初始謎題1
由原始碼可知,有固定的字首,且長度為18,超過一個塊的長度,可以透過求方程的形式先將key求出來,再將整個key帶入解密函式得到加密前的字串
求key
# sage
N_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
N = Integer(int(N_HEX, 16))
c = 93382245813721552487797960827649171665391507700644252652416613658034348007025
a = 89652660640613347754090896429354803559
# 求解方程的過程
PR.<x> = PolynomialRing(Zmod(N))
f = a*x-c
x = f.monic().roots()[0][0]
print(x)
# 78219201121828481251879725014475581035499659637323462262120670452020141740957
解密:
from sympy import Mod, Integer
from sympy.core.numbers import mod_inverse
N_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
MODULUS = Integer(int(N_HEX, 16))
MSG_PREFIX = "CryptoCup message:"
# 解密函式
def decrypt_message(encrypted_message, key):
num_blocks = len(encrypted_message) // 32
blocks = [encrypted_message[i * 32:(i + 1) * 32] for i in range(num_blocks)]
decrypted_blocks = []
k = key
# 解密每個分組
for block in blocks:
block_int = int.from_bytes(block, byteorder='big')
key_inv = mod_inverse(k, MODULUS)
decrypted_block_int = Mod(block_int * key_inv, MODULUS)
decrypted_blocks.append(decrypted_block_int)
k += 1 # 金鑰自增1
# 將解密後的分組連線成最終的明文
decrypted_message = b''.join(
int(block_int).to_bytes(16, byteorder='big') for block_int in decrypted_blocks
)
# 去除字首
if decrypted_message.startswith(MSG_PREFIX.encode('utf-8')):
decrypted_message = decrypted_message[len(MSG_PREFIX):]
return decrypted_message.rstrip(b'\x00').decode('utf-8')
enc = "ce747a655f632a64ad55d86d5b071bffbae52d8d7842afcab25d5b053ce09e71af5d982ea5fc9d7c06836e3c3c43ecf719afc44bf9a8bd27257b80379b4b456666b59144f9f72f24554b85d0906fe4246fb715106130df629fdc9d3ad996cc2890fe533d0181c21b08cc1439fc3eb1c20aaadecb123a0923ba2e9550c83de6f3"
enc = bytes.fromhex(enc)
key = Integer(78219201121828481251879725014475581035499659637323462262120670452020141740957)
flag = decrypt_message(enc,key)
print(flag)
# 812D4f5LyQTDj7HapMNxmQ6dJSgOLthL
驗證透過
flag{69IU8m6qiWeOThxOrm3gFCj1wn5xjY2A}
gitea賬號:giteauser2024
gitea口令:S(*HD^WY63y89TY71
提示:gitea賬號和口令用於登入第二環節的gitea伺服器,請注意儲存!
初始謎題2
sm3長度擴充攻擊,直接上指令碼
SM3.py
from functools import reduce
import struct
from const import *
def rotate_left(a, k):
k %= 32
high, low = divmod(a, BIT_EACH_32[32 - k])
return high + low * BIT_EACH_32[k]
T_j = [0x79cc4519] * 16 + [0x7a879d8a] * 48
T_j_rotate_left = [rotate_left(Tj, j) for j, Tj in enumerate(T_j)]
def PUT_UINT32_BE(n):
return [int((n >> 24) & 0xff), int((n >> 16) & 0xff), int((n >> 8) & 0xff), int(n & 0xff)]
def CF(V_i, B_i):
W = [(B_i[ind] * BIT_EACH_32[24]) + (B_i[ind + 1] * BIT_EACH_32[16]) + (B_i[ind + 2] * BIT_EACH_32[8]) + (
B_i[ind + 3]) for ind in range(0, 64, 4)]
for j in range(16, 68):
high_W3_15, low_W3_15 = divmod(W[-3], BIT_EACH_32[17])
high_W13_7, low_W13_7 = divmod(W[-13], BIT_EACH_32[25])
