Moectf 强壮密码人部分题解

前言#

打moectf的时候顺便看了看训练场的强壮密码人，题目还不错，写一下。

题目#

0rsa0#

task.py

1
from Crypto.Util.number import *
2
from flag import flag
3

4
assert flag[0:7] == b'moectf{'
5
assert flag[-1:] == b'}'
6
flag = flag[7:-1]
7
assert len(flag) == 32
8

9
m1 = bytes_to_long(flag[0:16])
10
m2 = bytes_to_long(flag[16:32])
11

12
def enc1(m):
13
    p = getPrime(512)
14
    q = getPrime(512)
15
    n = p * q
16
    e = 3
17
    c = pow(m,e,n)
18
    return n,e,c
19

20
def enc2(m):
21
    p = getPrime(512)
22
    q = getPrime(512)
23
    e = 65537
24
    d = inverse(e,(p-1)*(q-1))
25
    n = p * q
26
    dp2 = d % (p-1)
27
    c = pow(m,e,n)
28
    return n,e,c,dp2
29

30
n1,e1,c1 = enc1(m1)
31
n2,e2,c2,dp2 = enc2(m2)
32

33
print("n1="+ str(n1))
34
print("e1="+ str(e1))
35
print("c1="+ str(c1))
36
print("n2="+ str(n2))
37
print("e2="+ str(e2))
38
print("c2="+ str(c2))
39
print("dp2="+ str(dp2))

思路：

m1就是简单的小e攻击，一般开三次方，如果 $m^e>n$ 就要小范围爆破一下.
m2就更明显了，dp攻击bro，直接遍历e，去看p=(dp * e - 1) // i + 1，然后算flag就行了.

exp.py

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4
n1=
5
e1=3
6
c1=
7
n2=
8
e2=65537
9
c2=
10
dp2=
11

12
m1=iroot(c1,3)[0]
13
print(long_to_bytes(m1))
14

15
a = getPrime(10)
16

17
p = GCD(pow(a,dp2*e2,n2)-a,n2)
18
m2 = pow(c2,dp2,p)
19
print(long_to_bytes(m2))
20

21
flag=b'moectf{'+long_to_bytes(m1)+long_to_bytes(m2)+b'}'
22
print(flag)

BBBBBBBackpack#

task.py

1
from Crypto.Util.number import*
2
import random
3

4
flag = xxxxx
5
m = bytes_to_long(flag)
6

7
backpack = [1]
8
for i in range(160):
9
    backpack = backpack + [random.randrange(backpack[-1]*2,backpack[-1]*4)]
10
print(backpack)
11

12
backpack = backpack[::-1]
13
l_list = []
14
for i in backpack:
15
    l_list.append(m//i)
16
    m = m % i
17
print(l_list)
18
print(m)

思路：超序列化背包

exp.py

1
from Crypto.Util.number import *
2

3
m_list=
4
m=
5
m_list = list(m_list[::-1])
6
n = len(m)
7
flag = 0
8
for i in range(n):
9
    flag += m_list[i]*m[i]
10

11
print(long_to_bytes(flag))

BabyMultiple#

task.py

1
def encode(msg,mul):
2
    c = b''
3
    for i in msg:
4
        index = table.find(i)
5
        index_after = (index * mul) % 63
6
        c = c + bytes.fromhex(hex(table[index_after])[2:])
7
    return c
8

9
table = b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_'
10
FLAG = xxxxx
11

12
assert len(table) == 63
13
assert FLAG[:7] == b'moectf{'
14
assert FLAG[-1:] == b'}'
15

16
Mul = 58
17
msg = FLAG[7:-1]
18

19
c = encode(msg,Mul)
20
print(c)
21

22
#b'g3AfJPOfHPOJFfJuf_AYux1JFx39'

思路：i*58 mod 63加密的，逆回去学

exp.py

1
table = b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_'
2
c = b'g3AfJPOfHPOJFfJuf_AYux1JFx39'
3
Mul = 58
4
mod = len(table)
5

6
Mul_inv = pow(Mul, -1, mod)
7

8
def decode(cipher_text, mul_inv):
9
    msg = b''
10
    for i_byte in cipher_text:
11
        index_after = table.find(i_byte)
12
        original_index = (index_after * mul_inv) % mod
13
        msg += table[original_index:original_index+1]
14

15
    return msg
16

17
decrypted_msg = decode(c, Mul_inv)
18
FLAG = b'moectf{' + decrypted_msg + b'}'
19

20
print(FLAG)

LazyRSA#

task.py

1
from Crypto.Util.number import*
2

3
p = getPrime(512)
4
q = getPrime(512)
5

6
n = p*q
7
e = 0x10001
8

9
flag = xxx
10
m = bytes_to_long(flag)
11

12
c = pow(m,e,n)
13
print("p = " , p)
14
print("q = " , q)
15
print("c = " , c)

思路：直接算就行

exp.py

1
from Crypto.Util.number import *
2

3
p =
4
q =
5
c =
6

7
print(long_to_bytes(pow(c,inverse(65537,(p-1)*(q-1)),p*q)))

Little_FSR#

task.py

1
import random
2
import string
3

4
from Crypto.Util.number import *
5
from gmpy2 import *
6
from secret import FLAG, key
7

8
assert FLAG[:7] == b'moectf{'
9
assert FLAG[-1:]== b'}'
10
table = string.ascii_letters+string.digits+string.punctuation
11
for _ in range(50-len(FLAG)):
12
    FLAG += random.choice(table).encode()
13
assert len(FLAG) == 50
14
assert len(key) == 5
15

16
class LFSR:
17
    def __init__(self):
18
        self.data = list(map(int,list(bin(bytes_to_long(FLAG))[2:].rjust(400,'0'))))
19
        for _ in range(2022):
20
            self.cycle()
21

22
    def cycle(self):
23
        bit = self.data[0]
24
        new = 0
25
        for i in key:
26
            new ^= self.data[i]
27
        self.data = self.data[1:] + [new]
28
        return bit
29

30
ILOVEMOECTF = LFSR()
31
for _ in range(2022):
32
    print(ILOVEMOECTF.cycle(), end='')

思路：表面FSR实际效果和LFSR差不多

1
class lfsr():
2
    def __init__(self, init, mask, length):
3
        self.init = init
4
        self.mask = mask
5
        self.lengthmask = 2**(length+1)-1
6

7
    def next(self):
8
        nextdata = (self.init << 1) & self.lengthmask
9
        i = self.init & self.mask & self.lengthmask
10
        output = 0
11
        while i != 0:
12
            output ^= (i & 1)
13
            i = i >> 1
14
        nextdata ^= output
15
        self.init = nextdata
16
        return output

加密方式是

newbit = data_{key[0]}\bigoplus data_{key[1]}\bigoplus \cdots \bigoplus data_{key[m]}

按理来说可以爆破？时间太长了，我们这里求解线性同余方程组

1
from Crypto.Util.number import *
2

3
data =
4
b = list(data[400:800])
5
B =vector(Zmod(2),b)
6
mt = matrix(Zmod(2),0,400)
7
for i in range(400):
8
    mt = mt.stack(vector(Zmod(2),list(data[i:i+400])))
9
x = mt \ B
10
key = []
11
for index,i in enumerate(x):
12
    if i == 1:
13
        key.append(index)
14
print(key)
15
# [8, 23, 114, 211, 360]
16

17
Len = 400 - key[0]
18
m = list(map(int,data[:Len]))
19

20
for _ in range(2022):
21
    c = 0
22
    for t in key: c = c^^m[t-key[0]-1]
23
    m = [c] + m[:Len-1]
24

25
flag = ''.join(str(i) for i in m)
26

27

28
print(long_to_bytes(int(flag,2)))

MiniMiniBackPack#

task.py

1
from gmpy2 import *
2
from Crypto.Util.number import *
3
import random
4
from FLAG import flag
5

6
def gen_key(size):
7
    s = 1000
8
    key = []
9
    for _ in range(size):
10
        a = random.randint(s + 1, 2 * s)
11
        assert a > sum(key)
12
        key.append(a)
13
        s += a
14
    return key
15

16

17
m = bytes_to_long(flag)
18
L = len(bin(m)[2:])
19
key = gen_key(L)
20
c = 0
21

22
for i in range(L):
23
    c += key[i]**(m&1)
24
    m >>= 1
25

26
print(key)
27
print(c)

思路：贪心求解即可：从大到小，如果可以减去当前大数，则减去，并且对应二进制明文为1

exp.py

1
from Crypto.Util.number import *
2
key=[]
3
c =
4

5
m = ''
6
for i in reversed(key):
7
    if c > i:
8
        m += '1'
9
        c -= i
10
    else:
11
        m += '0'
12
        c -= 1
13

14

15
flag = long_to_bytes(int(m,2))
16
print(flag)

NumberTheory-FeeeeeMa#

task.py

1
import gmpy2
2
from Crypto.Util.number import *
3

4
p = getPrime(2048)
5
q = gmpy2.next_prime(p)
6
for i in range(3600):
7
    if i%100 ==0:
8
        print(i)
9
    q = gmpy2.next_prime(q)
10

11
n = p * q
12
e = 0x10001
13

14
flag = xxx
15
m = bytes_to_long(flag)
16
c = pow(m,e,n)
17
print(c)
18
print(n)

思路：肉眼可见的两个值离得近，这里直接iroot开方，发现离的有点远，费马分解梭哈

exp.py

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4
c=
5
n=
6
e=0x10001
7

8
def fermat_factor(n):
9
    a = gmpy2.isqrt(n) + 1
10

11
    while True:
12
        b2 = gmpy2.square(a) - n
13

14
        if gmpy2.is_square(b2):
15
            b = gmpy2.isqrt(b2)
16
            p = a - b
17
            q = a + b
18
            return p, q
19

20
        a += 1
21

22
def solve():
23

24
    p, q = fermat_factor(n)
25

26

27
    phi = (p - 1) * (q - 1)
28
    d = gmpy2.invert(e, phi)
29
    m = pow(c, d, n)
30

31
    flag = long_to_bytes(m)
32
    print(flag)
33

34
if __name__ == '__main__':
35
    solve()

NumberTheory-MyGrandson#

task.py

1
import random
2

3
from Crypto.Util.number import *
4

5
prime_list = []
6
while len(prime_list) != 10:
7
    p = getPrime(512)
8
    if p not in prime_list:
9
        prime_list.append(p)
10

11
n_list = []
12
while len(prime_list) != 0 :
13
    p = random.choice(prime_list)
14
    prime_list.remove(p)
15
    q = random.choice(prime_list)
16
    prime_list.remove(q)
17
    n = p * q
18
    n_list.append(n)
19

20
e = 0x3
21
flag = xxxx
22
m = bytes_to_long(flag)
23

24
c_list = []
25
for i in range(5):
26
    c_list.append(pow(m,e,n_list[i]))
27

28
print(n_list)
29
print(c_list)

思路：经典crt问题，crt求解后开三次方即可

1
from Crypto.Util.number import *
2
from gmpy2 import *
3
from sage.all import *
4

5
n_list=
6
c_list=
7
e=3
8

9
m_cubed = crt(c_list, n_list)
10
m=iroot(m_cubed,e)[0]
11
print(long_to_bytes(m))

NumberTheory-Powwwwwer#

task.py

1
from Crypto.Util.number import *
2

3
p = getPrime(512)
4
q = getPrime(512)
5

6
flag = xxxxx
7
m = bytes_to_long(flag)
8
n = p * q
9
e1 = 0x114514
10
e2 = 11451401
11

12
c1 = pow(m,e1,n)
13
c2 = pow(m,e2,n)
14
print(c1)
15
print(c2)
16
print(n)

思路：经典的共模攻击

c_1=m^{e_1} \mod n \\ c_2=m^{e_2} \mod n \\ 由欧几里得算法可知e_1x+e_2y=1 \\ 那么 c^{x}\times c^{y}=m^{xe_1+ye_2}=m \mod n

exp.py

1
from Crypto.Util.number import*
2
import gmpy2
3

4
c1=
5
c2=
6
n=
7
e1 = 0x114514
8
e2 = 11451401
9

10

11
r,s1,s2 = gmpy2.gcdext(e1, e2)
12
m = (pow(c1,s1,n)*pow(c2,s2,n)) % n
13
print(long_to_bytes(m))

PRintNewG#

task.py

1
import random
2
from Crypto.Util.number import*
3
from FLAG import flag
4

5
class PRintNewG:
6
    def __init__(self,seed):
7
        self.state = seed
8
        self.a = random.randint(2**256,2**257)
9
        self.b = random.randint(2**256,2**257)
10
        if self.b > self.a:
11
            self.b = self.b - self.a
12
        self.n = getPrime(257)
13

14
    def NewG(self):
15
        self.state = (self.a * self.state + self.b) % self.n
16
        print(self.state)
17

18
PrintNewG = PRintNewG(bytes_to_long(flag))
19
print(PrintNewG.n)
20
PrintNewG.NewG()
21
PrintNewG.NewG()
22
PrintNewG.NewG()

思路：就是LCG，知道n，知道连续三次输出，这里直接求解

exp.py

1
from Crypto.Util.number import *
2
n = 164955381960104851576442781839629371483790790743830073857213053104860144345367
3
s1 = 67066424717605861916529090048670931008913194546199003522357504998012803616537
4
s2 = 14585402872351563180055857554749250191721167730349724393021149201170995608751
5
s3 = 68393939370424772490169906192546208899639826391163845848999554903218827210979
6

7
def solve_lcg():
8
    s2_minus_s1_inv = pow(s2 - s1, -1, n)
9
    a = ((s3 - s2) * s2_minus_s1_inv) % n
10

11
    b = (s2 - a * s1) % n
12

13
    a_inv = pow(a, -1, n)
14
    s0 = ((s1 - b) * a_inv) % n
15
    flag = long_to_bytes(s0)
16
    print(flag)
17
if __name__ == '__main__':
18
    solve_lcg()

task.py

1
from Crypto.Util.number import *
2
from secret import flag
3
m=bytes_to_long(flag)
4
p=getPrime(512)
5
q=getPrime(512)
6
print('p=',p)
7
print('q=',q)
8
n=p*q
9
e=65537
10
c=pow(m,e,n)
11
print('c=',c)

思路：有个小坑，q和e不互素的

exp.py

1
from Crypto.Util.number import *
2

3
p=
4
q=
5
c=
6
e=65537
7

8
print(GCD(e,p-1))
9

10
print(long_to_bytes(pow(c,inverse(e,p-1),p)))

Weird_E_Revenge#

task.py

1
from Crypto.Util.number import *
2
import random
3
from secret import flag
4
table='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
5
pad=100-len(flag)
6
for i in range(pad):
7
    flag+=random.choice(table).encode()
8
e=343284449
9
m=bytes_to_long(flag)
10
assert m>(1<<512)
11
assert m<(1<<1024)
12
p=getPrime(512)
13
q=getPrime(512)
14
r=getPrime(512)
15
print('p=',p)
16
print('q=',q)
17
print('r=',r)
18
n1=p*q
19
n2=q*r
20
c1=pow(m,e,n1)
21
c2=pow(m,e,n2)
22
print('c1=',c1)
23
print('c2=',c2)

思路：应该都差不多，m1=m mod p,m2=m mod r

m=m_1\cdot r\cdot inv_1+m_2\cdot p \cdot inv_2 \\ 其中 inv_1\equiv r^{-1}(mod\ p),inv_2\equiv p^{-1}(mod\ r)

还有一个思路(在github看见的)

$x\equiv c1(\mod n1)$
$x\equiv c2(\mod n2)$

这里的x表示什么呢？我们知道两个密文都是由 $m^e$ 模各自的n得到的，所以x就是 $m^e$ 。crt求解就可以得到 $m^e$ 的一个特解。

但是求完还是有问题。e值没有改变，还是那么大，意味着无法爆破或者有限域开根。必须要找到d，们把模数换成p*r。

$result\equiv x=m^e\%p(\mod p)$
$result\equiv x=m^e\%r(\mod r)$

把q去掉，拿刚刚求出的特解再次构造同余方程组。这个同余方程组求出来的特解 $result\equiv m^e (\mod p*r)$ 。

可以这么想，设 $a\equiv m^e\%p(\mod p),b\equiv m^e\%r(\mod r)$ ，那么a*b必定是这个同余方程组的解之一。

$a=k1\times p+m^e,b=k2\times r+m^e$ ，

那么 $ab=(k1p+m^e)\times (k2r+m^e)=k1\times k2\times pr+k1pm^e+k2rm^e+m^a,a=2e$ 。

$k1\times k2\times pr+k1pm^e+k2rm^e$ 这段模pr余数肯定是0

exp.py

1
from Crypto.Util.number import *
2
from sympy.ntheory.modular import crt
3

4
p=
5
q=
6
r=
7
c1=
8
c2=
9
e=343284449
10
n1=p*q
11
n2=q*r
12
n3=p*r
13
m=crt([n1,n2],[c1,c2])[0]
14
m1=m%p
15
m3=m%r
16
m=crt([p,r],[m1,m3])[0]
17
d=inverse(e,(p-1)*(r-1))
18
print(long_to_bytes(pow(m,d,n3)))

beginOfCrypto#

task.py

1
import math
2
flag = xxx
3

4
data = list(map(ord,flag))
5
cip = []
6
for i in range(len(data)):
7
    cip.append(math.e**data[i])
8
print(cip)

思路：就是次方了，直接log求解

exp.py

1
import math
2

3
cip = []
4

5
flag = ""
6
for c in cip:
7
    ascii_val = math.log(c)
8
    rounded_ascii = round(ascii_val)
9
    flag += chr(rounded_ascii)
10

11
print(flag)

ezRSA#

task.py

1
from Crypto.Util.number import *
2

3
flag = bytes_to_long(xxxxx)
4
p,q,r = getPrime(2048),getPrime(2048),getPrime(2048)
5
n = p * q * r
6
e = 0x10001
7

8
s = getPrime(300)
9
print(160 * s ** 5 - 4999 * s ** 4 + 3 * s ** 3 +1)
10

11
gift = (pow(p, (q-1)*(r-1)*q*r, (q*r) ** 3)* pow(q*r+1, q, (q*r)**3)) % (q*r)**3
12
print(gift)
13

14
phi = (p-1)*(q-1)*(r-1)
15
d = inverse(e,phi)
16
k = (p-s)*d
17
enc = pow(flag,e,n)
18
print(n)
19
print(k)
20
print(enc)

思路：叔论题，gift推导了一堆，正经方法是先拿到s

3^{ek}\mod n - 3^{1-s}\mod n =3^{p-s}\mod n -3^{1-s}\mod n

可以拿到p，接着求qr，这里稍微推一下gift mod q^2*r^2，

gift = p^{q(q-1)r(r-1)}(qr+1)^q = (qr+1)^q=(q^2r+1) \mod (qr)^2

那么就可以求解出来了

不正经的方法：gift-1和n做gcd即可

exp.py

1
from Crypto.Util.number import *
2

3
gift=
4
e=65537
5
n=
6
enc=
7
qr=GCD(gift-1,n)
8
p=n//qr
9

10
print(long_to_bytes(pow(enc,inverse(e,p-1),p)))

ez_cbc#

task.py

1
from Crypto.Util.number import *
2
import random
3
from secret import flag
4

5
IV = bytes_to_long(b'cbc!')
6
K = random.randrange(1,1<<30)
7

8
assert flag[:7] == b'moectf{'
9
assert flag[-1:] == b'}'
10

11
block_length = 4
12
flag = flag + ((block_length - len(flag) % block_length) % block_length) * b'\x00'
13
plain_block = [flag[block_length * i: block_length * (i + 1)] for i in range(len(flag) // block_length)]
14

