每天一题，只能多不能少

[强网杯2019] Copperstudy

题目分析

RSA套娃，各种类型的RSA，对于我现在的水平来说真的是难于上青天。鉴于道奇时隔32年又夺冠军（28日的事了），今天就先记录下来。以后慢慢看

1. hash破解
2. e=3
3. 已知p高位攻击
4. 已知d低位攻击
5. 低加密指数广播攻击
6. m高位相同，高位相同的m，短填充攻击Coppersmith Shortpad Attack
7. Boneh and Durfee attack

开始

1.题目

给出一个远端环境，nc过去即可

2.第0层

[+]proof: skr=os.urandom(8)
[+]hashlib.sha256(skr).hexdigest()=b9f5a36134ba3b3b9a41c3ee519899f39fd85f231d9cb2d6c34415fcebe0aa8c
[+]skr[0:5].encode('hex')=13a03f1f32
[-]skr.encode('hex')=

破解一个原文8个字符的sha256，已知前5个字符。
使用hashcat爆破，记得加上–force参数，至少我这里是需要加上的，不然一直提示“No devices found/left.”

hashcat64.exe -a 3 --hex-salt -m 1420 b9f5a36134ba3b3b9a41c3ee519899f39fd85f231d9cb2d6c34415fcebe0aa8c:13a03f1f32 --potfile-disable ?b?b?b  -o res3.txt --outfile-format=2 --force

拼接即可

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 22:33
# @Author : A.James
# @FileName: tt0.py
import os
path="hashcat-5.1.0\\"
str1='b9f5a36134ba3b3b9a41c3ee519899f39fd85f231d9cb2d6c34415fcebe0aa8c'
str2='13a03f1f32'
with open(path+"res3.txt", 'r') as f:lines = f.readlines()last_line = lines[-1]#print(last_line)if(last_line[0:4]=="$HEX"):print(str2+last_line[5:11])else:print(str2+hex(last_line))

得到

13a03f1f321bdb17

输入，进入第1层

3.第1层

给出

[+]Generating challenge 1[+]n=13112061820685643239663831166928327119579425830632458568801544406506769461279590962772340249183569437559394200635526183698604582385769381159563710823689417274479549627596095398621182995891454516953722025068926293512505383125227579169778946631369961753587856344582257683672313230378603324005337788913902434023431887061454368566100747618582590270385918204656156089053519709536001906964008635708510672550219546894006091483520355436091053866312718431318498783637712773878423777467316605865516248176248780637132615807886272029843770186833425792049108187487338237850806203728217374848799250419859646871057096297020670904211 [+]e=3[+]m=random.getrandbits(512)[+]c=pow(m,e,n)=15987554724003100295326076036413163634398600947695096857803937998969441763014731720375196104010794555868069024393647966040593258267888463732184495020709457560043050577198988363754703741636088089472488971050324654162166657678376557110492703712286306868843728466224887550827162442026262163340935333721705267432790268517[+]((m>>72)<<72)=2519188594271759205757864486097605540135407501571078627238849443561219057751843170540261842677239681908736[-]long_to_bytes(m).encode('hex')=

e=3的套路直接上

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 18:26
# @Author : A.James
# @FileName: tt1.pyfrom Crypto.Util.number import *
import gmpy2
import binascii
c=15987554724003100295326076036413163634398600947695096857803937998969441763014731720375196104010794555868069024393647966040593258267888463732184495020709457560043050577198988363754703741636088089472488971050324654162166657678376557110492703712286306868843728466224887550827162442026262163340935333721705267432790268517
m = gmpy2.iroot(c,3)[0]
print(long_to_bytes(m))
mm ='FLAG{2^8rsa7589693fc689c77c5f5262d654272427}'
print(binascii.hexlify(long_to_bytes(m)))

得到

b'464c41477b325e3872736137353839363933666336383963373763356635323632643635343237323432377d'

输入hex部分，进入第2关

4.第2层

给出：

[+]Generating challenge 2[+]n=12784625729032789592766625203074018101354917751492952685083808825504221816847310910447532133616954262271205877651255598995305639194329607493047941212754523879402744065076183778452640602625242851184095546100200565113016690161053808950384458996881574266573992526357954507491397978278604102524731393059303476350167738237822647246425836482533150025923051544431330502522043833872580483142594571802189321599016725741260254170793393777293145010525686561904427613648184843619301241414264343057368192416551134404100386155751297424616254697041043851852081071306219462991969849123668248321130382231769250865190227630009181759219 [+]e=65537[+]m=random.getrandbits(512)[+]c=pow(m,e,n)=627824086157119245056478875800598959553774250161670787506083253960788230737588761787385686125828765665617567887904228030839535317987589608761534500003128247164233774794784231518212804270056404565710426613938264302998015421153393879729263551292024543756422702956470022959537221269172084619081368498693930550456153543628170306324206266216348386707008661128717431426237486511309767286175518238620230507201952867261283880986868752676549613958785288914989429224582849218395471672295410036858881836363364885164276983237312235831591858044908369376855484127614933545955544787160352042318378588039587911741028067576722790778[+]((p>>128)<<128)=97522826022187678545924975588711975512906538181361325096919121233043973599759518562689050415761485716705615149641768982838255403594331293651224395590747133152128042950062103156564440155088882592644046069208405360324372057140890317518802130081198060093576841538008960560391380395697098964411821716664506908672[-]long_to_bytes(m).encode('hex')=

