题目描述：

四份文件：

题目分析：

• 先看到题目描述中的第四份文件，毫无疑问是一份代码（由缩进可以看出），但我们看不懂它，所有的代码皆为乱序，由此便可想到词频分析法（应用特点：密文为长段代码的乱排序），由此可以得到：
  
  重新整理得到后的加密代码：

from gmpy2 import is_prime
from os import urandom
import base64def bytes_to_num(b):return int(b.encode('hex'), 16)def num_to_bytes(n):b = hex(n)[2:-1]b = '0' + b if len(b) % 2 == 1 else breturn b.decode('hex')def get_a_prime(l):random_seed = urandom(l)num = bytes_to_num(random_seed)while True:if is_prime(num):breaknum += 1return numdef encrypt(s, e, n):p = bytes_to_num(s)p = pow(p, e, n)return num_to_bytes(p).encode('hex')def separate(n):p = n % 4t = (p * p) % 4return t == 1f = open('flag.txt', 'r')
flag = f.read()msg1 = ""
msg2 = ""
for i in range(len(flag)):if separate(i):msg2 += flag[i]else:msg1 += flag[i]p1 = get_a_prime(128)
p2 = get_a_prime(128)
p3 = get_a_prime(128)
n1 = p1 * p2
n2 = p1 * p3
e = 0x1001
c1 = encrypt(msg1, e, n1)
c2 = encrypt(msg2, e, n2)
print(c1)
print(c2)e1 = 0x1001
e2 = 0x101
p4 = get_a_prime(128)
p5 = get_a_prime(128)
n3 = p4 * p5
c1 = num_to_bytes(pow(n1, e1, n3)).encode('hex')
c2 = num_to_bytes(pow(n1, e2, n3)).encode('hex')
print(c1)
print(c2)print(base64.b64encode(num_to_bytes(n2)))
print(base64.b64encode(num_to_bytes(n3)))

• 通过正确代码可知另外三份文件对应的便是代码中输出的6个print(内容)，具体哪个对应哪个开始是不知道的（分析完代码以及通过对应文件名后方可知道结果），所以接下来我们来分析分析代码
• 前面一段开始看不很懂，所以我们先从我们熟悉的看起：
  
  要求出flag，那么便要先求出msg1,msg2，它们怎么求呢？别急，我们继续往下看：
  
  前面说过print()中的都是已知内容，所以图片中我们知道的有：e, c1, c2, n2(n2最后面输出了)

c1 = encrypt(msg1, e, n1)
c2 = encrypt(msg2, e, n2)
便相当于：
c1 = pow(msg1, e, n1)
c2 = pow(msg2, e, n2)
所以要求msg1, msg2 便要求出 n1, n2 的逆元d1, d2
print（---------------------------------------------------）
而要求d1, d2 ,便要求出 p1, p2, p3, 而这些量只要知道了 n1 便都能求出来（因为n2已知，p1 是n1, n2的最大公约数，知道了 n1 便知道了 p1，知道了p1,便能通过 n1 // p1，n2 // p1 得到 p2, p3）,由此便能得到 msg1, msg2.

• 综上分析下来便是要求到 n1, 那如何求 n1 呢？别急，我们接着往下看：
  
  （注：此图片中的 c1, c2 与上一张的 c1, c2 并无关系）
  此图中我们看到有 e1, e2, c1, c2 和共同的模数 n3，好熟悉的感觉，这不就是共模攻击吗！求出来的不正是 n1 吗！那这不直接上脚本！
• 但此时还有一个问题便是其他三个文件中的代码对应着哪些字母。其实这很好知道，文件名称已经给出了答案：

cipherhext —> 密文 c1, c2
n1.encrypted —> 共模攻击 c1, c2
n2 & n3 —> base64.b64encode(num_to_bytes(n2)),
base64.b64encode(num_to_bytes(n3)

