”*“ 表示未做出的题，“~” 表示赛后复现出的题，“!” 表示赛中做出的题

1，check-little (!)

题目

1
from Crypto.Util.number import *
2
from Crypto.Util.Padding import pad
3
from Crypto.Cipher import AES
4
import os
5

6
flag, key = open('secret').read().split('\n')
7

8
e = 3
9

10
while 1:
11
    p = getPrime(1024)
12
    q = getPrime(1024)
13
    phi = (p - 1) * (q - 1)
14
    if phi % e != 0:
15
        break
16
N = p * q
17
c = pow(key, e, N)
18

19
iv = os.urandom(16)
20
ciphertext = AES.new(key = long_to_bytes(key)[:16], iv = iv, mode = AES.MODE_CBC).encrypt(pad(flag.encode(),16)).hex()
21

22
f = open('output.txt', 'w')
23
f.write(f'N = {N}\n')
24
f.write(f'c = {c}\n')
25
f.write(f'iv = {iv}\n')
26
f.write(f'ciphertext = {ciphertext}\n')

分析

（emmm，为啥会有人的key是p啊？？？？）

所以直接gcd(c, n)就有key了，然后AES解密即可

EXP

1
from Crypto.Util.number import *
2
from Crypto.Util.Padding import pad
3
from Crypto.Cipher import AES
4
from sage.all import *
5

6

7
n = 18795243691459931102679430418438577487182868999316355192329142792373332586982081116157618183340526639820832594356060100434223256500692328397325525717520080923556460823312550686675855168462443732972471029248411895298194999914208659844399140111591879226279321744653193556611846787451047972910648795242491084639500678558330667893360111323258122486680221135246164012614985963764584815966847653119900209852482555918436454431153882157632072409074334094233788430465032930223125694295658614266389920401471772802803071627375280742728932143483927710162457745102593163282789292008750587642545379046283071314559771249725541879213
8
c = 10533300439600777643268954021939765793377776034841545127500272060105769355397400380934565940944293911825384343828681859639313880125620499839918040578655561456321389174383085564588456624238888480505180939435564595727140532113029361282409382333574306251485795629774577583957179093609859781367901165327940565735323086825447814974110726030148323680609961403138324646232852291416574755593047121480956947869087939071823527722768175903469966103381291413103667682997447846635505884329254225027757330301667560501132286709888787328511645949099996122044170859558132933579900575094757359623257652088436229324185557055090878651740
9
iv = b'\x91\x16\x04\xb9\xf0RJ\xdd\xf7}\x8cW\xe7n\x81\x8d'
10
ciphertext = "bf87027bc63e69d3096365703a6d47b559e0364b1605092b6473ecde6babeff2"
11

12
key = gcd(c, n)
13
aes = AES.new(key = long_to_bytes(key)[:16], iv = iv, mode = AES.MODE_CBC)
14
aes.decrypt(bytes.fromhex(ciphertext))

2，ezran (!)

题目

1
from Crypto.Util.number import *
2
from random import *
3

4
f = open('flag.txt', 'r')
5
flag = f.read().encode()
6

7
gift=b''
8
for i in range(3108):
9
    r1 = getrandbits(8)
10
    r2 = getrandbits(16)
11
    x=(pow(r1, 2*i, 257) & 0xff) ^ r2
12
    c=long_to_bytes(x, 2)
13
    gift+=c
14

15
m = list(flag)
16
for i in range(2025):
17
    shuffle(m)
18

19
c = "".join(list(map(chr,m)))
20

21
f = open('output.txt', 'w')
22
f.write(f"gift = {bytes_to_long(gift)}\n")
23
f.write(f"c = {c}\n")

分析

题目类似鸡块师傅的这题：CatCTF2024-Random game↗

所以对于本题而言就是：

1，当 $i$ 是64的倍数时，(pow(r1, 2*i, 257) & 0xff) ^ r2相当于0/1 ^ r2，因此这时候 $r_2$ 的前15bit是已知的；
2，当i是128的倍数时，(pow(r1, 2*i, 257) & 0xff) ^ r2相当于1 ^ r2，因此这时候 $r_2$ 是已知的；
3，其余情况下，因为(pow(r1, 2*i, 257) & 0xff)最大也只是一个8bit的数，所以(pow(r1, 2*i, 257) & 0xff) ^ r2相当于0~255 ^ r2，因此这时候 $r_2$ 的前8bit是能确定的。

