2022 Tiangong cup ctf--- crypto1 WP

AES-CBC

aes-cbc Pattern encryption requires an initialization vector for encryption and decryption (Initialization Vector, IV), Before every encryption or after every decryption , Use initialization vectors to XOR plaintext or ciphertext .

encryption

When encrypting , Plaintext first and IV Exclusive or , Then block encrypt the result , The output is ciphertext , At the same time, the output ciphertext of this time is encrypted as the next block IV.

Decrypt

When decrypting , First decrypt the first block of the ciphertext , Then compare the results with IV Exclusive or , You can get plaintext , meanwhile , The input ciphertext of this decryption is decrypted as the next block IV.

subject

from Crypto.Cipher import AES
import binascii
import hashlib
from secret import flag

assert flag[:5] == "flag{" and flag[-1:] == "}"

key = b"J1fx2g1jDak1c***"
l = len(key)

message = b"I have had my invitation to this world's festival, and thus my life has been blessed" + binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]

iv = flag[5:-1]
message = message + bytes((l - len(message) % l) * chr(l - len(message) % l), encoding = "utf-8")
aes = AES.new(key, AES.MODE_CBC, iv)
print(binascii.hexlify(aes.encrypt(message)))
#******************************************************************************************************************************************************6ece036e495d363b647d7f2749c4c2f3dd78f8637b

process analysis

According to the title, we can know the following information ：

key The first thirteen bytes of are b'J1fx2g1jDak1c', The last three are unknown 

 The first 84 bytes of plaintext are b"I have had my invitation to this world's festival, and thus my life has been blessed"
 The middle cross is unknown , And finally bytes((l - len(message) % l) * chr(l - len(message) % l), encoding = "utf-8"), That is to say bytes((16-94%16)*chr(16-94%16))==>bytes(2*chr(2)), namely b'\x02\x02'
    
 After the ciphertext 21 bytes binascii.unhexlify('6ece036e495d363b647d7f2749c4c2f3dd78f8637b')

According to the above aes-cbc Encryption process and decryption process
We can do it through the last known ciphertext block aes-ecb Mode decryption is XOR with the last plaintext block , You can get the last iv, It is also the ciphertext after the last block encryption
The code logic is as follows ：

from Crypto.Cipher import AES
# Ciphertext 
enc = 'xxxxxx*****'
# Plaintext 
m = 'yyyyyy******'
aes_ecb = AES.new(key,AES.MODE_ECB)
#aes ecb Mode decryption 
xor_result = aes_ecb.decrypt(enc)
# Decryption result and plaintext bitwise XOR 
iv = bytes([i^j for i,j in zip(m,xor_result)])

ps: Because the final message And key Is related to the value of , So we need to make sure key Can be determined message Value , Then push back in turn to solve the initial iv（ namely flag）

So we need Mr. Cheng key Dictionary , And then blow it up Key

import string

dic = string.printable[:62]
with open('key_table.txt','wb') as file:
    for i in dic:
        for j in dic:
            for k in dic:
                key = b"J1fx2g1jDak1c"+i.encode()+j.encode()+k.encode()
                file.write(key+b'\n')

file.close()

stay aes-ecb The size of each block in the pattern is 16byte, The known ciphertext is later 21byte, That is to say, the penultimate ciphertext block is known 5byte. Thus, we can decrypt the value of the last block according to the result of the exclusive or of the last plaintext block 5byte Make a comparison , If the value obtained is the same , The key It's what you want key

from Crypto.Cipher import AES
from tqdm import tqdm
import binascii
import hashlib

def xor(m: bytes, c: bytes):
    return bytes([i ^ j for i, j in zip(m, c)])

enc = binascii.unhexlify('5d363b647d7f2749c4c2f3dd78f8637b')
five_part = binascii.unhexlify(b"6ece036e49")
f = open("key_table.txt","rb+")
pbar = tqdm(range(238328))
for i in f:
    key = i[:16]
    aes = AES.new(key, AES.MODE_ECB)
    dec = aes.decrypt(enc)
    m = b"ssed" +binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]+b'\x02\x02'
    xor_result = xor(m,dec)
    pbar.update(1)
    if five_part in xor_result:
        print(key)
        break
file.close()

To get by blasting Key:

b'J1fx2g1jDak1c7s4'

ok, determine key After that, our plaintext will be determined

key = 'J1fx2g1jDak1c7s4'
message = b"I have had my invitation to this world's festival, and thus my life has been blessed" + binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]
message = message + bytes((l - len(message) % l) * chr(l - len(message) % l), encoding="utf-8")

#b'I have had my invitation to this world\'s festival, and thus my life has been blessed\xedVG\xfd"\xe6\x9d\xd5\xb9\xe2\x02\x02'

Then group the plaintext （16byte A group of ）, Then solve the previous group to enc use key To decrypt , obtain xor_result, then xor_result Exclusive or with the same group of plaintext can get this group iv And the previous group enc. To repeat , Push forward step by step to calculate the initial iv, namely flag.

Next is the happy script time （bushi

l = len(key)
message = b"I have had my invitation to this world's festival, and thus my life has been blessed" + binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]
message = message + bytes((l - len(message) % l) * chr(l - len(message) % l), encoding="utf-8")
for i in range(0,len(message),16):
    aes_ecb = AES.new(key,AES.MODE_ECB)
    dec_c = aes_ecb.decrypt(enc)
    enc = xor(message[len(message)-i-16:len(message)-i],dec_c)
    print(enc)

Problem solving script

import binascii
import hashlib
import string
from Crypto.Cipher import AES
from tqdm import tqdm

def xor(m: bytes, c: bytes):
    return bytes([i ^ j for i, j in zip(m, c)])
dic = string.printable[:62]
with open('key_table.txt','wb') as file:
    for i in dic:
        for j in dic:
            for k in dic:
                key = b"J1fx2g1jDak1c"+i.encode()+j.encode()+k.encode()
                file.write(key+b'\n')

file.close()


enc = binascii.unhexlify('5d363b647d7f2749c4c2f3dd78f8637b')
five_part = binascii.unhexlify(b"6ece036e49")
f = open("key_table.txt","rb+")
pbar = tqdm(range(238328))
for i in f:
    key = i[:16]
    aes = AES.new(key, AES.MODE_ECB)
    dec = aes.decrypt(enc)
    m = b"ssed" +binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]+b'\x02\x02'
    xor_result = xor(m,dec)
    pbar.update(1)
    if five_part in xor_result:
        print(key)
        break
file.close()
l = len(key)
message = b"I have had my invitation to this world's festival, and thus my life has been blessed" + binascii.unhexlify(hashlib.sha256(key).hexdigest())[:10]
message = message + bytes((l - len(message) % l) * chr(l - len(message) % l), encoding="utf-8")
for i in range(0,len(message),16):
    aes_ecb = AES.new(key,AES.MODE_ECB)
    dec_c = aes_ecb.decrypt(enc)
    enc = xor(message[len(message)-i-16:len(message)-i],dec_c)
    print(enc)

flag：

flag{
    welcome_1234_igd}

【 Probably there is a kind of self infliction in the world , It's called putting yourself in the right place , Think of others everywhere .】