[Notes] The 12th Geek Challenge, 2021

Preface

The Geek Challenge is quite friendly to newcomers, which makes it perfect for someone like me 😀

Solutions

 

RE

Re0

Just press F12: SYC{Welcome_to_Geek_challenge2021}

Re1

An exe file, not packed; drop it into IDA.

There is an array of length 60 and two important functions, enc0 and enc1.

Step into enc0: it is obviously base64. Check the table; it has not been swapped:

.rdata:0000000000405000 aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0

Then enter enc1, which just XORs the base64 output once more. The PoC script is as follows:

import base64

# The 60 bytes the binary compares against (copied from the .rdata array)
data = [
    21, 113, 44, 4, 37, 113, 40, 16, 21, 44,
    121, 40, 34, 45, 18, 38, 25, 45, 6, 58,
    26, 20, 25, 112, 24, 114, 6, 57, 26, 22,
    121, 112, 33, 7, 22, 38, 25, 45, 6, 58,
    33, 24, 14, 38, 34, 114, 26, 38, 35, 45,
    22, 114, 26, 24, 10, 58, 26, 24, 112, 125
]

# enc1 XORs every base64 character with 64; XOR is its own inverse,
# so undoing it gives back the standard base64 text
b64 = ''.join(chr(s ^ 64) for s in data)

print(base64.b64decode(b64))
# b'SYC{XOR_and_base64_are_the_basis_of_reverse}'
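Since the writeup checked .rdata to see whether the base64 table had been swapped, here is an added example (mine, not the writeup's script) that decodes base64 against any 64-character alphabet passed in, so a custom table read out of a binary can be used as-is; the standard table is the default. RE1_CIPHER is the byte list from the PoC above; the rotated alphabet at the end is constructed for the demonstration, and all function names are mine.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Re1 data from the writeup: base64 text with every character XORed with 64
RE1_CIPHER = [
    21, 113, 44, 4, 37, 113, 40, 16, 21, 44,
    121, 40, 34, 45, 18, 38, 25, 45, 6, 58,
    26, 20, 25, 112, 24, 114, 6, 57, 26, 22,
    121, 112, 33, 7, 22, 38, 25, 45, 6, 58,
    33, 24, 14, 38, 34, 114, 26, 38, 35, 45,
    22, 114, 26, 24, 10, 58, 26, 24, 112, 125,
]


def _check_alphabet(alphabet: str) -> None:
    # A usable table has exactly 64 distinct symbols and must not reuse the pad char
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("a base64 alphabet needs 64 distinct characters, none of them '='")


def b64decode_custom(text: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Decode base64 written with `alphabet` by translating it to the standard table."""
    _check_alphabet(alphabet)
    body = text.rstrip("=")
    if any(c not in alphabet for c in body):
        raise ValueError("character outside the given alphabet")
    std = body.translate(str.maketrans(alphabet, STD_ALPHABET))
    # Restore padding so the stdlib decoder accepts unpadded input too
    return base64.b64decode(std + "=" * (-len(std) % 4))


def b64encode_custom(raw: bytes, alphabet: str = STD_ALPHABET) -> str:
    """Inverse of b64decode_custom; handy for confirming a table lifted from a binary."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def undo_xor_then_b64(cipher, xor_key: int, alphabet: str = STD_ALPHABET) -> bytes:
    """Reverse enc1 (single-byte XOR) and then enc0 (base64) in that order."""
    text = "".join(chr(c ^ xor_key) for c in cipher)
    return b64decode_custom(text, alphabet)


if __name__ == "__main__":
    print(undo_xor_then_b64(RE1_CIPHER, 64))
    # Constructed swapped table: the standard alphabet rotated by 17 positions
    rotated = STD_ALPHABET[17:] + STD_ALPHABET[:17]
    enc = b64encode_custom(b"SYC{table_check}", rotated)
    print(enc, b64decode_custom(enc, rotated))
```

If the table in .rdata had been swapped, the only change would be passing that string as `alphabet`; the decoder rejects anything that is not a proper 64-symbol table, which catches a mis-copied table early.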

 

Liu Zhuang Desktop Beautification Master (刘壮桌面美化大师)

From the main class it is clear this APK challenge is just a sign-in task; find the string under the resources: SYC{We1c0m3_t0_4ndRo1d_ReV3rse!}

Buy Activity (买Activity)

The main class is Decode; its source is as follows:

package com.sorrowrain.buyactivity;

import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

@Metadata(mo12032d1 = {"\u0000\u0014\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0002\bÆ\u0002\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0006\u0010\u0003\u001a\u00020\u0004J\t\u0010\u0005\u001a\u00020\u0004H† ¨\u0006\u0006"}, mo12033d2 = {"Lcom/sorrowrain/buyactivity/Decode;", "", "()V", "getDecodedFlag", "", "stringFromNative", "app_release"}, mo12034k = 1, mo12035mv = {1, 5, 1}, mo12037xi = 48)
/* compiled from: Decode.kt */
public final class Decode {
    public static final Decode INSTANCE = new Decode();

    public final native String stringFromNative();

    private Decode() {
    }

    public final String getDecodedFlag() {
        String str = stringFromNative().toString();
        int length = str.length();
        String str2 = "";
        int i = 0;
        while (i < length) {
            char charAt = str.charAt(i);
            i++;
            str2 = Intrinsics.stringPlus(str2, Character.valueOf((char) (charAt ^ 16)));
        }
        return str2;
    }
}

The core is a simple XOR, but the string str has to be obtained through the native method stringFromNative(). As everyone knows, Java native methods are written in C/C++, so find the .so file and decompile it, or just debug dynamically to grab the value:

# The two halves of the string returned by stringFromNative() (taken from the native library)
p1 = "CSD!Os!yiyO#|iU`bu1"
p2 = "Ikxc$dFdOCBq!Oh dtm"
# The native code interleaves them one character at a time
native = ''.join(a + b for a, b in zip(p1, p2))

# getDecodedFlag() XORs every character with 16
flag = ''.join(chr(ord(c) ^ 16) for c in native)

print(flag)
# SYC{Th1s_4ct1Vity_iS_R3al1y_Exp0rted!}

 

Debugging (调试)

Challenge description:

Intro && Hint: extraction code: Geek. The noob challenge author wanted to hand you a flag, but wrote the code wrong. How do you get the flag now... (Hint: install a Linux VM; it only runs on Linux)

Both the title and the description hint that this challenge requires debugging, so it is most likely a DEBUG task;

First look at the main function: there is just one comparison. Normally there should be more code after it, so my first guess is that this part is the region to debug;

A look at the graph view confirms it:

The current flow takes route ①; we need it to take route ② so that the output is reached, i.e. change the jnz to jz;

The main function after patching:

Run it once and you get the flag:
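An added example (mine, not from the writeup) of the same jnz → jz edit applied to raw bytes rather than in IDA: it only accepts a zero-flag branch at the given offset, so a wrong offset raises instead of corrupting an unrelated instruction, and a small helper shows which way the branch goes before and after. The sample bytes and offset are constructed for illustration; the real offset in the challenge binary is not given above.

```python
# Opcode pairs that invert a zero-flag branch: short form (74/75) and near form (0F 84 / 0F 85)
SHORT_FLIP = {0x74: 0x75, 0x75: 0x74}
NEAR_FLIP = {0x84: 0x85, 0x85: 0x84}


def flip_jcc(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the jz/jnz at `offset` inverted.

    Refuses to touch anything that is not a zero-flag branch, so a wrong offset
    fails loudly instead of silently changing some other instruction.
    """
    buf = bytearray(code)
    op = buf[offset]
    if op in SHORT_FLIP:
        buf[offset] = SHORT_FLIP[op]
    elif op == 0x0F and offset + 1 < len(buf) and buf[offset + 1] in NEAR_FLIP:
        buf[offset + 1] = NEAR_FLIP[buf[offset + 1]]
    else:
        raise ValueError(f"no jz/jnz at offset {offset:#x} (found byte {op:#04x})")
    return bytes(buf)


def branch_taken(code: bytes, offset: int, zf: bool) -> bool:
    """Which way the zero-flag branch at `offset` goes for a given ZF value."""
    op = code[offset]
    if op == 0x0F:          # near form: the condition is in the second byte
        op = code[offset + 1]
    if op in (0x74, 0x84):  # jz: jump when ZF is set
        return zf
    if op in (0x75, 0x85):  # jnz: jump when ZF is clear
        return not zf
    raise ValueError("not a jz/jnz")


# Constructed snippet mirroring the writeup's situation:
#   cmp eax, ebx        39 D8
#   jnz skip            75 05          ; route 1: skips the output when the compare fails
#   call print_flag     E8 00 00 00 00 ; rel32 left as zeros, target does not matter here
# skip:
#   ret                 C3
SAMPLE = bytes.fromhex("39d8" "7505" "e800000000" "c3")
JCC_OFFSET = 2

if __name__ == "__main__":
    patched = flip_jcc(SAMPLE, JCC_OFFSET)
    print("before:", SAMPLE.hex(), "jumps over the output on mismatch:",
          branch_taken(SAMPLE, JCC_OFFSET, zf=False))
    print("after: ", patched.hex(), "jumps over the output on mismatch:",
          branch_taken(patched, JCC_OFFSET, zf=False))
```

With the compare failing (ZF clear), the original jnz is taken and the call is skipped; after the flip the jz falls through into the call, which is exactly route ② in the graph above.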

 

easypyc

A familiar setup; I won't go into how to decompile it: a one-two punch of pyinstxtractor.py and uncompyle6.

The decompiled source is as follows:

# uncompyle6 emits the loops below as for/else blocks; they are flattened here
# (same behaviour), and the success messages sit after the comparison loop.
whatbox = [0] * 256

# Key scheduling: initialise the 256-byte state and permute it with the key
def aaaaaaa(a, b):
    k = [0] * 256
    t = 0
    for m in range(256):
        whatbox[m] = m
        k[m] = ord(a[(m % b)])
    for i in range(256):
        t = (t + whatbox[i] + k[i]) % 256
        temp = whatbox[i]
        whatbox[i] = whatbox[t]
        whatbox[t] = temp

# Keystream generation: each keystream byte is additionally XORed with 102
def bbbbbbbbbb(a, b):
    q = 0
    w = 0
    e = 0
    for k in range(b):
        q = (q + 1) % 256
        w = (w + whatbox[q]) % 256
        temp = whatbox[q]
        whatbox[q] = whatbox[w]
        whatbox[w] = temp
        e = (whatbox[q] + whatbox[w]) % 256
        a[k] = a[k] ^ whatbox[e] ^ 102

# Diffusion: XOR each byte with its right neighbour, then a running prefix XOR
def ccccccccc(a, b):
    for i in range(b):
        a[i] ^= a[((i + 1) % b)]
    for j in range(1, b):
        a[j] ^= a[(j - 1)]

if __name__ == '__main__':
    kkkkkkk = 'Geek2021'
    tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
    ssss = input('Please input your flag:')
    inp = [0] * len(ssss)
    if len(ssss) != 32:
        print('Length Error!!!!')
        exit(0)
    for i in range(len(ssss)):
        inp[i] = ord(ssss[i])
    aaaaaaa(kkkkkkk, len(kkkkkkk))
    bbbbbbbbbb(inp, 32)
    ccccccccc(inp, 32)
    for m in range(32):
        if tttttt[m] != inp[m]:
            raise Exception('sorry your flag is wrong')
    print('success!!!!!!')
    print('your flag is {}'.format(ssss))

This is RC4! Honestly I didn't notice at first and only realised after getting the flag: just easy RC4.

There are three functions, but only ccccccccc actually needs inverting, since RC4 decryption is the same operation as encryption. First run aaaaaaa to obtain the key-scheduled state whatbox, which comes out as:

whatbox = [41, 244, 181, 212, 184, 237, 95, 117, 193, 26, 137, 126, 65, 122, 239, 250, 214, 112, 62, 207, 240, 227, 120, 48, 36, 148, 234, 150, 228, 165, 129, 174, 56, 190, 46, 127, 49, 43, 245, 130, 114, 34, 202, 27, 131, 224, 64, 160, 50, 153, 157, 206, 52, 91, 225, 58, 176, 14, 5, 147, 103, 12, 30, 146, 77, 61, 179, 85, 101, 71, 72, 210, 47, 253, 8, 98, 45, 7, 246, 67, 135, 18, 255, 168, 90, 139, 203, 2, 242, 32, 111, 22, 220, 102, 107, 138, 37, 169, 116, 28, 35, 156, 89, 173, 235, 185, 136, 31, 252, 29, 78, 63, 170, 25, 222, 19, 99, 44, 100, 124, 229, 
144, 20, 221, 177, 232, 82, 163, 3, 249, 40, 93, 83, 68, 152, 223, 60, 54, 96, 97, 166, 94, 21, 16, 230, 154, 109, 178, 254, 92, 132, 155, 142, 1, 182, 243, 215, 197, 13, 0, 79, 151, 84, 187, 216, 180, 188, 175, 59, 66, 10, 106, 121, 183, 205, 42, 105, 204, 87, 86, 134, 189, 23, 241, 248, 118, 110, 211, 57, 158, 247, 231, 24, 218, 38, 149, 33, 15, 164, 217, 128, 115, 17, 233, 53, 236, 140, 51, 11, 208, 196, 55, 39, 172, 9, 76, 80, 226, 4, 70, 195, 108, 201, 69, 238, 123, 88, 145, 162, 125, 192, 219, 74, 161, 81, 198, 209, 73, 133, 186, 119, 251, 
143, 200, 194, 171, 141, 104, 213, 113, 6, 159, 199, 167, 75, 191]

Then invert ccccccccc; the PoC script is as follows:

# Identical to bbbbbbbbbb: the RC4 keystream XOR is its own inverse, so the
# same pass decrypts. Collects the result as a string, prints and returns it.
def rebbbbbbbbbb(a, b):
    flag = ""
    q = 0
    w = 0
    e = 0
    for k in range(b):
        q = (q + 1) % 256
        w = (w + whatbox[q]) % 256
        temp = whatbox[q]
        whatbox[q] = whatbox[w]
        whatbox[w] = temp
        e = (whatbox[q] + whatbox[w]) % 256
        flag += chr(a[k] ^ whatbox[e] ^ 102)
    print(flag)
    return flag

# Inverse of ccccccccc: undo the prefix pass first, then the neighbour pass,
# each walking backwards so every XOR sees the same operand the forward pass used
def reccccccccc(a, b):
    for j in range(b - 1, 0, -1):
        a[j] ^= a[(j - 1)]
    for i in range(b - 1, -1, -1):
        a[i] ^= a[((i + 1) % b)]
if __name__ == '__main__':

    kkkkkkk = 'Geek2021'
    tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
    whatbox = [41, 244, 181, 212, 184, 237, 95, 117, 193, 26, 137, 126, 65, 122, 239, 250, 214, 112, 62, 207, 240, 227, 120, 48, 36, 148, 234, 150, 228, 165, 129, 174, 56, 190, 46, 127, 49, 43, 245, 130, 114, 34, 202, 27, 131, 224, 64, 160, 50, 153, 157, 206, 52, 91, 225, 58, 176, 14, 5, 147, 103, 12, 30, 146, 77, 61, 179, 85, 101, 71, 72, 210, 47, 253, 8, 98, 45, 7, 246, 67, 135, 18, 255, 168, 90, 139, 203, 2, 242, 32, 111, 22, 220, 102, 107, 138, 37, 169, 116, 28, 35, 156, 89, 173, 235, 185, 136, 31, 252, 29, 78, 63, 170, 25, 222, 19, 99, 44, 100, 124, 229, 
    144, 20, 221, 177, 232, 82, 163, 3, 249, 40, 93, 83, 68, 152, 223, 60, 54, 96, 97, 166, 94, 21, 16, 230, 154, 109, 178, 254, 92, 132, 155, 142, 1, 182, 243, 215, 197, 13, 0, 79, 151, 84, 187, 216, 180, 188, 175, 59, 66, 10, 106, 121, 183, 205, 42, 105, 204, 87, 86, 134, 189, 23, 241, 248, 118, 110, 211, 57, 158, 247, 231, 24, 218, 38, 149, 33, 15, 164, 217, 128, 115, 17, 233, 53, 236, 140, 51, 11, 208, 196, 55, 39, 172, 9, 76, 80, 226, 4, 70, 195, 108, 201, 69, 238, 123, 88, 145, 162, 125, 192, 219, 74, 161, 81, 198, 209, 73, 133, 186, 119, 251, 
    143, 200, 194, 171, 141, 104, 213, 113, 6, 159, 199, 167, 75, 191]

    reccccccccc(tttttt,32)
    rebbbbbbbbbb(tttttt,32)

# SYC{Just_a_Eeeeeeasy_Rc4_right?}
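Rather than pasting the 256-byte whatbox, the state can be computed from the key. The following is an added example (mine, not the writeup's PoC) that reimplements aaaaaaa, bbbbbbbbbb and ccccccccc as plain functions with the inverse of the diffusion step, recovers the flag, and then confirms it through the challenge's own forward path. The key and tttttt are copied from the decompiled source; all function names are mine.

```python
# Key and expected ciphertext copied from the decompiled easypyc source
KEY = b"Geek2021"
TARGET = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165,
          136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]


def ksa(key: bytes) -> list:
    """aaaaaaa: the standard RC4 key-scheduling algorithm."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_xor(S: list, data: list, extra: int = 102) -> list:
    """bbbbbbbbbb: RC4 PRGA, each keystream byte additionally XORed with `extra`.

    Works on a copy of S; XOR is symmetric, so one function both encrypts and decrypts.
    """
    S = S[:]
    i = j = 0
    out = []
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256] ^ extra)
    return out


def diffuse(a: list) -> list:
    """ccccccccc: XOR with right neighbour (wrapping), then a running prefix XOR."""
    a = a[:]
    n = len(a)
    for i in range(n):
        a[i] ^= a[(i + 1) % n]
    for j in range(1, n):
        a[j] ^= a[j - 1]
    return a


def undiffuse(a: list) -> list:
    """Inverse of diffuse: undo the prefix pass, then the neighbour pass, both backwards."""
    a = a[:]
    n = len(a)
    for j in range(n - 1, 0, -1):
        a[j] ^= a[j - 1]
    for i in range(n - 1, -1, -1):
        a[i] ^= a[(i + 1) % n]
    return a


def check(flag: str) -> bool:
    """The challenge's own forward check, used to confirm a recovered flag."""
    data = [ord(c) for c in flag]
    return len(data) == 32 and diffuse(rc4_xor(ksa(KEY), data)) == TARGET


def solve() -> str:
    """Undo the diffusion, then strip the keystream; same order as the PoC above."""
    plain = rc4_xor(ksa(KEY), undiffuse(TARGET))
    return "".join(map(chr, plain))


if __name__ == "__main__":
    flag = solve()
    print(flag, check(flag))
```

Running `check()` on the result is the step worth keeping: with a tweaked RC4 like this one (the extra ^ 102), a wrong guess about the variant still produces 32 bytes, and only re-encrypting tells you whether they are the right ones.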

 

Cherish Life (珍惜生命)

A pyc file with no traps; a plain uncompyle6 decompile gives the following source:

def Challenge():
    import sys
    print("Welcome to py's world")
    S = input('plz give me your flag:')
    Key = input('plz give me your key(string):')
    if len(S) != 51 or len(Key) != 8:
        print("the flag's or key's strlen...")
        sys.exit()
    else:
        tmp = S[4:50]
        KEY_cmp = 'Syclover'
        key = []
        key_cmp = ''
        for i in Key:
            key.append(ord(i))

        try:
            key_cmp += chr((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14)
            key_cmp += chr((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801)
            key_cmp += chr((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924)
            key_cmp += chr(key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16)
            key_cmp += chr((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1)
            key_cmp += chr(key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40)
            key_cmp += chr(key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41)
            key_cmp += chr((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36)
        except ValueError:
            print("You know what I'm going to say...")
            sys.exit()

        if key_cmp != KEY_cmp:
            print("You know what I'm going to say...")
            sys.exit()
        flag = [
            113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35,
            95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98,
            85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]
        for i in range(46):
            if ord(tmp[i]) ^ key[((i + 1) % len(key))] != flag[i]:
                print("You know what I'm going to say...")
                sys.exit()

        print('Yeah!Submit your flag in a hurry~')


Challenge()

The crux is obtaining the key; solve for it with z3:

from z3 import *

KEY_cmp = 'Syclover'
# Eight unknown key bytes as 32-bit bit-vectors, so ^ | & >> behave as in the program
key = [BitVec('u%d' % i, 32) for i in range(0, 8)]

s = Solver()

# One constraint per character of key_cmp, expressions copied verbatim from the decompiled source
s.add( ((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14) == ord(KEY_cmp[0]))
s.add( ((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801) == ord(KEY_cmp[1]))
s.add( ((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924) == ord(KEY_cmp[2]))
s.add( (key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16) == ord(KEY_cmp[3]))
s.add( ((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1) == ord(KEY_cmp[4]))
s.add( (key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40) == ord(KEY_cmp[5]))
s.add( (key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41) == ord(KEY_cmp[6]))
s.add( ((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36) == ord(KEY_cmp[7]))

if s.check() == sat:
    result = s.model()
    print([result[k].as_long() for k in key])
else:
    print('unsat')

This gives the key [83, 38, 121, 99, 64, 45, 54, 46]; XOR again to get the flag:

key = [83, 38, 121, 99, 64, 45, 54, 46]
flag = 'SYC{'
tmp = [
    113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]

for i in range(46):
    flag += chr((tmp[i]) ^ key[((i + 1) % len(key))])

flag += '}'
print(flag)

# SYC{W3$c0m3_T0_th3_py_w0r1d_@nd_z3_1s_s0000_g00d!!}
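The z3 script models the key as 32-bit bit-vectors, while the program works on Python integers and then calls chr(), which rejects negative values and values above 0x10FFFF (that is why Challenge() catches ValueError). A satisfying model should therefore be confirmed by rerunning the original arithmetic. Added example (mine, not the writeup's scripts): the eight expressions from Challenge() evaluated on the recovered key, plus the flag XOR, both behind functions that can be asserted on. KEY and FLAG_WORDS are copied from above; function names are mine.

```python
KEY_CMP = "Syclover"
KEY = [83, 38, 121, 99, 64, 45, 54, 46]          # z3 model from the writeup

# The 46 compared values from the decompiled pyc (flag body without SYC{ and })
FLAG_WORDS = [113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35,
              95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98,
              85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]


def derive_key_cmp(key: list) -> list:
    """The eight expressions from Challenge(), copied verbatim, evaluated on Python ints."""
    return [
        (key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14,
        (key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801,
        (key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924,
        key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16,
        (key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1,
        key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40,
        key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41,
        (key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36,
    ]


def verify_key(key: list) -> bool:
    """True only if the original program would accept this key.

    chr() raising is exactly the program's failure path, so treat it as a reject
    rather than letting it propagate; a model that only works modulo 2**32 fails here.
    """
    try:
        return "".join(chr(t) for t in derive_key_cmp(key)) == KEY_CMP
    except (ValueError, OverflowError):
        return False


def recover_flag(key: list) -> str:
    """The program's flag check run in reverse: the same XOR with key[(i + 1) % 8]."""
    body = "".join(chr(c ^ key[(i + 1) % len(key)]) for i, c in enumerate(FLAG_WORDS))
    return "SYC{" + body + "}"


if __name__ == "__main__":
    print("key accepted by the original arithmetic:", verify_key(KEY))
    print(recover_flag(KEY))
```

Had z3 returned a spurious model (possible in principle, since the bit-vector equations wrap where Python's integers do not), `verify_key` would reject it before any time was spent on the flag.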

 

new_language

Maybe I'm out of practice: I saw .NET and still threw it into IDA. Silly me;

Thrown into dnSpy this is a sign-in challenge; thrown into IDA it becomes an advanced one. The source is as follows:

using System;

namespace new___language
{
	// Token: 0x02000002 RID: 2
	internal class geek
	{
		// Token: 0x06000002 RID: 2 RVA: 0x00002058 File Offset: 0x00000258
		public static int getNumFromSBox(char index)
		{
			int num = (int)(index >> 4);        // high nibble: row
			int num2 = (int)(index & '\u000f'); // low nibble: column
			return geek.sbox[num * 16 + num2];
		}

		// Token: 0x06000003 RID: 3 RVA: 0x00002080 File Offset: 0x00000280
		private static void Main(string[] args)
		{
			Console.WriteLine("input:");
			string text = Console.ReadLine();
			int[] array = new int[34];
			int[] array2 = new int[]
			{
				64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157,
				207, 251, 4, 60, 81, 59, 77, 146, 77, 207, 26,
				38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253
			};
			bool flag = text.Length != 38;
			if (!flag)
			{
				bool flag2 = text.Substring(0, 4) != "SYC{" || text.Substring(37, 1) != "}";
				if (!flag2)
				{
					text = text.Substring(4, 33);
					for (int i = 0; i < 33; i++)
					{
						array[i] = geek.getNumFromSBox(text[i]);
					}
					for (int j = 0; j < 33; j++)
					{
						bool flag3 = array[j] != array2[j];
						if (flag3)
						{
							return;
						}
					}
					Console.WriteLine("good");
				}
			}
		}

		// Token: 0x04000001 RID: 1
		private static int[] sbox = new int[]
		{
			99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118,
			202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192,
			183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21,
			4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117,
			9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132,
			83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207,
			208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168,
			81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210,
			205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115,
			96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219,
			224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121,
			231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8,
			186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138,
			112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158,
			225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
			140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22
		};
	}
}

The description already says this is part of some encryption algorithm; the key part is these two loops:

for (int i = 0; i < 33; i++)
{
	array[i] = geek.getNumFromSBox(text[i]);
}
for (int j = 0; j < 33; j++)
{
	bool flag3 = array[j] != array2[j];
	if (flag3)
	{
		return;
	}
}

getNumFromSBox processes the input one character at a time: the character is turned into an index (high nibble * 16 + low nibble) and the S-box entry at that index is returned, which is then compared with array2. Simple enough; straight to the PoC script:

public static void main(String[] args) {
    // Expected S-box outputs (array2), copied from the decompiled binary
    int[] array2 = new int[] {
            64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157,
            207, 251, 4, 60, 81, 59, 77, 146, 77, 207, 26,
            38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253
    };

    // For every expected value, find the ASCII character that the S-box maps to it
    String flag = "SYC{";
    for (int num : array2) {
        for (int i = 0; i < 128; i++) {
            char str = (char) i;
            if (getNumFromSBox(str) == num) {
                flag += str;
            }
        }
    }
    flag += "}";
    System.out.println(flag);
}

/*
SYC{right!!_y0u_c0mpIete_C#_reVer3e!!}
*/

Remember to add the S-box table sbox and the getNumFromSBox function yourself; they are too long to paste here;
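The 256-entry table in the C# source is the AES forward S-box (its first row is 0x63 0x7c 0x77 0x7b ...), which is the "part of an encryption algorithm" the description hints at. Added example (mine, not the writeup's PoC): regenerate the S-box from its GF(2^8) definition instead of pasting it, build the inverse table, and map array2 back in one pass rather than trying all 128 characters per entry as the Java loop does. ARRAY2 is copied from the decompiled source; function names are mine.

```python
# Expected values (array2) copied from the decompiled C# source
ARRAY2 = [64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157, 207, 251, 4, 60, 81, 59,
          77, 146, 77, 207, 26, 38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253]


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by AES convention."""
    if a == 0:
        return 0
    for x in range(1, 256):
        if gf_mul(a, x) == 1:
            return x
    raise ValueError("unreachable: every non-zero field element has an inverse")


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox() -> list:
    """S(x) = affine(inv(x)) with affine(b) = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    table = []
    for x in range(256):
        b = gf_inv(x)
        table.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return table


SBOX = aes_sbox()
INV_SBOX = {v: i for i, v in enumerate(SBOX)}   # the S-box is a bijection, so this is complete


def get_num_from_sbox(ch: str) -> int:
    """geek.getNumFromSBox: row = high nibble, column = low nibble, i.e. the byte itself."""
    return SBOX[(ord(ch) >> 4) * 16 + (ord(ch) & 0x0F)]


def recover(target: list) -> str:
    """Invert the substitution; a non-ASCII preimage would mean the table is not the one used."""
    chars = []
    for v in target:
        x = INV_SBOX[v]
        if x > 0x7F:
            raise ValueError(f"preimage {x:#04x} is not ASCII; table mismatch")
        chars.append(chr(x))
    return "SYC{" + "".join(chars) + "}"


if __name__ == "__main__":
    print(recover(ARRAY2))
```

Recognising the table saves more than the paste: once it is known to be a bijection, each expected value has exactly one preimage, so the lookup needs no search and a value with no printable preimage is an immediate sign that the wrong table (or the inverse S-box) is being applied.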

 

win32

A strange-looking exe. Check for a packer: the EP section is UPX1,

Try unpacking with UPX and drop it into IDA,

Look at the main functional routine,

LRESULT __fastcall sub_140011B80(HWND a1, UINT a2, WPARAM a3, LPARAM a4)
{
  char *v4; // rdi
  __int64 i; // rcx
  unsigned int v6; // eax
  LRESULT v7; // rax
  LRESULT v8; // rdi
  char v10[32]; // [rsp+0h] [rbp-60h] BYREF
  char v11; // [rsp+60h] [rbp+0h] BYREF
  CHAR String[136]; // [rsp+70h] [rbp+10h] BYREF
  char v13[48]; // [rsp+F8h] [rbp+98h] BYREF
  char *Str1; // [rsp+128h] [rbp+C8h] BYREF
  struct tagPAINTSTRUCT Paint; // [rsp+150h] [rbp+F0h] BYREF
  HDC v16; // [rsp+1B8h] [rbp+158h]
  UINT v17; // [rsp+284h] [rbp+224h]

  v4 = &v11;
  for ( i = 92i64; i; --i )
  {
    *(_DWORD *)v4 = -858993460;
    v4 += 4;
  }
  sub_1400113DE(&unk_1400240BE);
  strcpy(v13, "0123456789+/");
  Str1 = 0i64;
  v17 = a2;
  if ( a2 == 1 )
  {
    hWnd = CreateWindowExW(0, L"EDIT", 0i64, 0x50810000u, 0, 0, 390, 30, a1, (HMENU)0x12C, hInstance, 0i64);
    qword_14001E2B8 = (__int64)CreateWindowExW(
                                 0,
                                 L"BUTTON",
                                 &word_14001AEB8,
                                 0x50000000u,
                                 0,
                                 31,
                                 390,
                                 33,
                                 a1,
                                 (HMENU)0xC8,
                                 hInstance,
                                 0i64);
LABEL_17:
    v7 = 0i64;
    goto LABEL_18;
  }
  switch ( v17 )
  {
    case 2u:
      PostQuitMessage(0);
      goto LABEL_17;
    case 0xFu:
      v16 = BeginPaint(a1, &Paint);
      EndPaint(a1, &Paint);
      goto LABEL_17;
    case 0x111u:
      v17 = (unsigned __int16)a3;
      if ( (unsigned __int16)a3 == 200 )
      {
        GetWindowTextA(hWnd, String, 100);
        v6 = j_strlen(String);
        sub_1400110F5(String, v6, &Str1, v13);
        if ( !j_strcmp(Str1, Str2) )
          MessageBoxW(0i64, &Text, &Caption, 0);
        else
          MessageBoxW(0i64, &word_14001AF20, &word_14001AF18, 0);
      }
      goto LABEL_17;
  }
  v7 = DefWindowProcW(a1, a2, a3, a4);
LABEL_18:
  v8 = v7;
  sub_140011366(v10, &unk_14001ADD0);
  return v8;
}

The main logic just takes the submitted text and base64 "encrypts" it before comparing,

import base64
# The expected string the program compares against, recovered from the binary
enc = 'U1lDe3kwdV9nM3RfQV9mMWFnX2J5X2N5YmVybG9hZmluZ19hdXRoMHJ9'
print(base64.b64decode(enc))
# SYC{y0u_g3t_A_f1ag_by_cyberloafing_auth0r}

 

WEB

Dark

Just open it in the Tor browser; other browsers presumably can't load it, as the name suggests: SYC{hav3_fUn_1n_darK}

Welcome2021

The challenge hints to look at the source,

It says clearly to send the request using the WELCOME method,

Then request f1111aaaggg9.php,

 

babysql

An SQL injection challenge,

Straight to sqlmap; those who know, know,

 

Mixue Bingcheng, Sweet Sweet (蜜雪冰城甜蜜蜜)

From the hint, clicking drink number nine gives the flag directly, but only 8 are shown. They do have ids, though: from the JS, the id of the clicked image is sent on submit, so change the id in the page to id=9 and click again,

 

Afterword

I didn't do the challenges released later; these days I do RE just for fun 🤪

Author: sid10t.