2023-SHCTF-wp-crypto

大战古典

Week 1

[WEEK1]立正

题目描述：

无

hint：

注意要 正

题目：

wl hgrfhg 4gNUx4NgQgEUb4NC64NHxZLg636V6CDBiDNUHw8HkapH :jdoi vl vlkw  ~xrb wd nrrT Y:

最痛苦的题其中一道。

首先，一眼看不出是什么编码，可以猜测是 rot ，用 cyberchef 爆破一下：

发现一点线索：

可以看到倒过来的 flag ，结合题目”立正”，把他正过来试试：

7V Qook at _ou{  this is flag7 Em^hE5tERKAf?A@3S303dIWuEK13@K1_RBdNdK1uRKd1 decode it

大概可以看到一段待解密的密文了，现在目标就是解码。可是可以发现，前面还有一段乱码一样的东西，问了出题人，这段也是有用的，所以第一反应是：前面这段可能是密钥，但是尝试了各种解密都不行。

后来发现，这样移动后，解密出的文段有很多不太合理的的地方：

• flag后面的7，感觉应该是某个符号才对
• 前面这段没看出任何含义，但是很近似于 Look at you

然后觉得，也许移位是在字母、数字之间循环移动的，而不涉及符号，所以重新解密一次：

可以看出，这下的密文明显更合理了。首先，诸如：、~之类的符号更正确；其次中间那段密文有base64编码的样子了。

不过显然还差一点，但如果熟悉flag头的base64的话，可以看出Emxh与Zmxh只差一个大写字母。同时，Look at you变成了Qook at you。而他们与正确大写字母正好都相差6，说明大写字母应该还要循环移动6位，如下：

Q Look at you~  this is flag: ZmxhZ8tZMFVfTVU6N636dDRuZF46UF4yMWdIdF4uMFd4 decode it

拿去试着解一下base64：

还是有乱码，不过大概已经能猜到是数字还需要移位了，手动调整一下数字，能发现第一个数字8改为3时，能解密出{，因此数字还需要前移5位，最终的base64如下：

:Q Look at you~  this is flag: ZmxhZ3tZMFVfTVU1N181dDRuZF91UF9yMWdIdF9uMFd9 decode it

base64解密得到flag。

flag：

flag{Y0U_MU57_5t4nd_uP_r1gHt_n0W}

[WEEK1]Crypto_Checkin

题目描述：

无

题目：

QZZ|KQbjRRS8QZRQdCYwR4_DoQ7~jyO>0t4R4__aQZQ9|Rz+k_Q!r#mR90+NR4_4NR%>ipO>0s{R90|SQhHKhRz+k^S8Q5JS5|OUQZO}CQfp*dS8P&9R8>k?QZYthRz+k_O>0#>

直接丢给 cyberchef 用 magic 就可以出：

flag：

flag{Th1s_1s_B4s3_3nc0d3}

[WEEK1]残缺的md5

题目描述：

无

题目：

苑晴在路边捡到了一张纸条，上面有一串字符串：KCLWG?K8M9O3?DE?84S9
问号是被污染的部分，纸条的背面写着被污染的地方为大写字母，还给了这串字符串的md5码值：F0AF????B1F463????F7AE???B2AC4E6
请提交完整的md5码值并用flag{}包裹提交

md5爆破：

t = "KCLWG?K8M9O3?DE?84S9"
#F0AF????B1F463????F7AE???B2AC4E6
import string
import hashlib

dic1=string.ascii_uppercase
for i1 in dic1:
	for i2 in dic1:
		for i3 in dic1:
			bb='KCLWG'+i1+'K8M9O3'+i2+'DE'+i3+'84S9'
			aa=hashlib.md5(bb.encode())
			bbb=aa.hexdigest().upper()
			if bbb[:4]=='F0AF' and bbb[-7:]=='B2AC4E6':
				print(bbb)

flag：

flag{F0AF1443B1F463EAFFF7AEBB8B2AC4E6}

[WEEK1]凯撒大帝

题目：

pvkq{mredsrkyxkx}

直接手动调调参数就可以出：

flag：

flag{chutihaonan}

[WEEK1]进制

题目：

好熟悉的进制，但不知道加密了几层
3636366336313637376236313638363636623661366336383662363136383764

反复转十六进制，这种事交给magic：

flag：

flag{ahfkjlhkah}

[WEEK1]okk

题目：

Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook! Ook! Ook! Ook!
Ook! Ook! Ook? Ook. Ook? Ook! Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook!
Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook!
Ook! Ook! Ook! Ook? Ook. Ook? Ook! Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook!
Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook!
Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook.
Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook.
Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook.
Ook? Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook?
Ook. 

Ook编码，直接在线网站：

flag：

flag{123456789}

[WEEK1]熊斐特

题目：

熊斐特博士发现了一种新的密码。
uozt{zgyzhs xrksvi}

搜索一下就知道，题目名称是在暗指Atbash码，解密即可：

flag：

flag{atbash cipher}

[WEEK1]佛说：只能四天

题目：

hint.txt：

凯撒不是最后一步，by the way，想想凯撒当年用的什么规格的凯撒密码？

密文.txt：

陀即我叻我莊如亦婆愍降吽兜哉念色夷嚩喼哉宣宣羅僧慧喼喃塞修菩哉菩哉吶宣囉哆念隸是喃哉嚩是念哉我嘚般訶尊是是闍哉訶咤聞訶念兜喼哉是般哉尊波祗迦念彌哆塞咤寂祗蜜劫塞迦劫諸隸菩哉缽即哉耨若夷夷吽斯空須囉諦諸須塞缽是若咤劫若哉嚴莊須哉闍須叻耨降菩哉般哆哉耨是叻色迦羅缽哉吽哉降聞叻彌蜜彌所斯嚴薩所陀波婆喃夷愍所囉哉叻伏空般耨囉隸劫般夷降嘇慧哆摩我念羅哉摩修叻喼羅般須吶囉尊伏斯若喼羅

题目描述.txt：

圣经分为《旧约全书》和《新约全书》

熟悉的题目名字，buu上有一道很类似的，所以前几步很好想，新与佛论禅+社会主义核心价值观，得到：

66767656676661e93ii3i098666766666677f7g39h13gf3g

大概可以看出是16进制，但是出现了g，h，i几个字母，结合题目描述可以推测还用了凯撒：

66767656676661b93ff3f098666766666677c7d39e13dc3d

由于知道flag头对应的16进制是66，6c，61，67，所以可以猜测是用了栅栏，手动调一下栏数看看能不能出这个十六进制头，发现可以：

然后十六进制转字符串就好。

flag：

flag{mission_accomplish}

[WEEK1]黑暗之歌

题目：

密文：

⠴⡰⡭⡳⠴⡰⡭⡰⡷⡲⡢⡩⡭⡡⠯⡩⡭⡡⡺⡩⡭⡡⠳⡩⡭⡡⡺⡩⡭⡡⡶⡩⡭⡡⡶⡩⡭⡡⡲⡩⡭⡡⡺⡩⡭⡡⠯⡩⡧⡊⡢⡩⡭⡡⠯⡩⡭⡡⡺⡃⡰⠫⡋⡚⡲⡍⡋⡮⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡃⡴⡵⡋⡁⡬⡵⡋⡁⡬⡵⡋⡁⡬⡳⡋⠲⠴⡯⡃⡗⠴⡰⡭⡴⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡩⡭⡡⡺⡩⡭⡡⡺⡩⡭⡡⠳⡩⡧⡊⡢⡩⡭⡡⠯⡩⡧⡊⡢⡃⡴⡵⡋⡚⡱⠫⡋⡚⡱⠫⡋⡚⡲⠵⠲⡺⠰⠽

明显的盲文，多试几个在线网站，发现这个可以解：

盲文点字加密/解密 - 一个工具箱 - 好用的在线工具都在这里！ (atoolbox.net)

能解出一串base64，扔给cyberchef看看：

音符密码，继续在线网站，就能解得flag：

flag：

flag{b2cc-9091-8a29}

[WEEK1]迷雾重重

题目：

题目描述：

morse？ASCII？


密文：

0010 0100 01 110 1111011 11 111 010 000 0 001101 00 000 001101 0001 0 010 1011 001101 0010 001 10 1111101

用-.替换掉10后，直接 morse 后就能基本得到flag，左右两大括号手动加一下就行，并且转一下小写：

flag：

flag{morse_is_very_fun}

[WEEK1]难言的遗憾

题目：

题目描述：
我们本可以早些进入信息化时代的，但是清政府拒不采纳那份编码规则。 （注：flag为中文，使用flag{}包裹提交）



密文：

000111310008133175592422205314327609650071810649

这个描述也很熟悉，估计buu也出现过类似题目，中文电码解码就好：

flag：

flag{一天不学高数我就魂身难受}

[WEEK1]小兔子可爱捏

题目：

题目描述：宇宙的终极答案是什么？





U2FsdGVkX1/lKCKZm7Nw9xHLMrKHsbGQuFJU5QeUdASq3Ulcrcv9

你可能会需要一把钥匙，钥匙就是问题的答案。

根据题目名可以知道是Rabbit加密(并且密文头部U2FsdGVkX1也能看出是Rabbit加密)，同时宇宙的终极答案是42，这个之前也看到过，当作密钥解密即可：

flag：

flag{i_love_technology}

[WEEK1]电信诈骗

题目描述：

你好，我是秦始皇，我并没有死，我得到了长生不老药，但是药效有副作用，现在才醒。我刚花了一年在互联网上了解现在的时代，现在我要利用我地宫第四行第七列的无敌兵马俑军队卷土重来，但是我需要启动资金，vivo50作为启动资金，待我横扫天下，封你为大将军，赏你黄金万两！

题目：

050f000a7e407151537802540b747176075178027552756d0256726262627c

最痛苦的题的另一道。

首先观察到，密文为62个十六进制数，因此应该对应flag串中的31个字符。那么题目应该就是对flag串的每个字符作了了某种加密，而关于加密方式的提示应该就在题目描述里。

而题目描述可能有用的信息有以下几个：

• 一年
• 地宫第四行第七列
• vivo50

其中，稍微有点思路的就是第二个信息，由这个信息能想到曲路密码或者列移位密码，但是尝试了均不对。那么当成47用，可能能想到rot47，但是仍然不对。继续尝试cyberchef的rot47爆破，还是出不了一点看似有效的结果。

和50结合一下，能想到什么加密呢？可能能想到a=47,b=50的仿射密码，然后模数就用可见字符的范围128，但是也不对，交换一下顺序，或者求一求逆元对应解密，还是不对。

非常的绝望。

要说思路的话，真的就是碰。什么能想到的东西都尝试一遍后，可以在这种尝试方式下发现一点东西：

from Crypto.Util.number import *

c = "050f000a7e407151537802540b747176075178027552756d0256726262627c"
tt = [i for i in long_to_bytes(int(c,16))]

for i in range(len(tt)):
    print(chr(47 + (tt[i]^50)),end = "")

