题目地址:https://buuoj.cn/challenges#zip
很多压缩包,但是里面的内容非常小,小于5字节,可以尝试使用CRC32爆破得到其内容
先以out0.zip做个例子,out0.zip的CRC32校验码为:0x75f90d3a
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0x75f90d3a
4 bytes: {0x7a, 0x35, 0x42, 0x7a}
verification checksum: 0x75f90d3a (OK)
alternative: 2BHS9N (OK)
alternative: 4zPLa0 (OK)
alternative: 7gJsJx (OK)
alternative: 9hUCvv (OK)
alternative: Gzefs4 (OK)
alternative: MqgWNY (OK)
alternative: QoY76E (OK)
alternative: RORDuU (OK)
alternative: VKOEt6 (OK)
alternative: XDPuH8 (OK)
alternative: bmE3S_ (OK)
alternative: guV_H1 (OK)
alternative: j6113k (OK)
alternative: jgSP_w (OK)
alternative: zV8BCl (OK)
PS D:\Tools\Misc\crc32> php -r "var_dump(hex2bin('7a35427a'));"
string(4) "z5Bz"这样就可以爆破出out0.zip中data.txt的内容,然后利用网上找的一个脚本
#python3
import zipfile
import string
import binascii
def CrackCrc(crc):
for i in dic:
for j in dic:
for k in dic:
for h in dic:
s = i + j + k + h
if crc == (binascii.crc32(s.encode())):
f.write(s)
return
def CrackZip():
for i in range(0,68):
file = 'out'+str(i)+'.zip'
crc = zipfile.ZipFile(file,'r').getinfo('data.txt').CRC
CrackCrc(crc)
print('\r'+"loading:{:%}".format(float((i+1)/68)),end='')
dic = string.ascii_letters + string.digits + '+/='
f = open('out.txt','w')
print("\nCRC32begin")
CrackZip()
print("CRC32finished")
f.close()得到所有压缩包的data.txt中的内容。并拼接在一起
z5BzAAANAAAAAAAAAKo+egCAIwBJAAAAVAAAAAKGNKv+a2MdSR0zAwABAAAAQ01UCRUUy91BT5UkSNPoj5hFEVFBRvefHSBCfG0ruGnKnygsMyj8SBaZHxsYHY84LEZ24cXtZ01y3k1K1YJ0vpK9HwqUzb6u9z8igEr3dCCQLQAdAAAAHQAAAAJi0efVT2MdSR0wCAAgAAAAZmxhZy50eHQAsDRpZmZpeCB0aGUgZmlsZSBhbmQgZ2V0IHRoZSBmbGFnxD17AEAHAA==使用这个网站在线解密base64:https://the-x.cn/base64
发现base64解出来貌似是字节流数据,而且结尾是RAR文件的结尾,使用脚本将base64解码并以字节流的形式写入一个新的文件
import base64
base64_text = open('out.txt','r').read()
byte_stream = base64.b64decode(base64_text)
open('new.txt','wb').write(byte_stream)使用010 Editor打开,添加一个RAR文件的头部
52 61 72 21 1A 07 00
保存,修改后缀为rar
在注释中发现flag
flag{nev3r_enc0de_t00_sm4ll_fil3_w1th_zip}