写在前面:
这次解题,时间比较少,工作时间抽空解题,尽可能偷懒,以找到flag为主要目的
解题领红包之二 {Windows 初级题}
初级题,比较简单,拖进IDA,得到核心代码
int __cdecl sub_4CD130(char a1)
{
__time32_t v1; // eax
char v2; // al
char v3; // al
char v4; // dl
char v5; // cl
int v6; // eax
unsigned __int8 v8; // al
int v9; // edx
int v10; // edx
int v11; // eax
__time32_t *Time; // [esp+0h] [ebp-78h] BYREF
char **v13; // [esp+14h] [ebp-64h]
char *Str; // [esp+18h] [ebp-60h]
char v15[4]; // [esp+1Ch] [ebp-5Ch] BYREF
int v16; // [esp+20h] [ebp-58h]
int (__cdecl *v17)(int, int, int, int, int, int); // [esp+34h] [ebp-44h]
int *v18; // [esp+38h] [ebp-40h]
int *v19; // [esp+3Ch] [ebp-3Ch]
void (__noreturn *v20)(); // [esp+40h] [ebp-38h]
__time32_t **p_Time; // [esp+44h] [ebp-34h]
char *v22; // [esp+58h] [ebp-20h] BYREF
int v23; // [esp+5Ch] [ebp-1Ch]
char v24; // [esp+60h] [ebp-18h] BYREF
char *v25; // [esp+70h] [ebp-8h]
int savedregs; // [esp+78h] [ebp+0h] BYREF
v25 = &a1;
v17 = sub_4CC800;
p_Time = &Time;
v18 = dword_4CE3D4;
v19 = &savedregs;
v20 = sub_4CD4EA;
sub_40C330(v15);
sub_40A650();
v16 = -1;
v1 = time(0);
srand(v1);
SetConsoleOutputCP(0xFDE9u);
sub_4C7E50((int)&dword_4D27C0, "========================================");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, " CrackMe Challenge v2.5 - 2026 ");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "========================================");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "Keywords: 52pojie, 2026, Happy new year");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "Hint: Fake flag; length is key");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "----------------------------------------");
((void (*)(void))sub_4015B0)();
v22 = &v24;
v23 = 0;
v24 = 0;
v16 = 1;
v13 = &v22;
sub_4C7E50((int)&dword_4D27C0, "\n[?] Enter the password: ");
v13 = &v22;
v2 = sub_401560();
v13 = &v22;
sub_4C5840(&dword_4D25E0, &v22, v2);
Str = v22;
v3 = sub_401740(v22);
v4 = 53;
v5 = v3;
v6 = 0;
if ( !v5 )
{
while ( Str[v6] == v4 )
{
if ( ++v6 == 16 )
{
v16 = 1;
sub_4C7E50((int)&dword_4D27C0, "\n[!] You're getting closer...");
v16 = 1;
goto LABEL_9;
}
v4 = byte_4D3032[v6];
}
if ( strlen(Str) != 31 )
{
v16 = 1;
sub_4C7E50((int)&dword_4D27C0, "\n[!] Hint: The length is your first real challenge.");
goto LABEL_9;
}
v16 = 1;
if ( (unsigned __int8)sub_4016D0(Str, 31) )
{
Str = 0;
v8 = *v22;
if ( !*v22 )
goto LABEL_16;
v9 = 0;
do
{
Str += ++v9 * v8;
v8 = v22[v9];
}
while ( v8 );
if ( Str != (char *)44709 )
{
LABEL_16:
v16 = 1;
sub_4C7E50((int)&dword_4D27C0, "\n[!] Checksum failed! Something is wrong...");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "[!] Expected: 44709, Got: ");
sub_47DE70(Str);
sub_4015B0(v10);
LABEL_17:
v16 = 1;
goto LABEL_10;
}
v16 = 1;
sub_4C7E50((int)&dword_4D27C0, "\n========================================");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, " *** SUCCESS! *** ");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "========================================");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "[+] Congratulations! You cracked it!");
((void (*)(void))sub_4015B0)();
v11 = sub_4C7E50((int)&dword_4D27C0, "[+] Correct flag: ");
sub_4C4330(v11, v22, v23);
}
else
{
v16 = 1;
sub_4C7E50((int)&dword_4D27C0, "\n[X] Access Denied!");
