[ASIS 2022] crypto部分

石氏是时试

已于 2022-10-16 18:30:35 修改

阅读量2k

点赞数 2

CC 4.0 BY-SA版权

分类专栏： CTF crypto 文章标签： python

于 2022-10-16 18:06:22 首次发布

本文链接：https://blog.youkuaiyun.com/weixin_52640415/article/details/127349211

CTF crypto 专栏收录该内容

60 篇文章

订阅专栏

本文介绍了解决六个密码学挑战的过程，包括数学分析、编程技巧及特殊算法的应用。涉及公钥密码学、椭圆曲线密码学等多个方面。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

只作了两个,这题居然有人这么短时间就写了WP,而且让我找着了

Neobeo

1, Binned

给了一个算式

$enc = (pubkey +1)^{m} % pubkey^{3}$

from Crypto.Util.number import *
from gensafeprime import *
from flag import flag

def keygen(nbit):
	p, q = [generate(nbit) for _ in range(2)]
	return (p, q)

def encrypt(m, pubkey):
	return pow(pubkey + 1, m, pubkey ** 3)

p, q = keygen(512)
n = p * q

flag = bytes_to_long(flag)
enc = encrypt(flag, n)

print(f'pubkey = {n}')
print(f'enc = {enc}')

问了一个懂数学了朋友,说是只看n方,但也没直接给结果,看到wp,原来有这个公式

$(n+1)^{k} = kn+1 (mod n^{2})$

然后这个题就直接解了,这是个热身题!!

pubkey = 125004899806380680278294077957993138206121343727674199724251084023100054797391533591150992663742497532376954423241741439218367086541339504325939051995057848301514908377941815605487168789148131591458301036686411659334843972203243490288676763861925647147178902977362125434420265824374952540259396010995154324589

enc = 789849126571263315208956108629196540107771075292285804732934458641661099043398300667318883764744131397353851782194467024270666326116745519739176492710750437625345677766980300328542459318943175684941281413218985938348407537978884988013947538034827562329111515306723274989323212194585378159386585826998838542734955059450048745917640814983343040930383529332576453845724747105810109832978045135562492851617884175410194781236450629682032219153517122695586503298477875749138129517477339813480115293124316913331705913455692462482942654717828006590051944205639923326375814299624264826939725890226430388059890231323791398412019416647826367964048142887158552454494856771139750458462334678907791079639005383932256589768726730285409763583606927779418528562990619985840033479201147509241313757191997545174262930707521451438204766627975109619779824255444258160

# enc = (n+1)^k mod n^3
# enc = (n+1)^k = kn + 1 (mod n^2)
from Crypto.Util.number import long_to_bytes

print(long_to_bytes(enc % pubkey**2 // pubkey))
#ASIS{8!N0miaL_3XpAn5iOn_Us4G3_1N_cRyp7o_9rApHy!}

2,Chaffymasking

这题前边给出了一个非常复杂的加密运算,但加密的最后一步是密钥和密文异或,显然由于远端和本地密钥是相同的,只要把得到地密文在放在本地程序里,再运行一下就OK了

#!/usr/bin/env python3

import numpy as np
import binascii
import os, sys
#from flag import FLAG
FLAG = 'flag{0000000000000000000000000000000000000000000000000000000000}'
print(FLAG)

def die(*args):
	pr(*args)
	quit()

def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()

def sc(): 
	return sys.stdin.buffer.readline()

def pad(inp, length):
	result = inp + os.urandom(length - len(inp))
	return result

def byte_xor(a, b):
	return bytes(_a ^ _b for _a,_b in zip(a,b)) 

def chaffy_mask(salt, LTC, m, n):
	q = n ** 2
	half1_salt = salt[:m // 8]
	half2_salt = salt[m // 8:]
	xor_salts = int.from_bytes(byte_xor(half1_salt, half2_salt), "big")

