buuctf-crypto.md

BUUCTF-Crypto

1.一眼就解密

• 等号是Base64加密的标志
• CyberChef解密得到
• flag{THE_FLAG_OF_THIS_STRING}

2.MD5

• MD5解密-工具
• flag{admin1}

3.Url编码

• CyberChef解码
• flag{and 1=1}

4.看我回旋踢

• 一眼符合凯撒加密-工具
• 偏移量13
• flag{5cd1004d-86a5-46d8-b720-beb5ba0417e1}

5.摩丝

• 莫斯密码，CyberChef解密
• flag{ILOVEYOU}

6.password

• 给你了名字和生日
• 查看flag格式发现是十位数，生日是八位数
• 可以联想到名字缩写（两位数）和生日（八位数）相结合
• 尝试名字+生日或者生日+名字
• flag{zs19900315}

7.变异凯撒

• afZ_r9VYfScOeO_UL^RWUc
• 依据ASCII表进行位移变化
• 每个字符的偏移量为n+4
• 如a(97) f(102) Z(90) _(95)对应f(97+5) l(102+6) a(90+7) g(95+8)
• 代码实现如下

strs = 'afZ_r9VYfScOeO_UL^RWUc'
output = ''
n = 0
for i in strs:
    output += chr(ord(i)+5+n)
    n += 1
print(output)

• flag{Caesar_variation}

8.Quoted-printable

• CyberChef解码，记得将右下角编码改为UTF-8
• flag{那你也很棒哦}

9.篱笆墙的影子

• 能发现字符位置错乱，猜测栅栏加密
• 枚举解密，栏数13
• flag{wethinkwehavetheflag}

10.Rabbit

• rabbit加密，解密工具
• flag{Cute_Rabbit}

11.RSA

• 用RSA Tool 2解码
• 输入P，Q，E点击Calc D得到D ps.E输入格式是HEX，17要输入11
• flag{125631357777427553}

12.丢失的MD5

• 方法一：
• 在python2.X的环境下运行的到输出
• e9032994dabac08080091151380478a2

---

• 方法二：
• 在python3.X的环境下运行报错
• 打开py文件查看，发现在输出少了括号
• 添上后继续报错 Strings must be encoded before hashing
• 报错内容是字符串在哈希运算前需要编码
• 按照提示将第六行修改
• m.update('TASC'.encode()+chr(i).encode()+'O3RJMV'.encode()+chr(j).encode()+'WDJKX'.encode()+chr(k).encode()+'ZM'.encode())
• 输出e9032994dabac08080091151380478a2

13.Alice与Bob

• 用工具分解质因数
• 得到101999*966233
• 重排得到101999966233
• MD5处理得到d450209323a847c8d01c6be47c81811a

14.一个大帝的密码武器

• 一眼凯撒加密，先对已给密文FRPHEVGL破解得到偏移量
• 枚举得到明文SECURITY偏移量13
• 对ComeChina同样处理偏移量13
• 得到flag{PbzrPuvan}

15.rsarsa

• 用RSA Tool 2处理得到私钥
• 运行脚本

e = 65537
p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
n = p*q
#密文
c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034

d = 56632047571190660567520341028861194862411428416862507034762587229995138605649836960220619903456392752115943299335385163216233744624623848874235303309636393446736347238627793022725260986466957974753004129210680401432377444984195145009801967391196615524488853620232925992387563270746297909112117451398527453977

#求明文
M = pow(c,d,n)    #快速求幂取模运算
print(M)

• 得到flag{5577446633554466577768879988}

16.Windows系统密码

• 对txt中的每一段都尝试解密-工具
• 发现ctf的第二段密文可以解码
• 得到flag{good-luck}

17.信息化时代的步伐

• 中文电码-工具

• flag{计算机要从娃娃抓起}

18.凯撒？替换？呵呵！

• 常规凯撒发现无法凑出flag
• 尝试进阶凯撒-工具
• 使用方法：输入密文，并输入提示MTHJ=flag
• 得到明文删去空格
• flag{substitutioncipherdecryptionisalwayseasyjustlikeapieceofcake}

19.萌萌哒的八戒

• 010editor打开发现文件头是rar，修改格式为rar
• 图片最下方密文为猪圈密码-工具
• flag{whenthepigwanttoeat}

20.权限获得第一步

• Administrator:500:806EDC27AA52E314AAD3B435B51404EE:F4AD50F57683D4260DFD48AA351A17A8:::
• 第二组数MD5解密-工具
• flag{3617656}

21.RSA1

• 理论推导 红色字 为重要结论

$$ \because m \equiv c^d(mod\ n) $$

$$ \therefore m = c^d+kn = c^d+k\cdot pq $$

$$ m_{1} \equiv c^d(mod\ p)\ ①\ ,\ m_{2} \equiv c^d(mod\ q)\ ② $$

$$ ①\Rightarrow c^d=m_{1}+tp $$

$$ 代入②\Rightarrow m_{2}\equiv m_{1}+tp(mod\ q) $$

$$ \therefore m_{2}=m_{1}+t\cdot p+r\cdot q\ \Rightarrow m_{2}-m_{1}=t\cdot p+r\cdot q $$

$$ \therefore m_{2}-m_{1}=t\cdot p(mod\ q) $$

$$ \therefore (m_{2}-m_{1})\cdot p^{-1}\equiv t(mod\ q) $$

$$ \Rightarrow t=(m_{2}-m_{1})\cdot p^{-1}(mod\ q) $$

$$ \therefore c^d=[(m_{2}-m_{1})\cdot p^{-1}(mod\ q)]p+m_{1} $$

$$ \because m\equiv c^d(mod\ n) $$

$$ \therefore {\color{Red} m\equiv [[(m_{2}-m_{1})\cdot p^{-1}(mod\ q)]p+m_{1}]mod\ n} $$

$$ d\equiv d_{p}mod(p-1)\ , \ d\equiv d_{q}mod(q-1) $$

$$ m_{1} \equiv c^dmod\ p\ ,\ m_{2} \equiv c^dmod\ q $$

$$ \Rightarrow m_{1} \equiv c^\left .d_{p}\ +k_{1}\cdot (p-1)\right.\ mod\ p\ ,\ m_{2} \equiv c^\left .d_{q}\ +k_{2}\cdot (q-1)\right.\ mod\ p $$

$$ \because c^\left.p-1\right.\equiv 1\ mod\ p $$

$$ \Rightarrow {\color{Red} m_{1}\equiv c^\left .d_{p}\right . mod\ p\ ,\ m_{2}\equiv c^\left .d_{q}\right . mod \ q} $$

• 以下是依据两个重要结论写出来的脚本

from Crypto.Util.number import *

p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229 
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469 
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929 
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041 
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852

mp = pow(c,dp,p)
mq = pow(c,dq,q)

pi = inverse(p,q)

m = ((((mq-mp)*pi)%q)*p+mp)%(p*q)

print(m)
print(long_to_bytes(m))

• flag{W31c0m3_70_Ch1n470wn}

22.传统知识+古典密码

• 用脚本将天干地支转化为数字并+60，转化为十六进制

tian = {'甲':1,'乙':2,'丙':3,'丁':4,'戊':0,'己':1,'庚':2,'辛':3,'壬':4,'癸':0}
di = {'子':1,'丑':2,'寅':3,'卯':4,'辰':5,'巳':6,'午':7,'未':8,'申':9,'酉':10,'戌':11,'亥':0}

def caculation(s:str):
    a,b = s[0],s[1]
    n = (tian[a]*36 + di[b]*25)%60
    if n == 0:
        n = 60
    return n

strs = '辛卯，癸巳，丙戌，辛未，庚辰，癸酉，己卯，癸巳'

print([caculation(x)+60 for x in strs.split('，')])
print([hex(caculation(x)+60) for x in strs.split('，')])

• 转化成字符串XZSDMFLZ
• 栅栏+凯撒枚举解密（先用栅栏枚举，将枚举结果用凯撒枚举，辨别出可识别字符串）
• 得到flag{SHUANGYU}

23.世上无难事

• 有空格猜测明文是一段英文，先尝试凯撒移位发现没用，进而尝试替换-工具
• 发现最后一句恰巧是32位，则猜测前面KQ = is
• 得到

• flag{640e11012805f211b0ab24ff02a1ed09}

24.Unencode

• Uuencode加密-工具
• flag{dsdasdsa99877LLLKK}

25.old-fashion

• ①文字量够大，直接用工具进行词频分析解码
• ②或者猜测最后一段话是so the flag is作为线索，同样能得出flag
• flag{n1_2hen-d3_hu1-mi-ma_a}

26.[AFCTF2018]Morse

• 赛博厨师解摩斯，然后十六进制转字符
• flag{1s't_s0_345y}

27.RSA2

• 理论推导 红色字 为重要结论

$$ d_{p} \equiv d mod (p-1) $$

$$ \Rightarrow d\cdot e = k_{1}(p-1)+d_{p}\cdot e $$

$$ \because d\cdot e = 1mod(p-1)(q-1) \Rightarrow d\cdot e=k_{2}(p-1)(q-1)+1 $$

$$ \therefore {\color{Red} (p-1)(k_{2}(q-1)-k_{1})+1 = d_{p}e} $$

$$ \because d_{p}<d $$

$$ \therefore (k_{2}(q-1)-k_{1})=x\in (1,e) $$

• 此时就可以编写脚本暴力计算出可能的p，从而再依据n计算出正确的p，q

from Crypto.Util.number import *
e = 65537
n = 248254007851526241177721526698901802985832766176221609612258877371620580060433101538328030305219918697643619814200930679612109885533801335348445023751670478437073055544724280684733298051599167660303645183146161497485358633681492129668802402065797789905550489547645118787266601929429724133167768465309665906113
dp = 905074498052346904643025132879518330691925174573054004621877253318682675055421970943552016695528560364834446303196939207056642927148093290374440210503657
c = 140423670976252696807533673586209400575664282100684119784203527124521188996403826597436883766041879067494280957410201958935737360380801845453829293997433414188838725751796261702622028587211560353362847191060306578510511380965162133472698713063592621028959167072781482562673683090590521214218071160287665180751
a = dp*e-1
for x in range(2,e):
    if a%x == 0:
        p = a//x+1
        if n%p == 0:
            q = n//p
            break
d = inverse(e,(p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))

• flag{wow_leaking_dp_breaks_rsa?_98924743502}

28.RSA3

• 理论推导 红色字 为重要结论
• 存在两种密钥对同一明文进行加密
• 下述为针对此题特殊情况下的特殊推导 ，需满足$gcd(e_{1},e_{2})=1$

$$ c_{1}=m^\left. e_{1}\right. mod\ n\ &\ m=c_{1}^\left.d_{1}\right.mod\ n $$

$$ c_{2}=m^\left. e_{2}\right. mod\ n\ &\ m=c_{2}^\left.d_{2}\right.mod\ n $$

$$ 构造一对(s_{1},s_{2})满足e_{1}s_{1}+e_{2}s_{2}=1其中s_{1},s_{2}\in Z,s_{1}>0,s_{2}<0 $$

$$ c_{1}=m^\left. e_{1}\right. mod\ n \Rightarrow c_{1}^\left. s_{1}\right. =m^\left. e_{1}s_{1}\right. mod\ n ① $$

$$ c_{2}=m^\left. e_{2}\right. mod\ n \Rightarrow c_{2}^\left. s_{2}\right. =m^\left. e_{2}s_{2}\right. mod\ n ② $$

