2019 「掘安杯」 write up

時間  2019-12-08
標籤 write 欄目 Android 简体版
原文   原文鏈接

前言

肝了一天,最後打了第三,記錄下。
我逆向真的好菜啊~~~~python

Reverse

baby_reverse

加密函數以下ios

int __fastcall encode(const char *a1, __int64 a2)
{
  char v3[32]; // [rsp+10h] [rbp-70h]
  char v4[32]; // [rsp+30h] [rbp-50h]
  char v5[36]; // [rsp+50h] [rbp-30h]
  int v6; // [rsp+74h] [rbp-Ch]
  int v7; // [rsp+78h] [rbp-8h]
  int i; // [rsp+7Ch] [rbp-4h]

  v7 = 18;
  i = 0;
  v6 = 0;
  if ( strlen(a1) != 18 )
    return puts("Your Length is Wrong");
  puts("flag{This_1s_f4cker_flag}");
  for ( i = 0; i < v7; i += 3 )
  {
    v5[i] = v7 ^ (a1[i] + 6);
    v4[i + 1] = (a1[i + 1] - 6) ^ v7;
    v3[i + 2] = a1[i + 2] ^ 6 ^ v7;
    *(_BYTE *)(a2 + i) = v5[i];
    *(_BYTE *)(a2 + i + 1LL) = v4[i + 1];
    *(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
  }
  return a2;
}

很簡單得加密函數
一共分爲三組git

key = 'bIwhroo8cwqgwrxusi'
flag = ''
for i in range(0,18,3):
  flag += chr((ord(key[i])^18) - 6) + chr((ord(key[i+1])^18) + 6) + chr(ord(key[i+2])^6^18)
print flag
#jactf{w0w_is_flag}

Replace

加密函數以下github

v2 = a1;
  if ( a2 != 35 )
    return -1;
  v4 = 0;
  while ( 1 )
  {
    v5 = *(_BYTE *)(v4 + v2);
    v6 = (v5 >> 4) % 16;
    v7 = (16 * v5 >> 4) % 16;
    v8 = byte_402150[2 * v4];
    if ( v8 < 48 || v8 > 57 )
      v9 = v8 - 87;
    else
      v9 = v8 - 48;
    v10 = byte_402151[2 * v4];
    v11 = 16 * v9;
    if ( v10 < 48 || v10 > 57 )
      v12 = v10 - 87;
    else
      v12 = v10 - 48;
    if ( (unsigned __int8)byte_4021A0[16 * v6 + v7] != ((v11 + v12) ^ 0x19) )
      break;
    if ( ++v4 >= 35 )
      return 1;
  }
  return -1;

這是爆破的思路算法

import string
byte_402150 = [0x32, 0x61, 0x34, 0x39, 0x66, 0x36, 0x39, 0x63, 0x33, 0x38, 0x33, 0x39, 0x35, 0x63, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x66, 0x34, 0x65, 0x30, 0x32, 0x35, 0x34, 0x38, 0x34, 0x39, 0x35, 0x34, 0x64, 0x36,0x31, 0x39, 0x35, 0x34, 0x34, 0x38, 0x64, 0x65, 0x66, 0x36, 0x65, 0x32, 0x64, 0x61, 0x64, 0x36, 0x37, 0x37, 0x38, 0x36, 0x65, 0x32, 0x31, 0x64, 0x35, 0x61, 0x64,0x61, 0x65, 0x36, 0x00]
byte_4021A0 = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 
  0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 
  0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 
  0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 
  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 
  0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 
  0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 
  0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 
  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 
  0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 
  0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 
  0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 
  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 
  0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 
  0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 
  0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 
  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 
  0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 
  0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 
  0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 
  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 
  0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 
  0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 
  0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 
  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 
  0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
flag=''
v4=0
dic=string.ascii_lowercase+string.ascii_uppercase+string.digits+'{}_!%^&'
while(v4<35):
  v8 = byte_402150[2*v4]
  if (v8 < 48 or v8 > 57):
    v9 = v8 - 87
  else:
    v9 = v8 -48
  v10 = byte_402150[2*v4+1]
  v11 = 16 * v9
  if(v10 < 48 or v10 >57):
    v12 = v10 -87
  else:
    v12 = v10 -48
  for i in dic:
    v6 = (ord(i)>>4)%16
    v7 = (16*ord(i)>>4)%16
    if(byte_4021A0[16*v6 + v7]==(v11+v12)^0x19):
      flag += i
      break

