1.ez_caesar
Title
from secret import flag
import random
assert flag.startswith('s3c{')
N = 128
key = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_# & amp;'
def encrypt(m, a, b):
c = ''
kt = random.getrandbits(len(m))
for mt in m:
tmp = key.find(mt)
k = kt
for _ in range(len(m)):
tmp = tmp * a if k % 2 == 0 else tmp + b
k = k // 2
c + = key[tmp % len(key)]
return c
print(encrypt(m, random.getrandbits(N), random.getrandbits(N)))
#VUah8w0ymUV8#0oV0V802djJ#Jsj2dN0#2Nuc2D
exp
The problem of solving the ciphertext is known, and the plaintext has been given “s3c{“. We can use plain text to blast out the random numbers in the question.
Then write the anti-decryption
The concept of modular arithmetic is used here. tmp needs to be multiplied by a and then modulo the inverse element under len (key).
(a * x) % m = b
x = (a_inv * b) % m
(Practical application of multiplicative inverse)
from Crypto.Util.number import *
from gmpy2 import *
N = 128
key = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890{}_# & amp;'
m1='VUah8w0ymUV8#0oV0V802djJ#Jsj2dN0#2Nuc2D'
def encrypt(m, a, b,kt):
c = ''
for mt in m:
tmp = key.find(mt)
k = kt
for _ in range(39):
tmp = tmp * a if k % 2 == 0 else tmp + b
k = k // 2
c + = key[tmp % len(key)]
return c
a1=[]
b1=[]
k1=[]
for a in range(100):
for b in range(100):
for kt in range(100):
if encrypt('s3c',a,b,kt)=='VUa':
a1.append(a)
b1.append(b)
k1.append(kt)
def decrypt(c, a, b,kt):
m = ''
for ct in c:
tmp = key.find(ct)
k = kt
for _ in range(39):
tmp = tmp * invert(a,len(key)) if k % 2 == 0 else tmp - b
k = k // 2
m + = key[tmp % len(key)]
return m
try:
for i in range(len(a1)):
print(decrypt(m1,a1[i],b1[i],k1[i]))
except:pass
2.treasure_rsa
Title
import gmpy2
import hashlib
from Crypto.Util.number import getPrime, isPrime
from secret import flag, E1, E2
def next_prime(num: int) -> int:
num = num + 2 if num % 2 else num + 1
while not isPrime(num):
num + = 2
return num
p = getPrime(1024)
q = next_prime(getPrime(16) * p + 38219)
n=p*q
c = pow(E1, 65537, n)
print(f'n = {n}')
print(f'c = {c}')
# n = 160524760072475259879825463922421570617150635965496135732442802798578794200810376656274546483896156908144691611376951771 33444201135842542590001725728111542321073394809036722519921919974584699050644236188883360886523525408825768269883557831592379 71043770132628344798937353150930071309347972804118952814447576207066147031238749098842662046825743988208813903138796789940911 51582551707855407449647481912878983530963680432513260255709284774645478638706759951076938207852169160997032052853127047409171 34770403438972699034894414100625927323024028540354154380786566888069053504958253345845333454480913355657920918901856731904240 63
# c = 751639057610677013264061431434189083017589908118307247217007533938435229431015858783222167911772848893015518607229280589 98571101076645939698923207251231459491702937522133536120903611274238886687382416335088661051497303831651203245935205315841770 54060314663324403788719271747319757945798949129999366411630638983651347885373891623781854480902793977178319778032844807436123 93591614284972981435749362255654561121758163485884075260156288337176713756471879489767416836868661153693157792733142765671887 79230318137662086450638682082686634090759308065452149876642105647465265233703712188120718803310874689099820858240682601012186 1
assert E2.bit_length() == 69
ns = [getPrime(1024) * getPrime(1024) for _ in range(3)]
cs = [pow(E2, 89, n) for n in ns]
print(f'ns = {ns}')
print(f'cs = {cs}')
# ns = [15863230586500684911356384742123404120213699052018048588650392009927565369685497256344682150189923131009586323640507773 70699770486089868294630803102036130233424889523325591134836517915379919734174486313492680460397350741569781044091630509239518 03822397295508336078475240053911374744978490770975744521153793684635400871728009022108221436870148136313663606525832162691381 16785489485772437870528892032119729929607857459621078790511144060710035933887337208301078892163837203412081114510143406013892 393607932596921308889058909544584619676380766485493114814753878272881866907210235681877689493671668534251778397658670518117, 14144098469438619358682652828507744381697293556670717685553585719665002440476256008471235313826051740009083510860714991201047 91573721610222024262167484160098712200591454206196361827227598683592867392037576827239091277874150265590928139094860646784711 83776413575479314725888367263397585760382738204708796375554584462434012481516752666026566773608195637447655224956408214966949 18515669243614141704744848980746101569785439728585144841655665959389460512628800782742764147773150430552859331269667626942993 392101897661719871375721143240270211821269260950380944670195863016621594387236339317938305273510719419578308449465183,
275638228795935039383778219604272190225652156318563335107825684960165477579454647946322728181018916777052564717148052176065 03652132995136255720639088424576003650628211271025648183600635145895528466199068640094470078526413324708028578289949241288828 54214320376919939950066931187839125583797793263477277859452694050123473605944148389701701532476526678739995069973251834751859 11679320310313202651361583044601996540088950952747549181537735668249314403425256887412892351538826994615495234251698462665971 56773535163599640189457171272058311480951820887261040891344076039474315985825984444520336790670313179493074014037981261]
