寒假刷题记录
寒假刷题记录
1/16
[MRCTF2020]babyRSA
import sympy
import random
from gmpy2 import gcd, invert
from Crypto.Util.number import getPrime, isPrime, getRandomNBitInteger, bytes_to_long, long_to_bytes
from z3 import *
flag = b"MRCTF{xxxx}"
base = 65537
def GCD(A):
B = 1
for i in range(1, len(A)):
B = gcd(A[i-1], A[i])
return B
def gen_p():
P = [0 for i in range(17)]
P[0] = getPrime(128)
for i in range(1, 17):
P[i] = sympy.nextprime(P[i-1])
print("P_p :", P[9])
n = 1
for i in range(17):
n *= P[i]
p = getPrime(1024)
factor = pow(p, base, n)
print("P_factor :", factor)
return sympy.nextprime(p)
def gen_q():
sub_Q = getPrime(1024)
Q_1 = getPrime(1024)
Q_2 = getPrime(1024)
Q = sub_Q ** Q_2 % Q_1
print("Q_1: ", Q_1)
print("Q_2: ", Q_2)
print("sub_Q: ", sub_Q)
return sympy.nextprime(Q)
if __name__ == "__main__":
_E = base
_P = gen_p()
_Q = gen_q()
assert (gcd(_E, (_P - 1) * (_Q - 1)) == 1)
_M = bytes_to_long(flag)
_C = pow(_M, _E, _P * _Q)
print("Ciphertext = ", _C)
'''
P_p : 206027926847308612719677572554991143421
P_factor : 213671742765908980787116579976289600595864704574134469173111790965233629909513884704158446946409910475727584342641848597858942209151114627306286393390259700239698869487469080881267182803062488043469138252786381822646126962323295676431679988602406971858136496624861228526070581338082202663895710929460596143281673761666804565161435963957655012011051936180536581488499059517946308650135300428672486819645279969693519039407892941672784362868653243632727928279698588177694171797254644864554162848696210763681197279758130811723700154618280764123396312330032986093579531909363210692564988076206283296967165522152288770019720928264542910922693728918198338839
Q_1: 103766439849465588084625049495793857634556517064563488433148224524638105971161051763127718438062862548184814747601299494052813662851459740127499557785398714481909461631996020048315790167967699932967974484481209879664173009585231469785141628982021847883945871201430155071257803163523612863113967495969578605521
Q_2: 151010734276916939790591461278981486442548035032350797306496105136358723586953123484087860176438629843688462671681777513652947555325607414858514566053513243083627810686084890261120641161987614435114887565491866120507844566210561620503961205851409386041194326728437073995372322433035153519757017396063066469743
sub_Q: 168992529793593315757895995101430241994953638330919314800130536809801824971112039572562389449584350643924391984800978193707795909956472992631004290479273525116959461856227262232600089176950810729475058260332177626961286009876630340945093629959302803189668904123890991069113826241497783666995751391361028949651
Ciphertext = 1709187240516367141460862187749451047644094885791761673574674330840842792189795049968394122216854491757922647656430908587059997070488674220330847871811836724541907666983042376216411561826640060734307013458794925025684062804589439843027290282034999617915124231838524593607080377300985152179828199569474241678651559771763395596697140206072537688129790126472053987391538280007082203006348029125729650207661362371936196789562658458778312533505938858959644541233578654340925901963957980047639114170033936570060250438906130591377904182111622236567507022711176457301476543461600524993045300728432815672077399879668276471832
'''
题目中的def GCD()似乎是P用没有的 亏我研究半天
第一步解出p,是一串连续的质数并给出了其中的第10个(一共17个)只要用sympy的prevprime和nextprime可以很轻松的得到这17个质数然后算n,φ,d,解出p再nextprime
第二步解出q,已经给出了q的运算方法但是按照Q = sub_Q ** Q_2 % Q_1的方式是无法在短时间解出来的所以使用pow方法结果是一样的
随后直接解出flag 这么简单的题目就不要看本fw的脚本了吧
[网鼎杯 2020 青龙组]you_raise_me_up
是一道考察离散对数的题目(没错就是我不会)
题目本身没有难点所以就简述一下知识点:
离散对数问题:已知g的x次方模p等于h,g h p已知求x,可以使用x=sympy.discrete_log(p,h,g)
[UTCTF2020]basic-crypto
是道ex人的古典密码但我还是写了
第一步二进制转十进制然后ASCII码转字符
第二步base64(无换表)
第三步维吉尼亚在线破解https://www.guballa.de/vigenere-solver
第四步字符替换在线破解quipqiup - cryptoquip and cryptogram solver
下次一定直接跳(
[HDCTF2019]together
这是一道简单的共模攻击的题目但是本fw还是花了好长时间才完成
因为公钥文件私钥文件flagenc啥的实在是太为难我了(bushi
下面是一些openssl的东西
提取公钥文件信息:openssl rsa -pubin -text -modulus -in warmup -in pubkey.pem
生成私钥文件:python rsatool.py -o private.pem -e xxx-p xxx -q xxx
用private.pem文件 解密 flag.enc文件:openssl rsautl -decrypt -in flag.enc -inkey private.pem
但这不是这道题目搞我心态的地方(因为起码知道在哪找
搞我心态的是我竟然对一个base64加密之后的flag文件束手无策(正文开始
打开myflag1可以看到里面是明显的base64编码
bytes_to_long(base64.b64decode(s))得到10进制的或者base64.b64decode(s).hex()得到16进制的
我纯纯nt
1.17
[WUSTCTF2020]情书
过于简单,略
坏蛋是雷宾
rabin算法是rsa的一种衍生算法,其 p,q % 4 == 3, \(c = pow(m, 2, n)\)
解密过程如下,会得到四个明文,如果没有其他信息无法确定哪个是正确的
import gmpy2
c = 162853095 # 密文 c
p = 49123 # 分解后的素数 p
q = 10663 # 分解后的素数 q
n = p*q # 公钥 N
# 根据中国剩余定理求解相应明文
r = pow(c,(p+1)//4,p)
s = pow(c,(q+1)//4,q)
a = gmpy2.invert(p,q)
b = gmpy2.invert(q,p)
x =(a*p*s+b*q*r)%n
y =(a*p*s-b*q*r)%n
# 打印明文
print(x%n)
print((-x)%n)
print(y%n)
print((-y)%n)
在本题中找到二进制符合题目的解10010011100100100101010110001然后去掉最后6个校验位再转成十进制md5
[WUSTCTF2020]dp_leaking_1s_very_d@angerous
一道基础的dp泄露攻击 (终于可以把一篇远古时期写的不知道往哪里贴的放上来了)
\(dp=d mod (p-1)\)
\(dp*e=ed mod (p-1)\)
\(ed = k1(p-1) +dp *e\)
\(ed ≡1 mod (p-1)(q-1)\)
\(k1(p-1) + dp*e = 1 mod (p-1)(q-1)\)
\(k1(p-1) + dp*e = k2(p-1)(q-1) + 1\)
\(dp*e = k2[(q-1)-k1] * (p-1) + 1\)
令\(x = k2[(q-1)-k1]\)
\(dp * e = x * (p-1) + 1\)
因为\(dp<(p-1)\), 所以\(x<e\)
遍历\(x\)从 \(1\) 到 \(e\)
from Crypto.Util.number import*
e =
n =
dp =
c =
for i in range(1,65538):
if (dp*e-1)%i == 0:
if n%(((dp*e-1)//i)+1)==0:
p=((dp*e-1)//i)+1
q=n//(((dp*e-1)//i)+1)
phi = (p-1)*(q-1)
d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
