Hackon18 writeup

人懒，懒得重新写writeup，写了一些觉得蛮不错的点，其中几题借鉴了下大佬的。

Hackon18

Junior/Facche

Junior/Facche_Salad Upgrades

给出字符串 e4uo{zo1b_1e_f0j4l10i}z0ce

这个还是稍微有点特殊，每个字母的偏移量是在这个字符串的第几位，脚本解一下：

#-*-coding:utf-8

import string

chars = string.lowercase

enc = 'e4uo{zo1b_1e_f0j4l10i}z0ce'

flag = ''
for i in range(len(enc)):
    if enc[i] in chars:
        flag += chars[(chars.index(enc[i]) - (i + 1)) % len(chars)]
    else:
        flag += enc[i]

print flag

得到答案d4rk{th1s_1s_r0t4t10n}c0de

Misc

Misc_EtherHide

打开MyStorage.sol有以下代码

pragma solidity ^0.4.24;

contract MyStorage
{
	address public owner;
	address public previous_owner;
	address public creator;
	bytes32 public dataHash;

	constructor() public
	{
		owner = msg.sender;
		creator = msg.sender;
	}

	function withdraw() public
	{
		require(address(this).balance > 0);

		if(address(this).balance > 1 ether)
		{
			previous_owner.transfer(address(this).balance - 1 ether);
		}
		creator.transfer(address(this).balance);
	}

	function change_data(string data) public payable
	{
		require(msg.sender == owner);
		require(msg.value > 0.5 ether);

		dataHash = keccak256(data);
	}

	function check_data(string data) public payable returns (bool)
	{
		require(msg.value > address(this).balance - msg.value);
		require(msg.sender == owner);
		require(keccak256(data) == dataHash);

		previous_owner = owner;
		owner = msg.sender;

		return true;
	}
}

看不懂没关系，题目给了

1. Network : Ropsten Test Network
2. Contract Address : 0x94f23F189583e828E73573905A19d93E21D0E957

根据第一个提示，谷歌一波发现网址：https://ropsten.etherscan.io/，这是个此题以太坊的工作站点

第二个提示告诉合同地址，于是打开网页https://ropsten.etherscan.io/address/0x94f23F189583e828E73573905A19d93E21D0E957

其中翻阅下，会找到一个

打开，Input Data中的数据，winhex打开，16进制转ASCII，得到答案

Misc_CryptoRevSalad

这题做的有点难受，给了个数据包，三板斧分析，简单分析了下

tcp流3是明文字符，给了以下信息

再看看tcp流5

看到有种熟悉的感觉，实际上就是个zip的16进制，不过是每个字节颠倒的，把这个保存为zip.txt，代码操作一番

#-*—coding:utf-8

str_hex=''
with open("zip.txt",'r') as line:
    for i in line:
        s1=i[:-1].split(" ")
        print s1[1:]
        for j in s1[1:]:
            print j
            str_hex+=j[2]+j[3]+j[0]+j[1]

