攻防世界CRYPTO新手区wp

001 base64

下载附件，拿到一串密文

Y3liZXJwZWFjZXtXZWxjb21lX3RvX25ld19Xb3JsZCF9

如题所述，base64，经过base64解码得到

cyberpeace{Welcome_to_new_World!}

得到flag

(涉及知识:base64编码、base64作用)

002 Caesar

下载附件，拿到密文

oknqdbqmoq{kag_tmhq_xqmdzqp_omqemd_qzodkbfuaz}

如题所述，凯撒加密，加密内容是字母，编写破译程序

#include<stdio.h>
#include<string.h>
#include<ctype.h>
char Caesar(char c,int n);
int main(int argc,char *argv[])//接入命令行参数，其中命令行参数1为密文
{int i,x;for(x = -128;x<128;x++){printf("%5d :",x);for(i = 0;i<strlen(argv[1]);i++){putchar(Caesar(argv[1][i],x));}putchar('\n');}return 0;
}
char Caesar(char c,int n)
{if(isalpha(c))return (c - 65 - n) % 26 + 65;elsereturn c;
}

在输出内查找cyberpeace，转化成小写得到flag

cyberpeace{you_have_learned_caesar_encryption}

(涉及知识:凯撒加密)

003 Morse

下载附件，拿到密文，根据提示，应该将其转化为莫尔斯码的格式，但是不知道1、0是不是代表. 、-

11 111 010 000 0 1010 111 100 0 00 000 000 111 00 10 1 0 010 0 000 1 00 10 110

写个程序输出他们的可能的结果

#include<stdio.h>
#include<string.h>
int main(int argc,char *argv[])
{int x;for(x = 0;x < strlen(argv[1]);x++){if(argv[1][x] == '0')putchar('.');else if(argv[1][x] == '1')putchar('-');elseputchar('/');}printf("\nor\n");for(x = 0;x < strlen(argv[1]);x++){if(argv[1][x] == '0')putchar('-');else if(argv[1][x] == '1')putchar('.');elseputchar('/');}return 0;
}

输出结果:

--/---/.-./..././-.-./---/-.././../.../.../---/../-./-/./.-././.../-/../-./--.
or
../.../-.-/---/-/.-.-/.../.--/-/--/---/---/.../--/.-/./-/-.-/-/---/./--/.-/..-

使用在线莫尔斯解密，得到flag

cyberpeace{morsecodeissointeresting}

(涉及知识:莫尔斯电码)

004 幂数加密

下载附件，拿到密文

8842101220480224404014224202480122

以0为间隔，每一单元的各位数字之和对应着26个字母，即:1-26 -> A-Z

编写解密程序

#include<stdio.h>
#include<string.h>
int main(int argc,char *argv[])
{int sum,i;for(i = 0,sum = 0;i < strlen(argv[1]);i++){if(argv[1][i] == '0' || argv[1][i] == EOF){putchar((char)(sum + 'A' - 1));sum = 0;continue;}sum += (argv[1][i] - '0');}return 0;
}

运行得到flag

WELLDON

(涉及知识:云影密码、幂数加密)

005 Railfence

下载附件，拿到密文

ccehgyaefnpeoobe{lcirg}epriec_ora_g

题目翻译过来时栅栏加密，所以写了一个解密程序

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
void De_Railfence(const char * str,int psd);
int main(int argc,char *argv[])
{int i;for(i = 1;i < strlen(argv[1]);i++){printf("%2d: ",i);De_Railfence(argv[1],i);putchar('\n');}return 0;
}
void De_Railfence(const char * str,int psd)
{int i,x,y,sum,a,high,width;sum = strlen(str); //密文总字数a = sum % psd; // 多出的字母width = sum / psd + a; //列数high = psd; //行数char * table = (char *)malloc(sizeof(char) * width * high);//申请一个"x行y列"的一维数组for(i = 0,y = 0;y < high;y++){for(x = 0;x < width - (a > 0 ? 0 : 1);x++){table[y * width + x] = str[i++];}a--;}a = sum % psd;for(x = 0;x < width;x++){for(y = 0;y < high && (x == width - 1 ? (y < a) : 1);y++){putchar(table[y * width + x]);}}free(table);
}

