yizhixiaojiuli-Blog

2025-hscctf-wp

2025-11-18T09:00:00.000Z

ancient

Base58 → Base62 → Base45 → Base85 → Base32 → Base64
按照这个顺序加密的，对着反向解密即可

密文:

RzVJVFlaSkZGUk1HV1daWkdOQ0RFNEpJSE5RWEdOS05ISlNHSTNCT0daWVVXS1pDRzQzV01UQ0NISkVTNElKQkdKUkZFUEpYRjVIVk0zMlpIQVpXNjQyTkdaSlRBNFMzR1pKVENPMllIVjJWWVRMQ0daTERDTVpYR0JURk1TMlpHQlRWR0xDWkdaS1ZRWUo1R0ZURVFRSlNHQlRGNFQyTUc1SVRHUURFSFU3REVZSkVHNVdFS1FEUEdKUEVJS1NYRzQ0RkNRU0lITkNIQ1NaUEdWWlc0UlJZR1pZSEdRVFBHSVVXSVMzQkc0M0RHMkJIRzQ0R1lLU0VHQlFBPT09PQ==

1	flag{cl@ss1cal_c1pher_@re_really_1nterest1ng}

题目：

from Crypto.Util.number import *
from gmpy2 import *
import random

get_context().precision = 2048

L = 5
S = getPrime(144)
a = getPrime(32)
b = random.randint(0, S - 1)

def split_and_pad_single_char_rule(msg, L):
    segments = []
    assert L >= 1
    pad_len = L - 1
    for char_idx, char_byte in enumerate(msg):
        char_ascii = char_byte
        pad_bytes = bytes([(char_ascii + i + 1) % 256 for i in range(pad_len)])
        seg_bytes = bytes([char_byte]) + pad_bytes
        segments.append(bytes_to_long(seg_bytes))
    return segments

def encrypt_segment(m_i, a, b, M):
    return (a * m_i + b) % M

flag = "flag{___________________}"
msg_bytes = flag.encode()
m_segments = split_and_pad_single_char_rule(msg_bytes, L)
c_segments = [encrypt_segment(mi, a, b, S) for mi in m_segments]

print(f"a = {a}")
print(f"S = {S}")
print(f"L = {L}")
print(f"C = {c_segments}")
print(f'M = {m_segments}')

'''
a = 3517115977
S = 13338196046628817705384101887069807236659077
L = 5
C = [6399813929853868574459915097120849511644924, 6399813929853868574460006087942330564102834, 6399813929853868574459839271436281967929999, 6399813929853868574459930262257763020387909, 6399813929853868574460233564996033195247609, 6399813929853868574460112243900725125303729, 6399813929853868574459111344864433548266719, 6399813929853868574459930262257763020387909, 6399813929853868574460036418216157581588804, 6399813929853868574459808941162454950444029, 6399813929853868574459111344864433548266719, 6399813929853868574460036418216157581588804, 6399813929853868574459808941162454950444029, 6399813929853868574460127409037638634046714, 6399813929853868574459096179727520039523734, 6399813929853868574459930262257763020387909, 6399813929853868574459899931983936002901939, 6399813929853868574460127409037638634046714, 6399813929853868574459945427394676529130894, 6399813929853868574459172005412087583238659, 6399813929853868574460097078763811616560744, 6399813929853868574459808941162454950444029, 6399813929853868574460188069585292669018654, 6399813929853868574459960592531590037873879, 6399813929853868574460188069585292669018654, 6399813929853868574459960592531590037873879, 6399813929853868574460263895269860212733579]
'''

解题思路:

很直白的一个题，把flag的每个字符都处理为长度5的字节段，填充字节的规则为：

第一个字节为flag的第i个字符
后面的字节为flag的第i个字符的ascii码加i再对256取模

然后对每个字节段 ( m_i ) 进行线性变换：

$c_i = (a \times m_i + b) \mod S$

给出了$a、S、L、C$,因为我们已知flag头，所以我们可以据此来回推出$b$,从而得到$M$。

exp:

#python
from Crypto.Util.number import *

a = 3517115977
S = 13338196046628817705384101887069807236659077
L = 5
C = [6399813929853868574459915097120849511644924, 6399813929853868574460006087942330564102834, 6399813929853868574459839271436281967929999, 6399813929853868574459930262257763020387909, 6399813929853868574460233564996033195247609, 6399813929853868574460112243900725125303729, 6399813929853868574459111344864433548266719, 6399813929853868574459930262257763020387909, 6399813929853868574460036418216157581588804, 6399813929853868574459808941162454950444029, 6399813929853868574459111344864433548266719, 6399813929853868574460036418216157581588804, 6399813929853868574459808941162454950444029, 6399813929853868574460127409037638634046714, 6399813929853868574459096179727520039523734, 6399813929853868574459930262257763020387909, 6399813929853868574459899931983936002901939, 6399813929853868574460127409037638634046714, 6399813929853868574459945427394676529130894, 6399813929853868574459172005412087583238659, 6399813929853868574460097078763811616560744, 6399813929853868574459808941162454950444029, 6399813929853868574460188069585292669018654, 6399813929853868574459960592531590037873879, 6399813929853868574460188069585292669018654, 6399813929853868574459960592531590037873879, 6399813929853868574460263895269860212733579]

def construct_m_from_char(char, L):
    char_ascii = ord(char)
    pad_len = L - 1
    pad_bytes = bytes([(char_ascii + i + 1) % 256 for i in range(pad_len)])
    seg_bytes = bytes([ord(char)]) + pad_bytes
    return bytes_to_long(seg_bytes)


known_chars = ['f', 'l', 'a', 'g']
derived_b = []
for idx, char in enumerate(known_chars):
    m_i = construct_m_from_char(char, L)
    b = (C[idx] - a * m_i) % S
    derived_b.append(b)


b = derived_b[0]
print(f"推导出的私钥b = {b}")

a_inv = inverse(a, S)

flag = ""
M = []
for c in C:
    m_i = ((c - b) % S) * a_inv % S
    M.append(m_i)
    seg_bytes = long_to_bytes(m_i)
    original_char = chr(seg_bytes[0])
    flag += original_char

print(flag)
#flag{s1gn_1n_t0geth5r_xixi}

where

题目：

from Crypto.Util.number import *
import random

flag = "flag{_______________________________}"
m = bin(bytes_to_long(flag.encode()))[2:]
p = getPrime(300)
q = getPrime(300)
n = p * q

R. = PolynomialRing(Zmod(n))

def gen(m):
    C = []
    for bit in m:
        if bit == '0':
            C.append(random.randint(1, n-1))
        else:
            x = random.randint(1, 2^80)
            y = random.randint(1, p-1)
            val = 65537 + x*(1-x) +(q - x)*y + (y + x)*(q + x)
            C.append(R(val))
    return C

c = gen(m)
print(f"n = {n}")
print(f"c = {c}")

output.txt太长了就不放出来了，想要的师傅可以去hscctf的靶场下载(虽然可能还没更新)

解题思路：
一个小decision:

1 2	0: c_i为mod(n)的随机数 1: c_i为65537 + x(1-x) +(q - x)y + (y + x)*(q + x) --> 65537 + qx + 2qy + x

我们可以发现对于1的方程模q下，会有一个80bit的小根x，所以copper会有解，而0则没有,所以我们可以以此做出decision

exp:

#sage
from Crypto.Util.number import *
n = 
c = 
flag = ""

PR. = PolynomialRing(Zmod(n))
for i in range(len(c)):
    f = x - c[i]
    res = f.small_roots(X=2^80,beta=0.49)
    if(res != []):
        flag += "1"
    else:
        flag += "0"


print(long_to_bytes(int(flag,2)))
#flag{where_1s_th5_flag_where}

stillRSA

题目：

from Crypto.Util.number import *
from gmpy2 import *


def gen():
    while(1):
        p1 = getPrime(128)
        p2 = getPrime(512)
        q2 = getPrime(512)
        s = q2 & ((1 << 56) - 1)
        q1 = 2 * p1 + s
        r1 = 2 * q1 + s
        if is_prime(q1) and is_prime(r1):
            n1 = p1 * q1 * r1
            n2 = p2 * q2
            break
    return n1,n2,p1,p2


n1,n2, p1, p2 = gen()
e = 65537

flag = "flag{---------------------------------------}".encode()
m1 = bytes_to_long(flag[: (len(flag)+1) // 2])
m2 = bytes_to_long(flag[(len(flag)+1) // 2 :])

c1 = powmod(m1, e, n1)
c2 = powmod(m2, e, n2)

gift = p2 >> 262

print(f"e = {e}")
print(f"n1 = {n1}")
print(f"n2 = {n2}")
print(f"c1 = {c1}")
print(f"c2 = {c2}")
print(f"p1 = {p1}")
print(f"gift = {gift}")

'''
e = 65537
n1 = 153535945724301761635048132162798014938917969845079448489545851494873442295873133893384411532854581537976576911336083
n2 = 84803188245030813883191077133506154725049469687779805365997839479650548017159380111143407950887981137367898417071670318175553216747909857623397932606557900805065642334402683077054566841962022705300815246585360967197421835628665369002004215185956537117678561509558467837953178340079218753108643544534307300779
c1 = 91344805342373294041484814707589753503672726499268929615405258196853851463816933913580106446612439099622637694719344
c2 = 65030067863230521561732635665855986696538207379818716373900645903663706519394086998921178373079966943522635174648820466855368885032783946013202871621053763074374114131710373913193434831822631037825109588592562599802388631816046111419285162200967000421088941791542557891726383026274591733889350668008350880276
p1 = 267735952598198080786845163083151774667
gift = 1068605981024067598428983610552162240530726981658336444437430658822896756780
'''

解题思路：
可以观察到这是一个双重RSA:

p1是一个128位的素数，p2和q2是一个512位的素数
s是q2的低56位
q1 = 2 * p1 + s
r1 = 2 * q1 + s

已知 $n_1$ 和 $p_1$，且 $q_1$、$r_1$ 均与 $p_1$ 相关，可在 $\mod(n_1 // p_1)$ 下通过 Copper 算法求解 $s$，进而还原 $q_1$ 和 $r_1$；
已知 $gift = p_2 >> 262$，且 $s$ 为 $q_2$ 的低 56 位，可通过以下方式还原 $p_2$ 的低 56 位：
$n_2 \times \text{inverse}(s, 2^{56}) \mod 2^{56}$
基于上述结果，再次通过 Copper 算法还原 $p_2$；
最终分别解两个 RSA 即可完成解题。

exp:

#sage
from Crypto.Util.number import *
from gmpy2 import *

e = 65537
n1 = 153535945724301761635048132162798014938917969845079448489545851494873442295873133893384411532854581537976576911336083
n2 = 84803188245030813883191077133506154725049469687779805365997839479650548017159380111143407950887981137367898417071670318175553216747909857623397932606557900805065642334402683077054566841962022705300815246585360967197421835628665369002004215185956537117678561509558467837953178340079218753108643544534307300779
c1 = 91344805342373294041484814707589753503672726499268929615405258196853851463816933913580106446612439099622637694719344
c2 = 65030067863230521561732635665855986696538207379818716373900645903663706519394086998921178373079966943522635174648820466855368885032783946013202871621053763074374114131710373913193434831822631037825109588592562599802388631816046111419285162200967000421088941791542557891726383026274591733889350668008350880276
p1 = 267735952598198080786845163083151774667
gift = 1068605981024067598428983610552162240530726981658336444437430658822896756780

PR. = PolynomialRing(Zmod(n1//p1))
f = (2*p1 + x)*(4*p1 + 3*x)
res1 = f.monic().small_roots(X=2^56,beta=0.4)
print(res1)
s = int(res1[0])
q1 = 2 * p1 + s
r1 = 2 * q1 + s
d1 = inverse(e , (p1 - 1)*(q1 - 1) * (r1 - 1))
m1 = powmod(c1, d1, n1)


p2l = n2 * inverse(s, 2 ** 56) % 2 ** 56
PR. = PolynomialRing(Zmod(n2))
g = gift * (2 ** 262) + x * 2 ** 56 + p2l
res2 = g.monic().small_roots(X=2^206,beta=0.4)
print(res2)
p2 = gift * (2 ** 262) + int(res2[0]) * 2 ** 56 + p2l
q2 = n2 // p2
d2 = inverse(e, (p2-1)*(q2-1))
m2 = powmod(c2, d2, n2)

print(long_to_bytes(m1) + long_to_bytes(m2))
#flag{Im_a_fw_that_only_crafts_RSA_challenges}

EZRSA

题目：

from Crypto.Util.number import *

def tran(n):
s_bin = bin(n)[2:]
bit_map = {'0': '10', '1': '01'}
p_bin = '11' + ''.join([bit_map[bit] for bit in s_bin[1:]])
return int(p_bin, 2)

def keygen(nbit):
while True:
s = getPrime(nbit)
p = tran(s)
if not isPrime(p):
continue
s_bin = bin(s)[2:].zfill(nbit)
q_bin = (s_bin[:nbit // 2]
 + '1' * (nbit // 2)
 + s_bin[nbit // 2:]
 + '1' * (nbit // 2))
q = int(q_bin, 2)
if isPrime(q):
return p,q

flag = "flag{____________________________}"
nbit = 256
p, q = keygen(nbit)
m = bytes_to_long(flag.encode())
e= 65537
n = p * q
c = pow(m, e, n)

print(f'n = {n}')
print(f'c = {c}')

"""
n = 97500437901440388417198788454954892885829765317271438600836638419723842224011100091990654907349042873594131382232421640267091732569264390052236076620148372084122607139079558728860385251369576795723604753566616558793072715394596559965112752835650808765911364805382628147988309718393764596614456741590220757591
c = 7738615614182124736230909980262535479827406389377664909203540758689122759528168600427345931034997504030657746278863273550729288326235414854206217548620396163736109673531409510422631464901846302450760457216706035370273167926580473904029057693564485585891556568420324605915383565319685765532478198539656924536
"""

我们可以发现:

先生成256位的素数s
p由256位的s，通过0变成10，1变成01的方式拓展成的512位的素数，其中首两位是11
q是前128的s+128位的1+后128位的s+128位的1得到的

解题思路：

很明显是一个剪枝问题，按照生成方式约束一下深搜即可

exp:

#python

from Crypto.Util.number import *

nbit = 256
e = 65537
n = 97500437901440388417198788454954892885829765317271438600836638419723842224011100091990654907349042873594131382232421640267091732569264390052236076620148372084122607139079558728860385251369576795723604753566616558793072715394596559965112752835650808765911364805382628147988309718393764596614456741590220757591
c = 7738615614182124736230909980262535479827406389377664909203540758689122759528168600427345931034997504030657746278863273550729288326235414854206217548620396163736109673531409510422631464901846302450760457216706035370273167926580473904029057693564485585891556568420324605915383565319685765532478198539656924536


def dfs(h, s_prefix, p_prefix):
    p_remain = 2 * nbit - len(p_prefix)
    p_max = int(p_prefix + "1" * p_remain, 2)
    p_min = int(p_prefix + "0" * p_remain, 2)

    s_half = nbit // 2
    s_len = len(s_prefix)
    s_remain = nbit - s_len

    if s_len <= s_half:
        q_pre0 = (s_prefix + "0" * (s_half - s_len)
                  + "1" * s_half
                  + "0" * s_half
                  + "1" * s_half)
        q_pre1 = (s_prefix + "1" * (s_half - s_len)
                  + "1" * s_half
                  + "1" * s_half
                  + "1" * s_half)
    else:
        s_pre128 = s_prefix[:s_half]
        s_suf_cur = s_prefix[s_half:]
        q_pre0 = (s_pre128 + "1" * s_half
                  + s_suf_cur + "0" * (s_half - (s_len - s_half))
                  + "1" * s_half)
        q_pre1 = (s_pre128 + "1" * s_half
                  + s_suf_cur + "1" * (s_half - (s_len - s_half))
                  + "1" * s_half)

    q_max = int(q_pre1, 2)
    q_min = int(q_pre0, 2)

    if q_max * p_max < n or q_min * p_min > n:
        return

    if h == nbit:
        p = p_max
        q = int(s_prefix[:s_half] + "1" * s_half + s_prefix[s_half:] + "1" * s_half, 2)

        if p * q != n:
            return
        if isPrime(p) and isPrime(q):
            phi = (p - 1) * (q - 1)
            d = inverse(e, phi)
            flag = long_to_bytes(pow(c, d, n))
            print(f"flag: {flag.decode()}")
            print(f"p = {p}")
            print(f"q = {q}")
            exit()
        return

    dfs(h + 1, s_prefix + "0", p_prefix + "10")
    dfs(h + 1, s_prefix + "1", p_prefix + "01")


dfs(1, s_prefix="1", p_prefix="11")
#flag{n1ce_th1s_RSA_I_can_do_it}

abg

题目：

from Crypto.Util.number import *

def ECC(bit):
    g = getPrime(bit)
    a = getPrime(bit)
    b = getPrime(bit)

    E = EllipticCurve(GF(g),[a,b])
    J = E.random_point()
    K = E.random_point()
    L = E.random_point()

    r = getPrime(bit // 2)
    k = getPrime(16)

    s  = r * J
    s1 = r * J + k * L
    s2 = r * k * J

    return L.xy(), s.xy(), s1.xy(), s2.xy(), K.xy()

def RSA(m, s, bit):
    p = getPrime(bit)
    q = getPrime(bit)
    rr = getPrime(bit)
    n = p * q

    gift = pow(rr, rr * (p-1), n)
    enc = pow(m, int(s), n)

    return gift, n, enc

flag = "flag{--------------------------------}"
m = bytes_to_long(flag.encode())

L, s, s1, s2, K = ECC(256)
gift, n, enc = RSA(m, abs(int(s[0] - s[1])), 512) 

print("L =", L)
print("s1 =", s1)
print("s2 =", s2)
print("K =", K)
print("enc =", enc)
print("gift =", gift)
print("n =", n)

'''
L = (5612832632021037413595021905856059690922175615680426850888866965067320107819, 44286844991960812568914524464365492264373223903614475371204877844888511445056)
s1 = (3105425529931638108939225244969805843864193431777172585017902596003213488900, 21204057924591170352686471525538286905154747896755584173932333298433282086561)
s2 = (17163600514231693116809112204202083823354850361231568034507586407851022654385, 54523130652066750636213932541583111123904814992668862332727980305098543395332)
K = (84626796737477467367556465702814556148204747766624017939626441693356336891461, 20412858373065309258609569831347478221615957387864164638932871773748933195219)
enc = 77779248799562415787538731320739960822457760506615718084036279480880899171418681853821326436404494983875803921684003465855970542931724878457768817162166413967384579329072032251210520838992258491716245608876204830909672245330785235016998427930933850050898878548191256398496024681498083646200326639489612460844
gift = 27203859362379532209762716293585970661584968016465564915669656593570376250661463300469214869975225133883120425672896040102408082124157996563344160198308488970094544684114508100388704667496464400261830996514109943777210955076236899363247079300339008914936852187908757699066223721473477803084358704291887973927
n = 99350851709648177478181442570691890135193362203180628334780894515389735176666242281991349782055218048443285160186921692026870729324336754641181928398906259668775047724023372863155472201773397077316170491389813660679924150036914095032544796724427607899057109320556570067643629947815982002736525967748207154359
'''

解题思路:
其实就是很直白的ECC+RSA,其中flag本质上是被RSA加密了，其中隐藏了加密指数为ECC上的一个点s的横纵坐标之差的绝对值
虽然没有给出abg，但是给出了四个点L, s1, s2, K，所以我们可以通过任意取两个点有:

$k_1 p = y_1^2 - \left(x_1^3 + a x_1 + b\right)$ $k_2 p = y_2^2 - \left(x_2^3 + a x_2 + b\right)$

之后我们可以通过$gcd(k_1, k_2)$再消除一些小因子来得到g，之后再还原a和b
又因为给出了 $gift = pow(rr, rr * (p-1), n)$ ,根据费马小定理我们可以得到 $rr^{(p-1)} ≡ 1 mod p$
所以我们可以通过$gcd(gift-1, n)$来得到p，之后解RSA即可

exp:

#sage
from Crypto.Util.number import *


L = (5612832632021037413595021905856059690922175615680426850888866965067320107819, 44286844991960812568914524464365492264373223903614475371204877844888511445056)
s1 = (3105425529931638108939225244969805843864193431777172585017902596003213488900, 21204057924591170352686471525538286905154747896755584173932333298433282086561)
s2 = (17163600514231693116809112204202083823354850361231568034507586407851022654385, 54523130652066750636213932541583111123904814992668862332727980305098543395332)
K = (84626796737477467367556465702814556148204747766624017939626441693356336891461, 20412858373065309258609569831347478221615957387864164638932871773748933195219)
enc = 77779248799562415787538731320739960822457760506615718084036279480880899171418681853821326436404494983875803921684003465855970542931724878457768817162166413967384579329072032251210520838992258491716245608876204830909672245330785235016998427930933850050898878548191256398496024681498083646200326639489612460844
gift = 27203859362379532209762716293585970661584968016465564915669656593570376250661463300469214869975225133883120425672896040102408082124157996563344160198308488970094544684114508100388704667496464400261830996514109943777210955076236899363247079300339008914936852187908757699066223721473477803084358704291887973927
n = 99350851709648177478181442570691890135193362203180628334780894515389735176666242281991349782055218048443285160186921692026870729324336754641181928398906259668775047724023372863155472201773397077316170491389813660679924150036914095032544796724427607899057109320556570067643629947815982002736525967748207154359

temp1 = (s2[1] ** 2 - s1[1] ** 2 - s2[0] ** 3 + s1[0] ** 3)
temp2 = (L[1] ** 2 - s2[1] ** 2 - L[0] ** 3 + s2[0] ** 3)
temp3 = (K[1] ** 2 - L[1] ** 2 - K[0] ** 3 + L[0] ** 3)
k1g = temp1 * (L[0] - s2[0]) - temp2 * (s2[0] - s1[0])
k2g = temp2 * (K[0] - L[0]) - temp3 * (L[0] - s2[0])
k3g = temp1 * (K[0] - L[0]) - temp3 * (s2[0] - s1[0])
g = GCD(k1g, k2g)
g = GCD(g, k3g)

for i in range(2,1000):
        while(g % i == 0):
            g //= i
a = inverse(s2[0]-s1[0],g)*temp1 % g
b = (s1[1] ** 2 - s1[0]**3-a*s1[0]) % g

E = EllipticCurve(GF(g),[a,b])
L = E(L)
s1 = E(s1)
s2 = E(s2)

base = L
k = 0
for j in range(2, 1000000):
    base += L
    if (s1 - base) * j == s2:
           k = j
           break
assert (s1 - k * L) * j == s2

s = s1 - k * L

e = abs(int(s[0] - s[1]))
p = GCD((gift - 1), n)
q = n // p
d = inverse(e, (p-1)*(q-1))
m = pow(enc, d, n)
print(long_to_bytes(int(m)))
#flag{this_1s_a_so_EZ_Ecc_and_RSA_}

math

题目：

from Crypto.Util.number import *


def gen_rev_sum(m,p):
    sum = 0
    round = 0
    while m > 0:
        digit = m % p
        if round % 2 == 0:
            sum -= digit
        else:
            sum += digit
        m = m // p
        round += 1
    return sum // 2025


e = 65537
p = getPrime(256)
q = getPrime(256)
n = p*q

m1 = getRandomNBitInteger(2048)
m2 = getRandomNBitInteger(2048)
sum1 = gen_rev_sum(m1, p)
sum2 = gen_rev_sum(m2, p)

flag = "flag{--------------------------}"
m = bytes_to_long(flag.encode())

print("m1 =",m1)
print("m2 =",m2)
print("sum1 =",sum1)
print("sum2 =",sum2)
print("n =",n)
print("c =",pow(m,e,n))

