资讯专栏INFORMATION COLUMN

2019 “掘安杯” write up

Jochen / 1442人阅读

摘要:前言肝了一天,最后打了第三,记录下。同一样,它也将输入的字符串或数据编码成全是码的可打印字符串。

前言

肝了一天,最后打了第三,记录下。
我逆向真的好菜啊~~~~

Reverse baby_reverse

加密函数如下

int __fastcall encode(const char *a1, __int64 a2)
{
  char v3[32]; // [rsp+10h] [rbp-70h]
  char v4[32]; // [rsp+30h] [rbp-50h]
  char v5[36]; // [rsp+50h] [rbp-30h]
  int v6; // [rsp+74h] [rbp-Ch]
  int v7; // [rsp+78h] [rbp-8h]
  int i; // [rsp+7Ch] [rbp-4h]

  v7 = 18;
  i = 0;
  v6 = 0;
  if ( strlen(a1) != 18 )
    return puts("Your Length is Wrong");
  puts("flag{This_1s_f4cker_flag}");
  for ( i = 0; i < v7; i += 3 )
  {
    v5[i] = v7 ^ (a1[i] + 6);
    v4[i + 1] = (a1[i + 1] - 6) ^ v7;
    v3[i + 2] = a1[i + 2] ^ 6 ^ v7;
    *(_BYTE *)(a2 + i) = v5[i];
    *(_BYTE *)(a2 + i + 1LL) = v4[i + 1];
    *(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
  }
  return a2;
}

很简单得加密函数
一共分为三组

key = "bIwhroo8cwqgwrxusi"
flag = ""
for i in range(0,18,3):
  flag += chr((ord(key[i])^18) - 6) + chr((ord(key[i+1])^18) + 6) + chr(ord(key[i+2])^6^18)
print flag
#jactf{w0w_is_flag}
Replace

加密函数如下

v2 = a1;
  if ( a2 != 35 )
    return -1;
  v4 = 0;
  while ( 1 )
  {
    v5 = *(_BYTE *)(v4 + v2);
    v6 = (v5 >> 4) % 16;
    v7 = (16 * v5 >> 4) % 16;
    v8 = byte_402150[2 * v4];
    if ( v8 < 48 || v8 > 57 )
      v9 = v8 - 87;
    else
      v9 = v8 - 48;
    v10 = byte_402151[2 * v4];
    v11 = 16 * v9;
    if ( v10 < 48 || v10 > 57 )
      v12 = v10 - 87;
    else
      v12 = v10 - 48;
    if ( (unsigned __int8)byte_4021A0[16 * v6 + v7] != ((v11 + v12) ^ 0x19) )
      break;
    if ( ++v4 >= 35 )
      return 1;
  }
  return -1;

这是爆破的思路

import string
byte_402150 = [0x32, 0x61, 0x34, 0x39, 0x66, 0x36, 0x39, 0x63, 0x33, 0x38, 0x33, 0x39, 0x35, 0x63, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x66, 0x34, 0x65, 0x30, 0x32, 0x35, 0x34, 0x38, 0x34, 0x39, 0x35, 0x34, 0x64, 0x36,0x31, 0x39, 0x35, 0x34, 0x34, 0x38, 0x64, 0x65, 0x66, 0x36, 0x65, 0x32, 0x64, 0x61, 0x64, 0x36, 0x37, 0x37, 0x38, 0x36, 0x65, 0x32, 0x31, 0x64, 0x35, 0x61, 0x64,0x61, 0x65, 0x36, 0x00]
byte_4021A0 = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 
  0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 
  0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 
  0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 
  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 
  0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 
  0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 
  0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 
  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 
  0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 
  0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 
  0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 
  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 
  0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 
  0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 
  0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 
  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 
  0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 
  0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 
  0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 
  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 
  0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 
  0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 
  0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 
  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 
  0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
flag=""
v4=0
dic=string.ascii_lowercase+string.ascii_uppercase+string.digits+"{}_!%^&"
while(v4<35):
  v8 = byte_402150[2*v4]
  if (v8 < 48 or v8 > 57):
    v9 = v8 - 87
  else:
    v9 = v8 -48
  v10 = byte_402150[2*v4+1]
  v11 = 16 * v9
  if(v10 < 48 or v10 >57):
    v12 = v10 -87
  else:
    v12 = v10 -48
  for i in dic:
    v6 = (ord(i)>>4)%16
    v7 = (16*ord(i)>>4)%16
    if(byte_4021A0[16*v6 + v7]==(v11+v12)^0x19):
      flag += i
      break