((void (*)(void))sub_4015B0)();
sub_4C7E50((int)&dword_4D27C0, "[X] Wrong password. Keep trying!");
}
((void (*)(void))sub_4015B0)();
goto LABEL_17;
}
sub_4C7E50((int)&dword_4D27C0, "\n[!] Nice try, but not quite right...");
LABEL_9:
sub_4015B0(Time);
LABEL_10:
sub_4017C0();
sub_4B1AE0(v13);
sub_40C600(v15);
return 0;
}
核心检查逻辑点:
1、长度必须是31
2、sub_4016D0的返回值为非0
3、校验和为44709
查看sub_4016D0代码
bool __cdecl sub_4016D0(int a1, int a2)
{
unsigned __int8 *Block; // ebp
int v3; // eax
int v4; // ebx
bool v5; // dl
Block = (unsigned __int8 *)sub_4CB710(0x64u);
sub_401620(Block);
if ( a2 <= 0 )
{
v4 = 0;
}
else
{
v3 = 0;
v4 = 0;
do
{
v5 = *(char *)(a1 + v3) == Block[v3];
++v3;
v4 += v5;
}
while ( a2 != v3 );
}
j_j_free(Block);
return a2 == v4;
}
核心逻辑是输入的字符串逐字节与Block比对,最后确定v4是否与输入的长度相等,那Block就是要找的flag,Block是在sub_401620中赋值的
查看代码
_BYTE *__cdecl sub_401620(int a1)
{
_BYTE *result; // eax
*(_DWORD *)a1 = 0x2D327077;
*(_DWORD *)(a1 + 4) = 0x63272B28;
*(_DWORD *)(a1 + 8) = 0x701D6363;
*(_DWORD *)(a1 + 12) = 0x1D747072;
*(_DWORD *)(a1 + 16) = 0x3232230A;
*(_DWORD *)(a1 + 20) = 0x272C1D3B;
*(_DWORD *)(a1 + 24) = 0x273B1D35;
*(_BYTE *)(a1 + 30) = 0x63;
*(_WORD *)(a1 + 28) = 0x3023;
result = (_BYTE *)a1;
do
*result++ ^= 0x42u;
while ( result != (_BYTE *)(a1 + 31) );
*(_BYTE *)(a1 + 31) = 0;
return result;
}
本次都是偷懒解法,所以IDA直接调试,在19行下断点
如图得到flag
解题领红包之三 {Android 初级题}
直接玩游戏,得到flag{Wu41_P0j13_2026_Spr1ng_F3st1v4l}
解题领红包之四 {Windows 初级题}
查壳
解压
在线解字节码得到源码
# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: 'crackme_easy.py'
# Bytecode version: 3.14rc3 (3627)
# Source timestamp: 1970-01-01 00:00:00 UTC (0)
import hashlib
import base64
import sys
def xor_decrypt(data, key):
"""XOR解密"""
result = bytearray()
for i, byte in enumerate(data):
result.append(byte ^ key ^ i & 255)
return result.decode('utf-8', errors='ignore')
def get_encrypted_flag():
"""获取加密的flag"""
enc_data = 'e3w+fiRvfW18fnx4ZAZ6Pj43YwB9OWMXfXo8Dg4O'
return base64.b64decode(enc_data)
def generate_flag():
"""动态生成flag"""
encrypted = get_encrypted_flag()
key = 78
result = bytearray()
for i, byte in enumerate(encrypted):
result.append(byte ^ key)
return result.decode('utf-8')
def calculate_checksum(s):
"""计算校验和"""
total = 0
for i, c in enumerate(s):
total += ord(c) * (i + 1)
return total
def hash_string(s):
"""计算字符串哈希"""
return hashlib.sha256(s.encode()).hexdigest()
def verify_flag(user_input):
"""验证flag"""
correct_flag = generate_flag()
print(f'[+] Correct flag: {correct_flag}')
if len(user_input)!= len(correct_flag):
return False
else:
for i in range(len(correct_flag)):
if user_input[i]!= correct_flag[i]:
return False
return True
def fake_check_1(user_input):
"""假检查1"""
fake_hash = 'a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890'
return hash_string(user_input) == fake_hash
def fake_check_2(user_input):
"""假检查2"""
fake_hash = '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef'
return hash_string(user_input) == fake_hash
def main():
"""主函数"""
print('==================================================')
print(' CrackMe Challenge - Python Edition')
print('==================================================')
print('Keywords: 52pojie, 2026, Happy New Year')
print('Hint: Decompile me if you can!')
