第九届中国海洋大学信息安全竞赛-WP by Rweb

虽然校外组 24

Reverse

一.钩子

顾名思义，盲猜是一手hook api的题，无壳，载入ida之后直接找一手真正的加密逻辑，先shift+f12看一手字符串。

看到假flag之后直接接着这个假的判断逻辑函数接着往上溯源，选中函数sub_7FF71CC712C0摁x，然后往回逆

继续选中StartAddress，摁x往回逆，然后到最后发现就是在装载主程序之前有先创建一个StartAddress的线程的操作，对于真正的加密逻辑进行了一个勾取

步入StartAddress，进入下图的RC4中（此处函数我已重命名）

然后就经典RC4魔改，取出密文，直接解密

贴出解密脚本如下：

key=[ 136, 227, 238,  17, 198,  73, 116, 165, 221, 152, 
   89, 233,  72, 247, 110, 191,  58, 179, 155, 223, 
   16,  66, 255, 153, 108, 227,  62,   5,  44, 101, 
   71, 239]


table=[  2, 204,  71, 179,  77, 108, 253, 154,  76,  78, 
  212, 139,  30, 129,  25,  10,  52,  38, 208, 255, 
  112, 182, 176, 146,  73, 179]


S = list(range(256))
T = [key[i % len(key)] for i in range(256)]

v9=0
for j in range(256):
    v9=(T[j]+S[j]+v9)%256
    S[j],S[v9]=S[v9],S[j]

a1=26
v6=0
v8=0
for k in range(26):
    v6=(v6+1)%256
    v8=(S[v6]+v8)%256
    S[v6],S[v8]=S[v8],S[v6]
    print(chr(table[k]^S[(S[v8]+S[v6])%256]),end='')
#flag{ho00OoOoOoked_gotcha}

二.xor++

签到题，没啥好说的，直接贴出脚本如下：

data = [37,40, 36,33, 60, 42, 60,  30,  20, 40, 36, 40,  41,97,  50, 39, 63, 32, 12,  9, 32,104,  55, 46, 4, 63, 53,106,17,  7, 4,  61, 14,17, 38, 14,  26]

key=67

for i in range(len(data)):
    print(chr(data[i]^key),end='')
    key=key+1
#flag{buT_diff1cultY_w0nt_ch4Nge_muCh}

三.睡_Lite

上手给了个hex文件，嘶，有点难受，没逆过单片机，确实不知道该咋分析，开始一直以为是arm架构，但是拖进 ida 之后好像有地址错误，嘶，卡了很久，最后还下载了个单片机的烧录软件，寻思烧录出来看看，但是后面才知道好像只知道hex文件是烧录不了的，最后回到最开始的起点，拿hex文件问了一下gpt才知道，这居然是个avr架构。。。。。。

然后转bin直接拖进ida选择avr架构，反编译成功，爽了。。。

题目说flag给的比较直接，然后看了最长的这个函数，有疑似flag的字符，应该就是直接提取

flag开头的几个字符，将字符传个r24寄存器之后都有一个call sub_48的操作，盲猜应该就是类似输出的操作，所以只需要把所有有call sub_48这个操作的字符提取出来即可。flag{dEl4y_n0_MoR3}

Pwn

一.摩登Pwn

运行显示，输入负数可以获取flag，看程序

stroul把输入转换成无符号整数，输入2147483648

flag{292be5d2-3a2f-4a03-ae34-c9a649c19d27}

Crypto

一.Base64*rot13

flag{ezez3zeze2ezEz}

二.模！

题目分析

from math import factorial
from functools import reduce

flag = "flag{xxxxxxxxxxxxxxxxxx}"

def mooooo(s: str):
    res = 0
    for i in s: #对flag中的字符进行匹配
        res <<= 8 #位运算，相当于乘256
        res += ( factorial(ord(i)) % 233 ) #对字符进行阶乘，然后模233
    return res

table = "abcdefghijklmnopqrstuvwxyz{}"
assert(reduce(lambda p,i:(i in table)*p, flag, True)) #匹配flag，flag中的字符只能是table里的

print(mooooo(flag))
# output: 2508450541438803643416583335895451914701844680466330955847

既然每次是先左移8位/乘256，然后再求字符ASCII的阶乘并模233（巧的是，table里的字符的阶乘的模没有重复的）

那样我们可以倒着求，先除256，然后得到的余数就是字符ASCII的阶乘并模233的结果，然后结果逆置，匹配，即为结果

from math import factorial
from functools import reduce

# table = "abcdefghijklmnopqrstuvwxyz{}"

de_dict = {
114:'a',
221:'b',
210:'c',
30:'d',
1:'e',
102:'f',
21:'g',
87:'h',
48:'i',
195:'j',
128:'k',
77:'l',
5:'m',
84:'n',
4:'o',
215:'p',
63:'q',
192:'r',
178:'s',
144:'t',
72:'u',
108:'v',
37:'w',
13:'x',
175:'y',
147:'z',
140:'{',
71:'}'
    }

en_flag = 2508450541438803643416583335895451914701844680466330955847
result_t = []
for i in range(24):
    temp_x = en_flag % 256
    result_t.insert(0, temp_x)
    en_flag = en_flag - temp_x
    en_flag = en_flag // 256

for x in result_t:
    everyf = de_dict.get(x)
    print(everyf,end='')

flag{dalaodalaohaolihai}

三.NeXT RSA

原题分析

import sympy
import libnum

flag="flag{" + "???" + "}"
m = libnum.s2n(flag)

p = sympy.randprime(1<<1024, 1<<1025) #随机数，在1024位到1025位之间的数
q = sympy.nextprime(p) #p下一个素数

n = p*q
r = (p-1)*(q-1)
e = 65537

c = pow(m, e, n) #正常RSA

print(n, e, c)
# output:
# 80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761
# 65537
# 23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544

根据脚本看，p和q十分接近，那就可以开n的平方，求到在p、q之间的数字，然后向下/向上遍历，找到p和q，然后解RSA

结题脚本：

import math
import gmpy2
from Crypto.Util.number import *

n = 80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761

def exp1(num):
    root = gmpy2.iroot(num, 2)[0]
    for i in range(root, num):
        if num % i == 0:
            p = i
            q = num // i
            print(f'p = {p}')
            print(f'q = {q}')
            return p, q

def Decrypt(c,e,p,q):
    phi=(p-1)*(q-1)#算欧拉函数
    d = inverse(e, phi)
    m2 = pow(c, d, n)
    m = long_to_bytes(m2)
    print(m)


e = 65537
c = 23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544

p, q = exp1(n)

Decrypt(c, e, p, q)

flag{n0t_s3Cure_4t_aIl}

Misc

一.帕鲁服务器#1

打开虚拟机

抓包试试

flag{Ur_s3rVer_1s_n0w_mY_p4l}

二.一眼盯帧

得到一个理塘王的视频，放的时候发现有异常图片闪过，既然盯帧了都，直接下载下来拆个帧，每一帧一拆，六千来张，直接按大小排个序，整合一下异常图片。

得到62个表达式图片，思路清晰了，直接把表达式拿出来z3一把嗦了，一开始用uTools的OCR一个个识别，最后z3没嗦出来，心态炸了，最后又重新弄了一遍，找了个在线网站https://web.baimiaoapp.com/，一次最多识别放50张，分两次把62张放进去，还挺好用的

贴出解密脚本如下：

from z3 import *

a1 = Int('a1')
a2 = Int('a2')
a3 = Int('a3')
a4 = Int('a4')
a5 = Int('a5')
a6 = Int('a6')
a7 = Int('a7')
a8 = Int('a8')
a9 = Int('a9')
a10 = Int('a10')
a11 = Int('a11')
a12 = Int('a12')
a13 = Int('a13')
a14 = Int('a14')
a15 = Int('a15')
a16 = Int('a16')
a17 = Int('a17')
a18 = Int('a18')
a19 = Int('a19')
a20 = Int('a20')
a21 = Int('a21')
a22 = Int('a22')
a23 = Int('a23')
a24 = Int('a24')
a25 = Int('a25')
a26 = Int('a26')
a27 = Int('a27')
a28 = Int('a28')
a29 = Int('a29')
a30 = Int('a30')
a31 = Int('a31')


slover = Solver()

slover.add(40*a1 +42*a2 +69*a3 +91*a4 + 91*a5 + 74*a6 + 45*a7 +49*a8 +
99*a9 +41*a10 + 79*a11 + 26*a12 +51*a13+ 74*a14+84*a15 +
31*a16 +74*a17 +11*a18+87*a19 +76*a20 +26*a21 +40*a22 +
13*a23 +31*a24 + 39*a25 + 7*a26 +84*a27 + 65*a28 +25*a29 +
88*a30+13*a31==159700)

slover.add(76*a1+23*a2 +47*a3 +95*a4 +56*a5 + 94*a6 + 9*a7 +89*a8 +
1*a9 +27*a10 + 64*a11 + 54*a12 +77*a13 +57*a14 +11*a15 +
80*a16+61*a17+98*a18 + 14*a19 + 72*a20 + 67*a21 +98*a22 +
66*a23 +26*a24 +11*a25+36*a26 +94*a27 +66*a28 +99*a29 +
64*a30 +40*a31==171444)

slover.add(49*a1 + 38*a2 + 20*a3 +28*a4 +36*a5 + 44*a6 +85*a7 +48*a8 +
74*a9 +73*a10 +27*a11 +99*a12 +21*a13+ 72*a14 + 89*a15 +
3*a16 +3*a17 +72*a18 + 71*a19 + 29*a20 +92*a21 +19*a22 +
42*a23+87*a24 +97*a25 +36*a26 +84*a27 +56*a28 +96*a29 +
40*a30 +82*a31==164206)

slover.add(81*a1 + 88*a2 +41*a3 +98*a4+ 8*a5 + 70*a6 + 19*a7 + 85*a8 +
37*a9 +64*a10 + 24*a11 +96*a12 + 94*a13 + 78*a14 + 81*a15 +
38*a16 + 10*a17 +87*a18 + 75*a19 + 35*a20 + 7*a21 + 98*a22 +
63*a23 + 37*a24 + 4*a25 +40*a26 +13*a27 + 83*a28 + 99*a29 +
61*a30 + 60*a31== 171511)

