http://game.enet.org.cn/

一.第一关(unescape解码）
第一关的网址是"http://vip.hackervip.com/exp/hackervip.html"用浏览器打开会发现需要验证。HTML验证大多是使用JAVASCRIPT函数escape()和unescape()进行编码加密的。查看看源代码，发现鼠标右键给屏蔽了，但是菜单是很难屏蔽的。在源代码中我看到了下面的验证函数：
function PassConfirm() {
var x=document.password.pass.value
if (x=="*") {
window.open("hackervip.html","_self") }
else {
window.open("hackervip.html","_self") }
}
</SCRIPT>

其中第一句的是提取password表单的pass的value来验证，下面有个表单<form name="password" method="post">，是用来迷惑破解者的，要注意上面还有帧语句！
<iframe src="*.htm"></iframe></noscript>
<frameset cols="*">
<frame src="e.htm">
</frameset>

打开e.htm源代码,会发现加密在这里完成！
<SCRIPT LANGUAGE="Javascript">
<!--
var Words ="%0A%3CSCRIPT%3E%0Afunction%20stop%28%29%7B%0Areturn%20false%3B%0A%7D%0Adocument.oncontextmenu%3Dstop%3B%0A%3C/SCRIPT%3E%0A%0A%3CSCRIPT%20language%3DJavaScript%3E%0A%3C%21--%0A%0Afunction%20SymError%28%29%0A%7B%0A%20%20return%20true%3B%0A%7D%0A%0Awindow.onerror%20%3D%20SymError%3B%0A%0A//--%3E%0A%3C/SCRIPT%3E%0A%0A%3CSCRIPT%20language%3DJavascript%3E%0A%0A%0A%0Afunction%20PassConfirm%28%29%20%7B%0A%0Avar%20x%3Ddocument.password.pass.value%3B%0A%0Aif%20%28x%3D%3D%22hackervip.com%u3000%22%29%20%7Balert%28%27%u606D%u559C%u8FC7%u5173%uFF0C%u8FDB%u5165%u7B2C%u4E8C%u5173%uFF01%27%29%3B%0A%0Awindow.open%28%22errror.html%22%2C%22_self%22%29%20%7D%0A%0Aelse%20%7Bdocument.password.pass.value%3D%27%27%3Breturn%20false%3B%0A%0Awindow.open%28%22error.htm%22%2C%22_self%22%29%20%7D%0A%0A%0A%7D%0A%3C/SCRIPT%3E%0A%0A%3Ccenter%3E%u3000%3Cp%3E%3Cfont%20color%3D%22%23ff0000%22%20size%3D%226%22%3E%u300E%u4E2D%u5B89%u7F51%u57F9%u300F%u9ED1%u5BA2%u6E38%u620F%u3000%3C/font%3E%3C/p%3E%0A%3Cp%3E%3Cfont%20color%3D%22%23ff0000%22%20size%3D%226%22%3E%3Ca%20href%3D%22http%3A//www.hackervip.com/%22%3E%0Ahttp%3A//www.hackervip.com%3C/a%3E%u3000%3C/font%3E%3C/p%3E%0A%3Cp%3E%3Cfont%20color%3D%22%2300ff00%22%20size%3D%225%22%3E%u7B2C%u4E00%u5173%3C/font%3E%3C/p%3E%0A%3Cp%3E%3Cfont%20color%3D%22%2300ff00%22%20size%3D%225%22%3E%uFF08%u9ED1%u5BA2%u6E38%u620F%u7F51%u9875%u5173%uFF09%uFF01%3C/font%3E%3C/p%3E%0A%3Cform%20name%3D%22password%22%20method%3D%22post%22%3E%0A%09%3Cfont%20color%3D%22%2300ff00%22%3E%3Cbr%3E%0A%09%u8981%u6C42%uFF1A%u8FDB%u5165%u7B2C%u4E8C%u5173%uFF01%3C/font%3E%0A%09%3Cp%3E%3Cbr%3E%0A%09%3Cfont%20size%3D%225%22%3E%3Cfont%20color%3D%22%23ff0000%22%3E%u8BF7%u8F93%u5165%u5BC6%u7801%3A%3C/font%3E%3Cbr%3E%0A%09%3C/font%3E%3Cbr%3E%0A%09%3Cinput%20type%3D%22password%22%20value%20name%3D%22pass%22%3E%20%3Cbr%3E%0A%09%3Cbr%3E%0A%09%3Cinput%20onclick%3D%22return%20PassConfirm%28%29%22%20type%3D%22button%22%20value%3D%22%u786E%u5B9A%22%3E%20%3C/p%3E%0A%3C/form%3E%0A%3C/center%3E%0A%3Cp%3E%u3000%3C/p%3E%0A%3Cp%20align%3D%22center%22%3E%3Cfont%20color%3D%22%23ff0000%22%20size%3D%224%22%3E%u8BBE%u8BA1%u8005%uFF1A%u4E2D%u5B89%u7F51%u57F9%0A%3Ca%20href%3D%22http%3A//www.hackervip.com%22%3Ehttp%3A//www.hackervip.com%3C/a%3E%3C/font%3E%3C/p%3E%0A%3Cp%20align%3D%22center%22%3E%u9ED1%u5BA2%u57F9%u8BAD%uFF0C%u5B89%u5168%u57F9%u8BAD%u95E8%u6237%u7F51%u7AD9%3C/p%3E%0A%0A"
function SetNewWords()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
}
SetNewWords();
</SCRIPT>

