-
-
[原创]2022-长城杯初赛Write up-by EchoSec安全团队
-
发表于: 2022-8-29 21:30 10112
-
EchoSec安全团队参加的首场比赛,在各位师傅们的输出下,也拿到第8名的成绩,虽然不算特别好,也是EchoSec安全团队迈出的第一步。同时欢迎各位有兴趣的师傅加入我们,一起学习进步。可+v:He1l_T4lk
打开之后很多花,我感觉没多少就直接手动patch,结果还真不少
patch完之后可以看到主函数
其实主函数没什么用,主函数可以看到blow_fish,aes等相关的东西,仔细分析发现是无关的
从主函数的逻辑,也就是最后的结果字符串看
哪怕通过了check也不是flag
仔细观察后发现在blow_fish_encrypt里面有seh,触发异常会调用,进入sub_411e0函数
这里面才是我们要的东西
分析seh中各个try/except
,会在0004136B
发现在这样一部分代码,4个输入hjkl
配上跳转,加上题目的提示
Alice saw a white rabbit talking to himself, and then out of curiosity, she followed him into a rabbit hole. Now, can you help her find the right way out of here?
猜测可能是迷宫题,迷宫题的话就需要找到迷宫的图,然后画出来就可以了,这个迷宫是两个数组组成,要相互异或,然后再异或行和列左移8位的值,具体xor在下图
等效于
分析4个字符对应操作可以知道
一行长度为0x15
,高长度也为0x15
,符合两个数组的大小0x15*0x15=441
提取两段数据,按规则每一位都算一下,最后结果只有0或1
结果如下
按着1的方向走,得到最简结果
exp:
python编写的exe先pyinstxtractor.py提取pyc
python3.7提取出run.pyc后,uncompyle6转成python脚本
发现用到了new库,这不是现有的库,而是出题人自己写的,在提取出来的文件中可以找到new.cp37-win_amd64.pyd
文件,pyd文件很难看,查了一下大部分都是用测信道测试的方法来做,通俗的来说就是调用pyd中的函数来检测输入输出之间的差异,可能xor某些数值,幸运的是这题就是这样来做
只看密文知道至少有一个base64,ida 打开pyd查看一下字符串,发现pyd被upx加壳了,吾爱破解的脱壳软件脱壳失败,放到linux下的upx反而可以脱壳成功 upx -d new.cp37-win_amd64.pyd
可以看到正常的base64表和一个base64表等长的表 uKbnhWvcAesT74M6D2CU/EjrgLYo50GiOtFPXI1HaB3yZqkd+JSR8lzVNpwf9xQm
,直接base64解码什么都没有,考虑到可能base64换表了
尝试base64换表一下得到b"pUSs83T'D\x07\x02\x00^y\x12CG[]A<=kyYQ\x07lDR\x01\x01?"
这可能还用了其他函数加密,查阅了资料后发现可以本地python导入已有的pyd,使用help
命令可以查看一些信息
里面有一些奇怪的函数名,没有看到base64,怀疑base64的函数名被改了
尝试写脚本测试一下源代码中的,把结果base64换表之后解密,再和输入值异或得到一个异或值,多加密几次发现异或值一样就可以确定了
发现两组输入值之间相异或值为1,输入相异或也为1,那说明每次输入都是异或相同的值,我们讲密文和输入值相异或可以得到中间的异或值。输入长度为32是因为测试后发现输入再多就会报错,还有就是题目密文base64解密后长度为32位
exp:
Free 的时候没有清空存在 UAF ;输入的时候存在简单加密,IDA 反编译不出来函数,通过调试可以知道与固定字符进行异或操作;输出函数使用一定次数后会关闭 stdout ;后面还发现会禁用 free_hook 和 malloc_hook ;
利用 UAF 进行 largebin attack 攻击 mp_.tcache_bins ,将 tcache size 范围扩大;泄露出 environ 上面的栈地址;劫持返回地址运行 ROP getshell ;
根据提示联想到最近的一个洞:CVE-2022-34265
根据报错信息拼接出正常回显的payload
因为可以报错,直接报错注入,同时提示flag在flag表,直接查询
只得到flag的前31位,用SQL函数进行切割
团队起步阶段,如果错误还望师傅们指正,同时欢迎加入我们:He1l_T4lk
30
[
0
]
=
v3;
v30[
1
]
=
retaddr;
v6
=
alloca(
4532
);
atexit(end);
cout(std::cout,
"Help Alice find a way out of the rabbit hole:"
);
gets_s(
input
,
0x100u
);
input_length
=
strlen(
input
);
/
/
input_length
16
,
134.
