羊城杯

2022-09-02

2021_Crypto

Bigrsa

签到，n1和n2不互素：

from Crypto.Util.number import *
from gmpy2 import *

n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
q = gcd(n1,n2)

p1 = n1//q
p2 = n2//q
c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264

phi1 = (q-1)*(p1-1)
phi2 = (q-1)*(p2-1)
dl = []
# map返回迭代器
for i in map(invert,[e,e],[phi1,phi2]):
    dl.append(i)

c1 = pow(c,dl[1],n2)
m = pow(c1,dl[0],n1)

print(long_to_bytes(m))
# SangFor{qSccmm1WrgvIg2Uq_cZhmqNfEGTz2GV8}

2022_Misc Crypto

签到

先rot13再base32解密。

EasyMisc

给了个txt，维吉尼亚解密，得到压缩包密码：GWHT@R1nd0yyds

解密得到一个混淆的图片，给了encode.py，直接百度搜索关键代码可以找到Novel_In_Image项目，直接套用decode.py得到输出的txt，观察第一行自卑与超越f，再搜索字母l，基本可以确定每个flag字符前面是文字，于是写一个正则过滤一下，再根据flag格式和题目语义确定flag：

import re
f = open('out_decode.txt','r',encoding='utf-8').read()

a = re.findall('[^a-z\{\}0-9][a-z\{\}0-9]', f)
for i in a:
    print(i)

# flag{h1d3_1n_th3_p1ctur3}

迷失幻境

取证大师直接梭，回收站里两张图有点可疑，导出来，再把图库里的1.png和哒哒哒.jpg导出来，因为这两张图和回收站的看起来一样，可能有隐藏数据。

然后把45补上png4字节文件头，显示正常，和1.png做sub或者xor都可，能得到一个key:

可爱可莉exif信息有：

猜想可能是outgusee(想不到)，直接解：

寻宝

给的文件是字节前后部分交换过的zip，用脚本处理一下：

# 处理初始文件，把字节的前后两部分交换位置
f = open('寻宝','rb')
zip = open('game.zip','wb')
p = f.read()
l = []
for i in p:
    j = bin(i)[2:].zfill(8)
    k = j[4:]+j[:4]
    l.append(int(k,2))
zip.write(bytes(l))

解压以后，里面有一个exe格式的小游戏，并附了游戏说明：
上下左右键控制移动，吃完十字型护符即可进入下一关，注意躲避红色蝎子的攻击，死亡三次则游戏结束。吃到金色甲壳虫后的一段时间会使蝎子进入恐惧状态，此时碰到它们会把它们送回出生点。温馨提示：第五关开始好像某种神秘的电波
直接打的话非常难，考虑CE修改器，基本教程，首先可以把游戏速度改的很慢来找生命值的内存地址：

修改得很大，然后就可以快乐游戏了：

从第一关到第四关是变异猪圈密码，翻译过来为OWOH；从第五关开始是某种电波，猜测是电平相关，因为图像类似于电平波动：
不是曼彻斯特就是差分曼彻斯特，测试确定为后者，转为字节：

背景音乐钢琴曲对应数字114514，所以解压密码连起来为OWOH_a1_114514
解压以后txt里面有零宽即为flag GWHT{Wher3_1S_Th4_1gI981O?}

Unlimited Zip Works

首先想的是循环解压，全部解压发现最后得flag.txt是个幌子；用7z可以看到每层压缩包都有注释，也是非常疑惑winrar看不见。所以写个脚本在解压得时候读取注释信息，发现藏的是一个zip文件，遂提取：

import zipfile
# 解压并提取注释信息重写新的zip
name = 'z//file.zip'
infor_list = []
while True:
    try:
        zipfilename = name
        z = zipfile.ZipFile(zipfilename, 'r') # r表示解压
        name_list = z.namelist()
        #print(name_list[0])
        infolist = z.infolist()
        for info in infolist:
            infor_list.append(info.comment)
            #print(len(info.comment))
        name = 'z//'+name_list[0]
        z.extract(name_list[0], path='z\\')
    except:
        break

infor_list.reverse()
#print(infor_list)
z = b''
for i in infor_list:
    z = z + i
ff = open('flag.zip','wb')
ff.write(z)
print(z)

