from Crypto.Util.number import getPrime,bytes_to_long,getRandomNBitInteger
from secret import flag
from gmpy2 import gcd


def gmc(a, p):
    """Return 1 when a^((p-1)/2) mod p equals 1, otherwise -1.

    For an odd prime p and a not divisible by p this is Euler's criterion,
    i.e. the Legendre symbol of a modulo p. Any other outcome of the power
    (including 0 when p divides a) is reported as -1.
    """
    euler = pow(a, (p - 1) // 2, p)
    return 1 if euler == 1 else -1


def gen_key():
    """Draw two 512-bit primes and return (modulus, second prime, first prime)."""
    gp = getPrime(512)
    gq = getPrime(512)
    return gp * gq, gq, gp


def gen_x(gq, gp):
    """Return a random 512-bit x whose symbols modulo gp and gq differ.

    NOTE(review): textbook Goldwasser-Micali requires x to be a non-residue
    modulo BOTH primes, so that its Jacobi symbol modulo N is +1. The test
    here accepts x only when it is a residue modulo exactly one prime, which
    makes the Jacobi symbol modulo N equal to -1. That symbol is computable
    from N alone, so ciphertexts built from this x do not hide the bit.
    """
    while True:
        x = getRandomNBitInteger(512)
        # The two results are each +1 or -1; the original XOR test (== -2)
        # holds exactly when they are different.
        if gmc(x, gp) != gmc(x, gq):
            return x


def gen_y(gN):
    """Return F_LEN random 768-bit integers that are coprime to gN.

    F_LEN is a module-level name that is only assigned in the __main__ block.
    """
    gy_list = []
    while len(gy_list) != F_LEN:
        candidate = getRandomNBitInteger(768)
        if gcd(candidate, gN) != 1:
            continue
        gy_list.append(candidate)
    return gy_list


if __name__ == '__main__':
    # bin() drops leading zero bits, so the bit string can be shorter than
    # 8 * len(flag); a decoder has to restore that padding.
    flag = bin(bytes_to_long(flag))[2:]
    F_LEN = len(flag)
    N, q, p = gen_key()
    x = gen_x(q, p)
    y_list = gen_y(N)
    # One ciphertext per plaintext bit: y^2 * x^bit mod N.
    ciphertext = [
        pow(y, 2) * pow(x, int(bit)) % N
        for y, bit in zip(y_list, flag)
    ]
    # Only N and the ciphertexts are written; x is not published.
    with open('./output.txt','w') as f:
        f.write(str(N) + '\n')
        for tc in ciphertext:
            f.write(str(tc) + '\n')
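#10.py
from Crypto.Util.number import *
from Crypto.Cipher import DES
from hashlib import sha256

# 16-byte plaintext (two DES blocks) that is pushed through the forward rounds.
m=b"Attack at DAWN!!"


def keygen(s):
    """Return a list of 2020 SHA-256 digests forming a hash chain seeded by s.

    Each digest is 32 bytes; the round functions slice it into four 8-byte
    DES keys.
    """
    keys = []
    for _ in range(2020):
        s = sha256(s).digest()
        keys.append(s)
    return keys


def K(x):
    """Expand the low 20 bits of x into a 2020-bit integer.

    The 20-bit pattern is written as binary text and repeated 101 times, so
    the whole round-selector value is determined by only 20 bits.
    """
    pattern = format(x & 0xfffff, '020b')
    return int(pattern * 101, 2)


def incrypt(kinum,cip,keys):
    """Apply 1010 DES-CBC encryption rounds to cip and return the result.

    Round i reads two bits of kinum (bits 2i and 2i+1) to choose one of the
    four 8-byte slices of keys[i] as the DES key. Every round uses an
    all-zero IV (bytes(8)).
    """
    for i in range(1010):
        idx = (kinum >> (2 * i)) & 3
        round_key = keys[i][idx * 8:idx * 8 + 8]
        cp = DES.new(round_key, DES.MODE_CBC, bytes(8))
        cip = cp.encrypt(cip)
    return cip


keys = keygen(b'secret_sauce_#9')
# Tabulate the forward half for 65536 selector values (top nibble fixed to
# 0xa), one hex value per line. The context manager makes sure the table is
# flushed and closed; the original left the handle open.
with open("ENCMID.txt","w") as fp:
    for i in range(0,65536):
        if(i%150==0):
            print(i)  # progress indicator
        keynum=K(0xa0000+i)
        fp.write(hex(bytes_to_long(incrypt(keynum,m,keys)))[2:]+'\n')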
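#11.py
from Crypto.Util.number import *
from Crypto.Cipher import DES
from hashlib import sha256

# 16-byte ciphertext (two DES blocks) that is pulled back through the
# backward rounds.
c=b"\x15\x08\x54\xff\x3c\xf4\xc4\xc0\xd2\x3b\xd6\x8a\x82\x34\x83\xbe"


def keygen(s):
    """Return a list of 2020 SHA-256 digests forming a hash chain seeded by s.

    Each digest is 32 bytes; the round functions slice it into four 8-byte
    DES keys.
    """
    keys = []
    for _ in range(2020):
        s = sha256(s).digest()
        keys.append(s)
    return keys


def K(x):
    """Expand the low 20 bits of x into a 2020-bit integer.

    The 20-bit pattern is written as binary text and repeated 101 times, so
    the whole round-selector value is determined by only 20 bits.
    """
    pattern = format(x & 0xfffff, '020b')
    return int(pattern * 101, 2)


def dicrypt(kinum,cip,keys):
    """Apply 1010 DES-CBC decryption rounds to cip and return the result.

    Round i uses keys[2019 - i], so the key list is walked from its last
    entry downwards, and reads the two selector bits at offset 2018 - 2i of
    kinum. Every round uses an all-zero IV (bytes(8)).
    """
    for i in range(1010):
        idx = (kinum >> (2018 - 2 * i)) & 3
        round_key = keys[2019 - i][idx * 8:idx * 8 + 8]
        cp = DES.new(round_key, DES.MODE_CBC, bytes(8))
        cip = cp.decrypt(cip)
    return cip


keys = keygen(b'secret_sauce_#9')
# Tabulate the backward half for 65536 selector values (low nibble fixed to
# 0xe), one hex value per line. The context manager makes sure the table is
# flushed and closed; the original left the handle open.
with open("DECMID.txt","w") as fp:
    for i in range(0,65536):
        if(i%150==0):
            print(i)  # progress indicator
        keynum=K(i*16+0xe)
        fp.write(hex(bytes_to_long(dicrypt(keynum,c,keys)))[2:]+'\n')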
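#6.py
# Join the two 65536-line tables on their values and report every match.
# The original tested membership against a list and then called list.index,
# which is quadratic over 65536 x 65536 entries; a dict keyed by value gives
# the same first-occurrence index with a constant-time lookup.
enc_index = {}
with open("ENCMID.txt","r") as f:
    for i in range(65536):
        a = int(f.readline(),16)
        # setdefault keeps the first line number for a repeated value, which
        # is what list.index returned.
        enc_index.setdefault(a, i)
print(1)
with open("DECMID.txt","r") as f:
    for i in range(65536):
        b = int(f.readline(),16)
        if b in enc_index:
            print(hex(i))             # line number in DECMID.txt
            print(hex(enc_index[b]))  # line number in ENCMID.txt
            print(hex(b))             # the shared middle value

# Output recorded by the author from a previous run.
'''
0x3618
0x4d9e
0x8ac245ba53950c4fb8352bfe2639fcd9
'''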
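def _int32(x):
    """Reduce x to an unsigned 32-bit integer."""
    return int(0xFFFFFFFF & x)


class MT19937:
    """Pure-Python MT19937 (32-bit Mersenne Twister) generator.

    The tempering applied to each output is an invertible bit transform, so
    624 consecutive 32-bit outputs are enough to rebuild the whole state
    (see recover() below). This generator is therefore unsuitable for
    tokens, promo codes or anything else that must be unpredictable; use
    the `secrets` module or os.urandom for those.
    """

    def __init__(self, seed):
        """Fill the 624-word state from seed using the standard recurrence."""
        self.mt = [0] * 624
        # The reference algorithm seeds with a 32-bit word. Without the mask
        # a wider seed would leak its high bits into mt[1] and give a stream
        # that differs from the reference for the same low 32 bits.
        self.mt[0] = _int32(seed)
        self.mti = 0
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = _int32(1812433253 * (prev ^ prev >> 30) + i)

    def extract_number(self):
        """Return the next tempered 32-bit output.

        The state is regenerated with twist() whenever the index is 0, which
        is the case before the first output and after every 624 outputs.
        """
        if self.mti == 0:
            self.twist()
        y = self.mt[self.mti]
        y = y ^ y >> 11
        y = y ^ y << 7 & 0x9D2C5680
        y = y ^ y << 15 & 0xEFC60000
        y = y ^ y >> 18
        self.mti = (self.mti + 1) % 624
        return _int32(y)

    def twist(self):
        """Regenerate all 624 state words in place."""
        for i in range(624):
            # Top bit of the current word joined with the low 31 bits of the
            # next word (wrapping around at the end of the state).
            y = _int32((self.mt[i] & 0x80000000) + (self.mt[(i + 1) % 624] & 0x7fffffff))
            self.mt[i] = (y >> 1) ^ self.mt[(i + 397) % 624]
            if y % 2 != 0:
                self.mt[i] = self.mt[i] ^ 0x9908b0df


def inverse_right(res, shift, mask=0xffffffff, bits=32):
    """Invert y = x ^ ((x >> shift) & mask) and return x.

    The top `shift` bits of res already equal those of x; each pass fixes
    `shift` more bits, so bits // shift passes are enough.
    """
    tmp = res
    for _ in range(bits // shift):
        tmp = res ^ tmp >> shift & mask
    return tmp


def inverse_left(res, shift, mask=0xffffffff, bits=32):
    """Invert y = x ^ ((x << shift) & mask) and return x.

    The low `shift` bits of res already equal those of x; each pass fixes
    `shift` more bits, so bits // shift passes are enough.
    """
    tmp = res
    for _ in range(bits // shift):
        tmp = res ^ tmp << shift & mask
    return tmp


def extract_number(y):
    """Apply the MT19937 output tempering to a raw 32-bit state word."""
    y = y ^ y >> 11
    y = y ^ y << 7 & 0x9D2C5680
    y = y ^ y << 15 & 0xEFC60000
    y = y ^ y >> 18
    return y & 0xffffffff


def recover(y):
    """Undo the tempering: map a 32-bit output back to its raw state word.

    The four tempering steps are inverted in reverse order.
    """
    y = inverse_right(y, 18)
    y = inverse_left(y, 15, 0xEFC60000)
    y = inverse_left(y, 7, 0x9D2C5680)
    y = inverse_right(y, 11)
    return y & 0xffffffff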
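from pwn import *
from MT19937 import *
from mt19937predictor import MT19937Predictor


def getnumber(s29):
    """Parse the 32-bit value from a 29-character response line.

    The eight hex digits sit at the odd offsets 13, 15, ..., 27. Slicing
    works for both str and bytes; the original indexed single characters and
    concatenated them, which on Python 3 bytes adds integers and makes
    int(..., 16) raise TypeError.
    """
    assert len(s29)==29
    return int(s29[13:28:2], 16)


# Service endpoint and menu dialogue exactly as given on the page.
sh=remote("node3.buuoj.cn",29601)
str1=sh.recvuntil('[3] - Exit')
sh.sendline('2')
str1=sh.recvuntil('Enter your promocode:')
sh.sendline('b33_1_4m_b3333')
str1=sh.recvuntil('[3] - Exit')
sh.sendline('1')

# Collect 624 consecutive 32-bit outputs, the size of one MT19937 state.
S=[]
for i in range(624):
    if(i%31==0):
        print(i)  # progress indicator
    str1=sh.recvuntil('N$$$')
    sh.sendline('$')
    sh.sendline('10000000')
    str1=sh.recvline(keepends=False)
    str2=sh.recvline(keepends=False)
    S.append(getnumber(str2))

# Untemper each output back to a raw state word (recover, extract_number and
# MT19937 come from the star import of the local MT19937 module).
Q=[recover(v) for v in S]
B=MT19937(0)
assert len(Q)==624
B.mt=Q
# Sanity check: re-tempering the recovered words is expected to print the
# first ten observed outputs again.
for i in range(10):
    print(i,hex(extract_number(B.mt[i])))

# Feed the same observations to the predictor and ask for the next value.
# That the next value can be computed at all is the weakness: the service's
# numbers come from a non-cryptographic generator.
predictor = MT19937Predictor()
for i in range(624):
    predictor.setrandbits(S[i],32)
Y2=predictor.getrandbits(32)
print('ans=',hex(Y2))
sh.interactive()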
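from Crypto.Util.number import *
from gmpy2 import *
from given import *


def solve(a, b):
    """Return the continued-fraction quotients of a/b followed by a 0.

    The Euclidean loop stops when a reaches 1 (coprime inputs) or when b
    reaches 0. The original looped only on a != 1 and raised
    ZeroDivisionError for inputs sharing a factor; coprime inputs give the
    same list as before. The trailing element is the final value of b.
    """
    g=[]
    while a != 1 and b != 0:
        g.append(a // b)
        a, b = b, a % b
    g.append(b)
    return g


def simplify(x):
    """Collapse the quotient list x into a pair (n, d).

    The value of the continued fraction is d / n: the second element is the
    numerator and the first the denominator.
    """
    n, d = 0, 1
    for quotient in reversed(x):
        n, d = d, quotient * d + n
    return n, d


def getmidfrac(x):
    """Return simplify() of every proper prefix x[:1] .. x[:len(x)-1]."""
    return [simplify(x[:i]) for i in range(1, len(x))]


# Search the convergents of N1/N2 for a numerator that divides N1.
# NOTE(review): this only succeeds when N1/N2 is approximated by q1/q2 closely
# enough for q1/q2 to be a convergent, presumably because the prime parts of
# the two moduli were generated close together. Independently generated
# primes avoid that relation.
g=solve(N1,N2)
g=getmidfrac(g)
q1,q2=None,None
for (a,b) in g:
    if b==0:
        continue
    # b must divide N1 and be neither 1 nor N1 itself.
    if N1 % b == 0 and b - 1 and b - N1:
        q1=b
        q2=a
        break
if q1 is None:
    # The original fell through to N1 // None and failed with a TypeError.
    raise SystemExit("no convergent of N1/N2 gives a non-trivial divisor of N1")

# The totient below is that of a modulus p*p*q, so each cofactor has to be a
# perfect square. iroot returns (root, is_exact); reject inexact roots
# instead of decrypting with a wrong exponent.
(p1,exact1),(p2,exact2)=iroot(N1//q1,2),iroot(N2//q2,2)
if not (exact1 and exact2):
    raise SystemExit("recovered cofactors are not perfect squares")
phi1,phi2=p1*(p1-1)*(q1-1),p2*(p2-1)*(q2-1)
d1,d2=inverse(E1,phi1),inverse(E2,phi2)
print(long_to_bytes(pow(c1,d1,N1)))
print(long_to_bytes(pow(c2,d2,N2)))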