文章目录
- 通往哈希的旅程
- 小哈斯
- RSA1
- ez_rsa
通往哈希的旅程
根据提示推断是哈希函数,ai一下,推测大概率是一个sha1,让ai写一个爆破脚本即可
import hashlib
# 给定目标 SHA-1 哈希值
target_hash = "ca12fd8250972ec363a16593356abb1f3cf3a16d"
# 前三位固定为 188
prefix = "188"
# 暴力破解后 8 位
for i in trange(100000000): # 从00000000到99999999
# 生成8位数字,保证是8位数(补零)
number = f"{i:08d}"
# 完整的输入是 188 + 后 8 位数字
input_data = prefix + number
# 计算 SHA-1 哈希值
sha1_hash = hashlib.sha1(input_data.encode()).hexdigest()
# 比较哈希值是否匹配
if sha1_hash == target_hash:
print(f"Found the input: {input_data}")
break
else:
print("No match found.")
小哈斯
打开文件,发现与上一题很相似,试着用md5在线网站解第一行内容,解出的结果为1,且类型为sha1,那么目标就很明确了,每一行进行一次hash爆破
import hashlib
t=string.digits+string.ascii_letters+string.punctuation
ans=[-1]*137
cnt=0
# 给定目标 SHA-1 哈希值
with open('1.txt','r',encoding='utf-8') as f:
lines = f.readlines()
print(lines)
for line in lines:
cnt += 1
for i in t:
# 计算 SHA-1 哈希值
sha1_hash = hashlib.sha1(i.encode()).hexdigest()
# 比较哈希值是否匹配
if sha1_hash == line.strip():
ans[cnt]=i
print(i)
else:
print("No match found.")
jo=''.join(map(str,ans))
print(jo)
RSA1
这里借用群里Dexter jie大佬的博客
打的时候是把前面基本都推出来了,但是没想到copper还能用于位数不大的e的求解,这道题e只有128位,因此可以用copper
-
e很小,因此可以直接放到同余方程里,不会影响结果
-
2025和2835有公因数405,因此可以用小次数消去m2
-
m2是由m1经由凯撒加密变换来的,但是注意到只是加3,观察ascll表字符,发现可能只有}会受到取余的影响
-
展开式可以类比二进制的展开式,我将它称为字节进制的展开式,即以字节为单位进行计算,这也是bytes_to_long函数的计算原理
-
m2-m1是一个固定值,取余运算可忽略(如果真的产生了对照ascll表把特殊字符还原即可),这个固定值可以自己生成一组值,一减就出来了
-
m是比n大的,所以要小范围爆破
-
最后在调试代码部分也费了很大功夫
from Crypto.Util.number import *
from libnum import *
import sys
sys.setrecursionlimit(500000)#将默认1000层递归深度提升至500000
n= 176871561120476589165761750300633332586877708342448994506175624203633860119621512318321172927876389631918300184221082317741380365447197777026256405312212716630617721606918066048995683899616059388173629437673018386590043053146712870572300799479269947118251011967950970286626852935438101046112260915112568392601
c1 = 47280375006817082521114885578132104427687384457963920263778661542552259860890075321953563867658233347930121507835612417278438979006705016537596357679038471176957659834155694284364682759675841808209812316094965393550509913984888849945421092463842546631228640293794745005338773574343676100121000764021207044019
c2 = 176231410933979134585886078013933649498379873444851943224935010972452769899603364686158279269197891190643725008151812150428808550310587709008683339436590112802756767140102136304346001599401670291938369014436170693864034099138767167055456635760196888578642643971920733784690410395944410255241615897032471127315
c3 = 135594807884016971356816423169128168727346102408490289623885211179619571354105102393658249292333179346497415129785184654008299725617668655640857318063992703265407162085178885733134590524577996093366819328960462500124201402816244104477018279673183368074374836717994805448310223434099196774685324616523478136309
PR.<x> = PolynomialRing(Zmod(n))
f=(c3-x)^5-c2^7
f=f.monic()
root=f.small_roots(2**128,beta=0.4,epsilon=0.015)
if root:
e=int(root[0])
print(e)
e=281211879955223558268422413173406510291
b=138604255630984394504644405862999441108691457990544710059664868220625513430462483763119797291779992529360824019886958759717736876661453044335745573603330761817432828924688993026332102549607397901351619425324993583087500714061523945925857368498922102768458574857510324727265052999967460998294909713988129273348867
def HGCD(a, b):
