Bugku MISC做题笔记

简单套娃DX

这一题需要对png图片的结构有所了解。详细可参考https://www.w3.org/TR/png/

幸好每一张图片只有一个错误，逐步调试，就可以发现所有错误，修正即可。具体错误参看python程序中的注释：

import  os
 
src_dir = '.\\XD\\'
des_dir = '.\\out\\'
src_files = os.listdir(src_dir)
des_files = os.listdir(des_dir)
 
f_count={0:0,1:0,2:0,3:0,4:0,5:0,6:0,7:0}
for fname in src_files:
    if fname in des_files:
        continue
    with open(src_dir+fname,'rb') as f:
        srcdata = f.read()
    #丢掉了文件头标识
    if srcdata[1:4] != b'PNG':
        desdata = 0x89504E470D0A1A0A.to_bytes(8,'big') + srcdata
        f_count[1] += 1
 
    #IHDR块长度和标识码被清零
    elif srcdata[8:0x10] == 0x0000000000000000.to_bytes(8, 'big'):  
        desdata = srcdata[:8] + 0x0000000D49484452.to_bytes(8,'big') + srcdata[16:]
        f_count[2] += 1
 
    #IHDR宽高值不对
    elif srcdata[0xc:0x10] == b'IHDR' and srcdata[0x10:0x18] != 0x0000000500000005.to_bytes(8,'big'):  
        desdata = srcdata[:0x10] +0x5.to_bytes(4,'big') + 0x5.to_bytes(4,'big') + srcdata[0x18:]
        f_count[3] += 1
 
    #IDAT块长度被清零
    elif srcdata[0x21:0x29] == 0x00000000.to_bytes(4, 'big')+b'IDAT':  
        if srcdata.index(b'eXIf') >= 0:
            IDAT_len = srcdata.index(b'eXIf') - 0x29 - 4 -4
        else:
            print('[!] Error!! %s'%fname)
            break
        desdata = srcdata[:0x21] + IDAT_len.to_bytes(4,'big') + srcdata[0x25:]
        f_count[4] += 1
    
    #IDAT块标识被删除
    elif srcdata[0xc:0x10] == b'IHDR' and srcdata[0x25:0x29] != b'IDAT':  
        desdata = srcdata[:0x25] + b'IDAT' + srcdata[0x25:]
        f_count[5] += 1
 
    #IHDR头的颜色类型错误
    elif srcdata[0xC:0x10] == b'IHDR' and srcdata[0x18:0x1A] != 0x0100.to_bytes(2,'big'): 
        desdata = srcdata[:0x18] + 0x0100.to_bytes(2,'big') + srcdata[0x1A:]
        f_count[6] += 1
    
    #IHDR块被放到了倒数第二块,IDAT变为第一块
    elif srcdata[0xc:0x10] == b'IDAT':  
        IHDR_block_begin = srcdata.index(b'IHDR') - 4 
        IHDR_block = srcdata[IHDR_block_begin:IHDR_block_begin+25]
        desdata = srcdata[:8] + IHDR_block + srcdata[8:IHDR_block_begin] + srcdata[IHDR_block_begin+25:]
        f_count[7] += 1
    else:
        desdata = srcdata
        f_count[0] += 1
    with open(des_dir+fname,'wb') as f:
        f.write(desdata)
print(f_count)

图片修正以后，观察图片内容，应该是二维码碎片。查看每个图片的exif信息，发现数据：

import os
from PIL import Image
 
basedir = '.\\out\\'
list = []
for fname in os.listdir(basedir):
    image = Image.open(basedir+fname)
    exif = image.getexif()
    list.append([ int(exif[282]),int(exif[283]) ])
    image.close()
list.sort(key=lambda x: [x[0], x[1]])
print(list)
 
#[[0, 0], [0, 1], [0, 2], [0, 3], [0, 4], [0, 5], [0, 6], [0, 7], [0, 8], [0, 9], [0, 10], [0, 11], [0, 12], [0, 13], [0, 14], [0, 15], [0, 16], [0, 17], [0, 18], [0, 19], 
#...
# [449, 0], [449, 1], [449, 2], [449, 3], [449, 4], [449, 5], [449, 6], [449, 7], [449, 8], [449, 9], [449, 10], [449, 11], [449, 12], [449, 13], [449, 14], [449, 15], [449, 16], [449, 17], [449, 18], [449, 19]]

因此这些应该是每个图片的坐标，依据这些坐标进行拼接图片，得到flag：

import os
from PIL import Image
basedir = '.\\out\\'
list = []
newimg = Image.new('RGB',(450*5,20*5),(255,255,255)) #白底
for fname in os.listdir(basedir):
    image = Image.open(basedir+fname)
    exif = image.getexif()
    x,y = int(exif[282])*5,int(exif[283])*5
    newimg.paste(image,(x,y,x+5,y+5))   
    image.close()
newimg.save('new.png')