HITCON 2019 Lost Modular again writeup

算是基础题,有很多之前题的影子,做不出来纯属菜。

题目

  • 加密脚本
from Crypto.Util.number import *

class Key:

    def __init__(self, bits):

        assert bits >= 512

        self.p = getPrime(bits)

        self.q = getPrime(bits)

        self.n = self.p * self.q

        self.e = 0x100007

        self.d = inverse(self.e, (self.p-1)*(self.q-1))

        self.dmp1 = self.d%(self.p-1)

        self.dmq1 = self.d%(self.q-1)

        self.iqmp = inverse(self.q, self.p)

        self.ipmq = inverse(self.p, self.q)

    def encrypt(self, data):

        num = bytes_to_long(data)

        result = pow(num, self.e, self.n)

        return long_to_bytes(result)

    def decrypt(self, data):

        num = bytes_to_long(data)

        v1 = pow(num, self.dmp1, self.p)

        v2 = pow(num, self.dmq1, self.q)

        result = (v2*self.p*self.ipmq+v1*self.q*self.iqmp) % self.n

        return long_to_bytes(result)

    def __str__(self):

        return "Key([e = {0}, n = {1}, x = {2}, y = {3}])".format(self.e, self.d, self.iqmp, self.ipmq)

def main():

    key = Key(1024)

    flag = open('flag').read()

    encrypt_flag = key.encrypt(flag)

    assert key.decrypt(encrypt_flag) == flag

    print key

    print encrypt_flag.encode('hex')

if __name__ == '__main__':

    main()
  • 输出
Key([e = 1048583, n = 20899585599499852848600179189763086698516108548228367107221738096450499101070075492197700491683249172909869748620431162381087017866603003080844372390109407618883775889949113518883655204495367156356586733638609604914325927159037673858380872827051492954190012228501796895529660404878822550757780926433386946425164501187561418082866346427628551763297010068329425460680225523270632454412376673863754258135691783420342075219153761633410012733450586771838248239221434791288928709490210661095249658730871114233033907339401132548352479119599592161475582267434069666373923164546185334225821332964035123667137917080001159691927, x = 22886390627173202444468626406642274959028635116543626995297684671305848436910064602418012808595951325519844918478912090039470530649857775854959462500919029371215000179065185673136642143061689849338228110909931445119687113803523924040922470616407096745128917352037282612768345609735657018628096338779732460743, y = 138356012157150927033117814862941924437637775040379746970778376921933744927520585574595823734209547857047013402623714044512594300691782086053475259157899010363944831564630625623351267412232071416191142966170634950729938561841853176635423819365023039470901382901261884795304947251115006930995163847675576699331])

32074de818f2feeb788e36d7d3ee09f0000381584a72b2fba0dcc9a2ebe5fd79cf2d6fd40c4dbfea27d3489704f2c1a30b17a783baa67229d02043c5bc9bdb995ae984d80a96bd79370ea2c356f39f85a12d16983598c1fb772f9183441fea5dfeb5b26455df75de18ce70a6a9e9dbc0a4ca434ba94cf4d1e5347395cf7aafa756c8a5bd6fd166bc30245a4bded28f5baac38d024042a166369f7515e8b0c479a1965b5988b350064648738f6585c0a0d1463bd536d11a105bb926b44236593b5c6c71ef5b132cd9c211e8ad9131aa53ffde88f5b0df18e7c45bcdb6244edcaa8d386196d25297c259fca3be37f0f2015f40cb5423a918c51383390dfd5a8703

初步分析

题目给定了e,d,x,y,\(x = q^{-1} \mod p,y = p^{-1} \mod q\)(代码命名混乱)。

根据rsa的原理,\(ed == 1 \mod \phi(n)\),故\(e*d-1\)一定是\(\phi(n)\)的倍数,即\(e*d-1==k*\phi(n)\),\(k\)是整数,由于\(d<n\)故\(k<e\)。\(e\)的值不是很大,通过枚举可以确定所有\(k\)的可能值,代入\(e*d-1==k*\phi(n)=k*(p-1)*(q-1)\),得到关于\(p,q\)的方程。凭借直觉,通过\(x,y\)肯定能确定另外一个方程,最后解出\(p,q\)。

另一个方程的推导

\[xq = 1 + w_1*p,yp = 1 + w_2*q
\]
\[xq-1 = w_1*p,yp-1 = w_2*q
\]

