一直在等wp，一直没找着，没有wp就没有进步。

把已知部分写出来吧，抛砖引玉

这个比赛只有crypto,reverse和misc(除一个签到外，都推特油管和谷歌网盘的题作不了)

目录

crypto

Warmup 3

Warmup 1

Warmup 2

Substitution

RSA 1

Warmup 4

RSA 2

Big Rabin

CyberMania

ECC Quiz

RSA 3

1337

Weird dlog

A Tale of Two Systems

Reverse

Baby Reverse

Basic Transforms

French

World Cup Predictions

Super Guesser

Boost Game

Baby CUDA

---

crypto

Warmup 3

-.-. ...- -.-. - ..-. -- ----- .-. ..... ...-- .. ... -. ----- - ..... ----- ..-. ..- -.

摩尔斯电码，并且提示全是小写，直接找个网站解码即可

cvctf{m0r53isn0t50fun}

Warmup 1

Decode the following ciphertext: cGlwZ3N7cG5yZm5lXzY0X3Nnan0=

提示给了一个常用的解密网站cyberchef，虽然是英文不方便，但是里边还是挺全的，解码后

pipgs{pnrfne_64_sgj}

然后作rot13

cvctf{caesar_64_ftw}

Warmup 2

翻译一下介绍就是说维吉尼亚密码

First described by Giovan Battista Bellaso in 1553, this cipher is easy to understand and implement, but it resisted all attempts to break it until 1863, three centuries later.Remember: The Key to success is determination.fzvxw{hqtegmfr_lw_msf_scrslg_kvwlhyk_fpr_kxg?}

在刚才的网站解密

cvctf{vigenere_is_too_guessy_without_the_key?}

Substitution

直接给一段乱码，一看就是quipquip解，估计也叫维吉尼亚

Hxpkdiz kcz Osxe ja x apzhjxs ljvr go jvogimxkjgv azhdijkf hgmpzkjkjgva. Kcziz xiz kcizz hgmmgv kfpza, Uzgpxirf, Xkkxhl Rzozvhz xvr mjyzr.
Jo fgd cxwz ojedizr gdk kcz xqgwz mzaaxez, cziz ja fgdi osxe, pszxaz xrr hdisf qixhlzka qzogiz adqmjaajgv: hwhkoxwzifajmpszadqakjkdkjgv

Capture the Flag is a special kind of information security competitions. There are three common types, Jeopardy, Attack Defence and mixed. If you have figured out the above message, here is your flag, please add curly brackets before submission: cvctfaverysimplesubstitutioncvctf{averysimplesubstitution}

RSA 1

这个RSA啥也没给，而且很多人作出来，说明N可以直接分解

n = 0x7c05a45d02649367ebf6f472663119777ce5f9b3f2283c7b03471e9feb1714a3ce9fa31460eebd9cd5aca7620ecdb52693a736e2fcc83d7909130c6038813fd16ef50c5ca6f491b4a8571289e6ef710536c4615604f8e7aeea606d4b5f59d7adbec935df23dc2bbc2adebbee07c05beb7fa68065805d8c8f0e86b5c3f654e651
e = 0x10001
ct = 0x35b63f7513dbb828800a6bcd708d87a6c9f33af634b8006d7a94b7e3ba62e6b9a1732a58dc35a8df9f7554e1168bfe3de1cb64792332fc8e5c9d5db1e49e86deb650ee0313aae53b227c75e40779a150ddb521f3c80f139e26b2a8880f0869f755965346cd28b7ddb132cf8d8dcc31c6b1befc83e21d8c452bcce8b9207ab76e

直接到factordb.com上查到p,q

n = ...
e = ...
ct = ...
p = 8156072525389912369788197863285751656042515380911795404436333529629416084362735262281722179416240983448945672233749861517470671156357917601583268804973543
q = 10678085245814899631026086851678635624044610674331494223434578587048178556659016077336866548714220013612176819608742965144962254942844889066032236627832071
phi = (p-1)*(q-1)
d = invert(e,phi)
m = pow(ct,d,n)
print(long_to_bytes(m))
#cvctf{f4c70rDB_15_p0w3rfu1}

Warmup 4

这个73人完成，我没作出来，不清楚怎么回事

Ｉn sｃｉencｅ fіctіοｎ, ｍetａνerse ｉs ｉtｅrａtiｏｎоf the Iｎternｅｔ as a sⅰｎgｌe, universal and immersive virtual world that is facilitated by the use of virtual reality and augmented reality headsets.

提示：Note 2: This challenge involves some steganography tool related to a social media.

RSA 2

先看题

from Crypto.Util.number import inverse, bytes_to_long, getPrime, isPrime
from math import gcd
from secret import flagPBITS = 512
e = 0x10001def stage_one(data: bytes):m = bytes_to_long(data)p = getPrime(PBITS)q = getPrime(PBITS)b = 7n = p**b * qprint(f"p = {p}")print(f"e = {e}")print(f"dp = {inverse(e, p-1)}")print(f"b = {b}")print(f"ct = {pow(m, e, n)}\n")def stage_two(data: bytes):m = bytes_to_long(data)p = getPrime(PBITS)q = p + 2while not isPrime(q):q += 2n = p * qprint(f"n = {n}")print(f"e = {e}")print(f"ct = {pow(m, e, n)}\n")print("=== Stage 1 ===")
stage_one(flag[:len(flag)//2])
print("=== Stage 2 ===")
stage_two(flag[len(flag)//2:])

题目分两部分，第一部分是n = p**7*q给了p和dp没给n，这里只要p够大其实也用不着n，也就是

ct == m^e mod n === ct == m^e mod p

直接用dp解

from gmpy2 import *
from Crypto.Util.number import bytes_to_longp,e,dp,ct,b = ......phi = p**6*(p-1)
d = invert(e, phi)
m = pow(ct,d,p**7)
print(bytes.fromhex(hex(m)[2:]))#cvctf{Hensel_Takagi_Lifting,but_Fermat_is_better?}

