HECTF 2025 WriteUp - Q1uJu's House

Crypto#

下个棋吧#

题目：

先别做题了，flag给你，过来陪我下把棋，对了，别忘了flag要大写，RERBVkFGR0RBWHtWR1ZHWEFYRFZHWEFYRFZWVkZWR1ZYVkdYQX0=

base64 解码得到：DDAVAFGDAX{VGVGXAXDVGXAXDVVVFVGVXVGXA}，一眼ADFGVX密码。

	A	D	F	G	V	X
A	a	b	c	d	e	f
D	g	h	i	j	k	l
F	m	n	o	p	q	r
G	s	t	u	v	w	x
V	y	z	0	1	2	3
X	4	5	6	7	8	9

HECTF{1145145201314}

simple_math#

题目：

1
from Crypto.Util.number import *
2
from secret import flag
3

4
def getmodule(bits):
5
    while True:
6
        f = getPrime(bits)
7
        g = getPrime(bits)
8
        p = (f<<bits)+g
9
        q = (g<<bits)+f
10
        if isPrime(p) and isPrime(q):
11
            assert  p%4 == 3 and q%4 == 3
12
            n = p * q
13
            break
14
    return n
15

16
e = 8
17
n = getmodule(128)
18

19
m = bytes_to_long(flag)
20
c = pow(m,e,n)
21

22
print('c =',c)
23
print('n =',n)
24

25
"""
26
c = ...
27
n = ...
28
"""

加密流程并不复杂，生成两个 128 位的素数f和g。然后p和q分别是：p = (f << 128) + g和q = (g << 128) + f，也就是说p的低 128 位是g，高 128 位是f，q则反过来了。加密是一个Rabin加密，e = 8。

解密首先要从特殊结构的p和q来入手，我们设K := 2 ** 128并在模K - 1下展开：

\begin{aligned} n &= (fK + g)(gK + f) \\ &\equiv (f(1) + g)(g(1) + f) \pmod{K-1} \\ &\equiv (f+g)(f+g) \pmod{K-1} \\ &\equiv (f+g)^2 \pmod{K-1} \end{aligned}

由此在模K - 1环下对n开方就能得到f + g的余数。而f和g的和量级不超过2 ** 129，故sum = sum_mod + k * (K - 1)，其中k < 4。利用 sage 枚举出正确的sum可以由g = S - f回代回n的等式，用roots()求解f，这样就能直接分解n。

后面的Rabin直接开三次方就行，每次开方产生 4 个根，爆一下就行。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3

4
c = ...
5
n = ...
6
bits = 128
7
K = 2 ** bits
8
R = Zmod(K-1)
9
S_candidates_mod = R(n).sqrt(all=True)
10
PR.<x> = PolynomialRing(ZZ)
11
real_p = 0
12
real_q = 0
13
for s_mod in S_candidates_mod:
14
    s_val = Integer(s_mod)
15
    for k in range(4):
16
        S = s_val + k * (K - 1)
17
        eq = (x * K + (S - x)) * ((S - x) * K + x) - n
18
        roots = eq.roots()
19
        if roots:
20
            f = roots[0][0]
21
            g = S - f
22
            p = f * K + g
23
            q = g * K + f
24
            if p * q == n:
25
                real_p = p
26
                real_q = q
27
                break
28
    if real_p:
29
        break
30
curr_roots = [c]
31
for layer in range(1, 4):
32
    next_roots = set()
33
    for r in curr_roots:
34
        try:
35
            mps = Zmod(p)(r).sqrt(all=True, extend=False)
36
        except ValueError:
37
            mps = []
38
        try:
39
            mqs = Zmod(q)(r).sqrt(all=True, extend=False)
40
        except ValueError:
41
            mqs = []
42
        if not mps or not mqs:
43
            continue
44
        for mp in mps:
45
            for mq in mqs:
46
                val = crt([Integer(mp), Integer(mq)], [p, q])
47
                next_roots.add(val)
48
    curr_roots = list(next_roots)
49
for m in curr_roots:
50
    flag = long_to_bytes(int(m))
51
    if b'HECTF' in flag:
52
        print(flag.decode())
53
        break
54
# HECTF{this_is_a_flag_emm_is_a_true_flag_ok_all_right}

ez_rsa#

题目：

1
from Crypto.Util.number import *
2
from gmpy2 import next_prime
3

4
from secret import flag
5

6
e = 65537
7
while True:
8
    p1 = getPrime(512)
9
    p2 = next_prime(p1)
10
    q1 = getPrime(250)
11
    q2 = getPrime(250)
12
    n1 = p1**2*q1
13
    n2 = p2**2*q2
14
    if abs(p1-p2)<p1/(4*q1*q2):
15
        break
16

