NetEase Youdao Nanti PWND! [Spoiler]

Saw an interesting puzzle. Blogging about it in English is not zhuangbility, but to keep n00bs from finding solutions too easily via search engines.

  1. Sniff
  2. No packets transferred when clicking 'submit', so all answers must be downloaded somewhere to the client
  3. Firebug analyze URL requests & responses
  4. Decompiled all .swf files, nothing found
  5. Found it's using PHP-RPC
  6. Tried phprpc-python but didn't work
  7. Worked out puzzle 2; the answer is bomb
  8. Dumped all browser memory
  9. Search for keyword bomb
  10. Got all answers to 15 questions
  11. Copy, paste & submit all the right answers, but nothing happened, so just blogging about it http://initiative.yo2.cn/archives/639837
  12. ???
  13. Profit!

Youdao actually used PHPRPC to encrypt all the answers. Hmph. No encryption can withstand the great art of the memory dump.

So, here are the answers:

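Spoilers below; if you lose the fun of the game, that's on you. If you haven't tried thinking it through yourself, keep your hands off and go sign up for the real TopCoder contest instead: http://www.youdao.com/nanti/apply.php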


<?xml version="1.0" encoding="utf-8" ?>
<data radius="220" a="320" b="170" skey="youdao">
<question src="questions/q1oioqzvveoalz.fa.swf" answer="o" lowcase="true" visible="true">一样的人物</question>
<question src="questions/q80afzfdqrezxc0-rwq.f0.swf" answer="bomb" lowcase="true" visible="true">湖边的回忆</question>
<question src="questions/q4098azvhlaql.f-fq53.swf" answer="0441" visible="true">危险之地</question>
<question src="questions/q3zlllweafl342laozl.swf" answer="@($" visible="true" locked="true">火星文</question>
<question src="questions/q5zpaqa.eop2-f-qe4.swf" answer="也可能" visible="true" locked="true">博客中的线索</question>
<question src="questions/q6pkltix.04.-af.swf" answer="本机地址" visible="true" locked="true">IT码农的留言</question>
<question src="questions/q70a9fdalqrexc65o.vz.swf" answer="search engine" lowcase="true" visible="true" locked="true">曲径通幽</question>
<question src="questions/q909qalzxovaltazt-fq.fq.swf" answer="为" visible="true" locked="true">手机词典的帮助</question>
<question src="questions/q10090zvalzp-f.4.swf" answer="3624087915" visible="true" locked="true">古诗中的数字</question>
<question src="questions/q2098alzraz.5.ao.swf" answer="12355331" visible="true" locked="true">彩铃包月</question>
<question src="questions/q1109zgflqre0f-aw.w2.swf" answer="2月18日||二月十八日" visible="true" locked="true">和智玲的聊天</question>
<question src="questions/q120z0fda2r.z0f-a2.swf" answer="cctv" lowcase="true" visible="true" locked="true">黑客是怎样炼成的</question>
<question src="questions/q13-zf0w2rzlf0.f43.swf" answer="圆周率||祖冲之" visible="true" open="15" locked="true">Morse的登录</question>
<question src="questions/q1409falz-fa.2aof.swf" answer="0731-5310163" visible="true" locked="true">错误的号码</question>
<question src="questions/q160z-af.4er0zafwe.swf" answer="LOVE" visible="true" locked="true">数学之美</question>
<question src="questions/q170z.gzzf-32zflgpqert.swf" answer="ONLMK" lowcase="true" visible="false">残破的画卷</question>
</data>

Seems that there's even a hidden puzzle: http://www.youdao.com/nanti/mi/questions/q170z.gzzf-32zflgpqert.swf but I haven't figured out how to invoke it (yet). Perhaps using some .swf hook :D
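The fix for the design flaw above is to never ship the `answer` attribute (or `visible="false"` entries) to the client and to check submissions on the server. This is an added sketch, not Youdao's code and not part of the original post. The sample config is constructed, and it assumes `||` separates accepted alternatives and `lowcase="true"` means case-insensitive matching; `SERVER_KEY`, `build` and `check` are hypothetical names.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the same schema as the dumped config (all values are made up).
CONFIG = """<data skey="demo">
<question src="questions/a.swf" answer="Bomb" lowcase="true" visible="true">Q1</question>
<question src="questions/b.swf" answer="Feb 18||02-18" visible="true" locked="true">Q2</question>
<question src="questions/c.swf" answer="XYZ" lowcase="true" visible="false">Q3</question>
</data>"""

SERVER_KEY = b"server-side-secret-never-shipped"  # assumption: exists only on the server


def _norm(text, lowcase):
    text = text.strip()
    return text.lower() if lowcase else text


def _tag(text):
    return hmac.new(SERVER_KEY, text.encode("utf-8"), hashlib.sha256).digest()


def build(config_xml):
    """Split the config into a client-safe manifest and a server-only answer table."""
    manifest, table = [], {}
    for q in ET.fromstring(config_xml).iter("question"):
        attrs = dict(q.attrib)
        lowcase = attrs.get("lowcase") == "true"
        answers = attrs.pop("answer").split("||")  # assumed: "||" separates alternatives
        table[attrs["src"]] = (lowcase, [_tag(_norm(a, lowcase)) for a in answers])
        if attrs.get("visible") != "false":  # hidden puzzles are not advertised at all
            manifest.append(attrs)  # no answer attribute ever reaches the client
    return manifest, table


def check(table, src, submitted):
    """Server-side check: the client only ever learns True or False."""
    if src not in table:
        return False
    lowcase, tags = table[src]
    candidate = _tag(_norm(submitted, lowcase))
    # Evaluate every alternative (list, not generator) so timing does not show which one matched.
    return any([hmac.compare_digest(candidate, t) for t in tags])


MANIFEST, TABLE = build(CONFIG)
```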

Please credit the source when reposting: http://initiative.yo2.cn/archives/639837
