Bada Points: 90 / Solve: 51 / Difficulty: Medium 🤔 / 题面 Bada The Bada equation contains an undetermined function. By closely examining how this equation behaves, you may be able to discover the concealed flag. / nc 00.cr.yp.toc.tf 17113 Note: There is no file to download in this challenge! / 尝试交互 > nc 00.cr.yp.toc.tf 17113 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓ ┃ Hey! It's time to solve the equation of a function f: N x N -> Z. ┃ ┃ Function f has given certain conditions. In each step, solve the ┃ ┃ equation f(x, y) = z with the given value of z. We know f(a+1, b) = ┃ ┃ f(a, b) + a, and f(a, b+1) = f(a, b) - b, for every `a' and `b'. ┃ ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛ ┃ We know: f(1, 1) = -444045537086 and f(x, y) = 202500187503 ┃ Please send x, y separated by comma: 概述 通过将 $f(x, y) - f(1, 1) = n$ 转换成一个因式分解的问题，然后用这种分解来求解 $x$ 和 $y$ 的值。可以有效利用 $n$ 的因子来找到可能的 $x$ 和 $y$

*S𝑪𝑷-0εε 4 solved / 题面 ANY NON-AUTHORIZED PERSONNEL ACCESSING THIS FILE WILL BE IMMEDIATELY TERMINATED THROUGH BERRYMAN-LANGFORD MEMETIC KILL AGENT. / Download Attachment / 关键词 猜谜 + 未知位数约到Coppersmith界内 / Idea 打开附件中的 PDF / 和题目关联度不是很大的信息：SCP-033 / 发现有四行代码

题面 from Crypto.Util.number import long_to_bytes, bytes_to_long from Crypto.Cipher import AES from Crypto.Util import Counter from hashlib import sha256 import os # from secret import flag flag = b'flag{test}' def padding(msg): return msg + os.urandom(16 - len(msg) % 16) # 随机值填充 msg = b"where is the flag? Key in my Heart/Counter!!!!" key = b"I w0nder how????" assert len(msg) == 46 assert len(key) == 16 enc_key = os.urandom(16) # 随机key initial_value = bytes_to_long(enc_key) # key转为整数 hash = sha256(str(initial_value).encode()).hexdigest() # 字符串(key) 的 sha256 aes = AES.new(enc_key,AES.MODE_ECB) enc_flag = aes.encrypt(padding(flag)) # 16 * 8 = 128, # {'counter_len': 16, 'prefix': b'', 'suffix': b'', 'initial_value': 1, 'little_endian': False} ctr = Counter.new(AES.block_size * 8, initial_value = initial_value) # print(ctr) aes = AES.new(key, counter = ctr, mode = AES.MODE_CTR) # key 已知, 推 counter, CTR mode 不需要 padding enc = aes.encrypt(msg) # msg 已知 # print("enc = {}".format(len(enc))) # 46 print("enc = {}".format(enc[-16:])) # 密文的最后16位, 但并不是最后一个 block print("enc_flag = {}".format(enc_flag)) print("hash = {}".format(hash)) Data enc_last16 = b'\xbe\x9bd\xc6\xd4=\x8c\xe4\x95bi\xbc\xe01\x0e\xb8' enc_flag = b'\xb2\x97\x83\x1dB\x13\x9b\xc2\x97\x9a\xa6+M\x19\xd74\xd2-\xc0\xb6\xba\xe8ZE\x0b:\x14\xed\xec!\xa1\x92\xdfZ\xb0\xbd\xb4M\xb1\x14\xea\xd8\xee\xbf\x83\x16g\xfa' hash = 'efb07225b3f1993113e104757210261083c79de50f577b3f0564368ee7b25eeb' Solution # Reference: # https://wumansgy.github.io/2018/11/03/AES%E7%9A%84CTR%E6%A8%A1%E5%BC%8F%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86%E8%AF%A6%E8%A7%A3/ # https://blog.csdn.net/XiongSiqi_blog/article/details/131931066 from Crypto.Util.number import long_to_bytes, bytes_to_long from Crypto.Cipher import AES from Crypto.Util import Counter from hashlib import sha256 import os # from secret import flag flag = b'flag{test}' def padding(msg): return msg + os.urandom(16 - len(msg) % 16) # 随机值填充 msg = b"where is the flag? Key in my Heart/Counter!!!!" key = b"I w0nder how????" assert len(msg) == 46 assert len(key) == 16 enc_key = os.urandom(16) # 随机key initial_value = bytes_to_long(enc_key) # key转为整数 hash = sha256(str(initial_value).encode()).hexdigest() # 字符串(key) 的 sha256 aes = AES.new(enc_key,AES.MODE_ECB) enc_flag = aes.encrypt(padding(flag)) # 16 * 8 = 128, # {'counter_len': 16, 'prefix': b'', 'suffix': b'', 'initial_value': 1, 'little_endian': False} ctr = Counter.new(AES.block_size * 8, initial_value = initial_value) print(ctr) aes = AES.new(key, counter = ctr, mode = AES.MODE_CTR) # key 已知, 推 counter, CTR mode 不需要 padding enc = aes.encrypt(msg) # msg 已知 # print("enc = {}".format(len(enc))) # 46 print("enc = {}".format(enc[-16:])) # 密文的最后16位, 但并不是最后一个 block print("enc_flag = {}".format(enc_flag)) print("hash = {}".format(hash)) print('题目数据输出结束' + ' *' * 16) # Data enc_last16 = b'\xbe\x9bd\xc6\xd4=\x8c\xe4\x95bi\xbc\xe01\x0e\xb8' enc_flag = b'\xb2\x97\x83\x1dB\x13\x9b\xc2\x97\x9a\xa6+M\x19\xd74\xd2-\xc0\xb6\xba\xe8ZE\x0b:\x14\xed\xec!\xa1\x92\xdfZ\xb0\xbd\xb4M\xb1\x14\xea\xd8\xee\xbf\x83\x16g\xfa' hash = 'efb07225b3f1993113e104757210261083c79de50f577b3f0564368ee7b25eeb' # Solution # a = msg[32:] # 从明文index 32 开始 a = msg[16 * (len(msg) // 16):] # 取最后一个 block b = enc_last16[16 - (len(enc) % 16):] # 从密文index 2 开始 | 选最后一个 block # 加密最后步骤 明文 xor enc_{key}(counter) = 密文 # 解密最后步骤 enc_{key}(counter) xor 密文 = 明文 | enc_{key}(counter) = 密文 xor 明文 enc_Counter1 = bytes(a[i] ^ b[i] for i in range(14)) for i in range(0xff): for j in range(0xff): # ECB mode 要求数据长度与块长对齐, 而加密后的数据的最后 2 bytes 我们并不清楚, 所以我们需要尝试所有的可能 enc_Counter2 = enc_Counter1 + bytes([i]) + bytes([j]) aes = AES.new(key,AES.MODE_ECB) Counter = aes.decrypt(enc_Counter2) # E_{key}(Counter) = Counter_enc | Counter = D_{key}(Counter_enc) initial_value = bytes_to_long(Counter) - (len(msg) // 16) # 经历两个 block, 最后一个 block 的 Counter - block 数 = 初始值 if hash == sha256(str(initial_value).encode()).hexdigest(): # type: str print(f'found {initial_value = }') enc_key = long_to_bytes(initial_value) aes = AES.new(enc_key,AES.MODE_ECB) flag = aes.decrypt(enc_flag) print(flag) break # flag{9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d}