打印结果是：

flag{¡rhursdy_vv_o}

有一点雏形了，至少看见flag头，说明方向没问题。而长度显然不到预期的31个字符，说明还有不可见字符，先把不可见字符打印成*，然后全部打印出来看看：

for i in range(len(tt)):
    if(47 + (tt[i]^50) < 127):
        print(chr(47 + (tt[i]^50)),end = "")
    else:
        print("*",end = "")

打印的结果是：

flag{*r**y_*hursd*y_v*v*_*o***}

其实能看出flag大概说的是什么了：

crazy_thursday_vivo_50

那么我们完全可以猜测一下*代表的形近字符(比如，大小写转换，a用4，i用1这种形近字符的相互表示)，比如，猜测第一个字符为C：

m = b"flag{Cr**y_*hursd*y_v*v*_*o***}"
for i in range(len(tt)):
    print(m[i] - (tt[i]^50),end = ",")

打印出来的结果如下：

47,47,47,47,47,-47,47,-57,-55,47,47,-60,47,47,47,47,47,-57,47,47,47,-54,47,-53,47,-58,47,-38,-38,-38,47,

那么很明显了，打印出来的不可见字符之所以不可见，是因为他们应该是-47，而不是+47，依照这个逻辑手动调整一下形近字符，直到所有差值都是正负47，那么就是正确flag了。

完整调试过程的脚本如下：

from Crypto.Util.number import *

c = "050f000a7e407151537802540b747176075178027552756d0256726262627c"
tt = [i for i in long_to_bytes(int(c,16))]

for i in range(len(tt)):
    print(chr(47 + (tt[i]^50)),end = "")
print()

for i in range(len(tt)):
    if(47 + (tt[i]^50) < 127):
        print(chr(47 + (tt[i]^50)),end = "")
    else:
        print("*",end = "")
print()

#将上一步的密文，用形近字符进行调试，直至全部为+-47
m = b"flag{Cr42y_7hursd4y_v1v0_5o!!!}"
for i in range(len(tt)):
    print(m[i] - (tt[i]^50),end = ",")
print()

#flag{Cr42y_7hursd4y_v1v0_5o!!!}

flag：

flag{Cr42y_7hursd4y_v1v0_5o!!!}

[WEEK1]what is m

题目描述：

这串神秘的数字怎么恢复成flag呢

题目：

from Crypto.Util.number import bytes_to_long
from secret import flag

m = bytes_to_long(flag)
print("m =",m)

# m = 7130439814055607156612810766069657529580176956197921317055778195831975924487086273340238725540060289765827225260320612710571684611641625602310966864004750195182916452942079032595376449532285

直接long_to_bytes

exp.py：

from Crypto.Util.number import *

m = 7130439814055607156612810766069657529580176956197921317055778195831975924487086273340238725540060289765827225260320612710571684611641625602310966864004750195182916452942079032595376449532285
print(long_to_bytes(m))

#flag{7HERE_AR3_53v3rAl_AL73RNAT1v3S_T0_THe_Ion6_t0_BY7E5_fUnc7ioN_B9A1dd0bb741}

[WEEK1]really_ez_rsa

题目：

from Crypto.Util.number import getPrime, bytes_to_long

e = 65537
m = b''

p = getPrime(128)
q = getPrime(128)
n = p * q
m = bytes_to_long(m)
c = pow(m, e, n)

print("p =", p)
print("q =", q)
print("c =", c)
print("e =", e)

# p = 217873395548207236847876059475581824463
# q = 185617189161086060278518214521453878483
# c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
# e = 65537

就是个RSA算法的实现，给了p、q的话直接解密就好(其实不给也行，p、q很小可以分解)

exp.py：

from Crypto.Util.number import *

e = 65537
p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537
n = p*q

d = inverse(e,(p-1)*(q-1))
print(long_to_bytes(pow(c,d,n)))

#flag{Y0ung_meiyou_xiaojj}

Week 2

[WEEK2]XOR

题目：

n = 20810298530643139779725379335557687960281905096107101411585220918672653323875234344540342801651123667553812866458790076971583539529404583369246005781146655852295475940942005806084842620601383912513102861245275690036363402134681262533947475193408594967684453091957401932685922178406769578067946779033282889429596341714417295489842047781388337010440309434639274398589029236213499110100040841426995862849012466514170374143655264739023758914247116354182164550612494432327931655944868705959874670536031052370968354394583880324756639698871918124498442308334232127034553164826483441746719644515097123067550594588348951855987
c = 15294238831055894095745317706739204020319929545635634316996804750424242996533741450795483290384329104330090410419090776738963732127756947425265305276394058773237118310164375814515488333015347737716139073947021972607133348357843542310589577847859875065651579863803460777883480006078771792286205582765870786584904810922437581419555823588531402681156158991972023042592179567351862630979979989132957073962160946903567157184627177910380657091234027709595863061642453096671316307805667922247180282486325569430449985678954185611299166777141304330040782500340791721548519463552822293017606441987565074653579432972931432057376
e = 65537
p⊕q = 66138689143868607947630785415331461127626263390302506173955100963855136134289233949354345883327245336547595357625259526618623795152771487180400409991587378085305813144661971099363267511657121911410275002816755637490837422852032755234403225128695875574749525003296342076268760708900752562579555935703659615570

给定p与q的异或求n的分解，在我另一篇剪枝文章中有讲(第二题的第一部分)：

Crypto趣题-剪枝 | 糖醋小鸡块的blog (tangcuxiaojikuai.xyz)

exp：

from Crypto.Util.number import *
import sys
sys.setrecursionlimit(1500)

n = 20810298530643139779725379335557687960281905096107101411585220918672653323875234344540342801651123667553812866458790076971583539529404583369246005781146655852295475940942005806084842620601383912513102861245275690036363402134681262533947475193408594967684453091957401932685922178406769578067946779033282889429596341714417295489842047781388337010440309434639274398589029236213499110100040841426995862849012466514170374143655264739023758914247116354182164550612494432327931655944868705959874670536031052370968354394583880324756639698871918124498442308334232127034553164826483441746719644515097123067550594588348951855987
c = 15294238831055894095745317706739204020319929545635634316996804750424242996533741450795483290384329104330090410419090776738963732127756947425265305276394058773237118310164375814515488333015347737716139073947021972607133348357843542310589577847859875065651579863803460777883480006078771792286205582765870786584904810922437581419555823588531402681156158991972023042592179567351862630979979989132957073962160946903567157184627177910380657091234027709595863061642453096671316307805667922247180282486325569430449985678954185611299166777141304330040782500340791721548519463552822293017606441987565074653579432972931432057376
e = 65537
gift = 66138689143868607947630785415331461127626263390302506173955100963855136134289233949354345883327245336547595357625259526618623795152771487180400409991587378085305813144661971099363267511657121911410275002816755637490837422852032755234403225128695875574749525003296342076268760708900752562579555935703659615570

#part1,剪枝
gift = "0" + str(bin(gift)[2:])

def find(p,q):
    l = len(p)
    tmp0 = p + (1024-l)*"0"
    tmp1 = p + (1024-l)*"1"
    tmq0 = q + (1024-l)*"0"
    tmq1 = q + (1024-l)*"1"
    if(int(tmp0,2) < int(tmq0,2)):
        return 
    if(int(tmp0,2)*int(tmq0,2) > n):
        return 
    elif(int(tmp1,2)*int(tmq1,2) < n):
        return

    if(l == 1024):
        pp = int(tmp0,2)
        qq = int(tmq0,2)
        d = inverse(e,(pp-1)*(qq-1))
        m = long_to_bytes(pow(c,d,pp*qq))
        print(str(m)[2:-1],end = "")
        
    else:
        if(gift[l] == "1"):
            find(p+"1",q+"0")
            find(p+"0",q+"1")
        else:
            find(p+"0",q+"0")
            find(p+"1",q+"1")

tempp = ""
tempq = ""
find(tempp,tempq)

#flag{7428fbd7-639b-11ee-b51b-64d69af3cb76}

[WEEK2]easymath

题目：

from Crypto.Util.number import *
from random import *
p = getPrime(128)
seed = randint(2, p - 1)

class prng:
    n = p
    a,b = [randint(2, p - 1) for _ in range(2)]
    def __init__(self,seed):
        self.state = seed
    def next(self):
        self.state = (self.state * self.a + self.b) % self.n
        return self.state

    
def main():
    gen = prng(seed)
    s = [seed]
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    s.append(gen.next())
    f = open("output.txt",'w')
    json.dump(s,f)
    f.close()
    flag = "flag{"+str(gen.next())+"}"
    return flag
main()

output：

[288530505749272642500730917886204398531, 63547143998110685331032679758907988154, 15151206512028268617888756820805603406, 268092204209244869520724955865278855216, 261067075335188593563542448889694952077, 138067838531633886698552659065694918861, 201319433320428898153580935653793106657]

题目基于一个LCG，给定连续七组LCG生成的随机数，要求求出下一个生成的伪随机数。这里简单推导一下吧，因为我好像还没有写过这个如何求解：

已知：

$$s_i = a*s_{i-1} + b\quad(mod\;n)$$

那么我们取几组进行两两作差，会发现：

$$s_{i+2}-s_{i+1} = a*(s_{i+1}-s_{i})\quad(mod\;n)$$

可以发现，如果把连续两项的差当作数列的项，那么这其实是一个模n下的等比数列，公比是a。我们就可以依据这一点进行模数n的恢复。

因为：

$$s_3-s_2 = a*(s_2-s_1)\quad(mod\;n)$$ $$s_4-s_3 = a^2*(s_2-s_1)\quad(mod\;n)$$ $$s_5-s_4 = a^3*(s_2-s_1)\quad(mod\;n)$$

那么就有：

$$(s_5-s_4)*(s_3-s_2) = a^4*(s_2-s_1)^2 \quad (mod\;n)$$ $$(s_4-s_3)^2 = a^4*(s_2-s_1)^2 \quad (mod\;n)$$

所以有：

$$(s_5-s_4)*(s_3-s_2) - (s_4-s_3)^2 = kn$$

同理：

$$(s_4-s_3)*(s_2-s_1) - (s_3-s_2)^2 = kn$$

因此求解2者gcd，并去除一些小因子即可得到n，得到n后a、b恢复很容易，就不展开讲了。

exp：

from Crypto.Util.number import *
from gmpy2 import gcd
from sympy import isprime

c1,c2,c3,c4,c5,c6,c7 = [288530505749272642500730917886204398531, 63547143998110685331032679758907988154, 15151206512028268617888756820805603406, 268092204209244869520724955865278855216, 261067075335188593563542448889694952077, 138067838531633886698552659065694918861, 201319433320428898153580935653793106657]

