526互联

2023振兴杯-Crypto wp

发布时间 2023-12-09 12:21:11作者: 清纯少女小琪

crypto1

题目

from flag import flag

def encrypt(x, y):
        key='zxb'
        result=''
        for i in range(len(x)):
                result+=chr(ord(x[i])^ord(y[i])^ord(key[i%3]))
        return result
x = flag
y = flag[1:] + flag[0]

enc = open('flag.enc', 'wb')
enc.write(encrypt(x, y))
enc.close()

enc = "56796b6f6b777b616f6f65647b653d2f6e782f3e6d7d722633652c26726f7c64416d656f6c626e636b797a6f1a2646"

我的解答:

首先测试一下x,y.发现x和y分别代表flag和flag后移一位加上首地址字符

flag = 'abcde'
y = flag[1:] + flag[0]
print(y)
#bcdea

加密方式如下:

result+=chr(ord(x[i])^ord(y[i])^ord(key[i%3]))

我们可以猜测到结果为flag{xxxx},但具体不知道位置。
根据异或的性质,我们可以利用f和l异或再异或key,将得到的值与密文进行对比,可以得到flag在明文中的位置。
之后只需要从该位置往下依次循环异或即可得到flag

exp:

import binascii

enc = "56796b6f6b777b616f6f65647b653d2f6e782f3e6d7d722633652c26726f7c64416d656f6c626e636b797a6f1a2646"
c = binascii.unhexlify(enc)
key = 'zxb'
cipher = []
for i in range(len(c)):
    cipher.append(c[i]^ord(key[i%3]))
print(cipher)
print(ord('f')^ord('l'))

flag_cipher = [10, 13, 6, 28, 35, 23, 29, 13, 22, 26, 12, 25, 19, 27, 0, 23, 120, 92, 62]
flag = [102,108]
for j in range(1,len(flag_cipher)):
    flag.append(flag[j]^flag_cipher[j])
print(''.join([chr(i) for i in flag]))
#flag{XOR_IS_FUNNY!}

crypto2

题目

from Crypto.Util.number import getPrime, bytes_to_long
from gmpy2 import invert, powmod

p = getPrime(1024)
q = getPrime(1024)
n = p * q
phi = (p - 1) * (q - 1)
e = 0x10001
d = invert(e, phi)

with open("flag.txt", "rb") as f:
	m = bytes_to_long(f.read())

c = powmod(m, e, n)
assert m == powmod(c, d, n)

with open("output.txt", "w") as f:
	f.write("n = {}\n".format(n))
	f.write("c = {}\n".format(c))
	f.write("leak = {}\n".format((p ^ q) & ((1 << 800) - 1)))

n = 15571235426797939539238831633247703697409215642831362718146066385417021399103592649626632712024314917817471913939626433520575953306292197338982465585231726225691523482332855007581046878858859892738287906751603097287292123432184264315236703956440181898240812707048906540935557847459938834006517112306094162817074984718655862387364938057878492284440744016546443775531916167164017470033683394275914057901191912284384121493630109154926516069366062089783088439732169772370370955294590903435838430320194003869373124126574176180627081544221636132143905441920473191061061461409407547427997166908876273698276541130678984899303
c = 11410349198192402083731025358124670205298762156812742512455806430945720053501248573549000565669379087195952270760749370073167203051546900914096995321278405720220367427519939638116382433595807325494197693420378893656116540927023043865164328614746414479628014540017033577967693193978113818125984134421120761946747105183198057647052506266535688704007423583060833596105939484423152668717114112856314424069195220194470093254307436153736407926031038716511515018884928576377289853802156015456424197355710062631887029663480146136538261678824501076415658065918045730425523209518075212493675750467401967567713964871622654517929
leak = 2391766340580872396075853116060954790369153414025348183898792053278577108869816452176679906799250067017630058347039968502218692998106913594566891267374934074656997523077504385902187178779959674864970574631185410074159953449193378952686076390

我的解答:

看到p^q,一眼丁真,此题肯定需要剪枝算法。。旧博客的RSA常用类型中也有关于此类型的记录。

话不多说来分析一下:

代码给了p^q的低800bit,因此我们用剪枝算法还原出p的低800bit,然后copper解出完整的p。然后求m即可。

exp:

#sage
from tqdm import *
import gmpy2

n = 15571235426797939539238831633247703697409215642831362718146066385417021399103592649626632712024314917817471913939626433520575953306292197338982465585231726225691523482332855007581046878858859892738287906751603097287292123432184264315236703956440181898240812707048906540935557847459938834006517112306094162817074984718655862387364938057878492284440744016546443775531916167164017470033683394275914057901191912284384121493630109154926516069366062089783088439732169772370370955294590903435838430320194003869373124126574176180627081544221636132143905441920473191061061461409407547427997166908876273698276541130678984899303
c = 11410349198192402083731025358124670205298762156812742512455806430945720053501248573549000565669379087195952270760749370073167203051546900914096995321278405720220367427519939638116382433595807325494197693420378893656116540927023043865164328614746414479628014540017033577967693193978113818125984134421120761946747105183198057647052506266535688704007423583060833596105939484423152668717114112856314424069195220194470093254307436153736407926031038716511515018884928576377289853802156015456424197355710062631887029663480146136538261678824501076415658065918045730425523209518075212493675750467401967567713964871622654517929
leak = 2391766340580872396075853116060954790369153414025348183898792053278577108869816452176679906799250067017630058347039968502218692998106913594566891267374934074656997523077504385902187178779959674864970574631185410074159953449193378952686076390
e = 65537

def find_p(bin_p,p_list):
    l = len(bin_p)
    if l==800:
        p_list.append(int(bin_p,2))
    else:
        p = int(bin_p,2)
        q = (leak^^p)%2**l
        if (p*q)%2**l==n%2**l:
            find_p("1"+bin_p,p_list)
            find_p("0"+bin_p,p_list)
    
p_list = []
find_p("1",p_list)
for i in trange(len(p_list)):
    PR.<x> = PolynomialRing(Zmod(n))
    f = x*2^800 + p_list[i]
    res = f.monic().small_roots(X=2^224, beta=0.4)
    if res:
        p = int(res[0]* 2^800+p_list[i])
        if n%p == 0:
            break

q = n // p
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(m)
#13040004482825154599162311427995152293456839151536245158868798255974328954648873441445307773
from Crypto.Util.number import long_to_bytes
m = 13040004482825154599162311427995152293456839151536245158868798255974328954648873441445307773
print(long_to_bytes(m))
#flag{a20a5a7eb490770447d59f291e71930e}