HGAME 2024 WEEK2 Crypto WP

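Preface

I'm not very good at this, and there were challenges I didn't solve; those marked with * were reproduced after the contest.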

midRSA

Challenge:

from Crypto.Util.number import *
from secret import flag

def padding(flag):
    return flag+b'\xff'*(64-len(flag))

flag=padding(flag)
m=bytes_to_long(flag)
p=getPrime(512)
q=getPrime(512)
e=3
n=p*q
c=pow(m,e,n)
m0=m>>208

print(f'n={n}')
print(f'c={c}')
print(f'm0={m0}')
"""
n=120838778421252867808799302603972821425274682456261749029016472234934876266617266346399909705742862458970575637664059189613618956880430078774892479256301209695323302787221508556481196281420676074116272495278097275927604857336484564777404497914572606299810384987412594844071935546690819906920254004045391585427
c=118961547254465282603128910126369011072248057317653811110746611348016137361383017921465395766977129601435508590006599755740818071303929227578504412967513468921191689357367045286190040251695094706564443721393216185563727951256414649625597950957960429709583109707961019498084511008637686004730015209939219983527
m0=13292147408567087351580732082961640130543313742210409432471625281702327748963274496942276607
"""

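Solution:
The hint is def padding(flag): return flag+b'\xff'*(64-len(flag)). It means the bits that were shifted away probably contain no flag data, only padding, so the data can be restored by simply filling the low bits with zeros.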

from Crypto.Util.number import *
m = 13292147408567087351580732082961640130543313742210409432471625281702327748963274496942276607
m0 = m << 208
print(long_to_bytes(m0))
#hgame{0ther_cas3s_0f_c0ppr3smith}

Of course, if that feels unreliable, you can try the known-high-bits-of-m attack and recover the whole padded flag.

from Crypto.Util.number import *
m = 5468072284345600284522355008479109169075116053402180689979880057809181898595927628842804575369333562845495606668542454369610468082607896606970684163227647
print(long_to_bytes(m))
#hgame{0ther_cas3s_0f_c0ppr3smith}
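
A cheaper confirmation of the padding guess than the lattice attack is to fill the dropped bits with 0xff and re-encrypt. The following is an added example, not code from the original post; recover_padded_message and demo are hypothetical names, and the modulus in demo is a constructed stand-in rather than the challenge's n.

```python
def recover_padded_message(m0, shift, e, n, c, pad=0xFF):
    """Rebuild m from its high bits, assuming every dropped byte is padding.

    Returns the unpadded message, or None when re-encryption does not give c.
    """
    if shift % 8:
        raise ValueError("shift must be a whole number of bytes")
    filler = int.from_bytes(bytes([pad]) * (shift // 8), "big")
    m = (m0 << shift) | filler
    if pow(m, e, n) != c:
        # Some dropped bits were real data: the guess is wrong and the
        # known-high-bits attack is needed instead.
        return None
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw.rstrip(bytes([pad]))


def demo(flag):
    """Constructed instance with the challenge's parameters (e=3, 64-byte pad, 208-bit shift)."""
    n = (2**521 - 1) * (2**607 - 1)   # constructed stand-in modulus
    e, shift = 3, 208
    padded = flag + b"\xff" * (64 - len(flag))
    m = int.from_bytes(padded, "big")
    return recover_padded_message(m >> shift, shift, e, n, pow(m, e, n))


if __name__ == "__main__":
    print(demo(b"hgame{constructed_example}"))   # short flag: only padding was dropped
    print(demo(b"A" * 50))                       # long flag: real bytes were dropped
```

With the challenge's own n, c and m0, a non-None result confirms the flag without any lattice reduction.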

midRSA revenge

Challenge:

from Crypto.Util.number import *
from secret import flag
m=bytes_to_long(flag)
p=getPrime(1024)
q=getPrime(1024)
e=5
n=p*q
c=pow(m,e,n)
m0=m>>128

print(f'n={n}')
print(f'c={c}')
print(f'm0={m0}')
"""
n=27814334728135671995890378154778822687713875269624843122353458059697288888640572922486287556431241786461159513236128914176680497775619694684903498070577307810263677280294114135929708745988406963307279767028969515305895207028282193547356414827419008393701158467818535109517213088920890236300281646288761697842280633285355376389468360033584102258243058885174812018295460196515483819254913183079496947309574392848378504246991546781252139861876509894476420525317251695953355755164789878602945615879965709871975770823484418665634050103852564819575756950047691205355599004786541600213204423145854859214897431430282333052121
c=456221314115867088638207203034494636244706611111621723577848729096069230067958132663018625661447131501758684502639383208332844681939698124459188571813527149772292464139530736717619741704945926075632064072125361516435631121845753186559297993355270779818057702973783391589851159114029310296551701456748698914231344835187917559305440269560613326893204748127999254902102919605370363889581136724164096879573173870280806620454087466970358998654736755257023225078147018537101
m0=9999900281003357773420310681169330823266532533803905637
"""

Approach: this time it really is the known-high-bits-of-m attack.
Just change the parameters in the code above.

backpack

from Crypto.Util.number import *
import random
from secret import flag
a=[getPrime(32) for _ in range(20)]
p=random.getrandbits(32)
assert len(bin(p)[2:])==32
bag=0
for i in a:
    temp=p%2
    bag+=temp*i
    p=p>>1

enc=bytes_to_long(flag)^p

print(f'enc={enc}')
print(f'a={a}')
print(f'bag={bag}')
"""
enc=871114172567853490297478570113449366988793760172844644007566824913350088148162949968812541218339
a=[3245882327, 3130355629, 2432460301, 3249504299, 3762436129, 3056281051, 3484499099, 2830291609, 3349739489, 2847095593, 3532332619, 2406839203, 4056647633, 3204059951, 3795219419, 3240880339, 2668368499, 4227862747, 2939444527, 3375243559]
bag=45893025064
"""

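Approach:
A 32-bit number is generated, and each of its bits (0/1) is multiplied by the corresponding element of a and added to bag. So we just work backwards. This really was luck, because this is the intended solution; if it had been the unintended solution from backpack revenge, I would not have been able to work it out.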

a = [3245882327, 3130355629, 2432460301, 3249504299, 3762436129, 3056281051, 3484499099, 2830291609, 3349739489, 2847095593, 3532332619, 2406839203, 4056647633, 3204059951, 3795219419, 3240880339, 2668368499, 4227862747, 2939444527, 3375243559]
bag = 45893025064
key = 0
for i in reversed(a):
    if bag >= i:
        key = (key << 1) + 1
        bag -= i
    else:
        key <<= 1
enc = 871114172567853490297478570113449366988793760172844644007566824913350088148162949968812541218339
# key = 3772829031
flag = enc ^ key
from Crypto.Util.number import *
print(long_to_bytes(flag))
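
Subtracting greedily from the end of the list is only guaranteed to work for superincreasing weights, which these 32-bit primes are not. As an added example (not part of the original writeup), a meet-in-the-middle search over the 20 weights finds every bit pattern that sums to bag; the function names are hypothetical, and A and BAG are copied from the challenge output above.

```python
A = [3245882327, 3130355629, 2432460301, 3249504299, 3762436129,
     3056281051, 3484499099, 2830291609, 3349739489, 2847095593,
     3532332619, 2406839203, 4056647633, 3204059951, 3795219419,
     3240880339, 2668368499, 4227862747, 2939444527, 3375243559]
BAG = 45893025064


def subset_sums(items):
    """sums[mask] = sum of items[i] over every bit i set in mask."""
    sums = [0] * (1 << len(items))
    for mask in range(1, len(sums)):
        low = (mask & -mask).bit_length() - 1      # index of the lowest set bit
        sums[mask] = sums[mask & (mask - 1)] + items[low]
    return sums


def solve_knapsack(weights, target):
    """All masks whose bit i selects weights[i] and whose selection sums to target.

    Bit 0 pairs with weights[0], the order in which the challenge consumes p.
    """
    half = len(weights) // 2
    right = {}
    for mask, total in enumerate(subset_sums(weights[half:])):
        right.setdefault(total, []).append(mask)
    return [lo | (hi << half)
            for lo, total in enumerate(subset_sums(weights[:half]))
            for hi in right.get(target - total, [])]


def knapsack_sum(weights, mask):
    """Recompute the bag for a candidate mask, to double-check a solution."""
    return sum(w for i, w in enumerate(weights) if mask >> i & 1)


if __name__ == "__main__":
    for mask in solve_knapsack(A, BAG):
        print(f"low 20 bits of p: {mask:020b} ({mask})")
```

The search touches 2 * 2**10 partial sums instead of 2**20 subsets and returns every solution, so an ambiguous bag is visible rather than silently resolved.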

BabyRSA

Challenge:

from Crypto.Util.number import *
from secret import flag,e
m=bytes_to_long(flag)
p=getPrime(64)
q=getPrime(256)
n=p**4*q
k=getPrime(16)
# 64 bits
gift=pow(e+114514+p**k,0x10001,p)
c=pow(m,e,n)
print(f'p={p}')
print(f'q={q}')
print(f'c={c}')
print(f'gift={gift}')
"""
p=14213355454944773291
q=61843562051620700386348551175371930486064978441159200765618339743764001033297
c=105002138722466946495936638656038214000043475751639025085255113965088749272461906892586616250264922348192496597986452786281151156436229574065193965422841
gift=9751789326354522940
"""

First, find e.

gift=pow(e+114514+p**k,0x10001,p)

This looks long, but it actually reduces to

gift=pow(e+114514,0x10001,p)

because every term involving p vanishes modulo p.

#gift=pow(e+114514,0x10001,p)
#gift=pow(e1,0x10001,p)
import gmpy2
p=14213355454944773291
gift=9751789326354522940
e = 0x10001
d=gmpy2.invert(e,p-1)
e1 = pow(gift, d, p)
e=e1-114514
print(e)
# e=73561

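With e recovered, we find that e | p-1 and e | q-1, so e has no inverse modulo phi and the usual private exponent d cannot be computed.

At this point we can use lazzzaro's script:

# Script 1
# Sage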
e = 73561
p=14213355454944773291
q=61843562051620700386348551175371930486064978441159200765618339743764001033297
c=105002138722466946495936638656038214000043475751639025085255113965088749272461906892586616250264922348192496597986452786281151156436229574065193965422841

# Take every e-th root of c modulo p and modulo q, then combine each pair with CRT
for mp in GF(p)(c).nth_root(e, all=True):
    for mq in GF(q)(c).nth_root(e, all=True):
        m = crt([ZZ(mp), ZZ(mq)], [p, q])
        try:
            res = bytes.fromhex(hex(m)[2:])
            if res.isascii():
                print(res)
        except ValueError:
            # odd-length hex string: this candidate is not the flag
            pass

I didn't really understand it while reproducing the challenge,
so I also found Kicaky_Mu's writeup
and his script:

from Crypto.Util.number import *
import gmpy2

# Run under Sage: Zmod below is a Sage function
p=14213355454944773291
q=61843562051620700386348551175371930486064978441159200765618339743764001033297
c=105002138722466946495936638656038214000043475751639025085255113965088749272461906892586616250264922348192496597986452786281151156436229574065193965422841
n = p**4*q
phi = p**3*(p-1)*(q-1)
e=73561
res = Zmod(n)(c).nth_root(e, all=True)
for m in res:
    flag = long_to_bytes(int(m))
    if b"hgame" in flag:
        print(flag)
        break
#hgame{Ad1eman_Mand3r_Mi11er_M3th0d}

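He says his idea is to find, within the residue ring modulo n, the values that are e-th roots of c, and then iterate over them to get the flag. His code seems more concise and easier to understand. Very nice.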
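
What the nth_root calls above compute, written out in plain Python as an added example (not the author's, lazzzaro's or Kicaky_Mu's code). It covers only the simple case where e is prime and divides p-1 exactly once, an assumption that is not checked here against the challenge's p and q; the root demo uses constructed toy numbers with n = p*q, while P and GIFT are the values from the page.

```python
P = 14213355454944773291        # from the challenge output
GIFT = 9751789326354522940      # from the challenge output


def recover_e(gift, p, offset=114514, g_exp=0x10001):
    """p**k vanishes mod p, so gift == (e + offset)**g_exp (mod p); undo the power."""
    return pow(gift, pow(g_exp, -1, p - 1), p) - offset


def eth_roots_mod_prime(c, e, p):
    """All x with x**e == c (mod p), for prime e with e | p-1 and e*e not dividing p-1."""
    s = (p - 1) // e
    if (p - 1) % e or s % e == 0:
        raise ValueError("outside the simple case: use full Adleman-Manders-Miller")
    if pow(c, s, p) != 1:
        return []                          # c is not an e-th power residue mod p
    root = pow(c, pow(e, -1, s), p)        # one particular root
    # h**s has order 1 or e; the first value != 1 generates the e-th roots of unity.
    unity = next(u for u in (pow(h, s, p) for h in range(2, p)) if u != 1)
    return [root * pow(unity, i, p) % p for i in range(e)]


def crt_pair(rp, p, rq, q):
    """The x mod p*q with x == rp (mod p) and x == rq (mod q)."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def plaintext_candidates(c, e, p, q):
    """Every m < p*q with m**e == c (mod p*q), built from the roots mod p and mod q."""
    return sorted(crt_pair(rp, p, rq, q)
                  for rp in eth_roots_mod_prime(c % p, e, p)
                  for rq in eth_roots_mod_prime(c % q, e, q))


if __name__ == "__main__":
    print("e from gift:", recover_e(GIFT, P))
    e, p, q, m = 7, 29, 43, 1000           # constructed: 7 | 28 and 7 | 42
    cands = plaintext_candidates(pow(m, e, p * q), e, p, q)
    print(len(cands), "candidates; m among them:", m in cands)
```

There are e roots modulo each prime, so e*e candidates come out of the CRT step, which is why both scripts filter the results for a readable flag.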

*backpack

Challenge:

from Crypto.Util.number import *
import random
import hashlib

a=[getPrime(96) for _ in range(48)]
p=random.getrandbits(48)
assert len(bin(p)[2:])==48
flag='hgame{'+hashlib.sha256(str(p).encode()).hexdigest()+'}'

bag=0
for i in a:
    temp=p%2
    bag+=temp*i
    p=p>>1

print(f'a={a}')
print(f'bag={bag}')
"""
a=[74763079510261699126345525979, 51725049470068950810478487507, 47190309269514609005045330671, 64955989640650139818348214927, 68559937238623623619114065917, 72311339170112185401496867001, 70817336064254781640273354039, 70538108826539785774361605309, 43782530942481865621293381023, 58234328186578036291057066237, 68808271265478858570126916949, 61660200470938153836045483887, 63270726981851544620359231307, 42904776486697691669639929229, 41545637201787531637427603339, 74012839055649891397172870891, 56943794795641260674953676827, 51737391902187759188078687453, 49264368999561659986182883907, 60044221237387104054597861973, 63847046350260520761043687817, 62128146699582180779013983561, 65109313423212852647930299981, 66825635869831731092684039351, 67763265147791272083780752327, 61167844083999179669702601647, 55116015927868756859007961943, 52344488518055672082280377551, 52375877891942312320031803919, 69659035941564119291640404791, 52563282085178646767814382889, 56810627312286420494109192029, 49755877799006889063882566549, 43858901672451756754474845193, 67923743615154983291145624523, 51689455514728547423995162637, 67480131151707155672527583321, 59396212248330580072184648071, 63410528875220489799475249207, 48011409288550880229280578149, 62561969260391132956818285937, 44826158664283779410330615971, 70446218759976239947751162051, 56509847379836600033501942537, 50154287971179831355068443153, 49060507116095861174971467149, 54236848294299624632160521071, 64186626428974976108467196869]
bag=1202548196826013899006527314947
"""

Forgive my ignorance; I only just realised that this is a knapsack problem.
I found lazzzaro's script and explanation:

from sage.all import *

# ciphertext (the challenge's bag)
ct = 1202548196826013899006527314947
# public key (the challenge's a)
pk = [74763079510261699126345525979, 51725049470068950810478487507, 47190309269514609005045330671, 64955989640650139818348214927, 68559937238623623619114065917, 72311339170112185401496867001, 70817336064254781640273354039, 70538108826539785774361605309, 43782530942481865621293381023, 58234328186578036291057066237, 68808271265478858570126916949, 61660200470938153836045483887, 63270726981851544620359231307, 42904776486697691669639929229, 41545637201787531637427603339, 74012839055649891397172870891, 56943794795641260674953676827, 51737391902187759188078687453, 49264368999561659986182883907, 60044221237387104054597861973, 63847046350260520761043687817, 62128146699582180779013983561, 65109313423212852647930299981, 66825635869831731092684039351, 67763265147791272083780752327, 61167844083999179669702601647, 55116015927868756859007961943, 52344488518055672082280377551, 52375877891942312320031803919, 69659035941564119291640404791, 52563282085178646767814382889, 56810627312286420494109192029, 49755877799006889063882566549, 43858901672451756754474845193, 67923743615154983291145624523, 51689455514728547423995162637, 67480131151707155672527583321, 59396212248330580072184648071, 63410528875220489799475249207, 48011409288550880229280578149, 62561969260391132956818285937, 44826158664283779410330615971, 70446218759976239947751162051, 56509847379836600033501942537, 50154287971179831355068443153, 49060507116095861174971467149, 54236848294299624632160521071, 64186626428974976108467196869]
print(ct)
print(len(pk))
n = len(pk)

# Sanity check for application of low density attack
d = n / log(max(pk), 2)
print(CDF(d))
assert CDF(d) < 0.9408

M = Matrix.identity(n) * 2

last_row = [1 for x in pk]
M_last_row = Matrix(ZZ, 1, len(last_row), last_row)

last_col = pk
last_col.append(ct)
M_last_col = Matrix(ZZ, len(last_col), 1, last_col)

M = M.stack(M_last_row)
M = M.augment(M_last_col)

X = M.BKZ()

sol = []
for i in range(n + 1):
    testrow = X.row(i).list()[:-1]
    if set(testrow).issubset([-1, 1]):
        for v in testrow:
            if v == 1:
                sol.append(0)
            elif v == -1:
                sol.append(1)
        break

s = sol
print(s)

Output:
1202548196826013899006527314947
48
0.5004362519031288
[1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1]

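Using 100001001000111000110010100010101011010000101111 directly does not work,
so reverse it to get 111101000010110101010001010011000111000100100001 (the list starts with the lowest bit of p, because the challenge takes p%2 first).
Converted to decimal, that is 268475474669857.
Then, following this part of the source code: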

p=random.getrandbits(48)
assert len(bin(p)[2:])==48
flag='hgame{'+hashlib.sha256(str(p).encode()).hexdigest()+'}'

we get the solving code:

import hashlib
p = 268475474669857
assert len(bin(p)[2:])==48
flag='hgame{'+hashlib.sha256(str(p).encode()).hexdigest()+'}'
print(flag)