因此我们可以根据这个造出对应的MT矩阵 $L$ ，但是 $L$ 并不是一个满秩矩阵（需要 $rand(L)=19937$ 才行，但我们的是19932），因此——假如我们是直接解矩阵方程的话，还需要对求出的结果的右核空间进行爆破。

但我没用这个方法，我这里是使用了gf2bv↗库来做这题；同样，因为前面的原因，我们这里就需要使用solve_all()函数来求解出所有可能解（假如结果唯一，可以用solve_one()）。

EXP

1
import random
2
from gf2bv import LinearSystem
3
from gf2bv.crypto.mt import MT19937
4
from tqdm import *
5
from pwn import *
6
from Crypto.Util.number import *
7

8

9
def mt19937(bs, out):
10
    lin = LinearSystem([32] * 624)
11
    mt = lin.gens()
12

13
    rng = MT19937(mt)
14
    zeros = []
15
    for o in range(len(out)):
16
        _ = rng.getrandbits(8)
17
        if o%128 == 0:
18
            zeros.append((rng.getrandbits(16)) ^ (out[o]^1))
19
        elif o%64 == 0:
20
            zeros.append((rng.getrandbits(16)>>1) ^ (out[o]>>1))
21
        else:
22
            zeros.append((rng.getrandbits(16)>>8) ^ (out[o]>>8))
23
    zeros += [mt[0] ^ (0x80000000)]
24
    # zeros += [mt[0] ^ (0x00000000)]
25
    sol = lin.solve_all(zeros)
26

27
    return sol
28

29
if(1):
30
    gift = ""
31
    sys.set_int_max_str_digits(14990)
32
    gift = long_to_bytes(int(gift))
33
    cs = [bytes_to_long(gift[i:i+2]) for i in range(0, len(gift), 2)]
34
    RNGs = mt19937(int(10), cs)
35
    for RNG in tqdm(RNGs):
36
        flag = 1
37
        rng = MT19937(RNG).to_python_random()
38
        for i in range(3108):
39
            r1 = rng.getrandbits(8)
40
            r2 = rng.getrandbits(16)
41
            x = (pow(r1, 2*i, 257) & 0xff) ^ r2
42
            if x != cs[i]:
43
                flag = 0
44
                break
45
        if flag:
46
            c = ")9Lsu_4s_eb__otEli_nhe_tes5gii5sT@omamkn__ari{efm0__rmu_nt(0Eu3_En_og5rfoh}nkeoToy_bthguuEh7___u"
47
            x = [i for i in range(len(c))]
48
            for i in range(2025):
49
                rng.shuffle(x)
50
            flag = ""
51
            for i in range(len(c)):
52
                flag += c[x.index(i)]
53
            print(flag)
54
# flag{7hE_numbEr_0f_biT5_i5_Enou9h_@L5o_ThE_r4nk_must_3n0ugh}

3，sk (~)

题目

1
from random import randint
2
from Crypto.Util.number import getPrime, inverse, long_to_bytes, bytes_to_long
3
from math import gcd
4
import signal
5
from secret import flag
6

7
def gen_coprime_num(pbits):
8
    lbits = 2 * pbits + 8
9
    lb = 2**lbits
10
    ub = 2**(lbits + 1)
11
    while True:
12
        r = randint(lb, ub)
13
        s = randint(lb, ub)
14
        if gcd(r, s) == 1:
15
            return r, s
16

17
def mult_mod(A, B, p):
18
    result = [0] * (len(A) + len(B) - 1)
19
    for i in range(len(A)):
20
        for j in range(len(B)):
21
            result[i + j] = (result[i + j] + A[i] * B[j]) % p
22

23
    return result
24

25
def gen_key(p):
26
    f = [randint(1, 2**128) for i in ":)"]
27
    h = [randint(1, 2**128) for i in ":("]
28

29
    R1, S1 = gen_coprime_num(p.bit_length())
30
    R2, S2 = gen_coprime_num(p.bit_length())
31

32
    B = [[randint(1, p - 1) for i in ":("] for j in ":)"]
33

34
    P = []
35
    for b in B:
36
        P.append(mult_mod(f, b, p))
37

38
    Q = []
39
    for b in B:
40
        Q.append(mult_mod(h, b, p))
41

42
    for i in range(len(P)):
43
        for j in range(len(P[i])):
44
            P[i][j] = P[i][j] * R1 % S1
45
            Q[i][j] = Q[i][j] * R2 % S2
46

47
    sk = [(R1, S1), (R2, S2), f, h, p]
48
    pk = [P, Q, p]
49

50
    return sk, pk
51

52
def encrypt(pk, pt):
53
    P, Q, p = pk
54
    pt = bytes_to_long(pt)
55

56
    PP = 0
57
    QQ = 0
58

59
    for i in range(len(P)):
60
        u = randint(1, p)
61
        for j in range(len(P[0])):
62
            PP = PP + P[i][j] * (u * pt**j % p)
63
            QQ = QQ + Q[i][j] * (u * pt**j % p)
64

65
    return PP, QQ
66

67
def decrypt(sk, ct):
68
    RS1, RS2, f, h, p = sk
69
    R1, S1 = RS1
70
    R2, S2 = RS2
71

72
    P, Q = ct
73
    invR1 = inverse(R1, S1)
74
    invR2 = inverse(R2, S2)
75
    P = (P * invR1 % S1) % p
76
    Q = (Q * invR2 % S2) % p
77

78
    f0q = f[0] * Q % p
79
    f1q = f[1] * Q % p
80
    h0p = h[0] * P % p
81
    h1p = h[1] * P % p
82

83
    a = f1q + p - h1p % p
84
    b = f0q + p - h0p % p
85

86
    pt = -b * inverse(a, p) % p
87
    pt = long_to_bytes(pt)
88

89
    return pt
90

91
signal.alarm(30)
92
p = getPrime(256)
93
sk, pk = gen_key(p)
94
ticket = long_to_bytes(randint(1, p))
95
enc_ticket = encrypt(pk, ticket)
96
print(pk)
97
print(enc_ticket)
98

99
for i in range(2):
100
    op = int(input("op>").strip())
101
    if op == 1:
102
        msg = input("pt:").strip().encode()
103
        ct = encrypt(pk, msg)
104
        print(f"ct: {ct}")
105
    elif op == 2:
106
        user_input = input("ct:").strip().split(" ")
107
        if len(user_input) == 2:
108
            ct = [int(user_input[0]), int(user_input[1])]
109
        else:
110
            print("invalid ct.")
111
            break
112

113
        user_input = input("your f:").strip().split(" ")
114
        if len(user_input) == 2:
115
            user_f = [int(user_input[0]), int(user_input[1])]
116
        else:
117
            print("invalid f.")
118
            break
119

120
        user_input = input("your h:").strip().split(" ")
121
        if len(user_input) == 2:
122
            user_h = [int(user_input[0]), int(user_input[1])]
123
        else:
124
            print("invalid h.")
125
            break
126

127
        user_input = input("your R1 S1:").strip().split(" ")
128
        if len(user_input) == 2:
129
            user_r1s1 = [int(user_input[0]), int(user_input[1])]
130
        else:
131
            print("invalid R1 S1.")
132
            break
133

134
        user_input = input("your R2 S2:").strip().split(" ")
135
        if len(user_input) == 2:
136
            user_r2s2 = [int(user_input[0]), int(user_input[1])]
137
        else:
138
            print("invalid R2 S2.")
139
            break
140

141
        pt = decrypt((user_r1s1, user_r2s2, user_f, user_h, p), ct)
142
        if pt == ticket:
143
            print(flag)
144
        else:
145
            print(pt.hex())
146
    else:
147
        print("invalid op.")
148
        break
149

150
print("bye!")