提取出来里面一堆txt，每个txt指向下一个txt，最后发现是封闭的指向，于是按照顺序把文件名连起来，以为是某种编码，结果不是；队友细心发现flag.zip还藏有一个zip，于是提取出来，解压以后里面有一张jpg，不是隐写；最后，发现新的zip注释里还有一个zip，提取出来解压即为flag。ps：真心希望出题别那么套，并且本题干扰的txt，图片还那么多…
脚本：

import zipfile

with open('flag.zip','rb') as f:
    d = f.read()
m = d[160660+60:]
with open('new.zip','wb') as ff:
    for i in range(0,len(m),57):
        ff.write(m[i:i+2])

name = 'new.zip'
zipfilename = name
z = zipfile.ZipFile(zipfilename, 'r') # r表示解压
infolist = z.infolist()
print(infolist)
for info in infolist:
    print(info.comment)
    zz = info.comment

with open('last.zip','wb') as f_:
    f_.write(zz)
#[<ZipInfo filename='archer.jpg' filemode='-rw-rw-rw-' file_size=4842>]
#b'PK\x03\x04\x14\x00\x00\x00\x08\x00.wkT1\xa1\x9e\xee(\x00\x00\x00&\x00\x00\x00\x01\x00\x00\x00fsq\x0cv\x0eq\xab\xf6\x8cO\xcc\x8d/\xc9H\x8dwqu\xf3q\x0cq\x8d\xcfO\x8b\xcf\xad\x8c\x8f\xca,H\xcb\xccI\xad\x05\x00PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00.wkT1\xa1\x9e\xee(\x00\x00\x00&\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb6\x81\x00\x00\x00\x00fPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/\x00\x00\x00G\x00\x00\x00\x00\x00'

DASCTF{I_am_the_DEFLATE_of_my_Zipfile}
补一个010的zip模板解析以后在地址160720位置的冗余数据，即zip开头两个字节：

躲猫猫

首先发现有FTP协议，于是追踪tcp流可以导出zip文件，压缩包里的key.log没有加密，可以导入它解密tls流，然后追踪http流发现跟邮箱附件上传有关的ftn_hander，在其响应流里可分割出jpg图片，也就是压缩包密码：

在tcp流11中可以找到missing_cat.png，导出是经过加密的图片：

解压zip以后得到加密图片的py文件以及secret，搜索一下代码发现是dsctf的密码题，直接套一下脚本就能解了：

from PIL import Image
from Crypto.Util.number import *
from numpy import array, zeros, uint8

image = Image.open("encflag.jpg")
w, h = image.size
imagearray = array(image)

x = 
y = 
kn = 1

x1 = round(x/y*0.001, 16)
u1 = y*3650/x
x2 = round(x/y*0.00101, 16)
u2 = y*3675/x
x3 = round(x/y*0.00102, 16)
u3 = y*3680/x
kt = [x1, x2, x3]
print(kt)

temp_image = zeros(shape=[h, w, 3], dtype=uint8)
print(len(temp_image))
print(len(temp_image[0]))
print(len(temp_image[0][1]))
for k in range(0, kn):
    for i in range(0, h):
        for j in range(0, w):
            x1 = u1 * x1 * (1 - x1)
            x2 = u2 * x2 * (1 - x2)
            x3 = u3 * x3 * (1 - x3)
            r1 = int(x1*255)
            r2 = int(x2*255)
            r3 = int(x3*255)
            for t in range(0, 3):
                temp_image[i][j][t] = (imagearray[i][j][t]-((r1+r2) ^ r3)) % 256
    x1 = kt[0]
    x2 = kt[1]
    x3 = kt[2]

encflagarray = Image.fromarray(temp_image)
encflagarray.show()
encflagarray.save("flag.jpg")

得到一张类似于maxicode的图片，把中间的猫咪换成该code的同心圆以后识别出flag。

LRSA

首先通过$gcd$可求$P和Q$

由于等式$(p-58)P+(q-t)=kQ$

$=>(p-58)P-kQ=t-q≈2^{1023}$

构造格子$L=\left[\begin{matrix}1&P\0&Q\end{matrix}\right]$

$=>v=(p-58,t-q)$在L上

且$||v||<\sqrt{2}det(L)^{\frac{1}{2}}$

利用LLL算法求解

from Crypto.Util.number import *
from gmpy2 import *

e = 65537
B=1023
PPQ=
PQQ=
t=44
c=4364802217291010807437827526073499188746160856656033054696031258814848127341094853323797303333741617649819892633013549917144139975939225893749114460910089509552261297408649636515368831194227006310835137628421405558641056278574098849091436284763725120659865442243245486345692476515256604820175726649516152356765363753262839864657243662645981385763738120585801720865252694204286145009527172990713740098977714337038793323846801300955225503801654258983911473974238212956519721447805792992654110642511482243273775873164502478594971816554268730722314333969932527553109979814408613177186842539860073028659812891580301154746

PQ = gcd(PQQ,PPQ)
print(PQ)

P = PPQ//PQ
Q = PQQ//PQ

print(P)
print(Q)
p = t+71239161441539946834999944364158306978517617517717217001776063773301330324729178632534286023377366747004115034635139042058644768011502688969022553791977558750633767627495955645170437100983708648876951588485253787441732757259210010467734037546118780321368088487269039555130213851691659851510403573663333586407
q = 58+80736411146583842306585010871034886981016840349026602734742256246556342668178774083233822097872779308174897649383396380481655663281333047577768952571915605685701400990749928642136680236367785948214890529631428970999122918591632651324318444462622996015719163492064450044087392474349767300242266723293755137205
phi = (p-1)*(q-1)
d = invert(e,phi)
print(long_to_bytes(pow(c,d,p*q)))

# LLL求解
# P = 25947339118736016261419550658264175914664266822085997909314096786508816404704696671837899420298768803641977765786592354116676036035881712512184992851487828263900367476619650087372125353190561974783134059421570649293920248116730478378196277387377082481961542018611824082110164117796622604412648512092528479878502094797494405077897059911764470830302447618882229233093021156725194893124743848364119720591518073753197359351271987724752861168913839307431377592888760273762302003490303315903644695784992125784390012046834505490167165377346036077504298195544062111718133371983287540723388743607671934081891907851056034062109
# Q = 26068172028162605137516470004551766376185367701690988148920400408760716114172673253571631718337447931195718779018987169967053546674529251665443499183399035216407895285607965767100708187327533611193709308966698251023076404422362272378862918994525181107002728889256377161661579892599243396304207048944032235378667269998644227976609632271355152717352269223310163307304914315780234040829575689991453848537587516055955657960061856059046256125836544109066275645648666876772298883460637600522819402448386193499472702636751025558486665290530268273787746964353937663176851849214999005525738643454160169651485201028944583316101
# matA = [[1,P],[0,Q]]
# L=Matrix(ZZ,matA)
# tmp=vector(ZZ,L.LLL()[0])
# print(tmp)

EasyRsa

每个n共有一个公因子，分解各个n，获取私钥d以后倒着解密12次

from Crypto.Util.number import *
from gmpy2 import *

f = open('output.txt','r')
n = []
for i in range(12):
    n.append(int(f.readline()))
c = 38127524839835864306737280818907796566475979451567460500065967565655632622992572530918601432256137666695102199970580936307755091109351218835095309766358063857260088937006810056236871014903809290530667071255731805071115169201705265663551734892827553733293929057918850738362888383312352624299108382366714432727
q = 7552850543392291177573335134779451826968284497191536051874894984844023350777357739533061306212635723884437778881981836095720474943879388731913801454095897
e = 65537
n.reverse()
print(len(n))

for i in n:
    p = i//q
    phi = (p-1)*(q-1)
    d = invert(e,phi)
    c = pow(c,d,i)

print(long_to_bytes(c))