$$ ①\times ②\Rightarrow c_{1}^\left. s_{1}\right. c_{2}^\left. s_{2}\right. mod\ n = m^\left. e_{1}s_{1}+e_{2}s_{2}\right. mod\ n $$

$$ \Rightarrow c_{1}^\left. s_{1}\right. c_{2}^\left. s_{2}\right. mod\ n=m\ mod\ n $$

$$ \because m=c^d mod\ n \therefore m<n $$

$$ \therefore {\color{red}m=c_{1}^\left. s_{1}\right. c_{2}^\left. s_{2}\right. mod\ n} $$

$$ 需要注意的是推论到上面就结束了，但是实际计算中上述式子计算过于复杂，所以应当使用下述式子 $$

$$ {\color{red}m=(c_{1}^\left. s_{1}\right. mod\ n\cdot c_{2}^\left. s_{2}\right. mod\ n)mod\ n} $$

$$ 以及在计算s_{1},s_{2}过程中可以采用逆元的方式 $$

$$ (e_{1}-e{2})s_{1}+e{2}(s_{1}+s_{2})=1 $$

$$ (e_{1}-e{2})s_{1}\equiv 1\ mod\ e_{2} $$

$$ s_{1}=(e_{1}-e{2})^\left. -1\right. $$

• 由此计算出一对$(s_{1},s_{2})$，进而算出明文m
• 编写脚本

from Crypto.Util.number import *
n=22708078815885011462462049064339185898712439277226831073457888403129378547350292420267016551819052430779004755846649044001024141485283286483130702616057274698473611149508798869706347501931583117632710700787228016480127677393649929530416598686027354216422565934459015161927613607902831542857977859612596282353679327773303727004407262197231586324599181983572622404590354084541788062262164510140605868122410388090174420147752408554129789760902300898046273909007852818474030770699647647363015102118956737673941354217692696044969695308506436573142565573487583507037356944848039864382339216266670673567488871508925311154801
c1=22322035275663237041646893770451933509324701913484303338076210603542612758956262869640822486470121149424485571361007421293675516338822195280313794991136048140918842471219840263536338886250492682739436410013436651161720725855484866690084788721349555662019879081501113222996123305533009325964377798892703161521852805956811219563883312896330156298621674684353919547558127920925706842808914762199011054955816534977675267395009575347820387073483928425066536361482774892370969520740304287456555508933372782327506569010772537497541764311429052216291198932092617792645253901478910801592878203564861118912045464959832566051361
c2=18702010045187015556548691642394982835669262147230212731309938675226458555210425972429418449273410535387985931036711854265623905066805665751803269106880746769003478900791099590239513925449748814075904017471585572848473556490565450062664706449128415834787961947266259789785962922238701134079720414228414066193071495304612341052987455615930023536823801499269773357186087452747500840640419365011554421183037505653461286732740983702740822671148045619497667184586123657285604061875653909567822328914065337797733444640351518775487649819978262363617265797982843179630888729407238496650987720428708217115257989007867331698397
e1=11187289
e2=9647291
e1_e2=e1-e2
s1 = inverse(e1_e2,e2)
s2 = (1-e1*s1)//e2
m = pow(c1,s1,n)*pow(c2,s2,n)%n
print(long_to_bytes(m))