  v4 += 1
print flag
#flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}

贴一下大佬用z3解的脚本

#-*-coding:utf-8 -*-

#flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}
list_flag = [51, 80, 239, 133, 33, 32, 69, 199, 143, 207, 199, 143, 207, 237, 249, 60, 81, 80, 77, 207, 0, 77, 81, 199, 239, 251, 195, 207, 110, 159, 251, 4, 67, 195, 255]
byte_4021A0 = [99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187]
from z3 import *

def z3_solve(res_flag,byte_4021A0,flag1):

    solve_flag = Solver()
    flag2 = []
    for i in range(35):
        flag2.append(BitVec("v"+str(i),8))
    for i in range(35):
        solve_flag.add(( (16 * ((flag2[i] >> 4) % 16))+(16 * flag2[i] >> 4) % 16)== flag1[i])
    check_flag = solve_flag.check()
    print check_flag,type(check_flag)
    res_model = solve_flag.model()
    flag_final = ""
    for i in range(35):
        flag_chr =("%s"%(res_model[flag2[i]]))
        flag_final  = flag_final + chr(int(flag_chr))
    print flag_final
def res_find(list_flag,byte_4021A0):
    list_find = []
    for i in list_flag:
        res = byte_4021A0.index(i)
        list_find.append(res)
    return list_find
if __name__ == "__main__":

    res = res_find(list_flag,byte_4021A0)
    # for i in res:
    #     print i
    z3_solve(list_flag,byte_4021A0,res)
    print "Finish
"
Misc 真的不是图片

题目给了一张图片,binwalk一下

pumpkin9@pumpkin9:/mnt/c/Users/Desktop/juean$ binwalk Misc-JASEC.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91            0x5B            Zlib compressed data, compressed
140598        0x22536         End of Zip archive, footer length: 22

题目中有zip,和正常压缩包图片对比一下
emmm
反正是少了个zip头了


可以发现 50 4B 03 04 被替换成了ja66

pumpkin9@pumpkin9:/mnt/c/Users/Desktop/juean$ binwalk Misc-JASEC.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91            0x5B            Zlib compressed data, compressed
137859        0x21A83         Zip archive data, at least v2.0 to extract, compressed size: 2605, uncompressed size: 11258, name: subject.zip
140598        0x22536         End of Zip archive, footer length: 22

然后foremost分离
ja66解压缩

import base64
flag = ""
for i in range(0,32):
    f = open("./"+str(i)+"/"+str(i)+".txt","r")
    flag += f.read()
print base64.b64decode(flag)
#jactf{64se64_1s_50_c001}
what 题目描述

