首页 > 其他分享 >2023 hgame crypto wp 全

2023 hgame crypto wp 全

时间:2023-02-07 21:48:35浏览次数:61  
标签:return hgame bytes flag crypto range key wp import

做了今年hgame的题目,ak crypto的同时也从题目中学到了不少,贴一份所有密码方向题目的wp。

Week 1

RSA | 100pts

根据题目描述,用factorb分解n,在这里用的factorb在线api:

http://factordb.com/api?query=

exp:

from Crypto.Util.number import *
import gmpy2
import requests

def queryFactors(n):
	s=[]
	url="http://factordb.com/api?query="+str(n)
	r = requests.get(url)
	factors=r.json()['factors']
	for f in factors:
		for i in range(f[1]):
			s.append(int(f[0]))
	return s


c=110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582
n=135127138348299757374196447062640858416920350098320099993115949719051354213545596643216739555453946196078110834726375475981791223069451364024181952818056802089567064926510294124594174478123216516600368334763849206942942824711531334239106807454086389211139153023662266125937481669520771879355089997671125020789
e=65537
p=queryFactors(n)[0]
q=n//p
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))

Be Stream | 100pts

def stream(i):
    if i==0:
        return key[0]
    elif i==1:
        return key[1]
    else:
        return (stream(i-2)*7 + stream(i-1)*4)

这里流密码的生成器是一个二阶线性递推数列,利用数列中的项进行对明文的异或加密操作,暴力递归求解每一项时间复杂度显然是不够的

注意到对明文的异或是在mod 256意义下进行的,于是可以将该数列放在mod 256意义下考虑,而二阶线性递推数列在模意义下具有周期性,本题经验证得到周期为64,于是得到flag
exp:

key = [int.from_bytes(b"Be water", 'big'), int.from_bytes(b"my friend", 'big')]
enc= b''#data

stream=[]
stream.append(key[0]%256)
stream.append(key[1]%256)
for i in range(2,64):
    stream.append((stream[i-2]*7 + stream[i-1]*4)%256)
flag=b""

for i in range(len(enc)):
    water=stream[((i//2)**6)%64]
    flag += bytes([(water ^ enc[i])])
print(flag)


另外在处理二阶线性递推的问题时,往往还会采用矩阵快速幂进行加速,出题人给出的官方wp也用到了这样的方法

enc = b''#data
key = [int.from_bytes(b"Be water", 'big'), int.from_bytes(b"my friend", 'big')]
def mul(a, b):
    c = [[0, 0], [0, 0]]
    for i in range(2):
        for j in range(2):
            for k in range(2):
                c[i][j] += (a[i][k] * b[k][j]) % 256
                c[i][j] %= 256
    return c

def power(n):
    if n==1: return key[1] % 256
    if n==0: return key[0] % 256
    res = [[1, 0], [0, 1]]
    A = [[4, 7], [1, 0]]
    while n:
        if n & 1: res = mul(A, res)
        A = mul(A, A)
        n >>= 1
    return (res[1][0] * key[1] + res[1][1] * key[0]) % 256

flag = b''
for i in range(0, len(enc)):
    water = power((i//2)**6)
    flag += bytes([water ^ enc[i]])
print(flag)

兔兔的车票 | 100pts

题目中生成了部分noise data,利用三张noise图片对原始图片进行异或加密,实际上是key reuse的想法,把经过noise data混淆后的十六张图片两两异或可以试出来

上述方法基于的原理:
1.生成的noise图片中保留了部分(0,0,0)的数据点,导致异或时没有起到混淆作用
2.两张有实际意义的图片进行异或,可以大致看出图片信息,并不会完全混淆,如下图

exp:

from PIL import Image, ImageDraw

width=379
height=234
image_path="path\\enc1.png"
img1=Image.open(image_path)

image_path="path\\enc6.png"
img2=Image.open(image_path)

img3 = Image.new("RGB", (width, height))
for i in range(height):
    for j in range(width):
        p1, p2 = img1.getpixel((j, i)), img2.getpixel((j, i))
        img3.putpixel((j, i), tuple([(p1[k] ^ p2[k]) for k in range(3)]))
img3.save('path\\0.png')

