CRYPTO——badkey1
在 test.py 源码中逐个分析能够触发 ValueError 的条件,可以得到这一条:
Integer(n).gcd(d) != 1
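根据贝祖定理(裴蜀定理),构造一组 p、q,使私钥 d 是 p 的倍数:令 d = x·p,代入 e·d − k·(p−1)(q−1) = 1,得到 x·(p·e) + (q−1)·(−k·(p−1)) = 1,用扩展欧几里得算法即可解出 q−1。这样 d 与 n = p·q 有公因子 p,gcd(n, d) ≠ 1,正好满足上面的条件。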
import gmpy2
from Crypto.Util.number import *
from pwn import *
from f61d import *
def find_q(p, e):
    """Search for a prime q that makes the RSA private exponent a multiple of p.

    For each k in [2, e) the extended Euclidean algorithm is asked for Bezout
    coefficients of ``p * e`` and ``-k * (p - 1)``.  When the two numbers are
    coprime the coefficients satisfy
    ``x * (p * e) + y * (-k * (p - 1)) == 1``, which is the RSA relation
    ``e * d - k * (p - 1) * (q - 1) == 1`` with ``d = x * p`` and
    ``q - 1 = y``.

    The relation only pins d modulo ``(p - 1) * (q - 1)``, so the caller
    should recompute d and confirm ``gcd(d, n) != 1`` before relying on the
    result.

    Args:
        p: the prime already chosen for the key.
        e: the public exponent; also the exclusive upper bound for k.

    Returns:
        The first ``y + 1`` that passes the bit-length and primality filter,
        or None when no k in the range produces one.
    """
    pe = p * e  # loop-invariant first argument of the extended gcd
    for k in range(2, e):
        g, _x, y = gmpy2.gcdext(pe, -k * (p - 1))
        if g == 1:
            q = y + 1
            # NOTE(review): the sample q printed further down this page is a
            # 512-bit number, so it could not have passed a 514-bit filter.
            # The width here may have been meant as len(bin(q)) == 514, i.e.
            # 512 bits -- confirm against the challenge's test.py.
            if q.bit_length() == 514 and gmpy2.is_prime(q):
                return q
    return None
# Build one candidate key pair: fixed public exponent, a random 512-bit p,
# and a q derived from p by find_q.
e = 0x10001
p = getPrime(512)
q = find_q(p, e)

# find_q returns None when no k works for this p; nothing is printed in that
# case and the script has to be run again to draw a fresh p.
if q is not None:
    # Recompute d the ordinary way instead of trusting the Bezout coefficient.
    d = gmpy2.invert(e, (p - 1) * (q - 1))
    n = p * q
    # Sanity check: this should print a value other than 1, which is the
    # `Integer(n).gcd(d) != 1` condition quoted at the top of the write-up.
    print(gmpy2.gcd(d, n))
    print(f"{p = }\n{q = }")
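# Key pair printed by the generation step above, one assignment per line
# (the page had both fused onto a single line, which is not valid Python).
p = 7378741151929625973672795363278532984350492730594907630986460997297453092453567171735676828543573366713748697495789118192695779142601232649170918185905463
q = 11896423064727499601640790258897072945883616111753208009949059738846244887278162840429756264234331641191298732607336488359383668388835902163077670881285961

# The write-up elides the challenge address (`..` in the original); these are
# placeholders to fill in before running.
ip = "CHALLENGE_HOST"  # placeholder
port = 0  # placeholder

# level='debug' makes pwntools log the traffic on this connection.
r = remote(ip, port, level='debug')

# prove() is imported from f61d (not shown here); it presumably solves the
# proof-of-work prompt that ends with ': ' -- confirm against that module.
ppp = prove(r.recvuntil(b': '), 0)
r.sendline(ppp)

# Submit p and q as decimal strings at the service's prompts.
r.sendlineafter(b'p = ', str(p).encode())
r.sendlineafter(b'q = ', str(q).encode())

# recvall() reads until the server closes the connection.
print(r.recvall())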
运行得到flag