'''
m1 = 17322548249387769406385507000191215801044910756841784387283679508067232037647009879640247663005640315645559929483973978388785385751219073137080976227046261663059832428571101292873255962114141666488474602734594597852331665601154571683480014721045567844719377268571343706508041194359642732322649799872642255094259428635455750138217286588825326703937255171250131117864604764478573786940615096044575610751081788573681131616312486987096717266320380202191909867687322859634487150465591581523036586129341984826904474237818210411872793917742756628712320922128969576851582027757934655202892557206052328142121974846460835879379
m2 = 29770749505949559271464509877642735633388289947852331255230201935471628731047838190019590503471311260422939188831886032391799282413808339483805109656799786202448656409753608524222447399741340441803183979217817801933166848028113568228217090419247166878248450792302177597130681740006379413412297487888656975884867850858832779733076818160854085244264177562471933684902341628858046181331683501978826962693104997686104748486850900546849316714934730338449894336151567737740558472664876717516650156395237362632196760323299658988296623556674223583771795447537227301625104687705109034611911834940501083977979641467845119043780
sum1 = -108877560874638575191632670246326227208412819991287356983577291185528002487
sum2 = -47122048431044787786292644180145597499319125719652288525187634667738055282
n = 9020951256034058214321622067945640395058903219618790136239198219605516437223449048642101160150934286238922049363203171871230111420670637737169565825694393
c = 3323425622556846027480153848276857423081641901016156494250966280342935316300495906916254739461788219592704051961044937129981786472345610933524261214506540
e = 65537
'''

解题思路:

题目把两个随机数m1,m2表示为:

$m = -a_0 * p^0 + a_1 * p^1 - a_2 * p^2 + ... + d_n * p^n$

因为 $p \equiv -1 \pmod{p+1}$
那么m可以表示为:

$m \equiv a_0 * (-1)^0 + a_1 * (-1)^1 + a_2 * (-1)^2 + ... + d_n * (-1)^n \pmod{p+1}$

那么就有 $m + sum = k*p$,所以只需要求一下gcd即可，由于给出的sum//2025，可能会有误差还原的时候还需要进行一下小爆破即可

exp:

#python
from Crypto.Util.number import *
from tqdm import *

m1 = 17322548249387769406385507000191215801044910756841784387283679508067232037647009879640247663005640315645559929483973978388785385751219073137080976227046261663059832428571101292873255962114141666488474602734594597852331665601154571683480014721045567844719377268571343706508041194359642732322649799872642255094259428635455750138217286588825326703937255171250131117864604764478573786940615096044575610751081788573681131616312486987096717266320380202191909867687322859634487150465591581523036586129341984826904474237818210411872793917742756628712320922128969576851582027757934655202892557206052328142121974846460835879379
m2 = 29770749505949559271464509877642735633388289947852331255230201935471628731047838190019590503471311260422939188831886032391799282413808339483805109656799786202448656409753608524222447399741340441803183979217817801933166848028113568228217090419247166878248450792302177597130681740006379413412297487888656975884867850858832779733076818160854085244264177562471933684902341628858046181331683501978826962693104997686104748486850900546849316714934730338449894336151567737740558472664876717516650156395237362632196760323299658988296623556674223583771795447537227301625104687705109034611911834940501083977979641467845119043780
sum1 = -108877560874638575191632670246326227208412819991287356983577291185528002487
sum2 = -47122048431044787786292644180145597499319125719652288525187634667738055282
n = 9020951256034058214321622067945640395058903219618790136239198219605516437223449048642101160150934286238922049363203171871230111420670637737169565825694393
c = 3323425622556846027480153848276857423081641901016156494250966280342935316300495906916254739461788219592704051961044937129981786472345610933524261214506540
e = 65537

for i in trange(2025):
        for j in range(2025):
            sum1_ = sum1*2025+i
            sum2_ = sum2*2025+j
            kp = GCD(m1 + sum1_, m2 + sum2_)
            if kp > 2 ** 255:
                for k in range(1, 10000):
                    if (kp % k == 0):
                        p = kp // k - 1
                        if (isPrime(p) and len(bin(p)[2:]) == 256):
                            q = n // p
                            d = inverse(e, (p - 1) * (q - 1))
                            print(long_to_bytes(pow(c, d, n)))
                            break
#flag{Reverse_Sum_Mod_p+i_GCD_2025!}

1ZRSA

题目：

from Crypto.Util.number import *
from gmpy2 import *
import random

def RSA(m,nbit):
    while True:
        p, q, e = getPrime(nbit), getPrime(nbit), getPrime(nbit)
        n = p * q
        phi_n = (p - 1) * (q - 1)
        d = int(inverse(e, phi_n))
        if len(bin(d)[2:]) == 1024:
            break

    keep_bits = nbit * 2 - 100
    mask = int((1 << keep_bits) - 1)
    d_ = d & mask
    c = powmod(m, e, n)
    return c,n,e,d_

def gen(nbit):

    c, n, e, d_ = RSA(m, nbit)
    N = getPrime(nbit * 2)
    t = random.randint(1, nbit * 2 - 1)
    C = [random.randint(0, N - 1) for _ in range(t - 1)] + [powmod(d_,1,N)]
    R. = GF(N)[]
    f = R(0)
    for i in range(t):
        f += x ** (t - i - 1) * C[i]
    enc = [(a, f(a)) for a in [random.randint(1, N - 1) for _ in range(t)]]

    with open("output.txt", "w", encoding="utf-8") as f_out:
        f_out.write(f"c = {c}\n")
        f_out.write(f"n = {n}\n")
        f_out.write(f"e = {e}\n")
        f_out.write(f"N = {N}\n")
        f_out.write(f"enc = {enc}\n")

flag = "flag{-------------------------------}"
m = bytes_to_long(flag.encode())

if __name__ == "__main__":
    gen(512)

output.txt太长了就不放出来了，想要的师傅可以去hscctf的靶场下载(虽然可能还没更新)

有空再补

2025-SWPU-NSSCTF-秋季招新入门训练赛-wp

2025-08-29T09:00:00.000Z

偶然看到nss上的新生赛，正好也快有新生入学了，写一下wp吧
ps：这里面好多litctf的题，23年还是新手的时候打过写过wp，没想到现在又会写一遍，怪感慨的

happy

题目：

('c=', '0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9eL')
('e=', '0x872a335')
#q + q*p^3 =1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586
#qp + q *p^2 = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594

定义 A、B
$A = q + q \cdot p^3$，$B = q \cdot p + q \cdot p^2$
化简 A、B
- A 提取公因子并应用立方和公式：
  $A = q \cdot (1 + p^3) = q \cdot (1 + p) \cdot (p^2 - p + 1)$
- B 提取公因子：
  $B = q \cdot p \cdot (1 + p)$
计算 A/B
消去公共项 $q \cdot (1 + p)$：
$\frac{A}{B} = \frac{p^2 - p + 1}{p} = p - 1 + \frac{1}{p}$
- 整数商：$A // B = p - 1$
- 余数：$A \mod B$ 对应分数部分
求解素数 p
设 $c = A \mod B$，由 $\frac{B}{p} = c$ 得：
$p = B // c$（整数除法）
求解素数 q
代入 $B = q \cdot p \cdot (1 + p)$ 得：
$q = B // [p \cdot (1 + p)]$（整数除法）

exp:

# happy
# python
A = 1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586
B = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594
e_hex = "0x872a335"
c_hex = "0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9e"
e = int(e_hex, 16)
c = int(c_hex, 16)

quotient = A // B
remainder = A % B

p = B // remainder
q = B // (p*(1+p))
n = p*q
d = inverse(e, n - p - q + 1)
print("happy:",long_to_bytes(powmod(c, d, n)))
#flag{happy_rsa_1}

crypto1

题目:

from gmpy2 import *
from Crypto.Util.number import *



flag  = '****************************'
p = getPrime(2048)
q = getPrime(2048)
m1 = bytes_to_long(bytes(flag.encode()))

e1e2 = 3087
n = p*q
print()

flag1 = pow(m1,e1,n)
flag2 = pow(m1,e2,n)
print('flag1= '+str(flag1))
print('flag2= '+str(flag2))
print('n= '+str(n))


#flag1= 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594
#flag2= 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408
#n= 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437

共模攻击适用场景：两组公钥对同一消息加密，且公钥的 $n$ 相同。
共模攻击原理：
1. 由裴蜀定理：$ax + by = \gcd(a,b)$，可得 $s_1e_1 + s_2e_2 = \gcd(e_1,e_2)$
2. 推导过程： $\begin{align*}c_1^{s_1} \cdot c_2^{s_2} &\equiv (m^{e_1})^{s_1} \cdot (m^{e_2})^{s_2} \pmod{n} \\&\equiv m^{s_1e_1 + s_2e_2} \pmod{n} \\&\equiv m^{\gcd(e_1,e_2)} \pmod{n}\end{align*}$
3. 前提条件：$m^t \ll n$（$t = \gcd(e_1,e_2)$）
- gmpy2 库函数：$ gcdext(e1,e2) = (t, s1, s2)$，其中 $t = gcd(e1,e2)$
- 由于这里给的是 $e_1e_2$，所以需要爆破分解一下来得到 $e_1$ 和 $e_2$

exp:

e1e2 = 3087
flag1= 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594
flag2= 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408
n= 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437
for e1 in range(2, e1e2):
    if e1e2 % e1 == 0:
        e2 = e1e2 // e1
        t, s1, s2 = gcdext(e1, e2)
        m = iroot((powmod(flag1,s1,n)*powmod(flag2,s2,n)) % n, t)
        if m[1]:
            if long_to_bytes(m[0]).startswith(b'NSSCTF{'): # 知道flag头，过滤非flag，不知道就输出全部找flag
                print(long_to_bytes(m[0]))
#NSSCTF{d64dba66-b608-4255-b888-0b0f25c2f90e}

crypto2

题目:

from gmpy2 import *
from Crypto.Util.number import *



flag  = '***************'

p = getPrime(512)
q = getPrime(512)
m1 = bytes_to_long(bytes(flag.encode()))


n = p*q
e1 = getPrime(32)
e2 = getPrime(32)
print()

flag1 = pow(m1,e1,n)
flag2 = pow(m1,e2,n)
print('flag1= '+str(flag1))
print('flag2= '+str(flag2))
print('e1= ' +str(e1))
print('e2= '+str(e2))
print('n= '+str(n))


#flag1= 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280
#flag2= 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075
#e1= 3247473589
#e2= 3698409173
#n= 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313

$共模攻击最基础的形式两个e互素$
exp:

flag1= 100156221476910922393504870369139942732039899485715044553913743347065883159136513788649486841774544271396690778274591792200052614669235485675534653358596366535073802301361391007325520975043321423979924560272762579823233787671688669418622502663507796640233829689484044539829008058686075845762979657345727814280
flag2= 86203582128388484129915298832227259690596162850520078142152482846864345432564143608324463705492416009896246993950991615005717737886323630334871790740288140033046061512799892371429864110237909925611745163785768204802056985016447086450491884472899152778839120484475953828199840871689380584162839244393022471075
e1= 3247473589
e2= 3698409173
n= 103606706829811720151309965777670519601112877713318435398103278099344725459597221064867089950867125892545997503531556048610968847926307322033117328614701432100084574953706259773711412853364463950703468142791390129671097834871371125741564434710151190962389213898270025272913761067078391308880995594218009110313
_, s1, s2 = gcdext(e1, e2)
m = (powmod(flag1, s1, n)*(powmod(flag2, s2, n))) % n
print(long_to_bytes(m))
#NSSCTF{xxxxx******xxxxx}

crypto4

题目:

from gmpy2 import *
from Crypto.Util.number import *

flag  = '**********'

p = getPrime(512)
q = next_prime(p)
m1 = bytes_to_long(bytes(flag.encode()))


e = 0x10001
n = p*q


flag1 = pow(m1,e,n)
print('flag= '+str(flag1))
print('n= '+str(n))


flag= 10227915341268619536932290456122384969242151167487654201363877568935534996454863939953106193665663567559506242151019201314446286458150141991211233219320700112533775367958964780047682920839507351492644735811096995884754664899221842470772096509258104067131614630939533042322095150722344048082688772981180270243
n= 52147017298260357180329101776864095134806848020663558064141648200366079331962132411967917697877875277103045755972006084078559453777291403087575061382674872573336431876500128247133861957730154418461680506403680189755399752882558438393107151815794295272358955300914752523377417192504702798450787430403387076153

我们可以发现用于加密的素数他们两个是相邻的, 我们知道$\sqrt{n}$是p和q的几何平均值，很容易知道$\sqrt{n}$为p和q的中间值，

$p< \sqrt{n} < q$

exp:

flag= 10227915341268619536932290456122384969242151167487654201363877568935534996454863939953106193665663567559506242151019201314446286458150141991211233219320700112533775367958964780047682920839507351492644735811096995884754664899221842470772096509258104067131614630939533042322095150722344048082688772981180270243
n= 52147017298260357180329101776864095134806848020663558064141648200366079331962132411967917697877875277103045755972006084078559453777291403087575061382674872573336431876500128247133861957730154418461680506403680189755399752882558438393107151815794295272358955300914752523377417192504702798450787430403387076153

temp = iroot(n, 2)[0]
q = next_prime(temp)
p = n // q
d = inverse(65537, n - p - q + 1)
print(long_to_bytes(powmod(flag, d, n)))
#NSSCTF{no_why}

crypto6

题目:

var="************************************"
flag='NSSCTF{' + base64.b16encode(base64.b32encode(base64.b64encode(var.encode()))) + '}'
print(flag)

小明不小心泄露了源码，输出结果为：4A5A4C564B36434E4B5241544B5432454E4E32465552324E47424758534D44594C4657564336534D4B5241584F574C4B4B463245365643424F35485649534C584A5A56454B4D4B5049354E47593D3D3D，你能还原出var的正确结果吗？

base16
base32
base64
exp:

c = "4A5A4C564B36434E4B5241544B5432454E4E32465552324E47424758534D44594C4657564336534D4B5241584F574C4B4B463245365643424F35485649534C584A5A56454B4D4B5049354E47593D3D3D"
base32_bytes = bytes.fromhex(c)
base64_bytes = base64.b32decode(base32_bytes)
var = base64.b64decode(base64_bytes).decode("utf-8")
print("还原的var：", var)
#5e110989-dc43-1bd3-00b4-9009206158fe

crypto7

1
2
3

#69f7906323b4f7d1e4e972acf4abfbfc,得到的结果用NSSCTF{}包裹。
md5在线解密即可
#md5yyds

拟态签到题

1
2
3

#ZmxhZ3tHYXFZN0t0RXRyVklYMVE1b1A1aUVCUkNZWEVBeThyVH0=
base64
#flag{GaqY7KtEtrVIX1Q5oP5iEBRCYXEAy8rT}

这是base?

题目:

1
2
3

#dict:{0: 'J', 1: 'K', 2: 'L', 3: 'M', 4: 'N', 5: 'O', 6: 'x', 7: 'y', 8: 'U', 9: 'V', 10: 'z', 11: 'A', 12: 'B', 13: 'C', 14: 'D', 15: 'E', 16: 'F', 17: 'G', 18: 'H', 19: '7', 20: '8', 21: '9', 22: 'P', 23: 'Q', 24: 'I', 25: 'a', 26: 'b', 27: 'c', 28: 'd', 29: 'e', 30: 'f', 31: 'g', 32: 'h', 33: 'i', 34: 'j', 35: 'k', 36: 'l', 37: 'm', 38: 'W', 39: 'X', 40: 'Y', 41: 'Z', 42: '0', 43: '1', 44: '2', 45: '3', 46: '4', 47: '5', 48: '6', 49: 'R', 50: 'S', 51: 'T', 52: 'n', 53: 'o', 54: 'p', 55: 'q', 56: 'r', 57: 's', 58: 't', 59: 'u', 60: 'v', 61: 'w', 62: '+', 63: '/', 64: '='}

#chipertext:FlZNfnF6Qol6e9w17WwQQoGYBQCgIkGTa9w3IQKw

换表base64，表也给了直接写一下即可，懒得写了ai写的exp

exp:

encode_dict = {
    0: 'J', 1: 'K', 2: 'L', 3: 'M', 4: 'N', 5: 'O', 6: 'x', 7: 'y', 8: 'U', 9: 'V',
    10: 'z', 11: 'A', 12: 'B', 13: 'C', 14: 'D', 15: 'E', 16: 'F', 17: 'G', 18: 'H',
    19: '7', 20: '8', 21: '9', 22: 'P', 23: 'Q', 24: 'I', 25: 'a', 26: 'b', 27: 'c',
    28: 'd', 29: 'e', 30: 'f', 31: 'g', 32: 'h', 33: 'i', 34: 'j', 35: 'k', 36: 'l',
    37: 'm', 38: 'W', 39: 'X', 40: 'Y', 41: 'Z', 42: '0', 43: '1', 44: '2', 45: '3',
    46: '4', 47: '5', 48: '6', 49: 'R', 50: 'S', 51: 'T', 52: 'n', 53: 'o', 54: 'p',
    55: 'q', 56: 'r', 57: 's', 58: 't', 59: 'u', 60: 'v', 61: 'w', 62: '+', 63: '/', 64: '='
}

decode_dict = {v: k for k, v in encode_dict.items()}
ciphertext = "FlZNfnF6Qol6e9w17WwQQoGYBQCgIkGTa9w3IQKw"


def custom_base64_decode(s):
    values = [decode_dict[c] for c in s]

    padding = 0
    if values and values[-1] == 64:
        padding = 1
        if len(values) > 1 and values[-2] == 64:
            padding = 2

    # 移除填充字符
    values = [v for v in values if v != 64]

    # 将数值转换为6位二进制字符串，不足6位的在前面补0
    bits = []
    for v in values:
        bits.append(format(v, '06b'))

    # 合并所有二进制位
    all_bits = ''.join(bits)

    # 按8位分割成字节
    bytes_list = []
    for i in range(0, len(all_bits) - (len(all_bits) % 8), 8):
        byte_bits = all_bits[i:i + 8]
        if len(byte_bits) == 8:  # 确保是完整的8位
            bytes_list.append(int(byte_bits, 2))

    # 根据填充数量移除相应的字节
    if padding > 0:
        bytes_list = bytes_list[:-padding]

    # 转换为字符串并返回
    return bytes(bytes_list).decode('utf-8', errors='replace')

plaintext = custom_base64_decode(ciphertext)
print("解密结果:", plaintext)
#BJD{D0_Y0u_kNoW_Th1s_b4se_map}

谁懂啊RSA签到题都不会

题目:

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''

嗯，就是RSA的签到题，给了p和q直接解密即可

exp:

p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
n = p*q
d = inverse(65537, n - p - q + 1)
print(long_to_bytes(powmod(c, d, n)))
#LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}

Bigrsa

题目:

from Crypto.Util.number import *
from flag import *

n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n1)
c = pow(c, e, n2)

print("c = %d" % c)

# output
# c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264

其实就是双重RSA,$n_1$和$n_2$都能分解,分解后直接解密即可
exp:

n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
p1 = 10169921435575123642561867469669552661717864247752251361375671837367086221354750692635829007786009042729357644276462913457660789233674358081650339142863821
q1 = 10210039189276167395636779557271057346691950991057423589319031237857569595284598319093522326723650646963251941930167018746859556383067696079622198265424441
p2 = 10210039189276167395636779557271057346691950991057423589319031237857569595284598319093522326723650646963251941930167018746859556383067696079622198265424441
q2 = 11300955505231233842374743324817494386700809291852528704864397779486924493760947925710590633254027339824598181322986060728301639209174112581120081509548753

d2 = inverse(e, n2 - p2 - q2 + 1)
d1 = inverse(e, n1 - p1 - q1 + 1)
print(long_to_bytes(powmod(powmod(c,d2, n2), d1, n1)))
#SangFor{qSccmm1WrgvIg2Uq_cZhmqNfEGTz2GV8}

MD5的破解

题目:

from Crypto.Util.number import *
from hashlib import md5
from secret import flag

#flag全是由小写字母及数字组成
m=md5(flag).hexdigest()
print(flag[:13]+flag[15:18]+flag[19:34]+flag[35:38])
print(m)
# b'LitCTF{md5can3derypt213thoughcrsh}'
# 496603d6953a15846cd7cc476f146771

题目泄露了绝大多数的明文和完整的明文 md5,我们只需要爆破未知明文之后再进行 md5 碰撞(也就是遍历可能明文再进行md5与已知的md5对比)即可。

exp:

known_part = "LitCTF{md5can3derypt213thoughcrsh}"
md5_hash = "496603d6953a15846cd7cc476f146771"
# 我们需要找到 flag[13:15], flag[18:19], flag[34:35]
chars = 'abcdefghijklmnopqrstuvwxyz0123456789'

def find_flag():
    for part1 in itertools.product(chars, repeat=2):
        p1 = ''.join(part1)
        for c2 in chars:
            for c3 in chars:
                flag = f"{known_part[:13]}{p1}{known_part[13:16]}{c2}{known_part[16:31]}{c3}{known_part[31:]}"
                hashed = hashlib.md5(flag.encode()).hexdigest()
                if hashed == md5_hash:
                    print(flag)
                    return flag
    print("未找到匹配的flag")
    return None

if __name__ == "__main__":
    find_flag()
#LitCTF{md5can123dexrypt213thoughcrpsh}

Vigenère

密文:

Yzyj ia zqm Cbatky kf uavin rbgfno ig hnkozku fyyefyjzy sut gha pruyte gu famooybn bhr vqdcpipgu jaaju obecu njde pupfyytrj cpez cklb wnbzqmr ntf li wsfavm azupy nde cufmrf uh lba enxcp, tuk uwjwrnzn inq ksmuh sggcqoa zq obecu zqm Lncu gz Jagaam aaj qx Hwthxn'a Gbj gfnetyk cpez, g fwwang xnapriv li phr uyqnvupk ib mnttqnq xgioerry cpag zjws ohbaul drinsla tuk liufku obecu ovxey zjwg po gnn aecgtsneoa.

