鹏城杯 2025 WriteUp - Q1uJu's House

题目后面带(*)的是指赛后出了复现的~

Crypto#

true_of_false#

题目：

1
import json, random, hashlib
2
from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes
3

4
A=1103515245
5
B=12345
6
MOD=2**31
7

8
def lcg(s):
9
    while True:
10
        s=(A*s+B)%MOD
11
        yield s&0xFF
12

13
def mix(b,s):
14
    g=lcg(s)
15
    o=bytearray()
16
    for i in range(0,len(b),8):
17
        t=b[i:i+8][::-1]
18
        for x in t:
19
            o.append(x^next(g))
20
    return bytes(o)
21

22
BITS=512
23
e=65537
24
p=getPrime(BITS)
25
q=getPrime(BITS)
26
n=p*q
27
phi=(p-1)*(q-1)
28
d=inverse(e,phi)
29

30
FLAG=b"flag{de5b8aec-6294-42dd-8038-18e0854e3d22}"
31
m=bytes_to_long(hashlib.sha256(FLAG).digest())
32
flag_enc=bytes_to_long(FLAG)^m
33

34
sig_ok=pow(m,d,n)
35

36
d_p=d%(p-1)
37
d_q=d%(q-1)
38
s_p=pow(m,d_p,p)
39
s_q=random.randrange(q)
40
inv= inverse(q,p)
41
sig_fault=(s_q+q*((s_p-s_q)*inv%p))%n
42

43
seed=random.randrange(1,2**31)
44
cj={
45
    "n":hex(n),
46
    "e":e,
47
    "sig_ok_mixed":mix(long_to_bytes(sig_ok),seed).hex(),
48
    "sig_fault_mixed":mix(long_to_bytes(sig_fault),seed+123456).hex(),
49
    "flag_enc":hex(flag_enc),
50
    "seed_hint":seed%97
51
}
52

53
json.dump(cj,open("challenge.json","w"),indent=0)

送flag的题一，难评。仔细看看考点（）好像还是挺新奇的，起码我是第一次见。

加密流程

整体分为RSA加密层和LCG混淆层。

RSA加密层的加密方式类似 One-Time Pad：flag_enc = flag ^ m。要想拿到flag，就必须先算出m。

而m给出了两个签名，一是正常签名sig_ok，由RSA私钥d进行签名：

s=m^d\pmod{n}

二是故障签名sig_fault，这里使用了CRT加速签名的变体，但是再计算q分量时引入了错误（s_q = random）。

正确：

s_p\equiv m^{d}\pmod{p}

使得组合出的sig_fault在模p下正确，在模q下错误：

sig_{fault}=（s_q+q*((s_p-s_q)*q^{-1}\pmod{p})\pmod{n}

接着LCG混淆层生成了一个随机种子seed，给出了一个已知a，b，mod的LCG生成器，mix函数中将输入的数据按 8 字节分组，反转后和LCG生成的随机字节进行异或。

题目给出了

解密思路

利用Bellcore Attack作为验证标准爆破出seed，从而恢复真实签名，再恢复m和flag。

首先只能爆破出LCG种子，种子的范围上给出了seed_hint = seed % 97，范围的话暂时只能定在p以下。然后验证标准就要使用Bellcore Attack也就是故障攻击的原理：

gcd(|S-S'|, n)=p

所以在爆破时同时解混淆得到两个签名，计算差值与n的最大公约数，如果位数为 512 位说明seed正确且成功分解n。

拿到seed后拿正确签名恢复m即可。

exp.py：

1
import json
2
from math import gcd
3
from tqdm import trange
4
from Crypto.Util.number import long_to_bytes, bytes_to_long, inverse
5

6
A = 1103515245
7
B = 12345
8
MOD = 2 ** 31
9

10
def lcg(s):
11
    while True:
12
        s = (A * s + B) % MOD
13
        yield s & 0xFF
14

15
def unmix(mixed_hex, seed):
16
    data = bytes.fromhex(mixed_hex)
17
    g = lcg(seed)
18
    o = bytearray()
19
    for i in range(0, len(data), 8):
20
        chunk = data[i:i + 8]
21
        xor_chunk = bytearray()
22
        for x in chunk:
23
            xor_chunk.append(x ^ next(g))
24
        o.extend(xor_chunk[::-1])
25
    return bytes(o)
26

