1.OVO开门爽!开到南天门了兄弟
from Crypto.Util.number import *
# Placeholder flag; the real value is hidden from players.
flag = b'BuildCTF{******}'
# Generate p and q at random
p = getPrime(1024)
q = getPrime(1024)
# Compute the modulus n
n = p*q
e = 65537
m = bytes_to_long(flag)
# c = m^e mod n; the message is encrypted directly, without any padding.
c = pow(m, e, n)
# NOTE(review): the next two prints emit the squares of the secret primes.
# An exact integer square root returns p and q, so the private key is fully
# disclosed next to the ciphertext. Nothing computed from p or q should be
# published alongside n.
print('P = ',p**2)
print('Q = ',q**2)
print('n = ',n)
print('e = ',e)
print('c = ',c)
BuildCTF{We1c0Me_b@cK_To_7uNiOr_h19H!!!}
2.我这辈子就是被古典给害了
from Crypto.Util.Padding import pad, unpad
from Crypto.Random import get_random_bytes
from Crypto.Cipher import AES
from secret import flag, key
# Letter -> index table (A=0 ... Z=25) and its inverse, index -> letter,
# shared by the classical cipher routines in this script.
dict1 = {chr(ord('A') + offset): offset for offset in range(26)}
dict2 = {offset: symbol for symbol, offset in dict1.items()}
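def generate_key(flag, key):
    """Extend ``key`` with the leading characters of ``flag``.

    Characters of ``flag`` are appended to ``key`` one at a time, starting at
    index 0, until both strings have the same length.

    Args:
        flag: The message whose characters lengthen the key.
        key: The initial key.

    Returns:
        The lengthened key, exactly ``len(flag)`` characters long.

    Raises:
        IndexError: If ``key`` is already longer than ``flag``; the lengths
            can then never match and the scan runs off the end of ``flag``.
    """
    # The listing had lost its indentation; the loop body is restored here.
    # NOTE(review): the key stream is built from the message itself, so any
    # known part of the message also exposes the matching part of the key.
    i = 0
    while len(key) != len(flag):
        key += flag[i]
        i += 1
    return key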
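def cipherText(msg, key_new):
    """Encrypt ``msg`` by adding the key letter to each message letter mod 26.

    Uses the module-level tables ``dict1`` (letter -> index) and ``dict2``
    (index -> letter).

    Args:
        msg: Message made of the letters A-Z.
        key_new: Key stream, at least as long as ``msg``.

    Returns:
        The ciphertext as a string of the same length as ``msg``.

    Raises:
        KeyError: If ``msg`` or the used part of ``key_new`` holds a character
            that is not a key of ``dict1``.
        IndexError: If ``key_new`` is shorter than ``msg``.
    """
    # The listing had lost its indentation; the loop body is restored here.
    cipher_text = ''
    for i, letter in enumerate(msg):
        x = (dict1[letter] + dict1[key_new[i]]) % 26
        cipher_text += dict2[x]
    return cipher_text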
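def AES_enc(key, value):
    """Encrypt ``value`` with AES in ECB mode and print the ciphertext.

    Args:
        key: Text key; it is repeated twice and encoded to form the AES key.
        value: Text to encrypt; it is encoded and padded to the block size.

    Returns:
        None. The ciphertext is only printed.
    """
    # The listing had lost its indentation; the body is restored here.
    # NOTE(review): ECB encrypts equal plaintext blocks to equal ciphertext
    # blocks and offers no integrity protection. The AES key is also just a
    # short text string written twice, so its strength is that of the short
    # string, not of a random AES key.
    key = (key * 2).encode()
    cipher = AES.new(key, AES.MODE_ECB)
    value = value.encode()
    padded_text = pad(value, AES.block_size)
    ciphertext = cipher.encrypt(padded_text)
    print("AES Encrypted Text =", ciphertext)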
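def substitute(msg):
    """Map a flag string onto the alphabet used by the classical cipher.

    The characters ``{``, ``_`` and ``}`` are each replaced by ``X`` and the
    result is upper-cased.

    Args:
        msg: The text to normalise.

    Returns:
        The normalised, upper-cased text.

    Raises:
        AssertionError: If the result contains no cased character at all
            (for example an empty string).
    """
    # The listing had lost its indentation; the body is restored here.
    for mark in ('{', '_', '}'):
        msg = msg.replace(mark, 'X')
    msg = msg.upper()
    # NOTE(review): isupper() only requires one cased character and no
    # lowercase ones; digits or punctuation still pass this check.
    assert msg.isupper()
    return msg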
# Map the flag onto the A-Z alphabet, lengthen the key with the message
# itself, and print the classical ciphertext.
message = substitute(flag)
key_new = generate_key(message, key)
cipher = cipherText(message, key_new)
print("Encrypted Text =", cipher)
# NOTE(review): the same short key also protects the AES ciphertext of the
# unmodified flag, so both ciphertexts stand or fall together.
AES_enc(key, flag)
'''
Encrypted Text = HLMPWKGLYSWFACEWBYRSUKYFAXZFXDKOTZHHSLFCXNICAHPGRIFUF
AES Encrypted Text = b'\x92T{\x1f\x0f"\xbd\xbb\xfa|O\x11\x83\xa0\xec.\x15]\x9f\x9a\xe5\x85Z\x9f@yUm\xbb\xdc\x93\x08\xe5\x8b\xd5\x98\x84\xfa\x91\xe8\xde\x1b}\xcd\x9056\xa3\xbf\xdb\x85J\xcc\xec\x812T\x11\xa7Tl\x15\xf6"'
'''
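# Letter <-> index tables for the A-Z alphabet (A=0 ... Z=25).
letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
dict1 = {letter: index for index, letter in enumerate(letters)}
dict2 = dict(enumerate(letters))
out = "HLMPWKGLYSWFACEWBYRSUKYFAXZFXDKOTZHHSLFCXNICAHPGRIFUF"

# Round 1: known-plaintext key recovery.
# The flag starts with "BuildCTF{", which substitute() turns into
# "BUILDCTFX", so at least the first nine key letters follow directly.
key = ""
flag = "BUILDCTFX"
n = len(flag)
for i in range(n):
    # Inverse of the encryption step out = (plain + key) % 26.
    key += dict2[(dict1[out[i]] - dict1[flag[i]]) % 26]
print(key)
# key = GREETINGB

# The key also feeds AES after being doubled (key * 2). AES keys are usually
# 16 bytes, which suggests an 8-letter key: GREETING. The ninth letter, B, is
# already the first plaintext letter, i.e. from position 8 on the key stream
# is the message itself (BUILDCTFX...).

# Round 2: decrypt the whole text.
# Decode strictly left to right: every recovered letter is appended to the
# key stream and is used eight positions later. (The listing had lost its
# indentation, and the earlier loop appended a full re-decode to the text on
# every pass, which duplicated letters and decoded later positions with the
# wrong key.)
key_ = "GREETING"
key = key_
flag = ""
for i in range(len(out)):
    letter = dict2[(dict1[out[i]] - dict1[key[i]]) % 26]
    flag += letter
    key += letter
key = key[:len(out)]
print(flag)
# flag = BUILDCTFXYOUXALREADYXKNOWXWHATXAXCLASSICALXCIPHERXISX
# The X placeholders stand for {, } and _ and are put back by hand.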
BuildCTF{YOU_ALREADY_KNOW_WHAT_A_CLASSICAL_CIPHER_IS}
3.ominous
from Crypto.Util.number import *
from secret import flag
import random
import string
# The four characters whose code points scale the terms of the random mask.
Ominous_dic = ['啊', '米', '诺', '斯']
# Bytes allowed in the flag: ASCII letters, digits and the symbols {}@_!
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
assert all(char in flag_word for char in flag)
msg = bytes_to_long(flag)
# Randomise the order of the characters before the mask is built.
# NOTE(review): the random module is not a cryptographic generator.
random.shuffle(Ominous_dic)
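def Ominous_enc(msg):
    """Return ``msg`` plus a random mask built from ``Ominous_dic``.

    For the character at position ``idx`` a coefficient between 0 and 200 is
    drawn, and ``coefficient * ord(character) * 2 ** (50 * (idx + 1))`` is
    added to the mask.

    Args:
        msg: The message as an integer.

    Returns:
        The sum of the message and the mask.
    """
    # The listing had lost its indentation; the loop body is restored here.
    # NOTE(review): every mask term is a multiple of 2**50, so the low 50 bits
    # of msg pass through unchanged, and each coefficient has only 201
    # possible values. Adding such a mask is not encryption; the random module
    # used here is not a cryptographic generator either.
    res = 0
    for idx, word in enumerate(Ominous_dic):
        res += random.randint(0, 200) * ord(word) * (2 ** (50 * (idx + 1)))
    return res + msg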
# Mask the flag integer and publish the result.
cipher = Ominous_enc(msg)
print(f'cipher = {cipher}')
# cipher = 11174132013050242293373893046306047184706656363469879247040688497021
from libnum import *
import itertools
import string
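# Bytes that may appear in a valid flag.
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
cipher = 11174132013050242293373893046306047184706656363469879247040688497021
Ominous_dic = ['啊', '米', '诺', '斯']
# The shuffle applied on the encrypting side is unknown, so every ordering
# of the four characters is tried.
all_list = [list(order) for order in itertools.permutations(Ominous_dic, 4)]
for i in all_list:
    print(i)
    # j0 scales the smallest term and has the least effect on the result, so
    # it is pinned to 0 here; this pass only narrows down j1, j2 and j3.
    for j0 in range(0, 1):
        tmp0 = j0 * ord(i[0]) * (2 ** (50 * (0 + 1)))
        for j1 in range(0, 201):
            tmp1 = j1 * ord(i[1]) * (2 ** (50 * (1 + 1)))
            for j2 in range(0, 201):
                tmp2 = j2 * ord(i[2]) * (2 ** (50 * (2 + 1)))
                for j3 in range(0, 201):
                    tmp3 = j3 * ord(i[3]) * (2 ** (50 * (3 + 1)))
                    res = tmp0 + tmp1 + tmp2 + tmp3
                    out1 = cipher - res
                    # A mask at least as large as the ciphertext cannot be
                    # right. This explicit guard replaces a bare
                    # "except: pass", which also swallowed Ctrl-C and any
                    # unrelated error inside the loop.
                    if out1 <= 0:
                        continue
                    out = out1.to_bytes((out1.bit_length() + 7) // 8, "big")
                    if b"BuildCTF{" in out:
                        print(j0, j1, j2, j3)
                        # Full match only if every byte is a legal flag byte.
                        if all(j in flag_word for j in out):
                            print(j0, j1, j2, j3)
                            print(out1)
                            print(out)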
['诺', '斯', '米', '啊']
0 0 42 119
0 1 42 119
0 2 42 119
0 3 42 119
..................
['斯', '诺', '米', '啊']
0 0 42 119
0 1 42 119
0 2 42 119
0 3 42 119
.....................
发现规律,修正代码缩小爆破范围
from libnum import *
import itertools
import string
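# Bytes that may appear in a valid flag.
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
cipher = 11174132013050242293373893046306047184706656363469879247040688497021
Ominous_dic = ['啊', '米', '诺', '斯']
# Only these two orderings produced prefix matches in the wide scan.
all_list = [['诺', '斯', '米', '啊'], ['斯', '诺', '米', '啊']]
# (j0, j1, j2, j3, text) for every candidate made only of legal flag bytes,
# in the order they are printed.
candidates = []
for i in all_list:
    print(i)
    # j2 and j3 are pinned to the values found by the wide scan (42 and 119);
    # j0 and j1 are swept over their full range.
    for j0 in range(0, 201):
        tmp0 = j0 * ord(i[0]) * (2 ** (50 * (0 + 1)))
        for j1 in range(0, 201):
            tmp1 = j1 * ord(i[1]) * (2 ** (50 * (1 + 1)))
            for j2 in range(42, 43):
                tmp2 = j2 * ord(i[2]) * (2 ** (50 * (2 + 1)))
                for j3 in range(119, 120):
                    tmp3 = j3 * ord(i[3]) * (2 ** (50 * (3 + 1)))
                    res = tmp0 + tmp1 + tmp2 + tmp3
                    out1 = cipher - res
                    # This explicit guard replaces a bare "except: pass",
                    # which also swallowed Ctrl-C and unrelated errors.
                    if out1 <= 0:
                        continue
                    out = out1.to_bytes((out1.bit_length() + 7) // 8, "big")
                    if b"BuildCTF{" in out and all(j in flag_word for j in out):
                        candidates.append((j0, j1, j2, j3, out))
                        print(j0, j1, j2, j3)
                        print(out1)
                        print(out)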
['诺', '斯', '米', '啊']
51 34 42 119
6998911667306495936139354047122483151410244697241827169626933502333
b'BuildCTF{Wh@wsuu_0mwkous!!!}'
51 79 42 119
6998911667306495936139354047120998231835390350462060938975672082813
b'BuildCTF{Wh@vUyE_0mwkous!!!}'
51 82 42 119
6998911667306495936139354047120899237197066727343409856932254654845
b'BuildCTF{Wh@vBhu_0mwkous!!!}'
51 113 42 119
6998911667306495936139354047119876292601055955117348675816941232509
b'BuildCTF{Wh@u}ee_0mwkous!!!}'
51 158 42 119
6998911667306495936139354047118391373026201608337582445165679812989
b'BuildCTF{Wh@t_i5_0mwkous!!!}'
51 161 42 119
6998911667306495936139354047118292378387877985218931363122262385021
b'BuildCTF{Wh@tLXe_0mwkous!!!}'
72 34 42 119
6998911667306495936139354047122483151410244696394571727129163145597
b'BuildCTF{Wh@wsuu_0mI}gus!!!}'
72 79 42 119
6998911667306495936139354047120998231835390349614805496477901726077
b'BuildCTF{Wh@vUyE_0mI}gus!!!}'
72 82 42 119
6998911667306495936139354047120899237197066726496154414434484298109
b'BuildCTF{Wh@vBhu_0mI}gus!!!}'
72 113 42 119
6998911667306495936139354047119876292601055954270093233319170875773
b'BuildCTF{Wh@u}ee_0mI}gus!!!}'
72 158 42 119
6998911667306495936139354047118391373026201607490327002667909456253
b'BuildCTF{Wh@t_i5_0mI}gus!!!}'
72 161 42 119
6998911667306495936139354047118292378387877984371675920624492028285
b'BuildCTF{Wh@tLXe_0mI}gus!!!}'
83 34 42 119
6998911667306495936139354047122483151410244695950771257249378673021
b'BuildCTF{Wh@wsuu_0m1nous!!!}'
83 79 42 119
6998911667306495936139354047120998231835390349171005026598117253501
b'BuildCTF{Wh@vUyE_0m1nous!!!}'
83 82 42 119
6998911667306495936139354047120899237197066726052353944554699825533
b'BuildCTF{Wh@vBhu_0m1nous!!!}'
83 113 42 119
6998911667306495936139354047119876292601055953826292763439386403197
b'BuildCTF{Wh@u}ee_0m1nous!!!}'
83 158 42 119
6998911667306495936139354047118391373026201607046526532788124983677
b'BuildCTF{Wh@t_i5_0m1nous!!!}'
83 161 42 119
6998911667306495936139354047118292378387877983927875450744707555709
b'BuildCTF{Wh@tLXe_0m1nous!!!}'
179 34 42 119
6998911667306495936139354047122483151410244692077603520116714185085
b'BuildCTF{Wh@wsuu_0l_wous!!!}'
179 79 42 119
6998911667306495936139354047120998231835390345297837289465452765565
b'BuildCTF{Wh@vUyE_0l_wous!!!}'
179 82 42 119
6998911667306495936139354047120899237197066722179186207422035337597
b'BuildCTF{Wh@vBhu_0l_wous!!!}'
179 113 42 119
6998911667306495936139354047119876292601055949953125026306721915261
b'BuildCTF{Wh@u}ee_0l_wous!!!}'
179 158 42 119
6998911667306495936139354047118391373026201603173358795655460495741
b'BuildCTF{Wh@t_i5_0l_wous!!!}'
179 161 42 119
6998911667306495936139354047118292378387877980054707713612043067773
b'BuildCTF{Wh@tLXe_0l_wous!!!}'
190 34 42 119
6998911667306495936139354047122483151410244691633803050236929712509
b'BuildCTF{Wh@wsuu_0lGhwus!!!}'
190 79 42 119
6998911667306495936139354047120998231835390344854036819585668292989
b'BuildCTF{Wh@vUyE_0lGhwus!!!}'
190 82 42 119
6998911667306495936139354047120899237197066721735385737542250865021
b'BuildCTF{Wh@vBhu_0lGhwus!!!}'
190 113 42 119
6998911667306495936139354047119876292601055949509324556426937442685
b'BuildCTF{Wh@u}ee_0lGhwus!!!}'
190 158 42 119
6998911667306495936139354047118391373026201602729558325775676023165
b'BuildCTF{Wh@t_i5_0lGhwus!!!}'
190 161 42 119
6998911667306495936139354047118292378387877979610907243732258595197
b'BuildCTF{Wh@tLXe_0lGhwus!!!}'
['斯', '诺', '米', '啊']
74 3 42 119
6998911667306495936139354047123468815669753357358225859397902475645
b'BuildCTF{Wh@x1Ju_0mqdOus!!!}'
74 27 42 119
6998911667306495936139354047122378615871147476421268270694027829629
b'BuildCTF{Wh@w_Su_0mqdOus!!!}'
74 59 42 119
6998911667306495936139354047120925016139672968505324819088861634941
b'BuildCTF{Wh@vG_u_0mqdOus!!!}'
74 83 42 119
6998911667306495936139354047119834816341067087568367230384986988925
b'BuildCTF{Wh@uuhu_0mqdOus!!!}'
115 3 42 119
6998911667306495936139354047123468815669753356156585539922068316541
b'BuildCTF{Wh@x1Ju_0m0@3us!!!}'
115 27 42 119
6998911667306495936139354047122378615871147475219627951218193670525
b'BuildCTF{Wh@w_Su_0m0@3us!!!}'
115 59 42 119
6998911667306495936139354047120925016139672967303684499613027475837
b'BuildCTF{Wh@vG_u_0m0@3us!!!}'
115 83 42 119
6998911667306495936139354047119834816341067086366726910909152829821
b'BuildCTF{Wh@uuhu_0m0@3us!!!}'
优先找出有意义有规律的字符,逐一提交尝试
BuildCTF{Wh@t_i5_0m1nous!!!}
4.gift
from Crypto.Util.number import *
from secret import flag
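def get_gift(p, q):
    """Return a hint computed from the two RSA primes and a random 40-bit prime.

    The hint is ``2024 * ((p + 2 * noise + 1) + (q - noise ** 2))``.

    Args:
        p: First prime.
        q: Second prime.

    Returns:
        The integer hint.
    """
    # The listing had lost its indentation; the body is restored here.
    # NOTE(review): noise is below 2**40, so the offset 2*noise + 1 - noise**2
    # is smaller than 2**80 in magnitude. For the 512-bit primes used by the
    # caller, the upper bits of p + q therefore survive in the hint.
    noise = getPrime(40)
    p, q = p + 2 * noise + 1, q - pow(noise, 2)
    gift = 2024 * (p + q)
    return gift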
# Standard RSA setup with two 512-bit primes and e = 65537.
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x10001
m = bytes_to_long(flag)
# The message is encrypted directly, without any padding.
c = pow(m, e, n)
# NOTE(review): the hint is computed from the secret primes and is printed
# next to n and c below.
gift = get_gift(p, q)
print(f'c = {c}')
print(f'n = {n}')
print(f'gift = {gift}')
'''
c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
n = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872
'''
gift = 2024 * (p + q)
可以变换为
gift = 2024*(p1+p2-(noise-1)**2)
gift//2024 = p1+p2-(noise-1)**2
发现gift//2024的bit长度是513,p+q的bit长度是512-513,noise的bit长度是40,差距太大,可以通过右移(>>)抵消掉(noise-1)**2的影响,只保留p+q的高位,也就是说gift泄露了p+q的高位
#sage
from Crypto.Util.number import *
c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
n = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872
# Undo the factor 2024, then drop the low 233 bits: what is left is only the
# part of the sum that the (at most 80-bit) noise term does not reach.
gift = (gift//2024) >> 233
print(gift)
e = 65537
BITS = 233
# Over the reals, solve x * (s - x) = n with s = gift << BITS as the
# approximate sum of the primes; a root approximates one prime factor.
PR.<x> = PolynomialRing(RealField(1000))
f = x * ((gift << BITS) - x) - n
p2high = int(f.roots()[0][0])
# The approximation is wrong in its low bits. The correction is looked up as
# a small root of p2high + x modulo a factor of n (bound 2^(BITS+10)).
PR.<x> = PolynomialRing(Zmod(n))
f = p2high + x
res = f.small_roots(X=2^(BITS+10), beta=0.4, epsilon=0.01)[0]
p2 = int(p2high + res)
#print(p2)
# NOTE(review): nothing checks that p2 divides n exactly before it is used.
q2 = n // p2
#print(q2)
d2 = inverse_mod(e, (p2-1)*(q2-1))
leak2 = pow(c, d2, n)
#print(leak2)
print(long_to_bytes(int(leak2)))
BuildCTF{M@y_b3_S0m3th1ng_go_wr0ng}
5.mitm
from Crypto.Util.number import *
from Crypto.Util.Padding import *
from hashlib import sha256
from Crypto.Cipher import AES
from random import *
from secret import flag
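# Alphabet from which the round-key seeds are drawn (14 distinct bytes).
note = b'Crypt_AES*42$@'
r = 4
keys = []
# The listing had lost its indentation; both loop bodies are restored here.
# NOTE(review): each round key is the SHA-256 of only three bytes taken from
# `note`, i.e. 14**3 = 2744 possibilities per round, and choices() comes from
# the non-cryptographic random module. With a known plaintext/ciphertext
# pair, chaining four such rounds does not multiply the work as 2744**4
# would suggest, because the chain can be searched from both ends.
for i in range(r):
    key = bytes(choices(note, k=3))
    digest = sha256(key).digest()
    # NOTE(review): these prints emit the secret seeds and round keys; they
    # look like debug output and are not part of the published values below.
    print(key)
    print(digest)
    keys.append(digest)
print(keys)
# Known plaintext block that is pushed through all four rounds.
leak = b'Hello_BuildCTF!!'
cipher = leak
for i in range(r):
    cipher = AES.new(keys[i], AES.MODE_ECB).encrypt(cipher)
# The flag key depends on all four round keys, in order.
enc_key = sha256(b"".join(keys)).digest()
enc_flag = AES.new(enc_key, AES.MODE_ECB).encrypt(pad(flag, AES.block_size))
print(f'cipher = {cipher}')
print(f'enc_flag = {enc_flag}')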
# cipher = b'\xb9q\x04\xa3<\xf0\x11-\xe9\xfbo:\x9aQn\x81'
# enc_flag = b'q\xcf\x08$%\xb0\x86\xee\x1a(b\x7f\xf8\x86\xbd\xd0\xa7\xee\xd9\x9d2\x82a7H=a\x13\x87e\xad\xd2b\x8e\x07\xa5\xddo\xc0\xf3N\xd4b\xc9o\x88$\xc7\xf4p\xc1\x1e,\xed\xcc\x94\x8c\xf4\x00\xa5\xe0-\xf7\xc5'
##第一轮,爆破出中间值,第二轮调整脚本,爆破出四个最初随机值
from Crypto.Util.number import *
from Crypto.Util.Padding import *
from hashlib import sha256
from Crypto.Cipher import AES
import itertools
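note = b'Crypt_AES*42$@'
# Every 3-byte seed that choices(note, k=3) can produce (14**3 values).
note_l = [bytes(triple) for triple in itertools.product(note, repeat=3)]
print(len(note_l))

plain = b'Hello_BuildCTF!!'
target = b'\xb9q\x04\xa3<\xf0\x11-\xe9\xfbo:\x9aQn\x81'

# Forward half: value after rounds 1 and 2 -> the seed pair that produced it.
# product() is used for the pairs so that two equal seeds are covered as well
# (permutations() skipped them). One cipher object per seed is built up front
# instead of one per trial. This table holds 2744**2 entries and needs a
# correspondingly large amount of memory.
enc = {seed: AES.new(sha256(seed).digest(), AES.MODE_ECB) for seed in note_l}
res1 = {}
for first in note_l:
    half = enc[first].encrypt(plain)
    for second in note_l:
        res1[enc[second].encrypt(half)] = (first, second)
del enc

# Backward half: undo round 4, then round 3, and keep only the values that
# also occur in the forward table.
dec = {seed: AES.new(sha256(seed).digest(), AES.MODE_ECB) for seed in note_l}
res2 = {}
for fourth in note_l:
    half = dec[fourth].decrypt(target)
    for third in note_l:
        middle = dec[third].decrypt(half)
        if middle in res1:
            res2[middle] = (third, fourth)

# Middle values reachable from both ends.
res_ = set(res2)
print(res_)
# The four seeds, listed in encryption order, for each shared middle value.
for middle in res_:
    print(res1[middle] + res2[middle])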
#中间值为b'\xd0\xe8]\x1dIQ\x93S\x7f\xe1\xda\x90\xe5\x19\xe6\xb8'
#四个随机值["前:(b'ppS', b'4p4'),1752045", "后:(b'SS2', b'Cyr'),4638442"]
enc_flag = b'q\xcf\x08$%\xb0\x86\xee\x1a(b\x7f\xf8\x86\xbd\xd0\xa7\xee\xd9\x9d2\x82a7H=a\x13\x87e\xad\xd2b\x8e\x07\xa5\xddo\xc0\xf3N\xd4b\xc9o\x88$\xc7\xf4p\xc1\x1e,\xed\xcc\x94\x8c\xf4\x00\xa5\xe0-\xf7\xc5'
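# The four recovered seeds, arranged in encryption order (round 1 to round 4).
keys = [b'ppS', b'4p4', b'Cyr',b'SS2']
# Rebuild the round keys and, from them, the key that protects the flag.
# (The listing had lost its indentation; the loop is written as a
# comprehension here.)
x = [sha256(j).digest() for j in keys]
enc_key = sha256(b"".join(x)).digest()
# The padding is not removed here, so the printed plaintext still ends with
# the padding bytes.
flag = AES.new(enc_key, AES.MODE_ECB).decrypt(enc_flag)
print(flag)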
#b'BuildCTF{M1tm_i5_@_simple_w@y_t0_s0lve_pr0bl3m!}\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10'
BuildCTF{M1tm_i5_@_simple_w@y_t0_s0lve_pr0bl3m!}
6.where is my n?
from Crypto.Util.number import*
from gmpy2 import*
# Placeholder. NOTE(review): pow() below needs an integer, so the real script
# presumably converted the flag to a number first - confirm.
flag = "..."
e=65537
p=getPrime(512)
# NOTE(review): q is the prime directly after p, so the two factors are almost
# equal. Only `from gmpy2 import*` is visible above, which does not bind the
# name `gmpy2`; presumably `import gmpy2` was also present - confirm.
q=gmpy2.next_prime(p)
n=p*q
phi=(p-1)*(q-1)
d=inverse(e,phi)
c=pow(flag,e,n)
print("c=",c)
print("e=",e)
# NOTE(review): the private exponent d is published while n is withheld.
# e*d - 1 is a multiple of phi, and with two adjacent primes phi pins down
# p and q, so hiding n does not protect the message.
print("d=",d)
# c= 107973408658512316248795675829719026556281556876279221462095299771897472835817102507431099132436173117611783572607408542140665445616624626408781699266046553444252772105867617770124779786841928535661872891635303381758336724610931502145965143374870804147444436791292512235485326451051756451904673491759905663466
# e= 65537
# d= 62036379179617188220635702722848631787124203142048526951004487465970915306760341332025319712290841316288636152355908585406155087541334717529113872233640624205650204907669681116401961584897042519881342485819364897891612540596760113597723865477121348794797592568686540283535491492936074500143092361821406613969
import sympy
import gmpy2
import binascii
import libnum
c= 107973408658512316248795675829719026556281556876279221462095299771897472835817102507431099132436173117611783572607408542140665445616624626408781699266046553444252772105867617770124779786841928535661872891635303381758336724610931502145965143374870804147444436791292512235485326451051756451904673491759905663466
e= 65537
d= 62036379179617188220635702722848631787124203142048526951004487465970915306760341332025319712290841316288636152355908585406155087541334717529113872233640624205650204907669681116401961584897042519881342485819364897891612540596760113597723865477121348794797592568686540283535491492936074500143092361821406613969
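# e*d - 1 is a multiple of phi: e*d - 1 = k * phi.
ed_1 = e * d - 1
p = 0
q = 0
# Assuming d was reduced modulo phi (as in the challenge source), d < phi and
# therefore k < e, so only k = e-1 ... 1 has to be tried. (The listing had
# lost its indentation, and the earlier bound of 2**24 scanned far more
# values than can occur.)
for k in range(e - 1, 0, -1):
    if ed_1 % k != 0:
        continue
    phin = ed_1 // k
    # p and q are adjacent primes, so both lie next to sqrt(phi).
    # NOTE(review): prevprime() returns a prime strictly below its argument,
    # so a pair whose gap is very small could be missed - confirm if reused.
    phin_2 = gmpy2.iroot(phin, 2)
    p = sympy.prevprime(phin_2[0])
    q = sympy.nextprime(p)
    if (p - 1) * (q - 1) * k == ed_1:
        break
else:
    # Without this, stale p and q values would be used below.
    raise SystemExit("no pair of adjacent primes matches e*d - 1")
print(p)
print(q)
n = p * q
print(n)
m = gmpy2.powmod(c, d, n)
print(m)
print(libnum.n2s(int(m)))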
BuildCTF{Y0u_F1nd_7he_n_success7u1_!}
7.ezzzzz_RSA
import libnum
from Crypto.Util.number import *
# Placeholder flag; the real value is hidden from players.
flag = b'BuildCTF{*******}'
m = libnum.s2n(flag)
e = 65537
q = getPrime(1024)
q1 = getPrime(1024)
p = getPrime(1024)
p1 = getPrime(1024)
# Three moduli that share primes pairwise: n = p*q protects the flag,
# n1 shares q with it and n2 shares p. Only n1 and n2 are printed below.
n = p * q
n1 = q * p1
n2 = p * q1
# The message is encrypted directly, without any padding.
c = pow(m, e, n)
# NOTE(review): the three hints below are powers of linear combinations of
# the secret primes, taken modulo n1 or n2. Publishing values computed from
# the primes gives relations between the factors of n1 and n2.
h0 = pow(2023 * p + 2024, q1, n2)
h1 = pow(2024 * p1 + 2023 * q, 113, n1)
h2 = pow(2023 * p1 + 2024 * q, 629, n1)
print(f'n1 = {n1}')
print(f'n2 = {n2}')
print(f'c = {c}')
print(f"h0 = {h0}")
print(f"h1 = {h1}")
print(f"h2 = {h2}")
"""
n1 = 19957426023169626195602761840035904096149402534966487535713447987366768645542881124782551268978342063458430846877824210659778126281705984711061190351636497944943321988950188171159903717348936556346198638311950016136865425015037098270040031872702873264144372191898253134939805153141701819590164140250130420280491966786900651186941317959556066730959744279963976065565436153399679475410040773637142677936926894677919242351610457296203864806991539480593546084449323017670431590012312526757477514457145686070196978477495658962519391041011847512041022828710693830661412217389320600888361578917153088073678587422269955710471
n2 = 11933661747067216317642315621042074566046499785197709817779978157416906347669444374234313329064859622960743743511735672614999566264025648698589886185056758071718319964262619819143757922916624196354313322456534266520150543008117888101349920396737532937616502689667208207329048979872222563877933742673021891249520999021187404065706388700711208445628041386956459398271230236018476964839399245143666534359113777846535151773174701732284280083586580489995666306373839417946648196140879978268472361473557375951972193618245984950374326806423407152520541682571610372434453778172497925696535270204943842467472100237854318244291
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
h0 = 2996726009726260695732821166504040344731102637047682432884058857493935625094258046641569918904978173116793673563730117949606727933902262668880339210084101176866383602543966179840353633735507442926707342258391362245904850297416642271123328980812931025677857373199540129280097315832907023777052101133649877194495480543646472133854655383755313968952550827443970931104462445312146328606862802196901953935238972759852435882720786570965542286278549107402918041194008845717507735786897968734831064393337773557817839343449001368565856921138408039931608804233595980497557733714560035682416265029819340316734845279080134432704
h1 = 19843160604742228074331688651361052208481287636527838615063387670722213224954610448720065937378201545177278841575633697012434074186046556843292068835752113384756149944114298949115412819730843598288637259467085268861201775723817790428386595559040938133481222229290199923979132846871398172318539492741755408720073350962388138453341677009547616238262211176727424067946020683742262782319735286357465817786446238528187722959357444676512705451504136333336415880020502524009647940182721264953084120705872870651891290569527156804993340563927419561415555818468261824287933683736509372616293569615247228388443284457740072850735
h2 = 15147052684674827267989051566164167603473413362261253296001082161136918959833294463185335416662127368473980239667918561600741667513285708843081475074688239507330230558331408877583246661862040918410036936505307437329914363201630212163952357444441705663871720438955166472073576526814546767805314463827075388036712200327696168965762177567346966479399896578190111819130000991594490932388132188241726654756368698998232826340969288082645860324404980143489489946490266439447342461483490582149239131554246756547000945718737195930407251232848166108751122870333559461452459416252942341423373918245090162970624108991537972775066
"""
from gmpy2 import *
e = 65537
n1 = 19957426023169626195602761840035904096149402534966487535713447987366768645542881124782551268978342063458430846877824210659778126281705984711061190351636497944943321988950188171159903717348936556346198638311950016136865425015037098270040031872702873264144372191898253134939805153141701819590164140250130420280491966786900651186941317959556066730959744279963976065565436153399679475410040773637142677936926894677919242351610457296203864806991539480593546084449323017670431590012312526757477514457145686070196978477495658962519391041011847512041022828710693830661412217389320600888361578917153088073678587422269955710471
n2 = 11933661747067216317642315621042074566046499785197709817779978157416906347669444374234313329064859622960743743511735672614999566264025648698589886185056758071718319964262619819143757922916624196354313322456534266520150543008117888101349920396737532937616502689667208207329048979872222563877933742673021891249520999021187404065706388700711208445628041386956459398271230236018476964839399245143666534359113777846535151773174701732284280083586580489995666306373839417946648196140879978268472361473557375951972193618245984950374326806423407152520541682571610372434453778172497925696535270204943842467472100237854318244291
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
h0 = 2996726009726260695732821166504040344731102637047682432884058857493935625094258046641569918904978173116793673563730117949606727933902262668880339210084101176866383602543966179840353633735507442926707342258391362245904850297416642271123328980812931025677857373199540129280097315832907023777052101133649877194495480543646472133854655383755313968952550827443970931104462445312146328606862802196901953935238972759852435882720786570965542286278549107402918041194008845717507735786897968734831064393337773557817839343449001368565856921138408039931608804233595980497557733714560035682416265029819340316734845279080134432704
h1 = 19843160604742228074331688651361052208481287636527838615063387670722213224954610448720065937378201545177278841575633697012434074186046556843292068835752113384756149944114298949115412819730843598288637259467085268861201775723817790428386595559040938133481222229290199923979132846871398172318539492741755408720073350962388138453341677009547616238262211176727424067946020683742262782319735286357465817786446238528187722959357444676512705451504136333336415880020502524009647940182721264953084120705872870651891290569527156804993340563927419561415555818468261824287933683736509372616293569615247228388443284457740072850735
h2 = 15147052684674827267989051566164167603473413362261253296001082161136918959833294463185335416662127368473980239667918561600741667513285708843081475074688239507330230558331408877583246661862040918410036936505307437329914363201630212163952357444441705663871720438955166472073576526814546767805314463827075388036712200327696168965762177567346966479399896578190111819130000991594490932388132188241726654756368698998232826340969288082645860324404980143489489946490266439447342461483490582149239131554246756547000945718737195930407251232848166108751122870333559461452459416252942341423373918245090162970624108991537972775066
# Bring both hints to the same exponent 113*629. Modulo q the q-terms vanish,
# leaving (2023 * 2024 * p1)^(113*629) on both sides, so the two values agree
# modulo q; modulo p1 they generally differ.
h1x = pow(h1 * pow(2023,113,n1),629,n1)
h2x = pow(h2 * pow(2024,629,n1),113,n1)
# Their difference is therefore a multiple of q, and the gcd with n1 gives q.
q = gcd(h2x-h1x,n1)
print("q",q)
# h0 = pow(2023 * p + 2024, q1, n2)
# Modulo p, h0 equals 2024^q1, and 2024^n2 = (2024^p)^q1 equals 2024^q1 as
# well (Fermat), so h0 - 2024^n2 is a multiple of p.
kp = h0-pow(2024,n2,n2)
p = gcd(n2,kp)
print("p",p)
# Ordinary RSA decryption under n = p*q.
f = (p-1)*(q-1)
d = invert(e,f)
m = pow(c,d,p*q)
# NOTE(review): bytes.fromhex() needs an even number of hex digits; this
# would fail if hex(m) had an odd length.
print(bytes.fromhex(hex(m)[2:]))
BuildCTF{29g5blh5-7829-5k38-a836-9bk54h291h6}
8.Ju5t_d3c0de_1t!
e = 'VTJGc2RHVmtYMThUWGplSkN2YzJwazJ2KzJieQ=='
c = 10110011010010110101101101011110100001010100101110111011101101111101101001000010111010010011101111001111111000000001111000000010101
p = 1100010000110101100011011010101011111101001101010011001010110111100011110110101111000101100001011011001100110010010111111100110000001111010111111101111001100111100011100110110011101011111011100111010011000100011001101101111011010110000011011100101010010101110001011011010111001010101101100101011111101000110010111000011010111001101001
q = 11000010010010011110101110100011011100101101100100011011100010111000011110111000000011111100010100100000101101010101000101101101101011011100001101111010001010010011001010110010110101001100100011010110100011110011101110101110111110100000011110101010011011111010111100011000011111001000010101100100011110010000010001110010101100100111001
key = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953143489192628648965081601335846012859223829286606349019
# use m minus key to get the final flag!
先把数值统一转换成10进制
c = 1906584693582914593452011253925635223573
p = 26822418715463991126474380526303016593205006542806731721157536330312275372018305158474258610131152489
q = 53119776651079682777961960430388001309363199658704012861472783500082899623940177739319812176312097081
盲猜e=65537
标准RSA解密得到
m = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953170941195555713574085320418093758492523024516823025404
根据提示m - key后转字符串
BuildCTF{I_l1k3_crypt0_5o_h4rd!}
9.girls_band_cry_pto
from Crypto.Util.number import *
import gmpy2
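def getprime(kbit,FLAG):
    """Return a random ``kbit``-bit prime and optionally print LCG outputs.

    The returned prime is used as the seed of a linear congruential generator
    ``t -> (a*t + b) % N`` whose parameters are fresh random primes. Ten
    successive outputs are computed.

    Args:
        kbit: Bit length of the seed and of the parameters a and b; the
            modulus N has ``kbit + 5`` bits.
        FLAG: If true, the list of the ten outputs is printed.

    Returns:
        The seed prime.
    """
    # The listing had lost its indentation; the body is restored here.
    a = getPrime(kbit)
    b = getPrime(kbit)
    N = getPrime(kbit+5)
    seed = getPrime(kbit)
    t = seed
    list_t = []
    for i in range(10):
        t = (a*t+b)%N
        list_t.append(t)
    # NOTE(review): a linear congruential generator is not a secure generator.
    # Printing consecutive outputs exposes a sequence derived from the
    # returned prime, which the caller uses as an RSA factor.
    if FLAG:
        print(list_t)
    return seed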
# p is generated with the generator outputs printed; q without.
p = getprime(512,1)
q = getprime(512,0)
# Placeholder flag; the real value is hidden from players.
flag = b'...'
flag = bytes_to_long(flag)
n = p*q
# NOTE(review): e is even, so it shares a factor with (p-1)*(q-1) and has no
# inverse modulo it; decryption cannot use an ordinary private exponent.
e = 1384626
# The flag is required to be shorter than half the bit length of n.
assert flag.bit_length() < n.bit_length()//2
c = pow(flag,e,n)
print('c=',c)
''''''
[37382128984932009103055100236038298684187701771245912912208816283882352432386956435965036367810667394024993955812239704879381327228911265588017046627348503, 78860822396220922181257740301787328387654351181949135165584053897837116358564567613593406267620270397593757280733139576593428399156673217202739776358215953, 71961258377748802736482119449608198361898650603044501972923193831637292104436919483148544126546157761435847502622416800596454167412705966674707485447149592, 87271087644907910379168026089161507515679859469787715709089631773745967695993043069981508275969979669395420678260957179827954920361899134388830957711827969, 72060448202158281754256475874109091993193239479491265267010728401711694585210195554635415348891139571830347004379216450772696235700910532153698412887476412, 198822737610698203376629161658629276556973499054887457432530950247888991546498594767954251786997515337433684733300663470799887569646159225800449429896258899, 186920895499932700150962847893153648403293237986492275627558112493385728113172211076262656795948951216023567806119078906412693819469136004563793414149643278, 56472634592713718635518027850351194341092172882542912776939953869983486542308422043454035086533070566859787384014556343587278097326244663175874047755695694, 42665120723108982921319232615099077060109901818313520605789700720605479528247045699344736360219784997528870841912999130951916510491705708498185762196467897, 205629005887807114384057131575309344114082007367662384600399313743755704623421415135564859072125246431180953419843187244789534372794288258609006920825136808]
c= 51846448616255629242918159354807752786692784645460532308823434086479848425723111371477823327980874708898952566998637230358105087254392989515438172155717708590176244736140994735777168368143405720703501031813936741444894000217727880068767785957507824708838189619286341612305393812568642372035793481458142583420
'''
先用LCG求seed,即p
p=11406146503880823399297963629845559494461007497449751823413253129053497454943898251983630826960583790125622063400069720120655389759003474122064810099132057
import sympy
from libnum import *
p = 11406146503880823399297963629845559494461007497449751823413253129053497454943898251983630826960583790125622063400069720120655389759003474122064810099132057
c= 51846448616255629242918159354807752786692784645460532308823434086479848425723111371477823327980874708898952566998637230358105087254392989515438172155717708590176244736140994735777168368143405720703501031813936741444894000217727880068767785957507824708838189619286341612305393812568642372035793481458142583420
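e = 1384626
# e is even, so it cannot be inverted modulo p - 1. Instead, all e-th roots
# of c modulo the recovered prime p are computed. This presumably works
# because the challenge keeps the flag shorter than half of n's bit length,
# i.e. around the size of p - confirm against the challenge source.
m = sympy.nthroot_mod(c,e,p,all_roots=True)
print(m)
print("")
# The listing had lost its indentation; the loop body is restored here.
# Each root is printed as a number and as bytes; the readable one is the flag.
for i in m:
    flag_int = int(i)
    print(flag_int)
    print(n2s(flag_int))
    print("")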
BuildCTF{crypt0_15_s0_e@5y!}
10.QAQ补药把这道古典BuildCTF题爆了
lzs macfo ilpyj uylpiva ng ncfl vwtfavazig hywi{15 1g pth@?cq owex wpq ogr sjb e'o gwnxept wdbqv.qhylzpjp{60_r@a_^^kcdhv!!!}}
题目的提示
Siu!!!
看懂描述了吗罗
需要用到密码的古典加密,大概率是维吉尼亚
出现部分明文,估计要继续解密,密钥kfc
继续解密,密钥cronaldo
按照3轮维吉尼亚解密,共出现12种可能
BuildCTF{60_n@w_^^anqaq!!!}
BuildCTF{43_b@a_^^opnxr!!!}
BuildCTF{60_p@k_^^anqaq!!!}
BuildCTF{65_v@r_^^xvlxy!!!}
BuildCTF{48_j@v_^^lxiuz!!!}
BuildCTF{65_x@f_^^xvlxy!!!}
BuildCTF{82_l@m_^^mlgmo!!!}
BuildCTF{65_z@q_^^andjp!!!}
BuildCTF{82_n@a_^^mlgmo!!!}
BuildCTF{87_t@h_^^jtbjw!!!}
BuildCTF{60_h@l_^^xvygx!!!}
BuildCTF{87_v@v_^^jtbjw!!!}
BuildCTF{60_n@w_^^anqaq!!!}
11.ez_matrix
#SageMath 9.5
from Crypto.Util.number import *
from gmpy2 import powmod
from secret import msg
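def pad(x, pad_length):
    """Right-pad ``x`` with zero bytes up to ``pad_length`` bytes.

    Args:
        x: The bytes to pad.
        pad_length: Target length in bytes.

    Returns:
        ``x`` followed by zero bytes; ``x`` unchanged if it is already at
        least ``pad_length`` bytes long.
    """
    # The listing had lost its indentation; the body is restored here.
    # NOTE(review): fixed zero padding is deterministic; it is not a
    # randomised RSA padding scheme.
    return x + b'\x00' * (pad_length - len(x))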
def rsa_gen(bits):
    """Return a pair (p, q) of primes, each drawn with getPrime(bits).

    p is generated first, then q; the two calls are independent.
    """
    return getPrime(bits), getPrime(bits)
# Challenge parameters: prime size in bits, padded message length in bytes,
# and the side length of the bit matrices built from p and q.
bits = 1024
pad_length = 200
matrix_size = 32
e = 65537

p, q = rsa_gen(bits)
n = p * q
# Textbook RSA over a zero-padded message: no randomized padding is applied.
m = bytes_to_long(pad(msg, pad_length))
c = powmod(m, e, n)

# Write each prime as a 1024-character bit string and cut it into 32 rows of
# 32 bits, giving one 32x32 matrix over GF(2) per prime.
p_bits = bin(p)[2:].zfill(bits)
q_bits = bin(q)[2:].zfill(bits)
P = matrix(GF(2), [[int(b) for b in p_bits[k:k + matrix_size]]
                   for k in range(0, len(p_bits), matrix_size)])
Q = matrix(GF(2), [[int(b) for b in q_bits[k:k + matrix_size]]
                   for k in range(0, len(q_bits), matrix_size)])

# gift satisfies P * gift = Q over GF(2).
gift = P.solve_right(Q)

# The output holds c, p XOR q and gift; n itself is never written. XOR of the
# bit strings is addition over GF(2), so p ^ q encodes P + Q = P * (I + gift):
# publishing both values gives away a linear relation on the bits of p, which
# determines P (and hence p and q) whenever I + gift is invertible.
with open('output', 'w') as out:
    out.write(f'c = {c}\n')
    out.write(f'p ^ q = {p ^^ q}\n')
    out.write('gift:\n')
    out.writelines(' '.join(str(entry) for entry in row) + '\n' for row in gift)
'''
c = 5750862006780374919287214285692236210204656897730327429454502213453716609006462693326927544526483929921956237739564314742381291228170724611684726314766300684189083862768843433748971907962075938141567163713163231477418107343867114651242407427262164467193346523730926798966915657982552864539513197192523866321569716738540583056085357621328692775578162692288348251605475475005408200801081747601745630186390866011595954211521326069111983199120520535552104591110478015154646709731714695120857959832894595677697407284511806934799265823961155753765208975629786832407640872204810033141414096894416317703257346937008503926274
p ^ q = 89144063720545532404936347749976033995959352088369581593483294017916269127126015515514164556238892315116219488234599276283755643115494368387307879815221830970632672104176330851649236203019768799744400071934922875736029236458980333704716550922984411453411523931115952319603510996580835848026227775168231757398
gift:
0 0 1 0 1 1 1 0 0 1 0 0 0 0 1 1 0 0 1 0 0 1 0 0 0 1 0 0 1 1 0 0
1 0 1 0 0 0 0 1 0 1 1 1 1 1 0 1 0 1 1 1 0 1 0 0 0 1 1 0 0 0 0 1
0 1 0 1 1 1 1 1 0 1 1 0 1 0 0 1 0 0 0 1 1 0 1 1 0 1 1 1 1 0 0 0
0 1 1 1 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 1 1 1 1 0 1 0 1 1 0 1
0 1 0 1 1 1 1 0 1 0 0 1 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 1 0 1 1
1 1 1 0 0 1 0 0 0 1 0 1 0 0 0 0 1 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1
1 0 1 0 1 1 1 0 1 1 1 0 1 1 1 1 0 0 0 0 0 0 1 0 1 0 1 0 0 1 0 0
1 0 1 0 1 0 1 0 1 1 0 1 1 1 0 0 1 0 1 0 0 1 0 0 0 1 1 1 1 0 1 0
0 0 1 0 1 1 1 0 1 1 1 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 1 0 1 0 1 1
1 0 0 0 0 0 0 1 1 1 1 1 1 0 1 1 0 0 0 0 0 0 0 1 0 1 1 0 1 1 1 1
1 0 0 0 1 1 0 0 1 1 0 1 1 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 1 1 1
0 0 1 1 1 0 1 0 0 0 1 0 1 0 1 1 1 0 0 1 1 1 0 1 0 1 1 1 1 0 0 0
1 1 0 0 1 1 0 1 0 1 0 1 0 0 1 0 0 0 0 0 1 0 1 1 1 0 1 0 1 1 0 1
1 0 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 0 1 1 1 1 0 0 1 0 0 1 0 1 1 0
1 0 0 1 1 1 0 1 1 1 0 0 0 1 1 0 0 0 1 1 0 0 1 1 0 0 0 0 0 1 1 1
1 0 0 1 0 0 1 0 1 1 1 1 0 0 1 1 1 1 0 0 1 0 1 1 0 0 0 0 1 1 1 0
0 1 0 0 0 1 0 0 1 0 0 0 0 0 0 0 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0 1
0 0 0 1 0 1 1 1 1 0 1 1 1 1 0 0 0 0 1 0 0 0 0 0 0 1 1 0 1 1 0 1
0 0 1 1 1 1 1 0 0 1 0 0 1 1 1 0 0 0 0 1 1 1 0 0 1 0 0 1 0 1 0 0
0 1 0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 0 0 1 0 0 0 0 0 0 1 1 0 0 1 1
1 0 0 0 0 0 0 0 1 1 1 1 0 1 1 0 0 1 0 1 0 1 1 1 1 0 1 1 0 0 0 1
0 0 0 0 0 0 1 0 1 1 1 1 1 0 1 0 0 0 1 1 0 1 1 1 0 0 1 1 1 1 1 1
0 1 0 1 1 0 0 1 0 0 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1
1 1 0 0 0 1 1 0 1 1 0 0 0 0 0 0 1 0 0 1 0 1 1 0 0 1 0 0 1 0 1 1
1 1 0 0 0 0 0 1 1 0 0 0 1 1 1 1 1 1 0 1 1 1 1 1 1 0 0 1 0 1 1 0
0 1 1 1 0 1 0 1 0 0 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 0 0
0 1 0 1 1 0 0 0 0 1 1 1 1 1 1 0 1 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0
1 1 1 1 1 0 1 1 0 0 0 1 0 0 1 0 0 0 0 1 0 0 1 1 0 1 1 0 0 0 1 1
1 1 1 1 1 1 1 0 1 1 1 0 0 1 0 1 0 1 1 0 0 0 0 1 1 1 0 1 0 0 0 0
0 1 1 1 1 0 0 1 1 0 1 1 1 0 1 1 0 1 0 0 0 1 0 1 1 0 0 0 0 0 1 1
0 1 1 0 1 0 1 0 1 0 1 0 0 0 1 1 1 1 0 0 0 0 1 1 0 1 0 1 1 1 1 1
0 1 1 0 1 1 0 1 1 0 1 0 0 1 0 0 0 1 1 0 1 0 1 1 0 0 1 1 0 1 1 1
'''
#sage
from libnum import *
from gmpy2 import *
# Ciphertext, copied from the "c =" line of the challenge output.
c = 5750862006780374919287214285692236210204656897730327429454502213453716609006462693326927544526483929921956237739564314742381291228170724611684726314766300684189083862768843433748971907962075938141567163713163231477418107343867114651242407427262164467193346523730926798966915657982552864539513197192523866321569716738540583056085357621328692775578162692288348251605475475005408200801081747601745630186390866011595954211521326069111983199120520535552104591110478015154646709731714695120857959832894595677697407284511806934799265823961155753765208975629786832407640872204810033141414096894416317703257346937008503926274
# The published "p ^ q" value: the bitwise XOR of the two RSA primes.
leak = 89144063720545532404936347749976033995959352088369581593483294017916269127126015515514164556238892315116219488234599276283755643115494368387307879815221830970632672104176330851649236203019768799744400071934922875736029236458980333704716550922984411453411523931115952319603510996580835848026227775168231757398
# Row width used when the challenge cut the 1024-bit strings into matrix rows.
matrix_size = 32
# 32x32 identity matrix; it is added to G when solving for P.
I = matrix.identity(32)
# The "gift" matrix from the challenge output, one inner list per 32-entry row.
# In the challenge it is the solution of P * gift = Q over GF(2).
G = [[0,0,1,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,0,0,1,0,0,0,1,0,0,1,1,0,0],
[1,0,1,0,0,0,0,1,0,1,1,1,1,1,0,1,0,1,1,1,0,1,0,0,0,1,1,0,0,0,0,1],
[0,1,0,1,1,1,1,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0],
[0,1,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,1,0,1,1,0,1],
[0,1,0,1,1,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,1,0,0,1,0,0,1,0,1,1],
[1,1,1,0,0,1,0,0,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,1,1],
[1,0,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,0,0,1,0,0],
[1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,0,1,0,1,0,0,1,0,0,0,1,1,1,1,0,1,0],
[0,0,1,0,1,1,1,0,1,1,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,1,1],
[1,0,0,0,0,0,0,1,1,1,1,1,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,0,1,1,1,1],
[1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1],
[0,0,1,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,0,0],
[1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,0,0,0,0,0,1,0,1,1,1,0,1,0,1,1,0,1],
[1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,0,1,1,1,1,0,0,1,0,0,1,0,1,1,0],
[1,0,0,1,1,1,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1],
[1,0,0,1,0,0,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,1,0,0,0,0,1,1,1,0],
[0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1,0,0,1,0,1,1,1,1,1,0,0,1],
[0,0,0,1,0,1,1,1,1,0,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1],
[0,0,1,1,1,1,1,0,0,1,0,0,1,1,1,0,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,0],
[0,1,0,0,0,0,1,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,1,0,0,1,1],
[1,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,0,1,1,0,0,0,1],
[0,0,0,0,0,0,1,0,1,1,1,1,1,0,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1],
[0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1],
[1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1],
[1,1,0,0,0,0,0,1,1,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,0,1,0,1,1,0],
[0,1,1,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0,0,0,1,0,0],
[0,1,0,1,1,0,0,0,0,1,1,1,1,1,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,0,1,0],
[1,1,1,1,1,0,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,1,0,1,1,0,0,0,1,1],
[1,1,1,1,1,1,1,0,1,1,1,0,0,1,0,1,0,1,1,0,0,0,0,1,1,1,0,1,0,0,0,0],
[0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,1,0,1,0,0,0,1,0,1,1,0,0,0,0,0,1,1],
[0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,1,1],
[0,1,1,0,1,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1]]
# Reinterpret the nested list as a matrix over GF(2) so that addition is XOR.
G = Matrix(GF(2),G)
# Lay the 1024 bits of p XOR q out exactly as the challenge laid out p and q:
# matrix_size bits per row, most significant bits first.
leak_bin = bin(leak)[2:].zfill(1024)
rows = [
    [int(bit) for bit in leak_bin[start:start + matrix_size]]
    for start in range(0, len(leak_bin), matrix_size)
]
X = Matrix(GF(2), rows)

# Over GF(2), X = P + Q and Q = P * G, so X = P * (G + I) and therefore
# P = X * (G + I)^(-1). This step requires G + I to be invertible.
P = X * (G + I)^(-1)

# Read the entries of P row by row to get the bit string of p back.
p = int(''.join(str(bit) for row in P for bit in row), 2)
q = p ^^ leak

# With both primes known, the rest is ordinary RSA decryption with e = 65537.
n = p * q
d = invert(65537, (p - 1) * (q - 1))
m = pow(c, d, n)
print(n2s(int(m)))
BuildCTF{78e09053-bc0a-4fdc-9dec-0f107bf9ba43}