来自夏风师傅的博客:https://blog.xiafeng2333.top/ctf-28/
#python3
import binascii
from Crypto.Util import number
p = open('perceptron2.png','rb').read()
# print(p[0x14:0x17]+chr(0xaf).encode()[-1:])
count = 0
height=160
for width in range(1020,1200):
data = p[:0x10] +width.to_bytes(4,'big') + height.to_bytes(4,'big')+ p[0x18:0x1d]
p2 =data + number.long_to_bytes(binascii.crc32(data[0xc:0x1d])&0xffffffff) + p[0x21:]
p1 = open('te2/'+str(count)+'.png','wb')
count += 1
p1.write(p2)
p1.close()
#这里直接提取三个zlib
import re,os
import zlib
c=re.sub(b'........IDAT',b'',open('修改宽度.png','rb').read(),0,re.S)#替换字符串,去掉IDAT头这里的re.S表示让 '.' 特殊字符匹配任何字符,包括换行符,事实上这里的.替换了length和CRC等无关数据为空串,
c=re.sub(b'........IEND....',b'',c,0,re.S)#替换字符串,去掉IEND尾
count=0
zlibhead=b'x\x9c\xed\x9d' #zlib头,注意不要重复
for i in c.split(zlibhead)[1:]:#从1开始是为了丢弃png signature
open('flag'+str(count)+'.data','wb').write(zlib.decompress(zlibhead+i))
count=count+1
根据crc爆破高度:
import os
import binascii
import struct
misc = open("attachment.png","rb").read()
for i in range(1024):
data = misc[12:20] + struct.pack('>i',i)+ misc[24:29]
crc32 = binascii.crc32(data) & 0xffffffff
if crc32 == 0x73B90B29:
print(i)
根据crc爆破宽度:
import os
import binascii
import struct
misc = open("attachment.png","rb").read()
for i in range(1024):
data = misc[12:16] + struct.pack('>i',i)+ misc[20:29]
crc32 = binascii.crc32(data) & 0xffffffff
if crc32 == 0x73B90B29:
print(i)