跳转至

工控类

G-code 绘图

提示是 g-code,上网搜搜

打开文件发现是带有 x,y 坐标

去 NC Viewer 在线绘图拿到 flag

SPI 协议隐写

使用工具 Saleae Logic 打开文件

使用 SPI 分析协议拿到 flag

L2C 协议隐写

使用工具 Saleae Logic 打开文件

使用 L2C 分析协议拿到 flag

手柄流量隐写

打开全是 USB 流量

提取数据

tshark -r .\13.pcapng -T fields -e usb.capdata > 13.txt

观察主要数据发现两处不一样的地方

参考博客

根据上面那篇博客,操纵杆的流量也分左右,各占四个字节,分别是两个字节 x 轴,两个字节 y 轴

占 4 个字节的随机变化的流量也就只有 11-14 那一部分,,就可以推断出字节 9 是左扳机流量,字节 11-14 是左摇杆流量

也可以猜出字节 10 是右扳机流量,字节 15-18 是右摇杆流量.

根据流量画图即可,注意摇杆流量是摇杆对于中心的偏移,是一个有符号整数,根据这个偏移算坐标然后绘制就行

import os.path
import string
import struct
import math
from matplotlib import pyplot as plt


# 解析手柄数据包
def parse_gamepad_data(data):
    # 获取左右扳机状态(字节4和字节5)
    left_trigger = data[8]
    right_trigger = data[9]

    # 解析左操纵杆位置(字节6到字节9)
    # 左操纵杆 X轴 (字节6, 7) 和 Y轴 (字节8, 9)
    left_stick_x = struct.unpack('<h', bytes(data[10:12]))[0]  # 小端模式
    left_stick_y = struct.unpack('<h', bytes(data[12:14]))[0]  # 小端模式
    print(left_stick_x, left_stick_y)
    # 解析右操纵杆位置(字节10到字节13)
    # 右操纵杆 X轴 (字节10, 11) 和 Y轴 (字节12, 13)
    right_stick_x = struct.unpack('<h', bytes(data[14:16]))[0]  # 小端模式
    right_stick_y = struct.unpack('<h', bytes(data[16:18]))[0]  # 小端模式
    return left_trigger, left_stick_x, left_stick_y, right_stick_x, right_stick_y


def extract_visible_chars(byte_data):
    # 获取所有可打印字符
    printable_chars = string.printable.encode()  # 获取可打印字符的字节形式
    # 从字节数据中筛选出可打印字符
    visible_chars = bytes([byte for byte in byte_data if byte in printable_chars])
    return visible_chars


# 初始化鼠标坐标
mouse_x, mouse_y = 0, 0

# 用于记录鼠标轨迹的坐标
trajectory_x = [mouse_x]
trajectory_y = [mouse_y]
n = 0
s = 0
current_direction = None  # 当前方向
direction_factor = 0  # 当前方向的系数

if not os.path.exists("./1"):
    os.makedirs("./1")

with open("13.txt", 'rb') as txt:
    lines = txt.read().splitlines()
    for line in lines:
        print(len(line))
        if len(line) < 100:
            continue
        line = extract_visible_chars(line)
        line_bytes = bytes.fromhex(str(line)[2:-1])  # 先解码为字符串,再从十六进制转换为字节
        s += 1
        # 解析数据
        left_trigger, left_stick_x, left_stick_y, right_stick_x, right_stick_y = parse_gamepad_data(line_bytes)

        # 更新鼠标坐标
        mouse_x += left_stick_x
        mouse_y +=  left_stick_y

        # 记录当前位置
        if left_trigger >250:
            trajectory_x.append(mouse_x)
            trajectory_y.append(mouse_y)
        elif left_trigger == 0:
            s = 0
            if len(trajectory_x) > 0:
                plt.figure(figsize=(10, 8))
                plt.plot(trajectory_x, trajectory_y, marker='o', color='b', markersize=3)
                plt.title("Mouse Movement Trajectory from Gamepad Right Stick with Nonlinear Mapping")
                plt.xlabel("X Position")
                plt.ylabel("Y Position")
                plt.grid(True)
                plt.axis('equal')
                # plt.show()
                plt.savefig(f"./1/{n}.png")
                plt.close()
                n += 1
            trajectory_x = []
            trajectory_y = []

车钥匙信号隐写

将音频文件放入 Audacity 中解析发现有粗有细

细的认为是 0,宽的认为是 1

00111010010101010011000100011101001010101001100010

钥匙信号(PT224X) = 同步引导码(8bit) + 地址位(20bit) + 数据位(4bit) + 停止码(1bit)

sctf{01110100101010100110}

玩具车运动轨迹隐写

看看他的小车在干啥,想到可能是要分析小车的运动轨迹

查了下小车的型号后发现有一个操作手册

可以看到和给的 wav 文件是对应的,于是我们开始写脚本输出每个端口的信号情况

import wave
import numpy as np
import turtle

filename = 'L293_1_A1'
wavfile = wave.open(filename + '.wav','rb')
# 获取音频参数
params = wavfile.getparams()
# 解包参数:nchannels: 声道数,sampwidth: 采样宽度(字节),framerate: 采样率(Hz),nframes: 总帧数
nchannels, sampwidth, framerate, nframes = params[:4]
# 读取所有音频帧
sig = wavfile.readframes(nframes)
# 将字节数据转换为 short 类型的 numpy 数组
sig = np.frombuffer(sig, dtype=np.short)
seq = ''
# 根据采样值是否大于 1000,将其转换为 "1" 或 "0"
for i in range(0,len(sig),framerate):
    if sig[i] > 1000:
        seq += "1"
    else:
        seq += "0"
file = open(filename + '.txt','w')
file.write(seq)
file.close()

之后,再根据每个端口的信号情况,模拟出小车的运动轨迹

import turtle

L_1_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_1_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_1_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_1_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_1_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_1_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_2_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_2_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_2_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_2_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'

path = '' #1为前进2为后退3为左转4为右转
front_1 = '' #1为正转2为反转0为停止
front_2 = ''
back_1 = ''
back_2 = ''

for i in range(0,len(L_1_EnA)):
    if L_1_EnA[i] == '1':
        if L_1_A1[i] == '1' and L_1_A2[i] == '0':
            front_1 = 1
        elif L_1_A1[i] == '0' and L_1_A2[i] == '1':
            front_1 = 2
        else:
            front_1 = 0
    else:
        front_1 = 0
    if L_1_EnB[i] == '1':
        if L_1_B1[i] == '1' and L_1_B2[i] == '0':
            front_2 = 1
        elif L_1_B1[i] == '0' and L_1_B2[i] == '1':
            front_2 = 2
        else:
            front_2 = 0
    else:
        front_2 = 0
    if L_2_EnA[i] == '1':
        if L_2_A1[i] == '1' and L_2_A2[i] == '0':
            back_1 = 1
        elif L_2_A1[i] == '0' and L_2_A2[i] == '1':
            back_1 = 2
        else:
            back_1 = 0
    else:
        back_1 = 0
    if L_2_EnB[i] == '1':
        if L_2_B1[i] == '1' and L_2_B2[i] == '0':
            back_2 = 1
        elif L_2_B1[i] == '0' and L_2_B2[i] == '1':
            back_2 = 2
        else:
            back_2 = 0
    else:
        back_2 = 0
    if front_1 == 1 and front_2 == 1 and back_1 == 1 and back_2 == 1:
        path += '1'
    elif front_1 == 2 and front_2 == 2 and back_1 == 2 and back_2 == 2:
        path += '2'
    elif front_1 == 2 and front_2 == 1 and back_1 == 2 and back_2 == 1:
        path += '3'
    elif front_1 == 1 and front_2 == 2 and back_1 == 1 and back_2 == 2:
        path += '4'
    else:
        path += '5'
turtle.left(90)
for i in path:
    if i == '1':
        turtle.forward(5)
    elif i == '2':
        turtle.backward(5)
    elif i == '3':
        turtle.left(90)
    elif i == '4':
        turtle.right(90)
turtle.mainloop()

4442 式接触卡隐写

下载得到 logicdata 格式文件

可以看到有时钟电平clk和数据电平data。查4442卡手册可以得知指令格式为:

  1. 每个指令从时钟高电平时数据下降沿后开始,数据从低位到高位的顺序发送

每个命令由三个字节组成:控制字节、地址字节、数据字节。时钟高电平数据电平上升沿代表本次命令结束

  1. 与加密密钥相关的指令类型是 0x33,用于校验口令

而 4442 卡的口令为三字节

因此我们需要找到这样一串数据:

0x33 0x01 flag[1] 0x33 0x02 flag[2] 0x33 0x03 flag[3]

在 6s950ms 处找到这串数据:

第一段

因此密钥的第一个字节是 0x40

重点是在时钟电平找到开始和结束标志(表现为一个较宽的峰),然后从数据电平按从高到低读取数据

第二段和第三段就在第一段后,各相隔 3 位以此类推得到 flag

SCTF{403110}

总结

很多题目都是考了不同或者多方向的知识点,总之,学得越多越好

评论