d =114514 m = int(np.sqrt(d)) dq = deque() dq.append(m) n0 = n1 = d - m * m m1 = m while1: q, m2 = divmod(m1 + m, n1) dq.appendleft(q) m1 = -m2+m n1 = (d-m1*m1)//n1 if m1 == m and n1 == n0: break
dq.popleft() x = 1 y = 0 for i in dq: x1 = y + x * i y = x x = x1 y1=y if x*x-d*y*y==-1: b=(x**2+d*y**2) y1=2*x*y x1=b print('x1=',x1) print('y1=',y1)
from pwn import * from hashlib import sha256 from Crypto.Util.number import * from os import urandom from gmpy2 import iroot
defgetyanzhengma(s16len, s64len): LTSNMS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" assert len(s16len) == 12and len(s64len) == 64 for i1 in LTSNMS: for i2 in LTSNMS: for i3 in LTSNMS: for i4 in LTSNMS: if sha256((i1+i2+i3+i4+s16len).encode()).hexdigest() == s64len: return i1+i2+i3+i4
defgetA(p): assert(p % 4 == 1) while1: t = bytes_to_long(urandom(195)) % p s = pow(t, (p-1)//4, p) if(pow(s, 2, p) == p-1): return s
defgetAns(A, B, M, p): # print(A,B,M,p) if(M == 1): return (abs(A), abs(B)) # print(A,B,M,p) u, v = A % M, B % M if(u > M//2): u -= M if(v > M//2): v -= M assert((u**2+v**2) % M == 0and (A**2+B**2) % M == 0) r = (u**2+v**2)//M A2 = (u*A+v*B)//M B2 = (-u*B+v*A)//M return getAns(A2, B2, r, p)
defsolve(p): A = getA(p) B = 1 assert(A**2+B**2) % p == 0 M = (A**2+B**2)//p return getAns(A, B, M, p)
sh = remote('game.ctf.seusus.com', 57718) cc = sh.recvline(keepends=False) s64 = cc[-64:].decode() s16 = cc[12:24].decode() print(cc) print(s64) print(s16) yanzhengma = getyanzhengma(s16, s64) print(yanzhengma) sh.recvuntil(b':') sh.sendline(yanzhengma.encode()) sh.recvuntil(b'=') n = sh.recvline(keepends=False) sh.recvuntil(b'=') g = sh.recvline(keepends=False) print(n) print(g) n, g = int(n), int(g) PmulQ = n**3 PaddQ = g A, B, C = 1, -PaddQ, PmulQ sqrtdet, judg = iroot(B**2-4*A*C, 2) print('J:', judg) P = (-B+sqrtdet) >> 1 Q = (-B-sqrtdet) >> 1 p, q = iroot(P, 3)[0], iroot(Q, 3)[0] print(p, q, n % p, n % q) u, v = (solve(p)) a, b = (solve(q))
from Crypto.Util.number import * from Crypto.Cipher import AES from tqdm import * flagC=long_to_bytes(0xba099276411c24b734948053cea63b4f) knownP=long_to_bytes(0xd66fe087038cf381d3bcfe6bcf8c6a1b) knownC=long_to_bytes(0x6a0b644af7b11a267f8b97399e8bee39)
DIC={} TABLE="0123456789abcdef" KEYPRF="SUSCTF-AESPLUS-" for i in range(0,4):# 我开了4个,分别是0~3,4~7,8~11,12~15,四个一起跑的。 for j in range(16): print(i,j) DIC={} key1=(KEYPRF+TABLE[i]).encode() key2=(KEYPRF+TABLE[j]).encode() for encid in tqdm(range(1<<16)): m=knownP for bitno in range(16): bit=(1<<bitno)&encid if(bit): m=aes_encrypt(key1,m) else: m=aes_encrypt(key2,m) DIC[m]=encid for decid in tqdm(range(1<<16)): c=knownC for bitno in range(15,-1,-1): bit=(1<<bitno)&decid if(bit): c=aes_decrypt(key1,c) else: c=aes_decrypt(key2,c) if(DIC.get(c,-1)!=-1): print('decid=',decid) print('encid=',DIC.get(c,-1)) print('i=',i) print('j=',j) print(len(list(DIC)))
for i in range(3): input() """ 第二个程序(4-7)的跑出来了结果: encid=7896 decid=51186 i=4 j=11 """
