• [m0leCon beginner 2022] 部分

    目录

    Crypto

    unrecognizeable

    Determination is key

    Magic,not crypto 未完成

    SSA

    Transfer's notes 没看懂,给了个网站太长了

    Rev

    m0leadventures 未完成,

    lineary

    ptmsafe 差点

    scramble

    MISC

    fileRecovery

    睡一觉醒来,比赛已经结束了,还以为是48小时赛,结果是12小时的。还是一样,把没完成的也放上来,等WP

    Crypto

    unrecognizeable

    第一个题给了两个雪花的图,一猜就是异或。直接写程序,生成的文件就看着了。

    1. from PIL import Image
    2.  
    3. im1 = Image.open('challenge.png')
    4. im2 = Image.open('whoami.png')
    5. im3 = Image.new('RGB',(602, 602))
    6. for i in range(602):
    7.     for j in range(426):
    8.         p1 = im1.getpixel((i,j))
    9.         p2 = im2.getpixel((i,j))
    10.         c = (p1[0]^p2[0], p1[1]^p2[1], p1[2]^p2[2])
    11.         im3.putpixel((i,j), c)
    12.  
    13. im3.save('aaa.png')
    14. #ptm{y0u_r34lly_7r4c3d_m3}

    Determination is key

    一个RSA的题,先看题

    1. # The following imports are from the pycryptodome library
    2. from Crypto.Util.number import isPrime, bytes_to_long
    3. from functools import reduce
    4. import random
    5. import os
    6.  
    7.  
    8. flag = os.getenv('FLAG', 'ptm{fake_flag}')
    9.  
    10. #p-1光滑
    11. def getPrime() -> int:
    12.     # Magic function to get 256 bits or more prime
    13.     while True:
    14.         p = random.randint(2, 2**16)
    15.         ds = [int(d) for d in str(p)]
    16.         r = reduce(lambda x, y: x * y, ds)
    17.  
    18.         if r in [1, 0]:
    19.             continue
    20.  
    21.         while not isPrime(r) or r <= 2**256:
    22.             r = r * 2 - 1
    23.         return r
    24.  
    25.  
    26. if __name__ == '__main__':
    27.     p, q = getPrime(), getPrime()
    28.     N = p * q
    29.     e = 65537
    30.     ciphertext = pow(bytes_to_long(flag.encode()), e, N)
    31.     print('N =', N)
    32.     print('ciphertext =', ciphertext)

    这里自制的getPrime函数是p-1只有小素因子,所以这个p-1光滑。知道这个就直接找个模板把p,q求出来就OK了

    1. N = 19947485316056905993931646775941987256548403731465180084945508247185642344122444186584301925382000751483279209250816790912519050540122026105676356199286065255875041514980612323221784967308146326689205858291964161149849179979371164314385332438988323302642256355694342283417841306799868619347413738695017860092178971579146235735267010603291619706159760367889906915448176629836688823504117353814051485333797705641462699567204450801352179713
    2. c = 3378835538025100066858189605253385186193182606568947285413151320702836498308597573504106146927194477658866999634334567520784696503261127472226506671872322090990356345087228892030181029727782257077045419267662772484081883662849307300946673299443737643159198620964876221768731320724777961634357841823079813297467591107634823086591388724216402913192084061935863891901795120253011313582433207228716480519477417177404112549120051567425697098
    3. e=0x10001
    4.  
    5. from Crypto.Util.number import *
    6. import gmpy2
    7.  
    8. a = 2
    9. n = 2
    10. while True:
    11.     a = pow(a, n, N)
    12.     res = gmpy2.gcd(a-1, N)
    13.     if res != 1 and res != N:
    14.         q = N // res
    15.         print("n=",n)
    16.         print("p=",res)
    17.         print("q=",q)
    18.         break
    19.     n += 1
    20.  
    21. d=gmpy2.invert(e,(res-1)*(q-1))
    22. m=pow(c,d,N)
    23. print(long_to_bytes(m))
    24. '''
    25. n= 2239
    26. p= 1314596710707653149311136764052831401073538306751432047628406121315154001807902076228805514345874281522125602817
    27. q= 15173843927632442919613635524333831862871450087005529435568948684618918269488151162306655015617114426998556243640500992982004723780891204718873910826807240165678759401233834403542378489790050812582318833145503606858757998522994930749525935943822930489425103924160896504876495676935561736709843740413805282052349714715102937089
    28. b'ptm{d37erm1n1s71c_pr1me5_1sn7_4_g00d_id3a}'
    29. '''

