题目:
from Crypto.Util.number import *
# Placeholder flag: the text between the braces is presumably masked out in the
# published copy of the challenge; the real value is what the solver recovers.
flag = b"NSSCTF{******}"
class LCG:
    """Linear congruential generator: state' = (a * state + b) mod n.

    Every value returned by ``generate`` is the complete internal state, so
    the generator offers no secrecy once ``a``, ``b`` and ``n`` are known.
    """

    def __init__(self, seed, a, b, n):
        # Current state, multiplier, increment and modulus, in that order.
        self.seed, self.a, self.b, self.n = seed, a, b, n

    def generate(self):
        """Advance the state by one step and return the new state."""
        advanced = (self.a * self.seed + self.b) % self.n
        self.seed = advanced
        return advanced
# The flag itself is the initial state; multiplier, increment and modulus are
# three independently drawn 256-bit primes.
lcg = LCG(
    seed=bytes_to_long(flag),
    a=getPrime(256),
    b=getPrime(256),
    n=getPrime(256),
)

# Advance the state an undisclosed number of times (a random 16-bit prime).
for _ in range(getPrime(16)):
    lcg.generate()

# All three parameters are published along with one further output. Since a
# and n are distinct primes, a is invertible modulo n, so every state has
# exactly one predecessor and the hidden step count is the only unknown left.
print(f'a = {lcg.a}')
print(f'b = {lcg.b}')
print(f'n = {lcg.n}')
print(lcg.generate())
'''
a = 113439939100914101419354202285461590291215238896870692949311811932229780896397
b = 72690056717043801599061138120661051737492950240498432137862769084012701248181
n = 72097313349570386649549374079845053721904511050364850556329251464748004927777
9772191239287471628073298955242262680551177666345371468122081567252276480156
'''
解题思路:
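- 我们需要反推多少项呢?我们并不知道,因为迭代的次数 `getPrime(16)` 是一个随机数,但是这并不妨碍我们求解flag。由于 a 和 n 是不同的素数,a 在模 n 下存在逆元,所以每一步都可以反推:seed_{k-1} = (seed_k - b) · a^{-1} mod n;又因为 `getPrime(16)` 小于 2^16,最多反推 2^16 步即可回到初始种子。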
- 因为flag的格式 `b"NSSCTF{"` 我们已经知道,只需要不断反推,直至找到符合格式的flag为止
解答:
import gmpy2
import libnum
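# Published challenge parameters: multiplier a, increment b, modulus n, and
# the single output c printed by the challenge script.
a = 113439939100914101419354202285461590291215238896870692949311811932229780896397
b = 72690056717043801599061138120661051737492950240498432137862769084012701248181
n = 72097313349570386649549374079845053721904511050364850556329251464748004927777
c = 9772191239287471628073298955242262680551177666345371468122081567252276480156

# One forward step is c_next = (a * c_prev + b) % n. Because a is invertible
# modulo n, the step can be undone: c_prev = (c_next - b) * a^-1 % n.
a_1 = gmpy2.invert(a, n)

# The forward step count is an unknown 16-bit prime plus the final printed
# step, so 2**16 backward steps are enough to reach the initial seed.
for i in range(2**16):
    c = (c - b) * a_1 % n
    # c is a gmpy2 integer after the multiplication; convert it to a plain int
    # before decoding it to bytes.
    flag = libnum.n2s(int(c))
    # The seed is the flag bytes themselves, so the known prefix has to sit at
    # the very start; a substring test could also accept an unrelated state.
    if flag.startswith(b'NSSCTF{'):
        print(flag)
        break
else:
    # Report failure explicitly instead of ending without any output.
    print('no state starting with NSSCTF{ found within 2**16 backward steps')
# Flag reported by the author: NSSCTF{recover_init_seed}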