巔峰極客——flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

描述

有兩個公鑰，兩個密文

分析

1. 用RsaCtfTool.py分析公鑰信息，發(fā)現(xiàn)n相同，e不同

    root@ben-PC:/mnt/d/security/misc-tool/RSA/rsatools#  python RsaCtfTool.py --pkey pubkey1.pem --v
    "n" is:17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399
    ************************************************************
    "e" is:2333
    ************************************************************
    Try weak key attack
    Try Wiener's attack
    root@ben-PC:/mnt/d/security/misc-tool/RSA/rsatools#  python RsaCtfTool.py --pkey pubkey2.pem --v
    "n" is:17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399
    ************************************************************
    "e" is:23333
    ************************************************************
    Try weak key attack
    Try Wiener's attack

密文內(nèi)容如下：

    [root RsaCtfTool]$ cat flag1.enc
    XSKBJ2biS6brC5iGwU0GZitHdVM3HXAiwtFnVf2+HTaUqFahxL+BxBi2QDcx7gLxcjEWCMwFP6DS92nMAU4r0gPWSEUIoY57sgNZsjDIDAukiYeLNDUgYz+1P+nF4fk7gwPdozrIvAXGDBvMBjuviqsC8vmVP3I6eLLkt9C46HFt0SBw5ycfAjVoDF2r7/4B1UDs4G0dpIDUCk4khezzgqspn6tqtwOGB27vrKegoL/FlwmutFYIuRKKCBKx3yc/qfWXZ84Oo8nPqgaxgDlxWeLtGM9ZouwFKnagmjbnH+58Pescw4XYafXKqFjQz3XrK/uUESE8jIEIPeL1+8yUpw==
    [root RsaCtfTool]$ cat flag2.enc
    EruzwVAXSVLC3rldjcsx6HO0UUICdR9xxgr9eWNhIW0T8l2O3yT/LlFLK2+YU0HB97xr5HaiZesk4T6IuJ9+iOzB8YSkWMfYvOSDKn7Jng/1Q3wQuoldm+UurmZkiEs9kFi+EhsCNAbVAnLzLXLwzYm3emamueDqru4Doo/lSMz8p0+jqz24HscJN9shU85WX4JngW92REHHV8rPHaisCdxeAs+uPyTNzO4IbwDaJvw3ZR/Lo4m1K2Qw8PbYnOcgVr9CWR7mVyxofoWk6qWpQf3d0fX6wbbPcQkXxnnqLWy5S3PZcNQa1wkfRTJJO03QmNVsOivXGb3GzmeZbxmVhQ==
    [root RsaCtfTool]$

2. 對于同一明文使用同樣的N不同的E分別進行加密，滿足共模攻擊條件
   解密代碼如下：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys,gmpy,base64
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

def pad_even(x):#重要！湊齊2位，將0x1 變成 0x01
        return ('', '0')[len(x)%2] + x


def CipherB2n(c):#將base64編碼后的密文轉(zhuǎn)成數(shù)字
    c2 = base64.b64decode(c)
    temp = ''
    for i in c2:
        temp += pad_even(str(hex(ord(i)))[2:])
    temp = eval('0x'+temp)
    return (temp)

def CipherN2b(m):#將數(shù)字轉(zhuǎn)換成ascii
    hex_m=hex(m)[2:]
    if hex_m[-1] == 'L' :
        hex_m=hex_m[:-1]
    return hex_m.decode('hex')

if __name__ == '__main__':
    
    sys.setrecursionlimit(1000000)
    e1 = 2333 #根據(jù)分解結(jié)果
    e2 = 23333 #根據(jù)分解結(jié)果
    s = egcd(e1, e2)
    s1 = s[1]
    s2 = s[2]
    c1 = 'XSKBJ2biS6brC5iGwU0GZitHdVM3HXAiwtFnVf2+HTaUqFahxL+BxBi2QDcx7gLxcjEWCMwFP6DS92nMAU4r0gPWSEUIoY57sgNZsjDIDAukiYeLNDUgYz+1P+nF4fk7gwPdozrIvAXGDBvMBjuviqsC8vmVP3I6eLLkt9C46HFt0SBw5ycfAjVoDF2r7/4B1UDs4G0dpIDUCk4khezzgqspn6tqtwOGB27vrKegoL/FlwmutFYIuRKKCBKx3yc/qfWXZ84Oo8nPqgaxgDlxWeLtGM9ZouwFKnagmjbnH+58Pescw4XYafXKqFjQz3XrK/uUESE8jIEIPeL1+8yUpw=='
    c2 ='EruzwVAXSVLC3rldjcsx6HO0UUICdR9xxgr9eWNhIW0T8l2O3yT/LlFLK2+YU0HB97xr5HaiZesk4T6IuJ9+iOzB8YSkWMfYvOSDKn7Jng/1Q3wQuoldm+UurmZkiEs9kFi+EhsCNAbVAnLzLXLwzYm3emamueDqru4Doo/lSMz8p0+jqz24HscJN9shU85WX4JngW92REHHV8rPHaisCdxeAs+uPyTNzO4IbwDaJvw3ZR/Lo4m1K2Qw8PbYnOcgVr9CWR7mVyxofoWk6qWpQf3d0fX6wbbPcQkXxnnqLWy5S3PZcNQa1wkfRTJJO03QmNVsOivXGb3GzmeZbxmVhQ=='
    c1 = CipherB2n(c1)
    c2 = CipherB2n(c2)
    #print hex(c1)
    n = 17362520124149736059291605717839814089431261833972408175766504894876091272021197374480215582589878198406028065354454242540322618614670160317701698407729515781811530180885334265851364490357884909336085410775168953942120359215038925025305363480538685487988827339463890539279008285241711326041868183805848503077373967082910932422798165242481154593794712639251157856102009630894845049984346776659339380886766804814959778048440996937820138560802077375885700500737699904011032451007341777160586467318264288370080315519305800247682611802774996999330812534723806925426052547128371180683265963525581842037399869323246530085399 #共n
    if s1<0:
        s1 = - s1
        c1 = modinv(c1, n)
    elif s2<0:
        s2 = - s2
        c2 = modinv(c2, n)
    m=(pow(c1,s1,n)*pow(c2,s2,n)) % n
    print m
    print CipherN2b(m)

運行結(jié)果

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

總結(jié)

串了一下rsa的明文和密文處理方式。計算過程中明文和密文都作為一個大數(shù)字，于是有：

1. 明文是字符串。
   1.1. 將字符串轉(zhuǎn)hex編碼（py3里只能逐字，py2里可以直接轉(zhuǎn)），拼上0x頭和L尾，成為大數(shù)字。
   hex_m.decode('hex')
   1.2. 將字符串分成每行一個字，ord(i)。（解密時chr(i)再拼接）
2. 算出密文是大數(shù)字。
   2.1. 轉(zhuǎn)成16進制，去掉0x和L后變成一串16進制。此時可能出現(xiàn)：
   2.1.1 將十六進制直接轉(zhuǎn)存為文件。（解密時提取十六進制值）
   2.1.2 將十六進制進行base64編碼，變?yōu)榭梢娮址?。（解密時進行base64解碼,由于二位一組，需注意對0x1這種補成0x01）
   def pad_even(x): return ('', '0')[len(x)%2] + x
for i in c2:temp += pad_even(str(hex(ord(i)))[2:])
   2.2. 直接是10進制數(shù)字，無需處理
   m = chr(pow(int(i),d,n))