├── PictureSizeAnalyse.py
├── README.md
├── UsbKeyboardDataAnalyse.py
├── UsbWacomAnalyse.py
└── ZipCRCAnlyse.py


/PictureSizeAnalyse.py:
--------------------------------------------------------------------------------
  1 | import binascii
  2 | import struct
  3 | import math
  4 | import sys
  5 | import os
  6 | 
  7 | 
  8 | def png_save(file_path, x, y):
  9 |     path = os.path.split(file_path)[0]
 10 |     file_name = os.path.split(file_path)[1]
 11 | 
 12 |     with open(file_path, "rb") as f:
 13 |         data_png = f.read()
 14 |         out_data = data_png[:16] + struct.pack('>i', x) + struct.pack('>i', y) + data_png[24:]
 15 | 
 16 |     with open(path + "\\" + file_name[:-4] + "_fix" + file_name[-4:], "wb") as out_png:
 17 |         out_png.write(out_data)
 18 | 
 19 | 
 20 | def png_crc_brust(file_path):
 21 |     with open(file_path, "rb") as f:
 22 |         data_png = f.read()
 23 |         crc_data = data_png[12:29]
 24 |         crc_origin = binascii.crc32(crc_data)
 25 | 
 26 |         crc_bytes = data_png[29:33]
 27 |         crc = int(crc_bytes.hex(), 16)
 28 | 
 29 |         if crc_origin == crc:
 30 |             print("This picture size is right")
 31 |             exit()
 32 | 
 33 |     for y in range(4095):
 34 |         for x in range(4095):
 35 |             data = data_png[12:16] + struct.pack('>i', x) + struct.pack('>i', y) + data_png[24:29]
 36 |             if binascii.crc32(data) == crc:
 37 |                 print(f"[Filepath]:{file_path}\n[Width]:{x}\n[Heught]:{y}\n")
 38 |                 png_save(file_path, x, y)
 39 |                 exit()
 40 | 
 41 | 
 42 | def bmp_save(file_path, pixel_size):
 43 |     path = os.path.split(file_path)[0]
 44 |     file_name = os.path.split(file_path)[1]
 45 | 
 46 |     with open(file_path, "rb") as f:
 47 |         data_bmp = f.read()
 48 |         width = int.from_bytes(data_bmp[18:22], byteorder="little")
 49 |         height = int.from_bytes(data_bmp[22:26], byteorder="little")
 50 | 
 51 |     print(f"[Filepath]:{file_path}")
 52 |     # mode one: fix_height
 53 |     width_tmp = width
 54 |     height_tmp = pixel_size // width
 55 |     print(f"[Fix_height]:[Width]:{width_tmp}[Height]:{height_tmp}")
 56 |     with open(path + "\\" + file_name[:-4] + "_fix_height" + file_name[-4:], "wb") as out_bmp:
 57 |         out_data = data_bmp[:18] + struct.pack("<i", width_tmp) + struct.pack("<i", height_tmp) + data_bmp[26:]
 58 |         out_bmp.write(out_data)
 59 | 
 60 |     # mode two: fix_width
 61 |     width_tmp = pixel_size // height
 62 |     height_tmp = height
 63 |     print(f"[Fix_width]:[Width]:{width_tmp}[Height]:{height_tmp}")
 64 |     with open(path + "\\" + file_name[:-4] + "_fix_width" + file_name[-4:], "wb") as out_bmp:
 65 |         out_data = data_bmp[:18] + struct.pack("<i", width_tmp) + struct.pack("<i", height_tmp) + data_bmp[26:]