#求m
t1 = c2-c1
t2 = c3-c2
t3 = c4-c3
t4 = c5-c4
T1 = t4*t2 - t3*t3
T2 = t3*t1 - t2*t2
m = gcd(T1,T2)

m = 312769358113056565136009929613710078319

#求a,b
a = inverse((c2-c1),m)*(c3-c2) % m
b = (-a*c2 + c3) % m

flag = "flag{" + str((a*c7+b)%m) + "}"
print(flag)

#flag{302184756857257140159769321021979097116}

[WEEK2]ez_rsa

题目：

# from flag import flag
from Crypto.Util.number import getPrime, bytes_to_long
from math import prod
import libnum

with open("flag.txt","rb") as f:
    flag = f.read().strip()

m = int.from_bytes(flag[:19],"big")
m1 = int.from_bytes(flag[19:],"big")

e = 65537

primes = [getPrime(64) for i in range(32)]
n = prod(primes)
c = pow(m,e,n)
print("c =",c)
print("n =",n)

p = libnum.generate_prime(1024)
q = libnum.generate_prime(1024)
e1 = 13
e2 = 15
n1 = p * q
c1 = pow(m1, e1, n1)
c2 = pow(m1, e2, n1)
print("n1 =", n1)
print("e1 =", e1)
print("c1 =", c1)
print("n2 =", n1)
print("e2 =", e2)
print("c2 =", c2)

# c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
# n = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
# n1 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
# e1 = 13
# c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
# n2 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
# e2 = 15
# c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377

第一部分可以直接factordb分解出小因子，然后多素数RSA求解。第二部分共模攻击。

exp：

from Crypto.Util.number import *
from gmpy2 import *

#yafu
c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
n = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
e = 65537
primes = [14147604789494386003,16946507762934111301,17075632607344331131,9281508366366115669,10040612110882504553,9356350172425710359,15622487550947237203,10436802938040427139,11777892065426651999,10100522426677320149,17088379813205887661,16880270107514803247,9723861249937499279,10203735303764112277,13498192768855092449,11502613740816749197,9261040693807289549,11964584391817142269,10270880245559150279,16340211116882594287,10126802520926958821,15774106340553595249,10635881647150245973,12712357180113548549,14198042938738648387,15616762946597906161,10986943768724409089,13428970346605599557,16651625235320957803,11718181938374860349,13618885037077024279,10621161426185076191]
phi = 1
for i in primes:
    phi *= (i-1)
d = inverse(e,phi)
print(str(long_to_bytes(pow(c,d,n)))[2:-1],end = "")

#共模
n1 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e1 = 13
c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
n2 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e2 = 15
c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377
d,x,y = gcdext(e1,e2)
m2 = pow(c1,x,n1)*pow(c2,y,n1) % n1
print(str(long_to_bytes(m2))[2:-1])

#flag{05929ec9778ed739d94ee1a77b742714}

[WEEK2]e？

题目描述：

这个e好像不对，你能找到正确的e吗？

题目：

p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304

经过测试可以发现，e与phi有公因子2，因此无法直接求逆元，所以需要做如下处理：

$$(m^2)^{\frac{e}{2}} \equiv c \quad(mod\;n)$$

由于e/2与phi互素，因此可以直接求逆元进行RSA解密，求出来的明文是m^2，考虑到明文较短因此可以直接开根。

exp：

from Crypto.Util.number import *
from gmpy2 import *

p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304
n = p*q
phi = (p-1)*(q-1)

d = inverse(e//2,phi)
print(long_to_bytes(iroot(pow(c,d,n),2)[0]))

#flag{This_e_is_real_or_not}

[WEEK2]factorizing_n

题目描述：

分解n试试？

题目：

n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537

yafu分解一下就能得到n的分解，直接解密即可(主要注意phi的求法)。

exp：

from Crypto.Util.number import *

n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537
p = 11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483
phi = p**4*(p-1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))

#flag{1f95f530f85b940db810fc917607ee22}

[WEEK2]哈希猫

题目描述：

我翻开 task.py 一查,这题目没有 flag 歪歪斜斜的每页上都写着 ‘哈希算法’ 几个字.我横竖睡不着,仔细看了半夜,才从字缝里看出字来,满本都写着 ‘flag’ !

题目：

import hashlib
from secret import flag

assert flag[:5] == "flag{"
assert flag[-1:] == "}"
flag = flag[5:-1]
assert len(flag) == 43


print(hashlib.sha512(flag[0:2].encode()).hexdigest())
print(hashlib.sha384(flag[2:4].encode()).hexdigest())
print(hashlib.sha1(flag[4:7].encode()).hexdigest())
print(hashlib.sha384(flag[7:9].encode()).hexdigest())
print(hashlib.sha1(flag[9:12].encode()).hexdigest())
print(hashlib.sha1(flag[12:15].encode()).hexdigest())
print(hashlib.sha512(flag[15:17].encode()).hexdigest())
print(hashlib.sha384(flag[17:19].encode()).hexdigest())
print(hashlib.md5(flag[19:22].encode()).hexdigest())
print(hashlib.sha224(flag[22:24].encode()).hexdigest())
print(hashlib.sha1(flag[24:27].encode()).hexdigest())
print(hashlib.sha384(flag[27:29].encode()).hexdigest())
print(hashlib.sha512(flag[29:31].encode()).hexdigest())
print(hashlib.md5(flag[31:34].encode()).hexdigest())
print(hashlib.md5(flag[34:37].encode()).hexdigest())
print(hashlib.sha224(flag[37:39].encode()).hexdigest())
print(hashlib.sha512(flag[39:41].encode()).hexdigest())
print(hashlib.md5(flag[41:43].encode()).hexdigest())


# e4efb4b4173a7e1e48d041cf16a79dea8d8a8885bb53cf028cd6f2b04b7546dbac7eb625dcb0737e4c6d438e00b46c16e489a689561c90491c34ab551bcb6329
# 88f76ff534f98621c41ab3319c62b95d34d602c6aa1ca20c926e2b9d196b934bf1b4c605893af0f9bbca61f496059500
# 588eb0942e37e1be94fcdf2b0d8260be88dda77b
# 3d5cb76279ef4b54c762a970fddee3a368aac8aaf8128898d15619017ba536819d88d3e80f3cf19649017c0f29eeeeb6
# 753949498cf8ca385fcf6cbd4797331d731b4aed
# 543d9f2bfd7f91ca63ab9d2d1b6c6fa48c45a7b0
# e736042cf8eaf7bf5b36f34af1ed40626beb74d923edbc8fdf6557189eea661d2c0e6fba0e88815e7d33f489aa75f8164fad1339fa915fcad378be4db03a3a8e
# 83e281865c566b69002e9753b95eab6df6ac067aa5fe6ea23b75dc679930aa554cd640c78cd1948e010a67e92943f911
# 9bbecb5acecd2544a3ce6fec4dfe5028
# 5598556fc00e3641a3a9fa69182e7f6a8107c9148f248b92a51f1a77
# e48f4614ffffb205e7ec2c80b4a9b9daa8a18994
# 8c4020c5d668c1fe7ccd43e4ba87b6fb89e289dd7c8aefa9a5ca504c83b017f9386494f35d543b5c8cc7065dad2ee70c
# bedbb9deb2d89f624398980d912909a1ccfd01126f6f6328ac10c667e6f522278e565d0d455b2d4883ec36e4506822b2a08110e2e677c2733110984ba666ae8f
# 7db183c15847634a301761dc8b88e035
# c4be70ae961735e9b11c19ed9dccc743
# b7fb4ba19da64864938455118696a126af53a51968215b41bed8686b
# ecc1d2c145955b841c7755e435dace6472ebaa684d8a03ed56274fabaf90ecbc4b392af5fb9d1555ecc5d3f020ba083445983b6c78e13384a8676fb0f8eeaaaa
# 9ad3285ba2ed40f7b805800f927766fc

每一部分被hash的明文都较短，因此直接爆破。exp偷懒了，直接全爆破了一遍，因为也不慢。

exp：

from hashlib import *
import string
from tqdm import tqdm

table = string.printable
hashes = ["e4efb4b4173a7e1e48d041cf16a79dea8d8a8885bb53cf028cd6f2b04b7546dbac7eb625dcb0737e4c6d438e00b46c16e489a689561c90491c34ab551bcb6329","88f76ff534f98621c41ab3319c62b95d34d602c6aa1ca20c926e2b9d196b934bf1b4c605893af0f9bbca61f496059500","588eb0942e37e1be94fcdf2b0d8260be88dda77b","3d5cb76279ef4b54c762a970fddee3a368aac8aaf8128898d15619017ba536819d88d3e80f3cf19649017c0f29eeeeb6","753949498cf8ca385fcf6cbd4797331d731b4aed","543d9f2bfd7f91ca63ab9d2d1b6c6fa48c45a7b0","e736042cf8eaf7bf5b36f34af1ed40626beb74d923edbc8fdf6557189eea661d2c0e6fba0e88815e7d33f489aa75f8164fad1339fa915fcad378be4db03a3a8e","83e281865c566b69002e9753b95eab6df6ac067aa5fe6ea23b75dc679930aa554cd640c78cd1948e010a67e92943f911","9bbecb5acecd2544a3ce6fec4dfe5028","5598556fc00e3641a3a9fa69182e7f6a8107c9148f248b92a51f1a77","e48f4614ffffb205e7ec2c80b4a9b9daa8a18994","8c4020c5d668c1fe7ccd43e4ba87b6fb89e289dd7c8aefa9a5ca504c83b017f9386494f35d543b5c8cc7065dad2ee70c","bedbb9deb2d89f624398980d912909a1ccfd01126f6f6328ac10c667e6f522278e565d0d455b2d4883ec36e4506822b2a08110e2e677c2733110984ba666ae8f","7db183c15847634a301761dc8b88e035","c4be70ae961735e9b11c19ed9dccc743","b7fb4ba19da64864938455118696a126af53a51968215b41bed8686b","ecc1d2c145955b841c7755e435dace6472ebaa684d8a03ed56274fabaf90ecbc4b392af5fb9d1555ecc5d3f020ba083445983b6c78e13384a8676fb0f8eeaaaa","9ad3285ba2ed40f7b805800f927766fc"]

def find_hash(msg,i):
    if(sha512(msg.encode()).hexdigest() == hashes[i]):
        print(msg,end = "")
        return 1
    if(sha384(msg.encode()).hexdigest() == hashes[i]):
        print(msg,end = "")
        return 1
    if(sha1(msg.encode()).hexdigest() == hashes[i]):
        print(msg,end = "")
        return 1
    if(sha224(msg.encode()).hexdigest() == hashes[i]):
        print(msg,end = "")
        return 1
    if(md5(msg.encode()).hexdigest() == hashes[i]):
        print(msg,end = "")
        return 1
    return 0

for i in range(len(hashes)):
    has_found = 0
    #一个字符
    for j in table:
        if(find_hash(j,i)):
            has_found = 1
            break
    if(has_found == 1):
        continue
    #两个字符
    for j in table:
        for k in table:
            if(find_hash(j+k,i)):
                has_found = 1
                break
    if(has_found == 1):
        continue
    #三个字符
    for j in table:
        for k in table:
            for m in table:
                if(find_hash(j+k+m,i)):
                    has_found = 1
                    break
    if(has_found == 1):
        continue
    #四个字符
    for j in table:
        for k in table:
            for m in table:
                for n in table:
                    if(find_hash(j+k+m+n,i)):
                        has_found = 1
                        break
    if(has_found == 1):
        continue

