[SWPUCTF 2024 秋季新生赛]Bury the Light WP
原创
[SWPUCTF 2024 秋季新生赛]Bury the Light WP
原创
太岁
修改于 2024-10-30 14:05:21
修改于 2024-10-30 14:05:21
题目:
from Crypto.Cipher import AES
from Crypto.Util.number import *
from Crypto.Util.Padding import pad
from secret import flag
mask1 = 131151158277430590850506190902325379931
mask2 = 234024231732616562506949148198103849397
mask3 = 175840838278158851471916948124781906887
mask4 = 270726596087586267913580004170375666103
def lfsr(R, mask):
R_bin = [int(b) for b in bin(R)[2:].zfill(128)]
mask_bin = [int(b) for b in bin(mask)[2:].zfill(128)]
s = sum([R_bin[i] * mask_bin[i] for i in range(128)]) & 1
R_bin = [s] + R_bin[:-1]
return (int("".join(map(str, R_bin)), 2), s)
def ff(x0, x1, x2, x3):
return (x0 ^ x1 ^ x2 ^ x3) & 1
def round(R, R1_mask, R2_mask, R3_mask, R4_mask):
out = 0
R1_NEW, _ = lfsr(R, R1_mask)
R2_NEW, _ = lfsr(R, R2_mask)
R3_NEW, _ = lfsr(R, R3_mask)
R4_NEW, _ = lfsr(R, R4_mask)
for _ in range(300):
R1_NEW, x1 = lfsr(R1_NEW, R1_mask)
R2_NEW, x2 = lfsr(R2_NEW, R2_mask)
R3_NEW, x3 = lfsr(R3_NEW, R3_mask)
R4_NEW, x4 = lfsr(R4_NEW, R4_mask)
out = (out << 1) + ff(x1, x2, x3, x4)
return out
key = getRandomNBitInteger(128)
out = round(key, mask1, mask2, mask3, mask4)
cipher = AES.new(long_to_bytes(key), mode=AES.MODE_ECB)
print(f"out = {out}")
print(f"enc = {cipher.encrypt(pad(flag.encode(), 16))}")
#out = 1758689793017181583485607518128257451365441445520643573250819171196665713945177624962575711
#enc = b'g\xf6\xc8\x1d\x1ap\xb9\xefd\xcc\xf0t\xe8/O\x7f\x89\xa3l \x8bR[\x91\xddd\x11\x98tA\x12\xcc\xa5Jl\x08\xd7\x87\xa2M\x1c\xe46rm\x16\x9b('现在来逐行分析一下我写的史山吧:
from Crypto.Cipher import AES
from Crypto.Util.number import *
from Crypto.Util.Padding
import pad from secret import flag引用库,flag
mask1 = 131151158277430590850506190902325379931
mask2 = 234024231732616562506949148198103849397
mask3 = 175840838278158851471916948124781906887
mask4 = 270726596087586267913580004170375666103定义掩码:这四个变量 mask1、mask2、mask3 和 mask4 是常数整数,用作线性反馈移位寄存器(LFSR)操作的位掩码。
deflfsr(R, mask):
R_bin = [int(b) for b inbin(R)[2:].zfill(128)]
mask_bin = [int(b) for b inbin(mask)[2:].zfill(128)]
s = sum([R_bin[i] * mask_bin[i] for i inrange(128)]) & 1
R_bin = [s] + R_bin[:-1]
return (int("".join(map(str, R_bin)), 2), s)LFSR 函数,该函数执行LFSR(线性反馈移位寄存器)操作的一次迭代:
R_bin和mask_bin分别是R和mask的二进制位列表,填充为128位。s是 XOR 操作的结果:它计算R_bin和mask_bin的点积,然后取模2,生成一个单独的位。R_bin向右移一位,并将s插入到开头。- 返回:返回一个包含更新后的
R值和位s的元组。
defff(x0, x1, x2, x3):
return (x0 ^ x1 ^ x2 ^ x3) & 1位操作函数 ff:
接收四个输入位,对它们执行 XOR 操作。结果返回为一个单独的位,用于加密轮次中。
defround(R, R1_mask, R2_mask, R3_mask, R4_mask):
out = 0
R1_NEW, _ = lfsr(R, R1_mask)
R2_NEW, _ = lfsr(R, R2_mask)
