CTF easy_hash 题目解析：多项式与自定义哈希逆向

一、题目信息

题目名称：easy_hash
比赛名称：DASCTF NOV X 联合出题人 2022 年度积分榜争夺赛
题目描述：闲来无事自己写了个 hash，你能看懂嘛？
附件：interesting.py

二、题目分析

拿到题目后，首先分析附件代码的逻辑。题目主要包含两个核心函数：myhash 和 encode。

1. 自定义哈希函数 `myhash`

这个函数是题目的核心难点之一，它的处理流程如下：

def myhash(x):
    res = []
    end = b""
    bytescipher = long_to_bytes(x)
    # 1. 处理前缀（无法被 8 整除的剩余部分）
    a = bytescipher[:len(bytescipher) % 8]
    res.append(a)
    res.append(long_to_bytes(crc32(a)))
    # 添加前缀的 CRC32 校验值
    # 2. 处理 8 字节对齐的数据块
    t = (len(bytescipher) // 8)
    bytescipher = bytescipher[len(bytescipher) % 8:]
    for i in range(t):
        a = bytescipher[i*8:i*8+8]
        res.append(a)
        res.append(long_to_bytes(crc32(a)))
        # 添加每个数据块的 CRC32 校验值
    # 3. 拼接并转换
    for i in res:
        end += i
    res = bytes_to_long(end)
    # 4. 截断操作
    res = (res + (res >> 500)) & (2**500 - 1)
    return res

关键点分析：

输入数据被分割成若干块：一个长度为 len % 8 的前缀，和若干个 8 字节的块。

from Crypto.Util.number import bytes_to_long, long_to_bytes from zlib import crc32 # ==================== 已知参数 ==================== P = 93327214260434303138080906179883696131283277062733597039773430143631378719403851851296505697016458801222349445773245718371527858795457860775687842513513120173676986599209741174960099561600915819416543039173509037555167973076303047419790245327596338909743308199889740594091849756693219926218111062780849456373 # 题目给出的 FLAG[1] known_a1 = 1768672211043417187765307394749760760531160781992300779145800061219666992833602547480090118225665457075744297987672863699370162614965380859290914620736 known_secret = 89139545215288033432210221492974990584987914397112840989583439688211128705545477536596587262069032020212762581490561288493533363888589066045095054475929099275247145877699370608950340925139625068446642116123285918461312297390611577025368805438078034230342490499137494400676347225155752865648820807846513044723 # ==================== 函数定义 ==================== def myhash(x): res = [] end = b"" bytescipher = long_to_bytes(x) a = bytescipher[:len(bytescipher) % 8] res.append(a) res.append(long_to_bytes(crc32(a))) t = (len(bytescipher) // 8) bytescipher = bytescipher[len(bytescipher) % 8:] for i in range(t): a = bytescipher[i*8:i*8+8] res.append(a) res.append(long_to_bytes(crc32(a))) for i in res: end += i res = bytes_to_long(end) res = (res + (res >> 500)) & (2**500 - 1) return res # ==================== 解题步骤 ==================== # Step 1: 计算哈希链后续节点 a2 = myhash(known_a1) a3 = myhash(a2) # Step 2: 从多项式方程反推 a[0] # f(a[1]) = a[0] + a[1]*a[1] + a[2]*a[1]**2 + a[3]*a[1]**3 term1 = known_a1 * known_a1 term2 = a2 * (known_a1 ** 2) term3 = a3 * (known_a1 ** 3) a0 = (known_secret - term1 - term2 - term3) % P # Step 3: 验证哈希链 assert myhash(a0) == known_a1, "验证失败" # Step 4: 逆向解析 myhash a0_bytes = long_to_bytes(a0) flag_bytes = b"" # 尝试不同的前缀长度 for prefix_len in range(8): if len(a0_bytes) < prefix_len + 4: continue prefix = a0_bytes[:prefix_len] prefix_crc = a0_bytes[prefix_len:prefix_len+4] if prefix_crc != long_to_bytes(crc32(prefix)): continue # 前缀 CRC 匹配，开始解析后续块 blocks = [prefix] pos = prefix_len + 4 valid = True while pos + 12 <= len(a0_bytes): block = a0_bytes[pos:pos+8] block_crc = a0_bytes[pos+8:pos+12] if block_crc == long_to_bytes(crc32(block)): blocks.append(block) pos += 12 else: valid = False break if valid and pos == len(a0_bytes): flag_bytes = b''.join(blocks) break try: print(f"Flag: {flag_bytes.decode()}") except: print(f"Flag (hex): {flag_bytes.hex()}")

CTF easy_hash 题目解析：多项式与自定义哈希逆向