这里的运算时<< >>位移运算，也就是p右移128位再左移128位，右移直接吞左移不足位补零，也就是说这里给出p的最后128位去除补0并转换为10进制的值。
求p、q

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 22:50
# @Author : A.James
# @FileName: tt2.py
p4 = 286593827663265980875510954967316219073448170030900062579915534986706486906458307884391633081975974889868808093084141196610789229262338742207816117361927894904776552676541036673244090334164798443162932914355966770450894047111793505063044583029134192122352988382684883337
n = 12784625729032789592766625203074018101354917751492952685083808825504221816847310910447532133616954262271205877651255598995305639194329607493047941212754523879402744065076183778452640602625242851184095546100200565113016690161053808950384458996881574266573992526357954507491397978278604102524731393059303476350167738237822647246425836482533150025923051544431330502522043833872580483142594571802189321599016725741260254170793393777293145010525686561904427613648184843619301241414264343057368192416551134404100386155751297424616254697041043851852081071306219462991969849123668248321130382231769250865190227630009181759219
pbits = 1024
kbits = pbits - p4.nbits()
print (p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]
print ("x:" ,hex(int(x0)))
p = p4+x0
print ("p: ", hex(int(p)))
assert n % p == 0
q = n/int(p)
print ("q: ", hex(int(q)))

得到

p=0x8ae08a8ccda172cc5768c98c935b06a185a5f86f1020ce864929dd61d0d6511141e94f589b4c10754fe4b278207414caedc5a0c47ca091ef3dad80c15b05776d4c574759b50106585973e7f7cda6d01db4bcfbb671151069287f276bb6c18d04cab2dfccf70a72a5edbc23fd636da989cb609b9f64429a11ce179a7e63951f07
q=0xbaaeffd0d50b8bbd0d9fcb6086388c65473593441b5551f0fdfa8d3a25e7bc7a3a905faeee4ef188c3f249aacbfa9f779efdc23a61542b66ad1ef884152ad7039a090617381793da84eda62f39959f1ed3c71e9fccfbf19c62d53b2a5a2e14d472b5dd10c7c9a0aa051ee14baff0349b96caabdd03516aa7c8b7a692431f11b5

有了p和q就是正常的RSA了。

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:02
# @Author : A.James
# @FileName: tt2-2.py
import gmpy2
import binasciix=0xcb609b9f64429a11ce179a7e63951f07
p=0x8ae08a8ccda172cc5768c98c935b06a185a5f86f1020ce864929dd61d0d6511141e94f589b4c10754fe4b278207414caedc5a0c47ca091ef3dad80c15b05776d4c574759b50106585973e7f7cda6d01db4bcfbb671151069287f276bb6c18d04cab2dfccf70a72a5edbc23fd636da989cb609b9f64429a11ce179a7e63951f07
q=0xbaaeffd0d50b8bbd0d9fcb6086388c65473593441b5551f0fdfa8d3a25e7bc7a3a905faeee4ef188c3f249aacbfa9f779efdc23a61542b66ad1ef884152ad7039a090617381793da84eda62f39959f1ed3c71e9fccfbf19c62d53b2a5a2e14d472b5dd10c7c9a0aa051ee14baff0349b96caabdd03516aa7c8b7a692431f11b5
n = 12784625729032789592766625203074018101354917751492952685083808825504221816847310910447532133616954262271205877651255598995305639194329607493047941212754523879402744065076183778452640602625242851184095546100200565113016690161053808950384458996881574266573992526357954507491397978278604102524731393059303476350167738237822647246425836482533150025923051544431330502522043833872580483142594571802189321599016725741260254170793393777293145010525686561904427613648184843619301241414264343057368192416551134404100386155751297424616254697041043851852081071306219462991969849123668248321130382231769250865190227630009181759219
c = 627824086157119245056478875800598959553774250161670787506083253960788230737588761787385686125828765665617567887904228030839535317987589608761534500003128247164233774794784231518212804270056404565710426613938264302998015421153393879729263551292024543756422702956470022959537221269172084619081368498693930550456153543628170306324206266216348386707008661128717431426237486511309767286175518238620230507201952867261283880986868752676549613958785288914989429224582849218395471672295410036858881836363364885164276983237312235831591858044908369376855484127614933545955544787160352042318378588039587911741028067576722790778e = 65537
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(hex(m))

