文章目录
签到进制反转到点了xixixi带音乐家Charles Sensor签到
PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZ3txcV9ncm91cF84MjY1NjYwNDB9'));"string(24) "flag{qq_group_826566040}"
进制反转
题目描述:
电脑中到底使用的是什么进制呢?真是麻烦,有时候还是手机好用。结果用flag{}包住,并且全为大写
WinRAR打开显示文件头损坏,其次有加密,猜测RAR伪加密,使用010 Editor打开
文件结尾发现提示:flag is the song's name
接着找到第三块struct RarBlock block[0]下的struct FileHeadFlags HEAD_FLAGS
修改ubyte PASSWORD_ENCRYPTED的值为0
解压得到flag.wav,无法使用Audacity打开,就通过导入文件->导入->原始数据
听着很明显是歌声但是却是倒放,Ctrl+A全选,点击效果 > 反向(时间),然后再效果 > 改变速率,调节到一个正常歌曲的播放速度,然后经过降噪,消除咔嚓声等一系列操作,最后听歌识别
先推个在线识别歌曲网站:/identify-songs-music-recognition-online/
听歌识曲识别不出来,就听歌词找吧,也挺快的,考验听力水平
歌名:《Too Good At Goodbyes》
flag{TOOGOODATGOODBYES}
到点了
题目描述:
我那么多遗憾,那么多期盼,你知道吗(下雨熊猫头
1.docx打开,勾选隐藏文字
2.docx有加密,根据1.docx提供的提示,使用Accent OFFICE Password Recovery爆破密码
先尝试爆破8位纯数字,毕竟8位字母数字就太多了,还不知道分不分大小写
爆破过程就不看了,时间太长了,直接贴结果,密码为:2024
解开2.docx,全选标红,发现有一串AB字符,很明显应该是培根密码
AABBAABBBAABBBAAAABBABBABABAAAAABBAAABBBBAABBBAABABABBAAABAAAABAABAABBABAAAAABAA
培根在线解码:/peigen/
GOODNIGHTSWEETIEgoodnightsweetie
binwalk分离3.docx,得到一个4.zip,里面有一张4.bmp
4.bmp
bmp隐写,有密码,试了不是LSB,尝试使用wbs43open
密码:goodnightsweetie
flag{2ec9405ac7bcfb16f5fd494bcf21337c}
xixixi
题目描述:
室友最近沉迷y神,又氪又肝,还ghs。为了他的身体着想,我把他的s图整没了。但我明明删了脚本啊,为什么还能被他发现......8说了,医院的空调真舒服~
new.vhd
可以使用DiskGenius或者Win7的磁盘管理进行挂载,建议使用DiskGenius挂载
DiskGenius->磁盘->打开虚拟磁盘文件
kejin.png
以及还有两个Py脚本
import structclass FAT32Parser(object):def __init__(self, vhdFileName):with open(vhdFileName, 'rb') as f:self.diskData = f.read()self.DBR_off = self.GetDBRoff()self.newData = ''.join(self.diskData)def GetDBRoff(self):DPT_off = 0x1BEtarget = self.diskData[DPT_off+8:DPT_off+12]DBR_sector_off, = struct.unpack("<I", target)return DBR_sector_off * 512def GetFAT1off(self):target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]FAT1_sector_off, = struct.unpack("<H", target)return self.DBR_off + FAT1_sector_off * 512def GetFATlength(self):target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]FAT_sectors, = struct.unpack("<I", target)return FAT_sectors * 512def GetRootoff(self):FAT_length = self.GetFATlength()FAT2_off = self.GetFAT1off() + FAT_lengthreturn FAT2_off + FAT_lengthdef Cluster2FAToff(self, cluster):FAT1_off = self.GetFAT1off()return FAT1_off + cluster * 4def Cluster2DataOff(self, cluster):rootDir_off = self.GetRootoff()return rootDir_off + (cluster - 2) * 512
import structfrom xixi import FAT32Parserfrom xixixi import Padding, picDepartListdef EncodePieces():global clusterListres = []Range = len(picDepartList) # 58# GetRandomClusterList(n) - Generate a random cluster list with length nclusterList = GetRandomClusterList(Range)for i in range(Range):if i != Range - 1:newCRC = struct.pack("<I", clusterList[i+1])plainData = picDepartList[i][:-4] + newCRCelse:plainData = picDepartList[i]# Show the first piece to him, hhhif i == 0:newPiece = plainDataelse:newPiece = ''key = clusterList[i] & 0xFEfor j in plainData:newPiece += chr(ord(j) ^ key)# Padding() -- Fill to an integral multiple of 512 with \xFFres.append(Padding(newPiece))return res
