[moeCTF 2023] crypto

这个比赛从8月到10月，漫长又不分段。结束了以后前边的都基本上忘光了。还是分段提交的好点，有机会写写。不过反正也是新生赛，又不是新生只是打个热闹。

ezrot

厨子解决大部分问题

可可的新围墙

给了1个串

mt3_hsTal3yGnM_p3jocfFn3cp3_hFs3c_3TrB__i3_uBro_lcsOp}e{ciri_hT_avn3Fa_j

经过思考发现根据头确定处理的顺序


a = 'mt3_hsTal3yGnM_p3j'
b = 'ocfFn3cp3_hFs3c_3TrB__i3_uBro_lcsOp}'
c = 'e{ciri_hT_avn3Fa_j'
 
flag = ''
for i in range(18):
    flag += a[0]+b[0]+c[0]+b[1]
    a = a[1:]
    b = b[2:]
    c = c[1:]
    print(flag)

皇帝的新密码

tvljam{JhLzhL_JPwoLy_Pz_h_cLyF_zPtwPL_JPwoLy!_ZmUVUA40q5KbEQZAK5Ehag4Av}

结构都已经有了，只是这偏移怎么上移法，根据头判断

不是“皇帝的新密码”

scsfct{wOuSQNfF_IWdkNf_Jy_o_zLchmK_voumSs_zvoQ_loFyof_FRdiKf_4i4x4NLgDn}

维吉尼亚密码，试出头来就出来了

猫言喵语

喵喵？喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵喵喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵喵喵喵喵喵喵？喵喵喵喵喵？喵喵喵喵喵喵喵喵喵喵喵？喵喵喵喵喵喵喵喵喵喵喵？喵喵喵喵喵喵喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵？喵喵喵喵喵喵喵喵？喵喵？喵喵？喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵喵喵喵喵喵喵？喵喵喵喵喵？喵喵？喵喵喵喵喵喵喵喵？喵喵？喵喵喵喵喵？喵喵喵喵喵？喵喵喵喵喵？喵喵喵喵喵喵喵喵？

有3种符号，明显是用空格来分隔的。经测试喵喵?转成. 喵喵喵转成- 转成摩尔斯码

- .... . ..--.- -.- .- .-- .- .. .. ..--.- -.-. .- - ..--.- -... ..- - ..--.- -... . ..--.- -.-. .- .-.. .-.. . -.. ..--.- --. --- ..- --.. .. ..--.- -... -.-- ..--.- .-. -..-

THE_KAWAII_CAT_BUT_BE_CALLED_GOUZI_BY_RX

baby_e


from Crypto.Util.number import getPrime,bytes_to_long
 
p,q = getPrime(2048),getPrime(2048)
e = 7
n = p*q
m = bytes_to_long(open('flag.txt','rb').read().strip())
c = pow(m,e,n)
print("c = ",c)
print("n = ",n)
 
# c =  147693154873835354725007152781732424355869776162377337823960431913672366269917723916891506269449726723757821517328874729037838600793748824028829185409932536014732765063216715033843955453706710187792772702199448156372644163429786386035008302836467605094954587157232829525150652611067567669525072625329634860065850520051628272535479197120008981979404760445193750864902244921407742155742716289495581989134730376783828846663464819337418977287363028738701414486788851136608957124505485242331701209645216580641917007780811842757125048746184068597664780265422321550909392419865169775282217442331295071069272774722564587602419768461231775480847018941840911357926330143045826277813722919121117172763493242590521245640828462665947672485094793188432098216701511715232654611338293295459889814699850788048985878279440740712956248569068077253790198036918598519191892836075254345518967666166925163908185663991353344555402397055977817370082929420443034626201745027965444069777059760865359310439815816749939498993014457995041394803598825093836045546578310632172636478575946653375857640993393714607308326474003446154152048840071034349831168612740218034679021240949747357214453636633636662650940968576792518622437627529244515229173
# n =  553409369582823237678532685244026647155180191225879439432235077135813123637186465008813830373646133388592395760175777499266561095087891764348044063111935877931069321764391883899483374576303169645488542398590564148654412004383012178107972880058460460806768779452529433458826925606225797078653905380530651390617109384086518728626571028089036812787671647095695947167204428442727185744172445701874820612799168887428075695751162763647868386879374037826876671079326544820609721731078985096813307183878793033824330869698508952853770794414757655681370862323768018291030331209143189638496644361618184164228294031490537429556439588954274708598530042700988138862000054458742762198052079867259365645914383561162796796952346445529346145323567650621600171442575319262718389389870407629339714751583360252884338116164466349449862781112019462555743429653595045695696967783338371470032332852204294900011651434678829104876529439166176589508898757122660322523937330848536715937381297551894198974459004139082562228022412335520195652419375915216074658463954339332593244483927157329404652516225481116614815221154229491846087288087715884363786672244655901308480290011237244562251084095684531716327141154558809471185132979704992609461470501119328696999713829

很明显e很小，而且明显c开方

bad_e


from Crypto.Util.number import *
p = getPrime(512)
q = getPrime(512)
e = 65537
 
print(p) # 6853495238262155391975011057929314523706159020478084061020122347902601182448091015650787022962180599741651597328364289413042032923330906135304995252477571
print(q) # 11727544912613560398705401423145382428897876620077115390278679983274961030035884083100580422155496261311510530671232666801444557695190734596546855494472819
 
with open("flag.txt","r") as fs:
    flag = fs.read().strip()
 
m = bytes_to_long(flag.encode())
c = pow(m,e,p*q)
print(c) # 63388263723813143290256836284084914544524440253054612802424934400854921660916379284754467427040180660945667733359330988361620691457570947823206385692232584893511398038141442606303536260023122774682805630913037113541880875125504376791939861734613177272270414287306054553288162010873808058776206524782351475805

n已经分解好了

flag = long_to_bytes(pow(c,invert(e,(p-1)*(q-1)),p*q))

factor_signin


from Crypto.Util.number import getPrime
from math import prod
 
with open("flag.txt","rb") as f:
    flag = f.read().strip()
assert len(flag) == 72
 
m1 = int.from_bytes(flag[:36],"big")
m2 = int.from_bytes(flag[36:],"big")
 
e = 65537
 
p,q = getPrime(2048),getPrime(2048)
n1 = p*q
c1 = pow(m1,e,n1)
print("c1 = ",c1)
print("n1 = ",n1)
 
primes = [getPrime(64) for _ in range(32)]
n2 = prod(primes)
c2 = pow(m2,e,n2)
print("c2 = ",c2)
print("n2 = ",n2)