17
l = len(flag) // 2
18
m1, m2 = bytes_to_long(flag[:l]), bytes_to_long(flag[l:])
19

20
c1 = pow(m1,e,n1)
21
c2 = pow(m2,e,n2)
22

23
print('c1 =', c1)
24
print('c2 =', c2)
25
print('n1 =', n1)
26
print('n2 =', n2)
27

28
"""
29
c1 = ...
30
c2 = ...
31
n1 = ...
32
n2 = ...
33
"""

最近连分数有点太多了，前两天刚在鹏城杯做完hhhh。证明应该就不用了吧emmm：

\begin{aligned} &n_1=p_1^2q_1,n_2=p_2^2q_2\\ &\frac{n_1}{n_2}=\frac{p_1^2q_1}{p_2^2q_2}\approx \frac{q_1}{q_2} \end{aligned}

连分数展开找q1和q2即可，分母为q2，分子为q1。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3

4
c1 = ...
5
c2 = ...
6
n1 = ...
7
n2 = ...
8
e = 65537
9
cf = continued_fraction(Integer(n1) / Integer(n2))
10
for k in cf.convergents():
11
    q1 = int(k.numerator())
12
    q2 = int(k.denominator())
13
    if q1.bit_length() < 240:
14
        continue
15
    if n1 % q1 == 0:
16
        p1_sq = Integer(n1 // q1)
17
        if p1_sq.is_square():
18
            p1 = p1_sq.sqrt()
19
            if n2 % q2 == 0:
20
                p2 = Integer(n2 // q2).sqrt()
21
                d1 = inverse_mod(e, p1 * (p1 - 1) * (q1 - 1))
22
                d2 = inverse_mod(e, p2 * (p2 - 1) * (q2 - 1))
23
                m1 = pow(c1, d1, n1)
24
                m2 = pow(c2, d2, n2)
25
                flag = long_to_bytes(m1) + long_to_bytes(m2)
26
                print(flag.decode())
27
                break
28
# HECTF{cRoss_0v3r_v&ry_yOxi}

dq#

题目：

1
from Crypto.Util.number import *
2
from secret import flag
3

4
p = getPrime(512)
5
q = getPrime(512)
6
n = p*q
7
e = 65537
8
d = inverse(e,(p-1)*(q-1))
9
dq = d%(q-1)
10
m = bytes_to_long(flag)
11
c = pow(m,e,n)
12
dq_low = dq&((1<<128)-1)
13
print("dq_low =",dq_low)
14
print("qinvp =",inverse(q,p))
15
print("c =",c)
16
print("n =",n)
17

18
"""
19
dq_low = ...
20
qinvp = ...
21
c = ...
22
n = ...
23
"""

简约的题目，果然很难，主要是卡爆破上了hhh。加密流程朴实无华，泄露了dq的低 128 位，然后给了qinvp。和常见dq泄露类似（这里留个la佬的博客），有等式：

e \cdot dq = k \cdot (q-1) + 1

但是这题中我们需要把dq_low通过模2 ** 128转换成q_low：

\begin{aligned} &e \cdot dq_{low} \equiv k \cdot (q_{low} - 1) + 1 \pmod{2^{128}}\\ &k \cdot q_{low} \equiv e \cdot dq_{low} - 1 + k \pmod{2^{128}}\\ &q_{low} \equiv k^{-1} \cdot (e \cdot dq_{low} + k - 1) \pmod{2^{128}} \end{aligned}

这题的关键也是点睛之笔在于qinvp，我们已知：

q^{-1}*q\equiv 1\pmod{p}

即：

q\cdot q^{-1}-1=k_q\cdot p

我们再乘一个q可以消去未知的p引入已知的n：

\begin{aligned} &q^2\cdot q^{-1}-q=k_p\cdot n\\ \Rightarrow&q^2\cdot q^{-1}-q\equiv 0\pmod{n} \end{aligned}