Cn poyj vzyoe gxdbhf zq ty oeyl-ndiqkpl, ndag gut mrt cjy yrrgcmd rwwsf, phnz cpel gtw yjdbcnl bl zjwcn Cekjboe cklb yeezjqn htcdcannhum Rvmjlm, phnz juoam vzyoe nxn Tisk, Navarge jvd gng honshoc wf Ugrhcjefy. — Cpag zq kyyuek cpefk taadtf, Mxdeetowhps nxn qnfzklopeq gvwnt Sgf, xarvbrvg gngal fufz ywwrxu xlkm gnn koaygfn kf gnn ooiktfyz, — Tugc ehrtgnyn aae Owrz uh Yireetvmng hguiief jnateaelcre bl cpefk gfxo, ig ob bhr Xkybp os zqm Prurdy po nrcmr bx vg uxoyobp ig, gpv nk iaycqthzg fys Gbbnznzkpl, fwyvtp qtf lqmhzagoxv oa ywub lrvtlqpyku shz oemjvimopy cps cufmrf op koyh suau, af zq lbam fnjtl fkge gksg rrseye vg ybfric bhrot Kubege jvd Ugrhcjefy. Yzuqkpuy, enqknl, wvrn vcytnzn bhnz Igparasnvtf rqfa asggktifngv mdohrm vog hg ubwntkm noe rkybp aaj czaaykwhp cnabms; ntf swyoejrvgye cdf axckaqeaig zuph fnnen gncl gwnxowl aek ogla dvyywsrj vg mqfska, ehvrg wpelf gam shlhwlwbyk cpaa zq jcchg zqmmfknnyo bl gkwlvyjahc tuk owrzy vg qdipn cpel gtw uychycwmrj. Dmn shrt j toam vjuen bl jjufku shz ufaaxagoqfm, lueydqnt opnuninhug tuk usga Oopnkt rbkfwas n jnaitt vg ladhin bhrs wfxar nhbwlhzg Vyopbzram, vz kk ndevx aqguz, kl co tukrz dhza, li pheuf wfs ywub Coikavmrtv, shz tb vawvvjg fys Ghgals sut lbaie ldbuek uwwqrvzh. — Aupn jsm xert cpe cgvayjt faoneegpuy kf gnnae Pungheef; gwl shij am joj zqm nrigkmetl cqqcu iqfmprnowa tuko li wlgka bhrot xinmrx Bgsgkok ib Gbbnznzkpl. Nde uobboee qx nde cxnaeaz Mahc os Mamag Htanwia ob i hvyvglu os xnxenzgv cjjhxrms ntf mmqrcgcqoay, cdf daiowo ia jkjyyt bhsmcg zjw yotnhuqsusgfn kf nt jjsbrwly Pyegwvy bbgj ndefk Bbagku. Li lrbbn bhvy, nwn Bapzb je fadecptrj cw a pgpvcz wbxul.

Hr nck lafhynl hvy Ckmang zx Tajy, vzy iofz fpoykugga aaj wmcryuslu fbx cpe caddcy gbum.

Pe ugu xinbvjmmn uou Yireetxzs gu rsmo Lncb wf vsowxeagk jvd cxgkment ovxoezcfwa, uarnas fauhyjdrj rv tukkj ileegcqoa zkdf dif Gbaeaz uziqlq hn wbggkfyz; aaj fpea yq kooprtmmd, uk jsm qtgkaty akidyytrj cw agzgfx po gnnu.

Hr nck lafhynl tb vckm ktuka Tajy hgl phr glkozsqvupibt xn lnxiw xesgxrktf uh hykpyk, dvlryu lbksr vnwpyk ygohd ekuqndakkb phr xrohg uh Jylrrynvtnzkgh en gnn Tetoudupuek, j zitnv ahasgovibyk vg ndez gwl fbxoaxwbyk cw tlxcfno oarh.

Pe ugu uuhlrj cwgrzjwl hetobtagoxw vkdvkb it crcuyo uaabcay, apuiifbxcibyk, cfx zifzjvt sxqe nde qkywsvzqjs kf gnnqr Caddcy Rrixzdf, lqj nde fuum phxrgma os ljbitakfa phrs rvtb iqejhintlm wvzj zco mrgbcrry.

Jw bws qobaoybgv Lapekbmnggvapa Hbabms ekrwupeqrh, noe urhioiam fqtu scffu fvxvvefy jam enigbqoay qf nde eopptf uh lba pruyte.

Uk jsm nesabmd sut s fknt zrue, nlvwl oupn mqsfunmneoay, cw cnauw iphrxb bo ok gdyytrj, fpeekdq nde Ykpqsygvapa Pbcnzs, vtesjwbyk xn Aatkzchagoxv, hnbg jypuetnl tb zjw Jaocrn it ygtyy boe zqmie kzwlyifk; cpe Fzcly nezgrviam kf nde zkjv tvsg wrlofkm bo nrn lba dntpmrf uh ahrafoxv feuo ocphbac, inq iqfpqlfoxvs jovzcj.

Hr nja eajgspkuekm bo cxgnyjt gnn xocansneoa uo bhryg Knwtry; owr gncl jqrcubm ooyvjoytvtp bhr Rcom boe Tjbuegnatwtvuw wf Sutwccnrxb; zesauahc tb vjas bzjwlo tb kwkohxcyy phroa uitxclcknf nrbhrx, cfx navyrvg gng uijdvzrwnf uh fys Acvawpeoclcknf uo Taaju.

Zy daf ukateaelyz tuk Jlmvtkknnagoxv os Pwknecr hh zesauahc hvy Jasrtv li Hajy owr ryvsvhifnrvg Wafaweaee Ywwrxu.

Zy daf sjle Wafyyo drvnvdrtv gh dif Crtl nrqfy boe zqm trtwjy kf gnnqr blhawas, ntm bhr gogojt ntm xalsgfn kf gnnqr fgnsleef.

luig vy cxwpf{Jnxwobuqg_O_Cogiqi!}

Hr nck ynepznl a zanlcpuqk xn Nrc Qxzecry, jvd fkpl betuka awnxok ib Oslrkeey vg bwrnyb wue vggjhe ntm mag uwl ndevx bcbfzcfwa.

Hr nja krvv sgknt ab, qn goowm kf ckjke, Fzcfxent Gauiry yandohz cpe Pupkyjt bl xcr ykiamhagaams.

Uk jsm wfsklbeq zq jyjdrx cpe Zonanwrl owleckpvyjt bl jvd farwleoe zx bhr Iknch Pbcnz.

Hr nck wkmoowmd jovz iphrxb bo fadbyyt hy cw a watamzipzrwn sutwccn gu xcr pupknethzrwn, ntf mhwcxtxelrjiwx xy baa tajy; iapent nra Afygfn po gnnqr Nivk ib pekcmnqkf Dycifrjbibt:

Hgl munxcmrvti dungr hxliry qx unmrj czobvu sgknt ab:

Noe vtgnacgowo tuko, ts w mbit Brvgn xlkm cawqsusgfn boe gwg Mhxfwlo wuolp tuka kbkuyj lwmzov gh phr Owpaoovshps bl cpefk Ulupef:

Lxz chzvahc osl xcr Gxcvy sign jtl cgtlm kf gnn eoerf:

Xin izvxaiam Vsras bt da wvzjgop ohx Lwnfkpl:

Zkr qkyziiopy oo ia sjvy pguwm, kf gnn jeakhan kf Gxril oe Lmlu:

Fbx czaayrglpiam da breqfx Oeny cw br ztayz fbx yzegkpvyz oslnvcry:

Hgl wbbrrahvti lba fekn Ayfzge ib Eamuqsu Rcom en n tnqguhqmlent Vawvvtew, yotnhuqsuopy ndeekrv aa Gttcprnxh ooiktfgang, gwl earcjaent oca Bbapvuniry bw af zq jyjdrx rb ag upuy wn rdjupyk cfx big owateaowhp fbx rvteufmwent zqm snsg svooyacm rhrg ahpo gnnae Pungheef

Lxz tnqkfa wwne xcr Pncjnarf, gkwlvyjahc ohx vwsg bcdowbyk Uiwf gpv uhtrxrvg sapvuieazjtll zjw Zkrzy xn ohx Igparasnvtf:

Lqj mqsckwliam qml kwa Rnoifrclonef, gwl drinslent zqmmfknnyo iabnatrj yand pbcnz tb rgycolnzn noe au ah wly ijaef cjsnoorbnz.

Hr nck uxdvijbeq Mqnynnzkwb hrxg, ts zeprjziam wk iqt bl qqs Cxqlyytvuw inq ccycjg Jga ignopkn qs.

Uk qis crwfxarrj xcr fkck, lwvnmnl ohx eguotf, hdzng uwj nkway, jvd qkullkyrj cpe yoxwm kf baa xebvnw.

Ba if gc bhvy vaga tegwapbxvahc lnxpm Aeskwm kf suamitt Owlyeagaqef zq uiipykjb tuk yglgs bl mmagn, fwmklnzrwn, ntf lsnaath, ilekcvs xetaw eign ealyuzycinpku gz Yrhkuby & Cktxczy fijzcrra hunayrnteq op lba mbyc jaehcjiqs nmna, aaj vgnwlye dvwbxvzs phr Nnid bl c ucriyoimd agvaij.

Hr nja cbtullwiakm wue lgdfkw Pocqzrtu lugea Ijxtvbg gh phr nroh Fkck nk brga Irzy cyuenfz cpevx Egojtee, cw briqey phr kgmchzkgharf uo bhrot xleeajb inq Htwndrrt, xz tb lcdf phrsbmliku ts phroa Paaju.

Zy daf kgkigkf viiefzrk iaywjlacgoxvs nsqfaot hy, jvd ugu whzenbxcrrj vg vniam xv tuk kfbwbvzjvtf uh gon feuwbirxu, lba mrxlqlryu Ahzint Bivnmgk qdofk tvojt tmfa os cjzfnxg, am wn htmqsgopyoesukm lefztmwpibt xn ayr cyyo, srdna aaj eghzigoxvs.

Vt gnyny fzjoe bl vzyoe Bvyzefykgho Wr njde Ckvaneoakm noe Xgvlasf ow bhr sqkn duzhum trxok: Iqr ekymagkf Hypigoxvs ugxw vaea gwawrxgv ijll hh zeckclyz iapdzy. N Vtahye, jnxae pncjuytrx ra tuau eunkrj kg eiktq uyt jnrkh zga vybiak j Byegpl, co ualrb tb hg lba rhrnz os g hjya pruyte.

Aut zure Jk kmea ccfnent ow itgkplcknf zx wue Htanesu hamtuxgf. Qa hnbn eaetgv ndez lawm goow nk tvsn wf nzvwgltf hh bhrot dycifrjbuek vg yttrtm in htyslnaazjjlr pwjcodvicqoa uxwl qs. Jk qivr xgecjdrj cpez uh lba cvxlcmfzcfwas bl xcr rskylwtvuw inq yglnhezkwb hrxg. Oy daik jxprgnwx po gnnqr agvapa jhycqcr gpv gwgagwqmvza, shz wr njde pupboneq zqmm oe vzy piry xn ohx eggioa qrvdekf li zifgeww gngky qshxyitvupk, qdipn fwuyj kfyriggkty vtvwlnucz xcr pupfyytvuwa aaj eglnefvxvdrtew. Ndel zxw hnbg tyan qkjn tb zjw pkipk xn jhyvawa aaj xn cbtushcuvtrby. Jk ommp, tukamfbxg, swmuvkbke vt vzy jepkbaige, yzcyh qkwwuaigk iqr Fkyirnzkgh, wnq nxtd gnge, uo wr nxtd gng jyot bl vinxopv, Yjezona ia Ccj, cj Prglm Feogfxo.

Wr, zqmrrlqjy, phr Xnxrrygfnwtvbna os zjw ojigkm Atnzgk ib Azkaqcn, op Yyjeegu Koamtwmo, Afynubykf, sjlenrrvg gu vzy Oucxnue Wafyy kf gnn eoerf xin tuk amcgovmxa os udz iazgfneoay, mw, ia zjw Hwmr, gwl bl Gwlbkrvzh wf gng yikd Ckxxlr uh lbasr Ixtoaogk, mklrswty caddcoh ntm leprcjy, Phnz cpefk wfcpeq Ixtoaogk une, ntm wf Eoizn kutnc bo ok Hjya aaj Rvdrvgfxang Ycitry, vzup tukh irr Gdkihvrj ozoz gnd Uhlrmrinpk vg nde Oxrbifn Ejisn, ntm bhnz cdf loyocqcnr eghjepzrwn okvoyan gnnu aaj vzy Otnzn wf Txgsn Xrvzjqn, vy cfx kutnc bo ok vgnwlye mqsfunnyz; aaj cpag gu Xlae ntm Qnqkrwhzeaz Bbagku, lbay ugem fhrn Hisee zx teie Ysl, yoaiucdr Vgswa, cbtczapz Cdfeaaina, efzctfesu Ixumrxew, ujd gu mw ayr qlbar Nica aaj Vzcjgf cqqcu Opvyleajnvt Fzclyo mne xn rvmjl xk. — Aaj owr gng kolpbxc wf gnkk Xacygaitvup, ocph n lrzm eknaujcr uw bhr vtgnacgoxv os Jkncje Cxxdiqkpuy, se zaccayra hfadtk cw enij gndee udz Lvbgk, iqr Suabuaku, shz ohx bicekf Zijoe.

Encode.c:

#include 
#include 
#include 

int main()
{
freopen("flag.txt","r",stdin);
freopen("flag_encode.txt","w",stdout);
char key[] = /*SADLY SAYING! Key is eaten by Monster!*/;
int len = strlen(key);
char ch;
int index = 0;
while((ch = getchar()) != EOF){
if(ch>='a'&&ch<='z'){
putchar((ch-'a'+key[index%len]-'a')%26+'a');
++index;
}else if(ch>='A'&&ch<='Z'){
putchar((ch-'A'+key[index%len]-'a')%26+'A');
++index;
}else{
putchar(ch);
}
}
return 0;
}

这个有在线的暴力解密工具

is only base?

题目:

1 2	SWZxWl=F=DQef0hlEiSUIVh9ESCcMFS9NF2NXFzM 今年是本世纪的第23年呢

key是23

W型栅栏
BASE64
凯撒密码
#NSSCTF{LeT_Us_H4V3_fU0!!!!!}

childRSA

题目:

from random import choice
from Crypto.Util.number import isPrime, sieve_base as primes
from flag import flag


def getPrime(bits):
    while True:
        n = 2
        while n.bit_length() < bits:
            n *= choice(primes)
        if isPrime(n + 1):
            return n + 1

e = 0x10001
m = int.from_bytes(flag.encode(), 'big')
p, q = [getPrime(2048) for _ in range(2)]
n = p * q
c = pow(m, e, n)

# n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
# c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108

这里我们发现素数的生成和以前的题目不一样，它是通过choice在prime中随机选取再做累积得来的，简言之就是我们得到了$p = p_1p_2p_3…p_n + 1$这样形式的素数。

这样的数被称为光滑数：当一个数的最大素因子组不大于$x$时，称其为$x$-光滑数，例如$12=2^2×3$，可称它为4-光滑数（因$2^2$是最大的素因子组）。这里可称$p$为$p$-光滑数（$p$本身是素数），但$p - 1$包含许多小素因子，假设$p - 1$为$k$-光滑数，则有数$M$满足：

$M = \prod_{i} p_i^{\log_{p_i} k}$

显然有：

$(p - 1)|M$

因为$M$中包含了$p - 1$中的每一个素因子组，那么有：

$\gcd(M,n) = p$

所以我们只需要得到$M$就能求解$p$，但如何得到$M$呢？
这里要用到$Pollard’s\ p - 1$分解算法。

我们设$M = s \times (p - 1)$，根据费马小定理有：

$a^M \equiv 1 \pmod{p}$

因为$p - 1$为$k$-光滑数，所以有：

$M|k!$

因此有：

$\gcd(a^{k!} - 1, n) = p$

由于$p - 1$包含的素因子都较小，$k$也较小，只需遍历所有的$a^x - 1$与$n$求$\gcd$即可找到$p$。

exp:

def pollard(N):
    a = 2
    n = 2
    while True:
        a = powmod(a, n, N)
        p = gcd(a-1, N)
        if p != 1 and p != N:
            return p
        n += 1

n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
e = 0x10001

p = pollard(n)
q = n // p
d = invert(e, (p-1)*(q-1))
print(long_to_bytes(powmod(c, d, n)))
#NCTF{Th3r3_ar3_1ns3cure_RSA_m0duli_7hat_at_f1rst_gl4nce_appe4r_t0_be_s3cur3}

Crazy_Rsa_Tech

chall.py:

from Crypto.Util.number import *
from Crypto.Util.Padding import *

FLAG = bytes_to_long(pad(b"flag{??????}",64))
def init_key():
    p, q = getPrime(512), getPrime(512)
    n = p*q
    e = 9
    while(GCD((p-1)*(q-1),e)!=1):
        p, q = getPrime(512), getPrime(512)
        n = p*q
    d = inverse(e,(p-1)*(q-1))
    return n,e,d

n_list=list()
c_list=list()
for i in range(9):
    N,e,d=init_key()
    n_list.append(N)
    c=pow(FLAG,e,N)
    c_list.append(pow(FLAG,e,N))
    assert(pow(c,d,N)==FLAG)
print("n_list:",n_list)
print("c_list:",c_list)

output:

1
2

n_list: [71189786319102608575263218254922479901008514616376166401353025325668690465852130559783959409002115897148828732231478529655075366072137059589917001875303598680931962384468363842379833044123189276199264340224973914079447846845897807085694711541719515881377391200011269924562049643835131619086349617062034608799, 92503831027754984321994282254005318198418454777812045042619263533423066848097985191386666241913483806726751133691867010696758828674382946375162423033994046273252417389169779506788545647848951018539441971140081528915876529645525880324658212147388232683347292192795975558548712504744297104487514691170935149949, 100993952830138414466948640139083231443558390127247779484027818354177479632421980458019929149817002579508423291678953554090956334137167905685261724759487245658147039684536216616744746196651390112540237050493468689520465897258378216693418610879245129435268327315158194612110422630337395790254881602124839071919, 59138293747457431012165762343997972673625934330232909935732464725128776212729547237438509546925172847581735769773563840639187946741161318153031173864953372796950422229629824699580131369991913883136821374596762214064774480548532035315344368010507644630655604478651898097886873485265848973185431559958627423847, 66827868958054485359731420968595906328820823695638132426084478524423658597714990545142120448668257273436546456116147999073797943388584861050133103137697812149742551913704341990467090049650721713913812069904136198912314243175309387952328961054617877059134151915723594900209641163321839502908705301293546584147, 120940513339890268554625391482989102665030083707530690312336379356969219966820079510946652021721814016286307318930536030308296265425674637215009052078834615196224917417698019787514831973471113022781129000531459800329018133248426080717653298100515701379374786486337920294380753805825328119757649844054966712377, 72186594495190221129349814154999705524005203343018940547856004977368023856950836974465616291478257156860734574686154136925776069045232149725101769594505766718123155028300703627531567850035682448632166309129911061492630709698934310123778699316856399909549674138453085885820110724923723830686564968967391721281, 69105037583161467265649176715175579387938714721653281201847973223975467813529036844308693237404592381480367515044829190066606146105800243199497182114398931410844901178842049915914390117503986044951461783780327749665912369177733246873697481544777183820939967036346862056795919812693669387731294595126647751951, 76194219445824867986050004226602973283400885106636660263597964027139613163638212828932901192009131346530898961165310615466747046710743013409318156266326090650584190382130795884514074647833949281109675170830565650006906028402714868781834693473191228256626654011772428115359653448111208831188721505467497494581]
c_list: [62580922178008480377006528793506649089253164524883696044759651305970802215270721223149734532870729533611357047595181907404222690394917605617029675103788705320032707977225447998111744887898039756375876685711148857676502670812333076878964148863713993853526715855758799502735753454247721711366497722251078739585, 46186240819076690248235492196228128599822002268014359444368898414937734806009161030424589993541799877081745454934484263188270879142125136786221625234555265815513136730416539407710862948861531339065039071959576035606192732936477944770308784472646015244527805057990939765708793705044236665364664490419874206900, 85756449024868529058704599481168414715291172247059370174556127800630896693021701121075838517372920466708826412897794900729896389468152213884232173410022054605870785910461728567377769960823103334874807744107855490558726013068890632637193410610478514663078901021307258078678427928255699031215654693270240640198, 14388767329946097216670270960679686032536707277732968784379505904021622612991917314721678940833050736745004078559116326396233622519356703639737886289595860359630019239654690312132039876082685046329079266785042428947147658321799501605837784127004536996628492065409017175037161261039765340032473048737319069656, 1143736792108232890306863524988028098730927600066491485326214420279375304665896453544100447027809433141790331191324806205845009336228331138326163746853197990596700523328423791764843694671580875538251166864957646807184041817863314204516355683663859246677105132100377322669627893863885482167305919925159944839, 2978800921927631161807562509445310353414810029862911925227583943849942080514132963605492727604495513988707849133045851539412276254555228149742924149242124724864770049898278052042163392380895275970574317984638058768854065506927848951716677514095183559625442889028813635385408810698294574175092159389388091981, 16200944263352278316040095503540249310705602580329203494665614035841657418101517016718103326928336623132935178377208651067093136976383774189554806135146237406248538919915426183225265103769259990252162411307338473817114996409705345401251435268136647166395894099897737607312110866874944619080871831772376466376, 31551601425575677138046998360378916515711528548963089502535903329268089950335615563205720969393649713416910860593823506545030969355111753902391336139384464585775439245735448030993755229554555004154084649002801255396359097917380427525820249562148313977941413268787799534165652742114031759562268691233834820996, 25288164985739570635307839193110091356864302148147148153228604718807817833935053919412276187989509493755136905193728864674684139319708358686431424793278248263545370628718355096523088238513079652226028236137381367215156975121794485995030822902933639803569133458328681148758392333073624280222354763268512333515]

我们会发现有 $c_i \equiv m^e \pmod{n_i}$

如果我们把$m^e$看成一个整体，那么问题就变成了给你一个数取不同的模数的余数问你这个数是多少，这类问题我们可以用中国剩余定理(CRT)解决。

$m^e \equiv \sum_{i=1}^{n} c_i t_i M_i \pmod{N}$

其中

$\begin{align*}N &= n_1 n_2 \dots n_n \\M_i &= N / n_i \\M_i t_i &\equiv 1 \pmod{n_i}\end{align*}$

