Posted by ColasDAD on 26 Aug, 2022
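I was lucky enough to take part in this competition as a casual participant, and I am sharing the Misc and Crypto challenges from it here.
Challenge attachment: YQ_Misc_签到.zip
The sign-in challenge is a giveaway with no tricks or guesswork. Extracting the challenge archive gives an image named “5GS.jpg”; open it in an image viewer and zoom in to see the black string hidden in the image details.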
flag{cybers3c@xjj}
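Challenge attachment: YQ_Misc_数据包分析.zip
Extracting the archive gives “gifa.pcap”. Analysis in Wireshark shows that the capture records an HTTP GET request that downloads a file named “gifa.zip”. Extract this zip file from the capture and unpack it to get “gifa.gif”. The extracted gif is damaged and cannot be opened directly in an image viewer. Opening “gifa.gif” in a text editor shows that the file starts with “89a”, so the standard GIF header signature “GIF” is clearly missing. After restoring the full header “GIF89a”, the file becomes a normal multi-frame gif; going through it frame by frame, two of the frames contain the string flag{fjkitnjgpdf8ffwq883el5z}.
Challenge attachment: YQ_Misc_HMisc.zip
Extracting the archive gives “new.jpg”. Running Binwalk on this jpg extracts a hidden archive named “7F89.zip”, which unpacks to “misc.png”. This png opens in the Windows image viewer, but the height actually displayed is less than the 384 pixels specified in the IHDR header. Checking the file with pngcheck shows that the 4-byte length field of the 5th IDAT chunk is suddenly 0, which is highly abnormal. Using a hex editor, change that length field from 0x00000000 to 0x0000542b, the actual length of the 5th IDAT's content, and the image displays in full. The image reveals the hidden text “apache”, presumably a password of some kind. Continuing the analysis, the 6th and 7th IDAT chunks do not contain the zlib-compressed data a PNG should have; they look like base64-encoded data instead. In particular, “U2FsdGVk” base64-decodes to the word “Salted”, which shows that the string was first encrypted with openssl and then base64-encoded. Extracting the data from the 6th and 7th IDAT chunks, merging the two parts and deleting the extra bytes gives the complete base64-encoded string.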
In Kali, save this string as “enc.txt” and decrypt it with openssl using the previously recovered “apache” as the password, which produces the decrypted file “dec.txt”. The command is:
cat enc.txt | base64 -d | openssl enc -aes256 -salt -d -out dec.txt -pass pass:apache -md md5
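Why the aes256 algorithm with md5 as the hash? All I can say is that it is probably because they are commonly used (in fact, from openssl 1.1 onward the default hash is no longer md5, so unless you have seen the original challenge before, this one comes down entirely to guesswork and trial and error). The decrypted content is a string of “0” and “1” characters with a length of 4900, exactly 70*70, which suggests a QR code. The following Python code converts it into a QR code image.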
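from PIL import Image
import numpy as np
# s is the 4900-character string of '0' and '1'; here it is read from the dec.txt produced above
with open("dec.txt") as f:
    s = f.read().strip()
table = np.zeros((70, 70), dtype=int)
i = 0
# Fill the 70x70 matrix row by row from the bit string
for row in range(70):
    for j in range(70):
        if s[i] == '1':
            table[row][j] = 1
        else:
            table[row][j] = 0
        i += 1
# Map 0 to black (0) and 1 to white (255)
a = [[0 if b == 0 else 255 for b in row] for row in table]
qrcode = Image.fromarray(np.uint8(np.array(a)))
qrcode.show()
qrcode.save(r"./qr.png")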
Scanning the code gives flag{lakks1qw23eeeaw345tywqiqajsajdwajdai}
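The zeroed IDAT length fixed by hand above can also be found and repaired programmatically. This is an added example, not part of the original write-up: it walks the PNG chunks and, for a chunk whose declared length fails its CRC-32, searches for the length that passes. It assumes the damaged chunk's stored CRC is intact; the 8x8 sample image and all function names are constructed for illustration.

```python
import struct
import zlib

SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def crc_ok(png, body, ctype, n):
    """True if n data bytes starting at `body` are followed by their matching CRC."""
    end = body + n
    if end + 4 > len(png):
        return False
    return zlib.crc32(ctype + png[body:end]) == struct.unpack(">I", png[end:end + 4])[0]

def audit(png):
    """Return (repaired_bytes, findings); a length that fails its CRC is re-derived."""
    if not png.startswith(SIG):
        raise ValueError("not a PNG")
    out, findings, pos = bytearray(SIG), [], len(SIG)
    while pos + 8 <= len(png):
        declared, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body, real = pos + 8, declared
        if not crc_ok(png, body, ctype, declared):
            real = next((n for n in range(len(png) - body) if crc_ok(png, body, ctype, n)), None)
            if real is None:
                raise ValueError(f"chunk at offset {pos}: no length satisfies the CRC")
            findings.append((ctype.decode("latin-1"), pos, declared, real))
        out += chunk(ctype, png[body:body + real])
        pos = body + real + 4
    return bytes(out), findings

def sample():
    """Constructed 8x8 grayscale PNG whose second IDAT has its length zeroed."""
    raw = b"".join(b"\x00" + bytes(range(8 * y, 8 * y + 8)) for y in range(8))
    z = zlib.compress(raw)
    good = (SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 8, 8, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", z[:10]) + chunk(b"IDAT", z[10:]) + chunk(b"IEND", b""))
    off = len(SIG) + (12 + 13) + (12 + 10)  # offset of the second IDAT's length field
    return good, good[:off] + b"\x00" * 4 + good[off + 4:]

if __name__ == "__main__":
    good, bad = sample()
    fixed, findings = audit(bad)
    for name, pos, declared, real in findings:
        print(f"{name} at offset {pos}: declared 0x{declared:08x}, actual 0x{real:08x}")
    print("repaired file matches original:", fixed == good)
```

If a chunk's CRC was also altered, the search finds nothing and the length has to be measured from the next chunk header instead.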
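Extracting the archive gives “cipher_1.txt”, which holds the ciphertext. The ciphertext looks like English grammar after letter substitution, but punctuation such as “:”, “.” and “,” sits to the left of the letters, whereas punctuation normally sits to the right. That suggests the ciphertext is reversed, so first reverse it with Python.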
TEXT = "!=4IJkynJlTaX8g7KvlaK :mokzwof svh tc vqfo bo fsrbi ubwg fsjcz o rfosv T fsjwf ubwaawfp svh mp bkcr rbL .hosvk hgsjfov tc grzswt sfsk hbsasjod svh bcdi grkcfq svh ,hssfhD zchgwfM bkcr ubwyzoH .ubwbsjs sbc hic rsyzok T gL"
TEXT = TEXT[::-1]
print(TEXT)
Next, running word-frequency analysis with WinDecrypto on the reversed string “Lg T kozysr cih cbs sjsbwbu. Hozywbu rckb Mfwghcz Dhfssh, hvs qfckrg idcb hvs dojsasbh ksfs twszrg ct vofjsgh kvsoh. Lbr rckb pm hvs pfwaawbu fwjsf T vsofr o zcjsf gwbu ibrsf ob ofqv ct hvs fowzkom: KalvK7g8XaTlJnykJI4=!” gives “Zs F walked out one evening. Talking down Yristol Ptreet, the crowds upon the pavement were fields of harvest wheat. Znd down by the brimming river F heard a lover sing under an arch of the railway: WmzhW7s8QmFzVjkwVU4=!”. The all-lowercase words decrypt into something meaningful, but the uppercase letters are clearly wrong; a word like “F” should obviously be “I”. This suggests that the cipher uses different shifts for uppercase and lowercase letters, so write a Python program that searches for the string “I walked out one evening” to test this.
# coding:utf-8
TEXT = "!=4IJkynJlTaX8g7KvlaK :mokzwof svh tc vqfo bo fsrbi ubwg fsjcz o rfosv T fsjwf ubwaawfp svh mp bkcr rbL .hosvk hgsjfov tc grzswt sfsk hbsasjod svh bcdi grkcfq svh ,hssfhD zchgwfM bkcr ubwyzoH .ubwbsjs sbc hic rsyzok T gL"
# Reverse the text
TEXT = TEXT[::-1]
# Substitute with separate shifts for lowercase (a) and uppercase (b); c is the character to replace
def change(c, a, b):
    dic1 = "abcdefghijklmnopqrstuvwxyz"
    dic2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    if c in dic1:
        return dic1[(dic1.index(c) + a)%26]
    elif c in dic2:
        return dic2[(dic2.index(c) + b)%26]
    else:
        return c
# i is the shift applied to dic1, j is the shift applied to dic2
for i in range(26):
    for j in range(26):
        OUTPUT = ""
        for k in TEXT:
            OUTPUT += change(k, i, j)
        if OUTPUT.find("I walked out one evening")>=0:
            print("dict1 shift: "+str(i))
            print("dict2 shift: "+str(j))
            print("output: "+OUTPUT)
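Running the program shows that lowercase letters are shifted by 12 and uppercase letters by 15, and the decrypted message is “As I walked out one evening. Walking down Bristol Street, the crowds upon the pavement were fields of harvest wheat. And down by the brimming river I heard a lover sing under an arch of the railway: ZmxhZ7s8MmIxYzkwYX4=!”. This looks very close. Finally, note the special string between the colon and the exclamation mark; the “=” immediately suggests BASE64 encoding, so write Python code to try BASE64-decoding “ZmxhZ7s8MmIxYzkwYX4=”: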
import base64
ENC="ZmxhZ7s8MmIxYzkwYX4="
print(base64.b64decode(ENC))
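The output is b'flag\xbb<2b1c90a~', which is clearly not the correct result, but the “flag” prefix shows that the general direction is right. Thinking further, not only do uppercase and lowercase letters have different shifts, the digits may have a different shift as well, so write another Python program to brute-force it: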
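# coding:utf-8
import base64
ENC="ZmxhZ7s8MmIxYzkwYX4="
# Shift a digit by b positions (mod 10); any other character is returned unchanged
def change(a, b):
    dic = "0123456789"
    if a in dic:
        return dic[(dic.index(a) + b)%10]
    else:
        return a
# Try all 10 digit shifts and BASE64-decode each candidate
for i in range(10):
    TRY = ""
    for k in ENC:
        TRY += change(k, i)
    try:
        print(base64.b64decode(TRY))
    except Exception:
        print(i)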
Output:
b'flag\xbb<2b1c90a~'
b'flag\xcb=2b1c90a~'
b'flag\xdb42b1c90a~'
b'flagK52b1c90a~'
b'flag[62b1c90a\x7f'
b'flagk72b1c90a\x7f'
b'flag{82b1c90a}'
b'flag\x8b92b1c90a}'
b'flag\x9b:2b1c90a}'
b'flag\xab;2b1c90a}'
This gives flag{82b1c90a}.
Challenge attachment: YQ_Crypto_LD.zip
Challenge attachment: YQ_Crypto_x0RSA.zip