[鹤城杯 2021]BabyRSA 题面 # [鹤城杯 2021]BabyRSA from Crypto.Util.number import getPrime, bytes_to_long # from secret import flag flag = b'flag{test}' p = getPrime(1024) q = getPrime(1024) n = p * q e = 65537 hint1 = p >> 724 # msb 1024 - 724 hint2 = q % (2 ** 265) # lsb 265 ct = pow(bytes_to_long(flag), e, n) print(hint1) print(hint2) print(n) print(ct) # Data hint1 = 1514296530850131082973956029074258536069144071110652176122006763622293335057110441067910479 hint2 = 40812438243894343296354573724131194431453023461572200856406939246297219541329623 n = 21815431662065695412834116602474344081782093119269423403335882867255834302242945742413692949886248581138784199165404321893594820375775454774521554409598568793217997859258282700084148322905405227238617443766062207618899209593375881728671746850745598576485323702483634599597393910908142659231071532803602701147251570567032402848145462183405098097523810358199597631612616833723150146418889589492395974359466777040500971885443881359700735149623177757865032984744576285054725506299888069904106805731600019058631951255795316571242969336763938805465676269140733371287244624066632153110685509892188900004952700111937292221969 ct = 19073695285772829730103928222962723784199491145730661021332365516942301513989932980896145664842527253998170902799883262567366661277268801440634319694884564820420852947935710798269700777126717746701065483129644585829522353341718916661536894041337878440111845645200627940640539279744348235772441988748977191513786620459922039153862250137904894008551515928486867493608757307981955335488977402307933930592035163126858060189156114410872337004784951228340994743202032248681976932591575016798640429231399974090325134545852080425047146251781339862753527319093938929691759486362536986249207187765947926921267520150073408188188 Idea Reference: 鹤城杯2021 Crypto Writes up / 我的推导 [公式]

如果说Crypto需要强逻辑，Reverse需要沉下心，那PWN就可以简单理解为两点都需要 / 环境配置 / Mac: - UTM - roderick师傅的Docker法 Win: Ubuntu WSL/VMware / 上手，不要着急做题，先打基础：从 CS:APP 开始 (中文翻译：深入理解计算机系统 翻译版电子书版本) 计算机N大黑书其一