这样我们就得到了$m^e$再开个e次幂即可

exp:

n_list = [
   71189786319102608575263218254922479901008514616376166401353025325668690465852130559783959409002115897148828732231478529655075366072137059589917001875303598680931962384468363842379833044123189276199264340224973914079447846845897807085694711541719515881377391200011269924562049643835131619086349617062034608799,
   92503831027754984321994282254005318198418454777812045042619263533423066848097985191386666241913483806726751133691867010696758828674382946375162423033994046273252417389169779506788545647848951018539441971140081528915876529645525880324658212147388232683347292192795975558548712504744297104487514691170935149949,
   100993952830138414466948640139083231443558390127247779484027818354177479632421980458019929149817002579508423291678953554090956334137167905685261724759487245658147039684536216616744746196651390112540237050493468689520465897258378216693418610879245129435268327315158194612110422630337395790254881602124839071919,
   59138293747457431012165762343997972673625934330232909935732464725128776212729547237438509546925172847581735769773563840639187946741161318153031173864953372796950422229629824699580131369991913883136821374596762214064774480548532035315344368010507644630655604478651898097886873485265848973185431559958627423847,
   66827868958054485359731420968595906328820823695638132426084478524423658597714990545142120448668257273436546456116147999073797943388584861050133103137697812149742551913704341990467090049650721713913812069904136198912314243175309387952328961054617877059134151915723594900209641163321839502908705301293546584147,
   120940513339890268554625391482989102665030083707530690312336379356969219966820079510946652021721814016286307318930536030308296265425674637215009052078834615196224917417698019787514831973471113022781129000531459800329018133248426080717653298100515701379374786486337920294380753805825328119757649844054966712377,
   72186594495190221129349814154999705524005203343018940547856004977368023856950836974465616291478257156860734574686154136925776069045232149725101769594505766718123155028300703627531567850035682448632166309129911061492630709698934310123778699316856399909549674138453085885820110724923723830686564968967391721281,
   69105037583161467265649176715175579387938714721653281201847973223975467813529036844308693237404592381480367515044829190066606146105800243199497182114398931410844901178842049915914390117503986044951461783780327749665912369177733246873697481544777183820939967036346862056795919812693669387731294595126647751951,
   76194219445824867986050004226602973283400885106636660263597964027139613163638212828932901192009131346530898961165310615466747046710743013409318156266326090650584190382130795884514074647833949281109675170830565650006906028402714868781834693473191228256626654011772428115359653448111208831188721505467497494581]
c_list = [
   62580922178008480377006528793506649089253164524883696044759651305970802215270721223149734532870729533611357047595181907404222690394917605617029675103788705320032707977225447998111744887898039756375876685711148857676502670812333076878964148863713993853526715855758799502735753454247721711366497722251078739585,
   46186240819076690248235492196228128599822002268014359444368898414937734806009161030424589993541799877081745454934484263188270879142125136786221625234555265815513136730416539407710862948861531339065039071959576035606192732936477944770308784472646015244527805057990939765708793705044236665364664490419874206900,
   85756449024868529058704599481168414715291172247059370174556127800630896693021701121075838517372920466708826412897794900729896389468152213884232173410022054605870785910461728567377769960823103334874807744107855490558726013068890632637193410610478514663078901021307258078678427928255699031215654693270240640198,
   14388767329946097216670270960679686032536707277732968784379505904021622612991917314721678940833050736745004078559116326396233622519356703639737886289595860359630019239654690312132039876082685046329079266785042428947147658321799501605837784127004536996628492065409017175037161261039765340032473048737319069656,
   1143736792108232890306863524988028098730927600066491485326214420279375304665896453544100447027809433141790331191324806205845009336228331138326163746853197990596700523328423791764843694671580875538251166864957646807184041817863314204516355683663859246677105132100377322669627893863885482167305919925159944839,
   2978800921927631161807562509445310353414810029862911925227583943849942080514132963605492727604495513988707849133045851539412276254555228149742924149242124724864770049898278052042163392380895275970574317984638058768854065506927848951716677514095183559625442889028813635385408810698294574175092159389388091981,
   16200944263352278316040095503540249310705602580329203494665614035841657418101517016718103326928336623132935178377208651067093136976383774189554806135146237406248538919915426183225265103769259990252162411307338473817114996409705345401251435268136647166395894099897737607312110866874944619080871831772376466376,
   31551601425575677138046998360378916515711528548963089502535903329268089950335615563205720969393649713416910860593823506545030969355111753902391336139384464585775439245735448030993755229554555004154084649002801255396359097917380427525820249562148313977941413268787799534165652742114031759562268691233834820996,
   25288164985739570635307839193110091356864302148147148153228604718807817833935053919412276187989509493755136905193728864674684139319708358686431424793278248263545370628718355096523088238513079652226028236137381367215156975121794485995030822902933639803569133458328681148758392333073624280222354763268512333515]
n = 1
for i in n_list:
   n = n * i

n_ = []
for i in n_list:
   n_.append(n // i)

t = []
for i in range(9):
   t.append(inverse(n_[i], n_list[i]))

x = 0
for i in range(len(n_list)):
   x = c_list[i] * n_[i] * t[i] + x
x = x % n
print(x)
x = iroot(x, 9)[0]
print(long_to_bytes(x))
flag{H0w_Fun_13_HAstads_broadca5t_AtTack!}

factordb (中级)和yafu (中级)

题目：
factordb:

1
2
3

e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708

yafu:

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
n  = 1
for i in range(15):
    n *=getPrime(32)
e = 65537
c = pow(m,e,n)
print(f'n = {n}')
print(f'c = {c}')
'''
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
'''

这个就没啥说的题目啥也没给的时候就尝试用factordb直接分解一下试试
yafu是生成n的素数差距很大或很小可是用它试试
可以去bilibili上找一下风二西的工具里面就有
exp:

#factordb
e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
d = inverse(e, n - p - q + 1)
print(long_to_bytes(powmod(c,d,n)))
#LitCTF{factordb!!!}

#yafu

primes = [
    2201440207,
    2719600579,
    4044505687,
    2758708999,
    2923522073,
    3989697563,
    3355651511,
    2151018733,
    4021078331,
    2315495107,
    2906576131,
    2767137487,
    2585574697,
    3354884521,
    4171911923
]

c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
e = 65537
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307

phi_factors = [p - 1 for p in primes]
phi = 1
for factor in phi_factors:
    phi *= factor
d = inverse(e, phi)
print(long_to_bytes(powmod(c, d, n)))
#LitCTF{Mu1tiple_3m4ll_prim5_fac7ors_@re_uns4f5}

e的学问

题目:

from Crypto.Util.number import *
m=bytes_to_long(b'xxxxxx')
p=getPrime(256)
q=getPrime(256)
e=74
n=p*q
c=pow(m,e,n)
print("p=",p)
print("q=",q)
print("c=",c)
#p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
#q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
#c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123

直接解RSA会发现( d )不存在，因为这里( e )和( \phi )并不互素，此时：

计算( t = \gcd(e, \phi) )，则有：

$c \equiv (m^t)^{\frac{e}{t}} \pmod{n}$

把( m^t )当作整体，找到( d’ )得到( m^t )，再开( t )次幂就能得到( m )。

exp:

p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123
e = 74
n = p*q
phi = (p-1)*(q-1)
t = gcd(e, phi)
d = inverse(e // t, phi)
print(long_to_bytes(iroot(powmod(c, d, n), t)[0]))
#LitCTF{e_1s_n0t_@_Prime}

2025-2th-parloo-crypto-wp

2025-05-23T06:45:00.000Z

RSA_Quartic_Quandary

$\begin{align}s &= p^4 + q^4 \\\\p + q &= \sqrt{\sqrt{(p^2 + q^2)^2} + 2 \cdot p \cdot q} \\&= \sqrt{\sqrt{p^4 + q^4 + 2 \cdot p^2 \cdot q^2} + 2 \cdot p \cdot q} \\&= \sqrt{\sqrt{s + 2 \cdot n^2} + 2 \cdot n} \\\\\phi &= n - (p + q) + 1\end{align}$

exp:

#python
from Crypto.Util.number import *
from gmpy2 import *

n = 125997816345753096048865891139073286898143461169514858050232837657906289840897974068391106608902082960171083817785532702158298589600947834699494234633846206712414663927142998976208173208829799860130354978308649020815886262453865196867390105038666506017720712272359417586671917060323891124382072599746305448903
e = 65537
c = 16076213508704830809521504161524867240789661063230251272973700316524961511842110066547743812160813341691286895800830395413052502516451815705610447484880112548934311914559776633140762863945819054432492392315491109745915225117227073045171062365772401296382778452901831550773993089344837645958797206220200272941
s = 35935569267272146368441512592153486419244649035623643902985220815940198358146024590300394059909370115858091217597774010493938674472746828352595432824315405933241792789402041405932624651226442192749572918686958461029988244396875361295785103356745756304497466567342796329331150560777052588294638069488836419744297241409127729615544668547101580333420563318486256358906310909703237944327684178950282413703357020770127158209107658407007489563388980582632159120621869165333921661377997970334407786581024278698231418756106787058054355713472306409772260619117725561889350862414726861327985706773512963177174611689685575805282

p_q = iroot(iroot((s + 2 * n ** 2), 2)[0] + 2 * n, 2)[0]
phi = n - p_q + 1
d = inverse(e, phi)
print(long_to_bytes(powmod(c, d, n)))

欧几里得

Paillier加密的加法同态性：

$\begin{align}\text{Decrypt}(\text{Encrypt}(m_1) \cdot \text{Encrypt}(m_2)) &= m_1 + m_2 \mod n \\m_1 &= \text{Decrypt}(c_1 \cdot c_2) - m_2 \mod n\end{align}$

攻击条件：

$m_2 = \text{bytes_to_long}(\text{os.urandom}(2) \times 35)$
$\text{os.urandom}(2) \in [0, 65535]$，可爆破获取$m_2$

模数处理：

因$m_1$和$m_2$较小不溢出,所以有没有$n$的差别只在负数上，处理一下负数情况不报错就行

exp:

#python
from Crypto.Util.number import *
from tqdm import *

c = 1426774899479339414711783875769670405758108494041927642533743607154735397076811133205075799614352194241060726689487117802867974494099614371033282640015883625484033889861

for i in trange(65536):
    byte_pair = i.to_bytes(2, 'big')
    repeated_bytes = byte_pair * 35
    m2 = bytes_to_long(repeated_bytes)
    m = abs(c - m2)
    if b'palu' in long_to_bytes(m):
        print(long_to_bytes(m))

易如反掌

给定4组RSA参数 $(N_i, E_i)$，其中：

$N_i = p_i \times q_i$（$p_i, q_i$ 为1024位素数）
$\Phi_i = (p_i^2 - 1)(q_i^2 - 1)$
$E_i \equiv d^{-1} \mod \Phi_i$（$d$ 为固定的800位素数）

由于$\Phi_i \approx N_i^2$，可构建方程：

$d \cdot E_i - k_i \cdot N_i^2 = 1$

选择放大系数 $M = 2^{1000}$，构造：

$L = \begin{bmatrix}M & E_0 & E_1 & E_2 & E_3 \\0 & -N_0^2 & 0 & 0 & 0 \\0 & 0 & -N_1^2 & 0 & 0 \\0 & 0 & 0 & -N_2^2 & 0 \\0 & 0 & 0 & 0 & -N_3^2 \\\end{bmatrix}$

exp:

# sage

from gmpy2 import *
from Crypto.Util.number import *
import hashlib

N = [23796646026878116589547283793150995927866567938335548416869023482791889761195291718895745055959853934513618760888513821480917766191633897946306199721200583177442944168533218236080466338723721813833112934172813408785753690869328477108925253250272864647989241887047368829689684698870160049332949549671046125158024445929082758264311584669347802324514633164611600348485747482925940752960745308927584754759033237553398957651216385369140164712159020014009858771182426893515016507774993840721603911101735647966838456333878426803669855790758035721418868768618171692143354466457771363078719423863861881209003100274869680348729, 19552522218179875003847447592795537408210008360038264050591506858077823059915495579150792312404199675077331435544143983146080988327453540449160493126531689234464110427289951139790715136775261122038034076109559997394039408007831367922647325571759843192843854522333120187643778356206039403073606561618190519937691323868253954852564110558105862497499849080112804340364976236598384571278659796189204447521325485338769935361453819608921520780103184296098278610439625935404967972315908808657494638735904210709873823527111315139018387713381604550946445856087746716671838144925662314348628830687634437271225081272705532826343, 20588310030910623387356293638800302031856407530120841616298227518984893505166480372963166394317326422544430837759332223527939420321960057410073228508230111170414845403161052128790464277007579491219950440477721075788978767309211469555824310913593208232853272958011299985202799390532181335087622499894389777412111445377637396650710486263652440053717323053536700098339137819966260269752816515681602936416736576044630343136577023173210517247609888936337876211461528203642347119434700140264859102502126842250671976238033270367185358966766106988830596616311824691409766437473419074865115209866730272194297815209976737570183, 18468380817178794606027384089796802449939260582378979728469492439450780893746976934315768186829245395964644992296264093276556001477514083927556578752836255491334765496791841945178275793885002188397918857222419803612711637177559554489679414049308077300718317502586411333302434329130562745942681716547306138457088216901181646333860559988117376012816579422902808478175975263110581667936249474308868051767856694498210084853797453949193117835061402537058150493808371384063278793041752943930928932275052745657700368980150842377283198946138726219378646040515809994704174471793592322237777371900834531014326150160506449286179]
E = [229904181453273080302209653709086531153804577507365859149808244958841045687064628362978517491609413507875726243121473678430010600891588643092042173698830147997497783886459583186019270582236955524620567373560535686287255124958954671737097645556109314142383275516997850786599322033792080045303427363366927030304214333894247469120513426641296678531965795930756543043851154646310114366477311633838078242963665452936523438928643273392454483600446242320078010627755587492056369779661382734170244060951095344418599686788550312205964136120979823565225768814898285224838691541122088693411388097496320157113230752327025862802020421665288007529320920942060329299409362236414929126050037144149017275031336018100081931062647888329912802477032857776085190828105602067426203163344931483638271679183910241511044338001446584634203146294743522375846913845041274967653508735863706778364499099286484552570083394223973734909997825522191349543295855925973354640349809770822075226834555111927586299176453943116511915434890643239957459427390624136283086434711471863737451011157026905191204496081860277138227247744470804087252965368757930797560277881668806206419629425126031049566579233056222579590529869798537893505779097868221221068867624660759084762471141, 374749619911728044650812367560174497001343067563440477135516664935394734686391543012901514676044211541958613458868769659861216149364768233000844624035620893309356372294598009760824255187442531508754966566917198975934706398309982525100772311586501118200858124845012643495006029930202324305874402291277845166060497038915773767003006049720519011634861166208163030159519901867416488082395270295488885724507937683469910251316231210838654273986152493722244271430422693265608430755620420680629979226285393465423870727975987787149515374769359243334743541460110042872587610309611770320600248289328406805995688596910226273861759369388105641549933915686192055533242723330981192183310876306968103333706140401422550917946410378174896274789619184565321544130428008804628699594759946577979319393247067750024729672029363433673084437510430506410293512293930056667971242862448029841846596288648691077795207341975907335202945548990662460491169957175452745622341245617265849042542964819126377775749222973138584978725470886059043251544634105653274564085280013340679259157119014619894553239015777411757887293044706448625760604242512494466386343040583010961386979963779928616733980046763291988848903515836247301007113187121999960487508948748354549628160741, 111738429639840672983162926852338651562094139707285850255632987705635459657893186493838711733560515475806567653354737245246745810892238414756414117557971683747269900627524702653772058841085258035513296218047505149691384287812041721130367506731427022265277885965948486359682023555050085264531256406043361391744086539522028829421284667293339869140564699750714145488199268791908205712660933607330454849730499840287271163350865799682565216636393526339218836244889719975150503253630419647851422620890082315396457329065508602521784001607236788620811397449483104884860551374031790663030220424841642241965983726516537123807061999084476076850833658360594525986997125319941689903869138176347916707622148840226672408554102717625456819726220575710494929111642866840516339713870850732638906870325693572445316904688582043485093120585767903009745325497085286577015692005747499504730575062998090846463157669448943725039951120963375521054164657547731579771203443617489609201617736584055562887243883898406182052632245189418568410854530995044542628531851356363297989653392057214167031332353949367816700838296651167799441279086074308299608106786918676697564002641234952760724731325383088682051108589283162705846714876543662335188222683115878319143239781, 185935167438248768027713217055147583431480103445262049361952417166499278728434926508937684304985810617277398880507451351333771783039360671467147075085417403764439214700549777320094501151755362122677245586884124615115132430034242191429064710012407308619977881929109092467325180864745257810774684549914888829203014922855369708286801194645263982661023515570231007900615244109762444081806466412714045462184361892356485713147687194230341085490571821445962465385514845915484336766973332384198790601633964078447446832581798146300515184339036127604597014458389481920870330726947546808739829589808006774479656385317205167932706748974482578749055876192429032258189528408353619365693624106394913101463023497175917598944803733849984703912670992613579847331081015979121834040110652608301633876167262248103403520536210279949844194696898862249482809107840303473964914083996538912970715834110371196970613332286296427286356036576876121010776933023901744994067564045429384172315640135483480089769992730928266885675143187679290648773060781987273082229827156531141515679114580622348238382074084270808291251400949744720804368426414308355267344210055608246286737478682527960260877955900464059404976906697164610891962198768354924180929300959036213841843941]

M = 2^1000  
L = Matrix(ZZ, [
    [M, E[0], E[1], E[2], E[3]],
    [0, -N[0]^2, 0, 0, 0],
    [0, 0, -N[1]^2, 0, 0],
    [0, 0, 0, -N[2]^2, 0],
    [0, 0, 0, 0, -N[3]^2],
])

L = L.LLL()
for row in L:
    if row[0] % M == 0:
        d = abs(row[0] // M)
        if 1 < d < 2^800: 
            print("Found d:", d)
            flag = "palu{" + hashlib.md5(str(d).encode()).hexdigest() + "}"
            print(flag)
            break

循环锁链

这纯脑洞题，一开始傻了忘了flag头是palu，想到是循环异或了用flag试了一辈子也没试出来，加密逻辑很简单，就是第一位明文和第二位明文异或当作第一位密文，然后依次重复这个过程，最后一位明文和第一位明文异或是最后一位密文，根据已知的明文palu推回去即可：

exp:

#python

import sys

def decrypt(c: bytes, prefix: bytes) -> bytes:
    N = len(c)
    p = bytearray(N)
    L = len(prefix)
    p[:L] = prefix
    for i in range(N - 1):
        if i + 1 >= L:
            p[i + 1] = c[i] ^ p[i]
    return bytes(p)


with open('flag.enc', 'rb') as f:
    ciphertext = f.read()
    known_prefix = b"palu{"
    plaintext = decrypt(ciphertext, known_prefix)
    flag = plaintext.decode('utf-8')

print(flag)

星际广播站

题目描述：

1	这是使用flask框架编写的RSA广播的空间站系统，你有办法登录并解密密文吗

说实话一打开是一个web界面看傻了，查看源码发现：

function downloadAppFile(filename) {
          const iframe = document.createElement('iframe');
          iframe.style.display = 'none';
          document.body.appendChild(iframe);
          const downloadUrl = `/file/download?path=${encodeURIComponent(filename)}`;
          iframe.src = downloadUrl;
          
          setTimeout(() => {
          document.body.removeChild(iframe);
          }, 2000);
          }

很明显的任意文件下载漏洞，由于这是使用flask框架编写的，所以下载一下app.py文件看看:

1	downloadAppFile("app.py");

app.py:

import sqlite3
import os
import hashlib
from flask import Flask, render_template, request, redirect, url_for, session, flash, g,send_file, abort
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, getPrime
import string
from secret import flag    

app = Flask(__name__)
app.secret_key = os.urandom(24) # 用于 session 管理

# 修改数据库路径
# Ensure this line points to the data directory
DATABASE = 'data/users.db'
E = getPrime(7)
NUM_USERS = 128


# assert NUM_USERS >= E 
print(f"E: {E}")
FLAG = flag.encode('utf-8')

def get_db():
    db = getattr(g, '_database', None)
    if db is None:
        # Ensure the directory exists when connecting
        db_dir = os.path.dirname(DATABASE)
        if not os.path.exists(db_dir):
             os.makedirs(db_dir, exist_ok=True)
        db = g._database = sqlite3.connect(DATABASE)
        db.row_factory = sqlite3.Row # 让查询结果可以通过列名访问
    return db

@app.teardown_appcontext
def close_connection(exception):
    db = getattr(g, '_database', None)
    if db is not None:
        db.close()

import random
from gmssl import sm3, func 

def sm3_hash(data):
    """计算数据的 SM3 哈希值"""
    if isinstance(data, str):
        data = data.encode('utf-8')
    hash_bytes = sm3.sm3_hash(func.bytes_to_list(data))
    print(f"计算 {data} 的 SM3 哈希值为: {hash_bytes}")
    return hash_bytes

def generate_rsa_pair(message, e):
    """生成 RSA 公钥 N 和对应的密文 C"""
    key = RSA.generate(1024)
    n = key.n
    m_long = bytes_to_long(message)
    c = pow(m_long, e, n)
    return n, c

def init_db():
    """初始化数据库，创建表并填充用户数据"""
    db_path = os.path.join('/app', DATABASE) # 在容器内的绝对路径
    db_dir = os.path.dirname(db_path)
    os.makedirs(db_dir, exist_ok=True) # 确保容器内的目录存在

    # 检查数据库文件是否存在于容器内的预期路径
    if os.path.exists(db_path):
         print(f"数据库文件 {db_path} 已存在，跳过初始化。")
         # 即使文件存在，也要确保表结构是最新的
         # 可以考虑在这里添加检查表是否存在的逻辑，如果不存在则创建
         # return # 如果确定存在就跳过，否则继续执行建表逻辑

    print(f"初始化数据库 {db_path}...")
    with app.app_context():
        db = get_db()
        cursor = db.cursor()
        # 检查 users 表是否存在
        cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='users';")
        table_exists = cursor.fetchone()

        if not table_exists:
            print("创建 users 表...")
            cursor.execute('''
                CREATE TABLE users (
                    id INTEGER PRIMARY KEY AUTOINCREMENT,
                    username TEXT UNIQUE NOT NULL,
                    password_hash TEXT NOT NULL,
                    n TEXT NOT NULL -- 存储大整数 N
                )
            ''')
            db.commit() # 提交建表操作
        else:
            print("users 表已存在。")
            # 检查是否需要填充数据
            cursor.execute("SELECT COUNT(*) FROM users")
            user_count = cursor.fetchone()[0]
            if user_count >= NUM_USERS:
                print(f"数据库中已有 {user_count} 个用户，跳过填充。")
                return # 如果用户数量足够，则跳过填充

        # --- 填充用户数据的逻辑 ---
        print("开始填充用户数据...")
        generated_n_set = set()
        # 获取当前数据库中的用户数量
        cursor.execute("SELECT COUNT(*) FROM users")
        current_user_count = cursor.fetchone()[0]
        users_added_this_run = 0

        # 从 current_user_count + 1 开始生成用户，直到达到 NUM_USERS
        for i in range(current_user_count, NUM_USERS):
            username = str(i + 1)
            random.seed(username)

            characters = string.ascii_letters + string.digits
            password = "".join(random.choices(characters, k=6))
            password_hash = sm3_hash(password)

            n, c = None, None
            attempts = 0
            max_attempts = NUM_USERS * 5
            while attempts < max_attempts:
                n_candidate, c_candidate = generate_rsa_pair(FLAG, E)
                if n_candidate not in generated_n_set:
                    # 还需要检查数据库中是否已存在此 N
                    cursor.execute("SELECT 1 FROM users WHERE n = ?", (str(n_candidate),))
                    n_exists_in_db = cursor.fetchone()
                    if not n_exists_in_db:
                        n = n_candidate
                        c = c_candidate
                        generated_n_set.add(n)
                        break
                attempts += 1

            if n is None:
                print(f"警告：无法为用户 {username} 生成唯一的 N，已尝试 {max_attempts} 次。")
                continue

            try:
                cursor.execute("INSERT INTO users (username, password_hash, n) VALUES (?, ?, ?)",
                               (username, password_hash, str(n)))
                users_added_this_run += 1
                print(f"添加用户 {username} 到数据库。")
            except sqlite3.IntegrityError:
                print(f"用户名 {username} 已存在或 N 值冲突，跳过。")
            except Exception as e:
                print(f"添加用户 {username} 时出错: {e}")

        db.commit()
        print(f"数据库初始化/填充完成，本次运行添加了 {users_added_this_run} 个用户。")

@app.route('/')
def index():
    if 'username' in session:
        return redirect(url_for('dashboard'))
    return render_template('index.html') 

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password_hash_attempt = sm3_hash(request.form['password_hash'])
        db = get_db()
        cursor = db.cursor()
        cursor.execute("SELECT password_hash FROM users WHERE username = ?", (username,))
        user = cursor.fetchone()

        if  user and user['password_hash'] == password_hash_attempt:
            session['username'] = username
            flash('登录成功！', 'success')
            return redirect(url_for('dashboard'))
        else:
            flash('无效的用户名或密码。', 'error')
            return redirect(url_for('login')) 
    

    if 'username' in session:
        return redirect(url_for('dashboard')) 
    return render_template('index.html')

@app.route('/dashboard')
def dashboard():
    if 'username' not in session:
        flash('请先登录。', 'error')
        return redirect(url_for('login'))

    username = session['username']
    db = get_db()
    cursor = db.cursor()
    cursor.execute("SELECT n  FROM users WHERE username = ?", (username,))
    user_data = cursor.fetchone()

    if not user_data:
        # 用户在 session 中但数据库中找不到？异常情况
        session.pop('username', None)
        flash('发生错误，请重新登录。', 'error')
        return redirect(url_for('login'))

    n = user_data['n']
#     c = user_data['c']
    m = bytes_to_long(FLAG)
    c = str(pow(m, E, int(n)))
    return render_template('dashboard.html', username=username, n=n, c=c, e=E)

