CTF compressed package analysis

Brute force

Use ARCHPR

Plaintext attack

A plaintext attack applies when you have an encrypted ZIP together with an unencrypted copy of one of the files inside it. Since all files in the same ZIP package are encrypted with the same key, the known file can be used to recover the key and then decrypt the rest of the ZIP.

Problem-solving ideas:

Suppose the challenge provides a picture and a compressed package. The package turns out to be encrypted, and it contains a picture with the same name as the picture outside it, so a plaintext attack is the natural guess. After compressing the outside picture with the same software, the CRC32 of the picture inside the package and of the newly compressed picture are found to be identical, which confirms that a plaintext attack is possible.

practice:

Open ARCHPR, open the compressed package to be decrypted, set "Type of attack" to "Plain-text", and in the "Plain-text" tab select the archive you just created by compressing the picture. Click "Start" to begin cracking and obtain the key.

[Note: different compression software uses different compression algorithms. The archive you compress yourself must use the same compression algorithm as the archive given in the challenge for the plaintext attack to work (common compression software: HaoZip, WinRAR, 7z, KuaiYa, 360 Zip).]

CRC32 collision (suitable for compressed files whose contents are very small)

The full name of CRC is Cyclic Redundancy Check. Constants of different lengths correspond to different CRC algorithms (CRC32 produces a 32-bit value). A CRC can be used to check whether a file has been corrupted, but it cannot be used for automatic error correction.

Problem-solving ideas:

Decompress the challenge file; if it turns out to contain many small compressed packages, try a CRC32 collision.

practice:

Write a script that uses CRC32 collisions to recover the contents of every file in the compressed packages.

Reference script written by an expert (adapted to Python 3):
import zipfile
import string
import binascii
import itertools

# Character set the file contents are assumed to be drawn from (base64 alphabet)
dic = string.ascii_letters + string.digits + '+/='

def CrackCrc(crc, out):
    # Try every 3-character string over dic until one has the target CRC32.
    # For 4-byte files, change repeat=3 to repeat=4 (the search grows by a factor of len(dic)).
    for combo in itertools.product(dic, repeat=3):
        s = ''.join(combo)
        # In Python 2.x binascii.crc32 returned a signed integer in [-2^31, 2^31-1], so the result
        # had to be masked with & 0xffffffff to compare it with an ordinary CRC. In Python 3.x the
        # result is already an unsigned integer in [0, 2^32-1], so the mask is harmless but unneeded.
        if crc == (binascii.crc32(s.encode()) & 0xffffffff):
            out.write(s)
            return

def CrackZip(out):
    for i in range(36):
        name = 'flag' + str(i) + '.zip'
        with zipfile.ZipFile(name, 'r') as zf:
            # The CRC32 of flag.txt is stored in the archive's directory entry and can be
            # read without the password; it is the value the collision has to match.
            crc = zf.getinfo('flag.txt').CRC
        CrackCrc(crc, out)

with open('out.txt', 'w') as f:
    CrackZip(f)

If the compressed file is 6 bytes long:

Available tool: https://github.com/theonlypwner/crc32

Usage:
python crc32.py reverse <crc32 value in hexadecimal>

zip pseudo encryption

Composition: compressed source file data area + compressed source file directory area (central directory) + end of central directory record
The ZIP local file header signature is fixed as 50 4B 03 04
The central directory entry signature is 50 4B 01 02
The end of central directory signature is 50 4B 05 06

Problem-solving ideas

Look at the general purpose bit flag in the central directory entry of the compressed source file

50 4B 01 02 3F 00 14 00 09 00
Bytes 9 and 10 (00 00 when no encryption is flagged) are the general purpose bit flag; it determines whether the archive is treated as encrypted (this is the key to pseudo-encryption).
[Note: of the four hex digits of the general purpose bit flag, only the second digit affects encryption; whatever the other digits are, they do not change the encryption attribute!]
Second digit odd -> encrypted
Second digit even -> not encrypted
practice

Change the general purpose bit flag to 00 00
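To show the detection and the fix in code, here is an added example (not from the original post) that walks the central directory of a ZIP, reports bit 0 of the general purpose bit flag in each central directory entry and its local file header, clears it, and reads the member back. The sample archive is constructed in memory; the file name flag.txt and its contents are made up for the demonstration.

```python
import io
import struct
import zipfile

# Flag offsets from the layout above: 8 in a central directory entry (50 4B 01 02),
# 6 in a local file header (50 4B 03 04). Bit 0 of the flag is the "encrypted" bit.
EOCD_SIG, CEN_SIG = b"PK\x05\x06", b"PK\x01\x02"

def entries(data):
    """Walk the central directory and yield (central_entry_offset, local_header_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("end of central directory record (50 4B 05 06) not found")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield pos, struct.unpack_from("<I", data, pos + 42)[0]
        pos += 46 + name_len + extra_len + comment_len

def encryption_bits(data):
    """Bit 0 of the flag as (central directory, local header) for every member."""
    return [(data[cd + 8] & 1, data[loc + 6] & 1) for cd, loc in entries(data)]

def set_encryption_bit(data, value):
    """Set or clear bit 0 of every general purpose bit flag; file data is left untouched."""
    out = bytearray(data)
    for cd, loc in entries(out):
        for off in (cd + 8, loc + 6):
            out[off] = (out[off] & 0xFE) | (1 if value else 0)
    return bytes(out)

def needs_password(data):
    """True if zipfile refuses to read the first member without a password."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    try:
        zf.read(zf.namelist()[0])
        return False
    except RuntimeError:  # "File ... is encrypted, password required for extraction"
        return True

def make_pseudo_encrypted_sample():
    """Constructed sample: a plain archive whose encryption bit is set with no real cipher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    return set_encryption_bit(buf.getvalue(), True)

def recover(data):
    """Clear the bit (the 'change the flag to 00 00' step) and read the member back."""
    with zipfile.ZipFile(io.BytesIO(set_encryption_bit(data, False))) as zf:
        return zf.read(zf.namelist()[0])
```

If the data really is encrypted, clearing the bit makes the read fail its CRC check instead of succeeding, which is how you tell pseudo-encryption from real encryption.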

Hiding the compressed package in a picture

Separate with binwalk or foremost

Take a jpg file as an example: a jpg file ends with FF D9, and image viewers ignore whatever follows FF D9, so other files can be appended after it.

For such problems, drag the picture into a hex editor and inspect the file structure.

Or run binwalk / foremost in Kali directly to scan the picture and carve out the embedded file.

Source: www.cnblogs.com/NPFS/p/12681213.html