October Summary

XMAN夏令营TooooomanyRSA

from Crypto.Util.number import *
from gmpy2 import gcd
from uuid import uuid4

flag = ("flag{"+str(uuid4())+"}").encode()

def init_key():
    p, q = getPrime(1024), getPrime(1024)
    n = p * q
    elist = []
    for i in range(3):
        e = int(inverse(getPrime(810), (p-1) * (q-1) // gcd(p-1,q-1)))
        elist.append(e)
    return elist, n

m = bytes_to_long(flag)
elist, n = init_key()
print("c =",pow(m,65537,n))
print("n =",n)
print("elist =",elist)

'''
c = 8836441252076834545813477411326425375032267123570785772864736522363289546687708899074336247215937510570504358003107825056501941030269383864118843746175337393654312850577439133664730484837119573532202639084658757820201188879766516909534973535998857651937119461057973385426395724145776918292561702292436605761423965907449269350234768599086801097764871812636671292354213601605096195311151373515090830120096932678276497558133279308072396732663178152322425868305886057431421961733257631788613513220162555655889179523511665784230205568552674460999865994501813783725694862606623394523003050895631252334230583883118073253764
n = 13441675621853397537941552930565086940390470130815380172405483101963424807980457970171725987335576421109600777181124732686757429091494072838586546464238360449989289020069386272380414809945684476174566989775147057082001644921451704981593847572798324632557836313044339427816944052099264108168157879645492166128090320214880302941951710697142064976112121583858774576042442313128499340606412845822519283515566759147621860641682899507428800319575392348478145779271935852461866317025429591494415486087527357696348049367246280018948490128455131326723173717164420547870649041609012209503120621766999344338619628361309881504449
elist = [6394785330485131407826851764944106702989306751661773111300134919431104584180613989558300377714349529400378558913602158291081082675430487235339914971012067566601890029839947493155254582899628788537164340404428811085870041808860483801729245083548201334366733631432145384161908034867977906516995215397817811827060338562939218932916441868066261899714398094644048582309184012571138467837154157300425982546397721016585389530109123133328761496692431696333697620772147165360784490956672563278919171793966890158893934190837756790824904679773847777676326932643265426451922272758626857050445979305022351126666958426400079653623, 1369139766594499502102339802022151306473260303306443944809840701670612636871224554225002168944819225437998598365160666841985968029088084698853903787370193867870645734160453072726844381549153136514381609762281206178008136789238144315497475817194151194572296755949819068715206908967557531534965163142405984337962331584669073736885280026972797963267782773986730500382181318371495017118704093918920704345311527651399811381295059334575066198160251659075954912595362620180554775651196811925899974337478484410958141839806933182849189323190130942495340593301630517690327831594714373018323154749642065080783334651101242699263, 5437175210613834481955163777766627983523303337501300230689357572042873091664083970990501546609837607847693632622863075171175573210124960851439677015543351005393752316875323874628271392021624688370950188978195558312943877934365491687668809500866579503310026982199641168879029765994054311638922866950503743682009008734748720854732986500921718042561188808728053600445110972992438469967649056256589175739478272363214764480549487083235779588504538469805052660174224984711215950503095920589943783308241737365123329897745808282472351927870398484175556134059702516479014529101233832019814273876515569307294857432779445820767]
'''

根据论文中三个e的情况更改M矩阵及D矩阵

另外还需要更改a的值，a的值等于e的位数加一（即811），除以p*q的位数加一（即2049），保留三位小数。

from gmpy2 import invert
c = 8836441252076834545813477411326425375032267123570785772864736522363289546687708899074336247215937510570504358003107825056501941030269383864118843746175337393654312850577439133664730484837119573532202639084658757820201188879766516909534973535998857651937119461057973385426395724145776918292561702292436605761423965907449269350234768599086801097764871812636671292354213601605096195311151373515090830120096932678276497558133279308072396732663178152322425868305886057431421961733257631788613513220162555655889179523511665784230205568552674460999865994501813783725694862606623394523003050895631252334230583883118073253764
e2 = 1369139766594499502102339802022151306473260303306443944809840701670612636871224554225002168944819225437998598365160666841985968029088084698853903787370193867870645734160453072726844381549153136514381609762281206178008136789238144315497475817194151194572296755949819068715206908967557531534965163142405984337962331584669073736885280026972797963267782773986730500382181318371495017118704093918920704345311527651399811381295059334575066198160251659075954912595362620180554775651196811925899974337478484410958141839806933182849189323190130942495340593301630517690327831594714373018323154749642065080783334651101242699263
e1 = 6394785330485131407826851764944106702989306751661773111300134919431104584180613989558300377714349529400378558913602158291081082675430487235339914971012067566601890029839947493155254582899628788537164340404428811085870041808860483801729245083548201334366733631432145384161908034867977906516995215397817811827060338562939218932916441868066261899714398094644048582309184012571138467837154157300425982546397721016585389530109123133328761496692431696333697620772147165360784490956672563278919171793966890158893934190837756790824904679773847777676326932643265426451922272758626857050445979305022351126666958426400079653623
e3 = 5437175210613834481955163777766627983523303337501300230689357572042873091664083970990501546609837607847693632622863075171175573210124960851439677015543351005393752316875323874628271392021624688370950188978195558312943877934365491687668809500866579503310026982199641168879029765994054311638922866950503743682009008734748720854732986500921718042561188808728053600445110972992438469967649056256589175739478272363214764480549487083235779588504538469805052660174224984711215950503095920589943783308241737365123329897745808282472351927870398484175556134059702516479014529101233832019814273876515569307294857432779445820767
N = 13441675621853397537941552930565086940390470130815380172405483101963424807980457970171725987335576421109600777181124732686757429091494072838586546464238360449989289020069386272380414809945684476174566989775147057082001644921451704981593847572798324632557836313044339427816944052099264108168157879645492166128090320214880302941951710697142064976112121583858774576042442313128499340606412845822519283515566759147621860641682899507428800319575392348478145779271935852461866317025429591494415486087527357696348049367246280018948490128455131326723173717164420547870649041609012209503120621766999344338619628361309881504449
a = 0.396#811/2049
M1=N**0.5
M2= N**(a+1.5)
M3=N**(1+a)
D = diagonal_matrix(ZZ,[N**1.5,N,M2,M1,M2,M3,M3,1])
M=matrix(ZZ,[[1,-N,0,N**2,0,0,0,-N**3],[0,e1,-e1,-e1*N,-e1,0,e1*N,e1*N**2],[0,0,e2,-e2*N,0,e2*N,0,e2*N**2],[0,0,0,e1*e2,0,-e1*e2,-e1*e2,-e1*e2*N],[0,0,0,0,e3,-e3*N,-e3*N,e3*N**2],[0,0,0,0,0,e1*e3,0,-e1*e3*N],[0,0,0,0,0,0,e2*e3,-e2*e3*N],[0,0,0,0,0,0,0,e1*e2*e3]])D
L=M.LLL()
t=vector(ZZ,L[0])
x=t*M(-1)
phi = int(x[1]/x[0]*e1)
d = invert(0x10001,phi)
m=pow(c,d,N)
print (m)

山东省赛

from Crypto.Cipher import AES
from hashlib import sha256
import random
import string
import binascii
import os
from secret import key, secret, flag



def proof_of_work():
    pass


if proof_of_work() != True:
    exit("Exit...")


def pad(m):
    pad_length = (16 - len(m) % 16) % 16
    return m + b'\x00' * pad_length


def enc(m):
    cipher = AES.new(key, AES.MODE_ECB)
    return binascii.hexlify(cipher.encrypt(m)).decode()


choice = print('Guess the secret!\n1.return enc(pad(m + secret))\n2.check the secret')

while True:
    try:
        choice = input('Give me your choice: ')
        if choice == '1':
            m = binascii.unhexlify(input('Give me your input (in hex): '))
            print(enc(pad(m + secret)))
        if choice == '2':
            ss = input('Give me your secret: ')
            if binascii.unhexlify(ss) == secret:
                print('here is your flag', flag)
            else:
                print('wrong!')
    except:
        print('wrong!')

#!/usr/bin/python
# -*- coding:utf-8 -*-
# author:nothing

import string, re, random
import os 
from hashlib import sha256
from binascii import unhexlify, hexlify
from pwn import *
from Crypto.Util.number import *

io = remote("101.34.215.5", 6666)

def passpow():
	msg = io.recvuntil(b"Give me XXXX:").strip().decode()
	bottom = re.findall(r"\+(.*?)\)",msg)[0]
	res = re.findall(r" == (.*?)\n",msg)[0]
	print(res)
	while True:
		answer = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(4))
		cipher = sha256((answer + bottom).encode()).hexdigest()
		if cipher == res.strip():
			print(answer)
			io.sendline(answer)
			break

def solve_step_4(level, known):
	print "Level %s" % str(level)
	if(level == 16):
		return known
	records = []
	for i in range(256):
		io.recvuntil(b"Give me your choice: ")
		io.sendline("1")
		io.recvuntil("Give me your input (in hex): ")
		tmpstr = ('a'*(15-level) + known + chr(i)).encode('hex')
		io.sendline(tmpstr)
		io.recvuntil("encrypted msg: ")
		s = io.recvuntil("\n")[:-1].decode()[:32]
		print "Process: %s/256 %s %s" % (str(i), tmpstr, s)
		records.append(s)
	io.recvuntil(b"Give me your choice: ")
	io.sendline("1")
	io.recvuntil("Give me your input (in hex): ")
	tmpstr = ('a'*(15-level)).encode('hex')
	io.sendline(tmpstr)
	io.recvuntil("encrypted msg: ")
	s = io.recvuntil("\n")[:-1].decode()[:32]
	newknown = known + chr(records.index(s))
	print "==========================="
	print newknown.encode('hex')
	print "==========================="
	return solve_step_4(level+1, newknown)



if __name__ == '__main__':
	passpow()
	secret = solve_step_4(0,"")
	io.recvuntil(b"Give me your choice: ")
	io.sendline("2")
	io.recvuntil("Give me your secret: ")
	io.sendline(hexlify(secret))
	flag = io.recvuntil("\n")[:-1].decode()
	print flag

西南石油招新赛

1

from gmpy2 import *
from Crypto.Util.number import *



flag  = '****************************'
flag = {"asfajgfbiagbwe"}
p = getPrime(2048)
q = getPrime(2048)
m1 = bytes_to_long(bytes(flag.encode()))

e1e2 = 3087
n = p*q
print()

flag1 = pow(m1,e1,n)
flag2 = pow(m1,e2,n)
print('flag1= '+str(flag1))
print('flag2= '+str(flag2))
print('n= '+str(n))

import gmpy2
from Crypto.Util.number import *

c1 = 463634070971821449698012827631572665302589213868521491855038966879005784397309389922926838028598122795187584361359142761652619958273094398420314927073008031088375892957173280915904309949716842152249806486027920136603248454946737961650252641668562626310035983343018705370077783879047584582817271215517599531278507300104564011142229942160380563527291388260832749808727470291331902902518196932928128107067117198707209620169906575791373793854773799564060536121390593687449884988936522369331738199522700261116496965863870682295858957952661531894477603953742494526632841396338388879198270913523572980574440793543571757278020533565628285714358815083303489096524318164071888139412436112963845619981511061231001617406815056986634680975142352197476024575809514978857034477688443230263761729039797859697947454810551009108031457294164840611157524719173343259485881089252938664456637673337362424443150013961181619441267926981848009107466576314685961478748352388452114042115892243272514245081604607798243817586737546663059737344687130881861357423084448027959893402445303299089606081931041217035955143939567456782107203447898345284731038150377722447329202078375870541529539840051415759436083384408203659613313535094343772238691393447475364806171594
c2 = 130959534275704453216282334815034647265875632781798750901627773826812657339274362406246297925411291822193191483409847323315110393729020700526946712786793380991675008128561863631081095222226285788412970362518398757423705216112313533155390315204875516645459370629706277876211656753247984282379731850770447978537855070379324935282789327428625259945250066774049650951465043700088958965762054418615838049340724639373351248933494355591934236360506778496741051064156771092798005112534162050165095430065000827916096893408569751085550379620558282942254606978819033885539221416335848319082054806148859427713144286777516251724474319613960327799643723278205969253636514684757409059003348229151341200451785288395596484563480261212963114071064979559812327582474674812225260616757099890896900340007990585501470484762752362734968297532533654846190900571017635959385883945858334995884341767905619567505341752047589731815868489295690574109758825021386698440670611361127170896689015108432408490763723594673299472336065575301681055583084547847733168801030191262122130369687497236959760366874106043801542493392227424890925595734150487586757484304609945827925762382889592743709682485229267604771944535469557860120878491329984792448597107256325783346904408
n = 609305637099654478882754880905638123124918364116173050874864700996165096776233155524277418132679727857702738043786588380577485490575591029930152718828075976000078971987922107645530323356525126496562423491563365836491753476840795804040219013880969539154444387313029522565456897962200817021423704204077133003361140660038327458057898764857872645377236870759691588009666047187685654297678987435769051762120388537868493789773766688347724903911796741124237476823452505450704989455260077833828660552130714794889208291939055406292476845194489525212129635173284301782141617878483740788532998492403101324795726865866661786740345862631916793208037250277376942046905892342213663197755010315060990871143919384283302925469309777769989798197913048813940747488087191697903624669415774198027063997058701217124640082074789591591494106726857376728759663074734040755438623372683762856958888826373151815914621262862750497078245369680378038995425628467728412953392359090775734440671874387905724083226246587924716226512631671786591611586774947156657178654343092123117255372954798131265566301316033414311712092913492774989048057650627801991277862963173961355088082419091848569675686058581383542877982979697235829206442087786927939745804017455244315305118437


def rsa_gong_N_def(e1, e2, c1, c2, n):
    e1, e2, c1, c2, n = int(e1), int(e2), int(c1), int(c2), int(n)
    s = gmpy2.gcdext(e1, e2)
    s1 = s[1]
    s2 = s[2]
    if s1 < 0:
        s1 = -s1
        c1 = gmpy2.invert(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = gmpy2.invert(c2, n)
    m = (pow(c1, s1, n) * pow(c2, s2, n)) % n
    return int(m)


def de(c, e, n):
    k = 0
    while k < 1000:
        mm = c + n * k
        result, flag = gmpy2.iroot(mm, e)
        if True == flag:
            return result
        k += 1


for e1 in range(2, e1e2):
    if e1e2 % e1 == 0:
        e2 = e1e2 // e1
        c = rsa_gong_N_def(e1, e2, c1, c2, n)
        e = gmpy2.gcd(e1, e2)
        m1 = de(c, e, n)
        if m1:
            flag = long_to_bytes(int(m1))
            if b"NSSCTF" in flag:
                print(flag)
                break

3

from gmpy2 import *
from Crypto.Util.number import *

flag = '******************'

p = getPrime(512)
q = getPrime(512)
m1 = bytes_to_long(bytes(flag.encode()))

n = p * q

flag1 = pow(m1, p, n)
flag2 = pow(m1, q, n)
print('flag1= ' + str(flag1))
print('flag2= ' + str(flag2))
print('n= ' + str(n))

flag1 = 17893542812755845772427795161304049467610774531005620109503081344099161906017295486868699578946474114607624347167976713200068059018517606363517478396368430072890681401898145302336139240273132723451063402106360810413024642916851746118524166947301681245568333254648265529408446609050354235727237078987509705857
flag2 = 95580409405085606847879727622943874726633827220524165744517624606566789614499137069562997931972825651309707390763700301965277040876322904891716953565845966918293178547100704981251056401939781365264616997055296773593435626490578886752446381493929807909671245959154990639046333135728431707979143972145708806954
n = 140457323583824160338989317689698102738341061967768153879646505422358544720607476140977064053629005764551339082120337223672330979298373653766782620973454095507484118565884885623328751648660379894592063436924903894986994746394508539721459355200184089470977772075720319482839923856979166319700474349042326898971

Coppersmith定理：在一个e阶的mod n多项式f(x)中，如果有一个根小于$ n^{\frac{1}{e}} $，就可以运用一个O(log n)的算法求出这些根
$$
c_{1} = m ^ {p} \bmod n = m ^{p} \bmod p * q
$$

$$
c_{2} = m ^ {q} \bmod n = m ^{q} \bmod p * q
$$

费马定理：
$$
m ^ {p} \equiv m \bmod p
$$

$$
m ^ {q} \equiv m \bmod q
$$

所以：
$$
c_{1} = m + ip + xpq = m + ip
$$

$$
c_{2} = m + jq + ypq = m + jq
$$

因此：
$$
c_{1} * c_{2} = m ^ {2} + (ip + iq)m + ijn
$$

$$
(c_{1} + c_{2})m = 2m^{2}+(ip+jq)m
$$

有：
$$
m^{2}-(c_{1}+c_{2})m+c1*c2=ijn\equiv0\bmod n
$$

# sage
n=140457323583824160338989317689698102738341061967768153879646505422358544720607476140977064053629005764551339082120337223672330979298373653766782620973454095507484118565884885623328751648660379894592063436924903894986994746394508539721459355200184089470977772075720319482839923856979166319700474349042326898971
c1=17893542812755845772427795161304049467610774531005620109503081344099161906017295486868699578946474114607624347167976713200068059018517606363517478396368430072890681401898145302336139240273132723451063402106360810413024642916851746118524166947301681245568333254648265529408446609050354235727237078987509705857
c2=95580409405085606847879727622943874726633827220524165744517624606566789614499137069562997931972825651309707390763700301965277040876322904891716953565845966918293178547100704981251056401939781365264616997055296773593435626490578886752446381493929807909671245959154990639046333135728431707979143972145708806954
PR.<m> = PolynomialRing(Zmod(n))
f = m^2-(c1+c2)*m+c1*c2
x0 = f.small_roots(X=2^400)
print(x0)

