KCTF_MISC:神秘的图片

文章目录

  • KCTF_MISC:神秘的图片
    • PNG图片格式
    • CRC校验码
      • CRC实现
      • 不同CRC标准
      • CRC检验
    • CRC暴力破解
    • IEND处理

题目
我在虚拟机Ubuntu 20.04中安装010 Editor 软件尝试打开release.png图片:

PNG图片格式


由开头的十六进制可知:
89 50 4E 47 0D 0A 1A 0A为png的文件头
00 00 00 0D代表数据块的长度13 IHDR
49 48 44 52 文件头数据块标志IDCH
00 00 01 F4 图像的宽 500像素
00 00 01 A3 图像的高 419像素
08 06 00 00 00 分别表示图片的图像深度, 颜色类型, 压缩方法, 滤波器方法,隔行扫描方法


剩下的4字节CB D6 DF 8A 为该PNG的CRC32校验码, 由从IDCH到IHDR的十七位字节进行CRC计算得到
AE 42 60 82 文件尾

CRC校验码

计算原理详见mooc
CRC码不仅能校验传递过来的数据正确性,还能筛查出哪一位出现了错误.它的局限性是只能校验一位数据发生跳变

CRC实现



不同CRC标准

CRC4:x4+x+1
CRC8: x8+x5+x4+1
CRC16: x16+x12+x5+1
CRC32: x32+x26+x23+x22+x16+x12+x11+x10+x8+x7+x5+x4+x2+x+1

CRC检验



当一个图片只被修改了宽高而没有被修改CRC码时,再通过前面的值去算CRC码就会跟原本的CRC值不一样,因此需要先计算CRC码进行判断:

# 根据当前PNG宽高计算出CRC码,比较原本CRCimport zlibimage_data = open("release.png", "rb")
bin_data = image_data.read()
crc32key = zlib.crc32(bin_data[12:29])  # 调用函数计算当前PNG大小下的CRC校验码
# print(crc32key)if crc32key == int(bin_data[29:33].hex(), 16):  # 对比算出的CRC和原本的CRC(29-33byte 4字节为CRC码)print("PNG 宽高没有问题")
else:print("PNG 宽高被修改")

运行结果:

CRC暴力破解

因为CRC校验码只能对一位数据进行校验,这里的PNG图片的数据可能不止一位出现错误,所以采取的办法时是枚举PNG图片的宽高,然后计算修改后图片的CRC值,与正确的CRC值比较看是否一致

# PNG图片爆破CRC32的宽和高import zlib
import structcrcbp = open("release.png", "rb").read()    # 打开图片# 高和宽不对都会影响CRC32的值,所以要一起爆破
for w in range(0xFFFF):for h in range(0xFFFF):data = crcbp[12:16] + struct.pack('>i', w) + struct.pack('>i', h) + crcbp[24:29] #'>' 表示大端crc32 = zlib.crc32(data) & 0xFFFFFFFF   # 计算CRC码(无符号)#print(crc32)if(crc32 == 0xCBD6DF8A):    # 图片当前CRC校验码print(w, h)print('hex:', hex(w), hex(h))

对CRC校验码进行爆破后获得该图片正常的高宽:

使用修改图片的高为500,可以看到:

IEND处理

因为图片提示剩余flag在末尾,使用010 Editor 软件打开修改后的图片找到结束标识符IEDN

正常PNG图片在IEND就结束了,而release.png在IEDN后面仍有内容,把这部分内容以十六进制形式提取放到文件release.txt中

可以看出来这串代码仅有”0x20”和“0x09”,二者重复出现,所以猜想可能某一个表示’1’,另一个表示‘0‘,这代码就是一个表示01的串
编写脚本处理release.txt,将所有空格与回车删除后放到result.txt里

# 删除编码中所有的空格和回车
import osdata = ''  # 保存最后处理完的文本
with open('release.txt', 'r') as f:  # 按行处理 txt 文本for line in f:line = line.replace(' ', '')  # 删除所有空格line = line.replace('\n', '')  # 删除所有回车data = data + line  # 字符串拼接fw = open('result.txt', 'w')
fw.write(data)  # 将最终结果保存到目标文件

接下来对result.txt进行字符串的替换,将’20’<-‘1’, ‘09’ <- ‘0’的替换放到文件result_1.txt中,将’20’<-‘0’, ‘09’ <- '1’的替换放到文件result_2.txt

# 将得到的编码进行替换,'20'<-'0', '09' <- '1'
import oswith open('result.txt', 'r') as f:result = f.read() # 读取文件# result = result.replace("20", "1")# result = result.replace("09","0")result = result.replace("09", "1") # 替换result = result.replace("20","0")# with open('result_1.txt', 'w') as f:
with open('result_2.txt', 'w') as f:f.write(result) # 将替换结果写入另外的文件

最开始得到的十六进制代码串为16x625 byte的,在通过字符串替换后得到的01串也为16x625byte ,刚好为10000 = 100x100,正好可以表示一个100x100的矩阵,如果‘1‘代表黑色,’0‘代表白色,则可以根据PTL库画出二维码

