Hackthissite realistic 6

最新推荐文章于 2023-12-13 14:24:30 发布

原创最新推荐文章于 2023-12-13 14:24:30 发布 · 5.3k 阅读

2 ·

CC 4.0 BY-SA版权

文章标签：

#hack #hackthissite

web安全专栏收录该内容

6 篇文章

订阅专栏

本文介绍了一种名为XECryption的加密算法破解过程。通过对加密结果的规律分析，揭示了加密算法背后的数学原理，并成功解密了一封加密邮件。

题目提供了一个加解密的算法XECryption algorithm

首先找规律，text输入1，password不输入，发现加密结果是.19.31.-1，再点一下发现结果变了.43.11.-5，经过几次实验之后发现每次结果都不一样，但是加起来都等于49,也就是字符1的ascii的十进制的值。

输入其他字符验证一下，发现三个数相加都是对应字符的十进制的值。

text输入1,password中输入1，结果.14.49.35，再点一下.43.49.6，发现三个数之和是49+49

text输入1,password中输入12,结果.75.58.15，发现三个数之和是49+49+50

通过别的字符进行进一步验证，可以发现规律如下：

res[0]+res[1]+res[2] = dec(text) + dec(password[0]) + dec(password[1]) + ... +dec(password[len_pass - 1])

解题思路：

提供的加密的encrypt text首先三个数一组计算出和，由于是mail message，我们可以肯定是可以打印的肉眼能看到的字符，所以字符范围为20-176,也就是说password的取值必须保证解密出来的ascii字符在20-176之间，所以我们需要知道计算出来的和的最大值和最小值，password也得是可见字符，也必须落在20-176之间。

我们可以看到前面几个的和为845, 859, 871, 879, 863，我们有理由怀疑前面几个字符跟人名或者是dear之类的单词有关

I have done some packet sniffing on my network and I have recovered this email that was sent from the CEO of the company to Chief Ecological Inspector Samuel Smith. However, it is encrypted and I cannot seem to decode it using any of my basic decryption tools.

我们发现前面几个的和之间的差正好等于Samuel几个字母之间的差，所以我们可以得到下面的结论

dec(password[0]) + dec(password[1]) + ... +dec(password[len_pass - 1]) = 845 - 83 = 762

这是一个多元一次方程 x+y+...+z = 762

有无穷多个解。

但是限制在所有的字符都在20-176之间，这个就需要猜了。我们需要首先知道password的长度，我们先算一个平均值。试探得知762/6=127发现是DEL字符，不可见。

