

lowe¶

题目名字给了提示，这题属于rsa低指数攻击

from Crypto.PublicKey import RSA
import gmpy
from Crypto.Util.number import *
pub=RSA.importKey(open("./pubkey.pem").read())
e= pub.e
n= pub.n
c=219135993109607778001201845084150602227376141082195657844762662508084481089986056048532133767792600470123444605795683268047281347474499409679660783370627652563144258284648474807381611694138314352087429271128942786445607462311052442015618558352506502586843660097471748372196048269942588597722623967402749279662913442303983480435926749879440167236197705613657631022920490906911790425443191781646744542562221829319509319404420795146532861393334310385517838840775182

i=0
while 1:
    if gmpy.root((c+i*n),e)[1]==1:
        print "yes"
        m=gmpy.root((c+i*n),e)[0]
        print m
        print i
        break
    i=i+1

求出m后，根据提示与file.enc异或即可

from __future__ import print_function
from Crypto.Util.number import *

m=12950973085835763560175702356704747094371821722999497961023063926142573092871510801730909790343717206777660797494675328809965345887934044682722741193527531
key=long_to_bytes(m)
f=open('file.enc').read().decode('base64')
for i,j in zip(key,f):
    print(chr(ord(i)^ord(j)),end='')

lowe¶

评论