中山市香山杯2023 Misc pintu

大便题目啊，跟拼图没有半毛钱关系

附件给我们4703张图片，而且给了tip：8->10，且这些图片的宽度都是一样的。

首先我们考虑将黑色图片当作0，白色图片当作1，将这些按编号顺序将这些图片转成二进制串。

py 复制代码

from PIL import Image
bin_str = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度，1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)

得到二进制串。

考虑把二进制串转为字节串再用utf-8解码。

py 复制代码

print(long_to_bytes(int(bin_str,2)).decode('utf-8'))

得到：

te 复制代码

flag看到666c是不是特别兴奋，很可惜flag并不在这。（狗头保命），既然走到了这里，那我也给一个通关的关键信息拿去吧，去找到真正的flag吧：sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W                                 哎，对了。拿走之前看一看我精心挑选的笑话吧：猎人打猎，朝狐狸开枪，"砰"地一声枪响之后猎人死了。狐狸叉着腰，冷笑一声：
"没想到吧，我是反射弧。"好不好笑， 有没有感觉一哆嗦，大脑更清晰了。ฅ՞•ﻌ•՞ ต

sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W疑似换表base64（其实不太能想到)

然后我们考虑提取这些图片的高度，将高度作为8进制数转为10进制，再通过ASCII码转为字符。

py 复制代码

for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度，1是高度
    height_data = height_data + chr(int(str(height), 8))
print(height_data)

得到：

复制代码

74 82 70 84 67 53 83 70 71 53 83 85 52 83 84 86 72 66 84 84 67 82 50 83 75 86 83 69 50 78 75 86 73 85 89 70 67 83 50 77 79 86 70 85 87 77 76 76 71 86 75 87 73 84 75 76 74 90 83 69 50 78 75 86 77 82 70 85 87 89 51 69 74 85 51 86 75 90 67 78 71 86 75 85 50 83 75 81 77 78 88 69 50 87 67 86 77 82 71 84 75 86 75 78 77 77 50 88 77 82 75 76 71 69 50 85 83 53 83 69 79 70 87 84 77 82 68 82 78 90 86 84 79 53 76 78 71 90 67 71 89 87 68 86 79 86 89 85 71 53 75 89 75 86 87 84 77 82 68 82 77 82 66 71 52 90 68 78 71 90 74 69 52 84 76 87 73 82 89 87 73 84 74 86 79 86 87 84 77 85 83 79 77 82 71 88 75 52 76 79 78 77 50 86 75 51 74 87 73 82 87 71 73 84 74 86 77 82 87 84 77 85 83 86 74 86 51 70 69 86 76 69 74 85 50 88 75 90 67 67 78 90 75 87 73 84 74 86 74 90 83 69 50 78 75 86 78 90 86 84 79 86 76 69 74 85 50 86 67 87 68 86 71 86 75 85 75 84 76 69 79 70 87 84 77 82 68 77 77 82 71 84 75 86 75 89 79 85 51 88 73 82 74 87 75 74 75 71 73 84 74 86 75 86 83 71 69 79 68 81 78 74 50 85 87 87 67 76 71 66 50 87 87 84 68 67 79 85 51 69 87 81 82 81 74 82 67 88 75 87 68 70 77 82 66 68 73 78 76 74 71 86 88 69 85 83 82 80 77 70 69 85 87 53 84 89 79 70 70 69 69 87 67 84 79 82 71 86 81 83 66 82 78 78 74 72 75 83 50 72 75 82 68 88 73 86 83 83 79 86 69 88 69 53 74 87 78 74 71 87 67 87 67 76 73 74 73 88 65 84 66 88 78 90 86 85 89 81 82 82 79 86 73 86 77 77 68 78 79 82 70 87 75 82 50 74 79 74 70 85 50 83 50 74 71 66 76 69 75 84 75 81 79 70 71 85 52 85 75 71 74 78 50 70 69 85 67 78 75 89 50 69 81 81 75 79 75 86 70 85 50 84 74 86 76 66 88 69 83 83 51 78 77 81 88 86 77 78 90 90 75 89 50 85 81 84 74 80 77 86 83 85 50 83 50 82 73 78 85 88 75 77 76 86 75 70 67 87 54 52 75 76 74 77 90 88 79 50 74 86 74 78 69 71 73 54 74 81 79 53 71 68 75 86 74 87 79 81 51 84 65 77 83 76 74 86 70 70 85 50 83 78 71 65 89 87 52 89 50 89 77 70 71 87 87 85 83 73 78 74 50 87 89 53 51 69 71 65 52 87 89 84 74 87 72 66 52 71 83 90 50 76 74 73 52 87 69 78 68 87 74 81 51 84 75 84 66 84 71 53 76 69 52 53 68 72 74 78 83 85 85 76 90 86 79 66 70 70 77 77 74 83 74 78 50 85 50 78 83 82 77 52 89 84 83 79 75 87 77 69 90 69 89 78 51 66 79 81 52 85 75 90 76 68 78 70 71 86 81 52 83 78 74 78 73 85 85 79 74 88 78 90 51 70 67 50 51 79 79 74 70 88 79 78 76 90 75 70 69 84 81 77 84 79 73 52 51 86 71 83 75 78 75 66 75 84 67 86 83 81 73 78 85 87 69 78 67 76 71 70 68 87 67 89 84 74 74 85 50 71 73 83 76 72 71 82 51 84 71 52 83 82 73 77 90 85 69 83 50 89 78 90 68 84 65 77 68 85 74 85 89 69 75 84 74 81 71 86 52 69 83 54 74 82 78 86 70 87 71 77 67 85 74 73 51 88 75 78 50 78 75 90 52 69 52 53 67 72 71 66 50 68 71 89 84 66 75 70 77 72 83 51 51 88 73 86 72 71 75 54 75 70 79 52 89 84 67 81 50 67 71 82 90 71 52 86 83 89 73 70 73 87 69 54 68 88 73 78 90 69 87 52 66 84 73 53 81 85 67 50 76 83 71 53 76 69 83 86 84 79 73 70 50 69 52 89 75 84 71 77 51 84 73 86 67 75 77 73 89 84 69 51 75 72 74 77 88 88 73 89 51 80 73 53 50 69 75 51 84 86 78 70 90 69 87 89 75 78 79 53 76 71 87 50 83 67 75 90 89 69 75 53 90 85 78 81 90 88 75 79 68 88 76 66 67 87 52 77 74 82 75 90 70 86 65 90 67 76 75 77 51 68 83 89 82 89 75 66 88 69 52 78 67 73 74 74 86 84 69 52 75 70 75 90 73 84 65 50 75 74 77 82 51 85 87 81 82 85 77 70 85 87 69 78 68 87 74 74 72 70 67 78 68 78 78 78 74 70 71 77 90 88 77 69 88 88 73 89 84 66 75 66 73 85 50 90 74 80 74 73 88 86 67 83 75 89 79 73 50 72 85 53 68 72 75 77 51 85 83 82 74 90 79 70 71 83 54 52 50 79 71 70 68 86 81 85 51 74 71 65 89 85 87 50 84 88 71 82 65 85 83 53 75 69 75 66 88 69 50 50 50 50 74 82 84 84 71 52 66 82 73 85 50 84 77 79 75 78 71 74 51 85 67 84 82 86 73 90 86 69 83 87 67 78 78 90 82 85 87 86 83 76 74 85 50 69 77 53 67 79 74 77 51 86 67 53 90 82 77 82 88 68 65 51 90 88 78 70 67 84 75 87 67 75 74 90 73 87 77 77 76 68 71 82 69 87 85 81 84 80 74 90 85 88 83 77 66 88 78 70 84 86 81 83 67 76 73 73 90 86 73 50 84 67 78 82 73 69 75 50 50 76 71 90 69 87 69 85 84 77 74 85 50 87 67 90 74 90 74 86 52 70 85 50 83 74 77 86 68 70 81 86 82 88 71 70 70 71 87 85 66 89 74 74 90 71 52 54 67 89 71 85 89 72 83 87 66 80 71 85 52 69 87 89 82 81 74 70 86 71 69 77 76 76 78 86 86 84 83 52 75 78 79 81 52 68 75 83 83 72 76 65 89 68 71 82 74 86 78 66 70 85 83 78 75 70 78 90 72 68 73 50 67 70 79 85 51 85 50 77 50 78 77 70 87 85 71 83 75 83 77 70 77 71 87 78 50 87 71 77 51 84 65 79 66 84 70 52 50 69 69 90 68 67 72 70 87 70 81 84 76 77 79 65 90 85 87 86 74 85 78 70 66 68 83 84 83 76 77 78 74 88 65 84 66 87 75 73 51 70 81 89 90 82 71 90 88 71 87 79 68 67 71 78 68 84 83 78 90 82 75 90 74 68 81 90 67 78 71 86 75 87 73 84 74 86 71 86 86 72 75 77 75 78 74 81 51 86 67 78 50 78 74 69 51 87 71 90 66 87 79 78 88 84 67 52 82 86 78 77 52 85 75 89 76 66 78 74 69 84 75 76 90 82 79 82 74 70 85 50 84 67 71 78 77 84 83 89 82 86 79 52 89 85 75 79 76 76

我们再将它们作为十进制数转化为字符：

py 复制代码

ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)

得到：

复制代码

JRFTC5SFG5SU4STVHBTTCR2SKVSE2NKVIUYFCS2MOVFUWMLLGVKWITKLJZSE2NKVMRFUWY3EJU3VKZCNGVKU2SKQMNXE2WCVMRGTKVKNMM2XMRKLGE2US5SEOFWTMRDRNZVTO5LNGZCGYWDVOVYUG5KYKVWTMRDRMRBG4ZDNGZJE4TLWIRYWITJVOVWTMUSOMRGXK4LONM2VK3JWIRWGITJVMRWTMUSVJV3FEVLEJU2XKZCCNZKWITJVJZSE2NKVNZVTOVLEJU2VCWDVGVKUKTLEOFWTMRDMMRGTKVKYOU3XIRJWKJKGITJVKVSGEODQNJ2UWWCLGB2WWTDCOU3EWQRQJRCXKWDFMRBDINLJGVXEUSRPMFEUW5TYOFFEEWCTORGVQSBRNNJHKS2HKRDXIVSSOVEXE5JWNJGWCWCLIJIXATBXNZVUYQRROVIVMMDNORFWKR2JOJFU2S2JGBLEKTKQOFGU4UKGJN2FEUCNKY2EQQKOKVFU2TJVLBXESS3NMQXVMNZZKY2UQTJPMVSU2S2RINUXKMLVKFCW64KLJMZXO2JVJNEGI6JQO5GDKVJWOQ3TAMSLJVFFU2SNGAYW4Y2YMFGWWUSINJ2WY53EGA4WYTJWHB4GSZ2LJI4WENDWJQ3TKTBTG5LE45DHJNSUULZVOBFFMMJSJN2U2NSRM4YTSOKWMEZEYN3BOQ4UKZLDNFGVQ4SNJNIUUOJXNZ3FC23OOJFXONLZKFETQMTOI43VGSKNKBKTCVSQINUWENCLGFDWCYTJJU2GISLHGR3TG4SRIMZUES2YNZDTAMDUJUYEKTJQGV4ES6JRNVFWGMCUJI3XKN2NKZ4E45CHGB2DGYTBKFMHS33XIVHGK6KFO4YTCQ2CGRZG4VSYIFIWE6DXINZEW4BTI5QUC2LSG5LESVTOIF2E4YKTGM3TIVCKMIYTE3KHJMXXIY3PI52EK3TVNFZEWYKNO5LGW2SCKZYEK5ZUNQZXKODXLBCW4MJRKZFVAZCLKM3DSYRYKBXE4NCIJJVTE4KFKZITA2KJMR3UWQRUMFUWENDWJJHFCNDNNNJFGMZXMEXXIYTBKBIU2ZJPJIXVCSKYOI2HU5DHKM3USRJZOFGS642OGFDVQU3JGAYUW2TXGRAUS5KEKBXE2222JRTTG4BRIU2TMOKNGJ3UCTRVIZVESWCNNZRUWVSLJU2EM5COJM3VC5ZRMRXDA3ZXNFCTKWCKJZIWMMLDGREWUQTPJZUXSMBXNFTVQSCLIIZVI2TCNRIEK22LGZEWEUTMJU2WCZJZJV4FU2SJMVDFQVRXGFFGWUBYJJZG46CYGUYHSWBPGU4EWYRQJFVGEMLLNVVTS4KNOQ4DKSSHLAYDGRJVNBFUSNKFNZHDI2CFOU3U2M2NMFWUGSKSMFMGWN2WGM3TAOBTF42EEZDCHFWFQTLMOAZUWVJUNFBDSTSLMNJXATBWKI3FQYZRGZXGWODCGNDTSNZRKZJDQZCNGVKWITJVGVVHKMKNJQ3VCN2NJE3WGZBWONXTC4RVNM4UKYLBNJETKLZRORJFU2TCGNMTSYRVO4YUKOLL

