Try โ€‚โ€‰HackMD

Aero CTF 2020 - Image Wave (Code, 498pts)

Why didn't many peaple solve this? It's just an implementation of IFFT from spectrogram? ;)

Challenge Details

We are given three image files.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Obviously the first two is spectrogram, which should simply be a result of FFT of the signal. And as the third image suggests, we should implement inverse of FFT (IFFT) to recover the original data.

I implemented a solver with Node.js.





































const {promises: fs} = require('fs');
const color = require('color');
const {ifft} = require('fft-js');
const {WaveFile} = require('wavefile');
const jimp = require('jimp');

(async () => {
  const wav = new WaveFile();

  const lennaA = await jimp.read('imga.png');
  const lennaP = await jimp.read('imgp.png');

  const signals = []

  for (const x of Array(3941).keys()) {
    if (x % 100 === 0) {
      console.log('progress:', x);
    }

    const phasors = [];
    for (const y of Array(1024).keys()) {
      const hueA = color(lennaA.getPixelColor(x, 1080 - y) >> 8).hue();
      const hueP = color(lennaP.getPixelColor(x, 1080 - y) >> 8).hue();
      
      const valueA = (300 - hueA) / 300 * 12 - 6;
      const valueP = (300 - hueP) / 300 * 12 - 6;
      phasors.push([valueA ** 9, valueP ** 9]);
    }

    const signal = ifft(phasors);
    signals.push(...signal);
  }

  wav.fromScratch(1, 22050, 32, signals.map((v) => v[0] * (2 ** 17)));
  await fs.writeFile('out.wav', wav.toBuffer());
})();

This produces the following output:

The synthesized voice of some digits starts from 1:29. Transcribe it and get flag:

Aero{44130800454087113922111421638436416130198703185043619684674310673384316}

Last changed by 
โ€‰
Koki Takahashi
0
572

Read more

Learning with Exploitation author's writeup

[*** ๆš—ๅทๅŒ–]0ใพใŸใฏ1ใ‚’่ฆ็ด ใซๆŒใคใƒ™ใ‚ฏใƒˆใƒซ [$ \bm{r}] ใ‚’็”Ÿๆˆใ™ใ‚‹ใ€‚ใ“ใฎใจใๅนณๆ–‡ [$ m\in{0,1}] ใซๅฏพๅฟœใ™ใ‚‹ๆš—ๅทๆ–‡ใฏใ€[$ (\bm{u},v)=(\bm{r}\cdot\bm{A},\bm{r}\cdot\bm{t}+mq)]ใจใชใ‚‹ใ€‚ใŸใ ใ— [$ q:=\lceil \frac{p}{2}\rceil][$ \bm{r}] ใฏ็ ดๆฃ„ใ™ใ‚‹ใ€‚

Nov 8, 2023
BSides Ahmedabad CTF 2021 Writeup - SSSS.RNG, floorsa, Roda

SSSS.RNG $p$を512bitの素数、$a,b,x$を$p$未満のランダムな数とする。 以下すべて$\mathbb{Z}/p\mathbb{Z}$上の演算として、 $$ \begin{aligned} g_1&=ax+b\ g_2&=ag_1+b\ g_3&=ag_2+b\

Nov 7, 2021
TSG CTF 2021 Beginner's Web 2021 Writeup

Challenge Summary You are given a website. It is doing some weird job. First, it constructs routes object based on the salt parameter and store it to the session. const setRoutes = async (session, salt) => { const index = await fs.readFile('index.html'); session.routes = { flag: () => '*** CENSORED ***',

Oct 5, 2021
TSG CTF 2021 Giita Writeup

Challenge Summary You can create blog post. It is accepting an arbitrary HTML, but it is correctly escaped and sanitized by DOMPurify. const body = document.getElementById('body'); body.innerHTML = DOMPurify.sanitize(body.textContent); hljs.highlightAll(); The goal is to obtain the cookie of admin.

Oct 4, 2021
Read more from Koki Takahashi
Published on HackMD