ps:这个题目名字好像就是flag捏(
[BJDCTF2020]Polybius
好像是道古典密码捏
题目名字就是这个密码然后懒狗直接找了wp(
emmm没啥好说的不是很难就写个脚本列举出aeiou排列顺序和替换i/j然后找出有意义的序列
[NPUCTF2020]EzRSA
一道神奇的题目(
先看题目
from gmpy2 import lcm , powmod , invert , gcd , mpz
from Crypto.Util.number import getPrime
from sympy import nextprime
from random import randint
p = getPrime(1024)
q = getPrime(1024)
n = p * q
gift = lcm(p - 1 , q - 1)
e = 54722
flag = b'NPUCTF{******************}'
m = int.from_bytes(flag , 'big')
c = powmod(m , e , n)
print('n: ' , n)
print('gift: ' , gift)
print('c: ' , c)
#输出略(
\(gift\)为\((p-1)\)和\((q-1)\)的最小公倍数,其比特位为2045
而$ φ \(的比特位应为2048位,所以应有\)φ = gift * i\(其中\) i ∈ ( 4 , 8 ) $
爆破一下\(i\)就好了,但是开始算的时候发现\(e\)不是一个质数,\(e = 27361 * 2\)
那么就按\(e = 27361\)计算之后再对m开方
from Crypto.Util.number import*
import gmpy2
'''
n=
gift=
c=
'''
e=54722//2
for i in range(4,9):
phi=gift*i
d=inverse(e,phi)
m=pow(c,d,n)
m,_=gmpy2.iroot(m,2)
m=long_to_bytes(m)
print(m)
这时候奇妙的事情增加了,我发现这5次都输出了相同的值(也就是flag
于是我把\(i\)设定为\(1\)也就是直接把\(gift\)当成\(φ\)用居然也得到了相同的答案。最后我发现无论\(i\)为何数都可以得到相同的明文(\(d\)不相同)
由于对rsa的原理并没有理解的非常透彻,本fw决定放弃解释并向huangx求助
实际上\(lcm(p-1, q-1)\)是\(φ\)的最简形式(但是我不知道怎么证明)
至于为什么i取任意值都可以达到呢
借这个机会先重新再整理一遍rsa解密推导过程
\[c^d\ ≡\ m(mod\ n)\ \ >>\ \ (m^e-kn)^d≡m(mod\ n)\ \ >>\ \ m^{ed}≡m(mod\ n)
\]
\[>>\ \ m^{hφ(n)+1}≡m\ (mod\ n)\ \ >>\ \ m^{hφ(n)}≡1\ (mod\ n)
\]
根据欧拉定理我们可以知道上式是成立的
那么对于i取任意值的情况,下式也成立
\[m^{kiφ(n)}≡1
\]
[AFCTF2018]BASE
一整个无语住
什么都好说,就是这个文件实在是太大了,基本思路先16进制转文本(可以用winhex)然后basecrack一条龙,但是问题就是这个文件实在是太大了
八说了,逃
[BJDCTF2020]编码与调制
根据图片的内容找到曼彻斯特编码,略
[NPUCTF2020]Classical Cipher
古典密码(逃
[ACTF新生赛2020]crypto-classic1
古典(逃
坑爹之处在于:BUU给的题目是错的捏并且解完还要你给他变成小写才能过捏
原题为SRLU{OWSI_S_RDPKHARSA_NXYTFTJT}
四面八方
古典(逃
1.18
[MRCTF2020]Easy_RSA
先看题目
import sympy
from gmpy2 import gcd, invert
from random import randint
from Crypto.Util.number import getPrime, isPrime, getRandomNBitInteger, bytes_to_long, long_to_bytes
import base64
from zlib import *
flag = b"MRCTF{XXXX}"
base = 65537
def gen_prime(N):
A = 0
while 1:
A = getPrime(N)
if A % 8 == 5:
break
return A
def gen_p():
p = getPrime(1024)
q = getPrime(1024)
assert (p < q)
n = p * q
print("P_n = ", n)
F_n = (p - 1) * (q - 1)
print("P_F_n = ", F_n)
factor2 = 2021 * p + 2020 * q
if factor2 < 0:
factor2 = (-1) * factor2
return sympy.nextprime(factor2)
def gen_q():
p = getPrime(1024)
q = getPrime(1024)
assert (p < q)
n = p * q
print("Q_n = ", n)
e = getRandomNBitInteger(53)
F_n = (p - 1) * (q - 1)
while gcd(e, F_n) != 1:
e = getRandomNBitInteger(53)
d = invert(e, F_n)
print("Q_E_D = ", e * d)
factor2 = 2021 * p - 2020 * q
if factor2 < 0:
factor2 = (-1) * factor2
return sympy.nextprime(factor2)
if __name__ == "__main__":
_E = base
_P = gen_p()
_Q = gen_q()
assert (gcd(_E, (_P - 1) * (_Q - 1)) == 1)
_M = bytes_to_long(flag)
_C = pow(_M, _E, _P * _Q)
print("Ciphertext = ", _C)
'''
P_n = 略
P_F_n =
Q_n =
Q_E_D =
Ciphertext =
'''
求\(p\),直接sage解方程
求\(q\),先计算\(phi=(e*d-1)//(((e*d-1)//n)+1)\),随后和计算p一样,sage解出方程
随后正常rsa解出flag
EasyProgram
看到与flag有关的运算只有最后一句异或
先把伪代码转换成python(虽然没什么用只是看着舒服
key = "whoami"
flag = "flag{********************************}"
s = []
t = []
f = ""
j = 0
for i in range(256):
s.append(i)
t.append(key[i%len(key)])
for i in range(256):
j = (j+s[i]+ord(t[i]))%256
s[i],s[j]=s[j],s[i]
for m in range(38):
i = (i+1)%256
j = (j+s[i])%256
s[i], s[j] = s[j], s[i]
x = (s[i]+(s[j]%256))%256
f += chr(ord(flag[m])^s[x])
print(f)
那么直接逆运算回去,由于只有一个和flag有关的运算,所以代码改动不是很大
看一眼file文件是乱码用winhex读16进制刚好38位于是手敲进去(我是菜狗)
key = "whoami"
flag = [0x00,0xBA,0x8F,0x11,0x2B,0x22,0x9F,0x51,0xA1,0x2F,0xAB,0xB7,0x4B,0xD7,0x3F,0xEF,0xE1,0xB5,0x13,0xBE,0xC4,0xD4,0x5D,0x03,0xD9,0x00,0x7A,0xCA,0x1D,0x51,0xA4,0x73,0xB5,0xEF,0x3D,0x9B,0x31,0xB3]
s = []
t = []
f = ""
j = 0
for i in range(256):
s.append(i)
t.append(key[i%len(key)])
for i in range(256):
j = (j+s[i]+ord(t[i]))%256
s[i], s[j] = s[j], s[i]
i,j = 0,0
for m in range(38):
i = (i+1)%256
j = (j+s[i])%256
s[i], s[j] = s[j], s[i]
x = (s[i]+(s[j]%256))%256
f += chr(flag[m] ^ s[x])
print(f)
[INSHack2017]rsa16m
一打开看着挺哈人的但是我们知道当n>>e的时候存在可能对c直接开e次方就能得到密文或者m^e = k*n+c中的k很小使得我们可以通过爆破得到
本题中直接开e次方就完事了(好烦这么大的txt虚拟机都打不开)
c = #略
e = 0x10001
import gmpy2
from Crypto.Util.number import*
m,_=gmpy2.iroot(c,e)
m=long_to_bytes(m)
print(m)
[AFCTF2018]你听过一次一密么?
一眼懵,先查一次一密,然后继续懵,然后看官方wp原来是Many-Time-Pad还是不会
继续查,翻到一篇写的比较好的wp于是懂了 (顺便嫖了代码) Many-Time-Pad 攻击
转述:
已知\(C_i⊕key=M_i\)
根据异或运算的性质,
\[C_1⊕C_2=(M_1⊕key)⊕(M_2⊕key)=M_1⊕M_2
\]
也就是说两个密文的异或就相当于对应明文的异或,此外我们还会发现 空格⊕大写字母=相应小写字母。所以如果x⊕y得到的是一个字母,那么x,y中就很可能有一个为空格。
将每条密文两两异或,得到相应列中,英文字母最多的,那么就假定该行明文的该列处为空格,如此可以恢复出该列的所有明文。
import Crypto.Util.strxor as xo
import libnum, codecs, numpy as np
def isChr(x):
if ord('a') <= x and x <= ord('z'): return True
if ord('A') <= x and x <= ord('Z'): return True
return False
def infer(index, pos):
if msg[index, pos] != 0:
return
msg[index, pos] = ord(' ')
for x in range(len(c)):
if x != index:
msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')
dat = []
def getSpace():
for index, x in enumerate(c):
res = [xo.strxor(x, y) for y in c if x!=y]
f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
cnt = [f(pos) for pos in range(len(x))]
for pos in range(len(x)):
dat.append((f(pos), index, pos))
c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]
msg = np.zeros([len(c), len(c[0])], dtype=int)
getSpace()
dat = sorted(dat)[::-1]
for w, index, pos in dat:
infer(index, pos)
print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
执行代码之后可以发现我们已经恢复出了大部分的明文(这里遇到一个小问题,直接执行这个代码是报错了,问题在于最后一行密文少了最后两位,补上两个0就可以了)
虽然还不是最终结果,但已经可以猜测出相应出错位置的字母了
def know(index, pos, ch):
msg[index, pos] = ord(ch)
for x in range(len(c)):
if x != index:
msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)
know(10, 21, 'y')
know(8, 14, 'n')
print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
加上这一串代码就可以通过确定的字母恢复出相应出错列的明文
最后用\(C_1⊕M_1\)得到\(key\):
key = xo.strxor(c[0], ''.join([chr(c) for c in msg[0]]).encode())
print(key)
大佬写的代码太好了555
1.20
[De1CTF2019]babyrsa
题目
import binascii
from data import e1,e2,p,q1p,q1q,hint,flag
n = [20129615352491765499340112943188317180548761597861300847305827141510465619670536844634558246439230371658836928103063432870245707180355907194284861510906071265352409579441048101084995923962148527097370705452070577098780246282820065573711015664291991372085157016901209114191068574208680397710042842835940428451949500607613634682684113208766694028789275748528254287705759528498986306494267817198340658241873024800336013946294891687591013414935237821291805123285905335762719823771647853378892868896078424572232934360940672962436849523915563328779942134504499568866135266628078485232098208237036724121481835035731201383423L, 31221650155627849964466413749414700613823841060149524451234901677160009099014018926581094879840097248543411980533066831976617023676225625067854003317018794041723612556008471579060428898117790587991055681380408263382761841625714415879087478072771968160384909919958010983669368360788505288855946124159513118847747998656422521414980295212646675850690937883764000571667574381419144372824211798018586804674824564606122592483286575800685232128273820087791811663878057827386379787882962763290066072231248814920468264741654086011072638211075445447843691049847262485759393290853117072868406861840793895816215956869523289231421L, 29944537515397953361520922774124192605524711306753835303703478890414163510777460559798334313021216389356251874917792007638299225821018849648520673813786772452822809546571129816310207232883239771324122884804993418958309460009406342872173189008449237959577469114158991202433476710581356243815713762802478454390273808377430685157110095496727966308001254107517967559384019734279861840997239176254236069001453544559786063915970071130087811123912044312219535513880663913831358790376650439083660611831156205113873793106880255882114422025746986403355066996567909581710647746463994280444700922867397754748628425967488232530303L, 25703437855600135215185778453583925446912731661604054184163883272265503323016295700357253105301146726667897497435532579974951478354570415554221401778536104737296154316056314039449116386494323668483749833147800557403368489542273169489080222009368903993658498263905567516798684211462607069796613434661148186901892016282065916190920443378756167250809872483501712225782004396969996983057423942607174314132598421269169722518224478248836881076484639837343079324636997145199835034833367743079935361276149990997875905313642775214486046381368619638551892292787783137622261433528915269333426768947358552919740901860982679180791L]
c = [19131432661217908470262338421299691998526157790583544156741981238822158563988520225986915234570037383888112724408392918113942721994125505014727545946133307329781747600302829588248042922635714391033431930411180545085316438084317927348705241927570432757892985091396044950085462429575440060652967253845041398399648442340042970814415571904057667028157512971079384601724816308078631844480110201787343583073815186771790477712040051157180318804422120472007636722063989315320863580631330647116993819777750684150950416298085261478841177681677867236865666207391847046483954029213495373613490690687473081930148461830425717614569L, 15341898433226638235160072029875733826956799982958107910250055958334922460202554924743144122170018355117452459472017133614642242411479849369061482860570279863692425621526056862808425135267608544855833358314071200687340442512856575278712986641573012456729402660597339609443771145347181268285050728925993518704899005416187250003304581230701444705157412790787027926810710998646191467130550713600765898234392350153965811595060656753711278308005193370936296124790772689433773414703645703910742193898471800081321469055211709339846392500706523670145259024267858368216902176489814789679472227343363035428541915118378163012031L, 18715065071648040017967211297231106538139985087685358555650567057715550586464814763683688299037897182845007578571401359061213777645114414642903077003568155508465819628553747173244235936586812445440095450755154357646737087071605811984163416590278352605433362327949048243722556262979909488202442530307505819371594747936223835233586945423522256938701002370646382097846105014981763307729234675737702252155130837154876831885888669150418885088089324534892506199724486783446267336789872782137895552509353583305880144947714110009893134162185382309992604435664777436197587312317224862723813510974493087450281755452428746194446L, 2282284561224858293138480447463319262474918847630148770112472703128549032592187797289965592615199709857879008271766433462032328498580340968871260189669707518557157836592424973257334362931639831072584824103123486522582531666152363874396482744561758133655406410364442174983227005501860927820871260711861008830120617056883514525798709601744088135999465598338635794275123149165498933580159945032363880613524921913023341209439657145962332213468573402863796920571812418200814817086234262280338221161622789516829363805084715652121739036183264026120868756523770196284142271849879003202190966150390061195469351716819539183797L]