#flag{You'VE_cOme_to_unD3R5t4nd_HA5h_a196zTz83fOg}

Week 3

[WEEK3]Classical Master

题目描述：

flag格式：flag{xxx}

题目：

import math
from secret import s
s = s.lower()
keyM = [?]
l = len(keyM)
assert(math.gcd(l,26)==1)
for i in range(len(s)):
    print(chr((ord(s[i])*l-97+(keyM[i % l]))%26+97),end="")

#uvgbdzbihyfxvqipvvwxqnpwybaomhnibglpncsdohyespkglzbbfpgwxjsludjcyesphzlcsznuflejzezmnqpktbjbbajocrqlfzogrpuzwesgqbvhvzpongpdbewtihwvuwrgrzbmudnuaxgzgcknydxhhlqguabnjhczkrfjmxbtavbeennkojetoqtpqlwwupkorramvwhhngyytwzybtriaaxgaodzhzvypiszcmbwchuwrjjfdzqpgvbigxsdzfbbgfyzypiblpflirexudlhfvgpebazjwbabglrorulkzpquvgbdzttgittuxgaodkphelvcpepubfuirzaarfdgzevjxmiwhqtgvnbhqspxlagpluwrrrhshshpptrrpaxozjkdkrbvolwwevbojerxvaghmyvlchzmizeflyytvpqbhwnsxwtvojzhenjozircttqqbcgxgabytqvhlyjcjfoopdrsyhlaokbpweecrbfpyqwjtcxjgzcskojorejtpnokoptlfyzypibsrnkpgjrudkojhchqtgnybpsbcxmzaodoxppkevbpqlzorkrfgzhcxsnedkoaarypoptnanxeaodbpwesbrcjxvagebuazlqpbkojbuwrgpsjozefxwzogfvwnzcrogcyhhipwejfylvottgirfhgtaoqhbfccpelqnxzxrelcpcxfkhujtbwjxynyatvvjyrggppzhjfleknapsohrfwxjsludwnibglrghzcaajfxgzfbhykspijyenndcbkdtuxpozqxohtdapmziujgzhnrkczerpunyhuvazqhqjqjmthmorzmihwctnjcbpsbpehccxyjfvhcubyzdsjsdknhpwargcpvabwvwxjsludazxvcxjojflazjquvbfqzobzeespibpqvjlnvcyrijqlzzrzppicrwujzeqrfjgrkdfqbetkglzruohadypgexuttfybvxmiiuvwlbmkppjyzhixbuklllghnbnderaaarfkjwpljhmcxqkbfdqkhnaanorhruuwizpzmtnedgeybiyvwhhtwxemrtjwwthvvpcrimopodhxmcgudjrhpgyjsrmdwqqvhvqirclsyivjhmcyhzjuyvgvcarfububklnhlqgbbhtqrzxgrqkjcthojpcehtjuyedzrcrphihhdkoaajczzqpcdzhaxgvghhgrcryruwvqbcturoxqmihipmjefxsdkhwqdydfrqttqqngzdbqgjkqjkuhbtjrxzqaittalvhmihriuvckzqvbcnvwveozqxohrzunmtwhqtcqdjyrcxlqbpsvuwrzqzibvbqhvcbqgmohjttwlogudqtjdynjrehfvzwvaxmzmzjwyidgyjrxgstcengphtrvbtoralojyrwlzpebghxoiglwqbesxpoxquahrtlebtmnttxppkepckhhhrjespngrpmbfsbwvqlwhmohjttkglmqqvqqespngrpmbfsbwnzsrfnjcrqawxjhzcaqqnjirbvljlyinjwricnqtoralkrlaodoqqvzkxjqhsxhebyyytriububvgtrcxphizjalyytnudjqevjnzogpcohrkxhybwhbkbtokpglmzzwnwdgtrbmwojgivghmcxyjhghbwnrscyvktsclxmrhhqtfhnvgqtjxvagnbvzrovhnnkppykrflcdwldfepetgxvkojnuwrgaodrhbrsyxelcybljtjxeffcjrgjkhpxgaodipekdtzkxsnbpenglqtpfdcyjidpmxrclkbwvtoetzwpiphtfgisjhslhznuwfoxxcbwfvtkglmfmtcnewxepehlkhwesxmbmtwbphedkaarsjohhetkgcyhijgdvraruihqthezlhpzwhqopsvajpnzgcnavbkebtmxkhcpkbhptqtlwwhmlxfrabutwihdkaglqkbiavyhrovhmbpnclnaaxujvdquxbrcyhqfndijpxejcbkudzuhxoghihbwtvpmrdhlofhbuwryzgxbnuclcqtpfjwfynvhmlpodzxbesyytaznbcjzlnpbetmhpnxfhetyhqzyjzdxqjjfshrsclpmiczyqfbebxpcrwjwwjdazrocbqkojivvetriububvgtrlpljlyritiqtanojfqnrkzozlmtneesxakenibwhpptrrpsxaqpktbhlqgwbbelrcfbkgdjcynvgebvqvfpierzxgenthcihccjovzuahhvgelgrpyqqqvjpjoxxuhfhvjnczeqkbgrljyybaxvagivtebtanzohregpprzudfneethmtgzykojlrcgrxsmihhvjtezqgbroreuwrfhzcaqjdpwbtjfnhujergetwhyksrnkjetaolwqprthmrllhbfhgrchazqvzfdzppprxqkbusctkzrapmbnufdkgjyzhiqzbtzxonpminddgehlphnbcznkogtczybfdzppprjcmihhdvphzewbnhsgthqnehvzpiltbpirfhozcvailcxcdrpvgthqnehvzrrqjhmbkzctqvercrbvoktffbtoplmgvmhzctyryrumihvftbktjcmobscuwrzmgpqzuglcrovhwbqzvlkaaxfdropcturezzcbwrqayyzphtinqdqppnvldzfjkkhrrjcmihynwargrchbnuespjgypwtqhrrvgazavkfrilyytfhpknruknlxvhbzarksxklaflohscljmsxlrbwybrcazcpvabwvuwlraodmzwtuozjjxvagpolbhajlksujzlercypcansclcplpzttgigrcbpxnsipcnunzogadfntvuwrlefcjmjdjxvajgstxrtjozyrqjltbfcjqrrfyhxbdvnqbwhmhrvctijcppbjujdkongxxylhensxwtpbqoheklcribtoohjldoqcxqkbtjdynxezlhvrdutyriypwtqhdgeaarylzqyvlepzcrpazuvsxwtzgqbpyhvxehrwjvqrmtyyjyzhiqqilxatmfmhztmyhpzmrpmbspypbfzlmtnettcrglgdqavdcgrcjqdsphtdvmkehgvwbzlletrwchmjglxetmmvoneflkaazavkpekuwrjxubknuespptatqjcstdnybkzmkojilaxgrzotrdtuirbpglghsbsxklagdkrjolxpszmdknfbreybkzmzrvoteybkzmzrdtuirirfmonvvaxmimhtmbwirfpkehujujkwvepxnszhjkdfjsqsjorfbreybkzmzpekepvzbhmihbijozyrpyqoplbhqsjphfntmkhpaaovzwbgwhvnqqobpsescxnnomihhvjtezqgbtqznkoktgnybspilxvaplqhgizrkabjcbjywngtjkqhtizncbhqsguvghroteybkzmmupfvbqlchlwwwvcozxrzmrzscrkrjyzhixbukielmdnblibjpecxfxfljtjaxgjqvzpebuwrgxsyjqdilnqbhfmipsbgodbypwtqndgnlmgbdjcpespeazavkfpngveiruohusclnrjezmkhelrcgranubuubyzaarzqfoptlkabpvvlbheahpxjyctcjfxnrscxvkosclajgpqjmrvqlfybkzmzxqnpwjrzfohgibbnjjjgcohrklxvaplqhgigrcaajumnwrhjhmcyzbsujtpcjmrwnjcevyirexudtywbpprianmihevmypxencasbijyjjjgcohrkuwrjxuszzetdorovhtihentcjrrqkbcbldoqgrpskojlrcgrjcbtgjqppzeahqtoralgzgaprbcpgvbblgwlnrjdkozrazttgiilxgcyhthuyttlzlmkxzqcvwvetjudkzwvtygbdfdwwrqazxraznsnwetkazmqktfpzpxplxcvrziuypziaodrnwkjxqzlwjwqqvgpscgpptxbukcrkrpmkobtccxxrwxohrqahhlqghhcsngjrlmgvphtdgkrgcnqkobiubgbdfmihenbhqsabqwqpespmtsqbfupukxmiehubpseshpkenhbwdilaxgzcjkojiuwjgatsjthnbhqsvnykzeplhmcyzblpeqlcloazctoralojyrwttqqvttyrvujagubyyyleqpqpvttkgddudjwbqhwzrkhhhrjctijczcsrorebhqskhlflpfcojryhsrzscuwjrypwtqqvypjoqzdzqqvshgircbblwvuvcbqgnjchdptxdigvzotvgypbpzqbyjduyythnqqfyddodcyhprziujvxokhhhrjdcxecxsnnpnedurdjcsubsfrcrlbyjoqrquyytdxvagrujvptryvwqpfxvaaruntcyesxaddfmbubbfnpzluhbxqnpwmtwhqzgjvcnhajlkfujduppddwqbptttkgzcqdwrrjlnbtzlmtczdxnjixcjklpfccrarcsjfsclfxggfjmqqvjppxencafriltxopbnbwchvbbfpqdozppjzjogzttgiolljoanlrpxvlxvabnqwzerbhaazmvkpinubjazmdwhovydmzhcwbspilzdyjdjoxbukhmxehlzhthlkaalfvjftldoqgjfdltyvjhetannbhsesphzegsrziururgvnnbhovybctzuvhcnvzkrjzqbvcwnjpzogzttgiolwzkizdoqqdghryruwbgbvqpglayjzfbokpazkhvwqqnjfxgqwjmfsidarbmwbhuwbbpwtmqxjgihdfjsqsvwwthjpqeehlfqbqhyxbqgbtqdduhxopxktlqzrkcgxcmlhrtdfzrvnnlpeklejoaodzlwbkopcxudjlsdgepzxcmihhvttalxcbjcyilxvcjnyzxbukirxxrdbphhuvitesjorubyxmfzlmrzsccczxazhbajzrzrrrpbnqqpjxmthpyqdpbawzmjqvzapigaxghodwpedpyktvnnbfjdjbaaenxxonbgnabmqqbyjedyxojqwblpflnzkqhlzbwvuvitesjorrqahclazbjyivtnlgrqjshwgrcblazblpetgxanehmhyjiwvedjqjmqjqbwrojydospivhazcqdwzsoltxdrflipcnuxmijadfntvdyprqpibpekjhmxrzmtfrrrvgazavkqqnjhpddxvagsbaxdlkhztcrqlfqlchlwwbftdrbpncbrebtyycxrpzhiguwzcmnmizerbhqsehmjuyfxkrjqzobffirfaajxvagibjpmzapsjtuirzaarfdohrkdknrcnqkoreaxdxzcyhqcvypagjhibwebytzojfxufsnujatzcjkojiwvelaznvfsqryjjjgcwnsoypzhaovzorodyxegpvatwvtejonsqhrsclnrrvujaghdgejoauxkosclarjbnnbcstjgroahlfoydxvmcyzbwhzctijczudubsdjzzsqyqtljergzfcnqkojctgilmhbzpekjjvxrfbkorebhqskhntcjdjhetzwlwwwvypziaodrnwkjhmcyhbfupuknazcncanzqlurghzcazrukvhcyhwohonubxerphifniroqoxumihhnvgqlvzmnnununhzewbknndfnrdrqjkujduyytplqhgitvpprzddazfcuodcynxzpekjvcpepubfrilgetpfdqqpgdoqzmhgjuznuwhlmhlwwscllebihbpzedgeinqylohsbjnrianmihcnyeprxzmtfznuwaarfdxurmlnxehzbqntgyvbcyhlxhhfftyazfwbhegdoatehsjcyernptgqjkojldkgzmgpkojmfcrcebmigbvjejrazcahyngyythnqqfsbpvbtjxvagyidkfbpzyzqwppyrizcszybukkxczwqhyrqayytphdqnutftvtpfvrziujfzsqntknydxzdzqwbpzectnktvnnbphkfnalhzcaxruzyzsqpnhcfflkzogqkbtznkofoxxnbcpewvecxwlnzrftkrjbpyrzsctkrjqzobojilhpfxbqmgrrxvlbehmihwvtobbpqdo