第二部分q = k*2 + p说明两个很近，一般是用费马分解，但这题正好原来的模版正好不能用，但手工可以看到

a=iroot(n,2)[0]
(a+1)**2 - n == 121

显然121是11的平方就不用程序处理了，a-10就行

a=iroot(n,2)[0]
#(a+1)**2 - n = 121
p = a-10
assert(n % p == 0)
q = n//p 
phi = (p-1)*(q-1)
d = invert(e, phi)
m = pow(ct,d,n)
print(bytes.fromhex(hex(m)[2:]))
#flag在前边

Big Rabin

题目说大Rabin是说值给得太大了

from Crypto.Util.number import *
from secret import flag
import os, functoolsprimes = []
e = 2for _ in range(10):primes.append(getPrime(1024))n = functools.reduce((lambda x, y: x * y), primes)
m = bytes_to_long(os.urandom(256) + flag)
c = pow(m,e,n)print(primes)
print(c)
'''
[132226521510073241868478441993015354148527265070844601764638529221288504976410393924935295341036464167430758516679806086101355913069828507720078706111518764763860261405919471828890271375290465307125060869008747651304555905840414020300749769085263330846399185059492965396066022852144378645140305287757847727023, 166975174848900885230261330388360938761353252820281468924803320138144055905644086619356255132048410411366729267993937675260638228144755335215429145353099164053352619775669398053052968467143600192845905417256960156392197454820487653509257937973672298884564792967995269332679341948473655565516611128690668584197, 142872473239232009830855192451471368852668441691782565721008089294877340422457402592626252955869775729973997252931251666144198844354316321876779014522642204671232774572604583775513634884566978553917344483379779100930174962243024555704822801010773572545801848379806701640868474072068588187164478666117032536743, 130892261245352215748569386846911862074603359546553143534975947107064714450388455394151437883146319257061620436858323988107585895908396306525917087044899379090234252879747887675884686106229697448906503338648983178690152813231281939068998489985753607854487974314966395013411365168104897566924065151568253685389, 145551848922783998528416786343973572472474320126254044570241048099740111725992313257532536785462269965641550642274572312923944315477621869191221368417595336738285091021747216596626016115302578007940230744568897790622831057456985073420219248560391242735855176398817027832854071167392464605267378738681409692207, 109114236141132256858265781393324161877680502794260375634936389144130052076205935445884813005428724784271974614143303830651751053233628886067941762333164941597521613761267981323595507523576850094910118775698465333491285382926211396415210206640863838245229759501252816392805326580130465854590783194264915510107, 149012332254098169883676747964911319691822361308399858421962733809406243673749451302379098919202789878055459506619587309704672105656774201994079016346228841284249488225321663757366441960504330961474614423041525751882565821073188367282242863442968249947378755695090610366079747622976283329590239856372835372077, 89933039054622081733083753412036389257663070424046675225077590968264124467545748005665094466078872143690347802061705503577114736109829239359006199434519375691332381519569498638696542565602083683732367191126621738256117168725047465248935955872366458549695968621135516743160437309215563157049376939290044627313, 144740324082556719196755949987638484388687025029996662925584432266650207893213563830207448527247219434052744033623084777776494559920370369824340095295242250589124486762879342972124012161218261244077906297847144914260263449001263793071999861655844579640626513700692813426335252087586488036788977420619650395281, 177890920322792684381488228351207885958275622324411726844780096159974211995797980616696403624147387087872691406579164096185188544912293856215282348681231390887966279317515097280087518605104367297949995780275322107787760838983798771894346399852645638599662743887567463532610893557114956013160076360765011538011]
22946885822002467171903084240416288222260709393342086666614067405740711654751859628586773085727309553476558484713992238684106955555407130896914013459177345438724868201174752650162646056513628813995822388584081951435555201995181471800953753065805537239004801790261801117451703491741695068405051052528468868702342710290967199025172882590726554624329641303992754921465060035494584473179143361525585375327174333664171595698051318950929679219084654514302582298457923944861686107213448365614170278678031637593258899000503650392461910041826689785746033611685952405642342168822481363285927108889621327497879411676118996705939126347323933488709432561266681241083588173377314801049718139453233426105928769665280701332464661007393707855685695381234000934601768404436981039966731154784057035002881385480733918721892505780861028743718627723983889337589245505471761609164355615583667187016246477658779583361278419641451588063893642706807003172297981383003084552004900791931139372946360714784486527322818344413194151333823878001862478897096198700081692897370151996011935154686270934438172865531978260775218635723194626200021562057411503822135701039014960850609050136539744310043850114618082256447659795677305772357979166562438839947373438799197847335503006808051165456399906449288192895712634565545914245083072956245576112332273453809567266070539909722697964638524279759280287013618910074497709507375042069373384981213251042198281
'''

显然从这里看，n是这些素数的积，比c在太多，说明根本没有取模直接对C开方即可

c = ...
m = c.nth_root(2)
from Crypto.Util.number import *
print(long_to_bytes(m))#cvctf{r4b1n_Cryp70_K1nd4_c0mpL1C4t3d?}

