REVERSE-PRACTICE-BUUCTF-31

REVERSE-PRACTICE-BUUCTF-31

    • [羊城杯 2020]login
    • [羊城杯 2020]Bytecode
    • [羊城杯 2020]babyre
    • [ACTF新生赛2020]fungame

[羊城杯 2020]login

exe程序,运行后输入,无壳,ida分析
没找到主要逻辑,在字符串窗口看到一些“py”的字样,应该是python打包成了exe
用pyinstxtractor.py将exe解包,得到了这些文件
login-depack
login文件缺少magic number,用struct文件的magic number(头部的12个字节)补充,保存,改后缀名为.pyc
login-magicnumber
用uncompyle6反编译login.pyc,得到python源码

#coding:utf-8
import sys
input1 = input('input something:')
if len(input1) != 14: #输入长度为14print('Wrong length!')sys.exit()
else:code = []for i in range(13):# i∈[0,12] code[i]=ord(input1[i]) ^ ord(input1[(i + 1)])code.append(ord(input1[i]) ^ ord(input1[(i + 1)]))code.append(ord(input1[13]))#code[13]=ord(input1[13])a1 = code[2]           #位置变换a2 = code[1]a3 = code[0]a4 = code[3]a5 = code[4]a6 = code[5]a7 = code[6]a8 = code[7]a9 = code[9]a10 = code[8]a11 = code[10]a12 = code[11]a13 = code[12]a14 = code[13]# 方程组验证if (a1 * 88 + a2 * 67 + a3 * 65 - a4 * 5 + a5 * 43 + a6 * 89 + a7 * 25 + a8 * 13 - a9 * 36 + a10 * 15 + a11 * 11 + a12 * 47 - a13 * 60 + a14 * 29 == 22748) & (a1 * 89 + a2 * 7 + a3 * 12 - a4 * 25 + a5 * 41 + a6 * 23 + a7 * 20 - a8 * 66 + a9 * 31 + a10 * 8 + a11 * 2 - a12 * 41 - a13 * 39 + a14 * 17 == 7258) & (a1 * 28 + a2 * 35 + a3 * 16 - a4 * 65 + a5 * 53 + a6 * 39 + a7 * 27 + a8 * 15 - a9 * 33 + a10 * 13 + a11 * 101 + a12 * 90 - a13 * 34 + a14 * 23 == 26190) & (a1 * 23 + a2 * 34 + a3 * 35 - a4 * 59 + a5 * 49 + a6 * 81 + a7 * 25 + (a8 << 7) - a9 * 32 + a10 * 75 + a11 * 81 + a12 * 47 - a13 * 60 + a14 * 29 == 37136) & (a1 * 38 + a2 * 97 + a3 * 35 - a4 * 52 + a5 * 42 + a6 * 