首页
社区
课程
招聘
[推荐][原创]CTF-RSA常见题型、思路及解法
发表于: 2020-10-29 18:07 19593

[推荐][原创]CTF-RSA常见题型、思路及解法

2020-10-29 18:07
19593

这篇文章是帮助对RSA不熟悉的朋友且需要较为快速、深入的了解RSA而写的

不涉及非常晦涩难懂的数学知识和算法(不过最简单的原理说明还是有的)

攻击方法也是最容易遇到的(RSA的进阶篇除外)

并且所有的例题都是比较新的,甚至还有刚刚结束的比赛的题目

公钥与私钥的产生:

(1)进行加密之前,首先找出2个不同的大质数p和q

(2)计算n=p*q

(3)根据欧拉函数,求得φ(n)=φ(p)φ(q)=(p−1)(q−1)

(4)找出一个公钥e,e要满足: 1<e<φ(n) 的整数,且使e和φ(N)互质。

(5)根据e*d除以φ(n)余数为1,找到私钥d。

(6)所以,公钥就是(n,e) 私钥就是(n,d)

消息加密:

m^e除以n求余数即为c(密文)

消息解密:

c^d除以n求余数即为m(明文)

根据数论,寻求两个大素数比较简单,而将它们的乘积进行因式分解却极其困难,因此可以将乘积公开作为加密密钥

模运算与基本四则运算有些相似,但是除法例外。其规则如下:

在数论,对正整数n,欧拉函数是小于或等于n的正整数中与n互质的数的数目(因此φ(1)=1)

例如φ(8)= 4,因为1,3,5,7均和8互质

若N是质数p的k次幂(即N=p^k),φ(n)=p^k-p^(k-1)=(p-1)p^(k-1)。

设n为正整数,以φ(n)表示不超过n且与n互素的正整数的个数,称为n的欧拉函数值。

若m,n互质,φ(mn)=(m-1)(n-1)=φ(m)φ(n)。

在一次RSA密钥对生成中,假设p=473398607161,q=4511491,e=17
求解出d作为flag提交

题目:

解题:

倒数第二行的gmpy2.powmod也可以用pow函数替代,不过前者比后者的计算速度快很多,之后有道题可以体现出来

自此,我们已经了解了rsa的原理,现在开始进入学习rsa的一些攻击方式

用于已知e,c,m,不是很大的n(小于等于1024),或者n具有缺陷,q和p相差过大或过小

常用分解方法:

如果第一项,和第二项都无法分解,就应该考虑换一种思路了,题目考点应该不是暴力分解

已知一段RSA加密的信息为:0xdc2eeeb2782c且已知加密所用的公钥:

(N=322831561921859 e = 23)

请解密出明文,提交时请将数字转化为ascii码提交

比如你解出的明文是0x6162,那么请提交字符串ab

提交格式:PCTF{明文字符串}

首先整理一下已知条件:

我们已知公钥:

n和e,以及密文c

想要通过密文c来解得明文m需要私钥d

而私钥d需要通过e和phi求出,其中e已知,所以我们只需要知道phi

而phi = (q-1) * (p-1),幸运的是我们知道n = q*p,且q和p都是素数,如果我们能通过n分解出p和q则可以解出这道题目了

得到p = 13574881 , q = 23781539(q和p不涉及其他关系时,p和q的顺序无所谓)

可以从这两句代码看出:

可以知道,q和p相差很小,所以这个n是具有缺陷的,通常有两种攻击方式

分解出来后,是一个简单是数学等式,用z3约束器可以快速求解

(使用yafu分解的攻击方法比较简单,这里就不写了)

openssl genrsa -out prikey

openssl rsa -in prikey -text -modulus

openssl rsa -in prikey -pubout -out pubkey

openssl rsa -in pubkey -text -modulus -pubin

openssl rsautl -encrypt -in filename -inkey pubkey -pubin -out filename

rsautl -decrypt -inkey prikey -in filename

RsaCtfTool.py --createpub -n number -e number > pubkey

RsaCtfTool.py --dumpkey --filename pub.pem

RsaCtfTool.py --publickey pubkey --private

RsaCtfTool.py --publickey pubkey --uncipherfile filename

给了两个文件,message 和 public.key

以及加密脚本

首先打开公钥看看

可以看到e和n非常大,应该考虑Wiener攻击(后面会介绍到)

不过这里主要是介绍和公钥、私钥的交互

所以我们用RsaCtfTool来爆破出私钥

得到了私钥,尝试用openssl解密

却报错了,为什么呢

我们观察题目给出的加密脚本第二行"from Crypto.Cipher import PKCS1_OAEP"

说明这里是用的使用OAEP的填充方式,而解密是也必须指明对应的填充模式

这类题核心解法大体相同,出题人给出有唯一解的q和p的方程,通过解出q,p来解题

大多数简单的数学方程可以用z3约束器快速解出

这道题挺有意思的,在给出的脚本第10行

有两个没见过的函数,通过搜索资料,可以查到相关资料

Derivative,返回参数1函数在参数2点的导数

联系这两点

可以知道

z = Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))

= 1/(1/(1+p^2)) - 1/(1/(1-q^2))

= 1+p^2 + q^2 -1

= p^2 + q^2

又把本题转化成简单的数学问题了

在 RSA 中 e 也称为加密指数。由于 e 是可以随意选取的,选取小一点的 e 可以缩短加密时间(比如 e=2,e=3),但是选取不当的话,就会造成安全问题

由于e很小,当n很大时,m^e也比n小很多.尝试把c开根号看能否得到明文.

题目描述:

When you need really secure communications, you use RSA with a 4096 bit key.

I want really really really secure communications to transmit the nuclear launch codes (yeah IoT is everywhere man) so I used RSA with a 16777216 bit key. Surely russians will not be able to factor that one !

File md5 : 1049a0c83a2e34760363b4ad9778753f

题目给出了n和c,e,不过这个文本文件的大小高达7.4m,要是常规分解的话,估计量子计算机也够呛

不过由于n是16777216 bit的数字,e只有0x10001,所以m^e << n,符合低加密指数分解攻击的条件

这里我们也应该理解到,低加密指数并非指e == 2或e == 3这类,e的数值很小,而是m^e和n的相对大小

公钥e很小,明文m也不大的话,于是m^e=k*n+m 中的的k值很小甚至为0(k==0时,和上一种攻击方式差别不大),爆破k或直接开e次方即可。

我们拿到两个类似rsa加密的式子:

本质上,第一种、第二种攻击方式都是因为e选取的较小而造成的缺陷,那么e选取的非常大是不是就很安全呢?

实际上也不是,当e很大时,就会造成d非常的小,也具有相当大的危险

顾名思义,这是一种针对d很小时的攻击方式

此种攻击方法由Micheal j.Wiener于1989提出,所以也被称为Wiener's attack,该方法基于连分数

该方法在github已有完整可用的代码,之后所有的低解密指数也是利用以上脚本进行的

把大数分解成两个素数很困难,但是求两个大数的公因子很容易

当:

我们可以通过求gcd(n1,n2)来得到a,再通过除法分别求得b和c,从而达到了分解大素数的目的

可以通过gcd(n1,n2)快速求得p1

对同一明文的多次加密使用相同的模数和不同的公钥指数可能导致共模攻击

证明:

当n不变,知道n,e1,e2,c1,c2 可以在不知道d1,d2情况下,解出m。

这道题解出来后是base64加密后的字符串,实际上没有看上去那么简单,这里涉及到base64隐写,不过不是本文的主题,先暂且不管

对于相同的明文,使用相同的指数e和不同的模数n1,n2...ni加密得到i组密文(i>=e),可以使用中国剩余定理解出明文

当已知e,n,可以通过算法快速求得p和q

详细算法见:

https://www.di-mgt.com.au/rsa_factorize_n.html

可以看到,这里的p和q都高达1024bit,基本可以排除暴力分解

这时我们知道e*d,和n,可以尝试已知该算法

rsa加密基本原理

需要严格按照欧拉函数的定义来求解phi

n = p * q * r

那么φ(n) = (q-1) * (p-1) * (r-1)

dp本来是为了加速rsa加解密效率的,不过由于dp和p的关系相当密切,所以当dp泄漏也有相当大的危害

题目给出了密文文件,公钥和破损的私钥文件(这里就不放上来了)

首先读出公钥信息和破损的私钥信息填入以下脚本即可恢复出完整的私钥

解出私钥后,写入到文件中,用openssl解密即可(不过需要注意的是这依然是用oaep的填充方式,需要指明)

这道题e的大致范围已经给出,可以尝试爆破

不过加密脚本的第一行有点坑

(应该是出题人故意)把人误导成base32解密

也是对e爆破,不过我们可以通过这道题来对比pow()函数和gmpy2.powmod()的速度
pow:

3.03s user 0.01s system 99% cpu 3.050 total

gmpy2.powmod

1.30s user 0.00s system 99% cpu 1.310 total

可以看到,gmpy2中的powmod()函数用时不到pow()函数的二分之一,所以以后优先使用gmpy2.powmod()函数

题目给出了A和p,q的关系,一通花里胡哨的运算之后得到A

以我已知的知识想不到什么好的算法

不过可以直接分解n得到p和q

当我们做完这些后,发现题目并没有告知e,盲猜e = 65537,结果正好是

当然平时做题我们还是严谨一点,尝试爆破e

NIST SP800-78 Rev 1 (2007) 曾强调“不允许使用比65537更低的公钥指数e”,但PKCS#1却从未有过类似的建议。e=65537=(2^16+1),其签名/加密运算只需要17次模乘,性能也算不错。65537可以在安全上和性能上做出一个很好的平衡,因此大多数加密的e都默认为65537

可以优先尝试e == 65537,不行再爆破

已知n = q

gift = lcm(q-1,p-1)
= (q-1)*(p-1) // gcd(q-1,p-1)

又因为(q-1)*(p-1) 约等于 q*p = n

gift 约等于 n // gcd(q-1,p-1)

于是可以得出gcd(q-1,p-1) 约等于 n // gift

于是得出gcd(q-1,p-1)约等于8

设k = gcd(q-1,p-1) ( k 约等于8,于是爆破k的取值范围为0<k<10)

最后得到q,p,e,又由于gcd(e,phi) != 1

于是:
new_e = e//2
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
m = gmpy2.iroot(m,2)[0]
m = long_to_bytes(m)

可以求出明文

本题过程大致可以分为三部分:

解得e1和e3

解得hint和q1

解得flag

通过这两句断言:

可以建立两个方程,由于两个e都很小,考虑低加密指数攻击:

解的e1,e2

一个常规的rsa加密,没有明显的缺陷,尝试分解n

得到两个质数

常规的分解

得到完全没用的hint,但是得到了对第三步很有用的q1

乍一看似乎很简单,连n都已经分解好了(这让我想起了NCTF的easyRSA)

