Reverse

Crush’s_secret

签到题，SMC+xxtea。
ida随便点点就能看到SMC段

懒得分析解密，直接跑起来，然后dump。

一眼XXTEA，网上的代码，一点没改，直接网上找一个解密就行了。

#include<stdio.h>
#include<stdint.h>
#define DELTA 0x9E3779B9
#define MX (((z>>5^y<<2)+(y>>3^z<<4))^((sum^y)+(k[(p&3)^e]^z)))
void btea(uint32_t* v, int n, uint32_t const k[4])
{
	uint32_t y, z, sum;
	unsigned p, rounds, e;
    n = -n;
    rounds = 6 + 52 / n;
    sum = rounds * DELTA;
    y = v[0];
    do
    {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--)
        {
            z = v[p - 1];
            y = v[p] -= MX;
        }
        z = v[n - 1];
        y = v[0] -= MX;
        sum -= DELTA;
    } while (--rounds);
}
int main() {
	unsigned int v8[12];
	v8[0] = 0x5A764F8A;
	v8[1] = 0x5B0DF77;
	v8[2] = 0xF101DF69;
	v8[3] = 0xF9C14EF4;
	v8[4] = 0x27F03590;
	v8[5] = 0x7DF3324F;
	v8[6] = 0x2E322D74;
	v8[7] = 0x8F2A09BC;
	v8[8] = 0xABE2A0D7;
	v8[9] = 0xC2A09FE;
	v8[10] = 0x35892BB2;
	v8[11] = 0x53ABBA12;

	unsigned int v3[4];
	v3[0] = 0x5201314;
	v3[1] = 0x52013140;
	v3[2] = 0x5201314;
	v3[3] = 0x52013140;
	for (size_t i = 0; i < 12; i += 2)
	{
		btea(&v8[i], -2, v3);
	}
	printf("%s", v8);
}

esay_key(easy_key)

题目名字还不太对。不过是驱动题喜欢，但是好像写的有bug按键盘就蓝屏，看起来IRQL处理有点问题
一血不过后面Lilac队在快结束的时候做出来了。

他有个提示就是看看如何交互，直接ida看常见的交互点（Irp包）

函数入口点可以发现只有IRP_MJ_READ、IRP_MJ_POWER、IRP_MJ_PNP是有点用的，其他的都是个那种默认的派遣函数回调。
后面2我开发的时候没用到，直接看Read。

进去看一下发现不太一样，竟然有2段有些可疑。直接把他跑起来拿ARK工具看看情况。打开Windows的测试模式+一个能加载驱动的程序就行（没有的话可以用sc命令创建服务的方式来加载驱动）

加载进去后用ARK看看他都干了啥，结果发现是个键盘过滤驱动。

转回ida，我们分析read函数底下那些，点一点就能找到关键函数。
其中这个函数超级长，底下可以发现一个数组，然后还有判断的地方。

结合ARK的分析就能发现这个是过滤的键盘代码。我也没写过键盘过滤驱动，直接看雪搜一下，就能发现一个教你写键盘驱动的帖子，把代码复制下来编译一下就能使用。

按下键盘对着找一下就行了。

v14[0] = 0x20;          D
v14[1] = 0x2A;          shift
v14[2] = 0xB;           0
v14[3] = 0x22;          g
v14[4] = 4;             3
v14[5] = 0x2D;          x

v14[6] = 0x22;          G
v14[7] = 0x2A;          shift
v14[8] = 0x2E;          C
v14[9] = 0x2A;          shift
v14[10] = 0x1A;         {
v14[11] = 0x2A;         shift  

v14[12] = 0x1E;         a 
v14[13] = 7;            6
v14[14] = 7;            6
v14[15] = 0x30;         b
v14[16] = 3;            2
v14[17] = 4;            3
v14[18] = 5;            4
v14[19] = 3;            2
v14[20] = 0xC;          -
v14[21] = 0xB;          0
v14[22] = 5;            4 
v14[23] = 0x20;         d
v14[24] = 5;            4
v14[25] = 0xC;          -
v14[26] = 5;            4
v14[27] = 7;            6
v14[28] = 9;            8
v14[29] = 0x1E;         a
v14[30] = 0xC;          -
v14[31] = 0xA;          9
v14[32] = 0xA;          9
v14[33] = 0x20;         d
v14[34] = 4;            3
v14[35] = 0xC;          -
v14[36] = 8;            7
v14[37] = 0x12;         e
v14[38] = 0x20;         d
v14[39] = 0x30;         b
v14[40] = 0x1E;         a
v14[41] = 5;            4
v14[42] = 0x2E;         c
v14[43] = 0xA;          9
v14[44] = 0xB;          0
v14[45] = 0xB;          0
v14[46] = 2;            1
v14[47] = 0x21;         f
v14[48] = 0x1B;         }
v14[49] = 0x2A;         shift