可以看出，上面的密文如是用javascript的escape()函数加的密。把上面Words的值提取出来解密。解密很简单用下面的语句就可以了：
<SCRIPT LANGUAGE="JavaScript">
var code=unescape(Words);
eval(code);
</SCRIPT>

网络上有许多现成的解密网页可以进行解密，解密后得到明文代码：
if (x=="hackervip.com　") %7B
alert('恭喜过关，进入第二关！');
window.open("errror.html"%2C"_self") }
else {document.password.pass.value='';return false;
window.open("error.htm","_self")

可以看出，密码是hackervip.com。第二关地址是errror.html。其实，利用社会工程就完全可以猜到密码的。

二.第二关（Script Encoder解码）
仍然是登陆验证！查看源代码，其中的加密部分如下：
<SCRIPT language = JScript.Encode>#@~^TgAAAA==@#@&0; mDkW PkOWa`b @#@&.nDED ~0mV/ I@#@&)@#@&NGm;h xORKUmKxOnXY:nU!'dYK2p@#@&cBcAAA==^#~@</SCRIPT><script language="JScript.Encode">#@~^dAAAAA==@#@&@!Z O@#@&@#@&0!UmDkGx,?zhADDK.`*@#@&P@#@&P,D Y;DU~DD;+p@#@&)@#@&@#@&hkU[Kh W nMDGMP{P?H:A.DKDI@#@&@#@&&JOO@*@#@&fxkAAA==^#~@</script>
<script language="JScript.Encode">#@~^4wAAAA==@#@&@#@&@#@&@#@&0!x1OkKx~nm/d/Kx0b.:v#PP@#@&@#@&\mD~tOh{NGm!h+ Y 2m//AGMN wmdkR-mV!+@#@&@#@&r0,`4Ys'xECeeCMeCeJ*~`@#@&@#@&hrx[GSRGw U`rL2LctYhEBJm/ s6Jb,8@#@&@#@&+^d+, @#@&@#@&Ar NWS Wa+xvEnDMWMR4YhEBJm/ s0r#~N@#@&@#@&@#@&8@#@&JjcAAA==^#~@</SCRIPT>

是使用Microsoft出品的脚本编码器Script Encoder来进行编码加密的，解密也十分简单，用tostring方法就应该可以完成。不过有专门的解密工具，解出来后得到的明文代码中的验证函数：
function PassConfirm() {
var htm=document.password.pass.value
if (htm=="********") {
window.open("jpg.htm","_self") }
else {
window.open("error.htm","_self") }
}
</SCRIPT>

过关口令是"********"，jpg.htm就是第三关的地址

三.第三关（网页源代码查看）
进入第三关，首先出现的是一个Javascript的input对话框。还是要分析源代码，但用浏览器很难做到。我以前编写过一个***集成工具，里面有查看网页代码的功能，用它得到网页的源代码：
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<script language="JavaScript">
<!--

function SymError()
{
return true;
}

window.onerror = SymError;
</script>
<SCRIPT LANGUAGE="JavaScript">
var username = "中安网培" ;
var username1 = "小鱼巫师" ;
var username2 = "myhk" ;
var username3 = "clygs" ;
var username4 = "hackervip.com/bbs" ;
var message1 = "请输入您的用户名";
var un = prompt (message1,"");
var password = "^#()@#$$$" ;
var password1 = "UE33355" ;
var password2 = "webmaster@hackervip.com" ;
var password3 = "http://www.hackervip.com" ;
var password4 = "http://vip.hackervip.com" ;
var message = "请输入密码";
var incmess = "用户名或密码错误";
var minimizemsg = "：）"
var pw = prompt (message,"");
if (un == username) {
if (pw != password) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username1) {
if (pw != password1) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }

}
if (un == username2) {
if (pw != password2) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username3) {
if (pw != password3) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un == username4) {
if (pw != password4) {
alert (incmess);
// window.content (
window.open("error.htm","_self") }
}
if (un != username) {
if (un != username1) {
if (un != username2) {
if (un != username3) {
if (un != username4) {
alert (incmess);
// window.content (
window.open("error.htm","_self")

}
}
}
}
}
//JavaScript ends ---------->

</SCRIPT>
<TITLE>中安网培***游戏　http://www.hackervip.com/第三关（网页关）！</TITLE>
</HEAD>
<noscript>
<iframe src="*.htm"></iframe></noscript>
<BODY bgcolor="#000000">
<meta http-equiv="refresh" content="0;url=error.htm">

<script language="JavaScript">
<!--

function SymError()
{
return true;
}
window.onerror = SymError;
//-->
</script>
<script language="JavaScript">
<!--
function SymError()
{
return true;
}

window.onerror = SymError;
//-->
</script>
<script language="Javascript">
function PassConfirm() {
var htm=document.password.pass.value
if (htm=="htm") {
window.open("3.14159265358979323846264.htm","_self") }
else {
window.open("error.htm","_self") }
}
</SCRIPT>
<center>
<p>　</p>
<p><font color="#FF0000" size="6">中安网培***游戏　</font></p>
<p><font color="#FF0000" size="6"><a href="http://www.hackervip.com/">http://www.hackervip.com/</a>　</font></p>
<p><font color="#00FF00" size="5">第三关</font></p>
<p><font color="#00FF00" size="5">（***游戏网页关）！</font></p>
<form name="password" method="post">
<font color="#00FF00">
<BR>
要求：进入第四关！</font><p><br>
<font size="5">
<font color="#FF0000">请输入密码:</font><br></font><br>
<input type="password" name="pass" size="20"> <BR><BR>
<input type="button" value="确定" onClick="return PassConfirm()"> </p>
</FORM>
</center>
<p>　</p>
<p align="center"><font size="4" color="#FF0000">设计者：中安网培
<a href="http://www.hackervip.com">http://www.hackervip.com</a></font></p>
<p align="center"><font size="4" color="#FF0000">***培训，安全培训门户网站</font></p>
<SCRIPT>
function stop(){
return false;
}
document.οncοntextmenu=stop;
</SCRIPT>
</BODY>
</HTML>

代码是明文的，得到第四关的地址是3.14159265358979323846264.htm。

四.第四关（构造页面）
还是登陆验证，看看代码，这回使用了自己的算法。看看他的验证函数：
function PassConfirm() {
var x=document.password.pass.value;
if (hackervip_compile(x)==unescape("%88%DF%D9%9E%96%C9%C4%CE%D0%D7%E8%DF%D9%9E%91%D2%DC%9C"))
{eval(''+he/*decodeIt("%u4E23%u9C0B%u9F73%uC7F7%uF5D5%uD691%uBD6F%u669C%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9");*/(unescape("%9F%CD%D1%D7%E6%9CO%u6094%uB609%uA4FC%uDF27%uE13A%u507F%u8EE7%uE140%uCC91%uC9C0%uA007%u5074%uFF28Pd%B2%E0%D7%D2%D3%E6%A5%9D%DF%D5%D3%96J%8F%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9%8ENN%81%D2%D8%D1%D2%88K")));
}
else {document.password.pass.value='';return false;
window.open("error.htm","_self") }
return false;
}

