-
-
[推荐][原创]CTF-RSA常见题型、思路及解法
-
发表于: 2020-10-29 18:07 19593
-
这篇文章是帮助对RSA不熟悉的朋友且需要较为快速、深入的了解RSA而写的
不涉及非常晦涩难懂的数学知识和算法(不过最简单的原理说明还是有的)
攻击方法也是最容易遇到的(RSA的进阶篇除外)
并且所有的例题都是比较新的,甚至还有刚刚结束的比赛的题目
公钥与私钥的产生:
(1)进行加密之前,首先找出2个不同的大质数p和q
(2)计算n=p*q
(3)根据欧拉函数,求得φ(n)=φ(p)φ(q)=(p−1)(q−1)
(4)找出一个公钥e,e要满足: 1<e<φ(n) 的整数,且使e和φ(N)互质。
(5)根据e*d除以φ(n)余数为1,找到私钥d。
(6)所以,公钥就是(n,e) 私钥就是(n,d)
消息加密:
m^e除以n求余数即为c(密文)
消息解密:
c^d除以n求余数即为m(明文)
根据数论,寻求两个大素数比较简单,而将它们的乘积进行因式分解却极其困难,因此可以将乘积公开作为加密密钥
模运算与基本四则运算有些相似,但是除法例外。其规则如下:
在数论,对正整数n,欧拉函数是小于或等于n的正整数中与n互质的数的数目(因此φ(1)=1)
例如φ(8)= 4,因为1,3,5,7均和8互质
若N是质数p的k次幂(即N=p^k),φ(n)=p^k-p^(k-1)=(p-1)p^(k-1)。
设n为正整数,以φ(n)表示不超过n且与n互素的正整数的个数,称为n的欧拉函数值。
若m,n互质,φ(mn)=(m-1)(n-1)=φ(m)φ(n)。
在一次RSA密钥对生成中,假设p=473398607161,q=4511491,e=17
求解出d作为flag提交
题目:
解题:
倒数第二行的gmpy2.powmod也可以用pow函数替代,不过前者比后者的计算速度快很多,之后有道题可以体现出来
自此,我们已经了解了rsa的原理,现在开始进入学习rsa的一些攻击方式
用于已知e,c,m,不是很大的n(小于等于1024),或者n具有缺陷,q和p相差过大或过小
常用分解方法:
如果第一项,和第二项都无法分解,就应该考虑换一种思路了,题目考点应该不是暴力分解
已知一段RSA加密的信息为:0xdc2eeeb2782c且已知加密所用的公钥:
(N=322831561921859 e = 23)
请解密出明文,提交时请将数字转化为ascii码提交
比如你解出的明文是0x6162,那么请提交字符串ab
提交格式:PCTF{明文字符串}
首先整理一下已知条件:
我们已知公钥:
n和e,以及密文c
想要通过密文c来解得明文m需要私钥d
而私钥d需要通过e和phi求出,其中e已知,所以我们只需要知道phi
而phi = (q-1) * (p-1),幸运的是我们知道n = q*p,且q和p都是素数,如果我们能通过n分解出p和q则可以解出这道题目了
得到p = 13574881 , q = 23781539(q和p不涉及其他关系时,p和q的顺序无所谓)
可以从这两句代码看出:
可以知道,q和p相差很小,所以这个n是具有缺陷的,通常有两种攻击方式
分解出来后,是一个简单是数学等式,用z3约束器可以快速求解
(使用yafu分解的攻击方法比较简单,这里就不写了)
openssl genrsa -out prikey
openssl rsa -in prikey -text -modulus
openssl rsa -in prikey -pubout -out pubkey
openssl rsa -in pubkey -text -modulus -pubin
openssl rsautl -encrypt -in filename -inkey pubkey -pubin -out filename
rsautl -decrypt -inkey prikey -in filename
RsaCtfTool.py --createpub -n number -e number > pubkey
RsaCtfTool.py --dumpkey --filename pub.pem
RsaCtfTool.py --publickey pubkey --private
RsaCtfTool.py --publickey pubkey --uncipherfile filename
给了两个文件,message 和 public.key
以及加密脚本
首先打开公钥看看
可以看到e和n非常大,应该考虑Wiener攻击(后面会介绍到)
不过这里主要是介绍和公钥、私钥的交互
所以我们用RsaCtfTool来爆破出私钥
得到了私钥,尝试用openssl解密
却报错了,为什么呢
我们观察题目给出的加密脚本第二行"from Crypto.Cipher import PKCS1_OAEP"
说明这里是用的使用OAEP的填充方式,而解密是也必须指明对应的填充模式
这类题核心解法大体相同,出题人给出有唯一解的q和p的方程,通过解出q,p来解题
大多数简单的数学方程可以用z3约束器快速解出
这道题挺有意思的,在给出的脚本第10行
有两个没见过的函数,通过搜索资料,可以查到相关资料
Derivative,返回参数1函数在参数2点的导数
联系这两点
可以知道
z = Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))
= 1/(1/(1+p^2)) - 1/(1/(1-q^2))
= 1+p^2 + q^2 -1
= p^2 + q^2
又把本题转化成简单的数学问题了
在 RSA 中 e 也称为加密指数。由于 e 是可以随意选取的,选取小一点的 e 可以缩短加密时间(比如 e=2,e=3),但是选取不当的话,就会造成安全问题
由于e很小,当n很大时,m^e也比n小很多.尝试把c开根号看能否得到明文.
题目描述:
When you need really secure communications, you use RSA with a 4096 bit key.
I want really really really secure communications to transmit the nuclear launch codes (yeah IoT is everywhere man) so I used RSA with a 16777216 bit key. Surely russians will not be able to factor that one !
File md5 : 1049a0c83a2e34760363b4ad9778753f
题目给出了n和c,e,不过这个文本文件的大小高达7.4m,要是常规分解的话,估计量子计算机也够呛
不过由于n是16777216 bit的数字,e只有0x10001,所以m^e << n,符合低加密指数分解攻击的条件
这里我们也应该理解到,低加密指数并非指e == 2或e == 3这类,e的数值很小,而是m^e和n的相对大小
公钥e很小,明文m也不大的话,于是m^e=k*n+m 中的的k值很小甚至为0(k==0时,和上一种攻击方式差别不大),爆破k或直接开e次方即可。
我们拿到两个类似rsa加密的式子:
本质上,第一种、第二种攻击方式都是因为e选取的较小而造成的缺陷,那么e选取的非常大是不是就很安全呢?
实际上也不是,当e很大时,就会造成d非常的小,也具有相当大的危险
顾名思义,这是一种针对d很小时的攻击方式
此种攻击方法由Micheal j.Wiener于1989提出,所以也被称为Wiener's attack,该方法基于连分数
该方法在github已有完整可用的代码,之后所有的低解密指数也是利用以上脚本进行的
把大数分解成两个素数很困难,但是求两个大数的公因子很容易
当:
我们可以通过求gcd(n1,n2)来得到a,再通过除法分别求得b和c,从而达到了分解大素数的目的
可以通过gcd(n1,n2)快速求得p1
对同一明文的多次加密使用相同的模数和不同的公钥指数可能导致共模攻击
证明:
当n不变,知道n,e1,e2,c1,c2 可以在不知道d1,d2情况下,解出m。
这道题解出来后是base64加密后的字符串,实际上没有看上去那么简单,这里涉及到base64隐写,不过不是本文的主题,先暂且不管
对于相同的明文,使用相同的指数e和不同的模数n1,n2...ni加密得到i组密文(i>=e),可以使用中国剩余定理解出明文
当已知e,n,可以通过算法快速求得p和q
详细算法见:
https://www.di-mgt.com.au/rsa_factorize_n.html
可以看到,这里的p和q都高达1024bit,基本可以排除暴力分解
这时我们知道e*d,和n,可以尝试已知该算法
rsa加密基本原理
需要严格按照欧拉函数的定义来求解phi
n = p * q * r
那么φ(n) = (q-1) * (p-1) * (r-1)
dp本来是为了加速rsa加解密效率的,不过由于dp和p的关系相当密切,所以当dp泄漏也有相当大的危害
题目给出了密文文件,公钥和破损的私钥文件(这里就不放上来了)
首先读出公钥信息和破损的私钥信息填入以下脚本即可恢复出完整的私钥
解出私钥后,写入到文件中,用openssl解密即可(不过需要注意的是这依然是用oaep的填充方式,需要指明)
这道题e的大致范围已经给出,可以尝试爆破
不过加密脚本的第一行有点坑
(应该是出题人故意)把人误导成base32解密
也是对e爆破,不过我们可以通过这道题来对比pow()函数和gmpy2.powmod()的速度
pow:
3.03s user 0.01s system 99% cpu 3.050 total
gmpy2.powmod
1.30s user 0.00s system 99% cpu 1.310 total
可以看到,gmpy2中的powmod()函数用时不到pow()函数的二分之一,所以以后优先使用gmpy2.powmod()函数
题目给出了A和p,q的关系,一通花里胡哨的运算之后得到A
以我已知的知识想不到什么好的算法
不过可以直接分解n得到p和q
当我们做完这些后,发现题目并没有告知e,盲猜e = 65537,结果正好是
当然平时做题我们还是严谨一点,尝试爆破e
NIST SP800-78 Rev 1 (2007) 曾强调“不允许使用比65537更低的公钥指数e”,但PKCS#1却从未有过类似的建议。e=65537=(2^16+1),其签名/加密运算只需要17次模乘,性能也算不错。65537可以在安全上和性能上做出一个很好的平衡,因此大多数加密的e都默认为65537
可以优先尝试e == 65537,不行再爆破
已知n = q
gift = lcm(q-1,p-1)
= (q-1)*(p-1) // gcd(q-1,p-1)
又因为(q-1)*(p-1) 约等于 q*p = n
gift 约等于 n // gcd(q-1,p-1)
于是可以得出gcd(q-1,p-1) 约等于 n // gift
于是得出gcd(q-1,p-1)约等于8
设k = gcd(q-1,p-1) ( k 约等于8,于是爆破k的取值范围为0<k<10)
最后得到q,p,e,又由于gcd(e,phi) != 1
于是:
new_e = e//2
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,n)
m = gmpy2.iroot(m,2)[0]
m = long_to_bytes(m)
可以求出明文
本题过程大致可以分为三部分:
解得e1和e3
解得hint和q1
解得flag
通过这两句断言:
可以建立两个方程,由于两个e都很小,考虑低加密指数攻击:
解的e1,e2
一个常规的rsa加密,没有明显的缺陷,尝试分解n
得到两个质数
常规的分解
得到完全没用的hint,但是得到了对第三步很有用的q1
乍一看似乎很简单,连n都已经分解好了(这让我想起了NCTF的easyRSA)
一测试,果然gcd(e1,phi1) == gcd(e2,phi2) == 14
既然到这里了,就总结一下e和phi不互素时的解法(下次)
从密文形式可以看出是用的python编写的加密脚本,不过这个脚本又被再次加密,猜想应该是纺射加密,从中挑选了两端话来对比得出a和b
得出a = 3, b = 17
纺射解密后得到加密脚本,如下
进入了rsa解题过程,我们先看最后一个加密,相同的明文,相同的n,不同的e
用共模攻击解出n1来
对于倒数第二段加密,通过这两句代码
解出两组明文,最后通过栅栏解密得到flag
#!/usr/bin/python
import
gmpy2
#导入gmpy2库,gmpy2库在rsa解密过程中有很大的作用
p
=
473398607161
q
=
4511491
e
=
17
phi
=
(q
-
1
)
*
(p
-
1
)
#φ(n)通常也被写作phi
d
=
gmpy2.invert(e,phi)
#通过e和phi求d
print
(d)
#!/usr/bin/python
import
gmpy2
#导入gmpy2库,gmpy2库在rsa解密过程中有很大的作用
p
=
473398607161
q
=
4511491
e
=
17
phi
=
(q
-
1
)
*
(p
-
1
)
#φ(n)通常也被写作phi
d
=
gmpy2.invert(e,phi)
#通过e和phi求d
print
(d)
Math
is
cool! Use the RSA algorithm to decode the secret message, c, p, q,
and
e are parameters
for
the RSA algorithm.
p
=
9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q
=
11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e
=
65537
c
=
83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
Use RSA to find the secret message
Math
is
cool! Use the RSA algorithm to decode the secret message, c, p, q,
and
e are parameters
for
the RSA algorithm.
