2024春秋杯密碼題第一、二天WP

你是小哈斯?

題目內容：

年輕黑客小符參加CTF大賽，他發現這個小哈斯文件的內容存在高度規律性，并且文件名中有隱藏信息，他成功找到了隱藏的信息，并破解了挑戰。得意地說：“成功在于探索與質疑，碰撞是發現真相的關鍵！”

#flag{game_cqb_isis_cxyz}
import hashlib
import itertools
import string
# 需要破解的 CRC 哈希值
hash_list = ["356a192b7913b04c54574d18c28d46e6395428ab","da4b9237bacccdf19c0760cab7aec4a8359010b0","77de68daecd823babbb58edb1c8e14d7106e83bb","1b6453892473a467d07372d45eb05abc2031647a","ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4","c1dfd96eea8cc2b62785275bca38ac261256e278","902ba3cda1883801594b6e1b452790cc53948fda","fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f","0ade7c2cf97f75d009975f4d720d1fa6c19f4897","b6589fc6ab0dc82cf12099d1c2d40ab994e8410c","3bc15c8aae3e4124dd409035f32ea2fd6835efc9","21606782c65e44cac7afbb90977d8b6f82140e76","22ea1c649c82946aa6e479e1ffd321e4a318b1b0","aff024fe4ab0fece4091de044c58c9ae4233383a","58e6b3a414a1e090dfc6029add0f3555ccba127f","4dc7c9ec434ed06502767136789763ec11d2c4b7","8efd86fb78a56a5145ed7739dcb00c78581c5375","95cb0bfd2977c761298d9624e4b4d4c72a39974a","51e69892ab49df85c6230ccc57f8e1d1606caccc","042dc4512fa3d391c5170cf3aa61e6a638f84342","7a81af3e591ac713f81ea1efe93dcf36157d8376","516b9783fca517eecbd1d064da2d165310b19759","4a0a19218e082a343a1b17e5333409af9d98f0f5","07c342be6e560e7f43842e2e21b774e61d85f047","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","54fd1711209fb1c0781092374132c66e79e2241b","60ba4b2daa4ed4d070fec06687e249e0e6f9ee45","d1854cae891ec7b29161ccaf79a24b00c274bdaa","7a81af3e591ac713f81ea1efe93dcf36157d8376","53a0acfad59379b3e050338bf9f23cfc172ee787","042dc4512fa3d391c5170cf3aa61e6a638f84342","a0f1490a20d0211c997b44bc357e1972deab8ae3","53a0acfad59379b3e050338bf9f23cfc172ee787","4a0a19218e082a343a1b17e5333409af9d98f0f5","07c342be6e560e7f43842e2e21b774e61d85f047","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","54fd1711209fb1c0781092374132c66e79e2241b","c2b7df6201fdd3362399091f0a29550df3505b6a","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","a0f1490a20d0211c997b44bc357e1972deab8ae3","3c363836cf4e16666669a25da280a1865c2d2874","4a0a19218e082a343a1b17e5333409af9d98f0f5","54fd1711209fb1c0781092374132c66e79e2241b","27d5482eebd075de44389774fce28c69f45c8a75","5c2dd944dde9e08881bef0894fe7b22a5c9c4b06","13fbd79c3d390e5d6585a21e11ff5ec1970cff0c","07c342be6e560e7f43842e2e21b774e61d85f047","395df8f7c51f007019cb30201c49e884b46b92fa","11f6ad8ec52a2984abaafd7c3b516503785c2072","84a516841ba77a5b4648de2cd0dfcb30ea46dbb4","7a38d8cbd20d9932ba948efaa364bb62651d5ad4","e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98","d1854cae891ec7b29161ccaf79a24b00c274bdaa","6b0d31c0d563223024da45691584643ac78c96e8","5c10b5b2cd673a0616d529aa5234b12ee7153808","4a0a19218e082a343a1b17e5333409af9d98f0f5","07c342be6e560e7f43842e2e21b774e61d85f047","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","54fd1711209fb1c0781092374132c66e79e2241b","60ba4b2daa4ed4d070fec06687e249e0e6f9ee45","54fd1711209fb1c0781092374132c66e79e2241b","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","6b0d31c0d563223024da45691584643ac78c96e8","58e6b3a414a1e090dfc6029add0f3555ccba127f","53a0acfad59379b3e050338bf9f23cfc172ee787","84a516841ba77a5b4648de2cd0dfcb30ea46dbb4","22ea1c649c82946aa6e479e1ffd321e4a318b1b0","e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98","53a0acfad59379b3e050338bf9f23cfc172ee787","042dc4512fa3d391c5170cf3aa61e6a638f84342","a0f1490a20d0211c997b44bc357e1972deab8ae3","042dc4512fa3d391c5170cf3aa61e6a638f84342","a0f1490a20d0211c997b44bc357e1972deab8ae3","53a0acfad59379b3e050338bf9f23cfc172ee787","84a516841ba77a5b4648de2cd0dfcb30ea46dbb4","11f6ad8ec52a2984abaafd7c3b516503785c2072","95cb0bfd2977c761298d9624e4b4d4c72a39974a","395df8f7c51f007019cb30201c49e884b46b92fa","c2b7df6201fdd3362399091f0a29550df3505b6a","3a52ce780950d4d969792a2559cd519d7ee8c727","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","a0f1490a20d0211c997b44bc357e1972deab8ae3","3c363836cf4e16666669a25da280a1865c2d2874","4a0a19218e082a343a1b17e5333409af9d98f0f5","54fd1711209fb1c0781092374132c66e79e2241b","27d5482eebd075de44389774fce28c69f45c8a75","5c2dd944dde9e08881bef0894fe7b22a5c9c4b06","13fbd79c3d390e5d6585a21e11ff5ec1970cff0c","07c342be6e560e7f43842e2e21b774e61d85f047","395df8f7c51f007019cb30201c49e884b46b92fa","11f6ad8ec52a2984abaafd7c3b516503785c2072","84a516841ba77a5b4648de2cd0dfcb30ea46dbb4","7a38d8cbd20d9932ba948efaa364bb62651d5ad4","e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98","d1854cae891ec7b29161ccaf79a24b00c274bdaa","6b0d31c0d563223024da45691584643ac78c96e8","5c10b5b2cd673a0616d529aa5234b12ee7153808","4a0a19218e082a343a1b17e5333409af9d98f0f5","07c342be6e560e7f43842e2e21b774e61d85f047","86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","54fd1711209fb1c0781092374132c66e79e2241b","60ba4b2daa4ed4d070fec06687e249e0e6f9ee45","54fd1711209fb1c0781092374132c66e79e2241b"
]candidates = set()
for i in range(10000):candidates.add(str(i))
lowercase = string.ascii_lowercase
for length in range(1, 4):for combo in itertools.product(lowercase, repeat=length):candidates.add("".join(combo))
uppercase = string.ascii_uppercase
for length in range(1, 4):for combo in itertools.product(uppercase, repeat=length):candidates.add("".join(combo))
symbols ="!@#$%^&*()-_=+[]{},.;:\"'`~<>?/\\|"
for sym in symbols:candidates.add(sym)
candidates.add(" ")
candidates.add("\t")
candidates.add("\n")
sha1_dict = {}
print("[*] 準備生成 SHA-1 字典，共有候選明文數量 =", len(candidates),"請稍候...")
for plain in candidates:h = hashlib.sha1(plain.encode("utf-8")).hexdigest()sha1_dict[h] = plain
print("[*] 字典生成完成。開始匹配...")
matched_plaintexts =""
for hval in hash_list:if hval in sha1_dict:matched_plaintexts += sha1_dict[hval]# 直接拼接print(f"{hval}=>{sha1_dict[hval]}")else:print(f"{hval}=> [未匹配]")
# 輸出拼接結果
print("\n[*] 匹配的明文拼接結果:")
print(matched_plaintexts)
print("[*] 匹配完成。若還有未匹配，則可進一步擴大字典或檢查是否有特殊格式。")

