CTF6
Snowfall

With some challenges, opening the file directly in Notepad shows you nothing at all, which itself tells you something is going on.
But working out how to solve it still takes some thinking.
Here we open it in Sublime Text, but I had only just downloaded Sublime Text, so that setting wasn't enabled yet.

It can be adjusted in the settings.

It can be changed in the bottom-right corner.
ctrl+a: select all
We find there is something after the visible text.
Let's look it up.
Whitespace is a programming language that uses only whitespace characters (space, tab and newline); every other visible character is treated as a comment.
Process it on the following site:
https://vii5ard.github.io/whitespace/

OK now you can run whitespace code. By the way, the key is H0wt0Pr1ntAWh17e5p4ceC0de.
This is the parse of step1.txt.
Related knowledge:
push: push a number onto the top of the stack
printc: pop the top element of the stack and output it as an ASCII character
dup: copy the top element and push the copy onto the stack
drop: pop the top element of the stack
add: pop the top two elements of the stack, add them, and push the result
Now try step2.txt.

?{o????M?°a?,±+`?·_ó}YFfu??qY???ZDq???à??è1_?E?$êEE
$
°s7§μü????4?@a±@?Sz?ü?a!é5?VI#?8?o?.?ú<M¥?&?é?ù?Zá??eA
??]???(I?iú\{ú???ù?ê????Y?M:8>ê?ˉ?ìZA?ê5òb?]E?: ?°$?SμUNúù??o?JQ1???!!?¢?U
~N
bflag.txt
2\?2?w×
?
The result of the second one contains flag.txt.
This is definitely what we want, so what is this output? It is garbled, so think of it as a compressed archive; once decompressed, that flag.txt comes out.
But this output still has problems, so I looked at how everyone else was re-implementing it in Python.
So I'll save the trace of push and the other stack operations.
push 0
push 55
add
dup
printc
push 175
push 188
push 122
printc
printc
dup
printc
push -136
add
dup
printc
push 0
push 28
printc
dup
printc
push 148
push 103
push 178
push 233
push 4
printc
printc
printc
printc
dup
printc
push 0
push 176
printc
dup
printc
push 0
add
dup
printc
push 0
add
dup
printc
push 0
add
dup
printc
push 0
push 106
push 0
push 0
push 0
printc
printc
printc
printc
dup
printc
push 0
add
dup
printc
push 0
push 0
push 0
push 0
push 0
printc
printc
printc
printc
dup
printc
push 148
push 91
push 162
push 61
push 205
printc
printc
printc
printc
dup
printc
push 163
dup
printc
push -153
add
dup
printc
push 151
add
dup
printc
push 146
push 111
push 123
push 6
printc
printc
printc
dup
printc
push 49
add
dup
printc
push 34
add
dup
printc
push 199
dup
printc
push 77
dup
printc
push 227
push 226
push 176
push 197
printc
printc
printc
dup
printc
push 44
dup
printc
push 96
push 43
push 177
printc
printc
dup
printc
push 65
add
dup
printc
push 125
push 211
push 95
push 25
push 183
printc
printc
printc
printc
dup
printc
push 96
add
dup
printc
push 157
push 117
push 102
push 70
printc
printc
printc
dup
printc
push 62
add
dup
printc
push 89
push 113
push 2
printc
printc
dup
printc
push 90
push 190
push 199
push 134
printc
printc
printc
dup
printc
push 208
dup
printc
push -95
add
dup
printc
push -111
add
dup
printc
push 158
push 134
push 131
push 30
printc
printc
printc
dup
printc
push 200
push 130
push 184
push 192
printc
printc
printc
dup
printc
push -151
add
dup
printc
push 169
push 95
printc
dup
printc
push 69
dup
printc
push 202
push 36
push 184
printc
printc
dup
printc
push -133
add
dup
printc
push 2
dup
printc
push 67
add
dup
printc
push 160
dup
printc
push 36
push 13
printc
dup
printc
push 55
push 115
push 176
push 13
printc
printc
printc
dup
printc
push 181
push 167
printc
dup
printc
push 220
dup
printc
push -76
add
dup
printc
push 159
push 128
push 156
push 24
printc
printc
printc
dup
printc
push 52
dup
printc
push 143
dup
printc
push -79
add
dup
printc
push 64
push 177
push 170
printc
printc
dup
printc
push 169
push 122
push 83
push 129
printc
printc
printc
dup
printc
push 83
add
dup
printc
push 53
push 201
push 33
push 170
push 159
printc
printc
printc
printc
dup
printc
push 149
push 35
push 73
push 86
push 141
printc
printc
printc
printc
dup
printc
push 111
push 209
push 56
printc
printc
dup
printc
push 218
push 146
push 46
push 227
printc
printc
printc
dup
printc
push 165
push 77
push 60
push 18
printc
printc
printc
dup
printc
push -142
add
dup
printc
push 248
dup
printc
push -210
add
dup
printc
push 175
add
dup
printc
push 18
push 136
push 201
printc
printc
dup
printc
push 231
add
dup
printc
push 90
push 150
printc
dup
printc
push 225
dup
printc
push 30
add
dup
printc
push -60
add
dup
printc
push 101
dup
printc
push 23
dup
printc
push 93
push 238
push 144
push 13
push 65
printc
printc
printc
printc
dup
printc
push -62
add
dup
printc
push 119
add
dup
printc
push 73
push 40
push 136
push 182
printc
printc
printc
dup
printc
push 218
push 105
push 137
printc
printc
dup
printc
push -218
add
dup
printc
push 3
add
dup
printc
push 123
push 92
push 2
printc
printc
dup
printc
push 127
add
dup
printc
push 128
dup
printc
push 137
dup
printc
push 15
push 187
push 217
push 207
printc
printc
printc
dup
printc
push 187
add
dup
printc
push -48
add
dup
printc
push 229
push 172
push 187
printc
printc
dup
printc
push 221
dup
printc
push 58
push 77
push 223
printc
printc
dup
printc
push 62
push 56
printc
dup
printc
push 238
push 234
printc
dup
printc
push -63
add
dup
printc
push 206
dup
printc
push 236
dup
printc
push 197
push 65
push 90
printc
printc
dup
printc
push 242
push 53
push 234
printc
printc
dup
printc
push 189
push 98
printc
dup
printc
push 93
dup
printc
push 1
push 58
push 135
push 69
printc
printc
printc
dup
printc
push 3
add
dup
printc
push 0
push 6
printc
dup
printc
push 1
dup
printc
push 9
dup
printc
push 176
push 128
printc
dup
printc
push 1
push 11
push 7
push 0
printc
printc
printc
dup
printc
push -1
add
dup
printc
push 2
dup
printc
push 34
add
dup
printc
push 6
dup
printc
push 235
add
dup
printc
push 18
push 1
push 7
printc
printc
dup
printc
push 65
add
dup
printc
push 250
push 78
push 85
push 181
push 15
printc
printc
printc
printc
dup
printc
push 249
dup
printc
push 199
push 198
printc
dup
printc
push 185
push 81
push 74
push 171
push 186
printc
printc
printc
printc
dup
printc
push 136
push 245
push 229
push 17
printc
printc
printc
dup
printc
push 0
push 1
push 33
push 33
printc
printc
printc
dup
printc
push 1
add
dup
printc
push -1
add
dup
printc
push 12
add
dup
printc
push 128
dup
printc
push 0
push 85
push 131
push 162
printc
printc
printc
dup
printc
push 1
push 10
push 8
printc
printc
dup
printc
push 125
add
dup
printc
push 78
dup
printc
push -65
add
dup
printc
push 0
push 0
push 98
printc
printc
dup
printc
push 5
dup
printc
push 1
dup
printc
push 16
add
dup
printc
push 19
dup
printc
push 0
dup
printc
push 108
push 0
push 102
printc
printc
dup
printc
push 0
push 103
push 0
push 97
push 0
printc
printc
printc
printc
dup
printc
push 46
dup
printc
push -46
add
dup
printc
push 116
push 0
push 120
push 0
push 116
printc
printc
printc
printc
dup
printc
push 25
push 0
push 0
push 0
printc
printc
printc
dup
printc
push 1
push 10
push 20
push 0
printc
printc
printc
dup
printc
push 92
push 50
push 0
printc
printc
dup
printc
push 151
dup
printc
push 119
push 148
push 50
printc
printc
dup
printc
push 96
add
dup
printc
push 21
push 1
printc
dup
printc
push 6
dup
printc
push -5
add
dup
printc
push 0
dup
printc
push 32
add
dup
printc
push 0
dup
printc
push 0
push 0
push 0
printc
printc
dup
printc
push 0
dup
printc
end
The Python script used also follows a fixed format.
Here is someone else's code directly:
import re
from queue import LifoQueue

# read the saved operation trace, one operation per line
with open("test.txt", "r") as f:
    data = f.read()
    data = data.splitlines()

stack = LifoQueue()
ret = ""
for line in data:
    if "push" in line:
        # only push carries a number (possibly negative)
        num = int(re.findall("push (.*?)$", line)[0])
        stack.put(num)
    elif line == "add":
        stack.put(stack.get() + stack.get())
    elif line == "dup":
        num = stack.get()
        stack.put(num)
        stack.put(num)
    elif line == "drop":
        stack.get()
    elif line == "printc":
        # each printed value is one byte of the archive
        asc = chr(stack.get())
        # print(asc, end="")
        ret += asc

# save file: latin1 maps every code point 0-255 to exactly one byte
bin_data = ret.encode("latin1")
with open("1.7z", "wb") as f:
    f.write(bin_data)
test.txt:

We get an archive.
Then open it with the password obtained from step1.txt; that's the usual logic.
H0wt0Pr1ntAWh17e5p4ceC0de
Open it after extracting.

You can see the whitespace characters.
But the output is empty, so copy the stack operations again and name the file test2.txt.
There is no printc in it, so nothing gets output.
Modify the code:
Still someone else's; later I'll study it and write one of my own.
import re
from queue import LifoQueue

# the step-3 trace: same format, but it has no printc at all
with open("test2.txt", "r") as f:
    data = f.read()
    data = data.splitlines()

stack = LifoQueue()
ret = ""
for line in data:
    if "push" in line:
        num = int(re.findall("push (.*?)$", line)[0])
        stack.put(num)
    elif line == "add":
        stack.put(stack.get() + stack.get())
    elif line == "dup":
        num = stack.get()
        stack.put(num)
        stack.put(num)
    elif line == "drop":
        # here the dropped values are the output
        asc = chr(stack.get())
        print(asc, end="")
Then the output gives:

About the code:
Overall the code is simple: store the operation trace, then write code that follows it.
It reads line by line, with each line as one string.
Then it iterates over every line; since each is a string, it checks whether the string contains a known operation and calls the corresponding stack function.
Getting the number is one more kind of processing:
only the push operation carries a number. My way of writing it is:



What this means is:
encode the data collected by printc in Latin1 form.
Latin1 is an alias of ISO-8859-1, written Latin-1 in some contexts. ISO-8859-1 is a single-byte encoding, backward compatible with ASCII, with a range of 0x00-0xFF: 0x00-0x7F is identical to ASCII, 0x80-0x9F are control characters, and 0xA0-0xFF are printable characters.
Of course this also depends on the data we output.
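As an added example (my own code, not the script quoted above or the website's interpreter), here is a self-contained version of the same stack interpreter that collects bytes directly instead of a str that is encoded afterwards, rejects any value outside 0..255 instead of silently writing a corrupt archive, and checks the result for the 7z signature 37 7A BC AF 27 1C. The sample input is the first 21 operations of the step-2 trace above; the emit_on_drop option covers the step-3 trace, where drop rather than printc carries the output. The function names, the reencode helper and the emit_on_drop parameter are my own assumptions.

```python
import re

# Every 7z archive starts with these six bytes: 37 7A BC AF 27 1C
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Sample input: the first 21 operations of the step-2 trace above.
SAMPLE_TRACE = """\
push 0
push 55
add
dup
printc
push 175
push 188
push 122
printc
printc
dup
printc
push -136
add
dup
printc
push 0
push 28
printc
dup
printc
"""

PUSH_RE = re.compile(r"push (-?\d+)")


def run_trace(trace: str, emit_on_drop: bool = False) -> bytes:
    """Execute a push/add/dup/drop/printc trace and return the emitted bytes.

    printc always emits. With emit_on_drop=True, drop emits as well, which
    is what the step-3 trace (which contains no printc) needs.
    """
    stack = []
    out = bytearray()

    def emit(value: int) -> None:
        # chr() + encode("latin1") would blow up on anything outside 0..255;
        # fail loudly here too rather than write a broken archive.
        if not 0 <= value <= 255:
            raise ValueError(f"value {value} is not a byte")
        out.append(value)

    for lineno, raw in enumerate(trace.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PUSH_RE.fullmatch(line)
        if m:
            stack.append(int(m.group(1)))
        elif line == "add":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif line == "dup":
            stack.append(stack[-1])
        elif line == "drop":
            value = stack.pop()
            if emit_on_drop:
                emit(value)
        elif line == "printc":
            emit(stack.pop())
        elif line == "end":
            break
        else:
            raise ValueError(f"line {lineno}: unknown op {line!r}")
    return bytes(out)


def is_7z(data: bytes) -> bool:
    """True if the emitted data starts with the 7z signature."""
    return data.startswith(SEVEN_ZIP_MAGIC)


def reencode(data: bytes, encoding: str) -> bytes:
    """Rebuild the intermediate str of the quoted script and encode it.

    With latin1 this reproduces data byte for byte; with utf-8 every byte
    >= 0x80 turns into two bytes and the archive header is destroyed.
    """
    text = "".join(chr(b) for b in data)
    return text.encode(encoding)


if __name__ == "__main__":
    blob = run_trace(SAMPLE_TRACE)
    print(blob.hex(), is_7z(blob))
    print(len(reencode(blob, "latin1")), len(reencode(blob, "utf-8")))
```

Running it on the sample prints 377abcaf271c00 and True: the first six bytes are exactly the 7z signature, which is the quickest sanity check that the stack semantics are right before you try to open the archive. The length comparison shows why the quoted script must encode with latin1: the same seven characters encoded as UTF-8 become nine bytes.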
Before processing:
7z?ˉ' é2g?°? ? ? ?j? ? ? ?í=¢[?£
??]???(I?iú \{ú???ù?ê????Y?M:8>ê?ˉ?ìZA?ê5òb?]E?: ?° $?SμUNúù??o?JQ1???!! ?¢?U
b? f l a g . t x t? ?
2\?2?w×
But this output is the same as what the website prints directly, so could I just copy the website's data and only do the encoding step to turn it into an archive? Of course the Python script still has plenty of value, and it taught us some ways of working.

Mainly get to know this Whitespace; it's a pretty neat way of hiding a program.
game1


Try it first and look at F12.
Check the code:
Note the word base64 appears here.

Look at the console, the requests and so on.

Then in the payload we see something different: a score and a string came out.

我們?cè)趤碓囋?/p>
ZM沒變,等于號(hào)缺少了一個(gè)
很有是是字母或者字母=?
或者跟等于沒關(guān)系
然后我們?cè)谥翱吹竭@里是用base64做編碼的
我們?cè)囋?/p>
那估計(jì)是想分?jǐn)?shù)最大才會(huì)出來flag

Let's look at the base64 encoding of 325 directly.

And MzI1== also decodes to 325.
So I figured == is probably just an add-on.
Then I tried all the way up to 99999, with sign OTk5OTk=.

OK, let's look at this challenge another way.


Easier to find the pattern.
For the value, set it and send it, then see whether it has an effect; it comes out slowly.
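As an added example (my own code, not the challenge's server code or anything from the post): the score-to-sign mapping described above, a lenient decoder that shows why MzI1== still decodes to 325 (the padding is recomputed from the length, so surplus = characters are harmless), the padding rule that explains why 325 gets no = and 99999 gets one, and, for contrast, what a sign the client cannot forge would look like: an HMAC over the score with a key that only the server knows. The SERVER_KEY value and the hmac_sign/verify_sign names are my own assumptions.

```python
import base64
import hashlib
import hmac


def b64_sign(score: int) -> str:
    """The 'sign' seen in the challenge: plain base64 of the decimal score.
    Anyone can compute it, so it authenticates nothing."""
    return base64.b64encode(str(score).encode("ascii")).decode("ascii")


def padding_chars(score: int) -> int:
    """Number of '=' characters in base64(score).

    base64 emits 4 chars per 3 input bytes, so the count depends only on
    len(str(score)) % 3: 0 -> no padding, 1 -> '==', 2 -> '='.
    """
    return -len(str(score)) % 3


def decode_lenient(sign: str) -> int:
    """Strip any '=' and re-pad to a multiple of 4 before decoding, so
    'MzI1', 'MzI1=' and 'MzI1==' all decode to 325."""
    body = sign.rstrip("=")
    body += "=" * (-len(body) % 4)
    return int(base64.b64decode(body).decode("ascii"))


# Constructed server-side secret for the contrast example (assumption,
# not a value from the challenge).
SERVER_KEY = b"example-server-key-not-from-the-challenge"


def hmac_sign(score: int, key: bytes = SERVER_KEY) -> str:
    """A sign the client cannot produce without the server's key."""
    mac = hmac.new(key, str(score).encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_sign(score: int, sign: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison of a submitted sign against the expected one,
    so an edited score with the old sign is rejected."""
    return hmac.compare_digest(hmac_sign(score, key), sign)


if __name__ == "__main__":
    for s in (325, 99999):
        print(s, b64_sign(s), padding_chars(s))
    print(decode_lenient("MzI1=="))
    tag = hmac_sign(325)
    print(verify_sign(325, tag), verify_sign(99999, tag))
```

The first loop prints 325 MzI1 0 and 99999 OTk5OTk= 1, matching the two signs observed in the challenge. The last line prints True False: with an HMAC, re-sending the old sign alongside a higher score no longer works, which is the check the server side was missing.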
Website Hacked

We get the site; the hint says a backdoor was left behind.
Scan it with YuJian (御劍) and see which link it is.

http://114.67.175.224:18574/shell.php
Opening it requires a password.
I didn't find any clues in the response or in the captured traffic.
So the only option left is to brute-force it with Burp.
Configure the brute-force module according to how the page is set up.





flag{4c336a7df875f0064e187b514fc9f568}