WMCTF-2023-Crypto

news/2024/7/7 18:51:35

文章目录

  • signin
    • 题目描述:
    • 题目分析:
    • HNP知识导入
  • bad_prime
    • 题目描述:
    • 题目分析:
  • welcome_signer2
  • welcome_signer1

只会简单的,后两题不会

signin

题目描述:

from Crypto.Util.number import *
from random import randrange
from secret import flag

def pr(msg):
    print(msg)

pr(br"""
                        ....''''''....                        
                     .`",:;;II;II;;;;:,"^'.                    
                  '"IlllI;;;;;;;;;;;;;Il!!l;^.                 
                `l><>!!!!!!!!iiiii!!!!!!!!i><!".               
             ':>?]__++~~~~~<<<<<<<<<<<<<<<<~~+__i".            
           .:i+}{]?-__+++~~~~~~<<<<<~~~~~~+_-?[\1_!^           
          .;<_}\{]-_++~<<<<<<<<<<<<<<<<<<<~+-?]\|]+<^          
          .!-{t|[?-}(|((){_<<<<<<<<<_}1)))1}??]{t|]_"          
           !)nf}]-?/\){]]]_<<<<<<<<<_]]}}{\/?-][)vf?`          
          '!tX/}]--<]{\Un[~~<<<<<~~<~-11Yz)<--?[{vv[".         
         .<{xJt}]?!ibm0%&Ci><<<<<<<<!0kJW%w+:-?[{uu)},         
          !1fLf}]_::xmqQj["I~<<<<<<>"(ZqOu{I^<?[{cc)[`         
          `}|x\}]_+<!<+~<<__~<<<<<<+_<<_+<><++-[1j/(>          
           !\j/{]-++___--_+~~<i;I>~~~__-______?}(jf}`          
            ;~(|}?_++++~~++~+]-++]?+++~~~~+++-[1/]>^           
              ;\([?__+_-?]?-_-----__-]?-_+++-]{/].             
               l||}?__/rjffcCQQQQQLUxffjf}+-]1\?'              
                ,[\)[?}}-__[/nzXXvj)?__]{??}((>.               
                 .I[|(1{]_+~~~<~~<<<~+_[}1(1+^                 
                    ,~{|\)}]_++++++-?}1)1?!`                   
                      ."!_]{11))1{}]-+i:'                      
                          .`^","^`'.                           
""".decode())

def gen_prime(bit):
    while 1:
        P = getPrime(bit)
        if len(bin(P)) - 2 == bit:
            return P

pq_bit = 512
offset = 16

P,Q = [gen_prime(pq_bit) for i in range(2)]
N = P * Q
gift = int(bin(P ^ (Q >> offset))[2+offset:],2)
pr(N)
pr(gift)

inpP = int(input())
if inpP != P:
    pr(b"you lose!")
    exit()

secret = randrange(0,P)
bs = [randrange(0,P) for _ in range(38)]

results = [(bi * secret) % P for bi in bs]
rs = [ri & (2 ** offset - 1)  for ri in results]

pr(bs)
pr(rs)
inpsecret = int(input())
if inpsecret == secret:
    pr(flag)

题目分析:

P的获取分析和 DASCTF-2023-ezRSA 这题一样,此处也就不过多赘述了,唯一不同的是此处的gift高16位没给,这样的话,直接爆破,代码如下:

from random import randrange

N = 73112325447718419004547130726695718285793085958231107892863489717428446716838799849309454056415849869930556787026583737635045001044331824958338557356039885155281113144595678795533444159689102603206422423835572911701365510630670709050480182217561850257781379648014791821272434711481938951190881233041060596523
gift1 = 115073356145766093260644381479331808320549133985413353306940738670775007719301812510687311522173487690937202937075087659433551944224376340973897790917

def gen_pq(gift1,N):

    for i in range(2 ** 15,2 ** 16):
        print(i)
        gift = int(bin(i)[2:] + '0' * (496-gift1.bit_length()) +  bin(gift1)[2:],2) 
        # bin(gift1)[2:]也许并非496bits,可能前导0会省略,自行加上即可
        pbar = gift >> (512 - 16)

        while True:
            try:
                qbar = (N >> (1024 - pbar.bit_length() * 2)) // pbar
                qbar = qbar >> 6
                gifts = gift ^ (qbar << (512 - 16 - qbar.bit_length()))
                pbar = gifts >> (512 - 16 - qbar.bit_length())
            except:
                break

        for i in range(64):
            P = (pbar << 6) + i
            if N % P == 0:
                print(P)
                return P

gen_pq(gift1,N)

# P = 9463395021022080495725625579099709864198202996192818493676075430361086175809577174253865589866353281287908307347544682931439681148579311956298173287376473

至此 得到bs,rs

b = [6099745272052586004179912608738971034534930536137743613897081917185107394368705591323971750395506839750452649288267772188419489756675205679949408086451232, 3951191747812729045440242820895124607189480251095163295242628450942998752364973601131023646206377502005591988554681151953526704565202075013281769088815523, 1404420597554404030107272770922253996678162333687352195618251218863999850248824692838151822875031075053556888677319712477280556217652901167451648905364386, 4488294572333656708259420377539737505003996159677656468026097114601711607985567015550450770914323371829296766770532559711193361180597308950367687185966302, 5481102322187479419436505829074865646684095327365195150222467418442873465357487402747218531517017371054667814520443813042860956594726076176855372054132653, 2713802788133698269409249999536200419140314121130473258656206052429002170951741696862581935955915442467962543363756219468741646383480138223283730677285687, 4388471418937878873760244311226931102311967761139597301227595095454037495066960891301104963760391091058605030114648033892461656189445282496553583505973028, 736776464731641575781839292404124851285324500513593675528872423711514787996001241149637426869001948983773230073266488914216375314221965655672656410584443, 8708590989237325341864969642266721092908150322862807883501307022447092127465507299112990850265948137001397701186114982614486130822490540038423320215334626, 9267802304424548397960617736597723635936811251609846290761762903654804678628923862108480264307805107896646269881938313148864202456071920121260093838052525, 3247108183860325987343060073325154780063121072412546176464075975152503493018889336496636379292425449406827070404175667145192082945885628262842725864496476, 455724435639473173230575250620919313737714978926744740871167992567140510847659696368128186714204899204016766561731806278682654146614456839201295265351084, 9020040064239438957325652010732562703496153379776291386479249377336002129977498901663356523568148111515751758815532962162768918028366620424504879498916260, 7688416580027582769915116662018701330731542853610728083638475681090388890585799679692871117954618858316092856071130163834051800086038254809868956867017534, 2914081803071475210765607707004526189627879912343305436165346830733180111712927683631299251265551199278425089831815911602268284636090898745079700939295508, 1682447624444059192944751083327557927345592086507420627567050313041103192041463642408780131750529259046595170811376763889856062916108841799386014250209204, 5341034619247476123738204666831636378756603282709541857595527812139022510035477000927339770989486054395218479620330803691178416464134942884723827374332572, 8376329702107133848458122442144946089340952412870283575988871694491609215583935392751355281411100977914041577559011007450313560473364023276862308392837927, 9416263788845104843254295633755080717027180798661946550343273052573861692993756745844265654941124801439244186152547374828735493445699134588163894749640836, 2932216738770537817881515093909708415125754815604299999068133848728425671241756819969645781862996905460305910366082553247028095515273709817106865465122590, 8097717669926537250731305609873869963442989665404721303119492230921259587448045170648745406003491170455200904721392690716080842205006420218957357208236777, 2320095372469412381123081241813969183059217183055092564165616040030126466741691823966421813308525807455783827406201671916779545841711101790509143391460558, 2333972164269303480468982231430944844261058855427800172027932923131801032739273832904738225066210544462847760672864166563796956687623202151756145595323299, 9437506711046580131962727129679057367842176159058408153672713703801123411305447877847753662475828865148714651927615052959365575959980181945973888298104933, 5802961795945602293929959252989205060907182950209184792016006564685164829079522333038011701596715377738492900250485584441351844045455427769773524087524156, 529599427933984238231472476175004896612420169200926563371105835757115041890610229232923121353193340603425988395343027602415343623433336040543795697317090, 6402196372034668863055877348065973921962422590516519136977866652600902486323081042430853494022971845631884452544526687998575817840711058028440421779395606, 1230624307875405241534590705586346034433600380745178644341864997283918237998339933919925940523713299382838409046998100995049951280382526255707022024214853, 4939399750563474831690751351208621006534538497525744056731033390661498923441407195386308647381246454241105286776645577202434999611495000302402098783151142, 3991859998040542133259043036343592584436362790235923761833962209989024458819225460294422336721726048826788046849829864060207989750046644621835589699009365, 240857736341741610087615111623321249370900668053282004036464835672779328135852021912344864307291860960709711372109427660351057177543937799209410049857688, 3616083502398202892601882038165628001289992103457989351932690769228627486934029132426774534679657144138989265564646117621513540781010324410148517674825531, 5404612891952879264496112103405811484626424108411041737043110667122266883638660766432812414542841773559389510234873119005979364687689717241678676878972572, 2034451564894992453342874697889924929640864497213866812897528594902646690104681644785346511630568960798405400466505451930160617969903308178504532997741868, 6157490304505265465913231571555412606905748047618103662427174891510009729459475829640015546085845764226272377180939793932164111694580454672032316588788226, 4975964317099024183607476155053005595563615534064262974131837949918711606891694740515965242556735284295717544308022169459365947195601426949094207557584822, 5428476883706514219777167145065847042077736528683727164449312172005302805331073867565107042753732467573625669359225318663458427411189319424302379038071051, 1671914205500553673647970410143909519671590636952787351672356207441593565754364343607635690418391473360926097632568317796984733317042685849430234554815858]
r = [48997, 62415, 23955, 36908, 52443, 4523, 22645, 22555, 31815, 15691, 47858, 27532, 21464, 23465, 45849, 59181, 27490, 6614, 16702, 57463, 52700, 28969, 31173, 41233, 61893, 36368, 17734, 53549, 17913, 33308, 63024, 61345, 33511, 53005, 26113, 59084, 35720, 44204]

r i = ( b i ∗ s )   %   p   %   2 16 r i = b i ∗ s + k ∗ p + l ∗ 2 16 r i − 16 b i t s b i , s − 510 b i t s p − 512 b i t s l − 496 b i t s ( 512 − 16 )   l ∗ 2 16 = b i ∗ s − r i + k ∗ p 令 i n v = i n v e r t ( 2 16 , p ) l = b i ∗ s ∗ i n v − r i ∗ i n v + k ∗ p 如下造格 M = ( p 0 ⋯ 0 0 0 0 p ⋯ 0 0 0 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ 0 0 ⋯ p b 1 × i n v b 2 × i n v ⋯ b n × i n v K / p 0 r 1 × i n v r 2 × i n v ⋯ r n × i n v 0 K )   ( k 1 k 2 ⋯ k n s − 1 ) ∗ M = ( l i l 2 ⋯ l n K s / p − K ) 其中 K = 2 496 r_i = (b_i * s) \ \%\ p \ \%\ 2^{16}\\ r_i = b_i * s + k * p + l * 2^{16}\\ r_i-16bits\\ b_i,s- 510bits\\ p-512bits\\ l-496bits (512-16)\\ \ \\ l * 2^{16} = b_i * s -r_i + k * p\\ 令inv = invert (2^{16},p) \\ l = b_i * s * inv - r_i * inv+k * p\\如下造格\\ M = \begin{pmatrix} p&0&\cdots&0&0&0\\ 0&p&\cdots&0&0&0\\ \vdots&\vdots&\ddots&\vdots&\vdots&\vdots\\ 0&0&\cdots&p&\\ b_1\times inv&b_2\times inv&\cdots&b_n\times inv&{K/p}&0\\r_1\times inv&r_2\times inv&\cdots&r_n\times inv&0&K \end{pmatrix}\\ \ \\ \begin{pmatrix} k_1&k_2&\cdots&k_n&s&-1 \end{pmatrix} * M = \begin{pmatrix} l_i&l_2&\cdots&l_n&Ks /p&-K \end{pmatrix}\\ 其中K = 2^{496}\\ ri=(bis) % p % 216ri=bis+kp+l216ri16bitsbi,s510bitsp512bitsl496bits(51216) l216=bisri+kpinv=invert(216,p)l=bisinvriinv+kp如下造格M= p00b1×invr1×inv0p0b2×invr2×inv00pbn×invrn×inv00K/p0000K  (k1k2kns1)M=(lil2lnKs/pK)其中K=2496

很明显这是一道hnp问题

HNP知识导入

A i × x + B i = k i ( m o d p ) A_i\times x+B_i=k_i\pmod p Ai×x+Bi=ki(modp)

其中 A i , B i , p 已知, x , k i 未知 其中A_i,B_i,p已知,x,k_i未知 其中Ai,Bi,p已知,x,ki未知

可构造如下矩阵

M = ( p ⋱ p A 1 ⋯ A i Z B 1 ⋯ B i K ) M=\begin{pmatrix}p\\&\ddots\\&&p\\A_1&\cdots&A_i&Z\\B_1&\cdots&B_i&&K\end{pmatrix} M= pA1B1pAiBiZK

其中k的bits位数要小于p的bits位数,在等式数量足够的情况下,少6bits可以求解k

K为k同bits位数的值

Z为自己需要构造的数

( l 1 ⋯ l i x 1 ) × M = ( k 1 ⋯ k i Z ∗ x K ) \begin{pmatrix}l_1&\cdots&l_i&x&1\end{pmatrix}\times M=\begin{pmatrix}k_1&\cdots&k_i&Z*x&K\end{pmatrix} (l1lix1)×M=(k1kiZxK)

要尽可能的满足 Z ∗ x Z*x Zx的bits位数与K的一致

PS:有另一个短向量 v = ( 0 , 0 , ⋯   , K , 0 ) v=(0,0,\cdots,K,0) v=(0,0,,K,0) 也在格上,此向量比目标向量 ( l 1 , l 2 , ⋯   , l n , K s / n , − K ) (l_1,l_2,\cdots,l_n,Ks/n,-K) (l1,l2,,ln,Ks/n,K) 还要短,总会出现在LLL后的第一行, 目标向量总会出现在 L L L 后的第二行 \color{red}目标向量总会出现在LLL后的第二行 目标向量总会出现在LLL后的第二行

其中有几个地方要注意:
l l l的bit位数要小于p的bit位数,越少越容易出结果,等式数量足够的情况下,少6bit位数可以求解 l l l
此题是少16bits
解题代码:

from gmpy2 import *

p = 9463395021022080495725625579099709864198202996192818493676075430361086175809577174253865589866353281287908307347544682931439681148579311956298173287376473
b = [6099745272052586004179912608738971034534930536137743613897081917185107394368705591323971750395506839750452649288267772188419489756675205679949408086451232, 3951191747812729045440242820895124607189480251095163295242628450942998752364973601131023646206377502005591988554681151953526704565202075013281769088815523, 1404420597554404030107272770922253996678162333687352195618251218863999850248824692838151822875031075053556888677319712477280556217652901167451648905364386, 4488294572333656708259420377539737505003996159677656468026097114601711607985567015550450770914323371829296766770532559711193361180597308950367687185966302, 5481102322187479419436505829074865646684095327365195150222467418442873465357487402747218531517017371054667814520443813042860956594726076176855372054132653, 2713802788133698269409249999536200419140314121130473258656206052429002170951741696862581935955915442467962543363756219468741646383480138223283730677285687, 4388471418937878873760244311226931102311967761139597301227595095454037495066960891301104963760391091058605030114648033892461656189445282496553583505973028, 736776464731641575781839292404124851285324500513593675528872423711514787996001241149637426869001948983773230073266488914216375314221965655672656410584443, 8708590989237325341864969642266721092908150322862807883501307022447092127465507299112990850265948137001397701186114982614486130822490540038423320215334626, 9267802304424548397960617736597723635936811251609846290761762903654804678628923862108480264307805107896646269881938313148864202456071920121260093838052525, 3247108183860325987343060073325154780063121072412546176464075975152503493018889336496636379292425449406827070404175667145192082945885628262842725864496476, 455724435639473173230575250620919313737714978926744740871167992567140510847659696368128186714204899204016766561731806278682654146614456839201295265351084, 9020040064239438957325652010732562703496153379776291386479249377336002129977498901663356523568148111515751758815532962162768918028366620424504879498916260, 7688416580027582769915116662018701330731542853610728083638475681090388890585799679692871117954618858316092856071130163834051800086038254809868956867017534, 2914081803071475210765607707004526189627879912343305436165346830733180111712927683631299251265551199278425089831815911602268284636090898745079700939295508, 1682447624444059192944751083327557927345592086507420627567050313041103192041463642408780131750529259046595170811376763889856062916108841799386014250209204, 5341034619247476123738204666831636378756603282709541857595527812139022510035477000927339770989486054395218479620330803691178416464134942884723827374332572, 8376329702107133848458122442144946089340952412870283575988871694491609215583935392751355281411100977914041577559011007450313560473364023276862308392837927, 9416263788845104843254295633755080717027180798661946550343273052573861692993756745844265654941124801439244186152547374828735493445699134588163894749640836, 2932216738770537817881515093909708415125754815604299999068133848728425671241756819969645781862996905460305910366082553247028095515273709817106865465122590, 8097717669926537250731305609873869963442989665404721303119492230921259587448045170648745406003491170455200904721392690716080842205006420218957357208236777, 2320095372469412381123081241813969183059217183055092564165616040030126466741691823966421813308525807455783827406201671916779545841711101790509143391460558, 2333972164269303480468982231430944844261058855427800172027932923131801032739273832904738225066210544462847760672864166563796956687623202151756145595323299, 9437506711046580131962727129679057367842176159058408153672713703801123411305447877847753662475828865148714651927615052959365575959980181945973888298104933, 5802961795945602293929959252989205060907182950209184792016006564685164829079522333038011701596715377738492900250485584441351844045455427769773524087524156, 529599427933984238231472476175004896612420169200926563371105835757115041890610229232923121353193340603425988395343027602415343623433336040543795697317090, 6402196372034668863055877348065973921962422590516519136977866652600902486323081042430853494022971845631884452544526687998575817840711058028440421779395606, 1230624307875405241534590705586346034433600380745178644341864997283918237998339933919925940523713299382838409046998100995049951280382526255707022024214853, 4939399750563474831690751351208621006534538497525744056731033390661498923441407195386308647381246454241105286776645577202434999611495000302402098783151142, 3991859998040542133259043036343592584436362790235923761833962209989024458819225460294422336721726048826788046849829864060207989750046644621835589699009365, 240857736341741610087615111623321249370900668053282004036464835672779328135852021912344864307291860960709711372109427660351057177543937799209410049857688, 3616083502398202892601882038165628001289992103457989351932690769228627486934029132426774534679657144138989265564646117621513540781010324410148517674825531, 5404612891952879264496112103405811484626424108411041737043110667122266883638660766432812414542841773559389510234873119005979364687689717241678676878972572, 2034451564894992453342874697889924929640864497213866812897528594902646690104681644785346511630568960798405400466505451930160617969903308178504532997741868, 6157490304505265465913231571555412606905748047618103662427174891510009729459475829640015546085845764226272377180939793932164111694580454672032316588788226, 4975964317099024183607476155053005595563615534064262974131837949918711606891694740515965242556735284295717544308022169459365947195601426949094207557584822, 5428476883706514219777167145065847042077736528683727164449312172005302805331073867565107042753732467573625669359225318663458427411189319424302379038071051, 1671914205500553673647970410143909519671590636952787351672356207441593565754364343607635690418391473360926097632568317796984733317042685849430234554815858]
r = [48997, 62415, 23955, 36908, 52443, 4523, 22645, 22555, 31815, 15691, 47858, 27532, 21464, 23465, 45849, 59181, 27490, 6614, 16702, 57463, 52700, 28969, 31173, 41233, 61893, 36368, 17734, 53549, 17913, 33308, 63024, 61345, 33511, 53005, 26113, 59084, 35720, 44204]

M = matrix(QQ,40,40)
inv = invert(2 ** 16,p)

for i in range(38):
    M[i,i] = p
    M[-2,i] = b[i] * inv
    M[-1,i] = -r[i] * inv
    
M[-2,-2] = 2 ** 496 / p
M[-1,-1] = 2 ** 496

L = M.LLL()

res = L[1][-2].numerator() / 2 ** 496
# 或 res = L[1][-2] / (2 ** 496 / p) % p
print(res)
# 1005444529226476196286726437221411001182466035947403146822894574200213482908472882296123424897230218596631139138335919912390102402492391521467426075919696
# wmctf{we1c0me_brOo0Oo!hope_y0u_h4v3_fun_iN_the_fTcmWWmcTf/}

格里面的 K / p K / p K/p也可以换成 K / 2 512 K / 2^{512} K/2512,代码res改成【res = L[1][-2] / (2 ** 496 / 2**512) % p】即可。本质都一样。

bad_prime

题目描述:

from Crypto.Util.number import *
from secret import flag

M = 0x7cda79f57f60a9b65478052f383ad7dadb714b4f4ac069997c7ff23d34d075fca08fdf20f95fbc5f0a981d65c3a3ee7ff74d769da52e948d6b0270dd736ef61fa99a54f80fb22091b055885dc22b9f17562778dfb2aeac87f51de339f71731d207c0af3244d35129feba028a48402247f4ba1d2b6d0755baff6

def getMyprime(BIT):
    while True:
        p = int(pow(65537, getRandomRange(M>>1, M), M)) + getRandomInteger(BIT-int(M).bit_length()) * M
        if isPrime(p):
            return p

p = getMyprime(1024)
q = getPrime(1024)
n = p * q
m = bytes_to_long(flag)

print("Try to crack the bad RSA")
print("Public key:", n)
print("The flag(encrypted):", pow(m, 65537, n))
print("Well well, I will give you the hint if you please me ^_^")
leak = int(input("Gift window:"))
if M % leak == 0:
    print("This is the gift for you: ", p % leak)
else:
    print("I don't like this gift!")

题目分析:

简化一下 p = k ∗ M + 6553 7 a m o d    M n = p ∗ q c = p o w ( m , e , n ) 其中 n , c , e , 求 m 当传入 l e a k = M 时, 6553 7 a m o d    M 也就知道了,设为 c 1 故 p = k ∗ M + c 1 , c o p p e r 解未知数 k ( 可联想 p 的高位攻击 ) 解出 k 后 , p 就出来了,那么常规解 r s a 即可得到 f l a g 简化一下\\ p = k * M + 65537^a \mod M\\ n = p * q\\ c = pow(m,e,n)\\ 其中n,c,e,求m\\ 当传入leak = M时,65537^a \mod M也就知道了,设为c1\\ 故p = k * M + c1,copper解未知数k(可联想p的高位攻击)\\ 解出k后,p就出来了,那么常规解rsa即可得到flag 简化一下p=kM+65537amodMn=pqc=pow(m,e,n)其中n,c,e,m当传入leak=M时,65537amodM也就知道了,设为c1p=kM+c1,copper解未知数k(可联想p的高位攻击)解出k,p就出来了,那么常规解rsa即可得到flag
解题代码如下:

