至少给L坐了2次第一的位置(前排留念嘛.... 手快抢了道一血, 还有一道数据拿不到卡了半年... 还有道最后竟然....卡慌了...
# Guess | DONE
麻了... 这道题手快 甚至忘了 hint 就直接开始日,竟然抢到了一血,奈思。运气不辍..
# 究极非预期:
# Enc:
# Dec:
# try:
随便试的... 然后发现解密拿到的都是 3 位数,合理猜测是 key, 打进去 0 或者 1 直接丢。发现多那几次出来的对应 0 或者 1 不变。多连几次,修 dict
plain=dec (n-1)# 即解密 -1
cipher=enc(plain,plain)
c1,c2 中的 plain*plain 那块可以当作是 - 1*-1 , 因此,
解密之后,发现就是我们需要的 key, 而题目里面的 key 是本地读取的,所以肯定不会变。就反复打就出来了
key=dec(cipher)
from pwn import * | |
from Crypto.Util.number import * | |
from hashlib import sha256 | |
import string | |
from pwnlib.util.iters import mbruteforce | |
dict={718:1,244:1,566:0,244:1,558:0,810:1,899:1,585:0,903:0,641:1,237:1,333:1,216:1,184:0,142:0,751:0,637:0,288:0,130:0,121:1,745:1,498:0,542:1,158:1,783:0,281:1,647:1,860:1,746:0,558:0,349:0,751:0,899:0,746:0,286:1,718:0,885:0,526:1,888:1,498:0,638:0,751:0,241:1,216:1,186:1,977:1,148:0,355:0,123:1,299:0,577:0,427:0,113:1,983:0,309:1,614:0,400:1,119:0,550:0,114:0,877:1,918:1,939:0,944:1,128:1,201:1,548:1,396:1,416:0,653:1,995:0,313:0,521:0,646:1,461:1,780:1,129:1,611:0,936:1,942:0,530:0,613:1,307:0,271:0,685:0,430:1,232:1,639:0} | |
table = string.ascii_letters+string.digits | |
def pow(): | |
io.recvuntil("?+") | |
suffix = io.recv(12).decode("utf8") | |
io.recvuntil("== ") | |
cipher = io.recvline().strip().decode("utf8") | |
proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() == | |
cipher, table, length=4, method='fixed') | |
io.sendline(proof) | |
def get_Public_key(): | |
io.recvuntil('n = ') | |
n = int(io.recvline()[:-1]) | |
io.recvuntil('g = ') | |
g = int(io.recvline()[:-1]) | |
return n,g | |
def Step_2(Cip): | |
io.recv() | |
io.sendline(str(Cip)) | |
io.recvline() | |
Plaintext = int(io.recvline()[:-1]) | |
return Plaintext | |
def Step_3(m0,m1): | |
io.recv() | |
io.sendline(str(m0)) | |
io.recv() | |
io.sendline(str(m1)) | |
io.recvline() | |
Ciphertext = int(io.recvline()[:-1]) | |
return Ciphertext | |
def Step_4(ciphertext): | |
io.recv() | |
io.sendline(str(ciphertext)) | |
io.recvline() | |
STR = int(io.recvline()[:-1]) | |
return STR | |
if __name__ == "__main__": | |
while 1: | |
try: | |
io = remote("47.104.85.225",57811) | |
pow() | |
for i in range(32): | |
n,g = get_Public_key() | |
plaintext = Step_2(n-1) | |
ciphertext = Step_3(plaintext,plaintext) | |
num = Step_4(ciphertext) | |
if num in dict: | |
io.sendline(str(dict[num])) | |
print(num) | |
else: | |
io.sendline(str((num+i+1)%2)) | |
print(num,str((num+i+1)%2)) | |
io.interactive() | |
except: | |
io.close() |
# 预期解:
IND-CCA2 安全模型,hint 里面给出了 hint=key * Matrix, Matrix 是 4 * 12 的矩阵,R 数字很大, 并且 hint 里面行向量在 key 里面。格基规约 和前四个 key 一起就能拿到 key 顺序就有了 可以等等官方 wp? (可能会被咕咕咕咕?)