一测试,果然gcd(e1,phi1) == gcd(e2,phi2) == 14

既然到这里了,就总结一下e和phi不互素时的解法(下次)

从密文形式可以看出是用的python编写的加密脚本,不过这个脚本又被再次加密,猜想应该是纺射加密,从中挑选了两端话来对比得出a和b

得出a = 3, b = 17

纺射解密后得到加密脚本,如下

进入了rsa解题过程,我们先看最后一个加密,相同的明文,相同的n,不同的e

用共模攻击解出n1来

对于倒数第二段加密,通过这两句代码

解出两组明文,最后通过栅栏解密得到flag

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
#!/usr/bin/python
import gmpy2                        #导入gmpy2库,gmpy2库在rsa解密过程中有很大的作用
p = 473398607161
q = 4511491
e = 17
phi  =  (q-1) * (p-1)               #φ(n)通常也被写作phi
=  gmpy2.invert(e,phi)           #通过e和phi求d
print(d)
#!/usr/bin/python
import gmpy2                        #导入gmpy2库,gmpy2库在rsa解密过程中有很大的作用
p = 473398607161
q = 4511491
e = 17
phi  =  (q-1) * (p-1)               #φ(n)通常也被写作phi
=  gmpy2.invert(e,phi)           #通过e和phi求d
print(d)
Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm.
 
p =  9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q =  11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e =  65537
c =  83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
 
Use RSA to find the secret message
Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm.
 
p =  9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q =  11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e =  65537
c =  83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
 
Use RSA to find the secret message
#!/usr/bin/python
import gmpy2
 
p =  9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q =  11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e =  65537
c =  83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
n = q*p
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(m)
#!/usr/bin/python
import gmpy2
 
p =  9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q =  11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e =  65537
c =  83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
n = q*p
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(m)
 
 
 
 
 
 
 
 
 
 
 
factordb n
factordb n
#!/usr/bin/python
from Crypto.Util.number import long_to_bytes
import gmpy2
 
p =  13574881
q = 23781539
n = q*p
e = 23
c = 0xdc2eeeb2782c
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
m = long_to_bytes(m)        #把整数依照asc码转化成字符串
print(m)
#!/usr/bin/python
from Crypto.Util.number import long_to_bytes
import gmpy2
 
p =  13574881
q = 23781539
n = q*p
e = 23
c = 0xdc2eeeb2782c
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
m = long_to_bytes(m)        #把整数依照asc码转化成字符串
print(m)
import hashlib
import sympy
from Crypto.Util.number import *
 
flag = 'GWHT{******}'
secret = '******'
 
assert(len(flag) == 38)
 
half = len(flag) / 2
 
flag1 = flag[:half]
flag2 = flag[half:]
 
secret_num = getPrime(1024) * bytes_to_long(secret)
 
p = sympy.nextprime(secret_num)
q = sympy.nextprime(p)
 
N = p * q
 
e = 0x10001
 
F1 = bytes_to_long(flag1)
F2 = bytes_to_long(flag2)
 
c1 = F1 + F2
c2 = pow(F1, 3) + pow(F2, 3)
assert(c2 < N)
 
m1 = pow(c1, e, N)
m2 = pow(c2, e, N)
 
output = open('secret', 'w')
output.write('N=' + str(N) + '\n')
output.write('m1=' + str(m1) + '\n')
output.write('m2=' + str(m2) + '\n')
output.close()
import hashlib
import sympy
from Crypto.Util.number import *
 
flag = 'GWHT{******}'
secret = '******'
 
assert(len(flag) == 38)
 
half = len(flag) / 2
 
flag1 = flag[:half]
flag2 = flag[half:]
 
secret_num = getPrime(1024) * bytes_to_long(secret)
 
p = sympy.nextprime(secret_num)
q = sympy.nextprime(p)
 
N = p * q
 
e = 0x10001
 
F1 = bytes_to_long(flag1)
F2 = bytes_to_long(flag2)
 
c1 = F1 + F2
c2 = pow(F1, 3) + pow(F2, 3)
assert(c2 < N)
 
m1 = pow(c1, e, N)
m2 = pow(c2, e, N)
 
output = open('secret', 'w')
output.write('N=' + str(N) + '\n')
output.write('m1=' + str(m1) + '\n')
output.write('m2=' + str(m2) + '\n')
output.close()
p = sympy.nextprime(secret_num)
q = sympy.nextprime(p)
p = sympy.nextprime(secret_num)
q = sympy.nextprime(p)
 
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import isPrime,long_to_bytes
from z3 import *
 
N = 636585149594574746909030160182690866222909256464847291783000651837227921337237899651287943597773270944384034858925295744880727101606841413640006527614873110651410155893776548737823152943797884729130149758279127430044739254000426610922834573094957082589539445610828279428814524313491262061930512829074466232633130599104490893572093943832740301809630847541592548921200288222432789208650949937638303429456468889100192613859073752923812454212239908948930178355331390933536771065791817643978763045030833712326162883810638120029378337092938662174119747687899484603628344079493556601422498405360731958162719296160584042671057160241284852522913676264596201906163
e = 65537
 
cc1 = 90009974341452243216986938028371257528604943208941176518717463554774967878152694586469377765296113165659498726012712288670458884373971419842750929287658640266219686646956929872115782173093979742958745121671928568709468526098715927189829600497283118051641107305128852697032053368115181216069626606165503465125725204875578701237789292966211824002761481815276666236869005129138862782476859103086726091860497614883282949955023222414333243193268564781621699870412557822404381213804026685831221430728290755597819259339616650158674713248841654338515199405532003173732520457813901170264713085107077001478083341339002069870585378257051150217511755761491021553239
cc2 = 487443985757405173426628188375657117604235507936967522993257972108872283698305238454465723214226871414276788912058186197039821242912736742824080627680971802511206914394672159240206910735850651999316100014691067295708138639363203596244693995562780286637116394738250774129759021080197323724805414668042318806010652814405078769738548913675466181551005527065309515364950610137206393257148357659666687091662749848560225453826362271704292692847596339533229088038820532086109421158575841077601268713175097874083536249006018948789413238783922845633494023608865256071962856581229890043896939025613600564283391329331452199062858930374565991634191495137939574539546
 
r = gmpy2.iroot(N,2)[0]
 
for i in range(r,N):
    if isPrime(i):
        if N % i == 0:
            p = i
            q = N // i
            break
 
phi = (p-1) * (q-1)
d = gmpy2.invert(e,phi)
a = gmpy2.powmod(cc1,d,N)
b = gmpy2.powmod(cc2,d,N)
 
#a = 2732509502629189160482346120094198557857912754
#b = 5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554
 
s = Solver()
c1, c2 = Ints('c1 c2')
s.add(c1 + c2 == 2732509502629189160482346120094198557857912754)
s.add(c1**3 + c2**3 == 5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554)
if s.check() == sat:
    m1 = (s.model()[c1]).as_long()
    m2 = (s.model()[c2]).as_long()
 
m1 = str(long_to_bytes(m1))[2:-1]
m2 = str(long_to_bytes(m2))[2:-1]
m = m1 + m2
print(m)
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import isPrime,long_to_bytes
from z3 import *
 
N = 636585149594574746909030160182690866222909256464847291783000651837227921337237899651287943597773270944384034858925295744880727101606841413640006527614873110651410155893776548737823152943797884729130149758279127430044739254000426610922834573094957082589539445610828279428814524313491262061930512829074466232633130599104490893572093943832740301809630847541592548921200288222432789208650949937638303429456468889100192613859073752923812454212239908948930178355331390933536771065791817643978763045030833712326162883810638120029378337092938662174119747687899484603628344079493556601422498405360731958162719296160584042671057160241284852522913676264596201906163
e = 65537
 
cc1 = 90009974341452243216986938028371257528604943208941176518717463554774967878152694586469377765296113165659498726012712288670458884373971419842750929287658640266219686646956929872115782173093979742958745121671928568709468526098715927189829600497283118051641107305128852697032053368115181216069626606165503465125725204875578701237789292966211824002761481815276666236869005129138862782476859103086726091860497614883282949955023222414333243193268564781621699870412557822404381213804026685831221430728290755597819259339616650158674713248841654338515199405532003173732520457813901170264713085107077001478083341339002069870585378257051150217511755761491021553239
cc2 = 487443985757405173426628188375657117604235507936967522993257972108872283698305238454465723214226871414276788912058186197039821242912736742824080627680971802511206914394672159240206910735850651999316100014691067295708138639363203596244693995562780286637116394738250774129759021080197323724805414668042318806010652814405078769738548913675466181551005527065309515364950610137206393257148357659666687091662749848560225453826362271704292692847596339533229088038820532086109421158575841077601268713175097874083536249006018948789413238783922845633494023608865256071962856581229890043896939025613600564283391329331452199062858930374565991634191495137939574539546
 
r = gmpy2.iroot(N,2)[0]
 
for i in range(r,N):
    if isPrime(i):
        if N % i == 0:
            p = i
            q = N // i
            break
 
phi = (p-1) * (q-1)
d = gmpy2.invert(e,phi)
a = gmpy2.powmod(cc1,d,N)
b = gmpy2.powmod(cc2,d,N)
 
