长城杯wp
CRYPTO
RSA1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| step 1:
p = 3570689330324393
q = 8539449885098290729
c = 11499128260801730440456056246212361
e = 17
求m
step2:
e=0x10001
c= 0x8a20cca012e973b2a8ca161bd1e82804714cc75bd1238f8579cc7a5143c8bb955320b8c2811dc98a4547e9f4fe856e039630
n= 0xe708251f8e8b616121419de1369f44b4a92f9641b8270ae6c50cef2bb6548de7633176399640a553cc764ab02decfd4cbe45
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| import gmpy2
from Crypto.Util.number import *
p = 3570689330324393
q = 8539449885098290729
c = 11499128260801730440456056246212361
e = 17
n=p*q
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m1=pow(c,d,n)
e=0x10001
c= 0x8a20cca012e973b2a8ca161bd1e82804714cc75bd1238f8579cc7a5143c8bb955320b8c2811dc98a4547e9f4fe856e039630
n= 0xe708251f8e8b616121419de1369f44b4a92f9641b8270ae6c50cef2bb6548de7633176399640a553cc764ab02decfd4cbe45
p = 1235542029039790988583258906107
q = 1235542029039790988583258906103
r = 1235542029039790988583258906163
s = 1235542029039790988583258906019
n=p*q*r*s
phi=(p-1)*(q-1)*(r-1)*(s-1)
d=gmpy2.invert(e,phi)
m2=pow(c,d,n)
print(long_to_bytes(m1)+long_to_bytes(m2)+b'}')
|
problem
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| import numpy as np
from secret import flag
def gravity(n,d=0.25):
A=np.zeros([n,n])
for i in range(n):
for j in range(n):
A[i,j]=d/n*(d**2+((i-j)/n)**2)**(-1.5)
return A
n=len(flag)
A=gravity(n)
x=np.array(list(flag))
b=A@x
np.savetxt('b.txt',b)
|
https://su-team.cn/passages/2022-2-28-SUSCTF/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
| import numpy as np
b = '''3.653380741019428797e+02
3.829348279538775159e+02
4.004257980004889532e+02
4.176944292792331339e+02
4.346303893364645887e+02
4.511328235950388716e+02
4.671129885608525001e+02
4.824961130988823470e+02
4.972224159317515841e+02
5.112472890991406302e+02
5.245407330215357433e+02
5.370861907152836920e+02
5.488789697709385109e+02
5.599244561523710217e+02
5.702363118210398625e+02
5.798348106134365025e+02
5.887454100986311687e+02
5.969975917422082148e+02
6.046239403632639551e+02
6.116593889049138397e+02
6.181405346943840868e+02
6.241049414214107856e+02
6.295903729819167438e+02
6.346339513469938538e+02
6.392712778511838678e+02
6.435355931639111304e+02
6.474570665963692591e+02
6.510622968029380218e+02
6.543740761160972852e+02
6.574114277566009150e+02
6.601898800636890883e+02
6.627219058225809931e+02
6.650174360076302946e+02
6.670843591835541702e+02
6.689289382235431276e+02
6.705561080544453034e+02
6.719696524780956679e+02
6.731722857205088530e+02
6.741656791346915725e+02
6.749504738581216543e+02
6.755263092044212954e+02
6.758918802194680211e+02
6.760450227999515391e+02
6.759828157869153529e+02
6.757016878388553778e+02
6.751975206792983499e+02
6.744657457122552842e+02
6.735014344953478940e+02
6.722993835499912620e+02
6.708541911831009656e+02
6.691603205574140247e+02
6.672121412563429885e+02
6.650039417550423195e+02
6.625299065386312805e+02
6.597840521403761613e+02
6.567601145259868645e+02
6.534513760321005975e+02
6.498504155119339885e+02
6.459487639524807037e+02
6.417364532425046946e+02
6.372014601736235591e+02
6.323290706556949772e+02
6.271012169780441354e+02
6.214958678310563300e+02
6.154865699906779355e+02
6.090422464759122931e+02
6.021273458417706479e+02
5.947024119149082253e+02
5.867251068822770321e+02
5.781516794116279243e+02
5.689388298736698744e+02
5.590458917430299834e+02
5.484372243067989530e+02
5.370846965991265733e+02
5.249701337618150774e+02
5.120875920842229334e+02
4.984453262002622296e+02
4.840673119230158363e+02
4.689941939012365992e+02
4.532835429434750267e+02
4.370093373305306272e+02
4.202606273426101779e+02
4.031394006941143857e+02
3.857577330220540262e+02
3.682343735960123468e+02'''
b = b.split('\n')
b = [each[:-4] for each in b]
b = [int(each.replace('.', '')) for each in b]
def gravity(n,d=0.25):
A=np.zeros([n,n])
for i in range(n):
for j in range(n):
A[i,j]=d/n*(d**2+((i-j)/n)**2)**(-1.5)
return A
A = gravity(85) * 10^18
A = [[int(each2) for each2 in each1] for each1 in A]
M = []
for i in range(85):
M.append(A[i] + [0] * i + [1] + [0] * (84 - i))
M.append(b + [0] * 85)
M = Matrix(ZZ, M)
L = M.LLL()
ans = L[0]
print(bytes(-(ans[85:])))
|
MISC
cloacked
得到没有头的压缩包
补上头
得到压缩内的内容
有隐写内容。密码是elephant的lsb隐写
Web
Xff
原题借鉴cisn2019的题目https://www.cnblogs.com/traverller-2333/p/16425238.html
1
| {if readfile('/flag')}{/if}
|
得到flag
Re
login
题目打开后是一眼z3
但是莫名其妙写出来没有解或多个解 然后想到了angr符号执行直接去检索到含有checkok的地方,然后输出结果即可 angr脚本如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| import angr
def find_solution(state):
return b"check ok~!" in state.posix.dumps(1)
def main():
project = angr.Project('./main', auto_load_libs=False)
state = project.factory.entry_state()
sim = project.factory.simgr(state)
sim.explore(find=find_solution)
if sim.found:
res = sim.found[0]
res = res.posix.dumps(0)
solution = res.decode("utf-8")
print("flag is: flag{{{}}}".format(solution))
if __name__ == "__main__":
main()
|