CyberMania

未解出，等wp

只给了一个密文，base64后是两个16进制1个空格，再转后是可见乱码

NDAgNmIgNzEgNmEgNjkgM2EgMzIgM2QgNDIgM2YgM2QgNzUgMjcgNjIgNmEgM2QgNWQgNjUgMmQgNWMgM2MgNjMgMjggM2IgNzMgM2MgNDEgNDkgNWQgMzUgM2IgNDQgNTcgMzggNzAgM2IgMmYgNDMgMjYgNDIgM2EgMzAgMjggMmMgMmEgNDAgM2IgNTMgNGEgNTYgM2MgMjkgNmQgNTUgMzYgM2EgMmMgMmMgMzQgMmQgNDAgMzkgM2YgMjEgNDAgM2MgNWYgMmMgNzQgNjEgNDEgMzQgNGIgNWIgMjQgM2UgMjMgNjYgNGUgM2IgNDAgNmIgNzAgMjIgNzUgM2QgNWYgNjcgNjAgNTcgM2QgNjEgNDYgNTUgNGIgNDEgMzggNTEgMjEgNmUgM2IgNjUgNmYgNTEgMjkgM2QgMjUgNDcgNzIgMjggNDAgMzcgMzMgNTMgMjMgM2QgMjUgM2YgNzEgMjEgM2EgMmUgNGIgMzQgNTggNDEgMzggMzQgNTMgNDkgM2QgNWQgNDAgNmEgNjkgM2MgMjggNGIgNmUgNjYgM2EgMmUgNDkgMzAgM2QgMzkgNjkgNTkgNWYgM2YgM2MgNjAgNGYgMmEgNjAgM2MgMmEgMjkgNWIgNjMgNDEgMzggNGYgNjUgMzUgMzkgNjkgNTAgMmUgNWUgM2IgNjYgMmIgNGYgM2MgM2EgNDkgNjYgMzUgM2EgMzkgNmQgNTQgNjUgNmUgM2QgNWQgNTQgNGEgNzEgM2MgMjkgNjQgMjQgNjYgM2QgMjkgNGMgNTcgNGUgNDAgNmYgNzUgMzMgNDggM2QgNTkgNGYgNDEgNjcgNDAgM2MgNzQgNGYgNWMgM2EgMmUgMzcgNjAgMzAgM2IgNjYgMjMgNDcgNjYgM2QgMjUgMjQgNTAgNDUgM2QgNzQgNjkgNTEgNDQgM2MgMjggMzkgNjIgM2YgM2UgMjYgMzggMmUgMzUgM2MgNDMgNDMgMjIgNDcgM2IgNGEgNWQgMzYgNGMgM2UgMjIgM2EgNDcgNGMgM2IgNDggM2YgMzcgNjggM2IgMmYgNGEgNmMgNWEgM2IgNjUgNjYgNGIgNTkgM2EgNDkgNjQgNmMgNmEgM2QgMjcgMjUgNDMgNzUgM2IgNDYgNDYgMmQgMjMgM2MgNDUgNDMgNmUgNmIgM2MgNDUgMzQgMzUgNzMgM2QgMjYgNjEgMjEgM2QgM2IgNDggMzUgNTMgNjcgNDAgMzkgNDAgMjYgNWMgMzkgNjYgMjQgNjAgNWIgM2QgNWQgNTIgNzQgM2IgNDAgNmYgNmMgMzkgNDMgNDEgNGYgNGIgMjEgNTMgM2MgMmEgMzIgNjEgNWUgNDAgMzcgM2MgNjUgMjUgNDAgNTQgNDggNGUgMzEgM2EgMzIgNDYgNjAgNGIgM2UgMjMgNjUgMzAgNmUgM2MgMjggMjcgNGEgNzUgM2MgNWYgMmMgNTEgMjIgNDAgNzIgMjIgNTggNmUgM2IgMmQgMjUgNGMgMjYgMzkgNjkgNTAgNzEgMjggNDAgM2IgMzkgM2QgNTYgM2MgMjkgNjQgNWIgNGUgNDEgNGYgNGIgMzkgNjAgM2QgNWYgNzAgNTAgNWQgNDEgNTMgNmEgMmIgNTcgM2QgNzQgNzMgMzMgMjQgM2UgMjYgNGEgMmIgMzMgM2MgNjAgNjkgMmIgMzIgNDAgMzcgNGUgNjQgNDYgM2IgNDQgNDMgNTggM2QgM2IgMmYgNDMgMjMgNmYgM2IgNWYgNTYgMmEgNjMgM2MgNWUgNzAgMjggNDYgNDAgNmYgNWEgNDUgMmYgNDAgNTAgNWYgNzMgNTggNDAgNTQgNWEgNjIgNjUgM2QgMjkgMjkgNTAgNmMgNDEgMzggM2QgNjUgMjggNDEgMzYgM2MgNGQgMzMgNDAgMzcgNGYgNzMgNTQgNDEgNGYgNmYgNTEgNTAgNDEgMzkgNTUgMzEgMjI=

base64后

40 6b 71 6a 69 3a 32 3d 42 3f 3d 75 27 62 6a 3d 5d 65 2d 5c 3c 63 28 3b 73 3c 41 49 5d 35 3b 44 57 38 70 3b 2f 43 26 42 3a 30 28 2c 2a 40 3b 53 4a 56 3c 29 6d 55 36 3a 2c 2c 34 2d 40 39 3f 21 40 3c 5f 2c 74 61 41 34 4b 5b 24 3e 23 66 4e 3b 40 6b 70 22 75 3d 5f 67 60 57 3d 61 46 55 4b 41 38 51 21 6e 3b 65 6f 51 29 3d 25 47 72 28 40 37 33 53 23 3d 25 3f 71 21 3a 2e 4b 34 58 41 38 34 53 49 3d 5d 40 6a 69 3c 28 4b 6e 66 3a 2e 49 30 3d 39 69 59 5f 3f 3c 60 4f 2a 60 3c 2a 29 5b 63 41 38 4f 65 35 39 69 50 2e 5e 3b 66 2b 4f 3c 3a 49 66 35 3a 39 6d 54 65 6e 3d 5d 54 4a 71 3c 29 64 24 66 3d 29 4c 57 4e 40 6f 75 33 48 3d 59 4f 41 67 40 3c 74 4f 5c 3a 2e 37 60 30 3b 66 23 47 66 3d 25 24 50 45 3d 74 69 51 44 3c 28 39 62 3f 3e 26 38 2e 35 3c 43 43 22 47 3b 4a 5d 36 4c 3e 22 3a 47 4c 3b 48 3f 37 68 3b 2f 4a 6c 5a 3b 65 66 4b 59 3a 49 64 6c 6a 3d 27 25 43 75 3b 46 46 2d 23 3c 45 43 6e 6b 3c 45 34 35 73 3d 26 61 21 3d 3b 48 35 53 67 40 39 40 26 5c 39 66 24 60 5b 3d 5d 52 74 3b 40 6f 6c 39 43 41 4f 4b 21 53 3c 2a 32 61 5e 40 37 3c 65 25 40 54 48 4e 31 3a 32 46 60 4b 3e 23 65 30 6e 3c 28 27 4a 75 3c 5f 2c 51 22 40 72 22 58 6e 3b 2d 25 4c 26 39 69 50 71 28 40 3b 39 3d 56 3c 29 64 5b 4e 41 4f 4b 39 60 3d 5f 70 50 5d 41 53 6a 2b 57 3d 74 73 33 24 3e 26 4a 2b 33 3c 60 69 2b 32 40 37 4e 64 46 3b 44 43 58 3d 3b 2f 43 23 6f 3b 5f 56 2a 63 3c 5e 70 28 46 40 6f 5a 45 2f 40 50 5f 73 58 40 54 5a 62 65 3d 29 29 50 6c 41 38 3d 65 28 41 36 3c 4d 33 40 37 4f 73 54 41 4f 6f 51 50 41 39 55 31 22

