2024 BuildCTF 公开赛|Crypto

1.OVO开门爽！开到南天门了兄弟

from Crypto.Util.number import *
flag = b'BuildCTF{******}'
#随机生成p,q
p = getPrime(1024)
q = getPrime(1024)
#计算模数n
n = p*q
e = 65537
m = bytes_to_long(flag)
#c=m^e%n
c = pow(m, e, n)
print('P = ',p**2)
print('Q = ',q**2)
print('n = ',n)
print('e = ',e)
print('c = ',c)

BuildCTF{We1c0Me_b@cK_To_7uNiOr_h19H!!!}

2.我这辈子就是被古典给害了

from Crypto.Util.Padding import pad, unpad
from Crypto.Random import get_random_bytes
from Crypto.Cipher import AES
from secret import flag, keydict1 = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4,'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9,'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14,'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19,'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25}dict2 = {0: 'A', 1: 'B', 2: 'C', 3: 'D', 4: 'E',5: 'F', 6: 'G', 7: 'H', 8: 'I', 9: 'J',10: 'K', 11: 'L', 12: 'M', 13: 'N', 14: 'O',15: 'P', 16: 'Q', 17: 'R', 18: 'S', 19: 'T',20: 'U', 21: 'V', 22: 'W', 23: 'X', 24: 'Y', 25: 'Z'}def generate_key(flag, key):i = 0while True:if len(key) == len(flag):breakkey += flag[i]i += 1return keydef cipherText(msg, key_new):cipher_text = ''i = 0for letter in msg:x = (dict1[letter] + dict1[key_new[i]]) % 26i += 1cipher_text += dict2[x]return cipher_textdef AES_enc(key, value):key = (key * 2).encode()cipher = AES.new(key, AES.MODE_ECB)value = value.encode()padded_text = pad(value, AES.block_size)ciphertext = cipher.encrypt(padded_text)print("AES Encrypted Text =", ciphertext)def substitute(msg):msg = msg.replace('{', 'X')msg = msg.replace('_', 'X')msg = msg.replace('}', 'X')msg = msg.upper()assert msg.isupper()return msgmessage = substitute(flag)
key_new = generate_key(message, key)
cipher = cipherText(message, key_new)
print("Encrypted Text =", cipher)
AES_enc(key, flag)'''
Encrypted Text = HLMPWKGLYSWFACEWBYRSUKYFAXZFXDKOTZHHSLFCXNICAHPGRIFUF
AES Encrypted Text = b'\x92T{\x1f\x0f"\xbd\xbb\xfa|O\x11\x83\xa0\xec.\x15]\x9f\x9a\xe5\x85Z\x9f@yUm\xbb\xdc\x93\x08\xe5\x8b\xd5\x98\x84\xfa\x91\xe8\xde\x1b}\xcd\x9056\xa3\xbf\xdb\x85J\xcc\xec\x812T\x11\xa7Tl\x15\xf6"'
'''

dict1 = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4,'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9,'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14,'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19,'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25}dict2 = {0: 'A', 1: 'B', 2: 'C', 3: 'D', 4: 'E',5: 'F', 6: 'G', 7: 'H', 8: 'I', 9: 'J',10: 'K', 11: 'L', 12: 'M', 13: 'N', 14: 'O',15: 'P', 16: 'Q', 17: 'R', 18: 'S', 19: 'T',20: 'U', 21: 'V', 22: 'W', 23: 'X', 24: 'Y', 25: 'Z'}out = "HLMPWKGLYSWFACEWBYRSUKYFAXZFXDKOTZHHSLFCXNICAHPGRIFUF"
letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"##根据题目，flag开头是BuildCTF{转换为BUILDCTFX，至少可以爆破出9位key
##第一轮推出部分key
key = ""
flag = "BUILDCTFX"
n = len(flag)
for i in range(n):letter = flag[i]for j in letters:x = (dict1[letter] + dict1[j]) % 26if dict2[x] == out[i]:key = key + jbreak
print(key)
#key=GREETINGB##根据题目，key参与AES加密，且key=key*2，通常key长度为16，推断出key长度是8，第一轮推出key为GREETINGB，那么正常的key是GREETING,从第9位B开始，是叠加flag，即BUILDCTFX。
##第二轮推出部分flag
flag = ""
while True:key_ = "GREETING"key = key_ + flagif len(key) > len(out):key = key[0:len(out)]m = len(key)for i in range(m):letter = key[i]for j in letters:x = (dict1[letter] + dict1[j]) % 26if dict2[x] == out[i]:flag = flag + jbreakprint(flag)if len(flag) >= len(out):break
#flag=BUILDCTFBUILDCTFXYOUXALRBUILDCTFXYOUXALRAEJHRIFADZLLADZX
#替换为{}_

BuildCTF{YOU_ALREADY_KNOW_WHAT_A_CLASSICAL_CIPHER_IS}

3.ominous

from Crypto.Util.number import *
from secret import flag
import random
import stringOminous_dic = ['啊', '米', '诺', '斯']
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()assert all(char in flag_word for char in flag)msg = bytes_to_long(flag)
random.shuffle(Ominous_dic)def Ominous_enc(msg):res = 0for idx, word in enumerate(Ominous_dic):res += random.randint(0, 200) * ord(word) * (2 ** (50 * (idx + 1)))return res + msgcipher = Ominous_enc(msg)
print(f'cipher = {cipher}')
# cipher = 11174132013050242293373893046306047184706656363469879247040688497021

from libnum import *
import itertools
import string
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
cipher = 11174132013050242293373893046306047184706656363469879247040688497021
Ominous_dic = ['啊', '米', '诺', '斯']
all_list = []for i in itertools.permutations(Ominous_dic,4):tmp = [i[0],i[1],i[2],i[3]]all_list.append(tmp)for i in all_list:print(i)##因为j0最小，对结果影响也最小，先爆破出j1,j2,j3的范围for j0 in range(0,1):tmp0 = j0 * ord(i[0]) * (2 ** (50 * (0 + 1)))for j1 in range(0,201):tmp1 = j1 * ord(i[1]) * (2 ** (50 * (1 + 1)))for j2 in range(0,201):tmp2 = j2 * ord(i[2]) * (2 ** (50 * (2 + 1)))for j3 in range(0,201):tmp3 = j3 * ord(i[3]) * (2 ** (50 * (3 + 1)))res = tmp0 + tmp1 + tmp2 + tmp3out1 = cipher-restry:out = n2s(out1)if b"BuildCTF{" in out:print(j0,j1,j2,j3)pos = Truefor j in out:if j not in flag_word:pos = Falsebreakif pos == True:print(j0,j1,j2,j3)print(out1)print(out)except:passres = 0

['诺', '斯', '米', '啊']
0 0 42 119
0 1 42 119
0 2 42 119
0 3 42 119
………………
['斯', '诺', '米', '啊']
0 0 42 119
0 1 42 119
0 2 42 119
0 3 42 119
…………………
发现规律，修正代码缩小爆破范围

from libnum import *
import itertools
import string
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()
cipher = 11174132013050242293373893046306047184706656363469879247040688497021
Ominous_dic = ['啊', '米', '诺', '斯']
all_list = [['诺', '斯', '米', '啊'],['斯', '诺', '米', '啊']]for i in all_list:print(i)##因为j0最小，对结果影响也最小，先爆破出j1,j2,j3的范围for j0 in range(0,201):tmp0 = j0 * ord(i[0]) * (2 ** (50 * (0 + 1)))for j1 in range(0,201):tmp1 = j1 * ord(i[1]) * (2 ** (50 * (1 + 1)))for j2 in range(42,43):tmp2 = j2 * ord(i[2]) * (2 ** (50 * (2 + 1)))for j3 in range(119,120):tmp3 = j3 * ord(i[3]) * (2 ** (50 * (3 + 1)))res = tmp0 + tmp1 + tmp2 + tmp3out1 = cipher-res			try:out = n2s(out1)if b"BuildCTF{" in out:					pos = Truefor j in out:if j not in flag_word:pos = Falsebreakif pos == True:print(j0,j1,j2,j3)print(out1)print(out)except:passres = 0

['诺', '斯', '米', '啊']
51 34 42 119
6998911667306495936139354047122483151410244697241827169626933502333
b'BuildCTF{Wh@wsuu_0mwkous!!!}'
51 79 42 119
6998911667306495936139354047120998231835390350462060938975672082813
b'BuildCTF{Wh@vUyE_0mwkous!!!}'
51 82 42 119
6998911667306495936139354047120899237197066727343409856932254654845
b'BuildCTF{Wh@vBhu_0mwkous!!!}'
51 113 42 119
6998911667306495936139354047119876292601055955117348675816941232509
b'BuildCTF{Wh@u}ee_0mwkous!!!}'
51 158 42 119
6998911667306495936139354047118391373026201608337582445165679812989
b'BuildCTF{Wh@t_i5_0mwkous!!!}'
51 161 42 119
6998911667306495936139354047118292378387877985218931363122262385021
b'BuildCTF{Wh@tLXe_0mwkous!!!}'
72 34 42 119
6998911667306495936139354047122483151410244696394571727129163145597
b'BuildCTF{Wh@wsuu_0mI}gus!!!}'
72 79 42 119
6998911667306495936139354047120998231835390349614805496477901726077
b'BuildCTF{Wh@vUyE_0mI}gus!!!}'
72 82 42 119
6998911667306495936139354047120899237197066726496154414434484298109
b'BuildCTF{Wh@vBhu_0mI}gus!!!}'
72 113 42 119
6998911667306495936139354047119876292601055954270093233319170875773
b'BuildCTF{Wh@u}ee_0mI}gus!!!}'
72 158 42 119
6998911667306495936139354047118391373026201607490327002667909456253
b'BuildCTF{Wh@t_i5_0mI}gus!!!}'
72 161 42 119
6998911667306495936139354047118292378387877984371675920624492028285
b'BuildCTF{Wh@tLXe_0mI}gus!!!}'
83 34 42 119
6998911667306495936139354047122483151410244695950771257249378673021
b'BuildCTF{Wh@wsuu_0m1nous!!!}'
83 79 42 119
6998911667306495936139354047120998231835390349171005026598117253501
b'BuildCTF{Wh@vUyE_0m1nous!!!}'
83 82 42 119
6998911667306495936139354047120899237197066726052353944554699825533
b'BuildCTF{Wh@vBhu_0m1nous!!!}'
83 113 42 119
6998911667306495936139354047119876292601055953826292763439386403197
b'BuildCTF{Wh@u}ee_0m1nous!!!}'
83 158 42 119
6998911667306495936139354047118391373026201607046526532788124983677
b'BuildCTF{Wh@t_i5_0m1nous!!!}'
83 161 42 119
6998911667306495936139354047118292378387877983927875450744707555709
b'BuildCTF{Wh@tLXe_0m1nous!!!}'
179 34 42 119
6998911667306495936139354047122483151410244692077603520116714185085
b'BuildCTF{Wh@wsuu_0l_wous!!!}'
179 79 42 119
6998911667306495936139354047120998231835390345297837289465452765565
b'BuildCTF{Wh@vUyE_0l_wous!!!}'
179 82 42 119
6998911667306495936139354047120899237197066722179186207422035337597
b'BuildCTF{Wh@vBhu_0l_wous!!!}'
179 113 42 119
6998911667306495936139354047119876292601055949953125026306721915261
b'BuildCTF{Wh@u}ee_0l_wous!!!}'
179 158 42 119
6998911667306495936139354047118391373026201603173358795655460495741
b'BuildCTF{Wh@t_i5_0l_wous!!!}'
179 161 42 119
6998911667306495936139354047118292378387877980054707713612043067773
b'BuildCTF{Wh@tLXe_0l_wous!!!}'
190 34 42 119
6998911667306495936139354047122483151410244691633803050236929712509
b'BuildCTF{Wh@wsuu_0lGhwus!!!}'
190 79 42 119
6998911667306495936139354047120998231835390344854036819585668292989
b'BuildCTF{Wh@vUyE_0lGhwus!!!}'
190 82 42 119
6998911667306495936139354047120899237197066721735385737542250865021
b'BuildCTF{Wh@vBhu_0lGhwus!!!}'
190 113 42 119
6998911667306495936139354047119876292601055949509324556426937442685
b'BuildCTF{Wh@u}ee_0lGhwus!!!}'
190 158 42 119
6998911667306495936139354047118391373026201602729558325775676023165
b'BuildCTF{Wh@t_i5_0lGhwus!!!}'
190 161 42 119
6998911667306495936139354047118292378387877979610907243732258595197
b'BuildCTF{Wh@tLXe_0lGhwus!!!}'
['斯', '诺', '米', '啊']
74 3 42 119
6998911667306495936139354047123468815669753357358225859397902475645
b'BuildCTF{Wh@x1Ju_0mqdOus!!!}'
74 27 42 119
6998911667306495936139354047122378615871147476421268270694027829629
b'BuildCTF{Wh@w_Su_0mqdOus!!!}'
74 59 42 119
6998911667306495936139354047120925016139672968505324819088861634941
b'BuildCTF{Wh@vG_u_0mqdOus!!!}'
74 83 42 119
6998911667306495936139354047119834816341067087568367230384986988925
b'BuildCTF{Wh@uuhu_0mqdOus!!!}'
115 3 42 119
6998911667306495936139354047123468815669753356156585539922068316541
b'BuildCTF{Wh@x1Ju_0m0@3us!!!}'
115 27 42 119
6998911667306495936139354047122378615871147475219627951218193670525
b'BuildCTF{Wh@w_Su_0m0@3us!!!}'
115 59 42 119
6998911667306495936139354047120925016139672967303684499613027475837
b'BuildCTF{Wh@vG_u_0m0@3us!!!}'
115 83 42 119
6998911667306495936139354047119834816341067086366726910909152829821
b'BuildCTF{Wh@uuhu_0m0@3us!!!}'优先找出有意义有规律的字符，逐一提交尝试

