In [6]:
import base64
from Crypto.Util.number import *

# --- ASN.1 编码辅助函数 ---
def encode_len(length):
    if length < 0x80:
        return bytes([length])
    else:
        s = hex(length)[2:]
        if len(s) % 2: s = '0' + s
        b = bytes.fromhex(s)
        return bytes([0x80 | len(b)]) + b

def encode_integer(n):
    b = long_to_bytes(n)
    # ASN.1 INTEGER 是有符号的，如果最高位是1，需要补00
    if b[0] & 0x80:
        b = b'\x00' + b
    return b'\x02' + encode_len(len(b)) + b

def encode_sequence(content):
    return b'\x30' + encode_len(len(content)) + content

def generate_malicious_pem():
    print("[*] Generating malicious p=q key manually...")
    e = 65537
    # 题目要求 p >= 512 bits
    p = getPrime(512)
    q = p  # 设置 p = q
    n = p * q
    
    # 1. 计算能骗过服务器的 d
    # 服务器逻辑: phi = (p-1)*(q-1) = (p-1)^2
    phi_fake = (p - 1) * (q - 1)
    d_fake = inverse(e, phi_fake)
    
    # 2. 计算 CRT 参数 (用于通过服务器检查)
    dmp1 = d_fake % (p - 1)
    dmq1 = d_fake % (q - 1)
    # iqmp = q^-1 mod p。因为 p=q，不存在逆元。
    # 但服务器只检查 dmp1/dmq1，不检查 iqmp。随便填一个。
    iqmp = 1 

    # 3. 手动构造 ASN.1 序列
    # RSAPrivateKey ::= SEQUENCE {
    #   version           Version, (0)
    #   modulus           INTEGER, (n)
    #   publicExponent    INTEGER, (e)
    #   privateExponent   INTEGER, (d)
    #   prime1            INTEGER, (p)
    #   prime2            INTEGER, (q)
    #   exponent1         INTEGER, (d mod p-1)
    #   exponent2         INTEGER, (d mod q-1)
    #   coefficient       INTEGER, (inv(q) mod p)
    # }
    content = b''
    content += encode_integer(0)       # Version
    content += encode_integer(n)       # n
    content += encode_integer(e)       # e
    content += encode_integer(d_fake)  # d (fake)
    content += encode_integer(p)       # p
    content += encode_integer(q)       # q
    content += encode_integer(dmp1)    # dmp1
    content += encode_integer(dmq1)    # dmq1
    content += encode_integer(iqmp)    # iqmp

    der = encode_sequence(content)
    
    # 4. 封装成 PEM
    b64 = base64.b64encode(der).decode()
    pem = "-----BEGIN RSA PRIVATE KEY-----\n"
    # 每 64 字符换行
    for i in range(0, len(b64), 64):
        pem += b64[i:i+64] + "\n"
    pem += "-----END RSA PRIVATE KEY-----"
    
    return pem.encode(), p, n

pem, p, n = generate_malicious_pem()
print(p)
print(pem.decode())


[*] Generating malicious p=q key manually...
8664599897181828105768700145910830040465303865998233185749388220210735896059664821298925145211253607645487520572119444307812923824342816438950795235215727
-----BEGIN RSA PRIVATE KEY-----
MIICHQIBAAKBgGrpJ88ms5wk7DyXcug2TPjROXKKS7eWRxNdHKbaXU9sbn6BqL4x
Z8kf4nbkaSRAzcgPVC/3//HOr1Tdf18etK4spq7akTY2TOR6SvXiTWt3uPmX5fun
yiIU9G8VXucOtDCxxEsXxibGJnVQII82LVSP6/grl6NhIW4e4sPcA34hAgMBAAEC
gYAEsKPBb6YzdF80rUQqMa+gvrTxdGWr8Ri/HbeTDkNHp68VN6TqawpthUuPAagn
IfylCR8dV5jPx8xjQbBDwPoWF3WB/DZVcwYfTRPDmjaUma+LHYpHmeNnMi7Cyih4
Tnb97RpA16ypzNCQVi7UjVgNyl3eEmYdSoP+4sZP1YwkrQJBAKVvrpzoXW1yB5m0
RpXfnfKHDyLLI2WGdED5U+fbmJ5EcKyThhKhvcAb/kB0PijRmx/+3pmSfSjORVFI
INheyW8CQQClb66c6F1tcgeZtEaV353yhw8iyyNlhnRA+VPn25ieRHCsk4YSob3A
G/5AdD4o0Zsf/t6Zkn0ozkVRSCDYXslvAkEAhKm8cmL7mKpaYe1otQKvHC8l+ha/
+cgKLZhCqqk0B6aGXD2oxAQjr4xDJNiSiBUdulidlLUd3L0cZQPcIuZPzQJBAISp
vHJi+5iqWmHtaLUCrxwvJfoWv/nICi2YQqqpNAemhlw9qMQEI6+MQyTYkogVHbpY
nZS1Hdy9HGUD3CLmT80CAQE=
-----END RSA PRIVATE KEY----

In [8]:
from Crypto.Util.number import *

# p = q
e = 65537
p = 8664599897181828105768700145910830040465303865998233185749388220210735896059664821298925145211253607645487520572119444307812923824342816438950795235215727
n = p * p
phi = p * (p - 1)
c = 67685310538249676352399325834357313303919805420820158283343930487047917365955792869017658385587481996915221583604476776155718036549893232469898723817876009078771133925296144706631272143351740599730283800704721812627434803098613552688952035737166682783919387173687710532979619012011903592633827557328537370270
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))


b'BCCTF{R54_Br0K3n_C0nF1rm3d????}'
