国城杯&&HECTF2024

国城杯

这次比赛的web比较有难度(题解居然比pwn少，而且是少很多很多)，交给学弟，然后学弟下午出去玩，那就没人打web了，因为我被圆锥曲线卡住了QWQ

Crypto

babyRSA

from secret import flag
from Crypto.Util.number import*
from gmpy2 import*

flag = b'D0g3xGC{****************}'

def gen_key(p, q):
    public_key = p*p*q
    e = public_key
    n = p*q
    phi_n = (p-1)*(q-1)
    private_key = inverse(e,phi_n)
    return public_key,private_key,e

p = getPrime(512)
q = getPrime(512)

N,d,e = gen_key(p,q)

c = gmpy2.powmod(bytes_to_long(flag),e,N)

print(N)
print(d)
print(c)

'''
n = 539403894871945779827202174061302970341082455928364137444962844359039924160163196863639732747261316352083923762760392277536591121706270680734175544093484423564223679628430671167864783270170316881238613070741410367403388936640139281272357761773388084534717028640788227350254140821128908338938211038299089224967666902522698905762169859839320277939509727532793553875254243396522340305880944219886874086251872580220405893975158782585205038779055706441633392356197489
d = 58169755386408729394668831947856757060407423126014928705447058468355548861569452522734305188388017764321018770435192767746145932739423507387500606563617116764196418533748380893094448060562081543927295828007016873588530479985728135015510171217414380395169021607415979109815455365309760152218352878885075237009
c = 82363935080688828403687816407414245190197520763274791336321809938555352729292372511750720874636733170318783864904860402219217916275532026726988967173244517058861515301795651235356589935260088896862597321759820481288634232602161279508285376396160040216717452399727353343286840178630019331762024227868572613111538565515895048015318352044475799556833174329418774012639769680007774968870455333386419199820213165698948819857171366903857477182306178673924861370469175
'''

Schmidt Samoa密码体系，见crypto-week4-RSA Variation II

from Crypto.Util.number import *

N = 539403894871945779827202174061302970341082455928364137444962844359039924160163196863639732747261316352083923762760392277536591121706270680734175544093484423564223679628430671167864783270170316881238613070741410367403388936640139281272357761773388084534717028640788227350254140821128908338938211038299089224967666902522698905762169859839320277939509727532793553875254243396522340305880944219886874086251872580220405893975158782585205038779055706441633392356197489
d = 58169755386408729394668831947856757060407423126014928705447058468355548861569452522734305188388017764321018770435192767746145932739423507387500606563617116764196418533748380893094448060562081543927295828007016873588530479985728135015510171217414380395169021607415979109815455365309760152218352878885075237009
c = 82363935080688828403687816407414245190197520763274791336321809938555352729292372511750720874636733170318783864904860402219217916275532026726988967173244517058861515301795651235356589935260088896862597321759820481288634232602161279508285376396160040216717452399727353343286840178630019331762024227868572613111538565515895048015318352044475799556833174329418774012639769680007774968870455333386419199820213165698948819857171366903857477182306178673924861370469175
pq = GCD(pow(2, d*N, N)-2, N)
flag = long_to_bytes(pow(c, d, pq))
print(flag)

EZ_sign

from Crypto.Util.number import *
from gmpy2 import *
from hashlib import*
import random,os

flag = b'D0g3xGC{***************}'
msg = b'e = ?'

def sign(pub, pri, k):
    (p,q,g,y) = pub
    x = pri
    r = int(powmod(g, k, p) % q)
    H = bytes_to_long(sha1(os.urandom(20)).digest())
    s = int((H + r * x) * invert(k, q) % q)
    return (H,r,s)

k1 = getPrime(64)
k2 = k1 ** 2
pri = bytes_to_long(msg)
a = 149328490045436942604988875802116489621328828898285420947715311349436861817490291824444921097051302371708542907256342876547658101870212721747647670430302669064864905380294108258544172347364992433926644937979367545128905469215614628012983692577094048505556341118385280805187867314256525730071844236934151633203
b = 829396411171540475587755762866203184101195238207
g = 87036604306839610565326489540582721363203007549199721259441400754982765368067012246281187432501490614633302696667034188357108387643921907247964850741525797183732941221335215366182266284004953589251764575162228404140768536534167491117433689878845912406615227673100755350290475167413701005196853054828541680397
y = 97644672217092534422903769459190836176879315123054001151977789291649564201120414036287557280431608390741595834467632108397663276781265601024889217654490419259208919898180195586714790127650244788782155032615116944102113736041131315531765220891253274685646444667344472175149252120261958868249193192444916098238

pub = (a, b, g, y)