79 + a7 * 90 + a8 * 23 - a9 * 36 + a10 * 57 + a11 * 81 + a12 * 42 - a13 * 62 - a14 * 11 == 27915) & (a1 * 22 + a2 * 27 + a3 * 35 - a4 * 45 + a5 * 47 + a6 * 49 + a7 * 29 + a8 * 18 - a9 * 26 + a10 * 35 + a11 * 41 + a12 * 40 - a13 * 61 + a14 * 28 == 17298) & (a1 * 12 + a2 * 45 + a3 * 35 - a4 * 9 - a5 * 42 + a6 * 86 + a7 * 23 + a8 * 85 - a9 * 47 + a10 * 34 + a11 * 76 + a12 * 43 - a13 * 44 + a14 * 65 == 19875) & (a1 * 79 + a2 * 62 + a3 * 35 - a4 * 85 + a5 * 33 + a6 * 79 + a7 * 86 + a8 * 14 - a9 * 30 + a10 * 25 + a11 * 11 + a12 * 57 - a13 * 50 - a14 * 9 == 22784) & (a1 * 8 + a2 * 6 + a3 * 64 - a4 * 85 + a5 * 73 + a6 * 29 + a7 * 2 + a8 * 23 - a9 * 36 + a10 * 5 + a11 * 2 + a12 * 47 - a13 * 64 + a14 * 27 == 9710) & (a1 * 67 - a2 * 68 + a3 * 68 - a4 * 51 - a5 * 43 + a6 * 81 + a7 * 22 - a8 * 12 - a9 * 38 + a10 * 75 + a11 * 41 + a12 * 27 - a13 * 52 + a14 * 31 == 13376) & (a1 * 85 + a2 * 63 + a3 * 5 - a4 * 51 + a5 * 44 + a6 * 36 + a7 * 28 + a8 * 15 - a9 * 6 + a10 * 45 + a11 * 31 + a12 * 7 - a13 * 67 + a14 * 78 == 24065) & (a1 * 47 + a2 * 64 + a3 * 66 - a4 * 5 + a5 * 43 + a6 * 112 + a7 * 25 + a8 * 13 - a9 * 35 + a10 * 95 + a11 * 21 + a12 * 43 - a13 * 61 + a14 * 20 == 27687) & (a1 * 89 + a2 * 67 + a3 * 85 - a4 * 25 + a5 * 49 + a6 * 89 + a7 * 23 + a8 * 56 - a9 * 92 + a10 * 14 + a11 * 89 + a12 * 47 - a13 * 61 - a14 * 29 == 29250) & (a1 * 95 + a2 * 34 + a3 * 62 - a4 * 9 - a5 * 43 + a6 * 83 + a7 * 25 + a8 * 12 - a9 * 36 + a10 * 16 + a11 * 51 + a12 * 47 - a13 * 60 - a14 * 24 == 15317):print('flag is GWHT{md5(your_input)}')print('Congratulations and have fun!')else:print('Sorry,plz try again...')