.
v8
=
BYTE2(input_length) ^ (
16777619
*
(BYTE1(input_length) ^ (
16777619
*
((unsigned __int8)input_length ^
0x50C5D1F
))));
v9
=
HIBYTE(input_length) ^ (
16777619
*
v8);
if
( v9
=
=
0x458766D3
)
/
/
input
length
=
134
{
strcpy(key,
"The quick brown fox jumps over the lazy dog."
);
blow_fish_init((
int
)this, v4, v5, (
int
)key, v8);
memset(key,
0
,
40
);
blow_fish_encrypt(this, (
int
)key, (
int
)
input
, v19);
v20
=
0
;
while
( key[v20]
=
=
not
[v20] )
{
if
(
+
+
v20 >
=
40
)
{
v21
=
cout(std::cout,
"Can you get h3re? :>"
);
std::ostream::operator<<(v21);
return
0
;
}
}
v17
=
(const char
*
)&unk_44C88;
/
/
:<
LABEL_16:
30
[
0
]
=
v3;
v30[
1
]
=
retaddr;
v6
=
alloca(
4532
);
atexit(end);
cout(std::cout,
"Help Alice find a way out of the rabbit hole:"
);
gets_s(
input
,
0x100u
);
input_length
=
strlen(
input
);
/
/
input_length
16
,
134.
.
v8
=
BYTE2(input_length) ^ (
16777619
*
(BYTE1(input_length) ^ (
16777619
*
((unsigned __int8)input_length ^
0x50C5D1F
))));
v9
=
HIBYTE(input_length) ^ (
16777619
*
v8);
if
( v9
=
=
0x458766D3
)
/
/
input
length
=
134
{
strcpy(key,
"The quick brown fox jumps over the lazy dog."
);
blow_fish_init((
int
)this, v4, v5, (
int
)key, v8);
memset(key,
0
,
40
);
blow_fish_encrypt(this, (
int
)key, (
int
)
input
, v19);
v20
=
0
;
while
( key[v20]
=
=
not
[v20] )
{
if
(
+
+
v20 >
=
40
)
{
v21
=
cout(std::cout,
"Can you get h3re? :>"
);
std::ostream::operator<<(v21);
return
0
;
}
}
v17
=
(const char
*
)&unk_44C88;
/
/
:<
LABEL_16:
for
( k
=
0
;
(HIBYTE(k) ^ (
16777619
*
(BYTE2(k) ^ (
16777619
*
(BYTE1(k) ^ (
16777619
*
((unsigned __int8)k ^
0x50C5D1F
))))))) !
=
1563082853
;
+
+
k )
{
if
(
*
((_BYTE
*
)&v30[
-
1130
]
+
k) !
=
cipher[k] )
{
v15
=
cout(std::cout,
"That is toooooooo bad :("
);
/
/
to bad
std::ostream::operator<<(v15);
exit(
-
1
);
}
}
v16
=
cout(std::cout,
"Not a very good path dont you think? :)"
);
std::ostream::operator<<(v16);
return
0
;
}
for
( k
=
0
;
(HIBYTE(k) ^ (
16777619
*
(BYTE2(k) ^ (
16777619
*
(BYTE1(k) ^ (
16777619
*
((unsigned __int8)k ^
0x50C5D1F
))))))) !
