{"id":80,"date":"2023-01-04T17:32:52","date_gmt":"2023-01-04T09:32:52","guid":{"rendered":"http:\/\/zysgmzb.club\/?p=80"},"modified":"2023-01-19T18:39:25","modified_gmt":"2023-01-19T10:39:25","slug":"nctf2022-misc-offical-writeup","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/80","title":{"rendered":"NCTF2022 Misc Offical WriteUp"},"content":{"rendered":"<h2>Misc<\/h2>\n<h3>Signin<\/h3>\n<p>\u63cf\u8ff0\u4e00\u773c\u4e01\u771f\uff0c\u73a9\u8fc7\u6e38\u620f\u6216\u8005\u770b\u8fc7\u7535\u89c6\u5267\u7684\u90fd\u4f1a\u60f3\u5230\u4e00\u6bb5\u79d8\u7c4d\uff1a\u4e0a\u4e0a\u4e0b\u4e0b\u5de6\u53f3\u5de6\u53f3ba<\/p>\n<p>\u76f4\u63a5\u8f93\u5165\u5c31\u80fd\u62ff\u5230flag\uff0c\u76f4\u63a5\u4eba\u773cocr<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638cade1b1fccdcd36342c7d.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>NCTF{VVe1c0m3_T0_NCTF_2022!!!}<\/code><\/pre>\n<h3>qrssssssss<\/h3>\n<p>\uff08\u88ab\u975e\u9884\u671f\u4e86\uff0c\u597d\u70e6<\/p>\n<p>\u975e\u9884\u671f\u89e3\uff1a\u65f6\u95f4\u6392\u5e8f\u540e\u626b\u7801\u518d\u624b\u52a8\u53bb\u9664\u5197\u4f59\u6570\u636e\u5f97\u5230\u5927\u81f4\u7684flag\uff0c\u7136\u540e\u7206\u7834<\/p>\n<p>\u9884\u671f\uff1a\u8fd9\u9898\u662f\u901a\u8fc7\u4e8c\u7ef4\u7801data-masking\u7684\u987a\u5e8f\u6765\u6392flag\u91cc\u5b57\u7b26\u987a\u5e8f\u7684\uff0c\u5927\u81f4\u662f\uff1aL0~7 M0~7 Q0~7 H0~7<\/p>\n<p>\u641c\u4e86\u4e00\u5927\u5708\u6ca1\u641c\u5230\u597d\u7528\u7684\u811a\u672c\uff0c\u4e8e\u662f\u624b\u52a8\u5199\u4e86\u4e00\u4e2a\u8bc6\u522b\u7684\uff0c\u5177\u4f53\u5c31\u662f\u8bc6\u522b\u53f3\u8fb9\u6807\u8bb0\u4f4d\u7684\u9ed1\u767d\u987a\u5e8f\u7136\u540e\u6bd4\u5bf9\u4e00\u4e0b<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638caee2b1fccdcd36353d75.jpg\" alt=\"\" \/><\/p>\n<p>exp\u5982\u4e0b<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">from PIL import Image\nfrom pyzbar.pyzbar import decode\nimport os\n\ndef maskanalysis(img):\n    sign=&#039;&#039;\n    for ii in range(510,670,20):\n        pi=img.getpixel((ii,170))\n        if(pi==0):\n            sign+=&#039;1&#039;\n        if(pi==255):\n            sign+=&#039;0&#039;\n    return sign\n\ndef scanqr(img):\n    decocdeQR = decode(img)\n    return decocdeQR[0].data.decode(&#039;ascii&#039;)\n\nqrlist=os.listdir(rC:\\Users\\16334\\Desktop\\qrssssssss_revenge)\nflag=[0]*32\nmasklist=[&#039;11000100&#039;,&#039;11110011&#039;,&#039;10101010&#039;,&#039;10011101&#039;,&#039;00101111&#039;,&#039;00011000&#039;,&#039;01000001&#039;,&#039;01110110&#039;,&#039;00010010&#039;,&#039;00100101&#039;,&#039;01111100&#039;,&#039;01001011&#039;,&#039;11111001&#039;,&#039;11001110&#039;,&#039;10010111&#039;,&#039;10100000&#039;,&#039;01011111&#039;,&#039;01101000&#039;,&#039;00110001&#039;,&#039;00000110&#039;,&#039;10110100&#039;,&#039;10000011&#039;,&#039;11011010&#039;,&#039;11101101&#039;,&#039;10001001&#039;,&#039;10111110&#039;,&#039;11100111&#039;,&#039;11010000&#039;,&#039;01100010&#039;,&#039;01010101&#039;,&#039;00001100&#039;,&#039;00111011&#039;]\nfor