from PIL import Image
MAX = 100# 二维码大小pic = Image.new("RGB",(MAX, MAX))
# str为获取的01片段
str = """0000000000000000000000000000111100001111111111111111111111110000000011110000000000000000000000000000000000000000000000000000000011110000111111111111111111111111000000001111000000000000000000000000000000000000000000000000000000001111000011111111111111111111111100000000111100000000000000000000000000000000000000000000000000000000111100001111111111111111111111110000000011110000000000000000000000000000000011111111111111111111000011110000111111110000000000001111111100001111000011111111111111111111000000001111111111111111111100001111000011111111000000000000111111110000111100001111111111111111111100000000111111111111111111110000111100001111111100000000000011111111000011110000111111111111111111110000000011111111111111111111000011110000111111110000000000001111111100001111000011111111111111111111000000001111000000000000111100001111000000001111111100001111000000000000111100001111000000000000111100000000111100000000000011110000111100000000111111110000111100000000000011110000111100000000000011110000000011110000000000001111000011110000000011111111000011110000000000001111000011110000000000001111000000001111000000000000111100001111000000001111111100001111000000000000111100001111000000000000111100000000111100000000000011110000111100000000000011110000111111111111000011110000111100000000000011110000000011110000000000001111000011110000000000001111000011111111111100001111000011110000000000001111000000001111000000000000111100001111000000000000111100001111111111110000111100001111000000000000111100000000111100000000000011110000111100000000000011110000111111111111000011110000111100000000000011110000000011110000000000001111000011111111000000001111000011110000000000001111000011110000000000001111000000001111000000000000111100001111111100000000111100001111000000000000111100001111000000000000111100000000111100000000000011110000111111110000000011110000111100000000000011110000111100000000000011110000000011110000000000001111000011111111000000001111000011110000000000001111000011110000000000001111000000001111111111111111111100001111000000000000111111111111111111111111111100001111111111111111111100000000111111111111111111110000111100000000000011111111111111111111111111110000111111111111111111110000000011111111111111111111000011110000000000001111111111111111111111111111000011111111111111111111000000001111111111111111111100001111000000000000111111111111111111111111111100001111111111111111111100000000000000000000000000000000111100001111000011110000111100001111000011110000000000000000000000000000000000000000000000000000000011110000111100001111000011110000111100001111000000000000000000000000000000000000000000000000000000001111000011110000111100001111000011110000111100000000000000000000000000000000000000000000000000000000111100001111000011110000111100001111000011110000000000000000000000000000111111111111111111111111111111111111111100000000111100001111111100001111111111111111111111111111111111111111111111111111111111111111111111110000000011110000111111110000111111111111111111111111111111111111111111111111111111111111111111111111000000001111000011111111000011111111111111111111111111111111111111111111111111111111111111111111111100000000111100001111111100001111111111111111111111111111111100000000111111110000000000001111111111110000111100000000111111110000111111110000111100000000000000000000000011111111000000000000111111111111000011110000000011111111000011111111000011110000000000000000000000001111111100000000000011111111111100001111000000001111111100001111111100001111000000000000000000000000111111110000000000001111111111110000111100000000111111110000111111110000111100000000000000001111000000001111000011111111000000001111111111111111000000000000000000001111000000001111000000001111111100000000111100001111111100000000111111111111111100000000000000000000111100000000111100000000111111110000000011110000111111110000000011111111111111110000000000000000000011110000000011110000000011111111000000001111000011111111000000001111111111111111000000000000000000001111000000001111000000001111111111111111000000000000000000000000000000001111111111111111000011110000111100000000111100000000111111111111111100000000000000000000000000000000111111111111111100001111000011110000000011110000000011111111111111110000000000000000000000000000000011111111111111110000111100001111000000001111000000001111111111111111000000000000000000000000000000001111111111111111000011110000111100000000111100000000111111111111111111110000111111111111000000001111111100001111000011111111000000000000111100000000111100001111111111111111000011111111111100000000111111110000111100001111111100000000000011110000000011110000111111111111111100001111111111110000000011111111000011110000111111110000000000001111000000001111000011111111111111110000111111111111000000001111111100001111000011111111000000000000111100000000111100001111111111111111111111110000111111111111111100001111000000000000111111110000000011110000000011110000111111111111111111111111000011111111111111110000111100000000000011111111000000001111000000001111000011111111111111111111111100001111111111111111000011110000000000001111111100000000111100000000111100001111111111111111111111110000111111111111111100001111000000000000111111110000000011110000000011110000000000000000111100000000111100000000111100001111000011111111000000000000111111110000111111110000111100000000000011110000000011110000000011110000111100001111111100000000000011111111000011111111000011110000000000001111000000001111000000001111000011110000111111110000000000001111111100001111111100001111000000000000111100000000111100000000111100001111000011111111000000000000111111110000111111110000111111111111111100001111111100000000000000000000000000000000000000001111111111111111000000000000000011111111111111110000111111110000000000000000000000000000000000000000111111111111111100000000000000001111111111111111000011111111000000000000000000000000000000000000000011111111111111110000000000000000111111111111111100001111111100000000000000000000000000000000000000001111111111111111000000000000000011111111111111110000000011111111000011111111111100001111000011110000111100001111000011111111000000001111111111111111000000001111111100001111111111110000111100001111000011110000111100001111111100000000111111111111111100000000111111110000111111111111000011110000111100001111000011110000111111110000000011111111111111110000000011111111000011111111111100001111000011110000111100001111000011111111000000001111000000001111000000001111000011110000000011111111000000001111111100000000000000000000111100000000000000000000111100000000111100001111000000001111111100000000111111110000000000000000000011110000000000000000000011110000000011110000111100000000111111110000000011111111000000000000000000001111000000000000000000001111000000001111000011110000000011111111000000001111111100000000000000000000111100000000000011111111111111111111111111111111000011110000111111110000000011110000111111111111000011111111000011111111111111111111111111111111111100001111000011111111000000001111000011111111111100001111111100001111111111111111111111111111111111110000111100001111111100000000111100001111111111110000111111110000111111111111111111111111111111111111000011110000111111110000000011110000111111111111000011111111000011110000000000000000000000000000111111110000111111111111111111111111000011110000111100000000111100001111000000000000000000000000000011111111000011111111111111111111111100001111000011110000000011110000111100000000000000000000000000001111111100001111111111111111111111110000111100001111000000001111000011110000000000000000000000000000111111110000111111111111111111111111000011110000111100000000111100001111000011111111111111111111000011110000111111111111000011110000111100001111111111110000000000000000000000001111111111111111111100001111000011111111111100001111000011110000111111111111000000000000000000000000111111111111111111110000111100001111111111110000111100001111000011111111111100000000000000000000000011111111111111111111000011110000111111111111000011110000111100001111111111110000000000000000000000001111000000000000111100001111000011110000000011110000000011110000000000000000000000000000111100000000111100000000000011110000111100001111000000001111000000001111000000000000000000000000000011110000000011110000000000001111000011110000111100000000111100000000111100000000000000000000000000001111000000001111000000000000111100001111000011110000000011110000000011110000000000000000000000000000111100000000111100000000000011110000111111111111111111110000111111110000000011110000000011110000111100000000000011110000000000001111000011111111111111111111000011111111000000001111000000001111000011110000000000001111000000000000111100001111111111111111111100001111111100000000111100000000111100001111000000000000111100000000000011110000111111111111111111110000111111110000000011110000000011110000111100000000000011110000000000001111000011111111000011110000000000000000111100001111000000001111000011110000111100001111000000000000111100001111111100001111000000000000000011110000111100000000111100001111000011110000111100000000000011110000111111110000111100000000000000001111000011110000000011110000111100001111000011110000000000001111000011111111000011110000000000000000111100001111000000001111000011110000111100001111111111111111111100001111000011110000000011110000111111111111111111111111000011110000000011110000111111111111111111110000111100001111000000001111000011111111111111111111111100001111000000001111000011111111111111111111000011110000111100000000111100001111111111111111111111110000111100000000111100001111111111111111111100001111000011110000000011110000111111111111111111111111000011110000000011110000000000000000000000000000111100000000000011110000000011110000111100000000111100000000000000000000000000000000000000000000000011110000000000001111000000001111000011110000000011110000000000000000000000000000000000000000000000001111000000000000111100000000111100001111000000001111000000000000000000000000000000000000000000000000111100000000000011110000000011110000111100000000111100000000000000000000"""i = 0
for y in range (0,MAX):for x in range (0,MAX):if(str[i] == '1'): # 一次读取01片段pic.putpixel([x,y],(0, 0, 0)) # putpixel() 设置[x,y]处的像素颜色else:pic.putpixel([x,y],(255,255,255))i = i+1
pic.show()