    Magic,not crypto 未完成

    这题有4种操作,随机抽取(RSA仅用1次)进行20次加密

    1. # The following imports are from the pycryptodome library
    2. from Crypto.Util.number import bytes_to_long, long_to_bytes, getPrime
    3. import hashlib
    4. import base64
    5. import random
    6. import os
    7.  
    8.  
    9. def RSA(x: bytes) -> bytes:
    10.     e = 65537
    11.     random.seed(bytes_to_long(x[:4]))
    12.     p = getPrime(1024, randfunc=random.randbytes)
    13.     q = getPrime(1024, randfunc=random.randbytes)
    14.     N = p * q
    15.     return long_to_bytes(pow(bytes_to_long(x), e, N))
    16.  
    17.  
    18. def rot13(x: bytes) -> bytes:
    19.     return x.translate(bytes.maketrans(
    20.         bytes([i for i in range(256)]),
    21.         bytes([(i + 13) % 256 for i in range(256)])
    22.     ))
    23.  
    24.  
    25. possible_methods = [
    26.     base64.b64encode,
    27.     lambda x: x[::-1],
    28.     RSA,
    29.     rot13
    30. ]
    31. flag = os.getenv('FLAG', 'ptm{ju57' + 'X' * (64 - 8 - 6) + 'tr1ck}').encode()
    32. assert (
    33.     flag.startswith(b'ptm{ju57')
    34.     and flag.endswith(b'tr1ck}')
    35.     and len(flag) == 64
    36. )
    37.  
    38.  
    39. if __name__ == '__main__':
    40.     print('Hi challenger! I\'ll give you a flag encoded and encrypted with some magic methods that only the best cryptographers know!')
    41.     print('If you want to get the flag, you will have to read the source code and try to invert all my special algorithms. I will give you the list of steps I have used and the result of all of them, good luck!')
    42.     print()
    43.  
    44.     steps = []
    45.     i = 0
    46.  
    47.     while i < 20:
    48.         chosen = random.randint(0, len(possible_methods) - 1)
    49.  
    50.         if chosen == 2 and chosen in steps:
    51.             # We don't want to use RSA twice
    52.             continue
    53.         steps.append(chosen)
    54.         flag = possible_methods[chosen](flag)
    55.         i += 1
    56.     print(steps)
    57.     print(flag.hex())

    问题就在RSA这,它用明文的前4个字节作种子生成pq然后加密,由于已经给出初始值仅一次RSA的话,通过另外3种编码依然能得到前4个字节,只要先正向操作用fake得到前4个字节,然后再逆向操作过一遍就行了 。本来本地运行没问题,但远程不对,错在RSA这块上边,应该是取的pq不对。

