LiTCTF by lingfeng - (crypto全解)
因为这两天有事/(ㄒoㄒ)/~~,错过了litctf的比赛时间,只能现在复现一下密码题了(;´༎ຶД༎ຶ`)
梦想是红色的 (初级)
社会主义核心价值观编码
Hex?Hex!(初级)
cyber一把梭
原来你也玩原神 (初级)
提瓦特语言对照
LitCTF{YUANLAINIYEWANYUANSHENWWW}
你是我的关键词(Keyworld)
Is this only base?
找到正确的BASE64结构
一键解码
再次一键解密
成功找到Lit
家人们!谁懂啊,RSA签到都不会
from Crypto.Util.number import *
p =
q =
c =
n=p*q
d=inverse(65537,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,n)))
#b'LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}'
factordb
factordb.com
from Crypto.Util.number import *
e =
n =
c =
p =
q = n//p
d=inverse(65537,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,n)))
#b'LitCTF{factordb!!!}'
yafu
#sage
e =
n =
c =
p_=factor(n)
p=[int(i)-1 for i,_ in p_]
phi=prod(p)
d=inverse_mod(e,phi)
m=pow(c,d,n)
print(bytes.fromhex(hex(m)[2:]))
#b'LitCTF{Mu1tiple_3m4ll_prim5_fac7ors_@re_uns4f5}'
我测你vva
chatgpt一把梭
md5的破解
MD5爆破即可
from hashlib import md5
MD5='496603d6953a15846cd7cc476f146771'
flag=b'LitCTF{md5can3derypt213thoughcrsh}'
import itertools
dir = '1234567890abcdefghijklmnopqrstuvwxyz'
dir_list = itertools.product(dir, repeat=4)
for i in dir_list:flag_=flag[:13]+''.join(i[:2]).encode()+flag[13:16]+''.join(i[2]).encode()+flag[16:31]+''.join(i[-1]).encode()+flag[31:]md5_=md5(flag_).hexdigest()if md5_== MD5:print(flag_)break#b'LitCTF{md5can123dexrypt213thoughcrpsh}'
Virginia
enc=[86, 116, 128, 80, 98, 85, 139, 122, 134, 114, 125, 136, 117, 123, 129, 127, 128, 128, 142, 130, 140, 147, 127, 132, 131, 136, 151, 134, 152, 164]
enc_=list(b'LitCTF{')#由flag格式提示
key=[i-j for i, j in zip(enc[:7],enc_[:7])]
print(key)
#[10, 11, 12, 13, 14, 15, 16]
#观察可知为变异凯撒
flag=[i-j for i, j in zip(enc,range(10,10+len(enc)))]
print(bytes(flag))
一次一密
from pwn import *
enc1='6c73d5240a948c86981bc294814d'
enc1=bytes.fromhex(enc1)
dec1=b'attack at dawn'
dec2=b'Monday or Thur'
enc2=xor(enc1,dec1,dec2).hex()
print('NSSCTF{'+enc2+'}')
P_Leak
dp泄露模板
import gmpy2
from Crypto.Util.number import *
e =
dp=
n=
c= for x in range(1,e):if (dp*e-1)%x == 0:p = ((dp*e-1)//x)+1if n%p == 0:break
q = n//p
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = long_to_bytes(m)
print(flag)
#b'LitCTF{Prim3_1s_Le@k!!!!!}'
baby_xor
from Crypto.Util.number import *
n =
c1 =
c2 =
tmp=b'x'*24
flag_=b'LitCTF{'+tmp+b'}'
P_=bin(bytes_to_long(flag_)^^c1)[2:]
P=[int(P_[:-200],2),int(P_[-8:],2)]
PR.<x> = PolynomialRing(Zmod(n))
f = x*(2**8) + P[0]*(2**200)+P[1]
roots = f.monic().small_roots(X=2^200, beta=0.4)[0]
p=int(roots*(2**8) + P[0]*(2**200)+P[1])
q=n//p
e=65537
d=inverse_mod(e,(p-1)*(q-1))
m=pow(c2,d,n)
print(long_to_bytes(int(m)))
#b'LitCTF{oh!!!!coppersmith_is_fun}'
e的学问
e=
p=
q=
n=p*q
c=
d=inverse(e//2,(p-1)*(q-1))
m2=pow(c,d,n)
m=gmpy2.iroot(m2,2)
if m[1]:print(long_to_bytes(m[0]))#b'LitCTF{e_1s_n0t_@_Prime}'
The same common divisor
from Crypto.Util.number import *
n1=
n3=
c1=
c2=
n2=n1^n3
e=65537
p=GCD(n2,n1)
q=n1//p
d=inverse(e,(p-1)*(q-1))
print(long_to_bytes(pow(c1,d,n1)))
#b'LitCTF{TH3_Tw0_nUmb3rs_H@v3_The_sAme_D1v1s0r!!}'
Where is P?