=
1563082853
;
+
+
k )
{
if
(
*
((_BYTE
*
)&v30[
-
1130
]
+
k) !
=
cipher[k] )
{
v15
=
cout(std::cout,
"That is toooooooo bad :("
);
/
/
to bad
std::ostream::operator<<(v15);
exit(
-
1
);
}
}
v16
=
cout(std::cout,
"Not a very good path dont you think? :)"
);
std::ostream::operator<<(v16);
return
0
;
}
.text:
00041595
loc_41595: ; DATA XREF: .rdata:stru_45340↓o
.text:
00041595
; __except(loc_41577)
/
/
owned by
41538
.text:
00041595
8B
65
E8 mov esp, [ebp
+
ms_exc.old_esp]
.text:
00041598
8B
4D
0C
mov ecx, [ebp
+
arg_4]
.text:
0004159B
E8
40
FC FF FF call sub_411E0
.text:
0004159B
; }
/
/
starts at
41538
.text:
00041595
loc_41595: ; DATA XREF: .rdata:stru_45340↓o
.text:
00041595
; __except(loc_41577)
/
/
owned by
41538
.text:
00041595
8B
65
E8 mov esp, [ebp
+
ms_exc.old_esp]
.text:
00041598
8B
4D
0C
mov ecx, [ebp
+
arg_4]
.text:
0004159B
E8
40
FC FF FF call sub_411E0
.text:
0004159B
; }
/
/
starts at
41538
.text:
000413BA
8D
04
11
lea eax, [ecx
+
edx] ; ecx是行数
*
0x15
,edx是列数,ecx
+
edx表示地图数组偏移
.text:
000413BD
0F
B6
88
08
42
04
00
movzx ecx, ds:byte_44208[eax] ; 取出byte_44208对应索引值
.text:
000413C4
33
0C
85
C8
43
04
00
xor ecx, ds:dword_443C8[eax
*
4
] ; 取出dword_443C8对应索引值与byte_44208对应值异或后存在ecx
.text:
000413CB
8B
C2 mov eax, edx
.text:
000413CD
C1 E0
08
shl eax,
8
; 列数左移
8
位后和ecx异或
.text:
000413D0
33
C8 xor ecx, eax
.text:
000413D2
33
CB xor ecx, ebx ; 行数异或ecx
.text:
000413D4
83
F9
01
cmp
ecx,
1
; 对比值是否为
1
,为
1
则继续检查下一个输入,错误则exit
.text:
000413D7
75
28
jnz short loc_41401
.text:
000413BA
8D
04
11
lea eax, [ecx
+
edx] ; ecx是行数
*
0x15
,edx是列数,ecx
+
edx表示地图数组偏移
.text:
000413BD
0F
B6
88
08
42
04
00
movzx ecx, ds:byte_44208[eax] ; 取出byte_44208对应索引值
.text:
000413C4
33
0C
85
C8
43
04
00
xor ecx, ds:dword_443C8[eax
*
4
] ; 取出dword_443C8对应索引值与byte_44208对应值异或后存在ecx
.text:
000413CB
8B
C2 mov eax, edx
.text:
000413CD
C1 E0
08
shl eax,
8
; 列数左移
8
位后和ecx异或
.text:
000413D0
33
C8 xor ecx, eax
.text:
000413D2
33
CB xor ecx, ebx ; 行数异或ecx
.text:
000413D4
83
F9
01
cmp
ecx,
1
; 对比值是否为
1
,为
1
则继续检查下一个输入,错误则exit
.text:
000413D7
75
28
jnz short loc_41401
if
((byte)byte_44208[ecx
+
edx] ^ (dword)dword_443c8[ecx
+
edx] ^ (edx<<
8
) ^ ecx
=
=
1
){
...