  v4 += 1
print flag
#flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}

貼一下大佬用z3解的腳本數組

#-*-coding:utf-8 -*-

#flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}
list_flag = [51, 80, 239, 133, 33, 32, 69, 199, 143, 207, 199, 143, 207, 237, 249, 60, 81, 80, 77, 207, 0, 77, 81, 199, 239, 251, 195, 207, 110, 159, 251, 4, 67, 195, 255]
byte_4021A0 = [99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187]
from z3 import *

def z3_solve(res_flag,byte_4021A0,flag1):

    solve_flag = Solver()
    flag2 = []
    for i in range(35):
        flag2.append(BitVec('v'+str(i),8))
    for i in range(35):
        solve_flag.add(( (16 * ((flag2[i] >> 4) % 16))+(16 * flag2[i] >> 4) % 16)== flag1[i])
    check_flag = solve_flag.check()
    print check_flag,type(check_flag)
    res_model = solve_flag.model()
    flag_final = ""
    for i in range(35):
        flag_chr =("%s"%(res_model[flag2[i]]))
        flag_final  = flag_final + chr(int(flag_chr))
    print flag_final
def res_find(list_flag,byte_4021A0):
    list_find = []
    for i in list_flag:
        res = byte_4021A0.index(i)
        list_find.append(res)
    return list_find
if __name__ == '__main__':

    res = res_find(list_flag,byte_4021A0)
    # for i in res:
    #     print i
    z3_solve(list_flag,byte_4021A0,res)
    print "Finish\n"

Misc

真的不是圖片

題目給了一張圖片,binwalk一下bash

pumpkin9@pumpkin9:/mnt/c/Users/Desktop/juean$ binwalk Misc-JASEC.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91            0x5B            Zlib compressed data, compressed
140598        0x22536         End of Zip archive, footer length: 22

題目中有zip,和正常壓縮包圖片對比一下
emmm
反正是少了個zip頭了app

clipboard.png
能夠發現 50 4B 03 04 被替換成了ja66函數

pumpkin9@pumpkin9:/mnt/c/Users/Desktop/juean$ binwalk Misc-JASEC.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91            0x5B            Zlib compressed data, compressed
137859        0x21A83         Zip archive data, at least v2.0 to extract, compressed size: 2605, uncompressed size: 11258, name: subject.zip
140598        0x22536         End of Zip archive, footer length: 22

而後foremost分離
ja66解壓縮ui

import base64
flag = ""
for i in range(0,32):
    f = open('./'+str(i)+'/'+str(i)+'.txt','r')
    flag += f.read()
print base64.b64decode(flag)
#jactf{64se64_1s_50_c001}