第1部分，n1可以查到分解，第2部分都是小素数，可以很容易分解


c1 =  10004937130983861141937782436252502991050957330184611684406783226971057978666503675149401388381995491152372622456604317681236160071166819028679754762162125904637599991943368450200313304999566592294442696755822585022667008378021280392976010576970877334159755332946926433635584313137140987588847077645814987268595739733550220882135750267567373532603503399428451548677091911410732474324157868011686641243202218731844256789044721309478991918322850448456919991540932206923861653518190974620161055008847475600980152660468279765607319838003177639654115075183493029803981527882155542925959658123816315099271123470754815045214896642428657264709805029840253303446203030294879166242867850331945166255924821406218090304893024711068773287842075208409312312188560675094244318565148284432361706108491327014254387317744284876018328591380705408407853404828189643214087638328376675071962141118973835178054884474523241911240926274907256651801384433652425740230755811160476356172444327762497910600719286629420662696949923799255603628210458906831175806791599965316549386396788014703044837917283461862338269599464440202019922379625071512100821922879623930069349084917919100015782270736808388388006084027673781004085620817521378823838335749279055639005125
n1 =  343504538870081878757729748260620800783581983635281373321527119223374418103340873199654926888439040391545101913132680017655039577253974802351999985470115474655124168592386965001556620077117966153475518658881140827499124290142523464795351995478153288872749817655925271395693435582010998996210909883510311066017237567799370371513462802547313382594409676803895262837061350017911885033133654781876923251129406855067993830824618637981136966134029212516871210627954762147349788788999116702635535406398258621926040887099782494271000823401788337120154104692934583729065189687995570122890809807661370008740283447636580308161498808092269041815719148127168137018600113465985504975054319601741498799761500526467431533990903047624407330243357514588557352746347337683868781554819821575385685459666842162355673947984514687068626166144076257334426612302554448774082488600083569900006274897032242821388126274957846236552373226099112200392102883351088570736254707966329366625911183721875374731791052229266503696334310835323523568132399330263642353927504971311717117370721838701629885670598853025212521537158141447625623337563164790788106598854822686494249848796441153496412236527242235888308435573209980270776407776277489669763803746640746378181948641
p1 = 18055722101348711626577381571859114850735298658417345663254295930584841136416234624852520581982069555948490061840244710773146585295336094872892685938420880462305333393436098181186277450475949236132458958671804132443554885896037342335902958516394876382378829317303693655605215373555988755516058130500801822723195474873517960624159417903134580987202400855946137101429970119186394052011747475879598126195607938106163892658285305921071673588966184054026228745012993740035399652049777986535759039077634555909031397541116025395236871778797949216479130412500655359057128438928721459688727543057760739527720641179290282309741
q1 = 19024691283015651666032297670418553586155390575928421823630922553034857624430114628839720683172187406577114034710093054198921843669645736474448836706112221787749688565566635453151716934583685087745112614898780150391513798368931496744574075511968933800467288441832780919514199410584786925010518564670786685241724643282580795568609339268652910564215887176803735675069372979560024792322029911970574914829712553975379661212645059271137916107885326625543090473004683836665262304916304580076748336858662108554591235698235221618061328251985929904075811056422186525179189846420226944944513865790999242309352900287977666792901
m1 = long_to_bytes(pow(c1,inverse(e, (p1-1)*(q1-1)),n1))
print(m1)
 
c2 =  4948422459907576438725352912593232312182623872749480015295307088166392790756090961680588458629287353136729331282506869598853654959933189916541367579979613191505226006688017103736659670745715837820780269669982614187726024837483992949073998289744910800139692315475427811724840888983757813069849711652177078415791290894737059610056340691753379065563574279210755232749774749757141836708161854072798697882671844015773796030086898649043727563289757423417931359190238689436180953442515869613672008678717039516723747808793079592658069533269662834322438864456440701995249381880745586708718334052938634931936240736457181295
n2 =  8582505375542551134698364096640878629785534004976071646505285128223700755811329156276289439920192196962008222418309136528180402357612976316670896973298407081310073283979903409463559102445223030866575563539261326076167685019121804961393115251287057504682389257841337573435085535013992761172452417731887700665115563173984357419855481847035192853387338980937451843809282267888616833734087813693242841580644645315837196205981207827105545437201799441352173638172133698491126291396194764373021523547130703629001683366722885529834956411976212381935354905525700646776572036418453784898084635925476199878640087165680193737
 
ps = [
15211380502610462057,
11853704782834170959,
14397830993057803133,
12404642343676224637,
16408421615173973083,
10049235158029375571,
13645878578452317313,
10596280721192026229,
10864078180916418691,
15332916111580607077,
13062839684118954553,
15751974537676958401,
14813953870710226847,
12034779627328165471,
9949603102225364603 ,
17289161209347211817,
16123604149048919099,
14678737767649343977,
17673334943789572513,
11092420583960163379,
18345408081492711641,
14745811312384518031,
10547615587767500213,
16870346804576162551,
17093292308638969889,
18390046459144888243,
18106525049998616747,
15175734709842430433,
14619040595108594017,
17543713628803023199,
12448177342966243757,
17265001711647542137]
 
phi = 1
for v in ps:
    phi*=v - 1
 
d = inverse(e,phi)
m2 = long_to_bytes(pow(c2,d,n2)) 
#moectf{fACtord6_And_YAfu_Are_6oth_good_utils_to_fACtorize_num6ers_ff90S}

feistel

寻找中。。。。看最后一题吧，是同一个题，一开始作的那个，那个没给key这个给了，比那个简单。

n&n

共模攻击


from Crypto.Util.number import *
 
p = getPrime(1024)
q = getPrime(1024)
 
with open("flag.txt","r") as f:
    flag = f.read().strip().encode()
 
m = bytes_to_long(flag)
n = p * q
e1 = 0x114514
e2 = 19198101
 
c1 = pow(m,e1,n)
c2 = pow(m,e2,n)
print(c1) 
print(c2)
print(n)
 
c1 =  5776799746376051463605370130675046329799612910435315968508603116759552095183027263116443417343895252766060748671845650457077393391989018107887540639775168897954484319381180406512474784571389477212123123540984850033695748142755414954158933345476509573211496722528388574841686164433315356667366007165419697987147258498693175698918104120849579763098045116744389310549687579302444264316133642674648294049526615350011916160649448726069001139749604430982881450187865197137222762758538645387391379108182515717949428258503254717940765994927802512049427407583200118969062778415073135339774546277230281966880715506688898978925
c2 = 4664955020023583143415931782261983177552050757537222070347847639906354901601382630034645762990079537901659753823666851165175187728532569040809797389706253282757017586285211791297567893874606446000074515260509831946210526182765808878824360460569061258723122198792244018463880052389205906620425625708718545628429086424549277715280217165880900037900983008637302744555649467104208348070638137050458275362152816916837534704113775562356277110844168173111385779258263874552283927767924979691542028126412133709129601685315027689094437957165812994784648540588277901241854031439324974562449032290219652206466731675967045633360
n =13612969130810965900902742090064423006385890357159609755971027204203418808937093492927060428980020085273603754747223030702684866992231913349067578014240319426522039068836171388168087260774376277346092066880984406890296520951318296354893551565670293486797637522297989653182109744864444697818991039473180752980752117041574628063002176339235126861152739066489620021077091941250365101779354009854706729448088217051728432010328667839532327286559570597994183126402340332924370812383312664419874352306052467284992411543921858024469098268800500500651896608097346389396273293747664441553194179933758992070398387066135330851531


e1 = 0x114514
e2 = 19198101
g, x1, x2 = gmpy2.gcdext(e1,e2)   #g!=1, e有公因子需要再开根号
m = pow(c1,x1,n)*pow(c2,x2,n) % n
print(long_to_bytes(int(gmpy2.iroot(m,g)[0])))
 
#moectf{dO_nOt_u53_5AM3_MOdulu5_tO_3ncrYPt_dIFF3r3nt_dAtA!_JY63x33iiA0Ji}

|p-q|

费马分解，p,q距离很近。不过很多软件都会，也可以不必自己用费马分解。


with open("flag.txt","rb") as fs:
    flag = fs.read().strip()
assert len(flag) == 72
 
m = int.from_bytes(flag,"big")
 
from Crypto.Util.number import getPrime, isPrime
 
def next_prime(p):
    while True:
        p += 2
        if isPrime(p):
            return p
 
p = getPrime(2048)
q = next_prime(p)
n = p * q
e = 65537
c = pow(m,e,n)
print("n =",n)
print("c =",c)
 
e = 65537
n = 329960318345010350458589325571454799968957932130539403944044204698872359769449414256378111233592533561892402020955736786563103586897940757198920737583107357264433730515123570697570757034221232010688796344257587359198400915567115397034901247038275403825404094129637119512164953012131445747740645183682571690806238508035172474685818036517880994658466362305677430221344381425792427288500814551334928982040579744048907401043058567486871621293983772331951723963911377839286050368715384227640638031857101612517441295926821712605955984000617738833973829140899288164786111118033301974794123637285172303688427806450817155786233788027512244397952849209700013205803489334055814513866650854230478124920442832221946442593769555237909177172933634236392800414176981780444770542047378630756636857018730168151824307814244094763132088236333995807013617801783919113541391133267230410179444855465611792191833319172887852945902960736744468250550722314565805440432977225703650102517531531476188269635151281661081058374242768608270563131619806585194608795817118466680430500830137335634289617464844004904410907221482919453859885955054140320857757297655475489972268282336250384384926216818756762307686391740965586168590784252524275489515352125321398406426217
c = 307746143297103281117512771170735061509547958991947416701685589829711285274762039205145422734327595082350457374530975854337055433998982493020603245187129916580627539476324521854057990929173492940833073106540441902619425074887573232779899379436737429823569006431370954961865581168635086246592539153824456681688944066925973182272443586463636373955966146029489121226571408532284480270826510961605206483011204059402338926815599691009406841471142048842308786000059979977645988396524814553253493672729395573658564825709547262230219183672493306100392069182994445509803952976016630731417479238769736432223194249245020320183199001774879893442186017555682902409661647546547835345461056900610391514595370600575845979413984555709077635397717741521573798309855584473259503981955303774208127361309229536010653615696850725905168242705387575720694946072789441481191449772933265705810128547553027708513478130258801233619669699177901566688737559102165508239876805822898509541232565766265491283807922473440397456701500524925191214292669986798631732639221198138026031561329502985577205314190565609214349344303324429408234237832110076900414483795318189628198913032900272406887003325858236057373096880675754802725017537119549989304878960436575670784578550


