1
(Function: extracts the correctly formatted host from the parameter; it must match one of the 4 IPs shown in red)
?url=http://127.0.0.0/flag.php/
2
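Export the http/tcp protocol data directly, then decode the hex stream: HEX to characters, hexadecimal to characters (hex, gb2312, gbk, utf8, Chinese internal-code conversion) - The X online tools
key.ws refers to Whitespace:
Whitelips the Esoteric Language IDE
Then use SNOW steganography: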
.\SNOW.EXE -p XiAnWillBeSafe -C .\flag.txt
cazy{C4n_y0u_underSt4nd_th3_b0oK_With0ut_Str1ng}
3
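After removing the jnz junk instructions, it is plain TEA encryption with no modifications.
#include <cstdio>
#include <cstdint>

typedef uint32_t DWORD;  // 32-bit unsigned, same width as the Windows DWORD

// TEA over rounds1 64-bit blocks (two DWORDs each), rounds2 rounds per block.
// s = true encrypts in place, s = false decrypts in place.
void tea(DWORD *data, const DWORD *key, int rounds1 = 4, int rounds2 = 32, DWORD DELTA = 0x9e3779b9, bool s = false)
{
    DWORD l, r;
    DWORD sum;
    if (s) {
        for (int j = 0; j < rounds1 * 2; j = j + 2) {
            l = data[j];
            r = data[j + 1];
            sum = 0;
            for (int i = 0; i < rounds2; i++) {
                sum += DELTA;
                l += ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);
                r += ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);
            }
            data[j] = l;
            data[j + 1] = r;
        }
    } else {
        for (int j = 0; j < rounds1 * 2; j = j + 2) {
            l = data[j];
            r = data[j + 1];
            sum = rounds2 * DELTA;  // start from the final sum and run the rounds backwards
            for (int i = 0; i < rounds2; i++) {
                r -= ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);
                l -= ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);
                sum -= DELTA;
            }
            data[j] = l;
            data[j + 1] = r;
        }
    }
}

int main()
{
    // 128-bit key and 32 bytes of ciphertext recovered from the binary
    DWORD key[4] = {0xdfe3, 0x113e, 0x5897, 0x3654};
    DWORD enc[] = {0x85A6892D, 0xA177B6BD, 0x89422515, 0x159AE870, 0x5BC09E5D, 0xC13F293E, 0x25B7084F, 0xADB12A4C};
    DWORD DELTA = -0x61C88647;  // as a 32-bit unsigned value this is 0x9e3779b9
    tea(enc, key, 4, 32, DELTA, false);
    // Print the decrypted buffer byte by byte
    for (int i = 0; i < 32; i++) {
        printf("%c", ((char*)enc)[i]);
    }
    printf("\n");
    return 0;
}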
4
5.1 Aura-chan's Gift
First parameter: the content read from the file must be Aura (checked with file_get_contents)
data://text/plain;base64,QXVyYQ==
data://text/plain,Aura
Second parameter: the page is required to start with (strpos)
Use @ as a separator (everything before the @ is treated as the username)
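The strpos prefix check described above, next to a hardened form that compares the parsed URL components instead of the raw string. This is an added example, not code from the challenge; the prefix http://allowed.example and the sample URLs are constructed placeholders, since the page does not preserve the value the challenge required.

```php
<?php
declare(strict_types=1);

// Constructed placeholder: the real required prefix is not preserved on the page.
const REQUIRED_PREFIX = 'http://allowed.example';

// The check as the write-up describes it: a pure string test on the raw URL.
function prefix_check(string $url): bool
{
    return strpos($url, REQUIRED_PREFIX) === 0;
}

// Hardened form: parse the URL first, then compare the parsed components.
function host_check(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Reject any userinfo outright: the fetcher connects to the host after
    // the "@", so text before it must never count towards the match.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $allowed = parse_url(REQUIRED_PREFIX);
    return strtolower($parts['scheme']) === $allowed['scheme']
        && strtolower($parts['host']) === $allowed['host'];
}

// Constructed sample inputs: a legitimate URL, one carrying the prefix as
// userinfo, and a data:// wrapper URL like the one used for the first parameter.
$samples = [
    'http://allowed.example/index.php',
    'http://allowed.example@127.0.0.1/flag.php',
    'data://text/plain,Aura',
];
foreach ($samples as $url) {
    printf("%-45s prefix=%s parsed=%s\n", $url,
        var_export(prefix_check($url), true),
        var_export(host_check($url), true));
}
```

The fetch itself should then be made against the same parsed scheme and host that passed the check, not against the original string.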
5.2
Modify the JS code: change accept to exts:'php'