工控类¶
G-code 绘图¶
话不多说,直接上题(BugKu CTF)
提示是 g-code,上网搜搜
打开文件发现是带有 x,y 坐标
去 NC Viewer 在线绘图拿到 flag
SPI 协议隐写¶
话不多说,直接上题(BugKu CTF)
使用工具 Saleae Logic 打开文件
使用 SPI 分析协议拿到 flag
L2C 协议隐写¶
话不多说,直接上题(BugKu CTF)
使用工具 Saleae Logic 打开文件
使用 L2C 分析协议拿到 flag
手柄流量隐写¶
话不多说,直接上题(BUUCTF)
打开全是 USB 流量
提取数据
观察主要数据发现两处不一样的地方
根据上面那篇博客,操纵杆的流量也分左右,各占四个字节,分别是两个字节 x 轴,两个字节 y 轴
占 4 个字节的随机变化的流量也就只有 11-14 那一部分,,就可以推断出字节 9 是左扳机流量,字节 11-14 是左摇杆流量
也可以猜出字节 10 是右扳机流量,字节 15-18 是右摇杆流量.
根据流量画图即可,注意摇杆流量是摇杆对于中心的偏移,是一个有符号整数,根据这个偏移算坐标然后绘制就行
import os.path
import string
import struct
import math
from matplotlib import pyplot as plt
# 解析手柄数据包
def parse_gamepad_data(data):
# 获取左右扳机状态(字节4和字节5)
left_trigger = data[8]
right_trigger = data[9]
# 解析左操纵杆位置(字节6到字节9)
# 左操纵杆 X轴 (字节6, 7) 和 Y轴 (字节8, 9)
left_stick_x = struct.unpack('<h', bytes(data[10:12]))[0] # 小端模式
left_stick_y = struct.unpack('<h', bytes(data[12:14]))[0] # 小端模式
print(left_stick_x, left_stick_y)
# 解析右操纵杆位置(字节10到字节13)
# 右操纵杆 X轴 (字节10, 11) 和 Y轴 (字节12, 13)
right_stick_x = struct.unpack('<h', bytes(data[14:16]))[0] # 小端模式
right_stick_y = struct.unpack('<h', bytes(data[16:18]))[0] # 小端模式
return left_trigger, left_stick_x, left_stick_y, right_stick_x, right_stick_y
def extract_visible_chars(byte_data):
# 获取所有可打印字符
printable_chars = string.printable.encode() # 获取可打印字符的字节形式
# 从字节数据中筛选出可打印字符
visible_chars = bytes([byte for byte in byte_data if byte in printable_chars])
return visible_chars
# 初始化鼠标坐标
mouse_x, mouse_y = 0, 0
# 用于记录鼠标轨迹的坐标
trajectory_x = [mouse_x]
trajectory_y = [mouse_y]
n = 0
s = 0
current_direction = None # 当前方向
direction_factor = 0 # 当前方向的系数
if not os.path.exists("./1"):
os.makedirs("./1")
with open("13.txt", 'rb') as txt:
lines = txt.read().splitlines()
for line in lines:
print(len(line))
if len(line) < 100:
continue
line = extract_visible_chars(line)
line_bytes = bytes.fromhex(str(line)[2:-1]) # 先解码为字符串,再从十六进制转换为字节
s += 1
# 解析数据
left_trigger, left_stick_x, left_stick_y, right_stick_x, right_stick_y = parse_gamepad_data(line_bytes)
# 更新鼠标坐标
mouse_x += left_stick_x
mouse_y += left_stick_y
# 记录当前位置
if left_trigger >250:
trajectory_x.append(mouse_x)
trajectory_y.append(mouse_y)
elif left_trigger == 0:
s = 0
if len(trajectory_x) > 0:
plt.figure(figsize=(10, 8))
