EHAX CTF 2026 Writeup by Mini-Venom


文章总结: 本文是Mini-Venom战队关于EHAXCTF2026的解题报告。Pwn方向针对WompWomp题目利用ret2csu技术绕过远程环境差异泄露libc地址;SarcAsm题目深入分析虚拟机GC机制,利用SliceUAF与DoubleFree漏洞覆写函数指针实现提权。Web方向涉及路径走私绕过访问控制及AI对抗逻辑分析。文中提供了完整的漏洞利用代码、内存布局分析与攻击流程演示,具有较高的技术参考价值。 综合评分: 88 文章分类: CTF,二进制安全,WEB安全,漏洞分析,实战经验


图像解出来之后如下,解完纯在测试相似符

EH4X{N3WT0N_W45_R1GHT}

kaje

# The two 64-bit multipliers of MurmurHash3's fmix64 finalizer; both
# mix64() and gen_keystream() multiply by them modulo 2**64.
C1 = 0xFF51_AFD7_ED55_8CCD
C2 = 0xC4CE_B9FE_1A85_EC53

def mix64(x):
    """Scramble a 64-bit integer with the shift/multiply finalizer (fmix64).

    The input is truncated to 64 bits, then put through two rounds of
    "xor with itself shifted right by 33, multiply by a constant mod 2**64"
    (C1 first, then C2), followed by one last xor-shift.
    """
    mask = 0xffffffffffffffff
    x &= mask
    for multiplier in (C1, C2):
        x ^= x >> 33
        x = (x * multiplier) & mask
    return x ^ (x >> 33)

def gen_keystream(seed):
    """Expand a 64-bit seed into a 32-byte keystream.

    Each of the 32 rounds adds the round index to the running state, runs
    the sum through the same xor-shift/multiply sequence that mix64() uses,
    stores the result as the new state and emits its low byte.
    """
    mask = 0xffffffffffffffff
    state = seed & mask
    stream = []
    for rnd in range(32):
        v = (state + rnd) & mask
        v ^= v >> 33
        v = (C1 * v) & mask
        v ^= v >> 33
        v = (C2 * v) & mask
        state = v ^ (v >> 33)
        stream.append(state & 0xff)
    return bytes(stream)

# 32-byte ciphertext; solve() XORs it with the 32-byte keystream.
# bytes.fromhex() skips the space between the two 16-byte halves.
ct = bytes.fromhex(
    "9f12d91be212bbbafbf5fee8a632acc6 043692d4c93bbdbe22a2b4836b4503d3"
)

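def solve(is_docker, has_overlay):
    """Decrypt ``ct`` for one guess of the two boolean inputs.

    Args:
        is_docker: when false, the start constant 0xCD9AADD8D9C9A989 is
            replaced by 0x1337133713371337.
        has_overlay: when true, 0xABCDEF1234567890 is XORed into the start
            constant.

    Returns:
        ``ct`` XORed byte-by-byte with the keystream seeded by
        ``mix64(start constant)``.
    """
    # NOTE(review): the flag names suggest environment checks made by the
    # challenge binary; the binary itself is not shown on this page.
    v0 = 0xCD9AADD8D9C9A989
    # The published listing had "ifnot" here (a lost space), which is a
    # SyntaxError; restored to the intended "if not".
    if not is_docker:
        v0 = 0x1337133713371337
    if has_overlay:
        v0 ^= 0xABCDEF1234567890
    seed = mix64(v0)
    ks = gen_keystream(seed)
    # zip() stops at the shorter input; ct and the keystream are both 32 bytes.
    pt = bytes(a ^ b for a, b in zip(ct, ks))
    return pt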

# Print the candidate plaintext for all four (is_docker, has_overlay)
# combinations, in the order (T,T), (T,F), (F,T), (F,F).
for d, o in [(d, o) for d in (True, False) for o in (True, False)]:
    pt = solve(d, o)
    print(d, o, pt)

ghosty

用加盐生成的 key 做 XChaCha20-Poly1305 解密 R0M1 的 blob,得到的 ELF 里存了字符串 ghost_8d3f4a91c2e7b6d0。

 % nc chall.ehax.in 22222
== interface check ==
Send one line as your candidate input (max 32 bytes).
> ghost_8d3f4a91c2e7b6d0
EH4X{fr3k7_fri3n5dly_1nt3rf4c35_0nc3_4g41n}

ghostKey

z3:

from z3 import *
import hashlib
from Crypto.Cipher import AES

# Printable-ASCII bounds applied to every key byte (0x20 .. 0x7E).
PRINT_MIN = ord(" ")
PRINT_MAX = ord("~")

# Expected results of the individual checks that the constraints below encode.
target_lfsr = 0x4358
target_nibble = [8, 8, 4, 7]
target_col = list(bytes.fromhex("0c27080037213260"))
target_tag = list(bytes.fromhex("6c753a017e2f3400"))
target_sbox_xor = 0x66

# Each entry is (index a, index b, modulus, expected (k[a] + k[b]) % modulus).
pairs = [
    (0, 31, 127, 104),
    (3, 28, 131, 17),
    (7, 24, 113, 53),
    (11, 20, 109, 58),
    (1, 15, 103, 52),
    (5, 27, 97, 88),
    (9, 22, 107, 20),
    (13, 18, 101, 64),
    (2, 29, 127, 81),
    (6, 25, 131, 118),
    (10, 21, 113, 40),
    (14, 17, 109, 83),
]

# 32 bytes of AES-CBC ciphertext and the prefix the plaintext should start with.
enc = bytes.fromhex(
    "0037a8858c84fd73233ee93571d82bde"
    "4f1846e81241af6df95ed4bd156a8999"
)
prefix = b"crackme{"

# Standard AES forward S-box: 256 entries, indexed by the input byte.
# Kept as a plain Python list; the func7 constraint further down copies it
# into a z3 array so it can be indexed by symbolic key bytes.
sbox = [
0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16,
]

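# One symbolic 8-bit variable per key byte; the key is 32 bytes long.
s = Solver()
k = [BitVec(f'k{i}', 8) for i in range(32)]

# printable
# z3's >= / <= on bit-vectors are signed comparisons. That is equivalent to
# the unsigned range check here because both bounds are below 0x80, so any
# byte with the top bit set is negative and already fails the lower bound.
for i in range(32):
    s.add(k[i] >= PRINT_MIN, k[i] <= PRINT_MAX)

# func1 length already fixed =32

# func8 tag: XOR per 4 bytes
# Each of the eight 4-byte groups must XOR to the matching target_tag entry.
for i in range(8):
    a = 4*i
    s.add(k[a] ^ k[a+1] ^ k[a+2] ^ k[a+3] == target_tag[i])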

# func4 nibble: per 8 bytes, XOR of ((hi^lo)&0xF)
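def nib8(v):
    """Fold an 8-bit z3 bit-vector to one nibble: high nibble XOR low nibble.

    The result keeps the operand's width; only its low four bits can be set.
    LShR is the logical (zero-filling) right shift, so no sign bits leak in.
    """
    hi = LShR(v, 4) & 0xF
    lo = v & 0xF
    return (hi ^ lo) & 0xF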

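# Per 8-byte group: the XOR of the folded nibbles must equal target_nibble[g].
for g in range(4):
    acc = BitVecVal(0, 8)
    for j in range(8):
        acc = acc ^ nib8(k[8*g+j])
    s.add(acc == BitVecVal(target_nibble[g], 8))

# func5 colsum: 4x8 matrix col sums mod 97
for c in range(8):
    # Zero-extend to 16 bits first so the sum of four bytes cannot wrap.
    sm = ZeroExt(8, k[c]) + ZeroExt(8, k[c+8]) + ZeroExt(8, k[c+16]) + ZeroExt(8, k[c+24])
    # URem is the unsigned remainder; plain % would be signed on bit-vectors.
    s.add(URem(sm, 97) == target_col[c])

# func6 pairs
for a, b, mod, res in pairs:
    sm = ZeroExt(8, k[a]) + ZeroExt(8, k[b])
    s.add(URem(sm, mod) == res)

# func7 sbox even positions XOR
# The table is modelled as a z3 array pinned entry by entry, which lets the
# solver index it with a symbolic key byte.
SBOX = Array('SBOX', BitVecSort(8), BitVecSort(8))
for i, val in enumerate(sbox):
    s.add(Select(SBOX, BitVecVal(i, 8)) == BitVecVal(val, 8))

acc = BitVecVal(0, 8)
for i in range(0, 32, 2):
    acc = acc ^ Select(SBOX, k[i])
s.add(acc == target_sbox_xor)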

# func3 LFSR 16-bit: encode as BitVec(16) update
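def lfsr_step(state16, byte8):
    """Clock the 16-bit LFSR eight times, feeding in one key byte.

    Args:
        state16: current state as a 16-bit z3 bit-vector.
        byte8: key byte as an 8-bit z3 bit-vector, consumed LSB first.

    Returns:
        The 16-bit state after the eight steps.
    """
    st = state16
    x = byte8
    for _ in range(8):
        # Feedback bit = lowest state bit XOR lowest remaining input bit.
        lsb = (st ^ ZeroExt(8, x)) & 1
        st = LShR(st, 1)
        x = LShR(x, 1)
        # Apply the tap mask 0xB400 only when the feedback bit is set.
        st = If(lsb != 0, st ^ BitVecVal(0xB400, 16), st)
    return st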

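# Run all 32 key bytes through the LFSR, starting from state 0xACE1; the
# final state must equal target_lfsr.
st = BitVecVal(0xACE1, 16)
for i in range(32):
    st = lfsr_step(st, k[i])
s.add(st == target_lfsr)

# ----- solve -----
if s.check() != sat:
    print("unsat")
    # quit() comes from the site module and is missing under "python -S";
    # SystemExit works everywhere and reports failure via the exit code.
    raise SystemExit(1)

# The model is one satisfying assignment; nothing on this page shows that
# the constraints pin a unique key, so treat the result as a candidate.
m = s.model()
key_bytes = bytes([m.eval(k[i], model_completion=True).as_long() for i in range(32)])
print("KEY =", key_bytes)
print("KEY(str) =", key_bytes.decode(errors="replace"))

# NOTE(review): this first attempt hashes all 32 key bytes for the AES key.
# The follow-up script on this page hashes only key[:16] and marks that
# derivation as asm-confirmed, so a failed prefix check here is expected.
aeskey = hashlib.sha256(key_bytes).digest()
iv = hashlib.md5(key_bytes[16:]).digest()
pt = AES.new(aeskey, AES.MODE_CBC, iv).decrypt(enc)
print("PT =", pt)
print("PT(str) =", pt.decode(errors="replace"))
print("prefix ok?", pt.startswith(prefix))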
AES 这部分的反汇编有点问题,下面按汇编确认后的密钥派生方式重新解密:

import hashlib
from Crypto.Cipher import AES

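# 32-byte key for the crackme; the two halves feed the key and IV derivation.
key = b"Gh0stK3y-R3v3rs3-M3-1f-U-C4n!!!!"

# 32 bytes (two AES blocks) of CBC ciphertext.
enc = bytes([
    0x00,0x37,0xA8,0x85,0x8C,0x84,0xFD,0x73,0x23,0x3E,0xE9,0x35,0x71,0xD8,0x2B,0xDE,
    0x4F,0x18,0x46,0xE8,0x12,0x41,0xAF,0x6D,0xF9,0x5E,0xD4,0xBD,0x15,0x6A,0x89,0x99
])

# asm-confirmed derivation:
# This mirrors what the target binary does. An IV derived from the key is
# the same for every message and CBC here carries no integrity check, so
# the scheme is reproduced for decryption only, not as a pattern to reuse.
aes_key = hashlib.sha256(key[:16]).digest()   # keyBytes[:16]
iv = hashlib.md5(key[16:]).digest()           # keyBytes[16:]

pt = AES.new(aes_key, AES.MODE_CBC, iv).decrypt(enc)

print("PT bytes:", pt)
# The label had a literal "&nbsp;" left in it by HTML extraction; restored
# to a plain space so it lines up with "PT bytes:".
print("PT str  :", pt.decode("utf-8", errors="replace"))
print("prefix ok?", pt.startswith(b"crackme{"))

# try extract crackme{...}
s = pt.decode("utf-8", errors="ignore")
if "crackme{" in s:
    start = s.index("crackme{")
    end = s.find("}", start)
    # find() returns -1 when no closing brace follows; print nothing then.
    if end != -1:
        print("FLAG:", s[start:end+1])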

//crackme{AES_gh0stk3y_r3v3rs3d!!}

Misc:

Baby serial

logic分析得到的内容:
Async Serial 格式:
115200, 8N1

iVBORw0KGgoAAAANSUhEUgAAAqsAAAGACAMAAAC9RturAAACQFBMVEX/AID9AIHWAJuTAMhgAOpU APJCAP5AAP+HANDFAKZxAN72AIanALuxALTRAJ5KAPidAMH+AID0AIdwAN9fAOroAI/4AIS2ALHa AJhQAPSlALxHAPvFAKf7AIKMAMzLAKLqAI5uAOF0AN26AK6nALqJAM/XAJt1ANzuAItjAOjBAKlh AOn8AIKPAMuqALm9AKxDAP2AANTJAKSAANVcAOzgAJRWAPDkAJLXAJpMAPeUAMebAMLfAJVTAPJN APe7AK2BANSkAL3IAKREAP17ANjZAJl9ANfxAIlqAONEAPy+AKu/AKqFANFcAO1RAPRmAOaVAMbM AKL5AISYAMRZAO5ZAO+wALXdAJd3ANrTAJ3SAJ6DANNKAPl5ANl3ANuvALXtAIx+ANZeAOvOAKGi AL68AKxrAOKSAMjnAJCfAMDUAJy3ALDeAJZpAOTyAIhaAO7sAIzHAKXwAIpiAOh6ANiRAMlTAPN0 ANxzAN3PAKDCAKnrAI1bAO2DANKSAMnmAJCmALviAJN8ANe5AK/KAKNIAPqyALOLAM31AIZvAOC/ AKuqALiOAMu1ALGPAMqJAM7mAJFWAPF2ANtOAPazALPpAI7CAKhnAOXgAJWZAMRQAPWoALrVAJyN AMytALeeAMDLAKPbAJhPAPVlAOfdAJZfAOueAMGXAMWGANG8AK2kALxLAPiKAM6tALZsAOJYAO+M AM2WAMb3AIXjAJN/ANXUAJ2YAMXzAIicAMKjAL19ANZrAOPYAJqIAM9VAPHEAKfSgO7LAAAYnUlE QVR4nO2d+4MVxZWAe5C5DSLCHQUdxwFE1JGXs/IWeYgKAq4KYZKsGYKgEUjGQHB1E3yQxIi66q7G Ja66ZmOS3exmH8nGuO/Hv7Yzc/tUVXdXdVffB9Pd9/t+gtt9q/rOfNO36tSp00EAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AFACBuZdM3+wEU6zYK4vBVwsDIuy0P7+axfld3adnOwrxOKGo+3rl6jrWdrMb2foBjn7xmWWw8tv GgyTl7bo2uiF6zyvtX2uYleVptSu3jzsart5i7qekVtz2xldoU5eaTm86jbj4+FqaSmzq0Or3W2r Y45bZYzbG9GpjTWWm/CyG82Ph6ulpcSuNtc0MtqWe+40d4xmN3SnOvUuS0OL7op9PFwtLSV2VY9J rW2rm2XYuD2znbG75UTrHXixagdXy015XdWK2dsevUMdH745ox1jsLrW1s26+MfD1dJSWlfXb9Bd 2ts2xpmrh9wNbVT3zVtsEYN75PD4H9w7NqBfx9XSUVpX147kuRrcqk6xzpla6MGqVej1m6Kjm7fE D+Bq6VCutRkD75Wrscm5o+3mUnXGkutz29m6zXZ8bLOjAVwtHSV11RiMZrRtBK7WrbK3kz1YDYLt Oxxd4GrpKKmrt8cm58629Rd8uMIWuNJhr/A++yhBrn9n8gCulo5yunr/LlPVjLb1xMl635y3Ww67 Zl9ySXuSB3C1dJTS1UR4PqPt0b3qJMt4VA9Wd93vaOCB1vHGvtQ14GrZKKOr8s3deDC/bWMO9tDy xDEtsmOwOs2C1gm7H04ewNXSUUZXZRR6136Pttc6A1fGYHXDetfbcbU6lNDVA4+0Thq+eYFH28aa wfCdsSMrlcUZSwW4Wh3K52rzvug2uTjwcVWpPc0jB4zX9egg4XAMXK0O5XNVVqP2jvq5agaujMCU 
jr0ePJTxZlytDqVzVW6HM9N6P1eNcameQxkvWiOvEaKJh6tDhx/9w5k/o8cef+LI0ZwP2rqEsX1f 2n/ssdaFTcxf8OX7HRfSeVf9QdlclYWm2Zuhn6vB8ofUjVVl/ekpV2xgkMTX1eZXvjoeasa/+kcD 6cZin+PJr02GSUaOW99WuKsjB6ODX0+GPgxOROesG8u+0upQNlcPRb+G2Zuhp6vBtq3qVxvlXfsN Vr1dfepkPMl1mlNPZ+zzGnpmR0rUFoPfSNtauKuhZ0PXZacbPZ31+StFyVwV61r3R19Xjbtoa3Cq 77TTM7Qs/Fx9Or6MFrV88ilHo6MbXabOcNuZzrs6K0fOOj/ZN6NM9SXfzPwBVIlyuSqOReNOb1d1 ikq4eUaFjV6D1UBrMrHKdSS8rvktIz3R5Nh2a5tPrbafLuxK2lO8qymZTj73bdcnE52fzUjtrRjl clUci2L33q6amwimRwF6L9bdOYM10eTcedeR8Lq1Dn+m78bfsTS5ZbPrdCG5jaF4V0ePRy8fPOL4 YBeej844kf0DqBKlclWiT2KYv6vG5qyRW3U6QfZgNfBy9Y91SCxtXbr9+K5YO4ktim10pXYzvOAY Nd8bjftf3GI/XkXK5KqERFXecwFXjRjVI8+oLdYb897m4aow/tWFY81g4PzhPzGm6andhkYyTTjy 3S9PzW6LGR373s5TRlMHL3ba1UsvR686ZvlNyf99xbm6XD1K5KqqT6EqqRRw1cy7VuQMVoMCro6/ qkNfl4yperILnXg7+f34Vf/gh/pd8VhTG101X4hebNgreVyaiA7fk/cTqBAlclXW729Qs4EiriZz XkOfIhfB+XOtUzenbk9xgXatNL9rm6+p2Gmi6oseNyf3b02/60fqKz4edminqydfj1613zhljFCf 4GrQRVcLYetsVbT52RiYFXJVhWaVEPPy3yOupnuICZQS74jSLj7PVuNI60hZp35f7rQrFWKduGTp SM29XMPZSlLQtZRkXXNVwk5mZl8xV43AVbIhJ1tedPVgCmQRT83YY9+yy78ur1rLa+jNjG903JUs S6V3NAQ6plWj4GpQIlflN2Lm7xVzNTEF35s7WJ3m4ehO92jKa0MgW6a2Lv5mjj1Ffdfip4qLHjeX +dvqyt5UhIhco+BqUB5Xz0RRyVjssaCrRsaq12DVuPz0QqQhkDVTW6UimveuPdFrrinNm2/ZPlFb Xa1/JXpxeCr1BjVAqFFwNSiNqxLqiS+JFnXVqHQZ/qnXO96Ozk5/kWqBHHu11Izf2AL7TvSSc0pj /URtdaWHxmkhZX3VonGVKYmrUgAtvmeqsKs6yOoqGBBHqq5YckC0QI75iSqEZa5zjo59790/e3bw z11D5WgrYjzu0F5X6sX0T2dndGRTjYKrQVlclUXRxF7Uoq4a1a59gqs6DGlZVlcCvf6k482noxMy kp1SSNQuFs9tsyt5MTWBEotrFVwNSuKqxPGTGfwdza3ce1c1oo4lb04J5EwPuVVu4pcdJ2R0aHe1 WFfyTZ9KtpL11VoFV4MuutrBWoD66k7eCgvGrGJ1hVwFrEzuzAjt5Od/vvd+dMYbrjPSZLtarCs1 g0oormZdtQquBuVYt5IQeWrqXshVc7DawlbF2mSb3IdTlQUCQyBb/HIW+6Q+gwuHfyyBCrurBbuS yFQi2UoGNs4RRVUpgauyLpn+0i7k6p2pJKXs1YDmSlmUtS5wiUDu33jzUZt4dhZNfXn/B8alWV0t 2pWK5sZvoBI4q1dwNSiDq2qDfzq2WMTVVYn61E4JZxlddlklPtmVFoHef8/ZpUy3s/LuFi1buGbB /NTWK6urRbtSX/axgalaO6tXcDUog6uyYGVJiy7gql5gPfgXumCAK9VaXciMqmetAQN3BlaqFWsg 
YODKT760ejC1dyrL1cJdyZQrlmwlC1o1C64GJXBVJu+2J08VcFXn4u0dNZavHIErw9WRE/aBggj0 1pvOPi9GTaS/u0cX/tiZ4e92tXBXKsRqJlvJZ6tZcDWYe1fV5N32+D9/V/Vgddf9ZtkgR+BKu/rh XzpaFIEy+lafPV6WPhj6KGtvoNvV4l3J0MBItpLoQN2Cq8Hcuyr3wxtsEwFvV/UzLGcXaY2xqz1w JRfy8R7ngkHbAo1+ki4MIOyQvVhdclWFWHUEQRJbX37J2VhVmWNXJUHaPgvyddXIBmzFqfRTL+yB K7mQwZucxSDaFci9i3X4nb8azYyvFndVzaN0Btbp6JW6BVeDOXfVnOR44FjO1Ns/o+QP46kX1lm+ 7vaUfd90IYF2GG3YtwaOn/p04QWz43Zd3ZG4XAmxqomUDGFrF1wN6uGq3mKtFmn1oMB6yzbnVj+1 V/sRgZ6/4Pw4e9JXlVJ1fOv+v/7ZedVFpqvFuppF4v6qFJaEBmoXXA1q4aqxK1BP+42VAUvgKhaz sq8YFAgk6aBnbGvC+N07v3ehaX9LuzGrZChXhVgjN9X/61hysPquSr3WMJ4HuNG91zRIrAVY95t4 BOhPp8S7qLd8nfuW7QeSfku7XUVInkqU0iCJA/ULrgZ1cFUPVmPf9kbxQHvgSq+xWh/n6q50JahH DqqPrrJJwsYT9kmbzBatrhbpSlD1VVpp2DJWsG1sqTyVd1XXCEx8mZ/RtXocGVcqd8W2NUsllCxM H2uhNFGbteQmFzZusQ+ClXP23JUCXSmkbtVsspXsX61hcDWovqvGYDUZnVqbE7jyzAl0jvw++3l0 xgPyymnpzxotDox8KburBbpSyO7G2Ym/ZLPUMLgazLmri49lIUH1kYnohV/8MtGiscNqc7JWpDHR ccyfVGgrK9fauVYp37cqJe/bz0l3rtvaKpm2213170qjQqw7jfNqGFwN5tzVbPLXAnTQ3zIoNYoH OjKufPawuO5R6vtcLXAqE9MVMiNUQWq7q/5dGVwO1WeQ85zVA6tNtV01wpm23crG/it7JXb55f78 s9QhJdDBe+19qw366m4oX8fu65X1e4er/l0ZyN/b9EBG/lnH4GpQcVeNub7VRXOrgP1xbLLn+mLq iN5cai+KoUJl+gs/19Urf5Ptqn9X5lHJ/rlOLQTUMbgaVNtVQ0VHoVVj5mUPXMnlp+csWiBbtqKx WKa/l5WrjuQ+Y+XX4ap3VyYSfTh+9HT0w6hjcDWotqv6K95ZaNUoHpiae80geqUvyCiGYsvY1n8F OplR7SlxBPV16bV4QKONrkxkSvf+w8+JtNbuK0+FXTUGq+7aVToH27oD0K/2WnrhS8cYjFIpKgpq 3z6yzcgVcLnq21WMKMTa+NtWZKuewdWgyq4aW6wzalflBK6kpmU6EGAK1PhVwqDRs+pP4BbdqJqu W4u+xJ4j4HTVs6sYMvWKNh/aRwo1oLKuWp8WaMG4+1oGteJqTl3rxh2xKxhaoAu+m3O6y+oNf5e8 4oG/3220F0/Za6crExVibVHP4GrQVt2UmDlz5qqRSGUfxglG3nX6ty1jvdwa7KdWqlXTgZW69n9c f5WhF4Y/fMo80PzKI2Ecczm1na5i3GNuQaxpcDWorqvGNpWMJ67PYMy+04Erd4qTHGk8KAr9emr6 Mo5O/dp4SkXyjn5WH5p84oq8OvbuhyLT6/8Q/eNyp12ZGH8jtQ2uBpV11RiG5j4XyMi7Tv3C858b eO7tRGl3g9QI2Fgpm+aDx/9xxYpYcYBj10tx9NOddmWinnQxg/tRglWnoq4uVt96OQ+xnMEYLiQD Vx6uLvuVa5P/+JpUNlW6+IvJ9MDgtOUjtdeVyREteV2Dq0FVXTWU8CldudEZuPJw9fzoBrtBk69Z 
bnXf2W09d/b8fxrQ2SWmUm12ZaATZzMffV1xKumq8a3uVWrdWItNfJf6uBqMPmM+JF1Y9xVrX9uP 2X9qjZOz41e1XnCi864M1E+2tsHVoJquGoNV+6JkCiPvOj689XI1aD5tPvVvlh2fuO5fQ69adGv8 87zW34iKLxlToLa70kxlL8PWgyq6qpOovZ4LFH9LPHDl5+q0YjcNmj+C3/w069Ne+m2imsXwv6iY gIovGbu8OuhKqOcDrcDkd6tdriZpfr7m2ZlSaiMT+y+fyRNiYMua/bOZ4o3B+Z8efqmgP4W6aqEy Vx1ZhVADFvi6Wm5kDFDf4CrUxVWpv1Lf4CrUxFWZsdU4uAo1cVXqBdav5ipodtbC1ehT1Dm4ChJG a+yb6wvpBCkOWLcHWkEMSTl1ljypArL5gZlVrXFvDqwOkh/JzKreyObACqd8LH8j+nt7hZlVrZFa KUuun+sraZcDv49UtVXlghqhFtJvzH16a6k4sPTwstGZ5xHep5754t7MC/VAVnzCyRVfjGUmNJeK xB6t6ofdIJ/YXqWw7f28Vxv1hFaFa4dkwbKhipoWGqo0id9lRVzVtV4jXCVfcbVGDMUfSFUVVxMK undI4mqNWBbbfFoVV+NJ8sNfOE/E1ToRe9RfVVyVZ1nOcsr2dI4IXK0VA9/Q20aq4qraZBiGk/+a lWGNqzVjYN4Tj28dr5Krwdi7qwcbYWNw02GfDVkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA/cxsNdHG4PxPf8YTcvoNVUnWp+5ooZNnWNx6UOi13asQqivf7vikuo/6g3bo qas3D4e9czUM123pWrNQAXrpqnrCSUeunv/oM9slzOB++AjUkB662lzT6NzV5WsmYw/Ei1e/v3FZ 2w1D5eihq9cvCTt1tfn0qcTDGxNPariDGVb/0DtXx/Rjo9p19crJmTtzlqs827mP6Jmr6zdoo9pz dfrrf/bdqYfi/tvUM+oZPy84nkIK9aNnrq4d6dRVeTKe7QHOQ/ujg89faKdpqCK9cnXZjWEvXQ22 bW0d3LG9naahivTI1dE7wt662nwhOnqxnaahivTI1dsbPXY1uBgd5VGMfUNvXL1/l6lqT1zdvqN1 9I12moYq0hNXF90VU7Unrj682/+6oRb0wlVZsGo82ENXz59rHT1+tJ22oYL0wtU7o5SVu/ZfBVe7 mBcD5aYHrh54pHXS8M0LcBW6R/ddbd7XOqexOMBV6CLdd/XWaMFq7+hVcZWFq76h667KgtXWbUER V6/8+6nxsDG46fCQesnP1XPnPS4c6kC3XR1d0Trj4KEg21VxbbapoVfHpenxkz9IJlNZe8XVvqPb rh462DpjxUxiqa+r23T64DSNvWdxFdJ02VVJKWkl7Hu6Gstzmebr/4GrkKa7ri5/qHV8ZO3sf/1c lTcpTjAGAAvddXVjlLKyYf3sf/1c3RjLcwnDiUu4Cha66qosWN091vq/l6uyMVvxynpcBQvddFX2 WC+5PnrBx9Wv7U0YefDeYN+KGe6SF/5zRYt3zfcvuhZX+4wuutq8JTq6VPZA+bg6GQUORv5rxYrV H4RGcD87viquvkhBi36hi66ujBasblDhfB9Xo7vjodbm6StPTJ6VM/xctR+FGtI9V1etax0ziqF4 u/r7A+r1IbVmmu1q81Fc7TO65qosWDXW6F3Qvq5+zboGm+2qNN7Y53HhUAe65qrssV6tF/R9Xd18 xtpbjqtyMWwO7Be65eqZzdEI4GbjRU9XT9h7y3GVzYH9RpdcHY0iT43F5qt+rk5csveW4+qTr7cO P0rllT6hS65GRYHDh2L1e/1c3bTe3luOqy+93Dr83Lc9rhxqQHdclbWnmaRVAz9X33b0luPq0eOt 
w68/6XHlUAO64qosWM0mrRp4uep0LcfV4HJ0fC91LfuDbriqigKvSFjj5erEKkdvea5emmgdj5K6 oO50w9V5UVmJVJVpL1ffetPRW56rzaXRCcNfeFw7VJ4uuCpFgdP3Ny9XncUo8lzV1YgnbxrwuHqo OJ27qooCb0jN571cdXac66rKQQzDwV9/Tv2VutO5q7JgJUmrBl6u7nT1lu9q8J3doYbKVjWnPVcf 0K/JZqmRlenzvVx1rjt5uBp80yhIiKs152KR37RyVfuligIvtSwf9d7V4KmTjSKfACrMwiK/6dNp V6Uo8A1DlvOvgqutxwrhaj+gXF39u/yTxT3tlxQF3j0v6/xeujrw9Ie42h9IBohPHZ/1m8RVlYfn 2MXnwtCuS66euU01jqs1R8pD+9Qwk20jYbhQXpprV81AAK7WnPfej37THvtBxzan7JljV82HaOFq 3bH452TLi9G5778nL82tq8ZawDNTrAXUnd/Jc9P197qTfRIe0uOFOXVVr7H+lFSrfuAN8eiB3FMf kFP1Ev6cuiqdk7vSJ0gWaP4DTSS5OQxPq9fm0tWxaJM3OYH9ggpa6UGoAzUNC/eo1xYfy2IyOn9k InrhF79U7+zc1XuiIQm51v2CbFtybidVnJATvcvy9HQtYP0rrcPsYekbdIDfkihlMvRsmKGelZ66 KhEM9gb2D3vUaPKWzN3L+nHAZ7NOM+mpq+y57j9k25JrUT9CF0ofnvJtuqeu7sl7P9SO5gvqxrrr v51nDak4bPiKYz9/ms5clRunw1WJoOXHhaE2TOnC0sM/cnyhnnlOnaMqAefTmauSquCYPEWNHzzi fTlQeeShlDOMv2rLQx3d87E+Jb2tykl3XDVCZJbGqWnZV0jl1Fkmn7iSODy2ZtA4vm6Vf8Oduari udY8blkcxtX+Yp65xS4Mf3PNT5bN2jU6NrXnf/43dsyoBJxPZ67qKkKrZ6qzHf2/T8yjkqCYu4QB taJ5aCT0o9h6Zmeu6nTZMPzg2GAjvnWBZ1v0Kc0TfrJOFivM25mrentXRCwdHFf7leatu8N8jm0v 1mqHrt57MN59bG0XV/uXzx/JM7Vx8qmCbXboqjkImCEWnsLVPmbgGx+HWZxbW3gxs0NXjbz/Fmbw 6sLzuNrHLH/tVOji1KE2Mu86dTVWViWMlxPiGZd9TvPzj15OPMl3ht989HlbCSIduxoc+O24cR1m tXZcheDo1LufPn7sg1kRRibmL1hzp28KYE84cPumiZkgxWPPfumIeSG4ClVBXN2cnXULMOeIq96J 3wBzBK5CVcBVqAq4ClVBChblljUAmGO272i5SsU1KDuyNTC/tBHAnKJ2NBbLUgS46mzb2lL155/N 9ZUAZHLgu9FtlaorUGKaF754Z4eks3jXgAG4yiSKaPrXgAG4yiRcvY9iVlBW4q4WKVYAcHWJuVqo WAHA1cV0dZ1vzWKAOUC7uuOT5XN9MQAZtFx9bP41T/OUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIBq8//78AeWXMfwuQAAAABJRU5ErkJggg==
base64 的 png 图片:

EH4X{baby_U4rt}

painter

Usb 鼠标流量分析:

结束




本文转载自:ChaMd5安全团队 Mini-Venom Mini-Venom《EHAX CTF 2026 Writeup by Mini-Venom》
