网鼎杯2022

2022-08-26

青龙组

签到

答对八道知识问答题，得到flag：

crypto091

根据题目意思电话号码前几位为1709，因为通过百度可以查找到170号段首批放号的联通号是1709开头；又根据hash值长度64位hex猜测是sha256，于是带上地区码86爆破哈希，得到正确的电话号码：

from hashlib import *

table = '0123456789'
m = '861709'
c = 'c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc'
print(len(c))

for i1 in table:
    for i2 in table:
        for i3 in table:
            for i4 in table:
                for i5 in table:
                    for i6 in table:
                        for i7 in table:
                            f = m+i1+i2+i3+i4+i5+i6+i7
                            if sha256(f.encode()).hexdigest() == c:
                                print(f)
                                break

带上flag格式提交即可。

补一个美观一点的exp:

x = 'c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc'
import hashlib
n = b'861709'
s = list('0123456789'.strip())
import itertools
for i in itertools.product(s,repeat = 7):
    d = ''.join(i).encode()
    g = n+d
    if hashlib.sha256(g).hexdigest() == x:
        print(g)
        break
# b'8617091733716'

crypto162

$\left[\begin{matrix}an\a{n-1}\a{n-2}\end{matrix}\right]=\left[\begin{matrix}t_0&t_1&t_2\1&0&0\0&1&0\end{matrix}\right]*\left[\begin{matrix}a{n-1}\a{n-2}\a{n-3}\end{matrix}\right]$

sage矩阵快速幂运算即可：

from Crypto.Util.number import *
from hashlib import md5,sha256
from Crypto.Cipher import AES

cof_t = [[353, -1162, 32767], [206, -8021, 42110], [262, -7088, 31882], [388, -6394, 21225], [295, -9469, 44468], [749, -3501, 40559], [528, -2690, 10210], [354, -5383, 18437], [491, -8467, 26892], [932, -6984, 20447], [731, -6281, 11340], [420, -5392, 44071], [685, -6555, 40938], [408, -8070, 47959], [182, -9857, 49477], [593, -3584, 49243], [929, -7410, 31929], [970, -4549, 17160], [141, -2435, 36408], [344, -3814, 18949], [291, -7457, 40587], [765, -7011, 32097], [700, -8534, 18013], [267, -2541, 33488], [249, -8934, 12321], [589, -9617, 41998], [840, -1166, 22814], [947, -5660, 41003], [206, -7195, 46261], [784, -9270, 28410], [338, -3690, 19608], [559, -2078, 44397], [534, -3438, 47830], [515, -2139, 39546], [603, -6460, 49953], [234, -6824, 12579], [805, -8793, 36465], [245, -5886, 21077], [190, -7658, 20396], [392, -7053, 19739], [609, -5399, 39959], [479, -8172, 45734], [321, -7102, 41224], [720, -4487, 11055], [208, -1897, 15237], [890, -4427, 35168], [513, -5106, 45849], [666, -1137, 23725], [755, -6732, 39995], [589, -6421, 43716], [866, -3265, 30017], [416, -6540, 34979], [840, -1305, 18242], [731, -6844, 13781], [561, -2728, 10298], [863, -5953, 23132], [204, -4208, 27492], [158, -8701, 12720], [802, -4740, 16628], [491, -6874, 29057], [531, -4829, 29205], [363, -4775, 41711], [319, -9206, 46164], [317, -9270, 18290], [680, -5136, 12009], [880, -2940, 34900], [162, -2587, 49881], [997, -5265, 20890], [485, -9395, 23048], [867, -1652, 18926], [691, -7844, 11180], [355, -5990, 13172], [923, -2018, 23110], [214, -4719, 23005], [921, -9528, 29351], [349, -7957, 20161], [470, -1889, 46170], [244, -6106, 23879], [419, -5440, 43576], [930, -1123, 29859], [151, -5759, 23405], [843, -6770, 36558], [574, -6171, 33778], [772, -1073, 44718], [932, -4037, 40088], [848, -5813, 27304], [194, -6016, 39770], [966, -6789, 14217], [219, -6849, 40922], [352, -6046, 18558], [794, -8254, 29748], [618, -5887, 15535], [202, -9288, 26590], [611, -4341, 46682], [155, -7909, 16654], [935, -5739, 39342], [998, -6538, 24363], [125, -5679, 36725], [507, -7074, 15475], [699, -5836, 47549]]
s=0
for i in range(len(cof_t)):
    A=matrix([cof_t[i],[1,0,0],[0,1,0]])
    v=vector([3,2,1])
    t=A^(200000-2)*v
    s+=list(t)[0]
    