• 我们先上解出n1, msg1, msg2 的代码：

import gmpy2
from Crypto.Util.number import *
import base64
f2 = 'PVNHb2BfGAnmxLrbKhgsYXRwWIL9eOj6K0s3I0slKHCTXTAUtZh3T0r+RoSlhpO3+77AY8P7WETYz2Jzuv5FV/mMODoFrM5fMyQsNt90VynR6J3Jv+fnPJPsm2hJ1Fqt7EKaVRwCbt6a4BdcRoHJsYN/+eh7k/X+FL5XM7viyvQxyFawQrhSV79FIoX6xfjtGW+uAeVF7DScRcl49dlwODhFD7SeLqzoYDJPIQS+VSb3YtvrDgdV+EhuS1bfWvkkXRijlJEpLrgWYmMdfsYX8u/+Ylf5xcBGn3hv1YhQrBCg77AHuUF2w/gJ/ADHFiMcH3ux3nqOsuwnbGSr7jA6Cw=='
f3 = 'TmNVbWUhCXR1od3gBpM+HGMKK/4ErfIKITxomQ/QmNCZlzmmsNyPXQBiMEeUB8udO7lWjQTYGjD6k21xjThHTNDG4z6C2cNNPz73VIaNTGz0hrh6CmqDowFbyrk+rv53QSkVKPa8EZnFKwGz9B3zXimm1D+01cov7V/ZDfrHrEjsDkgK4ZlrQxPpZAPl+yqGlRK8soBKhY/PF3/GjbquRYeYKbagpUmWOhLnF4/+DP33ve/EpaSAPirZXzf8hyatL4/5tAZ0uNq9W6T4GoMG+N7aS2GeyUA2sLJMHymW4cFK5l5kUvjslRdXOHTmz5eHxqIV6TmSBQRgovUijlNamQ=='
n2 = bytes_to_long(base64.b64decode(f2))
n3 = bytes_to_long(base64.b64decode(f3))
e1 = 0x1001
e2 = 0x101
c1 = 0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2 = 0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
e = 0x1001
c_g1 = 0x2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090
c_g2 = 0x42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a
_,s1,s2 = gmpy2.gcdext(e1,e2)
n1 = pow(c_g1,s1,n3) * pow(c_g2,s2,n3) % n3
print(n1)
n1 = 2499586809914462821807624371088011200618603528498132509598946284572455726453497171635086810524607288333625665025664872216634366700044105279185519761587818169021167370991396691510275499486673922916370294043072503635630922980240462022218565365191228535222150496387990987123639567257124081274667568443678527637259644488779394704508217357758791670308548246801142468699716221789070607334747835552167450340441488756779323653879402176647890584656379628685893686585469918686253137796663587854943386347039389769790329948165162483370187914412810153613198247569427480466488647563900948387020677830797976534568626241686906738179
p1 = gmpy2.gcd(n1,n2)
p2 = n1//p1
p3 = n2//p1
phi_1 = (p1-1)*(p2-1)
phi_2 = (p1-1)*(p3-1)
d1 = gmpy2.invert(e,phi_1)
d2 = gmpy2.invert(e,phi_2)
msg1 = long_to_bytes(pow(c1,d1,n1)).decode()
msg2 = long_to_bytes(pow(c2,d2,n2)).decode()

msg1最后的decode()是将字节转化为字符串便于后面求长度（这是要做到后面才会想到要转字符串，我提前告知了）

• 分析最后模块（如何得到最后flag）：
  

代码中的separate(n) 函数解析：
n为奇数返回 True， 进行 msg2 += flag[i]
n为偶数返回 False，进行 msg1 += flag[i]
(不懂的话可以自己代数试试)

• 得到 flag 代码：

msg = msg1 + msg2
def separate(n):p = n % 4t = (p * p) % 4return t == 1flag = ''
count1 = count2 = 0
for i in range(len(msg)):if separate(i):flag += str(msg2)[count2]count2 += 1else:flag += str(msg1)[count1]count1 += 1print(flag)