f=lambda m,e,n,c:pow(m,e,n)==c
assert(sum(map(f,[p]*4,[4]*4,n,c))==4)
ee1 = 42
ee2 = 3
ce1 = 45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 = 13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp = 864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
n = 15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
assert(pow(e1,ee1,n)==ce1)
assert(pow(e2+tmp,ee2,n)==ce2)
e = 46531
n = 16278524034278364842964386062476113517067911891699789991355982121084973951738324063305190630865511554888330215827724887964565979607808294168282995825864982603759381323048907814961279012375346497781046417204954101076457350988751188332353062731641153547102721113593787978587135707313755661153376485647168543680503160420091693269984008764444291289486805840439906620313162344057956594836197521501755378387944609246120662335790110901623740990451586621846212047950084207251595169141015645449217847180683357626383565631317253913942886396494396189837432429078251573229378917400841832190737518763297323901586866664595327850603
c = 14992132140996160330967307558503117255626925777426611978518339050671013041490724616892634911030918360867974894371539160853827180596100892180735770688723270765387697604426715670445270819626709364566478781273676115921657967761494619448095207169386364541164659123273236874649888236433399127407801843412677293516986398190165291102109310458304626261648346825196743539220198199366711858135271877662410355585767124059539217274691606825103355310348607611233052725805236763220343249873849646219850954945346791015858261715967952461021650307307454434510851869862964236227932964442289459508441345652423088404453536608812799355469
hint=int(binascii.hexlify(hint),16)
assert(q1p*q1q==n)
assert(q1p<q1q)
assert(c==pow(hint,e,n))
flag=int(binascii.hexlify(flag),16)
q1=q1p
q2 = 114401188227479584680884046151299704656920536168767132916589182357583461053336386996123783294932566567773695426689447410311969456458574731187512974868297092638677515283584994416382872450167046416573472658841627690987228528798356894803559278308702635288537653192098514966089168123710854679638671424978221959513
c1 = 262739975753930281690942784321252339035906196846340713237510382364557685379543498765074448825799342194332681181129770046075018122033421983227887719610112028230603166527303021036386350781414447347150383783816869784006598225583375458609586450854602862569022571672049158809874763812834044257419199631217527367046624888837755311215081173386523806086783266198390289097231168172692326653657393522561741947951887577156666663584249108899327053951891486355179939770150550995812478327735917006194574412518819299303783243886962455399783601229227718787081785391010424030509937403600351414176138124705168002288620664809270046124
c2 = 7395591129228876649030819616685821899204832684995757724924450812977470787822266387122334722132760470911599176362617225218345404468270014548817267727669872896838106451520392806497466576907063295603746660003188440170919490157250829308173310715318925771643105064882620746171266499859049038016902162599261409050907140823352990750298239508355767238575709803167676810456559665476121149766947851911064706646506705397091626648713684511780456955453552020460909638016134124590438425738826828694773960514221910109473941451471431637903182205738738109429736425025621308300895473186381826756650667842656050416299166317372707709596
assert(c1==pow(flag,e1,p*q1))
assert(c2==pow(flag,e2,p*q2))
前三部分都比较简单,第四部分tnl(大概我是个fw吧)
第一部分纯纯的CRT定理,解出最小特解p,但是记得开4次方才是p的值(
第二部分e比较小尝试爆破,其中e2要的k比较大(吓得我差点以为爆破不了
第三部分一眼傻,放到factordb分解一下居然出来了,开始以为是谁解出来记录上去的结果最后发现是p,q很接近。解出hint:b'orz...you.found.me.but.sorry.no.hint...keep.on.and.enjoy.it!'emmm她暖暖的
第四部分看到两个方程我有点傻了,(这不是正常的rsa吗为什么要两个方程
然后就会发现\(gcd(e,p*(q1-1))=14\)和\(gcd(e,p*(q2-1))=14\)
把公约数提出来\(c_i\equiv(m^{14})^{e_i/14}\ mod\ p*q_i\)
使\(n_1=p*q_1\qquad n_2=p*q_2\) 则 $m^{14}\equiv c_1^{d_1}\ mod\ n_1\qquad m^{14}\equiv c_2^{d_2}\ mod\ n_2\qquad $
这两条式子由于幂次太高不能直接解出
然后我就不会了,翻wp
将上面的方程细化一下:
先令\(a_i\ =\ c_i^{d_i}\) 则:
\[m\equiv a_1\ mod\ p\qquad m\equiv a_1\ mod\ q_1\qquad m\equiv a_2\ mod\ p\qquad m\equiv a_2\ mod\ q2\qquad
\]
考虑将上面的方程进行合并,理论上讲有6种,但实际上我们发现\(gcd(14,(p-1))=7\)
因此我们选择将两条\(q_1,q_2\)的式子合并,通过中国剩余定理计算出一个新的式子,即:
\[(m^2)^7\equiv a_3\ mod\ q_1q_2
\]
将此式作为一个新的rsa方程,求出\(m^2\)再开方得到\(m\)
下面是我这烂的不敢见人的exp
n = [20129615352491765499340112943188317180548761597861300847305827141510465619670536844634558246439230371658836928103063432870245707180355907194284861510906071265352409579441048101084995923962148527097370705452070577098780246282820065573711015664291991372085157016901209114191068574208680397710042842835940428451949500607613634682684113208766694028789275748528254287705759528498986306494267817198340658241873024800336013946294891687591013414935237821291805123285905335762719823771647853378892868896078424572232934360940672962436849523915563328779942134504499568866135266628078485232098208237036724121481835035731201383423, 31221650155627849964466413749414700613823841060149524451234901677160009099014018926581094879840097248543411980533066831976617023676225625067854003317018794041723612556008471579060428898117790587991055681380408263382761841625714415879087478072771968160384909919958010983669368360788505288855946124159513118847747998656422521414980295212646675850690937883764000571667574381419144372824211798018586804674824564606122592483286575800685232128273820087791811663878057827386379787882962763290066072231248814920468264741654086011072638211075445447843691049847262485759393290853117072868406861840793895816215956869523289231421, 