分析了一下他的代码，如果验证成功那么就会执行下面的语句：
eval(''+he/*decodeIt("%u4E23%u9C0B%u9F73%uC7F7%uF5D5%uD691%uBD6F%u669C%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9");*/(unescape("%9F%CD%D1%D7%E6%9CO%u6094%uB609%uA4FC%uDF27%uE13A%u507F%u8EE7%uE140%uCC91%uC9C0%uA007%u5074%uFF28Pd%B2%E0%D7%D2%D3%E6%A5%9D%DF%D5%D3%96J%8F%E6%D8%C7%C9%C4%CE%D0%D7%E8%DF%D9%9E%96%DC%E1%D9%8ENN%81%D2%D8%D1%D2%88K")));

既然如此，我们完全可以自己构造一个没有验证的页面，直接让它告诉我们下一关的地址！
最后得到第五关地址my_hackervip.html

五.第五关（算法和图片分析）
又是第三关那样的脚本input对话框。输入用户名hackervip.com/bbs密码http://vip.hackervip.com进入，接着页面验证。查看源代码发现同第四关基本相同，解法同第四关也是一样的。解密后结果得到“解密字符串cb4072ea4b3bd500a6322d得到下一关地址”的提示。要对这个字符串解密还是要分析代码，加密函数如下：
function encrypt(str, pwd) {
return str;
if(pwd == null || pwd.length <= 0) {
alert("Please enter a password with which to encrypt the message.");
return null;
}
var prand = "";
for(var i=0; i<pwd.length; i++) {
prand += pwd.charCodeAt(i).toString();
}
var sPos = Math.floor(prand.length / 5);
var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos*2) + prand.charAt(sPos*3) + prand.charAt(sPos*4) + prand.charAt(sPos*5));
var incr = Math.ceil(pwd.length / 2);
var modu = Math.pow(2, 31) - 1;
if(mult < 2) {
alert("Algorithm cannot find a suitable hash. Please choose a different password. \nPossible considerations are to choose a more complex or longer password.");
return null;
}
var salt = Math.round(Math.random() * 1000000000) % 100000000;
prand += salt;
while(prand.length > 10) {
prand = (parseInt(prand.substring(0, 10)) + parseInt(prand.substring(10, prand.length))).toString();
}
prand = (mult * prand + incr) % modu;
var enc_chr = "";
var enc_str = "";
for(var i=0; i<str.length; i++) {
enc_chr = parseInt(str.charCodeAt(i) ^ Math.floor((prand / modu) * 255));
if(enc_chr < 16) {
enc_str += "0" + enc_chr.toString(16);
} else enc_str += enc_chr.toString(16);
prand = (mult * prand + incr) % modu;
}
salt = salt.toString(16);
while(salt.length < 8)salt = "0" + salt;
enc_str += salt;
return enc_str;
}

是作者自己写的一个加密算法，分析了几个小时写出了一个解密页面,解出后得到的明文是vip.jpg。打开查看确实是个个图片。把图片下载到硬盘上用UE打开，在开头处看到了第六关的地址vip.html。

六.第六关（编码方式分析）
浏览vip.html,要求用户名和密码,输入前面得到的,成功进入，1秒后自动转到了错误页面。还是老办法看代码!看后发现yourip.ani这个文件相当可疑!下载回来用记事本打开发现又是加密或编码了的字符串：
5pS76Ziy5a6e6aqM5a6k55qE5Zyw5Z2A5bCx5pivaHR0cDovL2hhY2tlcnZpcC5teWRkbnMuY24NCuS4reWuiee9keWfuSDpu5HlrqLmuLjmiI8NCmh0dHA6Ly93d3cuaGFja2VydmlwLmNvbQ0K6buR5a6i5Z+56K6t77yM5a6J5YWo5Z+56K6t6Zeo5oi3572R56uZ

解密后应该就是通关提示了。