what

題目描述

=E4=BD=9B=E6=9B=B0=EF=BC=9A=E6=A2=B5=E5=83=A7=E5=A5=A2=E6=A5=9E=E5=A5=A2=E5=90=89=E8=8B=A5=E5=A5=A2=E4=B8=8D=E5=B8=9D=E5=86=A5=E5=A4=9C=E6=98=AF=E7=BC=BD=E6=9C=8B=E7=BC=BD=E7=9C=9F=E7=89=B9=E4=BF=B1=E4=B8=8A=E7=BD=B0=E8=83=BD=E7=9A=A4=E5=AE=A4=E9=98=BF=E8=AB=B3=E6=98=8E=E4=B8=80=E5=88=87=E5=91=90=E9=99=A4=E6=A2=B5=E5=A7=AA=E7=BC=BD=E5=A9=86=E5=91=90=E4=BA=A6=E5=8F=83=E4=BE=84=E5=91=BC=E7=9A=A4=E4=B8=96=E5=93=86=E7=89=B9=E5=93=86=E6=95=85=E5=8B=9D=E8=AB=B3=E7=88=8D=E8=AC=B9=E6=99=BA=E7=9A=A4=E5=8F=83=E5=AD=95=E9=80=9D=E8=AB=B3=E8=AC=B9=E6=BC=AB=E6=AD=BB=E5=8D=B3=E4=BE=84=E9=99=A4=E5=93=86=E9=80=9D=E4=BE=84=E6=98=AF=E5=A5=A2=E5=96=9D=E7=A4=99=E8=B1=86=E8=AB=B3=E6=A5=9E=E7=84=A1=E4=BF=B1=E8=80=85=E5=93=86=E5=BA=A6=E8=80=85=E3=80=82=E8=AB=B3=E7=9C=9F=E5=86=A5=E8=A8=B6=E4=BE=84=E5=8B=9D=E7=AB=9F=E8=97=9D=E5=A5=A2=E4=B8=8D=E4=BC=8A=E7=9A=A4=E8=AC=B9=E6=B6=85=E5=AD=95=E7=84=A1=E4=BB=96=E7=BE=85=E5=A4=A7=E5=BE=97=E9=97=8D=E5=93=86=E5=96=9D=E8=80=B6=E5=83=A7=E7=84=A1=E7=BE=AF=E6=BB=85=E9=99=A4=E5=88=A9=E7=BC=BD=E5=A4=9A=E6=A2=B5=E5=A4=B7=E6=A2=B5=E6=A0=97=E7=BC=BD=E8=80=85=E5=AD=95=E8=AB=B3=E7=9B=A7=E7=9A=A4=E4=B8=89=E7=BD=B0=E5=AF=AB=E8=80=81=E6=A2=B5=E8=80=B6=E5=AE=A4=E5=B8=9D=E6=A2=B5=E5=AF=AB=E7=BE=AF=E6=95=B8=E6=A2=B5=E7=9B=A1=E4=BE=84=E6=A0=97=E4=BE=84=E8=97=90=E4=BF=B1=E4=B8=96=E8=AB=B3=E4=B8=8A=E8=AB=B3=E5=A7=AA=E6=95=B8=E5=AE=A4=E5=A9=86=E7=BD=B0=E6=A7=83=E5=A5=A2=E8=A8=B6=E5=93=86=E5=A4=9A=E9=80=9D=E8=97=90=E9=81=93=E6=A2=B5=E6=A5=9E=E6=A2=B5=E5=8D=97=E4=BE=84=E8=BF=A6=E5=91=90=E7=9F=A5=E6=9C=8B=E6=A5=9E=E4=BE=84=E9=9B=A2=E5=91=90=E6=B2=99=E5=91=90=E6=99=BA=E9=81=AE=E5=A4=A7=E5=AE=A4=E7=A5=9E=E5=86=A5=E8=BC=B8=E6=AE=BF=E7=BC=BD=E6=A7=83=E6=A2=B5=E6=80=9B=E6=81=90=E8=88=8D=E7=9F=A5=E7=9A=A4=E8=BF=A6=E5=A5=A2=E8=88=AC=E8=AB=B3=E7=88=8D=E5=AF=AB=E6=BC=AB=E4=BC=8A=E4=BF=B1=E6=A0=97=E5=93=86=E4=BB=96=E4=BA=A6=E7=BC=BD=E6=A5=9E=E6=80=9B=E5=86=A5=E5=91=BC=E5=88=87=E4=BF=B1=E8=8F=A9=E8=88=8D=E5=91=90=E5=AF=A6=E6=A0=97=E5=A5=A2=E6=B3=A2=E6=91=A9=E8=AB=B3=E9=81=93=E7=BC=BD=E7=91=9F=E5=93=86=E5=AF=A6=E7=9A=A4=E7=88=8D=E5=8B=9D=E8=96=A9=E7=BD=B0=E8=AB=B8=E5=A5=A2=E8=88=AC=E8=AB=A6=E7=BD=B0=E6=98=8E=E7=BC=BD=E8=AB=A6=E5=B0=BC=E5=93=86=E6=A5=9E=E4=BD=9B=E4=BF=B1=E9=86=AF=E8=AB=B3=E6=BB=85=E5=BA=A6=E5=93=86=E6=89=80=E6=A7=83=E5=A7=AA=E9=BA=BC=E6=89=80=E6=81=90=E8=AB=B3=E4=BB=96=E4=BE=84=E5=AF=AB=E7=91=9F=E4=BE=84=E6=89=80=E5=BE=97=E9=9A=B8=E5=93=86=E9=97=8D=E5=91=90=E6=8F=90=E7=9B=A7=E5=86=A5=E5=92=92=E5=A5=A2=E6=9B=B0=E5=91=90=E6=B2=99=E6=80=AF=E8=88=AC=E5=8D=97=E6=80=AF=E5=9C=B0=E7=BC=BD=E5=96=9D=E5=86=A5=E6=83=B3=E5=91=90=E7=9B=A7=E7=BD=B0=E8=AC=B9=E5=91=BC=E8=B7=8B=E7=BC=BD=E4=B8=8A=E5=A8=91=E8=AB=A6=E6=AD=BB=E4=BE=84=E8=BF=A6