print str_hex

得到结果，复制到winhex里，保存zip.zip文件，打开，发现个ELF文件，有的玩

此题有待研究，期待待续咯！！！

补：发现此题writeup，后面完善

Crypto

Crypto_Diversity

复制下

b1001000 x69 d33 d32 o127 b1100101 o154 o143 b1101111 o155 o145 d32 o164 d111 d32 x48 b1100001 x63 o153 b1000011 o157 x6e d39 o61 b111000 x2c d32 d111 b1110010 d103 d97 x6e o151 x73 d101 d100 o40 d97 b1110011 b100000 x70 o141 o162 x74 d32 x6f x66 b100000 o105 b1110011 x79 b1100001 d39 d49 b111000 x20 b1100010 d121 b100000 x49 o111 b1001001 x54 b100000 b1000100 x65 x6c o150 x69 b101110 x20 o111 d110 b100000 o143 d97 d115 o145 o40 b1111001 b1101111 x75 b100111 x72 x65 x20 x73 x65 b1100101 b1101011 x69 o156 x67 d32 b1100001 o40 o162 x65 o167 b1100001 o162 o144 d32 x66 d111 x72 b100000 o171 x6f d117 b1110010 o40 d101 x66 x66 x6f x72 d116 o163 x2c b100000 d104 b1100101 d114 o145 x27 d115 x20 b1100001 d32 d102 d108 b1100001 x67 x20 x3a b100000 o144 x34 o162 x6b x7b o151 d95 d87 o151 x73 b100011 d95 x41 o61 x6c d95 b1110100 d52 d115 b1101011 d53 o137 o167 x33 d114 o63 o137 d116 b1101000 o151 o65 x5f x33 d52 o65 o171 o137 x58 b1000100 b1000100 b1111101 x63 d48 d100 d101 d46 b100000 o101 x6e b1111001 d119 b1100001 b1111001 x73 b101100 x20 o150 d111 b1110000 b1100101 o40 x79 o157 d117 b100000 b1101000 o141 x76 x65 b100000 d97 x20 o147 d111 b1101111 d100 b100000 b1110100 b1101001 d109 b1100101 d32 x3b x29

观察到x、b、d、o字样，估计就是进制之间的转化，然后转成ASCII码对应的字符。写个脚本

#-*-coding:utf-8

Str_text='''b1001000 x69 d33 d32 o127 b1100101 o154 o143 b1101111 o155 o145 d32 o164 d111 d32 x48 b1100001 x63 o153 b1000011 o157 x6e d39 o61 b111000 x2c d32 d111 b1110010 d103 d97 x6e o151 x73 d101 d100 o40 d97 b1110011 b100000 x70 o141 o162 x74 d32 x6f x66 b100000 o105 b1110011 x79 b1100001 d39 d49 b111000 x20 b1100010 d121 b100000 x49 o111 b1001001 x54 b100000 b1000100 x65 x6c o150 x69 b101110 x20 o111 d110 b100000 o143 d97 d115 o145 o40 b1111001 b1101111 x75 b100111 x72 x65 x20 x73 x65 b1100101 b1101011 x69 o156 x67 d32 b1100001 o40 o162 x65 o167 b1100001 o162 o144 d32 x66 d111 x72 b100000 o171 x6f d117 b1110010 o40 d101 x66 x66 x6f x72 d116 o163 x2c b100000 d104 b1100101 d114 o145 x27 d115 x20 b1100001 d32 d102 d108 b1100001 x67 x20 x3a b100000 o144 x34 o162 x6b x7b o151 d95 d87 o151 x73 b100011 d95 x41 o61 x6c d95 b1110100 d52 d115 b1101011 d53 o137 o167 x33 d114 o63 o137 d116 b1101000 o151 o65 x5f x33 d52 o65 o171 o137 x58 b1000100 b1000100 b1111101 x63 d48 d100 d101 d46 b100000 o101 x6e b1111001 d119 b1100001 b1111001 x73 b101100 x20 o150 d111 b1110000 b1100101 o40 x79 o157 d117 b100000 b1101000 o141 x76 x65 b100000 d97 x20 o147 d111 b1101111 d100 b100000 b1110100 b1101001 d109 b1100101 d32 x3b x29
'''
codes=Str_text[:-1].split(" ")
ans = [int('0{}'.format(e), 0) if e[0] != 'd' else int(e[1:]) for e in codes]
#print ans
ans = [chr(e) for e in ans]
print(''.join(ans))

输出结果

Hi! Welcome to HackCon'18, organised as part of Esya'18 by IIIT Delhi. In case you're seeking a reward for your efforts, here's a flag : d4rk{i_Wis#_A1l_t4sk5_w3r3_thi5_345y_XDD}c0de. Anyways, hope you have a good time ;)

Crypto_Light N’ Easy

题目内容：

01001110-00100000-00111010-00001100-11011110-00011110-00000000-01100000-00101010-01111010-00100000-11110110-00111010-00000000-11111110-00001100-00111000-11011110-00000000-10111100-00001010-11011110-11011110-00101010-00000000-01110110-11011110-00001100-00001100-00111010-01010110-00000000-11111100-00001010-11111010-00101010-11110110-11011110-00000000-11101110-11011110-01111011-00000000-10001110-00001100-11111010-11110110-00000000-00100000-10110110-00000000-00011101-10011111-01111011-10110111-11111110-00001010-00100000-00101010-11110111-01111000-00111010-01100111-10001100-00111011-10101010-11011110

hint.jpg

下意识二进制转化，然后发现错了，国外网站搜索一波

嗯，很像对吧，然后学习了下https://www.wikiwand.com/de/Segmentanzeige

其实每个8位的值都是按以下字母的顺序对应的

   b
  ===
a| g |c
  ===
f|   |d
  ===   .h (the dot)
   e

写个脚本

enc = '01001110-00100000-00111010-00001100-11011110-00011110-00000000-01100000-00101010-01111010-00100000-11110110-00111010-00000000-11111110-00001100-00111000-11011110-00000000-10111100-00001010-11011110-11011110-00101010-00000000-01110110-11011110-00001100-00001100-00111010-01010110-00000000-11111100-00001010-11111010-00101010-11110110-11011110-00000000-11101110-11011110-01111011-00000000-10001110-00001100-11111010-11110110-00000000-00100000-10110110-00000000-00011101-10011111-01111011-10110111-11111110-00001010-00100000-00101010-11110111-01111000-00111010-01100111-10001100-00111011-10101010-11011110'
codes = enc.split('-')

line1 = ''
for code in codes:
    if code[0] == '1':
        line1 += ' _  '
    else:
        line1 += '    '

line2 = ''
for code in codes:
    if code[5] == '1':
        line2 += '|'
    else:
        line2 += ' '
    if code[6] == '1':
        line2 += '_'
    else:
        line2 += ' '
    if code[1] == '1':
        line2 += '|'
    else:
        line2 += ' '
    line2 += ' '

line3 = ''
for code in codes:

    if code[4] == '1':
        line3 += '|'
    else:
        line3 += ' '
    if code[3] == '1':
        line3 += '_'
    else:
        line3 += ' '
    if code[2] == '1':
        line3 += '|'
    else:
        line3 += ' '
    if code[7] == '1':
        line3 += '.'
    else:
        line3 += ' '

flag = line1 + '\n' + line2 + '\n' + line3
print flag

运行得到结果

最后结果

d4rk{L.E.d.s.Bring.Joy.To.me}c0de

Crypto_Ron, Adi and Leonard

rsa.txt内容如下：

n = 744818955050534464823866087257532356968231824820271085207879949998948199709147121321290553099733152323288251591199926821010868081248668951049658913424473469563234265317502534369961636698778949885321284313747952124526309774208636874553139856631170172521493735303157992414728027248540362231668996541750186125327789044965306612074232604373780686285181122911537441192943073310204209086616936360770367059427862743272542535703406418700365566693954029683680217414854103

e = 57595780582988797422250554495450258341283036312290233089677435648298040662780680840440367886540630330262961400339569961467848933132138886193931053170732881768402173651699826215256813839287157821765771634896183026173084615451076310999329120859080878365701402596570941770905755711526708704996817430012923885310126572767854017353205940605301573014555030099067727738540219598443066483590687404131524809345134371422575152698769519371943813733026109708642159828957941

c = 305357304207903396563769252433798942116307601421155386799392591523875547772911646596463903009990423488430360340024642675941752455429625701977714941340413671092668556558724798890298527900305625979817567613711275466463556061436226589272364057532769439646178423063839292884115912035826709340674104581566501467826782079168130132642114128193813051474106526430253192254354664739229317787919578462780984845602892238745777946945435746719940312122109575086522598667077632

会发现e贼大，好的Winner爆破

import math

def DevContinuedFraction(num, denum):
    partialQuotients = []
    divisionRests = []
    for i in range(int(math.log(denum, 2))):
        divisionRests = num % denum
        partialQuotients.append(num / denum)
        num = denum
        denum = divisionRests
        if denum == 0:
            break
    return partialQuotients

def DivergentsComputation(partialQuotients):
    (p1, p2, q1, q2) = (1, 0, 0, 1)
    convergentsList = []
    for q in partialQuotients:
        pn = q * p1 + p2
        qn = q * q1 + q2
        convergentsList.append([pn, qn])
        p2 = p1
        q2 = q1
        p1 = pn
        q1 = qn
    return convergentsList

