427163311908981264349443449690605379501404173514406737162058680920587740024984401964656738087302957612945597870706561007252803178937861059214670505223561011281963364209043930283381
enc = b'\x1f\x88\x14\xbc\x8d\x9f\x17\xaa\xac\xa8.\x12\xe5\x1a\xa3-\xe2\x9e]\xd7\xe5F\xcd\x8eu\x8b\x08;\xffi\x15D\x0b\xb6\x83\x80\x01\xed\xbe:\x90E\xd2\xb5\xfa\xbb\xef\xc7'
g = 2
#c1->a
a = discrete_log(c1, mod(2,p))
#a = 20158983366301027231385462171522791692008630121065157717747164036452149107892009689050403369525086905480409091499801236352082118579647633366956409366429848496352342806455041880945139325908254573120825350254007004403366796160711297141324506946321528029629467774779553416023783739410698608276420938661398423969
key = sha256(long_to_bytes(pow(c2, a, p))).digest()

iv = b"dasctfdasctfdasc"
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(enc)
#DASCTF{64897937-3972-4190-997e-9440153b94b5}

ezAlgebra

这个题才是真卡了,赛完才在师傅提示下完成。其实只差这么一点点点点点点点点点点点点点点点。

代码我改了下变量名,好看了一点。

from Crypto.Util.number import getPrime, bytes_to_long

def YiJiuJiuQiNian(m, cnt, pad, Le, n):
    Qi = 1997
    padm = m+pad if Le==1 else m*pad
    while(cnt):
        Qi += (pow(padm, cnt, n)) % n
        cnt -= 1
    return Qi
    
l = 512
m = bytes_to_long(flag)
p = getPrime(l)
q = getPrime(l//2)
r = getPrime(l//2)
n = p * q * r
t = getrandbits(32)
c1 = YiJiuJiuQiNian(t, 4, p, 1, n)
c2 = YiJiuJiuQiNian(m, 19, t, 0, q)
c3 = YiJiuJiuQiNian(m, 19, t, 1, q)
print(f"n = {n}")
print(f"c1 = {c1}")
print(f"c2 = {c2}")
print(f"c3 = {c3}")

这个加密是个公式,当Le==1 时

c1 = 1997 + \sum_{e=1}^{19} {(a+b)^{e}} 当Le==0时是a*b

由于1式只有4次,加密了p,对原题有

     c1 = 1997 + (p+t)^4 + ...     mod n

=> c1 = 1997 + (p+t)^4 +... mod p 

=> c1 = 1997 + t^4 + t^3 + t^2 + t mod p

题目对n也成立,所以对这个式子直接用coppersmith在环n上求解

n = 119156144845956004769507478085325079414190248780654060840257869477965140304727088685316579445017214576182010373548273474121727778923582544853293534996805340795355149795694121455249972628980952137874014208209750135683003125079012121116063371902985706907482988687895813788980275896804461285403779036508897592103
c1 = 185012145382155564763088060801282407144264652101028110644849089283749320447842262397065972319766119386744305208284231153853897076876529326779092899879401876069911627013491974285327376378421323298147156687497709488102574369005495618201253946225697404932436143348932178069698091761601958275626264379615139864425
#求t
#对于环p 有 (p+t)^4 + ... + 1997 = c1 mod n => t^4 + t^3 + t^2 + t + 1997 = c1 mod p 对n也成立
P. = PolynomialRing(Zmod(n))
f = x^4 + x^3 + x^2 + x + 1997 - c1
f.small_roots(X=2^32, beta=0.4, epsilon=0.01)

t = 2915836867

再拿对原式,对第2步模p的情况下得到 

c1 = 1997 + K*p + t^4 + t^3 + t^2 + t  这里的K*p与n有公因子

#求p
# (p+t)^4 + ... + 1997 = c1 mod p  =>  K*p = c1-1997-t^4 -t^3-t^2-t  与n求公因子得到p
p = gcd(n, c1-1997-t^4 -t^3-t^2-t)
p = 12674045065380963936369006640913707206092165254372327547575287589116533343005456615635388048683828685030860153531390706945709086518510926980644275915726413

这一步以后由于得到p,下步求groebner基时就可以使用n//p ==q*r的环,如果用环n由于太大会解不出来。

这里边有个问题,groebner需要两个参数,而这里只有1个,只写1个的话会报错。所以把已经求出来的t又写上。

c2 = 722022978284031841958768129010024257235769706227005483829360633993196299360813
c3 = 999691052172645326792013409327337026208773437618455136594949462410165608463231
qr = n//p 
qr = 9401587593485043281387085693038728331569785340080901483099201677893747028639199167409687491770551610282667335758156438520647892729094630693383021219064131
P.=PolynomialRing(Zmod(qr))  #变量至少2个不然报错
f1 = t - 2915836867
f2 = 1997
f3 = 1997
for i in range(1,20):
    f2 += (m*t)^i 
    f3 += (m+t)^i 
f2 -= c2
f3 -= c3

F = [f1,f2,f3]
I = Ideal(F).groebner_basis()
#[m + 4558705916889325158299053017836727467132312991392588989486141942761404699250667417401143253218224052455224979673100568513463173709098904359650707695127278, t + 9401587593485043281387085693038728331569785340080901483099201677893747028639199167409687491770551610282667335758156438520647892729094630693383018303227264, 87038069032840052005520908272237788908169043580221040711149494083975743478969]
res=[x.constant_coefficient() for x in I]
q = res[2]
m = -res[0]%q
tt = -res[1]%q  #tt == t

最后是得到的m要小于真正的flag,所以需要爆破一下,一开始爆破写小了,记下来,爆破需要24位。

q = 87038069032840052005520908272237788908169043580221040711149494083975743478969
m = 56985796272753226120469211992443340429346162287195965942430959147227534853120
for i in range(0x1000000):
    v = long_to_bytes(m+i*q)
    if all(0x20<=k<0x7f for k in v):
        print(v,i)
        break 

#b'dasctf{ShangPoXiaPoYaSiLeYiQianDuo}' 8751845

小本本记下。需要两个变量

你可能感兴趣的:(python,开发语言)