RSA大合集2

Cot287

已于 2022-10-28 21:12:21 修改

阅读量2k

点赞数 1

分类专栏： ctf 文章标签：算法 python 网络安全

于 2022-10-28 21:11:56 首次发布

本文链接：https://blog.youkuaiyun.com/m0_64839851/article/details/127456063

版权

ctf 专栏收录该内容

7 篇文章

订阅专栏

RSA(baby2)

下面主要提供cryptohack上rsa的部分题解

1.cryptohack RSA Starter 6

题目

How can you ensure that the person receiving your message knows that you wrote it?

You've been asked out on a date, and you want to send a message telling them that you'd love to go, however a jealous lover isn't so happy about this.

When you send your message saying yes, your jealous lover intercepts the message and corrupts it so it now says no!

We can protect against these attacks by signing the message.

Imagine you write a message M. You encrypt this message with your friend's public key: C = M^e0 mod N0.

To sign this message, you calculate the hash of the message: H(M) and "encrypt" this with your private key: S = H(M)d1 mod N1.

Your friend can decrypt the message using their private key: m = Cd0 mod N0. Using your public key they calculate s = Se1 mod N1.

Now by computing H(m) and comparing it to s: assert H(m) == s, they can ensure that the message you sent them, is the message that they received!

Sign the flag crypto{Immut4ble_m3ssag1ng} using your private key and the SHA256 hash function.
# N = ...
# d = ...
flag = "crypto{Immut4ble_m3ssag1ng}"

脚本

from hashlib import sha256

N = ...
d = ...
flag="crypto{Immut4ble_m3ssag1ng}"
h = sha256(flag.encode()).hexdigest()

c=pow(int(h,16),d,N)
print(hex(c))
# 0x6ac9bb8f110b318a40ad8d7e57defdcce2652f5928b5f9b97c1504d7096d7af1d34e477b30f1a08014e8d525b14458b709a77a5fa67d4711bd19da1446f9fb0ffd9fdedc4101bdc9a4b26dd036f11d02f6b56f4926170c643f302d59c4fe8ea678b3ca91b4bb9b2024f2a839bec1514c0242b57e1f5e77999ee67c450982730252bc2c3c35acb4ac06a6ce8b9dbf84e29df0baa7369e0fd26f6dfcfb22a464e05c5b72baba8f78dc742e96542169710918ee2947749477869cb3567180ccbdfe6fdbe85bcaca4bf6da77c8f382bb4c8cd56dee43d1290ca856318c97f1756b789e3cac0c9738f5e9f797314d39a2ededb92583d97124ec6b313c4ea3464037d3

2.cryptohack Inferius Prime

题目

# n will be 8 * (100 + 100) = 1600 bits strong which is pretty good
while True:
    p = getPrime(100)
    q = getPrime(100)
    phi = (p - 1) * (q - 1)
    d = inverse(e, phi)
    if d != -1 and GCD(e, phi) == 1:
        break

n = p * q
flag = b"XXXXXXXXXXXXXXXXXXXXXXX"
pt = bytes_to_long(flag)
ct = pow(pt, e, n)

解析

1.看题目发现n比较小，直接yafu结束

from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD
n = 742449129124467073921545687640895127535705902454369756401331
p = 986369682585281993933185289261
q = 752708788837165590355094155871
e = 3
ct = 39207274348578481322317340648475596807303160111338236677373
phi = (p - 1) * (q - 1)
d = pow(e,-1,phi)
print(long_to_bytes(pow(ct,d,n)))

3.cryptohack Monoprime #签到–

题目

Why is everyone so obsessed with multiplying two primes for RSA. Why not just use one?

n = 171731371218065444125482536302245915415603318380280392385291836472299752747934607246477508507827284075763910264995326010251268493630501989810855418416643352631102434317900028697993224868629935657273062472544675693365930943308086634291936846505861203914449338007760990051788980485462592823446469606824421932591                                                                  
e = 65537
ct = 161367550346730604451454756189028938964941280347662098798775466019463375610700074840105776873791605070092554650190486030367121011578171525759600774739890458414593857709994072516290998135846956596662071379067305011746842247628316996977338024343628757374524136260758515864509435302781735938531030576289086798942