def SquareAndMultiply(base,exponent,modulus):
    binaryExponent = []
    while exponent != 0:
        binaryExponent.append(exponent % 2)
        exponent = exponent / 2
    result = 1
    binaryExponent.reverse()
    for i in binaryExponent:
        if i == 0:
            result = (result * result) % modulus
        else:
            result = (result * result * base) % modulus
    return result

def WienerAttack(e, n, c):
    testStr = 42
    c = SquareAndMultiply(testStr, e, n)
    for C in DivergentsComputation(DevContinuedFraction(e, n)) :
        if SquareAndMultiply(c, C[1], n) == testStr :
            FullReverse(n, e, C)
            return C[1]
    return -1

def GetTheFlag(c, n, d) :
    p = pow(c, d, n)
    size = len('{:02x}'.format(p)) // 2
    print ''.join([chr((p >> j) & 0xff) for j in reversed(range(0, size << 3, 8))])

def find_invpow(x, n):
    high = 1
    while high ** n < x:
        high *= 2
    low = high / 2
    while low < high:
        mid = (low + high) // 2
        if low < mid and mid ** n < x:
            low = mid
        elif high > mid and mid ** n > x:
            high = mid
        else:
            return mid
    return mid + 1

def FullReverse(n, e, c) :
    phi = (e * c[1] - 1) // c[0]
    a = 1
    b = -(n - phi + 1)
    c = n
    delta = b * b - 4 * a * c
    if delta > 0 :
        x1 = (- b + find_invpow((b * b - 4 * a * c), 2)) / (2 * a)
        x2 = (- b - find_invpow((b * b - 4 * a * c), 2)) / (2 * a)
        if x1 * x2 == n:
            print 'p = ' + str(x1)
            print 'q = ' + str(x2)

if __name__ == "__main__":
    n = 744818955050534464823866087257532356968231824820271085207879949998948199709147121321290553099733152323288251591199926821010868081248668951049658913424473469563234265317502534369961636698778949885321284313747952124526309774208636874553139856631170172521493735303157992414728027248540362231668996541750186125327789044965306612074232604373780686285181122911537441192943073310204209086616936360770367059427862743272542535703406418700365566693954029683680217414854103

    e = 57595780582988797422250554495450258341283036312290233089677435648298040662780680840440367886540630330262961400339569961467848933132138886193931053170732881768402173651699826215256813839287157821765771634896183026173084615451076310999329120859080878365701402596570941770905755711526708704996817430012923885310126572767854017353205940605301573014555030099067727738540219598443066483590687404131524809345134371422575152698769519371943813733026109708642159828957941

    c = 305357304207903396563769252433798942116307601421155386799392591523875547772911646596463903009990423488430360340024642675941752455429625701977714941340413671092668556558724798890298527900305625979817567613711275466463556061436226589272364057532769439646178423063839292884115912035826709340674104581566501467826782079168130132642114128193813051474106526430253192254354664739229317787919578462780984845602892238745777946945435746719940312122109575086522598667077632

    d = WienerAttack(e, n, c)
    GetTheFlag(c, n, d)

运行脚本，得到答案d4rk{r3p34t3ed_RsA_1s_f0r_n00bs}c0de

Crypto_Tripple FUN

题目文本内容

|\xb3Wm\x83\rE7h\xe3\xc0\xf1^Y\xf0\x8d\xa6I\x92\x9b\xa5\xbc\xdc\xca\x9d\xcd\xe9a0\xa3\x00\xf2\x13\x16]|\xae\xd8\x84\x88

这题嘛，有点意思，DES解密 ，解密代码会比较长

import calendar
import time

PI = [58, 50, 42, 34, 26, 18, 10, 2,
          60, 52, 44, 36, 28, 20, 12, 4,
          62, 54, 46, 38, 30, 22, 14, 6,
          64, 56, 48, 40, 32, 24, 16, 8,
          57, 49, 41, 33, 25, 17, 9, 1,
          59, 51, 43, 35, 27, 19, 11, 3,
          61, 53, 45, 37, 29, 21, 13, 5,
          63, 55, 47, 39, 31, 23, 15, 7]

