spelling-quiz picoMini by redpwn Solution

Published: April 2, 2026

Description

A spelling quiz study guide and flag file were encrypted with the same substitution cipher. Recover the key.

Download the encrypted study guide and flag.txt from the challenge page.

Solution

  1. Step 1
    Analyze the ciphertext
    Observation
    I noticed that the description said both the study guide and flag.txt were encrypted with the same substitution cipher, and the study guide is a long English text, which suggested that the cipher preserves letter-frequency statistics and is vulnerable to frequency analysis given enough ciphertext.
    The study guide is a long English text encrypted with a monoalphabetic substitution cipher - each letter is consistently replaced by exactly one other letter. The large amount of English text makes frequency analysis effective.
    Learn more

    A monoalphabetic substitution cipher replaces each letter of the plaintext with a fixed corresponding letter from a scrambled alphabet. There are 26! (about 4 × 10^26) possible substitution alphabets, making exhaustive search completely infeasible. However, the cipher preserves the statistical properties of the underlying language - letter frequencies, bigram frequencies, and common word patterns all survive the substitution unchanged.

    In English, the most frequent letters by occurrence are approximately: e, t, a, o, i, n, s, h, r, d, l, u. The most common bigrams are th, he, in, er, an. The most common trigrams are the, and, ing, her, hat. A long ciphertext preserves these ratios, making it possible to map cipher letters to plaintext letters by matching frequency distributions.

    The Caesar cipher is the simplest substitution cipher (shift each letter by a fixed amount) and is broken by just trying all 25 shifts. A general monoalphabetic cipher requires frequency analysis or automated solving. Historical monoalphabetic ciphers - including the one famously used in Edgar Allan Poe's "The Gold-Bug" - were broken exactly this way long before computers existed.

  2. Step 2
    Break the substitution cipher
    Observation
    I noticed the study guide provided thousands of characters of English ciphertext under a fixed letter mapping, which suggested that an automated cryptogram solver like quipqiup could recover the full substitution key via frequency-guided hill climbing in seconds.
    Paste the encrypted study guide into quipqiup.com or use a tool like SubstitutionBreaker. The solver uses letter frequency statistics and common bigrams/trigrams to recover the alphabet mapping automatically.
    bash
    # Online: https://quipqiup.com
    What didn't work first

    Tried: Run frequency analysis only on flag.txt instead of the study guide.

flag.txt is far too short - typically under 60 characters - so the observed letter frequencies are dominated by sampling noise and do not reflect true English frequencies. The most frequent cipher letter in the flag need not correspond to 'e' at all, and starting from that assumption sends the entire key reconstruction in the wrong direction. The study guide must be used because it provides the volume of ciphertext (thousands of characters) needed for the frequency statistics to converge reliably.

    Tried: Try a Caesar cipher solver on the study guide, cycling through all 25 shifts.

A Caesar shift maps every letter by the same fixed offset, so shift-3 turns A into D, B into E, and so on. A monoalphabetic substitution can map A to any letter independently of what B maps to, giving 26! possible keys instead of just 25. Because the challenge's mapping is not a uniform shift, none of the 25 offsets produces readable text: the brute-force output is jumbled for every attempted shift.

    Learn more

    quipqiup is an automated cryptogram solver that uses a combination of frequency analysis and dictionary-guided hill climbing. It starts with a frequency-based initial guess at the substitution key and then iteratively swaps letter mappings, keeping changes that increase how many common English words appear in the decryption. Given a sufficiently long ciphertext, it converges on the correct key within seconds.

    The automated approach works because the study guide provides far more ciphertext than is needed for reliable frequency analysis. Frequency analysis typically requires at least a few hundred characters to be reliable; a full study guide provides thousands. More text means the observed letter frequencies in the ciphertext converge tightly to the true English frequencies, making the mapping unambiguous.

Before automated tools existed, cryptanalysts broke substitution ciphers manually using frequency tables, looking for common short words (likely candidates for the, a, an, in), and word patterns. A ciphertext word whose letters repeat in the pattern XYYXZ can only be an English word with the same repetition pattern, such as tooth or teeth, and a word shaped XYZYX narrows to candidates like level, refer, or radar. This pattern-matching intuition is what automated solvers encode in their scoring functions.
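The manual technique described in the two "Learn more" passages above (letter, bigram and trigram frequencies in Step 1; word-pattern matching in Step 2) as an added, runnable Python example. This is not code from the writeup or from quipqiup: the sample plaintext, the small word list and the function names are constructed for the demonstration, and the key is the example cipher alphabet quoted in Step 3. It goes slightly beyond the text by producing a first-pass key guess from the ranked frequencies and showing a partial decryption with unresolved letters marked.

```python
from collections import Counter
from string import ascii_lowercase

# Approximate English letter frequency order, most common first.
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample plaintext: e and t dominate, and "th"/"the" are the
# most common bigram and trigram, as in typical English.
PLAINTEXT = ("first we count the letters e and t throughout the text these three "
             "letters keep the same frequencies after the message is scrambled "
             "with a fixed alphabet so the most frequent cipher letter almost "
             "always stands for e and the pair th is the most frequent bigram "
             "in the text")

# Example cipher alphabet from Step 3 (plaintext a..z -> these letters).
KEY = "pcubfwhvjknairmetszdxygolq"

# Constructed word list standing in for a dictionary.
WORDLIST = ["level", "refer", "tooth", "teeth", "noon", "that", "there", "letter"]


def encrypt(plaintext, key=KEY):
    """Monoalphabetic substitution: ascii_lowercase[i] -> key[i]; other characters unchanged."""
    return plaintext.translate(str.maketrans(ascii_lowercase, key))


def letter_counts(text):
    """Single-letter frequencies over a..z only."""
    return Counter(c for c in text.lower() if c in ascii_lowercase)


def ngram_counts(text, n):
    """n-gram frequencies counted inside words only, so no n-gram straddles a space."""
    counts = Counter()
    for word in text.lower().split():
        letters = "".join(c for c in word if c in ascii_lowercase)
        for i in range(len(letters) - n + 1):
            counts[letters[i:i + n]] += 1
    return counts


def frequency_guess(ciphertext):
    """First-pass key: rank cipher letters by count and pair them with ENGLISH_ORDER.
    Only the top few ranks are reliable; letters absent from the ciphertext are
    appended in alphabetical order so every cipher letter gets some mapping."""
    ranked = [c for c, _ in letter_counts(ciphertext).most_common()]
    ranked += [c for c in ascii_lowercase if c not in ranked]
    return dict(zip(ranked, ENGLISH_ORDER))


def apply_guess(ciphertext, guess):
    """Decrypt with a possibly partial cipher->plain mapping. Cipher letters that
    are not yet mapped are shown in uppercase so unresolved positions stand out."""
    return "".join(guess.get(c, c.upper()) if c in ascii_lowercase else c
                   for c in ciphertext)


def word_pattern(word):
    """Letter-repetition pattern independent of the alphabet: tooth -> ABBAC, level -> ABCBA."""
    seen = {}
    return "".join(seen.setdefault(c, chr(ord("A") + len(seen))) for c in word)


def pattern_candidates(cipher_word, wordlist=WORDLIST):
    """Dictionary words that share the ciphertext word's repetition pattern."""
    target = word_pattern(cipher_word)
    return [w for w in wordlist if word_pattern(w) == target]


if __name__ == "__main__":
    ct = encrypt(PLAINTEXT)
    print("top letters :", letter_counts(ct).most_common(3))
    print("top bigram  :", ngram_counts(ct, 2).most_common(1))
    print("top trigram :", ngram_counts(ct, 3).most_common(1))
    guess = frequency_guess(ct)
    # Keep only the mappings the statistics support (top two letters -> e, t,
    # second letter of the top bigram -> h) and view the partial decryption.
    partial = {c: guess[c] for c, _ in letter_counts(ct).most_common(2)}
    partial[ngram_counts(ct, 2).most_common(1)[0][0][1]] = "h"
    print(apply_guess(ct, partial))
    print("candidates for", encrypt("tooth"), ":", pattern_candidates(encrypt("tooth")))
```

On the sample, the most frequent cipher letter is the image of e and the top bigram and trigram decrypt to "th" and "the"; lower ranks are already unreliable at this text length (the third-ranked cipher letter is s in the plaintext, not a), which is why solvers refine a frequency-based start with hill climbing and dictionary scoring rather than trusting the ranking outright.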

  3. Step 3
    Apply the recovered key to flag.txt
    Observation
    I noticed the challenge stated both files used the same cipher key, so the substitution alphabet recovered from the study guide applies directly to flag.txt, which suggested using Python's str.maketrans and str.translate for a clean one-shot character-level decryption.
Once you have the substitution key (e.g. the cipher alphabet pcubfwhvjknairmetszdxygolq lined up against abcdefghijklmnopqrstuvwxyz, so that cipher letter p decrypts to a, c to b, and so on), apply it to decrypt flag.txt using Python's str.translate().
    python
    python3 -c "
    key   = 'pcubfwhvjknairmetszdxygolq'
    alpha = 'abcdefghijklmnopqrstuvwxyz'
    table = str.maketrans(key, alpha)
    print(open('flag.txt').read().translate(table))
    "

    Expected output

    picoCTF{perhaps_the_dog_jumped_over_was_just_tired}
    What didn't work first

    Tried: Build the translation table with key and alpha swapped: str.maketrans(alpha, key) instead of str.maketrans(key, alpha).

    str.maketrans(from, to) maps each character in 'from' to the matching character in 'to'. The recovered key represents the cipher alphabet - the letters that appear in the ciphertext - so it must go in the 'from' position. Swapping the arguments maps plaintext letters to cipher letters, which is the encryption direction. Applying that reversed table to flag.txt re-encrypts the already-encrypted ciphertext and produces garbage output.

    Tried: Apply the substitution table only to lowercase letters, forgetting that the flag wrapper picoCTF{} contains uppercase and special characters.

str.maketrans with lowercase-only strings leaves uppercase letters and characters like '{', '_', and '}' untouched, which is the correct behavior for the wrapper and the separators. The trap is extending the table to uppercase carelessly: quipqiup returns a lowercase mapping, so if any uppercase cipher letters need decrypting, the second maketrans call must use the same permutation on both sides (key.upper() lined up with alpha.upper()). Mixing cases between the two arguments produces uppercase entries that disagree with the lowercase ones, so letters decrypt inconsistently while the wrapper still looks fine.

    Learn more

str.maketrans(from, to) builds a translation table: a dictionary keyed by the code point of each character in from, holding the code point of the corresponding character in to. str.translate(table) applies that mapping to every character in the string in a single pass; characters absent from the table pass through unchanged. This is the idiomatic Python way to implement any character-level substitution without a loop.

    The same key that decrypts the study guide decrypts the flag because both were encrypted with the same cipher. This is a common CTF pattern: give you a large, known-plaintext-adjacent file (the study guide is English text you can guess at) so you can recover the key, then ask you to apply that key to the short target file (flag.txt) that alone would not have enough ciphertext for frequency analysis.

The broader lesson is about key reuse. A deterministic cipher used with the same key for multiple messages creates exploitable relationships between those messages: here, the key recovered from one message decrypts the other outright. In symmetric cryptography the same principle shows up as nonce reuse in stream ciphers and IV reuse in block cipher modes, where the consequences range from leaking relationships between plaintexts to full key recovery, depending on the cipher.
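The key-application step with the checks a practitioner would add before trusting the output, as an added Python example (not the writeup's own one-liner): it verifies that the recovered key is a genuine permutation of a..z, builds the cipher-to-plain table in the decryption direction, extends it to uppercase with the same permutation, round-trips a constructed sample flag, and shows what the swapped-argument mistake produces. The key is the example alphabet quoted in this step; the sample flag text and all function names are constructed for this example.

```python
from string import ascii_lowercase, ascii_uppercase

# Example cipher alphabet from Step 3: plaintext a..z encrypts to these letters.
KEY = "pcubfwhvjknairmetszdxygolq"


def key_problems(key):
    """Return (missing, duplicated) letters. A key copied out of a solver must be
    a permutation of a..z; a dropped or doubled letter silently corrupts the
    translation table, so check it before building one."""
    missing = sorted(set(ascii_lowercase) - set(key))
    duplicated = sorted({c for c in key if key.count(c) > 1})
    return missing, duplicated


def _check(key):
    missing, duplicated = key_problems(key)
    if missing or duplicated:
        raise ValueError(f"key is not a permutation: missing={missing} duplicated={duplicated}")


def decrypt_table(key):
    """cipher -> plain. Uppercase entries use the SAME permutation as lowercase
    (key.upper() lined up with ascii_uppercase), so mixed-case ciphertext decrypts
    consistently. Characters not in the table ({, }, _, digits) pass through."""
    _check(key)
    return str.maketrans(key + key.upper(), ascii_lowercase + ascii_uppercase)


def encrypt_table(key):
    """plain -> cipher: the same pairs with the arguments swapped. Applying this
    table to ciphertext is the mistake described above; it encrypts a second time."""
    _check(key)
    return str.maketrans(ascii_lowercase + ascii_uppercase, key + key.upper())


def decrypt(ciphertext, key=KEY):
    return ciphertext.translate(decrypt_table(key))


def encrypt(plaintext, key=KEY):
    return plaintext.translate(encrypt_table(key))


def decrypt_file(path, key=KEY):
    """Decrypt a ciphertext file such as flag.txt and return the plaintext."""
    with open(path, encoding="utf-8") as f:
        return decrypt(f.read(), key)


if __name__ == "__main__":
    # Constructed sample flag; the challenge's real flag.txt is not reproduced here.
    sample = "picoCTF{frequency_analysis_example}"
    ct = encrypt(sample)
    print("ciphertext     :", ct)
    print("decrypted      :", decrypt(ct))
    print("wrong direction:", ct.translate(encrypt_table(KEY)))
    # A key with q dropped and z doubled is rejected before it can corrupt output.
    print("bad key check  :", key_problems("pcubfwhvjknairmetszdxygolz"))
```

decrypt_file('flag.txt') is the equivalent of the one-liner above; the difference is that a mistyped key fails loudly instead of producing plausible-looking garbage.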


Flag


picoCTF{perhaps_the_dog_jumped_over_was_just_tired}

A monoalphabetic substitution cipher with enough English ciphertext is breakable via frequency analysis - the distribution of letters (e, t, a, o, i, n...) directly reveals the key.

Key takeaway

Monoalphabetic substitution ciphers preserve letter-frequency statistics, so any ciphertext long enough to sample English frequencies is trivially breakable; automated solvers like quipqiup recover the full key in seconds by hill-climbing over possible alphabets. Reusing one key across messages with a deterministic cipher creates exploitable relationships between them: the study guide provided enough ciphertext to recover the key, which then decrypts the short flag file that alone had far too few characters for reliable frequency analysis.