z3解方程组,

from z3 import *
a1=Int('a1')
a2=Int('a2')
a3=Int('a3')
a4=Int('a4')
a5=Int('a5')
a6=Int('a6')
a7=Int('a7')
a8=Int('a8')
a9=Int('a9')
a10=Int('a10')
a11=Int('a11')
a12=Int('a12')
a13=Int('a13')
a14=Int('a14')
s=Solver()
s.add(a1 * 88 + a2 * 67 + a3 * 65 - a4 * 5 + a5 * 43 + a6 * 89 + a7 * 25 + a8 * 13 - a9 * 36 + a10 * 15 + a11 * 11 + a12 * 47 - a13 * 60 + a14 * 29 == 22748)
s.add(a1 * 89 + a2 * 7 + a3 * 12 - a4 * 25 + a5 * 41 + a6 * 23 + a7 * 20 - a8 * 66 + a9 * 31 + a10 * 8 + a11 * 2 - a12 * 41 - a13 * 39 + a14 * 17 == 7258)
s.add(a1 * 28 + a2 * 35 + a3 * 16 - a4 * 65 + a5 * 53 + a6 * 39 + a7 * 27 + a8 * 15 - a9 * 33 + a10 * 13 + a11 * 101 + a12 * 90 - a13 * 34 + a14 * 23 == 26190)
s.add(a1 * 23 + a2 * 34 + a3 * 35 - a4 * 59 + a5 * 49 + a6 * 81 + a7 * 25 + (a8 *128) - a9 * 32 + a10 * 75 + a11 * 81 + a12 * 47 - a13 * 60 + a14 * 29 == 37136)
s.add(a1 * 38 + a2 * 97 + a3 * 35 - a4 * 52 + a5 * 42 + a6 * 79 + a7 * 90 + a8 * 23 - a9 * 36 + a10 * 57 + a11 * 81 + a12 * 42 - a13 * 62 - a14 * 11 == 27915)
s.add(a1 * 22 + a2 * 27 + a3 * 35 - a4 * 45 + a5 * 47 + a6 * 49 + a7 * 29 + a8 * 18 - a9 * 26 + a10 * 35 + a11 * 41 + a12 * 40 - a13 * 61 + a14 * 28 == 17298)
s.add(a1 * 12 + a2 * 45 + a3 * 35 - a4 * 9 - a5 * 42 + a6 * 86 + a7 * 23 + a8 * 85 - a9 * 47 + a10 * 34 + a11 * 76 + a12 * 43 - a13 * 44 + a14 * 65 == 19875)
s.add(a1 * 79 + a2 * 62 + a3 * 35 - a4 * 85 + a5 * 33 + a6 * 79 + a7 * 86 + a8 * 14 - a9 * 30 + a10 * 25 + a11 * 11 + a12 * 57 - a13 * 50 - a14 * 9 == 22784)
s.add(a1 * 8 + a2 * 6 + a3 * 64 - a4 * 85 + a5 * 73 + a6 * 29 + a7 * 2 + a8 * 23 - a9 * 36 + a10 * 5 + a11 * 2 + a12 * 47 - a13 * 64 + a14 * 27 == 9710)
s.add(a1 * 67 - a2 * 68 + a3 * 68 - a4 * 51 - a5 * 43 + a6 * 81 + a7 * 22 - a8 * 12 - a9 * 38 + a10 * 75 + a11 * 41 + a12 * 27 - a13 * 52 + a14 * 31 == 13376)
s.add(a1 * 85 + a2 * 63 + a3 * 5 - a4 * 51 + a5 * 44 + a6 * 36 + a7 * 28 + a8 * 15 - a9 * 6 + a10 * 45 + a11 * 31 + a12 * 7 - a13 * 67 + a14 * 78 == 24065)
s.add(a1 * 47 + a2 * 64 + a3 * 66 - a4 * 5 + a5 * 43 + a6 * 112 + a7 * 25 + a8 * 13 - a9 * 35 + a10 * 95 + a11 * 21 + a12 * 43 - a13 * 61 + a14 * 20 == 27687)
s.add(a1 * 89 + a2 * 67 + a3 * 85 - a4 * 25 + a5 * 49 + a6 * 89 + a7 * 23 + a8 * 56 - a9 * 92 + a10 * 14 + a11 * 89 + a12 * 47 - a13 * 61 - a14 * 29 == 29250)
s.add(a1 * 95 + a2 * 34 + a3 * 62 - a4 * 9 - a5 * 43 + a6 * 83 + a7 * 25 + a8 * 12 - a9 * 36 + a10 * 16 + a11 * 51 + a12 * 47 - a13 * 60 - a14 * 24 == 15317)
if s.check():print(s.model())
# [a2 = 24,a13 = 88, a6 = 43,a9 = 52,a14 = 33,a5 = 104,a12 = 74,a7 = 28,a1 = 119, a10 = 108, a11 = 88, a8 = 91, a4 = 7, a3 = 10]

写将位置换回以及逆异或运算脚本即可得到flag

import hashlib
data=[119,24,10,7,104,43,28,91,52,108,88,74,88,33]
index=[2,1,0,3,4,5,6,7,9,8,10,11,12,13]
flag=[0]*14
for i in range(len(flag)):flag[index[i]]=data[i]
for i in range(len(flag)-2,-1,-1):flag[i]^=flag[i+1]
flag_str=''.join(chr(i) for i in flag)
print(flag_str)
# U_G07_th3_k3y!
h=hashlib.md5()
h.update(flag_str.encode(encoding='utf-8'))
print(h.hexdigest())
# 58964088b637e50d3a22b9510c1d1ef8