得到：

464c41477b325e3872736136653237376633353564626536646133656464366633353664326462366436667d

输入进入下一层

5.第3层

给出：

[+]Generating challenge 3[+]n=92896523979616431783569762645945918751162321185159790302085768095763248357146198882641160678623069857011832929179987623492267852304178894461486295864091871341339490870689110279720283415976342208476126414933914026436666789270209690168581379143120688241413470569887426810705898518783625903350928784794371176183 [+]e=3[+]m=random.getrandbits(512)[+]c=pow(m,e,n)=56164378185049402404287763972280630295410174183649054805947329504892979921131852321281317326306506444145699012788547718091371389698969718830761120076359634262880912417797038049510647237337251037070369278596191506725812511682495575589039521646062521091457438869068866365907962691742604895495670783101319608530[+]d&((1<<512)-1)=787673996295376297668171075170955852109814939442242049800811601753001897317556022653997651874897208487913321031340711138331360350633965420642045383644955[-]long_to_bytes(m).encode('hex')=

已知d的低位，上脚本

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:12
# @Author : A.James
# @FileName: tt3.py
def partial_p(p0, kbits, n):PR.<x> = PolynomialRing(Zmod(n))nbits = n.nbits()f = 2^kbits*x + p0f = f.monic()roots = f.small_roots(X=2^(nbits//2-kbits), beta=0.3)  # find root < 2^(nbits//2-kbits) with factor >= n^0.3if roots:x0 = roots[0]p = gcd(2^kbits*x0 + p0, n)return ZZ(p)def find_p(d0, kbits, e, n):X = var('X')for k in range(1, e+1):results = solve_mod([e*d0*X - k*X*(n-X+1) + k*n == X], 2^kbits)for x in results:p0 = ZZ(x[0])p = partial_p(p0, kbits, n)if p:return pif __name__ == '__main__':n = 92896523979616431783569762645945918751162321185159790302085768095763248357146198882641160678623069857011832929179987623492267852304178894461486295864091871341339490870689110279720283415976342208476126414933914026436666789270209690168581379143120688241413470569887426810705898518783625903350928784794371176183e = 3d = 787673996295376297668171075170955852109814939442242049800811601753001897317556022653997651874897208487913321031340711138331360350633965420642045383644955nbits = n.nbits()kbits = d.nbits()print ("lower %d bits (of %d bits) is given" % (kbits, nbits))p = find_p(d, kbits, e, n)q = n//pprint ("d0 = %d" % d)print ("d = %d" % inverse_mod(e, (p-1)*(q-1)))

得到d后就是正常的RSA解密了：

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:14
# @Author : A.James
# @FileName: tt3-2.py
d = 61931015986410954522379841763963945834108214123439860201390512063842165571430799255094107119082046571341221952786658415661511901536119262974324197242727901361853519060099176095718398341546521709753140715090423775413590463159715914497625346364363050316931779727154988269576808476796380941227956316802411370267
n = 92896523979616431783569762645945918751162321185159790302085768095763248357146198882641160678623069857011832929179987623492267852304178894461486295864091871341339490870689110279720283415976342208476126414933914026436666789270209690168581379143120688241413470569887426810705898518783625903350928784794371176183
e = 3
c = 56164378185049402404287763972280630295410174183649054805947329504892979921131852321281317326306506444145699012788547718091371389698969718830761120076359634262880912417797038049510647237337251037070369278596191506725812511682495575589039521646062521091457438869068866365907962691742604895495670783101319608530
m = pow(c,d,n)
print(hex(m))

得到

464c41477b325e3872736135616230383637343566366563373435363139613862363566653465633536307d

