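Level URL

Solution:

Approach:

The hint for this level is subtle: the image is named evil1.jpg, so might there be an evil2.jpg as well?

Requesting evil2.jpg in the browser returns an image whose hint reads: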

not jpg - _.gfx

Changing jpg to gfx yields a file.

evil3.jpg gives this hint:

no more evils…

If you refuse to give up and go on to request evil4.jpg, you get a text file with the following content:

Bert is evil! go back!

So the whole secret lies in the evil2.gfx file.

Look at its raw bytes directly:

  Offset: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   
00000000: FF 89 47 89 FF D8 50 49 50 D8 FF 4E 46 4E FF E0    ..G..XPIPX.NFN.`
00000010: 47 38 47 E0 00 0D 37 0D 00 10 0A 61 0A 10 4A 1A    G8G`..7....a..J.
00000020: 40 1A 4A 46 0A 01 0A 46 49 00 F0 00 49 46 00 00    @.JF...FI.p.IF..
00000030: 00 46 00 00 E7 00 00 01 0D 00 0D 01 01 49 00 49    .F..g........I.I
00000040: 01 01 48 00 48 01 00 44 01 44 00 B4 52 00 52 B4    ..H.H..D.D.4R.R4
00000050: 00 00 00 00 00 B4 00 01 00 B4 00 01 04 01 00 00    .....4...4......
00000060: 90 02 40 00 FF 00 00 00 FF E1 00 05 00 E1

Each group of five bytes looks like a "palindrome". Taking every fifth byte and joining them together gives this output:

b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\xb4\x00\xb4\x00\x00\xff\xe1'
b'\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x90\x00\x00'
b'GIF87a@\x01\xf0\x00\xe7\x00\x00\x00\x01\x00\x00\x01\x04\x02\x00\x05'
b'\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01@\x00\x00'
b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\xb4\x00\xb4\x00\x00\xff\xe1'

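These five groups are the file headers of jpg, png, gif, png and jpg, respectively. In other words, evil2.gfx is made up of five files, which need to be separated.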

The result is: disproportionality
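An added example (not part of the original post) that finds the interleave instead of assuming it: it tries each stride and checks whether every resulting stream starts with a known file signature, which generalizes the fixed stride of 5 used in this write-up. `sniff`, `find_interleave` and the signature table are names and assumptions introduced here; `HEADER` is the 110 bytes from the hex dump above.

```python
# Added example (not from the original post). HEADER is the first 110 bytes of
# evil2.gfx, copied from the hex dump above; the signature table is an
# assumption covering only the three formats seen on this page.
HEADER = bytes.fromhex("""
FF 89 47 89 FF D8 50 49 50 D8 FF 4E 46 4E FF E0
47 38 47 E0 00 0D 37 0D 00 10 0A 61 0A 10 4A 1A
40 1A 4A 46 0A 01 0A 46 49 00 F0 00 49 46 00 00
00 46 00 00 E7 00 00 01 0D 00 0D 01 01 49 00 49
01 01 48 00 48 01 00 44 01 44 00 B4 52 00 52 B4
00 00 00 00 00 B4 00 01 00 B4 00 01 04 01 00 00
90 02 40 00 FF 00 00 00 FF E1 00 05 00 E1
""")

SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def sniff(data):
    """Return the extension whose magic bytes start `data`, or None."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return None


def find_interleave(blob, max_stride=16):
    """Return (stride, extensions) for the smallest stride >= 2 at which every
    stream blob[i::stride] starts with a known signature, else (None, [])."""
    for stride in range(2, max_stride + 1):
        exts = [sniff(blob[i::stride]) for i in range(stride)]
        if all(exts):
            return stride, exts
    return None, []


if __name__ == "__main__":
    print("whole file:", sniff(HEADER))  # the file as served matches no signature
    stride, exts = find_interleave(HEADER)
    print("stride:", stride, "streams:", exts)
```
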

Code:

Challenge012.py

import helper
path=".\\Data\\012"
helper.ensureDir(path)

# ================================
# Download the files using HTTP authentication
import urllib.request
helper.installHTTPBasicAuthOpener("huge", "file")

gfx="http://www.pythonchallenge.com/pc/return/evil2.gfx"
(filename, headers)=urllib.request.urlretrieve(gfx, path+"\\evil2.gfx")

evil4="http://www.pythonchallenge.com/pc/return/evil4.jpg"
urllib.request.urlretrieve(evil4, path+"\\evil4.jpg")
# ================================


filename=path+"\\evil2.gfx"
# ================================
# Print the file headers
# fp=open(filename,'rb')
# cnt=fp.read(16*7-2)
# fp.close()
#
# for i in range(5):
#     print(cnt[i::5])
# ================================

fp=open(filename,'rb')
cnt=fp.read()
fp.close()

# Bytes i, i+5, i+10, ... belong to output file i
exts=["jpg","png","gif","png","jpg"]
for i in range(5):
    fp=open(path+"\\out%d.%s" % (i, exts[i]),'wb')
    fp.write(cnt[i::5])
    fp.close()

print("please see the folder: ", path)
PS src\static> python .\Code\Python\Challenge012.py

Challenge012.ps1

$path=".\\Data\\012"

. .\Code\PowerShell\helper.ps1
New-Dir -Dir $path

$gfx="http://www.pythonchallenge.com/pc/return/evil2.gfx"
$filename=$path+"\\evil2.gfx"
Get-FileWithAuth -Url $gfx -Filename $filename -Username "huge" -Password "file"

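# evil4.jpg sits behind the same credentials; reuse the helper instead of a
# $credential variable that this script never sets
$evil4="http://www.pythonchallenge.com/pc/return/evil4.jpg"
Get-FileWithAuth -Url $evil4 -Filename $($path+"\\evil4.jpg") -Username "huge" -Password "file"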

$cnt=[System.IO.File]::ReadAllBytes($filename)
$exts="jpg","png","gif","png","jpg"

for ($i = 0; $i -lt 5; $i++) {
    $outfile=$path+"\\out{0}.{1}" -f $($i, $exts[$i])
    $fs=[System.IO.FileStream]::new($outfile, [System.IO.FileMode]::Create)
    for ($j = $i; $j -lt $cnt.Length; $j+=5) {
        $fs.WriteByte($cnt[$j])        
    }
    $fs.Flush()
    $fs.Close()
    $fs.Dispose()
}

"please see the folder: $path"
PS src\static> .\Code\PowerShell\Challenge012.ps1

Challenge012.go

package main

import(
	"fmt"
	"io/ioutil"
	"bytes"
)

func (c *Challenge) Challenge012() {
	path:=".\\Data\\012"
	EnsureDir(path)

	gfx:="http://www.pythonchallenge.com/pc/return/evil2.gfx"
	filename:=path+"\\evil2.gfx"
	DownloadWithBasicAuth(gfx, filename, "huge", "file")

	evil4:="http://www.pythonchallenge.com/pc/return/evil4.jpg"
	DownloadWithBasicAuth(evil4, path+"\\evil4.jpg", "huge", "file")

	cnt, err := ioutil.ReadFile(filename)
	if err != nil {
		fmt.Printf("read file failed![%v]\n", err)
		return
	}

	exts :=[]string {"jpg","png","gif","png","jpg"}
	for i := 0; i < 5; i++ {
		outfile := fmt.Sprintf("%s\\out%d.%s", path, i, exts[i])
		var builder bytes.Buffer
		for j := i; j < len(cnt); j+=5 {
			builder.WriteByte(cnt[j])
		}
		err := ioutil.WriteFile(outfile, builder.Bytes(), 0666)
		if err != nil {
			fmt.Printf("write file failed![%v]\n", err)
			return
		}
	}

	fmt.Println("please see the folder: ", path)
}
PS src\static> .\Code\Go\Challenge.exe -l 012

Final result: disproportional

[Next level URL][5]