网鼎杯不同组的密码题目

青龙组

crypto091

根据提示可以知道前6为，为861709，然后爆破后七位就行了

import hashlib
for password in range(8617090000000,8617099999999):
    password=str(password)
    hash_password = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if hash_password == "c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc" :
        print(hash_password)
        print("flag{"+password+"}")
        break

crypto162

from secret import flag
from hashlib import md5,sha256
from Crypto.Cipher import AES
cof_t = [[353, -1162, 32767], [206, -8021, 42110], [262, -7088, 31882], [388, -6394, 21225], [295, -9469, 44468], [749, -3501, 40559], [528, -2690, 10210], [354, -5383, 18437], [491, -8467, 26892], [932, -6984, 20447], [731, -6281, 11340], [420, -5392, 44071], [685, -6555, 40938], [408, -8070, 47959], [182, -9857, 49477], [593, -3584, 49243], [929, -7410, 31929], [970, -4549, 17160], [141, -2435, 36408], [344, -3814, 18949], [291, -7457, 40587], [765, -7011, 32097], [700, -8534, 18013], [267, -2541, 33488], [249, -8934, 12321], [589, -9617, 41998], [840, -1166, 22814], [947, -5660, 41003], [206, -7195, 46261], [784, -9270, 28410], [338, -3690, 19608], [559, -2078, 44397], [534, -3438, 47830], [515, -2139, 39546], [603, -6460, 49953], [234, -6824, 12579], [805, -8793, 36465], [245, -5886, 21077], [190, -7658, 20396], [392, -7053, 19739], [609, -5399, 39959], [479, -8172, 45734], [321, -7102, 41224], [720, -4487, 11055], [208, -1897, 15237], [890, -4427, 35168], [513, -5106, 45849], [666, -1137, 23725], [755, -6732, 39995], [589, -6421, 43716], [866, -3265, 30017], [416, -6540, 34979], [840, -1305, 18242], [731, -6844, 13781], [561, -2728, 10298], [863, -5953, 23132], [204, -4208, 27492], [158, -8701, 12720], [802, -4740, 16628], [491, -6874, 29057], [531, -4829, 29205], [363, -4775, 41711], [319, -9206, 46164], [317, -9270, 18290], [680, -5136, 12009], [880, -2940, 34900], [162, -2587, 49881], [997, -5265, 20890], [485, -9395, 23048], [867, -1652, 18926], [691, -7844, 11180], [355, -5990, 13172], [923, -2018, 23110], [214, -4719, 23005], [921, -9528, 29351], [349, -7957, 20161], [470, -1889, 46170], [244, -6106, 23879], [419, -5440, 43576], [930, -1123, 29859], [151, -5759, 23405], [843, -6770, 36558], [574, -6171, 33778], [772, -1073, 44718], [932, -4037, 40088], [848, -5813, 27304], [194, -6016, 39770], [966, -6789, 14217], [219, -6849, 40922], [352, -6046, 18558], [794, -8254, 29748], [618, -5887, 15535], [202, -9288, 26590], [611, -4341, 46682], [155, -7909, 16654], [935, -5739, 39342], [998, -6538, 24363], [125, -5679, 36725], [507, -7074, 15475], [699, -5836, 47549]]
 
defcal(i,cof):
if i < 3:
return i+1
else:
return cof[2]*cal(i-3,cof)+cof[1]*cal(i-2,cof)+cof[0]*cal(i-1,cof)
 
s = 0
for i inrange(100):
s += cal(200000,cof_t[i])
 
print(s)
s = str(s)[-2000:-1000]
key = md5(s).hexdigest().decode('hex')
check = sha256(key).hexdigest()
verify = '2cf44ec396e3bb9ed0f2f3bdbe4fab6325ae9d9ec3107881308156069452a6d5'
assert(check == verify)
aes = AES.new(key,AES.MODE_ECB)
data = flag + (16-len(flag)%16)*"\x00"
print (aes.encrypt(data).encode('hex'))
#4f12b3a3eadc4146386f4732266f02bd03114a404ba4cb2dabae213ecec451c9d52c70dc3d25154b5af8a304afafed87

