CTF Crypto --- 七八月份比赛杂题记录

已于 2023-08-07 18:07:14 修改
阅读量1.5k 收藏 2
点赞数
分类专栏: CTF 文章标签: python 网络安全
于 2023-08-07 11:29:18 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/luochen2436/article/details/132138412
版权

文章目录

前言

哥们终于想起账号密码了(尊嘟忘了)。
在这里插入图片描述
鸽了快两个星期辣,下次一定不鸽(x)。
在这里插入图片描述

第一届交通运输行业网络安全大赛决赛—Crypto

easyRSA

题目:

from Crypto.Util.number import *
from gmpy2 import *
from random import *

flag = b'DASCTF{xxxxx}'

m = bytes_to_long(flag)

while True:
    try:
        p = getPrime(512)
        q = next_prime(p+2**520)
        n = p*q
        phi = (p-1)*(q-1)
        d = randint(0,n**0.32)
        e = inverse(d,phi)
        c = pow(m,e,n)
        break
    except:
        continue

print("e = %d"%e)
print("n = %d"%n)
print("c = %d"%c)

'''
e = 22406617662992657889189996038164778072134256533643932957015006754647822578958941307848612281469431201991306481890996110372419319706474785730441458621818413195157394408942556272495727435704953347478158553946953413179163328976215167865874464655775410591847016921402275945868909242077897959037348916785120117461655
n = 24060380804148316574301133150703936973811513337391019200164987960874105848921375758959945881263552336035571494502139825591685175642839368578283761865745224459787280066739212098720274347746524677894359534493555854937925590705524983104059677695973201044287743440388194064688873456047929476158165843812125976675193
c = 6224246192773369488536745056540125828918816255225886951931770916428603800143493592040760978737512689281802769927712229089196097571495191027802589192805135838831322474642230511392667306908597027184532769940279896145161482936674583102879507860488435333891036563479618834572359715411724343814117656984603501647779
'''

由题目可知,q = next_prime(p+2**520),由此我们可以构造一个一元多项式方程 f = p*q-n = p*(p+2**520)-n,然后求解方程的根,此时p在根附近,于是在将根值往前推直至n%p=0为止,此时p为所求,则q=n//p

#sage
import gmpy2
import libnum
e = 22406617662992657889189996038164778072134256533643932957015006754647822578958941307848612281469431201991306481890996110372419319706474785730441458621818413195157394408942556272495727435704953347478158553946953413179163328976215167865874464655775410591847016921402275945868909242077897959037348916785120117461655
n = 24060380804148316574301133150703936973811513337391019200164987960874105848921375758959945881263552336035571494502139825591685175642839368578283761865745224459787280066739212098720274347746524677894359534493555854937925590705524983104059677695973201044287743440388194064688873456047929476158165843812125976675193
c = 6224246192773369488536745056540125828918816255225886951931770916428603800143493592040760978737512689281802769927712229089196097571495191027802589192805135838831322474642230511392667306908597027184532769940279896145161482936674583102879507860488435333891036563479618834572359715411724343814117656984603501647779
RF = RealField(1000)
x = polygen(RF)
f = x * (x + 2**520) - n
p = int(f.roots()[1][0])
print(p)
while n % p != 0:
    p = p - 1

q = n // p
print(f"p = {p}")
print(f"q = {q}")
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = libnum.n2s(int(m))
print(flag)

flag:

DASCTF{24ce231dcbc-08aa5-4ba28-8ef5-231dcb00sd2ed}
Mypow

题目:

+from Crypto.Util.number import *
from gmpy2 import *
import os

flag = b'xxx'
def Mypow(b, e, mod):
    a = 1
    while e:
        e >>= 1
        b = (b*b)%mod
        if e&1:
            a = (a*b)%mod
    return a

def Genp(bit_length):
    coeff = 2 ** 5 * 3 * 7
    while True:
        tmp_prime = getRandomNBitInteger(bit_length - 10)
        p = coeff * tmp_prime + 1
        if is_prime(p):
            break
    return p

def Genkeys(bit_length):
    p,q = Genp(bit_length),Genp(bit_length)
    n = p * q
    hint = (2 * p + 7 * q) % n
    return n, hint

if __name__ == '__main__':
    e = next_prime(666)
    n, hint = Genkeys(512)
    m = bytes_to_long(os.urandom(30) + flag)
    ct = Mypow(m,e,n)
    print(f'n = {n}')
    print(f'hint = {hint}')
    print(f'ct = {ct}')

    '''
    n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
    hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
    ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000
    '''

已知 n = p ∗ q n=p*q n=pq h i n t = 2 p + 7 q hint=2p+7q hint=2p+7q,可推
2 ∗ p 2 + 7 ∗ p ∗ q = p ( 2 p + 7 q ) = p ∗ h i n t 2*p^2+7*p*q=p(2p+7q)=p*hint 2p2+7pq=p(2p+7q)=phint
由此,我们可构建方程, f = 2 x 2 + 7 n − x ∗ h i n t f=2x^2+7n-x*hint f=2x2+7nxhint,解方程得到p,进而得到q=n//p。

#sage
R.<x> = Zmod()[]
f = 2*x^2 + 7*n - hint*x
p = int(f.roots()[0][0])
q = n//p

Mypow(b,e,mod)函数相当于pow(m,e,n)函数,但是对于不同的幂e结果不同。当e为偶数时,相当于pow(m,e,n);当e为奇数时,相当于pow(m,e-1,n)。本题的e = next_prime(666),显然是一个素数(必然是奇数),因此真正的e = next_prime(666)-1
经计算,gcd(e,phi)=e,因此演变为有限域下开根问题。分别在 G F ( p ) , G F ( q ) GF(p),GF(q) GF(p),GF(q)上开e次方根,之后crt组合一下,求出所有的m,再判断字符串中是否含有DASCTF即可得到flag。

#sage
import gmpy2
from Crypto.Util.number import  *

n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000

R.<x> = Zmod()[]
f = 2*x^2 + 7*n - hint*x
p = int(f.roots()[0][0])
q = n//p

e = gmpy2.next_prime(666)-1

R.<x> = Zmod(p)[]
f = x^e-ct
f = f.monic()
results1 = f.roots()

R.<x> = Zmod(q)[]
f = x^e-ct
f = f.monic()
results2 = f.roots()

for i in results1:
	for j in results2:
		param1 = [int(i[0]),int(j[0])]
		param2 = [p,q]
		m = CRT_list(param1,param2)
		flag = long_to_bytes(int(m))
		if b'DASCTF' in flag:
			print(flag)
			break

flag:

DASCTF{FastP0w3r_4nd_AMM_0f_R5A}

2023安徽信息安全工程员技能竞赛

baby_RSA

题目:

n=18941897966618549590482921932069269855566887560846003853615076099963108817185327262750999516754222357223603475688339480435312583490395860452876528267241529839128983282347116489462087590022946148697811918490562357700477812317981112859801696914920157218261227248163354934594592989948835696126525303358401172927693681573257245675773302383672536531760449692312660789004434502847176542175872828631412512434830044930393378761413148832473147778681111895140827684384523695468243679431394541437405220444389502412532816429448282704044345362927781837263473315252015292522704945829965688617978850430082494284515433755194353439337
c1=16526118626986017587535672306501535736692950947614409401612053801360048305344788074060161991592465238423703152619212847540401135865568611456448069291895155754469395615728785061984518496536397902069681784511121811306784617822082388392704359591309731536503001254216652492074215090776170134134687632575101823975955490855193514898535824814240480721772488425500309069255541262657807513487602741417690129808594555617044051707040663245698288030031495680697068057476361442627006464925235000245587220216985373423116156019250717175060849008225344903717354712612845144538174414672321666720723995449432568958322357146091477808460
c2=13095063120062097779974070527081507876693191121709938699390212467606444451673018463188917059026307468646743035133125440725404382070023081106408921203784833033918414311077921555812942741835149413503118131837527750773914147553704346395325785033066932850586170939707921231437443228445877551150362056106182544493023070856816826868331368624823083157497076460097194318268087043896775120421878080384043405389184733148396101712952408224574223075652024582768672259152893749081236671766957797998433416800582010130500789821457750906031155425082685565945551613263143888863898305690312122595860844005317675247247221445967298905015
e= 51359

hint: e = e 1 ∗ e 2 e = e_1*e_2 e=e1e2

使用divisors函数分解e,然后遍历所有的因子,再进行共模攻击,再判断字符串中是否包含flag即可。

#sage
from Crypto.Util.number import *
import gmpy2

n=18941897966618549590482921932069269855566887560846003853615076099963108817185327262750999516754222357223603475688339480435312583490395860452876528267241529839128983282347116489462087590022946148697811918490562357700477812317981112859801696914920157218261227248163354934594592989948835696126525303358401172927693681573257245675773302383672536531760449692312660789004434502847176542175872828631412512434830044930393378761413148832473147778681111895140827684384523695468243679431394541437405220444389502412532816429448282704044345362927781837263473315252015292522704945829965688617978850430082494284515433755194353439337
c1=16526118626986017587535672306501535736692950947614409401612053801360048305344788074060161991592465238423703152619212847540401135865568611456448069291895155754469395615728785061984518496536397902069681784511121811306784617822082388392704359591309731536503001254216652492074215090776170134134687632575101823975955490855193514898535824814240480721772488425500309069255541262657807513487602741417690129808594555617044051707040663245698288030031495680697068057476361442627006464925235000245587220216985373423116156019250717175060849008225344903717354712612845144538174414672321666720723995449432568958322357146091477808460
c2=13095063120062097779974070527081507876693191121709938699390212467606444451673018463188917059026307468646743035133125440725404382070023081106408921203784833033918414311077921555812942741835149413503118131837527750773914147553704346395325785033066932850586170939707921231437443228445877551150362056106182544493023070856816826868331368624823083157497076460097194318268087043896775120421878080384043405389184733148396101712952408224574223075652024582768672259152893749081236671766957797998433416800582010130500789821457750906031155425082685565945551613263143888863898305690312122595860844005317675247247221445967298905015
e = 51359
e_list = divisors(e)
for e1 in e_list:
    for e2 in e_list:
        if gmpy2.gcd(e1, e2) == 1:
            g, s1, s2 = gmpy2.gcdext(e1, e2)
            m = pow(c1, s1, n) * pow(c2, s2, n) % n
            flag = long_to_bytes(int(m))
            if b'flag' in flag:
                print(flag)
                break
        else:
            pass

flag:

flag{qwdu534qwf45qf23156qf165vurt54h}
EasyRSA

题目:

from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
from random import *

gift = 0x98efa1cac6d4a1031759ddfb2cb2a1361b76a0327802e5b99e2f98a1a410705fe93f36979441c6b5eab2737bacc66565d425c56c434d04cbc2b3d756d264995f8b198d6887ec2dddfa640d88932604115d80a9f1f0d18538a738016292057518e02b8520d1322f2cc8c500438d24e041ef9d3e70244e327e28d03c371b7d119a387bf7dfaf7b1ad89ce68f0bdf5858d961b48a6080c589a7e5ac9505cb3893510670299d2f4570acca050e26f828056a4276387b69f64a1498552754ede89e21a1c4a5e0754b41aa2c17823b6d84666896d865c9627a3be5cb8ede76461b44f7ed2398cb29f52073f23c5b0b5ac1af048d310ddec9b683ae0535670195ea510012eb16fb60186a5c26f6c516addeade9bed3dea308fc9196de5b5e99b8f8354b9116995dffb350b5b71ee8ae21b776e122508bf4acd8c9c69bb67a8003291b9a217301656ff332d6802db63605aee2a881e0ddf08904e5c8ace0cd44bffdeee7b10e1b5d868b25ddb1248802c7341267f9862b9319cbaada6d7b557425273256505470d2d610232c00d53475693db249299594ee62271589ec4ebd92c0f37d05ca24c556948dd30b3e6b124f059e4776ef219766e805bf7b1003734172e8d2cda130966bd6c5643071efef3e39bc11f6bdfef4ba6e9fa450f7605bcf9ca22c5f12fdec2f8b3ead07a34a427e3602792939873a2481a8dd0e454305b5ce374a77

def make_gift(p, q):
    n_bits = len(bin(p * q)) - 2
    phi = (p - 1) * (q - 1)
    r = randint(11, 111)
    while True:
        a = getPrime(n_bits // 4 - r)
        if gcd(a, phi) != 1:
            continue
        b = invert(a, phi)
        e = invert(b, gift)
        if gcd(e, phi) == 1:
            break
    d = invert(e, phi)
    return (e, d)

p = getPrime(2048)
q = getPrime(2048)
n = p * q
e, d = make_gift(p, q)
c = pow(bytes_to_long(flag), e, n)

print("n:", hex(n))
print("e:", hex(e))
print("c:", hex(c))

