この大会は2018/8/17 0:30(JST)~2018/8/17 12:30(JST)に開催されました。
今回もチームで参戦。結果は955点で461チーム中12位でした。
自分で解けた問題をWriteupとして書いておきます。
Join us! (Misc 5)
Telegram Channelにアクセスするとフラグの前半が書いてある。
d4rk{4ll_th3_
HackCon's18のGroup InfoのDESCRIPTIONの最後にフラグの後半が書いてある。
b3s7!}c0de
d4rk{4ll_th3_b3s7!}c0de
Caesar Salad (Junior/Facche 10)
https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号。ROT13で復号できた。
d4rk{g1t_gud_c4es4r}c0de
Hoaxes and Hexes (Junior/Facche 20)
JPGファイルが与えられている。
$ strings maymays.jpg | grep d4rk d4rk{1m_d0wn_h3r3}c0de
d4rk{1m_d0wn_h3r3}c0de
Salad Upgrades (Junior/Facche 20)
シーザー暗号のようだが、少し違うようだ。フラグの { の前までのアルファベットのインデックスを見てみる。
d(3) -> e(4) 4 r(17) -> u(20) k(10) -> o(14)
シフトする数が1から順に増やしていると思われる。
import string chars = string.lowercase enc = 'e4uo{zo1b_1e_f0j4l10i}z0ce' flag = '' for i in range(len(enc)): if enc[i] in chars: flag += chars[(chars.index(enc[i]) - (i + 1)) % len(chars)] else: flag += enc[i] print flag
d4rk{th1s_1s_r0t4t10n}c0de
Find Me, ASAP (Junior/Facche 20)
ASCIIコードが並んでいるので、文字に変換する。
with open('findme.txt', 'r') as f: data = f.read().strip() codes = map(int, data.split(' ')) msg = '' for code in codes: msg += chr(code) print msg
変換結果は以下の通り。
ASCII abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Most modern character-encoding schemes are based on ASCII, although they support many additional characters. ASCII is the traditional name for the encoding system; the Internet Assigned Numbers Authority (IANA) prefers the updated name US-ASCII, which clarifies that this system was developed in the US and based on the typographical symbols predominantly in use there. ASCII is one of the IEEE milestones. ASCII was developed from telegraph code. Its first commercial use was as a seven-bit teleprinter code promoted by Bell data services. Work on the ASCII standard began on October 6, 1960, with the first meeting of the American Standards Association's (ASA) (now the American National Standards Institute or ANSI) X3.2 subcommittee. The first edition of the standard was d4rk{4sc11_n_gr3p}c0de published in 1963, underwent a major revision during 1967, and experienced its most recent update during 1986.[7] Compared to earlier telegraph codes, the proposed Bell code and ASCII were both ordered for more convenient sorting (i.e., alphabetization) of lists, and added features for devices other than teleprinters. Originally based on the English alphabet, ASCII encodes 128 specified characters into seven-bit integers as shown by the ASCII chart above. Ninety-five of the encoded characters are printable: these include the digits 0 to 9, lowercase letters a to z, uppercase letters A to Z, and punctuation symbols. In addition, the original ASCII specification included 33 non-printing control codes which originated with Teletype machines; most of these are now obsolete. For example, lowercase i would be represented in the ASCII encoding by binary 1101001 = hexadecimal 69 (i is the ninth letter) = decimal 105. ASCII was first used commercially during 1963 as a seven-bit teleprinter code for American Telephone & Telegraph's TWX (TeletypeWriter eXchange) network. TWX originally used the earlier five-bit ITA2, which was also used by the competing Telex teleprinter system. Bob Bemer introduced features such as the escape sequence.[3] His British colleague Hugh McGregor Ross helped to popularize this work ?Eaccording to Bemer, "so much so that the c ode that was to become ASCII was first called the Bemer-Ross Code in Europe". Because of his extensive work on ASCII, Bemer has been called "the father of ASCII". On March 11, 1968, U.S. President Lyndon B. Johnson mandated that all computers purchased by the United States federal government support ASCII, stating: I have also approved recommendations of the Secretary of Commerce regarding standards for recording the Standard Code for Information Interchange on magnetic tapes and paper tapes when they are used in computer operations. All computers and related equipment configurations brought into the Federal Government inventory on and after July 1, 1969, must have the capability to use the Standard Code for Information Interchange and the formats prescribed by the magnetic tape and paper tape standards when these media are used. ASCII was the most common character encoding on the World Wide Web until December 2007, when UTF-8 encoding surpassed it; UTF-8 is backward compatible with ASCII.
