巅峰极客
crtrsa
from secret import flagn,p,q
#p and q are two primes generated by getPrime
import random
def key_gen():
while True:
dp = random.randint(1,1<<20)
dq = random.randint(1,q-1)
if gcd(dp, p - 1) == 1 and gcd(dq, q - 1) == 1:
d = crt([dp,dq],[p-1,q-1])
phi = (p-1)*(q-1)
R = Integers(phi)
e = R(d)^-1
return p*q,e
n,e = key_gen()
print e
print n
print pow(flagn,int(e),n)爆破dp
from gmpy2 import *
from Crypto.Util.number import *
N = 6006128121276172470274143101473619963750725942458450119252491144009018469845917986523007748831362674341219814935241703026024431390531323127620970750816983
e = 2953544268002866703872076551930953722572317122777861299293407053391808199220655289235983088986372630141821049118015752017412642148934113723174855236142887
c=4082777468662493175049853412968913980472986215497247773911290709560282223053863513029985115855416847643274608394467813391117463817805000754191093158289399
a=2
A=powmod(a,e,N)
for dp in range(1,2**20):
if gcd(powmod(A,dp,N)-a,N)!=1 and gcd(powmod(A,dp,N)-a,N)!=N:
p=gcd(pow(A,dp,N)-a,N)
q=N//p
phi=(p-1)*(q-1)
d=invert(e,phi)
m=pow(c,d,N)
print(long_to_bytes(m))
break
#flag{d67fde91-f6c0-484d-88a4-1778f7fa0c05}LearnSM4
祥云杯
Guess
先爆破求key,用hint的矩阵做行序的打乱并且调整LLL的delta参数为随机值来得到key转置之后的四个向量,然后按照附件里给的key初始四位的顺序来排序,做key的矩阵转置还原成初始的key。
第一步的exp如下:
# sage
hint = []
f = open('/Users/lizihan/Downloads/guess_c31fa29ffba2ff77b12dec354b8909e6/hint', 'r').read()
for i in f.split("\n"):
temp = []
for j in i[1:-1].split(" "):
temp.append(int(j))
hint.append(temp)
key = []
for i in tqdm(range(10000)):
shuffle(hint)
for line in matrix(len(hint), 20, hint).LLL(delta=float(randint(26000, 99999)/100000)):
if line[0] < 0:
line = -line
if line not in key and all(map(lambda x: 0 < x <= 1000, line)):
print(line)
key.append(line)
'''
0%| | 2/10000 [00:00<12:39, 13.17it/s]
(241, 232, 548, 400, 186, 333, 646, 727, 286, 877, 810, 121, 237, 745, 201, 542, 244, 396, 158, 641)
0%| | 6/10000 [00:00<12:01, 13.86it/s]
(718, 550, 349, 939, 148, 355, 942, 685, 313, 577, 184, 130, 307, 983, 611, 903, 271, 530, 566, 427)
0%| | 44/10000 [00:03<11:20, 14.64it/s]
(119, 521, 142, 637, 614, 746, 299, 416, 638, 288, 995, 498, 639, 585, 114, 885, 558, 783, 899, 751)
5%|▍ | 478/10000 [00:31<09:57, 15.94it/s]
(647, 918, 613, 936, 461, 281, 977, 888, 128, 653, 309, 780, 526, 216, 944, 123, 430, 860, 113, 129)
'''
a = [119, 521, 142, 637, 614, 746, 299, 416, 638, 288, 995, 498, 639, 585, 114, 885, 558, 783, 899, 751]
b = [241, 232, 548, 400, 186, 333, 646, 727, 286, 877, 810, 121, 237, 745, 201, 542, 244, 396, 158, 641]
c = [718, 550, 349, 939, 148, 355, 942, 685, 313, 577, 184, 130, 307, 983, 611, 903, 271, 530, 566, 427]
d = [647, 918, 613, 936, 461, 281, 977, 888, 128, 653, 309, 780, 526, 216, 944, 123, 430, 860, 113, 129]
m = [a, b, c, d]
m = Matrix(m)
m = m.transpose()
key = []
n = 0
for i in m:
for j in i:
key.append(j)
print(key)
# [119, 241, 718, 647, 521, 232, 550, 918, 142, 548, 349, 613, 637, 400, 939, 936, 614, 186, 148, 461, 746, 333, 355, 281, 299, 646, 942, 977, 416, 727, 685, 888, 638, 286, 313, 128, 288, 877, 577, 653, 995, 810, 184, 309, 498, 121, 130, 780, 639, 237, 307, 526, 585, 745, 983, 216, 114, 201, 611, 944, 885, 542, 903, 123, 558, 244, 271, 430, 783, 396, 530, 860, 899, 158, 566, 113, 751, 641, 427, 129]
得到了key之后,要想拿flag就要在step2和4发送的时候做文章,step3的话只需要满足条件,我这里就发了两个3。
那么就要想最后怎么处理9倍的问题。由Paillier同态加密可知,密文c1乘密文c2的结果解密之后等于明文m1加m2。
所以我这里构造:c1是9倍的key[i]的密文,c2是2的密文,m1是9倍的key[i],m2是2,所以key[i] = (dec(c1*c2) - 2)//9,又因为R是偶随机数,所以找到对应的索引位置mod2即为最后发送的0或1。
第二步的exp如下:
from pwn import *
from string import *
from hashlib import *
from itertools import *
from fractions import gcd
import random
p = remote('47.104.85.225', 57811)
context.log_level = 'debug'
def pwn():
rec = p.recvline().decode()
suffix = re.findall(r'\?\+([^\)]+)', rec)[0]
digest = re.findall(r'== ([^\n]+)', rec)[0]
for i in product(ascii_letters + digits, repeat=4):
prefix = ''.join(i)
guess = prefix + suffix
if sha256(guess.encode()).hexdigest() == digest:
break
p.sendline(prefix.encode())
def enc(n, g, m):
while 1:
r = random.randint(2, n - 1)
if gcd(r, n) == 1:
break
c = (pow(g, m, n ** 2) * pow(r, n, n ** 2)) % (n ** 2)
return c
key = [119, 241, 718, 647, 521, 232, 550, 918, 142, 548, 349, 613, 637, 400, 939, 936, 614, 186, 148, 461, 746, 333, 355, 281, 299, 646, 942, 977, 416, 727, 685, 888, 638, 286, 313, 128, 288, 877, 577, 653, 995, 810, 184, 309, 498, 121, 130, 780, 639, 237, 307, 526, 585, 745, 983, 216, 114, 201, 611, 944, 885, 542, 903, 123, 558, 244, 271, 430, 783, 396, 530, 860, 899, 158, 566, 113, 751, 641, 427, 129]
pwn()
p.recvline()
while True:
p.recvline()
p.recvline()
n = int(str(p.recvline()).strip('\n').split(' ')[-1])
g = int(str(p.recvline()).strip('\n').split(' ')[-1])
p.sendlineafter('Please give me one decimal ciphertext.\n', '2')
p.recvline()
m2 = int(str(p.recvline()).strip('\n'))
p.recvline()
p.sendlineafter('Give me m0.\n', '3')
p.sendlineafter('Give me m1.\n', '3')
p.recvline()
c1 = int(str(p.recvline()).strip('\n'))
p.recvline()
c2 = 2
p.sendlineafter('Please give me one decimal ciphertext \n', str(c1 * c2))
p.recvline()
res = int(str(p.recvline()).strip('\n'))
m1 = (res - m2) // 9
ans = key.index(m1) % 2
p.sendlineafter('Step 5 - Guess. You must tell me which ciphertext was I give you in step 3, 0 or 1(m0 -> c0 , m1 -> c1)?\n', str(ans))
p.recvline()
Random_RSA
python2的random设置seed之后的randint是定死的,没啥可说的,一把梭。
# coding=utf-8
import random
from tqdm import tqdm
import gmpy2
from libnum import *
seeds = [4827, 9522, 552, 880, 7467, 7742, 9425, 4803, 6146, 4366, 1126, 4707, 1138, 2367, 1081, 5577, 4592, 5897, 4565, 2012, 2700, 1331, 9638, 7741, 50, 824, 8321, 7411, 6145, 1271, 7637, 5481, 8474, 2085, 2421, 590, 7733, 9427, 3278, 5361, 1284, 2280, 7001, 8573, 5494, 7431, 2765, 827, 102, 1419, 6528, 735, 5653, 109, 4158, 5877, 5975, 1527, 3027, 9776, 5263, 5211, 1293, 5976, 7759, 3268, 1893, 6546, 4684, 419, 8334, 7621, 1649, 6840, 2975, 8605, 5714, 2709, 1109, 358, 2858, 6868, 2442, 8431, 8316, 5446, 9356, 2817, 2941, 3177, 7388, 4149, 4634, 4316, 5377, 4327, 1774, 6613, 5728, 1751, 8478, 3132, 4680, 3308, 9769, 8341, 1627, 3501, 1046, 2609, 7190, 5706, 3627, 8867, 2458, 607, 642, 5436, 6355, 6326, 1481, 9887, 205, 5511, 537, 8576, 6376, 3619, 6609, 8473, 2139, 3889, 1309, 9878, 2182, 8572, 9275, 5235, 6989, 6592, 4618, 7883, 5702, 3999, 925, 2419, 7838, 3073, 488, 21, 3280, 9915, 3672, 579]
res = [55, 5, 183, 192, 103, 32, 211, 116, 102, 120, 118, 54, 120, 145, 185, 254, 77, 144, 70, 54, 193, 73, 64, 0, 79, 244, 190, 23, 215, 187, 53, 176, 27, 138, 42, 89, 158, 254, 159, 133, 78, 11, 155, 163, 145, 248, 14, 179, 23, 226, 220, 201, 5, 71, 241, 195, 75, 191, 237, 108, 141, 141, 185, 76, 7, 113, 191, 48, 135, 139, 100, 83, 212, 242, 21, 143, 255, 164, 146, 119, 173, 255, 140, 193, 173, 2, 224, 205, 68, 10, 77, 180, 24, 23, 196, 205, 108, 28, 243, 80, 140, 4, 98, 76, 217, 70, 208, 202, 78, 177, 124, 10, 168, 165, 223, 105, 157, 152, 48, 152, 51, 133, 190, 202, 136, 204, 44, 33, 58, 4, 196, 219, 71, 150, 68, 162, 175, 218, 173, 19, 201, 100, 100, 85, 201, 24, 59, 186, 46, 130, 147, 219, 22, 81]
dp = ''
for i in range(len(seeds)):
random.seed(seeds[i])
rands = []
for j in range(4):
rands.append(random.randint(0, 255))
dp += chr(rands[i % 4] ^ res[i])
dp = int(dp)
e = 0x10001
n=81196282992606113591233615204680597645208562279327854026981376917977843644855180528227037752692498558370026353244981467900057157997462760732019372185955846507977456657760125682125104309241802108853618468491463326268016450119817181368743376919334016359137566652069490881871670703767378496685419790016705210391
c=61505256223993349534474550877787675500827332878941621261477860880689799960938202020614342208518869582019307850789493701589309453566095881294166336673487909221860641809622524813959284722285069755310890972255545436989082654705098907006694780949725756312169019688455553997031840488852954588581160550377081811151
for i in range(1,e):
if(dp*e-1)%i == 0:
if n%(((dp*e-1)//i)+1) == 0:
p=((dp*e-1)//i)+1
q=n//p
phi=(q-1)*(p-1)
d=gmpy2.invert(e,phi)
m=pow(c,d,n)
print(n2s(m))
# flag{74281db3-c6f0-e59a-4da6-39b8c71250fe}myrsa
# myRSA
from Crypto.Util.number import getPrime,bytes_to_long as b2l
from math import gcd
import hashlib
import random
import socketserver
KEYSIZE = 512
alpha = 2.0314159265358979
WELCOME = 'Welcome to use my better RSA!!!!!!So, what do you want now?'
menu = '1. encry \n2. getflag\n3. exit'
String = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz'
def proof_of_work():
STR = ''.join([String[random.randint(0,len(String)-1)] for _ in range(16) ])
HASH = hashlib.sha256(STR.encode()).hexdigest()
return STR[:4],STR[4:],HASH
def key_gen():
while True:
p,q = getPrime(KEYSIZE),getPrime(KEYSIZE)
e = 0x10001
if gcd(e,(p-1)*(q-1)):
break
key = [getPrime(int(KEYSIZE*alpha)) for _ in range(128)]
return (p,q,e),key
# encrypto
def encry(message,key,p,q,e):
k1,k2 = key[random.randint(0,127)],key[random.randint(0,127)]
x = p**2 * (p + 3*q - 1 ) + q**2 * (q + 3*p - 1)
y = 2*p*q + p + q
z = k1 + k2
c = pow(b2l(message),e,p*q)
return x * c + y * c + z
# get flag
def getflag(flag,key,p,q,e):
return encry(flag,key,p,q,e)
class server(socketserver.BaseRequestHandler):
def _recv(self):
data = self.request.recv(1024)
return data.strip()
def _send(self, msg, newline=True):
if isinstance(msg , bytes):
msg += b'\n'
else:
msg += '\n'
msg = msg.encode()
self.request.sendall(msg)
def handle(self):
START,END,HASH = proof_of_work()
self._send('SHA-256(?+{}) == {}'.format(END,HASH))
RCV = self._recv().decode()
if RCV != START:
return
self._send("I'm a CryptoRookie,so my Crypto system take time, please wait a minute XD!")
(p,q,e),key = key_gen()
flag = open('flag','rb').read()
self._send(WELCOME)
self._send('This is my public key:\nn = {}\ne = {}'.format(str(p*q),str(e)))
for _ in range(16):
self._send(menu)
COI = int(self._recv().decode())
if COI == 1 :
self._send('Give me your message')
message = self._recv()
self._send('Your encry message:')
self._send(str(encry(message,key,p,q,e)))
elif COI == 2:
self._send('This is your favourite:\n')
self._send(str(encry(flag,key,p,q,e)))
elif COI == 3:
self._send('Bye~')
break
class ForkedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
pass
if __name__ == "__main__":
HOST, PORT = '0.0.0.0', 10001
server = ForkedServer((HOST, PORT), server)
server.allow_reuse_address = True
server.serve_forever()
from hashlib import *
from gmpy2 import *
from Crypto.Util.number import *
from pwn import *
p=remote('47.104.85.225',49877)
context.log_level='debug'
def pow(end,sha):
String = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz'
for a in String:
for b in String:
for c in String:
for d in String:
s=(a+b+c+d).encode()+end
if sha256(s).hexdigest()==sha:
return a+b+c+d
p.recvuntil('SHA-256(?+')
end=p.recv(12)
print(end)
p.recvuntil('== ')
sha=p.recvuntil('\n')[:-1].decode()
print(sha)
xxx=pow(end,sha)
p.sendline(xxx)
p.recvuntil('n = ')
n=int(p.recvuntil('\n')[:-1])
p.recvuntil('3. exit\n')
p.sendline('1')
p.recvuntil('Give me your message')
p.sendline('\x01')
p.recvuntil('Your encry message:\n')
c=int(p.recvuntil('\n')[:-1])
p_q=iroot(c,3)[0]
print(p_q)
while True:
p_q=p_q-1
if iroot(p_q*p_q-4*n,2)[1]:
M=p_q*p_q*p_q-p_q*p_q+p_q+4*n
pp=(p_q+iroot(p_q*p_q-4*n,2)[0])//2
assert n%pp==0
q=n//pp
break
p.recvuntil('3. exit\n')
p.sendline('2')
p.recvuntil('This is your favourite:\n')
c=int(p.recvuntil('\n\n')[:-1])
c=c//M
phi=(pp-1)*(q-1)
e=65537
d=invert(e,phi)
m=powmod(c,d,n)
print(long_to_bytes(m))
#flag{ed649951-9ce9-46e0-a42b-d0ba588e43e1}
羊城杯
Bigrsa
from Crypto.Util.number import *
from flag import *
n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n1)
c = pow(c, e, n2)
print("c = %d" % c)
# output
# c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264n1和n2公因数
import libnum, gmpy2
n1 = 103835296409081751860770535514746586815395898427260334325680313648369132661057840680823295512236948953370895568419721331170834557812541468309298819497267746892814583806423027167382825479157951365823085639078738847647634406841331307035593810712914545347201619004253602692127370265833092082543067153606828049061
n2 = 115383198584677147487556014336448310721853841168758012445634182814180314480501828927160071015197089456042472185850893847370481817325868824076245290735749717384769661698895000176441497242371873981353689607711146852891551491168528799814311992471449640014501858763495472267168224015665906627382490565507927272073
e = 65537
c = 60406168302768860804211220055708551816238816061772464557956985699400782163597251861675967909246187833328847989530950308053492202064477410641014045601986036822451416365957817685047102703301347664879870026582087365822433436251615243854347490600004857861059245403674349457345319269266645006969222744554974358264
p = gmpy2.gcd(n1,n2)
q1 = n1//p
q2 = n2//p
phi1 = (p-1)*(q1-1)
phi2 = (p-1)*(q2-1)
d1 = gmpy2.invert(e,phi1)
d2 = gmpy2.invert(e,phi2)
m = pow(pow(c,d2,n2),d1,n1)
flag = libnum.n2s(m)
print(flag)Easy_rsa
from Crypto.Util.number import *
from flag import flag
import gmpy2
def gen_prime(nbits, gamma):
g = getPrime(int(nbits * gamma))
alpha = 0.5 - gamma
while True:
a = getRandomNBitInteger(int(alpha * nbits))
p = 2 * g * a + 1
if isPrime(p):
b = getRandomNBitInteger(int(alpha * nbits))
q = 2 * g * b + 1
h = 2 * g * a * b + a + b
while not isPrime(q) or isPrime(h) or gmpy2.gcd(a, b) != 1:
b = getRandomNBitInteger(int(alpha * nbits))
q = 2 * g * b + 1
return p, q
def encrypt(nbits, gamma):
p, q = gen_prime(nbits, gamma)
n = p * q
e = getPrime(16)
while gmpy2.gcd(e, gmpy2.lcm(p-1,q-1)) != 1:
e = getPrime(16)
m = bytes_to_long(flag)
c = pow(m, e, n)
return n, e, c
n, e, c = encrypt(1024, 0.48)
print 'n =', n
print 'e =', e
print 'c =', c
# n = 84236796025318186855187782611491334781897277899439717384242559751095347166978304126358295609924321812851255222430530001043539925782811895605398187299748256080526691975084042025794113521587064616352833904856626744098904922117855866813505228134381046907659080078950018430266048447119221001098505107823645953039
# e = 58337
# c = 13646200911032594651110040891135783560995665642049282201695300382255436792102048169200570930229947213493204600006876822744757042959653203573780257603577712302687497959686258542388622714078571068849217323703865310256200818493894194213812410547780002879351619924848073893321472704218227047519748394961963394668发现p-1、q-1共享一个大素数因子g,其满足common prime rsa的性质。分解的n方法有四种,(1)修改Pollard’s rho方法分解n(2)知道a、b的值分解n(3)知道g的值分解n(4)分解N-1。由于题目中我们并不知道g、a、b的值,因此首先考虑使用第一种方法。
根据文献内容修改Pollard’s rho方法中的迭代函数
def f(x, n):
return (pow(x, n - 1, n) + 3) % n
def rho(n):
i = 1
print 'Factorizing'
while True:
x1 = getRandomRange(2, n)
x2 = f(x1, n)
j = 1
while True:
p = gmpy2.gcd(abs(x1 - x2), n)
if p == n:
break
elif p > 1 and isPrime(p):
print 'Found!'