slover.add(53*a1 + 39*a2 + 10*a3 +36*a4 + 37*a5 + 42*a6 + 69*a7 +66*a8 +
22*a9 +33*a10 + 34*a11 + 4*a12 +77*a13 + 94*a14 +51*a15 +
87*a16+3*a17+ 34*a18 + 44*a19 +17*a20+48*a21 + 31*a22 +
62*a23+15*a24 +59*a25 +39*a26 +42*a27 +48*a28 +63*a29 +
44*a30 +84*a31== 131705)

slover.add(95*a1 + 37*a2 +70*a3 +10*a4+ 72*a5 + 37*a6 +26*a7 +11*a8 +
89*a9 +36*a10 + 80*a11 + 81*a12 + 13*a13 + 84*a14 +79*a15 +
69*a16 + 15*a17 + 53*a18+52*a19 +92*a20 +13*a21 +44*a22 +
33*a23 +48*a24 +77*a25 +40*a26 +50*a27 +20*a28 +9*a29 +
69*a30 +44*a31== 149011)

slover.add(58*a1 + 53*a2 +93*a3 + 4*a4 +33*a5 + 76*a6 + 88*a7 +7*a8 +
21*a9+24*a10 +8*a11 +35*a12 +64*a13 +54*a14 +20*a15 +
1*a16+4*a17 +42*a18 + 29*a19 + 96*a20 + 40*a21 +22*a22 +
39*a23 + 47*a24 + 4*a25 +42*a26 + 31*a27 + 69*a28 + 39*a29 +
6*a30 +50*a31==114939)

slover.add(89*a1 + 73*a2 +43*a3 + 41*a4 + 28*a5 + 19*a6 + 83*a7 + 32*a8 +
65*a9 +37*a10 +22*a11 +22*a12 +42*a13 +74*a14 + 43*a15 +
72*a16+4*a17 +94*a18 + 66*a19 + 60*a20 + 63*a21 +91*a22 +
69*a23 + 7*a24 + 39*a25 + 96*a26 + 76*a27 +5*a28 +32*a29 +
57*a30 +22*a31== 147181)

slover.add(76*a1 + 83*a2 + 10*a3 + 31*a4 +18*a5 + 2*a6 + 2*a7 + 65*a8 +
27*a9 + 47*a10 +63*a11 +61*a12 + 77*a13 + 38*a14+22*a15 +
49*a16+4*a17 +2*a18 +63*a19 +24*a20 +16*a21 + 36*a22 +
48*a23 + 50*a24 +40*a25 + 78*a26 + 19*a27 + 95*a28 +73*a29 +
47*a30 +56*a31 == 128931)

slover.add(93*a1 + 3*a2 +86*a3 + 90*a4 + 97*a5 +11*a6 + 66*a7 +69*a8 +
96*a9 +62*a10 +40*a11 +58*a12 +25*a13+64*a14 + 50*a15 +
65*a16+59*a17 + 5*a18 + 7*a19 +55*a20 +92*a21 +29*a22 +
35*a23 +83*a24 +59*a25 + 55*a26 + 51*a27 +62*a28+1*a29 +
64*a30 +12*a31==159474)

slover.add(60*a1 +19*a2 +66*a3 +62*a4 + 42*a5 + 86*a6 + 61*a7 +63*a8 +
56*a9 +2*a10 +46*a11 +7*a12 + 7*a13 +2*a14 + 16*a15 +
97*a16 +12*a17 + 28*a18 + 11*a19 +92*a20 + 26*a21 +64*a22 +
63*a23 +62*a24 +45*a25+56*a26 +50*a27 +97*a28 +62*a29 +
71*a30 + 65*a31 == 146558)

slover.add(11*a1 + 79*a2 + 17*a3 + 68*a4+ 26*a5 + 38*a6 +23*a7 +78*a8 +
82*a9 +71*a10 +46*a11 +18*a12 +20*a13 +19*a14 +89*a15 +
86*a16 +20*a17 +54*a18 +47*a19 +15*a20+62*a21 +49*a22 +
97*a23 + 75*a24 +17*a25+76*a26 +52*a27 +62*a28 +65*a29 +
89*a30 + 80*a31 == 158569)

slover.add(79*a1 + 10*a2 +66*a3+31*a4+76*a5 + 58*a6 +45*a7 +64*a8 +
97*a9 +9*a10 + 15*a11 + 6*a12 +61*a13 + 65*a14 +52*a15 +
1*a16 + 38*a17 + 11*a18 + 66*a19 + 21*a20 +30*a21 + 76*a22 +
41*a23 + 75*a24 +52*a25+45*a26 +91*a27 +96*a28 +29*a29 +
64*a30 +59*a31 == 149303)

slover.add(87*a1 +64*a2 +72*a3 +22*a4 + 38*a5 + 64*a6 + 27*a7 +35*a8 +
18*a9 + 24*a10 +64*a11 +80*a12 + 35*a13 + 56*a14 + 39*a15 +
97*a16+83*a17 + 88*a18 + 21*a19 + 51*a20 +76*a21 +63*a22 +
54*a23 +38*a24 +92*a25+56*a26 +84*a27 +75*a28 +38*a29 +
2*a30 + 43*a31==162212)

slover.add(89*a1 + 93*a2 + 48*a3 +5*a4 +37*a5 + 76*a6 + 32*a7 + 66*a8 +
25*a9 + 39*a10 + 59*a11 + 14*a12 +48*a13 +62*a14 +4*a15 +
76*a16 + 72*a17 + 78*a18+40*a19 +96*a20 +68*a21 +35*a22 +
89*a23 + 3*a24 +29*a25 +17*a26 + 63*a27 + 43*a28 +61*a29 +
37*a30 +12*a31==142706)

slover.add(4*a1 +25*a2 + 16*a3 +45*a4 + 65*a5 +17*a6 + 39*a7 +59*a8 +
82*a9 +54*a10 +69*a11 +59*a12+86*a13 +37*a14 +70*a15+
21*a16 + 46*a17 + 89*a18 + 96*a19 + 32*a20 + 35*a21 +69*a22 +
22*a23 +13*a24 +95*a25 + 58*a26 +94*a27 +29*a28+84*a29 +
24*a30 + 3*a31==146480)

slover.add(50*a1 +48*a2 +87*a3 +37*a4 + 53*a5 + 19*a6 +24*a7 +30*a8 +
40*a9 +31*a10 +18*a11 +89*a12 +81*a13 + 70*a14 +98*a15 +
87*a16 +98*a17 +82*a18+31*a19+71*a20+30*a21 +28*a22 +
95*a23 +22*a24 +15*a25+73*a26 +51*a27 +92*a28 +32*a29 +
97*a30 + 65*a31 == 168401)

slover.add(40*a1+20*a2+13*a3+25*a4+ 87*a5 + 95*a6 + 47*a7 +80*a8 +
22*a9 +43*a10 + 4*a11 + 83*a12 + 50*a13 +85*a14 + 39*a15 +
22*a16+75*a17 +3*a18 + 22*a19 +6*a20 +16*a21 +29*a22 +
65*a23 + 19*a24 + 64*a25 +48*a26 +41*a27 +8*a28 +10*a29 +
66*a30 +12*a31== 117331)

slover.add(37*a1 + 49*a2 + 63*a3 + 49*a4+ 3*a5 + 54*a6 + 52*a7 +61*a8 +
58*a9 + 36*a10 + 24*a11 + 6*a12 +46*a13 +47*a14 +16*a15 +
29*a16 + 83*a17 +2*a18 + 50*a19 + 94*a20 + 38*a21 +56*a22 +
34*a23+13*a24 +34*a25+12*a26 + 41*a27 +47*a28 +35*a29 +
67*a30 +74*a31== 125357)

slover.add(37*a1+ 2*a2 +12*a3+84*a4 +79*a5 + 36*a6 + 93*a7 +64*a8 +
68*a9 +7*a10 +37*a11 +58*a12 +68*a13+49*a14 +19*a15 +
95*a16 +43*a17 +22*a18+10*a19 +21*a20 +70*a21 +72*a22 +
73*a23+19*a24 +32*a25 + 8*a26 + 6*a27 + 89*a28 +43*a29 +
32*a30+95*a31== 138223)

slover.add(24*a1 + 23*a2 + 12*a3 +73*a4 + 32*a5 + 3*a6 + 61*a7 +51*a8 +
85*a9 + 94*a10 +36*a11 + 90*a12 + 49*a13 + 97*a14+18*a15 +
55*a16 +26*a17 + 40*a18+39*a19 +95*a20 +61*a21 +17*a22 +
29*a23 +7*a24 + 40*a25 +58*a26 +5*a27 + 49*a28 +2*a29 +
83*a30 +69*a31 == 136759)

slover.add(64*a1 +28*a2 +52*a3+74*a4+ 84*a5 + 36*a6 +39*a7 +55*a8 +
40*a9 + 44*a10+ 47*a11 + 23*a12 +1*a13 +58*a14 +33*a15 +
25*a16 +70*a17 +20*a18 +45*a19 +33*a20+15*a21 +77*a22 +
46*a23 + 8*a24 +5*a25 + 98*a26 +39*a27 +72*a28 +9*a29 +
99*a30 +25*a31==128285)

slover.add(39*a1 + 8*a2 +57*a3 +39*a4 +27*a5 + 98*a6 + 70*a7 +77*a8 +
97*a9 +20*a10 + 5*a11 +2*a12 +62*a13 +88*a14 +42*a15 +
58*a16 +86*a17 +94*a18 +91*a19 + 76*a20 + 46*a21 +32*a22 +
10*a23+75*a24 +99*a25 + 62*a26 + 76*a27 +78*a28 +72*a29 +
50*a30 +50*a31== 173243)

slover.add(52*a1+69*a2 +20*a3+29*a4+ 23*a5 + 30*a6 + 74*a7 +21*a8 +
9*a9 +5*a10 +76*a11 +5*a12 +45*a13+49*a14 +59*a15 +
25*a16 + 98*a17 + 54*a18+80*a19 +19*a20 +51*a21 + 37*a22 +
85*a23+84*a24 +78*a25 +54*a26 +5*a27+21*a28 +97*a29 +
92*a30 +78*a31== 138560)