import gmpy2
from tqdm import *
from Crypto.Util.number import *
P=0
e=
n=
c=
a=
for i in trange(0,1<<10):tmp=a+n*itmp_=gmpy2.iroot(tmp,3)if tmp_[1]:P=tmp_[0]break
P=bin(P)[2:]
assert len(P)==684
for i in trange(0,1<<20):p_=Integer(P+bin(i)[2:],2)kbits = 1024 - p_.nbits()p4 = p_ << kbitsPR.<x> = PolynomialRing(Zmod(n))f = x + p4roots = f.small_roots(X=2 ^ kbits, beta=0.4)if roots:p = int(roots[0] + p4)q=n//pd=inverse(e,(p-1)*(q-1))m=pow(c,d,n)print(long_to_bytes(int(m)))break#b'LitCTF{Y0U_hAV3_g0T_Th3_r1ghT_AnsW3r}'
babyLCG
t 0 = s 1 − s 0 t 1 = s 2 − s 1 = a ( s 1 − s 0 ) + k 1 p t 2 = s 3 − s 2 = a ( s 2 − s 1 ) + k 2 p = a 2 ( s 1 − s 0 ) + k 3 p − > t 0 t 2 ≡ t 1 2 m o d p − − − − − − − − − − − − − − − − − − − − − − − − 类比 t 1 、 t 2 、 t 3 − > t 1 t 3 ≡ t 2 2 m o d p = > G C D ( t 0 t 2 − t 1 2 , t 1 t 3 − t 2 2 ) = p t_0= s_1-s_0\\t_1=s_2-s_1=a(s_1-s_0)+k_1p\\t_2=s_3-s_2=a(s_2-s_1)+k_2p=a^2(s_1-s_0)+k_3p \\->t_0t_2\equiv t_1^2\ mod \ p \\------------------------ \\类比 t_1、t_2、t_3 \\->t_1t_3\equiv t_2^2\ mod \ p \\=>GCD(t_0t_2-t_1^2,t_1t_3-t_2^2)=p t0=s1−s0t1=s2−s1=a(s1−s0)+k1pt2=s3−s2=a(s2−s1)+k2p=a2(s1−s0)+k3p−>t0t2≡t12 mod p−−−−−−−−−−−−−−−−−−−−−−−−类比t1、t2、t3−>t1t3≡t22 mod p=>GCD(t0t2−t12,t1t3−t22)=p
解法一
#sage
from Crypto.Util.number import *
import re
result =
t0=result[1]-result[0]
t1=result[2]-result[1]
t2=result[3]-result[2]
t3=result[4]-result[3]
p=GCD(t0*t2-t1**2,t1*t3-t2**2)
P.<m,a,b>= PolynomialRing(Zmod(p))
f1=a*m+b-result[0]
f2=a*result[0]+b-result[1]
f3=a*result[1]+b-result[2]
G = Ideal([f1, f2, f3]).groebner_basis()
m=G[0]
flag=re.findall(r'\d+', str(m))
print(long_to_bytes(p-int(flag[0])))
解法二
from Crypto.Util.number import *
result =
t0=result[1]-result[0]
t1=result[2]-result[1]
t2=result[3]-result[2]
t3=result[4]-result[3]
p=GCD(t0*t2-t1**2,t1*t3-t2**2)
a=inverse(t0,p)*t1%p
b=(result[1]-a*result[0])%p
m=(result[0]-b)*inverse(a,p)%p
print(long_to_bytes(m))
#b'LitCTF{31fcd7832029a87f6c9f760fcf297b2f}'
Euler
c = m n − p − q + 3 m o d n 由欧拉定理知 m ( p − 1 ) ∗ ( q − 1 ) m o d n = 1 = > c = m 2 m o d n c=m^{n-p-q+3} modn \\由欧拉定理知m^{(p-1)*(q-1)}modn=1 \\=>c=m^2modn c=mn−p−q+3modn由欧拉定理知m(p−1)∗(q−1)modn=1=>c=m2modn
c =
import gmpy2
from Crypto.Util.number import *
print(long_to_bytes(gmpy2.iroot(c,2)[0]))
easy_math
解法一
from Crypto.Util.number import *
e=65537
n =
c =
hint =
var('p')
solve([p**8-n**5==hint*p**5],[p])
p=7321664971326604351487965655099805117568571010588695608389113791312918573783115429227542573780838065461696504325762281209452761930184231131129306271846427
q=n//p
d=inverse_mod(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(int(m)))
#b'LitCTF{f9fab7522253e44b48824e914d0801ba}'
在这里,在和M3thy1的讨论的中发现,如果将solve解方程的式子换成二元方程组
solve([p^3-q^5==hint,p*q==n],[p,q])
运行的结果即为
跑不出正确答案,对此我的理解是,由于sagemath的slove方程计算是基于计算机算法,运算能力有限,当出现数据过大,且数据出现多次幂的情况下,会有不止一个数据满足上述等式,可能会是无理数,下面是示例验证
p = getPrime(128)
q = getPrime(128)
n = p*q
hint = p**2-q
仅仅是在只有二次幂的情况下就会有多组数据满足此条件,证明猜想正确,一旦为多次幂且数据更大式,最好还是转为更低的一元进行求解。
解法二
p 3 > > q 5 − > h i n t ≈ p 3 高位是一样 p^3>>q^5 \\->hint\approx p^3 \\高位是一样 p3>>q5−>hint≈p3高位是一样
import gmpy2
from Crypto.Util.number import *
e=65537
n =
c =
hint =
p_=int(gmpy2.iroot(hint,3)[0])>>215
PR.<x> = PolynomialRing(Zmod(n))
f = x + p_*(2^215)
roots = f.small_roots(X=2^215, beta=0.7)[0]
p=int(roots+ p_*(2^215))
q=n//p
d=inverse_mod(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(int(m)))
b'LitCTF{f9fab7522253e44b48824e914d0801ba}'
此次的LitCTF题目都出的很好,师傅们都很棒(除了我,我出的题是lj题,弟弟水平还得提高(;´༎ຶД༎ຶ`) ),特外感谢探姬大大此次举办Litctf(o( ̄▽ ̄)ブ)。
有问题的地方欢迎大家一起来讨论呀