27
data = json.load(open("challenge.json", "r"))
28
n = int(data["n"], 16)
29
e = data["e"]
30
sig_ok_hex = data["sig_ok_mixed"]
31
sig_fault_hex = data["sig_fault_mixed"]
32
flag_enc = int(data["flag_enc"], 16)
33
seed_hint = data["seed_hint"]
34
start_seed = seed_hint if seed_hint != 0 else 97
35
if start_seed < 1: start_seed += 97
36
found_p = None
37
real_seed = None
38
real_sig_ok = None
39
for s in trange(start_seed, 2 ** 31, 97):
40
    bytes_ok = unmix(sig_ok_hex, s)
41
    val_ok = bytes_to_long(bytes_ok)
42
    if val_ok >= n:
43
        continue
44
    bytes_fault = unmix(sig_fault_hex, s + 123456)
45
    val_fault = bytes_to_long(bytes_fault)
46
    if val_fault >= n:
47
        continue
48
    diff = abs(val_ok - val_fault)
49
    if diff == 0:
50
        continue
51
    p = gcd(diff, n)
52
    if 1 < p < n:
53
        found_p = p
54
        real_seed = s
55
        real_sig_ok = val_ok
56
        print(f"[+] Found Seed: {s}")
57
        break
58
if found_p:
59
    m = pow(real_sig_ok, e, n)
60
    flag = flag_enc ^ m
61
    print(long_to_bytes(flag).decode())
62
#   0%|          | 131/22139007 [00:00<24:06, 15304.69it/s]
63
# [+] Found Seed: 12720
64
# flag{de5b8aec-6294-42dd-8038-18e0854e3d22}

weak_leak#

题目：

1
from Crypto.Util.number import getPrime, bytes_to_long
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import pad
4
from hashlib import sha256
5
import os, base64, random
6
from math import gcd
7

8
e = 65537
9
LCG_A, LCG_B, LCG_MOD = 1103515245, 12345, 10007
10
SECRET_VALUE = 1234
11

12
password = f"{random.randint(0,999999):06d}"
13
salt = os.urandom(8).hex()
14
hash_val = sha256((salt + password).encode()).hexdigest()
15

16
def gen_seq(seed,a,b,m,length):
17
    seq=[seed % m]
18
    for _ in range(length-1):
19
        nxt=(a*seq[-1]+b) % m
20
        nxt ^= (seq[-1] & 0xff)
21
        seq.append(nxt)
22
    return seq
23

24
lcg_seed = (int(password) ^ SECRET_VALUE) % LCG_MOD
25
seq = gen_seq(lcg_seed, LCG_A, LCG_B, LCG_MOD, 15)
26
seq_prefix = seq[:7]
27
seq9 = seq[9]
28

29
BITS = 256
30
p = getPrime(BITS)
31
q = getPrime(BITS)
32
n = p * q
33
n1 = p * (q + 1)
34
n2 = (p + 1) * q + seq9
35

36
aes_key = os.urandom(16)
37
mask_bytes = sha256(str(seq9).encode()).digest()[:16]
38
masked_key_int = bytes_to_long(aes_key) ^ bytes_to_long(mask_bytes)
39

40
cipher_rsa = pow(masked_key_int, e, n)
41

42
FLAG = b"flag{7980dd68-c028-439d-8f33-3b4e4cfeeb55}"
43
iv = os.urandom(16)
44
cipher = AES.new(aes_key, AES.MODE_CBC, iv)
45
ct = cipher.encrypt(pad(FLAG,16))
46

47

48
print("salt:", salt)
49
print("hash:", hash_val)
50
print("n1:", n1)
51
print("n2:", n2)
52
print("seq_prefix:", ",".join(str(x) for x in seq_prefix))
53
print("cipher_rsa:", cipher_rsa)
54
print("iv:", base64.b64encode(iv).decode())
55
print("ciphertext:", base64.b64encode(ct).decode())
56
'''
57
salt: ...
58
hash: ...
59
n1: ...
60
n2: ...
61
seq_prefix: ...
62
cipher_rsa: ...
63
iv: ...
64
ciphertext: ...
65
'''

送flag的题二。先是一个hash爆破，解出的password用于LCG的种子，然后由变种LCG算法生成序列，求得seq9用于后续加密，然后是一个简单的RSA，给出了n1和n2两个hint，联立求解方程就行。最后按流程恢复aes_key，求解密文。

exp.py：

1
from Crypto.Util.number import long_to_bytes, inverse
2
from Crypto.Util.Padding import unpad
3
from Crypto.Cipher import AES
4
from base64 import b64decode
5
from sympy import symbols, Eq, solve
6
from hashlib import sha256
7
from tqdm import trange
8

9
salt = "..."
10
target_hash = "..."
11
n1 = ...
12
n2 = ...
13
cipher_rsa = ...
14
iv_b64 = "..."
15
ct_b64 = "..."
16
LCG_A, LCG_B, LCG_MOD = 1103515245, 12345, 10007
17
SECRET_VALUE = 1234
18
e = 65537
19
for i in trange(1000000):
20
    candidate = f"{i:06d}"
21
    h = sha256((salt + candidate).encode()).hexdigest()
22
    if h == target_hash:
23
        password_str = candidate
24
        print(f"[+] Found password: {password_str}")
25
        break
26

