from Crypto.Util.number import * from secret import flag
bit_length = len(flag) * 8
p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab K = GF(p) E = EllipticCurve(K, (0, 4)) o = 793479390729215512516507951283169066088130679960393952059283337873017453583023682367384822284289 n1, n2 = 859267, 52437899
while(1): G1, G2 = E.random_element(), E.random_element() if(G1.order() == o and G2.order() == o): P1, P2 = (o//n1)*G1, (o//n2)*G2 break
cs = [(randrange(0, o) * P1 + randrange(0, o) * G2).xy() if i == "1"else (randrange(0, o) * G1 + randrange(0, o) * P2).xy() for i inbin(bytes_to_long(flag))[2:].zfill(bit_length)] print(cs)
from Crypto.Util.number import long_to_bytes import ast
# BLS12-381 curve p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab K = GF(p) E = EllipticCurve(K, (0, 4)) o = 793479390729215512516507951283169066088130679960393952059283337873017453583023682367384822284289 n1, n2 = 859267, 52437899 cs = ast.literal_eval(open("chall.txt").read()) cs = [E(c) for c in cs]
is0=cs[0] is0=is0*n2
flag='' for i in cs: tmp=is0.weil_pairing(i*n2,o) if tmp==1: flag+='0' else: flag+='1' print(flag) print(long_to_bytes(int(flag,2))) """ 01010011010101010100001101010100010001100111101101010111011001010011000101100011011011110110110101100101010111110101111101010100001100000101111101011111010100110101010101000011010101000100011001011111010111110011001000110000001100100011010101111101 b'SUCTF{We1come__T0__SUCTF__2025}' """
import socketserver import signal from Crypto.Util.number import * from random import randint import time from sage.geometry.hyperbolic_space.hyperbolic_isometry import moebius_transform from secret import flag
defgame1(self): self.send(b"\nLet's play the game1!") rounds = 1000 pseudo_prime = int(self.recv(prompt=b'[+] Plz Tell Me your number: ')) if isPrime(pseudo_prime): self.send(b"\nNo! it's a prime, go away!") self.request.close() for i inrange(rounds): ifpow(randint(2, pseudo_prime), pseudo_prime - 1, pseudo_prime) != 1: self.send(b"\nYou failed in round " + str(i + 1).encode() + b', bye~~') self.request.close() self.send(b"\nCongratulations, you have won the game1!\n") returnTrue
defgame2(self): self.send(b"Let's play the game2!") res = self.recv(prompt=b'[+] Plz give Me your a, b, c: ') a,b,c = [int(x) for x in res.split(b',')] try: assert (isinstance(a, int) andisinstance(a, int) andisinstance(c, int)) assert a > 0 assert b > 0 assert c > 0 assert a / (b + c) + b / (a + c) + c / (a + b) == 4 assertint(a).bit_length() > 900andint(a).bit_length() < 1000 assertint(b).bit_length() > 900andint(b).bit_length() < 1000 assertint(c).bit_length() > 900andint(c).bit_length() < 1000 self.send(b"\nCongratulations, you have won the game2!\n") returnTrue except: self.send(b"\nNo! Game over!") self.request.close()
deffinal_game(self): self.send(b"Let's play the game3!") set_random_seed(int(time.time())) C = ComplexField(999) M = random_matrix(CC, 2, 2) Trans = lambda z: moebius_transform(M, z) out = [] for _ inrange(3): x = C.random_element() out.append((x,Trans(x))) out = str(out).encode() self.send(out) kx = C.random_element() kx_str = str(kx).encode() self.send(kx_str) C2 = ComplexField(50) ans = C(self.recv(prompt=b'[+] Plz Tell Me your answer: ').decode()) if C2(ans) == C2(Trans(kx)): self.send(b"\nCongratulations, you have won the game3!") self.send(flag) self.request.close() else: self.send(b"\nNo! Game over!") self.request.close()