楚慧杯

Easy-RSA

n：27552304606229034903366058815849954030287648695063385362955432137790872571412035824128918674719247737295565001575991597519270789776408208970323808016733976338433371328100880898942106515627607388226912870981180215883273805491209461671730377099185278711453949265641966582563910708529619185885928310168288810488784242368160743359666583499117949407921812317700250240067929572558785431071173411100434109661677786734923283679392823901052633992456780285091988542875991410528415886437666510014123352497264017734716859350294159440761760921548702546470902740121962033241003215821780125194400741190925169397917247376657863011603
e：65537
c：8643831704675414121804983915084443744489969712473300784256427784417167322852556975560503484179280700293119974607254037642425650493676448134024809335297135239994950178868535219541095694358323044214971760829173918774094415933808417722001811285178546917655837402000771685507972240389565704149610032767242977174132826100177368764169367458684152505611469248099487912367364804360878611296860803835816266114046682291529593099394952245852157119233687981777202751472502060481232341206366584532964027749320641690448228420342308891797513656897566100268729012788419021059054907653832828437666012596894150751431936476816983845357
p-q：3216514606297172806828066063738105740383963382396892688569683235383985567043193404185955880509592930874764682428425994713750665248099953457550673860782324431970917492727256948066013701406000049963109681898567026552657377599263519201715733179565306750754520746601394738797021362510415215113118083969304423858

sympy解方程一把梭

from sympy import Symbol, solve
from gmpy2 import *
from libnum import *

n = 27552304606229034903366058815849954030287648695063385362955432137790872571412035824128918674719247737295565001575991597519270789776408208970323808016733976338433371328100880898942106515627607388226912870981180215883273805491209461671730377099185278711453949265641966582563910708529619185885928310168288810488784242368160743359666583499117949407921812317700250240067929572558785431071173411100434109661677786734923283679392823901052633992456780285091988542875991410528415886437666510014123352497264017734716859350294159440761760921548702546470902740121962033241003215821780125194400741190925169397917247376657863011603
e = 65537
c = 8643831704675414121804983915084443744489969712473300784256427784417167322852556975560503484179280700293119974607254037642425650493676448134024809335297135239994950178868535219541095694358323044214971760829173918774094415933808417722001811285178546917655837402000771685507972240389565704149610032767242977174132826100177368764169367458684152505611469248099487912367364804360878611296860803835816266114046682291529593099394952245852157119233687981777202751472502060481232341206366584532964027749320641690448228420342308891797513656897566100268729012788419021059054907653832828437666012596894150751431936476816983845357
s =  3216514606297172806828066063738105740383963382396892688569683235383985567043193404185955880509592930874764682428425994713750665248099953457550673860782324431970917492727256948066013701406000049963109681898567026552657377599263519201715733179565306750754520746601394738797021362510415215113118083969304423858
# p = Symbol('p')
# q = Symbol('q')
# p, q = solve([p*q-n, p-q-s], [p,q])
# print(p,q)
p = 167604917202624171205562332547086795459018271995531662202392816766661852499967774267554085060619750182533064588995245441659492248123164548905239665224600839192261379211031757557080502863539123811164713057605073461933854926502162793803096063035806777877263036653498763650955936640215477205393488552237210705691
q = 164388402596326998398734266483348689718634308613134769513823133531277866932924580863368129180110157251658299906566819446945741582875064595447688991363818514760290461718304500609014489162133123761201603375706506435381197548902899274601380329856241471126508515906897368912158915277705061990280370468267906281833
d = invert(e, (p-1)*(q-1))
print(n2s(int(pow(c,d,n))))
# b'flag{9c0532a253809f180747b6da334b438f}'

EasyRandom

from random import getrandbits
from os import urandom
from flag import flag
from hashlib import sha256

flag=flag[5:-1]
flag=flag.encode("hex")
assert len(flag)==48

def affine(s):
    return hex((int(s,16)*13+7)%16)[2]

randList=[]
for i in range (624):
    tmp=getrandbits(32)
    randList.append(tmp)
print randList

n1=int(flag[:32],16)^getrandbits(128)
tmp=urandom(3)
n2=int(flag[32:38],16)^int(tmp.encode('hex'),16)
print sha256(tmp).hexdigest()
n3=""
for i in flag[38:]:
    n3+=affine(i)
n3=int(n3,16)
res=((n1<<64)+(n2<<40)+n3)^getrandbits(192)
print res


# randList=[3693014292L, 1999090277L, 2812362804L, 2118249952L, 885988212L, 1131999143L, 3327925205L, 731275596L, 1818780432L, 644434032L, 3301077903L, 1004325730L, 113617890L, 262927352L, 1449581419L, 1596910105L, 3680959953L, 4039323321L, 2422810127L, 946521915L, 4049336142L, 1299247828L, 3361233447L, 1319347681L, 2858084207L, 2493466845L, 522894151L, 3272590535L, 2518746559L, 113976089L, 1912521614L, 1971657011L, 4052443472L, 1928327357L, 1481517158L, 1707968618L, 3946904293L, 3941277234L, 1740669853L, 177473759L, 2855945159L, 3217808064L, 568887441L, 2243547768L, 533475147L, 4005163087L, 1991762580L, 1175403787L, 1819485104L, 4162426193L, 2480060730L, 1889558541L, 1659122908L, 2343813603L, 1792751594L, 3287109162L, 4119020356L, 2086904766L, 4227102603L, 4251617926L, 386544361L, 2024596798L, 3275172220L, 1652143183L, 4279693598L, 1741714555L, 3920640884L, 837190820L, 4242688797L, 3406136725L, 272163458L, 1933729342L, 3348914742L, 3483202044L, 313505665L, 3180958891L, 276638359L, 2247257889L, 1283002827L, 253470155L, 2172073971L, 3333335918L, 321125332L, 3478202657L, 1298557332L, 1255183068L, 2347216752L, 1823003608L, 1873938039L, 4172493668L, 1252876713L, 2877329304L, 2733470437L, 743814046L, 1482554102L, 3967801003L, 4135521914L, 1601509876L, 1370623470L, 564556001L, 3369378190L, 1930652933L, 2684027015L, 730072119L, 3133537560L, 554522157L, 4200260396L, 66286223L, 2856462351L, 3409097597L, 1123352314L, 3112249875L, 660537433L, 1027164908L, 2875953843L, 3419766147L, 64818752L, 1572659846L, 176068922L, 2155262681L, 3154282688L, 3215591301L, 923444143L, 54743986L, 3011602372L, 1936525684L, 2636863705L, 3228231549L, 3660514246L, 2503374986L, 1180875896L, 941948277L, 1922552596L, 740696852L, 2337729160L, 1636823570L, 1788245610L, 2970204367L, 1597424641L, 3940594526L, 846332502L, 3177694219L, 1253960959L, 1980517147L, 2066843131L, 3452017677L, 743662084L, 3332614739L, 1230416894L, 1790783329L, 3339256849L, 1223003548L, 3155010716L, 211801309L, 3302823875L, 2203405123L, 4027118331L, 3928670766L, 1551556760L, 2018355543L, 2473765725L, 2451139992L, 3923372144L, 2197282188L, 2056399604L, 1294675076L, 1121984516L, 113881691L, 1646921221L, 3151728031L, 695534775L, 3870352246L, 1614457851L, 1764207471L, 3516853329L, 3276173646L, 3559299512L, 1239291648L, 2417317314L, 908861203L, 3945977517L, 1789725976L, 1094256533L, 1194981603L, 3817224425L, 4294621339L, 3041360046L, 1319794040L, 1881403289L, 151945988L, 3036988698L, 2214811128L, 240957157L, 509921068L, 1538884056L, 119208760L, 1425862614L, 2923918837L, 845827337L, 507023267L, 2955299274L, 1247972138L, 766611587L, 2012831811L, 3441161631L, 2645633381L, 2328705244L, 512481283L, 461960350L, 1704754200L, 1327914555L, 147555684L, 3349647800L, 3062151439L, 3090502250L, 937966533L, 82567652L, 725403325L, 4001427888L, 524069543L, 2291211027L, 2084465414L, 1292961088L, 4278389999L, 1309916992L, 3249380344L, 3493113838L, 83526738L, 4193860366L, 2438456426L, 3510215857L, 175761668L, 2820499306L, 1792194251L, 1225332544L, 3896268058L, 2752286952L, 3182785082L, 956435024L, 3996152048L, 2924148655L, 2895936126L, 1856977607L, 1289267397L, 690722358L, 1937429718L, 1531967867L, 2098208046L, 1815108525L, 1567735201L, 146084074L, 2093897143L, 2793246617L, 1146380003L, 2523936201L, 2301399576L, 2052473947L, 3470101770L, 3722302451L, 3345343326L, 2271545308L, 2657475692L, 2211989611L, 2428885922L, 2097052181L, 3554955904L, 1704837589L, 1494941216L, 3403108634L, 911409695L, 3550042769L, 379101531L, 406655201L, 1317011271L, 2336674904L, 3930303124L, 3038552846L, 3207659329L, 2785076651L, 1203119790L, 1146774748L, 2218279443L, 494710315L, 3507507044L, 922439915L, 35699688L, 2690622469L, 1458912003L, 3911367650L, 983115567L, 2813252332L, 839947939L, 514499603L, 3894529528L, 326817358L, 1479783722L, 4242051909L, 3492972915L, 3473946915L, 3348053727L, 3681386488L, 584266203L, 3531080708L, 3262223061L, 2904040234L, 3897643811L, 2706405422L, 914107260L, 3011659451L, 308811435L, 4103121550L, 4023430755L, 2975129044L, 4139500620L, 1763891748L, 57665971L, 3149249501L, 870034516L, 4142837134L, 3130156432L, 1708266697L, 1242161643L, 1163332264L, 108174709L, 1633896347L, 2820171620L, 1708875131L, 724124719L, 3562786877L, 518616285L, 3643662732L, 3375737681L, 2550728441L, 1823319080L, 1775922455L, 3838709569L, 177763087L, 946611206L, 4054832304L, 1473954380L, 3475817789L, 2590152780L, 3587873907L, 3437231816L, 2708036272L, 3883447173L, 655291275L, 707049339L, 1352718730L, 3543000675L, 962283943L, 4170075509L, 1897499376L, 643615933L, 856277089L, 3299581344L, 4093601146L, 2638625975L, 1563647962L, 890552183L, 3138216177L, 222946344L, 4219020514L, 3218803481L, 3093722090L, 1210144957L, 3499543439L, 4239553976L, 3582176749L, 654186756L, 3005601303L, 1252241368L, 2459425960L, 3587113096L, 3506651695L, 3673557784L, 4157576483L, 733173716L, 1505997631L, 394626148L, 1322270695L, 84604461L, 891267254L, 518241635L, 1068682198L, 3696554893L, 3111393676L, 1398539042L, 901276151L, 483471144L, 1952219546L, 2884270239L, 2215979688L, 4138748504L, 1623101775L, 3102260771L, 4276348310L, 1228132323L, 2250922664L, 833982365L, 3402246096L, 2085678412L, 2707953187L, 590837194L, 3421635592L, 3488064851L, 3655525766L, 1029679348L, 2448841196L, 89284911L, 3970560858L, 334986490L, 3063032848L, 3172506167L, 2391313449L, 3589023591L, 4269870234L, 3275101066L, 1716650872L, 483502324L, 2116979028L, 815078501L, 3475316209L, 1003463022L, 2418993968L, 4251101825L, 346290993L, 3286645593L, 2654742976L, 99974317L, 4124695845L, 3732280507L, 1536249568L, 1440486445L, 1605422491L, 393607563L, 1141210694L, 43848150L, 1656624711L, 2170355702L, 327988021L, 974870171L, 2169013815L, 3689546490L, 3576028106L, 4258679518L, 14944446L, 1786133397L, 264814384L, 1969519378L, 1769400868L, 3098042628L, 22547518L, 3195136230L, 42683806L, 1288550835L, 59638233L, 3534385409L, 2517101496L, 3632913591L, 3894777481L, 2912655780L, 1614602217L, 3498478791L, 1309795895L, 3961554801L, 3625321205L, 308138165L, 2885107341L, 1003378866L, 3462951062L, 1914176024L, 3130918711L, 3919345882L, 3556964414L, 2382442356L, 3968605965L, 2388890395L, 1955471760L, 2358533573L, 2323037969L, 4273118548L, 3577096972L, 4251790958L, 2321545863L, 2057106840L, 4000766037L, 1551111470L, 368761666L, 951769999L, 778229999L, 4235748487L, 2020142699L, 3577752281L, 1269488993L, 1350156870L, 529843408L, 669182431L, 3871401874L, 2180265713L, 3850183472L, 46915226L, 3150800412L, 1139932212L, 2523557119L, 1462042012L, 301258444L, 165757583L, 530704729L, 1848179734L, 1792342751L, 2597916820L, 4041946457L, 1127104524L, 3768573884L, 2614008065L, 741308521L, 477746986L, 507411825L, 4235293189L, 2251811519L, 811234592L, 1985999307L, 844715613L, 1640781314L, 3538036580L, 2764130557L, 2863454433L, 1831736583L, 3857379783L, 658928449L, 1149649578L, 103125751L, 2968446555L, 885660863L, 707321834L, 1728646363L, 2706995220L, 3062604255L, 4177710084L, 3076079677L, 879366858L, 3936728615L, 8828906L, 1656874220L, 2904085639L, 397694272L, 1604508691L, 2083663236L, 2138468690L, 1365350684L, 2870684769L, 384435793L, 1063724290L, 1142482048L, 809857977L, 4192515435L, 267878653L, 206018017L, 3441769173L, 925696591L, 2250932557L, 1973183700L, 577661907L, 2551314381L, 1350352597L, 4151551172L, 774849773L, 2391866106L, 3444137245L, 403261487L, 2724363448L, 3572536490L, 1077243504L, 302416473L, 3457548858L, 564604707L, 1238169871L, 2356838464L, 3083335214L, 3844937218L, 1272458074L, 1782962159L, 1543604321L, 3212537899L, 426074894L, 3053843067L, 2436223151L, 94019340L, 4147659323L, 2893920832L, 626619793L, 3976626567L, 1884877146L, 2696384440L, 1177352315L, 1082374195L, 3289271804L, 1485815836L, 120127000L, 3349349501L, 164243314L, 1703351326L, 1017276501L, 413737931L, 408060344L, 472141408L, 172738862L, 4001606849L, 1888805432L, 2927218529L, 1293362241L, 1941759619L, 1760659398L, 274865852L, 978985751L, 3867215904L, 177291528L, 1083045308L, 3888975618L, 979933689L, 2211634008L, 3899294132L, 1174569575L]
# Hash='b0cfb7293d6842e3279f4ef0fc88284174349e111e5b9beb28263df72c9db0bf'
# res=1045726758250168034320246515934682860724576730763168865120

先用MT19937伪随机数预测出两个异或的数。因为tmp是urandom(3)，还给了sha256的结果，所以可以通过爆破得到tmp的值。异或之后得到(n1<<64)+(n2<<40)+n3的值，又根据位数可知正好错开了。取二进制的低40位为n3，爆破一下仿射密码得到flag16进制的最后十位。取中间一段为n2，和tmp异或一下得到flag16进制的中间6位。取前面一段异或一下得到flag16进制的前32位。把三部分拼起来再n2s得到最后的flag。

randist=[3693014292, 1999090277, 2812362804, 2118249952, 885988212, 1131999143, 3327925205, 731275596, 1818780432, 644434032, 3301077903, 1004325730, 113617890, 262927352, 1449581419, 1596910105, 3680959953, 4039323321, 2422810127, 946521915, 4049336142, 1299247828, 3361233447, 1319347681, 2858084207, 2493466845, 522894151, 3272590535, 2518746559, 113976089, 1912521614, 1971657011, 4052443472, 1928327357, 1481517158, 1707968618, 3946904293, 3941277234, 1740669853, 177473759, 2855945159, 3217808064, 568887441, 2243547768, 533475147, 4005163087, 1991762580, 1175403787, 1819485104, 4162426193, 2480060730, 1889558541, 1659122908, 2343813603, 1792751594, 3287109162, 4119020356, 2086904766, 4227102603, 4251617926, 386544361, 2024596798, 3275172220, 1652143183, 4279693598, 1741714555, 3920640884, 837190820, 4242688797, 3406136725, 272163458, 1933729342, 3348914742, 3483202044, 313505665, 3180958891, 276638359, 2247257889, 1283002827, 253470155, 2172073971, 3333335918, 321125332, 3478202657, 1298557332, 1255183068, 2347216752, 1823003608, 1873938039, 4172493668, 1252876713, 2877329304, 2733470437, 743814046, 1482554102, 3967801003, 4135521914, 1601509876, 1370623470, 564556001, 3369378190, 1930652933, 2684027015, 730072119, 3133537560, 554522157, 4200260396, 66286223, 2856462351, 3409097597, 1123352314, 3112249875, 660537433, 1027164908, 2875953843, 3419766147, 64818752, 1572659846, 176068922, 2155262681, 3154282688, 3215591301, 923444143, 54743986, 3011602372, 1936525684, 2636863705, 3228231549, 3660514246, 2503374986, 1180875896, 941948277, 1922552596, 740696852, 2337729160, 1636823570, 1788245610, 2970204367, 1597424641, 3940594526, 846332502, 3177694219, 1253960959, 1980517147, 2066843131, 3452017677, 743662084, 3332614739, 1230416894, 1790783329, 3339256849, 1223003548, 3155010716, 211801309, 3302823875, 2203405123, 4027118331, 3928670766, 1551556760, 2018355543, 2473765725, 2451139992, 3923372144, 2197282188, 2056399604, 1294675076, 1121984516, 113881691, 1646921221, 3151728031, 695534775, 3870352246, 1614457851, 1764207471, 3516853329, 3276173646, 3559299512, 1239291648, 2417317314, 908861203, 3945977517, 1789725976, 1094256533, 1194981603, 3817224425, 4294621339, 3041360046, 1319794040, 1881403289, 151945988, 3036988698, 2214811128, 240957157, 509921068, 1538884056, 119208760, 1425862614, 2923918837, 845827337, 507023267, 2955299274, 1247972138, 766611587, 2012831811, 3441161631, 2645633381, 2328705244, 512481283, 461960350, 1704754200, 1327914555, 147555684, 3349647800, 3062151439, 3090502250, 937966533, 82567652, 725403325, 4001427888, 524069543, 2291211027, 2084465414, 1292961088, 4278389999, 1309916992, 3249380344, 3493113838, 83526738, 4193860366, 2438456426, 3510215857, 175761668, 2820499306, 1792194251, 1225332544, 3896268058, 2752286952, 3182785082, 956435024, 3996152048, 2924148655, 2895936126, 1856977607, 1289267397, 690722358, 1937429718, 1531967867, 2098208046, 1815108525, 1567735201, 146084074, 2093897143, 2793246617, 1146380003, 2523936201, 2301399576, 2052473947, 3470101770, 3722302451, 3345343326, 2271545308, 2657475692, 2211989611, 2428885922, 2097052181, 3554955904, 1704837589, 1494941216, 3403108634, 911409695, 3550042769, 379101531, 406655201, 1317011271, 2336674904, 3930303124, 3038552846, 3207659329, 2785076651, 1203119790, 1146774748, 2218279443, 494710315, 3507507044, 922439915, 35699688, 2690622469, 1458912003, 3911367650, 983115567, 2813252332, 839947939, 514499603, 3894529528, 326817358, 1479783722, 4242051909, 3492972915, 3473946915, 3348053727, 3681386488, 584266203, 3531080708, 3262223061, 2904040234, 3897643811, 2706405422, 914107260, 3011659451, 308811435, 4103121550, 4023430755, 2975129044, 4139500620, 1763891748, 57665971, 3149249501, 870034516, 4142837134, 3130156432, 1708266697, 1242161643, 1163332264, 108174709, 1633896347, 2820171620, 1708875131, 724124719, 3562786877, 518616285, 3643662732, 3375737681, 2550728441, 1823319080, 1775922455, 3838709569, 177763087, 946611206, 4054832304, 1473954380, 3475817789, 2590152780, 3587873907, 3437231816, 2708036272, 3883447173, 655291275, 707049339, 1352718730, 3543000675, 962283943, 4170075509, 1897499376, 643615933, 856277089, 3299581344, 4093601146, 2638625975, 1563647962, 890552183, 3138216177, 222946344, 4219020514, 3218803481, 3093722090, 1210144957, 3499543439, 4239553976, 3582176749, 654186756, 3005601303, 1252241368, 2459425960, 3587113096, 3506651695, 3673557784, 4157576483, 733173716, 1505997631, 394626148, 1322270695, 84604461, 891267254, 518241635, 1068682198, 3696554893, 3111393676, 1398539042, 901276151, 483471144, 1952219546, 2884270239, 2215979688, 4138748504, 1623101775, 3102260771, 4276348310, 1228132323, 2250922664, 833982365, 3402246096, 2085678412, 2707953187, 590837194, 3421635592, 3488064851, 3655525766, 1029679348, 2448841196, 89284911, 3970560858, 334986490, 3063032848, 3172506167, 2391313449, 3589023591, 4269870234, 3275101066, 1716650872, 483502324, 2116979028, 815078501, 3475316209, 1003463022, 2418993968, 4251101825, 346290993, 3286645593, 2654742976, 99974317, 4124695845, 3732280507, 1536249568, 1440486445, 1605422491, 393607563, 1141210694, 43848150, 1656624711, 2170355702, 327988021, 974870171, 2169013815, 3689546490, 3576028106, 4258679518, 14944446, 1786133397, 264814384, 1969519378, 1769400868, 3098042628, 22547518, 3195136230, 42683806, 1288550835, 59638233, 3534385409, 2517101496, 3632913591, 3894777481, 2912655780, 1614602217, 3498478791, 1309795895, 3961554801, 3625321205, 308138165, 2885107341, 1003378866, 3462951062, 1914176024, 3130918711, 3919345882, 3556964414, 2382442356, 3968605965, 2388890395, 1955471760, 2358533573, 2323037969, 4273118548, 3577096972, 4251790958, 2321545863, 2057106840, 4000766037, 1551111470, 368761666, 951769999, 778229999, 4235748487, 2020142699, 3577752281, 1269488993, 1350156870, 529843408, 669182431, 3871401874, 2180265713, 3850183472, 46915226, 3150800412, 1139932212, 2523557119, 1462042012, 301258444, 165757583, 530704729, 1848179734, 1792342751, 2597916820, 4041946457, 1127104524, 3768573884, 2614008065, 741308521, 477746986, 507411825, 4235293189, 2251811519, 811234592, 1985999307, 844715613, 1640781314, 3538036580, 2764130557, 2863454433, 1831736583, 3857379783, 658928449, 1149649578, 103125751, 2968446555, 885660863, 707321834, 1728646363, 2706995220, 3062604255, 4177710084, 3076079677, 879366858, 3936728615, 8828906, 1656874220, 2904085639, 397694272, 1604508691, 2083663236, 2138468690, 1365350684, 2870684769, 384435793, 1063724290, 1142482048, 809857977, 4192515435, 267878653, 206018017, 3441769173, 925696591, 2250932557, 1973183700, 577661907, 2551314381, 1350352597, 4151551172, 774849773, 2391866106, 3444137245, 403261487, 2724363448, 3572536490, 1077243504, 302416473, 3457548858, 564604707, 1238169871, 2356838464, 3083335214, 3844937218, 1272458074, 1782962159, 1543604321, 3212537899, 426074894, 3053843067, 2436223151, 94019340, 4147659323, 2893920832, 626619793, 3976626567, 1884877146, 2696384440, 1177352315, 1082374195, 3289271804, 1485815836, 120127000, 3349349501, 164243314, 1703351326, 1017276501, 413737931, 408060344, 472141408, 172738862, 4001606849, 1888805432, 2927218529, 1293362241, 1941759619, 1760659398, 274865852, 978985751, 3867215904, 177291528, 1083045308, 3888975618, 979933689, 2211634008, 3899294132, 1174569575]
Hash='b0cfb7293d6842e3279f4ef0fc88284174349e111e5b9beb28263df72c9db0bf'
res=1045726758250168034320246515934682860724576730763168865120


from mt19937predictor import MT19937Predictor
from libnum import *
predictor = MT19937Predictor()
for i in randist:
	predictor.setrandbits(i, 32)
x = predictor.getrandbits(128)

from os import urandom
from hashlib import *
from tqdm import tqdm


# for i in tqdm(range(256)):
#     for j in range(256):
#         for k in range(256):
#             if sha256(i.to_bytes(1, byteorder='big') + j.to_bytes(1, byteorder='big') + k.to_bytes(1, byteorder='big')).hexdigest() == Hash:
#                 print(i.to_bytes(1, byteorder='big') + j.to_bytes(1, byteorder='big') + k.to_bytes(1, byteorder='big'))
#                 exit()

tmp = b'\xfeV\xe8'
# y = predictor.getrandbits(192)
# print(res ^ y)
# print(bin(3096872116674666632134706098360014813425478687167245803096)[2:])

res = '11111100100110011011010100000010100111101010001110010110101000111010000101111001111100001100100001111110000100000010001010110111001001000101111101101110101101110110111010111010101111001011000'
n3 = res[151:]
n3 = int(n3, 2)
n3 = hex(n3)[2:]

def affine(s):
    return hex((int(s,16)*13+7)%16)[2]

from string import *

flag3 = ''
for i in str(n3):
    for j in digits + 'abcdef':
        if hex((int(j, 16)*13+7)%16)[2] == i:
            flag3 += j
# print(flag3)
# 64406e6365

tmp = int(tmp.hex(), 16)
n2 = int(res[127:151], 2)
print(hex(n2 ^ tmp)[2:])
# 6c795f
# for i in range(10, 135):
#     n1 = int(res[:i], 2)
#     if len(hex(n1 ^ x)[2:]) == 32:
#         print(i)
#         print(hex(n1 ^ x)[2:])


# flag = 0x16ef9b7e65eaccdac7f2a82242f97461fe795f64406e6365
# print(n2s(flag))
# flag = 0x365ac09e91965ba65b83ea0952bf789afe795f64406e6365
# print(n2s(flag))
flag = 0x7730775f796f755f63616e5f7233616c6c795f64406e6365
print(n2s(flag))
# flag = 0xf5e518dca89d28ad12a466f3332b5280fe795f64406e6365
# print(n2s(flag))