15
c = []
16
c0 = (IV ^ bytes_to_long(plain_block[0])) ^ K
17
c.append(c0)
18

19
for i in range(len(plain_block)-1):
20
    c.append(c[i] ^ bytes_to_long(plain_block[i+1]) ^ K)
21

22
print(c)

exp.py

1
from Crypto.Util.number import *
2

3
c = []
4

5
IV = bytes_to_long(b'cbc!')
6
p0_long = bytes_to_long(b'moec')
7

8
plain_longs = [p0_long]
9

10
p1_long = p0_long ^ IV ^ c[1]
11
plain_longs.append(p1_long)
12

13
for i in range(1, len(c) - 1):
14
    pi = plain_longs[i]
15
    ci_minus_1 = c[i - 1]
16
    ci_plus_1 = c[i + 1]
17

18
    pi_plus_1 = pi ^ ci_minus_1 ^ ci_plus_1
19
    plain_longs.append(pi_plus_1)
20

21
padded_flag = b''
22
for p_long in plain_longs:
23
    padded_flag += long_to_bytes(p_long, 4)
24

25
flag = padded_flag[:padded_flag.rfind(b'}') + 1]
26

27
print(flag.decode())

smooth#

task.py

1
from Crypto.Util.number import sieve_base,isPrime,getPrime
2
import random
3
from secret import flag
4

5
def get_vulnerable_prime():
6
    p=2
7
    while True:
8
        for i in range(136):
9
            smallp=random.choice(sieve_base)
10
            p*=smallp
11
        if isPrime(p+1):
12
            return p+1
13

14
P=get_vulnerable_prime()
15
Q=getPrime(2048)
16
N=P*Q
17
e=0x10001
18

19
for i in range(1,P-1729):
20
    flag=flag*i%P
21

22
c=pow(flag,e,N)
23
print("c=",hex(c))
24
print("N=",hex(N))

思路：明显的p-1光滑，可以分解出来pq，然后有个Wilson定理， $(p-1)! \equiv -1 \pmod p$

exp.py

1
from Crypto.Util.number import *
2
from gmpy2 import *
3

4
c=
5
N=
6

7
def p_1_smooth(N):
8
    a = 2;n = 2
9
    while True:
10
        a = pow(a, n, N)
11
        res = GCD(a-1, N)
12
        if res != 1 and res != N:
13
            return res
14
        n += 1
15

16
p=p_1_smooth(N)
17
q=N//p
18
phi=(p-1)*(q-1)
19
d=inverse(0x10001,phi)
20
m=pow(c,d,N)
21

22
for i in range(p-1729,p):
23
    m=m*i%p
24
m=(-m)%p
25

26
print(long_to_bytes(m))

一次就好#

task.py

1
from Crypto.Util.strxor import strxor
2
from Crypto.Util.number import *
3
from gmpy2 import powmod,next_prime
4
from FLAG import flag
5
import codecs
6

7
c = b'Just once,I will accompany you to see the world'
8
flag = flag.ljust(len(c),'#')
9
key = strxor(flag.encode(), c)
10
m = bytes_to_long(key)
11

12
p = getPrime(512)
13
q = next_prime(p)
14
N = p*q
15
e = 0x10001
16

17
gift = powmod(m, e, N)
18

19
print(gift)
20
print(N)

思路：先开方求出pq，最后有个xor

exp.py

1
from Crypto.Util.number import *
2
from Crypto.Util.strxor import strxor
3
from gmpy2 import *
4

