Solve for 5CTF Disorderly2

README.md

https://www.nom.fish/write-up/5charlie-ctf-disorderly2/

Brute force + hand-solve for 5CTF's Discorderly2 challenge. It's not pretty but it does the job.

python3 brute_solve.py

brute_solve.py

#!/usr/bin/env python3

import itertools
import re
from multiprocessing import Pool

from disorderly2 import decrypt

FLAG_PTRN = re.compile(r"flag{[a-zA-Z0-9$!@_-]+}")

with open("encoded.txt") as f:
    encmsg = f.read().strip()


def alphagen():
    # Generate all possible usable alpabets
    ALPHABET = list("beghiklnptuv")  # Removed known
    a0 = ["x", "y", "m", "j", "r"]  # Delim
    a1 = ["f", "c", "a"]  # 64
    a2 = ["w", "d", "z"]  # 32
    a3_sub = [c for c in ALPHABET if c not in a2]
    for a3 in list(itertools.combinations(a3_sub, 3)):  # 16
        a4_sub = [c for c in a3_sub if c not in a3]
        for a4 in list(itertools.combinations(a4_sub, 3)):  # 8
            a5_sub = [c for c in a4_sub if c not in a4]
            for a5 in list(itertools.combinations(a5_sub, 3)):  # 4
                a6_sub = [c for c in a5_sub if c not in a5]
                for a6 in list(itertools.combinations(a6_sub, 3)):  # 2
                    a7_sub = [c for c in a6_sub if c not in a6]
                    a7 = ("s", "o", "q")  # 1
                    yield "".join(
                        list(itertools.chain(*[a1, a2, a3, a4, a5, a6, a7, a0]))
                    )


def do_work(alphabet):
    decmsg = decrypt(encmsg, alphabet)
    if re.search(FLAG_PTRN, decmsg) and "congratulations" in decmsg.lower():
        print("FOUND: {}\nABET: {}".format(decmsg, alphabet))


with Pool(6) as pool:  # 6-core multiprocessing pool
    pool.map(do_work, alphagen())  # Distribute work across cores

disorderly2.py

#!/usr/bin/python

# Provided by 5CTF Round 4

from random import choice, shuffle
from re import split as resplit


def encrypt(message, rnd=False, alphabet="abcdefghijklmnopqrstuvwxyz"):
    if len(alphabet) != 26:
        return ("error", "alphabet must be 26 letters")
    if rnd:
        alphabet = [alphabet[x] for x in range(len(alphabet))]
        shuffle(alphabet)
        alphabet = "".join(alphabet)
    bits = {
        64: alphabet[0:3],
        32: alphabet[3:6],
        16: alphabet[6:9],
        8: alphabet[9:12],
        4: alphabet[12:15],
        2: alphabet[15:18],
        1: alphabet[18:21],
    }
    endbit = alphabet[21:26]
    output = ""
    for letter in range(len(message)):
        letter = message[letter]
        crypt_letter = ""
        for bit in bits.keys():
            if ord(letter) & bit:
                crypt_letter += choice(bits[bit])
        crypt_letter = list(crypt_letter)
        shuffle(crypt_letter)
        crypt_letter = "".join(crypt_letter) + choice(endbit)
        output += crypt_letter
    return (alphabet, output)


def decrypt(message, alphabet="abcdefghijklmnopqrstuvwxyz"):
    if len(alphabet) != 26:
        return ("error", "alphabet must be 26 letters")
    bits = {
        64: alphabet[0:3],
        32: alphabet[3:6],
        16: alphabet[6:9],
        8: alphabet[9:12],
        4: alphabet[12:15],
        2: alphabet[15:18],
        1: alphabet[18:21],
    }
    endbit = alphabet[21:26]
    letters = resplit("[" + endbit + "]", message)
    output = ""
    for letter in letters:
        byte_value = 0
        for part in range(len(letter)):
            for k, v in bits.items():
                if letter[part] in v:
                    byte_value += k
                    break
        if byte_value:
            output += chr(byte_value)
    return output