knownC=long_to_bytes(0x6a0b644af7b11a267f8b97399e8bee39) c=flagC #c=knownC for bitno in range(31,-1,-1): bit=(1<<bitno)&ID if(bit): c=aes_decrypt(key1,c) else: c=aes_decrypt(key2,c) print(c.hex()) #6c524b66b5434c85b73da8e2e768a9ce
6.nfsr1
给出30组挑战,问你给出的字符串是随机生成的,还是经过NFSR处理过的。
注意到NFSR会将一个16字节的内容变成 32 字节,其主要代码如下:
1 2 3 4 5 6 7 8
def__call__(self, msg: bytes): enc = list() for m in msg: if self.lfsr0(1): enc += [m & self.lfsr1(8), m | self.lfsr1(8)] else: enc += [m | self.lfsr1(8), m & self.lfsr1(8)] return bytes(enc)
from pwn import * from hashlib import sha256 from Crypto.Util.number import * from os import urandom from gmpy2 import iroot from Crypto.Cipher import AES from tqdm import *
defgetyanzhengma(s16len, s64len): LTSNMS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" assert len(s16len) == 12and len(s64len) == 64 for i1 in LTSNMS: for i2 in LTSNMS: for i3 in LTSNMS: for i4 in LTSNMS: if sha256((i1+i2+i3+i4+s16len).encode()).hexdigest() == s64len: return i1+i2+i3+i4
defbitcount(x): c = 0 while(x): c += (x & 1) x >>= 1 return c
defcalc(hexlv): Q = 0 for i in range(16): x1 = int(hexlv[4*i:4*i+2], 16) x2 = int(hexlv[4*i+2:4*i+4], 16) Q += abs(bitcount(x1)-bitcount(x2)) return Q/16
from Crypto.Util.number import * from random import * q=244309567133428459339052233620763590631 t=139116278922633292045835908998748980746 n=128 mmm=long_to_bytes(0x6532303734613033336462373133663863653039303532636265316338306631393031356163336534386136646664313433303636623330373637663931326633343331323133643539383064646136643131663361613831663639663139656533623033383033303332623734633063343632663635323834373631346132) C=[] #这个C是以前乱搞用的,这里被废弃了 defH( m: bytes): h = 0 for mi in m : # C.append((h&(2**300-256))|0x55) h = (h ^^ mi) * t % q return h D=(H(mmm)) print(D) #86818520128168117392109372309780328095
#python 3 from sage.all import * from Crypto.Util.number import * from random import * from os import urandom from tqdm import * defSOLVE(q,t,mmm,mode=1): n=128 C=[] defrecH( m: bytes): h = 0 for mi in m : C.append((h^mi)-h) h = (h ^ mi) * t % q return h defH( m: bytes): h = 0 for mi in m : h = (h ^ mi) * t % q return h msg=recH(mmm) defgetVec(mod,g): K,n=2^900,128 M=[[0for _ in range(n+2)]for __ in range(n+1)] for i in range(n+1): ge=ZZ(pow(g,n-i,mod)) M[i][i]=1 M[i][n+1]=ZZ(ge*K) M[n][n+1]=ZZ(K*mod) M=matrix(ZZ,M) if(mode==1): padC=C+[0]*500 listm=list(M) listm.append(padC[:n+2]) M=matrix(listm) A=M.LLL() return A[0],A[1],A[2] A0,A1,A2=getVec(q,t) defcheck(v): C2=[(C[i]+v[i]) for i in range(n)] s='' h=0 for i in range(n): ich=((h+C2[i])^h) if(ich>127or ich<0): return0 ch=chr(ich) s+=ch h=int(int(h) +int(C2[i])) * t % q return1 finded=0 for i in tqdm(range(-30,30)): for j in range(-30,30): for k in range(-30,30): if(i==0and j==0and k==0): continue b=i*A0+j*A1+k*A2 if(check(b)): finded=True break if(finded): break if(finded): break C2=[(C[i]+b[i]) for i in range(n)] s=[] h=0 try: for i in range(n): ch=((h+C2[i])^h) s.append(ch) h=int(int(h) +int(C2[i])) * t % q return bytes(s).hex() except: returnNone
