plaidctf2015 uncorrupt png
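The code takes quite a long time to run, which is embarrassing!
I referred to the code at https://13c5.wordpress.com/2015/04/20/plaidctf-2015-png-uncorrupt/
Working through this challenge also gave me a deeper understanding of the PNG file format!
Before using this code, change the 0x0a in the PNG signature to 0x0d0a.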
```python
from itertools import combinations
import binascii


def find_all(source, aim):
    # Yield the offset of every occurrence of aim in source.
    start = 0
    while True:
        start = source.find(aim, start)
        if start == -1:
            return
        yield start
        start += len(aim)


def repair(source, aim, filedes, num, crc):
    # source is the chunk type plus the damaged chunk data, crc is the stored
    # CRC as 8 hex digits. Try every way of turning num of the 0x0a bytes back
    # into 0x0d 0x0a until the CRC-32 of the result matches.
    matchlist = list(find_all(source, b'\x0a'))
    for subnet in combinations(matchlist, num):
        subnet = sorted(subnet)
        temp = b''
        if num == 3:
            temp = (source[:subnet[0]] + b'\x0d\x0a'
                    + source[subnet[0] + 1:subnet[1]] + b'\x0d\x0a'
                    + source[subnet[1] + 1:subnet[2]] + b'\x0d\x0a'
                    + source[subnet[2] + 1:])
        if num == 2:
            temp = (source[:subnet[0]] + b'\x0d\x0a'
                    + source[subnet[0] + 1:subnet[1]] + b'\x0d\x0a'
                    + source[subnet[1] + 1:])
        if num == 1:
            temp = source[:subnet[0]] + b'\x0d\x0a' + source[subnet[0] + 1:]
        if "%08x" % (binascii.crc32(temp) & 0xFFFFFFFF) == crc:
            filedes.write(temp)
            filedes.write(binascii.a2b_hex(crc))
            filedes.flush()
            print("success")
            break
    else:
        # No combination of positions reproduced the stored CRC.
        print("fail")


uncfile = open("corrupt_735acee15fa4f3be8ecd0c6bcf294fd4.png", "rb")
cocfile = open("correct.png", "wb")

# In each damaged chunk the declared data length is 0x20000, and the read size
# is short by the number of stripped 0x0d bytes; that shortfall is passed as num.

# first write
correct = uncfile.read(0x6d)
cocfile.write(correct)
cocfile.flush()

correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()

uncorrect = uncfile.read(0x20000 - 0x1 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 1, crc)  # 1 byte missing

# second write
correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()
uncorrect = uncfile.read(0x20000 - 0x3 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 3, crc)  # 3 bytes missing

# third write
correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()
uncorrect = uncfile.read(0x20000 - 0x1 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 1, crc)  # 1 byte missing

# fourth write: undamaged chunk (length + type + data + CRC), copied as-is
correct = uncfile.read(0x4 + 0x4 + 0x20000 + 0x4)
cocfile.write(correct)
cocfile.flush()

# fifth write
correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()
uncorrect = uncfile.read(0x20000 - 0x3 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 3, crc)  # 3 bytes missing

# 6th
correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()
uncorrect = uncfile.read(0x20000 - 0x1 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 1, crc)  # 1 byte missing

# 7th
correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()
uncorrect = uncfile.read(0x20000 - 0x2 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 2, crc)  # 2 bytes missing

# 8th: undamaged chunk, copied as-is
correct = uncfile.read(0x4 + 0x4 + 0x20000 + 0x4)
cocfile.write(correct)
cocfile.flush()

# 9th
correct = uncfile.read(0x4)  # length
cocfile.write(correct)
cocfile.flush()
uncorrect = uncfile.read(0x20000 - 0x1 + 0x4)
crc = uncfile.read(0x4)
crc = binascii.hexlify(crc).decode()
print(crc)
repair(uncorrect, b'\x0a', cocfile, 1, crc)  # 1 byte missing

# 10th
correct = uncfile.read(0x4 + 0x4 + 0x216f)
cocfile.write(correct)
cocfile.flush()

uncfile.close()
cocfile.close()
```
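
The script above hard-codes the read offsets and the number of missing bytes for each chunk of this one file. The following added example (not from the original post or the referenced write-up) generalizes it: it locates the next chunk header to work out how many 0x0d bytes each chunk lost, then runs the same CRC brute force. The function names, the `max_k` limit and the sample data are assumptions made for illustration, and it assumes no 0x0d was stripped from inside a length or CRC field.

```python
import binascii, struct
from itertools import combinations

SIG, BAD_SIG = b"\x89PNG\r\n\x1a\n", b"\x89PNG\n\x1a\n"
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
         b"gAMA", b"cHRM", b"sRGB", b"pHYs", b"bKGD", b"tRNS", b"tIME"}

def missing_bytes(buf, pos, max_k=8):
    """Count the CRs stripped from the chunk at pos by locating the next chunk header."""
    length = struct.unpack(">I", buf[pos:pos + 4])[0]
    for k in range(max_k + 1):
        nxt = pos + 12 + length - k  # where the next chunk starts if k bytes are gone
        if nxt == len(buf) or buf[nxt + 4:nxt + 8] in KNOWN:
            return k
    raise ValueError("no chunk boundary found after offset %#x" % pos)

def repair_chunk(body, k, crc):
    """Put a CR back before k of the LFs in body (type + data) until the CRC matches."""
    lfs = [i for i, b in enumerate(body) if b == 0x0A]
    for combo in combinations(lfs, k):
        out = bytearray(body)
        for i in reversed(combo):  # insert from the end so earlier offsets stay valid
            out[i:i] = b"\r"
        if binascii.crc32(out) & 0xFFFFFFFF == crc:
            return bytes(out)
    return None

def repair_png(buf):
    """Return (repaired file, [(chunk type, CRs restored), ...])."""
    buf = SIG + buf[7:] if buf.startswith(BAD_SIG) else buf  # signature lost its CR too
    out, pos, report = bytearray(SIG), 8, []
    while pos < len(buf):
        k = missing_bytes(buf, pos)
        end = pos + 8 + struct.unpack(">I", buf[pos:pos + 4])[0] - k
        body = repair_chunk(buf[pos + 4:end], k, struct.unpack(">I", buf[end:end + 4])[0])
        if body is None:
            raise ValueError("chunk at %#x: no CR placement matches the CRC" % pos)
        out += buf[pos:pos + 4] + body + buf[end:end + 4]
        report.append((body[:4].decode("ascii"), k))
        pos = end + 4
    return bytes(out), report

def make_sample(damaged):
    """Constructed sample (not a decodable image); damaged=True strips each CR before LF."""
    out = BAD_SIG if damaged else SIG
    for body in (b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0),
                 b"IDAT" + b"line1\r\nline2\nline3\r\nend", b"IEND"):
        stored = body.replace(b"\r\n", b"\n") if damaged else body
        out += struct.pack(">I", len(body) - 4) + stored + struct.pack(">I", binascii.crc32(body) & 0xFFFFFFFF)
    return out
```

The per-chunk counts in the returned report correspond to the `num` argument of `repair` above; the search cost grows combinatorially with the number of 0x0a bytes in a chunk, which is why the original script runs for a long time.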
Result:
References:
http://blog.csdn.net/gogor/article/details/5265710
http://www.libpng.org/pub/png/apps/pngcheck.html
http://www.libpng.org/pub/png/book/chapter08.html
http://stackoverflow.com/questions/27238021/png-images-not-loaded
https://13c5.wordpress.com/2015/04/20/plaidctf-2015-png-uncorrupt/