當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

signature=a7ab3f52fd3143e911ffec68c5ce32d7,2019年强网杯crypto部分题解

發布時間：2024/9/19 编程问答 46 豆豆

生活随笔收集整理的這篇文章主要介紹了 signature=a7ab3f52fd3143e911ffec68c5ce32d7,2019年强网杯crypto部分题解小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

一、random study

這個題目中共給出了三個challenge。

1. challenge 1

服務器將python中的random模塊的種子設置為int(time())，然后生成隨機數讓我們猜，只要我們猜對一次就可以通關了。

題目中給了200次機會，應該是考慮到服務器與我們機器的時間不同步的問題(可能相差幾秒)。我這里假定服務器時間與本地時間相差不超過10秒，然后對這20種情況進行枚舉就好了。相應代碼如下：

2.challenge 2

服務器自己調用了一個Java程序生成了三個隨機數，然后將前兩個告訴我們，讓我們猜第三個。

用Java Decompiler對提供的Java程序進行反編譯得到源碼如下：

public class Main {

public static void main(String[] paramArrayOfString) {

Random random = new Random();

System.out.println(random.nextInt());

}

可以看出這個Java程序是使用了Random類的nextInt函數來生成隨機數的。百度一下這個類，可以查到官方文檔。從官方文檔中可以知道：

Random的nextInt函數就是直接調用next(32)并將得到的值返回。

next(int n)會通過以下方式更新內部存儲的seed值，并返回下一個隨機數。

//seed乘一個數，然后取低48位。

seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);

// 48位種子的前n位。

return seed>>(48-n);

setSeed(long n)會將n做一些變化，然后存儲到內部的seed中。

seed = (n^ 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);

根據以上知識，我們可以發現，如果我們用nextInt獲得了一個隨機數

，那么生成這個隨機數時的種子就是

，其中x是一個16位的整數。

因此我們根據題目中給出的第一個隨機數可以推斷出生成第二個隨機數的種子的前32位，然后我們通過對低16位進行枚舉就可以得到生成第二個隨機數的種子是多少了。

3. challenge3

這一題就沒什么了，只要challenge1通過了，這里直接調函數得到隨機數，然后發過去就好了。

代碼如下:

from pwn import *

import time

from aux import *

import tqdm

import random

import subprocess

conn = remote('119.3.245.36', 23456)

def solveChaleneg1(conn):

conn.recvuntil('[-]')

cur_time = int(time.time())

for i,j in (enumerate(range(cur_time-10,cur_time+10)),initial=0,total=20):

random.seed(j)

for k in range(i):

random.randint(0,2**64)

conn.sendline(str(random.randint(0,2**64)))

if 'fail' not in conn.recvline():

break

def solveChalenge2():

conn.recvuntil('[-]')

x1 = conn.recvline()

print x1

x1 = int(x1)

print(x1)

conn.recvuntil('[-]')

x2 = int(conn.recvline(),10)

o = subprocess.check_output(["java", "MyMain",str(x1),str(x2)])

x3 = int(o.split('\n')[0],10)

print "x1=%d,x2=%d,x3=%d"%(x1,x2,x3)

conn.recvuntil('[-]')

conn.sendline(str(x3))

if 'fail' in conn.recvline()[:-1]:

print "challenge2 fails"

def solveChalenge3():

target = random.getrandbits(32)

conn.recvuntil('[-]')

conn.sendline(str(target))

conn.recvuntil("[++++++++++++++++]challenge 3 completed[++++++++++++++++]")

solveSHA(conn)

solveChaleneg1(conn)

solveChalenge2()

solveChalenge3()

conn.interactive()

import java.util.Random;

public class MyMain {

public static void main(String[] paramArrayOfString) {

long x1 = (long)(Long.parseLong(paramArrayOfString[0])&((1L<<32)-1));

long x2 = (long)(Long.parseLong(paramArrayOfString[1])&((1L<<32)-1));

// = (seed ^ 0x5DEECE66DL) & ((1L << 48) - 1);

//seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);

for(int i= 0;i

Random random = new Random(((x1<<16)+i)^0x5DEECE66DL);

if(random.nextInt() == x2){

System.out.println(random.nextInt());

}

CopperStudy

里面包含6個challenge.