再转字符

b'@kqji:2=B?=u\'bj=]e-\\<c(;s<AI]5;DW8p;/C&B:0(,*@;SJV<)mU6:,,4-@9?!@<_,taA4K[$>#fN;@kp"u=_g`W=aFUKA8Q!n;eoQ)=%Gr(@73S#=%?q!:.K4XA84SI=]@ji<(Knf:.I0=9iY_?<`O*`<*)[cA8Oe59iP.^;f+O<:If5:9mTen=]TJq<)d$f=)LWN@ou3H=YOAg@<tO\\:.7`0;f#Gf=%$PE=tiQD<(9b?>&8.5<CC"G;J]6L>":GL;H?7h;/JlZ;efKY:Idlj=\'%Cu;FF-#<ECnk<E45s=&a!=;H5Sg@9@&\\9f$`[=]Rt;@ol9CAOK!S<*2a^@7<e%@THN1:2F`K>#e0n<(\'Ju<_,Q"@r"Xn;-%L&9iPq(@;9=V<)d[NAOK9`=_pP]ASj+W=ts3$>&J+3<`i+2@7NdF;DCX=;/C#o;_V*c<^p(F@oZE/@P_sX@TZbe=))PlA8=e(A6<M3@7OsTAOoQPA9U1"'

然后怎么办？看到一个日本的WP 这里用base58，出来的东西就不贴了是emoji符号，贴不出来的那种。然后到cryptoji | encrypted emoji 里贴上就看到结果了。不要点别的

ECC Quiz

给了椭圆上一个点求乘后的值，不会从日本的一个WP学来，复现。

这个题没有附件，只有远程，远程一共3道题，答对以后可以得到flag，三个题都是关于椭圆方程的，第1个是给定p,a,b,P和乘数m求Q = mP这个比较容易

'''
Enter your choice: 1
Curve parameters:
p = 12613
a = 864
b = 8456
Point P: (6540, 1524)
Find the point Q = 6425P. The answer is in the form of (x,y): 
'''def s1(p,a,b,P,m):F = GF(p)E = EllipticCurve(F, [a, b])P = E.point(P)Q = m*Pr = f"({Q[0]},{Q[1]})"print(r)return rdef get_s1():sh.sendlineafter(b'Enter your choice: ', b'1')sh.recvuntil(b'p = ')p = int( sh.recvline())sh.recvuntil(b'a = ')a = int( sh.recvline())sh.recvuntil(b'b = ')b = int( sh.recvline())sh.recvuntil(b'Point P: ')P = eval( sh.recvline())sh.recvuntil(b'Find the point Q = ')m = int( sh.recvuntil(b'P.', drop=True))sh.sendlineafter(b"(x,y):", s1(p,a,b,P,m).encode())return p,a,b,P,mget_s1()

第二题是已知两点求参数a,b，当两个点给定后就是二元一次方程组，可以直接解也可以用矩阵，这个WP是用的矩阵。

'''
Enter your choice: 2
Curve parameters:
p = 35371463786896767403883993879950568376425395921041864704896570633658346257377326450371885543667689388371397786558353721715951081818497958520125458257311879009311599281405600577882834537687
Point M on the curve: (11167999853303493222746045702151309956349245456132816546988745387439417523669532765400664854270169851544158641720483571372796738978308087129543348315813398381916000522256227652463488088759, 14235871227609176117419037322215903412896418677581296893263122244466495516501059148482339923908286214318868802694209348625834840090288371136382095156987565471128329739317044050153965085564)
Point N on the curve: (34181843038403961504038646547955266834676968908351779373403575518393704136248789816130062681000161968234498379978339993440834123801220109974461491111682189103535957854778788923672652334205, 7721014516008602943724491960961632269157040994437262667853548205799486252368493981422773648635093854932747215220828199494727285547574870575253080961667143405054516597820830642116821862357)
Find the curve parameters a and b. The answer is in the form of (a,b): | x1 1 |   |a|    |y1^2 -x1^3|
| x2 1 | * |b|  = |y2^2 -x2^3|X = A.solve_right(C)
or 
A.inverse()*A*X = A.inverse()*C '''
def s2(p, M, N):A = matrix(Zmod(p), [[M[0], 1],[N[0], 1]])C = matrix(Zmod(p), [[M[1]**2 - M[0]**3], [N[1]**2 - N[0]**3]])X = A.inverse() * Cr = f"({X[0][0]},{X[1][0]})"print(r)return rdef get_s2():sh.sendlineafter(b'Enter your choice: ', b'2')sh.recvuntil(b'p = ')p = int( sh.recvline())sh.recvuntil(b'Point M on the curve: ')M = eval( sh.recvline())sh.recvuntil(b'Point N on the curve: ')N = eval( sh.recvline())sh.sendlineafter(b"(a,b):", s2(p,M,N).encode())get_s2()

