【2024春节】解题领红包部分 WP
# Windows 初级fl@g{H@ppy_N3w_e@r!2o24!Fighting!!!}
```cpp
#include <iostream>
int main() {
    // The flag was stored with every byte shifted up by 3; shift each byte back down
    // in place and print the result. The trailing \x80 lands on '}' after the shift
    // (the wrap-around for the signed-char case is two's-complement on mainstream targets).
    char data[] = "ioCj~KCss|bQ6zbhCu$5r57$Iljkwlqj$$$\x80";
    for (int idx = 0; data[idx] != '\0'; ++idx) {
        data[idx] = static_cast<char>(data[idx] - 3);
    }
    std::cout << data << std::endl;
    return 0;
}
```
# 安卓初级
flag{happy_new_year_2024}
修改一下 AndroidManifest.xml 对应activity android:exported 改成true然后重新安装
```
<!-- android:exported="true" lets any app on the device (and `adb shell am start`) launch this
     activity directly, bypassing the app's normal flow. Acceptable while analysing the
     challenge APK; in a shipped build an activity with no external entry point must stay
     unexported. -->
<activity android:name="com.zj.wuaipojie2024_1.YSQDActivity" android:exported="true" android:screenOrientation="landscape" android:configChanges="screenSize|orientation|keyboardHidden"/>
```
adb直接启动,视频播放结束后会出现flag
```shell
# Start the (now exported) activity by explicit component name; per the text the flag is
# shown once the video finishes playing.
adb shell am start -n com.zj.wuaipojie2024_1/com.zj.wuaipojie2024_1.YSQDActivity
```
实际上藏在视频末尾
# 安卓初级
flag{52pj_HappyNewYear2024}
直接adb启动
```
# Launch FlagActivity directly; its onCreate derives the displayed text from the APK's
# signing certificate, so a resigned APK shows garbage here.
adb shell am start -n com.kbtx.redpack_simple/com.kbtx.redpack_simple.FlagActivity
```
主要是签名校验,如果修改了签名,还原出来可能是乱码
```java
/**
 * Decompiled activity as posted; array sizes and indices were lost in extraction, so the
 * listing does not compile verbatim. It derives the flag by XORing a built-in key with the
 * leading bytes of the APK's signing certificate, which is why a repacked/resigned APK
 * prints garbage. Defender's note: the signing certificate is public (it ships in the APK),
 * so this is a repack-integrity check, not a secret; since API 28 GET_SIGNING_CERTIFICATES
 * is the supported replacement for the GET_SIGNATURES flag used below.
 */
public class FlagActivity extends h {
// 27-byte XOR key; the loop below produces one output byte per key byte.
public static byte[] o = {86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77};
public void onCreate(Bundle bundle) {
byte[] bArr;
Signature[] signatureArr;
super.onCreate(bundle);
setContentView(R.layout.activity_flag);
byte[] bArr2 = o;
try {
// 64 == PackageManager.GET_SIGNATURES: fetch this package's signer certificates.
signatureArr = getPackageManager().getPackageInfo(getPackageName(), 64).signatures;
} catch (PackageManager.NameNotFoundException unused) {
// NOTE(review): the array size was dropped in extraction ("new byte;"); on this path
// signatureArr is never assigned and the exception is silently discarded.
bArr = new byte;
}
if (signatureArr != null && signatureArr.length >= 1) {
// NOTE(review): the element index (presumably [0], the first signer) was lost in
// extraction. Signature.toByteArray() returns the DER-encoded certificate.
byte[] byteArray = signatureArr.toByteArray();
ByteBuffer allocate = ByteBuffer.allocate(bArr2.length);
for (int i = 0; i < bArr2.length; i++) {
// NOTE(review): per-element indices were stripped; presumably bArr2[i] ^ byteArray[i].
allocate.put((byte) (bArr2 ^ byteArray));
}
bArr = allocate.array();
// Prefix built via a decompiler-renamed helper (a.d); the decoded bytes are turned into
// text with the platform default charset.
StringBuilder d = a.d("for honest players only: \n");
d.append(new String(bArr));
((TextView) findViewById(R.id.tvFlagHint)).setText(d.toString());
}
}
}
```
直接提取出CERT.RSA,修改后缀为p7b,双击导出证书
```java
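/**
 * Offline re-derivation of FlagActivity's output: the APK's signing certificate (DER,
 * exported from CERT.RSA and base64-encoded here) is XORed byte-wise with the embedded key.
 * The certificate is not a secret — every APK carries it — so the scheme only ties the
 * output to the original signer; it gives no confidentiality.
 */
public class cj {
    /** Base64 of the signer's DER-encoded X.509 certificate (exported from CERT.RSA). */
    public static String CertString="MIIDADCCAegCAQEwDQYJKoZIhvcNAQELBQAwRjEQMA4GA1UEAwwHa2J0eHdlcjEQ" +
"MA4GA1UECwwHNTJwb2ppZTEQMA4GA1UECgwHNTJwb2ppZTEOMAwGA1UEBwwFQ2hp" +
"bmEwHhcNMjQwMTE2MDYzMzIzWhcNNDkwMTA5MDYzMzIzWjBGMRAwDgYDVQQDDAdr" +
"YnR4d2VyMRAwDgYDVQQLDAc1MnBvamllMRAwDgYDVQQKDAc1MnBvamllMQ4wDAYD" +
"VQQHDAVDaGluYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIBIBBNf" +
"V8FTmAmp9ikd0NqDxfn8V8rxmaSM/je5oMxGoQUhMqY0TjCaMbgO5xXf/L0gf4Sw" +
"fmIMi8MjKwkwUEc/gp7LdKVF7o/UKf6uhIDkKEw1vGncQ9PBMOv3sKFsbRCFdhPC" +
"JCAq53Em/P3JZCFEFYKH/noZaWO8UqR7uULw916wWSNr+mTFJxjHNUekw2LxF07G" +
"QrmKMaTXy+jpkd+ifbcANdRRyHm13vEtu32xn9WrIREQJWxBVs0L5z0i0sBgMUTe" +
"oY5lehLAwBRrpcXrprlzoie4FfyO/tTEonVHcYVL08BEaG7L5lBaVA56+qCZkzlB" +
"C1qf64JkB0UsKIsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXhAk7ZWZLNjYgzTq" +
"82D9VpntfSMzY03e1l6c2mIiu1rmgYnbavtYmMqfNDeVnbLlDObRn8O5gu3n6e1d" +
"2SSI3tZpKK1ZOf3zGLF7SpXwIFu22iej3k97aXANlKJegHZ9JWtjABTiVGSLKjfW" +
"iZWe9HKTp3LBUJ2zGw3e03eWT+kzZtjvgI4gfRsji7vVG2odODMODCm+4a/dBnTl" +
"ADtM0lVdJaDPUj8ReR0ql/99EyNUMv7wtE+3o0xpCrUd5NVLp4doEusfaRnSvS35" +
"fDfp6SfODQ9BqE9TPgEPyOGn+iA8HHw+XQhzsrn8bNdNnlOBMsbXJcMFvF92Cw+4" +
"cQGoog==";
    /** XOR key copied from FlagActivity; its length (27) is the length of the decoded text. */
    public static byte[] o = {86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77};

    /**
     * XORs {@code key} with the leading bytes of {@code certDer} and decodes the result.
     *
     * @param key XOR key; one output byte is produced per key byte
     * @param certDer DER-encoded certificate, at least {@code key.length} bytes long
     * @return the decoded bytes interpreted as UTF-8
     * @throws IllegalArgumentException if the certificate is shorter than the key
     */
    public static String decodeFlag(byte[] key, byte[] certDer) {
        if (certDer.length < key.length) {
            throw new IllegalArgumentException("certificate has " + certDer.length
                    + " bytes but the key needs " + key.length);
        }
        byte[] flag = new byte[key.length];
        for (int i = 0; i < key.length; i++) {
            flag[i] = (byte) (key[i] ^ certDer[i]);
        }
        // Explicit charset: the original relied on the platform default.
        return new String(flag, java.nio.charset.StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        byte[] certDer = java.util.Base64.getDecoder().decode(CertString);
        System.out.println(decodeFlag(o, certDer));
    }
}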
```
# 安卓中级
简直就是终极谜语人
没啥好分析的
根据他的~~逻辑~~(完全没有逻辑)走,建议使用as或其他软件查看日志帮助调试。
首先需要手动修复classes.dex,建议使用np只修复文件头,这里建议使用frida或其他去hook文件读写,避免签名校验。
```
// Reads the bundled classes.dex (which the text says must be repaired by hand) from the
// APK assets and stages it as 1.dex under the app's private "data" dir.
// NOTE(review): the buffer size was lost in extraction ("new byte;"), and a single
// InputStream.read(byte[]) call may return fewer bytes than the buffer holds — the return
// value is ignored here, so a short read would leave the tail of the buffer zeroed.
InputStream open = getAssets().open("classes.dex");
byte[] bArr = new byte;
open.read(bArr);
File file = new File(getDir("data", 0), "1.dex");
```
手动复制文件1.dex修改为decode.dex,同目录/data/user/0/com.zj.wuaipojie2024_2/app_data/
```
/**
 * Loads decode.dex from the app's private "data" directory into a ByteBuffer.
 *
 * @param context used to locate the private directory via getDir("data", 0)
 * @return the file contents, or null when the file is absent or any exception occurs
 */
private static ByteBuffer read(Context context) {
try {
File file = new File(context.getDir("data", 0), "decode.dex");
if (file.exists()) {
// NOTE(review): not try-with-resources — the stream leaks if read() throws.
FileInputStream fileInputStream = new FileInputStream(file);
// NOTE(review): the buffer size was lost in extraction ("new byte;"); a single read()
// may also return fewer bytes than requested and its return value is not checked.
byte[] bArr = new byte;
fileInputStream.read(bArr);
ByteBuffer wrap = ByteBuffer.wrap(bArr);
fileInputStream.close();
return wrap;
}
return null;
} catch (Exception unused) {
// Every failure (I/O or otherwise) is reported the same way as "no file"; the cause is lost.
return null;
}
}
```
hook掉文件删除,主要删除了修复好了的2.dex
```
// Removes the repaired DEX (2.dex per the text) from both locations; the write-up hooks
// these calls so the repaired file survives for inspection. File.delete() returns a
// boolean that is ignored here, so a failed delete goes unnoticed.
fix.delete();
new File(dir, fix.getName()).delete();
```
根据提示,还要修复B.D,hook这里修改为B的偏移,同时修改2.dex为decode.dex
```
// Reads the A offset table from resources; the trailing comment records the generated
// resource IDs of both tables. The text's second repair pass substitutes B's offset here.
getResources().getIntArray(R.array.A_offset)// int A_offset = 0x7f030000;int B_offset = 0x7f030001;
```
两次修复了就能看到完整代码了
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
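/**
 * Recovered check logic: the password is the first 9 distinct characters of a fixed hex
 * string; password + UID is hashed with SHA-1 and the digest is then hashed with MD5 and
 * printed as lowercase hex. Both digests are fingerprints only — neither is suitable for
 * protecting a secret, which is fine for reproducing a challenge value.
 */
public class zj {
    static String UID = "1372193";
    /** Source of the password: characters are taken in order, duplicates skipped. */
    private static final String PASSWORD_SEED = "0485312670fb07047ebd2f19b91e1c5f";
    /** Number of distinct characters that make up the password. */
    private static final int PASSWORD_LENGTH = 9;
    /** Upper bound on seed characters examined (kept from the original loop). */
    private static final int SEED_SCAN_LIMIT = 40;

    public static void main(String[] args) {
        String password = GetPassword();
        String password_uid = password + UID;
        // Explicit charset: the original used the platform default.
        byte[] bArr = password_uid.getBytes(StandardCharsets.UTF_8);
        byte[] sha1 = GetSha1(bArr);
        String md5 = GetMd5(sha1);
        System.out.println("机缘是" + md5);
    }

    /**
     * SHA-1 digest of the input.
     *
     * @param bArr bytes to hash
     * @return the 20-byte digest
     * @throws IllegalStateException if SHA-1 is unavailable (it is mandatory in every JRE)
     */
    public static byte[] GetSha1(byte[] bArr) {
        try {
            return MessageDigest.getInstance("SHA-1").digest(bArr);
        } catch (NoSuchAlgorithmException e) {
            // Unreachable on a conforming JRE; fail loudly instead of returning null.
            throw new IllegalStateException("SHA-1 is a mandatory MessageDigest algorithm", e);
        }
    }

    /**
     * MD5 digest of the input as 32 lowercase hex characters.
     *
     * @param bArr bytes to hash
     * @return the hex-encoded 16-byte digest
     * @throws IllegalStateException if MD5 is unavailable (it is mandatory in every JRE)
     */
    public static String GetMd5(byte[] bArr) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(bArr);
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a mandatory MessageDigest algorithm", e);
        }
    }

    /**
     * Builds the password: scan the seed left to right, keeping each character the first
     * time it appears, until 9 distinct characters are collected.
     *
     * @return the password (9 characters for the fixed seed)
     */
    public static String GetPassword() {
        StringBuilder out = new StringBuilder(PASSWORD_LENGTH);
        // The original scanned up to index 40 of a 32-character string; bounding by the
        // seed length avoids an index error should the seed ever be shortened.
        int limit = Math.min(SEED_SCAN_LIMIT, PASSWORD_SEED.length());
        for (int i = 0; i < limit && out.length() < PASSWORD_LENGTH; i++) {
            char ch = PASSWORD_SEED.charAt(i);
            if (out.indexOf(String.valueOf(ch)) < 0) {
                out.append(ch);
            }
        }
        return out.toString();
    }
}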
```
# win高级
没做出来只做记录,学会了再来
客户端 upx 脱壳参考 (https://www.52pojie.cn/thread-1534675-1-1.html),主要是
```
sub_140001CF0(uid, flag) //分别传入了int uid 和 char *flag
```
避免每次都去手动输入使用frida调用
```
fridacrackme2024g_dump_SCY.exe
// Bind the checker at its image address and call it in-process, so the uid/flag pair does
// not have to be typed into the client on every attempt. First argument is the int uid,
// second a char* flag in the dashed-hex layout the text describes. NOTE(review): the
// absolute ptr(0x140001CF0) assumes the dumped image is loaded at its default base —
// confirm the module base if the address does not resolve.
var sub_140001CF0 = new NativeFunction(ptr(0x140001CF0), 'int64', ['int64', 'pointer']);
var uid = 1372193;
console.log(sub_140001CF0(uid, Memory.allocUtf8String("12345678-56789ABC-9ABDEF0C-12345678=")));
```
服务端Themida壳,看不懂,找了个现成的https://github.com/bobalkkagi/bobalkkagi
只找了部分对应函数,能力有限看不懂做了啥
```
401360 verify (ppv a1,bool *a2)//成功后给a2赋值
4012B0 set_flag(ppv a1,char *a2)
401280 set_uid(ppv a1,int *a2)
```
# 安卓高级
没做出来只做记录,学会了再来
因为只有arm64的so,真机刷废了,新的还没买,所以只有用unidbg跑
利用unidbg先知道函数地址
```
RegisterNative(com/wuaipojie/crackme2024/MainActivity, checkSn(0x1befc)
```
可以看见大部分都是间接跳转,参考 [记一次基于unidbg模拟执行的去除ollvm混淆](https://bbs.kanxue.com/thread-277086.htm) 来还原部分,需要注意的是并不完全一样,不一定寄存器全部相同,建议直接遍历。
第一次还原后,仍有很多看不懂,参考往年(https://www.52pojie.cn/forum.php?mod=viewthread&tid=1588403&highlight=2022%B4%BA%BD%DA#41606231_android-%E4%B8%AD%E7%BA%A7%E9%A2%98-2/4)
首先把`.bss`段patch 0,参考周易大佬的 https://www.52pojie.cn/forum.php?mod=redirect&goto=findpost&ptid=1742334&pid=45551435,修改下就行
```
import ida_bytes
import ida_idaapi
import ida_xref
import struct
def do_patch(ea):
    """Rewrite the 4-byte instruction at ``ea`` so its destination register becomes zero.

    The check on byte 3 (0xB9) selects the 32-bit load/store-with-unsigned-offset
    encodings that reference the .bss range; such an instruction is replaced with
    ``EOR Wt, Wt, Wt`` (opcode 0x4A000000 with the same register in Rd/Rn/Rm), which
    leaves Wt == 0 — the ".bss patched to 0" step from the text. Anything else is
    only reported, never patched.
    """
    opcode_hi = ida_bytes.get_bytes(ea + 3, 1)
    if opcode_hi != b"\xB9":
        print("ERROR@%016X" % ea)
        return
    rt = ida_bytes.get_bytes(ea, 1)[0] & 0x1F
    eor_self = 0x4A000000 | (rt << 16) | (rt << 5) | rt
    ida_bytes.patch_bytes(ea, struct.pack("<I", eor_self))
    print("PATCH@%016X" % ea)
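# .bss range whose readers should be patched, and the code range in which patches are
# allowed (both taken from the binary under analysis).
start = 0x0000000000059CC0
end = 0x000000000005A250
code_lo = 0x000000000000D5C0
code_hi = 0x000000000004D21C
# Walk every 4-byte slot of the .bss range and patch each in-range data reference to it.
for addr in range(start, end, 4):
    print("=={:016X}==".format(addr))
    ref = ida_xref.get_first_dref_to(addr)
    while ref != ida_idaapi.BADADDR:
        if code_lo <= ref < code_hi:
            do_patch(ref)
        ref = ida_xref.get_next_dref_to(addr, ref)
# The posted line carried a stray fragment after this call that broke the script.
print("=" * 20)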
```
然后把.data设置为只读
形如`MOV W9, #(off_55398 - 0xFFFFFFFF86761E84)`,的鼠标点击一下,按下Q `MOV W9, #0x798F3514`
大部分还是勉强可以阅读了
首先获取输入md5后uid的字节长度,判断是否是16
```
// Decompiler fragment from the flattened control flow: v7 (v33 plus a constant) is the
// next dispatcher state, so the two assignments are the two outcomes of the length test.
// The text reads v35 as the byte length of the md5(uid) input, expected to be 16.
v35 = sub_1DFE0(a1, v32);
v7 = v33 + 1548783866;
if ( v35 == 16 )
v7 = v33 + 949588317;
// JNI GetArrayLength wrapper as recovered by the decompiler. NOTE(review): only the JNIEnv
// parameter was recovered although the call site passes two arguments; the array
// presumably travels in a register the decompiler dropped — confirm in the disassembly.
__int64 __fastcall sub_1DFE0(JNIEnv *a1)
{
return ((*a1)->GetArrayLength)(a1);
}
```
然后是读取输入,以及判断某个东西
v11 = v32;
v12 = sub_1E02C(a1, v32, v5);//GetByteArrayElements
v36 = &v22;
v22 = 0uLL;
v37 = &v22;
v22 = *v12;
sub_1E0DC(a1, v11, v12, 0);//ReleaseByteArrayElements
v38 = sub_1E1A0(a1, v31, 0LL);//GetStringUTFChars
v24 = v33 + 1056209953;
v13 = sub_1E24C(&v24);
v7 = v33 - 783467553;
v5 = v28;
if ( (v13 & 1) == 0 )
v7 = v33 - 2063012219;
第一次trace就结束了,只有几千行就退出了
根据上面内容判断sub_1E24C函数返回值,走不同分支,根据trace代码,hook一下部分函数
```
// Module-relative addresses of the callees picked from the trace; each gets the
// argument-dumping breakpoint installed by addHook (which adds module.base).
int ptrs[]={0x1E924,0x23D8C,0x21260,0x217f8,0x23f28,0x219cc,0x21c34,0x21020};
for(int ptr:ptrs)
{
addHook(ptr);
}
/**
 * Installs a breakpoint at a module-relative address that logs the return address and
 * dumps the first three arguments each time it is hit, then lets emulation continue.
 *
 * @param address offset from module.base of the instruction to break on
 */
public void addHook(int address) {
emulator.attach().addBreakPoint(module.base + address, new BreakPointCallback() {
@Override
public boolean onHit(Emulator<?> emulator, long address) {
RegisterContext regs = emulator.getContext();
System.out.println("addBreakPoint: 0x" + Long.toHexString(address) + ", LR=" + regs.getLRPointer());
dumpArgs(regs);
return true;
}
});
}

/** Prints args 0..2 as 16-byte hex dumps, falling back to the raw register value when the
 *  argument cannot be read as a pointer. */
private static void dumpArgs(RegisterContext regs) {
for (int argIdx = 0; argIdx < 3; argIdx++) {
try {
Inspector.inspect(regs.getPointerArg(argIdx).getByteArray(0, 16), "bytes");
} catch (Exception e) {
System.out.println(regs.getLongArg(argIdx));
}
}
}
```
可以看出来主要检测adb ,通过init.svc.adbd判断running,其余作用没看出来,直接hook
```
// Skip sub_1E24C without executing it: jump straight to the return address (PC := LR)
// and make it report 0 (X0 := 0). The text identifies this routine as the adb check
// (init.svc.adbd == running), so 0 is the "nothing detected" result its caller expects.
emulator.attach().addBreakPoint(module.base + 0x1E24C, new BreakPointCallback() {
@Override
public boolean onHit(Emulator<?> emulator, long address) {
RegisterContext context = emulator.getContext();
emulator.getBackend().reg_write(Arm64Const.UC_ARM64_REG_PC, context.getLRPointer().peer);
emulator.getBackend().reg_write(Arm64Const.UC_ARM64_REG_X0, 0);
return true;
}
});
```
然后他就崩了,在1E924函数里面,根据某位大佬提示,这里面就核心部分,主要涉及签名以及flag,但是手上没手机调试不了,也没看出为啥崩了
v24 = sub_1E924(v31, v50, v22, v20, v26);
v8 = v41;
v5 = v38;
v6 = v39;
v9 = v43 + 2021858523;
if ( !v24 )
v9 = v43 - 1030713484;
同样的,这里根据不同返回值走不同分支
```
// Same skip-and-return-0 pattern: PC := LR, X0 := 0.
// NOTE(review): this repeats the 0x1E24C hook verbatim, while the surrounding text is
// discussing the branch on sub_1E924's return value — the intended address here may be
// different; confirm against the trace before reusing it.
emulator.attach().addBreakPoint(module.base + 0x1E24C, new BreakPointCallback() {
@Override
public boolean onHit(Emulator<?> emulator, long address) {
RegisterContext context = emulator.getContext();
emulator.getBackend().reg_write(Arm64Const.UC_ARM64_REG_PC, context.getLRPointer().peer);
emulator.getBackend().reg_write(Arm64Const.UC_ARM64_REG_X0, 0);
return true;
}
});
```
同样的操作,可以看到这次主函数基本跳转至少是还原了
在子函数里面还有一种,通过传递常量,来跳转,不多,直接手动就行,也可以自动,不过没啥明显特征,就是多了几个add
根据trace代码基本可以判断大致逻辑了,接着上面的读取了md5(uid)和flag
先base64解码flag
v49 = v6;
v50 = sub_24290(v48, v44, v6);
(sub_1E85C)(a1, v8, v48);
v8 = v41;
if ( v50 )
v9 = v43 + 1818917099;
else
v9 = v43 - 1972945260;
然后进行一系列运算
```
sub_1E924(v31, v50, v22, v20, v26)
```
然后对比md5(uid)和解密后的flag
v19 = sub_21020(v31, v53, v47, v45);//xor
v8 = v41;
v5 = v38;
v36 = v19 == 0;
```
// Observe sub_21020 (the text: the xor/compare of md5(uid) against the decrypted flag)
// without changing it: log x0, 16 bytes behind x1 and x2, and x3. The commented-out
// reg_write lines would instead skip the call and force a 0 result, as done for 0x1E24C.
emulator.attach().addBreakPoint(module.base + 0x21020,new BreakPointCallback() {
@Override
public boolean onHit(Emulator<?> emulator, long address) {
RegisterContext context = emulator.getContext();
int x0 = context.getIntArg(0);
System.out.println("x0: " + x0);
// NOTE(review): unlike addHook there is no try/catch here, so an unreadable pointer
// argument presumably aborts the callback instead of falling back to the raw register.
Pointer pointer1 = context.getPointerArg(1);
byte[] bytes1 = pointer1.getByteArray(0, 16);
Inspector.inspect(bytes1, "bytes");
Pointer pointer2 = context.getPointerArg(2);
byte[] bytes2 = pointer2.getByteArray(0, 16);
Inspector.inspect(bytes2, "bytes");
int x3 = context.getIntArg(3);
System.out.println("x3: " + x3);
//emulator.getBackend().reg_write(Arm64Const.UC_ARM64_REG_PC, context.getLRPointer().peer);
//emulator.getBackend().reg_write(Arm64Const.UC_ARM64_REG_X0, 0);
return true;
}
});
```
能力有限搞不定sub_1E924函数,等大佬来。
# web
## 初级
```
flag1{52pj2024}视频开头
flag3{GRsgk2}视频开头
```
flag2{xHOpRP} 扫描二维码重定向
```
flag4{YvJZNS}打开网站加载了图片flag4_flag10.png直接下载下来,或者浏览器改成黑暗模式
```
```
flagA
登录的时候,返回了加密flag, 然后又请求了一个地址,返回了uid,uid和flag格式类似,猜测加密算法一样,所以直接修改uid
```
```
import requests
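# Replays the /auth/uid request with the flagA ciphertext placed in the "uid" cookie.
# Per the text, uid and flagA share the same encrypted format, so the server decrypts the
# flagA token as if it were a uid — the tokens are not bound to their purpose, which is the
# root cause a defender would fix (include the field name/purpose in what is encrypted).
# NOTE(review): the cookie values below are the author's own session identifiers as posted
# (wzws_sessionid, Hm_*); treat them as expired and redact them before sharing a script.
headers = {
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
    "Cache-Control": "no-cache",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Referer": "https://2024challenge.52pojie.cn/index.html",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0",
    "sec-ch-ua": "\"Microsoft Edge\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\""
}
cookies = {
    "Hm_lvt_46d556462595ed05e05f009cdafff31a": "1708659720,1708672297,1708674684,1708680758",
    "wzws_sessionid": "gDExMC4xOTEuMTA2LjE1MoFjMDJmY2GgZdhm5YJmOTJkYmM=",
    "Hm_lpvt_46d556462595ed05e05f009cdafff31a": "1708681305",
    "uid": "Gd4Tluu3chgIlI4T05GgaCKkkj1Kq1hHC687aNvWDXYZYV0jIGKuBDUTUg==",
    "flagA": "Gd4Tluu3chgIlI4T05GgaCKkkj1Kq1hHC687aNvWDXYZYV0jIGKuBDUTUg=="
}
url = "https://2024challenge.52pojie.cn/auth/uid"
# Bounded wait so a stalled connection cannot hang the script forever.
response = requests.get(url, headers=headers, cookies=cookies, timeout=10)
print(response.text)
# flagA{55dd466e}   (the posted line used a "//" comment, which is a syntax error in Python)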
```
## 中级
flag5{P3prqF} -flag9{KHTALK}网页源码中有提示
用记事本打开,一个字符一行,调整一下缩进
flag6{20240217}计算md5
// Brute-forces the 8-digit numeric preimage of the target MD5 (per the text, flag6 is a
// date). `t0` and `MD5` are defined elsewhere on the page; progress is logged every
// 0x20000 iterations. Defensive takeaway: an unsalted hash of a short numeric value is
// recovered in seconds, so such values must not be protected by a bare digest.
for (let i = 0; i < 1e8; i++) {
if ((i & 0x1ffff) === 0x1ffff) {
const progress = i / 1e8;
const t = Date.now() - t0;
console.log(`${(progress * 100).toFixed(2)}% ${Math.floor(t / 1000)}s ETA:${Math.floor(t / progress / 1000)}s`);
}
if (MD5(String(i)) === '1c450bbafad15ad87c32831fa1a616fc') {
document.querySelector('#result').textContent = `flag6{${i}}`;
break;
}
}
直接跑一会或者https://www.cmd5.com/查询
flag7{Djl9NQ} 视频中出现的git地址,根据历史提交记录找到https://github.com/ganlvtech/52pojie-2024-challenge/commit/6bbac038c4813fbc5d129a8d605471ea2e374786
flag8{OaOjIK} flagB ~~直接玩游戏干他丫的~~,根据v50的提示溢出
首先要知道多少溢出,直接从2^1-2^64次方买一遍5,买到2^34 17179869184 时提示变了
```
{"code":1,"msg":"购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^"}
```
钱变多了肯定是有负号,说明需要钱不增加的情况下购买。
首先是数据类型,很容易判断出是i64 -2^63 到 2^63-1
```
#include <iostream>
#include <cstdint>
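int main() {
    // Price of flagB (from the shop table) and the two quantities tried in the text.
    const int64_t price = 999063388;
    const int64_t qty_small = 8589934592;   // 2^33: the product still fits in int64
    const int64_t qty_large = 17179869184;  // 2^34: the product exceeds INT64_MAX
    // Signed overflow is undefined behaviour in C++, so the product is formed in uint64_t
    // (where wrap-around is defined) and converted back; that reproduces the two's-complement
    // total an unchecked 64-bit multiplication on the server would see. The defensive fix on
    // the server side is a checked multiply (e.g. __builtin_mul_overflow) that rejects the
    // purchase when the total overflows, instead of trusting the wrapped value.
    auto wrapping_mul = [](int64_t a, int64_t b) {
        return static_cast<int64_t>(static_cast<uint64_t>(a) * static_cast<uint64_t>(b));
    };
    std::cout << wrapping_mul(price, qty_small) << '\n';
    std::cout << wrapping_mul(price, qty_large) << '\n';
    return 0;
}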
8581889156181917696
-1282965761345716224
```
| ID | 商品名称 | 商品描述 | 价格 |
| ---- | -------- | --------------- | -------------- |
| 4 | flag8 | 获取 flag8 内容 | 10000 金币 |
| 5 | flagB | 获取 flagB 内容 | 999063388 金币 |
所以要想实现零元购 单价乘以数量 必须等于2^64 *n (n=1,2,3……)
刚好8和b都是4的倍数,所以直接购买 2^62个( 2^62 X 4 )X (999063388%4)
## 高级
flag10{6BxMkW}
上面那张图片
```
from PIL import Image
png="flag4_flag10.png"
img = Image.open(png)
img = img.convert("CMYK")
img.show()
```
flag11{HPQfVF} 拼图,根据css,按30*30切分了,所以transform里面应该是整数
```css
/* Puzzle tiles are 30px squares, so the correct (var1, var2) must make the translate
   offsets whole pixels; the search for that pair is done in the C++ listing below. */
:root {
--var1: 0; /* pick a suitable value in the range 0 ~ 100 */
--var2: 0; /* pick a suitable value in the range 0 ~ 100 */
}
#a000 {
position: absolute;
left: 0;
top: 0;
width: 30px;
height: 30px;
background: url(flag11.png) 0px 0px;
transform: translate(calc(942.5135817416999px + 1.0215884355337748px * var(--var1) + 0.24768196677010001px * var(--var2)), calc(224.16483995058888px + 2.9293942195858147px * var(--var1) + 0.8924085229409133px * var(--var2)));
}
```
```
#include <iostream>
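// A value this close to an integer is treated as a whole pixel.
static const double kIntegerTolerance = 1e-6;

// True when x is within kIntegerTolerance of an integer. x is non-negative here, so
// truncation yields floor(x).
static bool nearInteger(double x) {
    double frac = x - static_cast<double>(static_cast<long long>(x));
    return frac < kIntegerTolerance || frac > 1.0 - kIntegerTolerance;
}

int main() {
    // Coefficients of the CSS transform: translate(a + b*var1 + c*var2, d + e*var1 + f*var2).
    // double keeps the 16-significant-digit coefficients; float (24-bit mantissa) quantises
    // values near 1000 to ~1e-4 and made the original's exact-equality test accidental.
    const double a = 942.5135817416999;
    const double b = 1.0215884355337748;
    const double c = 0.24768196677010001;
    const double d = 224.16483995058888;
    const double e = 2.9293942195858147;
    const double f = 0.8924085229409133;
    // Both offsets must land on whole pixels (30px tiles); scan the 0..99 range the CSS hints at.
    for (int var1 = 0; var1 < 100; var1++) {
        for (int var2 = 0; var2 < 100; var2++) {
            double dx = a + b * var1 + c * var2;
            double dy = d + e * var1 + f * var2;
            if (nearInteger(dx) && nearInteger(dy)) {
                std::cout << var1 << " " << var2 << std::endl;
            }
        }
    }
    return 0;
}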
//71 20
```
flag12{HOXI} 很简单的wasm
```
let num = 1213159497;//(int32)(secret* 1103515245)!= 1 ? 0: 1213159497
// Peel the bytes off the low end of num and prepend each one, so the most-significant
// byte ends up first in the string.
let str = '';
for (; num > 0; num >>= 8) {
  str = String.fromCodePoint(num & 0xff) + str;
}
console.log(`flag12{${str}}`);
```
直接跑也行,也就几秒钟
```
#include <iostream>
#include <cstdint>
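int main() {
    // Multiplier used by the wasm check; the loop finds its multiplicative inverse modulo
    // 2^32, i.e. the 32-bit value x with x * a == 1 (mod 2^32).
    const uint32_t a = 1103515245u;
    // Unsigned arithmetic so the wrap-around is well-defined (signed overflow is UB).
    for (uint32_t i = 0; i < 4294967295u; i++) {
        uint32_t b = i * a;
        if (b == 1u) {
            // The posted printf used "%lu" with an int32_t operand (a mismatched format
            // specifier and a string literal broken across two lines); stream output avoids both.
            std::cout << "secret : " << i << '\n';
            break;
        }
    }
    // Only odd numbers are invertible modulo 2^32, so the inverse of an odd multiplier is
    // itself odd; an even value such as the 4005161828 recorded below therefore looks like a
    // transcription slip rather than this program's output — re-run to confirm.
    return 0;
}//secret :4005161828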
```
flagC 每个人的不一样仅供参考
识别图片后提交了三个参数
boxes 坐标 用来画框 四个一组分别是左上(boxes,boxes) 右下 (boxes,boxes)
scores 置信度
classes 种类
结合响应可以模仿画一画,虽然也没啥用
```
import cv2
# Detector payload as described in the text: "boxes" holds 4 values per detection
# (top-left x, y then bottom-right x, y, in normalised coordinates), with one score and
# one class per detection; "labels"/"colors" come from the response. Lists were left
# empty in the posted version.
data = {
"boxes": [
],
"scores": [
],
"classes": [
],
"labels": [
],
"colors": [
]
}
png ="test.png"
img = cv2.imread(png)
h, w, _ = img.shape
# NOTE(review): the per-detection indices were stripped in extraction — presumably
# boxes[4*i .. 4*i+3], colors[i], labels[i] and scores[i] — so as printed these lines
# index whole lists and do not run.
for i, box in enumerate(data["classes"]):
x1, y1, x2, y2 = int(data["boxes"] * w), int(data["boxes"] * h), int(data["boxes"] * w), int(data["boxes"] * h)
# Presumably a hex colour string sliced at offsets 0/2/4, reversed to BGR for OpenCV.
color = tuple(int(data["colors"], 16) for j in (0, 2, 4))[::-1]
cv2.rectangle(img, (x1, y1), (x2, y2), color, 2)
cv2.putText(img, str(i)+"_"+data["labels"].split(" ") + " " + str(data["scores"]), (x1, y1), cv2.FONT_HERSHEY_SIMPLEX, 0.5, (255, 0, 255), 1)
cv2.imshow("img", img)
for i, box in enumerate(data["classes"]):
x1, y1, x2, y2 = int(data["boxes"] * w), int(data["boxes"] * h), int(data["boxes"] * w), int(data["boxes"] * h)
# NOTE(review): the crop slice (presumably img[y1:y2, x1:x2]) was lost; as printed the
# whole image is written out for every detection.
crop = img
name = data["labels"].split(" ")
cv2.imwrite(f"{i}-{name}.png", crop)
cv2.waitKey(0)
```
根据提示修改,第一次提示种类过多,减到4个没有问题了
然后跑一下有哪些种类
```
# Probe which class IDs the checker accepts: keep three detections fixed (classes 0, 9, 9
# on a quadrant grid) and vary the second one over 0..79, reporting every id whose
# response does not carry the "wrong class" message. `session`, `url` and `headers` are
# defined earlier in the script.
box_grid = [
    0.00, 0.00, 0.50, 0.50,
    0.50, 0.00, 1.00, 0.50,
    0.00, 0.50, 0.50, 1.00,
    0.50, 0.50, 1.00, 1.00,
]
scores = [
    0.8933814167976379,
    0.8905049562454224,
    0.884631872177124,
    0.8726911544799805,
]
for class_id in range(0, 80):
    data = {
        "boxes": box_grid,
        "scores": scores,
        "classes": [0, class_id, 9, 9],
    }
    response = session.post(url, headers=headers, json=data)
    if "种类错误" not in response.text:
        print(class_id)
跑完了我也只有0和9 那么根据排列组合
已知四位数,由0和9构成,0可以是首位,0和9至少出现1次,这个四位数有多少种可能
高中知识全换给老师了,交给各位了
最终我提交的内容,也就是两个人等traffic light
```
# Final submission: four boxes tiling the image into quadrants (x1, y1, x2, y2 in
# normalised coordinates), every score set to 1, and classes alternating 0 and 9 — the
# two ids the probe above found accepted (per the text: people and a traffic light).
data = {
"boxes": [
0.00,
0.00,
0.50,
0.50,
0.50,
0.00,
1.00,
0.50,
0.00,
0.50,
0.50,
1.00,
0.50,
0.50,
1.00,
1.00,
],
"scores": [
1,
1,
1,
1
],
"classes": [
0,
9,
0,
9
]
}
```
安卓中级知道还有二次修复,还有自己偏移,这个做不到了 感谢感谢,有几处没弄懂的学习了 本帖最后由 gzwzj 于 2024-2-25 00:44 编辑
Windows初始,内存 x86dbg 找的
安卓初级1,jadx 看源码,找到是视频尾
安卓初级2,jadx 看源码,frida hook 暴力改属性值为 o =
web 玩了初级和中级,其中cookie 那里,我是直接把 flagA 的值,改到 uid 里,刷新一下页面,就出来了
其他实在没能力了,还需要学习 这次windows高级题实在是搞不出来了 server不知道淦哪里给我整不会了 风子09 发表于 2024-2-25 00:20
安卓中级知道还有二次修复,还有自己偏移,这个做不到了
直接扣代码修复就行 debug_cat 发表于 2024-2-25 09:10
直接扣代码修复就行
刚刚看了其他大神分析,原来🈶AB两处偏移,改成B就二次修复了,心服口服 大佬太强了{:1_887:},混淆真的令人头疼 DNLINYJ 发表于 2024-2-25 00:59
这次windows高级题实在是搞不出来了 server不知道淦哪里给我整不会了
哈哈哈,看来确实比较难,com的方式不太熟不太好找。 用心讨论,共获提升!