29944537515397953361520922774124192605524711306753835303703478890414163510777460559798334313021216389356251874917792007638299225821018849648520673813786772452822809546571129816310207232883239771324122884804993418958309460009406342872173189008449237959577469114158991202433476710581356243815713762802478454390273808377430685157110095496727966308001254107517967559384019734279861840997239176254236069001453544559786063915970071130087811123912044312219535513880663913831358790376650439083660611831156205113873793106880255882114422025746986403355066996567909581710647746463994280444700922867397754748628425967488232530303, 25703437855600135215185778453583925446912731661604054184163883272265503323016295700357253105301146726667897497435532579974951478354570415554221401778536104737296154316056314039449116386494323668483749833147800557403368489542273169489080222009368903993658498263905567516798684211462607069796613434661148186901892016282065916190920443378756167250809872483501712225782004396969996983057423942607174314132598421269169722518224478248836881076484639837343079324636997145199835034833367743079935361276149990997875905313642775214486046381368619638551892292787783137622261433528915269333426768947358552919740901860982679180791]
c = [19131432661217908470262338421299691998526157790583544156741981238822158563988520225986915234570037383888112724408392918113942721994125505014727545946133307329781747600302829588248042922635714391033431930411180545085316438084317927348705241927570432757892985091396044950085462429575440060652967253845041398399648442340042970814415571904057667028157512971079384601724816308078631844480110201787343583073815186771790477712040051157180318804422120472007636722063989315320863580631330647116993819777750684150950416298085261478841177681677867236865666207391847046483954029213495373613490690687473081930148461830425717614569, 15341898433226638235160072029875733826956799982958107910250055958334922460202554924743144122170018355117452459472017133614642242411479849369061482860570279863692425621526056862808425135267608544855833358314071200687340442512856575278712986641573012456729402660597339609443771145347181268285050728925993518704899005416187250003304581230701444705157412790787027926810710998646191467130550713600765898234392350153965811595060656753711278308005193370936296124790772689433773414703645703910742193898471800081321469055211709339846392500706523670145259024267858368216902176489814789679472227343363035428541915118378163012031, 18715065071648040017967211297231106538139985087685358555650567057715550586464814763683688299037897182845007578571401359061213777645114414642903077003568155508465819628553747173244235936586812445440095450755154357646737087071605811984163416590278352605433362327949048243722556262979909488202442530307505819371594747936223835233586945423522256938701002370646382097846105014981763307729234675737702252155130837154876831885888669150418885088089324534892506199724486783446267336789872782137895552509353583305880144947714110009893134162185382309992604435664777436197587312317224862723813510974493087450281755452428746194446, 2282284561224858293138480447463319262474918847630148770112472703128549032592187797289965592615199709857879008271766433462032328498580340968871260189669707518557157836592424973257334362931639831072584824103123486522582531666152363874396482744561758133655406410364442174983227005501860927820871260711861008830120617056883514525798709601744088135999465598338635794275123149165498933580159945032363880613524921913023341209439657145962332213468573402863796920571812418200814817086234262280338221161622789516829363805084715652121739036183264026120868756523770196284142271849879003202190966150390061195469351716819539183797]
import gmpy2
def crt(b,m):
for i in range(len(m)):
for j in range(i+1,len(m)):
if gmpy2.gcd(m[i],m[j]) != 1:
print("m中含有不是互余的数")
return -1
M = 1
for i in range(len(m)):
M *= m[i]
Mm = []
for i in range(len(m)):
Mm.append(M // m[i])
Mm_ = []
for i in range(len(m)):
_,a,_ = gmpy2.gcdext(Mm[i],m[i])
Mm_.append(int(a % m[i]))
y = 0
for i in range(len(m)):
#print(Mm[i] * Mm_[i] * b[i])
y += (Mm[i] * Mm_[i] * b[i])
y = y % M
return y
p=crt(c,n)
p,_=gmpy2.iroot(p,4)
print('p =',p)
#-------------------------------------------------
ee1 = 42
ee2 = 3
ce1 = 45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 = 13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp = 864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
n = 15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
for k in range(100):
e1=ce1+k*n
e1,f=gmpy2.iroot(e1,ee1)
if f:
print('e1 ='e1)
break
for k in range(100000):
e2=ce2+k*n
e2,f=gmpy2.iroot(e2,ee2)
if f:
e2-=tmp
print('e2 =',e2)
break
#----------------------------------------------------
from Crypto.Util.number import*
#factordb分解n
q1p=127587319253436643569312142058559706815497211661083866592534217079310497260365307426095661281103710042392775453866174657404985539066741684196020137840472950102380232067786400322600902938984916355631714439668326671310160916766472897536055371474076089779472372913037040153356437528808922911484049460342088834871
q1q=127587319253436643569312142058559706815497211661083866592534217079310497260365307426095661281103710042392775453866174657404985539066741684196020137840472950102380232067786400322600902938984916355631714439668326671310160916766472897536055371474076089779472372913037040153356437528808922911484049460342088835693
