核桃的博客

软件系统安全赛crypto复盘

Mon, 16 Mar 2026 17:21:58 +0000

十四号打的比赛赛前没睡好觉，十五号又在考试，感觉自己要猝死了赶紧睡了一天，题目原文件在附录，现在来复盘这道题。

费马小定理实战题

Thu, 12 Mar 2026 10:57:54 +0000

```python from Crypto.Util.number import * from gmpy2 import gcd flag = b'xxxxxxxxxxxxx' p = getPrime(512) q = getPrime(512) m = bytes_to_long(flag) n = p*q e = 65537 c = pow(m,e,n) print('c={}'.format(c)) p1 = getPrime(512) q1 = getPrime(512) n1 = p1*q1 e1 = 65537 assert gcd(e1,(p1-1)*(q1-1)) == 1 c1 = pow(p,e1,n1) print('n1={}'.format(n1)) print('c1={}'.format(c1)) hint1 = pow(2020 * p1 + q1, 202020, n1) hint2 = pow(2021 * p1 + 212121, q1, n1) print('hint1={}'.format(hint1)) print('hint2={}'.format(hint2)) p2 = getPrime(512) q2 = getPrime(512) n2 = p2*q2 e2 = 65537 assert gcd(e1,(p2-1)*(q2-1)) == 1 c2 = pow(q,e2,n2) hint3 = pow(2020 * p2 + 2021 * q2, 202020, n2) hint4 = pow(2021 * p2 + 2020 * q2, 212121, n2) print('n2={}'.format(n2)) print('c2={}'.format(c2)) print('hint3={}'.format(hint3)) print('hint4={}'.format(hint4)) #c=13492392717469817866883431475453770951837476241371989714683737558395769731416522300851917887957945766132864151382877462142018129852703437240533684604508379950293643294877725773675505912622208813435625177696614781601216465807569201380151669942605208425645258372134465547452376467465833013387018542999562042758 #n1=75003557379080252219517825998990183226659117019770735080523409561757225883651040882547519748107588719498261922816865626714101556207649929655822889945870341168644508079317582220034374613066751916750036253423990673764234066999306874078424803774652754587494762629397701664706287999727238636073466137405374927829 #c1=68111901092027813007099627893896838517426971082877204047110404787823279211508183783468891474661365139933325981191524511345219830693064573462115529345012970089065201176142417462299650761299758078141504126185921304526414911455395289228444974516503526507906721378965227166653195076209418852399008741560796631569 #hint1=23552090716381769484990784116875558895715552896983313406764042416318710076256166472426553520240265023978449945974218435787929202289208329156594838420190890104226497263852461928474756025539394996288951828172126419569993301524866753797584032740426259804002564701319538183190684075289055345581960776903740881951 #hint2=52723229698530767897979433914470831153268827008372307239630387100752226850798023362444499211944996778363894528759290565718266340188582253307004810850030833752132728256929572703630431232622151200855160886614350000115704689605102500273815157636476901150408355565958834764444192860513855376978491299658773170270 #n2=114535923043375970380117920548097404729043079895540320742847840364455024050473125998926311644172960176471193602850427607899191810616953021324742137492746159921284982146320175356395325890407704697018412456350862990849606200323084717352630282539156670636025924425865741196506478163922312894384285889848355244489 #c2=67054203666901691181215262587447180910225473339143260100831118313521471029889304176235434129632237116993910316978096018724911531011857469325115308802162172965564951703583450817489247675458024801774590728726471567407812572210421642171456850352167810755440990035255967091145950569246426544351461548548423025004 #hint3=25590923416756813543880554963887576960707333607377889401033718419301278802157204881039116350321872162118977797069089653428121479486603744700519830597186045931412652681572060953439655868476311798368015878628002547540835719870081007505735499581449077950263721606955524302365518362434928190394924399683131242077 #hint4=104100726926923869566862741238876132366916970864374562947844669556403268955625670105641264367038885706425427864941392601593437305258297198111819227915453081797889565662276003122901139755153002219126366611021736066016741562232998047253335141676203376521742965365133597943669838076210444485458296240951668402513 ``` 代码很好读，把p和q单独作为两个明文加密，给出了用来加密他们的pq之间的关系式 ```python hint1 = pow(2020 * p1 + q1, 202020, n1) hint2 = pow(2021 * p1 + 212121, q1, n1) hint3 = pow(2020 * p2 + 2021 * q2, 202020, n2) hint4 = pow(2021 * p2 + 2020 * q2, 212121, n2) ``` 第二部分思路是构造一个k*q1的值用他和n1取公约数，第三部分同理。

整理了一些之前准备的rsa

Wed, 11 Mar 2026 08:39:33 +0000