CP_1 = [57, 49, 41, 33, 25, 17, 9,
                1, 58, 50, 42, 34, 26, 18,
                10, 2, 59, 51, 43, 35, 27,
                19, 11, 3, 60, 52, 44, 36,
                63, 55, 47, 39, 31, 23, 15,
                7, 62, 54, 46, 38, 30, 22,
                14, 6, 61, 53, 45, 37, 29,
                21, 13, 5, 28, 20, 12, 4]

CP_2 = [14, 17, 11, 24, 1, 5, 3, 28,
                15, 6, 21, 10, 23, 19, 12, 4,
                26, 8, 16, 7, 27, 20, 13, 2,
                41, 52, 31, 37, 47, 55, 30, 40,
                51, 45, 33, 48, 44, 49, 39, 56,
                34, 53, 46, 42, 50, 36, 29, 32]
E = [32, 1, 2, 3, 4, 5,
         4, 5, 6, 7, 8, 9,
         8, 9, 10, 11, 12, 13,
         12, 13, 14, 15, 16, 17,
         16, 17, 18, 19, 20, 21,
         20, 21, 22, 23, 24, 25,
         24, 25, 26, 27, 28, 29,
         28, 29, 30, 31, 32, 1]

S_BOX = [

[[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
 [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
 [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
 [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
],
[[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
 [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
 [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
 [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
],
[[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
 [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
 [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
 [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
],
[[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
 [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
 [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
 [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
],
[[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
 [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
 [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
 [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
],
[[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
 [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
 [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
 [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13],
],
[[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
 [13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
 [1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
 [6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12],
],

[[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
 [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
 [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
 [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11],
]
]

P = [16, 7, 20, 21, 29, 12, 28, 17,
         1, 15, 23, 26, 5, 18, 31, 10,
         2, 8, 24, 14, 32, 27, 3, 9,
         19, 13, 30, 6, 22, 11, 4, 25]

PI_1 = [40, 8, 48, 16, 56, 24, 64, 32,
                39, 7, 47, 15, 55, 23, 63, 31,
                38, 6, 46, 14, 54, 22, 62, 30,
                37, 5, 45, 13, 53, 21, 61, 29,
                36, 4, 44, 12, 52, 20, 60, 28,
                35, 3, 43, 11, 51, 19, 59, 27,
                34, 2, 42, 10, 50, 18, 58, 26,
                33, 1, 41, 9, 49, 17, 57, 25]

SHIFT = [1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1]
def string_to_bit_array(text):
        array = list()
        for char in text:
                binval = binvalue(char, 8)
                array.extend([int(x) for x in list(binval)])
        return array
def bit_array_to_string(array):
        res = ''.join([chr(int(y,2)) for y in [''.join([str(x) for x in bytes]) for bytes in  nsplit(array,8)]])
        return res
def binvalue(val, bitsize):
        binval = bin(val)[2:] if isinstance(val, int) else bin(ord(val))[2:]
        if len(binval) > bitsize:
                raise Exception("binary value larger than the expected size")
        while len(binval) < bitsize:
                binval = "0"+binval
        return binval
def nsplit(s, n):
        return [s[k:k+n] for k in xrange(0, len(s), n)]
ENCRYPT=1
DECRYPT=0
class des():
        def __init__(self):
                self.password = None
                self.text = None
                self.keys = list()

        def run(self, key, text, action=ENCRYPT, padding=False):
                if len(key) < 8:
                        raise Exception("Key Should be 8 bytes long")
                elif len(key) > 8:
                        key = key[:8]

                self.password = key
                self.text = text

                if padding and action==ENCRYPT:
                        self.addPadding()
                elif len(self.text) % 8 != 0:
                        raise Exception("Data size should be multiple of 8")

