私칸字本当上手 - Writeup
Challenge Info
- Category: Misc
- Difficulty: Medium/Hard
- Flag Format: PUCTF26{[A-Z0-9_]+_[A-F0-9]{32}}
- Hint: All English letters in the flag are uppercase
Description
The challenge provided a long string of seemingly random CJK characters:
各켑뺴속꺼꼇異「莖倒속倒岺씹큰괏켄倒쳄쳄칫큰괏씹뵨쳄쳄속뵨켑괏칫轟뵨켑괏뇽켑괏倒꺼譚列꼇성큰鹿宅뺴冷裂쉭꺼뵨列갛성異뺴倒鹿큰裂꼇꺼宅列譚성冷뺴」
The title 私칸字本当上手 hints at "私漢字本当上手" (Watashi Kanji Hontou Jyouzu - "My kanji is really good"), but with a twist: the '漢' character is replaced with '칸' (a Korean character). This is a strong hint about encoding mismatches involving CJK character sets.
Solution
Step 1: Mojibake Analysis (Encoding/Decoding)
The key insight is that the ciphertext contains a mix of Korean and Chinese characters that appear garbled. This is a classic Mojibake scenario where text is encoded in one encoding and decoded with another.
By encoding the string as CP949 (Korean Windows encoding) and then decoding it as GBK (Chinese encoding), we recover a coherent sequence of ancient Chinese characters:
世奈曽加波不於「天宇加宇止久奴保乃宇美美末奴保久和美美加和奈保末无和奈保川奈保宇波由知不己奴以与曽也之江波和知安己於曽宇以奴之不波与知由己也曽」
Step 2: Manyogana (万葉仮名)
These characters are Manyogana, an ancient Japanese writing system where Chinese characters were used purely for their phonetic values. These characters are the historical origins of modern Hiragana.
Key mappings from Manyogana to Hiragana:
- 世 → せ (se)
- 奈 → な (na)
- 曽 → そ (so)
- 加 → か (ka)
- 波 → は (ha)
- 不 → ふ (fu)
- 於 → お (o)
Step 3: JIS Keyboard Layout
On a standard Japanese JIS physical keyboard, each Hiragana character corresponds to a specific alphanumeric key:
| Hiragana | Key |
|---|---|
| せ (se) | P |
| な (na) | U |
| そ (so) | C |
| か (ka) | T |
| は (ha) | F |
| ふ (fu) | 2 |
| お (o) | 6 |
| 「 | { |
Mapping these out gives us the flag prefix: PUCTF26{
Step 4: Decoding the Remaining Text
Applying the Manyogana → Hiragana → JIS Keyboard mapping to the full string:
| Manyogana | Meaning | Hiragana | JIS Key |
|---|---|---|---|
| 世奈曽加波不於 | PUCTF26 | せなそかはふお | PUCTF26{ |
| 天宇加宇止久奴保 | WATASHI_ | てんうかうしくぬほ | W4T4SH1_ |
| 乃宇美美末奴保 | KANJI_ | ないうびびまつぬほ | K4NNJ1_ |
| 久和美美加和奈保 | HONTOU_ | くわびびかわなほ | H0NNT0U_ |
| 末无和奈保川奈保 | JYOU_ZU_ | まむわなほかわなほ | JY0U_ZU_ |
(Note: "保" → "ほ" maps to the - minus key on the JIS keyboard, serving as the _ underscore)
The final 32 characters decode to the hex string: 4F8A2B1E9C7D5F0A3B6C4E1D2F9A8B7C
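Steps 1 to 4 as one pipeline, in an added example that is not part of the original writeup. The lookup table is constructed for this example from the standard hiragana origins and the JIS kana layout and covers only the characters in this ciphertext; the function names and the 」 → } entry are assumptions, and the ciphertext is regenerated from the Step 1 output rather than pasted.

```python
import unicodedata

# Step 1 output as printed in the writeup (Manyogana plus the two brackets).
MANYOGANA = "世奈曽加波不於「天宇加宇止久奴保乃宇美美末奴保久和美美加和奈保末无和奈保川奈保宇波由知不己奴以与曽也之江波和知安己於曽宇以奴之不波与知由己也曽」"

# Constructed lookup, one entry per "<manyogana><hiragana><JIS kana-layout key>".
# ほ sits on the "-" key and stands in for "_", as the writeup notes.
TABLE = ("世せP 奈なU 曽そC 加かT 波はF 不ふ2 於お6 天てW 宇う4 止とS 久くH "
         "奴ぬ1 保ほ_ 乃のK 美みN 末まJ 和わ0 无んY 川つZ 由ゆ8 知ちA 己こB "
         "以いE 与よ9 也や7 之しD 江え5 安あ3")
KANA = {e[0]: e[1] for e in TABLE.split()}
KEYS = {e[1]: e[2] for e in TABLE.split()}
KEYS.update({"「": "{", "」": "}"})  # 」 -> } assumed; the writeup lists only 「 -> {

def to_mojibake(text: str) -> str:
    """How such a ciphertext arises: GBK bytes misread as CP949."""
    return text.encode("gbk").decode("cp949")

def undo_mojibake(text: str) -> str:
    """Step 1: get the original bytes back via CP949, then read them as GBK."""
    return text.encode("cp949").decode("gbk")

def survives_nfc(text: str) -> bool:
    """False if Unicode normalization would alter the text. CP949 decodes
    duplicate hanja to CJK compatibility ideographs, which NFC folds into
    unified ideographs that re-encode to different bytes."""
    return unicodedata.normalize("NFC", text) == text

def to_hiragana(manyogana: str) -> str:
    """Step 2: Manyogana to hiragana; the brackets pass through unchanged."""
    return "".join(KANA.get(ch, ch) for ch in manyogana)

def to_keys(hiragana: str) -> str:
    """Step 3: hiragana to the key that types it on a JIS keyboard."""
    return "".join(KEYS[ch] for ch in hiragana)

def solve(ciphertext: str) -> str:
    """Steps 1 to 4 chained: mojibake in, flag out."""
    return to_keys(to_hiragana(undo_mojibake(ciphertext)))

if __name__ == "__main__":
    cipher = to_mojibake(MANYOGANA)  # rebuilt here rather than pasted
    print("NFC-safe:", survives_nfc(cipher))
    print(solve(cipher))
```

When survives_nfc returns False, carry the ciphertext as bytes or escaped code points, since a copy step that normalizes Unicode changes it silently.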
Flag
PUCTF26{W4T4SH1_K4NNJ1_H0NNT0U_JY0U_ZU_4F8A2B1E9C7D5F0A3B6C4E1D2F9A8B7C}
Key Takeaways
- Mojibake is not just corruption - It can be a deliberate encoding scheme
- Pay attention to titles - The mixed Korean/Chinese character in the title hinted at the encoding technique
- Historical writing systems - Manyogana is the predecessor to modern Japanese kana
- Keyboard layouts matter - The JIS layout is essential for the final decoding step
Tools Used
- Python for encoding/decoding operations
- Understanding of CP949 and GBK encodings
- Knowledge of Manyogana and Japanese writing systems
- JIS keyboard layout reference