H1, r1, s1 = sign(pub, pri, k1)

H2, r2, s2 = sign(pub, pri, k2)

p = getPrime(128)
q = getPrime(128)
n = p * q
c = powmod(bytes_to_long(flag), e, n)

C = p**2 + q**2

print(f'(H1, r1, s1) = {H1}, {r1}, {s1}')
print(f'(H2, r2, s2) = {H2}, {r2}, {s2}')
print(c)
print(C)

'''
(H1, r1, s1) = 659787401883545685817457221852854226644541324571, 334878452864978819061930997065061937449464345411, 282119793273156214497433603026823910474682900640
(H2, r2, s2) = 156467414524100313878421798396433081456201599833, 584114556699509111695337565541829205336940360354, 827371522240921066790477048569787834877112159142
c = 18947793008364154366082991046877977562448549186943043756326365751169362247521
C = 179093209181929149953346613617854206675976823277412565868079070299728290913658
'''

熟悉的签名——DSA，找了一圈，找到了关系k攻击

参考博客

现在差个平方和待解决，本来想用sage自带的two_squares，但出来的两个都不是素数，就很奇怪，以前是可以用的，可能是因为我以前是sage9.x，现在是10.x的版本问题？

那只能换一个打法了
解丢番图方程
貌似还有一个打法——复数的模长

# sage
from Crypto.Util.number import *
from sympy.solvers.diophantine.diophantine import cornacchia

p = 149328490045436942604988875802116489621328828898285420947715311349436861817490291824444921097051302371708542907256342876547658101870212721747647670430302669064864905380294108258544172347364992433926644937979367545128905469215614628012983692577094048505556341118385280805187867314256525730071844236934151633203
q = 829396411171540475587755762866203184101195238207
g = 87036604306839610565326489540582721363203007549199721259441400754982765368067012246281187432501490614633302696667034188357108387643921907247964850741525797183732941221335215366182266284004953589251764575162228404140768536534167491117433689878845912406615227673100755350290475167413701005196853054828541680397
y = 97644672217092534422903769459190836176879315123054001151977789291649564201120414036287557280431608390741595834467632108397663276781265601024889217654490419259208919898180195586714790127650244788782155032615116944102113736041131315531765220891253274685646444667344472175149252120261958868249193192444916098238

(H1, r1, s1) = 659787401883545685817457221852854226644541324571, 334878452864978819061930997065061937449464345411, 282119793273156214497433603026823910474682900640
(H2, r2, s2) = 156467414524100313878421798396433081456201599833, 584114556699509111695337565541829205336940360354, 827371522240921066790477048569787834877112159142

PR.<x> = PolynomialRing(GF(q))

f = s2*x^2*r1 - s1*x*r2 - H2*r1 + H1*r2

k = int(f.roots()[1][0])
x = (s1*k - H1) * inverse(r1, q) % q
print(long_to_bytes(x).decode())
c = 18947793008364154366082991046877977562448549186943043756326365751169362247521
C = 179093209181929149953346613617854206675976823277412565868079070299728290913658
x1 = cornacchia(1, 1, C)
for a, b in x1:
    assert a**2+b**2 == C
    if isPrime(a) and isPrime(b):
        p, q = a, b
        print(p,q)
        n = p*q
        phi = (p-1)*(q-1)
        d = inverse(e, phi)
        print(long_to_bytes(pow(c, d, n)).decode())

Curve

#sagemath
from Crypto.Util.number import *

def add(P, Q):
    (x1, y1) = P
    (x2, y2) = Q

    x3 = (x1*y2 + y1*x2) * inverse(1 + d*x1*x2*y1*y2, p) % p
    y3 = (y1*y2 - a*x1*x2) * inverse(1 - d*x1*x2*y1*y2, p) % p
    return (x3, y3)

def mul(x, P):
    Q = (0, 1)
    while x > 0:
        if x % 2 == 1:
            Q = add(Q, P)
        P = add(P, P)
        x = x >> 1
    return Q

p = 64141017538026690847507665744072764126523219720088055136531450296140542176327
a = 362
d = 7
e=0x10001

gx=bytes_to_long(b'D0g3xGC{*****************}')

