2016 hack.lu-ctf redacted RSA数据恢复

https://github.com/ctfs/write-ups-2016/tree/master/hack.lu-ctf-2016/crypto/redacted-200

一位一位的恢复n = p * q的数据，代码来源于链接：

from base64 import b64decode, b64encode
from binascii import hexlify, unhexlify
from Crypto.PublicKey import RSA
 
n =      int("00000000000000000000000000000000FF4A9CD78E945D76C00000000000000000000167BD011D643B300000000000000000000000000000000000C49208000000000000000000000003C702A2F21C00E6401446857236B5C00106E4C1D3EE5BD70385342AADB6A7D176DF7EDCB7CE1D78DFE992857E1A34730756186CA4C200DEC2A97F33B360389FD7BB5866FBD68E83D823EAE64C9E2D740F2F09D0383B39D51AAEB190858E8A3B6AD9CBAB8D935AA1BD01D1CBBA238AF4DF8455D7D789C71EE6091F711E766F633A0420F530ADB70495066070A07073FCB01D21CC2FD5648D9F5475D769697D3E325868315AB8E50E73500F4C2D0B8548CE38E01338294E81", 16)
n_mask = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000A2803FFFFFFFFFFFFFFFFFFFFC0000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC000003FFFFFFFFFFFFFFFFFFFFFFFC000000000000003F00000000000003F000000000000028FC0000000000000000000000000000000000000000000000000000000000000000028000000FC0000000000000000000000000000000028000000000000000000000000000000000000000000000000000000000000000000000000028000000000000000000000000000000000000000000000000000000000000000000000000000A2800000000000000000000000000000000000000000000000000000000", 16)
d = int("305B823A4E4F4DEDFDCD3B0055D9FF949466BB68BE58701A781F91D7B29046E947B2DE99DF4B62A77D96058F811A8F3731476A1F354852803938D5780B75929B1556D2C5EB0DE6326EA93CDA8E267D916E9F9CFD855A0181F4FFD743B24A85BF378BFBBCDFA803CEA12A5B7EF49BF04B050B89A31B97006369C45AE9029291E30F789B3FD3DAB4CD3B3B88B74890B357EEC0F007535B2558017604ADE36522C39CFE22BABA439407478059D630747D752DF521F88F44A0FED288D98E254840A259B46D451BB8E160F2594685E028FF6CEF2DBB563134F44DEB0E6D467E8EBF95516D51EFA7800BBB0F20A4A6CD9012599D67063DC8C07A0A48589CF5E01A3281", 16)
p =      int("E4DDBA96C1CB00F41204EE6FC16E14830438AEEE4BBD21AF5CE88DFD25A12F2A9A26994EEFA0E6BED04AC2E29BF639B4C8F975AD886F3115EC5E384C028C1FD7D7DB63C023F6346152809C71D226223D7D6990CAE64DFC16F174FA1A6EE46B25AFAFFCF3936A61D3F2029D6CEE994FEFF8F2F0A70638420110D303D075AB16D3", 16)
p_mask = int("000000000000FC0000000000000000000000000000000000A00000000000000000000000000000000000000000000000000000000000000A00A00000FC0000000000000FC0000000000000000000000000000000000000000000000000000000000000000000000000FC00000000000000000000000000000000000000000000", 16)
q =      int("DEE55998947BFDB75C7E349B036A1673A8C41B62929C242C0E3D0C808738972518F8639304B3340D6A88510CC524E37963A42D0638F605572AA7B93EDA07DC29454018FA9A990062F05D0025D5467D3EDF8DB448CC02ED4AB67967BE70C2A5617B3085D0E151357D63B1ECA4B53746FCBE586CDC8A4405CFAF719F3F011318DB", 16)
q_mask = int("000000000000000000000000FC000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003F00000000000000000000000000000000000003F000000000000000000000000000000000028000000000000000000000000000000A000000000000000000", 16)
e = 0x010001
 
