1
(函数:获取参数中的正确格式的host,要求符合红色的4个ip)
?url=http://127.0.0.0/flag.php/2
直接导出http/tcp协议,十六进制流:HEX转字符 十六进制转字符 hex gb2312 gbk utf8 汉字内码转换 - The X 在线工具
key.ws是指whitespace:
Whitelips the Esoteric Language IDE
然后利用SNOW隐写
.\SNOW.EXE -p XiAnWillBeSafe -C .\flag.txt
cazy{C4n_y0u_underSt4nd_th3_b0oK_With0ut_Str1ng}
3
除去jnz的花指令后,就是一个tea加密, 没有任何魔改
void tea(DWORD *data, const DWORD *key, int rounds1 = 4, int rounds2 = 32, DWORD DELTA = 0x9e3779b9, boolean s = false)
{DWORD l, r;DWORD sum;if (s) {for (int j = 0; j < rounds1 * 2; j = j + 2) {l = data[j];r = data[j + 1];sum = 0;for (int i = 0; i < rounds2; i++) {sum += DELTA;l += ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);r += ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);}data[j] = l;data[j + 1] = r;}} else {for (int j = 0; j < rounds1 * 2; j = j + 2) {l = data[j];r = data[j + 1];sum = rounds2 * DELTA;for (int i = 0; i < rounds2; i++) {r -= ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);l -= ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);sum -= DELTA;}data[j] = l;data[j + 1] = r;}}
}int main()
{DWORD key[5] = {0xdfe3, 0x113e, 0x5897, 0x3654};DWORD enc[] = {0x85A6892D, 0xA177B6BD, 0x89422515, 0x159AE870, 0x5BC09E5D, 0xC13F293E, 0x25B7084F, 0xADB12A4C};DWORD DELTA = -0x61C88647;tea(enc, key, 4, 32, DELTA, false);p(i, 0, 32) {printf("%c", ((char*)enc)[i]);}
}
4
5
其实已经get shell了:chmod -x;nc;remote interactive都行
执行ls;cat flag