def attack(C, E):
root, found = iroot(C, E)
if found:
log.info('Successfully found exponent')
log.info(root)
log.info('Converting data')
log.success(ltb(root).decode())
else:
log.failure('Cant find exponent')
c = 3708354049649318175189820619077599798890688075815858391284996256924308912935262733471980964003143534200740113874286537588889431819703343015872364443921848
e = 16
p = 75000325607193724293694446403116223058337764961074929316352803137087536131383
q = 69376057129404174647351914434400429820318738947745593069596264646867332546443
phi = (p-1)*(q-1)
n = p * q
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
g, yp, yq = egcd(p, q)
mp = pow(c, (p + 1) // 4, p)
mq = pow(c, (q + 1) // 4, q)
for i in range(3):
mp = pow(mp, (p + 1) // 4, p)
mq = pow(mq, (q + 1) // 4, q)
r = (yp * p * mq + yq * q * mp) % n
mr = n - r
s = (yp * p * mq - yq * q * mp) % n
ms = n - s
for num in [r, mr, s, ms]:
print(ltb(num))
from Crypto.Util.number import long_to_bytes as ltb, inverse
from gmpy2 import isqrt, square, is_square
n = REDACTED
e = REDACTED
c = REDACTED
def fermat_factors(n):
assert n % 2 != 0
a = isqrt(n)
b2 = square(a) - n
while not is_square(b2):
a += 1
b2 = square(a) - n
factor1 = a + isqrt(b2)
factor2 = a - isqrt(b2)
return int(factor1), int(factor2)
p, q = fermat_factors(n)
d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(ltb(m))
#!/usr/bin/env python2 from Crypto.Util.number import long_to_bytes as ltb # gotten from sending in ID = 256 and password = g res = 109950878156647283343117071980014389740494580037724054141576988543670578440064876024505057770363595056072454075390695080109090399972529650052921892824687467783936 char = 'g' print ltb(res + ord(char))[::-1]
def mul_inv(a, b):
b0 = b
x0, x1 = 0, 1
if b == 1: return 1
while a > 1:
q = a / b
a, b = b, a % b
x0, x1 = x1 - q * x0, x0
if x1 < 0: x1 += b0
return x1
def find_invpow(x, n):
high = 1
while high**n < x:
high *= 2
low = high / 2
while low < high:
mid = (low + high) // 2
if low < mid and mid**n < x: low = mid
elif high > mid and mid**n > x: high = mid
else: return mid
return mid + 1
flag_cubed = chinese_remainder([n1, n2, n3], [c1, c2, c3])
flag = find_invpow(flag_cubed, 3)
print(ltb(flag))
from pwn import *
from Crypto.Util.number import long_to_bytes as ltb
N=140165355674296399459239442258630641339281917770736077969396713192714338090714726890918178888723629353043167144351074222216025145349467583141291274172356560132771690830020353668100494447956043734613525952945037667879068512918232837185005693504551982611886445611514773529698595162274883360353962852882911457919
e=65537
c=86445915530920147553767348020686132564453377048106098831426077547738998373682256014690928256854752252580894971618956714013602556152722531577337080534714463052378206442086672725486411296963581166836329721403101091377505869510101752378162287172126836920825099014089297075416142603776647872962582390687281063434
S=20323
r = remote('chal.noxale.com',4242)
r.recv()
c1 = hex((c*(S**e))%N)[2:]
r.send(c1)
m1 = r.recv().decode()
im1 = ltb(int(m1,16)//S)
print(im1.decode())
from sage.all import *
from Crypto.Util.number import long_to_bytes as ltb
ciphertexts = [
6816192635244433032171632550443449557145278339704533135253318051343869682485,
29458333613251083477279181027991958647486339164210273946108733843048288771798,
52008835028241149739773168099431219570798566543042976440748722008163085793792
]
moduli = [
81432338653519942865405641552095057076423594628943058525534293705394967595179,
71978431351050052696487194220659622019786217862770403524979900613826263964339,
53561730229599407697626373473399340929187312544407455817435153279814343543237
]
x = CRT(ciphertexts, moduli)
root = x.nth_root(3)
ltb(root)
from sage.all import *
from Crypto.Util.number import long_to_bytes as ltb
N = 47283968683253223763489703863107642746052355487897544045320617987118533640129
e = 65537
C = 28528283267227040354902007252270777971329881474454910233915494489291153036353
factors = factor(N)
factors = [i[0]**i[1] for i in factors]
phi = 1
for fac in factors:
phi *= (fac - 1)
d = inverse_mod(e, phi)
m = ltb(pow(c, d, N))
print(m)
def long_to_byte(self, l): return ltb(l)
def extract(self, key, gab, prime): inverse_key = inv(gab, prime) message = key*inverse_key%prime return ltb(message)