from math import isqrt,is_square
def factorize(N):
    """
    Recovers the prime factors from a modulus using Fermat's factorization method.
    :param N: the modulus
    :return: a tuple containing the prime factors, or None if the factors were not found
    """
    a = isqrt(N)
    b = a * a - N
    while b < 0 or not is_square(b):
        a += 1
        b = a * a - N
    
    p = a - isqrt(b)
    q = N // p
    if p * q == N:
        return p, q
 
p,q = factorize(n)
 
 
 
>>> from Crypto.Util.number import *
>>> d = invert(e,(p-1)*(q-1))
>>> m = pow(c,d,n)
>>> long_to_bytes(m)
b'moectf{it_iS_vUlnErablE_iF_p_iS_aboUt_thE_SaME_SiZE_aS_Q_MVoAYArrlG3uco}'

rsa_signin

给了一堆n,c这里边有一对有公因子


with open("flag.txt","rb") as f:
    flag = f.read().strip()
 
m = int.from_bytes(flag, "big")
e = 65537
 
from Crypto.Util.number import getPrime
 
for x in range(10):
    p = getPrime(1024)
    q = getPrime(1024)
    n = p * q
    c = pow(m, e, n)
 
    print("n =", n)
    print("c =", c)
 
 
 
n1 = 17524722204224696445172535263975543817720644608816706978363749891469511686943372362091928951563219068859089058278944528021615923888948698587206920445508493551162845371086030869059282352535451058203615402089133135136481314666971507135484450966505425514285114192275051972496161810571035753943880190780759479521486741046704043699838021850105638224212696697865987677760179564370167062037563913329993433080123575434871852732981112883423565015771421868680113407260917902892944119552200927337996135278491046562185003012971570532979090484837684759828977460570826320870379601193678304983534424368152743368343335213808684523217
c1 = 6870605439714128574950893771863182370595667973241984289208050776870220326525943524507319708560433091378319367164606150977103661770065561661544375425887970907060665421562712515902428061727268441585629591525591001533188276465911918724808701356962871139957343861919730086334623932624184172272488406793955068827527130338853980609365042071290967556159598511667974987218999253443575482949258292953639729393456515185185102248985930422080581185292420347510600574229080211050520146551505605537486989306457793451086767402197128573781597156939709237045132856159368959981648969874765462190363842275826077556314448408825308218451
n2 = 24974121071274650888046048586598797033399902532613815354986756278905133499432183463847175542164798764762683121930786715931063152122056911933710481566265603626437742951648885379847799327315791800670175616973945640322985175516271373004547752061826574576722667907302681961850865961386200909397231865804894418194711076667760169256682834206788730947602211228930301853348503098156592000286467190760378847541148772869356389938999094673945092387627113807899212568399028514283219850734634544982646070106811651490010946670117927664594365986238107951837041859682547029079035013475238052160645871718246031144694712586073789250183
c2 = 10324627733161143472233272675096997859064721978612320424254305978486200326061730105384511258706433940176741256952824288120499229240005823611541292676234913505775165761543820764046537413943393325463602612485849366939102550336256797820440347815027443410399157963547486098366749815425187247171697678576246606105486928212486117878157055321965270364583625270716186820068538749425299073309429589410882809098930213978117176627031795312102177342499674234163614021182116065492884880492891668658240362567156235958605768725892407536211503981819707919444725863397622629226309480836486427388484176463279384813974310500625102568341
n3 = 14215826065753265334521416948225868542990756976323308408298887797364519400310818641526401662106853573185085731682502059761982246604277475488691297554851873224516934619888327644352138127883043558424300092247604877819821625587944308487310522092440517150600171819145803937177931473336108429889165189521078678397694303305705260759351843006130968234071638035667854938070597400634242396852782331461576526836227336952718230741560369621645218729592233657856104560425642219241082727756696967324334634822771842625681505869025740662258929200756109704988223034840699133778958569054445520305361142302393767439478256174414187983763
c3 = 415916446053083522663299405080903121619846594209033663622616979372099135281363175464579440520262612010099820951944229484417996994283898028928384268216113118778734726335389504987546718739928112684600918108591759061734340607527889972020273454098314620790710425294297542021830654957828983606433731988998097351888879368160881316237557097381718444193741788664735559392675419489952796677690968481917700683813252460912749931286739585465657312416977086336732056497161860235343155953578618273940135486362350057858779130960380833359506761436212727289297656191243565734621757889931250689354508999144817518599291078968866323093
n4 = 12221355905532691305226996552124162033756814028292708728711809229588190407700199452617060657420166395065565154239801465361510672853972152857415394695376825120759202857555325904640144375262531345320714166285999668052224661520834318497234299585219832943519644095197479639328120838919035625832361810964127485907587199925564724081163804724975965691571850962714258888527902920462746795712011579424322515292865504642938090200503979483095345893697972170153990274670257331483858538617460680462369680572833191232126527727222302641204529110948993583190295067970240051042000918629138767209918572311469915774910003970381965123241
c4 = 2248834602646305164283014556051672824689884721514190813323189875541899566338153534858709617544459297836048770439230174669883719627734394673012731609952869246171300132019334542245094425654362711870373095782083791160029789553806741967408922001051006100049326921742208757147339981269528740944842177729701945606827918253016001436218891580980192743564642120923356793292885805519110411357830040053435569937296612987581482128241218218550319154933831743819546558930918761162723110000328532730751591375727881221199739397698390594797621758011191224528339478784930214820615602510460640307707682865125229937141010351138099874025
n5 = 18152103454920389919231636321286527841833809319334215885641536161086810144890443857211776387914779781628740172079478910188540146498426564211851629962338413488555121865779016981727229209606498886170396500155102635962395243364899026418106378234307821492609778555173516000309435730752571818439328803899462791834490025768785383592935046996428331508608555503567191807692523852530836008436655164751054189301721070209363416058642811329040202582026786024825518381761299547703962502636888833428457116986351812252188468878701301184044948733274488264320930936362549028124581962244201377136969591119942276742760215403738913067567
c5 = 2797812094994121597295362327809389195134238119144547570610194659000554967367804835006774413888965325870488368112707535584687083342412367127561646136089638402907513075405746055834487062923240856950047936297155455745928810738711368950139327254040579266046642851362228893522740216519732851152162928545416236075387903789535000820423985522550638100049857678600662008021574841083416323980817348573062083159710189689337626277009675683473560325178417766400002763719953723259300977655801234386662217462862844994462505601804422871991694828697337752697234180117437785537788728412520613916334045368736691714704501962513954509705
n6 = 22877887459293720334652698748191453972019668578065068224653972884599636421200068659750242304040301306798039254241668648594556654589309801728248683586229288074709849246660525799452637187132633064172425677552176203292787732404537215347782229753837476655088638984496409603054524994383358547132112778403912563916886533181616856401929346567686400616307916690806467019665390260267596320840786982457521423178851498130935577260638269429250197050326097193841333205073650802709022947551398142692735680419453533128176592587955634333425401930362881423044363132586170013458300714163531162544301477356808388416864173949089028317961
c6 = 12271947322974809255127222556723394446467844330408506340843897575503534175121932185624776713618037572593449207329510171212097269297133492090526270770286000839978630002819714376964416081198925899119135271459404333829811516667576167576916805217016117373027245648473458331936273975110163065432285322832123169216976420362833557809289561705091817949915218278430834098156335989014645979633658818904753942786129126233956314517292746008579152368541316795082120147520597254020266752859205131887527661767589367756335766220841483940854397440079467053684289006956034944336788288196391829411432383541473132962783883758561108297747
n7 = 19844333358004073542783728196775487079202832688982038135532362073659058674903791697765527614270399097276261983744620537925712167578187109058145015032736796457938148615396547198728652435169126585595701228287449135664667959433491335769206692390262797325133960778920452511673878233190120432257482339068405290918739453464061987163074129048150451046315248186376609350095502130018696275764450248681787926130463463923862832714969425813770847493135627599129546112143050369344208092649256659330284904392961574494907186727388685504929586018639846040474616307662546605623294842316524163106100888851228858194942825157286544846177
c7 = 9531264751315473345056673937611382755236533664089452852716992791452558274873158812669513178040971923528201631609089069182049526587423864397527252061341857426422965190913745048414029690931254119437249218321954899956104589066479231204536856131403590472063496956452030342299863907499976917750846369802185896519725837163530049157920978007252920334447236842959033879772444475877613295594785710745889554296655932909212643500877218304116451889820444820534937901427158918411546484157737612926382420354101675658160847653151539420222526999426483473829341628599881460824765758346670633385844187252696874025582747177333702736465
n8 = 16956880944655068255446705024149899655327230949463546092744762226005904114738078692036960935391303255804754787864713189658290361949509917704853428701870609882427423574672772606814823959758208695540116440342488334213300943604780971422918744381486937517952553797134323570131582724393100092308466968491068503301604506186521656059375518680612292667310641047190088814753025794048591445267711939066523165042651430468971452726568222388482323097260496415484997546126185688914792795834046855221759289007609518312601640548469651358391745947588643697900883634533872314566389446271647587564348026861264979727062157272541149018781
c8 = 16110326928338602237561005337578085623028116490564329920738844771341250444164294693848130674347672763073995755532723894042946521372321947507527854966013459795492930736187058535665041545095683801386814190612817128504426590828954205050425979880047802547011117626354405687170961272200066258220699329112978151044633994329352673342582175349200008181837211288847301836681860817044391028992501763375849046751094019224570802498414368189170656992427042010362385494565216988561215657424755648213390551881450141899860811844684546992754530755092358644968088017107313907435586729574798046187046145596726569637758312033849476689378
n9 = 16472195897077185060734002588086375750797253422014472876266294484788862733424113898147596402056889527985731623940969291811284437034420929030659419753779530635563455664549165618528767491631867637613948406196511848103083967995689432928779805192695209899686072900265108597626632371718430059561807147486376536203800038054012500244392964187780217667805308512187849789773573138494622201856638931435423778275004491853486855300574479177472267767506041000072575623287557610576406578525902565241580838652860552046216587141709709405062150243990097835181557208274750462554811004137033087430556692966525170882625891516050207318491
c9 = 11867731823522211833301190385669833752050387304375114576570892885641949969365352586215693183003550684262313893105989683214739695968039039944442567581277252581988489020834299896625977474857889570528169919064941042132119301236852358823696947330423679033138054012027878783478922023431469564210485180679933264749281963405243082505688901662659030897104957499953192201440290084373968716271056483463909282407034181891901928790601973222643210525000717355062752079302291729448234374709852429885984987094307177760741403086538949190424454337896501402430653783597070178968921411867485584517214777073301007918941216316241784521708
n10 = 13890749889361612188368868998653029697326614782260719535555306236512452110708495623964530174188871342332417484996749651846510646453983388637377706674890018646246874688969342600780781646175634455109757266442675502522791531161284420286435654971819525519296719668701529481662071464145515727217108362496784024871976015116522898184301395037566514980846499856316532479656908169681719288258287756566886281183699239684997698487409138330229321935477734921670373632304542254938831218652340699024011371979519574576890581492623709896310465567043899767342676912434857372520308852745792360420376574037705943820090308501053778144141
c10 = 6250115196713939477947942995075509357173312813431601073354390451609559579925704891503987992181988654989477525811826607070378476102616752398280691012244301950194800995432882828020405062344160270290542566163969692748126314259624623341922057435728127596172871894887055305291345372720594481096374310285437492746765510292863238933163142677773310305789984897974266961231555124787205980411992251387207335655129551950825339766848166539671565212408741432649813058363660321480995187545006718837863674527475323414266732366507905974800565463011676462244368010182725161416783875646259625352308599198614681446394427674340328493047
n11 = 21457499145521259498911107987303777576783467581104197687610588208126845121702391694574491025398113729462454256070437978257494064504146718372095872819969887408622112906108590961892923178192792218161103488204912792358327748493857104191029765218471874759376809136402361582721860433355338373725980783308091544879562698835405262108188595630215081260699112737457564998798692048522706388318528370551365364702529068656665853097899157141017378975007689790000067275142731212069030175682911154288533716549782283859340452266837760560153014200605378914071410125895494331253564598702942990036163269043699029806343766286247742865671
c11 = 6269656777204332618433779865483197625538144405832409880710764183039800286008967127279281167109250083159801218370191973055663058165456565194979210256278526713608759141588082614531352489547674696723140599892318118960648862531538435596775798128845789504910467783731144808685373807716609662688064728614003904579841055786083326311313295311152563668422289435606771091246147867715987583149743032723028324394173498623642539175178996531881058274717907066845565199058931743481410454382746158558886667761300257488769795092777021292335562818583719708133179974425584610403335487082478848975656282384575767178925517257692365828720