print('--------------------------------------------------')
user_input = input('\n[?] Enter the password: ').strip()
if fake_check_1(user_input):
print('\n[!] Nice try, but not quite right...')
input('\nPress Enter to exit...')
return None
else:
if fake_check_2(user_input):
print('\n[!] You\'re getting closer...')
input('\nPress Enter to exit...')
else:
if verify_flag(user_input):
checksum = calculate_checksum(user_input)
expected_checksum = calculate_checksum(generate_flag())
if checksum == expected_checksum:
print('\n==================================================')
print(' *** SUCCESS! ***')
print('==================================================')
print('[+] Congratulations! You cracked it!')
print(f'[+] Correct flag: {user_input}')
else:
print('\n[!] Checksum failed!')
else:
print('\n[X] Access Denied!')
print('[X] Wrong password. Keep trying!')
input('\nPress Enter to exit...')
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print('\n\n[!] Interrupted by user')
sys.exit(0)
在38行后面加上打印得到flag
主要逻辑就是对字符串e3w+fiRvfW18fnx4ZAZ6Pj43YwB9OWMXfXo8Dg4O进行base64解码,然后逐字节与78进行异或。
解题领红包之五 {Windows 中级题}
查壳
Nuitka打包的
运行程序,在AppData\Local\Temp\onefile_66716_134171668082778958目录下拿到crackme_hard.dll
将dll拖进IDA,直接attach process调试
调试的时候忘记截图了,最后是内存追码得到的flag,通过初级题猜测也是逐字节比较,结果和想象中的差不多
由于是输入随机flag,调试的时候需要对一些内存值做修改,才能触发目标flag生成,由于是本人自己不想写太长的脚本,建议学习其他帖子中对bcode的解析脚本来实现。
得到flag:52p0j13@2026~H4ppy_N3w_Y34r!!!
解题领红包之六 {番外篇 初级题}
查壳
没壳,但是一个zip格式的压缩文件,直接winrar打开,发现lua源码,assets文件夹中发现flag.dat
确认flag.dat,不是明文,查看main.lua,搜索flag.dat,找到getWinMessage函数。
local function getWinMessage()
local content = nil
if love.filesystem.getInfo("assets/flag.dat") then
content = love.filesystem.read("assets/flag.dat")
end
if not content or then
return "You WIN!"
end
local key = "52pojie"
local keyLen = #key
local result = {}
local bit = require("bit")
for i = 1, #content do
local b = string.byte(content, i)
local k = string.byte(key, ((i - 1) % keyLen) + 1)
table.insert(result, string.char(bit.bxor(b, k)))
end
return table.concat(result)
end
逻辑很简单,读取flag.dat文件,然后和52pojie循环异或,写一个C代码
int main(int argc, char** argv) {
system("chcp 65001");
unsigned char byteFlag[] = {
0x53, 0x5E, 0x11, 0x08, 0x11, 0x5c, 0x57, 0x45, 0x5D, 0x1A, 0x06, 0x0f, 0x36, 0x57, 0x05, 0x00,
0x46, 0x30, 0x22, 0x08, 0x15, 0x45, 0x4b, 0x2f, 0x21, 0x0f, 0x1E, 0x3A, 0x6c, 0x57, 0x11, 0x1D,
0x4B, 0x36, 0x5B, 0x42, 0x0e, 0x0D
};
unsigned char key[] = "52pojie";
char flag[39] = { 0 };
for (int i = 0; i < sizeof(byteFlag); i++)
{
flag[i] = byteFlag[i] ^ key[i % 7];
}
printf("%s\n", flag);
system("pause");
return 0;
}
运行得到flag:flag{52pojie_2026_Happy_NewYear!>w<}
解题领红包之七 {Windows 中级题}
查壳
当时没有截图,加壳的文件没保存,这里就不截图了,简单的upx -d即可解压缩成功。