=E4=BD=9B=E6=9B=B0=EF=BC=9A=E6=A2=B5=E5=83=A7=E5=A5=A2=E6=A5=9E=E5=A5=A2=E5=90=89=E8=8B=A5=E5=A5=A2=E4=B8=8D=E5=B8=9D=E5=86=A5=E5=A4=9C=E6=98=AF=E7=BC=BD=E6=9C=8B=E7=BC=BD=E7=9C=9F=E7=89=B9=E4=BF=B1=E4=B8=8A=E7=BD=B0=E8=83=BD=E7=9A=A4=E5=AE=A4=E9=98=BF=E8=AB=B3=E6=98=8E=E4=B8=80=E5=88=87=E5=91=90=E9=99=A4=E6=A2=B5=E5=A7=AA=E7=BC=BD=E5=A9=86=E5=91=90=E4=BA=A6=E5=8F=83=E4=BE=84=E5=91=BC=E7=9A=A4=E4=B8=96=E5=93=86=E7=89=B9=E5=93=86=E6=95=85=E5=8B=9D=E8=AB=B3=E7=88=8D=E8=AC=B9=E6=99=BA=E7=9A=A4=E5=8F=83=E5=AD=95=E9=80=9D=E8=AB=B3=E8=AC=B9=E6=BC=AB=E6=AD=BB=E5=8D=B3=E4=BE=84=E9=99=A4=E5=93=86=E9=80=9D=E4=BE=84=E6=98=AF=E5=A5=A2=E5=96=9D=E7=A4=99=E8=B1=86=E8=AB=B3=E6=A5=9E=E7=84=A1=E4=BF=B1=E8=80=85=E5=93=86=E5=BA=A6=E8=80=85=E3=80=82=E8=AB=B3=E7=9C=9F=E5=86=A5=E8=A8=B6=E4=BE=84=E5=8B=9D=E7=AB=9F=E8=97=9D=E5=A5=A2=E4=B8=8D=E4=BC=8A=E7=9A=A4=E8=AC=B9=E6=B6=85=E5=AD=95=E7=84=A1=E4=BB=96=E7=BE=85=E5=A4=A7=E5=BE=97=E9=97=8D=E5=93=86=E5=96=9D=E8=80=B6=E5=83=A7=E7=84=A1=E7=BE=AF=E6=BB=85=E9=99=A4=E5=88=A9=E7=BC=BD=E5=A4=9A=E6=A2=B5=E5=A4=B7=E6=A2=B5=E6=A0=97=E7=BC=BD=E8=80=85=E5=AD=95=E8=AB=B3=E7=9B=A7=E7=9A=A4=E4=B8=89=E7=BD=B0=E5=AF=AB=E8=80=81=E6=A2=B5=E8=80=B6=E5=AE=A4=E5=B8=9D=E6=A2=B5=E5=AF=AB=E7=BE=AF=E6=95=B8=E6=A2=B5=E7=9B=A1=E4=BE=84=E6=A0=97=E4=BE=84=E8=97=90=E4=BF=B1=E4=B8=96=E8=AB=B3=E4=B8=8A=E8=AB=B3=E5=A7=AA=E6=95=B8=E5=AE=A4=E5=A9=86=E7=BD=B0=E6=A7=83=E5=A5=A2=E8=A8=B6=E5=93=86=E5=A4=9A=E9=80=9D=E8=97=90=E9=81=93=E6=A2=B5=E6=A5=9E=E6=A2=B5=E5=8D=97=E4=BE=84=E8=BF=A6=E5=91=90=E7=9F=A5=E6=9C=8B=E6=A5=9E=E4=BE=84=E9=9B=A2=E5=91=90=E6=B2=99=E5=91=90=E6=99=BA=E9=81=AE=E5=A4=A7=E5=AE=A4=E7=A5=9E=E5=86=A5=E8=BC=B8=E6=AE=BF=E7=BC=BD=E6=A7=83=E6=A2=B5=E6=80=9B=E6=81=90=E8=88=8D=E7=9F=A5=E7=9A=A4=E8=BF=A6=E5=A5=A2=E8=88=AC=E8=AB=B3=E7=88=8D=E5=AF=AB=E6=BC=AB=E4=BC=8A=E4=BF=B1=E6=A0=97=E5=93=86=E4=BB=96=E4=BA=A6=E7=BC=BD=E6=A5=9E=E6=80=9B=E5=86=A5=E5=91=BC=E5=88=87=E4=BF=B1=E8=8F=A9=E8=88=8D=E5=91=90=E5=AF=A6=E6=A0=97=E5=A5=A2=E6=B3=A2=E6=91=A9=E8=AB=B3=E9=81=93=E7=BC=BD=E7=91=9F=E5=93=86=E5=AF=A6=E7=9A=A4=E7=88=8D=E5=8B=9D=E8=96=A9=E7=BD=B0=E8=AB=B8=E5=A5=A2=E8=88=AC=E8=AB=A6=E7=BD=B0=E6=98=8E=E7=BC=BD=E8=AB=A6=E5=B0=BC=E5=93=86=E6=A5=9E=E4=BD=9B=E4=BF=B1=E9=86=AF=E8=AB=B3=E6=BB=85=E5=BA=A6=E5=93=86=E6=89=80=E6=A7=83=E5=A7=AA=E9=BA=BC=E6=89=80=E6=81=90=E8=AB=B3=E4=BB=96=E4=BE=84=E5=AF=AB=E7=91=9F=E4=BE=84=E6=89=80=E5=BE=97=E9=9A=B8=E5=93=86=E9=97=8D=E5=91=90=E6=8F=90=E7=9B=A7=E5=86=A5=E5=92=92=E5=A5=A2=E6=9B=B0=E5=91=90=E6=B2=99=E6=80=AF=E8=88=AC=E5=8D=97=E6=80=AF=E5=9C=B0=E7=BC=BD=E5=96=9D=E5=86=A5=E6=83=B3=E5=91=90=E7=9B=A7=E7=BD=B0=E8=AC=B9=E5=91=BC=E8=B7=8B=E7=BC=BD=E4=B8=8A=E5=A8=91=E8=AB=A6=E6=AD=BB=E4=BE=84=E8=BF=A6