#a = 2732509502629189160482346120094198557857912754
#b = 5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554
 
s = Solver()
c1, c2 = Ints('c1 c2')
s.add(c1 + c2 == 2732509502629189160482346120094198557857912754)
s.add(c1**3 + c2**3 == 5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554)
if s.check() == sat:
    m1 = (s.model()[c1]).as_long()
    m2 = (s.model()[c2]).as_long()
 
m1 = str(long_to_bytes(m1))[2:-1]
m2 = str(long_to_bytes(m2))[2:-1]
m = m1 + m2
print(m)
usage: genrsa [args] [numbits]                       //密钥位数,建议1024及以上
-out file       output the key to file             //生成的密钥文件,可从中提取公钥
usage: genrsa [args] [numbits]                       //密钥位数,建议1024及以上
-out file       output the key to file             //生成的密钥文件,可从中提取公钥
rsa [options] <infile >outfile
-inform arg     input format - one of DER NET PEM                      //输入文件格式,默认pem格式
-outform arg    output format - one of DER NET PEM                     //输入文件格式,默认pem格式
-in arg         input file                                             //输入文件
-passin arg     input file pass phrase source                          //指定输入文件的加密口令,可来自文件、终端、环境变量等
-out arg        output file                                            //输出文件
-passout arg    output file pass phrase source                         //指定输出文件的加密口令,可来自文件、终端、环境变量等
-des            encrypt PEM output with cbc des                        //使用des加密输出的文件
-des3           encrypt PEM output with ede cbc des using 168 bit key  //使用des3加密输出的文件
-seed           encrypt PEM output with cbc seed                       //使用seed加密输出的文件
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes                        //使用aes加密输出的文件
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia                   //使用camellia加密输出的文件呢
-text           print the key in text                                  //以明文形式输出各个参数值
-noout          don't print key out                                    //不输出密钥到任何文件
-modulus        print the RSA key modulus                              //输出模数指
-check          verify key consistency                                 //检查输入密钥的正确性和一致性
-pubin          expect a public key in input file                      //指定输入文件是公钥
-pubout         output a public key                                    //指定输出文件是公钥
-engine e       use engine e, possibly a hardware device.              //指定三方加密库或者硬件
rsa [options] <infile >outfile
-inform arg     input format - one of DER NET PEM                      //输入文件格式,默认pem格式
-outform arg    output format - one of DER NET PEM                     //输入文件格式,默认pem格式
-in arg         input file                                             //输入文件
-passin arg     input file pass phrase source                          //指定输入文件的加密口令,可来自文件、终端、环境变量等
-out arg        output file                                            //输出文件
-passout arg    output file pass phrase source                         //指定输出文件的加密口令,可来自文件、终端、环境变量等
-des            encrypt PEM output with cbc des                        //使用des加密输出的文件
-des3           encrypt PEM output with ede cbc des using 168 bit key  //使用des3加密输出的文件
-seed           encrypt PEM output with cbc seed                       //使用seed加密输出的文件
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes                        //使用aes加密输出的文件
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia                   //使用camellia加密输出的文件呢
-text           print the key in text                                  //以明文形式输出各个参数值
-noout          don't print key out                                    //不输出密钥到任何文件
-modulus        print the RSA key modulus                              //输出模数指
-check          verify key consistency                                 //检查输入密钥的正确性和一致性
-pubin          expect a public key in input file                      //指定输入文件是公钥
-pubout         output a public key                                    //指定输出文件是公钥
-engine e       use engine e, possibly a hardware device.              //指定三方加密库或者硬件
Usage: rsautl [options]
-in file        input file                                           //输入文件
-out file       output file                                          //输出文件
-inkey file     input key                                            //输入的密钥
-keyform arg    private key format - default PEM                     //指定密钥格式
-pubin          input is an RSA public                               //指定输入的是RSA公钥
-certin         input is a certificate carrying an RSA public key    //指定输入的是证书文件
-ssl            use SSL v2 padding                                   //使用SSLv23的填充方式
-raw            use no padding                                       //不进行填充
-pkcs           use PKCS#1 v1.5 padding (default)                    //使用V1.5的填充方式
-oaep           use PKCS#1 OAEP                                      //使用OAEP的填充方式
-sign           sign with private key                                //使用私钥做签名
-verify         verify with public key                               //使用公钥认证签名
-encrypt        encrypt with public key                              //使用公钥加密
-decrypt        decrypt with private key                             //使用私钥解密
-hexdump        hex dump output                                      //16进制dump输出
-engine e       use engine e, possibly a hardware device.            //指定三方库或者硬件设备
-passin arg    pass phrase source                                    //指定输入的密码
Usage: rsautl [options]
-in file        input file                                           //输入文件
-out file       output file                                          //输出文件
-inkey file     input key                                            //输入的密钥
-keyform arg    private key format - default PEM                     //指定密钥格式
-pubin          input is an RSA public                               //指定输入的是RSA公钥
-certin         input is a certificate carrying an RSA public key    //指定输入的是证书文件
-ssl            use SSL v2 padding                                   //使用SSLv23的填充方式
-raw            use no padding                                       //不进行填充
-pkcs           use PKCS#1 v1.5 padding (default)                    //使用V1.5的填充方式
-oaep           use PKCS#1 OAEP                                      //使用OAEP的填充方式
-sign           sign with private key                                //使用私钥做签名
-verify         verify with public key                               //使用公钥认证签名
-encrypt        encrypt with public key                              //使用公钥加密
-decrypt        decrypt with private key                             //使用私钥解密
-hexdump        hex dump output                                      //16进制dump输出
-engine e       use engine e, possibly a hardware device.            //指定三方库或者硬件设备
-passin arg    pass phrase source                                    //指定输入的密码
usage: RsaCtfTool.py [-h] [--publickey PUBLICKEY] [--timeout TIMEOUT]
[--createpub] [--dumpkey] [--ext]
[--uncipherfile UNCIPHERFILE] [--uncipher UNCIPHER]
[--verbosity {CRITICAL,ERROR,WARNING,DEBUG,INFO}]
[--private] [--ecmdigits ECMDIGITS] [-n N] [-p P] [-q Q]
[-e E] [--key KEY]
[--attack ]
usage: RsaCtfTool.py [-h] [--publickey PUBLICKEY] [--timeout TIMEOUT]
[--createpub] [--dumpkey] [--ext]
[--uncipherfile UNCIPHERFILE] [--uncipher UNCIPHER]
[--verbosity {CRITICAL,ERROR,WARNING,DEBUG,INFO}]
[--private] [--ecmdigits ECMDIGITS] [-n N] [-p P] [-q Q]
[-e E] [--key KEY]
[--attack ]
 
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from secret import flag
import os
rsa = RSA.generate(2048)
public_key = rsa.publickey().exportKey()
f=open("public.key","w")
f.write(public_key.decode())
f.close()
 
rsakey=RSA.importKey(open("public.key","r").read())
rsa = PKCS1_OAEP.new(rsakey)
msg=rsa.encrypt(flag.encode())
f=open("message","wb")
f.write(msg)
f.close()
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from secret import flag
import os
rsa = RSA.generate(2048)
public_key = rsa.publickey().exportKey()
f=open("public.key","w")
f.write(public_key.decode())
f.close()
 
rsakey=RSA.importKey(open("public.key","r").read())
rsa = PKCS1_OAEP.new(rsakey)
msg=rsa.encrypt(flag.encode())
f=open("message","wb")
f.write(msg)
f.close()
openssl rsa -in public.key -pubin -modulus -text
openssl rsa -in public.key -pubin -modulus -text
Modulus:
00:c2:07:45:22:3f:f5:b9:4b:2c:d8:41:21:66:f7:
28:8a:21:f2:18:7e:1a:42:14:53:91:8c:ab:03:c8:
02:53:45:12:33:eb:1b:dc:23:63:74:42:28:aa:86:
94:a8:c2:cb:c8:33:f8:0d:df:40:83:1a:68:90:1b:
23:0b:83:f3:f0:fe:d4:b7:2d:0b:94:2b:5e:95:de:
da:c8:dc:c0:04:7a:2a:fb:90:c8:1e:d7:2d:3a:d4:
9b:72:fc:8b:d0:d3:16:7d:dd:aa:6a:b5:16:7c:05:
8d:f3:6a:f1:90:b2:16:08:5b:bd:9d:62:1f:9b:d2:
3a:09:3e:4e:3d:9c:c3:87:b6:27:4f:2c:33:9c:88:
e1:b2:d9:08:ac:b3:3f:4e:20:e6:47:ab:ee:07:14:
a3:cc:e4:64:6e:89:62:94:b7:81:03:dc:c9:a4:db:
7e:d6:81:16:4c:6e:6c:c7:fd:33:47:6e:17:4a:6c:
70:70:37:b2:50:49:13:65:f9:f0:eb:76:ae:ab:a0:
7d:b2:f6:62:d8:80:48:af:98:c8:8c:76:c6:71:0d:
b9:65:8d:49:fc:a0:ca:f1:f5:cd:99:dc:07:f1:88:
43:2b:48:f8:55:71:16:8a:d1:0f:c8:24:b7:b6:82:
ba:d6:ca:a5:d1:2f:f6:f0:4c:92:78:6b:73:8a:b1:
9b:b7
Exponent:
1d:2d:2f:1f:17:3f:81:cf:36:8f:ec:06:d4:0d:47:
fd:92:f8:61:5c:12:ee:c1:41:68:f2:88:42:79:52:
b8:cf:5a:53:8f:70:ba:33:41:b6:a1:73:ae:80:37:
5a:96:b0:d3:84:d9:72:2b:19:14:9f:78:94:73:75:
e0:a3:3d:f5:e6:93:ed:ab:d5:e4:d4:4c:ff:a9:e5:
25:ea:01:4f:3f:a4:99:b5:f7:b2:9b:21:9d:90:b8:
8d:a5:5a:ae:3a:08:63:73:38:d7:be:d0:56:e3:ae:
c5:75:be:56:bb:de:53:4b:35:5a:2e:77:57:db:7a:
ec:a9:6e:78:d6:7f:21:53:0b:7c:3e:c2:4a:c6:1f:
9b:47:4a:b2:83:22:0d:d9:54:51:35:d0:65:a7:24:
ce:2f:8f:44:e3:2e:46:0e:ef:5f:99:58:00:9c:58:
af:59:51:93:d7:7e:72:c2:5f:0c:b0:15:05:b9:93:
c1:35:32:8b:11:b5:00:dc:ab:c9:55:c9:17:7f:83:
9d:d0:43:58:6e:25:a3:13:35:e7:d5:43:7d:c9:e6:
cd:6d:4e:be:cb:29:37:e1:60:26:c2:79:2e:17:45:
f4:4e:ed:54:11:be:aa:b5:5e:d0:90:5d:b9:19:8c:
bd:43:11:11:be:87:46:2f:46:36:9e:31:d1:a4:61:
3f
Modulus:
00:c2:07:45:22:3f:f5:b9:4b:2c:d8:41:21:66:f7:
28:8a:21:f2:18:7e:1a:42:14:53:91:8c:ab:03:c8:
02:53:45:12:33:eb:1b:dc:23:63:74:42:28:aa:86:
94:a8:c2:cb:c8:33:f8:0d:df:40:83:1a:68:90:1b:
23:0b:83:f3:f0:fe:d4:b7:2d:0b:94:2b:5e:95:de:
da:c8:dc:c0:04:7a:2a:fb:90:c8:1e:d7:2d:3a:d4:
9b:72:fc:8b:d0:d3:16:7d:dd:aa:6a:b5:16:7c:05:
8d:f3:6a:f1:90:b2:16:08:5b:bd:9d:62:1f:9b:d2:
3a:09:3e:4e:3d:9c:c3:87:b6:27:4f:2c:33:9c:88:
e1:b2:d9:08:ac:b3:3f:4e:20:e6:47:ab:ee:07:14:
a3:cc:e4:64:6e:89:62:94:b7:81:03:dc:c9:a4:db:
7e:d6:81:16:4c:6e:6c:c7:fd:33:47:6e:17:4a:6c:
70:70:37:b2:50:49:13:65:f9:f0:eb:76:ae:ab:a0:
7d:b2:f6:62:d8:80:48:af:98:c8:8c:76:c6:71:0d:
b9:65:8d:49:fc:a0:ca:f1:f5:cd:99:dc:07:f1:88:
43:2b:48:f8:55:71:16:8a:d1:0f:c8:24:b7:b6:82:
ba:d6:ca:a5:d1:2f:f6:f0:4c:92:78:6b:73:8a:b1:
9b:b7
Exponent:
1d:2d:2f:1f:17:3f:81:cf:36:8f:ec:06:d4:0d:47:
fd:92:f8:61:5c:12:ee:c1:41:68:f2:88:42:79:52:
b8:cf:5a:53:8f:70:ba:33:41:b6:a1:73:ae:80:37:
5a:96:b0:d3:84:d9:72:2b:19:14:9f:78:94:73:75:
e0:a3:3d:f5:e6:93:ed:ab:d5:e4:d4:4c:ff:a9:e5:
25:ea:01:4f:3f:a4:99:b5:f7:b2:9b:21:9d:90:b8:
8d:a5:5a:ae:3a:08:63:73:38:d7:be:d0:56:e3:ae:
c5:75:be:56:bb:de:53:4b:35:5a:2e:77:57:db:7a:
ec:a9:6e:78:d6:7f:21:53:0b:7c:3e:c2:4a:c6:1f:
9b:47:4a:b2:83:22:0d:d9:54:51:35:d0:65:a7:24:
ce:2f:8f:44:e3:2e:46:0e:ef:5f:99:58:00:9c:58:
af:59:51:93:d7:7e:72:c2:5f:0c:b0:15:05:b9:93:
c1:35:32:8b:11:b5:00:dc:ab:c9:55:c9:17:7f:83:
9d:d0:43:58:6e:25:a3:13:35:e7:d5:43:7d:c9:e6:
cd:6d:4e:be:cb:29:37:e1:60:26:c2:79:2e:17:45:
f4:4e:ed:54:11:be:aa:b5:5e:d0:90:5d:b9:19:8c:
bd:43:11:11:be:87:46:2f:46:36:9e:31:d1:a4:61:
3f
 
