【刷题】SPC新生讲座题目wp

鸣谢

感谢sq,xc学长和cty学姐的帮助和教导！！！
除了大头像放后面做其他也是完结了，第一次wp磕磕绊绊做出来了嘻嘻

曼波曼波曼波

倒转的base，翻转脚本：

# 读取 txt 文件并翻转内容
def reverse_txt_file(input_path, output_path):
    try:
        with open(input_path, 'r', encoding='utf-8') as file:
            content = file.read()
        
        reversed_content = content[::-1]
        
        with open(output_path, 'w', encoding='utf-8') as file:
            file.write(reversed_content)
        
        print(f"成功！原文件: {input_path}")
        print(f"反转文件: {output_path}")
        print(f"原内容长度: {len(content)} 字符")
        print(f"反转内容长度: {len(reversed_content)} 字符")
        
    except FileNotFoundError:
        print(f"错误：找不到文件 {input_path}")
    except Exception as e:
        print(f"错误：{e}")

input_file = r'E:\app-down\题目工作区\mbmb\smn.txt'
output_file = r'E:\app-down\题目工作区\reversed_smn.txt'

reverse_txt_file(input_file, output_file)

AI：Base64 编码的 ZIP 文件数据，解码后就恢复成原始的 ZIP 二进制文件。
使用 CyberChef（厨子）：https://gchq.github.io/CyberChef/
- Input (Base64字符串)
- Drag “From Base64” recipe
- 得到二进制数据
- 点击右下角下载按钮保存为 .zip 文件
双图盲水印：
- 方法原地址
- 注意：在文件下打开poweshell
- 存档-电脑此工具位置：E:\app-down\双图盲水印\BlindWaterMark-master\BlindWaterMark-master

ida使用.exe

Welcome to Reverse Engineering!!!
欢迎来到逆向工程！！！

Press Enter to find flag1
按 Enter 键查找 flag1

NSSCTF{
NSSCTF{

Next, I will teach you how to use ida.
接下来，我将教你如何使用 IDA。

The first step is to open the exe file with ida.
第一步是用 IDA 打开 exe 文件。

F5 can convert the current interface into pseudo C code
F5 可以将当前界面转换为伪 C 代码

The shortcut key shfit + F12 is to view strings. We can often find the entry point here.
快捷键 Shift + F12 用于查看字符串。我们经常可以在这里找到入口点。

You can see flag2 there
你可以在那里看到 flag2

function页面找main文件，在“You can see flag2 there”处快捷键 Shift + F12 ，找到：IDA_1s_4_VeRy_Impo
双击后页面按X连接可以看到flag2
Tab 键进入伪C代码页面，双击函数可进入详细界面

The tab key can switch between the assembly and disassembly interfaces, and sometimes disassembly can interfere with our analysis.
Tab 键可以在汇编和反汇编界面之间切换，有时候反汇编会干扰我们的分析。

Tab 键进入汇编页面，观察call类型以及灰色翻译部分

In ida, shift+E can extract data in order of the size of the program
在 IDA 中，Shift+E 可以按程序大小顺序提取数据

The R key is to convert data into character form
R 键是将数据转换为字符形式

Try to find flag3
尝试找到 flag3

看mov，英文猜测important所以是倒序
断店操作：Debugger-local windows debugger-运行（如果没有窗口window-reset desktop）
直接双击找shift+E R 导出为string，得到：rTant_t0ol_iN_

The left side of ida is the function, and sometimes you can find important information from the function name.
IDA 的左侧是函数列表，有时候你可以从函数名中找到重要信息。

The patch method can achieve our goal by directly modifying the binary file
打补丁的方法可以通过直接修改二进制文件来实现我们的目标

FLAG4 NOT HRER
FLAG4 不在这里

flag4(void)（？汇编文件，选取函数名称搞补丁
通过任选printf()右键Assemble，改call后为函数名称，enter修改
右键Patching-apply导出，运行新程序得到：rever5e_en8ine3ring}
注：在 IDA 中从流程图视图切换回连续的文本/表格视图用空格键
最后答案：NSSCTF{IDA_1s_4_VeRy_ImporTant_t0ol_iN_rever5e_en8ine3ring}

twoEs1

题目：

from Cryptodome.Util.number import *
import random

flag=b"SPCCTF{********}"

p, q = getPrime(512), getPrime(512)
n = p * q

e1 = random.getrandbits(32)
e2 = random.getrandbits(32)

import gmpy2
s,s1,s2=gmpy2.gcdext(e1,e2)
print(s)
#导入 gmpy2 库进行大数运算 
#gmpy2.gcdext(a,b)计算扩展欧几里得算法 返回 (g,s,t)，其中 g=gcd(a,b)，且 s*a + t*b = g

m = bytes_to_long(flag)
c1 = pow(m, e1, n)
c2 = pow(m, e2, n)

print(f'{n = }')
print(f'{e1 = }')
print(f'{e2 = }')
print(f'{c1 = }')
print(f'{c2 = }')

'''
n = 77653027019410283582708662091841984922043011758121679079881183020813164663803315218162399044305258074482737579924642303624296916990420038267507847806411365847770079739424288020008734096352715536212355610499244337263033620679172659903396470522388964976403280440005666750783772493205491694203801534799771603973
e1 = 1550550838
e2 = 4196113069
c1 = 10879882027555312937608696756143487708492509877667613620249639748606727334006539946052668627697088875994270713711095280209616987454727654075073679556671706894288288425066016765935927179268631914629763649753266424293357163466575462028472324055698901991171526421270840161635556574472647431065514324250656887711
c2 = 3011958986718808526365150648555525977083765700624932707761381505508399298854491454270664897732491521128964864382168158216240628717617068568110917894811504799962807736416471284350198523924590448858301736435406723758509936349838419125901147351088181623044341056413457153562300106346324761118425649126782967195
'''

解决方案(基于gcd = 1以及n相同加密)

import gmpy2
from Cryptodome.Util.number import long_to_bytes

n = 77653027019410283582708662091841984922043011758121679079881183020813164663803315218162399044305258074482737579924642303624296916990420038267507847806411365847770079739424288020008734096352715536212355610499244337263033620679172659903396470522388964976403280440005666750783772493205491694203801534799771603973
e1 = 1550550838
e2 = 4196113069
c1 = 10879882027555312937608696756143487708492509877667613620249639748606727334006539946052668627697088875994270713711095280209616987454727654075073679556671706894288288425066016765935927179268631914629763649753266424293357163466575462028472324055698901991171526421270840161635556574472647431065514324250656887711
c2 = 3011958986718808526365150648555525977083765700624932707761381505508399298854491454270664897732491521128964864382168158216240628717617068568110917894811504799962807736416471284350198523924590448858301736435406723758509936349838419125901147351088181623044341056413457153562300106346324761118425649126782967195

# 检查是否互质
gcd, u, v = gmpy2.gcdext(e1, e2)
print(f"gcd(e1,e2) = {gcd}")  # 应该是 1
# u × e1 + v × e2 = gcd(e1, e2)

if gcd == 1:
    # 计算明文
    if u < 0:
        c1 = gmpy2.invert(c1, n)
        u = -u
    if v < 0:
        c2 = gmpy2.invert(c2, n) 
        v = -v
    m = (pow(c1, u, n) * pow(c2, v, n)) % n
    flag = long_to_bytes(m)
    print(flag.decode())

共模攻击：[ pow(a, b, n) → n为模数 ]（详见RSA）
- 攻击原理：
  如果 gcd(e1, e2) = 1，可以通过扩展欧几里得算法找到 u, v 使得：
  u × e1 + v × e2 = 1
  c1^u × c2^v ≡ m^(u×e1) × m^(v×e2) ≡ m^(u×e1 + v×e2) ≡ m^1 ≡ m (mod n)
- 根本原因：RSA 的安全性依赖于大数分解困难性，但当使用相同模数加密相同消息时，攻击者可以利用代数关系绕过分解问题。

twoEs2

题目：

from Cryptodome.Util.number import *
import random

flag=b"SPCCTF{********}"

p, q = getPrime(512), getPrime(512)
n = p * q

e1 = random.getrandbits(32)
e2 = random.getrandbits(32)

m = bytes_to_long(flag)
c1 = pow(m, e1, n)
c2 = pow(m, e2, n)

print(f'{n = }')
print(f'{e1 = }')
print(f'{e2 = }')
print(f'{c1 = }')
print(f'{c2 = }')

