\u627e\u5230\u811a\u672c\u6587\u4ef6\u5148\u70b9\u8fdbflag.gdc\u67e5\u770b\uff0c\u5f88\u6e05\u6670\u7684AES\u52a0\u5bc6\uff0c\u4f46\u9898\u76ee\u4e0d\u4f1a\u8fd9\u4e48\u7b80\u5355\uff0c\u540c\u65f6\u63d0\u793a\u8bf4\u8981\u5403\u6389\u6240\u6709\u91d1\u5e01\u624d\u53ef\u4ee5\u9a8c\u8bc1flag\uff0c\u90a3\u6211\u4eec\u7ee7\u7eed\u67e5\u770bcoin.gdc\u770b\u770b\u91d1\u5e01\u5e72\u4e86\u5565<\/p>\n\n\n\n \u5f88\u660e\u663e\u8c03\u7528\u4e86game_manager\u6765\u89e6\u53d1\u52a0\u5206\u673a\u5236\uff0c\u6b64\u65f6\u518d\u53bb\u770bgame_manager.gdc<\/p>\n\n\n\n \u5f88\u6e05\u6670\uff0c1\u5206\u7684\u65f6\u5019\u628aflag\u51fd\u6570\u4e2d\u7684key\u4e2dA\u6539\u6210B\uff0c\u89e3AES\u5f97\u5230flag<\/p>\n\n\n\n \u4e00\u9053\u5f88\u7eaf\u7684web\u9006\u5411\u9898\uff0c\u6253\u5f00html\u6587\u4ef6\u627e\u8c03\u7528\u5173\u7cfb\uff0c\u53d1\u73b0\u5728\u68c0\u6d4b\u7aef\u662f\u5c06data\u5e8f\u5217\u5316\u4e4b\u540e\uff0c\u901a\u8fc7MD5\u52a0\u5bc6\uff0c\u5e76\u4e14\u68c0\u9a8c\u524d16\u5b57\u8282\u662f\u5426\u4e00\u81f4\u6765\u5224\u65ad\u662f\u5426\u6b63\u786e\uff0c\u90a3\u73b0\u5728\u95ee\u9898\u5c31\u662f\u627edata\u662f\u5565\u4e86<\/p>\n\n\n\n \u4e4b\u524d\u4ece\u6ca1\u505a\u8fc7web\u9006\u5411\uff0c\u4ed4\u7ec6\u4e86\u89e3\u4e86\u4e00\u4e0bwasm\u6c47\u7f16\u53d1\u73b0js\u4f1a\u5411\u5176\u4e2dimport\u4f20\u5165\u6570\u636e\u540c\u65f6\u8981\u901a\u8fc7export\u4f20\u51fa\u6570\u636e\u56de\u5230js\u624d\u53ef\u4ee5\u5b8c\u6210\u8c03\u7528\u94fe\uff0c\u6b64\u65f6\u968f\u4fbf\u8f93\u5165\u8d26\u53f7\u5bc6\u7801\u5c31\u53ef\u67e5\u770brelease.js\u51fd\u6570\u7684\u5173\u952e\u4f20\u5165\u4f20\u51fa\u51fd\u6570\uff0c\u53ef\u4ee5\u6e05\u6670\u7684\u770b\u5230\u4f20\u5165\u51fd\u6570\u4f20\u5165data.now\u51fd\u6570\u5373\u9898\u76ee\u8bf4\u5230\u7684\u65f6\u95f4\u6233<\/p>\n\n\n\n \u901a\u8fc7\u8f6f\u4ef6ghidra\uff08\u9700\u4e0b\u8f7d\u63d2\u4ef6ghidra_wasm\uff09\u53ef\u4ee5\u76f4\u63a5\u5c06web\u6c47\u7f16\u8f6c\u4e3a\u53ef\u9605\u8bfb\u6587\u672c\uff0c\u6b64\u65f6\u53ef\u4ee5\u627e\u5230\u6211\u4eec\u524d\u9762\u63d0\u5230\u52a0\u5bc6data\u7684authenticate\u51fd\u6570\uff0c\u53d1\u73b0\u771f\u6b63\u903b\u8f91\u85cf\u5728function_34\u4e2d\uff0c\u70b9\u8fdb\u51fd\u6570\u67e5\u770b<\/p>\n\n\n\n \u7ed3\u6784\u4e00\u76ee\u4e86\u7136\u4e86\uff0c31-47\u884c\u5bf9\u5bc6\u7801\u8fdb\u884cbase64\u5904\u7406\u4e4b\u540e\u5f15\u5165\u65f6\u95f4\u6233\u5e76\u8f6c\u6362\u6210\u5b57\u7b26\u4e32\u4e4b\u540e\u5bf9massage\u8fdb\u884c\u5904\u7406\uff0c\u5904\u7406\u7ed3\u679c\u4e3a\uff1amessage = {\"username\":\u2026, \"password\": encodedPassword}\u7136\u540e\u4e0b\u9762\u662f\u52a0\u5bc6\u70b9\uff0c\u8fdb\u884cSHA256\u52a0\u5bc6\u5e76\u5b58\u5728signature\uff0c \u90a3\u73b0\u5728\u5c31\u662f\u627e\u5230\"username\" \"password\"\u5e76\u5bf9\u65f6\u95f4\u6233\u8fdb\u884c\u7206\u7834\uff08\u9898\u76ee\u4e2d\u7ed9\u51fa\u65f6\u95f4\u4e3a2025.12.21\u4e4b\u540e\u4e00\u5468\uff09\u8d26\u53f7\u5bc6\u7801\u5c31\u5728271\u884c\u7684\u5907\u6ce8\u91cc\uff08\u4e00\u5f00\u59cb\u6ca1\u6ce8\u610f\u80fd\u85cf\u8fd9<\/p>\n\n\n\n \u4e00\u5207\u90fd\u9f50\u5907\u4e86\u76f4\u63a5\u5199\u811a\u672c\u7206\u7834\u5373\u53ef\uff0c\u8fd9\u8fb9\u6211\u5199\u7684<\/p>\n\n\n\n \u4f9d\u65e7web\u9006\u5411\uff0c\u8fd9\u6b21\u662f\u6d41\u91cf\u9006\u5411\uff0cwireshark\u67e5\u770b\u6d41\u91cf\u5305\u5185\u5bb9\uff0c\u53d1\u73b0\u5168\u662fTCP\u53ef\u9760\u4f20\u8f93\u6570\u636e\uff0c\u540c\u65f6\u9898\u76ee\u4e2d\u544a\u8bc9\u6211\u4eeckworker\u5411192.168.8.160:13337\u53d1\u8d77\u5efa\u7acb\u8fde\u63a5\u8bf7\u6c42\uff0c\u6240\u4ee5kworker\u4e3a\u5ba2\u6237\u7aef\/\u6728\u9a6c\u7c7b\u578b\uff0c\u6240\u4ee5\u672c\u4f53\u4e3b\u8981\u8fd8\u662f\u5f97\u770b\u6d41\u91cf\u5230\u5e95\u8bf4\u4e86\u4e9b\u5565\u518d\u53bb\u9006\u5411kworker\uff0c\u56e0\u6b64\u4ece\u6d41\u91cf\u6293\u8d77\u3002<\/p>\n\n\n\n \u901a\u8fc7\u9605\u8bfb\u6d41\u91cf\u53d1\u73b0\u662f\u5ba2\u6237\u673a\u5411\u670d\u52a1\u5668\u53d1\u9001\u4e00\u7cfb\u5217\u957f\u5ea6\u572864\u5b57\u8282\u5de6\u53f3\u7684\u6570\u636e\uff0c\u5e76\u4e14\u6570\u636e\u683c\u5f0f\u76f8\u5f53\u56fa\u5b9a\uff0c\u524d8\u4f4d\u4e3a\u9b54\u6570\uff0c\u540e\u9762\u7d27\u8ddf\u4e00\u4e2alen\u6765\u8868\u793a\u6700\u540e\u7d27\u8ddf\u7684\u6821\u9a8c\u4f4d\u7684\u957f\u5ea6\uff0c\u7136\u540e\u7d27\u8ddf\u5bc6\u6587\u5185\u5bb9\uff0c\u5bc6\u6587\u540e\u5c31\u662f\u6821\u9a8c\u4f4d\uff0c\u5982\u4e0b\u5982\u6240\u793a\u8be6\u7ec6\u89e3\u91ca<\/p>\n\n\n\n \u5ba2\u6237\u673a\u53d1\u7684\u7b2c\u4e00\u6bb5\u6570\u636e\u4e2d\u53ef\u4ee5\u770b\u5230\uff0cTCP\u534f\u8bae\u89c4\u5b9a\u524d8\u4f4d\u4e3aET3RNUMX\u4e3a\u56fa\u5b9a\u9b54\u6570\uff0c\u540e\u9762\u8ddf\u76840X34=52\u8868\u793apayload\u670952\u5b57\u8282\u957f\uff0c\u521a\u597d\u4e0e\u540e\u9762\u5185\u5bb9\u543b\u5408\u4fe1\u606f\u5185\u5bb9\u786e\u5b9a\uff0c\u73b0\u5728\u9700\u8981\u770bkworker\u5230\u5e95\u7ed9\u670d\u52a1\u7aef\u53d1\u4e86\u4ec0\u4e48<\/p>\n\n\n\n \u7b2c\u4e00\u4e2a\u601d\u8def\uff0c\u770bIDA\u4e2d\u5b57\u7b26\u627e\u5230\u5173\u952e\u70b9\uff08\u6bd4\u8d5b\u65f6\u7528\u7684\uff09\uff0c\u53d1\u73b0\u5728\u5b57\u7b26\u4e32\u4e2d\u627e\u5230\u8fd9\u4e48\u4e00\u884c\u6587\u672c<\/p>\n\n\n\n \u9898\u76ee\u4e2d\u8bf4\u7684\u662fAES-GCM\u52a0\u5bc6\uff0c\u6839\u636eAES-GCM\u7684\u7279\u70b9\uff0c\u5bc6\u6587\u7ec4\u6210\u4e3a12 nonce +\u5bc6\u6587+ 16 tag\uff0c\u5176\u4e2dtag\u4f4d\u4e3a\u6821\u9a8c\u4f4d\uff0c\u6211\u4eec\u6b63\u597d\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u70b9\uff0c\u5c06\u539f\u6587\u672c\u8f6c\u4e3a\u4e8c\u8fdb\u5236\u6587\u4ef6\u5bf9key\u8fdb\u884c\u7206\u7834\uff0c\u7206\u7834\u6210\u529f\u4e0e\u5426\u53ea\u9700\u8981\u5728\u624b\u52a8\u505a\u4e00\u6b21\u4e0etag\u7684\u6821\u9a8c\u5373\u53ef\uff0c\u7531\u4e8e16\u4f4d\u7684\u957f\u5ea6\u8db3\u591f\uff0c\u7406\u8bba\u4e0a\u53ea\u8981tag\u76f8\u540c\u5c31\u53ef\u4ee5\u786e\u5b9a\u7206\u7834\u7684key\u6210\u529f\u4e86\uff0c\u8fd9\u65f6\u53ef\u4ee5\u76f4\u63a5\u7206\u7834\u4e86<\/p>\n\n\n\n \u5148\u6302\u8d77\u4e00\u4e2a\u8ddf\u9898\u76ee\u6761\u4ef6\u4e00\u6837\u7684\u670d\u52a1\uff0c\u65b9\u4fbf\u540e\u7eedkworker\u53bb\u8fde\u63a5<\/p>\n\n\n\n \u542f\u52a8kworker\u53bb\u8fde\u63a5\u8fd9\u4e2a\u670d\u52a1\uff0c\u4e5f\u5c31\u662f\u901a\u8fc7\u8fd9\u4e2a\u670d\u52a1\u6211\u4eec\u53ef\u4ee5\u5728\u5185\u5b58\u4e2d\u627e\u5230kworker\u8fd0\u884c\u65f6\u6d3e\u751f\u51fa\u7684key\uff0c\u5c06\u6240\u6709\u4fe1\u606f\u4ee5\u4e8c\u8fdb\u5236\u5f62\u5f0f\u6253\u5370\u51fa\u6765\u5b58\u5230memdump_all.bin\u4e2d\uff0c\u8fd0\u884c\u811a\u672c\u7206\u7834\u51fakey\uff0c\u6709\u4e86key\u6211\u4eec\u5c31\u53ef\u4ee5\u5f97\u5230flag\u4e86<\/p>\n\n\n\n \u9898\u76ee\u4e2d\u5df2\u7ecf\u544a\u8bc9\u6211\u4eec\u79c1\u94a5\u662fsha512(b\"Welcome to this challenge!\").digest()\uff0c\u90a3\u76f4\u63a5\u5199\u811a\u672c\u51fa\u5c31\u884c\u4e86\uff0c\u6211\u8fd9\u8fb9\u6bcf\u8c03\u7528ecdsa\u5e93\uff0c\u8c03\u7528\u5e93\u51fd\u6570\u53ef\u4ee5\u66f4\u7b80\u5355\u4e00\u4e9b<\/p>\n\n\n\n \u672c\u6765\u4ee5\u4e3a\u662f\u9006\u5411\u9898\uff0c\u7ed3\u679c\u653e\u5230ida\u91cc\u52a8\u8c03\u76f4\u63a5\u8dd1\u6b7b\u4e86\uff0c\u8bfb\u4e86\u4e00\u4e0b\u4ee3\u7801\u53d1\u73b0\u662f\u6590\u6ce2\u90a3\u5951\u6570\u5217\uff0c\u540c\u65f6\u9898\u76ee\u7ed9\u4e0a\u4e86\u4e00\u4e2asleep\u51fd\u6570\uff0c\u7b2c\u4e00\u79cd\u65b9\u6cd5\u76f4\u63a5\u4fee\u6539\u6e90\u6587\u4ef6\uff0c\u53ef\u4ee5\u5728\u539f\u8ba1\u6570\u5668\u4e0a\u52a0\u4e0a\u4e00\u4e2amod24\uff08\u56e0\u4e3a\u6590\u6ce2\u90a3\u5951\u6570\u5217mod16\u7684\u5468\u671f\u4e3a24\uff09\uff0c\u4e5f\u53ef\u4ee5\u5199\u811a\u672c\uff08\u66f4\u7b80\u5355\u4e00\u70b9\uff09<\/p>\n\n\n\n flag{10632674-1d219-09f29-147a2-760632674}<\/p>\n\n\n\n \u8fd9\u4e2arsa\u8fd8\u86ee\u6709\u8da3\u7684\uff0c\u9898\u76ee\u4e2d\u7ed9\u51fa\u4e86\u4e24\u4e2an\u7684\u6c42\u503c\uff0c\u5206\u522b\u4e3an=p*q*r*s;n1=p1*q1*r1*s1\u3002\u672c\u4f53\u7a81\u7834\u53e3\u5728\u4e8e\u7ed9\u51fa\u7684\u5e73\u6ed1\u51fd\u6570\u4e2d\uff0c\u8bfb\u9898\u662f\u505a\u4e86\u76f8\u5173\u7b14\u8bb0\u5982\u4e0b\uff0c\u7531\u4e8e\u6c42n\u7684\u76f8\u5173\u7cfb\u6570\u51cf1\u90fd\u4f1a\u53d8\u4e3a\u5408\u6570\uff0c\u800c\u4e14\u5408\u6570\u7684\u76f8\u5173\u7cfb\u6570\u662fp-1=p1*\uff082^1-2^20\uff09\u6240\u6784\u6210\u7684\u4e00\u7cfb\u5217\u6570\uff0c\u56e0\u6b64\u53ef\u4ee5\u5229\u7528 reverse babygame \u9898\u76ee\u4e3agodot\u7f16\u5199\u76842D\u6e38\u620f\uff0c\u7528\u4e13\u95e8\u8f6f\u4ef6dgre\u8fdb\u884c\u53cd\u7f16\u8bd1 \u8f6f\u4ef6\u94fe\u63a5\uff1agdsdecomp:Go …<\/p>\n","protected":false},"author":1,"featured_media":32,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-31","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/posts\/31","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/comments?post=31"}],"version-history":[{"count":14,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/posts\/31\/revisions"}],"predecessor-version":[{"id":71,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/posts\/31\/revisions\/71"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/media\/32"}],"wp:attachment":[{"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/media?parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/categories?post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sherlock666.cn\/index.php\/wp-json\/wp\/v2\/tags?post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2025\/12\/1767161446-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2025\/12\/1767161710-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2025\/12\/1767161803-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2025\/12\/1767161881-image-1024x667.png\")