p
=
9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q
=
11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e
=
65537
c
=
83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
Use RSA to find the secret message
#!/usr/bin/python
import
gmpy2
p
=
9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q
=
11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e
=
65537
c
=
83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
n
=
q
*
p
phi
=
(q
-
1
)
*
(p
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
print
(m)
#!/usr/bin/python
import
gmpy2
p
=
9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483
q
=
11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407
e
=
65537
c
=
83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034
n
=
q
*
p
phi
=
(q
-
1
)
*
(p
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
print
(m)
factordb n
factordb n
#!/usr/bin/python
from
Crypto.Util.number
import
long_to_bytes
import
gmpy2
p
=
13574881
q
=
23781539
n
=
q
*
p
e
=
23
c
=
0xdc2eeeb2782c
phi
=
(q
-
1
)
*
(p
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
m
=
long_to_bytes(m)
#把整数依照asc码转化成字符串
print
(m)
#!/usr/bin/python
from
Crypto.Util.number
import
long_to_bytes
import
gmpy2
p
=
13574881
q
=
23781539
n
=
q
*
p
e
=
23
c
=
0xdc2eeeb2782c
phi
=
(q
-
1
)
*
(p
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
m
=
long_to_bytes(m)
#把整数依照asc码转化成字符串
print
(m)
import
hashlib
import
sympy
from
Crypto.Util.number
import
*
flag
=
'GWHT{******}'
secret
=
'******'
assert
(
len
(flag)
=
=
38
)
half
=
len
(flag)
/
2
flag1
=
flag[:half]
flag2
=
flag[half:]
secret_num
=
getPrime(
1024
)
*
bytes_to_long(secret)
p
=
sympy.nextprime(secret_num)
q
=
sympy.nextprime(p)
N
=
p
*
q
e
=
0x10001
F1
=
bytes_to_long(flag1)
F2
=
bytes_to_long(flag2)
c1
=
F1
+
F2
c2
=
pow
(F1,
3
)
+
pow
(F2,
3
)
assert
(c2 < N)
m1
=
pow
(c1, e, N)
m2
=
pow
(c2, e, N)
output
=
open
(
'secret'
,
'w'
)
output.write(
'N='
+
str
(N)
+
'\n'
)
output.write(
'm1='
+
str
(m1)
+
'\n'
)
output.write(
'm2='
+
str
(m2)
+
'\n'
)
output.close()
import
hashlib
import
sympy
from
Crypto.Util.number
import
*
flag
=
'GWHT{******}'
secret
=
'******'
assert
(
len
(flag)
=
=
38
)
half
=
len
(flag)
/
2
flag1
=
flag[:half]
flag2
=
flag[half:]
secret_num
=
getPrime(
1024
)
*
bytes_to_long(secret)
p
=
sympy.nextprime(secret_num)
q
=
sympy.nextprime(p)
N
=
p
*
q
e
=
0x10001
F1
=
bytes_to_long(flag1)
F2
=
bytes_to_long(flag2)
c1
=
F1
+
F2
c2
=
pow
(F1,
3
)
+
pow
(F2,
3
)
assert
(c2 < N)
m1
=
pow
(c1, e, N)
m2
=
pow
(c2, e, N)
output
=
open
(
'secret'
,
'w'
)
output.write(
'N='
+
str
(N)
+
'\n'
)
output.write(
'm1='
+
str
(m1)
+
'\n'
)
output.write(
'm2='
+
str
(m2)
+
'\n'
)
output.close()
p
=
sympy.nextprime(secret_num)
q
=
sympy.nextprime(p)
p
=
sympy.nextprime(secret_num)
q
=
sympy.nextprime(p)
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
isPrime,long_to_bytes
from
z3
import
*
N
=
636585149594574746909030160182690866222909256464847291783000651837227921337237899651287943597773270944384034858925295744880727101606841413640006527614873110651410155893776548737823152943797884729130149758279127430044739254000426610922834573094957082589539445610828279428814524313491262061930512829074466232633130599104490893572093943832740301809630847541592548921200288222432789208650949937638303429456468889100192613859073752923812454212239908948930178355331390933536771065791817643978763045030833712326162883810638120029378337092938662174119747687899484603628344079493556601422498405360731958162719296160584042671057160241284852522913676264596201906163
e
=
65537
cc1
=
90009974341452243216986938028371257528604943208941176518717463554774967878152694586469377765296113165659498726012712288670458884373971419842750929287658640266219686646956929872115782173093979742958745121671928568709468526098715927189829600497283118051641107305128852697032053368115181216069626606165503465125725204875578701237789292966211824002761481815276666236869005129138862782476859103086726091860497614883282949955023222414333243193268564781621699870412557822404381213804026685831221430728290755597819259339616650158674713248841654338515199405532003173732520457813901170264713085107077001478083341339002069870585378257051150217511755761491021553239
cc2
=
487443985757405173426628188375657117604235507936967522993257972108872283698305238454465723214226871414276788912058186197039821242912736742824080627680971802511206914394672159240206910735850651999316100014691067295708138639363203596244693995562780286637116394738250774129759021080197323724805414668042318806010652814405078769738548913675466181551005527065309515364950610137206393257148357659666687091662749848560225453826362271704292692847596339533229088038820532086109421158575841077601268713175097874083536249006018948789413238783922845633494023608865256071962856581229890043896939025613600564283391329331452199062858930374565991634191495137939574539546
r
=
gmpy2.iroot(N,
2
)[
0
]
for
i
in
range
(r,N):
if
isPrime(i):
if
N
%
i
=
=
0
:
p
=
i
q
=
N
/
/
i
break
phi
=
(p
-
1
)
*
(q
-
1
)
d
=
gmpy2.invert(e,phi)
a
=
gmpy2.powmod(cc1,d,N)
b
=
gmpy2.powmod(cc2,d,N)
#a = 2732509502629189160482346120094198557857912754
#b = 5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554
s
=
Solver()
c1, c2
=
Ints(
'c1 c2'
)
s.add(c1
+
c2
=
=
2732509502629189160482346120094198557857912754
)
s.add(c1
*
*
3
+
c2
*
*
3
=
=
5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554
)
if
s.check()
=
=
sat:
m1
=
(s.model()[c1]).as_long()
m2
=
(s.model()[c2]).as_long()
m1
=
str
(long_to_bytes(m1))[
2
:
-
1
]
m2
=
str
(long_to_bytes(m2))[
2
:
-
1
]
m
=
m1
+
m2
print
(m)
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
isPrime,long_to_bytes
from
z3
import
*
N
=
636585149594574746909030160182690866222909256464847291783000651837227921337237899651287943597773270944384034858925295744880727101606841413640006527614873110651410155893776548737823152943797884729130149758279127430044739254000426610922834573094957082589539445610828279428814524313491262061930512829074466232633130599104490893572093943832740301809630847541592548921200288222432789208650949937638303429456468889100192613859073752923812454212239908948930178355331390933536771065791817643978763045030833712326162883810638120029378337092938662174119747687899484603628344079493556601422498405360731958162719296160584042671057160241284852522913676264596201906163
e
=
65537
cc1
=
90009974341452243216986938028371257528604943208941176518717463554774967878152694586469377765296113165659498726012712288670458884373971419842750929287658640266219686646956929872115782173093979742958745121671928568709468526098715927189829600497283118051641107305128852697032053368115181216069626606165503465125725204875578701237789292966211824002761481815276666236869005129138862782476859103086726091860497614883282949955023222414333243193268564781621699870412557822404381213804026685831221430728290755597819259339616650158674713248841654338515199405532003173732520457813901170264713085107077001478083341339002069870585378257051150217511755761491021553239
cc2
=
487443985757405173426628188375657117604235507936967522993257972108872283698305238454465723214226871414276788912058186197039821242912736742824080627680971802511206914394672159240206910735850651999316100014691067295708138639363203596244693995562780286637116394738250774129759021080197323724805414668042318806010652814405078769738548913675466181551005527065309515364950610137206393257148357659666687091662749848560225453826362271704292692847596339533229088038820532086109421158575841077601268713175097874083536249006018948789413238783922845633494023608865256071962856581229890043896939025613600564283391329331452199062858930374565991634191495137939574539546
r
=
gmpy2.iroot(N,
2
)[
0
]
for
i
in
range
(r,N):
if
isPrime(i):
if
N
%
i
=
=
0
:
p
=
i
q
=
N
/
/
i
break
phi
=
(p
-
1
)
*
(q
-
1
)
d
=
gmpy2.invert(e,phi)
a
=
gmpy2.powmod(cc1,d,N)
b
=
gmpy2.powmod(cc2,d,N)
#a = 2732509502629189160482346120094198557857912754
#b = 5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554
s
=
Solver()
c1, c2
=
Ints(
'c1 c2'
)
s.add(c1
+
c2
=
=
2732509502629189160482346120094198557857912754
)
s.add(c1
*
*
3
+
c2
*
*
3
=
=
5514544075236012543362261483183657422998274674127032311399076783844902086865451355210243586349132992563718009577051164928513093068525554
)
if
s.check()
=
=
sat:
m1
=
(s.model()[c1]).as_long()
m2
=
(s.model()[c2]).as_long()
m1
=
str
(long_to_bytes(m1))[
2
:
-
1
]
m2
=
str
(long_to_bytes(m2))[
2
:
-
1
]
m
=
m1
+
m2
print
(m)
usage: genrsa [args] [numbits]
/
/
密钥位数,建议
1024
及以上
-
out
file
output the key to
file
/
/
生成的密钥文件,可从中提取公钥
usage: genrsa [args] [numbits]
/
/
密钥位数,建议
1024
及以上
-
out
file
output the key to
file
/
/
生成的密钥文件,可从中提取公钥
rsa [options] <infile >outfile
-
inform arg
input
format
-
one of DER NET PEM
/
/
输入文件格式,默认pem格式
-
outform arg output
format
-
one of DER NET PEM
/
/
输入文件格式,默认pem格式
-
in
arg
input
file
/
/
输入文件
-
passin arg
input
file
pass
phrase source
/
/
指定输入文件的加密口令,可来自文件、终端、环境变量等
-
out arg output
file
/
/
输出文件
-
passout arg output
file
pass
phrase source
/
/
指定输出文件的加密口令,可来自文件、终端、环境变量等
-
des encrypt PEM output with cbc des
/
/
使用des加密输出的文件
-
des3 encrypt PEM output with ede cbc des using
168
bit key
/
/
使用des3加密输出的文件
-
seed encrypt PEM output with cbc seed
/
/
使用seed加密输出的文件
-
aes128,
-
aes192,
-
aes256
encrypt PEM output with cbc aes
/
/
使用aes加密输出的文件
-
camellia128,
-
camellia192,
-
camellia256
encrypt PEM output with cbc camellia
/
/
使用camellia加密输出的文件呢
-
text
print
the key
in
text
/
/
以明文形式输出各个参数值
-
noout don't
print
key out
/
/
不输出密钥到任何文件
-
modulus
print
the RSA key modulus
/
/
输出模数指
-
check verify key consistency
/
/
检查输入密钥的正确性和一致性
-
pubin expect a public key
in
input
file
/
/
指定输入文件是公钥
-
pubout output a public key
/
/
指定输出文件是公钥
-
engine e use engine e, possibly a hardware device.
/
/
指定三方加密库或者硬件
rsa [options] <infile >outfile
-
inform arg
input
format
-
one of DER NET PEM
/
/
输入文件格式,默认pem格式
-
outform arg output
format
-
one of DER NET PEM
/
/
输入文件格式,默认pem格式
-
in
arg
input
file
/
/
输入文件
-
passin arg
input
file
pass
phrase source
/
/
指定输入文件的加密口令,可来自文件、终端、环境变量等
-
out arg output
file
/
/
输出文件
-
passout arg output
file
pass
phrase source
/
/
指定输出文件的加密口令,可来自文件、终端、环境变量等
-
des encrypt PEM output with cbc des
/
/
使用des加密输出的文件
-
des3 encrypt PEM output with ede cbc des using
168
bit key
/
/
使用des3加密输出的文件
-
seed encrypt PEM output with cbc seed
/
/
使用seed加密输出的文件
-
aes128,
-
aes192,
-
aes256
encrypt PEM output with cbc aes
/
/
使用aes加密输出的文件
-
camellia128,
-
camellia192,
-
camellia256
encrypt PEM output with cbc camellia
/
/
使用camellia加密输出的文件呢
-
text
print
the key
in
text
/
/
以明文形式输出各个参数值
-
noout don't
print
key out
/
/
不输出密钥到任何文件
-
modulus
print
the RSA key modulus
/
/
输出模数指
-
check verify key consistency
/
/
检查输入密钥的正确性和一致性
-
pubin expect a public key
in
input
file
/
/
指定输入文件是公钥
-
pubout output a public key
/
/
指定输出文件是公钥
-
engine e use engine e, possibly a hardware device.