s=str(s)[-2000:-1000]
key = long_to_bytes(int(md5(s.encode()).hexdigest(),16))
check = sha256(key).hexdigest()
verify = '2cf44ec396e3bb9ed0f2f3bdbe4fab6325ae9d9ec3107881308156069452a6d5'
assert(check == verify)
aes = AES.new(key,AES.MODE_ECB)
data = long_to_bytes(0x4f12b3a3eadc4146386f4732266f02bd03114a404ba4cb2dabae213ecec451c9d52c70dc3d25154b5af8a304afafed87)
print (aes.decrypt(data))

crypto405

选取了5个初始$key$：$k_0,k_1,k_2,k_3,k_4$，$grasshopper=grasshpper.k_0.k_1.k_2.k_3.k_4$，$key$是不断在累乘的，而$flag$的格式为flag{，可以通过这五个明文字符来求$key$，比赛时我们的思路是硬解方程组恢复密钥，赛后看到一个很有意思的思路，于是复现一下。
首先列出开头五个字符的变换式子，用$var$赋值打印看看大致情况：

flag = b'flag{'
var('k0 k1 k2 k3 k4')
k = [k0, k1, k2, k3, k4]
res = []
for i in range(len(flag)):
    grasshopper = flag[i]
    for j in range(5):
        k[j] = grasshopper = grasshopper * k[j]
    res.append(grasshopper)
print(res)

可以看到由于$key$累乘，其次数每一轮都在增大，而由于$flag$的字符也在累乘，其系数也在不断增大。
这个思路的关键部分是把乘法看成加法，次幂看成乘法，那么该五组式子就可以看成线性方程组用矩阵处理，将该矩阵通过行列变换得到单位矩阵，那么就能求出$key$（行列变化的加法和乘法分别为乘法和次幂，减法为乘上逆元）：

$\left[\begin{matrix}1&1&1&1&1\\5&4&3&2&1\\15&10&6&3&1\\35&20&10&4&1\\70&35&15&5&1\end{matrix}\right]$

求出$key$以后再恢复$flag$即可。

# 预处理
flag = b'flag{'
var('k0 k1 k2 k3 k4')
k = [k0, k1, k2, k3, k4]
res = []
for i in range(len(flag)):
    grasshopper = flag[i]
    for j in range(5):
        k[j] = grasshopper = grasshopper * k[j]
    res.append(grasshopper)
print(res)


import sympy
from gmpy2 import invert as inverse
f=open('output.txt','r')
l=[]
for i in range(42):
    tmp=f.readline()[:-1][-4:]
    l.append(int(tmp,16))
max_c = max(l)


coefficient = [102,1192407267456,1918196473060530916599580974905403195260928,56112321905504104058889432264614118677688107359359075763851172322711550767834986156510191423865157053692191440896,53396244662367707127856864007524389027579357260572582679744127850279999404450619312604004485139827409110793046460181646479623909080635340073160838110289140978788817626824929446784411034165296270303004366240008622426141394072733814130556872463873302593536]
p=[]
a=2**15
for i in range(100000):
    a=sympy.nextprime(a)
    p.append(a)
    if a>2**16:
        break
m=b'flag{'
for z in range(len(p)):
    #print(z)
    try:
        q=p[z]
        if max_c>q:
            continue
        tmp = []
        print('cal inverse...')
        for i in coefficient:
            tmp.append(inverse_mod(i,q))
        A = matrix(GF(q),[[1,1,1,1,1],[5,4,3,2,1],[15,10,6,3,1],[35,20,10,4,1],[70,35,15,5,1]])
        print(A.echelon_form())
        b = vector(GF(q),tmp)
        print('cal X...')
        X = A.solve_right(b)
        #print(X)
        k = X
        m=[]
        #print(l)
        for i in range(len(l)):
            ss=k[0]*k[1]*k[2]*k[3]*k[4]%q
            mm=l[i]*inverse_mod(ss,q)%q
            m.append(mm)
            prod=m[i]
            for t in range(5):
                k[t] = prod = prod * k[t] % q
        print(bytes(m))
    except:
        continue
print('over')

这只是一个demo，解矩阵方程的方法需要自己重写，和加、乘不同；这里主要是学习解题思路。

re694

修改了upx壳的节区名手动恢复后脱壳用ida分析非常简单的加密后check 逆向解密即可

1
2
3

res = [0x4B,0x48,0x79,0x13,0x45,0x30,0x5C,0x49,0x5A,0x79,0x13,0x70,0x6D,0x78,0x13,0x6F,0x48,0x5D, 0x64,0x64]
print(''.join(map(lambda x: chr(((x^0x50)-10)^0x66), res)))
# why_m0dify_pUx_SheLL