1. challenge1

[+]teamtoken:[++++++++++++++++]proof completed[++++++++++++++++]

[+]Generating challenge 1

[+]n=0x931a21e45b8c30eb30f1b9767c724f57dd770432df414a5969d770e5cf41d86aa8c198baba3709d602b6de17003406b3ba9190e99c4c9aaa470afe052fa2aec57a7c448bf1a887c5c4776a789b51bf4f76b334fc27a59469d6b4fb76af90ec2ec56a4c83f0cabfcb3669c2e24243c9dfe32cc817fd2196452df47e92eeb06eb5L

[+]e=3

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=0x842683283571aeb5d8716f2a4667ff7e61fc63bb5a4cd89858c02881e0d536e344167e06e44ef5e276253563486c3b05971acfb96f8ed1a9e8c3143c026889ab11d5f72973bf6907f773ad0d570436cc64daf16e35ffff1fb48c66b36d9a8bfc568de1407b19f621ead2fa572fce24a921d742128a7b321f381e81bae0cb9f70L

[+]((m>>72)<<72)=0xb74706a05587a42246ed7ff2f03c4edf180f5248cfb7a8b86757ea456ba134c8a81f146b3172d1b59437efeb2e59b41e8dbb9cf2ac3254000000000000000000L

給定了明文的高位，低72位未知。思考了一會，發現不會，于是直接百度copper，發現了這個。上面給出了Coppersmith 算法的三種適用情況，并給出了相應的腳本。抄來改改就好了_。

3 Challenge 2

[+]Generating challenge 2

[+]n=0xaf10597fa3ac1e95f9eeeb0747827fbfd6a6b74e9e7824e5e58c9423e4eea8f898ef5ad96900adc54721aa922af14987fbeecd1663e639f85d4e0fc2f5cc50fc1dfdf3e0b04d8395fdb8372447f0b398a7bff92cf7745c03a613e71a7017648db905ac867d69aab2c8c9ff0fc65c3313f4080cbb46d1a13a3b6c8e263915a413L

[+]e=65537

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=0x7be9e49497bebb936018a628148e89dc2f8cb919ac899b1ac3fa050ba7987e051e78adc51677d3ab3d2529d1f98be08459699ab381e6bd51c96cb6ae327112d0bfcdd68691f55a0b9e92516506939cbbd1612a4760d428df38dab6353b838f7bfdbfcfd3fad489258a8a289527c30a9a38bdbec751c3c3dacdb9f67a222fc8c0L

[+]((p>>128)<<128)=0xbb1c7149e21b37fb4480326fa4ce2f825ff449b22fbc55d5b9d51dea23d64d6c36d5e45a25d4a46f2559d26625dc6bd900000000000000000000000000000000L

[-]long_to_bytes(m).encode('hex')=

解法同上改一下腳本就好了。

3. Challenge 3

[++++++++++++++++]challenge 2 completed[++++++++++++++++]

[+]Generating challenge 3

[+]n=0x9dd9df9c335f720b2a01628f4433daeec452e55ed505ae66df8567c6ca66ea0796a242a7bcc41b973d0392ccd0a6e11c829890d3243cf86c90a03a5729240cb9eae191f5cff6294d83a04cee995a8d01f72e4d2166c60b7368b8061cf23e5b89d5057b7026ff7673c658f478cd0e3a6e0a21a97e21c9b2e5d8e94cbb50210d99L

[+]e=3

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=0x169f8a6015b955747b211adb5e6a573eb03ea164170a35582dbc45d2a5d6ac4a01e0fae44b919d9afa419d73c1c02cb8e1095738b84236d53997862e0ac4dd108a47db0fb3515f3d8f29f620ec209bde20ebc93e64e9301751470f80212072e0981db41e0b307dbac81e3e126dd0e58cc96046b993cd2d48460731bb0a8c437cL

[+]d=invmod(e,(p-1)*(q-1))

[+]d&((1<<512)-1)=0x3a3d77ea2d0e834a43efa2accc7e463a7790f5f597abface5d56f3ed88aad629299a32ae6e21f0f9b43b7b402ba9d2e4d548f99298dce0ca92bcd26dd0d7c323L

[-]long_to_bytes(m).encode('hex')=

解法同上

4. challenge 4

[+]Generating challenge 4

[+]e=3

[+]m=random.getrandbits(512)

[+]n1=0x3cfc26953d034786a32dd22249d823ec272b8a46216efae5e57f9a8b8c7fed3b9b4a3c9361447159d714a614d7501e5b628a3da24b11a4ecd8c9c3f3cafb52674985752081ddff6eea6fc6c069d27b96ae039a53d05791c5207236890229abd337f2cad946ab550f8f4c414537fd3c0135f3b4f27e6919c15f2aa81a1ffe15afL

