1

copperstudy -- coppersmith

解题脚本

#coding:utf-8

import hashlib
from pwn import *
import time

def cha1(s,s256):
    ss = ''
    for i in range(5):
        ss = ss + chr(int((s[2 * i] + s[2 * i + 1]),16))
    for i in range(0,256):
        for j in range(0,256):
            for h in range(0,256):
                a = ss + chr(i) + chr(j) + chr(h)
                if hashlib.sha256(a).hexdigest() == s256:
                    return a.encode('hex')


if __name__ == '__main__':
    ip = '119.3.245.36'
    port = 12345
    teamtoken = 'dde3f26577d8d7816378038885943de1'
    s = remote(ip,port)
    s.recvuntil('[+]hashlib.sha256(skr).hexdigest()=')
    d256 = s.recvline()
    s.recvuntil("[+]skr[0:5].encode('hex')=")
    d = s.recvline()
    data = cha1(d.strip(),d256.strip())
    s.recvuntil("[-]skr.encode('hex')=")
    s.sendline(data)
    s.recvuntil("[+]teamtoken:")
    s.sendline(teamtoken)
    time.sleep(2)
    #challenge1 -- Known High Bits Message Attack
    m = '858be94f2f6253ac4586da573086221c8256bf7fe7c7f6d0d4e459fd28abf8883cfa225f5cbb519d2c8e0427aab1dc03979886ac104018ddec85e8edb7bbc590'
    s.recvuntil("_bytes(m).encode('hex')=")
    s.sendline(m)
    time.sleep(2)
    #challenge2 -- Factoring with High Bits Known
    m2 = "7e2a3378b47f389134bda8811e253ace33c6978fbb5d0022ab312cf1f5246648516b320bf749e71a1d8cbdcab64fdb5ce8159022ea96484949152d31a9f17665"
    s.recvuntil("_bytes(m).encode('hex')=")
    s.sendline(m2)
    time.sleep(2)
    #challenge3 -- Patial Key Exposure Attack
    m3 = "86ee347cbeec999564c0615d33ea5e3cfb5e66f5d00b172194c0f86915de3ff19d2dffc2217caaa608ea6556b18e8f420fc1b287871475a0cd5c8f2d97e4c12c"
    s.recvuntil("_bytes(m).encode('hex')=")
    s.sendline(m3)
    time.sleep(4)
    #challenge4 -- Basic Broadcast Attack
    m4 = "380185242a03c9d6ca7a2e117490ebaf03a493b1250f4e248c732c2714eb6b9fd2fa4c90a4f1d8120ffbafb3b7fda85fff46a67a1da3e316392ec267e1fa7c27"
    s.recvuntil("_bytes(m).encode('hex')=")
    s.sendline(m4)                                 
    time.sleep(20)
    #challenge5 -- Related Message Attack
    m5 = "0811b179ddbc246fc00ad94b6251c818e331941732fdfce9979c015ca7f0ec873641338c5814f3e8e50dfab04bd6aa0689334b517de10d7bac398aef23f929b3"
    s.sendlineafter("[-]long_to_bytes(m).encode('hex')=",m5)
    time.sleep(4)
    #challenge6 -- Boneh and Durfee attack
    m6 = "6b3bb0cdc72a7f2ce89902e19db0fb2c0514c76874b2ca4113b86e6dc128d44cc859283db4ca8b0b5d9ee35032aec8cc8bb96e8c11547915fc9ef05aa2d72b28"
    s.sendlineafter("[-]long_to_bytes(m).encode('hex')=",m6)
    time.sleep(4)

    print s.recv()

