ciscn Crypto部分复现
古典密码
先是埃特巴什密码(这个需要进行多次测试),然后base64,再栅栏即可
答案:flag{b2bb0873-8cae-4977-a6de-0e298f0744c3}
_hash
题目:
python
#!/usr/bin/python2
# Python 2.7 (64-bit version)
# from secret import flag
import os, binascii, hashlib
key = os.urandom(7)
print(hash(key))
print(int(hashlib.sha384(binascii.hexlify(key)).hexdigest(), 16) ^ int(binascii.hexlify(flag), 16))
'''
7457312583301101235
13903983817893117249931704406959869971132956255130487015289848690577655239262013033618370827749581909492660806312017
'''
解题分析:
这个要查python2.7版本的hash函数实现源码(找不到啊/_ \),看了看wp
源码在这:py27哈希 ·PyPI的
分析一下实现原理
python
部分源码:
if isinstance(value, tuple):
return Hash.thash(value)
if isinstance(value, float):
return Hash.fhash(value)
if isinstance(value, int):
return hash(value)
if isinstance(value, ("".__class__, u"".__class__, bytes)) or type(value).__name__ == "buffer":
return Hash.shash(value) #要哈希的数是字符串则跳到shash函数
python
def shash(value):
length = len(value)
if length == 0:
return 0
mask = 0xffffffffffffffff
x = (Hash.ordinal(value[0]) << 7) & mask
for c in value:
x = (1000003 * x) & mask ^ Hash.ordinal(c)
x ^= length & mask
# Convert to C long type
x = ctypes.c_long(x).value
if x == -1:
x = -2
return x
所以hash函数实现的过程是:
python
def hash(s):
mask = 0xffffffffffffffff#64位
s = s.encode()
x = s[0] << 7
for char in s:
x = (1000003 * x) & mask ^ char
x ^= len(s) & mask
return x
&mask即模2^64,用来限制位数大小的
那么hash过程写出来即:(key是7位的)
x 0 = s 0 ∗ 2 7 x_0=s_0 *2^7 x0=s0∗27
x 1 = ( 1000003 ∗ x 0 ) m o d 2 64 ⊕ s 0 x_1=(1000003*x_0) \quad mod \quad 2^{64} \quad \oplus s_0 x1=(1000003∗x0)mod264⊕s0
x 2 = ( 1000003 ∗ x 1 ) m o d 2 64 ⊕ s 1 x_2=(1000003*x_1) \quad mod \quad 2^{64} \quad \oplus s_1 x2=(1000003∗x1)mod264⊕s1
x 3 = ( 1000003 ∗ x 2 ) m o d 2 64 ⊕ s 2 x_3=(1000003*x_2) \quad mod \quad 2^{64} \quad \oplus s_2 x3=(1000003∗x2)mod264⊕s2
以此类推,最后得到:
x = x 7 ⊕ l e n g t h m o d 2 64 x=x_7 \oplus length \quad mod \quad 2^{64} x=x7⊕lengthmod264
现在我们知道hash后的数值即x,需要推出x0,那么进行一个逆过程
x 7 = x ⊕ l e n g t h m o d 2 64 x_7=x \oplus length \quad mod \quad 2^{64} x7=x⊕lengthmod264
x 6 = x 7 ⊕ s 2 ∗ 100000 3 − 1 m o d 2 64 x_6= x_7\oplus s_2*1000003^{-1} \quad mod \quad 2^{64} x6=x7⊕s2∗1000003−1mod264
依次类推,得到x:
x 0 = x 1 ⊕ s 0 ∗ 100000 3 − 1 m o d 2 64 x_0=x_1 \oplus s_0 *1000003^{-1} \quad mod \quad 2^{64} x0=x1⊕s0∗1000003−1mod264
但是我们只有key,s0-s7都是明文中的,所以这里有个中间相遇攻击
中间相遇攻击的思路在于,假设明文key是
abcdefg
我们从前面加密4个字符,即加密到x4,并把他作为元组记录下来。
再把得到的密文从后面逆向,逆到x4,如果和前面的对应上了,即爆破出key
(不是很懂)
贴下别的师傅的脚本(还需要再看看,等我后面做个补充)
python
from itertools import product
from Crypto.Util.number import *
from tqdm import trange
mask = 0xffffffffffffffff
inv = inverse(1000003,2**64)
x7 = 7457312583301101235
cipher = 13903983817893117249931704406959869971132956255130487015289848690577655239262013033618370827749581909492660806312017
table = {}
for i in trange(256):
# 这是第一个字符
for tmp in product([i for i in range(256)],repeat=3):
# 下面便是hash的实现,但是我们只乘上3个字符
x = (i << 7) & mask
x = (1000003 * x) & mask ^ i
pre = list(tmp)
for char in pre:
x = (1000003 * x) & mask ^ char
table[x] = pre
# 记录下来
for tmp in product([i for i in range(256)],repeat=3):
tail = list(tmp)
x7 = (x7 ^ 7) & mask
x6 = (x7 ^ tail[-1]) * inv & mask
x5 = (x6 ^ tail[-2]) * inv & mask
x4 = (x5 ^ tail[-3]) * inv & mask
if x4 in table.keys():
print(i,table[x4],tail)
# 93 [140, 240, 63] [90, 8, 82]
break
要跑2.5小时(震惊)
有了key,就直接异或回去即可
python
import hashlib
import binascii
m = [93,140,240,63,90,8,82]
key = b""
for i in m:
key += long_to_bytes(i)
flag = long_to_bytes(int(hashlib.sha384(binascii.hexlify(key)).hexdigest(), 16) ^ cipher)
print(flag)
# flag{bdb537aa-87ef-4e95-bea4-2f79259bdd07}
后面的题我正在努力中