Litctf2024-Crypto方向wp

Litctf 2024

战况

比赛时16题出10题,隔天复现的时候发现自己有点愚蠢,比如少复制了一个数什么的,我哭死。

总排名24 (web和misc被ak,密码10,re2,pwn1)


以下是题目环节

因为有些数据太多太大就没有写上来,可以去nssctf下载,也可以在我的github下载

common_primes

task

 

 

from Crypto.Util.number import *
from secret import flag

# Challenge generator: the same flag is RSA-encrypted under two moduli.
e = 65537
m = bytes_to_long(flag)

# A single 512-bit prime p is shared by both moduli, so anyone holding n1 and
# n2 can recover p as gcd(n1, n2) without factoring either number. Moduli
# must never share a prime factor.
p = getPrime(512)
q1, q2 = getPrime(512), getPrime(512)
n1, n2 = p * q1, p * q2

# Textbook (unpadded) RSA of the same message under each modulus.
c1, c2 = pow(m, e, n1), pow(m, e, n2)

# Only the moduli and the ciphertexts are published.
for label, value in (("n1", n1), ("n2", n2), ("c1", c1), ("c2", c2)):
    print(f"{label} = {value}")

'''
n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420
'''

 

思路:观察可得到p=gcd(n1,n2),flag就出来了

exp

n1=
n2=
c1=
c2=

from gmpy2 import *
from Crypto.Util.number import *

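# n1 and n2 were generated with the same prime p, so one gcd factors n1.
p = gcd(n1, n2)
q1 = n1 // p

# Euler's totient of n1 = p * q1. The listing used an undefined name `q`
# here; the cofactor computed on the previous line is q1.
phi = (p - 1) * (q1 - 1)
d = inverse(65537, phi)
m = pow(c1, d, n1)

# int() normalises a possible gmpy2 mpz before the byte conversion.
print(long_to_bytes(int(m)))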

#LitCTF{c0mmunity_w1th_two_ciphert3xt}

common_primes_plus(复现)

task

from Crypto.Util.number import *
from secret import flag,a,b,c,d

# a, b, c, d are secret primes tied together by a*c - b*d = 1.
assert a * c == b * d + 1
assert all(isPrime(v) for v in (a, b, c, d))

e = 65537
m = bytes_to_long(flag)

# Both moduli reuse the prime p; only n1 is published this time.
p = getPrime(512)
q1, q2 = getPrime(512), getPrime(512)
n1, n2 = p * q1, p * q2

# Each hint is an integer combination of n1 and n2 and therefore a multiple
# of p, so publishing it leaks the shared factor just as n2 would.
hint1 = a * n1 + b * n2
hint2 = c * n1 + d * n2

# NOTE: this rebinds c; from here on it is the ciphertext, not the secret prime.
c = pow(m, e, n1)

for label, value in (("n1", n1), ("hint1", hint1), ("hint2", hint2), ("c", c)):
    print(f"{label} = {value}")

'''
n1 = 72619153900682160072296441595808393095979917106156741746523649725579328293061366133340736822282117284050717527134297532031234706715551253283030119063143935874516054785948327252045453986903379262257406260016876625891582923191913450785482873961282498295762698500898694660964018533698142756095427829906473038053
hint1 = 115150932086321440397498980975794957800400136337062771258224890596200580556053305338941267789684878816176014493153795643655219028833232337281425177163963414534998897852644398384446019097451620742463880027107068960452304016955877225140421899265978792650445328111566277376529454404089066088845864500514742797060500618255170627
hint2 = 166820160267525807953634213157298160399912450930658918773153592459310847514047652216110562360456335336533080444219104489314586122760398361430693763814336759476811490524054588094610387417965626546375189720748660483054863693527537614055954695966458622029711055735399842018236940424665041143785192280089418185085532002136215976
c = 28378912671104261862184597375842174085651209464660064937481961814538145807266472966765374317717522401362019901110151858589886717440587644003368826809403188935808872400614919296641885383025657934630410406898092262104442977722339379234085663757182028529198392480656965957860644395092769333414671609962801212632
'''

思路:hint1*hint2 ≡ b*d*n2^2 (mod n1),而 p 同时整除 n1 和 n2,所以 hint1*hint2%n1 一定是 p 的倍数,拿它和 n1 做 gcd 就是 p(比赛时一直在想解方程和构造式子,蠢了)

 

exp

n1=
hint1=
hint2=
c=

import gmpy2
from Crypto.Util.number import *

# hint1 and hint2 are integer combinations of n1 and n2, so their product
# reduced mod n1 is still divisible by the shared prime p.
residue = (hint2 * hint1) % n1
p = gmpy2.gcd(residue, n1)
q = n1 // p

# Ordinary RSA private exponent for n1 = p * q.
phi = (p - 1) * (q - 1)
d = inverse(65537, phi)
m = pow(c, d, n1)

# int() turns a possible gmpy2 mpz into a plain int before byte conversion.
print(long_to_bytes(int(m)))

#LitCTF{th1s_i5_a_adv4nced_c0mmon_prim3s}

 

CRT

task

from Crypto.Util.number import *
from secret import flag

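# Challenge generator: one message, ten independent 2048-bit moduli, e = 10.
m = bytes_to_long(flag)
e = 10

n_list = []
c_list = []

# The same unpadded message goes to e recipients under the same small
# exponent (broadcast setting). Since m < n for every modulus, m**e is smaller
# than the product of the ten moduli, so CRT over the ciphertexts yields m**e
# as a plain integer. Randomised padding is what prevents this.
for i in range(10):
    p = getPrime(1024)
    q = getPrime(1024)
    n = p * q
    c = pow(m, e, n)
    n_list.append(n)
    c_list.append(c)

print(f"n_list = {n_list}")
print(f"c_list = {c_list}")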

'''
n_list =[] 
c_list = []
'''

思路:简单的crt,直接用就行

 

exp

n=[]
c=[]

from gmpy2 import*
from sympy.ntheory.modular import crt
from Crypto.Util.number import long_to_bytes

# n holds the ten moduli and c the ten ciphertexts printed by the task.
# sympy's crt(moduli, residues) returns (value, combined modulus); the value
# is m**10 as an integer because m**10 is below the product of the moduli.
combined, _modulus = crt(n, c)

# iroot returns (root, is_exact); only the root is used here.
root, _exact = iroot(combined, 10)
print(long_to_bytes(root))

#LitCTF{CRT_i5_s0_e4sy!!!}

 

 

CRT_plus

task

from Crypto.Util.number import *
import random
from secret import flag

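# Challenge generator: broadcast RSA with a public linear transform per recipient.
m = bytes_to_long(flag)

e = 5
# Public coefficients: recipient i receives the encryption of A[i]*m + B[i].
A = [random.randint(1, 128) for i in range(e)]
B = [random.randint(1, 1024) for i in range(e)]

C = []
N = []

# A known linear transform is not padding: each ciphertext gives a degree-e
# polynomial relation in the same unknown m, and e such relations under
# different moduli can be combined with CRT.
for i in range(e):
    p = getPrime(1024)
    q = getPrime(1024)
    n = p * q
    c = pow(A[i] * m + B[i], e, n)
    N.append(n)
    C.append(c)

print(f'A = {A}')
print(f'B = {B}')
print(f'C = {C}')
print(f'N = {N}')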

'''
A=[]
B=[]
C=[]
N=[]
'''

思路:逆着玩一遍,求出来flag就行了,网上很多这种脚本

exp

A=[]
B=[]
C=[]
N=[]

from gmpy2 import*
from Crypto.Util.number import *

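# Run under SageMath: PolynomialRing, ZZ, Zmod, crt, prod and small_roots are
# Sage names, not gmpy2 or PyCryptodome ones.

# Public exponent from the task. The listing used e below without ever
# assigning it.
e = 5

PR = PolynomialRing(ZZ, 'x')
x = PR.gen()

# One polynomial per recipient: (A[i]*x + B[i])**e - C[i] vanishes at x = m
# modulo N[i].
Fs = []
for i in range(e):
    f = (A[i] * x + B[i]) ** e - C[i]
    Fs.append(f)

# Combine the five congruences into one polynomial modulo the product of all
# moduli, then look for its small root.
F = crt(Fs, N)
M = prod(N)
FF = F.change_ring(Zmod(M))
m = FF.monic().small_roots()
print(m)

# Root printed by the run above, pasted back in by the author.
m = 8847897050085851473564854484413983817216958962023025389356964736387193476705149
print(long_to_bytes(m))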

#LitCTF{Y0u_know_broadca5t_att4ck}

 

little_fermat

task

from Crypto.Util.number import *
from sympy import *
from secret import flag,gen_x
e = 65537
m = bytes_to_long(flag)

# q is the prime immediately after p, so both factors sit right next to
# sqrt(n) and n can be split from an integer square root. RSA primes must be
# chosen independently.
p = getPrime(512)
q = nextprime(p)
n = p * q

# Secret mask derived from p; the assertion states 666666**x ≡ 1 (mod p).
x = gen_x(p)
assert pow(666666, x, p) == 1

# The flag is XOR-masked with x before textbook RSA encryption.
m ^= x
c = pow(m, e, n)

for label, value in (("n", n), ("c", c)):
    print(f'{label} = {value}')

'''
n = 122719648746679660211272134136414102389555796575857405114496972248651220892565781331814993584484991300852578490929023084395318478514528533234617759712503439058334479192297581245539902950267201362675602085964421659147977335779128546965068649265419736053467523009673037723382969371523663674759921589944204926693
c = 109215817118156917306151535199288935588358410885541150319309172366532983941498151858496142368333375769194040807735053625645757204569614999883828047720427480384683375435683833780686557341909400842874816853528007258975117265789241663068590445878241153205106444357554372566670436865722966668420239234530554168928
'''

 

 

 

思路:费马小定理a^(p-1)≡1(mod p),那么可以得到x=p-1

exp

n = 
c = 

from Crypto.Util.number import *
from gmpy2 import *

# p and q are consecutive primes, so floor(sqrt(n)) lies in [p, q) and the
# next prime after it is q.
root = iroot(n, 2)[0]
q = next_prime(root)
p = n // q

d = invert(65537, (p - 1) * (q - 1))
m = pow(c, d, n)

# Undo the XOR mask. The author takes x = p - 1, the exponent given by
# Fermat's little theorem for the task's assertion.
m ^= p - 1

print(long_to_bytes(m))

#LitCTF{Y0u_know_littl3_ferm4t_th3ory}

 

little_fermat_plus(复现)

task

from Crypto.Util.number import *
from sympy import *
from secret import flag,gen_x

e = 65537
m = bytes_to_long(flag)

# As in the previous task, q is the prime right after p, so n factors from
# its integer square root.
p = getPrime(512)
q = nextprime(p)
n = p * q

# Secret mask derived from p. The right-hand side is written 1 ** 1024,
# which evaluates to 1.
x = gen_x(p)
assert pow(666666, x, p) == 1 ** 1024

# XOR-mask the flag with x, then apply textbook RSA.
m ^= x
c = pow(m, e, n)

for label, value in (("n", n), ("c", c)):
    print(f'{label} = {value}')

'''
n = 169522900072954416356051647146585827691225327527086797334523482640452305793443986277933900273961829438217255938808371865341750200444086653241610669340348513884285892043530862971785487294831341653909852543469963032532560079879299447677636753647721541724969084825510405349373420839032990681851700075554428485967
c = 105943762023156641770119141175498496686312095002592803768522760959533958364969985856505466722378959991757667341747887520146437729810252085791886309974903778546814812093444837674447485802109225767800488527376777153844313243366001288246744190001997192598159277512188417272938455513900277907186067996704043274199
'''

思路:与上一题不同点在于1**1024,其实就是666666**(p-1)=1%p两边同时乘方1024

 

exp

n = 
c =

from Crypto.Util.number import *
from gmpy2 import *

# Consecutive primes: the next prime after floor(sqrt(n)) is q.
root = iroot(n, 2)[0]
q = next_prime(root)
p = n // q

d = inverse(65537, (p - 1) * (q - 1))
m = pow(c, d, n)

# Undo the XOR mask; the author's choice of x for this variant is (p-1)*1024.
m ^= (p - 1) * 1024

print(long_to_bytes(m))

#LitCTF{It_i5_little_f3rm4t_the0ry_extends}

 

 

mid(复现)

task

from enc import flag
from Crypto.Util.number import *
import gmpy2

e = 65537
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p * q
c = pow(m, e, n)

# Partial key exposure: the top 100 bits and the low 500 bits of the
# 1024-bit prime p are published, leaving 424 middle bits unknown.
leak1 = p >> 924
leak2 = p & (2**500 - 1)

for label, value in (("n", n), ("e", e), ("c", c), ("leak1", leak1), ("leak2", leak2)):
    print(f"{label} = {value}")

'''
n = 10912724749357317040117295175340915836309117326481842971911576002816136982982366412133127436929465794389631046998036509363047557873155846920275327196471118680559431161116535588318645353317739214770132790445807395653916337747136630775427171105596048281228718048314706544665819996610453587925745842345926654572410324847927833437471701176403031302117052425160845583678182335391697596801106017558494065612842298945201720733418994561321697012416704574891516720606917736854915347853341353358814869449590841870866128113400765492223847582506991200050368263722438854522124807397499067048911261448546634778788867555039834459211
e = 65537
c = 6991017300002465473760665517672638980904771950587963320768028786572848880002446111427309844155944419991711131609525886799710433964716773503883581910737560542905952516670539044167012461107915291519628081744473505479068712979401023972013124089857993361492602682730769445826818873805246777789559501477084603991595919524098203387452563401306823917989080019788620521432596833764004972429814705900915782768111621466120683534147560628509733828773006451505153520893053368254310905682981931980175859011116643271531341395883753605992130701423800808678200033639094180802506618083869818685981234182334150817211223363755511509799
leak1 = 749278395841748263310980933893
leak2 = 2675756732628494397256285826768672620995252274010849868485475743575097846941007603037228233621038664628877573057336866559545388148568450491606789423985
'''

思路:额,比赛的时候想的是mitm,赛后发现直接写好像就行,p的高位和低位泄露

 

exp

n = 
e =
c = 
leak1 =
leak2 = 

from Crypto.Util.number import *

# Run under SageMath: `R.<x> = ...` and `^` as exponentiation are Sage
# preparser syntax (in plain Python `^` would be XOR).
# Put the two leaked pieces of p back at their bit positions.
phigh = leak1 << 924
plow = leak2

# Univariate polynomial ring modulo n; x stands for the unknown middle bits.
R.<x> = PolynomialRing(Zmod(n))

# p = phigh + x*2^500 + plow, so this polynomial is 0 modulo p at the right x.
f = phigh + x*2^500 + plow
# small_roots needs a monic polynomial.
f = f.monic()
# Look for roots below 2^424 (the unknown part is 424 bits) modulo a divisor
# of n of size at least n^0.49, i.e. modulo p.
res = f.small_roots(X=2^424,beta=0.49)
for root in res:
   # Rebuild p from the recovered middle bits, then decrypt as usual.
   p = phigh + int(root)*2^500 + plow
   q = n // p
   d = inverse(e,(p-1)*(q-1))
   m = pow(c,d,n)
   print(long_to_bytes(int(m)))

# LitCTF{3b633bcc134c1d0f5c07ea7873f91c26}

 

 

Polynomial

task

from Crypto.Util.number import *
from secret import *

e = 65537
m = bytes_to_long(flag)

# Three-prime RSA modulus; n itself is never printed.
p = getPrime(512)
q = getPrime(512)
r = getPrime(512)
n = p * q * r

# Three published equations in the three secret primes. Together they
# determine p, q and r, so the "hints" give away the whole private key.
Polynomial1 = p * p + q
Polynomial2 = q * q + r
Polynomial3 = r * r + p

c = pow(m, e, n)

for label, value in (
    ("Polynomial1", Polynomial1),
    ("Polynomial2", Polynomial2),
    ("Polynomial3", Polynomial3),
    ("c", c),
):
    print(f"{label} = {value}")

'''
Polynomial1 = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142
Polynomial2 = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760
Polynomial3 = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832
c = 690029769225186609779381701643778761457138553080920444396078012690121613426213828722870549564971078807093600149349998980667982840018011505754141625901220546541212773327617562979660059608220851878701195162259632365509731746682263484332327620436394912873346114451271145412882158989824703847237437871480757404551113620810392782422053869083938928788602100916785471462523020232714027448069442708638323048761035121752395570167604059421559260760645061567883338223699900
'''

思路:本来以为是多项式什么的,结果是解方程

 

exp

Polynomial1 = 
Polynomial2 = 
Polynomial3 = 
c = 

from Crypto.Util.number import*
from gmpy2 import*
from sympy import*

# Solve the three published equations symbolically with sympy.
p, q, r = symbols('p q r')
equations = [
    p**2 + q - Polynomial1,
    q**2 + r - Polynomial2,
    r**2 + p - Polynomial3,
]
# NOTE: r is rebound from the symbol to the list of solutions.
r = solve(equations, (p, q, r))
print(r)

p=7625900647186256736313352208336189136024613525845451962194744676052072325262646533642163553090015734584960267587813894745414843037111074258730819958397631
q=13103163880267648221851617296336865295731278851373488569182099549824826973560296247802058712197255433671825570972129891122274435889696663320490806634737981
r=9898805297737495640281149403465681435952383402115255751446422784763742395898034378399391604085137196351802539935697155137226495010184322468562791581344399

# p, q and r are the values pasted in above from the solver output.
modulus = p * q * r
# Totient of a product of three distinct primes.
phi = (p - 1) * (q - 1) * (r - 1)
d = inverse(65537, phi)
m = pow(c, d, modulus)
print(long_to_bytes(m))

#LitCTF{P0lynomi4l_i5_inter3st1ng}

 

 

Polynomial_plus

task

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)

# Both primes are fixed public polynomials evaluated at one secret 64-bit k,
# so the 64 bits of k are the only secret behind n: n = p(k) * q(k) is a
# single-variable equation in k.
while True:
    k = getRandomNBitInteger(64)
    p = k**10 + 22*k**8 + 53*k**6 - 22*k**4 - 39*k**2 + 114514
    q = k**9 + 10*k**7 - 13*k**6 - 2*k**4 + 111*k**2 + 1919810
    # Keep drawing k until both polynomial values are prime.
    if not (isPrime(p) and isPrime(q)):
        continue
    e = 65537
    n = p * q
    c = pow(m, e, n)
    for label, value in (("n", n), ("c", c)):
        print(f"{label} = {value}")
    break

'''
n = 343424787688946710828788193478518340184635630498236346907606509763011890082198311173501834898393322176325060349656021994088578448585570427399686920253145504431065451412326430233084073651599248661762036671841142048573051549474182586297565046285161375600990596119448538118327240405957845178956427810835797220204485242640945891970398041508724313442375608608662117158013
c = 300097152084696274516003269451037367405899874736667089358316145472977115856239312841307278390995620995063953407731245808077915106161525019835875978698148238617148929170257141762407514139479267867121064342168993486529889088067645866930029787500052390195406519896658384623575160091828173111087120708969655686251340535134778177193882787257773427670338018428731395437974
'''

思路:解方程

 

exp

n = 343424787688946710828788193478518340184635630498236346907606509763011890082198311173501834898393322176325060349656021994088578448585570427399686920253145504431065451412326430233084073651599248661762036671841142048573051549474182586297565046285161375600990596119448538118327240405957845178956427810835797220204485242640945891970398041508724313442375608608662117158013

from sympy import *

def _p_of(k):
    """Return the task's degree-10 polynomial for p evaluated at k."""
    return k**10 + 22*k**8 + 53*k**6 - 22*k**4 - 39*k**2 + 114514


def _q_of(k):
    """Return the task's degree-9 polynomial for q evaluated at k."""
    return k**9 + 10*k**7 - 13*k**6 - 2*k**4 + 111*k**2 + 1919810


# Symbolic pass: n = p(k) * q(k) is one equation in the single unknown k.
k = var('k')

p = _p_of(k)
q = _q_of(k)
r = solve([p*q - n], [k])

print(r)

# Integer solution reported by the solver, pasted back in; p and q are then
# re-evaluated as plain integers.
k = 17327183749088974321
p = _p_of(k)
q = _q_of(k)

c = 300097152084696274516003269451037367405899874736667089358316145472977115856239312841307278390995620995063953407731245808077915106161525019835875978698148238617148929170257141762407514139479267867121064342168993486529889088067645866930029787500052390195406519896658384623575160091828173111087120708969655686251340535134778177193882787257773427670338018428731395437974

from Crypto.Util.number import *
# p and q are the integers rebuilt from k above; n and c come from the task.
phi = (p - 1) * (q - 1)
d = inverse(65537, phi)
m = pow(c, d, n)

print(long_to_bytes(m))

#LitCTF{Th1s_i5_a_trick_for_s0lving_polynomi4l}

 

 

small_e

task

from Crypto.Util.number import *
from secret import flag

p = getPrime(1024)
q = getPrime(1024)
n = p * q
e = 3

# Every flag character is encrypted on its own with e = 3 and no padding.
# ord(ch)**3 is far below the 2048-bit n, so no modular reduction happens and
# each "ciphertext" is just the integer cube of a character code.
c_list = [pow(ord(ch), e, n) for ch in flag]

print(f"n = {n}")
print(f"c_list = {c_list}")

'''
n = 19041138093915757361446596917618836424321232810490087445558083446664894622882726613154205435993358657711781275735559409274819618824173042980556986038895407758062549819608054613307399838408867855623647751322414190174111523595370113664729594420259754806834656490417292174994337683676504327493103018506242963063671315605427867054873507720342850038307517016687659435974562024973531717274759193577450556292821410388268243304996720337394829726453680432751092955575512372582624694709289019402908986429709116441544332327738968785428501665254894444651547623008530708343210644814773933974042816703834571427534684321229977525229
c_list = [438976, 1157625, 1560896, 300763, 592704, 343000, 1860867, 1771561, 1367631, 1601613, 857375, 1225043, 1331000, 1367631, 1685159, 857375, 1295029, 857375, 1030301, 1442897, 1601613, 140608, 1259712, 857375, 970299, 1601613, 941192, 132651, 857375, 1481544, 1367631, 1367631, 1560896, 857375, 110592, 1061208, 857375, 1331000, 1953125]
'''

思路:我是直接当成小e直接开三次方写了

 

exp

n = 
c_list =

from Crypto.Util.number import *
from gmpy2 import*

# Each entry is a plain integer cube, so an integer cube root gives back the
# character code. iroot returns (root, is_exact); only the root is used.
for c in c_list:
    m = iroot(c, 3)[0]
    print(chr(m), end="")
#LitCTF{you_know_m_equ4l_cub3_root_0f_n}

 

 

common_primes_plus

task

from Crypto.Util.number import *
import random
from secret import flag

# The public exponent is random but drawn from only 1001 possible values and
# is not printed.
e = random.randint(1000, 2000)
p = getPrime(1024)
q = getPrime(1024)
n = p * q

# Deterministic per-character encryption: equal characters give equal
# ciphertexts, and the plaintext space is only as large as the character set.
c_list = [pow(ord(ch), e, n) for ch in flag]

print(f"n = {n}")
print(f"c_list = {c_list}")

'''
n=
c_list=[]
'''

思路:观察一下给的代码,可以知道c_list[0]肯定是L计算来的,那么就可以爆破出准确的e值

 

exp

n=
c_list=[]

from Crypto.Util.number import *
from gmpy2 import*
import random

flag = ''

# Known-plaintext search for e: the flag starts with 'L', so the exponent in
# [1000, 2000] that maps ord('L') to the first ciphertext is the one used.
for i in range(1000, 2001):
    if pow(ord('L'), i, n) != c_list[0]:
        continue
    print(i)
    break

# Exponent reported by the search above, pasted back in.
e = 1924

# Encryption is deterministic and per character, so re-encrypt candidate code
# points until one matches; unmatched ciphertexts contribute nothing.
for c in c_list:
    flag += next((chr(j) for j in range(0, 10000) if pow(j, e, n) == c), '')

print(flag)

#LitCTF{sometim3s_y0u_need_to_rever5e_your_m1nd}

 

 

真·签到(复现)

task

from enc import flag
from Crypto.Util.number import *
import gmpy2
import random

p = getPrime(512)
q = getPrime(512)
# Secret exponent, but drawn from a range of only about 10**8 values.
e = random.randint(2, 10**8)
n = p * q

# Deterministic, unpadded encryption of one character at a time.
c = []
for ch in flag:
    c.append(pow(ord(ch), e, n))

print(f"n = {n}")
print(f"c = {c}")

'''
n=
c=[]
'''

思路:和上一题一样

 

exp

from tqdm import *
n = 
c = 

# Known-plaintext search for e: the flag starts with 'L'. trange is tqdm's
# range with a progress bar.
for e in trange(2, 10**8):
    if pow(ord('L'), e, n) != c[0]:
        continue
    print(e)
    break

# Exponent reported by the search above, pasted back in.
e = 9897777

# Re-encrypt every printable ASCII code and keep the ones that match each
# ciphertext, in ciphertext order.
flag = "".join(
    chr(j)
    for ct in c
    for j in range(33, 128)
    if pow(j, e, n) == ct
)
print(flag)

# LitCTF{f9fab7522253e44b48824e914d0801ba}

 

 

男人,什么罐头我说!

古典密码,扔厨师里面就出来了,培根密码

LitCTF{MANWHATCANLSAY}

 

 

你是capper,还是copper?(复现)

task

from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
N = getPrime(2048)
p = getPrime(512)
q = getPrime(512)
n = p * q
e = getPrime(1024)
c = pow(m, e, n)

# Q drops the low 100 bits of q and is only published as Q**5 mod N.
Q = q >> 100
# P is p with 100 zero bits appended: a left shift discards nothing, so
# printing P publishes the prime p in full.
P = p << 100
a = pow(Q, 5, N)

# print(label, value) keeps the "e= <value>" layout; n is not printed.
for label, value in (("e=", e), ("c=", c), ("a=", a), ("N=", N), ("P=", P)):
    print(label, value)
print ("P=",P)

'''
e = 13072237795424057999129127027979234989717137387957646486113645675299547455876355434346547808746552482965795288244687521108647998478307740108159933821771239011129296482617888480397978257432977308896431711182794340987048211178166823842422554472231405752077101111017727678497340027900077855145324567076470130835
c = 68627543734818005182182738951459640368220444851344171131951942770319683236026987275564911027739185775745844128612642216644533871400591052349794872565933125142881743934565729384895786720059720829738537411808512740621199697348750764033684771791461466523568130279863016302934164238161768481421610386382948741646
a = 29886515512126216731872822863342168524178804819277798137694648187535122007361698348012826864316113462619631404784701713598250504350847404704511275173569527993044728758373465323132649093666827652191127263514969054034178232381536186558882792792658400658805864317969510789325209629970510611697264690242354910697279101097076160734551272655637072457755427702327968248887832201456315670206545608108548532387404598868338062368026986272531243881152161156845992888930282181928184864800163331550035605892120822893818762473564190742360913032722805345122954472060199209651480909308623204782049913146103631197775952155897296727758
N = 30862422297928709181239751692704342665112621784469743119416634932990957784925336225419558020781912482604031494963767628422741140218194125167564890910023973751859762772564509417727807585344663605720306848651674777455957321846686766028032897935430317914513843941842612162856081647345544367930417644089939010942052714956124340450925431546635109101203596120066417771724536199794090338054127436783996371330443765655164007345152020956671886134143225546713511939703191665568669852593956318012200617631356629493372579211049274189611392878353716894836226969536226832390617104216783180964503619839420953622098097344241832069521
P=8770594378518257184819328657308152928029757169205998713929325053727701443407644651726148745366587806353078115048763121275581729457548618046203512855832519694356213899919351220281540608
'''

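思路:复现的时候莫名其妙的,把P右移100位,然后用p求解,就出来了?(P=p<<100 只是在 p 的低位补了 100 个 0 比特,右移回去就是完整的 p;flag 很短,应该有 m<p,所以在模 p 下用 d=e^(-1) mod (p-1) 解密就能得到 m。)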

 

exp

e = 
c = 
P = 

from gmpy2 import *
from Crypto.Util.number import *

# P is p shifted left by 100 bits, so shifting back returns p exactly.
p = P >> 100

# Decrypt modulo p alone: d inverts e modulo p - 1.
# NOTE(review): this gives m only if m < p; presumably true for a short flag.
d = invert(e, p - 1)
recovered = pow(c, d, p)

print(long_to_bytes(int(recovered)))

# LitCTF{wiener_@nd_c0pp3r}

 

 

真·EasyRSA

task

from Crypto.Util.number import *
from secret import flag

# The prime itself is printed, and the modulus is the prime power p**4.
# Its totient p**3 * (p - 1) follows directly from p, so there is no
# factoring problem protecting the private key.
p = getPrime(256)
print(p)

e = 65537
n = p**4
m = bytes_to_long(flag)

c = pow(m, e, n)
print(c)

'''
c1= 78995097464505692833175221336110444691706720784642201874318792576886638370795877665241433503242322048462220941850261103929220636367258375223629313880314757819288233877871049903331061261182932603536690216472460424869498053787147893179733302705430645181983825884645791816106080546937178721898460776392249707560
c2= 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219
n = 111880903302112599361822243412777826052651261464069603671228695119729911614927471127031113870129416452329155262786735889603893196627646342615137280714187446627292465966881136599942375394018828846001863354234047074224843640145067337664994314496776439054625605421747689126816804916163793264559188427704647589521
'''

思路:第一眼看上去先把n开四次方,然后直接写,然后就会得到

 

LitCTF{HeRe_1s_Weak_F1aG}hahahaha_____hint_is_93492332457019255141294502555555489582661562346262162342211605562996217352449

你人还怪好的,然后就开始想这个hint可以用于什么地方,发现和p的位数差不多大,试试把他和p相乘当作n2去求解,结果真出来了

 

exp

c1=
c2=
n=

from Crypto.Util.number import *
from gmpy2 import*

p=102846375519753428570573823986925744957687092615041080268232889119455234034483

# n is a prime power p**4, whose totient is p**3 * (p - 1).
phi = p**3 * (p - 1)
d = inverse(65537, phi)
m1 = pow(c1, d, n)
print(long_to_bytes(m1))

hint=93492332457019255141294502555555489582661562346262162342211605562996217352449

# The author's guess: treat the hint as a second prime and p * hint as the
# modulus for c2. The primality of hint is not checked here.
n1 = p * hint
d2 = inverse(65537, (p - 1) * (hint - 1))
m2 = pow(c2, d2, n1)

print(long_to_bytes(m2))

#LitCTF{R1ght_Answ3r!}

 

 

暗号-paillier(复现)

看题目是paillier的问题,看了看这两篇文章csdn知乎

因为还没有办法开环境,所以就看了看写了的师傅的wp,发现了这个式子,d(c1*c2%n**2)=m1+m2。那如果我输进去00,记第一次返回值为a,加密的为b,那么a*b%n**2,我再把这个数输入进去得到的数,做crt应该就是flag


总结

感觉自己还是太菜了,对一些题并不敏感,知识不能灵活运用,还得加油继续练。

 

 

心如草木,向阳而生