
Understanding APK pseudo-encryption

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Today my "son" @Pengpeng sent me a crypto challenge, a 1.rar file. Opening it directly shows an encrypted key.txt inside. So I thought it might be password brute-forcing or a known-plaintext attack (used in XDCTF 2015), and asked him where the challenge came from. He then sent a picture. I put it in Stegsolve and found that there is an attached file at the end of the picture file, which should be carved out directly.

Loading the rar file into WinHex, I did not see anything at first (in fact, I overlooked the file header; the file header is PK...). Since it wasn't a brute-force challenge, there was no hint, and a password was blocking it, I was temporarily stuck. After a while he told me to repair the archive directly; I tried it and it worked. Below is a diagram.

The top of the figure is the password-free file exported after repair, and the bottom is the source file.

Googling the principle, I found that it uses APK pseudo-encryption. In other words, this file is actually an APK (Android Package) file, which can be seen from its PK file header; the APK format is based on the ZIP file format. Some articles online say the trick relies on a difference between how APK files are read under Windows and under Android: the central directory file header of the APK contains a field called general purpose bit flags, "where if the 0th bit is 1, it means that the Central Directory of the Zip file is encrypted. If you use traditional decompression software to open this Zip file, you need to enter a password when extracting this part of the Central Directory file."

(from blog https://www.deamwork.com/archives/my-past-ctf.orz6)

We tested the meaning of this value. In fact, when it is even (00, 02, 04...) in the Windows\WinRAR environment, the file has no password, while when it is odd, a password has to be entered. In the Android environment this bit is not read, so it has no effect on compilation in that environment. (However, this claim has not been studied in depth...)

After that, we extracted the key.txt file and recompressed it into a ZIP file. Comparing it with the challenge file that had been pseudo-encrypted as an APK, we found that the key hex bytes are consistent, and the parts that differ presumably vary depending on how the particular APK encryption tool writes them.

By the way, we can see two differences in the figure. The first is of course the general purpose bit flags. The second is a 1A byte: we tried deleting the 1A alone, but that did not remove the password, and it seems to have no effect on the file. (Because it was added to the end of the file?)
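The flag check described above can be automated. The following is an added example, not code from the original post: it walks the ZIP central directory, reports members whose central directory header sets bit 0 of the general purpose bit flags while the matching local file header does not, and clears that inconsistent bit. The function names and the in-memory sample archive are constructed for illustration.

```python
import io, struct, zipfile

def cd_entries(data):
    """Yield (name, cd_flag_offset, cd_flags, local_flags) per archive member."""
    eocd = data.rfind(b"PK\x05\x06")              # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP: no end-of-central-directory record")
    count, = struct.unpack_from("<H", data, eocd + 10)   # total entries
    pos, = struct.unpack_from("<I", data, eocd + 16)     # central directory offset
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":    # central directory file header
            raise ValueError("corrupt central directory")
        cd_flags, = struct.unpack_from("<H", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        local, = struct.unpack_from("<I", data, pos + 42)  # local header offset
        local_flags, = struct.unpack_from("<H", data, local + 6)
        name = bytes(data[pos + 46:pos + 46 + nlen]).decode("utf-8", "replace")
        yield name, pos + 8, cd_flags, local_flags
        pos += 46 + nlen + xlen + clen

def find_pseudo_encrypted(data):
    """Members whose central directory sets bit 0 while the local header does not."""
    return [n for n, _, cd, loc in cd_entries(data) if cd & 1 and not loc & 1]

def clear_fake_flags(data):
    """Return a copy with the inconsistent bit 0 cleared in the central directory."""
    fixed = bytearray(data)
    for _, off, cd, loc in cd_entries(data):
        if cd & 1 and not loc & 1:
            struct.pack_into("<H", fixed, off, cd & 0xFFFE)
    return fixed

def build_samples():
    """Constructed input: a clean one-file ZIP and a copy with bit 0 set in the CD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("key.txt", "constructed sample content")
    clean = bytearray(buf.getvalue())
    fake = bytearray(clean)
    _, off, cd, _ = next(cd_entries(clean))
    struct.pack_into("<H", fake, off, cd | 1)
    return clean, fake

if __name__ == "__main__":
    clean, fake = build_samples()
    print(find_pseudo_encrypted(clean), find_pseudo_encrypted(fake))
    repaired = clear_fake_flags(fake)
    print(zipfile.ZipFile(io.BytesIO(repaired)).read("key.txt"))
```

When bit 0 is set in both the central directory and the local header, the flags alone cannot tell a fake from real encryption, so the member is left untouched.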

Summary: there are currently three approaches to password-protected compressed files: 1. APK pseudo-encryption (file header is PK), 2. known-plaintext attack (requires a known unencrypted file), 3. ARPR brute-forcing.

The CTF pit is long, but I still have to persevere and become the bee's knees.