结合到 CopperSmith 的等式里，构造f(x)：

f(x)=qinvp\cdot(x\cdot2^{128}+q_{low})-(x\cdot2^{128}+q_{low})\equiv 0\pmod{n}

然后 CopperSmith 打出q即可，这里给一版单线程挂爆破的，但是很慢，当时跑了一看 10+ 分钟就停了，后面发现k很小就又试试了发现其实也能出，还是不太熟练了害。

exp1.py：

1
# SageMath 10.7
2
from sage.all import *
3
from Crypto.Util.number import long_to_bytes
4
from tqdm import trange
5

6
dq_low = ...
7
qinvp = ...
8
c = ...
9
n = ...
10
e = 65537
11
PR.<x> = PolynomialRing(Zmod(n))
12
K = 2 ** 128
13
for k in trange(1, e):
14
    g = GCD(k, K)
15
    target = e * dq_low - 1 + k
16
    if target % g != 0:
17
        continue
18
    mask_p = K // g
19
    try:
20
        q_low = ((target // g) * inverse_mod(k // g, mask_p)) % mask_p
21
    except:
22
        continue
23
    x_bounds = 2 ** (512 - 128 + int(g).bit_length())
24
    f = qinvp * (x * mask_p + q_low)**2 - (x * mask_p + q_low)
25
    roots = f.monic().small_roots(X=x_bounds, beta=1.0, epsilon=0.1)
26
    if roots:
27
        q = int(roots[0]) * mask_p + q_low
28
        if n % q == 0:
29
            p = n // q
30
            phi = (p - 1) * (q - 1)
31
            d = inverse_mod(e, phi)
32
            m = pow(c, d, n)
33
            print(long_to_bytes(int(m)).decode())
34
            break
35
#   3%|██▏                                                                           | 1845/65536 [00:21<12:15, 86.65it/s]
36
# HECTF{ay_mi_gatuto_miau_miau}

发现不行就叫 AI 加了一个多线程爆破，几秒就出了。。。但是确实不太熟怎么用多线程了。

exp2.py：

1
# SageMath 10.7
2
from sage.all import *
3
from Crypto.Util.number import long_to_bytes
4
from tqdm import tqdm
5
from multiprocessing import Pool, cpu_count
6

7
# ---------------- 题目数据 ----------------
8
dq_low = ...
9
qinvp = ...
10
c = ...
11
n = ...
12
e = 65537
13

14
# ---------------- Worker 函数 (定义处理逻辑) ----------------
15
def solve_batch(k_list):
16
    # 多进程必须在函数内重新定义环，否则会段错误
17
    try:
18
        F = PolynomialRing(Zmod(n), implementation='NTL', names=('x',))
19
        (x,) = F._first_ngens(1)
20
    except: return None
21

22
    K = 2 ** 128
23

24
    for k in k_list:
25
        g = GCD(k, K)
26
        target = e * dq_low - 1 + k
27
        if target % g != 0: continue
28

29
        mask_p = K // g
30
        try:
31
            q_low = ((target // g) * inverse_mod(k // g, mask_p)) % mask_p
32
        except: continue
33

34
        x_bounds = 2 ** (512 - 128 + int(g).bit_length())
35
        f = qinvp * (x * mask_p + q_low)**2 - (x * mask_p + q_low)
36

37
        # 你的参数: beta=1.0, epsilon=0.1
38
        roots = f.monic().small_roots(X=x_bounds, beta=1.0, epsilon=0.1)
39

40
        if roots:
41
            q = int(roots[0]) * mask_p + q_low
42
            if n % q == 0: return q
43
    return None
44

45
cores = cpu_count()
46
print(f"[*] Blasting on {cores} cores (Direct Mode)...")
47

48
# 1. 切分任务 (Batch Size 设大一点减少通信开销)
49
BATCH_SIZE = 200
50
batches = [range(i, min(i + BATCH_SIZE, e)) for i in range(1, e, BATCH_SIZE)]
51

52
# 2. 启动多进程
53
pool = Pool(cores)
54
found_q = None
55

56
try:
57
    # 3. 进度条监控
58
    iterator = pool.imap_unordered(solve_batch, batches)
59
    for res in tqdm(iterator, total=len(batches), unit="batch"):
60
        if res:
61
            found_q = res
62
            pool.terminate() # 找到结果，杀死其他进程
63
            break
64
except KeyboardInterrupt:
65
    pool.terminate()
66
finally:
67
    pool.close()
68
    pool.join()
69