 66 |         out_bmp.write(out_data)
 67 | 
 68 |     # mode three: sqrt
 69 |     width_tmp = height_tmp = int(math.sqrt(pixel_size))
 70 |     print(f"[Fix_sqrt]:[Width]:{width_tmp}[Height]:{height_tmp}")
 71 |     with open(path + "\\" + file_name[:-4] + "_fix_sqrt" + file_name[-4:], "wb") as out_bmp:
 72 |         out_data = data_bmp[:18] + struct.pack("<i", width_tmp) + struct.pack("<i", height_tmp) + data_bmp[26:]
 73 |         out_bmp.write(out_data)
 74 | 
 75 | 
 76 | def bmp_crc_brust(file_path):
 77 |     with open(file_path, "rb") as f:
 78 |         data_bmp = f.read()
 79 |         bfsize = int.from_bytes(data_bmp[2:6], byteorder="little")
 80 |         bfoffbits = int.from_bytes(data_bmp[10:14], byteorder="little")
 81 |         bibitcount = int.from_bytes(data_bmp[28:30], byteorder="little")
 82 |         pixelsize = (bfsize - bfoffbits) // (bibitcount // 8)
 83 |     bmp_save(file_path, pixelsize)
 84 | 
 85 | 
 86 | def main():
 87 |     if len(sys.argv) != 3 or sys.argv[1] == "-h" or sys.argv[2][-3:].lower() not in ("png", "bmp") or sys.argv[
 88 |         1] not in ("-a", "-b", "-p"):
 89 |         print(
 90 |             "[Wrong!]Please: python PictureSizeAnalyse.py -a picture_file_path\n[Wrong!]Support: PNG BMP\n\t[-a]Auto select\n\t[-b]Select bmp mode\n\t[-p]Select png mode")
 91 |         exit()
 92 | 
 93 |     file_path = sys.argv[2]
 94 |     file_type = sys.argv[2][-3:].lower()
 95 | 
 96 |     if sys.argv[1] == "-p":
 97 |         png_crc_brust(file_path)
 98 |     elif sys.argv[1] == "-b":
 99 |         bmp_crc_brust(file_path)
100 |     elif sys.argv[1] == "-a":
101 |         if file_type == "png":
102 |             png_crc_brust(file_path)
103 |         elif file_type == "bmp":
104 |             bmp_crc_brust(file_path)
105 | 
106 | 
107 | if __name__ == "__main__":
108 |     main()
109 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ### CTF-misc-script
 2 | 
 3 | ---
 4 | 
 5 | | 脚本 | 作用 | 文件类型 |
 6 | | --- | --- | --- |
 7 | | PictureSizeAnalyse | 计算图片正确宽高 | bmp图片，png图片 |
 8 | | ZipCRCAnlyse | 多文件压缩包CRC爆破 | zip，rar，7z |
 9 | | UsbKeyboardDataAnalyse | USB键盘流量分析 | pcap，pcapng |
10 | | UsbWacomAnalyse | USB数位板流量分析 | pcap，pcapng |
11 | 
12 | ### PictureSizeAnalyse
13 | 
14 | ---
15 | 
16 | ```
17 | 适用平台：Windows/Kali
18 | 参数：
19 | 	-h 查看help
20 | 	-a 自动选择模式
21 | 	-b 使用 bmp 模式分析正确宽高
22 | 	-p 使用 png 模式分析宽高
23 | 使用：
24 | 	python 模式 文件路径
25 | 	python PictureSizeAnalyse.py -a test.png
26 | ```
27 | ### ZipCRCAnlyse
28 | 
29 | ---
30 | 
31 | ```
32 | 适用平台：Windows/Kali
33 | 参数：
34 | 	-h 查看help
35 | 	-a 使用字母字符集碰撞
36 | 	-n 使用数字字符集碰撞
37 | 	-m 使用字母字符集碰撞 和 数字字符集碰撞
38 | 	-z 尝试 chr(1~128) 字符集碰撞
39 | 使用：
40 | 	python 模式 文件路径
41 | 	python PictureSizeAnalyse.py -a test.zip
42 | ```
43 | ### UsbKeyboardDataAnalyse
44 | 
45 | ---
46 | 
47 | ```
48 | 适用平台：Kali
49 | 参数：
50 | 	-h 查看help
51 | 	-a 结果输出完整内容
52 | 	-b 结果只输出字符
53 | 使用：
54 | 	python 模式 文件路径