• flag{49d91077a1abcb14f1a9d546c80be9ef}

---

• 下面是一般情况的推导 $gcd(e_{1},e_{2})\ne 1$

$$ c_{1}=m^\left. e_{1}\right. mod\ n\ &\ m=c_{1}^\left.d_{1}\right.mod\ n $$

$$ c_{2}=m^\left. e_{2}\right. mod\ n\ &\ m=c_{2}^\left.d_{2}\right.mod\ n $$

$$ 构造一对(s_{1},s_{2})满足e_{1}s_{1}+e_{2}s_{2}=gcd(e_{1},e_{2})其中s_{1},s_{2}\in Z,s_{1}>0,s_{2}<0 $$

$$ c_{1}=m^\left. e_{1}\right. mod\ n \Rightarrow c_{1}^\left. s_{1}\right. =m^\left. e_{1}s_{1}\right. mod\ n ① $$

$$ c_{2}=m^\left. e_{2}\right. mod\ n \Rightarrow c_{2}^\left. s_{2}\right. =m^\left. e_{2}s_{2}\right. mod\ n ② $$

$$ ①\times ②\Rightarrow c_{1}^\left. s_{1}\right. c_{2}^\left. s_{2}\right. mod\ n = m^\left. e_{1}s_{1}+e_{2}s_{2}\right. mod\ n $$

$$ \Rightarrow {\color{red} m^\left.gcd(e_{1},e_{2})\right. \equiv c_{1}^\left. s_{1}\right. c_{2}^\left. s_{2}\right. \ mod\ n} $$

29.还原大师

• 用脚本穷举字符串，实现与MD5的碰撞

import hashlib

alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for i in alpha:
    for j in alpha:
        for k in alpha:
            c = 'TASC'+i+'O3RJMV'+j+'WDJKX'+k+'ZM'
            md5 = hashlib.md5(c.encode()).hexdigest()
            md5 = md5.upper()
            if md5[0:4] == 'E903' and md5[7:11] == '4DAB' and md5[15:17] == '08' and md5[22:24] == '51'and md5[25:27] == '80' and md5[29:31] == '8A':
                print(c)
                print(md5)

• 得到flag{E9032994DABAC08080091151380478A2}

30.异性相吸

• 提醒异性相吸，猜测是使用了异或的加密方式
• 编写脚本，注意文本复制时右下角的编码我显示 UTF-16-LE，所以 encode("utf-16-le")
• 附上python官方的encode参数地址

from Crypto.Util.number import *
a = 'ἇ̀Ј唒ဃ塔屋䩘卖剄䐃堂ن䝔嘅均ቄ䩝ᬔ'
b = b'asadsasdasdasdasdasdasdasdasdasdqwesqf'
a = bytes_to_long(a.encode("utf-16-le"))
b = bytes_to_long(b)
c = a ^ b
print(long_to_bytes(c))

• 得到flag{ea1bc0988992276b7f95b54a7435e89e}

31.RSA

• 可以注意到pub.key文件是SSL签名文件（建过站的可能认识
• 使用工具解析公钥
• 得到e和n
• 用RSA Tool 2或者网站分解n，得到p，q

from Crypto.Util.number import *
c = int(0x4196C0594A5E000A96B878B67CD724795B13A8F2CA54DA06D0F19C28BE689B62)
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463
n = 86934482296048119190666062003494800588905656017203025617216654058378322103517
e = 65537
d = inverse(e,(p-1)*(q-1))
m = pow(c,d,n)
print(long_to_bytes(m))

• 解密得到flag{decrypt_256}

❓ 疑问：为什么我的输出是 b'\x02\x9d {zR\x1e\x08\xe4\xe6\x18\x06\x00flag{decrypt_256}\n'虽然包含了flag。

32.RSAROOL

• 大括号内给出的是n,e
• 分解得到p,q为18443,49891
• 然后编写脚本，批量解密

from Crypto.Util.number import *
p = 18443
q = 49891
n = 920139713
e = 19
d = inverse(e,(p-1)*(q-1))
path = r"C:\Users\XXX\Desktop\data.txt"
ans = []
with open(path,'r') as file:
    c = file.read().split('\n')[2:-1]
    print(c)
for i in c:
    m = pow(int(i),d,n)
    ans += [long_to_bytes(m).decode('utf-8')]
print(''.join(ans))

• 得到flag{13212je2ue28fy71w8u87y31r78eu1e2}