/
/
指定三方加密库或者硬件
Usage: rsautl [options]
-
in
file
input
file
/
/
输入文件
-
out
file
output
file
/
/
输出文件
-
inkey
file
input
key
/
/
输入的密钥
-
keyform arg private key
format
-
default PEM
/
/
指定密钥格式
-
pubin
input
is
an RSA public
/
/
指定输入的是RSA公钥
-
certin
input
is
a certificate carrying an RSA public key
/
/
指定输入的是证书文件
-
ssl use SSL v2 padding
/
/
使用SSLv23的填充方式
-
raw use no padding
/
/
不进行填充
-
pkcs use PKCS
#1 v1.5 padding (default) //使用V1.5的填充方式
-
oaep use PKCS
#1 OAEP //使用OAEP的填充方式
-
sign sign with private key
/
/
使用私钥做签名
-
verify verify with public key
/
/
使用公钥认证签名
-
encrypt encrypt with public key
/
/
使用公钥加密
-
decrypt decrypt with private key
/
/
使用私钥解密
-
hexdump
hex
dump output
/
/
以
16
进制dump输出
-
engine e use engine e, possibly a hardware device.
/
/
指定三方库或者硬件设备
-
passin arg
pass
phrase source
/
/
指定输入的密码
Usage: rsautl [options]
-
in
file
input
file
/
/
输入文件
-
out
file
output
file
/
/
输出文件
-
inkey
file
input
key
/
/
输入的密钥
-
keyform arg private key
format
-
default PEM
/
/
指定密钥格式
-
pubin
input
is
an RSA public
/
/
指定输入的是RSA公钥
-
certin
input
is
a certificate carrying an RSA public key
/
/
指定输入的是证书文件
-
ssl use SSL v2 padding
/
/
使用SSLv23的填充方式
-
raw use no padding
/
/
不进行填充
-
pkcs use PKCS
#1 v1.5 padding (default) //使用V1.5的填充方式
-
oaep use PKCS
#1 OAEP //使用OAEP的填充方式
-
sign sign with private key
/
/
使用私钥做签名
-
verify verify with public key
/
/
使用公钥认证签名
-
encrypt encrypt with public key
/
/
使用公钥加密
-
decrypt decrypt with private key
/
/
使用私钥解密
-
hexdump
hex
dump output
/
/
以
16
进制dump输出
-
engine e use engine e, possibly a hardware device.
/
/
指定三方库或者硬件设备
-
passin arg
pass
phrase source
/
/
指定输入的密码
usage: RsaCtfTool.py [
-
h] [
-
-
publickey PUBLICKEY] [
-
-
timeout TIMEOUT]
[
-
-
createpub] [
-
-
dumpkey] [
-
-
ext]
[
-
-
uncipherfile UNCIPHERFILE] [
-
-
uncipher UNCIPHER]
[
-
-
verbosity {CRITICAL,ERROR,WARNING,DEBUG,INFO}]
[
-
-
private] [
-
-
ecmdigits ECMDIGITS] [
-
n N] [
-
p P] [
-
q Q]
[
-
e E] [
-
-
key KEY]
[
-
-
attack ]
usage: RsaCtfTool.py [
-
h] [
-
-
publickey PUBLICKEY] [
-
-
timeout TIMEOUT]
[
-
-
createpub] [
-
-
dumpkey] [
-
-
ext]
[
-
-
uncipherfile UNCIPHERFILE] [
-
-
uncipher UNCIPHER]
[
-
-
verbosity {CRITICAL,ERROR,WARNING,DEBUG,INFO}]
[
-
-
private] [
-
-
ecmdigits ECMDIGITS] [
-
n N] [
-
p P] [
-
q Q]
[
-
e E] [
-
-
key KEY]
[
-
-
attack ]
from
Crypto.PublicKey
import
RSA
from
Crypto.Cipher
import
PKCS1_OAEP
from
secret
import
flag
import
os
rsa
=
RSA.generate(
2048
)
public_key
=
rsa.publickey().exportKey()
f
=
open
(
"public.key"
,
"w"
)
f.write(public_key.decode())
f.close()
rsakey
=
RSA.importKey(
open
(
"public.key"
,
"r"
).read())
rsa
=
PKCS1_OAEP.new(rsakey)
msg
=
rsa.encrypt(flag.encode())
f
=
open
(
"message"
,
"wb"
)
f.write(msg)
f.close()
from
Crypto.PublicKey
import
RSA
from
Crypto.Cipher
import
PKCS1_OAEP
from
secret
import
flag
import
os
rsa
=
RSA.generate(
2048
)
public_key
=
rsa.publickey().exportKey()
f
=
open
(
"public.key"
,
"w"
)
f.write(public_key.decode())
f.close()
rsakey
=
RSA.importKey(
open
(
"public.key"
,
"r"
).read())
rsa
=
PKCS1_OAEP.new(rsakey)
msg
=
rsa.encrypt(flag.encode())
f
=
open
(
"message"
,
"wb"
)
f.write(msg)
f.close()
openssl rsa
-
in
public.key
-
pubin
-
modulus
-
text
openssl rsa
-
in
public.key
-
pubin
-
modulus
-
text
Modulus:
00
:c2:
07
:
45
:
22
:
3f
:f5:b9:
4b
:
2c
:d8:
41
:
21
:
66
:f7:
28
:
8a
:
21
:f2:
18
:
7e
:
1a
:
42
:
14
:
53
:
91
:
8c
:ab:
03
:c8:
02
:
53
:
45
:
12
:
33
:eb:
1b
:dc:
23
:
63
:
74
:
42
:
28
:aa:
86
:
94
:a8:c2:cb:c8:
33
:f8:
0d
:df:
40
:
83
:
1a
:
68
:
90
:
1b
:
23
:
0b
:
83
:f3:f0:fe:d4:b7:
2d
:
0b
:
94
:
2b
:
5e
:
95
:de:
da:c8:dc:c0:
04
:
7a
:
2a
:fb:
90
:c8:
1e
:d7:
2d
:
3a
:d4:
9b
:
72
:fc:
8b
:d0:d3:
16
:
7d
:dd:aa:
6a
:b5:
16
:
7c
:
05
:
8d
:f3:
6a
:f1:
90
:b2:
16
:
08
:
5b
:bd:
9d
:
62
:
1f
:
9b
:d2:
3a
:
09
:
3e
:
4e
:
3d
:
9c
:c3:
87
:b6:
27
:
4f
:
2c
:
33
:
9c
:
88
:
e1:b2:d9:
08
:ac:b3:
3f
:
4e
:
20
:e6:
47
:ab:ee:
07
:
14
:
a3:cc:e4:
64
:
6e
:
89
:
62
:
94
:b7:
81
:
03
:dc:c9:a4:db:
7e
:d6:
81
:
16
:
4c
:
6e
:
6c
:c7:fd:
33
:
47
:
6e
:
17
:
4a
:
6c
:
70
:
70
:
37
:b2:
50
:
49
:
13
:
65
:f9:f0:eb:
76
:ae:ab:a0:
7d
:b2:f6:
62
:d8:
80
:
48
:af:
98
:c8:
8c
:
76
:c6:
71
:
0d
:
b9:
65
:
8d
:
49
:fc:a0:ca:f1:f5:cd:
99
:dc:
07
:f1:
88
:
43
:
2b
:
48
:f8:
55
:
71
:
16
:
8a
:d1:
0f
:c8:
24
:b7:b6:
82
:
ba:d6:ca:a5:d1:
2f
:f6:f0:
4c
:
92
:
78
:
6b
:
73
:
8a
:b1:
9b
:b7
Exponent:
1d
:
2d
:
2f
:
1f
:
17
:
3f
:
81
:cf:
36
:
8f
:ec:
06
:d4:
0d
:
47
:
fd:
92
:f8:
61
:
5c
:
12
:ee:c1:
41
:
68
:f2:
88
:
42
:
79
:
52
:
b8:cf:
5a
:
53
:
8f
:
70
:ba:
33
:
41
:b6:a1:
73
:ae:
80
:
37
:
5a
:
96
:b0:d3:
84
:d9:
72
:
2b
:
19
:
14
:
9f
:
78
:
94
:
73
:
75
:
e0:a3:
3d
:f5:e6:
93
:ed:ab:d5:e4:d4:
4c
:ff:a9:e5:
25
:ea:
01
:
4f
:
3f
:a4:
99
:b5:f7:b2:
9b
:
21
:
9d
:
90
:b8:
8d
:a5:
5a
:ae:
3a
:
08
:
63
:
73
:
38
:d7:be:d0:
56
:e3:ae:
c5:
75
:be:
56
:bb:de:
53
:
4b
:
35
:
5a
:
2e
:
77
:
57
:db:
7a
:
ec:a9:
6e
:
78
:d6:
7f
:
21
:
53
:
0b
:
7c
:
3e
:c2:
4a
:c6:
1f
:
9b
:
47
:
4a
:b2:
83
:
22
:
0d
:d9:
54
:
51
:
35
:d0:
65
:a7:
24
:
ce:
2f
:
8f
:
44
:e3:
2e
:
46
:
0e
:ef:
5f
:
99
:
58
:
00
:
9c
:
58
:
af:
59
:
51
:
93
:d7:
7e
:
72
:c2:
5f
:
0c
:b0:
15
:
05
:b9:
93
:
c1:
35
:
32
:
8b
:
11
:b5:
00
:dc:ab:c9:
55
:c9:
17
:
7f
:
83
:
9d
:d0:
43
:
58
:
6e
:
25
:a3:
13
:
35
:e7:d5:
43
:
7d
:c9:e6:
cd:
6d
:
4e
:be:cb:
29
:
37
:e1:
60
:
26
:c2:
79
:
2e
:
17
:
45
:
f4:
4e
:ed:
54
:
11
:be:aa:b5:
5e
:d0:
90
:
5d
:b9:
19
:
8c
:
bd:
43
:
11
:
11
:be:
87
:
46
:
2f
:
46
:
36
:
9e
:
31
:d1:a4:
61
:
3f
Modulus:
00
:c2:
07
:
45
:
22
:
3f
:f5:b9:
4b
:
2c
:d8:
41
:
21
:
66
:f7:
28
:
8a
:
21
:f2:
18
:
7e
:
1a
:
42
:
14
:
53
:
91
:
8c
:ab:
03
:c8:
02
:
53
:
45
:
12
:
33
:eb:
1b
:dc:
23
:
63
:
74
:
42
:
28
:aa:
86
:
94
:a8:c2:cb:c8:
33
:f8:
0d
:df:
40
:
83
:
1a
:
68
:
90
:
1b
:
23
:
0b
:
83
:f3:f0:fe:d4:b7:
2d
:
0b
:
94
:
2b
:
5e
:
95
:de:
da:c8:dc:c0:
04
:
7a
:
2a
:fb:
90
:c8:
1e
:d7:
2d
:
3a
:d4:
9b
:
72
:fc:
8b
:d0:d3:
16
:
7d
:dd:aa:
6a
:b5:
16
:
7c
:
05
:
8d
:f3:
6a
:f1:
90
:b2:
16
:
08
:
5b
:bd:
9d
:
62
:
1f
:
9b
:d2:
3a
:
09
:
3e
:
4e
:
3d
:
9c
:c3:
87
:b6:
27
:
4f
:
2c
:
33
:
9c
:
88
:
e1:b2:d9:
08
:ac:b3:
3f
:
4e
:
20
:e6:
47
:ab:ee:
07
:
14
:
a3:cc:e4:
64
:
6e
:
89
:
62
:
94
:b7:
81
:
03
:dc:c9:a4:db:
7e
:d6:
81
:
16
:
4c
:
6e
:
6c
:c7:fd:
33
:
47
:
6e
:
17
:
4a
:
6c
:
70
:
70
:
37
:b2:
50
:
49
:
13
:
65
:f9:f0:eb:
76
:ae:ab:a0:
7d
:b2:f6:
62
:d8:
80
:
48
:af:
98
:c8:
8c
:
76
:c6:
71
:
0d
:
b9:
65
:
8d
:
49
:fc:a0:ca:f1:f5:cd:
99
:dc:
07
:f1:
88
:
43
:
2b
:
48
:f8:
55
:
71
:
16
:
8a
:d1:
0f
:c8:
24
:b7:b6:
82
:
ba:d6:ca:a5:d1:
2f
:f6:f0:
4c
:
92
:
78
:
6b
:
73
:
8a
:b1:
9b
:b7
Exponent:
1d
:
2d
:
2f
:
1f
:
17
:
3f
:
81
:cf:
36
:
8f
:ec:
06
:d4:
0d
:
47
:
fd:
92
:f8:
61
:
5c
:
12
:ee:c1:
41
:
68
:f2:
88
:
42
:
79
:
52
:
b8:cf:
5a
:
53
:
8f
:
70
:ba:
33
:
41
:b6:a1:
73
:ae:
80
:
37
:
5a
:
96
:b0:d3:
84
:d9:
72
:
2b
:
19
:
14
:
9f
:
78
:
94
:
73
:
75
:
e0:a3:
3d
:f5:e6:
93
:ed:ab:d5:e4:d4:
4c
:ff:a9:e5:
25
:ea:
01
:
4f
:
3f
:a4:
99
:b5:f7:b2:
9b
:
21
:
9d
:
90
:b8:
8d
:a5:
5a
:ae:
3a
:
08
:
63
:
73
:
38
:d7:be:d0:
56
:e3:ae:
c5:
75
:be:
56
:bb:de:
53
:
4b
:
35
:
5a
:
2e
:
77
:
57
:db:
7a
:
ec:a9:
6e
:
78
:d6:
7f
:
21
:
53
:
0b
:
7c
:
3e
:c2:
4a
:c6:
1f
:
9b
:
47
:
4a
:b2:
83
:
22
:
0d
:d9:
54
:
51
:
35
:d0:
65
:a7:
24
:
ce:
2f
:
8f
:
44
:e3:
2e
:
46
:
0e
:ef:
5f
:
99
:
58
:
00
:
9c
:
58
:
af:
59
:
51
:
93
:d7:
7e
:
72
:c2:
5f
:
0c
:b0:
15
:
05
:b9:
93
:
c1:
35
:
32
:
8b
:
11
:b5:
00
:dc:ab:c9:
55
:c9:
17
:
7f
:
83
:
9d
:d0:
43
:
58
:
6e
:
25
:a3:
13
:
35
:e7:d5:
43
:
7d
:c9:e6:
cd:
6d
:
4e
:be:cb:
29
:
37
:e1:
60
:
26
:c2:
79
:
2e
:
17
:
45
:
f4:
4e
:ed:
54
:
11
:be:aa:b5:
5e
:d0:
90
:
5d
:b9:
19
:
8c
:
bd:
43
:
11
:
11
:be:
87
:
46
:
2f
:
46
:
36
:
9e
:
31
:d1:a4:
61
:
3f
python RsaCtfTool.py
-
-
publickey public.key
-
-
private >> pri.key
python RsaCtfTool.py
-
-
publickey public.key
-
-
private >> pri.key
openssl rsautl
-
decrypt
-
in
message
-
inkey pri.key
openssl rsautl
-
decrypt
-
in
message
-
inkey pri.key
openssl rsautl
-
decrypt
-
oaep
-
in
message
-
inkey pri.key
openssl rsautl
-
decrypt
-
oaep
-
in
message
-
inkey pri.key
p
+
q :
0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
(p
+
1
)(q
+
1
) :
0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e :
0xe6b1bee47bd63f615c7d0a43c529d219
d :
0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
enc_flag :
0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
p
+
q :
0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
(p
+
1
)(q
+
1
) :
0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e :
0xe6b1bee47bd63f615c7d0a43c529d219
d :
0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
enc_flag :
0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
from
z3
import
*
tmp1
=
0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
tmp2
=
0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e
=
0xe6b1bee47bd63f615c7d0a43c529d219
d
=
0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
c
=
0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
s
=
Solver()
p,q
=
Ints(
'p q'
)
s.add(p
+
q
=
=
tmp1)
s.add((p
+
1
)
*
(q
+
1
)
=
=
tmp2)
assert
s.check()
=
=
sat
p
=
s.model()[p].as_long()
q
=
s.model()[q].as_long()
n
=
q
*
p
phi
=
(p
-
1
)
*
(q
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
print
(long_to_bytes(m))
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
from
z3
import
*
tmp1
=
0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
tmp2
=
0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
e
=
0xe6b1bee47bd63f615c7d0a43c529d219
d
=
0x2dde7fbaed477f6d62838d55b0d0964868cf6efb2c282a5f13e6008ce7317a24cb57aec49ef0d738919f47cdcd9677cd52ac2293ec5938aa198f962678b5cd0da344453f521a69b2ac03647cdd8339f4e38cec452d54e60698833d67f9315c02ddaa4c79ebaa902c605d7bda32ce970541b2d9a17d62b52df813b2fb0c5ab1a5
c
=
0x50ae00623211ba6089ddfae21e204ab616f6c9d294e913550af3d66e85d0c0693ed53ed55c46d8cca1d7c2ad44839030df26b70f22a8567171a759b76fe5f07b3c5a6ec89117ed0a36c0950956b9cde880c575737f779143f921d745ac3bb0e379c05d9a3cc6bf0bea8aa91e4d5e752c7eb46b2e023edbc07d24a7c460a34a9a
s
=
Solver()
p,q
=
Ints(
'p q'
)
s.add(p
+
q
=
=
tmp1)
s.add((p
+
1
)
*
(q
+
1
)
=
=
tmp2)
assert
s.check()
=
=
sat
p
=
s.model()[p].as_long()
q
=
s.model()[q].as_long()
n
=
q
*
p
phi
=
(p
-
1
)
*
(q
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
print
(long_to_bytes(m))
from
Crypto.Util.number
import
getPrime,bytes_to_long
from
sympy
import
Derivative
from
fractions
import
Fraction
from
secret
import
flag
p
=
getPrime(
1024
)
q
=
getPrime(
1024
)
e
=
65537
n
=
p
*
q
z
=
Fraction(
1
,Derivative(arctan(p),p))
-
Fraction(
1
,Derivative(arth(q),q))
m
=
bytes_to_long(flag)
c
=
pow
(m,e,n)
print
(c,z,n)
'''
output:
7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
'''
from
Crypto.Util.number
import
getPrime,bytes_to_long
from
sympy
import
Derivative
from
fractions
import
Fraction
from
secret
import
flag
p
=
getPrime(
1024
)
q
=
getPrime(
1024
)
e
=
65537
n
=
p
*
q
z
=
Fraction(
1
,Derivative(arctan(p),p))
-
Fraction(
1
,Derivative(arth(q),q))
m
=
bytes_to_long(flag)
c
=
pow
(m,e,n)
print
(c,z,n)
'''
output:
7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
'''
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
from
z3
import
*
c
=
7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
z
=
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
n
=
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
e
=
65537
s
=
Solver()
a,b
=
Ints(
'a b'
)
s.add( a
*
b
=
=
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
)
s.add( a
*
*
2
+
b
*
*
2
=
=
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
)
s.add(
0
< a,
0
< b)
if
s.check()
=
=
sat:
q
=
s.model()[a].as_long()
p
=
s.model()[b].as_long()
phi
=
(q
-
1
)
*
(p
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
print
(long_to_bytes(m))
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
from
z3
import
*
c
=
7922547866857761459807491502654216283012776177789511549350672958101810281348402284098310147796549430689253803510994877420135537268549410652654479620858691324110367182025648788407041599943091386227543182157746202947099572389676084392706406084307657000104665696654409155006313203957292885743791715198781974205578654792123191584957665293208390453748369182333152809882312453359706147808198922916762773721726681588977103877454119043744889164529383188077499194932909643918696646876907327364751380953182517883134591810800848971719184808713694342985458103006676013451912221080252735948993692674899399826084848622145815461035
z
=
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
n
=
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
e
=
65537
s
=
Solver()
a,b
=
Ints(
'a b'
)
s.add( a
*
b
=
=
15310745161336895413406690009324766200789179248896951942047235448901612351128459309145825547569298479821101249094161867207686537607047447968708758990950136380924747359052570549594098569970632854351825950729752563502284849263730127586382522703959893392329333760927637353052250274195821469023401443841395096410231843592101426591882573405934188675124326997277775238287928403743324297705151732524641213516306585297722190780088180705070359469719869343939106529204798285957516860774384001892777525916167743272419958572055332232056095979448155082465977781482598371994798871917514767508394730447974770329967681767625495394441
)
s.add( a
*
*
2
+
b
*
*
2
=
=
32115748677623209667471622872185275070257924766015020072805267359839059393284316595882933372289732127274076434587519333300142473010344694803885168557548801202495933226215437763329280242113556524498457559562872900811602056944423967403777623306961880757613246328729616643032628964072931272085866928045973799374711846825157781056965164178505232524245809179235607571567174228822561697888645968559343608375331988097157145264357626738141646556353500994924115875748198318036296898604097000938272195903056733565880150540275369239637793975923329598716003350308259321436752579291000355560431542229699759955141152914708362494482
)
s.add(
0
< a,
0
< b)
if
s.check()
=
=
sat:
q
=
s.model()[a].as_long()
p
=
s.model()[b].as_long()
phi
=
(q
-
1
)
*
(p
-
1
)
d
=
gmpy2.invert(e,phi)
m
=
gmpy2.powmod(c,d,n)
print
(long_to_bytes(m))
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
e
=
0x10001
f
=
open
(
"./out.txt"
,
"r"
)
data
=
f.read()
data
=
int
(data,
16
)
m
=
gmpy2.iroot(data,e)[
0
]
print
(long_to_bytes(m))
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
e
=
0x10001
f
=
open
(
"./out.txt"
,
"r"
)
data
=
f.read()
data
=
int
(data,
16
)
m
=
gmpy2.iroot(data,e)[
0
]
print
(long_to_bytes(m))
from
data
import
e1,e2,p,q1p,q1q,hint,flag
ee1
=
42
ee2
=
3
ce1
=
45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2
=
13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp
=
864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
n
=
15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
assert
(
pow
(e1,ee1,n)
=
=
ce1)
#断言,括号里的等式恒成立
assert
(
pow
(e2
+
tmp,ee2,n)
=
=
ce2)
from
data
import
e1,e2,p,q1p,q1q,hint,flag
ee1
=
42
ee2
=
3
ce1
=
45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2
=
13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
tmp
=
864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
n
=
15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
assert
(
pow
(e1,ee1,n)
=
=
ce1)
#断言,括号里的等式恒成立
assert
(
pow
(e2
+
tmp,ee2,n)
=
=
ce2)
#!/usr/bin/python
import
gmpy2
ee1
=
42
ee2
=
3
ce1
=
45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2
=
13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
n
=
15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
tmp
=
864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
#--------find e1--------
for
k
in
range
(
200000000
):
c
=
k
*
n
+
ce1
if
gmpy2.iroot(c,ee1)[
1
]:
e1
=
gmpy2.iroot(c,ee1)[
0
]
break
#---------check e1-----
if
ce1
=
=
gmpy2.powmod(e1,ee1,n):
print
(
"e1 = %d"
%
e1)
#--------find e2--------
for
k
in
range
(
1000000
):
c
=
k
*
n
+
ce2
if
gmpy2.iroot(c,
3
)[
1
]:
m
=
gmpy2.iroot(c,
3
)[
0
]
e2
=
m
-
tmp
break
#---------check e2-----
if
ce2
=
=
gmpy2.powmod((e2
+
tmp),
3
,n):
print
(
"e2 = %d"
%
e2)
#!/usr/bin/python
import
gmpy2
ee1
=
42
ee2
=
3
ce1
=
45722651786340123946960815003059322528810481841378247280642868553607692149509126962872583037142461398806689489141741494974836882341505234255325683219092163052843461632338442529011502378931140356111756932712822516814023166068902569458299933391973504078898958921809723346229893913662577294963528318424676803942288386430172430880307619748186863890050113934573820505570928109017842647598266634344447182347849367714564686341871007505886728393751147033556889217604647355628557502208364412269944908011305064122941446516990168924709684092200183860653173856272384
ce2
=
13908468332333567158469136439932325992349696889129103935400760239319454409539725389747059213835238373047899198211128689374049729578146875309231962936554403287882999967840346216695208424582739777034261079550395918048421086843927009452479936045850799096750074359160775182238980989229190157551197830879877097703347301072427149474991803868325769967332356950863518504965486565464059770451458557744949735282131727956056279292800694203866167270268988437389945703117070604488999247750139568614939965885211276821987586882908159585863514561191905040244967655444219603287214405014887994238259270716355378069726760953320025828158
n
=
15911581555796798614711625288508309704791837516232122410440958830726078821069050404012820896260071751380436992710638364294658173571101596931605797509712839622479368850251206419748090059752427303611760004621378226431226983665746837779056271530181865648115862947527212787824629516204832313026456390047768174765687040950636530480549014401279054346098030395100387004111574278813749630986724706263655166289586230453975953773791945408589484679371854113457758157492241225180907090235116325034822993748409011554673180494306003272836905082473475046277554085737627846557240367696214081276345071055578169299060706794192776825039
tmp
=
864078778078609835167779565982540757684070450697854309005171742813414963447462554999012718960925081621571487444725528982424037419052194840720949809891134854871222612682162490991065015935449289960707882463387
#--------find e1--------
for
k
in
range
(
200000000
):
c
=
k
*
n
+
ce1
if
gmpy2.iroot(c,ee1)[
1
]:
e1
=
gmpy2.iroot(c,ee1)[
0
]
break
#---------check e1-----
if
ce1
=
=
gmpy2.powmod(e1,ee1,n):
print
(
"e1 = %d"
%
e1)
#--------find e2--------
for
k
in
range
(
1000000
):
c
=
k
*
n
+
ce2
if
gmpy2.iroot(c,
3
)[
1
]:
m
=
gmpy2.iroot(c,
3
)[
0
]
e2
=
m
-
tmp
break
#---------check e2-----
if
ce2
=
=
gmpy2.powmod((e2
+
tmp),
3
,n):
print
(
"e2 = %d"
%
e2)
e1
=
15218928658178
e2
=
381791429275130
e1
=
15218928658178
e2
=
381791429275130
N
=
101991809777553253470276751399264740131157682329252673501792154507006158434432009141995367241962525705950046253400188884658262496534706438791515071885860897552736656899566915731297225817250639873643376310103992170646906557242832893914902053581087502512787303322747780420210884852166586717636559058152544979471
e
=
46731919563265721307105180410302518676676135509737992912625092976849075262192092549323082367518264378630543338219025744820916471913696072050291990620486581719410354385121760761374229374847695148230596005409978383369740305816082770283909611956355972181848077519920922059268376958811713365106925235218265173085
import
hashlib
flag
=
"flag{"
+
hashlib.md5(
hex
(d)).hexdigest()
+
"}"
N
=
101991809777553253470276751399264740131157682329252673501792154507006158434432009141995367241962525705950046253400188884658262496534706438791515071885860897552736656899566915731297225817250639873643376310103992170646906557242832893914902053581087502512787303322747780420210884852166586717636559058152544979471
e
=
46731919563265721307105180410302518676676135509737992912625092976849075262192092549323082367518264378630543338219025744820916471913696072050291990620486581719410354385121760761374229374847695148230596005409978383369740305816082770283909611956355972181848077519920922059268376958811713365106925235218265173085
import
hashlib
flag
=
"flag{"
+
hashlib.md5(
hex
(d)).hexdigest()
+
"}"
#!/usr/bin/python2
import
gmpy2
from
Crypto.PublicKey
import
RSA
import
ContinuedFractions, Arithmetic
from
Crypto.Util.number
import
long_to_bytes
def
wiener_hack(e, n):
frac
=
ContinuedFractions.rational_to_contfrac(e, n)
convergents
=
ContinuedFractions.convergents_from_contfrac(frac)
for
(k, d)
in
convergents:
if
k !