ns = [n1,n2,n3,n4,n5,n6,n7,n8,n9,n10,n11]
cs = [c1,c2,c3,c4,c5,c6,c7,c8,c9,c10,c11]
for i in range(len(ns)-1):
    for j in range(i+1,len(ns)):
        if gcd(ns[i],ns[j]) != 1:
            print(i,j,gcd(ns[i],ns[j]))
            
#2 10 147352146484643764031622970604294889624856525072751495442791038251325198568446104214691837421831622655415627526708110986526177662910836604556867226815780490826061784656230373978115117669691022691171484914452586975269776325816859478861737379536769555626991492537714713353640978988383143423169600280639641367257
p = gcd(n3,n11)
q = n3//p
d = invert(e, (p-1)*(q-1))
m = pow(c3,d,n3)
long_to_bytes(m)
#moectf{it_is_re@lly_@_signin_level_cryPto_ch@ll@nge_ng92WPIBung92WPIBun}

xorrrrr

单字节异或加密，key不清楚，爆破呗


flag = open('flag.txt','rb').read()
assert flag.startswith(b'moectf{') and flag.endswith(b'}')
article = open('article.txt','rb').read()
 
import random
 
strxor = lambda x,y: bytes([a^b for a,b in zip(x,y)])
 
result = []
 
for i in range(100):
    range_start = random.randint(0, len(article) - len(flag))
    mask = article[range_start:range_start + len(flag)]
    result.append(strxor(flag,mask))
 
with open("result.log","w") as fs:
    fs.writelines([str(i)+"\n" for i in result])


msg = open('result.log').readlines()
msg = [eval(v) for v in msg]
 
strxor = lambda x,y: bytes([a^b for a,b in zip(x,y)])
 
msg.pop(93)
 
flag = b'moectf{W0W_y0U_HaVe_mastered_tHe_x0r_0Peart0r!_0iYlJf!M3rux9G9Vf!JoxiMl}'
 
for i in range(99):
    k = strxor(msg[i],flag)
    print(i,k, msg[i][len(flag): len(flag)+4])

ez_chain


from Crypto.Util.number import *
 
with open("key.txt", "r") as fs:
    key = int(fs.read().strip())
with open("flag.txt", "rb") as fs:
    flag = fs.read().strip()
assert len(flag) == 72
 
key = random.randint(base)
flag = b'moectf{1234567890}'
m = bytes_to_long(flag)
 
base = bytes_to_long(b"koito")
iv = 3735927943
 
def blockize(long):
    out = []
    while long > 0:
        out.append(long % base)
        long //= base
    return list(reversed(out))
 
blocks = blockize(m)
 
 
def encrypt_block_cbc(blocks, iv, key):
    encrypted = [iv]
    for i in range(len(blocks)):
        encrypted.append(blocks[i] ^ encrypted[i] ^ key)
    return encrypted[1:]
 
 
print(encrypt_block_cbc(blocks, iv, key))