神秘的电话 | 100pts

这题套娃了没啥意思,手解morse,得到

0223E_PRIIBLY__HONWA_JMGH_FGKCQAOQTMFR

根据提示,倒序后再解18层的栅栏,得到

rmocfhm_wo_ybipe2023_ril_hnajg_katfqqg

凭感觉像是维吉尼亚,稍微手试结合爆破得到密钥vidar,从而得到flag

week2

包里有什么 | 200pts

经典的背包密码问题,a数组是2为公比的等比数列,符合超递增形式,利用w混淆a数组得到数组b,m为模数

题目给出b[0],已知a[0],可求w

在mod m意义下对c乘w的逆元可以恢复通过用a数组进行背包加密的密文cc,从而利用a数组的超递增性质得到flag
exp:

from Crypto.Util.number import *
import gmpy2

m = 1528637222531038332958694965114330415773896571891017629493424
b0 = 69356606533325456520968776034730214585110536932989313137926
c = 93602062133487361151420753057739397161734651609786598765462162

l=m.bit_length()-2
#w=(b0+m)//2
w=b0//2

a = [2 << i for i in range(l)]
b = [w * i % m for i in a]
assert b[0]==b0
cc=(c*gmpy2.invert(w,m))%m

flag=""
for i in range(len(a)-1,-1, -1):
    if cc >= a[i]:
        cc -= a[i]
        flag+="1"
    else:
        flag+="0"

flag=flag[::-1]
print(long_to_bytes(int(flag,2)))


也可以求w之后得到b,利用LLL算法进行规约得到flag,但利用LLL算法解背包密码是有约束条件的,并不能对所有情况适用,不能算是本问题的最优解法

Rabin | 150pts

Rabin的板题
exp:

from Crypto.Util.number import *
import gmpy2
e=2
p=65428327184555679690730137432886407240184329534772421373193521144693375074983
q=98570810268705084987524975482323456006480531917292601799256241458681800554123
c=0x4e072f435cbffbd3520a283b3944ac988b98fb19e723d1bd02ad7e58d9f01b26d622edea5ee538b2f603d5bf785b0427de27ad5c76c656dbd9435d3a4a7cf556
n=p*q

a,inv_q ,inv_p= gmpy2.gcdext(q,p)
mp = pow(c, (p + 1) // 4, p)
mq = pow(c, (q + 1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n
b = n - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n
d = n - int(c)
for i in(a,b,c,d):
    print(long_to_bytes(i))

RSA大冒险1 | 200pts

level1:
把p当作模数,RSA中针对明文m较小的常规解法
level2:

def encrypt(self):
    m_ = bytes_to_long(self.m)
    c = pow(m_ ,self.e, self.p*self.q)
    self.q = getPrime(512)
    return hex(c)

每次调用encrypt进行加密的时候,会更新q的值,但p的值始终不变,产生了后门漏洞,分析清楚了就是常规的RSA模不互素的板子
level3:
e=3低指数攻击的板子
level4:

def encrypt(self):
    m_ = bytes_to_long(self.m)
    c = pow(m_, self.e, self.p*self.q)
    self.e = getPrime(17)
    return hex(c)

每次调用encrypt更新公钥e的值不更新p q,共模攻击的板子
exp:

from Crypto.Util.number import *
import gmpy2

#level1
n=361067668573234937895991468059126957309979597456638107518559509053801374729041826137407865616458091
e=65537
p=283512251808796606274360612102827230673
c=0x59f3320c32623159430da5f90aeb570c113b8773b190269405a57682da80541fd0a137545f9924fac5
phi=p-1
d=gmpy2.invert(e,phi)
m=pow(c,d,p)
print(long_to_bytes(m))
#m<n_But_also_m<p