# myRSA | DONE
连接数据拿错了一开始.... 痛失血..... 难过...
等连接等半天,就二分查 p+q, 然后就分解掉 n 了 就好了。然后正常解密 根据 encry 去解密
from pwn import * | |
from Crypto.Util.number import * | |
from hashlib import sha256 | |
import string | |
from pwnlib.util.iters import mbruteforce | |
table = string.ascii_letters+string.digits | |
def pow(): | |
io.recvuntil("?+") | |
suffix = io.recv(12).decode("utf8") | |
io.recvuntil("== ") | |
cipher = io.recvline().strip().decode("utf8") | |
proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() == | |
cipher, table, length=4, method='fixed') | |
io.sendline(proof) | |
def getdate(): | |
io.recvuntil(b'Welcome to use my better RSA!!!!!!So, what do you want now?') | |
io.recvuntil(b'This is my public key:\nn = ') | |
n = (io.recv()) | |
e = 0x10001 | |
io.sendline('1') | |
io.recv() | |
io.sendline(b'\x01') | |
io.recvuntil(b'Your encry message:\n') | |
c = io.recv() | |
return n,c | |
if __name__ == "__main__": | |
io = remote("47.104.85.225",49856) | |
pow() | |
n,c = getdate() | |
print(n) | |
print(c) | |
io.sendline('2') | |
io.interactive() |
[+] MBruteforcing: Found key: "i2H2" | |
<ipython-input-2-368d9c4bc365>:15: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes | |
io.sendline(proof) | |
<ipython-input-2-368d9c4bc365>:22: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes | |
io.sendline('1') | |
b'68195486242491905197433526004507369032272491135696932334326068024040058438599110281712712885705379034982984472056474100930481463577289211609825797634637699853031185421002896320599047956784229329089847286676426757567349199706750131259258373177336457657022868600117460778180849110456709646379002371134272563633\ne = 65537\n1. encry \n2. getflag\n3. exit\n' | |
b'4597266005632522801147627000660857649183366325885623347197089667591563216981756164256482446594948053316793620258055892298724248421726012140081053576547521297239629024402710879218821331887650345980788144066048868262298302137125886809420799790304816147986191762960289700205264554882006937334365726206855596559080070895663726388199502053612930185897787061099796111936877366936203717889564522795854776615268505308467045914833319009227673259174528506512902671304308976\n1. encry \n2. getflag\n3. exit\n' | |
<ipython-input-2-368d9c4bc365>:35: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes | |
io.sendline('2') | |
[*] Switching to interactive mode | |
This is your favourite: | |
40868648891657711786598328718113063065545453011282156865784206192978574818052122882184358068236975753192772828954658973145613760735845195818217664683661925592185852021605700613828161411554664790911594417203233292649407034179935773181418886730406997379175819237199860137490038826629366907380520875211156420009016730301710339622873008218484776846907819947820161852183069547449851535930768116416974211148236437262996588115644260055582849718976117916680029401709166538197581624667147067231655542792069808991633694902877465348527151882218715188113964032172846627464279982722447664427600294582370983132847084133297955553459809699744364828552913355798427543451791875776222341962020592533940215035327061046030408462348449028012044372949233825736289928601740622679907051748552640 | |