762/7 = 108，是字符l, 762%7 = 6, 108+6 = 114,字母r,所以我们的密码可以为llllllr

python源码如下：

from __future__ import print_function
str = """296.294.255.268.313.278.311.270.290.305.322.252.276.286.301.305.264.301.251.269.274.311.304.
230.280.264.327.301.301.265.287.285.306.265.282.319.235.262.278.249.239.284.237.249.289.250.
282.240.256.287.303.310.314.242.302.289.268.315.264.293.261.298.310.242.253.299.278.272.333.
272.295.306.276.317.286.250.272.272.274.282.308.262.285.326.321.285.270.270.241.283.305.319.
246.263.311.299.295.315.263.304.279.286.286.299.282.285.289.298.277.292.296.282.267.245.304.
322.252.265.313.288.310.281.272.266.243.285.309.295.269.295.308.275.316.267.283.311.300.252.
270.318.288.266.276.252.313.280.288.258.272.329.321.291.271.279.250.265.261.293.319.309.303.
260.266.291.237.299.286.293.279.267.320.290.265.308.278.239.277.314.300.253.274.309.289.280.
279.302.307.317.252.261.291.311.268.262.329.312.271.294.291.291.281.282.292.288.240.248.306.
277.298.295.267.312.284.265.294.321.260.293.310.300.307.263.304.297.276.262.291.241.284.312.
277.276.265.323.280.257.257.303.320.255.291.292.290.270.267.345.264.291.312.295.269.297.280.
290.224.308.313.240.308.311.247.284.311.268.289.266.316.299.269.299.298.265.298.262.260.337.
320.285.265.273.307.297.282.287.225.302.277.288.284.310.278.255.263.276.283.322.273.300.264.
302.312.289.262.236.278.280.286.292.298.296.313.258.300.280.300.260.274.329.288.272.316.256.
259.279.297.296.283.273.286.320.287.313.272.301.311.260.302.261.304.280.264.328.259.259.347.
245.291.258.289.270.300.301.318.251.305.278.290.311.280.281.293.313.259.300.262.315.263.319.
285.282.297.283.290.293.280.237.234.323.289.305.279.314.274.291.309.273.294.249.283.262.271.
286.310.305.306.261.298.282.282.307.287.285.305.297.275.306.280.292.291.284.301.278.293.296.
277.301.281.274.315.281.254.251.289.313.307.244.256.302.301.317.305.239.316.274.277.296.269.
305.301.279.287.317.284.277.305.298.264.304.286.273.275.293.309.286.282.240.287.239.268.269.
267.315.311.292.270.271.272.336.282.237.275.316.306.239.305.314.240.296.306.270.247.245.302.
317.316.241.291.310.266.274.274.313.288.262.319.280.276.238.297.295.287.285.288.301.272.275.
247.305.292.286.272.310.291.301.322.256.315.298.263.281.276.237.294.284.296.284.302.273.298.
287.298.301.265.305.270.315.278.283.302.287.263.270.345.258.270.266.302.309.262.260.277.327.
263.277.254.283.276.239.272.264.276.279.264.267.298.264.244.245.273.292.289.273.248.259.263.
288.290.294.210.288.268.311.318.312.242.285.293.216.262.276.340.292.299.275.259.293.311.234.
266.294.278.307.286.267.307.285.269.310.288.274.270.326.273.276.311.304.267.302.318.265.299.
263.283.248.257.314.288.321.321.236.284.283.227.320.312.246.261.289.316.288.263.312.241.265.
288.298.286.287.274.306.279.276.289.307.303.293.281.298.317.252.312.283.278.263.304.305.258.
266.270.294.286.293.290.291.291.258.254.282.282.283.313.268.282.316.310.299.254.264.234.296.
270.265.326.288.292.293.321.305.250.320.299.253.270.296.297.298.266.312.234.273.287.309.286.
278.269.279.316.284.276.234.293.255.267.242.253.318.270.246.278.292.285.282.314.266.292.286.
263.313.249.290.255.289.264.292.301.299.278.291.292.225.250.261.283.303.262.264.264.303.299.
297.274.288.267.293.316.320.317.233.303.258.302.271.283.323.247.279.268.312.269.297.313.280.
280.273.266.332.276.313.284.281.316.279.290.273.313.308.305.260.302.306.273.234.279.281.284.
298.278.259.290.314.275.264.339.293.322.266.261.296.306.277.275.311.284.270.318.259.249.286.
292.301.285.280.303.283.287.299.277.273.293.228.311.283.272.304.292.277.271.306.302.278.298.
300.287.281.309.243.272.279.282.300.291.295.284.285.252.291.251.285.283.245.250.252.318.298.
277.235.288.259.263.278.274.307.261.260.350.250.288.256.282.316.261.285.295.292.300.298.264.
245.241.308.301.261.253.289.264.267.300.262.248.287.257.266.275.287.297.320.287.264.279.297.
232.231.256.288.243.252.277.274.245.256.253.229.290.263.305.278.260.294.312.283.301.275.276.
299.297.312.275.282.294.272.228.302.324.257.261.286.326.280.283.316.294.254.258.275.264.236.
240.277.255.231.258.286.242.277.253.296.290.250.314.320.239.292.313.261.294.261.317.273.285.
236.292.282.271.264.297.300.272.308.299.300.269.301.269.317.284.286.262.315.276.279.328.269.
254.252.232.272.268.309.273.264.296.305.272.267.291.324.302.297.268.268.263.298.300.261.312.
241.254.299.280.263.292.260.301.311.317.297.248.314.272.293.298.281.298.276.311.291.297.318.
261.274.300.293.297.267.295.261.275.334.289.238.267.289.283.257.300.262.304.311.278.274.265.
261.345.301.296.270.273.299.289.274.272.313.282.268.320.287.320.270"""
text = str.split('.')

acc_list = []
for i in range(0, len(text)-2, 3):
    x = int(text[i])+int(text[i+1])+int(text[i+2])
    acc_list.append(x)
print(len(acc_list))
print(acc_list)
print(max(acc_list))
print(min(acc_list))

passwd = "llllllr"
pass_acc = 0
for j in range(0, len(passwd)):
    pass_acc += ord(passwd[j])
#the first word is "Samuel", so pass_acc = 845 - 83 = 762
for i in range(0, len(acc_list)):
    print (chr(acc_list[i]-pass_acc), end='')

运行可以发现打印出来的解密email如下：

Samuel Smith

Thank you for looking the other way on the increased levels of toxic chemicals in the river running alongside our industrial facilities. You can pick up your payment of $20,000 in the mailbox at the mansion on the corner of 53 and St. Charles tomorrow between the hours of 3:00am and 5:00am.

Thank you,

John Sculley
ToxiCo Industrial Chemicals

现在就可以发送message给ToxiCo_Watch了。

点击网站用户名下面的HTS Messages Center，然后点击右面的Compose链接，会看到send message，然后就可以发送message了。