Software Innovation Lab: A first look at ZIP pseudo-encryption

Statement

1) Part of this article is compiled from information on the Internet. If it accidentally infringes anyone's rights, please contact the blogger to have it deleted.

2) The blogger is a newcomer still learning. If there is anything inappropriate in the article, please point it out so we can improve together; thank you.

This post uses two challenges as examples to talk about ZIP pseudo-encryption.

Question 1:

Download the ee2f7f26-5173-4e7a-8ea4-e4945e6f04ff.zip archive from the website. According to the title this is ZIP pseudo-encryption, so there are two ways to do it:

Method 1:

Send the archive to a friend via QQ and then open it on a mobile phone to view it; this does not work every time.

Method 2:

Let's first understand how a ZIP file is put together.
A ZIP file consists of three parts:
  compressed source file data area (local file headers and data) + compressed source file directory area (central directory) + compressed source file directory end flag (end of central directory record)

  • a. Compressed source file data area (one local file header per member, followed by that member's data):
    50 4B 03 04: local file header signature (0x04034b50)
    14 00: PKWARE version needed to extract (2.0)
    00 00: general purpose bit flag (bit 0 = encrypted, so an odd value means encrypted and an even value means not encrypted)
    08 00: compression method (8 = deflate)
    5A 7E: last modified file time
    F7 46: last modified file date
    16 B5 80 14: CRC-32 of the uncompressed data (0x1480B516)
    19 00 00 00: compressed size (25)
    17 00 00 00: uncompressed size (23)
    07 00: file name length (7)
    00 00: extra field length (0)
    6B65792E747874: file name ("key.txt"), immediately followed by the 25 bytes of compressed data: 0BCECC750E71ABCE48CDC9C95728CECC2DC849AD284DAD0500

  • b. Compressed source file directory area (central directory, one entry per member):
    50 4B 01 02: central directory file header signature (0x02014b50)
    3F 00: PKWARE version used for compression ("version made by")
    14 00: PKWARE version needed to extract
    00 00: general purpose bit flag (bit 0 = encrypted, so an odd value means encrypted and an even value means not encrypted)
    08 00: compression method (8 = deflate)
    5A 7E: last modified file time
    F7 46: last modified file date
    16 B5 80 14: CRC-32 (0x1480B516)
    19 00 00 00: compressed size (25)
    17 00 00 00: uncompressed size (23)
    07 00: file name length (7)
    24 00: extra field length (36)
    00 00: file comment length (0)
    00 00: disk number on which the file starts
    00 00: internal file attributes
    20 00 00 00: external file attributes
    00 00 00 00: offset of the local file header, relative to the start of the archive (0)
    6B65792E747874: file name ("key.txt"), followed by the 36-byte extra field 0A00200000000000010018006558F04A1CC5D001BDEBDD3B1CC5D001BDEBDD3B1CC5D001 (header ID 0x000A, the NTFS timestamp field)

  • c. Compressed source file directory end flag (end of central directory record):
    50 4B 05 06: end of central directory signature (0x06054b50)
    00 00: number of this disk
    00 00: disk on which the central directory starts
    01 00: number of central directory entries on this disk
    01 00: total number of central directory entries
    59 00 00 00: size of the central directory (89 bytes = 46 + 7 + 36)
    3E 00 00 00: offset of the central directory from the start of the archive (62 bytes = 30 + 7 + 25)
    00 00: length of the ZIP file comment (0)

Drop the archive into 010 Editor.

In general, the general purpose bit flag in the compressed source file data area is 09 00 for real encryption and 00 00 for pseudo-encryption (09 00 is 0x0009, bit 0 set; only bit 0 matters for the password check). Pseudo-encryption is done by changing the flag in the compressed source file directory area from 00 00 to 09 00: the data itself is untouched, but tools read the directory entry and ask for a password. Looking at this challenge, it appears at first glance to be really encrypted, but in fact both flags had simply been changed to 09 00; change them back to 00 00.

After saving, the archive decompresses without asking for a password and gives the flag: flag{Adm1N-B2G-kU-SZIP}.

Question 2:

Download the 123456cry.jpg image from the website. Its properties give no hints, so drop it straight into 010 Editor.

A compressed archive turns out to be hidden inside the image. Delete all the hex before the PK signature, save the rest as a .zip file, and unzip it: a password is required. The image's file name was tried as the password and found to be wrong, and there is no other hint, so the guess is pseudo-encryption.

Since this archive itself contains another archive, the signatures are harder to tell apart; 50 4B 05 06 is the end of central directory mark, and the hex just before the last such record is the central directory of the archive actually being decompressed.

The encryption flag is found set in the compressed source file directory area of that archive; change it and the archive decompresses successfully, giving a good-已合并.jpg image and a qwe.zip archive. Nothing more can be found by inspection, so analyze the image with steghide.
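The two challenges above come down to the same few byte-level operations: locate the three areas, read the flag word in both headers, decide whether the member is really encrypted, clear bit 0, and (for Question 2) cut the archive out of the file it was hidden in. The script below is an added example, not the post's own code, that does all of this. The archives and the JPEG wrapper are constructed in memory with Python's zipfile; the member names key.txt, qwe.zip and ko.txt are taken from the post, but their contents are made up.

```python
"""ZIP pseudo-encryption: find it, prove it, undo it. Added example (not the post's
code): archives are built in memory; member names are the post's, contents made up."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"      # 50 4B 03 04  local file header
CENTRAL_SIG = b"PK\x01\x02"    # 50 4B 01 02  central directory entry
EOCD_SIG = b"PK\x05\x06"       # 50 4B 05 06  end of central directory record
LOCAL_FMT = "<4s5H3L2H"        # 30 bytes, general purpose flag word at offset 6
CENTRAL_FMT = "<4s6H3L5H2L"    # 46 bytes, general purpose flag word at offset 8
EOCD_FMT = "<4s4H2LH"          # 22 bytes
FLAG_ENCRYPTED = 0x0001        # bit 0 of the general purpose flag

SAMPLE_NAME = "key.txt"
SAMPLE_DATA = b"SimCTF{constructed sample, not the challenge data}"

def build_sample_zip():
    """Constructed input: key.txt (deflate) plus a nested stored archive qwe.zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("ko.txt", b"made-up inner file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(SAMPLE_NAME, SAMPLE_DATA, zipfile.ZIP_DEFLATED)
        zf.writestr("qwe.zip", inner.getvalue(), zipfile.ZIP_STORED)
    return outer.getvalue()

def _entries(blob):
    """Yield (central_pos, local_pos, central_fields, name) per member, walking from
    the LAST EOCD record, so PK signatures inside the stored inner archive are ignored."""
    eocd_at = blob.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack_from(EOCD_FMT, blob, eocd_at)
    total, cd_size, cd_offset = eocd[4], eocd[5], eocd[6]
    shift = eocd_at - (cd_offset + cd_size)   # bytes prepended to the archive (a JPEG)
    pos = cd_offset + shift
    for _ in range(total):
        c = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if c[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        name = blob[pos + 46:pos + 46 + c[10]].decode("utf-8", "replace")
        yield pos, c[16] + shift, c, name
        pos += 46 + c[10] + c[11] + c[12]      # name + extra field + comment

def inspect_zip(blob):
    """Per member: both flag words and a verdict. 'pseudo' = bit 0 set somewhere, yet
    the stored bytes inflate to the recorded CRC-32 and size, so nothing was encrypted;
    real ZipCrypto prepends a 12-byte header and XORs the stream, so that check fails."""
    report = []
    for _, lpos, c, name in _entries(blob):
        l = struct.unpack_from(LOCAL_FMT, blob, lpos)
        if l[0] != LOCAL_SIG:
            raise ValueError("bad local header signature for %s" % name)
        data_at = lpos + 30 + l[9] + l[10]     # data follows name and extra field
        data = blob[data_at:data_at + c[8]]
        flagged = (l[2] | c[3]) & FLAG_ENCRYPTED
        try:                                   # only stored (0) and deflate (8) handled
            plain = zlib.decompress(data, -15) if c[4] == 8 else data
            intact = c[4] in (0, 8) and len(plain) == c[9] and zlib.crc32(plain) == c[7]
        except zlib.error:
            intact = False
        verdict = "clear" if not flagged else ("pseudo" if intact else "encrypted")
        report.append({"name": name, "local_flag": l[2], "central_flag": c[3],
                       "data_at": data_at, "csize": c[8], "verdict": verdict})
    return report

def set_encrypted_bit(blob, on, where=("central", "local")):
    """on=True with where=("central",) is what the challenge author did: the data is
    untouched. on=False on both headers is the fix applied in the post."""
    out = bytearray(blob)
    for cpos, lpos, _, _ in _entries(blob):
        for wanted, off in (("central" in where, cpos + 8), ("local" in where, lpos + 6)):
            if wanted:
                flag = struct.unpack_from("<H", blob, off)[0]
                struct.pack_into("<H", out, off, flag | 1 if on else flag & 0xFFFE)
    return bytes(out)

def extract_with_zipfile(blob, name=SAMPLE_NAME):
    """Python's zipfile decides from the central directory flag; None = password asked."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(name)
    except RuntimeError:        # "File ... is encrypted, password required"
        return None

def carve_zip(container):
    """Question 2: cut the archive out of a carrier file at the first local header."""
    start = container.find(LOCAL_SIG)
    return None if start < 0 else container[start:]

if __name__ == "__main__":
    fake = set_encrypted_bit(build_sample_zip(), True, ("central",))
    print(inspect_zip(fake), extract_with_zipfile(fake), inspect_zip(set_encrypted_bit(fake, False)))
```

inspect_zip() is the check worth keeping: a flagged member whose bytes still inflate to the recorded CRC-32 was never encrypted, while real ZipCrypto data (12-byte header, XORed stream) fails that check, so the verdict does not depend on which header a particular tool happens to trust. Python's zipfile, for instance, looks only at the central directory flag, which is exactly why the two flags can disagree in a pseudo-encrypted archive and why editing both, as the post does, is the safe repair.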


For convenience, rename the image to 1.jpg. The image is not passphrase-protected; steghide finds a hidden file ko.txt, which contains the archive password bV1g6t5wZDJif^J7. Decompress the archive with it to obtain the flag: flag{1RTo8w@&4nK@z*XL}.


Origin: blog.csdn.net/weixin_46263782/article/details/108821018