2024 ISCTF-Crypto-WP
我和小蓝鲨的秘密
task:
from PIL import Image
from Crypto.Util.number import bytes_to_long, long_to_bytes
import numpy as np
n = 29869349657224745144762606999
e = 65537
original_image_path = "flag.jpg"
img = Image.open(original_image_path)
img = img.convert("RGB")
img_array = np.array(img)
h, w, _ = img_array.shape
encrypted_array = np.zeros((h, w, 3), dtype=object)
for i in range(h):
for j in range(w):
r, g, b = int(img_array[i, j, 0]), int(img_array[i, j, 1]), int(img_array[i, j, 2])
encrypted_array[i, j, 0] = pow(r, e, n)
encrypted_array[i, j, 1] = pow(g, e, n)
encrypted_array[i, j, 2] = pow(b, e, n)
np.save("encrypted_image.npy", encrypted_array)
print("图片已加密并保存为 encrypted_image.npy")
分析代码:
这个主要是对图片的每个像素的红色、绿色和蓝色进行了rsa加密,然后保存为一个.npy文件,思路很清晰,直接逆反回去即可。
exp:
from Crypto.Util.number import inverse
import numpy as np
from PIL import Image
n = 29869349657224745144762606999
e = 65537
p = 160216064374859
q=n//p
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)
# 加载加密的图像数组
encrypted_array = np.load("encrypted_image.npy", allow_pickle=True)
h, w, _ = encrypted_array.shape
# 创建一个空的数组来存储解密后的图像数据
decrypted_array = np.zeros((h, w, 3), dtype=np.uint8)
# 解密每个像素
for i in range(h):
for j in range(w):
r_enc = encrypted_array[i, j, 0]
g_enc = encrypted_array[i, j, 1]
b_enc = encrypted_array[i, j, 2]
# 使用 d 解密每个通道
r = pow(r_enc, d, n)
g = pow(g_enc, d, n)
b = pow(b_enc, d, n)
# 将解密后的值存入图像数组
decrypted_array[i, j] = (r, g, b)
# 将解密后的图像保存为图片文件
decrypted_image = Image.fromarray(decrypted_array, "RGB")
decrypted_image.save("decrypted_flag.jpg")
print("图片已解密并保存为 decrypted_flag.jpg")
最后得到一个图片,就是flag。
ChaCha20-Poly1305
打开题目有三个附件
task:
from Crypto.Cipher import ChaCha20_Poly1305
import os
key = os.urandom(32)
nonce = os.urandom(12)
with open('flag.txt', 'rb') as f:
plaintext = f.read()
cipher = ChaCha20_Poly1305.new(key=key, nonce=nonce)
ct, tag = cipher.encrypt_and_digest(plaintext)
print(f"Encrypted Flag: {ct.hex()}")
print(f"Tag: {tag.hex()}")
print(f"Nonce: {nonce.hex()}")
with open('key.txt', 'w') as key_file:
key_file.write(key.hex())
key?.txt:
3=t#sMX3?9GHSPdi4i^gk!3*(cH8S8XT2y&?Tv4!?AGG=R]ZDy/PVVa+DqiXAH*}DS&Nn*a+@<H,=!L
output.txt:
Encrypted Flag: 20408b9fc498063ad53a4abb53633a6a15df0ddaf173012d620fa33001794dbb8c038920273464e13170e26d08923aeb
Tag: 70ffcc508bf4519e7616f602123c307b
Nonce: d8ebeedec812a6d71240cc50
分析题目:
第一次看这种加密,但细看和AES加密很像,那么问题就很好解决了。
首先先把key求出来,试了一下是base92解码,然后得到正常的key,就可以还原flag了。
exp:
from Crypto.Cipher import ChaCha20_Poly1305
import binascii
key_hex="173974535637a5ef30a116b03d00bd2fe751951ca3eaa62daec2b8f5ca5b6135"
ciphertext_hex = "20408b9fc498063ad53a4abb53633a6a15df0ddaf173012d620fa33001794dbb8c038920273464e13170e26d08923aeb"
tag_hex = "70ffcc508bf4519e7616f602123c307b"
nonce_hex = "d8ebeedec812a6d71240cc50"
key = binascii.unhexlify(key_hex)
ciphertext = binascii.unhexlify(ciphertext_hex)
tag = binascii.unhexlify(tag_hex)
nonce = binascii.unhexlify(nonce_hex)
cipher = ChaCha20_Poly1305.new(key=key, nonce=nonce)
plaintext = cipher.decrypt_and_verify(ciphertext, tag)
print(f"Decrypted Flag: {plaintext.decode('utf-8')}")
蓝鲨的费马
task:
import libnum
import gmpy2
from Crypto.Util.number import *
flag=b'ISCTF{********}'
m=bytes_to_long(flag)
p=libnum.generate_prime(1024)
q=libnum.generate_prime(1024)
n=p*q
e=0x10001
c=pow(m,e,n)
d=inverse(e,(p-1)*(q-1))
leak = (d+(pow(p,q,n)+pow(q,p,n)))%n
print("c=", c)
print("n=", n)
print("leak=", leak)
"""
c= 8989289659072309605793417141528767265266446236550650613514493589798432446586991233583435051268377555448062724563967695425657559568596372723980081067589103919296476501677424322525079257328042851349095575718347302884996529329066703597604694781627113384086536158793653551546025090807063130353950841148535682974762381044510423210397947080397718080033363000599995100765708244828566873128882878164321817156170983773105693537799111546309755235573342169431295776881832991533489235535981382958295960435126843833532716436804949502318851112378495533302256759494573250596802016112398817816155228378089079806308296705261876583997
n= 13424018200035368603483071894166480724482952594135293395398366121467209427078817227870501294732149372214083432516059795712917132804111155585926502759533393295089100965059106772393520277313184519450478832376508528256865861027444446718552169503579478134286009893965458507369983396982525906466073384013443851551139147777507283791250268462136554061959016630318688169168797939873600493494258467352326974238472394214986505312411729432927489878418792288365594455065912126527908319239444514857325441614280498882524432151918146061570116187524918358453036228204087993064505391742062288050068745930452767100091519798860487150247
leak= 9192002086528025412361053058922669469031188193149143635074798633855112230489479254740324032262690315813650428270911079121913869290893574897752990491429582640499542165616254566396564016734157323265631446079744216458719690853526969359930225042993006404843355356540487296896949431969541367144841985153231095140361069256753593550199420993461786814074270171257117410848796614931926182811404655619662690700351986753661502438299236428991412206196135090756862851230228396476709412020941670878645924203989895008014836619321109848938770269989596541278600166088022166386213646074764712810133558692545401032391239330088256431881
"""
分析代码:
leak = (d+(pow(p,q,n)+pow(q,p,n)))%n
可化简为:
leak=d+p+q
-->d = leak -(p+q)
又因为m=c^d % n
把d代入化简
-->m = c^(leak -(p+q)) mod n
得到式子:c^(leak -(p+q))≡ c^leak * c^-(p+q) mod n ①
又可以又欧拉定理推得:
phi=(p-1)*(q-1)
c^phi≡ 1 mod n
-->1 ≡ c^(p*q + 1 - (p+q)) mod n
-->1 ≡ c^(n+1) * c^-(p+q) mod n
得到式子:c^-(n+1) ≡ c^-(p+q) mod n ②
把①和②式子合并得:
m = c^leak * c^-(n+1) mod n
exp:
from Crypto.Util.number import *
c= 8989289659072309605793417141528767265266446236550650613514493589798432446586991233583435051268377555448062724563967695425657559568596372723980081067589103919296476501677424322525079257328042851349095575718347302884996529329066703597604694781627113384086536158793653551546025090807063130353950841148535682974762381044510423210397947080397718080033363000599995100765708244828566873128882878164321817156170983773105693537799111546309755235573342169431295776881832991533489235535981382958295960435126843833532716436804949502318851112378495533302256759494573250596802016112398817816155228378089079806308296705261876583997
n= 13424018200035368603483071894166480724482952594135293395398366121467209427078817227870501294732149372214083432516059795712917132804111155585926502759533393295089100965059106772393520277313184519450478832376508528256865861027444446718552169503579478134286009893965458507369983396982525906466073384013443851551139147777507283791250268462136554061959016630318688169168797939873600493494258467352326974238472394214986505312411729432927489878418792288365594455065912126527908319239444514857325441614280498882524432151918146061570116187524918358453036228204087993064505391742062288050068745930452767100091519798860487150247
leak= 9192002086528025412361053058922669469031188193149143635074798633855112230489479254740324032262690315813650428270911079121913869290893574897752990491429582640499542165616254566396564016734157323265631446079744216458719690853526969359930225042993006404843355356540487296896949431969541367144841985153231095140361069256753593550199420993461786814074270171257117410848796614931926182811404655619662690700351986753661502438299236428991412206196135090756862851230228396476709412020941670878645924203989895008014836619321109848938770269989596541278600166088022166386213646074764712810133558692545401032391239330088256431881