    1. from gmpy2 import invert
    2. from Crypto.Util.number import bytes_to_long, long_to_bytes, getPrime
    3. from base64 import b64decode, b64encode 
    4. import random
    5.  
    6.  
    7. step =  [2, 3, 3, 1, 3, 3, 1, 0, 1, 3, 0, 3, 3, 3, 0, 1, 3, 3, 0, 1]
    8. #true
    9. flag = bytes.fromhex('3d3d77664b573263384a5752774a58634b5745674e42476a45714961532b58695036476748433157786c346a7252596353756b68694a3455424748546d4648694c7448684c4e4958784e3254375a59544d5a6d6878745554425347614c4e34594f36346850395554462b6b6a4f43345347716f637a70496b374648584e424964546c49676b425867444b6d6b514f58594b3655634b36346644535863413648694c424a667756325a4679305350524959444b6e634a79566b2f6449546f465869502b47684e746b6b4a4b6d6b4f324859546c55684d64596641796b6b50566f594c566b6367355853414748546c4e5954504649676a5645637a524755714259544d6832674a323159386c3453793933634336556349656f61454b6d6b396859544336346847574761414f485841533454775233654a4f5653447530554e743353437945685142326377355559744e48594757456630396f5a2f743066634a33634b6d306677563057373555526f4e49632b7845666a396b55384e58526f784863536d30674c4a6f53766c5959755634534d64576769745553447149624c783359475333674c4e31553864345352524969544e6e634f784563462b456354316e594c7849674d786b63794e6d6951535959544a466749436e66414732544a2b47694c4e486678393457384632534e426f682b356b634f393462385248584e316e594c35346678746b6a376c595874425963647831664c4e495844326b6b534258694c4a6c6648796b5a384233557842495a6f7049684a75456a794a32544e7848545347586777353354494f6d6930465963447956684d3131664143326975396e54507546667831315778526d6b4e536f634d7846676a39456b2b4e33686f42496353326e664e3930553868595275426f635061476650356f55455348644b5749692b4e586737466d5a47534861784e4963474b4a674a79466a7846336a6e466f59683548674b476e62464f47594f2b48634861476769646f5a42476e6b54426f544c43336679705952464f58522b464963474b7063693948627a523255535a6f59683547674b3247582f355559734e58594c656d684961496a4171596139786e595436576779526e557835306a634249634c75486462643156')
    10. '''
    12. from pwn import *
    14. p = remote('tcp.challs.m0lecon.it', 9839)
    15. context.log_level = 'debug'
    17. p.recvuntil(b'\n\n')
    18. step = eval(p.recvline().strip().decode())
    19. flag = bytes.fromhex(p.recvline().strip().decode())
    20. '''
    21.  
    22. def rsa(c):
    23.     random.seed(bytes_to_long(head[:4]))
    24.     p = getPrime(1024, randfunc=random.randbytes)
    25.     q = getPrime(1024, randfunc=random.randbytes)
    26.     print(p,q)
    27.     n = p*q
    28.     phi = (p-1)*(q-1)
    29.     e = 65537
    30.     d = invert(e, phi)
    31.     return long_to_bytes(pow(bytes_to_long(c),d,n))
    32.  
    33. def rot_13(x: bytes) -> bytes:
    34.     return x.translate(bytes.maketrans(
    35.         bytes([(i + 13) % 256 for i in range(256)]),
    36.         bytes([i for i in range(256)]),
    37.     ))
    38. def rot13(x: bytes) -> bytes:
    39.     return x.translate(bytes.maketrans(
    40.         bytes([i for i in range(256)]),
    41.         bytes([(i + 13) % 256 for i in range(256)])
    42.     ))
    43.  
    44. head = ('ptm{ju57' + 'X' * (64 - 8 - 6) + 'tr1ck}').encode()
    45.  
    46. possible_methods = [
    47.     b64encode,
    48.     lambda x: x[::-1],
    49.     rsa,
    50.     rot13
    51. ]
    52.  
    53. for i in step:
    54.     if i == 2:
    55.         print(head[:4])
    56.         break 
    57.     head = possible_methods[i](head)
    58.  
    59. possible_methods2 = [
    60.     b64decode,
    61.     lambda x: x[::-1],
    62.     rsa,
    63.     rot_13
    64. ]
    65. for i in step[::-1]:
    66.     flag = possible_methods2[i](flag)
    67.     #print(i, flag)
    68.  
    69. print(flag)
    70.