1. encry | |
2. getflag | |
3. exit |
第一串数字 n 就是下面脚本里面的 n 中间比较长的就是 com 最后一个数据就是 最后的 c
from Crypto.Util.number import * | |
p,q,r = getPrime(512),getPrime(512),getPrime(int(512*2.0314159265358979)) | |
n = p*q | |
com = p**2 * (p + 3*q - 1 ) + q**2 * (q + 3*p - 1) + 2*p*q + p + q + r*2 | |
com = 4597266005632522801147627000660857649183366325885623347197089667591563216981756164256482446594948053316793620258055892298724248421726012140081053576547521297239629024402710879218821331887650345980788144066048868262298302137125886809420799790304816147986191762960289700205264554882006937334365726206855596559080070895663726388199502053612930185897787061099796111936877366936203717889564522795854776615268505308467045914833319009227673259174528506512902671304308976 | |
left = 1 | |
right = 2**514*2 | |
t = (left + right)//2 | |
for i in range(20000): | |
if t**3 - t**2 +t + 4*n <com: | |
left = t | |
else: | |
right = t | |
t = (left + right)//2 | |
#print(t) | |
import gmpy2 | |
n = 68195486242491905197433526004507369032272491135696932334326068024040058438599110281712712885705379034982984472056474100930481463577289211609825797634637699853031185421002896320599047956784229329089847286676426757567349199706750131259258373177336457657022868600117460778180849110456709646379002371134272563633 | |
for i in range(-80000,80000): | |
if gmpy2.iroot((t-i)**2-4*n,2)[1]: | |
print(t-i) | |
print(gmpy2.iroot((t-i)**2-4*n,2)[0]) | |
tmp = t-i | |
tmp2 = gmpy2.iroot((t-i)**2-4*n,2)[0] | |
p = (tmp+tmp2)//2 | |
q = tmp - p | |
print(p*q==n) | |
phi = (p-1)*(q-1) | |
e = 0x10001 | |
d = inverse(e,phi) | |
c = 40868648891657711786598328718113063065545453011282156865784206192978574818052122882184358068236975753192772828954658973145613760735845195818217664683661925592185852021605700613828161411554664790911594417203233292649407034179935773181418886730406997379175819237199860137490038826629366907380520875211156420009016730301710339622873008218484776846907819947820161852183069547449851535930768116416974211148236437262996588115644260055582849718976117916680029401709166538197581624667147067231655542792069808991633694902877465348527151882218715188113964032172846627464279982722447664427600294582370983132847084133297955553459809699744364828552913355798427543451791875776222341962020592533940215035327061046030408462348449028012044372949233825736289928601740622679907051748552640 | |
c = c//(p**2 * (p + 3*q - 1 ) + q**2 * (q + 3*p - 1) + 2*p*q + p + q) | |
print(long_to_bytes(pow(c,d,n))) |
# Random_RSA | DONE
py2 实现 random 白给题
# shared secret | Lnengmao-Team
拉跨的我... 题目都没认真看一开始... 睡了一下午 五点才开始起来做。
h2(m)
key_gen(nbits):
enc(m,pk):
我们发现
这样子我们拥有 E_ 和 V_ 那么我们只需要拿到这个 dd 就能够解密得到 m , 拿到 dd 就是要去 在 encoder 里面进行消元 然后实现最后拿到的是 r
第一组 encoder 是由已知的 prefix 生成的,我们发现我们可以拿到这个最开始的 encoder, 根据普通的 dh 就行了,接着去消元。
rk_gen 只要消元 拿到 r (直接这么消元就行了 emmm.) 但是听说还有种 韦达定理, 用已知的 x 当根 然后一条多项式 直接带进去 就是算出来是 0 加上这个 r 就是 r
那就直接直接通完四关
接着根据
其中四个 dd 都是已知的,那么接着就拿到了 sk 的四次,发现 p%4 =3, 那么我们首先先对 sk 进行一个费玛的定理拿到的是 sk 的 2 次 % p 于是,我们就可以 计算
就拿到了这个 sk
而对于最后一段就是对 enc 进行一个解密
EV 都是已知,c 也已知 直接计算就出了。。。
确实能猫了。。。丢个本地和远程的脚本
from Crypto.Util.number import* | |
from pwn import * | |
from hashlib import sha256 | |
from libnum import n2s, s2n | |
p, g = 0xb5655f7c97e8007baaf31716c305cf5950a935d239891c81e671c39b7b5b2544b0198a39fd13fa83830f93afb558321680713d4f6e6d7201d27256567b8f70c3, \ | |
0x85fd9ae42b57e515b7849b232fcd9575c18131235104d451eeceb991436b646d374086ca751846fdfec1ff7d4e1b9d6812355093a8227742a30361401ccc5577 | |
def h2(m): | |
return int(sha256(m).hexdigest(), 16) | |
def get_pk_sk(): | |
io.recv() | |
io.sendline(b"1") | |
io.recvuntil(b"Please take good care of it!\n") | |
pk,sk = eval(io.recvline()[:-1].replace(b'L',b' ')) | |
return pk,sk | |
def get_cha2_data(): | |
io.recvuntil(b'(') | |
c,(E_,V_,s_) = eval(b'('+io.recvline()[:-1].replace(b'L',b' ')) | |
io.recvuntil(b'prefix, encoder = ') | |
encoder , prefix = eval(io.recvline()[:-1].replace(b'L',b' ')) | |
return c,E_,V_,s_,encoder,prefix | |
def get_r(encoder,x1): | |
r = 1 | |
xishu = 1 | |
for i in range(len(encoder)): | |
xishu = xishu*(-1) | |
tmp = encoder[i]*xishu % p | |
r = (tmp - x1 * r)%p | |
if len(encoder)%2 == 0: | |
return r | |
else: | |
return p-r | |
def local(): | |
pk,sk = get_pk_sk() | |
DD = [] | |
io.recv() | |
io.sendline(b'2') | |
io.recvuntil(b'The cipher shared to you\n') | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
ddddd = 1 | |
for i in DD: | |
ddddd = ddddd * i % p | |
d= inverse(4,p-1) | |
io.recvuntil(b'some other information!\n') | |
mul = int(io.recvline()[:-1],16) | |
sk1 = pow(mul*inverse(ddddd,p),d,p) | |
sk1 = pow(sk1,(p+1)//4,p) | |
io.sendline(b'3') | |
io.recvuntil(b"choice>") | |
ss = io.recvline()[:-1].replace(b'L',b'') | |
c,(E,V,s) = eval(ss) | |
flag = n2s(c*pow(E*V,-sk1,p) % p ) | |
print(flag) | |
io.close() | |
return flag | |
def yuancheng(): | |
pk,sk = get_pk_sk() | |
DD = [] | |
io.recv() | |
io.sendline(b'2') | |
io.recvuntil(b'The cipher shared to you\n') | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
c,E_,V_,s_,encoder,prefix = get_cha2_data() | |
x1 = pow(int(prefix,16),sk,p)%p | |
r = get_r(encoder,x1) | |
ddd = h2(n2s(int(prefix,16)).rjust(64, b'\x00') + n2s(r).rjust(64, b'\x00')) | 1 | |
inv_ddd = inverse(ddd,p-1) | |
EVsk = pow(E_ * V_ ,inv_ddd,p)%p | |
DD.append(ddd) | |
m = (c* pow(EVsk,-1,p))%p | |
ans = hex(m)[2:] | |
io.sendline(ans.encode()) | |
ddddd = 1 | |
for i in DD: | |
ddddd = ddddd * i % p | |
d= inverse(4,p-1) | |
io.recvuntil(b'some other information!\n') | |
mul = int(io.recvline()[:-2],16) | |
sk1 = pow(mul*inverse(ddddd,p),d,p) | |
#print(p%4) | |
sk1 = pow(sk1,(p+1)//4,p) | |
io.sendline(b'3') | |
io.recvuntil(b"choice>") | |
ss = io.recvline()[:-1].replace(b'L',b'') | |
c,(E,V,s) = eval(ss) | |
flag = n2s(c*pow(E*V,-sk1,p) % p ) | |
print(flag) | |
io.close() | |
return flag | |
if __name__ == "__main__": | |
while 1: | |
try: | |
io = remote("192.168.3.88",12198) | |
flag = local() | |
if b'flag' in flag: | |
break | |
except: | |
io.close() | |
continue | |
while 1: | |
try: | |
io = remote("47.104.85.225",62351) | |
flag = yuancheng() | |
if b'flag' in flag: | |
break | |
except: | |
io.close() | |
continue |
<!--2021 年 08 月 23 日 /-->