2020三四月份比赛的RSA

HackTM-RSA is easy #1 MRCTF-easy_RSA MRCTF-baby_RSA

1、HackTM-RSA is easy #1

打开文件的得到公钥信息和已经加密过后的列表，重点观察给出的代码的这个函数
可以发现该函数是对字符逐个加密得到最后的密文，因此考虑列出所有的可能的字符进行逐个校验，代码如下：

L = ['1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t',
'u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','{','}','/',';','@','_','?','@','!']

e,n = 65537, 28150970547901913019901824364390497053600856369839321617996700606130553862041378369018779003752433356889118526332329074054728613209407037089320809898343953157935211086135010436283805891893636870991411236307901650696221491790470635225076251966300189483160148297407974155121570252648252906976186499329924342873


C = [24603931406187071861602497345394097692989773194039735745762181586628499407802825983901643034231448504738113184470035863824128031443012073830520233613935485192804104698999763287388765215634314977991988580048221541560353418280294402691661980705832590960497587810514295642811714680627768268704899874164681718449, 1122631805966406666916352930872557620863215380677676237242967102686192773706020560402074190434834372221567047122563083906512958976735676584827100016698288227163...]

for i in range(len(C)):
	for j in range(len(L)):
		w = pow(ord(L[j]), e, n)
		if w == C[i]:
			print(L[j], end="")

2、MRCTF-easy_RSA

本题个人看来是纯数学思维的计算，由gen_p()和gen_q分别计算出_P和_Q。
先来看gen_p()，已知n，r，求p，q，是一个二元一次方程的问题，这里运用了用二分法。

n=14057332139537395701238463644827948204030576528558543283405966933509944444681257521108769303999679955371474546213196051386802936343092965202519504111238572269823072199...
r=14057332139537395701238463644827948204030576528558543283405966933509944444681257521108769303999679955371474546213196051386802936343092965202519504111238572269823072199...

c1=n-r+1
print c1

l=c1/2
r=c1
p=(l+r)/2
y=p*(c1-p)

while l<r:
	p=(l+r)/2
	y=p*(c1-p)
        if y==n:
            print p
            break
        if y>n:
		print 'y>n'
		l=p
        else:
		print 'y
		r=p
        print 'done'
q=c1-p
print q
if p>q:
    p,q=q,p
factor2 = 2021 * p + 2020 * q
if factor2 < 0:
    factor2 = (-1) * factor2
    
_P=sympy.nextprime(factor2)

接下来求_Q，分析知我们需要根据n，e*d求出p，q。这个算法参考RSA总结的文章，最后求出了_Q

Q_n = 2071429833816044974954536074368801884287727405454085209645948528393680234127136376615797611252503400431993805403493488086095696658505168448366253578062167331...
Q_E_D = 1007720792222981345861161568507428178554081277169628919292598687466725726023339189580755826717524936182595182863361227727033301830372211050582986534907943378...
f, s, tem = Q_E_D-1, 0, 1
while f % 2 == 0:
    f = f // 2
    s += 1
i, a, t = s, 2, f
b = pow(a, t, Q_n)
while b == 1:
    a = sympy.nextprime(a)
    b = pow(a, t, Q_n)

while i != 1:
    c = pow(b, 2, Q_n)
    if c != 1:
        b = c
        i -= 1
    else:
        break
if b == Q_n-1:
    a = sympy.nextprime(a)
    b = pow(a, t, Q_n)
    while b == 1:
        a = sympy.nextprime(a)
        b = pow(a, t, Q_n)

p = gcd(b-1, Q_n)
q = Q_n//p

factor2 = 2021 * p - 2020 * q
if factor2 < 0:
    factor2 = (-1) * factor2
_Q = sympy.nextprime(factor2)

现在_P和_Q都求出，最后常规方法求出flag

3、MRCTF-baby_RSA

与上题的思路方法类似，分别求出_P,_Q
这里gen_p()函数中，有一个素数数组P[ ]，已知P[9]，则可以往前逐个枚举，找出P[0]，再继续对P列表进行赋值。这里需要注意的是n是由多个素数因子相乘获得。
而这里的gen_q()十分简单，这里把Q = sub_Q ** Q_2 % Q_1 改为Q=pow(sub_Q,Q_2,Q_1)。

import sympy
import random
from gmpy2 import gcd, invert
from Crypto.Util.number import getPrime, isPrime, getRandomNBitInteger, bytes_to_long, long_to_bytes
from z3 import *

e = 65537

P_p = 206027926847308612719677572554991143421
P_factor = 2136717427659089807871165799762896005958647045741344691731117909652336299095138847041584469464099104757275843426418485978589422091511146273062863933902597002396...

c = 9
while c>0:
	P_p -= 2
	if isPrime(P_p):
		c -= 1

print P_p

P = [0 for i in range(17)]
P[0] = P_p
for i in range(1, 17):
	P[i] = sympy.nextprime(P[i-1])
n = 1
r = 1
for i in range(17):
	r *= P[i]-1
	n *= P[i]
	

p=sympy.nextprime(pow(P_factor,invert(e,r),n))

Q_1 = 1037664398494655880846250494957938576345565170645634884331482245246381059711610517631277184380628625481848147476012994940528136628514597401274995577853987144...
Q_2 = 1510107342769169397905914612789814864425480350323507973064961051363587235869531234840878601764386298436884626716817775136529475553256074148585145660535132430...
sub_Q = 168992529793593315757895995101430241994953638330919314800130536809801824971112039572562389449584350643924391984800978193707795909956472992631004290479273525116...
Q=pow(sub_Q,Q_2,Q_1)

q=sympy.nextprime(Q)

Ciphertext =  17091872405163671414608621877494510476440948857917616735746743308408427921897950499683941222168544917579226476564309085870599970704886742203308478718118367245419076...

m=pow(Ciphertext,invert(e,(p-1)*(q-1)),p*q)

flag=long_to_bytes(m)
print flag