分别输入两个01的片段,可以得到两个相反的二维码,手机扫码都得到一个结果:

最终的flag为:flag{wocs34vu9rsd4390b6vfg245weori}

KCTF_MISC:神秘的图片相关推荐

  1. java二维数奇数组金字塔_金字塔内神秘的数字~世界末日真的存在?

    说到世界末日,大家一定对2012还记忆犹新,曾被说的玄乎奇迹,传的沸沸扬扬的2012世界末日最终也没有到来,到来的只是一堆借着世界末日的噱头炒起来的电影和一群赚的盆满钵满的导演.不过科学家们总是不甘寂 ...

  2. 当一回标题党“数理系优秀校友访谈”

    第一幅图:今天上午"数理系优秀校友访谈 - - 与校友面对面"现场. 图片由单颖同学提供 第二幅图:今天下午教十一D406数理系神秘实验室 图片由周鹏同学提供 第三幅图:我今天的心 ...

  3. KAKA 漫威卡牌设计图首次流出!KAKA NFT 卡牌即将面向全球拍售!

    近日,KAKA NFT WORLD官方推特宣布,KAKA 即将面向全球开放KAKA 漫威NFT卡牌的拍售. 据悉,本次是KAKA 漫威典藏版NFT卡牌首次开售,这一消息极大地引起了业界的关注和点赞,其 ...

  4. BUUCTF Misc 被劫持的神秘礼物 刷新过的图片 [BJDCTF2020]认真你就输了 [BJDCTF2020]藏藏藏

    目录 被劫持的神秘礼物 刷新过的图片 [BJDCTF2020]认真你就输了 [BJDCTF2020]藏藏藏 被劫持的神秘礼物 下载文件 提示让我们找账号密码 wireshark打开上述文件 可以发现一 ...