55 | 	python PictureSizeAnalyse.py -a test.pcapng
56 | ```
57 | ### UsbWacomAnalyse
58 | 
59 | ---
60 | 
61 | ```
62 | 适用平台：Kali
63 | 使用：
64 | 	python 文件路径
65 | 	python UsbWacomAnalyse.py test.pcapng
66 | ```
67 | 


--------------------------------------------------------------------------------
/UsbKeyboardDataAnalyse.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import os
 3 | 
 4 | normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
 5 | shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
 6 | 
 7 | # 获取 usbhid.data 列表
 8 | def analyse_usbhid_data(pcapFilePath,src,argument):
 9 |     usbhid_data = []
10 |     os.system("tshark -r {} -T fields -e usbhid.data \"usb.data_len == 8 && usb.src == {}\" > usbhid.data".format(pcapFilePath,src))
11 |     with open("usbhid.data") as f:
12 |          for line in f:
13 |              usbhid_data.append(line.strip())
14 |     result(usbhid_data,src,argument,"usbhid.data")
15 |     os.remove("usbhid.data")
16 | 
17 | # 获取 usb.capdata 列表
18 | def analyse_usb_capdata(pcapFilePath,src,argument):
19 |     usb_capdata = []
20 |     os.system("tshark -r {} -T fields -a usb.capdata \"usb.data_len == 8 && usb.src == {}\" > usb.capdata".format(pcapFilePath,src))
21 |     with open("usb.capdata") as f:
22 |         for line in f:
23 |             usb_capdata.append(line.strip())
24 |     result(usb_capdata,src,argument,"usb.capdata")
25 |     os.remove("usb.capdata")
26 | 
27 | # 获取 usb流量分析
28 | def result(presses,src,argument,path):
29 |     result = ""
30 | 
31 |     for press in presses:
32 |         if press == '':
33 |             continue
34 |         if ':' in press:
35 |             Bytes = press.split(":")
36 |         else:
37 |             Bytes = [press[i:i+2] for i in range(0, len(press), 2)]
38 |         if Bytes[0] == "00":
39 |             if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
40 |                 result += normalKeys[Bytes[2]]
41 |         elif int(Bytes[0],16) & 0b10 or int(Bytes[0],16) & 0b100000: # shift key is pressed.
42 |             if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
43 |                 result += shiftKeys[Bytes[2]]
44 | 
45 |         if argument == "-b":
46 |             result = result.replace("<RET>","").replace("<ESC>","").replace("<DEL>","").replace("<SPACE>","").replace("<GA>","").replace("<CAP>","").replace("\t","").replace("F1","").replace("F2","").replace("F3","").replace("F4","").replace("F5","").replace("F6","").replace("F7","").replace("F8","").replace("F9","").replace("F10","").replace("F11","").replace("F12","")
47 | 
48 |     if result != "":
49 |         print("[",src,path,"]",result,"\n")
50 | 
51 | def error():
52 |     #输入 -a 则全部输出，输入 -b 则将过滤 <DEL> <ESC> 之类的符号
53 |     print("Example:\n\tpython UsbKeyboardDataAnalyse.py -a  data.pcapng\nArgument:\n\t[-a]:Output all data.\n\t[-b]:Output only common characters.")