[羊城杯 2020]Bytecode

txt文件给了python的字节码,翻译成源码

#coding:utf-8
en=[3,37,72,9,6,132]
output=[101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
print('welcome to GWHT2020')
flag=raw_input('please input your flag:')
str=flag
def func0(): # 验证输入的长度a = len(str)if a < 38:print('lenth wrong!')
def func1(): # 验证输入的前5个字符if (((ord(str[0])*2020+ord(str[1]))*2020+ord(str[2]))*2020+ord(str[3]))*2020+ord(str[4])==1182843538814603:print('good!continue\xe2\x80\xa6\xe2\x80\xa6')
def func2(): # 验证输入花括号{}内的前26个字符x=[]k=5for i in range(13):b=ord(str[k])c=ord(str[k+1])a11=c^en[i%6]a22=b^en[i%6]x.append(a11)x.append(a22)k+=2if x==output:print('good!continue\xe2\x80\xa6\xe2\x80\xa6')
def func3(): # 验证输入花括号{}内的后6个字符l=len(str)a1=ord(str[l-7])a2=ord(str[l-6])a3 = ord(str[l - 5])a4 = ord(str[l - 4])a5 = ord(str[l - 3])a6 = ord(str[l - 2])if a1*3+a2*2+a3*5==1003 and a1*4+a2*7+a3*9==2013 and a1+a2*8+a3*2==1109 and a4*3+a5*2+a6*5==671 and a4*4+a5*7+a6*9==1252 and a4+a5*8+a6*2==644:print('congraduation!you get the right flag!')
func0()
func1()
func2()
func3()

func1验证输入的前5个字符,写爆破脚本,得到"GWHT{"

for i in range(32,127):for j in range(32,127):for k in range(32, 127):for m in range(32, 127):for n in range(32, 127):if (((i*2020+j)*2020+k)*2020+m)*2020+n==1182843538814603:print(chr(i)+chr(j)+chr(k)+chr(m)+chr(n))break
#GWHT{                 

func2验证输入花括号{}内的前26个字符,写逆脚本,得到"cfa2b87b3f746a8f0ac5c5963f"

en=[3,37,72,9,6,132]
output=[101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
k=0
flag=[]
for i in range(13):c1=output[k+1]^en[i%6]c2=output[k]^en[i%6]flag.append(c1)flag.append(c2)k+=2
print(''.join(chr(i) for i in flag))
# cfa2b87b3f746a8f0ac5c5963f

func3验证输入花括号{}内的后6个字符,用z3解方程,转成字符串,得到"aeff73"

from z3 import *
a1=Int('a1')
a2=Int('a2')
a3=Int('a3')
a4=Int('a4')
a5=Int('a5')
a6=Int('a6')
s=Solver()
s.add(a1*3+a2*2+a3*5==1003)
s.add(a1*4+a2*7+a3*9==2013)
s.add(a1+a2*8+a3*2==1109)
s.add(a4*3+a5*2+a6*5==671)
s.add(a4*4+a5*7+a6*9==1252)
s.add(a4+a5*8+a6*2==644)
if s.check():print(s.model())
# [a5 = 55, a2 = 101, a6 = 51, a3 = 102, a4 = 102, a1 = 97]
data=[97,101,102,102,55,51]
print(''.join(chr(i) for i in data))
# aeff73

最后加上一个’}’,于是flag为"GWHT{cfa2b87b3f746a8f0ac5c5963faeff73}"

[羊城杯 2020]babyre

elf文件,无壳,ida分析
main函数,首先sub_402563函数进行一段SMC,获取输入,输入长度限为16,对输入进行DES加密,密钥动态调试可得,比较DES加密过的输入(密文)与已知的byte_6040C0,验证成功后,将未经DES加密过的输入传入sub_40272D函数作为AES加密的密钥
babyre-main
调试得到DES密钥为b'\xAD\x52\xF2\x4C\xE3\x2C\x20\xD6',密文为b'\x0A\xF4\xEE\xC8\x42\x8A\x9B\xDB\xA2\x26\x6F\xEE\xEE\xE0\xD8\xA2',分别用ECB模式和CBC模式解DES,两次解密结果的拼接即为第一次正确的输入

from Crypto.Cipher import DES
key=b'\xAD\x52\xF2\x4C\xE3\x2C\x20\xD6'
des_ecb=DES.new(key,DES.MODE_ECB)
des_cbc=DES.new(key,DES.MODE_CBC,key)
cipher=b'\x0A\xF4\xEE\xC8\x42\x8A\x9B\xDB\xA2\x26\x6F\xEE\xEE\xE0\xD8\xA2'
m1=des_ecb.decrypt(cipher)
m2=des_cbc.decrypt(cipher)
print(m1)
print(m2)
#th1s1sth9�߫qᨢ
#�:�?�_T�3n1c3k3y
#th1s1sth3n1c3k3y

