零.做题:
小明文进阶的算法,直接开方解没有解出来,但是N也爆破不了,可能是低密度指数解密攻击
用脚本爆破解密k,再用小明文攻击解密flag
(这里爆破范围10w,100w,1000w对于计算机都算小的)
一.题目:
from Crypto.Util.number import *
from gmpy2 import *
flag = b'NSSCTF{******}'
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 3
phi = (p-1)*(q-1)
m = bytes_to_long(flag)
c = powmod(m, e, n)
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')
'''
n = 111573371787314339229652810703380127177507745009618224416171957526984270337589283887959174610818933914845556276472159360153787395638087723501889651641965684241070152541291185349571453536221312112508437223801640552330390095266644485311958102687735113533739324296417077804219395793942670324182191309872918900717
e = 3
c = 90782646242308381145716338972639920044710403094882163620436540965475107006005657722222634294458956650085252212452241377251397323707019480880284004845674260662647720809672266571040936376737882878688872281858048646517100139303896804340224961592424635124272549514473232731744884837572128596217771005209683966262
'''
关键步骤:
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 3
二.解题wp以及代码:
1.思路:
2.wp:
3.代码:
from Crypto.Util.number import *
from gmpy2 import *
n = 111573371787314339229652810703380127177507745009618224416171957526984270337589283887959174610818933914845556276472159360153787395638087723501889651641965684241070152541291185349571453536221312112508437223801640552330390095266644485311958102687735113533739324296417077804219395793942670324182191309872918900717
e = 3
c = 90782646242308381145716338972639920044710403094882163620436540965475107006005657722222634294458956650085252212452241377251397323707019480880284004845674260662647720809672266571040936376737882878688872281858048646517100139303896804340224961592424635124272549514473232731744884837572128596217771005209683966262
for k in range(100000):
cc = c + k*n
res = iroot(cc, e)
if res[1]:
m = res[0]
break
print(long_to_bytes(m))
print('k:',k) # 11
代码解释:
res = iroot(cc, e)
接下来,调用一个名为iroot的函数(这个函数可能用于计算整数根),并将cc和e作为参数传递。这个函数返回一个包含两个元素的元组res。根据函数名和常见用法,我们可以猜测iroot函数可能试图找到cc的e次方根,并返回一个元组,其中第一个元素是根的值,第二个元素可能是一个布尔值,指示是否成功找到根。
if res[1]:
这行代码检查res元组的第二个元素(即res[1])是否为真。根据上面的假设,这个值可能是一个布尔值,指示iroot函数是否成功找到根。
m = res[0]
如果res[1]为真(即iroot函数成功找到了根),则将res元组的第一个元素(即根的值)赋值给变量m。