  5. react引入多个图片_重新引入React:v16之后的每个React更新都已揭开神秘面纱。

    react引入多个图片 In this article (and accompanying book), unlike any you may have come across before, I w ...

  6. ISCC 2019 杂项High起来!(酷爱音乐的你,在听歌的过程中突然收到音乐发烧友发来的一封神秘的邮件,邮件里什么都没有说,只有一个被损坏的图片。这名歌友到底要向你传达什么信息呢?答案或许就隐藏)

    下载解压后   并且无法打开      使用 winhex 打开图片 发现 前四个十六进制数为 12504E47 (可能这还是个隐写) 而 PNG (png),文件头:89504E47 所以要进行修复 ...

  7. 华为鸿蒙拐骗图片,华为神秘新机曝光 6.2寸2K屏+麒麟950

    尽管华为过去对2K显示屏没有什么兴趣,但并不表示将来推出的新款不会配备2K显示屏.日前,安兔兔官方在微博上放出一款神秘华为新机P950S"的跑分数据,并显示该机不仅搭载了麒麟950处理器,拥 ...

  8. iOS传感器:实现一个随屏幕旋转的图片

    作者 非典型技术宅 关注 2017.05.24 17:22* 字数 1568 阅读 351评论 7喜欢 14 在写上一个动画系列的时候学到了非常多的知识,也认识了很多人.例如受邀进入了某个神秘的动效组 ...

  9. 大数据背后的神秘定理:贝叶斯公式

    点击上方"小白学视觉",选择加"星标"或"置顶" 重磅干货,第一时间送达 引子 昨天下午趁着出去调研在湖滨银泰的星巴克做网易机器学习实习生岗 ...

最新文章

  1. Leetcode刷题 232题:用栈实现队列(基于python3和c++两种语言)
  2. Java冒泡排序【简】
  3. 【转】Silverlight全开源工作流设计器
  4. Qt基于文本协议的网络应用开发
  5. matlab调用opencv的函数
  6. 东方和西方的两个视角的摘抄
  7. c语言gc,使用C++制作GC Server过程详解
  8. N划分成若干个奇正整数之和的分法有多少种---动态规划
  9. 【深度学习】学习深度学习的最好方法
  10. 简单的STM32汇编程序
  11. 百度站内搜索使用教程
  12. 网络信息检索(一)检索模型:布尔,向量,概率检索
  13. 使用CXF+Spring发布WebService,启动报错
  14. flv直播流播放视频,websocket响应造成内存泄漏 浏览器崩溃
  15. Ubuntu: 安装视频播放器
  16. Android破解过程-滚动的天空
  17. 王春亮推拿正骨与按摩心理学高级师传培训班
  18. mysql mma 原理_Android中m、mm、mmm、mma、mmma的区别
  19. 导出iPhone应用crash日志步骤说明
  20. 自变量选择与逐步回归——《应用回归分析R语言版》

热门文章

  1. 漫画:什么是佛系程序员?
  2. 2018-05-28 课后笔记
  3. 计算机知识竞赛奖品,竞赛奖品_求几个 趣味的奖品 我们举行的趣味知识竞赛 有什么奖品_淘题吧...
  4. 【量子计算-基础物理】分子、原子、原子核、中子、质子、电子、量子、离子的区别
  5. 微信小程序项目真机调试图片不显示处理
  6. 视频教程-PPT软件基础实用技巧标准视频教程入门-Office/WPS
  7. 企业申请专利的《五》大好处!
  8. Android版卡拉OK,歌词同步程序
  9. 麦肯锡报告:如果再不转型人工智能,这些行业将被越甩越远
  10. 为什么说饿了么全能超市藏着阿里零售的未来