获取中...

-

Just a minute...

趁着寒假刷一波题

easyre

直接出
flag{this_Is_a_EaSyRe}

reverse1

1
2
if ( Str2[j] == 'o' )
Str2[j] = '0';

字符串hello_world,用0替换o
flag{hell0_w0rld}

helloworld

androidkiller反编译看到flag
flag{7631a988259a00816deda84afb29430a}

reverse2

1
2
3
4
for ( i = 0; i <= strlen(&flag); ++i )
{
if ( *(&flag + i) == 'i' || *(&flag + i) == 'r' )
*(&flag + i) = '1';

找到字符串hacking_for_fun,将i和r替换成1
flag{hack1ng_fo1_fun}

新年快乐

加了upx壳,用工具脱壳

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax
char v4; // [esp+12h] [ebp-3Ah]
__int16 v5; // [esp+20h] [ebp-2Ch]
__int16 v6; // [esp+22h] [ebp-2Ah]

__main();
strcpy(&v4, "HappyNewYear!");
v5 = 0;
memset(&v6, 0, 0x1Eu);
printf("please input the true flag:");
scanf("%s", &v5);
if ( !strncmp((const char *)&v5, &v4, strlen(&v4)) )
result = puts("this is true flag!");
else
result = puts("wrong!");
return result;
}

输入的和HappyNewYear!比较
flag{HappyNewYear!}

内涵的软件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
int __cdecl main_0()
{
int result; // eax
char v1; // [esp+4Ch] [ebp-Ch]
const char *v2; // [esp+50h] [ebp-8h]
int v3; // [esp+54h] [ebp-4h]

v3 = 5;
v2 = "DBAPP{49d3c93df25caad81232130f3d2ebfad}";
while ( v3 >= 0 )
{
printf(aD, v3);
sub_40100A();
--v3;
}
printf(
"\n"
"\n"
"\n"
"这里本来应该是答案的,但是粗心的程序员忘记把变量写进来了,你要不逆向试试看:(Y/N)\n");
v1 = 1;
scanf("%c", &v1);
if ( v1 == 89 )
{
printf(aOdIda);
result = sub_40100A();
}
else
{
if ( v1 == 78 )
printf(asc_425034);
else
printf("输入错误,没有提示.");
result = sub_40100A();
}
return result;
}

flag{49d3c93df25caad81232130f3d2ebfad}

xor

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
int __cdecl main(int argc, const char **argv, const char **envp)
{
char *v3; // rsi
int result; // eax
signed int i; // [rsp+2Ch] [rbp-124h]
char v6[264]; // [rsp+40h] [rbp-110h]
__int64 v7; // [rsp+148h] [rbp-8h]

memset(v6, 0, 0x100uLL);
v3 = (char *)256;
printf("Input your flag:\n", 0LL);
get_line(v6, 256LL);
if ( strlen(v6) != 33 )
goto LABEL_12;
for ( i = 1; i < 33; ++i )
v6[i] ^= v6[i - 1];
v3 = global;
if ( !strncmp(v6, global, 0x21uLL) )
printf("Success", v3);
else
LABEL_12:
printf("Failed", v3);
result = __stack_chk_guard;
if ( __stack_chk_guard == v7 )
result = 0;
return result;
}

输入一个长度为33的字符串,字符串的字符分别与前一个字符进行异或运算之后和global的前0x21比较

1
2
3
4
5
a = [102,10,107,12,119,38,79,46,64,17,120,13,90,59,85,17,112,25,70,31,118,34,77,35,68,14,103,6,104,15,71,50,79,0]
flag="f"
for i in range(1,len(a)):
flag += chr(a[i]^a[i-1])
print(flag)

flag{QianQiuWanDai_YiTongJiangHu}

reverse3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
sub_41132F("please enter the flag:");
sub_411375("%20s", (unsigned int)&Str);
v0 = j_strlen(&Str);
v1 = (const char *)sub_4110BE((int)&Str, v0, (int)&v11);
strncpy(Dest, v1, 0x28u);
v8 = j_strlen(Dest);
for ( j = 0; j < v8; ++j )
Dest[j] += j;
v2 = j_strlen(Dest);
if ( !strncmp(Dest, Str2, v2) )
sub_41132F("rigth flag!\n");
else
sub_41132F("wrong flag!\n");
HIDWORD(v4) = v3;
LODWORD(v4) = 0;
return v4;

输入一个字符串,经过sub_4110BE加密,然后一个for循环变换后与Str2比较,Str2是‘e3nifIH9b_C@n@dH’,查看sub_4110BE

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
  while ( v11 > 0 )
{
byte_41A144[2] = 0;
byte_41A144[1] = 0;
byte_41A144[0] = 0;
for ( i = 0; i < 3 && v11 >= 1; ++i )
{
byte_41A144[i] = *v13;
--v11;
++v13;
}
if ( !i )
break;
switch ( i )
{
case 1:
*((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
v4 = v7 + 1;
*((_BYTE *)Dst + v4++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
*((_BYTE *)Dst + v4++) = aAbcdefghijklmn[64];
*((_BYTE *)Dst + v4) = aAbcdefghijklmn[64];
v7 = v4 + 1;
break;
case 2:
*((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
v5 = v7 + 1;
*((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
*((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
*((_BYTE *)Dst + v5) = aAbcdefghijklmn[64];
v7 = v5 + 1;
break;
case 3:
*((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
v6 = v7 + 1;
*((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
*((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
*((_BYTE *)Dst + v6) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
v7 = v6 + 1;
break;
}
}
*((_BYTE *)Dst + v7) = 0;
return Dst;
}

是base64

1
2
3
4
5
6
import base64
dest = "e3nifIH9b_C@n@dH"
flag = ""
for i in range(0,len(dest)):
flag += chr(ord(dest[i]) - i)
print(base64.b64decode(flag))

flag{i_l0ve_you}

不一样的flag

简单的迷宫题,1234分别是上下左右,0是通路,终点是#
5乘5的迷宫是

  • 1111
    01000
    01010
    00010
    1111#
    1
    2
    3
    4
    5
    if ( *((_BYTE *)&v8 + 5 * v4 + v5 - 41) == '1' )
    exit(1);
    if ( *((_BYTE *)&v8 + 5 * v4 + v5 - 41) == '#' )
    {
    puts("\nok, the order you enter is the flag!");

flag{222441144222}

刮开有奖

关键函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 {
memset(&String, 0, 0xFFFFu);
GetDlgItemTextA(hDlg, 1000, &String, 0xFFFF);
if ( strlen(&String) == 8 )
{
v7 = 'Z';
v8 = 'J';
v9 = 'S';
v10 = 'E';
v11 = 'C';
v12 = 'a';
v13 = 'N';
v14 = 'H';
v15 = '3';
v16 = 'n';
v17 = 'g';
sub_4010F0(&v7, 0, 10);
memset(&v26, 0, 0xFFFFu);
v26 = v23;
v28 = v25;
v27 = v24;
v4 = (const char *)sub_401000(&v26, strlen(&v26));
memset(&v26, 0, 0xFFFFu);
v27 = v21;
v26 = v20;
v28 = v22;
v5 = (const char *)sub_401000(&v26, strlen(&v26));
if ( String == v7 + 34
&& v19 == v11
&& 4 * v20 - 141 == 3 * v9
&& v21 / 4 == 2 * (v14 / 9)
&& !strcmp(v4, "ak1w")
&& !strcmp(v5, "V1Ax") )
{
MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);
}
}
return 0;
}
if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )
return 0;
EndDialog(hDlg, (unsigned __int16)a3);
return 1;
}

sub4010F0是一个排序算法,把v7后面10个数进行排序,
sub_401000是base64
String第一位是排序后的v7,第二位是排序后的v11,后六位分别是V1Ax和ak1w的base64解码flag{UJWP1jMp}

SimpleRev

main函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
int v3; // eax
char v4; // [rsp+Fh] [rbp-1h]

while ( 1 )
{
while ( 1 )
{
printf("Welcome to CTF game!\nPlease input d/D to start or input q/Q to quit this program: ", argv, envp);
v4 = getchar();
if ( v4 != 'd' && v4 != 'D' )
break;
Decry();
}
if ( v4 == 'q' || v4 == 'Q' )
Exit();
puts("Input fault format!");
v3 = getchar();
putchar(v3);
}
}

关键函数Decry()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
v12 = __readfsqword(0x28u);
*(_QWORD *)src = 'SLCDN'; // NDCLS(这里是小端序,之前没发现,气吐血)
v7 = 0LL;
v8 = 0;
v9 = 'wodah'; // hadow
v10 = 0LL;
v11 = 0;
text = join(key3, (const char *)&v9); // text=killshadow
strcpy(key, key1); // key=ADSFK
strcat(key, src); // key=ADSFKNDCLS
v2 = 0;
v3 = 0;
getchar();
v5 = strlen(key); //v5=10
for ( i = 0; i < v5; ++i )
{
if ( key[v3 % v5] > 64 && key[v3 % v5] <= 90 )
key[i] = key[v3 % v5] + 32; // key大小写转换
++v3;
}
printf("Please input your flag:", src);
while ( 1 )
{
v1 = getchar();
if ( v1 == 10 )
break;
if ( v1 == 32 )
{
++v2;
}
else
{
if ( v1 <= 96 || v1 > 122 )
{
if ( v1 > 64 && v1 <= 90 ) // 大写字母
str2[v2] = (v1 - 39 - key[v3++ % v5] + 97) % 26 + 97;
}
else // 小写字母
{
str2[v2] = (v1 - 39 - key[v3++ % v5] + 97) % 26 + 97;
}
if ( !(v3 % v5) )
putchar(32);
++v2;
}
}
if ( !strcmp(text, str2) )
puts("Congratulation!\n");

关键在于

1
str2[v2] = (v1 - 39 - key[v3++ % v5] + 97) % 26 + 97;

将输入的字符串v1进行运算结果和str2比较

1
2
3
4
5
6
7
8
9
10
a='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
key='adsfkndcls'
text='killshadow'
flag=''
for i in range(len(text)):
str2=text[i]
for b in a:
if str2== chr((ord(b) - 39 - ord(key[i % 10]) + 97) % 26 + 97):
flag+=b
print(flag)

flag{KLDQCUDFZO}

java逆向解密

class文件用jd-gui打开反编译

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
public class Reverse
{
public static void main(String[] args)
{
Scanner s = new Scanner(System.in);
System.out.println("Please input the flag :");
String str = s.next();
System.out.println("Your input is :");
System.out.println(str);
char[] stringArr = str.toCharArray();
Encrypt(stringArr);
}

public static void Encrypt(char[] arr)
{
ArrayList<Integer> Resultlist = new ArrayList();
for (int i = 0; i < arr.length; i++)
{
int result = arr[i] + '@' ^ 0x20;
Resultlist.add(Integer.valueOf(result));
}
int[] KEY = { 180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65 };
ArrayList<Integer> KEYList = new ArrayList();
for (int j = 0; j < KEY.length; j++) {
KEYList.add(Integer.valueOf(KEY[j]));
}
System.out.println("Result:");
if (Resultlist.equals(KEYList)) {
System.out.println("Congratulations!");
} else {
System.err.println("Error!");
}
}
}

很清晰,输入一个字符串for循环进行异或,然后将得到的新字符串与KEY进行比较,看看是否相等

1
2
3
4
5
6
KEY = [180, 136, 137, 147, 191, 137, 147, 191,
148, 136, 133, 191, 134, 140, 129, 135, 191, 65]
flag = ""
for i in range(0,len(KEY)):
flag += chr(KEY[i] - ord('@') ^ 0x20)
print(flag)

flag{This_is_the_flag_!}

findit

APKIDE打开,有两串16进制的字符串,转ascii

1
2
3
4
5
a = [0x70,0x76,0x6b,0x71,0x7b,0x6d,0x31,0x36,0x34,0x37,0x35,0x32,0x36,0x32,0x30,0x33,0x33,0x6c,0x34,0x6d,0x34,0x39,0x6c,0x6e,0x70,0x37,0x70,0x39,0x6d,0x6e,0x6b,0x32,0x38,0x6b,0x37,0x35,0x7d,]
b = ""
for i in a:
b += chr(i)
print(b)

得到pvkq{m16475262033l4m49lnp7p9mnk28k75}然后凯赛解密
flag{c164675262033b4c49bdf7f9cda28a75}

RSA

pub_key是公钥文件,拖入http://tool.chacuo.net/cryptrsakeyparse 进行解密,e=65537,n=8693448229604811919066606200349480058890565601720302561721665405837832210357
http://www.factordb.com/index.php?query=86934482296048119190666062003494800588905656017203025617216654058378322103517
通过n分解p和q
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463

1
2
3
4
5
6
7
8
9
10
11
12
import gmpy2
import rsa
e = 65537
n = 86934482296048119190666062003494800588905656017203025617216654058378322103517
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open("C:\\Desktop\\buu\\rsa\\flag.enc", "rb+") as f:
f = f.read()
print(rsa.decrypt(f, key))

flag{decrypt_256}

CrackRTF

main函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
printf("pls input the first passwd(1): ");
scanf("%s", &pbData);
if ( strlen((const char *)&pbData) != 6 ) // 第一次输入的长度是6
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
v4 = atoi((const char *)&pbData);
if ( v4 < 100000 ) // 输入的密码大于100000
ExitProcess(0);
strcat((char *)&pbData, "@DBApp"); // pbdata=??????@DBApp
v0 = strlen((const char *)&pbData);
sub_40100A(&pbData, v0, &String1); // 输入的密码和@DBApp拼接后的字符串经过sub_40100A加密
if ( !_strcmpi(&String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )// 加密后的结果与6E32D0943418C2C33385BC35A1470250DD8923A9进行比较
{
printf("continue...\n\n");
printf("pls input the first passwd(2): ");
memset(&String, 0, 0x104u);
scanf("%s", &String);
if ( strlen(&String) != 6 ) // 第二次输入的长度还是6
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
strcat(&String, (const char *)&pbData); // 第二次输入的6位和之前12位进行拼接
memset(&String1, 0, 0x104u);
v1 = strlen(&String);
sub_401019((BYTE *)&String, v1, &String1); // 经过sub_401019加密
if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", &String1) )// 加密后的结果和27019e688a4e62a649fd99cadaafdb4e进行比较
{
if ( !(unsigned __int8)sub_40100F(&String) )// 之后经过sub_40100F函数后判断是否正确
{
printf("Error!!\n");
ExitProcess(0);
}
printf("bye ~~\n");
}
}

大致流程是要输入两次六位数的密码,第一次的密码要大于100000,第一次输入的密码和@DBApp拼接后的字符串经过sub_40100A加密和6E32D0943418C2C33385BC35A1470250DD8923A9,之后再输入6位的密码拼接第一次输入的密码和@DBApp后经过sub_401019加密与27019e688a4e62a649fd99cadaafdb4e比较,最后需要经过sub_40100F判断,所以知道sub_40100A,sub_401019,sub_40100F这三个函数是干啥的就行了

sub_40100A

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
return 0;
if ( CryptCreateHash(phProv, 0x8004u, 0, 0, &phHash) )
{
if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
{
CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
*lpString1 = 0;
for ( i = 0; i < pdwDataLen; ++i )
{
wsprintfA(&String2, "%02X", v6[i]);
lstrcatA(lpString1, &String2);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
result = 1;
}
else
{
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
result = 0;

是hash加密,参数是0x8004,是sha1加密,爆破一下得到123321@DBApp

1
2
3
4
5
6
7
8
9
import hashlib
pbdata='@DBApp'
for i in range(100000,999999):
flag=str(i)+pbdata
a = hashlib.sha1(flag.encode("utf8"))
b = a.hexdigest()
if "6e32d0943418c2c33385bc35a1470250dd8923a9" == b:
print(flag)
break

sub_401019
还是hash,参数是0x8003,是md5加密,位数太大,爆破失败

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
return 0;
if ( CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash) )
{
if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
{
CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
*lpString1 = 0;
for ( i = 0; i < pdwDataLen; ++i )
{
wsprintfA(&String2, "%02X", v6[i]);
lstrcatA(lpString1, &String2);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
result = 1;
}
else
{
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
result = 0;
}
}
else
{
CryptReleaseContext(phProv, 0);
result = 0;
}
return result;

sub_40100F

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
hFile = 0;
hResData = 0;
nNumberOfBytesToWrite = 0;
NumberOfBytesWritten = 0;
hResInfo = FindResourceA(0, (LPCSTR)0x65, "AAA");
if ( !hResInfo )
return 0;
nNumberOfBytesToWrite = SizeofResource(0, hResInfo);
hResData = LoadResource(0, hResInfo);
if ( !hResData )
return 0;
lpBuffer = LockResource(hResData);
sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);
hFile = CreateFileA("dbapp.rtf", 0x10000000u, 0, 0, 2u, 0x80u, 0);
if ( hFile == (HANDLE)-1 )
return 0;
if ( !WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0) )
return 0;
CloseHandle(hFile);
return 1;

这个函数中还有一个函数sub_401005
sub_401005

1
2
3
4
5
6
7
8
9
v5 = lstrlenA(lpString);
for ( i = 0; ; ++i )
{
result = i;
if ( i >= a3 )
break;
*(_BYTE *)(i + a2) ^= lpString[i % v5];
}
return result;

这个函数进行了一个异或运算,所以sub_40100F大致流程就是API函数FindResourceA查找文件中包含名为AAA的文件,通过sub_401005把AAA的文件中取出字符和输入的字符串进行异或得到一个.rtf文件。从AAA中取出的数据就是输入第二次密码得到的字符串。这里需要用到一个工具ResourceHacker,通过ResourceHacker这个工具查看包含文件AAA

输入的字符串异或AAA文件中的字符串结果得到rtf文件,要想知道输入的字符串是什么,还需要知道rtf文件的字符串是什么,随意查看一个rtf文件,因为输入的字符串是18位的,进行异或之后应该对应的rtf文件的前6位,是{\rtfl,之后就可以算出第二次输入的6位字符串了

1
2
3
4
5
6
7
a = "{\\rtf1"
b = [0x05,0x7D,0x41,0x15,0x26,0x01]
flag = ""
for i in range(0,len(a)):
c = ord(a[i]) ^ b[i]
flag += chr(c)
print(flag)

第二个密码是~!3a@0,然后生成一个rtf文件,打开得到flag
Flag{N0_M0re_Free_Bugs}

简单注册器

反编译,查看关键的加密部分

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
if (j == 1)
{
paramAnonymousView = "dd2940c04462b4dd7c450528835cca15".toCharArray();
paramAnonymousView[2] = ((char)(paramAnonymousView[2] + paramAnonymousView[3] - 50));
paramAnonymousView[4] = ((char)(paramAnonymousView[2] + paramAnonymousView[5] - 48));
paramAnonymousView[30] = ((char)(paramAnonymousView[31] + paramAnonymousView[9] - 48));
paramAnonymousView[14] = ((char)(paramAnonymousView[27] + paramAnonymousView[28] - 97));
j = 0;
for (;;)
{
if (j >= 16)
{
paramAnonymousView = String.valueOf(paramAnonymousView);
localTextView.setText("flag{" + paramAnonymousView + "}");
return;
}
int i = paramAnonymousView[(31 - j)];
paramAnonymousView[(31 - j)] = paramAnonymousView[j];
paramAnonymousView[j] = i;
j += 1;
}

将dd2940c04462b4dd7c450528835cca15经过加密得到flag,跑一下就行了

1
2
3
4
5
6
a = ['d','d','2','9','4','0','c','0','4','4','6','2','b','4','d','d','7','c','4','5','0','5','2','8','8','3','5','c','c','a','1','5'] 
a[2] = chr(ord(a[2]) + ord(a[3]) - ord('2'))
a[4] = chr(ord(a[2]) + ord(a[5]) - ord('0'))
a[30] = chr(ord(a[31]) + ord(a[9]) - ord('0'))
a[14] = chr(ord(a[27]) + ord(a[28]) - ord('a'))
print('flag{'+''.join(a[::-1])+'}')

flag{59acc538825054c7de4b26440c0999dd}

Youngter-driver

https://thriumph.top/%E5%AE%89%E6%81%92Youngter-drive.html#more
flag{ThisisthreadofwindowshahaIsESE}

相册

反编译看到base64

1
2
3
4
5
6
7
static
{
System.loadLibrary("core");
MAILSERVER = Base64.decode(NativeMethod.m());
MAILUSER = Base64.decode(NativeMethod.m());
MAILPASS = Base64.decode(NativeMethod.pwd());
}

用apktool box反编译apk,ida加载里面的.so文件搜索字符串,其中几串base64值分别是邮用户名(MTgyMTg0NjUxMjU=)邮箱(MTgyMTg0NjUxMjVAMTYzLmNvbQ==)密码(MTgyMTg0NjUxMjVAMTYzLmNvbQ==)用base64解密18218465125,18218465125@163.com,uqtsqyizlesttljv
flag{18218465125@163.com}

firmware

这个题做的时候一脸懵,只能用binwalk分离出几个文件,有个压缩包也解压不出来东西,看了别人的wp才知道需要一个firmware-mod-kit工具。
安装

1
2
3
4
5
sudo apt-get install git build-essential zlib1g-dev liblzma-dev python-magic
git clone https://github.com/mirror/firmware-mod-kit.git
cd firmware-mod-kit/src
./configure
make

使用方法

1
2
3
4
extract-firmware.sh使用来解包固件
build-firmware.sh使用来重新封包
check_for_upgrade.sh用来检查更新
unsquashfs_all.sh使用来解包提取出来的squashfs文件

之前binwalk分离出来的有一个squashfs文件,使用firmware-mod-kit

1
2
3
4
cd firmware-mod-kit
./unsquashfs_all.sh '/home/Thriumph/_1.bin.extracted/120200.squashfs'
cd squashfs-root/tmp/
ls

里面有一个加了upx壳的backdoor文件,用工具脱壳拖入ida查看字符串,网址是echo.byethost51.com,端口是36667
flag{33a422c45d551ac6e4756f59812a954b}

[RoarCTF2019]polyre

https://thriumph.top/Roalctf-polyre.html
flag{6ff29390-6c20-4c56-ba70-a95758e3d1f8}

eqution

打开后一堆混淆的jsfuck代码,不会处理很头疼,看wp写的。。。
先处理一下

1
2
3
4
5
6
7
8
9
function deEquation(str) {
// 需执行两次以处理所有的 jsfuck 下标
for (let i = 0; i <= 1; i++) {
str = str.replace(/l\[(\D*?)](\+l|-l|==)/g, (m, a, b) => 'l[' + eval(a) + ']' + b)
}
// 处理 == 后的 jsfuck
str = str.replace(/==(\D*?)&&/g, (m, a) => '==' + eval(a) + '&&')
return str
}

然后用z3解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
import re
from z3 import *
if __name__ =="__main__":
s = Solver()
l = [Int('l%d'%i) for i in range(0x2a)]
for i in l:
s.add(0<i)
s.add(i<256)
s.add(l[40] + l[35] + l[34] - l[0] - l[15] - l[37] + l[7] + l[6] - l[26] + l[20] + l[19] + l[8] - l[17] - l[14] - l[38] + l[1] - l[9] + l[22] + l[41] + l[3] - l[29] - l[36] - l[25] + l[5] + l[32] - l[16] + l[12] - l[24] + l[30] + l[39] + l[10] + l[2] + l[27] + l[28] + l[21] + l[33] - l[18] + l[4] == 861)
s.add(l[31] + l[26] + l[11] - l[33] + l[27] - l[3] + l[12] + l[30] + l[1] + l[32] - l[16] + l[7] + l[10] - l[25] + l[38] - l[41] - l[14] - l[19] + l[29] + l[36] - l[9] - l[28] - l[6] - l[0] - l[22] - l[18] + l[20] - l[37] + l[4] - l[24] + l[34] - l[21] - l[39] - l[23] - l[8] - l[40] + l[15] - l[35] == -448)
s.add(l[26] + l[14] + l[15] + l[9] + l[13] + l[30] - l[11] + l[18] + l[23] + l[7] + l[3] + l[12] + l[25] - l[24] - l[39] - l[35] - l[20] + l[40] - l[8] + l[10] - l[5] - l[33] - l[31] + l[32] + l[19] + l[21] - l[6] + l[1] + l[16] + l[17] + l[29] + l[22] - l[4] - l[36] + l[41] + l[38] + l[2] + l[0] == 1244)
s.add(l[5] + l[22] + l[15] + l[2] - l[28] - l[10] - l[3] - l[13] - l[18] + l[30] - l[9] + l[32] + l[19] + l[34] + l[23] - l[17] + l[16] - l[7] + l[24] - l[39] + l[8] - l[12] - l[40] - l[25] + l[37] - l[35] + l[11] - l[14] + l[20] - l[27] + l[4] - l[33] - l[21] + l[31] - l[6] + l[1] + l[38] - l[29] == -39)
s.add(l[41] - l[29] + l[23] - l[4] + l[20] - l[33] + l[35] + l[3] - l[19] - l[21] + l[11] + l[26] - l[24] - l[17] + l[37] + l[1] + l[16] - l[0] - l[13] + l[7] + l[10] + l[14] + l[22] + l[39] - l[40] + l[34] - l[38] + l[32] + l[25] - l[2] + l[15] + l[6] + l[28] - l[8] - l[5] - l[31] - l[30] - l[27] == 485)
s.add(l[13] + l[19] + l[21] - l[2] - l[33] - l[0] + l[39] + l[31] - l[23] - l[41] + l[38] - l[29] + l[36] + l[24] - l[20] - l[9] - l[32] + l[37] - l[35] + l[40] + l[7] - l[26] + l[15] - l[10] - l[6] - l[16] - l[4] - l[5] - l[30] - l[14] - l[22] - l[25] - l[34] - l[17] - l[11] - l[27] + l[1] - l[28] == -1068)
s.add(l[32] + l[0] + l[9] + l[14] + l[11] + l[18] - l[13] + l[24] - l[2] - l[15] + l[19] - l[21] + l[1] + l[39] - l[8] - l[3] + l[33] + l[6] - l[5] - l[35] - l[28] + l[25] - l[41] + l[22] - l[17] + l[10] + l[40] + l[34] + l[27] - l[20] + l[23] + l[31] - l[16] + l[7] + l[12] - l[30] + l[29] - l[4] == 939)
s.add(l[19] + l[11] + l[20] - l[16] + l[40] + l[25] + l[1] - l[31] + l[28] - l[23] + l[14] - l[9] - l[27] + l[35] + l[39] - l[37] - l[8] - l[22] + l[5] - l[6] + l[0] - l[32] + l[24] + l[33] + l[29] + l[38] + l[15] - l[2] + l[30] + l[7] + l[12] - l[3] - l[17] + l[34] + l[41] - l[4] - l[13] - l[26] == 413)
s.add(l[22] + l[4] - l[9] + l[34] + l[35] + l[17] + l[3] - l[24] + l[38] - l[5] - l[41] - l[31] - l[0] - l[25] + l[33] + l[15] - l[1] - l[10] + l[16] - l[29] - l[12] + l[26] - l[39] - l[21] - l[18] - l[6] - l[40] - l[13] + l[8] + l[37] + l[19] + l[14] + l[32] + l[28] - l[11] + l[23] + l[36] + l[7] == 117)
s.add(l[32] + l[16] + l[3] + l[11] + l[34] - l[31] + l[14] + l[25] + l[1] - l[30] - l[33] - l[40] - l[4] - l[29] + l[18] - l[27] + l[13] - l[19] - l[12] + l[23] - l[39] - l[41] - l[8] + l[22] - l[5] - l[38] - l[9] - l[37] + l[17] - l[36] + l[24] - l[21] + l[2] - l[26] + l[20] - l[7] + l[35] - l[0] == -313)
s.add(l[40] - l[1] + l[5] + l[7] + l[33] + l[29] + l[12] + l[38] - l[31] + l[2] + l[14] - l[35] - l[8] - l[24] - l[39] - l[9] - l[28] + l[23] - l[17] - l[22] - l[26] + l[32] - l[11] + l[4] - l[36] + l[10] + l[20] - l[18] - l[16] + l[6] - l[0] + l[3] - l[30] + l[37] - l[19] + l[21] + l[25] - l[15] == -42)
s.add(l[21] + l[26] - l[17] - l[25] + l[27] - l[22] - l[39] - l[23] - l[15] - l[20] - l[32] + l[12] + l[3] - l[6] + l[28] + l[31] + l[13] - l[16] - l[37] - l[30] - l[5] + l[41] + l[29] + l[36] + l[1] + l[11] + l[24] + l[18] - l[40] + l[19] - l[35] + l[2] - l[38] + l[14] - l[9] + l[4] + l[0] - l[33] == 289)
s.add(l[29] + l[31] + l[32] - l[17] - l[7] + l[34] + l[2] + l[14] + l[23] - l[4] + l[3] + l[35] - l[33] - l[9] - l[20] - l[37] + l[24] - l[27] + l[36] + l[15] - l[18] - l[0] + l[12] + l[11] - l[38] + l[6] + l[22] + l[39] - l[25] - l[10] - l[19] - l[1] + l[13] - l[41] + l[30] - l[16] + l[28] - l[26] == -117)
s.add(l[5] + l[37] - l[39] + l[0] - l[27] + l[12] + l[41] - l[22] + l[8] - l[16] - l[38] + l[9] + l[15] - l[35] - l[29] + l[18] + l[6] - l[25] - l[28] + l[36] + l[34] + l[32] - l[14] - l[1] + l[20] + l[40] - l[19] - l[4] - l[7] + l[26] + l[30] - l[10] + l[13] - l[21] + l[2] - l[23] - l[3] - l[33] == -252)
s.add(l[29] + l[10] - l[41] - l[9] + l[12] - l[28] + l[11] + l[40] - l[27] - l[8] + l[32] - l[25] - l[23] + l[39] - l[1] - l[36] - l[15] + l[33] - l[20] + l[18] + l[22] - l[3] + l[6] - l[34] - l[21] + l[19] + l[26] + l[13] - l[4] + l[7] - l[37] + l[38] - l[2] - l[30] - l[0] - l[35] + l[5] + l[17] == -183)
s.add(l[6] - l[8] - l[20] + l[34] - l[33] - l[25] - l[4] + l[3] + l[17] - l[13] - l[15] - l[40] + l[1] - l[30] - l[14] - l[28] - l[35] + l[38] - l[22] + l[2] + l[24] - l[29] + l[5] + l[9] + l[37] + l[23] - l[18] + l[19] - l[21] + l[11] + l[36] + l[41] - l[7] - l[32] + l[10] + l[26] - l[0] + l[31] == 188)
s.add(l[3] + l[6] - l[41] + l[10] + l[39] + l[37] + l[1] + l[8] + l[21] + l[24] + l[29] + l[12] + l[27] - l[38] + l[11] + l[23] + l[28] + l[33] - l[31] + l[14] - l[5] + l[32] - l[17] + l[40] - l[34] + l[20] - l[22] - l[16] + l[19] + l[2] - l[36] - l[7] + l[18] + l[15] + l[26] - l[0] - l[4] + l[35] == 1036)
s.add(l[28] - l[33] + l[2] + l[37] - l[12] - l[9] - l[39] + l[16] - l[32] + l[8] - l[36] + l[31] + l[10] - l[4] + l[21] - l[25] + l[18] + l[24] - l[0] + l[29] - l[26] + l[35] - l[22] - l[41] - l[6] + l[15] + l[19] + l[40] + l[7] + l[34] + l[17] - l[3] - l[13] + l[5] + l[23] + l[11] - l[27] + l[1] == 328)
s.add(l[22] - l[32] + l[17] - l[9] + l[20] - l[18] - l[34] + l[23] + l[36] - l[35] - l[38] + l[27] + l[4] - l[5] - l[41] + l[29] + l[33] + l[0] - l[37] + l[28] - l[40] - l[11] - l[12] + l[7] + l[1] + l[2] - l[26] - l[16] - l[8] + l[24] - l[25] + l[3] - l[6] - l[19] - l[39] - l[14] - l[31] + l[10] == -196)
s.add(l[11] + l[13] + l[14] - l[15] - l[29] - l[2] + l[7] + l[20] + l[30] - l[36] - l[33] - l[19] + l[31] + l[0] - l[39] - l[4] - l[6] + l[38] + l[35] - l[28] + l[34] - l[9] - l[23] - l[26] + l[37] - l[8] - l[27] + l[5] - l[41] + l[3] + l[17] + l[40] - l[10] + l[25] + l[12] - l[24] + l[18] + l[32] == 7)
s.add(l[34] - l[37] - l[40] + l[4] - l[22] - l[31] - l[6] + l[38] + l[13] - l[28] + l[8] + l[30] - l[20] - l[7] - l[32] + l[26] + l[1] - l[18] + l[5] + l[35] - l[24] - l[41] + l[9] - l[0] - l[2] - l[15] - l[10] + l[12] - l[36] + l[33] - l[16] - l[14] - l[25] - l[29] - l[21] + l[27] + l[3] - l[17] == -945)
s.add(l[12] - l[30] - l[8] + l[20] - l[2] - l[36] - l[25] - l[0] - l[19] - l[28] - l[7] - l[11] - l[33] + l[4] - l[23] + l[10] - l[41] + l[39] - l[32] + l[27] + l[18] + l[15] + l[34] + l[13] - l[40] + l[29] - l[6] + l[37] - l[14] - l[16] + l[38] - l[26] + l[17] + l[31] - l[22] - l[35] + l[5] - l[1] == -480)
s.add(l[36] - l[11] - l[34] + l[8] + l[0] + l[15] + l[28] - l[39] - l[32] - l[2] - l[27] + l[22] + l[16] - l[30] - l[3] + l[31] - l[26] + l[20] + l[17] - l[29] - l[18] + l[19] - l[10] + l[6] - l[5] - l[38] - l[25] - l[24] + l[4] + l[23] + l[9] + l[14] + l[21] - l[37] + l[13] - l[41] - l[12] + l[35] == -213)
s.add(l[19] - l[36] - l[12] + l[33] - l[27] - l[37] - l[25] + l[38] + l[16] - l[18] + l[22] - l[39] + l[13] - l[7] - l[31] - l[26] + l[15] - l[10] - l[9] - l[2] - l[30] - l[11] + l[41] - l[4] + l[24] + l[34] + l[5] + l[17] + l[14] + l[6] + l[8] - l[21] - l[23] + l[32] - l[1] - l[29] - l[0] + l[3] == -386)
s.add(l[0] + l[7] - l[28] - l[38] + l[19] + l[31] - l[5] + l[24] - l[3] + l[33] - l[12] - l[29] + l[32] + l[1] - l[34] - l[9] - l[25] + l[26] - l[8] + l[4] - l[10] + l[40] - l[15] - l[11] - l[27] + l[36] + l[14] + l[41] - l[35] - l[13] - l[17] - l[21] - l[18] + l[39] - l[2] + l[20] - l[23] - l[22] == -349)
s.add(l[10] + l[22] + l[21] - l[0] + l[15] - l[6] + l[20] - l[29] - l[30] - l[33] + l[19] + l[23] - l[28] + l[41] - l[27] - l[12] - l[37] - l[32] + l[34] - l[36] + l[3] + l[1] - l[13] + l[18] + l[14] + l[9] + l[7] - l[39] + l[8] + l[2] - l[31] - l[5] - l[40] + l[38] - l[26] - l[4] + l[16] - l[25] == 98)
s.add(l[28] + l[38] + l[20] + l[0] - l[5] - l[34] - l[41] + l[22] - l[26] + l[11] + l[29] + l[31] - l[3] - l[16] + l[23] + l[17] - l[18] + l[9] - l[4] - l[12] - l[19] - l[40] - l[27] + l[33] + l[8] - l[37] + l[2] + l[15] - l[24] - l[39] + l[10] + l[35] - l[1] + l[30] - l[36] - l[25] - l[14] - l[32] == -412)
s.add(l[1] - l[24] - l[29] + l[39] + l[41] + l[0] + l[9] - l[19] + l[6] - l[37] - l[22] + l[32] + l[21] + l[28] + l[36] + l[4] - l[17] + l[20] - l[13] - l[35] - l[5] + l[33] - l[27] - l[30] + l[40] + l[25] - l[18] + l[34] - l[3] - l[10] - l[16] - l[23] - l[38] + l[8] - l[14] - l[11] - l[7] + l[12] == -95)
s.add(l[2] - l[24] + l[31] + l[0] + l[9] - l[6] + l[7] - l[1] - l[22] + l[8] - l[23] + l[40] + l[20] - l[38] - l[11] - l[14] + l[18] - l[36] + l[15] - l[4] - l[41] - l[12] - l[34] + l[32] - l[35] + l[17] - l[21] - l[10] - l[29] + l[39] - l[16] + l[27] + l[26] - l[3] - l[5] + l[13] + l[25] - l[28] == -379)
s.add(l[19] - l[17] + l[31] + l[14] + l[6] - l[12] + l[16] - l[8] + l[27] - l[13] + l[41] + l[2] - l[7] + l[32] + l[1] + l[25] - l[9] + l[37] + l[34] - l[18] - l[40] - l[11] - l[10] + l[38] + l[21] + l[3] - l[0] + l[24] + l[15] + l[23] - l[20] + l[26] + l[22] - l[4] - l[28] - l[5] + l[39] + l[35] == 861)
s.add(l[35] + l[36] - l[16] - l[26] - l[31] + l[0] + l[21] - l[13] + l[14] + l[39] + l[7] + l[4] + l[34] + l[38] + l[17] + l[22] + l[32] + l[5] + l[15] + l[8] - l[29] + l[40] + l[24] + l[6] + l[30] - l[2] + l[25] + l[23] + l[1] + l[12] + l[9] - l[10] - l[3] - l[19] + l[20] - l[37] - l[33] - l[18] == 1169)
s.add(l[13] + l[0] - l[25] - l[32] - l[21] - l[34] - l[14] - l[9] - l[8] - l[15] - l[16] + l[38] - l[35] - l[30] - l[40] - l[12] + l[3] - l[19] + l[4] - l[41] + l[2] - l[36] + l[37] + l[17] - l[1] + l[26] - l[39] - l[10] - l[33] + l[5] - l[27] - l[23] - l[24] - l[7] + l[31] - l[28] - l[18] + l[6] == -1236)
s.add(l[20] + l[27] - l[29] - l[25] - l[3] + l[28] - l[32] - l[11] + l[10] + l[31] + l[16] + l[21] - l[7] + l[4] - l[24] - l[35] + l[26] + l[12] - l[37] + l[6] + l[23] + l[41] - l[39] - l[38] + l[40] - l[36] + l[8] - l[9] - l[5] - l[1] - l[13] - l[14] + l[19] + l[0] - l[34] - l[15] + l[17] + l[22] == -114)
s.add(l[12] - l[28] - l[13] - l[23] - l[33] + l[18] + l[10] + l[11] + l[2] - l[36] + l[41] - l[16] + l[39] + l[34] + l[32] + l[37] - l[38] + l[20] + l[6] + l[7] + l[31] + l[5] + l[22] - l[4] - l[15] - l[24] + l[17] - l[3] + l[1] - l[35] - l[9] + l[30] + l[25] - l[0] - l[8] - l[14] + l[26] + l[21] == 659)
s.add(l[21] - l[3] + l[7] - l[27] + l[0] - l[32] - l[24] - l[37] + l[4] - l[22] + l[20] - l[5] - l[30] - l[31] - l[1] + l[15] + l[41] + l[12] + l[40] + l[38] - l[17] - l[39] + l[19] - l[13] + l[23] + l[18] - l[2] + l[6] - l[33] - l[9] + l[28] + l[8] - l[16] - l[10] - l[14] + l[34] + l[35] - l[11] == -430)
s.add(l[11] - l[23] - l[9] - l[19] + l[17] + l[38] - l[36] - l[22] - l[10] + l[27] - l[14] - l[4] + l[5] + l[31] + l[2] + l[0] - l[16] - l[8] - l[28] + l[3] + l[40] + l[25] - l[33] + l[13] - l[32] - l[35] + l[26] - l[20] - l[41] - l[30] - l[12] - l[7] + l[37] - l[39] + l[15] + l[18] - l[29] - l[21] == -513)
s.add(l[32] + l[19] + l[4] - l[13] - l[17] - l[30] + l[5] - l[33] - l[37] - l[15] - l[18] + l[7] + l[25] - l[14] + l[35] + l[40] + l[16] + l[1] + l[2] + l[26] - l[3] - l[39] - l[22] + l[23] - l[36] - l[27] - l[9] + l[6] - l[41] - l[0] - l[31] - l[20] + l[12] - l[8] + l[29] - l[11] - l[34] + l[21] == -502)
s.add(l[30] - l[31] - l[36] + l[3] + l[9] - l[40] - l[33] + l[25] + l[39] - l[26] + l[23] - l[0] - l[29] - l[32] - l[4] + l[37] + l[28] + l[21] + l[17] + l[2] + l[24] + l[6] + l[5] + l[8] + l[16] + l[27] + l[19] + l[12] + l[20] + l[41] - l[22] + l[15] - l[11] + l[34] - l[18] - l[38] + l[1] - l[14] == 853)
s.add(l[38] - l[10] + l[16] + l[8] + l[21] - l[25] + l[36] - l[30] + l[31] - l[3] + l[5] - l[15] + l[23] - l[28] + l[7] + l[12] - l[29] + l[22] - l[0] - l[37] - l[14] - l[11] + l[32] + l[33] - l[9] + l[39] + l[41] - l[19] - l[1] + l[18] - l[4] - l[6] + l[13] + l[20] - l[2] - l[35] - l[26] + l[27] == -28)
s.add(l[11] + l[18] - l[26] + l[15] - l[14] - l[33] + l[7] - l[23] - l[25] + l[0] - l[6] - l[21] - l[16] + l[17] - l[19] - l[28] - l[38] - l[37] + l[9] + l[20] - l[8] - l[3] + l[22] - l[35] - l[10] - l[31] - l[2] + l[41] - l[1] - l[4] + l[24] - l[34] + l[39] + l[40] + l[32] - l[5] + l[36] - l[27] == -529)
s.add(l[38] + l[8] + l[36] + l[35] - l[23] - l[34] + l[13] - l[4] - l[27] - l[24] + l[26] + l[31] - l[30] - l[5] - l[40] + l[28] - l[11] - l[2] - l[39] + l[15] + l[10] - l[17] + l[3] + l[19] + l[22] + l[33] + l[0] + l[37] + l[16] - l[9] - l[32] + l[25] - l[21] - l[12] + l[6] - l[41] + l[20] - l[18] == -12)
s.add(l[6] - l[30] - l[20] - l[27] - l[14] - l[39] + l[41] - l[33] - l[0] + l[25] - l[32] - l[3] + l[26] - l[12] + l[8] - l[35] - l[24] + l[15] + l[9] - l[4] + l[13] + l[36] + l[34] + l[1] - l[28] - l[21] + l[18] + l[23] + l[29] - l[10] - l[38] + l[22] + l[37] + l[5] + l[19] + l[7] + l[16] - l[31] == 81)
if s.check() ==sat:
m = s.model()
for i in range(0,0x2a):
print(chr(int("%s" % (m[l[i]]))),end='')

flag{A_l0ng_10NG_eqU4Ti0n_1s_E4Sy_W1Th_z3}

[GXYCTF2019]luck_guy

https://thriumph.top/GXYCTF逆向部分wp.html
flag{do_not_hate_me}

[GXYCTF2019]simple CPP

https://thriumph.top/GXYCTF逆向部分wp.html
flag{We1l_D0ne!P0or_algebra_am_i}

相关文章
评论
分享
  • 网鼎杯部分wp

    pwnboom1分析远程已经打不通了,远程的偏移和本地的偏移不一样,只能复现一下本地的了。 首先看到流程图,代码量很大,有很大的switch语句和嵌套结构,可能是虚拟机或者是解析器。 从下图看出是一个C语言的解析器。 然后看了...

    网鼎杯部分wp
  • 数字中国创新大赛

    又是自闭的一天。。 game这一题是关于python字节码的题目,之前没有了解过,看了几篇关于python字节码的文章,死磕,手工还原。。 python字节码 12345678910111213141516171819202122...

    数字中国创新大赛
  • hitcontraining_uaf

    一道简单的uaf的题目 保护12345Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX...

    hitcontraining_uaf
Please check the parameter of comment in config.yml of hexo-theme-Annie!