通往哈希的旅程

題目內容：

在數字城，大家都是通過是通過數字電話進行的通信,常見是以188開頭的11位純血號碼組成，亞歷山大抵在一個特殊的地方截獲一串特殊的字符串"ca12fd8250972ec363a16593356abb1f3cf3a16d"，通過查閱發現這個跟以前散落的國度有點相似，可能是去往哈希國度的。年輕程序員亞力山大抵對這個國度充滿好奇，決定破譯這個哈希值。在經過一段時間的摸索后，亞力山大抵憑借強大的編程實力成功破解，在輸入對應字符串后瞬間被傳送到一個奇幻的數據世界，同時亞力山大抵也開始了他的進修之路。(提交格式：flag{11位號碼}）

import hashlibtarget_hash ="ca12fd8250972ec363a16593356abb1f3cf3a16d"for num in range(18800000000,18900000000):num_str = str(num)hash_object = hashlib.sha1(num_str.encode())hash_value = hash_object.hexdigest()if hash_value == target_hash:print(f"找到匹配的號碼:{num_str}")break
else:print("未找到匹配的號碼")

EzRSA

題目內容：

小Xu截取到了敵方私鑰d的一部分比特，你能協助他恢復消息明文嗎?

from secret import flag
from Crypto.Util.number import *
import hashlib

p = getPrime(512)
q = getPrime(512)
N = p * q
e = getPrime(1023)
assert e < N
c = pow(bytes_to_long(flag), e, N)

print(f'{N = }')
print(f'{e = }')
print(f'{c = }')

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
k = (e * d - 1) // phi

dh = d >> 234
dl = d % pow(2, 24)
kh = k >> 999

hash224 = bytes_to_long(hashlib.sha224(long_to_bytes(dl)).digest())
hash512 = bytes_to_long(hashlib.sha512(long_to_bytes(kh)).digest())
leak = hash224 ^ hash512 ^ (k % pow(2, 512))

print(f'{dh = }')
print(f'{leak = }')

'''
N = 136118062754183389745310564810647775266982676548047737735816992637554134173584848603639466464742356367710495866667096829923708012429655117288119142397966759435369796296519879851106832954992705045187415658986211525671137762731976849094686834222367125196467449367851805003704233320272315754132109804930069754909
e = 84535510470616870286532166161640751551050308780129888352717168230068335698416787047431513418926383858925725335047735841034775106751946839596675772454042961048327194226031173378872580065568452305222770543163564100989527239870852223343451888139802496983605150231009547594049003160603704776585654802288319835839
c = 33745401996968966125635182001303085430914839302716417610841429593849273978442350942630172006035442091942958947937532529202276212995044284510510725187795271653040111323072540459883317296470560328421002809817807686065821857470217309420073434521024668676234556811305412689715656908592843647993803972375716032906
dh = 4640688526301435859021440727129799022671839221457908177477494774081091121794107526784960489513468813917071906410636566370999080603260865728323300663211132743906763686754869052054190200779414682351769446970834390388398743976589588812203933
leak = 12097621642342138576471965047192766550499613568690540866008318074007729495429051811080620384167050353010748708981244471992693663360941733033307618896919023
'''
?

from Crypto.Util.number import *
import hashlib
from sage.all import *N = 136118062754183389745310564810647775266982676548047737735816992637554134173584848603639466464742356367710495866667096829923708012429655117288119142397966759435369796296519879851106832954992705045187415658986211525671137762731976849094686834222367125196467449367851805003704233320272315754132109804930069754909
e = 84535510470616870286532166161640751551050308780129888352717168230068335698416787047431513418926383858925725335047735841034775106751946839596675772454042961048327194226031173378872580065568452305222770543163564100989527239870852223343451888139802496983605150231009547594049003160603704776585654802288319835839
c = 33745401996968966125635182001303085430914839302716417610841429593849273978442350942630172006035442091942958947937532529202276212995044284510510725187795271653040111323072540459883317296470560328421002809817807686065821857470217309420073434521024668676234556811305412689715656908592843647993803972375716032906
dh = 4640688526301435859021440727129799022671839221457908177477494774081091121794107526784960489513468813917071906410636566370999080603260865728323300663211132743906763686754869052054190200779414682351769446970834390388398743976589588812203933
leak = 12097621642342138576471965047192766550499613568690540866008318074007729495429051811080620384167050353010748708981244471992693663360941733033307618896919023def pq_add(p, q, leak):lp, lq  =len(p),len(q)tp0=int(p+(512-lp)*'0',2)tq0=int(q+(512-lq)*'0',2)tp1=int(p+(512-lp)*'1',2)tq1=int(q+(512-lq)*'1',2)if tp0 * tq0 > N or tp1 * tq1 <N:returnif lp == 512-unknown_bits:pq.append(tp0)returnt=int(leak[:2],2)if t==0:pq_add(p+'0',q+'0',leak[1:])if t==1:pq_add(p+'0',q+'0',leak[1:])pq_add(p+'1',q+'0','0'+leak[2:])pq_add(p+'0',q+'1','0'+leak[2:])if t==2:pq_add(p+'1',q+'0','1'+leak[2:])pq_add(p+'0',q+'1','1'+leak[2:])pq_add(p+'1',q+'1',leak[1:])if t==3:pq_add(p+'1',q+'1',leak[1:])dh=dh<<234
k1=(e*dh-1)//N+1
kh=k1>>999
hash512=bytes_to_long(hashlib.sha512(long_to_bytes(kh)).digest())unknown_bits=234+5for i in range(2**6):k2 = (k1 >> (512 + 6)<< (512 +6))+(i<<512)+(leak^hash512)paq=N+1-(e*dh-1)//k2pq=[]try:pq_add(p='',q='',leak=bin(paq)[2:])except:continuefor ph in pq:x=PolynomialRing(Zmod(N),'x').gen()f=ph+xres=f.monic().small_roots(X=2**unknown_bits,beta=0.49,epsilon=0.03)if res:p=int(f(res[0]))q=N//pprint(long_to_bytes(pow(c,inverse(e,(p-1)*(q-1)),N)))exit()