#level2
num1=51714374014784626103389830324623745659758993696818466586014210858366422589570962326044934205165918356339002759574360310601646796554589261089973724419748591357516363775394363541872361180983687867285327133570976393450434372893591590304184278633127463257220213248050866258191414660072916311978916360257899176269
num2=78196272419906767037902832849004105232756023123277232046319587647595140446895325078900581644916520119933600043244420093307315612825163702610998235549248103079987514827335240153615251940195733209944058117702322811676907822899379157063913023209806857080156813524890681666184681309091756341694731879686951138779
c=0x2efe7c797fe9a3485abd4e6c5020f1a0037e0765b363bb3d857bdf41955ff50225fb87568b885fbfe3a79215afd79f4e5eb3adb1ea2d981a0bba1c2401c8db6aa8a0afb72115240dd02e8a79db70bb96b1c9d3fa1acbd66d20aa0308fcb7e814a8714b0ec0f50d7c8ee3e88433f1d7e3204cd64eb1672829f8d4af7ed9a89647
e=65537
p=GCD(num1,num2)
n=num1
phi=p-1
d=gmpy2.invert(e,phi)
m=pow(c,d,p)
print(long_to_bytes(m))
#make_all_modulus_independent

#level3
n=95956427905848709110790455827730781859758109105059149423798771136301462430886494550451263147653782416592902380881006366962525095344162802236463218784261545406669496659045343242247652612436969313296341862158360642994537918335689393284271914642479655859203315571729535683775913838294618830103890837529279728977
e=3
c=0xfec61958cefda3eb5f709faa0282bffaded0a323fe1ef370e05ed3744a2e53b55bdd43e9594427c35514505f26e4691ba86c6dcff6d29d69110b15b9f84b0d8eb9ea7c03aaf24fa957314b89febf46a615f81ec031b12fe725f91af9d269873a69748
temp=gmpy2.iroot(c,3)[0]
print(long_to_bytes(temp))
#encrypt_exponent_should_be_bigger

#level4
e1=69317
c1=0x9ced9e743f5a8e6d7b492001a607464f166cbf01869aa2348462681a54ef620e7698c8c8bfcd3e69357959fc561fb567b7bfd110103fc4a9749b44b2d8d92d16a8d3febf064d62c22b0c86e0915b54697e657e509e370a7233a6fe16cc08d1f5423a9f109b2e3d24cdece14b37a768bd09e3d4b73b724aaeb75c85633c443c72
n=132737573094397166200928323625376462448848709444893383097753580817921870674064012914464680073446196954339074738165979967268640670655884248726027366288498282161714749783486609569598319765091144131157441483840208937402381051309052892634969923866469069795545874253572601030174066186475561988582476654384721746937
e2=113723
c2=0x714d0aff617f24ded351530f942ca8dc9e9c2f5466c24c494245ddf625720fe4e1d34c7fc3c9e99d6ac1d21eb0d2daba111de9e13c778eed4fe6cf03d2951b27a46b0b9b931bb416b1d3bbca76cdd0225f7187075e81e49e9ccc713cb2bb39ced501276ea3c03363eecaade4445fad88216f5e11b812121f963582f79d339bad
gcd, s, t = gmpy2.gcdext(e1, e2)
if s < 0:
    s = -s
    c1 = gmpy2.invert(c1, n)
if t < 0:
    t = -t
    c2 = gmpy2.invert(c2, n)
plain = (gmpy2.powmod(c1, s, n) * gmpy2.powmod(c2, t, n)) % n
print(long_to_bytes(plain))
#never_uese_same_modulus

零元购年货商店 | 250pts

审一下源码

func Encrypt(u string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plainText := []byte(u)
	blockMode := cipher.NewCTR(block, iv)
	cipherText := make([]byte, len(plainText))
	blockMode.XORKeyStream(cipherText, plainText)
	return base64.StdEncoding.EncodeToString(cipherText), nil
}

func Decrypt(cipherText string) (string, error) {
	decodeData, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil {
		return "", errors.New("invalid base64")
	}
	block, err := aes.NewCipher(key)
	blockMode := cipher.NewCTR(block, iv)
	plainText := make([]byte, len(decodeData))
	blockMode.XORKeyStream(plainText, decodeData)
	return string(plainText), nil
}