• 完整代码：

import gmpy2
from Crypto.Util.number import *
import base64
f2 = 'PVNHb2BfGAnmxLrbKhgsYXRwWIL9eOj6K0s3I0slKHCTXTAUtZh3T0r+RoSlhpO3+77AY8P7WETYz2Jzuv5FV/mMODoFrM5fMyQsNt90VynR6J3Jv+fnPJPsm2hJ1Fqt7EKaVRwCbt6a4BdcRoHJsYN/+eh7k/X+FL5XM7viyvQxyFawQrhSV79FIoX6xfjtGW+uAeVF7DScRcl49dlwODhFD7SeLqzoYDJPIQS+VSb3YtvrDgdV+EhuS1bfWvkkXRijlJEpLrgWYmMdfsYX8u/+Ylf5xcBGn3hv1YhQrBCg77AHuUF2w/gJ/ADHFiMcH3ux3nqOsuwnbGSr7jA6Cw=='
f3 = 'TmNVbWUhCXR1od3gBpM+HGMKK/4ErfIKITxomQ/QmNCZlzmmsNyPXQBiMEeUB8udO7lWjQTYGjD6k21xjThHTNDG4z6C2cNNPz73VIaNTGz0hrh6CmqDowFbyrk+rv53QSkVKPa8EZnFKwGz9B3zXimm1D+01cov7V/ZDfrHrEjsDkgK4ZlrQxPpZAPl+yqGlRK8soBKhY/PF3/GjbquRYeYKbagpUmWOhLnF4/+DP33ve/EpaSAPirZXzf8hyatL4/5tAZ0uNq9W6T4GoMG+N7aS2GeyUA2sLJMHymW4cFK5l5kUvjslRdXOHTmz5eHxqIV6TmSBQRgovUijlNamQ=='
n2 = bytes_to_long(base64.b64decode(f2))
n3 = bytes_to_long(base64.b64decode(f3))
e1 = 0x1001
e2 = 0x101
c1 = 0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2 = 0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
e = 0x1001
c_g1 = 0x2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090
c_g2 = 0x42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a
_,s1,s2 = gmpy2.gcdext(e1,e2)
n1 = pow(c_g1,s1,n3) * pow(c_g2,s2,n3) % n3
print(n1)
n1 = 2499586809914462821807624371088011200618603528498132509598946284572455726453497171635086810524607288333625665025664872216634366700044105279185519761587818169021167370991396691510275499486673922916370294043072503635630922980240462022218565365191228535222150496387990987123639567257124081274667568443678527637259644488779394704508217357758791670308548246801142468699716221789070607334747835552167450340441488756779323653879402176647890584656379628685893686585469918686253137796663587854943386347039389769790329948165162483370187914412810153613198247569427480466488647563900948387020677830797976534568626241686906738179
p1 = gmpy2.gcd(n1,n2)
p2 = n1//p1
p3 = n2//p1
phi_1 = (p1-1)*(p2-1)
phi_2 = (p1-1)*(p3-1)
d1 = gmpy2.invert(e,phi_1)
d2 = gmpy2.invert(e,phi_2)
msg1 = long_to_bytes(pow(c1,d1,n1)).decode()
msg2 = long_to_bytes(pow(c2,d2,n2)).decode()
msg = str(msg1) + str(msg2)
def separate(n):p = n % 4t = (p * p) % 4return t == 1flag = ''
count1 = count2 = 0
for i in range(len(msg)):if separate(i):flag += str(msg2)[count2]count2 += 1else:flag += str(msg1)[count1]count1 += 1print(flag)

• 最终 flag{CRYPT0_I5_50_Interestingvim rsa.py}

收获与体会：

这题相对于其他的rsa的题来说不难，并没有用到很多其他的知识点，更多的是我们熟悉的，如共模攻击，如何将密文c的base64形式转化为数字，这些通过做buu前面的题我们都接触过并且应该都记忆深刻了，这题更难的是静下心去分析，分析出n1的关键作用以及separate()函数的作用，这些做出来了，那么结果就出来了