CBC的异或加密


from Crypto.Util.number import *
 
def get_base(v,key):
    k = 0
    for i in v:
        k*=base 
        k+=i^key
    return long_to_bytes(k)
 
enc = [8490961288, 122685644196, 349851982069, 319462619019, 74697733110, 43107579733, 465430019828, 178715374673, 425695308534, 164022852989, 435966065649, 222907886694, 420391941825, 173833246025, 329708930734]
 
base = bytes_to_long(b"koito")
iv = 3735927943
 
enc = [iv]+enc
enc_no_cbc = [enc[i-1]^enc[i] for i in range(1,len(enc))]
print(enc_no_cbc)
#[432674690023, 316083479432, 352306305703, 371107977111, 290734220940, 297123248011, 319994912423, 299600071333, 439506635169, 117796865187, 390928024701, 116328574846, 334545012049, 126344729644, 4910773519]
 
#先猜长度
for kl in range(60,70):
    tkey = (bytes_to_long(b'moectf{')<8)//base**(len(enc_no_cbc)-1)
    tkey ^=enc_no_cbc[0]
    for i in range(-1000,1000):
        key = tkey + i
        v = get_base(enc_no_cbc, key)
        if b'moectf{' in v:
            print(kl, v)
            break
    
#b'moectf{thE_c6c_Is_not_so_hard_9ifxi9i!JGofMJ36D9cPMxroif6!M6oSMuliPPcA3}'

flag_exchange

通过7次幂的加密，7太小了


from Crypto.Util.number import isPrime
from random import getrandbits
 
with open("flag.txt","rb") as fs:
    flag = fs.read().strip()
 
def diffie_hellman(p, flag):
    alice_privKey = getrandbits(1024)
    alice_pubKey = pow(7, alice_privKey, p)
    bob_privKey = getrandbits(1024)
    bob_pubKey = pow(7, bob_privKey, p)
 
    superkey = pow(bob_pubKey, alice_privKey, p)
    m = int.from_bytes(flag, 'big')
    return (m * superkey) % p, alice_pubKey, bob_pubKey
 
 
from typing import Callable
 
def chall(input:Callable[[str],None], print:Callable[[str],None]):
    p = int(input("P = "))
    if isPrime(p) and p.bit_length() >= 1024:
        c, alice_pubKey, bob_pubKey = diffie_hellman(p, flag)
        print("Alice's public key: {}".format(alice_pubKey))
        print("Bob's public key: {}".format(bob_pubKey))
        print("Ciphertext: {}".format(c))
    else:
        print("Invalid P")


p = 148489452939627293978440608759173442996844898460634522907853247036287190215343795547617202268308624753445214064773770913426160349040708130179091977708205626736036279968938890838225633390629273742668246518422214765060312463614874340097452229306723297896927521825468282346196425145184245667794004328269609137340417
 
ak = 13506505257902994926795380249835905035332235135211590669651308742167829046269285891449598193037355963934752767648404113487207650100033109025478128962303857858447936638923060635597426544104185868673581919643713670014001896204436868960342513827314899205480094036790812749085955676625407571768335193974649726494695
bk = 59201325930301080831020707685410323615662991813563685602352712666092170206124564190043221611539340845561303528216487138415532082769687060195426542753971585990425051581542903924039946519721877000739041825359986436864770793802041542615070727007409297662567507378880622382458757946880200666631006526627977012754315
cipher = 113859159624765890256820636097278078757726957717820539253273545045734749731324609285395064129161531586821631272409416097549974696104116207732168692060239798339988828548845153764394213384370110210010127665521461773892895483778273116595550989394557731721950223900029326813602085382207407781759070210822358775058078
 
#c = (m * superkey) % p
a = discrete_log(ak,mod(7,p))
a = 64668307636287699049178361204443104904947965453137320623869437362374876996215394346912445893643403561894212148309122505028572486721984798507289505281507627944598519908420891989408013250242428623664747266752871230816411372152512197777858955459437623237541142998761716048619580286646790406108437435522991034889
#superkey = pow(bob_pubKey, alice_privKey, p)
s = pow(bk,a,p)
m = c*inverse_mod(s,p)%p
 
 
#moectf{diffie_he11man_key_exChange_is_not_so_hard_2WPIBung92WPIBung9?WP}

giant_e

猜测是e非常d非常小的情况，用winner分解


from Crypto.Util.number import getPrime
 
with open("flag.txt","rb") as fs:
    flag = fs.read().strip()
 
p = getPrime(1024)
q = getPrime(1024)
n = p * q
e = 0x609778981bfbb26bb93398cb6d96984616a6ab08ade090c1c0d4fedb00f44f0552a1555efec5cc66e7960b61e94e80e7483b9f906a6c8155a91cdc3e4917fa5347c58a2bc85bb160fcf7fe98e3645cfea8458ea209e565e4eb72ee7cbb232331a862d8a84d91a0ff6d74aa3c779b2b129c3d8148b090c4193234764f2e5d9b2170a9b4859501d07c0601cdd18616a0ab2cf713a7c785fd06f27d68dff24446d884644e08f31bd37ecf48750e4324f959a8d37c5bef25e1580851646d57b3d4f525bc04c7ddafdf146539a84703df2161a0da7a368675f473065d2cb661907d990ba4a8451b15e054bfc4dd73e134f3bf7d8fa4716125d8e21f946d16b7b0fc43
m = int.from_bytes(flag,"big")
c = pow(m,e,n)
 
n = 0xbaa70ba4c29eb1e6bb3458827540fce84d40e1c966db73c0a39e4f9f40e975c42e02971dab385be27bd2b0687e2476894845cc46e55d9747a5be5ca9d925931ca82b0489e39724ea814800eb3c0ea40d89ebe7fe377f8d3f431a68d209e7a149851c06a4e67db7c99fcfd9ec19496f29d59bb186feb44a36fe344f11d047b9435a1c47fa2f8ed72f59403ebb0e439738fd550a7684247ab7da64311690f461e6dce03bf2fcd55345948a3b537087f07cd680d7461d326690bf21e39dff30268cb33f86eeceff412cd63a38f7110805d337dcad25e6f7e3728b53ca722b695b0d9db37361b5b63213af50dd69ee8b3cf2085f845d7932c08b27bf638e98497239
c = 0x45a9ce4297c8afee693d3cce2525d3399c5251061ddd2462513a57f0fd69bdc74b71b519d3a2c23209d74fcfbcb6b196b5943838c2441cb34496c96e0f9fc9f0f80a2f6d5b49f220cb3e78e36a4a66595aa2dbe3ff6e814d84f07cb5442e2d5d08d08aa9ccde0294b39bfde79a6c6dcd2329e9820744c4deb34a039da7933ddf00b0a0469afb89cba87490a39783a9b2f8f0274f646ca242e78a326dda886c213bc8d03ac1a9150de4ba08c5936c3fe924c8646652ef85aa7ac0103485f472413427a0e9d9a4d416b99e24861ca8499500c693d7a07360158ffffa543480758cafff2a09a9f6628f92767764fa026d48a9dd899838505ae16e38910697f9de14
e = 0x609778981bfbb26bb93398cb6d96984616a6ab08ade090c1c0d4fedb00f44f0552a1555efec5cc66e7960b61e94e80e7483b9f906a6c8155a91cdc3e4917fa5347c58a2bc85bb160fcf7fe98e3645cfea8458ea209e565e4eb72ee7cbb232331a862d8a84d91a0ff6d74aa3c779b2b129c3d8148b090c4193234764f2e5d9b2170a9b4859501d07c0601cdd18616a0ab2cf713a7c785fd06f27d68dff24446d884644e08f31bd37ecf48750e4324f959a8d37c5bef25e1580851646d57b3d4f525bc04c7ddafdf146539a84703df2161a0da7a368675f473065d2cb661907d990ba4a8451b15e054bfc4dd73e134f3bf7d8fa4716125d8e21f946d16b7b0fc43