i in qrlist:\n    img=Image.open(rC:\\Users\\16334\\Desktop\\qrssssssss_revenge\\{}.format(i))\n    qrmask=maskanalysis(img)\n    for j in range(32):\n        if(masklist[j]==qrmask):\n            flag[j]=scanqr(img)\n\nprint(&#039;&#039;.join(flag))<\/code><\/pre>\n<p>masklist\u5c31\u662f\u624b\u52a8\u8bc6\u522b\u7684\u63a9\u7801\u6807\u8bb0\u4f4d\uff0c\u7528\u7684pyzbar\u548cPIL\u5b9e\u73b0\u626b\u7801<\/p>\n<pre class=\"prettyprint linenums\" ><code>NCTF{737150-eeb-465-e91-110a8fb}<\/code><\/pre>\n<h3>qrssssssss_revenge<\/h3>\n<p>exp\u540cqrssssssss<\/p>\n<pre class=\"prettyprint linenums\" ><code>NCTF{62130783efd44b3692b4ddbecf}<\/code><\/pre>\n<h3>\u7089\u8fb9\u805a\u4f1a<\/h3>\n<p>\u7f51\u4e0a\u641c\u7d22\u4e00\u4e0b\u7089\u77f3\u4f20\u8bf4\u7f16\u7801\u89c4\u5219\u8fd9\u6837\u7684\u5c31\u53ef\u4ee5\u641c\u5230<a href=\"https:\/\/zhuanlan.zhihu.com\/p\/142113610\">\u8fd9\u6837\u4e00\u7bc7\u6587\u7ae0<\/a>\uff0c\u770b\u61c2\u4e86\u5c31\u80fd\u505a\u51fa\u6765<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">fflag=[&#039;10001100&#039;,&#039;00000110&#039;,&#039;10011110&#039;,&#039;00000101&#039;,&#039;11001000&#039;,&#039;00000110&#039;,&#039;10111100&#039;,&#039;00000101&#039;,&#039;11001110&#039;,&#039;00001001&#039;,&#039;11010000&#039;,&#039;00000101&#039;,&#039;11110010&#039;,&#039;00000111&#039;,&#039;11001010&#039;,&#039;00000111&#039;,&#039;11110100&#039;,&#039;00001000&#039;,&#039;10001000&#039;,&#039;00001001&#039;,&#039;10010000&#039;,&#039;00001000&#039;,&#039;10111110&#039;,&#039;00000110&#039;,&#039;10001000&#039;,&#039;00001001&#039;,&#039;11010110&#039;,&#039;00001000&#039;,&#039;11001100&#039;,&#039;00001000&#039;,&#039;11110010&#039;,&#039;00000111&#039;,&#039;10110110&#039;,&#039;00000111&#039;,&#039;10011110&#039;,&#039;00000101&#039;,&#039;11100000&#039;,&#039;00000011&#039;,&#039;11101000&#039;,&#039;00000111&#039;,&#039;11110010&#039;,&#039;00000111&#039;,&#039;10110110&#039;,&#039;00000111&#039;,&#039;10111110&#039;,&#039;00000110&#039;,&#039;11100000&#039;,&#039;00000011&#039;,&#039;11100000&#039;,&#039;00000011&#039;,&#039;11100000&#039;,&#039;00000011&#039;,&#039;10110110&#039;,&#039;00000111&#039;,&#039;10111100&#039;,&#039;00000101&#039;,&#039;10010010&#039;,&#039;00001001&#039;,&#039;11001100&#039;,&#039;00001000&#039;,&#039;11001100&#039;,&#039;00001000&#039;,&#039;11111010&#039;,&#039;00000110&#039;,&#039;10110110&#039;,&#039;00000111&#039;,&#039;11110100&#039;,&#039;00001000&#039;,&#039;10011010&#039;,&#039;00001000&#039;,&#039;10111010&#039;,&#039;00000100&#039;,&#039;10010000&#039;,&#039;00001000&#039;,&#039;10001000&#039;,&#039;00001001&#039;,&#039;11110110&#039;,&#039;00000100&#039;,&#039;11100010&#039;,&#039;00001001&#039;,&#039;00000000&#039;,&#039;00000000&#039;]\nfor