'''
n: 0xf5da802f4a0d148a957254c9287bf1515c81088416067574fb614342d15757b84014125fa9b0b2e8158a7321a0bcde32c6b98abede5da9e526dd2e67c148f89ac0787fa55dd2a2922bc0595e67cb347ab923ee251b1e7c395706a8956335032914f152fe30556feb48592be713c120186266a085a96dee08d86283362dd2593c0df06d83050ad7d3ce5a0ae482b32800a80f66f5d8bfa306b365faec72f4cfc02846c222602a660bd024c8b05055ee824a7a14d6c3d1227ecff1c5b95016ba4ac82f3d493c51ba5e07f3d220ec633358165c97062ffe35abba6745cb7e9182aade6f867fe1ade89515ef61e1c20f08b81b19afbc09be357b2cb328fbb341408bc2ac3fbd66ab7eb7470123e8bea12c3f46082c1f37dd9eb9716d2fe92c090b63f64b8fe3e456f08ced64068e9232309c1d71f9723a2cdf643aa3eca2c0d5fcb1ffe95f9c25bd090ea94f408411e1e030016a91b024eba077fd709d69feec798a86160b921fdc058a5d6b041997737789cd4afbab4a92a80f53152ef4c6cfed432de2bf5c1cb53e33cbed6776a1f7ea4b543f688f34c7765eb441246fdccd34f0c07dca305649375d59f62087d5b2bb863f1fc6d74fe47ab1e8cbf948473e7bc08d6bb8801518d908548624a6eea403ac7ec8531920bbb319681887e70fe1c67def9a431e3ed342fae3fe4bbed35f3081ffe54b8d41409a9d017963ceb1261745
e: 0x324029b96d92446e3315b04d321db7228b30a3d0f0be3d16b7356b4259bf54e9203756fbb08713b88dbdc4986cc7ca676888f7b286b648028428af30175f4568d6443ba8f3a96a168fbe60a71addaf63b307e619c1047c24c88f2619c54b565a20fb066639c74bd7187f66e641384acca5dd59ae652873ebf715de7e1ccaa13187377e1a3c2f7ef2a3607a03bd216ef34ba3788bdb4a23b2a0ae158282c773e19635494907f65798e2a8927d6df96a4eb24ff3b40689d8ea4a82587d6dc7a268e5094c049e2321689c9d0f3fe6e261642970946d7454911518198b6e3cf7227a8e5467a6efa2ffff369307121216c65670e1319cfa20da72b4b5f5cd4a2115f360d9da94b84469466ca886d30184059dec26caca654e601c62c17b33dc30dcd66e1b89578267df7cbc4fe5270b72a23861d54426e86e3dfd7a6ae5a38168229d3f6352dfcd3d21674f349af741cc6a858a3e67c55329fb8c0fd21fb50fd2c3174b0ec2e365b0a0f444de1759ecb98a56dbd7830401e663782a564b4de2208606bee3aa98e0970d6f7cdf923c12852caaf86ef75ff438b1879da69b30564fcc7cc9aa38691ce1353fec995eaf4b8d97792b4f627bb7b631ec0dfcf8ee9333f592462ca6f16e99ef5ecece276c25ddb57b03f87266be0038bc78d374161bb8f558b8fca419a7716c984499bf17832ea2eb2e68fd4118fdb2e5a6d49d08dba0db69
c: 0x5951976397efab4db75cecd1d669f64e31da28c82f383b920fe83a1b99a913d1cb60db9d5fc58795ae011a5c5949cc0b1f53ce28e1505aad93a5ffc9e71418f32aff300ff7d9d5de83c5f53535ea6f25bbc31b56bb7f785d95edf10672bb458f6dba81acc3fd9c2de79506ea7520068b17018359642f34c365580a8e200d411f5a80f38b673706b365f0e6d2e6fb3732208acc0ab64e6159310f8fe4076f9cff17192cb8cbf37c0278e5772c1ac7c80314fc8ec6eaa39852a8e67c5592a5d87dd406e189c19c8db635f8d50e48051dc6e29d1d52e233a490cb53e1d1a592fd3883ef25f02beaf90eb4323a6e3b37c814969689c11e696422125ccd7f8a2e4fcb5276784f1d2cb5aaa2b5a5944f6330684c1c9b9c8da6ca25b18b4024d6e859014ed488643193fe1f8a4b7fdc94ad59965e00cc6cfcbb123a04c13bacbfdf2a3fc240d08c416cbb0acfaa416c81aa351c43ab62020ab39ffa3d2ccde402cb7afbde6dcb61ad0270c44560dced8eb70ae6eeb4c3c092428e94fcf334afab39e10eb1a48a02444358d32ca2ebee3045b473c3b7f9629bbce56d599969c2e2e43d6c2d10079c0e7358f5e944020f77d5f79f6cf78952434cc038ffdadccc6ef1e88f0b8cf6cfe1a6b3f0f5ac1492b387c1dc29f6624f6b20fa86c0ed5d71296275df3388467680bf5208afbb39277045f0dd6a3230418e8220ee7a213888a712d682
'''

e ∗ b ≡ 1   m o d   g i f t e*b \equiv1 \space mod \space gift eb1 mod gift,那么可求出b = gmpy2.invert(a,gift)
因为a非常大,满足维纳攻击的条件,我们使用维纳攻击计算出a。现在相当于RSA中已知n,e,d,我们可以根据这三个条件分解n得到p,q,最后简单RSA解密即可。