=
0
and
(e
*
d
-
1
)
%
k
=
=
0
:
phi
=
(e
*
d
-
1
)
/
/
k
s
=
n
-
phi
+
1
discr
=
s
*
s
-
4
*
n
if
(discr >
=
0
):
t
=
Arithmetic.is_perfect_square(discr)
if
t !
=
-
1
and
(s
+
t)
%
2
=
=
0
:
print
(
"Hacked!"
)
return
d
return
False
def
main():
n
=
int
(
input
(
"input the n :\n"
))
e
=
int
(
input
(
"input the e :\n"
))
d
=
wiener_hack(e, n)
print
(d)
if
__name__
=
=
"__main__"
:
main()
#!/usr/bin/python2
import
gmpy2
from
Crypto.PublicKey
import
RSA
import
ContinuedFractions, Arithmetic
from
Crypto.Util.number
import
long_to_bytes
def
wiener_hack(e, n):
frac
=
ContinuedFractions.rational_to_contfrac(e, n)
convergents
=
ContinuedFractions.convergents_from_contfrac(frac)
for
(k, d)
in
convergents:
if
k !
=
0
and
(e
*
d
-
1
)
%
k
=
=
0
:
phi
=
(e
*
d
-
1
)
/
/
k
s
=
n
-
phi
+
1
discr
=
s
*
s
-
4
*
n
if
(discr >
=
0
):
t
=
Arithmetic.is_perfect_square(discr)
if
t !
=
-
1
and
(s
+
t)
%
2
=
=
0
:
print
(
"Hacked!"
)
return
d
return
False
def
main():
n
=
int
(
input
(
"input the n :\n"
))
e
=
int
(
input
(
"input the e :\n"
))
d
=
wiener_hack(e, n)
print
(d)
if
__name__
=
=
"__main__"
:
main()
p1
=
get_a_prime(
128
)
p2
=
get_a_prime(
128
)
p3
=
get_a_prime(
128
)
n1
=
p1
*
p2
n2
=
p1
*
p3
e
=
0x1001
c1
=
encrypt(msg1, e, n1)
c2
=
encrypt(msg2, e, n2)
print
(c1)
print
(c2)
p1
=
get_a_prime(
128
)
p2
=
get_a_prime(
128
)
p3
=
get_a_prime(
128
)
n1
=
p1
*
p2
n2
=
p1
*
p3
e
=
0x1001
c1
=
encrypt(msg1, e, n1)
c2
=
encrypt(msg2, e, n2)
print
(c1)
print
(c2)
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes,isPrime
n1
=
2499586809914462821807624371088011200618603528498132509598946284572455726453497171635086810524607288333625665025664872216634366700044105279185519761587818169021167370991396691510275499486673922916370294043072503635630922980240462022218565365191228535222150496387990987123639567257124081274667568443678527637259644488779394704508217357758791670308548246801142468699716221789070607334747835552167450340441488756779323653879402176647890584656379628685893686585469918686253137796663587854943386347039389769790329948165162483370187914412810153613198247569427480466488647563900948387020677830797976534568626241686906738179
n2
=
7741603029707932330739678982394275613217057249691533148704382574439895657047911501600910571360188397109729289277796711334388156202412769743785164713243932001078475541271281825859671767783178037363138683152051263779907568124470598237502689045677891605285193637790880045372303913424654655825837641694318544209980415256180296972066060073206323473960669679401950151966003026531573962072358852304635671658878866030003484715256388556599713638695448516673643703041094737763957937855870992247472296348887788212823714735080211059688680618314050267995177478035769912691185787944037050674163079867101586607780761245261558200843
n3
=
9895571060693703887018268413746107679094703478067972087862851570192520012058188062485476484700707994684397704099884436398099581319015589480235346899990863625919087077906193223937343450727301243043576326163300258770936289423785376338765758863453745278516208013244068358484113062931878984339475569902332075509121153749576470546863477142562563573654198332099438611713385318497180237117792417826080724886477023904678472464557511959911739272258202310963925049222305927992349171516332320267610895787011879250778522843808895509894741144901052000573058315131265960606119769594234837973757057319170067823816025499647517874841
c1
=
0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2
=
0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
p1
=
gmpy2.gcd(n1,n2)
p2
=
n1
/
/
p1
p3
=
n2
/
/
p1
assert
isPrime(p1)
/
/
检查这三个数是否为素数
assert
isPrime(p2)
assert
isPrime(p3)
e
=
0x1001
phi1
=
(p1
-
1
)
*
(p2
-
1
)
phi2
=
(p1
-
1
)
*
(p3
-
1
)
d1
=
gmpy2.invert(e,phi1)
d2
=
gmpy2.invert(e,phi2)
m1
=
gmpy2.powmod(c1,d1,n1)
m2
=
gmpy2.powmod(c2,d2,n2)
print
(long_to_bytes(m1))
print
(long_to_bytes(m2))
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes,isPrime
n1
=
2499586809914462821807624371088011200618603528498132509598946284572455726453497171635086810524607288333625665025664872216634366700044105279185519761587818169021167370991396691510275499486673922916370294043072503635630922980240462022218565365191228535222150496387990987123639567257124081274667568443678527637259644488779394704508217357758791670308548246801142468699716221789070607334747835552167450340441488756779323653879402176647890584656379628685893686585469918686253137796663587854943386347039389769790329948165162483370187914412810153613198247569427480466488647563900948387020677830797976534568626241686906738179
n2
=
7741603029707932330739678982394275613217057249691533148704382574439895657047911501600910571360188397109729289277796711334388156202412769743785164713243932001078475541271281825859671767783178037363138683152051263779907568124470598237502689045677891605285193637790880045372303913424654655825837641694318544209980415256180296972066060073206323473960669679401950151966003026531573962072358852304635671658878866030003484715256388556599713638695448516673643703041094737763957937855870992247472296348887788212823714735080211059688680618314050267995177478035769912691185787944037050674163079867101586607780761245261558200843
n3
=
9895571060693703887018268413746107679094703478067972087862851570192520012058188062485476484700707994684397704099884436398099581319015589480235346899990863625919087077906193223937343450727301243043576326163300258770936289423785376338765758863453745278516208013244068358484113062931878984339475569902332075509121153749576470546863477142562563573654198332099438611713385318497180237117792417826080724886477023904678472464557511959911739272258202310963925049222305927992349171516332320267610895787011879250778522843808895509894741144901052000573058315131265960606119769594234837973757057319170067823816025499647517874841
c1
=
0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2
=
0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
p1
=
gmpy2.gcd(n1,n2)
p2
=
n1
/
/
p1
p3
=
n2
/
/
p1
assert
isPrime(p1)
/
/
检查这三个数是否为素数
assert
isPrime(p2)
assert
isPrime(p3)
e
=
0x1001
phi1
=
(p1
-
1
)
*
(p2
-
1
)
phi2
=
(p1
-
1
)
*
(p3
-
1
)
d1
=
gmpy2.invert(e,phi1)
d2
=
gmpy2.invert(e,phi2)
m1
=
gmpy2.powmod(c1,d1,n1)
m2
=
gmpy2.powmod(c2,d2,n2)
print
(long_to_bytes(m1))
print
(long_to_bytes(m2))
明文m、模数n相同,公钥指数e、密文c不同,gcd(e1,e2)
=
=
1
,也就是e1和e2互质时
e1
*
s1
+
e2
*
s3
=
1
有唯一的解
由于:
c1
=
=
m^e1 mod n
c2
=
=
m e2 mod n
那么:
(c1^s1
*
c2 ^ s2) mod n
=
( (m^e1 mod n)^s1
*
(m^e2 mod n)^s2 )mod n
=
m^(e1
*
s1)
*
m^(e2
*
s2) mod n
=
m mod n
明文m、模数n相同,公钥指数e、密文c不同,gcd(e1,e2)
=
=
1
,也就是e1和e2互质时
e1
*
s1
+
e2
*
s3
=
1
有唯一的解
由于:
c1
=
=
m^e1 mod n
c2
=
=
m e2 mod n
那么:
(c1^s1
*
c2 ^ s2) mod n
=
( (m^e1 mod n)^s1
*
(m^e2 mod n)^s2 )mod n
=
m^(e1
*
s1)
*
m^(e2
*
s2) mod n
=
m mod n
from
Crypto.Util.number
import
bytes_to_long, getPrime
from
random
import
randint
from
gmpy2
import
powmod
p
=
getPrime(
2048
)
q
=
getPrime(
2048
)
N
=
p
*
q
Phi
=
(p
-
1
)
*
(q
-
1
)
def
get_enc_key(N,Phi):
e
=
getPrime(N)
if
Phi
%
e
=
=
0
:
return
get_enc_key(N, Phi)
else
:
return
e
e1
=
get_enc_key(randint(
10
,
12
), Phi)
e2
=
get_enc_key(randint(
10
,
12
), Phi)
fr
=
open
(r
"./base64"
,
"rb"
)
#flag is in this file
f1
=
open
(r
"./HUB1"
,
"wb"
)
f2
=
open
(r
"./HUB2"
,
"wb"
)
base64
=
fr.read(
255
)
f1.write(
"%d\n%d\n"
%
(N, e1))
f2.write(
"%d\n%d\n"
%
(N, e2))
while
len
(base64)>
0
:
pt
=
bytes_to_long(base64)
ct1
=
powmod(pt, e1, N)
ct2
=
powmod(pt, e2, N)
f1.write(
"\n%d"
%
ct1)
f2.write(
"\n%d"
%
ct2)
base64
=
fr.read(
255
)
fr.close()
f1.close()
f2.close()
from
Crypto.Util.number
import
bytes_to_long, getPrime
from
random
import
randint
from
gmpy2
import
powmod
p
=
getPrime(
2048
)
q
=
getPrime(
2048
)
N
=
p
*
q
Phi
=
(p
-
1
)
*
(q
-
1
)
def
get_enc_key(N,Phi):
e
=
getPrime(N)
if
Phi
%
e
=
=
0
:
return
get_enc_key(N, Phi)
else
:
return
e
e1
=
get_enc_key(randint(
10
,
12
), Phi)
e2
=
get_enc_key(randint(
10
,
12
), Phi)
fr
=
open
(r
"./base64"
,
"rb"
)
#flag is in this file
f1
=
open
(r
"./HUB1"
,
"wb"
)
f2
=
open
(r
"./HUB2"
,
"wb"
)
base64
=
fr.read(
255
)
f1.write(
"%d\n%d\n"
%
(N, e1))
f2.write(
"%d\n%d\n"
%
(N, e2))
while
len
(base64)>
0
:
pt
=
bytes_to_long(base64)
ct1
=
powmod(pt, e1, N)
ct2
=
powmod(pt, e2, N)
f1.write(
"\n%d"
%
ct1)
f2.write(
"\n%d"
%
ct2)
base64
=
fr.read(
255
)
fr.close()
f1.close()
f2.close()
#!/usr/bin/python2
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
f1
=
open
(
"./HUB1"
,
"r"
)
f2
=
open
(
"./HUB2"
,
"r"
)
data1
=
f1.readlines()
data2
=
f2.readlines()
n
=
int
(data1[
0
])
e1
=
int
(data1[
1
])
c1
=
int
(data1[
3
])
e2
=
int
(data2[
1
])
c2
=
int
(data2[
3
])
_, r, s
=
gmpy2.gcdext(e1, e2)
m
=
pow
(c1, r, n)
*
pow
(c2, s, n)
%
n
print
long_to_bytes(m)
#!/usr/bin/python2
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
f1
=
open
(
"./HUB1"
,
"r"
)
f2
=
open
(
"./HUB2"
,
"r"
)
data1
=
f1.readlines()
data2
=
f2.readlines()
n
=
int
(data1[
0
])
e1
=
int
(data1[
1
])
c1
=
int
(data1[
3
])
e2
=
int
(data2[
1
])
c2
=
int
(data2[
3
])
_, r, s
=
gmpy2.gcdext(e1, e2)
m
=
pow
(c1, r, n)
*
pow
(c2, s, n)
%
n
print
long_to_bytes(m)
N
=
331310324212000030020214312244232222400142410423413104441140203003243002104333214202031202212403400220031202142322434104143104244241214204444443323000244130122022422310201104411044030113302323014101331214303223312402430402404413033243132101010422240133122211400434023222214231402403403200012221023341333340042343122302113410210110221233241303024431330001303404020104442443120130000334110042432010203401440404010003442001223042211442001413004
c
=
310020004234033304244200421414413320341301002123030311202340222410301423440312412440240244110200112141140201224032402232131204213012303204422003300004011434102141321223311243242010014140422411342304322201241112402132203101131221223004022003120002110230023341143201404311340311134230140231412201333333142402423134333211302102413111111424430032440123340034044314223400401224111323000242234420441240411021023100222003123214343030122032301042243