输入进入下一层。

6.第4层

给出：

[+]e=3[+]m=random.getrandbits(512)[+]n1=78642188663937191491235684351005990853149481644703243255021321296087539054265733392095095639539412823093600710316645130404423641473150336492175402885270861906530337207734106926328737198871118125840680572148601743121884788919989184318198417654263598170932154428514561079675550090698019678767738203477097731989[+]c1=pow(m,e,n1)=23419685303892339080979695469481275906709035609088426118328601771163101123641599051556995351678670765521269546319724616458499631461037359417701720430452076029312714313804716888119910334476982840024696320503747736428099717113471541651211596481005191146454458591558743268791485623924245960696651150688621664860[+]n2==98174485544103863705821086588292917749386955237408645745685476234349659452606822650329076955303471252833860010724515777826660887118742978051231030080666542833950748806944312437614585352818344599399156268450521239843157288915059003487783576003027303399985723834248634230998110618288843582573006048070816520647[+]c2=pow(m,e,n2)=72080679612442543693944655041130370753964497034378634203383617624269927191363529233872659451561571441107920350406295389613006330637565645758727103723546610079332161151567096389071050158035757745766399510575237344950873632114050632573903701015749830874081198250578516967517980592506626547273178363503100507676[+]n3=91638855323231795590642755267985988356764327384001022396221901964430032527111968159623063760057482761918901490239790230176524505469897183382928646349163030620342744192731246392941227433195249399795012672172947919435254998997253131826888070173526892674308708289629739522194864912899817994807268945141349669311[+]c3=pow(m,e,n3)=22149989692509889061584875630258740744292355239822482581889060656197919681655781672277545701325284646570773490123892626601106871432216449814891757715588851851459306683123591338089745675044763551335899599807235257516935037356212345033087798267959242561085752109746935300735969972249665700075907145744305255616[-]long_to_bytes(m).encode('hex')=

低加密指数广播攻击

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:17
# @Author : A.James
# @FileName: tt4.py
import gmpy2
from functools import reduce
from Crypto.Util.number import *
import binasciidef chinese_remainder(n, a):sum = 0prod = reduce(lambda a, b: a * b, n)for n_i, a_i in zip(n, a):p = prod // n_isum += a_i * gmpy2.invert(p, n_i) * preturn int(sum % prod)
n1=78642188663937191491235684351005990853149481644703243255021321296087539054265733392095095639539412823093600710316645130404423641473150336492175402885270861906530337207734106926328737198871118125840680572148601743121884788919989184318198417654263598170932154428514561079675550090698019678767738203477097731989
c1=23419685303892339080979695469481275906709035609088426118328601771163101123641599051556995351678670765521269546319724616458499631461037359417701720430452076029312714313804716888119910334476982840024696320503747736428099717113471541651211596481005191146454458591558743268791485623924245960696651150688621664860
n2=98174485544103863705821086588292917749386955237408645745685476234349659452606822650329076955303471252833860010724515777826660887118742978051231030080666542833950748806944312437614585352818344599399156268450521239843157288915059003487783576003027303399985723834248634230998110618288843582573006048070816520647
c2=72080679612442543693944655041130370753964497034378634203383617624269927191363529233872659451561571441107920350406295389613006330637565645758727103723546610079332161151567096389071050158035757745766399510575237344950873632114050632573903701015749830874081198250578516967517980592506626547273178363503100507676
n3=91638855323231795590642755267985988356764327384001022396221901964430032527111968159623063760057482761918901490239790230176524505469897183382928646349163030620342744192731246392941227433195249399795012672172947919435254998997253131826888070173526892674308708289629739522194864912899817994807268945141349669311
c3=22149989692509889061584875630258740744292355239822482581889060656197919681655781672277545701325284646570773490123892626601106871432216449814891757715588851851459306683123591338089745675044763551335899599807235257516935037356212345033087798267959242561085752109746935300735969972249665700075907145744305255616n=[n1,n2,n3]
c=[c1,c2,c3]
ans=chinese_remainder(n, c)
ans=gmpy2.iroot(ans,3)[0] # e = 3
print(binascii.hexlify(long_to_bytes(ans)))

得到：

464c41477b325e3872736138633566336366663462633039353334396665633635666332323633653837387d

输入进入下一层

7.第5层

给出：

[+]Generating challenge 5[+]n= 113604829563460357756722229849309932731534576966155520277171862442445354404910882358287832757024693652075211204635679309777620586814014894544893424988818766425089667672311645586528776360047956843961901352792631908859388801090108188344342619580661377758180391734771694803991493164412644148805229529911069578061[+]e=7[+]m=random.getrandbits(512)[+]c=pow(m,e,n)=112992730284209629010217336632593897028023711212853788739137950706145189880318698604512926758021533447981943498594790549326550460216939216988828130624120379925895123186121819609415184887470233938291227816332249857236198616538782622327476603338806349004620909717360739157545735826670038169284252348037995399308[+]x=pow(m+1,e,n)=112992730284209629010217336632593897028023711212853788739137950706145189880318698604512926758021552486915464025361447529153776277710423467951041523831865232164370127602772602643378592695459331174613894578701940837730590029577336924367384969935652616989527416027725713616493815764725131271563545176286794438175[-]long_to_bytes(m).encode('hex')=