'''
n = 97600241525101615748091592571664660926639880623676630098513390980179339048294452878617774530804846547759693682625720452045482941031433063601264167464483345140203593650062234011147495096867025786848883396312986373098722431552517575960894385653813275110519118159478403718867113163144951756435064109978693850991
e1 = 3739335288
e2 = 3124897683
c1 = 33002001040793361121205743705051566694083960204437803400110996553874970546459769940895274538944142911035661180721041433582055055901827086366079458238180515982882281159369335115689197909674012289803866694817803339799332165760217770985620911446230237865457225365735286754884597360255964535103536362788889343153
c2 = 28612632923221914052449458260170537094022260373135401108346955487860713981145320349945832078855063911329616383875004373295934310132767249858424266864981319085969453037587482565982836138763906635775429377847559657878241052164215585546465219419202751784070881845017799754069244601020027997406547478196338470880
'''

解法：

from Cryptodome.Util.number import *
import random
import gmpy2
#from Crypto.Util.number import *
from gmpy2 import *

n = 97600241525101615748091592571664660926639880623676630098513390980179339048294452878617774530804846547759693682625720452045482941031433063601264167464483345140203593650062234011147495096867025786848883396312986373098722431552517575960894385653813275110519118159478403718867113163144951756435064109978693850991
e1 = 3739335288
e2 = 3124897683
c1 = 33002001040793361121205743705051566694083960204437803400110996553874970546459769940895274538944142911035661180721041433582055055901827086366079458238180515982882281159369335115689197909674012289803866694817803339799332165760217770985620911446230237865457225365735286754884597360255964535103536362788889343153
c2 = 28612632923221914052449458260170537094022260373135401108346955487860713981145320349945832078855063911329616383875004373295934310132767249858424266864981319085969453037587482565982836138763906635775429377847559657878241052164215585546465219419202751784070881845017799754069244601020027997406547478196338470880

s,s1,s2=gmpy2.gcdext(e1,e2)
print('s = ',s)

m = pow(c1, s1, n)*pow(c2, s2, n) % n  # 最后别忘记再模上一个n，整体都在模n中
#flag = long_to_bytes(m).decode()
print(long_to_bytes(iroot(m, 3)[0]))
#print(flag)

参考；未看

签个到吧！

题目：

>+++++++++++++++++[<++++++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++[<+++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++[<++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++++++[<+++++++>-+-+-+-]<[-]>++++++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++[<++++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>+++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++[<+++++>-+-+-+-]<[-]

试图解释：
- 快速笔记：“.”为指针位置
- >+[<>-±±±]<[-]>[<+++++++>-±±±]
  - >+17 ; [<+6>-1] ; ; >+12 ; [<+9>-] ;
  - 0 17. ; 176 = 102 0. ; 0. 0 ; 0 12. ; 912 = 108 0. ;
  - 102 0. → 108 0.
- <[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-±±±]
  - < ; >+97 ; [<+>-]
  - 108. 0 ; 108 97. ; 108 + 97 = 205 0.
大概理解了，开造

def brainfuck(a):
    li = [0]
    index = 0
    kuo = []
    output = []
    i = 0
    while i < len(a):
        if a[i] == '+' or a[i] == '-':
            li[index] = eval(str(li[index]) + a[i] + '1')
        elif a[i] == '>':
            index += 1
            if len(li) <= index:
                li.append(0)
        elif a[i] == '<':
            index -= 1
        elif a[i] == '.':
            print(li[index], end=' ')
            output.append(li[index])
        elif a[i] == ',':
            i += 1
            li[index] = ord(a[i])
        elif a[i] == '[':
            if li[index] == 0:
                while a[i] != ']':
                    i += 1
                i += 1
            else:
                kuo.append(i)
        elif a[i] == ']':
            if li[index] != 0:
                i = kuo.pop()-1
            else:
                temp = kuo.pop()
        i += 1
    return output