phi=(q1p-1)*(q1q-1)
e = 46531
d=inverse(e,phi)
n = 16278524034278364842964386062476113517067911891699789991355982121084973951738324063305190630865511554888330215827724887964565979607808294168282995825864982603759381323048907814961279012375346497781046417204954101076457350988751188332353062731641153547102721113593787978587135707313755661153376485647168543680503160420091693269984008764444291289486805840439906620313162344057956594836197521501755378387944609246120662335790110901623740990451586621846212047950084207251595169141015645449217847180683357626383565631317253913942886396494396189837432429078251573229378917400841832190737518763297323901586866664595327850603
c = 14992132140996160330967307558503117255626925777426611978518339050671013041490724616892634911030918360867974894371539160853827180596100892180735770688723270765387697604426715670445270819626709364566478781273676115921657967761494619448095207169386364541164659123273236874649888236433399127407801843412677293516986398190165291102109310458304626261648346825196743539220198199366711858135271877662410355585767124059539217274691606825103355310348607611233052725805236763220343249873849646219850954945346791015858261715967952461021650307307454434510851869862964236227932964442289459508441345652423088404453536608812799355469
hint=long_to_bytes(pow(c,d,n))
print(hint)
#--------------------------------------------------
q1=q1p
q2 = 114401188227479584680884046151299704656920536168767132916589182357583461053336386996123783294932566567773695426689447410311969456458574731187512974868297092638677515283584994416382872450167046416573472658841627690987228528798356894803559278308702635288537653192098514966089168123710854679638671424978221959513
c1 = 262739975753930281690942784321252339035906196846340713237510382364557685379543498765074448825799342194332681181129770046075018122033421983227887719610112028230603166527303021036386350781414447347150383783816869784006598225583375458609586450854602862569022571672049158809874763812834044257419199631217527367046624888837755311215081173386523806086783266198390289097231168172692326653657393522561741947951887577156666663584249108899327053951891486355179939770150550995812478327735917006194574412518819299303783243886962455399783601229227718787081785391010424030509937403600351414176138124705168002288620664809270046124
c2 = 7395591129228876649030819616685821899204832684995757724924450812977470787822266387122334722132760470911599176362617225218345404468270014548817267727669872896838106451520392806497466576907063295603746660003188440170919490157250829308173310715318925771643105064882620746171266499859049038016902162599261409050907140823352990750298239508355767238575709803167676810456559665476121149766947851911064706646506705397091626648713684511780456955453552020460909638016134124590438425738826828694773960514221910109473941451471431637903182205738738109429736425025621308300895473186381826756650667842656050416299166317372707709596
d1=inverse(e1//14,(q1-1)*(p-1))
d2=inverse(e2//14,(q2-1)*(p-1))
a1=pow(c1,d1,q1)
a2=pow(c2,d2,q2)
a3=crt([a1,a2],[q1,q2])
print(a3)
phi=(q1-1)*(q2-1)
d=inverse(7,phi)
m=pow(a3,d,q1*q2)
m,_=gmpy2.iroot(m,2)
m=long_to_bytes(m)
print(m)
还是要继续努力捏qwq
[ACTF新生赛2020]crypto-aes
第一道aes题目
key长度32bytes,iv长度16bytes,二者异或之后,前16位仍为key,后16位是异或结果
根据题目代码知道,key是两个字节重复16次,所以根据前16位就可以直接推出整个key,再用输出结果和key异或得到iv
最后aes.decrypt()
虽然这题不难,但促进了对aes的一些理解,总之还是比较有意义
1.22
[INSHack2019]Yet Another RSA Challenge - Part 1
从题目脚本中可以发现,本题是将16进制的p字符串中的9F改为了FC。
由于不知道哪个FC是被换出来的,我们对p进行爆破,题目输出中一共有4个FC,所以爆破难度不大。
上脚本:
from Crypto.Util.number import*
e=65537
n=719579745653303119025873098043848913976880838286635817351790189702008424828505522253331968992725441130409959387942238566082746772468987336980704680915524591881919460709921709513741059003955050088052599067720107149755856317364317707629467090624585752920523062378696431510814381603360130752588995217840721808871896469275562085215852034302374902524921137398710508865248881286824902780186249148613287250056380811479959269915786545911048030947364841177976623684660771594747297272818410589981294227084173316280447729440036251406684111603371364957690353449585185893322538541593242187738587675489180722498945337715511212885934126635221601469699184812336984707723198731876940991485904637481371763302337637617744175461566445514603405016576604569057507997291470369704260553992902776099599438704680775883984720946337235834374667842758010444010254965664863296455406931885650448386682827401907759661117637294838753325610213809162253020362015045242003388829769019579522792182295457962911430276020610658073659629786668639126004851910536565721128484604554703970965744790413684836096724064390486888113608024265771815004188203124405817878645103282802994701531113849607969243815078720289912255827700390198089699808626116357304202660642601149742427766381
t=['9F','FC']
for a in t:
for b in t:
for c in t:
for d in t:
p1 = '0xDCC5A0BD3A1' +a+ '0BEB0DA1C2E8CF6B474481B7C12849B76E03C4C946724DB577D2825D6AA193DB559BC9DBABE1DDE8B5E7805E48749EF002F622F7CDBD7853B200E2A027E87E331A' +b+ 'FD066ED9900F1E5F5E5196A451A6F9E329EB889D773F08E5FBF45AACB818FD186DD74626180294DCC31805A88D1B71DE5BFEF3ED01F12678D906A833A78EDCE9BDAF22BBE45C0BFB7A82AFE42C1C3B8581C83BF43DFE31BFD81527E507686956458905CC9A660604552A060109DC81D01F229A264AB67C6D7168721AB36DE769CEAFB97F238050193EC942078DDF5329A387F46253A4411A9C8BB71F9AEB11AC9623E41C14' +c+ 'D2739D76E69283E57DDB11' +d+ '531B4611EE3'