拖入IDA,找到核心代码sub_140008720
__int64 __fastcall sub_140008720(char *Str, FILE *Stream, FILE *a3)
{
size_t v6; // rax
__int64 v7; // rdi
char v8; // dl
__int64 result; // rax
__int64 v10; // rdi
unsigned __int64 v11; // r13
char *v12; // rax
char *v13; // r12
unsigned __int64 v14; // rax
_BYTE Buffer[16]; // [rsp+20h] [rbp-858h] BYREF
_BYTE v16[2120]; // [rsp+30h] [rbp-848h] BYREF
sub_140008640(v16);
sub_140008500(v16, "52pojie_2026_", 14);
v6 = strlen(Str);
sub_140008500(v16, Str, v6);
v7 = sub_140008580(v16);
fread(Buffer, 0x10u, 1u, Stream);
v8 = sub_140008310(v16, v7, Buffer);
result = 1;
if ( v8 )
{
fseek(Stream, 0, 2);
v10 = ftell(Stream);
result = 2;
v11 = v10 - 16;
if ( (v10 & 7) == 0 )
{
fseek(Stream, 16, 0);
v12 = (char *)malloc(v10 - 16);
v13 = v12;
if ( v12 )
{
fread(v12, 1u, v10 - 16, Stream);
sub_1400081E0(v16, v13, v10 - 16);
if ( (unsigned __int8)sub_1400082E0(v16) )
{
v14 = (unsigned __int8)v13[v10 - 17];
if ( v11 < v14 )
{
free(v13);
return 5;
}
else
{
fwrite(v13, 1u, v11 - v14, a3);
free(v13);
return 0;
}
}
else
{
free(v13);
return 4;
}
}
else
{
return 3;
}
}
}
return result;
}
sub_140008640是初始化CRC64使用的内存,sub_140008500和sub_140008580都是进行CRC64的计算,sub_140008580是针对密钥总长度、在"52pojie2026" + 输入的flag基础上,算出最终的密钥。
sub_140008310是对文件头进行处理,根据逻辑可以得到如下结论:
[]0-3字节为magic,固定值0x36324D43
[]4-7字节是被加密文件的CRC32值
- 8-15字节是加密是的初始IV
随后,将文件16字节之后的数据读入内存,调用sub_1400081E0解密并计算解密后数据的CRC32。
查壳sub_1400081E0的代码
__int64 __fastcall sub_1400081E0(__int64 a1, __int64 a2, __int64 a3)
{
unsigned __int64 v3; // rbx
unsigned __int64 v5; // rdi
__int64 v6; // r12
__int64 result; // rax
v3 = a2 - 24627;
v5 = a2 - 24627 + (a3 & 0xFFFFFFFFFFFFFFF8uLL);
if ( a2 - 24627 < v5 )
{
v6 = a1 + 288;
do
{
v3 += 8LL;
sub_140008080(a1, v3 + 24619);
result = sub_140008480(v6, v3 + 24619, 8);
}
while ( v3 < v5 );
}
return result;
}
核心逻辑是循环调用sub_140008080解密,并调用sub_140008480计算已解密部分的CRC32。
查壳sub_140008080
char __fastcall sub_140008080(unsigned __int64 *a1, __int64 *a2)
{
int v2; // r8d
__int64 v3; // r11
unsigned __int64 v5; // rax
char *v6; // rcx
unsigned __int64 v7; // rax
_QWORD *v8; // rdx
char v9; // al
char result; // al
v2 = 8;
v3 = *a2;
v5 = *a1;
v6 = (char *)a1 - 21569;
v7 = __ROL8__(v5, 3);
do
{
v7 = (v7 << 8) | *((unsigned __int8 *)a1 + (HIBYTE(v7) | 0x221300) - 2233056);
--v2;
}
while ( v2 );
*a1 = v7;
v8 = a2 + 4711;
do
{
v9 = *((_BYTE *)v8 - 37688);
++v6;
v8 = (_QWORD *)((char *)v8 + 1);
result = v6[21568] ^ v6[21584] ^ v9;
*((_BYTE *)v8 - 37689) = result;
}
while ( v6 != (char *)a1 - 21561 );
a1[2] = v3;
return result;
}
核心逻辑是将入参的key循环左移3位后,通过查表获得真正的key,然后和IV及密文进行异或运算,得到明文。
其中,密文将作为下一个8字节密文的IV。