RSA1

from Crypto.Util.number import *
import uuid

p, q = [getPrime(512) for _ in range(2)]
N = p * q

flag = b'flag{' + str(uuid.uuid4()).encode() + b'}'
flag += bin(getPrime((1024 - bytes_to_long(flag).bit_length()) // 8)).encode()

m1 = bytes_to_long(flag)
m2 = bytes_to_long(''.join(chr((ord(i) + 3) % 128) for i in flag.decode()).encode())

e = getPrime(128)
c1 = pow(m1 * e, 2835, N)
c2 = pow(m2, 2025, N)
c3 = pow(m2, 2835, N) + e

print(f'{N = }')
print(f'{c1 = }')
print(f'{c2 = }')
print(f'{c3 = }')

'''
N = 176871561120476589165761750300633332586877708342448994506175624203633860119621512318321172927876389631918300184221082317741380365447197777026256405312212716630617721606918066048995683899616059388173629437673018386590043053146712870572300799479269947118251011967950970286626852935438101046112260915112568392601
c1 = 47280375006817082521114885578132104427687384457963920263778661542552259860890075321953563867658233347930121507835612417278438979006705016537596357679038471176957659834155694284364682759675841808209812316094965393550509913984888849945421092463842546631228640293794745005338773574343676100121000764021207044019
c2 = 176231410933979134585886078013933649498379873444851943224935010972452769899603364686158279269197891190643725008151812150428808550310587709008683339436590112802756767140102136304346001599401670291938369014436170693864034099138767167055456635760196888578642643971920733784690410395944410255241615897032471127315
c3 = 135594807884016971356816423169128168727346102408490289623885211179619571354105102393658249292333179346497415129785184654008299725617668655640857318063992703265407162085178885733134590524577996093366819328960462500124201402816244104477018279673183368074374836717994805448310223434099196774685324616523478136309
'''

Franklin-Reiter消息攻擊from Crypto.Util.number import *
from sage.all import*N = 176871561120476589165761750300633332586877708342448994506175624203633860119621512318321172927876389631918300184221082317741380365447197777026256405312212716630617721606918066048995683899616059388173629437673018386590043053146712870572300799479269947118251011967950970286626852935438101046112260915112568392601
c1 = 47280375006817082521114885578132104427687384457963920263778661542552259860890075321953563867658233347930121507835612417278438979006705016537596357679038471176957659834155694284364682759675841808209812316094965393550509913984888849945421092463842546631228640293794745005338773574343676100121000764021207044019
c2 = 176231410933979134585886078013933649498379873444851943224935010972452769899603364686158279269197891190643725008151812150428808550310587709008683339436590112802756767140102136304346001599401670291938369014436170693864034099138767167055456635760196888578642643971920733784690410395944410255241615897032471127315
c3 = 135594807884016971356816423169128168727346102408490289623885211179619571354105102393658249292333179346497415129785184654008299725617668655640857318063992703265407162085178885733134590524577996093366819328960462500124201402816244104477018279673183368074374836717994805448310223434099196774685324616523478136309
k=0
for i in range(30):if i!=130-42:k+=3*pow(2,i*8)else:k-=125*pow(2,i*8)
x=PolynomialRing(Zmod(N),'x').gen()
f=c2**7-(c3-x)**5
f=f.monic()
res=f.small_roots(X=2**128,beta=1,epsilon=0.05)
e=res[0]
def gcd(g1,g2):while g2:g1,g2=g2,g1%g2return g1.monic()
x=PolynomialRing(Zmod(N),'x').gen()
g1=(x*e)**2835-c1
g2=(x+k)**2025-c2
m1=int(-gcd(g1,g2)[0]) #m2=m1+k
i=0
while 1:m1+=Nflag=long_to_bytes(m1)if b'flag{' in flag:#print(f'{i = }')print(flag)breaki+=1

