-
-
Save bruce30262/ae755f4e52462f9aae90c1782c096090 to your computer and use it in GitHub Desktop.
flareon 6 level6 scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
# Usage: ./bmphide.py ./in.bmp ./secret ./out.bmp | |
from PIL import Image | |
import sys | |
def e(bb, bk): | |
for idx in xrange(8): | |
flag = 0 | |
if ((bb>>(idx&0x1f))&1) == ((bk>>(idx&0x1f))&1): | |
flag = 1 | |
if flag == 1: | |
bb = bb & (~(1<<(idx&0x1f))) & 0xff | |
else: | |
bb = bb | ((1<<(idx&0x1f)) & 0xff) | |
assert (bb & ~0xff) == 0 | |
return bb | |
def g(idx): | |
bb = ((idx+1) * 0x126B6FC5) & 0xff | |
k = ((idx+2) * 0xC82C97D) & 0xff | |
return e(bb, k) | |
def b(bb, r): | |
for _ in xrange(r): | |
b2 = int((bb&128)/128) & 0xff | |
bb = ((bb*2)&0xff) + b2 | |
return bb | |
def d(bb, r): | |
for _ in xrange(r): | |
b2 = (bb & 1) * 128 | |
bb = (int(bb/2) & 0xff) + b2 | |
return bb | |
def h(data): | |
array = [0]*len(data) | |
num = 0 | |
for idx in xrange(len(data)): | |
num2 = g(num) | |
num+=1 | |
num3 = ord(data[idx]) | |
num3 = e(num3, num2) | |
num3 = b(num3, 7) | |
num4 = g(num) | |
num+=1 | |
num3 = e(num3, num4) | |
num3 = d(num3, 3) | |
array[idx] = num3 | |
return array | |
def i(bitmap, d, out): | |
''' | |
j(103) = 0x00 | |
j(231) = 0x1 | |
j(27) = 0xf8 | |
j(228) = 0x7 | |
j(230) = 0x3 | |
j(25) = 0xfc | |
j(100) = 0x6 | |
''' | |
num = 0x0 | |
width, height = bitmap.size | |
for x in xrange(0x0, width): | |
for y in xrange(0x0, height): | |
flag = False | |
if num > (len(d) - 0x1): | |
flag = True | |
if flag: | |
break | |
pix = bitmap.getpixel((x, y)) | |
R, G, B, A = pix | |
red = (R & 0xf8) | (d[num] & 0x7) # hide first 3 bit | |
green = (G & 0xf8) | ((d[num] >> 0x3) & 0x7) # hide second 3 bit | |
blue = (B & 0xfc) | ((d[num] >> 0x6) & 0x3) # hide last 2 bit | |
bitmap.putpixel((x, y), (red, green, blue, 0)) | |
num += 0x1 | |
bitmap.save(out) | |
bitmap = Image.open(sys.argv[1]).convert('RGBA') | |
data = open(sys.argv[2], "rb").read() | |
data2 = h(data) | |
i(bitmap, data2, sys.argv[3]) | |
print "Done." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# Usage: ./crack.py ./image.bmp | |
from PIL import Image | |
import sys | |
def e(bb, bk): | |
for idx in xrange(8): | |
flag = 0 | |
if ((bb>>(idx&0x1f))&1) == ((bk>>(idx&0x1f))&1): | |
flag = 1 | |
if flag == 1: | |
bb = bb & (~(1<<(idx&0x1f))) & 0xff | |
else: | |
bb = bb | ((1<<(idx&0x1f)) & 0xff) | |
assert (bb & ~0xff) == 0 | |
return bb | |
def crack_e(dd, r): | |
for i in xrange(256): | |
if e(i, r) == dd: | |
return i | |
return None | |
def g(idx): | |
bb = ((idx+1) * 0x126B6FC5) & 0xff | |
k = ((idx+2) * 0xC82C97D) & 0xff | |
return e(bb, k) | |
def b(bb, r): | |
for _ in xrange(r): | |
b2 = int((bb&128)/128) & 0xff | |
bb = ((bb*2)&0xff) + b2 | |
return bb | |
def crack_b(dd, r): | |
for i in xrange(256): | |
if b(i, r) == dd: | |
return i | |
def d(bb, r): | |
for _ in xrange(r): | |
b2 = (bb & 1) * 128 | |
bb = (int(bb/2) & 0xff) + b2 | |
return bb | |
def crack_d(dd, r): | |
for i in xrange(256): | |
if d(i, r) == dd: | |
return i | |
bitmap = Image.open(sys.argv[1]).convert('RGBA') | |
width, height = bitmap.size | |
data2 = [] | |
# extract data2 | |
num = 0 | |
for x in xrange(width): | |
for y in xrange(height): | |
R, G, B, A = bitmap.getpixel((x, y)) | |
d1 = R & 7 | |
d2 = G & 7 | |
d3 = B & 3 | |
data = (d3<<6) | (d2<<3) | d1 | |
data2.append(data) | |
num += 1 | |
# recover message | |
real_datas = [] | |
o_num = 0 | |
for idx, dd in enumerate(data2): | |
if idx % 10000 == 0: # For tracking our cracking progress | |
print idx | |
if idx == 219702: # data length. This can be extracted from the image header | |
break | |
num3d = crack_d(dd, 3) | |
num4e = g(o_num+1) | |
num3e = crack_e(num3d, num4e) | |
#if not num3e: | |
# print "real data len:", idx | |
# break | |
assert g(o_num+1) == num4e | |
num3b = crack_b(num3e, 7) | |
num2 = g(o_num) | |
real_data = crack_e(num3b, num2) | |
assert real_data != None | |
assert g(o_num) == num2 | |
real_datas.append(real_data) | |
o_num += 2 | |
out = ''.join(chr(c) for c in real_datas) | |
with open("flag.bmp", "wb") as f: | |
f.write(out) | |
print "Done" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment