Where is my girl ?

原题传送门：https://gist.github.com/zealic/38510fd8ecd1be75924a

$wget https://gist.githubusercontent.com/zealic/38510fd8ecd1be75924a/raw/0cc9241ed25843af6664ced2654bf30d8567e464/Email -O portal.bin

begin 777 portal.bin
M(R!796QC;VUE#0H-"B,C($ME>0T*#0I24T$@4'5B;&EC($ME>3H@*$XL(#<I
M#0I.(#T@,C,S("H@30T*32!I<R!T:&4@9W)E871E<W0@9F]U<BUD:6=I="!P
M<FEM92!T:&%T(&UA:V5S($X@96YD('=I=&@@,C,S#0H-"B,C($5N8W)Y<'1E
M9"!!=61I="!142!G<F]U<"!N=6UB97(-"@T*5&AE($%U9&ET(%%1(&=R;W5P
M(&YU;6)E<B!I<R!E;F-R>7!T960@=VET:"!T:&4@*BI24T$@4'5B;&EC($ME
M>2HJ+@T*#0I@8&`-"D-/3D-!5"A$14-265!4*#$Y-S,W,BDN=&]3=')I;F<H
M*2P@1$5#4EE05"@S,S,P-SDI+G1O4W1R:6YG*"DI#0I@8&`-"@T*(R!#05!4
M0TA!#0I5<V4@=&AI<R!G:7-T(')E=FES:6]N(&`W9#(S939E.3DY-&)B-F9A
M93@W-&1A8C,U930V9F0W-6(Y9&0Q-6)E8"!R97-U;'0@87,@0T%05$-(02X-
!"@``
`
end

一脸懵逼……直接用 python magic 测试文件：

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import magic

def main():
    with open("raw") as f:
        print magic.from_buffer(f.read())

if __name__ == "__main__":
    main()

结果是：uuencoded or xxencoded, ASCII text. 继续，使用python uu decode一下：

import uu

uu.decode("raw")

得到 portal.bin 文件：

# Welcome

## Key

RSA Public Key: (N, 7)
N = 233 * M
M is the greatest four-digit prime that makes N end with 233

## Encrypted Audit QQ group number

The Audit QQ group number is encrypted with the **RSA Public Key**.

```
CONCAT(DECRYPT(197372).toString(), DECRYPT(333079).toString())
```

# CAPTCHA
Use this gist revision `7d23e6e9994bb6fae874dab35e46fd75b9dd15be` result as CAPTCHA.

RSA 加解密，依题意得：M = 9001， N=233*9001，e=7，p=233，q=9001，O(n) = 232*9000，求模反元素d 使得：e*d % O(n)  = 1 ，

即：e*d = w*O(n) + 1，w 为整数；穷举一下，w=4，d=1193143

所以Public key = (233*9001, 7), Private key = (233*9001, 1193143)

from rsa.key import PrivateKey

def decrypt(s):
    p, q = 233, 9001
    n = p * q
    e = 7
    d = 1193143
    key = PrivateKey(n, e, d, p, q)
    return key.blinded_decrypt(s)

QQ group number is done.

$wget https://gist.githubusercontent.com/zealic/38510fd8ecd1be75924a/raw/7d23e6e9994bb6fae874dab35e46fd75b9dd15be/Email -O raw2

重复上面的步骤获取 question.bin，发现内容乱码……用strings命令打印一下

$strings questions.bin
7zXZ
*DMR
!k@#=
Xn
T)s3
H_AI
'|Ws)