i in range(40):\n    flag=fflag[2*i+1]+fflag[2*i][1:-1]+fflag[2*i][-1]\n    fla=int(flag,2)\n    fl=fla\/\/10\n    print(chr(fl),end=&#039;&#039;)<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638cb095b1fccdcd36372140.jpg\" alt=\"\" \/><\/p>\n<p>\uff08\u5176\u5b9e\u8fd8\u6709\u53e6\u4e00\u79cd\u89e3\u6cd5<\/p>\n<p>python\u751a\u81f3\u6709\u4e00\u4e2a\u5e93\u53ebhearthstone\uff0c\u8fd9\u662f\u6211\u4e07\u4e07\u6ca1\u6709\u60f3\u5230\u7684\uff0c\u76f4\u63a5\u62ff\u6765\u7528\u5c31\u884c<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">from hearthstone.deckstrings import Deck\n\ndeck = Deck.from_deckstring(&#039;AAEDAZoFKIwGngXIBrwFzgnQBfIHygf0CIgJkAi+BogJ1gjMCPIHtgeeBeAD6AfyB7YHvgbgA+AD4AO2B7wFkgnMCMwI+ga2B\/QImgi6BJAIiAn2BOIJAAA=&#039;)\n\nfor card in deck.cards:\n    flag_part = int(card[0] \/ 10)\n    print(chr(flag_part), end=&#039;&#039;)<\/code><\/pre>\n<pre class=\"prettyprint linenums\" ><code>NCTF{HearthStone_C0de_S000_FunnY_ri9ht?}<\/code><\/pre>\n<h3>zystego<\/h3>\n<p>\u4e00\u773c\u4e01\u771f\uff0c\u56fe\u7247\u5c3e\u90e8\u85cf\u7740\u4e00\u4e2a\u538b\u7f29\u5305\uff0c\u5206\u6790\u4e00\u4e0b\u53d1\u73b0\u662f\u771f\u52a0\u5bc6\uff0c\u62ff\u53bb\u7206\u7834\u5f97\u5230\u5bc6\u7801\u662f114514\uff0c\u76f4\u63a5\u5c31\u80fd\u62ff\u5230\u4e00\u4e2a\u5047flag\uff08\uff08\uff08\uff08<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638cb247b1fccdcd3638e8ac.jpg\" alt=\"\" \/><\/p>\n<p>\u53e6\u4e00\u4e2a\u6587\u4ef6something\u5219\u662fpgp\u7684\u79c1\u94a5\uff0c\u4e4b\u540e\u6709\u7528<\/p>\n<p>\u518d\u56de\u5230\u56fe\u7247\u672c\u8eab\uff0c\u7ed3\u5408\u5bbd\u9ad8\u4ed4\u7ec6\u770b\u770b\u53ef\u4ee5\u5224\u65ad\u51fa\u53f3\u8fb9\u591a\u51fa\u67653\u5217\u50cf\u7d20\uff0c\u8fd9\u91cc\u662f\u89e3\u9898\u7684\u5173\u952e\uff0c\u4e8e\u662f\u63d0\u53d6\u51fa\u6765\u770b\u770b\uff0c\u6a2a\u7740\u8bfb\u5b83\u4e09\u901a\u9053<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">from PIL import Image, ImageDraw\nimport struct\nwidth = 515\nheight = 512\nimg=Image.open(rC:\\Users\\16334\\Desktop\\fd.png)\na=[]\nfor i in range(height):\n    for j in range(width-3,width):\n        pi=img.getpixel((j,i))\n        for k in range(3):\n            a.append(pi[k])\nprint(a)<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638cb38eb1fccdcd363a4aa4.jpg\" alt=\"\" \/><\/p>\n<p>\u8fd9\u91cc\u53ef\u80fd\u6709\u4e00\u70b9\u70b9\u7684\u8111\u6d1e\uff0c\u53ef\u4ee5\u53d1\u73b0\u8fd9\u4e9b\u6570\u7684\u4e2a\u4f4d\u90fd\u662f5\u62160\uff0c\u5bb9\u6613\u8054\u7cfb\u5230\u4e8c\u8fdb\u5236\uff0c\u6240\u4ee5\u53ef\u4ee5\u5199\u4e2a\u811a\u672c\u8f6c\u4e00\u4e0b<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">from