这个当时我并没有出来，其实这里想办法把递归式变成矩阵，也就是矩阵快速幂来进行求解

可以看看这个https://blog.csdn.net/wdq347/article/details/8919645

和https://www.hackerearth.com/practice/notes/solving-linear-recurrence-relation/这个

来学习一下如何构造，然后再用sagemath来进行求解

当然先看一下代码逻辑主体部分

defcal(i,cof):
	if i < 3:
		return i+1
	else:
		return cof[2]*cal(i-3,cof)+cof[1]*cal(i-2,cof)+cof[0]*cal(i-1,cof)
 

前3个的值为1，2，3，后面就是递推式了，可以构造这个矩阵

[[1,2,3]

[1,0,0]

[0,1,0]]

和

[[cof(n)]

[cof(n-1)]

[cof(n-2)]]

当然n要大于5

然后exp为这个

from hashlib import md5, sha256
from Crypto.Cipher import AES
 
cof_t = [[353, -1162, 32767], [206, -8021, 42110], [262, -7088, 31882], [388, -6394, 21225], [295, -9469, 44468], [749, -3501, 40559], [528, -2690, 10210], [354, -5383, 18437], [491, -8467, 26892], [932, -6984, 20447], [731, -6281, 11340], [420, -5392, 44071], [685, -6555, 40938], [408, -8070, 47959], [182, -9857, 49477], [593, -3584, 49243], [929, -7410, 31929], [970, -4549, 17160], [141, -2435, 36408], [344, -3814, 18949], [291, -7457, 40587], [765, -7011, 32097], [700, -8534, 18013], [267, -2541, 33488], [249, -8934, 12321], [589, -9617, 41998], [840, -1166, 22814], [947, -5660, 41003], [206, -7195, 46261], [784, -9270, 28410], [338, -3690, 19608], [559, -2078, 44397], [534, -3438, 47830], [515, -2139, 39546], [603, -6460, 49953], [234, -6824, 12579], [805, -8793, 36465], [245, -5886, 21077], [190, -7658, 20396], [392, -7053, 19739], [609, -5399, 39959], [479, -8172, 45734], [321, -7102, 41224], [720, -4487, 11055], [208, -1897, 15237], [890, -4427, 35168], [513, -5106, 45849], [666, -1137, 23725], [755, -6732, 39995], [589, -6421, 43716], [866, -3265, 30017], [416, -6540, 34979], [840, -1305, 18242], [731, -6844, 13781], [561, -2728, 10298], [863, -5953, 23132], [204, -4208, 27492], [158, -8701, 12720], [802, -4740, 16628], [491, -6874, 29057], [531, -4829, 29205], [363, -4775, 41711], [319, -9206, 46164], [317, -9270, 18290], [680, -5136, 12009], [880, -2940, 34900], [162, -2587, 49881], [997, -5265, 20890], [485, -9395, 23048], [867, -1652, 18926], [691, -7844, 11180], [355, -5990, 13172], [923, -2018, 23110], [214, -4719, 23005], [921, -9528, 29351], [349, -7957, 20161], [470, -1889, 46170], [244, -6106, 23879], [419, -5440, 43576], [930, -1123, 29859], [151, -5759, 23405], [843, -6770, 36558], [574, -6171, 33778], [772, -1073, 44718], [932, -4037, 40088], [848, -5813, 27304], [194, -6016, 39770], [966, -6789, 14217], [219, -6849, 40922], [352, -6046, 18558], [794, -8254, 29748], [618, -5887, 15535], [202, -9288, 26590], [611, -4341, 46682], [155, -7909, 16654], [935, -5739, 39342], [998, -6538, 24363], [125, -5679, 36725], [507, -7074, 15475], [699, -5836, 47549]]
 
def cal(i, cof):
 if i < 3:
 return i + 1
 else:
 return cof[2] * cal(i - 3, cof) + cof[1] * cal(i - 2, cof) + cof[0] * cal(i - 1, cof)
 