<\/figure>\n\n\n\nwasm-login<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2025\/12\/1767163866-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767254890-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767255569-image.png\")
<\/figure>\n\n\n\nsignature = HMAC-SHA256( message, timestamp(\u53c2\u4e0e\u8ba1\u7b97) )<\/code> \u5e76\u8f6c\u6210\u53ef\u6253\u5370\u5b57\u7b26\u4e32\uff0c\u6700\u540e\u8fd4\u56definal = {\"username\":..., \"password\":..., \"signature\":...}<\/code> <\/p>\n\n\n\nundefined4 unnamed_function_34(undefined4 param1,undefined **param2)\n\n{\n undefined4 uVar1;\n undefined **ppuVar2;\n undefined4 uVar3;\n int iVar4;\n double dVar5;\n int param2_00;\n undefined **local_4c;\n undefined4 local_48;\n undefined **local_44;\n undefined **local_40;\n undefined8 local_3c;\n undefined **local_34;\n undefined **local_30;\n undefined **local_2c;\n undefined4 local_28;\n undefined **local_24;\n undefined4 local_20;\n undefined4 local_1c;\n undefined **local_18;\n undefined4 local_14;\n undefined4 local_10;\n undefined4 local_c;\n undefined4 local_8;\n \n iVar4 = 0;\n param2_00 = 0;\n if ((0x12ef < (int)&local_30) &&\n (memory_fill(0,0x30,0,&local_30), local_2c = param2, 0x12ef < (int)&local_3c)) {\n local_34 = (undefined **)0x0;\n local_3c = ZEXT48(param2);\n local_30 = (undefined **)unnamed_function_24((uint)param2[-1] >> 1);\n local_3c = ZEXT48(local_30) << 0x20;\n while( true ) {\n local_3c = CONCAT44(local_3c._4_4_,param2);\n if ((int)((uint)param2[-1] >> 1) <= iVar4) break;\n local_3c = CONCAT44(local_3c._4_4_,local_30);\n local_34 = param2;\n uVar1 = unnamed_function_25(param2,iVar4);\n unnamed_function_26(local_30,iVar4,uVar1);\n iVar4 = iVar4 + 1;\n }\n uVar1 = unnamed_function_29(local_30);\n local_28 = uVar1;\n dVar5 = import::env::Date.now();\n ppuVar2 = (undefined **)unnamed_function_36((longlong)dVar5);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001150;\n DAT_ram_00001154 = param1;\n local_2c = (undefined **)param1;\n local_24 = ppuVar2;\n local_20 = param1;\n local_1c = uVar1;\n unnamed_function_14(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001150,param1,1);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001150;\n DAT_ram_0000115c = uVar1;\n local_2c = (undefined **)uVar1;\n unnamed_function_14(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001150,uVar1,1);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001150;\n local_2c = (undefined **)&DAT_ram_00000900;\n local_4c = (undefined **)unnamed_function_31(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001150);\n local_30 = local_4c;\n local_2c = ppuVar2;\n local_18 = local_4c;\n if (0x12ef < (int)&local_4c) {\n memory_fill(0,0x1c,0,&local_4c);\n global_38 = 1;\n uVar3 = unnamed_function_32(local_4c);\n global_38 = 1;\n local_4c = ppuVar2;\n local_48 = uVar3;\n local_4c = (undefined **)unnamed_function_32(ppuVar2);\n local_44 = local_4c;\n local_40 = (undefined **)uVar3;\n iVar4 = unnamed_function_33(local_4c,uVar3);\n local_3c = CONCAT44(iVar4,iVar4);\n local_40 = (undefined **)iVar4;\n ppuVar2 = (undefined **)unnamed_function_24(*(undefined4 *)(iVar4 + -4));\n local_34 = ppuVar2;\n for (; param2_00 < *(int *)(iVar4 + -4); param2_00 = param2_00 + 1) {\n local_40 = ppuVar2;\n unnamed_function_26(ppuVar2,param2_00,(uint)*(byte *)(iVar4 + param2_00));\n }\n local_4c = ppuVar2;\n local_40 = (undefined **)iVar4;\n uVar3 = unnamed_function_29(ppuVar2);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001230;\n DAT_ram_00001234 = param1;\n local_2c = (undefined **)param1;\n local_14 = uVar3;\n local_10 = param1;\n local_c = uVar1;\n local_8 = uVar3;\n unnamed_function_14(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001230,param1,1);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001230;\n DAT_ram_0000123c = uVar1;\n local_2c = (undefined **)uVar1;\n unnamed_function_14(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001230,uVar1,1);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001230;\n DAT_ram_00001244 = uVar3;\n local_2c = (undefined **)uVar3;\n unnamed_function_14(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001230,uVar3,1);\n local_30 = &PTR_u_{\"username\":\"_ram_000010d0_ram_00001230;\n local_2c = (undefined **)&DAT_ram_00000900;\n uVar1 = unnamed_function_31(&PTR_u_{\"username\":\"_ram_000010d0_ram_00001230);\n return uVar1;\n }\n }\n import::env::abort(&DAT_ram_00009310,&DAT_ram_00009340,1,1);\n do {\n halt_trap();\n } while( true );\n}<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767256915-image.png\")
<\/figure>\n\n\n\nimport crypto from \"node:crypto\";\nconst PREFIX = \"ccaf33e3512e31f3\";\nconst md5hex = (s) => crypto.createHash(\"md5\").update(s, \"utf8\").digest(\"hex\");\nconst wallNow = Date.now.bind(Date);\nlet NOW = 0;\nconst realNow = Date.now;\nDate.now = () => NOW;\nconst { authenticate } = await import(\".\/build\/release.js\");\nconst start = new Date(\"2025-12-22T00:00:00.000+08:00\").getTime();\nconst end = new Date(\"2025-12-22T06:00:00.000+08:00\").getTime();\nlet lastPrint = wallNow();\nlet iter = 0;\nfor (NOW = start; NOW <= end; NOW++) { \/\/ 1ms step\n const authResult = authenticate(\"admin\", \"admin\"); \n const check = md5hex(authResult); \nMD5(JSON.stringify(parsed))\n if (check.startsWith(PREFIX)) {\n Date.now = realNow;\n const ts = NOW;\n const dtCN = new Date(ts).toLocaleString(\"zh-CN\", { timeZone: \"Asia\/Shanghai\", hour12: false });\n console.log(\"FOUND\");\n console.log(\"timestamp(ms):\", ts);\n console.log(\"time(UTC+8):\", dtCN);\n console.log(\"check:\", check);\n console.log(`flag{${check}}`);\n process.exit(0);\n }\n iter++;\n const t = wallNow();\n if (t - lastPrint >= 1000) {\n const pct = ((NOW - start) \/ (end - start)) * 100;\n const rate = Math.floor(iter \/ ((t - lastPrint) \/ 1000));\n console.log(`progress: ${pct.toFixed(2)}% | rate: ~${rate}\/s`);\n iter = 0;\n lastPrint = t;\n }\n}\nDate.now = realNow;\nconsole.log(\"NOT FOUND in range.\");\nprocess.exit(1);\nflag{ccaf33e3512e31f36228f0b97ccbc8f1}<\/code><\/pre>\n\n\n\neternum<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767338238-image-1024x881.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767338393-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767341825-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767342897-image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767343027-image.png\")
<\/figure>\n\n\n\nimport struct, socket\nfrom cryptography.hazmat.primitives.ciphers.aead import AESGCM\nPCAP = \"tcp.pcap\"\nMEM = \"memdump_all.bin\"\nMAG = b\"ET3RNUMX\"\ndef parse_frames(pcap_path):\n b = open(pcap_path, \"rb\").read()\n if b[:4] == b\"\\xd4\\xc3\\xb2\\xa1\":\n endian = \"<\"\n elif b[:4] == b\"\\xa1\\xb2\\xc3\\xd4\":\n endian = \">\"\n else:\n raise ValueError(\"unknown pcap magic\")\n off = 24\n frames = []\n while off + 16 <= len(b):\n ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + \"IIII\", b, off)\n off += 16\n pkt = b[off:off+incl_len]\n off += incl_len\n if len(pkt) < 14:\n continue\n eth_type = struct.unpack_from(\"!H\", pkt, 12)[0]\n if eth_type != 0x0800:\n continue\n ip = pkt[14:]\n if len(ip) < 20 or ip[9] != 6:\n continue\n ihl = (ip[0] & 0x0F) * 4\n src = socket.inet_ntoa(ip[12:16])\n dst = socket.inet_ntoa(ip[16:20])\n totlen = struct.unpack_from(\"!H\", ip, 2)[0]\n tcp = ip[ihl:totlen]\n if len(tcp) < 20:\n continue\n sport, dport = struct.unpack_from(\"!HH\", tcp, 0)\n off_flags = struct.unpack_from(\"!H\", tcp, 12)[0]\n doff = ((off_flags >> 12) & 0xF) * 4\n payload = tcp[doff:]\n if not payload.startswith(MAG) or len(payload) < 12:\n continue\n ln = struct.unpack(\">I\", payload[8:12])[0]\n blob = payload[12:12+ln]\n frames.append((src, sport, dst, dport, blob))\n return frames\ndef try_key(key, blobs):\n try:\n aes = AESGCM(key)\n for blob in blobs:\n aes.decrypt(blob[:12], blob[12:], None)\n return True\n except Exception:\n return False\ndef main():\n frames = parse_frames(PCAP)\n server = [f for f in frames if f[1] == 13337] # sport==13337\n blobs_check = [server[0][4], server[1][4]]\n mem = open(MEM, \"rb\").read()\n step = 8\n for off in range(0, len(mem) - 32 + 1, step):\n k = mem[off:off+32]\n if try_key(k, blobs_check):\n print(\"[+] FOUND KEY (raw 32 bytes):\", k)\n try:\n print(\"[+] as ascii:\", k.decode())\n except Exception:\n pass\n return\nif __name__ == \"__main__\":\n main()\n<\/code><\/pre>\n\n\n\nimport re, struct, socket, base64\nfrom cryptography.hazmat.primitives.ciphers.aead import AESGCM\nPCAP = r\"tcp.pcap\"\nMAG = b\"ET3RNUMX\"\nKEY = b\"xfqGcVjrOWp5tUGCPFQq448nPDjILTe7\"\ndef parse_frames(pcap_bytes: bytes):\n if pcap_bytes[:4] == b\"\\xd4\\xc3\\xb2\\xa1\":\n endian = \"<\"\n elif pcap_bytes[:4] == b\"\\xa1\\xb2\\xc3\\xd4\":\n endian = \">\"\n else:\n raise ValueError(\"unknown pcap magic\")\n off = 24\n out = []\n while off + 16 <= len(pcap_bytes):\n ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + \"IIII\", pcap_bytes, off)\n off += 16\n pkt = pcap_bytes[off:off+incl_len]\n off += incl_len\n if len(pkt) < 14:\n continue\n if struct.unpack_from(\"!H\", pkt, 12)[0] != 0x0800:\n continue\n ip = pkt[14:]\n if len(ip) < 20 or ip[9] != 6:\n continue\n ihl = (ip[0] & 0x0F) * 4\n totlen = struct.unpack_from(\"!H\", ip, 2)[0]\n tcp = ip[ihl:totlen]\n if len(tcp) < 20:\n continue\n doff = ((struct.unpack_from(\"!H\", tcp, 12)[0] >> 12) & 0xF) * 4\n payload = tcp[doff:]\n if not payload.startswith(MAG) or len(payload) < 12:\n continue\n ln = struct.unpack(\">I\", payload[8:12])[0]\n blob = payload[12:12+ln]\n out.append(blob)\n return out\ndef main():\n frames = parse_frames(open(PCAP, \"rb\").read())\n aes = AESGCM(KEY)\n b32_pat = re.compile(rb\"[A-Z2-7]{20,}={0,6}\")\n for blob in frames:\n pt = aes.decrypt(blob[:12], blob[12:], None)\n for m in b32_pat.finditer(pt):\n s = m.group(0)\n for cand in (s, s[1:]): \n try:\n dec = base64.b32decode(cand)\n if b\"flag{\" in dec:\n print(dec.decode().strip())\n return\n except Exception:\n pass\nif __name__ == \"__main__\":\n main()<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767343583-image.png\")