	if xor_salts == 0:
		half1_salt = byte_xor(half1_salt, os.urandom(m))
	half1_binStr = "{:08b}".format(int(half1_salt.hex(),16))
	if(len(half1_binStr) < m):
		half1_binStr = "0" * (m - len(half1_binStr)%m) + half1_binStr
	half2_binStr = "{:08b}".format(int(half2_salt.hex(),16))
	if(len(half2_binStr) < m):
		half2_binStr = "0" * (m - len(half2_binStr)%m) + half2_binStr
	
	vec_1 = np.array(list(half1_binStr), dtype=int)          #64行1列矩阵
	vec_1 = np.reshape(vec_1, (m,1))
	vec_2 = np.array(list(half2_binStr), dtype=int)
	vec_2 = np.reshape(vec_2, (m,1))
	
	out_1 = LTC.dot(vec_1) % q   #点积, LTC * vec_1
	out_2 = LTC.dot(vec_2) % q
    
	tf = bytes.fromhex('52cf462cf198992867f56c1ad5b6992f76f85017eba7900370f36313e3a791337dc3660bd5a3992f4cef6010e5bb97337cf36010e5bb97337cc36a1ef98dd921')

	flag_vector = np.array([i for i in tf])   #把这里应该是flag明文替换成从网站得到的密文
	flag_vector = np.reshape(flag_vector, (n,1))
	masked_flag = (flag_vector ^ out_1 ^ out_2) % 256
	print(2, masked_flag)
	masked_flag = np.reshape(masked_flag, (n,))
	print(3, masked_flag)
	masked_flag = ''.join([hex(_)[2:].zfill(2) for _ in masked_flag])
	print(4, masked_flag)
	return masked_flag.encode('utf-8')

def main():
	border = "|"
	pr(border*72)
	pr(border, " Welcome to chaffymask combat, we implemented a masking method to   ", border)
	pr(border, " hide our secret. Masking is done by your 1024 bit input salt. Also ", border)
	pr(border, " I noticed that there is a flaw in my method. Can you abuse it and  ", border)
	pr(border, " get the flag? In each step you should send salt and get the mask.  ", border)
	pr(border*72)