# flag{w0w_you_can_r3ally_d@nce}

Puzzle

#!/usr/bin/python
#coding:utf-8

import gmpy2
import random
from flag import flag
from Crypto.Util.number import getPrime,long_to_bytes,bytes_to_long
from Crypto.Cipher import AES
from os import urandom

def getkey():
    p = getPrime(2048)
    k = random.randint(3, 10)
    r = random.randint(k, 2048)
    while True:
        e = random.randint(3, p**k*(p-1))
        if gmpy2.gcd(e, p**r*(p-1)) == 1:
        	break
    pubkey = (long(e), long(p**k))
    return pubkey

def c1pto(m, pubkey):
    e, n = pubkey
    print(hex(e))
    assert m < n - 1
    c = pow(m, e, n)
    print(hex(c))
    return n

def c2pto(p):
    key=urandom(16)
    iv=urandom(16)
    cipher=AES.new(key,AES.MODE_CBC,iv)
    m=iv+long_to_bytes(p)
    print(cipher.encrypt(m).encode("base64"))
    return key

def c3pto(n):
    a = 0
    for i in bin(n)[2:]:
        a = a << 1
        if (int(i)):
            a = a ^ n
        if a >> 256:
            a = a ^ 0x10000000000000000000000000000000000000000000000000000000000000223L
    return a

m=bytes_to_long(urandom(64)+flag)
pubkey = getkey()
n = c1pto(m, pubkey)
key=c2pto(n)
print(c3pto(bytes_to_long(key)))


'''output
0x5b0cd450a7bfb679dc9caa8aa6fc131708fca2a34375d049ac035fb019463d9c3fa11adb0eb51dea1ae85223df59f887a12ab376cbcb272681c3872c57f4da27396052242b608e3ea4ff53061e63bbfdff652ce25f4ce73315fd1a73a5d5e7307402c7a3c6c1a80c63297b441125c38e23729da6473e5dc332e4e7201df25ff6c8b9918b262e56a31bebe13e093e6f4dba47a771961358cedf6d740732425cb708a633d538dcdc12ef7b49ce76aa270f50dd7cc1b879f1d7b19c6ac3b891fe4e20fb7645b7567237775881de7d30ba754d495ffe8ee751d1cfee1c661a2dbf13a53ff1bcf8085b39f6508fbf37137ebad659665fe5fcc67eef02970a44ac675e28103bd10f2045983d5adaa909b18b70a909b08b76c21b2798830276068d0ebd27303985bb5f3e681219a50bc761b7630587743768cf61922804d195e265aaaabb4740a2c5d7e8ff4e1c19cfb534d345f537e95e948591557f3136da617657e24d1904be373f5e7d63af330b837bcc662cbcd801eb436dbbeb714469d227e9f17e118db39eeb42e45455e6daf4d8fe0e19c4457b596c20e1ef8d235b230018a58e1c66c52c7317094aa5797f50a3b5ebe2be2abd1a04d907fbb68919956d7b0939ac0195a3f3bd3eb6f08eef67a895807768250172ec6bb2b35c9962de03df847170472b73981c04f2aef03721554c818ec9eb7f625d1a3fcdcf756adc4b6fd61950724ac2164a94df70f4aa1cc36c51dd2c3b6545c6c2233544254f6a24e6a170918fd0c533734ef859fed3c5d6f1f9acf8d3b77804c98fa5f1429763ebe860a77380a1e94626b46d88e5263855a0a0d226eb7ca64824c9a06acda851e650e6b035c04e27de61cd49ff49ac3ea3407440f9e76ce47c02301c1bc9c28befe0cd1f5b999961b055ffb39e2f451302aaedc5d779da03830bda1ed3ba9be4f23b2381096f3dc60c84a91ba0aa44242cc6aa361e2ecac867a2d1ef6868199ecb3004aa62bd56683c3476a9bd3f0316905e4f83ef5a907d9796231b9f506c82c09c739513a0db04467a071dcc34cb11bbba8cd3f1870174e04160ae74c2160a61a7c472e8edc51e969a2f0fb47cee59b67d401ecb13b06f72dcfb24f5850b8921b8bad14f7c6bd123c13b3a2ea1761fc425066ba107d61e96d2fa9b3ed88befec93578495ef4c7a1eb95d76679d1f5261f0202e1de881c5c5b1fb44f471a75a305d86df1123cd83c8bc9449c73cf34dbd247111c873bc1fc7948863bb59f2ac3d7129c2e7c3e0ef94afb38a01b3e42f83f42a5cc8e14cbe53c0c8d76768cdc98bef921aaca60204519b516d4c9de7cf581eec8a53faa2e2d96722d0ef2c23d5567ba48104890534cd84432565236cb3402504e0feb6c25426c52d2b2b42f10a007cdd38b540cf64a96ee784deb2b595deb4a9497f9a25ab06eab443010b66e7decc162dcbd7de12737d72a46ec0b8151e1ed42716af2c7602692d7c0ea757bc056c89d2640773a4c3c1a2297c87c13676e414003ff3af0d1abb87ba618e24a4dfe05c0b4443bda53d26c7e30f0dec498d9091074fe3444e81b9a4d8d7acc8b1e38f6afc63540a4e8880fd73bd34bc3563cc0a98bd35ce7455d5cf8a114bc2fe2fb9a58e725cc121e4e242fc0a9a8e38615bda67fd9f158e718154eb51d0ec3d941426933e36fba1db0d7b59d52be90aa796895e6a49fed0a7887b8d7c71a9aa023a8dc73391e3d1bfc746cde9f964d99625900624a8eb300f2d7d2f8703f470776088f27aaa72e7607dcd78cf63754cec00db23bb36beb48cffb20a06df884f101a9L
0x26c6b16ed40253ff31bdcd502d63230a9655f29599cfb41a29f10e700589e6a13a8c78f483e0aa8b9353fa258a1437ba15e8d2c8bb2b090a6887740b31d71550745611fabd087904f150b4d928d155a7fcdd1a64c7349ce984dfd08c4c795e93b409f53c1458e6de777dc5993198f4c0648381116fe5cbafa57499d9ce685c625df4797afc344e8fe4a0fc36cf82ba1423c8a4ad7a33bc4cbab25e2df729085f96d3d9d542d981fa46cac8a37ceb70b9f808213845c06b72be7e2d1224e4dc02817bd474c690e43f6d8f1916a20f2e078bfaa604343d695e6f5f88d9f11c43a886ff97d9bd26b0126af40bed8e03a43bf8c912b5b0dd2f9f2e7e99db066759f573cd59a40a554bebdd3e7e0adbc38fcb91adeb72f9dcd30558b082471a02fd9131a61cf29b1f4e38a5d689d8dcd0b8dc29075e3a33b2d6a25bee6ff9e20d269cc088a2b155be76a1531ce30b25edf928990b5143fc5ae2737d8d4070d0517f5137c458d7afed8f51e2c2973dd143235c9deaffe9ce8fbcd767a93573399dafd5ef61408c77302c993354a080684cdbfb7c1eeb6e6be907db790038c7ce62517815d16fe366bd26178f2f05b9e56450814f4ba7ab6cab54c5f78316b0451057785c03a77c20814eb405cd20e5bff5247a12500dd16173125ffdef4fb6317ab942d0d7e0e584a8fd97a8ba8d87fd38127d6d059902a2d48dafd10938ea5d108f3eb986aabf9e212151b0e540bb5fd25888143633be9982395d4d3bef5278be37328e0239569eb511698ef7f9e7e12aa204cb4c069ffcdeecb65f42ba37f7bfd47c4ba8df384a88adf3486b58cc1620185ac81dfb10f591fc82f3ae046341ebd1e8288f10500d6677e91b89729dfd299b74be13a9183725aacb0023f4fb01efda61390b0312d90ff6a9a319433681ad1811efe038fcdeb6dc1c3f594c4f8011aacfee74ea9638fccb3d669435a1208578c934277caa3ec74f9efbb33e024909b121e7b4e48ec94b762fa9dcab8a1c11b86bb9db164c7655504d304661e04e95b0b356f5968334596fb11df95bbdcb3a6618f431c864658827662f760fc86b2136221bd50472dc19c4f177eb5edf7978760dc15150cfda0a3ea649cb672b8f37229298c6edcc630e3ac9a5f43f58a93ba8def335472f7ebdedd7715a27c4ea622344a949bec59af030455ed61911d53388022bd502e800b769ef499f94f02c96f486b40ce68dbdc42e5690ac2992bedf7f0ba384504c32cb00a25d4e125483003152e81ebe9c12d928627d7f14fc3fbdf5141addc477d5ae4f32e64dcb58a6e2cf955ad7ae54e1665b3199bd0fae36b9ec56c09ac00efc9d27e69a93f4e08652edc3340fa2c518d388ee4a005b9c83956b9139b98380f6925a1a4c3e64ff8d96f2827d0d8a25cc72a2c03a28e33871284b46e10c85f2ad75969b1d84e9d88bb4e05dL
GuGfliJiRkNsUbbmB+g/q4U3z6YahJ6G1Q9bg6ZT/ilJnkNMICmQYMFuhlNBuVZHfJJIFwwFJ5FK
G+z9zSXalJq6quN6d3CSYSMHvYk04Orpn76Y2VQX5qQk72uCssd4x5KNIOmX0CvzJmjTWjLvL1U5
twQupfkuDr/axqyHFss3pJkj9o0IRZmtz87bi5WojeUjOaayQ0RNenJJzhJ+zFJwdUCpUhwotHxL
OPsUXYSoY7AKPwj53Dlsy0deNBKFN89BolC4pTwHWvn0M/8eu9kIze+5sQuKrk0VI5ASNzA6PRp1
owpgsxNuy18k6/y01+mVheQkFrH2IrFNgqe3+Gu/PXEDPi3G2nAIi/4Xf9QI0DNH+hkoN40zWaX3
OkEVQeLQ9o/KuggeoajYwDusFyQxOQZYFr5I+v8uBApcQz29bKIRiZX78r9YN3IaSsL0JgLPQPYa
NPNiZMm5pqmv/zV0poZikYGYJsAwfjLJ/CYQ/iLBhkhKZoE9VxYEae7Wga1jwpJb3h/lA3mbvQof
MTR6ivnSZHzUu3elxMFTgTi5adB4PsBdke0YRXlWP8/AoggBAN5OMw8n2LCASIhp7q/1iljNUuw/
40mBCt75jszo1eBBDAbP7/DjXL5hUHFgen6xjedcySq/H0ibyNGasyePs3e+igr78fHyvXyIYYPa
EtM4RjC3j3TXheRYRo9lObJgHUHSY0PgAgrqc1rECexNa+QCvzzapemNAEE9OT8YLOEkB6zzpSrZ
6k/NR9KffGnqplQlWAfXdDrf3SsOmWVJ3G6DvmpTCukQgVYn+DCv5LdSSUZo2hjxBHPv8C5zpZia
sPLDr+2CwUvccettO3wwrWQ1bPfRBZ7OSghvipbYI7awjt45tyxT5TopN7e3kud1s4bdm7da/KQD
DQ3pxylH7Kc2b8wWfptW2t9wEoqdjNezr24E+/c6kNIo9TmZ8mPigNBz/d7Sd5TzxhstmXoXscAv
FLpc7B/RhD5qwXWlYZwisemsTL6GVgBpaWI0zp4pk4DaQcT7FM17qddeHCiF5YD9g6TZBkYXnvke
5hW1JERYny3GjTNum8P3p9L3NHWpfAK2S90ChRwDb3nDy81B6b6K+YMNsJmmMjJhE/GbP6jMFE/2
cLIAsAT+Ssk/zNEJKXKe3gN4pQzBcDJksDxrlYJoYQE/rz1Ni7EpKiuuEUtODcGSCcRagh6t6cJV
yDh76DgxgjAvjATjPS6bdJ5PQWocTtjoMUvkMjbeEoWMuoe5cgsHl3HoYsLyxWwk1zn4BVSdjumi
D0o8juKUTFsFjN8yyNQyAA4KNRrhrIBdK8VTcsJC5JFjJnJiX1P6yrUWZPnH4YB3wIZwA5EkXjlg
tNrZghyWTMNoMs4GH6A=