 
python RsaCtfTool.py --publickey public.key --private >> pri.key
python RsaCtfTool.py --publickey public.key --private >> pri.key
openssl rsautl -decrypt  -in message -inkey pri.key
openssl rsautl -decrypt  -in message -inkey pri.key
 
 
openssl rsautl -decrypt -oaep -in message -inkey pri.key
openssl rsautl -decrypt -oaep -in message -inkey pri.key
p+q : 0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
(p+1)(q+1) : 0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e : 0xe6b1bee47bd63f615c7d0a43c529d219
d : 0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
enc_flag : 0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
p+q : 0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
(p+1)(q+1) : 0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e : 0xe6b1bee47bd63f615c7d0a43c529d219
d : 0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
enc_flag : 0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
 
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
from z3 import *
 
tmp1 = 0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
tmp2 = 0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e = 0xe6b1bee47bd63f615c7d0a43c529d219
d = 0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
c = 0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
 
s = Solver()
p,q = Ints('p q')
s.add(p+q == tmp1)
s.add((p+1) * (q+1) == tmp2)
assert s.check() == sat
p = s.model()[p].as_long()
q = s.model()[q].as_long()
n = q*p
 
phi = (p-1) * (q-1)
 
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(long_to_bytes(m))
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
from z3 import *
 
tmp1 = 0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
tmp2 = 0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e = 0xe6b1bee47bd63f615c7d0a43c529d219
d = 0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
c = 0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
 
s = Solver()
p,q = Ints('p q')
s.add(p+q == tmp1)
s.add((p+1) * (q+1) == tmp2)
assert s.check() == sat
p = s.model()[p].as_long()
q = s.model()[q].as_long()
n = q*p
 
phi = (p-1) * (q-1)
 
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(long_to_bytes(m))
from Crypto.Util.number import getPrime,bytes_to_long
from sympy import Derivative
from fractions import Fraction
from secret import flag
 
p=getPrime(1024)
q=getPrime(1024)
e=65537
n=p*q
z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))
m=bytes_to_long(flag)
c=pow(m,e,n)
print(c,z,n)
'''
output:
7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
 
'''
from Crypto.Util.number import getPrime,bytes_to_long
from sympy import Derivative
from fractions import Fraction
from secret import flag
 
p=getPrime(1024)
q=getPrime(1024)
e=65537
n=p*q
z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))
m=bytes_to_long(flag)
c=pow(m,e,n)
print(c,z,n)
'''
output:
7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
 
'''
 
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
from z3 import *
 
c = 7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
z = 32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
n = 15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
e=65537
 
s = Solver()
a,b = Ints('a b')
s.add( a*b == 15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441)
s.add( a**2 + b**2 == 32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482)
s.add(0 < a, 0 < b)
 
if s.check() == sat:
    q = s.model()[a].as_long()
    p = s.model()[b].as_long()
 
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(long_to_bytes(m))
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
from z3 import *
 
c = 7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
z = 32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
n = 15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
e=65537
 
s = Solver()
a,b = Ints('a b')
s.add( a*b == 15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441)
s.add( a**2 + b**2 == 32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482)
s.add(0 < a, 0 < b)
 
if s.check() == sat:
    q = s.model()[a].as_long()
    p = s.model()[b].as_long()
 
phi = (q-1) * (p-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
print(long_to_bytes(m))
 
 
 
 
 
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
 
e = 0x10001
 
f = open("./out.txt","r")
data = f.read()
data = int(data,16)
 
m = gmpy2.iroot(data,e)[0]
print(long_to_bytes(m))
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
 
e = 0x10001
 
f = open("./out.txt","r")
data = f.read()
data = int(data,16)
 
m = gmpy2.iroot(data,e)[0]
print(long_to_bytes(m))
from data import e1,e2,p,q1p,q1q,hint,flag
ee1 = 42
ee2 = 3
ce1 =  45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 =  13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp =  864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
=  15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
assert(pow(e1,ee1,n)==ce1)          #断言,括号里的等式恒成立
assert(pow(e2+tmp,ee2,n)==ce2)
from data import e1,e2,p,q1p,q1q,hint,flag
ee1 = 42
ee2 = 3
ce1 =  45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 =  13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp =  864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
=  15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
assert(pow(e1,ee1,n)==ce1)          #断言,括号里的等式恒成立
assert(pow(e2+tmp,ee2,n)==ce2)
#!/usr/bin/python
import gmpy2
 
ee1 = 42
ee2 = 3
ce1 =  45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 =  13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
=  15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
tmp =  864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
 
#--------find e1--------
for k in range(200000000):
    c = k*n + ce1
    if gmpy2.iroot(c,ee1)[1]:
    e1 = gmpy2.iroot(c,ee1)[0]
    break
#---------check e1-----
if ce1 == gmpy2.powmod(e1,ee1,n):
    print("e1 = %d"%e1)
 
#--------find e2--------
for k in range(1000000):
    c = k*n + ce2
    if gmpy2.iroot(c,3)[1]:
    m = gmpy2.iroot(c,3)[0]
    e2 = m - tmp
    break
#---------check e2-----
if ce2 == gmpy2.powmod((e2+tmp),3,n):
    print("e2 = %d"%e2)
#!/usr/bin/python
import gmpy2
 
ee1 = 42
ee2 = 3
ce1 =  45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2 =  13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
=  15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
tmp =  864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
 
#--------find e1--------
for k in range(200000000):
    c = k*n + ce1
    if gmpy2.iroot(c,ee1)[1]:
    e1 = gmpy2.iroot(c,ee1)[0]
    break
#---------check e1-----
if ce1 == gmpy2.powmod(e1,ee1,n):
    print("e1 = %d"%e1)
 
#--------find e2--------
for k in range(1000000):
    c = k*n + ce2
    if gmpy2.iroot(c,3)[1]:
    m = gmpy2.iroot(c,3)[0]
    e2 = m - tmp
    break
#---------check e2-----
if ce2 == gmpy2.powmod((e2+tmp),3,n):
    print("e2 = %d"%e2)
e1 = 15218928658178
e2 = 381791429275130
e1 = 15218928658178
e2 = 381791429275130
 
 
 
N = 101991809777553253470276751399264740131157682329252673501792154507006158434432009141995367241962525705950046253400188884658262496534706438791515071885860897552736656899566915731297225817250639873643376310103992170646906557242832893914902053581087502512787303322747780420210884852166586717636559058152544979471
e = 46731919563265721307105180410302518676676135509737992912625092976849075262192092549323082367518264378630543338219025744820916471913696072050291990620486581719410354385121760761374229374847695148230596005409978383369740305816082770283909611956355972181848077519920922059268376958811713365106925235218265173085
 
import hashlib
flag = "flag{" + hashlib.md5(hex(d)).hexdigest() + "}"
N = 101991809777553253470276751399264740131157682329252673501792154507006158434432009141995367241962525705950046253400188884658262496534706438791515071885860897552736656899566915731297225817250639873643376310103992170646906557242832893914902053581087502512787303322747780420210884852166586717636559058152544979471
e = 46731919563265721307105180410302518676676135509737992912625092976849075262192092549323082367518264378630543338219025744820916471913696072050291990620486581719410354385121760761374229374847695148230596005409978383369740305816082770283909611956355972181848077519920922059268376958811713365106925235218265173085
 
import hashlib
flag = "flag{" + hashlib.md5(hex(d)).hexdigest() + "}"
#!/usr/bin/python2
 
import gmpy2
from Crypto.PublicKey import RSA
import ContinuedFractions, Arithmetic
from Crypto.Util.number import long_to_bytes
 
def wiener_hack(e, n):
frac = ContinuedFractions.rational_to_contfrac(e, n)
convergents = ContinuedFractions.convergents_from_contfrac(frac)
for (k, d) in convergents:
if k != 0 and (e * d - 1) % k == 0:
phi = (e * d - 1) // k
s = n - phi + 1
discr = s * s - 4 * n
if (discr >= 0):
t = Arithmetic.is_perfect_square(discr)
if t != -1 and (s + t) % 2 == 0:
print("Hacked!")
return d
return False
def main():
n = int(input("input the n :\n"))
e = int(input("input the e :\n"))
 
d = wiener_hack(e, n)
print(d)
if __name__=="__main__":
main()
#!/usr/bin/python2
 
import gmpy2
from Crypto.PublicKey import RSA
import ContinuedFractions, Arithmetic
from Crypto.Util.number import long_to_bytes
 
def wiener_hack(e, n):
frac = ContinuedFractions.rational_to_contfrac(e, n)
convergents = ContinuedFractions.convergents_from_contfrac(frac)
for (k, d) in convergents:
if k != 0 and (e * d - 1) % k == 0:
phi = (e * d - 1) // k
s = n - phi + 1
discr = s * s - 4 * n
if (discr >= 0):
t = Arithmetic.is_perfect_square(discr)
if t != -1 and (s + t) % 2 == 0:
print("Hacked!")
return d
return False
def main():
n = int(input("input the n :\n"))
e = int(input("input the e :\n"))
 
