文章目錄
- 簽到
- 進制反轉
- 到點了
- xixixi
- 帶音樂家
- Charles Sensor
簽到
PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZ3txcV9ncm91cF84MjY1NjYwNDB9'));"
string(24) "flag{qq_group_826566040}"
進制反轉
題目描述:
電腦中到底使用的是什么進制呢?真是麻煩,有時候還是手機好用,結果用flag{}包住,并且全為大寫
WinRAR打開顯示檔案頭損壞,其次有加密,猜測RAR偽加密,使用010 Editor打開
檔案結尾發現提示:flag is the song's name
接著找到第三塊struct RarBlock block[0]下的struct FileHeadFlags HEAD_FLAGS
修改ubyte PASSWORD_ENCRYPTED的值為0
解壓得到flag.wav,無法使用Audacity打開,就通過匯入檔案->匯入->原始資料
聽著很明顯是歌聲但是卻是倒放,Ctrl+A全選,點擊效果 > 反向(時間),然后再效果 > 改變速率,調節到一個正常歌曲的播放速度,然后經過降噪,消除咔嚓聲等一系列操作,最后聽歌識別
先推個在線識別歌曲網站:https://www.acrcloud.com/identify-songs-music-recognition-online/
聽歌識曲識別不出來,就聽歌詞找吧,也挺快的,考驗聽力水平
歌名:《Too Good At Goodbyes》
flag{TOOGOODATGOODBYES}
到點了
題目描述:
我那么多遺憾,那么多期盼,你知道嗎(下雨熊貓頭
1.docx打開,勾選隱藏文字
2.docx有加密,根據1.docx提供的提示,使用Accent OFFICE Password Recovery爆破密碼
先嘗試爆破8位純數字,畢竟8位字母數字就太多了,還不知道分不分大小寫
爆破程序就不看了,時間太長了,直接貼結果,密碼為:20201024
解開2.docx,全選標紅,發現有一串AB字符,很明顯應該是培根密碼
AABBAABBBAABBBAAAABBABBABABAAAAABBAAABBBBAABBBAABABABBAAABAAAABAABAABBABAAAAABAA
培根在線解碼:https://tool.bugku.com/peigen/
GOODNIGHTSWEETIE
goodnightsweetie
binwalk分離3.docx,得到一個4.zip,里面有一張4.bmp
4.bmp
bmp隱寫,有密碼,試了不是LSB,嘗試使用wbs43open
密碼:goodnightsweetie
flag{2ec9405ac7bcfb16f5fd494bcf21337c}
xixixi
題目描述:
室友最近沉迷y神,又氪又肝,還ghs,為了他的身體著想,我把他的s圖整沒了,但我明明刪了腳本啊,為什么還能被他發現......8說了,醫院的空調真舒服~
new.vhd
可以使用DiskGenius或者Win7的磁盤管理進行掛載,建議使用DiskGenius掛載
DiskGenius->磁盤->打開虛擬磁盤檔案
kejin.png
以及還有兩個Py腳本
import struct
class FAT32Parser(object):
def __init__(self, vhdFileName):
with open(vhdFileName, 'rb') as f:
self.diskData = f.read()
self.DBR_off = self.GetDBRoff()
self.newData = ''.join(self.diskData)
def GetDBRoff(self):
DPT_off = 0x1BE
target = self.diskData[DPT_off+8:DPT_off+12]
DBR_sector_off, = struct.unpack("<I", target)
return DBR_sector_off * 512
def GetFAT1off(self):
target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]
FAT1_sector_off, = struct.unpack("<H", target)
return self.DBR_off + FAT1_sector_off * 512
def GetFATlength(self):
target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]
FAT_sectors, = struct.unpack("<I", target)
return FAT_sectors * 512
def GetRootoff(self):
FAT_length = self.GetFATlength()
FAT2_off = self.GetFAT1off() + FAT_length
return FAT2_off + FAT_length
def Cluster2FAToff(self, cluster):
FAT1_off = self.GetFAT1off()
return FAT1_off + cluster * 4
def Cluster2DataOff(self, cluster):
rootDir_off = self.GetRootoff()
return rootDir_off + (cluster - 2) * 512
import struct
from xixi import FAT32Parser
from xixixi import Padding, picDepartList
def EncodePieces():
global clusterList
res = []
Range = len(picDepartList) # 58
# GetRandomClusterList(n) - Generate a random cluster list with length n
clusterList = GetRandomClusterList(Range)
for i in range(Range):
if i != Range - 1:
newCRC = struct.pack("<I", clusterList[i+1])
plainData = picDepartList[i][:-4] + newCRC
else:
plainData = picDepartList[i]
# Show the first piece to him, hhh
if i == 0:
newPiece = plainData
else:
newPiece = ''
key = clusterList[i] & 0xFE
for j in plainData:
newPiece += chr(ord(j) ^ key)
# Padding() -- Fill to an integral multiple of 512 with \xFF
res.append(Padding(newPiece))