	m, n = 512, 64 
	IVK = [
	3826, 476, 3667, 2233, 1239, 1166, 2119, 2559, 2376, 1208, 2165, 2897, 830, 529, 346, 150, 2188, 4025, 
	3667, 1829, 3987, 952, 3860, 2574, 959, 1394, 1481, 2822, 3794, 2950, 1190, 777, 604, 82, 49, 710, 1765, 
	3752, 2970, 952, 803, 873, 2647, 2643, 1096, 1202, 2236, 1492, 3372, 2106, 1868, 535, 161, 3143, 3370, 
	1, 1643, 2147, 2368, 3961, 1339, 552, 2641, 3222, 2505, 3449, 1540, 2024, 618, 1904, 314, 1306, 3173, 
	4040, 1488, 1339, 2545, 2167, 394, 46, 3169, 897, 4085, 4067, 3461, 3444, 118, 3185, 2267, 3239, 3612, 
	2775, 580, 3579, 3623, 1721, 189, 650, 2755, 1434, 35, 3167, 323, 589, 3410, 652, 2746, 2787, 3665, 828, 
	3200, 1450, 3147, 720, 3741, 1055, 505, 2929, 1423, 3629, 3, 1269, 4066, 125, 2432, 3306, 4015, 2350, 
	2154, 2623, 1304, 493, 763, 1765, 2608, 695, 30, 2462, 294, 3656, 3231, 3647, 3776, 3457, 2285, 2992, 
	3997, 603, 2342, 2283, 3029, 3299, 1690, 3281, 3568, 1927, 2909, 1797, 1675, 3245, 2604, 1272, 1146, 
	3301, 13, 3712, 2691, 1097, 1396, 3694, 3866, 2066, 1946, 3476, 1182, 3409, 3510, 2920, 2743, 1126, 2154, 
	3447, 1442, 2021, 1748, 1075, 1439, 3932, 3438, 781, 1478, 1708, 461, 50, 1881, 1353, 2959, 1225, 1923, 
	1414, 4046, 3416, 2845, 1498, 4036, 3899, 3878, 766, 3975, 1355, 2602, 3588, 3508, 3660, 3237, 3018, 
	1619, 2797, 1823, 1185, 3225, 1270, 87, 979, 124, 1239, 1763, 2672, 3951, 984, 869, 3897, 327, 912, 1826, 
	3354, 1485, 2942, 746, 833, 3968, 1437, 3590, 2151, 1523, 98, 164, 3119, 1161, 3804, 1850, 3027, 1715, 
	3847, 2407, 2549, 467, 2029, 2808, 1782, 1134, 1953, 47, 1406, 3828, 1277, 2864, 2392, 3458, 2877, 1851, 
	1033, 798, 2187, 54, 2800, 890, 3759, 4085, 3801, 3128, 3788, 2926, 1983, 55, 2173, 2579, 904, 1019, 
	2108, 3054, 284, 2428, 2371, 2045, 907, 1379, 2367, 351, 3678, 1087, 2821, 152, 1783, 1993, 3183, 1317, 
	2726, 2609, 1255, 144, 2415, 2498, 721, 668, 355, 94, 1997, 2609, 1945, 3011, 2405, 713, 2811, 4076, 
	2367, 3218, 1353, 3957, 2056, 881, 3420, 1994, 1329, 892, 1577, 688, 134, 371, 774, 3855, 1461, 1536, 
	1824, 1164, 1675, 46, 1267, 3652, 67, 3816, 3169, 2116, 3930, 2979, 3166, 3944, 2252, 2988, 34, 873, 
	1643, 1159, 2822, 1235, 2604, 888, 2036, 3053, 971, 1585, 2439, 2599, 1447, 1773, 984, 261, 3233, 2861, 
	618, 465, 3016, 3081, 1230, 1027, 3177, 459, 3041, 513, 1505, 3410, 3167, 177, 958, 2118, 326, 31, 2663, 
	2026, 2549, 3026, 2364, 1540, 3236, 2644, 4050, 735, 280, 798, 169, 3808, 2384, 3497, 1759, 2415, 3444, 
	1562, 3472, 1151, 1984, 2454, 3167, 1538, 941, 1561, 3071, 845, 2824, 58, 1467, 3807, 2191, 1858, 106, 
	3847, 1326, 3868, 2787, 1624, 795, 3214, 1932, 3496, 457, 2595, 3043, 772, 2436, 2160, 3428, 2005, 2597, 
	1932, 101, 3528, 1698, 3663, 900, 3298, 1872, 1179, 3987, 3695, 3561, 1762, 3785, 3005, 2574, 6, 1524, 
	2738, 1753, 2350, 558, 800, 3782, 722, 886, 2176, 3050, 221, 1925, 564, 1271, 2535, 3113, 1310, 2098, 
	3011, 964, 3281, 6, 1326, 741, 189, 2632, 373, 1176, 548, 64, 1445, 2376, 1524, 2690, 1316, 2304, 1336, 
	2257, 3227, 2542, 3911, 3460
	]

	LTC = np.zeros([n, m], dtype=(int))
	LTC[0,:] = IVK

	for i in range(1, n):
		for j in range(m // n + 1):
			LTC[i,j*n:(j+1)*n] = np.roll(IVK[j*n:(j+1)*n], i)

	for _ in range(5):
		pr(border, "Give me your salt: ")
		SALT = sc()[:-1]
		print(b"["+SALT+b"]", len(SALT))
		SALT = pad(SALT, m // 4)
		MASKED_FLAG = chaffy_mask(SALT, LTC, m, n)
		pr(border, f'masked_flag = {MASKED_FLAG}')

#if __name__ == '__main__':
main()
#输入 00000000000000000000000000000000000000000000000000000000000000001111111111111111111111111111111111111111111111111111111111111111
#得到 加密后的flag,将加密后的flag替换原在本地再运行得到解密后的flag
#| masked_flag = b'415349537b4c6174746963655f62617365645f686173685f636f6c6c6973696f6e5f69745f7761735f736f6f6f6f6f6f6f6f6f6f6f6f6f6f6f5f65617359217d'
#ASIS{Lattice_based_hash_collision_it_was_sooooooooooooooo_easY!}