利用CTR模式进行了AES加密,CTR模式密文改动某一字节,明文只有对应字节改动,尝试得到将cookie第十三位ascii+=1,对应用户名第一位ascii+=3,因此先将用户名设置为Ridar-Tu
cookie:

ESJsI22Q3vTqbTR5am7kjg7Qwm3RlmQbZA2VFfx4OfQu1veLIrevOSpWQ1MQiszz8eKa%2FaF%2FazDChg%3D%3D

修改为:

ESJsI22Q3vTqaTR5am7kjg7Qwm3RlmQbZA2VFfx4OfQu1veLIrevOSpWQ1MQiszz8eKa%2FaF%2FazDChg%3D%3D

因为没有go环境所以只能这样枚举试一试,实际上应该直接调用题目中的encrypt和decrypt函数求解,只需要满足传入用户名为八位字符即可

官方exp:

package main

import (
    "encoding/base64"
    "fmt"
    "net/url"
)

func main() {
    var encodedToken = ""
    token, _ := url.QueryUnescape(encodedToken)
    decodeData, _ := base64.StdEncoding.DecodeString(token)
    decodeData[9] ^= 'a' ^ 'V'
    decodeData[10] ^= 'a' ^ 'i'
    decodeData[11] ^= 'a' ^ 'd'
    decodeData[12] ^= 'a' ^ 'a'
    decodeData[13] ^= 'a' ^ 'r'
    decodeData[14] ^= 'a' ^ '-'
    decodeData[15] ^= 'a' ^ 'T'
    decodeData[16] ^= 'a' ^ 'u'
    attackData := base64.StdEncoding.EncodeToString(decodeData)
    fmt.Println(token)
    fmt.Println(attackData)
    attackToken := url.QueryEscape(attackData)
    fmt.Println(attackToken)
}

week3

ezDH | 300pts

离散对数可以求B,从而得到shared secret,然后简单推一下式子:

exp:

from Crypto.Util.number import *
N=0x2be227c3c0e997310bc6dad4ccfeec793dca4359aef966217a88a27da31ffbcd6bb271780d8ba89e3cf202904efde03c59fef3e362b12e5af5afe8431cde31888211d72cc1a00f7c92cb6adb17ca909c3b84fcad66ac3be724fbcbe13d83bbd3ad50c41a79fcdf04c251be61c0749ea497e65e408dac4bbcb3148db4ad9ca0aa4ee032f2a4d6e6482093aa7133e5b1800001
g=2
B=0x1889c9c65147470fdb3ad3cf305dc3461d1553ee2ce645586cf018624fc7d8e566e04d416e684c0c379d5819734fd4a09d80add1b3310d76f42fcb1e2f5aac6bcdd285589b3c2620342deffb73464209130adbd3a444b253fc648b40f0acec7493adcb3be3ee3d71a00a2b121c65b06769aada82cd1432a6270e84f7350cd61dddc17fe14de54ab436f41b9c9a0430510dde
#Bob_secret=sympy.discrete_log(N,B,g)
#print(B_s)
Bob_secret=523395080617584542626887374797915530377197776414307699064494325754883865689240606662282052952769155869279302851357127396057956141700522707614969003724858649469855458912748021620773222294584347455737042066389082761054791847391943575954645806724433924897674867376454396257875249718213145700160788809038411884417511593659507
A=0x22888b5ac1e2f490c55d0891f39aab63f74ea689aa3da3e8fd32c1cd774f7ca79538833e9348aebfc8eba16e850bbb94c35641c2e7e7e8cb76032ad068a83742dbc0a1ad3f3bef19f8ae6553f39d8771d43e5f2fcb986bd72459456d073e70d5be4d79ce5f10f76edea01492f11b807ebff0faf6819d62a8e972084e1ed5dd6e0152df2b0477a42246bbaa04389abf639833
p=6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151
a=-3
b=1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984
E = EllipticCurve(GF(p), [a, b])
shared_secret=210079986310539059026469300720655426951919393335485123618687987029746658763798439576376646226161293006261472023436870446704160814487044427272498126726277523426054334489402918696632471053566567964288295442264373353184045686758631952518445700562724692050307270259376021103356466045824174058551054535796277627154836626119222585862131679625673279898703654
P1=E((2032638959575737798553734238953177065671021112450002471824225734491735604600003028491729131445734432442510201955977472408728415227018746467250107080483073647, 3510147080793750133751646930018687527128938175786714269902604502700248948154299853980250781583789623838631244520649113071664767897964611902120411142027848868))
c=E(6670373437344180404127983821482178149374116817544688094986412631575854021385459676854475335068369698875988135009698187255523501841013430892133371577987480522, 6648964426034677304189862902917458328845484047818707598329079806732346274848955747700716101983207165347315916182076928764076602008846695049181874187707051395)
P2=shared_secret*P1
m=(c-P2)[0]
print(long_to_bytes(m))


