Add all remaining ones and edit readme

Author: HarukaMa

Diff for: README.md

@@ -72,6 +72,7 @@
 | [Hykilpikonna](players/Hykilpikonna/) | | (随便写写啦w) 来自未来的信笺, 狗狗银行, 超基础的数理模拟器, 超精巧的数字论证器, 超迷你的挖矿模拟器 |
 | [met](https://github.com/MetLee/hackergame2020-writeups) | 75名的菜鸡化学僧 | 签到, 猫咪问答++, 2048, 一闪而过的 Flag, 从零开始的记账工具人, 超简单的世界模拟器, 自我复读的复读机, ~~233 的字符串工具, 233 同学的 Docker, 来自一教的图片, 超简陋的 OpenGL 小程序, 生活在博弈树上-1, 狗狗银行, 超基础的数理模拟器~~, 超精巧的数字论证器, ~~不经意传输-1~~ （施工中） |
 | [WEGFan](players/WEGFan/) | | 超简陋的 OpenGL 小程序 |
+| [はるか](players/Haruka) | 思路分享 | 2048, 233 同学的 Docker, Flag 计算机, 签到, 狗狗银行, 超简陋的 OpenGL 小程序, 猫咪问答++, 一闪而过的 Flag, 从零开始的 HTTP 链接, 室友的加密硬盘, 来自一教的图片, 来自未来的信笺, 生活在博弈树上, 动态链接库检查器, 超基础的数理模拟器, 从零开始的记账工具人, 超精准的宇宙射线模拟器 |
 
 ## 其他资源
 

Diff for: players/Haruka/2048/readme.md

@@ -0,0 +1,40 @@
+# 2048
+
+好熟悉啊，但我真的不会玩 2048，还是右键看一下游戏代码好了。
+
+看了一圈代码，发现游戏胜利之后执行的逻辑代码在 `static/js/html_actuator.js` 中：
+
+```js
+HTMLActuator.prototype.message = function (won) {
+  var type    = won ? "game-won" : "game-over";
+  var message = won ? "FLXG 大成功！" : "FLXG 永不放弃！";
+
+  var url;
+  if (won) {
+    url = "/getflxg?my_favorite_fruit=" + ('b'+'a'+ +'a'+'a').toLowerCase();
+  } else {
+    url = "/getflxg?my_favorite_fruit=";
+  }
+
+  let request = new XMLHttpRequest();
+  request.open('GET', url);
+  request.responseType = 'text';
+
+  request.onload = function() {
+    document.getElementById("game-message-extra").innerHTML = request.response;
+  };
+
+  request.send();
+
+  this.messageContainer.classList.add(type);
+  this.messageContainer.getElementsByTagName("p")[0].textContent = message;
+
+  this.clearContainer(this.sharingContainer);
+  this.sharingContainer.appendChild(this.scoreTweetButton());
+  twttr.widgets.load();
+};
+```
+
+看来是经典 js 字符串拼接，于是 `'b'+'a'+ +'a'+'a'` 会变成 `"baNaNa"`（直接粘贴到下面 console 里回车也能给出来），那么直接请求 `/getflxg?my_favorite_fruit=banana` 就可以看到 flag。（这里略微 cheese 了一下，因为后端并没有验证参数大小写所以小写香蕉也可以
+
+（……果然这道题的 flag 格式还是变成了 `废理兴工{...}`

Diff for: players/Haruka/233 同学的 Docker/readme.md

@@ -0,0 +1,18 @@
+# 233 同学的 Docker
+
+首先先打开提供的 [docker hub 链接](https://hub.docker.com/layers/8b8d3c8324c7/stringtool)，看看镜像的命令列表：
+
+![image](https://user-images.githubusercontent.com/861659/98470501-58938b00-2229-11eb-8ad0-b18bcbf6928d.png)
+
+看来在 27 行产生的 layer 里是有这个 flag.txt 的，但是 docker 并不能把单独的 layer 变成 image 来直接运行。不过既然他是单独的 layer，那么在 `/var/lib/docker/overlay2` 里就会有单独的存储。于是找一台机器 pull 下来 image 然后直接：
+
+```
+# root @ raw in /var/lib/docker/overlay2 [1:19:43] C:1
+$ find . -name flag.txt
+./a157ba22c673b129100e1ce354675310999907a6aa3d401182d6096a2f78c76d/diff/code/flag.txt
+./fbb84b65568eda68e1fe72399e28de06eace16524cc8603cf8b96b6a0c84a0ab/diff/code/flag.txt
+```
+
+于是打开文件就能看到 flag 内容了。
+
+（顺便这个 flag 的内容好尬啊……

Diff for: players/Haruka/Flag 计算机/dosflag.py

@@ -0,0 +1,93 @@
+from copy import deepcopy
+
+
+data_345c = 0
+data_3404 = 0
+
+# data_3420 = [
+#     0x7E0AD9FC, 0x7F0FB626, 0x7E0BD9FC, 0x7F0FB63D, 0x7E0CD9FC,
+#     0x7F0FB634, 0x7E0EDD23, 0x7F0FB632, 0x7F0EB637, 0x7F0FB607,
+#     0x7E06C6B1, 0x7F0FB636, 0x7FF0C6B1, 0x7F0FB636, 0x7E0DC6B1,
+# ]
+
+data_3420 = [0] * 15
+
+data_2920 = [
+    0x5075, 0x4AC5, 0x724A, 0x458C, 0x7194, 0x704A, 0x613A, 0x7133, 0x6654, 0x7C59,
+    0x6800, 0x60C6, 0x49E4, 0x7164, 0x5DE1, 0x5981, 0x5B8C, 0x6496, 0x67AB, 0x5494,
+    0x7A40, 0x57AE, 0x407A, 0x55BD, 0x58E9, 0x760D, 0x7325, 0x73B1, 0x4071, 0x59EE,
+    0x5A8B, 0x783D, 0x5D45, 0x71F3, 0x7BB1, 0x67A6, 0x7D9F, 0x5837, 0x6B85, 0x7024,
+    0x79F0, 0x4306, 0x7CF4, 0x7DBE, 0x5CC3, 0x5318, 0x531E, 0x6097, 0x7520, 0x62D7,
+    0x5B95, 0x5A4F, 0x5A73, 0x66EA, 0x6715, 0x781B, 0x7114, 0x7ABA, 0x534B, 0x7C0E,
+    0x78BF, 0x4966, 0x5340, 0x620B, 0x574C, 0x6341, 0x72AD, 0x56A4, 0x5C24, 0x707A,
+    0x46D5, 0x6418, 0x55D4, 0x5B69, 0x60F5, 0x7A89, 0x6263, 0x7B1D, 0x4D80, 0x70A4,
+    0x513A, 0x4F0F, 0x5FCB, 0x785E, 0x5DD0, 0x4622, 0x52EB, 0x4133, 0x7652, 0x5B5F,
+    0x5002, 0x60F6, 0x7CE0, 0x77BB, 0x6D04, 0x58A2, 0x789B, 0x791B, 0x7C03, 0x4E0A,
+    0x638A, 0x4883, 0x75BF, 0x6C8C, 0x6822, 0x66B7, 0x5ACC, 0x69CE, 0x6758, 0x5EBB,
+    0x6FE7, 0x58FF, 0x6B44, 0x4AF3, 0x5AD4, 0x5E0E, 0x4B03, 0x668B, 0x46C1, 0x4C56,
+    0x5FD5, 0x411A, 0x5DE6, 0x7FE8, 0x6FFE, 0x76E6, 0x670B, 0x489F, 0x759D, 0x678D,
+    0x51D3, 0x6C30, 0x59A1, 0x6B96, 0x7D80, 0x6348, 0x54AB, 0x4BBD, 0x69CD, 0x72C4,
+    0x4EC3, 0x526E, 0x78D8, 0x788E, 0x4736, 0x5590, 0x422A, 0x40C3, 0x50A1, 0x6B9F,
+    0x58D4, 0x605A, 0x41C4, 0x5B0A, 0x6C0D, 0x678A, 0x6FCF, 0x7478, 0x4EC6, 0x72DD,
+    0x5DAE, 0x755E, 0x4BA5, 0x615E, 0x4A55, 0x7EC0, 0x449F, 0x4304, 0x48F6, 0x6FB2,
+    0x4D39, 0x6FD7, 0x64A9, 0x7A4D, 0x5F89, 0x77A1, 0x5541, 0x7473, 0x42D8, 0x7A8A,
+    0x6301, 0x5F0D, 0x5DC5, 0x7B76, 0x78DE, 0x53C1, 0x7787, 0x596E, 0x465F, 0x4E1A,
