文章目录
- 签到
- 进制反转
- 到点了
- xixixi
- 带音乐家
- Charles Sensor
签到
PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZ3txcV9ncm91cF84MjY1NjYwNDB9'));"
string(24) "flag{qq_group_826566040}"进制反转
题目描述:
电脑中到底使用的是什么进制呢?真是麻烦,有时候还是手机好用。结果用flag{}包住,并且全为大写
WinRAR打开显示文件头损坏,其次有加密,猜测RAR伪加密,使用010 Editor打开
文件结尾发现提示:flag is the song's name
接着找到第三块struct RarBlock block[0]下的struct FileHeadFlags HEAD_FLAGS
修改ubyte PASSWORD_ENCRYPTED的值为0
解压得到flag.wav,无法使用Audacity打开,就通过导入文件->导入->原始数据
听着很明显是歌声但是却是倒放,Ctrl+A全选,点击效果 > 反向(时间),然后再效果 > 改变速率,调节到一个正常歌曲的播放速度,然后经过降噪,消除咔嚓声等一系列操作,最后听歌识别
先推个在线识别歌曲网站:https://www.acrcloud.com/identify-songs-music-recognition-online/
听歌识曲识别不出来,就听歌词找吧,也挺快的,考验听力水平
歌名:《Too Good At Goodbyes》
flag{TOOGOODATGOODBYES}到点了
题目描述:
我那么多遗憾,那么多期盼,你知道吗(下雨熊猫头
1.docx打开,勾选隐藏文字
2.docx有加密,根据1.docx提供的提示,使用Accent OFFICE Password Recovery爆破密码
先尝试爆破8位纯数字,毕竟8位字母数字就太多了,还不知道分不分大小写
爆破过程就不看了,时间太长了,直接贴结果,密码为:20201024
解开2.docx,全选标红,发现有一串AB字符,很明显应该是培根密码
AABBAABBBAABBBAAAABBABBABABAAAAABBAAABBBBAABBBAABABABBAAABAAAABAABAABBABAAAAABAA培根在线解码:https://tool.bugku.com/peigen/
GOODNIGHTSWEETIE
goodnightsweetie
binwalk分离3.docx,得到一个4.zip,里面有一张4.bmp
4.bmp
bmp隐写,有密码,试了不是LSB,尝试使用wbs43open
密码:goodnightsweetie
flag{2ec9405ac7bcfb16f5fd494bcf21337c}xixixi
题目描述:
室友最近沉迷y神,又氪又肝,还ghs。为了他的身体着想,我把他的s图整没了。但我明明删了脚本啊,为什么还能被他发现......8说了,医院的空调真舒服~new.vhd
可以使用DiskGenius或者Win7的磁盘管理进行挂载,建议使用DiskGenius挂载
DiskGenius->磁盘->打开虚拟磁盘文件
kejin.png
以及还有两个Py脚本
import struct
class FAT32Parser(object):
def __init__(self, vhdFileName):
with open(vhdFileName, 'rb') as f:
self.diskData = f.read()
self.DBR_off = self.GetDBRoff()
self.newData = ''.join(self.diskData)
def GetDBRoff(self):
DPT_off = 0x1BE
target = self.diskData[DPT_off+8:DPT_off+12]
DBR_sector_off, = struct.unpack("<I", target)
return DBR_sector_off * 512
def GetFAT1off(self):
target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]
FAT1_sector_off, = struct.unpack("<H", target)
return self.DBR_off + FAT1_sector_off * 512
def GetFATlength(self):
target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]
FAT_sectors, = struct.unpack("<I", target)
return FAT_sectors * 512
def GetRootoff(self):
FAT_length = self.GetFATlength()
FAT2_off = self.GetFAT1off() + FAT_length
return FAT2_off + FAT_length
def Cluster2FAToff(self, cluster):
FAT1_off = self.GetFAT1off()
return FAT1_off + cluster * 4
def Cluster2DataOff(self, cluster):
rootDir_off = self.GetRootoff()
return rootDir_off + (cluster - 2) * 512import struct
from xixi import FAT32Parser
from xixixi import Padding, picDepartList
def EncodePieces():
global clusterList
res = []
Range = len(picDepartList) # 58
# GetRandomClusterList(n) - Generate a random cluster list with length n
clusterList = GetRandomClusterList(Range)
for i in range(Range):
if i != Range - 1:
newCRC = struct.pack("<I", clusterList[i+1])
plainData = picDepartList[i][:-4] + newCRC
else:
plainData = picDepartList[i]
# Show the first piece to him, hhh
if i == 0:
newPiece = plainData
else:
newPiece = ''
key = clusterList[i] & 0xFE
for j in plainData:
newPiece += chr(ord(j) ^ key)
# Padding() -- Fill to an integral multiple of 512 with \xFF
res.append(Padding(newPiece))