Solomen’s puzzle 1

首先测试一下源码的函数：

确定纠错码的生成函数

$x^4*(m_3x^3+m_2x^2+m_1x+m_0)+R(x)=g(x)*H(x)$

题目给了对明文
生成的四位纠错码由$R(x)$的系数决定，所以题目给的混淆过程只会影响明文部分而非纠错码：

for i in range(0, 256, 8):
    index1 = randrange(4, 8)
    value1 = randrange(0, 256)
    index2 = randrange(4, 8)
    value2 = randrange(0, 256)
    code[i + index1] = value1
    code[i + index2] = value2

我们在上述方程中取x为$1,\alpha,\alpha^2,\alpha^3$，这样可以保证$g(x)$为0，则得到四个关于m的方程，于是我们利用纠错码解矩阵方程即可，即代码中的A*X = B，解X

from Crypto.Util.number import *

e = 10632528934906371807995216845027219767890923967559690651733628659750564299493611010425615580946665632019547006685100876646048602773295571936276450835367591
n=94257413713770111563970534929325680923943690882102478219183863722026590313165304301118258536360712467357451726680293716779730218553691126214750969333228034756948476572806064756873382054384808713137658321644158757777088916851366208046581218865015163572359836440643828462291397248680038931998325006839692797347
m = 257
F = Zmod(m)
ap = F(223)
A=Matrix(Zmod(257),[[-1,-1,-1,-1],
                   [-ap^7,-ap^6,-ap^5,-ap^4],
                   [-ap^14,-ap^12,-ap^10,-ap^8],
                   [-ap^21,-ap^18,-ap^15,-ap^12]])

B=Matrix(Zmod(257),[[1,1,1,1],
                   [ap^3,ap^2,ap,1],
                   [ap^6,ap^4,ap^2,1],
                   [ap^9,ap^6,ap^3,1]])

c=b'\xb9$5.>\xff\xe3S\xc91\xb2\xeb\x1byR(\x12{\xc4\xbf\xa4wo|\xc5-;\xc9\xc9S[\xaeX\xad\xf0\xef@\x1c\x87]\x9a\xb9:\x8cu\xa5\xe3EA<"\xfd\x9a\xbfqB\x94\xc3R\x95\xd5\xbd\xd0\x10u\x10\xe3\xa5"S\xed\xd0\xf8\x02\xbf\x124A~1]\xceP\xdf\xf2Cr1\x93\xacw\x03\tQe\xcc2b\xbf\x0f\x92\xad\x19\x00\xab|\xf3\xc9\x9b&I%\xf5\x9b#\xf7\xa2\xcb\xb1\x0c\xee\xb56\xd5\xd2\xd5[?^\x9d\x8b\x93\xbe\x832\xee\xa9\xa5\x83$\xe9\xe5\x95\x01\xd6\x9f\xad\x1f\x90\xc3]aL\x10\x07{#4i^\xae\xdf|\x9f\x94\xf4\xaf\x06R\x86j&\xeb\x0b\x06\xcf\xb2\x8e\xb4\xb9s\x97[\xf1ip\x06\xf8\xfdFs\xf1`\xc6\x82\xd8\xce\xf6\x95{\xe3\x8cQ\xed\xef\xe9\xb9\'\x19\xdf^\xc8\x81\xde\x1fQ\x1e\x86\xda\xf8\xfd4M0#\xef\x8a\xe9\xe5\xfc\xe2\xe3\xe6\xd0e\xce\xe1\x0b\x9eM\x07\xc2Y\xf8B\xe1\xde\xfaP\xe9\x9d\xde\xc3\xe3C\xa5'
cip=b''