round

安卓题，全在java里面，直接jadx看。

两步，cyber解不了，去看一下b64，不过我没看出来，我直接试了一下，发现其每4个字符一组的中间2个字符会对调。
这里使用frida就能发现

frida代码片段如下:

let MakePath = Java.use("com.example.demo.MakePath");
MakePath.encodeToBase64.implementation = function(str){
    console.log('encodeToBase64 is called' + str);
    let ret = this.encodeToBase64(str);
    console.log('encodeToBase64 ret value is ' + ret);
    return ret;
};

所以直接解密出第一段。

第二段需要一个box，我们可以通过frida直接获得。
完整代码如下

import frida
import sys

jscode = """
Java.perform(() => {
let MakePath = Java.use("com.example.demo.MakePath");
MakePath.encode.implementation = function(context, str){
    console.log('encode is called');
    let ret = this.encode(context, str);
    console.log('encode ret value is ' + ret);
    return ret;
};

});
"""

process = frida.get_remote_device().attach('demo')
script = process.create_script(jscode)
script.load()
sys.stdin.read()

至此获得完第二步的所有参数，开始第二步。

看起来是个很麻烦的算法，直接考虑爆破。

我们把他复制到另一个文件中来执行，我们一开始考虑的就是常规的单字节爆破，但是发现他这个并不是一一对应的，有可能在一个位子上的好几个字符都能对应他这个正确的值，所以我们需要修改爆破代码。

我也不擅长写代码，前面能正常单字节爆破的就是正常爆破，后面的部分爆破方式如下所示:

class Round {

    public static class Result {
        private int num;
        private int rip;

        public Result(int i, int i2) {
            this.num = i;
            this.rip = i2;
        }

        public int getNum() {
            return this.num;
        }

        public int getRip() {
            return this.rip;
        }
    }

    public int round(int[] iArr, String str) {
        Result result;
        int length = str.length();
        int[] iArr2 = {1,1,1,1,1,1,1,1,1,1,1,1};
        int[] iArr3 = {352, 646, 752, 882, 65, 0, 122, 0, 0, 7, 350, 360};
        int i = 33;
        for (int i2 = 0; i2 < str.length(); i2++) {
            int charAt = str.charAt(i2);
            for (int i3 = 0; i3 < 32; i3++) {
                int i4 = (((iArr[i] ^ charAt) % 5) + 5) % 5;
                if (i4 == 0) {
                    result = add(iArr, charAt, i);
                } else if (i4 == 1) {
                    result = sub(iArr, charAt, i);
                } else if (i4 == 2) {
                    result = xor(iArr, charAt, i);
                } else if (i4 == 3) {
                    result = shl(charAt, i);
                } else if (i4 != 4) {
                    result = new Result(charAt, i);
                } else {
                    result = shr(charAt, i);
                }
                charAt = result.getNum();
                i = result.getRip();
            }
            iArr2[i2] = charAt;
        }

        for (int i5 = 0; i5 < length; i5++) {
            if (iArr2[i5] != iArr3[i5]) {
                //System.out.println(iArr2[0]+" "+iArr2[1]+" "+iArr2[2]+" "+iArr2[3]+" "+iArr2[4]+" "+iArr2[5]+" "+iArr2[6]+" "+iArr2[7]+" "+iArr2[8]+" "+iArr2[9]+" "+iArr2[10]);
                
                return i5;
            }
        }
        return 99;
    }

    public Result add(int[] iArr, int i, int i2) {
        int i3 = (((i + iArr[i2]) % 1024) + 1024) % 1024;
        return new Result(i3, (i2 + i3) % 1024);
    }

    public Result sub(int[] iArr, int i, int i2) {
        int i3 = (((i - iArr[i2]) % 1024) + 1024) % 1024;
        return new Result(i3, (i2 + i3) % 1024);
    }