我们的目的是得到\(p,q\)的数量关系,势必要去掉\(w_1,w_2\)。所以两边相乘\(xypq-xq-yp+1=w_1w_2pq\),\(xq+yp-1= (xy-w_1w_2)*pq\)。这里我们知道\(x<p,y<q\)。所以\(0<(xy-w_1w_2)*pq<2*pq\)。这样我们就知道了其实\(xy-w_1w_2=1\)。这样我们又得到了一个关于\(p,q\)的等式。通过两个方程联立,最终可以解出\(p,q\)的值。

解决脚本

依赖

  • pycryptodome
  • tqdm
  • gmpy2
from Crypto.Util.number import long_to_bytes

from tqdm import trange

import gmpy2,binascii

d = 20899585599499852848600179189763086698516108548228367107221738096450499101070075492197700491683249172909869748620431162381087017866603003080844372390109407618883775889949113518883655204495367156356586733638609604914325927159037673858380872827051492954190012228501796895529660404878822550757780926433386946425164501187561418082866346427628551763297010068329425460680225523270632454412376673863754258135691783420342075219153761633410012733450586771838248239221434791288928709490210661095249658730871114233033907339401132548352479119599592161475582267434069666373923164546185334225821332964035123667137917080001159691927

x = 22886390627173202444468626406642274959028635116543626995297684671305848436910064602418012808595951325519844918478912090039470530649857775854959462500919029371215000179065185673136642143061689849338228110909931445119687113803523924040922470616407096745128917352037282612768345609735657018628096338779732460743

y = 138356012157150927033117814862941924437637775040379746970778376921933744927520585574595823734209547857047013402623714044512594300691782086053475259157899010363944831564630625623351267412232071416191142966170634950729938561841853176635423819365023039470901382901261884795304947251115006930995163847675576699331

e = 1048583

klist = []

for i in trange(1,e):

    if (e*d-1)%i==0:

        klist.append(i)

print(len(klist))

nlist = []

for k in klist:

    w = (e*d-1)//k

    a = y-1

    b = x-y-w

    c = 1-x+w*x

    delt = b*b-4*a*c

    if delt<0 :

        continue

    s,t = gmpy2.isqrt_rem(delt)

    if t!=0:

        continue

    if (s-b)%(2*a)!=0:

        continue

    q = (s-b)//(2*a)

    if (w+q-1)%(q-1)!=0:

        continue

    p = (w+q-1)//(q-1)

    n = p*q

    nlist.append(n)

print(nlist)

n = 22509077260984027608263845908083202879597081619164800783060781115945741547031252889863077300004310236160814653393991988068104999928735140821504649764471313283345921984799288521496479399032837319974588038186917872597078510975400908137738190304700710900604891709265153418588830065918981914371070605822998222527238465925300150253661563857557769597206945843298561291788401379974127990007737364134474570192828364417568030703631487414510799126846577679080152555651843717973023204220528124089432708534457966658829476472791371567790491496967424845002161008643478300481541860754837427906812836584810660110698219790829058527133

c = 0x32074de818f2feeb788e36d7d3ee09f0000381584a72b2fba0dcc9a2ebe5fd79cf2d6fd40c4dbfea27d3489704f2c1a30b17a783baa67229d02043c5bc9bdb995ae984d80a96bd79370ea2c356f39f85a12d16983598c1fb772f9183441fea5dfeb5b26455df75de18ce70a6a9e9dbc0a4ca434ba94cf4d1e5347395cf7aafa756c8a5bd6fd166bc30245a4bded28f5baac38d024042a166369f7515e8b0c479a1965b5988b350064648738f6585c0a0d1463bd536d11a105bb926b44236593b5c6c71ef5b132cd9c211e8ad9131aa53ffde88f5b0df18e7c45bcdb6244edcaa8d386196d25297c259fca3be37f0f2015f40cb5423a918c51383390dfd5a8703

m = gmpy2.powmod(c,d,n)

print(long_to_bytes(m))

HITCON 2019 Lost Modular again writeup的更多相关文章

  1. 【CTF】2019湖湘杯 miscmisc writeup

    题目来源:2019湖湘杯 题目链接:https://adworld.xctf.org.cn/task/answer?type=misc&number=1&grade=1&id= ...

  2. Crypto CTF 2019 writeup

    Crypto CTF 2019 writeup roXen 题目 roXen Relationship with a cryptographer! The Girlfriend: All you ev ...