高位相同的m，短填充攻击Coppersmith Shortpad Attack

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:24
# @Author : A.James
# @FileName: tt5.py
def short_pad_attack(c1, c2, e, n):PRxy.<x,y> = PolynomialRing(Zmod(n))PRx.<xn> = PolynomialRing(Zmod(n))PRZZ.<xz,yz> = PolynomialRing(Zmod(n))g1 = x^e - c1g2 = (x+y)^e - c2q1 = g1.change_ring(PRZZ)q2 = g2.change_ring(PRZZ)h = q2.resultant(q1)h = h.univariate_polynomial()h = h.change_ring(PRx).subs(y=xn)h = h.monic()kbits = n.nbits()//(2*e*e)diff = h.small_roots(X=2^kbits, beta=0.5)[0]  # find root < 2^kbits with factor >= n^0.5return diffdef related_message_attack(c1, c2, diff, e, n):PRx.<x> = PolynomialRing(Zmod(n))g1 = x^e - c1g2 = (x+diff)^e - c2def gcd(g1, g2):while g2:g1, g2 = g2, g1 % g2return g1.monic()return -gcd(g1, g2)[0]if __name__ == '__main__':n = 113604829563460357756722229849309932731534576966155520277171862442445354404910882358287832757024693652075211204635679309777620586814014894544893424988818766425089667672311645586528776360047956843961901352792631908859388801090108188344342619580661377758180391734771694803991493164412644148805229529911069578061e = 7# nbits = n.nbits()# kbits = nbits//(2*e*e)# print ("upper %d bits (of %d bits) is same" % (nbits-kbits, nbits))# ^^ = bit-wise XOR# http://doc.sagemath.org/html/en/faq/faq-usage.html#how-do-i-use-the-bitwise-xor-operator-in-sage# m1 = randrange(2^nbits)# m2 = m1 ^^ randrange(2^kbits)# c1 = pow(m1, e, n)# c2 = pow(m2, e, n)c1 = 16404985139084147094704300764850430964980485772400565266054075398380588297033201409914512724255440373095027298869259036450071617770755361938461322132693877590521575670718076480353565935028734363256919872879837455527948173237810119579078252909879868459848240229599708133153841801633280283847680255816123323196c2 = 92463268823628386526871956385934776043432833035349654252757452728405540022093349560058649691620353528569690982904353035470935543182784600771655097406007508218346417446808306197613168219068573563402315939576563452451487014381380516422829248470476887447827532913133023890886210295009811931573875721299817276803diff = short_pad_attack(c1, c2, e, n)print ("difference of two messages is %d" % diff)#print (m1)m1 = related_message_attack(c1, c2, diff, e, n)print (m1)#print (m2)print (m1 + diff)

得到

464c41477b325e3872736133393863663864663763323636363162623763623635623262396661653235657d

输入进入最后一层

8.第6层

给出：

[+]Generating challenge 6[+]n=0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L [+]d=random.getrandbits(1024*0.270)[+]e=invmod(d,phin)[+]hex(e)=0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL[+]m=random.getrandbits(512)[+]c=pow(m,e,n)=0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL[-]long_to_bytes(m).encode('hex')=