PR.<y>=PolynomialRing(Zmod(p))
f=(d*gx^2-1)*y^2+(1-a*gx^2)
gy=int(f.roots()[0][0])

assert (a*gx^2+gy^2)%p==(1+d*gx^2*gy^2)%p

G=(gx,gy)

eG = mul(e, G)
print(eG)

#eG = (34120664973166619886120801966861368419497948422807175421202190709822232354059, 11301243831592615312624457443883283529467532390028216735072818875052648928463)

考点：爱德华扭曲曲线

$ax^{2}+y^{2}\equiv 1+dx^{2}y^{2}(mod\ p)$

圆锥曲线(不是椭圆曲线！！！)，吐了，然后去找了大半圈，没找到一篇能利用的

关于曲线的话，上一次印象比较深刻的是，羊城杯的两题椭圆曲线，然后也去看了一下，顺便复习一下，也是没能有进展，而且网上是比较少关于圆锥曲线的介绍的(有这玩意吗？我当时的想法就是这样的)
其实我应该想到映射这玩意的(属于是马后炮了)

赛后Lst4r师傅告诉我是这个Twisted_Edwards_curve

我问他当时咋想到这个的，他说是羊城杯的时候，做那两题椭圆曲线的时候，翻到的，见过，所以有印象，好好好

然后解题脚本糖醋小鸡块师傅收录曲线趣题

说起这个，也是有点内个了，我去师傅的博客搜curve的时候，点过了这篇，然后它刚好在第一题，我就没怎么注意，可能还是用的Ctrl+f，然后直接往下拉，结果就是完美错过了QWQ

后面看了出题人的wp，羊城杯，灵感来源，好好好

真是应了Csome那句话
在这CINTA是基础，Sagemath是工具，糖醋小鸡块的blog是弹药库

HECTF2024

这次也是没时间充当web手了，一边打密码，一边写作业，真折磨

说实话还是挺想打web的，看了一下反序列化那题，感觉构造链子应该不难，重点是绕过，但我感觉给防死了，结果是要拿正则表达式匹配绕过啊，/bin/ca[t] fla[g](不是单纯的cat哦)

真就，过滤的越严格，过滤的越简单

说起来，正好最近的网络空间安全的课程实验打的iwebsec的靶场有命令过滤绕过，我自己也想到了正则表达式匹配，但这里大脑死机了，可能是事情太多了

crypto

迷茫的艾米莉

在维吉尼亚小镇，园丁艾米莉的responsibility是照顾一座古老花园，每天修剪六段绿篱栅栏
一天，她发现通往秘密花园的小径，入口却被封上了
上面有一串密文
Y2w9Iobe_v_Ufbm0ajI05bfzvTP1b_c}{lr
请输入密码帮助艾米莉探索秘密花园

题目直接就告诉了你所有关键信息

翻一翻

from Crypto.Util.number import getPrime, isPrime, bytes_to_long
from secret import flag
import base64

def emirp(x):
    y = 0
    while x !=0:
        y = y*10 + x%10
        x = x//10
    return y

while True:
    p = getPrime(512)
    q = emirp(p)
    if isPrime(q):
        break
n = p*q
e = 65537

flag = base64.b64encode(flag)

m = bytes_to_long(flag)

c = pow(m,e,n)
print(f"{n = }")
print(f"{c = }")