BuildCTF{Wh@t_i5_0m1nous!!!}

4.gift

from Crypto.Util.number import *
from secret import flagdef get_gift(p, q):noise = getPrime(40)p, q = p + 2 * noise + 1, q - pow(noise, 2)gift = 2024 * (p + q)return giftp = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x10001
m = bytes_to_long(flag)c = pow(m, e, n)
gift = get_gift(p, q)print(f'c = {c}')
print(f'n = {n}')
print(f'gift = {gift}')
'''
c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
n = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872
'''

gift = 2024 * (p + q)
可以变换为
gift = 2024*(p1+p2-(noise-1)**2)
gift//2024 = p1+p2-(noise-1)**2
发现gift//2024的bit长度是513，p+q的bit长度是512-513，noise的bit长度是40，差距太大，可以构造右偏>>，抵消掉(noise-1)**2，仅泄露p+q的高位

#sage
from Crypto.Util.number import *
c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
n = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872
gift = (gift//2024) >> 233
print(gift)
e = 65537
BITS = 233PR.<x> = PolynomialRing(RealField(1000))
f = x * ((gift << BITS) - x) - n
p2high = int(f.roots()[0][0])PR.<x> = PolynomialRing(Zmod(n))
f = p2high + x
res = f.small_roots(X=2^(BITS+10), beta=0.4, epsilon=0.01)[0]
p2 = int(p2high + res)
#print(p2)
q2 = n // p2
#print(q2)
d2 = inverse_mod(e, (p2-1)*(q2-1))
leak2 = pow(c, d2, n)
#print(leak2)
print(long_to_bytes(int(leak2)))

BuildCTF{M@y_b3_S0m3th1ng_go_wr0ng}

5.mitm

from Crypto.Util.number import *
from Crypto.Util.Padding import *
from hashlib import sha256
from Crypto.Cipher import AES
from random import *
from secret import flagnote = b'Crypt_AES*42$@'
r = 4
keys = []for i in range(r):key = bytes(choices(note, k=3))print(key)print(sha256(key).digest())keys.append(sha256(key).digest())
print(keys)leak = b'Hello_BuildCTF!!'
cipher = leak
for i in range(r):cipher = AES.new(keys[i], AES.MODE_ECB).encrypt(cipher)enc_key = sha256(b"".join(keys)).digest()
enc_flag = AES.new(enc_key, AES.MODE_ECB).encrypt(pad(flag, AES.block_size))print(f'cipher = {cipher}')
print(f'enc_flag = {enc_flag}')
# cipher = b'\xb9q\x04\xa3<\xf0\x11-\xe9\xfbo:\x9aQn\x81'
# enc_flag = b'q\xcf\x08$%\xb0\x86\xee\x1a(b\x7f\xf8\x86\xbd\xd0\xa7\xee\xd9\x9d2\x82a7H=a\x13\x87e\xad\xd2b\x8e\x07\xa5\xddo\xc0\xf3N\xd4b\xc9o\x88$\xc7\xf4p\xc1\x1e,\xed\xcc\x94\x8c\xf4\x00\xa5\xe0-\xf7\xc5'

