├── README.md
├── exp1.py
├── exp2.py
├── exp3.py
├── exp4.py
├── exp5.sage
├── exp6.sage
├── exp7.sage
├── exp8.sage
├── exp9.sage
├── expa.py
└── expb.py


/README.md:
--------------------------------------------------------------------------------
  1 | # CTF中RSA的一些攻击思路
  2 | 
  3 | > 本项目收集了一些RSA的攻击脚本,并将其中一部分用python3重构
  4 | >
  5 | > 参考文章:
  6 | >
  7 | > https://www.tr0y.wang/2017/11/06/CTFRSA/index.html
  8 | >
  9 | > http://inaz2.hatenablog.com/entry/2016/01/20/022936
 10 | 
 11 | ## 关于RSA算法
 12 | 
 13 | > **RSA加密算法**是一种非对称加密算法，1977年由Ron Rivest、Adi Shamir和Leonard Adleman一起提出的，算法安全性依赖于极大整数做因数分解的难度
 14 | 
 15 | ## RSA算法加解密实现
 16 | 
 17 | 1.随意选择两个大素数*p*和*q*，且*p不等于q*，计算*N=p***q*
 18 | 
 19 | 2.计算*n*的欧拉函数*φ(n) = (p-1)(q-1)*（常用*phi(n)*表示*φ(n)*）
 20 | 
 21 | 3.选择一个整数*e*，满足*1< e < φ(n)*，且*e与φ(n)* 互质（e通常取65537）
 22 | 
 23 | 4.计算模反元素*d*，*ed ≡ 1 (mod φ(n))* 即求解*ex + φ(n)y = 1*方程组（利用扩展欧几里得算法可以求出*d*）
 24 | 
 25 | ```d = gmpy2.invert(e, (p-1)*(q-1))```
 26 | 
 27 | 5.得到公钥*（N，e）*私钥*（N，d）*
 28 | 
 29 | 6.加密 *c = pow(m,e,N)*
 30 | 
 31 | 7.解密 *m = pow(c,d,N)*
 32 | 
 33 | ## RSA在CTF中的攻击方法
 34 | 
 35 | >gmpy2 安装
 36 | >
 37 | >sudo apt install libmpc-dev
 38 | >
 39 | >pip/pip3 install gmpy2
 40 | >
 41 | >sage安装
 42 | >
 43 | >https://mirrors.tuna.tsinghua.edu.cn/sagemath/linux/64bit/index.html
 44 | 
 45 | ### 明文解密
 46 | 
 47 | #### **模互素**
 48 | 
 49 | d = gmpy2.invert(e,(p-1) * (q-1))
 50 | 
 51 | m = gmpy2.powmod(c,d,n)
 52 | 
 53 | #### **模不互素**
 54 | 
 55 | 第一种情况
 56 | 
 57 | 给出 p,q,c,e且gcd(e, (p-1)*(q-1))非常小(可能为3)
 58 | 
 59 | example:
 60 | 
 61 | p,q = 3881, 885445853681787330351086884500131209939
 62 | 
 63 | c = 1926041757553905692219721422025224638913707
 64 | 
 65 | e = 33
 66 | 
 67 | 第二种情况
 68 | 
 69 | 给出n1,n2,e1,e2,c1,c2求满足以下式子
 70 | 
 71 | assert p = gcd(n1,n2)
 72 | 
 73 | assert pow(flag,e1,n1)==c1
 74 | 
 75 | assert pow(flag,e2,n2)==c2
 76 | 
 77 | assert gcd(e1,(p1-1) * (q1-1))==gcd(e2,(p2-1) * (q2-1))
 78 | 
 79 | 
 80 | 
 81 | ### 低加密指数攻击
 82 | 
 83 | m ^ e = kn + c 其中一般 e = 3，k比较小(k小于10亿爆破时间一般小于半小时)
 84 | 
 85 | ### 低加密指数广播攻击
 86 | 
 87 | c1 ≡ m^e mod n1
 88 | 
 89 | c2 ≡ m^e mod n2
 90 | 
 91 | ……
 92 | 
 93 | ce ≡ m^e mod ne
 94 | 
 95 | 如以上所示，e比较小，题目给出n[e]和c[e],且m相同，利用中国剩余定理可以求m
 96 | 
 97 | ### 低解密指数攻击
 98 | 
 99 | 与低加密指数攻击相反，需要满足e非常大，接近于N
100 | 
101 | ### 共模攻击
102 | 
103 | c1 ≡ m^e1 mod n
104 | 
105 | c2 ≡ m^e2 mod n
106 | 
107 | 如以上使用了相同的模数N对相同的明文进行加密
108 | 
109 | ### Boneh and Durfee attack
110 | 
111 | e 非常大接近于N，跟低解密指数攻击类似，比低解密指数攻击更强，可以解决d<N的0.292次方的问题
112 | 
113 | ### Coppersmith攻击:已知p的高位攻击
114 | 
115 | 知道p的高位为p的位数的约1/2时即可
116 | 
117 | ### Coppersmith攻击:已知明文高位攻击
118 | 
119 | ### Coppersmith攻击:已知d的低位攻击
120 | 
121 | 如果知道d的低位，低位约为n的位数的1/4就可以恢复d
122 | 
123 | ### Coppersmith攻击:明文高位相同
124 | 
125 | ### 已知dp或dq（dp = d mod p-1，dq = d mod q-1）
126 | 
127 | ### Least Significant Bit Oracle Attack
128 | 
129 | ### 其他思路
130 | 
131 | 给出两组数据
132 | 
133 | n1,c1,e1,n2,c2,e2且无以上特征可尝试gcd(n1,n2)得到公因子（存在的话）
134 | 
135 | 给出一组数据
136 | 
137 | n1,c1,e1
138 | 
139 | 尝试yafu或http://www.factordb.com分解n(p,q相差过大或过小yafu可分解成功)
140 | 
141 | 给出如下数据
142 | 
143 | p,q,nextprime(p),nextprime(q)
144 | 
145 | n1 = p * q
146 | 
147 | n2 = nextprime(p) * nextprime(q)
148 | 
149 | n = n1 * n2
150 | 
151 | 用yafu分解n可得到
152 | 
153 | n3 = p * nextprime(q)
154 | 
155 | n4 = q * nextprime(p)


--------------------------------------------------------------------------------
/exp1.py:
--------------------------------------------------------------------------------
 1 | # 低加密指数攻击
 2 | import gmpy2
 3 | import time
 4 | n = 22885480907469109159947272333565375109310485067211461543881386718201442106967914852474989176175269612229966461160065872310916096148216253429849921988412342732706875998100337754561586600637594798877898552625378551427864501926224989873772743227733285336042475675299391051376624685754547818835551263597996620383338263448888107691240136257201191331617560711786674975909597833383395574686942099700631002290836152972352041024137872983284691831292216787307841877839674258086005814225532597955826353796634417780156185485054141684249037538570742860026295194559710972266059844824388916869414355952432189722465103299013237588737
 5 | c = 15685364647213619014219110070569189770745535885901269792039052046431067708991036961644224230125219358149236447900927116989931929305133870392430610563331490276096858863490412102016758082433435355613099047001069687409209484751075897343335693872741
 6 | e = 3
 7 | i = 0
 8 | s = time.clock()
 9 | while 1:
10 |     m, b = gmpy2.iroot(c+i*n, e)
11 |     if b:
12 |         print('[-]m is:', m)
13 |         print('[!]Timer:', round(time.clock()-s, 2), 's')
14 |         print('[!]All Done!')