R3_NEW, _ = lfsr(R, R3_mask)
R4_NEW, _ = lfsr(R, R4_mask)
for _ inrange(300):
R1_NEW, x1 = lfsr(R1_NEW, R1_mask)
R2_NEW, x2 = lfsr(R2_NEW, R2_mask)
R3_NEW, x3 = lfsr(R3_NEW, R3_mask)
R4_NEW, x4 = lfsr(R4_NEW, R4_mask)
out = (out << 1) + ff(x1, x2, x3, x4)
return out加密轮次函数 round
out初始化为零,并在每次迭代中累加生成的位。- 初始化LFSRs:通过对
R和每个掩码应用lfsr函数来生成R1_NEW、R2_NEW、R3_NEW和R4_NEW。 - 300 轮次:循环执行300次,每次更新每个LFSR并获得新的位(
x1、x2、x3、x4)。 ff(x1, x2, x3, x4)提供一个单个位,将其移位并添加到out。- 返回:300轮次后,
out包含一个300位的结果,即round函数的最终输出。
key = getRandomNBitInteger(128)
out = round(key, mask1, mask2, mask3, mask4)
cipher = AES.new(long_to_bytes(key), mode=AES.MODE_ECB)
print(f"out = {out}")
print(f"enc = {cipher.encrypt(pad(flag.encode(), 16))}")密钥生成和加密
key:生成一个128位的随机整数作为AES密钥。out:调用round函数,传入key和四个掩码,以生成一个伪随机的300位输出。- AES 加密:
- 使用
key创建一个新的 AES 密码器。 - 对
flag(假定为字符串)进行填充,并使用AES的ECB模式加密。 - 输出:打印生成的300位
out以及加密后的flag。
# out = 1758689793017181583485607518128257451365441445520643573250819171196665713945177624962575711
# enc = b'g\xf6\xc8\x1d\x1ap\xb9\xefd\xcc\xf0t\xe8/O\x7f\x89\xa3l \x8bR[\x91\xddd\x11\x98tA\x12\xcc\xa5Jl\x08\xd7\x87\xa2M\x1c\xe46rm\x16\x9b('然后在抛瓦里获得key(其实没有key也可以,ff已经给的很简单了)
题目使用了AES加密,并结合LFSR(线性反馈移位寄存器)生成了伪随机序列。题目给出了一个输出,这是一个300位的整数值,以及一个AES加密后的密文。目标是通过反向推导出AES密钥并解密密文得到原始 flag。
思路:
从LFSR生成的伪随机序列 out 中提取约束条件,将其转换为线性方程组,最终推导出加密密钥 key。利用该密钥,成功解密密文 enc 并获取到 flag
exp:
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
from functools import reduce
mask1 = 211151158277430590850506190902325379931
mask2 = 314024231732616562506949148198103849397
mask3 = 175840838278158851471916948124781906887
mask4 = 270726596087586267913580004170375666103
def lfsr(R, mask):
s = reduce(lambda x, y: x ^ y, [(R >> i) & 1 * ((mask >> i) & 1) for i in range(128)])
R = ((R << 1) | s) & ((1 << 128) - 1)
return R, s
def ff(x0, x1, x2, x3):
return (x0 ^ x1 ^ x2 ^ x3) & 1
out = 1758689793017181583485607518128257451365441445520643573250819171196665713945177624962575711
enc = b'g\xf6\xc8\x1d\x1ap\xb9\xefd\xcc\xf0t\xe8/O\x7f\x89\xa3l \x8bR[\x91\xddd\x11\x98tA\x12\xcc\xa5Jl\x08\xd7\x87\xa2M\x1c\xe46rm\x16\x9b('
# Initialize R as a single 128-bit integer
R = 1 << 127
equation = [(1 << 127, 1)]
for i in range(270):
R1_NEW, x1 = lfsr(R, mask1)
R2_NEW, x2 = lfsr(R1_NEW, mask2)
R3_NEW, x3 = lfsr(R2_NEW, mask3)
R4_NEW, x4 = lfsr(R3_NEW, mask4)
if out >> (269 - i) & 1:
equation.append((x1 ^ x2 ^ x4, 1))
equation.append((1 << 126, 0))
key = 268498734989386806140712175125788827088
key_bytes = long_to_bytes(key)
cipher = AES.new(key_bytes, mode=AES.MODE_ECB)
decrypted_flag = cipher.decrypt(enc)
print(f"flag = {decrypted_flag}") 原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
