NSSCTF Round7 Crypto2

一道DFS深搜解决的Crypto问题，近期遇到了好多类似问题，例如2022祥云杯的leak_rsa，pwnhub冬季赛的ASR等

使用DFS相比较暴力枚举可以获得较大程度的时间优化，关键需要找到递归深搜的约束条件，在RSA问题中，常用p q的二进制形式，结合p q满足的代数关系进行未知位数的求解

本题中，noise数据约为496bit，p q在p异或noise数据后满足p q对应位异或为1，即一个为0一个为1

故约束条件为：当noise对应位数为1时，p q对应位数相同，当noise对应位数为0时，p q对应位数不同，同时需要爆破p q初始6bit（512-496 bit）

下面贴一下hash_hash师傅的脚本

exp：

from Crypto.Util.number import *

n = 41318049256306878752610363510443063846398425395380140041750273228898867125431643076792748095350841316908817123295460735023972380672601911521967903168498956815844239645588653318914375679652097733616310197002562672499303685182470376181481346970080428677364527350092396859145037116902812954358374669364384913427
c = 27070540330107450045627683100045912856410895481625142319800852839841731626448328869640781957044283023330602619830680434366284193902342701915890107858579608199114076122922529542716089973350291443861189285892509527723571602143348593521006635099775353434183582637659593238282521070746330471702109551135619697958
noise = 185034449414461457706935642079602544758706503071368652992126720879903163440501141185140715685662707819122833016885046533942763603927989442741721805186

sign = bin(noise)[2:].rjust(512,'0')[::-1]

def find(p,q):
    l=len(p)
    if len(p)==512:
        if n%int(p,2)==0:
            p = int(p,2)
            q = int(q,2)
            phi=(p-1)*(q-1)
            d=inverse(0x10001,phi)
            m=pow(c,d,n)
            print(long_to_bytes(m))
    else:
        pp = int(p,2)
        qq = int(q,2)
        if pp*qq%2**l == n%2**l:
            if sign[l] == '1':
                find('0'+p, '0'+q)
                find('1'+p, '1'+q)
            else:
                find('0'+p, '1'+q)
                find('1'+p, '0'+q)

p = '1'
q = '1'
for i in range(2**6):
    for j in range(2**6):
        p = bin(i)[2:].rjust(6,'0')+'1'
        q = bin(j)[2:].rjust(6,'0')+'1'
        find(p,q)
#b'NSSCTF{cca92586-7e73-4474-bd29-fc1b1e64f70e}'