 第三题和第一题相反，给了两个点求u ，Q=uP 这个题数字都比较小，可以直接爆破，但还是学人家WP里的解法好。

'''
Enter your choice: 3
Curve parameters:
p = 1228564964111169573663596185733
a = 721418494225609268155123544669
b = 867322911963218745305605918611
P = (1023299399129942635540223017013, 910643556349893045023606263034)
Q = uP = (196403627684407134672090488599, 473655574959373049831350237623)
Find the scalar u. The answer is a single integer: 
'''def s3(p,a,b,P,Q):print(p,a,b,P,Q)F = GF(p)E = EllipticCurve(F, [a, b])P = E.point(P)Q = E.point(Q)factors, exponents = zip(*factor(E.order()))primes = [factors[i] ^ exponents[i] for i in range(len(factors))]print(primes)dlogs = []for fac in primes:t = int(P.order()) // int(fac)dlog = discrete_log(t*Q, t*P, operation='+')dlogs += [dlog]print(dlogs)ans = crt(dlogs, primes)print(ans)return str(ans)def get_s3():sh.sendlineafter(b'Enter your choice: ', b'3')sh.recvuntil(b'p = ')p = int( sh.recvline())sh.recvuntil(b'a = ')a = int( sh.recvline())sh.recvuntil(b'b = ')b = int( sh.recvline())sh.recvuntil(b'P = ')P = eval( sh.recvline())sh.recvuntil(b'Q = uP = ')Q = eval( sh.recvline())sh.sendlineafter(b'Find the scalar u. The answer is a single integer: ', s3(p,a,b,P,Q).encode())get_s3()

最后选菜单取就行了

def get_flag():sh.sendlineafter(b'Enter your choice: ', b'5')print(sh.recvuntil(b'}'))get_flag()
#cvctf{ECC_is_411_y0u_n33d_t0_kn0w...And_CryptoHack_15_4w3s0m3!}

看着不难，一作就废。 

RSA 3

原题server

from Crypto.Util.number import *
import random
#from secret import flages = [17, 19, 23, 29, 31, 63357]
e = random.choice(es)
p = getPrime(1024)
q = getPrime(1024)
n = p * q
m = bytes_to_long(flag)
c = pow(m, e, n)if not random.randint(0, 10):c = (1 << len(bin(c)[2:])) | c    #10次才有一次，不用管print(f"n = {n}\ne = {e}\nc = {c}")

这里e和n都在变，但e就几个可选值，里边对c的处理由于10次才会有一次可以不处理，先登录网站多次找3个e一样的，然后用中国剩余定理解

e=17
n1 = 10693914454311431656307610014029132586674809563593121840355650485069219172150964785324854773727579907180247982518766603951127535735366002330947127532633573246255287787721049214787007066639197409931789096620381081083786219508402663680304962557177051355476272946563987267275433659134936447556298917781480264826758011792814812397108018226643436975575131963829724931805094353463091470543684338695219315901830000623776315738238612735707599121130714590880690397013374065202425147294136509126610916047399729790822051327554833789631317107019746190628638380471033331049451815860662117872239693732796139849738531319280571592159
e = 17
c1 = 6981160130311016390489722540316423786227271860900450295297003557886568900928461714659121064887775331417170937266793821409758239576896626088090412897367422202404063760073263144704841755918153787271235160846165362401782206268723277593290694358989855227941278771652212953372714443924821898302689833474349505745462124697888002742530394272317660664827210559816074067276047815807474039787605988447270594282052787304016851820186500131806745962929984863047265245964877160770601268935589329816152571979147802188529178517668521052095539601230043721501626925200880796380683934560221335651074827735775767567580307193413432411071n2 = 27085705680767622327332987902862060603713787626896128533953378429602114639242185896192578360847280661194181647229681106883518457790054175916107420743874121009424137026655823822632792605749988912686299322121330364480416664301554703511250446078605765383520468197876001690548399182687285754526022755274456645753848270324233696660222239091589295805436485535277367657250333211376034623543902809280359062023212265251323645761404322338348667994305145312998483399998205304981997393096922164020524185322402436304972410353800439290744509740204824328381354925197878795291965847402621488840406276244219958374494306973751472075543
e = 17
c2 = 23530129421080573881236529012757693053581322687845710984184697076711341023209594696856359084114083206802278084925646436101503924651339213427069647958123824243302179538274620341586852824926242995389506298392777064884659156016313074393771971308346758416634664893886457804439539376724593058208238986135045348058589426718364872994794215789084419591982506051149270453843149969699315234429642565656186691830136962997883308519552883181975658043709379773230207637377515043855894502196456367917122549446439228395099269278482841674500187010716322165437706036719444204385382282655634651713865854349466347867093845350141762432986n3 = 18352823911264698900651566304464161847913365689191732403126260267040721738556175338703760309312874146737233328981578738938919300916269428059684912268091771357892070858421246234571345579601759025031100390493343824882529116886519812477740034261381021394551898297382156744127215979519192679841004904069344679267363157060449214996037545117325598755834647466183663126850529053124809830542717575707606858887138849331470431606055255535050920426737031416472002700236290958289372551752364253877583672495505029604012699677368666418699303258121995742209755418810785820617610310449384650801826615046342567402545032460906954689507
e = 17
c3 = 1737146045385937705359457246047071230095853982718472723565179804689351241123447265038743683442201531287325967606944534889716615051905346790660296547873241026642497189429641145607859671458551036856868417180314755825928050925211745934359272376122040978313685743319110325299711183210176177274890065163817526182245165311281900934832345394545785960667577458449521142569856280324040687744285625707059697980943119859167319338630826156271507642312984336929882481393585449788489891026725646959933138679847624721017724468655366717365968590864933747196926405793484439553371901627467679775360238988312821040659407729894679763947#sagemath
x = crt([c1,c2,c3],[n1,n2,n3])
m = x.nth_root(e)
print(bytes.fromhex(hex(m)[2:]))
#cvctf{Hastad_with_e=65537_might_be_slow}