**这些都是很基础的东西，提前写出来或许能省点时间** 放在博客上方便我拿，当然如果能帮到别人那就太好了；） [低指数（小e广播.py](https://github.com/user-attachments/files/25895147/e.py) [费马分解.py](https://github.com/user-attachments/files/25895626/default.py) [共模.py](https://github.com/user-attachments/files/25895161/default.py) [扩展欧几里得.py](https://github.com/user-attachments/files/25895163/default.py) [高位截瘫攻击.txt](https://github.com/user-attachments/files/25895629/default.txt) #这个记得把文件格式改成sage [维纳（小d）.py](https://github.com/user-attachments/files/25895164/d.py) [dp泄露解.py](https://github.com/user-attachments/files/25895166/dp.py) [dpdq.py](https://github.com/user-attachments/files/25895170/dpdq.py) [CRT.py](https://github.com/user-attachments/files/25895178/CRT.py) [小e解题.py](https://github.com/user-attachments/files/25895634/e.py)。

3.9 babyrsa 但是baby在哪？

Wed, 11 Mar 2026 07:25:33 +0000

**刷到21年长城杯一道很难的题** ```python #!/usr/bin/env python3 from Crypto.Util.number import * from secret import flag, v1, v2, m1, m2 def enc_1(val): p, q = pow(v1, (m1+1))-pow((v1+1), m1), pow(v2, (m2+1))-pow((v2+1), m2) assert isPrime(p) and isPrime(q) and ( p*q).bit_length() == 2048 and q < p < q << 3 return pow(val, 0x10001, p*q) def enc_2(val): assert val.bit_length() < 512 while True: fac = [getPrime(512) for i in range(3)] if isPrime(((fac[0]+fac[1]+fac[2]) << 1) - 1): n = fac[0]*fac[1]*fac[2]*(((fac[0]+fac[1]+fac[2]) << 1) - 1) break c = pow(val, 0x10001, n) return (c, n, ((fac[0]+fac[1]+fac[2]) << 1) - 1) if __name__ == '__main__': assert flag[:5] == b'flag{' plain1 = bytes_to_long(flag[:21]) plain2 = bytes_to_long(flag[21:]) print(enc_1(plain1)) print(enc_2(plain2)) ''' 15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311 (40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083, 43001726046955078981344016981790445980199072066019323382068244142888931539602812318023095256474939697257802646150348546779647545152288158607555239302887689137645748628421247685225463346118081238718049701320726295435376733215681415774255258419418661466010403928591242961434178730846537471236142683517399109466429776377360118355173431016107543977241358064093102741819626163467139833352454094472229349598479358367203452452606833796483111892076343745958394932132199442718048720633556310467019222434693785423996656306612262714609076119634814783438111843773649519101169326072793596027594057988365133037041133566146897868269, 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739) ''' ``` 一开始写的时候完全没有enc1的思路先把enc2写出来吧给出了(fac[0]+fac[1]+fac[2]) << 1) - 1的值我们把它设成k，而且这个数值可以分解 ```python p1 = 191 p2 = 193 p3 = 627383 p4 = 1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491 ``` 所以就有 ```python c1 = cipher2[0] n1 = cipher2[1] shift = cipher2[2] print(len(bin(n1))) p1 = 191 p2 = 193 p3 = 627383 p4 = 1720754738477317127758682285465031939891059835873975157555031327070111123628789833299433549669619325160679719355338187877758311485785197492710491 phin2 = (p1 - 1) * (p2 - 1) * (p3 - 1) * (p4 - 1) d2 = inverse(e, phin2) m = pow(c1, d2, shift) print(long_to_bytes(m)) ‘’‘ b'42-b659-0c96ef827f05}' ’‘’ ``` 本来已经放弃这道题了，但是晚上想了想vm的取值非常有限可以直接爆破 ```python from Crypto.Util.number import * from math import log import gmpy2 e = 0x10001 cipher1 = 15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311 cipher2 = (40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083, 43001726046955078981344016981790445980199072066019323382068244142888931539602812318023095256474939697257802646150348546779647545152288158607555239302887689137645748628421247685225463346118081238718049701320726295435376733215681415774255258419418661466010403928591242961434178730846537471236142683517399109466429776377360118355173431016107543977241358064093102741819626163467139833352454094472229349598479358367203452452606833796483111892076343745958394932132199442718048720633556310467019222434693785423996656306612262714609076119634814783438111843773649519101169326072793596027594057988365133037041133566146897868269, 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739) for v in range(2, 100000): for m in range(int(log(2**1021, v)), int(log(2**1027, v))): p = pow(v, m + 1) - pow(v + 1, m) if isPrime(p) and 1021 < len(bin(p)) < 1027: phin1 = p - 1 d1 = inverse(e, phin1) m = pow(cipher1, d1, p) if 'flag{' in str(long_to_bytes(m)): print(str(long_to_bytes(m))) '''b'flag{8102c552-3d78-4a' 2051''' ``` **把这种题说成baby也太恶趣味了！**。

3.10 两道有意思的rsa

