CRYPTO——badkey1

在 test.py 源码中逐个分析可以使 ValueError 的条件可以得到这个：

Integer(n).gcd(d) != 1

根据贝祖定理找一个私钥 d 是 p 的倍数的情况

import gmpy2from Crypto.Util.number 
import *from pwn 
import *from f61d 
import *
def find_q(p, e):    
    for k in range(2, e):        
        g, x, y = gmpy2.gcdext(p * e, -k * (p - 1))        
        if g != 1:            
            continue        
            q = y + 1        
            if q.bit_length() == 514 and gmpy2.is_prime(q):            
                return q    
            return None

e = 0x10001
p = getPrime(512)
q = find_q(p, e)
if q is not None:    
    n = p * q    
    d = gmpy2.invert(e, (p - 1) * (q - 1))    
    print(gmpy2.gcd(d, n))    
    print(f"{p = }\n{q = }")

p = 7378741151929625973672795363278532984350492730594907630986460997297453092453567171735676828543573366713748697495789118192695779142601232649170918185905463q = 11896423064727499601640790258897072945883616111753208009949059738846244887278162840429756264234331641191298732607336488359383668388835902163077670881285961
ip = ..
port = ..
r = remote(ip,port,level='debug')
ppp = prove(r.recvuntil(b': '),0)
r.sendline(ppp)
r.sendlineafter(b'p = ',str(p).encode())
r.sendlineafter(b'q = ',str(q).encode())
print(r.recvall())

运行得到flag