解析

由n是素数，那欧拉定理，phin = n-1，秒！！！

from Crypto.Util.number import *
n = 171731371218065444125482536302245915415603318380280392385291836472299752747934607246477508507827284075763910264995326010251268493630501989810855418416643352631102434317900028697993224868629935657273062472544675693365930943308086634291936846505861203914449338007760990051788980485462592823446469606824421932591                                                                  
e = 65537
ct = 161367550346730604451454756189028938964941280347662098798775466019463375610700074840105776873791605070092554650190486030367121011578171525759600774739890458414593857709994072516290998135846956596662071379067305011746842247628316996977338024343628757374524136260758515864509435302781735938531030576289086798942  
d = pow(e,-1,n-1)
print(long_to_bytes(pow(ct,d,n)))
# crypto{0n3_pr1m3_41n7_pr1m3_l0l}

4.cryptohack Square Eyes #签到–

题目

We have a supercomputer at work, so I've made sure my encryption is secure by picking massive numbers!

脚本

# 比较简单就直接上脚本了（前提李姐RSA本质）
from Crypto.Util.number import *
from gmpy2 import *
N = 535860808044009550029177135708168016201451343147313565371014459027743491739422885443084705720731409713775527993719682583669164873806842043288439828071789970694759080842162253955259590552283047728782812946845160334801782088068154453021936721710269050985805054692096738777321796153384024897615594493453068138341203673749514094546000253631902991617197847584519694152122765406982133526594928685232381934742152195861380221224370858128736975959176861651044370378539093990198336298572944512738570839396588590096813217791191895941380464803377602779240663133834952329316862399581950590588006371221334128215409197603236942597674756728212232134056562716399155080108881105952768189193728827484667349378091100068224404684701674782399200373192433062767622841264055426035349769018117299620554803902490432339600566432246795818167460916180647394169157647245603555692735630862148715428791242764799469896924753470539857080767170052783918273180304835318388177089674231640910337743789750979216202573226794240332797892868276309400253925932223895530714169648116569013581643192341931800785254715083294526325980247219218364118877864892068185905587410977152737936310734712276956663192182487672474651103240004173381041237906849437490609652395748868434296753449
e = 65537
c = 222502885974182429500948389840563415291534726891354573907329512556439632810921927905220486727807436668035929302442754225952786602492250448020341217733646472982286222338860566076161977786095675944552232391481278782019346283900959677167026636830252067048759720251671811058647569724495547940966885025629807079171218371644528053562232396674283745310132242492367274184667845174514466834132589971388067076980563188513333661165819462428837210575342101036356974189393390097403614434491507672459254969638032776897417674577487775755539964915035731988499983726435005007850876000232292458554577437739427313453671492956668188219600633325930981748162455965093222648173134777571527681591366164711307355510889316052064146089646772869610726671696699221157985834325663661400034831442431209123478778078255846830522226390964119818784903330200488705212765569163495571851459355520398928214206285080883954881888668509262455490889283862560453598662919522224935145694435885396500780651530829377030371611921181207362217397805303962112100190783763061909945889717878397740711340114311597934724670601992737526668932871436226135393872881664511222789565256059138002651403875484920711316522536260604255269532161594824301047729082877262812899724246757871448545439896
p = iroot(N,2)[0]
phin = p * (p-1)
d = pow(e,-1,phin)
print(long_to_bytes(pow(c,d,N)))
# crypto{squar3_r00t_i5_f4st3r_th4n_f4ct0r1ng!}

5. cryptohack Manyprime

题目

Using one prime factor was definitely a bad idea so I'll try using over 30 instead.

脚本

用yafu将n分解后即解

from Crypto.Util.number import *
from gmpy2 import *
N = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
c = 320721490534624434149993723527322977960556510750628354856260732098109692581338409999983376131354918370047625150454728718467998870322344980985635149656977787964380651868131740312053755501594999166365821315043312308622388016666802478485476059625888033017198083472976011719998333985531756978678758897472845358167730221506573817798467100023754709109274265835201757369829744113233607359526441007577850111228850004361838028842815813724076511058179239339760639518034583306154826603816927757236549096339501503316601078891287408682099750164720032975016814187899399273719181407940397071512493967454225665490162619270814464
p = [13099895578757581201,16656402470578844539,12132158321859677597,14963354250199553339,12834461276877415051,14278240802299816541, 14178869592193599187, 11492065299277279799, 10336650220878499841, 12955403765595949597, 10638241655447339831, 11403460639036243901, 12973972336777979701, 14100640260554622013, 11665347949879312361, 11328768673634243077,9303850685953812323, 11530534813954192171, 15998365463074268941, 13572286589428162097, 11282698189561966721, 9389357739583927789, 15824122791679574573, 17281246625998849649, 15669758663523555763, 14523070016044624039, 17138336856793050757, 11473665579512371723,9282105380008121879, 16898740504023346457, 15364597561881860737, 17174065872156629921]
phin = 1
for i in p:
    phin *= (i-1)
d = pow(e,-1,phin)
print(long_to_bytes(pow(c,d,N)))
# crypto{700_m4ny_5m4ll_f4c70r5}

6.cryptohack Salty #低指数幂

题目

Smallest exponent should be fastest, right?

脚本

# 正常情况下一般要开个方才能解出来，这里e = 1，相当于直接把密文告诉你了...
from Crypto.Util.number import *
from gmpy2 import *
n = 110581795715958566206600392161360212579669637391437097703685154237017351570464767725324182051199901920318211290404777259728923614917211291562555864753005179326101890427669819834642007924406862482343614488768256951616086287044725034412802176312273081322195866046098595306261781788276570920467840172004530873767                                                                  
e = 1
ct = 44981230718212183604274785925793145442655465025264554046028251311164494127485
print(long_to_bytes(ct))
# crypto{saltstack_fell_for_this!}

7.cryptohack Modulus Inutilis #低指数幂

题目

from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes

e = 3
d = -1
while d == -1:
    p = getPrime(1024)
    q = getPrime(1024)
    d = inverse(e, phi)
n = p * q

解析

# 思路在上一题里说了，这里不赘述，(flag^3 < n 则 c = flag^3 % n = flag^3)
from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes
from gmpy2 import *

n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883
e = 3
ct = 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957
f = iroot(ct,3)[0]
print(long_to_bytes(f))
# crypto{N33d_m04R_p4dd1ng}

8.[闽盾杯 2021]decode #共享素数

题目

n1, n2, n3 = ... 
e1, e2, e3 = ...
c1, c2, c3 = ...

脚本

# 将n gcd后发现均有公共素数
from Crypto.Util.number import *
n = [n1, n2, n3]
e = [e1, e2, e3]
c = [c1, c2, c3]
p = [1] * 3
p[0] = GCD(n1,n2)
p[1] = GCD(n1,n2)
p[2] = GCD(n3,n2)
q = [n[i]//p[i] for i in range(3)]
phin = [(p[i]-1)*(q[i]-1) for i in range(3)]
d = [pow(e[i],-1,phin[i]) for i in range(3)]
for i in range(3):
    print(long_to_bytes(pow(c[i],d[i],n[i])).decode())

'''hahaha, you've got the flag didn't you !the front part is :flag{G00d_w4
hahaha, you've got the flag didn't you !the middle part is :y_tO_cR
hahaha, you've got the flag didn't you !the last part is :4ck_RS4}'''

9.[zer0pts 2020]ROR

题目

import random
ror = lambda x, l, b: (x >> l) | ((x & ((1<<l)-1)) << (b-l))

N = 1
for base in [2, 3, 7]:
    N *= pow(base, random.randint(123, 456))
e = random.randint(271828, 314159)

m = int.from_bytes(flag, byteorder='big')
assert m.bit_length() < N.bit_length()

for i in range(m.bit_length()):
    print(pow(ror(m, i, m.bit_length()), e, N))

解析

1.首先ror相当于将m循环右移

2. $由于2|N,c_i=m_i^e\space modN$ $也就是c_i的最低位与m_i的最低位相同$

3.取遍所有 $c_i$ 的最低位合并得到m

from Crypto.Util.number import *
with open('chall.txt','r') as f:
    c = [int(i) for i in f.read().split('\n')]
flag = ''
for i in range(len(c)):
	flag = flag +bin(c[i])[-1]
print(long_to_bytes(int(flag,2)))

脚本

from Crypto.Util.number import *
with open('chall.txt','r') as f:
    c = [int(i) for i in f.read().split('\n')]
flag = ''
for i in c:
	flag = bin(i)[-1] + flag
print(long_to_bytes(int(flag,2)))