27
def gen_seq(seed, a, b, m, length):
28
    seq = [seed % m]
29
    for _ in range(length - 1):
30
        nxt = (a * seq[-1] + b) % m
31
        nxt ^= (seq[-1] & 0xff)
32
        seq.append(nxt)
33
    return seq
34
lcg_seed = (int(password_str) ^ SECRET_VALUE) % LCG_MOD
35
seq = gen_seq(lcg_seed, LCG_A, LCG_B, LCG_MOD, 15)
36
seq9 = seq[9]
37
print(f"[+] Recovered seq9: {seq9}")
38

39
val_b = n2 - seq9  # val_b = pq + q
40
delta = n1 - val_b # delta = (pq + p) - (pq + q) = p - q
41
p, q = symbols("p q")
42
eq1 = Eq(p * (q + 1), n1)
43
eq2 = Eq((p + 1) * q + seq9, n2)
44
p, q = solve([eq1, eq2], p, q)[1]
45
p, q = int(p), int(q)
46
n = p * q
47
phi = (p - 1) * (q - 1)
48
d = inverse(e, phi)
49
masked_key_int = pow(cipher_rsa, d, n)
50

51
mask_bytes = sha256(str(seq9).encode()).digest()[:16]
52
mask_int = int.from_bytes(mask_bytes, 'big')
53
aes_key_int = masked_key_int ^ mask_int
54
aes_key = long_to_bytes(aes_key_int)
55
print(f"[+] Recovered AES Key: {aes_key.hex()}")
56

57
iv, ct = b64decode(iv_b64), b64decode(ct_b64)
58
cipher = AES.new(aes_key, AES.MODE_CBC, iv)
59
plaintext = unpad(cipher.decrypt(ct), 16)
60
print(plaintext.decode())
61
#  38%|███▊      | 384457/1000000 [00:00<00:00, 1186476.50it/s]
62
# [+] Found password: 384457
63
# [+] Recovered seq9: 2191
64
# [+] Recovered AES Key: ab2553cc5412343bdbd1607770492fcf
65
# flag{7980dd68-c028-439d-8f33-3b4e4cfeeb55}

babyrsa#

题目：

1
from Crypto.Util.number import *
2
import decimal
3
m=long_to_bytes("?????")
4
p=getPrime(1024)
5
while True:
6
    q=getPrime(1024)
7
    if p>q:
8
        break
9
n=p*q
10
e="?????"
11
d=inverse(e,(p-1)*(q-1))
12
c=pow(m,e,n)
13
decimal.getcontext().prec = 1024
14
P=decimal.Decimal(p)
15
Q=decimal.Decimal(q)
16
leak=decimal.Decimal((3*P*P-1)/(3*P*Q))
17
print("c =",c)
18
print("leak =",leak)
19
print("d =",d)
20
#leak = ...
21
#d = ...
22
#c= ...

BaseCTF 2024 Week 3 - wiener?

基本和原题一样，直接给个链接。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import *
3

4
leak = ...
5
d = ...
6
c = ...
7
cf = continued_fraction(leak)
8
convers = cf.convergents()
9
for pkd in convers:
10
    pp, pq = pkd.as_integer_ratio()
11
    pp = int(pp)
12
    if pp.bit_length() == 1024 and isPrime(pp):
13
        flag = long_to_bytes(int(pow(c, d, pp)))
14
        if b'flag' in flag:
15
            print(flag.decode())
16
            break
17
# flag{th1s_1s_4_ture_fl4g}

PECO#

题目：

1
from Crypto.Util.number import *
2
from secret import FLAG,x,y
3

4
f0= bytes_to_long(FLAG[:len(FLAG)//2].encode())
5
f1= bytes_to_long(FLAG[len(FLAG)//2:].encode())
6

7
n= int(...)
8
c= int(...)
9
gift1= int(...)
10
gift2= int(...)
11

12

13
m=getPrime(1876)
14
p=getPrime(1024)
15
q=getPrime(1024)
16
print(p,q)
17
n=p*q
18
e=65537
19
c=pow(m,e,n)
20
print('n=',n)
21
print('c=',c)
22
print('gift1=',1293023064232431070902426583269468463*x**2-105279230912868770223946474836383391725923*y**2)
23
print('gift2=',(p**7+q**13)&(2**777-1))
24

