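Topics covered:

Tupper's self-referential formula

Extracting information from multiple images

How to approach game challenges where CE is banned

Integer overflow

jsfuck

Using vol3 plugins

https://www.bilibili.com/read/cv20634842?spm_id_from=333.999.0.0 (how animated mouse cursors are made)

Understanding TIFF files

SSTI vulnerabilities

LSB encryption

SUID privilege escalation

MISC

验证码 (Captcha)

Transcribe the digits by hand: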

1594199391770250354455183081054802631580554590456781276981302978243348088576774816981145460077422136047780972200375212293357383685099969525103172039042888918139627966684645793042724447954308373948403404873262837470923601139156304668538304057819343713500158029312192443296076902692735780417298059011568971988619463802818660736654049870484193411780158317168232187100668526865378478661078082009408188033574841574337151898932291631715135266804518790328831268881702387643369637508117317249879868707531954723945940226278368605203277838681081840279552

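Then, going by the hint: tupper

it is clear that the number has to be plotted with Tupper's self-referential formula (I remembered that 套神's blog had a writeup for a challenge on this topic, so I understood what was meant right away).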

https://tuppers-formula.ovh/

Snake on web

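Played by hand up to 100 points.

I almost gave up pressing keys (nobody wants to read wasm).

Only after seeing how other players solved it did I learn that you can also traverse the map with Python or 按键精灵 (a keyboard/mouse macro tool).

LSSTIB (reproduced after the contest)

你看这个指针它可爱嘛 (Isn't this pointer cute?) (reproduced after the contest)

来一把紧张刺激的CS (A tense, thrilling round of CS) (reproduced after the contest)

For the reproduction, zysgmzb's two tools solve it directly (so convenient).

Intended solution: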

WEB

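象棋王子 (Chess Prince)

Press F12 to view the page source and you will find jsfuck.

(Of course, you can also win by actually playing the game.)

Paste it into the console and that is all.

电子木鱼 (Electronic Wooden Fish)

Download the source code and take a look: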

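    // Look up the requested action by name.
    if let Some(payload) = PAYLOADS.iter().find(|u| u.name == body.name) {
        let mut cost = payload.cost;

        // For "Donate" and "Cost" the unit cost is multiplied by the
        // client-supplied quantity, with no overflow check.
        if payload.name == "Donate" || payload.name == "Cost" {
            cost *= body.quantity;
        }

        // The balance check compares against the cost cast to i32.
        if GONGDE.get() < cost as i32 {
            return web::Json(APIResult {
                success: false,
                message: "功德不足", // "not enough merit"
            });
        }

        // The cost is subtracted from the merit counter.
        if cost != 0 {
            GONGDE.set(GONGDE.get() - cost as i32);
        }

        if payload.name == "Cost" {
            return web::Json(APIResult {
                success: true,
                message: "小扣一手功德", // "a little merit deducted"
            });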

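Seeing i32, this is recognizable at a glance as an integer overflow vulnerability. cost is what gets subtracted from the merit counter (GONGDE), and once the multiplied cost no longer fits in an i32 it becomes negative, so the subtraction raises GONGDE instead of lowering it. Setting name=Cost&quantity to the 32-bit maximum value 2147483648 is therefore enough.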
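The arithmetic behind this bug, next to a checked version, as an added example that is not part of the challenge source. The function names, the unit cost of 10, the i32 types for cost and quantity, and the sample quantity are all assumptions made for illustration.

```rust
// Added example: models the handler's arithmetic, not the challenge's real code.
// UNIT_COST is a constructed value; the page does not show the real cost table.
const UNIT_COST: i32 = 10;

/// Vulnerable form: the same three steps as the handler (multiply, compare, subtract).
/// `wrapping_mul` reproduces what `cost *= body.quantity` does in a release build,
/// where overflow checks are off (a debug build would panic instead).
fn spend_vulnerable(balance: i32, quantity: i32) -> Result<i32, &'static str> {
    let cost = UNIT_COST.wrapping_mul(quantity);
    if balance < cost {
        return Err("insufficient balance");
    }
    // A wrapped, negative cost passes the check above and increases the balance.
    Ok(balance.wrapping_sub(cost))
}

/// Hardened form: reject non-positive quantities and refuse any overflow.
fn spend_checked(balance: i32, quantity: i32) -> Result<i32, &'static str> {
    if quantity <= 0 {
        return Err("quantity must be positive");
    }
    let cost = UNIT_COST.checked_mul(quantity).ok_or("cost overflows i32")?;
    if balance < cost {
        return Err("insufficient balance");
    }
    balance.checked_sub(cost).ok_or("balance underflows i32")
}

fn main() {
    // Constructed quantity: 10 * 214_748_365 = 2^31 + 2, which wraps to a negative i32.
    let quantity = 214_748_365;
    println!("vulnerable: {:?}", spend_vulnerable(0, quantity));
    println!("checked:    {:?}", spend_checked(0, quantity));
    println!("normal use: {:?}", spend_checked(100, 3));
}
```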