70
# 4. 输出结果
71
if found_q:
72
    print(f"\n[+] Found q: {found_q}")
73
    p = n // found_q
74
    d = inverse_mod(e, (p-1)*(found_q-1))
75
    print(f"[+] Flag: {long_to_bytes(int(pow(c, d, n))).decode(errors='ignore')}")
76
else:
77
    print("\n[-] Failed.")
78
"""
79
[*] Blasting on 16 cores (Direct Mode)...
80
  0%|                                                                                        | 0/328 [00:01<?, ?batch/s]
81

82
[+] Found q: ...
83
[+] Flag: HECTF{ay_mi_gatuto_miau_miau}
84
"""

ez_ecc#

题目：

1
from Crypto.Util.number import *
2
from secret import add,flag,P,Q,b,p
3

4
def oncurve(P):
5
    x,y = P
6
    if (y**2 - x**3 - x - b)%p == 0:
7
        return True
8
    else:
9
        return False
10

11
l = len(flag) // 2
12
m1, m2 = bytes_to_long(flag[:l]), bytes_to_long(flag[l:])
13

14
assert m1 == P[0] and m2 == Q[0]
15
assert oncurve(P) and oncurve(Q)
16

17
print('P + P =', add(P,P))
18
print('P + Q =', add(P,Q))
19
print('Q + Q =', add(Q,Q))
20

21
"""
22
P + P = (..., ...)
23
P + Q = (..., ...)
24
Q + Q = (..., ...)
25
"""

又是一道简洁的题，但是就没很卡了。题目给出了三个椭圆曲线上的坐标：

$R_1=P+P=2P$
$R_2=P+Q$
$R_3=Q+Q=2Q$

其中flag被拆成两半分别是P和Q的x坐标。我们需要恢复p和b来找到曲线方程，在求出P和Q的坐标恢复flag。

令f(P) = y ** 2 - x ** 3 - x，题目给出的点可以两两相减消去b：

\begin{aligned} f(R_1)-f(R_2)=(k_1-k_2)\cdot p\\ f(R_2)-f(R_3)=(k_2-k_3)\cdot p \end{aligned}

gcd就能打出p了，b回代p就能求出b了。

求P和Q的坐标可以直接用 SageMath 的division_points(m)方法，可以高效地求出满足m * X = Y的所有点X，但是会有多解，筛一下就行。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3

4
P_plus_P = (..., ...)
5
P_plus_Q = (..., ...)
6
Q_plus_Q = (..., ...)
7
x1, y1 = P_plus_P
8
x2, y2 = P_plus_Q
9
x3, y3 = Q_plus_Q
10
val1 = y1 ** 2 - x1 ** 3 - x1
11
val2 = y2 ** 2 - x2 ** 3 - x2
12
val3 = y3 ** 2 - x3 ** 3 - x3
13
p = gcd(val1 - val2, val2 - val3)
14
b = val1 % p
15
E = EllipticCurve(GF(p), [1, b])
16
Point_2P = E(x1, y1)
17
Point_PQ = E(x2, y2)
18
Point_2Q = E(x3, y3)
19
possible_Ps = Point_2P.division_points(2)
20
possible_Qs = Point_2Q.division_points(2)
21
real_P = None
22
real_Q = None
23
for cand_P in possible_Ps:
24
    for cand_Q in possible_Qs:
25
        if cand_P + cand_Q == Point_PQ:
26
            real_P = cand_P
27
            real_Q = cand_Q
28
            break
29
    if real_P:
30
        break
31
m1, m2 = int(real_P[0]), int(real_Q[0])
32
flag = long_to_bytes(m1) + long_to_bytes(m2)
33
print(flag.decode())
34
# HECTF{W00O0O_Y0U_G@t_the_ez_Ecc!!___}

ez_random#

题目：

1
from Crypto.Util.number import *
2
import random
3

4
with open('shuffle_flag.txt', 'r') as fp:
5
    flag = fp.read().encode()
6

7
m = bytes_to_long(flag)
8
flag_list = [ int(i) for i in bin(m)[2:] ]
9

10
rand = random.Random()
11

12
rand.shuffle(flag_list)
13
with open("output.txt","w") as fp:
14
    for _ in range(312):
15
        fp.write(str(rand.getrandbits(64))+'\n')
16

17
print('flag_list =',flag_list)
18

19
"""
20
flag_list = [...]
21
"""