25
assert (x*f0+y*f1)%m <2**99

求解思路整体大概就是四步：求解 Pell 方程，Hensel Lifting 恢复p_low，CopperSmith 打出p，格攻击恢复f0和f1。

求解 Pell 方程

题目给出了gift1的关系式如下：

gift_1=A\cdot x^2-B\cdot y^2

而仔细观察会发现，A = gift1，此方程就可以转化为标准的佩尔方程：

x^2-\frac{B}{A}y^2=1

我们可以计算 $\sqrt{B/A}$ 的连分数展开，通过连分数找到满足方程的最小解(x, y)。

Hensel Lifting 恢复 p_low & CopperSmith 打出 p

题目给出了gift2的关系式如下：

\begin{align} gift_2=(p^7+q^{13})\&(2^{777}-1)\\ \Rightarrow p^7+q^{13}\equiv gift_2\pmod{2^{777}}\\ \Rightarrow p^7+(n\cdot p^{-1})^{13}\equiv gift_2\pmod{2^{777}}\\ \Rightarrow p^7+n^{13}\cdot p^{-13}-gift_2\equiv 0\pmod{2^{777}}\\ \Rightarrow p^{20}-gift_2\cdot p^{13}+n^{13}\equiv 0\pmod{2^{777}} \end{align}

直接用 SageMath 的roots()方法可以求出p的低 777 位，剩余的约 247 位直接 CopperSmith 打就行，打出p了就可以求出m了。

格

最后给了一个约束条件：

(x\cdot f_0+y\cdot f_1)\pmod{m}<2^{99}

即存在小整数k和小整数diff(0 <= diff < 2 ** 99)使得：

x\cdot f_0+y\cdot f_1-k\cdot m=diff

直接构格打（m很大，直接打就行不用配平）：

M=\begin{bmatrix} 1 & 0 & x\\ 0 & 1 & y\\ 0 & 0 & m \end{bmatrix}

(f_0,f_1,-k)M=(f_0,f_1,diff)

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3

4
n = ...
5
c = ...
6
gift1 = ...
7
coeff_x = ...
8
coeff_y = ...
9
gift2 = ...
10
e = 65537
11
# Pell
12
D = QQ(coeff_y) / QQ(coeff_x)
13
sqrt_D = sqrt(D)
14
cf = continued_fraction(sqrt_D)
15
x_pell, y_pell = 0, 0
16
for convers in cf.convergents():
17
    num = convers.numerator()
18
    den = convers.denominator()
19
    if coeff_x * num ** 2 - coeff_y * den ** 2 == gift1:
20
        x_pell = int(num)
21
        y_pell = int(den)
22
        break
23
# Hensel Lifting
24
mod_poly = 2 ** 777
25
PR.<x> = PolynomialRing(Zmod(mod_poly))
26
f = x ** 20 - gift2 * x ** 13 + n ** 13
27
plow = int(f.roots(multiplicities=False)[0])
28
# CopperSmith
29
PR.<x> = PolynomialRing(Zmod(n))
30
f = x * 2 ** 777 + plow
31
phigh = int(f.monic().small_roots(X=2**247, beta=0.4, epsilon=0.01)[0])
32
p = int(phigh * 2 ** 777 + plow)
33
q = n // p
34
assert p * q == n
35
phi = (p - 1) * (q - 1)
36
d = inverse_mod(e, phi)
37
m = int(pow(c, d, n))
38
# Lattice
39
M = Matrix(ZZ, [[1, 0, x_pell],
40
                [0, 1, y_pell],
41
                [0, 0, m]])
42
f = M.LLL()[0]
43
print(long_to_bytes(abs(int(f[0]))).decode() + long_to_bytes(abs(int(f[1]))).decode())
44
# flag{p4ssword_b1g_snake!!}

budo的pem(*)#

public.pem：

1
1b0a79b5f7bdf1088a4f77a10b13ad8a3671dbff92
2
0013137fc5e2975a581cd87bcc8515d873bfaec4334cb1c31b16206316f92cbe449fae811574113e5eb2ed0153d1fccb80a0210e8076e1c5fbf6afabbea73ad1805c0a1b20c70cf2c13bfe03
3

4
028201    # e
5
00705509ec283dc94e3bbe85ca1e36858586721f3d1a8d67813451e160728cc87e73a5f16a3c4ed3efb553ede15d5401de32c265cc4902a6666a3b7d8e9844b9cb2a1ffc4479df0d0f1ee992718493ad47cb289df206337a063a0fb0d75f66a0998120a0227b4ac01000eee0e8e60012aa6ab613fb92b373922ee3285b6cbd429a3bf8a63172090e146b19cf190af15abe6573e99abbfd01695f800c2cf47063ef7fec9e6960f91968243b6732ae431a3ef408ea027e3e7cd446e33d430f18edbad8c65f754b064a83cc0ff81d794726c5c1f7d39ff91a79cd3a7e18fe26f3cfa23de3349fcb44d7084a05e79aed9890adeae932d3e7789d020832432362b1e125

private.pem：

1
3082046d  # Begin Sequence: len=0x046d
2
0201    # Version: (len=0x01)
3
00
4

5
02820101  # n
6
00d81db195024c9bd03dd856656ad119fa19a0a77120bf10d9c402f4eb3dc798b611fdd9c209c17d87939fa92fb0e8c1147323227dd2edd81b40f682a54de1035f0af03a660ec1b34db68884d038e2e1afaab79546d47250fd30d2a70a7ffd83f1138f353ec94f58bf2b3448f8c4d332419e3e1a32cf731dcedb66ec1fc40afdfe3a05ad2d1cf4f766a642cb64690b45e2b646563afb6dfdf599df84838b711f
7
1b0a79b5f7bdf1088a4f77a10b13ad8a3671dbff92

蛮抽象的，大e和n，比赛实在没想到，要把n结合公私钥拼起来hhhh，Boneh直接打就行，m设 6 就够。

exp.py：

1
from __future__ import print_function
2
import time
3

4
############################################
5
# Config
6
##########################################
7

8
"""
9
Setting debug to true will display more informations
10
about the lattice, the bounds, the vectors...
11
"""
12
debug = True
13

14
"""
15
Setting strict to true will stop the algorithm (and
16
return (-1, -1)) if we don't have a correct
17
upperbound on the determinant. Note that this
18
doesn't necesseraly mean that no solutions
19
will be found since the theoretical upperbound is
20
usualy far away from actual results. That is why
21
you should probably use `strict = False`
22
"""
23
strict = False
24

25
"""
26
This is experimental, but has provided remarkable results
27
so far. It tries to reduce the lattice as much as it can
28
while keeping its efficiency. I see no reason not to use
29
this option, but if things don't work, you should try
30
disabling it
31
"""
32
helpful_only = True
33
dimension_min = 7 # stop removing if lattice reaches that dimension
34

35
############################################
36
# Functions
37
##########################################
38

39
# display stats on helpful vectors
40
def helpful_vectors(BB, modulus):
41
    nothelpful = 0
42
    for ii in range(BB.dimensions()[0]):
43
        if BB[ii,ii] >= modulus:
44
            nothelpful += 1
45

46
    print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
47

48
# display matrix picture with 0 and X
49
def matrix_overview(BB, bound):
50
    for ii in range(BB.dimensions()[0]):
51
        a = ('%02d ' % ii)
52
        for jj in range(BB.dimensions()[1]):
53
            a += '0' if BB[ii,jj] == 0 else 'X'
54
            if BB.dimensions()[0] < 60:
55
                a += ' '
56
        if BB[ii, ii] >= bound:
57
            a += '~'
58
        print(a)
59

60
# tries to remove unhelpful vectors
61
# we start at current = n-1 (last vector)
62
def remove_unhelpful(BB, monomials, bound, current):
63
    # end of our recursive function
64
    if current == -1 or BB.dimensions()[0] <= dimension_min:
65
        return BB
66

67
    # we start by checking from the end
68
    for ii in range(current, -1, -1):
69
        # if it is unhelpful:
70
        if BB[ii, ii] >= bound:
71
            affected_vectors = 0
72
            affected_vector_index = 0
73
            # let's check if it affects other vectors
74
            for jj in range(ii + 1, BB.dimensions()[0]):
75
                # if another vector is affected:
76
                # we increase the count
77
                if BB[jj, ii] != 0:
78
                    affected_vectors += 1
79
                    affected_vector_index = jj
80

81
            # level:0
82
            # if no other vectors end up affected
83
            # we remove it
84
            if affected_vectors == 0:
85
                print("* removing unhelpful vector", ii)
86
                BB = BB.delete_columns([ii])
87
                BB = BB.delete_rows([ii])
88
                monomials.pop(ii)
89
                BB = remove_unhelpful(BB, monomials, bound, ii-1)
90
                return BB
91

92
            # level:1
93
            # if just one was affected we check
94
            # if it is affecting someone else
95
            elif affected_vectors == 1:
96
                affected_deeper = True
97
                for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
98
                    # if it is affecting even one vector
99
                    # we give up on this one
100
                    if BB[kk, affected_vector_index] != 0:
101
                        affected_deeper = False
102
                # remove both it if no other vector was affected and
103
                # this helpful vector is not helpful enough
104
                # compared to our unhelpful one
105
                if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):
106
                    print("* removing unhelpful vectors", ii, "and", affected_vector_index)
107
                    BB = BB.delete_columns([affected_vector_index, ii])
108
                    BB = BB.delete_rows([affected_vector_index, ii])
109
                    monomials.pop(affected_vector_index)
110
                    monomials.pop(ii)
111
                    BB = remove_unhelpful(BB, monomials, bound, ii-1)
112
                    return BB
113
    # nothing happened
114
    return BB
115

116
"""
117
Returns:
118
* 0,0   if it fails
119
* -1,-1 if `strict=true`, and determinant doesn't bound
120
* x0,y0 the solutions of `pol`
121
"""
122
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
123
    """
124
    Boneh and Durfee revisited by Herrmann and May
125

