[GXYCTF2019] MISC challenges

Reproduced on BUUOJ

1. Buddha-like Youth

The download contains an encrypted txt file and a picture.

 

Analyzing the picture turned up nothing. I hate this kind of guess-what-I'm-thinking challenge: a MISC task should give players a reasonable line of thought rather than deliberately misleading information that sends them in the wrong direction. Solving this one during the competition was maddening.

Next, open the archive in 010 Editor and look for pseudo-encryption and other clues.

 

 

The archive turns out to be pseudo-encrypted: change 0000 to 0900, save, then open the txt file.

The last line is obviously the output of the "Discussing Zen with the Buddha" encoding.

Buddha said: cover, etc. come to know victory can hinder BA despise duo duo Luo Suo Vatican nephew Gad Gad Vatican Vatican shocked Su Nie nephew's room real friends can really bowl. Luxury DA track all mood are versed terror Tiffany mood a penalty wish mortar bowl heart pain Sa Di Van away excessive mood Sleeper Four Tuo tuo versed versed in the MU-known Na Josef nephew Isaac mood like Luo Yi excessive mood number such acyl

Decrypt it with an online tool:

2. gakki

The downloaded archive contains a picture of gakki.

 

 

 

Run foremost on it:

 

 

 

The extraction yields a compressed archive, which requires a password.

Try brute-forcing it with numeric passwords.

The password is 8864.

 

 

 

Decrypt the archive:

 

 

 

The flag.txt file inside is a large jumble of characters. For an irregular character dump like this, we try character-frequency statistics.

Here is the official frequency-count exp (I'm envious):

# gakki_exp.py
# Author : imagin
# Count how often each character of the alphabet occurs in flag.txt and
# print the characters from most frequent to least frequent.
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+- ={}[]"
with open("flag.txt", "r") as f:
    data = f.read()
result = {d: 0 for d in alphabet}

def sort_by_value(d):
    # Sort [count, char] pairs in descending order and return only the chars
    backitems = [[v[1], v[0]] for v in d.items()]
    backitems.sort(reverse=True)
    return [item[1] for item in backitems]

for d in data:
    if d in result:  # ignore characters outside the alphabet
        result[d] += 1

print(sort_by_value(result))

Run it once and you get the flag.

What matters in this challenge is having the right instinct when you first see it.

 

3. SXMgdGhpcyBiYXNlPw==

First, base64-decode the challenge title.

 

 

 

This gives: Is this base?

Download the attachment.

The archive contains flag.txt.

 

 

It looks like a lot of base64-encoded strings. Try the string on the first line; base64-decoding it gives:

Cette nuit,

It is indeed base64, so we base64-decode every line and get:

Cette nuit,

Intenable insomnie,

La folie me guette,

Je suis ce que je fuis

Je subis,

Cette cacophonie,

Qui me scie la t锚te,

Assommante harmonie,

Elle me dit,

Tu paieras tes delits,

Quoi qu'il advienne,

On tra卯ne ses cha卯nes,

Ses peines,

Je voue mes nuits,

A l'assasymphonie,

Aux requiems,

Tuant par depit,

Ce que je seme,

Je voue mes nuits,

A l'assasymphonie,

Et aux blasphemes,

J'avoue je maudis,

Tous ceux qui s'aiment,

L'ennemi,

Tapi dans mon esprit,

F锚te mes defaites,

Sans repit me defie,

Je renie,

La fatale heresie,

Qui ronge mon 锚tre,

Je veux rena卯tre,

Rena卯tre,

Je voue mes nuits,

A l'assasymphonie,

Aux requiems,

Tuant par depit,

Ce que je seme,

Je voue mes nuits,

A l'assasymphonie,

Et aux blasphemes,

J'avoue je maudis,

Tous ceux qui s'aiment,

Pleurent les violons de ma vie,

La violence de mes envies,

Siphonnee symphonie,

Deconcertant concerto,

Je joue sans toucher le Do,

Mon talent sonne faux,

Je noie mon ennui,

Dans la melomanie,

Je tue mes phobies,

Dans la desharmonie,

Je voue mes nuits,

A l'assasymphonie,

Aux requiems,

Tuant par depit,

Ce que je seme,

Je voue mes nuits,

A l'assasymphonie,

Et aux blasphemes,

J'avoue je maudis,

Tous ceux qui s'aiment,

Je voue mes nuits,

A l'assasymphonie (l'assasymphonie),

J'avoue je maudis,

Tous ceux qui s'aiment

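Some lines come out garbled after decoding because of an encoding mismatch.

I searched on Baidu, and it turns out these are the lyrics of L'Assasymphonie.

However, some parts seem to differ slightly from the original song. With this much text, the first reaction is usually a character-frequency cipher, but the previous challenge already tested that point.

Running frequency analysis gave no result either. Since the data is base64, I considered base64 steganography and found an article that introduces it; here is the link: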

https://www.tr0y.wang/2017/06/14/Base64steg/index.html

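I remember running into base64 steganography in an earlier challenge.

Here is the official explanation, to learn from:

base64 converts three 8-bit groups into four 6-bit groups; the smallest conversion unit is 24 bits (the least common multiple of 6 and 8).

So if the plaintext is shorter than three bytes, some bits are not needed when decoding, yet they still make up part of one of the encoded characters.

For example, the A in the figure above, 0100 0001, is treated by base64 as 0100 0001 0000, but the last four bits are useless when decoding. In other words, 0100 0001 0000 and 0100 0001 1111 both correspond to the plaintext A, so these four bits can be used for steganography.

If the official explanation is unclear, here is my own understanding in brief: the data being base64-encoded does not always fill exactly three bytes. When it does not, we can change the last few bits of the base64 encoding to the information we want to hide, without affecting base64 decoding.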
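The principle described above, as an added example (not code from the original post or the official writeup): it hides a message in the spare bits of padded base64 lines, recovers it, and shows that re-encoding each line exposes the modified lines. The cover lines, the secret and all function names are constructed for illustration.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed cover lines (not from the challenge); 7 of them need '=' padding.
COVER = [b"alpha", b"beta", b"gamma", b"delta", b"pi", b"rho", b"tau", b"omega", b"xi", b"chi"]

def embed(cover_lines, secret):
    """Base64-encode each line, hiding the bits of `secret` in the unused trailing bits."""
    bits = "".join(f"{byte:08b}" for byte in secret)
    out = []
    for raw in cover_lines:
        enc = base64.b64encode(raw).decode()
        n = enc.count("=") * 2            # one '=' leaves 2 spare bits, two leave 4
        if n and bits:
            chunk, bits = bits[:n].ljust(n, "0"), bits[n:]
            body = enc.rstrip("=")
            # The spare bits are zero in canonical output, so OR-ing sets them.
            last = B64[B64.index(body[-1]) | int(chunk, 2)]
            enc = body[:-1] + last + "=" * (n // 2)
        out.append(enc)
    if bits:
        raise ValueError("not enough padded lines to hold the secret")
    return out

def extract(steg_lines):
    """Read the spare bits of every padded line and regroup them into bytes."""
    bits = ""
    for enc in steg_lines:
        n = enc.count("=") * 2
        if n:
            spare = B64.index(enc.rstrip("=")[-1]) & ((1 << n) - 1)
            bits += f"{spare:0{n}b}"
    usable = len(bits) - len(bits) % 8    # ignore an incomplete trailing byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def non_canonical(lines):
    """Detection: a line that does not re-encode to itself has non-zero spare bits."""
    return [l for l in lines if base64.b64encode(base64.b64decode(l)).decode() != l]

if __name__ == "__main__":
    steg = embed(COVER, b"hi")
    print(steg)
    print([base64.b64decode(l) for l in steg] == COVER)  # cover text is unchanged
    print(extract(steg), non_canonical(steg))
```

A padded line whose hidden bits happen to be all zero stays canonical, so `non_canonical` can report fewer lines than actually carry data.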

Steganography is everywhere.

Once you know the principle, just run a script:

import base64

b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
with open('flag.txt', 'r') as f:
    bin_str = ''
    for line in f:
        stegb64 = ''.join(line.split())
        if not stegb64:
            continue  # skip blank lines
        # Decode and re-encode to get the canonical form, whose spare bits are all zero
        rowb64 = base64.b64encode(base64.b64decode(stegb64)).decode()
        # The distance between the last data characters is the value of the hidden bits
        offset = abs(b64chars.index(stegb64.replace('=', '')[-1]) - b64chars.index(rowb64.replace('=', '')[-1]))
        equalnum = stegb64.count('=')  # no '=' padding means no hidden bits
        if equalnum:
            bin_str += bin(offset)[2:].zfill(equalnum * 2)
# Regroup the collected bits, 8 bits per character
print(''.join(chr(int(bin_str[i:i + 8], 2)) for i in range(0, len(bin_str), 8)))

Result:

Origin www.cnblogs.com/Cl0ud/p/12207865.html