NSSCTF-Round19-Crypto-wp

2024-03-17

Uncategorized

19k words

1，bestkasscn的超级简单密码
2，bestkasscn的简单密码
3，Neighbors（复现）

这次Round是密码专项赛，共5道题，做出了2道；剩的3道是鸡块师傅出的（鸡块师傅tql）

1，bestkasscn的超级简单密码

出题人：bestkasscn

题目：

baby_RSA.py (点击展开)

from Crypto.Util.number import *
import gmpy2
from functools import reduce
from secret import flag

p = getPrime(1024)
i = 0
while True:
    r = p * 5 + i
    if isPrime(r):
        i = 0
        break
    else:
        i += 1
while True:
    q = p * 10 + i
    if isPrime(q):
        break
    else:
        i += 1

n = p * q * r
e = 65537
c = pow(bytes_to_long(flag.encode()), e, n)
print('c=' + str(c))
print('p3=' + str(pow(p, 3, n)))
print('q3=' + str(pow(q, 3, n)))
print('r3=' + str(pow(r, 3, n)))
# n = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761441087845248621463389786351743200696279604003824362262237505386409700329605140703782099240992158439201646344692107831931849079888757310523663310273856448713786678014221779214444879454790399990056124051739535141631564534546955444505648933134838799753362350266884682987713823886338789502396879543498267617432600351655901149380496067582237899323865338094444822339890783781705936546257971766978222763417870606459677496796373799679580683317833001077683871698246143179166277232084089913202832193540581401453311842960318036078745448783370048914350299341586452159634173821890439194014264891549345881324015485910286021846721593668473
# c = 11212699652154912414419576042130573737460880175860430868241856564678915039929479534373946033032215673944727767507831028500814261134142245577246925294110977629353584372842303558820509861245550773062016272543030477733653059813274587939179134498599049035104941393508776333632172797303569396612594631646093552388772109708942113683783815011735472088985078464550997064595366458370527490791625688389950370254858619018250060982532954113416688720602160768503752410505420577683484807166966007396618297253478916176712265476128018816694458551219452105277131141962052020824990732525958682439071443399050470856132519918853636638476540689226313542250551212688215822543717035669764276377536087788514506366740244284790716170847347643593400673746020474777085815046098314460862593936684624708574116108322520985637474375038848494466480630236867228454838428542365166285156741433845949358227546683144341695680712263215773807461091898003011630162481
# p3 = 891438237083490546089708018947678893226384856270496377765399277417697191150845296075484241536063149330788867177806265725641352439792185047059884077696267280233195764685547392586251429555216372682368991273055524268769223153988946085858123028200360359212117360701384933036871231911448311911374115683475228820531478240539549424647154342506853356292956506486091063660095505979187297020928573605860329881982122478494944846700224611808246427660214535971723459345029873385956677292979041143593821672034573140001092625650099257402018634684516092489263998517027205660003413512870074652126328536906790020794659204007921147300771594986038917179253827432120018857213350120695302091483756021206199805521083496979628811676116525321724267588515105188480380865374667274442027086789352802613365511142499668793725505110436809024171752137883546327359935102833441492430652019931999144063825010678766130335038975376834579129516127516820037383067
# q3 = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761440671033435053531971051698504592848580356684103015611323747688216493729331061402058160819388999663041629882482138465124920580049057123360829897432472221079140360215664537272316836767039948368780837985855835419681893347839311156887660438769948501100287062738217966360434291369179859862550767272985972263442512061098317471708987686120577904202391381040801620069987103931326500146536990700234262413595295698193570184681785854277656410199477649697026112650581343325348837547631237627207304757407395388155701341044939408589591213693329516396531103489233367665983149963665364824119870832353269655933102900004362236232825539480774
# r3 = 22285955927087263652242700473691972330659621406762409444134981935442429778771132401887106038401578733269721679445156643141033810994804626176497101942406682005829894117138684814656285738880409317059224781826388106719230578849723652146453075705009008980302934017534623325921780797786207797784352892086880720749202442492937918619992591614713131681306874944356693778359565004415437554407990089293135634916859631279984463829118336826115430997439527110961309956466956650522900331263720500751112297418506140413317489683875995326726992533904683800042127871963320754241310699432792081707870167598822650064976439270556418985242630368723264289700246406905189810458354474959276748887369363592834205660349184660073395182450526542246354364903399132116153732074081050985584216815493617906868615192465631416955706457835185743023758573279838341229835613609332206338401219168119635681832981552328638132500079074010106995297184587143613134093145

