HITCON 2019 Lost Modular again writeup

算是基础题,有很多之前题的影子,做不出来纯属菜。

题目

  • 加密脚本
from Crypto.Util.number import *

class Key:

    def __init__(self, bits):

        assert bits >= 512

        self.p = getPrime(bits)

        self.q = getPrime(bits)

        self.n = self.p * self.q

        self.e = 0x100007

        self.d = inverse(self.e, (self.p-1)*(self.q-1))

        self.dmp1 = self.d%(self.p-1)

        self.dmq1 = self.d%(self.q-1)

        self.iqmp = inverse(self.q, self.p)

        self.ipmq = inverse(self.p, self.q)

    def encrypt(self, data):

        num = bytes_to_long(data)

        result = pow(num, self.e, self.n)

        return long_to_bytes(result)

    def decrypt(self, data):

        num = bytes_to_long(data)

        v1 = pow(num, self.dmp1, self.p)

        v2 = pow(num, self.dmq1, self.q)

        result = (v2*self.p*self.ipmq+v1*self.q*self.iqmp) % self.n

        return long_to_bytes(result)

    def __str__(self):

        return "Key([e = {0}, n = {1}, x = {2}, y = {3}])".format(self.e, self.d, self.iqmp, self.ipmq)

def main():

    key = Key(1024)

    flag = open('flag').read()

    encrypt_flag = key.encrypt(flag)

    assert key.decrypt(encrypt_flag) == flag

    print key

    print encrypt_flag.encode('hex')

if __name__ == '__main__':

    main()
  • 输出
Key([e = 1048583, n = 20899585599499852848600179189763086698516108548228367107221738096450499101070075492197700491683249172909869748620431162381087017866603003080844372390109407618883775889949113518883655204495367156356586733638609604914325927159037673858380872827051492954190012228501796895529660404878822550757780926433386946425164501187561418082866346427628551763297010068329425460680225523270632454412376673863754258135691783420342075219153761633410012733450586771838248239221434791288928709490210661095249658730871114233033907339401132548352479119599592161475582267434069666373923164546185334225821332964035123667137917080001159691927, x = 22886390627173202444468626406642274959028635116543626995297684671305848436910064602418012808595951325519844918478912090039470530649857775854959462500919029371215000179065185673136642143061689849338228110909931445119687113803523924040922470616407096745128917352037282612768345609735657018628096338779732460743, y = 138356012157150927033117814862941924437637775040379746970778376921933744927520585574595823734209547857047013402623714044512594300691782086053475259157899010363944831564630625623351267412232071416191142966170634950729938561841853176635423819365023039470901382901261884795304947251115006930995163847675576699331])

32074de818f2feeb788e36d7d3ee09f0000381584a72b2fba0dcc9a2ebe5fd79cf2d6fd40c4dbfea27d3489704f2c1a30b17a783baa67229d02043c5bc9bdb995ae984d80a96bd79370ea2c356f39f85a12d16983598c1fb772f9183441fea5dfeb5b26455df75de18ce70a6a9e9dbc0a4ca434ba94cf4d1e5347395cf7aafa756c8a5bd6fd166bc30245a4bded28f5baac38d024042a166369f7515e8b0c479a1965b5988b350064648738f6585c0a0d1463bd536d11a105bb926b44236593b5c6c71ef5b132cd9c211e8ad9131aa53ffde88f5b0df18e7c45bcdb6244edcaa8d386196d25297c259fca3be37f0f2015f40cb5423a918c51383390dfd5a8703

初步分析

题目给定了e,d,x,y,\(x = q^{-1} \mod p,y = p^{-1} \mod q\)(代码命名混乱)。

根据rsa的原理,\(ed == 1 \mod \phi(n)\),故\(e*d-1\)一定是\(\phi(n)\)的倍数,即\(e*d-1==k*\phi(n)\),\(k\)是整数,由于\(d<n\)故\(k<e\)。\(e\)的值不是很大,通过枚举可以确定所有\(k\)的可能值,代入\(e*d-1==k*\phi(n)=k*(p-1)*(q-1)\),得到关于\(p,q\)的方程。凭借直觉,通过\(x,y\)肯定能确定另外一个方程,最后解出\(p,q\)。

另一个方程的推导

\[xq = 1 + w_1*p,yp = 1 + w_2*q
\]
\[xq-1 = w_1*p,yp-1 = w_2*q
\]

