BUUCTF/HDCTF2019 - bbbbbbrsa
给了两个文件。
第一个enc:
p = 177077389675257695042507998165006460849 n = 37421829509887796274897162249367329400988647145613325367337968063341372726061 c = ==gMzYDNzIjMxUTNyIzNzIjMyYTM4MDM0gTMwEjNzgTM2UTN4cjNwIjN2QzM5ADMwIDNyMTO4UzM2cTM5kDN2MTOyUTO5YDM0czM3MjM
第二个encode.py
from base64 import b64encode as b32encode from gmpy2 import invert,gcd,iroot from Crypto.Util.number import * from binascii import a2b_hex,b2a_hex import random flag = "******************************" nbit = 128 p = getPrime(nbit) q = getPrime(nbit) n = p*q print p print n phi = (p-1)*(q-1) e = random.randint(50000,70000) while True: if gcd(e,phi) == 1: break; else: e -= 1; c = pow(int(b2a_hex(flag),16),e,n) print b32encode(str(c))[::-1]
————————分割线qwq————————
通过给的n可以求出来q,这个母庸置疑:
211330365658290458913359957704294614589
那个c,在encode.py的结尾写的很清楚了。首先给它翻转过来得到:
MjM3Mzc0MDY5OTUyOTM2NDk5MTc2MzU4OTMyNDIwMDA5MzQ2NjIwNjc4NTU2MTgzNjEwMTg0MDM4MTYyMjIzNzIyNTUxMjIzNDYzMg==
又因为from base64 import b64encode as b32encode,
所以虽然写的是b32encode,其实我是base64加密的啦。得到C:
2373740699529364991763589324200093466206785561836101840381622237225512234632
最后还差一个e了,根据encode.py里的
e = random.randint(50000,70000)得知,e是在50000到70000之间的一个数字。
我的解决办法是写脚本遍历所有符合条件的50000到70000之间的数字,将输出的东西放入flag.txt中进行筛选。
import gmpy2 import libnum import base64 import random p = gmpy2.mpz(177077389675257695042507998165006460849) q = gmpy2.mpz(211330365658290458913359957704294614589) c = gmpy2.mpz(2373740699529364991763589324200093466206785561836101840381622237225512234632) s = (p- 1) * (q - 1) n = p *q flag = open("flag.txt",'w') for e in range(50000,70001): try: d = gmpy2.invert(e, s) flag.write(libnum.n2s(pow(c, d, n))) except: pass