3,Mariana

远端给出g和p,然后要求输入x满足下式,40次就能得到结果(p,g会不断变大)

pow(g, x, p) - x) % p == 0

#!/usr/bin/env python3

from Crypto.Util.number import *
import sys
from flag import flag

def die(*args):
	pr(*args)
	quit()

def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()

def sc():
	return sys.stdin.buffer.readline()

def main():
	border = "|"
	pr(border*72)
	pr(border, "Welcome to MARIANA cryptography battle, the mission is solving super", border)
	pr(border, "hard special DLP problem in real world, are you ready to fight?     ", border)
	pr(border*72)

	NBIT = 32
	STEP = 40

	pr(border, "In each step solve the given equation and send the solution for x.  ", border)
	c = 1
	while c <= STEP:
		nbit = NBIT * c
		p = getPrime(nbit)
		g = getRandomRange(3, p)
		pr(border, f'p = {p}')
		pr(border, f'g = {g}')
		pr(border, 'Send the solution x = ')
		ans = sc()
		try:
			x = int(ans)
		except:
			die(border, 'Given number is not integer!')
		if x >= p:
			die(border, "Kidding me!? Your solution must be smaller than p :P")
		if (pow(g, x, p) - x) % p == 0:
			if c == STEP:
				die(border, f"Congratz! the flag is: {flag}")
			else:
				pr(border, "Good job, try to solve the next level!")
				c += 1
		else:
			die(border, "Try harder and smarter to find the solution!")

if __name__ == '__main__':
	main()

显然这个式子当x = -p+1时恒成立

pow(g, -p+1, p) -(-p+1) = 1+p-1 = p = 0 (mod p)

交互脚本

from pwn import *

p = remote('65.21.255.31', 32066)

context.log_level = 'debug'

for i in range(40):
    p.recvuntil(b'p = ')
    v = int(p.recvline()[:-1])
    p.sendlineafter(b'Send the solution x = ', str(-v+1).encode())

p.recvall()
p.interactive()

# pow(g, -p+1, p) -(-p+1) = 1+p-1 = p = 0 mod p
#ASIS{fiX3d_pOIn7s_f0r_d!5Cret3_l0g4riThmS!}

4,Mindseat

这题给出n = p*q 是两个素数的积,两个素数又是一个随机数左移后加上一个小素数组成.

p, q = [_p + (getRandomNBitInteger(nbit - k) << k) for _ in '01']

s满足

pow(s, (p - 1) // 2, p) * pow(s, (q - 1) // 2, q) == (p - 1) * (q - 1)

加密算法如下,m是明文,r是一个随机数,flag分段加密

pow(s, m, n) * pow(r, 2 ** k, n) % n

#!/usr/bin/env python3

from Crypto.Util.number import *
from secret import params, flag

def keygen(nbit, k): # Pubkey function
	_p = getPrime(12)
	while True:
		p, q = [_p + (getRandomNBitInteger(nbit - k) << k) for _ in '01']
		if isPrime(p) and isPrime(q):
			while True:
				s = getRandomRange(2, p * q)
				if pow(s, (p - 1) // 2, p) * pow(s, (q - 1) // 2, q) == (p - 1) * (q - 1):
					pubkey = p * q, s
					return pubkey

def encrypt(pubkey, m):
	n, s = pubkey
	r = getRandomRange(2, n)
	return pow(s, m, n) * pow(r, 2 ** k, n) % n

flag = flag.lstrip(b'ASIS{').rstrip(b'}')
nbit, k = params
PUBKEYS = [keygen(nbit, k) for _ in range(4)]
flag = [bytes_to_long(flag[i*8:i*8 + 8]) for i in range(4)]
ENCS = [encrypt(PUBKEYS[_], flag[_]) for _ in range(4)]

print(f'PUBKEYS = {PUBKEYS}')
print(f'ENCS = {ENCS}')