from Crypto.Util.number import *
import gmpy2
import random

n = 0xf5da802f4a0d148a957254c9287bf1515c81088416067574fb614342d15757b84014125fa9b0b2e8158a7321a0bcde32c6b98abede5da9e526dd2e67c148f89ac0787fa55dd2a2922bc0595e67cb347ab923ee251b1e7c395706a8956335032914f152fe30556feb48592be713c120186266a085a96dee08d86283362dd2593c0df06d83050ad7d3ce5a0ae482b32800a80f66f5d8bfa306b365faec72f4cfc02846c222602a660bd024c8b05055ee824a7a14d6c3d1227ecff1c5b95016ba4ac82f3d493c51ba5e07f3d220ec633358165c97062ffe35abba6745cb7e9182aade6f867fe1ade89515ef61e1c20f08b81b19afbc09be357b2cb328fbb341408bc2ac3fbd66ab7eb7470123e8bea12c3f46082c1f37dd9eb9716d2fe92c090b63f64b8fe3e456f08ced64068e9232309c1d71f9723a2cdf643aa3eca2c0d5fcb1ffe95f9c25bd090ea94f408411e1e030016a91b024eba077fd709d69feec798a86160b921fdc058a5d6b041997737789cd4afbab4a92a80f53152ef4c6cfed432de2bf5c1cb53e33cbed6776a1f7ea4b543f688f34c7765eb441246fdccd34f0c07dca305649375d59f62087d5b2bb863f1fc6d74fe47ab1e8cbf948473e7bc08d6bb8801518d908548624a6eea403ac7ec8531920bbb319681887e70fe1c67def9a431e3ed342fae3fe4bbed35f3081ffe54b8d41409a9d017963ceb1261745
e = 0x324029b96d92446e3315b04d321db7228b30a3d0f0be3d16b7356b4259bf54e9203756fbb08713b88dbdc4986cc7ca676888f7b286b648028428af30175f4568d6443ba8f3a96a168fbe60a71addaf63b307e619c1047c24c88f2619c54b565a20fb066639c74bd7187f66e641384acca5dd59ae652873ebf715de7e1ccaa13187377e1a3c2f7ef2a3607a03bd216ef34ba3788bdb4a23b2a0ae158282c773e19635494907f65798e2a8927d6df96a4eb24ff3b40689d8ea4a82587d6dc7a268e5094c049e2321689c9d0f3fe6e261642970946d7454911518198b6e3cf7227a8e5467a6efa2ffff369307121216c65670e1319cfa20da72b4b5f5cd4a2115f360d9da94b84469466ca886d30184059dec26caca654e601c62c17b33dc30dcd66e1b89578267df7cbc4fe5270b72a23861d54426e86e3dfd7a6ae5a38168229d3f6352dfcd3d21674f349af741cc6a858a3e67c55329fb8c0fd21fb50fd2c3174b0ec2e365b0a0f444de1759ecb98a56dbd7830401e663782a564b4de2208606bee3aa98e0970d6f7cdf923c12852caaf86ef75ff438b1879da69b30564fcc7cc9aa38691ce1353fec995eaf4b8d97792b4f627bb7b631ec0dfcf8ee9333f592462ca6f16e99ef5ecece276c25ddb57b03f87266be0038bc78d374161bb8f558b8fca419a7716c984499bf17832ea2eb2e68fd4118fdb2e5a6d49d08dba0db69
c = 0x5951976397efab4db75cecd1d669f64e31da28c82f383b920fe83a1b99a913d1cb60db9d5fc58795ae011a5c5949cc0b1f53ce28e1505aad93a5ffc9e71418f32aff300ff7d9d5de83c5f53535ea6f25bbc31b56bb7f785d95edf10672bb458f6dba81acc3fd9c2de79506ea7520068b17018359642f34c365580a8e200d411f5a80f38b673706b365f0e6d2e6fb3732208acc0ab64e6159310f8fe4076f9cff17192cb8cbf37c0278e5772c1ac7c80314fc8ec6eaa39852a8e67c5592a5d87dd406e189c19c8db635f8d50e48051dc6e29d1d52e233a490cb53e1d1a592fd3883ef25f02beaf90eb4323a6e3b37c814969689c11e696422125ccd7f8a2e4fcb5276784f1d2cb5aaa2b5a5944f6330684c1c9b9c8da6ca25b18b4024d6e859014ed488643193fe1f8a4b7fdc94ad59965e00cc6cfcbb123a04c13bacbfdf2a3fc240d08c416cbb0acfaa416c81aa351c43ab62020ab39ffa3d2ccde402cb7afbde6dcb61ad0270c44560dced8eb70ae6eeb4c3c092428e94fcf334afab39e10eb1a48a02444358d32ca2ebee3045b473c3b7f9629bbce56d599969c2e2e43d6c2d10079c0e7358f5e944020f77d5f79f6cf78952434cc038ffdadccc6ef1e88f0b8cf6cfe1a6b3f0f5ac1492b387c1dc29f6624f6b20fa86c0ed5d71296275df3388467680bf5208afbb39277045f0dd6a3230418e8220ee7a213888a712d682
gift = 0x98efa1cac6d4a1031759ddfb2cb2a1361b76a0327802e5b99e2f98a1a410705fe93f36979441c6b5eab2737bacc66565d425c56c434d04cbc2b3d756d264995f8b198d6887ec2dddfa640d88932604115d80a9f1f0d18538a738016292057518e02b8520d1322f2cc8c500438d24e041ef9d3e70244e327e28d03c371b7d119a387bf7dfaf7b1ad89ce68f0bdf5858d961b48a6080c589a7e5ac9505cb3893510670299d2f4570acca050e26f828056a4276387b69f64a1498552754ede89e21a1c4a5e0754b41aa2c17823b6d84666896d865c9627a3be5cb8ede76461b44f7ed2398cb29f52073f23c5b0b5ac1af048d310ddec9b683ae0535670195ea510012eb16fb60186a5c26f6c516addeade9bed3dea308fc9196de5b5e99b8f8354b9116995dffb350b5b71ee8ae21b776e122508bf4acd8c9c69bb67a8003291b9a217301656ff332d6802db63605aee2a881e0ddf08904e5c8ace0cd44bffdeee7b10e1b5d868b25ddb1248802c7341267f9862b9319cbaada6d7b557425273256505470d2d610232c00d53475693db249299594ee62271589ec4ebd92c0f37d05ca24c556948dd30b3e6b124f059e4776ef219766e805bf7b1003734172e8d2cda130966bd6c5643071efef3e39bc11f6bdfef4ba6e9fa450f7605bcf9ca22c5f12fdec2f8b3ead07a34a427e3602792939873a2481a8dd0e454305b5ce374a77
#find b,  e*b = 1 mod gift
b = gmpy2.invert(e,gift)

def continuedFra(x, y):
    """计算连分数
    :param x: 分子
    :param y: 分母
    :return: 连分数列表
    """
    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf


def gradualFra(cf):
    """计算传入列表最后的渐进分数
    :param cf: 连分数列表
    :return: 该列表最后的渐近分数
    """
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        # 这里的渐进分数分子分母要分开
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator


def solve_pq(a, b, c):
    """使用韦达定理解出pq,x^2−(p+q)∗x+pq=0
    :param a:x^2的系数
    :param b:x的系数
    :param c:pq
    :return:p,q
    """
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)


def getGradualFra(cf):
    """计算列表所有的渐近分数
    :param cf: 连分数列表
    :return: 该列表所有的渐近分数
    """
    gf = []
    for i in range(1, len(cf) + 1):
        gf.append(gradualFra(cf[:i]))
    return gf


def wienerAttack(e, n):
    """
    :param e:
    :param n:
    :return: 私钥d
    """
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0: continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d

# find a by wiener attack ,which means d in rsa
a = wienerAttack(b,n)

def divide_pq(e, d, n):
    k = e*d - 1
    while True:
        g = random.randint(2, n-1)
        t = k
        while True:
            if t % 2 != 0:
                break
            t //= 2
            x = pow(g, t, n)
            if x > 1 and gmpy2.gcd(x-1, n) > 1:
                p = gmpy2.gcd(x-1, n)
                return (p, n//p)

