
[CTF] 2015 Huashan Cup Network Security Competition: Cryptographic Algorithm Analysis

Tags: CTF, cryptographic algorithms, Huashan Cup

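Cryptography & Algorithms: Cryptographic Algorithm Analysis
10 teams have solved this challenge so far.
Word is that scanners are actually completely useless here ^_^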

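Challenge description
1 A classical cipher gift pack
2 A plaintext with a certain typical distribution was encrypted, giving the following ciphertext: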

OFWNNSVIOQBSQGTCTRWNMJGPWWAWRBZXMTGUBYRLHAOTLQYWLIRLGRNOYXFWBZOBQITTUWQOOBOLDBJDAYCLOTREDWAVWXLOITWQCJBCGOQBLUGXXXTEMEQIAWJBCJYRGYIGWVRLKBBIQSCGVZTRLZCXTGYFLQAOLCRGMASOFZZTXTZOQEWLFTTUCFOPYEXYTMYJDCWZGCELCCRTXBBGGOILXQZJZOOQIFOGRZISTZXZBSWAFANQBAOBYXTGRGBJGJDNGEFLOAYCZLARTXXBWYOFECERCZOBVAXGRKOLZIBLXXBRQGLCZYCXFSIDNJCTBXDAFRNMDICZBBQGYCLECKOZGCTNOGJ

The key is as follows:

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

3 The FLAG has now been encrypted to:

LCHIKCDDQOYXEGGQ

The key is as follows:

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

4 Submit the plaintext FLAG


Solution approach
1 The key looks like Base64, so decode it with an online decoder, which gives:

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

2 Looking at the result, I was stuck without any idea for a long time; on the off chance, I Base64-decoded it once more and got:

Ll8gLl8gXy4uLiBfLi4uIF8uLi4gXy4uLiAuXyAuXyBfLi4uIF8uLi4gLl8gLl8gLl8gLl8gXy4uLiBfLi4uIC5fIF8uLi4gXy4uLiBfLi4uIC5fIF8uLi4gXy4uLiBfLi4uIF8uLi4gXy4uLiBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyAuXyAuXyBfLi4uIC5fIC5fIC5fIC5fIF8uLi4gLl8gXy4uLiBfLi4uIC5fIF8uLi4gLl8gXy4uLiAuXyBfLi4uIF8uLi4gLl8gXy4uLiAuXyAuXyBfLi4uIC5fIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyAuXyBfLi4uIF8uLi4gLl8gLl8gXy4uLiAuXyAuXyAuXyAuXyBfLi4uIF8uLi4gLl8gXy4uLiBfLi4uIC5fIC5fIC5fIF8uLi4gXy4uLiBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyBfLi4uIF8uLi4gLl8gLl8gLl8gLl8gLl8gLl8gLl8gLl8gLl8gLl8gXy4uLiAuXyAuXyAuXyBfLi4uIF8uLi4gLl8gXy4uLiAuXyAuXyAuXyBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyAuXyBfLi4uIF8uLi4gLl8=

3 The result repeats heavily in units of 4 characters, so I guessed it was still Base64; decoding gives:

._ ._ _... _... _... _... ._ ._ _... _... ._ ._ ._ ._ _... _... ._ _... _... _... ._ _... _... _... _... _... _... ._ ._ _... ._ _... ._ ._ ._ _... ._ ._ ._ ._ _... ._ _... _... ._ _... ._ _... ._ _... _... ._ _... ._ ._ _... ._ ._ ._ _... ._ _... ._ ._ _... _... ._ ._ _... ._ ._ ._ ._ _... _... ._ _... _... ._ ._ ._ _... _... _... ._ ._ _... ._ _... ._ _... _... ._ ._ ._ ._ ._ ._ ._ ._ ._ ._ _... ._ ._ ._ _... _... ._ _... ._ ._ ._ _... ._ ._ _... ._ _... _... ._ ._ _... ._ _... ._ ._ _... _... ._

4 The result is easily recognized as Morse code; a Python script does the conversion:

#filename: morse.py
#version:Python 3.4

CODE = {'._':'A','_...':'B'}

msg = ['._','._','_...','_...','_...','_...','._','._','_...','_...','._','._','._','._','_...','_...','._','_...','_...','_...','._','_...','_...','_...','_...','_...','_...','._','._','_...','._','_...','._','._','._','_...','._','._','._','._','_...','._','_...','_...','._','_...','._','_...','._','_...','_...','._','_...','._','._','_...','._','._','._','_...','._','_...','._','._','_...','_...','._','._','_...','._','._','._','._','_...','_...','._','_...','_...','._','._','._','_...','_...','_...','._','._','_...','._','_...','._','_...','_...','._','._','._','._','._','._','._','._','._','._','_...','._','._','._','_...','_...','._','_...','._','._','._','_...','._','._','_...','._','_...','_...','._','._','_...','._','_...','._','._','_...','_...','._']
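# Translate each Morse-style symbol to its letter and print everything on one line.
for sym in msg:
    if sym == '':
        print()  # an empty symbol would mark a line break
    else:
        print(CODE[sym], end="")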

Running the script gives:

AABBBBAABBAAAABBABBBABBBBBBAABABAAABAAAABABBABABABBABAABAAABABAABBAABAAAABBABBAAABBBAABABABBAAAAAAAAAABAAABBABAAABAABABBAABABAABBA

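5 From this result I guessed a polyalphabetic substitution cipher, and wrote the following script to split the ciphertext by alphabet: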

#filename: group.py
#version:Python 3.4

group = "AABBBBAABBAAAABBABBBABBBBBBAABABAAABAAAABABBABABABBABAABAAABABAABBAABAAAABBABBAAABBBAABABABBAAAAAAAAAABAAABBABAAABAABABBAABABAABBA"
msg = "OFWNNSVIOQBSQGTCTRWNMJGPWWAWRBZXMTGUBYRLHAOTLQYWLIRLGRNOYXFWBZOBQITTUWQOOBOLDBJDAYCLOTREDWAVWXLOITWQCJBCGOQBLUGXXXTEMEQIAWJBCJYRGYIGWVRLKBBIQSCGVZTRLZCXTGYFLQAOLCRGMASOFZZTXTZOQEWLFTTUCFOPYEXYTMYJDCWZGCELCCRTXBBGGOILXQZJZOOQIFOGRZISTZXZBSWAFANQBAOBYXTGRGBJGJDNGEFLOAYCZLARTXXBWYOFECERCZOBVAXGRKOLZIBLXXBRQGLCZYCXFSIDNJCTBXDAFRNMDICZBBQGYCLECKOZGCTNOGJ"

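# Ciphertext letters at positions marked 'A'; the mask repeats with period len(group) (130 in the original script).
p = 0
while p < len(msg):
    if group[p % len(group)] == 'A':
        print(msg[p], end="")
    p = p + 1

print("")

# Ciphertext letters at positions marked 'B'.
p = 0
while p < len(msg):
    if group[p % len(group)] == 'B':
        print(msg[p], end="")
    p = p + 1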

This yields two monoalphabetic-substitution ciphertexts:

A:OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG

B:WNNSOQTCRWNJGPWWABXUHOTQWIRGOWZQIUBODBYCLRDAVBQBUXMQIJCRGWVRLBIVZRLZXTGYFLOCAZXTOELFTFEYYJWLCRTGGOXZZOTBSAQOYXRBJDFLOAZLXBYOFCERCZOAGLXBRGCYCFDTXFRDBQYCKOZTOJ

6 Letter frequency analysis; the counting script is:

#filename: count1.py
#version:Python 3.4

msg = "OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG"
# range(65, 91) covers 'A'..'Z'; an upper bound of 90 would stop at 'Y'.
for i in range(65, 91):
    print(chr(i), msg.count(chr(i)), int(msg.count(chr(i))*1000/len(msg))/1000)

Letter frequencies for group A (the listing has no row for the letter Z):

A 8 0.041
B 14 0.072
C 13 0.067
D 3 0.015
E 7 0.036
F 5 0.025
G 16 0.082
H 0 0.0
I 9 0.046
J 6 0.031
K 2 0.01
L 12 0.062
M 5 0.025
N 6 0.031
O 12 0.062
P 1 0.005
Q 9 0.046
R 7 0.036
S 5 0.025
T 13 0.067
U 1 0.005
V 2 0.01
W 9 0.046
X 11 0.056
Y 7 0.036

Replacing msg with the group B text and running again gives (again no row for the letter Z):

A 6 0.037
B 11 0.069
C 10 0.063
D 5 0.031
E 3 0.018
F 7 0.044
G 8 0.05
H 1 0.006
I 4 0.025
J 5 0.031
K 1 0.006
L 9 0.056
M 1 0.006
N 3 0.018
O 14 0.088
P 1 0.006
Q 7 0.044
R 11 0.069
S 2 0.012
T 9 0.056
U 3 0.018
V 3 0.018
W 8 0.05
X 9 0.056
Y 8 0.05

7 Digram (two-letter) statistics; the script is:

#filename: count2.py
#version:Python 3.4

cnt = [[0 for x in range(26)] for y in range(26)]
msg = "OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG"

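# Count every adjacent letter pair.
p = 0
while p < len(msg) - 1:
    cnt[ord(msg[p]) - 65][ord(msg[p + 1]) - 65] += 1
    p += 1

# Print the pairs seen at least twice; range(65, 91) includes 'Z'.
for i in range(65, 91):
    for j in range(65, 91):
        if cnt[i - 65][j - 65] >= 2:
            print(chr(i), chr(j), end="  ")
            print(cnt[i - 65][j - 65])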

Group A gives the following result (no pair containing Z is listed):

A L  2
A N  2
B T  2
C G  3
D A  2
E C  2
G C  2
G T  2
I B  2
J C  2
L R  2
N G  2
O F  2
O L  2
T E  2
T G  2
T M  2
T W  2
W Q  2
X T  2
Y X  2

Replacing msg with the group B text gives (again no pair containing Z is listed):

B Q  2
B Y  2
C R  3
D B  2
F L  2
G O  2
L O  2
L X  2
O A  2
O T  2
Q I  2
R D  2
R G  3
R L  2
T G  2
T O  2
W N  2
X B  2
X T  2
Y C  3

8 After that I could not get any further with the analysis, haha
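The decoding chain from steps 1 to 5 as one script, with an index-of-coincidence check for each split group; this is an added example, not code from the original post. The function names and the short sample (mask AAB, ciphertext ABCDEFG) are constructed for illustration, and the Base64 peeling is a heuristic that would go one layer too far on a plaintext that is itself valid Base64.

```python
import base64
import binascii
from collections import Counter

SYMBOLS = {"._": "A", "_...": "B"}  # the two Morse-style symbols from the write-up

def peel_base64(text, max_layers=10):
    """Strip nested Base64 layers; return (layers_removed, innermost_text)."""
    layers = 0
    while layers < max_layers:
        try:
            inner = base64.b64decode(text.strip(), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break  # not Base64, or not text underneath: stop here
        if not inner or not inner.isprintable():
            break
        text, layers = inner, layers + 1
    return layers, text

def morse_to_mask(morse):
    """Map space-separated symbols to the A/B mask; unknown symbols raise KeyError."""
    return "".join(SYMBOLS[s] for s in morse.split())

def split_by_mask(ciphertext, mask):
    """Group ciphertext letters by the mask letter at position i mod len(mask)."""
    groups = {}
    for i, ch in enumerate(ciphertext):
        groups.setdefault(mask[i % len(mask)], []).append(ch)
    return {k: "".join(v) for k, v in groups.items()}

def index_of_coincidence(text):
    """About 0.066 for one substitution alphabet over English, about 0.038 for uniform letters."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))

def make_sample(mask, layers=3):
    """Constructed input: wrap a mask the way the challenge key was wrapped."""
    reverse = {v: k for k, v in SYMBOLS.items()}
    data = " ".join(reverse[m] for m in mask)
    for _ in range(layers):
        data = base64.b64encode(data.encode("ascii")).decode("ascii")
    return data

if __name__ == "__main__":
    layers, morse = peel_base64(make_sample("AAB"))
    for name, text in sorted(split_by_mask("ABCDEFG", morse_to_mask(morse)).items()):
        print(layers, name, text, round(index_of_coincidence(text), 3))
```

Feeding the write-up's mask and ciphertext to split_by_mask gives the two groups of step 5, and index_of_coincidence on each group is a quick test of whether the monoalphabetic assumption behind steps 6 and 7 is plausible.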


【Refer】
http://lab.seclover.com
