Misc-Sign-in & Sign-out


Misc-osint

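First search for exterior photos of the hotel and find a similar one. A Baidu reverse image search on it points to Yongnian District, Handan, Hebei, which pins the location down to Yongnian Taiji Square.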

HECTF{河北省邯郸市永年区永年太极广场}

Misc-ezpacp

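Export Objects -> HTTP shows quite a few items. I picked /POST login and followed the HTTP stream, which contains a base64 string, SEVMTE9IRUNURlgyejBVbTIzUkY=, that decodes to HELLOHECTFX2z0Um23RF.
Tracing further turns up a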

Export it; it is encrypted. Trying the password X2z0Um23RF yields the flag.
HECTF{euLpTT3DQWhvoHhwqmSxQdZHQFccHOlfk7WWbXlg}

Web-Impostor

First the Referer header, then the User-Agent header, then session forgery.
Start by decoding the session cookie with a local sessions.py:

# kali
python3 sessions.py eyJrZXkiOiJ6eGsxaW5nIiwidXNlcm5hbWUiOiJqb2tlciJ9.ZVhPvg.6WsRkbssuzOuGgnG0G5Lqdqriqc
{'key': 'zxk1ing', 'username': 'joker'}
python3 flask_session_cookie_manager3.py encode -s 'zxk1ing' -t "{'key': 'zxk1ing', 'username': 'zxk1ing'}"
eyJrZXkiOiJ6eGsxaW5nIiwidXNlcm5hbWUiOiJ6eGsxaW5nIn0.ZVhXIg.cAtAg3DUE-wZp-yq_a5IUvfvaIM

Added after the competition:

SSRF, server-side request forgery.
So requesting /img?url=http://127.0.0.1/P1aceuWillneverkn0w is enough.

Crypto-rsarsa

# Challenge
from functools import reduce
from Crypto.Util.number import *
import random
from secret import flag,hint

def generate_PQ(bits):
    # p and q share their upper bits//2 bits; only the lower half is random
    x = getPrime(bits) >> bits//2 << bits//2
    while True:
        p = x + random.getrandbits(bits//2)
        if isPrime(p):
            break
    while True:
        q = x + random.getrandbits(bits//2)
        if isPrime(q):
            break
    return p,q

m = bytes_to_long(flag)
hint = bytes_to_long(hint)
e = 65537
p,q = generate_PQ(1024)
n = p*q
# seed is not defined in the published source; it is the value the hint encodes
random.seed(seed)
x = [random.randint(1,seed) for _ in range(2)]
y = [random.randint(1,seed) for _ in range(2)]

print("c =",pow(hint,e,n))
print("n =",n)
# each reduce evaluates to coeffs[0]*m + coeffs[1]
print("c1 =",pow(reduce(lambda x, y: x * m + y, x), 17, n))
print("c2 =",pow(reduce(lambda x, y: x * m + y, y), 17, n))

Once you understand the code it is simple. A bit of brute forcing, about 3-4 minutes; I didn't time it closely.

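from Crypto.Util.number import *

e = 65537  # from the challenge source
c = ...    # from the challenge output (value omitted in this write-up)
n = ...    # from the challenge output (value omitted in this write-up)
# factor n with yafu
c1 = ...   # from the challenge output (value omitted in this write-up)
c2 = ...   # from the challenge output (value omitted in this write-up)
p = ...    # factor of n (value omitted in this write-up)
q = ...    # factor of n (value omitted in this write-up)
d = inverse(e, (p-1)*(q-1))
# print(long_to_bytes(pow(c, d, n)))
# Hint{Seed_is_256087_+_396445_-_538018}
seed = 114514
d1 = inverse(17, (p-1)*(q-1))
# print(pow(c1,d1,n))
# print(pow(c2,d1,n))
a1 = ...   # pow(c1, d1, n) (value omitted in this write-up)
a2 = ...   # pow(c2, d1, n) (value omitted in this write-up)
# a2 - a1 = j*m + i with j = y[0]-x[0] and i = y[1]-x[1]; brute-force i and j
for i in range(1, seed):
    for j in range(1, seed):
        if ((a2-a1)-i) % j == 0:
            flag = long_to_bytes(((a2-a1)-i) // j)
            if b'HECTF{' in flag:
                print(flag)
                break
    else:
        continue  # nothing found for this i, try the next one
    break         # flag printed, stop the outer loop as well
# HECTF{r3411y_easy_R4nd0m_And_r3l4ted_m3554ge_att4ck}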

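After the competition I went over it again and looked things up: once the random seed is known, the random numbers generated from it can be reproduced directly, so there is no need to brute force for three or four minutes as I did above. x = [30509, 13601], y = [92095, 27065]; plug those in and it's done (too lazy to write the code again).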
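
The shortcut from the last paragraph, as an added example (not the author's code): replay the seeded draws in the challenge's order, undo the exponent-17 RSA layer, and solve each affine relation for m, checking that both ciphertexts give the same message. The key (two Mersenne primes), the sample flag and all function names are constructed for illustration; only the seed 114514 and the challenge's expressions come from the page.

```python
import random
from functools import reduce

E_SMALL = 17                        # exponent the challenge uses for c1 and c2
P, Q = 2**127 - 1, 2**107 - 1       # constructed stand-in key (known Mersenne primes)
SEED = 114514                       # value the page derives from the hint
SAMPLE = b"HECTF{constructed_sample}"   # constructed flag, not the real one

def coeffs_from_seed(seed):
    """Replay the challenge's draws: seed once, then two values for x, two for y."""
    rng = random.Random(seed)       # same Mersenne Twister stream as random.seed(seed)
    x = [rng.randint(1, seed) for _ in range(2)]
    y = [rng.randint(1, seed) for _ in range(2)]
    return x, y

def affine(coeffs, m):
    """Same expression as the challenge: coeffs[0] * m + coeffs[1]."""
    return reduce(lambda acc, k: acc * m + k, coeffs)

def solve_affine(coeffs, a):
    """Invert a = k0*m + k1 exactly; None if a does not have that form."""
    k0, k1 = coeffs
    m, rem = divmod(a - k1, k0)
    return m if rem == 0 and m >= 0 else None

def recover_message(seed, c1, c2, p, q):
    """Decrypt both ciphertexts and solve for m with the regenerated coefficients."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E_SMALL, -1, phi)       # needs gcd(17, phi) == 1, true for this key
    x, y = coeffs_from_seed(seed)
    m1 = solve_affine(x, pow(c1, d, n))
    m2 = solve_affine(y, pow(c2, d, n))
    if m1 is None or m1 != m2:      # a wrong seed fails this cross-check
        raise ValueError("seed does not explain both ciphertexts")
    return m1.to_bytes((m1.bit_length() + 7) // 8, "big")

def make_sample(seed=SEED, msg=SAMPLE):
    """Build c1 and c2 the way the challenge does, for the constructed key and flag."""
    m = int.from_bytes(msg, "big")
    x, y = coeffs_from_seed(seed)
    n = P * Q
    return pow(affine(x, m), E_SMALL, n), pow(affine(y, m), E_SMALL, n)

if __name__ == "__main__":
    c1, c2 = make_sample()
    print(recover_message(SEED, c1, c2, P, Q))
```

With the seed known, the whole recovery is two modular exponentiations and two exact divisions, which is why coefficients drawn from `random` add no secrecy once the seed leaks.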