# known e,d,n  divide p and q
p,q = divide_pq(a,b,n)
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = long_to_bytes(m)
print(flag)

flag:

flag{W1nn3r_4tt4ck_1s_0k_!}

你懂RSA吗

题目:

from gmpy2 import *
from secret import flag, hint
from Crypto.Util.number import *
from sympy import *

m1 = bytes_to_long(flag[:len(flag) // 2])
m2 = bytes_to_long(flag[len(flag) // 2:])

def gete(e, phi):
    while True:
        if gcd(e, phi) == 1:
            return e
        else:
            e = nextprime(e)


# RSA#1
p1 = getPrime(1024)
q1 = nextprime(p1)
n1 = p1 * q1
phi1 = (p1 - 1) * (q1 - 1)
e1 = gete(getPrime(18), phi1)
d1 = invert(e1, phi1)
c1 = pow(m1, e1, n1)
print('c1 = ' + str(c1))
# print('n1 = ' + str(n1) + '\n' +
#       'e1 = ' + str(e1) + '\n')

# RSA#2
p2 = getPrime(1024)
q2 = getPrime(1024)
n2 = q2 * p2
phi2 = (p2 - 1) * (q2 - 1)
e2 = gete(getPrime(17), phi2)
d2 = invert(e2, phi2)
c2 = pow(m2, e2, n2)
print('c2 = ' + str(c2))
# print('p2 = ' + str(p2) + '\n' +
#       'q2 = ' + str(q2) + '\n' +
#       'n2 = ' + str(n2) + '\n' +
#       'e2 = ' + str(e2) + '\n' +
#       'd2 = ' + str(d2))

# RSA#3
p3 = getPrime(512)
q3 = getPrime(512)
n3 = q3 * p3
phi3 = (p3 - 1) * (q3 - 1)
e3 = gete(getPrime(18), phi3)
d3 = invert(e3, phi3)
c3 = pow(bytes_to_long(hint), e3, n3)
print('p3 = ' + str(p3) + '\n' +
      'q3 = ' + str(q3) + '\n' +
      'dp3 = ' + str(d3 % (p3 - 1)) + '\n' +
      'dq3 = ' + str(d3 % (q3 - 1)) + '\n' +
      'c3 = ' + str(c3) + '\n')

'''
c1 = 22174029170472408206925317076073043420894146164245984513340870318355661512525991461242672876579919328182461896419967224664448944167711125659536698909328115475500945822640519133190059966264237324981949930399526364419738220809569927722192868778639813090738131657587264840367644694061115160773023580543920084929748399148178702225712911176256956224775128704303027831752557351932432075076157070898061567672702897151144619971875201217685327600270527780313430553318062411578705980314887424183403168239225614870874838731789712153752400767845145106178451674432872533188785420237737349888569724838577725179304747976155836528847
c2 = 10006956750702744303137845836730927141799706624172551459783330437667128195604549377600905839723612359687545817501794804478132211323657104751029372453359464026864968972464883675500595304223093507632350492084010491130081665728182685954048949109653693249111253069794108059350353213391544115840233839828208072185801721609295479840358583549661814221304084750980072823512963591716048308048539407543323924798329369799578602466336065436323363597239602321921514918868038140356589054841516163876544415605778360640782130481614039149302608722444909890759048138800702326642667527192623969418036087996474429011639448153049587797462
p3 = 687104299205124+2891353553828899476415458203263978116790716337081548776068741385334659024997003813526251309677426804084745771024501352235018170100684175461
q3 = 6834465353091839104371740967212016644595780246793635968655238380829500111702811200820371080007560944435951010124236903046782106679767154721052005084109581
dp3 = 467439171809080897562812158716113371309992932574365431517842223709652090731602413652476839178504114432476940007157603066114339287906444433126732288932893
dq3 = 3431333508698715944036764699886242262043494073402064203167658489949139507430255388444870068919384813249331639339226259968646375217058269607167202636893253
c3 = 37748087350954498108276083391021015026310493963518031097482650818277570058294408094828106125531413903496569964230242579745002006918502804782348770630190106624647053817071228704522300210169354364199058884898426724603517264523516972890674703377695391122729953449202278272630556978735605677793006582502650005834
'''

Challenge.txt:

由于在生成公钥对的过程中电脑卡了卡,导致转为{hint}后部分数据混乱,公钥部分无法正常解析,私钥部分少了前三个数据和最后一个数据,但幸运的是重要数据并没有损坏

-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGjK21FO8/FjPZM+gGJ3
TvykTBocH9CReiBWuzkZwZmVt6wTJzerWS+DPRFJo7IviUxR0VOncEwxNgBzy5Ii
DXDvR6gwSXRjCvKD8fHBg3I96Lj2yV29t0J0mVyCoWqVAnxv09cUBIa25K5vmUIU
Pd1pA1m2xDLCQ54knHUjwK/fayGMrHHrT+bhSSFSIIguqKUOQ5ucgwWApTTF8CF7
yXITpq3kkYoZtSS4XewWr90xE+4v6vXNJ6vWJnxjaztEJ5meThH0DTgGTyq2/R59
jlCQ7suLqjH0S8HtSGQ4bM7sJkL+3WWDoyCgqKNvMpJmx9cQ5Gq8qgQ5ZZnqEI+0
MQIDAjKf
-----END RSA PUBLIC KEY-----

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKBgQD3z3W6ws4Svfnng1Cw6MpyM/V25hiIUR0JYkJg3FsfQ4C2mIET
Cf38dVSoyqDmyelOGTN34RH/h+tA5t/qXZwsdx+xVyT1eL5He2DRdO6jZb+NIn4a
mbEAAWIeBEgLXTZ4YKVLw+WluoFhaFyLILPWEDalfuc35gyF7BEIU8hK5QKBgQDS
JFoZ30p9ysWinUf5vHppnHxR14J7wFs+gXg1cDT64/cQNlcj4/DpJmAL52yAexbm
Wi5VtiD3o7+qjNH+X8l6Z5+uIOSouj4Vnnz6z5xfmO4DlR7DSNO5wa6Elt/zGZt0
OulmGJqaNftLEK2Tp4EE63fuMww15aBOyuNBhMNTLQKBgBwPfNhKCMWsh2jEwNVX
dt0ZrxjokyyUasJOQw/uw861eRS0DiGWxxDYRF7cmv2nLWjvh5lyffQ+ctAllINY
WD/cuVT+divpoTo86Uiugfs0oU0c88SVVKqYfYDCoVnQE0PsRatfolhy1wWtqJUE
ffimW1nAFfSJcy+S/JbBzfNVAoGAeLRAvNOxagfq9bj5+sz0U217S1dKr+KRhpm/
fpJxHBuNclaEPy1S19kfGjdX74TEZpQuQTVYQmZgVYqFpGNIy3JyGgby0KgJuUlL
6JUP8Slardwdy3Yth2lk4Ov4vx5aWKzuG6LOSv3u1fNCgKmaRkUqojvYK602I4wO
dTfZKhE=
-----END RSA PRIVATE KEY-----