# cs = [38330956078308629480790973232548727895865769533176710997520832619496166087592312910505665427649849747227902261203997229 37104503590740358249900089784508490830379531632752169777949200718567033018577184658177019404903817920024468923715441355404672 44300772352575076843089542537612467922571568738238011462810305831217634369390011563826500265762261874466624713211465413542904 00693163688399388817165549015930319012729929402004844604361936991755003763684567069985640646938200087789003443577456916528755 1 50242012117721115609163425825963497770902389427879275569447375616308443112377410151286631698991792205202316840116721228421990 72725281170246704436989902382430302211170043724564755215023504041374690885701708854092655670843760692569241352702833352421331 63303599239181417949980292944203204296598188175632723968779672994090788585343302473442389865459398142634104331743517384589200 78933148939437560480195199483164733983911269839414132817896751663645259238524813534013371252213571594378759017233474389325962 89922040 63713908492214256291861339175525948946919629972908439132005643626148678347198381531633907182877152728077958345519083406637446 97207938716172696729588644779161316657739123386658335479384212190223464483064005018113038199608308935091122403715479825929112 41048945540376045008812501198063713486738331051036007822868982763545738847882515422114341434767743914575878857723799901048351 87104619922442613860682792470389490804228050671124495925536024571104944112397143299499508504917890140939438891891453283594000 764399193028606955089853654071198909973555844004685149713774167524224100487937899126480545681565581673958854]
M=E1 + E2
M=str(M)
flag='s3c{' + hashlib.md5(M.encode()).hexdigest() + '}'
print(flag)
exp
The first step is to have an encrypted compressed package and a document. Find the m in the document to find the password. You can use tools, but I recommend practicing your coding skills.
import gmpy2
c=32949
n=64741
e=42667
p=None
for i in range(2,n):
if n % i == 0:
p = i
break
q = n // p
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=c**d%n
print(m)
#18429
This rsa has two sections of encryption. We need to find out E1 and E2, and then convert it through md5 to get the final flag.
Let’s look at E1 first.
It can be seen from q = next_prime(getPrime(16) * p + 38219) that q is the next prime number of p*getPrime(16) + 38219, so getPrime(16) is smaller, so we can traverse out in its value range Match the value of the question to solve q.
for i in range(2 ** 15, 2 ** 16):
if isPrime(i):
q = next_prime(i * iroot(n // i, 2)[0] + 38219)
if n % q == 0:
print(q)
break
p = n // q
phi = (p - 1) * (q - 1)
d = invert(e, phi)
E1 = pow(c, d, n)
print(E1)
#377312346502536339265
Fermat decomposition script
def factor(n):
a = gmpy2.iroot(n, 2)[0]
while 1:
B2 = pow(a, 2) - n
if gmpy2.is_square(B2):
b = gmpy2.iroot(B2, 2)[0]
p = a + b
q=a-b
return p, q
a + = 1 # Don’t forget that the self-increasing step size of a is 1
Then there’s E2.
Let’s briefly deal with the Chinese Remainder Theorem, and then just raise e to the power.
def chinese_remainder(modulus, remainders):
Sum = 0
prod = reduce(lambda a, b: a*b, modulus)
for m_i, r_i in zip(modulus, remainders):
p = prod // m_i
Sum + = r_i * (inverse(p,m_i)*p)
return Sum % prod
e=89
m_e = chinese_remainder(ns,cs)
E2 = gmpy2.iroot(m_e,e)[0]
print(E2)
#561236991551738188085
#modulus is m1..mk, remainders is the remainder a1…ak, prod is M, p is Mi, and inverse(p,m_i) is the inverse element of Mi.
M=E1 + E2
M=str(M)
flag='s3c{' + hashlib.md5(M.encode()).hexdigest() + '}'
print(flag)
3.Fibo_and_AES
Title
import os
import libnum
from secret import flag
import base64
from Crypto.Cipher import AES
from Crypto.Util.number import *
def Fib(n):
assert n >= 0
if n < 2:
return n
return Fib(n-1) + Fib(n-2)
\t
s = Fib(9999)
m = libnum.s2n(key + os.urandom((len(bin(s))-2)//8-len(key)))
c = m^s
print(c)
def add_to_16(value):
while len(value) % 16 != 0:
value + = '\0'
return str.encode(value)
def encrypt_oracle():
key = bytes_to_long(key)
text = flag
aes = AES.new(add_to_16(key), AES.MODE_ECB)
encrypt_aes = aes.encrypt(add_to_16(text))
encrypted_text = str(base64.encodebytes(encrypt_aes), encoding='utf-8')
print(encrypted_text)
if __name__ == '__main__':
encrypt_oracle()
exp
The Fibonacci sequence in the question cannot be run. According to the hints I gave, reduce the complexity. Rewrite the recursion.
def fibo(n):
a,b=1,0
c=1
while c<=n:
a,b=b,a + b
c + =1
return b
s = fibo(9999)
Then it’s over, just explain it according to the steps later.
