内存取证+bkcrack明文爆破+文本盲水印Text_Blind_WaterMark（AntCTF x D^3CTF 2022misc WannaWacca）

题目来源：AntCTF x D^3CTF 2022misc WannaWacca

此题目详细解题参考

以下内容参考来源：Nu1L

内存取证，SmartFalcon.exe是勒索病毒（ransomware）
SmartFalcon.exe⾃带dec，私钥在pcapng中，patch程序的IP然后构造个解密指令，解密flag.zip

from pwn import *
import binascii
s = listen(2333)
data = s.recv()
result = data[:0x48] + b"\\x33" + data[0x49:-4] + b"\\x00\\x00\\x02\\x01" +
b"\\x02\\x4f\\x4b\\x00"
s.send(result)
s.close()
dec_data =
"fe039064656320666c61672e7a69702e57616e6e615761636361202d2d2d2d2d424547494e205253412050
524956415445204b45592d2d2d2d2d0a4d4949435851494241414b426751444a4673547a5151583268566c4
e785030646a7834467631792f41356d7346782b6b316976454c74716f6c6d344c504e77390a39624335396c
4e5653624c664278592b7732706a6f434f466754636145434a6b496f78317136336c5133336676655943587
2534f7557366445436f4b5a734b500a75706e6572506f627233562f544b634533335545344a58415a70564f
306b4c6d586a43417149767a52614c4748526e544c482f57667939564b514944415141420a416f474146333
94c6f456b5730306d6474394b75365164534d4d5739707178624270726c4862505242576d634c3172306e4f
654e724d664b304e4152794d4f460a3354334d77615441423867736e6d734d37305333594241526258474b4
e304e333371576f4e466b7a4f646f4d4c75504672684a6d56374f6354502b42337059710a7a7441794b3650
64616e4d355254472b574f684a792b4a4f61454b6d41476b67635a634c4e476f6f6666386947636b4351514
46f4c547a4e50534135356931350a68506270466e6633432f764c3541357a506b654d63354d6d5958643053
7552443474704f4d72567338622f756d556e65346c486b39634e3245323051494835570a453864546c57417
6416b454133626a74414974737774464d55756f586d7166784e3767726e6d59584375723746694974456e33
333152346e777158503541657a0a5732616736335966372b4b46705054307a64776b326742656e73514b476
74f794a774a42414a304f785075645a75686a3063314c61652b424f495052416e4d4a0a6764447068324c32
5a38746c305858456c36646f6c50366a424f462b6f375257303462486d4669472b384d7248764c7932434f4
9573655702f686343515143420a784a734a3535426e5559492f5150314271697432396861705a597a302b65
5373357148456f65397354334c7237496f4a4a79796c51534c4c7a4e345355317a750a312b4e7a6e5059416
c5a6a4c695764304a466566416b4167393370455443614a646b57532f755a542f3543643461516e7637676e
5459305a77727964724c61740a624f33543679486e4e6c6577517866626b425a714a6e536c77446541576f7
130503638767159314a556356450a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d
0a0a00"
s = listen(2333)
data = s.recv()
result = data[:0x48] + b"\\xfe\\x03\\xc3\\xff" + data[0x4a:-4] +
b"\\x00\\x00\\x04\\x01" + binascii.a2b_hex(dec_data)
s.send(result)
s.close()