from Crypto.Util.number import long_to_bytes,bytes_to_long
def transform(x,y):
    res = []
    while y:
        res.append(x//y)
        x,y = y,x%y
    return res
 
def continued_fraction(res):
    numerator,denominator = 1,0
    for i in res[::-1]:
        denominator,numerator = numerator,i*numerator+denominator
    return numerator,denominator
 
def wiener_attack(c,res,n):
    print("Attack start...")
    for i in range(1,len(res)):
        ress = res[:i]
        d = continued_fraction(ress)[1]
        m = long_to_bytes(pow(c,d,n))
        print(m)
        if all(0x20<=k<=0x7f for k in m):
        #if b'flag{' in m:
            print(m)
            break
        
res = transform(e,n)
wiener_attack(c,res,n)
#moectf{too_larGe_exponent_is_not_a_iDea_too!_Bung92WPIBung92WPIBung9?WP}

minipack

远看是背包加密，但是没取模


import random
 
with open("flag.txt", "rb") as fs:
    flag = fs.read().strip()
 
assert len(flag) == 72
m = int.from_bytes(b"\xff" + flag + b"\xff", "big")
 
 
def long2bits(long):
    bits = []
    while long > 0:
        bits.append(long & 1)
        long >>= 1
    return list(reversed(bits))
 
 
def genkey(len):
    sum = 0
    out = []
    for i in range(len):
        delta = random.randint(1, 10000)
        x = sum + delta
        out.append(x)
        sum += x
    return out
 
 
key = genkey(74 * 8)
 
with open("key.txt", "w") as fs:
    fs.write(str(key))
 
 
def encrypt(m, keys):
    data = long2bits(m)
    assert len(data) == len(keys)
    return sum((k if (p == 1) else 1) for p, k in zip(data, keys))
 
 
with open("ciphertext.txt", "w") as fs:
    fs.write(str(encrypt(m, key)))

直接一个个减就行，不够就是0，够就是1


from key import key
from Crypto.Util.number import *
 
c = 44096612931024003148407895164090667174657344536623354666642108463093659898867859567157728084018394988840266329206836985537987081415020571845239234014695335928717091578810470705259929
m = ''
for k in key[::-1]:
    if c>=k:
        c-=k 
        m+='1'
    else:
        m+='0'
 
flag = int(m[::-1],2)
print(long_to_bytes(flag))
#moectf{superiNcreasiNg_sequeNce_is_useful_tO_cONstruct_a_KNapsacK_MAxSM}

bad_random

LCG加密，先用grobner基求参数，再解


import random
 
with open("flag.txt", "r") as f:
    flag = f.read().strip()
 
 
class LCG:
    def set_params(self):
        self.m = random.randint(10000, 20000)
        self.a = random.randint(10000, 20000)
        self.c = random.randint(1, self.a-1)
        self.x = random.randint(0, self.m-1)
    
    def get_all_output(self):
        x0 = self.x
        s = set()
        while (t := self()) not in s:
            s.add(t)
        self.x = x0
        return s
    
    def __init__(self):
        self.set_params()
        while len(self.get_all_output()) < 10:
            self.set_params()
    
    def __call__(self):
        self.x = (self.a * self.x + self.c) % self.m
        return self.x
 
from typing import Callable
 
def chall(input:Callable[[str],None], print:Callable[[str],None]):
    from hashlib import md5
    from string import ascii_letters
    s = "".join(random.choices(ascii_letters, k=16))
    h = md5(s.encode()).hexdigest()
    print(f" md5(XXXXXXXX+{s[8:]}) == {h}")
    i = input("Give me XXXXXXXX: ")
    if md5((i + s[8:]).encode()).hexdigest() != h:
        print(" ACCESS DENIED ")
        return
    inst = LCG()
    print("Let's play a simple game! If you can guess the right number, I will give your the flag! You have 10 tries")
    for tries in range(10):
        i = input(f"Give me a number, you have failed for {tries} times: ")
        if int(i) == (right := inst()):
            print(f"Congurations! You win the game! Your flag is here: {flag}")
        else:
            print(f"Oh, you are wrong! The right number is {right}")


from pwn import *
from hashlib import md5 
import string 
from math import gcd 
from gmpy2 import invert 
 
io = remote('127.0.0.1', 11027)
context.log_level = 'debug'
 
io.recvuntil(b'md5(XXXX+')
tail = io.recvuntil(b') == ', drop = True)
hash = io.recvline().strip().decode()
 
#proof
found = iters.bruteforce(lambda x: md5(x.encode() + tail).hexdigest() == hash, string.ascii_letters, 4)
io.sendlineafter(b"XXXX: ", found.encode())
 
xs = []
for _ in range(9):
    io.sendlineafter(b"times: ", b'88')
    io.recvuntil(b'The right number is ')
    xs.append(int(io.recvline()))
 
print(f"{xs = }")
#
 
'''
P. = PolynomialRing(ZZ)
F = []
for i in range(1, 9):
    f = xs[i-1]*a + c - xs[i]
    F.append(f)
I = Ideal(F).groebner_basis()
print(I)
# 求解参数a c m  : x = (ax+c) %m
res=[x.constant_coefficient() for x in I]
m = res[2]
a = -res[0]%m
c = -res[1]%m
for a in range(10000,20000):
    if xs[-1] == (xs[-2]*a+c)%m:
        print((xs[-1]*a+c)%m)
        break
'''
 
x10 = input('x10:')
#print(b's'+x10.encode())
io.sendlineafter(b"times: ", x10.encode())
io.recvline()
io.interactive()
#moectf{u5e_5ingle_lcg_a5_a_RanDoM_nuMbeR_geneRaToR_i5_noT_a_gooD_iDea!_}\n'

broken_hash

自制的hash，换个顺序还能得到相同值。


def F(x, y, z):
    return ((x & ~y) ^ (y & ~z) ^ (z & ~x)) ^ (
        ((x + y) * (y + z) + (x + z)) & 0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF
    )
 
 
def _block_hash(a, b, c, d):
    x, y, z, w = F(a, b, c), F(b, c, d), F(c, d, a), F(d, a, b)
    return (a ^ b ^ c ^ d ^ x ^ y ^ z ^ w) ^ 0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF
 
 
def _hash(blocks: list[int]):
    length = len(blocks)
    if length % 4 != 0:
        padding = 4 - length % 4
        blocks += [0] * padding
        length += padding
    if length == 4:
        return _block_hash(*blocks)
    else:
        block_size = length // 4
        h1 = _hash(blocks[:block_size])
        h2 = _hash(blocks[block_size : block_size * 2])
        h3 = _hash(blocks[block_size * 2 : block_size * 3])
        h4 = _hash(blocks[block_size * 3 :])
        return _block_hash(h1, h2, h3, h4)
 
 
def bytes2blocks(data: bytes, block_size=16):
    if len(data) % block_size != 0:
        data += b"\x00" * (block_size - len(data) % block_size)
    return [
        int.from_bytes(data[i : i + block_size], "little")
        for i in range(0, len(data), block_size)
    ]
 
 
def hash(*data: list[bytes]):
    return _hash(bytes2blocks(b"".join(data)))
 
 
from typing import Callable
from random import randbytes
from base64 import b64decode,b64encode
from hashlib import md5
from string import ascii_letters
from random import choices
 
with open("flag.txt", "r") as f:
    flag = f.read().strip()
 
def chall(input: Callable[[str], None], print: Callable[[str], None]):
    def proof_of_work():
 
        s = "".join(choices(ascii_letters, k=16))
        h = md5(s.encode()).hexdigest()
        print(f" md5(XXXXXXXX+{s[8:]}) == {h}")
        i = input("Give me XXXXXXXX: ")
        return md5((i + s[8:]).encode()).hexdigest() == h
    if not proof_of_work():
        print(" ACCESS DENIED ")
        return
 
    b = randbytes(256)
    print(f"this is a random bytes: {b64encode(b).decode()}")
    i = input("give me another bytes with the same hash: ")
    try:
        d = b64decode(i)
    except:
        print("invaild input")
    if hash(b) == hash(d) and d!=b:
        print(f"congurations! and your flag is {flag}")


from pwn import *
from base64 import * 
from hashlib import md5 
 
io = remote('127.0.0.1', 10946)
context.log_level = 'debug'
 
io.recvuntil(b'md5(XXXX+')
tail = io.recvuntil(b') == ', drop = True)
hash = io.recvline().strip().decode()
 