a = '''
>+++++++++++++++++[<++++++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++[<+++>-+-+-+-]<[-]>++++++++++++[<+++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++[<++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>++++++++++++[<+++++++>-+-+-+-]<[-]>++++++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++++++[<+++>-+-+-+-]<[-]>+++++++++++[<++++++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++[<++>-+-+-+-]<[-]>++++++++[<++++++>-+-+-+-]<[-]>+++++++++++[<+++++>-+-+-+-]<[-]>+++++++++++++++++++[<+++++>-+-+-+-]<[-]>+++++++[<+++++++>-+-+-+-]<[-]>+++++++++++++++++++++++++++++[<++++>-+-+-+-]<[-]>+++++++++++[<+++>-+-+-+-]<[-]>+++++++++++++++++++++++++[<+++++>-+-+-+-]<[-]
'''
a = a.replace('[-]', '.[-]')
output = brainfuck(a)
for i in output:
    print(chr(i), end='')

解释：就是指针内容没有用.输出，所以在[-]删除前加输出从而得到结果
教训：人要好好学习不要偷懒用AI哈哈哈讲的差不多理解就是完全没理解

xor

第一步

alt text

循环28次（i从0到27）说明flag长度为28个字符
验证条件
- v4[i]：用户输入的第i个字符
- (unsigned __int8)：将字符转换为无符号8位整数（0-255）
- ^ 0x7A：与十六进制0x7A（十进制122）进行异或运算
- enc_0[i]：预设的正确加密值的第i个元素
- !=：比较是否不相等

第二步

alt text

db：Define Byte 表示定义字节数据
有 h 后缀：明确表示十六进制
n dup (a)：表示n个a

解密代码

enc_0 = [
    0x34, 0x29, 0x29, 0x39, 0x2E, 0x3C, 0x01, 0x22, 0x15, 0x08, 0x25,
    0x13, 0x09, 0x25, 0x18, 0x1B, 0x09, 0x13, 0x19, 0x25, 0x08, 0x1F, 0x0C,
    0x1F, 0x08, 0x09, 0x1F, 0x07
]

def decrypt_flag(enc_data):
    flag = ''
    for encrypted in enc_data:
        # 异或解密：encrypted ^ 0x7A
        original_char = encrypted ^ 0x7A
        flag += chr(original_char)
    return flag

# 解密
flag = decrypt_flag(enc_0)
print("解密后的flag:", flag)

这羽毛球怎么只有一半啊（恼）

crc高度题 010editor打开下方有报错信息，记得拉上来看！
代码

import binascii
import struct
 
 
 
crcbp = open("./羽毛球.png", "rb").read()    #打开图片
crc32frombp = int(crcbp[29:33].hex(),16)     #读取图片中的CRC校验值
print(crc32frombp)
 
for i in range(4000):                        #宽度1-4000进行枚举
    for j in range(4000):                    #高度1-4000进行枚举
        data = crcbp[12:16] + \
            struct.pack('>i', i)+struct.pack('>i', j)+crcbp[24:29]
        crc32 = binascii.crc32(data) & 0xffffffff
        #print(crc32)
        if(crc32 == crc32frombp):            #计算当图片大小为i:j时的CRC校验值，与图片中的CRC比较，当相同，则图片大小已经确定
            print(i, j)
            print('hex:', hex(i), hex(j))
            exit(0)

【待】

修改高度（额看了wp改的怎么找）bushi没法理解为什么修改这里

掩码爆破

如题，简单

F12?

当个别网页禁用F12，无法查看网页源代码时，可以通过地址栏操作后使用F12：
打开目标网页后，不要直接按F12，而是先用鼠标点击浏览器地址栏，全选当前网址。在全选网址的状态下，按下F12键。此时，部分网页可能会因为这一操作而解除对F12的禁用，从而允许你打开开发者工具查看源代码。