    public Result xor(int[] iArr, int i, int i2) {
        int i3 = (iArr[i2] ^ i) % 1024;
        return new Result(i3, (i2 + i3) % 1024);
    }

    public Result shl(int i, int i2) {
        int i3 = (i >> 3) % 1024;
        return new Result(i3, (i2 + i3) % 1024);
    }

    public Result shr(int i, int i2) {
        int i3 = (i << 3) % 1024;
        return new Result(i3, (i2 + i3) % 1024);
    }
}

public class Main {
    public static void bp(int start,StringBuilder str){
        int lasti = start;
        String table = "abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ_";
        //StringBuilder str = new StringBuilder("_rounD_ANaaa");//"_rounD000000");

        for (int j = start; j <12; j++) {
            for (int i = 0; i < 53; i++) {
                int[] iArr = {924,967,912,973,921,936,916,926,942,963,930,927,912,971,924,961,909,956,896,906,946,991,958,899,900,991,904,981,897,944,908,902,902,1003,906,951,952,995,948,1001,949,900,952,946,906,999,902,955,940,1015,928,1021,937,920,932,942,926,1011,914,943,928,1019,940,1009,989,1004,976,986,994,911,1006,979,980,911,984,901,977,992,988,982,1014,923,1018,967,968,915,964,921,965,1012,968,962,1018,919,1014,971,1020,935,1008,941,1017,968,1012,1022,974,931,962,1023,1008,939,1020,929,1005,988,992,1002,978,959,990,995,996,959,1000,949,993,976,1004,998,806,843,810,791,792,835,788,841,789,804,792,786,810,839,806,795,780,855,768,861,777,824,772,782,830,851,818,783,768,859,780,849,829,780,816,826,770,879,782,819,820,879,824,869,817,768,828,822,790,891,794,807,808,883,804,889,805,788,808,802,794,887,790,811,860,775,848,781,857,872,852,862,878,771,866,863,848,779,860,769,845,892,832,842,882,799,894,835,836,799,840,789,833,880,844,838,838,811,842,887,888,803,884,809,885,836,888,882,842,807,838,891,876,823,864,829,873,856,868,878,862,819,850,879,864,827,876,817,669,684,656,666,674,719,686,659,660,719,664,709,657,672,668,662,694,731,698,647,648,723,644,729,645,692,648,642,698,727,694,651,700,743,688,749,697,648,692,702,654,739,642,703,688,747,700,737,685,668,672,682,658,767,670,675,676,767,680,757,673,656,684,678,742,651,746,727,728,643,724,649,725,740,728,722,746,647,742,731,716,663,704,669,713,760,708,718,766,659,754,719,704,667,716,657,765,716,752,762,706,687,718,755,756,687,760,677,753,704,764,758,726,699,730,743,744,691,740,697,741,724,744,738,730,695,726,747,540,583,528,589,537,552,532,542,558,579,546,543,528,587,540,577,525,572,512,522,562,607,574,515,516,607,520,597,513,560,524,518,518,619,522,567,568,611,564,617,565,516,568,562,522,615,518,571,556,631,544,637,553,536,548,558,542,627,530,559,544,635,556,625,605,620,592,602,610,527,622,595,596,527,600,517,593,608,604,598,630,539,634,583,584,531,580,537,581,628,584,578,634,535,630,587,636,551,624,557,633,584,628,638,590,547,578,639,624,555,636,545,621,604,608,618,594,575,606,611,612,575,616,565,609,592,620,614,422,459,426,407,408,451,404,457,405,420,408,402,426,455,422,411,396,471,384,477,393,440,388,398,446,467,434,399,384,475,396,465,445,396,432,442,386,495,398,435,436,495,440,485,433,384,444,438,406,507,410,423,424,499,420,505,421,404,424,418,410,503,406,427,476,391,464,397,473,488,468,478,494,387,482,479,464,395,476,385,461,508,448,458,498,415,510,451,452,415,456,405,449,496,460,454,454,427,458,503,504,419,500,425,501,452,504,498,458,423,454,507,492,439,480,445,489,472,484,494,478,435,466,495,480,443,492,433,285,300,272,282,290,335,302,275,276,335,280,325,273,288,284,278,310,347,314,263,264,339,260,345,261,308,264,258,314,343,310,267,316,359,304,365,313,264,308,318,270,355,258,319,304,363,316,353,301,284,288,298,274,383,286,291,292,383,296,373,289,272,300,294,358,267,362,343,344,259,340,265,341,356,344,338,362,263,358,347,332,279,320,285,329,376,324,334,382,275,370,335,320,283,332,273,381,332,368,378,322,303,334,371,372,303,376,293,369,320,380,374,342,315,346,359,360,307,356,313,357,340,360,354,346,311,342,363,156,199,144,205,153,168,148,158,174,195,162,159,144,203,156,193,141,188,128,138,178,223,190,131,132,223,136,213,129,176,140,134,134,235,138,183,184,227,180,233,181,132,184,178,138,231,134,187,172,247,160,253,169,152,164,174,158,243,146,175,160,251,172,241,221,236,208,218,226,143,238,211,212,143,216,133,209,224,220,214,246,155,250,199,200,147,196,153,197,244,200,194,250,151,246,203,252,167,240,173,249,200,244,254,206,163,194,255,240,171,252,161,237,220,224,234,210,191,222,227,228,191,232,181,225,208,236,230,38,75,42,23,24,67,20,73,21,36,24,18,42,71,38,27,12,87,0,93,9,56,4,14,62,83,50,15,0,91,12,81,61,12,48,58,2,111,14,51,52,111,56,101,49,0,60,54,22,123,26,39,40,115,36,121,37,20,40,34,26,119,22,43,92,7,80,13,89,104,84,94,110,3,98,95,80,11,92,1,77,124,64,74,114,31,126,67,68,31,72,21,65,112,76,70,70,43,74,119,120,35,116,41,117,68,120,114,74,39,70,123,108,55,96,61,105,88,100,110,94,51,82,111,96,59,108,49};
                Round round = new Round();
                str.setCharAt(j, table.charAt(i)); 
                int a = round.round(iArr, str.toString());
                if (a > lasti) {
                    //lasti ++;
                    System.out.println(table.charAt(i)+"index:"+a + str.toString());
                    bp(lasti+1,new StringBuilder(str.toString()));
                    //break;
                }
            }
        }
    }
    public static void main(String[] args) {
       