challenge1 -- Known High Bits Message Attack

[++++++++++++++++]proof completed[++++++++++++++++]
[+]Generating challenge 1
[+]n=0x331e53d1808798def926bc2c8081b3a959cec19c04ad6dd3a25357b5e3889dc0bbb8618b80ddecca89494eec6015080cf4402fcef0971f76d978c517ab1e3019ae65fdc443a99036d4adcda780dd662ae3eb5d3c6ce68adfe38137689df75a6196a7a6dc94a681dfb5437439c810416112b250402f53eb2341df2145c569c135L
[+]e=3
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0xab7b8544dc18a13c221d33b8ea84ee69ea3c74a1ce123e6f0a565e6afaff3d2682dfa254170a1200d66e9c017727c43b3c1af221f81d90598741454f68448cef4128ff56bb9929ffd3edaaa8069c08293463ad20486b6e6bee654ab471a3b364122d41f4570f6aa1084eb1eda5eebde1436a488e0390f8057df835f323802d4L
[+]((m>>72)<<72)=0x858be94f2f6253ac4586da573086221c8256bf7fe7c7f6d0d4e459fd28abf8883cfa225f5cbb519d2c8e0427aab1dc03979886ac104018000000000000000000L
[-]long_to_bytes(m).encode('hex')=

题目给了明文的高位部分

    n =
    e = 3
    m = randrange(n)
    c = pow(m, e, n)
    beta = 1
    epsilon = beta^2/7
    nbits = n.nbits()
    kbits = floor(nbits*(beta^2/e-epsilon))
    #mbar = m & (2^nbits-2^kbits)
    mbar =
    c =
    print “upper %d bits (of %d bits) is given” % (nbits-kbits, nbits)
    PR.<x> = PolynomialRing(Zmod(n))
    f = (mbar + x)^e – c
    print m
    x0 = f.small_roots(X=2^kbits, beta=1)[0]  # find root < 2^kbits with factor = n
    print mbar + x0
    print x0

challenge2 -- Factoring with High Bits Known

[++++++++++++++++]challenge 1 completed[++++++++++++++++]
[+]Generating challenge 2
[+]n=0x116c51f73ef1c6b3b890dd8be446b80ac1dbe93742348e1284a7fdf0c76604ceae72011918f18de6b0ab873500ef2ed351110b67acce5b8c48a750a376c3e0117c44ec58e84e35f2ebf0e553b718720952dc826e364f130c2839c76878e0bfb3be0f24b06b3d91f1655e7ce588d2a3c429901197012db4d8b802308072bfca3fL
[+]e=65537
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0x8d8fba82b1ca4e8a6e87b1ed5d50a9e6e49b3fb2aed78208e8c513842dedb5f14b82b39e03ea86089e76b59ff7bec0f6647096098346dcf64c7d1aaf533f99827fd9979dee217c511a3192e99a70d4fcd6aa44b2cf52a1ceddf99db42cbf2872e7e2ed421a4a9ff548bef6dfdad7ef17b09748bdf0025dfb93091e11115ebd4L
[+]((p>>128)<<128)=0x2bff4035e24f2023f876abaf53ef53374d0208d59d4350a1cf356050c3a09cfc644d9c46cb59f013fadd96bea4a56dd100000000000000000000000000000000L
[-]long_to_bytes(m).encode('hex')=
n=0x985CBA74B3AFCF36F82079DE644DE85DD6658A2D3FB2D5C239F2657F921756459E84EE0BBC56943DE04F2A04AACE311574BE1E9391AC5B0F8DBB999524AF8DF2451A84916F6699E54AE0290014AFBF561B0E502CA094ADC3D9582EA22F857529D3DA79737F663A95767FDD87A9C19D8104A736ACBE5F4A25B2A25B4DF981F44DB2EB7F3028B1D1363C3A36F0C1B9921C7C06848984DFE853597C3410FCBF9A1B49C0F5CB0EEDDC06D722A0A7488F893D37996F9A92CD3422465F49F3035FEA6912589EFCFB5A4CF9B69C81B9FCC732D6E6A1FFCE9690F34939B27113527ABB00878806B229EC6570815C32BC2C134B0F56C21A63CA535AB467593246508CA9F9
p=0xBCF6D95C9FFCA2B17FD930C743BCEA314A5F24AE06C12CE62CDB6E8306A545DE468F1A23136321EB82B4B8695ECE58B763ECF8243CBBFADE0603922C130ED143D4D3E88E483529C820F7B53E4346511EB14D4D56CB2B714D3BDC9A2F2AB655993A31E0EB196E8F63028F9B29521E9B3609218BA0000000000000000000000000
p_fake = p+0x10000000000000000000000000
pbits = 1024
kbits = pbits-576
pbar = p_fake & (2^pbits-2^kbits)
print "upper %d bits (of %d bits) is given" % (pbits-kbits, pbits)
PR.<x> = PolynomialRing(Zmod(n))
f = x + pbar
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.4
print x0 + pbar