d = wiener_hack(e, n)
print(d)
if __name__=="__main__":
main()
 
p1 = get_a_prime(128)
p2 = get_a_prime(128)
p3 = get_a_prime(128)
n1 = p1*p2
n2 = p1*p3
e = 0x1001
c1 = encrypt(msg1, e, n1)
c2 = encrypt(msg2, e, n2)
print(c1)
print(c2)
p1 = get_a_prime(128)
p2 = get_a_prime(128)
p3 = get_a_prime(128)
n1 = p1*p2
n2 = p1*p3
e = 0x1001
c1 = encrypt(msg1, e, n1)
c2 = encrypt(msg2, e, n2)
print(c1)
print(c2)
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes,isPrime
n1 = 2499586809914462821807624371088011200618603528498132509598946284572455726453497171635086810524607288333625665025664872216634366700044105279185519761587818169021167370991396691510275499486673922916370294043072503635630922980240462022218565365191228535222150496387990987123639567257124081274667568443678527637259644488779394704508217357758791670308548246801142468699716221789070607334747835552167450340441488756779323653879402176647890584656379628685893686585469918686253137796663587854943386347039389769790329948165162483370187914412810153613198247569427480466488647563900948387020677830797976534568626241686906738179
n2 = 7741603029707932330739678982394275613217057249691533148704382574439895657047911501600910571360188397109729289277796711334388156202412769743785164713243932001078475541271281825859671767783178037363138683152051263779907568124470598237502689045677891605285193637790880045372303913424654655825837641694318544209980415256180296972066060073206323473960669679401950151966003026531573962072358852304635671658878866030003484715256388556599713638695448516673643703041094737763957937855870992247472296348887788212823714735080211059688680618314050267995177478035769912691185787944037050674163079867101586607780761245261558200843
n3 = 9895571060693703887018268413746107679094703478067972087862851570192520012058188062485476484700707994684397704099884436398099581319015589480235346899990863625919087077906193223937343450727301243043576326163300258770936289423785376338765758863453745278516208013244068358484113062931878984339475569902332075509121153749576470546863477142562563573654198332099438611713385318497180237117792417826080724886477023904678472464557511959911739272258202310963925049222305927992349171516332320267610895787011879250778522843808895509894741144901052000573058315131265960606119769594234837973757057319170067823816025499647517874841
c1 = 0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2 = 0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
 
p1 = gmpy2.gcd(n1,n2)
p2 = n1//p1
p3 = n2//p1
 
assert isPrime(p1)          //检查这三个数是否为素数
assert isPrime(p2)
assert isPrime(p3)
 
e = 0x1001
phi1 = (p1-1) * (p2-1)
phi2 = (p1-1) * (p3-1)
 
d1 = gmpy2.invert(e,phi1)
d2 = gmpy2.invert(e,phi2)
 
m1 = gmpy2.powmod(c1,d1,n1)
m2 = gmpy2.powmod(c2,d2,n2)
print(long_to_bytes(m1))
print(long_to_bytes(m2))
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes,isPrime
n1 = 2499586809914462821807624371088011200618603528498132509598946284572455726453497171635086810524607288333625665025664872216634366700044105279185519761587818169021167370991396691510275499486673922916370294043072503635630922980240462022218565365191228535222150496387990987123639567257124081274667568443678527637259644488779394704508217357758791670308548246801142468699716221789070607334747835552167450340441488756779323653879402176647890584656379628685893686585469918686253137796663587854943386347039389769790329948165162483370187914412810153613198247569427480466488647563900948387020677830797976534568626241686906738179
n2 = 7741603029707932330739678982394275613217057249691533148704382574439895657047911501600910571360188397109729289277796711334388156202412769743785164713243932001078475541271281825859671767783178037363138683152051263779907568124470598237502689045677891605285193637790880045372303913424654655825837641694318544209980415256180296972066060073206323473960669679401950151966003026531573962072358852304635671658878866030003484715256388556599713638695448516673643703041094737763957937855870992247472296348887788212823714735080211059688680618314050267995177478035769912691185787944037050674163079867101586607780761245261558200843
n3 = 9895571060693703887018268413746107679094703478067972087862851570192520012058188062485476484700707994684397704099884436398099581319015589480235346899990863625919087077906193223937343450727301243043576326163300258770936289423785376338765758863453745278516208013244068358484113062931878984339475569902332075509121153749576470546863477142562563573654198332099438611713385318497180237117792417826080724886477023904678472464557511959911739272258202310963925049222305927992349171516332320267610895787011879250778522843808895509894741144901052000573058315131265960606119769594234837973757057319170067823816025499647517874841
c1 = 0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2 = 0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
 
p1 = gmpy2.gcd(n1,n2)
p2 = n1//p1
p3 = n2//p1
 
assert isPrime(p1)          //检查这三个数是否为素数
assert isPrime(p2)
assert isPrime(p3)
 
e = 0x1001
phi1 = (p1-1) * (p2-1)
phi2 = (p1-1) * (p3-1)
 
d1 = gmpy2.invert(e,phi1)
d2 = gmpy2.invert(e,phi2)
 
m1 = gmpy2.powmod(c1,d1,n1)
m2 = gmpy2.powmod(c2,d2,n2)
print(long_to_bytes(m1))
print(long_to_bytes(m2))
 
明文m、模数n相同,公钥指数e、密文c不同,gcd(e1,e2)==1,也就是e1和e2互质时
e1*s1+e2*s3 = 1
有唯一的解
由于:
c1 == m^e1 mod n
c2 == m e2 mod n
那么:
  (c1^s1 * c2 ^ s2) mod n
= ( (m^e1 mod n)^s1 * (m^e2 mod n)^s2 )mod n
= m^(e1*s1) * m^(e2*s2) mod n
= m mod n
明文m、模数n相同,公钥指数e、密文c不同,gcd(e1,e2)==1,也就是e1和e2互质时
e1*s1+e2*s3 = 1
有唯一的解
由于:
c1 == m^e1 mod n
c2 == m e2 mod n
那么:
  (c1^s1 * c2 ^ s2) mod n
= ( (m^e1 mod n)^s1 * (m^e2 mod n)^s2 )mod n
= m^(e1*s1) * m^(e2*s2) mod n
= m mod n
from Crypto.Util.number import bytes_to_long, getPrime
from random import randint
from gmpy2 import powmod
 
p = getPrime(2048)
q = getPrime(2048)
N = p*q
Phi = (p-1)*(q-1)
def get_enc_key(N,Phi):
e = getPrime(N)
if Phi % e == 0:
    return get_enc_key(N, Phi)
else:
    return e
e1 = get_enc_key(randint(10, 12), Phi)
e2 = get_enc_key(randint(10, 12), Phi)
 
fr = open(r"./base64", "rb")#flag is in this file
f1 = open(r"./HUB1", "wb")
f2 = open(r"./HUB2", "wb")
base64 = fr.read(255)
f1.write("%d\n%d\n" % (N, e1))
f2.write("%d\n%d\n" % (N, e2))
while len(base64)>0:
    pt = bytes_to_long(base64)
    ct1 = powmod(pt, e1, N)
    ct2 = powmod(pt, e2, N)
    f1.write("\n%d" % ct1)
    f2.write("\n%d" % ct2)
    base64 = fr.read(255)
fr.close()
f1.close()
f2.close()
from Crypto.Util.number import bytes_to_long, getPrime
from random import randint
from gmpy2 import powmod
 
p = getPrime(2048)
q = getPrime(2048)
N = p*q
Phi = (p-1)*(q-1)
def get_enc_key(N,Phi):
e = getPrime(N)
if Phi % e == 0:
    return get_enc_key(N, Phi)
else:
    return e
e1 = get_enc_key(randint(10, 12), Phi)
e2 = get_enc_key(randint(10, 12), Phi)
 
fr = open(r"./base64", "rb")#flag is in this file
f1 = open(r"./HUB1", "wb")
f2 = open(r"./HUB2", "wb")
base64 = fr.read(255)
f1.write("%d\n%d\n" % (N, e1))
f2.write("%d\n%d\n" % (N, e2))
while len(base64)>0:
    pt = bytes_to_long(base64)
    ct1 = powmod(pt, e1, N)
    ct2 = powmod(pt, e2, N)
    f1.write("\n%d" % ct1)
    f2.write("\n%d" % ct2)
    base64 = fr.read(255)
fr.close()
f1.close()
f2.close()
#!/usr/bin/python2
 
import gmpy2
from Crypto.Util.number import long_to_bytes
 
f1 = open("./HUB1","r")
f2 = open("./HUB2","r")
data1 = f1.readlines()
data2 = f2.readlines()
 
n = int(data1[0])
e1 = int(data1[1])
c1 = int(data1[3])
 
e2 = int(data2[1])
c2 = int(data2[3])
 
_, r, s = gmpy2.gcdext(e1, e2)
 
m = pow(c1, r, n) * pow(c2, s, n) % n
print long_to_bytes(m)
#!/usr/bin/python2
 
import gmpy2
from Crypto.Util.number import long_to_bytes
 
f1 = open("./HUB1","r")
f2 = open("./HUB2","r")
data1 = f1.readlines()
data2 = f2.readlines()
 
n = int(data1[0])
e1 = int(data1[1])
c1 = int(data1[3])
 
e2 = int(data2[1])
c2 = int(data2[3])
 
_, r, s = gmpy2.gcdext(e1, e2)
 
m = pow(c1, r, n) * pow(c2, s, n) % n
print long_to_bytes(m)
N = 331310324212000030020214312244232222400142410423413104441140203003243002104333214202031202212403400220031202142322434104143104244241214204444443323000244130122022422310201104411044030113302323014101331214303223312402430402404413033243132101010422240133122211400434023222214231402403403200012221023341333340042343122302113410210110221233241303024431330001303404020104442443120130000334110042432010203401440404010003442001223042211442001413004
c = 310020004234033304244200421414413320341301002123030311202340222410301423440312412440240244110200112141140201224032402232131204213012303204422003300004011434102141321223311243242010014140422411342304322201241112402132203101131221223004022003120002110230023341143201404311340311134230140231412201333333142402423134333211302102413111111424430032440123340034044314223400401224111323000242234420441240411021023100222003123214343030122032301042243
 