解題過程

Quoted-Printable也是MIME郵件中經常使用的編碼方式之一。同Base64同樣,它也將輸入的字符串或數據編碼成全是ASCII碼的可打印字符串。
quopri
quopri.decodestring()解碼可得

佛曰:梵僧奢楞奢吉若奢不帝冥夜是缽朋缽真特俱上罰能皤室阿諳明一切吶除梵姪缽婆吶亦參侄呼皤世哆特哆故勝諳爍謹智皤參孕逝諳謹漫死即侄除哆逝侄是奢喝礙豆諳楞無俱者哆度者。諳真冥訶侄勝竟藝奢不伊皤謹涅孕無他羅大得闍哆喝耶僧無羯滅除利缽多梵夷梵慄缽者孕諳盧皤三罰寫老梵耶室帝梵寫羯數梵盡侄慄侄藐俱世諳上諳姪數室婆罰槃奢訶哆多逝藐道梵楞梵南侄迦吶知朋楞侄離吶沙吶智遮大室神冥輸殿缽槃梵怛恐舍知皤迦奢般諳爍寫漫伊俱慄哆他亦缽楞怛冥呼切俱菩舍吶實慄奢波摩諳道缽瑟哆實皤爍勝薩罰諸奢般諦罰明缽諦尼哆楞佛俱醯諳滅度哆所槃姪麼所恐諳他侄寫瑟侄所得隸哆闍吶提盧冥咒奢曰吶沙怯般南怯地缽喝冥想吶盧罰謹呼跋缽上娑諦死侄迦

參悟佛所言的真意
公正友善自由公正民主公正和諧法治自由公正公正法治友善平等公正愛國公正平等法治愛國公正敬業公正友善愛國平等誠信平等法治敬業法治平等公正公正公正誠信平等平等友善敬業法治民主法治富強法治友善法治
社會主義核心價值觀解碼得flag
jactf{hexin_yufo_qp}

小梳子

生成字典爆破

crunch 11 11 -t 138364%%%%% -o/root/桌面/test.txt
aircrack-ng -w /root/桌面/test.txt Tenda_D07D90-01.cap

Crypto

貝斯家族三英戰羣魔

直接上腳本

$ python base.py ciphertext_ea88a4d420c804686a8899608e06130f.txt
1
using base16 decode sucess.....
2
using base16 decode failuer.....
using base32 decode sucess.....
3
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
4
using base16 decode sucess.....
5
using base16 decode failuer.....
using base32 decode sucess.....
6
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
7
using base16 decode sucess.....
8
using base16 decode failuer.....
using base32 decode sucess.....
9
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
10
using base16 decode sucess.....
11
using base16 decode failuer.....
using base32 decode sucess.....
12
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
13
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode failuer.....
jactf{4(b64_32_16)}

羅馬帝國的奠定者

根據凱撒加密方式和flag格式可得

a = 'h^_o`[pZi^i`'
b = ""

for j in range(0,90):
  b= ""
  for i in range(len(a)):
    b += chr(ord(a[i])+i+2)
  print b