MT19937，可以分成两部分看，一部分是shuffle，一部分是后半的随机数恢复state。后半直接用 maple佬的 gf2bv 可以秒，就是要注意一下好像直接 64 bit 塞应该不行，把高低位取出来按 32 位塞。

这题逆向shuffle的地方还有点不是很懂，给了提示之后喂给 Gemini 3 Pro 出的，后面有时间了再学习学习，准备和 MT19937 整个一起学习一下，现在还不是很熟悉，之前 0xGame Week 4 的恢复种子的其实也还不是很清楚hhhh，之后看看整个总结！目前先鸽了~

exp.py：

1
# SageMath 10.7
2
from gf2bv import LinearSystem
3
from gf2bv.crypto.mt import MT19937
4
from Crypto.Util.number import long_to_bytes
5
import sys
6

7
# ==========================================
8
# 1. 基础工具：Untemper
9
# ==========================================
10
def right_shift_inverse(value, shift):
11
    res = value
12
    for i in range(32):
13
        res = value ^ (res >> shift)
14
    return res
15

16
def left_shift_inverse(value, shift, mask):
17
    res = value
18
    for i in range(32):
19
        res = value ^ ((res << shift) & mask)
20
    return res
21

22
def untemper(y):
23
    # 逆向 Tempering 过程
24
    y = right_shift_inverse(y, 18)
25
    y = left_shift_inverse(y, 15, 0xefc60000)
26
    y = left_shift_inverse(y, 7, 0x9d2c5680)
27
    y = right_shift_inverse(y, 11)
28
    return y
29

30
def mt_temper(y):
31
    # 正向 Tempering
32
    y ^= (y >> 11)
33
    y ^= (y << 7) & 0x9d2c5680
34
    y ^= (y << 15) & 0xefc60000
35
    y ^= (y >> 18)
36
    return y
37

38
# ==========================================
39
# 2. 核心：GF(2) 线性缝合求解器
40
# ==========================================
41
def solve_split_state_gf2bv(raw_stream, split_idx):
42
    """
43
    使用 gf2bv 求解被 Split 的状态。
44
    raw_stream: output.txt 对应的 624 个 Untempered 内部状态值
45
    split_idx (K): Shuffle 消耗的随机数数量
46
    """
47

48
    # 1. 初始化 624 个 32位变量的线性系统
49
    # 这些变量代表 S_old (Shuffle 使用的那个原始状态)
50
    lin = LinearSystem([32] * 624)
51
    S_old = lin.gens() # 符号变量列表 S_old[0]...S_old[623]
52

53
    equations = []
54

55
    # 2. 约束一：Old State 的后半部分 == stream 的前半部分
56
    # output.txt 的前 (624-K) 个数，实际上是 S_old 剩下的没被 shuffle 用掉的部分
57
    len_part1 = 624 - split_idx
58
    for i in range(len_part1):
59
        # 在 GF(2) 中，a == b 等价于 a ^ b == 0
60
        equations.append(S_old[split_idx + i] ^ raw_stream[i])
61

62
    # 3. 约束二：Twist(S_old) 的前半部分 == stream 的后半部分
63
    # output.txt 的后 K 个数，是 Twist 之后产生的新状态的前 K 个
64

65
    # 我们需要用符号变量模拟 Twist 过程
66
    mt = list(S_old) # 复制引用，用于模拟 In-place Update
67

68
    # 只需计算前 split_idx (K) 个由 Twist 生成的新值
69
    for i in range(split_idx):
70
        # --- Symbolic MT19937 Twist ---
71

72
        # 1. y = (mt[i] & UPPER) | (mt[i+1] & LOWER)
73
        # 符号运算: (A & mask) ^ (B & mask)
74
        val_i = mt[i]
75
        val_i1 = mt[(i + 1) % 624]
76
        y = (val_i & 0x80000000) ^ (val_i1 & 0x7fffffff)
77

78
        # 2. mag01 = (y & 1) ? 0x9908b0df : 0
79
        # 符号运算: LSB(y) * MATRIX_A
80
        # 我们需要手动实现“标量乘向量”的位操作逻辑
81
        lsb = y & 1
82
        magic_const = 0x9908b0df
83
        mag01 = 0
84

85
        # 遍历 Magic Constant 的每一位，如果为 1，则将 LSB 异或到对应位
86
        for bit_pos in range(32):
87
            if (magic_const >> bit_pos) & 1:
88
                mag01 ^= (lsb << bit_pos)
89