N = 302240000040421410144422133334143140011011044322223144412002220243001141141114123223331331304421113021231204322233120121444434210041232214144413244434424302311222143224402302432102242132244032010020113224011121043232143221203424243134044314022212024343100042342002432331144300214212414033414120004344211330224020301223033334324244031204240122301242232011303211220044222411134403012132420311110302442344021122101224411230002203344140143044114
c = 112200203404013430330214124004404423210041321043000303233141423344144222343401042200334033203124030011440014210112103234440312134032123400444344144233020130110134042102220302002413321102022414130443041144240310121020100310104334204234412411424420321211112232031121330310333414423433343322024400121200333330432223421433344122023012440013041401423202210124024431040013414313121123433424113113414422043330422002314144111134142044333404112240344
 
N = 332200324410041111434222123043121331442103233332422341041340412034230003314420311333101344231212130200312041044324431141033004333110021013020140020011222012300020041342040004002220210223122111314112124333211132230332124022423141214031303144444134403024420111423244424030030003340213032121303213343020401304243330001314023030121034113334404440421242240113103203013341231330004332040302440011324004130324034323430143102401440130242321424020323
c = 10013444120141130322433204124002242224332334011124210012440241402342100410331131441303242011002101323040403311120421304422222200324402244243322422444414043342130111111330022213203030324422101133032212042042243101434342203204121042113212104212423330331134311311114143200011240002111312122234340003403312040401043021433112031334324322123304112340014030132021432101130211241134422413442312013042141212003102211300321404043012124332013240431242
N = 331310324212000030020214312244232222400142410423413104441140203003243002104333214202031202212403400220031202142322434104143104244241214204444443323000244130122022422310201104411044030113302323014101331214303223312402430402404413033243132101010422240133122211400434023222214231402403403200012221023341333340042343122302113410210110221233241303024431330001303404020104442443120130000334110042432010203401440404010003442001223042211442001413004
c = 310020004234033304244200421414413320341301002123030311202340222410301423440312412440240244110200112141140201224032402232131204213012303204422003300004011434102141321223311243242010014140422411342304322201241112402132203101131221223004022003120002110230023341143201404311340311134230140231412201333333142402423134333211302102413111111424430032440123340034044314223400401224111323000242234420441240411021023100222003123214343030122032301042243
 
N = 302240000040421410144422133334143140011011044322223144412002220243001141141114123223331331304421113021231204322233120121444434210041232214144413244434424302311222143224402302432102242132244032010020113224011121043232143221203424243134044314022212024343100042342002432331144300214212414033414120004344211330224020301223033334324244031204240122301242232011303211220044222411134403012132420311110302442344021122101224411230002203344140143044114
c = 112200203404013430330214124004404423210041321043000303233141423344144222343401042200334033203124030011440014210112103234440312134032123400444344144233020130110134042102220302002413321102022414130443041144240310121020100310104334204234412411424420321211112232031121330310333414423433343322024400121200333330432223421433344122023012440013041401423202210124024431040013414313121123433424113113414422043330422002314144111134142044333404112240344
 
N = 332200324410041111434222123043121331442103233332422341041340412034230003314420311333101344231212130200312041044324431141033004333110021013020140020011222012300020041342040004002220210223122111314112124333211132230332124022423141214031303144444134403024420111423244424030030003340213032121303213343020401304243330001314023030121034113334404440421242240113103203013341231330004332040302440011324004130324034323430143102401440130242321424020323
c = 10013444120141130322433204124002242224332334011124210012440241402342100410331131441303242011002101323040403311120421304422222200324402244243322422444414043342130111111330022213203030324422101133032212042042243101434342203204121042113212104212423330331134311311114143200011240002111312122234340003403312040401043021433112031334324322123304112340014030132021432101130211241134422413442312013042141212003102211300321404043012124332013240431242
#!/usr/bin/python2
import gmpy2
import time
from Crypto.Util.number import long_to_bytes
 
def CRT(items):
N = reduce(lambda x, y: x * y, (i[1] for i in items))
result = 0
for a, n in items:
m = N / n
d, r, s = gmpy2.gcdext(n, m)
if d != 1: raise Exception("Input not pairwise co-prime")
result += a * s * m
return result % N, N
n = [129114230505356333697118994510021413915051088225570531043026917550451581564734952308651566723784981323900403426111056537185011193232603296112121643742691356399992969898010827710994350803494919151948423732426591598888439712920344266205641475348312727365971717305409127667391782677854219689063549759596429716629,109269702205029292120022054633721536134438763741801805368759852020529400112797868566931991813909053016228871499067304592740926931055426540840268677218282537450757063806695831503892336975370479004151114020279110611956433492281834217463178735931660370487895538198474855043942908224106013915984721193047940206159,130184984206907873325788608067133260010668825744109785989754700869397713689450907426005869455386099782561530247238688647088683853688926890638399087109982966623800264662846723141786785531512452737825132399495839974974884122270947543684537604890177662807013640102549749593966105133111628112742472630785570141963]
c = [112820376318708309511883266356668393396816131447182791445506209031700236878469506355658352414748854472099361508824474365112325602319862842561436679067358900089331778617100580343694334226208753320435002324108477884950933641216044198203776075918323272795752182687450526442079367110656868374931125538339145721573,45651293556966072304818630107703140982560165499022836594523320391474750266281527820821435052904791681898782443840766880327957385288649094238886877657228597671521358830021677304123300882210216797719566693160533018601632768048713030788957904378243453859832229603157052843135978639276611231634399594108602071349,7145575537980676074780210417817024536632595547590648616669010213946256431795860784357127920679439181517662499063976244238924613193503273987203026894830988537974932336129245277788828190575305229420617551083516420170192425247732269483299819348769856966536443995217830327641185916042049253075074223777360483322]
e = 3
data = zip(c, n)
x, n = CRT(data)
m = gmpy2.iroot(gmpy2.mpz(x), e)[0].digits()
m = long_to_bytes(m)
print m
#!/usr/bin/python2
import gmpy2
import time
from Crypto.Util.number import long_to_bytes
 
def CRT(items):
N = reduce(lambda x, y: x * y, (i[1] for i in items))
result = 0
for a, n in items:
m = N / n
d, r, s = gmpy2.gcdext(n, m)
if d != 1: raise Exception("Input not pairwise co-prime")
result += a * s * m
return result % N, N
n = [129114230505356333697118994510021413915051088225570531043026917550451581564734952308651566723784981323900403426111056537185011193232603296112121643742691356399992969898010827710994350803494919151948423732426591598888439712920344266205641475348312727365971717305409127667391782677854219689063549759596429716629,109269702205029292120022054633721536134438763741801805368759852020529400112797868566931991813909053016228871499067304592740926931055426540840268677218282537450757063806695831503892336975370479004151114020279110611956433492281834217463178735931660370487895538198474855043942908224106013915984721193047940206159,130184984206907873325788608067133260010668825744109785989754700869397713689450907426005869455386099782561530247238688647088683853688926890638399087109982966623800264662846723141786785531512452737825132399495839974974884122270947543684537604890177662807013640102549749593966105133111628112742472630785570141963]
c = [112820376318708309511883266356668393396816131447182791445506209031700236878469506355658352414748854472099361508824474365112325602319862842561436679067358900089331778617100580343694334226208753320435002324108477884950933641216044198203776075918323272795752182687450526442079367110656868374931125538339145721573,45651293556966072304818630107703140982560165499022836594523320391474750266281527820821435052904791681898782443840766880327957385288649094238886877657228597671521358830021677304123300882210216797719566693160533018601632768048713030788957904378243453859832229603157052843135978639276611231634399594108602071349,7145575537980676074780210417817024536632595547590648616669010213946256431795860784357127920679439181517662499063976244238924613193503273987203026894830988537974932336129245277788828190575305229420617551083516420170192425247732269483299819348769856966536443995217830327641185916042049253075074223777360483322]
e = 3
data = zip(c, n)
x, n = CRT(data)
m = gmpy2.iroot(gmpy2.mpz(x), e)[0].digits()
m = long_to_bytes(m)
print m
 
 
def gen_q():
p = getPrime(1024)
q = getPrime(1024)
assert (p < q)
n = p * q
print("Q_n = ", n)
e = getRandomNBitInteger(53)
F_n = (p - 1) * (q - 1)
while gcd(e, F_n) != 1:
e = getRandomNBitInteger(53)
d = invert(e, F_n)
print("Q_E_D = ", e * d)
factor2 = 2021 * p - 2020 * q
if factor2 < 0:
factor2 = (-1) * factor2
return sympy.nextprime(factor2)
def gen_q():
p = getPrime(1024)
q = getPrime(1024)
assert (p < q)
n = p * q
print("Q_n = ", n)
e = getRandomNBitInteger(53)
F_n = (p - 1) * (q - 1)
while gcd(e, F_n) != 1:
e = getRandomNBitInteger(53)
d = invert(e, F_n)
print("Q_E_D = ", e * d)
factor2 = 2021 * p - 2020 * q
if factor2 < 0:
factor2 = (-1) * factor2
return sympy.nextprime(factor2)
Q_n =  20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
Q_E_D =  100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
Q_n =  20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
Q_E_D =  100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
 
#!/usr/bin/python2
 
import random
 
def gcd(a, b):
if a < b:
a, b = b, a
while b != 0:
temp = a % b
a = b
b = temp
return a
 
def getpq(n,d_e):
p = 1
q = 1
while p==1 and q==1:
k = d_e - 1
g = random.randint ( 0 , n )
while p==1 and q==1 and k % 2 == 0:
k /= 2
y = pow(g,k,n)
if y!=1 and gcd(y-1,n)>1:
p = gcd(y-1,n)
q = n/p
return p,q
 
def main():
 
n =  20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
d_e =  100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
 
p,q = getpq(n,d_e)
print(p)
print(q)
if __name__ == '__main__':
main()
#!/usr/bin/python2
 
import random
 
def gcd(a, b):
if a < b:
a, b = b, a
while b != 0:
temp = a % b
a = b
b = temp
return a
 
def getpq(n,d_e):
p = 1
q = 1
while p==1 and q==1:
k = d_e - 1
g = random.randint ( 0 , n )
while p==1 and q==1 and k % 2 == 0:
k /= 2
y = pow(g,k,n)
if y!=1 and gcd(y-1,n)>1:
p = gcd(y-1,n)
q = n/p
return p,q
 
def main():
 
n =  20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
d_e =  100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
 
p,q = getpq(n,d_e)
print(p)
print(q)
if __name__ == '__main__':
main()
 
n= 544187306850902797629107353619267427694837163600853983242783
e= 39293
c= 439254895818320413408827022398053685867343267971712332011972
m=???
n= 544187306850902797629107353619267427694837163600853983242783
e= 39293
c= 439254895818320413408827022398053685867343267971712332011972
m=???
 