@app.route('/logout')
def logout():
    session.pop('username', None)
    flash('您已成功登出。', 'success')
    return redirect(url_for('login'))



@app.route('/file/download', methods=['GET'])
def download_file():
    path = request.args.get('path', '')
    
    if not path:
        return "Error: No path parameter provided", 400
    
    try:

        if not os.path.isabs(path):
            path = os.path.join(os.path.dirname(__file__), path)
        
        if not os.path.exists(path) or not os.path.isfile(path):
            return f"Error: File not found: {path}", 404

        return send_file(
            path,
            as_attachment=True,
            download_name=os.path.basename(path),
            mimetype='application/octet-stream'
        )
    
    except Exception as e:
        return f"Error: {str(e)}", 500


if __name__ == '__main__':
    init_db() # 启动时检查并初始化数据库
    app.run(host='0.0.0.0', port=8000, debug=True)

我们观察到有：

1	DATABASE = 'data/users.db'

和

username = str(i + 1)
            random.seed(username)

            characters = string.ascii_letters + string.digits
            password = "".join(random.choices(characters, k=6))

这里我们知道了数据库文件的位置可以获取到数据库文件，并且发现密码是由用户名作为种子使用random函数得来的，那么用户名固定密码就固定，这里我们就已知了密码。
下一下数据库文件：

1	downloadAppFile("data/users.db");

登录一下获取到了e为71，现在要做的就是读取数据库获取所有的n，登录e个用户获取到e个c进行低加密指数广播攻击即可

exp:

import random
import string
import requests
import re
import sqlite3
from typing import Dict, List, Tuple
from gmpy2 import iroot, invert
from Crypto.Util.number import long_to_bytes


def generate_password(username: str) -> str:
    """根据用户名生成密码"""
    random.seed(username)
    characters = string.ascii_letters + string.digits
    return ''.join(random.choices(characters, k=6))


def get_all_n_from_db(db_path: str) -> Dict[str, int]:
    """从本地数据库获取所有用户的n值"""
    try:
        with sqlite3.connect(db_path) as conn:
            cursor = conn.cursor()
            cursor.execute("SELECT username, n FROM users")
            return {row[0]: int(row[1]) for row in cursor.fetchall()}
    except sqlite3.Error as e:
        print(f"数据库错误: {e}")
        return {}


def collect_c_values(users: Dict[str, int], base_url: str) -> Dict[int, int]:
    """通过HTTP请求收集c值"""
    c_data = {}

    for username, n in users.items():
        password = generate_password(username)
        session = requests.Session()

        # 登录获取session
        try:
            login_resp = session.post(
                f"{base_url}/login",
                data={"username": username, "password_hash": password},
                allow_redirects=False,
                timeout=5
            )

            if login_resp.status_code != 302 or 'dashboard' not in login_resp.headers.get('Location', ''):
                print(f"[!] 用户 {username} 登录失败")
                continue
        except Exception as e:
            print(f"[!] 用户 {username} 登录请求异常: {str(e)}")
            continue

        # 获取dashboard页面
        try:
            dashboard_resp = session.get(f"{base_url}/dashboard", timeout=5)
            if dashboard_resp.status_code != 200:
                print(f"[!] 用户 {username} 访问dashboard失败")
                continue

            # 精确匹配c值
            c_match = re.search(r'(\d+)', dashboard_resp.text)
            if c_match:
                c_data[n] = int(c_match.group(1))
                print(f"[+] 成功获取用户 {username} 的 c={c_data[n]}")
            else:
                print(f"[!] 用户 {username} 的c值解析失败")
        except Exception as e:
            print(f"[!] 用户 {username} 请求异常: {str(e)}")

    return c_data


def chinese_remainder_theorem(moduli: List[int], residues: List[int]) -> int:
    """实现中国剩余定理"""
    total = 0
    product = 1

    for m in moduli:
        product *= m

    for m, r in zip(moduli, residues):
        p = product // m
        total += r * invert(p, m) * p

    return total % product


if __name__ == '__main__':
    # 从本地数据库获取所有n值
    print("[+] 正在从本地数据库读取n值...")
    all_users = get_all_n_from_db('users.db')
    print(f"[+] 成功读取 {len(all_users)} 个用户的n值")

    # 收集c值
    e = 71
    URL = 'http://challenge.qsnctf.com:32237'  # 修复了URL中的空格
    print(f"[+] 开始收集 {e} 个用户的c值...")

    c_data = collect_c_values(all_users, URL)

    if len(c_data) < e:
        print(f"[!] 警告：只收集到 {len(c_data)} 个c值，需要至少 {e} 个")

    n_list = list(c_data.keys())[:e]
    c_list = [c_data[n] for n in n_list]

    print("[+] 开始解密流程...")
    M = chinese_remainder_theorem(n_list, c_list)
    m = iroot(M, e)[0]
    flag = long_to_bytes(m)
    print(flag)

轮回密码

题目描述：

1	在佛经残卷中发现神秘密文，据传加密者用"六道轮回"之法将真言藏于时空循环中。

encode.py:

import base64


def samsara_encrypt(text, key_word):
    cycle_step = len(key_word) % 6 + 1

    phase1 = bytes([(c >> cycle_step) | ((c << (8 - cycle_step)) & 0xFF) for c in text])

    phase2 = base64.b85encode(phase1)

    phase3 = bytes([(c >> cycle_step) | ((c << (8 - cycle_step)) & 0xFF) for c in phase2])

    return bytes([phase3[i] ^ key_word[i % len(key_word)] for i in range(len(phase3))])


if __name__ == "__main__":
    flag = b"palu{********}"  # 可替换flag
    key = b""
    cipher = samsara_encrypt(flag, key)

    # 修复点：使用latin-1编码处理二进制数据
    print("轮回密文:", cipher.decode('latin-1'))  # 输出示例：¨×èÄÅÉØÛÚ

flag.txt:

1	轮回密文: y¦_6>X¬y!,!n¡mSaÜñüë9¼6

对着逆向就行了，直接问ai都可以
exp:

import base64


def samsara_decrypt(cipher_text, key_word):
    # 步骤1: 与关键词异或
    step1 = bytes([cipher_text[i] ^ key_word[i % len(key_word)] for i in range(len(cipher_text))])

    # 计算循环位移量
    cycle_step = len(key_word) % 6 + 1

    # 步骤2: 逆向循环右移（即循环左移cycle_step位）
    step2 = bytes([((c << cycle_step) | (c >> (8 - cycle_step))) & 0xFF for c in step1])

    # 步骤3: Base85解码
    step3 = base64.b85decode(step2)

    # 步骤4: 再次逆向循环右移（即循环左移cycle_step位）
    return bytes([((c << cycle_step) | (c >> (8 - cycle_step))) & 0xFF for c in step3])


if __name__ == "__main__":
    # 密文和密钥
    cipher_text = "y¦_6>X¬y!,!n¡mSaÜñüë9¼6".encode('latin-1')
    key_word = b"Bore"  # 需要填入正确的密钥

    # 解密
    plain_text = samsara_decrypt(cipher_text, key_word)
    print("解密结果:", plain_text.decode('utf-8', errors='replace'))

# palu{reincarnation_cipher}

文件查看器*

app.py:

from flask import Flask, render_template, request, redirect, url_for, session, flash, send_from_directory, make_response
import os
from gmssl import sm4


def xor(byte1, byte2):
    result = bytes(x ^ y for x, y in zip(byte1, byte2))
    return result


key = os.urandom(16)
iv = os.urandom(16)
sm4_encryption = sm4.CryptSM4()

app = Flask(__name__, template_folder='templates', static_folder='static')
app.secret_key = b'palupalupalupalupalupalupalupalupalu' 
# 保留原始的用户数据访问对象 (DAO)
class UserDAO(object):
    def __init__(self):
        self.users: dict[str, str] = {}

    def getPassword(self, uid: str) -> str:
        if uid not in self.users:
            raise Exception('用户不存在')
        return self.users[uid]

    def create(self, uid: str, password: str):
        if uid in self.users:
            raise Exception('用户已注册')
        self.users[uid] = password
        return

DAO = UserDAO()
DAO.create('demoUser', '123456')

# --- Flask 路由 --- 

@app.route('/')
def index():
    if 'uid' in session:
        return redirect(url_for('profile'))
    return redirect(url_for('login'))

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        uid = request.form.get('uid')
        if 'admin' in uid:
            flash('不可以是admin哦', 'error')
            return redirect(url_for('register'))
        password = request.form.get('password')
        confirm_password = request.form.get('confirm_password')

        if not uid or not password:
            flash('用户ID和密码不可为空', 'error')
            return redirect(url_for('register'))

        if password != confirm_password:
            flash('两次输入的密码不一致', 'error')
            return redirect(url_for('register'))

        try:
            DAO.create(uid, password)
            flash('注册成功，请登录', 'success')
            return redirect(url_for('login'))
        except Exception as e:
            flash(str(e.args[0]), 'error')
            return redirect(url_for('register'))

    return render_template('register.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        uid = request.form.get('uid')
        password = request.form.get('password')

        if not uid or not password:
            flash('用户ID和密码不可为空', 'error')
            return redirect(url_for('login'))

        try:
            stored_password = DAO.getPassword(uid)
            if stored_password != password:
                raise Exception('用户ID或密码错误')

            user_level = 'admin' if uid == 'admin' else 'guest'
            
            sm4_encryption.set_key(key, sm4.SM4_ENCRYPT)
            token_payload = f"{uid}:{user_level}".encode('utf-8')
            token = sm4_encryption.crypt_cbc(iv, token_payload).hex()

            session['uid'] = uid
            flash(f'登录成功，您的 token 是: {token}', 'success')
            # 创建响应对象并设置 cookie
            response = make_response(redirect(url_for('profile')))
            response.set_cookie('auth_token', token, httponly=True, samesite='Lax') # 设置 cookie
            return response

        except Exception as e:
            flash(str(e.args[0]), 'error') # 显示更具体的错误信息
            return redirect(url_for('login'))

    return render_template('login.html')

@app.route('/profile')
def profile():
    if 'uid' not in session:
        return redirect(url_for('login'))
    
    # 可以在这里添加解密 token 显示信息的逻辑，但暂时只显示用户名
    username = session.get('uid')
    return render_template('profile.html', username=username)

@app.route('/logout')
def logout():
    session.pop('uid', None)
    flash('您已成功登出', 'info')
    return redirect(url_for('login'))

@app.route('/file', methods=['GET', 'POST'])
def read_file_page():
    if 'uid' not in session :
        flash('请先登录', 'warning')
        return redirect(url_for('login'))
    print(session)
    
    file_content = None
    error_message = None
    file_path_requested = ''

    if request.method == 'POST':
        token = request.cookies.get('auth_token') # 从 cookie 获取 token
        file_path = request.form.get('path')
        file_path_requested = file_path # 保留用户输入的路径以便回显
        if not file_path:
            error_message = '路径不可为空'
        else:
            try:
                # 保留原始的 SM4 CBC 令牌验证逻辑
                sm4_encryption.set_key(key, sm4.SM4_DECRYPT)
                token_decrypted = sm4_encryption.crypt_cbc(iv, bytes.fromhex(token))
                decrypted_str = token_decrypted.decode('utf-8', errors='ignore') 
                parts = decrypted_str.split(':')[-2:]

                uid_from_token, lv = parts

                if 'admin' in lv:
                    print(f"管理员 {uid_from_token} 尝试读取: {file_path}")
                    try:

                        with open(file_path, 'r', encoding='utf-8') as f:
                            file_content = f.read()
                    except FileNotFoundError:
                        error_message = '文件未找到'
                    except Exception as e:
                        print(f"读取文件错误: {e}")
                        error_message = '读取文件失败'
                else:
                    error_message = '非管理员，无权限读取服务器文件'
            except ValueError as e:
                 error_message = f'token非法: {e}'
            except Exception as e:
                print(f"Token 解密/验证错误: {e}")
                error_message = 'token无效或已过期'

    if error_message:
        flash(error_message, 'error')
        
    return render_template('file_viewer.html', file_content=file_content, file_path_requested=file_path_requested)

# 移除 Flask-RESTX 的 404 处理，使用 Flask 默认或自定义模板
@app.errorhandler(404)
def page_not_found(e):
    # 可以创建一个 templates/404.html 页面
    return render_template('404.html'), 404 

if __name__ == '__main__':
    # 确保 static 文件夹存在
    if not os.path.exists('static'):
        os.makedirs('static')
    # 确保 templates 文件夹存在
    if not os.path.exists('templates'):
        os.makedirs('templates')
    # 404 页面
    if not os.path.exists('templates/404.html'):
        with open('templates/404.html', 'w', encoding='utf-8') as f:
            f.write('404 Not Found页面未找到
您访问的页面不存在。
返回首页')

    if not os.path.exists('static/style.css'):
         with open('static/style.css', 'w', encoding='utf-8') as f:
            f.write('''
body { font-family: sans-serif; margin: 20px; background-color: #f4f4f4; }
.container { max-width: 600px; margin: auto; background: #fff; padding: 20px; border-radius: 8px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
h1 { color: #333; }
.form-group { margin-bottom: 15px; }
label { display: block; margin-bottom: 5px; }
input[type="text"], input[type="password"] { width: calc(100% - 22px); padding: 10px; border: 1px solid #ddd; border-radius: 4px; }
button { background-color: #5cb85c; color: white; padding: 10px 15px; border: none; border-radius: 4px; cursor: pointer; }
button:hover { background-color: #4cae4c; }
a { color: #0275d8; text-decoration: none; }
a:hover { text-decoration: underline; }
.flash-messages { margin-bottom: 15px; }
.alert { padding: 10px; border-radius: 4px; margin-bottom: 10px; }
.alert-error { background-color: #f8d7da; color: #721c24; border: 1px solid #f5c6cb; }
.alert-success { background-color: #d4edda; color: #155724; border: 1px solid #c3e6cb; }
.alert-info { background-color: #d1ecf1; color: #0c5460; border: 1px solid #bee5eb; }
.alert-warning { background-color: #fff3cd; color: #856404; border: 1px solid #ffeeba; }
.file-content { margin-top: 20px; padding: 15px; background-color: #eee; border: 1px solid #ddd; border-radius: 4px; white-space: pre-wrap; word-wrap: break-word; }
nav { margin-bottom: 20px; text-align: right; }
nav span { margin-right: 15px; }
            ''')

    app.run(debug=True, host='0.0.0.0', port=10002)

在 app.py 中，token 的生成是将用户 ID 和用户级别（如 :guest 或 :admin）拼接后，使用 SM4 的 CBC 模式进行加密得到的，所以我们可以利用CBC 模式的特性来构造一个新的 token，使得解密后的用户级别变为 :admin。然后拿着新的token重新发包过去就可以了。

exp:

BLOCK_SIZE = 16

def pkcs7_pad(data, block_size):
    padding_len = block_size - (len(data) % block_size)
    padding = bytes([padding_len] * padding_len)
    return data + padding


def xor_bytes(b1, b2):
    return bytes(x ^ y for x, y in zip(b1, b2))


auth_token = 'c575072409e12c59db9ce9fdf3bcda799808caf067156983cf80b58086d38e09'
A = auth_token[:32]
C_old = pkcs7_pad(':guest'.encode(), BLOCK_SIZE)
B = xor_bytes(bytes.fromhex(A), C_old)
C_new = pkcs7_pad(':admin'.encode(), BLOCK_SIZE)
new_token = xor_bytes(B, C_new).hex() + auth_token[32:]
print(new_token)

2024-cryptoctf-wp

2025-03-11T09:00:00.000Z

Easy

alibos

题目描述：

1	Alibos, a classic cryptographic algorithm, is designed to safeguard non-sensitive data, providing a reliable solution for routine information protection.

题目：

#!/usr/bin/env python3

from Crypto.Util.number import *
from gmpy2 import *
from secret import d, flag

get_context().precision = 1337


def pad(m, d):
    if len(str(m)) < d:
        m = str(m) + '1' * (d - len(str(m)))
    return int(m)


def genkey(d):
    skey = getRandomRange(10 ** (d - 1), 10 ** d)
    pkey = int(10 ** d * (sqrt(skey) - floor(sqrt(skey))))
    return pkey, skey


def encrypt(m, pkey):
    m = pad(m, len(str(pkey)))
    d = len(str(pkey))
    c = (pkey + d ** 2 * m) % (10 ** d)
    return c


pkey, skey = genkey(d)

m = bytes_to_long(flag)
c = encrypt(m, pkey)

print(f'pkey = {pkey}')
print(f'enc  = {c}')

output:

1
2

pkey = 8582435512564229286688465405009040056856016872134514945016805951785759509953023638490767572236748566493023965794194297026085882082781147026501124183913218900918532638964014591302221504335115379744625749001902791287122243760312557423006862735120339132655680911213722073949690947638446354528576541717311700749946777
enc  = 6314597738211377086770535291073179315279171595861180001679392971498929017818237394074266448467963648845725270238638741470530326527225591470945568628357663345362977083408459035746665948779559824189070193446347235731566688204757001867451307179564783577100125355658166518394135392082890798973020986161756145194380336

简单来说的是按照如下方式进行加密：
$c = \text{pkey} + d^2 \quad (\text{pad}(m)) \quad \text{mod}(10^d)$
这里主要是未知d，但是仔细观察题目会发现$d = len(str(pkey))$ 所以d就已知了，直接解即可

exp:

from Crypto.Util.number import *
from gmpy2 import *

pkey = 8582435512564229286688465405009040056856016872134514945016805951785759509953023638490767572236748566493023965794194297026085882082781147026501124183913218900918532638964014591302221504335115379744625749001902791287122243760312557423006862735120339132655680911213722073949690947638446354528576541717311700749946777
c = 6314597738211377086770535291073179315279171595861180001679392971498929017818237394074266448467963648845725270238638741470530326527225591470945568628357663345362977083408459035746665948779559824189070193446347235731566688204757001867451307179564783577100125355658166518394135392082890798973020986161756145194380336
p_d = len(str(pkey))
mod = 10 ** p_d
m = ((c - pkey) % mod * inverse(p_d ** 2, 10 ** p_d)) % mod
print(m)
# 这里是需要去掉pad所以直接复制出来的数字，也可以写个循环判断flag头
flag = long_to_bytes(
    int(617070432649333612824260819310073660177462690396680303631818904538190359368277582922920090537696854326452605))
print(flag)
#CCTF{h0M3_m4De_cRyp70_5ySTeM_1N_CryptoCTF!!!}

Mashy

题目描述：

1	Mashy may seem like a simple cracking task, but you'll need to open your eyes to identify the right things to crack.

题目：

#!/usr/bin/env python3

import sys
from hashlib import md5
from binascii import *
from secret import salt, flag

def die(*args):
pr(*args)
quit()

def pr(*args):
s = " ".join(map(str, args))
sys.stdout.write(s + "\n")
sys.stdout.flush()

def sc():
return sys.stdin.buffer.readline()

def xor(s1, s2):
return bytes([s1[_] ^ s2[_] for _ in range(len(s1))])

def main():
border = "┃"
pr(        "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓")
pr(border, ".: Hi all, she did Mashy, you should do it too! Are you ready? :. ", border)
pr(        "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")

REC = []
cnt, STEP = 0, 7
sh = md5(salt).digest()

while True:
pr(border, f'Please send your first input:  ')
d1 = sc().strip()
pr(border, f'Please send your second input: ')
d2 = sc().strip()
try:
d1 = hexlify(unhexlify(d1))
d2 = hexlify(unhexlify(d2))
h1 = md5(unhexlify(d1)).digest()
h2 = md5(unhexlify(d2)).digest()
except:
die(border, 'Your inputs are not valid! Bye!!!')
if d1 != d2 and d1 not in REC and d2 not in REC:
if md5(xor(d1, d2)).hexdigest() != 'ae09d7510659ca40eda3e45ca70e9606':
if hexlify(xor(xor(h1, h2), sh)) == b'a483b30944cbf762d4a3afc154aad825':
REC += [d1, d2]
if cnt == STEP:
die(border, f'Congrats! the flag: {flag}')
pr(border, 'Good job, try next level :P')
cnt += 1
else:
die(border, 'Your input is not correct! Bye!')
else:
die(border, 'No this one! Sorry!!')
else:
die(border, 'Kidding me!? Bye!!')

if __name__ == '__main__':
main()

简单来说是要完成七轮挑战，使得输入的两个16进制串d1,d2，使得满足：

d1 不等于 d2
d1 xor d2 的md5不为 ae09d7510659ca40eda3e45ca70e9606
md5(d1) xor md5(d2) xor sh 的值为 a483b30944cbf762d4a3afc154aad825