slover.add(24*a1+70*a2+59*a3 +66*a4+ 7*a5 + 59*a6 + 95*a7 +46*a8 +
28*a9 +21*a10 + 99*a11 + 95*a12 + 61*a13+43*a14 +50*a15 +
3*a16 + 15*a17 +79*a18 + 88*a19 + 51*a20 + 72*a21 +67*a22 +
67*a23 +47*a24 +76*a25+45*a26 +18*a27 +32*a28 +82*a29 +
37*a30 +20*a31 == 148441)

slover.add(76*a1 +10*a2 +22*a3 + 48*a4 + 64*a5 + 22*a6 + 94*a7 +25*a8 +
44*a9 +83*a10 +24*a11 +64*a12 + 58*a13 + 41*a14 + 4*a15+
29*a16 + 96*a17 +78*a18 + 45*a19 + 30*a20 +35*a21 +62*a22 +
81*a23 +54*a24 + 5*a25 +82*a26 + 14*a27 +46*a28 +16*a29 +
18*a30 +69*a31 == 134112)

slover.add(65*a1 +72*a2 +44*a3 +52*a4+ 29*a5 + 17*a6 + 31*a7 + 44*a8 +
58*a9 + 26*a10 + 47*a11 + 82*a12 +47*a13 + 80*a14 +3*a15 +
97*a16+88*a17+9*a18 + 10*a19 + 21*a20 + 79*a21 +27*a22 +
49*a23 +24*a24 +2*a25 +64*a26 + 60*a27 + 45*a28+19*a29 +
97*a30 +76*a31==140899)

slover.add(98*a1+61*a2 +33*a3 +62*a4+ 50*a5 + 7*a6 + 88*a7 +75*a8 +
94*a9 +21*a10 + 37*a11 + 55*a12 + 32*a13 +39*a14 + 42*a15 +
11*a16+48*a17 +87*a18 + 34*a19 + 14*a20 +76*a21 +13*a22 +
39*a23 +27*a24 +62*a25 + 38*a26 + 53*a27 +27*a28 +20*a29 +
67*a30 + 94*a31== 145615)

slover.add(54*a1+23*a2 +33*a3 +16*a4+ 7*a5 +12*a6 + 58*a7 +67*a8 +
88*a9 +84*a10 + 51*a11 + 27*a12 + 96*a13 +9*a14 +73*a15 +
51*a16+27*a17+52*a18 + 96*a19 + 56*a20 + 87*a21 +66*a22 +
49*a23 +74*a24 +28*a25 + 71*a26 + 94*a27 +16*a28 +43*a29 +
33*a30 +57*a31 == 155144)

slover.add(82*a1 + 42*a2 +13*a3 +65*a4 + 17*a5 + 31*a6 + 46*a7 +25*a8 +
62*a9 + 65*a10 +56*a11 + 56*a12+26*a13 +62*a14 +76*a15+
69*a16 + 40*a17 + 31*a18 + 58*a19 +54*a20 +9*a21 +23*a22 +
72*a23 +95*a24 +75*a25 + 74*a26 + 32*a27 +8*a28 +53*a29 +
36*a30 +71*a31 == 144052)

slover.add(75*a1 +5*a2 +53*a3 +71*a4 +9*a5 + 14*a6 +16*a7 + 80*a8 +
41*a9 +70*a10 + 63*a11 + 81*a12 +73*a13 +24*a14 +96*a15 +
61*a16 + 87*a17 +28*a18 + 89*a19 + 43*a20 +46*a21+4*a22 +
59*a23 +91*a24 +10*a25 +1*a26 + 41*a27 + 87*a28 + 99*a29 +
9*a30 +74*a31==154311)

slover.add(81*a1 +69*a2 +66*a3 +57*a4 + 58*a5 + 72*a6 + 8*a7 +61*a8 +
5*a9 +73*a10 +35*a11 +57*a12 +67*a13 +77*a14 +35*a15 +
7*a16 + 91*a17 +83*a18 + 4*a19 + 92*a20 + 39*a21+84*a22 +
47*a23 + 60*a24 +35*a25 + 59*a26 + 74*a27 + 42*a28 +51*a29 +
93*a30+20*a31==164152)

slover.add(34*a1 + 7*a2 +10*a3 +52*a4 +39*a5 + 34*a6 +52*a7 +7*a8 +
73*a9 +34*a10+ 8*a11 +76*a12 +63*a13 +32*a14 +40*a15 +
70*a16 + 7*a17 +38*a18 +32*a19 +92*a20 +97*a21+87*a22 +
57*a23 +74*a24 + 46*a25 +3*a26 + 14*a27 + 84*a28 + 35*a29 +
92*a30 +62*a31==143604)

slover.add(48*a1 + 35*a2 + 21*a3 + 87*a4+ 4*a5 + 65*a6 +70*a7 +69*a8 +
34*a9 +63*a10 + 25*a11 + 23*a12 + 62*a13+72*a14 +75*a15 +
98*a16 + 18*a17 +86*a18+ 19*a19 + 54*a20 +96*a21 +74*a22 +
97*a23 +27*a24 +21*a25 +74*a26 + 74*a27 +90*a28 +33*a29 +
71*a30 + 46*a31== 164871)

