# CRYPTO

# corrupted_key

	from Crypto.PublicKey import RSA
	from Crypto.Cipher import PKCS1_OAEP
	from secret import flag

	key = RSA.generate(1024)
	open("flag.enc",'wb').write(PKCS1_OAEP.new(key.publickey()).encrypt(flag))
	open('priv.pem','wb').write(key.exportKey('PEM'))

	-----BEGIN RSA PRIVATE KEY-----
	MIICXgIBAAKBgQDXFSUGqpzsBeUzXWtG9UkUB8MZn9UQkfH2Aw03YrngP0nJ3NwH
	UFTgzBSLl0tBhUvZO07haiqHbuYgBegO+Aa3qjtksb+bH6dz41PQzbn/l4Pd1fXm
	dJmtEPNh6TjQC4KmpMQqBTXF52cheY6GtFzUuNA7DX51wr6HZqHoQ73GQQIDAQAB








	yQvOzxy6szWFheigQdGxAkEA4wFss2CcHWQ8FnQ5w7k4uIH0I38khg07HLhaYm1c
	zUcmlk4PgnDWxN+ev+vMU45O5eGntzaO3lHsaukX9461mA==
	-----END RSA PRIVATE KEY-----

参考 pem 解析

base64 解码再转 hex

	30 82 02 5e 02 01 00 02 81 81 00 d7 15 25 06 aa 9c ec 05 e5 33 5d 6b 46 f5 49 14 07 c3 19 9f d5 10 91 f1 f6 03 0d 37 62 b9 e0 3f 49 c9 dc dc 07 50 54 e0 cc 14 8b 97 4b 41 85 4b d9 3b 4e e1 6a 2a 87 6e e6 20 05 e8 0e f8 06 b7 aa 3b 64 b1 bf 9b 1f a7 73 e3 53 d0 cd b9 ff 97 83 dd d5 f5 e6 74 99 ad 10 f3 61 e9 38 d0 0b 82 a6 a4 c4 2a 05 35 c5 e7 67 21 79 8e 86 b4 5c d4 b8 d0 3b 0d 7e 75 c2 be 87 66 a1 e8 43 bd c6 41 02 03 01 00 01



	c9 0b ce cf 1c ba b3 35 85 85 e8 a0 41 d1 b1 02 41 00 e3 01 6c b3 60 9c 1d 64 3c 16 74 39 c3 b9 38 b8 81 f4 23 7f 24 86 0d 3b 1c b8 5a 62 6d 5c cd 47 26 96 4e 0f 82 70 d6 c4 df 9e bf eb cc 53 8e 4e e5 e1 a7 b7 36 8e de 51 ec 6a e9 17 f7 8e b5 98

得到 n 和 e 还有 dq 的低 120 位和 inv (q,p)

$e*dq=e*d=1 mod (q-1)$

$e*dq=1+k*(q-1)=k*q-k+1$

$e*dq+k-1=k*q$

k<e 的

那么

q 的低 120 位

$q_{low}=inv(k,2**120)*(e*dq+k-1)mod(2**120)$

q=2**120*x+q_

$f=inv(q,p)*q*q-qmod n=0$

	import gmpy2
	from tqdm import tqdm
	n=0xD7152506AA9CEC05E5335D6B46F5491407C3199FD51091F1F6030D3762B9E03F49C9DCDC075054E0CC148B974B41854BD93B4EE16A2A876EE62005E80EF806B7AA3B64B1BF9B1FA773E353D0CDB9FF9783DDD5F5E67499AD10F361E938D00B82A6A4C42A0535C5E76721798E86B45CD4B8D03B0D7E75C2BE8766A1E843BDC641
	ni=0xE3016CB3609C1D643C167439C3B938B881F4237F24860D3B1CB85A626D5CCD4726964E0F8270D6C4DF9EBFEBCC538E4EE5E1A7B7368EDE51EC6AE917F78EB598
	dd=0xC90BCECF1CBAB3358585E8A041D1B1
	e=0x10001
	s=[]
	for i in tqdm(range(65537)):
	try:
	tt=gmpy2.invert(i,2*120)(edd+(i-1))%2*120
	s.append(tt)
	except:
	continue
	PR.<x>=PolynomialRing(Zmod(n))
	for i in tqdm(range(len(s))):
	f=ni(2^120x+int(s[i]))^2-(2^120*x+int(s[i]))
	f=f.monic()
	root=f.small_roots(X=2^392,beta=1,epsilon=0.1)
	if root:
	print(root)
	print(s[i])
	[9380741476733074711154157347870852768998932500826815763908882209540022808328010581994168722390477477733053186137042700]
	954648658690918505830691475676983889

s 倒着跑快一点

	from Crypto.Util.number import *
	from Crypto.PublicKey import RSA
	from Crypto.Cipher import PKCS1_OAEP

	n=0xD7152506AA9CEC05E5335D6B46F5491407C3199FD51091F1F6030D3762B9E03F49C9DCDC075054E0CC148B974B41854BD93B4EE16A2A876EE62005E80EF806B7AA3B64B1BF9B1FA773E353D0CDB9FF9783DDD5F5E67499AD10F361E938D00B82A6A4C42A0535C5E76721798E86B45CD4B8D03B0D7E75C2BE8766A1E843BDC641
	x=9380741476733074711154157347870852768998932500826815763908882209540022808328010581994168722390477477733053186137042700
	s=954648658690918505830691475676983889
	q=2^120*x+s
	print(n%q)
	p=n//q
	print(p)
	print(q)


	e=0x10001
	d=inverse(e,(p-1)*(q-1))
	print(d)
	with open("flag.enc","rb") as f:
	c=bytes_to_long(f.read())

	key = RSA.construct((n, e, d, p, q))
	cipher = PKCS1_OAEP.new(key=key)
	print(cipher.decrypt(long_to_bytes(c)))