Week1

InfantRSA

1
2
3
4
5
6
7
8
9
10
11
from Crypto.Util.number import *

p = 681782737450022065655472455411
q = 675274897132088253519831953441
e = 13
c = 275698465082361070145173688411496311542172902608559859019841

d = inverse(e, (p-1)*(q-1))
m = pow(c, d, p*q)
print(long_to_bytes(m))
>>> b'hgame{t3Xt6O0k_R5A!!!}'

Affine

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from Crypto.Util.number import *

TABLE = 'zxcvbnmasdfghjklqwertyuiop1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
MOD = len(TABLE)
c = 'A8I5z{xr1A_J7ha_vG_TpH410}'

C2I = TABLE.find
A = (C2I('A') - C2I('8')) * inverse(C2I('h')-C2I('g'), MOD) % MOD
B = (C2I('A') - A*C2I('h')) % MOD

m = ''
for b in c:
ii = TABLE.find(b)
if ii == -1:
m += b
else:
i = (ii - B) * inverse(A, MOD) % MOD
m += TABLE[i]
print(m)
>>> 'hgame{M4th_u5Ed_iN_cRYpt0}'

Reorder

1
2
3
4
5
6
7
8
import string
m = string.ascii_letters[:32]
c = 'gnopfedabjhlmkicwDEFvutqrzxBCAys'

f = 'jmpL{emhgtU5I+$au!!}mRe3_TT0niAP'
for i in m:
print(f[c.index(i)], end='')
>>> hgame{jU$t+5ImpL3_PeRmuTATi0n!!}

Week2

Remainder

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

from Crypto.Util.number import *
from libnum import solve_crt

e = 0x10001

p = 94598296305713376652540411631949434301396235111673372738276754654188267010805522542068004453137678598891335408170277601381944584279339362056579262308427544671688614923839794522671378559276784734758727213070403838632286280473450086762286706863922968723202830398266220533885129175502142533600559292388005914561
q = 150088216417404963893679242888992998793257903343994792697939121738029477790454833496600101388493792476973514786401036309378542808470513073408894727406158296404360452232777491992630316999043165374635001806841520490997788796152678742544032835808854339130676283497122770901196468323977265095016407164510827505883
r = 145897736096689096151704740327665176308625097484116713780050311198775607465862066406830851710261868913835866335107146242979359964945125214420821146670919741118254402096944139483988745450480989706524191669371208210272907563936516990473246615375022630708213486725809819360033470468293100926616729742277729705727

c1 = 78430786011650521224561924814843614294806974988599591058915520397518526296422791089692107488534157589856611229978068659970976374971658909987299759719533519358232180721480719635602515525942678988896727128884803638257227848176298172896155463813264206982505797613067215182849559356336015634543181806296355552543
c2 = 49576356423474222188205187306884167620746479677590121213791093908977295803476203510001060180959190917276817541142411523867555147201992480220531431019627681572335103200586388519695931348304970651875582413052411224818844160945410884130575771617919149619341762325633301313732947264125576866033934018462843559419
c3 = 48131077962649497833189292637861442767562147447040134411078884485513840553188185954383330236190253388937785530658279768620213062244053151614962893628946343595642513870766877810534480536737200302699539396810545420021054225204683428522820350356470883574463849146422150244304147618195613796399010492125383322922

c = solve_crt([c1, c2, c3], [p, q, r])
d = inverse(e, (p - 1) * (q - 1) * (r - 1))
m = long_to_bytes(pow(c, d, p * q * r)).decode()

flag = ''
for l in m.split('\n')[3:-3]:
flag += l[:2]
print(flag)
>>> 'hgame{CrT_w0Nt+6Oth3R_mE!!!}'

Verification_code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *
from Crypto.Util.number import *
import re
import string
import hashlib

sh = remote('127.0.0.1', 10000)
def proof_of_work():
rec = sh.recvline().decode()
suffix = re.findall(r'\(XXXX\+(.*?)\)', rec)[0]
digest = re.findall(r'== (.*?)\n', rec)[0]

print(suffix, digest)

def f(x):
return hashlib.sha256((x + suffix).encode()).hexdigest() == digest

prefix = util.iters.mbruteforce(
f, string.ascii_letters + string.digits, 4, 'fixed')
sh.sendlineafter('Give me XXXX: ', prefix)

proof_of_work()
sh.sendlineafter('> ', 'I like playing Hgame')
sh.interactive()

>>> hgame{It3Rt0O|S+I5_u$3fu1~Fo2_6rUtE-f0Rc3}

Week3

RSA?

1
2
3
4
5
6
7
c = 2166906408965390116437761185603075699086315246646982132520792868301615462732707695943058783211233589602162482847874299962577512765886861573898075548033678
q = 95476159140358852660572143425801843414366266400633576268276298731539374363607
n = 7236834786093916009325417235344284284391050287273422058348241360770131423240807259717864686885012301293921328397391157761688776563780348734483657156421779

assert isPrime(n)
print(long_to_bytes(tonelli_shanks(c, n)))
>>> b'hgame{eaa5262c-4631-46ef-a97b-53277ab7e1d8}'

Exchange

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
from pwn import *
from Crypto.Util.number import *
import re
import string
import hashlib
import random


sh = remote('127.0.0.1', 10001)

def proof_of_work():
rec = sh.recvline().decode()
suffix = re.findall(r'\(XXXX\+(.*?)\)', rec)[0]
digest = re.findall(r'== (.*?)\n', rec)[0]

print(suffix, digest)

def f(x):
return hashlib.sha256((x + suffix).encode()).hexdigest() == digest

prefix = util.iters.mbruteforce(f, string.ascii_letters + string.digits, 4, 'fixed')
sh.sendlineafter('Give me XXXX: ', prefix)

proof_of_work()

sh.sendlineafter('Key Exchange first.\n\n', '')
sh.recvuntil('Alice: p = ')
p = int(sh.recvline().strip())
sh.recvuntil('Alice: g = ')
g = int(sh.recvline().strip())

print(f'p = {p}\ng = {g}')

sh.sendline()
sh.recvlines(5)
sh.sendline()

rev = sh.recvuntil('(yes/no)').decode()
A = int(re.search(r'A = (\d+)\n', rev).groups()[0])
print(f'A = {A}')


r = random.randint(2, g - 2)
t = pow(g, r, p)
sh.sendafter('> ', 'yes')
sh.sendafter('> ', str(t))

sh.sendline()
rev = sh.recvuntil('(yes/no)').decode()
B = int(re.search(r'B = (\d+)\n', rev).groups()[0])
print(f'B = {B}')
sh.sendafter('> ', 'yes')
sh.sendafter('> ', str(t))

for _ in range(4):
sh.sendlineafter('\n\n', '')

rev = sh.recvuntil('(yes/no)').decode()
c_b = int(re.search(r'C_b = (\d+)\n', rev).groups()[0])
s_b = pow(B, r, p)
m_b = c_b * inverse(s_b, p) % p

s_a = pow(A, r, p)
sh.sendafter('> ', 'yes')
sh.sendafter('> ', str(m_b * s_a % p))

sh.recvuntil('C_a = ')
c_a = int(sh.recvline().strip())
m_a = c_a * inverse(s_a, p) % p
sh.close()

print(long_to_bytes(m_a) + long_to_bytes(m_b))

>>> b'hgame{Wow!+U_d0_tH3_m@N-1n~ThE+miDd!3_4TtAck~}'

评论