Chestnut's blog

且停且忘且随风,且行且看且从容

TuTCTF (Crypto)

发布于 2024-06-03 | 标签: 比赛 | 2分钟 | 214字数 | 浏览量::

1.p+q

from Crypto.Util.number import *
from gmpy2 import *
from secret import flag

BITS = 233

def broken(x, bits):
    return x>>bits

def gen():
    p,q = getPrime(512),getPrime(512)
    n = p*q
    e = 65537
    return n, broken(p+q, BITS)

n, hint = gen()
e = 0x10001
m = bytes_to_long(flag)
assert m < n
c = pow(m, e, n)

print(n)
print(hint)
print(c)

'''
107847645025513535850791225440130707186374273414737521825714442885442542984529827092766916748308266623066053421754530398675086374798530909982183476265477598220972320436343536618913608933549054793948336438240303192183575843300257235195070331758555882832698815894168120103459360566404203412796086643598204242029
1505246122706281178983443268987790509406564031452059494152554645294649335244676839890
16589212605025468264862689939961340646400626438824064459026078002373801735937861932598660491280834517490394340315480853421268981930217857435669572426110105938015092688880859031418213297139875807487434491329423279700179082306961439610731922669459168752958192842026918421354512654494583087220572962719510130677
'''

写的时候想到这个思路了,结果不知道RealField(1000),这几天知道了,就想起来了,就转化成了p的高位泄露,得尝试改一下位数上线

from gmpy2 import *
from Crypto.Util.number import *

n =107847645025513535850791225440130707186374273414737521825714442885442542984529827092766916748308266623066053421754530398675086374798530909982183476265477598220972320436343536618913608933549054793948336438240303192183575843300257235195070331758555882832698815894168120103459360566404203412796086643598204242029
hint = 1505246122706281178983443268987790509406564031452059494152554645294649335244676839890
c = 16589212605025468264862689939961340646400626438824064459026078002373801735937861932598660491280834517490394340315480853421268981930217857435669572426110105938015092688880859031418213297139875807487434491329423279700179082306961439610731922669459168752958192842026918421354512654494583087220572962719510130677
e = 65537
 
#part1 get leak2
PR.<x> = PolynomialRing(RealField(1000))
f = x*((hint<<233)-x) - n 
p2high = int(f.roots()[0][0])

PR.<x> = PolynomialRing(Zmod(n))
f = p2high + x
res = f.small_roots(X=2^240,beta=0.4,epsilon=0.01)[0]
p2 = int(p2high + res)
q2 = n // p2
d2 = inverse(e,(p2-1)*(q2-1))
leak2 = pow(c, d2, n)
print((leak2))
print(long_to_bytes(56006392793428522912423049931419741108669154453784555135205143867930249675057361228618616034080076925))
# flag{ccc2e285-7bb1-484e-ad62-58cc474ef9d4}
# 比赛
已运行:
浏览数: | 访客数:
Powered by Gridea
0%