easy_rsa

通过 Short-pad Attack 与 Related Message Attack 得到压缩包的密码(下面的脚本利用 e = 3,且两条明文只相差已知常数 b = id2 - id1):

import binascii
def attack(c1, c2, b, e, n):
    """Recover the shared root of x^e - c1 and (x + b)^e - c2 over Z/nZ.

    c1 and c2 are two ciphertexts under the same (e, n) whose plaintexts
    differ by the known constant b.  Both polynomials vanish at the first
    plaintext, so their GCD contains the factor (x - m).

    Returns the negated constant term of the monic GCD.  That equals m only
    when the GCD is linear; this is assumed here and not checked.

    NOTE: the relation exists because the plaintexts are encrypted without
    randomized padding; a scheme such as OAEP removes the known algebraic
    link between the two messages.
    """
    ring = PolynomialRing(Zmod(n), 'x')
    x = ring.gen()
    f1 = x**e - c1
    f2 = (x + b)**e - c2

    # Euclid's algorithm on the two polynomials; the last non-zero remainder
    # is their GCD up to a unit, which monic() normalizes away.
    hi, lo = f1, f2
    while lo:
        hi, lo = lo, hi % lo
    common = hi.monic()

    # For a monic linear GCD (x - m) the constant coefficient is -m.
    return -common[0]
# Public modulus and exponent shared by both ciphertexts.
n = 0x9371c61a2b760109781f229d43c6f05b58de65aa2a674ff92334cb5219132448d72c1293c145eb6f35e58791669f2d8d3b6ce506f4b3543beb947cf119f463a00bd33a33c4d566c4fd3f4c73c697fa5f3bf65976284b9cc96ec817241385d480003cdda9649fa0995b013e66f583c9a9710f7e18396fbf461cb31720f94a0f79
e = 3

# The two ciphertexts of the related plaintexts.
c1 = 0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffbbd5a5e1a10f686c3f240e85d011f6c8b968d1d607b2e1d5a78ad6947b7d3ec8f33ad32489befab601fe745164e4ff4aed7630da89af7f902f6a1bf7266c9c95b29f2c69c33b93a709f282d43b10c61b1a1fe76f5fee970780d7512389fd1
c2 = 0x5f4e03f28702208b215f39f1c8598b77074bfa238dfb9ce424af7cc8a61f7ea48ffc5c26b0c12bcff9f697f274f59f0e55a147768332fc1f1bac5bbc8f9bb508104f232bdd20091d26adc52e36feda4a156eae7dce4650f83fabc828fdcfb01d25efb98db8b94811ca855a6aa77caff991e7b986db844ff7a140218449aaa7e8

a = 1  # not used anywhere below in this script

# Presumably each plaintext is the secret plus its id, so the known
# difference between the two plaintexts is id2 - id1 -- confirm against the
# challenge source.
id1 = 1
id2 = 2
b = id2 - id1

m1 = attack(c1, c2, b, e, n)

# Strip the id again and print the remaining integer as raw bytes.
plain_hex = "%x" % int(m1 - id1)
print(binascii.unhexlify(plain_hex))
#b'the key is :everything_is_easy_in_this_questiom'

分析可知这是 OTP(一次性密码本)加密,而且同一个 key 被重复用于多条密文,因此可以使用 https://github.com/SpiderLabs/cribdrag 做 crib dragging:不断猜测并检验明文片段,最终得到 key

280316470206017f5f163a3460100b111b2c254e103715600f13,   Now you need to use the 
091b0f471d05153811122c70340c0111053a394e0b39500f0a18,   own flag as the key of One
4638080a1e49243e55531a3e23161d411a362e4044111f374409,   Time Pad Encrypt. Now 
0e0d15470206017f59122935601405421d3a244e10371560140f,   hat you havE passed the
031a08080e1a540d62327f242517101d4e2b2807177f13280511,   eviou
0a090f001e491d2c111d3024601405431a36231b083e022c1d,     lenge is noT particularl
16000406080c543854077f24280144451c2a254e093a0333051a,   please get The true messag
02050701120a01334553393f32441d5e1b716027107f19334417,   difficult f0r you. It is 
131f15470800192f5d167f352e0716481e2b29010a7139600c12,   use simple Encryption.I
1609411e141c543c501d7f232f0812544e2b2807177f00320b1f,   pe you can Solve this problem
0a090c470a1c1d3c5a1f2670210a0011093a344e103715600712,   lem q
141e04040f49153142043a22601711520d3a331d0826            rrectw


将第一个p改成P,得到正确flag{it_1sP@dd1n@nd_p@d}

random

由 ed+n 与 ed-n 求出 n 与 e*d,再利用已知的 e*d 分解 n 得到 p、q(k = e*d - 1 是 λ(n) 的倍数,因此可以概率性地找到模 n 下 1 的非平凡平方根):

# coding=utf-8
import math
import random

import libnum

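# RSA modulus and the product a = e*d, both recovered from the challenge
# values (the write-up derives them from ed+n and ed-n).
n = 104017565871178939971501575340112562454393004836992144768171622389677604840484994312793583974506432289548886013830127200541386300397244284320008224080452457863872125395966395146581042009792132509365457899093476717102397445859172446049330231365732777057809179757453711728433043860025829224034106974387623123609
a = 3563225736483105767663757964850895939437686773696002911178487096580796031415653965179057012630692344510786639289764837381745729106408000203666201724099978695932368871885604099587719393152976934607128732108404042096355012051169236089620505421627586309618317607971836222910097506025923742035914623661579380093911361

# e*d - 1 is a multiple of lambda(n), so a known (e, d) pair is enough to
# factor n: a modulus whose private exponent has leaked has to be retired,
# issuing a new exponent for the same n does not help.  The search below
# follows the usual probabilistic prime-factor recovery procedure
# (cf. NIST SP 800-56B, Appendix C).
k = a - 1

# Write k = 2**t * r with r odd.  The "r and" guard keeps k == 0 from
# looping forever.
r = k
t = 0
while r and r % 2 == 0:
    r //= 2
    t += 1

success = False

for _attempt in range(100):
    # Skip the bases 0, 1, n - 1 and n: they can only produce 0 or +-1.
    g = random.randint(2, n - 2)
    y = pow(g, r, n)
    if y == 1 or y == n - 1:
        continue

    # Square up to t times, looking for x == 1 while y is neither 1 nor
    # n - 1, i.e. a non-trivial square root of 1 modulo n.  The t-th
    # squaring is needed to catch y == g**(k/2).
    for _step in range(t):
        x = pow(y, 2, n)
        if x == 1:
            success = True
            break
        if x == n - 1:
            # This base only reaches the trivial root -1; pick another one.
            break
        y = x

    if success:
        break

if success:
    # y**2 == 1 (mod n) with y != +-1, so gcd(y - 1, n) is a proper factor.
    p = math.gcd(y - 1, n)
    q = n // p
    print ('P: ' + '%s' % p)
    print ('Q: ' + '%s' % q)
else:
    print ('Cannot compute P and Q')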

P: 9473016801951797771267846445459738473973421588058140695253031511700407533935872397264731631901174665159278878658035094231228063878480145556088206641042779
Q: 10980405508174271259925333166343579553719061316941945190323939083665489902286168861229664589365210026388298173482496757264697996404794685064674668272479771

将e*d分解后得到8个素因数,进行遍历爆破尝试,得到e d

import gmpy2
from gmpy2 import gcd
# The two prime factors of n found by the factoring script.
p = 10980405508174271259925333166343579553719061316941945190323939083665489902286168861229664589365210026388298173482496757264697996404794685064674668272479771
q = 9473016801951797771267846445459738473973421588058140695253031511700407533935872397264731631901174665159278878658035094231228063878480145556088206641042779

# Candidate public exponent, built from two of the prime factors of e*d.
e = 3 * 21851

# Same e*d value as in the factoring script; it is not used below.
a = 3563225736483105767663757964850895939437686773696002911178487096580796031415653965179057012630692344510786639289764837381745729106408000203666201724099978695932368871885604099587719393152976934607128732108404042096355012051169236089620505421627586309618317607971836222910097506025923742035914623661579380093911361

# Euler's totient of n = p*q, written out as p*q - (p + q) + 1.
phi = p * q - (p + q) + 1

# Private exponent: the inverse of e modulo phi.
d = gmpy2.invert(e, phi)
print(d)

根据条件计算 pow(m,d,p)(下面脚本中该素数记为 q,即上一步分解输出的 P):

import gmpy2
from Crypto.Util.number import *
# Prime factors of n; q here is the value the factoring script printed as P.
p = 10980405508174271259925333166343579553719061316941945190323939083665489902286168861229664589365210026388298173482496757264697996404794685064674668272479771
q = 9473016801951797771267846445459738473973421588058140695253031511700407533935872397264731631901174665159278878658035094231228063878480145556088206641042779

# Private exponent printed by the previous script.
d = 54356409874195014227628910421352126362450029345659281973036887657022501356393360565939880899893099393022236042435355168821346530386221838873372717100666311167030782296547894064157542647216404048741151924525255016495889006623178742233315110240989524653613375558278587141856169908713922200904834617204084940337

# Fixed message the challenge asks for, as a big-endian integer.
message = b"you_can_get_more_message"
m = bytes_to_long(message)

# Only the residue modulo the single prime q is computed, not modulo n.
residue = pow(m, d, q)
print(residue)
#1467512422899344469590873536652793080008891506787883269029696028612821654639990861783248552312105768546357431571795163754729055193569746680893460935895550


LCG 算法:先由连续输出恢复模数、乘数和增量,再由第一个输出反推 seed

from functools import reduce
from gmpy2 import gcd
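def egcd(a, b):
    """Extended Euclid: return (g, x, y) such that a*x + b*y == g.

    Written as a loop rather than a recursion, so operands that need more
    division steps than the interpreter's recursion limit allows (for
    example moduli well beyond 1024 bits) no longer raise RecursionError.
    The quotient sequence is unchanged, so the returned triple is the same
    one the recursive form produces, including egcd(0, b) == (b, 0, 1).

    The sign of g follows Python's floor division, so g can be negative when
    an argument is negative.
    """
    # Invariant: a == xa*a0 + ya*b0 and b == xb*a0 + yb*b0, where a0 and b0
    # are the values the function was called with.
    xa, ya = 1, 0
    xb, yb = 0, 1
    while a != 0:
        quotient, remainder = divmod(b, a)
        a, b = remainder, a
        xa, ya, xb, yb = xb - quotient * xa, yb - quotient * ya, xa, ya
    return (b, xb, yb)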
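def modinv(b, n):
    """Return the inverse of b modulo n, or None when b is not invertible.

    egcd reports the gcd with the sign that floor division produces, so for
    a negative b (for example the difference of two LCG states) a coprime
    pair can come back with g == -1.  That case is a valid inverse too and
    is handled here instead of falling through to None.
    """
    g, x, _ = egcd(b, n)
    if g == 1:
        return x % n
    if g == -1:
        # b*x + n*y == -1, hence b*(-x) == 1 (mod n).
        return -x % n
    # gcd(b, n) is not a unit: no inverse exists.
    return None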

def crack_unknown_increment(states, modulus, multiplier):
    """Derive the LCG increment from two consecutive outputs.

    With s1 == s0 * multiplier + increment (mod modulus), the increment is
    s1 - s0 * multiplier reduced modulo modulus.

    Returns the full parameter triple (modulus, multiplier, increment).
    """
    first, second = states[0], states[1]
    increment = (second - first * multiplier) % modulus
    return modulus, multiplier, increment

def crack_unknown_multiplier(states, modulus):
    """Derive the LCG multiplier from three consecutive outputs.

    Consecutive differences satisfy s2 - s1 == multiplier * (s1 - s0)
    (mod modulus), so the multiplier is (s2 - s1) times the inverse of
    (s1 - s0).  The increment is then filled in by crack_unknown_increment.

    If s1 - s0 has no inverse modulo modulus, modinv returns None and the
    multiplication below raises TypeError.
    """
    delta_next = states[2] - states[1]
    delta_prev = states[1] - states[0]
    inverse = modinv(delta_prev, modulus)
    multiplier = (delta_next * inverse) % modulus
    return crack_unknown_increment(states, modulus, multiplier)

def crack_unknown_modulus(states):
    """Recover (modulus, multiplier, increment) of an LCG from its outputs.

    For consecutive differences t0, t1, t2 of an LCG, t2*t0 - t1*t1 is a
    multiple of the modulus, so the GCD of several such values is taken as
    the modulus.  With only a few outputs the GCD may still be a proper
    multiple of the real modulus -- verify the result against the known
    states.

    NOTE: a handful of raw outputs is enough to recover every parameter,
    which is why an LCG must not be used where unpredictability matters;
    the `secrets` module is the standard-library choice for that.
    """
    deltas = []
    for previous, current in zip(states, states[1:]):
        deltas.append(current - previous)

    multiples = []
    for idx in range(len(deltas) - 2):
        t0, t1, t2 = deltas[idx], deltas[idx + 1], deltas[idx + 2]
        multiples.append(t2 * t0 - t1 * t1)

    modulus = abs(reduce(gcd, multiples))
    return crack_unknown_multiplier(states, modulus)
# Ten consecutive LCG outputs given by the challenge.
hint = [
    3732074616716238200873760199583586585380050413464247806581164994328669362805685831589304096519259751316788496505512,
    8890204100026432347745955525310288219105398478787537287650267015873395979318988753693294398552098138526129849364748,
    3443072315415198209807083608377973177101709911155814986883368551162572889369288798755476092593196361644768257296318,
    4505278089908633319897964655164810526240982406502790229247008099600376661475710376587203809096899113787029887577355,
    9059646273291099175955371969413555591934318289156802314967132195752692549263532407952697867959054045527470269661073,
    3085024063381648326788677294168591675423302286026271441848856369032582049512915465082428729187341510738008226870900,
    8296028984288559154928442622341616376293205834716507766500770482261973424044111061163369828951815135486853862929166,
    2258750259954363171426415561145579135511127336142626306021868972064434742092392644953647611210700787749996466767026,
    4382123130034944542655156575000710851078842295367353943199512878514639434770161602326115915913531417058547954936492,
    10982933598223427852005472748543379913601896398647811680964579161339128908976511173382896549104296031483243900943925,
]

# Prints the recovered (modulus, multiplier, increment) triple.
recovered = crack_unknown_modulus(hint)
print(recovered)
from gmpy2 import *
from Crypto.Util.number import long_to_bytes
# LCG parameters: modulus n, multiplier m, increment c -- presumably the
# triple printed by crack_unknown_modulus above; confirm against that output.
n = 15756647314623328166703743185062683999338522182906057851774027566229961399311096111735183330556202175961402609739909
m = 1421031764968400527762460898092137083742564633301039280991459091107942075801014756436528426924261706134389048251788
c = 11545938748867242620537115092757411052463250917387015436216035440161952627398745850382131607456750667325541719714933

# First observed output (same value as hint[0]).
s1 = 3732074616716238200873760199583586585380050413464247806581164994328669362805685831589304096519259751316788496505512

# Step the generator backwards once: s1 == m * seed + c (mod n), therefore
# seed == (s1 - c) * m^-1 (mod n).
seed = (s1 - c) * invert(m, n) % n
print(long_to_bytes(seed))
#b'flag{Y0u_K0nw_everyTh1ng_1$_e@sy}'

RSAsig

先完成 sha224 的工作量证明(proof of work):爆破 3 个字符的前缀,使其与给定后缀拼接后的 sha224 等于给定值

from hashlib import sha224
from pwn import *
import re

# Alphabet for the proof-of-work prefix: ASCII letters followed by digits.
# NOTE(review): `string` is not imported explicitly in this snippet;
# presumably it arrives through `from pwn import *` -- confirm, or add
# `import string`.
words = "".join([string.ascii_letters, string.digits])
def proof(x, key):
    """Find the 3-character prefix whose sha224, with suffix x, equals key.

    Every 3-character combination over the module-level alphabet `words` is
    tried in order; the first prefix p with sha224(p + x).hexdigest() == key
    is returned.  Returns None when no combination matches.
    """
    candidates = (a + b + c for a in words for b in words for c in words)
    for answer in candidates:
        digest = sha224((answer + x).encode()).hexdigest()
        if digest == key:
            return answer
    return None
# Suffix and target digest as sent by the service for this session.
x = "aOq7fAeX2zmrVnERk"
key = "e8b662b5a86876d0a772f96bfa9687eeff75e84504c4281afea8b06f"

# Prints the matching 3-character prefix (or None when there is none).
answer = proof(x, key)
print(answer)

进行顺序解密

import gmpy2
import base64
from Crypto.Util.number import *
# Base64 blob taken from the challenge; decode it and print it as an integer.
c1 = "5vnu5ynWZlkpom/Cksn52EjYzPywbmMIpmVE2Ax74LVZjxTOk4c+YqoAChmoV41Kz/CAIhUsiDiAQ/EYqkpaJ/3QhRLyd+3CiMY4HXJHZdvJ4f+lje4cSDAzC/kgUyT7Ec2ep6iexXwG3kqv7iVhmLoTpkbM847TTilLWJyn/S0=".encode()
c = base64.b64decode(c1)
c_as_int = bytes_to_long(c)
print(c_as_int)

# Presumably the integer the service returned for the value above -- the
# exchange itself is not shown here.  Converting it to bytes yields the flag.
c2 = 56006392793405645694588149544847738787783346155733520492550384326821887027133575441114622249532470653
plaintext = long_to_bytes(c2)
print(plaintext)
#flag{5c567b68-11f3-436a-9061-c304c7d55da5}