RSA1
这一部分考虑 pem公钥格式的解析

在PKCS#1 RSA算法标准中定义RSA共钥语法为:

RSAPublicKey ::= SEQUENCE {
    modulus           INTEGER,  -- n
    publicExponent    INTEGER   -- e
}

将base64字符串解码后,再转换为16进制

30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc68cadb514ef3f1633d933e806277
4efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb9222
0d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f994214
3ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217b
c97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d
8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb4
31020302329f

30820122:表示后面是一个SEQUENCE,总长度为0x122,即使290字节
02820101:表示后面是一个INTEGER,长度是0101即257字节,后面跟的00 …即为n的内容,257字节
0203:表示后面是一个INTEGER,长度是03即3字节,内容 0x02329f,这就是e。

获取到的数据如下:

n1 = 0xcc68cadb514ef3f1633d933e8062774efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb92220d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f9942143ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217bc97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb431
e1 = 0x2329f

又因为p和q相近,所以直接对n1进行开方,然后往后循环取下一个素数直到能被n1整除为止,此时q为所求。

common_key = '''MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGjK21FO8/FjPZM+gGJ3
TvykTBocH9CReiBWuzkZwZmVt6wTJzerWS+DPRFJo7IviUxR0VOncEwxNgBzy5Ii
DXDvR6gwSXRjCvKD8fHBg3I96Lj2yV29t0J0mVyCoWqVAnxv09cUBIa25K5vmUIU
Pd1pA1m2xDLCQ54knHUjwK/fayGMrHHrT+bhSSFSIIguqKUOQ5ucgwWApTTF8CF7
yXITpq3kkYoZtSS4XewWr90xE+4v6vXNJ6vWJnxjaztEJ5meThH0DTgGTyq2/R59
jlCQ7suLqjH0S8HtSGQ4bM7sJkL+3WWDoyCgqKNvMpJmx9cQ5Gq8qgQ5ZZnqEI+0
MQIDAjKf'''
#common_key = "".join(common_key.split("\n"))
common_key = common_key.split("\n")
for i in common_key:
    print(base64.b64decode(i).hex())

c1 = 22174029170472408206925317076073043420894146164245984513340870318355661512525991461242672876579919328182461896419967224664448944167711125659536698909328115475500945822640519133190059966264237324981949930399526364419738220809569927722192868778639813090738131657587264840367644694061115160773023580543920084929748399148178702225712911176256956224775128704303027831752557351932432075076157070898061567672702897151144619971875201217685327600270527780313430553318062411578705980314887424183403168239225614870874838731789712153752400767845145106178451674432872533188785420237737349888569724838577725179304747976155836528847
n1 = 0xcc68cadb514ef3f1633d933e8062774efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb92220d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f9942143ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217bc97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb431
e1 = 0x2329f
q1_near = gmpy2.iroot(n1,2)[0]
while n1%q1_near!=0:
    q1_near = gmpy2.next_prime(q1_near)
q1 = q1_near
p1 = n1//q1
phi1 = (p1 - 1) * (q1 - 1)
d1 = gmpy2.invert(e1,phi1)
m1 = pow(c1,d1,n1)
flag1 = long_to_bytes(m1)

RSA2
这一部分考虑 pem私钥格式的解析
在PKCS#1 RSA算法标准中定义RSA私钥语法为:

RSAPrivateKey ::= SEQUENCE {

version Version,

modulus INTEGER, -- n

publicExponent INTEGER, -- e

privateExponent INTEGER, -- d

prime1 INTEGER, -- p

prime2 INTEGER, -- q

exponent1 INTEGER, -- d mod (p-1)

exponent2 INTEGER, -- d mod (q-1)

coefficient INTEGER, -- (inverse of q) mod p

otherPrimeInfos OtherPrimeInfos OPTIONAL

}

将base64字符串解码后,再转换为16进制

308204a202010002818100f7cf75bac2ce12bdf9e78350b0e8ca7233f576e61888511d09624260dc5b1f4380b6988113
09fdfc7554a8caa0e6c9e94e193377e111ff87eb40e6dfea5d9c2c771fb15724f578be477b60d174eea365bf8d227e1a
99b10001621e04480b5d367860a54bc3e5a5ba8161685c8b20b3d61036a57ee737e60c85ec110853c84ae502818100d2
245a19df4a7dcac5a29d47f9bc7a699c7c51d7827bc05b3e8178357034fae3f710365723e3f0e926600be76c807b16e6
5a2e55b620f7a3bfaa8cd1fe5fc97a679fae20e4a8ba3e159e7cfacf9c5f98ee03951ec348d3b9c1ae8496dff3199b74
3ae966189a9a35fb4b10ad93a78104eb77ee330c35e5a04ecae34184c3532d0281801c0f7cd84a08c5ac8768c4c0d557
76dd19af18e8932c946ac24e430feec3ceb57914b40e2196c710d8445edc9afda72d68ef8799727df43e72d025948358
583fdcb954fe762be9a13a3ce948ae81fb34a14d1cf3c49554aa987d80c2a159d01343ec45ab5fa25872d705ada89504
7df8a65b59c015f489732f92fc96c1cdf35502818078b440bcd3b16a07eaf5b8f9faccf4536d7b4b574aafe2918699bf
7e92711c1b8d7256843f2d52d7d91f1a3757ef84c466942e413558426660558a85a46348cb72721a06f2d0a809b9494b
e8950ff1295aaddc1dcb762d876964e0ebf8bf1e5a58acee1ba2ce4afdeed5f34280a99a46452aa23bd82bad36238c0e
7537d92a11

