前言

11.11的比赛，dsb是单身杯的意思，不是（）的意思，在这就只更crypto的wp了

题目

签到·一把梭

task

from Crypto.Util.number import *

#小鼎，24岁。网安专业old star.最近入坑ctf，想体验一把梭的感觉。于是他的朋友给他找来了cahtylin先生。cahtylin先生听闻，欣然写下此题。

falg = '?????'
m = bytes_to_long(falg)
print(m)
'''
m =365570067986928236989573788230270407130085464313909252527513197832758480604817399268366313889131551088558394832418649150417321940578277210433329648095352247884911033780856767602238960538520312352025465812228462858158997175162265505345470937926646520732298730237509998898024691120409770049168658027104966429925920045510148612448817
'''

#什么年代了还在做低加密指数的传统RSA？我就猜出题人在100以内找个d然后模拟出e加密的。

思路：m给他longtobytes一下，然后得到nc，然后爆破d，很无聊
exp

n=0x846d39bff2e430ce49d3230c7f00b81b23e4f0c733f7f52f6a5d32460e456e5f
c=0x4eeec51849a85e5a6566f8d73a74b1e64959aa893f98e01c1e02c3120496f8b1
from Crypto.Util.number import*
print(int(n))

for d in range(2,100):
    m=pow(c,d,n)
    print(long_to_bytes(m))

古典古典古典

task

UUxRQjFBU19NWkFFe1pPX0xBMV9PMVVOU31OV05aX0IxSA==
hint：{}位置对了就能出了吗?什么加密会保留{}位置

exp

base64
栅栏
凯撒+atbs

ex咖喱棒

task

from Crypto.Util.number import *
from sympy import *
def givemeprime(x):
    ''' x < 502'''
    p = getPrime(x)
    print(p)
    while (p).bit_length() <= 512:
        p = nextprime(p*2**10)

    return p 

p = givemeprime(10)
q = givemeprime(10)
n = p*q
flag=b'?????'
m = bytes_to_long(flag)
e=2**32+1
c=pow(m,e,n)

print('n=',n)
print('c=',c)

'''
n= 9007989895621669259301762739598643626213892494330778168383286295463641223987867033273111296978959160408689408884183780314498828688143466136060628598819311509949865018608092450964012727526450914131409697944090166113416984201622940137239452703698919890772056684013237404520834408811118739546684092365102406400768733
c= 3155015611586304247269005826733691392085437186284673630268852999607965592611252562808748872502491405722341353019602057980123546192900359248245073985988035982837057433789538035295585235536446429172802713235552248615722281314286849930993306403034865999074888279573724168174433746677852218329931104122667029131804586
'''

思路：本来以为是什么思路，然后发现爆破就行了，我的评价是？？？
exp

from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long, getPrime, isPrime
from sympy import *
import math

# 给定的公钥和密文
n = 9007989895621669259301762739598643626213892494330778168383286295463641223987867033273111296978959160408689408884183780314498828688143466136060628598819311509949865018608092450964012727526450914131409697944090166113416984201622940137239452703698919890772056684013237404520834408811118739546684092365102406400768733
c = 3155015611586304247269005826733691392085437186284673630268852999607965592611252562808748872502491405722341353019602057980123546192900359248245073985988035982837057433789538035295585235536446429172802713235552248615722281314286849930993306403034865999074888279573724168174433746677852218329931104122667029131804586
e = 2**32 + 1

def generate_prime(p0, bit_length=512):
    """根据 p0 生成满足 bit_length 的素数"""
    p = p0
    while p.bit_length() <= bit_length:
        p = nextprime(p * 2**10)
    return p

def find_p_q(n):
    """通过穷举找到 p 和 q，使得 p * q = n"""
    # 生成所有可能的 10 位素数
    possible_p0 = [p for p in range(2**9, 2**10) if isprime(p)]

    print(f"共有 {len(possible_p0)} 个可能的 p0")

    for p0 in possible_p0:
        p = generate_prime(p0)
        q = None  # 暂未确定
        if n % p == 0:
            q = n // p
            if isprime(q):
                print(f"找到 p 和 q:\np = {p}\nq = {q}")
                return p, q
    return None, None

def main():
    p, q = find_p_q(n)
    if p is None or q is None:
        print("未找到 p 和 q。")
        return

    # 计算 φ(n)
    phi = (p - 1) * (q - 1)

    # 计算私钥 d
    try:
        d = inverse(e, phi)
    except ValueError:
        print("e 和 φ(n) 不互质，无法计算 d。")
        return

    # 解密 c
    m = pow(c, d, n)

    # 转换为字节形式
    flag = long_to_bytes(m)
    print(f"Flag: {flag.decode()}")

if __name__ == "__main__":
    main()

ASR

task

from Crypto.Util.number import *
from sympy import *
p = getPrime(215)
q = getPrime(215)
n = p*q
e = 73556
flag= b'?????'

m = bytes_to_long(flag)
print(nextprime(m))
print(prevprime(m))
c = pow(n,e,m)
print('n=',n)
print('c=',c)

'''
40913285701005622718863058877533926183158872052161364026817991531
40913285701005622718863058877533926183158872052161364026817991159
n= 1613066479310413323265772296807266781564029043951746766617970255478050198763115133921086056086051610592970427572413404447990142013
c= 34708409030920347254051748353430247487967281837305081753454451319
'''