我们的目的是得到\(p,q\)的数量关系,势必要去掉\(w_1,w_2\)。所以两边相乘\(xypq-xq-yp+1=w_1w_2pq\),\(xq+yp-1= (xy-w_1w_2)*pq\)。这里我们知道\(x<p,y<q\)。所以\(0<(xy-w_1w_2)*pq<2*pq\)。这样我们就知道了其实\(xy-w_1w_2=1\)。这样我们又得到了一个关于\(p,q\)的等式。通过两个方程联立,最终可以解出\(p,q\)的值。

解决脚本

依赖

  • pycryptodome
  • tqdm
  • gmpy2
from Crypto.Util.number import long_to_bytes

from tqdm import trange

import gmpy2,binascii

d = 20899585599499852848600179189763086698516108548228367107221738096450499101070075492197700491683249172909869748620431162381087017866603003080844372390109407618883775889949113518883655204495367156356586733638609604914325927159037673858380872827051492954190012228501796895529660404878822550757780926433386946425164501187561418082866346427628551763297010068329425460680225523270632454412376673863754258135691783420342075219153761633410012733450586771838248239221434791288928709490210661095249658730871114233033907339401132548352479119599592161475582267434069666373923164546185334225821332964035123667137917080001159691927

x = 22886390627173202444468626406642274959028635116543626995297684671305848436910064602418012808595951325519844918478912090039470530649857775854959462500919029371215000179065185673136642143061689849338228110909931445119687113803523924040922470616407096745128917352037282612768345609735657018628096338779732460743

y = 138356012157150927033117814862941924437637775040379746970778376921933744927520585574595823734209547857047013402623714044512594300691782086053475259157899010363944831564630625623351267412232071416191142966170634950729938561841853176635423819365023039470901382901261884795304947251115006930995163847675576699331

e = 1048583

klist = []

for i in trange(1,e):

    if (e*d-1)%i==0:

        klist.append(i)

print(len(klist))

nlist = []

for k in klist:

    w = (e*d-1)//k

    a = y-1

    b = x-y-w

    c = 1-x+w*x

    delt = b*b-4*a*c

    if delt<0 :

        continue

    s,t = gmpy2.isqrt_rem(delt)

    if t!=0:

        continue

    if (s-b)%(2*a)!=0:

        continue

    q = (s-b)//(2*a)

    if (w+q-1)%(q-1)!=0:

        continue

    p = (w+q-1)//(q-1)

    n = p*q

    nlist.append(n)

print(nlist)

n = 22509077260984027608263845908083202879597081619164800783060781115945741547031252889863077300004310236160814653393991988068104999928735140821504649764471313283345921984799288521496479399032837319974588038186917872597078510975400908137738190304700710900604891709265153418588830065918981914371070605822998222527238465925300150253661563857557769597206945843298561291788401379974127990007737364134474570192828364417568030703631487414510799126846577679080152555651843717973023204220528124089432708534457966658829476472791371567790491496967424845002161008643478300481541860754837427906812836584810660110698219790829058527133

c = 0x32074de818f2feeb788e36d7d3ee09f0000381584a72b2fba0dcc9a2ebe5fd79cf2d6fd40c4dbfea27d3489704f2c1a30b17a783baa67229d02043c5bc9bdb995ae984d80a96bd79370ea2c356f39f85a12d16983598c1fb772f9183441fea5dfeb5b26455df75de18ce70a6a9e9dbc0a4ca434ba94cf4d1e5347395cf7aafa756c8a5bd6fd166bc30245a4bded28f5baac38d024042a166369f7515e8b0c479a1965b5988b350064648738f6585c0a0d1463bd536d11a105bb926b44236593b5c6c71ef5b132cd9c211e8ad9131aa53ffde88f5b0df18e7c45bcdb6244edcaa8d386196d25297c259fca3be37f0f2015f40cb5423a918c51383390dfd5a8703

m = gmpy2.powmod(c,d,n)

print(long_to_bytes(m))

HITCON 2019 Lost Modular again writeup的更多相关文章

  1. 【CTF】2019湖湘杯 miscmisc writeup

    题目来源:2019湖湘杯 题目链接:https://adworld.xctf.org.cn/task/answer?type=misc&number=1&grade=1&id= ...

  2. Crypto CTF 2019 writeup

    Crypto CTF 2019 writeup roXen 题目 roXen Relationship with a cryptographer! The Girlfriend: All you ev ...

  3. 2019全国大学生信息安全与对抗技术竞赛全国线下总决赛 Writeup

    0x00 Begin 关于 ISCC 2019 北理工总决赛,这一次比赛体验感总体差不多,最后我们战队荣获全国一等奖第一名,在这里非常感谢我的团队以及我的队友. 0x01 Reverse 下载题目:e ...

