def attack(C, E): root, found = iroot(C, E) if found: log.info('Successfully found exponent') log.info(root) log.info('Converting data') log.success(ltb(root).decode()) else: log.failure('Cant find exponent')
c = 3708354049649318175189820619077599798890688075815858391284996256924308912935262733471980964003143534200740113874286537588889431819703343015872364443921848 e = 16 p = 75000325607193724293694446403116223058337764961074929316352803137087536131383 q = 69376057129404174647351914434400429820318738947745593069596264646867332546443 phi = (p-1)*(q-1) n = p * q def egcd(a, b): if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) g, yp, yq = egcd(p, q) mp = pow(c, (p + 1) // 4, p) mq = pow(c, (q + 1) // 4, q) for i in range(3): mp = pow(mp, (p + 1) // 4, p) mq = pow(mq, (q + 1) // 4, q) r = (yp * p * mq + yq * q * mp) % n mr = n - r s = (yp * p * mq - yq * q * mp) % n ms = n - s for num in [r, mr, s, ms]: print(ltb(num))
from Crypto.Util.number import long_to_bytes as ltb, inverse from gmpy2 import isqrt, square, is_square n = REDACTED e = REDACTED c = REDACTED def fermat_factors(n): assert n % 2 != 0 a = isqrt(n) b2 = square(a) - n while not is_square(b2): a += 1 b2 = square(a) - n factor1 = a + isqrt(b2) factor2 = a - isqrt(b2) return int(factor1), int(factor2) p, q = fermat_factors(n) d = inverse(e, (p - 1) * (q - 1)) m = pow(c, d, n) print(ltb(m))
#!/usr/bin/env python2 from Crypto.Util.number import long_to_bytes as ltb # gotten from sending in ID = 256 and password = g res = 109950878156647283343117071980014389740494580037724054141576988543670578440064876024505057770363595056072454075390695080109090399972529650052921892824687467783936 char = 'g' print ltb(res + ord(char))[::-1]
def mul_inv(a, b): b0 = b x0, x1 = 0, 1 if b == 1: return 1 while a > 1: q = a / b a, b = b, a % b x0, x1 = x1 - q * x0, x0 if x1 < 0: x1 += b0 return x1 def find_invpow(x, n): high = 1 while high**n < x: high *= 2 low = high / 2 while low < high: mid = (low + high) // 2 if low < mid and mid**n < x: low = mid elif high > mid and mid**n > x: high = mid else: return mid return mid + 1 flag_cubed = chinese_remainder([n1, n2, n3], [c1, c2, c3]) flag = find_invpow(flag_cubed, 3) print(ltb(flag))
from pwn import * from Crypto.Util.number import long_to_bytes as ltb N=140165355674296399459239442258630641339281917770736077969396713192714338090714726890918178888723629353043167144351074222216025145349467583141291274172356560132771690830020353668100494447956043734613525952945037667879068512918232837185005693504551982611886445611514773529698595162274883360353962852882911457919 e=65537 c=86445915530920147553767348020686132564453377048106098831426077547738998373682256014690928256854752252580894971618956714013602556152722531577337080534714463052378206442086672725486411296963581166836329721403101091377505869510101752378162287172126836920825099014089297075416142603776647872962582390687281063434 S=20323 r = remote('chal.noxale.com',4242) r.recv() c1 = hex((c*(S**e))%N)[2:] r.send(c1) m1 = r.recv().decode() im1 = ltb(int(m1,16)//S) print(im1.decode())
from sage.all import * from Crypto.Util.number import long_to_bytes as ltb ciphertexts = [ 6816192635244433032171632550443449557145278339704533135253318051343869682485, 29458333613251083477279181027991958647486339164210273946108733843048288771798, 52008835028241149739773168099431219570798566543042976440748722008163085793792 ] moduli = [ 81432338653519942865405641552095057076423594628943058525534293705394967595179, 71978431351050052696487194220659622019786217862770403524979900613826263964339, 53561730229599407697626373473399340929187312544407455817435153279814343543237 ] x = CRT(ciphertexts, moduli) root = x.nth_root(3) ltb(root)
from sage.all import * from Crypto.Util.number import long_to_bytes as ltb N = 47283968683253223763489703863107642746052355487897544045320617987118533640129 e = 65537 C = 28528283267227040354902007252270777971329881474454910233915494489291153036353 factors = factor(N) factors = [i[0]**i[1] for i in factors] phi = 1 for fac in factors: phi *= (fac - 1) d = inverse_mod(e, phi) m = ltb(pow(c, d, N)) print(m)
def long_to_byte(self, l): return ltb(l)
def extract(self, key, gab, prime): inverse_key = inv(gab, prime) message = key*inverse_key%prime return ltb(message)