得到flag.zip
注释：plain
png已知明⽂攻击:bd363f25 3a7da3aa 4bbe3175

#png 解码脚本
import zlib
def decompress_headerless(data):
d = zlib.decompressobj(wbits=-15)
result = d.decompress(data)
result += d.flush()
# do all the checks we can?
assert (len(d.unconsumed_tail) == 0)
assert (len(d.unused_data) == 0)
assert (d.eof==0)
return result
width = 1920
height = 1080 # +1
TARGET_SIZE = (width * 3) + 1
def verbatim(data, last=False):
result = b"\\x01" if last else b"\\x00"
result += len(data).to_bytes(2, "little")
result += (len(data) ^ 0xffff).to_bytes(2, "little")
return result + data
padding = verbatim(bytes(TARGET_SIZE))[:5]
padding_last = verbatim(b"")
assert (padding != padding_last[:5])
pad_size = len(padding)
chunk_size = TARGET_SIZE - 5
b = open("R:/eng/cao.bin", "rb").read()
# read several chunks
# TARGET_SIZE-5
da, db = [], []
while True:
ra = b[:chunk_size]
b = b[chunk_size:]
b = b[pad_size:]
rb = b[:chunk_size]
b = b[chunk_size:]
pad_b = b[:pad_size]
print("ra", "rb")
da.append(decompress_headerless(ra))
db.append(decompress_headerless(rb))
if pad_b == padding_last[:5]:
break
b = b[pad_size:]
# print(len(da)*(TARGET_SIZE)+len(db)*(TARGET_SIZE))
print(verbatim(b"", last=True))
print(b)
print(len(da))
print([len(i) for i in da])
# print(b)
# print(da,db)
#for i in db:
# print(len(i)/TARGET_SIZE)
#exit(1)
def check_filter_bytes(data, widthaa):
stride = widthaa * 3 + 1
for i in range(0, len(data), stride):
if data[i] != 0:
print(data[i - 10:i + 10].hex())
raise Exception(f"BAD FILTER AT OFFSET {i}")
fina, finb = b''.join(da), b''.join(db)
check_filter_bytes(fina, width)
check_filter_bytes(finb, width)
bcnt=0
def defilter(data):
global bcnt
stride = width * 3 + 1
res = b''
for i in range(0, len(data), stride):
res += data[i + 1:i + 1 + width * 3]
bcnt+=1
assert (len(data[i + 1:i + 1 + width * 3]) == width * 3)
return res
print(len(fina),len(finb))
outa = defilter(fina)
outb = defilter(finb)
# print(outa,outb)
#print(len(outa), len(fina), 3 * width * height)
#print(len(outa)/width/3)
import numpy as np
#aa=np.frombuffer(outa,'uint8').reshape(width,1056,3)
#bb=np.frombuffer(outb,'uint8').reshape(width,1056,3)
from PIL import Image
ia=Image.frombuffer("RGB",(width,1056),outa)
ib=Image.frombuffer("RGB",(width,1056),outb)
ia.save("oa.png")
ib.save("ob.png")
#im=Image.open("a.png").convert("RGB")
#t=np.ones((8,8,3)).astype('uint8')
#print(t)
#t[0][0][0]=0xde
#t[0][0][1]=0xad
#t[0][0][2]=0xbf
#print(Image.fromarray(t).tobytes())
print(bcnt)
from PIL import Image
import fuckpy3
# im = Image.open('ob.png')
im = Image.open('oa.png')
print(im.size)
alphamap = {'100000':'a', '110000':'b', '100100':'c', '100110':'d', '100010':'e',
'110100':'f', '110110':'g', '110010':'h', '010100':'i', '010110':'j', '101000':'k',
'111000':'l', '101100':'m', '101110':'n', '101010':'o', '111100':'p', '111110':'q',
'111010':'r', '011100':'s', '011110':'t', '101001':'u', '111001':'v', '010111':'w',
'101101':'x', '101111':'y', '101011':'z'}
numbermap = {'100000':'1', '110000':'2', '100100':'3', '100110':'4', '100010':'5',
'110100':'6', '110110':'7', '110010':'8', '010100':'9', '010110':'0'}
numbersign = '001111'
capitalsign = '000001'
isnumber = False
iscapital = False
data = ''
for y in range(0, im.size[1], 3):
for x in range(0, im.size[0], 2):
dot = [im.getpixel((x, y)) == (255, 255, 255), im.getpixel((x, y+1)) == (255,
255, 255), im.getpixel((x, y+2)) == (255, 255, 255), im.getpixel((x+1, y)) == (255,
255, 255), im.getpixel((x+1, y+1)) == (255, 255, 255), im.getpixel((x+1, y+2)) == (255,
255, 255)]
code = ''.join(map(str, dot)).replace('True', '1').replace('False', '0')
# if code == '000000':
# # print(data)
# with open('output.zip', 'wb') as f:
# f.write(data.unhex())
# exit(0)
if code == numbersign:
isnumber = True
elif code == capitalsign:
iscapital = True
elif iscapital:
data += alphamap[code].upper()
iscapital = False
elif isnumber:
data += numbermap[code]
isnumber = False
else:
data += alphamap[code]
print(data)

提取出来⼀个压缩包和⼀个text blind watermark的密码，解⼀下得到flag

有固定的文件头的压缩包，可以使用bkcrack进行明文爆破

echo -n "89504E470D0A1A0A0000000D49484452" | xxd -r -ps > key

bkcrack -C flag.zip -c "I can't see any light.png" -p key -o 0

bkcrack -C flag.zip -c "I can't see any light.png" -k bd363f25 3a7da3aa 4bbe3175 -d flag.png