First perform the XOR operation. Since c=m^s, then m=c^s. Turn the string and get half of the flag, which is the key.
key=’s3c{W0W_Y0u_g’
long_to_bytes(key)=9127142690756856755103370403687
#AES decryption
import base64
from Crypto.Cipher import AES
# If str is not a multiple of 16, add it to a multiple of 16
def add_to_16(value):
while len(value) % 16 != 0:
value + = '\0'
return str.encode(value) # Return bytes
#Decryption method
def decrypt_oralce():
# Secret key
key = '9127142690756856755103370403687'
# ciphertext
text = 'I5f0an9gqqASm + BmMbgPF9EJPMRqasavy29Yo8ZtZm8RWqlvbNP7r0kfVZD8d7P3'
# Initialize the encryptor
aes = AES.new(add_to_16(key), AES.MODE_ECB)
#Prioritize reverse decryption of base64 into bytes
base64_decrypted = base64.decodebytes(text.encode(encoding='utf-8'))
#Execute decryption and transcoding to return str
decrypted_text = str(aes.decrypt(base64_decrypted),encoding='utf-8').replace('\0','')
print(decrypted_text)
if __name__ == '__main__':
decrypt_oralce()
#s3c{W0W_Y0u_g0T_NEw_Kn0wl3dge_FibO_AN13_AES}
4.rick_and_morty
Title
from secret import flag
from Crypto.Util.number import *
rick = getPrime(8)
morty = getPrime(8)
assert flag.startswith('s3c{')
c = []
for f in flag:
c.append((rick*f + morty) % 193)
print(bytes(c))
#\x16\x0ct\xa8Z\x9bss\xb0 + '\x96\x92\x92\xb0 + Q\x9b\x92 + V\x96\x92HHHl
exp
import gmpy2
f1=ord('\x16')
f2=ord('\x0c')
f3=ord('t')
m1=ord('s')
m2=ord('3')
m3=ord('c')
a=(f3-f1)*gmpy2.invert(m3-m1,193) 3
print(a)#a=163
b=(f1-a*m1) 3
print(b)#b=191
c="\x16\x0ct\xa8Z\x9bss\xb0 + '\x96\x92\x92\xb0 + Q\x9b\x92 + V\x96\x92HHHl"
flag=''
for cc in c:
m=(ord(cc)-b)*gmpy2.invert(a,193) 3
flag + =chr(m)
print(flag)
#\x16\x0ct\xa8Z\x9bss\xb0 + '\x96\x92\x92\xb0 + Q\x9b\x92 + V\x96\x92HHHl
#s3c{Wu66a_lUbba_Dub_dUb111}
5.Fun_math
Title
from Crypto.Util.number import *
secretnumber = bytes_to_long(secretnumber)
length = secretnumber.bit_length()
a = getPrime(length)
b = getPrime(length)
n = getPrime(length)
seed=secretnumber
output = []
for i in range(10):
seed = (a*seed + b)%n
output.append(seed)
p = a
q = b
n1 = p*q
e = seed
m = bytes_to_long(flag)
c = pow(m,e,n1)
\t
print("n = ",n)
print("output = ",output)
print(c)
# n = 42476842493000497434413453902269183788969007711909559
# output = [3068704501756971647183851343094804271828900617738356, 35578740995093017827714296762236666433492960621742375, 20009702595 31937029294463221140263160 564423356378739987650216965, 29604789319108255907122805645645923529709701585180965, 68984234436787692443570590483441539208992 1872857003866173082852248601072975147095054802294983, 3185 5800236307014428827205916712228328224013244365519]
#c=1186321379813266777107467770217004282395076699311344900106612855851793829940825199410747599030994999425445
exp
import gmpy2 from Crypto.Util.number import * n = 42476842493000497434413453902269183788969007711909559 output = [3068704501756971647183851343094804271828900617738356, 35578740995093017827714296762236666433492960621742375, 200097025959 319370292944632211402631605 64423356378739987650216965, 29604789319108255907122805645645923529709701585180965, 689842344367876924435705904834415392089925 1872857003866173082852248601072975147095054802294983, 31855 800236307014428827205916712228328224013244365519] a=(output[2]-output[1])*gmpy2.invert((output[1]-output[0]),n)%n ani=gmpy2.invert(a,n) b=(output[1]-a*output[0])%n seed = (ani*(output[0]-b))%n plaintext=seed print(seed) print(a) print(b) p=39902752694309620260626444285665485942791385645207851 q=33802185036678904443000136493162485297051793733621451 e=1018798858335632016421 c=1186321379813266777107467770217004282395076699311344900106612855851793829940825199410747599030994999425445 n=p*q phi=(p-1)*(q-1) d=gmpy2.invert(e,phi) m=pow(c,d,n) print(long_to_bytes(m))