plt.plot(trajectory_x, trajectory_y, marker='o', color='b', markersize=3)
plt.title("Mouse Movement Trajectory from Gamepad Right Stick with Nonlinear Mapping")
plt.xlabel("X Position")
plt.ylabel("Y Position")
plt.grid(True)
plt.axis('equal')
# plt.show()
plt.savefig(f"./1/{n}.png")
plt.close()
n += 1
trajectory_x = []
trajectory_y = []
车钥匙信号隐写¶
话不多说,直接上题(攻防世界)
将音频文件放入 Audacity 中解析发现有粗有细
细的认为是 0,宽的认为是 1
钥匙信号(PT224X) = 同步引导码(8bit) + 地址位(20bit) + 数据位(4bit) + 停止码(1bit)
玩具车运动轨迹隐写¶
话不多说,直接上题(攻防世界)
看看他的小车在干啥,想到可能是要分析小车的运动轨迹
查了下小车的型号后发现有一个操作手册
可以看到和给的 wav 文件是对应的,于是我们开始写脚本输出每个端口的信号情况
import wave
import numpy as np
import turtle
filename = 'L293_1_A1'
wavfile = wave.open(filename + '.wav','rb')
# 获取音频参数
params = wavfile.getparams()
# 解包参数:nchannels: 声道数,sampwidth: 采样宽度(字节),framerate: 采样率(Hz),nframes: 总帧数
nchannels, sampwidth, framerate, nframes = params[:4]
# 读取所有音频帧
sig = wavfile.readframes(nframes)
# 将字节数据转换为 short 类型的 numpy 数组
sig = np.frombuffer(sig, dtype=np.short)
seq = ''
# 根据采样值是否大于 1000,将其转换为 "1" 或 "0"
for i in range(0,len(sig),framerate):
if sig[i] > 1000:
seq += "1"
else:
seq += "0"
file = open(filename + '.txt','w')
file.write(seq)
file.close()
之后,再根据每个端口的信号情况,模拟出小车的运动轨迹
import turtle
L_1_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_1_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_1_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_1_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_1_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_1_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_2_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_2_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_2_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_2_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
path = '' #1为前进2为后退3为左转4为右转
front_1 = '' #1为正转2为反转0为停止
front_2 = ''
back_1 = ''
back_2 = ''
for i in range(0,len(L_1_EnA)):
if L_1_EnA[i] == '1':
if L_1_A1[i] == '1' and L_1_A2[i] == '0':
front_1 = 1
elif L_1_A1[i] == '0' and L_1_A2[i] == '1':
front_1 = 2
else:
front_1 = 0
else:
front_1 = 0
if L_1_EnB[i] == '1':
if L_1_B1[i] == '1' and L_1_B2[i] == '0':
front_2 = 1
elif L_1_B1[i] == '0' and L_1_B2[i] == '1':
front_2 = 2
else:
front_2 = 0
else:
front_2 = 0
if L_2_EnA[i] == '1':
if L_2_A1[i] == '1' and L_2_A2[i] == '0':