                self.generatekeys()
                text_blocks = nsplit(self.text, 8)
                result = list()
                for block in text_blocks:
                        block = string_to_bit_array(block)
                        block = self.permut(block,PI)
                        g, d = nsplit(block, 32)
                        tmp = None
                        for i in range(16):
                                d_e = self.expand(d, E)
                                if action == ENCRYPT:
                                        tmp = self.xor(self.keys[i], d_e)
                                else:
                                        tmp = self.xor(self.keys[15-i], d_e)
                                tmp = self.substitute(tmp)
                                tmp = self.permut(tmp, P)
                                tmp = self.xor(g, tmp)
                                g = d
                                d = tmp
                        result += self.permut(d+g, PI_1)
                final_res = bit_array_to_string(result)
                if padding and action==DECRYPT:
                        return self.removePadding(final_res)
                else:
                        return final_res

        def substitute(self, d_e):
                subblocks = nsplit(d_e, 6)
                result = list()
                for i in range(len(subblocks)):
                        block = subblocks[i]
                        row = int(str(block[0])+str(block[5]),2)
                        column = int(''.join([str(x) for x in block[1:][:-1]]),2)
                        val = S_BOX[i][row][column]
                        bin = binvalue(val, 4)
                        result += [int(x) for x in bin]
                return result

        def permut(self, block, table):
                return [block[x-1] for x in table]

        def expand(self, block, table):
                return [block[x-1] for x in table]

        def xor(self, t1, t2):
                return [x^y for x,y in zip(t1,t2)]

        def generatekeys(self):
                self.keys = []
                key = string_to_bit_array(self.password)
                key = self.permut(key, CP_1)
                g, d = nsplit(key, 28)
                for i in range(16):
                        g, d = self.shift(g, d, SHIFT[i])
                        tmp = g + d
                        self.keys.append(self.permut(tmp, CP_2))
        def shift(self, g, d, n):
                return g[n:] + g[:n], d[n:] + d[:n]

        def addPadding(self):
                pad_len = 8 - (len(self.text) % 8)
                self.text += pad_len * chr(pad_len)

        def removePadding(self, data):
                pad_len = ord(data[-1])
                return data[:-pad_len]

        def encrypt(self, key, text, padding=False):
                return self.run(key, text, ENCRYPT, padding)

        def decrypt(self, key, text, padding=False):
                return self.run(key, text, DECRYPT, padding)

if __name__ == '__main__':
        '''
        IV = str(calendar.timegm(time.gmtime()))[-8:]
        message= "######  redacted  ######"
        d = des()
        r = d.encrypt(IV,d.encrypt(IV,d.encrypt(IV,message)))
        print ("Ciphered: %r" % r)
        '''
        i = int(time.time()) % 100000000  # 1534487873
        d = des()
        ct = '|\xb3Wm\x83\rE7h\xe3\xc0\xf1^Y\xf0\x8d\xa6I\x92\x9b\xa5\xbc\xdc\xca\x9d\xcd\xe9a0\xa3\x00\xf2\x13\x16]|\xae\xd8\x84\x88'
        while i > 0:
                IV = str(i).zfill(8)
                pt = d.decrypt(IV, d.decrypt(IV, d.decrypt(IV, ct)))
                if pt.find('d4rk') >= 0:
                        print 'found!', [IV, pt]
                        exit()
                i -= 1
                if i % 100 == 0:
                        print i

脚本爆破半天，得到答案d4rk{0h_lol_t1m3_i5_n0t_A_g00d_s33d}c0de

Steg

Steg_Twins

经过比较，file1和file2两个文本文件的长度一样，再仔细观察，找出两个文本的相同的字符，拼接出来就是flag

#coding:utf-8

def operate_text(filename):
    S_text=''
    with open(filename,'r') as line:
        for i in line:
            S_text+=i
        return S_text

s1=operate_text('file1')
s2=operate_text('file2')
print s1
print s2

flag=''
for i in range(len(s1)):
    if s1[i]==s2[i]:
        flag+=s1[i]

print flag

运行得到结果

d4rk{lo0king_p4st_0ur_d1ff3renc3s}c0de

Steg_Steg It Up

打开下载的图片

神奇Stegsolve试水一波，发现一排的二维码

一个一个扫扫咯

得到答案d4rk{s000_m4ny_0f_7h3m_l0l_1_h4v33_t0_m4k333_th3_fl4g_l0ng_f0r_n0000_r3450n_1m40}c0de