<\/figure>\n\n\n\nCRYPTO<\/h1>\n\n\n\n
ECDSA<\/strong><\/h2>\n\n\n\n
import hashlib\nfrom pathlib import Path\nSIG_PATH = \"signatures.txt\"\nN = int(\n \"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA\"\n \"51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409\",\n 16,\n)\ndef inv(a, n): return pow(a, -1, n)\ndef nonce(i: int) -> int:\n return int.from_bytes(hashlib.sha512(b\"bias\" + bytes([i])).digest(), \"big\")\ndef parse_raw_rs(sig_hex: str):\n b = bytes.fromhex(sig_hex.strip())\n r = int.from_bytes(b[:66], \"big\")\n s = int.from_bytes(b[66:], \"big\")\n return r, s\ndef e_from_msg(msg: bytes) -> int:\n return int.from_bytes(hashlib.sha1(msg).digest(), \"big\")\nlines = Path(SIG_PATH).read_text().strip().splitlines()\nmhex, shex = lines[0].split(\":\")\nmsg = bytes.fromhex(mhex)\nr, s = parse_raw_rs(shex)\nk = nonce(0)\ne = e_from_msg(msg)\nd = ((s * k - e) * inv(r, N)) % N\nflag = hashlib.md5(str(d).encode(\"ascii\")).hexdigest()\nprint(flag)\nflag{581bdf717b780c3cd8282e5a4d50f3a0}<\/code><\/pre>\n\n\n\n
EzFlag<\/h2>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767344106-image-1024x531.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767344243-image.png\")
<\/figure>\n\n\n\nfrom pathlib import Path\nimport re\nb = Path(\"EzFlag\").read_bytes()\nK = re.search(rb\"[0-9a-f]{16}\", b).group().decode()\nP = 24 \ndef fib_mod16(n: int) -> int:\n n %= P\n a, c = 0, 1\n for _ in range(n):\n a, c = c, (a + c) & 0xF\n return a \nv11 = 1\nout = []\nfor i in range(32):\n out.append(K[fib_mod16(v11)])\n if i in (7, 12, 17, 22):\n out.append(\"-\")\n v11 = (v11 * 8 + (i + 64)) % P\nprint( \"\".join(out))\n<\/code><\/pre>\n\n\n\nRSA_NestingDoll<\/h2>\n\n\n\n
Pollard's p-1<\/code>\u5206\u89e3\u7b97\u6cd5\u6765\u6c42\uff0c\u867d\u7136p1\u4e0d\u662f\u5e73\u6ed1\u6570\uff0c\u4f46\u662fp1\u662fn1\u7684\u56e0\u6570\uff0c\u90a3\u4e48\u53ea\u9700\u8981\u591a\u52a0\u4e2agcd\u5373\u53ef\u7206\u7834\u51fap1\u7684\u503c\uff0c\u540c\u7406\u5176\u4ed6\u503c\u4e5f\u53ef\u7206\u7834\u5f97\u51fa<\/p>\n\n\n\n![\"\"](\"https:\/\/www.sherlock666.cn\/wp-content\/uploads\/2026\/01\/1767344519-image.png\")
<\/figure>\n\n\n\nimport re\nimport secrets\nfrom math import gcd, isqrt\nE = 65537\nB = 1 << 20 \ndef parse_bigint_from_line(line: str) -> int:\n m = re.search(r\"=\\s*([0-9]+)\\s*$\", line.strip())\n return int(m.group(1))\ndef int_to_bytes(x: int, min_len: int = 0) -> bytes:\n if x < 0:\n raise ValueError(\"negative int\")\n blen = max(min_len, (x.bit_length() + 7) \/\/ 8)\n return x.to_bytes(blen, \"big\")\ndef primes_upto(n: int) -> list[int]:\n sieve = bytearray(b\"\\x01\") * (n + 1)\n sieve[0:2] = b\"\\x00\\x00\"\n r = isqrt(n)\n for p in range(2, r + 1):\n if sieve[p]:\n