'''
n = 404647938065363927581436797059920217726808592032894907516792959730610309231807721432452916075249512425255272010683662156287639951458857927130814934886426437345595825614662468173297926187946521587383884561536234303887166938763945988155320294755695229129209227291017751192918550531251138235455644646249817136993
c = 365683379886722889532600303686680978443674067781851827634350197114193449886360409198931986483197030101273917834823409997256928872225094802167525677723275059148476025160768252077264285289388640035034637732158021710365512158554924957332812612377993122491979204310133332259340515767896224408367368108253503373778
'''

q是p的十进制数字反转(emirp数)
原题

import base64
from Crypto.Util.number import *
n = 404647938065363927581436797059920217726808592032894907516792959730610309231807721432452916075249512425255272010683662156287639951458857927130814934886426437345595825614662468173297926187946521587383884561536234303887166938763945988155320294755695229129209227291017751192918550531251138235455644646249817136993
c = 365683379886722889532600303686680978443674067781851827634350197114193449886360409198931986483197030101273917834823409997256928872225094802167525677723275059148476025160768252077264285289388640035034637732158021710365512158554924957332812612377993122491979204310133332259340515767896224408367368108253503373778

def t(a, b, k):
    # sqrt(n) has 155 digits, so we need to figure out 77 digits on each side
    if k == 77:
        if a*b == n:
            print(a, b)
        return
    for i in range(10):
        for j in range(10):
            # we try to guess the last not-already-guessed digits of both primes
            a1 = a + i*(10**k) + j*(10**(154-k))
            b1 = b + j*(10**k) + i*(10**(154-k))
            if a1*b1 > n:
                # a1 and b1 are too large
                continue
            if (a1+(10**(154-k)))*(b1+(10**(154-k))) < n:
                # a1 and b1 are too small
                continue
            if ((a1*b1) % (10**(k+1))) != (n % (10**(k+1))):
                # The last digits of a1*b1 (which won't change later) doesn't match n
                continue
                # this a1 and b1 seem to be a possible match, try to guess remaining digits
            t(a1, b1, k+1)

# the primes have odd number of digits (155), so we try all possible middle digits (it simplifies the code)
for i in range(10):
    t(i*(10**77), i*(10**77), 0)
p, q = 39316409865082827891559777929907275271727781922450971403181273772573121561800306699150395758615464222134092274991810028405823897933152302724628919678029201, 10292087691982642720325133979832850482001819947229043122246451685759305199660300816512137527737218130417905422918772717257270992977795519872828056890461393
print(p*q == n)
e = 65537
d = inverse(e, (p-1)*(q-1))
flag = long_to_bytes(pow(c, d, n)).decode()
print(base64.b64decode(flag).decode())

拓展：如果是二进制数的反转呢？
见La佬的这篇博客

seven more

from Crypto.Util.number import *
import os
from gmpy2 import *

def getMyPrime(nbits, multiplier):
    while True:
        n = 2 * multiplier * getPrime(nbits // 2) * getPrime(nbits // 2)
        if is_prime(n + 1):
            return n + 1

def generate_keys(nbits):
    p = getMyPrime(nbits, 1009 * 7)
    q = getMyPrime(nbits, 1009)
    n = p * q
    e = 1009 * 7
    return p, q, n, e

p, q, n, e = generate_keys(700)

flag = b'HECTF{######}' + os.urandom(101)
m = bytes_to_long(flag)
assert m.bit_length() < n.bit_length()
assert m.bit_length() > q.bit_length()
assert m.bit_length() > p.bit_length()
c = pow(m, e, n)

print(f"n = {n}")
print(f"c = {c}")
print(f"p = {p}")
print(f"q = {q}")

#n = 211174039496861685759253930135194075344490160159278597570478160714793843648384778026214533259531963057737358092962077790023796805017455012885781079402008604439036453706912819711606916173828620000813663524065796636039272173716362247511054616756763830945978879273812551204996912252317081836281439680223663883250992957309172746671265758427396929152878633033380299036765665530677963287445843653357154379447802151146728382517702550201
#c = 191928992610587693825282781627928404831411364407297375816921425636703444790996279718679090695773598752804431891678976685083991392082287393228730341768083530729456781668626228660243400914135691435374881498580469432290771039798758412160073826112909167507868640830965603769520664582121780979767127925146139051005022993085473836213944491149411881673257628267851773377966008999511673741955131386600993547529438576918914852633139878066
#p = 31160882390461311665815471693453819123352546432384109928704874241292707178454748381602275005604671000436222741183159072136366212086549437801626015758789167455043851748560416003501637268653712148286072544482747238223
#q = 6776895366785389188349778634427547683984792095011326393872759455291221057085426285502176493658280343252730331506803173791893339840460125807960788857396637337440004750209164671124188980183308151635629356496128717687

