NSSCTF_SWPU freshman competition Crypto_wp (2024)

This is the wp and personal experience of the recurring title. There are many articles and wp that draw lessons from the boss. Here we won't paste links one by one

Crypto 8

Title:

73E-30U1&>V-H965S95]I<U]P;W=E<GT`

UUencode:

Uuencode is the conversion code between binary information and text information

Uuencode the input text in units of every three bytes, and repeat this process. If the last remaining text is less than three bytes, the insufficient part shall be filled with zeros. These three bytes have 24 bits in total and are divided into 4 groups in 6-bit units. Each group is represented in decimal system, and the value will only fall between 0 and 63. Adding 32 to each number produces a result that falls within the range of printable characters (32 white space... 95 bottom line) in the ASCII character set

Crypto 7

Title:

69f7906323b4f7d1e4e972acf4abfbfc, the results obtained were wrapped with NSSCTF {}.

From 0 to 9; a-f is not necessarily composed of hexadecimal conversion

It may also be md5 encrypted ciphertext; md5 encryption can be divided into 16 bit encryption or 32-bit encryption; The ciphertext here is 16 bits (which can be used as a judgment condition)

Crypto 5

Title:

flag= 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333
n= 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419

Try to decompose n, online websites and yafu are not allowed

But c here is very small relative to n;

from c = m e ( m o d n ) c = m^e (mod n) c=me(modn)

There are two situations:

m e > n : m^e > n: me>n:

c + k ∗ n = m e c + k * n = m^e c+k∗n=me

This will explode K; When c+k*n can be divided by e, it is m

m e < n : m^e < n: me<n:

c to the power of e is m

Because here e is also unknown; But the common e is generally 3. Try it instead, or blasting e can also be used

Code implementation:

import gmpy2from Crypto.Util.number import *c = 25166751653530941364839663846806543387720865339263370907985655775152187319464715737116599171477207047430065345882626259880756839094179627032623895330242655333n = 134109481482703713214838023035418052567000870587160796935708584694132507394211363652420160931185332280406437290210512090663977634730864032370977407179731940068634536079284528020739988665713200815021342700369922518406968356455736393738946128013973643235228327971170711979683931964854563904980669850660628561419e = 3 # hypothesisk = 0 #Note that k starts from 0; Because it's also possible that m^e is less than nwhile True: if gmpy2.iroot(c + k * n,e)[1]: m = gmpy2.iroot(c + k * n,e)[0] break else: k += 1flag = long_to_bytes(m)print(flag)# if m**e < n:# print("s")

Crypto 3

Title:

from gmpy2 import *from Crypto.Util.number import *flag = '******************'p = getPrime(512)q = getPrime(512)m1 = bytes_to_long(bytes(flag.encode()))n = p*qflag1 = pow(m1,p,n)flag2 = pow(m1,q,n)print('flag1= '+str(flag1))print('flag2= '+str(flag2))print('n= '+str(n))#flag1= 17893542812755845772427795161304049467610774531005620109503081344099161906017295486868699578946474114607624347167976713200068059018517606363517478396368430072890681401898145302336139240273132723451063402106360810413024642916851746118524166947301681245568333254648265529408446609050354235727237078987509705857#flag2= 95580409405085606847879727622943874726633827220524165744517624606566789614499137069562997931972825651309707390763700301965277040876322904891716953565845966918293178547100704981251056401939781365264616997055296773593435626490578886752446381493929807909671245959154990639046333135728431707979143972145708806954#n= 140457323583824160338989317689698102738341061967768153879646505422358544720607476140977064053629005764551339082120337223672330979298373653766782620973454095507484118565884885623328751648660379894592063436924903894986994746394508539721459355200184089470977772075720319482839923856979166319700474349042326898971

Observation topic

c 1 = m p % n = m p % ( p ∗ q ) c1 = m^p~\%~n = m^p~\%~(p*q) c1=mp%n=mp%(p∗q)​

c 2 = m q % n = m q % ( p ∗ q ) c2 = m^q ~\% ~ n = m^q~\%~(p*q) c2=mq%n=mq%(p∗q)​

So:

c 1 % p = m p ( m o d p ) c1~\%~p = m^p~(mod~p) c1%p=mp(modp)

c 2 % q = m q ( m o d q ) c2~\%~q = m^q~(mod~q) c2%q=mq(modq)

By Fermat's small theorem:

a p − 1 ≡ 1 ( m o d p ) a^{p-1} \equiv 1 ~(mod~p) ap−1≡1(modp)

It can be seen that: p ) p) p)​

Available simultaneously:

c 1 ≡ m ( m o d p ) c1\equiv m~(mod~p) c1≡m(modp)

c 2 ≡ m ( m o d q ) c2\equiv m~(mod~q) c2≡m(modq)