所以这是一个 7z 压缩文件？

$7z e questions.bin

得到 questions 文件：

79955ff7576a0f5a167b3ccb506bed3a d46b6f8c1ea3b812c2bba0edc0e63c85 | Roman Hitman
================================================================
H4sIAAAAAAACA1WPT0+DQBDF7/spRgTttbRsZRPZ1d1Fwg0OBYKEhWqMlwZBqjaF
z+7Win8ylzeT95u8F8Otj4UkjIrCcxCKYzCmA0KqAMvFYFMRYA6SwTVZ4RykvvmU
3GEu9GZTB7DWoXQJvdqi6gRJTKULPVkwai+XBKjvLTDforqAeTsObWMlnS1x0XPm
7XEYMO4k0a6fgcBU6N/g2GGUFj3jni2T6HDouiiH6N0c758eSxWlOXzxAwt+TF3n
edr0z5bOdSv4YITChYkMA3ac+TfPKDuJ71xABGTZlKuuFIxq87CBF1XqUapMs0wj
l5iTVQhtc2a1b80Rmrqs9+scmsGcvZ4nhkp/dfVH18c0n2XEkwVzAQAA

下半部分的内容估计是 base64？单独保存为 raw3 做进一步分析：

import base64

with open("raw3") as f:
    print magic.from_buffer(base64.b64decode(f.read()))

结果是 gzip 后的base64encode：

gzip compressed data, max compression, from Unix

那就base64decode后 gzip -d 回来，得到文件：

R BF6DE:@?D]>5

RR "F6DE:@?D

`] %96 2?DH6C E@ =:76[ E96 F?:G6CD6[ 2?5 6G6CJE9:?8n
a] %96 E6?E9 u:3@?244: ?F>36Cn
b] 1r~}rp%Ws2E6]uC@>z6JH@C5WQvu( D6?D:G6 52JQX]u@C>2EWQ||ssQ[ Qx$~\ge_`QX[ s2E6]}@H]u@C>2EWQss>>Q[ [ Qx$~\ge_`QXX1

R y@:? &$
"" vC@FAi
Y vC@FA ?F>36C :D YYr~}rp%Wsba` ~`cdc q`_`_```_XYY
Y '6C:7J rp!%rwp :D 1r~}rp%WVzV[ p}$(t#W"`X[ p}$(t#W"aX[ p}$(t#W"bXX1

仔细留到中间三行的首字母依次为 ` a b ， 在 ascii码表中，这三个字符是连续的96，97， 98.

根据上面提到的 Roman Hitman，看了下 wiki，留意到代号47？所以这三个字符可以转换为 1， 2， 3，貌似刚好。测试一下其他字符，写个转换的函数：

def hitman(data):
    code = 47
    result = ""
    for w in data:
        if w in (" ", "\n"):
            result += w
        elif 32 <= (ord(w) + 47) <= 126:
            result += chr(ord(w) + 47)
        else:
            result += chr(ord(w) - 47)

    return result

所以得到一个md：

# questions.md

## Questions

1. The answer to life, the universe, and everything?
2. The tenth Fibonacci number?
3. `CONCAT(Date.FromKeyword("GFW sensive day").Format("MMDD", "ISO-8601"), Date.Now.Format("DDmm", , "ISO-8601"))`

# Join US
QQ Group:
* Group number is **CONCAT(D321 O1454 B10101110)**
* Verify CAPTCHA is `CONCAT('K', ANSWER(Q1), ANSWER(Q2), ANSWER(Q3))`

三个问题：

1. = 42
2. = 55
3. = ……

QQ号码 = str(321) + str(int(“1454”, 8)) + str(int(“10101110”, 2))

CAPTCHA = KQ1Q2Q3

========================= 强迫症会死 ==============================

虽然推导完了，但是有没有留意到还有一个信息未解：

79955ff7576a0f5a167b3ccb506bed3a d46b6f8c1ea3b812c2bba0edc0e63c85 | Roman Hitman

Roman Hitman已经知道了， 而前面两个是干嘛用的呢？

一脸懵逼……

一脸懵逼……

一脸懵逼……

猜测是md5，破解一下：

hashlib.md5("-n 71\n").hexdigest() = 79955ff7576a0f5a167b3ccb506bed3a
hashlib.md5("-n 90\n").hexdigest() = d46b6f8c1ea3b812c2bba0edc0e63c85

71和90的对应 ascii 刚好为 g z 两个字母……

———————————————————————————————————–

Done!

But…… where is my girl ?