}
else
{
exit(
0
)
}
if
((byte)byte_44208[ecx
+
edx] ^ (dword)dword_443c8[ecx
+
edx] ^ (edx<<
8
) ^ ecx
=
=
1
){
...
}
else
{
exit(
0
)
}
.text:
0004136B
3C
6A
cmp
al,
6Ah
;
'j'
.text:
0004136D
75
2A
jnz short loc_41399
.text:
0004136D
.text:
0004136F
43
inc ebx
.text:
00041370
89
5D
E0 mov [ebp
+
var_20], ebx ; 行
.text:
00041373
83
C1
15
add ecx,
15h
; 一行
21
个
.text:
00041376
89
4D
D8 mov [ebp
+
var_28], ecx ; 地图偏移
.text:
0004136B
3C
6A
cmp
al,
6Ah
;
'j'
.text:
0004136D
75
2A
jnz short loc_41399
.text:
0004136D
.text:
0004136F
43
inc ebx
.text:
00041370
89
5D
E0 mov [ebp
+
var_20], ebx ; 行
.text:
00041373
83
C1
15
add ecx,
15h
; 一行
21
个
.text:
00041376
89
4D
D8 mov [ebp
+
var_28], ecx ; 地图偏移
x1
=
[...]
x2
=
[...]
x3
=
[]
for
i
in
range
(
21
):
for
j
in
range
(
21
):
x3.append(x1[i
*
0x15
+
j]^x2[i
*
0x15
+
j]^i^(j<<
8
))
print
(
hex
(x1[
21
]))
for
i
in
range
(
0
,
441
,
21
):
print
(x3[i:i
+
21
])
x1
=
[...]
x2
=
[...]
x3
=
[]
for
i
in
range
(
21
):
for
j
in
range
(
21
):
x3.append(x1[i
*
0x15
+
j]^x2[i
*
0x15
+
j]^i^(j<<
8
))
print
(
hex
(x1[
21
]))
for
i
in
range
(
0
,
441
,
21
):
print
(x3[i:i
+
21
])
[
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
]
[
1
,
0
,
0
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
]
[
1
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
0
,
0
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
1
,
1
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
0
,
1
,
1
,
1
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
0
,
1
,
0
,
0
,
0
,
1
,
1
,
1
,
0
,
1
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
0
,
0
,
0
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
1
,
0
,
1
,
0
,
1
,
0
]
[
0
,
1
,
1
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
1
,
0
,
1
,
0
]
[
0
,
0
,
0
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
1
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
]
[
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
1
]
[
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
]
[
1
,
0
,
0
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
]
[
1
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
0
,
0
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
1
,
1
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
0
,
1
,
1
,
1
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
0
,
1
,
0
,
0
,
0
,
1
,
1
,
1
,
0
,
1
,
0
,
0
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
]
[
0
,
0
,
0
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
1
,
0
,
1
,
0
,
1
,
0
]
[
0
,
1
,
1
,
1
,
0
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
0
,
1
,
1
,
0
,
1
,
0
]
[
0
,
0
,
0
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
1
,
1
,
1
,
1
,
1
,
0
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
]
[
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
]
[
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
1
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
0
,
0
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
0
,
0
,
1
,
0
,
0
,
1
,
0
]
[
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
1
,
1
]
.\rabbit_hole_release.exe
Help
Alice find a way out of the rabbit hole:jjjllllllllllllllljjjjjjjjkjjkkkkhhhhhhhkkkkkkkkkkjjjjllljjjlllhhhhlljjjjjjkkkkkkkkjjlllllllllllhhlllllhhhlhhhhhhhhlljjjjjjjjjjjjjjjjl
You r3A1ly Have f0und the r1ght way!!! :)
The game has ended! Have you found a way out?