1337

一个有限域上解方程的题，不会，后边的也都不会了

from Crypto.Util.number import inverse, bytes_to_long, getPrimeFLAG = b"cvctf{REDACTED}"
step = len(FLAG) // 4
parts = []
for i in range(0, len(FLAG), step):parts.append(bytes_to_long(FLAG[i:i+step]))P = getPrime(128)
ZmodP = Zmod(P)
a, b, c, d = parts
x, y, z, w = ZmodP(a), ZmodP(b), ZmodP(c), ZmodP(d)print("P:", P)
print("L:", x^1+y^3+z^3+w^7)
print("E:", y^1+z^3+w^3+x^7)
print("E:", z^1+w^3+x^3+y^7)
print("E:", w^1+x^3+y^3+z^7)
print("T:", x+y+z+w)'''
P: 231609284865232306744388160907453774453
L: 213929627434382339098735177055751649916
E: 19199104003461693263250446715340616788
E: 81305572597778258494448971196865605263
E: 204055349607012377951682156574173649079
T: 2268211308285612387872477045295901103
'''

Weird dlog

DLP题，未完成

from Crypto.Util.number import *
from secret import flagNBITS = 1337def keygen():p = getPrime(NBITS)q = p + 2while not isPrime(q):q += 2n = p**2 * qg = getRandomRange(2, n-1)assert pow(g, p-1, p**2) != 1return (g, n), p(g, n), pk = keygen()
print(f"g = {g}")
print(f"n = {n}")m = pow(g, bytes_to_long(flag), n)
print(f"m = {m}")'''
g = 4217104162231108571881486363264502722577265670533700464292447122725884060865278499273749984084307890296655750169737247120115556105852793495207776085190125693574834744150776071626953537124287733539294768576947214664831668249537361880607900415980188224790377848428124695064324868240382228326860781143717838988468681317873292597463247890454032395659378742623078198171614526987958808613568346779857292295096270767472963769637419908101399359189794634298434235861743414985078720538901239212554829307311050121532457033249775247040962157091404814597818322567791804549931512078619168741053536240553838132062889112375399237994189289540471931223835109201969517169907064471393467949637030171468739827679615037096191102556235525038398343624846458755117043899170432849676184565935742212246568515988089821245576219250167380483425498097448081250808144546318744227429556017907249040862683999049166654695785359522913386597444234975046933660020802696704230400762773828356573597488744036818115263470798266879540313464252075039418721353291327500707724679404373330401143441889215673146351039551079579127929035980199349135110483207097742313251638620757710743549095431313120163844541459241899262156308740654917968060844284412082299
n = 10941888529432710302272044808172366177817083267353728387778251966266072287607755644721338043351870432706497693313492403987246128369454049222700884094312120262698229189208223218732275272981771624419914106314134685967783268356547329406040929859316975902966386276320517786973713050654580905181729305020144204934138012268416005803949005810888621349553556279807338189673928133725107444318753299258813428869755492871371365509253274275507785302703028229706104025231495516828413453372697736689315270600144033367988185883751955533145131820299821036099425033741978037404521469840343451728996005273312522454265432166678945758946508086710070492821787815923425038513533610548985733666276895713644320042830406173577168099532687994444950160159745610177551080984478286003952657902953582221120083238221655231826293209922243103643973158229947410799996443039134812980230923730059957532891088920291921544489491437892953022797147371056895427933338596342279801238281297736043937512612367418666450917035364442328787819461040287010570790023067874699031894369374666073884261229547448186848837461040401572755725068306333093138881471721393682218994576974011413807781411295540237225784367274045480384276599164320452991405168935726178669
c = 4576653037171661542042510858542458890428902270240861216961609304805830644888835861552943484827465024255946333173438385318547946480432546672274379127945737050221711664915718037389483818788255371177342813451318183796063859501483853616124820170927827054719451326957465962519367227753007179628370407849940782754428678471956932743015842138996456351682565775528904950367274203264025982858945560085867807654673726775851728189907590054081432299552285929407918297497972515287529506153936873120705301250301755547851988767682706931104344998515759782906834209711055747621306735557847407025512085632112612715677993856157667539100717815505576125450494688023610882544096421409195218600313621491935755995519193153556491442386466162185336840903547990417011020008723119132837593921370224096091218428827263318876330392141114596260431968349229888104149062981625468823935145842920387345948673405002062554960084883553497321014737635984993337888457310522533554029754162393609118195463217899952617045335297738291366080224287861881668432617054485772999546446076931624127877484962146375663168327918511556849268478695380248447621861402820926977211453653005530269636900365390125831754366239971553991824331582315041274983141065725144997
'''

这里p,q很接近，可以解出来，然后看原来的题就是直接求对数了，可惜作不出来，不清楚差哪了。

p = 2220056847922888806692961201204181494180468404265144656979415727846610609650612145504228170996668036830178564363339729040733053444504290404813978909079947107025031382736413106168755521395169078323433549912352350586785691382035545583930303726697079796565769117602611817953388750640643945286203371871152311393277382213336946213995315438785489971755082168989679975255419041436378409691325787848675432434833
q = 2220056847922888806692961201204181494180468404265144656979415727846610609650612145504228170996668036830178564363339729040733053444504290404813978909079947107025031382736413106168755521395169078323433549912352350586785691382035545583930303726697079796565769117602611817953388750640643945286203371871152311393277382213336946213995315438785489971755082168989679975255419041436378409691325787848675432436509
F = GF(q)
long_to_bytes(F(c).log(F(g)))