[+]c1=pow(m,e,n1)=0x374c6727e44c56e0de065f16bce1314b857792862f5d848a88d442605d7a54214806a0ad2c72090c39770e802aaa045deecaecc112c80a022ea3c4540823a175d11ba4fa347727931776854265c62228324ee77a8f19360f80f0a0152bfab2214474e3f744f8a0a577c26cdc2ab325326b40bc7d5d6fb9a005f9dce9418b6deaL

[+]n2=0x41e446d32fd2f4143558b8abf4f9cfd1feb827f49a3e61e115157ac948a183c196531acdd66d7749ede2f5913b01cdc49f98abb77a7bf6c9f1246ab1e74288d90885a0359cb244cc71f94b19fb552c2b6ace51ddf48893e3bae0561ae78cec67e71e7864da05fcfc13b8d3d741ef988043e944f8a53bb84def356170e2a9e5a3L

[+]c2=pow(m,e,n2)=0x2d9dbdaa0b89a0d12624a34146871f0378843199c516015e25770baefb00771713a705ff48eea7d9cad2a50c7b31d73612ac4c68ff29ba5a230546ff364fe6d2dc807b5eab1b3633baffe89c421bd683da0e4c828cd0709d08b2fb6941b94e3b73f87f1db368ef77d0597d1478192722b7ccfdab10dd4c9f6321676f5397e0ffL

[+]n3=0x1f7f8868ee329980957490a294da7507071ac5b90c029dddfef65a62a9c6010fa8cb735a00a7524e5633d3f807cc639d8956486bd29f46d16e731db107c8f1d58f995ec39c5582155ee06d4db32317fa1b3b9148052c18245c8b48f87844cb68d81f1f995044fa22eb18c197e437ba3badc12bc749572a49de66828e391b1dbL

[+]c3=pow(m,e,n3)=0x1e1e3ed0522464ccde39974aa9664f2fe9dad909ba4d42e9c2266dafccb5dc7e2074a9d4ac180653985e1b89def78d06143800d678365041abe2278dbcac81fce8f1122a117bd77b455ff7585a46d7e439265baa9c493d3f2fb2172a9bc07ba1483e1ed58a0eb5ea8efbd1d5f33cb62e01ab9ccecf7f2d396d4034b73cbf77cL

首先嘗試發現

、

沒有公約數(如果有的話可以直接分解)。然后，利用中國剩余定理得到：

可以發現m是512位的，因此

大概是1536位的，少于

的3072位。因此，我們可以知道

直接求立方根就可以得到m了。

5. chalenge 5

[++++++++++++++++]challenge 4 completed[++++++++++++++++]

[+]Generating challenge 5

[+]n=0x3298d508dc5255e5f53c2890326aceacf9439b9f2f06e2abf3e19ece5a503315852cbaf9ab9f730f9bde1082331f0697491dade2c57463d610b540697506ce3441ced4262ca150b1c28535f266e954967895f6d4b3fc86281cdfaa21fa8aa1b440de1bb0b0b4332969f24bff01d574f94235de3bc3da43401915adf253589b63L

[+]e=3

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=0x1b124c087004fd532a26f2cb6cc5c9ee2176c2070d87c159bd0e74b8811ab3af84c96e05dd7bf6bb6b5a251c8558c357036aff678525c8734570e142e38e77419993892a29d9a9f54bd3d4c048895482466d749eb0cf5b12b427c1753f6ebe3eba2ad9dcdc87b7c2040bfab6a5c124eb21b821fa58e167d8cb57e9c551ab9dbfL

[+]x=pow(m+1,e,n)=0x2d6fcf825d2fcb98f37f951fc000520f4aab11222f92a1af01e0988943fdde016664b706f4197bd085e79f57daedbecf4ee59cc9f010998c22f1c2df6223df57e86b9efd8bcca779f16e6da8a54778459b4d956a255d8ecc3d3a9e9a72a7c70cb2bec8bbaa2bb5c2f2d3f95769cee6fdd7fd04bbd6d84070e50739b5b059c6e6L

[-]long_to_bytes(m).encode('hex')=

題目中給出了m和m+1加密后的結果。即我們知道：

二者相減得到：

兩邊減1并乘以3模n的逆得到：

我們知道m是512位的，由此可以推出

不超過1024位。進而可以得到：

k = 0或1(不確定自己分析的對不對，所以寫代碼的時候把k的范圍稍微擴大了一點點)