#proof
found = iters.bruteforce(lambda x: md5(x.encode() + tail).hexdigest() == hash, string.ascii_letters, 4)
io.sendlineafter(b": ", found.encode())
 
io.recvuntil(b"this is a random bytes: ")
b = b64decode(io.recvline().strip())
 
a = b[16:64] + b[:16] + b[64:]
a64 = b64encode(a)
 
io.sendlineafter("give me another bytes with the same hash: ", a64)
 
print(io.recvline())
io.interactive()
#moectf{a_hash_FUNCtioN_With_sYMMEtRY_is_vERY_vUlNERa6lE_3iiA0JiuP0DxuuP}

factorize_me!

给了9个因子的N和对应的phi，从中选3个作n加密，先用多因子分解得到因子，再找出是哪个


from Crypto.Util.number import getPrime
from math import prod
from sympy import nextprime
from random import choices
 
with open('flag.txt', 'rb') as fs:
    flag = fs.read().strip()
 
primes = [getPrime(512) for _ in range(9)]
print(f"{prod(primes) = }")
print(f"{prod(p - 1 for p in primes) = }")
 
primes2 = [nextprime(p) for p in choices(primes, k=3)]
n = prod(primes2)
e = 65537
c = pow(int.from_bytes(flag, 'big'), e, n)
 
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')


from Crypto.Util.number import *
from gmpy2 import *
 
N =  363364907814244019888662301376841344262476227242899756862391470731421569394957444030214887114615748277199649349781524749919652160244484352285668794188836866602305788131186220057989320357344904731322223310531945208433910803617954798258382169132907508787682006064930747033681966462568715421005454243255297306718356766130469885581576362173340673516476386201173298433892314145854649884922769732583885904512624543994675379894718657682146178638074984373206937523380103438050549181568015985546172618830480078894445808092527561363650503540062128543705172678754195578429520889784813733491180748361345720247750720179608752244490362713103319685024237941527268458213442611663415417005556439749055222361212059968254748751273361732365487788593341859760309778894350385339764442343374673786357175846291309425081492959910254127778240522152676060766139057453197528944251599979227271074508795482632471242983094008619339488744362509349734218480932255216087706001484182136783834973304870508270118505737767002256270427907341952256516206663258530300791364944105025764611810001781971638030661367630116818647252727909489405550104641122269772492252464714694507693447974171377200402508765841829763548525530878309985480248379655169722567051495205792089930014228403456098065971372039443284193603395249634283366194562380309469628114581468645669390610963076340643757972439104287127375438663839421605531570285615180251
phi =  363364907814244019888662301376841344262476227242899756862391470731421569394957444030214887114615748277199649349781524749919652160244484352285668794188836492373364350673588273863828369502073826782362255108313852264064760467561392054178047091483873483255491431451728274259516789065331176728192953741805933100379191778599394515981288225535175013258094287912195847642598436035132783919453991516358280321085873745330313812205910011387125778714795906023110368957596998222544234082487264006696812862179916726781327290284827659294751262185328816323311831349296593013038823107653943652771448719760448938995150646738377177532550757319539185878535087009904848382493668686831331474113789651777885239747000076063679062106375348803749466079052774597412239427050432901553466002731972993029311850718200685157193170716432600165476733200831046297530470544781309612128231925681374239849452623513538498417735984094919756374577623486416462101457492789215144166273775249387638107644634704270216130852885082174564648445147377239033930079759024399532146184753110240154062693457622208373371290126810856885343328090305620627668495081760346853701632815149478447405718664667978825807101325764916405446176183238866136433205933785973568759281210319422288153910340542098573782006262190181726245838857185687242960093445000287347616796984610291664809895901301187179157382169999966124177588884152267266994164841066291200
n = 899081756851564072995842371038848265712822308942406479625157544735473115850983700580364485532298999127834142923262920189902691972009898741820291331257478170998867183390650298055916005944577877856728843264502218692432679062445730259562784479410120575777748292393321588239071577384218317338474855507210816917917699500763270490789679076190405915250953860114858086078092945282693720016414837231157788381144668395364877545151382171251673050910143023561541226464220441
e = 65537
c = 841335863342518623856757469220437045493934999201203757845757404101093751603513457430254875658199946020695655428637035628085973393246970440054477600379027466651143466332405520374224855994531411584946074861018245519106776529260649700756908093025092104292223745612991818151040610497258923925952531383407297026038305824754456660932812929344928080812670596607694776017112795053283695891798940700646874515366341575417161087304105309794441077774052357656529143940010140
 
from math import gcd
from random import randrange
def factorize_multi_prime(N, phi):
    """
    Recovers the prime factors from a modulus if Euler's totient is known.
    This method works for a modulus consisting of any number of primes, but is considerably be slower than factorize.
    More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3)
    :param N: the modulus
    :param phi: Euler's totient, the order of the multiplicative group modulo N
    :return: a tuple containing the prime factors
    """
    prime_factors = set()
    factors = [N]
    while len(factors) > 0:
        # Element to factorize.
        N = factors[0]
        w = randrange(2, N - 1)
        i = 1
        while phi % (2 ** i) == 0:
            sqrt_1 = pow(w, phi // (2 ** i), N)
            if sqrt_1 > 1 and sqrt_1 != N - 1:
                # We can remove the element to factorize now, because we have a factorization.
                factors = factors[1:]
                p = gcd(N, sqrt_1 + 1)
                q = N // p
                print(p)
                if is_prime(p):
                    prime_factors.add(p)
                elif p > 1:
                    factors.append(p)
                if is_prime(q):
                    prime_factors.add(q)
                elif q > 1:
                    factors.append(q)
                # Continue in the outer loop
                break
            i += 1
    return list(prime_factors)
 
n_factors = factorize_multi_prime(N,phi)
n_factors = sorted(n_factors)
 
#[6811480804433459752827714558479851837166061762294131563310130325846430072816177165149613687307165209577130630311477665591141650399740741396784593477667511,6991223361118904775931217829045348785013077549030883418924453538830605687999480005714979700653172534877541317997174968789510984315425270755055110913347281, 7592439908930473591169395506464664967460880934907692099467559610659035874008829133810341129161864445676397227262130671224157308868678442281617413952593477, 7661276973316857207751367277881032536449069939447322837508906694964933673171693624171780997296797446643574508184011878230465391879808258241752897792891323, 8752762682421281693932454897190422008900505775990831144558827755415243453970083322530846132571648469860763497724505255094464743633789884168771246977571539, 9987009117206906203158749743824168660291275882852229158070368815160479543708376165641735042845357978292384303332559592302507789120810447986634662721490507, 10022455487144667211701100343824680124338467215246658405697280466931561838565228778624923751405642974058833143888323468902504576610147119708725877528011439, 11627877395179828773706504422918933052041685770731872812302758181943244472706231518350716590168708806854971155512042158777017234038219076771501368374236727, 12876877424944854147075816504195994138450356002779004886384584287813869165469217718717854027672044903401715370348223932937626725119320180795716270261309139]
 
for t in n_factors:
    for i in range(2000):
        if gcd(t+i, n) != 1:
            print(t+i)
        
p = [6991223361118904775931217829045348785013077549030883418924453538830605687999480005714979700653172534877541317997174968789510984315425270755055110913347349,
9987009117206906203158749743824168660291275882852229158070368815160479543708376165641735042845357978292384303332559592302507789120810447986634662721490849,
12876877424944854147075816504195994138450356002779004886384584287813869165469217718717854027672044903401715370348223932937626725119320180795716270261309141]
 
phi = (p[0]-1)*(p[1]-1)*(p[2]-1)
d = inverse_mod(e,phi)
m = pow(c,d,n)
long_to_bytes(int(m))
 