slover.add(74*a1 + 49*a2 +85*a3 +69*a4 + 54*a5 + 86*a6 +75*a7 +34*a8 +
30*a9 +42*a10 + 71*a11 + 52*a12 + 35*a13 +22*a14 +91*a15 +
34*a16 +13*a17 +1*a18 + 80*a19 + 48*a20 +32*a21 + 71*a22 +
88*a23+ 68*a24 +22*a25+64*a26 +60*a27 +85*a28 +79*a29 +
52*a30 +22*a31==158482)

slover.add(65*a1 + 99*a2 + 25*a3 +72*a4 + 68*a5 + 66*a6 + 85*a7 + 8*a8 +
24*a9 + 59*a10 +74*a11 + 99*a12 + 82*a13 + 88*a14+17*a15 +
21*a16 +70*a17 +68*a18+ 2*a19 +22*a20 + 69*a21 + 32*a22 +
38*a23 + 27*a24+8*a25+7*a26+19*a27 +36*a28 +32*a29 +
85*a30+40*a31==140834)

slover.add(11*a1 +37*a2 +33*a3+25*a4 + 10*a5 + 12*a6 + 99*a7 +58*a8 +
66*a9 + 94*a10 + 94*a11 + 78*a12 +33*a13 +15*a14 + 92*a15 +
64*a16 + 39*a17 + 23*a18 + 11*a19 +41*a20 +67*a21 +8*a22 +
24*a23 + 4*a24 +40*a25 +92*a26 +54*a27 +37*a28+94*a29 +
71*a30 +25*a31==134191)

slover.add(78*a1 + 57*a2 +74*a3 +90*a4+ 14*a5 + 52*a6 + 7*a7 +12*a8 +
57*a9 +14*a10 + 47*a11 + 20*a12 + 24*a13 + 32*a14 + 61*a15 +
85*a16 +58*a17 +99*a18 + 18*a19 + 52*a20 +31*a21 +77*a22 +
13*a23 +69*a24 +62*a25+85*a26 +46*a27+40*a28+75*a29 +
48*a30 +69*a31==153769)

slover.add(39*a1 +62*a2 +21*a3+75*a4+ 24*a5 + 8*a6 + 12*a7 +66*a8 +
2*a9 +74*a10 + 21*a11 + 40*a12 + 84*a13 +36*a14 +45*a15 +
98*a16 + 95*a17 + 43*a18+ 49*a19 + 27*a20 + 61*a21 +24*a22 +
1*a23 + 90*a24+89*a25 +70*a26 + 45*a27 + 65*a28 +46*a29 +
17*a30 +65*a31== 149992)

slover.add(2*a1 + 97*a2 +59*a3 +95*a4 +21*a5 + 52*a6 + 49*a7 + 30*a8 +
59*a9 +62*a10 + 81*a11 +91*a12 + 56*a13 + 69*a14 + 36*a15 +
12*a16 +92*a17+12*a18 + 58*a19 + 16*a20 +38*a21 +24*a22 +
31*a23+87*a24 +98*a25+ 13*a26 + 83*a27 +33*a28+11*a29 +
89*a30 + 50*a31 == 152681)

slover.add(85*a1 +75*a2 +2*a3 +54*a4+72*a5 + 14*a6 + 76*a7 + 49*a8 +
71*a9 +21*a10 + 52*a11 + 12*a12 + 48*a13+67*a14 +48*a15 +
50*a16 +78*a17 +85*a18 + 59*a19 +86*a20 +43*a21 +9*a22 +
28*a23 + 60*a24 +66*a25+ 35*a26 + 42*a27 +51*a28 +84*a29 +
33*a30 +38*a31== 151583)

slover.add(76*a1 + 64*a2 +28*a3 + 18*a4+ 26*a5 + 12*a6 + 48*a7 +38*a8 +
45*a9 +32*a10 +31*a11 +32*a12 +70*a13 +76*a14 +55*a15 +
32*a16 +66*a17 +10*a18 +92*a19 +32*a20+75*a21 +52*a22 +
89*a23+84*a24+53*a25+25*a26 +14*a27 +86*a28+44*a29 +
25*a30 +27*a31 == 135652)

slover.add(22*a1+73*a2 +60*a3+72*a4+ 85*a5 + 8*a6 + 75*a7 +91*a8 +
90*a9 +93*a10 +40*a11 + 2*a12 +89*a13 +89*a14 +34*a15 +
87*a16 +77*a17 +99*a18 + 71*a19 + 82*a20 +34*a21 + 6*a22 +
10*a23+92*a24 +8*a25 +8*a26 +5*a27 +66*a28 +29*a29 +
77*a30 +72*a31==171031)

slover.add(47*a1 +30*a2+43*a3+62*a4+ 29*a5 + 79*a6 + 4*a7 +92*a8 +
45*a9 +93*a10 +11*a11+41*a12 + 86*a13 + 51*a14 +15*a15 +
25*a16+4*a17 + 38*a18 +59*a19 +67*a20+57*a21 + 28*a22 +
36*a23 + 97*a24 +69*a25 + 5*a26 + 71*a27 + 95*a28 +39*a29 +
7*a30 +12*a31==144653)