from gmpy2 import *
from Crypto.Util.number import *
from random import *
M = 19467773070115377343221509599623925236459751278180415885837207534756855405403128279156705968461708578168638327032034542684864920135818987044810141311008655898015207220772515212093850725541003213054560185603695585660265284153421684796257245143362498012760214539505870197264858636122745485373430
n = 12472626002077866920178151413020997724913658571138226796397411640804446564321570484592618940742408533690138669590557322926168978995001956382014248210028454259813367803052222369863506072015014883609823933916199419481066858857207231520311664459664902528025902842929794668275758050999942059191634389272522671320964894850456420184656960636923409596961814674469644409957628303843169123370081990714799730701582855785700612686890622611481291396041524116973463136171438984798796971881179996700508181507433729909799335407926106281784610873586071488796498924241193576957708827135293177349098586584341721100397256643105870234017
c = 3466758415290820987442064225311552826969252396823354251970465802062747610710039304956737475853499851308657287552846042373210014916465043057986006453373271445849582773551814082704211508983411410263969277743283649937754035696369377052129912145398573272341796607274110157954815587828158941071330317136229394703735678902977666517651646428685091559179815250115421401245448300167574693518725397910931616702958806963051996907279394420120954895776285408715241321615950015556075741287334450807330921625861564665314534563377374509879469933746968301524375756671482507713406072993839171585268250885202956594932196478756766992483
c1 = 6690282109150076978071823629257381590414658672115270641622535563594683313753965273939724195762544028639574673292035107704077883727588123581718080375731102259168467204097244013656517759083053091253802517030398053098956541395905430761385273208751606105259988121220776103683847056158653951540211
e = 65537
R.<k> = PolynomialRing(Zmod(n))
f = k * M + leak
f = f.monic()
roots = f.small_roots(X = 2 ** 55,beta = 0.4)
# print(roots)
p = leak + 5918963989085968 * M
q = n // p
phi = (p - 1)*(q - 1)
d = invert(e,phi)
print(long_to_bytes(int(pow(c,d,n))))

# wmctf{b4d_primE_f4ctor_1s_the_w3akness_for_RSA}



----------------------------------------------------------------------------------------------------------


后面两道welcome_signer不会,贴的大佬的做法,感觉比官方wp好理解不少,大佬真的,太强了啊啊啊啊!
后面就不看了,咱们转战大佬博客吧哈哈

welcome_signer2

题目描述:

from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import md5
import random

flag = b"***********************************"
def pad(message):
    return message + b"\x00"*((16-len(message)%16)%16)


def myfastexp(m,d,N,j,N_):
    A = 1
    B = m
    d = bin(d)[2:][::-1]
    n = len(d)
    N = N
    for i in range(n):
        if d[i] == '1':
            A = A * B % N
        #  a fault occurs j steps before the end of the exponentiation
        if i >= n-1-j:
            N = N_
        B = B**2 % N
    return A


def encrypt(message,key):
    key = bytes.fromhex(md5(str(key).encode()).hexdigest())
    enc = AES.new(key,mode=AES.MODE_ECB)
    c   = enc.encrypt(pad(message))
    return c


border = "|"
print(border*75)
print(border, "Hi all, I have another algorithm that can quickly calculate powers. ", border)
print(border, "But still there's something wrong with it. Your task is to get      ", border)
print(border, "its private key,and decrypt the cipher to cat the flag ^-^          ", border)
print(border*75)


while True:
# generate
    p = getPrime(512)
    q = getPrime(512)
    n = p*q
    e = 17
    if GCD(e,(p-1)*(q-1)) == 1:
        d = inverse(e,(p-1)*(q-1))
        n_ = n 
        break
n_ = n
msg = bytes_to_long(b"Welcome_come_to_WMCTF")
sig = pow(msg,d,n)
assert sig == myfastexp(msg,d,n,0,n_)
CHANGE = True
while True:
    try:
        ans = input("| Options: \n|\t[G]et data \n|\t[S]ignatrue \n|\t[F]ault injection \n|\t[Q]uit\n").lower().strip()
        
        if ans == 'f':
            if CHANGE:
                print(border,"You have one chance to change one byte of N. ")
                temp,index = input("bytes, and index:").strip().split(",")
                assert 0<= int(temp) <=255
                assert 0<= int(index) <= 1023 
                n_ = n ^ (int(temp)<<int(index)) # 可换8bits
                print(border,f"[+] update: n_ -> \"{n_}\"")
                CHANGE = False
            else:
                print(border,"Greedy...")
        elif ans == 'g':
            print(border,f"n = {n}")
            print(border,f"flag_ciphertext = {encrypt(flag,d).hex()}")
        elif ans == 's':
            index = input("Where your want to interfere:").strip()
            sig_ = myfastexp(msg,d,n,int(index),n_)
            print(border,f"signature of \"Welcome_come_to_WMCTF\" is {sig_}")
        elif ans == 'q':
            quit()
    except Exception as e:
        print(border,"Err...")
        quit()

大佬的做法:

A 1 ≡ B d _ l o w ( m o d n ) A 2 ≡ B j d _ h i g h ( m o d n _ ) A ≡ A 1 ∗ A 2 ( m o d n _ ) 最终是求 d 其中 j 可自己控制,因此可以通过等式关系来爆破 d 通过生成 d 的函数可测试出 d 的 b i t s 位数大多位于 1023 所以以生成位数为 1023 位的来爆破,并且是从高位开始 A1 \equiv B^{d\_low} \pmod n\\ A2 \equiv B_j^{d\_high} \pmod{n\_}\\ A \equiv A1 * A2 \pmod{n\_}\\ 最终是求d\\ 其中j可自己控制,因此可以通过等式关系来爆破d\\ 通过生成d的函数可测试出d的bits位数大多位于1023\\ 所以以生成位数为1023位的来爆破,并且是从高位开始\\ A1Bd_low(modn)A2Bjd_high(modn_)AA1A2(modn_)最终是求d其中j可自己控制,因此可以通过等式关系来爆破d通过生成d的函数可测试出dbits位数大多位于1023所以以生成位数为1023位的来爆破,并且是从高位开始
消A2,留A1爆破:

from Crypto.Util.number import *
D = '1'
msg = bytes_to_long(b'Welcome_come_to_WMCTF')
d_len = 1023
BB = [msg]
for i in range(d_len - 1):
    BB.append(BB[-1] ** 2 % n)

for i in range(1,d_len):
    t1 = myfastexp(msg,d,n,i,n_) * inverse(pow(BB[d_len - i - 1],2 * int(d,2),n_),n_) % n_
    t2 = myfastexp(msg,d,n,i + 1,n_) * inverse(pow(BB[d_len - i - 2],4 * int(d,2),n_),n_) % n_
    # 其中myfastexp(msg,d,n,i,n_),myfastexp(msg,d,n,i + 1,n_)是接收到的sig_

    if t1 = t2:
        D += '0'
    else:
        D += '1'
    if '111111111111111' in D: # 可以过滤掉不符合要求的
        break
print(D)

welcome_signer1

题目描述:

from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import md5
from sympy import isprime
from tqdm import tqdm 
import random

flag = b"***********************************"
def pad(message):
    return message + b"\x00"*((16-len(message)%16)%16)

def myfastexp(m,d,N,j,N_):
    A = 1
    d = bin(d)[2:][::-1]
    n = len(d)
    for i in range(n-1,-1,-1):
        if i < j:
            #print(A)
            N = N_
        A = A*A % N
        if d[i] == "1":
            A = A * m % N
    return A

def encrypt(message,key):
    key = bytes.fromhex(md5(str(key).encode()).hexdigest())
    enc = AES.new(key,mode=AES.MODE_ECB)
    c   = enc.encrypt(pad(message))
    return c


border = "|"
print(border*75)
print(border, "Hi all, I have created an algorithm that can quickly calculate powers. ", border)
print(border, "But it looks like there's something wrong with it. Your task is to get ", border)
print(border, "its private key,and decrypt the cipher to cat the flag ^-^             ", border)
print(border*75)


while True:
# generate
    p = getPrime(512)
    q = getPrime(512)
    n = p*q
    e = 17
    if GCD(e,(p-1)*(q-1)) == 1:
        d = inverse(e,(p-1)*(q-1))
        n_ = n 
        break

msg = bytes_to_long(b"Welcome_come_to_WMCTF")
sig = pow(msg,d,n)

CHANGE = True
while True:
    try:
        ans = input("| Options: \n|\t[G]et data \n|\t[S]ignatrue \n|\t[F]ault injection \n|\t[Q]uit\n").lower().strip()
        
        if ans == 'f':
            if CHANGE:
                print(border,"You have one chance to change one byte of N. ")
                temp,index = input("bytes, and index:").strip().split(",")
                assert 0<= int(temp) <=255
                assert 0<= int(index) <= 1023 
                n_ = n ^ (int(temp)<<int(index))
                print(border,f"[+] update: n_ -> \"{n_}\"")
                CHANGE = False
            else:
                print(border,"Greedy...")
        elif ans == 'g':
            print(border,f"n = {n}")
            print(border,f"flag_ciphertext = {encrypt(flag,d).hex()}")
        elif ans == 's':
            index = input("Where your want to interfere:").strip()
            sig_ = myfastexp(msg,d,n,int(index),n_)
            print(border,f"signature of \"Welcome_come_to_WMCTF\" is {sig_}")
        elif ans == 'q':
            quit()
    except Exception as e:
        print(border,"Err...")
        quit()

不会,还是记录大佬的做法
等价表达:

def myfastexp(m,d,N,j,N_):
    A = 1
    d = bin(d)[2:]
    n = len(d)
    # print(d)
    dd=d[::-1]
    temp=pow(m,int(dd[:n-j],2),N)
    temp=pow(temp,2**j,N_)*pow(m,int(dd[n-j:],2),N_) %N_
    for i in range(n-1,-1,-1):
        if i < j:
            N = N_
        A = A*A % N
        if d[i] == "1":
            A = A * m % N
    assert A==temp
    return A

temp=pow(m,int(dd[:n-j],2),N)
temp=pow(temp,2**j,N_)*pow(m,int(dd[n-j:],2),N_) %N_

上面两句总结的真是绝,我做题的时候反正没想到
A 1 ≡ m d _ h i g h ( m o d n ) A 2 ≡ m d _ l o w ( m o d n _ ) A ≡ ( A 1 < < j ) ∗ A 2 ( m o d n _ ) 最终是求 d A1 \equiv m^{d\_high} \pmod n\\ A2 \equiv m^{d\_low} \pmod{n\_}\\ A \equiv (A1 << j) * A2 \pmod{n\_}\\ 最终是求d\\ A1md_high(modn)A2md_low(modn_)A(A1<<j)A2(modn_)最终是求d
消A1,留A2爆破