return (p, n // p)
else:
x1 = f(x1, n)
x2 = f(f(x2, n), n)
j += 1
i += 1
n = 84236796025318186855187782611491334781897277899439717384242559751095347166978304126358295609924321812851255222430530001043539925782811895605398187299748256080526691975084042025794113521587064616352833904856626744098904922117855866813505228134381046907659080078950018430266048447119221001098505107823645953039
e = 58337
c = 13646200911032594651110040891135783560995665642049282201695300382255436792102048169200570930229947213493204600006876822744757042959653203573780257603577712302687497959686258542388622714078571068849217323703865310256200818493894194213812410547780002879351619924848073893321472704218227047519748394961963394668
p, q = rho(n)
phi = gmpy2.lcm(p-1, q-1)
d = inverse(e, phi)
m = pow(c, d, n)
print long_to_bytes(m)Ring Ring Ring
from string import *
from itertools import *
from hashlib import *
from pwn import *
p = remote('192.168.38.194', 2378)
context.log_level = 'debug'
rec = p.recvline().decode()
suffix = re.findall(r'str \+ ([^\)]+)', rec)[0]
digest = re.findall(r'== ([^\n]+)', rec)[0]
for i in product(ascii_letters + digits, repeat=4):
prefix = ''.join(i)
guess = prefix + suffix
if md5(guess.encode()).hexdigest()[0:5] == digest:
break
p.sendlineafter(b'[>] Give me xxxxx: ', prefix.encode())
p.recvuntil(b'Please give me 100 (a, b, c, d, e) which satisfies a**4 + b**4 + c**4 + d**4 = e**2\n')
ans = ['1 1 1 1 2', '1 2 2 2 7', '1 2 2 4 17', '1 2 4 2 17', '1 2 4 4 23', '1 3 3 9 82', '1 3 9 3 82', '1 4 2 2 17', '1 4 2 4 23', '1 4 4 2 23', '1 9 3 3 82', '2 1 2 2 7', '2 1 2 4 17', '2 1 4 2 17', '2 1 4 4 23', '2 2 1 2 7', '2 2 1 4 17', '2 2 2 1 7', '2 2 2 2 8', '2 2 4 1 17', '2 4 1 2 17', '2 4 1 4 23', '2 4 2 1 17', '2 4 4 1 23', '2 4 4 4 28', '2 4 4 8 68', '2 4 6 7 63', '2 4 7 6 63', '2 4 8 4 68', '2 4 8 8 92', '2 6 4 7 63', '2 6 7 4 63', '2 7 4 6 63', '2 7 6 4 63', '2 8 4 4 68', '2 8 4 8 92', '2 8 8 4 92', '3 1 3 9 82', '3 1 9 3 82', '3 3 1 9 82', '3 3 3 3 18', '3 3 9 1 82', '3 6 6 6 63', '3 9 1 3 82', '3 9 3 1 82', '4 1 2 2 17', '4 1 2 4 23', '4 1 4 2 23', '4 2 1 2 17', '4 2 1 4 23', '4 2 2 1 17', '4 2 4 1 23', '4 2 4 4 28', '4 2 4 8 68', '4 2 6 7 63', '4 2 7 6 63', '4 2 8 4 68', '4 2 8 8 92', '4 4 1 2 23', '4 4 2 1 23', '4 4 2 4 28', '4 4 2 8 68', '4 4 4 2 28', '4 4 4 4 32', '4 4 8 2 68', '4 6 2 7 63', '4 6 6 9 97', '4 6 7 2 63', '4 6 9 6 97', '4 7 2 6 63', '4 7 6 2 63', '4 8 2 4 68', '4 8 2 8 92', '4 8 4 2 68', '4 8 8 2 92', '4 9 6 6 97', '5 5 5 5 50', '6 2 4 7 63', '6 2 7 4 63', '6 3 6 6 63', '6 4 2 7 63', '6 4 6 9 97', '6 4 7 2 63', '6 4 9 6 97', '6 6 3 6 63', '6 6 4 9 97', '6 6 6 3 63', '6 6 6 6 72', '6 6 9 4 97', '6 7 2 4 63', '6 7 4 2 63', '6 9 4 6 97', '6 9 6 4 97', '7 2 4 6 63', '7 2 6 4 63', '7 4 2 6 63', '7 4 6 2 63', '7 6 2 4 63', '7 6 4 2 63', '7 7 7 7 98']
for i in range(100):
res = ans[i].split(' ')
p.recvuntil(b'[>] a: ')
p.sendline(res[0].encode())
p.recvuntil(b'[>] b: ')
p.sendline(res[1].encode())
p.recvuntil(b'[>] c: ')
p.sendline(res[2].encode())
p.recvuntil(b'[>] d: ')
p.sendline(res[3].encode())
p.recvuntil(b'[>] e: ')
p.sendline(res[4].encode())
p.interactive()
# from tqdm import tqdm
# res = ['0 0 0 0 0']
# for a in tqdm(range(1, 10)):
# for b in range(1, 10):
# for c in range(1, 10):
# for d in range(1, 10):
# for e in range(100):
# ans = str(a) + ' ' + str(b) + ' ' + str(c) + ' ' + str(d) + ' ' + str(e)
# if a**4 + b**4 + c**4 + d**4 == e**2 and ans not in res:
# res.append(ans)
# if len(res) == 101:
# print(res)
# exit()
# print(len(res))
RSA?
import os
from Crypto.Util.number import *
flag = "GWHT{xxxxxxxxx}"
p = getPrime(256)
q = getPrime(256)
n = p*q
N = (p-1)*(q-1)
e = 65537
Mx = bytes_to_long(os.urandom(30))
My = bytes_to_long(flag)
Z1 = (Mx*My)%n
inv_Z1 = inverse_mod(Z1, n)
inv_2 = inverse_mod(2, n)
X = ((Z1+inv_Z1)*inv_2)%n
Y = My
inv_Y = inverse_mod(Y, n)
a = ((inv_Z1-X)*inv_Y)%n
D = (a*a)%n
xy = lambda (x1,y1),(x2,y2) : ((x1*x2+D*y1*y2)%n, (x1*y2+x2*y1)%n)
def getloop((x,y), e):
ret = (x, y)
for i in range(e-1):
ret = xy(ret, (x,y))
return ret
print n
print getloop((X, Y), e)
print a
# 13390709926509813526471364597371124446888078365567927211781799241724742352679484983709219580483800891886832613684875066109177882219522305348565532970795023
# (5404548088049249951619519701935576492239293254135836357417714329205323074367876875480850741613547220698045360461761929952847796420174204143917852624050110, 2110372753170830610718226848526649992911771424441223687775304654852191999130502986109306355582366065947895295520226816523397652918227241733632791793362785)
# 1762039418842677123086894939949574689744108610561557889235294034870342076452734215004689409493802437034960516295735815195656138656970901855976802991519141p = 115718235064789220654263009993128324769382192706654302434478391267607309966379
q = 115718235064789220654263009993128325569382592506655305434488398268608329541037
N = (p-1)*(q-1)
n = 13390709926509813526471364597371124446888078365567927211781799241724742352679484983709219580483800891886832613684875066109177882219522305348565532970795023
Cx = 5404548088049249951619519701935576492239293254135836357417714329205323074367876875480850741613547220698045360461761929952847796420174204143917852624050110
Cy = 2110372753170830610718226848526649992911771424441223687775304654852191999130502986109306355582366065947895295520226816523397652918227241733632791793362785
a = 1762039418842677123086894939949574689744108610561557889235294034870342076452734215004689409493802437034960516295735815195656138656970901855976802991519141
e = 65537
d = inverse_mod(e,N)
C = (Cx-a*Cy)%n
#M = pow(C, d, n)
M = 8007268851919796012341855118455232406759825390821788944052668931582460352847654688095258576336789686861764488439819713135655990494067195418877306177396723
#print M
M_1 = inverse_mod(M,n)
X = ((M_1+M)*inverse_mod(2,n))%n
Y = ((M_1-M)*inverse_mod(2*a,n))%n
print Y
#print long_to_bytes(Y)Miss
#!/usr/bin/env python3
from Crypto import Random
S_BOX = [
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,]
RCON_BOX = [
0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef,
0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b,
0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94,
0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f,
0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63,
0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd,
0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d]
GF_MULT_1 = [
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f,
0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f,
0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,
0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5a,0x5b,0x5c,0x5d,0x5e,0x5f,
0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6a,0x6b,0x6c,0x6d,0x6e,0x6f,
0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7a,0x7b,0x7c,0x7d,0x7e,0x7f,
0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,
0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f,
0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,
0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xbb,0xbc,0xbd,0xbe,0xbf,
0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,
0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xdb,0xdc,0xdd,0xde,0xdf,
0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff]
GF_MULT_2 = [
0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e,0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e,
0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e,0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e,
0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e,0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e,
0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e,0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e,
0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e,0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e,
0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae,0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe,
0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce,0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde,
0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee,0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe,
0x1b,0x19,0x1f,0x1d,0x13,0x11,0x17,0x15,0x0b,0x09,0x0f,0x0d,0x03,0x01,0x07,0x05,
0x3b,0x39,0x3f,0x3d,0x33,0x31,0x37,0x35,0x2b,0x29,0x2f,0x2d,0x23,0x21,0x27,0x25,
0x5b,0x59,0x5f,0x5d,0x53,0x51,0x57,0x55,0x4b,0x49,0x4f,0x4d,0x43,0x41,0x47,0x45,
0x7b,0x79,0x7f,0x7d,0x73,0x71,0x77,0x75,0x6b,0x69,0x6f,0x6d,0x63,0x61,0x67,0x65,
0x9b,0x99,0x9f,0x9d,0x93,0x91,0x97,0x95,0x8b,0x89,0x8f,0x8d,0x83,0x81,0x87,0x85,
0xbb,0xb9,0xbf,0xbd,0xb3,0xb1,0xb7,0xb5,0xab,0xa9,0xaf,0xad,0xa3,0xa1,0xa7,0xa5,
0xdb,0xd9,0xdf,0xdd,0xd3,0xd1,0xd7,0xd5,0xcb,0xc9,0xcf,0xcd,0xc3,0xc1,0xc7,0xc5,
0xfb,0xf9,0xff,0xfd,0xf3,0xf1,0xf7,0xf5,0xeb,0xe9,0xef,0xed,0xe3,0xe1,0xe7,0xe5]
GF_MULT_3 = [
0x00,0x03,0x06,0x05,0x0c,0x0f,0x0a,0x09,0x18,0x1b,0x1e,0x1d,0x14,0x17,0x12,0x11,
0x30,0x33,0x36,0x35,0x3c,0x3f,0x3a,0x39,0x28,0x2b,0x2e,0x2d,0x24,0x27,0x22,0x21,
0x60,0x63,0x66,0x65,0x6c,0x6f,0x6a,0x69,0x78,0x7b,0x7e,0x7d,0x74,0x77,0x72,0x71,
0x50,0x53,0x56,0x55,0x5c,0x5f,0x5a,0x59,0x48,0x4b,0x4e,0x4d,0x44,0x47,0x42,0x41,
0xc0,0xc3,0xc6,0xc5,0xcc,0xcf,0xca,0xc9,0xd8,0xdb,0xde,0xdd,0xd4,0xd7,0xd2,0xd1,
0xf0,0xf3,0xf6,0xf5,0xfc,0xff,0xfa,0xf9,0xe8,0xeb,0xee,0xed,0xe4,0xe7,0xe2,0xe1,
0xa0,0xa3,0xa6,0xa5,0xac,0xaf,0xaa,0xa9,0xb8,0xbb,0xbe,0xbd,0xb4,0xb7,0xb2,0xb1,
0x90,0x93,0x96,0x95,0x9c,0x9f,0x9a,0x99,0x88,0x8b,0x8e,0x8d,0x84,0x87,0x82,0x81,
0x9b,0x98,0x9d,0x9e,0x97,0x94,0x91,0x92,0x83,0x80,0x85,0x86,0x8f,0x8c,0x89,0x8a,
0xab,0xa8,0xad,0xae,0xa7,0xa4,0xa1,0xa2,0xb3,0xb0,0xb5,0xb6,0xbf,0xbc,0xb9,0xba,
0xfb,0xf8,0xfd,0xfe,0xf7,0xf4,0xf1,0xf2,0xe3,0xe0,0xe5,0xe6,0xef,0xec,0xe9,0xea,
0xcb,0xc8,0xcd,0xce,0xc7,0xc4,0xc1,0xc2,0xd3,0xd0,0xd5,0xd6,0xdf,0xdc,0xd9,0xda,
0x5b,0x58,0x5d,0x5e,0x57,0x54,0x51,0x52,0x43,0x40,0x45,0x46,0x4f,0x4c,0x49,0x4a,
0x6b,0x68,0x6d,0x6e,0x67,0x64,0x61,0x62,0x73,0x70,0x75,0x76,0x7f,0x7c,0x79,0x7a,
0x3b,0x38,0x3d,0x3e,0x37,0x34,0x31,0x32,0x23,0x20,0x25,0x26,0x2f,0x2c,0x29,0x2a,
0x0b,0x08,0x0d,0x0e,0x07,0x04,0x01,0x02,0x13,0x10,0x15,0x16,0x1f,0x1c,0x19,0x1a]
def rotWord(byteArray):
res = bytearray()
res.append(byteArray[1])
res.append(byteArray[2])
res.append(byteArray[3])
res.append(byteArray[0])
return res
def subWord(byteArray):
res = bytearray()
for b in byteArray:
res.append( S_BOX[b] )
return res
def rcon(i):
res = bytearray()
res.append(RCON_BOX[i])
res.append(0)
res.append(0)
res.append(0)
return res
def xor(byteArray1, byteArray2):
res = bytearray()
for b1, b2 in zip(byteArray1, byteArray2):
res.append(b1 ^ b2)
return res
def keyExpansion(key,round):
lastcolumn = key[-4:]
resRcon = rotWord(lastcolumn)
resSub = subWord(resRcon)
res1XOR = xor(resSub,key[:4])
newFirstColumn = xor(res1XOR,rcon(round))
newKey = newFirstColumn
for i in range(1,4):
part1XOR = newKey[-4:]
part2XOR = key[i*4:(i+1)*4]
newKey += xor(part1XOR, part2XOR)
return newKey
def subBytes(aesState):
resState = bytearray()
for i in range(0,len(aesState),4):
resState[i:i+4] = subWord(aesState[i:i+4])
return resState
def shiftRow(aesState):
resState = bytearray()
newPosition = [ 0, 5, 0xa, 0xf,4, 9, 0xe, 3,8, 0xd, 2, 7, 0xc, 1, 6, 0xb ]
for i in newPosition:
resState.append(aesState[i])
return resState
def mixColumn(aesState):
res = bytearray()
for i in range(0,len(aesState),4):
b0, b1, b2, b3 = aesState[i:i+4]
new_b0 = GF_MULT_2[b0] ^ GF_MULT_3[b1] ^ GF_MULT_1[b2] ^ GF_MULT_1[b3]
new_b1 = GF_MULT_1[b0] ^ GF_MULT_2[b1] ^ GF_MULT_3[b2] ^ GF_MULT_1[b3]
new_b2 = GF_MULT_1[b0] ^ GF_MULT_1[b1] ^ GF_MULT_2[b2] ^ GF_MULT_3[b3]
new_b3 = GF_MULT_3[b0] ^ GF_MULT_1[b1] ^ GF_MULT_1[b2] ^ GF_MULT_2[b3]
res.append(new_b0)
res.append(new_b1)
res.append(new_b2)
res.append(new_b3)
return res
def AES_Encryption(plainText, AES_key, nbRound):
res = bytearray()
plainTextBytes = plainText
KeyList = [AES_key]
for i in range(1, nbRound+1):
KeyList.append(keyExpansion(KeyList[-1],i))
res = plainTextBytes
for i in range(1,nbRound):
res = subBytes(res)
res = shiftRow(res)
res = mixColumn(res)
key = KeyList[i]
res = subBytes(res)
res = shiftRow(res)
return res
def StringToByteArray(msg):
return [ord(x) for x in msg]
def ByteArrayToString(cipher):
return ''.join([chr(x) for x in cipher])
def main():
AES_Key = Random.get_random_bytes(16)
with open("flag.txt","rb") as f_in:
flag = f_in.read()
cipherText = AES_Encryption(flag, AES_Key,10)
with open("cipher.txt","wb") as f_out:
f_out.write(cipherText)
if __name__ == '__main__':
main()#!/usr/bin/env python3
S_BOX = [
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,]
S_INV_BOX = [
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d]
RCON_BOX = [
0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef,
0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b,
0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94,
0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f,
0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63,
0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd,
0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d]
GF_MULT_1 = [
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f,
0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f,
0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,
0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5a,0x5b,0x5c,0x5d,0x5e,0x5f,
0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6a,0x6b,0x6c,0x6d,0x6e,0x6f,
0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7a,0x7b,0x7c,0x7d,0x7e,0x7f,
0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,
0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f,
0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,
0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xbb,0xbc,0xbd,0xbe,0xbf,
0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,
0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xdb,0xdc,0xdd,0xde,0xdf,
0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff]
GF_MULT_2 = [
0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e,0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e,
0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e,0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e,
0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e,0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e,
0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e,0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e,
0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e,0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e,
0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae,0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe,
0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce,0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde,
0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee,0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe,
0x1b,0x19,0x1f,0x1d,0x13,0x11,0x17,0x15,0x0b,0x09,0x0f,0x0d,0x03,0x01,0x07,0x05,
0x3b,0x39,0x3f,0x3d,0x33,0x31,0x37,0x35,0x2b,0x29,0x2f,0x2d,0x23,0x21,0x27,0x25,
0x5b,0x59,0x5f,0x5d,0x53,0x51,0x57,0x55,0x4b,0x49,0x4f,0x4d,0x43,0x41,0x47,0x45,
0x7b,0x79,0x7f,0x7d,0x73,0x71,0x77,0x75,0x6b,0x69,0x6f,0x6d,0x63,0x61,0x67,0x65,
0x9b,0x99,0x9f,0x9d,0x93,0x91,0x97,0x95,0x8b,0x89,0x8f,0x8d,0x83,0x81,0x87,0x85,
0xbb,0xb9,0xbf,0xbd,0xb3,0xb1,0xb7,0xb5,0xab,0xa9,0xaf,0xad,0xa3,0xa1,0xa7,0xa5,
0xdb,0xd9,0xdf,0xdd,0xd3,0xd1,0xd7,0xd5,0xcb,0xc9,0xcf,0xcd,0xc3,0xc1,0xc7,0xc5,
0xfb,0xf9,0xff,0xfd,0xf3,0xf1,0xf7,0xf5,0xeb,0xe9,0xef,0xed,0xe3,0xe1,0xe7,0xe5]
GF_MULT_3 = [
0x00,0x03,0x06,0x05,0x0c,0x0f,0x0a,0x09,0x18,0x1b,0x1e,0x1d,0x14,0x17,0x12,0x11,
0x30,0x33,0x36,0x35,0x3c,0x3f,0x3a,0x39,0x28,0x2b,0x2e,0x2d,0x24,0x27,0x22,0x21,
0x60,0x63,0x66,0x65,0x6c,0x6f,0x6a,0x69,0x78,0x7b,0x7e,0x7d,0x74,0x77,0x72,0x71,
0x50,0x53,0x56,0x55,0x5c,0x5f,0x5a,0x59,0x48,0x4b,0x4e,0x4d,0x44,0x47,0x42,0x41,
0xc0,0xc3,0xc6,0xc5,0xcc,0xcf,0xca,0xc9,0xd8,0xdb,0xde,0xdd,0xd4,0xd7,0xd2,0xd1,
0xf0,0xf3,0xf6,0xf5,0xfc,0xff,0xfa,0xf9,0xe8,0xeb,0xee,0xed,0xe4,0xe7,0xe2,0xe1,
0xa0,0xa3,0xa6,0xa5,0xac,0xaf,0xaa,0xa9,0xb8,0xbb,0xbe,0xbd,0xb4,0xb7,0xb2,0xb1,
0x90,0x93,0x96,0x95,0x9c,0x9f,0x9a,0x99,0x88,0x8b,0x8e,0x8d,0x84,0x87,0x82,0x81,
0x9b,0x98,0x9d,0x9e,0x97,0x94,0x91,0x92,0x83,0x80,0x85,0x86,0x8f,0x8c,0x89,0x8a,
0xab,0xa8,0xad,0xae,0xa7,0xa4,0xa1,0xa2,0xb3,0xb0,0xb5,0xb6,0xbf,0xbc,0xb9,0xba,
0xfb,0xf8,0xfd,0xfe,0xf7,0xf4,0xf1,0xf2,0xe3,0xe0,0xe5,0xe6,0xef,0xec,0xe9,0xea,
0xcb,0xc8,0xcd,0xce,0xc7,0xc4,0xc1,0xc2,0xd3,0xd0,0xd5,0xd6,0xdf,0xdc,0xd9,0xda,
0x5b,0x58,0x5d,0x5e,0x57,0x54,0x51,0x52,0x43,0x40,0x45,0x46,0x4f,0x4c,0x49,0x4a,
0x6b,0x68,0x6d,0x6e,0x67,0x64,0x61,0x62,0x73,0x70,0x75,0x76,0x7f,0x7c,0x79,0x7a,
0x3b,0x38,0x3d,0x3e,0x37,0x34,0x31,0x32,0x23,0x20,0x25,0x26,0x2f,0x2c,0x29,0x2a,
0x0b,0x08,0x0d,0x0e,0x07,0x04,0x01,0x02,0x13,0x10,0x15,0x16,0x1f,0x1c,0x19,0x1a]
GF_MULT_09 = [
0x00,0x09,0x12,0x1b,0x24,0x2d,0x36,0x3f,0x48,0x41,0x5a,0x53,0x6c,0x65,0x7e,0x77,
0x90,0x99,0x82,0x8b,0xb4,0xbd,0xa6,0xaf,0xd8,0xd1,0xca,0xc3,0xfc,0xf5,0xee,0xe7,
0x3b,0x32,0x29,0x20,0x1f,0x16,0x0d,0x04,0x73,0x7a,0x61,0x68,0x57,0x5e,0x45,0x4c,
0xab,0xa2,0xb9,0xb0,0x8f,0x86,0x9d,0x94,0xe3,0xea,0xf1,0xf8,0xc7,0xce,0xd5,0xdc,
0x76,0x7f,0x64,0x6d,0x52,0x5b,0x40,0x49,0x3e,0x37,0x2c,0x25,0x1a,0x13,0x08,0x01,
0xe6,0xef,0xf4,0xfd,0xc2,0xcb,0xd0,0xd9,0xae,0xa7,0xbc,0xb5,0x8a,0x83,0x98,0x91,
0x4d,0x44,0x5f,0x56,0x69,0x60,0x7b,0x72,0x05,0x0c,0x17,0x1e,0x21,0x28,0x33,0x3a,
0xdd,0xd4,0xcf,0xc6,0xf9,0xf0,0xeb,0xe2,0x95,0x9c,0x87,0x8e,0xb1,0xb8,0xa3,0xaa,
0xec,0xe5,0xfe,0xf7,0xc8,0xc1,0xda,0xd3,0xa4,0xad,0xb6,0xbf,0x80,0x89,0x92,0x9b,
0x7c,0x75,0x6e,0x67,0x58,0x51,0x4a,0x43,0x34,0x3d,0x26,0x2f,0x10,0x19,0x02,0x0b,
0xd7,0xde,0xc5,0xcc,0xf3,0xfa,0xe1,0xe8,0x9f,0x96,0x8d,0x84,0xbb,0xb2,0xa9,0xa0,
0x47,0x4e,0x55,0x5c,0x63,0x6a,0x71,0x78,0x0f,0x06,0x1d,0x14,0x2b,0x22,0x39,0x30,
0x9a,0x93,0x88,0x81,0xbe,0xb7,0xac,0xa5,0xd2,0xdb,0xc0,0xc9,0xf6,0xff,0xe4,0xed,
0x0a,0x03,0x18,0x11,0x2e,0x27,0x3c,0x35,0x42,0x4b,0x50,0x59,0x66,0x6f,0x74,0x7d,
0xa1,0xa8,0xb3,0xba,0x85,0x8c,0x97,0x9e,0xe9,0xe0,0xfb,0xf2,0xcd,0xc4,0xdf,0xd6,
0x31,0x38,0x23,0x2a,0x15,0x1c,0x07,0x0e,0x79,0x70,0x6b,0x62,0x5d,0x54,0x4f,0x46]
GF_MULT_11 = [
0x00,0x0b,0x16,0x1d,0x2c,0x27,0x3a,0x31,0x58,0x53,0x4e,0x45,0x74,0x7f,0x62,0x69,
0xb0,0xbb,0xa6,0xad,0x9c,0x97,0x8a,0x81,0xe8,0xe3,0xfe,0xf5,0xc4,0xcf,0xd2,0xd9,
0x7b,0x70,0x6d,0x66,0x57,0x5c,0x41,0x4a,0x23,0x28,0x35,0x3e,0x0f,0x04,0x19,0x12,
0xcb,0xc0,0xdd,0xd6,0xe7,0xec,0xf1,0xfa,0x93,0x98,0x85,0x8e,0xbf,0xb4,0xa9,0xa2,
0xf6,0xfd,0xe0,0xeb,0xda,0xd1,0xcc,0xc7,0xae,0xa5,0xb8,0xb3,0x82,0x89,0x94,0x9f,
0x46,0x4d,0x50,0x5b,0x6a,0x61,0x7c,0x77,0x1e,0x15,0x08,0x03,0x32,0x39,0x24,0x2f,
0x8d,0x86,0x9b,0x90,0xa1,0xaa,0xb7,0xbc,0xd5,0xde,0xc3,0xc8,0xf9,0xf2,0xef,0xe4,
0x3d,0x36,0x2b,0x20,0x11,0x1a,0x07,0x0c,0x65,0x6e,0x73,0x78,0x49,0x42,0x5f,0x54,
0xf7,0xfc,0xe1,0xea,0xdb,0xd0,0xcd,0xc6,0xaf,0xa4,0xb9,0xb2,0x83,0x88,0x95,0x9e,
0x47,0x4c,0x51,0x5a,0x6b,0x60,0x7d,0x76,0x1f,0x14,0x09,0x02,0x33,0x38,0x25,0x2e,
0x8c,0x87,0x9a,0x91,0xa0,0xab,0xb6,0xbd,0xd4,0xdf,0xc2,0xc9,0xf8,0xf3,0xee,0xe5,
0x3c,0x37,0x2a,0x21,0x10,0x1b,0x06,0x0d,0x64,0x6f,0x72,0x79,0x48,0x43,0x5e,0x55,
0x01,0x0a,0x17,0x1c,0x2d,0x26,0x3b,0x30,0x59,0x52,0x4f,0x44,0x75,0x7e,0x63,0x68,
0xb1,0xba,0xa7,0xac,0x9d,0x96,0x8b,0x80,0xe9,0xe2,0xff,0xf4,0xc5,0xce,0xd3,0xd8,
0x7a,0x71,0x6c,0x67,0x56,0x5d,0x40,0x4b,0x22,0x29,0x34,0x3f,0x0e,0x05,0x18,0x13,
0xca,0xc1,0xdc,0xd7,0xe6,0xed,0xf0,0xfb,0x92,0x99,0x84,0x8f,0xbe,0xb5,0xa8,0xa3]
GF_MULT_13 = [
0x00,0x0d,0x1a,0x17,0x34,0x39,0x2e,0x23,0x68,0x65,0x72,0x7f,0x5c,0x51,0x46,0x4b,
0xd0,0xdd,0xca,0xc7,0xe4,0xe9,0xfe,0xf3,0xb8,0xb5,0xa2,0xaf,0x8c,0x81,0x96,0x9b,
0xbb,0xb6,0xa1,0xac,0x8f,0x82,0x95,0x98,0xd3,0xde,0xc9,0xc4,0xe7,0xea,0xfd,0xf0,
0x6b,0x66,0x71,0x7c,0x5f,0x52,0x45,0x48,0x03,0x0e,0x19,0x14,0x37,0x3a,0x2d,0x20,
0x6d,0x60,0x77,0x7a,0x59,0x54,0x43,0x4e,0x05,0x08,0x1f,0x12,0x31,0x3c,0x2b,0x26,
0xbd,0xb0,0xa7,0xaa,0x89,0x84,0x93,0x9e,0xd5,0xd8,0xcf,0xc2,0xe1,0xec,0xfb,0xf6,
0xd6,0xdb,0xcc,0xc1,0xe2,0xef,0xf8,0xf5,0xbe,0xb3,0xa4,0xa9,0x8a,0x87,0x90,0x9d,
0x06,0x0b,0x1c,0x11,0x32,0x3f,0x28,0x25,0x6e,0x63,0x74,0x79,0x5a,0x57,0x40,0x4d,
0xda,0xd7,0xc0,0xcd,0xee,0xe3,0xf4,0xf9,0xb2,0xbf,0xa8,0xa5,0x86,0x8b,0x9c,0x91,
0x0a,0x07,0x10,0x1d,0x3e,0x33,0x24,0x29,0x62,0x6f,0x78,0x75,0x56,0x5b,0x4c,0x41,
0x61,0x6c,0x7b,0x76,0x55,0x58,0x4f,0x42,0x09,0x04,0x13,0x1e,0x3d,0x30,0x27,0x2a,
0xb1,0xbc,0xab,0xa6,0x85,0x88,0x9f,0x92,0xd9,0xd4,0xc3,0xce,0xed,0xe0,0xf7,0xfa,
0xb7,0xba,0xad,0xa0,0x83,0x8e,0x99,0x94,0xdf,0xd2,0xc5,0xc8,0xeb,0xe6,0xf1,0xfc,
0x67,0x6a,0x7d,0x70,0x53,0x5e,0x49,0x44,0x0f,0x02,0x15,0x18,0x3b,0x36,0x21,0x2c,
0x0c,0x01,0x16,0x1b,0x38,0x35,0x22,0x2f,0x64,0x69,0x7e,0x73,0x50,0x5d,0x4a,0x47,
0xdc,0xd1,0xc6,0xcb,0xe8,0xe5,0xf2,0xff,0xb4,0xb9,0xae,0xa3,0x80,0x8d,0x9a,0x97]
GF_MULT_14 = [
0x00,0x0e,0x1c,0x12,0x38,0x36,0x24,0x2a,0x70,0x7e,0x6c,0x62,0x48,0x46,0x54,0x5a,
0xe0,0xee,0xfc,0xf2,0xd8,0xd6,0xc4,0xca,0x90,0x9e,0x8c,0x82,0xa8,0xa6,0xb4,0xba,
0xdb,0xd5,0xc7,0xc9,0xe3,0xed,0xff,0xf1,0xab,0xa5,0xb7,0xb9,0x93,0x9d,0x8f,0x81,
0x3b,0x35,0x27,0x29,0x03,0x0d,0x1f,0x11,0x4b,0x45,0x57,0x59,0x73,0x7d,0x6f,0x61,
0xad,0xa3,0xb1,0xbf,0x95,0x9b,0x89,0x87,0xdd,0xd3,0xc1,0xcf,0xe5,0xeb,0xf9,0xf7,
0x4d,0x43,0x51,0x5f,0x75,0x7b,0x69,0x67,0x3d,0x33,0x21,0x2f,0x05,0x0b,0x19,0x17,
0x76,0x78,0x6a,0x64,0x4e,0x40,0x52,0x5c,0x06,0x08,0x1a,0x14,0x3e,0x30,0x22,0x2c,
0x96,0x98,0x8a,0x84,0xae,0xa0,0xb2,0xbc,0xe6,0xe8,0xfa,0xf4,0xde,0xd0,0xc2,0xcc,
0x41,0x4f,0x5d,0x53,0x79,0x77,0x65,0x6b,0x31,0x3f,0x2d,0x23,0x09,0x07,0x15,0x1b,
0xa1,0xaf,0xbd,0xb3,0x99,0x97,0x85,0x8b,0xd1,0xdf,0xcd,0xc3,0xe9,0xe7,0xf5,0xfb,
0x9a,0x94,0x86,0x88,0xa2,0xac,0xbe,0xb0,0xea,0xe4,0xf6,0xf8,0xd2,0xdc,0xce,0xc0,
0x7a,0x74,0x66,0x68,0x42,0x4c,0x5e,0x50,0x0a,0x04,0x16,0x18,0x32,0x3c,0x2e,0x20,
0xec,0xe2,0xf0,0xfe,0xd4,0xda,0xc8,0xc6,0x9c,0x92,0x80,0x8e,0xa4,0xaa,0xb8,0xb6,
0x0c,0x02,0x10,0x1e,0x34,0x3a,0x28,0x26,0x7c,0x72,0x60,0x6e,0x44,0x4a,0x58,0x56,
0x37,0x39,0x2b,0x25,0x0f,0x01,0x13,0x1d,0x47,0x49,0x5b,0x55,0x7f,0x71,0x63,0x6d,
0xd7,0xd9,0xcb,0xc5,0xef,0xe1,0xf3,0xfd,0xa7,0xa9,0xbb,0xb5,0x9f,0x91,0x83,0x8d]
def inv_subWord(byteArray):
res = bytearray()
for b in byteArray:
res.append( S_INV_BOX[b] )
return res
def inv_subBytes(aesState):
resState = bytearray()
for i in range(0,len(aesState),4):
resState[i:i+4] = inv_subWord(aesState[i:i+4])
return resState
def inv_shiftRow(aesState):
resState = bytearray()
"""
0 4 8 c 0 4 8 c
1 5 9 d d 1 5 9
2 6 a e -> a e 2 6
3 7 b f 7 b f 3
"""
newPosition = [ 0, 0xd, 0xa, 7,
4, 1, 0xe, 0xb,
8, 5, 2, 0xf,
0xc, 9, 6, 3
]
for i in newPosition:
resState.append(aesState[i])
return resState
def inv_mixColumn(aesState):
res = bytearray()
for i in range(0,len(aesState),4):
b0, b1, b2, b3 = aesState[i:(i+4)]
new_b0 = GF_MULT_14[b0] ^ GF_MULT_11[b1] ^ GF_MULT_13[b2] ^ GF_MULT_09[b3]
new_b1 = GF_MULT_09[b0] ^ GF_MULT_14[b1] ^ GF_MULT_11[b2] ^ GF_MULT_13[b3]
new_b2 = GF_MULT_13[b0] ^ GF_MULT_09[b1] ^ GF_MULT_14[b2] ^ GF_MULT_11[b3]
new_b3 = GF_MULT_11[b0] ^ GF_MULT_13[b1] ^ GF_MULT_09[b2] ^ GF_MULT_14[b3]
res.append(new_b0)
res.append(new_b1)
res.append(new_b2)
res.append(new_b3)
return res
def AES_Decryption(cipherText, AES_key, nbRound):
res = cipherText
res = inv_shiftRow(res)
res = inv_subBytes(res)
for i in range(nbRound-1, 0, -1):
res = inv_mixColumn(res)
res = inv_shiftRow(res)
res = inv_subBytes(res)
return res
def main():
AES_Key = None
with open("cipher.txt","rb") as f_in:
cipherText = f_in.read()
secondPlainText = AES_Decryption(cipherText, AES_Key,10)
print(secondPlainText)
if __name__ == '__main__':
main()
第五空间
ECC
print 'Try to solve the 3 ECC'
from secret import flag
from Crypto.Util.number import *
assert(flag[:5]=='flag{')
flag = flag[5:-1]
num1 = bytes_to_long(flag[:7])
num2 = bytes_to_long(flag[7:14])
num3 = bytes_to_long(flag[14:])
def ECC1(num):
p = 146808027458411567
A = 46056180
B = 2316783294673
E = EllipticCurve(GF(p),[A,B])
P = E.random_point()
Q = num*P
print E
print 'P:',P
print 'Q:',Q
def ECC2(num):
p = 1256438680873352167711863680253958927079458741172412327087203
#import random
#A = random.randrange(389718923781273978681723687163812)
#B = random.randrange(816378675675716537126387613131232121431231)
A = 377999945830334462584412960368612
B = 604811648267717218711247799143415167229480
E = EllipticCurve(GF(p),[A,B])
P = E.random_point()
Q = num*P
print E
print 'P:',P
print 'Q:',Q
factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
print primes
dlogs = []
for fac in primes:
t = int(int(P.order()) / int(fac))
dlog = discrete_log(t*Q,t*P,operation="+")
dlogs += [dlog]
print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
print num
print crt(dlogs,primes)
def ECC3(num):
p = 0xd3ceec4c84af8fa5f3e9af91e00cabacaaaecec3da619400e29a25abececfdc9bd678e2708a58acb1bd15370acc39c596807dab6229dca11fd3a217510258d1b
A = 0x95fc77eb3119991a0022168c83eee7178e6c3eeaf75e0fdf1853b8ef4cb97a9058c271ee193b8b27938a07052f918c35eccb027b0b168b4e2566b247b91dc07
B = 0x926b0e42376d112ca971569a8d3b3eda12172dfb4929aea13da7f10fb81f3b96bf1e28b4a396a1fcf38d80b463582e45d06a548e0dc0d567fc668bd119c346b2
E = EllipticCurve(GF(p),[A,B])
P = E.random_point()
Q = num*P
print E
print 'P:',P
print 'Q:',Q
ECC1(num1)
print '=============='
ECC2(num2)
print '=============='
ECC3(num3)第一步数小直接discrete_log,第二步是ECDLP的Pohlig-Hellman,第三部E的order和p相等所以用smart’s attack,在github上能搜到第三步的脚本。https://github.com/jvdsn/crypto-attacks/blob/master/ecc/smart_attack.py
# sage
from Crypto.Util.number import *
def _lift(curve, point, gf):
x, y = map(ZZ, point.xy())
for point_ in curve.lift_x(x, all=True):
x_, y_ = map(gf, point_.xy())
if y == y_:
return point_
def attack(base, multiplication_result):
curve = base.curve()
gf = curve.base_ring()
p = gf.order()
assert curve.trace_of_frobenius() == 1
lift_curve = EllipticCurve(Qp(p), list(map(lambda a: int(a) + p * ZZ.random_element(1, p), curve.a_invariants())))
lifted_base = p * _lift(lift_curve, base, gf)
lifted_multiplication_result = p * _lift(lift_curve, multiplication_result, gf)
lb_x, lb_y = lifted_base.xy()
lmr_x, lmr_y = lifted_multiplication_result.xy()
return int(gf((lmr_x / lmr_y) / (lb_x / lb_y)))
a1 =
b1 =
p1 =
E1 = EllipticCurve(GF(p1), [a1, b1])
P1 = E1(, )
Q1 = E1(, )
a2 =
b2 =
p2 =
E2 = EllipticCurve(GF(p2), [a2, b2])
P2 = E2(, )
Q2 = E2(, )
factors, exponents = zip(*factor(E2.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-1]
dlogs = []
for fac in primes:
t = int(int(P2.order()) // int(fac))
dlog = discrete_log(t*Q2,t*P2,operation="+")
dlogs += [dlog]
p3 =
a3 =
b3 =
E3 = EllipticCurve(GF(p3), [a3, b3])
P3 = E3(, )
Q3 = E3(, )
print(b'flag{' + long_to_bytes(P1.discrete_log(Q1)) + long_to_bytes(crt(dlogs,primes)) + long_to_bytes(attack(P3, Q3)) + b'}')
doublesage
from sage.modules.free_module_integer import IntegerLattice
from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler
from sage.crypto.lwe import LWE
from sage.crypto.lwe import samples
import numpy as np
import signal
def Question(n,m,para_D,para_e):
signal.alarm(600)
print('[+] Question:')
# m=n^2-2
q=next_prime(n^2)
D=DiscreteGaussianDistributionIntegerSampler(para_D*n)
lwe=LWE(n=n, q=q, D=D)
Z=[lwe() for _ in range(m)]
A=matrix([a for (a,c) in Z]).transpose()
C=vector([c for (a,c) in Z])
print('[+] The following matrix operations are modulus',q)
print('\n[+] Matrix A of size',n,'*',m,':'); print(A)
print('\n[+] Vector C of size',1,'*',m,':'); print(np.array(C))
E=lwe._LWE__s*A-C
E=[int(e) for e in E]
E=vector([e if e <= floor(q/2) else e-q for e in E])
E_norm=E.norm().n()*para_e
print('[+] Please give an integer vector x of size',1,'*',m,'(format [1 2 3] or [1, 2, 3]), such that the norm of vector x*A-C <=',E_norm,', where operations are modulus',q,':')
k=GF(q)^n
x=k(0)
u=input()
try:
u=np.matrix(u)
for i in range(n):
x[i]=u[0,i]
except:
print('[+] Wrong format, exit.')
exit()
E=x*A-C
E=[int(e) for e in E]
E=vector([e if e <= floor(q/2) else e-q for e in E])
tmp=E.norm().n()
print('[+] The norm of vector x*A-C is', tmp,',', tmp<E_norm,'.\n')
if not tmp<E_norm:
exit()
def ReadFlag():
print('flag{**********}')
Question(5, 23, 1.5, 1.1)
Question(15, 143, 1.5, 3)
ReadFlag()
全输入0,运气好过了
data_protect
#run under python3
import random
from secret import flag,name,phone,mail,address,school,seed
from gmpy2 import *
from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import sha256
random.seed(seed)
def encrypt1(m):
a = random.getrandbits(96)
b = random.getrandbits(96)
p = next_prime(a)
q = next_prime(b)
n = p*q
e = 65537
assert(m<n)
print (pow(m,e,n))
print (n)
def encrypt2(m):
p = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
q = random.randrange(11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997,11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526563615762644)
nq = next_prime(q)
n = p*q
e = 65537
assert(m<n)
print (pow(m,e,n))
print (n)
def encrypt3(msg):
q = getPrime(33)
key = [[] for i in range(34)]
for i in range(len(key)):
for j in range(len(msg)):
tmp = random.getrandbits(32)
assert(tmp<q)
key[i].append(tmp)
cipher = []
for l in key:
tmp = 0
for x,y in zip(l,msg):
tmp = (tmp+x*y)%q
cipher.append(tmp)
print (q)
print (key)
print (cipher)
def encrypt4(msg):
key = long_to_bytes(random.getrandbits(128))
a = AES.new(key,AES.MODE_ECB)
cipher = a.encrypt(msg)
print (bytes_to_long(cipher))
def encrypt5(msg):
q = getPrime(512)
g = random.randrange(q-1)
x = random.randrange(q-1)
h = pow(g,x,q)
y = random.randrange(q-1)
s = pow(h,y,q)
c1 = pow(g,y,q)
c2 = (msg*s)%q
print (q,g,h)
print (c1,c2)
msg1 = bytes_to_long(name)
encrypt1(msg1)
msg2 = bytes_to_long(phone+long_to_bytes(random.getrandbits(160)))
encrypt2(msg2)
msg3 = [x for x in mail]
encrypt3(msg3)
#Note the address incude digits,letters, '.' and '_'
msg4 = address
encrypt4(msg4)
msg5 = bytes_to_long(school)
encrypt5(msg5)
flag = 'flag{'+sha256(name).hexdigest()[:8]+'-'+sha256(phone).hexdigest()[:4]+'-'+sha256(mail).hexdigest()[:4]+'-'+sha256(address).hexdigest()[:4]+'-'+sha256(school).hexdigest()[:12]+'}'
#print (flag)stage1
e = 65537
p = 22186905890293167337018474103
q = 64390888389278700958517837593
c = 1214574563741560349838921793704940745590987462777968444374
d = invert(e, (p-1)*(q-1))
print(n2s(int(pow(c, d, p*q))))
# b'xiaomimg'stage2
e = 65537
n = 134949786048887319137407994803780389722367094355650515833817995038306119197600539524985448574053755793699799863164150565217726975197643634831307454431403854861515253009970594684699064052739820092115115614153962139870020206132705821506686959283747802946805730902605814619499301779892151365118901010526138311982
p = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
c = 83382305214367280642036397343148189703485368587974886171510743953549190744470601202744767273007620016211287396099134559067732647482119585665644233315163008363194608166196925401829658712718312200224326536235692414101991228706273090615632001823182408030728674734516602445750649097008703725533663639171389956107
d = invert(e, p-1)
print(n2s(int(pow(c, d, p)))[11:])
# b'19410100101'stage3
这是个hill密码,key是一个34行18列的矩阵,msg是一个18行1列的矩阵,cipher = key*msg
hill密码的key是方阵,这里面不是,但是你会发现,msg就18个字符,你加密34次也没有啥用,所以只取key的前18行构成一个方阵,cipher也只取前18行,然后求逆矩阵再相乘就可以恢复出msg了。求模逆矩阵 Ax = B mod m
q = 8330252551
key = [[978955513, 2055248981, 3094004449, 411497641, 4183759491, 521276843, 1709604203, 3162773533, 2140722701, 782306144, 421964668, 356205891, 1039083484, 1911377875, 1661230549, 312742665, 3628868938, 2049082743], [3833871085, 2929837680, 2614720930, 4056572317, 3787185237, 93999422, 590001829, 429074138, 3012080235, 2336571108, 831707987, 3902814802, 2084593018, 316245361, 1799842819, 2908004545, 120773816, 2687194173], [3213409254, 3303290739, 742998950, 2956806179, 2834298174, 429260769, 769267967, 1301491642, 2415087532, 1055496090, 690922955, 2984201071, 3517649313, 3675968202, 3389582912, 2632941479, 186911789, 3547287806], [4149643988, 3811477370, 1269911228, 3709435333, 1868378108, 4173520248, 1573661708, 2161236830, 3266570322, 1611227993, 2539778863, 1857682940, 1020154001, 92386553, 3834719618, 3775070036, 3777877862, 2982256702], [4281981169, 2949541448, 4199819805, 3654041457, 3300163657, 1674155910, 1316779635, 66744534, 3804297626, 2709354730, 2460136415, 3983640368, 3801883586, 1068904857, 4178063279, 41067134, 752202632, 3143016757], [3078167402, 2059042200, 252404132, 415008428, 3611056424, 1674088343, 2460161645, 3311986519, 3130694755, 934254488, 898722917, 2865274835, 567507230, 1328871893, 3903457801, 2499893858, 492084315, 183531922], [3529830884, 4039243386, 233553719, 4118146471, 1646804655, 2089146092, 2156344320, 2329927228, 508323741, 1931822010, 579182891, 176447133, 597011120, 3261594914, 2845298788, 3759915972, 3095206232, 3638216860], [3352986415, 4264046847, 3829043620, 2530153481, 3421260080, 1669551722, 4240873925, 2101009682, 3660432232, 4224377588, 929767737, 3729104589, 2835310428, 1727139644, 1279995206, 1355353373, 2144225408, 1359399895], [3105965085, 818804468, 3230054412, 2646235709, 4053839846, 2878092923, 587905848, 1589383219, 2408577579, 880800518, 28758157, 1000513178, 2176168589, 187505579, 89151277, 1238795748, 8168714, 3501032027], [3473729699, 1900372653, 305029321, 2013273628, 1242655400, 4192234107, 2446737641, 1341412052, 304733944, 4174393908, 2563609353, 3623415321, 49954007, 3130983058, 425856087, 2331025419, 34423818, 2042901845], [1397571080, 1615456639, 1840339411, 220496996, 2042007444, 3681679342, 2306603996, 732207066, 663494719, 4092173669, 3034772067, 3807942919, 111475712, 2065672849, 3552535306, 138510326, 3757322399, 2394352747], [371953847, 3369229608, 1669129625, 168320777, 2375427503, 3449778616, 1977984006, 1543379950, 2293317896, 1239812206, 1198364787, 2465753450, 3739161320, 2502603029, 1528706460, 1488040470, 3387786864, 1864873515], [1356892529, 1662755536, 1623461302, 1925037502, 1878096790, 3682248450, 2359635297, 1558718627, 116402105, 3274502275, 2436185635, 771708011, 3484140889, 3264299013, 885210310, 4225779256, 363129056, 2488388413], [2636035482, 4140705532, 3187647213, 4009585502, 351132201, 2592096589, 3785703396, 750115519, 3632692007, 3936675924, 3635400895, 3257019719, 1928767495, 2868979203, 622850989, 3165580000, 4162276629, 4157491019], [1272163411, 1251211247, 357523138, 1233981097, 1855287284, 4079018167, 4028466297, 92214478, 4290550648, 648034817, 1247795256, 3928945157, 1199659871, 397659647, 3360313830, 561558927, 3446409788, 2727008359], [1470343419, 3861411785, 953425729, 65811127, 458070615, 1428470215, 3101427357, 1137845714, 1980562597, 4120983895, 45901583, 2869582150, 427949409, 3025588000, 3231450975, 3313818165, 4015642368, 3197557747], [2452385340, 111636796, 897282198, 4273652805, 1223518692, 3680320805, 2771040109, 3617506402, 3904690320, 77507239, 3010900929, 4099608062, 546322994, 1084929138, 902220733, 4054312795, 1977510945, 735973665], [3729015155, 3027108070, 1442633554, 1949455360, 2864504565, 3673543865, 446663703, 3515816196, 1468441462, 897770414, 2831043012, 707874506, 1098228471, 1225077381, 3622448809, 2409995597, 3847055008, 1887507220], [1839061542, 1963345926, 2600100988, 1703502633, 1824193082, 3595102755, 2558488861, 2440526309, 3909166109, 1611135411, 2809397519, 1019893656, 3281060225, 2387778214, 2460059811, 198824620, 1645102665, 865289621], [224442296, 3009601747, 3066701924, 1774879140, 880620935, 2676353545, 3748945463, 1994930827, 75275710, 3710375437, 4132497729, 3010711783, 3731895534, 2434590580, 3409701141, 2209951200, 995511645, 3571299495], [2337737600, 110982073, 2985129643, 1668549189, 3298468029, 698015588, 2945584297, 1036821195, 4249059927, 3384611421, 3304378629, 1307957989, 602821252, 184198726, 1182960059, 4200496073, 1562699893, 3320841302], [5866561, 2442649482, 479821282, 2687097642, 3347828225, 1876332308, 2704295851, 2952277070, 1803967244, 2837783916, 658984547, 3605604364, 1931924322, 3285319978, 556150900, 3795666798, 261321502, 1040433381], [3855222954, 3565522064, 1841853882, 1066304362, 3552076734, 3075952725, 2193242436, 2052898568, 2341179777, 3089412493, 165812889, 4196290126, 3568567671, 28097161, 2249543862, 1251207418, 522526590, 765541973], [1801734077, 2132230169, 667823776, 3900096345, 3119630138, 3620542178, 2900630754, 30811433, 608818254, 1040662178, 900811411, 3221833258, 43598995, 1818995893, 2718507668, 3445138445, 3217962572, 1437902734], [1812768224, 392114567, 2694519859, 1941199322, 2523549731, 2078453798, 851734499, 2376090593, 2069375610, 4084690114, 246441363, 4154699271, 58451971, 31806021, 4158724930, 2741293247, 3230803936, 2790505999], [3906342775, 2231570871, 1258998901, 1517292578, 162889239, 3130741176, 3925266771, 1780222960, 2378568279, 3873144834, 1597459529, 1581197809, 4101706041, 196019642, 1439141586, 587446072, 2012673288, 1280875335], [4058452685, 653145648, 553051697, 1406542226, 4053722203, 994470045, 2066358582, 3919235908, 2315900402, 3236350874, 172880690, 3104147616, 489606166, 3898059157, 200469827, 665789663, 3116633449, 4137295625], [1460624254, 4286673320, 2664109800, 1995979611, 4091742681, 2639530247, 4240681440, 2169059390, 1149325301, 3139578541, 2320870639, 3148999826, 4095173534, 2742698014, 3623896968, 2444601912, 1958855100, 1743268893], [2187625371, 3533912845, 29086928, 543325588, 4247300963, 1972139209, 272152499, 4276082595, 3680551759, 1835350157, 3921757922, 2716774439, 1070751202, 69990939, 3794506838, 699803423, 3699976889, 40791189], [539106994, 1670272368, 3483599225, 2867955550, 2207694005, 1126950203, 693920921, 2333328675, 539234245, 1961438796, 3126390464, 1118759587, 59715473, 1450076492, 4101732655, 3658733365, 940858890, 1262671744], [3092624332, 2175813516, 3355101899, 3657267135, 770650398, 359506155, 4149470178, 3763654751, 1184381886, 942048015, 523057971, 1098635956, 1732951811, 150067724, 2417766207, 4152571821, 2759971924, 4284842765], [3336022203, 2569311431, 2752777107, 1441977867, 1279003682, 3861567631, 1064716472, 3046493996, 1339401643, 39466446, 1464905290, 420733872, 2057911345, 2418624800, 2193625430, 1558527155, 4224908000, 207684355], [2681129718, 4210889596, 4051161171, 3131196482, 1128312875, 938670840, 2828563599, 3078146488, 1102989364, 3557724304, 156013303, 2371355565, 3608679353, 3513837899, 155622460, 396656112, 2493417457, 876296360], [3135876409, 181875076, 3662181650, 3851859805, 3626146919, 90441351, 1944988720, 585429580, 3158268550, 1399100291, 3688843295, 2851190, 2670576474, 3177735154, 3479499727, 197376977, 1790622954, 2393956089]]
cipher = [7180140290, 3141915684, 4375484758, 1318033539, 3703733458, 3647670480, 602160587, 5980133517, 5549070878, 4357625450, 1049311243, 2204828010, 7478386985, 7168975760, 4860233060, 2124987992, 8328577058, 3087835869, 5676726658, 3759772148, 6606176215, 2908250007, 662118092, 7029993531, 3705914901, 697664494, 2137174137, 5406829066, 700416846, 6968142857, 8217369461, 5164642347, 2646776450, 6181738074]
A = key[:18]
b = cipher[:18]
A = matrix(GF(q), A)
b = vector(GF(q), b)
print(A.solve_right(b))
flag = (120, 105, 97, 111, 109, 105, 110, 103, 64, 99, 109, 97, 105, 108, 46, 99, 111, 109)
for i in flag:
print(chr(i), end='')
# xiaoming@cmail.comstage4
头两个素数不确定,要在范围内穷举random.randrange使用random.choice实现,查询发现其也是使用getrandbits实现,而且正好是32位
所有随机数加起来正好624*32位,因此:
import random
from gmpy2 import *
from Crypto.Util.number import *
from Crypto.Cipher import AES
from hashlib import sha256
from mt19937predictor import MT19937Predictor
p = 22186905890293167337018474103
tmp = p - 1
while next_prime(tmp) == p:
tmp -= 1
low_p = tmp + 1
q = 64390888389278700958517837593
tmp = q - 1
while next_prime(tmp) == q:
tmp -= 1
low_q = tmp + 1
x2 = 1376217116093917281494330680247070104781521444225 # 160
x3 = 1644175009
keys = [[978955513, 2055248981, 3094004449, 411497641, 4183759491, 521276843, 1709604203, 3162773533, 2140722701, 782306144, 421964668, 356205891, 1039083484, 1911377875, 1661230549, 312742665, 3628868938, 2049082743], [3833871085, 2929837680, 2614720930, 4056572317, 3787185237, 93999422, 590001829, 429074138, 3012080235, 2336571108, 831707987, 3902814802, 2084593018, 316245361, 1799842819, 2908004545, 120773816, 2687194173], [3213409254, 3303290739, 742998950, 2956806179, 2834298174, 429260769, 769267967, 1301491642, 2415087532, 1055496090, 690922955, 2984201071, 3517649313, 3675968202, 3389582912, 2632941479, 186911789, 3547287806], [4149643988, 3811477370, 1269911228, 3709435333, 1868378108, 4173520248, 1573661708, 2161236830, 3266570322, 1611227993, 2539778863, 1857682940, 1020154001, 92386553, 3834719618, 3775070036, 3777877862, 2982256702], [4281981169, 2949541448, 4199819805, 3654041457, 3300163657, 1674155910, 1316779635, 66744534, 3804297626, 2709354730, 2460136415, 3983640368, 3801883586, 1068904857, 4178063279, 41067134, 752202632, 3143016757], [3078167402, 2059042200, 252404132, 415008428, 3611056424, 1674088343, 2460161645, 3311986519, 3130694755, 934254488, 898722917, 2865274835, 567507230, 1328871893, 3903457801, 2499893858, 492084315, 183531922], [3529830884, 4039243386, 233553719, 4118146471, 1646804655, 2089146092, 2156344320, 2329927228, 508323741, 1931822010, 579182891, 176447133, 597011120, 3261594914, 2845298788, 3759915972, 3095206232, 3638216860], [3352986415, 4264046847, 3829043620, 2530153481, 3421260080, 1669551722, 4240873925, 2101009682, 3660432232, 4224377588, 929767737, 3729104589, 2835310428, 1727139644, 1279995206, 1355353373, 2144225408, 1359399895], [3105965085, 818804468, 3230054412, 2646235709, 4053839846, 2878092923, 587905848, 1589383219, 2408577579, 880800518, 28758157, 1000513178, 2176168589, 187505579, 89151277, 1238795748, 8168714, 3501032027], [3473729699, 1900372653, 305029321, 2013273628, 1242655400, 4192234107, 2446737641, 1341412052, 304733944, 4174393908, 2563609353, 3623415321, 49954007, 3130983058, 425856087, 2331025419, 34423818, 2042901845], [1397571080, 1615456639, 1840339411, 220496996, 2042007444, 3681679342, 2306603996, 732207066, 663494719, 4092173669, 3034772067, 3807942919, 111475712, 2065672849, 3552535306, 138510326, 3757322399, 2394352747], [371953847, 3369229608, 1669129625, 168320777, 2375427503, 3449778616, 1977984006, 1543379950, 2293317896, 1239812206, 1198364787, 2465753450, 3739161320, 2502603029, 1528706460, 1488040470, 3387786864, 1864873515], [1356892529, 1662755536, 1623461302, 1925037502, 1878096790, 3682248450, 2359635297, 1558718627, 116402105, 3274502275, 2436185635, 771708011, 3484140889, 3264299013, 885210310, 4225779256, 363129056, 2488388413], [2636035482, 4140705532, 3187647213, 4009585502, 351132201, 2592096589, 3785703396, 750115519, 3632692007, 3936675924, 3635400895, 3257019719, 1928767495, 2868979203, 622850989, 3165580000, 4162276629, 4157491019], [1272163411, 1251211247, 357523138, 1233981097, 1855287284, 4079018167, 4028466297, 92214478, 4290550648, 648034817, 1247795256, 3928945157, 1199659871, 397659647, 3360313830, 561558927, 3446409788, 2727008359], [1470343419, 3861411785, 953425729, 65811127, 458070615, 1428470215, 3101427357, 1137845714, 1980562597, 4120983895, 45901583, 2869582150, 427949409, 3025588000, 3231450975, 3313818165, 4015642368, 3197557747], [2452385340, 111636796, 897282198, 4273652805, 1223518692, 3680320805, 2771040109, 3617506402, 3904690320, 77507239, 3010900929, 4099608062, 546322994, 1084929138, 902220733, 4054312795, 1977510945, 735973665], [3729015155, 3027108070, 1442633554, 1949455360, 2864504565, 3673543865, 446663703, 3515816196, 1468441462, 897770414, 2831043012, 707874506, 1098228471, 1225077381, 3622448809, 2409995597, 3847055008, 1887507220], [1839061542, 1963345926, 2600100988, 1703502633, 1824193082, 3595102755, 2558488861, 2440526309, 3909166109, 1611135411, 2809397519, 1019893656, 3281060225, 2387778214, 2460059811, 198824620, 1645102665, 865289621], [224442296, 3009601747, 3066701924, 1774879140, 880620935, 2676353545, 3748945463, 1994930827, 75275710, 3710375437, 4132497729, 3010711783, 3731895534, 2434590580, 3409701141, 2209951200, 995511645, 3571299495], [2337737600, 110982073, 2985129643, 1668549189, 3298468029, 698015588, 2945584297, 1036821195, 4249059927, 3384611421, 3304378629, 1307957989, 602821252, 184198726, 1182960059, 4200496073, 1562699893, 3320841302], [5866561, 2442649482, 479821282, 2687097642, 3347828225, 1876332308, 2704295851, 2952277070, 1803967244, 2837783916, 658984547, 3605604364, 1931924322, 3285319978, 556150900, 3795666798, 261321502, 1040433381], [3855222954, 3565522064, 1841853882, 1066304362, 3552076734, 3075952725, 2193242436, 2052898568, 2341179777, 3089412493, 165812889, 4196290126, 3568567671, 28097161, 2249543862, 1251207418, 522526590, 765541973], [1801734077, 2132230169, 667823776, 3900096345, 3119630138, 3620542178, 2900630754, 30811433, 608818254, 1040662178, 900811411, 3221833258, 43598995, 1818995893, 2718507668, 3445138445, 3217962572, 1437902734], [1812768224, 392114567, 2694519859, 1941199322, 2523549731, 2078453798, 851734499, 2376090593, 2069375610, 4084690114, 246441363, 4154699271, 58451971, 31806021, 4158724930, 2741293247, 3230803936, 2790505999], [3906342775, 2231570871, 1258998901, 1517292578, 162889239, 3130741176, 3925266771, 1780222960, 2378568279, 3873144834, 1597459529, 1581197809, 4101706041, 196019642, 1439141586, 587446072, 2012673288, 1280875335], [4058452685, 653145648, 553051697, 1406542226, 4053722203, 994470045, 2066358582, 3919235908, 2315900402, 3236350874, 172880690, 3104147616, 489606166, 3898059157, 200469827, 665789663, 3116633449, 4137295625], [1460624254, 4286673320, 2664109800, 1995979611, 4091742681, 2639530247, 4240681440, 2169059390, 1149325301, 3139578541, 2320870639, 3148999826, 4095173534, 2742698014, 3623896968, 2444601912, 1958855100, 1743268893], [2187625371, 3533912845, 29086928, 543325588, 4247300963, 1972139209, 272152499, 4276082595, 3680551759, 1835350157, 3921757922, 2716774439, 1070751202, 69990939, 3794506838, 699803423, 3699976889, 40791189], [539106994, 1670272368, 3483599225, 2867955550, 2207694005, 1126950203, 693920921, 2333328675, 539234245, 1961438796, 3126390464, 1118759587, 59715473, 1450076492, 4101732655, 3658733365, 940858890, 1262671744], [3092624332, 2175813516, 3355101899, 3657267135, 770650398, 359506155, 4149470178, 3763654751, 1184381886, 942048015, 523057971, 1098635956, 1732951811, 150067724, 2417766207, 4152571821, 2759971924, 4284842765], [3336022203, 2569311431, 2752777107, 1441977867, 1279003682, 3861567631, 1064716472, 3046493996, 1339401643, 39466446, 1464905290, 420733872, 2057911345, 2418624800, 2193625430, 1558527155, 4224908000, 207684355], [2681129718, 4210889596, 4051161171, 3131196482, 1128312875, 938670840, 2828563599, 3078146488, 1102989364, 3557724304, 156013303, 2371355565, 3608679353, 3513837899, 155622460, 396656112, 2493417457, 876296360], [3135876409, 181875076, 3662181650, 3851859805, 3626146919, 90441351, 1944988720, 585429580, 3158268550, 1399100291, 3688843295, 2851190, 2670576474, 3177735154, 3479499727, 197376977, 1790622954, 2393956089]]
c = long_to_bytes(86636143607943838782783466877732215397)
for real_p in range(low_p, p):
for real_q in range(low_q, q):
predictor = MT19937Predictor()
predictor.setrandbits(real_p, 96)
predictor.setrandbits(real_q, 96)
predictor.setrandbits(x2, 160)
predictor.setrandbits(x3, 32)
for kk in keys:
for k in kk:
predictor.setrandbits(k, 32)
key = long_to_bytes(predictor.getrandbits(128))
a = AES.new(key,AES.MODE_ECB)
m = a.decrypt(c)
if b"_" in m and b"." in m:
print(real_p, real_q, m)
# b'No.321_hack_road'from random import Random
from Crypto.Util.number import bytes_to_long, long_to_bytes
from Crypto.Cipher import AES
from gmpy2 import *
def invert_right(m,l,val=''):
length = 32
mx = 0xffffffff
if val == '':
val = mx
i,res = 0,0
while i*l<length:
mask = (mx<<(length-l)&mx)>>i*l
tmp = m & mask
m = m^tmp>>l&val
res += tmp
i += 1
return res
def invert_left(m,l,val):
length = 32
mx = 0xffffffff
i,res = 0,0
while i*l < length:
mask = (mx>>(length-l)&mx)<<i*l
tmp = m & mask
m ^= tmp<<l&val
res |= tmp
i += 1
return res
def invert_temper(m):
m = invert_right(m,18)
m = invert_left(m,15,4022730752)
m = invert_left(m,7,2636928640)
m = invert_right(m,11)
return m
def clone_mt(record):
state = [invert_temper(i) for i in record]
gen = Random()
gen.setstate((3,tuple(state+[0]),None))
return gen
# level1
p1 = 22186905890293167337018474103
q1 = 64390888389278700958517837593
rand1_start = 0x47b09412596ff11aa603be43
rand2_start = 0xd00ee4fdff12cba26af83ebf
# level2
rand3 = 0xf10fb5b5aef00592425752d03e910c76bc205d81
n = 134949786048887319137407994803780389722367094355650515833817995038306119197600539524985448574053755793699799863164150565217726975197643634831307454431403854861515253009970594684699064052739820092115115614153962139870020206132705821506686959283747802946805730902605814619499301779892151365118901010526138311982
p2 = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
q2 = n//p2
start = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526561468278997
end = 11616788973244169211540879051135531683500013311175857700532973853592727185033846064980717918194540453710515251945345524986932165003196804187526563615762644
rand4 = (q2-start)*2 # maybe+1
# level3
key = [[978955513, 2055248981, 3094004449, 411497641, 4183759491, 521276843, 1709604203, 3162773533, 2140722701, 782306144, 421964668, 356205891, 1039083484, 1911377875, 1661230549, 312742665, 3628868938, 2049082743], [3833871085, 2929837680, 2614720930, 4056572317, 3787185237, 93999422, 590001829, 429074138, 3012080235, 2336571108, 831707987, 3902814802, 2084593018, 316245361, 1799842819, 2908004545, 120773816, 2687194173], [3213409254, 3303290739, 742998950, 2956806179, 2834298174, 429260769, 769267967, 1301491642, 2415087532, 1055496090, 690922955, 2984201071, 3517649313, 3675968202, 3389582912, 2632941479, 186911789, 3547287806], [4149643988, 3811477370, 1269911228, 3709435333, 1868378108, 4173520248, 1573661708, 2161236830, 3266570322, 1611227993, 2539778863, 1857682940, 1020154001, 92386553, 3834719618, 3775070036, 3777877862, 2982256702], [4281981169, 2949541448, 4199819805, 3654041457, 3300163657, 1674155910, 1316779635, 66744534, 3804297626, 2709354730, 2460136415, 3983640368, 3801883586, 1068904857, 4178063279, 41067134, 752202632, 3143016757], [3078167402, 2059042200, 252404132, 415008428, 3611056424, 1674088343, 2460161645, 3311986519, 3130694755, 934254488, 898722917, 2865274835, 567507230, 1328871893, 3903457801, 2499893858, 492084315, 183531922], [3529830884, 4039243386, 233553719, 4118146471, 1646804655, 2089146092, 2156344320, 2329927228, 508323741, 1931822010, 579182891, 176447133, 597011120, 3261594914, 2845298788, 3759915972, 3095206232, 3638216860], [3352986415, 4264046847, 3829043620, 2530153481, 3421260080, 1669551722, 4240873925, 2101009682, 3660432232, 4224377588, 929767737, 3729104589, 2835310428, 1727139644, 1279995206, 1355353373, 2144225408, 1359399895], [3105965085, 818804468, 3230054412, 2646235709, 4053839846, 2878092923, 587905848, 1589383219, 2408577579, 880800518, 28758157, 1000513178, 2176168589, 187505579, 89151277, 1238795748, 8168714, 3501032027], [3473729699, 1900372653, 305029321, 2013273628, 1242655400, 4192234107, 2446737641, 1341412052, 304733944, 4174393908, 2563609353, 3623415321, 49954007, 3130983058, 425856087, 2331025419, 34423818, 2042901845], [1397571080, 1615456639, 1840339411, 220496996, 2042007444, 3681679342, 2306603996, 732207066, 663494719, 4092173669, 3034772067, 3807942919, 111475712, 2065672849, 3552535306, 138510326, 3757322399, 2394352747], [371953847, 3369229608, 1669129625, 168320777, 2375427503, 3449778616, 1977984006, 1543379950, 2293317896, 1239812206, 1198364787, 2465753450, 3739161320, 2502603029, 1528706460, 1488040470, 3387786864, 1864873515], [1356892529, 1662755536, 1623461302, 1925037502, 1878096790, 3682248450, 2359635297, 1558718627, 116402105, 3274502275, 2436185635, 771708011, 3484140889, 3264299013, 885210310, 4225779256, 363129056, 2488388413], [2636035482, 4140705532, 3187647213, 4009585502, 351132201, 2592096589, 3785703396, 750115519, 3632692007, 3936675924, 3635400895, 3257019719, 1928767495, 2868979203, 622850989, 3165580000, 4162276629, 4157491019], [1272163411, 1251211247, 357523138, 1233981097, 1855287284, 4079018167, 4028466297, 92214478, 4290550648, 648034817, 1247795256, 3928945157, 1199659871, 397659647, 3360313830, 561558927, 3446409788, 2727008359], [1470343419, 3861411785, 953425729, 65811127, 458070615, 1428470215, 3101427357, 1137845714, 1980562597, 4120983895, 45901583, 2869582150, 427949409, 3025588000, 3231450975, 3313818165, 4015642368, 3197557747], [2452385340, 111636796, 897282198, 4273652805, 1223518692, 3680320805, 2771040109, 3617506402, 3904690320, 77507239, 3010900929, 4099608062, 546322994, 1084929138, 902220733, 4054312795, 1977510945, 735973665], [3729015155, 3027108070, 1442633554, 1949455360, 2864504565, 3673543865, 446663703, 3515816196, 1468441462, 897770414, 2831043012, 707874506, 1098228471, 1225077381, 3622448809, 2409995597, 3847055008, 1887507220], [1839061542, 1963345926, 2600100988, 1703502633, 1824193082, 3595102755, 2558488861, 2440526309, 3909166109, 1611135411, 2809397519, 1019893656, 3281060225, 2387778214, 2460059811, 198824620, 1645102665, 865289621], [224442296, 3009601747, 3066701924, 1774879140, 880620935, 2676353545, 3748945463, 1994930827, 75275710, 3710375437, 4132497729, 3010711783, 3731895534, 2434590580, 3409701141, 2209951200, 995511645, 3571299495], [2337737600, 110982073, 2985129643, 1668549189, 3298468029, 698015588, 2945584297, 1036821195, 4249059927, 3384611421, 3304378629, 1307957989, 602821252, 184198726, 1182960059, 4200496073, 1562699893, 3320841302], [5866561, 2442649482, 479821282, 2687097642, 3347828225, 1876332308, 2704295851, 2952277070, 1803967244, 2837783916, 658984547, 3605604364, 1931924322, 3285319978, 556150900, 3795666798, 261321502, 1040433381], [3855222954, 3565522064, 1841853882, 1066304362, 3552076734, 3075952725, 2193242436, 2052898568, 2341179777, 3089412493, 165812889, 4196290126, 3568567671, 28097161, 2249543862, 1251207418, 522526590, 765541973], [1801734077, 2132230169, 667823776, 3900096345, 3119630138, 3620542178, 2900630754, 30811433, 608818254, 1040662178, 900811411, 3221833258, 43598995, 1818995893, 2718507668, 3445138445, 3217962572, 1437902734], [1812768224, 392114567, 2694519859, 1941199322, 2523549731, 2078453798, 851734499, 2376090593, 2069375610, 4084690114, 246441363, 4154699271, 58451971, 31806021, 4158724930, 2741293247, 3230803936, 2790505999], [3906342775, 2231570871, 1258998901, 1517292578, 162889239, 3130741176, 3925266771, 1780222960, 2378568279, 3873144834, 1597459529, 1581197809, 4101706041, 196019642, 1439141586, 587446072, 2012673288, 1280875335], [4058452685, 653145648, 553051697, 1406542226, 4053722203, 994470045, 2066358582, 3919235908, 2315900402, 3236350874, 172880690, 3104147616, 489606166, 3898059157, 200469827, 665789663, 3116633449, 4137295625], [1460624254, 4286673320, 2664109800, 1995979611, 4091742681, 2639530247, 4240681440, 2169059390, 1149325301, 3139578541, 2320870639, 3148999826, 4095173534, 2742698014, 3623896968, 2444601912, 1958855100, 1743268893], [2187625371, 3533912845, 29086928, 543325588, 4247300963, 1972139209, 272152499, 4276082595, 3680551759, 1835350157, 3921757922, 2716774439, 1070751202, 69990939, 3794506838, 699803423, 3699976889, 40791189], [539106994, 1670272368, 3483599225, 2867955550, 2207694005, 1126950203, 693920921, 2333328675, 539234245, 1961438796, 3126390464, 1118759587, 59715473, 1450076492, 4101732655, 3658733365, 940858890, 1262671744], [3092624332, 2175813516, 3355101899, 3657267135, 770650398, 359506155, 4149470178, 3763654751, 1184381886, 942048015, 523057971, 1098635956, 1732951811, 150067724, 2417766207, 4152571821, 2759971924, 4284842765], [3336022203, 2569311431, 2752777107, 1441977867, 1279003682, 3861567631, 1064716472, 3046493996, 1339401643, 39466446, 1464905290, 420733872, 2057911345, 2418624800, 2193625430, 1558527155, 4224908000, 207684355], [2681129718, 4210889596, 4051161171, 3131196482, 1128312875, 938670840, 2828563599, 3078146488, 1102989364, 3557724304, 156013303, 2371355565, 3608679353, 3513837899, 155622460, 396656112, 2493417457, 876296360], [3135876409, 181875076, 3662181650, 3851859805, 3626146919, 90441351, 1944988720, 585429580, 3158268550, 1399100291, 3688843295, 2851190, 2670576474, 3177735154, 3479499727, 197376977, 1790622954, 2393956089]]
data = []
for i in key:
data += i
tt = []
for i in range(5):
a = (rand3>>(32*i))&0xffffffff
tt.append(a)
cipher = long_to_bytes(30083187577212262718109298947838809672)
level5_q = 8969855733022131749661461631941829558599804649974054961356887065914210362150413862237851758018323719639766908084483692197684733902511290572485794820181091
for i in range(0, p1-rand1_start+1):
for j in range(0, q1-rand2_start+1):
rand_list = [0xa603be43+i, 0x596ff11a, 0x47b09412, 0x6af83ebf+j, 0xff12cba2,0xd00ee4fd]
#rand_list
rand_list += tt
rand_list.append(rand4)
rand_list += data
#print(len(rand_list))
g = clone_mt(rand_list[:624])
for i in range(624):
g.getrandbits(32)
aes_key = long_to_bytes(g.getrandbits(128))
a = AES.new(aes_key,AES.MODE_ECB)
msg = a.decrypt(cipher)
if b"_" in msg and b"." in msg:
print (msg)
g_val = g.randrange(level5_q-1)
x_val = g.randrange(level5_q-1)
y_val = g.randrange(level5_q-1)
print(x_val)
print(y_val)
#print(g.randrange(level5_q-1))
exit()
#print(rand_list)
# No.777_hack_roadstage5
通过encrypt4的结果,可以预测出x和y,直接求逆元
q = 10633907791737940618251181242781657501421066561498924963325211137527914761294120366839373944631586742065134364371088754330142268137893939163058957321576561
g = 8720814254745089777252083344348851268520692318828030452122549926748859741402125799736178655620806485161358327515735405190921467358304697344848268434382637
h = 216104228861939108659993238797563154032915211504674449037936765120276850117374086975724449214309729354051557008730636227236538575874972134049994788523813
c1 = 7817920260306785410429732536522063841014966012571136751203203255948059437849813558135804344666976405241078856792098062469662771961521371324108084300684264
c2 = 1481745904444589773553565664060921310797602864298274327867977946855979227560424911012281403108577341726903090365418372162573660146505537528621522795919444
x = 9822319831145639889399192873724927105364592110824181727353156671381463280159058437888977193488677536845463844419172111367153742079974570210756921507694749
y = 10544310008565707953300017333140586669346866310149394258835632607185373394755336326688614571016325718052311732879807687887700577256797156198372049034609748
s = pow(g,x*y,q)
d = invert(s, q)
school = long_to_bytes(c2*d % q)signin
from Crypto.Util.number import *
from secret import flag
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x10001
x = (p ^ q) & ((1 << 400) - 1)
m = bytes_to_long(flag)
c = pow(m,e,n)
print("c = " + str(c))
print("e = " + str(e))
print("n = " + str(n))
print("x = " + str(x))
'''
c = 63488316931652165283768913693816254792896563414188573961010693330775143775030913217280890394659049814570506800869658798199766919279796699387348933980902437475407321186495972207055265266498997713893677789253948774459839170286422387924339017064620132596766605191433871936998603329570606903349148944177923042129
e = 65537
n = 96718802331928486399440471324839538140537235267473988763367174256395151407905179947160991624325793272001609865770400579479699246848732420404657206862379932460142346799183080432865152364837341193526953437531245191267443260742413602677075914430257485504145532873739572516607058139153045169040886155418058016911
x = 463242922872367824870065968430782963359186990291269168445088582686817098312265100478236517597115371129636612590922320350
'''从低位开始爆p和q,然后coppersmith恢复完整p
from Crypto.Util.number import *
from tqdm import tqdm
def partial_p(p0, kbits, n):
PR.<x> = PolynomialRing(Zmod(n))
f = 2^kbits*x + p0
f = f.monic()
roots = f.small_roots(X=2^(512-400), beta=0.3)
if roots:
x0 = roots[0] p = gcd(2^kbits*x0 + p0, n)
return ZZ(p)
c=10596436316702975331757245462986198885301724048262518406484407333732479367281391721838409014300075432774547867593888041793907018506284214898432640973347078422928998238442248280691301186797140197558662739254993848349695033133188448729071498559155478959476706983817882517886102203599090653816022071957312164735
e = 65537
n=8155990545235762305942964668342247736295216728266368540195169506979295314955050891505710001565324688518869552158352973775125495489356670253131336576193297430372996733167117860614537929385674351385426263721446579053403377365996744019246235251434285658196966440781084168142352073493973147145455064635516373317
x=544528274874907263426386536858394514838784460789819080620775891616788086097329057778520781763108994646626718779325717092
class Solver:
def __init__(self, x, n):
self.x = x
self.n = n
self.pq = [(0, 0)]
def add(self, b, p, q):
# print(bin((p * q) & (2*b-1)))
# print(bin(n & (2*b-1)))
if (p * q) & (2*b-1) == n & (2*b-1):
self.pq.append((p, q))
def solve(self):
for shift in tqdm(range(0, 400)):
b = 1 << shift
pq, self.pq = self.pq, []
for p, q in pq:
if self.x & b:
self.add(b, p | b, q)
self.add(b, p, q | b)
else:
self.add(b, p, q)
self.add(b, p | b, q | b)
return self.pq
def solve():
solver = Solver(x,n)
pqs = solver.solve()
for pq in tqdm(pqs):
p0 = ZZ(pq[0])
p = partial_p(p0, 400, n)
if p and p != 1:
return p
p = solve()
if not p:
print('WTF')
exit(0)
q = n//p
phi = (p-1)*(q-1)
d = inverse(e, phi)
m = long_to_bytes(pow(c,d,n))
print(m)长城杯
baby_rsa
#!/usr/bin/env python3
from Crypto.Util.number import *
from secret import flag, v1, v2, m1, m2
def enc_1(val):
p, q = pow(v1, (m1+1))-pow((v1+1), m1), pow(v2, (m2+1))-pow((v2+1), m2)
assert isPrime(p) and isPrime(q) and (
p*q).bit_length() == 2048 and q < p < q << 3
return pow(val, 0x10001, p*q)
def enc_2(val):
assert val.bit_length() < 512
while True:
fac = [getPrime(512) for i in range(3)]
if isPrime(((fac[0]+fac[1]+fac[2]) << 1) - 1):
n = fac[0]*fac[1]*fac[2]*(((fac[0]+fac[1]+fac[2]) << 1) - 1)
break
c = pow(val, 0x10001, n)
return (c, n, ((fac[0]+fac[1]+fac[2]) << 1) - 1)
if __name__ == "__main__":
assert flag[:5] == b'flag{'
plain1 = bytes_to_long(flag[:21])
plain2 = bytes_to_long(flag[21:])
print(enc_1(plain1))
print(enc_2(plain2))
'''
15808773921165746378224649554032774095198531782455904169552223303513940968292896814159288417499220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805904134099901826858367778386342376768508031554802249075072366710038889306268806744179086648684738023073458982906066972340414398928411147970593935244077925448732772473619783079328351522269170879807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341115227515163545709454746272514827000601853735356551495685229995637483506735448900656885365353434308639412035003119516693303377081576975540948311
(40625981017250262945230548450738951725566520252163410124565622126754739693681271649127104109038164852787767296403697462475459670540845822150397639923013223102912674748402427501588018866490878394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654127691743944112075703814043622599530496100713378696761879982542679917631570451072107893348792817321652593471794974227183476732980623835483991067080345184978482191342430627490398516912714451984152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314400518151019955104989790911460357848366016263083, 43001726046955078981344016981790445980199072066019323382068244142888931539602812318023095256474939697257802646150348546779647545152288158607555239302887689137645748628421247685225463346118081238718049701320726295435376733215681415774255258419418661466010403928591242961434178730846537471236142683517399109466429776377360118355173431016107543977241358064093102741819626163467139833352454094472229349598479358367203452452606833796483111892076343745958394932132199442718048720633556310467019222434693785423996656306612262714609076119634814783438111843773649519101169326072793596027594057988365133037041133566146897868269, 39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557011554851873068389016629085963086136116425352535902598378739)
'''爆破v,m解flag1,最后⼀个因⼦不⼩于513位,⽽flag2⼩于512位,分解最后⼀个因⼦,按rsa解密得到flag2
from Crypto.Util.number import *
c=158087739211657463782246495540327740951985317824559041695522233035139409682928968141592884174
99220739875833754573943607047855256739976161598599903932981169979509871591999964856806929597805
90413409990182685836777838634237676850803155480224907507236671003888930626880674417908664868473
80230734589829060669723404143989284111479705939352440779254487327724736197830793283515222691708
79807064111318871074291073581343039389561175391039766936376267875184581643335916049461784753341
11522751516354570945474627251482700060185373535655149568522999563748350673544890065688536535343
4308639412035003119516693303377081576975540948311
for m in range(1024,2,-1):
v=2
p=pow(v, (m+1))-pow((v+1), m)
while p.bit_length()<=1024:
if isPrime(p):
d=inverse(0x10001,p-1)
text=long_to_bytes(pow(c,d,p))
if len(text)==21:
print(v,m)
print(text)
v+=1
p=pow(v, (m+1))-pow((v+1), m)
from Crypto.Util.number import *
c,n,d=
(4062598101725026294523054845073895172556652025216341012456562212675473969368127164912710410903
81648527877672964036974624754596705408458221503976399230132231029126747484024275015880188664908
78394678482061561521253365550029075565507988232729032055298992792712574569704846075514624824654
12769174394411207570381404362259953049610071337869676187998254267991763157045107210789334879281
73216525934717949742271834767329806238354839910670803451849784821913424306274903985169127144519
84152960348899589532751919272583098764118161056078536781341750142553197082925070730178092561314
400518151019955104989790911460357848366016263083,
43001726046955078981344016981790445980199072066019323382068244142888931539602812318023095256474
93969725780264615034854677964754515228815860755523930288768913764574862842124768522546334611808
12387180497013207262954353767332156814157742552584194186614660104039285912429614341787308465374
71236142683517399109466429776377360118355173431016107543977241358064093102741819626163467139833
35245409447222934959847935836720345245260683379648311189207634374595839493213219944271804872063
35563104670192224346937854239966563066122627146090761196348147834381118437736495191011693260727
93596027594057988365133037041133566146897868269,
39796272592331896400626784951713239526857273168732133046667572399622660330587881579319314094557
011554851873068389016629085963086136116425352535902598378739)
p=
[191,193,627383,1720754738477317127758682285465031939891059835873975157555031327070111123628789
833299433549669619325160679719355338187877758311485785197492710491]
phi=1
for i in p:
phi*=i-1
# print(d)
dd=inverse(0x10001,phi)
print(long_to_bytes(pow(c,dd,d)))
DAS九月赛
签到
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
import random
flag=b'flag{******************}'
n = 2 ** 256
flaglong=bytes_to_long(flag)
m = random.randint(2, n-1) | 1
c = pow(m, flaglong, n)
print('m = ' + str(m))
print('c = ' + str(c))
# m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
# c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
离散对数
from sympy import *
from libnum import *
m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
n = 2 ** 256
print(n2s(int(discrete_log(n, c, m))))
# b'flag{DASCTF_zjut}'RSA1
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from flag import get_flag
from hashlib import sha512
from Crypto.Util.number import getPrime,bytes_to_long
from libnum import invmod, gcd
import random
def m_exit(n):
print "==============Game Over!================="
exit(n)
def cal_bit(num):
num = int(num)
l = len(bin(num))
return l-2
def pi_b(x):
bt = 536380958350616057242691418634880594502192106332317228051967064327642091297687630174183636288378234177476435270519631690543765125295554448698898712393467267006465045949611180821007306678935181142803069337672948471202242891010188677287454504933695082327796243976863378333980923047411230913909715527759877351702062345876337256220760223926254773346698839492268265110546383782370744599490250832085044856878026833181982756791595730336514399767134613980006467147592898197961789187070786602534602178082726728869941829230655559180178594489856595304902790182697751195581218334712892008282605180395912026326384913562290014629187579128041030500771670510157597682826798117937852656884106597180126028398398087318119586692935386069677459788971114075941533740462978961436933215446347246886948166247617422293043364968298176007659058279518552847235689217185712791081965260495815179909242072310545078116020998113413517429654328367707069941427368374644442366092232916196726067387582032505389946398237261580350780769275427857010543262176468343294217258086275244086292475394366278211528621216522312552812343261375050388129743012932727654986046774759567950981007877856194574274373776538888953502272879816420369255752871177234736347325263320696917012616273L
return invmod(x, bt)
def get_ed(p, q):
k = cal_bit(q*p)
phi_n = (p-1)*(q-1)
r = random.randint(10, 99)
while True:
u = getPrime(k/4 - r)
if gcd(u, phi_n) != 1:
continue
t = invmod(u, phi_n)
e = pi_b(t)
if gcd(e, phi_n) == 1:
break
d = invmod(e, phi_n)
return (e, d)
def main():
flag = get_flag()
p=getPrime(2048)
q=getPrime(2048)
n = p * q
e, d = get_ed(p, q)
print "n: ", hex(n)
print "e: ", hex(e)
flag = bytes_to_long(flag)
enc_flag = pow(flag, e, n)
print "Your flag is: ", hex(enc_flag)
if __name__ == '__main__':
main()
原题:HCTF2016 Crypto So Interesting
github搜到脚本:https://github.com/Hcamael/ctf-library/blob/master/RSA1/rsa1_payload.py
先算出e模bt的逆元是t,然后用t和n做维纳攻击的e和n算出私钥也就是u,转化为已知e和d分解n的问题,分解n得到p和q就是常规rsa了
当时的脚本没保存,现在重新拿一组数据
from Crypto.Util.number import *
from libnum import *
import random
import gmpy2
from RSAwienerHacker import *
e = 0x34fe99f3d5eb3459c170f76b650d3c0812e917c4f670dcbaf2c197ada22e637a28f76965508abf327d99bb835895efa868e0efe535f43db0918d94090acb6561bfd9528fe045c8c875477bf1ff4c1c219c6ea704eecce8d69d633bcc2afd7fccdf30e2494e92f522ffed7c07f840f8aa8ae830b615bcee7e5c160505c71bce2754fee3e15bf2c1e2d0038bddb6a0f14e5207a74b2a8537c9623df80a239fba1dd91251cbeb36e5a6d01ef0decfbbc225c3440ee133aeea40f5fd218de3629246b8631abcd2444eb0c8f40b0ec6278d53a9ecc871746d2282441ab04e5fb25b2823456114572bf7ad652c5c72454a76e483c07d77e20fbe20ebcb9cc09d03b1d771163f0219c8f0c9dc467411bd1101b554c4386745e850c1367f13026fc52bc1cbfabd90a70efdd249f88e3dec4d9fd637db6ba1f76b77a4e76d7390fe9e85ac4fdada7ff077d6cce138d74ee10e91806b8641b01da4e1350164a4e0e86faa73f5bfd2ee254944978aacb03df52ef69b4caa9efed840dfc419959d4da459bd6c8809af4aaaf5f64a2070a024e34874be0576899da2354a487d3ed0d55e02c0b6d481f3f79ad62ae0c6bda3bbc0d6bbb964d221a755a2a8a5915d8769eabc9dc9efd7d576d0a567021d4402e1af6f18cf01c487ff87cb4c4549d093894a0ef5e26a9e35306a985dd0b742dd31809af4e7fd25eca15c432b4dedc84355d48e0ff5
c = 0xa9b3e83be02e4dd87c58f8b85266387e15ce551649451797bc4422adb6b90e3daaaea1aab41ca9900bc1b2a6fc3de35f5c1631ffd8252a5490ad0767647aa4cea802428e5efc0db76076e0cd30b695bef7e7cc4bc764fed1bcc678a78f6b6329211d47a462853eaca527685d9dea4c595bf25d0d4825a6f6a3940cea5658ed8f10e5582d65f1722a88b2affe144fe660fb6502c73283e249d96c4efbbf91fbf6a25d92cd9582a9d9ae85783ef382d12626125ffa10da386a551323826f5a81994d051a881065de70ec5c71ba325e83e151fc6e6fc51a8f24f572947d48346b9b3afa3837f4a9e95b0ebfeb5a93a0485c95260df4f79b910fcece6ec3af00efd7e530978b1f4a1d2ec819cec0b93ac6d2b0bc56f5a09caff5273f8a076bfd7e14fdad560eee0dd7827f25b63ac4bbe0081132f73910fc34d0cc8943341da614b318e0680a57a2247d0bb7822ba653acdf646e28286452f0dc2fd14a88b9172bb404c595910519958a49007399ff0e5f8e8ea9d0c0ad7daa9e17527466160f54b37f05209e539a28cde760208cc8a7ca792b491bc4ee0f44691c259bccf80aad702580a930c8adeddc7103d2890985b146f0b96da04cee3fcf2dc25035ae327f77144c172779fd154cf8c18da0e3bda2411d55e5565e0bd4884f742a3800edcd2498cbcdc7cccbedd9cd635139af76ea640d095c6042c9720e51d0d5803d306101
bt = 536380958350616057242691418634880594502192106332317228051967064327642091297687630174183636288378234177476435270519631690543765125295554448698898712393467267006465045949611180821007306678935181142803069337672948471202242891010188677287454504933695082327796243976863378333980923047411230913909715527759877351702062345876337256220760223926254773346698839492268265110546383782370744599490250832085044856878026833181982756791595730336514399767134613980006467147592898197961789187070786602534602178082726728869941829230655559180178594489856595304902790182697751195581218334712892008282605180395912026326384913562290014629187579128041030500771670510157597682826798117937852656884106597180126028398398087318119586692935386069677459788971114075941533740462978961436933215446347246886948166247617422293043364968298176007659058279518552847235689217185712791081965260495815179909242072310545078116020998113413517429654328367707069941427368374644442366092232916196726067387582032505389946398237261580350780769275427857010543262176468343294217258086275244086292475394366278211528621216522312552812343261375050388129743012932727654986046774759567950981007877856194574274373776538888953502272879816420369255752871177234736347325263320696917012616273
n = 0xae1e3e6c9b458b8b5c55b87d5ad27bad43965933b367033c8a03f0dec83952de01a0128f994a02e2c08472cd2ea078ffbbd80327865a2aa35f12bc5df786ddcf2cec5c77e0e8b54355421365be82c64e76068d6cb62f0c1a68065b62f36354bb921d46b632ed1a839e3ca4eb934db6d79b09f2312637674a068bfdd8af85a5edf785e8a51b9861342246a59e843d94e2358f599b5db4aaefc05aa36d21ca3dd661d4af642e5ec0327b864727ac00d564be7ca4d55264c6ed040a632839ca6c0c0794754e9ccb651b2931ba69636a7f601cb3bb2bfbabcb575bfb3adbe8e431f384fe5596fd6ed72db67c10f2bb44f3487ef5aac0ea4b20f03cc0d13011297aa22d2e7f77c659e23b99c95dc626ee5c5d065136b14a370ca7650ad520cd0a1afcdd413bbb88d859644369088e042e065cf66f87f30a22e816b8b6b22859a9758c558af29560521c113fcc23d8d0a3f7a1032e3d3bf2e089825e8e3974e8c18a82d3a0078639a007382889c8191a20ad63975b4a32e6facd9d2bd7e83ad62214c051959cc199e0b72b50984806e1e5f3c5977a2c4d470aec32a63a2b5d3d048a2925eae89da9517719dc4f1f8150ec08f945129a1e7da533fe7584afbb5d5ef7d3cab78ab07bd8727fd797dddaf5ae940817ef657ea8b3f8a18c64ce38ffab955d033b271cc1c5b80068c8107a7a60119980877910feea0d2209f936c81d3c3d69
t = invmod(e, bt)
u = hack_RSA(t, n)
def getp(n, e, d):
while True:
k = e * d - 1
g = random.randint(0, n)
while k % 2 == 0:
k = k // 2
temp = pow(g, k, n) - 1
if GCD(temp, n) > 1 and temp != 0:
return GCD(temp, n)
p = getp(n, t, u)
q = n // p
d = invmod(e, (p-1)*(q-1))
print(long_to_bytes(pow(c, d, n)))
