[De1CTF2019]xorz

附件:

from itertools import *
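from data import flag, plain

# Challenge generator: `plain` is encrypted with two repeating XOR streams,
# the secret key (taken from the flag) and a constant salt.
#
# NOTE: str.strip() removes a *set of characters* from both ends, not a
# literal prefix/suffix. A key that begins with any of "de1ctf{" (or begins or
# ends with "}") would lose those characters here. Left unchanged on purpose.
key = flag.strip("de1ctf{").strip("}")
assert len(key) < 38  # the key-length bound is part of the published source
salt = "WeAreDe1taTeam"
ki = cycle(key)
si = cycle(salt)
# Each plaintext character is XORed with the next key character and the next
# salt character, then written as two lowercase hex digits. Because the salt
# is a constant in this file, it adds no secrecy: XORing the output with the
# salt leaves plain repeating-key XOR under a key shorter than 38 characters.
cipher = ''.join('%02x' % (ord(p) ^ ord(next(ki)) ^ ord(next(si))) for p in plain)
# Parenthesised form prints the same string on Python 2 and parses on Python 3.
print(cipher)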
# output:
# 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

先将输出与iv(即脚本中公开的salt)异或:salt是已知常量,去掉它之后剩下的就是用key循环异或得到的密文。然后分析异或值的出现频率,初步确定key长度为30。

利用字符范围及语义可理解性,以4字节为单位进行爆破(爆出4字节并确认后,可以结合明文推算下一字节)。推算出20字节左右后,可以根据明文搜索到出处——莎士比亚的十四行诗(个别地方稍有区别)。

import string
from binascii import unhexlify, hexlify
from itertools import *


def bxor(a, b):
    """XOR two byte strings, truncating the result to the shorter one."""
    # zip() stops at the shorter operand, which gives the truncation directly.
    return bytes(x ^ y for x, y in zip(a, b))


def hamming_distance(b1, b2):
    """Return the number of differing bits between b1 and b2.

    Only the overlapping prefix is compared, because bxor() truncates.
    """
    return sum(bin(value).count("1") for value in bxor(b1, b2))


def break_single_key_xor(text):
    """Guess the single-byte XOR key for one column of ciphertext.

    A byte that was a space (0x20) in the plaintext, XORed with any other
    ciphertext byte of the same column, yields an ASCII letter (or 0 for
    another space) whenever that other byte was a letter or a space. The
    position with the most such matches is taken to be a space, and the key
    is that ciphertext byte XOR 0x20.

    `text` is a sequence of ints (bytes or a list of byte values). Returns
    the key as a one-character string. Raises IndexError on empty input.
    """
    alphabet = string.ascii_letters.encode('ascii')
    best_index = 0
    best_score = 0
    for i, left in enumerate(text):
        score = sum(
            1
            for j, right in enumerate(text)
            if j != i and ((left ^ right) == 0 or (left ^ right) in alphabet)
        )
        # Strict comparison keeps the earliest position on ties.
        if score > best_score:
            best_score, best_index = score, i
    return chr(text[best_index] ^ 0x20)


salt = "WeAreDe1taTeam"
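# Step 1: remove the salt. The salt is a constant in the challenge script, so
# XORing it out leaves a ciphertext protected only by the repeating key.
# The XOR is done on raw bytes; round-tripping through str.decode() would
# fail or merge bytes for any value >= 0x80.
si = cycle(salt)
b = unhexlify(b'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')
b = bytes(c ^ ord(next(si)) for c in b)
plain = hexlify(b).decode("ascii")
print(plain)

# Step 2: rank candidate key sizes. For the right key size, consecutive
# blocks are encrypted under the same key bytes, so the key cancels in their
# XOR and the bit distance between them drops.
normalized_distances = []
for KEYSIZE in range(2, 40):
    # Average the Hamming distance over the first six KEYSIZE-byte blocks
    # (five adjacent pairs), normalised by the number of bytes compared.
    blocks = [b[i * KEYSIZE:(i + 1) * KEYSIZE] for i in range(6)]
    total = sum(hamming_distance(x, y) for x, y in zip(blocks, blocks[1:]))
    normalized_distance = float(total) / (KEYSIZE * 5)
    normalized_distances.append((KEYSIZE, normalized_distance))
normalized_distances = sorted(normalized_distances, key=lambda x: x[1])

# Step 3: for the five best key sizes, solve each key position independently
# as single-byte XOR and print the candidate key and plaintext.
for KEYSIZE, _ in normalized_distances[:5]:
    # Column i holds every byte encrypted with key position i.
    columns = [b[offset::KEYSIZE] for offset in range(KEYSIZE)]
    try:
        keys = ''.join(break_single_key_xor(column) for column in columns)
        # latin-1 maps code points 0-255 to exactly one byte each. UTF-8 would
        # emit two bytes for a key value >= 0x80 and shift the key stream out
        # of alignment with the ciphertext.
        key_bytes = keys.encode("latin-1")
        # Repeat the key just past len(b); bxor() truncates to the shorter.
        key = key_bytes * (len(b) // KEYSIZE + 1)
        plaintext = bxor(b, key)
        print("keysize:", KEYSIZE)
        # NOTE(review): the trailing "n" is printed literally; it may have
        # been "\n" before the page was extracted. Confirm.
        print("key is:", keys, "n")
        s = bytes.decode(plaintext)
        print(s)
    except (IndexError, UnicodeError):
        # Best effort: a wrong key size usually gives bytes that are not valid
        # text (or an empty column); skip that candidate and try the next.
        continue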

运行得:

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
keysize: 30
key is: W3lc0m3tOjo1nu55un1ojOt3m0cl3W n
In faith I do not love thee with mine eyes,For they in thee a thousand errors note;But `tis my heart that loves what they despise,Who in despite of view is pleased to dote.Nor are mine ears with thy tongue`s tune delighted;Nor tender feeling to base touches prone,Nor taste, nor smell, desire to be invitedTo any sensual feast with thee alone.But my five wits, nor my five senses canDissuade one foolish heart from serving thee,Who leaves unswayed the likeness of a man,Thy proud heart`s slave and vassal wretch to be.Only my plague thus far I count my gain,That she that makes me sin awards me pain.
keysize: 9
key is: mulpelOut n
F.* v)o h) 1gy3yflf*t0pMA: qr67c"ujG:h!/C2JIfmjui`Is:)vq-Zlu*uf7C17u.^^vdI6i7rF6]5N (6 f$yviu" *i< R}18g6!3}FDi g -*0fn{O0ounQ#W/nvudsH'm4jxyhc|niQv*G%d!2NI3 H u7fKno9N.* v$dbesgf jp?Uflaec"bFn*vc1 c"hqLdsS:}2BI2e?uostw8r|uZd/stZ1+MeudfRI iX }
n{d$s$6sw f&fd&s1/k?Opflf dcpOJt -B,10o:xKw:="fW5(oaul!]nl8>c<s/:e^K6dt'_BvoB 98nLvc.I )=ap5*`rn* 6jn Rv!8z-d&=tMueoe83uq^opQv>d0k2K_flz>ddHt:2x08Zm{26RWhR7xt"O3a^1y-!Pvk+D  6d"7kus`+ 2}y"Xpflaec&?lKv<#m e`n}kG!+u | BHfI36n oO'w$>w8nrgK1,J 7u.ZSvmM.|-!N*.Hna9wc3nu l" 5nu8
keysize: 2
key is: tr n
j/8w%v3nQ;'u'/(u<)rhX 5q'r>0LW)8|-q"&^a~06A.5!h-xgi/96{"Baly+j4gU|;&hu.5r<+rjX;l67~3LPauhdw"gIl;7rf5gms3xmw)x67j/@Za|t7o.u^4L+u'()!x nnTt$9-q>1LF68x7?7j^yh&~'5(!x*i{N.kbvl"N(vtdz&tH8l*noa3ieeiqSg4|"d>3PM$8u!s.aSl~'!I.5!h szXra'rr.KDal~d}&u^8o,od)"r<5oqSemW-e>3DP5}=dq(tkv&vkmgey6tlX 5vbu{gLM7qe!{iyu::t$)ri$q>[e j67i.QKaly!zggWwu&4E43!q<=xTv$95~j4 /wcdr>&]qm&:t$)ry6=}\np1dk&AFaw!?!iTtr0r')"`n1=xOo,91rl1LM&8e,z"*lptcvb 1doehpNw `'s>3MFatx/z)cHk;,|' gl}+1JUyai0xk#K$yc04&Htz5' )e<3|mNa-95e{3FKal~d}"(tvw::j8gqp$zkX 5q7d>!DQaQ1'p2hO8v::` .o0uI 2q'7j/DWaup/z4&V};0sia&v}7ymm$92vw)
keysize: 7
key is: zttpuvl n
d)8u$r+fW? w9!.u>(vpP 3u p >JW+9x5y" Zf|.8G.7 l5pgm(;(q}"Cetq+l0`Wb5 hw/1j4+tn_9b07|2HHiun`p yGj;5sb-omu7oy/x46n7HZgxs5q s^6M/m/(/%"p`Rt&8)i61JB1:f997h_}p.~!1/#f$o{O*sjvj&L6xrdx'pP0l,jhc-gcekpW<|$`91NC"8w w6iSjz #W 3!j!wbPrg{ pl MDcmz|u&sZ?m2ab) s8-gqUajU3k83FQ1e5dw,sux vilc}q6rh_"+xduyfHU?qc%|wu8;p<!ro v<Ek&j46m6YKgh~#diaWut",M45%v>#vRv&81fb4(u}jt>$\uu.:r .pg8;}^oh9dm"FDyy!= mL|r6v +<nh1?yKw$97vk3RC 8g-~:"lvpdt|.7dmdlhFw&d q =KFcu|7r)eLl92r! emy39JS}fk.vm#J ak0y0!Jjt3%!-}43ziIc373ey2BSilx`z 6zpw8;n oqv }iF.3q5e:9LQgU6%n<nO:w>"h (k7kqO 0p#/b/BSfwn!|4$Wy#8soe!tc9ml !:vq-
keysize: 19
key is: h{ct>aoQuaougultjj{ n
v&/qoe(MB  f 7.k$&hgI yd:W9%QV<9b-i</Bhi6|R5 {6tq)'.pa-B-ydm!zTi:8hm0<n5<t K  m%,y KHgkpkm-vI .*Wa zlf2fmi d? leSAB}g,h=rF2R3z='8!45sKSa988p 1TX?$q 9}yEZi5e &/9~4qt   A?k.cq[5waed&lV1p#yi+ rFdzjTt3d$z&<JB5894nfFq2 W.-?a<zm^8rdsa5LWftxze)oQ)o`zy%g!4zpMeuI$y7$B&feb3ln hsb}jh68yE2ctnfRM/ol=roQjn;g?.an<w Cj:e'7%;Lnfyd ofyWok/(L#5kb'yGm#*2fl*5xrd>+;xvx;;a%7ra(4aUy:"H'R]fdx99?q[n}!rk<?Ei$ yZn29)le-EZ rv7Y#9wwgdnd>)kujypb=E f#2XGt`1s5j_mq?g!twz86RSgyf*wz#I^9\d%b53Ijz-a.< r:yovm`>"2v|+@Uycdkl"dakR=/w9rpn$buQ<<f1.-:gPrJ64w*nQ y 5q bz-4rjT!'p97r1MKhbvei/Wn 7`ny he8cbmh,/Sp<

最后结果为de1ctf{W3lc0m3tOjo1nu55un1ojOt3m0cl3W}
