[CTF] 2015 Huashan Cup Network Security Competition - Cipher Algorithm Analysis


Cryptography & Algorithms: Cipher Algorithm Analysis
10 teams have solved this challenge
Word is that scanners are completely useless here ^_^

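Challenge description
1 A classic-cipher gift pack
2 A plaintext with a typical distribution was encrypted, giving the following ciphertext: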

OFWNNSVIOQBSQGTCTRWNMJGPWWAWRBZXMTGUBYRLHAOTLQYWLIRLGRNOYXFWBZOBQITTUWQOOBOLDBJDAYCLOTREDWAVWXLOITWQCJBCGOQBLUGXXXTEMEQIAWJBCJYRGYIGWVRLKBBIQSCGVZTRLZCXTGYFLQAOLCRGMASOFZZTXTZOQEWLFTTUCFOPYEXYTMYJDCWZGCELCCRTXBBGGOILXQZJZOOQIFOGRZISTZXZBSWAFANQBAOBYXTGRGBJGJDNGEFLOAYCZLARTXXBWYOFECERCZOBVAXGRKOLZIBLXXBRQGLCZYCXFSIDNJCTBXDAFRNMDICZBBQGYCLECKOZGCTNOGJ

The key is as follows:

VEd3NFoweHNPR2RZZVRSMVRHbENaa3hwTkhWSlJqaDFUR2swWjFoNU5IVk1hVUYxV0hsQmRWaDVRbVpNYVRSMVNVWTRkVXhwTkdkTWJEaG5UR3c0WjB4c09HZE1iRGhuV0hrMGRVeHBRbVpNYVRSMVNVTTFaa2xHT0hWTWFUUm5XSGswZFV4cFFtWk1hVFIxU1VNMVprbEdPSFZNYVRSbldIazBkVXhwUW1aTWFUUjFTVVk0ZFV4cE5HZFllVFIxVEdsQ1preHBOSFZKUXpWbVNVTTFaa2xHT0hWTWFUUm5UR3c0WjFoNU5IVk1hVUYxV0hsQmRWaDVRWFZZZVVKbVRHazBkVWxETldaSlF6Vm1TVU0xWmtsRE5XWkpSamgxVEdrMFoweHNPR2RZZVRSMVRHbENaa3hwTkhWSlF6Vm1TVVk0ZFV4cE5HZE1iRGhuV0hrMGRVeHBRWFZZZVVKbVRHazBkVWxHT0hWTWFUUm5UR3c0WjFoNU5IVk1hVUYxV0hsQmRWaDVRbVpNYVRSMVNVTTFaa2xETldaSlF6Vm1TVVk0ZFV4cE5HZE1iRGhuV0hrMGRVeHBRWFZZZVVGMVdIbENaa3hwTkhWSlJqaDFUR2swWjB4c09HZE1iRGhuV0hrMGRVeHBRWFZZZVVGMVdIbEJkVmg1UVhWWWVVSm1UR2swZFVsR09IVk1hVFJuVEd3NFoxaDVOSFZNYVVKbVRHazBkVWxETldaSlF6Vm1TVU0xWmtsR09IVk1hVFJuV0hrMGRVeHBRbVpNYVRSMVNVTTFaa2xETldaSlJqaDFUR2swWjB4c09HZFllVFIxVEdsQmRWaDVRbVpNYVRSMVNVWTRkVXhwTkdkTWJEaG5UR3c0WjB4c09HZE1iRGhuVEd3NFoweHNPR2RNYkRoblRHdzRaMHhzT0dkTWJEaG5XSGswZFV4cFFYVlllVUYxV0hsQmRWaDVRbVpNYVRSMVNVWTRkVXhwTkdkTWJEaG5XSGswZFV4cFFYVlllVUYxV0hsQmRWaDVRbVpNYVRSMVNVTTFaa2xETldaSlJqaDFUR2swWjB4c09HZFllVFIxVEdsQ1preHBOSFZKUXpWbVNVTTFaa2xHT0hWTWFUUm5UR3c0WjFoNU5IVk1hVUYxV0hsQmRWaDVRbVpNYVRSMVNVWTRkVXhwTkdkTWJEZzk=

3 The FLAG, after encryption, is now:

LCHIKCDDQOYXEGGQ

The key is as follows:

VEd3NFoweHNPR2RZZVRSMVRHbEJkVmg1UW1aTWFUUjFTVU0xWmtsR09IVk1hVFJuV0hrMGRVeHBRbVpNYVRSMVNVWTRkVXhwTkdkWWVUUjFUR2xCZFZoNVFtWk1hVFIxU1VNMVprbEROV1pKUXpWbVNVWTRkVXhwTkdkTWJEaG5XSGswZFV4cFFYVlllVUptVEdrMGRVbEdPSFZNYVRSblRHdzRaMHhzT0dkWWVUUjFUR2xCZFZoNVFYVlllVUptVEdrMGRVbEROV1pKUXpWbVNVTTFaa2xETldaSlF6Vm1TVU0xWmtsR09IVk1hVFJuV0hrMGRVeHBRWFZZZVVKbVRHazBkVWxHT0hWTWFUUm5UR3c0WjB4c09HZFllVFIxVEdsQ1preHBOSFZKUmpoMVRHazBaMHhzT0dkWWVUUjFUR2xCZFZoNVFYVlllVUptVEdrMGRVbEROV1pKUmpoMVRHazBaMHhzT0dkTWJEaG5XSGswZFV4cFFtWk1hVFIxU1VZNGRVeHBOR2RNYkRobldIazBkVXhwUVhWWWVVSm1UR2swZFVsRE5XWkpSamgxVEdrMFoxaDVOSFZNYVVGMVdIbEJkVmg1UVhWWWVVRjFXSGxDWmt4cE5IVkpSamgxVEdrMFoweHNPR2RNYkRoblRHdzRaMHhzT0dkWWVUUjFUR2xDWmt4cE5IVkpRelZtU1VNMVprbEdPSFZNYVRSbldIazBkVXhwUW1aTWFUUjFTVU0xWmtsR09IVk1hVFJuVEd3NFoweHNPR2RNYkRoblRHdzRaMHhzT0dkTWJEaG5XSGswZFV4cFFYVlllVUptVEdrMGRVbEROV1pKUXpWbVNVTTFaa2xETldaSlF6Vm1TVVk0ZFV4cE5HZE1iRGhuVEd3NFoxaDVOSFZNYVVGMVdIbENaa3hwTkhWSlJqaDFUR2swWjB4c09HZFllVFIxVEdsQ1preHBOSFZKUmpoMVRHazBaMHhzT0dkTWJEaG5UR3c0WjB4c09HZFllVFIxVEdsQmRWaDVRbVpNYVRSMVNVWTRkVXhwTkdkWWVUUjFUR2xCZFZoNVFtWk1hVFIxU1VZNGRVeHBOR2RZZVRSMVRHbENaa3hwTkhWSlF6Vm1TVU0xWmtsRE5XWkpSamgxVEdrMFoweHNPR2RNYkRoblRHdzRaMHhzT0dkTWJEaG5RMmM5UFE9PQ==

4 Submit the plaintext FLAG


Solution approach
1 From the look of the key, I guessed it was Base64-encoded; decoding it online gives:

TGw4Z0xsOGdYeTR1TGlCZkxpNHVJRjh1TGk0Z1h5NHVMaUF1WHlBdVh5QmZMaTR1SUY4dUxpNGdMbDhnTGw4Z0xsOGdMbDhnWHk0dUxpQmZMaTR1SUM1ZklGOHVMaTRnWHk0dUxpQmZMaTR1SUM1ZklGOHVMaTRnWHk0dUxpQmZMaTR1SUY4dUxpNGdYeTR1TGlCZkxpNHVJQzVmSUM1ZklGOHVMaTRnTGw4Z1h5NHVMaUF1WHlBdVh5QXVYeUJmTGk0dUlDNWZJQzVmSUM1ZklDNWZJRjh1TGk0Z0xsOGdYeTR1TGlCZkxpNHVJQzVmSUY4dUxpNGdMbDhnWHk0dUxpQXVYeUJmTGk0dUlGOHVMaTRnTGw4Z1h5NHVMaUF1WHlBdVh5QmZMaTR1SUM1ZklDNWZJQzVmSUY4dUxpNGdMbDhnWHk0dUxpQXVYeUF1WHlCZkxpNHVJRjh1TGk0Z0xsOGdMbDhnWHk0dUxpQXVYeUF1WHlBdVh5QXVYeUJmTGk0dUlGOHVMaTRnTGw4Z1h5NHVMaUJmTGk0dUlDNWZJQzVmSUM1ZklGOHVMaTRnWHk0dUxpQmZMaTR1SUM1ZklDNWZJRjh1TGk0Z0xsOGdYeTR1TGlBdVh5QmZMaTR1SUY4dUxpNGdMbDhnTGw4Z0xsOGdMbDhnTGw4Z0xsOGdMbDhnTGw4Z0xsOGdMbDhnWHk0dUxpQXVYeUF1WHlBdVh5QmZMaTR1SUY4dUxpNGdMbDhnWHk0dUxpQXVYeUF1WHlBdVh5QmZMaTR1SUM1ZklDNWZJRjh1TGk0Z0xsOGdYeTR1TGlCZkxpNHVJQzVmSUM1ZklGOHVMaTRnTGw4Z1h5NHVMaUF1WHlBdVh5QmZMaTR1SUY4dUxpNGdMbDg9

2 Looking at the result, I was stuck without ideas for a long time; on a whim I Base64-decoded it again, which gives:

Ll8gLl8gXy4uLiBfLi4uIF8uLi4gXy4uLiAuXyAuXyBfLi4uIF8uLi4gLl8gLl8gLl8gLl8gXy4uLiBfLi4uIC5fIF8uLi4gXy4uLiBfLi4uIC5fIF8uLi4gXy4uLiBfLi4uIF8uLi4gXy4uLiBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyAuXyAuXyBfLi4uIC5fIC5fIC5fIC5fIF8uLi4gLl8gXy4uLiBfLi4uIC5fIF8uLi4gLl8gXy4uLiAuXyBfLi4uIF8uLi4gLl8gXy4uLiAuXyAuXyBfLi4uIC5fIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyAuXyBfLi4uIF8uLi4gLl8gLl8gXy4uLiAuXyAuXyAuXyAuXyBfLi4uIF8uLi4gLl8gXy4uLiBfLi4uIC5fIC5fIC5fIF8uLi4gXy4uLiBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyBfLi4uIF8uLi4gLl8gLl8gLl8gLl8gLl8gLl8gLl8gLl8gLl8gLl8gXy4uLiAuXyAuXyAuXyBfLi4uIF8uLi4gLl8gXy4uLiAuXyAuXyAuXyBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiBfLi4uIC5fIC5fIF8uLi4gLl8gXy4uLiAuXyAuXyBfLi4uIF8uLi4gLl8=

3 The result repeats heavily in units of 4 characters, so I guessed it was still Base64; decoding gives:

._ ._ _... _... _... _... ._ ._ _... _... ._ ._ ._ ._ _... _... ._ _... _... _... ._ _... _... _... _... _... _... ._ ._ _... ._ _... ._ ._ ._ _... ._ ._ ._ ._ _... ._ _... _... ._ _... ._ _... ._ _... _... ._ _... ._ ._ _... ._ ._ ._ _... ._ _... ._ ._ _... _... ._ ._ _... ._ ._ ._ ._ _... _... ._ _... _... ._ ._ ._ _... _... _... ._ ._ _... ._ _... ._ _... _... ._ ._ ._ ._ ._ ._ ._ ._ ._ ._ _... ._ ._ ._ _... _... ._ _... ._ ._ ._ _... ._ ._ _... ._ _... _... ._ ._ _... ._ _... ._ ._ _... _... ._

4 The result is easily recognised as Morse code; a Python script does the conversion:

#filename: morse.py
#version:Python 3.4

CODE = {'._':'A','_...':'B'}

msg = ['._','._','_...','_...','_...','_...','._','._','_...','_...','._','._','._','._','_...','_...','._','_...','_...','_...','._','_...','_...','_...','_...','_...','_...','._','._','_...','._','_...','._','._','._','_...','._','._','._','._','_...','._','_...','_...','._','_...','._','_...','._','_...','_...','._','_...','._','._','_...','._','._','._','_...','._','_...','._','._','_...','_...','._','._','_...','._','._','._','._','_...','_...','._','_...','_...','._','._','._','_...','_...','_...','._','._','_...','._','_...','._','_...','_...','._','._','._','._','._','._','._','._','._','._','_...','._','._','._','_...','_...','._','_...','._','._','._','_...','._','._','_...','._','_...','_...','._','._','_...','._','_...','._','._','_...','_...','._']
# map each Morse token to its letter; an empty token starts a new line
for symbol in msg:
    if symbol == '':
        print()
    else:
        print(CODE[symbol], end="")

Running the script gives:

AABBBBAABBAAAABBABBBABBBBBBAABABAAABAAAABABBABABABBABAABAAABABAABBAABAAAABBABBAAABBBAABABABBAAAAAAAAAABAAABBABAAABAABABBAABABAABBA

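5 From this result I guessed a polyalphabetic substitution cipher, and wrote the following script to split the ciphertext by alphabet: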

#filename: group.py
#version:Python 3.4

group = "AABBBBAABBAAAABBABBBABBBBBBAABABAAABAAAABABBABABABBABAABAAABABAABBAABAAAABBABBAAABBBAABABABBAAAAAAAAAABAAABBABAAABAABABBAABABAABBA"
msg = "OFWNNSVIOQBSQGTCTRWNMJGPWWAWRBZXMTGUBYRLHAOTLQYWLIRLGRNOYXFWBZOBQITTUWQOOBOLDBJDAYCLOTREDWAVWXLOITWQCJBCGOQBLUGXXXTEMEQIAWJBCJYRGYIGWVRLKBBIQSCGVZTRLZCXTGYFLQAOLCRGMASOFZZTXTZOQEWLFTTUCFOPYEXYTMYJDCWZGCELCCRTXBBGGOILXQZJZOOQIFOGRZISTZXZBSWAFANQBAOBYXTGRGBJGJDNGEFLOAYCZLARTXXBWYOFECERCZOBVAXGRKOLZIBLXXBRQGLCZYCXFSIDNJCTBXDAFRNMDICZBBQGYCLECKOZGCTNOGJ"

p=0
while p < len(msg):
    if group[p%130] =='A':
        print(msg[p],end="")
    p=p+1

print("")

p=0
while p < len(msg):
    if group[p%130] =='B':
        print(msg[p],end="")
    p=p+1

This yields two groups of monoalphabetic-substitution ciphertext:

A:OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG

B:WNNSOQTCRWNJGPWWABXUHOTQWIRGOWZQIUBODBYCLRDAVBQBUXMQIJCRGWVRLBIVZRLZXTGYFLOCAZXTOELFTFEYYJWLCRTGGOXZZOTBSAQOYXRBJDFLOAZLXBYOFCERCZOAGLXBRGCYCFDTXFRDBQYCKOZTOJ
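Steps 1 to 5 as one pipeline, as an added example that is not part of the original post: it strips nested Base64 until only Morse symbols remain, maps the tokens to the A/B mask, and splits the ciphertext by that mask. The function names, the `wrap` helper and the sample key are assumptions made for illustration; the sample is constructed from only the first ten Morse tokens and the first ten ciphertext letters shown above.

```python
import base64

MORSE_CHARS = set("._ \n")
TOKEN_TO_TABLE = {"._": "A", "_...": "B"}  # same mapping as morse.py

def peel_base64(blob, max_layers=10):
    """Strip nested Base64 until only Morse symbols remain; return (text, layers)."""
    text = blob.strip()
    for layers in range(max_layers + 1):
        if text and set(text) <= MORSE_CHARS:
            return text, layers
        try:
            text = base64.b64decode(text, validate=True).decode("ascii").strip()
        except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
            raise ValueError(f"layer {layers + 1} is not Base64 text") from exc
    raise ValueError(f"no Morse text within {max_layers} layers")

def mask_from_morse(text):
    """Turn the '._' / '_...' tokens into the A/B table-selection mask."""
    return "".join(TOKEN_TO_TABLE[token] for token in text.split())

def split_by_mask(ciphertext, mask):
    """Send each ciphertext letter to group A or B; the mask repeats."""
    groups = {"A": [], "B": []}
    for i, letter in enumerate(ciphertext):
        groups[mask[i % len(mask)]].append(letter)
    return {name: "".join(letters) for name, letters in groups.items()}

def wrap(text, layers):
    """Build a constructed sample key: Base64-encode text `layers` times."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")

# Constructed sample: only the first ten Morse tokens and ciphertext letters.
SAMPLE_KEY = wrap("._ ._ _... _... _... _... ._ ._ _... _...", 3)
SAMPLE_CIPHERTEXT = "OFWNNSVIOQ"

if __name__ == "__main__":
    morse, depth = peel_base64(SAMPLE_KEY)
    mask = mask_from_morse(morse)
    print(depth, mask, split_by_mask(SAMPLE_CIPHERTEXT, mask))
```

The two sample groups are the first letters of the A and B groups listed above.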

6 Letter-frequency analysis, using the following counting script:

#filename: count1.py
#version:Python 3.4

msg = "OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG"
# note: range(65,90) covers A..Y only, so Z (chr(90)) is not counted
for i in range(65,90):
    print(chr(i),msg.count(chr(i)),int(msg.count(chr(i))*1000/len(msg))/1000)

This gives the letter frequencies for group A (Z is not listed):

A 8 0.041
B 14 0.072
C 13 0.067
D 3 0.015
E 7 0.036
F 5 0.025
G 16 0.082
H 0 0.0
I 9 0.046
J 6 0.031
K 2 0.01
L 12 0.062
M 5 0.025
N 6 0.031
O 12 0.062
P 1 0.005
Q 9 0.046
R 7 0.036
S 5 0.025
T 13 0.067
U 1 0.005
V 2 0.01
W 9 0.046
X 11 0.056
Y 7 0.036

Replacing msg and running it again gives group B (Z is not listed):

A 6 0.037
B 11 0.069
C 10 0.063
D 5 0.031
E 3 0.018
F 7 0.044
G 8 0.05
H 1 0.006
I 4 0.025
J 5 0.031
K 1 0.006
L 9 0.056
M 1 0.006
N 3 0.018
O 14 0.088
P 1 0.006
Q 7 0.044
R 11 0.069
S 2 0.012
T 9 0.056
U 3 0.018
V 3 0.018
W 8 0.05
X 9 0.056
Y 8 0.05

7 Bigram (letter-pair) counts, using the following script:

#filename: count2.py
#version:Python 3.4

cnt = [[0 for x in range(26)] for y in range(26)]
msg = "OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG"

p=0
while p < len(msg)-1:
    cnt[ord(msg[p])-65][ord(msg[p+1])-65]+=1
    p+=1

# note: both loops use range(65,90), i.e. A..Y, so pairs containing Z are not reported
for i in range(65,90):
    for j in range(65,90):
        if cnt[i-65][j-65]>=2:
            print(chr(i),chr(j),end="  ")
            print(cnt[i-65][j-65])

Group A gives the following result:

A L  2
A N  2
B T  2
C G  3
D A  2
E C  2
G C  2
G T  2
I B  2
J C  2
L R  2
N G  2
O F  2
O L  2
T E  2
T G  2
T M  2
T W  2
W Q  2
X T  2
Y X  2

Replacing msg gives group B:

B Q  2
B Y  2
C R  3
D B  2
F L  2
G O  2
L O  2
L X  2
O A  2
O T  2
Q I  2
R D  2
R G  3
R L  2
T G  2
T O  2
W N  2
X B  2
X T  2
Y C  3
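The statistics of steps 6 and 7 over the full alphabet A to Z, as an added example that is not part of the original post: it counts letters and bigrams for group A with Z included, and goes one step beyond the post by computing the index of coincidence, a standard check of whether a split group behaves like a single substitution alphabet. The function names are assumptions; `GROUP_A` is the group A string from step 5.

```python
from collections import Counter
from string import ascii_uppercase

# Group A exactly as produced by group.py in step 5 of the post.
GROUP_A = "OFVIBSQGTMWRZMTGBYRLALYLLRNYXFBOBTTWQOOLJDAOTEWWXLOITWQCJCGOLGXXTEEAWBJYYIGKBQSCGTCQALRGMSOFZTZQWTUCOPYXTMDCZGCECXBBILQJOQIFOGRZISZXZWFANBABTGGJGNGEYCARTXWEBVXRKOZIBLXQLZXSINJCBDANMICZBGLECGCNG"

def letter_counts(text):
    """Count every letter A..Z, including letters that never occur."""
    seen = Counter(text)
    return {ch: seen.get(ch, 0) for ch in ascii_uppercase}

def bigram_counts(text, min_count=2):
    """Overlapping adjacent letter pairs seen at least min_count times."""
    pairs = Counter(text[i:i + 2] for i in range(len(text) - 1))
    return {pair: n for pair, n in sorted(pairs.items()) if n >= min_count}

def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal."""
    n = len(text)
    if n < 2:
        raise ValueError("need at least two letters")
    same = sum(c * (c - 1) for c in Counter(text).values())
    return same / (n * (n - 1))

if __name__ == "__main__":
    counts = letter_counts(GROUP_A)
    for ch in ascii_uppercase:
        print(ch, counts[ch], round(counts[ch] / len(GROUP_A), 3))
    for pair, n in bigram_counts(GROUP_A).items():
        print(pair, n)
    print("IC =", round(index_of_coincidence(GROUP_A), 4))
```

For comparison, English text has an index of coincidence near 0.067 and uniformly random letters near 0.038.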

8 After that I couldn't get any further with the analysis, haha


【Refer】
http://lab.seclover.com
