【2019看雪CTF】Q1赛季 第七题 圆圈舞DancingCircle WP
控制台程序,里面实现了乱序大数,有反调试和花指令。
去花指令后主程序伪代码如下,里面的数据结构调整得比较乱,凑合看:
int __cdecl main(int argc, const char **argv, const char **envp)
{
v93 = retaddr;
v92 = (int)&retaddr;
v91 = v4;
v90 = v5;
v89 = v3;
sub_40D480(0x2BE8u, (int)&argc, (unsigned int)&argc);
v7 = alloca(v6);
v74 = sub_4B85B0;
v75 = dword_4B9D1C;
v76.field_4 = (int)&loc_4B9827;
v76.start = (bnode *)&v88;
v76.field_8 = (int)&v57;
sub_40D9D0((int *)&v72);
sub_40C510();
ssssssssssssssssss_401F58(v8, v9, 0, 0x25A); // 修改4BC080处的一个dword
v73 = -1;
anti_40299C(v11, v10, 0x1000); // 修改4BC084处的一个dword.可以附加绕过,或清除断点加载,等待输入时再enable 断点
bg_new_401BC6(&v86);
v73 = 1;
bg_new_401BC6((BN *)&l_obj2);
v73 = 2;
input_4B5240(&dword_4BD7C0, input);
for ( idx = 0; ; ++idx )
{
v13 = idx;
if ( !input[idx] )
{
break;
}
}
v14 = 0;
LOBYTE(v3) = 0x37;
while ( v14 != idx ) // 输入转成内存表示,类似按字节int操作
{
LOBYTE(v13) = input[v14];
LOBYTE(v12) = 0x30;
if ( (char)v13 > 0x39 )
{
LOBYTE(v12) = 0x3D;
if ( (char)v13 < 0x61 )
{
v12 = v3;
}
}
v15 = v13 - (_DWORD)v12;
l_input_hex[v14] = v15;
v13 = v15 - 1;
if ( (unsigned __int8)v13 > 0xEu )
{
goto LABEL_61;
}
++v14;
}
v16 = l_dec_num;
v17 = l_input_hex;
l_input_hex[idx] = 0;
while ( idx ) // begin hex to dec
{
v18 = &l_input_hex[idx];
do
{
v19 = (unsigned __int8)*v18 % 0xAu;
*v18 = (unsigned __int8)*v18 / 0xAu;
*(v18-- - 1) += 16 * v19;
}
while ( l_input_hex != v18 );
v20 = l_input_hex[0] % 0xAu;
l_input_hex[0] /= 0xAu;
*v16 = v20;
do
{
v4 = (BN *)idx;
v21 = idx - 1;
if ( l_input_hex[idx - 1] )
{
break;
}
--idx;
}
while ( v21 );
++v16;
} // end hex to dec
v73 = 2;
bn_set_value_from_str_4017A0(&v86, &g_num_str_1_4BC080, 16);
a2 = (_BYTE *)bn_set_value_from_str_4017A0((BN *)&l_obj2, &g_num_str_2_4BC088, 16);
bn_mul_bns_401E4C(&v86, (BN *)&l_obj2);
v57 = v4;
bn_dec_2_hex_401684((int)&v86);
v76.size = 0;
v76.idx = 0;
v77 = 0;
l_idx_i_d = 0;
l_idx_v1 = 0;
l_idx_obj1 = 0;
check_success_count = 0;
while ( 1 )
{
v73 = 3;
l_count = bn_get_count_4016AE(&v86);
if ( l_idx_obj1 >= l_count )
{
break;
}
l_value1 = bn_get_value_with_idx_4016B6(&v86, l_idx_obj1);
v79 = 0;
v80 = 0;
v81 = 0;
v23 = (_DWORD *)malloc_4B77F0(0x510);
v24 = (int)(v23 + 0x144);
