# Crypto
# math1 (出了)
题目
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
from Crypto.Util.number import getPrime | |
import hashlib | |
e = 0x10001 | |
p = getPrime(1024) | |
q = getPrime(1024) | |
n = p * q | |
phi = n - p - q + 1 | |
m = p * getPrime(135) | |
c = pow(m, phi * getPrime(69) + 1, n) | |
flag = b"HZNUCTF{" + hashlib.md5(hex(m).encode()).hexdigest().encode() + b'}' | |
c=(p*a)**(phi*b+1) mod n | |
print(f"n = {n}") | |
print(f"e = {e}") | |
print(f"c = {c}") | |
print(f"p ^ q ^ x = {p ^ q ^ getPrime(100)}") | |
# n = 27963651181285314865245223420841376949170358907033350824157378307987529217967991046373794961962733982506983121192630829109141085046224889488610665139200726263728575086325474153370048617139175155262273813416260466529090140061623799460692881049637337480902401228983124051195350877685069281198499676151295387541487095621386248400085706944431571931100086046020193927566333993198580530464009149542183771408158783932309677038461604312997489255869750091721432213923367520176509845949128808520689563162109940702067960753814992404492253609346481785015501090495665364667572730774672925265663102438782954524410643148314614834421 | |
# e = 65537 | |
# c = 4112542234772265176907045140450105601374470669674397930575891050044126457030160166683760719042621526735064403906550294282692637793834725289405872203962576032128609572771779107747278189191796105964591794849874405525188273203917555992638684936192155868595119909648305108899175081741865334855359578531440348739274118813283368968474494522365300464616479 | |
# p ^ q ^ x = 20322403539370874641338228395838205584791500136939852001791339832796937713367291083719519539069010591274070142977525555745107989472468046373764089233806857920378983806258439075231320039084798858470920027262481032484629504006942867681413153495094107614132308526877912014998940951049975837247629492037044418733 |
乍一看,给了好多数据,好多未知素数
然后我们看要求的 m
所以
题解
from gmpy2 import * | |
from Crypto.Util.number import * | |
import hashlib | |
c = 4112542234772265176907045140450105601374470669674397930575891050044126457030160166683760719042621526735064403906550294282692637793834725289405872203962576032128609572771779107747278189191796105964591794849874405525188273203917555992638684936192155868595119909648305108899175081741865334855359578531440348739274118813283368968474494522365300464616479 | |
n = 27963651181285314865245223420841376949170358907033350824157378307987529217967991046373794961962733982506983121192630829109141085046224889488610665139200726263728575086325474153370048617139175155262273813416260466529090140061623799460692881049637337480902401228983124051195350877685069281198499676151295387541487095621386248400085706944431571931100086046020193927566333993198580530464009149542183771408158783932309677038461604312997489255869750091721432213923367520176509845949128808520689563162109940702067960753814992404492253609346481785015501090495665364667572730774672925265663102438782954524410643148314614834421 | |
a = 20322403539370874641338228395838205584791500136939852001791339832796937713367291083719519539069010591274070142977525555745107989472468046373764089233806857920378983806258439075231320039084798858470920027262481032484629504006942867681413153495094107614132308526877912014998940951049975837247629492037044418733 | |
m=c | |
flag = b"HZNUCTF{" + hashlib.md5(hex(m).encode()).hexdigest().encode() + b'}' | |
print(flag) |
# D4C (复现)
题目
from Crypto.Util.number import isPrime | |
from secret import flag | |
from random import getrandbits | |
from hashlib import sha256 | |
import socketserver | |
import string | |
import random | |
import os | |
banner = b''' | |
_| _| _|_|_|_| _| _|_|_| _|_| _| _| _|_|_|_| | |
_| _| _| _| _| _| _| _|_| _|_| _| | |
_| _| _| _|_|_| _| _| _| _| _| _| _| _|_|_| | |
_| _| _| _| _| _| _| _| _| _| _| | |
_| _| _|_|_|_| _|_|_|_| _|_|_| _|_| _| _| _|_|_|_| | |
_|_|_|_|_| _|_| | |
_| _| _| | |
_| _| _| | |
_| _| _| | |
_| _|_| | |
_| _| _|_|_|_|_| _| _| _| _| _|_|_| _|_|_|_|_| _|_|_|_| | |
_| _| _| _|_| _| _| _| _| _| _| | |
_|_|_|_| _| _| _| _| _| _| _| _| _|_|_| | |
_| _| _| _| _|_| _| _| _| _| _| | |
_| _| _|_|_|_|_| _| _| _|_| _|_|_| _| _| | |
''' | |
class Task(socketserver.BaseRequestHandler): | |
def _recvall(self): | |
BUFF_SIZE = 2048 | |
data = b'' | |
while True: | |
part = self.request.recv(BUFF_SIZE) | |
data += part | |
if len(part) < BUFF_SIZE: | |
break | |
return data.strip() | |
def send(self, msg, newline=True): | |
try: | |
if newline: | |
msg += b'\n' | |
self.request.sendall(msg) | |
except: | |
pass | |
def recv(self, prompt=b'[-] '): | |
self.send(prompt, newline=False) | |
return self._recvall() | |
def proof_of_work(self): | |
random.seed(os.urandom(8)) | |
proof = ''.join( | |
[random.choice(string.ascii_letters+string.digits) for _ in range(20)]) | |
_hexdigest = sha256(proof.encode()).hexdigest() | |
self.send(f"[+] sha256(XXXX+{proof[4:]}) == {_hexdigest}".encode()) | |
x = self.recv(prompt=b'[+] Plz tell me XXXX: ') | |
if len(x) != 4 or sha256(x+proof[4:].encode()).hexdigest() != _hexdigest: | |