分析

当时赛中可能是看傻了。。。现在赛后跟别的师傅聊了后，复现出来了。

题目要求我们提交解密参数及密文，使得decrypt(enc)=token。

而题目的关键是加密函数：

1
def encrypt(pk, pt):
2
    P, Q, p = pk
3
    pt = bytes_to_long(pt)
4

5
    PP = 0
6
    QQ = 0
7

8
    for i in range(len(P)):
9
        u = randint(1, p)
10
        for j in range(len(P[0])):
11
            PP = PP + P[i][j] * (u * pt**j % p)
12
            QQ = QQ + Q[i][j] * (u * pt**j % p)
13

14
    return PP, QQ

转换成式子如下：

\begin{align*} PP=\sum_{i,j=0}^{1,2}[P_{i,j}*(u_i*pt^{j}\ mod\ p)]\\ QQ=\sum_{i,j=0}^{1,2}[Q_{i,j}*(u_i*pt^{j}\ mod\ p)] \end{align*}

用 $upt_{i,j}=u_i*pt^{j}\ mod\ p$ 来替代的话，则为：

\begin{align*} PP=\sum_{i,j=0}^{1,2}P_{i,j}*upt_{i,j}\\ QQ=\sum_{i,j=0}^{1,2}Q_{i,j}*upt_{i,j}\\ \end{align*}

因为我们知道 $P_{i,j}$ 、 $Q_{i,j}$ 的值以及 $PP$ 和 $QQ$ ，而且 $upt_{i,j}$ 的大小也不大，所以我们完全可以造格（类似背包格的造法）或者cuso来解出 $upt_{i,j}$ ，继而求出pt（也就是我们的token）。这里我采用的是cuso。

又因为我们的解密是需要我们输入解密参数的，所以我们可以自己生成一个公私钥对，将我们算出的token用我们的公钥加密，然后返回我们的新密文及对应的私钥即可。

EXP

1
from cuso import find_small_roots
2
from sage.all import *
3
from Crypto.Util.number import *
4
from math import gcd
5
from random import randint
6
from pwn import *
7

8

9
def gen_coprime_num(pbits):
10
    lbits = 2 * pbits + 8
11
    lb = 2**lbits
12
    ub = 2**(lbits + 1)
13
    while True:
14
        r = randint(lb, ub)
15
        s = randint(lb, ub)
16
        if gcd(r, s) == 1:
17
            return r, s
18

19
def mult_mod(A, B, p):
20
    result = [0] * (len(A) + len(B) - 1)
21
    for i in range(len(A)):
22
        for j in range(len(B)):
23
            result[i + j] = (result[i + j] + A[i] * B[j]) % p
24

25
    return result
26

27
def gen_key(p):
28
    f = [randint(1, 2**128) for i in ":)"]
29
    h = [randint(1, 2**128) for i in ":("]
30

31
    R1, S1 = gen_coprime_num(p.bit_length())
32
    R2, S2 = gen_coprime_num(p.bit_length())
33

34
    B = [[randint(1, p - 1) for i in ":("] for j in ":)"]
35

36
    P = []
37
    for b in B:
38
        P.append(mult_mod(f, b, p))
39

40
    Q = []
41
    for b in B:
42
        Q.append(mult_mod(h, b, p))
43

44
    for i in range(len(P)):
45
        for j in range(len(P[i])):
46
            P[i][j] = P[i][j] * R1 % S1
47
            Q[i][j] = Q[i][j] * R2 % S2
48

49
    sk = [(R1, S1), (R2, S2), f, h, p]
50
    pk = [P, Q, p]
51

52
    return sk, pk
53

54
def encrypt(pk, pt):
55
    P, Q, p = pk
56
    pt = bytes_to_long(pt)
57

58
    PP = 0
59
    QQ = 0
60

61
    for i in range(len(P)):
62
        u = randint(1, p)
63
        for j in range(len(P[0])):
64
            PP = PP + P[i][j] * (u * pt**j % p)
65
            QQ = QQ + Q[i][j] * (u * pt**j % p)
66

67
    return PP, QQ
68

69

70
sh = process(["python", "task.py"])
71
pk = eval(sh.recvline().strip().decode())
72
enc_ticket = eval(sh.recvline().strip().decode())
73
P,Q,p = pk
74
PP,QQ = enc_ticket
75