v25 = v23;
v79 = v23;
v26 = 0;
v81 = v24;
do
{
v25[v26] = 0;
++v26;
}
while ( v26 != 324 );
v80 = v24;
if ( l_value1 )
{
if ( l_value1 <= 9 )
{
v43 = check_success_count;
v25[(_DWORD)v43] = 1;
v44 = v43 % 9;
v45 = l_value1;
v25[l_value1 + 9 * (unsigned int)(v43 / 9) + 80] = 1;
LODWORD(v43) = v45 + 9 * (unsigned __int64)(v43 % 9) + 161;
v4 = (BN *)3;
v25[(_DWORD)v43] = 1;
v17 = (char *)l_value1;
v25[l_value1 + 9 * (3 * (check_success_count / 27) + (signed int)v44 / 3) + 242] = 1;
v73 = 4;
sub_49CF5C(&v76.size, (int)&v79);
l_idx_v2 = l_idx_v1 + 1;
a2 = (_BYTE *)set_value_with_idx_4018DE(&stru_4C8020, l_idx_v1, l_value1);
v57 = (BN *)a2;
++check_success_count;
}
else
{
i = 0;
v59 = &l_dec_num[l_idx_i_d];
while ( 1 )
{
v62 = i + l_idx_i_d;
l_idx_v2 = i + l_idx_v1;
sum = i + check_success_count;
if ( i >= l_value1 - 9 )
{
break;
}
v27 = (_BYTE *)i;
a2 = (_BYTE *)(unsigned __int8)v59[i];
v73 = 4;
set_value_with_idx_4018DE(&stru_4C8020, l_idx_v2, (int)a2);
a2 = v27;
v57 = (BN *)v27;
v62 = 4 * sum;
v28 = 9 * (sum / 9);
l_idx_v2 = 36 * (sum / 9) + 0x144;
v60 = 36 * (sum / 9) + 0x168;
v61 = 4 * (9 * (sum % 9) - v28);
sum = 4 * (9 * (sum % 9 / 3 + 3 * (sum / 27)) - v28);
do
{
v82.start = 0;
v82.field_4 = 0;
v82.field_8 = 0;
v73 = 4;
v29 = (struc_2 *)malloc_4B77F0(0x510);
v82.start = (bnode *)v29;
v30 = 0;
v82.field_8 = (int)&v29[1];
do
{
v29->ar1[0][v30] = 0;
++v30;
}
while ( v30 != 0x144 );
v4 = (BN *)l_idx_v2;
v31 = v61;
v82.field_4 = (int)&v29[1];
*(_DWORD *)((char *)v29->ar1[0] + v62) = 1;
*(int *)((char *)&v4->field_0 + (_DWORD)v29) = 1;
v32 = (char *)v29 + v31;
v33 = (char *)v29 + sum;
*(_DWORD *)&v32[(_DWORD)v4 + 0x144] = 1;
*(_DWORD *)&v33[(_DWORD)v4 + 0x288] = 1;
v73 = 5;
sub_49CF5C(&v76.size, (int)&v82);
v57 = v34;
delete_402950((int *)&v82);
l_idx_v2 += 4;
v17 = (char *)l_idx_v2;
}
while ( v60 != l_idx_v2 );
++i;
}
v73 = 4;
l_value2 = bn_get_value_with_idx_4016B6(&v86, l_idx_obj1 + 1);
v57 = v36;
if ( l_value2 <= 9 )
{
l_idx_i_d = v62;
check_success_count = sum;
}
else
{
check_success_count = 0; // 在最中间会调用一次,动态需要patch。里面第一个函数会修改4BC11d处一个DWORD数据。最终校验要用到。应为01 02 23 24
l_value1 = 0;
do
{
v37 = *(int (__cdecl **)(BN *))((char *)g_p_anti_list_4BC020 + l_value1);