encoded.txt

ctlvoxqzgiaumcpuokwxuzbgmdxqaixdxgwufeojwqarvwckomvzgiaywhqtjcdplmdmowgajhpcwerfqgdxabpdvjzjvfqewreapqdjcdvlrowtcyzjczgljdicmzoarwcepmzmpambodcrduscerncphdojcdvkmwapxpcswyeuazjpdiareczonjdjslzmzjvszarioaugwxawtqkxigczmpzfydrwhfjtoawrwxkhozaxbwgusfjtdifjlctuwrfsgdytzaxvpbzjdmzrasuyozcvngxiagdvrvwapsyawkvjcqwxedgamtokazydgifxzcoxkwtcmdconxnpwvfoyatwuijqflzvywoyzrzxansmhtzsmbtofzjzmuzamcwsmczkhsjdanoyhcozjzfomazbpyadbtrnlaodrzyiawvygoadkrdqualyftezywjdotevcrehawmciqwxlwapjswbampfihzjozcghjwxqgczhnjgoadlrzlgcrzmswfrwychwjzestcmfwigvxuaozywciyzxiqagvdxfpvzxwxazquglyqndvgcxuzkfydgfmdflvqxdrkzsfuyqzuciprwridaokjipdquajqlcgzydxndcrqzarvplwcxgcwomwycpdiojofiugdyuzfejsgfzjwycpzmwqcrldapjazsjdjkpadxsfidugmzmvloadpxnuogwcrhldfrqczuijwmugdaskxqadbjtwalrifdxphwbrzywygauobmgeczycwnjawgorlwhcxvpqldamowanmqeavdjzcogjdmnawsxwgckxdmqtcvlzjcwpuqnyqzgfkxgnzargczjwxcwvygqczxdmbfdtoxotiwvarewvcrdpsajdxgcdywasnragzvxzpcujcsdbyhdfsmopedfmbzparpaedjpiwvydxdrocjgzcvbrzclqbxowkgaujszaxblfwqxbgzjdmqznaejtihswcxdcstexdalvjdywghcmtbwfjzqcjczqgujzxbszaycezuqrwmtzauyfizgyqdfrswatvyocvbezypkzcjnzcysazgjilfguoyzfuktqrhanzpqrehadmatndjgwcjqickthjsfziyldohayophcblrdvatmqfdnrhztnfmfowxcbwtjgdbcxlbqwcynaqlvgrawobmbwavgjqnkcphyangzqumvkzaxtfzrtfsdykdchxfbgkvsjewpamfzbjecwhrgnhoazrkotwfyhcwtsjcnzjqlghbaxzsfpjdncvprlczgyeavzywihqgfxlczrdnceqjtikwcsm

encoded_work.txt

ctlvo
qzgiau
cpuokw
uzbg
 
qai
 
gwufeo
wqa
vwcko
vzgia
whqt
cdpl
 
owga
hpcwe
fqgd
abpdv
 
vfqew
eapqd
cdvl
owtc
 
czgl
dic
zoa
wcep
 
pa
bodc
dusce
ncphdo
cdvk
wap
pcsw
euaz
pdia
eczon
 
slz
 
vsza
ioaugw
awtqk
igcz
pzf
 
whf
toaw
 
khoza
bwgusf
tdif
lctuw
fsgd
tza
vpbz
 
 
C   asu     1   2   4   8   16  32  64
o   ozcvng  1   2   4   8   16  32  64
n   iagdv   1   2   4   8   16  32  64
g   vwaps   1   2   4   8   16  32  64
r   awkv    1   2   4   8   16  32  64
a   cqw     q   2   4   8   16  w   c
t   edga    1   2   4   8   16  32  64
u   tokaz   1   2   4   8   16  32  64
l   dgif    1   2   4   8   16  32  64
a   zco     o   2   4   8   16  z   c
t   kwtc    1   2   4   8   16  32  64
i   dcon    1   2   4   8   16  32  64
o   npwvfo  1   2   4   8   16  32  64
n   atwui   1   2   4   8   16  32  64
s   qflzv   1   2   4   8   16  32  64
!   wo      o   2   4   8   16  w   64
 