126
    finds a solution if:
127
    * d < N^delta
128
    * |x| < e^delta
129
    * |y| < e^0.5
130
    whenever delta < 1 - sqrt(2)/2 ~ 0.292
131
    """
132

133
    # substitution (Herrman and May)
134
    PR.<u, x, y> = PolynomialRing(ZZ)
135
    Q = PR.quotient(x*y + 1 - u) # u = xy + 1
136
    polZ = Q(pol).lift()
137

138
    UU = XX*YY + 1
139

140
    # x-shifts
141
    gg = []
142
    for kk in range(mm + 1):
143
        for ii in range(mm - kk + 1):
144
            xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk
145
            gg.append(xshift)
146
    gg.sort()
147

148
    # x-shifts list of monomials
149
    monomials = []
150
    for polynomial in gg:
151
        for monomial in polynomial.monomials():
152
            if monomial not in monomials:
153
                monomials.append(monomial)
154
    monomials.sort()
155

156
    # y-shifts (selected by Herrman and May)
157
    for jj in range(1, tt + 1):
158
        for kk in range(floor(mm/tt) * jj, mm + 1):
159
            yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)
160
            yshift = Q(yshift).lift()
161
            gg.append(yshift) # substitution
162

163
    # y-shifts list of monomials
164
    for jj in range(1, tt + 1):
165
        for kk in range(floor(mm/tt) * jj, mm + 1):
166
            monomials.append(u^kk * y^jj)
167

168
    # construct lattice B
169
    nn = len(monomials)
170
    BB = Matrix(ZZ, nn)
171
    for ii in range(nn):
172
        BB[ii, 0] = gg[ii](0, 0, 0)
173
        for jj in range(1, ii + 1):
174
            if monomials[jj] in gg[ii].monomials():
175
                BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)
176

177
    # Prototype to reduce the lattice
178
    if helpful_only:
179
        # automatically remove
180
        BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)
181
        # reset dimension
182
        nn = BB.dimensions()[0]
183
        if nn == 0:
184
            print("failure")
185
            return 0,0
186

187
    # check if vectors are helpful
188
    if debug:
189
        helpful_vectors(BB, modulus^mm)
190

191
    # check if determinant is correctly bounded
192
    det = BB.det()
193
    bound = modulus^(mm*nn)
194
    if det >= bound:
195
        print("We do not have det < bound. Solutions might not be found.")
196
        print("Try with highers m and t.")
197
        if debug:
198
            diff = (log(det) - log(bound)) / log(2)
199
            print("size det(L) - size e^(m*n) = ", floor(diff))
200
        if strict:
201
            return -1, -1
202
    else:
203
        print("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")
204

205
    # display the lattice basis
206
    if debug:
207
        matrix_overview(BB, modulus^mm)
208

209
    # LLL
210
    if debug:
211
        print("optimizing basis of the lattice via LLL, this can take a long time")
212

213
    BB = BB.LLL()
214

215
    if debug:
216
        print("LLL is done!")
217

218
    # transform vector i & j -> polynomials 1 & 2
219
    if debug:
220
        print("looking for independent vectors in the lattice")
221
    found_polynomials = False
222

223
    for pol1_idx in range(nn - 1):
224
        for pol2_idx in range(pol1_idx + 1, nn):
225
            # for i and j, create the two polynomials
226
            PR.<w,z> = PolynomialRing(ZZ)
227
            pol1 = pol2 = 0
228
            for jj in range(nn):
229
                pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)
230
                pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)
231

232
            # resultant
233
            PR.<q> = PolynomialRing(ZZ)
234
            rr = pol1.resultant(pol2)
235

236
            # are these good polynomials?
237
            if rr.is_zero() or rr.monomials() == [1]:
238
                continue
239
            else:
240
                print("found them, using vectors", pol1_idx, "and", pol2_idx)
241
                found_polynomials = True
242
                break
243
        if found_polynomials:
244
            break
245

246
    if not found_polynomials:
247
        print("no independant vectors could be found. This should very rarely happen...")
248
        return 0, 0
249

250
    rr = rr(q, q)
251

252
    # solutions
253
    soly = rr.roots()
254

255
    if len(soly) == 0:
256
        print("Your prediction (delta) is too small")
257
        return 0, 0
258

259
    soly = soly[0][0]
260
    ss = pol1(q, soly)
261
    solx = ss.roots()[0][0]
262

263
    #
264
    return solx, soly
265

266
def example():
267
    ############################################
268
    # How To Use This Script
269
    ##########################################
270

271
    #
272
    # The problem to solve (edit the following values)
273
    #
274

275
    # the modulus
276
    N = ...
277
    # the public exponent
278
    e = ...
279