m=pow(c,leak-n-1,n)
print(long_to_bytes(m))
小蓝鲨的数学题
task:
Base和Ciphertext
m = 5321153468370294351697008906248782883193902636120413346203705810525086437271585682015110123362488732193020749380395419994982400888011862076022065339666193
c = 7383779796712259466884236308066760158536557371789388054326630574611014773044467468610300619865230550443643660647968413988480055366698747395046400909922513
这题给的提示是 模数是2**512
题目给了底数,密文。典型的离散对数log
discrete_log_rho(a,base,ord,operation):
求解以base为底,a的对数;ord为base的阶,可以缺省,operation可以是+与*,默认为*;bounds是一个区间(ld,ud),需要保证所计算的对数在此区间内。
这里用python中sympy库自带的discrete_log可求得flag。
exp:
m = 5321153468370294351697008906248782883193902636120413346203705810525086437271585682015110123362488732193020749380395419994982400888011862076022065339666193
c = 7383779796712259466884236308066760158536557371789388054326630574611014773044467468610300619865230550443643660647968413988480055366698747395046400909922513
flag = discrete_log(2**512,c,m)
print(long_to_bytes(flag))
也可以用sage自带库:
#sage
from Crypto.Util.number import *
import gmpy2
m = 5321153468370294351697008906248782883193902636120413346203705810525086437271585682015110123362488732193020749380395419994982400888011862076022065339666193
c = 7383779796712259466884236308066760158536557371789388054326630574611014773044467468610300619865230550443643660647968413988480055366698747395046400909922513
p=2**512
flag = discrete_log(Mod(c,p),Mod(m,p))
print(long_to_bytes(flag))
小蓝鲨的方程
task:
from Cryptodome.Util.number import *
from random import *
from gmpy2 import *
import uuid
flag1='ISCTF{'+str(uuid.uuid4())+'}'
m1=bytes_to_long(flag1.encode())
def get_p():
BITS = 256
bits = 777
oder = 4
a = randint(1 << bits, 1 << bits + 1)
p=getPrime(BITS)
p1 = p**oder+a
return p,p1
p,p1=get_p()
s=getPrime(1024)
q=getPrime(512)
n=p*q**4
e=65537
c1=pow(s,e,n)
c=pow(s**3+1,m1,s**5)
print("c1=",c1)
print("c =",c)
print("n =",n)
print("p1 =",p1)
'''
c1= 671390498592586008552998377599101093977542184109077889081448730480869018650843045119891777468161631085086340705902115332025675787789530562679603254577287153918966364523848382506106179394235772395029788721306186952016420794804145631124905952103136061076643266886961178241381892015555099638200222249447194504082451341122502519637821695210573997670753981061458264118355417889153180841281073262935937836447460470926729282834006229571453935760593644658459098721652426154970766417292435960463905367868753821950303919781798234432998272038029063155193184039985018137026245365188171178677898869374676546799536208952198558258306460302868688355653022725288744014143221560882404431652751343944983442109327
c = 8641190030376811670503537177719719233418166235794962118828671236836174132083208517733734760455990850156371205118391537919769888760384574011411232571257192285256730733174399297826587479261381970232162702657952399683882650083181048279650913795429823628186888540572704055008102853692060360140858142686334722286525699998854566609078547487420929457446776757558492454916447188774943818970599916514467335772992690805247630814156710861067503956707301402347944233660194395192354000788262111000900574820275786269075882923600474781645848712157460135387134196156906258218217831988828360827613420801773911833194097791649069743116686685667300622630909231822986237104627385544169938138006242341269672868611269202418482629393372933567053272565557137741441902377611003983050084491513897727856173625922194300103448148829004025229567101761111396110940066254801762424343522707712480796358754008120503317686600144600226149617189681233392693738216138797012278242152852923361635415564580582002132107424154426980566696622448291815571736676562214017436