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
 
n= 544187306850902797629107353619267427694837163600853983242783
e= 39293
c= 439254895818320413408827022398053685867343267971712332011972
p = 67724172605733871
q = 11571390939636959887
r = 694415063702720454699679
phi = (p-1)*(q-1)*(r-1
d = gmpy2.invert(e, phi) 
m = pow(c, d, n) 
print(long_to_bytes(m))
#!/usr/bin/python
import gmpy2
from Crypto.Util.number import long_to_bytes
 
n= 544187306850902797629107353619267427694837163600853983242783
e= 39293
c= 439254895818320413408827022398053685867343267971712332011972
p = 67724172605733871
q = 11571390939636959887
r = 694415063702720454699679
phi = (p-1)*(q-1)*(r-1
d = gmpy2.invert(e, phi) 
m = pow(c, d, n) 
print(long_to_bytes(m))
dp=d%(p-1)
dq=d%(q-1)
dp*e = 1 mod(p-1)
dq*e = 1 mod(q-1)
dp=d%(p-1)
dq=d%(q-1)
dp*e = 1 mod(p-1)
dq*e = 1 mod(q-1)
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
#!/usr/bin/python2
 
import gmpy2 
from Crypto.Util.number import long_to_bytes 
 
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
 
InvQ=gmpy2.invert(q,p) 
mp=pow(c,dp,p) 
mq=pow(c,dq,q) 
m=(((mp-mq)*InvQ)%p)*q+mq 
 
print(long_to_bytes(m))
#!/usr/bin/python2
 
import gmpy2 
from Crypto.Util.number import long_to_bytes 
 
p = 8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q = 12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp = 6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq = 783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c = 24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
 
InvQ=gmpy2.invert(q,p) 
mp=pow(c,dp,p) 
mq=pow(c,dq,q) 
m=(((mp-mq)*InvQ)%p)*q+mq 
 
print(long_to_bytes(m))
#!/usr/bin/python2
 
import re
import pickle
from itertools import product
from libnum import invmod, gcd
 
 
def solve_linear(a, b, mod):
    if a & 1 == 0 or b & 1 == 0:
        return None
    return (b * invmod(a, mod)) & (mod - 1# hack for mod = power of 2
 
 
def to_n(s):
    s = re.sub(r"[^0-9a-f]", "", s)
    return int(s, 16)
 
 
def msk(s):
    cleaned = "".join(map(lambda x: x[-2:], s.split(":")))
    return msk_ranges(cleaned), msk_mask(cleaned), msk_val(cleaned)
 
 
def msk_ranges(s):
    return [range(16) if c == " " else [int(c, 16)] for c in s]
 
 
def msk_mask(s):
    return int("".join("0" if c == " " else "f" for c in s), 16)
 
 
def msk_val(s):
    return int("".join("0" if c == " " else c for c in s), 16)
 
 
E = 65537
 
N = to_n("""00:c0:97:78:53:45:64:84:7d:8c:c4:b4:20:e9:33:
    58:67:ec:78:3e:6c:f5:f0:5c:a0:3e:ee:dc:25:63:
    d0:eb:2a:9e:ba:8f:19:52:a2:67:0b:e7:6e:b2:34:
    b8:6d:50:76:e0:6a:d1:03:cf:77:33:d8:b1:e9:d7:
    3b:e5:eb:1c:65:0c:25:96:fd:96:20:b9:7a:de:1d:
    bf:fd:f2:b6:bf:81:3e:3e:47:44:43:98:bf:65:2f:
    67:7e:27:75:f9:56:47:ba:c4:f0:4e:67:2b:da:e0:
    1a:77:14:40:29:c1:a8:67:5a:8f:f5:2e:be:8e:82:
    31:3d:43:26:d4:97:86:29:15:14:a9:69:36:2c:76:
    ed:b5:90:eb:ec:6f:ce:d5:ca:24:1c:aa:f6:63:f8:
    06:a2:62:cb:26:74:d3:5b:82:4b:b6:d5:e0:49:32:
    7b:62:f8:05:c4:f7:0e:86:59:9b:f3:17:25:02:aa:
    3c:97:78:84:7b:16:fd:1a:f5:67:cf:03:17:97:d0:
    c6:69:85:f0:8d:fa:ce:ee:68:24:63:06:24:e1:e4:
    4c:f8:e9:ad:25:c7:e0:c0:15:bb:b4:67:48:90:03:
    9b:20:7f:0c:17:eb:9d:13:44:ab:ab:08:a5:c3:dc:
    c1:98:88:c5:ce:4f:5a:87:9b:0b:bf:bd:d7:0e:a9:
    09:59:81:fa:88:4f:59:60:6b:84:84:ad:d9:c7:25:
    8c:e8:c0:e8:f7:26:9e:37:95:7c:e1:48:29:0f:51:
    e7:bd:98:2f:f6:cc:80:e7:f0:32:0b:89:51:92:4e:
    c2:6d:50:53:2b:3b:77:72:d1:bd:1a:1f:92:d7:12:
    79:61:61:c5:a4:7e:b3:85:eb:f0:7c:6d:46:03:c5:
    e6:d5:81:2c:ba:7e:ea:8d:51:7d:63:55:34:2a:b6:
    d4:dc:31:5a:f1:99:e3:dc:8c:83:0b:a2:2a:d5:3c:
    41:48:41:54:1a:a9:e8:b6:70:bf:d3:fe:ed:19:17:
    14:94:13:b3:17:e3:8b:8e:6f:53:ed:e2:44:e8:4a:
    32:d6:5c:0d:a8:80:f5:fc:02:e9:46:55:d5:a4:d3:
    e7:c6:30:77:f9:73:e9:44:52:d8:13:9d:5d:bf:9e:
    fa:3a:b5:96:79:82:5b:cd:19:5c:06:a9:00:96:fd:
    4c:a4:73:88:1a:ec:3c:11:de:b9:3d:e0:50:00:1e:
    ac:21:97:a1:96:7d:6b:15:f9:6c:c9:34:7f:70:d7:
    9d:2d:d1:48:4a:81:71:f8:12:dd:32:ba:64:31:60:
    08:26:4b:09:22:03:83:90:17:7f:f3:a7:72:57:bf:
    89:6d:e4:d7:40:24:8b:7b:bd:df:33:c0:ff:30:2e:
    e8:6c:1d""")
 
p_ranges, pmask_msk, pmask_val = msk(""" 0: e:  :  :  :c :c :  :  :  :b :  :  :  :  :
      :ab: e: 2: 8:c :  :  : 1:6 :6 : 6: f:d9: 0:
    8 :5c:7 :06:  :  :  :0 : 3:5 :4b:  :6 :  :  :
    2 :  :6 :  :  :  :2 :bc: c:  :85:1 : 1:d : 3:
     1:b4:  : b: 1: 3: d:a :  :  :6e: 0:b :2 :  :
      :b :  :9 :e :  :82:8d:  :  :13:  :  : a: a:
      :  :4 :  :c : f:  :  :7 :e :0a:  :  : b: 5:
      : e:91:3 :  :3c: 9:  : 6:  :  :b5:7d: 1:  :
      :  :  :b :a1:99:6 :4 :3 :c :1a:02:4 :  : 9:
    9 :f : d:bd:  :0 :  :  :  :b3:  : 4:  :e9: 9:
      : d:  :  :7 :  :93:  : e:dc:  : 0:  :e7:  :
    e :  :2 : b: 2:5 :  :  :  :  : c:5f:  :  :e2:
      :  : 9:  :2a:  : e:  :  :2 :  :9f: 7:3 :  :
    b : f:b :  : 8: 7:  :  :f :6 :e :c :  :3 :  :
    f7: 5: 8: 5:  :  :  :  :  : 8: e:  :03: c:  :
    33:76:e : 1:7 : c:  : 0:  :0b:  : a:  : 2: 9:
      :c8:bf:  :  :06: 7:d5:  :02: c:b :e2: 7:2 :
      :  """)
 
q_ranges, qmask_msk, qmask_val = msk(""" 0: f:  :d0: 1:55: 4:31:  : b:c4:8 :  : e: d:
    34: 3:f :  :  :  :  : 8:99:1 :  : a:0 :  :4 :
    0 :  :f :  :a4:41:2 :  :a :  : 1:  : a: c:  :
      :  : 9:  :  : 2:f4: f:  :  :  :  :1 : 4:9 :
    a :  :  :79:0 :  :  :  :  : 2: 8:b :  :4 : 8:
      :9b: 1:  :d :  :f :e4:  :4 :c :e :  :3 :  :
     7:2 :  :d :8 :2 :7 :  :d :67:fc:e : 0:f9: 7:
    8 :  :  :  :1 :2f:  :51:  :  :2e:0a: e:3d: 6:
    b :  :dd:  : 0:fb:  :f4:  :  :  :b4: 9:c :  :
     a:  :  :  :d :  :  :6b: 2:  :9b: a:60:  :d6:
     0:4f:16:d1:  :  :5 :fc:  :f :  :8 :  :  :  :
     1: 6:e1:9 : e:4 : 6: c: d:d :73: 3:  :  :7 :
      :8 : 9:  :3b:f : 2:  :  :f1: e:  :  :1e:  :
    8 :  :  : 6:0 : 4:99:e :  : 5:  :  : 4:  :  :
      : a:81:64:  :7 :f : 9: d:  :9 :  : 7:93:f :
    ac:8c:  : 8:  : 0: d: 8:  :7 :  :1d:  :f :  :
    1 :a :6 :8 :  :60:  :b3:  :  :  :89:  :  :14:
      :5 """)
 
