Skip to content Skip to navigation

WireTap (Stegano 200)

Category: 

Description: Does it sound like a flag? Maybe... I don't know...

File: wiretap.wav

Solution:

Let's quickly analyze the file:

 $ file wiretap.wav
wiretap.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 32 bit, stereo 44100 Hz
$ strings wiretap.wav
RIFFD
WAVEfmt 
data 

Nothing interesting. Now look at data of .wav file:

$ ./diff.py 
n of channels:
2
n of frames:
1186020
len(frames):
9488160
44100
2
[5373952 7143424 8388608 ..., 5111808 4980736 4915200]
[5374089 7143504 8388686 ..., 5111991 4980814 4915379]

Values of frames from two different channels are close enough but not the same. Let's look at their difference (first 100 printed):

[137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 73, 72, 68, 82, 0, 0, 2, 22, 0, 0, 0, 48, 8, 4, 0, 0, 0, 231, 36, 251, 90, 0, 0, 0, 2, 98, 75, 71, 68, 0, 0, 170, 141, 35, 50, 0, 0, 0, 9, 112, 72, 89, 115, 0, 0, 11, 19, 0, 0, 11, 19, 1, 0, 154, 156, 24, 0, 0, 0, 7, 116, 73, 77, 69, 7, 222, 10, 26, 15, 41, 21, 179, 51, 68, 152, 0, 0, 0, 29, 105, 84, 88, 116, 67, 111, 109, 109, 101]

Seems that all of them are in range of byte values [0..255]. Some of you may be have already noticed that bytes from 2 to 4 are printable characters ('PNG'). Let's write difference of channels into file and look at it:

$ file result 
result: PNG image data, 534 x 48, 8-bit gray+alpha, non-interlaced

Wow! Look there:

My script for solving this task:

#!/usr/bin/python
import wave
from scipy.io.wavfile import read

w = wave.open('wiretap.wav', 'r')
print 'n of channels:'
print w.getnchannels()

n = w.getnframes()
print 'n of frames:'
print n
frames = w.readframes(n)
print 'len(frames):'
print len(frames)

(fs, x) = read('wiretap.wav')
print fs
print len(x.shape) 
print x[:,0]
print x[:,1]

c1 = x[:,0]
c2 = x[:,1]
d = []
for a, b in zip(c1, c2):
	d.append(b - a)
print d[0:100]

out = open('result', 'wb')
for t in d: out.write(chr(t))
out.close()

Flag is: NcN_132238aba8928f9655eeb09939eba1f963c18183