    数据是从无端得到的,但解密不成功。 

    SSA

    这是个DLP问题,但是给的数字都非常小

    1. # The following imports are from the pycryptodome library
    2. from Crypto.Util.number import getPrime
    3. from Crypto.Util.Padding import pad
    4. from Crypto.Cipher import AES
    5. from secret import message
    6. import random
    7. import os
    8.  
    9.  
    10. if __name__ == '__main__':
    11.     print('Welcome to the Secret Service Agency, the most secret agency in the world!')
    12.     print('We have found out that there is a mole between our specialized agents. One of our most capable men, Agent Platypus, has found out a communication between him and his accomplice encrypted with a key that they shared using the Diffie Hellman protocol beforehead.')
    13.     print('Can you find out the key used to encrypt the message and decrypt it, knowing that the message has been encrypted with AES-CBC and the key has been derivated with "s.to_bytes(16, \'little\')", where "s" is the shared secret between the two? We hope to find out who the mole and his accomplice are!')
    14.     print('Here it is the communication we have been able to intercept:')
    15.     print()
    16.  
    17.     g = 2
    18.     p = getPrime(64)
    19.     a = random.randint(1, p-1)
    20.     A = pow(g, a, p)
    21.  
    22.     print('Mole:')
    23.     print('g =', g)
    24.     print('p =', p)
    25.     print('A =', A)
    26.     print()
    27.  
    28.     b = random.randint(1, p-1)
    29.  
    30.     print('Accomplice:')
    31.     print('B =', pow(g, b, p))
    32.     print()
    33.  
    34.     key = pow(A, b, p).to_bytes(16, 'little')
    35.     iv = os.urandom(16)
    36.     cipher = AES.new(key, AES.MODE_CBC, iv)
    37.  
    38.     print('Mole:')
    39.     print('IV =', iv.hex())
    40.     print(
    41.         'Message =',
    42.         cipher.encrypt(pad(message.encode(), AES.block_size)).hex()
    43.     )

    这里 B=pow(g, b, p), 然后 key = pow(A, b, p).to_bytes(16, 'little') 作key来进行AES加密,显然是求b

    先在sagemath里把b求出来

    1. g = 2
    2. p = 14929217438252597329
    3. A = 10501271320711541452
    4. b = discrete_log(A,mod(g,p))
    5. #b = 5021798444659061638

    然后再用AES解密

    1. from Crypto.Cipher import AES
    2. import random
    3. import os
    4.  
    5. g = 2
    6. p = 14929217438252597329
    7. A = 10501271320711541452
    8.  
    9. B = 11611457301040733008
    10.  
    11. IV = 'c234aca8e7d86bfa33645b6a0239476e'
    12. Message = 'e8c5922fcf125cbf85ceec29e69f4ec682f398715d4052b0999c13b414c03faecc817cd68c707fec78cd748c7909679719044e7e50c062d674cc50bd49942c59f2e0ed8af615da277d0093a03ee3c748ca37b434225dae0566b24dd6abfe748919ae10faad4f9e28abe11232c7b95f84b641caa8a039fb8cd820e8599a4ebeb90e7b69de41c1cb9846023bb23b32e0c67e9bcaaf4e77faa297c8541c3bcd107c89c2ecf9df144820b99dbf95653fa0118040a712bd9165cac092a6ed16c1605bb0ec65db658af5d50f8333c7aaba2681a74dda167a2d030a1210fb16a05f583d'
    13.  
    14. b = 5021798444659061638
    15. key = pow(A, b, p).to_bytes(16, 'little')
    16. cipher = AES.new(key, AES.MODE_CBC, bytes.fromhex(IV))
    17. m = cipher.decrypt(bytes.fromhex(Message))
    18. #b"Hi, I'm the Agent Gabibbo, the undercover agent in the SSA, I've successfully recovered the code that is used to access the secret files stored on the agency's server, here it is: ptm{us3_pr1m3s_wi7h_en0ugh_b17s}\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"

     