这题纯出题人脑子有病，出的莫名其妙的，全靠猜
ae09d7510659ca40eda3e45ca70e9606的原像为：b’\x00’ * 256
a483b30944cbf762d4a3afc154aad825的原像为：emelinjulca
然后我们不知道salt也就是sh，就进行不下去了，其实sh就是emelinjulca，纯就跟出题人脑袋相接才能做
（ps；赛中的时候我人都傻了，然后一看几十解了，就拿emelinjulca试了一下结果真是，真是无了大语了）
到这里问题就简单了，整几组前缀进行MD5碰撞就完事了

from pwn import *

sh = remote("01.cr.yp.toc.tf",13771)

msg = [(b"31000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fe11ecc10c7ab8b4fe112d7f29ceb2dae1f39ce7a691488bfb817b7685ad087a162b0ce0ea69b140e7274b44c43f183578392f9719b43d4966c321cc0a10e6fbd002869b42f9fad9eb869dc55d5d349835961b1fd36a0bbe76a9bb5f4f5cc54136dec48d74497bf6579a6bf9721b81078637b429cff958886bd816dc4333a338",b"31000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fe11ecc10c7ab8b4fe112d7f29ceb2dae1f39c67a691488bfb817b7685ad087a162b0ce0ea69b140e7274b44c4bf183578392f9719b43d4966c3214c0a10e6fbd002869b42f9fad9eb869dc55d5d349835961b9fd36a0bbe76a9bb5f4f5cc54136dec48d74497bf6579a6bf9729b80078637b429cff958886bd8165c4333a338"),
       (b"32000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ebcd0390c198c8f33b4a08cce32f47451b5002e68895b7505d12824a0a460d133de3eff34e4de89ceb27ed3bce211b4696fec6736c059058d8b60f6e473f6c701068abf2d6bc645c4589a6f0f5211f5fc903c96e789d91f8abb300d8176088b7d31d825897c9001cf409c45b3a50005e93e33f4f908f9df944a664c927d28d55",b"32000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ebcd0390c198c8f33b4a08cce32f47451b5002668895b7505d12824a0a460d133de3eff34e4de89ceb27ed3bcea11b4696fec6736c059058d8b60fee473f6c701068abf2d6bc645c4589a6f0f5211f5fc903c9ee789d91f8abb300d8176088b7d31d825897c9001cf409c45b3ad0ff5d93e33f4f908f9df944a6644927d28d55"),
       (b"3300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000068270588dbc19cfe24db79019b0070d1823c4a4d6d816cdb22c2401a32081455e5db01c54c0ccf1b6706f061eec3e58ead12b5173dee55f954f9ac52a1a4bbedc32ab0ee3cae3896f9908a49d38cc5535c6c80661d262e1ec91a8639ecc7e1654086c61bf4cfe7fc6a7378f7809416ef39ae4ccc7fc29570c4c3a51b03fed7b9",b"3300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000068270588dbc19cfe24db79019b0070d1823c4acd6d816cdb22c2401a32081455e5db01c54c0ccf1b6706f061ee43e68ead12b5173dee55f954f9acd2a1a4bbedc32ab0ee3cae3896f9908a49d38cc5535c6c80e61d262e1ec91a8639ecc7e1654086c61bf4cfe7fc6a7378f7801416ef39ae4ccc7fc29570c4c3a59b03fed7b9"),
       (b"3400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025a80516e996c87574dc568d274da9d2d281b09bbc72f7ef46767961b4a708e969ebffe06a6e0945cbefe2f2fc41d89cb89c2574afb1fdbac5aca131cdf52d68b9e3c95615888cbc3d187ccd32f60d5b35636e925c1aa3002bb330c81b6088d8cbeb8014afc24f5e374ad05ab2f30d1fac7221195b7f3f1f19f5219ecaf948a2",b"3400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025a80516e996c87574dc568d274da9d2d281b01bbc72f7ef46767961b4a708e969ebffe06a6e0945cbefe2f2fcc1d89cb89c2574afb1fdbac5aca1b1cdf52d68b9e3c95615888cbc3d187ccd32f60d5b35636e125c1aa3002bb330c81b6088d8cbeb8014afc24f5e374ad05ab2730d1fac7221195b7f3f1f19f5211ecaf948a2"),
       (b"35000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f56f1da5ad57f483059ae0869962f05204f954e2de9d56c55b168139ec372cefb1b307cbe84ce477cbff5df4d40bc46c08ceef8bb18bfc996b3b9fdaa7b72c17ee1cb3491794d6e2ff7d9914525cdf2d88b9314505ef864d201d2b364a6e25ae4d183e738c3c86e53e5ad1a1910c825cb1bcd59b97d1a3cf979668fbac6a138b",b"35000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f56f1da5ad57f483059ae0869962f05204f95462de9d56c55b168139ec372cefb1b307cbe84ce477cbff5df4d48bc46c08ceef8bb18bfc996b3b9f5aa7b72c17ee1cb3491794d6e2ff7d9914525cdf2d88b931c505ef864d201d2b364a6e25ae4d183e738c3c86e53e5ad1a1918c815cb1bcd59b97d1a3cf9796687bac6a138b"),
       (b"36000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f2b343c2bb614b7b4acc4e0ade8a5e4b2abb4eefe97ef7991832793e4e301637cf0becd84c43dbafeb43d0da12c8e2883e0d02ada60e678e3470ee866abe2fa713b8a521a986e75d821f74221fee2ea441b3ab462f29b56f862b00d05f60cdc1a9a1c92d04457bd6e693673963ab6e6b6c3552cd1c54efe627b342fecdfd8dea",b"36000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f2b343c2bb614b7b4acc4e0ade8a5e4b2abb4e6fe97ef7991832793e4e301637cf0becd84c43dbafeb43d0da1248e3883e0d02ada60e678e3470ee066abe2fa713b8a521a986e75d821f74221fee2ea441b3abc62f29b56f862b00d05f60cdc1a9a1c92d04457bd6e6936739632b6e6b6c3552cd1c54efe627b3427ecdfd8dea"),
       (b"370000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d6afba61c0910b5ca21a9164b65134753b3845080d9afe6460237a1d938a8385204b0e85cce2b686b40d9b9c517e64b08ee01d02fa63470aa3b34c1e550d11356d867ea70e96b0257d9b1b20df1ee22603111180739001ad17bf6c8dd707932b34e97b62e74936197adcc2f93164b46c7c7e4bb7b6c1a55a21958961f7378be",b"370000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d6afba61c0910b5ca21a9164b65134753b384d080d9afe6460237a1d938a8385204b0e85cce2b686b40d9b9c597e64b08ee01d02fa63470aa3b3441e550d11356d867ea70e96b0257d9b1b20df1ee22603111980739001ad17bf6c8dd707932b34e97b62e74936197adcc2f93964a46c7c7e4bb7b6c1a55a21958161f7378be"),
       (b"38000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c6eb639aedf271805029b40d4dc783ab8d769d35cb9032f9184641b94c881615f5f902cb5e8ba3176f2660d4f821828fdbed111365cc4dfbbf001ca884fcb74df4f681c17ed38f53b8346319fee0c2eaecf2ea2597f0ca2c04ed6c064e9e3ddd7d37ff3e54908e889a58455a8fd411bc0f75e93cadc453f6f89d16e8cd8e7c2a",b"38000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c6eb639aedf271805029b40d4dc783ab8d769db5cb9032f9184641b94c881615f5f902cb5e8ba3176f2660d4f8a1828fdbed111365cc4dfbbf001c2884fcb74df4f681c17ed38f53b8346319fee0c2eaecf2eaa597f0ca2c04ed6c064e9e3ddd7d37ff3e54908e889a58455a8f5411bc0f75e93cadc453f6f89d1668cd8e7c2a")]

for i in range(8):
    sh.sendline(msg[i][0])
    sh.sendline(msg[i][1])

sh.recvuntil(b"Congrats! the flag: ")

print(sh.recvline())

#CCTF{mD5_h4Sh_cOlL!Si0N_CrYp7o_ch41lEnGe!!!}

Beheaded$

题目描述：

1	The beheaded flags have had their headers removed, making them encrypted. Can a living entity truly survive without a head?

题目：


source secrets.sh

FLAGS="all_flags.txt"
rm -f "all_flags.enc"

while read flag; do
magick -background white -fill blue -pointsize 72 -size "$X"x"$Y" -gravity North caption:"$flag" flag.ppm
tail -n +4 flag.ppm > tail
openssl enc -aes-256-ecb -pbkdf2 -nosalt -pass pass:"$KEY" -in tail >> "all_flags.enc"
done < "$FLAGS"

题目将flag串写在图片上，然后对这张图片进行ECB加密，最后得到密文文件。
这个不太会，看春哥说是用工具，以后再说吧。

Medium

Alilbols

题目:

#!/usr/bin/env python3

from Crypto.Util.number import *
from gmpy2 import *
from secret import d, flag


def genkey(d):
    while True:
        f = getRandomRange(1, int(sqrt(2) * 10 ** d))
        g = getRandomRange(10 ** d, int(sqrt(2) * 10 ** d))
        if gcd(f, 10 * g) == 1:
            q = 4 * 100 ** d
            h = inverse(f, q) * g % q
            if gcd(h, 10 * d) == 1:
                break
    pkey, skey = (d, h), (f, g)
    return pkey, skey


def encrypt(m, pkey):
    d, h = pkey
    q = 4 * 100 ** d
    assert m < 10 ** d
    r = getRandomRange(1, 10 ** d // 2)
    c = (r * h + m + r) % q
    return c


pkey, _ = genkey(d)
m = bytes_to_long(flag)
c = encrypt(m, pkey)

print(f'h = {pkey[1]}')
print(f'c = {c}')

output:

1
2

h = 1051643987107349427988807326909852110640860009433515828832892541964729933410444984350917250524103015414239941369074041041830326426044333499878031164851095096864048639115431370526747014210332286314344073411522846701723463410585601251886732229726828022089809603850477551571014006202841406236367999378786782206165205893353928598469661871284779486855440579818275314024966224282757807716013799903830828885606714972634243850947534165272668985513949964901606268939300116019465522042467054120201087606016018354238401711720121586874288767235317479748890350702705575809130664969776549574720593740409234863974057904204809404816059921579771581800937241591669455683460570640868196509926763901079838233646036933530095891316054589051458146768287967886035091641162494322987627448810201550901588438560433001422233269632915351406169253963308421081459981594969405377353502889363324282815864766827664453823780238352371809048289845094882346227809082005375092441877966603138648719670349093616548820955566204871333952902983753935678447080673827214244142614295192263451840766771122229866931492260663320087497820892824540996643905125018452302747847009
c = 11913143174789215053772744981113562063689725867199301496294410323568897757042952642806438602327917861884988292757318755590132189620231444302311290566584065812614959093870787195145654508262419270742989923415342357807325941686508030706603920412262004324188375072184983301522882728578077572816154054220606088703932092256905881975876112779175003897105313776239681492514925430817300633974666123599685062340158348009344351002327049272743679109535286730751345284084148118733529966364414749672437370878526710641430471595906340522772252875146681541656231708112317601000655090279925720590940060372738708208419449824043905057860829031242339842131799965043031307394209699264362321397162645220002253271689678364848888381499587038475895945238726252440250183268252483198408039250213490525880829604473555612305513974817850974135874728084839426045420913060975464553734293001460752648937744531874552694145500413222582269910431269597066268600572899619407093373565994271589940926018891922169454906132284552523035481664164354874071831210264979733079749696197917769435226866441989054017071332158916586376454753209296136133271926449919437888563234409

密钥生成有：

$ 1 \leq f < \sqrt{2} \cdot 10 ^ d$
$ 10 ^ d \leq g < \sqrt{2} \cdot 10 ^ d$
$ q = 4 \cdot 10 ^ 2d$
$ h = f ^ {-1} g \ (mod \ q)$

加密有:

取一个随机数r, 满足 $ 1 < r < \frac{10^d}{2}$
计算密文 $ c = rh + m + r \ (mod \ q) $

给出了h,c, 需要还原m

很明显是NTRU，直接造格：
$\begin{bmatrix} r & -1 & k \end{bmatrix}$ $\begin{bmatrix} 1 & 0 & h+1 \\ 0 & 1 & c \\ 0 & 0 & q \end{bmatrix}$ = $\begin{bmatrix} r & -1 & -m \end{bmatrix}$

但是我们不知道d,q, 所以需要枚举一下d的大小

exp:

from Crypto.Util.number import *
h = 
c = 

for d in range(500,800):
    q = 4 * 10 ** (2 *d)
    M = matrix(ZZ, [[2, 0, h+1],
                [0, 10^d,c],
                [0, 0,   q]])
    v = M.LLL()[0] 
    m = int(abs(v[-1]))
    if b'CCTF' in long_to_bytes(m):
        print(d)
        print(long_to_bytes(m))

Ally*

题目描述：

1	Ally enjoys the challenge of solving Diophantine equations, so help them tackle this latest complex equation as well.

题目：

import sys
from Crypto.Util.number import *
from flag import flag

def die(*args):
pr(*args)
quit()

def pr(*args):
s = " ".join(map(str, args))
sys.stdout.write(s + "\n")
sys.stdout.flush()

def sc():
return sys.stdin.buffer.readline()

def main():
border = "┃"
pr(        "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓")
pr(border, ".::  Ally is my best friend, help him to solve his tough task  ::.", border)
pr(        "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")

nbit = 14
level, step = 0, 19
while True:
pr(border, f'Please send your {nbit}-bit prime:  ')
p = sc().strip()
try:
p = int(p)
except:
die(border, 'Your input is not valid! Bye!!!')
if isPrime(p) and p.bit_length() == nbit:
pr(border, 'Send the solution of the following Diophantine equation in positive integers x, y')
pr(border, f'{p} * (x - y)**3 = (x**2 + y) * (x + y**2)')
xy = sc().strip().decode()
try:
x, y = [int(_) for _ in xy.split(',')]
except:
die(border, 'Your answer is not valid! Bye!!!')
if p * (x - y)**3 == (x**2 + y) * (x + y**2) and x > 0 and y > 0:
if level == step:
die(border, f'Congratz! You got the flag: {flag}')
else:
pr(border, f'Good job, try the next step {level + 2}')
level += 1
nbit = int(1.2*nbit) + getRandomRange(0, 6)
else:
die(border, 'Your answer is not correct! Bye!!')
else:
die(border, 'Kidding me!? Bye!!')

if __name__ == '__main__':
main()

就是给出19对如下的丢番图方程的正整数解： $p(x-y)^3 = (x^2 + y)(x+y^2)$

赛中没做出来，赛后发现其实:

$p = 4y+1x = 2y+1$

就可以了

exp:

from pwn import *
from Crypto.Util.number import *

def get_valid_prime(bits):
    while True:
        p = getPrime(bits)
        if p % 4 == 1:
            return p

try:
    sh = remote('01.cr.yp.toc.tf', 13777)
    for i in range(20):
        sh.recvuntil(b'Please send your ')
        bit_length = sh.recvuntil(b'-')[:-1]
        bit_length = int(bit_length)
        sh.recvline()

        p = get_valid_prime(bit_length)
        y = (p - 1) // 4
        x = 2 * y + 1

        sh.sendline(str(p).encode())
        sh.recvline()
        sh.sendline(f'{x},{y}'.encode())
        sh.recv()

    print(sh.recvline())
except Exception as e:
    print(f"发生错误: {e}")

Bada*

题目描述:

1	The Bada equation contains an undetermined function. By closely examining how this equation behaves, you may be able to discover the concealed flag.

题目:

存在一个函数方程f: N×N → Z:

$ f(a+1,b) = f(a,b) + a $
$ f(a,b+1) = f(a,b) - b $

给定了f($x_0$,$y_0$)的函数值，以及f（x,y）的值，求（x,y）使满足f(x,y)=z

很明显这两个函数方程可以看作两个等差数列，也就是有:

$f(x,y) = f(1,1) + (1+2+...+(x-1)) - (1+2+...+(y-1))$

即是：

$f(x,y) = f(1,1) + \frac{(x-1)(x)}{2} - \frac{(y-1)(y)}{2}$

记f(1,1)为c
也就是有：

$f(x,y) = \frac{(x-1)(x)}{2} - \frac{(y-1)(y)}{2} + c$

这里就把问题变成了解关于x和y的不定方程的问题:

$\begin{align*}2(z-c) &= x(x-1)- y(y-1) \\ &= (x-y)(x+y-1) \quad \text{} \\\end{align*}$

exp:

from Pwn4Sage.pwn import *
import re

context.log_level = 'debug'

class EquationSolver:
    def __init__(self):
        self.pattern = r'f\((\d+), (\d+)\) = (-?\d+) and f\(x, y\) = (-?\d+)\n'
        self.conn = remote('node4.anna.nssctf.cn', 28634)

    def solve(self, prev_x, prev_y, base_z, target_z):
        adjusted_z = base_z - (prev_x * (prev_x - 1) // 2) + (prev_y * (prev_y - 1) // 2)
        left_hand = 8 * (target_z - adjusted_z)
        for factor1 in divisors(left_hand):
            factor2 = left_hand // factor1
            if factor1 % 2 != 0 or factor2 % 2 != 0:
                continue
            half_factor1 = factor1 // 2
            half_factor2 = (factor2 + 2) // 2
            if (half_factor1 + half_factor2) % 2 != 0:
                continue
            x = (half_factor1 + half_factor2) // 2
            y = (half_factor2 - half_factor1) // 2
            return x, y
        raise Exception("No solution found")

    def process_step(self):
        self.conn.recvuntil(b'We know: ')
        line = self.conn.recvline().decode()
        match = re.match(self.pattern, line)
        if not match:
            raise Exception("Format error in received data")
        prev_x, prev_y, base_z, target_z = map(int, match.groups())
        x, y = self.solve(prev_x, prev_y, base_z, target_z)
        self.conn.sendline(f"{x},{y}".encode())

    def run(self):
        for _ in range(20):
            self.process_step()
        self.conn.interactive()

if __name__ == '__main__':
    solver = EquationSolver()
    solver.run()

Duzly$

题目描述：

1	Duzly is a straightforward hash function design based on congruence relationships over a prime number modulus.

题目：

from Crypto.Util.number import *
from os import urandom
from flag import flag

def pad(m):
m += b'\x8f' * (8 - len(m) % 8)
return m

def duzly(m, C):
ow, E = 0, [2**24 + 17, 2**24 + 3, 3, 2, 1, 0]
for _ in range(6):
ow += C[_] * pow(m, E[_], p)
return ow % p

def pashan(msg):
msg = pad(msg)
pash, msg = b'', [msg[8*i:8*(i+1)] for i in range(len(msg) // 8)]
for m in msg:
_h = duzly(bytes_to_long(m), C).to_bytes(8, 'big')
pash += _h
return pash

p = 2**64 - 59
C = [1] + [randint(0, p) for _ in range(5)]
flag = urandom(getRandomRange(0, 110)) + flag + urandom(getRandomRange(0, 110))
_pash = pashan(flag)

f = open('_pash_updated', 'wb')
f.write(str(C).encode() + b'\n')
f.write(_pash)
f.close()

赛中看0解（自知之明一手）就没看，赛后一看果然没看懂
这里贴一下大佬的做法这里

Forghan*

题目描述：

1	The Forghan, the combination of RSA and DLP cryptography, may in certain instances prove more accessible than employing either method individually.

题目：

import sys
from Crypto.Util.number import *
from hashlib import sha256
from flag import flag

def die(*args):
pr(*args)
quit()

def pr(*args):
s = " ".join(map(str, args))
sys.stdout.write(s + "\n")
sys.stdout.flush()

def sc():
return sys.stdin.buffer.readline()

def find_gen(p):
while True:
g = getRandomRange(2, p - 1)
if pow(g, (p-1)//2 , p) != 1:
return g

def main():
border = "┃"
pr(        "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓")
pr(border, "Hi all, now it's time to solve a strange and unusual RSA and DLP    ", border)
pr(border, "challenge about encryption! Follow the questions and find the secret", border)
pr(border, "flag! :)                                                            ", border)
pr(        "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")
nbit, b = 256, False
while True:
pr(f"| Options: \n|\t[G]et encrypted flag \n|\t[P]ublic parameters \n|\t[S]ubmit {nbit} primes \n|\t[Q]uit")
ans = sc().decode().lower().strip()
if ans == 'g':
if b == True:
l, n = len(flag), (p**2 - 1) * (q**2 - 1)
gp, gq = find_gen(p), find_gen(q)
sp, sq = getRandomRange(1, p), getRandomRange(1, q)
flagp, flagq = flag[:l // 2], flag[l // 2:]
yp, yq = pow(gp, sp, p), pow(gq, sq, q)
cp, cq = pow(bytes_to_long(flagp), yp, n), pow(bytes_to_long(flagq), yq, n)
pr(border, f'cp = {cp}')
pr(border, f'cq = {cq}')
else: pr(border, 'Please first send your primes! :P')
elif ans == 's':
pr(border, 'Send your desired prime numbers separated by comma: ')
P = sc()
try:
p, q = P.split(b',')
p, q = int(p), int(q)
except: die(border, 'Your input are not integer! Bye!!')
if p != q and isPrime(p) and isPrime(q) and p.bit_length() == q.bit_length() == nbit:
b = True
pr(border, 'Now you can get the encrypted flag in main menu!')
else: die(border, 'Sorry, your integers are not valid :/')
elif ans == 'p':
if b == True:
pr(border, f' gp = {gp}')
pr(border, f' gq = {gq}')
pr(border, f' yp = {yp}')
pr(border, f' yq = {yq}')
else: pr(border, 'Please first send your primes! :P')
elif ans == 'q':
die(border, 'Quitting...')
else:
die(border, 'You should select valid choice!')

if __name__ == '__main__':
main()

题目有三个选项，但是显然是有顺序的，具体来说应该按照下面来：

选择”S”，输入256bit的素数p、q
选择”G”，靶机对flag进行加密，加密流程如下：
- 生成n，n = (p^2 - 1) * (q^2 - 1)
- 分别生成p、q下的一个随机二次非剩余gp、gq
- 生成p、q下的随机数sp、sq
- 将flag分为两段，记为flagp、flagq，对应数字记为mp、mq
- 计算yp、yq， $y_p = g_p^{s_p} \pmod{p}$，$y_q = g_q^{s_q} \pmod{q}$
- 计算密文cp、cq，$c_p = m_p^{y_p} \pmod{n}$ ,$c_q = m_q^{y_q} \pmod{n}$

选择”P”，获取gp、gq、yp、yq的值

由于有 $y_p$、$y_q$，所以这里就变成了解一个RSA的问题，由于flag是静态的，所以可以放在一个子群里去求解，放在模p-1下有：

$c_p = m_p^{y_p} \pmod{p-1}$ $c_q = m_q^{y_q} \pmod{q-1}$

由于p和q都是自己构造的，很容就能得到p-1的分解，就可以解RSA解出mp、mq在p-1下的值，又因为flag是静态的，所以完全可以多次交互求crt

exp:

from Crypto.Util.number import *
from sympy.ntheory.modular import crt
from pwn import *

sh = remote("node4.anna.nssctf.cn", 28932)

def gen_prime():
    while True:
        p = getPrime(255)
        if isPrime(2*p+1):
            return 2*p+1

nums = 10
P = [gen_prime() for i in range(nums)]
mp = []
mq = []
for i in range(nums):
    sh.sendline(b"s")
    sh.recvuntil(b'Send your desired prime numbers separated by comma: ')
    q = getPrime(256)
    sh.sendline((str(P[i]) + ',' + str(q)).encode())

    sh.sendline(b"g")
    sh.recvuntil(b"cp = ")
    cp = int(sh.recvline().strip().decode())
    sh.recvuntil(b"cq = ")
    cq = int(sh.recvline().strip().decode())

    sh.sendline(b"p")
    sh.recvuntil(b"gp = ")
    gp = int(sh.recvline().strip().decode())
    sh.recvuntil(b"gq = ")
    gq = int(sh.recvline().strip().decode())
    sh.recvuntil(b"yp = ")
    yp = int(sh.recvline().strip().decode())
    sh.recvuntil(b"yq = ")
    yq = int(sh.recvline().strip().decode())

    k = (P[i] - 1) // 2
    mp.append(pow(cp, inverse(yp, k - 1), P[i]))
    mq.append(pow(cq, inverse(yq, k - 1), P[i]))

Mp = crt(P, mp)[0]
Mq = crt(P, mq)[0]

print(long_to_bytes(Mp))
print(long_to_bytes(Mq))