# P_1
X = W[- 16] ^ W[- 9] ^ (high_W3_15 + low_W3_15 * BIT_EACH_32[15])
high_P1_15, low_P1_15 = divmod(X, BIT_EACH_32[17])
r_l_15 = high_P1_15 + low_P1_15 * BIT_EACH_32[15]
high_P1_23, low_P1_23 = divmod(X, BIT_EACH_32[9])
r_l_23 = high_P1_23 + low_P1_23 * BIT_EACH_32[23]
# return X ^ (rotate_left(X, 15)) ^ (rotate_left(X, 23))
W.append(X ^ r_l_15 ^ r_l_23 ^ (high_W13_7 + low_W13_7 * BIT_EACH_32[7]) ^ W[- 6])
# W.append(P_1(W[- 16] ^ W[- 9] ^ (high_W3_15 + low_W3_15 * BIT_EACH_32[15])) ^ (
# high_W13_7 + low_W13_7 * BIT_EACH_32[7]) ^ W[- 6])
W_1 = [W[j] ^ W[j + 4] for j in range(64)]
A, B, C, D, E, F, G, H = V_i
for j in range(0, 16):
high_A12, low_A12 = divmod(A, BIT_EACH_32[20])
r_l_12 = high_A12 + low_A12 * BIT_EACH_32[12]
high, low = divmod((r_l_12 + E + T_j_rotate_left[j]) & 0xFFFFFFFF, BIT_EACH_32[25])
SS1 = high + low * BIT_EACH_32[7]
SS2 = SS1 ^ r_l_12
# Wj = (B_i[ind] * BIT_EACH_32[24]) + (B_i[ind + 1] * BIT_EACH_32[16]) + (B_i[ind + 2] * BIT_EACH_32[8]) + (B_i[ind + 3])
# FF
TT1 = ((A ^ B ^ C) + D + SS2 + W_1[j]) & 0xFFFFFFFF
# GG
TT2 = ((E ^ F ^ G) + H + SS1 + W[j]) & 0xFFFFFFFF
high_B9, low_B9 = divmod(B, BIT_EACH_32[23])
high_F19, low_F19 = divmod(F, BIT_EACH_32[13])
high, low = divmod(TT2, BIT_EACH_32[23])
r_l_9 = high + low * BIT_EACH_32[9]
high, low = divmod(TT2, BIT_EACH_32[15])
r_l_17 = high + low * BIT_EACH_32[17]
A, B, C, D, E, F, G, H = TT1, A, high_B9 + low_B9 * BIT_EACH_32[9] & 0xffffffff, C, (
TT2 ^ r_l_9 ^ r_l_17) & 0xffffffff, E, high_F19 + low_F19 * BIT_EACH_32[19] & 0xffffffff, G
for j in range(16, 64):
high_A12, low_A12 = divmod(A, BIT_EACH_32[20])
r_l_12 = high_A12 + low_A12 * BIT_EACH_32[12]
high, low = divmod((r_l_12 + E + T_j_rotate_left[j]) & 0xFFFFFFFF, BIT_EACH_32[25])
SS1 = high + low * BIT_EACH_32[7]
SS2 = SS1 ^ r_l_12
# FF
TT1 = (((A & B) | (A & C) | (B & C)) + D + SS2 + W_1[j]) & 0xFFFFFFFF
# GG
TT2 = (((E & F) | ((~ E) & G)) + H + SS1 + W[j]) & 0xFFFFFFFF
high_B9, low_B9 = divmod(B, BIT_EACH_32[23])
high_F19, low_F19 = divmod(F, BIT_EACH_32[13])
high, low = divmod(TT2, BIT_EACH_32[23])
r_l_9 = high + low * BIT_EACH_32[9]
high, low = divmod(TT2, BIT_EACH_32[15])
r_l_17 = high + low * BIT_EACH_32[17]
A, B, C, D, E, F, G, H = TT1, A, high_B9 + low_B9 * BIT_EACH_32[9] & 0xffffffff, C, (
TT2 ^ r_l_9 ^ r_l_17) & 0xffffffff, E, high_F19 + low_F19 * BIT_EACH_32[19] & 0xffffffff, G
return [A ^ V_i[0], B ^ V_i[1], C ^ V_i[2],
D ^ V_i[3], E ^ V_i[4], F ^ V_i[5], G ^ V_i[6], H ^ V_i[7]]
# def CFs(V_i):
def digest(msg, state=(IV, 0)):
msg = str2bytes(msg)
cur_v, cur_len = state
len1 = len(msg) + cur_len
msg.append(0x80)
reserve1 = len1 % 64 + 1
range_end = 56 if reserve1 <= 56 else 120
msg.extend([0] * (range_end - reserve1))
bit_length = len1 * 8
msg.extend(struct.pack(">Q", bit_length))