但是经运行后，找不到答案格式的字符串，所以另外查了一下，这是栅栏加密的变种:WWW型

于是再编写程序

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
typedef struct
{int number;char ch;
}ccc;void De_code(const char* str, int key);
int * equip(int sum, int key);
int main(int argc, char* argv[])
{int i;for(i = 2;i < strlen(argv[1]);i++){printf("%2d :",i);De_code(argv[1],i);putchar('\n');}return 0;
}
void De_code(const char* str, int key)
{int x, y, sum, i;sum = strlen(str);int * num = equip(sum,key);//在字符串str中每个字符在WWW顺序中的编号 构成的数组 复制给numccc* dict = (ccc*)malloc(sizeof(ccc) * sum);//建立字典for (i = 0; i < sum; i++)//写入字典{dict[i].number = num[i];dict[i].ch = str[i];}for (x = 0; x < sum - 1; x++)//字典排序{for (y = x + 1; y < sum; y++){if (dict[x].number > dict[y].number){ccc temp = dict[x];dict[x] = dict[y];dict[y] = temp;}}}for (i = 0; i < sum; i++){putchar(dict[i].ch);}free(num);free(dict);
}
int * equip(int sum, int key)
{int i,direction;unsigned int width, high, x, y;high = key;width = sum;int * num = (int *)malloc(sizeof(int) * sum);int * table = (int*)malloc(sizeof(int) * high * width);//WWW画板for (i = 0; i < high * width; i++)//将画板全部清空为-1{table[i] = -1;}x = y = 0;direction = 1;while (x < sum)//开始绘画WWWW{table[y * width + x] = x;x++;y += direction;if (y % (key - 1) == 0)direction *= (-1);}for (y = 0, i = 0; y < high; y++)//将WWW的"像素点"一样一行地检测并放在num中{for (x = 0; x < width; x++){if (table[y * width + x] != -1){num[i++] = table[y * width + x];}}}free(table);return num;
}

运行得到flag，其密钥为5

cyberpeace{railfence_cipher_gogogo}

(涉及知识:栅栏加密及其变种WWW型)

006 不仅仅是Morse

下载附件，拿到密文

--/.-/-.--/..--.-/-..././..--.-/..../.-/...-/./..--.-/.-/-./---/-/...././.-./..--.-/-.././-.-./---/-.././..../..../..../..../.-/.-/.-/.-/.-/-.../.-/.-/-.../-.../-.../.-/.-/-.../-.../.-/.-/.-/.-/.-/.-/.-/.-/-.../.-/.-/-.../.-/-.../.-/.-/.-/.-/.-/.-/.-/-.../-.../.-/-.../.-/.-/.-/-.../-.../.-/.-/.-/-.../-.../.-/.-/-.../.-/.-/.-/.-/-.../.-/-.../.-/.-/-.../.-/.-/.-/-.../-.../.-/-.../.-/.-/.-/-.../.-/.-/.-/-.../.-/.-/-.../.-/-.../-.../.-/.-/-.../-.../-.../.-/-.../.-/.-/.-/-.../.-/-.../.-/-.../-.../.-/.-/.-/-.../-.../.-/-.../.-/.-/.-/-.../.-/.-/-.../.-/.-/-.../.-/.-/.-/.-/-.../-.../.-/-.../-.../.-/.-/-.../-.../.-/.-/-.../.-/.-/-.../.-/.-/.-/-.../.-/.-/-.../.-/.-/-.../.-/.-/-.../.-/-.../.-/.-/-.../-.../.-/-.../.-/.-/.-/.-/-.../-.../.-/-.../.-/.-/-.../-.../.-

