第三届陕西省大学生网络安全技能大赛 部分crypto复现

奇怪的sar

lcg拿种子
爆破p的所有满足p^q = seed的可能然后求解
或者类似第五空间signin那题,不爆破所有可能(因为我爆破的脚本用的别人的,他用递归实现,1024位会超上限),只爆破低位

from Crypto.Util.number import *
from tqdm import trange
import gmpy2

c = 14883053247652228283811442762780942186987432684268901119544211089991663825267989728286381980568977804079766160707988623895155236079459150322336701772385709429870215701045797411519212730389048862111088898917402253368572002593328131895422933030329446097639972123501482601377059155708292321789694103528266681104521268192526745361895856566384239849048923482217529011549596939269967690907738755747213669693953769070736092857407573675987242774763239531688324956444305397953424851627349331117467417542814921554060612622936755420459029769026126293588814831034143264949347763031994934813475762839410192390466491651507733968227
e = 65537
n =  24044063028844014127418595700558729326190738802687551098858513077613750188240082663594575453404975706225242363463089392757425008423696150244560748490108425645064339883915929498539109384801415313004805586193044292137299902797522618277016789979196782551492020031695781792205215671106103568559626617762521687128199445018651010056934305055040748892733145467040663073395258760159451903432330506383025685265502086582538667772105057401245864822281535425692919273252955571196166824113519446568745718898654447958192533288063735350717599092500158028352667339959012630051251024677881674246253876293205648190626145653304572328397

seed = 39428646082513135314545544161912595458975375891528176714825766497155482031976852156313956476772023258684487799640179241987139554034654104867011313090105438798561154654679825702410748780286094326639330840289843154525176685892323447168072417654823748596238888125898914210332775882916911771786984574407163323116

def findp(p,plist):
    l=len(p)
    if l==600:
        plist.append(int(p,2))
    else:
        pp=int(p,2)
        qq=(seed^^pp)%2**l
        if pp*qq%2**l==n%2**l:
            findp('1'+p,plist)
            findp('0'+p,plist)

plist=[]
findp('1',plist)
print(plist)



for i in trange(len(plist)):
    PR.<x> = PolynomialRing(Zmod(n))
    f = x*2^600 + plist[i]
    f = f.monic()
    r = f.small_roots(X=2^424, beta=0.4)
    if r:
        p = int(plist[i]+r[0]* 2^600)
        if n%p == 0:
            break

q = n // p
d = gmpy2.invert(e, (p-1)*(q-1))
print(long_to_bytes(power_mod(c, d, n)))

M3

from Crypto.Util.number import *
from rsaAttack import rsaATTACK
from itertools import product
from string import digits
import gmpy2

c = 35771468551700967499031290145813826705314774357494021918317304230766070868171631520643911378972522363861624359732252684003796428570328730483253546904382041
n = 142672086626283587048017713116658568907056287246536918432205313755474498483915485435443731126588499776739329317569276048159601495493064346081295993762052633
e = 65537

pqh = str(n)[:19]
pql = str(n)[-18:]

# for i,j in product(digits,repeat=2):
#     pq = pqh + i + j + pql
#     tp = rsaATTACK.factor_n(int(pq))
#     if tp and len(tp) == 2 and tp[0].bit_length() == 64:
#         p, q = tp
#         break
# print(p,q)
p = 9937378783676979077 
q = 14357114660923972229
P = int(str(p) + str(q)) #128 
Q = int(str(q) + str(p)) #128 
PP = int(str(P) + str(Q)) #256 
QQ = int(str(Q) + str(P)) #256 

d = gmpy2.invert(e,(PP-1)*(QQ-1))
print(long_to_bytes(pow(c,d,n)))