Honey

题目描述：

1	Honey is a concealed cryptographic algorithm designed to provide secure encryption for sensitive messages.

题目：

from Crypto.Util.number import *
from math import sqrt
from flag import flag

def gen_params(nbit):
p, Q, R, S = getPrime(nbit), [], [], []
d = int(sqrt(nbit << 1))
for _ in range(d):
Q.append(getRandomRange(1, p - 1))
R.append(getRandomRange(0, p - 1))
S.append(getRandomRange(0, p - 1))
return p, Q, R, S

def encrypt(m, params):
p, Q, R, S = params
assert m < p
d = int(sqrt(p.bit_length() << 1))
C = []
for _ in range(d):
r, s = [getRandomNBitInteger(d) for _ in '01']
c = Q[_] * m + r * R[_] + s * S[_]
C.append(c % p)
return C


nbit = 512
params = gen_params(512)
m = bytes_to_long(flag)
C = encrypt(m, params)
f = open('params_enc.txt', 'w')
f.write(f'p = {params[0]}\n')
f.write(f'Q = {params[1]}\n')
f.write(f'R = {params[2]}\n')
f.write(f'S = {params[3]}\n')
f.write(f'C = {C}')
f.close()

params_enc.txt：

p = 10580731215444436219213907263947534038012197972307836319229421193761088798378768844649759133142120180834573817149711299466707823017636232456526471274387917
Q = [6718668664591596190749745980002066645380242844394957953766947533978323053938214647829798301606252456858132121628517723050462291300790766055200866765561610, 8738840830394886495658505803088103824478963010774845789433253508554356383249611502157307334585157729703873877797759121271071421201959116272886732798936523, 4388762712805764363921857352899834586382140923234814556069490536704913653848525595836491615636446563386705915348021173847271741862809075809151508973332816, 3663706247989213864330218414789109172658418861584264092087052781618522795676355371739296186667918464732397854703792563460353675590182379535358561615166754, 10397730940373180549512945920847346184926672474430866208628825035104473525758952069910968144296138220861205803231072660136999110567752870928953292888013817, 7950983396364741732874562189206547723862955251595526752956177377987683115942827501152009639962778147887569469649852864894630521759276627026901168996371682, 4533165373271154956275563812280832107592547920299130443910706773435844651231402604986107252454770256826684895729900344877444002682896222483157835711226276, 234527648838985018479849393379369972316648524004050156622962478277970628212208049885578895953447529009579881605066831810617219492342569126524704457098602, 870946394610707169333783318085559836426827503011955242395779894700298192587685130680102208909573921059078858816359885827349281892186755920839352494224983, 5025393101560564396356619431938053414422489109406396725377683594254768077793838379117179092536396259414266971990125716674162127500490058572594571364978294, 5914192169617888877888201158713062853387719050723973971874176184801960297380845845091259990664210178355882621876155306106794686897854891414999449337977781, 2315609284318723939818174971181608382568372323836754133265010413836452399043354382657889810068171230196496294710150903020084150025606782486579490225752163, 7278167622527482910919537896950398911672667355929695202886784227621290914468002099686668156909569183497765732237075799745632960354306268680765408194219074, 3334584846711780119716613440720851482199838919351927489954344426327712973616885459737471991960238971274273643566666607141850753561424427088261862873317161, 10418397794302836806813296591826255845845380563102199636140458670781241436466478273414138749593148481207713557016996462238845705251702717702279222414513227, 8928267741189301140931758366885435860144549752680480164627323600501278650103818630920534258909582593266779000356145650416276415560226176904904552964196921, 3371514716248416335324237152123624115597170761078576760713238311485522010416246207731778456501311675041827750001670698984335573888627309609534659722697174, 3802217515688979225517388823688564230191961273039428065604146662684362686419670392762755984078261072614619934671572327384351597903233780846163893180876244, 2363399549320749312563257796730356164186914867645487733176402567625567991193120859507532138374793392237469893062402307645814490930874653088116729203724851, 10221767730316631512882371487958453352895713655492241322139865275323706929127996334620105099751973217983332705204535216804829987329684674632121801754529472, 2309440702968799222696132507585555901684240893289264193546892279919675495689944211715270510347394465285317239758024734161176699837687742722383530547735726, 5768185970426887633783322939933762164095055854707759575404348181421158843802654199133776622565384843677610666356549368021172121302926969754865633752131083, 3229518654067354667224244723968136366109210341994628338992752927462431316675552817799465987425719486448276862390918033544772400219803600904202906882850710, 9261930571620802581580992489567043178258044978932724785185749415955521702331959591680386023118398455066896674799447994060060156036800986190467008880726445, 2202162000802916921896507108984564185119471354726317829850206292755815439071735424116041491064894922930900262540589602333676063925873357256494020426758849, 1449198886322850923273373987785167865779477069790726992542423846556138762913056524689998313112599261515223680429584445016474216381861998363527368722991846, 8372052560034461177472546395510480308837387803551378399004608402463282066003862653368875671946863748209051044725913651881213858335224750549176875818647614, 1554572177534183877889322947083536921680809086638640689433294150868422460719624621258231995856944045776876555664816113444481761122803489100212103150005950, 10304720995101153898600333216365877709018991122985401884049110267116778080162237155472336396606109372189653686733770775660895990549286854727042270667997449, 9702831715765050072649082617719386580543641764650576307262259428035281535816750758018451681417440458250169771442858047124693499821240155899358663466925522, 4983986466837077050816175727911146971276599399191126236666755181304580074902883995859030897874305902445659355326021836801836996577665092276845357389900055, 983210432268706135181772492997088637756153310076409721616450343187239073604891492532080986521255675448499887782529162112441952861587689660048849369850769]
R = [8922553268219903948421811612403588317187402276064169063400419617931637566221670948925221403527928336656976084021780421068421112325215152715630319708159148, 1960697234007608888633325436691320507012497445090151112947144246088597317322303593936974554881161091213718329061011703885436579261559669838148253146762736, 5876944865176517279136475269375710514719489457672467542904948332791352244229042691977616905122711469012731652511966060550749288338599104284986451669586397, 10560136356360422684127995001096871178761635291417665630629868184624616925939841693017240341233504589896610287855672892399213367967385666891688408976236926, 477096251733995832965266836067676961413182629438628989729801411920869543083075545758386996801847267554704996660190900105380190625423846876906822024677634, 7001514955678391252130680521301315254365131738168087539892724691183104608345983375763663321467662055864103520121513349630333839818372656472731157470876337, 3894488356665934776074291789545516608573077899099880057920210752197885106521699021123658077208789295954145485399473386424677782787720074605813565437678385, 6084641463140385894120457093933350076091808742065950836200598466936433741373700151235571333073965513559605688011967994215074945374832957951384088589789549, 6429023674027239778212676334778900557043774851747196071499704016422574667955121145943674677254291410204037372996870181094090300709994594837656541352954321, 974464046378184190666336249935678253753198649184272269465353741281529523364289314148552833155935080422698020734516538377662137879089845095565536185765703, 5275384626572520577089146723078373110279682903874445477027602487061203157331398955233780208890725281673434536867800450553737656852356536771518379108118530, 7195767683001605593626199889963767438584070902169912442665828755648712278523740276132000225353756257232761885567134364203207306842108602537457408438487869, 1960155276835684836483043402384876176138942980630724993481564836712252228823186653467973806509964860286129730847244573674203959835565358735171611743573721, 6414607819273473402861616605113355396690170400984793217629732347141796693554056264547151212348354332930126795040213921009711560216969452391748438893237750, 3344964019305423035551401397282638905496921053458747459062023331678484337724980196690184898986671355848101101352105363764794975082772539709853216580762130, 5599385562588302350377616767130563945375472947459594912838322011021483641484084692396462025157944023828872267520122213089523093591160284337483108416804096, 9490045098551912983475126253859124028793327975874647810947095579199208473971726763051464010595903748080632329362605820021188148160826282120484098519748832, 980400922804123638777377509067942595214234592161404114303498013065244168965487370334832921426484278913774963761155003569793282819717667783351454812080994, 2772369382727364487748752144766350276094463435156818133766210304998890765120785013435379746537938377688617479112518505844159436213691418873590807740501183, 2338271137215119073302625621754099128003710500967811947590498668688826448575898279561111743087002717955161536157254689000474464404087443266193145449601031, 11773104862539842923315548180471993854469651503131148446111338098437913152663007837927793233931818835121946274135336436554801339749906320765919816150768, 7022131435585860015767289025786078578929344550873832550705723505006303288639135070849692494020122369694090619694760175970759059981608871097298624956669246, 9062158671807923729547552523768819638817707994079942965412925347441853183471973898478745711676153003756450481351777543455041815438536630317647408008349357, 641428039466528875429106458292463262780539744201857515833377175893334510962304373010401729801987725599439620073783868719664061882399367340158128062151780, 9636846145225909579086917154824161374486916920345217833190333031690359415616710658317308376119096253360425924297858397657697468296746934075225665559206030, 480796179229094678008918831581475398488769027287954488301969143979307355466114726392701279092691566949082439457297527772794149828193400419285116237063338, 7726757640854263742178678415761753342099387727318458723726925176786999799204056696883433346568600944559959849253863013300907357120126559055735593380638961, 551534415366550033034654093228329954588738781407008585088422737955391043381667720876717529438845777841508116853874405455280903517864352822604194884203656, 2135598634800053933515509095633720732412542790075717247869348997292949946344227105219967710854885153055617943193159899627517699960920415492992774438014041, 1680242449902645450228202409049382139482100876672724104665964994414865664877710770701122475977142858601068246748276652246938681740022531970523695731126206, 436320498659370791836085607479390848415464961245449366885835640616716752879866126057724425537944356751844317980881005608075886211154052092270888058429787, 4102523817041969170017113001399252035243358293719837916039521471412151711746047572340376418109842112515873700164747338421862615679590520014959369523777063]
S = [4389820170235953517860364281419052587762385444517203945856665517072263529411621622474249480804818285716662154444854074939122170918939074730520091008754679, 10274488321950407401790238304858775303749809597573328350457719402010568443492374388509295355784873292280254116167747959663379913408799485392015111636115272, 7413556897779783875511997253964328306011661062497568739340607424890313315434489440969977560260194970241163209968988660276109536299848001455072705137702052, 10385679419514177727801069016719283683697529805734389950368725106396939072509839502286093730172215158898251533786500497578747904349856564856054102927847131, 6386209810414906928429352824399745808560059492214757951425372272591372428785367326567204502131184260857447725722068674542931096991341451850846209503213310, 699060860182347708294712482476262878008951502586470987307146194685783850677219935862211847525612405824474382122868643521962157410369483858428437433802395, 3482063900392942412450041046839813864192488604261419419162091087116878838189062406913587662602295096636481252242577251563441565388543873530900962308450590, 5752782775722534186844731777766684686828626762801341093006843547008915880093927377014105260314050196609699164926717998841388194942556402699285523644651583, 4477944786670422304592908174461368396168580171651041832449759231077050962444090886920563302603784981035116689839335069690875797644553684152368376089740517, 5663531682848751034979876476955107364567717396957230368140915480695954150088052156264521615690161327525898382714131905580517915060427960250740110846321921, 5343294510843224726960051115907810365241970373986845465490090821566645536683695042467985025063439338770116316455211944030125820601506874250685838077414765, 8432688027895892738831218358369397874948328355540048945541749304849571948638169902486647265119397307193449002927427840453857643697175667051504836511635801, 8974418251288081645329898313903422373193272601106837017923535786950979222125740970411725976034947989767143786286397290996756916960291029965672692318584390, 3367471493907450997862234076499110882206518716388236141312548251406626961838619595519805436447472248133422979102036617759221276869918910189482246041609756, 9787518698663334219763616437865759554315749369906898604904977007297368987715422535407542350049111845605011307829034744443271718643291528381794716569586150, 7423298611637442306439453382713995476685370148677494272333567929180589186347708172471032286209947149761644993151042408431548488945145292037694546868884030, 5591656321514817104832226351286824953278894430528912246855770091334337189386156994498331013600732669813560603667226878637404391237947398475280409452591013, 6425108527382412819259579180312607504985609322110590326058191420486308943785080395001318724782575187718535133704219706236946232717333616646838328259100174, 1986072520726417425427679478185786673218113837249425820170849864471171328875606626923270664642579676457285438864056080352157246995774517812392120146048999, 5085759490547346080963649291763871068034757573012867868532204864022791365366745839456310985148663327808561601274994541505734129506831803550600738607170703, 6883330982174382523423400136207766091739299571009207949454774998664997037115272990237878573502506026799645646664956134682833693219974019271740996314084220, 3008412285222633004812698063455902388460013611944185187747762649311442328686187279186972723448077521425052318221865300502697494418867793831761784796146329, 9547325670583212399117684599284936334790443591395268814958834705867928621240882386996085347052830889322724160452729359284992294890584292625829913315628265, 1387461799657365419593288084566026147529011675413652640829187706708872066267641962620159408303872024421411747751690792902149761832079721583778430712988299, 2093635222672050417361673475374966389314266702410603863643637918543784930893405832179904330416148995313591588929177333026382745340633946128791737631559286, 8413424329301946557805781268429552577339778139904799140486659388945506980343653897206690153402822892272378378085908749995513711021119914769801970795906117, 6743445162380434316634371637355512041805280159276931422012464596435558338432827675791139455542184532473287436049595748235961499758716697674776760822162391, 1706184129470213725753097073154985919221181897433450716898208607625832464228411992900434982560203334218404626447424408012817411257665032706434306723906871, 1188503046129710474378492502021666062040985983530761819828342979325166292485440608536173516789179154601587903599847267180858095017007891547798890802090080, 6398862094282462456834873185064362330936738060688527379705123125559724680574585721467123968313071365176318010618981170019917278363707049487278610027058585, 1827205671808118170959457466922915851906256049105694256301380823860317738339383848734269783842511423911532135506082729000044271560428423457063013176002958, 4296939764995860347968082436772567300063081379392577066061720737920992283479200350022263164173968370055486217109628430523063986426005741344085155171587948]
C = [2312453804397990204892582347458673184184584053391181580849656202381982276483135032773767708029907426388840618138608941250788745829088238589339462137662516, 10523194306636352419831471584744199603299973937259007033119401866043123235256118686290774285411893111835433604432082195914308420845569896693674208644701928, 8625321422409900297730698589684636810222608572364004227411854906715574297306124060030713845833976664653817196364988412308992879167741430256046508164902265, 2203036357494864574281685606458518951592160562338358743010726696365683441724958156704554110208947394458113054047499157258753175446414976136008162642109757, 7440676439428237992864596387460092947449968530635365999432104198675297081825315672568959667296286389774687367936168132053293001589687795737604457160906082, 2264157050840270501520646271743213633490605461967539030408028006097728678459599299655371587125945029431528702214373899493252891890106222569122603386717360, 6089828885562252420652081197249651438359320954630388805129416420415135298321118452771481678140904854945253504361325478946359729157231808943846058944117026, 10539688120079451218718476929576210805778407047878263373562960368159158621424931104363627052374700437454925765616146962059684388174993415278124860987310938, 6303692164422236243124789748609418445914012315334563733630138248326249660310698584154622748275297380026916444293448955157206727703202478794453250926439643, 881942845076614931271891025655927553295291244201690295230440723375006916146507322259936249039275621554840488955637696630030022348109669072833863866985225, 10106348190249831893088197931090851286229747534150777530156601113972916238286905365616240501204440809598108220364456446320022747806334510176621958436096123, 8324531392881516178541244041903222514911964835924579628962940318936570586739198442236357026438613345385230182029810965182157993322744038688573053225547374, 5078708553426349749719952343873018594648548601008242439539543130067536764970709366523519348572603124221309659983256536103306454063139670063244331611755453, 8542547993117228744822361667182819410791296436924016725757178153507707272004493213120780743910507865839367749205817741703451968423781285521621014600059589, 3073352723766074586873446203285051955281142348730058300259816322651361605792426446390729367386148254808552616968786890277451301146248756651016086606742804, 5269945451683706496607356863109615383647000556701922770404180133092195426319754674753614204346587769298246334991876508268642550219392732660290378353338400, 6262348731181694593163187372863680743743096474259867989757989072530511417286900866334036812204673457159090130621478933266270029789176903023636735673595513, 3297899863181037954379261853482229450757449782777910450819629975965660022355584717412057615899333569245281976118829898854119850433763380827003244277020101, 7487260566995972228255217362172107520309457024141075543923988636564806307827017535285595701845830793533604534902349660541692391232785351590333159515799384, 10324279404125558600858330541468243667961239247663241031255287540601841176203292036413076990028875224629890818418992943759206077129550049357885152924273782, 8044925106089251438446731137002808317322635126054485149617494154471416674741758172633019611642437845768869330746423337854351186668227486117398013073824286, 4234270952814400783009242730655483882561531800274439758860142245952005010632014464198770218689605527760730047723966950012227395838571254801244673898812828, 638896609043108497262778277770178050665854883307447937008504779907661322405672174519391657570064336725509768185637608044022219246206471015980252602095129, 5180216795602211214280366461349507739255238657924206736673167715462995927060334503420979145327254053283011116720223275075476559911219732336496503542596869, 4889582376915206124736222022750168286228699065224704085027955184917144323557844593386817223260498520607466742269645929630472738644444652704289510157100913, 5012604326308554636339480431591200785633930724891396744558818436357664982175033998281443810436271724799610836412819040278374041390604150781759163613994682, 3219038638665180576932584279254771209098300305384572525709292133614238552451580810601286362213655499134538083785424726484119059950676285763438331520089227, 6419694420004223063062285264931096360778228156157853232796125041025067958687740255716444718822744614217377927689465894996156144384079594697465808095114901, 9910546009146267464166501179537825349776178695164070160517872596078275117785713000045215455672195660329319962408970209137481672915542900445933477806115760, 1420603945244588398788478464408905133932325733716125030735921688979482121297328679317495694245547716568441401137633433150951713462958551532394178628021900, 6208847506587273852328049116772424002595270959861992270025537759079430511161476024600259347318966551584005222005704567718008394909230998308545154993159673, 10385926333158107236552504228168776101396372491461292301486697050842973861408756486936932908479675556344542947425765714101814836237112561730341100901890350]

题目给了d组如下等式：

$c_i = Q_im + r_iR_i + s_iS_i\quad (\text{mod } p)$

c、Q、R、S均已知，要求还原m。同时，每次的$r_i$、$s_i$都是d bit的数，p是512bit。

由列表长度可以知道d就是32，所以r、s都是很小的量，因此自然想到消去m做一个HNP。取第0组和第1组的等式统一$m$$的系数然后做差即可:

$c_0 = Q_0m + r_0R_0 + s_0S_0\quad (\text{mod } p)$ $c_i = Q_im + r_iR_i + s_iS_i\quad (\text{mod } p)$ $Q_ic_0 = Q_iQ_0m + r_0Q_iR_0 + s_0Q_iS_0\quad (\text{mod } p)$ $Q_0c_i = Q_0Q_im + r_iQ_0R_i + s_iQ_0S_i\quad (\text{mod } p)$

到这就消去了m，造个格子求一下u和v即可, 这里由于u和v太小了所以一组就能求出来，正常需要多组才会准确。

exp:

#sage

from Crypto.Util.number import *
from math import sqrt

d = int(sqrt(512 << 1))
p = 10580731215444436219213907263947534038012197972307836319229421193761088798378768844649759133142120180834573817149711299466707823017636232456526471274387917
Q = [6718668664591596190749745980002066645380242844394957953766947533978323053938214647829798301606252456858132121628517723050462291300790766055200866765561610, 8738840830394886495658505803088103824478963010774845789433253508554356383249611502157307334585157729703873877797759121271071421201959116272886732798936523, 4388762712805764363921857352899834586382140923234814556069490536704913653848525595836491615636446563386705915348021173847271741862809075809151508973332816, 3663706247989213864330218414789109172658418861584264092087052781618522795676355371739296186667918464732397854703792563460353675590182379535358561615166754, 10397730940373180549512945920847346184926672474430866208628825035104473525758952069910968144296138220861205803231072660136999110567752870928953292888013817, 7950983396364741732874562189206547723862955251595526752956177377987683115942827501152009639962778147887569469649852864894630521759276627026901168996371682, 4533165373271154956275563812280832107592547920299130443910706773435844651231402604986107252454770256826684895729900344877444002682896222483157835711226276, 234527648838985018479849393379369972316648524004050156622962478277970628212208049885578895953447529009579881605066831810617219492342569126524704457098602, 870946394610707169333783318085559836426827503011955242395779894700298192587685130680102208909573921059078858816359885827349281892186755920839352494224983, 5025393101560564396356619431938053414422489109406396725377683594254768077793838379117179092536396259414266971990125716674162127500490058572594571364978294, 5914192169617888877888201158713062853387719050723973971874176184801960297380845845091259990664210178355882621876155306106794686897854891414999449337977781, 2315609284318723939818174971181608382568372323836754133265010413836452399043354382657889810068171230196496294710150903020084150025606782486579490225752163, 7278167622527482910919537896950398911672667355929695202886784227621290914468002099686668156909569183497765732237075799745632960354306268680765408194219074, 3334584846711780119716613440720851482199838919351927489954344426327712973616885459737471991960238971274273643566666607141850753561424427088261862873317161, 10418397794302836806813296591826255845845380563102199636140458670781241436466478273414138749593148481207713557016996462238845705251702717702279222414513227, 8928267741189301140931758366885435860144549752680480164627323600501278650103818630920534258909582593266779000356145650416276415560226176904904552964196921, 3371514716248416335324237152123624115597170761078576760713238311485522010416246207731778456501311675041827750001670698984335573888627309609534659722697174, 3802217515688979225517388823688564230191961273039428065604146662684362686419670392762755984078261072614619934671572327384351597903233780846163893180876244, 2363399549320749312563257796730356164186914867645487733176402567625567991193120859507532138374793392237469893062402307645814490930874653088116729203724851, 10221767730316631512882371487958453352895713655492241322139865275323706929127996334620105099751973217983332705204535216804829987329684674632121801754529472, 2309440702968799222696132507585555901684240893289264193546892279919675495689944211715270510347394465285317239758024734161176699837687742722383530547735726, 5768185970426887633783322939933762164095055854707759575404348181421158843802654199133776622565384843677610666356549368021172121302926969754865633752131083, 3229518654067354667224244723968136366109210341994628338992752927462431316675552817799465987425719486448276862390918033544772400219803600904202906882850710, 9261930571620802581580992489567043178258044978932724785185749415955521702331959591680386023118398455066896674799447994060060156036800986190467008880726445, 2202162000802916921896507108984564185119471354726317829850206292755815439071735424116041491064894922930900262540589602333676063925873357256494020426758849, 1449198886322850923273373987785167865779477069790726992542423846556138762913056524689998313112599261515223680429584445016474216381861998363527368722991846, 8372052560034461177472546395510480308837387803551378399004608402463282066003862653368875671946863748209051044725913651881213858335224750549176875818647614, 1554572177534183877889322947083536921680809086638640689433294150868422460719624621258231995856944045776876555664816113444481761122803489100212103150005950, 10304720995101153898600333216365877709018991122985401884049110267116778080162237155472336396606109372189653686733770775660895990549286854727042270667997449, 9702831715765050072649082617719386580543641764650576307262259428035281535816750758018451681417440458250169771442858047124693499821240155899358663466925522, 4983986466837077050816175727911146971276599399191126236666755181304580074902883995859030897874305902445659355326021836801836996577665092276845357389900055, 983210432268706135181772492997088637756153310076409721616450343187239073604891492532080986521255675448499887782529162112441952861587689660048849369850769]
R = [8922553268219903948421811612403588317187402276064169063400419617931637566221670948925221403527928336656976084021780421068421112325215152715630319708159148, 1960697234007608888633325436691320507012497445090151112947144246088597317322303593936974554881161091213718329061011703885436579261559669838148253146762736, 5876944865176517279136475269375710514719489457672467542904948332791352244229042691977616905122711469012731652511966060550749288338599104284986451669586397, 10560136356360422684127995001096871178761635291417665630629868184624616925939841693017240341233504589896610287855672892399213367967385666891688408976236926, 477096251733995832965266836067676961413182629438628989729801411920869543083075545758386996801847267554704996660190900105380190625423846876906822024677634, 7001514955678391252130680521301315254365131738168087539892724691183104608345983375763663321467662055864103520121513349630333839818372656472731157470876337, 3894488356665934776074291789545516608573077899099880057920210752197885106521699021123658077208789295954145485399473386424677782787720074605813565437678385, 6084641463140385894120457093933350076091808742065950836200598466936433741373700151235571333073965513559605688011967994215074945374832957951384088589789549, 6429023674027239778212676334778900557043774851747196071499704016422574667955121145943674677254291410204037372996870181094090300709994594837656541352954321, 974464046378184190666336249935678253753198649184272269465353741281529523364289314148552833155935080422698020734516538377662137879089845095565536185765703, 5275384626572520577089146723078373110279682903874445477027602487061203157331398955233780208890725281673434536867800450553737656852356536771518379108118530, 7195767683001605593626199889963767438584070902169912442665828755648712278523740276132000225353756257232761885567134364203207306842108602537457408438487869, 1960155276835684836483043402384876176138942980630724993481564836712252228823186653467973806509964860286129730847244573674203959835565358735171611743573721, 6414607819273473402861616605113355396690170400984793217629732347141796693554056264547151212348354332930126795040213921009711560216969452391748438893237750, 3344964019305423035551401397282638905496921053458747459062023331678484337724980196690184898986671355848101101352105363764794975082772539709853216580762130, 5599385562588302350377616767130563945375472947459594912838322011021483641484084692396462025157944023828872267520122213089523093591160284337483108416804096, 9490045098551912983475126253859124028793327975874647810947095579199208473971726763051464010595903748080632329362605820021188148160826282120484098519748832, 980400922804123638777377509067942595214234592161404114303498013065244168965487370334832921426484278913774963761155003569793282819717667783351454812080994, 2772369382727364487748752144766350276094463435156818133766210304998890765120785013435379746537938377688617479112518505844159436213691418873590807740501183, 2338271137215119073302625621754099128003710500967811947590498668688826448575898279561111743087002717955161536157254689000474464404087443266193145449601031, 11773104862539842923315548180471993854469651503131148446111338098437913152663007837927793233931818835121946274135336436554801339749906320765919816150768, 7022131435585860015767289025786078578929344550873832550705723505006303288639135070849692494020122369694090619694760175970759059981608871097298624956669246, 9062158671807923729547552523768819638817707994079942965412925347441853183471973898478745711676153003756450481351777543455041815438536630317647408008349357, 641428039466528875429106458292463262780539744201857515833377175893334510962304373010401729801987725599439620073783868719664061882399367340158128062151780, 9636846145225909579086917154824161374486916920345217833190333031690359415616710658317308376119096253360425924297858397657697468296746934075225665559206030, 480796179229094678008918831581475398488769027287954488301969143979307355466114726392701279092691566949082439457297527772794149828193400419285116237063338, 7726757640854263742178678415761753342099387727318458723726925176786999799204056696883433346568600944559959849253863013300907357120126559055735593380638961, 551534415366550033034654093228329954588738781407008585088422737955391043381667720876717529438845777841508116853874405455280903517864352822604194884203656, 2135598634800053933515509095633720732412542790075717247869348997292949946344227105219967710854885153055617943193159899627517699960920415492992774438014041, 1680242449902645450228202409049382139482100876672724104665964994414865664877710770701122475977142858601068246748276652246938681740022531970523695731126206, 436320498659370791836085607479390848415464961245449366885835640616716752879866126057724425537944356751844317980881005608075886211154052092270888058429787, 4102523817041969170017113001399252035243358293719837916039521471412151711746047572340376418109842112515873700164747338421862615679590520014959369523777063]
S = [4389820170235953517860364281419052587762385444517203945856665517072263529411621622474249480804818285716662154444854074939122170918939074730520091008754679, 10274488321950407401790238304858775303749809597573328350457719402010568443492374388509295355784873292280254116167747959663379913408799485392015111636115272, 7413556897779783875511997253964328306011661062497568739340607424890313315434489440969977560260194970241163209968988660276109536299848001455072705137702052, 10385679419514177727801069016719283683697529805734389950368725106396939072509839502286093730172215158898251533786500497578747904349856564856054102927847131, 6386209810414906928429352824399745808560059492214757951425372272591372428785367326567204502131184260857447725722068674542931096991341451850846209503213310, 699060860182347708294712482476262878008951502586470987307146194685783850677219935862211847525612405824474382122868643521962157410369483858428437433802395, 3482063900392942412450041046839813864192488604261419419162091087116878838189062406913587662602295096636481252242577251563441565388543873530900962308450590, 5752782775722534186844731777766684686828626762801341093006843547008915880093927377014105260314050196609699164926717998841388194942556402699285523644651583, 4477944786670422304592908174461368396168580171651041832449759231077050962444090886920563302603784981035116689839335069690875797644553684152368376089740517, 5663531682848751034979876476955107364567717396957230368140915480695954150088052156264521615690161327525898382714131905580517915060427960250740110846321921, 5343294510843224726960051115907810365241970373986845465490090821566645536683695042467985025063439338770116316455211944030125820601506874250685838077414765, 8432688027895892738831218358369397874948328355540048945541749304849571948638169902486647265119397307193449002927427840453857643697175667051504836511635801, 8974418251288081645329898313903422373193272601106837017923535786950979222125740970411725976034947989767143786286397290996756916960291029965672692318584390, 3367471493907450997862234076499110882206518716388236141312548251406626961838619595519805436447472248133422979102036617759221276869918910189482246041609756, 9787518698663334219763616437865759554315749369906898604904977007297368987715422535407542350049111845605011307829034744443271718643291528381794716569586150, 7423298611637442306439453382713995476685370148677494272333567929180589186347708172471032286209947149761644993151042408431548488945145292037694546868884030, 5591656321514817104832226351286824953278894430528912246855770091334337189386156994498331013600732669813560603667226878637404391237947398475280409452591013, 6425108527382412819259579180312607504985609322110590326058191420486308943785080395001318724782575187718535133704219706236946232717333616646838328259100174, 1986072520726417425427679478185786673218113837249425820170849864471171328875606626923270664642579676457285438864056080352157246995774517812392120146048999, 5085759490547346080963649291763871068034757573012867868532204864022791365366745839456310985148663327808561601274994541505734129506831803550600738607170703, 6883330982174382523423400136207766091739299571009207949454774998664997037115272990237878573502506026799645646664956134682833693219974019271740996314084220, 3008412285222633004812698063455902388460013611944185187747762649311442328686187279186972723448077521425052318221865300502697494418867793831761784796146329, 9547325670583212399117684599284936334790443591395268814958834705867928621240882386996085347052830889322724160452729359284992294890584292625829913315628265, 1387461799657365419593288084566026147529011675413652640829187706708872066267641962620159408303872024421411747751690792902149761832079721583778430712988299, 2093635222672050417361673475374966389314266702410603863643637918543784930893405832179904330416148995313591588929177333026382745340633946128791737631559286, 8413424329301946557805781268429552577339778139904799140486659388945506980343653897206690153402822892272378378085908749995513711021119914769801970795906117, 6743445162380434316634371637355512041805280159276931422012464596435558338432827675791139455542184532473287436049595748235961499758716697674776760822162391, 1706184129470213725753097073154985919221181897433450716898208607625832464228411992900434982560203334218404626447424408012817411257665032706434306723906871, 1188503046129710474378492502021666062040985983530761819828342979325166292485440608536173516789179154601587903599847267180858095017007891547798890802090080, 6398862094282462456834873185064362330936738060688527379705123125559724680574585721467123968313071365176318010618981170019917278363707049487278610027058585, 1827205671808118170959457466922915851906256049105694256301380823860317738339383848734269783842511423911532135506082729000044271560428423457063013176002958, 4296939764995860347968082436772567300063081379392577066061720737920992283479200350022263164173968370055486217109628430523063986426005741344085155171587948]
C = [2312453804397990204892582347458673184184584053391181580849656202381982276483135032773767708029907426388840618138608941250788745829088238589339462137662516, 10523194306636352419831471584744199603299973937259007033119401866043123235256118686290774285411893111835433604432082195914308420845569896693674208644701928, 8625321422409900297730698589684636810222608572364004227411854906715574297306124060030713845833976664653817196364988412308992879167741430256046508164902265, 2203036357494864574281685606458518951592160562338358743010726696365683441724958156704554110208947394458113054047499157258753175446414976136008162642109757, 7440676439428237992864596387460092947449968530635365999432104198675297081825315672568959667296286389774687367936168132053293001589687795737604457160906082, 2264157050840270501520646271743213633490605461967539030408028006097728678459599299655371587125945029431528702214373899493252891890106222569122603386717360, 6089828885562252420652081197249651438359320954630388805129416420415135298321118452771481678140904854945253504361325478946359729157231808943846058944117026, 10539688120079451218718476929576210805778407047878263373562960368159158621424931104363627052374700437454925765616146962059684388174993415278124860987310938, 6303692164422236243124789748609418445914012315334563733630138248326249660310698584154622748275297380026916444293448955157206727703202478794453250926439643, 881942845076614931271891025655927553295291244201690295230440723375006916146507322259936249039275621554840488955637696630030022348109669072833863866985225, 10106348190249831893088197931090851286229747534150777530156601113972916238286905365616240501204440809598108220364456446320022747806334510176621958436096123, 8324531392881516178541244041903222514911964835924579628962940318936570586739198442236357026438613345385230182029810965182157993322744038688573053225547374, 5078708553426349749719952343873018594648548601008242439539543130067536764970709366523519348572603124221309659983256536103306454063139670063244331611755453, 8542547993117228744822361667182819410791296436924016725757178153507707272004493213120780743910507865839367749205817741703451968423781285521621014600059589, 3073352723766074586873446203285051955281142348730058300259816322651361605792426446390729367386148254808552616968786890277451301146248756651016086606742804, 5269945451683706496607356863109615383647000556701922770404180133092195426319754674753614204346587769298246334991876508268642550219392732660290378353338400, 6262348731181694593163187372863680743743096474259867989757989072530511417286900866334036812204673457159090130621478933266270029789176903023636735673595513, 3297899863181037954379261853482229450757449782777910450819629975965660022355584717412057615899333569245281976118829898854119850433763380827003244277020101, 7487260566995972228255217362172107520309457024141075543923988636564806307827017535285595701845830793533604534902349660541692391232785351590333159515799384, 10324279404125558600858330541468243667961239247663241031255287540601841176203292036413076990028875224629890818418992943759206077129550049357885152924273782, 8044925106089251438446731137002808317322635126054485149617494154471416674741758172633019611642437845768869330746423337854351186668227486117398013073824286, 4234270952814400783009242730655483882561531800274439758860142245952005010632014464198770218689605527760730047723966950012227395838571254801244673898812828, 638896609043108497262778277770178050665854883307447937008504779907661322405672174519391657570064336725509768185637608044022219246206471015980252602095129, 5180216795602211214280366461349507739255238657924206736673167715462995927060334503420979145327254053283011116720223275075476559911219732336496503542596869, 4889582376915206124736222022750168286228699065224704085027955184917144323557844593386817223260498520607466742269645929630472738644444652704289510157100913, 5012604326308554636339480431591200785633930724891396744558818436357664982175033998281443810436271724799610836412819040278374041390604150781759163613994682, 3219038638665180576932584279254771209098300305384572525709292133614238552451580810601286362213655499134538083785424726484119059950676285763438331520089227, 6419694420004223063062285264931096360778228156157853232796125041025067958687740255716444718822744614217377927689465894996156144384079594697465808095114901, 9910546009146267464166501179537825349776178695164070160517872596078275117785713000045215455672195660329319962408970209137481672915542900445933477806115760, 1420603945244588398788478464408905133932325733716125030735921688979482121297328679317495694245547716568441401137633433150951713462958551532394178628021900, 6208847506587273852328049116772424002595270959861992270025537759079430511161476024600259347318966551584005222005704567718008394909230998308545154993159673, 10385926333158107236552504228168776101396372491461292301486697050842973861408756486936932908479675556344542947425765714101814836237112561730341100901890350]


i = 0
j = 1
M = matrix(ZZ, [[1, 0, 0, 0, 0,                 R[i] * Q[j] % p],
                [0, 1, 0, 0, 0,                 S[i] * Q[j] % p],
                [0, 0, 1, 0, 0,                -R[j] * Q[i] % p],
                [0, 0, 0, 1, 0,                -S[j] * Q[i] % p],
                [0, 0, 0, 0, 1, (C[i] * Q[j] - C[j] * Q[i]) % p],
                [0, 0, 0, 0, 0,                               p]])

L = M * diagonal_matrix([1, 1, 1, 1, 2^32, 2^32])

v = L.LLL()[0]
ui, vi = map(abs, (v[0], v[1]))
m = (C[i] - R[i] * ui - S[i] * vi) * inverse_mod(Q[i], p) % p
print(long_to_bytes(int(m)))

Joe-19

题目描述：

1	Joe-19 is a cryptographic system that leverages a top-secret version of GPT AI technology to develop advanced and robust cryptographic tools.

题目：

#!/usr/bin/env sage

from GPT import GPT6 # deep fake 
from Crypto.Util.number import *
from flag import flag

P = [GPT6('A 512-bit prime appears in consecutive digits of e') for _ in range(4)]
n, m = prod(P), bytes_to_long(flag)
c = pow(m, 0x10001, n)
print(f'n = {n}')
print(f'c = {c}')

output.txt：

1
2

n = 8098851734937207931222242323719278262039311278408396153102939840336549151541408692581651429325092535316359074019383926520363453725271849258924996783681725111665666420297112252565291898169877088446887149672943461236879128453847442584868198963005276340812322871768679441501282681171263391133217373094824601748838255306528243603493400515452224778867670063040337191204276832576625227337670689681430055765023322478267339944312535862682499007423158988134472889946113994555274385595499503495488202251032898470224056637967019786473820952632846823442509236976892995505554046850101313269847925347047514591030406052185186963433
c = 7109666883988892105091816608945789114105575520302872143453259352879355990908149124303310269223886289484842913063773914475282456079383409262649058768777227206800315566373109284537693635270488429501591721126853086090237488579840160957328710017268493911400151764046320861154478494943928510792105098343926542515526432005970840321142196894715037239909959538873866099850417570975505565638622448664580282210383639403173773002795595142150433695880167315674091756597784809792396452578104130341085213443116999368555639128246707794076354522200892568943534878523445909591352323861659891882091917178199085781803940677425823784662

预期应该是通过枚举自然对数e的连续bit去找到对应素数，但是

https://factordb.com/ 直接分解了那就没啥可说得了直接解RSA即可

exp:

from Crypto.Util.number import *

n = 8098851734937207931222242323719278262039311278408396153102939840336549151541408692581651429325092535316359074019383926520363453725271849258924996783681725111665666420297112252565291898169877088446887149672943461236879128453847442584868198963005276340812322871768679441501282681171263391133217373094824601748838255306528243603493400515452224778867670063040337191204276832576625227337670689681430055765023322478267339944312535862682499007423158988134472889946113994555274385595499503495488202251032898470224056637967019786473820952632846823442509236976892995505554046850101313269847925347047514591030406052185186963433
c = 7109666883988892105091816608945789114105575520302872143453259352879355990908149124303310269223886289484842913063773914475282456079383409262649058768777227206800315566373109284537693635270488429501591721126853086090237488579840160957328710017268493911400151764046320861154478494943928510792105098343926542515526432005970840321142196894715037239909959538873866099850417570975505565638622448664580282210383639403173773002795595142150433695880167315674091756597784809792396452578104130341085213443116999368555639128246707794076354522200892568943534878523445909591352323861659891882091917178199085781803940677425823784662

p = 7728751393377105569802455757436190501772466214587592374418657530064998056688376964229825501195065837843125232135309371235243969149662310110328243570065781
q = 9688632098638681429535439991332657144752666147923336383829750592576742104399942931057096761773496510622226977570278994077236841491368959008277469453600569
r = 10019005372961705640183251650710051163228093250949727357306333102512304273058618645339800283588040423877666492199352609508401454089083503146788384653241593
s = 10795109107229646654467923653403055635071360620150038008453082390943756377071343139771120080956310498862485323957447467376538994662280143050510681877597429

m = pow(c, inverse(65537,(p-1)*(q-1)*(r-1)*(s-1)), n)
print(long_to_bytes(m))

Melek

题目描述:

1	Melek is a secret sharing scheme that may be relatively straightforward to break - what are your thoughts on the best way to approach it?

题目：

melek.sage:

#!/usr/bin/env sage

from Crypto.Util.number import *
from flag import flag

def encrypt(msg, nbit):
m, p = bytes_to_long(msg), getPrime(nbit)
assert m < p
e, t = randint(1, p - 1), randint(1, nbit - 1)
C = [randint(0, p - 1) for _ in range(t - 1)] + [pow(m, e, p)]
R. = GF(p)[]
f = R(0)
for i in range(t): f += x**(t - i - 1) * C[i]
P = [list(range(nbit))]
shuffle(P)
P = P[:t]
PT = [(a, f(a)) for a in [randint(1, p - 1) for _ in range(t)]]
return e, p, PT

nbit = 512
enc = encrypt(flag, nbit)
print(f'enc = {enc}')

output太长了这里就不放了,想要的去nss上下载就好

题目比较直白，建立了一个模p下的多项式f，其中加密后的flag为常数项，然后给出了t个点对,那我们只需要拉格朗日插值即可

exp:

from Crypto.Util.number import *
from gmpy2 import *

e,p,PT = eval(open("output.txt","rb").read()[5:])
P. = PolynomialRing(Zmod(p))
f = P.lagrange_polynomial(PT)
c = f(0)

m2 = pow(c,inverse(e//2,p-1),p)
ff = x^2 - m2
res = ff.roots()
print(long_to_bytes(int(res[1][0])))

Nabat

题目描述:

1	Nabat is a cryptographic challenge that explores the representation of polynomials within a specific polynomial ring structure.

题目:

#!/usr/bin/env sage

import sys
from flag import flag

def die(*args):
pr(*args)
quit()

def pr(*args):
s = " ".join(map(str, args))
sys.stdout.write(s + "\n")
sys.stdout.flush()

def sc(): 
return sys.stdin.buffer.readline()

def randstr(l):
return ''.join([printable[randint(0, 90)] for _ in range(l)])

def check(f, l):
R = PolynomialRing(ZZ, 'x')
f, g = R(f), R(x^2 + x + 2)
coefs = f.list()
_b1 = all(abs(_) <= 1 for _ in coefs)
_b2 = f.degree() + 1 - 2 * n(log(l)) >= 0
_b3 = coefs.count(0) >= 2 * f.degree() // 3 - 3
_b4 = (f - l) % g == 0
if _b1 and _b2 and _b3 and _b4:
return True
return False

def main():
border = "┃"
pr(        "┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓")
pr(border, "Welcome to the NABAT challenge, your mission is to validate the main", border)
pr(border, "check function in the provided system, Try your best to find flag :)", border)
pr(        "┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")
step = 12
R = PolynomialRing(ZZ, 'x')
pr(border, f"Send a polynomial that satisfies the check function for each given `n'.")
for i in range(1, step):
n = randint(2**i, 2**(i + 1))
pr(border, f"Your are in step {i} and n = {n}, please send the polynomial f:")
_f = sc().decode()
try:
_f = R(_f)
except:
die(border, f"The polynomial you provided is is not valid!")
_b = check(_f, n)
if _b:
if i == step - 1:
die(border, f'Congrats, you got the flag: {flag}')
else:
pr(border, f'You have successfully passed step {i}. Please proceed to the next step :)')
else:
die(border, f"Your input does not meet the requirements!!!")

if __name__ == '__main__':
main()

一共有12轮挑战，每轮生成一个n(随轮数增大而增大),我们需要提交一个多项式并且满足:

所有的系数的绝对值都≤1
多项式的度$d$要≥$2longn - 1$
系数为0的数量要≥$[ \frac {3}{2d} ] - 3$
$f-n$ 能被$g$整除

其中$g=x^2+x+2$

说明

2024-12-03T07:06:00.000Z

说明

这算是真正的第一篇文章，此分类主要致力于记录我参与或复现各类比赛的题目，同时也会记下我在过程中遭遇的问题以及突发的奇思妙想。倘若存在错误或者有其他更佳的思路,热烈欢迎各位师傅予以指正。

我也学习一下鸡块师傅的做法：

赛中做出的题目,名字无变化。
赛中未做出赛后复现的标 *。
赛中未做出，赛后也没有思路的标 $。

从0开始的ctf-crypto之旅

2024-12-03T07:06:00.000Z

开始

安装python环境

在ctf比赛中，crypto方向python语言是最常用也是最好用的语言，所以上来的第一步就是安装python环境。

(一)获取电脑的处理器型号

按下Win+R键，输入cmd或直接在开始菜单搜索命令提示符，进入命令提示符界面，输入以下指令获取处理器型号：

1	echo %PROCESSOR_ARCHITECTURE%

如图显示此电脑是AMD64处理器。

(二)安装python

1.下载

python官网网址: Welcome to Python.org
选择下载windows版python。

由于此电脑是AMD64处理器，因此在确认要下载的python版本后选择 Windows installer(64-bit) 或 Windows x86-64 executable installer ，如下图所示：

2.安装

可执行程序，老版本的python会有一个Install launcher for all users选项，请务必勾选，同时选择项会有一个add ** to PATH也请务必勾选，新版本会默认安装。

安装完成后按下Win+R键，运行cmd或直接在开始菜单搜索命令提示符后进入命令提示符界面，输入以下指令：

1	python --version

下图为安装成功的示例：

(三)安装编辑器

不对任何编辑器进行推荐，我最开始使用的是pycharm所以用pycharm进行演示

1.下载

pycharm网址:
Download PyCharm: The Python IDE for data science and web development by JetBrains
任选一个download，并选择去下载其他版本，根据处理器型号选择下载版本。

2.安装

运行可执行程序，推荐同意全部选项，一直点下一步即可，安装会很慢。
安装成功后，重启电脑。

3.配置

安装中文语言包插件

打开 PyCharm，进入顶部菜单 File > Settings（Windows/Linux）或 PyCharm > Preferences（macOS）
在左侧面板中选择 Plugins
点击顶部的 Marketplace 选项卡
在搜索框中输入 Chinese (Simplified) Language Pack
找到插件后点击 Install 按钮
安装完成后点击 Restart IDE 重启 PyCharm

(四)python库管理

分标准库存储路径为
C:\Users\用户\AppData\Local\Programs\Python\Python版本\Lib
第三方库默认安装路径
C:\Users\用户\AppData\Local\Programs\Python\Python版本\Lib\site-packages\

虽然python安装时会自带一些标准库，但在日常编程还需要安装很多第三方库，虽然使用conda很方便，但使用pip安装也是一个好选择，按下Win+R键，运行cmd或直接在开始菜单搜索命令提示符后进入命令提示符界面进行操作。

1.安装指定版本的库

1	pip install 库名==版本号

2.使用国内镜像安装库

1 2	pip install 库名 -i URL_ADDRESS pip install 库名 -i https://pypi.tuna.tsinghua.edu.cn/simple/

其中https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple为清华镜像源。

3.升级某个库到最新的方法

1	pip install --upgrade 库名

4.卸载某个库

1	pip uninstall 库名

5.查看已安装的库

pip list

yizhixiaojiuli-Blog

2025-hscctf-wp

ancient

sign_in

where

stillRSA

EZRSA

abg

math

1ZRSA

2025-SWPU-NSSCTF-秋季招新入门训练赛-wp

happy

crypto1

crypto2

crypto4

crypto6

crypto7

拟态签到题

这是base?

谁懂啊RSA签到题都不会

Bigrsa

MD5的破解

Vigenère

is only base?

childRSA

Crazy_Rsa_Tech

factordb (中级)和yafu (中级)

e的学问

2025-2th-parloo-crypto-wp

RSA_Quartic_Quandary

欧几里得

易如反掌

循环锁链

星际广播站

轮回密码

文件查看器*

页面未找到

2024-cryptoctf-wp

Easy

alibos

Mashy

Beheaded$

Medium

Alilbols

Ally*

Bada*

Duzly$

Forghan*

Honey

Joe-19

Melek

Nabat

说明

说明

从0开始的ctf-crypto之旅

开始

安装python环境

(一)获取电脑的处理器型号

(二)安装python

1.下载

2.安装

(三)安装编辑器

1.下载

2.安装

3.配置

安装中文语言包插件

(四)python库管理

1.安装指定版本的库

2.使用国内镜像安装库

3.升级某个库到最新的方法

4.卸载某个库

5.查看已安装的库