280
    # the hypothesis on the private exponent (the theoretical maximum is 0.292)
281
    delta = .26 # this means that d < N^delta
282

283
    #
284
    # Lattice (tweak those values)
285
    #
286

287
    # you should tweak this (after a first run), (e.g. increment it until a solution is found)
288
    m = 6 # size of the lattice (bigger the better/slower)
289

290
    # you need to be a lattice master to tweak these
291
    t = int((1-2*delta) * m)  # optimization from Herrmann and May
292
    X = 2*floor(N^delta)  # this _might_ be too much
293
    Y = floor(N^(1/2))    # correct if p, q are ~ same size
294

295
    #
296
    # Don't touch anything below
297
    #
298

299
    # Problem put in equation
300
    P.<x,y> = PolynomialRing(ZZ)
301
    A = int((N+1)/2)
302
    pol = 1 + x * (A + y)
303

304
    #
305
    # Find the solutions!
306
    #
307

308
    # Checking bounds
309
    if debug:
310
        print("=== checking values ===")
311
        print("* delta:", delta)
312
        print("* delta < 0.292", delta < 0.292)
313
        print("* size of e:", int(log(e)/log(2)))
314
        print("* size of N:", int(log(N)/log(2)))
315
        print("* m:", m, ", t:", t)
316

317
    # boneh_durfee
318
    if debug:
319
        print("=== running algorithm ===")
320
        start_time = time.time()
321

322
    solx, soly = boneh_durfee(pol, e, m, t, X, Y)
323

324
    # found a solution?
325
    if solx > 0:
326
        print("=== solution found ===")
327
        if False:
328
            print("x:", solx)
329
            print("y:", soly)
330

331
        d = int(pol(solx, soly) / e)
332
        print("private key found:", d)
333
        from Crypto.Util.number import bytes_to_long, long_to_bytes
334
        c = bytes_to_long(open("enc", "rb").read())
335
        m = int(pow(c, d, N))
336
        print(long_to_bytes(m).decode())
337
    else:
338
        print("=== no solution was found ===")
339

340
    if debug:
341
        print(("=== %s seconds ===" % (time.time() - start_time)))
342

343
if __name__ == "__main__":
344
    example()
345
# flag{RSA_key_rebuild_success}

RandomAudit(*)#

呃，我真的会无语…

题目描述

某内部审计系统号称“全部采用自研高强度密码模块”，为了节省日志空间，他们把敏感日志 AES 加密后上传，又用 RSA 对关键密钥做了“备份加密”，最后还用“秘密分享”来保护真正的 FLAG。不幸的是，开发同学对“随机数”和“密码学”理解似乎有点……偏差。你从审计服务器上拿到了以下文件你的任务是：从这些文件中还原出最终的 flag。

看zsm师傅和chenxing师傅的博客试着复现复现hhhh，比赛反正我下午看的时候只有 1 解，不知道是哪位师傅的。

给了四个文件aes_ct.txt，rsa_pub.txt，session_ids.txt，shares.enc，我这就不整理思路了，相当于在两位师傅的思路基础上直接说解题过程了。

session_ids.txt里的五个随机数是LCG的五个状态，所以我们可以根据这五个状态恢复求解器，然后往下生成四个状态，第三四两个随机数拼接在一起就是已知的iv，所以猜测第一二两个随机数拼接在一起是key，然后使用 AES-CTR 模式解密aes_ct.txt得到rsa_seed。这个seed是生成p和q的Random对象的种子。由此可以得到p和q，结合rsa_pub.txt解出shares.enc的三个数值，是等差数列，他们的固定diff转十六进制加上-构成的uuid就是flag。

exp.py：

1
# LCG
2
state = [18180927788752802137, 17282895955721322606, 6099480220253429739, 6300661433352782096, 16375414315099041565]
3
# all 64 bit
4
p = 2 ** 64
5
a = (state[2] - state[1]) * pow(state[1] - state[0], -1, p) % p
6
b = (state[1] - a * state[0]) % p
7
print(f"{a = }")
8
print(f"{b = }")
9
print(f"{p = }")
10
# a = 2985016781437487305
11
# b = 7999203871274490253
12
# p = 18446744073709551616
13
a = 2985016781437487305
14
b = 7999203871274490253
15
p = 18446744073709551616
16
new_state = []
17
state = 16375414315099041565
18
for i in range(4):
19
    state = (a * state + b) % p
20
    new_state.append(state)
21
for i in new_state:
22
    print(f"state {new_state.index(i)}: {hex(i)[2:]}")
23
# state 0: e18e0b036273ff52
24
# state 1: 1ae1729d164360ef
25
# state 2: 42c92a1cdbb02d34 iv[:16]
26
# state 3: 7b4b12b9609cf761 iv[16:]
27