这一题考察对重合指数概念的理解，具体思路在我另一篇博客中有写过：

Crypto趣题-古典密码 | 糖醋小鸡块的blog (tangcuxiaojikuai.xyz)

exp：

from string import *
from Crypto.Util.number import *
from hashlib import *

c = "uvgbdzbihyfxvqipvvwxqnpwybaomhnibglpncsdohyespkglzbbfpgwxjsludjcyesphzlcsznuflejzezmnqpktbjbbajocrqlfzogrpuzwesgqbvhvzpongpdbewtihwvuwrgrzbmudnuaxgzgcknydxhhlqguabnjhczkrfjmxbtavbeennkojetoqtpqlwwupkorramvwhhngyytwzybtriaaxgaodzhzvypiszcmbwchuwrjjfdzqpgvbigxsdzfbbgfyzypiblpflirexudlhfvgpebazjwbabglrorulkzpquvgbdzttgittuxgaodkphelvcpepubfuirzaarfdgzevjxmiwhqtgvnbhqspxlagpluwrrrhshshpptrrpaxozjkdkrbvolwwevbojerxvaghmyvlchzmizeflyytvpqbhwnsxwtvojzhenjozircttqqbcgxgabytqvhlyjcjfoopdrsyhlaokbpweecrbfpyqwjtcxjgzcskojorejtpnokoptlfyzypibsrnkpgjrudkojhchqtgnybpsbcxmzaodoxppkevbpqlzorkrfgzhcxsnedkoaarypoptnanxeaodbpwesbrcjxvagebuazlqpbkojbuwrgpsjozefxwzogfvwnzcrogcyhhipwejfylvottgirfhgtaoqhbfccpelqnxzxrelcpcxfkhujtbwjxynyatvvjyrggppzhjfleknapsohrfwxjsludwnibglrghzcaajfxgzfbhykspijyenndcbkdtuxpozqxohtdapmziujgzhnrkczerpunyhuvazqhqjqjmthmorzmihwctnjcbpsbpehccxyjfvhcubyzdsjsdknhpwargcpvabwvwxjsludazxvcxjojflazjquvbfqzobzeespibpqvjlnvcyrijqlzzrzppicrwujzeqrfjgrkdfqbetkglzruohadypgexuttfybvxmiiuvwlbmkppjyzhixbuklllghnbnderaaarfkjwpljhmcxqkbfdqkhnaanorhruuwizpzmtnedgeybiyvwhhtwxemrtjwwthvvpcrimopodhxmcgudjrhpgyjsrmdwqqvhvqirclsyivjhmcyhzjuyvgvcarfububklnhlqgbbhtqrzxgrqkjcthojpcehtjuyedzrcrphihhdkoaajczzqpcdzhaxgvghhgrcryruwvqbcturoxqmihipmjefxsdkhwqdydfrqttqqngzdbqgjkqjkuhbtjrxzqaittalvhmihriuvckzqvbcnvwveozqxohrzunmtwhqtcqdjyrcxlqbpsvuwrzqzibvbqhvcbqgmohjttwlogudqtjdynjrehfvzwvaxmzmzjwyidgyjrxgstcengphtrvbtoralojyrwlzpebghxoiglwqbesxpoxquahrtlebtmnttxppkepckhhhrjespngrpmbfsbwvqlwhmohjttkglmqqvqqespngrpmbfsbwnzsrfnjcrqawxjhzcaqqnjirbvljlyinjwricnqtoralkrlaodoqqvzkxjqhsxhebyyytriububvgtrcxphizjalyytnudjqevjnzogpcohrkxhybwhbkbtokpglmzzwnwdgtrbmwojgivghmcxyjhghbwnrscyvktsclxmrhhqtfhnvgqtjxvagnbvzrovhnnkppykrflcdwldfepetgxvkojnuwrgaodrhbrsyxelcybljtjxeffcjrgjkhpxgaodipekdtzkxsnbpenglqtpfdcyjidpmxrclkbwvtoetzwpiphtfgisjhslhznuwfoxxcbwfvtkglmfmtcnewxepehlkhwesxmbmtwbphedkaarsjohhetkgcyhijgdvraruihqthezlhpzwhqopsvajpnzgcnavbkebtmxkhcpkbhptqtlwwhmlxfrabutwihdkaglqkbiavyhrovhmbpnclnaaxujvdquxbrcyhqfndijpxejcbkudzuhxoghihbwtvpmrdhlofhbuwryzgxbnuclcqtpfjwfynvhmlpodzxbesyytaznbcjzlnpbetmhpnxfhetyhqzyjzdxqjjfshrsclpmiczyqfbebxpcrwjwwjdazrocbqkojivvetriububvgtrlpljlyritiqtanojfqnrkzozlmtneesxakenibwhpptrrpsxaqpktbhlqgwbbelrcfbkgdjcynvgebvqvfpierzxgenthcihccjovzuahhvgelgrpyqqqvjpjoxxuhfhvjnczeqkbgrljyybaxvagivtebtanzohregpprzudfneethmtgzykojlrcgrxsmihhvjtezqgbroreuwrfhzcaqjdpwbtjfnhujergetwhyksrnkjetaolwqprthmrllhbfhgrchazqvzfdzppprxqkbusctkzrapmbnufdkgjyzhiqzbtzxonpminddgehlphnbcznkogtczybfdzppprjcmihhdvphzewbnhsgthqnehvzpiltbpirfhozcvailcxcdrpvgthqnehvzrrqjhmbkzctqvercrbvoktffbtoplmgvmhzctyryrumihvftbktjcmobscuwrzmgpqzuglcrovhwbqzvlkaaxfdropcturezzcbwrqayyzphtinqdqppnvldzfjkkhrrjcmihynwargrchbnuespjgypwtqhrrvgazavkfrilyytfhpknruknlxvhbzarksxklaflohscljmsxlrbwybrcazcpvabwvuwlraodmzwtuozjjxvagpolbhajlksujzlercypcansclcplpzttgigrcbpxnsipcnunzogadfntvuwrlefcjmjdjxvajgstxrtjozyrqjltbfcjqrrfyhxbdvnqbwhmhrvctijcppbjujdkongxxylhensxwtpbqoheklcribtoohjldoqcxqkbtjdynxezlhvrdutyriypwtqhdgeaarylzqyvlepzcrpazuvsxwtzgqbpyhvxehrwjvqrmtyyjyzhiqqilxatmfmhztmyhpzmrpmbspypbfzlmtnettcrglgdqavdcgrcjqdsphtdvmkehgvwbzlletrwchmjglxetmmvoneflkaazavkpekuwrjxubknuespptatqjcstdnybkzmkojilaxgrzotrdtuirbpglghsbsxklagdkrjolxpszmdknfbreybkzmzrvoteybkzmzrdtuirirfmonvvaxmimhtmbwirfpkehujujkwvepxnszhjkdfjsqsjorfbreybkzmzpekepvzbhmihbijozyrpyqoplbhqsjphfntmkhpaaovzwbgwhvnqqobpsescxnnomihhvjtezqgbtqznkoktgnybspilxvaplqhgizrkabjcbjywngtjkqhtizncbhqsguvghroteybkzmmupfvbqlchlwwwvcozxrzmrzscrkrjyzhixbukielmdnblibjpecxfxfljtjaxgjqvzpebuwrgxsyjqdilnqbhfmipsbgodbypwtqndgnlmgbdjcpespeazavkfpngveiruohusclnrjezmkhelrcgranubuubyzaarzqfoptlkabpvvlbheahpxjyctcjfxnrscxvkosclajgpqjmrvqlfybkzmzxqnpwjrzfohgibbnjjjgcohrklxvaplqhgigrcaajumnwrhjhmcyzbsujtpcjmrwnjcevyirexudtywbpprianmihevmypxencasbijyjjjgcohrkuwrjxuszzetdorovhtihentcjrrqkbcbldoqgrpskojlrcgrjcbtgjqppzeahqtoralgzgaprbcpgvbblgwlnrjdkozrazttgiilxgcyhthuyttlzlmkxzqcvwvetjudkzwvtygbdfdwwrqazxraznsnwetkazmqktfpzpxplxcvrziuypziaodrnwkjxqzlwjwqqvgpscgpptxbukcrkrpmkobtccxxrwxohrqahhlqghhcsngjrlmgvphtdgkrgcnqkobiubgbdfmihenbhqsabqwqpespmtsqbfupukxmiehubpseshpkenhbwdilaxgzcjkojiuwjgatsjthnbhqsvnykzeplhmcyzblpeqlcloazctoralojyrwttqqvttyrvujagubyyyleqpqpvttkgddudjwbqhwzrkhhhrjctijczcsrorebhqskhlflpfcojryhsrzscuwjrypwtqqvypjoqzdzqqvshgircbblwvuvcbqgnjchdptxdigvzotvgypbpzqbyjduyythnqqfyddodcyhprziujvxokhhhrjdcxecxsnnpnedurdjcsubsfrcrlbyjoqrquyytdxvagrujvptryvwqpfxvaaruntcyesxaddfmbubbfnpzluhbxqnpwmtwhqzgjvcnhajlkfujduppddwqbptttkgzcqdwrrjlnbtzlmtczdxnjixcjklpfccrarcsjfsclfxggfjmqqvjppxencafriltxopbnbwchvbbfpqdozppjzjogzttgiolljoanlrpxvlxvabnqwzerbhaazmvkpinubjazmdwhovydmzhcwbspilzdyjdjoxbukhmxehlzhthlkaalfvjftldoqgjfdltyvjhetannbhsesphzegsrziururgvnnbhovybctzuvhcnvzkrjzqbvcwnjpzogzttgiolwzkizdoqqdghryruwbgbvqpglayjzfbokpazkhvwqqnjfxgqwjmfsidarbmwbhuwbbpwtmqxjgihdfjsqsvwwthjpqeehlfqbqhyxbqgbtqdduhxopxktlqzrkcgxcmlhrtdfzrvnnlpeklejoaodzlwbkopcxudjlsdgepzxcmihhvttalxcbjcyilxvcjnyzxbukirxxrdbphhuvitesjorubyxmfzlmrzsccczxazhbajzrzrrrpbnqqpjxmthpyqdpbawzmjqvzapigaxghodwpedpyktvnnbfjdjbaaenxxonbgnabmqqbyjedyxojqwblpflnzkqhlzbwvuvitesjorrqahclazbjyivtnlgrqjshwgrcblazblpetgxanehmhyjiwvedjqjmqjqbwrojydospivhazcqdwzsoltxdrflipcnuxmijadfntvdyprqpibpekjhmxrzmtfrrrvgazavkqqnjhpddxvagsbaxdlkhztcrqlfqlchlwwbftdrbpncbrebtyycxrpzhiguwzcmnmizerbhqsehmjuyfxkrjqzobffirfaajxvagibjpmzapsjtuirzaarfdohrkdknrcnqkoreaxdxzcyhqcvypagjhibwebytzojfxufsnujatzcjkojiwvelaznvfsqryjjjgcwnsoypzhaovzorodyxegpvatwvtejonsqhrsclnrrvujaghdgejoauxkosclarjbnnbcstjgroahlfoydxvmcyzbwhzctijczudubsdjzzsqyqtljergzfcnqkojctgilmhbzpekjjvxrfbkorebhqskhntcjdjhetzwlwwwvypziaodrnwkjhmcyhbfupuknazcncanzqlurghzcazrukvhcyhwohonubxerphifniroqoxumihhnvgqlvzmnnununhzewbknndfnrdrqjkujduyytplqhgitvpprzddazfcuodcynxzpekjvcpepubfrilgetpfdqqpgdoqzmhgjuznuwhlmhlwwscllebihbpzedgeinqylohsbjnrianmihcnyeprxzmtfznuwaarfdxurmlnxehzbqntgyvbcyhlxhhfftyazfwbhegdoatehsjcyernptgqjkojldkgzmgpkojmfcrcebmigbvjejrazcahyngyythnqqfsbpvbtjxvagyidkfbpzyzqwppyrizcszybukkxczwqhyrqayytphdqnutftvtpfvrziujfzsqntknydxzdzqwbpzectnktvnnbphkfnalhzcaxruzyzsqpnhcfflkzogqkbtznkofoxxnbcpewvecxwlnzrftkrjbpyrzsctkrjqzobojilhpfxbqmgrrxvlbehmihwvtobbpqdo"
table = ascii_lowercase
dic = {'a': 0.08167,'b': 0.01492,'c': 0.02782,'d':0.04253,'e': 0.12702,'f':0.02228,'g': 0.02015,'h':0.06094,'i':0.06966,'j':0.00153,'k':0.00772,'l':0.04025,'m':0.02406,'n':0.06749,'o':0.07507,'p':0.01929,'q':0.00095,'r':0.05987,'s':0.06327,'t':0.09056,'u':0.02758,'v':0.00978,'w':0.02360,'x':0.00150,'y':0.01974,'z':0.00074}