slover.add(96*a1 + 45*a2 + 36*a3 +83*a4 + 61*a5 + 3*a6 + 44*a7 +20*a8 +
70*a9 +93*a10 + 23*a11 +83*a12 + 19*a13 + 77*a14 + 54*a15 +
64*a16 + 41*a17 +76*a18 + 60*a19 + 92*a20 +44*a21 +63*a22 +
42*a23+84*a24+26*a25+ 68*a26 + 74*a27 +58*a28 +32*a29 +
50*a30 +81*a31==171959)

slover.add(64*a1 + 56*a2 +43*a3 +39*a4+ 85*a5 + 16*a6 +67*a7 +86*a8 +
22*a9 +16*a10 + 40*a11 +68*a12 +97*a13 + 6*a14 +37*a15 +
20*a16 + 5*a17 +3*a18 + 82*a19 + 73*a20 +21*a21+97*a22 +
95*a23+96*a24 +6*a25 +62*a26+95*a27+45*a28+55*a29 +
8*a30 +51*a31==151173)

slover.add(17*a1 +49*a2 +16*a3 +59*a4 +1*a5 + 66*a6 + 82*a7 + 58*a8 +
91*a9+8*a10+44*a11 +13*a12 +88*a13 +98*a14 +44*a15 +
41*a16 + 27*a17 +68*a18 +2*a19 +33*a20 +99*a21 +37*a22 +
92*a23+ 94*a24 + 43*a25 +16*a26 + 86*a27 + 96*a28 + 36*a29 +
89*a30+23*a31==151468)

slover.add(23*a1 + 40*a2 + 5*a3 +76*a4 +15*a5 + 39*a6 + 5*a7 + 69*a8 +
48*a9+3*a10+99*a11 + 14*a12 +66*a13 + 97*a14 +66*a15 +
90*a16 + 17*a17 + 41*a18 + 73*a19 + 45*a20 +45*a21 +36*a22 +
81*a23+74*a24 +53*a25 +29*a26 + 93*a27 + 25*a28 +35*a29 +
34*a30+8*a31==135144)

slover.add(6*a1 + 78*a2 +51*a3 +74*a4+1*a5 + 25*a6 + 41*a7 +99*a8 +
52*a9+74*a10 +30*a11 + 97*a12 +63*a13 +2*a14 +25*a15 +
76*a16 + 56*a17 + 35*a18 +28*a19 + 34*a20 + 40*a21 +18*a22 +
65*a23 + 67*a24 + 43*a25 + 78*a26 +6*a27 +54*a28 +38*a29 +
45*a30+81*a31==146290)

slover.add(58*a1 + 47*a2 +72*a3 +43*a4 + 99*a5 + 36*a6 + 89*a7 +31*a8 +
61*a9 + 66*a10 +59*a11 +74*a12 +32*a13 +2*a14 +39*a15 +
73*a16 +86*a17 + 63*a18 + 18*a19 +92*a20 + 44*a21 +67*a22 +
37*a23 +66*a24 +25*a25 + 32*a26 +59*a27 +31*a28+11*a29 +
41*a30 + 65*a31 == 157439)

slover.add(79*a1+18*a2+22*a3+73*a4+ 21*a5 + 76*a6 + 5*a7 +27*a8 +
36*a9 +22*a10 + 90*a11 +23*a12 +20*a13 +88*a14 +77*a15 +
18*a16 + 10*a17 +14*a18 + 80*a19 + 1*a20 + 96*a21 +97*a22 +
41*a23 +90*a24 +53*a25 + 20*a26 +41*a27 +2*a28 +87*a29 +
8*a30 +40*a31==127198)

slover.add(94*a1 +70*a2 +72*a3 +93*a4 +17*a5 +56*a6 + 53*a7 +78*a8 +
72*a9 + 49*a10 +86*a11 +62*a12 + 41*a13 + 85*a14 +69*a15 +
71*a16+20*a17 + 34*a18 + 24*a19 + 24*a20 + 14*a21 +86*a22 +
54*a23 +13*a24 +41*a25 +68*a26 + 31*a27 +50*a28 +23*a29 +
94*a30 +72*a31== 162137)

slover.add(34*a1 + 95*a2 +66*a3 +79*a4 + 91*a5 + 35*a6 + 8*a7 +16*a8 +
95*a9 + 95*a10 + 40*a11 + 68*a12 + 13*a13 + 54*a14+80*a15 +
98*a16 +15*a17 + 39*a18+ 41*a19 + 79*a20 +34*a21 +54*a22 +
92*a23+17*a24 +97*a25 + 76*a26 +49*a27 +95*a28 +6*a29 +
83*a30 +79*a31==180077)