思路：范围很小？直接爆破？
exp

from Crypto.Util.number import long_to_bytes

# 已知参数
n = 1613066479310413323265772296807266781564029043951746766617970255478050198763115133921086056086051610592970427572413404447990142013
e = 73556
c = 34708409030920347254051748353430247487967281837305081753454451319

# 已知的下一个素数和上一个素数
next_prime = 40913285701005622718863058877533926183158872052161364026817991531
prev_prime = 40913285701005622718863058877533926183158872052161364026817991159

# 遍历可能的 m 值
for m in range(prev_prime + 1, next_prime):
    # 计算 n^e mod m
    computed_c = pow(n, e, m)
    if computed_c == c:
        print(f"找到匹配的 m: {m}")
        try:
            flag = long_to_bytes(m)
            print(f"Flag: {flag}")
        except:
            print("无法将 m 转换为有效的字符串。")
        break
else:
    print("未找到满足条件的 m。")

math_rsa

task

from random import random
from Crypto.Util.number import *
from math import factorial
flag = b'ctfshow{******}'
def get_d(n):
    d = 0
    leak = 0
    n_factorial = factorial(n) # n!
    for x in range(1,11**111111111111111111111111111111111111111111111111111):
        for y in range(1,11**11111111111111111111111111111111111111111111111111):
            if (x + y) * n_factorial == x * y: # assert (x+y)N!=xy
                d = (d + 1) % key
    while True:
        if isPrime(d):
            break
        else:
            hint = getPrime(1111)
            d += hint
            leak += hint
    return [d,leak]

p = getPrime(512)
q = getPrime(512)
n = p * q
phi_n = (p - 1) * (q - 1)
key = bytes_to_long(b'ctfshow' * 11)
d,leak = get_d(1111111)
e = inverse(d,phi_n)
c = pow(m,e,n)
print("n = {}".format(n))
print("c = {}".format(c))
print("leak = {}".format(leak))

n = 54574114381718620167617516254929393779619478308097113614916675753251123548928131184783684874283433005383416329333515148795542347110691860676572758697931909264778996887013262158676437681328356540522795904026051878217112848328807404132186855022441100415245863609800487131682707570632405183635021611108835267759
c = 6152360020770587319042211616230221955276231957369900018326509075246049533065274193822064664954312088370274199977933471629773286341632192578865475616294549753212257409853382739383167314755235136431546938621288480401985886224522239505956567272435201576625728864298081471539244545838583231944620511300185831132
leak = 16102974322718628332775750617032895793782360562291434204500149732571174230338263002384756014760949775420804601441832387500764784508882168206386996211671060761357982709828010115692143995397973526517421403555634084184433318856377393377764138389228581916413401245531536422259037376817202123767631518253694641004207511682233164891541552631514

思路：这个题挺有意思，首先使用 primerange 获取所有小于等于 n 的质数。对于每个质数 p，计算其在 n! 中的指数。由于是 ((n!)^2)，所以最终的指数乘以 2。一个数的因数数量等于其质因数分解中每个质数的指数加一的乘积。因此，divisor_count 通过遍历所有质数并累积 ((exponent + 1)) 来计算总的因数数量。简单来说我把d看作d1+leak来写的，出题人思路和我差不多。

exp

from sympy import primerange

def solve(n, modulo):
    primes = list(primerange(1, n+1))
    divisor_count = 1
    for p in primes:
        exponent = 0
        power = p
        while power <= n:
            exponent += n // power
            power *= p
        exponent *= 2  # 因为是 n! 的平方
        divisor_count = (divisor_count * (exponent + 1)) % modulo
    return divisor_count

n = 1111111
key = 105648327013556629349715513007788754231571606411493919147988692982085377513020221730933202664644566992606655675569066913898968087325205910433270105066628233614872821763366639309798535031

d1 = solve(n, modulo=key)
print(d1)

n = 54574114381718620167617516254929393779619478308097113614916675753251123548928131184783684874283433005383416329333515148795542347110691860676572758697931909264778996887013262158676437681328356540522795904026051878217112848328807404132186855022441100415245863609800487131682707570632405183635021611108835267759
c = 6152360020770587319042211616230221955276231957369900018326509075246049533065274193822064664954312088370274199977933471629773286341632192578865475616294549753212257409853382739383167314755235136431546938621288480401985886224522239505956567272435201576625728864298081471539244545838583231944620511300185831132
e=65537
from Crypto.Util.number import*
leak = 16102974322718628332775750617032895793782360562291434204500149732571174230338263002384756014760949775420804601441832387500764784508882168206386996211671060761357982709828010115692143995397973526517421403555634084184433318856377393377764138389228581916413401245531536422259037376817202123767631518253694641004207511682233164891541552631514
key = 105648327013556629349715513007788754231571606411493919147988692982085377513020221730933202664644566992606655675569066913898968087325205910433270105066628233614872821763366639309798535031

d=leak+24844501485180746652043526421849840542141490512419646939867619206706627389255967806127190039830122356536639613880105500681753026713357157358901520023442131785725615377493916164875359787
m=pow(c,d,n)
print(long_to_bytes(m))

总结-吐槽大会

nmd密码五个题，三个爆破，还都是一个人出的，你是不是感觉自己很幽默，出的很好？密码的本质不应该是爆破一切，如果是非预期也就算了，还tmd是预期解，真nmd6