+    0x6CFD, 0x68F4, 0x55BC, 0x6BDE, 0x5B99, 0x5329, 0x4C84, 0x4DF3, 0x6DE5, 0x4138,
+    0x7B15, 0x666B, 0x4DEA, 0x6CF7, 0x7058, 0x6F83, 0x6E9B, 0x40E6, 0x6596, 0x42E9,
+    0x60C1, 0x6020, 0x4532, 0x4512, 0x4864, 0x44BD, 0x723F, 0x7075, 0x6983, 0x7491,
+    0x7F80, 0x4464, 0x6C0E, 0x5BFC, 0x734A,
+]
+
+data_33c0 = [
+    0x00DD, 0xBFB6, 0x3094, 0x99FF, 0xAC7C, 0x63B9, 0x56A3, 0x2A9A, 0x3DDF, 0x6A1D,
+    0xB289, 0xD716, 0xE29D, 0x1BA9, 0x37E4, 0x0088, 0xBFA8, 0x30C1, 0x99EC, 0xAC36,
+    0x63B0, 0x56F7, 0x2AB1, 0x3DCA, 0x6A08, 0xB2CE, 0xD705, 0xE2F1, 0x1BF4, 0x37E9,
+]
+# data_33c0 = [0] * 30
+# data_33c0 = [
+#                     0x55aa, 0x55aa, 0xddaa, 0xdd77, 0xdd77, 0xdd77,
+#     0xdd77, 0xdd77, 0xdd77, 0xdd77, 0x1877, 0x1818, 0x1818, 0x1818,
+#     0x1818, 0x1818, 0x1818, 0x1818, 0x1818, 0x1818, 0x1818, 0x1818,
+#     0x18f8, 0x1818, 0x1818, 0x1818, 0x1818, 0x0030, 0x3810, 0xc66c,
+# ]
+
+def try_time(time):
+    global data_345c, data_3404
+    data_345c = time
+    data_3404 = 0x41c64e6d
+
+def sub_1012():
+    global data_3404
+    data_3404 = (data_3404 * data_345c + 12345678) & 0xffffffff
+    return data_3404
+
+def main():
+    count = 0
+    for time in range(58379):
+        result = [0] * 15
+        # time = 0x25b3
+        try_time(time)
+        try_data_3420 = deepcopy(data_3420)
+        for i in range(15):
+            result[i] = sub_1012()
+        for i in range(15):
+            for j in range(15):
+                try_data_3420[i] = (try_data_3420[i] + (result[j] * data_2920[i * 15 + j]) & 0xffff) & 0xffff
+        flag = bytearray()
+        flag2 = bytearray()
+        for i in range(30):
+            # flag.append((try_data_3420[i % 15]) & 0xff)
+            flag.append((try_data_3420[i % 15] ^ data_33c0[i]) & 0xff)
+        t = bytearray()
+        for i in try_data_3420:
+            t.append(i & 0xff)
+            t.append((i >> 8) & 0xff)
+        if b"flag" in flag:
+            print(time)
+            print(flag)
+            count += 1
+    print(count)
+    pass
+
+if __name__ == '__main__':
+    main()