slover.add(74*a1 + 42*a2 +45*a3 +72*a4 +6*a5 + 3*a6 +59*a7 +47*a8 +
57*a9 +62*a10+85*a11 +6*a12 +72*a13+25*a14 +78*a15 +
27*a16 + 6*a17 +27*a18+61*a19 +88*a20 +60*a21+89*a22 +
53*a23 +76*a24 +97*a25 +56*a26 + 52*a27 +26*a28 + 5*a29 +
7*a30 +35*a31==142239)

slover.add(53*a1 + 30*a2 +63*a3 + 88*a4 + 54*a5 + 99*a6 +40*a7 +85*a8 +
42*a9+ 35*a10 +99*a11 +88*a12 +55*a13 + 8*a14 +24*a15 +
91*a16 +55*a17 +23*a18+53*a19 +68*a20+76*a21 +49*a22 +
32*a23 +80*a24 +81*a25+95*a26 +21*a27 +73*a28 +83*a29 +
46*a30 +44*a31==179115)

slover.add(55*a1+43*a2 +39*a3 +27*a4+ 19*a5 + 41*a6 + 7*a7 + 70*a8 +
54*a9 +53*a10 + 38*a11 + 72*a12 + 50*a13+1*a14 +15*a15 +
89*a16+79*a17+17*a18 + 32*a19 + 58*a20 +64*a21 +68*a22 +
12*a23+92*a24 +53*a25 +33*a26 + 54*a27 + 67*a28 +34*a29 +
25*a30 +37*a31==140482)

slover.add(23*a1 + 39*a2 + 6*a3 +84*a4 +81*a5+4*a6+47*a7+8*a8+
1*a9 +46*a10 +7*a11 + 85*a12 + 60*a13 +26*a14 +57*a15 +
24*a16 + 60*a17 + 70*a18 + 42*a19 + 97*a20 +25*a21 +88*a22 +
64*a23 +1*a24 +58*a25 +25*a26 +93*a27 +8*a28+16*a29 +
85*a30 +19*a31==130498)

slover.add(9*a1 +88*a2 +7*a3 +54*a4 +77*a5 + 34*a6 + 58*a7 +43*a8 +
17*a9 +93*a10+15*a11 +84*a12 +65*a13 +64*a14 + 34*a15 +
55*a16 + 89*a17 + 61*a18 +64*a19 + 31*a20 + 33*a21 +29*a22 +
52*a23 + 79*a24 +83*a25 +78*a26 +9*a27 +96*a28+52*a29 +
30*a30+14*a31== 153195)

slover.add(15*a1 + 84*a2 +36*a3+24*a4+ 97*a5 + 67*a6 +14*a7 +66*a8 +
22*a9 +4*a10 +90*a11 +96*a12 +3*a13 + 50*a14 +47*a15 +
7*a16 + 67*a17 +33*a18 + 5*a19 + 52*a20 + 56*a21 +55*a22 +
3*a23 +69*a24 +73*a25 +65*a26 +56*a27 +91*a28+98*a29 +
52*a30 +90*a31== 154967)

slover.add(14*a1+27*a2 +99*a3 +64*a4+ 19*a5 + 37*a6 +63*a7 +26*a8 +
51*a9 +52*a10 + 44*a11 + 8*a12 + 15*a13+29*a14 +36*a15 +
26*a16 +94*a17 +85*a18 +40*a19+2*a20+75*a21 + 10*a22 +
47*a23 +77*a24 +55*a25+77*a26 +88*a27 +12*a28 +36*a29 +
59*a30 +33*a31==131294)

slover.add(17*a1 + 93*a2 + 64*a3 + 86*a4 +59*a5 + 6*a6 + 73*a7 + 60*a8 +
7*a9 +83*a10+61*a11 +37*a12 +27*a13 +84*a14 +89*a15 +
65*a16 + 17*a17 + 47*a18 +60*a19 + 32*a20 + 37*a21 + 62*a22 +
64*a23 +94*a24 +75*a25 + 8*a26 +61*a27 +73*a28+17*a29 +
36*a30+81*a31==159522)

slover.add(76*a1+94*a2 +26*a3+86*a4+ 73*a5 + 31*a6 + 60*a7 +42*a8 +
26*a9 +23*a10 +30*a11 +78*a12 +29*a13 +86*a14 +71*a15 +
87*a16 +30*a17 +88*a18+65*a19+47*a20+28*a21 +17*a22 +
42*a23+17*a24 + 42*a25+81*a26 +41*a27 +82*a28 +48*a29 +
67*a30 + 90*a31 == 165913)


if slover.check() == sat:

    model = slover.model()

    print(model)
else:
    print("No solution found.")

#102 108 97 103 123 108 48 110 103 95 49 105 118 51 95 116 72 101 95 108 105 84 52 110 103 95 107 105 78 103 125
#flag{l0ng_1iv3_tHe_liT4ng_kiNg}

Web

一.ezphp

GET：
?a[]=1&b[]=0&O+U+C=100%0a&md5=ouc
POST：
md51[]=1&md52[]=0
Cookie：
md5=06d92f344c7d8c89cb164353ca0fa070

这道题我是傻波一，第二个想半天，最后还以为是哈希扩展攻击，结果是白给

二.菜狗工具#1

题目骂我，我是菜狗:cry:，没啥好说的

@Welcome

填个问卷吧！

我们就爱这种题

签到

也爱！！！