Wuhu~~~ Wuhu~~~
I didn't expect that this year's session would be over before I knew it.
It can be said that the Eight Immortals crossed the sea and each showed their magical powers
In this article we only discuss the challenges and nothing else; I am just a porter of challenges.
On to the challenges
The following are some of my problem-solving ideas and processes, for your reference
Xiaoyou will correct and reply immediately when he sees it
By the way, friends, I was lucky enough to hand in two unintended solutions on my own (I won't disclose my name here; those who know, know, hee hee)
Work on Oak
Misc attachments
Link: https://pan.baidu.com/s/1ECFKCp1y6daoJr-802SeCQ?pwd=lulu
Extraction code: lulu
Come on everyone ( •̀ ω •́ )y look forward to seeing you again
beautiful Uighur lady
topic~
Fifty-six nationalities, fifty-six flowers, and fifty-six brothers and sisters are one family. Nowadays, the idea of national unity has long been deeply rooted in the hearts of the people, and Uyghurs are an important part of the Chinese nation. To solve this problem, you need to know the way of speaking of Uyghur compatriots.
Problem-solving ideas~
The attachment contains only one file, a PNG picture. Download it.
We see her keep looking down (a hint)
We also notice that the picture's height looks wrong, so the height must have been modified
So we brute-force the height directly (Feng Erxi's tool should be widely known by now)
The height brute-force succeeds and reveals the rest of the picture
Experienced players will recognise it immediately as a Data Matrix barcode
But it does not decode as-is. Looking closely, the position of the black border differs from that of a normal Data Matrix barcode.
So our next step is to flip the image (the barcode has been flipped horizontally)
Open it in Photoshop
and flip the canvas vertically
Decode it with an online decoder:
https://products.aspose.app/barcode/zh-hans/recognize/datamatrix#/recognized
This gives the following code:
;521#&;33#&;101#&;011#&;111#&;001#&;801#&;801#&;101#&;911#&;59#&;611#&;501#&;59#&;611#&;111#&;301#&;59#&;711#&;111#&;121#&;321#&;76#&;76#&;38#&;37#&
I don't need to tell you what the encoding is, but the format is wrong: the string has to be reversed first (a script is more convenient)
Then Unicode-decode it
to get the flag
ISCC{you_got_it_welldone!}
road of life
topic~
The road of life is full of confusion, maybe the password of success is just under our feet, maybe we need to travel around, maybe the records of our journey will drift as a whole, maybe we can’t remember how many roads we have walked, and we can’t tell the direction of the journey (flag in capital letters).
Problem-solving ideas~
The attachment has only a compressed package and a JPEG picture
The compressed package requires a password,
so we can only start from the picture
But neither file carving nor steganography tools give any useful information
Let's go back to the challenge description
The road of life is full of confusion, maybe the password of success is just under our feet (at the time I guessed that "under our feet" meant the bottom of the picture and that we needed to change the height, but there was nothing there. Later I learned that the password of the compressed package is the name of the picture, "Road of Life.jpeg")
Maybe we need to travel around (walking in four directions means either the four-square cipher or the four keys WASD on the keyboard, but the four-square cipher requires a key, and we don't have one yet)
Maybe the records of our journey will drift as a whole
Back to the challenge
Unzip the compressed package first
to get a txt document
Based on the above information we write the script
import string

c = "sOpXhOpXsO pOhXsOhXpO pOhOsO pOhOsO pXhXpXsXhXsX sOpOhOpXsO hOsO hOlOsOhXpO hOlOsOhXpOsOhX pOhOsO hOsOlO sOpOhOpXsO hOlOsOhOpO sOpOhXsOpOhXsO hOsO sOpXhOpXsO hsXlsXhpXhX pOlOsOhOhsX hOlOsOhXpO hOsO sXhXsXpXhXpX ".strip()

# Step 1: recover the overall shift p from the first word. After shifting,
# lowercase letters must land on one of "wasd" and uppercase letters on "Z" or "I".
p = 0
for ch in c.split(" ")[0]:
    if ch in string.ascii_lowercase:
        ch = chr((ord(ch) - 97 + p) % 26 + 97)
        while ch not in "wasd":
            ch = chr((ord(ch) - 97 + 1) % 26 + 97)
            p += 1
    elif ch in string.ascii_uppercase:
        ch = chr((ord(ch) - 65 + p) % 26 + 65)
        while ch not in "ZI":
            ch = chr((ord(ch) - 65 + 1) % 26 + 65)
            p += 1

# Step 2: apply the shift p to every letter of the ciphertext (spaces are kept).
a = list(c)
for i in range(len(a)):
    if a[i] in string.ascii_lowercase:
        a[i] = chr((ord(a[i]) - 97 + p) % 26 + 97)
    elif a[i] in string.ascii_uppercase:
        a[i] = chr((ord(a[i]) - 65 + p) % 26 + 65)
words = "".join(a).split(" ")

# Step 3: each shifted word is a sequence of moves that draws one character.
stroke_map = {"saIsIwIdIwaIsdIsI": "A", "sZwZdZsZaZdZsZaZ": "B", "aZsZdZ": "C", "sZwZdZsZaZ": "D", "dZaZsIdZaZsIdZ": "E", "dZaZsZaIdZ": "F", "aZsZdZwIaI": "G", "sZwIdZwIsZ": "H", "dZaIsZaIdZ": "I", "dZaIsZaI": "J", "sZwIdIdwIsaIsdI": "K", "sZdZ": "L", "wZsdIwdIsZ": "M", "wZsdZwZ": "N", "sZdZwZaZ": "O", "sZwZdZsIaZ": "P", "aZwZdZsZsdI": "Q", "sZwZdZsIaZdZsI": "R", "aZsIdZsIaZ": "S", "dZaIsZ": "T", "sZdZwZ": "U", "sIsdIdwIwI": "V", "sdZwdZsdZwdZ": "W", "sdZwaIwdIsaZ": "X", "sdIwdIsaIsI": "Y", "dZsaZdZ": "Z", "aIsIaIdIsIdI": "{", "dIsIdIaIsIaI": "}"}
for w in words:
    print(stroke_map[w], end='')
print()
run
get the flag
ISCC{FLPRCUFDELIYQPL}
Rookie Hack 1
topic~
Find the flag file left by the rookie hacker Xiao Ming
Password: ISCC23
Attachment SHA256: 502f6140232fb9c06ccfef635bc08002cc3cca440b724af33cf0b26737a2d96f
Problem-solving ideas~
The downloaded attachment contains only a raw file
Judging by the suffix, this is a memory forensics image, so go straight to volatility (I won't explain the commands much; if you don't understand them, you can read an article on memory forensics)
vol.py -f Novice\ hacker.raw --profile=Win7SP1x64 filescan | grep flag
The command finds a flag.txt document
But it can't be extracted (volatility3 seems to be able to, volatility 2 can't)
So we use other software
Use RStudio to open the image as a drive (other software that reads disks also works)
Open the image
Our file then appears in the device view
Next we scan this image
Double-click the scan result
and the file view appears
Then we follow the path found by volatility
and find the file
Save it
After opening it, there is something that looks like a flag inside, but it is not the flag
There is a hint that it is DES-encoded
The key is given in the challenge but incomplete (the complete form, ISCC2023, is easy to guess)
Online DES decryption URL
https://www.sojson.com/encrypt_des.html
get the flag
ISCC{dbsy_cdis_fd7n_s4fd}
Rookie Hack 2
topic~
Xiao Ming, a rookie hacker who loves to paint, tried to attack a computer, and his mixed feelings were recorded in the computer.
Password: ISCC23
Attachment SHA256: 502f6140232fb9c06ccfef635bc08002cc3cca440b724af33cf0b26737a2d96f
Problem-solving ideas~
The attachment is exactly the same as in Rookie Hack 1
We guess that the flag file in this challenge is in the same path as in the previous one
So we look directly at what is on the desktop
vol.py -f Novice\ hacker.raw --profile=Win2008R2SP1x64 filescan | grep Desktop
There are a few pictures there, and the emoji.jpg picture stands out
vol.py -f Novice\ hacker.raw --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000007dfaff20 -D ./
We export it
and get an emoji sticker picture
Its file size looks wrong
so we separate the embedded data from the picture
and get a compressed package with a txt file inside
but it requires a password
A blind guess of ISCC2023 turns out to be right
We get the txt file
Inside is a hint that this is a Vigenère cipher, along with the string to solve: MEQL{invk_vhlu_dzel_lkof}
But Vigenère decryption requires a key
So next we look for the key
Let's go back to the raw file
and view its notepad contents
vol.py -f Novice\ hacker.raw --profile=Win2008R2SP1x64 editbox
We get the hint: pay attention to the emoji's eyes
OK, let's go back to that emoji picture
Look at the eyes. They come in only two forms, open and closed, so it can only be Morse code or binary.
After trying:
Round eyes (open) are . and long eyes (closed) are -
./--/---/.---/../../.../..-./..-/-.
Decoding the Morse code
gives EMOJIISFUN
Then decrypt the Vigenère cipher
Online URL https://www.qqxiuzi.cn/bianma/weijiniyamima.php
get the flag
ISCC{afdf_buhi_pqwd_tfus}
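The eye-reading, Morse and Vigenère steps above as one script. This is an added example, not part of the original write-up; the o/c transcription of the eyes is constructed from the Morse string quoted above, and the function names are made up for illustration.

```python
# Added example (not from the original write-up): emoji eyes -> Morse -> key,
# then Vigenere decryption of the hint string with that key.

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

# Constructed transcription of the picture: one group per emoji,
# "o" = round (open) eye, "c" = long (closed) eye.
EYES = "o cc ccc occc oo oo ooo ooco ooc co"


def eyes_to_morse(eyes):
    """Map open eyes to dots and closed eyes to dashes, '/' between letters."""
    table = str.maketrans({"o": ".", "c": "-"})
    return "/".join(group.translate(table) for group in eyes.split())


def morse_decode(message, sep="/"):
    """Decode letter groups separated by `sep`; reject unknown groups."""
    out = []
    for group in message.split(sep):
        if group not in MORSE:
            raise ValueError(f"not a Morse letter: {group!r}")
        out.append(MORSE[group])
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    """Subtract the key letter by letter (mod 26).

    Only letters consume a key position; braces, underscores and other
    characters pass through unchanged and letter case is preserved.
    """
    if not (key.isascii() and key.isalpha()):
        raise ValueError("key must consist of ASCII letters")
    shifts = [ord(k) - ord("A") for k in key.upper()]
    out, used = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    key = morse_decode(eyes_to_morse(EYES))
    print(key)
    print(vigenere_decrypt("MEQL{invk_vhlu_dzel_lkof}", key))
```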
tom adventures
topic~
Tom is coming, Tom is coming, come and listen to Tom's adventures!
Problem-solving ideas~
The downloaded attachment has only tom.png and a comparison table
Let's carve tom.png first
with foremost
We get a compressed package
But the compressed package is password-protected
While searching through the characters in tom.jpg
we find some strange characters
An experienced player will see at a glance that this field does not belong to the normal file encoding
and with experience you can quickly guess that it calls for character frequency statistics
Count the character frequencies (you can also use an online website)
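from collections import Counter

ss = ""  # paste the strange characters found in the picture here
str1 = ss
result = Counter(str1)
# most_common() orders the characters from most to least frequent
print("".join([i[0] for i in result.most_common()]))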
code explanation
The function of this code is to count the number of occurrences of each character in the string ss, sort these characters according to the number of occurrences from high to low, and finally output the sorted characters.
It first imports the Counter class from Python's collections module. Then a string variable ss is defined and assigned to the variable str1. The constructor Counter(str1) counts the number of occurrences of each character in str1 and stores the result in result. Next, the list comprehension [i[0] for i in result.most_common()] takes the characters in order from most to least frequent and joins them into a new string. Finally, the new string is output with print().
run
get
{yasuobpwrd91702!@$%^&*}
Use it as the password to unzip and get tom.docx
Looking carefully, we find that the line spacing differs from line to line
There is double line spacing and 1.5 times line spacing
Then we select all and apply a first-line indent
so that the paragraphs are clearer
Each paragraph is one character (in that case it can only be binary or Morse code; after trying, it is Morse code)
Single line spacing is .
1.5 times line spacing is -
Convert to Morse code
Then Morse code to characters
The topic has been updated, so there are new and old attachments
The Morse code obtained from the old attachment: ../..---/.../-----/-.-./..---/-.-./...-- which decodes to i2s0c2c3
The Morse code obtained from the new attachment: .../-./-../--./.-/-.-/./.- which decodes to sndgakea
last character
Then convert according to the comparison table
Get the flag
messaging
topic~
How is the message delivered (think...)
Problem-solving ideas~
Intended solution
The downloaded attachment has only a comparison table and a traffic capture
So we start with the traffic capture
Export the IMF objects (HTTP also has something but it's useless; I was confused at the beginning)
Export
It's three emails, and the last one has a zip file attached.
Extract it
There are 112 pictures inside, but a password is required
So we go back to the traffic capture
and search for "pass" directly with Ctrl+F
The two pieces found combine into the password
WRWAALIUWOHZAPQWFTQIPMVJFOKHHZUZ
Unzip the package
and find black and white pictures inside
Convert them to 0 and 1 to get binary, then convert the binary to characters
to get i2s0c2c3
At this point, remember that there is a codebook.
Decode it against the codebook (everyone's codebook is different)
Finally get the flag
Unintended solution
We start with the three emails
The last of the three emails has a zip file attached
Extract it
There are 112 pictures inside, but a password is required
The unintended solution starts here
The compressed package's password can be found in the traffic capture
and the normal way of thinking is that we need to find that password
But I can solve the challenge without the password of the compressed package
After opening the compressed package, we look at the file listing
and find that the pictures inside have only two sizes, one is 192 and the other is 160.
So we have reason to suspect that these 112 PNGs are just two pictures under different names
I thought of converting the pictures to binary and the binary to characters, and there are exactly 112 bits
112/8 = 14, so 14 characters
A picture of the regular size is 0, and a small picture is 1
01001001 01010011 01000011 01000011 01111011 01101001 00110010 01110011 00110000 01100011 00110010 01100011 00110011 01111101
ISCC{i2s0c2c3}
Then follow the comparison table
get the flag
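Why the unintended solution works: ordinary ZIP encryption protects file contents only, while entry names and sizes stay readable in the archive's directory without the password. The script below is an added example, not from the original write-up; it builds a constructed stand-in archive (unencrypted, because Python's zipfile cannot write encrypted entries) and assumes numeric file names and that 192 and 160 are uncompressed sizes in bytes.

```python
# Added example (not from the original write-up): recover a bit string from
# the per-entry sizes listed in a ZIP directory, without reading any content.
import io
import zipfile

REGULAR_SIZE = 192   # size the write-up reports for the regular picture -> bit 0
SMALL_SIZE = 160     # size the write-up reports for the small picture   -> bit 1


def build_sample_archive(message):
    """Constructed stand-in for the challenge archive: one entry per bit.

    File names (0.png, 1.png, ...) and the byte-size interpretation are
    assumptions made for this example.
    """
    bits = "".join(f"{byte:08b}" for byte in message)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for index, bit in enumerate(bits):
            size = SMALL_SIZE if bit == "1" else REGULAR_SIZE
            zf.writestr(f"{index}.png", b"\x00" * size)
    return buf.getvalue()


def bits_from_sizes(archive):
    """Read only the directory metadata; no password or extraction needed."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = sorted(zf.infolist(),
                         key=lambda e: int(e.filename.rsplit(".", 1)[0]))
    bits = []
    for entry in entries:
        if entry.file_size == REGULAR_SIZE:
            bits.append("0")
        elif entry.file_size == SMALL_SIZE:
            bits.append("1")
        else:
            raise ValueError(f"unexpected size {entry.file_size} for {entry.filename}")
    return "".join(bits)


def bits_to_text(bits):
    """Group the bits into bytes and decode them as ASCII."""
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


if __name__ == "__main__":
    archive = build_sample_archive(b"ISCC{i2s0c2c3}")
    bits = bits_from_sizes(archive)
    print(len(bits), bits_to_text(bits))
```

For anyone designing such an archive, the takeaway is that metadata can carry the secret: sizes and names have to be treated as visible even when the entries are encrypted.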
way of communication
topic~
In our country, we can use WeChat to transmit information such as scanning codes and sending messages. Do you know what methods we used to transmit messages in the past?
Problem-solving ideas~
The downloaded attachment has only one mp3 file
We get a hint from the description:
In the past we used telegrams for communication. Now we use WeChat for communication.
The meaning of "telegram":
the guess is that telegraph code will be used for the final decoding.
First step
We want to separate the stereo WAV file into its left and right channels, then calculate the difference between them at each sample
Script
import scipy.io.wavfile as wavfile
samplerate, data = wavfile.read('telegram2wechat.wav')
left = []
right = []
for item in data:
    left.append(item[0])
    right.append(item[1])
diff = [left - right for left, right in zip(left, right)]
print(diff)
script explanation
Here is an explanation of each line of code:
- import scipy.io.wavfile as wavfile: imports the module wavfile from the scipy.io package and aliases it as wavfile.
- samplerate, data = wavfile.read('telegram2wechat.wav'): read the WAV file 'telegram2wechat.wav' using wavfile.read(). The function returns two values: the sample rate of the audio file (samplerate) and the audio data itself (data).
- left = [] and right = []: Create two empty lists to store audio data for the left and right channels.
- for item in data:: Loop through each item in the audio data.
- left.append(item[0]) and right.append(item[1]): Append the first element of item (left channel) to the left list, and the second element of item (right channel) to the right list.
- diff = [left - right for left, right in zip(left, right)]: Computes the difference between the left and right channels at each sample using a list comprehension. zip(left, right) creates pairs of corresponding items from left and right, and the expression left - right subtracts the right channel value from the left channel value in each pair.
- print(diff): Print a list of differences to the console.
Running it gives some numbers (0, 1, 2) and characters
Find the part consisting of 1 and 2 and delete the rest
We write it into a separate txt file
Then we clean up the extra symbols by removing the first space and the last comma
and convert it to a new RGB image
fp = open('通讯.txt').read().split(',')
print(len(fp))
First run the above script
It prints 2401; taking the square root gives 49
Substitute 49 into the script below
Script
fp = open('通讯.txt').read().split(',')
print(len(fp))
from PIL import Image
img = Image.new('RGB', (49,49))
i = 0
for x in range(49):
    for y in range(49):
        if fp[i] == ' 1':
            img.putpixel((x,y), (0,0,0))
        else:
            img.putpixel((x,y), (255,255,255))
        i += 1
img.show()
script explanation
Split the text on commas and get the length of the resulting list.
The numbers required by Image.new and the for loops are the square root obtained above.
It then uses PIL (Python Imaging Library) to create a new square RGB image with that side length and iterates through each pixel.
For each pixel, it checks whether the corresponding value in the "fp" list is equal to "1". If yes, set the pixel to black (0,0,0), otherwise set it to white (255,255,255). The resulting image is displayed using the "show" method.
Run to get the picture (circled numbers need to be replaced)
Scan code
5337 5337 2448 2448 0001 2448 0001 2161 1721 1869 6671 0008 3296 4430 0001 3945 0260 3945 1869 4574 5337 0344 2448 0037 5337 5337 0260 0668 5337 6671 0008 3296 1869 6671 0008 3296 1869 2161 1721
Next is the telegram decoding I mentioned at the beginning
Provide two online URLs
https://www.qqxiuzi.cn/bianma/dianbao.php (this one is easier to use)
Aisi, Si, Bracket, Enda, No Branch, You, End, Aix, Ai, Ai, Aida, Enda, En, Bracket
Unexpectedly, the challenge author made a pinyin homophone pun in the last step
"艾一":"A",
"比":"B",
"si_1":"C",
"第":"D",
"易":"E",
"艾福":"F",
"chicken": "G",
"艾吃":"H",
"Ai": "J",
"可艾":"K",
"艾偶":"L",
"艾木":"M",
"恩":"N",
"偶":"O",
"皮":"P",
"Keyi by": "Q",
"皮":"p",
"艾": 'I',
"Ai":'J',
"chicken":'G',
"可艾": "K",
"兹一": "z",
"Ace": "s",
"Siyi":'C',
"brackets": "{",
"艾木":"M",
"偶": "o",
"ah": 'R',
"Aife": 'F',
"Replace":'T',
"X": "X",
"滋一":"Z",
"Dabuliu": "W",
"由":"U",
wrote a few illegible
You can substitute by hand or write a script; I won't write one
Finally get the flag
ISCC{NWQOUNDXJLKWNWN}
mystery of bits
topic~
What's this? Pixel music! take a look!
Problem-solving ideas~
The downloaded attachments are only a zip and a png file
But the compressed package requires a password
so it can only be found from the picture
The picture is obviously not tall enough
Repair the height
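One common way to do the height repair used here and in the first challenge (beautiful Uighur lady), assuming the IHDR checksum was left untouched when the height was edited: try heights until the stored CRC matches. This is an added example, not the tool the write-up used; the sample PNG is constructed inside the script and the function names are made up for illustration.

```python
# Added example (not from the original write-up): recover a PNG's real height
# from the CRC32 stored in its IHDR chunk.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    """Serialize one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(tag + data)
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def build_png(width, height):
    """Constructed sample input: a small 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes([y % 256]) * width for y in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def set_height_keep_crc(png, height):
    """Overwrite the height field (bytes 20-23) and leave the CRC alone."""
    return png[:20] + struct.pack(">I", height) + png[24:]


def recover_height(png, max_height=8192):
    """Return the height for which the stored IHDR CRC is valid."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    ihdr = png[16:29]                                # 13 bytes of IHDR data
    stored_crc = struct.unpack(">I", png[29:33])[0]  # CRC written by the encoder
    for height in range(1, max_height + 1):
        candidate = ihdr[:4] + struct.pack(">I", height) + ihdr[8:]
        if zlib.crc32(b"IHDR" + candidate) == stored_crc:
            return height
    raise ValueError("no height up to max_height matches the stored CRC")


def repair_height(png, max_height=8192):
    """Write the recovered height back so viewers render every row."""
    return set_height_keep_crc(png, recover_height(png, max_height))


if __name__ == "__main__":
    original = build_png(31, 120)
    cropped = set_height_keep_crc(original, 60)   # a viewer shows the top half only
    print(recover_height(cropped))
    print(repair_height(cropped) == original)
```

A CRC mismatch on the IHDR chunk is also a quick triage signal that a PNG's dimensions were edited after it was written.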
Open it in Photoshop
Look at the other channels and you will find that there is text in the picture
It gives the password of the compressed package
ysafao245hfdisi
We get an audio file
From the challenge name (my stery of bits), we guess that the stegpy tool was used for the steganography
Use stegpy, a steganographic tool
stegpy _music.wav -p
The key is ISCC2023
We get a string of binary characters
0000000000000000000000000000000011111110101010111111101111111001000001011101011100000100000100101110101111000111110010111010010111010101000000101001011101001011101010110100101000101110100100000100010110000001010000010011111110101010101010101111111000000000010011001101000000000000010101101010101010111110111110011110000111111100010100101110000010111010010110110101101111000011100000011100000111000001110001001011101001011010010110100000000110100000111000001110000000001011101001011010010110100100010001101001100111011101010100001010011111010110011101001111100000011001100100001101100101000010100010011000010000011000100001011100001011001110110110100100101011100111110101111111101100000000000100001010110100010001001111111001000110010010101010000100000101101111001001000111110010111010011101110101111110101001011101010111011001101110101000101110100010111010101110111010010000010110011001000110011110001111111000010001000010010100000000000000000000000000000000000
There are 961 bits in total; the blind guess is that the binary converts to a two-dimensional code
Run the conversion to get the QR code
Scan the code to get the flag
ISCC{congratulation_and_it_is_real}
Do you believe in AI?
topic~
Classic algorithms, classic data, but maybe there will be different results?
Problem-solving ideas~
Haha, fellow Daoists, do you still remember last year's AI challenge?
Needless to say, a script is definitely needed
but let's not rush
Fellow Daoists, let's analyze this challenge first
There are two items in the attachment, files and a compressed package (shown here after decompression)
So let's look at the second one first
It contains a large number of output files (such as output files of the AI algorithm, which do not really help with solving the challenge)
But look at the last file
Looking at its raw content
there is an obvious PNG signature inside
So we just add the .png suffix
This gives us a new picture. It is useless in itself, but it contains a hint
Where is the hint? Let's take it slowly.
There is a little steganography here; let's open it in stegsolve
There is a small hint here, so I won't explain too much; everyone should be able to understand it.
OK, let's look at the first file
31 text files
Each one is similar
Then the script
Script explanation
(This code is reading an array of data from some text files and converting it to an image. For each file, it opens the file and reads the rows of data in it, then stores the data into an array of numbers. Next, it checks the length of the array, and if it is as expected, it converts the array of numbers into a picture and saves the picture to the specified output directory. If the length of the array is not as expected, the program will tell you the number of the current file .)
import cv2
import numpy as np
for i in range(32):
    with open(f"./dataset/{i}.txt", "r") as f:
        data = f.read().splitlines()
    image_data = np.array([float(line) for line in data])
    # dic = {X: int(image_data.shape[0] / X) for X in range(1, image_data.shape[0]) if image_data.shape[0] % X == 0}
    # for width, height in dic.items():
    if image_data.shape[0] == 2352:
        cv2.imwrite(f"./out/{i}.png", image_data.reshape(84, 28))
    elif image_data.shape[0] == 1568:
        cv2.imwrite(f"./out/{i}.png", image_data.reshape(56, 28))
    else:
        print(i)
Create an out folder in the directory where the script is located
Run the script
The out folder will then contain many PNG images showing digits
Next, we need to brute-force this set of ciphertexts
Script explanation
(script explanation:
The purpose of this code is to brute force a given set of ciphertexts to find out the plaintext before encryption. The specific process is as follows:
First, we define a function called has_visible_bytes, which is used to check whether the input byte array contains visible characters (that is, printable characters in the ASCII code table). Returns True if all bytes in the byte array are visible characters, otherwise returns False.
Then, we are given a ciphertext cipher_text. This ciphertext is actually a bunch of decimal numbers, which need to be converted into a byte stream to restore the original plaintext.
Next, in the loop, we use the itertools.permutations function to enumerate the full permutations of the digits 0 to 9, and use the maketrans and translate functions to replace the numbers with their corresponding full permutations.
Then, we decrypt each ciphertext according to the mapping table just obtained, and store the result in lis.
Next, we try to convert all the strings in lis into a byte stream. If the byte stream contains visible characters, it is considered a valid decryption result, and we check whether it contains the specific text "ISCC{". If there is, it means that we have successfully cracked the ciphertext and written the result into the out.txt file.
Finally, the program will output the plaintext decoded by base64. )
import string
import itertools
import contextlib
from base64 import b64decode


def has_visible_bytes(input_bytes):
    # True only if every byte is a printable ASCII character
    return all(chr(byte) in string.printable for byte in input_bytes)


cipher_text = '51 59 75 95 56 46 664 636 52 57 685 77 56 50 688 669 56 682 688 687 25 73 680 684 22 685 28 633 683 56 96 96'.split(" ")
# The images written to the out folder have to be read (OCR'd) by eye
# cipher_text = 'ASCII codes read from all the images, separated by spaces'

with open("out.txt", "wb") as f:
    # Try every substitution of the digits 0-9 (all 10! permutations)
    for perm in itertools.permutations("0123456789", 10):
        table = str.maketrans("0123456789", ''.join(perm))
        lis = [token.translate(table) for token in cipher_text]
        # Values above 255 or invalid base64 raise an exception; skip those permutations
        with contextlib.suppress(Exception):
            plain_text = bytes(int(x) for x in lis)
            if has_visible_bytes(plain_text):
                if b'ISCC{' in b64decode(plain_text):
                    print(b64decode(plain_text))
                    f.write(plain_text + b"\n")
Run to get the flag
ISCC{2aiLA7mBgdlxbrVs}