[Original] KCTF 2025 Challenge 9 "智斗邪首" writeup
Posted on: 2025-8-31 19:40 | 2706


Loading the binary into IDA shows that the entry point only calls mscoree.dll!_CorExeMain. I first tried to locate the algorithm function directly: string cross-references, sorting functions by size, and stepping into random functions all turned up nothing;
only a few of the longer functions contained large switch-case blocks, plus things like this:

Suspecting a VM, I tried dynamic debugging: WinDbg could not attach; Frida could, but the process crashed as soon as a function was hooked;
since WinDbg was configured as the JIT debugger, it popped up and broke on the crash, which showed that the crash happened in a child process launched by htg_Crackme.exe, located in the temp directory;
System Informer shows the child process's command line as:

Copying 9115cc6c-36dc-47bd-952a-bc16f093b625.exe out and running it on its own also crashes, and it has a Python icon, so I suspected a packaged Python program;
later I realised the crash was because the program copies this exe out of its own image and runs it in a new process: Frida had hooked code inside that exe, so the copied exe carried the hook and jumped to a non-existent address, which caused the crash.
Switching to dnSpy, debugging worked;
after enabling the debug option to debug files loaded from process memory, the full code becomes visible. See the comments for the analysis:

Next, the function that processes the serial number:

For example, 12l34l56 becomes 113333555555.
Breaking at the point where the exe is executed yields the complete exe; unpacking it with pyinstxtractor and decompiling with pycdc gives its main code:

It is a high-precision division: the number derived from the username is divided by the number derived from the serial, and the result is printed;
run it once yourself with the arguments obtained from the sample username/serial, save the output as result.txt, then write the Python code:

The output is very long, with nothing but zeros after the decimal point; save it to a file again to read off the integer part, then write code to convert it into serial-number format:

The resulting serial number is 21l61l92022l71l51l61l92022l71l81l31l92022l81l61l51
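As an added worked example (not code from the writeup or the challenge), the Python below ports the serial decoder KX_RGVjb2Rl, its inverse (digit string back to serial format, the step the writeup's own script performs), the username hash from the main function, and the ratio trick behind the solve, generalised to any username value: because the child exe only checks the quotient num/serial, a serial for a new num is obtained by keeping the sample pair's ratio. Function names and the small sample values are my own.

```python
# Added example, not the challenge's or the writeup's own code: Python port of
# KX_RGVjb2Rl (serial decoder), its inverse, the username hash, and the ratio trick.
def name_num(name: str) -> int:
    """Username hash from the main function: XOR all UTF-8 bytes, mod 64, force odd."""
    b = 0
    for byte in name.encode("utf-8"):
        b ^= byte
    num = b % 64
    return num + 1 if num % 2 == 0 else num

def expand_sn(sn: str) -> str:
    """Core of KX_RGVjb2Rl: '12l34l56' -> '113333555555'; '' means rejected.
    A segment is one digit plus a repeat count, ended by 'l' (or end of
    string); a '.' directly after a completed segment is copied through."""
    out, c, text, seg_open = [], " ", "", False
    for ch in sn:
        if "0" <= ch <= "9":
            if c == " ":                       # first digit of a segment
                c, text = ch, ""
            elif text == "" and ch == "0":     # repeat count may not start with 0
                return ""
            else:
                text += ch
            seg_open = True
        elif ch == "l":
            if not seg_open or c == " " or text == "" or int(text) == 0:
                return ""
            out.append(c * int(text))
            c, text, seg_open = " ", "", False
        elif ch == ".":
            if not out or text != "" or c != " ":
                return ""
            out.append(".")
            c, text, seg_open = " ", "", False
        else:
            return ""
    if seg_open:                               # trailing segment without 'l'
        if not out or c == " " or text == "" or int(text) == 0:
            return ""
        out.append(c * int(text))
    return "".join(out)

def decode_sn(sn: str) -> str:
    """KX_RGVjb2Rl with the length/prefix/suffix checks that call Exit() in .NET."""
    if not 26 <= len(sn) <= 50 or sn.startswith("0") or sn.endswith("."):
        return ""
    return expand_sn(sn)

def encode_sn(digits: str) -> str:
    """Inverse of expand_sn for a plain digit string (run-length encoding)."""
    parts, i = [], 0
    while i < len(digits):
        j = i
        while j < len(digits) and digits[j] == digits[i]:
            j += 1
        parts.append(f"{digits[i]}{j - i}")
        i = j
    return "l".join(parts)

def derive_serial(num_target: int, num_sample: int, serial_sample: int) -> str:
    """Only the quotient num/serial is checked, so keep the sample's ratio:
    serial = num_target * serial_sample / num_sample; '' if not an integer."""
    n = num_target * serial_sample
    return encode_sn(str(n // num_sample)) if n % num_sample == 0 else ""
```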

.enigma2:0000000140808F13 loc_140808F13:                          ; CODE XREF: sub_140808EF0+16↑p
.enigma2:0000000140808F13                 push    rbp
.enigma2:0000000140808F14                 sub     rsp, 2Bh
.enigma2:0000000140808F18                 mov     rbp, rsp
.enigma2:0000000140808F1B                 push    rcx
.enigma2:0000000140808F1C                 push    rdx
.enigma2:0000000140808F1D                 push    rsi
.enigma2:0000000140808F1E                 call    loc_14080B023
.enigma2:0000000140808F23                 out     dx, eax
.enigma2:0000000140808F24                 and     [rax], eax
.enigma2:0000000140808F24 ; ---------------------------------------------------------------------------
.enigma2:0000000140808F26                 dw 0
.enigma2:0000000140808F28                 dq 21E7000000h, 21DF000000h, 21D7000000h, 21E5000000h
.enigma2:0000000140808F48                 dq 2206000000h, 21ED000000h, 21E5000000h, 21AF000000h
.enigma2:0000000140808F68                 dq 21A7000000h, 219F000000h, 2197000000h, 21A5000000h
.enigma2:0000000140808F88                 dq 21C6000000h, 21AD000000h, 2ABF000000h, 216F000000h
.enigma2:0000000140808FA8                 dq 2167000000h, 215F000000h, 2157000000h, 2165000000h
.enigma2:0000000140808FC8                 dq 2186000000h, 216D000000h, 2165000000h, 212F000000h
...
9115cc6c-36dc-47bd-952a-bc16f093b625.exe 55 549999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999504999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999955999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999725 4133025
private static void KX_TWFpbg雪雪()
{
    Console.WriteLine("Name:");
    string text = Console.ReadLine();
    Console.WriteLine("SN:");
    string text2 = Console.ReadLine();
    if (string.IsNullOrEmpty(text) || string.IsNullOrEmpty(text2))
    {
        return;
    }
    byte[] bytes = Encoding.UTF8.GetBytes(text);
    byte b = 0;
     
    foreach (byte b2 in bytes)
    {
        b ^= b2;
    }
    // XOR every byte of the username to get num, take it mod 64, then make it odd. For the username KCTF, num is 27.
    int num = (int)(b % 64);
    if (num % 2 == 0)
    {
        num++;
    }
    StringBuilder stringBuilder = new StringBuilder();
    try
    {
        // KX_RGVjb2Rl processes the serial number; covered below
        stringBuilder = KX_UHJvZ3JhbQ雪雪.KX_RGVjb2Rl(text2);
    }
    catch
    {
        return;
    }
    // Check that num and the processed serial are not empty
    StringBuilder stringBuilder2 = new StringBuilder(num.ToString());
    if (stringBuilder2 == null || stringBuilder == null || string.IsNullOrWhiteSpace(stringBuilder2.ToString()) || string.IsNullOrWhiteSpace(stringBuilder.ToString()))
    {
        Console.WriteLine("Failed!");
        Console.WriteLine("按任意键结束!");
        Console.ReadKey();
        return;
    }
    // Check that neither num nor the processed serial ends in 0
    if (stringBuilder2.ToString().EndsWith("0") || stringBuilder.ToString().EndsWith("0"))
    {
        Console.WriteLine("Failed!");
        Console.WriteLine("按任意键结束!");
        Console.ReadKey();
        return;
    }
    int num2 = 2040;
    int num3 = 2025;
    // This class's main job is to extract the embedded exe and run it as a child process
    KX_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪 kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪 = new KX_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪();
    // Precision is set to 4133025
    kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Precision = (num2 + 1) * num3;
    // Run with the arguments num, processed serial, precision; this matches the command line seen earlier for 9115cc6c-36dc-47bd-952a-bc16f093b625.exe
    kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.KX_TXlEaXZpZGU雪(stringBuilder2, stringBuilder);
    // The output is a decimal in scientific notation; the fractional part is stored in .Quotient
    int j = 0;
    try
    {
        // The result is then checked. This needs no close analysis: it suffices to make the exe's output for the KCTF username (argument 1 = 27) identical to its output for the sample username/serial
        while (j < num2)
        {
            if (kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring(j * num3, num3) == kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring((j + 1) * num3, num3) && kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring((j + 1) * num3, num3) == kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring((j + 2) * num3, num3))
            {
                j = int.MaxValue;
            }
            if (!KX_UHJvZ3JhbQ雪雪.KX_VmVyaWZ5U2lnbmFs(kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring(j * num3, num3), kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring((j + 1) * num3, num3), kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring((j + 2) * num3, num3), kx_SGlnaFByZWNpc2lvbkRpdmlzaW9uMg雪雪.Quotient.Substring((j + 3) * num3, num3)))
            {
                j++;
                break;
            }
            j++;
        }
        if (j != num2 - 3)
        {
            Console.WriteLine("Failed!");
            Console.WriteLine("按任意键结束!");
            Console.ReadKey();
            return;
        }
    }
    catch
    {
        Console.WriteLine("Failed!");
        Console.WriteLine("按任意键结束!");
        Console.ReadKey();
        return;
    }
    Console.WriteLine("Congratulations!");
    Console.WriteLine("按任意键结束!");
    Console.ReadKey();
}
public static StringBuilder KX_RGVjb2Rl(string KX_U04雪)
{
    if (KX_U04雪.Length < 26 || KX_U04雪.Length > 50)
    {
        Environment.Exit(0);
    }
    StringBuilder stringBuilder = new StringBuilder();
    StringBuilder stringBuilder2 = new StringBuilder();
    char c = ' ';
    string text = "";
    long num = 0L;
    bool flag = true;
    if (KX_U04雪.StartsWith("0"))
    {
        Environment.Exit(0);
    }
    if (KX_U04雪.EndsWith("."))
    {
        Environment.Exit(0);
    }
    foreach (char c2 in KX_U04雪)
    {
        if (c2 >= '0' && c2 <= '9')
        {
            // The first digit of each segment is stored in c
            if (c == ' ')
            {
                c = c2;
                text = "";
            }
            else
            {
                // The following digits are stored in text
                if (text == "" && c2 == '0')
                {
                    return stringBuilder2;
                }
                text += c2.ToString();
            }
            flag = false;
        }
        // Segments are separated by 'l'; on 'l':
        else if (c2 == 'l')
        {
            if (flag)
            {
                return stringBuilder2;
            }
            if (c == ' ')
            {
                return stringBuilder2;
            }
            if (text == "")
            {
                return stringBuilder2;
            }
            if (num != 0L)
            {
                return stringBuilder2;
            }
            num = Convert.ToInt64(text);
            if (num == 0L)
            {
                return stringBuilder2;
            }
            // Repeat c as many times as the following number says
            for (;;)
            {
                long num2 = num;
                num = num2 - 1L;
                if (num2 <= 0L)
                {
                    break;
                }
                stringBuilder.Append(c);
            }
            num += 1L;
            c = ' ';
            text = "";
            flag = true;
        }
        else
        {
            if (c2 != '.')
            {
                return stringBuilder2;
            }
            if (string.IsNullOrWhiteSpace(stringBuilder.ToString()))
            {
                return stringBuilder2;
            }
            if (!string.IsNullOrEmpty(text))
            {
                return stringBuilder2;
            }
            if (c != ' ' && string.IsNullOrEmpty(text))
            {
                return stringBuilder2;
            }
            c = ' ';
            text = "";
            stringBuilder.Append(c2);
            flag = true;
        }
    }
    if (!flag)
    {
        if (string.IsNullOrWhiteSpace(stringBuilder.ToString()))
        {
            return stringBuilder2;
        }
        if (c == ' ')
        {
            return stringBuilder2;
        }
        if (text == "")
        {
            return stringBuilder2;
        }
        if (num != 0L)
        {
            return stringBuilder2;
        }
        num = Convert.ToInt64(text);
        if (num == 0L)
        {
            return stringBuilder2;
        }
        for (;;)
        {
            long num3 = num;
            num = num3 - 1L;
            if (num3 <= 0L)
            {
                break;
            }
            stringBuilder.Append(c);
        }
    }
    return stringBuilder;
}

Last edited by tacesrever on 2025-8-31 19:44, reason: