Common routines of compressed packets in CTF

1. Special characters that recognize hexadecimal strings ：504B0304 To begin ,504B0506 End of the said （ Here is a supplementary knowledge point ： Name the file as what file type , The computer will recognize from what feature head , such as zip From 504B0304 Start identifying , from 504B0506 end ）, It is worth noting that for txt file , No header exists .
   
   
   

2. Pseudo encryption
   

3. File repair
   It is possible that the file header is intentionally written incorrectly ：
   
   Just change it at this time ：504B0304

4. Redundant information splicing
   ZIP The end identification bit of the compressed file directory is “504B0506”, And usually with 18 byte （ In the preliminary knowledge, we regard each offset as one , It's also a byte ） Redundant data for , The total length is generally 20 Bytes , So this routine is to divide the hidden information into multiple pieces and hide them at the end of multiple compressed packets .
   

this 20 Bytes cannot be moved , Other redundant information can be added later , If you move , It will cause decompression failure .
Sum up , Find redundant data in the right place and splice , See what code it is , Decode again

5. Find ：
   
   And comments can also be made through winhex see , Usually at the end ：