v73 = 4;
v38 = v37(v57);
check_success_count += v38 < 1;
l_value1 += 4;
}
while ( l_value1 != 0x24 );
v39 = v79;
v40 = check_success_count;
v41 = sum;
v79[(_DWORD)v41] = 1;
v42 = v41 % 9;
v39[v40 + 9 * (unsigned int)(v41 / 9) + 80] = 1;
LODWORD(v41) = v40 + 9 * (unsigned __int64)(v41 % 9) + 161;
v4 = (BN *)3;
v39[(_DWORD)v41] = 1;
v17 = (char *)check_success_count;
v39[check_success_count + 9 * (3 * (sum / 27) + (signed int)v42 / 3) + 242] = 1;
v73 = 4;
v57 = (BN *)sub_49CF5C(&v76.size, (int)&v79);
check_success_count = sum + 1;
l_idx_i_d = v62;
}
}
}
else
{
l_idx_v2 = l_idx_v1;
}
delete_402950((int *)&v79);
++l_idx_obj1;
l_idx_v1 = l_idx_v2;
}
v73 = 3;
sub_402BEE(
&v82,
&v76.size,
0xAAAAAAAB * ((v76.idx - v76.size) >> 2),
0x144);
v73 = 6;
v46 = sub_402DB6(&v82, 0);
v57 = v4;
if ( v46 )
{
v73 = 6;
node_copy_49D054(&v78, (void **)&v82.field_4);
v57 = (BN *)v17;
check_success_count = 0;
l_value1 = 0;
do
{
v47 = (BN *)l_value1;
v57 = (BN *)(v76.size + 12 * (*(_DWORD *)(v78 + l_value1) - 1));
v73 = 8;
node_copy_49D054(&v79, (void **)v57);
v57 = v47;
sum = 0;
do
{
if ( v79[sum] == 1 )
{
break;
}
++sum;
}
while ( sum != 0x51 );
if ( sum == 0x28 ) // 40 not in check list
{
--check_success_count;
}
else
{
sum -= sum >= 0x29;
v48 = 0;
do
{
if ( v79[v48 + 81] == 1 )
{
break;
}
++v48;
}
while ( v48 != 81 );
i = v48 % 9 + 1;
v73 = 7;
bn_get_value_with_idx_4016B6(&stru_4C8020, sum);// check 0-79
l_idx_v1 = (int)off_4BC060;
v49 = bn_get_value_with_idx_4016B6(&stru_4C8020, sum);
v57 = v50;
check_success_count += i == *(unsigned __int8 *)(l_idx_v1 + v49);// 按字节校验,80字节全正确。22固定,58输入转换成dec数字
}
delete_402950((int *)&v79);
l_value1 += 4;
}
while ( l_value1 != 324 );
v51 = result_info_4BC05C;
v52 = 0;
do
{
v53 = (unsigned __int8)v51[v52];
idx += 9 * (v53 ^ check_success_count) ^ 0x37;
v54 = check_success_count == v53;
v51[v52] = v53 ^ check_success_count; // decode result info xor with 0x4f
if ( v54 )
{
break;
}
++v52;
}
while ( v52 != 0x201 );
if ( idx == 0x1F1A )
{
v73 = 8;
v55 = (_DWORD *)print_4B3F00(&dword_4BD9A0, (char *)result_info_4BC05C);
sub_4B0DB0(v55);
}
delete_402950(&v78);
}
j_free(v82.start);
delete_402950(&v82.field_4);