challenge3 -- Patial Key Exposure Attack

[++++++++++++++++]challenge 2 completed[++++++++++++++++]
[+]Generating challenge 3
[+]n=0x56705388192a25439c7ec9f826467255aeac3a1991b0a5804e8cbe01d4fd33c0accdacc8cb2497969133116d841032cd023f29e4014b0c7619c40ce6e1977308f3587da928fe7c103e8fd68c0e909d229e68c23879c010f88dca4481af1c7030466edc93898b12f31dba9e7aa513fb1fd84c3d1d028cc068160501dafa1d54bL
[+]e=3
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0xcbe7d8021fa02b92239521aeaaf76b2d9553b6b738c79a2c31ef9dcef7875d5bde76f5ebb318660761090869c02c182a29516482e5daf090df76d10eab9398ede85a00d47abb3e27f6a87f8c0928e18c778efb3b6a02acb52257369cbc7e3015bda888e50d5586a34a5554df1f5f0e4cb0b8e9dd442ed939f610d18731be3L
[+]d=invmod(e,(p-1)*(q-1))
[+]d&((1<<512)-1)=0xd74e2c4973ea6530620197a999a7a78d85a3029dfe8931397ee15b480c2f77b5042938e2f58f60e9c44e4f8d911b661b42dac0dbc0c1513773f870916b2418abL
[-]long_to_bytes(m).encode('hex')=
def partial_p(p0, kbits, n):
    PR.<x> = PolynomialRing(Zmod(n))
    nbits = n.nbits()

    f = 2^kbits*x + p0
    f = f.monic()
    roots = f.small_roots(X=2^(nbits//2-kbits), beta=0.3)  # find root < 2^(nbits//2-kbits) with factor >= n^0.3
    if roots:
        x0 = roots[0]
        p = gcd(2^kbits*x0 + p0, n)
        return ZZ(p)

def find_p(d0, kbits, e, n):
    X = var('X')

    for k in xrange(1, e+1):
        results = solve_mod([e*d0*X - k*X*(n-X+1) + k*n == X], 2^kbits)
        for x in results:
            p0 = ZZ(x[0])
            p = partial_p(p0, kbits, n)
            if p:
                return p


if __name__ == '__main__':
    n = 0x56705388192a25439c7ec9f826467255aeac3a1991b0a5804e8cbe01d4fd33c0accdacc8cb2497969133116d841032cd023f29e4014b0c7619c40ce6e1977308f3587da928fe7c103e8fd68c0e909d229e68c23879c010f88dca4481af1c7030466edc93898b12f31dba9e7aa513fb1fd84c3d1d028cc068160501dafa1d54b
    e = 3
    d = 0xd74e2c4973ea6530620197a999a7a78d85a3029dfe8931397ee15b480c2f77b5042938e2f58f60e9c44e4f8d911b661b42dac0dbc0c1513773f870916b2418ab

    beta = 0.5
    epsilon = beta^2/7

    nbits = n.nbits()
    kbits = floor(nbits*(beta^2+epsilon))
    d0 = d & (2^kbits-1)
    print "lower %d bits (of %d bits) is given" % (kbits, nbits)

    p = find_p(d0, kbits, e, n)
    print "found p: %d" % p
    q = n//p
    print d
    print inverse_mod(e, (p-1)*(q-1))

lower 291 bits (of 1019 bits) is given
found p: 1556928330519222949185052385205770511398851299027067030656737931164636055914888549373041706626311467428902396847671677538586996128733508490246169051729867
11276456863053049846778143161914757923513133539274086554204762345263769886584929828068603961625809916094813748871857226391606896679593696242167359171991723
2529140489407550411860842517642709534323596281579020017754223390342047118996108186564106911103882855078009689932113065210547912624644857741988858283570121514938039297592621259739497542591992130948345362969430345095193882648382370898025817668567519357247651572797940766217498405274704879818312077507052181675