start = p * p\n step = p\n sieve[start:n+1:step] = b\"\\x00\" * (((n - start) \/\/ step) + 1)\n return [i for i in range(2, n + 1) if sieve[i]]\ndef lcm_1_to_B(B: int) -> int:\n ps = primes_upto(B)\n L = 1\n for p in ps:\n pk = p\n while pk * p <= B:\n pk *= p\n L *= pk\n return L\ndef split_with_lambda_multiple(n: int, d_odd: int, s: int, tries: int = 80) -> int | None:\n bases = [2, 3, 5, 7, 11, 13, 17]\n for _ in range(max(0, tries - len(bases))):\n bases.append(secrets.randbelow(n - 3) + 2)\n for a in bases[:tries]:\n g = gcd(a, n)\n if 1 < g < n:\n return g\n x = pow(a, d_odd, n)\n if x == 1 or x == n - 1:\n continue\n for _ in range(s):\n x_prev = x\n x = (x * x) % n\n if x == 1:\n g = gcd(x_prev - 1, n)\n if 1 < g < n:\n return g\n break\n if x == n - 1:\n break\n return None\ndef is_probable_prime(n: int) -> bool:\n if n < 2:\n return False\n small_primes = [2,3,5,7,11,13,17,19,23,29,31,37]\n for p in small_primes:\n if n == p:\n return True\n if n % p == 0:\n return False\n d = n - 1\n r = 0\n while d % 2 == 0:\n d \/\/= 2\n r += 1\n for _ in range(16):\n a = secrets.randbelow(n - 3) + 2\n x = pow(a, d, n)\n if x == 1 or x == n - 1:\n continue\n for _ in range(r - 1):\n x = (x * x) % n\n if x == n - 1:\n break\n else:\n return False\n return True\ndef factor_all(n: int, d_odd: int, s: int) -> list[int]:\n if n == 1:\n return []\n if is_probable_prime(n):\n return [n]\n f = split_with_lambda_multiple(n, d_odd, s, tries=120)\n return factor_all(f, d_odd, s) + factor_all(n \/\/ f, d_odd, s)\ndef main(path: str = \"output.txt\"):\n with open(path, \"r\", encoding=\"utf-8\") as f:\n lines = [ln.rstrip(\"\\n\") for ln in f if ln.strip()]\n n1 = parse_bigint_from_line(lines[0])\n n = parse_bigint_from_line(lines[1])\n c = parse_bigint_from_line(lines[2])\n print(\"[*] Building L = lcm(1..2^20) ...\")\n L = lcm_1_to_B(B)\n s = 20\n L_odd = L >> s\n d_odd = n1 * L_odd\n print(\"[*] Factoring outer n using known multiple of lambda(n) ...\")\n outer_primes = sorted(factor_all(n, d_odd, s))\n print(\"[+] outer prime factors found:\")\n for i, P in enumerate(outer_primes, 1):\n print(f\" P{i}: bits={P.bit_length()}\")\n print(\"[*] Recovering inner primes via gcd(P-1, n1) ...\")\n inner_primes = []\n for P in outer_primes:\n g = gcd(P - 1, n1)\n if g != 1:\n inner_primes.append(g)\n inner_primes = sorted(set(inner_primes))\n if len(inner_primes) != 4:\n raise RuntimeError(\n f\"Expected 4 inner primes, got {len(inner_primes)}: \"\n f\"{[p.bit_length() for p in inner_primes]}\"\n )\n print(\"[+] inner prime factors found:\")\n for i, p in enumerate(inner_primes, 1):\n print(f\" p{i}: bits={p.bit_length()}\")\n phi1 = 1\n for p in inner_primes:\n phi1 *= (p - 1)\n d_priv = pow(E, -1, phi1)\n m = pow(c, d_priv, n1)\n pt = int_to_bytes(m, min_len=(n1.bit_length() + 7) \/\/ 8)\n print(\"[+] decrypted bytes length:\", len(pt))\n print(\"[+] decrypted (hex head):\", pt[:32].hex())\n mflag = re.search(rb\"flag\\{[^}]+\\}\", pt)\n print(\"[+] FLAG:\", mflag.group(0).decode(\"utf-8\", errors=\"replace\"))\nif __name__ == \"__main__\":\n main(r\"output.txt\")\nflag{fak3_r5a_0f_euler_ph1_of_RSA_040a2d35}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"