if 2 * b.degree() <= a.degree() or a.degree() == 1:
return 1, 0, 0, 1
m = a.degree() // 2
a_top, a_bot = a.quo_rem(x^m)
b_top, b_bot = b.quo_rem(x^m)
R00, R01, R10, R11 = HGCD(a_top, b_top)
c = R00 * a + R01 * b
d = R10 * a + R11 * b
q, e = c.quo_rem(d)
d_top, d_bot = d.quo_rem(x^(m // 2))
e_top, e_bot = e.quo_rem(x^(m // 2))
S00, S01, S10, S11 = HGCD(d_top, e_top)
RET00 = S01 * R00 + (S00 - q * S01) * R10
RET01 = S01 * R01 + (S00 - q * S01) * R11
RET10 = S11 * R00 + (S10 - q * S11) * R10
RET11 = S11 * R01 + (S10 - q * S11) * R11
return RET00, RET01, RET10, RET11
def GCD(a, b):
print(a.degree(), b.degree())
q, r = a.quo_rem(b)
if r == 0:
return b
R00, R01, R10, R11 = HGCD(a, b)
c = R00 * a + R01 * b
d = R10 * a + R11 * b
if d == 0:
return c.monic()
q, r = c.quo_rem(d)
if r == 0:
return d
return GCD(d, r)
PR.<x> = PolynomialRing(Zmod(n))
f=c1-(e*x)^2835
g=c2-(x+b)^2025
res=GCD(f,g)
m=int(-res.monic().coefficients()[0])
print(f'm={m}')
m=169566881296280536230561129157151622566504043926679156667071395769823565229041445364663653128728776719686646238643163970346144733740570892537769104873476638766502858266706871058713811974921647126159418457230812714218445199879590506393283382966594445673462477218575655861719659885889626296053470513451622819648
for i in range(2^20):
mm=m+i*n
flag=long_to_bytes(mm)
if b'flag' in flag:
print(flag)
ez_rsa
from secret import flag
from Crypto.Util.number import *
import hashlib
p = getPrime(512)
q = getPrime(512)
N = p * q
e = getPrime(1023)
assert e < N
c = pow(bytes_to_long(flag), e, N)
print(f'{N = }')
print(f'{e = }')
print(f'{c = }')
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
k = (e * d - 1) // phi
dh = d >> 234
dl = d % pow(2, 24)
kh = k >> 999
hash224 = bytes_to_long(hashlib.sha224(long_to_bytes(dl)).digest())
hash512 = bytes_to_long(hashlib.sha512(long_to_bytes(kh)).digest())
leak = hash224 ^ hash512 ^ (k % pow(2, 512))
print(f'{dh = }')
print(f'{leak = }')
'''
N = 136118062754183389745310564810647775266982676548047737735816992637554134173584848603639466464742356367710495866667096829923708012429655117288119142397966759435369796296519879851106832954992705045187415658986211525671137762731976849094686834222367125196467449367851805003704233320272315754132109804930069754909
e = 84535510470616870286532166161640751551050308780129888352717168230068335698416787047431513418926383858925725335047735841034775106751946839596675772454042961048327194226031173378872580065568452305222770543163564100989527239870852223343451888139802496983605150231009547594049003160603704776585654802288319835839
c = 33745401996968966125635182001303085430914839302716417610841429593849273978442350942630172006035442091942958947937532529202276212995044284510510725187795271653040111323072540459883317296470560328421002809817807686065821857470217309420073434521024668676234556811305412689715656908592843647993803972375716032906
dh = 4640688526301435859021440727129799022671839221457908177477494774081091121794107526784960489513468813917071906410636566370999080603260865728323300663211132743906763686754869052054190200779414682351769446970834390388398743976589588812203933
leak = 12097621642342138576471965047192766550499613568690540866008318074007729495429051811080620384167050353010748708981244471992693663360941733033307618896919023
'''
这个没太搞懂,等后续出更清楚的博客再来复现吧