N
=
302240000040421410144422133334143140011011044322223144412002220243001141141114123223331331304421113021231204322233120121444434210041232214144413244434424302311222143224402302432102242132244032010020113224011121043232143221203424243134044314022212024343100042342002432331144300214212414033414120004344211330224020301223033334324244031204240122301242232011303211220044222411134403012132420311110302442344021122101224411230002203344140143044114
c
=
112200203404013430330214124004404423210041321043000303233141423344144222343401042200334033203124030011440014210112103234440312134032123400444344144233020130110134042102220302002413321102022414130443041144240310121020100310104334204234412411424420321211112232031121330310333414423433343322024400121200333330432223421433344122023012440013041401423202210124024431040013414313121123433424113113414422043330422002314144111134142044333404112240344
N
=
332200324410041111434222123043121331442103233332422341041340412034230003314420311333101344231212130200312041044324431141033004333110021013020140020011222012300020041342040004002220210223122111314112124333211132230332124022423141214031303144444134403024420111423244424030030003340213032121303213343020401304243330001314023030121034113334404440421242240113103203013341231330004332040302440011324004130324034323430143102401440130242321424020323
c
=
10013444120141130322433204124002242224332334011124210012440241402342100410331131441303242011002101323040403311120421304422222200324402244243322422444414043342130111111330022213203030324422101133032212042042243101434342203204121042113212104212423330331134311311114143200011240002111312122234340003403312040401043021433112031334324322123304112340014030132021432101130211241134422413442312013042141212003102211300321404043012124332013240431242
N
=
331310324212000030020214312244232222400142410423413104441140203003243002104333214202031202212403400220031202142322434104143104244241214204444443323000244130122022422310201104411044030113302323014101331214303223312402430402404413033243132101010422240133122211400434023222214231402403403200012221023341333340042343122302113410210110221233241303024431330001303404020104442443120130000334110042432010203401440404010003442001223042211442001413004
c
=
310020004234033304244200421414413320341301002123030311202340222410301423440312412440240244110200112141140201224032402232131204213012303204422003300004011434102141321223311243242010014140422411342304322201241112402132203101131221223004022003120002110230023341143201404311340311134230140231412201333333142402423134333211302102413111111424430032440123340034044314223400401224111323000242234420441240411021023100222003123214343030122032301042243
N
=
302240000040421410144422133334143140011011044322223144412002220243001141141114123223331331304421113021231204322233120121444434210041232214144413244434424302311222143224402302432102242132244032010020113224011121043232143221203424243134044314022212024343100042342002432331144300214212414033414120004344211330224020301223033334324244031204240122301242232011303211220044222411134403012132420311110302442344021122101224411230002203344140143044114
c
=
112200203404013430330214124004404423210041321043000303233141423344144222343401042200334033203124030011440014210112103234440312134032123400444344144233020130110134042102220302002413321102022414130443041144240310121020100310104334204234412411424420321211112232031121330310333414423433343322024400121200333330432223421433344122023012440013041401423202210124024431040013414313121123433424113113414422043330422002314144111134142044333404112240344
N
=
332200324410041111434222123043121331442103233332422341041340412034230003314420311333101344231212130200312041044324431141033004333110021013020140020011222012300020041342040004002220210223122111314112124333211132230332124022423141214031303144444134403024420111423244424030030003340213032121303213343020401304243330001314023030121034113334404440421242240113103203013341231330004332040302440011324004130324034323430143102401440130242321424020323
c
=
10013444120141130322433204124002242224332334011124210012440241402342100410331131441303242011002101323040403311120421304422222200324402244243322422444414043342130111111330022213203030324422101133032212042042243101434342203204121042113212104212423330331134311311114143200011240002111312122234340003403312040401043021433112031334324322123304112340014030132021432101130211241134422413442312013042141212003102211300321404043012124332013240431242
#!/usr/bin/python2
import
gmpy2
import
time
from
Crypto.Util.number
import
long_to_bytes
def
CRT(items):
N
=
reduce
(
lambda
x, y: x
*
y, (i[
1
]
for
i
in
items))
result
=
0
for
a, n
in
items:
m
=
N
/
n
d, r, s
=
gmpy2.gcdext(n, m)
if
d !
=
1
:
raise
Exception(
"Input not pairwise co-prime"
)
result
+
=
a
*
s
*
m
return
result
%
N, N
n
=
[
129114230505356333697118994510021413915051088225570531043026917550451581564734952308651566723784981323900403426111056537185011193232603296112121643742691356399992969898010827710994350803494919151948423732426591598888439712920344266205641475348312727365971717305409127667391782677854219689063549759596429716629
,
109269702205029292120022054633721536134438763741801805368759852020529400112797868566931991813909053016228871499067304592740926931055426540840268677218282537450757063806695831503892336975370479004151114020279110611956433492281834217463178735931660370487895538198474855043942908224106013915984721193047940206159
,
130184984206907873325788608067133260010668825744109785989754700869397713689450907426005869455386099782561530247238688647088683853688926890638399087109982966623800264662846723141786785531512452737825132399495839974974884122270947543684537604890177662807013640102549749593966105133111628112742472630785570141963
]
c
=
[
112820376318708309511883266356668393396816131447182791445506209031700236878469506355658352414748854472099361508824474365112325602319862842561436679067358900089331778617100580343694334226208753320435002324108477884950933641216044198203776075918323272795752182687450526442079367110656868374931125538339145721573
,
45651293556966072304818630107703140982560165499022836594523320391474750266281527820821435052904791681898782443840766880327957385288649094238886877657228597671521358830021677304123300882210216797719566693160533018601632768048713030788957904378243453859832229603157052843135978639276611231634399594108602071349
,
7145575537980676074780210417817024536632595547590648616669010213946256431795860784357127920679439181517662499063976244238924613193503273987203026894830988537974932336129245277788828190575305229420617551083516420170192425247732269483299819348769856966536443995217830327641185916042049253075074223777360483322
]
e
=
3
data
=
zip
(c, n)
x, n
=
CRT(data)
m
=
gmpy2.iroot(gmpy2.mpz(x), e)[
0
].digits()
m
=
long_to_bytes(m)
print
m
#!/usr/bin/python2
import
gmpy2
import
time
from
Crypto.Util.number
import
long_to_bytes
def
CRT(items):
N
=
reduce
(
lambda
x, y: x
*
y, (i[
1
]
for
i
in
items))
result
=
0
for
a, n
in
items:
m
=
N
/
n
d, r, s
=
gmpy2.gcdext(n, m)
if
d !
=
1
:
raise
Exception(
"Input not pairwise co-prime"
)
result
+
=
a
*
s
*
m
return
result
%
N, N
n
=
[
129114230505356333697118994510021413915051088225570531043026917550451581564734952308651566723784981323900403426111056537185011193232603296112121643742691356399992969898010827710994350803494919151948423732426591598888439712920344266205641475348312727365971717305409127667391782677854219689063549759596429716629
,
109269702205029292120022054633721536134438763741801805368759852020529400112797868566931991813909053016228871499067304592740926931055426540840268677218282537450757063806695831503892336975370479004151114020279110611956433492281834217463178735931660370487895538198474855043942908224106013915984721193047940206159
,
130184984206907873325788608067133260010668825744109785989754700869397713689450907426005869455386099782561530247238688647088683853688926890638399087109982966623800264662846723141786785531512452737825132399495839974974884122270947543684537604890177662807013640102549749593966105133111628112742472630785570141963
]
c
=
[
112820376318708309511883266356668393396816131447182791445506209031700236878469506355658352414748854472099361508824474365112325602319862842561436679067358900089331778617100580343694334226208753320435002324108477884950933641216044198203776075918323272795752182687450526442079367110656868374931125538339145721573
,
45651293556966072304818630107703140982560165499022836594523320391474750266281527820821435052904791681898782443840766880327957385288649094238886877657228597671521358830021677304123300882210216797719566693160533018601632768048713030788957904378243453859832229603157052843135978639276611231634399594108602071349
,
7145575537980676074780210417817024536632595547590648616669010213946256431795860784357127920679439181517662499063976244238924613193503273987203026894830988537974932336129245277788828190575305229420617551083516420170192425247732269483299819348769856966536443995217830327641185916042049253075074223777360483322
]
e
=
3
data
=
zip
(c, n)
x, n
=
CRT(data)
m
=
gmpy2.iroot(gmpy2.mpz(x), e)[
0
].digits()
m
=
long_to_bytes(m)
print
m
def
gen_q():
p
=
getPrime(
1024
)
q
=
getPrime(
1024
)
assert
(p < q)
n
=
p
*
q
print
(
"Q_n = "
, n)
e
=
getRandomNBitInteger(
53
)
F_n
=
(p
-
1
)
*
(q
-
1
)
while
gcd(e, F_n) !
=
1
:
e
=
getRandomNBitInteger(
53
)
d
=
invert(e, F_n)
print
(
"Q_E_D = "
, e
*
d)
factor2
=
2021
*
p
-
2020
*
q
if
factor2 <
0
:
factor2
=
(
-
1
)
*
factor2
return
sympy.nextprime(factor2)
def
gen_q():
p
=
getPrime(
1024
)
q
=
getPrime(
1024
)
assert
(p < q)
n
=
p
*
q
print
(
"Q_n = "
, n)
e
=
getRandomNBitInteger(
53
)
F_n
=
(p
-
1
)
*
(q
-
1
)
while
gcd(e, F_n) !