15 |         break
16 |     i += 1
17 | 


--------------------------------------------------------------------------------
/exp2.py:
--------------------------------------------------------------------------------
 1 | # 低加密指数广播攻击
 2 | import gmpy2
 3 | from functools import reduce
 4 | 
 5 | 
 6 | def CRT(items):
 7 |     N = reduce(lambda x, y: x * y, (i[1] for i in items))
 8 |     result = 0
 9 |     for a, n in items:
10 |         m = N // n
11 |         d, r, s = gmpy2.gcdext(n, m)
12 |         if d != 1:
13 |             raise Exception("Input not pairwise co-prime")
14 |         result += a * s * m
15 |     return result % N, N
16 | 
17 | 
18 | # e, n, c
19 | e = 9
20 | n = [142782424368849674771976671955176187834932417027468006479038058385550042422280158726561712259205616626939123504489410624745195777853423961104590708231562726165590769610040722589287393102301338152085670464005026301781192671834390892019478189768725018303217559795377795540494239283891894830166363576205812991157, 153610425077816156109768509904751446801233412970601397035720458311275245730833227428213917577405780162151444202393431444812010569489900435979730559895340377469612234558042643742219128033827948585534761030527275423811282367831985007507137144308704413007806012914286105842311420933479771294576841956749281552971, 152540067782701001222493009941492423063369171831039847414320547494725020441901272486665728360741395415762864872737675660423920609681185809510355937534756399208661762715484879562585724584849261266873624875852300611683382543315580370484972470694466195837255994159609193239840228218925381488410059939975556977947, 125842716702134814646356078531900645012495638692517778270527426844383063904041812273637776798591687732598509470005151551320457132061693618473039437320011446697406190781306264437609046721508738109650829547010385875425097336266103994639126319889016342284747700714199556143378526590058467791687837422897022829661,
21 |      116144389285266462769913139639175922392318396923181100785008570884082681963637784423143843845816350379438789947802939701820129805341796427821894273985551331666719808355412080909245720551238149511778060242720419584504473490216670437024863860559347959698828131475160058721701582089480924088773887932997353631767, 127833907448946785858374094953899556339175475846831397383049660262333005992005484987913355932559627279178940862787593749842796469355336182379062826441222705075178971785791223706944120681105575965622931327112817747065200324610697178273898956820957640413744954233327851461318200323486469677469950386824833536523, 130561613227079478921314550968562766645507834694262831586725464124109153306162445639759476845681271537955934718244296904503168256991962908095007040044300188572466395275317838178325500238288302672390013747102961340256309124310478931896245221622317302428447389760864327859640573452084295225059466376349115703119, 115953389401040751013569404909249958538962411171147823610874077094621794755967854844224923689925397631692572916641171075740839099217316101334941033937183815345038898177087515909675028366437302462022970987947264115373697445950951595479758872029099661065186221250394358255523574834723958546450323357472451930993, 143437107845384843564651522639125300763388830136500260725097766445883003928355325003575359566631064630487365774344508496878731109174874449170057678821440711511966073934025028100604234445470976333825866939923998344367645612128590820812489407412175198698290167077116185959180877334222693344630253253476594907313]
22 | c = [85033868418784308573673709960700777350314426427677627319697346811123742342359072170220428874952996988431950989321281905284522596263957356289624365171732095210045916218066135140320107686084053271623461104022705353814233772164502775939590711842361956121603943483040254727995655776263673058788416722141673409688, 66065963470666895005407449599703926269325406456711861190876894466341571726360462706664546294453572319565476664348345756905411939632955966517708138047546806602828064213238537646393524578984547577761559965654539771172357089802682793169968961304179886652390277814477825753096636750388350662980872556701402397564, 116011740820520887443111656288411611070614127688662643257265381793048354928820176624229624692124188995846076431510548507016903260774215950803926107831505634778278712070141663189086436127990584944132764896694777031370995058271038329228336417590284517922855284619653301817355115583540545182119702335431334401666, 97640420284096094887471273365295984332267897927392169402918423863919914002451127544715668846623138003564829254309568918651163254043205129883843425179687841236818720463784828905460885026290909768599562386370732119591181513319548915478512030197629196018254041500662654260834562708620760373487652389789200792120,
23 |      8112507653841374573057048967617108909055624101437903775740427861003476480616929517639719198652146909660899632120639789106782550275648578142883715280547602249589837441805676364041484345030575130408744621981440093280624046635769338568542048839419939250444929802135605724150484414516536378791500915047844188300, 36792148360808115566234645242678223867680969786675055638670907933041180936164293809961667801099516457636164692292891528415720085345494773373966277807505798679784807614784581861287048096977968620964436947452527540958289441390882589051225367658014709290392321808926567572528170531844664734909469690750971883323, 53043093283305492238903255767698153246673671181809989362223466090875767705978690531154079519999671834688647277179370374802495005937892824566602423646978168777735383632928274082669949750078161820002768640908750005814934158829006019656592134357897586040866207754535586785064545866404380204728594863102313407789, 88499407133762624445946519155722583633934260410706930537441122463087556094734626189377091740335667052378955691250910459790202385799502439716173363179773811920751410726795431402796346647688144853156900427797933862087074385441977254140336390678022955770879265490567987868532251217565094093318626424653599450992, 138337520305048557335599940473834485492131424901034295018189264168040969172072024612859307499682986987325414798210700710891033749119834960687318156171051379643844580970963540418974136891389303624057726575516576726845229494107327508855516437230240365759885913142671816868762838801720492804671259709458388192984]
24 | data = list(zip(c, n))
25 | x, n = CRT(data)
26 | m = gmpy2.iroot(gmpy2.mpz(x), e)[0].digits()
27 | print('m is: ' + m)
28 | 


--------------------------------------------------------------------------------
/exp3.py:
--------------------------------------------------------------------------------
 1 | # 低解密指数攻击
 2 | import gmpy2
 3 | 
 4 | 
 5 | def continuedFra(x, y):
 6 |     cF = []
 7 |     while y:
 8 |         cF += [x // y]
 9 |         x, y = y, x % y
10 |     return cF
11 | 
12 | 
13 | def Simplify(ctnf):
14 |     numerator = 0
15 |     denominator = 1
16 |     for x in ctnf[::-1]:
17 |         numerator, denominator = denominator, x * denominator + numerator
18 |     return (numerator, denominator)
19 | 
20 | 
21 | def calculateFrac(x, y):
22 |     cF = continuedFra(x, y)
23 |     cF = list(map(Simplify, (cF[0:i] for i in range(1, len(cF)))))
24 |     return cF
25 | 
26 | 
27 | def solve_pq(a, b, c):
28 |     par = gmpy2.isqrt(b * b - 4 * a * c)
29 |     return (-b + par) / (2 * a), (-b - par) / (2 * a)
30 | 
31 | 
32 | def wienerAttack(e, n):
33 |     for (d, k) in calculateFrac(e, n):
34 |         print(e)
35 |         print(d)
36 |         print(k)
37 |         if k == 0:
38 |             continue
39 |         if (e * d - 1) % k != 0:
40 |             continue
41 |         phi = (e * d - 1) / k
42 |         p, q = solve_pq(1, n - phi + 1, n)
43 |         if p * q == n:
44 |             return abs(int(p)), abs(int(q))
45 |     print('[!]not find!')
46 | 
47 | 
48 | n = 12238605063252292170613110607692779326628090745751955692266649177882959231822580682548279800443278979485092243645806337103841086023159482786712759291169541633901936290854044069486201989034158882661270017305064348254800318759062921744741432214818915527537124001063995865927527037625277330117588414586505635959411443039463168463608235165929831344586283875119363703480280602514451713723663297066810128769907278246434745483846869482536367912810637275405943566734099622063142293421936734750356828712268385319217225803602442033960930413469179550331907541244416573641309943913383658451409219852933526106735587605884499707827
49 | e = 11850552481503020257392808424743510851763548184936536180317707155841959788151862976445957810691568475609821000653594584717037528429828330763571556164988619635320288125983463358648887090031957900011546300841211712664477474767941406651977784177969001025954167441377912326806132232375497798238928464025466905201977180541053129691501120197010080001677260814313906843670652972019631997467352264392296894192998971542816081534808106792758008676039929763345402657578681818891775091140555977382868531202964486261123748663752490909455324860302967636149379567988941803701512680099398021640317868259975961261408500449965277690517
50 | c = 9472193174575536616954091686751964873836697237500198884451530469300324470671555310791335185133679697207007374620225900775502162690848135615431624557389304657410880981454777737587420426091879654002644281066474715074536611611252677882396384453641127487515845176069574754606670518031472235144795376526854484442135299818868525539923568705203042265537204111153151119105287648912908771710419648445826883069030285651763726003413418764301988228077415599665616637501056116290476861280240577145515875430665394216054222788697052979429015400411487342877096677666406389711074591330476335174211990429870900468249946600544116793793
51 | p, q = wienerAttack(e, n)
52 | print('[+]Found!')
53 | print('[-]p =', p)
54 | print('[-]q =', q)
55 | d = gmpy2.invert(e, (p-1)*(q-1))
56 | print('[-]m is:', pow(c, d, n))
57 | 


--------------------------------------------------------------------------------
/exp4.py:
--------------------------------------------------------------------------------
 1 | # 共模攻击
 2 | import gmpy2
 3 | n = 158052722013789461456896900244510199169216575693048895162538548356466884311543740968048825149608833390255268602486435690724338965409521812963337715301197225841194835534751041470231293288252951274190599189716955573428884560130364021535005115652592074445852835422027406556727605302404510264249211145063332337043
 4 | e1 = 665213
 5 | e2 = 368273
 6 | c1 = 16698617641888248664694980135332125531792692516788088682722832061393117609508765284473236240256421599515450690670639565968165473479697383505401285976148490839526672808730165847471005704945978274496508928460578173068717106075169723401049489389383596761956301440156581021583368058047939083755488885694261340425
 7 | c2 = 59192887933967939708054321952273893559113509451228797382728687616356609407020086787061368452871936378934964292805289941535766263083244529814852043063188312786173717046316177403357053871483983775362121186037776932260378728059531236711960979620603784044468207000654149190295060179235411429700710154759043236436
 8 | s0, s1, s2 = gmpy2.gcdext(e1, e2)
 9 | if s1 < 0:
10 |     s1 = -s1
11 |     c1 = gmpy2.invert(c1, n)
12 | elif s2 < 0:
13 |     s2 = -s2
14 |     c2 = gmpy2.invert(c2, n)
15 | m = gmpy2.powmod(c1, s1, n)*gmpy2.powmod(c2, s2, n) % n
16 | print('[-]m is:', m)
17 | 


--------------------------------------------------------------------------------
/exp5.sage:
--------------------------------------------------------------------------------
  1 | import time
  2 | 
  3 | ############################################
  4 | # Config
  5 | ##########################################
  6 | 
  7 | """
  8 | Setting debug to true will display more informations
  9 | about the lattice, the bounds, the vectors...
 10 | """
 11 | debug = True
 12 | 
 13 | """
 14 | Setting strict to true will stop the algorithm (and
 15 | return (-1, -1)) if we don't have a correct 
 16 | upperbound on the determinant. Note that this 
 17 | doesn't necesseraly mean that no solutions 
 18 | will be found since the theoretical upperbound is
 19 | usualy far away from actual results. That is why
 20 | you should probably use `strict = False`
 21 | """
 22 | strict = False
 23 | 
 24 | """
 25 | This is experimental, but has provided remarkable results
 26 | so far. It tries to reduce the lattice as much as it can
 27 | while keeping its efficiency. I see no reason not to use
 28 | this option, but if things don't work, you should try
 29 | disabling it
 30 | """
 31 | helpful_only = True
 32 | dimension_min = 7 # stop removing if lattice reaches that dimension
 33 | 
 34 | ############################################
 35 | # Functions
 36 | ##########################################
 37 | 
 38 | # display stats on helpful vectors
 39 | def helpful_vectors(BB, modulus):
 40 |     nothelpful = 0
 41 |     for ii in range(BB.dimensions()[0]):
 42 |         if BB[ii,ii] >= modulus:
 43 |             nothelpful += 1
 44 | 
 45 |     print nothelpful, "/", BB.dimensions()[0], " vectors are not helpful"
 46 | 
 47 | # display matrix picture with 0 and X
 48 | def matrix_overview(BB, bound):
 49 |     for ii in range(BB.dimensions()[0]):
 50 |         a = ('%02d ' % ii)
 51 |         for jj in range(BB.dimensions()[1]):
 52 |             a += '0' if BB[ii,jj] == 0 else 'X'
 53 |             if BB.dimensions()[0] < 60:
 54 |                 a += ' '
 55 |         if BB[ii, ii] >= bound:
 56 |             a += '~'
 57 |         print a
 58 | 
 59 | # tries to remove unhelpful vectors
 60 | # we start at current = n-1 (last vector)
 61 | def remove_unhelpful(BB, monomials, bound, current):
 62 |     # end of our recursive function
 63 |     if current == -1 or BB.dimensions()[0] <= dimension_min:
 64 |         return BB
 65 | 
 66 |     # we start by checking from the end
 67 |     for ii in range(current, -1, -1):
 68 |         # if it is unhelpful:
 69 |         if BB[ii, ii] >= bound:
 70 |             affected_vectors = 0
 71 |             affected_vector_index = 0
 72 |             # let's check if it affects other vectors
 73 |             for jj in range(ii + 1, BB.dimensions()[0]):
 74 |                 # if another vector is affected:
 75 |                 # we increase the count
 76 |                 if BB[jj, ii] != 0:
 77 |                     affected_vectors += 1
 78 |                     affected_vector_index = jj
 79 | 
 80 |             # level:0
 81 |             # if no other vectors end up affected
 82 |             # we remove it
 83 |             if affected_vectors == 0:
 84 |                 print "* removing unhelpful vector", ii
 85 |                 BB = BB.delete_columns([ii])
 86 |                 BB = BB.delete_rows([ii])
 87 |                 monomials.pop(ii)
 88 |                 BB = remove_unhelpful(BB, monomials, bound, ii-1)
 89 |                 return BB
 90 | 
 91 |             # level:1
 92 |             # if just one was affected we check
 93 |             # if it is affecting someone else
 94 |             elif affected_vectors == 1:
 95 |                 affected_deeper = True
 96 |                 for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
 97 |                     # if it is affecting even one vector
 98 |                     # we give up on this one
 99 |                     if BB[kk, affected_vector_index] != 0:
100 |                         affected_deeper = False
101 |                 # remove both it if no other vector was affected and
102 |                 # this helpful vector is not helpful enough
103 |                 # compared to our unhelpful one
104 |                 if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):
105 |                     print "* removing unhelpful vectors", ii, "and", affected_vector_index
106 |                     BB = BB.delete_columns([affected_vector_index, ii])
107 |                     BB = BB.delete_rows([affected_vector_index, ii])
108 |                     monomials.pop(affected_vector_index)
109 |                     monomials.pop(ii)
110 |                     BB = remove_unhelpful(BB, monomials, bound, ii-1)
111 |                     return BB
112 |     # nothing happened
113 |     return BB
114 | 
115 | """ 
116 | Returns:
117 | * 0,0   if it fails
118 | * -1,-1 if `strict=true`, and determinant doesn't bound
119 | * x0,y0 the solutions of `pol`
120 | """
121 | def boneh_durfee(pol, modulus, mm, tt, XX, YY):
122 |     """
123 |     Boneh and Durfee revisited by Herrmann and May
124 |     
125 |     finds a solution if:
126 |     * d < N^delta
127 |     * |x| < e^delta
128 |     * |y| < e^0.5
129 |     whenever delta < 1 - sqrt(2)/2 ~ 0.292
130 |     """
131 | 
132 |     # substitution (Herrman and May)
133 |     PR.<u, x, y> = PolynomialRing(ZZ)
134 |     Q = PR.quotient(x*y + 1 - u) # u = xy + 1
135 |     polZ = Q(pol).lift()
136 | 
137 |     UU = XX*YY + 1
138 | 
139 |     # x-shifts
140 |     gg = []
141 |     for kk in range(mm + 1):
142 |         for ii in range(mm - kk + 1):
143 |             xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk
144 |             gg.append(xshift)
145 |     gg.sort()
146 | 
147 |     # x-shifts list of monomials
148 |     monomials = []
149 |     for polynomial in gg:
150 |         for monomial in polynomial.monomials():
151 |             if monomial not in monomials:
152 |                 monomials.append(monomial)
153 |     monomials.sort()
154 |     
155 |     # y-shifts (selected by Herrman and May)
156 |     for jj in range(1, tt + 1):
157 |         for kk in range(floor(mm/tt) * jj, mm + 1):
158 |             yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)
159 |             yshift = Q(yshift).lift()
160 |             gg.append(yshift) # substitution
161 |     
162 |     # y-shifts list of monomials
163 |     for jj in range(1, tt + 1):
164 |         for kk in range(floor(mm/tt) * jj, mm + 1):
165 |             monomials.append(u^kk * y^jj)
166 | 
167 |     # construct lattice B
168 |     nn = len(monomials)
169 |     BB = Matrix(ZZ, nn)
170 |     for ii in range(nn):
171 |         BB[ii, 0] = gg[ii](0, 0, 0)
172 |         for jj in range(1, ii + 1):
173 |             if monomials[jj] in gg[ii].monomials():
174 |                 BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)
175 | 
176 |     # Prototype to reduce the lattice
177 |     if helpful_only:
178 |         # automatically remove
179 |         BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)
180 |         # reset dimension
181 |         nn = BB.dimensions()[0]
182 |         if nn == 0:
183 |             print "failure"
184 |             return 0,0
185 | 
186 |     # check if vectors are helpful
187 |     if debug:
188 |         helpful_vectors(BB, modulus^mm)
189 |     
190 |     # check if determinant is correctly bounded
191 |     det = BB.det()
192 |     bound = modulus^(mm*nn)
193 |     if det >= bound:
194 |         print "We do not have det < bound. Solutions might not be found."
195 |         print "Try with highers m and t."
196 |         if debug:
197 |             diff = (log(det) - log(bound)) / log(2)
198 |             print "size det(L) - size e^(m*n) = ", floor(diff)
199 |         if strict:
200 |             return -1, -1
201 |     else:
202 |         print "det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)"
203 | 
204 |     # display the lattice basis
205 |     if debug:
206 |         matrix_overview(BB, modulus^mm)
207 | 
208 |     # LLL
209 |     if debug:
210 |         print "optimizing basis of the lattice via LLL, this can take a long time"
211 | 
212 |     BB = BB.LLL()
213 | 
214 |     if debug:
215 |         print "LLL is done!"
216 | 
217 |     # transform vector i & j -> polynomials 1 & 2
218 |     if debug:
219 |         print "looking for independent vectors in the lattice"
220 |     found_polynomials = False
221 |     
222 |     for pol1_idx in range(nn - 1):
223 |         for pol2_idx in range(pol1_idx + 1, nn):
224 |             # for i and j, create the two polynomials
225 |             PR.<w,z> = PolynomialRing(ZZ)
226 |             pol1 = pol2 = 0
227 |             for jj in range(nn):
228 |                 pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)
229 |                 pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)
230 | 
231 |             # resultant
232 |             PR.<q> = PolynomialRing(ZZ)
233 |             rr = pol1.resultant(pol2)
234 | 
235 |             # are these good polynomials?
236 |             if rr.is_zero() or rr.monomials() == [1]:
237 |                 continue
238 |             else:
239 |                 print "found them, using vectors", pol1_idx, "and", pol2_idx
240 |                 found_polynomials = True
241 |                 break
242 |         if found_polynomials:
243 |             break
244 | 
245 |     if not found_polynomials:
246 |         print "no independant vectors could be found. This should very rarely happen..."
247 |         return 0, 0
248 |     
249 |     rr = rr(q, q)
250 | 
251 |     # solutions
252 |     soly = rr.roots()
253 | 
254 |     if len(soly) == 0:
255 |         print "Your prediction (delta) is too small"
256 |         return 0, 0
257 | 
258 |     soly = soly[0][0]
259 |     ss = pol1(q, soly)
260 |     solx = ss.roots()[0][0]
261 | 
262 |     #
263 |     return solx, soly
264 | 
265 | def example():
266 |     ############################################
267 |     # How To Use This Script
268 |     ##########################################
269 | 
270 |     #
271 |     # The problem to solve (edit the following values)
272 |     #
273 | 
274 |     # the modulus
275 |     N = 0xbadd260d14ea665b62e7d2e634f20a6382ac369cd44017305b69cf3a2694667ee651acded7085e0757d169b090f29f3f86fec255746674ffa8a6a3e1c9e1861003eb39f82cf74d84cc18e345f60865f998b33fc182a1a4ffa71f5ae48a1b5cb4c5f154b0997dc9b001e441815ce59c6c825f064fdca678858758dc2cebbc4d27L
276 |     # the public exponent
277 |     e = 0x11722b54dd6f3ad9ce81da6f6ecb0acaf2cbc3885841d08b32abc0672d1a7293f9856db8f9407dc05f6f373a2d9246752a7cc7b1b6923f1827adfaeefc811e6e5989cce9f00897cfc1fc57987cce4862b5343bc8e91ddf2bd9e23aea9316a69f28f407cfe324d546a7dde13eb0bd052f694aefe8ec0f5298800277dbab4a33bbL
278 |     # the cipher
279 |     c = 0xe3505f41ec936cf6bd8ae344bfec85746dc7d87a5943b3a7136482dd7b980f68f52c887585d1c7ca099310c4da2f70d4d5345d3641428797030177da6cc0d41e7b28d0abce694157c611697df8d0add3d900c00f778ac3428f341f47ecc4d868c6c5de0724b0c3403296d84f26736aa66f7905d498fa1862ca59e97f8f866cL
280 |     # N = 12238605063252292170613110607692779326628090745751955692266649177882959231822580682548279800443278979485092243645806337103841086023159482786712759291169541633901936290854044069486201989034158882661270017305064348254800318759062921744741432214818915527537124001063995865927527037625277330117588414586505635959411443039463168463608235165929831344586283875119363703480280602514451713723663297066810128769907278246434745483846869482536367912810637275405943566734099622063142293421936734750356828712268385319217225803602442033960930413469179550331907541244416573641309943913383658451409219852933526106735587605884499707827
281 |     # e = 11850552481503020257392808424743510851763548184936536180317707155841959788151862976445957810691568475609821000653594584717037528429828330763571556164988619635320288125983463358648887090031957900011546300841211712664477474767941406651977784177969001025954167441377912326806132232375497798238928464025466905201977180541053129691501120197010080001677260814313906843670652972019631997467352264392296894192998971542816081534808106792758008676039929763345402657578681818891775091140555977382868531202964486261123748663752490909455324860302967636149379567988941803701512680099398021640317868259975961261408500449965277690517
282 |     # c = 9472193174575536616954091686751964873836697237500198884451530469300324470671555310791335185133679697207007374620225900775502162690848135615431624557389304657410880981454777737587420426091879654002644281066474715074536611611252677882396384453641127487515845176069574754606670518031472235144795376526854484442135299818868525539923568705203042265537204111153151119105287648912908771710419648445826883069030285651763726003413418764301988228077415599665616637501056116290476861280240577145515875430665394216054222788697052979429015400411487342877096677666406389711074591330476335174211990429870900468249946600544116793793
283 | 
284 |     # the hypothesis on the private exponent (the theoretical maximum is 0.292)
285 |     delta = .18 # this means that d < N^delta
286 | 
287 |     #
288 |     # Lattice (tweak those values)
289 |     #
290 | 
291 |     # you should tweak this (after a first run), (e.g. increment it until a solution is found)
292 |     m = 4 # size of the lattice (bigger the better/slower)
293 | 
294 |     # you need to be a lattice master to tweak these
295 |     t = int((1-2*delta) * m)  # optimization from Herrmann and May
296 |     X = 2*floor(N^delta)  # this _might_ be too much
297 |     Y = floor(N^(1/2))    # correct if p, q are ~ same size
298 | 
299 |     #
300 |     # Don't touch anything below
301 |     #
302 | 
303 |     # Problem put in equation
304 |     P.<x,y> = PolynomialRing(ZZ)
305 |     A = int((N+1)/2)
306 |     pol = 1 + x * (A + y)
307 | 
308 |     #
309 |     # Find the solutions!
310 |     #
311 | 
312 |     # Checking bounds
313 |     if debug:
314 |         print "=== checking values ==="
315 |         print "* delta:", delta
316 |         print "* delta < 0.292", delta < 0.292
317 |         print "* size of e:", int(log(e)/log(2))
318 |         print "* size of N:", int(log(N)/log(2))
319 |         print "* m:", m, ", t:", t
320 | 
321 |     # boneh_durfee
322 |     if debug:
323 |         print "=== running algorithm ==="
324 |         start_time = time.time()
325 | 
326 |     solx, soly = boneh_durfee(pol, e, m, t, X, Y)
327 | 
328 |     # found a solution?
329 |     if solx > 0:
330 |         print "=== solution found ==="
331 |         if False:
332 |             print "x:", solx
333 |             print "y:", soly
334 | 
335 |         d = int(pol(solx, soly) / e)
336 |         m = pow(c,d,N)
337 |         print '[-]d is ' + str(d)
338 |         print '[-]m is: ' + str(m)
339 |         print '[-]hex(m) is: ' + '{:x}'.format(int(m))
340 |         print '[-]str(m) is: ' + '{:x}'.format(int(m)).decode('hex')
341 |     else:
342 |         print "[!]no solution was found!"
343 |         print '[!]All Done!'
344 | 
345 |     if debug:
346 |         print("[!]Timer: %s s" % (time.time() - start_time))
347 |         print '[!]All Done!'
348 | 
349 | if __name__ == "__main__":
350 |     example()


--------------------------------------------------------------------------------
/exp6.sage:
--------------------------------------------------------------------------------
 1 | '''
 2 | # p = 0x00f23799c031b942026e420769b74d22fa2114428189139c43c366c6ab8367c6b3d6f821449aafb2058b0e6ed964fa0ad45fb306f96376e80823a72b58101919e50acad3b5e6d079e7ff9218ed6df6edbef536742714ce88b2e717f45af53ef0d04c89faf01c80b28e764973aba27726c85c0236e8756a865c03577722bac5e391
 3 | # q = 0x00c9d24330fa4945cfe1e5d6912d6bde0231035a1cc8d8ae67d949347b895f8d579bce2adaf37c568957b17a6564dbf80d36d81e4622ab30e02132b0155aefbd3912a27c625a9b7b05bc72217039f5aa88c20cbf9871c3228e9d80d9106f94b11c1f50c40c96862b5cd6b6f781883dd2eff80a059d3ca027af6a03edeb34a7390f
 4 | # n = p*q
 5 | e = 3
 6 | n = 0x4ac5cbf84a2f9a1042c552c77075459d2273994453caea11fbf696b9a8d41937b48be43c71ec6c37470ba9d280a23301b817314a94c786962e4a98ddb260bf2d53a51a6f9c87258110fb2bc9fe8fa44a24e6f95fd5d098bd907d5f8565a0ed7c681cf5e6a79b28438077f6b8d3ae1edf4229102b4ebe29d1f37b9357d3ffff39
 7 | p = 0x80f7a73798f638d10180223d7b482035b69b51ffe09ad9e42602cc9d489837be7d1ac92e90b09837144c1220ed4ff0ea00000000000000000000000000000000
 8 | beta = 0.5
 9 | epsilon = beta^2/7
10 | 
11 | pbits = p.nbits()
12 | kbits = floor(n.nbits()*(beta^2-epsilon))
13 | pbar = p & (2^pbits-2^kbits)
14 | print "upper %d bits (of %d bits) is given" % (pbits-kbits, pbits)
15 | 
16 | PR.<x> = PolynomialRing(Zmod(n))
17 | f = x + pbar
18 | 
19 | print 'p_fake =',p
20 | x0 = f.small_roots(X=2^kbits, beta=0.3)[0]  # find root < 2^kbits with factor >= n^0.3
21 | print 'p =',x0 + pbar
22 | '''
23 | 
24 | 
25 | # next exp
26 | 
27 | 
28 | n = 0x73cec712124b33c0294e01eb52e8c3cd2fe9ddbcbf457b3b950360063dfae42cbbe9855bd986bcfea0948fadfb252f5e2ff3c982ff47afb6596a496636f1fc5ecfe9f5db7620b23fe9e30d230aa9299ab9a78bfb5e0630fd1149259b2b2104ea65d2e27b89785e4bf01d0594d9f94575cbcc3383f63c5aabe4d5b48eb761cce3ab21689b3f3155b5f15efee240d5ac11cee2acbd019de7c06f607ea618b5cd735b5a6972d2b446a12ff58cf8314822fa5ea09d0963acd00441b2a1b37aca01d7f39052927db98a0bd5ca1c49a7ad67923e3aac30ecd33cc8b4b30a40cdb3acc721ee5da53a02977cee959affe672a668525eb78df96af0a14f4ac04fab68efa8eabe9535e1064a5fc2ff7cac9520210311db0c3bf91101bc55a67a81e4f69364c724ee6ad6bdc301df642c9392e9befa4ff0d65481adb6feac251cd207044587da9710809700246cb3c63e659a97249f5e7418568e37db2fb2c1115e719d6682bb2e89b4e23d40ba4c532f289e10e0b89a5647c486a09b9e376844171b229d74f871004d4945a702a391a04ac704f43809e972891e6ab33b3c0f03f0b6f9ae005b26be6e647a1865c727277423f59a595187ffbfea13501e23b6b57ef115eaa6febcb207a3112628652a39578847241c33989e84607b0f683b30ddf773348b07360b063d9120a397809591ca18a04cd32ad9cbfe0494ed3ae8d2c5b43fdb51cb
29 | p_fake = 25469341510015610710601677541490068882874022771473379147959682877979811860690835905177575433486769235926750944378553837429714908846121392087707617153368450157831411033840331452402635316893579428297241392591768100008774205252294780519995317089863801331600746389471563346749402400584048767782402832414560955794979239140648096754408560344380360521300295416056532504527346890878830708030202503589314586128121926254376071861981570648841288044240102936057199541504839050994656267226010545841307490110261343492485615893311098351703701000220286503350522201318815497988460167971677642567134161349144833221240627311534482202273
30 | pbits = p_fake.nbits()
31 | kbits = 900
32 | #kbits = 200
33 | pbar = p_fake & (2^pbits-2^kbits)
34 | print "upper %d bits (of %d bits) is given" % (pbits-kbits, pbits)
35 | PR.<x> = PolynomialRing(Zmod(n))
36 | f = x + pbar
37 | x0 = f.small_roots(X=2^kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.3
38 | p= x0 + pbar
39 | print 'p =',p


--------------------------------------------------------------------------------
/exp7.sage:
--------------------------------------------------------------------------------
 1 | e = 0x3
 2 | b = 0xfedcba98765432100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 3 | n = 0x79982a272b9f50b2c2bc8b862ccc617bb39720a6dc1a22dc909bbfd1243cc0a03dd406ec0b1a78fa75ce5234e8c57e0aab492050906364353b06ccd45f90b7818b04be4734eeb8e859ef92a306be105d32108a3165f96664ac1e00bba770f04627da05c3d7513f5882b2807746090cebbf74cd50c0128559a2cc9fa7d88f7b2d
 4 | c = 0x381db081852c92d268b49a1b9486d724e4ecf49fc97dc5f20d1fad902b5cdfb49c8cc1e968e36f65ae9af7e8186f15ccdca798786669a3d2c9fe8767a7ae938a4f9115ae8fed4928d95ad550fddd3a9c1497785c9e2279edf43f04601980aa28b3b52afb55e2b34e5b175af25d5b3bd71db88b3b31e48a177a469116d957592c
 5 | kbits=64
 6 | 
 7 | PR.<x> = PolynomialRing(Zmod(n))
 8 | f = (x + b)^e-c
 9 | x0 = f.small_roots(X=2^kbits, beta=1)[0]
10 | m = b + int(x0)
11 | print '[-]x is ' + hex(int(x0))
12 | print '[-]m is: ' + str(m)
13 | print '[-]hex(m) is: ' + '{:x}'.format(m)
14 | print '[-]str(m) is: ' + '{:x}'.format(m).decode('hex')
15 | print '[!]All Done!'


--------------------------------------------------------------------------------
/exp8.sage:
--------------------------------------------------------------------------------
 1 | def partial_p(p0, kbits, n):
 2 |     PR.<x> = PolynomialRing(Zmod(n))
 3 |     nbits = n.nbits()
 4 | 
 5 |     f = 2^kbits*x + p0
 6 |     f = f.monic()
 7 |     roots = f.small_roots(X=2^(nbits//2-kbits), beta=0.3)  # find root < 2^(nbits//2-kbits) with factor >= n^0.3
 8 |     if roots:
 9 |         x0 = roots[0]
10 |         p = gcd(2^kbits*x0 + p0, n)
11 |         return ZZ(p)
12 | 
13 | def find_p(d0, kbits, e, n):
14 |     X = var('X')
15 | 
16 |     for k in xrange(1, e+1):
17 |         results = solve_mod([e*d0*X - k*X*(n-X+1) + k*n == X], 2^kbits)
18 |         for x in results:
19 |             p0 = ZZ(x[0])
20 |             p = partial_p(p0, kbits, n)
21 |             if p:
22 |                 return p
23 | 
24 | 
25 | if __name__ == '__main__':
26 |     n = 0xbef498e6eb2cffe71312da47ab89d2c47db7438ea2cfa992ddddbc2a01978001fc51e286e6ebf028396cdb8b3323c60e6b9d50cd84187cf7f48e3875a2f0890f70b02333ad89db2923863ce146562286f63fb0a1d0198e3a6862ba5ac12e85a5c6d0d27cb1c81bdf69cc5bc95b8001a2f744517f9437b4ddd5a076fc0e9a5de1a7a268c40f31aa29e8dc27c0b3a182299ca7a9335b4bd4585452f6107c238e486c98dd73a5f9862e9e80b152f53381c72f897107551c281259ac3ee32c4b4f46cc03127d1bf699acd0266f3c6729253c70da0c69b1560fa172735709866b375b6eba294e1ce8b46fba798ba380080b4bf9603998cac199d9cd46e30ae8da9e7f
27 |     e = 3
28 |     d = 0x47bb07e1ecca16e51078312e89f0561e31b55db8b0ea5bc87a6ca7464a3d7c28a68c60e2ba88fe6a7d2b300d723e549910a987da89fc0a1c0de197a3d62c501b1f0e819891b1c32a0d6c233f2a285df87bb9e5c6c72d983ff3e706696bba639f573f9c3646968f02f3a615a438e20bb7c38d53621079f2899547a95350f3abeb
29 |     beta = 0.5
30 | 
31 | 
32 |     epsilon = beta^2/7
33 | 
34 |     nbits = n.nbits()
35 |     kbits = floor(nbits*(beta^2+epsilon))
36 |     d0 = d & (2^kbits-1)
37 |     print "lower %d bits (of %d bits) is given" % (kbits, nbits)
38 | 
39 |     p = find_p(d0, kbits, e, n)
40 |     print "p = %d" % p
41 |     q = n//p
42 |     print "d0 = %d" % d
43 |     print "d = %d" % inverse_mod(e, (p-1)*(q-1))


--------------------------------------------------------------------------------
/exp9.sage:
--------------------------------------------------------------------------------
 1 | def short_pad_attack(c1, c2, e, n):
 2 |     PRxy.<x,y> = PolynomialRing(Zmod(n))
 3 |     PRx.<xn> = PolynomialRing(Zmod(n))
 4 |     PRZZ.<xz,yz> = PolynomialRing(Zmod(n))
 5 | 
 6 |     g1 = x^e - c1
 7 |     g2 = (x+y)^e - c2
 8 | 
 9 |     q1 = g1.change_ring(PRZZ)
10 |     q2 = g2.change_ring(PRZZ)
11 | 
12 |     h = q2.resultant(q1)
13 |     h = h.univariate_polynomial()
14 |     h = h.change_ring(PRx).subs(y=xn)
15 |     h = h.monic()
16 | 
17 |     kbits = n.nbits()//(2*e*e)
18 |     diff = h.small_roots(X=2^kbits, beta=0.5)[0]  # find root < 2^kbits with factor >= n^0.5
19 | 
20 |     return diff
21 | 
22 | def related_message_attack(c1, c2, diff, e, n):
23 |     PRx.<x> = PolynomialRing(Zmod(n))
24 |     g1 = x^e - c1
25 |     g2 = (x+diff)^e - c2
26 | 
27 |     def gcd(g1, g2):
28 |         while g2:
29 |             g1, g2 = g2, g1 % g2
30 |         return g1.monic()
31 | 
32 |     return -gcd(g1, g2)[0]
33 | 
34 | 
35 | if __name__ == '__main__':
36 |     n = 0x2030ca024a23fb978752ccc2897947fd9c82b682915771e447fc1eefa6be8cbcc00df7cc2dfc401516b88b06a044b6fa595ce67f7b02f4a441a2a4495fb05463da88b059f4c1a924b3f6bc1e2a4938be37f5a44dd7a495c6bb264fdae9eda265f5a4c2a5147d84566d8122e25954b94575ec97f4d979fff756f95cbfcc49fcc9
37 |     e = 3
38 | 
39 |     #nbits = n.nbits()
40 |     #kbits = nbits//(2*e*e)
41 |     #print "upper %d bits (of %d bits) is same" % (nbits-kbits, nbits)
42 | 
43 |     # ^^ = bit-wise XOR
44 |     # http://doc.sagemath.org/html/en/faq/faq-usage.html#how-do-i-use-the-bitwise-xor-operator-in-sage
45 |     #m1 = randrange(2^nbits)
46 |     #m2 = m1 ^^ randrange(2^kbits)
47 |     #c1 = pow(m1, e, n)
48 |     #c2 = pow(m2, e, n)
49 |     c1=0x45204e3e2d780d6fded3ed4c53ca2a0300a78bd7f9b30afb5e3267bcb7074756ab386a165cf0678e3af272151b0635c784df30117f89d92afe83156d55fc8d45f0d9db0b868737cad674e2407fc83e234498542162f86132f2edaed3580b8da605a3d2df4ccd49150aed3686401790e5d0742ef5288d756fd9a011666c4018d
50 |     c2=0x1c17423e4aa0ee916c513f9f6f7f7f6efda060974ad06282bd846a50571c2b26465aba50a48eda745b0bb5b410d0b89a199256d5034cb2932a03b0b9dffa065a01c856ff967addc8834e9e09d8d51c020f2a115144e20ac17dd23bb645db39f71eb22aa9175f92bc822c102270f183b1cf60cd6460d6cc28624a9cedbd17484c
51 | 
52 | 
53 |     diff = short_pad_attack(c1, c2, e, n)
54 |     print "difference of two messages is %d" % diff
55 | 
56 |     #print m1
57 |     m1 = related_message_attack(c1, c2, diff, e, n)
58 |     print 'm1 =',m1
59 |     #print m2
60 |     print 'm2 =',m1 + diff
61 |     print 'diff =',diff


--------------------------------------------------------------------------------
/expa.py:
--------------------------------------------------------------------------------
 1 | # 已知dp或dq
 2 | import gmpy2
 3 | e = 65537
 4 | n = 9637571466652899741848142654451413405801976834328667418509217149503238513830870985353918314633160277580591819016181785300521866901536670666234046521697590230079161867282389124998093526637796571100147052430445089605759722456767679930869250538932528092292071024877213105462554819256136145385237821098127348787416199401770954567019811050508888349297579329222552491826770225583983899834347983888473219771888063393354348613119521862989609112706536794212028369088219375364362615622092005578099889045473175051574207130932430162265994221914833343534531743589037146933738549770365029230545884239551015472122598634133661853901
 5 | dp = 81339405704902517676022188908547543689627829453799865550091494842725439570571310071337729038516525539158092247771184675844795891671744082925462138427070614848951224652874430072917346702280925974595608822751382808802457160317381440319175601623719969138918927272712366710634393379149593082774688540571485214097
 6 | c = 5971372776574706905158546698157178098706187597204981662036310534369575915776950962893790809274833462545672702278129839887482283641996814437707885716134279091994238891294614019371247451378504745748882207694219990495603397913371579808848136183106703158532870472345648247817132700604598385677497138485776569096958910782582696229046024695529762572289705021673895852985396416704278321332667281973074372362761992335826576550161390158761314769544548809326036026461123102509831887999493584436939086255411387879202594399181211724444617225689922628790388129032022982596393215038044861544602046137258904612792518629229736324827
 7 | 
 8 | for i in range(1,65538):
 9 |     if (dp*e-1)%i == 0:
10 |         if n%(((dp*e-1)//i)+1)==0:
11 |             p=((dp*e-1)//i)+1
12 |             q=n//(((dp*e-1)//i)+1)
13 |             phi = (p-1)*(q-1)
14 |             d = gmpy2.invert(e,phi)%phi
15 |             m = gmpy2.powmod(c,d,n)
16 |             print ('m:',m)


--------------------------------------------------------------------------------
/expb.py:
--------------------------------------------------------------------------------
 1 | # Least Significant Bit Oracle Attack
 2 | from pwn import *
 3 | from string import hexdigits
 4 | from hashlib import md5
 5 | import gmpy2
 6 | import re
 7 | import time
 8 | 
 9 | # this example from 2019SUCTF RSA
10 | # e=0x10001
11 | # n=0x0b765daa79117afe1a77da7ff8122872bbcbddb322bb078fe0786dc40c9033fadd639adc48c3f2627fb7cb59bb0658707fe516967464439bdec2d6479fa3745f57c0a5ca255812f0884978b2a8aaeb750e0228cbe28a1e5a63bf0309b32a577eecea66f7610a9a4e720649129e9dc2115db9d4f34dc17f8b0806213c035e22f2c5054ae584b440def00afbccd458d020cae5fd1138be6507bc0b1a10da7e75def484c5fc1fcb13d11be691670cf38b487de9c4bde6c2c689be5adab08b486599b619a0790c0b2d70c9c461346966bcbae53c5007d0146fc520fa6e3106fbfc89905220778870a7119831c17f98628563ca020652d18d72203529a784ca73716db
12 | # c=0x4f377296a19b3a25078d614e1c92ff632d3e3ded772c4445b75e468a9405de05d15c77532964120ae11f8655b68a630607df0568a7439bc694486ae50b5c0c8507e5eecdea4654eeff3e75fb8396e505a36b0af40bd5011990663a7655b91c9e6ed2d770525e4698dec9455db17db38fa4b99b53438b9e09000187949327980ca903d0eef114afc42b771657ea5458a4cb399212e943d139b7ceb6d5721f546b75cd53d65e025f4df7eb8637152ecbb6725962c7f66b714556d754f41555c691a34a798515f1e2a69c129047cb29a9eef466c206a7f4dbc2cea1a46a39ad3349a7db56c1c997dc181b1afcb76fa1bbbf118a4ab5c515e274ab2250dba1872be0
13 | # upper=n
14 | # lower=0
15 | # k=1
16 | io=remote('47.111.59.243',9421)
17 | t = time.clock()
18 | line = io.recvline()
19 | for i in range(3):
20 |     l = io.recvuntil('Please input your option:',drop =True )
21 |     pattern = re.compile(r'(?<=n = )\d+\.?\d*')
22 |     print(l)
23 |     n = int(pattern.findall(l)[0])
24 |     pattern = re.compile(r'(?<=e = )\d+\.?\d*')
25 |     e = int(pattern.findall(l)[0])
26 |     pattern = re.compile(r'(?<=c = )\d+\.?\d*')
27 |     c = int(pattern.findall(l)[0])
28 |     u = n
29 |     l = 0
30 |     d = gmpy2.powmod(2,e,n)
31 |     m = c
32 |     i = 0
33 |     while u - l > 1:
34 |         m = (m*d)%n
35 |         io.sendline('D')
36 |         io.send(str(m)+'\n')
37 |         res = io.recvuntil('!',drop = True)
38 |         if 'even' in res:
39 |             u = (u+l)/2
40 |         else:
41 |             l = (u+l)/2
42 | 
43 |     ans = 0
44 |     for i in range(-1024,1025):
45 |         m = u + i
46 |         if pow(m,e,n) == c:
47 |             ans = m
48 |             break
49 |     io.sendline('G')
50 |     io.send((str(ans)).strip('L')+'\n')
51 |     res = io.recvuntil('!',drop = True)
52 |     res = io.recvline()
53 |     print(res)
54 |     res = io.recvline()
55 |     print(res)
56 |     print('bye')
57 | print('[!]Timer:',round((time.clock()-t),2),'s')
58 | io.close()
59 | 


--------------------------------------------------------------------------------