先分解n,由于q很小,k很大通过已知的n可以看到k=262

n = (a*2^k + _q)(b*2^k + _q)

也就是说n的262位以下是 _q^2 再往前262位是a+b,再往前是a*b所以很容易得到p,q

from output import *
from math import sqrt
from z3 import *

sq = [int(sqrt(PUBKEYS[i][0]%(1<<25))) for i in range(4)]
print(sq)
#[3613, 2311, 2423, 2741]

#0x63ff002da2e8fda2db6c5b13ea5ff77985cbe07bf22bd3f1ebffc78279e6a42d59f69ffa2788e967d2c19c0a318fdab0613b7393fb5a79ca58f61851f4ba01f062a1fc97c56b78fc9c67fe4f63d28550e2d9eeeadc4cfb20bffb4172ff0a84000000000000000000000000000000000000000000000000000000000000c72f49
#0x946d1732cbd2511869767516cb7fba7ea2aa3c1b132986553b23c7ac44c1bf0eac8f5a5b9312833cf049c31d3b28b1f1ea6da1b3861c4a26b0c8070d47a10dc6c47c1207d6e38cbc178b738967ac6e61d24e2f2debb0dbd5ca5a09af268783400000000000000000000000000000000000000000000000000000000000517e31
#0x7aa4d4e823d5b8fa8b2c0a40785dcff76b79cd272b7a2829ed160b6a1a74e9f00ad43e286456ce5bfd5ddc5f5b8c0da5be7ec341b66d690f1654c1cc45a84d1a5e285b18fbe8ab72dd1073c4fe986a3857afb4f9ce78142a44e000a660c934400000000000000000000000000000000000000000000000000000000000599551
#0x6fbcc3e3285b255ebe79a7a6959083f12d6e305cc3fb7d46a6ba0522bae6efc20b746dddf8060c6592f128fce1647275858f971d3a86dcc0e7457c02aa53ee25c6658994d497cfd2e29b411bd4c3b1eb6160bf7f6a5a3e7b9e993d3030986e40000000000000000000000000000000000000000000000000000000000072a3f9
k = 262
nbit = 512

p = []
q = []
for i in range(4):
    n = PUBKEYS[i][0]
    p_q = (n>>262) & ((1<<262)-1)
    pq = n>>524
    while p_q % sq[i] != 0:
        p_q += 1<<262
        pq -= 1
    p_q //= sq[i]
    #print(pq,p_q)
    tp,tq = Ints('p q')
    s = Solver()
    s.add(tp*tq == pq)
    s.add(tp + tq == p_q)
    if s.check() == sat:
        d = s.model()
        p.append((d[tp].as_long() << 262) + sq[i])
        q.append((d[tq].as_long() << 262) + sq[i])

print(p,q)

然后wp里根据费马小定理等式两边同乘a次幂,使后边r一项 a*2**k == p-1 所以这一项等于1,然后再求解.,但这个题后边不是1,回头再看网站,已经改了.!!!!!!!!!

c**a = s**(m*a) (mod p) * r**(a*2**k) (mod p)

新的 _p = 1

所以k也变成134位了.