#moectf{you_KNow_how_to_faCtorize_N_right?_9?WPIBung6?WPIBung6?WPIBund6?}

feistel_promax


from Crypto.Util.number import *
from os import urandom
 
round = 2
flag = open("./secret", "rb").read().strip()
 
 
def f(m, key):
    m = m ^ (m >> 4)
    m = m ^ (m << 5)
    m = m ^ (m >> 8)
    m ^= key
    m = (m * 1145 + 14) % 2**64
    m = (m * 1919 + 810) % 2**64
    m = (m * key) % 2**64
    return m
 
 
def enc(m, key, round):
    key = bytes_to_long(key)
    left = bytes_to_long(m[:8])
    right = bytes_to_long(m[8:])
    for i in range(round):
        left, right = right, f(right, key) ^ left
    left, right = right, left
    return long_to_bytes(left).rjust(8, b"\x00") + long_to_bytes(right).rjust(8, b"\x00")
 
 
def padding(m):
    mlen = len(m)
    pad = 16 - mlen % 16
    return m + pad * bytes([pad])
 
 
def ecb_enc(m, key):
    m = padding(m)
    mlen = len(m)
    c = b""
    for i in range(mlen // 16):
        c += enc(m[i * 16 : i * 16 + 16], key, round)
    return c
 
 
key = urandom(8)
 
print(ecb_enc(padding(flag), key))
# b'B\xf5\xd8gy\x0f\xaf\xc7\xdf\xabn9\xbb\xd0\xe3\x1e0\x9eR\xa9\x1c\xb7\xad\xe5H\x8cC\x07\xd5w9Ms\x03\x06\xec\xb4\x8d\x80\xcb}\xa9\x8a\xcc\xd1W\x82[\xd3\xdc\xb4\x83P\xda5\xac\x9e\xb0)\x98R\x1c\xb3h'

很麻烦


from Crypto.Util.number import long_to_bytes as l2b, bytes_to_long as b2l
 
 
def f(m, key):
    m = m ^ (m >> 4)
    m = m ^ (m << 5)
    m = m ^ (m >> 8)
    m ^= key
    m = (m * 1145 + 14) % 2**64
    m = (m * 1919 + 810) % 2**64
    m = (m * key) % 2**64
    return m
 
def enc(m, key, round):
    key = b2l(key)
    left = b2l(m[:8])
    right = b2l(m[8:])
    for i in range(round):
        left, right = right, f(right, key) ^ left
    left, right = right, left
    return l2b(left).rjust(8, b"\x00") + l2b(right).rjust(8, b"\x00")
 
'''
key = b'\xcdU\x19\xb4\x04\x9f\xaaE'
flag = b'0123456789abcdef}'
for i in range(1,17):
    tmp = flag + bytes([i])*i 
    tmp = tmp[-16:]
    c = enc(tmp,key,2)
    print(c)
b'\xa0\x8b\x9b\xce\xe4\xc8\xc2l<^\xfc\xe1\x8b\xb8\xbe\xd1'
b'\x82Z\x13o\x92!\xf7V\xa7\n\x03!\x8b\xe2\x0f\x1e'
b'\x1f<\xb8\x15c\xce\x84\x87\xb5\x91\xea\xb3\xc6\xe0S\x97'
b'\x82nW\x12\xb8I\xe1\x81^Z\xdc\xc0\xba\xde\xdd\xb0'
b'!\xd3\x84Vh~\xa7\x01\x1b\xb7u\xad\x92\xeb\xb6\xfd'
b'Un\x1d\xf2\nzg\xc0F|*\xa7\xadX\xf0"'
b',\x83\x91\xacs@V\x13\x08\x17\xc6\xdb81\xcfk'
b'\x80_-S\xa3\xd1S\xa7\xad\xc2\xb8W\xb5\xaeju'
b'\r\xc7Z\xcbh}\x14\xf7\xa4\xc23s8\x83\\\xc7'
b'1u\xb4\x90\x8c\t\x16\xb0P\xc9\x8a\n\xdf\xeb\xeav'
b'\r\xad\xfd\xe1\x8a.P\xac\xb4\xc3\x0148\xbb\xfdI'
b'\xce3\xeb\t\x82\xc3K[<\xf0\xd7\xc2\x0e?o,'
b'\xa7+\x88.K\xee\x8be\xec\xf4Z\xac\x83@u\xeb'
b';8q}\x07\x069\xfeh\xe1\xcb\xf7\xe7\xf19\x9a'
b'\xa2\xf1r\x90\xf9\xd4k\x8c\xce\x964\xd3y\x16BU'
b'\x81\xb9\xa1d\xac\xac\x81:Q\x12\xcb\xe4S1n\x91'
'''
'''
l         r                  plain
r         f(r)^l             round 1
f(r)^l    f(f(r)^l)^r        round 2
f(f(r)^l)^r   f(r)^l         c
'''
 
'''
#test
l = b2l(b'\x10'*8)
r = b2l(b'\x10'*8)
key = b2l(b'\xcdU\x19\xb4\x04\x9f\xaaE')
fr = f(r,key)^l
ffr = f(fr,key)^r
print(l2b(fr),l2b(ffr))
'''
enc = b'B\xf5\xd8gy\x0f\xaf\xc7\xdf\xabn9\xbb\xd0\xe3\x1e0\x9eR\xa9\x1c\xb7\xad\xe5H\x8cC\x07\xd5w9Ms\x03\x06\xec\xb4\x8d\x80\xcb}\xa9\x8a\xcc\xd1W\x82[\xd3\xdc\xb4\x83P\xda5\xac\x9e\xb0)\x98R\x1c\xb3h'
 
#c = b'\x81\xb9\xa1d\xac\xac\x81:Q\x12\xcb\xe4S1n\x91'
c = enc[-16:]
cl,cr = b2l(c[8:]), b2l(c[:8])   #cl和r取3字节，l取2字节
#print(l2b(cl),l2b(cr))
'''
for pad in range(1,17):
    l = bytes([pad])*2
    r = bytes([pad])*3
    l,r = b2l(l),b2l(r)
    for key8 in range(256):
        for key7 in range(256):
            key = (key7<<8) |key8
            fr  = (f(r,  key)^l) &0xffff
            ffr = (f(cl, key)^r) &0xffff
            if fr == cl&0xffff and ffr == cr&0xffff:
                print(pad, hex(key7), hex(key8) )
'''
#pad 16  key = b'\xac\xb4'
pad = 16
key_tail = b'4t*zFD\xac\xb4'
'''
mod = 1<<(8*(len(key_tail)+1))
l = bytes([pad])*8
r = bytes([pad])*8
l,r = b2l(l),b2l(r)
for k in range(256):
    key = (k<<(8*len(key_tail)))|b2l(key_tail)
    fr  = (f(r,  key)^l) %mod
    ffr = (f(cl, key)^r) %mod
    if fr == cl%mod and ffr == cr%mod:
        print(l2b(key) )
'''
key = b2l(key_tail )
#从明文 
c = enc[32:48]
cl,cr = b2l(c[8:]),b2l(c[:8])
r = f(cl,key)^cr
l = f(r,key)^cl
print(l2b(l)+l2b(r))
 
#moectf{F_func_1s_n1t_Ve5y_$EcU%e}

相关阅读:
DETR纯代码分享（五）__init__.py(datasets)
今日伦敦金行情分析方法分享
 Spark系列之Spark体系架构
 竹云董事长董宁受邀出席香港第三届湾区元宇宙大会暨AIGC、RWA发展高峰论坛并作主题演讲
 JSON从入门到大师
 计数&桶&基数排序算法
 ThresholdFilter简介说明
 DGIOT实战教程-监控摄像头接入(v4.6.0)
【并发编程】史上最详细的ReentrantReadWriteLock源码刨析
 Java自定义ClassLoader加载外部类
原文地址：https://blog.csdn.net/weixin_52640415/article/details/134022319