#obj:待分割字符串  #sec:分割长度
def cut(obj, sec):
    return [obj[i:i+sec] for i in range(0,len(obj),sec)]

#计算重合指数
def In(c):
    freq = {i:0 for i in table}
    for i in range(len(table)):
        freq[table[i]] = c.count(table[i]) / len(c)
    index = 0
    for i in table:
        index += freq[i] * freq[i]
    return index

#计算与英语字频吻合指数
def In_m(c):
    freq = {i:0 for i in table}
    for i in range(len(table)):
        freq[table[i]] = c.count(table[i]) / len(c)
    index = 0
    for i in table:
        index += freq[i] * dic[i]
    return index

#part1 依据重合指数找出l = 11
t = c
if(0):
    for i in range(1,100):
        temp = cut(t,i)
        temp1 = ["" for m in range(i)]
        for k in range(len(temp)-1):
            temp1[0] += temp[k][0]
        index = In("".join(temp1[0]))
        if(index > 0.060):
            print("lenkey = ",i,"   In = ",index)

#part2 依据与英语字频吻合指数找出具体的key
if(0):
    a = 11
    for i in range(11):
        for b in range(26):
            temp = cut(t,11)
            temp1 = ["" for m in range(11)]
            for k in range(len(temp)-1):
                temp1[i] += temp[k][i]
            m = ''
            for x in temp1[i]:
                m += table[((table.index(x)-b)*inverse(a,26))%26]
            index = In_m("".join(m))
            #print(index)
            if(index > 0.060):
                print(b, end = ",")

#part3 得到m
if(1):
    m = ""
    key = [19,23,25,1,25,15,11,9,15,17,3]
    b = 11
    for i in range(len(t)):
        temp = ((table.index(t[i])-key[i%b])*inverse(11,26))%26
        m += table[temp]
    print(m)

#flag{youaretherealmaster}

[WEEK3]e=3

题目描述：

e=3最简单了

题目：

from Crypto.Util.number import *
import random
from secret import flag

M = 2**54
k = 6

def gen_prime(M, k):
    while True:
        prime = sum([random.getrandbits(16) * M**i for i in range(k)])
        if isPrime(prime) and (prime-1) % 3 == 0:
            return prime
        
p, q, r = [gen_prime(M, k) for i in range(3)]
N = p * q * r
e = 3
m = bytes_to_long(flag)
c = pow(m, e, N)
print(f'N = {N}')
print(f'c = {c}')

"""
N = 3298593732762513945346583663585189774036688951059270517149719979434109398447628726951796006700754759352430339647168415338320547665794785951232342902233013221132246450312038122695046634624323814318286314664160113738299465643128504110932989263063331290006313
c = 869489491924953293290699796392271834401780578884556874640489836779925847562085802848542382525324081900560761299059365684697233025590164192409062717942292142906458498707677300694595072310705415037345581289469698221468377159605973403471463296806900975548438
"""

观察到N由三个素数组成，且每个素数均满足如下形式：

$$p = a_0 + a_1*M + a_2*M^2 + a_3*M^3 + a_4*M^4 + a_5*M^5$$

其中，ai是随机生成的16比特数，M是2^54。可以发现，这其实就是一个M进制数，其几个数码分别为a_i。

什么意思呢？举个例子，一个十进制数12345，可以写成下面的形式：

$$12345 = 5 + 4*10 + 3*10^2 + 2*10^3 + 1*10^4$$

因此其几个数码为1、2、3、4、5。而这个数显然也可以写为多项式形式如下：

$$f(x) = 5 + 4x + 3x^2 + 2x^3 + x^4$$

当x取值为10时，代入多项式的值就能求得12345。

那么把这个应用到M进制数 上来，就有：

$$f_p(x) = a_0 + a_1x + a_2x^2 + a_3x^3 + a_4x^4 + a_5x^5$$ $$f_q(x) = b_0 + b_1x + b_2x^2 + b_3x^3 + b_4x^4 + b_5x^5$$ $$f_r(x) = c_0 + c_1x + c_2x^2 + c_3x^3 + c_4x^4 + c_5x^5$$

当x取为M时，上面三个多项式就分别取得p、q、r。因此n可以看作是三个多项式相乘，将n也转化为M进制数下的多项式形式进行分解，就能得到三个多项式，再将M分别代进多项式中就能得到p、q、r。

得到p、q、r后，由于3与p-1、q-1、r-1均不互素，因此还需要有限域开根后CRT组合。

exp：

from sympy.ntheory.modular import crt
from Crypto.Util.number import *

M = 2**54
k = 6
e = 3

N = 3298593732762513945346583663585189774036688951059270517149719979434109398447628726951796006700754759352430339647168415338320547665794785951232342902233013221132246450312038122695046634624323814318286314664160113738299465643128504110932989263063331290006313
c = 869489491924953293290699796392271834401780578884556874640489836779925847562085802848542382525324081900560761299059365684697233025590164192409062717942292142906458498707677300694595072310705415037345581289469698221468377159605973403471463296806900975548438

n = N
R.<x> = ZZ[]
listM = []
while(N != 0):
    listM.append(N & (2**54-1))
    N = N>>54
f = 0
for i in range(0,16):
    f += (x^i)*(listM[i])
#print(f.is_irreducible())
temp = f.factor()
plist = list(temp[0][0])
qlist = list(temp[1][0])
rlist = list(temp[2][0])
p,q,r = 0,0,0
for i in range(6):
    p += plist[i]*(2**(54*i))
    q += qlist[i]*(2**(54*i))
    r += rlist[i]*(2**(54*i))


PR.<x> = Zmod(p)[]
f = x^3 - c
resp = f.roots()

PR.<x> = Zmod(q)[]
f = x^3 - c
resq = f.roots()

PR.<x> = Zmod(r)[]
f = x^3 - c
resr = f.roots()

modlist = [p,q,r]
for i in resp:
    for j in resq:
        for k in resr:
            c = [int(i[0]),int(j[0]),int(k[0])]
            m = crt(modlist,c)[0]
            temp = long_to_bytes(m)
            if(b"flag" in temp):
                print(temp)