長文だがフラグが含まれていた。
d4rk{4sc11_n_gr3p}c0de
Twins (Steg 50)
2つのファイルが添付されていて、両方ともテキスト文字が並んでいる。同じ位置に同じ文字が書いてあるものを抜き出してみる。
with open('file1', 'rb') as f: data1 = f.read() with open('file2', 'rb') as f: data2 = f.read() flag = '' for i in range(len(data1)): if data1[i] == data2[i]: flag += data1[i] print flag
d4rk{lo0king_p4st_0ur_d1ff3renc3s}c0de
Diversity (Crypto 30)
スペース区切りで、2進数、8進数、10進数、16進数が並んでいる。目印は先頭にあり、以下の通りとなっている。
b: 2進数 o: 8進数 d: 10進数 x: 16進数
ASCII文字に変換する。
enc = 'b1001000 x69 d33 d32 o127 b1100101 o154 o143 b1101111 o155 o145 d32 o164 d111 d32 x48 b1100001 x63 o153 b1000011 o157 x6e d39 o61 b111000 x2c d32 d111 b1110010 d103 d97 x6e o151 x73 d101 d100 o40 d97 b1110011 b100000 x70 o141 o162 x74 d32 x6f x66 b100000 o105 b1110011 x79 b1100001 d39 d49 b111000 x20 b1100010 d121 b100000 x49 o111 b1001001 x54 b100000 b1000100 x65 x6c o150 x69 b101110 x20 o111 d110 b100000 o143 d97 d115 o145 o40 b1111001 b1101111 x75 b100111 x72 x65 x20 x73 x65 b1100101 b1101011 x69 o156 x67 d32 b1100001 o40 o162 x65 o167 b1100001 o162 o144 d32 x66 d111 x72 b100000 o171 x6f d117 b1110010 o40 d101 x66 x66 x6f x72 d116 o163 x2c b100000 d104 b1100101 d114 o145 x27 d115 x20 b1100001 d32 d102 d108 b1100001 x67 x20 x3a b100000 o144 x34 o162 x6b x7b o151 d95 d87 o151 x73 b100011 d95 x41 o61 x6c d95 b1110100 d52 d115 b1101011 d53 o137 o167 x33 d114 o63 o137 d116 b1101000 o151 o65 x5f x33 d52 o65 o171 o137 x58 b1000100 b1000100 b1111101 x63 d48 d100 d101 d46 b100000 o101 x6e b1111001 d119 b1100001 b1111001 x73 b101100 x20 o150 d111 b1110000 b1100101 o40 x79 o157 d117 b100000 b1101000 o141 x76 x65 b100000 d97 x20 o147 d111 b1101111 d100 b100000 b1110100 b1101001 d109 b1100101 d32 x3b x29' codes = enc.split(' ') flag = '' for code in codes: if code[0] == 'b': flag += chr(int(code[1:], 2)) elif code[0] == 'o': flag += chr(int(code[1:], 8)) elif code[0] == 'd': flag += chr(int(code[1:], 10)) elif code[0] == 'x': flag += chr(int(code[1:], 16)) print flag
d4rk{i_Wis#_A1l_t4sk5_w3r3_thi5_345y_XDD}c0de
Lite N' Easy (Crypto 50)
7 segment displayのデジタル表記を示している。テキストで同等の表示にする。enc = '01001110-00100000-00111010-00001100-11011110-00011110-00000000-01100000-00101010-01111010-00100000-11110110-00111010-00000000-11111110-00001100-00111000-11011110-00000000-10111100-00001010-11011110-11011110-00101010-00000000-01110110-11011110-00001100-00001100-00111010-01010110-00000000-11111100-00001010-11111010-00101010-11110110-11011110-00000000-11101110-11011110-01111011-00000000-10001110-00001100-11111010-11110110-00000000-00100000-10110110-00000000-00011101-10011111-01111011-10110111-11111110-00001010-00100000-00101010-11110111-01111000-00111010-01100111-10001100-00111011-10101010-11011110'
codes = enc.split('-')
line1 = ''
for code in codes:
if code[0] == '1':
line1 += ' _ '
else:
line1 += ' '
line2 = ''
for code in codes:
561
if code[5] == '1':
line2 += '|'
else:
line2 += ' '
if code[6] == '1':
line2 += '_'
else:
line2 += ' '
if code[1] == '1':
line2 += '|'
else:
line2 += ' '
line2 += ' '
line3 = ''
for code in codes:
561
if code[4] == '1':
line3 += '|'
else:
line3 += ' '
if code[3] == '1':
line3 += '_'
else:
line3 += ' '
if code[2] == '1':
line3 += '|'
else:
line3 += ' '
if code[7] == '1':
line3 += '.'
else:
line3 += ' '
flag = line1 + '\n' + line2 + '\n' + line3
with open('flag.txt', 'w') as f:
f.write(flag)
以下のような表示となる。
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_
_
_
_
_ _
_
_
_
_
_
_
_
_
_
_
_
_
_ _
_
_
_
_
_
_
_
_
_
_
_ _
_
_
_ _
_
_
_
_ _
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
.