题目附件 from Crypto.Util.number import * from secret import flag def genKey(nbits): p = getPrime(nbits) q = getPrime(nbits) N = p*p*q d = inverse(N, (p-1)*(q-1)//GCD(p-1, q-1)) return N,d def encrypt(message,N): m = bytes_to_long(flag) c = pow(m, N, N) return c nbits = 1024 m = bytes_to_long(flag) N,d = genKey(nbits) c = encrypt(m,N) print('c =', c) print('N =', N) print('d =', d) """ c = 29897791365314067508830838449733707533227957127276785142837008063510003132596050393885548439564070678838696563164574990811756434599732001622138564176327233154381380717648392357672642893142367607369679906940371540867456654151408884171467638060523066406441697453971996011548195499549200103123841556085936672833238264876038160712793697159776332101536779874757463509294968879216810485825310481778472384531442206034564488532399171243463881900578407746982324779260941957792455217641883334131366614310644607114128868153897806362954456585661855569432513785225453501792356175649676419772626548071916379318631677869452985829916084336045071072493567871623113923140668031380684940109024609167449291380675124701557542736834722898328082888430566229322840781411336263268594978558564310744076581639469210462567543585251718744340216155557606004995449505782302864725856877289388008819135023371948017425832082773421030256964953984562211638060 N = 3231913372897424708803097969843687520868057190788284975066875241636436021279559026753076528399891936983240045179193386905918743759145596242896507856007669217275515235051689758768735530529408948098860529277921046146065473333357110158008648799207873976745048714516868561754202543130629713461365314627535982379718931633528922076268531363809414255082933615667770491818402126891370106045838695484124212397783571579791558324350069782623908757815983802849109451590357380624488436968737140312471089662428308113246310588336044438265822574558816510054763215983649467009345458480077882624118620789015758507736272402998721366662352794082495441303895025585316667229865533166614969641012195668280586477033200418153345241668242651407009849656745509386158276185301334443855737552801531617549980843398648751032649895403939319648954908487619711555700124294191702406981128355348449748466449951568451135718146828444185238617155432417897711198169 d = 220908195398117048628110042133057032501548264225985823161565460390793825899523662424732910718579350524590368287207857059670558852106434615134645183432670023784725430385048028248108677670095524205518013647694485975996499747580966911259433184798952372110628624294686853944766950244209186984164963987120416687012811346656498861438432610431705868541829977481875385468143747334359481673214618931159403123892213161430602430294790913847722073762999311674428134241956293914716183107414340330449465142849402354034926378025006749405210014879947411570380433942279355488861684317611066949685697268714760755591128598654573304969 """ 思路 定义模数 $N$ 和 解密指数 $d$ 之间的关系 [公式] 解密指数 $d$ 的计算公式

安装 Command Line Tools 版本 / xcode-select --install 或者 App Store 安装 Xcode / 显示当前生效的 Xcode 版本 / xcode-select --print-path 切换至 Xcode App Store 版本 / sudo xcode-select -s /Applications/Xcode.app/Contents/Developer 切换至 Command Line Tools 版本 / sudo xcode-select -s /Library/Developer/CommandLineTools

mitmproxy文档 / brew install mitmproxy # baidu_mitm.py # Demo # 导入 mitmproxy 的 http 模块 from mitmproxy import http # 请求处理函数 def request(flow: http.HTTPFlow) -> None: # 检查请求的主机是否为 'baidu.com' if "baidu.com" in flow.request.pretty_host: # 打印请求的 URL print(f"Request URL: {flow.request.url}") # 响应处理函数 def response(flow: http.HTTPFlow) -> None: # 检查请求的主机是否为 'baidu.com' if "baidu.com" in flow.request.pretty_host: # 打印响应的状态码 print(f"Response Status: {flow.response.status_code}") 浏览器配置忽略证书错误并设置代理为 127.0.0.1:8080

VS Code 默认的智能感知配置可能不够理想，无法像 CLion 那样进行变量类型的推导。为了改进这一点，尝试使用 Clangd 扩展来增强 VS Code 中的智能感知功能。既然都配置了 Clangd，那就顺便学一手 CMake 的简单配置，即配置 C++ 编译器，并使用 CMake 来构建项目。

Reference 基础 What is modular arithmetic? (article) | Khan Academy 中国剩余定理 - OI Wiki 视频/会议 论文 1111.4877.pdf 题目 hackergame2019-writeups/official/十次方根 at master · ustclug/hackergame2019-writeups · GitHub Intended Solution to Crypto Problems in NCTF 2019 | Soreat_u’s Blog 进阶 Using the CRT with RSA 代码 Python2 RSA/rth-root extraction at master · mad-jcbx/RSA · GitHub 拓展 Elements of Z/nZ - Finite Rings AMM 算法详解与应用 AMM算法简要理解（Adleman-Mander-Miller Method） 工具 factordb 讨论 Improved nth root for finite fields and integer_mods · Issue #7931 · sagemath/sage · GitHub sage/src/sage/rings/finite_rings/integer_mod.pyx at 3dd953c3aa6b5143071b6c39208199cf128c8080 · sagemath/sage · GitHub 导言 在一般情况的RSA中，求出 $\phi(N)$ 就已经接近解出明文了。这个时候我们往往只需要通过 $ed\equiv1 \pmod {\phi (N)}$ 即可求出私钥 $d$，从而求出明文。但是要直接求逆元 $d$，需要满足 $gcd(e,\phi(N))=1$，也就是 $e$ 和 $\phi(N)$ 互质的情况。如果不满足，则会大大提高难度。