根据题目提示:私钥部分少了前三个数据和最后一个数据
也就是说私钥的数据只剩下p,q,dp,dq。
第一个028181:表示INTEGER,长度为129 bytes,其内容为:p
第二个028181:表示INTEGER,长度为129 bytes,其内容为:q
第一个028180:表示INTEGER,长度为128 bytes,其内容为:dp
第二个028180:表示INTEGER,长度为128 bytes,其内容为:dq
获取到的数据如下:

p = 0x00f7cf75bac2ce12bdf9e78350b0e8ca7233f576e61888511d09624260dc5b1f4380b698811309fdfc7554a8caa0e6c9e94e193377e111ff87eb40e6dfea5d9c2c771fb15724f578be477b60d174eea365bf8d227e1a99b10001621e04480b5d367860a54bc3e5a5ba8161685c8b20b3d61036a57ee737e60c85ec110853c84ae5
q = 0x00d2245a19df4a7dcac5a29d47f9bc7a699c7c51d7827bc05b3e8178357034fae3f710365723e3f0e926600be76c807b16e65a2e55b620f7a3bfaa8cd1fe5fc97a679fae20e4a8ba3e159e7cfacf9c5f98ee03951ec348d3b9c1ae8496dff3199b743ae966189a9a35fb4b10ad93a78104eb77ee330c35e5a04ecae34184c3532d
dp = 0x1c0f7cd84a08c5ac8768c4c0d55776dd19af18e8932c946ac24e430feec3ceb57914b40e2196c710d8445edc9afda72d68ef8799727df43e72d025948358583fdcb954fe762be9a13a3ce948ae81fb34a14d1cf3c49554aa987d80c2a159d01343ec45ab5fa25872d705ada895047df8a65b59c015f489732f92fc96c1cdf355
dq = 0x78b440bcd3b16a07eaf5b8f9faccf4536d7b4b574aafe2918699bf7e92711c1b8d7256843f2d52d7d91f1a3757ef84c466942e413558426660558a85a46348cb72721a06f2d0a809b9494be8950ff1295aaddc1dcb762d876964e0ebf8bf1e5a58acee1ba2ce4afdeed5f34280a99a46452aa23bd82bad36238c0e7537d92a11

由前一半flag可知,后一半flag为20字节,显然flag长度远比p短。
那么我们就可以直接利用dp和p进行解密获得m。

import gmpy2
from Crypto.Util.number import  *
import base64

#find flag1
common_key = '''MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGjK21FO8/FjPZM+gGJ3
TvykTBocH9CReiBWuzkZwZmVt6wTJzerWS+DPRFJo7IviUxR0VOncEwxNgBzy5Ii
DXDvR6gwSXRjCvKD8fHBg3I96Lj2yV29t0J0mVyCoWqVAnxv09cUBIa25K5vmUIU
Pd1pA1m2xDLCQ54knHUjwK/fayGMrHHrT+bhSSFSIIguqKUOQ5ucgwWApTTF8CF7
yXITpq3kkYoZtSS4XewWr90xE+4v6vXNJ6vWJnxjaztEJ5meThH0DTgGTyq2/R59
jlCQ7suLqjH0S8HtSGQ4bM7sJkL+3WWDoyCgqKNvMpJmx9cQ5Gq8qgQ5ZZnqEI+0
MQIDAjKf'''
#common_key = common_key.split("\n")
#for i in common_key:
#    print(base64.b64decode(i).hex())

c1 = 22174029170472408206925317076073043420894146164245984513340870318355661512525991461242672876579919328182461896419967224664448944167711125659536698909328115475500945822640519133190059966264237324981949930399526364419738220809569927722192868778639813090738131657587264840367644694061115160773023580543920084929748399148178702225712911176256956224775128704303027831752557351932432075076157070898061567672702897151144619971875201217685327600270527780313430553318062411578705980314887424183403168239225614870874838731789712153752400767845145106178451674432872533188785420237737349888569724838577725179304747976155836528847
n1 = 0xcc68cadb514ef3f1633d933e8062774efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb92220d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f9942143ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217bc97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb431
e1 = 0x2329f
q1_near = gmpy2.iroot(n1,2)[0]
while n1%q1_near!=0:
    q1_near = gmpy2.next_prime(q1_near)
q1 = q1_near
p1 = n1//q1
phi1 = (p1 - 1) * (q1 - 1)
d1 = gmpy2.invert(e1,phi1)
m1 = pow(c1,d1,n1)
flag1 = long_to_bytes(m1)


#find flag2
private_key = '''MIIEogIBAAKBgQD3z3W6ws4Svfnng1Cw6MpyM/V25hiIUR0JYkJg3FsfQ4C2mIET
Cf38dVSoyqDmyelOGTN34RH/h+tA5t/qXZwsdx+xVyT1eL5He2DRdO6jZb+NIn4a
mbEAAWIeBEgLXTZ4YKVLw+WluoFhaFyLILPWEDalfuc35gyF7BEIU8hK5QKBgQDS
JFoZ30p9ysWinUf5vHppnHxR14J7wFs+gXg1cDT64/cQNlcj4/DpJmAL52yAexbm
Wi5VtiD3o7+qjNH+X8l6Z5+uIOSouj4Vnnz6z5xfmO4DlR7DSNO5wa6Elt/zGZt0
OulmGJqaNftLEK2Tp4EE63fuMww15aBOyuNBhMNTLQKBgBwPfNhKCMWsh2jEwNVX
dt0ZrxjokyyUasJOQw/uw861eRS0DiGWxxDYRF7cmv2nLWjvh5lyffQ+ctAllINY
WD/cuVT+divpoTo86Uiugfs0oU0c88SVVKqYfYDCoVnQE0PsRatfolhy1wWtqJUE
ffimW1nAFfSJcy+S/JbBzfNVAoGAeLRAvNOxagfq9bj5+sz0U217S1dKr+KRhpm/
fpJxHBuNclaEPy1S19kfGjdX74TEZpQuQTVYQmZgVYqFpGNIy3JyGgby0KgJuUlL
6JUP8Slardwdy3Yth2lk4Ov4vx5aWKzuG6LOSv3u1fNCgKmaRkUqojvYK602I4wO
dTfZKhE='''
#private_key = private_key.split("\n")
#for i in private_key:
#    print(base64.b64decode(i).hex())
c2 = 10006956750702744303137845836730927141799706624172551459783330437667128195604549377600905839723612359687545817501794804478132211323657104751029372453359464026864968972464883675500595304223093507632350492084010491130081665728182685954048949109653693249111253069794108059350353213391544115840233839828208072185801721609295479840358583549661814221304084750980072823512963591716048308048539407543323924798329369799578602466336065436323363597239602321921514918868038140356589054841516163876544415605778360640782130481614039149302608722444909890759048138800702326642667527192623969418036087996474429011639448153049587797462
p = 0x00f7cf75bac2ce12bdf9e78350b0e8ca7233f576e61888511d09624260dc5b1f4380b698811309fdfc7554a8caa0e6c9e94e193377e111ff87eb40e6dfea5d9c2c771fb15724f578be477b60d174eea365bf8d227e1a99b10001621e04480b5d367860a54bc3e5a5ba8161685c8b20b3d61036a57ee737e60c85ec110853c84ae5
dp = 0x1c0f7cd84a08c5ac8768c4c0d55776dd19af18e8932c946ac24e430feec3ceb57914b40e2196c710d8445edc9afda72d68ef8799727df43e72d025948358583fdcb954fe762be9a13a3ce948ae81fb34a14d1cf3c49554aa987d80c2a159d01343ec45ab5fa25872d705ada895047df8a65b59c015f489732f92fc96c1cdf355
m2 = pow(c2,dp,p)
flag2 = long_to_bytes(m2)
print(flag1+flag2)

flag:

DASCTF{c67a14c8aff505b6bfe85fb167d1a096}

【当个好人能理直气壮,可如果知道当好人要付出这么大的代价,还有几个人敢当好人?】

3tefanie
关注
专栏目录
CTF秀--七夕杯
m0_59022585的博客
07-11 163
根据题目内容提示将密文以-位置进行拆分。将密钥(后部分)以16进制转成2进制,再将密文使用脚本进行处理(对应密钥为1则大写,对应为0则小写)。得到一张图片,通过010Editor使用字符串搜索ctf,得到flag。进行base64解密得到flag。
关于Detectron库预训练模型权重转换
dejahu的博客
12-13 1093
detectron模型格式转换
[Cyber Apocalypse 2023: Crypto]
weixin_52640415的博客
03-24 912
SmartAttack求椭圆曲线私钥,CopperSmith法求两个参数和方程,Babai法求SVP,多点求椭圆曲线参数p,a,b 明文不同但md5相同的明文
MoeCTF2022 部分Crypto 复现
Luiino的博客
11-05 3353
用基础方法解不出来,原因是e与phi_n不互素,又phi_n = (p-1)*(q-1),求gcd(e,(p-1))和gcd(e,(q-1)),发现e与p-1互素。choice用法:从非空序列中随机选取一个数据并带回,该序列可以是list、tuple、str、set。,计算delt + N是否为完全平方数,如果为完全平方数,那么delt + N =Wilson定理:如果p是素数,则(p − 1)!可以知道p、q相近,则|p-q|很小,进而。因此,我们可以爆破差值delt,即。与 N 相差很小,从而。
[xctf crypto] simpleRSA
weixin_52640415的博客
11-12 960
RSA 求根公式,中国剩余定理,e与phi不互素
CTF-密码学-Crypto-学习路径-知识导图-crypto-instruction
最新发布
10-23
CTF-密码学-Crypto-学习路径-知识导图-crypto-instruction
ctf-crypto-js:一个发布CTF竞赛加密工具的简单网站
05-10
【描述】"ctf-crypto-js"项目的主要目标是简化在CTF比赛中涉及的加密工具的使用。由于其基于JavaScript,这个网站可以在任何支持该语言的浏览器上运行,无需安装额外软件。这使得它对参赛者来说非常方便,无论他们...
Backdoor-CTF-Crypto-400.rar
09-30
"Backdoor-CTF-Crypto-400"可能是一个中级难度的题目,其难度级别为400,暗示着这可能是一个需要深入理解和应用密码学知识才能解决的问题。下面,我们将深入探讨可能涉及的密码学知识点。 1. **加密算法**:题目中...
ctf-all-in-one
01-30
ctf-all-in-one
CTF-100题.-天天练习-学习
11-01
CTF-100题.-----------------天天练习------------------学习 100小题,试例练习
[dasctf]crypto3 可以写个方程吗?
amber_o0k的博客
09-02 308
hint和n分解pq然后常规rsa,解出来的m就是题中的flag。奇怪的是sage居然解不出来,sympy可以。
做题杂记555
Emmaaaaa's blog
12-05 1042
RealField(),dp高位攻击
2020祥云杯 crypto-more_calc
rang的博客
11-30 447
import gmpy2 from Crypto.Util.number import * flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}" p = getStrongPrime(2048) for i in range(1, (p+1)//2): s += pow(i, p-2, p) s = s % p q = gmpy2.next_prime(s) n = p*q e = 0x10001 c = pow(bytes_to_long(f
CTF Crypto ---已知p**2+q**2且e值较小
3tefanie丶zhou的博客
09-16 1314
【男子年轻时候,总是想着自己有什么,就给女子什么,这没什么不好的。不同的岁月,不同的情爱,各有千秋,没有高下之分,好坏之别。人生无遗憾,太过圆满,事事无错,反而不美,就很难让人年老之后,时时惦念了。
【密码学】破解RSA密码(Python代码实现)
热门推荐
Mitchell_Donovan的博客
12-26 1万+
题目描述 已知有人写了如下的代码,并将生成的(n,e,c)以及(n2,e2,c2,(p2+1)*(q2+1))输出。 from Crypto.Util.number import * def ef(): p=getPrime(512) q=getPrime(512) flag=open("flag","rb").read() m=bytes_to_long(flag) e=65537 n=p*q c=pow(m,e,n) print(n,...
BUUCTF_Crypto题目题解记录1
Altering_Ji的博客
07-14 3075
记录来自buu平台上的三道密码学题目,[NCTF2019]childRSA、[HDCTF2019]bbbbbbrsa、[NCTF2019]Keyboard
[moeCTF 2023] crypto
weixin_52640415的博客
10-24 705
这个比赛从8月到10月,漫长又不分段。结束了以后前边的都基本上忘光了。还是分段提交的好点,有机会写写。不过反正也是新生赛,又不是新生只是打个热闹。
密码刷题记录(1)
2302_80339723的博客
02-15 1101
题目已知flag1,flag2,e1,e2,n;满足flag1=m1^e1%n;求m1运行结果为1,说明e1和e2互素由扩展欧几里得定理,存在x,y;使得xe1+ye2=gcd(e1,e2)=1解析代码函数计算了e1和e2的最大公约数,并返回了扩展欧几里得算法的结果,其中d是最大公约数(d=1),x和y是满足贝祖等式的系数。2.m=pow(flag1,x,n)*pow(flag2,y,n)%n:使用了中国剩余定理(CRT),pow()函数的第一个参数是底数,第二个参数是指数,第三个参数是模数,
CTFshow-菜狗杯-Crypto-g4的密码小课堂-ACMer也想玩密码学-@bash-This is Sparta
qq_31415417的博客
03-03 1259
CTFshow-菜狗杯-Crypto-g4的密码小课堂-ACMer也想玩密码学-@bash-This is Sparta
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值