DDCTF2019 MISC MulTzor

This challenge tests how well we understand XOR. It gives us a very long hexadecimal string (download: http://file.eonew.cn/ctf/misc/data.txt), along with a hint: the plaintext is English, please crack it.

Thanks to sayhi for the guidance here.

This is an XOR encryption/decryption challenge, and the xortool utility is what we need to solve it. Installation:

pip install xortool

Usage overview:

ex@Ex:~/test$ xortool -h
xortool
  A tool to do some xor analysis:
  - guess the key length (based on count of equal chars)
  - guess the key (base on knowledge of most frequent char)

Usage:
  xortool [-x] [-m MAX-LEN] [-f] [-t CHARSET] [FILE]
  xortool [-x] [-l LEN] [-c CHAR | -b | -o] [-f] [-t CHARSET] [FILE]
  xortool [-x] [-m MAX-LEN| -l LEN] [-c CHAR | -b | -o] [-f] [-t CHARSET] [FILE]
  xortool [-h | --help]
  xortool --version

Options:
  -x --hex                          input is hex-encoded str
  -l LEN, --key-length=LEN          length of the key
  -m MAX-LEN, --max-keylen=MAX-LEN  maximum key length to probe [default: 65]
  -c CHAR, --char=CHAR              most frequent char (one char or hex code)
  -b --brute-chars                  brute force all possible most frequent chars
  -o --brute-printable              same as -b but will only check printable chars
  -f --filter-output                filter outputs based on the charset
  -t CHARSET --text-charset=CHARSET target text character set [default: printable]
  -h --help                         show this help

Notes:
  Text character set:
    * Pre-defined sets: printable, base32, base64
    * Custom sets:
      - a: lowercase chars
      - A: uppercase chars
      - 1: digits
      - !: special chars
      - *: printable chars

Examples:
  xortool file.bin
  xortool -l 11 -c 20 file.bin
  xortool -x -c ' ' file.hex
  xortool -b -f -l 23 -t base64 message.enc

First, convert the hex string into a raw byte stream.

#! /usr/bin/python3
# -*- coding: utf-8 -*-

import binascii

# Read the hex string; strip the trailing newline so a2b_hex does not choke on it
s = open('data.txt', 'r').read().strip()
b = binascii.a2b_hex(s)

# Write the raw bytes out so xortool can analyse them
with open('data.bin', 'wb') as f:
    f.write(b)

Then analyse it with xortool. Since the hint says the plaintext is English, we guess that the most frequent character is the space:

ex@Ex:~/test$ xortool -c ' ' temp.bin
The most probable key lengths:
   3:   11.9%
   6:   19.7%
   9:   9.3%
  12:   14.5%
  15:   7.1%
  18:   11.2%
  21:   5.4%
  24:   8.4%
  30:   6.8%
  36:   5.7%
Key-length can be 3*n
2 possible key(s) of length 6:
\x0b\rz4\xaa\x12
N\rz4\xaa\x12
Found 2 plaintexts with 95.0%+ valid characters
See files filename-key.csv, filename-char_used-perc_valid.csv
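
To make the two xortool steps concrete, here is an added Python example (not part of the original write-up and not xortool's own code): it encrypts a known English sample (the plaintext recovered later in this write-up) with a hypothetical 6-byte key, guesses the key length from the fraction of equal bytes at each shift, then recovers the key column by column, first with the space assumption used above (-c ' ') and then with a charset filter in the spirit of -o/-f, and checks that the decryption round-trips. The function names, the 0.6 threshold and the charset are my own choices.

```python
"""Repeating-key XOR analysis in the style of xortool: guess the key length
from the count of equal bytes at each shift, then guess each key byte."""
from collections import Counter
import string

# Constructed sample: the English text recovered later in this write-up,
# reused here only to build a ciphertext with a known key.
SAMPLE_PLAINTEXT = (
    "Cryptanalysis of the Enigma ciphering system enabled the western Allies in "
    "World War II to read substantial amounts of Morse-coded radio communications "
    "of the Axis powers that had been enciphered using Enigma machines. This "
    "yielded military intelligence which, along with that from other decrypted "
    "Axis radio and teleprinter transmissions, was given the codename Ultra. This "
    "was considered by western Supreme Allied Commander Dwight D. Eisenhower to "
    "have been \"decisive\" to the Allied victory. The Enigma machines were a "
    "family of portable cipher machines with rotor scramblers. Good operating "
    "procedures, properly enforced, would have made the plugboard Enigma machine "
    "unbreakable. However, most of the German military forces, secret services "
    "and civilian agencies that used Enigma employed poor operating procedures, "
    "and it was these poor procedures that allowed the Enigma machines to be "
    "reverse-engineered and the ciphers to be read. The German plugboard-equipped "
    "Enigma became Nazi Germany's principal crypto-system. It was broken by the "
    "Polish General Staff's Cipher Bureau in December 1932, with the aid of "
    "French-supplied intelligence material obtained from a German spy. A month "
    "before the outbreak of World War II, at a conference held near Warsaw, the "
    "Polish Cipher Bureau shared its Enigma-breaking techniques and technology "
    "with the French and British. During the German invasion of Poland, core "
    "Polish Cipher Bureau personnel were evacuated, via Romania, to France where "
    "they established the PC Bruno signals intelligence station with French "
    "facilities support. Successful cooperation among the Poles, the French, and "
    "the British at Bletchley Park continued until June 1940, when France "
    "surrendered to the Germans."
).encode()

# Hypothetical key for the demo: the first candidate xortool reported above.
SAMPLE_KEY = b"\x0b\rz4\xaa\x12"

# Bytes we expect in English plaintext; used to rank candidate key bytes.
ENGLISH_CHARSET = set((string.ascii_letters + string.digits + " .,'\"-;:()&").encode())


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated cyclically (encrypt == decrypt)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def equal_byte_fraction(data: bytes, shift: int) -> float:
    """Fraction of positions i with data[i] == data[i + shift]. When shift is
    a multiple of the key length both bytes were XORed with the same key byte,
    so this equals the plaintext's index of coincidence (about 0.065 for
    English); other shifts score much lower."""
    pairs = len(data) - shift
    return sum(data[i] == data[i + shift] for i in range(pairs)) / pairs


def guess_key_length(data: bytes, max_len: int = 20) -> int:
    """All multiples of the true key length score high, so take the smallest
    shift whose score is close to the best one (0.6 is an arbitrary margin)."""
    scores = {n: equal_byte_fraction(data, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= 0.6 * best)


def guess_key_by_char(data: bytes, key_len: int, frequent: int = 0x20) -> bytes:
    """The -c ' ' idea: the most frequent ciphertext byte of each column is
    assumed to be the space XORed with that column's key byte. On short
    inputs a column may pick 'e' instead, which is why xortool prints
    several candidate keys."""
    key = bytearray()
    for j in range(key_len):
        top = Counter(data[j::key_len]).most_common(1)[0][0]
        key.append(top ^ frequent)
    return bytes(key)


def guess_key_by_charset(data: bytes, key_len: int, charset=ENGLISH_CHARSET) -> bytes:
    """Filter in the spirit of -o/-f: per column, keep the key byte whose
    decryption leaves the most bytes inside the expected charset."""
    key = bytearray()
    for j in range(key_len):
        column = data[j::key_len]
        key.append(max(range(256), key=lambda k: sum((c ^ k) in charset for c in column)))
    return bytes(key)


def analyse(ciphertext: bytes) -> dict:
    """Run the whole pipeline and return the intermediate results."""
    key_len = guess_key_length(ciphertext)
    key = guess_key_by_charset(ciphertext, key_len)
    return {"key_length": key_len, "key_by_space": guess_key_by_char(ciphertext, key_len),
            "key": key, "plaintext": xor_repeating(ciphertext, key)}


if __name__ == "__main__":
    result = analyse(xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY))
    print("key length:", result["key_length"])
    print("key (space assumption):", result["key_by_space"])
    print("key (charset filter):  ", result["key"])
    print(result["plaintext"][:80].decode())
```

The charset filter is what makes the recovery deterministic on a sample this short: only the true key byte maps every byte of a column back into the letters, digits and punctuation of English, so any candidate the space heuristic got wrong in one column is corrected there.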

We get two candidate keys. I decrypt in C here; first, turn the byte stream into a variable that C can work with:

xxd -i data.bin > data.h

Then write the decryption program:

#include <stdio.h>
#include <string.h>

#include "data.h"   /* generated by: xxd -i data.bin > data.h */

extern unsigned char data_bin[];
extern unsigned int data_bin_len;

int main(void)
{
    /* first candidate key reported by xortool */
    const char *key = "\x0b\rz4\xaa\x12";
    unsigned int i, j, key_length;

    key_length = strlen(key);
    /* XOR every byte with the key byte at the same position modulo the key length */
    for (i = 0; i < data_bin_len;)
    {
        for (j = 0; j < key_length && i < data_bin_len; j++, i++)
        {
            data_bin[i] ^= key[j];
        }
    }
    /* xxd -i does not add a terminating NUL, so write exactly data_bin_len bytes
       instead of calling puts() on the buffer */
    fwrite(data_bin, 1, data_bin_len, stdout);
    putchar('\n');

    return 0;
}

Example run:

ex@Ex:~/test$ gcc main.c -o decode
ex@Ex:~/test$ ./decode 

Cryptanalysis of the Enigma ciphering system enabled the western Allies in World War II to read substantial amounts of Morse-coded radio communications of the Axis powers that had been enciphered using Enigma machines. This yielded military intelligence which, along with that from other decrypted Axis radio and teleprinter transmissions, was given the codename Ultra. This was considered by western Supreme Allied Commander Dwight D. Eisenhower to have been "decisive" to the Allied victory.

The Enigma machines were a family of portable cipher machines with rotor scramblers. Good operating procedures, properly enforced, would have made the plugboard Enigma machine unbreakable. However, most of the German military forces, secret services and civilian agencies that used Enigma employed poor operating procedures, and it was these poor procedures that allowed the Enigma machines to be reverse-engineered and the ciphers to be read.

The German plugboard-equipped Enigma became Nazi Germany's principal crypto-system. It was broken by the Polish General Staff's Cipher Bureau in December 1932, with the aid of French-supplied intelligence material obtained from a German spy. A month before the outbreak of World War II, at a conference held near Warsaw, the Polish Cipher Bureau shared its Enigma-breaking techniques and technology with the French and British. During the German invasion of Poland, core Polish Cipher Bureau personnel were evacuated, via Romania, to France where they established the PC Bruno signals intelligence station with French facilities support. Successful cooperation among the Poles, the French, and the British at Bletchley Park continued until June 1940, when France surrendered to the Germans.

From this beginning, the British Government Code and Cypher School (GC&CS) at Bletchley Park built up an extensive cryptanalytic capability. Initially, the decryption was mainly of Luftwaffe (German air force) and a few Heer (German army) messages, as the Kriegsmarine (German navy) employed much more secure procedures for using Enigma. Alan Turing, a Cambridge University mathematician and logician, provided much of the original thinking that led to the design of the cryptanalytical bombe machines that were instrumental in eventually breaking the naval Enigma. However, the Kriegsmarine introduced an Enigma version with a fourth rotor for its U-boats, resulting in a prolonged period when these messages could not be decrypted. With the capture of relevant cipher keys and the use of much faster US Navy bombes, regular, rapid reading of U-boat messages resumed.

The flag is: DDCTF{07b1b46d1db28843d1fd76889fea9b36}

The first key already yields the flag.

Summary

A broad knowledge base always pays off.