进入sub_40272D函数,获取输入,第一次的输入作为AES的密钥,对输入进行常规的AES.ECB加密,密文异或运算,然后还有个相邻两个元素参与的运算给byte_6040D0赋值,最后byte_6040D0与已知的res比较
babyre-aes
写逆运算脚本即可得到flag

from Crypto.Cipher import AES
key="th1s1sth3n1c3k3y"
aes=AES.new(key,AES.MODE_ECB)
res=[0xBD, 0xAD, 0xB4, 0x84, 0x10, 0x63, 0xB3, 0xE1, 0xC6, 0x84,0x2D, 0x6F, 0xBA, 0x88, 0x74, 0xC4, 0x90, 0x32, 0xEA, 0x2E,0xC6, 0x28, 0x65, 0x70, 0xC9, 0x75, 0x78, 0xA0, 0x0B, 0x9F,0xA6]
for i in range(0,255):s=[]s.append(i)for j in range(1,len(res)+1):tmp=((res[j-1]^(2*(s[j-1]^0x13)+7))-2-s[j-1]%9)&0xffs.append(tmp)for j in range(31,-1,-1):for k in range(j//4):s[j]^=s[k]s_str=''.join(chr(i) for i in s)m=aes.decrypt(s_str)if 'GWHT' in m:print(m)
#GWHT{th1s_gam3_1s_s0_c00l_and_d}

两次输入,验证成功,再md5一下,提交成功
babyre-flag
babyre-md5flag

[ACTF新生赛2020]fungame

exe程序,运行后输入,无壳,ida分析
main函数,给v3和x填充0,x大小为36,只填充了24个0
fungame-main
sub_401340函数,获取输入,对输入的前16个字符进行验证
fungame-sub_401340
sub_4013BA函数,两次copy
fungame-sub_4013BA
查找x的交叉引用,除了main和sub_4013BA函数,第三处在sub_40233D函数
再次输入,对输入进行常规的base64编码,结果与已知的v0比较验证
fungame-sub_40233D
写脚本,但是提交失败

import base64
y1=[0x23, 0x61, 0x3E, 0x69, 0x54, 0x41, 0x18, 0x4D, 0x6E, 0x3B,0x65, 0x53, 0x30, 0x79, 0x45, 0x5B]
y2=[0x71, 0x04, 0x61, 0x58, 0x27, 0x1E, 0x4B, 0x22, 0x5E, 0x64,0x03, 0x26, 0x5E, 0x17, 0x3C, 0x7A]
flag=[]
for i in range(16):flag.append(y1[i]^y2[i])
flag_str=''.join(chr(i) for i in flag)
s="YTFzMF9wV24="
flag_str+=base64.b64decode(s)
print(flag_str)
#Re_1s_So0_funny!a1s0_pWn

最后参考Mz1师傅的wp:re | [ACTF新生赛2020]fungame

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/438131.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

C#的变迁史07 - C# 4.0 之线程安全集合篇

作为多线程和并行计算不得不考虑的问题就是临界资源的访问问题&#xff0c;解决临界资源的访问通常是加锁或者是使用信号量&#xff0c;这个大家应该很熟悉了。 而集合作为一种重要的临界资源&#xff0c;通用性更广&#xff0c;为了让大家更安全的使用它们&#xff0c;微软为我…