If you think you do, then your flag will be: flag{md5(
input
)}
.\rabbit_hole_release.exe
Help
Alice find a way out of the rabbit hole:jjjllllllllllllllljjjjjjjjkjjkkkkhhhhhhhkkkkkkkkkkjjjjllljjjlllhhhhlljjjjjjkkkkkkkkjjlllllllllllhhlllllhhhlhhhhhhhhlljjjjjjjjjjjjjjjjl
You r3A1ly Have f0und the r1ght way!!! :)
The game has ended! Have you found a way out?
If you think you do, then your flag will be: flag{md5(
input
)}
flag
=
'jjj'
+
'l'
*
15
+
'j'
*
8
+
'kjjkkkk'
+
'h'
*
7
+
'k'
*
10
+
'jjjj'
+
'llljjjlllhhhhll'
+
'j'
*
6
+
'k'
*
8
+
'jj'
+
'l'
*
11
+
'hhlllllhhhl'
+
'h'
*
8
+
'll'
+
'j'
*
16
+
'l'
print
(flag)
print
(md5(flag.encode()).hexdigest())
flag
=
'jjj'
+
'l'
*
15
+
'j'
*
8
+
'kjjkkkk'
+
'h'
*
7
+
'k'
*
10
+
'jjjj'
+
'llljjjlllhhhhll'
+
'j'
*
6
+
'k'
*
8
+
'jj'
+
'l'
*
11
+
'hhlllllhhhl'
+
'h'
*
8
+
'll'
+
'j'
*
16
+
'l'
print
(flag)
print
(md5(flag.encode()).hexdigest())
from
new
import
*
print
(
'welcome!!!'
)
flag_input
=
input
(
'please input flag:'
)
if
set
(word) >
=
set
(flag_input):
pt
=
mmo(flag_input)
flag
=
pt()
if
flag
=
=
'5WEU5ROREb0hK+AurHXCD80or/h96jqpjEhcoh2CuDh='
:
print
(
'right!!!'
)
print
(
'your flag: flag{'
+
flag_input
+
'}'
)
else
:
print
(
'Error'
)
else
:
print
(
'please input again!'
)
from
new
import
*
print
(
'welcome!!!'
)
flag_input
=
input
(
'please input flag:'
)
if
set
(word) >
=
set
(flag_input):
pt
=
mmo(flag_input)
flag
=
pt()
if
flag
=
=
'5WEU5ROREb0hK+AurHXCD80or/h96jqpjEhcoh2CuDh='
:
print
(
'right!!!'
)
print
(
'your flag: flag{'
+
flag_input
+
'}'
)
else
:
print
(
'Error'
)
else
:
print
(
'please input again!'
)
ata:
000000018000A710
aUkbnhwvcaest74 db
'uKbnhWvcAesT74M6D2CU/EjrgLYo50GiOtFPXI1HaB3yZqkd+JSR8lzVNpwf9xQm'
,
0
.rdata:
000000018000A710
; DATA XREF: .data:
000000018000E570
↓o
.rdata:
000000018000A751
align
8
.rdata:
000000018000A758
aO0oo00o000oo00 db
'O0OO00O000OO00000'
,
0
.rdata:
000000018000A758
; DATA XREF: .data:
000000018000DEB8
↓o
.rdata:
000000018000A76A
align
10h
.rdata:
000000018000A770
aO000ooo00oo0o0 db
'O000OOO00OO0O0OO0'
,
0
.rdata:
000000018000A770
; DATA XREF: .data:
000000018000DDF0
↓o
.rdata:
000000018000A782
align
8
.rdata:
000000018000A788
aO0000o000ooo0o db
'O0000O000OOO0OOOO'
,
0
.rdata:
000000018000A788
; DATA XREF: .data:
000000018000DDA0
↓o
.rdata:
000000018000A79A
align
20h
.rdata:
000000018000A7A0
aImport db
'__import__'
,
0
; DATA XREF: .data:
000000018000E160
↓o
.rdata:
000000018000A7AB
align
10h
.rdata:
000000018000A7B0
aMmoCall db
'mmo.__call__'
,
0
; DATA XREF: .data:
000000018000E278
↓o
.rdata:
000000018000A7BD
align
20h