_, dmask_msk, dmask_val = msk("""  :  :  : f:8 :a5:d : 2: 0:b :7 :  : 1:  : 4:
     1:0d:  :3 :  :6 :  :  : b:  :  :  :e :  :  :
    0e: 0:db:  :1a:1c:c0:  : e:  :  :99:bc:8 :a5:
    7 :7 :7 : b:  :  : 8: 8:  :7 :55: 2:  :  :f :
    b2:  :  :b :f :4 :  : 8:  :b :  :  :  : 0:  :
    0 :  :6 :9 :  :  :  : b: 4:  : 0: a: 5:07:b :
     9: c:9a: 9:  : 7:9e:  : b:60:f :  :  :  :0 :
      : 3:0 :  :  :  : 1:b :  :  : b: 6:0 :f :  :
      : 2:18: 6: b:1 :  :  :  :  :d3:f3:  :a :  :
     3:  :  :  :  : 3: d: 1: 2:7 :  : d:  : 2: d:
      :  : d:4 :  :d :  :6d: c:a :b6:  :  :  : 1:
    69:  : 7:  :89:  :c :8 :61: d:25: 3:7 :1b: 4:
    b :  :8 :55:  :49: 1:2 :3 :  :1 :e9:a8: 3:  :
    9 :  : 1:f8:d3:  :e :  :d :  :9 :b6:  :  :71:
    1 :  :c1:  : b: 1:  : 6:e :  :64:  :  :1a:c :
      : b:  :bf:c :  : 0:  : 8:a :4 :  :26:a :5 :
    6 :  :  :  :eb:  :e5: a:  :3e:f9:10:0 :  :  :
     6:0 :  : 8:  : 1:72: c:0 : f:5 : f:9c: 0: e:
     7:b :  :  :  :  :d9: 4:  : e:c :68:  :  :  :
     c:  :3a:  :  :a0:ea: 3: 4:  :72:a :d : 8:  :
      :0d:5 :0 : a: 7:c :bb: 6: 4:a :ce:d :2 : 1:
      :  :17:6 :  : c: b:  : f:  :3 : 5:6 :3 :0e:
      : 7:c :3e: 2: 9: 7: 6: f: e: f: 9:  :f3: 9:
    a :c1:6 :  : 1:9 :  :43:  : f: 5:  :0 :27: 4:
    4 :a :  :e9:  : 8: 4:3 :8a: 6:16:d5:c : e: e:
      :d : c:b :a8:  : 7:  : 9:  :7 :7d:  :  :  :
      :  :  :4 :2 :  : 3: 3: 6:  :  :  :7b:0 :  :
     e:  :0 :  :a :  : 5:  :  :  : 5:1 :82:c :0d:
    4 :2 :fd:36: 5:50:0 :  :  :d : f: 6:  :  :e :
    0 :  :  :ce:  :9e:8 :  :0 :d :07:b3:  :  :  :
    0 :e4:  :  :68:b :c :  : c:5 :  :  :3 : 7: 2:
     c:e0:  :5 :  :  :b4:  :ef: 7:  :1 :e : 0:f :
      :6 :  :  :  :e0:c :3 :  :  : 3:  : d:  :  :
     3: 3: c: a:  :b : a:71: 3: 0:a :  :4 :5d:  :
    0 :4 """)
 
_, dpmask_msk, dpmask_val = msk("""  : 3:2a:  : d:  :  :  :  :0 :1 : f:  :  : 6:
    1 :2 :1b:07: a:e :b :c5:58:7 :  :e8: 7: 1: c:
      : 1:b :a0: 4:0f:5 :67:  :3 :7 :6 :f9:  : c:
      :79: 0:1 :65:  :8 :  :99: d:d :  :2 :9 :0 :
     e:  :0 :  :  :  : d:  :d :7 :6 :a9: a:8b: b:
      :  : 7: a:37:  :  :7 :1 :6 :  :c2: 7:6 :b :
     e:  :  :  :  :  :  :b :3a:5 :  :  :  :  :  :
      :  :  :cd:8 :  : d:  :7 : 3:  : f:e : c:  :
      : a:  :c : f:c : 7:b :5 :  :  :2 :8 :8 :6 :
    0a: a:  :  :3 :db:  : 4:00:  : d:  :b : 5:  :
    20: 2: 5:  :82:  : 0: 6:  :8a:  :7 :  : 8:  :
     4: 1:  :  :  : 8:46:  :  :  :  :  : 0:f :c8:
    2 :  : c:7 :  : 1:  :  :2 : 0: 5:  :  : 1:9b:
     6:9 : 0:74:  :c :  :e :  :  :cb:b :3 :3 :  :
     2:  :  :47:  :2 : 0:5 :  :  : d: 6:83:  :  :
      :c7:  :  :0b:  :  : c:  :3 :8 :  :9 :4 : 7:
    5 :c0:fe:  :f9: 1:  :0 : e: 8:02:  : f:  :c :
    55:61""")
 
_, dqmask_msk, dqmask_val = msk("""  :0b:7 :4 :0 : 0:6 : 7:7e:  : 5:  : 7:  : a:
    a :d : 0: 6: 4:86:  :  :8 :  :  :  :  :e :8f:
     9:  :  :  : 1:  :2 :  : 7: b:1 :5 : f:  :8 :
      :d :21:  :e : d:  :c9:e : b:  :  :1 :  :  :
      :d :a2:b7:  :  :  :f3:  :42:  :e : c:  :f :
      : 0:f :7 : 4: 5:34:  :4 : c:  :  :8 :d : 8:
    5 :af: 3:1d: 5:4 :  :2 :  :6 :c : 6:a :1 :5 :
     a:9 :  :d :  :  :0a:a1:  :f :7 :9 :b :  :  :
     f:2 :27: f:  :0 :f6:4d:  :  :  :  :  :5 :  :
     4:08:  : 5:  : 8: 5:  :  :  :18: 4: 8:57: 2:
     f: a:  :  :a8: f: c:f : e: 1:9 :c : 4:9 :  :
      :  :  :  :  : 1:  :2 :  :d1:  : 6:e : d:  :
      : f:04:2 :8d:  : 3:  :  :b : 8:  :d6:  : 2:
      :  :  :6 :  : f:  :  : 0:6 :  :51:  :48:19:
      :  :  :69:4 : c:  :c :  : f:  :f4:d :  : f:
     d:0 :0d:b :3 : 3:2 :  :  :6 : b:5 :2 :  : c:
     1:5a: f:f :  :  :7e:3e:  :d :f :0 : d: c: 6:
     1""")
 
 
def search(K, Kp, Kq, check_level, break_step):
    max_step = 0
    cands = [0]
    for step in range(1, break_step + 1):
        #print " ", step, "( max =", max_step, ")"
        max_step = max(step, max_step)
 
        mod = 1 << (4 * step)
        mask = mod - 1
 
        cands_next = []
        for p, new_digit in product(cands, p_ranges[-step]):
            pval = (new_digit << ((step - 1) * 4)) | p
 
            if check_level >= 1:
                qval = solve_linear(pval, N & mask, mod)
                if qval is None or not check_val(qval, mask, qmask_msk, qmask_val):
                    continue
 
            if check_level >= 2:
                val = solve_linear(E, 1 + K * (N - pval - qval + 1), mod)
                if val is None or not check_val(val, mask, dmask_msk, dmask_val):
                    continue
 
            if check_level >= 3:
                val = solve_linear(E, 1 + Kp * (pval - 1), mod)
                if val is None or not check_val(val, mask, dpmask_msk, dpmask_val):
                    continue
 
            if check_level >= 4:
                val = solve_linear(E, 1 + Kq * (qval - 1), mod)
                if val is None or not check_val(val, mask, dqmask_msk, dqmask_val):
                    continue
 
                if pval * qval == N:
                    print "Kq =", Kq
                    print "pwned"
                    print "p =", pval
                    print "q =", qval
                    p = pval
                    q = qval
                    d = invmod(E, (p - 1) * (q - 1))
                    coef = invmod(p, q)
 
                    from Crypto.PublicKey import RSA
                    print RSA.construct(map(long, (N, E, d, p, q, coef))).exportKey()
                    quit()
 
            cands_next.append(pval)
 
        if not cands_next:
            return False
        cands = cands_next
    return True
 
 
 
def check_val(val, mask, mask_msk, mask_val):
    test_mask = mask_msk & mask
    test_val = mask_val & mask
    return val & test_mask == test_val
 
 
# K = 4695
# Kp = 15700
# Kq = 5155
 
for K in range(1, E):
    if K % 100 == 0:
        print "checking", K
    if search(K, 0, 0, check_level=2, break_step=20):
        print "K =", K
        break
 
for Kp in range(1, E):
    if Kp % 1000 == 0:
        print "checking", Kp
    if search(K, Kp, 0, check_level=3, break_step=30):
        print "Kp =", Kp
        break
 
for Kq in range(1, E):
    if Kq % 100 == 0:
        print "checking", Kq
    if search(K, Kp, Kq, check_level=4, break_step=9999):
        print "Kq =", Kq
        break
#!/usr/bin/python2
 
import re
import pickle
from itertools import product
from libnum import invmod, gcd
 
 
def solve_linear(a, b, mod):
    if a & 1 == 0 or b & 1 == 0:
        return None
    return (b * invmod(a, mod)) & (mod - 1# hack for mod = power of 2
 
 
def to_n(s):
    s = re.sub(r"[^0-9a-f]", "", s)
    return int(s, 16)
 
 
def msk(s):
    cleaned = "".join(map(lambda x: x[-2:], s.split(":")))
    return msk_ranges(cleaned), msk_mask(cleaned), msk_val(cleaned)
 
 
def msk_ranges(s):
    return [range(16) if c == " " else [int(c, 16)] for c in s]
 
 
def msk_mask(s):
    return int("".join("0" if c == " " else "f" for c in s), 16)
 
 
def msk_val(s):
    return int("".join("0" if c == " " else c for c in s), 16)
 
 
E = 65537
 
N = to_n("""00:c0:97:78:53:45:64:84:7d:8c:c4:b4:20:e9:33:
    58:67:ec:78:3e:6c:f5:f0:5c:a0:3e:ee:dc:25:63:
    d0:eb:2a:9e:ba:8f:19:52:a2:67:0b:e7:6e:b2:34:
    b8:6d:50:76:e0:6a:d1:03:cf:77:33:d8:b1:e9:d7:
    3b:e5:eb:1c:65:0c:25:96:fd:96:20:b9:7a:de:1d:
    bf:fd:f2:b6:bf:81:3e:3e:47:44:43:98:bf:65:2f:
    67:7e:27:75:f9:56:47:ba:c4:f0:4e:67:2b:da:e0:
    1a:77:14:40:29:c1:a8:67:5a:8f:f5:2e:be:8e:82:
    31:3d:43:26:d4:97:86:29:15:14:a9:69:36:2c:76:
    ed:b5:90:eb:ec:6f:ce:d5:ca:24:1c:aa:f6:63:f8:
    06:a2:62:cb:26:74:d3:5b:82:4b:b6:d5:e0:49:32:
    7b:62:f8:05:c4:f7:0e:86:59:9b:f3:17:25:02:aa:

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2020-10-29 19:39 被happi0编辑 ,原因:
收藏
免费 8
支持
分享
最新回复 (6)
雪    币: 861
活跃值: (683)
能力值: ( LV6,RANK:80 )
在线值:
发帖
回帖
粉丝
2
大佬,关于p-adic 和随机数生成器有啥好的教程或者书籍推荐吗
2020-10-29 19:39
0
雪    币: 205
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
3
happi0师傅,写得好详细,学到了许多,以后记得多多写相关的文章,学学新姿势。。。。:)
2020-10-29 23:19
0
雪    币: 360
活跃值: (106)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
mark,学到了很多,感谢感谢,希望能够看到更多类似的文章
2020-11-5 21:31
0
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
5
大佬写的好详细呀
2020-11-5 21:32
0
雪    币: 75
活跃值: (842)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
6
八岛 大佬,关于p-adic 和随机数生成器有啥好的教程或者书籍推荐吗
《密码学随机数发生器的设计与分析》,这本书不错
2020-11-5 21:57
0
雪    币: 20
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
7
2021-7-4 00:14
0
游客
登录 | 注册 方可回帖
返回
//