絕密情報

題目描述

WzI2NDAzMjMxMEwsIDQ5NTA2MzczNDFMLCA0MTg5MTM3MjM1TCwgMzUwMzY3NTkwNkwsIDExOTMyNzJMLCAzNzQ1MzA5NjhMLCA1MTg5MjgxNTMxTCwgMjUxNDIwMDI3MkwsIDQ0NTQzMDU1ODFMLCA2NDEwNzg1OTdMLCA0Mzk1OTMxNjU5TCwgMjcxNjQyNjU5OUwsIDQzNzUzOTE5NEwsIDM0NDgwMTM1OTZMLCAzMDcyMDcyMDlMLCA0NzUwODIwNjA2TCwgMzI1MDQwNzk5M0wsIDg1MzkwNTIwOUwsIDIxMDk3OTExNTlMLCAyNzE2NDI2NTk5TCwgMjEwNzg5OTU1NEwsIDQzOTU5MzE2NTlMLCAyNzk0Mzg0NTk4TCwgMjEwOTc5MTE1OUwsIDUyOTc3NzkwOTRMLCAxNDYwODc0Mjg2TCwgMTQ2MDg3NDI4NkwsIDc5NDkzMTY3OUwsIDc5NDkzMTY3OUwsIDU0NDcwNTE2MjJMLCA4NTM5MDUyMDlMLCAzMTk4MzQwMjE4TCwgMTE5MzI3MkwsIDE5MTIzMjMxMDFMLCA1Mjk3Nzc5MDk0TCwgMzA3MjA3MjA5TCwgMzIzMTU3MjYwOEwsIDMxOTgzNDAyMThMLCA1MTg5MjgxNTMxTCwgNTI3ODg5NTQ4TCwgNDk1MDYzNzM0MUwsIDI4MzkzNjY4MDVMLCAxMTE2NDU3MzU0TCwgNTI3ODg5NTQ4TCwgNTI5Nzc3OTA5NEwsIDMyNTA0MDc5OTNMLCA0NDU0MzA1NTgxTCwgNjUxMDM5MkwsIDMyNTA0MDc5OTNMLCAxNDYwODc0Mjg2TCwgMTA1OTAzNTEyOUwsIDMyMDAzNTk2MTJMLCA4NTM5MDUyMDlMLCAzMDcyMDcyMDlMLCAxNTY3NzkxMDFMLCAyMTQ1MzAxMzI4TCwgNTI3ODg5NTQ4TCwgMTA1OTAzNTEyOUwsIDU0NjgwMjUwNzJMLCAzNDQ4MDEzNTk2TCwgMjEwNzg5OTU1NEwsIDQxODkxMzcyMzVMLCAzNTAzNjc1OTA2TCwgMjY1MzQzNjExM0xd
並且小菜昨天偷聽到了一部分關於情報的絕密資料,以下:N=5520780427 , e = 134257,你能幫小菜解出這段情報嗎?

解題過程

import base64,libnum

enc = "WzI2NDAzMjMxMEwsIDQ5NTA2MzczNDFMLCA0MTg5MTM3MjM1TCwgMzUwMzY3NTkwNkwsIDExOTMyNzJMLCAzNzQ1MzA5NjhMLCA1MTg5MjgxNTMxTCwgMjUxNDIwMDI3MkwsIDQ0NTQzMDU1ODFMLCA2NDEwNzg1OTdMLCA0Mzk1OTMxNjU5TCwgMjcxNjQyNjU5OUwsIDQzNzUzOTE5NEwsIDM0NDgwMTM1OTZMLCAzMDcyMDcyMDlMLCA0NzUwODIwNjA2TCwgMzI1MDQwNzk5M0wsIDg1MzkwNTIwOUwsIDIxMDk3OTExNTlMLCAyNzE2NDI2NTk5TCwgMjEwNzg5OTU1NEwsIDQzOTU5MzE2NTlMLCAyNzk0Mzg0NTk4TCwgMjEwOTc5MTE1OUwsIDUyOTc3NzkwOTRMLCAxNDYwODc0Mjg2TCwgMTQ2MDg3NDI4NkwsIDc5NDkzMTY3OUwsIDc5NDkzMTY3OUwsIDU0NDcwNTE2MjJMLCA4NTM5MDUyMDlMLCAzMTk4MzQwMjE4TCwgMTE5MzI3MkwsIDE5MTIzMjMxMDFMLCA1Mjk3Nzc5MDk0TCwgMzA3MjA3MjA5TCwgMzIzMTU3MjYwOEwsIDMxOTgzNDAyMThMLCA1MTg5MjgxNTMxTCwgNTI3ODg5NTQ4TCwgNDk1MDYzNzM0MUwsIDI4MzkzNjY4MDVMLCAxMTE2NDU3MzU0TCwgNTI3ODg5NTQ4TCwgNTI5Nzc3OTA5NEwsIDMyNTA0MDc5OTNMLCA0NDU0MzA1NTgxTCwgNjUxMDM5MkwsIDMyNTA0MDc5OTNMLCAxNDYwODc0Mjg2TCwgMTA1OTAzNTEyOUwsIDMyMDAzNTk2MTJMLCA4NTM5MDUyMDlMLCAzMDcyMDcyMDlMLCAxNTY3NzkxMDFMLCAyMTQ1MzAxMzI4TCwgNTI3ODg5NTQ4TCwgMTA1OTAzNTEyOUwsIDU0NjgwMjUwNzJMLCAzNDQ4MDEzNTk2TCwgMjEwNzg5OTU1NEwsIDQxODkxMzcyMzVMLCAzNTAzNjc1OTA2TCwgMjY1MzQzNjExM0xd"