经过在线翻译得到

MAY_BE_HAVE_ANOTHER_DECODEHHHH
AAAAABAABBBAABBAAAAAAAABAABABAAAAAAABBABAAABBAAABBAABAAAABABAABAAABBABAAABAAABAABABBAABBBABAAABABABBAAABBABAAABAABAABAAAABBABBAABBAABAABAAABAABAABAABABAABBABAAAABBABAABBA

应该是培根密码

根据二进制的值0->25对应a->z,二进制每5位一组

编写解密程序

#include<stdio.h>
#include<string.h>
int charbin_dec(char * num,int many);
int stage(int x,int y);
int main(void)
{char ch[] = "AAAAABAABBBAABBAAAAAAAABAABABAAAAAAABBABAAABBAAABBAABAAAABABAABAAABBABAAABAAABAABABBAABBBABAAABABABBAAABBABAAABAABAABAAAABBABBAABBAABAABAAABAABAABAABABAABBABAAAABBABAABBA";int i;while(ch[i] != '\0'){if(ch[i] == 'A')ch[i] = '0';elsech[i] = '1';i++;}for(i = 0;i < strlen(ch);i++){if(i %5 == 0)putchar(charbin_dec(ch + i,5) + 'A');}return 0;
}
int charbin_dec(char * num,int many)
{int sum = 0,i;for(i = 0;i < many;i++){sum += ((num[i] - '0') * stage(2,many - i - 1));}return sum;
}
int stage(int x,int y)
{int sum = 1;while(y >= 1){sum *= x;y--;}return sum;
}

编译运行，将输出转为小写，得到flag

cyberpeace{attackanddefenceworldisinteresting}

(涉及知识:培根密码)

007 混合编码

下载附件，拿到密文

JiM3NjsmIzEyMjsmIzY5OyYjMTIwOyYjNzk7JiM4MzsmIzU2OyYjMTIwOyYjNzc7JiM2ODsmIzY5OyYjMTE4OyYjNzc7JiM4NDsmIzY1OyYjNTI7JiM3NjsmIzEyMjsmIzEwNzsmIzUzOyYjNzY7JiMxMjI7JiM2OTsmIzEyMDsmIzc3OyYjODM7JiM1NjsmIzEyMDsmIzc3OyYjNjg7JiMxMDc7JiMxMTg7JiM3NzsmIzg0OyYjNjU7JiMxMjA7JiM3NjsmIzEyMjsmIzY5OyYjMTIwOyYjNzg7JiMxMDU7JiM1NjsmIzEyMDsmIzc3OyYjODQ7JiM2OTsmIzExODsmIzc5OyYjODQ7JiM5OTsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzUwOyYjNzY7JiMxMjI7JiM2OTsmIzEyMDsmIzc4OyYjMTA1OyYjNTY7JiM1MzsmIzc4OyYjMTIxOyYjNTY7JiM1MzsmIzc5OyYjODM7JiM1NjsmIzEyMDsmIzc3OyYjNjg7JiM5OTsmIzExODsmIzc5OyYjODQ7JiM5OTsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzExOTsmIzc2OyYjMTIyOyYjNjk7JiMxMTk7JiM3NzsmIzY3OyYjNTY7JiMxMjA7JiM3NzsmIzY4OyYjNjU7JiMxMTg7JiM3NzsmIzg0OyYjNjU7JiMxMjA7JiM3NjsmIzEyMjsmIzY5OyYjMTE5OyYjNzc7JiMxMDU7JiM1NjsmIzEyMDsmIzc3OyYjNjg7JiM2OTsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzExOTsmIzc2OyYjMTIyOyYjMTA3OyYjNTM7JiM3NjsmIzEyMjsmIzY5OyYjMTE5OyYjNzc7JiM4MzsmIzU2OyYjMTIwOyYjNzc7JiM4NDsmIzEwNzsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzEyMDsmIzc2OyYjMTIyOyYjNjk7JiMxMjA7JiM3ODsmIzY3OyYjNTY7JiMxMjA7JiM3NzsmIzY4OyYjMTAzOyYjMTE4OyYjNzc7JiM4NDsmIzY1OyYjMTE5Ow==