  4. 2019年上海市大学生网络安全大赛两道misc WriteUp

    2019年全国大学生网络安全邀请赛暨第五届上海市大学生网络安全大赛 做出了两道Misc== 签到 题干 解题过程 题干提示一直注册成功,如果注册失败也许会出现flag. 下载下来是包含010edito ...

  5. 第16届(2019)全国大学生信息安全与对抗技术竞赛全国线下总决赛 Writeup

    笔者<Qftm>原文发布<BitHack>:https://bithack.io/forum/469/answer/333 0x00 Begin 关于 ISCC 2019 北理 ...

  6. 2019年领航杯 江苏省网络信息安全竞赛 初赛部分writeup

    赛题已上传,下载连接:https://github.com/raddyfiy/2019linghangcup 做出了全部的misc和前三道逆向题,排名第10,暂且贴一下writeup. 关卡一 编码解 ...

  7. 2019 第十届 SWPUCTF writeup(Pwn)

    p1KkHeap 0.环境 1.文件信息 2.文件开启的保护 3.IDA分析 main函数 add show edit delete delete功能出现了指针悬浮的问题,配合上tcache,可以任意 ...

  8. 2019全国大学生信息安全竞赛部分Web writeup

    JustSoso 0x01 审查元素发现了提示,伪协议拿源码 /index.php?file=php://filter/read=convert.base64-encode/resource=inde ...

  9. 2019第十二届全国大学生信息安全实践创新赛线上赛Writeup

    本文章来自https://www.cnblogs.com/iAmSoScArEd/p/10780242.html  未经允许不得转载! 1.MISC-签到 下载附件后,看到readme.txt打开后提 ...

随机推荐

  1. 为 Rainbond Ingress Controller 设置负载均衡

    Rainbond 作为一款云原生应用管理平台,天生带有引导南北向网络流量的分布式网关 rbd-gateway.rbd-gateway 组件,实际上是好雨科技团队开发的一种 Ingress Contro ...

  2. 学习java 6.29

    今天是学习Java的第一天. 学习内容:了解了JDK的下载和安装: 学会了如何配置Path环境变量及安装eclipse: 执行了HelloWorld案例: 在Java中关键字需要小写,Java中最基本 ...

  3. 大数据学习day29-----spark09-------1. 练习: 统计店铺按月份的销售额和累计到该月的总销售额(SQL, DSL,RDD) 2. 分组topN的实现(row_number(), rank(), dense_rank()方法的区别)3. spark自定义函数-UDF

    1. 练习 数据: (1)需求1:统计有过连续3天以上销售的店铺有哪些,并且计算出连续三天以上的销售额 第一步:将每天的金额求和(同一天可能会有多个订单) SELECT sid,dt,SUM(mone ...

  4. 【Android】No Android SDK found(mac)+ 真机调试

     [1]No Android SDK found 如果没下载SDK,可以去google官方下载 如果因为上网问题,这里提供两个网址,有人整理好了,这里先谢谢他们,下面两个择其一下载 http://to ...

  5. Oracle中常用的系统表

    1.dba开头的表 dba_users 数据库用户信息 dba_segments 表段信息 dba_extents 数据区信息 dba_objects 数据库对象信息 dba_tablespaces ...

  6. Advanced C++ | Conversion Operators

    In C++, the programmer abstracts real world objects using classes as concrete types. Sometimes it is ...

  7. canal整合springboot实现mysql数据实时同步到redis

    业务场景: 项目里需要频繁的查询mysql导致mysql的压力太大,此时考虑从内存型数据库redis里查询,但是管理平台里会较为频繁的修改增加mysql里的数据 问题来了: 如何才能保证mysql的数 ...

  8. sf02_选择排序算法Java Python rust 实现

    Java 实现 package common; public class SimpleArithmetic { /** * 选择排序 * 输入整形数组:a[n] [4.5.3.7] * 1. 取数组编 ...

  9. OpenStack之一:初始化环境

    初始化环境必须在左右节点执行 #:注意node节点要使用7.2 #: 关闭NetworkManager [root@localhost ~]# systemctl stop NetworkManage ...

  10. RocketMQ应用及原理剖析

    主流消息队列选型对比分析 基础项对比 可用性.可靠性对比 功能性对比 对比分析 Kafka:系统间的流数据通道 RocketMQ:高性能的可靠消息传输 RabbitMQ:可靠消息传输 RocketMQ ...