from Crypto.Util.number import * from pwn import * whileTrue: r=remote("1.95.46.185",10001)
#https://ctftime.org/writeup/21898 随便拿一个数 r.recvuntil(b'[+] Plz Tell Me your number: ') r.sendline(b'340649031679478708871356501710247209854526956821188127472136012686397651')
#https://zhuanlan.zhihu.com/p/33853851 N=4 e=(4*(N^2)) + ((12*N)-3) f=32*(N+3) eq=EllipticCurve([0,e,0,f,0]) # Define the elliptic curve corresponding to the equation a/(b+c)+b/(a+c)+c/(a+b)=N eq.rank() eq.gens() tmpP=eq(-100,260) m=9 whileTrue: P=m*tmpP x=P[0] y=P[1] a=(8*(N+3)-x+y)/(2*(N+3)*(4-x)) b=(8*(N+3)-x-y)/(2*(N+3)*(4-x)) c=(-4*(N+3)-(N+2)*x)/((N+3)*(4-x)) da=denominator(a) db=denominator(b) dc=denominator(c) l=lcm(da,lcm(db,dc)) a,b,c=[int(a*l),int(b*l),int(c*l)] try: assert a > 0 assert b > 0 assert c > 0 assert a / (b + c) + b / (a + c) + c / (a + b) == 4 assertint(a).bit_length() > 900andint(a).bit_length() < 1000 assertint(b).bit_length() > 900andint(b).bit_length() < 1000 assertint(c).bit_length() > 900andint(c).bit_length() < 1000 break except: pass m=m+1
r.recvuntil(b'[+] Plz give Me your a, b, c: ') r.sendline((f'{a},{b},{c}').encode())
#https://github.com/Masrt200/sagetf/blob/master/Advanced%20Crypto.ipynb r.recvuntil(b"Let's play the game3!") r.recvline() C = ComplexField(999) zw=r.recvline().strip().decode() zw=eval(zw) z4=r.recvline().strip().decode() Z, W = [], [] for z,w in zw: Z.append(C(z)) W.append(C(w)) z = C(z4) A = (W[0] - W[1]) * (z - Z[1]) * (Z[0] - Z[2]) B = (W[0] - W[2]) * (Z[0] - Z[1]) * (z - Z[2]) fz = (A * W[2] - B * W[1])/(A - B) r.sendline(str(fz).encode()) flag=r.recvall() ifb'suctf'in flag orb'SUCTF'in flag: print(flag) r.close() break r.close()
#b'[+] Plz Tell Me your answer: \nCongratulations, you have won the game3!\n\nSUCTF{Hope_Y0u_have_a_NICE_tr1p_in_SUCTF~}\n'
d_m = 54846367460362174332079522877510670032871200032162046677317492493462931044216323394426650814743565762481796045534803612751698364585822047676578654787832771646295054609274740117061370718708622855577527177104905114099420613343527343145928755498638387667064228376160623881856439218281811203793522182599504560128 n = 102371500687797342407596664857291734254917985018214775746292433509077140372871717687125679767929573899320192533126974567980143105445007878861163511159294802350697707435107548927953839625147773016776671583898492755338444338394630801056367836711191009369960379855825277626760709076218114602209903833128735441623 e = 112238903025225752449505695131644979150784442753977451850362059850426421356123
k = e*d_m // n + 1 # s=p+q # ed_l+ks+[ed_h-1-k(n+1)]=0 #(d_l,s,1)*L=(d_l,s,1)
res=L[1] # s+t*e s=res[1]%e PR.<x> = PolynomialRing(Zmod(e)) f = x^2 + n - s*x #p*p+p*q-p*s res = f.roots() pl = int(res[0][0]) # p%e
import multiprocessing import tqdm from hashlib import sha256
defcopper_attack(i): PR.<x> = PolynomialRing(Zmod(n)) f = e*(2^12*x + i) + pl f = f.monic() res = f.small_roots(X=2^244, beta=0.499, epsilon=0.02) if(res != []): t = int(res[0]) p = e*(2^12*t + i) + pl q = n // p assert p * q == n and isPrime(p) and isPrime(q) print(sha256(str(p).encode()).hexdigest()[:32]) print(sha256(str(q).encode()).hexdigest()[:32]) returnTrue
with multiprocessing.Pool(processes=16) as pool: for _ in tqdm.tqdm(pool.imap(copper_attack, range(2^12)), total=int(2^12)): if(_): break """ 1c56d344aba19600db3956abebc34425 c1864501fab1841178177d4f15af4ad8 """