10.Cryptoversectf RSA1 #factordb

题目

# The n is so large that it's not possible to factor it. Or is it?
n = 0x7c05a45d02649367ebf6f472663119777ce5f9b3f2283c7b03471e9feb1714a3ce9fa31460eebd9cd5aca7620ecdb52693a736e2fcc83d7909130c6038813fd16ef50c5ca6f491b4a8571289e6ef710536c4615604f8e7aeea606d4b5f59d7adbec935df23dc2bbc2adebbee07c05beb7fa68065805d8c8f0e86b5c3f654e651
e = 0x10001
ct = 0x35b63f7513dbb828800a6bcd708d87a6c9f33af634b8006d7a94b7e3ba62e6b9a1732a58dc35a8df9f7554e1168bfe3de1cb64792332fc8e5c9d5db1e49e86deb650ee0313aae53b227c75e40779a150ddb521f3c80f139e26b2a8880f0869f755965346cd28b7ddb132cf8d8dcc31c6b1befc83e21d8c452bcce8b9207ab76e

解析

# 在factordb上分解得到p, q
from Crypto.Util.number import *
n = 0x7c05a45d02649367ebf6f472663119777ce5f9b3f2283c7b03471e9feb1714a3ce9fa31460eebd9cd5aca7620ecdb52693a736e2fcc83d7909130c6038813fd16ef50c5ca6f491b4a8571289e6ef710536c4615604f8e7aeea606d4b5f59d7adbec935df23dc2bbc2adebbee07c05beb7fa68065805d8c8f0e86b5c3f654e651
e = 0x10001
ct = 0x35b63f7513dbb828800a6bcd708d87a6c9f33af634b8006d7a94b7e3ba62e6b9a1732a58dc35a8df9f7554e1168bfe3de1cb64792332fc8e5c9d5db1e49e86deb650ee0313aae53b227c75e40779a150ddb521f3c80f139e26b2a8880f0869f755965346cd28b7ddb132cf8d8dcc31c6b1befc83e21d8c452bcce8b9207ab76e
p = 8156072525389912369788197863285751656042515380911795404436333529629416084362735262281722179416240983448945672233749861517470671156357917601583268804973543
q = n // p
phin = (p-1) * (q-1)
d = pow(e,-1,phin)
print(long_to_bytes(pow(ct,d,n)))
# cvctf{f4c70rDB_15_p0w3rfu1}

11.Cryptoversectf RSA2 # math(dp,p,n,e) #nextprime

题目

def stage_one(data: bytes):
    m = bytes_to_long(data)
    p = getPrime(PBITS)
    q = getPrime(PBITS)
    b = 7
    n = p**b * q

# === Stage 1 ===
p = 12288921312928905252066685441095433471598896337203035200127730574490649634697724898647492622180506530440487680891254318894425463123822054731206592479004443
dp = 8111921890208849506533055813772823708971113332067999844251731882494468679473553516950564998827393579403786220959710592332449455425174571764449523127915699
# dp = {inverse(e, p-1)}
b = 7

def stage_two(data: bytes):
    m = bytes_to_long(data)
    p = getPrime(PBITS)
    q = p + 2
    while not isPrime(q):
        q += 2
    n = p * q

PBITS = 512
e = 0x10001

# === Stage 2 ===
n = 85205911394226026500275210536070696774019932212697333763455696542783046512381571530938238053084695855960959283864240454975283339087819608102879636911292604501949036560581582119299425314297903747045402522844383142899951990239300430074264857012937328120615676527671685158004985642485347181510738733455006987563
ct = 36094975186594521686754290222264536503273789013798395884104790217898195008843408149451748239377299652426931967019223980259457768048183972055991854928660562680316115848049030120068763050175827932483663365464482727317050056562889546636425655657765772098105202889353529152305437946280810771045676951442322243838

脚本

from Crypto.Util.number import *
from gmpy2 import *
# === Stage 1 ===
p = ...
dp = ...
# dp = {inverse(e, p-1)}
b = 7
ct = ...
nn = p**b
phin = p**(b-1) *(p-1) 
d = pow(e,-1,phin)
print(long_to_bytes(pow(ct,d,nn)).decode(),end='')

# === Stage 2 ===
n = ...
ct = ...
p = iroot(n,2)[0]
while not n % p == 0:
    p -= 1
q = n // p
phin = (q-1) *(p-1) 
d = pow(e,-1,phin)
print(long_to_bytes(pow(ct,d,n)).decode())

12.Cryptoversectf RSA3 #广播加密 #crt

题目

from secret import flag

es = [17, 19, 23, 29, 31, 63357]
e = random.choice(es)
p = getPrime(1024)
q = getPrime(1024)
n = p * q
m = bytes_to_long(flag)

c = pow(m, e, n)

if not random.randint(0, 10):
    c = (1 << len(bin(c)[2:])) | c

print(f"n = {n}\ne = {e}\nc = {c}")

