impossible RSA:

没啥好说的,跟我之前文章有道题类似,虽然如此还是花费了很长时间,原因令人落泪,把q = inverse(e,p)的数学式写成了eq mod p导致数学式推导及其困难(能推但无用)

解题脚本:

#coding:utf-8

from Crypto.Util.number import *

import math

n = 15987576139341888788648863000534417640300610310400667285095951525208145689364599119023071414036901060746667790322978452082156680245315967027826237720608915093109552001033660867808508307569531484090109429319369422352192782126107818889717133951923616077943884651989622345435505428708807799081267551724239052569147921746342232280621533501263115148844736900422712305937266228809533549134349607212400851092005281865296850991469375578815615235030857047620950536534729591359236290249610371406300791107442098796128895918697534590865459421439398361818591924211607651747970679849262467894774012617335352887745475509155575074809

e = 65537

c = 8273086882440893360458062957389163084656045191542493618199369528956277216626884353986044368396198156428766254991928690583227149075264217246716715502497271453823598984519037301602775476502736840821942623288225980044817912940317041496675271105285924648202112216540495276381694590948153181922044287087121526235593090625653756288948499134042427779455887781328892794911088854654421379942237290840799205667104402295294924690771201447934282318850564703279100891083617354084345663030868007048086929831020873706613566948846194280096109248694845560054847526215721665897469865078997234299897107511688667705001432037926136840958

import gmpy2

for k in range(1, 100000000):

    L = gmpy2.iroot(1 + 4 * k * n * e, 2)

    if L[1]:

        p = (-1 + L[0]) // (2 * k)

        q = (p * k + 1) // e

        print(p)

        print(q)

        print(k)

        break

k = 46280

p = 150465840847587996081934790667651610347742504431401795762471467800785876172317705268993152743689967775266712089661128372295606682852482012493939368044600366794969553828079064622047080051569090177885299781981209120854290564064662058027679075401901717932024549311396484660557278975525859127898004619405319768113

q = 106253858346069738600667441477316882476975191191010804704017265511396163224664897689076447029585908855140507431062102645373463498213419404889139172575859514095414665779078979976323891310048026205540865067215318951327289428947198682355325809994354509756230772573224732747769822710641878029801786071777441733193

phi = (p - 1) * (q - 1)

# print(phi)

print(gmpy2.gcd(e, phi))

#ed mod phi 余 1

d = gmpy2.invert(e, phi)

print(d)

m = pow(c, d, n)

# m = m

print(long_to_bytes(m))

flag:ACTF{F1nD1nG_5pEcia1_n_i5_nOt_eA5y}

RSA leak:

题目如下:
from sage.all import *

from secret import flag

from Crypto.Util.number import bytes_to_long

def leak(a, b):

    p = random_prime(pow(2, 64))

    q = random_prime(pow(2, 64))

    n = p*q

    e = 65537

    print(n)

    print((pow(a, e) + pow(b, e) + 0xdeadbeef) % n)

def gen_key():

    a = randrange(0, pow(2,256))

    b = randrange(0, pow(2,256))

    p = pow(a, 4)

    q = pow(b, 4)

    rp = randrange(0, pow(2,24))

    rq = randrange(0, pow(2,24))

    pp = next_prime(p+rp)

    qq = next_prime(q+rq)

    if pp % pow(2, 4) == (pp-p) % pow(2, 4) and qq % pow(2, 4) == (qq-q) % pow(2, 4):

        n = pp*qq

        rp = pp-p

        rq = qq-q

        return n, rp, rq

n, rp, rq = gen_key()

e = 65537

c = pow(bytes_to_long(flag), e, n)

print("n =", n)

print("e =", e)

print("c =", c)

print("=======leak=======")

leak(rp, rq)

'''

n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743

e = 65537

c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840

=======leak=======

122146249659110799196678177080657779971

90846368443479079691227824315092288065

'''
解题思路:

这题我在比赛时也没算出来,在公式的推导过程中就走了弯路导致在有限的时间,有限的算力里面是无法解出答案的。废话不多说,来复盘整理一下思路。

审计代码可以得到如下:

(ae + be + A) mod n1 ≡ B          (A,B都是已知的常数,k为未知数,n1为函数里的n,为了与外面n区分写为n1)

p = a4 同理可以得q

pp = rp + p  同理可以得qq

pp mod 16 = pp - p mod 16   同理可以得qq-q

根据同余性质可以得到如下:

(ae + be ) ≡ (B-A) mod n1

ae ≡ (B-A-be ) mod n1

因为leak函数里面又是一个rsa,所以可以求rq和rp,脚本如下:

def get_rq_or_rp():

    #对leak_x分解得到p1,q1

    p = 8949458376079230661

    q = 13648451618657980711

    phi = (p - 1) * (q - 1)

    d = inverse(e, phi)

    for rp in range(10000, pow(2, 24)):

        rq_e = leak_c - 0xdeadbeef   #(a^e + b^e)

        rq_e = (rq_e - pow(rp, e, leak_n)) % leak_n

        rq = pow(rq_e, d, leak_n)

        if len(bin(rq)[2:]) <= 24:

            print(rp)

            print(rq)

            return rp, rq

因为 pp mod 16 = pp-p mod 16,可以推出p+k = pp,因为k远小于p,所以可以近似看成p=pp

则n = pp * qq = p * q

可以推出 pq = (ab)4  从而得到ab,然后得出pq

把 pp = rp + p 以及 qq = rq + q 代入n可以得到如下:

n = (ab)4 + a4  * rq + b4  * rp + rp * rq

可以推出  n - rp * rq - (ab)4 = p * rq + q * rp = M

算出M后,两边同乘q,得到如下式子:

rp *  q2 - M * q + pq * rq = 0

解得q,然后q + rq = qq 同理得 pp

完整脚本如下:

#coding:utf-8

from Crypto.Util.number import *

import gmpy2

leak_n = 122146249659110799196678177080657779971

leak_c = 90846368443479079691227824315092288065

n = 3183573836769699313763043722513486503160533089470716348487649113450828830224151824106050562868640291712433283679799855890306945562430572137128269318944453041825476154913676849658599642113896525291798525533722805116041675462675732995881671359593602584751304602244415149859346875340361740775463623467503186824385780851920136368593725535779854726168687179051303851797111239451264183276544616736820298054063232641359775128753071340474714720534858295660426278356630743758247422916519687362426114443660989774519751234591819547129288719863041972824405872212208118093577184659446552017086531002340663509215501866212294702743

e = 65537

c = 48433948078708266558408900822131846839473472350405274958254566291017137879542806238459456400958349315245447486509633749276746053786868315163583443030289607980449076267295483248068122553237802668045588106193692102901936355277693449867608379899254200590252441986645643511838233803828204450622023993363140246583650322952060860867801081687288233255776380790653361695125971596448862744165007007840033270102756536056501059098523990991260352123691349393725158028931174218091973919457078350257978338294099849690514328273829474324145569140386584429042884336459789499705672633475010234403132893629856284982320249119974872840

def get_rq_or_rp():

    #对leak_x分解得到p1,q1

    p = 8949458376079230661

    q = 13648451618657980711

    phi = (p - 1) * (q - 1)

    d = inverse(e, phi)

    for rp in range(10000, pow(2, 24)):

        rq_e = leak_c - 0xdeadbeef   #(a^e + b^e)

        rq_e = (rq_e - pow(rp, e, leak_n)) % leak_n

        rq = pow(rq_e, d, leak_n)

        if len(bin(rq)[2:]) <= 24:

            return rp, rq

def get_flag(rp, rq):

    #n = pp * qq  因为pp = p + k 又因为k<16所以pp约等于p,同理得q

    pq_ab4 = (gmpy2.iroot(n, 4)[0])**4

    L = n - rp * rq - pq_ab4

    #判别式

    M = gmpy2.iroot(L ** 2 - 4 * rp * rq * pq_ab4, 2)

    if M[1]:

        q1 = (L + M[0]) // (2 * rp)

        q2 = (L - M[0]) // (2 * rp)

        qq1 = q1 + rq

        qq2 = q2 + rq

        pp1 = n // qq1

        pp2 = n // qq2

        if pp1 * qq1 == n:

            phi = (pp1 - 1) * (qq1 - 1)

            d = gmpy2.invert(e, phi)

            m = gmpy2.powmod(c, d, n)

            print(long_to_bytes(m))

        else:

            phi = (pp2 - 1) * (qq2 - 1)

            d = gmpy2.invert(e, phi)

            m = gmpy2.powmod(c, d, n)

            print(long_to_bytes(m))

if __name__ == '__main__':

    rp, rq = get_rq_or_rp()

    if rp and rq:

       get_flag(rp, rq)

flag:ACTF{lsb_attack_in_RSA|a32d7f}

推导过程用到的性质:
同余式相加:若a≡b(mod m),c≡d(mod m),则a ± c≡b ± d(mod m);

不好理解可以如下例子:

17 mod 13 ≡ 4   即 (15 + 2) mod 13 ≡ 4  推出 15 mod 13 ≡ 2

同余其它性质:

传递性:若a≡b(mod m),b≡c(mod m),则a≡c(mod m);

对称性:若a≡b(mod m),则b≡a (mod m);

反身性:a≡a (mod m);

同余式相乘:若a≡b(mod m),c≡d(mod m),则ac≡bd(mod m)。

总结:

rsa求解主要通过推导出它们之间的关系,所以想每一题都能做出来,要有一个好的数论基础 ,没有基础的话就只能像本人一样边做边学,做不做的出来就要靠临场发挥,好的运气(有时候,你推了半天的公式结果根本无法跑出flag,需要的时间太久了)

XCTF分站赛ACTF——Crypto的更多相关文章

  1. Xctf攻防世界—crypto—Normal_RSA

    下载压缩包后打开,看到两个文件flag.enc和pubkey.pem,根据文件名我们知道应该是密文及公钥 这里我们使用一款工具进行解密 工具链接:https://github.com/3summer/ ...

  2. XCTF crypto 不仅仅是Mors

    一. 题目暗示摩斯码,打开文件发现里面有反斜杠的.不管它直接拿来解密 二. 发现一句话是句英文,还有其他的加密方式,后面那串只有两种字符A和B,手抓饼A套餐,b套餐 培根加密,拿来解密后,得到flag

  3. 【CTF】XCTF Misc 心仪的公司 & 就在其中 writeup

    前言 这两题都是Misc中数据包的题目,一直觉得对数据包比较陌生,不知道怎么处理. 这里放两道题的wp,第一题strings命令秒杀觉得非常优秀,另外一题有涉及RSA加密与解密(本文不具体讨论RSA非 ...

  4. javax.crypto.BadPaddingException: Given final block not properly padded 解决方法

    下面的 Des 加密解密代码,在加密时正常,但是在解密是抛出错误: javax.crypto.BadPaddingException: Given final block not properly p ...

  5. 使用crypto模块实现md5加密功能(解决中文加密前后端不一致的问题)

    正常情况下使用md5加密 var crypto = require('crypto'); var md5Sign = function (data) { var md5 = crypto.create ...

  6. javax.crypto.BadPaddingException: Given final block not properly padded

    一.报错 写了一个加密方法,在Windows上运行没有问题,在Linux上运行时提示如下错误: javax.crypto.BadPaddingException: Given final block ...

  7. Liunx-https-java.lang.NoClassDefFoundError: javax/crypto/SunJCE_b

    错误信息: java.lang.NoClassDefFoundError: javax/crypto/SunJCE_b at javax.crypto.KeyGenerator.a(DashoA13* ...

  8. node crypto md5加密,并解决中文不相同的问题

    在用crypto模块时碰到了加密中文不相同的问题,多谢群里面@蚂蚁指定 1:解决中文不同的问题 function md5Pay(str) { str = (new Buffer(str)).toStr ...

  9. Crypto++ 动态链接编译与实例测试

    测试用例的来源<Crypto++入门学习笔记(DES.AES.RSA.SHA-256)> 解决在初始化加密器对象时触发异常的问题: CryptoPP::AESEncryption aesE ...

随机推荐

  1. 关于Jenkins-Item-Office 365 Connector-下的多选框的参数定义

    在Jenkins的Item中Office 365 Connector下,我们有时会使用到,多选框(复选框),目的是可选择多个多个条目赋值给指定的变量 然后在Build Triggers中可以进行引用, ...

  2. spring-boot-maven-plugin报红问题

    spring-boot-maven-plugin报红的原因是因为缺少Spring-Boot的版本号, 版本号可在pom.xml中找到,找到Spring-Boot的版本号后一定不要忘记点击maven的刷 ...

  3. PhpStorm 2020.1.2破解 | JetBrains PhpStorm 2020.1.2破解版 附破解文件

    直接去官网下载 2020.1.2的版本,版本一定要对得上  是2020.1.2版本 下面是破解的jar,几兆而已 --------------------- 链接:https://pan.baidu. ...

  4. Error creating bean with name ‘com.ai.ecs.ecop.pointExchange.service.NewGoodsService‘

    Error creating bean with name 'com.ai.ecs.ecop.pointExchange.service.NewGoodsService' 查看服务注册中心的格式是否正 ...

  5. 一天五道Java面试题----第八天(怎么处理慢查询--------->简述Myisam和innodb的区别)

    这里是参考B站上的大佬做的面试题笔记.大家也可以去看视频讲解!!! 文章目录 1.怎么处理慢查询 2.ACID靠什么保证的 3.什么是MVCC 4.mysql主从同步原理 5.简述Myisam和inn ...

  6. Docker基础和常用命令

    Docker基础和常用命令 一,Docker 简介 1.1,什么是 Docker Docker 使用 Google 公司推出的 Go 语言 进行开发实现,基于 Linux 内核的 cgroup,nam ...

  7. 使用LabVIEW实现基于pytorch的DeepLabv3图像语义分割

    前言 今天我们一起来看一下如何使用LabVIEW实现语义分割. 一.什么是语义分割 图像语义分割(semantic segmentation),从字面意思上理解就是让计算机根据图像的语义来进行分割,例 ...

  8. 通过jmeter连接人大金仓数据库

    某项目用的人大金仓数据库,做性能测试,需要用jmeter来连接数据库处理一批数据.jmeter连接人大金仓,做个记录. 1. 概要 在"配置元件"中添加"JDBC Con ...

  9. 本地文件上传Gitee

    0.对于小白来说,我再细讲一下 一.下载git 下载细节参考博客 二.Git配置 点击桌面的图标,进入Git Bash Here 1.配置自己的用户名和邮箱 git config --global u ...

  10. csp2022第一轮游记

    DAY -7? 学校没买桶装水!我一时半会不去打水,真的渴.果不其然开始咳嗽了.DAY -1 隔壁班同学主动申请停课了,我也跟来复习,这天主要的成果是把选择题错误控制到2-3题,顺便整理了一点笔记. ...