n = 1076246859437269645898003764327104347852443049519429833372038915264009774423737482018987571807662568251485615769880354898666799006772572239466617428164721157850526408878346223839884319846641438292436373441749602341461361190584638190903978829024853974880636148520803145113551453821058269641304504880310836801494499720662704717315748614372503735165114899680682056477494953525794354656896362929510309669119173103242509398650608116835276076364248473952717811633756784397347121601006659623317417388283638159905288128181587304367489096254611610975352096229116491567502061775862811850081040850421151385474249060884479729988512713640536139010928836126719149031115182144744359297169350288886555784650111
p1 = 145356063641618996012874664536921616978986640263438210169671010403677822239343590475177543891188656103067696467174379510912427160232486984044862545338401652910975162942038201716552753723984593267892098222213049269335313670049037479410635628460505327693176152061750827570561482918795206276991967169087371403553
'''
分析题目:
我们先看a,p和p1的生成,
a = randint(1 << bits, 1 << bits + 1)
p=getPrime(BITS)
p1 = p**oder+a
p1-a=p**oder左右两边开4次方,a也就会很好爆破了。然后再用next_prime逼进近似值p
这里求phi是用的欧拉定理的性质,具体可去看一下原理。
然后就是用二项式定理求出m1=(c-1)/s3%s6
exp:
from Crypto.Util.number import *
import gmpy2
c1= 671390498592586008552998377599101093977542184109077889081448730480869018650843045119891777468161631085086340705902115332025675787789530562679603254577287153918966364523848382506106179394235772395029788721306186952016420794804145631124905952103136061076643266886961178241381892015555099638200222249447194504082451341122502519637821695210573997670753981061458264118355417889153180841281073262935937836447460470926729282834006229571453935760593644658459098721652426154970766417292435960463905367868753821950303919781798234432998272038029063155193184039985018137026245365188171178677898869374676546799536208952198558258306460302868688355653022725288744014143221560882404431652751343944983442109327
c = 8641190030376811670503537177719719233418166235794962118828671236836174132083208517733734760455990850156371205118391537919769888760384574011411232571257192285256730733174399297826587479261381970232162702657952399683882650083181048279650913795429823628186888540572704055008102853692060360140858142686334722286525699998854566609078547487420929457446776757558492454916447188774943818970599916514467335772992690805247630814156710861067503956707301402347944233660194395192354000788262111000900574820275786269075882923600474781645848712157460135387134196156906258218217831988828360827613420801773911833194097791649069743116686685667300622630909231822986237104627385544169938138006242341269672868611269202418482629393372933567053272565557137741441902377611003983050084491513897727856173625922194300103448148829004025229567101761111396110940066254801762424343522707712480796358754008120503317686600144600226149617189681233392693738216138797012278242152852923361635415564580582002132107424154426980566696622448291815571736676562214017436
n = 1076246859437269645898003764327104347852443049519429833372038915264009774423737482018987571807662568251485615769880354898666799006772572239466617428164721157850526408878346223839884319846641438292436373441749602341461361190584638190903978829024853974880636148520803145113551453821058269641304504880310836801494499720662704717315748614372503735165114899680682056477494953525794354656896362929510309669119173103242509398650608116835276076364248473952717811633756784397347121601006659623317417388283638159905288128181587304367489096254611610975352096229116491567502061775862811850081040850421151385474249060884479729988512713640536139010928836126719149031115182144744359297169350288886555784650111