challenge4 -- Basic Broadcast Attack

[++++++++++++++++]challenge 3 completed[++++++++++++++++]
[+]Generating challenge 4
[+]e=3
[+]m=random.getrandbits(512)
[+]n1=0x9c94fecac76f9c5524d994d51efc1f02ad40fcf9cd5409d7c9f86a9f10e31b6c73d8bc02df743fea939acbcf9f81a748914fce0f8df1155c0f29faac38bd70b322eb7bc69c130720bdcb2ad2cbb84ad182b36e93170d81cb3a68969c850519e86b6a3676534cdbe85c9429c058230d58527d8028c134d6078cbb89faa071848fL
[+]c1=pow(m,e,n1)=0x5e3b988abb38c33e145bbc16f56ec192253d26cc053d4f78e073d0d035eda4ea91f33ec7f7cd1a56165cae95a86e0a4edabb83743966b3a4621bb33753aec5fa4b1c6d80e0d404c19c6659c8ff6dc4f5539a5dbae659ca4f24f4c53a65c5c42bf9de04852c098841d2affe83c59be99b6ecd857e232cb008c657e1f55137bf06L
[+]n2=0x409a8a39fcb302f0660f0a85b6d43636dce5b4797b6f3ef0b4972f70b6e0c74038c55ba50e0c918057e9ceaee024ae81da2faede8b5b66caae6892943a8892ad98b1f6f208b8b5ded753e6b8c6b94c5faf67314384f3f26e3dca579237893f098c90b0f8b80692aed4606947d656b74b69444ba0dc24b9c66a339f7a50f52783L
[+]c2=pow(m,e,n2)=0xc5381d89ca5be27f43c30dbc395ce0d5b8a69adb80dc05d7f5d8dffc1b2fb76d2ab656f5659b9280c9cac83addcc0eb58e86f8e07a37f28b0500ab75bde4eb2b2e6631eeeb6bbe146c889b2ac6046864977aaee7292676fdbd4fb987940a83a94c3d04aef256b50d304d945528c69866acf591f914c0e50e012734827143ed7L
[+]n3=0x56a700d8f04da68c6cdb08e04a0cb2fa332389e10c1a3c94b220cb39144fc971c804ab02637303866040c13814194d863814453eec48db6136741d3a599cf890c678114b65dc60da2bbd29651bd0148f8949d69c4b18460ad0e1908eba384a1b51041e41caf70fed285fb34a8e56f04487d6d8b5d88f2a88d88565ef6757a697L
[+]c3=pow(m,e,n3)=0x73e58f11dd9f637a7a7c05f6223ee95cb6d34a77583bfc6ca675955d51dd15ff4561654264e9985fcb2e87e3ddda7d6d7620cee80a1f2c20944d5d6f456a3e892f74b6745ddecbe3447825bf44344fc9e0839bdaebcca8352075675ffc8fee8c3698a87f3110f4004fea88c3faf05e5a527854e759e315b487b49e8ff9510cbL
[-]long_to_bytes(m).encode('hex')=
import gmpy2 

import libnum
e=3

n_0=0x9c94fecac76f9c5524d994d51efc1f02ad40fcf9cd5409d7c9f86a9f10e31b6c73d8bc02df743fea939acbcf9f81a748914fce0f8df1155c0f29faac38bd70b322eb7bc69c130720bdcb2ad2cbb84ad182b36e93170d81cb3a68969c850519e86b6a3676534cdbe85c9429c058230d58527d8028c134d6078cbb89faa071848f
ct_0=0x5e3b988abb38c33e145bbc16f56ec192253d26cc053d4f78e073d0d035eda4ea91f33ec7f7cd1a56165cae95a86e0a4edabb83743966b3a4621bb33753aec5fa4b1c6d80e0d404c19c6659c8ff6dc4f5539a5dbae659ca4f24f4c53a65c5c42bf9de04852c098841d2affe83c59be99b6ecd857e232cb008c657e1f55137bf06
n_1=0x409a8a39fcb302f0660f0a85b6d43636dce5b4797b6f3ef0b4972f70b6e0c74038c55ba50e0c918057e9ceaee024ae81da2faede8b5b66caae6892943a8892ad98b1f6f208b8b5ded753e6b8c6b94c5faf67314384f3f26e3dca579237893f098c90b0f8b80692aed4606947d656b74b69444ba0dc24b9c66a339f7a50f52783
ct_1=0xc5381d89ca5be27f43c30dbc395ce0d5b8a69adb80dc05d7f5d8dffc1b2fb76d2ab656f5659b9280c9cac83addcc0eb58e86f8e07a37f28b0500ab75bde4eb2b2e6631eeeb6bbe146c889b2ac6046864977aaee7292676fdbd4fb987940a83a94c3d04aef256b50d304d945528c69866acf591f914c0e50e012734827143ed7
n_2=0x56a700d8f04da68c6cdb08e04a0cb2fa332389e10c1a3c94b220cb39144fc971c804ab02637303866040c13814194d863814453eec48db6136741d3a599cf890c678114b65dc60da2bbd29651bd0148f8949d69c4b18460ad0e1908eba384a1b51041e41caf70fed285fb34a8e56f04487d6d8b5d88f2a88d88565ef6757a697
ct_2=0x73e58f11dd9f637a7a7c05f6223ee95cb6d34a77583bfc6ca675955d51dd15ff4561654264e9985fcb2e87e3ddda7d6d7620cee80a1f2c20944d5d6f456a3e892f74b6745ddecbe3447825bf44344fc9e0839bdaebcca8352075675ffc8fee8c3698a87f3110f4004fea88c3faf05e5a527854e759e315b487b49e8ff9510cb


N_012 = n_0 * n_1 * n_2
# n1 * n2
m_s_0 = n_1 * n_2
# n0 * n2
m_s_1 = n_0 * n_2
# n0 * n1
m_s_2 = n_0 * n_1
crt = libnum.solve_crt([ct_0,ct_1,ct_2], [n_0,n_1,n_2])
c_0 = crt % n_0
c_1 = crt % n_1
c_2 = crt % n_2
result = ((c_0 * m_s_0 * libnum.invmod(m_s_0, n_0)) + (c_1 * m_s_1 * libnum.invmod(m_s_1, n_1)) + (c_2 * m_s_2 * libnum.invmod(m_s_2, n_2))) % N_012 
pt = libnum.nroot(result, 3)
print libnum.n2s(pt).encode('hex')
#380185242a03c9d6ca7a2e117490ebaf03a493b1250f4e248c732c2714eb6b9fd2fa4c90a4f1d8120ffbafb3b7fda85fff46a67a1da3e316392ec267e1fa7c27

challenge5 -- Related Message Attack

[++++++++++++++++]challenge 4 completed[++++++++++++++++]
[+]Generating challenge 5
[+]n=0x1bda683489ec09b15aa5ab9356db56e8586f03879e19bf4b2316b56332fd2d994ae8682d121373b21771eda5246b3565c52266e83bada43723bb8f4457d712f339d350d02bcd257923fb6b7ad265bafd4b9429943ba56f0d27b123962adf60b809f886a090e3472abe01e194dbc3ec1ecba2550d695e771d3f0edb9ada77f29L
[+]e=3
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0x22573b528e5ca137dc93b7f17f04d4efbf82124215a9c28ae6823fe5c7b6fb5eb5d328d9f6dbf73f88f59add74630d0721a822f8fb884b314f4c45aae1358fc8a19c59bbc370463541d58bd9cda1d77575a443cfbd85bdba48ae3e01642811a0b9824e3c8df8c02caed7a0606ceb6695dca7372e4291c60a98ed56b9442434L
[+]x=pow(m+1,e,n)=0xe5ac2d53cd385143472febb8d7ba4acb7697bd494ef9ea0d165dd2ba7e451d803e45076ded5ef44bec0b72052b932348a50f0c66c6641159518f5137140a4db9fc497982930801715468932913e257f8b2abe287244d1d087c0ecf679cb46b1957bef678dee094d650a97d5a9d53cab80986571d890fbcd024528d6a321ac9L
[-]long_to_bytes(m).encode('hex')=
import hashlib
import gmpy2
import libnum
from Crypto.Util.number import *
 
n = 0x1bda683489ec09b15aa5ab9356db56e8586f03879e19bf4b2316b56332fd2d994ae8682d121373b21771eda5246b3565c52266e83bada43723bb8f4457d712f339d350d02bcd257923fb6b7ad265bafd4b9429943ba56f0d27b123962adf60b809f886a090e3472abe01e194dbc3ec1ecba2550d695e771d3f0edb9ada77f29
e = 3
 