=
1
:
e
=
getRandomNBitInteger(
53
)
d
=
invert(e, F_n)
print
(
"Q_E_D = "
, e
*
d)
factor2
=
2021
*
p
-
2020
*
q
if
factor2 <
0
:
factor2
=
(
-
1
)
*
factor2
return
sympy.nextprime(factor2)
Q_n
=
20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
Q_E_D
=
100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
Q_n
=
20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
Q_E_D
=
100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
#!/usr/bin/python2
import
random
def
gcd(a, b):
if
a < b:
a, b
=
b, a
while
b !
=
0
:
temp
=
a
%
b
a
=
b
b
=
temp
return
a
def
getpq(n,d_e):
p
=
1
q
=
1
while
p
=
=
1
and
q
=
=
1
:
k
=
d_e
-
1
g
=
random.randint (
0
, n )
while
p
=
=
1
and
q
=
=
1
and
k
%
2
=
=
0
:
k
/
=
2
y
=
pow
(g,k,n)
if
y!
=
1
and
gcd(y
-
1
,n)>
1
:
p
=
gcd(y
-
1
,n)
q
=
n
/
p
return
p,q
def
main():
n
=
20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
d_e
=
100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
p,q
=
getpq(n,d_e)
print
(p)
print
(q)
if
__name__
=
=
'__main__'
:
main()
#!/usr/bin/python2
import
random
def
gcd(a, b):
if
a < b:
a, b
=
b, a
while
b !
=
0
:
temp
=
a
%
b
a
=
b
b
=
temp
return
a
def
getpq(n,d_e):
p
=
1
q
=
1
while
p
=
=
1
and
q
=
=
1
:
k
=
d_e
-
1
g
=
random.randint (
0
, n )
while
p
=
=
1
and
q
=
=
1
and
k
%
2
=
=
0
:
k
/
=
2
y
=
pow
(g,k,n)
if
y!
=
1
and
gcd(y
-
1
,n)>
1
:
p
=
gcd(y
-
1
,n)
q
=
n
/
p
return
p,q
def
main():
n
=
20714298338160449749545360743688018842877274054540852096459485283936802341271363766157976112525034004319938054034934880860956966585051684483662535780621673316774842614701726445870630109196016676725183412879870463432277629916669130494040403733295593655306104176367902352484367520262917943100467697540593925707162162616635533550262718808746254599456286578409187895171015796991910123804529825519519278388910483133813330902530160448972926096083990208243274548561238253002789474920730760001104048093295680593033327818821255300893423412192265814418546134015557579236219461780344469127987669565138930308525189944897421753947
d_e
=
100772079222298134586116156850742817855408127716962891929259868746672572602333918958075582671752493618259518286336122772703330183037221105058298653490794337885098499073583821832532798309513538383175233429533467348390389323225198805294950484802068148590902907221150968539067980432831310376368202773212266320112670699737501054831646286585142281419237572222713975646843555024731855688573834108711874406149540078253774349708158063055754932812675786123700768288048445326199880983717504538825498103789304873682191053050366806825802602658674268440844577955499368404019114913934477160428428662847012289516655310680119638600315228284298935201
p,q
=
getpq(n,d_e)
print
(p)
print
(q)
if
__name__
=
=
'__main__'
:
main()
n
=
544187306850902797629107353619267427694837163600853983242783
e
=
39293
c
=
439254895818320413408827022398053685867343267971712332011972
m
=
???
n
=
544187306850902797629107353619267427694837163600853983242783
e
=
39293
c
=
439254895818320413408827022398053685867343267971712332011972
m
=
???
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
n
=
544187306850902797629107353619267427694837163600853983242783
e
=
39293
c
=
439254895818320413408827022398053685867343267971712332011972
p
=
67724172605733871
q
=
11571390939636959887
r
=
694415063702720454699679
phi
=
(p
-
1
)
*
(q
-
1
)
*
(r
-
1
)
d
=
gmpy2.invert(e, phi)
m
=
pow
(c, d, n)
print
(long_to_bytes(m))
#!/usr/bin/python
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
n
=
544187306850902797629107353619267427694837163600853983242783
e
=
39293
c
=
439254895818320413408827022398053685867343267971712332011972
p
=
67724172605733871
q
=
11571390939636959887
r
=
694415063702720454699679
phi
=
(p
-
1
)
*
(q
-
1
)
*
(r
-
1
)
d
=
gmpy2.invert(e, phi)
m
=
pow
(c, d, n)
print
(long_to_bytes(m))
dp
=
d
%
(p
-
1
)
dq
=
d
%
(q
-
1
)
dp
*
e
=
1
mod(p
-
1
)
dq
*
e
=
1
mod(q
-
1
)
dp
=
d
%
(p
-
1
)
dq
=
d
%
(q
-
1
)
dp
*
e
=
1
mod(p
-
1
)
dq
*
e
=
1
mod(q
-
1
)
p
=
8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q
=
12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp
=
6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq
=
783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c
=
24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
p
=
8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q
=
12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp
=
6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq
=
783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c
=
24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
#!/usr/bin/python2
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
p
=
8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q
=
12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp
=
6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq
=
783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c
=
24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
InvQ
=
gmpy2.invert(q,p)
mp
=
pow
(c,dp,p)
mq
=
pow
(c,dq,q)
m
=
(((mp
-
mq)
*
InvQ)
%
p)
*
q
+
mq
print
(long_to_bytes(m))
#!/usr/bin/python2
import
gmpy2
from
Crypto.Util.number
import
long_to_bytes
p
=
8637633767257008567099653486541091171320491509433615447539162437911244175885667806398411790524083553445158113502227745206205327690939504032994699902053229
q
=
12640674973996472769176047937170883420927050821480010581593137135372473880595613737337630629752577346147039284030082593490776630572584959954205336880228469
dp
=
6500795702216834621109042351193261530650043841056252930930949663358625016881832840728066026150264693076109354874099841380454881716097778307268116910582929
dq
=
783472263673553449019532580386470672380574033551303889137911760438881683674556098098256795673512201963002175438762767516968043599582527539160811120550041
c
=
24722305403887382073567316467649080662631552905960229399079107995602154418176056335800638887527614164073530437657085079676157350205351945222989351316076486573599576041978339872265925062764318536089007310270278526159678937431903862892400747915525118983959970607934142974736675784325993445942031372107342103852
InvQ
=
gmpy2.invert(q,p)
mp
=
pow
(c,dp,p)
mq
=
pow
(c,dq,q)
m
=
(((mp
-
mq)
*
InvQ)
%
p)
*
q
+
mq
print
(long_to_bytes(m))
#!/usr/bin/python2
import
re
import
pickle
from
itertools
import
product
from
libnum
import
invmod, gcd
def
solve_linear(a, b, mod):
if
a &
1
=
=
0
or
b &
1
=
=
0
:
return
None
return
(b
*
invmod(a, mod)) & (mod
-
1
)
# hack for mod = power of 2
def
to_n(s):
s
=
re.sub(r
"[^0-9a-f]"
, "", s)
return
int
(s,
16
)
def
msk(s):
cleaned
=
"
".join(map(lambda x: x[-2:], s.split("
:")))
return
msk_ranges(cleaned), msk_mask(cleaned), msk_val(cleaned)
def
msk_ranges(s):
return
[
range
(
16
)
if
c
=
=
" "
else
[
int
(c,
16
)]
for
c
in
s]
def
msk_mask(s):
return
int
("
".join("
0
" if c == "
" else "
f"
for
c
in
s),
16
)
def
msk_val(s):
return
int
("
".join("
0
" if c == "
"
else
c
for
c
in
s),
16
)
E
=
65537
N
=
to_n(
"""00:c0:97:78:53:45:64:84:7d:8c:c4:b4:20:e9:33:
58:67:ec:78:3e:6c:f5:f0:5c:a0:3e:ee:dc:25:63:
d0:eb:2a:9e:ba:8f:19:52:a2:67:0b:e7:6e:b2:34:
b8:6d:50:76:e0:6a:d1:03:cf:77:33:d8:b1:e9:d7:
3b:e5:eb:1c:65:0c:25:96:fd:96:20:b9:7a:de:1d:
bf:fd:f2:b6:bf:81:3e:3e:47:44:43:98:bf:65:2f:
67:7e:27:75:f9:56:47:ba:c4:f0:4e:67:2b:da:e0:
1a:77:14:40:29:c1:a8:67:5a:8f:f5:2e:be:8e:82:
31:3d:43:26:d4:97:86:29:15:14:a9:69:36:2c:76:
ed:b5:90:eb:ec:6f:ce:d5:ca:24:1c:aa:f6:63:f8:
06:a2:62:cb:26:74:d3:5b:82:4b:b6:d5:e0:49:32:
7b:62:f8:05:c4:f7:0e:86:59:9b:f3:17:25:02:aa:
3c:97:78:84:7b:16:fd:1a:f5:67:cf:03:17:97:d0:
c6:69:85:f0:8d:fa:ce:ee:68:24:63:06:24:e1:e4:
4c:f8:e9:ad:25:c7:e0:c0:15:bb:b4:67:48:90:03:
9b:20:7f:0c:17:eb:9d:13:44:ab:ab:08:a5:c3:dc:
c1:98:88:c5:ce:4f:5a:87:9b:0b:bf:bd:d7:0e:a9:
09:59:81:fa:88:4f:59:60:6b:84:84:ad:d9:c7:25:
8c:e8:c0:e8:f7:26:9e:37:95:7c:e1:48:29:0f:51:
e7:bd:98:2f:f6:cc:80:e7:f0:32:0b:89:51:92:4e:
c2:6d:50:53:2b:3b:77:72:d1:bd:1a:1f:92:d7:12:
79:61:61:c5:a4:7e:b3:85:eb:f0:7c:6d:46:03:c5:
e6:d5:81:2c:ba:7e:ea:8d:51:7d:63:55:34:2a:b6:
d4:dc:31:5a:f1:99:e3:dc:8c:83:0b:a2:2a:d5:3c:
41:48:41:54:1a:a9:e8:b6:70:bf:d3:fe:ed:19:17:
14:94:13:b3:17:e3:8b:8e:6f:53:ed:e2:44:e8:4a:
32:d6:5c:0d:a8:80:f5:fc:02:e9:46:55:d5:a4:d3:
e7:c6:30:77:f9:73:e9:44:52:d8:13:9d:5d:bf:9e:
fa:3a:b5:96:79:82:5b:cd:19:5c:06:a9:00:96:fd:
4c:a4:73:88:1a:ec:3c:11:de:b9:3d:e0:50:00:1e:
ac:21:97:a1:96:7d:6b:15:f9:6c:c9:34:7f:70:d7:
9d:2d:d1:48:4a:81:71:f8:12:dd:32:ba:64:31:60:
08:26:4b:09:22:03:83:90:17:7f:f3:a7:72:57:bf:
89:6d:e4:d7:40:24:8b:7b:bd:df:33:c0:ff:30:2e:
e8:6c:1d"""
)
p_ranges, pmask_msk, pmask_val
=
msk(
""" 0: e: : : :c :c : : : :b : : : : :
:ab: e: 2: 8:c : : : 1:6 :6 : 6: f:d9: 0:
8 :5c:7 :06: : : :0 : 3:5 :4b: :6 : : :
2 : :6 : : : :2 :bc: c: :85:1 : 1:d : 3:
1:b4: : b: 1: 3: d:a : : :6e: 0:b :2 : :
:b : :9 :e : :82:8d: : :13: : : a: a:
: :4 : :c : f: : :7 :e :0a: : : b: 5:
: e:91:3 : :3c: 9: : 6: : :b5:7d: 1: :
: : :b :a1:99:6 :4 :3 :c :1a:02:4 : : 9:
9 :f : d:bd: :0 : : : :b3: : 4: :e9: 9:
: d: : :7 : :93: : e:dc: : 0: :e7: :
e : :2 : b: 2:5 : : : : : c:5f: : :e2:
: : 9: :2a: : e: : :2 : :9f: 7:3 : :
b : f:b : : 8: 7: : :f :6 :e :c : :3 : :
f7: 5: 8: 5: : : : : : 8: e: :03: c: :
33:76:e : 1:7 : c: : 0: :0b: : a: : 2: 9:
:c8:bf: : :06: 7:d5: :02: c:b :e2: 7:2 :
: """
)
q_ranges, qmask_msk, qmask_val
=
msk(
""" 0: f: :d0: 1:55: 4:31: : b:c4:8 : : e: d:
34: 3:f : : : : : 8:99:1 : : a:0 : :4 :
0 : :f : :a4:41:2 : :a : : 1: : a: c: :
: : 9: : : 2:f4: f: : : : :1 : 4:9 :
a : : :79:0 : : : : : 2: 8:b : :4 : 8:
:9b: 1: :d : :f :e4: :4 :c :e : :3 : :
7:2 : :d :8 :2 :7 : :d :67:fc:e : 0:f9: 7:
8 : : : :1 :2f: :51: : :2e:0a: e:3d: 6:
b : :dd: : 0:fb: :f4: : : :b4: 9:c : :
a: : : :d : : :6b: 2: :9b: a:60: :d6:
0:4f:16:d1: : :5 :fc: :f : :8 : : : :
1: 6:e1:9 : e:4 : 6: c: d:d :73: 3: : :7 :
:8 : 9: :3b:f : 2: : :f1: e: : :1e: :
8 : : : 6:0 : 4:99:e : : 5: : : 4: : :
: a:81:64: :7 :f : 9: d: :9 : : 7:93:f :
ac:8c: : 8: : 0: d: 8: :7 : :1d: :f : :
1 :a :6 :8 : :60: :b3: : : :89: : :14:
:5 """
)
_, dmask_msk, dmask_val
=
msk(
""" : : : f:8 :a5:d : 2: 0:b :7 : : 1: : 4:
1:0d: :3 : :6 : : : b: : : :e : : :
0e: 0:db: :1a:1c:c0: : e: : :99:bc:8 :a5:
7 :7 :7 : b: : : 8: 8: :7 :55: 2: : :f :
b2: : :b :f :4 : : 8: :b : : : : 0: :
0 : :6 :9 : : : : b: 4: : 0: a: 5:07:b :
9: c:9a: 9: : 7:9e: : b:60:f : : : :0 :
: 3:0 : : : : 1:b : : : b: 6:0 :f : :
: 2:18: 6: b:1 : : : : :d3:f3: :a : :
3: : : : : 3: d: 1: 2:7 : : d: : 2: d:
: : d:4 : :d : :6d: c:a :b6: : : : 1:
69: : 7: :89: :c :8 :61: d:25: 3:7 :1b: 4:
b : :8 :55: :49: 1:2 :3 : :1 :e9:a8: 3: :
9 : : 1:f8:d3: :e : :d : :9 :b6: : :71:
1 : :c1: : b: 1: : 6:e : :64: : :1a:c :
: b: :bf:c : : 0: : 8:a :4 : :26:a :5 :
6 : : : :eb: :e5: a: :3e:f9:10:0 : : :
6:0 : : 8: : 1:72: c:0 : f:5 : f:9c: 0: e:
7:b : : : : :d9: 4: : e:c :68: : : :
c: :3a: : :a0:ea: 3: 4: :72:a :d : 8: :
:0d:5 :0 : a: 7:c :bb: 6: 4:a :ce:d :2 : 1:
: :17:6 : : c: b: : f: :3 : 5:6 :3 :0e:
: 7:c :3e: 2: 9: 7: 6: f: e: f: 9: :f3: 9:
a :c1:6 : : 1:9 : :43: : f: 5: :0 :27: 4:
4 :a : :e9: : 8: 4:3 :8a: 6:16:d5:c : e: e:
:d : c:b :a8: : 7: : 9: :7 :7d: : : :
: : :4 :2 : : 3: 3: 6: : : :7b:0 : :
e: :0 : :a : : 5: : : : 5:1 :82:c :0d:
4 :2 :fd:36: 5:50:0 : : :d : f: 6: : :e :
0 : : :ce: :9e:8 : :0 :d :07:b3: : : :
0 :e4: : :68:b :c : : c:5 : : :3 : 7: 2:
c:e0: :5 : : :b4: :ef: 7: :1 :e : 0:f :
:6 : : : :e0:c :3 : : : 3: : d: : :
3: 3: c: a: :b : a:71: 3: 0:a : :4 :5d: :
0 :4 """
)
_, dpmask_msk, dpmask_val
=
msk(
""" : 3:2a: : d: : : : :0 :1 : f: : : 6:
1 :2 :1b:07: a:e :b :c5:58:7 : :e8: 7: 1: c:
: 1:b :a0: 4:0f:5 :67: :3 :7 :6 :f9: : c:
:79: 0:1 :65: :8 : :99: d:d : :2 :9 :0 :
e: :0 : : : : d: :d :7 :6 :a9: a:8b: b:
: : 7: a:37: : :7 :1 :6 : :c2: 7:6 :b :
e: : : : : : :b :3a:5 : : : : : :
: : :cd:8 : : d: :7 : 3: : f:e : c: :
: a: :c : f:c : 7:b :5 : : :2 :8 :8 :6 :
0a: a: : :3 :db: : 4:00: : d: :b : 5: :
20: 2: 5: :82: : 0: 6: :8a: :7 : : 8: :
4: 1: : : : 8:46: : : : : : 0:f :c8:
2 : : c:7 : : 1: : :2 : 0: 5: : : 1:9b:
6:9 : 0:74: :c : :e : : :cb:b :3 :3 : :
2: : :47: :2 : 0:5 : : : d: 6:83: : :
:c7: : :0b: : : c: :3 :8 : :9 :4 : 7:
5 :c0:fe: :f9: 1: :0 : e: 8:02: : f: :c :
55:61"""
)
_, dqmask_msk, dqmask_val
=
msk(
""" :0b:7 :4 :0 : 0:6 : 7:7e: : 5: : 7: : a:
a :d : 0: 6: 4:86: : :8 : : : : :e :8f:
9: : : : 1: :2 : : 7: b:1 :5 : f: :8 :
:d :21: :e : d: :c9:e : b: : :1 : : :
:d :a2:b7: : : :f3: :42: :e : c: :f :
: 0:f :7 : 4: 5:34: :4 : c: : :8 :d : 8:
5 :af: 3:1d: 5:4 : :2 : :6 :c : 6:a :1 :5 :
a:9 : :d : : :0a:a1: :f :7 :9 :b : : :
f:2 :27: f: :0 :f6:4d: : : : : :5 : :
4:08: : 5: : 8: 5: : : :18: 4: 8:57: 2:
f: a: : :a8: f: c:f : e: 1:9 :c : 4:9 : :
: : : : : 1: :2 : :d1: : 6:e : d: :
: f:04:2 :8d: : 3: : :b : 8: :d6: : 2:
: : :6 : : f: : : 0:6 : :51: :48:19:
: : :69:4 : c: :c : : f: :f4:d : : f:
d:0 :0d:b :3 : 3:2 : : :6 : b:5 :2 : : c:
1:5a: f:f : : :7e:3e: :d :f :0 : d: c: 6:
1"""
)
def
search(K, Kp, Kq, check_level, break_step):
max_step
=
0
cands
=
[
0
]
for
step
in
range
(
1
, break_step
+
1
):
#print " ", step, "( max =", max_step, ")"
max_step
=
max
(step, max_step)
mod
=
1
<< (
4
*
step)
mask
=
mod
-
1
cands_next
=
[]
for
p, new_digit
in
product(cands, p_ranges[
-
step]):
pval
=
(new_digit << ((step
-
1
)
*
4
)) | p
if
check_level >
=
1
:
qval
=
solve_linear(pval, N & mask, mod)
if
qval
is
None
or
not
check_val(qval, mask, qmask_msk, qmask_val):
continue
if
check_level >
=
2
:
val
=
solve_linear(E,
1
+
K
*
(N
-
pval
-
qval
+
1
), mod)
if
val
is
None
or
not
check_val(val, mask, dmask_msk, dmask_val):
continue
if
check_level >
=
3
:
val
=
solve_linear(E,
1
+
Kp
*
(pval
-
1
), mod)
if
val
is
None
or
not
check_val(val, mask, dpmask_msk, dpmask_val):
continue
if
check_level >
=
4
:
val
=
solve_linear(E,
1
+
Kq
*
(qval
-
1
), mod)
if
val
is
None
or
not
check_val(val, mask, dqmask_msk, dqmask_val):
continue
if
pval
*
qval
=
=
N:
print
"Kq ="
, Kq
print
"pwned"
print
"p ="
, pval
print
"q ="
, qval
p
=
pval
q
=
qval
d
=
invmod(E, (p
-
1
)
*
(q
-
1
))
coef
=
invmod(p, q)
from
Crypto.PublicKey
import
RSA
print
RSA.construct(
map
(
long
, (N, E, d, p, q, coef))).exportKey()
quit()
cands_next.append(pval)
if
not
cands_next:
return
False
cands
=
cands_next
return
True
def
check_val(val, mask, mask_msk, mask_val):
test_mask
=
mask_msk & mask
test_val
=
mask_val & mask
return
val & test_mask
=
=
test_val
# K = 4695
# Kp = 15700
# Kq = 5155
for
K
in
range
(
1
, E):
if
K
%
100
=
=
0
:
print
"checking"
, K
if
search(K,
0
,
0
, check_level
=
2
, break_step
=
20
):
print
"K ="
, K
break
for
Kp
in
range
(
1
, E):
if
Kp
%
1000
=
=
0
:
print
"checking"
, Kp
if
search(K, Kp,
0
, check_level
=
3
, break_step
=
30
):
print
"Kp ="
, Kp
break
for
Kq
in
range
(
1
, E):
if
Kq
%
100
=
=
0
:
print
"checking"
, Kq
if
search(K, Kp, Kq, check_level
=
4
, break_step
=
9999
):
print
"Kq ="
, Kq
break
#!/usr/bin/python2
import
re
import
pickle
from
itertools
import
product
from
libnum
import
invmod, gcd
def
solve_linear(a, b, mod):
if
a &
1
=
=
0
or
b &
1
=
=
0
:
return
None
return
(b
*
invmod(a, mod)) & (mod
-
1
)
# hack for mod = power of 2
def
to_n(s):
s
=
re.sub(r
"[^0-9a-f]"
, "", s)
return
int
(s,
16
)
def
msk(s):
cleaned
=
"
".join(map(lambda x: x[-2:], s.split("
:")))
return
msk_ranges(cleaned), msk_mask(cleaned), msk_val(cleaned)
def
msk_ranges(s):
return
[
range
(
16
)
if
c
=
=
" "
else
[
int
(c,
16
)]
for
c
in
s]
def
msk_mask(s):
return
int
("
".join("
0
" if c == "
" else "
f"
for
c
in
s),
16
)
def
msk_val(s):
return
int
("
".join("
0
" if c == "
"
else
c
for
c
in
s),
16
)
E
=
65537
N
=
to_n(
"""00:c0:97:78:53:45:64:84:7d:8c:c4:b4:20:e9:33:
58:67:ec:78:3e:6c:f5:f0:5c:a0:3e:ee:dc:25:63:
d0:eb:2a:9e:ba:8f:19:52:a2:67:0b:e7:6e:b2:34:
b8:6d:50:76:e0:6a:d1:03:cf:77:33:d8:b1:e9:d7:
3b:e5:eb:1c:65:0c:25:96:fd:96:20:b9:7a:de:1d:
bf:fd:f2:b6:bf:81:3e:3e:47:44:43:98:bf:65:2f:
67:7e:27:75:f9:56:47:ba:c4:f0:4e:67:2b:da:e0:
1a:77:14:40:29:c1:a8:67:5a:8f:f5:2e:be:8e:82:
31:3d:43:26:d4:97:86:29:15:14:a9:69:36:2c:76:
ed:b5:90:eb:ec:6f:ce:d5:ca:24:1c:aa:f6:63:f8:
06:a2:62:cb:26:74:d3:5b:82:4b:b6:d5:e0:49:32:
7b:62:f8:05:c4:f7:0e:86:59:9b:f3:17:25:02:aa:
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
|
|
---|---|
|
大佬,关于p-adic 和随机数生成器有啥好的教程或者书籍推荐吗
|
|
happi0师傅,写得好详细,学到了许多,以后记得多多写相关的文章,学学新姿势。。。。:)
|
|
mark,学到了很多,感谢感谢,希望能够看到更多类似的文章
|
|
大佬写的好详细呀
|
|
八岛 大佬,关于p-adic 和随机数生成器有啥好的教程或者书籍推荐吗《密码学随机数发生器的设计与分析》,这本书不错 |
|
|
- [原创]关于题目more-calc的解法和拓展 8130
- [推荐][原创]CTF-RSA常见题型、思路及解法 19594
- [原创]部分CTF-RSA解题思路及脚本 10717
- [原创]希尔密码 7515
- [原创]密码学中的z3约束求解器 9958