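After downloading the challenge attachment, we get a Python script, esrever.py, and a file containing the Encrypted Key and the Encrypted Text. The obvious guess is that we have to write a decryption script from the encryption algorithm to recover the flag.
esrever.py is as follows: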

    import random

    # TODO: Remember to remove real flag before deploying
    flag = 'csictf{fake_flag}'
    key = 'fake_key'

    def enc1(text):
        r = random.randint(1,25)
        return bytes.fromhex(''.join([hex(((ord(i) - ord('a') - r) % 26) + ord('a'))[2:] for i in text])).decode('ascii')

    def enc2(text, key):
        k = [key[i % len(key)] for i in range(len(text))]
        return ''.join([chr(ord(text[i]) ^ ord(k[i]) + ord('a')) for i in range(len(text))])

    def enc3(text):
        mapping = [28, 33, 6, 17, 7, 41, 27, 29, 31, 30, 39, 21, 34, 15, 3, 5, 13, 10, 19, 38, 40, 14, 26, 25, 32, 0, 36, 8, 18, 4, 1, 11, 24, 2, 37, 20, 23, 35, 22, 12, 16, 9]
        temp = [None]*len(text)
        for i in range(len(text)):
            temp[mapping[i]] = text[i]
        return ''.join(temp)

    def enc4(text):
        mapping = [23, 9, 5, 6, 22, 28, 25, 30, 15, 8, 16, 19, 24, 11, 10, 7, 2, 14, 18, 1, 29, 21, 12, 4, 20, 0, 26, 13, 17, 3, 27]
        temp = [None]*len(text)
        for i in range(len(text)):
            temp[i] = text[mapping[i]]
        return ''.join(temp)

    encryptedText = enc1(flag)
    encryptedKey = enc1(key)
    for i in range(random.randint(1,100)):
        encryptedText = enc1(encryptedText)
        encryptedKey = enc1(key)

    print('Encrypted Key = ' + enc4(enc4(encryptedKey)))
    print('Encrypted Text = ' + enc3(enc3(enc2(enc1(encryptedText), key))))

The provided file is as follows:
Encrypted Key = ieluvnvfgvfahuxhvfphbppnbgrfcrn
Encrypted Text = »·ª»£µ±¬¥¼±ºµ±¿·£¦´¯ª¨¥«¥¦«´¸¦¡¸¢²§¤¦¦¹¨
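First, look at the algorithm. Apart from enc1, none of the functions involve random numbers, and although enc1 does, it has only 26 possible outcomes. At first I thought this could be brute-forced, but then I noticed that the final wrapper also contains for i in range(random.randint(1,100)): and dropped the idea. I started by writing the inverses of enc2, enc3 and enc4. Looking at enc1 more closely afterwards, I realized that it is really just a Caesar cipher with a random shift, and with that the answer falls out: no matter how many times a string is encrypted with enc1, there are only 26 possible results!!! So we can first recover the key (26 possibilities in total), then compute the text that corresponds to each candidate key, then run the 26 Caesar decryptions on each of those texts, and the string that contains the keyword 'csictf' is the flag!
The script is as follows: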

    def reenc4(text):
        # Inverse of enc4: put each character back at the position it was read from.
        mapping = [23, 9, 5, 6, 22, 28, 25, 30, 15, 8, 16, 19, 24, 11, 10, 7, 2, 14, 18, 1, 29, 21, 12, 4, 20, 0, 26, 13, 17, 3, 27]
        temp = [None]*len(text)
        for i in range(len(text)):
            temp[mapping[i]] = text[i]
        return ''.join(temp)

    enkey='ieluvnvfgvfahuxhvfphbppnbgrfcrn'
    enkey=reenc4(enkey)
    enkey=reenc4(enkey)
    print(enkey,"\n")

    table='abcdefghijklmnopqrstuvwxyz'
    enc1table=[]  # only used by the old reenc1 kept below for reference
    """
    def reenc1(text):# reenc1 as written before I realized it was a Caesar cipher
        for r in range(1,26):
            n=''
            for char in text:
                for i in range(26):
                    x=(ord(table[i])-ord('a')-r)%26+ord('a')
                    if(x==ord(char)):
                        n+=table[i]
            print(n)
            enc1table.append(n)
        return enc1table
    """
    def reenc1(text):
        # Return every Caesar shift of text. A local list is used so that repeated
        # calls do not accumulate results; shift 0 is included because the shifts
        # of repeated enc1 rounds can add up to a multiple of 26.
        candidates=[]
        for r in range(26):
            n=''
            for char in text:
                x=chr((ord(char)-ord('a')-r)%26+ord('a'))
                n+=x
            candidates.append(n)
        return candidates

    def reenc2(entext,key):# mind the operator precedence here!!!
        k = [key[i % len(key)] for i in range(len(entext))]
        detext=''
        for i in range(len(entext)):
            x=chr((ord(entext[i])^(ord('a')+ord(k[i]))))
            detext+=x
        return detext

    def reenc3(text):
        # Inverse of enc3.
        mapping = [28, 33, 6, 17, 7, 41, 27, 29, 31, 30, 39, 21, 34, 15, 3, 5, 13, 10, 19, 38, 40, 14, 26, 25, 32, 0, 36, 8, 18, 4, 1, 11, 24, 2, 37, 20, 23, 35, 22, 12, 16, 9]
        temp = [None]*len(text)
        for i in range(len(text)):
            temp[i] = text[mapping[i]]
        return ''.join(temp)

    # The bytes were originally read from the challenge file; the result is not
    # used further because the bytes are hard-coded below.
    # fp=open(r"D:\Desktop\做題檔案\CsiCtf\Esrever\esrever.txt","rb")
    # b=fp.readlines()
    # below is the encrypted text that was read out
    entext = b"\xc2\xbb\xc2\xb7\xc2\xad\xc2\xaa\xc2\xbb\xc2\xa3\xc2\xb5\xc2\xb1\xc2\xac\xc2\xa5\xc2\xbc\xc2\xb1\xc2\xba\xc2\xb5\xc2\xb1\xc2\xbf\xc2\xb7\xc2\xa3\xc2\xa6\xc2\xad\xc2\xb4\xc2\xaf\xc2\xaa\xc2\xa8\xc2\xa5\xc2\xab\xc2\xa5\xc2\xa6\xc2\xab\xc2\xb4\xc2\xb8\xc2\xa6\xc2\xa1\xc2\xb8\xc2\xa2\xc2\xb2\xc2\xa7\xc2\xa4\xc2\xa6\xc2\xa6\xc2\xb9\xc2\xa8"
    entext=(entext.decode())
    entext=reenc3(reenc3(entext))

    keytable=reenc1(enkey)
    #print(keytable)
    texttable=[]
    for strkey in keytable:
        x=reenc2(entext,strkey)
        #print(enc2(x,strkey))
        texttable.append(x)
    #print(texttable)
    for textstr in texttable:
        x=reenc1(textstr)
        for i in x:
            if "csictf" in i:
                print(i)

Running it gives the following result:

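The resulting string 'csictfaesreverisjustreverseinreverserightc' is our flag, but we need to change the a to '{' and the final c to '}', because the admins said the format stays the same; the string after that change is our flag!!!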
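
The observation above that any number of enc1 rounds collapses into one Caesar shift, and that the search is therefore only 26 key candidates times 26 text shifts, can be checked in isolation. This is an added example, not part of the original write-up: the flag, key, seeds and all function names are constructed for illustration, and the fixed enc3/enc4 permutation layers are left out because they carry no secret.

```python
import random

A = ord('a')

def shift(text, r):
    # Same arithmetic as enc1 on the page, with the shift r passed in.
    return ''.join(chr((ord(c) - A - r) % 26 + A) for c in text)

def stacked_enc1(text, rng):
    # Mirrors the page's loop: 1..100 rounds, each with a fresh r in 1..25.
    for _ in range(rng.randint(1, 100)):
        text = shift(text, rng.randint(1, 25))
    return text

def reachable_outputs(text, trials=2000, seed=0):
    # Collect the distinct results of many stacked encryptions of one input.
    rng = random.Random(seed)
    return {stacked_enc1(text, rng) for _ in range(trials)}

def xor_layer(text, key):
    # enc2: '+' binds tighter than '^', so this is c ^ (k + 'a'); self-inverse.
    return ''.join(chr(ord(c) ^ (ord(key[i % len(key)]) + A))
                   for i, c in enumerate(text))

def encrypt_like_page(flag, key, seed):
    # Constructed stand-in for the challenge output (permutation layers omitted).
    rng = random.Random(seed)
    return xor_layer(stacked_enc1(flag, rng), key), shift(key, rng.randint(1, 25))

def recover(ct, shifted_key, crib):
    # 26 key candidates x 26 text shifts = 676 trials in total.
    hits = []
    for rk in range(26):
        key = shift(shifted_key, rk)
        inner = xor_layer(ct, key)
        for rt in range(26):
            pt = shift(inner, rt)
            if pt.startswith(crib):
                hits.append((key, pt))
    return hits

if __name__ == "__main__":
    print(len(reachable_outputs("csictf")))
    ct, sk = encrypt_like_page("csictfaconstructedflagc", "samplekey", seed=7)
    print(recover(ct, sk, "csictf"))
```
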