.rdata:
000000018000A7C0
aDoc_0 db
'__doc__'
,
0
; DATA XREF: .data:
000000018000E0E8
↓o
.rdata:
000000018000A7C8
aMaketrans db
'maketrans'
,
0
; DATA XREF: .data:
000000018000E200
↓o
.rdata:
000000018000A7D2
align
8
.rdata:
000000018000A7D8
aName_1 db
'__name__'
,
0
; DATA XREF: .data:
000000018000E318
↓o
.rdata:
000000018000A7E1
align
8
.rdata:
000000018000A7E8
aOoooo0o000o00o db
'OOOOO0O000O00O0O0'
,
0
.rdata:
000000018000A7E8
; DATA XREF: .data:
000000018000DFA8
↓o
.rdata:
000000018000A7FA
align
20h
.rdata:
000000018000A800
aO0o0o00o0o0o00 db
'O0O0O00O0O0O00O00'
,
0
.rdata:
000000018000A800
; DATA XREF: .data:
000000018000DE90
↓o
.rdata:
000000018000A812
align
4
.rdata:
000000018000A814
aSend_0 db
'send'
,
0
; DATA XREF: .data:
000000018000E4D0
↓o
.rdata:
000000018000A819
align
20h
.rdata:
000000018000A820
aOo00o0oo00oo00 db
'OO00O0OO00OO0000O'
,
0
.rdata:
000000018000A820
; DATA XREF: .data:
000000018000DF30
↓o
.rdata:
000000018000A832
align
8
.rdata:
000000018000A838
aTest db
'__test__'
,
0
; DATA XREF: .data:
000000018000E4F8
↓o
.rdata:
000000018000A841
align
8
.rdata:
000000018000A848
aMmoInit db
'mmo.__init__'
,
0
; DATA XREF: .data:
000000018000E2A0
↓o
.rdata:
000000018000A855
align
8
.rdata:
000000018000A858
aOo000ooo0o0ooL db
'oo000ooo0o0oo.<locals>.genexpr'
,
0
.rdata:
000000018000A858
; DATA XREF: .data:
000000018000E408
↓o
.rdata:
000000018000A877
align
8
.rdata:
000000018000A878
aGenexpr_0 db
'genexpr'
,
0
; DATA XREF: .data:
000000018000E138
↓o
.rdata:
000000018000A880
aAbcdefghijklmn_0 db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
+
/
ata:
000000018000A710
aUkbnhwvcaest74 db
'uKbnhWvcAesT74M6D2CU/EjrgLYo50GiOtFPXI1HaB3yZqkd+JSR8lzVNpwf9xQm'
,
0
.rdata:
000000018000A710
; DATA XREF: .data:
000000018000E570
↓o
.rdata:
000000018000A751
align
8
.rdata:
000000018000A758
aO0oo00o000oo00 db
'O0OO00O000OO00000'
,
0
.rdata:
000000018000A758
; DATA XREF: .data:
000000018000DEB8
↓o
.rdata:
000000018000A76A
align
10h
.rdata:
000000018000A770
aO000ooo00oo0o0 db
'O000OOO00OO0O0OO0'
,
0
.rdata:
000000018000A770
; DATA XREF: .data:
000000018000DDF0
↓o
.rdata:
000000018000A782
align
8
.rdata:
000000018000A788
aO0000o000ooo0o db
'O0000O000OOO0OOOO'
,
0
.rdata:
000000018000A788
; DATA XREF: .data:
000000018000DDA0
↓o
.rdata:
000000018000A79A
align
20h
.rdata:
000000018000A7A0
aImport db
'__import__'
,
0
; DATA XREF: .data:
000000018000E160
↓o
.rdata:
000000018000A7AB
align
10h
.rdata:
000000018000A7B0
aMmoCall db
'mmo.__call__'
,
0
; DATA XREF: .data:
000000018000E278
↓o
.rdata:
000000018000A7BD
align
20h