That is:

c 1 = m + k 1 ∗ p c1 = m+k_1*p c1=m+k1​∗p

c 2 = m + k 2 ∗ q c2 = m+k_2*q c2=m+k2​∗q

therefore

c 1 ∗ c 2 = m 2 + m ∗ ( k 1 ∗ p + k 2 ∗ q ) + k 1 ∗ k 2 ∗ p ∗ q c1*c2 = m^2+m*(k_1*p+k_2*q)+k_1*k_2*p*q c1∗c2=m2+m∗(k1​∗p+k2​∗q)+k1​∗k2​∗p∗q

m ∗ ( c 1 + c 2 ) = 2 m 2 + m ∗ ( k 1 ∗ p + k 2 ∗ p ) m*(c1+c2) = 2m^2+m*(k_1*p+k_2*p) m∗(c1+c2)=2m2+m∗(k1​∗p+k2​∗p)

Two way offset:

m 2 − m ∗ ( c 1 + c 2 ) + c 1 ∗ c 2 = k 1 ∗ k 2 ∗ p ∗ q = k ∗ n ≡ 0 ( m o d n ) m^2-m*(c1+c2)+c1*c2 = k_1*k_2*p*q=k*n\equiv0~(mod~n) m2−m∗(c1+c2)+c1∗c2=k1​∗k2​∗p∗q=k∗n≡0(modn)

Therefore, sagemath can be used to solve the congruence equation

#sagemath codec1 = 17893542812755845772427795161304049467610774531005620109503081344099161906017295486868699578946474114607624347167976713200068059018517606363517478396368430072890681401898145302336139240273132723451063402106360810413024642916851746118524166947301681245568333254648265529408446609050354235727237078987509705857c2 = 5580409405085606847879727622943874726633827220524165744517624606566789614499137069562997931972825651309707390763700301965277040876322904891716953565845966918293178547100704981251056401939781365264616997055296773593435626490578886752446381493929807909671245959154990639046333135728431707979143972145708806954n = 140457323583824160338989317689698102738341061967768153879646505422358544720607476140977064053629005764551339082120337223672330979298373653766782620973454095507484118565884885623328751648660379894592063436924903894986994746394508539721459355200184089470977772075720319482839923856979166319700474349042326898971 PR.<m> = PolynomialRing(Zmod(n))f = m^2-(c1+c2)*m+c1*c2x0= f.small_roots(X=2^400) #After calculation, the range of m is within 2 ^ 400for i in x0: print(i)

Get i, that is, m; Convert to bytes

Crypto 1

Title:

from gmpy2 import *from Crypto.Util.number import *flag = '****************************'flag = {"asfajgfbiagbwe"}p = getPrime(2048)q = getPrime(2048)m1 = bytes_to_long(bytes(flag.encode()))e1e2 = 3087n = p*qprint()flag1 = pow(m1,e1,n)flag2 = pow(m1,e2,n)print('flag1= '+str(flag1))print('flag2= '+str(flag2))print('n= '+str(n))#flag1= 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594#flag2= 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408#n= 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437

Observation topic

The same m, different e, is much like a common mode attack;

However, the specific values of e1 and e2 are uncertain, and only the product is known;

Decompose the product of E1 and E2 to obtain 32 * 73

Because there are many combinations of this, e1 and e2 are not necessarily coprime

The principle of common mode attack:

c 1 x ∗ c 2 y ≡ m g c d ( e 1 , e 2 ) ( m o d n ) c1^x*c2^y\equiv m^{gcd(e1,e2)} (modn) c1x∗c2y≡mgcd(e1,e2)(modn)

among e 1 ∗ x + e 2 ∗ y = 1 e1*x + e2*y = 1 e1∗x+e2∗y=1

In the original application process, e1 and e2 are generally mutual prime; therefore g c d ( e 1 , e 2 ) = 1 gcd(e1,e2) = 1 gcd(e1,e2)=1

Here e1 and e2 are not necessarily coprime; Just bring in the maximum common divisor directly

Make the left side of the equation add k ∗ n k*n K * n is directly derived to obtain m; Where k is to be blasted

Code implementation:

import gmpy2from Crypto.Util.number import *flag1= 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594flag2= 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408n= 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437e1e2 = 3087fac = [3,3,7,7,7]factor = [3,7,3*7,3*3,7*7,3*7*7,3*3*7,7*7*7,3*7*7*7,3*3*7*7]for e1 in factor: if e1e2 % e1 == 0: e2 = e1e2 // e1 _,s,t = gmpy2.gcdext(e1,e2) gcd = gmpy2.gcd(e1,e2) temp = pow(flag1,s,n) * pow(flag2,t,n) % n for k in range(2**20): temp2 = gmpy2.iroot(temp + k*n,gcd) if temp2[1]: m = temp2[0] print(long_to_bytes(m)) break