##第一轮，爆破出中间值，第二轮调整脚本，爆破出四个最初随机值
from Crypto.Util.number import *
from Crypto.Util.Padding import *
from hashlib import sha256
from Crypto.Cipher import AES
import itertoolsnote = b'Crypt_AES*42$@'
note_l = []
#for i in itertools.product(note,repeat=3):
for i in itertools.product(note,repeat=3):tmp = (chr(i[0]) + chr(i[1]) + chr(i[2])).encode()note_l.append(tmp)
print(len(note_l))res1 = []
res2 = []
#xxx= []
#res = b'\xd0\xe8]\x1dIQ\x93S\x7f\xe1\xda\x90\xe5\x19\xe6\xb8'
n = 0
for i in itertools.permutations(note_l,2):cipher = b'Hello_BuildCTF!!'out = b'\xb9q\x04\xa3<\xf0\x11-\xe9\xfbo:\x9aQn\x81'for j in i:res2.append(j)key = sha256(j).digest()cipher = AES.new(key, AES.MODE_ECB).encrypt(cipher)out = AES.new(key, AES.MODE_ECB).decrypt(out)#if res == cipher:#    xxx.append(f"前：{str(i)},{str(n)}")#if res == out:#    xxx.append(f"后：{str(i)},{str(n)}")n = n + 1print(n)res1.append(cipher)res2.append(out)
res_ = set(res1) & set(res2)
print(res_)
#print(xxx)
#中间值为b'\xd0\xe8]\x1dIQ\x93S\x7f\xe1\xda\x90\xe5\x19\xe6\xb8'
#四个随机值["前：(b'ppS', b'4p4'),1752045", "后：(b'SS2', b'Cyr'),4638442"]

enc_flag = b'q\xcf\x08$%\xb0\x86\xee\x1a(b\x7f\xf8\x86\xbd\xd0\xa7\xee\xd9\x9d2\x82a7H=a\x13\x87e\xad\xd2b\x8e\x07\xa5\xddo\xc0\xf3N\xd4b\xc9o\x88$\xc7\xf4p\xc1\x1e,\xed\xcc\x94\x8c\xf4\x00\xa5\xe0-\xf7\xc5'
#调整随机值的顺序
keys = [b'ppS', b'4p4', b'Cyr',b'SS2']
x = []
for j in keys:x.append(sha256(j).digest())enc_key = sha256(b"".join(x)).digest()
flag = AES.new(enc_key, AES.MODE_ECB).decrypt(enc_flag)
print(flag)
#b'BuildCTF{M1tm_i5_@_simple_w@y_t0_s0lve_pr0bl3m!}\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10'

BuildCTF{M1tm_i5_@_simple_w@y_t0_s0lve_pr0bl3m!}

6.where is my n?

from Crypto.Util.number import*
from gmpy2 import*flag = "..."
e=65537
p=getPrime(512)
q=gmpy2.next_prime(p)
n=p*q
phi=(p-1)*(q-1)
d=inverse(e,phi)
c=pow(flag,e,n)
print("c=",c)
print("e=",e)
print("d=",d)
# c= 107973408658512316248795675829719026556281556876279221462095299771897472835817102507431099132436173117611783572607408542140665445616624626408781699266046553444252772105867617770124779786841928535661872891635303381758336724610931502145965143374870804147444436791292512235485326451051756451904673491759905663466
# e= 65537
# d= 62036379179617188220635702722848631787124203142048526951004487465970915306760341332025319712290841316288636152355908585406155087541334717529113872233640624205650204907669681116401961584897042519881342485819364897891612540596760113597723865477121348794797592568686540283535491492936074500143092361821406613969

import sympy
import gmpy2
import binascii
import libnum
c= 107973408658512316248795675829719026556281556876279221462095299771897472835817102507431099132436173117611783572607408542140665445616624626408781699266046553444252772105867617770124779786841928535661872891635303381758336724610931502145965143374870804147444436791292512235485326451051756451904673491759905663466
e= 65537
d= 62036379179617188220635702722848631787124203142048526951004487465970915306760341332025319712290841316288636152355908585406155087541334717529113872233640624205650204907669681116401961584897042519881342485819364897891612540596760113597723865477121348794797592568686540283535491492936074500143092361821406613969
ed_1 = e * d -1
p=0
q=0
for k in range((2**24),1,-1):if ed_1 % k == 0:phin = (ed_1 // k)#print(phin)phin_2 = gmpy2.iroot(phin,2)#print(phin_2[0])p = sympy.prevprime(phin_2[0])q = sympy.nextprime(p)if (p-1)*(q-1)*k == ed_1:break
print(p)
print(q)
n=p*q
print(n)
m=gmpy2.powmod(c,d,n)
print(m)
print(libnum.n2s(int(m)))