e很大，d<N的0.292次方
使用Boneh and Durfee attack
直接上github上脚本就行了

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:37
# @Author : A.James
# @FileName: tt6.py
# @Email : alexjames@sina.com
import time############################################
# Config
##########################################"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = True"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct
upperbound on the determinant. Note that this
doesn't necesseraly mean that no solutions
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7  # stop removing if lattice reaches that dimension############################################
# Functions
########################################### display stats on helpful vectors
def helpful_vectors(BB, modulus):nothelpful = 0for ii in range(BB.dimensions()[0]):if BB[ii, ii] >= modulus:nothelpful += 1print nothelpful, "/", BB.dimensions()[0], " vectors are not helpful"# display matrix picture with 0 and X
def matrix_overview(BB, bound):for ii in range(BB.dimensions()[0]):a = ('%02d ' % ii)for jj in range(BB.dimensions()[1]):a += '0' if BB[ii, jj] == 0 else 'X'if BB.dimensions()[0] < 60:a += ' 'if BB[ii, ii] >= bound:a += '~'print a# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):# end of our recursive functionif current == -1 or BB.dimensions()[0] <= dimension_min:return BB# we start by checking from the endfor ii in range(current, -1, -1):# if it is unhelpful:if BB[ii, ii] >= bound:affected_vectors = 0affected_vector_index = 0# let's check if it affects other vectorsfor jj in range(ii + 1, BB.dimensions()[0]):# if another vector is affected:# we increase the countif BB[jj, ii] != 0:affected_vectors += 1affected_vector_index = jj# level:0# if no other vectors end up affected# we remove itif affected_vectors == 0:print "* removing unhelpful vector", iiBB = BB.delete_columns([ii])BB = BB.delete_rows([ii])monomials.pop(ii)BB = remove_unhelpful(BB, monomials, bound, ii - 1)return BB# level:1# if just one was affected we check# if it is affecting someone elseelif affected_vectors == 1:affected_deeper = Truefor kk in range(affected_vector_index + 1, BB.dimensions()[0]):# if it is affecting even one vector# we give up on this oneif BB[kk, affected_vector_index] != 0:affected_deeper = False# remove both it if no other vector was affected and# this helpful vector is not helpful enough# compared to our unhelpful oneif affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):print "* removing unhelpful vectors", ii, "and", affected_vector_indexBB = BB.delete_columns([affected_vector_index, ii])BB = BB.delete_rows([affected_vector_index, ii])monomials.pop(affected_vector_index)monomials.pop(ii)BB = remove_unhelpful(BB, monomials, bound, ii - 1)return BB# nothing happenedreturn BB"""
Returns:
* 0,0   if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""def boneh_durfee(pol, modulus, mm, tt, XX, YY):"""Boneh and Durfee revisited by Herrmann and Mayfinds a solution if:* d < N^delta* |x| < e^delta* |y| < e^0.5whenever delta < 1 - sqrt(2)/2 ~ 0.292"""# substitution (Herrman and May)PR. < u, x, y > = PolynomialRing(ZZ)Q = PR.quotient(x * y + 1 - u)  # u = xy + 1polZ = Q(pol).lift()UU = XX * YY + 1# x-shiftsgg = []for kk in range(mm + 1):for ii in range(mm - kk + 1):xshift = x ^ ii * modulus ^ (mm - kk) * polZ(u, x, y) ^ kkgg.append(xshift)gg.sort()# x-shifts list of monomialsmonomials = []for polynomial in gg:for monomial in polynomial.monomials():if monomial not in monomials:monomials.append(monomial)monomials.sort()# y-shifts (selected by Herrman and May)for jj in range(1, tt + 1):for kk in range(floor(mm / tt) * jj, mm + 1):yshift = y ^ jj * polZ(u, x, y) ^ kk * modulus ^ (mm - kk)yshift = Q(yshift).lift()gg.append(yshift)  # substitution# y-shifts list of monomialsfor jj in range(1, tt + 1):for kk in range(floor(mm / tt) * jj, mm + 1):monomials.append(u ^ kk * y ^ jj)# construct lattice Bnn = len(monomials)BB = Matrix(ZZ, nn)for ii in range(nn):BB[ii, 0] = gg[ii](0, 0, 0)for jj in range(1, ii + 1):if monomials[jj] in gg[ii].monomials():BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU, XX, YY)# Prototype to reduce the latticeif helpful_only:# automatically removeBB = remove_unhelpful(BB, monomials, modulus ^ mm, nn - 1)# reset dimensionnn = BB.dimensions()[0]if nn == 0:print "failure"return 0, 0# check if vectors are helpfulif debug:helpful_vectors(BB, modulus ^ mm)# check if determinant is correctly boundeddet = BB.det()bound = modulus ^ (mm * nn)if det >= bound:print "We do not have det < bound. Solutions might not be found."print "Try with highers m and t."if debug:diff = (log(det) - log(bound)) / log(2)print "size det(L) - size e^(m*n) = ", floor(diff)if strict:return -1, -1else:print "det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)"# display the lattice basisif debug:matrix_overview(BB, modulus ^ mm)# LLLif debug:print "optimizing basis of the lattice via LLL, this can take a long time"BB = BB.LLL()if debug:print "LLL is done!"# transform vector i & j -> polynomials 1 & 2if debug:print "looking for independent vectors in the lattice"found_polynomials = Falsefor pol1_idx in range(nn - 1):for pol2_idx in range(pol1_idx + 1, nn):# for i and j, create the two polynomialsPR. < w, z > = PolynomialRing(ZZ)pol1 = pol2 = 0for jj in range(nn):pol1 += monomials[jj](w * z + 1, w, z) * BB[pol1_idx, jj] / monomials[jj](UU, XX, YY)pol2 += monomials[jj](w * z + 1, w, z) * BB[pol2_idx, jj] / monomials[jj](UU, XX, YY)# resultantPR. < q > = PolynomialRing(ZZ)rr = pol1.resultant(pol2)# are these good polynomials?if rr.is_zero() or rr.monomials() == [1]:continueelse:print "found them, using vectors", pol1_idx, "and", pol2_idxfound_polynomials = Truebreakif found_polynomials:breakif not found_polynomials:print "no independant vectors could be found. This should very rarely happen..."return 0, 0rr = rr(q, q)# solutionssoly = rr.roots()if len(soly) == 0:print "Your prediction (delta) is too small"return 0, 0soly = soly[0][0]ss = pol1(q, soly)solx = ss.roots()[0][0]#return solx, solydef example():############################################# How To Use This Script############################################ The problem to solve (edit the following values)## the modulusN = 0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L# the public exponente = 0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL# the cipherc = 0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL# N = 12238605063252292170613110607692779326628090745751955692266649177882959231822580682548279800443278979485092243645806337103841086023159482786712759291169541633901936290854044069486201989034158882661270017305064348254800318759062921744741432214818915527537124001063995865927527037625277330117588414586505635959411443039463168463608235165929831344586283875119363703480280602514451713723663297066810128769907278246434745483846869482536367912810637275405943566734099622063142293421936734750356828712268385319217225803602442033960930413469179550331907541244416573641309943913383658451409219852933526106735587605884499707827# e = 11850552481503020257392808424743510851763548184936536180317707155841959788151862976445957810691568475609821000653594584717037528429828330763571556164988619635320288125983463358648887090031957900011546300841211712664477474767941406651977784177969001025954167441377912326806132232375497798238928464025466905201977180541053129691501120197010080001677260814313906843670652972019631997467352264392296894192998971542816081534808106792758008676039929763345402657578681818891775091140555977382868531202964486261123748663752490909455324860302967636149379567988941803701512680099398021640317868259975961261408500449965277690517# c = 9472193174575536616954091686751964873836697237500198884451530469300324470671555310791335185133679697207007374620225900775502162690848135615431624557389304657410880981454777737587420426091879654002644281066474715074536611611252677882396384453641127487515845176069574754606670518031472235144795376526854484442135299818868525539923568705203042265537204111153151119105287648912908771710419648445826883069030285651763726003413418764301988228077415599665616637501056116290476861280240577145515875430665394216054222788697052979429015400411487342877096677666406389711074591330476335174211990429870900468249946600544116793793# the hypothesis on the private exponent (the theoretical maximum is 0.292)delta = .18  # this means that d < N^delta## Lattice (tweak those values)## you should tweak this (after a first run), (e.g. increment it until a solution is found)m = 4  # size of the lattice (bigger the better/slower)# you need to be a lattice master to tweak theset = int((1 - 2 * delta) * m)  # optimization from Herrmann and MayX = 2 * floor(N ^ delta)  # this _might_ be too muchY = floor(N ^ (1 / 2))  # correct if p, q are ~ same size## Don't touch anything below## Problem put in equationP. < x, y > = PolynomialRing(ZZ)A = int((N + 1) / 2)pol = 1 + x * (A + y)## Find the solutions!## Checking boundsif debug:print "=== checking values ==="print "* delta:", deltaprint "* delta < 0.292", delta < 0.292print "* size of e:", int(log(e) / log(2))print "* size of N:", int(log(N) / log(2))print "* m:", m, ", t:", t# boneh_durfeeif debug:print "=== running algorithm ==="start_time = time.time()solx, soly = boneh_durfee(pol, e, m, t, X, Y)# found a solution?if solx > 0:print "=== solution found ==="if False:print "x:", solxprint "y:", solyd = int(pol(solx, soly) / e)m = pow(c, d, N)print '[-]d is ' + str(d)print '[-]m is: ' + str(m)print '[-]hex(m) is: ' + '{:x}'.format(int(m))print '[-]str(m) is: ' + '{:x}'.format(int(m)).decode('hex')else:print "[!]no solution was found!"print '[!]All Done!'if debug:print("[!]Timer: %s s" % (time.time() - start_time))print '[!]All Done!'if __name__ == "__main__":example()