解题过程

Quoted-Printable也是MIME邮件中常用的编码方式之一。同Base64一样,它也将输入的字符串或数据编码成全是ASCII码的可打印字符串。
quopri
quopri.decodestring()解码可得

佛曰:梵僧奢楞奢吉若奢不帝冥夜是缽朋缽真特俱上罰能皤室阿諳明一切呐除梵姪缽婆呐亦參侄呼皤世哆特哆故勝諳爍謹智皤參孕逝諳謹漫死即侄除哆逝侄是奢喝礙豆諳楞無俱者哆度者。諳真冥訶侄勝竟藝奢不伊皤謹涅孕無他羅大得闍哆喝耶僧無羯滅除利缽多梵夷梵栗缽者孕諳盧皤三罰寫老梵耶室帝梵寫羯數梵盡侄栗侄藐俱世諳上諳姪數室婆罰槃奢訶哆多逝藐道梵楞梵南侄迦呐知朋楞侄離呐沙呐智遮大室神冥輸殿缽槃梵怛恐舍知皤迦奢般諳爍寫漫伊俱栗哆他亦缽楞怛冥呼切俱菩舍呐實栗奢波摩諳道缽瑟哆實皤爍勝薩罰諸奢般諦罰明缽諦尼哆楞佛俱醯諳滅度哆所槃姪麼所恐諳他侄寫瑟侄所得隸哆闍呐提盧冥咒奢曰呐沙怯般南怯地缽喝冥想呐盧罰謹呼跋缽上娑諦死侄迦

参悟佛所言的真意
公正友善自由公正民主公正和谐法治自由公正公正法治友善平等公正爱国公正平等法治爱国公正敬业公正友善爱国平等诚信平等法治敬业法治平等公正公正公正诚信平等平等友善敬业法治民主法治富强法治友善法治
社会主义核心价值观解码得flag
jactf{hexin_yufo_qp}

小梳子

生成字典爆破

crunch 11 11 -t 138364%%%%% -o/root/桌面/test.txt
aircrack-ng -w /root/桌面/test.txt Tenda_D07D90-01.cap
Crypto 贝斯家族三英战群魔

直接上脚本

$ python base.py ciphertext_ea88a4d420c804686a8899608e06130f.txt
1
using base16 decode sucess.....
2
using base16 decode failuer.....
using base32 decode sucess.....
3
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
4
using base16 decode sucess.....
5
using base16 decode failuer.....
using base32 decode sucess.....
6
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
7
using base16 decode sucess.....
8
using base16 decode failuer.....
using base32 decode sucess.....
9
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
10
using base16 decode sucess.....
11
using base16 decode failuer.....
using base32 decode sucess.....
12
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode sucess.....
13
using base16 decode failuer.....
using base32 decode failuer.....
using base64 decode failuer.....
jactf{4(b64_32_16)}
罗马帝国的奠基者

根据凯撒加密方式和flag格式可得

a = "h^_o`[pZi^i`"
b = ""