先感谢一波T0ver. 我滴神！

我们知道e与phi并不互素，可以考虑AMM算法，这里直接上师兄的科技

小改一下下

# sage
from sage.all import *
from sage.parallel.multiprocessing_sage import parallel_iter    # TODO
import itertools
from tqdm import tqdm
from Crypto.Util.number import *
import string

def nth_p(y, n, p, k=1):
  assert is_pseudoprime(p)
  print('[LOG] Solving pi = %s^%d' % (hex(p), k))
  try:
    xs = Zmod(p**k)(y).nth_root(n, all=True)
  except:
    xs = GF(p**k)(y).nth_root(n, all=True)
  xs = list(set(xs))
  xs = [Integer(x) for x in xs]
  return xs

def nthRSA_p(c, e, p, k=1):
  assert is_pseudoprime(p)
  P = Integer(pow(p, k))
  phi = euler_phi(P)

  rs = []
  ei = e
  while True:
    r = gcd(phi, ei)
    if r == 1:
      break
    rs += [r]
    ei //= r
  r = product(rs)
  dr = (e // r).inverse_mod(phi)
  cr = pow(c, dr, P)
  return nth_p(cr, r, p, k)

def nthRSA_n(c, e, ps, ks=None, checker=None, ret1=False):
  # ps: p, q, ...
  assert isinstance(ps, list)
  if ks == None:
    ks = [1] * len(ps)
  else:
    assert len(ps) == len(ks)
  ms = []
  for i in range(len(ps)):
    mp = nthRSA_p(c, e, ps[i], ks[i])
    ms += [mp]
  total = product([len(x) for x in ms])
  print('[Log] Doing crt.\nComplexity = %d: %s' % (total, str([len(x) for x in ms])))

  res = []
  Ps = [ps[i]**ks[i] for i in range(len(ps))]
  for msi in tqdm(itertools.product(*ms), total=total):
    m = crt(list(msi), Ps)
    if checker == None:
      res += [m]
      continue
    if checker(m):
      if not ret1:
        res += [m]
        continue
      return m
  return res

def genHeaderChecker(hd):
  if isinstance(hd, str):
    hd = hd.encode()
  assert isinstance(hd, bytes)
  def checkHeader(m):
    try:
      flag = long_to_bytes(int(m))
      if hd in flag:
        print(flag)
        return True
      return False
    except:
      return False
  return checkHeader

def genStrChecker(dict, n=65537):
  def checkStr(m):
    try:
      flag = long_to_bytes(int(m)).decode()
      for fi in flag[:n]:
        if not fi in dict:
          return False
      print(flag)
      return True
    except:
      return False
  return checkStr

n = 211174039496861685759253930135194075344490160159278597570478160714793843648384778026214533259531963057737358092962077790023796805017455012885781079402008604439036453706912819711606916173828620000813663524065796636039272173716362247511054616756763830945978879273812551204996912252317081836281439680223663883250992957309172746671265758427396929152878633033380299036765665530677963287445843653357154379447802151146728382517702550201
c = 191928992610587693825282781627928404831411364407297375816921425636703444790996279718679090695773598752804431891678976685083991392082287393228730341768083530729456781668626228660243400914135691435374881498580469432290771039798758412160073826112909167507868640830965603769520664582121780979767127925146139051005022993085473836213944491149411881673257628267851773377966008999511673741955131386600993547529438576918914852633139878066
p = 31160882390461311665815471693453819123352546432384109928704874241292707178454748381602275005604671000436222741183159072136366212086549437801626015758789167455043851748560416003501637268653712148286072544482747238223
q = 6776895366785389188349778634427547683984792095011326393872759455291221057085426285502176493658280343252730331506803173791893339840460125807960788857396637337440004750209164671124188980183308151635629356496128717687
e = 1009*7
ps = [p, q]
checker = genHeaderChecker('HECTF')
res = nthRSA_n(c, e, ps, checker=checker)
for r in res:
  flag = long_to_bytes(int(r))
  print(flag)