sub_402966(&v76.size);
LABEL_61:
null_401570();
null_401570();
sub_40DA40((int *)&v72);
return 0;
}
/* Orphan comments:
div 0x0c
*/
程序中间部分用了链表类的数据结构,涉及遍历,如果从前住后看要花费很多时间,做题时因为ida反编译问题,后面代码未能显示,大部分时间全花在了中间部分,其实看了前面,然后直接从后住前推应该很快就出来了。
401F58函数功能是修改data区段的某一个双字数据,修改值牵扯到某部分代码,实际上就是断点反调试功能。
程序大致意思如下:
- 检查输入范围为[0-9 A-F]
- 输入转换成数字,记为d
- 相当于常量的两个数转成乱序大数相乘并转成16进制无序大数n
- 以n为依据,组合n和输入转换成的数字d,记为l
- 建立链表结构(类似树形)
- 遍历检查
n与d的组合规则用代码示意如下:
l = ''
d_idx = 0
for i in n:
if i > 9 :
for j in xrange(i-9):
l.append(d[d_idx])
d_idx += 1
elif i:
l.append(i)
在此中间会有一次转到4B9364所在分支,调用9个反调试函数,这里反调试函数返回值有8个0,这个值会影响到后面树形链表的遍历。
后面跳过链表部分,转到校验部分,最后输入信息是要异或解码的,与校验正确的字节数异或,直接遍历,得到值79。
再回来看n,其hex形式的值为0B 07 09 0F 03 0D 04 0B 09 0D 05 0A 06 0B 08 0C 02 03 0B 06 0C 0B 01 0C 03 05 0D 04 0B 05 0A 01 0B 07 0B 02 0F 08 0E 03 05 0B。
这就决定了l长度为80,取d的长度为58,剩余的22字节就是定值了。校验循环81次,去除0x28的那次和其减1的操作,实际校验79次,与上面得到的异或值对应。
回到校验部分,检验先取出两个数,一个是idx表示要校验的无序大数l的序号,value表示校验值,校验目标数组为4BC0D4处数据,l[idx]为序号。中间链表结构的相关代码中有对l的计算,计算代码表示如下:
for i in range(len(l)):
t = l[i]
for j in xrange(6):
t = ((t*9)^0x37)&0xff
l[i] = t
以上是按字节进行的,所以各字节互不影响,数字0-9经计算后结果为:
0 0xe8
1 0x49
2 0x4a
3 0xab
4 0x2c
5 0x8d
6 0xe
7 0xef
8 0x50
9 0x51
目标校验数组中值为0-9的序号为:
0 ['0xe8']
1 ['0x20', '0x49']
2 ['0x4a']
3 ['0xab']
4 ['0x2c']
5 ['0x2e', '0x8d']
6 ['0xe']
7 ['0x2', '0xd', '0xd7', '0xef']
8 ['0x23', '0x50', '0xc0']
9 ['0x51']
再结合动态调试,发现校验时取的idx和value其实就是与计算前的l一一对应(我是看完链表后才发现的。。。)。
下面就好办了,直接OD在4B96FC和4B9708下记录断点,获取value和idx,然后直接还原输入:
idx = [2, 3, 10, 15, 18, 23, 25, 28, 32, 33, 36, 42, 46, 47, 52, 55, 57, 60, 63, 70, 76, 77, 39, 66, 19, 34, 37, 1, 11, 44, 49, 12, 5, 13, 14, 41, 51, 16, 9, 0, 17, 20, 43, 45, 27, 48, 50, 35, 26, 7, 4, 6, 8, 24, 61, 68, 59, 78, 69, 62, 71, 53, 72, 54, 56, 58, 40, 30, 31, 29, 38, 65, 21, 22, 67, 64, 73, 74, 75, 79]
idx1 = idx[:22]
idx2 = idx[22:]
idx2.sort()
v = [7, 9, 3, 4, 9, 5, 6, 8, 2, 3, 6, 1, 3, 5, 4, 5, 1, 7, 2, 8, 3, 5, 3, 5, 1, 5, 5, 6, 2, 2, 1, 1, 8, 6, 7, 8, 9, 8, 5, 4, 9, 8, 2, 7, 1, 8, 6, 7, 3, 2, 3, 1, 5, 7, 6, 9, 2, 4, 3, 7, 8, 3, 9, 4, 8, 9, 4, 6, 9, 4, 9, 4, 2, 4, 6, 1, 6, 7, 2, 1]
l = []
for i in idx2:
l.append(v[idx.index(i)])
s = ''.join(map(str,l))[::-1]
print s
