menu badmonkey's blog
more_vert
chevron_right 首页 » Crypto » 正文
2020网鼎杯
2020-05-10 | Crypto | 暂无评论 | 706 次阅读 | 251字

2020网鼎杯青龙组

you_raise_me_up

离散对数问题,直接用sage求解,脚本如下:

m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
n = 2**512
m = Mod(m,n)
c = Mod(c,n)
flag=discrete_log(c,m)
# flag = 56006392793405651552924479293096841126763872290794186417054288110043102953612574215902230811593957757
print(long_to_bytes(flag))
# flag{5f95ca93-1594-762d-ed0b-a9139692cb4a}

Boom

非常简单得初中计算题,算出方程得解,再加上原始字符串,得到flag

#en5oy,x=74,y=68,z=31,x=89127561
#flag{en5oy_746831_89127561}

easy_ya

通过common prime attack 可以还原key。encode流程非常类似md5得流程不过简化了很多,可以注意到最后一步

hex((y << 52) ^ (pads << 20) ^ z)

其实泄露了很多信息,比如完整的y,25bits的z,20bits的pads,而且pads的低7bits和z的高7bits,异或结果已知。于是可以爆破pads的高位和低位。得到最后一轮的y,z。再看一下每一轮的操作

y = limit( y + ((z*16 + a) ^ (z + pads) ^ ((z>>5) + b)))
z = limit( z + ((y*16 + c) ^ (y + pads) ^ ((y>>5) + d)))

我们可以发现计算完y之后再计算z,而我们已经得到了最后一轮的y完整信息,于是可以逆向上一轮的z,通过上一轮的z逆向上一轮的y,最后循环32轮的初始的y,z信息。每一轮的逆向如下

def recoverRound(Z,Y,a,b,c,d,pads):
    Z = limit(Z-((Y * 16 + c) ^ (Y + pads) ^ ((Y >> 5) + d)))
    Y = limit(Y-((Z * 16 + a) ^ (Z + pads) ^ ((Z >> 5) + b)))
    return Y,Z

通过交互脚本,收集flag的hash信息

'''
@Author: badmonkey
@Date: 2020-05-10 10:16:21
@LastEditTime: 2020-05-10 15:42:28
@LastEditors: Please set LastEditors
@Description: In User Settings Edit
@FilePath: /easy_ya.py
'''
import os
# os.environ['TERM'] = 'screen'
from random import randint
from Crypto.Util.number import getPrime,long_to_bytes,bytes_to_long
from pwn import *
from tqdm import tqdm
from hashlib import sha384,sha256,sha1,sha224,sha512,md5
from string import printable
from itertools import product
# 32bits
limit = lambda n: n & 0xffffffff
padding="\xe6\xe6\xe7\xe6\xe5\xe6\xe5\xe9\xe5"
ek='\xe6\x84\xbf'


def encode(key,data):
    pad  = randint(0x10000000,0xffffffff)
    Key  = [ord(i) for i in key]
    Data = [ord(i) for i in data]
    a = limit((Key[0] << 24) | (Key[1] << 16) | (Key[2] << 8) | Key[3])
    b = limit((Key[4] << 24) | (Key[5] << 16) | (Key[6] << 8) | Key[7])
    c = limit((Key[8] << 24) | (Key[9] << 16) | (Key[10] << 8) | Key[11])
    d = limit((Key[12] << 24) | (Key[13] << 16) | (Key[14] << 8) | Key[15])
    y = limit((Data[0] << 24) | (Data[1] << 16) | (Data[2] << 8) | Data[3])
    z = limit((Data[4] << 24) | (Data[5] << 16) | (Data[6] << 8) | Data[7])
    pads = 0
    for j in range(32):
        pads = limit(pads + pad)
        y = limit( y + ((z*16 + a) ^ (z + pads) ^ ((z>>5) + b)))
        z = limit( z + ((y*16 + c) ^ (y + pads) ^ ((y>>5) + d)))
    print (hex((y << 52) ^ (pads << 20) ^ z))


add = "39.96.90.217"
port = 17497
context.log_level = 'debug'




def collect():
    code = []
    for i in range(100):
        sh = remote("39.96.90.217","17497")
        sh.recvuntil("x[:20] = ")
        sh.recv(len('f91a551dfa31e47458df'))
        sh.recvuntil('openssl_')
        method = sh.recvuntil('\n')
        if method not in code:
            code.append(method)
        sh.close()
    return code