enc = base64.b64decode(enc)
enc_list = eval(enc)
flag = ""
print enc_list
d = 3960784897
n = 5520780427
for i in range(len(enc_list)):
    m = pow(enc_list[i],d,n)
    flag += chr(m)
print flag
#U2FsdGVkX1/8DKBmhvO87/SOLaawwxvAdHLB9AV62nC6LhXzhatpvBcg6tlK7Fs5

des 解密下便可
jactf{So_easy_RSA_and_DES}

貝葉斯

題目

一共給了兩個文件
encode.txt

int main()
{
    string P("*****************");
    string C("*****************");
    int len = C.length();
    for (int k = 0; k < len; k ++) {
        int where = des_find(P, C[k]);
        where = ((where * a) + b) mod x;
        cout << P[where];
    }
    return 0;
}

int des_find(string p, int m)
{
    for (int i = 0; i < p.length(); i++) {
        if (m == p[i]) {
            return  i;
        }
    }
}

題目.txt

現已知某間諜使用的密碼本(這但是貝葉斯設計的密碼本)以下:"elFXRVJUWVVJT1B4Y3Zibm1hc2RmQVNERkdISktMZ2hqa2xfcXdaWENWQk5NZXJ0e3l1aW9wfTAxMjM0OTg3NjU="
現獲取到了他們的加密算法,同時劫獲了一段數據密文:"gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7"
你能破譯出明文數據嗎?

解題過程

#include <iostream>
#include <cstring>
#define PSIZE 65   //宏定義密碼錶大小
using namespace std;
int gcd(int m, int n);
int init_gcd(int m, int n);
int des_find(string p, int m);

int main()
{
  string P("zQWERTYUIOPxcvbnmasdfASDFGHJKLghjkl_qwZXCVBNMert{yuiop}0123498765");             
  string M("gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7");   //明文空間,與已知密文
  string C;  //存放解密明文
  int i = 2;   //求解全部互素的數
  int a1;  //存放逆元
  for (i; i < PSIZE; i++)
  {
    if (gcd(i, PSIZE) == 1)
    {  //說明此時的i與28互素
      /***求解此時的i的逆元***/
      a1 = init_gcd(i, PSIZE);
      for (int j = 0; j < PSIZE; j++)   //控制b的遍歷
      {
        cout << "此時:a=" << i << " b=" << j << " a的逆元爲:" << a1 << "   \"";
        for (int k = 0; k < M.length(); k++) {     //每個漢字站兩個字節,因此要用兩個數組空間來存
          int where = des_find(P, M[k]);   //匹配密文在明文空間的位置
          where = ((where - j)*a1) % PSIZE;
          if (where < 0) {
            where += PSIZE;
          }
          cout << P[where];
        }
        cout << "\"" << endl;
      }
    }
  }
  return 0;
}
int gcd(int b, int a)    //求互素
{
  int temp;
  if (a < b)//判斷大小
  {
    temp = a;
    a = b;
    b = temp;
  }
  if (b == 0) return a;
  else return gcd(b, a%b);//遞歸
}

int init_gcd(int m, int n)   //擴展歐幾里得算法
{
  int i = 2;
  for (i; i < 28; i++)
  {
    if ((m*i) % n == 1)
    {
      return i;
    }
  }
}

int des_find(string p, int m)   //位置匹配函數
{
  for (int i = 0; i < p.length(); i ++) {
    //cout<<p[i]<<p[i+1]<<endl;
    if (m == p[i]) {
      return  i;
    }
  }
}

接下來的計劃總結下base家族wasm貝葉斯關於字符向進制轉化的算法與逆向pyc 文件格式des加密ebc cbc

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程