        bp(7,new StringBuilder("_rounD_ANaaa"));
    }
}

我们从最后的数据中选择出长度是能到最后一位的就是flag。

Misc

Tr4ffIc_w1th_Ste90

首先是对流量的处理，打开看到MPEG TS协议。

直接追踪流+导出为.ts的视频即可。

播放即得密码。

打开发现给了加密图片的脚本，直接让gpt写个解密的即可。

import numpy as np
import cv2

def decode(outfile,seed):
    input_image = 'encoded.png'
    output_image = outfile
    np.random.seed(seed)
    encoded = cv2.imread(input_image, cv2.IMREAD_GRAYSCALE)
    if encoded is None:
        print(f"错误: 无法加载图片 {input_image}")
        exit(1)
    encoded_array = np.asarray(encoded)
    row_indices = list(range(encoded_array.shape[0]))
    col_indices = list(range(encoded_array.shape[1]))

    np.random.shuffle(row_indices)
    np.random.shuffle(col_indices)

    reverse_row_indices = sorted(range(len(row_indices)), key=lambda x: row_indices[x])
    reverse_col_indices = sorted(range(len(col_indices)), key=lambda x: col_indices[x])

    decoded_array = encoded_array[reverse_row_indices, :]
    decoded_array = decoded_array[:, reverse_col_indices]

    decoded_bgr = cv2.cvtColor(decoded_array, cv2.COLOR_GRAY2BGR)

    cv2.imwrite(output_image, decoded_bgr)
    print(f"解密后的图片已保存为 {output_image}")

for i in range(50,71):
    decode(f"{i}.png",i)

然后发现是个Data Matrix码，直接解码就行。

给了一段话。

I randomly found a word list to encrypt the flag. I only remember that Wikipedia said this word list is similar to the NATO phonetic alphabet.

crumpled chairlift freedom chisel island dashboard crucial kickoff crucial chairlift drifter classroom highchair cranky clamshell edict drainage fallout clamshell chatter chairlift goldfish chopper eyetooth endow chairlift edict eyetooth deadbolt fallout egghead chisel eyetooth cranky crucial deadbolt chatter chisel egghead chisel crumpled eyetooth clamshell deadbolt chatter chopper eyetooth classroom chairlift fallout drainage klaxon	