p1 = 145356063641618996012874664536921616978986640263438210169671010403677822239343590475177543891188656103067696467174379510912427160232486984044862545338401652910975162942038201716552753723984593267892098222213049269335313670049037479410635628460505327693176152061750827570561482918795206276991967169087371403553
pp=gmpy2.iroot(p1,4)[0]
for a in range(3000):
b=pp-a
p=gmpy2.next_prime(b)
if n%p==0:
q=gmpy2.iroot((n // p), 4)[0]
phi=(p-1)*(q-1)*(q**3)
d=inverse(65537,phi)
s=int(pow(c1,d,n))
m=((c-1)//s**3)%s**6
print(long_to_bytes(m))
break
小蓝鲨的密码
打开附件发现有一个txt和图片还有个压缩包,压缩包要用密码打开,所以题目意思很明确了,用密码打开压缩包,具体密码怎么获得先看txt文件:
U2FsdGVkX1/spa9kXpumHMXclw7hNOVc6ySFWYESHjfM5igIuKER30eSBp5NS0vMjkBa4Za6NgQbHVW/hJRiGA==这一串u2Fsd开头一眼是AES或者rabbit加密,然后现在就是去找密码,大概是在图片上找,在图片上试了一番什么图片影像,图片分离后无果,注意到题目名字,就试着去打开压缩包,没想到真的成功了,打开后里面是密码字典,找到最显眼的 isctf2024 试着去解码AES即可
蓝鲨的RSA
task:
from secret import flag
import gmpy2
import decimal
from Crypto.Util.number import *
def gethint(h,p):
decimal.getcontext().prec = 1024
H = decimal.Decimal(int(h))
P = decimal.Decimal(int(p))
leak = decimal.Decimal((8*H*P - 1) / (16*P*P))
return leak
p = getPrime(512)
q = getPrime(512)
f = getPrime(512)
g = getPrime(128)
h = gmpy2.invert(f, p) * g % p
n = f*q
e = 65537
m = bytes_to_long(flag)
c = pow(m,e,n)
print('c =', c)
print('hint =', gethint(h,p))
print('n =',n)
#c = 587245179027322480379581200283415189810421958968516831191660631552695197401940961725169763339428980298128692606951200581483431566182271569207988054537414289564013883171160614196522169980339024564884190765084419167938640701193928669
#hint = 0.2427542737153618793334900104191212626446625872340179613972610728976081994921862517310186626304527115125924716035632505287111236596234811779375148657365336957626454491865164520834975233144235103885081268955448330597818844340656652982593545877449810282619387305007246499089258519062093814083383071737897364213169497762760797899310673216754376885295598952272100016962368762532805864796748393317534908268379601445004775495237901072144236328105526403608646831124542336002540011176406194984370372589752234640498423911217119220030242197564695880261480071310815379681250975672935544404797155655708441222387631967447088319826137200280810029390387418159394276760100487636516708987579464183208860911063948902432948269805493252899815187044807603000344378890835564906163242023600624338694473573763088471321731611077227112205396909637906507673367598721218000123789690455125909411309668615810240938664264212370815385282488986625554704015828254539339719586211726300858711328516487805251366293457402531199532556110786048074755505680210260049
#n = 839799159583571337450826982895478997157381520448790705455708438948150905361244823725400304016136863419723271227616684280477524669207590477657886623628732394537008838314015048569652202355464477680540884654473950183135276735347866051
先用连分数逼进分数,然后求p的近似值,再恢复h1,再构造NTRU,参考链接:https://dexterjie.github.io/2023/07/29/%E6%A0%BC%E5%AF%86%E7%A0%81%E5%85%A5%E9%97%A8/
exp:
import gmpy2
from Crypto.Util.number import *
from fractions import Fraction
leak = 0.2427542737153618793334900104191212626446625872340179613972610728976081994921862517310186626304527115125924716035632505287111236596234811779375148657365336957626454491865164520834975233144235103885081268955448330597818844340656652982593545877449810282619387305007246499089258519062093814083383071737897364213169497762760797899310673216754376885295598952272100016962368762532805864796748393317534908268379601445004775495237901072144236328105526403608646831124542336002540011176406194984370372589752234640498423911217119220030242197564695880261480071310815379681250975672935544404797155655708441222387631967447088319826137200280810029390387418159394276760100487636516708987579464183208860911063948902432948269805493252899815187044807603000344378890835564906163242023600624338694473573763088471321731611077227112205396909637906507673367598721218000123789690455125909411309668615810240938664264212370815385282488986625554704015828254539339719586211726300858711328516487805251366293457402531199532556110786048074755505680210260049