5
gift =
6
N =
7
e=65537
8
c = b'Just once,I will accompany you to see the world'
9
p=iroot(N,2)[0]
10
p=next_prime(p)
11
q=N//p
12
assert p*q==N
13
flag=long_to_bytes(pow(gift,inverse(e,(p-1)*(q-1)),N),len(c))
14
flag=strxor(flag,c)
15
print(flag)

不止一次#

这个比较谜语人，我们知道flag头是什么，加密主要是一个key对不同的密文加密，后面发现每个都差不多，爆破一下就行了

exp.py

1
from Crypto.Util.strxor import strxor
2
from string import printable
3

4
A = bytes.fromhex("")
5
B = bytes.fromhex("")
6

7
known = "moectf{"
8
flag_len = 36
9
while len(known) < flag_len:
10
    for c in printable:
11
        flag = known + c + "a"*(flag_len - 1 - len(known))
12
        flag = flag.encode()
13
        a = strxor(A,flag)
14
        b = strxor(B,flag)
15
        if a[len(known)] == b[len(known)-1]:
16
            known+=c
17
            break

马锤壳s#

task.py

1
from sage.all import *
2
from Crypto.Util.number import *
3
from secret import flag
4

5
def _N2M_(num,wid):
6
    mat = []
7
    num = bin(num)[2:].rjust(wid*wid,'0')
8
    for i in range(wid):
9
        TMP = []
10
        for j in range(wid):
11
            TMP.append(int(num[i*wid + j]))
12
        mat.append(TMP)
13
    return mat
14

15
def _T_(mat,wid):
16
    new_mat = []
17
    for i in range(wid):
18
        TMP = []
19
        for j in range(wid):
20
            TMP.append(int(mat[j][i]))
21
        new_mat.append(TMP)
22
    return new_mat
23

24
def _GenKeyM_(wid):
25
    Prime_bits = 256
26
    primes = [[getPrime(Prime_bits) for i in range(wid)] for j in range(wid)]
27
    return primes
28

29
if __name__ == "__main__":
30
    wid = 17
31
    m = bytes_to_long(flag)
32
    m = _T_(_N2M_(m,wid),wid)
33

34
    m = Matrix(ZZ,m)
35
    key = _GenKeyM_(wid)
36

37
    c = m * Matrix(ZZ,key)
38
    f = open(r'/output','w')
39

40
    bigMOD = 2**512
41
    A = 0x10001
42
    B = 12138
43
    KEY = A * Matrix(Zmod(bigMOD),key) + B
44

45
    f.write("cipher : \n" + str(c) + '\nKEY :\n' + str(KEY))
46
    f.close()

思路：先对消息进行01加密，成矩阵，然后成17x17的矩阵，然后矩阵乘法，然后给了加密后的K，这里K可以直接计算，然后解密c

exp.py

1
from sage.all import *
2
from Crypto.Util.number import*
3

4
Key =
5
K = Matrix(Zmod(2**512),Key)
6
K = ((K-12138)/0x10001)
7

8
NEW_K = Matrix(ZZ,K)
9

10
C =
11
C = Matrix(ZZ,C)
12
m = NEW_K.solve_left(C)
13
M = ''.join(str(i) for i in ((m.T).list()))
14
print(long_to_bytes(int(M,2)))

总结#

很多都是moe22&21的题，质量挺高的，格部分没怎么写，平台上面也有exp，就这样吧

a ctfer on the load

前言#

题目#

0rsa0#

BBBBBBBackpack#

BabyMultiple#

LazyRSA#

Little_FSR#

MiniMiniBackPack#

NumberTheory-FeeeeeMa#

NumberTheory-MyGrandson#

NumberTheory-Powwwwwer#

PRintNewG#

Signin#

Weird_E_Revenge#

beginOfCrypto#

ezRSA#

ez_cbc#

smooth#

一次就好#

不止一次#

马锤壳s#

总结#