def cal_m(i, cof):
    M = Matrix(ZZ, [[cof[0], cof[1], cof[2]], [1, 0, 0], [0, 1, 0]])
    b = vector(ZZ, [cal(5, cof), cal(4, cof), cal(3, cof)])
    b = M ^ (i - 5) * b
 return int(b[0])
 
s = 0
for i in range(100):
    s += cal_m(200000, cof_t[i])
 
s = str(s)[-2000:-1000]
key = bytes.fromhex(md5(s.encode()).hexdigest())
check = sha256(key).hexdigest()
verify = '2cf44ec396e3bb9ed0f2f3bdbe4fab6325ae9d9ec3107881308156069452a6d5'
assert (check == verify)
aes = AES.new(key, AES.MODE_ECB)
# 4f12b3a3eadc4146386f4732266f02bd03114a404ba4cb2dabae213ecec451c9d52c70dc3d25154b5af8a304afafed87
c = '4f12b3a3eadc4146386f4732266f02bd03114a404ba4cb2dabae213ecec451c9d52c70dc3d25154b5af8a304afafed87'
c = bytes.fromhex(c)
print(aes.decrypt(c))
# b'flag{519427b3-d104-4c34-a29d-5a7c128031ff}\x00\x00\x00\x00\x00\x00'

crypto405

from Crypto.Util.number import *
from random import randrange
 
from grassfield import flag
 
p = getPrime(16)
 
k = [randrange(1,p) for i inrange(5)]
 
for i inrange(len(flag)):
grasshopper = flag[i]
for j inrange(5):
k[j] = grasshopper = grasshopper * k[j] % p
print('Grasshopper#'+str(i).zfill(2)+':'+hex(grasshopper)[2:].zfill(4))

这里我们可以从flag的格式出发，flag的前五位为flag{,这是固定已经知道的，那么我们就可以从这里来出发推出一开始的k，但是k是变化的，这里也就是需要我们解决的部位，我们可以用k00，k01,k02,k03,k04来表示初始的，后一轮的为k10,k11,k12,k13,k14来表示，可以简单写一下过程

img

那么f的加密为k14，l的加密为k24，k23=k24*(k14)^-1modp,依次类推即可，exp为

from gmpy2 import invert,gcd
#利用flag格式flag{      }
know = b'flag{'
#爆破p
g = [0x2066, 0xa222, 0xcbb1, 0xdbb4, 0xdeb4, 0xb1c5, 0x33a4, 0xc051, 0x3b79, 0x6bf8, 0x2131, 0x2c40, 0x91ba, 0x7b44, 0x5f25, 0x0208, 0x7edb, 0x62b5, 0xcec5, 0x5ab3, 0x3c46, 0xc272, 0x714b, 0x9e0b, 0x48ee, 0x44cc, 0x05a0, 0x3da3, 0x11b1, 0x259f, 0x899d, 0xa130, 0xe58f, 0x23f3, 0x5829, 0x6beb, 0x3681, 0x0054, 0xa189, 0x2765, 0xc63d, 0xbc68]
maxg = max(g)
for p in range(maxg+1, 2**16):
    if gcd(know[0], p) == 1 and gcd(know[1], p) == 1 and gcd(know[2], p) == 1 and gcd(know[3], p) == 1 and gcd(know[4], p) == 1:
        g04 = g[0]

        g14 = g[1]
        if gcd(g04,p) != 1:
            continue
        g13 = g14 * invert(g04, p) % p

        g24 = g[2]
        if gcd(g14,p) != 1 or gcd(g13,p) != 1:
            continue
        g23 = g24 * invert(g14, p) % p
        g22 = g23 * invert(g13, p) % p

        g34 = g[3]
        if gcd(g24,p) != 1 or gcd(g23,p) != 1 or gcd(g22,p) != 1:
            continue
        g33 = g34 * invert(g24, p) % p
        g32 = g33 * invert(g23, p) % p
        g31 = g32 * invert(g22, p) % p

        g44 = g[4]
        if gcd(g34,p) != 1 or gcd(g33,p) != 1 or gcd(g32,p) != 1 or gcd(g31,p) != 1:
            continue
        g43 = g44 * invert(g34, p) % p
        g42 = g43 * invert(g33, p) % p
        g41 = g42 * invert(g32, p) % p
        g40 = g41 * invert(g31, p) % p

        k = [g40, g41, g42, g43, g44]
        flag = ''
        for i in range(5,42):
            _k = k[0]*k[1]*k[2]*k[3]*k[4]
            if gcd(_k, p) != 1:
                break
            alp = g[i] * invert(_k, p) % p
            flag += chr(alp)
            for j in range(5):
                k[j] = alp = alp * k[j] % p

        if flag.endswith('}'):
            print(f'p = {p}')
            print(flag.encode())