根据密文特征，是经过了base64编码，解码得到

LzExOS8xMDEvMTA4Lzk5LzExMS8xMDkvMTAxLzExNi8xMTEvOTcvMTE2LzExNi85Ny85OS8xMDcvOTcvMTEwLzEwMC8xMDAvMTAxLzEwMi8xMDEvMTEwLzk5LzEwMS8xMTkvMTExLzExNC8xMDgvMTAw

根据数字特征，将每个单元用其数字的对应ASCII字符表示出来，即

LzExOS8xMDEvMTA4Lzk5LzExMS8xMDkvMTAxLzExNi8xMTEvOTcvMTE2LzExNi85Ny85OS8xMDcvOTcv
MTEwLzEwMC8xMDAvMTAxLzEwMi8xMDEvMTEwLzk5LzEwMS8xMTkvMTExLzExNC8xMDgvMTAw

又是一段base64编码，解码得到

/119/101/108/99/111/109/101/116/111/97/116/116/97/99/107/97/110/100/100/101/102/101/110/99/101/119/111/114/108/100

又是一段ASCII码数值表示的字符串，经转化为字符串得

welcometoattackanddefenceworld

得到flag

cyberpeace{welcometoattackanddefenceworld}

(涉及知识:SACII码、base64编码)

008 easy_RSA

下载附件，拿到线索，如题所述为RSA非对称密钥

在一次RSA密钥对生成中，假设p=473398607161，q=4511491，e=17
求解出d

使用RAS-Tool计算出D

得出flag

cyberpeace{125631357777427553}

(涉及知识:RAS非对称密钥)

009 easychallenge

下载附件，是一个.pyc文件，是python的运行时的临时文件，可进行反编译，经在线工具反编译后得到代码

#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
import base64def encode1(ans):s = ''for i in ans:x = ord(i) ^ 36x = x + 25s += chr(x)return sdef encode2(ans):s = ''for i in ans:x = ord(i) + 36x = x ^ 36s += chr(x)return sdef encode3(ans):return base64.b32encode(ans)flag = ' '
print 'Please Input your flag:'
flag = raw_input()
final = 'UC7KOWVXWVNKNIC2XCXKHKK2W5NLBKNOUOSK3LNNVWW3E==='
if encode3(encode2(encode1(flag))) == final:print 'correct'
else:print 'wrong'

将密文以base32解码得到

{0xA0,0xBE,0xA7,0x5A,0xB7,0xB5,0x5A,0xA6,0xA0,0x5A,0xB8,0xAE,0xA3,0xA9,0x5A,0xB7,0x5A,0xB0,0xA9,0xAE,0xA3,0xA4,0xAD,0xAD,0xAD,0xAD,0xAD,0xB2}

再编写程序

#include<stdio.h>
int decode1(int ans);
int decode2(int ans);
int main(void)
{int flag[28] = {0xA0,0xBE,0xA7,0x5A,0xB7,0xB5,0x5A,0xA6,0xA0,0x5A,0xB8,0xAE,0xA3,0xA9,0x5A,0xB7,0x5A,0xB0,0xA9,0xAE,0xA3,0xA4,0xAD,0xAD,0xAD,0xAD,0xAD,0xB2};int i;for(i = 0;i < 28;i++){int c = (decode1(decode2(flag[i])));putchar(c);}return 0;
}
int decode1(int ans)
{ans -= 25;ans ^= 36;return ans;
}
int decode2(int ans)
{ans ^= 36;ans -= 36;return ans;
}

运行得到flag

cyberpeace{interestinghhhhh}

(涉及知识:.pyc文件、base32)