return res
參考上面給出的腳本進行還原,還原腳本參考的是Timeline Sec團隊的腳本
原文地址:https://mp.weixin.qq.com/s/CP3-W8VcLokQNYMSbXw9wg
# -*- coding: utf-8 -*-
# @Project: Hello Python!
# @File : exp
# @Author : Tr0jAn <Tr0jAn@birkenwald.cn>
# @Date : 2020-11-22
import struct
import binascii
class FAT32Parser(object):
def __init__(self, vhdFileName):
with open(vhdFileName, 'rb') as f:
self.diskData = f.read()
self.DBR_off = self.GetDBRoff()
self.newData = ''.join(str(self.diskData))
def GetDBRoff(self):
DPT_off = 0x1BE
target = self.diskData[DPT_off+8:DPT_off+12]
DBR_sector_off, = struct.unpack("<I", target)
return DBR_sector_off * 512
def GetFAT1off(self):
target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]
FAT1_sector_off, = struct.unpack("<H", target)
return self.DBR_off + FAT1_sector_off * 512
def GetFATlength(self):
target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]
FAT_sectors, = struct.unpack("<I", target)
return FAT_sectors * 512
def GetRootoff(self):
FAT_length = self.GetFATlength()
FAT2_off = self.GetFAT1off() + FAT_length
return FAT2_off + FAT_length
def Cluster2FAToff(self, cluster):
FAT1_off = self.GetFAT1off()
return FAT1_off + cluster * 4
def Cluster2DataOff(self, cluster):
rootDir_off = self.GetRootoff()
return rootDir_off + (cluster - 2) * 512
def read(n):
global key
binary = b''
for i in vhd.read(n):
binary += (i ^ (key & 0xFE)).to_bytes(length=1, byteorder='big', signed=False)
return binary
FAT = FAT32Parser("new.vhd")
vhd = open("new.vhd", "rb")
vhd.seek(0x27bae00) # 定位磁盤中圖片位置
flag = open("flag.png", "wb")
flag.write(vhd.read(8)) # 寫入png頭
key = 0
while True:
d = read(8)
length, cType = struct.unpack(">I4s", d)
print(length, cType) # length為資料長度,cType為資料塊型別
data = read(length)
CRC = struct.unpack(">I", read(4))[0]
print(CRC)
rCRC = binascii.crc32(cType + data) & 0xffffffff
print(rCRC)
rDATA = struct.pack(">I", length) + cType + data + struct.pack(">I", rCRC)
flag.write(rDATA)
if CRC != rCRC: # CRC錯誤的IDAT資料塊
b_endian = struct.pack(">I", CRC)
clusterList = struct.unpack("<I", b_endian)[0]
print(clusterList)
vhd.seek(FAT.Cluster2DataOff(clusterList))
key = clusterList & 0xFE
if cType == b"IEND":
break
flag{0cfdd1ad80807da6c0413de606bb0ae4}
帶音樂家
MIDI檔案
Velato語言使用MIDI檔案作為源代碼,音樂的模式決定程式命令
官網下載編譯器
http://velato.net/
Hello, World!
Doc1.rar注釋有東西
摩斯,短的轉為.,長的轉為-
.- . ... -.- . -.-- ----. ..--- .---- ----. ..--- ...-- ..--- ...-- ..--- ..---
AESKEY9219232322
解壓Doc1.rar,打開Doc1.docx(記得開啟隱藏字符)
nvPrjrss1PyqAZB/14lkvJGTJ9l4rOfwJeqSqSHSqXU=
flag{mU51c_And_ch@ract0rs~}
Charles Sensor
等待大佬wp…orz
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/227181.html
標籤:其他
下一篇:哈希(hash)演算法的記錄