B = (msg[i:i + 64] for i in range(0, len(msg), 64))
y = reduce(CF, B, cur_v)
b = bytearray()
[b.extend(PUT_UINT32_BE(each)) for each in y]
return bytes(b)
def str2bytes(msg: str, encoding='utf-8'):
"""字串轉換成byte陣列"""
msg_bytearray = msg.encode(encoding) if isinstance(msg, str) else msg
return list(msg_bytearray)
def byte2str(msg, decode='utf-8'):
"""byte陣列轉字串"""
return msg.decode(decode) if isinstance(msg, (bytes, bytearray)) else msg
def hex2byte(msg):
"""16進位制字串轉換成byte列表"""
if not isinstance(msg, str):
raise ValueError('message must be string')
ml = len(msg)
if (ml & 1) != 0:
msg = '0' + msg
return list(bytes.fromhex(msg))
const.py
BIT_BLOCK_H = [0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE, 0xFF]
BIT_BLOCK_L = [0x0, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF]
BIT_EACH = [1, 2, 4, 8, 16, 32, 64, 128, 256]
BIT_EACH_32 = [1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144,
524288, 1048576, 2097152, 4194304, 8388608, 16777216, 33554432, 67108864, 134217728, 268435456,
536870912, 1073741824, 2147483648, 4294967296]
IV = [1937774191, 1226093241, 388252375, 3666478592, 2842636476, 372324522, 3817729613, 2969243214]
de.py
from SM3 import digest as hash_func
import struct
import os
# from hashlib import sha256
# from gmssl import sm3, func
H = hash_func
def attack(pub, apd):
"""
forge based on pub
:param pub: public info
:param apd: data appended bt attacker
:return: forgery
"""
def create_pad(len1):
pad = [0x80]
reserve1 = len1 % 64 + 1
range_end = 56 if reserve1 <= 56 else 120
pad.extend([0] * (range_end - reserve1))
bit_length = len1 * 8
pad.extend(struct.pack(">Q", bit_length))
return bytes(pad)
pub_msg, pub_hsh, sec_len = pub
pub_hsh=bytes.fromhex(pub_hsh)
pad = create_pad(sec_len + len(pub_msg))
msg = pub_msg + pad + apd
cur_v = int.from_bytes(pub_hsh, byteorder="big")
cur_v = [(cur_v >> ((7 - i) * 32)) & 0xFFFFFFFF for i in range(8)]
cur_len = sec_len + len(pub_msg) + len(pad)
state = cur_v, cur_len
sig = H(apd, state)
return msg, sig
def main():
sm3_hash = "90dbd8ab4beb24357aa54efa1b50af596500e85961d8695a4988719a34caaf1b"
counter = 0x53237646
counter_bytes = counter.to_bytes((counter.bit_length() + 7) // 8, 'big')
pub = (counter_bytes,sm3_hash,32)
counter = 0x53237656
counter_bytes = counter.to_bytes((counter.bit_length() + 7) // 8, 'big')
forgery = attack(pub,counter_bytes)
#print(f"forgery: {forgery}")
print(forgery[0].hex())
print(forgery[1].hex())
if __name__ == '__main__':
main()
執行得到 counter 和 token
532376468000000000000000000000000000000000000000000000000000012053237656
8cdc6cec4deba9ff8f4e70048a54fd5e90e1a2ae26e43d27039f631c43e68802
傳送過去即可得到flag
驗證透過
flag{HFwmscbZDCXf1JmaCJgq1OC2uqR0V7no}
gitea賬號:giteauser2024
gitea口令:S(*HD^WY63y89TY71
提示:gitea賬號和口令用於登入第二環節的gitea伺服器,請注意儲存!