for i in range(0,len(c),8):
    tmp=c[i:i+8]
    v=tmp[:4][::-1]
    v=vector(Zmod(257),list(v))
    cip+=bytes(A^(-1)*B*v)[::-1]
    
print(long_to_bytes(inverse(e,n)*bytes_to_long(cip)%n))

linearAlgebra

主要考点是用LLL算法解决背包加密类型的问题。
1.分析corrupt函数

def corrupt(Mt, s, n):
    Mt_ = matrix(ZZ, Mt)
    for i in range(n):
        r_ = random.randint(0, n - 1)
        c_ = random.randint(0, n - 1)
        Mt_[r_, c_] = random.randint(0, 2 ^ s)
    return Mt_

对32x32的矩阵中的随机32个元素进行替换

2.分析已知信息和加密过程

m = pad(flag[7:-1], n)
M = bytes2Matrix(m, n)
A = randMatrix(asize, n)
C = A * M
Ac = corrupt(A, asize, n)

print('C:')
print(C)
print('Ac:')
print(Ac)

首先将flag填充为nxn的长度，然后将m转为矩阵表示M，生成一个随机的系数矩阵A，C=A*M；最后对A随机替换得到AC。

3.格基规约

a.由概率论可知，corrupt随机更改的32个数据分别分布在32行的概率是非常小的，几乎可以断定，有某些行的数据未改。
b.利用未改的该行(a,b,c)乘上flag矩阵的各列(m1,m2,m3)，得到的结果可以用于构造格子，记为$y=am_1+bm_2+cm_3$。
c.思路如下，把n阶拓展为n+1阶，比如下方矩阵为3阶，拓展为4阶，最右列为(a,b,c,y)，原矩阵的对角线全为1，横向量为格基。

$L=\left[\begin{matrix}1&0&0&a\\0&1&0&b\\0&0&1&c\\0&0&0&y\end{matrix}\right]$

容易发现：$m_1(1,0,0,a)+m_2(0,1,0,b)+m_3(0,0,1,c)-m_4(0,0,0,y)=(m_1,m_2,m_3,0)$，恢复了明文的同时使得向量最后一维为0。通过这个特征可以固定AC的第一列，C的不同行来进行格基规约，当输出最短向量且最后一维为0的时候可以判断改行未改变。固定该行和其他列构造格子再恢复flag的其他部分即可。

import re

f=open('output','r')
def s2row(s):
    return list(map(int, re.split(r'\s+', s[1:-1].strip()))) #\s+ 意思是至少有一个空白字符存在

f.readline()
CS=[]
for _ in range(32):
    s = f.readline().strip()
    row = s2row(s) 
    CS.append(row)

f.readline()
ASC=[]
for _ in range(32):
    s = f.readline().strip()
    row = s2row(s)
    ASC.append(row)

import math
'''
for i in range(32):
    pubkey=ASC[i]
    C=CS[i][0]  #固定M第一列
    L = matrix.zero(len(pubkey) + 1)
    for row, x in enumerate(pubkey):
        L[row, row] = 1
        L[row, -1] = x

    L[-1, -1] = -C
    M = L.LLL()
    ff=False
    for m in M:
        if int(m[-1])==0:
            ff=True
            print(m)
    if not ff:
        print('无解')
'''
flag=[]
for i in range(32):
    pubkey = ASC[1]

    C = CS[1][i]
    L = matrix.zero(len(pubkey) + 1)
    for row, x in enumerate(pubkey):
        L[row, row] = 1
        L[row, -1] = x

    L[-1, -1] = -C
    M = L.LLL()
    ff = False
    for m in M:
        if int(m[-1]) == 0:
            ff = True
            flag.append(m[:-1])
            break
    if not ff:
        print('无解')

print(flag)

flag=[98, 53, 57, 51, 50, 99, 50, 99, 45, 101, 50, 49, 48, 45, 52, 99, 51, 57, 45, 57, 102, 98, 53, 45, 97, 55, 102, 51, 53, 101, 56, 54, 49, 100, 51, 50]
print(bytes(flag))