_
_
_
_ .
_ .
_
. _
.
_
_
.
_
_
.
_
.
_
途中までの文字は以下のようになっていると考えられる。
Violet Indigo Blue Green Yellow Orange Red. Flag is ????????
色の英語表記から、不明な英語表記の読み方を推測する。例えば、"m"は"Yellow"の"w"の上下逆さになっていることから推測できる。この結果、以下のようになると推測した。
Violet Indigo Blue Green Yellow Orange Red. Flag is L.E.d.s.Bring.Joy.To.me
d4rk{L.E.d.s.Bring.Joy.To.me}c0de
Ron, Adi and Leonard (Crypto 100)
eが非常に大きいので、Wiener's attackで復号する。import math
def DevContinuedFraction(num, denum):
partialQuotients = []
divisionRests = []
for i in range(int(math.log(denum, 2))):
divisionRests = num % denum
partialQuotients.append(num / denum)
num = denum
denum = divisionRests
if denum == 0:
break
return partialQuotients
def DivergentsComputation(partialQuotients):
(p1, p2, q1, q2) = (1, 0, 0, 1)
convergentsList = []
for q in partialQuotients:
pn = q * p1 + p2
qn = q * q1 + q2
convergentsList.append([pn, qn])
p2 = p1
q2 = q1
p1 = pn
q1 = qn
return convergentsList
def SquareAndMultiply(base,exponent,modulus):
binaryExponent = []
while exponent != 0:
binaryExponent.append(exponent % 2)
exponent = exponent / 2
result = 1
binaryExponent.reverse()
for i in binaryExponent:
if i == 0:
result = (result * result) % modulus
else:
result = (result * result * base) % modulus
return result
def WienerAttack(e, n, c):
testStr = 42
c = SquareAndMultiply(testStr, e, n)
for C in DivergentsComputation(DevContinuedFraction(e, n)) :
if SquareAndMultiply(c, C[1], n) == testStr :
FullReverse(n, e, C)
return C[1]
return -1
def GetTheFlag(c, n, d) :
p = pow(c, d, n)
size = len('{:02x}'.format(p)) // 2
print ''.join([chr((p >> j) & 0xff) for j in reversed(range(0, size << 3, 8))])
def find_invpow(x, n):
high = 1
while high ** n < x:
high *= 2
low = high / 2
while low < high:
mid = (low + high) // 2
if low < mid and mid ** n < x:
low = mid
elif high > mid and mid ** n > x:
high = mid
else:
return mid
return mid + 1
def FullReverse(n, e, c) :
phi = (e * c[1] - 1) // c[0]
a = 1
b = -(n - phi + 1)
c = n
delta = b * b - 4 * a * c
if delta > 0 :
x1 = (- b + find_invpow((b * b - 4 * a * c), 2)) / (2 * a)
x2 = (- b - find_invpow((b * b - 4 * a * c), 2)) / (2 * a)
if x1 * x2 == n:
print 'p = ' + str(x1)
print 'q = ' + str(x2)
if __name__ == "__main__":
n = 744818955050534464823866087257532356968231824820271085207879949998948199709147121321290553099733152323288251591199926821010868081248668951049658913424473469563234265317502534369961636698778949885321284313747952124526309774208636874553139856631170172521493735303157992414728027248540362231668996541750186125327789044965306612074232604373780686285181122911537441192943073310204209086616936360770367059427862743272542535703406418700365566693954029683680217414854103
e = 57595780582988797422250554495450258341283036312290233089677435648298040662780680840440367886540630330262961400339569961467848933132138886193931053170732881768402173651699826215256813839287157821765771634896183026173084615451076310999329120859080878365701402596570941770905755711526708704996817430012923885310126572767854017353205940605301573014555030099067727738540219598443066483590687404131524809345134371422575152698769519371943813733026109708642159828957941
c = 305357304207903396563769252433798942116307601421155386799392591523875547772911646596463903009990423488430360340024642675941752455429625701977714941340413671092668556558724798890298527900305625979817567613711275466463556061436226589272364057532769439646178423063839292884115912035826709340674104581566501467826782079168130132642114128193813051474106526430253192254354664739229317787919578462780984845602892238745777946945435746719940312122109575086522598667077632
d = WienerAttack(e, n, c)
GetTheFlag(c, n, d)
d4rk{r3p34t3ed_RsA_1s_f0r_n00bs}c0de
Tripple FUN (Crypto 120)
IV(DESのkey)のブルートフォースで復号する。8/17に生成されたとみて、IVは34431600からスタートする。PI = [58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7]
CP_1 = [57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4]
CP_2 = [14, 17, 11, 24, 1, 5, 3, 28,
15, 6, 21, 10, 23, 19, 12, 4,
26, 8, 16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55, 30, 40,
51, 45, 33, 48, 44, 49, 39, 56,
34, 53, 46, 42, 50, 36, 29, 32]
E = [32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1]
S_BOX = [
[[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
[0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
[4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
[15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
],
[[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
[3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
[0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
[13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
],
[[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