90
        # 3. mt[i] = mt[i+M] ^ (y >> 1) ^ mag01
91
        val_iM = mt[(i + 397) % 624]
92
        new_val = val_iM ^ (y >> 1) ^ mag01
93

94
        # In-place update (重要！模拟真实 Twist 的更新流)
95
        mt[i] = new_val
96

97
        # 添加约束: 这个计算出的新值必须等于 stream 的对应部分
98
        equations.append(new_val ^ raw_stream[len_part1 + i])
99

100
    # 4. 求解
101
    # solve_one 内部使用 M4RI 算法，极快
102
    sol = lin.solve_one(equations)
103

104
    if sol is not None:
105
        return list(sol)
106
    return None
107

108
# ==========================================
109
# 3. 主程序
110
# ==========================================
111

112
# 题目 Shuffled Flag List
113
flag_list = [...]
114

115
# 1. 读取 output.txt 并 Untemper (恢复为内部状态值)
116
try:
117
    with open("output.txt", "r") as f:
118
        outputs = [int(line.strip()) for line in f if line.strip()]
119
except:
120
    print("[-] output.txt not found")
121
    sys.exit()
122

123
raw_stream = []
124
for o in outputs:
125
    # getrandbits(64) 是先 low 后 high
126
    raw_stream.append(untemper(o & 0xffffffff))
127
    raw_stream.append(untemper((o >> 32) & 0xffffffff))
128

129
print("[*] Loaded stream. Probing split index K (Range 380-450)...")
130

131
# 2. 爆破 Split Index K
132
# K 是 Shuffle 消耗的随机数个数，大约在 400 左右
133
for k in trange(380, 450):
134

135
    # 使用 gf2bv 尝试求解缝合状态
136
    S_recovered = solve_split_state_gf2bv(raw_stream, k)
137

138
    if S_recovered:
139
        print(f"\n[+] FOUND Split Index K={k}!")
140

141
        # S_recovered 就是 shuffle 阶段使用的那个完整状态 (Old State)
142
        # Shuffle 消耗了它的前 K 个数
143

144
        # 3. 恢复 Random Stream
145
        rand_stream = [mt_temper(x) for x in S_recovered]
146

147
        # 4. 模拟 Shuffle (解决 Rejection Sampling 定位问题)
148
        swaps = []
149
        stream_idx = 0
150
        possible = True
151

152
        # Fisher-Yates 逻辑: for i in reversed(range(1, N)): j = randbelow(i+1)
153
        for i in range(len(flag_list)-1, 0, -1):
154
            n = i + 1
155
            bits = n.bit_length()
156

157
            while True:
158
                # 如果消耗超过了 K，说明这个状态虽然数学上成立，但不符合 shuffle 过程
159
                if stream_idx >= k:
160
                    possible = False
161
                    break
162

163
                # 取出随机数
164
                r_full = rand_stream[stream_idx]
165
                stream_idx += 1
166

167
                # 模拟右移
168
                r = r_full >> (32 - bits)
169

170
                if r < n:
171
                    swaps.append((i, r))
172
                    break
173
            if not possible: break
174

175
        if possible:
176
            print("[+] Shuffle simulation successful.")
177

178
            # 5. Unshuffle (逆向交换)
179
            curr_list = list(flag_list)
180
            # 逆向执行 swaps (LIFO)
181
            for i, j in reversed(swaps):
182
                curr_list[i], curr_list[j] = curr_list[j], curr_list[i]
183

184
            # 6. 补 0 并解码
185
            final_bits = [0] + curr_list
186
            try:
187
                m = int("".join(str(x) for x in final_bits), 2)
188
                flag = long_to_bytes(m)
189
                print(f"[+] Flag: {flag.decode()}")
190
                if b"HECTF" in flag:
191
                    break
192
            except:
193
                pass
194
        else:
195
            print(f"[-] K={k} solved linearly but failed simulation.")
196

197
print("[*] Done.")
198
# [+] FOUND Split Index K=406!
199
# [+] Shuffle simulation successful.
200
# [+] Flag: HECTF{emmm___its_a_correct_flag?___}
201
# [*] Done.

持续更新中~

Crypto#

下个棋吧#

simple_math#

ez_rsa#

dq#

ez_ecc#

ez_random#