初始謎題3
題目給了c1,c2,A,b
且存在以下關係
b = (A * s + e) % q
c1 = (x * A) % q
c2 = (x * b + e1 + m * (q // 2)) % q
m_dec = (c2 - c1 * s) % q
透過化簡,可以知道 $(c2 - c1 * s) % q$ 的目的是為了消去 $x*b$
利用 c1 求出 x,即可得到m_dec從而解密
import sympy as sp
# 設定引數
n = 16 # 向量長度
q = 251 # 模數
A=sp.Matrix([[38, 139, 108, 73, 122, 75, 43, 183, 240, 186, 165, 162, 33, 223, 45, 168], [41, 148, 169, 1, 51, 45, 206, 191, 95, 11, 38, 83, 187, 68, 124, 99], [77, 191, 171, 8, 52, 122, 99, 28, 213, 46, 240, 15, 55, 146, 150, 16], [163, 69, 32, 24, 2, 210, 52, 42, 91, 142, 224, 218, 109, 243, 22, 31], [161, 62, 214, 76, 66, 35, 235, 209, 227, 43, 96, 201, 182, 72, 247, 177], [35, 118, 176, 16, 182, 29, 68, 150, 10, 250, 20, 80, 229, 126, 202, 4], [161, 33, 117, 170, 155, 246, 238, 112, 103, 208, 77, 36, 61, 226, 45, 211], [52, 202, 95, 17, 82, 183, 162, 9, 51, 135, 141, 88, 140, 169, 29, 211], [165, 220, 39, 29, 106, 11, 167, 199, 139, 74, 64, 225, 176, 67, 244, 180], [197, 96, 12, 35, 24, 79, 46, 21, 98, 239, 226, 25, 190, 160, 66, 64], [7, 185, 27, 131, 39, 186, 147, 21, 177, 226, 70, 232, 155, 79, 223, 151], [224, 147, 230, 238, 40, 137, 183, 73, 32, 112, 197, 184, 3, 31, 9, 31], [103, 149, 137, 78, 181, 19, 60, 158, 214, 49, 16, 195, 19, 148, 52, 71], [153, 108, 158, 203, 48, 5, 89, 180, 47, 246, 82, 12, 186, 15, 20, 31], [200, 201, 44, 110, 47, 80, 180, 71, 241, 197, 129, 111, 241, 49, 17, 53], [169, 206, 239, 173, 186, 143, 114, 29, 104, 109, 173, 212, 167, 36, 58, 17]])
c1=sp.Matrix([[201, 56, 147, 23, 22, 63, 139, 149, 165, 84, 8, 25, 119, 190, 224, 241], [178, 163, 197, 170, 118, 204, 187, 248, 193, 248, 121, 14, 88, 227, 165, 229], [249, 144, 246, 2, 147, 156, 213, 68, 133, 86, 128, 144, 211, 11, 185, 37], [229, 148, 183, 71, 86, 121, 26, 247, 164, 236, 237, 249, 135, 115, 106, 117], [144, 32, 155, 162, 120, 133, 215, 102, 56, 162, 136, 240, 138, 148, 143, 238], [222, 124, 38, 202, 121, 137, 92, 19, 184, 64, 18, 13, 233, 144, 103, 27], [233, 98, 13, 217, 66, 48, 153, 93, 192, 228, 84, 54, 2, 164, 69, 34], [119, 104, 110, 111, 10, 165, 85, 78, 31, 207, 201, 236, 48, 65, 216, 55], [98, 53, 20, 56, 212, 147, 193, 226, 84, 124, 52, 10, 37, 51, 40, 5], [230, 193, 171, 57, 165, 118, 128, 138, 186, 210, 25, 160, 175, 124, 159, 53], [202, 185, 69, 120, 92, 177, 216, 169, 66, 226, 136, 6, 66, 196, 26, 95], [99, 125, 138, 134, 133, 77, 53, 95, 191, 238, 168, 33, 239, 172, 228, 80], [95, 149, 73, 119, 178, 17, 225, 95, 226, 108, 99, 23, 221, 201, 145, 86], [213, 39, 40, 67, 143, 219, 208, 118, 173, 77, 167, 80, 54, 246, 105, 90], [147, 106, 219, 216, 8, 218, 3, 227, 187, 115, 59, 140, 144, 196, 43, 13], [71, 106, 159, 147, 233, 206, 110, 24, 68, 146, 126, 17, 231, 10, 97, 201]])
c2=sp.Matrix([[140], [99], [17], [232], [35], [169], [127], [96], [205], [60], [74], [133], [70], [170], [241], [33]])
b=sp.Matrix([[156], [249], [104], [135], [169], [15], [175], [12], [210], [61], [94], [127], [117], [133], [236], [166]])
tmp = A.inv_mod(q)
x =(c1 * tmp) % q
# print(x)
m_dec = (c2 - x*b) % q
m_rec = m_dec.applyfunc(lambda x: round(2 * x / q) % 2) # 還原訊息
m_bin = ''.join([str(bit) for bit in m_rec]) # 將SymPy矩陣轉換為二進位制字串
m_rec_int = int(m_bin, 2) # 將二進位制字串轉換為整數
print(hex(m_rec_int)[2:])
# 285b
驗證透過
flag{ShSN8gbucIrGOii3bMpaBexjXCPrqDq7}
gitea賬號:giteauser2024
gitea口令:S(*HD^WY63y89TY71
提示:gitea賬號和口令用於登入第二環節的gitea伺服器,請注意儲存!