PWN-PRACTICE-BUUCTF-1

PWN-PRACTICE-BUUCTF-1test_your_ncripwarmup_csaw_2016ciscn_2019_n_1test_your_nc 附件的main函数直接system("/bin/sh")&#xff0c;nc直接连即可cat flag rip main函数中&#xff0c;gets函数读取一行会造成栈溢出 构造payload覆盖rip&#xff0c;使得return…

C#的变迁史08 - C# 5.0 之并行编程总结篇

C# 5.0 搭载于.NET 4.5和VS2012之上。 同步操作既简单又方便&#xff0c;我们平时都用它。但是对于某些情况&#xff0c;使用同步代码会严重影响程序的可响应性&#xff0c;通常来说就是影响程序性能。这些情况下&#xff0c;我们通常是采用异步编程来完成功能&#xff0c;这在…

REVERSE-PRACTICE-CTFSHOW-1

REVERSE-PRACTICE-CTFSHOW-1逆向签到题re2逆向4逆向5逆向签到题 ida打开即可得到明文flag re2 附件是一个加密过的flag文本和勒索病毒exe 运行程序&#xff0c;输入1&#xff0c;回车&#xff0c;直接退出&#xff0c;ida分析 选项1的逻辑为&#xff0c;打开flag.txt和enfl…

C#的变迁史09 - C# 5.0 之调用信息增强篇

Caller Information CallerInformation是一个简单的新特性&#xff0c;包括三个新引入的Attribute&#xff0c;使用它们可以用来获取方法调用者的信息&#xff0c; 这三个Attribute在System.Runtime.CompilerServices命名空间下&#xff0c;分别叫做CallerMemberNameAttribute&…

REVERSE-PRACTICE-CTFSHOW-2

REVERSE-PRACTICE-CTFSHOW-2re3红包题 武穆遗书数学不及格flag白给re3 main函数&#xff0c;分析可知&#xff0c;将输入的字符串按十六进制转成数字&#xff0c;写到v5&#xff0c;赋给v17[6] 当i等于6时&#xff0c;v16会加上输入的值&#xff0c;然后进入循环&#xff0c;最…

C#的变迁史10 - C# 5.0 之其他增强篇

1. 内置zip压缩与解压   Zip是最为常用的文件压缩格式之一&#xff0c;也被几乎所有操作系统支持。在之前&#xff0c;使用程序去进行zip压缩和解压要靠第三方组件去支持&#xff0c;这一点在.NET4.5中已有所改观&#xff0c;Zip压缩和解压功能已经内置于框架本身。这个功能使…

REVERSE-PRACTICE-CTFSHOW-3

REVERSE-PRACTICE-CTFSHOW-3签退神光签到baby_gay签退 .pyc文件&#xff0c;uncompyle6反编译&#xff0c;得到python源码&#xff0c;分析写在源码注释中 先变表base64&#xff0c;再凯撒加密&#xff0c;向后移动2位 import string c_charset string.ascii_uppercase str…

REVERSE-PRACTICE-CTFSHOW-4

REVERSE-PRACTICE-CTFSHOW-4encodeEasyBJD hamburger competitionJustREencode elf文件&#xff0c;upx脱壳&#xff0c;ida分析 交叉引用字符串"Please input your flag:"&#xff0c;来到sub_804887C函数 输入经过三次变换&#xff0c;先是变表base64&#xff0c;…

CSS 基础框盒模型介绍

当对一个文档进行布局&#xff08;lay out&#xff09;的时候&#xff0c;浏览器的渲染引擎会根据标准之一的 CSS 基础框盒模型&#xff08;CSS basic box model&#xff09;&#xff0c;将所有元素表示为一个个矩形的盒子&#xff08;box&#xff09;。CSS 决定这些盒子的大小…

REVERSE-PRACTICE-CTFSHOW-5

REVERSE-PRACTICE-CTFSHOW-5re2_归心Mud[吃鸡杯]ezmore[吃鸡杯]有手就行re2_归心 exe程序&#xff0c;运行后要求输入flag&#xff0c;ida分析 函数窗没找到主逻辑函数&#xff0c;shiftF12看字符串窗口 发现有java/lang/String&#xff0c;com/exe4j/runtime/WinLauncher等字…