Diff for: players/Haruka/Flag 计算机/get_flag_system_1.c

@@ -0,0 +1,185 @@
+#include <stdlib.h>
+#include <string.h>
+
+int VGA_256 = 0x13;
+int TEXT_80_25 = 0x3;
+
+uint8_t vga_mem[200][320];
+
+// ds = cs - 0010
+// naked literal pointers are ds
+
+typedef struct {
+    short x;
+    short y;
+} Coord;
+
+typedef struct {
+    union {
+        struct {
+            uint8_t hour;
+            uint8_t minute;
+            uint8_t second;
+            uint8_t ss;
+        };
+        uint32_t value;
+    };
+} Time;
+
+void set_video_mode_vga() {
+    set_video_mode(VGA_256);
+}
+
+void set_video_mode_text() {
+    set_video_mode(TEXT_80_25);
+}
+
+void remove_screen_with_color(int color) {
+    memset(vga_mem, color & 0xff, 64000); // 320x200
+}
+
+void wait_vsync() {
+    uint8_t status;
+    do {
+        status = get_vga_status();
+    } while (status & 8); // vsync pulse
+    do {
+        status = get_vga_status();
+    } while (!(status & 8));
+}
+
+short _strlen(char *a1) {
+    return strlen(a1);
+}
+
+short get_centered_x_coord(int len) {
+/*  eax = 0x35 - a1 & 0xffff;
+    edx = (unsigned int)eax >> 31;
+    eax += edx;
+    eax >>= 1;
+    edx = eax;
+    eax <<= 1;
+    eax += edx;
+    eax <<= 1;
+    return eax; */
+    return 6 * ((uint16_t)(0x35 - len) / 2);
+}
+
+int sub_057c(uint8_t ch, int a2) {
+    if (ch == ' ') {
+        return 0;
+    }
+    int tmp = a2 + ch * 7 - 0x1c7;
+    int res = *((char *)0x2d00 + tmp) - 'A';
+    res = *((char *)0x2ce0 + tmp) - 'A';
+    return res;
+}
+
+void paint_coord(Coord coord, uint8_t color) {
+    if (coord.x < 0 || coord.x >= 320) {
+        return;
+    }
+    if (coord.y < 0 || coord.y >= 200) {
+        return;
+    }
+    vga_mem[coord.y][coord.x] = color;
+}
+
+void paint_line(Coord anchor, uint8_t color, char *data) {
+    int i, col, ch, v5, x, y;
+    Coord coord;
+    for (int line = 0; line <= 6; line ++) {
+        for (i = 0; data[i]; i ++) {
+            char ch = data[i];
+            v5 = sub_057c(ch, line);
+            for (col = 0; col <= 4; col ++) {
+                if (!((v5 >> (col & 0xff)) & 1)) {
+                    continue;
+                }
+                x = i * 6 + anchor.x - col + 4;
+                y = line + anchor.y;
+                coord.x = x;
+                coord.y = y;
+                paint_coord(coord, color);
+            }
+        }
+    }
+}
+
+void sleep(int time) {
+    system_wait(time >> 16, time & 0x16);
+}
+
+void _wait() {
+    for (short v1 = 0; v1 <= 14; v1 ++) {
+        sleep(800);
+    }
+
+}
+
+Time get_current_time() {
+    return *(Time *)dos_get_current_time(); // fake signature!
+}
+
+void init_time() {
+    Time time = get_current_time();
+    *(uint32_t *)0x345c = time.value % 58379;
+    *(uint32_t *)0x3404 = 0x41c64e6d;
+}
+
+int sub_1012() {
+    *(uint32_t *)0x3404 = *(uint32_t *)0x3404 * *(uint32_t *)0x345c + 12345678;
+    return *(uint32_t *)0x3404;
+} 
+
+int main() {
+    set_video_mode_vga();
+    remove_screen_with_color(0x11); // 01 gray
+    wait_vsync();
+    short len = _strlen((char *)0x2e04);
+    short res2 = get_centered_x_coord((int)len);
+    Coord coord = { .x = res2, .y = 0xe };
+    paint_line(coord, 5, (char *)0x2e04);
+    // painting first circle
+    _wait();
+    remove_screen_with_color(0x11);
+    init_time();
+    uint32_t result[15] = { 0 };
+    for (int v1 = 0; v1 <= 14; v1 ++) {
+        result[v1] = sub_1012();
+    }
+    for (int v2 = 0; v2 <= 14; v2 ++) {
+        for (int v3 = 0; v3 <= 14; v3 ++) {
+            ((uint32_t *)0x3420)[v2] = (
+                ((uint32_t *)0x3420)[v2] + (
+                    result[v3] * ((uint32_t *)0x2920)[v3 + v2 * 15]
+                ) & 0xffff
+            ) & 0xffff;
+            remove_screen_with_color(0x11);
+            // paint progress
+            for (int v4 = 0; v4 < 0xff; v4 ++) {
+                // waste time
+            }
+        }
+    }
+    remove_screen_with_color(0x11);
+    // paint progress again
+    for (int v5 = 0; v5 < 0xff; v5 ++) {
+        for (int v6 = 0; v6 < 160; v6 ++) {
+            // really empty
+        }
+    }
+    _wait();
+    set_video_mode_text();
+    dos_print_string(); // ending messages
+
+    short v148[30];
+    memcpy(&v148, 0x33c0, 30 * 2);
+    
+    char flag[30];
+    for (short v7 = 0; v7 < 30; v7++) {
+        flag[v7] = (((uint32_t *)0x3420)[v7 % 15] ^ v148[v7]) & 0xff;
+    }
+    dos_print_string(flag);
+
+}