38003142990385686484863558905791098358375993231657244276476071305023256088640
'''

先不断用c3pto函数得到key的值，因为在明文前面填充了iv，所以第一轮CBC加密时相当于0。因此先用ECB模式加密16个0就可以得到iv的值。解密之后去掉前16位iv再b2l得到n的值。又因为n是p的k次方，k是3到10的随机数，所以可以通过iroot来爆破得到p和k的值。然后phi就是p^4-p^3，常规rsa解密即可。

from Crypto.Util.number import *

# ans = 38003142990385686484863558905791098358375993231657244276476071305023256088640
# for i in range(3000):
#     ans = c3pto(ans)
#     if len(long_to_bytes(ans)) == 16:
#         print(long_to_bytes(ans))
#         print(i)
#         break
key = b'\xe3+\x91\t\x98\xf3\x1e\xc1:GdW\xa7\x9c\xed\xc8'

cipher = b'GuGfliJiRkNsUbbmB+g/q4U3z6YahJ6G1Q9bg6ZT/ilJnkNMICmQYMFuhlNBuVZHfJJIFwwFJ5FKG+z9zSXalJq6quN6d3CSYSMHvYk04Orpn76Y2VQX5qQk72uCssd4x5KNIOmX0CvzJmjTWjLvL1U5twQupfkuDr/axqyHFss3pJkj9o0IRZmtz87bi5WojeUjOaayQ0RNenJJzhJ+zFJwdUCpUhwotHxLOPsUXYSoY7AKPwj53Dlsy0deNBKFN89BolC4pTwHWvn0M/8eu9kIze+5sQuKrk0VI5ASNzA6PRp1owpgsxNuy18k6/y01+mVheQkFrH2IrFNgqe3+Gu/PXEDPi3G2nAIi/4Xf9QI0DNH+hkoN40zWaX3OkEVQeLQ9o/KuggeoajYwDusFyQxOQZYFr5I+v8uBApcQz29bKIRiZX78r9YN3IaSsL0JgLPQPYaNPNiZMm5pqmv/zV0poZikYGYJsAwfjLJ/CYQ/iLBhkhKZoE9VxYEae7Wga1jwpJb3h/lA3mbvQofMTR6ivnSZHzUu3elxMFTgTi5adB4PsBdke0YRXlWP8/AoggBAN5OMw8n2LCASIhp7q/1iljNUuw/40mBCt75jszo1eBBDAbP7/DjXL5hUHFgen6xjedcySq/H0ibyNGasyePs3e+igr78fHyvXyIYYPaEtM4RjC3j3TXheRYRo9lObJgHUHSY0PgAgrqc1rECexNa+QCvzzapemNAEE9OT8YLOEkB6zzpSrZ6k/NR9KffGnqplQlWAfXdDrf3SsOmWVJ3G6DvmpTCukQgVYn+DCv5LdSSUZo2hjxBHPv8C5zpZiasPLDr+2CwUvccettO3wwrWQ1bPfRBZ7OSghvipbYI7awjt45tyxT5TopN7e3kud1s4bdm7da/KQDDQ3pxylH7Kc2b8wWfptW2t9wEoqdjNezr24E+/c6kNIo9TmZ8mPigNBz/d7Sd5TzxhstmXoXscAvFLpc7B/RhD5qwXWlYZwisemsTL6GVgBpaWI0zp4pk4DaQcT7FM17qddeHCiF5YD9g6TZBkYXnvke5hW1JERYny3GjTNum8P3p9L3NHWpfAK2S90ChRwDb3nDy81B6b6K+YMNsJmmMjJhE/GbP6jMFE/2cLIAsAT+Ssk/zNEJKXKe3gN4pQzBcDJksDxrlYJoYQE/rz1Ni7EpKiuuEUtODcGSCcRagh6t6cJVyDh76DgxgjAvjATjPS6bdJ5PQWocTtjoMUvkMjbeEoWMuoe5cgsHl3HoYsLyxWwk1zn4BVSdjumiD0o8juKUTFsFjN8yyNQyAA4KNRrhrIBdK8VTcsJC5JFjJnJiX1P6yrUWZPnH4YB3wIZwA5EkXjlgtNrZghyWTMNoMs4GH6A='
from base64 import *
# print(b64decode(cipher))
from Crypto.Cipher import AES
aes = AES.new(key, AES.MODE_ECB)
iv = aes.encrypt(b'0'*16)
# iv = b'<\xf1t)J\xb94\x94\x96k\xb3\xa6\xd0l\x1f\x18'
# print(len(iv))
aes = AES.new(key, AES.MODE_CBC, iv)
# print(bytes_to_long(aes.decrypt(b64decode(cipher))[16:]))
n = 192099659971585644585994265356151893462377034960456794411988891865292985043855003153008582523342780428794810302819600257505211543181857907106415116235678327109890992104863370288179222517757670217778339429390238355802091081769000348240713104001227465195009290503347809694648095737603288589286587488951249122808668565718081375241590144993161651582987613212486939491481151331461062699460189663231086086438368188327851901136662178362187582946879512941211019554239356512237609083714797677920647956302526035540976096625395045576074618882913271336136197136983455626303177930159461486947144900160609689255459511724884379858318269727855760842754096692298627624434916921714588784746851193083162412064551556945404206854303755771760752959780690233660596074620616291920828653736584021095005924141651891036415545086668712524203621422434855332350634434410255685899978575653707114060202874964589333127633649581915659487394392054766924938473585908627256425677898409670003835577877230695953230779772624257018952499735317822119685099669750110189929339815489604592011705747522509443099530871227359100112168474188213599742539558713508525377201675194485642343270883438486906530571528359024979260422106335247512597006126883635090340753475080689838573417741101697005667509804117477078714343224837766971175288554228364175312803060405952234277289653353821049167680289322424370730116331485806992442330752262754657170209301796826520903516939270541484630918051998431104746567068050303837266511857593664457675203874622377426656951134697321668662464768461125119491757074002358277630438779981831394788463952738787381176350532134825112678994090733193226361777537532269515922485937976349665991399772388721397960468392351155664481353730638831836994949983037350384382753327305729403941493686341892251753278811372338966651828844911034352886809190060883995056847456555950315611326987545276629529435068813158170690823902054787362572088738335891773343913632258874832438998334332913261810760087047758552754566575308536675397251987093487164542963055804002441751864022715424662848335470359948420027756835213050500577294799638589135949755879898985814242501638839907383377834819866500082619067419468232672548637154121177897443704368253245514204975147693342503301921844252239673318375741456151277008424086433210309669337358030499431697081307189511178107489812792122478536534259554160073644974772253911579253927334216606449192146737795612311912838169178570116934403812068138348378295739329366212651044519758844001