c1 = 0x22573b528e5ca137dc93b7f17f04d4efbf82124215a9c28ae6823fe5c7b6fb5eb5d328d9f6dbf73f88f59add74630d0721a822f8fb884b314f4c45aae1358fc8a19c59bbc370463541d58bd9cda1d77575a443cfbd85bdba48ae3e01642811a0b9824e3c8df8c02caed7a0606ceb6695dca7372e4291c60a98ed56b9442434
c2 = 0xe5ac2d53cd385143472febb8d7ba4acb7697bd494ef9ea0d165dd2ba7e451d803e45076ded5ef44bec0b72052b932348a50f0c66c6641159518f5137140a4db9fc497982930801715468932913e257f8b2abe287244d1d087c0ecf679cb46b1957bef678dee094d650a97d5a9d53cab80986571d890fbcd024528d6a321ac9


a = 1
b = -1
padding2 = 1
def getM2(a,b,c1,c2,n):
    a3 = pow(a,3,n)
    b3 = pow(b,3,n)
    first = c1-a3*c2+2*b3
    first = first % n
    second = 3*b*(a3*c2-b3)
    second = second % n
    third = second*gmpy2.invert(first,n)
    third = third % n
    fourth = (third+b)*gmpy2.invert(a,n)
    return fourth % n
m = getM2(a,b,c1,c2,n)-padding2
print "m==\n" + hex(m) + "\n"

#print m
c = pow(m,e,n)
#print hex(c)
if c == c1:
    print "yeah"

challenge6 -- Boneh and Durfee attack

[++++++++++++++++]challenge 5 completed[++++++++++++++++]
[+]Generating challenge 6
[+]n=0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L
[+]d=random.getrandbits(1024*0.270)
[+]e=invmod(d,phin)
[+]hex(e)=0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL
[-]long_to_bytes(m).encode('hex')=

GitHub开源项目RSA-and-LLL-attacks
解密可得

import gmpy2 

import libnum
e=3

n_0=0x9c94fecac76f9c5524d994d51efc1f02ad40fcf9cd5409d7c9f86a9f10e31b6c73d8bc02df743fea939acbcf9f81a748914fce0f8df1155c0f29faac38bd70b322eb7bc69c130720bdcb2ad2cbb84ad182b36e93170d81cb3a68969c850519e86b6a3676534cdbe85c9429c058230d58527d8028c134d6078cbb89faa071848f
ct_0=0x5e3b988abb38c33e145bbc16f56ec192253d26cc053d4f78e073d0d035eda4ea91f33ec7f7cd1a56165cae95a86e0a4edabb83743966b3a4621bb33753aec5fa4b1c6d80e0d404c19c6659c8ff6dc4f5539a5dbae659ca4f24f4c53a65c5c42bf9de04852c098841d2affe83c59be99b6ecd857e232cb008c657e1f55137bf06
n_1=0x409a8a39fcb302f0660f0a85b6d43636dce5b4797b6f3ef0b4972f70b6e0c74038c55ba50e0c918057e9ceaee024ae81da2faede8b5b66caae6892943a8892ad98b1f6f208b8b5ded753e6b8c6b94c5faf67314384f3f26e3dca579237893f098c90b0f8b80692aed4606947d656b74b69444ba0dc24b9c66a339f7a50f52783
ct_1=0xc5381d89ca5be27f43c30dbc395ce0d5b8a69adb80dc05d7f5d8dffc1b2fb76d2ab656f5659b9280c9cac83addcc0eb58e86f8e07a37f28b0500ab75bde4eb2b2e6631eeeb6bbe146c889b2ac6046864977aaee7292676fdbd4fb987940a83a94c3d04aef256b50d304d945528c69866acf591f914c0e50e012734827143ed7
n_2=0x56a700d8f04da68c6cdb08e04a0cb2fa332389e10c1a3c94b220cb39144fc971c804ab02637303866040c13814194d863814453eec48db6136741d3a599cf890c678114b65dc60da2bbd29651bd0148f8949d69c4b18460ad0e1908eba384a1b51041e41caf70fed285fb34a8e56f04487d6d8b5d88f2a88d88565ef6757a697
ct_2=0x73e58f11dd9f637a7a7c05f6223ee95cb6d34a77583bfc6ca675955d51dd15ff4561654264e9985fcb2e87e3ddda7d6d7620cee80a1f2c20944d5d6f456a3e892f74b6745ddecbe3447825bf44344fc9e0839bdaebcca8352075675ffc8fee8c3698a87f3110f4004fea88c3faf05e5a527854e759e315b487b49e8ff9510cb


N_012 = n_0 * n_1 * n_2
# n1 * n2
m_s_0 = n_1 * n_2
# n0 * n2
m_s_1 = n_0 * n_2
# n0 * n1
m_s_2 = n_0 * n_1
crt = libnum.solve_crt([ct_0,ct_1,ct_2], [n_0,n_1,n_2])
c_0 = crt % n_0
c_1 = crt % n_1
c_2 = crt % n_2
result = ((c_0 * m_s_0 * libnum.invmod(m_s_0, n_0)) + (c_1 * m_s_1 * libnum.invmod(m_s_1, n_1)) + (c_2 * m_s_2 * libnum.invmod(m_s_2, n_2))) % N_012 
pt = libnum.nroot(result, 3)
print libnum.n2s(pt).encode('hex')

def getM2(a,b,c1,c2,n):
    a3 = pow(a,3,n)
    b3 = pow(b,3,n)
    first = c1-a3*c2+2*b3
    first = first % n
    second = 3*b*(a3*c2-b3)
    second = second % n
    third = second*gmpy2.invert(first,n)
    third = third % n
    fourth = (third+b)*gmpy2.invert(a,n)
    return fourth % n
m = getM2(a,b,c1,c2,n)-padding2
print libnum.n2s(m)
import hashlib
import gmpy2
import libnum
from Crypto.Util.number import *
 
n = 0x1bda683489ec09b15aa5ab9356db56e8586f03879e19bf4b2316b56332fd2d994ae8682d121373b21771eda5246b3565c52266e83bada43723bb8f4457d712f339d350d02bcd257923fb6b7ad265bafd4b9429943ba56f0d27b123962adf60b809f886a090e3472abe01e194dbc3ec1ecba2550d695e771d3f0edb9ada77f29
e = 3
 
c1 = 0x22573b528e5ca137dc93b7f17f04d4efbf82124215a9c28ae6823fe5c7b6fb5eb5d328d9f6dbf73f88f59add74630d0721a822f8fb884b314f4c45aae1358fc8a19c59bbc370463541d58bd9cda1d77575a443cfbd85bdba48ae3e01642811a0b9824e3c8df8c02caed7a0606ceb6695dca7372e4291c60a98ed56b9442434
c2 = 0xe5ac2d53cd385143472febb8d7ba4acb7697bd494ef9ea0d165dd2ba7e451d803e45076ded5ef44bec0b72052b932348a50f0c66c6641159518f5137140a4db9fc497982930801715468932913e257f8b2abe287244d1d087c0ecf679cb46b1957bef678dee094d650a97d5a9d53cab80986571d890fbcd024528d6a321ac9


a = 1
b = -1
padding2 = 1
def getM2(a,b,c1,c2,n):
    a3 = pow(a,3,n)
    b3 = pow(b,3,n)
    first = c1-a3*c2+2*b3
    first = first % n
    second = 3*b*(a3*c2-b3)
    second = second % n
    third = second*gmpy2.invert(first,n)
    third = third % n
    fourth = (third+b)*gmpy2.invert(a,n)
    return fourth % n
m = getM2(a,b,c1,c2,n)-padding2
print long_to_bytes(m).encode('hex')

#print m
c = pow(m,e,n)
#print hex(c)
if c == c1:
    print "yeah"

参考链接

http://www.realwz.com/2018/03...
http://inaz2.hatenablog.com/e...
https://findneo.github.io/180...
https://www.cnblogs.com/WangA...
https://code.felinae98.cn/ctf...
https://www.anquanke.com/post...
https://altman.vip/2018/07/23...


pumpkin9
10 声望3 粉丝

学习要看到核心,抓住本质。 --EX