trytodecrypt.com — easy (1-6)

Posted on In Views: Disqus:

tryptodecrypt.com

字符集 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?!(71 个字符)。

easy 都是简单替换密码。

网站给一个加密工具,输入明文返回密文。脚本就利用这个 oracle 做 Chosen-Plaintext Attack。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import subprocess, re, sys
C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "

def encrypt(text_id, text, cookie=""):
    cmd = ["curl", "-s"]
    if cookie:
        cmd += ["-b", cookie]
    cmd += [f"https://www.trytodecrypt.com/decrypt.php?id={text_id}",
            "-d", f"text={text}&encrypt=Encrypt"]
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    m = re.findall(r"panel-body[^>]*>([0-9a-fA-F]+)</div>", r.stdout)
    return m[1] if len(m) >= 2 else None

def build_mapping(text_id, step, cookie=""):
    mapping = {}
    for i in range(0, len(C), 20):
        batch = C[i:i+20]
        enc = encrypt(text_id, batch, cookie)
        if enc:
            for j, ch in enumerate(batch):
                mapping[enc[j*step:(j+1)*step]] = ch
    return mapping

def decode(ct, step, mapping):
    return "".join(mapping.get(ct[i:i+step], "?") for i in range(0, len(ct), step))

if __name__ == "__main__":
    text_id, step = int(sys.argv[1]), int(sys.argv[2])
    ct = sys.stdin.read().strip() if not sys.stdin.isatty() else input("密文: ").strip()
    mapping = build_mapping(text_id, step)
    print(decode(ct, step, mapping))

Text 1

131017171A48221A1D170F

偏移 2。

1
2
3
4
5
6
7
C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "
OFF = 2
def dec(s):
    r = []
    for i in range(0, len(s), 2):
        r.append(C[int(s[i:i+2], 16) - OFF])
    return "".join(r)
hello world

Text 2

4A3E374A4973483F3D3E4A

偏移 42(ASCII 表偏移)。

1
2
3
4
5
6
C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "
def dec(s, OFF=42):
    r = []
    for i in range(0, len(s), 2):
        r.append(C[int(s[i:i+2], 16) - OFF])
    return "".join(r)
thats right

Text 3

0A0B1339150B1139070A0B13390510

偏移 -13(58 mod 71)。hex 值小于 13 时直接减会负索引,需要 % 71

1
2
3
4
5
6
C = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.,;:?! "
def dec(s, OFF=-13):
    r = []
    for i in range(0, len(s), 2):
        r.append(C[(int(s[i:i+2], 16) - OFF) % len(C)])
    return "".join(r)
now you know it

Text 4

0C02D8010D0C02D8010606D8101402FCD80F0603D8FC0600DA

enc = (30 - charset_pos) % 256

1
2
3
$ python script.py 4 2
密文: 0C02D8010D0C02D8010606D8101402FCD80F0603D8FC0600DA
****
is this too easy for you?

Text 5

90DE633F425148DE51546CDE725466DE3F2A6936DE4263CCDEAB362A3372DE39545DDE633F36DE51366F63DE545136D8

enc = charset_pos * 3 + 12

1
2
3
$ python script.py 5 2
密文: 90DE633F425148DE51546CDE725466DE3F2A6936DE4263CCDEAB362A3372DE39545DDE633F36DE51366F63DE545136D8
************************************************
I think now you have it. Ready for the next one?

Text 6

4D586CFC2DB449D47B0CF99C3BC46CFC7B0C

固定 4-hex 替换表。

1
2
3
$ python script.py 6 4
密文: 4D586CFC2DB449D47B0CF99C3BC46CFC7B0C
*********
lucky guy