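Blog or no blog, who cares! Without further ado, here is a link, in tribute to the expert who got flamed by Qanux: https://pqgcg6fs2k6.feishu.cn/wiki/Tpq7wVDAxin8BgkIc6xcYFmVnTE
This is the writeup for the finals Crypto challenges, written by HvAng. Read it for a laugh; after all, he did offer up the holographic Feixiao and Jiaoqiu cards to me (doge)
Now to the point: today I spent a whole afternoon figuring out a challenge called 6ES
Challenge description: Great minds meet.
The challenge is as follows: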

```python
from hashlib import sha256
from random import choices
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import flag

def Key_Gen(chars, length):
    key = []
    for _ in range(6):
        key.append(sha256(bytes(choices(chars, k=length))).digest())
    return key

def encrypt(msg, key):
    p = b'Have_@_Good_Fun!'
    for i in range(6):
        p = AES.new(key[i], AES.MODE_ECB).encrypt(p)
    enc_key = sha256(b"".join(key)).digest()
    enc_flag = AES.new(enc_key, AES.MODE_ECB).encrypt(pad(msg, AES.block_size))
    return p, enc_flag

chars = b'xsAES'
key = Key_Gen(chars, 3)
cipher = encrypt(flag, key)
print(f'c = {cipher[0].hex()}')
print(f'enc_flag = {cipher[1].hex()}')
"""
c = 3f9b376d07e5f6633ed23ca74a502fbe
enc_flag = 641ec79497a475265aa424fe9d8df460ddd495991e92084a65063f0b08a04159547214a81038661557ee9da8685bc7e7e45f73936e3c3f2fad09181f2e33cf45
"""
```

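The challenge author thinks he is very funny: he told me the challenge description hints at a meet-in-the-middle attack. LOL, at the time I had no idea what a meet-in-the-middle attack even was.

The hint really is there, though, because a direct brute force is very hard. The key is made up of the SHA-256 hashes of 6 combinations. A single combination has $5^3$ possibilities, so 6 combinations together have $(5^3)^6$ possibilities, whereas meet-in-the-middle needs only $2(5^3)^3$. Clearly only the latter is feasible to brute-force. For how meet-in-the-middle actually works, read the writeup linked above, which explains it very thoroughly.
As I see it, the hardest part is not understanding the meet-in-the-middle attack but reading the functions and being able to write the corresponding code. That is really not simple for a beginner: there are many details, and I hit errors many times.
The code is as follows: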

```python
import itertools
from hashlib import sha256

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# bytes.fromhex keeps leading zero bytes, which long_to_bytes on an int would drop
c = bytes.fromhex('3f9b376d07e5f6633ed23ca74a502fbe')
enc_flag = bytes.fromhex('641ec79497a475265aa424fe9d8df460ddd495991e92084a65063f0b08a04159547214a81038661557ee9da8685bc7e7e45f73936e3c3f2fad09181f2e33cf45')
p = b'Have_@_Good_Fun!'
chars = 'xsAES'

# Every 3-character string over chars, as bytes: 5^3 = 125 candidates per round key
# (named candidates so the built-in list is not shadowed)
candidates = [''.join(t).encode() for t in itertools.product(chars, repeat=3)]

key = []    # concatenated round keys: forward triples first, then backward triples
enc_p = []  # p encrypted under key1, key2, key3 (forward half)
for k1 in candidates:
    for k2 in candidates:
        for k3 in candidates:
            key1 = sha256(k1).digest()
            key2 = sha256(k2).digest()
            key3 = sha256(k3).digest()
            enc_p.append(AES.new(key3, AES.MODE_ECB).encrypt(AES.new(key2, AES.MODE_ECB).encrypt(AES.new(key1, AES.MODE_ECB).encrypt(p))))
            key.append(key1 + key2 + key3)
set_p = set(enc_p)

enc_c = []  # c decrypted under key6, key5, key4 (backward half)
for k4 in candidates:
    for k5 in candidates:
        for k6 in candidates:
            key4 = sha256(k4).digest()
            key5 = sha256(k5).digest()
            key6 = sha256(k6).digest()
            enc_c.append(AES.new(key4, AES.MODE_ECB).decrypt(AES.new(key5, AES.MODE_ECB).decrypt(AES.new(key6, AES.MODE_ECB).decrypt(c))))
            key.append(key4 + key5 + key6)
set_c = set(enc_c)

# The middle value both halves agree on identifies the two key triples
ans = set_p & set_c
ans = ans.pop()
enc_key = []
enc_key.append(key[enc_p.index(ans)])
enc_key.append(key[len(candidates) ** 3 + enc_c.index(ans)])
enc_key = sha256(b''.join(enc_key)).digest()
flag = AES.new(enc_key, AES.MODE_ECB).decrypt(enc_flag)
flag = unpad(flag, AES.block_size)
print(flag)
#b'XSCTF{M17m_@t74ck_4nd_VvVvvvVeee3rry_5l0ww_Py7h0n}'
```

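Using the itertools.product function and all the details of converting things to byte strings are really annoying points. In other words, next time *HuAng is buying dinner.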
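
An added example, not part of the original post or the challenge: the same meet-in-the-middle idea on a smaller constructed instance (four rounds, 2-character seeds), keeping the forward half in a dict and confirming every match against extra known pairs instead of taking the first one. The 16-bit Feistel cipher, `SECRET` and `PAIRS` are assumptions standing in for AES so that the block runs with only the standard library; it goes beyond the post's case by handling several middle-value collisions.

```python
import hashlib
from itertools import product

def _f(half, key, rnd):
    # Feistel round function: one byte of SHA-256(key || round || half)
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def enc(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right

def dec(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right

# Same key derivation as the challenge, but 2-character seeds: 5^2 = 25 per round
SEEDS = [bytes(t) for t in product(b'xsAES', repeat=2)]
ROUND_KEYS = {s: hashlib.sha256(s).digest() for s in SEEDS}

def encrypt4(block, seeds):
    for s in seeds:
        block = enc(block, ROUND_KEYS[s])
    return block

def mitm(pairs):
    (p0, c0), extra = pairs[0], pairs[1:]
    table = {}  # middle value -> every (k1, k2) that reaches it from p0
    for k1, k2 in product(SEEDS, repeat=2):
        mid = enc(enc(p0, ROUND_KEYS[k1]), ROUND_KEYS[k2])
        table.setdefault(mid, []).append((k1, k2))
    found = []
    for k3, k4 in product(SEEDS, repeat=2):
        mid = dec(dec(c0, ROUND_KEYS[k4]), ROUND_KEYS[k3])
        for k1, k2 in table.get(mid, ()):
            cand = (k1, k2, k3, k4)
            # A 16-bit middle value collides by chance; keep only keys that
            # also map the other known plaintexts to their ciphertexts
            if all(encrypt4(pt, cand) == ct for pt, ct in extra):
                found.append(cand)
    return found

# Constructed instance: secret seeds and three known plaintext/ciphertext pairs
SECRET = (b'xA', b'Ss', b'EE', b'sx')
PAIRS = [(pt, encrypt4(pt, SECRET)) for pt in (0x4861, 0x7665, 0x5F40)]
```

`mitm(PAIRS)` does 2 × 25² half-encryptions instead of 25⁴ full ones; `mitm(PAIRS[:1])` returns every key that matches on a single pair, which is why the extra pairs are needed when the block is small.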