解析

1.根据题目知道，e的取值只有6种，可以多次连接nc得到对于相同e的不同数据

2.得到若干 $c_i = m^e(mod\space n_i)$

3.根据足够数量的上面的式子，通过crt可以求出一个准确 $m^e$

4.开方的到m

脚本

from Crypto.Util.number import *
import random
from gmpy2 import *
from pwn import *
from sympy.ntheory.modular import crt 
c = []
p = []
for i in range(1000):
    r = remote('137.184.215.151',22629)
    ns = r.recvline().decode().replace('n = ','')
    es = r.recvline().decode().replace('e = ','')
    cs = r.recvline().decode().replace('c = ','')
    if es == '17':
        c.append(int(cs))
        p.append(int(ns)) 
    r.close()
print(c)
print(p)
me = crt(p,c)[0]
m = iroot(me,17)[0]
print(long_to_bytes(m))

13.DAS RSA #小c #多素数

题目

# 原题脚本写的... 个人修改了一下
from Crypto.Util.number import long_to_bytes as ltb
from Crypto.Util.number import bytes_to_long as btl
from gmpy2 import *
#c1, c2, c3, n2, n3, m2, k, e1, e2已知

m1 = btl(str(hex(m>>200).encode()))
m2 = btl(str(hex(m))[20:].encode())

c1 = pow(m1, e1, n1)
c2 = pow(n1, e2, n2)

k = getPrime(512)
m3 = m2 % k
# 最后这一步所有信息都已知，完全没用
# c3 = pow(m2, e2, n3)

脚本

# 先求 n1, 直接爆破t, t*n2 + c2 == n1
t = 0
while not iroot(tem*n2+c2,3)[1] == 1:
	t += 1
n1 = iroot(tem*n2+c2,3)[0]
# 得到的n1 比较小直接yafu分解, 随后求出m1
p1 = 2224243981
p2 = 2732337821
p3 = 11585031296201346891716939633970482508158508580350404805965250133832632323150440185890235814142601827544669601048550999405490149435265122374459158586377571
phin = (p1-1)*(p2-1)*(p3-1)
d = pow(65537,-1,phin)
m1 = pow(c1,d,n1)

# 求m2, m2 = t*k + m3, 最后发现t=0
# 尝试将m1,m2转化为字符串打印出来,将重合部分删去
# flag{206e859d8e854c4f600cb12757bbf9f5}

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-D9tsHT55-1666962618343)(C:\Users\zhn\AppData\Roaming\Typora\typora-user-images\image-20221023181902790.png)]

14.UUCTF disparity_rsa #factordb

题目

# 已知 n e ct

脚本

from Crypto.Util.number import *
n = 0x7c05a45d02649367ebf6f472663119777ce5f9b3f2283c7b03471e9feb1714a3ce9fa31460eebd9cd5aca7620ecdb52693a736e2fcc83d7909130c6038813fd16ef50c5ca6f491b4a8571289e6ef710536c4615604f8e7aeea606d4b5f59d7adbec935df23dc2bbc2adebbee07c05beb7fa68065805d8c8f0e86b5c3f654e651
e = 0x10001
ct = 0x35b63f7513dbb828800a6bcd708d87a6c9f33af634b8006d7a94b7e3ba62e6b9a1732a58dc35a8df9f7554e1168bfe3de1cb64792332fc8e5c9d5db1e49e86deb650ee0313aae53b227c75e40779a150ddb521f3c80f139e26b2a8880f0869f755965346cd28b7ddb132cf8d8dcc31c6b1befc83e21d8c452bcce8b9207ab76e
p = 8156072525389912369788197863285751656042515380911795404436333529629416084362735262281722179416240983448945672233749861517470671156357917601583268804973543
q = n // p
phin = (p-1) * (q-1)
d = pow(e,-1,phin)
print(long_to_bytes(pow(ct,d,n)))
# cvctf{f4c70rDB_15_p0w3rfu1}

15.[强网拟态 2021]ONLYRSA # factordb

题目

# RSA say : My birthday is in November instead of October
from secret import flag
n = ...
e = ...
m = bytes_to_long(flag)
c = pow(m,e,n)
print(c)

