【CTF WriteUp】2020全国工业互联网安全技术技能大赛密码题（Crypto）wp

提示：文章写完后，目录可以自动生成，如何生成可参考右边的帮助文档

一、题目 2E

二、根据题目给脚本推出EXP如下：

1.Task.py

代码如下（示例）：

import random
from random import Random
import mt# from secret import flag
flag = 'flag:{}'
from Crypto.Util.number import bytes_to_long, long_to_bytespbox1 = [22, 28, 2, 21, 3, 26, 6, 14, 7, 16, 15, 9, 17, 19, 8, 11, 10, 1, 13, 31, 23, 12, 0, 27, 4, 18, 30, 29, 24, 20, 5, 25]
pbox2 = [17, 6, 7, 27, 4, 20, 11, 22, 2, 19, 9, 24, 23, 31, 15, 10, 18, 28, 5, 0, 16, 29, 25, 8, 3, 21, 30, 12, 14, 13,1, 26]
def p(data, pbox):tmp = bin(data)[2:].rjust(32, '0')out = [tmp[x] for x in pbox]return int(''.join(out), 2)
def getp(data, pbox):tmp = bin(data)[2:].rjust(32, '0')_out = {}c = 0for x in pbox:_out[x] = tmp[c]c += 1out = [_out[x] for x in range(len(pbox))]return int(''.join(out), 2)
def genkey(l):return random.getrandbits(l)
def encrypt(key, msg):tmp1 = p(msg ^ key, pbox1)tmp2 = p(tmp1 ^ key, pbox2)return tmp2 ^ key
def getcrypt(key, enc):tmp1 = enc ^ keytmp2 = getp(tmp1, pbox2) ^ keyreturn getp(tmp2, pbox1) ^ key
with open('data') as f:d = f.readlines()
def getOldStates(states):for i in range(3, -1, -1):tmp = states[i + 624] ^ states[i + 397]if tmp & 0x80000000 == 0x80000000:tmp ^= 0x9908b0dfres = (tmp & 0x40000000) << 1tmp = states[i - 1 + 624] ^ states[i + 396]if tmp & 0x80000000 == 0x80000000:tmp ^= 0x9908b0dfres |= 1res |= (tmp & 0x3fffffff) << 1# assert(res == states[i])states[i] = res
cur = []
for i in d:ii = i.split()if len(ii) > 1:cur.append(int(ii[0]))if len(cur) == 624:break'''if p(0^int(ii[0]),pbox2) ^ int(ii[0]) == int(ii[1]):print(ii)key = ii[0]break'''states = [0] * 4 + mt.backtrack(cur)
len(states)
getOldStates(states)
random.setstate(tuple([3, tuple(states[:624] + [0]), None]))key = random.getrandbits(32)
key = random.getrandbits(32)
key = random.getrandbits(32)
key = random.getrandbits(32)

2. print(key)

来四次就是正常的key了

代码如下（示例）：

key = 1991722937
cc = b''
for i in d:ii = i.split()if len(ii) > 1:breakelse:print(long_to_bytes(getcrypt(key, int(ii[0]))))cc += long_to_bytes(getcrypt(key, int(ii[0])))

3. print(1)

key = genkey(32)
getcrypt(key,encrypt(key,3000000000))
flag = flag.ljust(44,'\x00')
for i in range(int(len(flag)/4)):pt = bytes_to_long(flag[i*4:i*4+4])print(encrypt(key,pt))
''
for i in range(2**22):pt = random.getrandbits(32)ct = encrypt(key,pt)print(pt,ct)

4. mt.py

from os import urandom
class MersenneTwister(object):"""Implements a basic Mersenne Twister PRNG"""def __init__(self, seed):self.index = 624self.mt = [seed] + [0] * 623for i in range(1, 624):self.mt[i] = 0xffffffff & (0x6c078965 * (self.mt[i - 1] ^ self.mt[i - 1] >> 30) + i)def setstate(self, state):self.mt = statedef getstate(self):return self.mtdef random(self):"""Returns floating point number from 0.00 to 1.00Mimics Python's random.random()"""a = self.random32() >> 5b = self.random32() >> 6return float((a * 67108864.0 + b) * (1.0 / 9007199254740992.0))def getrandbits(self, n):"""Alias to random 32, only accepts 32 bits"""assert n == 32return self.random32()def twist(self):for k in range(624):y = (self.mt[k] & 0x80000000) | (self.mt[(k+1) % 624] & 0x7fffffff)n = 0x9908b0df if y % 2 else 0self.mt[k] = self.mt[(k+397) % 624] ^ (y >> 1) ^ nself.index = 0def random32(self):"""Returns the next 32 bit random number"""if self.index >= 624:self.twist()# generate random numbery = self.mt[self.index]self.index += 1y ^= (y >> 11)y ^= (y << 7) & 0x9d2c5680y ^= (y << 15) & 0xefc60000y ^= (y >> 18)return y
class PyRand(MersenneTwister):"""Emulates Python's random, seed is required"""def __init__(self, seed):key = []super(PyRand, self).__init__(19650218)while seed:key.append(seed & 0xffffffff)seed = seed >> 32if len(key) == 0:key = [0]mt = self.mti = 1j = 0m = max(624, len(key))for k in xrange(m, 0, -1):mt[i] = 0xffffffff & ((mt[i] ^ ((mt[i-1] ^ (mt[i-1] >> 30)) * 1664525)) + key[j] + j)i += 1if i >= 624:mt[0] = mt[623]i = 1j = (j+1) % len(key)for k in xrange(623, 0, -1):mt[i] = 0xffffffff & ((mt[i] ^ ((mt[i-1] ^ (mt[i-1] >> 30)) * 1566083941)) - i)i += 1if i >= 624:mt[0] = mt[624-1]i = 1mt[0] = 0x80000000
class MTServer(object):def __init__(self, seed, rand=PyRand):self.seed = seedself.rand = randself.state = []def start(self):"""Returns a generator of PRNG numbers"""r = self.rand(self.seed)self.state = r.mtwhile 1:yield r.getrandbits(32)
def reverse_rshift_xor(y, shift):i = 0;# iterate over every bit-shifted sectionwhile (i * shift < 32):# Get bits to shift for bit sectionunshift = y & (((0xffffffff << (32 - shift)) & 0xffffffff) >> (shift * i))# Reverse right shiftunshift = unshift >> shift# Reverse xory ^= unshifti += 1return y
def reverse_lshift_xor(y, shift, mask):i = 0# iterate over every bit-shifted sectionwhile (i * shift < 32):# Git bits to shift for bit sectionunshift = y & (((0xffffffff >> (32 - shift))) << (shift * i))# Reverse left shiftunshift = (unshift << shift)# Reverse maskunshift &= mask# Reverse xory ^=  unshifti += 1return y
def backtrack(numbers):"""Returns the current state of the MT PRNG based on list of 624 numbers"""assert len(numbers) == 624state = []for n in numbers:n = reverse_rshift_xor(n, 18)               # reverse: y ^= (y >> 18)n = reverse_lshift_xor(n, 15, 0xefc60000)   # reverse: y ^= (y << 15) & 0xefc60000n = reverse_lshift_xor(n,  7, 0x9d2c5680)   # reverse: y ^= (y <<  7) & 0x9d2c5680n = reverse_rshift_xor(n, 11)               # reverse: y ^= (y >> 11)state.append(n)return state

得到flag!

flag{843f4cf5-8edc-49e7-9fd2-7cb31840c10f}