La la, I don't know if you all know about the last write-up... (⊙_⊙)? Link to the previous article
This is another requirement for getting started with CTF: steganography ~~ (please don't flame me if it isn't explained well)
Steganography (literally "implicit writing"), as the name implies, means that the information to be conveyed is hidden in various carriers (data streams, archives, images, audio, etc.). Modern digital watermarking technology developed from this. In today's society, digital watermarking is becoming more and more important for copyright protection. The following example illustrates its importance.
- For example, movie company A shoots a very good movie. The original film is divided into three parts and handed over to screening engineer B, director C and producer D, and the three films assigned to them each use a different digital watermarking technique, corresponding to B, C and D. Soon afterwards, pirated copies spread on the market. How can the company know which party leaked the original film? Movie company A can analyze the digital watermark in the copies downloaded from the market. If the result is the watermark corresponding to B, the company can take B, the screening engineer, to court over copyright... (that is roughly the idea)
- Next, let's start with steganography.
- Archive steganography
Archives are something we use all the time. The common formats are .rar, .zip and .7z (these seem to be the common ones).
Archives can be encrypted. As we all know, there are several ways to get past the encryption:
- Brute force: carried out with the corresponding brute-force cracking software, using the software's decryption algorithm. CTFs sometimes set this kind of challenge; the time required to crack it varies with the complexity of the encryption.
- Pseudo-encryption: by modifying data in the archive's hex, the archive is shown as password-protected (in fact it is not encrypted; brute-forcing it at this point would take ten thousand years)
1. You can use ZipCenOp.jar (requires a Java environment), run from cmd (change to the target directory first)
Command: java -jar ZipCenOp.jar r xxx.zip
2. Use WinRAR to repair the archive (which may be hard to get working)
3. A zip file consists of three parts: the compressed source file data area + the compressed source file directory area + the compressed source file directory end mark
Each of the three has its own header mark; mainly look at the second one.
Compressed source file data area:
50 4B 03 04: the file header mark
Compressed source file directory area:
50 4B 01 02: the directory file header mark
3F 00: pkware version used for compression
14 00: pkware version required to decompress the file
00 00: general-purpose bit flag (encrypted or not). If this is changed to 09 00, the archive is shown as password-protected.
- Known-plaintext attack (using advanced zip password attack software): given a file, or other files, you can then try to crack the archive
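An added example, not part of the original article: a Python check for the pseudo-encryption case described above. It walks the directory area and reports entries whose general-purpose bit flag has the encryption bit set while the matching file header's flag does not. The function names and the constructed sample archive are assumptions for illustration; an archive whose file header flag was edited as well would not be reported by this check.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # directory end mark
CD_SIG = b"PK\x01\x02"     # 50 4B 01 02: directory file header mark
LOCAL_SIG = b"PK\x03\x04"  # 50 4B 03 04: file header mark


def find_pseudo_encrypted(data):
    """Names whose directory flag claims encryption while the local header's does not."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no directory end mark found")
    # Directory end record: entry count at +10, directory size at +12, offset at +16.
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    suspects = []
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad directory header at offset %d" % pos)
        (cd_flag,) = struct.unpack_from("<H", data, pos + 8)  # general-purpose bit flag
        name_len, extra_len, note_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("bad local header for %r" % name)
        (local_flag,) = struct.unpack_from("<H", data, local_off + 6)
        if (cd_flag & 1) and not (local_flag & 1):  # bit 0 is the encryption bit
            suspects.append(name)
        pos += 46 + name_len + extra_len + note_len
    return suspects


def make_sample(fake):
    """Constructed sample: an unencrypted zip; if fake, patch the directory flag to 09 00."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if fake:
        (cd,) = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)
        data[cd + 8:cd + 10] = b"\x09\x00"
    return bytes(data)


if __name__ == "__main__":
    print(find_pseudo_encrypted(make_sample(fake=True)))   # constructed input
    print(find_pseudo_encrypted(make_sample(fake=False)))
```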
- Image steganography
A piece of information is attached to the image's hex data, but the file is still displayed as an image.
- You can use a command in cmd to hide a TXT file behind a PNG file: copy x.png/b + x.txt/a xx.png
Extraction method:
1. Drag the file into HxD or another hex viewer and manually separate the files according to their header format.
2. Use the binwalk or foremost command: binwalk <file to extract> -e, or foremost <file to extract>.
- LSB (least significant bit): in this kind of steganography the data is hidden in the lowest bits, usually bit positions 0, 1 and 2. Use Stegsolve to check the color channels; some of them will hide information. Example: (the "sbsbsb" steganography question from the experiment)
- In CTF competitions, a hex editing tool can be used to change the image height so that only part of the image is displayed and the rest is hidden. Well, this is a good way to hide things.
When none of the above methods yields the flag and the image's height/width ratio looks strange, you can try changing the image size. The following describes how to locate the width and height fields of the image:
A) For PNG files, the sixth column in the second row is the height position; modify this value.
B) For images in other formats, first check the image properties to obtain the width and height values, convert them to hexadecimal, and search for the hexadecimal value to locate the field.
Getting started with CTF: steganography