不合格的魔药(unsolved)

from random import randrange
from Crypto.Util.number import *
from gmpy2 import *
from fastecdsa.curve import Curve
from Crypto.Cipher import AES
from hashlib import *
import secret

def A_function(key):
    while True:
        p = getPrime(512)
        q = getPrime(512)
        if p % 4 == 3 and q % 4 == 3:
            n = p * q
            break
    a = randrange(p)
    b = randrange(q)
    while True:
        x1 = randrange(p)
        y1 = (x1**3 + a*x1) % p
        x2 = randrange(n)
        y2 = (x2**3 + a*x2 + b) % n
        if pow(y1,(p-1)//2, p) == 1 and pow(y1,(q-1)//2, q) == 1:
            yp = pow(y1,p//4+1,p)
            yq = pow(y1,q//4+1,q)
            _,s,t = gcdext(p,q)
            y1 = (s*p*yq + t*q*yp) % p
            if pow(y2,(p-1)//2, p) == 1 and pow(y2,(q-1)//2, q) == 1:
                yp = pow(y2,p//4+1,p)
                yq = pow(y2,q//4+1,q)
                _,s,t = gcdext(p,q)
                y2 = (s*p*yq + t*q*yp) % n
                break
    Ep = Curve(None, p, a, 0, None, x1, y1) 
    En = Curve(None, n, a, b, None, x2, y2)
    print("p =", p)
    print("q =", q)
    print("a =", a)
    print("b =", b)
    hint1 = key * Ep.G
    hint = [x1 ,hint1]
    return En, hint
    

def A_encrypt(m, G, k):
    blocks = [m[16*i:16*(i+1)] for i in range(len(m) // 16)]
    ciph = []
    aes = AES.new(k, AES.MODE_ECB)
    for i in range(len(blocks)):
        c = aes.encrypt(blocks[i])
        if i%2==0:
            G = G + G
            ciph.append(G.x ^ bytes_to_long(c))
        else:
            ciph.append(G.y ^ bytes_to_long(c))
    return ciph               

flag = secret.flag
key = secret.key

m = flag[6:-1]
assert b'HECTF{'+ m+ b'}' == flag
A, hint = A_function(key)
k = md5(long_to_bytes(key)).hexdigest().encode()
c = A_encrypt(m, A.G,k)
print("hint =", hint)
print("c =", c)

'''
p = 9604080254440553624043823039323876524034439909584709693304859297324410855942111467832096190746534800378359779991381701244554754870303658957438266614583487
q = 7117529167860499983120234872664469946810713755399747931099511148595647881645694071900284496403308583631053530870961375928947111857317803005696543076720079
a = 4681007517868949260473646867708411042804596292653498068045093108939357065240201843535644313612886376810286247810943227474659270191834401055704514648846995
b = 5604862515726338933576748414825616582947323501967288114322080747741801017833194347273532400730033226601964489467416955741018175785792514035352083708135431
hint = [5544706922427110224110125906620053049906095568886481576326706308027915868515721429471522223193053363494813044921519216114372968191072598748704528735817403, 
        X: 0x2fa8e23f18ed4a9bd752a0c22b0750c17fbb66c76554e2089258fd979a5736b7766c974fb9788acf17fb065dc1daec6a8a6e98021de6c4ce3cde11dd54590e1d
        Y: 0xa3ce4bb1e25563b577a45cd06153d2dab584a70130c7ae71e65fe5e11b60493ccb845fbe4989dbd4a60d6a1ff12baa268b8833ed30f7c7e21c32268a139b5b6b
        (On curve <None>)]
c = [36780810764729391947601691590378765170863850291763672158886689602006275675399596108959250284869355070618680265311484525337488013177333417742808496794250706127014303883956401715343247310936978778751394980638177344654524711571648231122027699452582302505466999915200896495338587961829985149664712686944510559820, 20958199004445348755624931477686903609410629089817702686793041731031202915294487428236505796231417377524290926704880107242252471250791747709149963693453815320856114055076830778689575609444155241642860745570792018879816650383543271943138193405548674967958109800776284787612370057476837642989670234913968669332, 19758181515666300263334531148587391869707566215385658759724970483060039216682585723722462835458856503531814316860237786892749700501436669071048571605926728917066797641628644730857333648930286503355701843365288276242984029888215453858844295912023305616753086127934173496355853797241944921600781294012353332277, 45576628433681427718167093217006549620067042472164439269014690121698560736312716407875326404496263261341269644373184438703912129559084380247641072914940830606649124606611794031719696797961847217643536070335745057048220615012019629278484208808353027070994021979997462190775853832457224157083880895894000484461]
'''

还是曲线，没时间做了，看解出人数也是挺少的，而且还要做作业呢QWQ

情书与破碎的证书(再留个坑？)

小明喜欢上了小红，他使用rsa向小红发送了无数封含有中文字符的情书。终于小红忍不住了，找到了大嘿阔将小明的私钥证书打成碎片，移除了中间的内容并把上下段的私钥部分转化成16进制，以九个为一组用相同的方式打乱（转化时产生的0d0a换行符已被移除）。作为密码学大佬的你能恢复证书，找出小红忍无可忍的证据么？
提示1
情书与破碎的证书 hint1:字符中含有中文 常规输出方法无效，请使用 PKCS1_OAEP 解密器，并使用 cipher.decrypt() 解密密文（毕竟考点是证书）

证书

0d30000102bc048230010df78648862a090630a604820400050101018202000102a20482238d771399dbbd0001416e7fbd7f589b44151fb0c984549c1c4d948984f85c35934453bfbb4dbb99420f63f9cb8f577a7b60d67bdf84166c500fa7d6c6e484b75d97e308151b31a49c5bd77dd1d2d6711e50d9f5f7bc37d4e2235cfd76a522713c766e240aa2eb5fb45a9015d1dbd6a58b5b28861233ae4eb75a97ced0b78e91024d195adde08f7430b7f160d1d60a4f9d0801db74ebc8c23f9397251faac5500d216acc623e8f6ab212b5e6e9495d5ef6cee995fea98f40b1db2d356dd3c4d2612c64a1295bb23936fad66dc5662cb4ba6a8929591f6b14ce30d67df5ec35edb1f0973f746bcc5fc1ca921ee9660e04c6f286677b92e12b61ba310501030219e5085e5254046204000182020100
中间被打碎了d48d90d80f02818051a5f7e7f4c050a50e18fde12fcee2646f2b43160b0c75ab4925e8269ae80e70cf12734f41fab18d0424ed7cceb7ddb27cbe0f554f7a6e1698d4ec5ba2b48d612e2337aeb75f8a57d8155a11d07b2c49d3d97c4ff0cfb89e6dd4f36cc37c010b5bc89356a39b576cc3edd03cdc4d791df5091a5571df1a6c15eedaa0773cf3cf0281800fc61f05d19c96eec3edcacca34e1d3e2cab439bebab6693a3ce2ca99f88ab9cdd183ceb8e801d8298f835359864ef191db3f53269976ba04b03606e540859decd05805c4aa79dc6db22380658eaf0bffba0f4e719bcf1b1e04169d8e0cb3af4d90b2e62d7c7ed3045d49b525ca715ca3b84f07b4ece27d04d1795299fa186cd02818025c20ab2529f1efd3d35347c573b282abfd95b264c92f6c4f9ec8b7c713206fbea1886880e29a36c47ef9bb753ce9567ea4d3e083c30f344022f95b7cd7114813bf6a28ecc67d5fe05953242684cd29c1c5dd8a74416890e5c943c70904ba70e349b15719a466f901fbf0cfc7840f8032e31afbccfb84f4a817ea51c8f90fd6a2d2d2d2d2d454e442050524956415445204b45592d2d2d2d2d

c

0x6f4cb0df50eb133f104727316eb23e25463b6b46a1ff743507c7663094da88a091c77c1d686a91613fa2da697c23924798b40654ba420b9690c5ceb9a362cf48e72c39177c6a3ebecc4e0ba2b9673f070a23e535fff7a01b400381ede60a6f9bf86047b3dd2c663c329b9287749bdb3783303802129b93af083aa2045c500fe0c2a7a018c2403881115927ae56ff14338b9fb98d5a5f461916d962aea7c3379ec7f7d8d77b4cc8ff756895c1500d9f2cee3552f17216339b0d67f27e0dd07e9ec1861f14c962b977559561d709d57e58fd6e6aafd27892c6d43d16b3db267902b9ce8f9ff89a66ab822b5ea3a68c872a32c69961df15581b70c00e4c61804d0d

我以为要手撕证书，去看了一下师兄的这篇
不行，放弃了，本来就是来看一眼题目的

以后再补吧(?)