return False | |
return True | |
def getPrime(self, nbits, k): | |
b = getrandbits(nbits) | |
_p = k * b * b + 1 | |
while _p % 4 or not isPrime(_p // 4): | |
b = getrandbits(nbits) | |
_p = k * b * b + 1 | |
return _p // 4 | |
def handle(self): | |
self.send(banner) | |
if not self.proof_of_work(): | |
return | |
p = self.getPrime(500, 27) | |
q = self.getPrime(500, 35) | |
r = self.getPrime(500, 43) | |
s = self.getPrime(500, 59) | |
n = p * q * r * s | |
e = 0x10001 | |
self.send(b"n = " + str(n).encode()) | |
self.send(b"e = " + str(e).encode()) | |
m1 = int(self.recv()) % n | |
m2 = int(self.recv()) % n | |
e = 65537 | |
tmp_m1 = hex(pow(m1, e, n))[2:] | |
tmp_m2 = hex(pow(m2, e, n))[2:] | |
c1 = bytes.fromhex(tmp_m1.rjust(len(tmp_m1) % 2 + len(tmp_m1), '0'))[:128] | |
c2 = bytes.fromhex(tmp_m2.rjust(len(tmp_m2) % 2 + len(tmp_m2), '0'))[:128] | |
if (m1 != m2) & (c1 == c2): | |
self.send(b"c = " + str(pow(int(flag.hex(), 16), e, p * r)).encode()) | |
else: | |
self.send(str(getrandbits((p * r).bit_length())).encode()) | |
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer): | |
pass | |
class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer): | |
pass | |
if __name__ == "__main__": | |
HOST, PORT = '0.0.0.0', 10001 | |
server = ForkedServer((HOST, PORT), Task) | |
server.allow_reuse_address = True | |
server.serve_forever() |
n=pqr*s
我们需要给出 m1,m2
使得 m1!=m2 而 c1==c2
没思路
上了一个 hint
给了一个现成的 cm 分解(并不知道原理)
发现是用 sage 写的,,,,,然而 linux 没装 sage
我 g 了
比赛结束后装了一下(为什么不在比赛中装呢,因为我在做其他题目 (’∇’) シ┳━┳,可恶)
然后就出了嗯嗯
我们可以分解 n,得到 pqrs
然后就可以求得 d
需要 c1,c2 相等,因为他是取前 128 位 我们可以构造 129 位的密文,前 128 位相同
就可以求出 m1,m2
题解
e=65537 | |
n=1132726711936764607309697855190319138285332253365586023004410771644157414471091228221433575083247522197037323077850341248297577018676075116887537126969112622944865914063716811083904449269594255766349931252536957895670100701275734471606817506791642965436512826369515751079697850325432652536942439560740736279102143793187677617534192003805372042706789373942817052305974555087429044962596908841782168879135878214072849300339849909850416155552312192930686861268275795583870384852521600966277751608569821462297386816417277418231959521993802942974275518986960479177630788561827774382669733668432806326740397545859454391651638531113339587716513180507865049388029495810821341177396080978406614931498440618739505994739360917968048318216413476678517421384523296828772720179891271225896550980444005860302215802791907064265810413589015484562139774221796500333644948258620570188487538490145744053334833677280433210853000967470747508630120466459618728186148942152046015513161482829253916680167602670999412800784608488898951666739800884404477926773805716864046065942344088246826993706167952480675930166207712039101619540779731401189475653471777008675370864589664776684177221630675125616892567419822603079912517902658953 | |
from gmpy2 import * | |
p=19197151378991533572059636161957285696032803878817041096260294156151890659611512855833117151615861090950783067748833201878434638849310686318508128535909200565741494567748007290685081469933929658064405872093334040489292368462147350053254417902942108454786234933196761096698371168392218277308483533961 | |
q=79063616931456268156370084699677328839688214887157988183894160980767292468121026324541258828011695303286635571371893662059549816297511227585157673063621288261924794277059512326999668512566858063336596655568357892437462980132178286989064171772873983571020425012302036236593041392896863117698252281096469 | |
r=12885212384858119167358186422063305849177260181037122819909415672458075206886380339498966593055476360739872439841897991270556560571222301377504337191066335784060570678056277222227211559925062612903854105411041190935356725132377278153868855052962823339572245121051748754355317152274330824552058073929269 | |
s=n//p//q//r | |
phi=(p-1)*(q-1)*(r-1)*(s-1) | |
a = int((b'1' * 128 + b'1').hex(), 16) | |
b = int((b'1' * 128 + b'2').hex(), 16) | |
d1 = invert(e, phi) | |
a = pow(a, d1, n) | |
b = pow(b, d1, n) | |
print(a) | |
print(b) | |
#tmp_m1 = hex(pow(a, e, n))[2:] | |
#tmp_m2 = hex(pow(b, e, n))[2:] | |
#c1 = bytes.fromhex(tmp_m1.rjust(len(tmp_m1) % 2 + len(tmp_m1), '0'))[:128] | |
#c2 = bytes.fromhex(tmp_m2.rjust(len(tmp_m2) % 2 + len(tmp_m2), '0'))[:128] | |
from Crypto.Util.number import * | |
#print(c1,c2,sep='\n') | |
c=105375658041048146416386220014265872694882653414899528826447047490562828370655428373669358456729632953333822268101858660382570701053123873063173614055504307583278541998482577287640523048426920137948387760102191850158182045656421885081534616847868034341948181601068828265661713317825229308865516358268867545700537485310131381438594771979152720008137612316097327955168630920314060474469619437469231888010404072750312252821135155670814904866962145717845824974943007451991591239774494647221132894413953766864092220235350421859735283098144809990119857258292545380920527966522410498586827232247690630567536 | |
print(long_to_bytes(pow(c,invert(e,(p-1)*(r-1)),p*r))) |
