Mas0n
to be reverse engineer🐧
翻车鱼

Axton跨年红包Write Up

自从去年发现mdx主题后,不管是material design还是功能上的设计都戳到了我的点,于是我开始关注作者Axton,当看到“跨年红包”,我很是好奇。今年终于是赶上,体验一下“传统艺能”。

封面引自Axton制作的海报,侵删

无垠 2021 年度总结 – 无垠 (flyhigher.top)

从一张图片开始

axton提供了一张图片

https://cdn.shi1011.cn/2022/02/e85331e25f6c86fc7b0f534348f8bb41.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

下载后,胡乱检查一通:binwalkfilestrings 都没什么发现

010翻了翻,原来是改了高度

https://cdn.shi1011.cn/2022/02/f02792809daa9e7ee67d83e1d47d6184.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

原始大小为1510x1500

https://cdn.shi1011.cn/2022/02/4860fdc0342f7cec2518fdfcd7cabd41.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

看到隐藏的信息

https://cdn.shi1011.cn/2022/02/6f5438034da141ea9831b88fc0c1c889.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

二进制转为文本之后

https://cdn.shi1011.cn/2022/02/5158481ecf35ef0fcac045e4ab0ee2bb.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

游戏规则是要用JavaScript写一个15 puzzle game的sovler

https://cdn.shi1011.cn/2022/02/f44e0ddb4f7263e26e55e223b8e3d929.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

抄作业抄到了(手动狗头)

technogeek00/NPuzzleSolver

稍微改下之后能得到路径

// 带上抄的代码

let Arr = [[15,14,8,12],[10,11,9,13],[2,6,5,1],[3,7,4,0]]; // start api得到的data

let newArr = Arr.map(element=>{return element.map(el2 => {return el2 + 1 === 16 ? "" : el2 + 1;})})

const ctx = new NPuzzleSolver(newArr);
let solve = ctx.solve();

const arrs = [];
for (let i = 0; i < solve.length; i++) {
    let {x,y}=solve[i].piece;
    arrs.push([x,y]);
}

console.log(JSON.stringify(arrs));

然而第一次尝试没去判断方格移动的状态,成功的被cloudfire 429,禁止时间还挺长……

缝缝补补改用python交了

from requests import session

http = session()
res = http.get(url="https://go2022rpapi.axton.im/?action=start")
content = res.json()
maps = content["data"]
print("start =>", res.text)


def move(x, y):
    res = http.get(url="https://go2022rpapi.axton.im/?action=move&x={E}&y={j}".format(E=x, j=y))
    content = res.json()
    print("move [{x}, {y}] => {data}".format(x=x, y=y, data=content["data"]), res.text)
    if not content["status"]:
        print("error", res.text)
        return False
    return True

while 1:
    try:
        arr = eval(input())
        for (x, y) in arr:
            if not move(x, y):
                break
            sleep(3)
    except:
        continue

最后得到信息

https://cdn.shi1011.cn/2022/02/8da71663885c954c6a5d2c861be89c16.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

得到的是🎉.yrc.me,Unicode URL转Punycode

幸好没漏下(传统艺能

https://cdn.shi1011.cn/2022/02/10e67f8ffb55bf3e7c4c24e8d08a304d.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5
dig @8.8.8.8 xn--dk8h.yrc.me +noidnin +noidnout TXT
https://cdn.shi1011.cn/2022/02/59df3588cd00ff03effc8fbb8ee587a6.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

🎉彩蛋

不过,鉴于今年的题目较以往对于认真解题的人更难,我还准备了隐藏红包,在解题中收集线索即可发现隐藏红包。

Axton

彩蛋藏在了资源文件里

https://cdn.shi1011.cn/2022/02/80452510d9f24a1ca87ff1e82248269a.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

梅开二度

dig @8.8.8.8 xn--dk8hmk.yrc.me +noidnin +noidnout TXT
https://cdn.shi1011.cn/2022/02/ae95e996ba20d4cc53edefe5984d18d0.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

结尾

总的来讲,难点还是在于编写一个solver吧,不过因为我抄作业的缘故,几乎是没什么难度。

其实这篇文章当天就写好了,一直没发,结果拖到了元宵都过了,不管怎么样,还是祝大家新年快乐!

(又水了一篇)

本文链接:https://blog.shi1011.cn/diary/2205
本文采用 CC BY-NC-SA 3.0 Unported 协议进行许可

Mas0n

文章作者

发表评论

textsms
account_circle
email

翻车鱼

Axton跨年红包Write Up
自从去年发现mdx主题后,不管是material design还是功能上的设计都戳到了我的点,于是我开始关注作者Axton,当看到“跨年红包”,我很是好奇。今年终于是赶上,体验一下“传统艺能”。 封…
扫描二维码继续阅读
2022-02-17