A Tale of Two Systems

题目也是两块，两块都不会

from Crypto.Util.number import *
from secret import flagNBITS = 1024def system_one(m: bytes):a, b = [getRandomNBitInteger(NBITS) for _ in range(2)]p = getPrime(2 * NBITS)q = getPrime(NBITS // 2)g = inverse(a, p) * q % pct = (b * g + bytes_to_long(m)) % pprint(f"p = {p}")print(f"g = {g}")print(f"ct = {ct}\n")def system_two(m: bytes):p, q = [getPrime(NBITS // 2) for _ in range(2)]n = p * qe = 0x10001ct = pow(bytes_to_long(m), e, n)print(f"n = {n}")print(f"e = {e}")print(f"ct = {ct}")# what if q is reversed?q = int('0b' + ''.join(reversed(bin(q)[2:])), 2)hint = p + q - 2 * (p & q)print(f"hint = {hint}")def main():print("When you combine two insecure systems, you get an insecure system. (Cryptoverse CTF, 2022)")print("[+] System 1")system_one(flag[:len(flag) // 2])print("[+] System 2")system_two(flag[len(flag) // 2:])if __name__ == "__main__":main()

第一部分感觉g应该可以分解得到q然后两边模q就能把a,b,q项去掉，分解不成功，放弃。回头发现自己写的笔记，关于NTRU的，似乎与这题基本相同，只是q是g g是h,把变量名改一下，直接用原来的程序。得到前一半

#sagemath
p = 20674560756675681113807790771517430528512553857174119575519075764019276636690663462938567589430430460827468855176990607866662208878496146036805827782635460673199652412733975510335422677460730264825472933858652608429343035488488603137801781214938408376223813765348999263839115699969377943217517837672862013818475666653836506583052308034058249324326415414364356442070749039494616286767572072398953493782554731290108295336159077374437925169124645200455704800370759354362584372424061210775163275420305131558794161601224465838778284886947938781786382764093467968116097834015744469149777515652090914300180029662288783750021
h = 5365347844128911565211837794252336963057769303115463818738345608049041966508101046929880647194771517267106647263073443125634817774906157236157364181220114411736283603059221346539093692404874612539184286517328794259184507790239825289038134433765839884461242650892882279806511242820846708839730744202157985481289342173571114134979156499539670694539440474761156374349428264760740065338094636581045645711147693807365625789728452292523224554652674948494238368602447996725452482367080741677198681165008318577100383140978454643629228309803247917737000357630668780245655456608804937997854554350520449896400294483856616814372
c = 7198614388336961568991317581364946176599732925342548106877806830805493704508075912208241115350344191374827351874074150549656775285164202146294778355061448230589465181081889636070498174685391034029837473151573921040343466735807862021503271878218452664219101661480779782715330005668928307176271335942096485215750307265516779004367844432567231788085514343337614238950306425973379613080931291149785179652369852109225613425421153062607258945987848594216018518686456430939925568011454644192785585658774535793557557054745416480167491598491258801748919186493783417939002251404512177037699861017344666192055596178941166714878# g 512
# h = inverse(a, p) * g % p
# ct = (b * g + bytes_to_long(m)) % p
# c = (a*h + m ) % pv1 = vector(ZZ, [1,h])
v2 = vector(ZZ, [0,p])
M = matrix([v1,v2])
f,g = shortest_vector = M.LLL()[0]
a = f * c % p % g
m = a * inverse_mod(f, g) % g
bytes.fromhex(hex(m)[2:])
#b'cvctf{n0_On3_1S_u53l355_1n_7h15_w0r1d_...'

第二部分感觉可以爆破，那个hint就是p^q的值,也没成功

快12点了，终于把程序改完了，秒爆成功

n = 153342396916538105228389844604657707491428056788672847550697727306332965113688161734184928502340063389805944751606853233980691631740462201365232680640173140929264281005775085463371950848223467977601447652530169573444881112823791610262204408257868244728097216834146410851717107402761308983285697611182983074893
e = 65537
ct = 107338230886326277184470602423206077959904409598566827958776297403757505756279110769758655388775872785351736575087710060126451130008864605660316323321121912126865044237770131409575047987371810396491057938456745767097179158355665973273718023399000209954399981644938965035820182118954653379531056336561902214503
hint = 3551084838077090433831900645555386063043442912976229080632434410289074664593196489335469532063370582988952492150862930160920594215273070573601780382407014
#0x43cd5753d1ed37ef2ccb0fc5b0cd4795cf9aec9b43cd5dbe90bc1dcf3aea56e87e7f864deea7058496c81ca724bdc7cab6519ff38bb0fb4e27c1e1046f319966
bits = 512def get_pq(p,q, idx):#print(idx, hex(p))#print(idx, hex(q))t = p*qif t == n:print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1')print(p,q)exit()return Trueif idx>=bits//2:return Falseif t > n:#print('>n')return Falseif ((t^n)&((1<<idx)-1)) != 0:#print('VALU:',hex((t^n)&((1<<idx)-1)), idx)#print('MASK:',hex((1<<idx)-1), idx)return False#中间全写1，不能小于nk = (1<<(bits - idx) ) -  (1<<idx)if (p+k)*(q+k) < n:#print('<n', hex(p+k), hex(q+k), hex(n), hex(k))return False b1 = int(hint[idx])b2 = int(hint[-idx-1])bleft = 1<<(bits-idx-1)bright = 1<<idx#print(b1, b2, idx, hex(bleft), hex(bright))if (b1 == 1) and (b2 == 1):get_pq(p + bleft + bright, q,                  idx+1)get_pq(p + bleft,          q + bleft,          idx+1)get_pq(p + bright,         q + bright,         idx+1)get_pq(p,                  q + bleft + bright, idx+1)elif (b1 == 0) and (b2 == 0):get_pq(p + bleft + bright, q + bleft + bright, idx+1)get_pq(p + bleft,          q + bright,         idx+1)get_pq(p + bright,         q + bleft,          idx+1)get_pq(p,                  q,                  idx+1)elif (b1 == 1) and (b2 == 0):get_pq(p + bleft + bright, q + bleft,          idx+1)get_pq(p + bleft,          q,                  idx+1)get_pq(p + bright,         q + bleft + bright, idx+1)get_pq(p,                  q + bright,         idx+1)elif (b1 == 0) and (b2 == 1):get_pq(p + bleft + bright, q + bright,         idx+1)get_pq(p + bleft,          q + bleft + bright, idx+1)get_pq(p + bright,         q,                  idx+1)get_pq(p,                  q + bleft,          idx+1)else:passreturn False'''
bits = 32p = 3571218643
q = 2389193687
n = p*q
#'0b11010100110111000111100011010011'
#'0b10001110011010000011001111010111'
# 0b00111111000100000110111010100010
#0b111011001101000111011111011000011010000111100111000001000110101
hint = 0b00111111000100000110111010100010
'''
hint = bin(hint)[2:].zfill(bits)
print('h:',hint)
p = (1<<(bits-1))+1
q = (1<<(bits-1))+1
get_pq(p,q,1)