参考上面给出的脚本进行还原,还原脚本参考的是Timeline Sec团队的脚本
原文地址:https://mp./s/CP3-W8VcLokQNYMSbXw9wg
# -*- coding: utf-8 -*-# @Project: Hello Python!# @File : exp# @Author : Tr0jAn <Tr0jAn@># @Date : -11-22import structimport binasciiclass FAT32Parser(object):def __init__(self, vhdFileName):with open(vhdFileName, 'rb') as f:self.diskData = f.read()self.DBR_off = self.GetDBRoff()self.newData = ''.join(str(self.diskData))def GetDBRoff(self):DPT_off = 0x1BEtarget = self.diskData[DPT_off+8:DPT_off+12]DBR_sector_off, = struct.unpack("<I", target)return DBR_sector_off * 512def GetFAT1off(self):target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]FAT1_sector_off, = struct.unpack("<H", target)return self.DBR_off + FAT1_sector_off * 512def GetFATlength(self):target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]FAT_sectors, = struct.unpack("<I", target)return FAT_sectors * 512def GetRootoff(self):FAT_length = self.GetFATlength()FAT2_off = self.GetFAT1off() + FAT_lengthreturn FAT2_off + FAT_lengthdef Cluster2FAToff(self, cluster):FAT1_off = self.GetFAT1off()return FAT1_off + cluster * 4def Cluster2DataOff(self, cluster):rootDir_off = self.GetRootoff()return rootDir_off + (cluster - 2) * 512def read(n):global keybinary = b''for i in vhd.read(n):binary += (i ^ (key & 0xFE)).to_bytes(length=1, byteorder='big', signed=False)return binaryFAT = FAT32Parser("new.vhd")vhd = open("new.vhd", "rb")vhd.seek(0x27bae00) # 定位磁盘中图片位置flag = open("flag.png", "wb")flag.write(vhd.read(8)) # 写入png头key = 0while True:d = read(8)length, cType = struct.unpack(">I4s", d)print(length, cType) # length为数据长度,cType为数据块类型data = read(length)CRC = struct.unpack(">I", read(4))[0]print(CRC)rCRC = binascii.crc32(cType + data) & 0xffffffffprint(rCRC)rDATA = struct.pack(">I", length) + cType + data + struct.pack(">I", rCRC)flag.write(rDATA)if CRC != rCRC: # CRC错误的IDAT数据块b_endian = struct.pack(">I", CRC)clusterList = struct.unpack("<I", b_endian)[0]print(clusterList)vhd.seek(FAT.Cluster2DataOff(clusterList))key = clusterList & 0xFEif cType == b"IEND":break
flag{0cfdd1ad80807da6c0413de606bb0ae4}
带音乐家
MIDI文件
Velato语言使用MIDI文件作为源代码,音乐的模式决定程序命令
官网下载编译器
/
Hello, World!
Doc1.rar注释有东西
摩斯,短的转为.,长的转为-
.- . ... -.- . -.-- ----. ..--- .---- ----. ..--- ...-- ..--- ...-- ..--- ..---
AESKEY9219232322
解压Doc1.rar,打开Doc1.docx(记得开启隐藏字符)
nvPrjrss1PyqAZB/14lkvJGTJ9l4rOfwJeqSqSHSqXU=
flag{mU51c_And_ch@ract0rs~}
Charles Sensor
等待大佬wp…orz