# Hacked!
# b'flag{5a05f9f4-87b3-474d-b2eb-fabb6a89228f}'easy_pow
from Crypto.Util.number import *
from gmpy2 import lcm, invert
from secret import flag
e = 65537
p = getPrime(512)
q = getPrime(512)
n = p**4*q
c = pow(bytes_to_long(flag), e, n)
print(c)
hint1 = (invert(e, lcm(p - 1, q - 1))) % (p - 1)
print(hint1)
b = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
a = 2021*p**3 + 2022 + 2023*p**4
hint2 = pow(2, a, b)
print(hint2)
# c = 299017261835189498646801799047751320695668439348487790148528895116908291237131013926772081799359589818341682677111543442738252080655908837832980607220654285415406849188648588876074312051164587055277017087038387169198951679119726082130868577905495307509637437814639023859871022938423168215797501175602649102621121969715328259139345090638555904577654447171932081642373835789445132466483809296734563016796846181929739289611878336934959331072502575341363049247881265649823417307615491433072850482074652957723543487026059316519285366802688885941059639121330455152478436982943059233339674041805741182096012792918311275489444605460198614371459471817407804289704524901847153843161249387208624993194285848787852634062441217234375549379380562009770380599080279723135784896688900810431588688332192335709518547640569711433618297677079620698012458053569647547533141501523434448045634646828827172848593990693592901227377493322141118565281304196426176682214434838100064256923548036690051664051936039970959246550139917211615752871493362724592143267948814481824417708986007126979214014590455837766290295441889285916265364654809662082923890960381278762698116724490968196229881400330090923027715288555056444792729745833577501899130568724790858022446326695539071814537878834059655627706444192634195723979046739351624465832476575907100097011055108105860691993049169856798600475407542166158235082147463523443663009573254123280611097423735159597787799640249067078454450453894294270686260545979274
# hint1 = 5721198034334676541837614694444858336798773246799126905170215130476545540224374062960340456885923620963383130312535476337226014394595162625328729352118817
# hint2 = 70105679627771719775142746553136794250337998462106229956679264658530098746665466868944855488308669706231622476566195559705924155363353360283408488917464065710623926781621366649773018113928630700594350396854359790092271835687816435058239792764298042156558375596434224003013749584571959306678511753195214791439107077903813757339868710576521858061442786434257451730633431229846440096297272405246087428205202111469272496134202922842748813992627453559734564891714846769627501147879058486675487738815514505109515031476986129016953015076080656764571648130270143686579720157712521222948534007797015393032826637675765983480855079052044005355401993107282102074405371246891417816527026361635916312955134612786069557685941228464218624689513588345168398491708253400514386622804630997这题自我怀疑了一下午,前后矛盾,用离散对数求出的a远远大于四次方程的实际得数,最后才发现出题人把c和hint2的值搞反了。。。
预期解:
根据hint2求离散对数然后解方程得到p
# sage
from Crypto.Util.number import *
e = 65537
b = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
c = 299017261835189498646801799047751320695668439348487790148528895116908291237131013926772081799359589818341682677111543442738252080655908837832980607220654285415406849188648588876074312051164587055277017087038387169198951679119726082130868577905495307509637437814639023859871022938423168215797501175602649102621121969715328259139345090638555904577654447171932081642373835789445132466483809296734563016796846181929739289611878336934959331072502575341363049247881265649823417307615491433072850482074652957723543487026059316519285366802688885941059639121330455152478436982943059233339674041805741182096012792918311275489444605460198614371459471817407804289704524901847153843161249387208624993194285848787852634062441217234375549379380562009770380599080279723135784896688900810431588688332192335709518547640569711433618297677079620698012458053569647547533141501523434448045634646828827172848593990693592901227377493322141118565281304196426176682214434838100064256923548036690051664051936039970959246550139917211615752871493362724592143267948814481824417708986007126979214014590455837766290295441889285916265364654809662082923890960381278762698116724490968196229881400330090923027715288555056444792729745833577501899130568724790858022446326695539071814537878834059655627706444192634195723979046739351624465832476575907100097011055108105860691993049169856798600475407542166158235082147463523443663009573254123280611097423735159597787799640249067078454450453894294270686260545979274
hint1 = 5721198034334676541837614694444858336798773246799126905170215130476545540224374062960340456885923620963383130312535476337226014394595162625328729352118817
hint2 = 70105679627771719775142746553136794250337998462106229956679264658530098746665466868944855488308669706231622476566195559705924155363353360283408488917464065710623926781621366649773018113928630700594350396854359790092271835687816435058239792764298042156558375596434224003013749584571959306678511753195214791439107077903813757339868710576521858061442786434257451730633431229846440096297272405246087428205202111469272496134202922842748813992627453559734564891714846769627501147879058486675487738815514505109515031476986129016953015076080656764571648130270143686579720157712521222948534007797015393032826637675765983480855079052044005355401993107282102074405371246891417816527026361635916312955134612786069557685941228464218624689513588345168398491708253400514386622804630997
# a = discrete_log(c, mod(2, b))
# var('p')
# print(solve([2021*p^3 + 2022 + 2023*p^4 == a],[p]))
p = 9849483964909942642702841079905240118177503474715624145847966507461420748914700088374273209071471481219849748116334914172343735036739076730486732571971497
mp1 = pow(hint2, hint1, p)
mp = pow(hint2, hint1 - 1, p)
x = pow(hint2 - pow(mp1, e), 1, p ** 2)
y = pow(x * mp * (inverse_mod(e, p)), 1, p ** 2)
mp1 += y
print(long_to_bytes(mp1))
# b'flag{24uz5n82476b3315k6m8rk333b37pa22}'非预期:不用管hint2,直接根据hint1给的dp爆破p
for i in tqdm(range(1, e)):
if(hint1 * e - 1) % i == 0:
p=((hint1 * e - 1) // i) + 1
if isPrime(p):
mp1 = pow(hint2, hint1, p)
mp = pow(hint2, hint1 - 1, p)
x = pow(hint2 - pow(mp1, e), 1, p**2)
try:
y = pow(x * mp * (invert(e, p)), 1, p**2)
except:
pass
mp1 = mp1 + y
print(long_to_bytes(mp1))长安杯
easyRSA
from Crypto.Util.number import *
from secret import flag
def add(a,b):
if(a<b):
a0 = str(b).encode()
b0 = str(a).encode()
else:
a0 = str(a).encode()
b0 = str(b).encode()
ans = 0
for i in range(len(a0)-len(b0)):
ans = ans*10+a0[i]-48
for i in range(len(b0)):
ans = ans*10+(a0[i+len(a0)-len(b0)]+b0[i]+4)%10
return ans
def mul(a,b):
if(a<b):
a0 = str(b).encode()
b0 = str(a).encode()
else:
a0 = str(a).encode()
b0 = str(b).encode()
ans = 0
for i in range(len(b0)):
ans = ans*10+((a0[i+len(a0)-len(b0)]+2)*(b0[i]+2))%10
return ans
m = bytes_to_long(flag)
e = 65537
p = getPrime(512)
q = getPrime(512)
n = p*q
c = pow(m,e,n)
print(add(p,q))
print(mul(p,q))
print(n)
print(c)
# 10399034381787849923326924881454040531711492204619924608227265350044149907274051734345037676383421545973249148286183660679683016947030357640361405556516408
# 6004903250672248020273453078045186428048881010508070095760634049430058892705564009054400328070528434060550830050010084328522605000400260581038846465000861
# 100457237809578238448997689590363740025639066957321554834356116114019566855447194466985968666777662995007348443263561295712530012665535942780881309520544097928921920784417859632308854225762469971326925931642031846400402355926637518199130760304347996335637140724757568332604740023000379088112644537238901495181
# 49042009464540753864186870038605696433949255281829439530955555557471951265762643642510403828448619593655860548966001304965902133517879714352191832895783859451396658166132732818620715968231113019681486494621363269268257297512939412717227009564539512793374347236183475339558666141579267673676878540943373877937先获取所有p,q十进制的组合,然后爆破组合根据n的低位判断是否合法,还原p,q
from Crypto.Util.number import *
# from secret import flag
def add(a,b):
if(a<b):
a0 = str(b).encode()
b0 = str(a).encode()
else:
a0 = str(a).encode()
b0 = str(b).encode()
ans = 0
# b0 < a0
for i in range(len(a0)-len(b0)):
ans = ans*10+a0[i]-48
for i in range(len(b0)):
ans = ans*10+(a0[i+len(a0)-len(b0)]+b0[i]+4)%10
return ans
def mul(a,b):
if(a<b):
a0 = str(b).encode()
b0 = str(a).encode()
else:
a0 = str(a).encode()
b0 = str(b).encode()
ans = 0
for i in range(len(b0)):
ans = ans*10+((a0[i+len(a0)-len(b0)]+2)*(b0[i]+2))%10
return ans
def collect(m):
res = []
while m:
res.append(m%10)
m //= 10
res = res[::-1]
return res
def solve(a,b):
x_add_y = (a-4)%10
x_mul_y = (b+4-2*a)%10
ans = []
for x in range(48,58):
for y in range(48,58):
if (x+y)%10 == x_add_y and (x*y)%10 == x_mul_y:
ans.append((x-48,y-48))
return ans
e = 65537
n = 100457237809578238448997689590363740025639066957321554834356116114019566855447194466985968666777662995007348443263561295712530012665535942780881309520544097928921920784417859632308854225762469971326925931642031846400402355926637518199130760304347996335637140724757568332604740023000379088112644537238901495181
p_add_q = 10399034381787849923326924881454040531711492204619924608227265350044149907274051734345037676383421545973249148286183660679683016947030357640361405556516408
p_mul_q = 6004903250672248020273453078045186428048881010508070095760634049430058892705564009054400328070528434060550830050010084328522605000400260581038846465000861
info1 = (collect(p_add_q))
info2 = (collect(p_mul_q))
guess = [0]
info1 = info1[1:]
cnt = 1
ans = 0
ans_p = [0]
ans_q = [0]
for i in range(len(info1)-1,-1,-1):
a = info1[i]
b = info2[i]
poss = solve(a,b)
print(poss)
pp_ans = []
qq_ans = []
for index in range(len(ans_p)):
pp = ans_p[index]
qq = ans_q[index]
for x, y in poss:
print(x,y)
nans_p = pp+x*(10**(cnt-1))
nans_q = qq+y*(10**(cnt-1))
print("cur",nans_p,nans_q)
if (nans_p * nans_q)%(10**cnt) == n%(10**cnt):
pp_ans.append(nans_p)
qq_ans.append(nans_q)
print("yes!!!",pp_ans,qq_ans)
print("qq_ans",qq_ans)
print("pp_ans",pp_ans)
# break
if pp_ans:
ans_p = pp_ans
ans_q = qq_ans
print("ans",ans_p,ans_q)
cnt += 1
from Crypto.Util.number import *
for p in ans_p:
if isPrime(p):
print(p)
p = 8307103755174226983699771812499382664784661030503034013965679561410051699975573257899430944515587916063550418050690024796566861042630720583592848475010689
q = n//p
phi = (p-1)*(q-1)
d = inverse(65537,phi)
c = 49042009464540753864186870038605696433949255281829439530955555557471951265762643642510403828448619593655860548966001304965902133517879714352191832895783859451396658166132732818620715968231113019681486494621363269268257297512939412717227009564539512793374347236183475339558666141579267673676878540943373877937
print(long_to_bytes(pow(c,d,n))https://blog.csdn.net/a5555678744/article/details/120479157
绿城杯
[warmup]加密算法
from Crypto.Util.number import *
from flag import flag
assert flag[:5]=='flag{'
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
def encode(plain_text, a, b, m):
cipher_text = ''
for i in plain_text:
if i in str1:
addr = str1.find(i)
cipher_text += str1[(a*addr+b) % m]
else:
cipher_text += i
print(cipher_text)
encode(flag,37,23,52)
# cipher_text = 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'52位的仿射密码解密,CSDN搜到了脚本一把梭。exp如下:
import string
def decrypt(k1,k2,message):
for i in range(52):
if k1*i%52==1:
inv = i
break
dic = string.ascii_letters
m = []
for i in message:
if i.islower():
num = ord(i)-ord('a')
m.append(dic[inv*(num-k2)%52])
elif i.isupper():
num = ord(i)-ord('A')+26
m.append(dic[inv*(num-k2)%52])
else:
m.append(i)
print(''.join(m))
decrypt(37, 23, 'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}')
# flag{AffInE_CIpheR_iS_clAssiC}RSA-1
from Crypto.Util.number import *
import gmpy2
from flag import flag
assert flag[:5]==b'flag{'
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p * q
print('n =',n)
e = 0x10001
M = 2021 * m * 1001 * p
c = pow(M,e,n)
print('c =',c)
#n = 17365231154926348364478276872558492775911760603002394353723603461898405740234715001820111548600914907617003806652492391686710256274156677887101997175692277729648456087534987616743724646598234466094779540729413583826355145277980479040157075453694250572316638348121571218759769533738721506811175866990851972838466307594226293836934116659685215775643285465895317755892754473332034234495795936183610569571016400535362762699517686781602302045048532131426035260878979892169441059467623523060569285570577199236309888155833013721997933960457784653262076135561769838704166810384309655788983073376941843467117256002645962737847
#c = 6944967108815437735428941286784119403138319713455732155925055928646536962597672941805831312130689338014913452081296400272862710447207265099750401657828165836013122848656839100854719965188680097375491193249127725599660383746827031803066026497989298856420216250206035068180963797454792151191071433645946245914916732637007117085199442894495667455544517483404006536607121480678688000420422281380539368519807162175099763891988648117937777951069899975260190018995834904541447562718307433906592021226666885638877020304005614450763081337082838608414756162253825697420493509914578546951634127502393647068722995363753321912676c是p的倍数,所以对n和c求gcd即为p。exp如下:
from gmpy2 import *
from libnum import *
n = 17365231154926348364478276872558492775911760603002394353723603461898405740234715001820111548600914907617003806652492391686710256274156677887101997175692277729648456087534987616743724646598234466094779540729413583826355145277980479040157075453694250572316638348121571218759769533738721506811175866990851972838466307594226293836934116659685215775643285465895317755892754473332034234495795936183610569571016400535362762699517686781602302045048532131426035260878979892169441059467623523060569285570577199236309888155833013721997933960457784653262076135561769838704166810384309655788983073376941843467117256002645962737847
c = 6944967108815437735428941286784119403138319713455732155925055928646536962597672941805831312130689338014913452081296400272862710447207265099750401657828165836013122848656839100854719965188680097375491193249127725599660383746827031803066026497989298856420216250206035068180963797454792151191071433645946245914916732637007117085199442894495667455544517483404006536607121480678688000420422281380539368519807162175099763891988648117937777951069899975260190018995834904541447562718307433906592021226666885638877020304005614450763081337082838608414756162253825697420493509914578546951634127502393647068722995363753321912676
e = 0x10001
p = gcd(n, c)
q = n // p
d = invert(e, (p-1)*(q-1))
print(n2s(int(pow(c, d, n) // p // 2021 // 1001)))
# flag{Math_1s_1nterest1ng_hah}RSA-2
from Crypto.Util.number import *
import gmpy2
from flag import flag
assert flag[:5]==b'flag{'
m1 = bytes_to_long(flag[:20])
p = getPrime(512)
p1 = gmpy2.next_prime(p)
q = getPrime(512)
q1 = gmpy2.next_prime(q)
n1 = p*q*p1*q1
print('n1 =',n1)
e = 0x10001
c1 = pow(m1,e,n1)
print('c1 =',c1)
m2 = bytes_to_long(flag[20:])
p2 = getPrime(1024)
q2 = getPrime(1024)
print('p2+q2 =',p2+q2)
print('q2*q2 =',p2*q2)
n2 = p2*p2*q2*q2*q2
print('n2 =',n2)
c2 = pow(m2,e,n2)
print('c2 =',c2)
#n1 = 6348779979606280884589422188738902470575876294643492831465947360363568026280963989291591157710389629216109615274754718329987990551836115660879103234129921943824061416396264358110216047994331119920503431491509529604742468032906950984256964560405062345280120526771439940278606226153077959057882262745273394986607004406770035459301695806378598890589432538916219821477777021460189140081521779103226953544426441823244765828342973086422949017937701261348963541035128661464068769033772390320426795044617751909787914185985911277628404632533530390761257251552073493697518547350246993679844132297414094727147161169548160586911
#c1 = 6201882078995455673376327652982610102807874783073703018551044780440620679217833227711395689114659144506630609087600915116940111002026241056808189658969089532597757995423694966667948250438579639890580690392400661711864264184444018345499567505424672090632235109624193289954785503512742400960515331371813467034511130432319427185134018830006918682733848618201088649690422818940385123599468595766345668931882249779415788129316594083269412221804774856038796248038700275509397599351533280014908894068141056694660319816046357462684688942519849441237878018480036145051967731081582598773076490918572392784684372694103015244826
#p2+q2 = 274773146761138462708137582309097386437793891793691383033856524303010811294101933454824485010521468914846151819876043508541879637544444256520741418495479393777132830985856522008561088410862815913292288683761657919121930016956916865849261153721097671315883469348972925757078089715102032241818526925988645578778
#q2*q2 = 18514724270030962172566965941723224386374076294232652258701085781018776172843355920566035157331579524980108190739141959926523082142273672741849552475156278397131571360099018592018959785627785130126477982765210498547680367230723634424036009539347854344573537848628061468892166199866227984167843139793429682559241317072979374002912607549039431398267184818771503468116379618249319324788996321340764624593443106354104274472601170229835219638093242557547840060892527576940077162990069687019966946826210112318408269749294366586682732614372434218768720577917368726530200897558912687470088583774711767599580037663378929000217
#n2 = 40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593
#c2 = 25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647flag1是祥云杯的RSAssss,用费马因式分解n,网上搜到exp。flag2是用sympy解方程得到p和q。exp如下:
from sympy import Symbol, solve
from gmpy2 import *
from libnum import *
def fermat_factorization(n):
factor_list = []
get_context().precision = 4096
x = int(sqrt(n))
while True:
x += 1
y2 = x ** 2 - n
if is_square(y2):
#print('x = ',x)
y2 = mpz(y2)
get_context().precision = 4096
y = int(sqrt(y2))
factor_list.append([x+y, x-y])
if len(factor_list) == 2:
break
return factor_list
n1 = 6348779979606280884589422188738902470575876294643492831465947360363568026280963989291591157710389629216109615274754718329987990551836115660879103234129921943824061416396264358110216047994331119920503431491509529604742468032906950984256964560405062345280120526771439940278606226153077959057882262745273394986607004406770035459301695806378598890589432538916219821477777021460189140081521779103226953544426441823244765828342973086422949017937701261348963541035128661464068769033772390320426795044617751909787914185985911277628404632533530390761257251552073493697518547350246993679844132297414094727147161169548160586911
c1 = 6201882078995455673376327652982610102807874783073703018551044780440620679217833227711395689114659144506630609087600915116940111002026241056808189658969089532597757995423694966667948250438579639890580690392400661711864264184444018345499567505424672090632235109624193289954785503512742400960515331371813467034511130432319427185134018830006918682733848618201088649690422818940385123599468595766345668931882249779415788129316594083269412221804774856038796248038700275509397599351533280014908894068141056694660319816046357462684688942519849441237878018480036145051967731081582598773076490918572392784684372694103015244826
s1 = 274773146761138462708137582309097386437793891793691383033856524303010811294101933454824485010521468914846151819876043508541879637544444256520741418495479393777132830985856522008561088410862815913292288683761657919121930016956916865849261153721097671315883469348972925757078089715102032241818526925988645578778
s2 = 18514724270030962172566965941723224386374076294232652258701085781018776172843355920566035157331579524980108190739141959926523082142273672741849552475156278397131571360099018592018959785627785130126477982765210498547680367230723634424036009539347854344573537848628061468892166199866227984167843139793429682559241317072979374002912607549039431398267184818771503468116379618249319324788996321340764624593443106354104274472601170229835219638093242557547840060892527576940077162990069687019966946826210112318408269749294366586682732614372434218768720577917368726530200897558912687470088583774711767599580037663378929000217
n2 = 40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593
c2 = 25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647
e = 0x10001
factor_list = fermat_factorization(n1)
[X1, Y1] = factor_list[0]
[X2, Y2] = factor_list[1]
p1 = gcd(X1, X2)
q1 = X1 // p1
p2 = gcd(Y1, Y2)
q2 = Y1 // p2
phi = (p1 - 1) * (q1 - 1) * (p2 - 1) * (q2 - 1)
d1 = invert(e, phi)
flag1 = n2s(int((pow(c1, d1, n1))))
# p3 = Symbol('p3')
# q3 = Symbol('q3')
# p3, q3 = solve([p3+q3-s1, p3*q3-s2], [p3, q3])[0]
# print(p3, q3)
p3 = 118403784459455138582919377906131738592946190895354489225890530955489713357948723774385902598164582767355529878101682058998518634444589192617157682795489868846289962039288493883412519273541770945888153150197763095564026103787571812611196732248676365740482179339301570536662025044058993433932899960459852671737
q3 = 156369362301683324125218204402965647844847700898336893807965993347521097936153209680438582412356886147490621941774361449543361003099855063903583735699989524930842868946568028125148569137321044967404135533563894823557903913169345053238064421472421305575401290009671355220416064671043038807885626965528792907041
d2 = invert(e, (p3-1)*(q3-1))
flag2 = n2s(int(pow(c2, d2, p3*q3)))
print(flag1 + flag2)
# flag{Euler_funct1ons_1s_very_interst1ng}