 
def pq_cant_fit(p, q, fixed_bits):
    n1 = p * q
    diff = n ^ n1
    for i in range(fixed_bits):
        bit_to_check = (1<<i)
        if bit_to_check & diff > 0 and bit_to_check & n_mask == 0:
            return True
    return False
 
 
possible_ps = [p]
fixed_len = 0
possible_qs = [q]
 
while fixed_len < 256 * 8:
    if len(possible_ps) > 1 or len(possible_qs) > 1:
        print(fixed_len, len(possible_ps), len(possible_qs))
    possible_ps_new = []
    possible_qs_new = []
    bit_to_variate = (1 << fixed_len)
    if p_mask & bit_to_variate > 0:
        for p in possible_ps:
            possible_ps_new.append(p)
            possible_ps_new.append(p ^ bit_to_variate)
    else:
        possible_ps_new = possible_ps
    if q_mask & bit_to_variate > 0:
        for q in possible_qs:
            possible_qs_new.append(q)
            possible_qs_new.append(q ^ bit_to_variate)
    else:
        possible_qs_new = possible_qs
    fixed_len += 1
 
    possible_ps = []
    for p in possible_ps_new:
        ok = False
        for q in possible_qs_new:
            if not pq_cant_fit(p, q, fixed_len):
                ok = True
                break
        if ok:
            possible_ps.append(p)
    possible_qs = []
    for q in possible_qs_new:
        ok = False
        for p in possible_ps:
            if not pq_cant_fit(p, q, fixed_len):
                ok = True
                break
        if ok:
            possible_qs.append(q)
 
print("Finished!")
print("p = %X" % p)
print("p_mask = %X" % p_mask)
print("q = %X" % q)
print("q_mask = %X" % q_mask)
print("n = %X" % (p*q))

'''
p = E4DDBA96C1CBC4F41204EE6FC16E14830438AEEE4BBD21AF5CE88DFD25A12F2A9A26994EEFA0E6BED04AC2E29BF639B4C8F975AD886F3115EC5E384CC68C1FD7D7DB63CC63F6346152809C71D226223D7D6990CAE64DFC16F174FA1A6EE46B25AFAFFCF3936A61D3F2C69D6CEE994FEFF8F2F0A70638420110D303D075AB16D3
p_mask = FC0000000000000000000000000000000000A00000000000000000000000000000000000000000000000000000000000000A00A00000FC0000000000000FC0000000000000000000000000000000000000000000000000000000000000000000000000FC00000000000000000000000000000000000000000000
q = DEE55998947BFDB75C7E349BC76A1673A8C41B62929C242C0E3D0C808738972518F8639304B3340D6A88510CC524E37963A42D0638F605572AA7B93EDA07DC29457118FA9A990062F05D0025D5467D3EDF8DB448CF12ED4AB67967BE70C2A5617B3085D0E151357D63B1ECA4B53746FCBE586CDC8A4405CFAF719F3F011318DB
q_mask = FC000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003F00000000000000000000000000000000000003F000000000000000000000000000000000028000000000000000000000000000000A000000000000000000
n = C7455240232E4C309B7AFDA495CCD5FF4A9CD78E945D76C6713955E12A5DA435CDF967BD011D643B3D417797075F8DEF866A8CB9F02745ACBE78C4920B15DC36365F6C1DD71C9B900BC702A2F21C00E6711446857236B5C31106E4C1D3EE5BD7C785342AADB6A7D176DF7EDCB7CE1D78DFE992857E1A34730756186CA4C200DEC2A97F33B36C789FD7BB5866FBD68E83D823EAE64C9E2D740F2F09D0383B39D51AAEB190858E8A3B6AD9CBAB8D935AA1BD01D1CBBA238AF4DF8455D7D789C71EE6091F711E766F633A0420F530ADB70495066070A07073FCB01D21CC2FD5648D9F5475D769697D3E325868315AB8E50E73500F4C2D0B8548CE38E01338294E81
'''