文章目录
- OvO
- ez_rsa
- checkin
- 浅记一下
迟来的文章
OvO
题目描述:
from Crypto.Util.number import *
from secret import flag
nbits = 512
p = getPrime(nbits)
q = getPrime(nbits)
n = p * q
phi = (p-1) * (q-1)
while True:
kk = getPrime(128)
rr = kk + 2
e = 65537 + kk * p + rr * ((p+1) * (q+1)) + 1
if gcd(e, phi) == 1:
break
m = bytes_to_long(flag)
c = pow(m, e, n)
e = e >> 200 << 200
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')
"""
n = 111922722351752356094117957341697336848130397712588425954225300832977768690114834703654895285440684751636198779555891692340301590396539921700125219784729325979197290342352480495970455903120265334661588516182848933843212275742914269686197484648288073599387074325226321407600351615258973610780463417788580083967
e = 37059679294843322451875129178470872595128216054082068877693632035071251762179299783152435312052608685562859680569924924133175684413544051218945466380415013172416093939670064185752780945383069447693745538721548393982857225386614608359109463927663728739248286686902750649766277564516226052064304547032760477638585302695605907950461140971727150383104
c = 14999622534973796113769052025256345914577762432817016713135991450161695032250733213228587506601968633155119211807176051329626895125610484405486794783282214597165875393081405999090879096563311452831794796859427268724737377560053552626220191435015101496941337770496898383092414492348672126813183368337602023823
"""
题目分析:
e
=
65537
+
k
p
+
(
k
+
2
)
(
p
+
1
)
(
q
+
1
)
+
1
e
=
(
k
+
2
)
n
+
(
2
k
+
2
)
p
+
(
k
+
2
)
q
+
(
k
+
65540
)
⇒
k
+
2
=
e
/
/
n
,
k
=
e
/
/
n
−
2
令
e
中已知的项都为
a
,即
a
=
(
k
+
2
)
n
+
k
+
65540
e
=
(
2
k
+
2
)
p
+
(
k
+
2
)
q
+
a
e
p
=
(
2
k
+
2
)
p
2
+
(
k
+
2
)
n
+
a
p
目前是
e
的低
200
位未知,等式又已知
那么具体解法可以参考
d
的高位攻击,很快便能出结果的
e = 65537 + kp + (k + 2)(p + 1)(q + 1) + 1\\e = (k + 2)n + (2k + 2)p + (k + 2)q + (k + 65540)\\ \Rightarrow k + 2 = e // n,k = e // n - 2\\ 令e中已知的项都为a,即a = (k + 2)n + k + 65540\\e = (2k + 2)p + (k + 2)q + a\\e p = (2k + 2)p^2 + (k + 2)n + ap\\目前是e的低200位未知,等式又已知\\ 那么具体解法可以参考d的高位攻击,很快便能出结果的
e=65537+kp+(k+2)(p+1)(q+1)+1e=(k+2)n+(2k+2)p+(k+2)q+(k+65540)⇒k+2=e//n,k=e//n−2令e中已知的项都为a,即a=(k+2)n+k+65540e=(2k+2)p+(k+2)q+aep=(2k+2)p2+(k+2)n+ap目前是e的低200位未知,等式又已知那么具体解法可以参考d的高位攻击,很快便能出结果的
exp:
# sagemath
from Crypto.Util.number import *
def get_full_p(p_high, n, bits):
PR.<x> = PolynomialRing(Zmod(n))
f = x + p_high
f = f.monic()
roots = f.small_roots(X=2^(bits + 10), beta=0.4)
if roots:
x0 = roots[0]
p = gcd(x0 + p_high, n)
return ZZ(p)
n = 111922722351752356094117957341697336848130397712588425954225300832977768690114834703654895285440684751636198779555891692340301590396539921700125219784729325979197290342352480495970455903120265334661588516182848933843212275742914269686197484648288073599387074325226321407600351615258973610780463417788580083967
e = 37059679294843322451875129178470872595128216054082068877693632035071251762179299783152435312052608685562859680569924924133175684413544051218945466380415013172416093939670064185752780945383069447693745538721548393982857225386614608359109463927663728739248286686902750649766277564516226052064304547032760477638585302695605907950461140971727150383104
c = 14999622534973796113769052025256345914577762432817016713135991450161695032250733213228587506601968633155119211807176051329626895125610484405486794783282214597165875393081405999090879096563311452831794796859427268724737377560053552626220191435015101496941337770496898383092414492348672126813183368337602023823
k = e // n - 2
a = 65537 + (k + 2) * n + (k + 2) + 1
P.<x> = PolynomialRing(RealField(1024))
f = e * x - ((2 * k + 2) * x ^ 2 + (k + 2) * n + a * x)
res = f.roots()
if res:
for y in res:
p_high = int(y[0])
p = get_full_p(p_high, n, 200)
if p:
print(p)
# python
from Crypto.Util.number import *
n = 111922722351752356094117957341697336848130397712588425954225300832977768690114834703654895285440684751636198779555891692340301590396539921700125219784729325979197290342352480495970455903120265334661588516182848933843212275742914269686197484648288073599387074325226321407600351615258973610780463417788580083967
e = 37059679294843322451875129178470872595128216054082068877693632035071251762179299783152435312052608685562859680569924924133175684413544051218945466380415013172416093939670064185752780945383069447693745538721548393982857225386614608359109463927663728739248286686902750649766277564516226052064304547032760477638585302695605907950461140971727150383104
c = 14999622534973796113769052025256345914577762432817016713135991450161695032250733213228587506601968633155119211807176051329626895125610484405486794783282214597165875393081405999090879096563311452831794796859427268724737377560053552626220191435015101496941337770496898383092414492348672126813183368337602023823
k = e // n - 2
p = 9915449532466780441980882114644132757469503045317741049786571327753160105973102603393585703801838713884852201325856459312958617061522496169870935934745091
q = n // p
print(n % p)
e = 65537 + k * p + (k + 2) * ((p+1) * (q+1)) + 1
phi = (p - 1) * (q - 1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))
ez_rsa
题目描述:
ezrsa.py:
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
import random
from secret import flag
m = bytes_to_long(flag)
key = RSA.generate(1000)
passphrase = str(random.randint(0,999999)).zfill(6).encode()
output = key.export_key(passphrase=passphrase).split(b'\n')
for i in range(7, 15):
output[i] = b'*' * 64
with open("priv.pem", 'wb') as f:
for line in output:
f.write(line + b'\n')
with open("enc.txt", 'w') as f:
f.write(str(key._encrypt(m)))
enc.txt:
55149764057291700808946379593274733093556529902852874590948688362865310469901900909075397929997623185589518643636792828743516623112272635512151466304164301360740002369759704802706396320622342771513106879732891498365431042081036698760861996177532930798842690295051476263556258192509634233232717503575429327989
priv.pem:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,435BF84C562FE793
9phAgeyjnJYZ6lgLYflgduBQjdX+V/Ph/fO8QB2ZubhBVOFJMHbwHbtgBaN3eGlh
WiEFEdQWoOFvpip0whr4r7aGOhavWhIfRjiqfQVcKZx4/f02W4pcWVYo9/p3otdD
ig+kofIR9Ky8o9vQk7H1eESNMdq3PPmvd7KTE98ZPqtIIrjbSsJ9XRL+gr5a91gH
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
hQds7ZdA9yv+yKUYv2e4de8RxX356wYq7r8paBHPXisOkGIVEBYNviMSIbgelkSI
jLQka+ZmC2YOgY/DgGJ82JmFG8mmYCcSooGL4ytVUY9dZa1khfhceg==
-----END RSA PRIVATE KEY-----
题目分析:
第一部分先略过吧,不想看
直接跳到后面阶段
得到的数据有:
n = 0x00a18f011bebacceda1c6812730b9e62720d3cbd6857af2cf8431860f5dc83c5520f242f3be7c9e96d7f96b41898ff000fdb7e43ef6f1e717b2b7900f35660a21d1b16b51849be97a0b0f7cbcf5cfe0f00370cce6193fefa1fed97b37bd367a673565162ce17b0225708c032961d175bbc2c829bf2e16eabc7e0881feca0975c81
e = 0x10001
inv = 0x5f152c429871a7acdd28be1b643b4652800b88a3d23cc57477d75dd5555b635167616ef5c609d69ce3c2aedcb03b62f929bbcd891cadc0ba031ae6fec8a2116d
dqlow = 0x8f2363b340e5
看这里之前我觉得可以先来看看下面这题
checkin
题目描述:
from Crypto.Util.number import *
from secret import flag
p = getPrime(512)
q = getPrime(512)
n = p*q
x = 2021*p+1120*q
h = (inverse(x,n)+x)%n
e = 65537
c = pow(bytes_to_long(flag), e, n)
print('n =', n)
print('c =', c)
print('h =', h)
print('p0 =', p >> 490)
# n = 124592923216765837982528839202733339713655242872717311800329884147642320435241014134533341888832955643881019336863843062120984698416851559736918389766033534214383285754683751490292848191235308958825702189602212123282858416891155764271492033289942894367802529296453904254165606918649570613530838932164490341793
# c = 119279592136391518960778700178474826421062018379899342254406783670889432182616590099071219538938202395671695005539485982613862823970622126945808954842683496637377151180225469409261800869161467402364879561554585345399947589618235872378329510108345004513054262809629917083343715270605155751457391599728436117833
# h = 115812446451372389307840774747986196103012628652193338630796109042038320397499948364970459686079508388755154855414919871257982157430015224489195284512204803276307238226421244647463550637321174259849701618681565567468929295822889537962306471780258801529979716298619553323655541002084406217484482271693997457806
# p0 = 4055618
题目分析:
已知:
x
=
2021
p
+
1120
q
h
≡
x
+
1
x
(
m
o
d
n
)
p
0
=
p
的高
22
位
目前知道了
n
,
c
,
h
,
p
0
\begin{align*} & x = 2021p + 1120q\\ & h \equiv x + \frac{1}{x} \pmod n\\ & p0 = p的高22位\\ & 目前知道了n,c,h,p0\\ \end{align*}\\
x=2021p+1120qh≡x+x1(modn)p0=p的高22位目前知道了n,c,h,p0
=
>
x
2
+
1
−
h
x
≡
0
(
m
o
d
n
)
①
借助
p
0
计算出
x
的一个近似估计
x
0
x
0
=
2021
∗
(
p
0
<
<
490
)
+
1120
∗
(
N
p
0
<
<
490
)
x
和
x
0
之间的误差
x
_
d
i
f
f
最多是
501
位,大概
500
位左右的样子
所以我们将
x
_
d
i
f
f
当作一个新的未知量通过①式来构造等式,之后使用
c
o
p
p
e
r
求出
f
(
x
_
d
i
f
f
)
=
(
x
0
+
x
_
d
i
f
f
)
2
+
1
−
h
∗
(
x
0
+
x
_
d
i
f
f
)
=> x^2 + 1 - hx \equiv 0 \pmod n ①\\ 借助p0计算出x的一个近似估计x0\\ x0= 2021 * (p_0 << 490) + 1120 * (\frac{N}{p_0 << 490})\\ x和x0之间的误差x\_diff最多是501位,大概500位左右的样子\\ 所以我们将x\_diff当作一个新的未知量通过①式来构造等式,之后使用copper求出\\ f(x\_diff) = (x0 + x\_diff) ^ 2 + 1 - h * (x0 + x\_diff)
=>x2+1−hx≡0(modn)①借助p0计算出x的一个近似估计x0x0=2021∗(p0<<490)+1120∗(p0<<490N)x和x0之间的误差x_diff最多是501位,大概500位左右的样子所以我们将x_diff当作一个新的未知量通过①式来构造等式,之后使用copper求出f(x_diff)=(x0+x_diff)2+1−h∗(x0+x_diff)
现在的重点是small_roots()里面的参数要怎么设置
先来点前置知识(怕自己又忘了):
X:所求根的上界
beta( β ) (\beta) (β):限定因子,满足 b > = N β b >= N^{\beta} b>=Nβ,默认值为1 (所以此情况下b = N)。 (找到 f(x)
= 0 的一个解,使它在模 n 的某个因子时成立,此时这里说的某个因子即为b,在rsa中n = p * q,只有两个因子,故此时的b即p或q。一般我们遇到的题中p,q位数都是相等的,故beta可取0.5,但更多情况下我们并不知道p,q哪个大,所以保险起见beta通常取0.4)
epsilon( ϵ ) (\epsilon) (ϵ):限定因子,默认值为 β / 8 \beta / 8 β/8
d:f(x)的度,高位攻击中d = 1在方程F(x),模数N确认的情况下,我们可以通过增加 β \beta β 的取值或减小 ϵ \epsilon ϵ 的取值,使得X取到更优的上界。
我们知道上界
X
=
c
e
i
l
(
1
2
∗
N
β
2
d
−
ϵ
)
X = ceil(\frac{1}{2} * N^{\frac{\beta^2}{d} - \epsilon})
X=ceil(21∗Ndβ2−ϵ) (向上取整)
现在,已知d = 2,beta = 1,X有500位未知,我们取epsilon = 0.01是完成能够得到结果的,但我们也知道epsilon越小,耗时越长,我们试着把epsilon调大一点,让epsilon = 0.02,看看能否出结果。经过测试也是能出结果的,那么就用它啦
把x_diff求出来了,后面就简单了,这也就不多说了
from Crypto.Util.number import long_to_bytes
N = 124592923216765837982528839202733339713655242872717311800329884147642320435241014134533341888832955643881019336863843062120984698416851559736918389766033534214383285754683751490292848191235308958825702189602212123282858416891155764271492033289942894367802529296453904254165606918649570613530838932164490341793
c = 119279592136391518960778700178474826421062018379899342254406783670889432182616590099071219538938202395671695005539485982613862823970622126945808954842683496637377151180225469409261800869161467402364879561554585345399947589618235872378329510108345004513054262809629917083343715270605155751457391599728436117833
h = 115812446451372389307840774747986196103012628652193338630796109042038320397499948364970459686079508388755154855414919871257982157430015224489195284512204803276307238226421244647463550637321174259849701618681565567468929295822889537962306471780258801529979716298619553323655541002084406217484482271693997457806
p0 = 4055618
p_high = p0 << 490
x0 = 2021 * p_high + 1120 * (N // p_high)
P.<x_diff> = PolynomialRing(Zmod(N))
f = (x0 + x_diff)^2 + 1 - h * (x0 + x_diff)
res = f.small_roots(X = 2^500, epsilon = 0.02)
x_diff = Integer(res[0])
x = x0 + x_diff
p = var('p')
q = var('q')
res = solve([x == 2021 * p + 1120 * q, N == p * q], p, q)