解答：

题目给了、、，预期估计是Frankie相关信息攻击，但其实我们可以不这么做。

分析一下代码可知：，所以我们可以得到；因此直接开方就可以得到p，然后就去生成q和r即可（数字很小且算是相邻数，所以生成挺快的）；最后直接RSA解密即可。

exp (点击展开)

from random import *
from Crypto.Util.number import *
import gmpy2
p3 = 891438237083490546089708018947678893226384856270496377765399277417697191150845296075484241536063149330788867177806265725641352439792185047059884077696267280233195764685547392586251429555216372682368991273055524268769223153988946085858123028200360359212117360701384933036871231911448311911374115683475228820531478240539549424647154342506853356292956506486091063660095505979187297020928573605860329881982122478494944846700224611808246427660214535971723459345029873385956677292979041143593821672034573140001092625650099257402018634684516092489263998517027205660003413512870074652126328536906790020794659204007921147300771594986038917179253827432120018857213350120695302091483756021206199805521083496979628811676116525321724267588515105188480380865374667274442027086789352802613365511142499668793725505110436809024171752137883546327359935102833441492430652019931999144063825010678766130335038975376834579129516127516820037383067
q3 = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761440671033435053531971051698504592848580356684103015611323747688216493729331061402058160819388999663041629882482138465124920580049057123360829897432472221079140360215664537272316836767039948368780837985855835419681893347839311156887660438769948501100287062738217966360434291369179859862550767272985972263442512061098317471708987686120577904202391381040801620069987103931326500146536990700234262413595295698193570184681785854277656410199477649697026112650581343325348837547631237627207304757407395388155701341044939408589591213693329516396531103489233367665983149963665364824119870832353269655933102900004362236232825539480774
r3 = 22285955927087263652242700473691972330659621406762409444134981935442429778771132401887106038401578733269721679445156643141033810994804626176497101942406682005829894117138684814656285738880409317059224781826388106719230578849723652146453075705009008980302934017534623325921780797786207797784352892086880720749202442492937918619992591614713131681306874944356693778359565004415437554407990089293135634916859631279984463829118336826115430997439527110961309956466956650522900331263720500751112297418506140413317489683875995326726992533904683800042127871963320754241310699432792081707870167598822650064976439270556418985242630368723264289700246406905189810458354474959276748887369363592834205660349184660073395182450526542246354364903399132116153732074081050985584216815493617906868615192465631416955706457835185743023758573279838341229835613609332206338401219168119635681832981552328638132500079074010106995297184587143613134093145
n = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761441087845248621463389786351743200696279604003824362262237505386409700329605140703782099240992158439201646344692107831931849079888757310523663310273856448713786678014221779214444879454790399990056124051739535141631564534546955444505648933134838799753362350266884682987713823886338789502396879543498267617432600351655901149380496067582237899323865338094444822339890783781705936546257971766978222763417870606459677496796373799679580683317833001077683871698246143179166277232084089913202832193540581401453311842960318036078745448783370048914350299341586452159634173821890439194014264891549345881324015485910286021846721593668473
c = 11212699652154912414419576042130573737460880175860430868241856564678915039929479534373946033032215673944727767507831028500814261134142245577246925294110977629353584372842303558820509861245550773062016272543030477733653059813274587939179134498599049035104941393508776333632172797303569396612594631646093552388772109708942113683783815011735472088985078464550997064595366458370527490791625688389950370254858619018250060982532954113416688720602160768503752410505420577683484807166966007396618297253478916176712265476128018816694458551219452105277131141962052020824990732525958682439071443399050470856132519918853636638476540689226313542250551212688215822543717035669764276377536087788514506366740244284790716170847347643593400673746020474777085815046098314460862593936684624708574116108322520985637474375038848494466480630236867228454838428542365166285156741433845949358227546683144341695680712263215773807461091898003011630162481
e = 65537
p = gmpy2.iroot(p3, 3)[0]
i = 0
while True:
    r = p * 5 + i
    if isPrime(int(r)):
        i = 0
        break
    else:
        i += 1
while True:
    q = p * 10 + i
    if isPrime(int(q)):
        break
    else:
        i += 1
phi = (p-1)*(q-1)*(r-1)
d = gmpy2.invert(e, phi)
print(long_to_bytes(pow(c, d, n)))
# NSSCTF{cc10786a-cc59-a07d-5c9f-df1c55b18cd4}