PIL import Image, ImageDraw\nimport struct\nwidth = 515\nheight = 512\nimg=Image.open(rC:\\Users\\16334\\Desktop\\fd.png)\na=[]\nfor i in range(height):\n    for j in range(width-3,width):\n        pi=img.getpixel((j,i))\n        for k in range(3):\n            a.append(pi[k])\nfor i in a:\n    j=i%10\n    if(j==5):\n        print(1,end=&#039;&#039;)\n    else:\n        print(0,end=&#039;&#039;)<\/code><\/pre>\n<p>\u63d0\u53d6\u51fa\u6765\u7684\u4e8c\u8fdb\u5236\u76f4\u63a5\u6bcf8\u4f4d\u8f6c\u5b57\u7b26\uff0c\u5c31\u53ef\u4ee5\u5f97\u5230\u76f2\u6c34\u5370\u811a\u672c\u4ee5\u53capgp\u52a0\u5bc6\u7684\u53e3\u4ee4\uff1a%$#%$#jhgasdfg76342t<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638cb420b1fccdcd363adec9.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">import secret\n\n\u4e01\u771f = np.float32(cv2.imread(rC:\\Users\\16334\\Desktop\\fadian.png, 1))\n\nfor i in range(64):\n    for j in range(64):\n        \u829d\u58eb = randint(0,2)\n        \u5c0f\u9a6c\u73cd\u73e0 = \u4e01\u771f[:, :, \u829d\u58eb]\n        \u96ea\u8c79 = cv2.dct(\u5c0f\u9a6c\u73cd\u73e0[8*i:8*i+8, 8*j:8*j+8])\n        if(secret[i*64+j] == &#039;1&#039;):\n            \u96ea\u8c79[7,7] = 20\n        elif(secret[i*64+j] == &#039;0&#039;):\n            \u96ea\u8c79[7,7] = -20\n        \u5c0f\u9a6c\u73cd\u73e0[8*i:8*i+8, 8*j:8*j+8] = cv2.idct(\u96ea\u8c79)\n        \u4e01\u771f[:, :, \u829d\u58eb] = \u5c0f\u9a6c\u73cd\u73e0\n\ncv2.imwrite(rC:\\Users\\16334\\Desktop\\fd.png, \u4e01\u771f)\n#a gift for you : %$#%$#jhgasdfg76342t<\/code><\/pre>\n<p>\u7b80\u5355\u66ff\u6362\u4e00\u4e0b\u53d8\u91cf\u540d\u5c31\u53ef\u4ee5\u5927\u81f4\u770b\u51fa\u6c34\u5370\u7684\u903b\u8f91\uff0c\u8fd9\u91cc\u7ed9\u51fa\u539f\u811a\u672c<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">from random import randint\nimport numpy as np\nfrom math import *\nimport cv2\n\nimg = np.float32(cv2.imread(rC:\\Users\\16334\\Desktop\\fadian.png, 1))\nsecret=open(rC:\\Users\\16334\\Desktop\\secret.txt).read()\n\nfor i in range(64):\n    for j in range(64):\n        cho = randint(0,2)\n        imgch = img[:, :, cho]\n        dctt = cv2.dct(imgch[8*i:8*i+8, 8*j:8*j+8])\n        if(secret[i*64+j] == &#039;1&#039;):\n            dctt[7,7] = 20\n        elif(secret[i*64+j] == &#039;0&#039;):\n            dctt[7,7] = -20\n        imgch[8*i:8*i+8, 8*j:8*j+8] = cv2.idct(dctt)\n        img[:, :, cho] = imgch\n\ncv2.imwrite(rC:\\Users\\16334\\Desktop\\fd.png, img)<\/code><\/pre>\n<p>\u5927\u81f4\u5c31\u662f\u5148\u628a\u539f\u56fe\u5206\u6210\u82e5\u5e728x8\u7684\u5757\uff0c\u7136\u540e\u5728\u8fd9\u4e2a\u5757\u4e0a\u968f\u673a\u9009\u62e9rgb\u901a\u9053\u4e2d\u7684\u4e00\u4e2a\u8fdb\u884cdct\u53d8\u6362\uff0c\u7136\u540e\u6839\u636esecret.txt\u91cc\u662f1\u8fd8\u662f0\u6765\u6539\u53d8dct\u77e9\u9635\u53f3\u4e0b\u89d2\u7684\u503c\uff0c\u7136\u540e\u5408\u5e76\u8fdb\u539f\u56fe\uff0c\u6700\u540e\u4fdd\u5b58<\/p>\n<p>\u4e8e\u662f\u53ef\u4ee5\u5199\u51fa\u4e2a\u7b80\u5355\u7684exp<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">import