白虎组

crypto582

from Crypto.Util.number import getPrime
import hashlib

e = 2022
m = getPrime(512)
m1 = getPrime(512)
m2 = getPrime(512)
flag = m + m1 + m2
flag = hashlib.md5(str(flag).encode('utf-8')).hexdigest()  

c1 = pow(m+m1,e,m*m1)    
c2 = pow(m+m2,e,m*m2)    
c3 = pow(m1+m2,e,m1*m2)

x = pow(m1+2022,m,m*m1)
y = pow(m2+2022,m,m*m2)
z = pow(m+2022,m1,m*m1)

print('c1 =',c1)
print('c2 =',c2)
print('c3 =',c3)
print('x =',x)
print('y =',y)
print('z =',z)


'''
c1 =  85139434329272123519094184286276070319638471046264384499440682030525456122476228324462769126167628121006213531153927884870307999106015430909361792093581895091445829379547633304737916675926004298753674268141399550405934376072486086468186907326396270307581239055199288888816051281495009808259009684332333344687
c2 =  104554808380721645840032269336579549039995977113982697194651690041676187039363703190743891658905715473980017457465221488358016284891528960913854895940235089108270134689312161783470000803482494370322574472422461483052403826282470850666418693908817591349159407595131136843764544166774390400827241213500917391144
c3 =  94771625845449128812081345291218973301979152577131568497740476123729158619324753128517222692750900524689049078606978317742545997482763600884362992468406577524708622046033409713416026145377740182233674890063333534646927601262333672233695863286637817471270314093720827409474178917969326556939942622112511819330
x =  78237329408351955465927092805995076909826011029371783256454322166600398149132623484679723362562600068961760410039241554232588011577854168402399895992331761353772415982560522912511879304977362225597552446397868843275129027248765252784503841114291392822052506837132093960290237335686354012448414804030938873765
y =  100442166633632319633494450595418167608036668647704883492068692098914206322465717138894302011092841820156560129280901426898815274744523998613724326647935591857728931946261379997352809249780159136988674034759483947949779535134522005905257436546335376141008113285692888482442131971935583298243412131571769294029
z =  104712661985900115750011628727270934552698948001634201257337487373976943443738367683435788889160488319624447315127992641805597631347763038111352925925686965948545739394656951753648392926627442105629724634607023721715249914976189181389720790879720452348480924301370569461741945968322303130995996793764440204452
'''

