这是什么b名字啊。。。

源码：

 <?php
highlight_file(__FILE__);
error_reporting(0);

include 'flag.php';
if (sizeof($_POST['len']) == sizeof($array)) {
  ys_open($_GET['tip']);
} else {
  die("错了！就你还想玩原神？❌❌❌");
}

function ys_open($tip) {
  if ($tip != "我要玩原神") {
    die("我不管，我要玩原神！😭😭😭");
  }
  dumpFlag();
}

function dumpFlag() {
  if (!isset($_POST['m']) || sizeof($_POST['m']) != 2) {
    die("可恶的QQ人！😡😡😡");
  }
  $a = $_POST['m'][0];
  $b = $_POST['m'][1];
  if(empty($a) || empty($b) || $a != "100%" || $b != "love100%" . md5($a)) {
    die("某站崩了？肯定是某忽悠干的！😡😡😡");
  }
  include 'flag.php';
  $flag[] = array();
  for ($ii = 0;$ii < sizeof($array);$ii++) {
    $flag[$ii] = md5(ord($array[$ii]) ^ $ii);
  }
  
  echo json_encode($flag);
}

我们要突破三个难关：

第一个：

if (sizeof($_POST['len']) == sizeof($array)) {
  ys_open($_GET['tip']);
} else {
  die("错了！就你还想玩原神？❌❌❌");
}

最开始我知道要比较长度，可是不知道怎么构造

1 2	写成：len=1111111.....❌ len[]=0&len[]=1&len[]=2&len[]=3&len[]=4.... 正确

一个一个试试看：

1
2

试出：一共有45个（这居然是最难的部分吗啊喂！！！）
len[]=0&len[]=1&len[]=2&len[]=3&len[]=4&len[]=5&len[]=6&len[]=7&len[]=8&len[]=9&len[]=10&len[]=11&len[]=12&len[]=13&len[]=14&len[]=15&len[]=16&len[]=17&len[]=18&len[]=19&len[]=20&len[]=21&len[]=22&len[]=23&len[]=24&len[]=25&len[]=26&len[]=27&len[]=28&len[]=29&len[]=30&len[]=31&len[]=32&len[]=33&len[]=34&len[]=35&len[]=36&len[]=37&len[]=38&len[]=39&len[]=40&len[]=41&len[]=42&len[]=43&len[]=44

第二个：

function dumpFlag() {
  if (!isset($_POST['m']) || sizeof($_POST['m']) != 2) {
    die("可恶的QQ人！😡😡😡");
  }

只要：

1	m != 0且m = 2

第三个：

$a = $_POST['m'][0];
$b = $_POST['m'][1];
if(empty($a) || empty($b) || $a != "100%" || $b != "love100%" . md5($a)) {
die("某站崩了？肯定是某忽悠干的！😡😡😡");

这个只要把值赋值给m就行了

最终payload：

GET:
http://gz.imxbt.cn:20994/?tip=我要玩原神
POST:
len[]=0&len[]=1&len[]=2&len[]=3&len[]=4&len[]=5&len[]=6&len[]=7&len[]=8&len[]=9&len[]=10&len[]=11&len[]=12&len[]=13&len[]=14&len[]=15&len[]=16&len[]=17&len[]=18&len[]=19&len[]=20&len[]=21&len[]=22&len[]=23&len[]=24&len[]=25&len[]=26&len[]=27&len[]=28&len[]=29&len[]=30&len[]=31&len[]=32&len[]=33&len[]=34&len[]=35&len[]=36&len[]=37&len[]=38&len[]=39&len[]=40&len[]=41&len[]=42&len[]=43&len[]=44&m[0]=100%&m[1]=love100%30bd7ce7de206924302499f197c7a966