#flag{e1b7d2c2-e265-11eb-b693-98fa9b5bc5fe}

[WEEK3]撤退！

题目：

from Crypto.Util.number import *

flag = *******
p = getPrime(1024)
q = getPrime(1024)
n = p * q

hb = len(flag)//2
hb1 = bytes_to_long(flag[:hb])
hb2 = bytes_to_long(flag[hb:])
D = 117
x = *******
y = *******
assert x**2 - D * y**2 == 1
enc1 = pow(334 * n ** 2 + 1, hb1, n ** 3)
enc2 = pow(y * n + 1, hb2, n ** 3)
print(n)
print(enc1)
print(enc2)

'''
22970461944771505344360312103272646796516672838005008112295760406393062653512719537671401409823031480497512491850701737384621917068068328814717390355072928714618936469722031401433712342846780800586803218279291870162605299119904016959036663767093191710796830156169925350938267584422752300171293262391805105435418210827517225439398971437884496416502510866914857269951072184669675339439115587325754431761172634305242650221404868035624879538862880516438147301289746375407945908866907822940285764276956194031840381838253923392794376568293056359058519233175242523219646628321609305890926063856400793680641992567798104042179
26380574883568223071748995929433720836641856899148821439556557592284999544802260386919172895274884666117488851000353221957579311943624258651646692068406462392980585841604755021251430357273933800209194484692955106014890051223465745443628784077844452303995642424661442978294757109040081050794398646640530714904683097650259060507908334791761124660725589404056356987726993518057050112725483482660202442987346646160168856264312557595890710521723067518303906942469282527855551751244126251698491010628369012024332666619702895796133780038584346428759785302542637171018926824843416176876077558936427399803328577151066597396550597352625005028261156114571696860700477410270949916316951150072218466374341394892405947793726872954497972795793421222424616005278493704125169150432275472846871295341469911428057621028515874978272004775903906188556908968810828510069826724631700523623584802605889173266453916347583720706846630531082266742377818663000322817114065116737931523412220137972079139507877669106470150742546914051556747087768279286696519700220233815812834114117581332234344024169109786527295900675653245014343393093832478814567179131966404207553408747774003319241150221488231674711614902743345516888975702483348011349617017294004761259419165663633915672647187482242462163420462987034240805524991
21190674872507845600786632640969893237129139877891071648594239906632201421611954626926407751780936578853046780585253060958265549804784845192757301417173404074965693840282568701968464564320290763073618132775799910356101999797720378313304899173154753858674284071499775857913937184713024788245068426198878834805943703426673512761178072458895973672088230653246356764681418231485563287856188079274727706554037799748595877069143254516390328019381867648697880975670688337068196993846986940286056873616919629721264139576692806770826129279380704466982862393203486037890448173834315360975464927583664991534571518159777852793416869350127023692816051992183670690315184731534611966603509867722931839839084915943647295195314171688904055674915382434841320612108023531722571519492067471405656160804893645713608592561788743509876384862097871840094582513721456962354498561006793609200187065931433827465455037397503619844768415369973322759940610358415184510344945559838007474725413347675347453443583610217539704055467297318282309867987435252614428856515259899385689971172417660178761139941056839133998928898528744331662995956041897599276732929020537698559927654297185422925737241274711904687894411308774527520523946951208805307060323875839353707549772052299847176824964552693112658495961070555882583739017417359463576705453026824255338859618053086622031941

'''

首先解佩尔方程得到x、y。然后由于：

$$enc1 \equiv (334n^2+1)^{m1} \quad(mod\;n^3)$$ $$enc2 \equiv (yn+1)^{m2} \quad(mod\;n^3)$$

分别用二项式定理展开，并将二式在模n^2下求解，会得到以下两个式子：

$$enc1 \equiv 1 + 334n^2*m1 \quad(mod\;n^3)$$ $$enc2 \equiv 1 + yn*m2 \quad(mod\;n^2)$$

分别对应做除法即可。

exp：

from Crypto.Util.number import *

def solve_pell(N, numTry = 100):
    cf = continued_fraction(sqrt(N))
    for i in range(numTry):
        denom = cf.denominator(i)
        numer = cf.numerator(i)
        if numer^2 - N * denom^2 == 1:
            return numer, denom
    return None, None

D = 117
x,y = solve_pell(D)

n = 22970461944771505344360312103272646796516672838005008112295760406393062653512719537671401409823031480497512491850701737384621917068068328814717390355072928714618936469722031401433712342846780800586803218279291870162605299119904016959036663767093191710796830156169925350938267584422752300171293262391805105435418210827517225439398971437884496416502510866914857269951072184669675339439115587325754431761172634305242650221404868035624879538862880516438147301289746375407945908866907822940285764276956194031840381838253923392794376568293056359058519233175242523219646628321609305890926063856400793680641992567798104042179
enc1 = 26380574883568223071748995929433720836641856899148821439556557592284999544802260386919172895274884666117488851000353221957579311943624258651646692068406462392980585841604755021251430357273933800209194484692955106014890051223465745443628784077844452303995642424661442978294757109040081050794398646640530714904683097650259060507908334791761124660725589404056356987726993518057050112725483482660202442987346646160168856264312557595890710521723067518303906942469282527855551751244126251698491010628369012024332666619702895796133780038584346428759785302542637171018926824843416176876077558936427399803328577151066597396550597352625005028261156114571696860700477410270949916316951150072218466374341394892405947793726872954497972795793421222424616005278493704125169150432275472846871295341469911428057621028515874978272004775903906188556908968810828510069826724631700523623584802605889173266453916347583720706846630531082266742377818663000322817114065116737931523412220137972079139507877669106470150742546914051556747087768279286696519700220233815812834114117581332234344024169109786527295900675653245014343393093832478814567179131966404207553408747774003319241150221488231674711614902743345516888975702483348011349617017294004761259419165663633915672647187482242462163420462987034240805524991
enc2 = 21190674872507845600786632640969893237129139877891071648594239906632201421611954626926407751780936578853046780585253060958265549804784845192757301417173404074965693840282568701968464564320290763073618132775799910356101999797720378313304899173154753858674284071499775857913937184713024788245068426198878834805943703426673512761178072458895973672088230653246356764681418231485563287856188079274727706554037799748595877069143254516390328019381867648697880975670688337068196993846986940286056873616919629721264139576692806770826129279380704466982862393203486037890448173834315360975464927583664991534571518159777852793416869350127023692816051992183670690315184731534611966603509867722931839839084915943647295195314171688904055674915382434841320612108023531722571519492067471405656160804893645713608592561788743509876384862097871840094582513721456962354498561006793609200187065931433827465455037397503619844768415369973322759940610358415184510344945559838007474725413347675347453443583610217539704055467297318282309867987435252614428856515259899385689971172417660178761139941056839133998928898528744331662995956041897599276732929020537698559927654297185422925737241274711904687894411308774527520523946951208805307060323875839353707549772052299847176824964552693112658495961070555882583739017417359463576705453026824255338859618053086622031941

m1 = (enc1 - 1) // (334*n^2)
m2 = (enc2% (n^2) - 1) // (y*n)

print(str(long_to_bytes(m1))[2:-1],end = "")
print(str(long_to_bytes(m2))[2:-1],end = "")

#flag{6c6eb27a-061b-baf4-4cae26-5a609588ce}

[WEEK3]好好好！

题目：

***EGK*MAPZ**3TISLXYHW*B4*R*6CQV




e=65537
dp=89183181604123417010894108474901628410408206538085478807758137668201829058797702838603939730356798163745078443656032825128645105954284119126609502005130005399692420386460970318283171848176434285488698019425286328269756591931253074416895028845240978211030365697435579850343911269163064228581083838914477473793
n=17133884272385326910236146208723169235592379139078245324256146697759098524213354087333170410075813764497353656874360657828668202585141557095326829141561993608634568037533128091918704136052835609732443342167341276983343070200953604216445186924411131823487594273213380078485528148801722039459601896275130691200206027353715109606722659553700867073796386669768748305283547862565020499794358571741903375812063001390288166187510171105241363677243530996160649133253643422391688399573703498726489248479978887237752214015456924632092625018668632234215462091314384917176427670194819828555385014264912614752917792278216214856001
c=7297673446200396117470312266735704951424121735299327785232249350567349180167473433806232931862684106388722088953786183522191592452252650217579986150373463901393038386627370305688040315665037164819432754099421229466379901436696822022518438390977543864543590936753547325597766614648063328562516667604171990354928485383191174966274941678597887943784661684719053108281896697098991347034225406718530599672101743303723470910913422462764406680309933367328977341637394665138995676573466380198978810546689819954949832833954061771415463198737542769848298258925680570823701939997224167603657418270886620562332895947413332492672

首先由dp泄漏得到一串换表后的base32值：

7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS====

然后让chatgpt写一个生成所有可能的码表的脚本，并检验换表base32解密后是否有flag头就好。

exp：

from Crypto.Util.number import *
from base64 import b32decode
import string

e=65537
dp=89183181604123417010894108474901628410408206538085478807758137668201829058797702838603939730356798163745078443656032825128645105954284119126609502005130005399692420386460970318283171848176434285488698019425286328269756591931253074416895028845240978211030365697435579850343911269163064228581083838914477473793
n=17133884272385326910236146208723169235592379139078245324256146697759098524213354087333170410075813764497353656874360657828668202585141557095326829141561993608634568037533128091918704136052835609732443342167341276983343070200953604216445186924411131823487594273213380078485528148801722039459601896275130691200206027353715109606722659553700867073796386669768748305283547862565020499794358571741903375812063001390288166187510171105241363677243530996160649133253643422391688399573703498726489248479978887237752214015456924632092625018668632234215462091314384917176427670194819828555385014264912614752917792278216214856001
c=7297673446200396117470312266735704951424121735299327785232249350567349180167473433806232931862684106388722088953786183522191592452252650217579986150373463901393038386627370305688040315665037164819432754099421229466379901436696822022518438390977543864543590936753547325597766614648063328562516667604171990354928485383191174966274941678597887943784661684719053108281896697098991347034225406718530599672101743303723470910913422462764406680309933367328977341637394665138995676573466380198978810546689819954949832833954061771415463198737542769848298258925680570823701939997224167603657418270886620562332895947413332492672

for k in range(10,e):
    if((e*dp-1) % k == 0 and GCD((e*dp-1) // k + 1 , n) != 1):
        p = (e*dp-1) // k + 1
        q = n // p

d = inverse(e,(p-1)*(q-1))
#print(long_to_bytes(pow(c,d,n)))

c = "7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS===="

table = "***EGK*MAPZ**3TISLXYHW*B4*R*6CQV"
t4ble = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

temp = []
for i in t4ble:
    if(i not in table):
        temp.append(i)


import itertools

# 给定字符列表
characters = temp

# 目标字符串
target_string = table

# 用于存储结果的列表
results = []

# 生成给定字符的全排列
permutations = list(itertools.permutations(characters))

# 遍历全排列并将其填入目标字符串
for perm in permutations:
    result = list(target_string)
    for char in perm:
        result[result.index('*')] = char
    results.append(''.join(result))