BuildCTF{Y0u_F1nd_7he_n_success7u1_!}

7.ezzzzz_RSA

import libnum
from Crypto.Util.number import *flag = b'BuildCTF{*******}'m = libnum.s2n(flag)e = 65537
q = getPrime(1024)
q1 = getPrime(1024)
p = getPrime(1024)
p1 = getPrime(1024)n = p * q
n1 = q * p1
n2 = p * q1
c = pow(m, e, n)
h0 = pow(2023 * p + 2024, q1, n2)
h1 = pow(2024 * p1 + 2023 * q, 113, n1)
h2 = pow(2023 * p1 + 2024 * q, 629, n1)print(f'n1 = {n1}')
print(f'n2 = {n2}')
print(f'c = {c}')
print(f"h0 = {h0}")
print(f"h1 = {h1}")
print(f"h2 = {h2}")"""
n1 = 19957426023169626195602761840035904096149402534966487535713447987366768645542881124782551268978342063458430846877824210659778126281705984711061190351636497944943321988950188171159903717348936556346198638311950016136865425015037098270040031872702873264144372191898253134939805153141701819590164140250130420280491966786900651186941317959556066730959744279963976065565436153399679475410040773637142677936926894677919242351610457296203864806991539480593546084449323017670431590012312526757477514457145686070196978477495658962519391041011847512041022828710693830661412217389320600888361578917153088073678587422269955710471
n2 = 11933661747067216317642315621042074566046499785197709817779978157416906347669444374234313329064859622960743743511735672614999566264025648698589886185056758071718319964262619819143757922916624196354313322456534266520150543008117888101349920396737532937616502689667208207329048979872222563877933742673021891249520999021187404065706388700711208445628041386956459398271230236018476964839399245143666534359113777846535151773174701732284280083586580489995666306373839417946648196140879978268472361473557375951972193618245984950374326806423407152520541682571610372434453778172497925696535270204943842467472100237854318244291
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
h0 = 2996726009726260695732821166504040344731102637047682432884058857493935625094258046641569918904978173116793673563730117949606727933902262668880339210084101176866383602543966179840353633735507442926707342258391362245904850297416642271123328980812931025677857373199540129280097315832907023777052101133649877194495480543646472133854655383755313968952550827443970931104462445312146328606862802196901953935238972759852435882720786570965542286278549107402918041194008845717507735786897968734831064393337773557817839343449001368565856921138408039931608804233595980497557733714560035682416265029819340316734845279080134432704
h1 = 19843160604742228074331688651361052208481287636527838615063387670722213224954610448720065937378201545177278841575633697012434074186046556843292068835752113384756149944114298949115412819730843598288637259467085268861201775723817790428386595559040938133481222229290199923979132846871398172318539492741755408720073350962388138453341677009547616238262211176727424067946020683742262782319735286357465817786446238528187722959357444676512705451504136333336415880020502524009647940182721264953084120705872870651891290569527156804993340563927419561415555818468261824287933683736509372616293569615247228388443284457740072850735
h2 = 15147052684674827267989051566164167603473413362261253296001082161136918959833294463185335416662127368473980239667918561600741667513285708843081475074688239507330230558331408877583246661862040918410036936505307437329914363201630212163952357444441705663871720438955166472073576526814546767805314463827075388036712200327696168965762177567346966479399896578190111819130000991594490932388132188241726654756368698998232826340969288082645860324404980143489489946490266439447342461483490582149239131554246756547000945718737195930407251232848166108751122870333559461452459416252942341423373918245090162970624108991537972775066
"""

from gmpy2 import *
e = 65537
n1 = 19957426023169626195602761840035904096149402534966487535713447987366768645542881124782551268978342063458430846877824210659778126281705984711061190351636497944943321988950188171159903717348936556346198638311950016136865425015037098270040031872702873264144372191898253134939805153141701819590164140250130420280491966786900651186941317959556066730959744279963976065565436153399679475410040773637142677936926894677919242351610457296203864806991539480593546084449323017670431590012312526757477514457145686070196978477495658962519391041011847512041022828710693830661412217389320600888361578917153088073678587422269955710471
n2 = 11933661747067216317642315621042074566046499785197709817779978157416906347669444374234313329064859622960743743511735672614999566264025648698589886185056758071718319964262619819143757922916624196354313322456534266520150543008117888101349920396737532937616502689667208207329048979872222563877933742673021891249520999021187404065706388700711208445628041386956459398271230236018476964839399245143666534359113777846535151773174701732284280083586580489995666306373839417946648196140879978268472361473557375951972193618245984950374326806423407152520541682571610372434453778172497925696535270204943842467472100237854318244291
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
h0 = 2996726009726260695732821166504040344731102637047682432884058857493935625094258046641569918904978173116793673563730117949606727933902262668880339210084101176866383602543966179840353633735507442926707342258391362245904850297416642271123328980812931025677857373199540129280097315832907023777052101133649877194495480543646472133854655383755313968952550827443970931104462445312146328606862802196901953935238972759852435882720786570965542286278549107402918041194008845717507735786897968734831064393337773557817839343449001368565856921138408039931608804233595980497557733714560035682416265029819340316734845279080134432704
h1 = 19843160604742228074331688651361052208481287636527838615063387670722213224954610448720065937378201545177278841575633697012434074186046556843292068835752113384756149944114298949115412819730843598288637259467085268861201775723817790428386595559040938133481222229290199923979132846871398172318539492741755408720073350962388138453341677009547616238262211176727424067946020683742262782319735286357465817786446238528187722959357444676512705451504136333336415880020502524009647940182721264953084120705872870651891290569527156804993340563927419561415555818468261824287933683736509372616293569615247228388443284457740072850735
h2 = 15147052684674827267989051566164167603473413362261253296001082161136918959833294463185335416662127368473980239667918561600741667513285708843081475074688239507330230558331408877583246661862040918410036936505307437329914363201630212163952357444441705663871720438955166472073576526814546767805314463827075388036712200327696168965762177567346966479399896578190111819130000991594490932388132188241726654756368698998232826340969288082645860324404980143489489946490266439447342461483490582149239131554246756547000945718737195930407251232848166108751122870333559461452459416252942341423373918245090162970624108991537972775066
h1x = pow(h1 * pow(2023,113,n1),629,n1)
h2x = pow(h2 * pow(2024,629,n1),113,n1)
q = gcd(h2x-h1x,n1)
print("q",q)
#h0 = pow(2023 * p + 2024, q1, n2)
kp = h0-pow(2024,n2,n2)
p = gcd(n2,kp)
print("p",p)f = (p-1)*(q-1)
d = invert(e,f)
m = pow(c,d,p*q)
print(bytes.fromhex(hex(m)[2:]))

BuildCTF{29g5blh5-7829-5k38-a836-9bk54h291h6}

8.Ju5t_d3c0de_1t!

e = 'VTJGc2RHVmtYMThUWGplSkN2YzJwazJ2KzJieQ=='
c = 10110011010010110101101101011110100001010100101110111011101101111101101001000010111010010011101111001111111000000001111000000010101
p = 1100010000110101100011011010101011111101001101010011001010110111100011110110101111000101100001011011001100110010010111111100110000001111010111111101111001100111100011100110110011101011111011100111010011000100011001101101111011010110000011011100101010010101110001011011010111001010101101100101011111101000110010111000011010111001101001
q = 11000010010010011110101110100011011100101101100100011011100010111000011110111000000011111100010100100000101101010101000101101101101011011100001101111010001010010011001010110010110101001100100011010110100011110011101110101110111110100000011110101010011011111010111100011000011111001000010101100100011110010000010001110010101100100111001
key = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953143489192628648965081601335846012859223829286606349019
# use m minus key to get the final flag!

先把数值统一转换成10进制
c = 1906584693582914593452011253925635223573
p = 26822418715463991126474380526303016593205006542806731721157536330312275372018305158474258610131152489
q = 53119776651079682777961960430388001309363199658704012861472783500082899623940177739319812176312097081
盲猜e=65537
标准RSA解密得到
m = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953170941195555713574085320418093758492523024516823025404 
根据提示m - key后转字符串

BuildCTF{I_l1k3_crypt0_5o_h4rd!}

9.girls_band_cry_pto

from Crypto.Util.number import *
import gmpy2def getprime(kbit,FLAG):a = getPrime(kbit)b = getPrime(kbit)N = getPrime(kbit+5)seed = getPrime(kbit)t = seedlist_t = []for i in range(10):t = (a*t+b)%Nlist_t.append(t)if FLAG:print(list_t)return seedp = getprime(512,1)
q = getprime(512,0)
flag = b'...'
flag = bytes_to_long(flag)
n = p*q
e = 1384626assert flag.bit_length() < n.bit_length()//2c = pow(flag,e,n)
print('c=',c)''''''
[37382128984932009103055100236038298684187701771245912912208816283882352432386956435965036367810667394024993955812239704879381327228911265588017046627348503, 78860822396220922181257740301787328387654351181949135165584053897837116358564567613593406267620270397593757280733139576593428399156673217202739776358215953, 71961258377748802736482119449608198361898650603044501972923193831637292104436919483148544126546157761435847502622416800596454167412705966674707485447149592, 87271087644907910379168026089161507515679859469787715709089631773745967695993043069981508275969979669395420678260957179827954920361899134388830957711827969, 72060448202158281754256475874109091993193239479491265267010728401711694585210195554635415348891139571830347004379216450772696235700910532153698412887476412, 198822737610698203376629161658629276556973499054887457432530950247888991546498594767954251786997515337433684733300663470799887569646159225800449429896258899, 186920895499932700150962847893153648403293237986492275627558112493385728113172211076262656795948951216023567806119078906412693819469136004563793414149643278, 56472634592713718635518027850351194341092172882542912776939953869983486542308422043454035086533070566859787384014556343587278097326244663175874047755695694, 42665120723108982921319232615099077060109901818313520605789700720605479528247045699344736360219784997528870841912999130951916510491705708498185762196467897, 205629005887807114384057131575309344114082007367662384600399313743755704623421415135564859072125246431180953419843187244789534372794288258609006920825136808]
c= 51846448616255629242918159354807752786692784645460532308823434086479848425723111371477823327980874708898952566998637230358105087254392989515438172155717708590176244736140994735777168368143405720703501031813936741444894000217727880068767785957507824708838189619286341612305393812568642372035793481458142583420
'''

先用LCG求seed，即p

p=11406146503880823399297963629845559494461007497449751823413253129053497454943898251983630826960583790125622063400069720120655389759003474122064810099132057

import sympy
from libnum import *
p = 11406146503880823399297963629845559494461007497449751823413253129053497454943898251983630826960583790125622063400069720120655389759003474122064810099132057
c= 51846448616255629242918159354807752786692784645460532308823434086479848425723111371477823327980874708898952566998637230358105087254392989515438172155717708590176244736140994735777168368143405720703501031813936741444894000217727880068767785957507824708838189619286341612305393812568642372035793481458142583420
e = 1384626m = sympy.nthroot_mod(c,e,p,all_roots=True)
print(m)
print("")for i in m:flag_int = int(i)print(flag_int)print(n2s(flag_int))print("")

BuildCTF{crypt0_15_s0_e@5y!}

10.QAQ补药把这道古典BuildCTF题爆了

lzs macfo ilpyj uylpiva ng ncfl vwtfavazig hywi{15 1g pth@?cq owex wpq ogr sjb e'o gwnxept wdbqv.qhylzpjp{60_r@a_^^kcdhv!!!}}