h = hex(int(s))[2:][::-1].replace('L','').upper()
print h
最终flag为CBC25EF8D9F482BC1F3DA3CA1F154EC89FC3F1414EDD93A3。
另外是,此题在输入上限制较少,存在多解,有两种情况。
- 字符范围限制不严,没有限制符号
- 没有限制长度,在保证输入转成10进制后,低58个数字正确即可,前面可以任意加。
第一种情况因为赛制规则,可以不考虑。但第二种情况确实存在,且数量具大。我列了前面加10进制数字1024以内的解如下,前面为加的高位十进制数,后面为对应的正确输入:
4 CBC25EF8D9F482B5578FCE7A6271C8C66C6153C6B4A5D8996
14 CBC25EF8D9F48234EB35A2D1B248FAB9647BB68CD411ED7861
23 CBC25EF8D9F482746E52B7352EFF8E29351EC9E4639E95ED42
28 CBC25EF8D9F482BBA83D91E8466BA7AA39138BC77B44285DC2
39 CBC25EF8D9F482784F7B34246B41881178844FEA3DAD7AB5E3
46 CBC25EF8D9F4823CAD77BBAF2DDADE89DA58A198884F972894
59 CBC25EF8D9F4827568E6EBC2FBEEECF6789816768D849483E5
66 CBC25EF8D9F48239C6E2635EBD78437FDA6C7814D826B1F596
74 CBC25EF8D9F4823B3777A9CD5421486B74A73B1FB5B52CD167
78 CBC25EF8D9F482347FB9C48DA77DB26941459C943C7D51D7C7
79 CBC25EF8D9F48272815293718C8C51EC78ACECF1DD6BAE41E7
83 CBC25EF8D9F4827BB994BE21DFD8DBDA454A4E774433E34748
117 CBC25EF8D9F482FF9FF755E6F3A9FCA12AF5E94E2B4D38E9AB
128 CBC25EF8D9F482BC3646F722198FCD185967AD61FCA69A42CC
155 CBC25EF8D9F4827DBDAD175C6BB69876CB4FD69A882FC1827F
195 CBC25EF8D9F48277FF7476A98CF17142DB6784A129ECF51E631
218 CBC25EF8D9F4823F3F997A149BDCB1A271B16C454E9DF758B51
223 CBC25EF8D9F48276897464C7B348DA1475B61E2856538AC7361
225 CBC25EF8D9F482F2AD95F1AF5D66181BD385CEE2993F15CA661
236 CBC25EF8D9F482BF34E394EA725CE88113F682165B987723871
244 CBC25EF8D9F482B1B478DA5A19F4ED7DAC2245114828E11F481
247 CBC25EF8D9F4827CDA2237269732C9F7426846391DF1D98B981
253 CBC25EF8D9F482F13795EFBD84BC71FC7DC45879C6A5A974391
260 CBC25EF8D9F482B5959167495646D765EF98BA171247C6E6E91
267 CBC25EF8D9F48279F39DDEC428DF2EDD427C1DB46DD8E3599A1
275 CBC25EF8D9F4827B64222544CE7823D9EBA7DFBF4A685E356B1
283 CBC25EF8D9F4827DD4B66BB3652128C585E292CA37F7C8213C1
290 CBC25EF8D9F4823143B2E24F27BA7E3EE7B6F4688299E593EC1
303 CBC25EF8D9F4827AFD121362F5CE8CAB85F6694687DED2FE2E1
311 CBC25EF8D9F4827C6EA659D19C6781A72F222C41746E4DDAFE1
316 CBC25EF8D9F482B3B8814385B4D2AA192337DD248C14DF4A7F1
339 CBC25EF8D9F4827BF7A647FFB3BDEA79C871B5D7A1D4D194C12
346 CBC25EF8D9F4823F56A2CE7B854741F13B451875FC66FEF6722
350 CBC25EF8D9F482389EE4E93BD893CBEFF7E279FA633E24FCD22