解析

非预期 +1

直接factordb分解出来，然后正常求m，在mod p 的条件下就求出了flag

from Crypto.Util.number import long_to_bytes as ltb
from Crypto.Util.number import *
n = 264048827496427248021277383801027180195275776366915828865010362454006394906519399441496561006668252031429735502465174250525698696973129422193405161920872162928097673289330345041221985548078586423910246601720647996170161319016119241836415788315729493164331517547663558380515400720081995290120793014108439083514403659082115510258023834737471488528527557960636984676435543300074504679264476413252780514962473070445293528877641502742438571110744667739728450283295649865745629276142949963507003094791773183928894536793857609738113546410753895719242547720815692998871947957214118354127328586542848234994500987288641595105
e = 65537
c = 76196483810925191371357319946893762223027002702624516192769497540954799651198719100683206759706879828894501526423422596543748404479640715319801018211652987852179907519286760601944889601355220646374788026632971331786307898234821477134265724962397355614076896148563340833323366935479885600112872998594315513803419069126624158092821269145991266528158747750965226483644012365861166608598063649804899693010576080857540523307078138634628539419178875838147396170651777949577793359622498517581948006585916952705460782942977789615065947303447566918741750017127110484065354974088489869377128636357092420660532261674969708694
p = [5, 29, 31, 197, 12541, 4811988280952344246576937, 304081130082418831034791698146581643331044047712028910273173568327362370621651464924047927850720915897334538205155796477275515888954493777509372421863858817079340724222044305450451984754173948523380921443850440010226012354226083642718433164324022575599948330147718863789069, 16249579302136675275737472669394168521026727339712083110552530420348131906271518040549529167354613121510156841352658645018277766962773342379074137176993546193979134201416444089373463960664685121485689105129185197998903479181913613273443541075619342246119648308939006396145123630152777688592984718084919469059]
phin = 1
for i in p:
    phin *= (i-1)
d = pow(e,-1,phin)
print(ltb(pow(c,d,p[-1])))
# flag{5c066086-178b-46a7-b0f8-f1afba6f2910}

16.[AFCTF 2018]你能看出这是什么加密么 #baby

脚本

# 题目简单，直接上脚本了
from Crypto.Util.number import *

p = 0x928fb6aa9d813b6c3270131818a7c54edb18e3806942b88670106c1821e0326364194a8c49392849432b37632f0abe3f3c52e909b939c91c50e41a7b8cd00c67d6743b4f
q = 0xec301417ccdffa679a8dcc4027dd0d75baf9d441625ed8930472165717f4732884c33f25d4ee6a6c9ae6c44aedad039b0b72cf42cab7f80d32b74061
e = 0x10001
c = 0x70c9133e1647e95c3cb99bd998a9028b5bf492929725a9e8e6d2e277fa0f37205580b196e5f121a2e83bc80a8204c99f5036a07c8cf6f96c420369b4161d2654a7eccbdaf583204b645e137b3bd15c5ce865298416fd5831cba0d947113ed5be5426b708b89451934d11f9aed9085b48b729449e461ff0863552149b965e22b6
n = p * q
phin = (p-1) * (q-1)
d = pow(e,-1,phin)
print(long_to_bytes(pow(c,d,n)))

17.[HUBUCTF 2022 新生赛]RSAaaa #baby

脚本

# myrsa是个人自行整理的关于rsa的函数
from myrsa import *
n = 536970330703
e = 65537
c = [473878130775,40132555282,40132555282,94619939727,72818765591,208015808884,42561234694,159353248388,27748063975,159353248388,159353248388,278953790403,410746718603,496849210942,27748063975,142521857906,103632267191,17774494147,328684046745,278953790403,129956887006,129956887006,366275425558,328684046745,142521857906,410746718603,142521857906,129956887006,379067009467,328684046745,159353248388,366275425558,129956887006,103632267191,27748063975,27748063975,17774494147,160623996897,278953790403,182341799525]
# yafu 分解
p = [992623, 540961]
# pec(p,e,c), 已知p[]为n的分解,e,c  函数返回m
pec(p,e,c)