PWN-PRACTICE-BUUCTF-2

PWN-PRACTICE-BUUCTF-2pwn1_sctf_2016jarvisoj_level0ciscn_2019_c_1[第五空间2019 决赛]PWN5pwn1_sctf_2016 main函数中执行vuln函数 fgets限制了输入的长度&#xff0c;不足以构成栈溢出 通过将输入中的字符"I"替换成"you"&#xff0c;增加长度&#xf…

PWN-PRACTICE-BUUCTF-3

PWN-PRACTICE-BUUCTF-3[OGeek2019]babyropciscn_2019_n_8get_started_3dsctf_2016jarvisoj_level2[OGeek2019]babyrop 简单的ret2libc&#xff0c;构造rop main函数中读取一个随机数到buf中&#xff0c;传入sub_804871F 用"\x00"来绕过strlen和strncmp&#xff0c;b…

c#中常用集合类和集合接口之接口系列【转】

常用集合接口系列&#xff1a;http://www.cnblogs.com/fengxiaojiu/p/7997704.html 常用集合类系列&#xff1a;http://www.cnblogs.com/fengxiaojiu/p/7997541.html 大多数集合都在System.Collections&#xff0c;System.Collections.Generic两个命名空间。其中System.Colle…

PWN-PRACTICE-BUUCTF-4

PWN-PRACTICE-BUUCTF-4ciscn_2019_en_2bjdctf_2020_babystacknot_the_same_3dsctf_2016[HarekazeCTF2019]baby_ropciscn_2019_en_2 这题和ciscn_2019_c_1一模一样 栈溢出ret2libc&#xff0c;encrypt函数里的异或运算不用管 from pwn import * context.log_level"debug&…

PWN-PRACTICE-BUUCTF-5

PWN-PRACTICE-BUUCTF-5jarvisoj_level2_x64ciscn_2019_n_5others_shellcodeciscn_2019_ne_5jarvisoj_level2_x64 这题和[HarekazeCTF2019]baby_rop几乎一模一样 from pwn import * #context.log_level"debug" ioremote(node4.buuoj.cn,27023) elfELF(./level2_x64)…

Scrum敏捷开发沉思录

计算机科学的诞生&#xff0c;是世人为了用数字手段解决实际生活中的问题。随着时代的发展&#xff0c;技术的进步&#xff0c;人们对于现实世界中的问题理解越来越深刻&#xff0c;描述也越来越抽象&#xff0c;于是对计算机软件的需求也越来越高&#xff0c;越来越复杂&#…

PWN-PRACTICE-BUUCTF-6

PWN-PRACTICE-BUUCTF-6铁人三项(第五赛区)_2018_ropbjdctf_2020_babyropbabyheap_0ctf_2017pwn2_sctf_2016铁人三项(第五赛区)_2018_rop vulnerable_function函数中read构成栈溢出&#xff0c;ret2libc from pwn import * context.log_level"debug" ioremote(node4…

PWN-PRACTICE-BUUCTF-7

PWN-PRACTICE-BUUCTF-7jarvisoj_fmciscn_2019_s_3SROP解法ret2csu解法bjdctf_2020_babystack2[HarekazeCTF2019]baby_rop2jarvisoj_fm 格式化字符串漏洞&#xff0c;可以测出我们的输入在栈上的偏移为11 自己构造或者使用fmtstr_payload构造payload均可&#xff0c;目标是让x4…

Axure教程 axure新手入门基础(3) 简单易上手

(三)Axure rp元件的触发事件 l OnClick(点击时): 鼠标点击事件&#xff0c;除了动态面板的所有的其他元件的点击时触发。比如点击按钮。 l OnMouseEnter(鼠标移入时): 鼠标进入到某个元件范围时触发&#xff0c;比如当鼠标移到某张图片时显示该图片的介绍。 l OnMouseOut(鼠标移…