76
# cuso
77
upt0, upt1, upt2, upt3, upt4, upt5 = var('upt0, upt1, upt2, upt3, upt4, upt5')
78
f1 = P[0][0]*upt0 + P[0][1]*upt1 + P[0][2]*upt2 + P[1][0]*upt3 + P[1][1]*upt4 + P[1][2]*upt5 - PP
79
f2 = Q[0][0]*upt0 + Q[0][1]*upt1 + Q[0][2]*upt2 + Q[1][0]*upt3 + Q[1][1]*upt4 + Q[1][2]*upt5 - QQ
80

81
relations = [f1,f2]
82
bounds = {upt0:(0, 2**256), upt1:(0,p), upt2:(0,p), upt3:(0,2**256), upt4:(0,p), upt5:(0,p)}
83
roots = find_small_roots(
84
    relations,
85
    bounds,
86
)
87

88
for root in roots:
89
    u0 = root[upt0]
90
    u1 = root[upt3]
91
    m1 = root[upt1] * inverse(u0,p) % p
92
    m2 = root[upt4] * inverse(u1,p) % p
93
    if m1 == m2:
94
        sk1, pk1 = gen_key(p)
95
        RS1, RS2, f, h, pp = sk1
96
        R1,S1 = RS1
97
        R2,S2 = RS2
98
        ct1 = encrypt(pk1,long_to_bytes(m1))
99
        sh.sendlineafter(b"op>",b'2')
100
        sh.sendlineafter(b"ct:",f"{ct1[0]} {ct1[1]}".encode())
101
        sh.sendlineafter(b"your f:",f"{f[0]} {f[1]}".encode())
102
        sh.sendlineafter(b"your h:",f"{h[0]} {h[1]}".encode())
103
        sh.sendlineafter(b"your R1 S1:",f"{R1} {S1}".encode())
104
        sh.sendlineafter(b"your R2 S2:",f"{R2} {S2}".encode())
105
        print(sh.recvline().strip().decode())

4，Blurred (~)

题目

1
from sage.all import *
2
from sage.misc import prandom
3
import random
4
from Crypto.Cipher import AES
5
from Crypto.Hash import SHA256
6
from Crypto.Util.Padding import pad
7

8
q = 1342261
9
n = 1031
10
PR = PolynomialRing(Zmod(q), "x")
11
x = PR.gens()[0]
12
Q = PR.quotient(x**n + 1)
13
flag = b"flag{*****************************}"
14

15
def sample(rand):
16
    return (rand.getrandbits(1) - rand.getrandbits(1)) * (rand.getrandbits(1) * rand.getrandbits(1))
17

18

19
def GenNTRU():
20
    f = [sample(prandom) for _ in range(n)]
21
    g1 = [sample(prandom)for _ in range(n)]
22
    g2 = [sample(prandom) for _ in range(n)]
23
    g1x = Q(g1)
24
    g2x = Q(g2)
25

26
    while True:
27
        fx = Q(f)
28
        try:
29
            h1 = g1x / fx
30
            h2 = g2x / fx
31
            return (h1.lift(), h2.lift(), fx)
32
        except:
33
            prandom.shuffle(f)
34
            continue
35

36
for _ in range(20259):
37
    c = int(input("c :"))
38
    if c == 1:
39
        coin = random.getrandbits(1)
40
        if coin == 0:
41
            pk1, pk2, fx = GenNTRU()
42
        else:
43
            pk1, pk2, fx = Q.random_element().lift(), Q.random_element().lift(), Q([sample(prandom) for _ in range(n)])
44

45
        print("Hints:", pk1.list(), pk2.list())
46

47
    elif c == 2:
48
        SHA = SHA256.new()
49
        SHA.update(str(random.getrandbits(256)).encode())
50
        KEY = SHA.digest()
51
        cipher = AES.new(KEY, AES.MODE_ECB)
52
        flag = pad(flag, AES.block_size)
53
        print("Flag:", cipher.encrypt(flag))
54
    else:
55
        break