至于为什么起手想到了离散对数解B,N的结尾是00001,N-1应该比较光滑,自然可以联想到Pohlig-Hellman algorithm解DLP

ezBlock | 350pts

近期应该会更一篇差分的文章,更完了贴到这里,这里就先简单说下思路

经过了四轮S-box,每一次已知经过S-box混淆前后的值,就有一定概率得到对应的key,感觉这题设计成可以选择明文的交互,主动探索良好的差分性质会更理想
exp:

m_list = [hex(i * 0x1111)[2:].rjust(4, '0') for i in range(16)]
c_list = [28590, 33943, 30267, 5412, 11529, 3089, 46924, 59533, 12915, 37743, 64090, 53680, 18933, 49378, 23512, 44742]
c_list = [hex(i)[2:].rjust(4, '0') for i in c_list]
s_box = {0: 0x6, 1: 0x4, 2: 0xc, 3: 0x5, 4: 0x0, 5: 0x7, 6: 0x2, 7: 0xe, 8: 0x1, 9: 0xf, 10: 0x3, 11: 0xd, 12: 0x8, 13: 0xa, 14: 0x9, 15: 0xb}
ans = []
for k in range(4):
    t = {}
    for i in range(16):
        t[int(m_list[i][k], 16)] = int(c_list[i][k], 16)
    for a in range(16):
        for b in range(16):
            for c in range(16):
                for d in range(16):
                    for e in range(16):
                        key = [a,b,c,d,e]
                        for i in range(16):
                            m = i
                            for j in range(4):
                                m = m ^ key[j]
                                m = s_box[m]
                            m = m ^ key[4]
                            if m != t[i]:
                                break
                            elif i==15:
                                ans.append(key)
print(ans)
key = [0, 0, 0, 0, 0]
for k in ans:
    key = [(key[i]*16+k[i]) for i in range(5)]
print([hex(i) for i in key])
flag = 'hgame{' + hex(key[0])[2:] + '_' + hex(key[1])[2:] + '_' + hex(key[2])[2:] + '_' + hex(key[3])[2:] + '_' + hex(key[4])[2:] + '}'
print(flag)
#[[4, 15, 4, 4, 13], [15, 4, 15, 5, 8], [4, 9, 9, 7, 13], [2, 3, 2, 0, 5]]
#['0x4f42', '0xf493', '0x4f92', '0x4570', '0xd8d5']