for j in range(0,90):
  b= ""
  for i in range(len(a)):
    b += chr(ord(a[i])+i+2)
  print b
绝密情报 题目描述
WzI2NDAzMjMxMEwsIDQ5NTA2MzczNDFMLCA0MTg5MTM3MjM1TCwgMzUwMzY3NTkwNkwsIDExOTMyNzJMLCAzNzQ1MzA5NjhMLCA1MTg5MjgxNTMxTCwgMjUxNDIwMDI3MkwsIDQ0NTQzMDU1ODFMLCA2NDEwNzg1OTdMLCA0Mzk1OTMxNjU5TCwgMjcxNjQyNjU5OUwsIDQzNzUzOTE5NEwsIDM0NDgwMTM1OTZMLCAzMDcyMDcyMDlMLCA0NzUwODIwNjA2TCwgMzI1MDQwNzk5M0wsIDg1MzkwNTIwOUwsIDIxMDk3OTExNTlMLCAyNzE2NDI2NTk5TCwgMjEwNzg5OTU1NEwsIDQzOTU5MzE2NTlMLCAyNzk0Mzg0NTk4TCwgMjEwOTc5MTE1OUwsIDUyOTc3NzkwOTRMLCAxNDYwODc0Mjg2TCwgMTQ2MDg3NDI4NkwsIDc5NDkzMTY3OUwsIDc5NDkzMTY3OUwsIDU0NDcwNTE2MjJMLCA4NTM5MDUyMDlMLCAzMTk4MzQwMjE4TCwgMTE5MzI3MkwsIDE5MTIzMjMxMDFMLCA1Mjk3Nzc5MDk0TCwgMzA3MjA3MjA5TCwgMzIzMTU3MjYwOEwsIDMxOTgzNDAyMThMLCA1MTg5MjgxNTMxTCwgNTI3ODg5NTQ4TCwgNDk1MDYzNzM0MUwsIDI4MzkzNjY4MDVMLCAxMTE2NDU3MzU0TCwgNTI3ODg5NTQ4TCwgNTI5Nzc3OTA5NEwsIDMyNTA0MDc5OTNMLCA0NDU0MzA1NTgxTCwgNjUxMDM5MkwsIDMyNTA0MDc5OTNMLCAxNDYwODc0Mjg2TCwgMTA1OTAzNTEyOUwsIDMyMDAzNTk2MTJMLCA4NTM5MDUyMDlMLCAzMDcyMDcyMDlMLCAxNTY3NzkxMDFMLCAyMTQ1MzAxMzI4TCwgNTI3ODg5NTQ4TCwgMTA1OTAzNTEyOUwsIDU0NjgwMjUwNzJMLCAzNDQ4MDEzNTk2TCwgMjEwNzg5OTU1NEwsIDQxODkxMzcyMzVMLCAzNTAzNjc1OTA2TCwgMjY1MzQzNjExM0xd
而且小菜昨天偷听到了一部分关于情报的绝密资料,如下:N=5520780427 , e = 134257,你能帮小菜解出这段情报吗?
解题过程
import base64,libnum

enc = "WzI2NDAzMjMxMEwsIDQ5NTA2MzczNDFMLCA0MTg5MTM3MjM1TCwgMzUwMzY3NTkwNkwsIDExOTMyNzJMLCAzNzQ1MzA5NjhMLCA1MTg5MjgxNTMxTCwgMjUxNDIwMDI3MkwsIDQ0NTQzMDU1ODFMLCA2NDEwNzg1OTdMLCA0Mzk1OTMxNjU5TCwgMjcxNjQyNjU5OUwsIDQzNzUzOTE5NEwsIDM0NDgwMTM1OTZMLCAzMDcyMDcyMDlMLCA0NzUwODIwNjA2TCwgMzI1MDQwNzk5M0wsIDg1MzkwNTIwOUwsIDIxMDk3OTExNTlMLCAyNzE2NDI2NTk5TCwgMjEwNzg5OTU1NEwsIDQzOTU5MzE2NTlMLCAyNzk0Mzg0NTk4TCwgMjEwOTc5MTE1OUwsIDUyOTc3NzkwOTRMLCAxNDYwODc0Mjg2TCwgMTQ2MDg3NDI4NkwsIDc5NDkzMTY3OUwsIDc5NDkzMTY3OUwsIDU0NDcwNTE2MjJMLCA4NTM5MDUyMDlMLCAzMTk4MzQwMjE4TCwgMTE5MzI3MkwsIDE5MTIzMjMxMDFMLCA1Mjk3Nzc5MDk0TCwgMzA3MjA3MjA5TCwgMzIzMTU3MjYwOEwsIDMxOTgzNDAyMThMLCA1MTg5MjgxNTMxTCwgNTI3ODg5NTQ4TCwgNDk1MDYzNzM0MUwsIDI4MzkzNjY4MDVMLCAxMTE2NDU3MzU0TCwgNTI3ODg5NTQ4TCwgNTI5Nzc3OTA5NEwsIDMyNTA0MDc5OTNMLCA0NDU0MzA1NTgxTCwgNjUxMDM5MkwsIDMyNTA0MDc5OTNMLCAxNDYwODc0Mjg2TCwgMTA1OTAzNTEyOUwsIDMyMDAzNTk2MTJMLCA4NTM5MDUyMDlMLCAzMDcyMDcyMDlMLCAxNTY3NzkxMDFMLCAyMTQ1MzAxMzI4TCwgNTI3ODg5NTQ4TCwgMTA1OTAzNTEyOUwsIDU0NjgwMjUwNzJMLCAzNDQ4MDEzNTk2TCwgMjEwNzg5OTU1NEwsIDQxODkxMzcyMzVMLCAzNTAzNjc1OTA2TCwgMjY1MzQzNjExM0xd"

