文章目录
- 前言
- 第一届交通运输行业网络安全大赛决赛---Crypto
- easyRSA
- Mypow
- baby_RSA
- EasyRSA
- 你懂RSA吗
前言
哥们终于想起账号密码了(尊嘟忘了)。
鸽了快两个星期辣,下次一定不鸽(x)。
第一届交通运输行业网络安全大赛决赛—Crypto
easyRSA
题目:
from Crypto.Util.number import *
from gmpy2 import *
from random import *
flag = b'DASCTF{xxxxx}'  # placeholder value in the published challenge source
m = bytes_to_long(flag)
# Key generation: retry until every step below succeeds.
while True:
    try:
        p = getPrime(512)
        # q is derived from p (the next prime after p + 2**520), so the two
        # factors are not independent; the write-up's solution relies on this.
        q = next_prime(p+2**520)
        n = p*q
        phi = (p-1)*(q-1)
        # The private exponent is drawn first, bounded by n**0.32, and the
        # public exponent e is then computed as its inverse modulo phi.
        d = randint(0,n**0.32)
        e = inverse(d,phi)
        c = pow(m,e,n)
        break
    # NOTE(review): a bare except hides every failure, not only a
    # non-invertible d; presumably it exists to retry when inverse() fails.
    except:
        continue
# Only the public values and the ciphertext are published.
print("e = %d"%e)
print("n = %d"%n)
print("c = %d"%c)
'''
e = 22406617662992657889189996038164778072134256533643932957015006754647822578958941307848612281469431201991306481890996110372419319706474785730441458621818413195157394408942556272495727435704953347478158553946953413179163328976215167865874464655775410591847016921402275945868909242077897959037348916785120117461655
n = 24060380804148316574301133150703936973811513337391019200164987960874105848921375758959945881263552336035571494502139825591685175642839368578283761865745224459787280066739212098720274347746524677894359534493555854937925590705524983104059677695973201044287743440388194064688873456047929476158165843812125976675193
c = 6224246192773369488536745056540125828918816255225886951931770916428603800143493592040760978737512689281802769927712229089196097571495191027802589192805135838831322474642230511392667306908597027184532769940279896145161482936674583102879507860488435333891036563479618834572359715411724343814117656984603501647779
'''
由题目可知,q = next_prime(p+2**520),即 q 略大于 p+2**520。由此我们可以用 p+2**520 近似 q,构造一个一元二次方程 f(x) = x*(x+2**520) - n,然后求解方程的根。此时 p 在根附近,于是再将根值往前推,直至 n%p=0 为止,此时 p 为所求,则 q=n//p。
#sage
import gmpy2
import libnum
e = 22406617662992657889189996038164778072134256533643932957015006754647822578958941307848612281469431201991306481890996110372419319706474785730441458621818413195157394408942556272495727435704953347478158553946953413179163328976215167865874464655775410591847016921402275945868909242077897959037348916785120117461655
n = 24060380804148316574301133150703936973811513337391019200164987960874105848921375758959945881263552336035571494502139825591685175642839368578283761865745224459787280066739212098720274347746524677894359534493555854937925590705524983104059677695973201044287743440388194064688873456047929476158165843812125976675193
c = 6224246192773369488536745056540125828918816255225886951931770916428603800143493592040760978737512689281802769927712229089196097571495191027802589192805135838831322474642230511392667306908597027184532769940279896145161482936674583102879507860488435333891036563479618834572359715411724343814117656984603501647779
# Work in a 1000-bit real field so the root of a ~1030-bit equation keeps
# enough precision to be truncated to an integer.
RF = RealField(1000)
x = polygen(RF)
# Approximate q by p + 2**520 and solve x*(x + 2**520) = n for x.
f = x * (x + 2**520) - n
# roots() yields (root, multiplicity) pairs; index 1 is taken as the
# positive root (assumes ascending order — TODO confirm).
p = int(f.roots()[1][0])
print(p)
# The real q is at least p + 2**520, so the truncated root is not below the
# true p: step down until the candidate divides n.
while n % p != 0:
    p = p - 1
q = n // p
print(f"p = {p}")
print(f"q = {q}")
# With both factors known this is ordinary RSA decryption.
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = libnum.n2s(int(m))
print(flag)
flag:
DASCTF{24ce231dcbc-08aa5-4ba28-8ef5-231dcb00sd2ed}
Mypow
题目:
from Crypto.Util.number import *
from gmpy2 import *
import os
flag = b'xxx'  # placeholder value in the published challenge source
def Mypow(b, e, mod):
    """Square-and-multiply variant that shifts the exponent before testing it.

    Because ``e`` is shifted right before its low bit is examined, bit 0 of the
    exponent is never used: the result equals ``pow(b, e, mod)`` for even ``e``
    and ``pow(b, e - 1, mod)`` for odd ``e``.

    :param b: base
    :param e: exponent (non-negative)
    :param mod: modulus
    :return: b raised to ``e`` with its lowest bit cleared, modulo ``mod``
    """
    acc = 1
    while e != 0:
        e = e >> 1
        b = b * b % mod
        if e % 2 == 1:
            acc = acc * b % mod
    return acc
def Genp(bit_length):
    """Return a prime of the form ``coeff * r + 1`` with ``coeff = 2**5 * 3 * 7``.

    ``r`` is a random integer of ``bit_length - 10`` bits; candidates are drawn
    until one passes ``is_prime``. Every prime produced this way has p - 1
    divisible by ``coeff``.
    """
    coeff = 2 ** 5 * 3 * 7
    while True:
        candidate = coeff * getRandomNBitInteger(bit_length - 10) + 1
        if is_prime(candidate):
            return candidate
def Genkeys(bit_length):
    """Generate the modulus and the published hint.

    :param bit_length: size passed to ``Genp`` for each prime
    :return: ``(n, hint)`` where ``n = p * q`` and ``hint = (2*p + 7*q) % n``
    """
    p = Genp(bit_length)
    q = Genp(bit_length)
    n = p * q
    # The hint is a linear combination of the secret factors.
    return n, (2 * p + 7 * q) % n
if __name__ == '__main__':
    # next_prime(666) is an odd prime; Mypow() never uses the lowest
    # exponent bit, so the exponent actually applied is one less.
    e = next_prime(666)
    n, hint = Genkeys(512)
    # 30 random bytes are prepended to the flag before encryption.
    m = bytes_to_long(os.urandom(30) + flag)
    ct = Mypow(m,e,n)
    # Published values: modulus, hint and ciphertext.
    print(f'n = {n}')
    print(f'hint = {hint}')
    print(f'ct = {ct}')
'''
n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000
'''
已知 $n = p \cdot q$ 和 $hint = 2p + 7q$(题目中 hint 对 n 取模,但 $2p + 7q < n$,取模不改变其值),可推
$$2p^2 + 7pq = p(2p + 7q) = p \cdot hint$$
由此,我们可构建方程 $f = 2x^2 + 7n - x \cdot hint$,解方程得到p,进而得到q=n//p。
#sage
# Zmod() is called without a modulus — presumably this resolves to the
# integer ring (order 0), so roots are searched over the integers; confirm.
R.<x> = Zmod()[]
# With hint = 2*p + 7*q this polynomial factors as (x - p)*(2*x - 7*q).
f = 2*x^2 + 7*n - hint*x
# The first reported root is taken as p.
p = int(f.roots()[0][0])
q = n//p
Mypow(b,e,mod) 函数相当于 pow(m,e,n) 函数,但是对于不同的幂e结果不同。当e为偶数时,相当于pow(m,e,n);当e为奇数时,相当于pow(m,e-1,n)(循环中先右移再判断最低位,因此指数的最低位被丢弃)。本题的 e = next_prime(666),显然是一个素数(必然是奇数),因此真正的 e = next_prime(666)-1。
经计算,gcd(e,phi)=e,因此演变为有限域下开根问题。分别在 $GF(p)$、$GF(q)$ 上开e次方根,之后crt组合一下,求出所有的m,再判断字符串中是否含有DASCTF即可得到flag。
#sage
import gmpy2
from Crypto.Util.number import *
n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000
# Zmod() is called without a modulus — presumably this resolves to the
# integer ring (order 0), so roots are searched over the integers; confirm.
R.<x> = Zmod()[]
# With hint = 2*p + 7*q this polynomial factors as (x - p)*(2*x - 7*q).
f = 2*x^2 + 7*n - hint*x
p = int(f.roots()[0][0])
q = n//p
# Mypow() drops the lowest exponent bit, so the exponent actually applied
# by the challenge is next_prime(666) - 1.
e = gmpy2.next_prime(666)-1
# All e-th roots of ct modulo p.
R.<x> = Zmod(p)[]
f = x^e-ct
f = f.monic()
results1 = f.roots()
# All e-th roots of ct modulo q.
R.<x> = Zmod(q)[]
f = x^e-ct
f = f.monic()
results2 = f.roots()
# Combine every pair of roots with CRT and keep the candidate that contains
# the flag prefix.
for i in results1:
    for j in results2:
        param1 = [int(i[0]),int(j[0])]
        param2 = [p,q]
        m = CRT_list(param1,param2)
        flag = long_to_bytes(int(m))
        if b'DASCTF' in flag:
            print(flag)
            # Leaves only the inner loop; the outer loop keeps iterating.
            break
flag:
DASCTF{FastP0w3r_4nd_AMM_0f_R5A}
baby_RSA
题目:
n=18941897966618549590482921932069269855566887560846003853615076099963108817185327262750999516754222357223603475688339480435312583490395860452876528267241529839128983282347116489462087590022946148697811918490562357700477812317981112859801696914920157218261227248163354934594592989948835696126525303358401172927693681573257245675773302383672536531760449692312660789004434502847176542175872828631412512434830044930393378761413148832473147778681111895140827684384523695468243679431394541437405220444389502412532816429448282704044345362927781837263473315252015292522704945829965688617978850430082494284515433755194353439337
c1=16526118626986017587535672306501535736692950947614409401612053801360048305344788074060161991592465238423703152619212847540401135865568611456448069291895155754469395615728785061984518496536397902069681784511121811306784617822082388392704359591309731536503001254216652492074215090776170134134687632575101823975955490855193514898535824814240480721772488425500309069255541262657807513487602741417690129808594555617044051707040663245698288030031495680697068057476361442627006464925235000245587220216985373423116156019250717175060849008225344903717354712612845144538174414672321666720723995449432568958322357146091477808460
c2=13095063120062097779974070527081507876693191121709938699390212467606444451673018463188917059026307468646743035133125440725404382070023081106408921203784833033918414311077921555812942741835149413503118131837527750773914147553704346395325785033066932850586170939707921231437443228445877551150362056106182544493023070856816826868331368624823083157497076460097194318268087043896775120421878080384043405389184733148396101712952408224574223075652024582768672259152893749081236671766957797998433416800582010130500789821457750906031155425082685565945551613263143888863898305690312122595860844005317675247247221445967298905015
e= 51359
hint: $e = e_1 \cdot e_2$
使用 divisors 函数分解 e,然后遍历所有的因子,再进行共模攻击,再判断字符串中是否包含flag即可。
#sage
from Crypto.Util.number import *
import gmpy2
n=18941897966618549590482921932069269855566887560846003853615076099963108817185327262750999516754222357223603475688339480435312583490395860452876528267241529839128983282347116489462087590022946148697811918490562357700477812317981112859801696914920157218261227248163354934594592989948835696126525303358401172927693681573257245675773302383672536531760449692312660789004434502847176542175872828631412512434830044930393378761413148832473147778681111895140827684384523695468243679431394541437405220444389502412532816429448282704044345362927781837263473315252015292522704945829965688617978850430082494284515433755194353439337
c1=16526118626986017587535672306501535736692950947614409401612053801360048305344788074060161991592465238423703152619212847540401135865568611456448069291895155754469395615728785061984518496536397902069681784511121811306784617822082388392704359591309731536503001254216652492074215090776170134134687632575101823975955490855193514898535824814240480721772488425500309069255541262657807513487602741417690129808594555617044051707040663245698288030031495680697068057476361442627006464925235000245587220216985373423116156019250717175060849008225344903717354712612845144538174414672321666720723995449432568958322357146091477808460
c2=13095063120062097779974070527081507876693191121709938699390212467606444451673018463188917059026307468646743035133125440725404382070023081106408921203784833033918414311077921555812942741835149413503118131837527750773914147553704346395325785033066932850586170939707921231437443228445877551150362056106182544493023070856816826868331368624823083157497076460097194318268087043896775120421878080384043405389184733148396101712952408224574223075652024582768672259152893749081236671766957797998433416800582010130500789821457750906031155425082685565945551613263143888863898305690312122595860844005317675247247221445967298905015
e = 51359
# All positive divisors of e; the hint says e = e1*e2, so the two exponents
# behind c1 and c2 are searched among them.
e_list = divisors(e)
for e1 in e_list:
    for e2 in e_list:
        # Same modulus, coprime exponents: Bezout gives s1*e1 + s2*e2 == 1,
        # hence c1^s1 * c2^s2 == m (mod n).
        if gmpy2.gcd(e1, e2) == 1:
            g, s1, s2 = gmpy2.gcdext(e1, e2)
            # A Bezout coefficient can be negative; pow() with a modulus is
            # relied on to invert in that case — TODO confirm for these types.
            m = pow(c1, s1, n) * pow(c2, s2, n) % n
            flag = long_to_bytes(int(m))
            if b'flag' in flag:
                print(flag)
                # Leaves only the inner loop.
                break
            else:
                pass
flag:
flag{qwdu534qwf45qf23156qf165vurt54h}
EasyRSA
题目:
from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
from random import *
gift = 0x98efa1cac6d4a1031759ddfb2cb2a1361b76a0327802e5b99e2f98a1a410705fe93f36979441c6b5eab2737bacc66565d425c56c434d04cbc2b3d756d264995f8b198d6887ec2dddfa640d88932604115d80a9f1f0d18538a738016292057518e02b8520d1322f2cc8c500438d24e041ef9d3e70244e327e28d03c371b7d119a387bf7dfaf7b1ad89ce68f0bdf5858d961b48a6080c589a7e5ac9505cb3893510670299d2f4570acca050e26f828056a4276387b69f64a1498552754ede89e21a1c4a5e0754b41aa2c17823b6d84666896d865c9627a3be5cb8ede76461b44f7ed2398cb29f52073f23c5b0b5ac1af048d310ddec9b683ae0535670195ea510012eb16fb60186a5c26f6c516addeade9bed3dea308fc9196de5b5e99b8f8354b9116995dffb350b5b71ee8ae21b776e122508bf4acd8c9c69bb67a8003291b9a217301656ff332d6802db63605aee2a881e0ddf08904e5c8ace0cd44bffdeee7b10e1b5d868b25ddb1248802c7341267f9862b9319cbaada6d7b557425273256505470d2d610232c00d53475693db249299594ee62271589ec4ebd92c0f37d05ca24c556948dd30b3e6b124f059e4776ef219766e805bf7b1003734172e8d2cda130966bd6c5643071efef3e39bc11f6bdfef4ba6e9fa450f7605bcf9ca22c5f12fdec2f8b3ead07a34a427e3602792939873a2481a8dd0e454305b5ce374a77
def make_gift(p, q):
    """Build an RSA exponent pair (e, d) for n = p*q around a short secret prime.

    A prime ``a`` of ``n_bits // 4 - r`` bits (``r`` random in [11, 111]) that
    is coprime to phi is drawn, ``b`` is its inverse modulo phi, and the public
    exponent ``e`` is the inverse of ``b`` modulo the module-level ``gift``.
    The loop repeats until ``e`` is itself invertible modulo phi.

    NOTE(review): a*b == 1 (mod phi) with ``a`` shorter than a quarter of the
    modulus, so (b, n) behaves like a key with a small private exponent, and
    ``b`` follows from ``e`` for anyone who holds ``gift``.

    :return: ``(e, d)`` with ``e * d == 1 (mod phi)``
    """
    modulus_bits = (p * q).bit_length()
    totient = (p - 1) * (q - 1)
    shrink = randint(11, 111)
    while True:
        a = getPrime(modulus_bits // 4 - shrink)
        if gcd(a, totient) == 1:
            b = invert(a, totient)
            e = invert(b, gift)
            if gcd(e, totient) == 1:
                break
    d = invert(e, totient)
    return (e, d)
p = getPrime(2048)
q = getPrime(2048)
n = p * q
# The exponents come from make_gift() instead of a fixed public exponent.
e, d = make_gift(p, q)
c = pow(bytes_to_long(flag), e, n)
# Only n, e and c are printed; gift is a constant in this same source.
print("n:", hex(n))
print("e:", hex(e))
print("c:", hex(c))
'''
n: 0xf5da802f4a0d148a957254c9287bf1515c81088416067574fb614342d15757b84014125fa9b0b2e8158a7321a0bcde32c6b98abede5da9e526dd2e67c148f89ac0787fa55dd2a2922bc0595e67cb347ab923ee251b1e7c395706a8956335032914f152fe30556feb48592be713c120186266a085a96dee08d86283362dd2593c0df06d83050ad7d3ce5a0ae482b32800a80f66f5d8bfa306b365faec72f4cfc02846c222602a660bd024c8b05055ee824a7a14d6c3d1227ecff1c5b95016ba4ac82f3d493c51ba5e07f3d220ec633358165c97062ffe35abba6745cb7e9182aade6f867fe1ade89515ef61e1c20f08b81b19afbc09be357b2cb328fbb341408bc2ac3fbd66ab7eb7470123e8bea12c3f46082c1f37dd9eb9716d2fe92c090b63f64b8fe3e456f08ced64068e9232309c1d71f9723a2cdf643aa3eca2c0d5fcb1ffe95f9c25bd090ea94f408411e1e030016a91b024eba077fd709d69feec798a86160b921fdc058a5d6b041997737789cd4afbab4a92a80f53152ef4c6cfed432de2bf5c1cb53e33cbed6776a1f7ea4b543f688f34c7765eb441246fdccd34f0c07dca305649375d59f62087d5b2bb863f1fc6d74fe47ab1e8cbf948473e7bc08d6bb8801518d908548624a6eea403ac7ec8531920bbb319681887e70fe1c67def9a431e3ed342fae3fe4bbed35f3081ffe54b8d41409a9d017963ceb1261745
e: 0x324029b96d92446e3315b04d321db7228b30a3d0f0be3d16b7356b4259bf54e9203756fbb08713b88dbdc4986cc7ca676888f7b286b648028428af30175f4568d6443ba8f3a96a168fbe60a71addaf63b307e619c1047c24c88f2619c54b565a20fb066639c74bd7187f66e641384acca5dd59ae652873ebf715de7e1ccaa13187377e1a3c2f7ef2a3607a03bd216ef34ba3788bdb4a23b2a0ae158282c773e19635494907f65798e2a8927d6df96a4eb24ff3b40689d8ea4a82587d6dc7a268e5094c049e2321689c9d0f3fe6e261642970946d7454911518198b6e3cf7227a8e5467a6efa2ffff369307121216c65670e1319cfa20da72b4b5f5cd4a2115f360d9da94b84469466ca886d30184059dec26caca654e601c62c17b33dc30dcd66e1b89578267df7cbc4fe5270b72a23861d54426e86e3dfd7a6ae5a38168229d3f6352dfcd3d21674f349af741cc6a858a3e67c55329fb8c0fd21fb50fd2c3174b0ec2e365b0a0f444de1759ecb98a56dbd7830401e663782a564b4de2208606bee3aa98e0970d6f7cdf923c12852caaf86ef75ff438b1879da69b30564fcc7cc9aa38691ce1353fec995eaf4b8d97792b4f627bb7b631ec0dfcf8ee9333f592462ca6f16e99ef5ecece276c25ddb57b03f87266be0038bc78d374161bb8f558b8fca419a7716c984499bf17832ea2eb2e68fd4118fdb2e5a6d49d08dba0db69
c: 0x5951976397efab4db75cecd1d669f64e31da28c82f383b920fe83a1b99a913d1cb60db9d5fc58795ae011a5c5949cc0b1f53ce28e1505aad93a5ffc9e71418f32aff300ff7d9d5de83c5f53535ea6f25bbc31b56bb7f785d95edf10672bb458f6dba81acc3fd9c2de79506ea7520068b17018359642f34c365580a8e200d411f5a80f38b673706b365f0e6d2e6fb3732208acc0ab64e6159310f8fe4076f9cff17192cb8cbf37c0278e5772c1ac7c80314fc8ec6eaa39852a8e67c5592a5d87dd406e189c19c8db635f8d50e48051dc6e29d1d52e233a490cb53e1d1a592fd3883ef25f02beaf90eb4323a6e3b37c814969689c11e696422125ccd7f8a2e4fcb5276784f1d2cb5aaa2b5a5944f6330684c1c9b9c8da6ca25b18b4024d6e859014ed488643193fe1f8a4b7fdc94ad59965e00cc6cfcbb123a04c13bacbfdf2a3fc240d08c416cbb0acfaa416c81aa351c43ab62020ab39ffa3d2ccde402cb7afbde6dcb61ad0270c44560dced8eb70ae6eeb4c3c092428e94fcf334afab39e10eb1a48a02444358d32ca2ebee3045b473c3b7f9629bbce56d599969c2e2e43d6c2d10079c0e7358f5e944020f77d5f79f6cf78952434cc038ffdadccc6ef1e88f0b8cf6cfe1a6b3f0f5ac1492b387c1dc29f6624f6b20fa86c0ed5d71296275df3388467680bf5208afbb39277045f0dd6a3230418e8220ee7a213888a712d682
'''
$e \cdot b \equiv 1 \pmod{gift}$,那么可求出 b = gmpy2.invert(e,gift)。
因为a很小(约 n_bits//4 − r 位),而对应的b非常大,满足维纳攻击的条件,我们使用维纳攻击计算出a。现在相当于RSA中已知n,e,d,我们可以根据这三个条件分解n得到p,q,最后简单RSA解密即可。
from Crypto.Util.number import *
import gmpy2
import random
n = 0xf5da802f4a0d148a957254c9287bf1515c81088416067574fb614342d15757b84014125fa9b0b2e8158a7321a0bcde32c6b98abede5da9e526dd2e67c148f89ac0787fa55dd2a2922bc0595e67cb347ab923ee251b1e7c395706a8956335032914f152fe30556feb48592be713c120186266a085a96dee08d86283362dd2593c0df06d83050ad7d3ce5a0ae482b32800a80f66f5d8bfa306b365faec72f4cfc02846c222602a660bd024c8b05055ee824a7a14d6c3d1227ecff1c5b95016ba4ac82f3d493c51ba5e07f3d220ec633358165c97062ffe35abba6745cb7e9182aade6f867fe1ade89515ef61e1c20f08b81b19afbc09be357b2cb328fbb341408bc2ac3fbd66ab7eb7470123e8bea12c3f46082c1f37dd9eb9716d2fe92c090b63f64b8fe3e456f08ced64068e9232309c1d71f9723a2cdf643aa3eca2c0d5fcb1ffe95f9c25bd090ea94f408411e1e030016a91b024eba077fd709d69feec798a86160b921fdc058a5d6b041997737789cd4afbab4a92a80f53152ef4c6cfed432de2bf5c1cb53e33cbed6776a1f7ea4b543f688f34c7765eb441246fdccd34f0c07dca305649375d59f62087d5b2bb863f1fc6d74fe47ab1e8cbf948473e7bc08d6bb8801518d908548624a6eea403ac7ec8531920bbb319681887e70fe1c67def9a431e3ed342fae3fe4bbed35f3081ffe54b8d41409a9d017963ceb1261745
e = 0x324029b96d92446e3315b04d321db7228b30a3d0f0be3d16b7356b4259bf54e9203756fbb08713b88dbdc4986cc7ca676888f7b286b648028428af30175f4568d6443ba8f3a96a168fbe60a71addaf63b307e619c1047c24c88f2619c54b565a20fb066639c74bd7187f66e641384acca5dd59ae652873ebf715de7e1ccaa13187377e1a3c2f7ef2a3607a03bd216ef34ba3788bdb4a23b2a0ae158282c773e19635494907f65798e2a8927d6df96a4eb24ff3b40689d8ea4a82587d6dc7a268e5094c049e2321689c9d0f3fe6e261642970946d7454911518198b6e3cf7227a8e5467a6efa2ffff369307121216c65670e1319cfa20da72b4b5f5cd4a2115f360d9da94b84469466ca886d30184059dec26caca654e601c62c17b33dc30dcd66e1b89578267df7cbc4fe5270b72a23861d54426e86e3dfd7a6ae5a38168229d3f6352dfcd3d21674f349af741cc6a858a3e67c55329fb8c0fd21fb50fd2c3174b0ec2e365b0a0f444de1759ecb98a56dbd7830401e663782a564b4de2208606bee3aa98e0970d6f7cdf923c12852caaf86ef75ff438b1879da69b30564fcc7cc9aa38691ce1353fec995eaf4b8d97792b4f627bb7b631ec0dfcf8ee9333f592462ca6f16e99ef5ecece276c25ddb57b03f87266be0038bc78d374161bb8f558b8fca419a7716c984499bf17832ea2eb2e68fd4118fdb2e5a6d49d08dba0db69
c = 0x5951976397efab4db75cecd1d669f64e31da28c82f383b920fe83a1b99a913d1cb60db9d5fc58795ae011a5c5949cc0b1f53ce28e1505aad93a5ffc9e71418f32aff300ff7d9d5de83c5f53535ea6f25bbc31b56bb7f785d95edf10672bb458f6dba81acc3fd9c2de79506ea7520068b17018359642f34c365580a8e200d411f5a80f38b673706b365f0e6d2e6fb3732208acc0ab64e6159310f8fe4076f9cff17192cb8cbf37c0278e5772c1ac7c80314fc8ec6eaa39852a8e67c5592a5d87dd406e189c19c8db635f8d50e48051dc6e29d1d52e233a490cb53e1d1a592fd3883ef25f02beaf90eb4323a6e3b37c814969689c11e696422125ccd7f8a2e4fcb5276784f1d2cb5aaa2b5a5944f6330684c1c9b9c8da6ca25b18b4024d6e859014ed488643193fe1f8a4b7fdc94ad59965e00cc6cfcbb123a04c13bacbfdf2a3fc240d08c416cbb0acfaa416c81aa351c43ab62020ab39ffa3d2ccde402cb7afbde6dcb61ad0270c44560dced8eb70ae6eeb4c3c092428e94fcf334afab39e10eb1a48a02444358d32ca2ebee3045b473c3b7f9629bbce56d599969c2e2e43d6c2d10079c0e7358f5e944020f77d5f79f6cf78952434cc038ffdadccc6ef1e88f0b8cf6cfe1a6b3f0f5ac1492b387c1dc29f6624f6b20fa86c0ed5d71296275df3388467680bf5208afbb39277045f0dd6a3230418e8220ee7a213888a712d682
gift = 0x98efa1cac6d4a1031759ddfb2cb2a1361b76a0327802e5b99e2f98a1a410705fe93f36979441c6b5eab2737bacc66565d425c56c434d04cbc2b3d756d264995f8b198d6887ec2dddfa640d88932604115d80a9f1f0d18538a738016292057518e02b8520d1322f2cc8c500438d24e041ef9d3e70244e327e28d03c371b7d119a387bf7dfaf7b1ad89ce68f0bdf5858d961b48a6080c589a7e5ac9505cb3893510670299d2f4570acca050e26f828056a4276387b69f64a1498552754ede89e21a1c4a5e0754b41aa2c17823b6d84666896d865c9627a3be5cb8ede76461b44f7ed2398cb29f52073f23c5b0b5ac1af048d310ddec9b683ae0535670195ea510012eb16fb60186a5c26f6c516addeade9bed3dea308fc9196de5b5e99b8f8354b9116995dffb350b5b71ee8ae21b776e122508bf4acd8c9c69bb67a8003291b9a217301656ff332d6802db63605aee2a881e0ddf08904e5c8ace0cd44bffdeee7b10e1b5d868b25ddb1248802c7341267f9862b9319cbaada6d7b557425273256505470d2d610232c00d53475693db249299594ee62271589ec4ebd92c0f37d05ca24c556948dd30b3e6b124f059e4776ef219766e805bf7b1003734172e8d2cda130966bd6c5643071efef3e39bc11f6bdfef4ba6e9fa450f7605bcf9ca22c5f12fdec2f8b3ead07a34a427e3602792939873a2481a8dd0e454305b5ce374a77
# Recover b from the published e and gift: e*b == 1 (mod gift).
b = gmpy2.invert(e,gift)
def continuedFra(x, y):
    """Expand the fraction x/y into its continued-fraction terms.

    :param x: numerator
    :param y: denominator
    :return: list of continued-fraction quotients (empty when y is 0)
    """
    terms = []
    while y != 0:
        quotient, remainder = divmod(x, y)
        terms.append(quotient)
        x, y = y, remainder
    return terms
def gradualFra(cf):
    """Fold a list of continued-fraction terms into its last convergent.

    The pair is returned in reciprocal order: for terms ``[a0, a1, ...]`` the
    second element divided by the first equals the convergent's value
    (e.g. ``[4, 2, 6, 7]`` gives ``(93, 415)`` for 415/93).

    :param cf: list of continued-fraction terms
    :return: ``(numerator, denominator)`` as accumulated by the fold
    """
    numerator, denominator = 0, 1
    # Fold from the innermost term outwards; the two parts are tracked
    # separately so everything stays in exact integer arithmetic.
    for term in reversed(cf):
        numerator, denominator = denominator, term * denominator + numerator
    return numerator, denominator
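def solve_pq(a, b, c):
    """Solve a*x^2 + b*x + c = 0 with integer arithmetic.

    Used with Vieta's formulas, x^2 - (p+q)*x + p*q = 0, to test a candidate
    phi. The integer square root is floored, so the result is only exact when
    the discriminant is a perfect square; callers must verify the product.

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (p*q)
    :return: the two candidate roots, or ``(0, 0)`` when the discriminant is
        negative
    """
    discriminant = b * b - 4 * a * c
    if discriminant < 0:
        # gmpy2.isqrt rejects negative input; a wrong phi candidate should be
        # discarded by the caller's product check, not abort the search.
        return 0, 0
    par = gmpy2.isqrt(discriminant)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)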
def getGradualFra(cf):
    """Compute the convergent of every non-empty prefix of ``cf``.

    :param cf: list of continued-fraction terms
    :return: list of ``gradualFra`` results, one per prefix, shortest first
    """
    return [gradualFra(cf[:end]) for end in range(1, len(cf) + 1)]
def wienerAttack(e, n):
    """Search the convergents of e/n for a small RSA private exponent.

    Each convergent supplies a candidate pair (d, k) with e*d - 1 == k*phi;
    the candidate phi is accepted when the resulting quadratic yields two
    values whose product is n.

    :param e: public exponent
    :param n: modulus
    :return: the private exponent d, or None when no convergent fits
    """
    for d, k in getGradualFra(continuedFra(e, n)):
        if k == 0:
            continue
        candidate_phi, leftover = divmod(e * d - 1, k)
        if leftover != 0:
            continue
        p, q = solve_pq(1, n - candidate_phi + 1, n)
        if p * q == n:
            return d
    return None
# (b, n) plays the role of a public key whose private exponent is the short
# prime a, so the continued-fraction search returns a.
a = wienerAttack(b,n)
def divide_pq(e, d, n):
    """Factor n from an exponent pair with e*d == 1 (mod phi).

    k = e*d - 1 is a multiple of phi. For a random base g, k is halved
    repeatedly while it is even; whenever g**t mod n is a value x > 1 with
    gcd(x - 1, n) > 1, that gcd is a proper factor. A fresh base is drawn
    when one run finds nothing.

    :return: ``(p, n // p)``
    """
    k = e*d - 1
    while True:
        g = random.randint(2, n-1)
        t = k
        while t % 2 == 0:
            t //= 2
            x = pow(g, t, n)
            if x > 1:
                factor = gmpy2.gcd(x-1, n)
                if factor > 1:
                    return (factor, n//factor)
# a*b == 1 (mod phi), so the pair (a, b) is enough to factor n.
p,q = divide_pq(a,b,n)
# With p and q known, invert the real public exponent e and decrypt.
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = long_to_bytes(m)
print(flag)
flag:
flag{W1nn3r_4tt4ck_1s_0k_!}
你懂RSA吗
题目:
from gmpy2 import *
from secret import flag, hint
from Crypto.Util.number import *
from sympy import *
# The flag is split in half; each half is encrypted under its own RSA key below.
m1 = bytes_to_long(flag[:len(flag) // 2])
m2 = bytes_to_long(flag[len(flag) // 2:])
def gete(e, phi):
    """Return ``e`` if it is coprime to ``phi``, else the next prime that is.

    :param e: starting candidate for the public exponent
    :param phi: totient the exponent must be invertible against
    :return: the first candidate with gcd(candidate, phi) == 1
    """
    while gcd(e, phi) != 1:
        e = nextprime(e)
    return e
# RSA#1
p1 = getPrime(1024)
# q1 is the very next prime after p1, so both factors sit next to sqrt(n1).
q1 = nextprime(p1)
n1 = p1 * q1
phi1 = (p1 - 1) * (q1 - 1)
e1 = gete(getPrime(18), phi1)
d1 = invert(e1, phi1)
c1 = pow(m1, e1, n1)
# Only the ciphertext is printed; n1 and e1 stay commented out below.
print('c1 = ' + str(c1))
# print('n1 = ' + str(n1) + '\n' +
# 'e1 = ' + str(e1) + '\n')
# RSA#2
p2 = getPrime(1024)
q2 = getPrime(1024)
n2 = q2 * p2
phi2 = (p2 - 1) * (q2 - 1)
e2 = gete(getPrime(17), phi2)
d2 = invert(e2, phi2)
c2 = pow(m2, e2, n2)
# Only the ciphertext is printed; the key material stays commented out below.
print('c2 = ' + str(c2))
# print('p2 = ' + str(p2) + '\n' +
# 'q2 = ' + str(q2) + '\n' +
# 'n2 = ' + str(n2) + '\n' +
# 'e2 = ' + str(e2) + '\n' +
# 'd2 = ' + str(d2))
# RSA#3
p3 = getPrime(512)
q3 = getPrime(512)
n3 = q3 * p3
phi3 = (p3 - 1) * (q3 - 1)
e3 = gete(getPrime(18), phi3)
d3 = invert(e3, phi3)
# The third key encrypts the hint rather than part of the flag.
c3 = pow(bytes_to_long(hint), e3, n3)
# Both primes and both CRT exponents are printed, i.e. the full private
# information needed to decrypt c3.
print('p3 = ' + str(p3) + '\n' +
      'q3 = ' + str(q3) + '\n' +
      'dp3 = ' + str(d3 % (p3 - 1)) + '\n' +
      'dq3 = ' + str(d3 % (q3 - 1)) + '\n' +
      'c3 = ' + str(c3) + '\n')
'''
c1 = 22174029170472408206925317076073043420894146164245984513340870318355661512525991461242672876579919328182461896419967224664448944167711125659536698909328115475500945822640519133190059966264237324981949930399526364419738220809569927722192868778639813090738131657587264840367644694061115160773023580543920084929748399148178702225712911176256956224775128704303027831752557351932432075076157070898061567672702897151144619971875201217685327600270527780313430553318062411578705980314887424183403168239225614870874838731789712153752400767845145106178451674432872533188785420237737349888569724838577725179304747976155836528847
c2 = 10006956750702744303137845836730927141799706624172551459783330437667128195604549377600905839723612359687545817501794804478132211323657104751029372453359464026864968972464883675500595304223093507632350492084010491130081665728182685954048949109653693249111253069794108059350353213391544115840233839828208072185801721609295479840358583549661814221304084750980072823512963591716048308048539407543323924798329369799578602466336065436323363597239602321921514918868038140356589054841516163876544415605778360640782130481614039149302608722444909890759048138800702326642667527192623969418036087996474429011639448153049587797462
p3 = 6871042992051242891353553828899476415458203263978116790716337081548776068741385334659024997003813526251309677426804084745771024501352235018170100684175461
q3 = 6834465353091839104371740967212016644595780246793635968655238380829500111702811200820371080007560944435951010124236903046782106679767154721052005084109581
dp3 = 467439171809080897562812158716113371309992932574365431517842223709652090731602413652476839178504114432476940007157603066114339287906444433126732288932893
dq3 = 3431333508698715944036764699886242262043494073402064203167658489949139507430255388444870068919384813249331639339226259968646375217058269607167202636893253
c3 = 37748087350954498108276083391021015026310493963518031097482650818277570058294408094828106125531413903496569964230242579745002006918502804782348770630190106624647053817071228704522300210169354364199058884898426724603517264523516972890674703377695391122729953449202278272630556978735605677793006582502650005834
'''
Challenge.txt:
由于在生成公钥对的过程中电脑卡了卡,导致转为{hint}后部分数据混乱,公钥部分无法正常解析,私钥部分少了前三个数据和最后一个数据,但幸运的是重要数据并没有损坏
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGjK21FO8/FjPZM+gGJ3
TvykTBocH9CReiBWuzkZwZmVt6wTJzerWS+DPRFJo7IviUxR0VOncEwxNgBzy5Ii
DXDvR6gwSXRjCvKD8fHBg3I96Lj2yV29t0J0mVyCoWqVAnxv09cUBIa25K5vmUIU
Pd1pA1m2xDLCQ54knHUjwK/fayGMrHHrT+bhSSFSIIguqKUOQ5ucgwWApTTF8CF7
yXITpq3kkYoZtSS4XewWr90xE+4v6vXNJ6vWJnxjaztEJ5meThH0DTgGTyq2/R59
jlCQ7suLqjH0S8HtSGQ4bM7sJkL+3WWDoyCgqKNvMpJmx9cQ5Gq8qgQ5ZZnqEI+0
MQIDAjKf
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKBgQD3z3W6ws4Svfnng1Cw6MpyM/V25hiIUR0JYkJg3FsfQ4C2mIET
Cf38dVSoyqDmyelOGTN34RH/h+tA5t/qXZwsdx+xVyT1eL5He2DRdO6jZb+NIn4a
mbEAAWIeBEgLXTZ4YKVLw+WluoFhaFyLILPWEDalfuc35gyF7BEIU8hK5QKBgQDS
JFoZ30p9ysWinUf5vHppnHxR14J7wFs+gXg1cDT64/cQNlcj4/DpJmAL52yAexbm
Wi5VtiD3o7+qjNH+X8l6Z5+uIOSouj4Vnnz6z5xfmO4DlR7DSNO5wa6Elt/zGZt0
OulmGJqaNftLEK2Tp4EE63fuMww15aBOyuNBhMNTLQKBgBwPfNhKCMWsh2jEwNVX
dt0ZrxjokyyUasJOQw/uw861eRS0DiGWxxDYRF7cmv2nLWjvh5lyffQ+ctAllINY
WD/cuVT+divpoTo86Uiugfs0oU0c88SVVKqYfYDCoVnQE0PsRatfolhy1wWtqJUE
ffimW1nAFfSJcy+S/JbBzfNVAoGAeLRAvNOxagfq9bj5+sz0U217S1dKr+KRhpm/
fpJxHBuNclaEPy1S19kfGjdX74TEZpQuQTVYQmZgVYqFpGNIy3JyGgby0KgJuUlL
6JUP8Slardwdy3Yth2lk4Ov4vx5aWKzuG6LOSv3u1fNCgKmaRkUqojvYK602I4wO
dTfZKhE=
-----END RSA PRIVATE KEY-----
RSA1
这一部分考虑 pem公钥格式的解析
在PKCS#1 RSA算法标准中定义RSA公钥语法为:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
将base64字符串解码后,再转换为16进制
30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc68cadb514ef3f1633d933e806277
4efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb9222
0d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f994214
3ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217b
c97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d
8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb4
31020302329f
30820122:
表示后面是一个SEQUENCE,总长度为0x122,即290字节(其后的 300d0609…0500 是算法标识,0382010f00 是 BIT STRING,其中的 3082010a 才是上面定义的 RSAPublicKey 序列)
02820101:
表示后面是一个INTEGER,长度是0101即257字节,后面跟的00 …即为n的内容,257字节
0203:
表示后面是一个INTEGER,长度是03即3字节,内容 0x02329f,这就是e。
获取到的数据如下:
n1 = 0xcc68cadb514ef3f1633d933e8062774efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb92220d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f9942143ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217bc97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb431
e1 = 0x2329f
又因为p和q相近,所以直接对n1进行开方,然后往后循环取下一个素数直到能被n1整除为止,此时q为所求。
common_key = '''MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGjK21FO8/FjPZM+gGJ3
TvykTBocH9CReiBWuzkZwZmVt6wTJzerWS+DPRFJo7IviUxR0VOncEwxNgBzy5Ii
DXDvR6gwSXRjCvKD8fHBg3I96Lj2yV29t0J0mVyCoWqVAnxv09cUBIa25K5vmUIU
Pd1pA1m2xDLCQ54knHUjwK/fayGMrHHrT+bhSSFSIIguqKUOQ5ucgwWApTTF8CF7
yXITpq3kkYoZtSS4XewWr90xE+4v6vXNJ6vWJnxjaztEJ5meThH0DTgGTyq2/R59
jlCQ7suLqjH0S8HtSGQ4bM7sJkL+3WWDoyCgqKNvMpJmx9cQ5Gq8qgQ5ZZnqEI+0
MQIDAjKf'''
#common_key = "".join(common_key.split("\n"))
# Decode the PEM body one line at a time and dump each chunk as hex.
# NOTE(review): per-line decoding relies on every line being valid base64 on
# its own — confirm each line length is a multiple of 4.
common_key = common_key.split("\n")
for i in common_key:
    print(base64.b64decode(i).hex())
c1 = 22174029170472408206925317076073043420894146164245984513340870318355661512525991461242672876579919328182461896419967224664448944167711125659536698909328115475500945822640519133190059966264237324981949930399526364419738220809569927722192868778639813090738131657587264840367644694061115160773023580543920084929748399148178702225712911176256956224775128704303027831752557351932432075076157070898061567672702897151144619971875201217685327600270527780313430553318062411578705980314887424183403168239225614870874838731789712153752400767845145106178451674432872533188785420237737349888569724838577725179304747976155836528847
n1 = 0xcc68cadb514ef3f1633d933e8062774efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb92220d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f9942143ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217bc97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb431
e1 = 0x2329f
# The challenge builds q1 as the next prime after p1, so start at
# floor(sqrt(n1)) and walk upward prime by prime until one divides n1.
q1_near = gmpy2.iroot(n1,2)[0]
while n1%q1_near!=0:
    q1_near = gmpy2.next_prime(q1_near)
q1 = q1_near
p1 = n1//q1
# Ordinary RSA decryption of the first flag half.
phi1 = (p1 - 1) * (q1 - 1)
d1 = gmpy2.invert(e1,phi1)
m1 = pow(c1,d1,n1)
flag1 = long_to_bytes(m1)
RSA2
这一部分考虑 pem私钥格式的解析
在PKCS#1 RSA算法标准中定义RSA私钥语法为:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER, -- (inverse of q) mod p
otherPrimeInfos OtherPrimeInfos OPTIONAL
}
将base64字符串解码后,再转换为16进制
308204a202010002818100f7cf75bac2ce12bdf9e78350b0e8ca7233f576e61888511d09624260dc5b1f4380b6988113
09fdfc7554a8caa0e6c9e94e193377e111ff87eb40e6dfea5d9c2c771fb15724f578be477b60d174eea365bf8d227e1a
99b10001621e04480b5d367860a54bc3e5a5ba8161685c8b20b3d61036a57ee737e60c85ec110853c84ae502818100d2
245a19df4a7dcac5a29d47f9bc7a699c7c51d7827bc05b3e8178357034fae3f710365723e3f0e926600be76c807b16e6
5a2e55b620f7a3bfaa8cd1fe5fc97a679fae20e4a8ba3e159e7cfacf9c5f98ee03951ec348d3b9c1ae8496dff3199b74
3ae966189a9a35fb4b10ad93a78104eb77ee330c35e5a04ecae34184c3532d0281801c0f7cd84a08c5ac8768c4c0d557
76dd19af18e8932c946ac24e430feec3ceb57914b40e2196c710d8445edc9afda72d68ef8799727df43e72d025948358
583fdcb954fe762be9a13a3ce948ae81fb34a14d1cf3c49554aa987d80c2a159d01343ec45ab5fa25872d705ada89504
7df8a65b59c015f489732f92fc96c1cdf35502818078b440bcd3b16a07eaf5b8f9faccf4536d7b4b574aafe2918699bf
7e92711c1b8d7256843f2d52d7d91f1a3757ef84c466942e413558426660558a85a46348cb72721a06f2d0a809b9494b
e8950ff1295aaddc1dcb762d876964e0ebf8bf1e5a58acee1ba2ce4afdeed5f34280a99a46452aa23bd82bad36238c0e
7537d92a11
根据题目提示:私钥部分少了前三个数据和最后一个数据
也就是说私钥的数据只剩下p,q,dp,dq。
第一个028181:表示INTEGER,长度为129 bytes,其内容为:p
第二个028181:表示INTEGER,长度为129 bytes,其内容为:q
第一个028180:表示INTEGER,长度为128 bytes,其内容为:dp
第二个028180:表示INTEGER,长度为128 bytes,其内容为:dq
获取到的数据如下:
p = 0x00f7cf75bac2ce12bdf9e78350b0e8ca7233f576e61888511d09624260dc5b1f4380b698811309fdfc7554a8caa0e6c9e94e193377e111ff87eb40e6dfea5d9c2c771fb15724f578be477b60d174eea365bf8d227e1a99b10001621e04480b5d367860a54bc3e5a5ba8161685c8b20b3d61036a57ee737e60c85ec110853c84ae5
q = 0x00d2245a19df4a7dcac5a29d47f9bc7a699c7c51d7827bc05b3e8178357034fae3f710365723e3f0e926600be76c807b16e65a2e55b620f7a3bfaa8cd1fe5fc97a679fae20e4a8ba3e159e7cfacf9c5f98ee03951ec348d3b9c1ae8496dff3199b743ae966189a9a35fb4b10ad93a78104eb77ee330c35e5a04ecae34184c3532d
dp = 0x1c0f7cd84a08c5ac8768c4c0d55776dd19af18e8932c946ac24e430feec3ceb57914b40e2196c710d8445edc9afda72d68ef8799727df43e72d025948358583fdcb954fe762be9a13a3ce948ae81fb34a14d1cf3c49554aa987d80c2a159d01343ec45ab5fa25872d705ada895047df8a65b59c015f489732f92fc96c1cdf355
dq = 0x78b440bcd3b16a07eaf5b8f9faccf4536d7b4b574aafe2918699bf7e92711c1b8d7256843f2d52d7d91f1a3757ef84c466942e413558426660558a85a46348cb72721a06f2d0a809b9494be8950ff1295aaddc1dcb762d876964e0ebf8bf1e5a58acee1ba2ce4afdeed5f34280a99a46452aa23bd82bad36238c0e7537d92a11
由前一半flag可知,后一半flag为20字节,显然flag长度远比p短。
那么我们就可以直接利用dp和p进行解密获得m:由于 m < p,有 m = c2^dp mod p。
import gmpy2
from Crypto.Util.number import *
import base64
# ---------------------------------------------------------------------------
# Part 1 (flag1): split n1 by walking primes upward from its integer square root.
# ---------------------------------------------------------------------------
# Base64 body of the public key. n1 and e1 below are presumably the modulus
# and exponent carried in this blob (its last bytes decode to 02 03 02 32 9f).
# The DER bytes can be inspected by base64-decoding each line and hex-dumping it.
common_key = '''MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGjK21FO8/FjPZM+gGJ3
TvykTBocH9CReiBWuzkZwZmVt6wTJzerWS+DPRFJo7IviUxR0VOncEwxNgBzy5Ii
DXDvR6gwSXRjCvKD8fHBg3I96Lj2yV29t0J0mVyCoWqVAnxv09cUBIa25K5vmUIU
Pd1pA1m2xDLCQ54knHUjwK/fayGMrHHrT+bhSSFSIIguqKUOQ5ucgwWApTTF8CF7
yXITpq3kkYoZtSS4XewWr90xE+4v6vXNJ6vWJnxjaztEJ5meThH0DTgGTyq2/R59
jlCQ7suLqjH0S8HtSGQ4bM7sJkL+3WWDoyCgqKNvMpJmx9cQ5Gq8qgQ5ZZnqEI+0
MQIDAjKf'''

c1 = 22174029170472408206925317076073043420894146164245984513340870318355661512525991461242672876579919328182461896419967224664448944167711125659536698909328115475500945822640519133190059966264237324981949930399526364419738220809569927722192868778639813090738131657587264840367644694061115160773023580543920084929748399148178702225712911176256956224775128704303027831752557351932432075076157070898061567672702897151144619971875201217685327600270527780313430553318062411578705980314887424183403168239225614870874838731789712153752400767845145106178451674432872533188785420237737349888569724838577725179304747976155836528847
n1 = 0xcc68cadb514ef3f1633d933e8062774efca44c1a1c1fd0917a2056bb3919c19995b7ac132737ab592f833d1149a3b22f894c51d153a7704c31360073cb92220d70ef47a8304974630af283f1f1c183723de8b8f6c95dbdb74274995c82a16a95027c6fd3d7140486b6e4ae6f9942143ddd690359b6c432c2439e249c7523c0afdf6b218cac71eb4fe6e149215220882ea8a50e439b9c830580a534c5f0217bc97213a6ade4918a19b524b85dec16afdd3113ee2feaf5cd27abd6267c636b3b4427999e4e11f40d38064f2ab6fd1e7d8e5090eecb8baa31f44bc1ed4864386cceec2642fedd6583a320a0a8a36f329266c7d710e46abcaa04396599ea108fb431
e1 = 0x2329f

# Start at floor(sqrt(n1)) and step to the next prime until one divides n1.
# The loop has no upper bound: it only finishes in reasonable time when the
# larger factor lies just above sqrt(n1), i.e. when the two primes are nearly
# equal. Key generation that keeps |p - q| large is what rules this out.
q1, _ = gmpy2.iroot(n1, 2)
while n1 % q1:
    q1 = gmpy2.next_prime(q1)
p1 = n1 // q1

# Ordinary private-exponent recovery once both factors are known.
phi1 = (q1 - 1) * (p1 - 1)
d1 = gmpy2.invert(e1, phi1)
m1 = pow(c1, d1, n1)
flag1 = long_to_bytes(m1)

# ---------------------------------------------------------------------------
# Part 2 (flag2): decrypt from the leaked CRT components p and dp alone.
# ---------------------------------------------------------------------------
# Base64 body of the damaged private key. Per the write-up only p, q, dp and
# dq are left in it; the p and dp literals below are the values listed there.
private_key = '''MIIEogIBAAKBgQD3z3W6ws4Svfnng1Cw6MpyM/V25hiIUR0JYkJg3FsfQ4C2mIET
Cf38dVSoyqDmyelOGTN34RH/h+tA5t/qXZwsdx+xVyT1eL5He2DRdO6jZb+NIn4a
mbEAAWIeBEgLXTZ4YKVLw+WluoFhaFyLILPWEDalfuc35gyF7BEIU8hK5QKBgQDS
JFoZ30p9ysWinUf5vHppnHxR14J7wFs+gXg1cDT64/cQNlcj4/DpJmAL52yAexbm
Wi5VtiD3o7+qjNH+X8l6Z5+uIOSouj4Vnnz6z5xfmO4DlR7DSNO5wa6Elt/zGZt0
OulmGJqaNftLEK2Tp4EE63fuMww15aBOyuNBhMNTLQKBgBwPfNhKCMWsh2jEwNVX
dt0ZrxjokyyUasJOQw/uw861eRS0DiGWxxDYRF7cmv2nLWjvh5lyffQ+ctAllINY
WD/cuVT+divpoTo86Uiugfs0oU0c88SVVKqYfYDCoVnQE0PsRatfolhy1wWtqJUE
ffimW1nAFfSJcy+S/JbBzfNVAoGAeLRAvNOxagfq9bj5+sz0U217S1dKr+KRhpm/
fpJxHBuNclaEPy1S19kfGjdX74TEZpQuQTVYQmZgVYqFpGNIy3JyGgby0KgJuUlL
6JUP8Slardwdy3Yth2lk4Ov4vx5aWKzuG6LOSv3u1fNCgKmaRkUqojvYK602I4wO
dTfZKhE='''

c2 = 10006956750702744303137845836730927141799706624172551459783330437667128195604549377600905839723612359687545817501794804478132211323657104751029372453359464026864968972464883675500595304223093507632350492084010491130081665728182685954048949109653693249111253069794108059350353213391544115840233839828208072185801721609295479840358583549661814221304084750980072823512963591716048308048539407543323924798329369799578602466336065436323363597239602321921514918868038140356589054841516163876544415605778360640782130481614039149302608722444909890759048138800702326642667527192623969418036087996474429011639448153049587797462
p = 0x00f7cf75bac2ce12bdf9e78350b0e8ca7233f576e61888511d09624260dc5b1f4380b698811309fdfc7554a8caa0e6c9e94e193377e111ff87eb40e6dfea5d9c2c771fb15724f578be477b60d174eea365bf8d227e1a99b10001621e04480b5d367860a54bc3e5a5ba8161685c8b20b3d61036a57ee737e60c85ec110853c84ae5
dp = 0x1c0f7cd84a08c5ac8768c4c0d55776dd19af18e8932c946ac24e430feec3ceb57914b40e2196c710d8445edc9afda72d68ef8799727df43e72d025948358583fdcb954fe762be9a13a3ce948ae81fb34a14d1cf3c49554aa987d80c2a159d01343ec45ab5fa25872d705ada895047df8a65b59c015f489732f92fc96c1cdf355

# c2^dp mod p yields m mod p. That equals m itself only because the plaintext
# (20 bytes according to the write-up) is far shorter than p; a message padded
# up to the modulus size would not be recovered by this step alone.
m2 = pow(c2, dp, p)
flag2 = long_to_bytes(m2)

flag = flag1 + flag2
print(flag)
flag:
DASCTF{c67a14c8aff505b6bfe85fb167d1a096}
【当个好人能理直气壮,可如果知道当好人要付出这么大的代价,还有几个人敢当好人?】