  3. 2019全国大学生信息安全与对抗技术竞赛全国线下总决赛 Writeup

    0x00 Begin 关于 ISCC 2019 北理工总决赛,这一次比赛体验感总体差不多,最后我们战队荣获全国一等奖第一名,在这里非常感谢我的团队以及我的队友. 0x01 Reverse 下载题目:e ...

  4. 2019年上海市大学生网络安全大赛两道misc WriteUp

    2019年全国大学生网络安全邀请赛暨第五届上海市大学生网络安全大赛 做出了两道Misc== 签到 题干 解题过程 题干提示一直注册成功,如果注册失败也许会出现flag. 下载下来是包含010edito ...

  5. 第16届(2019)全国大学生信息安全与对抗技术竞赛全国线下总决赛 Writeup

    笔者<Qftm>原文发布<BitHack>:https://bithack.io/forum/469/answer/333 0x00 Begin 关于 ISCC 2019 北理 ...

  6. 2019年领航杯 江苏省网络信息安全竞赛 初赛部分writeup

    赛题已上传,下载连接:https://github.com/raddyfiy/2019linghangcup 做出了全部的misc和前三道逆向题,排名第10,暂且贴一下writeup. 关卡一 编码解 ...

  7. 2019 第十届 SWPUCTF writeup(Pwn)

    p1KkHeap 0.环境 1.文件信息 2.文件开启的保护 3.IDA分析 main函数 add show edit delete delete功能出现了指针悬浮的问题,配合上tcache,可以任意 ...

  8. 2019全国大学生信息安全竞赛部分Web writeup

    JustSoso 0x01 审查元素发现了提示,伪协议拿源码 /index.php?file=php://filter/read=convert.base64-encode/resource=inde ...

  9. 2019第十二届全国大学生信息安全实践创新赛线上赛Writeup

    本文章来自https://www.cnblogs.com/iAmSoScArEd/p/10780242.html  未经允许不得转载! 1.MISC-签到 下载附件后,看到readme.txt打开后提 ...

随机推荐

  1. MapReduce07 Join多种应用

    目录 1 Join多种应用 1.1 Reduce Join 1.2 Reduce Join实例实操 需求 需求分析 Map数据处理 Reduce端合并(数据倾斜) 代码实现 JoinBean类 Joi ...

  2. nodejs-os模块

    JavaScript 标准参考教程(alpha) 草稿二:Node.js os模块 GitHub TOP os模块 来自<JavaScript 标准参考教程(alpha)>,by 阮一峰 ...

  3. Oracle中的instr函数

    最近修改某个条件,由原来输入一个数据修改为可以输入多个,如图所示: 在实现时用到了regexp_substr函数进行分割连接起来的数据,查询时还用到了instr函数进行判断,但出现了问题,当子库存输入 ...

  4. gen already exists but is not a source folder. Convert to a source folder or rename it 的解决办法

    1. Right click on the project and go to "Properties" //鼠标右键点击项目,然后选中Properties   2. Select ...

  5. Simulating final class in C++

    Ever wondered how can you design a class in C++ which can't be inherited. Java and C# programming la ...

  6. Restful、SOAP、RPC、SOA、微服务之间的区别

    什么是Restful Restful是一种架构设计风格,提供了设计原则和约束条件,而不是架构,而满足这些约束条件和原则的应用程序或设计就是 Restful架构或服务. 主要的设计原则: 资源与URI ...

  7. Spring Cloud中,如何解决Feign整合Hystrix第一次请求失败的问题

    Spring Cloud中,Feign和Ribbon在整合了Hystrix后,可能会出现首次调用失败的问题,要如何解决该问题呢? 造成该问题的原因 Hystrix默认的超时时间是1秒,如果超过这个时间 ...

  8. apply 和 call 的区别

    相同点: 都能够改变方法的执行上下文(执行环境),将一个对象的方法交给另一个对象来执行,并且是立即执行 不同点: call方法从第二个参数开始可以接收任意个参数,每个参数会映射到相应位置的func的参 ...

  9. java异常处理中throws和throw的使用

    异常介绍: 运行时异常.非运行时异常 在编写可能会抛出异常的方法时,它们都必须声明为有异常. 一.throws关键字 1.声明方法可能抛出的异常: 2.写在方法名后面: 3.可声明抛出多个异常,异常名 ...

  10. 关于synchronize与lock的区别

    参考文献:https://www.cnblogs.com/cloudblogs/p/6440160.html 一.synchronize修饰不同代码都是锁住了什么? 大家都知道synchronize可 ...