c = 587245179027322480379581200283415189810421958968516831191660631552695197401940961725169763339428980298128692606951200581483431566182271569207988054537414289564013883171160614196522169980339024564884190765084419167938640701193928669
n = 839799159583571337450826982895478997157381520448790705455708438948150905361244823725400304016136863419723271227616684280477524669207590477657886623628732394537008838314015048569652202355464477680540884654473950183135276735347866051
cf = continued_fraction(leak)
list_numden=cf.convergents()
numerator_list=[]
denominator_list=[]
for i in list_numden:
fraction=Fraction(i)
numerator = fraction.numerator()
denominator = fraction.denominator()
denominator_list.append(denominator)
for i,p in enumerate(denominator_list):
if gmpy2.iroot(p//16,2)[1]==True:
p1= int(gmpy2.iroot(p//16,2)[0])
e=65537
h=525006825733225408907597067990642584862207418097213674443701993658004487397784939081087821440376288434095962749583145952889046963712522108407121467693817733948555003104602864877809068405079168763660338489863597493767710662358756925070265792090561589011628760109484806572919266760895186597799962875710969125263
h1=(h+1)//(8*p1)
M=matrix(ZZ,[[h1,1],
[p1,0]])
f=int(M.LLL()[0][1])
q=n//f
phi=(q-1)*(f-1)
d=gmpy2.invert(e,int(phi))
m=pow(c,d,n)
print(long_to_bytes(int(m)))
ezmath
task:
import random
import base64
from hashlib import md5
from secret import flag
from libnum import s2n
from Crypto.Cipher import AES
INF = 0xff
bigINF = 0xffffffff
# ---------------------error------------------------------
def sumFunc(func):
def wapper(*args,start = 1,end=INF):
sums = 0
for i in trange(start, 0xffff * end):
sums += function(*args,j/0xf) * (1/0xf)
return sums
return wapper
def limitFunc(func):
def wapper(*args, approch = bigINF, pos = "+"):
o = 1/bigINF
return function(args, eval(f"{approch} {pos} {o}"))
return wapper
# -------------------enderror-----------------------------
def pad(data):
data=data.encode('utf8')
while len(data) % 16 !=0:
data+=b'\x00'
return data
def encode(key,m):
mode=AES.MODE_ECB
aes=AES.new(pad(key),mode)
en_m=aes.encrypt(pad(m))
en_m=base64.encodebytes(en_m)
en_m=en_m.decode('utf8')
return en_m
def enc(msg, key):
random.seed(key)
new_key = md5(str(random.getrandbits(256)).encode('utf-8')).hexdigest()
return encode(new_key, msg)
@sumFunc
def gamma(x,t):
data = pow(t,x-1) * pow(magicNumber,-t)
return data
@sumFunc
def common(t):
data = pow(magicNumber,-pow(t,2))
return data
@limitFunc
def getMagicNumber(t):
data = pow(1+1/t,t)
return data
magicNumber = getMagicNumber()
encKey1 = str(gamma(3/2))[2:6]
encKey2 = str(common())[2:6]
assert encKey1 == encKey2
key = int(str(gamma(5/2))[2:])
print(enc(flag, key))
# n2SQK64JMsXstCtZurBiz81pMr3ZmgMjhuyL67hssm3shqJGYGfS/mWubINeE5HZ
看到gamma ,sage自带gamma:
再求出他的值,取小数点前15位为:329340388179137
这样就可以求得key了 ,直接逆一下求得flag。
import random
import base64
from hashlib import md5
from Crypto.Cipher import AES
def pad(data):
data = data.encode('utf8')
while len(data) % 16 != 0:
data += b'\x00'
return data
def decode(key, en_m):
mode = AES.MODE_ECB
aes = AES.new(pad(key), mode)
en_m = base64.decodebytes(en_m.encode('utf8'))
de_m = aes.decrypt(en_m)
return de_m.decode('utf8').rstrip('\x00')
def dec(encrypted_msg, key):
random.seed(key)
new_key = md5(str(random.getrandbits(256)).encode('utf-8')).hexdigest()
return decode(new_key, encrypted_msg)
key = 329340388179137
encrypted_msg = "n2SQK64JMsXstCtZurBiz81pMr3ZmgMjhuyL67hssm3shqJGYGfS/mWubINeE5HZ"
flag = dec(encrypted_msg, key)
print(flag)
转载
分享
0 条评论
可输入 255 字
发布投稿
