# [LitCTF 2023]babyLCG

Problem: [[LitCTF 2023]babyLCG](https://www.nssctf.cn/problem/3977)

# 库
from math import gcd
from functools import reduce
from Crypto.Util.number import *

# 已知
result = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]

# 运用所推导的来写代码
# 第一阶段，获得模数m
list1 = [s1 - s0 for s0, s1 in zip(result, result[1:])]
list2 = [t2*t0 - t1*t1 for t0, t1, t2 in zip(list1, list1[1:], list1[2:])]

m = abs(reduce(gcd, list2))  # 我看佬给的代码的abs()函数是套在reduce外面的，但我个人感觉abs()应该放在前面，是给list2中所有结果套上绝对值，因为两次连续相减得出的m的倍数有可能是负数，而math.gcd可能算不了正数和负数的最大公因数
# print(m)

# 第二阶段，获得常数A, B
'''
A_son = result[2] - result[1]
A_mother = result[1] - result[0]
A = pow(A_son//A_mother,1,m)
# print(A)
B = pow(result[1]- A*result[0],1,m)
# print(B)
'''
A_son = result[2] - result[1]
A_mother_ni = inverse(result[1] - result[0],m)
A = pow(A_son*A_mother_ni,1,m)
# print(A)
B = pow(result[1]- A*result[0],1,m)
# print(B)

# 第三阶段，逆推回seed
'''
seed = pow((result[0] - B)//A, 1, m)
print(seed)
# print(result[0] == B)
# print((result[0] - B)//A == m)
print((result[0] - B)/A)
flag = long_to_bytes(m)
print(flag)
'''
# 当时看到seed等于0，人傻了，
# 前面没错，后面我print(result[0] == B)、((result[0] - B)//A == m)都显示False，
# 后面看了一下(result[0] - B)/A才发现问题了，意识到A太大了，然后突然想到在模运算中除法相当于乘上它的逆元，是这一步出了问题

A_ni = inverse(A, m)
seed = (result[0] - B)*A_ni % m
# print(seed)
flag = long_to_bytes(seed)
print(flag)

# 在结尾也出乱码了，一开始没找到问题所在，去看来一下wp才发现上面这个问题（在模运算中直接使用除法）犯了两次，在求A的时候也犯了。

# 终于自己清晰地解出来flag了，算是脱离脚本小子的一小步了

• 9
点赞
• 7
收藏
觉得还不错? 一键收藏
• 打赏
• 0
评论
10-09 278
05-15 398
05-14 1616
05-18 588
05-17 1191
05-21 322
05-14

s_a2g1a3j1

¥1 ¥2 ¥4 ¥6 ¥10 ¥20

1.余额是钱包充值的虚拟货币，按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载，可以购买VIP、付费专栏及课程。