题目的提示
Siu!!!
看懂描述了吗罗需要用到密码的古典加密，大概率是维吉尼亚

出现部分明文，估计要继续解密，密钥kfc

继续解密，密钥cronaldo

按照3轮维吉尼亚解密，共出现12种可能
BuildCTF{60_n@w_^^anqaq!!!}
BuildCTF{43_b@a_^^opnxr!!!}
BuildCTF{60_p@k_^^anqaq!!!}
BuildCTF{65_v@r_^^xvlxy!!!}
BuildCTF{48_j@v_^^lxiuz!!!}
BuildCTF{65_x@f_^^xvlxy!!!}
BuildCTF{82_l@m_^^mlgmo!!!}
BuildCTF{65_z@q_^^andjp!!!}
BuildCTF{82_n@a_^^mlgmo!!!}
BuildCTF{87_t@h_^^jtbjw!!!}
BuildCTF{60_h@l_^^xvygx!!!}
BuildCTF{87_v@v_^^jtbjw!!!}

BuildCTF{60_n@w_^^anqaq!!!}

11.ez_matrix

#SageMath 9.5
from Crypto.Util.number import *
from gmpy2 import powmod
from secret import msgdef pad(x, pad_length):return x + b'\x00' * (pad_length - len(x))def rsa_gen(bits):p = getPrime(bits)q = getPrime(bits)return p, qbits = 1024
pad_length = 200
matrix_size = 32
e = 65537p, q = rsa_gen(bits)
n = p * q
m = bytes_to_long(pad(msg, pad_length))
c = powmod(m, e, n)p_binary = bin(p).replace('0b', '').zfill(bits)
q_binary = bin(q).replace('0b', '').zfill(bits)P = matrix(GF(2), [list(map(int, p_binary[i:i+matrix_size])) for i in range(0, len(p_binary), matrix_size)])
Q = matrix(GF(2), [list(map(int, q_binary[i:i+matrix_size])) for i in range(0, len(q_binary), matrix_size)])
gift = P.solve_right(Q)with open('output', 'w') as file:file.write(f'c = {c}\n')file.write(f'p ^ q = {p ^^ q}\n')file.write('gift:\n')for row in gift:file.write(' '.join(map(str, row)) + '\n')'''
c = 5750862006780374919287214285692236210204656897730327429454502213453716609006462693326927544526483929921956237739564314742381291228170724611684726314766300684189083862768843433748971907962075938141567163713163231477418107343867114651242407427262164467193346523730926798966915657982552864539513197192523866321569716738540583056085357621328692775578162692288348251605475475005408200801081747601745630186390866011595954211521326069111983199120520535552104591110478015154646709731714695120857959832894595677697407284511806934799265823961155753765208975629786832407640872204810033141414096894416317703257346937008503926274
p ^ q = 89144063720545532404936347749976033995959352088369581593483294017916269127126015515514164556238892315116219488234599276283755643115494368387307879815221830970632672104176330851649236203019768799744400071934922875736029236458980333704716550922984411453411523931115952319603510996580835848026227775168231757398
gift:
0 0 1 0 1 1 1 0 0 1 0 0 0 0 1 1 0 0 1 0 0 1 0 0 0 1 0 0 1 1 0 0
1 0 1 0 0 0 0 1 0 1 1 1 1 1 0 1 0 1 1 1 0 1 0 0 0 1 1 0 0 0 0 1
0 1 0 1 1 1 1 1 0 1 1 0 1 0 0 1 0 0 0 1 1 0 1 1 0 1 1 1 1 0 0 0
0 1 1 1 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 1 1 1 1 0 1 0 1 1 0 1
0 1 0 1 1 1 1 0 1 0 0 1 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 1 0 1 1
1 1 1 0 0 1 0 0 0 1 0 1 0 0 0 0 1 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1
1 0 1 0 1 1 1 0 1 1 1 0 1 1 1 1 0 0 0 0 0 0 1 0 1 0 1 0 0 1 0 0
1 0 1 0 1 0 1 0 1 1 0 1 1 1 0 0 1 0 1 0 0 1 0 0 0 1 1 1 1 0 1 0
0 0 1 0 1 1 1 0 1 1 1 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 1 0 1 0 1 1
1 0 0 0 0 0 0 1 1 1 1 1 1 0 1 1 0 0 0 0 0 0 0 1 0 1 1 0 1 1 1 1
1 0 0 0 1 1 0 0 1 1 0 1 1 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 1 1 1
0 0 1 1 1 0 1 0 0 0 1 0 1 0 1 1 1 0 0 1 1 1 0 1 0 1 1 1 1 0 0 0
1 1 0 0 1 1 0 1 0 1 0 1 0 0 1 0 0 0 0 0 1 0 1 1 1 0 1 0 1 1 0 1
1 0 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 0 1 1 1 1 0 0 1 0 0 1 0 1 1 0
1 0 0 1 1 1 0 1 1 1 0 0 0 1 1 0 0 0 1 1 0 0 1 1 0 0 0 0 0 1 1 1
1 0 0 1 0 0 1 0 1 1 1 1 0 0 1 1 1 1 0 0 1 0 1 1 0 0 0 0 1 1 1 0
0 1 0 0 0 1 0 0 1 0 0 0 0 0 0 0 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0 1
0 0 0 1 0 1 1 1 1 0 1 1 1 1 0 0 0 0 1 0 0 0 0 0 0 1 1 0 1 1 0 1
0 0 1 1 1 1 1 0 0 1 0 0 1 1 1 0 0 0 0 1 1 1 0 0 1 0 0 1 0 1 0 0
0 1 0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 0 0 1 0 0 0 0 0 0 1 1 0 0 1 1
1 0 0 0 0 0 0 0 1 1 1 1 0 1 1 0 0 1 0 1 0 1 1 1 1 0 1 1 0 0 0 1
0 0 0 0 0 0 1 0 1 1 1 1 1 0 1 0 0 0 1 1 0 1 1 1 0 0 1 1 1 1 1 1
0 1 0 1 1 0 0 1 0 0 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1
1 1 0 0 0 1 1 0 1 1 0 0 0 0 0 0 1 0 0 1 0 1 1 0 0 1 0 0 1 0 1 1
1 1 0 0 0 0 0 1 1 0 0 0 1 1 1 1 1 1 0 1 1 1 1 1 1 0 0 1 0 1 1 0
0 1 1 1 0 1 0 1 0 0 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 0 0
0 1 0 1 1 0 0 0 0 1 1 1 1 1 1 0 1 0 1 0 1 0 1 1 0 0 1 1 0 0 1 0
1 1 1 1 1 0 1 1 0 0 0 1 0 0 1 0 0 0 0 1 0 0 1 1 0 1 1 0 0 0 1 1
1 1 1 1 1 1 1 0 1 1 1 0 0 1 0 1 0 1 1 0 0 0 0 1 1 1 0 1 0 0 0 0
0 1 1 1 1 0 0 1 1 0 1 1 1 0 1 1 0 1 0 0 0 1 0 1 1 0 0 0 0 0 1 1
0 1 1 0 1 0 1 0 1 0 1 0 0 0 1 1 1 1 0 0 0 0 1 1 0 1 0 1 1 1 1 1
0 1 1 0 1 1 0 1 1 0 1 0 0 1 0 0 0 1 1 0 1 0 1 1 0 0 1 1 0 1 1 1
'''

#sage
from libnum import *
from gmpy2 import *
c = 5750862006780374919287214285692236210204656897730327429454502213453716609006462693326927544526483929921956237739564314742381291228170724611684726314766300684189083862768843433748971907962075938141567163713163231477418107343867114651242407427262164467193346523730926798966915657982552864539513197192523866321569716738540583056085357621328692775578162692288348251605475475005408200801081747601745630186390866011595954211521326069111983199120520535552104591110478015154646709731714695120857959832894595677697407284511806934799265823961155753765208975629786832407640872204810033141414096894416317703257346937008503926274
leak = 89144063720545532404936347749976033995959352088369581593483294017916269127126015515514164556238892315116219488234599276283755643115494368387307879815221830970632672104176330851649236203019768799744400071934922875736029236458980333704716550922984411453411523931115952319603510996580835848026227775168231757398
matrix_size = 32
I = matrix.identity(32)
G = [[0,0,1,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,0,0,1,0,0,0,1,0,0,1,1,0,0],
[1,0,1,0,0,0,0,1,0,1,1,1,1,1,0,1,0,1,1,1,0,1,0,0,0,1,1,0,0,0,0,1],
[0,1,0,1,1,1,1,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0],
[0,1,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,1,0,1,1,0,1],
[0,1,0,1,1,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,1,0,0,1,0,0,1,0,1,1],
[1,1,1,0,0,1,0,0,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,1,1],
[1,0,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,0,0,1,0,0],
[1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,0,1,0,1,0,0,1,0,0,0,1,1,1,1,0,1,0],
[0,0,1,0,1,1,1,0,1,1,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,1,1],
[1,0,0,0,0,0,0,1,1,1,1,1,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,0,1,1,1,1],
[1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1],
[0,0,1,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,0,0],
[1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,0,0,0,0,0,1,0,1,1,1,0,1,0,1,1,0,1],
[1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,0,1,1,1,1,0,0,1,0,0,1,0,1,1,0],
[1,0,0,1,1,1,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1],
[1,0,0,1,0,0,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,1,0,0,0,0,1,1,1,0],
[0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1,0,0,1,0,1,1,1,1,1,0,0,1],
[0,0,0,1,0,1,1,1,1,0,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1],
[0,0,1,1,1,1,1,0,0,1,0,0,1,1,1,0,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,0],
[0,1,0,0,0,0,1,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,1,0,0,1,1],
[1,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,0,1,1,0,0,0,1],
[0,0,0,0,0,0,1,0,1,1,1,1,1,0,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1],
[0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1],
[1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1],
[1,1,0,0,0,0,0,1,1,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,0,1,0,1,1,0],
[0,1,1,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0,0,0,1,0,0],
[0,1,0,1,1,0,0,0,0,1,1,1,1,1,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,0,1,0],
[1,1,1,1,1,0,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,1,0,1,1,0,0,0,1,1],
[1,1,1,1,1,1,1,0,1,1,1,0,0,1,0,1,0,1,1,0,0,0,0,1,1,1,0,1,0,0,0,0],
[0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,1,0,1,0,0,0,1,0,1,1,0,0,0,0,0,1,1],
[0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,1,1],
[0,1,1,0,1,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1]]G = Matrix(GF(2),G)
leak_bin = bin(leak)[2:].zfill(1024)
# 初始化一个空列表来存储每一行
rows = []
# 循环遍历字符串，每次取 matrix_size 个字符
for i in range(0, len(leak_bin), matrix_size):# 取出子串sub_string = leak_bin[i:i+matrix_size]# 将子串转换为整数列表row = list(map(int, sub_string))# 将这一行添加到 rows 列表中rows.append(row)
# 创建矩阵
X = Matrix(GF(2), rows)P = X *(G + I)^(-1)
p = ""
for line in P:for i in line:p = p + str(i)
p = int(p,2)
q = p ^^ leak
n = p*q
d = invert(65537,(p-1)*(q-1))
m = pow(c,d,n)
print(n2s(int(m)))

BuildCTF{78e09053-bc0a-4fdc-9dec-0f107bf9ba43}