然后，對每一個k值，嘗試求解上面的方程就可以得到結果了。因為

在

單調遞增，因此求解方法用二分法即可。

6. challenge 6

[++++++++++++++++]challenge 5 completed[++++++++++++++++]

[+]Generating challenge 6

[+]n=0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L

[+]d=random.getrandbits(1024*0.270)

[+]e=invmod(d,phin)

[+]hex(e)=0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL

注意到題目中提示

的位數為0.27*1024，相當于

。不知道怎么辦，后來在mhx的提示下發現Boneh and Durfee attack在

時分解n。然后又是直接抄個腳本過來分解掉了。

代碼如下(不包含Sage腳本，因為上面提供的連接中都有)：

from Crypto.Util import number

from pwn import *

import hashlib

import libnum

from aux import *

import tqdm

import gmpy2

conn = remote('119.3.245.36', 12345)

x0 = 3031202121516888756254+0xb74706a05587a42246ed7ff2f03c4edf180f5248cfb7a8b86757ea456ba134c8a81f146b3172d1b59437efeb2e59b41e8dbb9cf2ac3254000000000000000000

p = 157455850951539875413707605384569848509+0xbb1c7149e21b37fb4480326fa4ce2f825ff449b22fbc55d5b9d51dea23d64d6c36d5e45a25d4a46f2559d26625dc6bd900000000000000000000000000000000L

n = 0xaf10597fa3ac1e95f9eeeb0747827fbfd6a6b74e9e7824e5e58c9423e4eea8f898ef5ad96900adc54721aa922af14987fbeecd1663e639f85d4e0fc2f5cc50fc1dfdf3e0b04d8395fdb8372447f0b398a7bff92cf7745c03a613e71a7017648db905ac867d69aab2c8c9ff0fc65c3313f4080cbb46d1a13a3b6c8e263915a413

q = n/p

c = 0x7be9e49497bebb936018a628148e89dc2f8cb919ac899b1ac3fa050ba7987e051e78adc51677d3ab3d2529d1f98be08459699ab381e6bd51c96cb6ae327112d0bfcdd68691f55a0b9e92516506939cbbd1612a4760d428df38dab6353b838f7bfdbfcfd3fad489258a8a289527c30a9a38bdbec751c3c3dacdb9f67a222fc8c0

x1 = pow(c,gmpy2.invert(65537,(p-1)*(q-1)),n)

d = 73897859833360735083833018291216138538391694441421128347796113898176347610218862647497820864455327205623491646417194479391497879610944659647766341364110862866967065387388720221408859326315301232384151863747183910278699184043306720913086501616478917318589938736632770485961912898351468620093203923268728767267

c = 0x169f8a6015b955747b211adb5e6a573eb03ea164170a35582dbc45d2a5d6ac4a01e0fae44b919d9afa419d73c1c02cb8e1095738b84236d53997862e0ac4dd108a47db0fb3515f3d8f29f620ec209bde20ebc93e64e9301751470f80212072e0981db41e0b307dbac81e3e126dd0e58cc96046b993cd2d48460731bb0a8c437c

n = 0x9dd9df9c335f720b2a01628f4433daeec452e55ed505ae66df8567c6ca66ea0796a242a7bcc41b973d0392ccd0a6e11c829890d3243cf86c90a03a5729240cb9eae191f5cff6294d83a04cee995a8d01f72e4d2166c60b7368b8061cf23e5b89d5057b7026ff7673c658f478cd0e3a6e0a21a97e21c9b2e5d8e94cbb50210d99L

x2 = pow(c,d,n)

n1 = 0x3cfc26953d034786a32dd22249d823ec272b8a46216efae5e57f9a8b8c7fed3b9b4a3c9361447159d714a614d7501e5b628a3da24b11a4ecd8c9c3f3cafb52674985752081ddff6eea6fc6c069d27b96ae039a53d05791c5207236890229abd337f2cad946ab550f8f4c414537fd3c0135f3b4f27e6919c15f2aa81a1ffe15af

n2 = 0x41e446d32fd2f4143558b8abf4f9cfd1feb827f49a3e61e115157ac948a183c196531acdd66d7749ede2f5913b01cdc49f98abb77a7bf6c9f1246ab1e74288d90885a0359cb244cc71f94b19fb552c2b6ace51ddf48893e3bae0561ae78cec67e71e7864da05fcfc13b8d3d741ef988043e944f8a53bb84def356170e2a9e5a3

