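中电联 CTF Pseudo-WriteUp: Simple Encryption

Challenge file link: f8fc0fda7d1742188612221bd8242c4b

The challenge is just called "Simple Encryption", and there do not seem to be any other hints.

I worked on it for a long time and still could not solve it. I really admire the experts who solved it in a few minutes.

The challenge provides a compressed archive.

1. The encryption on the first-layer archive is pseudo-encryption; repairing it with rar is enough.

This yields 2.py and 2.zip. The contents of 2.py are as follows: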

import hashlib
import os
s=os.urandom(8)
print s[0:5].encode('hex')
print hashlib.sha256(s).hexdigest()
#0d273d5891
#1226bf22ea059fb56ac176ae79ae89a09c5433213a2f8c3d6ebd60bb0445e72f
#password:s.encode('hex')

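According to the hint, the password for 2.zip is s.encode('hex'). Since s[0:5].encode('hex') only gives the first 5 bytes, the last three bytes of the string s have to be brute-forced. Note that the last three bytes are not necessarily printable characters. I won't paste the script. The result is that s.encode('hex') is 0d273d589193770d; the output of the following script matches the sha256 above that starts with 1226.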

import hashlib

# Python 2: check the recovered value against the SHA-256 printed in 2.py
s = '0d273d589193770d'
print s.decode('hex').encode('hex')
print hashlib.sha256(s.decode('hex')).hexdigest()
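The brute-force step described above, whose script the post does not include, could look like this in Python 3. This is an added example, not the author's script; the function name `recover_secret` is an assumption, and the prefix and digest are the two values printed in the comments of 2.py.

```python
import hashlib
from itertools import product

# Values from the comments in 2.py on this page.
KNOWN_PREFIX_HEX = "0d273d5891"
TARGET_SHA256 = "1226bf22ea059fb56ac176ae79ae89a09c5433213a2f8c3d6ebd60bb0445e72f"


def recover_secret(known_prefix, target_sha256_hex, unknown_len):
    """Return known_prefix + tail whose SHA-256 equals the target, or None.

    Every byte value 0..255 is tried for the unknown tail, because the
    output of os.urandom() is not limited to printable characters.
    """
    target = bytes.fromhex(target_sha256_hex)
    base = hashlib.sha256(known_prefix)  # hash the known prefix only once
    for tail in product(range(256), repeat=unknown_len):
        h = base.copy()
        h.update(bytes(tail))
        if h.digest() == target:
            return known_prefix + bytes(tail)
    return None


if __name__ == "__main__":
    # 256**3 (about 16.8 million) candidates for the three missing bytes.
    s = recover_secret(bytes.fromhex(KNOWN_PREFIX_HEX), TARGET_SHA256, 3)
    print(s.hex() if s else "no match")
```

Publishing 5 of the 8 random bytes leaves only 24 unknown bits, which is why an exhaustive search over the rest is practical.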

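2. Use 0d273d589193770d to extract 2.zip, which yields 2.txt and 3.zip. 2.txt contains only one sentence: nothing here. Looking at 3.zip, it contains pass1.txt, pass2.txt and pass3.txt, which can be brute-forced via crc32.

I found a Python script online to brute-force them, but it did not work very well; it was too slow. I later switched to hashcat, which was very fast. There is a pitfall here: three strings match for pass1.txt, so do not stop as soon as a match is found. The Python brute-force script below can be used as a reference; it takes a long time to run... To brute-force pass2.txt, remove one loop (e).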

# Python 2 script
import datetime
import binascii

def showTime():
    print datetime.datetime.now().strftime("%H:%M:%S")

def crack():
    # CRC32 values of the two 5-character files
    crcs = set([0x397E0355, 0x73FCC42D])
    r = xrange(32, 127)  # printable ASCII
    for a in r:
        for b in r:
            for c in r:
                for d in r:
                    for e in r:
                        txt = chr(a)+chr(b)+chr(c)+chr(d)+chr(e)
                        crc = binascii.crc32(txt)
                        # print every match; do not stop at the first one
                        if (crc & 0xFFFFFFFF) in crcs:
                            print txt

if __name__ == "__main__":
    showTime()
    crack()
    showTime()

Brute-forcing yields:

397e0355:*:eja
397e0355:6u9ku
397e0355:FIHn%
96b1eaef:-_-#
73fcc42d:h0rs3

Combining them gives three passwords:

*:eja-_-#h0rs3
6u9ku-_-#h0rs3                 <- this is the real password
FIHn%-_-#h0rs3
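CRC32 is linear, so the last four bytes of a candidate can be solved directly from the target checksum instead of being looped over; only the leading bytes need enumerating (95 tries for a five-character file instead of 95^5). This added Python 3 example is not the script the post used; the function names are assumptions, and it returns every printable match rather than stopping at the first, which covers the pass1.txt pitfall described above.

```python
import zlib
from itertools import product

PRINTABLE = range(32, 127)  # same alphabet as the nested-loop script

# Standard reflected CRC-32 table (polynomial 0xEDB88320), as used by ZIP.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each table entry is unique, so it identifies the entry.
BY_TOP_BYTE = {entry >> 24: i for i, entry in enumerate(TABLE)}


def last_four(state, target_crc):
    """Return the 4 bytes that move CRC register `state` to `target_crc`."""
    reg = target_crc ^ 0xFFFFFFFF  # undo the final XOR
    indices = []
    for _ in range(4):  # walk backwards: recover the table index of each step
        i = BY_TOP_BYTE[reg >> 24]
        indices.append(i)
        reg = ((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF
    out = bytearray()
    for i in reversed(indices):  # walk forwards: turn indices into bytes
        out.append((state ^ i) & 0xFF)
        state = TABLE[i] ^ (state >> 8)
    return bytes(out)


def printable_preimages(target_crc, length):
    """All printable-ASCII strings of `length` (>= 4) with this CRC-32."""
    found = []
    for head in product(PRINTABLE, repeat=length - 4):
        prefix = bytes(head)
        tail = last_four(zlib.crc32(prefix) ^ 0xFFFFFFFF, target_crc)
        if all(b in PRINTABLE for b in tail):
            found.append((prefix + tail).decode("ascii"))
    return found


if __name__ == "__main__":
    # CRC values and lengths taken from the results listed on this page.
    for crc, length in ((0x397E0355, 5), (0x96B1EAEF, 4), (0x73FCC42D, 5)):
        print("%08x" % crc, printable_preimages(crc, length))
```

A CRC32 stored in an archive header is not a secret: for files this short it determines the contents up to a handful of collisions, even when the file data itself is encrypted.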

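3. Use the password above to extract 3.zip, which yields 4.zip, 4.txt and hint.txt. 4.txt contains a pile of gibberish, and the content of hint.txt is: A state of USA. It is related to encryption and is also a US state, so I guessed it might be the Vigenère cipher.

But since the Vigenère key is unknown, brute-forcing is needed yet again; this challenge author seems to have some kind of grudge involving brute force.

I found a script online; I do not have the ability to write a Vigenère brute-forcer.

Here the key seems to have to be tried one at a time. Some posts online mention the smallest common divisor or something like that. The smallest possibility was 4, and testing showed that was wrong. I then tried 8, and that was right. When the key length is 8, the output is as follows:

Putting the first letters together gives the key. The key is congrats, and decrypting with the Vigenère cipher gives the following text: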

every night in my dreams, i see you, i feel you. that is how i know you go on. far across the distance. and spaces between us. you have come to show you go on. near far,wherever you are, i believe. that the heart does go on. once more you open the door. and you’re here in my heart. and my heart will go on and on. love can touch us one time. and last for a lifetime, and never let go till we’re gone. the key is life is short, i use python. love was when i loved you, one true time i hold to, in my life well always go on. near far, wherever you are. i believe, that the heart does go on. once more you open the door, and you’re here in my heart, and my heart will go on and on. you’re here, there’s nothing i fear, and i know, that my heart will go on. we’ll stay forever this way. you are safe in my heart, and my heart will go on and on.

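The password for 4.zip is the bolded part of the text above. Note that there is a period at the end.

4. Use the password above to extract 4.zip, which yields 5.py and 5.zip. 5.py is an encryption script, similar to 2.py above; just write a decryption script modelled on it. The script I rewrote from the encryption script is as follows: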

import sys

alphaL = "abcdefghijklnmopqrstuvwxyz"
alphaU = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
num    = "0123456789"
keychars = num+alphaL+alphaU


key = 'HELLOWORLD'#sys.argv[1].upper()
if not key.isalnum():
  print("Your key is invalid, it may only be alphanumeric characters")
  sys.exit()
plaintext = "I open(sys.argv[2],'r').read()"
ciphertext=""

eplaintext = "P hxoh ud qzzys lmle M vmoxs arh pm mq. Rda xgtx tzc ymjdryr vhc sh ltymo gkhh. Umc hka T xddr jdx vtqyzhw vk qxhf vmef. M't vodybmu dh lmf trfsxsguzad lsce. Tm M vuf pfh ec, jdxy P vlh jv bq. Tt W ejlh qovixmh ec, jdxsh'c ymjdryr hd ij. T ekozoto T jqy tvk. L vfoimvx L aly jmzvw huf est. P cuifs lsrmc ij xmhgg yiwdu nmf aui. Xkgkla ak rbmux ufj kqp lrui. T ekozoto T jqy gkuk. P xfo cx uvdyzhw uuurmpu jddc rnfy hmvs. M qovixmh M vuf cod. Xfo W rnl dy jdx otxpf kt qutqjzhw sdtm. Xmaouzvtc xivoqvh, zc cuq ztkt gk gdjo. Admbx ngk tizunohl zy vicf P thgj dvwnkmf. Bzc yesxl W jarw zl guluqc zheisf rp to. Zk P vlh gxf nh, lboq L aly hm ze. Tk E whzq qfxgoef nh, lbokf'l ydlbiqp qi zl. Z sttzfvm Z xzd kxi. Awnc zg kvhu dfwl sxb:8a6q3h1x31, lyj lmf mkwc biqc nc: PWX"

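# Decrypt by search: for each ciphertext character, try every candidate j and keep
# the one that encrypts to it. Despite its name, `ciphertext` collects the decrypted text.
for i in range(len(eplaintext)):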
    rotate_amount = keychars.index(key[i%len(key)])
    enc_char = ""
    if eplaintext[i] in alphaL:
        #enc_char = ord('a') + (5*(ord(plaintext[i])-ord('a'))+3*rotate_amount)%26
        for j in range(26):
            if ord('a') + (5*(j)+3*rotate_amount)%26 == ord(eplaintext[i]):
                enc_char = (chr(j + ord('a')))
            
    elif eplaintext[i] in alphaU:
        #enc_char = ord('A') + (3*(ord(plaintext[i])-ord('A'))+rotate_amount)%26
        for j in range(26):
            if ord('A') + (3*(j)+rotate_amount)%26 == ord(eplaintext[i]):
                enc_char = (chr(j + ord('A')))
    elif eplaintext[i] in num:
        #enc_char = ord('0') + (7*(ord(plaintext[i])-ord('0'))+5*rotate_amount)%10
        for j in range(10):
            if ord('0') + (7*(j)+5*rotate_amount)%10 == ord(eplaintext[i]):
                enc_char = (chr(j + ord('0')))
    else:
        #enc_char = ord(plaintext[i])
        enc_char = eplaintext[i]
    ciphertext = ciphertext + enc_char 


print ciphertext

print("Encryption complete, ENC(%s,%s) = %s"%(plaintext,key,ciphertext))

# Encryption complete, ENC(ciphertext) = P hxoh ud qzzys lmle M vmoxs arh pm mq. Rda xgtx tzc ymjdryr vhc sh ltymo gkhh. Umc hka T xddr jdx vtqyzhw vk qxhf vmef. M't vodybmu dh lmf trfsxsguzad lsce. Tm M vuf pfh ec, jdxy P vlh jv bq. Tt W ejlh qovixmh ec, jdxsh'c ymjdryr hd ij. T ekozoto T jqy tvk. L vfoimvx L aly jmzvw huf est. P cuifs lsrmc ij xmhgg yiwdu nmf aui. Xkgkla ak rbmux ufj kqp lrui. T ekozoto T jqy gkuk. P xfo cx uvdyzhw uuurmpu jddc rnfy hmvs. M qovixmh M vuf cod. Xfo W rnl dy jdx otxpf kt qutqjzhw sdtm. Xmaouzvtc xivoqvh, zc cuq ztkt gk gdjo. Admbx ngk tizunohl zy vicf P thgj dvwnkmf. Bzc yesxl W jarw zl guluqc zheisf rp to. Zk P vlh gxf nh, lboq L aly hm ze. Tk E whzq qfxgoef nh, lbokf'l ydlbiqp qi zl. Z sttzfvm Z xzd kxi. Awnc zg kvhu dfwl sxb:8a6q3h1x31, lyj lmf mkwc biqc nc: PWX
# key hint: the first sentence of all program language(no space, all lower)

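A gripe about the challenge author here: "the first sentence of all programming languages", really? Who says the first sentence has to be hello world?

Decryption gives the following text: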

I used to think that I could not go on. And life was nothing but an awful song. But now I know the meaning of true love. I’m leaning on the everlasting arms. If I can see it, then I can do it. If I just believe it, there’s nothing to it. I believe I can fly. I believe I can touch the sky. I think about it every night and day. Spread my wings and fly away. I believe I can soar. I see me running through that open door. I believe I can fly. See I was on the verge of breaking down. Sometimes silence, it can seem so loud. There are miracles in life I must achieve. But first I know it starts inside of me. If I can see it, then I can do it. If I just believe it, there’s nothing to it. I believe I can fly. This is your next key:9c3b9d3e48, and the next hint is: XOR
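The three maps in the commented-out lines of the script are affine, and each multiplier (5 and 3 modulo 26, 7 modulo 10) is coprime to its modulus, so every character has exactly one inverse and can be decrypted with a modular inverse instead of a search. The following Python 3 code is an added example, not part of 5.py or the author's script; the function and table names are assumptions.

```python
NUM = "0123456789"
ALPHA_L = "abcdefghijklnmopqrstuvwxyz"  # copied as printed above (n before m)
ALPHA_U = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
KEYCHARS = NUM + ALPHA_L + ALPHA_U

# (first character, modulus, plaintext multiplier, key multiplier),
# read off the commented-out encryption lines in the script above.
LOWER = ("a", 26, 5, 3)
UPPER = ("A", 26, 3, 1)
DIGIT = ("0", 10, 7, 5)


def _rule(ch):
    if "a" <= ch <= "z":
        return LOWER
    if "A" <= ch <= "Z":
        return UPPER
    if "0" <= ch <= "9":
        return DIGIT
    return None  # anything else is copied through unchanged


def _transform(text, key, decrypting):
    out = []
    for i, ch in enumerate(text):  # i counts spaces and punctuation too
        rule = _rule(ch)
        if rule is None:
            out.append(ch)
            continue
        base, mod, mul, key_mul = rule
        shift = key_mul * KEYCHARS.index(key[i % len(key)])
        x = ord(ch) - ord(base)
        if decrypting:
            x = (x - shift) * pow(mul, -1, mod) % mod  # Python 3.8+
        else:
            x = (mul * x + shift) % mod
        out.append(chr(ord(base) + x))
    return "".join(out)


def encrypt(text, key):
    return _transform(text, key, False)


def decrypt(text, key):
    return _transform(text, key, True)


if __name__ == "__main__":
    print(decrypt("P hxoh ud", "HELLOWORLD"))  # start of the ciphertext above
```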

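5. The password for 5.zip is the bolded part of the text above, without the trailing comma. Extracting it gives the last file, 6. The hint says to perform an XOR operation, but I tried XOR with every value from 0 to 255, and everything came out as gibberish. I cannot guess what to XOR with; the KEY above is 10 characters long and does not look like it either.

At this point I cannot get any further with this challenge. I leave it to whoever is fated to solve it.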