18.[HGAME 2022 week1]Easy RSA #baby

脚本

from myrsa import *
# 直接对flag的每一位进行爆破（毕竟也就从0x20-0x80）
flag = b''
ls = [(12433, 149, 197, 104), (8147, 131, 167, 6633), (10687, 211, 197, 35594), (19681, 131, 211, 15710), (33577, 251, 211, 38798), (30241, 157, 251, 35973), (293, 211, 157, 31548), (26459, 179, 149, 4778), (27479, 149, 223, 32728), (9029, 223, 137, 20696), (4649, 149, 151, 13418), (11783, 223, 251, 14239), (13537, 179, 137, 11702), (3835, 167, 139, 20051), (30983, 149, 227, 23928), (17581, 157, 131, 5855), (35381, 223, 179, 37774), (2357, 151, 223, 1849), (22649, 211, 229, 7348), (1151, 179, 223, 17982), (8431, 251, 163, 30226), (38501, 193, 211, 30559), (14549, 211, 151, 21143), (24781, 239, 241, 45604), (8051, 179, 131, 7994), (863, 181, 131, 11493), (1117, 239, 157, 12579), (7561, 149, 199, 8960), (19813, 239, 229, 53463), (4943, 131, 157, 14606), (29077, 191, 181, 33446), (18583, 211, 163, 31800), (30643, 173, 191, 27293), (11617, 223, 251, 13448), (19051, 191, 151, 21676), (18367, 179, 157, 14139), (18861, 149, 191, 5139), (9581, 211, 193, 25595)]
for i in ls:
    e = i[0]
    p, q = i[1], i[2]
    c = i[3]
    n = p * q
    for m in range(0x20,0x80):
        if pow(m,e,n) == c: 
            flag += ltb(m)
            break
print(flag)

19.[黑盾杯 2020]Factor #baby(yafu)

exp

from myexp import *
n = 3454083680130687060405946528826790951695785465926614724373
e = 3
c = 1347530713288996422676156069761604101177635382955634367208
p = [11761833764528579549,17172929050033177661]
pec(p,e,c)

20.[BJDCTF 2020]rsa_output #共模攻击(n,e1,e2,c1,c2)

exp

# 常规新手共模攻击 gcdext求解
from myexp import *
n = ...
e1 = 2767
e2 = 3659
c1 = ...
c2 = ...
com_mod(n,[e1,e2],[c1,c2])
# BJD{r3a_C0mmoN_moD@_4ttack}

21.Cryptohack Everything is Big #wiener attack

exp

from myexp import *
from Crypto.Util.number import getPrime, bytes_to_long
'''
n = ...
e = ...
c = ...
def get_huge_RSA():
    p = getPrime(1024)
    q = getPrime(1024)
    N = p*q
    phi = (p-1)*(q-1)
    while True:
        d = getPrime(256)
        e = pow(d,-1,phi)
        if e.bit_length() == N.bit_length():
            break
    return n,e
'''
# 发现e较大，尝试使用wiener attack 得到p[p1, p2]
p = [... , ...]
pec(p,e,c)
# crypto{s0m3th1ng5_c4n_b3_t00_b1g}

22.Cryptohack Crossed Wires #wiener attack

c = ...
n = ...
d = ...
e = [106979, 108533, 69557, 97117, 103231]
ee = 1
for i in e:
    ee *= i
p = wiener_pq(n,d)
pec(p,ee,c)
# crypto{3ncrypt_y0ur_s3cr3t_w1th_y0ur_fr1end5_publ1c_k3y}

23.ISCTF ewzcry #baby

exp

'''
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
s = getPrime(128)
k = getPrime(128)
n = p * q
seek1 = p*s
seek2 = q*k
seek3 = s*k
c = pow(m,e,n)
'''
e = 65537
n = ...
seek1 = ...
seek2 = ...
seek3 = ...
c = ...

k = GCD(seek2,seek3)
q = seek2//k
s = seek3//k
p = seek1//s
phin = (q-1)*(p-1)
d = pow(e,-1,phin)
print(long_to_bytes(pow(c,d,n)))

24.[HGAME 2022 week3]Multi Prime RSA #baby

exp

from myexp import *
e = 65537
p = 61789932148719477384027458333380568978056286136137829092952317307711908353477
q = 91207969353355763685633284378833506319794714507027332929290701748727534193861
r = 105471299607375388622347272479207944509670502835651250945203397530010861809367
s = 83153238748903772448138307505579799277162652151244477391465130504267171881437
n = ...
e = 65537
c = ...
n = p ** 2 * q ** 3 * r ** 5 * s ** 7
phin = p*(p-1) * q**2 * (q-1) * r**4 * (r-1) * s**6 *(s-1)
d = pow(e,-1,phin)
print(ltb(pow(c,d,n)))