白虎组

simple_math

import gmpy2
import hashlib

e=2022
c1 =  85139434329272123519094184286276070319638471046264384499440682030525456122476228324462769126167628121006213531153927884870307999106015430909361792093581895091445829379547633304737916675926004298753674268141399550405934376072486086468186907326396270307581239055199288888816051281495009808259009684332333344687
c2 =  104554808380721645840032269336579549039995977113982697194651690041676187039363703190743891658905715473980017457465221488358016284891528960913854895940235089108270134689312161783470000803482494370322574472422461483052403826282470850666418693908817591349159407595131136843764544166774390400827241213500917391144
c3 =  94771625845449128812081345291218973301979152577131568497740476123729158619324753128517222692750900524689049078606978317742545997482763600884362992468406577524708622046033409713416026145377740182233674890063333534646927601262333672233695863286637817471270314093720827409474178917969326556939942622112511819330
x =  78237329408351955465927092805995076909826011029371783256454322166600398149132623484679723362562600068961760410039241554232588011577854168402399895992331761353772415982560522912511879304977362225597552446397868843275129027248765252784503841114291392822052506837132093960290237335686354012448414804030938873765
y =  100442166633632319633494450595418167608036668647704883492068692098914206322465717138894302011092841820156560129280901426898815274744523998613724326647935591857728931946261379997352809249780159136988674034759483947949779535134522005905257436546335376141008113285692888482442131971935583298243412131571769294029
z =  104712661985900115750011628727270934552698948001634201257337487373976943443738367683435788889160488319624447315127992641805597631347763038111352925925686965948545739394656951753648392926627442105629724634607023721715249914976189181389720790879720452348480924301370569461741945968322303130995996793764440204452

a=(x-2022)**e-c1
b=(y-2022)**e-c2
c=(z-2022)**e-c3

m=gmpy2.gcd(a,b)
# 注意这里不能肯定m1和m2比m小，所以需要加km并用bit数为512来进行判断是否为m1，m2
m1=(x-2022)%m
m2=(y-2022)%m+m
print(int(m).bit_length())
print(int(m1).bit_length())
print(int(m2).bit_length())
flag = m + m1 + m2
flag = hashlib.md5(str(flag).encode('utf-8')).hexdigest()
print(flag)

easywork

垃圾题，，，滚

from Crypto.Util.number import *
from gmpy2 import *
import hashlib
from pwn import *

def decrypt_flag(sol,ct):
    #sol = sol % (10**10000)
    sol = str(sol)
    sol_md5 = hashlib.md5(sol.encode()).hexdigest()
    return xor(sol_md5.encode(),ct)

def all_fun(i,x0,n,a,b,c):

    #return (x0*b**(i-1) - n//(b-1) - a//((b//c)+1)*c**i)%(10**10000)
    return (x0*pow(b,i-1,pow(10,10000)) - (n//(b-1))%pow(10,10000)) - a//((b//c)-1)*pow(c,i,pow(10,10000))%pow(10,10000)


ct = b'UUV\x04H\x01T\x01P\x03\t\x04\t\x1fW\x00T\x02LRSPT\x1d\x02\x02^\x01N[\\R\x02\tSV\x07\x06P\x01QK'
c = 114514
e = int(2e8)

s0 = 150532854791355748039117763516755705063
s1 =335246949167877025932432065299887980427
s2 = 186623163520020374273300614035532913241
s3 = 215621842477244010690624570814660992556
s4 = 220694532805562822940506614120520015819
s5 = 17868778653481346517880312348382129728
s6 = 160572327041397126918110376968541265339

t0 = s1 - s0
t1 = s2 - s1
t2 = s3 - s2
t3 = s4 - s3
t4 = s5 - s4

kn1 = t2*t0 - t1*t1
kn2 = t3*t1 - t2*t2
kn3 = t4*t2 - t3*t3

n = gcd(kn2,kn1)
print(int(n).bit_length())
# print(gcd(n,kn3))

a = (s2 - s1)*invert((s1 - s0),n)%n
b = (s2 - a*s1)%n

print(gcd(n,b-1))
a0 = 1

x0 = a0 + n//(b-1) + a//((b//c)-1)

sol = all_fun(e,x0,n,a,b,c)
print(sol)
for i in range(-2**19,2**19):
    flag = decrypt_flag(sol+i,ct)
    if b'flag' in flag:
        print(flag)
print(decrypt_flag(sol,ct))