Tue, 10 Mar 2026 17:22:33 +0000

刷密码学刷到了这样的一道题 ```python import random from gmpy2 import next_prime from flag import flag def egcd(a, b): x, y, u, v = 0, 1, 1, 0 while a != 0: q, r = b//a, b % a m, n = x-u*q, y-v*q b, a, x, y, u, v = a, r, u, v, m, n # print(m,n) gcd = b return gcd, x, y def gen_keys(p, q): e = 65537 n = p * q phi = (p - 1) * (q - 1) gcd, d, b = egcd(e, phi) # Keys:((pub), (priv)) return ((e, n), (d, n)) def enc(key, p): e, n = key cipher = [int(pow(ord(char), e, n)) for char in p] return cipher def dec(pk, c): key, n = pk plain = [chr(pow(char, key, n)) for char in c] return ''.join(plain) p = next_prime(random.SystemRandom().getrandbits(512)) q = next_prime(random.SystemRandom().getrandbits(512)) flag_key=gen_keys(p, q) print('Public key:') print(flag_key[0]) flag_c=(enc(flag_key[0], flag)) print('Encrypted flag:') print(flag_c) ``` 提供了两份output作为两道题 output我放在附件实在有点大题目读起来不是很困难大概就是把flag中的每一个字符都作为m单独rsa，然后输出给我n和每一个m 试了一下factor结果拆不出来（肯定的吧！不然这么费劲出题干什么）但是想了想这样先拆开再加密简直就是脱裤子放屁反而更适合我爆破 ```python import string e = 65537 n = 28150970547901913019901824364390497053600856369839321617996700606130553862041378369018779003752433356889118526332329074054728613209407037089320809898343953157935211086135010436283805891893636870991411236307901650696221491790470635225076251966300189483160148297407974155121570252648252906976186499329924342873 cipher = ‘’‘这里值太长了就是output的内容’‘’ chars = string.printable flag = '' for c in cipher: found = False for ch in chars: if pow(ord(ch), e, n) == c: flag += ch found = True break if not found: flag += '?' print(flag) ``` 对着表很快就出来了**nuaactf{F@k3_R5A_HahAHAHA}** 第二份output明显阴间很多没有给出n，但c足足有280,000bit 大概900字符？而且题目描述上添油加醋地说本题的答案不会有直接形如 flag{i_am_flag} 这样的答案，但是你会看到类似的内容 FLAG IS I AM FLAG 只需要提交 flag{I_AM_FLAG} 即可言多必失啊.....思考了一会先写了这样一段脚本 ```python def tongji(arr): count = {} for item in arr: if item in count: count[item] += 1 else: count[item] = 1 return count if __name__ == '__main__': array=‘’‘依旧太多了写不下的output''' result = tongji(array) for value, count in result.items(): print(f'值 {value} 出现了 {count} 次') ``` 结果其中一个c重复了156次，另一个c重复了90次左右疑似出题人写小作文第一个是空格第二个是e 分别代入进去能求出kn和qn，求最大公因数就是n了，然后依旧爆破 ```python c1=3454962493357935235804398048029156279039095550980789261896655337798360738722050425342188889752728340388460432418731237228933329641457678636310791152390769085756058697246856642532366705213972349136275749895187361949657257298558376286029052233131737322778610132480613456574001841996198028071886938400701639215 m1=32 e=65537 c2=5169002119818174391634714185903790851061018005401634820484671774278180792602838410733452791538037740062826920927698584515851903819438097478266878035790653024116345781217364538948047246739311236187915325479926636465158253396261869020517753466952653187629473271412557484931426586814990117865237871747512061719 m2=101 cipher=‘’‘你知道我这里要写什么’‘’ A = pow(m1, e) y1 = A - c1 B = pow(m2,e) y2 = B - c2 n = gmpy2.gcd(y1, y2) flag = '' for c in cipher: found = False for ch in range(32, 127): if pow(ch, e, n) == c: flag += chr(ch) found = True break print(flag) ``` 运行结果是 don't starve is a marvelous survival game.the game opens with maxwell snidely commenting on the player's gaunt appearance and includes little further story.the game's setup is told further through its trailer: on a dark and stormy night, wilson appears to be getting nowhere in a chemistry experiment until he is startled by his radio speaking to him. it reveals that it has noticed his trouble and has secret knowledge of him. when he eagerly agrees, a flurry of equations and diagrams encircle him and fill his head. using white rats, a typewriter, and his blood among other tools and materials, wilson creates a giant machine. the radio commends his work and tells him to pull the machine's switch. he hesitates, but at the radio's insistence, he does so. the machine rattles violently, and a pair of ghostly arms whisk him into a different world while an apparition of maxwell cackles.** the flag is this is also fake rsa** 饥荒确实好玩但下次别这么出题了第一次在ctf中用统计频率写出题，好神奇（挠头）我会继续做下去的！ [output.txt](https://github.com/user-attachments/files/25878095/output.txt)。

测试

Tue, 10 Mar 2026 16:52:38 +0000

能看到吗？。