54 |     exit()
55 |     
56 | def main():
57 |     # 判断输入参数
58 |     if len(sys.argv) != 3 or (sys.argv[1] not in ["-a", "-b", "-h"]):
59 |         error()
60 |         
61 |     # 获取流量文件路径 // 获取 usb.src 列表
62 |     argument = sys.argv[1]
63 |     pcapFilePath = sys.argv[2]
64 |     usb_src = []
65 |     os.system("tshark -r {} -T fields -e usb.src > usb.src".format(pcapFilePath))
66 |     with open("usb.src") as f:
67 |         for line in f:
68 |             if line.strip() not in usb_src:
69 |                 usb_src.append(line.strip())
70 |     os.remove("usb.src")
71 | 
72 |     for src in usb_src:
73 |         analyse_usbhid_data(pcapFilePath, src, argument)
74 |         analyse_usb_capdata(pcapFilePath, src, argument)
75 | 
76 | if __name__ == '__main__':
77 |     main()
78 | 


--------------------------------------------------------------------------------
/UsbWacomAnalyse.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import sys
 3 | import matplotlib.pyplot as plt
 4 | 
 5 | 
 6 | def analyse_usb_data(data_file, data_type,pcapFilePath):
 7 |     os.system(f"tshark -r {pcapFilePath} -T fields -e usb{data_type}.data > {data_file}")
 8 |     with open(data_file) as f:
 9 |         data = [line.strip() for line in f.readlines() if line.strip()]
10 |     wacom_list = list(set([d[:4] for d in data]))
11 |     for wacom in wacom_list:
12 |         tmp_data = [(int(d[4:6], 16) + int(d[6:8], 16) * 256, int(d[8:10], 16) + int(d[10:12], 16) * 256) for d in data if d[:4] == wacom]
13 |         plt.figure()
14 |         plt.title(f"{data_file}-{wacom}")
15 |         plt.scatter(*zip(*tmp_data),s =5, c='black')
16 |         plt.show()
17 |     os.remove(data_file)
18 | 
19 | 
20 | def main():
21 |     if len(sys.argv) != 2:
22 |         print("Wrong! Try:python UsbWacomAnalyse.py pcapfile.pcap")
23 |         exit()
24 |     pcapFilePath = sys.argv[1]
25 |     analyse_usb_data("usb.capdata", "",pcapFilePath)
26 |     analyse_usb_data("usbhid.data", "hid",pcapFilePath)
27 | 
28 | 
29 | if __name__ == "__main__":
30 |     main()
31 | 


--------------------------------------------------------------------------------
/ZipCRCAnlyse.py:
--------------------------------------------------------------------------------
 1 | import binascii
 2 | import itertools
 3 | import sys
 4 | import zipfile
 5 | 
 6 | 
 7 | def crc_brust(zipf_path, mode):
 8 |     alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 9 |     number = "0123456789"
10 |     allchar = "-_{}"
11 |     if mode == "-a":
12 |         wordlist = alphabet
13 |     elif mode == "-n":
14 |         wordlist = number
15 |     elif mode == "-m":
16 |         wordlist = alphabet + number
17 |     elif mode == "-z":
18 |         wordlist = alphabet + number + allchar
19 |     out = ""
20 | 
21 |     zipf = zipfile.ZipFile(zipf_path)
22 |     file_list = zipf.namelist()
23 | 
24 |     for file in file_list:
25 |         count = 0
26 |         zipinfo = zipf.getinfo(file)
27 |         zipf_crc = zipinfo.CRC
28 |         file_size = zipinfo.file_size
29 | 
30 |         data_list = itertools.product(wordlist, repeat=file_size)
31 | 
32 |         for data in data_list:
33 |             data = "".join(data)
34 |             data_crc = binascii.crc32(data.encode())
35 | 
36 |             if data_crc == zipf_crc:
37 |                 count += 1
38 |                 print(f"filename:{file} crc:{hex(zipf_crc)} data:{data}")
39 |                 out += data
40 |         if count == 0:
41 |             print(f"filename:{file} crc:{hex(zipf_crc)} data:Not found")
42 |     return out
43 | 
44 | 
45 | def main():
46 |     if len(sys.argv) != 3 or sys.argv[2][-3:] != "zip" or sys.argv[1] == "-h" or (
47 |             sys.argv[1] not in ["-a", "-n", "-m", "-z"]):
48 |         print(
49 |             "Please:\tpython ZipCRCAnlyse.py -a example.zip\n\t[-a] Use alphabet\n\t[-n] Use number\n\t[-m] Use alphabet and number\n\t[-z] Use all")
50 |         exit()
51 | 
52 |     mode = sys.argv[1]
53 |     zipf_path = sys.argv[2]
54 |     print(crc_brust(zipf_path, mode))
55 | 
56 | 
57 | if __name__ == "__main__":
58 |     main()
59 | 


--------------------------------------------------------------------------------