F12

极其简单，如题

test

极其简单，如题

word-03

伪加密参考
- 特征：
  - 压缩源文件数据区的全局方式位标记应当为 00 00 （50 4B 03 04 14 00 后）
  - 且压缩源文件目录区的全局方式位标记应当为 09 00 （50 4B 01 02 14 00 后）
- 修改方法：
  - 确定是伪加密后就需要将其修改为无加密，方法很简单，就是将压缩源文件目录区的全局方式位标记从09 00改为00 00。
将这个word文件重命名为zip后，发现还能继续解压
找到flag
反思：搜索时注意是搜索文本还是十六进制，好愚蠢的问题已经第二次犯了|-_-··|

Basic Number theory

同余基本性质
- ‌反身性‌：a ≡ a (mod m)，任何整数与其自身同余。
- ‌对称性‌：若a ≡ b (mod m)，则b ≡ a (mod m)，同余关系可逆。‌
- ‌传递性‌：若a ≡ b (mod m)且b ≡ c (mod m)，则a ≡ c (mod m)，允许链式推导。
- ‌运算性质‌：
  - 加减性：若a ≡ b (mod m)且c ≡ d (mod m)，则a±c ≡ b±d (mod m)。‌
  - 乘性：若a ≡ b (mod m)且c ≡ d (mod m)，则ac ≡ bd (mod m)，推广至幂次有aⁿ ≡ bⁿ (mod m)。‌
  - 消去律‌：若ca ≡ cb (mod m)且(c,m)=1（c与m互质），则a ≡ b (mod m)。‌‌
解决代码+详细计算过程

p = 105567001902149483225233801278030547652749833525571608392930512645364400245999
q = 81511997683966846473333390828680375856568631631277717336250575831122994340471
gift1 = 105419799642658114984760815640014033297217363704585842609128111376906603236722
gift2 = 81364795424475478232860405190663861501036161810291951552448174562665197331194
#根据模运算的基本性质：如果 a ≡ b (mod n)，那么 a² ≡ b² (mod n)
from Cryptodome.Util.number import *
print(gift1 == pow(gift1,1,p))
# >>> True
# 所以gift1² ≡ m^(q+1) (mod q)
# 继续用费马小定理：
# gift1² ≡ m^(q+1) (mod q)
#        ≡ m^q × m (mod q)
# 根据费马小定理：m^q ≡ m (mod q)（当 q 是素数时）
# gift1² ≡ m × m (mod q) ≡ m² (mod q)
# 实际上我们有：gift1^2 ≡ m^2 mod q ; gift2^2 ≡ m^2 mod p
# 这意味着：gift1^2 - m^2 ≡ 0 mod q  => q | (gift1^2 - m^2)
#          gift2^2 - m^2 ≡ 0 mod p  => p | (gift2^2 - m^2)
# 所以(gift1 - m)(gift1 + m) ≡ 0 mod q
#     (gift2 - m)(gift2 + m) ≡ 0 mod p
# 关键数学原理：在模素数的情况下，如果 a × b ≡ 0 mod p（其中 p 是素数），那么：
# 要么 a ≡ 0 mod p
# 要么 b ≡ 0 mod p
# 这是因为素数的一个重要性质：模素数的环是整环，没有零因子。
# 因此 m ≡ ±gift1 mod q ; m ≡ ±gift2 mod p
import math
print(math.gcd(p,q))
# >>> 1
# https://oi-wiki.org/math/number-theory/crt/#%E8%BF%87%E7%A8%8B

from sympy.ntheory.modular import crt

a = [-gift1,-gift2]
r = [p,q]

m = crt(r, a)[0]
flag = long_to_bytes(m)
print(flag.decode())

basic-RSA

在RAS笔记里学长给做过，考察inverse()函数的应用

hackbar

hackbar浏览器插件使用方法：先LOAD后Use POST method加载网页
直接URL后面添加，插件里添加后按EXECUTE执行
讲座后复刻，好像和学姐教的不一样？（但成功了~~后面问下
愚蠢，只需要下面部分，<?php>
第三关：浏览器身份挑战-要求：我要battlefield_six浏览器
直接更改User-Agent
要求：我要本地访问
解法：如图

super_baby_eval

网页

<?php
if(isset($_GET['eval']) && $_GET['eval'] === 'gogogo'){
    echo "666";
    if(isset($_POST['evalpost'])){
        eval($_POST['evalpost']);
    }
} else {
    show_source(__FILE__);
}
?>