    Transfer's notes 没看懂,给了个网站太长了

    Rev

    m0leadventures 未完成,

    看上去像是打包的python程序,没解开

    lineary

    给了密文和加密方法

    1. __int64 __fastcall sub_401520(__int64 a1, __int64 a2, __int64 a3, __int64 a4, int a5, int a6)
    2. {
    3.   int v6; // ecx
    4.   const char *v7; // rbp
    5.  
    6.   v6 = 112;
    7.   v7 = "tm{REDACTED}";
    8.   do
    9.   {
    10.     ++v7;
    11.     dword_4A70B0 = (dword_4A70B4 + dword_4A70B0 * dword_4A70B8) % dword_4A70BC;
    12.     printf((__int64)"%02x", v6 ^ (unsigned int)(dword_4A70B0 % 256));
    13.     v6 = *(v7 - 1);
    14.   }
    15.   while ( *(v7 - 1) );
    16.   sub_410720(0xAu);
    17.   return 0LL;
    18. }

    这是个流加密,只要得到流再异或就行了

    1. b0 = 0x1AACF60
    2. b4 = 0x4A
    3. b8 = 0x4B
    4. bc = 0x10001 
    5.  
    6. v6 = 112
    7. box = []
    8. for i in range(42):
    9.     b0 = ((b4+b0*b8)&0xffffffff)%bc
    10.     box.append(b0&0xff)
    11.  
    12. c = bytes.fromhex('1022179cd41e2bd156c393830b79ef960a007155f79d368290ad582e7f954deb1c91c03d07705ca964a3')
    13. print(bytes([c[i]^box[i] for i in range(42)]))
    14. #ptm{1_l0ve_l1n34r_c0ngru3nt1al_g3n3r4t0r5}

     

    ptmsafe 差点

    醒来提交的时候已经关闭了,不清楚对不对

    1. __int64 __fastcall checkPassword(_BYTE *a1)
    2. {
    3.   __int64 result; // rax
    4.   int v2; // [rsp+Ch] [rbp-Ch]
    5.   int v3; // [rsp+10h] [rbp-8h]
    6.   int i; // [rsp+14h] [rbp-4h]
    7.  
    8.   v2 = 4;
    9.   while ( 2 )
    10.   {
    11.     if ( v2 > 14 )
    12.       return 0LL;
    13.     switch ( v2 )
    14.     {
    15.       case 4:
    16.         if ( (a1[v2] ^ *a1) == 30 )
    17.           goto LABEL_28;
    18.         result = 1LL;
    19.         break;
    20.       case 5:
    21.         if ( a1[v2] == 48 )
    22.           goto LABEL_28;
    23.         result = 1LL;
    24.         break;
    25.       case 6:
    26.         if ( ((char)a1[v2] ^ (3 * (char)a1[v2 - 2])) == 318 )
    27.           goto LABEL_28;
    28.         result = 1LL;
    29.         break;
    30.       case 7:
    31.         if ( a1[v2] == 95 )
    32.           goto LABEL_28;
    33.         result = 1LL;
    34.         break;
    35.       case 8:
    36.         if ( (a1[v2] ^ a1[v2 + 4]) == 71 )
    37.           goto LABEL_28;
    38.         result = 1LL;
    39.         break;
    40.       case 9:
    41.         if ( (char)a1[v2] * (char)a1[v2] * (char)a1[v2] == 110592 )
    42.           goto LABEL_28;
    43.         result = 1LL;
    44.         break;
    45.       case 10:
    46.         if ( (char)a1[v2 + 1] + (char)a1[v2] == (char)a1[4] + 100 )
    47.           goto LABEL_28;
    48.         result = 1LL;
    49.         break;
    50.       case 11:
    51.         if ( (unsigned int)((char)a1[v2] * (char)a1[v2 - 3] - 13225) <= 4 )
    52.           goto LABEL_28;
    53.         result = 1LL;
    54.         break;
    55.       case 12:
    56.         if ( 4 * (char)a1[v2] == 208 )
    57.           goto LABEL_28;
    58.         result = 1LL;
    59.         break;
    60.       case 13:
    61.         if ( a1[v2] == 102 )
    62.           goto LABEL_28;
    63.         result = 1LL;
    64.         break;
    65.       case 14:
    66.         v3 = 0;
    67.         for ( i = 0; i <= 15; ++i )
    68.           v3 ^= (char)a1[i];
    69.         if ( v3 == 20 )
    70.           goto LABEL_28;
    71.         result = 1LL;
    72.         break;
    73.       default:
    74. LABEL_28:
    75.         ++v2;
    76.         continue;
    77.     }
    78.     return result;
    79.   }
    80. }

    几乎第个字符是多少都给了,只是10,11,14没有,14是最后异或得到的,#10+#11<210,由于没有其它限制,这会生成很多解,我用等于求出一个看上去很正点的,但不清楚对不对.

    1. '''
    2. s[0] == 112
    3. s[1] == 116
    4. s[2] == 109
    5. s[3] == 123
    6. s[15]== 125
    7. s[4]^s[0] == 30^112 110
    8. s[5] == 48
    9. s[6]^(3*s[4]) == 318 116
    10. s[7] == 95
    11. s[8]^s[12] == 71 115
    12. s[9]*s[9]*s[9] == 110592
    13. s[11]+s[10] == s[4]+100
    14. s[11]*s[8] - 13225 <= 4
    15. s[12]*4 == 208 52
    16. s[13] == 102
    17. s[0]^...s[15]==20
    18. '''
    19. for x in range(95,127):
    20.     s = [112,116,109,123,110,48,116,95,115,48,x,210-x,52,102,0,125]
    21.     v3 = 20
    22.     for i in s:
    23.         v3^=i 
    24.     s[14] = v3
    25.     print(bytes(s))
    26.  
    27. #ptm{n0t_s0_s4f3}
    28. '''
    29. b'ptm{n0t_s0_s4f3}'    <--还有很多猜测
    30. b'ptm{n0t_s0s_4f3}'
    31. b'ptm{n0t_s0t^4f5}'
    32. b'ptm{n0t_s0u]4f7}'
    33. b'ptm{n0t_s0v\\4f5}'
    34. b'ptm{n0t_s0w[4f3}'
    35. b'ptm{n0t_s0xZ4f=}'
    36. b'ptm{n0t_s0yY4f?}'
    37. b'ptm{n0t_s0zX4f=}'
    38. b'ptm{n0t_s0{W4f3}'
    39. b'ptm{n0t_s0|V4f5}'
    40. b'ptm{n0t_s0}U4f7}'
    41. b'ptm{n0t_s0~T4f5}'
    42. '''

    scramble

    这个题很新颖.把flag按字母频排序(多到少,相同的按原顺序)然后作一次shift前排头的放到队尾,最后按flag字母对应的这个加密的表输出.远程提供自主加密和输出加密的flag

    1. #from flag import flag
    2. from random import randint
    3.  
    4. flag = 'mtp{abcdeddc}'
    5. assert(len(flag) <= 50)
    6. shift = 1 #randint(1, len(set(flag)) - 1)
    7.  
    8. def encrypt(data):
    9.     charsf = {}
    10.     for c in data:
    11.         if c not in charsf.keys():
    12.             charsf[c] = 1
    13.         else:
    14.             charsf[c] += 1
    15.  
    16.     chars = list(charsf.keys())
    17.     chars.sort(reverse=True, key=lambda e: charsf[e])  #按出现频率排序
    18.     print(chars)
    19.     charsn = list(chars)
    20.     for _ in range(shift):
    21.         i = charsn.pop(0)
    22.         charsn.append(i)
    23.     print(charsn)
    24.     enc = "".join(list(map(lambda c: charsn[chars.index(c)], data)))
    25.     return enc
    26.  
    27. if __name__ == "__main__":
    28.     print("Welcome to our custom encrypting system!")
    29.     print("1) Encrypt something")
    30.     print("2) Get flag")
    31.     print("3) Exit")
    32.  
    33.     opt = input("> ")
    34.     while opt != "3":
    35.         if opt == "1":
    36.             data = input("What is your string?\n")
    37.             print(encrypt(data))
    38.         elif opt == "2":
    39.             print(encrypt(flag))
    40.         opt = input("> ")

    一开始没想到怎么弄,然后想到密文.

