试玩黑客游戏——game.enet.org.cn
诶...翻老帖子...翻到了这么个东西:game.enet.org.cn[不是硅谷动力哦]
<img alt="黑客游戏" height="366" src="http://xuanwobbs.com.cn/wp-content/uploads/game.PNG" width="400" />
那就来试试啦,优子技术不好,找到下一关的网页就算过关了
<HTML> <HEAD><title>『戴威尔』黑客游戏 http://www.hackervip.com 第一关(网页关)!
</title>
</HEAD><BODY bgcolor="#000000">
<SCRIPT LANGUAGE="Javascript">
<!--
var Words ="%0A%3CSCRIPT%3E%0Afunction%20stop%28%29%7B%0Areturn%20false%3B%0A%7D%0Adocument.oncontextmenu%3Dstop%3B%0A%3C/SCRIPT%3E%0A%0A%3CSCRIPT%20language%3DJavaScript%3E%0A%3C%21--%0A%0Afunction%20SymError%28%29%0A%7B%0A%20%20return%20true%3B%0A%7D%0A%0Awindow.onerror%20%3D%20SymError%3B%0A%0A//--%3E%0A%3C/SCRIPT%3E%0A%0A%3CSCRIPT%20language%3DJavascript%3E%0A%0A%0A%0Afunction%20PassConfirm%28%29%20%7B%0A%0Avar%20x%3Ddocument.password.pass.value%3B%0A%0Aif%20%28x%3D%3D%22hackervip.com%u3000%22%29%20%7Balert%28%27%u606D%u559C%u8FC7%u5173%uFF0C%u8FDB%u5165%u7B2C%u4E8C%u5173%uFF01%27%29%3B%0A%0Awindow.open%28%22errror.html%22%2C%22_self%22%29%20%7D%0A%0Aelse%20%7Bdocument.password.pass.value%3D%27%27%3Breturn%20false%3B%0A%0Awindow.open%28%22error.htm%22%2C%22_self%22%29%20%7D%0A%0A%0A%7D%0A%3C/SCRIPT%3E%0A%0A%3Ccenter%3E%u3000%3Cp%3E%3Cfont%20color%3D%22%23ff0000%22%20size%3D%226%22%3E%u300E%u4E2D%u5B89%u7F51%u57F9%u300F%u9ED1%u5BA2%u6E38%u620F%u3000%3C/font%3E%3C/p%3E%0A%3Cp%3E%3Cfont%20color%3D%22%23ff0000%22%20size%3D%226%22%3E%3Ca%20href%3D%22http%3A//www.hackervip.com/%22%3E%0Ahttp%3A//www.hackervip.com%3C/a%3E%u3000%3C/font%3E%3C/p%3E%0A%3Cp%3E%3Cfont%20color%3D%22%2300ff00%22%20size%3D%225%22%3E%u7B2C%u4E00%u5173%3C/font%3E%3C/p%3E%0A%3Cp%3E%3Cfont%20color%3D%22%2300ff00%22%20size%3D%225%22%3E%uFF08%u9ED1%u5BA2%u6E38%u620F%u7F51%u9875%u5173%uFF09%uFF01%3C/font%3E%3C/p%3E%0A%3Cform%20name%3D%22password%22%20method%3D%22post%22%3E%0A%09%3Cfont%20color%3D%22%2300ff00%22%3E%3Cbr%3E%0A%09%u8981%u6C42%uFF1A%u8FDB%u5165%u7B2C%u4E8C%u5173%uFF01%3C/font%3E%0A%09%3Cp%3E%3Cbr%3E%0A%09%3Cfont%20size%3D%225%22%3E%3Cfont%20color%3D%22%23ff0000%22%3E%u8BF7%u8F93%u5165%u5BC6%u7801%3A%3C/font%3E%3Cbr%3E%0A%09%3C/font%3E%3Cbr%3E%0A%09%3Cinput%20type%3D%22password%22%20value%20name%3D%22pass%22%3E%20%3Cbr%3E%0A%09%3Cbr%3E%0A%09%3Cinput%20onclick%3D%22return%20PassConfirm%28%29%22%20type%3D%22button%22%20value%3D%22%u786E%u5B9A%22%3E%20%3C/p%3E%0A%3C/form%3E%0A%3C/center%3E%0A
%3Cp%3E%u3000%3C/p%3E%0A%3Cp%20align%3D%22center%22%3E%3Cfont%20color%3D%22%23ff0000%22%20size%3D%224%22%3E%u8BBE%u8BA1%u8005%uFF1A%u4E2D%u5B89%u7F51%u57F9%0A%3Ca%20href%3D%22http%3A//www.hackervip.com%22%3Ehttp%3A//www.hackervip.com%3C/a%3E%3C/font%3E%3C/p%3E%0A%3Cp%20align%3D%22center%22%3E%u9ED1%u5BA2%u57F9%u8BAD%uFF0C%u5B89%u5168%u57F9%u8BAD%u95E8%u6237%u7F51%u7AD9%3C/p%3E%0A%0A"
/**
 * Decodes the %-escaped markup stored in the global `Words` and writes it
 * into the document.
 *
 * The escaping is only an encoding: unescape() restores the full markup,
 * including the password comparison it carries, so the check is readable by
 * anyone who views the page source.
 */
function SetNewWords() {
  document.write(unescape(Words));
}
SetNewWords();
// -->
</SCRIPT>
</BODY></HTML>
把转义符清除一下(也就是把Words这段字符串用unescape还原)就出来下一关的地址了呢:
http://game.enet.org.cn/errror.html
不过密码也有了呢:“hackervip.com ”【后面有一个全角空格哦】
第二关啦:
<HTML>
<HEAD>
<TITLE>戴威尔 黑客游戏 http://www.hackervip.com/bbs/第二关(网页关)!</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<noscript>
<iframe src="*.htm"></iframe></noscript>
<BODY bgcolor="#000000">
<SCRIPT language = JScript.Encode>#@~^TgAAAA==@#@&0; mDkW PkOWa`b @#@&.nDED ~0mV/I@#@&)@#@&NGm;hxORKUmKxOnXY:nU!'dYK2p@#@&cBcAAA==^#~@</SCRIPT><script language="JScript.Encode">#@~^dAAAAA==@#@&@!Z O@#@&@#@&0!UmDkGx,?zhADDK.`*@#@&P@#@&P,DY;DU~DD;+p@#@&)@#@&@#@&hkU[Kh W nMDGMP{P?H:A.DKDI@#@&@#@&&JOO@*@#@&fxkAAA==^#~@</script>
<script language="JScript.Encode">#@~^4wAAAA==@#@&@#@&@#@&@#@&0!x1OkKx~nm/d/Kx0b.:v#PP@#@&@#@&\mD~tOh{NGm!h+ Y 2m//AGMN wmdkR-mV!+@#@&@#@&r0,`4Ys'xECeeCMeCeJ*~`@#@&@#@&hrx[GSRGwU`rL2LctYhEBJm/s6Jb,8@#@&@#@&+^d+, @#@&@#@&Ar NWS Wa+xvEnDMWMR4YhEBJm/s0r#~N@#@&@#@&@#@&8@#@&JjcAAA==^#~@</SCRIPT>
<center>
<p> </p>
<p><font color="#FF0000" size="6">戴威尔 黑客游戏 </font></p>
<p><font color="#FF0000" size="6"><a href="http://www.hackervip.com/">http://www.hackervip.com/bbs/</a> </font></p>
<font SIZE="1" color="#FF0000"></font>
<p><font color="#00FF00" size="5">第二关</font></p>
<p><font color="#00FF00" size="5">(黑客游戏网页关)!</font></p>
<form name="password" method="post">
<font color="#00FF00">
<BR>
要求:进入第三关!</font><p><br>
<font size="5">
<font color="#FF0000">请输入密码:</font><br></font><br>
<input type="password" name="pass" size="20"> <BR><BR>
<input type="button" value="确定" onClick="return PassConfirm()"> </p>
</FORM>
</center>
<p> </p>
<p align="center"><font size="4" color="#FF0000">设计者:戴威尔
<a href="http://www.hackervip.com">http://www.hackervip.com</a></font></p>
<p align="center"><font size="4" color="#FF0000">安全培训门户网站</font></p>
</BODY>
</HTML>
其实只要把JScript.Encode的部分解码一下就出来了呢(JScript.Encode只是可逆的编码,并不是真正的加密),密码是:********[没有弄错哦,就是*呢]
地址也是明文呢:http://game.enet.org.cn/jpg.htm
第三关:
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<script language="JavaScript">
<!--
/**
 * Handler assigned to window.onerror on the following line.
 * Returning true marks every script error as handled, so the browser's
 * default error reporting stays silent on this page.
 */
function SymError() {
  return true;
}
window.onerror = SymError;
//-->
</script>
<SCRIPT LANGUAGE="JavaScript">
// Prompt-based login check that runs while the page loads.
// All five username/password pairs are string literals in this script, so
// the comparison data is visible to anyone who views the page source.
var username = "戴威尔" ;
var username1 = "swd" ;
var username2 = "myhk" ;
var username3 = "clygs" ;
var username4 = "hackervip.com/bbs" ;
var message1 = "请输入您的用户名";
// First prompt: the username. prompt() returns null when it is cancelled.
var un = prompt (message1,"");
var password = "^#()@#$$$" ;
var password1 = "UE33355" ;
var password2 = "webmaster@hackervip.com" ;
var password3 = "http://www.hackervip.com" ;
var password4 = "http://vip.hackervip.com" ;
var message = "请输入密码";
var incmess = "用户名或密码错误";
// minimizemsg is not referenced anywhere in the listing shown.
var minimizemsg = ":)"
// Second prompt: the password.
var pw = prompt (message,"");
// One block per known username: a wrong password shows the error text and
// loads error.htm in the same window. A correct pair does nothing here;
// no branch in this script navigates to a success page.
if (un == username) {
if (pw != password) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username1) {
if (pw != password1) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username2) {
if (pw != password2) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username3) {
if (pw != password3) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username4) {
if (pw != password4) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
// Unknown username (including a cancelled prompt): same error path.
if (un != username) {
if (un != username1) {
if (un != username2) {
if (un != username3) {
if (un != username4) {
alert (incmess);
// window.content (
window.open("error.htm","_self")
}
}
}
}
}
//JavaScript ends ---------->
</SCRIPT>
<TITLE>脚本游戏 http://www.hackervip.com/第三关(网页关)!</TITLE>
</HEAD>
<noscript>
<iframe src="*.htm"></iframe></noscript>
<BODY bgcolor="#000000">
<meta http-equiv="refresh" content="0;url=error.htm">
<script language="JavaScript">
<!--
/**
 * Repeated definition of the window.onerror handler (assigned on the next
 * line). Returning true keeps script errors from being reported.
 */
function SymError() {
  return true;
}
window.onerror = SymError;
//-->
</script>
<script language="JavaScript">
<!--
/**
 * Another copy of the window.onerror handler (assigned on the next line).
 * Returning true keeps script errors from being reported.
 */
function SymError() {
  return true;
}
window.onerror = SymError;
//-->
</script>
<script language="Javascript">
/**
 * Click handler for the form button: compares the password field with a
 * literal and loads the matching page in the current window.
 *
 * Both the expected value and the next page's file name are plain text in
 * this function, so the check offers no protection against reading the source.
 */
function PassConfirm() {
  var entered = document.password.pass.value;
  var target = (entered == "htm")
    ? "3.14159265358979323846264.htm"
    : "error.htm";
  window.open(target, "_self");
}
</SCRIPT>
<center>
<p> </p>
<p><font color="#FF0000" size="6">脚本游戏 </font></p>
<p><font color="#FF0000" size="6"><a href="http://www.hackervip.com/">http://www.hackervip.com/</a> </font></p>
<p><font color="#00FF00" size="5">第三关</font></p>
<p><font color="#00FF00" size="5">(脚本游戏网页关)!</font></p>
<form name="password" method="post">
<font color="#00FF00">
<BR>
要求:进入第四关!</font><p><br>
<font size="5">
<font color="#FF0000">请输入密码:</font><br></font><br>
<input type="password" name="pass" size="20"> <BR><BR>
<input type="button" value="确定" onClick="return PassConfirm()"> </p>
</FORM>
</center>
<p> </p>
<p align="center"><font size="4" color="#FF0000">设计者:戴威尔
<a href="http://www.hackervip.com">http://www.hackervip.com</a></font></p>
<p align="center"><font size="4" color="#FF0000">安全培训门户网站</font></p>
<SCRIPT>
/**
 * Handler assigned to document.oncontextmenu on the following line.
 * Returning false cancels the event, which blocks the right-click menu;
 * it does not stop the source from being read by other means.
 */
function stop() {
  return false;
}
document.oncontextmenu=stop;
</SCRIPT>
</BODY>
</HTML>
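这个访问的时候会要求输入用户名和密码的样子,但是不管怎么输入都是错误的呢...很费解也没办法啦。回头看源码的话,大概是因为<BODY>里有一句<meta http-equiv="refresh" content="0;url=error.htm">,不管输入对不对页面都会马上跳到error.htm;而且脚本里就算用户名和密码都对了也没有任何跳转,只有输错的时候才会弹窗并打开error.htm呢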
最后看到下一个网页是
http://game.enet.org.cn/3.14159265358979323846264.htm
看样子是圆周率呢O(∩_∩)O~
第四关:
<HTML> <HEAD><title>脚本游戏 http://www.hackervip.com 第一期第四关(网页关)!
</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD><BODY bgcolor=#000000>
<SCRIPT>
/**
 * Handler assigned to document.oncontextmenu on the following line.
 * Returning false cancels the event, which blocks the right-click menu.
 */
function stop() {
  return false;
}
document.oncontextmenu=stop;
</SCRIPT>
<SCRIPT language=JavaSCRIPt>
<!--
/**
 * Handler assigned to window.onerror on the following line.
 * Returning true marks every script error as handled, so nothing is
 * reported to the visitor.
 */
function SymError() {
  return true;
}
window.onerror = SymError;
//-->
</SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
/**
 * Encodes a string for the password comparison in PassConfirm().
 *
 * The first output unit is the first input code unit plus the input length;
 * every later unit is the sum of the current and previous input code units.
 * This is a reversible encoding (he() in this file undoes it), not a one-way
 * hash, so comparing against a constant in client-side script does not keep
 * the expected password secret.
 *
 * @param {string} code - text to encode
 * @returns {string} encoded text with the same number of code units
 */
function hackervip_compile(code) {
  var encoded = [String.fromCharCode(code.charCodeAt(0) + code.length)];
  for (var pos = 1; pos < code.length; pos += 1) {
    var pairSum = code.charCodeAt(pos) + code.charCodeAt(pos - 1);
    encoded.push(String.fromCharCode(pairSum));
  }
  return encoded.join("");
}
// Click handler for the form button. Encodes the typed password with
// hackervip_compile() and compares it with an unescape()'d constant.
function PassConfirm() {
var x=document.password.pass.value;
// On a match, the second constant is unescape()'d, decoded by he() and the
// resulting text is passed to eval(). The /* ... */ between `he` and `(` is a
// block comment, so decodeIt is never called here; the call is he(unescape(...)).
// NOTE(review): eval() of a decoded string hides the statements that will run;
// when analysing the page, display the decoded text instead of executing it.
if (hackervip_compile(x)==unescape("%88%DF%D9%9E%96%C9%C4%CE%D0%D7%E8%DF%D9%9E%91%D2%DC%9C")) {eval(''+he/*decodeIt("%u4E23%u9C0B%u9F73%uC7F7%uF5D5%uD691%uBD6F%u669C%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9");*/(unescape("%9F%CD%D1%D7%E6%9CO%u6094%uB609%uA4FC%uDF27%uE13A%u507F%u8EE7%uE140%uCC91%uC9C0%uA007%u5074%uFF28Pd%B2%E0%D7%D2%D3%E6%A5%9D%DF%D5%D3%96J%8F%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9%8ENN%81%D2%D8%D1%D2%88K")));
}
// Wrong password: the field is cleared and the handler returns false.
// The window.open() below sits after that return, so it is unreachable.
else {document.password.pass.value='';return false;
window.open("error.htm","_self") }
return false;
}
</SCRIPT>
<center> <p><font color="#ff0000" size="6">脚本游戏 </font></p>
<p><font color="#ff0000" size="6"><a href="http://www.hackervip.com/">
http://www.hackervip.com</a> </font></p>
<p><font color="#00ff00" size="5">第四关</font></p>
<p><font color="#00ff00" size="5">(脚本游戏网页关)!</font></p>
<form name="password" method="post">
<font color="#00ff00"><br>
要求:进入第五关!</font>
<p><br>
<font size="5"><font color="#ff0000">请输入密码:</font><br>
</font><br>
<input type="password" value name="pass"> <br>
<br>
<input onclick="return PassConfirm()" type="button" value="确定"> </p>
</form>
</center>
<p> </p>
<p align="center"><font color="#ff0000" size="4">设计者:戴威尔
<a href="http://www.chkh.com">http://www.hackervip.com</a></font></p>
<p align="center">安全培训门户网站</p>
<script language=javascript>
// Rewrites the current text selection, either through document.selection
// or through the selectionStart/selectionEnd of the given text field.
// In the listing shown, the only mention of decodeIt is inside a block
// comment in PassConfirm(), so nothing visible calls it.
function decodeIt(textfield) {
// Assigned without var, so strSelection becomes a global variable.
strSelection = "";
if (document.selection) {
strSelection = document.selection.createRange().text;
// NOTE(review): as shown, these two calls replace "<" with "<" and ">" with
// ">", which changes nothing. The patterns were presumably HTML entities
// before the page was rendered - confirm against the original file.
strSelection = strSelection.replace(new RegExp("<","g"), "<");
strSelection = strSelection.replace(new RegExp(">","g"), ">");
document.selection.createRange().text = strSelection;
}
//MOZILLA/NETSCAPE support
// The == '0' comparison keeps this branch reachable when the selection starts at position 0.
else if (textfield.selectionStart || textfield.selectionStart == '0') {
textfield.focus();
var startPos = textfield.selectionStart;
var endPos = textfield.selectionEnd;
strSelection = textfield.value.substring(startPos, endPos)
strSelection = strSelection.replace(new RegExp("<","g"), "<");
strSelection = strSelection.replace(new RegExp(">","g"), ">");
// Splice the processed selection back between the untouched head and tail.
textfield.value = textfield.value.substring(0, startPos) + strSelection + textfield.value.substring(endPos, textfield.value.length);
}
}
// Decodes a hex string with a keystream derived from a password and from the
// salt carried in the last 8 hex characters of str.
// Returns the decoded string, or undefined (after an alert) when str is null
// or shorter than 8 characters, or when pwd is null or empty.
// In the listing shown nothing calls this function.
// NOTE(review): the keystream below comes from a linear congruential
// recurrence seeded from the password digits and the salt; treat this as
// obfuscation rather than as a vetted cipher.
function decrypt(str, pwd) {
if(str == null || str.length < 8) {
alert("A salt value could not be extracted from the encrypted message because it's length is too short. The message cannot be decrypted.");
return;
}
if(pwd == null || pwd.length <= 0) {
alert("Please enter a password with which to decrypt the message.");
return;
}
// prand starts as the decimal character codes of pwd joined into one string.
var prand = "";
for(var i=0; i<pwd.length; i++) {
prand += pwd.charCodeAt(i).toString();
}
// The multiplier is built from five characters of prand taken at multiples of sPos
// (parseInt is called without a radix).
var sPos = Math.floor(prand.length / 5);
var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos*2) + prand.charAt(sPos*3) + prand.charAt(sPos*4) + prand.charAt(sPos*5));
var incr = Math.round(pwd.length / 2);
var modu = Math.pow(2, 31) - 1;
// The last 8 characters of str are parsed as a hexadecimal salt and cut off the message.
var salt = parseInt(str.substring(str.length - 8, str.length), 16);
str = str.substring(0, str.length - 8);
// prand is still a string here, so += appends the salt's decimal digits.
prand += salt;
// Fold the digit string until it is at most 10 characters long.
while(prand.length > 10) {
prand = (parseInt(prand.substring(0, 10)) + parseInt(prand.substring(10, prand.length))).toString();
}
// From here on prand is a number: the first step of the recurrence.
prand = (mult * prand + incr) % modu;
var enc_chr = "";
var enc_str = "";
// Each pair of hex characters is XORed with floor(prand / modu * 255), then the recurrence advances.
for(var i=0; i<str.length; i+=2) {
enc_chr = parseInt(parseInt(str.substring(i, i+2), 16) ^ Math.floor((prand / modu) * 255));
enc_str += String.fromCharCode(enc_chr);
prand = (mult * prand + incr) % modu;
}
return enc_str;
}
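/**
 * Reverses hackervip_compile(): the first output unit is the first input
 * code unit minus the input length, and every later unit is the current
 * input code unit minus the previously decoded unit.
 *
 * dd is used exactly as passed; PassConfirm() applies unescape() before
 * calling. No global variable is written: the decoded text is only returned.
 *
 * @param {string} dd - encoded text
 * @returns {string} decoded text with the same number of code units
 */
function he(dd) {
  var c = String.fromCharCode(dd.charCodeAt(0) - dd.length);
  for (var i = 1; i < dd.length; i++) {
    // c already holds the decoded unit i-1, which is what the encoder added.
    c += String.fromCharCode(dd.charCodeAt(i) - c.charCodeAt(i - 1));
  }
  return c;
}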
</script>
</BODY></HTML>
这关可就难多了呢,慢慢来哦
<input onclick="return PassConfirm()" type="button" value="确定">
点击确定后执行PassConfirm()函数呢
PassConfirm()函数分析:
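// Annotated copy of the game's PassConfirm() click handler.
function PassConfirm() {
var x=document.password.pass.value; // read the password typed into the form
// The typed password is encoded with hackervip_compile() and compared with the
// unescape()'d first constant. On a match, the second constant is unescape()'d,
// decoded by he() and the resulting text is executed with eval().
// The /* ... */ between `he` and `(` is a block comment and never runs.
if (hackervip_compile(x)==unescape("%88%DF%D9%9E%96%C9%C4%CE%D0%D7%E8%DF%D9%9E%91%D2%DC%9C")) {eval(''+he/*decodeIt("%u4E23%u9C0B%u9F73%uC7F7%uF5D5%uD691%uBD6F%u669C%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9");*/(unescape("%9F%CD%D1%D7%E6%9CO%u6094%uB609%uA4FC%uDF27%uE13A%u507F%u8EE7%uE140%uCC91%uC9C0%uA007%u5074%uFF28Pd%B2%E0%D7%D2%D3%E6%A5%9D%DF%D5%D3%96J%8F%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9%8ENN%81%D2%D8%D1%D2%88K")));
}
// Wrong password: the field is cleared and the handler returns false.
// The window.open() below comes after that return, so error.htm is never
// opened from this branch.
else {document.password.pass.value='';return false;
window.open("error.htm","_self") }
return false;
}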
知道了原理就可以解决啦,要知道他会打开什么网页其实很简单呢...
把eval改成alert然后把解密函数都拿过来就行了呢
把下面网页保存为html然后执行就可以看到弹出的结果啦
<script language=javascript>
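/**
 * Copy of the game's he() decoder, which reverses hackervip_compile(): the
 * first output unit is the first input code unit minus the input length, and
 * every later unit is the current input code unit minus the previously
 * decoded unit.
 *
 * dd is used exactly as passed, so the caller applies unescape() first.
 * No global variable is written: the decoded text is only returned.
 *
 * @param {string} dd - encoded text
 * @returns {string} decoded text with the same number of code units
 */
function he(dd) {
  var c = String.fromCharCode(dd.charCodeAt(0) - dd.length);
  for (var i = 1; i < dd.length; i++) {
    // c already holds the decoded unit i-1, which is what the encoder added.
    c += String.fromCharCode(dd.charCodeAt(i) - c.charCodeAt(i - 1));
  }
  return c;
}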
// alert() only displays the decoded text; unlike the eval() in the game's
// PassConfirm(), nothing in the decoded string is executed here.
alert(''+he(unescape("%9F%CD%D1%D7%E6%9CO%u6094%uB609%uA4FC%uDF27%uE13A%u507F%u8EE7%uE140%uCC91%uC9C0%uA007%u5074%uFF28Pd%B2%E0%D7%D2%D3%E6%A5%9D%DF%D5%D3%96J%8F%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9%8ENN%81%D2%D8%D1%D2%88K")));
</script>
弹出窗口是
alert('恭喜你过关,进入第五关!');window.open("my_hackervip.html","_self")
意思是弹出窗口“恭喜你过关,进入第五关!”然后打开my_hackervip.html这个下一关的网页呢
但是不知道为什么打开的页面是一片乱码呢...也不是GZIP压缩的样子...好奇怪呢...
所以优子也不能确定到底是不是过关了呢...不管啦
有些人会注意到我在解密函数那里删掉了一段
/*decodeIt("%u4E23%u9C0B%u9F73%uC7F7%uF5D5%uD691%uBD6F%u669C%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9");*/
这段其实是一段注释...用来迷惑你的呢...他是不会执行的哦...所以优子就放心的删掉啦...
PS:好久没更新了呢,很对不起大家的样子,因为代码高亮弄去了优子很长的时间呢...现在终于不完美的搞定啦,这篇文章迟到了10天可以发出来了呢
沙发~~~~~~~ 高深了,不玩黑客,偶尔被玩。 topchun~~~好眼熟呢 :tie 网络安全还是很重要的呢 谢谢分享 伪娘~~求黑Chinanet 我也是卡在第五关不能动了,显示一片乱码。 [...] 刚刚在雷锋群群友优子的博客上看到一篇文章《试玩黑客游戏》,心里一阵激动,我激动个啥呢?因为高中的时候曾玩过这个,那个时候马马虎虎只能过第一关,而且还花了我不少时间。事隔多年,我又回来了,看看技术有没有长进。 [...] [...] 刚刚在雷锋群群友优子的博客上看到一篇文章《试玩黑客游戏》,心里一阵激动,我激动个啥呢?因为高中的时候曾玩过这个,那个时候马马虎虎只能过第一关,而且还花了我不少时间。事隔多年,我又回来了,看看技术有没有长进。 [...] 博主不错哦~呵呵。 路过~~~相当的巨规模。有事情回访~妥妥的~~加了个油 你的博客写的不错,向你学习~~~,我马上转到我的博客上! 喜欢美女的都来玩下啊 x1.umdvd.info 参观学习一下,呵呵。 互访。 咱的小站:http://www.taobaowanggo.com/ 这个博客就不更新了么? 有些时日没有过来看看了. 这么多代码,看得头都晕了。。 写的很好啊!! 很好的文章 值得珍藏 http://www.cne.cc 你好换友情连接吗? QQ29741五557 这个分析太好了 可是第一关如何去掉转义符 还有第二关 用什么 解密那段code后面的代码才能变成*啊? 关注 其实如果熟悉JS的话要不了多少时间。甚至于,网上还有JScript.Decode的在线页面。 当然当时我是直接挂了一个DIV标签然后换了他的innerText就什么都显示出来了呢。 不过最后那一关,确实把人看得很费解……真该别是他传文件中途出错了吧。 哇, 代码高亮好漂亮, 怎么弄的? 很好玩的游戏 这是测试大家的网络基础功底 呵呵 :zida 这个弄起来比较麻烦的... 没有丑女人,只有懒女人。只要你会打扮,你就是气质美女,你就可以走到哪里都吸引男人的眼球。皇冠店铺大全(精品馆) 超过万人转载 你怎么能错过http://www.54dsb.tk/shops.php 我故意放过你.... 这个是什么 :yun :wuliao 第五关乱码先改为uri编码,然后....好久没玩了 算了不管了