-
[ CTF ] WriteUp- 2022年第三届“网鼎杯”网络安全大赛(朱雀组)
【Misc】misc666
flag{NiuDaoxiaoshi666}【Crypto】crypto967
m = 696376465415968446607383675953857997 c =75351884040606337127662457946455960228423443937677603718170904462378938882502061014476822055783421908392386804380503123596242003758891619926133807099465797120624009076182390781918339985157326114840926784410018674639537246981505937318380179042568501449024366208980139650052067021073343322300422190243015076307 n =135413548968824157679549005083702144352234347621794899960854103942091470496598900341162814164511690126111049767046340801124977369460415208157716471020260549912068072662740722359869775486486528791641600354017790255320219623493658736576842207668208174964413000049133934516641398518703502709055912644416582457721 G = Zmod(n) factors = [587, 28142457071, 395710839697] order = n - 1 m = G(m) c = G(c) dlogs = [] for i in factors: t = order // i y = c ^ t g = m ^ t dlog = discrete_log(c ^ t, m ^ t) dlogs.append(int(dlog)) print(dlog) x=crt(dlogs, factors) print(x)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
x=17271504622210389511- 1
from Crypto.Util.number import * x = 17271504622210389511 c1 =209941170134628207830310059622280988835086910150451946264595015050300510031560522999562095124692878755896950865676914790595999182721583547184333760954091880805688518459046880395477235753285839380764579025127254060855545 c2 =4803339369764546990337396010353372745379378328671778873584350940089623041410194355125962064067657967062926344955874581199853582279928946579389671271191196 p =6809372619970287379746941806942051353536181082328454067824596651780784704823185066486367854653297514943018290212240504418345108411269306758069486928594027 g =12575636661436726898107254102531343862656456137827822292892883099464907172061178954026138165159168595086335202285503403441736394399853074532771428483593753 k =4521228602593215445063533369342315270631623025219518143209270060218625289087470505221974748605346084266802332207199304586313352026660695691783656769488472 print(long_to_bytes(c1 * pow(c2, -x, p) % p))- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
flag{th1s_1s_so_3a2y_rlgh4}
【Reverse】re547
IDA打开后有个_main函数
v27密文↓
rc4加密:for ( i = 0; i < 256; ++i ) { v26[i] = i; v24[i] = v25[i % v3]; } for ( j = 0; j < 256; ++j ) { v7 = v26[j]; v4 = (v7 + v24[j] + v4) % 256; v26[j] = v26[v4]; v26[v4] = v7; } v8 = 0; v9 = 0; for ( k = 0; k < 42; ++k ) { v8 = (v8 + 1) % 256; v11 = v26[v8]; v9 = (v11 + v9) % 256; v26[v8] = v26[v9]; v26[v9] = v11; Arglist[k] ^= v26[(unsigned __int8)(v11 + v26[v8])]; } v12 = 0; v23 = 0;- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
tea加密:
do { v13 = 0; v14 = *(_DWORD *)&Arglist[8 * v12]; v22 = &Arglist[8 * v12]; v21 = &Arglist[8 * v12 + 4]; v15 = 32; v16 = *(_DWORD *)v21; do { v13 -= 0x61C88647; v14 += (16 * v16 + 0x1234) ^ (v13 + v16) ^ ((v16 >> 5) + 0x5678); v16 += ((v14 >> 5) + 0x8265) ^ (v13 + v14) ^ (16 * v14 + 0x4523); --v15; } while ( v15 ); *(_DWORD *)v22 = v14; *(_DWORD *)v21 = v16; v12 = v23 + 1; v23 = v12; } while ( v12 < 5 );- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
tea只循环5次(40位)
但是程序要我们输入42位
还剩两位只经过rc4#include#include #include //加密函数 void encrypt(uint32_t* v, uint32_t* k) { /* set up */ uint32_t v0 = v[0], v1 = v[1], sum = 0, i; /* a key schedule constant */ uint32_t delta = 0x9e3779b9; /* cache key */ uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3]; for (i = 0; i < 32; i++) /* basic cycle start */ { sum += delta; v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1); v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3); } /* end cycle */ v[0] = v0; v[1] = v1; } //解密函数 void decrypt(uint32_t* v, uint32_t* k) { /* set up */ uint32_t v0 = v[0], v1 = v[1], sum = 0x9e3779b9<<5, i; /* a key schedule constant */ uint32_t delta = 0x9e3779b9; /* cache key */ uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3]; for (i = 0; i < 32; i++) /* basic cycle start */ { v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3); v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1); sum -= 0x9e3779b9; } /* end cycle */ v[0] = v0; v[1] = v1; } int main() { uint32_t v[10] = { 0x1C30FE24, 0xA34C7D11, 0x6F106E38, 0x3EBDE0C4, 0x400FC847, 0x752FF41A, 0xF13DDEBA, 0x6C7835C6, 0xFD3E6948, 0x9DFD7447 }; uint32_t k[4] = { 0x1234,0x5678,0x4523,0x8265 }; uint32_t vvv[10]; for(int i = 0; i < 10;i+=2 ) { uint32_t vv[2] = { v[i],v[i + 1] }; decrypt(vv, k); vvv[i]= vv[0]; vvv[i + 1] = vv[1]; } for (int k = 0; k < 40; k++) { printf("%02x",(*((unsigned char*)vvv + k))); } return 0; } - 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
运行结果:
8aa09899317f3709336a68c12db9ec3c321d77b99eb9147f005f3dbc3b6e2a2cf901a69ce35bbe80- 1
添加后面没用tea加密的两位:0x66 0x2f
flag{1f782dbb-7570-46c8-b7a2-f64dfa4383b7} -
相关阅读:
纯前端实现 PNG 图片压缩 | UPNG.js
10. python字典
python实验2 π的计算
再见SpringCloud,这个架构挺猛,甚至干掉Dubbo
排序方法——《快速排序》
java毕业生设计学校图书馆管理系统计算机源码+系统+mysql+调试部署+lw
大模型帮我梳理的docker命令
css样式操作、动画操作
【基于STM32&OpenCV的车载机器人的抓取控制软件设计】
计算机毕业设计(附源码)python重工教师职称管理系统
- 原文地址:https://blog.csdn.net/ZXW_NUDT/article/details/126609555