朱雀组

misc666

题目把base32的表改了，数字2-7改成了数字1-6，大写字母改成了小写；于是把小写换为大写，数字加1再解密即可：flag{NiuDaoxiaoshi666}

crypto967

#  ph算法求解离散对数，找两个乘起来比x大的因子计算再crt即可
import gmpy2
from Crypto.Util.number import *

p1= 28142457071
p2= 395710839697
m = 696376465415968446607383675953857997
c = 75351884040606337127662457946455960228423443937677603718170904462378938882502061014476822055783421908392386804380503123596242003758891619926133807099465797120624009076182390781918339985157326114840926784410018674639537246981505937318380179042568501449024366208980139650052067021073343322300422190243015076307
p = 135413548968824157679549005083702144352234347621794899960854103942091470496598900341162814164511690126111049767046340801124977369460415208157716471020260549912068072662740722359869775486486528791641600354017790255320219623493658736576842207668208174964413000049133934516641398518703502709055912644416582457721
cc1 = 209941170134628207830310059622280988835086910150451946264595015050300510031560522999562095124692878755896950865676914790595999182721583547184333760954091880805688518459046880395477235753285839380764579025127254060855545
q = 6809372619970287379746941806942051353536181082328454067824596651780784704823185066486367854653297514943018290212240504418345108411269306758069486928594027
g = 12575636661436726898107254102531343862656456137827822292892883099464907172061178954026138165159168595086335202285503403441736394399853074532771428483593753
k = 4521228602593215445063533369342315270631623025219518143209270060218625289087470505221974748605346084266802332207199304586313352026660695691783656769488472
m1=pow(m,(p-1)//p1,p)
c1=pow(c,(p-1)//p1,p)
m2=pow(m,(p-1)//p2,p)
c2=pow(c,(p-1)//p2,p)
d1=discrete_log(c1,m1)
d2=discrete_log(c2,m2)
d=crt([d1,d2],[p1,p2])
y=pow(g,d,q)
s=int(pow(y,k,q))
flag=cc1//s
print(long_to_bytes(flag))

玄武组

crypto557

考察二次剩余以及概率统计，类似于国外ictf的一道题。整个题目的关键点在if分支：

for j in range(size(tmp)):#比特数
        r = random.randint(2, p-1)
        if tmp%2:
            enc += [pow(x, r, p)]
        else:
            enc += [r]
        tmp //= 2

如果x对于p是二次剩余的话，这里的pow(x,r,p)也一定为二次剩余，此时flag为1的位对应的enc中元素
必定为p的二次剩余；与之相对的，enc中元素不是p的二次剩余的时候，对应的flag二进制位必为0。

题目给了18组数据，一定会有某些组的x为p的二次剩余，判断方法为对每一组数字进行二次剩余占比的统计，若占比大于60%，基本可以判断该组的x为p的二次剩余。

利用这些筛选出的组，我们可以通过实现上述加粗理论确定0位。由于flag某位为0的时候，r也可能为二次剩余，因此我们需要统计18组的二次非剩余的位置，以免漏掉一些0位。我的方法是把每组二次非剩余对应的位赋值为1，然后把各个组进行或运算操作，最后各位取一下反即可。

完整的exp:(数据很大没放)

p_l = []
enc_l = []
for i in range(1,19):
    tmp = f'p{i}'
    tmp1 = f'enc{i}'
    p_l.append(eval(tmp))
    enc_l.append(eval(tmp1))

x_ = []
for i in range(0,18):
    num = 0
    p = p_l[i]
    enc = enc_l[i]
    for j in enc:
        if kronecker(j,p) == 1:
            num+=1
    # 根据概率计算，以下这些组x应该是p的二次剩余
    if num/len(enc) > 0.7:
        print(i)
        x_.append(i)


for n in x_:

    l = []
    for i in enc_l[n]:
        if kronecker(i,p_l[n]) == -1:
            #print(enc_l[n].index(i),end = ' ')
            l.append(1)
        else :
            l.append(0)
    l.reverse()
    
    if x_.index(n) == 0:
        tmp2 = l
    else:
        #print(tmp2)
        tmp2 = [x|y for x,y in zip(tmp2,l)]

tmp3 = []
for i in tmp2:
    if i == 0:
        tmp3.append(str(1))
    else:
        tmp3.append(str(0))
        
    
m = int(''.join(tmp3),2)
try:
    print(bytes.fromhex(hex(m)[2:]))
except:
    pass