我们直接提取关键词去维基百科搜索一些就行。

发现是这个PGP word list
直接搓脚本解密就行。

word_list = {
    "aardvark": 0x00, "adroitness": 0x00,
    "absurd": 0x01, "adviser": 0x01,
    "accrue": 0x02, "aftermath": 0x02,
    "acme": 0x03, "aggregate": 0x03,
    "adrift": 0x04, "alkali": 0x04,
    "adult": 0x05, "almighty": 0x05,
    "afflict": 0x06, "amulet": 0x06,
    "ahead": 0x07, "amusement": 0x07,
    "aimless": 0x08, "antenna": 0x08,
    "Algol": 0x09, "applicant": 0x09,
    "allow": 0x0A, "Apollo": 0x0A,
    "alone": 0x0B, "armistice": 0x0B,
    "ammo": 0x0C, "article": 0x0C,
    "ancient": 0x0D, "asteroid": 0x0D,
    "apple": 0x0E, "Atlantic": 0x0E,
    "artist": 0x0F, "atmosphere": 0x0F,
    "assume": 0x10, "autopsy": 0x10,
    "Athens": 0x11, "Babylon": 0x11,
    "atlas": 0x12, "backwater": 0x12,
    "Aztec": 0x13, "barbecue": 0x13,
    "baboon": 0x14, "belowground": 0x14,
    "backfield": 0x15, "bifocals": 0x15,
    "backward": 0x16, "bodyguard": 0x16,
    "banjo": 0x17, "bookseller": 0x17,
    "beaming": 0x18, "borderline": 0x18,
    "bedlamp": 0x19, "bottomless": 0x19,
    "beehive": 0x1A, "Bradbury": 0x1A,
    "beeswax": 0x1B, "bravado": 0x1B,
    "befriend": 0x1C, "Brazilian": 0x1C,
    "Belfast": 0x1D, "breakaway": 0x1D,
    "berserk": 0x1E, "Burlington": 0x1E,
    "billiard": 0x1F, "businessman": 0x1F,
    "bison": 0x20, "butterfat": 0x20,
    "blackjack": 0x21, "Camelot": 0x21,
    "blockade": 0x22, "candidate": 0x22,
    "blowtorch": 0x23, "cannonball": 0x23,
    "bluebird": 0x24, "Capricorn": 0x24,
    "bombast": 0x25, "caravan": 0x25,
    "bookshelf": 0x26, "caretaker": 0x26,
    "brackish": 0x27, "celebrate": 0x27,
    "breadline": 0x28, "cellulose": 0x28,
    "breakup": 0x29, "certify": 0x29,
    "brickyard": 0x2A, "chambermaid": 0x2A,
    "briefcase": 0x2B, "Cherokee": 0x2B,
    "Burbank": 0x2C, "Chicago": 0x2C,
    "button": 0x2D, "clergyman": 0x2D,
    "buzzard": 0x2E, "coherence": 0x2E,
    "cement": 0x2F, "combustion": 0x2F,
    "chairlift": 0x30, "commando": 0x30,
    "chatter": 0x31, "company": 0x31,
    "checkup": 0x32, "component": 0x32,
    "chisel": 0x33, "concurrent": 0x33,
    "choking": 0x34, "confidence": 0x34,
    "chopper": 0x35, "conformist": 0x35,
    "Christmas": 0x36, "congregate": 0x36,
    "clamshell": 0x37, "consensus": 0x37,
    "classic": 0x38, "consulting": 0x38,
    "classroom": 0x39, "corporate": 0x39,
    "cleanup": 0x3A, "corrosion": 0x3A,
    "clockwork": 0x3B, "councilman": 0x3B,
    "cobra": 0x3C, "crossover": 0x3C,
    "commence": 0x3D, "crucifix": 0x3D,
    "concert": 0x3E, "cumbersome": 0x3E,
    "cowbell": 0x3F, "customer": 0x3F,
    "crackdown": 0x40, "Dakota": 0x40,
    "cranky": 0x41, "decadence": 0x41,
    "crowfoot": 0x42, "December": 0x42,
    "crucial": 0x43, "decimal": 0x43,
    "crumpled": 0x44, "designing": 0x44,
    "crusade": 0x45, "detector": 0x45,
    "cubic": 0x46, "detergent": 0x46,
    "dashboard": 0x47, "determine": 0x47,
    "deadbolt": 0x48, "dictator": 0x48,
    "deckhand": 0x49, "dinosaur": 0x49,
    "dogsled": 0x4A, "direction": 0x4A,
    "dragnet": 0x4B, "disable": 0x4B,