def brute(method,target):
    for i in product(printable,repeat=4):
        t = ''.join(i)
        if method == 'md5':
            res = md5(t.encode()).hexdigest()
            if res[:20] == target:
                return t
        elif method == 'sha384':
            res = sha384(t.encode()).hexdigest()
            if res[:20] == target:
                return t
        elif method == 'sha256':
            res = sha256(t.encode()).hexdigest()
            if res[:20] == target:
                return t
        elif method == 'sha512':
            res = sha512(t.encode()).hexdigest()
            if res[:20] == target:
                return t
        elif method == 'sha224':
            res = sha224(t.encode()).hexdigest()
            if res[:20] == target:
                return t
        elif method == 'sha1':
            res = sha1(t.encode()).hexdigest()
            if res[:20] == target:
                return t
                
def byte2str(byte):
    res = ''
    for i in byte:
        res += chr(i)
    return res


def login(sh):
    token = 'icq72ad23582b5b753974d6c586010e7'
    sh.recvuntil("x[:20] = ")
    hs = byte2str(sh.recv(20))
    print("hs is {}".format(hs))
    sh.recvuntil('openssl_')
    method = sh.recvuntil('\n')
    # print(method)
    method = byte2str(method[:-2])
    print("method is {}\n".format(method))
    payload = brute(method,hs)
    print("payload is {}\n".format(payload))
    # sh.recvline()
    sh.sendline(payload)
    sh.recvuntil('Please input your token:')
    sh.sendline(token)
    sh.interactive()


sh = remote(add,port)
login(sh)

最后通过得到的flag的hash信息,逆向得到flag,脚本如下:

from itertools import product
limit = lambda n: n & 0xffffffff
def toMessage(Y,Z):
    mess = [0]*8
    binZ = bin(Z)[2:].zfill(32)
    binY = bin(Y)[2:].zfill(32)

    mess[0] = int(binY[0:8],2)
    mess[1] = int(binY[8:16],2)
    mess[2] = int(binY[16:24],2)
    mess[3] = int(binY[24:32],2)
    mess[4] = int(binZ[0:8],2)
    mess[5] = int(binZ[8:16],2)
    mess[6] = int(binZ[16:24],2)
    mess[7] = int(binZ[24:32],2)
    # print(mess)
    res = ''
    for i in mess:
        res += chr(i)
    return res

def recoverRound(Z,Y,a,b,c,d,pads):
    Z = limit(Z-((Y * 16 + c) ^ (Y + pads) ^ ((Y >> 5) + d)))
    Y = limit(Y-((Z * 16 + a) ^ (Z + pads) ^ ((Z >> 5) + b)))
    return Y,Z

def recover(res):
    a = 2291239296
    b = 2293340064
    c = 3215425945
    d = 2994836927
    all = 'flag{}0123456789abcdef\x00'
    binRes = bin(res)[2:]
    y = int(binRes[:32],2)
    # z = binRes[-25:]
    # pad = binRes[32:32+20]
    cnt = 0
    for pre in product(['0','1'],repeat=5):
        for suf in product(['0','1'],repeat=7):
            i = ''.join(pre)
            j = ''.join(suf)
            pad = int(i+binRes[32:32+20]+j,2)
            preZ = bin(int(j,2)^int(binRes[-32:-25],2))[2:].zfill(7)
            z = int(preZ+binRes[-25:],2)
            Y, Z = y, z
            for k in range(31,-1,-1):
                pads = limit((k+1)*pad)
                Y,Z = recoverRound(Z,Y,a,b,c,d,pads)
            message = toMessage(Y,Z)
            if pad == 2889388799:
                print (Y,Z)
            tag = True
            for k in message:
                if k not in all:
                    tag = False
            if tag:
                return(message)


enc = [0x9ae29517aa3fa43221411L,0xb92b75e9434453bb6894cL,0xb87560cf60c07cdce0651L,0xf62b41fcaadc3284a938dL,0xb03195a6d867ce8f01dfaL]
flag  = ''
cnt = 0
for i in enc:
     flag += recover(i)
print flag
# flag = "flag{8591558350855d725d7d237b29c46ff7}"

闲谈

太难了,没打进了线下最后166名。。。

result

发表评论
暂无评论
textsms
account_circle
email
link
arrow_back 上一篇
arrow_forward 下一篇