2，bestkasscn的简单密码

出题人：bestkasscn

题目：

easy_trick.py (点击展开)

from random import randint
from secret import flag, enc_key

dir = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}"
assert len(flag) == 64
assert len(enc_key) == 64


def getGraph(row, column):
    graph = [['' for _ in range(row)] for _ in range(column)]
    for i in range(column):
        for j in range(row):
            graph[i][j] = dir[randint(0, 63)]
    return graph


def bestkasscnEncryption(str):
    binary = ''
    res = ''
    for c in str:
        binary += '0' + bin(ord(c))[2:] + ''
    while len(binary) % 6 != 0:
        binary += '0'
    for i in range(len(binary) // 6):
        res += dir[int(binary[i * 6:6 + i * 6], 2)]
    while len(res) % 3 != 0:
        res += '}'
    return res


encrypt = bestkasscnEncryption(enc_key)

graph1 = getGraph(len(encrypt), len(encrypt))
graph2 = getGraph(len(encrypt), len(encrypt))
for i in range(len(flag)):
    graph1[dir.index(encrypt[i])][i] = enc_key[i]
    graph2[i][dir.index(encrypt[i])] = flag[i]

for i in range(0, len(flag), 2):
    graph2[i][dir.index(encrypt[i])] = enc_key[i]
    graph1[dir.index(encrypt[i])][i] = flag[i]

with open('graph1.txt', 'w') as file:
    file.write("graph1:\n")
    for i in graph1:
        file.write(str(i))
        file.write(',')
        file.write('\n')
file.close()
with open('graph2.txt', 'w') as file:
    file.write("graph2:\n")
    for j in graph2:
        file.write(str(j))
        file.write(',')
        file.write('\n')
file.close()

with open('encrypt.txt', 'w') as file:
    file.write(encrypt)
file.close()
# encrypt='t25Lx3DOB19OyxnFC2vLBL90AgvFB2nLyw5FDgHPBMTZx25VDgHPBMDFB2zFBwvYzv9YAxzLCNnFC29Fzg9Fsq}'

那两个grapf太长了，就不放上去了。

解答：

这道题的话，有些地方算是需要点脑洞（比如enc_key就是压缩包密码）

先看看flag部分的相关代码：

def getGraph(row, column):
    graph = [['' for _ in range(row)] for _ in range(column)]
    for i in range(column):
        for j in range(row):
            graph[i][j] = dir[randint(0, 63)]
    return graph

graph1 = getGraph(len(encrypt), len(encrypt))
graph2 = getGraph(len(encrypt), len(encrypt))
for i in range(len(flag)):
    graph1[dir.index(encrypt[i])][i] = enc_key[i]
    graph2[i][dir.index(encrypt[i])] = flag[i]

for i in range(0, len(flag), 2):
    graph2[i][dir.index(encrypt[i])] = enc_key[i]
    graph1[dir.index(encrypt[i])][i] = flag[i]

代码主要就是做的一件事：把flag塞到二维列表里，假如会审代码的话，很容易看出：这里是把flag奇数位的值和偶数位的值分别分到graph1.txt和graph2.txt中，因此只要我们将flag对应位收集起来就行。

但是，因为graph2.txt在一个加密压缩包里，所以需要解出enc_key才行。

看看enc_key的相关代码：

dir = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}"
def bestkasscnEncryption(str):
    binary = ''
    res = ''
    for c in str:
        binary += '0' + bin(ord(c))[2:] + ''
    while len(binary) % 6 != 0:
        binary += '0'
    for i in range(len(binary) // 6):
        res += dir[int(binary[i * 6:6 + i * 6], 2)]
    while len(res) % 3 != 0:
        res += '}'
    return res
encrypt = bestkasscnEncryption(enc_key)

看完便发现：这里其实就是进行了改表base64，表为dir。

所以我们可以用工具去解决，当然也可以写个代码：

dir = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}"
def bestkasscnDecryption(str):
    binary = ''
    res = ''
    for i in str:
        binary += bin(dir.index(i))[2:].zfill(6)
    for i in range(0, len(binary), 8):
        res += chr(int(binary[i:i+8], 2))
    return res
encrypt='t25Lx3DOB19OyxnFC2vLBL90AgvFB2nLyw5FDgHPBMTZx25VDgHPBMDFB2zFBwvYzv9YAxzLCNnFC29Fzg9Fsq}'
enc_key = bestkasscnDecryption(encrypt)
print(enc_key)
# One_who_has_seen_the_ocean_thinks_nothing_of_mere_rivers_so_do_I

解压后，得到graph2.txt。

然后就是把一开始的flag恢复思路带入即可：

exp (点击展开代码)

graph1 = []
graph2 = []
# 上述两表太长了，就不写出来了
enc_key = 'One_who_has_seen_the_ocean_thinks_nothing_of_mere_rivers_so_do_I'
enc = "t25Lx3DOB19OyxnFC2vLBL90AgvFB2nLyw5FDgHPBMTZx25VDgHPBMDFB2zFBwvYzv9YAxzLCNnFC29Fzg9Fsq}"
dir = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}"
flag = ''
for i in range(0, len(enc), 2):
    flag += graph1[dir.index(enc[i])][i]
    flag += graph2[i+1][dir.index(enc[i+1])]
    # 因为有可能len(flag)<len(enc)，所以加个if语句判断
    if flag[-1]=='}':
        break
print(flag)
# NSSCTF{What_I_miss_is_saying_nothing_nothing_better_than_hotpot}

3，Neighbors（复现）

出题人：糖醋小鸡块

题目：

task.sage (点击展开代码)

from Crypto.Util.number import *
from random import *
from secret import flag

m = bytes_to_long(flag)

def nextPrime(p):
    while(not isPrime(p)):
        p += 1
    return p

a = 151
b = 172
p1 = 2^a*5^b - 1
F.<i> = GF(p1^2, modulus = x**2 + 1)
E = EllipticCurve(j=F(1728))

assert E.is_supersingular()

for i in range(50):
    P = E(0).division_points(5)[1:]
    shuffle(P)
    phi = E.isogeny(P[0])
    E = phi.codomain()
    j1 = E.j_invariant()

a = int(j1[0])
b = int(j1[1])
p = nextPrime(a+b)
q = getPrime(p.bit_length())
n = p*q
e = 65537
c = pow(m,e,n)
print("e =",e)
print("n =",n)
print("c =",c)


#leak
path = []
for i in range(4):
    P = E(0).division_points(5)[1:]
    shuffle(P)
    phi = E.isogeny(P[0])
    j1 = phi.codomain().j_invariant()
    while(j1 in path):
        shuffle(P)
        phi = E.isogeny(P[0])
        j1 = phi.codomain().j_invariant()
    path.append(j1)
    E = phi.codomain()

print("j1 =",j1)


#e = 65537
#n = 27660779504321925356006447667320327390150480983648690901006174352749339874518759333831733034192127427897623854124514212301624188883116023679233194726978962252585566329625462410597485158957857003260340456610951535430042915065253353543837935016496092356489028408052863701705400021364167367862977808597173766465657159249607404278555781
#c = 17137574768375613142899612121220754893579308480997275465013572460778148685559737592316898103173913046913093108521865424971517481171364906226416089569353963219436198051916581024399601607752314215085545336295450568344615872394961924295547685771955504826631319190372175753842519822279019714777697711192486128339049294501128261475088218
#j1 = 3298455770740418540320875487876272515859315516778722120913599648146333514148291435827951366406176762948612097557652865226784729596111676446684986604300101971837911163*i + 4537130021779297048213998573445169432922796703632002090410524491881919608982806774072433257149497571183513473757657759960381311229351179660958581657639633158226859944

解答：

先分析一下：

已知一个j-不变量为1728的椭圆曲线E，然后对其进行50次m为5的同源（后来看鸡块师傅的wp才知道，准确的叫法是度为的同源）得到一个新的椭圆曲线E1，然后取E1的j-不变量生成素数p以及相同位数的素数q，最后对flag进行RSA加密。

题目给的是E1在进行度为的同源后得到的E2的j-不变量的值

当时做的时候，其实是有点思路的：

既然都知道了E2的j-不变量的值，而且当时感觉同源可能跟同构差不多，所以觉得可以逆回去得到E1；然后直接用E1的j-不变量得到素数p和q去解密即可

但是吧。。。当时不知道咋逆回去；即便鸡块师傅给了这个提示：modular polynomial，但我误解了意思，而且还没去查（（（

于是就卡住了（）

后来看wp才发现：**modular polynomial**是一个相邻的同源ECC之间的关系，而且一查就有（

在里边找到这一项就行，然后说一下解法的正规解释（）

由于超奇异椭圆曲线的同源一定存在一个对偶同源，也就是对于两条曲线E1、E2，如果E1能够经过一个度为n的同源到达E2，那么E2就一定能经过一个度为n的对偶同源返回E1，所以我们只需要利用modular polynomial去找出E2的所有的邻居，然后再找这些邻居的的邻居，如此重复四次，就可以找到所有E2的的邻居了，然后遍历这些邻居的j不变量去尝试生成p，检查是否能被n整除，就得到了n的分解然后进行RSA解密

