⭕、知识点
1、PNG文件结构深入理解
2、脚本编写
一、题目
二、解题
1、观察属性,日期全部相同,都是data结尾
2、打开info.txt,提示如下
3、应该是要构造400x400的图片,常用的图片有png、jpg
但是根据题目的数据,多个一样大的data文件不太可能是jpg图片的数据,因为jpg图片数据相关性高,极难拆分,而且没有哈夫曼表无法恢复jpg图片。因此推测应该是要恢复成png图片
这里的5kb可以推断是最后一个idat段
4、png图片格式的理解
png图片格式有四个部分是必须的:
- 前8字节魔术字:89 50 4E 47 0D 0A 1A 0A 这是PNG图片固定
- IHDR段:包含图片的宽高、位深度、色域、扫描模式等信息
- IDAT段若干:真正的图片数据(题目的.data就是这里的idat段的数据)
- IEND段:文件结束标志
5、上脚本
import binasciihead = "89 50 4E 47 0D 0A 1A 0A"
tail = "00 00 00 00 49 45 4E 44 AE 42 60 82"
idat = "49 44 41 54"def create_png_head():with open("flag.png", "wb") as f:f.write(binascii.unhexlify("".join(head.split(" "))))def create_png_ihdr():ihdr = binascii.unhexlify("".join("49 48 44 52".split(" ")))height=400wight = 400bits = 8color_space_type = 2compare_methon = 0filter_method = 0interface_method =0data = b""data+=wight.to_bytes(4, "big")data+=height.to_bytes(4, "big")data+=bits.to_bytes(1, "big")data+=color_space_type.to_bytes(1, "big")data+=compare_methon.to_bytes(1, "big")data+=filter_method.to_bytes(1, "big")data+=interface_method.to_bytes(1, "big")crc = binascii.crc32(ihdr+data).to_bytes(4, "big")with open("flag.png","ab") as f:f.write(len(data).to_bytes(4, "big"))f.write(ihdr+data+crc)def create_png_tail():with open("flag.png", "ab") as f:f.write(binascii.unhexlify("".join(tail.split(" "))))def read_and_create_png_idat(path):idat = binascii.unhexlify("".join("49 44 41 54".split(" ")))with open(path, "rb") as f:data = f.read()length = len(data).to_bytes(4,"big")crc = binascii.crc32(idat+data).to_bytes(4, "big")with open("flag.png","ab") as f:f.write(length+idat+data+crc)def create_png():create_png_head()create_png_ihdr()for file_path in ["./puzzle/yvxmeawg.data", "./puzzle/rnydeiho.data", "./puzzle/uozjmdnl.data","./puzzle/fhnkotmb.data","./puzzle/jlxphwfm.data", "./puzzle/yscijlzx.data", "./puzzle/ciaoxptf.data","./puzzle/blczioav.data","./puzzle/jtxsbevz.data", "./puzzle/lstjobzi.data", "./puzzle/pyusgabf.data","./puzzle/wgkapjbh.data","./puzzle/xufbyndk.data", "./puzzle/csizrgxn.data", "./puzzle/oaeqnubi.data","./puzzle/gpiuezjw.data","./puzzle/tihzkoyu.data", "./puzzle/hbctmwqj.data", "./puzzle/ycqzmbrw.data","./puzzle/fkjhepcs.data","./puzzle/kczwtlrd.data", "./puzzle/dwelszrk.data", "./puzzle/uilqywot.data","./puzzle/xufnmacj.data","./puzzle/jrbiznkl.data", "./puzzle/mrxtfkzj.data"]:read_and_create_png_idat(file_path)create_png_tail()if __name__ == "__main__":create_png()
每一层的顺序是试出来的,如果前面的idat层拼对了,图片就会加载出对应层
6、得到flag
三、答案
unctf{312bbd92c1b291e1827ba519326b6688}
攻防世界答案设置错了:unctf{312bbd92c1b891e1827ba519326b6688}
四、总结
为此专门重温并深入学习了一下png图片文件的结构格式