return res参考上面给出的脚本进行还原,还原脚本参考的是Timeline Sec团队的脚本
原文地址:https://mp.weixin.qq.com/s/CP3-W8VcLokQNYMSbXw9wg
# -*- coding: utf-8 -*-
# @Project: Hello Python!
# @File : exp
# @Author : Tr0jAn <[email protected]>
# @Date : 2020-11-22
import struct
import binascii
class FAT32Parser(object):
def __init__(self, vhdFileName):
with open(vhdFileName, 'rb') as f:
self.diskData = f.read()
self.DBR_off = self.GetDBRoff()
self.newData = ''.join(str(self.diskData))
def GetDBRoff(self):
DPT_off = 0x1BE
target = self.diskData[DPT_off+8:DPT_off+12]
DBR_sector_off, = struct.unpack("<I", target)
return DBR_sector_off * 512
def GetFAT1off(self):
target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]
FAT1_sector_off, = struct.unpack("<H", target)
return self.DBR_off + FAT1_sector_off * 512
def GetFATlength(self):
target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]
FAT_sectors, = struct.unpack("<I", target)
return FAT_sectors * 512
def GetRootoff(self):
FAT_length = self.GetFATlength()
FAT2_off = self.GetFAT1off() + FAT_length
return FAT2_off + FAT_length
def Cluster2FAToff(self, cluster):
FAT1_off = self.GetFAT1off()
return FAT1_off + cluster * 4
def Cluster2DataOff(self, cluster):
rootDir_off = self.GetRootoff()
return rootDir_off + (cluster - 2) * 512
def read(n):
global key
binary = b''
for i in vhd.read(n):
binary += (i ^ (key & 0xFE)).to_bytes(length=1, byteorder='big', signed=False)
return binary
FAT = FAT32Parser("new.vhd")
vhd = open("new.vhd", "rb")
vhd.seek(0x27bae00) # 定位磁盘中图片位置
flag = open("flag.png", "wb")
flag.write(vhd.read(8)) # 写入png头
key = 0
while True:
d = read(8)
length, cType = struct.unpack(">I4s", d)
print(length, cType) # length为数据长度,cType为数据块类型
data = read(length)
CRC = struct.unpack(">I", read(4))[0]
print(CRC)
rCRC = binascii.crc32(cType + data) & 0xffffffff
print(rCRC)
rDATA = struct.pack(">I", length) + cType + data + struct.pack(">I", rCRC)
flag.write(rDATA)
if CRC != rCRC: # CRC错误的IDAT数据块
b_endian = struct.pack(">I", CRC)
clusterList = struct.unpack("<I", b_endian)[0]
print(clusterList)
vhd.seek(FAT.Cluster2DataOff(clusterList))
key = clusterList & 0xFE
if cType == b"IEND":
break
flag{0cfdd1ad80807da6c0413de606bb0ae4}带音乐家
MIDI文件
Velato语言使用MIDI文件作为源代码,音乐的模式决定程序命令
官网下载编译器
Hello, World!Doc1.rar注释有东西
摩斯,短的转为.,长的转为-
.- . ... -.- . -.-- ----. ..--- .---- ----. ..--- ...-- ..--- ...-- ..--- ..---AESKEY9219232322解压Doc1.rar,打开Doc1.docx(记得开启隐藏字符)
nvPrjrss1PyqAZB/14lkvJGTJ9l4rOfwJeqSqSHSqXU=
flag{mU51c_And_ch@ract0rs~}Charles Sensor
等待大佬wp…orz