🪄🪄🪄比赛写完了,开心呐,嘻嘻👐👐👐🫣🤭
Easy_3L
题解:
一眼LCG
s[i] = (s[i - 1] * a + b) % n
已知S[1],S[2],S[4],S[5]
求s[3]
def encrypt2(msg, p, h):
    """Mask ``msg`` with a random multiple of ``h`` modulo ``p``.

    Computes ``c = (r*h + msg) % p`` where ``r`` is a fresh random 512-bit
    integer.  This is the NTRU-style relation the write-up analyses below:
    ``h`` and ``p`` are known, ``r`` and ``msg`` are not.
    """
    r = getRandomNBitInteger(512)  # fresh blinding value on every call
    return (r * h + msg) % p


# The third LCG output s[3] is the value passed through this masking layer.
c = encrypt2(s[3], p, h)
NTRU格密码
记 $f_p$ 为 $f$ 模 $p$ 的逆元:

$$
\begin{aligned}
h &\equiv f_p \cdot g \pmod p \\
c &= r \cdot h + m \pmod p \\
\text{同乘 } f:\quad c \cdot f &\equiv r \cdot g + m \cdot f \pmod p \\
r \cdot g + m \cdot f &< p \\
\text{令 } a = c \cdot f \bmod p,\ \text{得到}\quad a &= r \cdot g + m \cdot f \\
a &\equiv m \cdot f \pmod g \\
a \cdot f^{-1} &\equiv m \pmod g
\end{aligned}
$$
构造格
$$
A=\begin{bmatrix} 1 & h \\ 0 & p \end{bmatrix},\qquad
\begin{bmatrix} f & k \end{bmatrix} \cdot A = [\,f,\ g\,]
$$
求出s[3]
seed=flag,求lcg的seed
先求出n,再恢复a,b,然后得到seed
lcg的公式推导:
求m(模数)
$$
t_n = x_{n+1}-x_n
$$

$$
m=\gcd\big(t_{n+1}\,t_{n-1}-t_n\,t_n,\ \ t_n\,t_{n-2}-t_{n-1}\,t_{n-1}\big)
$$
求a
$$
a\equiv (x_{n+2}-x_{n+1})\cdot(x_{n+1}-x_n)^{-1}\pmod{m}
$$
求b
$$
b\equiv x_{n+1}-a\cdot x_n\pmod{m}
$$
wp
from gmpy2 import *
from Crypto.Util.number import *
# Five consecutive outputs of the LCG s[i] = (a * s[i-1] + b) % n.
# Per the write-up, four of them were given and the middle one (S3) is the
# value recovered from the NTRU-style layer.
S1 = 28572152986082018877402362001567466234043851789360735202177142484311397443337910028526704343260845684960897697228636991096551426116049875141
S2 = 1267231041216362976881495706209012999926322160351147349200659893781191687605978675590209327810284956626443266982499935032073788984220619657447889609681888
S3 = 10700695166096094995375972320865971168959897437299342068124161538902514000691034236758289037664275323635047529647532200693311709347984126070052011571264606
S4 = 9739918644806242673966205531575183334306589742344399829232076845951304871478438938119813187502023845332528267974698273405630514228632721928260463654612997
S5 = 9755668823764800147393276745829186812540710004256163127825800861195296361046987938775181398489372822667854079119037446327498475937494635853074634666112736
s = [S1, S2, S3, S4, S5]

# --- modulus n ---------------------------------------------------------------
# With t_k = s[k+1] - s[k], consecutive differences satisfy
# t_{k+1} = a * t_k (mod n), so t_{k+1} * t_{k-1} - t_k**2 is a multiple of n.
# The gcd of two such values is n, possibly times a small stray factor, which
# is why the bit length is printed for a sanity check.
t = [later - earlier for earlier, later in zip(s, s[1:])]
t0, t1, t2, t3 = t
n = gmpy2.gcd(t2 * t0 - t1 * t1, t3 * t1 - t2 * t2)
print(n)
print(n.bit_length())

# --- multiplier a:  a = (s2 - s1) * (s1 - s0)^-1  (mod n) ----------------------
a = (t1 * inverse(t0, n)) % n

# --- increment b:   b = s1 - a * s0  (mod n) ----------------------------------
b = (S2 - a * S1) % n

# Step the generator backwards once from the first output to reach the seed.
# An LCG keeps no secret state beyond (a, b, n), so a handful of raw outputs
# is enough to recover everything, including the value it was seeded with.
seed = (inverse(a, n) * (S1 - b)) % n
print(long_to_bytes(seed))
# Output: b'DASCTF{NTRU_L0G_a6e_S1mpLe}'
SigninCrypto
题解
恢复key和iv
key1:xor =bytes_to_long(hint1)^bytes_to_long(K1)
key2:K2 = long_to_bytes(getrandbits(64)) 八字节
key3:K3 = flag[:8] 八字节
key1:
key是24字节,所以key1是8字节,hint1是随机两字节重复构成的16字节,所以xor的结果的前8字节就是那个随机两字节
key2:
给出list1: 624组16bit随机数(32bit>>16)
list2: 312组32bit随机数(32bit随机数的低16位+下一组32bit随机数的低16位)
结合list1,list2恢复624组32bit随机数, key2就是预测下一个64位随机数
key3:flag[:8] = b'DASCTF{' + 1 个未知字节,最后一位爆破
iv:发现digest后面部分重复前面部分,即digest1==digest2
wp
import random
import hashlib
from Crypto.Cipher import DES3
from Crypto.Util.number import *
from mt19937predictor import MT19937Predictor
from randcrack import RandCrack
# Challenge output: 624 hex lines followed by 312 hex lines.
with open(r"D:\fj\task.txt", 'r') as f:
    s = f.read().splitlines()

# list1: 624 values, each the upper 16 bits of one 32-bit generator output.
# list2: 312 values, each packing the lower 16 bits of two consecutive
#        outputs (first output in bits 0-15, second in bits 16-31).
list1 = [int(line, 16) for line in s[:624]]
list2 = [int(line, 16) for line in s[624:]]

# Stitch the halves back together into the 624 full 32-bit outputs, in order.
num = []
for pair_index, packed in enumerate(list2):
    upper_first = list1[2 * pair_index]
    upper_second = list1[2 * pair_index + 1]
    num.append(upper_first << 16 | (packed & 0xffff))
    num.append(((packed >> 16) & 0xffff) | upper_second << 16)
# len(num) == 624 and every entry fits in 32 bits when the input is as described.

# Disabled self-checks: re-derive list1 and list2 from num and compare by eye.
'''
#check
mm=[]
for i in range(len(num)):
mm.append(num[i]>>16)
print(mm)
#check
print(list2)
mm=[]
r64=[]
for i in range(0,len(num),2):
ttt=(num[i]& 0xffff)|(num[i+1]<<32)
r64.append(ttt)
for rand64 in r64:
mm.append((rand64 & 0xffff) | ((rand64 >> 32) & 0xffff) << 16)
print(mm)
'''

# Python's `random` module is MT19937: 624 consecutive 32-bit outputs fix the
# whole internal state, so the seed is never needed to predict what follows.
# Key material must come from a CSPRNG (`secrets` / os.urandom), not `random`.
rc = RandCrack()
for i in range(624):
    rc.submit(num[i])  # feed one recovered 32-bit output per call
key2 = long_to_bytes(rc.predict_getrandbits(64))
print("key2", key2)

# Known flag prefix; the eighth byte of key3 is brute-forced later.
tkey3 = b'DASCTF{'
hint1 = 334648638865560142973669981316964458403

# Leaked digest material for the IV, given as one big integer.
ivv = 0x62343937373634656339396239663236643437363738396663393438316230353665353733303939613830616662663633326463626431643139323130616333363363326631363235313661656632636265396134336361623833636165373964343533666537663934646239396462323666316236396232303539336438336234393737363465633939623966323664343736373839666339343831623035366535373330393961383061666266363332646362643164313932313061633336336332663136323531366165663263626539613433636162383363616537396434353366653766393464623939646232366631623639623230353933643833
digest = long_to_bytes(int(ivv))
print(digest)
# Output: the same 128-character SHA-512 hex string (b497764e...20593d83)
# twice in a row, i.e. both halves of the IV hash to the same value and are
# therefore equal.

# hint2 exposes the leading IV bytes once its low 32 bits are shifted away.
hint2 = 22078953819177294945130027344
iv = hint2 >> 32
print(long_to_bytes(iv))
# Output: b'GWHT\xd9\x13\xbc\xcd'  -> first half is b'GWHT', so IV = b'GWHTGWHT'

# Disabled check: recompute the doubled digest from the guessed IV.
'''
#check
iv=b'GWHTGWHT'
IV=iv
IV1=IV[:len(IV)//2]
IV2=IV[len(IV)//2:]
digest1 = hashlib.sha512(IV1).digest().hex()
digest2 = hashlib.sha512(IV2).digest().hex()
digest=digest1+digest2
print(digest)
'''
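def genkey2(xor, hint1):
    """Return ``hint1 XOR xor`` as a fixed-width big-endian byte string.

    Args:
        xor: The masked value, as bytes.
        hint1: The mask, as bytes.

    Returns:
        The XOR of both inputs read as big-endian integers, encoded with the
        length of the longer input (at least one byte).

    The width is pinned on purpose: the result is used as one 8-byte third of
    a 24-byte 3DES key, and converting the integer back with its minimal
    length would drop leading zero bytes and silently shorten the key.
    """
    width = max(len(xor), len(hint1), 1)
    mixed = int.from_bytes(hint1, "big") ^ int.from_bytes(xor, "big")
    return mixed.to_bytes(width, "big")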
# 48-byte 3DES-CBC ciphertext from the challenge.
ciphertext = 0xa6546bd93bced0a8533a5039545a54d1fee647007df106612ba643ffae850e201e711f6e193f15d2124ab23b250bd6e1
c = long_to_bytes(int(ciphertext))

# The leaked XOR value, as bytes:
#   b'\xfb\xc2\xfb\xc2\xfb\xc2\xfb\xc2\x9f\xa3\x88\xa1\x8f\xa4\x9f\xa3'
# Its first 8 bytes are the repeated two-byte mask, its last 8 bytes are the
# masked key1.
xxor = 334648638865560142973669981316964458403
xor = b'\x9f\xa3\x88\xa1\x8f\xa4\x9f\xa3'
r = b'\xfb\xc2\xfb\xc2\xfb\xc2\xfb\xc2'
key1 = genkey2(xor, r)
# key1 == b'dasctfda'

iv = b'GWHTGWHT'

# Only the last byte of key3 is unknown: try every printable ASCII value and
# keep the decryptions that contain the flag prefix.
for k in range(32, 127):
    key = key1 + key2 + tkey3 + long_to_bytes(k)
    flag = DES3.new(key, DES3.MODE_CBC, iv).decrypt(c)
    if b'DASCTF{' in flag:
        print("key", key)
        print("flag", flag)

# Recorded output.  Two keys match ('8' and '9' differ only in the lowest bit)
# because DES ignores the least-significant parity bit of every key byte, so
# decryption alone cannot tell them apart; the flag text itself settles it.
'''
key b'dasctfdaw\xab$-d\xa6\x0e\x8eDASCTF{8'
flag b'DASCTF{8e5ee461-f4e1-4af2-8632-c9d62f4dc073}\x04\x04\x04\x04'
key b'dasctfdaw\xab$-d\xa6\x0e\x8eDASCTF{9'
flag b'DASCTF{8e5ee461-f4e1-4af2-8632-c9d62f4dc073}\x04\x04\x04\x04'
'''
Danger_RSA
题解
这题有原题:cryptoctf2023 risk
可以确定a=4
通过生成测试可以发现,n^(1/4)==x1*x2
分解e
e=s*t
s、t 均为 17 bit 的数,即落在 (2^16, 2^17) 区间内
factor(e)
3 * 7^2 * 19 * 691 * 5741
#(2**16,2**17)=(65536,131072)
#可能一:
sage: 5741*19
109079
sage: 691*49*3
101577
#可能二:
sage: 7 * 19 * 691
91903
sage: 3 * 7 * 5741
120561
$$
\begin{aligned}
p &= x_1^4+s\\
q &= x_2^4+t\\
p\cdot q = n &= (x_1^4+s)\cdot(x_2^4+t)\\
&= (x_1 x_2)^4+t\cdot x_1^4+s\cdot x_2^4+e\\
x_1\cdot x_2 &= \lfloor n^{1/4}\rfloor
\end{aligned}
$$

方程组求解 $x_1, x_2$,可得到 $p, q$
wp
import gmpy2
from Crypto.Util.number import *
# Exponent used in the prime construction p = x1^a + s, q = x2^a + t.
a = 4
N = 20289788565671012003324307131062103060859990244423187333725116068731043744218295859587498278382150779775620675092152011336913225797849717782573829179765649320271927359983554162082141908877255319715400550981462988869084618816967398571437725114356308935833701495015311197958172878812521403732038749414005661189594761246154666465178024563227666440066723650451362032162000998737626370987794816660694178305939474922064726534186386488052827919792122844587807300048430756990391177266977583227470089929347969731703368720788359127837289988944365786283419724178187242169399457608505627145016468888402441344333481249304670223
e = 11079917583
c = 13354219204055754230025847310134936965811370208880054443449019813095522768684299807719787421318648141224402269593016895821181312342830493800652737679627324687428327297369122017160142465940412477792023917546122283870042482432790385644640286392037986185997262289003477817675380787176650410819568815448960281666117602590863047680652856789877783422272330706693947399620261349458556870056095723068536573904350085124198592111773470010262148170379730937529246069218004969402885134027857991552224816835834207152308645148250837667184968030600819179396545349582556181916861808402629154688779221034610013350165801919342549766

# Integer 4th root of N; the write-up observes that it equals x1 * x2.
xx = gmpy2.iroot(N, 4)

# The split of e = s * t that makes the later assert on p * q hold.
t = 91903
s = 120561
assert e == s * t
print(int(xx[0]))

# Solved separately in Sage for x1 and x2 (quoted, not executed here):
#sage
'''var('x1 x2')
eq1 =x1*x2-int(xx[0])
eq2 =(x1**4+s)*(x2**4+t)-N
re1=solve([eq1==0,eq2==0],x1,x2,solution_dict=True)
print(re1)
'''
x1 = 47783641287938625512681830427927501009821495321018170621907812035456872958654
x2 = 44416071018427916652440592614276227563515579156219730344722242565477265479486

# Primes that sit a small offset above a perfect 4th power leak their
# structure through the 4th root of N, which is what makes N factorable.
p = x1**4 + s
q = x2**4 + t
assert p * q == N
phi = (p - 1) * (q - 1)

# e shares a factor with p - 1, so no ordinary private exponent exists.
# Invert only the coprime part of e modulo p - 1; that leaves m raised to the
# shared factor, and the remaining root is taken in GF(p).
shared = gmpy2.gcd(e, p - 1)
d = inverse(e // shared, p - 1)
tm = pow(c, d, p)

# NOTE(review): the cubic below hard-codes a shared factor of 3 -- confirm
# that `shared` really is 3 before reusing this on other parameters.
R.<x> = Zmod(p)[]
f = x^3 - int(tm)
for root, _multiplicity in f.roots():
    print(long_to_bytes(int(root)))
# Output includes: b'DASCTF{C0nsTruct!n9_Techn1qUe2_f0r_RSA_Pr1me_EnC2ypt10N}'
esyRSA
题解
这题做了很久,这个n有问题,一直做不出来
无论e有多大,d都是要接近phi(n)
结果发现n其实是1024bit后面重复了
已知n,d,分解n ,Wiener Attack
$$
\varphi(n) = (p-1)(q-1) = pq-(p+q)+1 = N-(p+q)+1
$$

$$
\because\ ed\equiv 1 \pmod{\varphi(n)}\qquad \therefore\ ed-1=k\varphi(n)
$$

这个式子两边同除 $e\varphi(n)$ 可得:

$$
\therefore\ \frac{d}{\varphi(n)}-\frac{k}{e}=\frac{1}{e\varphi(n)}
$$

由于 $\varphi(n)\approx N$:

$$
\therefore\ \frac{d}{N}-\frac{k}{e}\approx\frac{1}{e\varphi(n)},\qquad \frac{d}{N}\approx \frac{k}{e}
$$
wp
# Challenge values: the RSA private exponent d and the modulus n.  The public
# exponent is not given; it falls out of the continued-fraction search below.
d = 14218766449983537783699024084862960813708451888387858392014856544340557703876299258990323621963898510226357248200187173211121827541826897886277531706124228848229095880229718049075745233893843373402201077890407507625110061976931591596708901741146750809962128820611844426759462132623616118530705745098783140913
n = 80642592772746398646558097588687958541171131704233319344980232942965050635113860017117519166348100569115174644678997805783380130114530824798808098237628247236574959152847903491509751809336988273823686988619679739640305091291330211169194377552925908412183162787327977125388852329089751737463948165202565859373
def factor_rsa_wiener(N, e):
    """Factor N from one known exponent via continued fractions (Wiener).

    Walks the convergents k/d of e/N.  For each one it derives a candidate
    phi(N) = (e*d - 1) / k, then solves x^2 - (N - phi + 1)*x + N = 0, whose
    roots are p and q when the candidate is right.

    In this write-up the function is called with the known *private* exponent
    in the ``e`` slot, so the denominator it prints is the recovered public
    exponent.  The search only succeeds when that unknown exponent is small
    relative to N (classically below roughly N^(1/4) / 3).

    Returns:
        ``(larger, smaller)`` prime factor pair, after printing the matching
        denominator; falls off the end (returns None) if no convergent fits.
    """
    for convergent in (e / N).continued_fraction().convergents():
        k = convergent.numer()
        d = convergent.denom()
        if k == 0:
            continue

        phi_N = ((e * d) - 1) / k
        b = -(N - phi_N + 1)      # b = -(p + q) for the right candidate
        dis = b ^ 2 - 4 * N       # discriminant (p - q)^2
        if dis.sign() != 1:
            continue

        dis_sqrt = sqrt(dis)
        p = (-b + dis_sqrt) / 2
        q = (-b - dis_sqrt) / 2
        if not (p.is_integer() and q.is_integer() and (p * q) % N == 0):
            continue

        p = p % N
        q = q % N
        print(d)
        return (p, q) if p > q else (q, p)
# The known private exponent goes into the `e` slot of the helper.
p, q = factor_rsa_wiener(n, d)
print(p + q)
# Output:
# 18101966903197904104103274369549488558638013636328319260314053428770825687572755141919313812981523970938045930012152983362607947170555142776865084844865966

from hashlib import md5

# MD5 is used here only to format the answer (hex digest of the decimal
# string of p + q), not as a security primitive.
pq = 18101966903197904104103274369549488558638013636328319260314053428770825687572755141919313812981523970938045930012152983362607947170555142776865084844865966
answer = md5(str(pq).encode())
print(answer.hexdigest())
# Output: 4ae33bea90f030bfddb7ac4d9222ef8f
MCeorpkpleer
题解
背包加密
list是超递增序列
超递增背包
构造格
可以恢复e
已知p的高位,Coppersmith攻击
wp
from Crypto.Util.number import inverse, long_to_bytes
# Public knapsack weights (64 entries) published by the challenge.
pubkey = [18143710780782459577, 54431132342347378731, 163293397027042136193, 489880191081126408579, 1469640573243379225737, 4408921719730137677211, 13226765159190413031633, 39680295477571239094899, 119040886432713717284697, 357122659298141151854091, 1071367977894423455562273, 3214103933683270366686819, 9642311801049811100060457, 28926935403149433300181371, 86780806209448299900544113, 260342418628344899701632339, 781027255885034699104897017, 2343081767655104097314691051, 7029245302965312291944073153, 21087735908895936875832219459, 63263207726687810627496658377, 189789623180063431882489975131, 569368869540190295647469925393, 1708106608620570886942409776179, 601827224419797931380408071500, 1805481673259393794141224214500, 893952418336266652976851386463, 2681857255008799958930554159389, 3523079163584485147344841221130, 1524252287869625983140881149316, 50264262166963219975822190911, 150792786500889659927466572733, 452378359502668979782399718199, 1357135078508006939347199154597, 4071405235524020818041597463791, 3169230503688232995231149877299, 462706308180869526799807117823, 1388118924542608580399421353469, 4164356773627825741198264060407, 3448085117999647764701149667147, 1299270151115113835209806487367, 3897810453345341505629419462101, 2648446157152195057994615872229, 3422845870014670444537026359650, 1223552407160181874717436564876, 3670657221480545624152309694628, 1966986461557807413563286569810, 1378466783231507511243038452393, 4135400349694522533729115357179, 3361215846199738142293703557463, 1038662335715384967987468158315, 3115987007146154903962404474945, 302975818554635252993570910761, 908927455663905758980712732283, 2726782366991717276942138196849, 3657854499533237101379593333510, 1928578295715881845245137486456, 1263242285705730806288591202331, 3789726857117192418865773606993, 2324195368467747797703678306905, 2450093503961328663664213663678, 2827787910442071261545819733997, 3960871129884299055190637944954, 2837628186769067706678271320788]
# Knapsack sum that encodes the 64 bits of the RSA public exponent e.
en_e = 31087054322877663244023458448558
# Step 1 -- quoted Sage code, not executed by this script: recover e from the
# knapsack sum en_e.
# The quoted code builds an (nbit+1) x (nbit+1) rational matrix with an
# identity block, a last column of pubkey[i]*N, a last row of 1/2 and en_e*N in
# the corner, runs LLL on it, and looks for a reduced row whose first nbit
# entries are all +1/2 or -1/2.  An entry of -1/2 is read as bit 1, anything
# else as bit 0, and the resulting bit string is printed as e.
'''
import gmpy2
from Crypto.Util.number import isPrime, bytes_to_long, inverse, long_to_bytes
from sympy import nextprime
from tqdm import tqdm
pubkey = [18143710780782459577, 54431132342347378731, 163293397027042136193, 489880191081126408579, 1469640573243379225737, 4408921719730137677211, 13226765159190413031633, 39680295477571239094899, 119040886432713717284697, 357122659298141151854091, 1071367977894423455562273, 3214103933683270366686819, 9642311801049811100060457, 28926935403149433300181371, 86780806209448299900544113, 260342418628344899701632339, 781027255885034699104897017, 2343081767655104097314691051, 7029245302965312291944073153, 21087735908895936875832219459, 63263207726687810627496658377, 189789623180063431882489975131, 569368869540190295647469925393, 1708106608620570886942409776179, 601827224419797931380408071500, 1805481673259393794141224214500, 893952418336266652976851386463, 2681857255008799958930554159389, 3523079163584485147344841221130, 1524252287869625983140881149316, 50264262166963219975822190911, 150792786500889659927466572733, 452378359502668979782399718199, 1357135078508006939347199154597, 4071405235524020818041597463791, 3169230503688232995231149877299, 462706308180869526799807117823, 1388118924542608580399421353469, 4164356773627825741198264060407, 3448085117999647764701149667147, 1299270151115113835209806487367, 3897810453345341505629419462101, 2648446157152195057994615872229, 3422845870014670444537026359650, 1223552407160181874717436564876, 3670657221480545624152309694628, 1966986461557807413563286569810, 1378466783231507511243038452393, 4135400349694522533729115357179, 3361215846199738142293703557463, 1038662335715384967987468158315, 3115987007146154903962404474945, 302975818554635252993570910761, 908927455663905758980712732283, 2726782366991717276942138196849, 3657854499533237101379593333510, 1928578295715881845245137486456, 1263242285705730806288591202331, 3789726857117192418865773606993, 2324195368467747797703678306905, 2450093503961328663664213663678, 2827787910442071261545819733997, 3960871129884299055190637944954, 2837628186769067706678271320788]
en_e = 31087054322877663244023458448558
# print(len(pubkey))
# 64
nbit=64
#随机找一个符合条件的N
N=nextprime(gmpy2.iroot(nbit,2)[0]//2)
L=Matrix(QQ,nbit + 1, nbit + 1)
#构造矩阵L
for i in range(nbit):
L[i,i]=1
for i in range(nbit):
L[i,nbit]=pubkey[i]*N
for i in range(nbit):
L[nbit,i]=1/2
L[nbit,nbit]=en_e*N
print("LLL start")
res=L.LLL()
for i in tqdm(range(0, nbit + 1)):
# print solution
M = res.row(i).list()[:-1]#最后面密文恢复后变成0
flag = True
for m in M:
if m != 1/2 and m != -1/2:#根据破解原理,恢复的明文应只包含-1/2和1/2
flag = False
break
if flag:
mm=""
print (i, M)
for j in M:
if j==-1/2:
mm+="1"
else:
mm+="0"
print("e=",(int(mm,2)))
'''
# Step 2 -- quoted Sage code and inputs, not executed by this script: rebuild
# the prime p from its known high bits.
# The quoted code keeps p >> 435, shifts that back up to a 1024-bit value p4,
# and calls small_roots() on f = x + p4 modulo n (bound 2^kbits, beta=0.4) to
# find the missing low part; it then prints n, p and q = n // p.
# The e shown is the value printed by step 1.
'''
e= 15960663600754919507
p = 139540788452365306201344680691061363403552933527922544113532931871057569249632300961012384092481349965600565669315386312075890938848151802133991344036696488204791984307057923179655351110456639347861739783538289295071556484465877192913103980697449775104351723521120185802327587352171892429135110880845830815744
n = 22687275367292715121023165106670108853938361902298846206862771935407158965874027802803638281495587478289987884478175402963651345721058971675312390474130344896656045501040131613951749912121302307319667377206302623735461295814304029815569792081676250351680394603150988291840152045153821466137945680377288968814340125983972875343193067740301088120701811835603840224481300390881804176310419837493233326574694092344562954466888826931087463507145512465506577802975542167456635224555763956520133324723112741833090389521889638959417580386320644108693480886579608925996338215190459826993010122431767343984393826487197759618771
c = 156879727064293983713540449709354153986555741467040286464656817265584766312996642691830194777204718013294370729900795379967954637233360644687807499775502507899321601376211142933572536311131955278039722631021587570212889988642265055045777870448827343999745781892044969377246509539272350727171791700388478710290244365826497917791913803035343900620641430005143841479362493138179077146820182826098057144121231954895739989984846588790277051812053349488382941698352320246217038444944941841831556417341663611407424355426767987304941762716818718024107781873815837487744195004393262412593608463400216124753724777502286239464
p4=p>>435
pbits = 1024
kbits = pbits - p4.nbits()
print(p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits, beta=0.4)
if roots:
p = p4 + int(roots[0])
q = n//p
print(f'n: {n}')
print(f'p: {p}')
print(f'q: {q}')'''
# Step 3: ordinary RSA decryption with the values recovered in steps 1 and 2.
# p and q are the factors printed by the Coppersmith step.
p = 139540788452365306201344680691061363403552933527922544113532931871057569249632300961012384092481349965600565669315386312075890938848151802133991344036696488204791984307057923179677630589032444985150800881889090713797496239571291907818169058929859395965304623825442220206712660451198754072531986630133689525911
q = 162585259972480477964240855936099163585362299488578311068842002571891718764319834825730036484383081273549236661473286892739224906812137330941622699836239606393084030874487072527724286268715004074797344316619876830720445250395986443767703356842297999006344406006724963545062388183647988548800359369190326996261
n = 22687275367292715121023165106670108853938361902298846206862771935407158965874027802803638281495587478289987884478175402963651345721058971675312390474130344896656045501040131613951749912121302307319667377206302623735461295814304029815569792081676250351680394603150988291840152045153821466137945680377288968814340125983972875343193067740301088120701811835603840224481300390881804176310419837493233326574694092344562954466888826931087463507145512465506577802975542167456635224555763956520133324723112741833090389521889638959417580386320644108693480886579608925996338215190459826993010122431767343984393826487197759618771
# e is the exponent decoded from the knapsack sum.
e = 15960663600754919507
c = 156879727064293983713540449709354153986555741467040286464656817265584766312996642691830194777204718013294370729900795379967954637233360644687807499775502507899321601376211142933572536311131955278039722631021587570212889988642265055045777870448827343999745781892044969377246509539272350727171791700388478710290244365826497917791913803035343900620641430005143841479362493138179077146820182826098057144121231954895739989984846588790277051812053349488382941698352320246217038444944941841831556417341663611407424355426767987304941762716818718024107781873815837487744195004393262412593608463400216124753724777502286239464

# Guard against a wrong factorisation before deriving the private exponent.
assert p * q == n
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
# Output: b'DASCTF{T81I_tPPS_6r7g_xlPi_OO3M_6vyV_Rkba}'
XOR贯 穿始终
题解
压缩包的密码
社会主义核心价值
C0ngr4tulati0n5_y0u_fou^d_m3
pem文件
将 Base64 编码的字符串解码为其对应的二进制格式。
解析之后的16进制数据:
020100 # 整型,长度为 1 字节 (0x01),内容 0x00:version
028181 # 整型 长度 为 129 字节 (0x81),内容:模数 n (modulus)
0203 # 整型 长度 为 3 字节(0x03),内容:e (公钥指数)
0241 # 整型 长度 为 65 字节(0x41),内容:p (素数)
0241 # 整型 长度 为 65 字节(0x41),内容:q (素数)
提取出
e=0x010001
n=0x00b9ad332fb6b87d59b5b20b4ae880ba416d8724111f99a9ed498bcb365091d83dcc43fdff9b607df8a443bcadc79907c921e76b38003b5b0ece660437803195ebfab9a7e23fc0751228fdeefe5591827523d7b79ad04d85e4db5caa13f28a7e0124357d0685e00f14ccbb9679979923c2531ff487f9ba2500ade48995c315d913
p=0x00ea59434f560de2eaf4f21c22fb10691b79485e6290007dc28242bc63739fb95fa03e5ed807000d491f0ca43e50a91d43a6940f390c91757a3ba8226ce58112c9
q=0x00cad4c29d017e30ddabd606805044d9ca3e6a3184fb4e1f332845555498c36b02e7b97e2eb09d85c919e30a493ce94ef9412261c3998c7344271b6e6e1b3dfefb
RSA解密得到:
b'DASCTF{0e287wQ\x08R\x17\x00FGXYFZ\x07V\x03kIUCn\x02VDg\x01f\x0cN'
发现后面不是可读写字符
题目是xor 从始至终,猜测始是刚开始得到的密码,始和终异或
wp
from Crypto.Util.number import *
c = 91817924748361493215143897386603397612753451291462468066632608541316135642691873237492166541761504834463859351830616117238028454453831120079998631107520871612398404926417683282285787231775479511469825932022611941912754602165499500350038397852503264709127650106856760043956604644700201911063515109074933378818

# Values read straight out of the DER-encoded private key in the PEM file.
# Once the private key file is exposed, RSA adds no protection at all.
e = 0x010001
n = 0x00b9ad332fb6b87d59b5b20b4ae880ba416d8724111f99a9ed498bcb365091d83dcc43fdff9b607df8a443bcadc79907c921e76b38003b5b0ece660437803195ebfab9a7e23fc0751228fdeefe5591827523d7b79ad04d85e4db5caa13f28a7e0124357d0685e00f14ccbb9679979923c2531ff487f9ba2500ade48995c315d913
p = 0x00ea59434f560de2eaf4f21c22fb10691b79485e6290007dc28242bc63739fb95fa03e5ed807000d491f0ca43e50a91d43a6940f390c91757a3ba8226ce58112c9
q = 0x00cad4c29d017e30ddabd606805044d9ca3e6a3184fb4e1f332845555498c36b02e7b97e2eb09d85c919e30a493ce94ef9412261c3998c7344271b6e6e1b3dfefb

# Sanity output: p, e, then their bit lengths (512 and 17).
for value in (p, e, p.bit_length(), e.bit_length()):
    print(value)

# Confirm the extracted primes belong to this modulus, then decrypt.
assert n == q * p
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))

# The plaintext starts with a readable flag prefix followed by 28 unreadable
# bytes.  XOR-ing those bytes with the 28-byte archive password from the first
# stage yields the rest of the flag.
tf = b'DASCTF{0e287'
t1 = b'C0ngr4tulati0n5_y0u_fou^d_m3'                                   # 28 bytes
t2 = b'wQ\x08R\x17\x00FGXYFZ\x07V\x03kIUCn\x02VDg\x01f\x0cN'  # 28 bytes
tt = bytes_to_long(t1) ^ bytes_to_long(t2)
print(tf + long_to_bytes(tt))
42bc63739fb95fa03e5ed807000d491f0ca43e50a91d43a6940f390c91757a3ba8226ce58112c9
q=0x00cad4c29d017e30ddabd606805044d9ca3e6a3184fb4e1f332845555498c36b02e7b97e2eb09d85c919e30a493ce94ef9412261c3998c7344271b6e6e1b3dfefb
print(p)
print(e)
print(p.bit_length())#512
print(e.bit_length())#17
assert n == q * p
phi = (p - 1) * (q - 1)
d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
tf=b'DASCTF{0e287'
t1=b'C0ngr4tulati0n5_y0u_fou^d_m3'
# print(len(t1))#28
t2=b'wQ\x08R\x17\x00FGXYFZ\x07V\x03kIUCn\x02VDg\x01f\x0cN'
#print(len(t2))#28
tt=bytes_to_long(t1)^bytes_to_long(t2)
print(tf+long_to_bytes(tt))