img

没啥好说的，费马定理的利用

exp

c1 =  85139434329272123519094184286276070319638471046264384499440682030525456122476228324462769126167628121006213531153927884870307999106015430909361792093581895091445829379547633304737916675926004298753674268141399550405934376072486086468186907326396270307581239055199288888816051281495009808259009684332333344687
c2 =  104554808380721645840032269336579549039995977113982697194651690041676187039363703190743891658905715473980017457465221488358016284891528960913854895940235089108270134689312161783470000803482494370322574472422461483052403826282470850666418693908817591349159407595131136843764544166774390400827241213500917391144
c3 =  94771625845449128812081345291218973301979152577131568497740476123729158619324753128517222692750900524689049078606978317742545997482763600884362992468406577524708622046033409713416026145377740182233674890063333534646927601262333672233695863286637817471270314093720827409474178917969326556939942622112511819330
x =  78237329408351955465927092805995076909826011029371783256454322166600398149132623484679723362562600068961760410039241554232588011577854168402399895992331761353772415982560522912511879304977362225597552446397868843275129027248765252784503841114291392822052506837132093960290237335686354012448414804030938873765
y =  100442166633632319633494450595418167608036668647704883492068692098914206322465717138894302011092841820156560129280901426898815274744523998613724326647935591857728931946261379997352809249780159136988674034759483947949779535134522005905257436546335376141008113285692888482442131971935583298243412131571769294029
z =  104712661985900115750011628727270934552698948001634201257337487373976943443738367683435788889160488319624447315127992641805597631347763038111352925925686965948545739394656951753648392926627442105629724634607023721715249914976189181389720790879720452348480924301370569461741945968322303130995996793764440204452
from gmpy2 import *
e=2022
m=11323698514369171934509485270187482800747906221592420578818277215318591065610272211939730721658555842676447236708557849309772868815154841226050491067608493
print(m.bit_length())
m1=(x-2022)%m
m2=(y-2022)%m
m2=m2+m
cc1 = pow(m+m1,e,m*m1)
cc2 = pow(m+m2,e,m*m2)
cc3 = pow(m1+m2,e,m1*m2)
xx = pow(m1+2022,m,m*m1)
yy = pow(m2+2022,m,m*m2)
zz = pow(m+2022,m1,m*m1)
assert x==xx
assert y==yy
assert z==zz
import hashlib
flag = m + m1 + m2
flag = hashlib.md5(str(flag).encode('utf-8')).hexdigest()
print("flag{"+flag+"}")

玄武组

Crypto-967

先观察是否平滑

然后用yafu进行分解（n-1）

可以分解出来

可以得到这些数字

x是64bit素数

所以我们可以在子群上进行个求解，去除大素数。

m = 696376465415968446607383675953857997
c = 75351884040606337127662457946455960228423443937677603718170904462378938882502061014476822055783421908392386804380503123596242003758891619926133807099465797120624009076182390781918339985157326114840926784410018674639537246981505937318380179042568501449024366208980139650052067021073343322300422190243015076307
n = 135413548968824157679549005083702144352234347621794899960854103942091470496598900341162814164511690126111049767046340801124977369460415208157716471020260549912068072662740722359869775486486528791641600354017790255320219623493658736576842207668208174964413000049133934516641398518703502709055912644416582457721

G=Zmod(n) 
factors=[587,28142457071,395710839697] 
order=n-1#光滑
m=G(m) 
c=G(c) 
dlogs=[] 
for fac in factors: 
    t=order//fac
    y=c^t#c的t次方 
    g=m^t #m的t次方
    dlog=discrete_log(c^t,m^t) 
    dlogs.append(int(dlog)) 
    print(dlog) 
print(crt(dlogs,factors)) 

可以得出x

然后常规解密

rom Crypto.Util.number import *
import random,gmpy2,sympy
m = 696376465415968446607383675953857997
c = 75351884040606337127662457946455960228423443937677603718170904462378938882502061014476822055783421908392386804380503123596242003758891619926133807099465797120624009076182390781918339985157326114840926784410018674639537246981505937318380179042568501449024366208980139650052067021073343322300422190243015076307
n = 135413548968824157679549005083702144352234347621794899960854103942091470496598900341162814164511690126111049767046340801124977369460415208157716471020260549912068072662740722359869775486486528791641600354017790255320219623493658736576842207668208174964413000049133934516641398518703502709055912644416582457721
c1 = 209941170134628207830310059622280988835086910150451946264595015050300510031560522999562095124692878755896950865676914790595999182721583547184333760954091880805688518459046880395477235753285839380764579025127254060855545
c2 = 4803339369764546990337396010353372745379378328671778873584350940089623041410194355125962064067657967062926344955874581199853582279928946579389671271191196
p = 6809372619970287379746941806942051353536181082328454067824596651780784704823185066486367854653297514943018290212240504418345108411269306758069486928594027
g = 12575636661436726898107254102531343862656456137827822292892883099464907172061178954026138165159168595086335202285503403441736394399853074532771428483593753
k = 4521228602593215445063533369342315270631623025219518143209270060218625289087470505221974748605346084266802332207199304586313352026660695691783656769488472
x=17271504622210389511
print(long_to_bytes(c1*pow(c2,-x,p)%p))