得到：

looking for independent vectors in the lattice
found them, using vectors 0 and 1
=== solution found ===
[-]d is 776765455081795377117377680209510234887230129318575063382634593357724998207571
[-]m is: 5616256644474643777324927156425296308201436356404797635226215853608752109375728559177663257634746748367999648544612395127292284761610833552163188225026856
[-]hex(m) is: 6b3bb0cdc72a7f2ce89902e19db0fb2c0514c76874b2ca4113b86e6dc128d44cc859283db4ca8b0b5d9ee35032aec8cc8bb96e8c11547915fc9ef05aa2d72b28
[-]str(m) is: k;▒▒▒*,▒ᝰ▒,▒ht▒▒A▒nm▒(▒L▒Y(=▒ʋ]▒▒P2▒▒̋▒n▒Ty▒▒▒Z▒▒+(
[!]Timer: 0.682039022446 s
[!]All Done!

输入，得到flag

9.get flag

flag{a214781d-bb31-49dd-a66b-2139ce6b2e76}

结语

已经乱套了。。。勉强算今天完成指标？

参考： BUUCTF 强网杯2019 Copperstudy.

BUUCTF-CRYPTO-强网杯2019 Copperstudy相关推荐

1. 强网杯2019 Copperstudy

   强网杯2019 Copperstudy 靶机:node4.buuoj.cn:29678 第一次见靶机的题,找题目找了半天

2. BUUCTF Web [强网杯 2019]随便注

   「作者主页」:士别三日wyx   此文章已录入专栏<网络攻防>,持续更新热门靶场的通关教程 「未知攻,焉知收」,在一个个孤独的夜晚,你完成了几百个攻防实验,回过头来才发现,已经击败了百分之 ...

3. 【BUUCTF】强网杯 2019随便注1 write up

   输入万能密码1' or 1=1# ,判断存在sql注入, SQL注入的万能密码实际上是利用了网址后台的漏洞,打开下面的网址不用密码和账号也可以登录后台. 万能密码原理: 万能密码能够绕过sql检测,在 ...

4. 【BUUCTF】[强网杯 2019]随便注 1

   这是一个典型的sql注入题目 知识点: 1.注入点检测 2.万能匹配 3.暴力获得数据表和其属性 4.sql语句的掌握(order by; union select; rename table; al ...

5. buuctf [强网杯 2019]随便注 1

   buuctf web [强网杯 2019]随便注 1 -刷题个人日记 小白一个,写给自己看. 打开后是这样. 从题目和内容来看就是一道sql注入题. 输入 1' or 1=1;# 这个#用来注释掉后面 ...

6. BUUCTF [强网杯 2019]随便注

   题目 打开环境发现是经典的提交界面 老规则还是查询注入点,1 or 1 =1#,1' order by 1#都未出错,但是1' union select 1,2#是出现了错误,发现一些查询语句被过滤了 ...

7. 强网杯 2019]随便注 【SQL注入】四种解法

   题目简介 题目名称:[强网杯 2019]随便注 1 题目平台:BUUCTF 题目类型:Web 考察知识点: SQL注入 解题步骤 方法一: 首先启动并访问靶机,有一个输入框,随便输入1' or 1 = ...

8. BMZCTF 强网杯 2019 随便注 原理+题解

   目录 知识点 堆叠注入 show语句 mysql预编译 过程 重点 预编译 重命名 总结 知识点 堆叠注入 堆叠查询注入:堆叠查询可以执行多条SQL语句,语句之间以分号(;)隔开.而堆叠查询注入攻击就 ...

9. [强网杯 2019]随便注 —— 堆叠注入

                          [强网杯 2019]随便注 前言        个人观点,若有误请指教 解题思路及步骤 直接上'引号,结果直接报错了,证明存在sql注入漏洞. 判断当前表 ...

10. 强网杯2019（高明的黑客强网先锋上单）

    强网杯2019(高明的黑客&强网先锋上单) 前言 这里主要是对强网杯web中高明的黑客和上单两道题进行一个复现回顾 再次感谢大佬提供的场景复现:https://www.zhaoj.in/rea ...

最新文章

1. Squid代理服务器基本配置（三）
2. 英伟达CEO黄仁勋获芯片行业最高荣誉：他颠覆了计算！
3. SharePoint 2007 Web Content Management 性能优化系列 3 - IIS压缩
4. 社群：加入 Spring 技术学习群
5. 历害了！教你自己搭建一个私人网盘..
6. mysql 查询慢 分析_MySQL优化：定位慢查询的两种方法以及使用explain分析SQL
7. 为什么没有看到webcontent_环卫工人工资低工作辛苦，为什么还有那么多人愿意做呢？...
8. 读凤凰网经典语句记录一
9. PIC16F877A开发板 数码管计数器实验
10. POJ 2409 Let it Bead（Polya简单应用）
11. 某度起诉“文库下载神器”，索赔300万
12. 神经网络与深度学习（六）卷积神经网络（4）ResNet18实现MNIST
13. 基于 Win32 的应用程序
14. 对JavaWeb项目中WEB-INF目录的理解
15. php实现阳历阴历互转的方法
16. 5分钟学废携程出品配置中心阿波罗的原理与搭建
17. java的class是什么意思_Java的class是什么意思？
18. 基于SpringBoot的网上电影票购买系统设计与实现
19. 蓝牙硬件设备没有链接到计算机,电脑未发现蓝牙硬件设备怎么办
20. ios 不能触发click事件

热门文章

1. 【第2重磅】王者荣耀「绝悟」升级，全英雄池解禁
2. 介绍 Jersey 依赖
3. Ubuntu20.04安装五笔、拼音混合输入法
4. 计算高德经纬度坐标点之间的距离
5. 有哲理有关java的_从Java到“浑沌之死”再到人生哲理
6. NLTK使用方法总结
7. 手机塔防游戏-手机塔防游戏收入、毛利率、市场规模及市场份额
8. Mac生成和查看SSH Key
9. GitLab配置ssh key：gitlab add an ssh key
10. 腾讯校招 针对找工作的小伙伴们