NSSCTF_SWPU freshman competition Crypto_wp

Posted by soulreaver on Sat, 23 Oct 2021 14:57:18 +0200

This is the wp and personal experience of the recurring title. There are many articles and wp that draw lessons from the boss. Here we won't paste links one by one

Crypto 8

Title:

73E-30U1&>V-H965S95]I<U]P;W=E<GT`

UUencode:

Uuencode is the conversion code between binary information and text information

Uuencode the input text in units of every three bytes, and repeat this process. If the last remaining text is less than three bytes, the insufficient part shall be filled with zeros. These three bytes have 24 bits in total and are divided into 4 groups in 6-bit units. Each group is represented in decimal system, and the value will only fall between 0 and 63. Adding 32 to each number produces a result that falls within the range of printable characters (32 white space... 95 bottom line) in the ASCII character set

Crypto 7

Title:

69f7906323b4f7d1e4e972acf4abfbfc, the results obtained were wrapped with NSSCTF {}.

From 0 to 9; a-f is not necessarily composed of hexadecimal conversion

It may also be md5 encrypted ciphertext; md5 encryption can be divided into 16 bit encryption or 32-bit encryption; The ciphertext here is 16 bits (which can be used as a judgment condition)

Crypto 5

Title:

flag= 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n= 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419

Try to decompose n, online websites and yafu are not allowed

But c here is very small relative to n;

from c = m e ( m o d n ) c = m^e (mod n) c=me(modn)

There are two situations:

m e > n : m^e > n: me>n:

c + k ∗ n = m e c + k * n = m^e c+k∗n=me

This will explode K; When c+k*n can be divided by e, it is m

m e < n : m^e < n: me<n:

c to the power of e is m

Because here e is also unknown; But the common e is generally 3. Try it instead, or blasting e can also be used

Code implementation:

import gmpy2
from Crypto.Util.number import *

c = 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n = 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419


e = 3 # hypothesis
k = 0 #Note that k starts from 0; Because it's also possible that m^e is less than n
while True:
    if gmpy2.iroot(c + k * n,e)[1]:
        m = gmpy2.iroot(c + k * n,e)[0]
        break
    else:
        k += 1
flag = long_to_bytes(m)
print(flag)
# if m**e < n:
#     print("s")

Crypto 3

Title:

from gmpy2 import *
from Crypto.Util.number import *
flag  = '******************'

p = getPrime(512)
q = getPrime(512)
m1 = bytes_to_long(bytes(flag.encode()))

n = p*q

flag1 = pow(m1,p,n)
flag2 = pow(m1,q,n)
print('flag1= '+str(flag1))
print('flag2= '+str(flag2))
print('n= '+str(n))


#flag1= 17893542812755845772427795161304049467610774531005620109503081344099161906017295486868699578946474114607624347167976713200068059018517606363517478396368430072890681401898145302336139240273132723451063402106360810413024642916851746118524166947301681245568333254648265529408446609050354235727237078987509705857
#flag2= 95580409405085606847879727622943874726633827220524165744517624606566789614499137069562997931972825651309707390763700301965277040876322904891716953565845966918293178547100704981251056401939781365264616997055296773593435626490578886752446381493929807909671245959154990639046333135728431707979143972145708806954
#n= 140457323583824160338989317689698102738341061967768153879646505422358544720607476140977064053629005764551339082120337223672330979298373653766782620973454095507484118565884885623328751648660379894592063436924903894986994746394508539721459355200184089470977772075720319482839923856979166319700474349042326898971

Observation topic

c 1 = m p   %   n = m p   %   ( p ∗ q ) c1 = m^p~\%~n = m^p~\%~(p*q) c1=mp % n=mp % (p∗q)​

c 2 = m q   %   n = m q   %   ( p ∗ q ) c2 = m^q ~\% ~ n = m^q~\%~(p*q) c2=mq % n=mq % (p∗q)​

So:

c 1   %   p = m p   ( m o d   p ) c1~\%~p = m^p~(mod~p) c1 % p=mp (mod p)

c 2   %   q = m q   ( m o d   q ) c2~\%~q = m^q~(mod~q) c2 % q=mq (mod q)

By Fermat's small theorem:

a p − 1 ≡ 1   ( m o d   p ) a^{p-1} \equiv 1 ~(mod~p) ap−1≡1 (mod p)

It can be seen that: p ) p) p)​

Available simultaneously:

c 1 ≡ m   ( m o d   p ) c1\equiv m~(mod~p) c1≡m (mod p)

c 2 ≡ m   ( m o d   q ) c2\equiv m~(mod~q) c2≡m (mod q)

That is:

c 1 = m + k 1 ∗ p c1 = m+k_1*p c1=m+k1​∗p

c 2 = m + k 2 ∗ q c2 = m+k_2*q c2=m+k2​∗q

therefore

c 1 ∗ c 2 = m 2 + m ∗ ( k 1 ∗ p + k 2 ∗ q ) + k 1 ∗ k 2 ∗ p ∗ q c1*c2 = m^2+m*(k_1*p+k_2*q)+k_1*k_2*p*q c1∗c2=m2+m∗(k1​∗p+k2​∗q)+k1​∗k2​∗p∗q

m ∗ ( c 1 + c 2 ) = 2 m 2 + m ∗ ( k 1 ∗ p + k 2 ∗ p ) m*(c1+c2) = 2m^2+m*(k_1*p+k_2*p) m∗(c1+c2)=2m2+m∗(k1​∗p+k2​∗p)

Two way offset:

m 2 − m ∗ ( c 1 + c 2 ) + c 1 ∗ c 2 = k 1 ∗ k 2 ∗ p ∗ q = k ∗ n ≡ 0   ( m o d   n ) m^2-m*(c1+c2)+c1*c2 = k_1*k_2*p*q=k*n\equiv0~(mod~n) m2−m∗(c1+c2)+c1∗c2=k1​∗k2​∗p∗q=k∗n≡0 (mod n)

Therefore, sagemath can be used to solve the congruence equation

#sagemath code
c1 = 17893542812755845772427795161304049467610774531005620109503081344099161906017295486868699578946474114607624347167976713200068059018517606363517478396368430072890681401898145302336139240273132723451063402106360810413024642916851746118524166947301681245568333254648265529408446609050354235727237078987509705857
c2 = 5580409405085606847879727622943874726633827220524165744517624606566789614499137069562997931972825651309707390763700301965277040876322904891716953565845966918293178547100704981251056401939781365264616997055296773593435626490578886752446381493929807909671245959154990639046333135728431707979143972145708806954
n = 140457323583824160338989317689698102738341061967768153879646505422358544720607476140977064053629005764551339082120337223672330979298373653766782620973454095507484118565884885623328751648660379894592063436924903894986994746394508539721459355200184089470977772075720319482839923856979166319700474349042326898971
 
PR.<m> = PolynomialRing(Zmod(n))
f = m^2-(c1+c2)*m+c1*c2
x0= f.small_roots(X=2^400) #After calculation, the range of m is within 2 ^ 400
for i in x0:
    print(i)

Get i, that is, m; Convert to bytes

Crypto 1

Title:

from gmpy2 import *
from Crypto.Util.number import *



flag  = '****************************'
flag = {"asfajgfbiagbwe"}
p = getPrime(2048)
q = getPrime(2048)
m1 = bytes_to_long(bytes(flag.encode()))

e1e2 = 3087
n = p*q
print()

flag1 = pow(m1,e1,n)
flag2 = pow(m1,e2,n)
print('flag1= '+str(flag1))
print('flag2= '+str(flag2))
print('n= '+str(n))


#flag1= 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594
#flag2= 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408
#n= 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437

Observation topic

The same m, different e, is much like a common mode attack;

However, the specific values of e1 and e2 are uncertain, and only the product is known;

Decompose the product of E1 and E2 to obtain 32 * 73

Because there are many combinations of this, e1 and e2 are not necessarily coprime

The principle of common mode attack:

c 1 x ∗ c 2 y ≡ m g c d ( e 1 , e 2 ) ( m o d n ) c1^x*c2^y\equiv m^{gcd(e1,e2)} (modn) c1x∗c2y≡mgcd(e1,e2)(modn)

among e 1 ∗ x + e 2 ∗ y = 1 e1*x + e2*y = 1 e1∗x+e2∗y=1

In the original application process, e1 and e2 are generally mutual prime; therefore g c d ( e 1 , e 2 ) = 1 gcd(e1,e2) = 1 gcd(e1,e2)=1

Here e1 and e2 are not necessarily coprime; Just bring in the maximum common divisor directly

Make the left side of the equation add k ∗ n k*n K * n is directly derived to obtain m; Where k is to be blasted

Code implementation:

import gmpy2
from Crypto.Util.number import *

flag1= 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594
flag2= 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408
n= 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437
e1e2 = 3087

fac = [3,3,7,7,7]
factor = [3,7,3*7,3*3,7*7,3*7*7,3*3*7,7*7*7,3*7*7*7,3*3*7*7]
for e1 in factor:
    if e1e2 % e1 == 0:
        e2 = e1e2 // e1
        _,s,t = gmpy2.gcdext(e1,e2)
        gcd = gmpy2.gcd(e1,e2)
        temp = pow(flag1,s,n) * pow(flag2,t,n) % n
        for k in range(2**20):
            temp2 = gmpy2.iroot(temp + k*n,gcd) 
            if temp2[1]:
                m = temp2[0]
                print(long_to_bytes(m))
                break

Topics: security