直接记下wp吧

PUBKEYS = [(10342840547250370454282840290754052390564265157174829726645242904324433774727630591803186632486959590968595230902808369991240437077297674551123187830095873, 5179654005441544601140101875149402241567866059199512232495766031194848985776186595289740052214499657697650832860279375151687044465018028876445070588827777), (6015512135462554031390611730578383462516861987731833360559070749140159284050335604168414434218196369921956160353365713819898567416920672209509202941444097, 2116441415129068001049624780654272734931672052541246678702416144768611225693039503554945326959705314527114860312641379671935648337975482830939466425225421), (6396980904648302374999086102690071222661654639262566535518341836426544747072554109709902085144158785649143907600058913175220229111171441332366557866622977, 1760317994074087854211747561546045780795134924237097786412713825282874589650448491771874326890983429137451463523250670379970999252639812107914977960011738), (9158217300815233129401608406766983222991414185115152402477702381950519098200234724856258589693986849049556254969769863821366592458050807400542885348638721, 6564146847894132872802575925374338252984765675686108816080170162797938388434600448954826704720292576935713424103133182090390089661059813982670332877677256)]
ENCS = [4595268033054096192076432659360373235610019564489694608733743330870893803828258295069937060360520598446948290913045781945314108935153236291467160667601985, 3390637292181370684803039833768819598968576813582112632809296088618666221278429695211004046274005776653775480723833818255766663573061866194380012311184611, 5197599582013327040903216369733466147938613487439777125659892779696104407398257678982801768761973934713675657188014051286238194316997970299887749668838196, 5093835186720390391696398671365109925058893544530286148616117890366909889206952477053316867658405460457795493886317792695055944930027477761411273933822112]

def solve_bytes(n, s, c):
    k = 134
    pd = n >> (2*k)
    sm = (n >> k) % 2**k
    a,b=var('a b')
    soln=solve([a+b==sm, a*b==pd],a,b,solution_dict=True)[0]
    a,b=soln[a],soln[b]
    F = GF((int(a) << k) + 1)
    return long_to_bytes((F(c)**a).log(F(s)**a))

print(b'ASIS{' + b''.join(solve_bytes(n, s, c) for (n,s),c in zip(PUBKEYS, ENCS)) + b'}')
#ASIS{N3w_CTF_nEW_Joye_Libert_CrYpt0_5}

这个外国网站看不着提醒,算了.

5,Disinvolute

这个只能吃瓜了,不懂得太多,登录远端会返回加密信息和密文(永远不变,为啥作到远端)

'''
c = pow(m, e, n)
| m = bytes_to_long(flag)
| pow(g, pow(G, x), n) == pow(g, pow(G, y), n)
| Options: 
|       [E]ncrypted flag! 
|       [F]acts 
|       [Q]uit
'''
c = 1601506403989591773329342540148673887033808593664474280274541591029526339627176975720952428888875467494618072333733012958986320642746158451985542361315866468708581197439894328243496518078548108289651666668891686200949248176312870782834122304366842486954178669643514645567704407749484931157888295223916516435
e = 65537
g = 19
G = 7
n = 154721864252384276652749110594681597418427545627414313962134142481683944513379198242121869119804840737168814408529584759498050983491285402607936280312319564891576882086833067341784157062391601155577926035081023142771311907456912421528086454204111282203900742051537866571433611733457194600604020702965221806789
x = 5297125063806540550620242933967423929099531384312034849147884050219792876504764472661152459500895656154589737080485482850483964274509706944584200701601023469633124755311944900217862878323705442017395671106897718862040737552127853408149852319134831620356811161528744829038103086433534433637862663918194454848
y = 1665481728543610185320654190145029953555044189617200897175298751153202745816857042882101149965502743163780852747832302951766708136834105251134618284773610096464308404650971898398384928259390545200306711051698758870643233308561247894207697777704000324368481450184733488666046190144539228247075530921881443765943408

不过这个题后来改了,g=20然后数都变了,才能得到结果

c = 69838756348232600436440737582853070853910308481183021743696789527076449205349105536539318423369106858613478033134087310123430368138391552746628860294530799139057422719585850415094190438415104905376911939830645697377385634633288979728053644009509824233220587315497536883304534301775022007727816755828340122182
e = 65537
g = 20
G = 7
n = 124665070883023572937106955540136465345408425813302600281685996485647666988988477478801104082411997326540269989546569244563157690111665647820811512490673307423078571526304690112690229524061003124826080891040129776319178872282740527965770300334542911201249322652060816904754369424898306489627526484422082367617
x = 20783566349611082116478549880014929522814167396641236473099836166228160580954109312003498744728921612033489484302347031842909041328235839376134667139590386108825406190847764540144017336858635838456282605016467273666349268915542781070127971481334711741717604689701362174612955488681319307975890086432043995636
y = 8003720914996647906950405823029393811860930040073370196046171813959035626312498314524245937383728876781152994757107061023008981745456694282613184055276158962819527107352356616035155414183009955820893012473612276704481979228482630307790687340102964137712007708541744507931295183720460029520356912895579391573240966