    "drainage": 0x4C, "disbelief": 0x4C,
    "dreadful": 0x4D, "disruptive": 0x4D,
    "drifter": 0x4E, "distortion": 0x4E,
    "dropper": 0x4F, "document": 0x4F,
    "drumbeat": 0x50, "embezzle": 0x50,
    "drunken": 0x51, "enchanting": 0x51,
    "Dupont": 0x52, "enrollment": 0x52,
    "dwelling": 0x53, "enterprise": 0x53,
    "eating": 0x54, "equation": 0x54,
    "edict": 0x55, "equipment": 0x55,
    "egghead": 0x56, "escapade": 0x56,
    "eightball": 0x57, "Eskimo": 0x57,
    "endorse": 0x58, "everyday": 0x58,
    "endow": 0x59, "examine": 0x59,
    "enlist": 0x5A, "existence": 0x5A,
    "erase": 0x5B, "exodus": 0x5B,
    "escape": 0x5C, "fascinate": 0x5C,
    "exceed": 0x5D, "filament": 0x5D,
    "eyeglass": 0x5E, "finicky": 0x5E,
    "eyetooth": 0x5F, "forever": 0x5F,
    "facial": 0x60, "fortitude": 0x60,
    "fallout": 0x61, "frequency": 0x61,
    "flagpole": 0x62, "gadgetry": 0x62,
    "flatfoot": 0x63, "Galveston": 0x63,
    "flytrap": 0x64, "getaway": 0x64,
    "fracture": 0x65, "glossary": 0x65,
    "framework": 0x66, "gossamer": 0x66,
    "freedom": 0x67, "graduate": 0x67,
    "frighten": 0x68, "gravity": 0x68,
    "gazelle": 0x69, "guitarist": 0x69,
    "Geiger": 0x6A, "hamburger": 0x6A,
    "glitter": 0x6B, "Hamilton": 0x6B,
    "glucose": 0x6C, "handiwork": 0x6C,
    "goggles": 0x6D, "hazardous": 0x6D,
    "goldfish": 0x6E, "headwaters": 0x6E,
    "gremlin": 0x6F, "hemisphere": 0x6F,
    "guidance": 0x70, "hesitate": 0x70,
    "hamlet": 0x71, "hideaway": 0x71,
    "highchair": 0x72, "holiness": 0x72,
    "hockey": 0x73, "hurricane": 0x73,
    "indoors": 0x74, "hydraulic": 0x74,
    "indulge": 0x75, "impartial": 0x75,
    "inverse": 0x76, "impetus": 0x76,
    "involve": 0x77, "inception": 0x77,
    "island": 0x78, "indigo": 0x78,
    "jawbone": 0x79, "inertia": 0x79,
    "keyboard": 0x7A, "infancy": 0x7A,
    "kickoff": 0x7B, "inferno": 0x7B,
    "kiwi": 0x7C, "informant": 0x7C,
    "klaxon": 0x7D, "insincere": 0x7D,
    "locale": 0x7E, "insurgent": 0x7E,
    "lockup": 0x7F, "integrate": 0x7F
}

def decode_flag(encoded_words):
    decoded_hex = []
    for word in encoded_words:
        if word in word_list:
            decoded_hex.append(hex(word_list[word])[2:])
        else:
            print(f"未找到单词: {word}")
            return None

    decoded_hex_str = ''.join(decoded_hex)
    decoded_bytes = bytes.fromhex(decoded_hex_str)
    return decoded_bytes.decode('utf-8', errors='ignore')
encoded_words = [
   "crumpled","chairlift","freedom","chisel","island","dashboard","crucial","kickoff","crucial","chairlift","drifter","classroom","highchair","cranky","clamshell","edict","drainage","fallout","clamshell","chatter","chairlift","goldfish","chopper","eyetooth","endow","chairlift","edict","eyetooth","deadbolt","fallout","egghead","chisel","eyetooth","cranky","crucial","deadbolt","chatter","chisel","egghead","chisel","crumpled","eyetooth","clamshell","deadbolt","chatter","chopper","eyetooth","classroom","chairlift","fallout","drainage","klaxon"
]

flag = decode_flag(encoded_words)
if flag:
    print(flag)

moshui's Blog

国城杯wp