print(res)
p = Integer(res[0][0].rhs()) # 提取等号右边部分
q = Integer(res[0][1].rhs())
d = inverse_mod(65537, (p - 1) * (q - 1))
print(long_to_bytes(int(pow(c,d,N))))
进入主题
国赛ez_rsa
题目描述:
(就截取这么一点点了)
n = 0x00a18f011bebacceda1c6812730b9e62720d3cbd6857af2cf8431860f5dc83c5520f242f3be7c9e96d7f96b41898ff000fdb7e43ef6f1e717b2b7900f35660a21d1b16b51849be97a0b0f7cbcf5cfe0f00370cce6193fefa1fed97b37bd367a673565162ce17b0225708c032961d175bbc2c829bf2e16eabc7e0881feca0975c81
e = 65537
inv = 0x5f152c429871a7acdd28be1b643b4652800b88a3d23cc57477d75dd5555b635167616ef5c609d69ce3c2aedcb03b62f929bbcd891cadc0ba031ae6fec8a2116d
dqlow = 0x8f2363b340e5
题目分析:
方式1
d
q
≡
d
(
m
o
d
q
−
1
)
d
q
⋅
e
≡
d
⋅
e
≡
1
(
m
o
d
q
−
1
)
d
q
⋅
e
−
1
=
k
⋅
(
q
−
1
)
d
q
⋅
e
+
k
−
1
=
k
q
我们目前已知的有
d
q
的低
48
位和
i
n
v
(其中
i
n
v
⋅
q
≡
1
(
m
o
d
p
)
)
又知道
:
i
n
v
⋅
q
−
1
=
k
1
⋅
p
想的是乘个
q
,得到:
i
n
v
⋅
q
⋅
q
−
q
=
k
1
⋅
n
然后
i
n
v
⋅
q
2
−
q
≡
0
(
m
o
d
n
)
,之后解方程
不过后面发现运行不出结果
被指出了问题:只有
k
q
,并没有
q
,确实,是我分析没有到位
所以换一个:
i
n
v
⋅
k
q
≡
k
(
m
o
d
p
)
i
n
v
⋅
k
q
−
k
=
k
2
⋅
p
i
n
v
⋅
(
k
q
)
2
−
k
⋅
k
q
=
k
⋅
k
2
⋅
n
≡
0
(
m
o
d
n
)
令
f
=
i
n
v
⋅
(
k
q
)
2
−
k
⋅
k
q
之后去解方程
\begin{align*} & dq \equiv d \pmod{q - 1} \\ & dq \cdot e \equiv d \cdot e \equiv 1 \pmod{q - 1} \\ & dq \cdot e - 1 = k \cdot (q - 1) \\ & dq \cdot e + k - 1 = kq \\ & 我们目前已知的有dq的低48位和inv(其中inv \cdot q \equiv1 \pmod p)\\ & 又知道:\\ & inv \cdot q - 1 = k_1 \cdot p\\ & 想的是乘个q,得到:inv\cdot q\cdot q - q = k_1 \cdot n\\ & 然后inv \cdot q^2 - q \equiv 0 \pmod n,之后解方程\\ & 不过后面发现运行不出结果\\ & 被指出了问题:只有kq,并没有q,确实,是我分析没有到位\\ & 所以换一个:\\ & inv \cdot kq \equiv k \pmod p\\ & inv \cdot kq - k = k_2 \cdot p\\ & inv \cdot (kq)^2 - k \cdot kq = k \cdot k_2\cdot n \equiv 0 \pmod n\\ & 令f = inv \cdot (kq)^2 - k \cdot kq \ 之后去解方程 \end{align*}
dq≡d(modq−1)dq⋅e≡d⋅e≡1(modq−1)dq⋅e−1=k⋅(q−1)dq⋅e+k−1=kq我们目前已知的有dq的低48位和inv(其中inv⋅q≡1(modp))又知道:inv⋅q−1=k1⋅p想的是乘个q,得到:inv⋅q⋅q−q=k1⋅n然后inv⋅q2−q≡0(modn),之后解方程不过后面发现运行不出结果被指出了问题:只有kq,并没有q,确实,是我分析没有到位所以换一个:inv⋅kq≡k(modp)inv⋅kq−k=k2⋅pinv⋅(kq)2−k⋅kq=k⋅k2⋅n≡0(modn)令f=inv⋅(kq)2−k⋅kq 之后去解方程
解方程的过程和上题的思路应该来说是一样的
这里也是d = 2,beta = 1,所以关键部分还是落在了epsilon 的取值上,这个就自己去生成数据测一测,从0.05往上加,发现到0.09以后解集为空,那么设置成0.09就行
exp:
from Crypto.Util.number import *
from tqdm import *
n = 0x00a18f011bebacceda1c6812730b9e62720d3cbd6857af2cf8431860f5dc83c5520f242f3be7c9e96d7f96b41898ff000fdb7e43ef6f1e717b2b7900f35660a21d1b16b51849be97a0b0f7cbcf5cfe0f00370cce6193fefa1fed97b37bd367a673565162ce17b0225708c032961d175bbc2c829bf2e16eabc7e0881feca0975c81
e = 0x010001
dqlow = 0x8f2363b340e5
inv = 0x5f152c429871a7acdd28be1b643b4652800b88a3d23cc57477d75dd5555b635167616ef5c609d69ce3c2aedcb03b62f929bbcd891cadc0ba031ae6fec8a2116d