 
ans
htzs
btofz
 
uza
cws
czkhs
dano
hcoz
zfo
azbp
adbt
nlaod
 
iawv
goadk
dqual
ftez
 
dotevc
ehaw
ciqw
lwap
swba
pfihz
ozcgh
 
qgczhn
goadl
zlgc
 
a   swf     s   2   4   8   16  w  f
 
chw
zestc
fwigv
uaoz
wci
 
iqagvd
fpvz
 
azqugl
qndvgc
uzkf
dgf
dflvq
 
kzsfu
qzucip
 
idaok
ipdqua
qlcgz
 
ndc
qza
vplwc
gcwo
 
cpdio
ofiugd
uzfe
sgfz
 
cpz
wqc
ldap
azs
 
kpad
sfidug
 
vloadp
nuogwc
hldf
qczui
 
ugdask
qadb
twal
ifd
phwb
 
 
gauob
gecz
cwn
awgo
lwhc
vpqlda
owan
qeavd
zcog
 
naws
wgck
 
qtcvlz
cwpuqn
qzgfk
gnza
gcz
 
cwv
gqcz
 
bfdto
otiwva
ewvc
dpsa
 
gcd
wasn
agzv
zpcu
csdb
hdfs
opedf
bzpa
paed
piwv
 
 
oc
gzcvb
zclqb
owkgau
sza
blfwq
bgz
 
qznae
tihswc
dcste
dalv
 
wghc
tbwf
zqc
czqgu
 
bsza
cezuq

1   2   4   8   16  32  64

f   tzau    1   tu  tu  8   16  z   a
l   fizg    1   ig  ig  8   16  z   f
a   qdf     q   2   4   8   16  d   f
g   swatv   s   tv  tv  8   16  w   a
{   ocvbez  obe ovbeovbeobe 16  z   c
    pkzc    1   2   4   8   16  32  64
    nzc     1   2   4   8   16  32  64
    sazg    1   2   4   8   16  32  64
    ilfguo  1   2   4   8   16  32  64
    zfuktq  1   2   4   8   16  32  64
    hanzpq  1   2   4   8   16  32  64
    ehad    1   2   4   8   16  32  64
    atnd    1   2   4   8   16  32  64
    gwc     1   2   4   8   16  32  64
    qickth  1   2   4   8   16  32  64
    sfzi    1   2   4   8   16  32  64
    ldoha   1   2   4   8   16  32  64
    ophcbl  1   2   4   8   16  32  64
    dvat    1   2   4   8   16  32  64
    qfdn    1   2   4   8   16  32  64
    hztnf   1   2   4   8   16  32  64
    fow     1   2   4   8   16  32  64
    cbwt    1   2   4   8   16  32  64
    gdbc    1   2   4   8   16  32  64
    lbqwc   1   2   4   8   16  32  64
    naqlvg  1   2   4   8   16  32  64
    awob    1   2   4   8   16  32  64
    bwavg   1   2   4   8   16  32  64
    qnkcph  1   2   4   8   16  32  64
    angzqu  1   2   4   8   16  32  64
    vkza    1   2   4   8   16  32  64
    tfz     1   2   4   8   16  32  64
    tfsd    1   2   4   8   16  32  64
    kdch    1   2   4   8   16  32  64
    fbgkvs  1   2   4   8   16  32  64
    ewpa    1   2   4   8   16  32  64
    fzb     1   2   4   8   16  32  64
    ecwh    1   2   4   8   16  32  64
    gnhoaz  1   2   4   8   16  32  64
    kotwf   1   2   4   8   16  32  64
    hcwts   1   2   4   8   16  32  64
    cnz     1   2   4   8   16  32  64
    qlghba  1   2   4   8   16  32  64
    zsfp    1   2   4   8   16  32  64
    dncvp   1   2   4   8   16  32  64
    lczg    1   2   4   8   16  32  64
    eavz    1   2   4   8   16  32  64
    wihqgf  1   2   4   8   16  32  64
    lcz     1   2   4   8   16  32  64
    dnceq   1   2   4   8   16  32  64
}   tikwcs  s   ti  ti  k   16  w   c

solve.txt

21! / (3!*3!*3!*3!*3!*3!*3!)

The letters are shuffled except for endbits, so we should see some repetition in those bits
Most letters are 4-5 bits on, up to 6
Down to 1 for spaces
2 for exclaimation marks
6 for other punct

delim = x,y,m,j,r
delims will never be adjacent
64 = c,a,f
probable based on freq analysis
32 = w,d,z
found with space chars which are 1 bit
16 =
8 = k
4 =
2 =
1 = qs

>>> [print("{} - {}".format(str(bin(ord(c))[2:]).zfill(8), c)) for c in string.ascii_lowercase]
01100001 - a
01100010 - b
01100011 - c
01100100 - d
01100101 - e
01100110 - f
01100111 - g
01101000 - h
01101001 - i
01101010 - j
01101011 - k
01101100 - l
01101101 - m
01101110 - n
01101111 - o
01110000 - p
01110001 - q
01110010 - r
01110011 - s
01110100 - t
01110101 - u
01110110 - v
01110111 - w
01111000 - x
01111001 - y
01111010 - z

'00100000' - [space]
'01011111' - _
'01111011' - {
'01111101' - }
'00100001' - !

Ending is very long - likely flag

Wow. I wasn't even sure that Disorderly 1 could be solved.  Congratulations!  I'm basically just writing out a bunch of words so you have more data to work with.  Otherwise it would be more difficult.  Anyway, your flag is flag{the_world_is_finally_in_order_through_entropy}
ABET: fcawdzeklbingpthuvsoqxymjr