def _nfold(str, nbytes): # Convert str to a string of length nbytes using the RFC 3961 nfold # operation. # Rotate the bytes in str to the right by nbits bits. def rotate_right(str, nbits): nbytes, remain = (nbits//8) % len(str), nbits % 8 return ''.join(chr((ord(str[i-nbytes]) >> remain) | ((ord(str[i-nbytes-1]) << (8-remain)) & 0xff)) for i in xrange(len(str))) # Add equal-length strings together with end-around carry. def add_ones_complement(str1, str2): n = len(str1) v = [ord(a) + ord(b) for a, b in zip(str1, str2)] # Propagate carry bits to the left until there aren't any left. while any(x & ~0xff for x in v): v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in xrange(n)] return ''.join(chr(x) for x in v) # Concatenate copies of str to produce the least common multiple # of len(str) and nbytes, rotating each copy of str to the right # by 13 bits times its list position. Decompose the concatenation # into slices of length nbytes, and add them together as # big-endian ones' complement integers. slen = len(str) lcm = nbytes * slen / gcd(nbytes, slen) bigstr = ''.join((rotate_right(str, 13 * i) for i in xrange(lcm / slen))) slices = (bigstr[p:p+nbytes] for p in xrange(0, lcm, nbytes)) return reduce(add_ones_complement, slices)
def _lcm(a, b): """ Least Common Multiple between 2 integers. """ if a == 0 or b == 0: return 0 else: return abs(a * b) / gcd(a, b)
def gcd(a, b): """Fallback implementation when Crypto is missing, and fractions does not exist (Python 2.5) """ if b > a: a, b = b, a c = a % b return b if c == 0 else gcd(c, b)
def _nfold(str, nbytes): # Convert str to a string of length nbytes using the RFC 3961 nfold # operation. # Concatenate copies of str to produce the least common multiple # of len(str) and nbytes, rotating each copy of str to the right # by 13 bits times its list position. Decompose the concatenation # into slices of length nbytes, and add them together as # big-endian ones' complement integers. slen = len(str) lcm = int(nbytes * slen / gcd(nbytes, slen)) bigstr = b''.join( (_rotate_right(str, 13 * i) for i in range(int(lcm / slen)))) slices = [bigstr[p:p + nbytes] for p in range(0, lcm, nbytes)] return reduce(_add_ones_complement, slices)
return ct s = socket(AF_INET, SOCK_STREAM) s.connect(('crypto.byteband.it', 7001)) s.recv(1024) s.send('2\n') x = s.recv(1024) while ']' not in x: x += s.recv(1024) m, l2 = x.split('\n')[:-1] m = int(m, 16) d = inverse(65536, m - 1) g = gcd(65536, m - 1) l2 = eval(l2) l2 = [tostr(eval(i)) for i in l2] l = [] key = '' for i in l2: key += i[:8] l.append(int(i[8:].encode('hex'), 16)) for i in l: assert i in [_ for _ in range(0, 1024, 8)] s.send('3\n')
#!/usr/bin/env python3 from Crypto.Util.number import getStrongPrime, inverse, bytes_to_long, GCD as gcd from Crypto.Random.random import randint from flag import flag p = getStrongPrime(512) q = getStrongPrime(512) N = p * q phi = (p - 1) * (q - 1) # Hehe, boi while True: d = randint(int(N**0.399), int(N**0.4)) if gcd(d, phi) == 1: break e = inverse(d, phi) # Here's a special gift. Big. gift = d >> 120 enc = pow(bytes_to_long(flag), e, N) print("N =", N) print("e =", e) print("gift =", gift) print("enc =", enc)