RSA大冒险2 | 350pts

level1:
Boneh_Durfee's attack板子
level2:
yafu可以分解

看了官方wp,出题人想出一个费马分解,那yafu可以分解n就不奇怪了
level3:
指向我的另一篇文章:https://www.cnblogs.com/App1eTree/p/coppersmith.html
coppersmith的板子,但是被卡了上界,需要手动调下参数
这里只给出level3利用small roots方法解根的exp:

def coppersmith(pol, modulus, beta, h, t, X):
    n = d * h + t
    polZ = pol.change_ring(ZZ)
    x = polZ.parent().gen()
    g = []
    for i in range(h):
        for j in range(d):
            g.append((x * X)**j * modulus**(h - i) * polZ(x * X)**i)
    for i in range(t):
        g.append((x * X)**i * polZ(x * X)**h)
    B = Matrix(ZZ, n)
    for i in range(n):
        for j in range(i+1):
            B[i, j] = g[i][j]
    B = B.LLL()
    new_pol = 0
    for i in range(n):
        new_pol += x**i * B[0, i] / X**i
    potential_roots = new_pol.roots()
    roots = []
    for root in potential_roots:
        if root[0].is_integer():
            result = polZ(ZZ(root[0]))
            if gcd(modulus, result) >= modulus^beta:
                print("p: ",(gcd(modulus, result)))
                roots.append(ZZ(root[0]))
    return roots
N = 131435096190932476282107019932753538842822700854000789960859541290365971093411528417224106949167098928833908993920820537191845190683132521684195137876258992862198519678667815269992895368819967417416360582282152133401991348142208574505338629119903776681479509250804953601559034849627028222835444168985167733627
ZmodN = Zmod(N)
P.<x> = PolynomialRing(ZmodN)
leak = 884164308941646697376000124313396231277143112153939022790874440209793278332165
#f = pbar + x
for i in range(132,2**9):
    print(i)
    pbar=((leak<<9)+i)<<244
    f=pbar + x
    beta = 0.50
    d = f.degree()
    epsilon = beta / 45
    h = ceil(beta**2 / (d * epsilon))
    t = floor(d * h * ((1/beta) - 1))
    X = ceil(N**((beta**2/d) - epsilon))
    roots = coppersmith(f, N, beta, h, t, X)
    print(roots)
#b'now_you_know_how_to_use_coppersmith'

week4

LLLCG | 50pts

最开始的附件少打了一个括号,用后一个数据除掉前一个数据就可以了,好像RCTF也有一样的非预期哈哈

ECRSA | 400pts

RSA毕竟是基于大整数分解困难的,但是这里给出了p q,只是定义在椭圆曲线上,故对于私钥d的定义变为

d=inverse(e, order)

其中order是圆锥曲线的阶,再就是需要在F(p) F(q)上分别求出明文,利用中国剩余定理CRT进行合并得到最终的flag
exp:


from sage.all import *
from sage.all_cmdline import *
from Crypto.Util.number import *

p=115192265954802311941399019598810724669437369433680905425676691661793518967453
q=109900879774346908739236130854229171067533592200824652124389936543716603840487
n = 1265973137163332340636107173548074387094288440751164714475805591193132153433
a = 3457301624586139606837804088262299224575469302815229087413111295501888448568
b = 1032821371338209482066820365696715669963814382548975103442891640397173555138
e = 11415307674045871669
ciphertext = b''

Ep = EllipticCurve(Zmod(p), [a, b])
Eq = EllipticCurve(Zmod(q), [a, b])
cx = bytes_to_long(ciphertext)
cp = Ep.lift_x(Integer(cx))
cq = Eq.lift_x(Integer(cx))
dp = inverse(e, Ep.order())
dq = inverse(e, Eq.order())
mp = (dp * cp).xy()[0]
mq = (dq * cq).xy()[0]

flag = CRT_list([ZZ(mp), ZZ(mq)], [p, q])
print(long_to_bytes(int(flag)))

LLLCG Revenge | 350pts

HNP问题,LCG、DSA等算法都可以作为oracle产生相邻项参数之间线性递推的效果

这里n是360bit,r最大是340bit,至少泄露20bit的MSB,起手构造矩阵进行LLL,过后会把之前blog关于HNP的文章迁移过来,到时候在这里放链接
exp:

from Crypto.Util.number import *
t = 39
n = 2348542582773833227889480596789337027375682548908319870707290971532209025114608443463698998384768703031935081
# Load data
s=[data]

