[2024 Spring Festival] Red-packet challenge writeups: Windows beginner problem & all Web problems
Last edited by QAQ~QL on 2024-2-28 15:33
# ***[2024 Spring Festival] Red-packet challenge writeup 2 - Windows beginner problem***
## IDA analysis
### Analysis of main
From the pseudocode we learn that the flag is 36 characters long and that the string is compared character by character (the line with the red breakpoint).
## Dynamic debugging
### Breakpoint on the comparison statement
Inspect the address of v7; v8 comes from v20, i.e. the input text.
## Caesar analysis
```c
void *Src;
void *Block;
sub_732560(Src, "ioCj~KCss|bQ6zbhCu$5r57$Iljkwlqj$$$?", 36u);
if ( v21 == 36 )
{
  sub_732490(Src);
  sub_731FE0();
  LOBYTE(v23) = 2;
  v7 = Block;
  v8 = v20;
  if ( v19 >= 16 )
    v7 = (void **)Block;
  if ( v4 >= 16 )
    v8 = v5;
  if ( Block == (void *)36 )
  {
    v9 = 32;
    do
    {
      if ( *v8 != *v7 )
        break;
      ++v8;
      ++v7;
      v10 = v9 < 4;
      v9 -= 4;
    }
    while ( !v10 );
  }
...
_DWORD *__thiscall sub_732490(_DWORD *this, _DWORD *Src)
{
  _OWORD *v2; // ebx
  unsigned int v4; // ecx
  _DWORD *result; // eax
  int v6; // edi
  size_t v7; // eax
  void *v8; // eax
  _DWORD *v9; // ecx
  unsigned int v10; //
  v2 = Src;
  this = 0;
  this = 0;
  v4 = Src;
  v10 = v4;
  if ( Src >= 16u )
    v2 = (_OWORD *)*Src;
  if ( v4 >= 16 )
  {
    v6 = v4 | 15;
    if ( (v4 | 15) > 2147483647 )
      v6 = 2147483647;
    if ( (unsigned int)(v6 + 1) < 4096 )
    {
      if ( v6 == -1 )
        v9 = 0;
      else
        v9 = operator new(v6 + 1);
    }
    else
    {
      v7 = v6 + 36;
      if ( v6 + 36 <= (unsigned int)(v6 + 1) )
        v7 = -1;
      v8 = operator new(v7);
      if ( !v8 )
        _invalid_parameter_noinfo_noreturn();
      v9 = (_DWORD *)(((unsigned int)v8 + 35) & 0xFFFFFFE0);
      *(v9 - 1) = v8;
    }
    *this = v9;
    memmove(v9, v2, v10 + 1);
    this = v10;
    result = this;
    this = v6;
  }
  else
  {
    result = this;
    *(_OWORD *)this = *v2;
    this = v4;
    this = 15;
  }
  return result;
}
```
Since the tip makes it too obvious, just write a test script based on the evergreen answer `flag{}`:
```py
a = "ioCj~KCss|bQ6zbhCu$5r57$Iljkwlqj$$$?"
# The flag starts with 'f' (102) and the ciphertext with 'i' (105), so the shift is 3
for i in a:
    print(chr(ord(i) - (105 - 102)), end="")
```
# ***[2024 Spring Festival] Red-packet challenge writeups 8~10 - Web***
## Writeup
https://www.bilibili.com/video/BV1ap421R7VS/
A few obvious URLs taken from the video
QR code
https://2024challenge.52pojie.cn/
Project address
https://github.com/ganlvtech/52pojie-2024-challenge
## flagA
https://2024challenge.52pojie.cn/index.html
https://2024challenge.52pojie.cn/auth/login
```
HTTP/1.1 302 Found
Date: Wed, 21 Feb 2024 18:44:54 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: wzws_sessionid=gDI3LjE1NC4yMDMuOTeCZjkyZGJjoGXWRKaBYzEzNjll; Path=/; HttpOnly
Location: /
Set-Cookie: uid=2KFwj6jFf44dKlXDB+Ti88nMbWFkPXRXHFga9LtUy7ChNg==; path=/; SameSite=Lax
Set-Cookie: flagA=L6Sv7Og44YdiI+gNpgm9YF5sWDCoAa4OYlnM9AKsTQHrjEZ54tPcYWx12Q==; expires=Wed, 21 Feb 2024 18:50:00 GMT; path=/; SameSite=Lax
WZWS-RAY: 1139-1708569894.388-s4jhg
HTTP/1.1 302 Found
Date: Wed, 21 Feb 2024 19:14:08 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: wzws_sessionid=gDI3LjE1NC4yMDMuOTegZdZLgIFjMTM2OWWCZjkyZGJj; Path=/; HttpOnly
Location: /
Set-Cookie: uid=UUt56zJRESolKTW0ORX2PqGHYM3KB/J7eherP4nANd0yvA==; path=/; SameSite=Lax
Set-Cookie: flagA=RB7TyehutV08nZaXMaQADZx8WIwXjwmJkQtHqVnFjIKBNNSwGgAx7idYJg==; expires=Wed, 21 Feb 2024 19:20:00 GMT; path=/; SameSite=Lax
WZWS-RAY: 1139-1708571648.108-s5jhg
```
This encryption is dynamic; blind guess: RSA. Brute force is definitely out, so guess that the `https://2024challenge.52pojie.cn/auth/uid` endpoint has a decryption relationship with the uid.
Found that it depends only on the uid in the cookie, so replaced the uid value with the flagA value (a wild leap of imagination).
`flagA{e3cadceb}`
Here the `https://2024challenge.52pojie.cn/auth/uid` endpoint effectively serves as the decryption endpoint for this 2024challenge: it reveals all the encrypted data cached in cookies, for example `game2048_user_data`.
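The endpoint behaviour above, where the server decrypts whatever cookie value it is handed and echoes the plaintext, and a value minted for one cookie can be presented as another, is exactly what a defender would want to fix. The following is an added example, not code from the challenge project: a cookie format whose MAC covers the cookie name, so a `flagA` value presented as `uid` fails verification. It uses the Python standard library only (HMAC-SHA256 over name plus payload); `KEY`, the function names and the sample data are constructed for the demo. It provides integrity and context binding but not confidentiality; with an AEAD cipher the cookie name would go into the associated data in the same way, and the decrypting endpoint should never echo the plaintext of other cookies.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server loads a random secret from configuration.
KEY = b"demo-cookie-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _tag(cookie_name: str, payload: bytes) -> bytes:
    # The MAC input starts with the cookie name, so the tag is only valid
    # for the cookie it was minted for (context binding).
    return hmac.new(KEY, cookie_name.encode() + b"\0" + payload,
                    hashlib.sha256).digest()


def seal_cookie(cookie_name: str, data: dict) -> str:
    """Serialize data and append a name-bound tag; returns a cookie-safe string."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _tag(cookie_name, payload)).decode()


def open_cookie(cookie_name: str, value: str):
    """Return the data if value was sealed under cookie_name, else None."""
    try:
        raw = base64.urlsafe_b64decode(value)
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(cookie_name, payload)):
        return None  # wrong cookie name or tampered payload
    try:
        return json.loads(payload)
    except ValueError:
        return None


def swap_attempt() -> dict:
    """Present a flagA value as the uid cookie (constructed sample data)."""
    flag_value = seal_cookie("flagA", {"flag": "flagA{placeholder}"})
    uid_value = seal_cookie("uid", {"uid": 12345})
    return {
        "flagA_as_flagA": open_cookie("flagA", flag_value),
        "flagA_as_uid": open_cookie("uid", flag_value),
        "uid_as_uid": open_cookie("uid", uid_value),
    }


if __name__ == "__main__":
    print(swap_attempt())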
```
game2048_user_data
NtDDJugdK6TKcTmcBCnYLkelVZWMLEArgd8fsJELNZWRwJERBE9rcy9IpXysY8b4qUgdo4reIaMkT0hlKjw3/gXty+q1qx1PjxR8z3KEqsVwF2YBk8tEPnsEAsABb0sj7DforzjCJ7oAjHq4il1IZ76FFBz5jNVTT4legOKoM64=;
{"game_data":{"tiles":,"score":7572},"money_count":8194}
3+WawrjedRnS42J4x3aEDQ/whnHbIHSGbWhq3C/Vg2HBwlqCAvxreT5n2LM96ZVVQ/UCPO2QaF9TKMQiRxD5AKcaJiiuf304Fxzs3oJR03z76AYYC6xcTEZMBeBxn4t8dikJkRW+zFg=
{"game_data":{"tiles":},"money_count":7994}
Jz0gXDjJG+a1gpE1Z70m7PibK246/vtXKKMPXOfAUaHp02uCZdhwKShsHKoVVDnOO3lpN4B5qFEYmU2xRbrM1Ct1j4Tr6MoQEXyl+JloyuTHimkF/g==
{"game_data":{"tiles":}}
Oqgi98bM7Ce0E2e4n74FX9jStsvbVMkss76cfWx3ge6n5VKg7ajCMZqgp/5MWvtB8bJ/TrJkMl/R5Yg2tdRZ9YF79hRTrMSRy312GLKwgHYMKvrPj94ERE6P7Zvcw+HoROtYvlv1b2VG4xU304p6LHsuYeyc8PLO39V4dN4pZfctGsyT5bOn5Sf7Hw==
{"game_data":{"tiles":,"score":332},"money_count":282,"double_money_count":1}
```
## flagB
https://2024challenge.52pojie.cn/flagB/index.html
From the page code in `flagB.js`, you play 2048 by calling backend endpoints and earn points:
```js
// Start of game
const get_info = () => request('/flagB/info');
// Retry
const restart = () => request('/flagB/restart', {method: 'POST'});
// Move: MOVE_UP=1, MOVE_DOWN=2, MOVE_LEFT=3, MOVE_RIGHT=4
const move = (direction) => request('/flagB/move', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `direction=${encodeURIComponent(direction)}`});
// Get shop info
const get_shop = () => request('/flagB/shop');
// Buy an item
const buy_item = (shop_item_id, buy_count) => request('/flagB/buy_item', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `shop_item_id=${encodeURIComponent(shop_item_id)}&buy_count=${encodeURIComponent(buy_count)}`});
// Use an item
const use_item = (item_id) => request('/flagB/use_item', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `item_id=${encodeURIComponent(item_id)}`});
```
No clear approach, so looked at the network traffic: `set_cookie` and `game2048_user_data` keep changing. Replaying an old cookie showed that the data is stored directly in `game2048_user_data`. Reverse the encryption key? Unrealistic (later, while solving flag2, found out it is RSA, so reversing it is a joke, hahahaha).
Entering `50000000000` as the quantity when buying flagB triggers an overflow, so bring out Python to probe the gold-coin limit.
```
2^63-1 = 9223372036854775807
Maximum value of a Long
// Two server messages are seen:
//购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^   (How come you have more money after buying? No idea what bug this is, blocking it for now ^_^)
//钱不够   (Not enough money)
```
```python
import requests

# Cookie copied from the browser session (session id, uid and game state)
ck = "wzws_sessionid=gmY5MmRiY6Bl1qBhgDI3LjE1NC4yMDIuMTgzgTlmZWE3MA==; uid=RReWEcPoCdv7reT42vzFbfliVdI8x0c61RdIQCsx24eidQ==; game2048_user_data=MhXwAjipQS7eWkuF0RYS6I0IoebonNW8B4Is04IblIoO0gCC3PljSd4LhpWaur8tAwJQAJwi3lKO0N3bnmg6O22er6kyQHjUH2HYBYMkKW1TW+rVavpD9vEvtRKXQliB+VKzpmlm95eRf7pgLkututvICfgH+ozWBpbRP9noYGmkrVbA4foeUogAAJAp9TH8IQ=="
session = requests.session()
headers = {
    "Host": "2024challenge.52pojie.cn",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate, br",
    "Referer": "https://2024challenge.52pojie.cn/flagB/index.html",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://2024challenge.52pojie.cn",
    "Connection": "keep-alive",
    "Cookie": ck,
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}


def get_headers(_ck):
    # Copy the headers and set the cookie
    _headers = headers.copy()
    _headers["Cookie"] = _ck
    return _headers


def buy_item(shop_item_id, buy_count):
    _data = {}
    try:
        url = "https://2024challenge.52pojie.cn/flagB/buy_item"
        data = {
            "shop_item_id": shop_item_id,
            "buy_count": buy_count
        }
        response = session.post(url, headers=get_headers(ck), data=data)
        _data = response.json()
        if _data["code"] == 0:
            print("购买成功", shop_item_id, buy_count)
        # if "msg" in _data:
        #     print(_data["msg"])
        #     toView(_data)
        return _data
    except Exception as e:
        print(_data, e)
        return None


# buy_item("5", num)["code"] == 0 means the purchase succeeded, otherwise it failed
# Two kinds of message come back:
#   "钱不够" (not enough money) means insufficient gold
#   "购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^" (money increased after purchase, blocked) means the overflow tripped
# We need a value between the overflow and "not enough money" that purchases successfully
# Since it is an overflow, just try powers of two
for i in range(10, 65):
    rs = buy_item("5", str(2**i))
    if rs and rs["code"] == 0:
        print("购买成功, [ 2^", i, "] ", str(2**i))
# Observed: 购买成功, [ 2^ 62 ] 4611686018427387904
```
`flagB{f382d735}`
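What the two server messages describe is an unchecked multiplication of price by quantity in a 64-bit integer: a large enough quantity wraps the total cost to a small or negative number, which is why the "money increased" check trips for some values and why a quantity of exactly 2^62 slipped through. The following is an added example, not the challenge's server code: a constructed Python model of a wrapping int64 purchase beside a checked version. `price = 4` and `balance = 100` are constructed values (the real prices are not on the page), and the three quantities in `demo` show a normal buy, a wrap to a slightly negative cost and a wrap to exactly zero cost.

```python
INT64_MIN = -(1 << 63)
INT64_MAX = (1 << 63) - 1


def wrap_i64(x: int) -> int:
    """Reduce an arbitrary Python int to the two's-complement int64 it would wrap to."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x > INT64_MAX else x


def checked_mul_i64(a: int, b: int):
    """a*b if the product fits in int64, otherwise None."""
    p = a * b
    return p if INT64_MIN <= p <= INT64_MAX else None


def purchase_wrapping(balance: int, price: int, count: int):
    """Model of a server that multiplies in int64 without an overflow check.

    Returns the new balance on success, or a string naming the rejection.
    """
    cost = wrap_i64(price * count)
    if cost > balance:
        return "not enough money"
    new_balance = wrap_i64(balance - cost)
    if new_balance > balance:
        # The after-the-fact guard from the server message: catches a
        # negative wrapped cost, but not a cost that wrapped to zero.
        return "money increased after purchase, blocked"
    return new_balance


def purchase_checked(balance: int, price: int, count: int):
    """Hardened version: validate the quantity and refuse on overflow."""
    if count <= 0:
        return "invalid quantity"
    cost = checked_mul_i64(price, count)
    if cost is None:
        return "quantity too large"
    if cost > balance:
        return "not enough money"
    return balance - cost


def demo(price: int = 4, balance: int = 100) -> dict:
    # Constructed price and balance; each entry is (wrapping result, checked result).
    return {
        "normal": (purchase_wrapping(balance, price, 10),
                   purchase_checked(balance, price, 10)),
        "near_wrap": (purchase_wrapping(balance, price, (1 << 62) - 1),
                      purchase_checked(balance, price, (1 << 62) - 1)),
        "exact_wrap": (purchase_wrapping(balance, price, 1 << 62),
                       purchase_checked(balance, price, 1 << 62)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With price 4, a quantity of 2^62 - 1 gives a wrapped cost of -4, so the balance grows and the "blocked" guard fires; a quantity of exactly 2^62 gives a wrapped cost of 0, which neither check notices and the purchase goes through for free. The checked version rejects both before any money moves.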
## flagC
https://2024challenge.52pojie.cn/flagC/index.html
It builds an image for you to guess; the flag must be in the `/flagC/verify` endpoint.
`document.querySelector('#result').textContent = hint; // shows the hint on failure, the flag on success`
Brute force? Why are you brute-forcing every single day!!! hahahaha
## flag1
`flag1{52pj2024}`
## flag2
Hidden really deep
`flag2{xHOpRP}`
## flag3
Snowy screen, recognized by eye
`flag3{GRsgk2}`
## flag4 & 5 & 9 & 10
https://2024challenge.52pojie.cn/flag4_flag10.png
`flag4{YvJZNS}`
`flag5{P3prqF}`
`flag9{KHTALK}`
Did not see flag10 in this thing, but the filename includes it, so blind guess: steganography. Bring out the tool (http://www.caesum.com/handbook/Stegsolve.jar)
```
java -jar ./Stegsolve.jar
```
`flag10{6BxMkW}`
## flag6
https://2024challenge.52pojie.cn/flag6/index.html
```js
document.querySelector('button').addEventListener('click', () => {
  const t0 = Date.now();
  for (let i = 0; i < 1e8; i++) {
    if ((i & 0x1ffff) === 0x1ffff) {
      const progress = i / 1e8;
      const t = Date.now() - t0;
      console.log(`${(progress * 100).toFixed(2)}% ${Math.floor(t / 1000)}s ETA:${Math.floor(t / progress / 1000)}s`);
    }
    if (MD5(String(i)) === '1c450bbafad15ad87c32831fa1a616fc') {
      document.querySelector('#result').textContent = `flag6{${i}}`;
      break;
    }
  }
});
// flag6{20240217}
```
## flag7
https://github.com/ganlvtech/52pojie-2024-challenge
The commits include one titled `删除不小心提交的flag内容` (delete accidentally committed flag content)
There is also a new video, `吾爱破解2024年春节解题红包视频.mp4`
## flag8
Shown when buying the item in flagB
`flag8{OaOjIK}`
## flag11
https://2024challenge.52pojie.cn/flag11/index.html
Jigsaw puzzle game
```html
<html>
<head>
<style>
:root {
  --var1: 0; /* find a suitable value in the range 0 ~ 100 */
  --var2: 0; /* find a suitable value in the range 0 ~ 100 */
}
#a000 {
  position: absolute;
  left: 0;
  top: 0;
  width: 30px;
  height: 30px;
  background: url(flag11.png) 0px 0px;
  transform: translate(calc(942.5135817416999px + 1.0215884355337748px * var(--var1) + 0.24768196677010001px * var(--var2)), calc(224.16483995058888px + 2.9293942195858147px * var(--var1) + 0.8924085229409133px * var(--var2)));
}
</style>
</head>
<body>
<div>
  <div id="a000"></div>
  <div id="a319"></div>
</div>
</body>
</html>
```
Only 100*100, just brute-force it:
```js
const root = document.documentElement;
let i = 0;
let j = 0;
function updateValues() {
  root.style.setProperty('--var1', i);
  root.style.setProperty('--var2', j);
  console.log("i: " + i + ", j: " + j);
  j++; // advance j
  if (j === 100) {
    j = 0;
    i++; // advance i
  }
  if (i === 100) {
    clearInterval(interval); // stop the timer once i reaches 100
  }
}
let interval = setInterval(updateValues, 50);
// Answer (run after the sweep above has finished; reuses the i and j declared there)
i = 71;
j = 20;
document.documentElement.style.setProperty('--var1', i);
document.documentElement.style.setProperty('--var2', j);
```
## flag12
https://2024challenge.52pojie.cn/flag12/index.html
`https://2024challenge.52pojie.cn/flag12/flag12.wasm`
Brute force?
```js
// Password range: 0 ~ 4294967295
const get_flag = (secret) => {
  let num = instance.exports.get_flag12(secret);
  let str = '';
  while (num > 0) {
    str = String.fromCodePoint(num & 0xff) + str;
    num >>= 8;
  }
  //console.log(str)
  // Throw as soon as a non-empty string comes back, which stops the loop
  if (str.length > 0) throw Error(str)
  //return `flag12{${str}}`;
}
for (let i = 0; i <= 4294967295; i++) {
  get_flag(i)
}
```
The same loop pasted into the page:
```html
<meta charset="UTF-8">
<div>输入密码获取 flag12 (密码范围: 0 ~ 4294967295): <input type="text"><button>获取 flag12</button></div>
<div id="result"></div>
<script>
WebAssembly.instantiateStreaming(fetch('flag12.wasm'))
  .then(({instance}) => {
    const get_flag = (secret) => {
      let num = instance.exports.get_flag12(secret);
      let str = '';
      while (num > 0) {
        str = String.fromCodePoint(num & 0xff) + str;
        num >>= 8;
      }
      //console.log(str)
      if (str.length > 0) throw Error(str)
      //return `flag12{${str}}`;
    }
    document.querySelector('button').addEventListener('click', (e) => {
      for (let i = 0; i <= 4294967295; i++) {
        get_flag(i)
      }
      e.preventDefault();
      document.querySelector('#result').textContent = get_flag12(parseInt(document.querySelector('input').value));
    });
  });
</script>
```
Console output: `index.html:15 Uncaught Error: HOXI`
## Summary
```
flagA{e3cadceb}
flagB{f382d735}
flagC{d466f41e}
flag1{52pj2024}
flag2{xHOpRP}
flag3{GRsgk2}
flag4{YvJZNS}
flag5{P3prqF}
flag6{20240217}
flag7{Djl9NQ}
flag8{OaOjIK}
flag9{KHTALK}
flag10{6BxMkW}
flag11{HPQfVF}
flag12{HOXI}
# flagA/B/C are time-limited; fetch them right when you need them
flag1{52pj2024} flag2{xHOpRP} flag3{GRsgk2} flag4{YvJZNS} flag5{P3prqF} flagA{e3cadceb}
flag5{P3prqF} flag6{20240217} flag7{Djl9NQ} flag8{OaOjIK} flagB{f382d735}
flag9{KHTALK} flag10{6BxMkW} flag11{HPQfVF} flag12{HOXI} flagC{d466f41e}
```
Last edited by 平淡最真 on 2024-2-26 01:21
I noticed everyone is using the same tool to solve this flag10
https://file.miniclouds.cn:27777/file/down/group1/M01/21/72/rBAL6WXbdsKASXlEAAEwfytu9_w417.png https://file.miniclouds.cn:27777/file/down/group1/M00/21/76/rBAbDGXbd6KAUEXNAARE3AUD6jY079.png
Not even resting during the holiday, impressive!
Impressive, learning from the expert
Way too brute-force
平淡最真 posted on 2024-2-26 01:23
It is alpha-channel steganography, so basically different routes to the same destination
Impressive, learning from the expert
Here to learn and improve my results.
Learned something, very helpful