359 CBC25EF8D9F482781112FE9E445B5F5FC8858C53F1BBEB52C32
361 CBC25EF8D9F482F435338C76FD799C5637543D1E25978655F32
363 CBC25EF8D9F4827159541A5E97A7D95D9523EDD868732158242
386 CBC25EF8D9F4823998791EC8A6822ABD3B6DB58C8D242392762
403 CBC25EF8D9F4827B8B2B69ABB8E2B229A54B8BEFF83155E3282
404 CBC25EF8D9F482B99DB3389F8DF151ACDCA2EB4D9A2F926D382
431 CBC25EF8D9F4827A152B57C9EF291CFA4F8A157636A7D99DEA2
439 CBC25EF8D9F4827C85BF9D3986D111F6E8C5D77123374489BB2
443 CBC25EF8D9F48275CDF1C8F8D92E8BE4B56339F699FE797F1C2
444 CBC25EF8D9F482B3DF8A87ECAE3D2A68ECCA89543BECC6F83C2
456 CBC25EF8D9F482BE7861F81C9832A95253A3ADD49E3476DA6D2
459 CBC25EF8D9F48279AE1B45E7177F75DCE8D9AEFC631E5E47BD2
468 CBC25EF8D9F482B921485A4B8237194CB97CB165F19B16BC9E2
479 CBC25EF8D9F48276C786FC86A71DE9B2F8ED7588B3F47815BF2
496 CBC25EF8D9F482B8BA384869B97D722E53CB4BEB2FF1AA66613
498 CBC25EF8D9F48235DE59D54163ABBF15C19AFBA662ED3569913
505 CBC25EF8D9F482F83D555DCC2535169D246E5E44BD7F52DB423
508 CBC25EF8D9F482B3631FA998A372F118C9946F6C82594A48923
523 CBC25EF8D9F4827932AF67931CA44D7CC5A38415CA7AD1A6143
526 CBC25EF8D9F482346859C36F8AE129F66BD9853D9F44C913643
533 CBC25EF8D9F482F7C6554BEA5C7B7F6FCDADE7DAEAE5E685153
541 CBC25EF8D9F482F937E9816AF224746B67E8AAD5D7755171E53
572 CBC25EF8D9F482B3F693DB44A8A7B9B7A66E3584E9B5CD97F83
588 CBC25EF8D9F482B7D7BC5833E5F8A3AFD9D4BA8AB3D4A27F8A3
599 CBC25EF8D9F482747EFAFA7EFADE741619467EAD753EF4D7AB3
612 CBC25EF8D9F482BD296A2B91C9E29283B686E29B7A73F133FC3
614 CBC25EF8D9F4823A4D8BB8796311DF7A15559356BD5F8C262D3
617 CBC25EF8D9F482F473451545E15EABF4BA8B947E823974A27D3
618 CBC25EF8D9F4823385DDD339B66D4A78E1F2F4DB2427C12C8D3
619 CBC25EF8D9F482719766A22D8B7CE8FB195A4539C5151F95AD3
636 CBC25EF8D9F482B38A18FDFF9DDC716783381B9C312241F65F3
641 CBC25EF8D9F482FAC4F2E7A3C5489AD8873DCC7F49D7C366DF3
642 CBC25EF8D9F48239D68BA6979A57395CBE942DDCEAC511EFEF3
658 CBC25EF8D9F4823DB7A43386D7A82344F11B92E2C4E4F5B7814
662 CBC25EF8D9F48236FFE65E362BF4AD32CEA8F3683BAC2BADE14
674 CBC25EF8D9F48231A8CDBF6515F91D2C258118E89EF3DA8F134
679 CBC25EF8D9F48278E2A8A9193D5536AD2986C9CBA6B95DFE934
688 CBC25EF8D9F482B865C5BE7CA81DC91DF929DC2435371564844
694 CBC25EF8D9F4823EB1396714A59781123595EE64EEDAE45D154
697 CBC25EF8D9F482F8E7E2C3EF14D46D8CCACBEF8CB3B4DCC9654
716 CBC25EF8D9F482B7FEB5AC9ADF5333FE937866BA62AD991E474
731 CBC25EF8D9F4827DCD466A9548958E53AF778B53AACE217CC84
751 CBC25EF8D9F4827AE6B11244D833F249AF8B52EEEAA54B3ACA4
757 CBC25EF8D9F482FF3325CADBC5BDAA3EDAF7642F94591B236B4
758 CBC25EF8D9F4823E45BD89CF9ACC49B1126FB48C364768AC7B4
759 CBC25EF8D9F4827C574658B37FDBE73549C615E9D735B5269B4
763 CBC25EF8D9F482759F887373C23862331664766F4EFCEA1CFB4
768 CBC25EF8D9F482BCD9636D17EA938BA41A69284266B27D8B7C4
790 CBC25EF8D9F4823617FF92AD156F2D81884CAF88E975225CAE4
796 CBC25EF8D9F482BB63635B3512E9E486B3B8B1D89329F1454F4
815 CBC25EF8D9F4827A7A3634FFCD68BAE88C5538F64212CE89215
817 CBC25EF8D9F482F69E57C1D77796F7EFEA24E8B185FD598C515
819 CBC25EF8D9F48273B2885FAF11C435E659F2997CB8D9F38F815
821 CBC25EF8D9F482FFC6A9EC87CAE272EDB7C14A37FBB59E72C15
822 CBC25EF8D9F4823ED832BB7B9FF11161FE299A949DA3EBFBD15
827 CBC25EF8D9F48275231D952FB76D2AD2F23E4C77A5696E6B525
828 CBC25EF8D9F482B335A564139C7CC8562A95ACD44757BBE4725
845 CBC25EF8D9F482F52857BFE5AEDC51C194737248B264ED36245
846 CBC25EF8D9F482343AEF7ED973FBFF35CBDAC2A554523BBF345
853 CBC25EF8D9F482F798EBF565458556BD2EAE2543AFE35822F45
881 CBC25EF8D9F482F622EBE3837CCBBF8FC7FDBEC9DC5ADCDBB75
891 CBC25EF8D9F48275B691C7DABC92F182DFF7229FFCC5E1CAB85
908 CBC25EF8D9F482B7A94313BDCEF28AED3AD5F7F278D2141C6A5
916 CBC25EF8D9F482B91AD7592D65AB7FD9D311BAFD55628EF73B5
926 CBC25EF8D9F48238AE8D2D74B572B1DCDB1B1EB385DD83E63C5
937 CBC25EF8D9F482F445DBCFBFCA5882431B8CD1E64737E54F4D5
938 CBC25EF8D9F4823357649EA3AF6721C642F33244E82533C86D5
942 CBC25EF8D9F4823C8FA6B963F2C3ABB41F8193C95FEC68BECD5
947 CBC25EF8D9F48273D981A3171B2FB436139645AC67A2FA2E4E5
949 CBC25EF8D9F482FFEDA231FEB45DF13D7165F567AA8E85218E5
952 CBC25EF8D9F482BA146C8DBA339ADDA7179BF68F7F587D9DCE5
984 CBC25EF8D9F482B2E5AE9698BD2DB1878D78E19B2396374DF16
991 CBC25EF8D9F4827644AA1E148FB618FFEF4C44397E2854BFA26
993 CBC25EF8D9F482F268CBABFB29E455F65E1BF4F3B114FEA2E26
995 CBC25EF8D9F4827F7CEC39D3D21392FDBCE9A5BEE4FF89A5136
1003 CBC25EF8D9F48271FC718F4379BB87E9562568B9D18FF391E36
1009 CBC25EF8D9F482F649E438EA66364FDE81917AF98B23D38A746
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