代码如下：

exp (点击展开代码)

from Crypto.Util.number import *

def nextPrime(p):
    while(not isPrime(p)):
        p += 1
    return p

#Φ5
def find_neighbors_phi5(X,j_prev=None):
    R.<Y> = PolynomialRing(X.parent())
    Φ5 = (
        X^6
        + Y^6
        - X^5*Y^5 
        + 3720*X^5*Y^4 
        + 3720*X^4*Y^5 
        - 4550940*X^5*Y^3 
        - 4550940*X^3*Y^5
        + 2028551200*X^5*Y^2 
        + 2028551200*X^2*Y^5
        - 246683410950*X^5*Y
        - 246683410950*X*Y^5 
        + 1963211489280*X^5 
        + 1963211489280*Y^5 
        + 1665999364600*X^4*Y^4 
        + 107878928185336800*X^4*Y^3 
        + 107878928185336800*X^3*Y^4 
        + 383083609779811215375*X^4*Y^2 
        + 383083609779811215375*X^2*Y^4
        + 128541798906828816384000*X^4*Y 
        + 128541798906828816384000*X*Y^4  
        + 1284733132841424456253440*X^4
        + 1284733132841424456253440*Y^4
        - 441206965512914835246100*X^3*Y^3  
        + 26898488858380731577417728000*X^3*Y^2 
        + 26898488858380731577417728000*X^2*Y^3 
        - 192457934618928299655108231168000*X^3*Y
        - 192457934618928299655108231168000*X*Y^3 
        + 280244777828439527804321565297868800*X^3
        + 280244777828439527804321565297868800*Y^3
        + 5110941777552418083110765199360000*X^2*Y^2 
        + 36554736583949629295706472332656640000*X^2*Y 
        + 36554736583949629295706472332656640000*X*Y^2        
        + 6692500042627997708487149415015068467200*X^2 
        - 264073457076620596259715790247978782949376*X*Y 
        + 6692500042627997708487149415015068467200*Y^2 
        + 53274330803424425450420160273356509151232000*X 
        + 53274330803424425450420160273356509151232000*Y 
        + 141359947154721358697753474691071362751004672000
    )

    res = Φ5.roots(multiplicities=False)
    if(j_prev == None):
        return res
    else:
        return list(set(res) - set([j_prev]))
    

a = 151
b = 172
p1 = 2^a*5^b - 1
F.<i> = GF(p1^2, modulus = x^2 + 1)
e = 65537
n = 27660779504321925356006447667320327390150480983648690901006174352749339874518759333831733034192127427897623854124514212301624188883116023679233194726978962252585566329625462410597485158957857003260340456610951535430042915065253353543837935016496092356489028408052863701705400021364167367862977808597173766465657159249607404278555781
c = 17137574768375613142899612121220754893579308480997275465013572460778148685559737592316898103173913046913093108521865424971517481171364906226416089569353963219436198051916581024399601607752314215085545336295450568344615872394961924295547685771955504826631319190372175753842519822279019714777697711192486128339049294501128261475088218
j1 = 3298455770740418540320875487876272515859315516778722120913599648146333514148291435827951366406176762948612097557652865226784729596111676446684986604300101971837911163*i + 4537130021779297048213998573445169432922796703632002090410524491881919608982806774072433257149497571183513473757657759960381311229351179660958581657639633158226859944

set1 = find_neighbors_phi5(j1)

set2 = []
for k in set1:
    set2 += find_neighbors_phi5(k)
set2 = set(set2)

set3 = []
for k in set2:
    set3 += find_neighbors_phi5(k)
set3 = set(set3)

set4 = []
for k in set3:
    set4 += find_neighbors_phi5(k)
set4 = set(set4)


for k in set4:
    a = int(k[0])
    b = int(k[1])
    p = nextPrime(a+b)
    if(n % p == 0):
        q = n // p
        d = inverse(e,(p-1)*(q-1))
        print(long_to_bytes(int(pow(c,d,n))))
        break


#NSSCTF{try_to_find_5-isogeny_neighbors_4nd_F@ctor_n}

剩下的两题，因为出题人写的太细了，所以我就不写在这里了（出题人wp）

Tags

1，bestkasscn的超级简单密码

2，bestkasscn的简单密码

3，Neighbors（复现）