#phi(n) = (p-1)(q-1)
#phi(phi(n)) = 1/2 *(p-3)*(q-3) 这个值非常接近n/2 通过分解(y-x)/n来得到 (y-x)/(2*phi(phi(n)))
#然后就得到phi(n)

ratio = (Integer(y-x)/n).n().nearby_rational(max_denominator = 2**64)
phi = int(2*n+(y-x)/ratio-6)//3
d = pow(e, -1, phi)
print(long_to_bytes(int(pow(c, d, n))))
#ASIS{N3s7Ed_DLP_089823341e928d6d87f0e442245d5a765833b575}

6,Desired curve

这是个椭圆曲线问题

给出点乘flag后返回

#!/usr/bin/env sage

import sys
from Crypto.Util.number import *
from flag import flag

def die(*args):
	pr(*args)
	quit()

def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()

def sc():
	return sys.stdin.buffer.readline()

def main():
	border = "|"
	pr(border*72)
	pr(border, "Hi all, now it's time to solve a relatively simple challenge about  ", border)
	pr(border, "relatively elliptic curves! We will generate an elliptic curve with ", border)
	pr(border, "your desired parameters, are you ready!?                            ", border)
	pr(border*72)

	nbit = 256
	q = getPrime(nbit)
	F = GF(q)

	while True:
		pr(border, "Send the `y' element of two points in your desired elliptic curve:  ")
		ans = sc()
		try:
			y1, y2 = [int(_) % q for _ in ans.split(b',')]
		except:
			die(border, "Your parameters are not valid! Bye!!")
		A = (y1**2 - y2**2 - 1337**3 + 31337**3) * inverse(-30000, q) % q
		B = (y1**2 - 1337**3 - A * 1337) % q
		E = EllipticCurve(GF(q), [A, B])
		G = E.random_point()

		m = bytes_to_long(flag)
		assert m < q
		C = m * G
		pr(border, f'The parameters and encrypted flag are:')
		pr(border, f'q = {q}')
		pr(border, f'G = ({G.xy()[0]}, {G.xy()[1]})')
		pr(border, f'm * G = ({C.xy()[0]}, {C.xy()[1]})')

		pr(border, f'Now find the flag :P')

if __name__ == '__main__':
	main()

然后这是原贴的方法,有些改动(本地不能运行)

from pwn import *
from sage.rings.factorint import factor_trial_division
from Crypto.Util.number import long_to_bytes 

sh = remote('65.21.255.31', 10101)

fullres, fullmod = 0, 1
for i in range(100):
    y1, y2 = 0, i
    sh.sendline(f'{y1},{y2}'.encode())
    sh.recvuntil(b'q = ')
    q = int(sh.recvline(False).decode())
    sh.recvuntil(b'G = ')
    G = eval(sh.recvline(False).decode())
    sh.recvuntil(b'm * G = ')
    mG = eval(sh.recvline(False).decode())

    A = (y1**2 - y2**2 - 1337**3 + 31337**3) * inverse_mod(-30000, q) % q
    B = (y1**2 - 1337**3 - A * 1337) % q
    E = EllipticCurve(GF(q), [A, B])
    G, mG = E(G), E(mG)

    order = G.order()
    small = factor_trial_division(order, 2**24)[-1][0]
    mod = order//small

    if fullmod % mod:        
        res = discrete_log(small * mG, small * G, mod, operation='+')
        fullres = crt([res, fullres], [mod, fullmod])
        fullmod = lcm(fullmod, mod)
        ans = long_to_bytes(fullres)
        print(i, ans)

        if ans.startswith(b'ASIS{'):
            break