然后解出flag但不知道对不对，因为已经不让提交验证了，中间的...不知道应不应该去掉。

from gmpy2 import invert
from Crypto.Util.number import long_to_bytesn = 153342396916538105228389844604657707491428056788672847550697727306332965113688161734184928502340063389805944751606853233980691631740462201365232680640173140929264281005775085463371950848223467977601447652530169573444881112823791610262204408257868244728097216834146410851717107402761308983285697611182983074893
e = 65537
ct = 107338230886326277184470602423206077959904409598566827958776297403757505756279110769758655388775872785351736575087710060126451130008864605660316323321121912126865044237770131409575047987371810396491057938456745767097179158355665973273718023399000209954399981644938965035820182118954653379531056336561902214503p = 12920353645099492619679479666991160896328428450834965756045573491194784306188917862917632728418934103419607380552154374379706857085564196243344264957706273
q = 11868281714928035840885653003726705720903252216809943086581667759016897601381945357803011950846537123774369112630185360831707791214422115674941823460064941phi = (p-1)*(q-1)
d = invert(e,phi)
m = pow(ct,d,n)
print(long_to_bytes(m))
#b'_wH0_l16h73N5_tHe_BurD3nS_0F_4n07h3R.-_-}'
# cvctf{n0_On3_1S_u53l355_1n_7h15_w0r1d_..._wH0_l16h73N5_tHe_BurD3nS_0F_4n07h3R.-_-}

Reverse

Baby Reverse

用文本编辑器打开二进制文件就能看到flag

Basic Transforms

一个js文件

var readline = require('readline');
var Crypto = require('vigenere');var rl = readline.createInterface({input: process.stdin,output: process.stdout,terminal: false
});rl.on('line', function(line){if (line.length == 20 && line.startsWith("cvctf{") && line.endsWith("}")) {var cat = Crypto.encode(line.substring(6, line.length - 1), "nodejsisfun").split('').map(function(c) {return String.fromCharCode(c.charCodeAt(0) + 1);}).join('');if (Buffer.from(cat.split("").reverse().join("")).toString('base64') == "QUlgNGoxT2A2empxMQ==") {console.log("Correct!");}}
});

用node.js处理的js程序，先进行维吉尼亚编码,再每个+1，再反转，再base64，简单是简单，但维吉尼亚函数node.js上是非标的，需要安装node.js,感觉这个有硬推软件的嫌疑。

French

法国密码，原来有过一个题印象深刻，法国密码就是维吉尼亚密码，不过这题跟这个没关系

  strcpy(v10, "GEL DESINFECTANT POUR LES MAINS");fread(ptr, 1uLL, 0x17uLL, _bss_start);v6[0] = 0x5FF83441E17900E5LL;v6[1] = 0xDF970AF589793ADLL;v7 = 1229849353;v8 = -27939;v9 = -73;rc4_crypt(v6, 23LL, v10, 31LL);for ( i = 0; i <= 0x16; ++i ){if ( *((_BYTE *)v6 + (int)i) != ptr[i] )return 1;}puts("Correct!");

先对v6解密，然后跟输入比较，只要跟进去到比较这断下来就能看到flag

World Cup Predictions

世界杯预测，里边写的很明白，先输入啥后输入啥

from pwn import *context.log_level = 'debug'p = remote('137.184.215.151', 22611)a = b'Netherlands,England,Argentina,Senegal,Japan,Brazil,Iran,USA'.split(b',')
b = b'Argentina'for v in a:p.sendlineafter(b':', v)p.sendlineafter(b"[+] Stage 2: Predict the winner!\n", b)p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()

Super Guesser

猜数，pyc的编译程序，到网站上逆回来，很明白，就是直接爆破字符

import hashlib
import re
hashes = ['d.0.....f5...5.6.7.1.30.6c.d9..0','1b.8.1.c........09.30.....64aa9.','c.d.1.53..66.4.43bd.......59...8','.d.d.076........eae.3.6.85.a2...']def main():guesses = []for i in range(len(hashes)):guess = input('Guess: ')if not len(guess) <= 4 and len(guess) >= 6 or re.match('^[a-z]+$', guess):exit('Invalid')if not re.match('^' + hashes[i].replace('.', '[0-9a-f]') + '$', hashlib.md5(guess.encode()).hexdigest()):exit('Invalid')guesses.append(guess)print(f'''Flag: {guesses[0]}''' + '{' + ''.join(guesses[1:]) + '}')#if __name__ == '__main__':
#    main()import string 
tab = string.ascii_lowercase
for i in tab:for j in tab:for k in tab:for l in tab:for m in tab:aa = i+j+k+l+mvv = hashlib.md5(aa.encode()).hexdigest()for _ in range(4):if re.match('^' + hashes[_].replace('.', '[0-9a-f]') + '$', vv):print(_, aa)
'''
cvctf{hashisnotguessy}
'''

Boost Game

这个程序里很乱，下断点后根据判断得到5个数字，在结束前下断点得到flag

232665
1332123
7300
1060456
1282900
Congrats, flag is: cvctf{2326651332123730010604561282900}

Baby CUDA

c++的程序很乱找不着北

后边两个同样。