p = int(p1,16)
if (n%p==0):
q=n//p
c=596380963583874022971492302071822444225514552231574984926542429117396590795270181084030717066220888052607057994262255729890598322976783889090993129161030148064314476199052180347747135088933481343974996843632511300255010825580875930722684714290535684951679115573751200980708359500292172387447570080875531002842462002727646367063816531958020271149645805755077133231395881833164790825731218786554806777097126212126561056170733032553159740167058242065879953688453169613384659653035659118823444582576657499974059388261153064772228570460351169216103620379299362366574826080703907036316546232196313193923841110510170689800892941998845140534954264505413254429240789223724066502818922164419890197058252325607667959185100118251170368909192832882776642565026481260424714348087206462283972676596101498123547647078981435969530082351104111747783346230914935599764345176602456069568419879060577771404946743580809330315332836749661503035076868102720709045692483171306425207758972682717326821412843569770615848397477633761506670219845039890098105484693890695897858251238713238301401843678654564558196040100908796513657968507381392735855990706254646471937809011610992016368630851454275478216664521360246605400986428230407975530880206404171034278692756
phi=(p-1)*(q-1)
d=inverse(65537,phi)
m=pow(c,d,n)
flag=long_to_bytes(m)
print(flag)
exit(0)
[UTCTF2020]hill
古典密码(逃
1.23
[NPUCTF2020]认清形势,建立信心
from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
p = getPrime(25)
e = # Hidden
q = getPrime(25)
n = p * q
m = bytes_to_long(flag.strip(b"npuctf{").strip(b"}"))
c = pow(m, e, n)
print(c)
print(pow(2, e, n))
print(pow(4, e, n))
print(pow(8, e, n))
'''
169169912654178
128509160179202
518818742414340
358553002064450
'''
不妨设\(pow(2,e,n)=a\quad pow(4,e,n)=b\quad pow(8,e,n)=c\)
那么,\(gcd(a^2-b,a^3-c)\ mod\ n =0\)
计算\(gcd(a^2-b,a^3-c)\)后在factordb上分解,找到\(p\)和\(q\),随后计算\(m\),得到\(flag\)
2.1
[QCTF2018]Xman-RSA
step1
quipquip恢复python脚本
step2
base64恢复\(n2,n3\)
step3
共模攻击恢复\(n1\)
step4
\(gcd(n1,n2)\)求\(φ1,φ2\)
恢复flag
import base64
from Crypto.Util.number import*
import gmpy2
#解n2,n3
n2='PVNHb2BfGAnmxLrbKhgsYXRwWIL9eOj6K0s3I0slKHCTXTAUtZh3T0r+RoSlhpO3+77AY8P7WETYz2Jzuv5FV/mMODoFrM5fMyQsNt90VynR6J3Jv+fnPJPsm2hJ1Fqt7EKaVRwCbt6a4BdcRoHJsYN/+eh7k/X+FL5XM7viyvQxyFawQrhSV79FIoX6xfjtGW+uAeVF7DScRcl49dlwODhFD7SeLqzoYDJPIQS+VSb3YtvrDgdV+EhuS1bfWvkkXRijlJEpLrgWYmMdfsYX8u/+Ylf5xcBGn3hv1YhQrBCg77AHuUF2w/gJ/ADHFiMcH3ux3nqOsuwnbGSr7jA6Cw=='
n3='TmNVbWUhCXR1od3gBpM+HGMKK/4ErfIKITxomQ/QmNCZlzmmsNyPXQBiMEeUB8udO7lWjQTYGjD6k21xjThHTNDG4z6C2cNNPz73VIaNTGz0hrh6CmqDowFbyrk+rv53QSkVKPa8EZnFKwGz9B3zXimm1D+01cov7V/ZDfrHrEjsDkgK4ZlrQxPpZAPl+yqGlRK8soBKhY/PF3/GjbquRYeYKbagpUmWOhLnF4/+DP33ve/EpaSAPirZXzf8hyatL4/5tAZ0uNq9W6T4GoMG+N7aS2GeyUA2sLJMHymW4cFK5l5kUvjslRdXOHTmz5eHxqIV6TmSBQRgovUijlNamQ=='
n2=bytes_to_long(base64.b64decode(n2))
n3=bytes_to_long(base64.b64decode(n3))
#共模攻击解n1
c1=0x2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090
c2=0x42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a
e1 = 0x1001
e2 = 0x101
_, r, s = gmpy2.gcdext(e1, e2)
n1 = pow(c1, r, n3) * pow(c2, s, n3) % n3
#公因数分解n1,n2
c1=0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2=0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
p1=gmpy2.gcd(n1,n2)
p2,p3=n1//p1,n2//p1
e=0x1001
phi1=(p1-1)*(p2-1)
phi2=(p1-1)*(p3-1)
d1,d2=inverse(e,phi1),inverse(e,phi2)
msg1,msg2=long_to_bytes(pow(c1,d1,n1)).decode(),long_to_bytes(pow(c2,d2,n2)).decode()
print(msg1,msg2)
flag=''
for i in range(len(msg2)):
flag+=msg1[i]
flag+=msg2[i]
flag+=msg1[-1]
print(flag)
2.3
[NPUCTF2020]共 模 攻 击
hint部分
一个共模攻击之后用sympy的nthroot_mod解出m
hint为m.bit_length() < 400
task部分
不懂,找wp:
由于hint提示了m有长度限制,所以联想到Coppersmith定理。Coppersmith定理的内容为:在一个e阶的mod n多项式f(x)中,如果有一个根小于n^1/e,就可以运用一个O(log n)的算法求出这些根[3]。计算可得m是满足这个情况的。
从task.py中可以知道:
$c_1 \equiv mp\ (mod\ pq) $ \(c_2 \equiv mq\ (mod\ pq)\)
又因为\(p,q\)均为素数,可有费马定理得到:
\(mp\equiv m\ (mod\ p)\) \(mq\equiv m\ (mod\ q)\)
整理可得:
\(c_1=m+ip\) \(c_2=m+jq\)
\(c_1c_2=m^2+(ip+jq)m+ijn\)
\((c_1+c_2)m=2m^2+(ip+jq)m\)
所以:\(m^2-(c_1+c_2)m+c_1c_2\equiv ijn\equiv 0\ (mod\ n)\)
sage脚本如下:
n = 128205304743751985889679351195836799434324346996129753896234917982647254577214018524580290192396070591032007818847697193260130051396080104704981594190602854241936777324431673564677900773992273463534717009587530152480725448774018550562603894883079711995434332008363470321069097619786793617099517770260029108149
c1 = 96860654235275202217368130195089839608037558388884522737500611121271571335123981588807994043800468529002147570655597610639680977780779494880330669466389788497046710319213376228391138021976388925171307760030058456934898771589435836261317283743951614505136840364638706914424433566782044926111639955612412134198
c2 = 9566853166416448316408476072940703716510748416699965603380497338943730666656667456274146023583837768495637484138572090891246105018219222267465595710692705776272469703739932909158740030049375350999465338363044226512016686534246611049299981674236577960786526527933966681954486377462298197949323271904405241585
PR.<m> = PolynomialRing(Zmod(n))
f = m^2-(c1+c2)*m+c1*c2
x0 = f.small_roots(X=2^400)
print(x0)
得到x0 = 4242839043019782000788118887372132807371568279472499477998758466224002905442227156537788110520335652385855
再long_to_bytes()得到:b'verrrrrrry_345yyyyyyy_rsaaaaaaa_righttttttt?'
这题主要还是看wp,对Coppersmith不是很熟悉(只会看着wp用
2.9
[羊城杯 2020]RRRRRRRSA
翻了翻wp,原来也是要用到维纳攻击,类似今年NCTF那道,,,
\(N_1/N_2=(P_1/P_2)^2 * (Q_1/Q_2)\)
显然\(N_1/N_2>Q_1/Q_2>1\)
对\(N_1/N_2\)进行连分数展开,其中某个分子就可能是\(Q_1\)
用\(N_1\ mod\ Q_1=0\)进行验证找到\(Q_1\)后就可以求出其他所有的参数
import gmpy2
from Crypto.Util.number import*
N1=60143104944034567859993561862949071559877219267755259679749062284763163484947626697494729046430386559610613113754453726683312513915610558734802079868190554644983911078936369464590301246394586190666760362763580192139772729890492729488892169933099057105842090125200369295070365451134781912223048179092058016446222199742919885472867511334714233086339832790286482634562102936600597781342756061479024744312357407750731307860842457299116947352106025529309727703385914891200109853084742321655388368371397596144557614128458065859276522963419738435137978069417053712567764148183279165963454266011754149684758060746773409666706463583389316772088889398359242197165140562147489286818190852679930372669254697353483887004105934649944725189954685412228899457155711301864163839538810653626724347
c1=55094296873556883585060020895253176070835143350249581136609315815308788255684072804968957510292559743192424646169207794748893753882418256401223641287546922358162629295622258913168323493447075410872354874300793298956869374606043622559405978242734950156459436487837698668489891733875650048466360950142617732135781244969524095348835624828008115829566644654403962285001724209210887446203934276651265377137788183939798543755386888532680013170540716736656670269251318800501517579803401154996881233025210176293554542024052540093890387437964747460765498713092018160196637928204190194154199389276666685436565665236397481709703644555328705818892269499380797044554054118656321389474821224725533693520856047736578402581854165941599254178019515615183102894716647680969742744705218868455450832
E1=125932919717342481428108392434488550259190856475011752106073050593074410065655587870702051419898088541590032209854048032649625269856337901048406066968337289491951404384300466543616578679539808215698754491076340386697518948419895268049696498272031094236309803803729823608854215226233796069683774155739820423103
N2=60143104944034567859993561862949071559877219267755259679749062284763163484947626697494729046430386559610613113754453726683312513915610558734802079868195633647431732875392121458684331843306730889424418620069322578265236351407591029338519809538995249896905137642342435659572917714183543305243715664380787797562011006398730320980994747939791561885622949912698246701769321430325902912003041678774440704056597862093530981040696872522868921139041247362592257285423948870944137019745161211585845927019259709501237550818918272189606436413992759328318871765171844153527424347985462767028135376552302463861324408178183842139330244906606776359050482977256728910278687996106152971028878653123533559760167711270265171441623056873903669918694259043580017081671349232051870716493557434517579121
c2=39328446140156257571484184713861319722905864197556720730852773059147902283123252767651430278357950872626778348596897711320942449693270603776870301102881405303651558719085454281142395652056217241751656631812580544180434349840236919765433122389116860827593711593732385562328255759509355298662361508611531972386995239908513273236239858854586845849686865360780290350287139092143587037396801704351692736985955152935601987758859759421886670907735120137698039900161327397951758852875291442188850946273771733011504922325622240838288097946309825051094566685479503461938502373520983684296658971700922069426788236476575236189040102848418547634290214175167767431475003216056701094275899211419979340802711684989710130215926526387138538819531199810841475218142606691152928236362534181622201347
E2=125932919717342481428108392434488550259190856475011752106073050593074410065655587870702051419898088541590032209854048032649625269856337901048406066968337289491951404384300466543616578679539808215698754491076340386697518948419895268049696498272031094236309803803729823608854215226233796069683774155739820425393
def continuedFra(x, y): #不断生成连分数的项
cF = []
while y:
cF += [x // y]
x, y = y, x % y
return cF
def Simplify(ctnf): #化简
numerator = 0
denominator = 1
for x in ctnf[::-1]: #注意这里是倒叙遍历
numerator, denominator = denominator, x * denominator + numerator
return (numerator, denominator) #把连分数分成分子和算出来的分母
def getit(c):
cf=[]
for i in range(1,len(c)):
cf.append(Simplify(c[:i])) #各个阶段的连分数的分子和分母
return cf #得到一串连分数
def wienerAttack(e, n):
cf=continuedFra(e,n)
for (Q2,Q1) in getit(cf):#遍历得到的连分数,令分子分母分别是Q2,Q1
if Q1 == 0:
continue
if N1%Q1==0 and Q1!=1:#满足这个条件就找到了
return Q1
print('not find!')
Q1=wienerAttack(N1,N2)
P1=gmpy2.iroot(N1//Q1,2)[0]
P2=gmpy2.next_prime(P1)
Q2=gmpy2.next_prime(Q1)
phi1=P1*(P1-1)*(Q1-1)
phi2=P2*(P2-1)*(Q2-1)
d1=inverse(E1,phi1)
d2=inverse(E2,phi2)
m1=long_to_bytes(pow(c1,d1,N1))
m2=long_to_bytes(pow(c2,d2,N2))
print((m1+m2))
[BJDCTF2020]伏羲六十四卦
鸟题,但是看着还挺nmd复杂的(逃
2.10
[XNUCA2018]Warmup
用wireshark打开流量包之后一个个看过来,可以找到一共六条加密信息
比对后可以发现其中有两份的加密模数相同,于是进行共模攻击
就可以得到flag了
[UTCTF2020]OTP
Encoded A: 213c234c2322282057730b32492e720b35732b2124553d354c22352224237f1826283d7b0651
Encoded B: 3b3b463829225b3632630b542623767f39674431343b353435412223243b7f162028397a103e
Original A: 5448452042455354204354462043415445474f52592049532043525950544f47524150485921
Original B: 4e4f205448452042455354204f4e452049532042494e415259204558504c4f49544154494f4e
A XOR A: 7574666c61677b7477305f74696d335f703464737d7574666c61677b7477305f74696d335f70
B XOR B: 7574666c61677b7477305f74696d335f703464737d7574666c61677b7477305f74696d335f70
白给的题目,拿encoded A和original A异或一下就是明文了不是很懂
怀疑是不是信息给多了,,,
还有就是A XOR A为什么不是0