010 转轮机加密

下载附件，拿到密文

1:  < ZWAXJGDLUBVIQHKYPNTCRMOSFE <
2:  < KPBELNACZDTRXMJQOYHGVSFUWI <
3:  < BDMAIZVRNSJUWFHTEQGYXPLOCK <
4:  < RPLNDVHGFCUKTEBSXQYIZMJWAO <
5:  < IHFRLABEUOTSGJVDKCPMNZQWXY <
6:  < AMKGHIWPNYCJBFZDRUSLOQXVET <
7:  < GWTHSPYBXIZULVKMRAFDCEONJQ <
8:  < NOZUTWDCVRJLXKISEFAPMYGHBQ <
9:  < XPLTDSRFHENYVUBMCQWAOIKZGJ <
10: < UDNAJFBOWTGVRSCZQKELMXYIHP <
11： < MNBVCXZQWERTPOIUYALSKDJFHG <
12： < LVNCMXZPQOWEIURYTASBKJDFHG <
13： < JZQAWSXCDERFVBGTYHNUMKILOP <密钥为：2,3,7,5,13,12,9,1,8,10,4,11,6
密文为：NFQKSEVOQOFNP

编写解密程序

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
void spin(char * base,int n,int ch);
int main(void)
{char ans[13][27] = {"ZWAXJGDLUBVIQHKYPNTCRMOSFE","KPBELNACZDTRXMJQOYHGVSFUWI","BDMAIZVRNSJUWFHTEQGYXPLOCK","RPLNDVHGFCUKTEBSXQYIZMJWAO","IHFRLABEUOTSGJVDKCPMNZQWXY","AMKGHIWPNYCJBFZDRUSLOQXVET","GWTHSPYBXIZULVKMRAFDCEONJQ","NOZUTWDCVRJLXKISEFAPMYGHBQ","XPLTDSRFHENYVUBMCQWAOIKZGJ","UDNAJFBOWTGVRSCZQKELMXYIHP","MNBVCXZQWERTPOIUYALSKDJFHG","LVNCMXZPQOWEIURYTASBKJDFHG","JZQAWSXCDERFVBGTYHNUMKILOP"};char er[14] = "NFQKSEVOQOFNP";int linenum[13] = {2,3,7,5,13,12,9,1,8,10,4,11,6};int i,x,y;for(i = 0;i < 13;i++){spin(ans[linenum[i] - 1],26,er[i]);}for(x = 0;x < 26;x++){for(y = 0;y < 13;y++){putchar(ans[linenum[y] - 1][x]);}putchar('\n');}return 0;
}
void spin(char * base,int n,int ch)
{/*此函数用于字符串旋转，将base[n]旋转到以ch开头*/int feet = 0;char * temp = NULL;while(base[feet] != ch && feet < n)feet++; //用于进算从开始到目标字符 转了多少个字符temp = (char *)malloc(sizeof(char) * n);strncpy(temp,base + feet,(n - feet));strncpy(temp + (n - feet),base,feet);strncpy(base,temp,n);free(temp);
}

最终在结果中找到有意义的字符串，即flag

FIREINTHEHOLE

(涉及知识:转轮机加密)

011 Normal_RSA

下载附件，得到一个flag.enc和一个pubkey.pem

使用OpenSSL打开pubkey.pem

我们找到两个大素数的乘积M为:

C2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD

将其转化为十进制为:

87924348264132406875276140514499937145050893665602592992418171647042491658461

经

得到两个大质数:

275127860351348928173285174381581152299

319576316814478949870590164193048041239

使用rsatool.py生成私钥文件

python rsatool.py -f PEM -o private.pem -p 275127860351348928173285174381581152299 -q 319576316814478949870590164193048041239 -e 65537

将pubkey.pem、flag.enc、private.pem放在同一个文件夹下，进行解密

rsautl -decrypt -in flag.enc -inkey private.pem -out flag.txt

打开flag.txt得到flag

PCTF{256b_i5_m3dium}

(涉及知识:OpenSSL、各种麻烦的python依赖包的安装)

012 easy_ECC

下载附件，得到信息

已知椭圆曲线加密Ep(a,b)参数为p = 15424654874903a = 16546484b = 4548674875G(6478678675,5636379357093)私钥为k = 546768求公钥K(x,y)

使用ECC工具进行解题

将Rx+Ry作为flag

cyberpeace{19477226185390}

(涉及知识:ECC、离散对数)