2025ACTF

April 26, 2025 ·  ·

AAAAACTF,感觉不错

2025ACTF

Misc

QQQRcode

感谢@脉冲星师傅,非常愉快的合作

先完成第一步:工作量证明(PoW)验证的代码

from pwn import *
import hashlib
import itertools
import string
import re

# Open a pwntools tube to the challenge server; every later recv/send in this script goes through `io`.
io = remote('1.95.71.197', 9999)

def find_prefix(target_hash, suffix, length=4):
    """Brute-force the proof-of-work prefix.

    Enumerates every ``length``-character string over ASCII letters, digits
    and ``!@#$%^&*()`` and returns the first one for which
    ``sha256(prefix + suffix)`` has the hex digest ``target_hash``.
    Returns ``None`` when the whole search space is exhausted.

    ``target_hash`` is compared as-is against ``hexdigest()`` output, so it
    must be lowercase hex. The alphabet has 72 symbols, which makes the
    default length of 4 cost at most 72**4 (about 26.9 million) hashes.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()"
    # Lazy search: stops at the first candidate whose digest matches.
    hits = (
        candidate
        for candidate in map(''.join, itertools.product(alphabet, repeat=length))
        if hashlib.sha256((candidate + suffix).encode()).hexdigest() == target_hash
    )
    return next(hits, None)

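# Read the proof-of-work banner line sent by the server.
response = io.recvuntil(b'\n')

# Expected shape: "...+<suffix>) == <sha256 hex digest>".
# group(1) captures the known suffix, group(2) the target digest.
match = re.search(r'\+([a-zA-Z0-9+/=]+)\)\s*==\s*([a-f0-9]+)', response.decode())

if match:
    part1 = match.group(1)  # suffix appended to the unknown 4-character prefix
    part2 = match.group(2)  # target SHA-256 hex digest
    # The labels were swapped in the original: part2 is the hash, part1 the suffix.
    print("哈希值:" + part2)
    print("后缀为:" + part1)

    prefix = find_prefix(part2, part1)
    if prefix:
        print(f"找到匹配的前缀:{prefix}")

        response1 = io.recvuntil(b'XXXX:')

        # Send bytes explicitly instead of relying on implicit str conversion.
        io.sendline(prefix.encode())

        next_response = io.recvline()
        print("答案为"+ next_response.decode())
    else:
        # No prefix found: there is nothing valid to submit, so do not send
        # None to the server; fall through to the interactive session.
        print("未找到匹配的前缀")

# If the banner did not match the regex, nothing was sent; the session is
# handed to the operator either way.
io.interactive()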

完成二维码生成函数,注意 box_size 和 border 的设置(box_size=1、border=0,即每个模块对应一个像素且不留白边),方便之后转化为矩阵

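def generate_three_qr_codes():
    """Render the three target strings as QR codes and save them as PNG files.

    Returns the written file names (``qr_<text>.png``) in the order
    'Azure', 'Assassin', 'Alliance'.

    ``box_size=1`` and ``border=0`` give one pixel per QR module and no quiet
    zone, so each PNG can be read back directly as the module matrix. The
    later steps assume a 21x21 (version 1) code; ``make(fit=True)`` would
    pick a larger version for data that does not fit, so keep inputs short.
    """
    filenames = []
    for text in ('Azure', 'Assassin', 'Alliance'):
        filename = f"qr_{text}.png"
        qr = qrcode.QRCode(
            version=1,
            error_correction=qrcode.constants.ERROR_CORRECT_L,
            box_size=1,
            border=0,
        )
        qr.add_data(text)
        qr.make(fit=True)

        # `fill_color` is the keyword make_image reads; the original `fill=`
        # was silently ignored and only worked because black is the default.
        img = qr.make_image(fill_color='black', back_color='white')

        img.save(filename)
        filenames.append(filename)

    return filenames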

二维码转成二维矩阵

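def read_qr_pixels_to_matrix(filename):
    """Load a QR code image and return it as a 0/1 integer matrix.

    The image is converted to 1-bit mode; every pixel equal to 0 (black)
    becomes 1 in the result and every other pixel becomes 0. The matrix is
    also printed row by row.
    """
    # The context manager closes the image file once the pixels are copied out.
    with Image.open(filename) as img:
        pixels = np.array(img.convert('1'))

    # Dark module -> 1, light module -> 0 (the inverse of the raw pixel value).
    binary_matrix = (pixels == 0).astype(int)
    print("Decoded 21x21 Matrix from QR code:")
    for row in binary_matrix:
        print(row)

    return binary_matrix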
  • front 投影:从 z 轴方向查看三维矩阵,生成二维图像。

  • left 投影:从 x 轴方向查看三维矩阵,生成二维图像。

  • top 投影:从 y 轴方向查看三维矩阵,生成二维图像。

  • front 投影对应字符 Azure。

  • left 投影对应字符 Assassin。

  • top 投影对应字符 Alliance。

得到三个独立的二维码之后,我们将这三个二维码分别作为新的“三维码”的前、左、顶三个面,并转化为字符串。虽然说这样不够严谨(三个面共用索引为 0 的棱,后写入的面会覆盖先写入的面),0 索引列的二维码点位会存在多点的情况,但是经过本地测试是可以扫出来的,只能说二维码的包容性还是太好了。

# Combine the three projection matrices into one 21x21x21 volume
def create_3d_matrix(front, left, top):
    """
    Place three 21x21 face matrices on the index-0 planes of a 21x21x21 array.

    :param front: values written to ``matrix[x][y][0]`` (the z == 0 plane).
    :param left: values written to ``matrix[x][0][z]`` (the y == 0 plane).
    :param top: values written to ``matrix[0][y][z]`` (the x == 0 plane).
    :return: 21x21x21 integer array; every cell off the three planes is 0.

    The planes share their index-0 edges and are written in the order
    front, left, top, so on a shared edge the later face overwrites the
    earlier one.
    """
    size = 21
    span = range(size)
    matrix = np.zeros((size, size, size), dtype=int)

    # z == 0 plane <- front
    for i in span:
        for j in span:
            matrix[i, j, 0] = front[i][j]

    # y == 0 plane <- left
    for i in span:
        for j in span:
            matrix[i, 0, j] = left[i][j]

    # x == 0 plane <- top
    for i in span:
        for j in span:
            matrix[0, i, j] = top[i][j]

    return matrix
  
def three_dim_matrix_to_binary(matrix):
    """Serialise a 3-D array as a string of '0'/'1' characters.

    Cells equal to 1 become '1' and every other value becomes '0'. Cells are
    emitted in flattened order (last index varies fastest). Raises
    ``ValueError`` when the input is not three-dimensional.
    """
    if matrix.ndim != 3:
        raise ValueError("输入必须是一个三维矩阵")

    # Boolean mask of the set cells, flattened to one dimension.
    flags = np.equal(matrix, 1).ravel()
    return ''.join('1' if flag else '0' for flag in flags)

但是我们后来发现这样满足不了答案中 1 的个数小于 390 的要求,所以我们对原先的三维码进行一个修补:遍历所有不在前、左、顶三个面上的点,若它在前、左、顶三个面上的投影点都为 1,则我们将这三个点从三个面上合并为内部的这一个点(每合并一次少用两个点),这样就节省了大量点数。经测试通过了 check,省到了 346 个点。

def create_3d_matrix(front, left, top):
    """
    Build a 21x21x21 array from three 21x21 face matrices, then merge cells.

    :param front: values written to ``matrix[x][y][0]`` (the z == 0 plane).
    :param left: values written to ``matrix[x][0][z]`` (the y == 0 plane).
    :param top: values written to ``matrix[0][y][z]`` (the x == 0 plane).
    :return: 21x21x21 integer array.

    The planes are written in the order front, left, top, so on a shared
    index-0 edge the later face overwrites the earlier one. A merge pass
    then visits every cell with x, y, z >= 1: when the three face cells it
    projects onto are all set, they are cleared and the interior cell is set
    instead, which replaces three set cells with one.
    """
    size = 21
    span = range(size)
    matrix = np.zeros((size, size, size), dtype=int)

    # z == 0 plane <- front
    for i in span:
        for j in span:
            matrix[i, j, 0] = front[i][j]

    # y == 0 plane <- left
    for i in span:
        for j in span:
            matrix[i, 0, j] = left[i][j]

    # x == 0 plane <- top
    for i in span:
        for j in span:
            matrix[0, i, j] = top[i][j]

    # Greedy merge in x, y, z order; a face cell is cleared once consumed,
    # so it can take part in at most one merge.
    inner = range(1, size)
    for x in inner:
        for y in inner:
            for z in inner:
                if not (matrix[x, y, 0] and matrix[x, 0, z] and matrix[0, y, z] == 1):
                    continue
                matrix[x, y, z] = 1
                matrix[x, y, 0] = 0
                matrix[x, 0, z] = 0
                matrix[0, y, z] = 0
    return matrix

然后将这串字符串交给服务器即可得到 flag,完整 exp 如下:

from pwn import *
import hashlib
import itertools
import string
import re
import qrcode
import numpy as np
from PIL import Image

# Open a pwntools tube to the challenge server; every later recv/send in this script goes through `io`.
io = remote('1.95.71.197', 9999)

def find_prefix(target_hash, suffix, length=4):
    """Brute-force the proof-of-work prefix.

    Enumerates every ``length``-character string over ASCII letters, digits
    and ``!@#$%^&*()`` and returns the first one for which
    ``sha256(prefix + suffix)`` has the hex digest ``target_hash``.
    Returns ``None`` when the whole search space is exhausted.

    ``target_hash`` is compared as-is against ``hexdigest()`` output, so it
    must be lowercase hex. The alphabet has 72 symbols, which makes the
    default length of 4 cost at most 72**4 (about 26.9 million) hashes.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()"
    # Lazy search: stops at the first candidate whose digest matches.
    hits = (
        candidate
        for candidate in map(''.join, itertools.product(alphabet, repeat=length))
        if hashlib.sha256((candidate + suffix).encode()).hexdigest() == target_hash
    )
    return next(hits, None)

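# Generate the QR codes and save them as PNG files
def generate_three_qr_codes():
    """Render the three target strings as QR codes and save them as PNG files.

    Returns the written file names (``qr_<text>.png``) in the order
    'Azure', 'Assassin', 'Alliance'.

    ``box_size=1`` and ``border=0`` give one pixel per QR module and no quiet
    zone, so each PNG can be read back directly as the module matrix. The
    later steps assume a 21x21 (version 1) code; ``make(fit=True)`` would
    pick a larger version for data that does not fit, so keep inputs short.
    """
    filenames = []
    for text in ('Azure', 'Assassin', 'Alliance'):
        filename = f"qr_{text}.png"
        qr = qrcode.QRCode(
            version=1,
            error_correction=qrcode.constants.ERROR_CORRECT_L,
            box_size=1,
            border=0,
        )
        qr.add_data(text)
        qr.make(fit=True)

        # `fill_color` is the keyword make_image reads; the original `fill=`
        # was silently ignored and only worked because black is the default.
        img = qr.make_image(fill_color='black', back_color='white')
        img.save(filename)
        filenames.append(filename)

    return filenames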

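# Read a QR code image and convert it to a 21x21 binary matrix
def read_qr_pixels_to_matrix(filename):
    """Load a QR code image and return it as a 0/1 integer matrix.

    The image is converted to 1-bit mode; every pixel equal to 0 (black)
    becomes 1 in the result and every other pixel becomes 0.
    """
    # The context manager closes the image file once the pixels are copied out.
    with Image.open(filename) as img:
        pixels = np.array(img.convert('1'))  # 1-bit black/white image

    # Dark module -> 1, light module -> 0 (the inverse of the raw pixel value).
    binary_matrix = (pixels == 0).astype(int)

    return binary_matrix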

# Combine the three projection matrices into one 21x21x21 volume
def create_3d_matrix(front, left, top):
    """
    Build a 21x21x21 array from three 21x21 face matrices, then merge cells.

    :param front: values written to ``matrix[x][y][0]`` (the z == 0 plane).
    :param left: values written to ``matrix[x][0][z]`` (the y == 0 plane).
    :param top: values written to ``matrix[0][y][z]`` (the x == 0 plane).
    :return: 21x21x21 integer array.

    The planes are written in the order front, left, top, so on a shared
    index-0 edge the later face overwrites the earlier one. A merge pass
    then visits every cell with x, y, z >= 1: when the three face cells it
    projects onto are all set, they are cleared and the interior cell is set
    instead, which replaces three set cells with one.
    """
    size = 21
    span = range(size)
    matrix = np.zeros((size, size, size), dtype=int)

    # z == 0 plane <- front
    for i in span:
        for j in span:
            matrix[i, j, 0] = front[i][j]

    # y == 0 plane <- left
    for i in span:
        for j in span:
            matrix[i, 0, j] = left[i][j]

    # x == 0 plane <- top
    for i in span:
        for j in span:
            matrix[0, i, j] = top[i][j]

    # Greedy merge in x, y, z order; a face cell is cleared once consumed,
    # so it can take part in at most one merge.
    inner = range(1, size)
    for x in inner:
        for y in inner:
            for z in inner:
                if not (matrix[x, y, 0] and matrix[x, 0, z] and matrix[0, y, z] == 1):
                    continue
                matrix[x, y, z] = 1
                matrix[x, y, 0] = 0
                matrix[x, 0, z] = 0
                matrix[0, y, z] = 0
    return matrix

# Convert the 3-D matrix to a binary string
def three_dim_matrix_to_binary(matrix):
    """Serialise a 3-D array as a string of '0'/'1' characters.

    Cells equal to 1 become '1' and every other value becomes '0'. Cells are
    emitted in flattened order (last index varies fastest). Raises
    ``ValueError`` when the input is not three-dimensional.
    """
    if matrix.ndim != 3:
        raise ValueError("输入必须是一个三维矩阵")

    # Boolean mask of the set cells, flattened to one dimension.
    flags = np.equal(matrix, 1).ravel()
    return ''.join('1' if flag else '0' for flag in flags)

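# Read the proof-of-work banner line sent by the server.
response = io.recvuntil(b'\n')

# Expected shape: "...+<suffix>) == <sha256 hex digest>".
# group(1) captures the known suffix, group(2) the target digest.
match = re.search(r'\+([a-zA-Z0-9+/=]+)\)\s*==\s*([a-f0-9]+)', response.decode())

if match:
    part1 = match.group(1)  # suffix appended to the unknown 4-character prefix
    part2 = match.group(2)  # target SHA-256 hex digest
    # The labels were swapped in the original: part2 is the hash, part1 the suffix.
    print("哈希值:" + part2)
    print("后缀为:" + part1)

    prefix = find_prefix(part2, part1)
    if prefix:
        print(f"找到匹配的前缀:{prefix}")

        response1 = io.recvuntil(b'XXXX:')

        # Send bytes explicitly instead of relying on implicit str conversion.
        io.sendline(prefix.encode())

        next_response = io.recvline()
        print("答案为"+ next_response.decode())

        # Files come back in the order Azure, Assassin, Alliance.
        filenames = generate_three_qr_codes()

        matrices = []
        for filename in filenames:
            matrix = read_qr_pixels_to_matrix(filename)
            matrices.append(matrix)

        # Passes Assassin as `front`, Alliance as `left` and Azure as `top`.
        # NOTE(review): this matches the write-up's front/left/top mapping only
        # if the server indexes the volume as [z][y][x] - presumably so, since
        # the author reports this ordering passed the check; confirm against
        # the challenge source.
        three_dim_matrix = create_3d_matrix(matrices[1],matrices[2],matrices[0])
        result = three_dim_matrix_to_binary(three_dim_matrix).encode()

        response2 = io.recvuntil(b'data:')
        print(result)
        io.sendline(result)
        print(io.recvline())
        # Number of set cells, for comparison with the limit on 1s described
        # in the write-up.
        print(result.count(b"1"))
    else:
        # No prefix found: there is nothing valid to submit, so do not send
        # None to the server; fall through to the interactive session.
        print("未找到匹配的前缀")

# If the banner did not match the regex, nothing was sent; the session is
# handed to the operator either way.
io.interactive()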

经测试通过check的字符串

11111110111110111111110000000000000100000110000000000000000000010000000000000100100110000000000000100010110000000000000000000110000000000000001000100000000001110000000010000000000000000001100000001000000000000010000000000000001111000000001010000000001000000000000000000100100000000000000000111110000100010010000001010000000000000000001010000000001000110000010000010000100000000010000000010100010000010000000000001100000011011110011000110000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000110000000000000000000100000000000000000000000100000000000000000000010000000000000000000001000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000001000000000000000000000010000000000000000000100000000000000000000000010000000000000000000010000000000000000010000000000000000000000000010000000000000000000100000000000000000000000010000000000000000000000000000000000000001000000000000000000000000000000000000000000000000100000000010000000000000000000000000000000000100000000000000100000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000100000000000000000000000100000000000000001000000000000000000000000010000000000000000000010000000000000000010100000000000000000000000001000000000000000000000010000000000000000100000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000100000000000000000000000000000000001000000000000000
00000000000100000000000000001000000000000000000000000000001000000000000000000000000000000000000000000000000000010000000001000000000000000000000000000000000010000000000000000000000000001000000000000000000001000000000000010000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000001000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000001000000000000000010000000001000000000000000000000010000000000000000100000000000000000001000000000000000000000000000000010000000100000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000001000000000000000000000000000000000000100000000000000000000000000000000010000000000000000000000000000001000000000000000000000000000010000000000000000000100000000000000000001000000000000000000100001000000000000000000000000000000101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000001000000000000000000001000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100000100000001010100000000010000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000010000000000000000000000000001000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000100000100100001010010000000000
00000000000000000000000000010000000000001000000000000000000000000100000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000100000000000000000000000000000000000000000000000010000000000010100000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000100100000000000000000000010000000000000000000000000000000000000000000100000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000110000000000000010110000000000000000000000000000000000000001000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000001000000000000000000000100000000000000000100000000000000000000000000000000000000000100000010001000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000010000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000100000000000000000000000000000000000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000001000000000000000000000010000000000000000000001
00000000000000000010000000010000000000000000000000000000000000000000000000000100000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000011100000000000000000000000000000010000000000000000000000100000000000000000000000010010000000000000000000000000000100000000000000000100000000000000000000000000000000000000000010000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000010000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000010000000000000000000000000000000000000000010000000000000001110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000010000000000000000000000000010000000000000000000000000010000000000000000000000000010000000000000000000000000000100000000000000000000000000000000000000100000000000000000000000000000010000000000000000000010000000000000000000000000000000000000000000000000000001000000010011010100000000000000000000000000000000000000000000000000000100000000001000000000000000000000000001000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000010010000110010000000000000000000000000000010000000000000000000000000000000000001000010000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000010000000001001000000000000000000000000000000000000000000000010
0000000000001000000000000000000000000001000000000000000000000000100000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000100000000000000000000000000000000000000001000000000000000000000000100000000000000000000001000000000000100000001010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000100000000000000000000000100000000000100000000000000000000000000000000000000000000000000000000000000111011100001010100000000000000010000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000010000000000000000000000100000000000000000000000000000000000000000100000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000000100000000000000000000000000000000000000000000001000000000000000000000000000000000

flag:ACTF{QQQRCode_is_iiint3r3st1ng}