# 打印或处理结果
for idx, result in enumerate(results, 1):
    temp = b32decode(c.translate(str.maketrans(result,t4ble)))
    if("flag" in str(temp) and "\\" not in str(temp)):
        print(temp)
        break

#flag{fa48a440-d0ff-0c2a-366243-a46b7e7853}

[WEEK3]easyrsa

题目：

from Crypto.Util.number import *
from flag import flag

p1 = getPrime(512)
q1 = getPrime(512)
n1 = p1 * q1

e = 65537

p2 = getPrime(1024)
q2 = getPrime(1024)
n2 = p2 * q2

leak1 = (p2+q2) >> 400
leak2 = (p1 & ((1 << 350) - 1)) >> 5

enc = pow(leak2,e,n2)
c = pow(bytes_to_long(flag),e,n1)
f = open(f'output.txt','w')
f.write(f'n1 = {n1}\n')
f.write(f'n2 = {n2}\n')
f.write(f'leak1 = {leak1}\n')
f.write(f'enc = {enc}\n')
f.write(f'c = {c}')
f.close()

output.txt：

n1 = 105813626754830369767796578799226643889033227412658130226893708851110720416468059965713264658478299377654212587044247669928410442281831382577490105352633718272894531572352233211881056495752193201866649055622358234888531194346296702453105176147272971386928767457928148705433435309063146652094354833396307613911
n2 = 20369481027961668058257949652346266097405331865071244844827896944882851755421021125005038786750268341013032202394581223828526073179263634639721089663050687773353438686984875196973012077948955566738301337866191557952973517042420660699281973702694965572488938789954679350791243570953680441483360036599350550534192027759384675611155970913348616382186229565994100357427843446265863186624731991521034305958565644266001622849342042747046352413268149901263629515623929619659379883036239511300563910486156582808698915297257307692017642458823600500445082987244477251123335410633989767118317681371314078169733374888688620813839
leak1 = 110733171993470709195465104383246525062178362778220972191726705114514369848757940664883819735824778128179586221599072975207093223575285541338555960658178287486722693023393688158120847028382
enc = 3724360314735337348015983350518926695244720487101059718828225257324872465291143851090607580822961202894850524395217010317254775500983396154162166500198523991652838543842978138662752717532358799622372813160573374563924704242911344052149200174619645796187521459916955545794017698320367273671936314947729523150627463505338870024421481261166504454532278895870561732979282672259730923724762173494886613682487373643406390205027508946750313076817576295795818790961232101069994823561840743308871216879655652136743807002025483269687509388947008928281179566366429525183899914275273098400627187051739816901887290337980735995613
c = 38127787578353827234498259231834082660893046004292279030517959465543348558091033172704284501791369355347078715874056471582324178524957666710131669794646539355849074198396968523041568909435662208846480656877184197877122598569708545477705274221697660270808685794034776172296500330563270867517390911486555286886

这个题目前段时间有师傅问过我，结果仔细一看连数据都没改(……)，还是讲一讲思路吧。

题目的主要问题在于由leak1解出leak2。显然，如果我们有完整的p2+q2，我们就能够直接联立n2的方程得到精确的p2、q2的值。但是问题在于leak1的低四百位被隐藏了，因此我们没有办法直接解出精确的p2、q2。

而事实上，我们并不需要精确的p2、q2，我们只需要知道他们的高位，就可以通过p高位泄漏求出他们的精确值。因此我们可以通过下面方式解出p2、q2的近似值：

#part1 get leak2
PR.<x> = PolynomialRing(RealField(1000))
f = x*((leak1<<400)-x) - n2 
p2high = int(f.roots()[0][0])

可以看到，在以前一般我们建立的是模n的多项式环，因此要么解不出来，要么解出来的是准确值。

而现在我们建立的是一个精度为1000位的实数环，解出来的值就满足：

$$p2*q2 \approx n2$$

而解出的p2、q2与实际p2、q2的误差，与leak1与(p2+q2)的实际值之间的误差相当，因此解出来的值高位是准确的，最多还会有一个十进制数的进位产生的差异，也就是约为3个二进制位。因此我们可以用p高位泄漏解出p2、q2。解出p2、q2后就有leak2，然后就是一个普通的p低位泄露问题。

exp：

from Crypto.Util.number import *

n1 = 105813626754830369767796578799226643889033227412658130226893708851110720416468059965713264658478299377654212587044247669928410442281831382577490105352633718272894531572352233211881056495752193201866649055622358234888531194346296702453105176147272971386928767457928148705433435309063146652094354833396307613911
n2 = 20369481027961668058257949652346266097405331865071244844827896944882851755421021125005038786750268341013032202394581223828526073179263634639721089663050687773353438686984875196973012077948955566738301337866191557952973517042420660699281973702694965572488938789954679350791243570953680441483360036599350550534192027759384675611155970913348616382186229565994100357427843446265863186624731991521034305958565644266001622849342042747046352413268149901263629515623929619659379883036239511300563910486156582808698915297257307692017642458823600500445082987244477251123335410633989767118317681371314078169733374888688620813839
leak1 = 110733171993470709195465104383246525062178362778220972191726705114514369848757940664883819735824778128179586221599072975207093223575285541338555960658178287486722693023393688158120847028382
enc = 3724360314735337348015983350518926695244720487101059718828225257324872465291143851090607580822961202894850524395217010317254775500983396154162166500198523991652838543842978138662752717532358799622372813160573374563924704242911344052149200174619645796187521459916955545794017698320367273671936314947729523150627463505338870024421481261166504454532278895870561732979282672259730923724762173494886613682487373643406390205027508946750313076817576295795818790961232101069994823561840743308871216879655652136743807002025483269687509388947008928281179566366429525183899914275273098400627187051739816901887290337980735995613
c = 38127787578353827234498259231834082660893046004292279030517959465543348558091033172704284501791369355347078715874056471582324178524957666710131669794646539355849074198396968523041568909435662208846480656877184197877122598569708545477705274221697660270808685794034776172296500330563270867517390911486555286886
e = 65537 
 
#part1 get leak2
PR.<x> = PolynomialRing(RealField(1000))
f = x*((leak1<<400)-x) - n2 
p2high = int(f.roots()[0][0])

PR.<x> = PolynomialRing(Zmod(n2))
f = p2high + x
res = f.small_roots(X=2^403, beta=0.4)[0]
p2 = int(p2high + res)
q2 = n2 // p2
d2 = inverse(e,(p2-1)*(q2-1))
leak2 = pow(enc, d2, n2)


#part1 get m
xbits = 512 - 350
leak2 = leak2 << 5
for i in range(32):
    p1low = int(leak2 + i)
    PR.<x> = PolynomialRing(Zmod(n1))
    f = x*2^350 + p1low
    f = f.monic()
    try: 
        res = f.small_roots(X=2^xbits, beta=0.4)[0]
        p1 = int(res * 2^350 + p1low)
        q1 = n1 // p1
        break
    except:
        pass
d1 = inverse(e,(p1-1)*(q1-1))
print(long_to_bytes(int(pow(c,d1,n1))))

#flag{9995eae8acaac286c7b72e50e5258dc3

[WEEK3]ECC

题目描述：

ECC是“Error Checking and Correcting”的简写 ---- 《百度百科》

题目：

from Crypto.Util.number import bytes_to_long ,getPrime
from random import randint
from secret import flag , p, A, B
class LCG:
    def __init__(self, seed, multiplier, increment, modulus):
        self.state = seed
        self.multiplier = multiplier
        self.increment = increment
        self.modulus = modulus

    def round(self):
        self.state = (self.state * self.multiplier + self.increment) % self.modulus
        return self.state

LcG = LCG(p, A, B, getPrime(300))
hint = []
rounds = randint(9,999)
for i in range(rounds):
    hint.append(LcG.round())

print('N =', LcG.modulus)
print('hint =', hint[rounds-3:])
print('rounds =',rounds)

m = bytes_to_long(flag)
E = EllipticCurve(GF(p),[A,B])
P = E.random_point() 
Q = m*P

print ('P:',P)
print ('Q:',Q)


# N = 1756436166407836493798726314365345209041467063368466691280475314657490639743277323145836159 
# hint = [1570694739893062645954897001702004554030820147773705206144961894236480600502144377530243430, 1115071559941911318308753566664426840423418447339890011281946738239984044436490114276986358, 1724417937645231946682439402005218433918418922370889412352845326882349141006072218192190414]
# rounds = 201

# P:(37977159917993725569055235995991171988930922261017470137494292644600863220268 : 18702328678557323528043531437349309255558505679181203523362701784535278781654 : 1)
# Q:(50869218310545924409688834318827602878615827095578074934136681999097237356553 : 56112306156084592253561365078969255013878959268941761289693638560533128799289 : 1)

分为三步解决题目：

• 由hint恢复LCG的参数A、B
• 恢复LCG的种子p
• 发现由p、A、B参数生成的椭圆曲线的阶恰为p，用smart_attack解DLP

exp：

from Crypto.Util.number import *

N = 1756436166407836493798726314365345209041467063368466691280475314657490639743277323145836159 
hint = [1570694739893062645954897001702004554030820147773705206144961894236480600502144377530243430, 1115071559941911318308753566664426840423418447339890011281946738239984044436490114276986358, 1724417937645231946682439402005218433918418922370889412352845326882349141006072218192190414]
rounds = 201

P = (37977159917993725569055235995991171988930922261017470137494292644600863220268,18702328678557323528043531437349309255558505679181203523362701784535278781654,1)
Q = (50869218310545924409688834318827602878615827095578074934136681999097237356553,56112306156084592253561365078969255013878959268941761289693638560533128799289,1)

m = N
c1 ,c2,c3 = hint

A = inverse(c2-c1,m)*(c3-c2) %m
B = (-A*c1 + c2) % m
seed = c1
for i in range(201-3+1):
    seed = (seed-B) * inverse(A,m) % m

p = int(seed)
#print(p)
E = EllipticCurve(GF(p),[A,B])

P = E(P)
Q = E(Q)

#print(E.order())
def SmartAttack(P,Q,p):
    E = P.curve()
    Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ])

    P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True)
    for P_Qp in P_Qps:
        if GF(p)(P_Qp.xy()[1]) == P.xy()[1]:
            break

    Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True)
    for Q_Qp in Q_Qps:
        if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]:
            break

    p_times_P = p*P_Qp
    p_times_Q = p*Q_Qp

    x_P,y_P = p_times_P.xy()
    x_Q,y_Q = p_times_Q.xy()

    phi_P = -(x_P/y_P)
    phi_Q = -(x_Q/y_Q)
    k = phi_Q/phi_P
    return ZZ(k)

m = SmartAttack(P, Q, p)
print(long_to_bytes(int(m)))

#flag{TH4ts_EA5y3St_ecc_O1I15g}