疑似base32，然后用换表base64解出：

复制代码

iVBORw0KGgoAAAANSUhEUgAAAEwAAAAUCAMAAAAQlCuDAAAAP1BMVEX/////wMD//8DA/8DA///AwP//wP//AAD//wAA/wAA//8AAP//AP/AAADAwAAAwAAAwMAAAMDAAMD///8AAADMRO/yAAABkklEQVQ4ja2UyZLDIAxExWL2zVT+/1tHIDngODWnvJODXa2mJQUskkWtivD6IKIRvXeTUidMLoSszU/qRHn+pUQAQueKBy5bAnRrIQSNxFD58/UW3xUnB9shPrKYhUC0mIYt4iSOnlN3BV8S+lxuLbhBkQZsY7HuI2qk2FhTE24vXbJhkZRa2CyDFQSLcWB7GFW1c5khwmHYLAfLNzhUgjfyHPXxspcNquQwieIISRQlZ6KT9y3Q5RK7KiRrjMF83OrcO6Y9xFvDJ6k38eksjJxmdZGJKzHsXy2fh/egH86I7DxeiS94my+O8xpKsE7YfEqAR2bkqwxn3J/NCeyd3UxizhB3sa/OHsZgJjq5Bg2sVDhjHr5Y6/Rp7gdHzVUo8JXO1uM0hw+e1raJ3+qzmdTt5dUHzKuu76PvX5y1Q3sOd8Vmx7z9uxtnUw9nn1OErZoxPZIaK0mbzFMY3Lm0glDYcFqmViVnft/F/Q+E3deq1bUaSwxbLMTqJK9oiGMdsYmrxWBf8EN+qPayv7T2+k/rD6rwKfsf5fOmAAAAAElFTkSuQmCC  data:image/png;base64

提示png、base64

然后再用base64解一遍：

cyberchef显示得到一张图片，保存下来，用npiet在线解得：

终于得到了flag

附完整exp：

py 复制代码

from Crypto.Util.number import *
from PIL import Image
import os

bin_str = ''
height_data = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度，1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))
print(height_data)
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)

总结：pintu这个题目名太过于误导，后续的换表base也不好想到，考验对数据的处理和分析，是一道misc难题

中山市 香山杯2023 Misc pintu

中山市香山杯2023 Misc pintu