import gmpy2 from Crypto.Util.number import long_to_bytes, bytes_to_long, getStrongPrime, inverse from Crypto.Util.Padding import pad from flag import m #m = b"ACSC{<REDACTED>}" # flag! f = open("chal.py","rb").read() # I'll encrypt myself! print("len:",len(f)) p = getStrongPrime(1024) q = getStrongPrime(1024) n = p * q e = 0x10001 print("n =",n) print("e =",e) print("# flag length:",len(m)) m = pad(m, 255) m = bytes_to_long(m) assert m < n stream = pow(m,e,n) cipher = b"" for a in range(0,len(f),256): q = f[a:a+256] if len(q) < 256:q = pad(q, 256) q = bytes_to_long(q) c = stream ^ q cipher += long_to_bytes(c,256) e = gmpy2.next_prime(e) stream = pow(m,e,n) open("chal.enc","wb").write(cipher)
RSA yaru-dake
from Crypto.Util.number import bytes_to_long import gmpy2 import sys with open("chal.py", "rb") as f: data = f.read() with open("chal.enc", "rb") as f: cipher = f.read() c1 = bytes_to_long(data[:256]) ^ bytes_to_long(cipher[:256]) c2 = bytes_to_long(data[256:512]) ^ bytes_to_long(cipher[256:512]) n = 30004084769852356813752671105440339608383648259855991408799224369989221653141334011858388637782175392790629156827256797420595802457583565986882788667881921499468599322171673433298609987641468458633972069634856384101309327514278697390639738321868622386439249269795058985584353709739777081110979765232599757976759602245965314332404529910828253037394397471102918877473504943490285635862702543408002577628022054766664695619542702081689509713681170425764579507127909155563775027797744930354455708003402706090094588522963730499563711811899945647475596034599946875728770617584380135377604299815872040514361551864698426189453 e1 = 65537 e2 = int(gmpy2.next_prime(e1)) sys.setrecursionlimit(1500) def egcd(a, b): if a == 0: return (b, 0, 1) g, y, x = egcd(b%a,a) return (g, x - (b//a) * y, y) def modinv(a, m): g, x, y = egcd(a, m) if g != 1: raise Exception('No modular inverse') return x%m def common_modulus_attack(c1, c2, e1, e2, n): gcd, s1, s2 = egcd(e1, e2) if s1 < 0: s1 = -s1 c1 = modinv(c1, n) elif s2 < 0: s2 = -s2 c2 = modinv(c2, n) v = pow(c1, s1, n) w = pow(c2, s2, n) m = (v * w) % n return m print(bytes.fromhex(hex(common_modulus_attack(c1, c2, e1, e2, n))[2:]))