    如果不考虑shift的话,那密文的排列顺序是固定的,而加密是通过明文与密文的对应关系,那么输出的顺序就是明文对应位置的字符,通过第一个字符(flag的头几个字母是基本格式,这样就能弄到shift)

    先用密文按字母频得到对应表,再按ptm{这个头得到shift后的表

    1. '''
    2. > 1
    3. What is your string?
    4. asdfghjklzxcvbnmqwertyuiopasdfghjkllko
    5. zxcvbnmjowertyuipklasdfgqhzxcvbnmjoojq
    6. > 2
    7. b{Da1f0gdp3q}o_umpeoqupmsfotmo3r{onyyc4
    8. '''
    9. #先按数量排序(前大后小),再作一次shift(从左弹出放右)
    10. #输出表里对应的内容
    11. '''
    12. aaabbcdef
    13. ['a', 'b', 'c', 'd', 'e', 'f']
    14. ['b', 'c', 'd', 'e', 'f', 'a']
    15. bbbccdefa
    17. ptm{
    18. [p,t,m,{,   }]
    19. [b,{,D,a,   4]
    20. b{Da1f0gdp3q}o_umpeoqupmsfotmo3r{onyyc4
    21. ptm{         _     _      _  _   _    }
    22. #根据第1个字符的对应关系手调shift
    23. ['o', 'p', 'm', '{', 'f', '3', 'q', 'u', 'y', 'b', 'D', 'a', '1', '0', 'g', 'd', '}', '_', 'e', 's', 't', 'r', 'n', 'c', '4']
    24. ['y', 'b', 'D', 'a', '1', '0', 'g', 'd', '}', '_', 'e', 's', 't', 'r', 'n', 'c', '4', 'o', 'p', 'm', '{', 'f', '3', 'q', 'u']
    25. '''
    26. a = 'b{Da1f0gdp3q}o_umpeoqupmsfotmo3r{onyyc4'
    27. def encrypt(data):
    28.     charsf = {}
    29.     for c in data:
    30.         if c not in charsf.keys():
    31.             charsf[c] = 1
    32.         else:
    33.             charsf[c] += 1
    34.  
    35.     chars = list(charsf.keys())
    36.     chars.sort(reverse=True, key=lambda e: charsf[e])  #按出现频率排序
    37.     print(chars)
    38.  
    39. #encrypt(a)
    40. v1 = ['o', 'p', 'm', '{', 'f', '3', 'q', 'u', 'y', 'b', 'D', 'a', '1', '0', 'g', 'd', '}', '_', 'e', 's', 't', 'r', 'n', 'c', '4']
    41. v2 = ['y', 'b', 'D', 'a', '1', '0', 'g', 'd', '}', '_', 'e', 's', 't', 'r', 'n', 'c', '4', 'o', 'p', 'm', '{', 'f', '3', 'q', 'u']
    42. flag = ''.join([v1[v2.index(c)] for c in a])
    43.  
    44. print(flag)
    45. #ptm{fr3quency_b4seD_c4esar_1s_n0t_good}

    MISC

    fileRecovery

    流量题,说是对方给传了个图,然后删掉了,要从流量里找出来

    图一般都很大,不是几个字符的,打到一个大包取出TCP流,看到是base64,解码后得到一张图

    1. a = open('aaa.txt').read()
    2. from base64 import *
    3. b = b64decode(a)
    4. open('bbb.txt', 'wb').write(b)
    5. #ptm{n37w0rk_ch4ll3n935_4r3_fun_2}

     

     

  • 相关阅读:
    Boost.Beast和C++编写程序
    Windows系统中的环境变量asl.log是什么
    卷积操作的不同类型
    职场的边界感、底线原则与陷阱
    RabbitMQ中Direct交换机的用法
    windows java 指定jdk启动jar包程序
    学习记录十六
    Lambda表达式入门,详细介绍样例
    网络安全--初识
    【OAuth2】二十、OAuth2扩展协议 PKCE
  • 原文地址:https://blog.csdn.net/weixin_52640415/article/details/127837418