根据密文1 = 明文1 ^ IV ^ key可知,明文1 = 密文1 ^ IV ^ key,由于文件是png格式,png头的8字节是已知的0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A
可以根据明文攻击获得第一个真实key,再逆向查表并右移3位得到CRC64的值,并调用sub_1400081E0解密文件。
unsigned char unk_14000A270[256] = {
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
};
void __fastcall sub_140008080(_BYTE* key, _BYTE* IV, _BYTE* encryptedData)
{
__int64 v3;
v3 = *(__int64*)encryptedData;
*(unsigned __int64*)key = __ROL8__(*(unsigned __int64*)key, 3);
for (int i = 0; i < 8; i++)
{
key[i] = unk_14000A270[key[i]];
}
*(__int64*)encryptedData = *(__int64*)key ^ *(__int64*)IV ^ *(__int64*)encryptedData;
*((unsigned __int64*)IV) = v3;
}
void __fastcall sub_140008480(_DWORD* crc32, _BYTE* data, __int64 len)
{
__int64 result;
result = (unsigned int)*crc32;
for (int i = 0; i < len; i++)
{
result = data[i] ^ result;
for (int j = 0; j < 8; j++)
{
result = ((unsigned int)result >> 1) ^ -(result & 1) & 0xEDB88320;
}
}
*crc32 = result;
}
void __fastcall sub_1400081E0(_BYTE* key, _BYTE* IV, _BYTE* encryptedData, __int64 len, _DWORD *crc32)
{
for (int i = 0; i < len; i += 8)
{
sub_140008080(key, IV, (encryptedData + i));
}
sub_140008480(crc32, encryptedData, len); //计算CRC32
}
int main(int argc, char** argv) {
unsigned char pngHeader[] = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
FILE* fp = NULL;
fopen_s(&fp, "F:\\2026\\52pojie\\7\\flag.png.encrypted", "rb");
if (fp)
{
fseek(fp, 0, 2);
long filesize = ftell(fp);
fseek(fp, 0, 0);
_BYTE* fileData = (_BYTE*)malloc(filesize);
if (fileData)
{
fread(fileData, 1u, filesize, fp);
_DWORD fileCrc32 = *(_DWORD*)(fileData + 4);
unsigned char Key[8] = { 0 };
unsigned char IV[8] = { 0 };
memcpy(IV, fileData + 8, 8);
*(_QWORD*)Key = *(_QWORD*)IV ^ *(_QWORD*)pngHeader ^ *(_QWORD*)(fileData + 16);
for (int i = 0; i < 8; i++)
{
for (int j = 0; j < 256; j++)
{
if (unk_14000A270[j] == Key[i])
{
Key[i] = j;
break;
}
}
}
*(_QWORD*)Key = __ROR8__(*(_QWORD*)Key, 3);
_DWORD crc32 = -1;
sub_1400081E0(Key, IV, fileData + 16, filesize - 16, &crc32);
if (~crc32 == fileCrc32)
{
printf("OK\n");
FILE* out = NULL;
fopen_s(&out, "F:\\2026\\52pojie\\7\\flag.png", "wb+");
if (out)
{
fwrite(fileData + 16, 1u, filesize - 16, out);
fclose(out);
}
}
else
{
printf("Error\n");
}
free(fileData);
}
fclose(fp);
}
system("pause");
return 0;
}
运行后得到原图,图像显示HEX_ME,拖进随波逐流
得到flag:flag{EncrypTIoN_Is_haRd_52p0jIE_2o26_m62Tc4uj78maAq1C}
解题领红包之九 {Web 中级题}
本题只能用拉马努金风格来写了,代码较多,逻辑懒得分析,调试过程中,注意到,memory中5439744开始的200字节,是50个int值,且都为可见字符的ascii
这个值是存在var6中的
于是将50个ascii按顺序保存并转为字符串,播放语音发现完全一直,于是得到flag
解题领红包之十一 {MCP 中级题}
这道题的难点在于开始给的提示除了玄霄密令之外,其它线索完全没给,另外就是时效问题,
具体的过程就不写了,一个过程AI回复了一大堆有的没的。
根据文档提示逐步拿到access_token和audit_access后,得到flag:flag{new_year_2026_keep_warm}
发表于 2026-3-5 17:28
分享到朋友圈