e = 0x5b0cd450a7bfb679dc9caa8aa6fc131708fca2a34375d049ac035fb019463d9c3fa11adb0eb51dea1ae85223df59f887a12ab376cbcb272681c3872c57f4da27396052242b608e3ea4ff53061e63bbfdff652ce25f4ce73315fd1a73a5d5e7307402c7a3c6c1a80c63297b441125c38e23729da6473e5dc332e4e7201df25ff6c8b9918b262e56a31bebe13e093e6f4dba47a771961358cedf6d740732425cb708a633d538dcdc12ef7b49ce76aa270f50dd7cc1b879f1d7b19c6ac3b891fe4e20fb7645b7567237775881de7d30ba754d495ffe8ee751d1cfee1c661a2dbf13a53ff1bcf8085b39f6508fbf37137ebad659665fe5fcc67eef02970a44ac675e28103bd10f2045983d5adaa909b18b70a909b08b76c21b2798830276068d0ebd27303985bb5f3e681219a50bc761b7630587743768cf61922804d195e265aaaabb4740a2c5d7e8ff4e1c19cfb534d345f537e95e948591557f3136da617657e24d1904be373f5e7d63af330b837bcc662cbcd801eb436dbbeb714469d227e9f17e118db39eeb42e45455e6daf4d8fe0e19c4457b596c20e1ef8d235b230018a58e1c66c52c7317094aa5797f50a3b5ebe2be2abd1a04d907fbb68919956d7b0939ac0195a3f3bd3eb6f08eef67a895807768250172ec6bb2b35c9962de03df847170472b73981c04f2aef03721554c818ec9eb7f625d1a3fcdcf756adc4b6fd61950724ac2164a94df70f4aa1cc36c51dd2c3b6545c6c2233544254f6a24e6a170918fd0c533734ef859fed3c5d6f1f9acf8d3b77804c98fa5f1429763ebe860a77380a1e94626b46d88e5263855a0a0d226eb7ca64824c9a06acda851e650e6b035c04e27de61cd49ff49ac3ea3407440f9e76ce47c02301c1bc9c28befe0cd1f5b999961b055ffb39e2f451302aaedc5d779da03830bda1ed3ba9be4f23b2381096f3dc60c84a91ba0aa44242cc6aa361e2ecac867a2d1ef6868199ecb3004aa62bd56683c3476a9bd3f0316905e4f83ef5a907d9796231b9f506c82c09c739513a0db04467a071dcc34cb11bbba8cd3f1870174e04160ae74c2160a61a7c472e8edc51e969a2f0fb47cee59b67d401ecb13b06f72dcfb24f5850b8921b8bad14f7c6bd123c13b3a2ea1761fc425066ba107d61e96d2fa9b3ed88befec93578495ef4c7a1eb95d76679d1f5261f0202e1de881c5c5b1fb44f471a75a305d86df1123cd83c8bc9449c73cf34dbd247111c873bc1fc7948863bb59f2ac3d7129c2e7c3e0ef94afb38a01b3e42f83f42a5cc8e14cbe53c0c8d76768cdc98bef921aaca60204519b516d4c9de7cf581eec8a53faa2e2d96722d0ef2c23d5567ba48104890534cd84432565236cb3402504e0feb6c25426c52d2b2b42f10a007cdd38b540cf64a96ee784deb2b595deb4a9497f9a25ab06eab443010b66e7decc162dcbd7de12737d72a46ec0b8151e1ed42716af2c7602692d7c0ea757bc056c89d2640773a4c3c1a2297c87c13676e414003ff3af0d1abb87ba618e24a4dfe05c0b4443bda53d26c7e30f0dec498d9091074fe3444e81b9a4d8d7acc8b1e38f6afc63540a4e8880fd73bd34bc3563cc0a98bd35ce7455d5cf8a114bc2fe2fb9a58e725cc121e4e242fc0a9a8e38615bda67fd9f158e718154eb51d0ec3d941426933e36fba1db0d7b59d52be90aa796895e6a49fed0a7887b8d7c71a9aa023a8dc73391e3d1bfc746cde9f964d99625900624a8eb300f2d7d2f8703f470776088f27aaa72e7607dcd78cf63754cec00db23bb36beb48cffb20a06df884f101a9
c = 0x26c6b16ed40253ff31bdcd502d63230a9655f29599cfb41a29f10e700589e6a13a8c78f483e0aa8b9353fa258a1437ba15e8d2c8bb2b090a6887740b31d71550745611fabd087904f150b4d928d155a7fcdd1a64c7349ce984dfd08c4c795e93b409f53c1458e6de777dc5993198f4c0648381116fe5cbafa57499d9ce685c625df4797afc344e8fe4a0fc36cf82ba1423c8a4ad7a33bc4cbab25e2df729085f96d3d9d542d981fa46cac8a37ceb70b9f808213845c06b72be7e2d1224e4dc02817bd474c690e43f6d8f1916a20f2e078bfaa604343d695e6f5f88d9f11c43a886ff97d9bd26b0126af40bed8e03a43bf8c912b5b0dd2f9f2e7e99db066759f573cd59a40a554bebdd3e7e0adbc38fcb91adeb72f9dcd30558b082471a02fd9131a61cf29b1f4e38a5d689d8dcd0b8dc29075e3a33b2d6a25bee6ff9e20d269cc088a2b155be76a1531ce30b25edf928990b5143fc5ae2737d8d4070d0517f5137c458d7afed8f51e2c2973dd143235c9deaffe9ce8fbcd767a93573399dafd5ef61408c77302c993354a080684cdbfb7c1eeb6e6be907db790038c7ce62517815d16fe366bd26178f2f05b9e56450814f4ba7ab6cab54c5f78316b0451057785c03a77c20814eb405cd20e5bff5247a12500dd16173125ffdef4fb6317ab942d0d7e0e584a8fd97a8ba8d87fd38127d6d059902a2d48dafd10938ea5d108f3eb986aabf9e212151b0e540bb5fd25888143633be9982395d4d3bef5278be37328e0239569eb511698ef7f9e7e12aa204cb4c069ffcdeecb65f42ba37f7bfd47c4ba8df384a88adf3486b58cc1620185ac81dfb10f591fc82f3ae046341ebd1e8288f10500d6677e91b89729dfd299b74be13a9183725aacb0023f4fb01efda61390b0312d90ff6a9a319433681ad1811efe038fcdeb6dc1c3f594c4f8011aacfee74ea9638fccb3d669435a1208578c934277caa3ec74f9efbb33e024909b121e7b4e48ec94b762fa9dcab8a1c11b86bb9db164c7655504d304661e04e95b0b356f5968334596fb11df95bbdcb3a6618f431c864658827662f760fc86b2136221bd50472dc19c4f177eb5edf7978760dc15150cfda0a3ea649cb672b8f37229298c6edcc630e3ac9a5f43f58a93ba8def335472f7ebdedd7715a27c4ea622344a949bec59af030455ed61911d53388022bd502e800b769ef499f94f02c96f486b40ce68dbdc42e5690ac2992bedf7f0ba384504c32cb00a25d4e125483003152e81ebe9c12d928627d7f14fc3fbdf5141addc477d5ae4f32e64dcb58a6e2cf955ad7ae54e1665b3199bd0fae36b9ec56c09ac00efc9d27e69a93f4e08652edc3340fa2c518d388ee4a005b9c83956b9139b98380f6925a1a4c3e64ff8d96f2827d0d8a25cc72a2c03a28e33871284b46e10c85f2ad75969b1d84e9d88bb4e05d


from gmpy2 import *
from libnum import *
# for k in range(3, 10):
#     if iroot(n, k)[1]:
#         print(iroot(n, k)[0])
#         print(k)
k = 4 
p = 20935418603755826153357961486749000137883878122092541278485245382546346099923598569473814209357669395236788185259189925906627960621490996925200115559569329810746744675867738485473466021581185385430988547168263735484625716958718825113577345085361945421237478366338611831738408648424304228723729310335432168121087334054958276987167490905779911687736536416815227240962562460212183301435420718431023950641725670461044591993133883921646824589614644103106984493917214402278641218422432546374433956301830629567708335305598359150744372547912472684947785245810663217040977994966632748245272393755319650187559761562868158211001
print(isPrime(p))
phi = p ** 4 - p ** 3
d = invert(e, phi)
print(n2s(int(pow(c, d, n)))[64:])
# b'flag{6354ce3ac23cdfeccf16eb1a53df4423}'