n3 = 0x1f7f8868ee329980957490a294da7507071ac5b90c029dddfef65a62a9c6010fa8cb735a00a7524e5633d3f807cc639d8956486bd29f46d16e731db107c8f1d58f995ec39c5582155ee06d4db32317fa1b3b9148052c18245c8b48f87844cb68d81f1f995044fa22eb18c197e437ba3badc12bc749572a49de66828e391b1db

c1 = 0x374c6727e44c56e0de065f16bce1314b857792862f5d848a88d442605d7a54214806a0ad2c72090c39770e802aaa045deecaecc112c80a022ea3c4540823a175d11ba4fa347727931776854265c62228324ee77a8f19360f80f0a0152bfab2214474e3f744f8a0a577c26cdc2ab325326b40bc7d5d6fb9a005f9dce9418b6dea

c2 = 0x2d9dbdaa0b89a0d12624a34146871f0378843199c516015e25770baefb00771713a705ff48eea7d9cad2a50c7b31d73612ac4c68ff29ba5a230546ff364fe6d2dc807b5eab1b3633baffe89c421bd683da0e4c828cd0709d08b2fb6941b94e3b73f87f1db368ef77d0597d1478192722b7ccfdab10dd4c9f6321676f5397e0ff

c3 = 0x1e1e3ed0522464ccde39974aa9664f2fe9dad909ba4d42e9c2266dafccb5dc7e2074a9d4ac180653985e1b89def78d06143800d678365041abe2278dbcac81fce8f1122a117bd77b455ff7585a46d7e439265baa9c493d3f2fb2172a9bc07ba1483e1ed58a0eb5ea8efbd1d5f33cb62e01ab9ccecf7f2d396d4034b73cbf77c

x = c1*gmpy2.invert(n2*n3,n1)*n3*n2 + c2*gmpy2.invert(n1*n3,n2)*n1*n3 + c3 * gmpy2.invert(n1*n2,n3)*n1*n2

x = int(x%(n1*n2*n3))

def cubeRoot(x):

l,r = 0,x

while l

mid = (l+r)//2

if mid**3 == x:

return mid

elif mid**3 < x:

l = mid+1

else:

r = mid-1

return l

x3 = cubeRoot(x)

assert x3**3 %n1 == c1 and x3**3%n2 == c2 and x3**3%n3 == c3

n = 0x3298d508dc5255e5f53c2890326aceacf9439b9f2f06e2abf3e19ece5a503315852cbaf9ab9f730f9bde1082331f0697491dade2c57463d610b540697506ce3441ced4262ca150b1c28535f266e954967895f6d4b3fc86281cdfaa21fa8aa1b440de1bb0b0b4332969f24bff01d574f94235de3bc3da43401915adf253589b63

e = 3

c = 0x1b124c087004fd532a26f2cb6cc5c9ee2176c2070d87c159bd0e74b8811ab3af84c96e05dd7bf6bb6b5a251c8558c357036aff678525c8734570e142e38e77419993892a29d9a9f54bd3d4c048895482466d749eb0cf5b12b427c1753f6ebe3eba2ad9dcdc87b7c2040bfab6a5c124eb21b821fa58e167d8cb57e9c551ab9dbf

x = 0x2d6fcf825d2fcb98f37f951fc000520f4aab11222f92a1af01e0988943fdde016664b706f4197bd085e79f57daedbecf4ee59cc9f010998c22f1c2df6223df57e86b9efd8bcca779f16e6da8a54778459b4d956a255d8ecc3d3a9e9a72a7c70cb2bec8bbaa2bb5c2f2d3f95769cee6fdd7fd04bbd6d84070e50739b5b059c6e6

tmp = (x-c-1)*gmpy2.invert(3,n)%n

def findm(x,n):

l,r = 0,n

while l

mid = (l+r)//2

t = mid**2+mid

if t==x:

return mid

elif t

l = mid +1

else:

r = mid -1

return l

for i in range(5):

m = findm(tmp+i*n,n)

if (m**2+m) == tmp:

break

assert (m**3)%n == c

x4 = m

n = 0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27

e = 0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bb

c = 0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866c

d = 776765455081795377117377680209510234887230129318575063382634593357724998207571

assert c == pow(c,e*d,n)

x5 = pow(c,d,n)

solveSHA(conn)

conn.recvuntil('long_to_bytes(m).encode(\'hex\')=')

conn.sendline(number.long_to_bytes(x0).encode('hex'))