right_data

題目內容：

發奶龍的小朋友，你好啊。你要是再發你那個sm釀臭蟲奶龍表情包，我開小米su7創4你們

#官方的WP flag{087834ea-dcbf-488a-a713-e496b3130d40}

from tqdm import *modulus = 257def find(i, j):for t in range((modulus - 1) ** 2 - 1):if (i * coefs1[t] + j * coefs2[t]) % modulus == values[t]:return Falsereturn Truedef findflag():for i in range(1, modulus):for j in range(1, modulus):if find(i, j):return chr((j - i) % modulus)flag =""
with open("output.txt", "r") as f:for _ in trange(0,42):coefs1 = []coefs2 = []values = []for i in range((modulus - 1) ** 2 - 1):s = f.readline().replace("\n", "").split(" ")coefs1.append(int(s[0]))coefs2.append(int(s[1]))values.append(int(s[2]))flag += findflag()
print(flag)

factor

題目內容：

我是奶龍！我才是奶龍！我會噴火,你會嗎?

設a=n^(1/3)就有

p=a+xq=a+yr=a+z

import itertools
from Crypto.Util.number import *
import gmpy2
from tqdm import trangedef small_roots(f, bounds, m=1, d=None):if not d:d = f.degree()R = f.base_ring()N = R.cardinality()f /= f.coefficients().pop(0)f = f.change_ring(ZZ)G = []for i in range(m + 1):base = N**(m - i) * f**ifor shifts in itertools.product(range(d), repeat=f.nvariables()):g = base * prod([f.variables()[i]**shift for i, shift in enumerate(shifts)])G.append(g)B, monomials = G.coefficient_matrix()monomials = vector(monomials)factors = [monomial(*bounds) for monomial in monomials]for i, factor in enumerate(factors):B.rescale_col(i, factor)B = B.dense_matrix().LLL()B = B.change_ring(QQ)for i, factor in enumerate(factors):B.rescale_col(i, 1 / factor)H = []for h in filter(None, B * monomials):H.append(h)I = H.ideal()if I.dimension() == -1:H.pop()elif I.dimension() == 0:roots = []for root in I.variety(ring=ZZ):root = tuple(R(root[var]) for var in f.variables())roots.append(root)return rootsreturn []n = 5605777780127871552103278440489930168557569118966981388111283042550796167470265465148458919374665519335013101681890408413810351780671950283765145543168779446153786190869731166707967097095246677053262868926963631796027692694223765625053269102325714361312299011876036815423751522482629914361369303649193526946050137701205931577449326939722902280884984494828850611521784382097900268639648421100760612558110614208245291400961758972415881709281708443424129033685255718996719201537066717587527029554871540574867831957154286334639399985379381455084604901293000229526196544921067214723085504463673412082637877637982771445298815007769526806112008703908400170846707986989384244531990469279604588770393462375930699135443458952703826608237292999895910024613311408883134789788541751697007502656798556053417265191533053158952284994030769145926816478390761642058013769635850833893158830591398862163134753203291719549474871116653745337968227
R.<x,y,z>=Zmod(n)[]
n_ = int(gmpy2.iroot(n, 3)[0])
t = 2**3
P = []
for i in trange(t):for j in range(t):for k in range(t):f = (n_ + t * R.x + i) * (n_ + t * R.y + j) * (n_ + t * R.z + k)s = 342roots = small_roots(f, [2 ** s, 2 ** s, 2 ** s], m=1, d=3)if roots:a, b, c = [int(ii) * t + jj if int(ii).bit_length() <= 512 else int(n - ii) * t - jj for ii, jj in zip(roots[0], [i, j, k])]for l in [a, b, c]:p = n_ + lif n % p == 0:P.append(p)p = n_ - lif n % p == 0:P.append(p)
p, q, r = set(P)
d = inverse(65537, (p - 1) * (q - 1) * (r - 1))
c = 2998195560453407057321637509862236387961676411996988529185696118404592349869917006166370346762261303282478779647282039317061146533808487789458703169149689179547543732935053220010550004328207373171271534689897340156346458951776319267981966893926724550629182100766890856964207263709029611781806548130358294543573874132473259788387939849997550651614987993962540192023207354839106090274252125961835070701748643163379053118598595995782448140944376681636633592442158453965800439960134688017496184195454406927204485213436540382637720118180670197194949275760000729877093621741313147190401896114633643891311672542703928421032698499968701052818985292683628072129271790220674145955527935027879112279336148316425115255710066132502392447843608711463775710558880259205308541126041959858947252063815158749021817255637836170676726466347847422352280599210078359786387419424076245960344657767332883964636288493649066530215094453490169688507988
print(long_to_bytes(pow(c, d, n)))
#flag{24e33eda-f57c-42da-92c5-e0b39414cded}