enc = base64.b64decode(enc)
enc_list = eval(enc)
flag = ""
print enc_list
d = 3960784897
n = 5520780427
for i in range(len(enc_list)):
    m = pow(enc_list[i],d,n)
    flag += chr(m)
print flag
#U2FsdGVkX1/8DKBmhvO87/SOLaawwxvAdHLB9AV62nC6LhXzhatpvBcg6tlK7Fs5

des 解密下即可
jactf{So_easy_RSA_and_DES}

贝叶斯 题目

一共给了两个文件
encode.txt

int main()
{
    string P("*****************");
    string C("*****************");
    int len = C.length();
    for (int k = 0; k < len; k ++) {
        int where = des_find(P, C[k]);
        where = ((where * a) + b) mod x;
        cout << P[where];
    }
    return 0;
}

int des_find(string p, int m)
{
    for (int i = 0; i < p.length(); i++) {
        if (m == p[i]) {
            return  i;
        }
    }
}

题目.txt

现已知某间谍使用的密码本(这可是贝叶斯设计的密码本)如下:"elFXRVJUWVVJT1B4Y3Zibm1hc2RmQVNERkdISktMZ2hqa2xfcXdaWENWQk5NZXJ0e3l1aW9wfTAxMjM0OTg3NjU="
现获取到了他们的加密算法,同时劫获了一段数据密文:"gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7"
你能破译出明文数据吗?
解题过程
#include 
#include 
#define PSIZE 65   //宏定义密码表大小
using namespace std;
int gcd(int m, int n);
int init_gcd(int m, int n);
int des_find(string p, int m);

int main()
{
  string P("zQWERTYUIOPxcvbnmasdfASDFGHJKLghjkl_qwZXCVBNMert{yuiop}0123498765");             
  string M("gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7");   //明文空间,与已知密文
  string C;  //存放解密明文
  int i = 2;   //求解所有互素的数
  int a1;  //存放逆元
  for (i; i < PSIZE; i++)
  {
    if (gcd(i, PSIZE) == 1)
    {  //说明此时的i与28互素
      /***求解此时的i的逆元***/
      a1 = init_gcd(i, PSIZE);
      for (int j = 0; j < PSIZE; j++)   //控制b的遍历
      {
        cout << "此时:a=" << i << " b=" << j << " a的逆元为:" << a1 << "   "";
        for (int k = 0; k < M.length(); k++) {     //每一个汉字站两个字节,所以要用两个数组空间来存
          int where = des_find(P, M[k]);   //匹配密文在明文空间的位置
          where = ((where - j)*a1) % PSIZE;
          if (where < 0) {
            where += PSIZE;
          }
          cout << P[where];
        }
        cout << """ << endl;
      }
    }
  }
  return 0;
}
int gcd(int b, int a)    //求互素
{
  int temp;
  if (a < b)//判断大小
  {
    temp = a;
    a = b;
    b = temp;
  }
  if (b == 0) return a;
  else return gcd(b, a%b);//递归
}

int init_gcd(int m, int n)   //扩展欧几里得算法
{
  int i = 2;
  for (i; i < 28; i++)
  {
    if ((m*i) % n == 1)
    {
      return i;
    }
  }
}

int des_find(string p, int m)   //位置匹配函数
{
  for (int i = 0; i < p.length(); i ++) {
    //cout<

接下来的计划
总结下base家族
wasm
贝叶斯
关于字符向进制转化的算法与逆向
pyc 文件格式
des加密ebc cbc

文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。

转载请注明本文地址:https://www.ucloud.cn/yun/43561.html

相关文章

  • 2019安杯write up

    摘要:前言肝了一天,最后打了第三,记录下。同一样,它也将输入的字符串或数据编码成全是码的可打印字符串。 前言 肝了一天,最后打了第三,记录下。我逆向真的好菜啊~~~~ Reverse baby_reverse 加密函数如下 int __fastcall encode(const char *a1, __int64 a2) { char v3[32]; // [rsp+10h] [rbp-...

    eternalshallow 评论0 收藏0
  • 2019 PlaidCTF write up

    摘要:题目先屯一份打完取证回来慢慢的复现 题目先屯一份打完取证回来慢慢的复现~~ Reverse i can count - 50pts Lets do this together. You do know how to count, dont you? The .Wat ness - 250pts The .Wat ness is open for testing! http://wat...

    zone 评论0 收藏0

发表评论

0条评论

Jochen

|高级讲师

TA的文章

阅读更多
最新活动
阅读需要支付1元查看
<