back_1 = 1
elif L_2_A1[i] == '0' and L_2_A2[i] == '1':
back_1 = 2
else:
back_1 = 0
else:
back_1 = 0
if L_2_EnB[i] == '1':
if L_2_B1[i] == '1' and L_2_B2[i] == '0':
back_2 = 1
elif L_2_B1[i] == '0' and L_2_B2[i] == '1':
back_2 = 2
else:
back_2 = 0
else:
back_2 = 0
if front_1 == 1 and front_2 == 1 and back_1 == 1 and back_2 == 1:
path += '1'
elif front_1 == 2 and front_2 == 2 and back_1 == 2 and back_2 == 2:
path += '2'
elif front_1 == 2 and front_2 == 1 and back_1 == 2 and back_2 == 1:
path += '3'
elif front_1 == 1 and front_2 == 2 and back_1 == 1 and back_2 == 2:
path += '4'
else:
path += '5'
turtle.left(90)
for i in path:
if i == '1':
turtle.forward(5)
elif i == '2':
turtle.backward(5)
elif i == '3':
turtle.left(90)
elif i == '4':
turtle.right(90)
turtle.mainloop()
4442 式接触卡隐写¶
话不多说,直接上题(攻防世界)
下载得到 logicdata 格式文件
可以看到有时钟电平clk和数据电平data。查4442卡手册可以得知指令格式为:
- 每个指令从时钟高电平时数据下降沿后开始,数据从低位到高位的顺序发送
每个命令由三个字节组成:控制字节、地址字节、数据字节。时钟高电平数据电平上升沿代表本次命令结束
- 与加密密钥相关的指令类型是 0x33,用于校验口令
而 4442 卡的口令为三字节
因此我们需要找到这样一串数据:
在 6s950ms 处找到这串数据:
第一段
因此密钥的第一个字节是 0x40
重点是在时钟电平找到开始和结束标志(表现为一个较宽的峰),然后从数据电平按从高到低读取数据
第二段和第三段就在第一段后,各相隔 3 位以此类推得到 flag
红客¶
红客是中国大陆政治积极行动主义、民族主义以及爱国主义的黑客
红客以 "维护国家利益,不利用网络技术入侵自己国家的电脑,为祖国争光" 为宗旨
红客起源于 1999 年的五八事件,在美国轰炸中国驻南斯拉夫大使馆后的第二天,中国信息安全从业者苗得雨制作了第一个红客网站——“中国红客之祖国团结阵线”(随后的7月份改名为“中国红客之祖国统一战线”),其词语来源于新加坡《联合早报》的一篇报道形容的“红旗下的黑客”,由此创造出了一个新的黑客分支——“红客”。背离黑客所谓的无政府主义精神,以宣扬爱国主义下的黑客精神为主导,并引用了毛泽东青年时的话语:“国家是我们的国家,人民是我们的人民,我们不喊谁喊?我们不干谁干?”。网站在短短的数天内访问量已达50多万,并出现在新浪网的新闻链接中
2010 年百度域名被劫持事件发生后,有自称中国红客的网民呼吁攻击伊朗网站。随后,伊朗一域名为iribu.ir的教育机构网站被攻击,在百度网站被攻击事件发生后,该教育机构网站页面出现黑屏,之后出现 “Long live The People's Republic of China”(中华人民共和国万岁)的字样。而多个伊朗政府网站亦被中国黑客攻击
2010 年马尼拉前警员劫持香港旅行团事件发生后,菲律宾布拉干省政府官网疑似被中国红客攻击。黑客在网页上悬挂中华人民共和国国旗,并留下了要求菲律宾政府就菲劫持人质事件做道歉的文字
2011 年,南海问题不断升级,中华人民共和国多家地方政府网站遭越南黑客攻击,被入侵网站标有“越南黑客是第一”,“越南人民愿意牺牲来保护海洋,天空和国家”等文字。中国红客反击越南网站,据统计有千余家越南网站被攻陷并挂上中华人民共和国国旗
2012 年 4 月,中菲黄岩岛对峙引发中菲黑客互黑对方国家网站。中国数家网站遭菲律宾黑客攻击,其中包括“中国大学生自强之星”、中青在线、中青视频等7家网站。中国黑客攻击了菲律宾大学网站,将该校主页变成一张黄岩岛海域的地图,并将“我们来自中国”、“黄岩岛是我们的”等文字打在地图上
2022 年 8 月 2 日,时任美国众议院议长佩洛西访台,中华民国总统府官网遭到中国红客攻击。2022 年 8月 3 日,台湾高铁公司新左营站的广告看板以及超商门市的屏幕随后也被植入有关“反佩洛西”的文字。之后 2022 年 8 月 6 日,台湾民视电视台被中国红客入侵。之后晚间时刻有网友忽然发现民视电视台出现了一面中国版图以及简体字“中国一点都不能少”的字样外加背景音乐《我和我的祖国》总共维持3分钟
总结¶
很多题目都是考了不同或者多方向的知识点,总之,学得越多越好