c = 55149764057291700808946379593274733093556529902852874590948688362865310469901900909075397929997623185589518643636792828743516623112272635512151466304164301360740002369759704802706396320622342771513106879732891498365431042081036698760861996177532930798842690295051476263556258192509634233232717503575429327989
bits = 48
PR.<x> = PolynomialRing(Zmod(n))
dq = (2 ^ bits * x) + dqlow
# k = 47794
for k in trange(e,1,-1):
f = inv * (e * (2 ^ bits * x + dqlow) - 1 + k) ^ 2 - k * (e * (2 ^ T * x + dqlow) - 1 + k)
f = f.monic()
root = f.small_roots(X=2 ^ (512 - bits), epsilon = 0.09)
if root:
dq = int(root[0]) * 2 ** bits + dqlow
q = int((e * dq - 1) // k + 1)
p = int(n // q)
phi = (p - 1) * (q - 1)
d = inverse_mod(e,phi)
print(long_to_bytes(int(pow(c,d,n))))
break
方式2
回到解法1里面说的那句"
想的是乘个
q
,得到:
i
n
v
⋅
q
⋅
q
−
q
=
k
1
⋅
n
≡
0
(
m
o
d
n
)
想的是乘个q,得到:inv\cdot q\cdot q - q = k_1 \cdot n \equiv 0 \pmod n
想的是乘个q,得到:inv⋅q⋅q−q=k1⋅n≡0(modn)"
既然如此,那我们就来求q,我们知道了dq的低48位,那么我们可以通过
d
q
⋅
e
+
k
−
1
=
k
q
dq \cdot e + k - 1 = kq
dq⋅e+k−1=kq 该式子求得q的低48位
之后令
f
=
i
n
v
∗
(
2
b
i
t
s
∗
x
+
q
_
l
o
w
)
2
−
(
2
b
i
t
s
∗
x
+
q
_
l
o
w
)
f = inv * (2 ^{bits} * x + q\_low) ^ 2 - (2 ^{bits} * x + q\_low)
f=inv∗(2bits∗x+q_low)2−(2bits∗x+q_low)
解方程后即可得到flag
是的这里的epsilon最大也是0.09
from tqdm import *
from Crypto.Util.number import *
n = 0x00a18f011bebacceda1c6812730b9e62720d3cbd6857af2cf8431860f5dc83c5520f242f3be7c9e96d7f96b41898ff000fdb7e43ef6f1e717b2b7900f35660a21d1b16b51849be97a0b0f7cbcf5cfe0f00370cce6193fefa1fed97b37bd367a673565162ce17b0225708c032961d175bbc2c829bf2e16eabc7e0881feca0975c81
inv = 0x5f152c429871a7acdd28be1b643b4652800b88a3d23cc57477d75dd5555b635167616ef5c609d69ce3c2aedcb03b62f929bbcd891cadc0ba031ae6fec8a2116d
c = 55149764057291700808946379593274733093556529902852874590948688362865310469901900909075397929997623185589518643636792828743516623112272635512151466304164301360740002369759704802706396320622342771513106879732891498365431042081036698760861996177532930798842690295051476263556258192509634233232717503575429327989
dq_low = 0x8f2363b340e5
q_low = []
bits = 48
e = 65537
qq = var('qq')
PR.<x> = PolynomialRing(Zmod(n))
# k = 47794
for k in trange(e,1,-1):
k = 47794
q0 = solve_mod([e * dq_low == k * qq - k + 1], 2^bits)
for i in q0:
f = inv * (2 ^ bits * x + int(i[0])) ^ 2 - (2 ^ bits * x + int(i[0]))
f = f.monic()
root = f.small_roots(X = 2^(512-bits), epsilon = 0.09)
if root:
q = 2^bits * int(root[0]) + int(i[0])
p = n // q
d = inverse_mod(e,(p - 1) * (q - 1))
print(long_to_bytes(int(pow(c,d,n))))
break
# flag{df4a4054-23eb-4ba4-be5e-15b247d7b819}
这种方式更费时(不过多开几个在比赛过程中也是能出的)开始确实是这种想法来着,后面beta又写了个0.4,导致最终没出结果,可恶。
应该就是这个原因,导致又对它重温了一遍。
现在应该可以这样说,之前对coppersmith的理解是1/3,这次之后变成了2/3
所以说 数据测试真的是很重要啊!
浅记一下
OvO这题,有人问为什么不能用ZZ,要用RealField
细想一下就是用ZZ无解,为什么会无解,因为它的解是小数,而不是整数,故不能用ZZ。
RealField(1000)创建一个精度为1000位的实数环,即 可以得到小数点后1000位精确值,之后的可以舍弃,比如 如果得到的解是无理数,那么用它可以得到一个确切的值,而不是一个无限长小数
其他题,等以后有空再来吧
