__愚人杯

无标签
发布日期:   2023-04-05
更新日期:   2023-04-05
文章字数:   543
阅读时长:   3 分

愚人杯_Crypto_WP

easy_base

import base64

c = '4C455A5645334C44474A55484D5A42544F5132574956525A50464E464F4E4C474D4656454D334359474A554751564B4949493255535532464E42544643504A35'
m = base64.b64decode(base64.b32decode(base64.b16decode(c)))
# b'ctfshow{yu_ren_j1e_haPpy!!!}'

大牛的密码

pycryptodome---密码文档

sagemath---文档

from Crypto.Util.Padding import pad

Crypto.Util.Padding.pad( data_to_pad , block_size , style='pkcs7' )
data_to_pad ( byte string ) – 需要填充的数据。
block_size ( integer ) – 用于填充的块边界。输出长度保证是 的倍数block_size。
style ( string ) – 填充算法。它可以是'pkcs7'(默认)、'iso7816''x923'。

返回类型:字节串
S_box = [9, 31, 32, 38, 20, 1, 22, 4, 8, 2, 11, 21, 7, 18, 46, 23, 34, 3, 19, 12, 45, 30, 27, 37, 5, 47, 28, 36, 0, 43, 39, 10, 29, 14, 40, 24, 33, 16, 17, 6, 42, 15, 26, 41, 44, 25, 35, 13]
c = [99, 111, 102, 11, 107, 49, 11, 53, 121, 48, 114, 117, 11, 95, 112, 95, 109, 115, 11, 95, 101, 95, 119, 117, 79, 123, 111, 48, 110, 95, 121, 116, 121, 125, 116, 11, 119, 11, 97, 67, 11, 11, 11, 11, 11, 99, 110, 104]
BLOCK = 16

def decrypt1(S_box,c):
    m = [None]*len(c)
    for i in range(len(c)):
        m[S_box[i]] = c[i]
    return m

def swap(a,b):
    tmp = a
    a = b
    b = tmp
# invert(7,16) = 7
def decrypt2(m):
    enc=[m[i:i+BLOCK] for i in range(0,len(m),BLOCK)]
    for i in enc:
        for j in range(BLOCK):
            aa=j*7%BLOCK
            swap(i[j],i[aa])

m = decrypt1(S_box, c)
for i in range(15):
        m = decrypt1(S_box, m)
        
decrypt2(m)
flag = ''
for i in range(len(m)):
    flag += chr(m[i])
print(flag)

# ctfshow{y0u_c5n_make_y0u1_own_CryptO}

Comedy

from gmpy2 import iroot,mpz,gcd
from Crypto.Util.number import long_to_bytes,isPrime,inverse,bytes_to_long

A =  493275281479560936332761096886786925792234184811353209227551802099268192839677496844153534128991899414803550843408607188612593757622064753867565869035222715177143938385039508273050267347710495512806264863554858016145161165422812554800693811328453743229819656381224407015421235005940088439590887928051969351426291843586132741521121351667152673680122929827805479163871436776753859965413192837591532468372
Leak =  238829196127128263156194898141748280130190920343265228257398802867203846004703877952990524473329125233083096275276064071930416561616135910190674099345267027039386328203653489152769309498199556401574021633071022874689081585677578010276529507102304828451681000682208089162940529052283763507244593173690786957816545746540436261888398732172965945762569416702401859253725696471593023885944262561159982327952

# kbits = 200
# PR.<m> = PolynomialRing(Zmod(pow(2,2023)-Leak))
# f = A + 2023 * m - 2022
# f = f.monic()
# roots = f.small_roots(X=2^kbits, beta=0.4)
# if roots:
#     m = int(roots[0])
# print(m)

m = 2438621860802508754666419561610531898810985542251330229087
gcd_ = gcd(A + 2023 * m - 2022,pow(2,2023) - Leak)
print(gcd_)
B = 493275281479560936332761096886786925792234184811353209227551802099268192839677496844153534128991899414803550843408607188612593757622064753867565869035222715177143938385039508273050267347710495512806264863554858016145161165422812554800693811328453743229819656381224407015421235005940088439590887928051969351426291843586132741521121351667152678613454954231280689854038209914859891260036944812032585909351
print(long_to_bytes(m)+long_to_bytes(B))
print()
# b'ctfshow{UNKNOWN_MODULUS_T0_BR1NG_L3UGHTER_AND_J@Y_TO_TH3_W0RLD}

ecc_mini

ECC加密算法

#暂时不会

p = 71397796933602469825964946338224836258949974632540581233301840806613437378503
a = 106105288190268015217241182934677375171023341761047638573248022053052499733117
b = 76170541771321874396004434442157725545076211607587599314450304327736999807927
k = 58155941823118858940343657716409231510854647214870891375273032214774400828217
w2 = 16315249811700998894876359855091105114973337718373913477026230968747515636405
from Crypto.Util.number import *
E = EllipticCurve(GF(p), [a, b])
Y = E([33237936857741483513705672980652927705102229733798436323453609986072499230366,52619411226266177137991318059937693955038910547834999771526408984808553907338])
c1 = E([37414446283406201193977113266234367761786780230360175925999700345196415953455 , 17037724145039910971426670298726906655653040365428438334942732090559637519851])
c2 = E([60560423732267272277570046154733119097475794979191838027420415113112056962844 ,54372226143125971429691267751299496959531971082475860532181772357190222938465])

d=inverse_mod(7,E.order())
X=Y*d
flag1=int(X[0]+4585)
m=c1 - (c2 * k)
flag2=w2//m[0]
flag=str(flag1)+str(flag2)
print(long_to_bytes(int(flag)))

b'ctfshow{the_answer_is_it}'

easy_xor

from Crypto.Util.number import long_to_bytes,isPrime,inverse,bytes_to_long

c1 = 151198307301713399973545627808177783191262282577048906899567665485020342464366268384613589477129150406859219553325982275344405383612415523342568367197935454935162234419239807109194526080836070453102172720442102673200212658553214847476648456720629906051324248179394810385918370092764118401652990951968387233220
c2 = 7894512574379281106340582833782408137686355961537832816105517328532111343730615739255485918919146012721446905489729048235088965936700563973759759039693443386542070451737445467143517377017890468837697907596398070608179281207203217576205857817411996178441661371846647602166663752324880657668362355493701482869858528298247422875427747085642627978367348931707497113936723122393282697211257939351221141536029828744507560524637999804394951722319070365576391442828074457050403771353328835153787572457070779602728359333021922987279454923820866436212282592764768470608545881718922440010751845730974331917142224339664090863915
n = 20873587976264698212013861921447267548758723109929620330136081844796427967720295581580927324390713931549639540337285515365487607593546367886570408812338077846317206794057714877394609181224434104303259411081376607299962306250984285173463537669954845497211859940191392861121877814873939865829555350848523691546006073264112091406848179785659505299775196062799482197712761744192962658799557108701192680225134300686608396391566674966897700511638643429161735764600752699251493599533703928135311599575989253347234975026924804433742500175666009324057320386262109587593814197687132304704244158862263859846356497849518103755981

print(c1.bit_length())
print(c2.bit_length())
print(n.bit_length())

# sage
# pbits = 1024
# kbits = 256
# c3 = (c1>>kbits)<<kbits
# PR.<x> = PolynomialRing(Zmod(n))
# f = x + c3
# f = f.monic()
# roots = f.small_roots(X=2^kbits, beta=0.4)
# if roots:
#     p = int(roots[0])
# print(p)

p = 27488831128424601143374560105596187228646882734000152044471368185155941670329
m = p^c1
print(long_to_bytes(m))
# ctfshow{m_xor_p_but_coppersmith}
文章作者: hengxinyan
文章链接: https://hengxinyan.github.io/2023/04/05/%E6%84%9A%E4%BA%BA%E6%9D%AF_20230404/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 hengxinyan !
无标签
  目录