# Calculate A & B
A = []
B = []
for i in range(len(s)-1):
    A.append(ZZ((-1*s[i])%n))
for i in range(1,len(s)):
    B.append(ZZ(s[i]))
    
# Construct Lattice
K = 2^340   # ki < 2^340
X = n * identity_matrix(QQ, t) # t * t
Z = matrix(QQ, [0] * t + [K/n] + [0]).transpose() # t+1 column
Z2 = matrix(QQ, [0] * (t+1) + [K]).transpose()    # t+2 column

Y = block_matrix([[X],[matrix(QQ, A)], [matrix(QQ, B)]]) # (t+2) * t
Y = block_matrix([[Y, Z, Z2]])

# Find short vector
Y = Y.LLL()
a=n*Y[1][39]/2**340
print(long_to_bytes(a))

Good luck for hgame 2024

标签:return,hgame,bytes,flag,crypto,range,key,wp,import
From: https://www.cnblogs.com/App1eTree/p/2023hgame.html

相关文章

  • 2022“祥云杯”——PWN和Crypto
    分享一下之前第三届“祥云杯”的几道题,我们团队也在本次比赛中获得很多新的知识和大赛经验,赛后总结时,重点针对PWN和Crypto两大模块进行了深入研究和整理。PWN部分1、unexplo......
  • m对比PSO,WPA,GWPA以及GWO四种优化算法的优化性能,优化目标函数为10个来自CEC2017的标
    1.算法描述        灰狼优化算法(GWO),灵感来自于灰狼.GWO算法模拟了自然界灰狼的领导层级和狩猎机制.四种类型的灰狼,如α,β,δ,w被用来模拟领导阶层。此外,还......
  • HGAME_2023_WEB_WP_WEEK3
    PingToTheHost很明显的rce,简单测试一下发现空格,cat,;被办,且执行无回显,空格用${IFS},%09,$IFS$9等等来绕过,我们利用dnslog将执行结果外带出来,这里使用的是http://ceye.io/......
  • WPF 使用 StaticResource、DynamicResource、RelativeSource
    StaticResource(静态资源)依赖属性静态资源在第一次编译后即确定其对象或值,之后不能对其进行修改。StaticResources的适用场合:(1)在资源第一次引用之后无需再修改资源的值。(2......
  • WPF-04 数据绑定
    下图展示WPF中数据绑定基本概念 在WPF中Binding对象是一根连接绑定目标和数据源的桥梁,任何一方变化都会通过Binding来通知。Code<Windowx:Class="Example_03.MainWindow"......
  • WPF-03 资源之Resources
    WPF中有两种类型资源StaticResource、DynamicResource,资源本质上就是一个对象。 这节我们主要介绍静态资源StaticResource(静态资源)在第一次编译后就确定的......
  • WPF-03 资源之Resources
    WPF中有两种类型资源StaticResource、DynamicResource,资源本质上就是一个对象。 这节我们主要介绍静态资源StaticResource(静态资源)在第一次编译后就确定的......
  • WPF-06 样式(Style)
    在我们前面介绍资源的时候,我们提到了样式表,如果你之前是做Web开发的,你会发现Style有点类似于Web中的CSS。控件级别样式我们可以在控件级别定义自己的样式,控件级......
  • WPF-06 样式(Style)
    在我们前面介绍资源的时候,我们提到了样式表,如果你之前是做Web开发的,你会发现Style有点类似于Web中的CSS。控件级别样式我们可以在控件级别定义自己的样式,控件级......
  • 超级好用的KeyBoard WPF软键盘
    超级好用的KeyBoardWPF软键盘​​项目背景​​​​系统结构​​​​核心概述​​​​1、用于墨迹识别核心类库​​​​2、中文字库​​​​效果展示​​​​1、拼音检索效......