.rdata:
000000018000A7C0
aDoc_0 db
'__doc__'
,
0
; DATA XREF: .data:
000000018000E0E8
↓o
.rdata:
000000018000A7C8
aMaketrans db
'maketrans'
,
0
; DATA XREF: .data:
000000018000E200
↓o
.rdata:
000000018000A7D2
align
8
.rdata:
000000018000A7D8
aName_1 db
'__name__'
,
0
; DATA XREF: .data:
000000018000E318
↓o
.rdata:
000000018000A7E1
align
8
.rdata:
000000018000A7E8
aOoooo0o000o00o db
'OOOOO0O000O00O0O0'
,
0
.rdata:
000000018000A7E8
; DATA XREF: .data:
000000018000DFA8
↓o
.rdata:
000000018000A7FA
align
20h
.rdata:
000000018000A800
aO0o0o00o0o0o00 db
'O0O0O00O0O0O00O00'
,
0
.rdata:
000000018000A800
; DATA XREF: .data:
000000018000DE90
↓o
.rdata:
000000018000A812
align
4
.rdata:
000000018000A814
aSend_0 db
'send'
,
0
; DATA XREF: .data:
000000018000E4D0
↓o
.rdata:
000000018000A819
align
20h
.rdata:
000000018000A820
aOo00o0oo00oo00 db
'OO00O0OO00OO0000O'
,
0
.rdata:
000000018000A820
; DATA XREF: .data:
000000018000DF30
↓o
.rdata:
000000018000A832
align
8
.rdata:
000000018000A838
aTest db
'__test__'
,
0
; DATA XREF: .data:
000000018000E4F8
↓o
.rdata:
000000018000A841
align
8
.rdata:
000000018000A848
aMmoInit db
'mmo.__init__'
,
0
; DATA XREF: .data:
000000018000E2A0
↓o
.rdata:
000000018000A855
align
8
.rdata:
000000018000A858
aOo000ooo0o0ooL db
'oo000ooo0o0oo.<locals>.genexpr'
,
0
.rdata:
000000018000A858
; DATA XREF: .data:
000000018000E408
↓o
.rdata:
000000018000A877
align
8
.rdata:
000000018000A878
aGenexpr_0 db
'genexpr'
,
0
; DATA XREF: .data:
000000018000E138
↓o
.rdata:
000000018000A880
aAbcdefghijklmn_0 db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
+
/
In [
2
]:
import
new
In [
3
]:
help
(new)
Help
on module new:
NAME
new
DESCRIPTION
Description:
Autor: Emtanling
Date:
2022
-
07
-
26
09
:
36
:
06
LastEditors: Emtanling
LastEditTime:
2022
-
07
-
26
09
:
49
:
34
CLASSES
builtins.
object
mmo
class
mmo(builtins.
object
)
| mmo(O0000000O0000O00O)
|
| Methods defined here:
|
| __call__(OO00O00O00O0OO0O0)
|
| __init__(OO0O0O000OO0OO0OO, O0000000O0000O00O)
|
| ooo00o0o0o0(O00O0O0O00OOOO000)
|
|
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
| Data descriptors defined here:
|
| __dict__
| dictionary
for
instance variables (
if
defined)
|
| __weakref__
|
list
of weak references to the
object
(
if
defined)
FUNCTIONS
oo000ooo0o0o0(OOOOO0O000O00O0O0)
oo000ooo0o0oo(OO0000OOOOO0OOOO0)
DATA
__test__
=
{}
word
=
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789...
FILE
c:\users\axe\desktop\baby_re_bc0325445163f53c8ae03535511cf06a\new.pyd
In [
2
]:
import
new
In [
3
]:
help
(new)
Help
on module new:
NAME
new