分析

虽然一眼就能看出——需要我们收集足够的bit来打MT19937，但是赛中没想出如何区分NTRU，所以就没出。之后跟别的师傅聊了下，然后复现出来了。

区分的关键是那个环 $R$ ：

因为 $R$ 的不可约多项式是 $x^{1031}+1$ ，里边有 $x+1$ 这个因子，且 $-1$ 是这个多项式的根，所以可以有这样一个映射，将环 $R$ 映射到整数域 $F_q$ 上：
$\phi: R\rightarrow F_q\\\phi[a(x)]=a(-1)\\ \phi[h(x) \cdot f(x)] = \phi[g(x)] \implies h(-1) \cdot f(-1) \equiv g(-1)\pmod{q}$

因此我们可以将 $h_1$ 和 $h_2$ 映射成 $H_1$ 和 $H_2$ ，造这样的格：

\begin{pmatrix} 1&H_1&H_2\\ 0&-p&0\\ 0&0&-p \end{pmatrix}

然后LLL取第一行即可。

而经过测试会发现：如果是NTRU，LLL出来的结果会很小；因此取一个100的界限即可。

不过后面打MT19937的时候，使用gf2bv会存在 mt[0]的高位取0与1的问题，所以为稳妥起见，我两种都尝试了。

EXP

1
from sage.all import *
2
from pwn import *
3
from tqdm import trange
4
from gf2bv import LinearSystem
5
from gf2bv.crypto.mt import MT19937
6
from Crypto.Util.number import *
7
from Crypto.Cipher import AES
8
from Crypto.Hash import SHA256
9

10

11
q = 1342261
12
n = 1031
13
PR = PolynomialRing(Zmod(q), "x")
14
x = PR.gens()[0]
15
Q = PR.quotient(x**n + 1)
16

17
sh = process(["python", "task.py"])
18

19
bits = []
20
for i in trange(19968):
21
    sh.sendlineafter(b"c :",b'1')
22
    res = sh.recvline().strip().decode().split(':')[-1]
23
    start1 = res.find('[')
24
    end1 = res.find(']')
25
    h1 = Q(eval(res[start1:end1+1]))
26
    start2 = res.find('[',end1)
27
    end2 = res.find(']',end1+1)
28
    h2 = Q(eval(res[start2:end2+1]))
29
    h1_value = h1.lift()(-1)
30
    h2_value = h2.lift()(-1)
31
    L = Matrix(ZZ,[
32
        [1,h1_value,h2_value],
33
        [0,-q,0],
34
        [0,0,-q]
35
    ])
36
    line = L.LLL()[0]
37
    if int(line.norm()) < 100:
38
        bits.append(0)
39
    else:
40
        bits.append(1)
41

42
sh.sendlineafter(b"c :",b'2')
43
sh.recvuntil(b"Flag: ")
44
enc_flag = eval(sh.recvline().strip())
45
print(f"enc_flag = {enc_flag}")
46
print(f"bits = {bits}")
47

48
def mt19937(out, ch):
49
    hig = [int(0x00000000), int(0x80000000)]
50
    lin = LinearSystem([32] * 624)
51
    mt = lin.gens()
52

53
    rng = MT19937(mt)
54
    zeros = []
55
    for o in out:
56
        zeros.append(rng.getrandbits(1) ^ int(o))
57
    zeros.append(mt[0] ^ hig[ch])
58

59
    for sol in lin.solve_all(zeros):
60
        rng = MT19937(sol)
61
        pyrand = rng.to_python_random()
62
        RNG = pyrand
63
        STATE = RNG.getstate()[1][:-1]
64
        STATE = STATE + (len(STATE),)
65
        RNG.setstate((3,STATE,None))
66

67
        for i in trange(19968):
68
            RNG.getrandbits(1)
69

70
        SHA = SHA256.new()
71
        SHA.update(str(RNG.getrandbits(256)).encode())
72
        KEY = SHA.digest()
73
        cipher = AES.new(KEY, AES.MODE_ECB)
74
        flag = cipher.decrypt(enc_flag)
75
        if b"flag" in flag:
76
            print(f"high = {ch}")
77
            print(f"{flag = }")
78

79
RNG = mt19937(bits, 0)
80
RNG = mt19937(bits, 1)

Thanks for reading!

QWB-Crypto (Part)

Mon Oct 20 2025

2452 words · 22 minutes

CTF Crypto