print(f"sha256(XXXX+{proof[4:]})=={digest}") x = input("Give me XXXX:") h = hashlib.sha256((x + proof[4:]).encode()).hexdigest() return h == digest
assert proof_of_work() print("Good luck") try: for i in range(5): seeds = [secrets.randbits(nbit) for _ in range(2)] masks = [secrets.randbits(nbit) for _ in range(2)] lfsrs = [LFSR(seed, mask) for seed, mask in zip(seeds, masks)] nfsr = NFSR(*lfsrs)
for i in range(200): msg8ind = 8*i or8ind, and8ind = 16*i, 16*i+8 if(outstat0[i] == '1'): or8ind, and8ind = 16*i+8, 16*i for j in range(8): if(bciph[or8ind+j] == '0'): msg[msg8ind+j] = '0' outstat1[or8ind+j] = '0' if (bciph[and8ind+j] == '1'): msg[msg8ind+j] = '1' outstat1[and8ind+j] = '1'
realLen1 = m1.bit_length()+1-(m1 & (-m1)).bit_length() M = [[i == (j+1) for j in range(realLen1)]for i in range(realLen1)] realm1 = m1//lowbit(m1) for i in range(realLen1): M[realLen1-1-i][-1] = ((realm1) & (1 << i)) != 0 M = Matrix(GF(2), M) A = [] vecb = [] for i in range(len(outstat1)): if(outstat1[i] != '?'): vecb.append(int(outstat1[i])) xpi = (i+(lowbit(m1).bit_length())) # print(i,xpi) Mcur = (M**xpi).T A.append(list(Mcur)[-1]) if(len(A) == realLen1): break
A = Matrix(GF(2), A) vecb = vector(GF(2), vecb) Ainv = (A.T)**(-1) inistat1v = (vecb*Ainv)
inistat1s = '' for i in range(len(inistat1v)): inistat1s += str(inistat1v[i])
for i in range(1, lowbit(m1).bit_length()): inistat1s += str(inistat1v*(M**i)[-1])
#begin test part# # sb=bytes.fromhex(hexMsg[T]) # print(len(sb),sb) # C1=ciph # C2=nfsr(sb).hex() # print(C1==C2) #end test part#
testout0 = [] testout1 = [] for i in range(200): judg = nfsr.lfsr0(1) out1a = nfsr.lfsr1(8) out1b = nfsr.lfsr1(8) testout0.append(judg) testout1.append((out1a, out1b))
defgetByte(andNum, andRes, orNum, orRes): for x in range(256): if((x & andNum) == andRes and (x | orNum) == orRes): return x return-1
defgetByte2(andNum, andRes, orNum, orRes, pipeistr=None): C = [] for x in range(256): if((x & andNum) == andRes and (x | orNum) == orRes): C.append(x) return C
#datagen.py import secrets from utils import nbit, LFSR, NFSR from tqdm import * print("Generating Data...") hexEnc=[] maskRec0=[] maskRec1=[] hexMsg=[] seed0Rec=[] seed1Rec=[] try: for i in tqdm(range(300)): seeds = [secrets.randbits(nbit) for _ in range(2)] masks = [secrets.randbits(nbit) for _ in range(2)] lfsrs = [LFSR(seed, mask) for seed, mask in zip(seeds, masks)] nfsr = NFSR(*lfsrs)
msg = secrets.token_bytes(200) enc = nfsr(msg) hexEnc.append(enc.hex()) maskRec0.append(masks[0]) maskRec1.append(masks[1]) hexMsg.append(msg.hex()) seed0Rec.append(seeds[0]) seed1Rec.append(seeds[1]) with open(f'Testinput.py','w') as f: f.write(f'{hexEnc=}\n') f.write(f'{maskRec0=}\n') f.write(f'{maskRec1=}\n') f.write(f'{seed0Rec=}\n') f.write(f'{seed1Rec=}\n') with open(f'Testans.py','w') as f: f.write(f"{hexMsg=}\n")