28
# AES CTR
29
from Crypto.Cipher import AES
30
from Crypto.Util import Counter
31

32
key = bytes.fromhex("e18e0b036273ff521ae1729d164360ef")
33
iv = bytes.fromhex("42c92a1cdbb02d347b4b12b9609cf761")
34
ciphertext = bytes.fromhex("1268d5a5513b091aa91bd263479e066b07fadc2fbbe45bef3c551f5743df6290efac6008efec815a92d781f56d46a70c")
35
counter = Counter.new(128, initial_value=int(iv.hex(), 16))
36
cipher = AES.new(key=key, mode=AES.MODE_CTR, counter=counter)
37
pt = cipher.decrypt(ciphertext).decode()
38
print(pt)
39
# rsa_seed=106141198856029082317733263764736461207
40

41
# RSA
42
import random
43
from Crypto.Util.number import long_to_bytes, inverse
44

45
rsa_seed = 106141198856029082317733263764736461207
46
n = 14448446619901911082459007889685721725680439060725350743569322155645458011734556057675947993220704371020476516568646586885283913148938740926737898805445614714032672445417590527807998210095698512153249389800494251979617943578391716055258550807448612914300134993287344474991004931078983886017648843976928491853922545681367649020611719416129281298024839864263193236272253977406788185152922537075953161349835965958367362419140954183280033874927397931106816815848243331537133623628059136650221110030928439294443459932885523261901634369102152105618433841943766668404214910274232926198895411937001894534370492568479216945821
47
print(n.bit_length())
48
# 2047
49
e = 65537
50
enc = [10490446977619103069001003040486311071978258142421336052507257522875474797470114964826023919192727268692922256856652858277992495171032562230040420656266197389810578603393339709249435149905947489583447642314971169203129701324545382296605329968093805623085091037041383918898863606006040657610555353505097417933879241971194430768615532922845973883691987688479825332766028800851528002249541074495918035787961557869335382147521674475402254162082487461333820079507872678735070636201634641388295625530938494923015901907636472951311020506187207731872422229080880406432931064027509903450627233085289319384639770111853961194173,
51
       743543530169071239116476194995130287577397444839878381190323439278920253193070703147739971809232103531663814326885396949461522610039497489729382962956546531947712520339554515115672653928505197575781138133407250554871658829577958508307679587210232844184449562790093797350878222669855209441010484097564691896453015601662453896822719270868321247424008816580067245157535459310278265418077691933129567685517708559976634296731742166139336765265993523200086705895447733895631261834250507718941102582843992200156414235064121973675311925953582587558104979368104990418797298789916260850166852409948945330444433345847549654807,
52
       2029042383383543423822480961040444011316223475888350349028507603033900194528521850810498682278559241519416272300206175404920960777005556199927430201052663390710468284846655098680434563893510099837791622819154273540446883979349265553248678057937124051615313506877155912975894736822847688340682915149135134624117775360734190231872747665460355709192535066382845245616076861873767871845621325187272538154068026983469680440318851689871048209435452483669288691299287219165436861956437625332354783255272742721764184259145427360294854601680425317982867911864451490378130715517007586443259629430886305855145096221339953320736]
53
random.seed(rsa_seed)
54
for i in range(1000):
55
    p = random.getrandbits(1024)
56
    if n % p == 0:
57
        print(f"{i = }")
58
        print(f"{p = }")
59
        break
60
q = n // p
61
phi = (p - 1) * (q - 1)
62
d = inverse(e, phi)
63
for c in enc:
64
    m = pow(c, d, n)
65
    print(f"m{enc.index(c)} = {m}")
66
# i = 731
67
# p = 90609714628980382832928314067735122109537000815405703652905812504340171456915234535659504024209916610947095995757554416998229460671634350728278188486124871962281306292021145245327286154856863282195166928593488382708996274001548097657625671236135154197435672004124259946571008184688393674125715687022036411833
68
# m0 = 123456789012345678901234567890123456775
69
# m1 = 246913578024691357802469135780246913564
70
# m2 = 370370367037037036703703703670370370353
71
m0 = 123456789012345678901234567890123456775
72
m1 = 246913578024691357802469135780246913564
73
m2 = 370370367037037036703703703670370370353
74
assert m2 - m1 == m1 - m0
75
flag = hex(m2 - m1)[2:]
76
print("flag{" + flag[:8] + "-" + flag[8:12] + "-" + flag[12:16] + "-" + flag[16:20] + "-" + flag[20:] + "}")
77
# flag{5ce0e9a5-6015-fec5-aadf-a328ae398115}

PS#

笑的，送两道题，一道对脑电波的场景题，难评。

持续更新中~

Crypto#

true_of_false#

weak_leak#

babyrsa#

PECO#

budo的pem(*)#

RandomAudit(*)#

PS#