Fork me on GitHub
pikachu's Blog

DelCTF2020 mc_easybgm

前言

Solutions

  • 题目给了提示 hint: easy stego,应该是和 mp3 隐写有关,按照常规思路,有三种思路:

    • 直接查找 flag
    • 查看该音频文件的波形图、频谱图,是否存在相关信息可以转化为摩斯电码
    • 查看 mp3 中是否含有隐藏文件,提取文件
  • 对于该题目来说,都没有什么结果,查阅到 mp3 音频帧存在帧头信息,可参考如下链接:

  • 发现存在保留字位 private bit 可控写入信息,因此,只需要提取每一个 mf 组中的该位,组合起来,就是答案

  • 可以从图中看到 ms 开始位为 0x28A3 ,即第 10403 字节
1
2
3
4
5
6
7
8
9
10
11
12
13
uint32 frame_sync : 12
uint32 mpeg_id : 1
uint32 layer_id : 2
uint32 protection_bit : 1
uint32 bitrate_index : 4
uint32 frequency_index : 2
uint32 padding_bit : 1
uint32 private_bit : 1
uint32 channel_mode : 2
uint32 mode_extension : 2
uint32 copyright : 1
uint32 original : 1
uint32 emphasis : 2
  • 总共 12+1+2+1+4+2+1+1+2+2+1+1+2=32 ,即总共 4 字节, private_bit24 ,所在的字节为第 3 个字节,因此该字节对应的地址为 10403+2=10405

  • 观察每一个 mf 组,大小都为 0x1A1 , 即 417 字节

  • 可通过写脚本解决,如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
import re
import binascii
n = 10405
result = ''
fina = ''
file = open('C:/Users/lenovo/Desktop/bgm.mp3','rb')
while n < 1369844 :
file.seek(n,0)
n += 417
file_read_result = file.read(1)
read_content = bin(ord(file_read_result))[-1]
result = result + read_content
print result
  • 输出如下:
1
101111101000010010101110011010101000001001010110110011000010001011111010001000101000110001001110000011001110101011111010001011100110001000101100010010101100001011001100111011001001011010110010111110100000110000101110111110101100110010110110000011001100011010001100110011001110101011011110011000100010101011000010100011001010011000100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  • 后面一堆 0 串都不要,只保留到 8 的倍数刚好完成,后面的 0 全部舍弃,同时将保留的数据反转,并且 8 个一组分割开,转成字符串即可
1
2
3
4
5
6
7
8
9
import re

fina = ''
result = '010001000110010100110001010000110101010001000110011110110101011100110011001100010110001100110000011011010011001101011111011101000011000001011111010011010110100100110111001100110100001101010010001101000100011001110100010111110101011100110000011100100011000101000100010111110100010000110011011010100100000101010110011101010010000101111101'
textArr = re.findall('.{'+str(8)+'}', result)
# textArr.append(result[(len(textArr)*8):])
for i in textArr:
fina = fina + chr(int(i,2)).strip('\n')
print fina
  • 最后输出如下:

参考

参考
https://l1near.top/index.php/2020/05/06/52.html
https://www.cnpanda.net/ctf/342.html

---------------- The End ----------------
谢谢大爷~

Author:pikachu
Link:https://hitcxy.com/2020/DelCTF2020-mc-easybgm/
Contact:hitcxy@hotmail.com
本文基于 知识共享署名-相同方式共享 4.0 国际许可协议发布
转载请注明出处,谢谢!