numpy as np\nfrom math import *\nimport cv2\n\nimg = np.float32(cv2.imread(rC:\\Users\\16334\\Desktop\\fd.png, 1))\n\nfor i in range(64):\n    for j in range(64):\n        for k in range(3):\n            imgg=img[:, :, k]\n            dctt = cv2.dct(imgg[8*i:8*i+8, 8*j:8*j+8])\n            if (dctt[7,7] &gt;= 10):\n                print(&#039;1&#039;,end=&#039;&#039;)\n            elif(dctt[7,7] <\/code><\/pre>\n<p>\u7531\u4e8edct\u9006\u53d8\u6362\u4f1a\u5bfc\u81f4\u4e00\u4e9b\u635f\u5931\uff0c\u6240\u4ee5\u5224\u65ad\u7684\u5730\u65b9\u9009\u62e9\u4e86\u4e0e10\u548c-10\u8fdb\u884c\u6bd4\u8f83<\/p>\n<p>\u5c06\u5f97\u5230\u7684\u7ed3\u679c\u8f6c\u4e00\u4e0b\u5c31\u80fd\u5f97\u5230\u4e00\u4e2a\u538b\u7f29\u5305\u4e86<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/638cb5acb1fccdcd363c512e.jpg\" alt=\"\" \/><\/p>\n<p>\u5229\u7528\u4e0a\u9762\u5f97\u5230\u7684pgp\u79c1\u94a5\u548c\u53e3\u4ee4\u76f4\u63a5\u89e3\u5bc6\u5c31\u53ef\u4ee5\u5f97\u5230flag\u529b<\/p>\n<pre class=\"prettyprint linenums\" ><code>NCTF{zys_1s_s0_V3g3T@13lE_qwq}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Misc Signin \u63cf\u8ff0\u4e00\u773c\u4e01\u771f\uff0c\u73a9\u8fc7\u6e38\u620f\u6216\u8005\u770b\u8fc7\u7535\u89c6\u5267\u7684\u90fd\u4f1a\u60f3\u5230\u4e00\u6bb5\u79d8\u7c4d\uff1a\u4e0a\u4e0a\u4e0b\u4e0b\u5de6\u53f3\u5de6\u53f3ba \u76f4\u63a5\u8f93\u5165\u5c31\u80fd\u62ff\u5230flag\uff0c\u76f4\u63a5\u4eba\u773cocr NCTF{VVe1c0m3_T0_NCTF_2022!!!} qrssssssss \uff08\u88ab\u975e\u9884\u671f\u4e86\uff0c\u597d\u70e6 \u975e\u9884\u671f\u89e3\uff1a\u65f6\u95f4\u6392\u5e8f\u540e\u626b\u7801\u518d\u624b\u52a8\u53bb\u9664\u5197\u4f59\u6570\u636e\u5f97\u5230\u5927\u81f4\u7684flag\uff0c\u7136\u540e\u7206\u7834 \u9884\u671f\uff1a\u8fd9\u9898\u662f\u901a\u8fc7\u4e8c\u7ef4\u7801data-masking\u7684\u987a\u5e8f\u6765\u6392flag\u91cc\u5b57\u7b26\u987a\u5e8f\u7684\uff0c\u5927 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-80","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/80","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=80"}],"version-history":[{"count":1,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/80\/revisions"}],"predecessor-version":[{"id":81,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/80\/revisions\/81"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=80"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=80"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=80"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}