题目：

from Crypto.Util.number import *
from secret import flagp = getPrime(512)
q = getPrime(512)
assert p > q
n = p*q
e = 65536
m = bytes_to_long(flag)
num1 = (pow(p,e,n)-pow(q,e,n)) % n
num2 = pow(p-q,e,n)
c = pow(m,e,n)print("num1=",num1)
print("num2=",num2)
print("n=",n)
print("c=",c)

代码如下：

from Crypto.Util.number import *
import gmpy2num1= 134186458247304184975418956047750205959249518467116558944535042073046353646812210914711656218265319503240074967140027248278994209294869476247136854741631971975560846483033205230015783696055443897579440474585892990793595602095853960468928457703619205343030230201261058516219352855127626321847429189498666288452
num2= 142252615203395148320392930915384149783801592719030740337592034613073131106036364733480644482188684184951026866672011061092572389846929838149296357261088256882232316029199097203257003822750826537629358422813658558008420810100860520289261141533787464661186681371090873356089237613080052677646446751824502044253
n= 154128165952806886790805410291540694477027958542517309121222164274741570806324940112942356615458298064007096476638232940977238598879453357856259085001745763666030177657087772721079761302637352680091939676709372354103177660093164629417313468356185431895723026835950366030712541994019375251534778666996491342313
c= 9061020000447780498751583220055526057707259079063266050917693522289697419950637286020502996753375864826169562714946009146452528404466989211057548905704856329650955828939737304126685040898740775635547039660982064419976700425595503919207903099686497044429265908046033565745195837408532764433870408185128447965p = GCD(num1+num2,n)
q = n//px0=gmpy2.invert(p,q)
x1=gmpy2.invert(q,p)
cs = [c]
for i in range(16):ps = []for c2 in cs:r = pow(c2, (p + 1) // 4, p)s = pow(c2, (q + 1) // 4, q)x = (r * x1 * q + s * x0 * p) % ny = (r * x1 * q - s * x0 * p) % nif x not in ps:ps.append(x)if n - x not in ps:ps.append(n - x)if y not in ps:ps.append(y)if n - y not in ps:ps.append(n - y)cs = psfor m in ps:flag = long_to_bytes(m)if b"nssctf" in flag:print(flag)break