没想到，还有一关：

爆出来了：
["3295c76acbf4caaed33c36b1b5fc2cb1","26657d5ff9020d2abefe558796b99584","73278a4a86960eeb576a8fd4c9ec6997","ec8956637a99787bd197eacd77acce5e","e2c420d928d4bf8ce0ff2ec19b371514","43ec517d68b6edd3015b3edc9a11367b","ea5d2f1c4608232e07d3aa3d998e5135","c8ffe9a587b126f152ed3d89a146b445","5f93f983524def3dca464469d2cf9f3e","66f041e16a60928b05a7e228a89c3799","a3c65c2974270fd093ee8a9bf8ae7d0b","f0935e4cd5920aa6c7c996a5ee53a70f","c9e1074f5b3f9fc8ea15d152add07294","65b9eea6e1cc6bb9f0cd2a47751a186f","03afdbd66e7929b125f8597834fa83a4","72b32a1f754ba1c09b3695e0cb6cde7f","7f39f8317fbdb1988ef4c628eba02591","d67d8ab4f4c10bf22aa353e27879133c","19ca14e7ea6328a42e0eb13d585e4c22","73278a4a86960eeb576a8fd4c9ec6997","e369853df766fa44e1ed0ff613f563bd","9f61408e3afb633e50cdf1b20de6f466","e369853df766fa44e1ed0ff613f563bd","eb160de1de89d9058fcb0b968dbbbd68","c8ffe9a587b126f152ed3d89a146b445","182be0c5cdcd5072bb1864cdee4d3d6e","b53b3a3d6ab90ce0268229151c9bde11","4c56ff4ce4aaf9573aa5dff913df997a","a5bfc9e07964f8dddeb95fc584cd965d","6c8349cc7260ae62e3b1396831a8398f","67c6a1e7ce56d3d6fa748ab6d9af3fd7","c0c7c76d30bd3dcaefc96f40275bdc0a","6f4922f45568161a8cdf4ad2299f6d23","b6d767d2f8ed5d21a44b0e5886680cb9","7cbbc409ec990f19c78c75bd1e06f215","1f0e3dad99908345f7439f8ffabdffc4","ea5d2f1c4608232e07d3aa3d998e5135","1f0e3dad99908345f7439f8ffabdffc4","c16a5320fa475530d9583c34fd356ef5","735b90b4568125ed6c3f678819b6e058","fbd7939d674997cdb4692d34de8633c4","d09bf41544a3365a46c9077ebb5e35c3","02e74f10e0327ad868d138f2b4fdd6f0","32bb90e8976aab5298d5da10fe66f21d","43ec517d68b6edd3015b3edc9a11367b"]

                                     这tm是什么？

练习这个：
$flag[] = array();
  for ($ii = 0;$ii < sizeof($array);$ii++) {
    $flag[$ii] = md5(ord($array[$ii]) ^ $ii);
  }
我。。该怎么做？

问了ai，才知道，这玩意被分成一块一块的MD5加密了

使用脚本爆破：

import hashlib

# 替换为你的哈希数组
hash_list = [
    "3295c76acbf4caaed33c36b1b5fc2cb1",
    "26657d5ff9020d2abefe558796b99584",
    "73278a4a86960eeb576a8fd4c9ec6997",
    "ec8956637a99787bd197eacd77acce5e",
    "e2c420d928d4bf8ce0ff2ec19b371514",
    "43ec517d68b6edd3015b3edc9a11367b",
    "ea5d2f1c4608232e07d3aa3d998e5135",
    "c8ffe9a587b126f152ed3d89a146b445",
    "5f93f983524def3dca464469d2cf9f3e",
    "66f041e16a60928b05a7e228a89c3799",
    "a3c65c2974270fd093ee8a9bf8ae7d0b",
    "f0935e4cd5920aa6c7c996a5ee53a70f",
    "c9e1074f5b3f9fc8ea15d152add07294",
    "65b9eea6e1cc6bb9f0cd2a47751a186f",
    "03afdbd66e7929b125f8597834fa83a4",
    "72b32a1f754ba1c09b3695e0cb6cde7f",
    "7f39f8317fbdb1988ef4c628eba02591",
    "d67d8ab4f4c10bf22aa353e27879133c",
    "19ca14e7ea6328a42e0eb13d585e4c22",
    "73278a4a86960eeb576a8fd4c9ec6997",
    "e369853df766fa44e1ed0ff613f563bd",
    "9f61408e3afb633e50cdf1b20de6f466",
    "e369853df766fa44e1ed0ff613f563bd",
    "eb160de1de89d9058fcb0b968dbbbd68",
    "c8ffe9a587b126f152ed3d89a146b445",
    "182be0c5cdcd5072bb1864cdee4d3d6e",
    "b53b3a3d6ab90ce0268229151c9bde11",
    "4c56ff4ce4aaf9573aa5dff913df997a",
    "a5bfc9e07964f8dddeb95fc584cd965d",
    "6c8349cc7260ae62e3b1396831a8398f",
    "67c6a1e7ce56d3d6fa748ab6d9af3fd7",
    "c0c7c76d30bd3dcaefc96f40275bdc0a",
    "6f4922f45568161a8cdf4ad2299f6d23",
    "b6d767d2f8ed5d21a44b0e5886680cb9",
    "7cbbc409ec990f19c78c75bd1e06f215",
    "1f0e3dad99908345f7439f8ffabdffc4",
    "ea5d2f1c4608232e07d3aa3d998e5135",
    "1f0e3dad99908345f7439f8ffabdffc4",
    "c16a5320fa475530d9583c34fd356ef5",
    "735b90b4568125ed6c3f678819b6e058",
    "fbd7939d674997cdb4692d34de8633c4",
    "d09bf41544a3365a46c9077ebb5e35c3",
    "02e74f10e0327ad868d138f2b4fdd6f0",
    "32bb90e8976aab5298d5da10fe66f21d",
    "43ec517d68b6edd3015b3edc9a11367b"
]

flag = []

for ii, target_hash in enumerate(hash_list):
    for c_ord in range(32, 127):  # 尝试可打印字符
        xor_result = c_ord ^ ii
        current_hash = hashlib.md5(str(xor_result).encode()).hexdigest()
        if current_hash == target_hash:
            flag.append(chr(c_ord))
            break

print("".join(flag))

得到最终flag。