[13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
[13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
[1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
],
[[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
[13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
[10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
[3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
],
[[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
[14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
[4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
[11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
],
[[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
[10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
[9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
[4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13],
],
[[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
[13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
[1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
[6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12],
],
[[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
[1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
[7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
[2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11],
]
]
P = [16, 7, 20, 21, 29, 12, 28, 17,
1, 15, 23, 26, 5, 18, 31, 10,
2, 8, 24, 14, 32, 27, 3, 9,
19, 13, 30, 6, 22, 11, 4, 25]
PI_1 = [40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25]
SHIFT = [1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1]
def string_to_bit_array(text):
array = list()
for char in text:
binval = binvalue(char, 8)
array.extend([int(x) for x in list(binval)])
return array
def bit_array_to_string(array):
res = ''.join([chr(int(y,2)) for y in [''.join([str(x) for x in bytes]) for bytes in nsplit(array,8)]])
return res
def binvalue(val, bitsize):
binval = bin(val)[2:] if isinstance(val, int) else bin(ord(val))[2:]
if len(binval) > bitsize:
raise "binary value larger than the expected size"
while len(binval) < bitsize:
binval = "0"+binval
return binval
def nsplit(s, n):
return [s[k:k+n] for k in xrange(0, len(s), n)]
ENCRYPT=1
DECRYPT=0
class des():
def __init__(self):
self.password = None
self.text = None
self.keys = list()
def run(self, key, text, action=ENCRYPT, padding=False):
if len(key) < 8:
raise "Key Should be 8 bytes long"
elif len(key) > 8:
key = key[:8]
self.password = key
self.text = text
if padding and action==ENCRYPT:
self.addPadding()
elif len(self.text) % 8 != 0:
raise "Data size should be multiple of 8"
self.generatekeys()
text_blocks = nsplit(self.text, 8)
result = list()
for block in text_blocks:
block = string_to_bit_array(block)
block = self.permut(block,PI)
g, d = nsplit(block, 32)
tmp = None
for i in range(16):
d_e = self.expand(d, E)
if action == ENCRYPT:
tmp = self.xor(self.keys[i], d_e)
else:
tmp = self.xor(self.keys[15-i], d_e)
tmp = self.substitute(tmp)
tmp = self.permut(tmp, P)
tmp = self.xor(g, tmp)
g = d
d = tmp
result += self.permut(d+g, PI_1)
final_res = bit_array_to_string(result)
if padding and action==DECRYPT:
return self.removePadding(final_res)
else:
return final_res
def substitute(self, d_e):
subblocks = nsplit(d_e, 6)
result = list()
for i in range(len(subblocks)):
block = subblocks[i]
row = int(str(block[0])+str(block[5]),2)
column = int(''.join([str(x) for x in block[1:][:-1]]),2)
val = S_BOX[i][row][column]
bin = binvalue(val, 4)
result += [int(x) for x in bin]
return result
def permut(self, block, table):
return [block[x-1] for x in table]
def expand(self, block, table):
return [block[x-1] for x in table]
def xor(self, t1, t2):
return [x^y for x,y in zip(t1,t2)]
def generatekeys(self):
self.keys = []
key = string_to_bit_array(self.password)
key = self.permut(key, CP_1)
g, d = nsplit(key, 28)
for i in range(16):
g, d = self.shift(g, d, SHIFT[i])
tmp = g + d
self.keys.append(self.permut(tmp, CP_2))
def shift(self, g, d, n):
return g[n:] + g[:n], d[n:] + d[:n]
def addPadding(self):
pad_len = 8 - (len(self.text) % 8)
self.text += pad_len * chr(pad_len)
def removePadding(self, data):
pad_len = ord(data[-1])
return data[:-pad_len]
def encrypt(self, key, text, padding=False):
return self.run(key, text, ENCRYPT, padding)
def decrypt(self, key, text, padding=False):
return self.run(key, text, DECRYPT, padding)
if __name__ == '__main__':
enc = '|\xb3Wm\x83\rE7h\xe3\xc0\xf1^Y\xf0\x8d\xa6I\x92\x9b\xa5\xbc\xdc\xca\x9d\xcd\xe9a0\xa3\x00\xf2\x13\x16]|\xae\xd8\x84\x88'
for iv in range(34431600, 100000000):
IV = str(iv).zfill(8)
d = des()
flag = d.decrypt(IV, d.decrypt(IV, d.decrypt(IV, enc)))
if 'd4rk{' in flag:
print IV
print flag
break
d4rk{0h_lol_t1m3_i5_n0t_A_g00d_s33d}c0de