D='1'
for i in range(l-1,0,-1):
    temp=pow(msg,int(D,2),n)
    temp1=pow(temp,2**i,n_)
    temp=pow(msg,2*int(D,2),n)
    temp2=pow(temp,2**(i-1),n_)
    
    t1=myfastexp(msg,d,n,i,n_)*inverse(temp1,n_) %n_
    t2=myfastexp(msg,d,n,i-1,n_)*inverse(temp2,n_) %n_
    # 其中myfastexp(msg,d,n,i,n_),myfastexp(msg,d,n,i - 1,n_)是接收到的sig_
    if t1==t2:
        D+='0'
    else:
        D+='1'
    if '111111111111111' in D: # 可以过滤掉不符合要求的
        break
print(D)

此次比赛给我的感觉是,比nepctf友好不少


http://lihuaxi.xjx100.cn/news/1471505.html

相关文章

【TypeScript】never 类型

【TypeScript】never 类型

在 TypeScript 中&#xff0c;never 是一种特殊的类型&#xff0c;表示永远不会发生的值或类型。它通常用于表示一些绝对不可能出现的情况&#xff0c;例如永远不会返回的函数类型或在某些条件下绝对不会发生的值。 以下是一些关于 never 类型的情况&#xff1a; 函数返回值…
阅读更多...
MySQL双主架构、主从架构

MySQL双主架构、主从架构

为什么要对数据库做优化&#xff1f; MySQL官方说法&#xff1a; 单表2000万数据就达到瓶颈了。所以为了保证查询效率&#xff0c;要让每张表的大小得到控制。 MySQL主主架构 主数据库都负责增删改查。 比如有1000W的数据&#xff0c;有两个主数据库&#xff0c;就将数据分流给…
阅读更多...
JDK8知识点梳理

JDK8知识点梳理

JDK8知识点梳理 一、lambda表达式1.标准格式2.实现原理3.省略模式4.前提条件 二、函数式接口1.函数式接口&#xff1a;FunctionalInterface2.接口默认方法3.接口静态方法4.供给型接口&#xff1a;Supplier5.消费型接口&#xff1a;Consumer6.消费供给型接口&#xff1a;Functio…
阅读更多...
[C++] string类常用接口的模拟实现

[C++] string类常用接口的模拟实现

文章目录 1、前言2、遍历2.1 operator[ ]下标方式2.2 迭代器2.3 范围for2.4 c_str 3、容量相关3.1 size&#xff08;大小&#xff09;3.2 capacity&#xff08;容量&#xff09;3.3 empty&#xff08;判空&#xff09;3.4 clear&#xff08;清理&#xff09;3.5 reserve3.6 res…
阅读更多...
Vue3中的声明周期

Vue3中的声明周期

Vue2 和 Vue3 的声明周期&#xff1a; Vue2 的生命周期在Vue3中都可以正常使用&#xff1b;Vue3 的生命周期和Vue2不同的地方在于卸载组件前后的不同&#xff1b;Vue3 中组合式 API 还提供了onRenderTracked 和 onRenderTriggered 两个钩子&#xff0c;这两个主要是用来做调试…
阅读更多...
【Linux驱动】Jetson Nano串口ttyTHS1的权限问题

【Linux驱动】Jetson Nano串口ttyTHS1的权限问题

1、问题描述 在使用串口ttyTHS1时,总是失败,就算使用root权限,也只能是可以打开,但是在使用中总是出现莫名其妙的问题。 2、查看权限 查看ttyTHS1的权限时,发现它和ttyTHS2的权限还不一样: crw--w---- root tty /dev/ttyTHS1 crw-rw---- root dialout /dev/ttyTHS23…
阅读更多...
二、4.makefile、断言和位图内存池

二、4.makefile、断言和位图内存池

在 Linux 中&#xff0c;文件分为属性和数据两部分&#xff0c;每个文件有三种时间&#xff0c;分别用于记录与文件属性和文件数据相关的时间&#xff0c;这三个时间分别是 atime、 mtime 、 ctime 。 atime&#xff0c;即 access time&#xff0c;和示访问文件数据部分时间&a…
阅读更多...
行业追踪,2023-08-22

行业追踪,2023-08-22

自动复盘 2023-08-22 凡所有相&#xff0c;皆是虚妄。若见诸相非相&#xff0c;即见如来。 k 线图是最好的老师&#xff0c;每天持续发布板块的rps排名&#xff0c;追踪板块&#xff0c;板块来开仓&#xff0c;板块去清仓&#xff0c;丢弃自以为是的想法&#xff0c;板块去留让…
阅读更多...
最新文章

Copyright @ 2022~2023