-
-
[原创]第二题 南冥神功 解题
-
发表于: 2021-5-11 18:27 4881
-
是10x9数列,IDA分析看样子要求对所有为0的字节填1就OK了,把数据列出来,分析每次仅能移动1行1列,可以斜着,最后发现路径如图,找路径都找了半天,不过非常有趣啊!
然后上python代码爆破:
发现结果GJ0V4LA4VKEVQZSVCNGJ00N
,还有另外一条路径见图,所以至少有两个值。
'''
一个char分两次操作
第1次值为5 - (index_in_string + index) %6
第2次值为(index + index_in_string / 6) % 6
{
0x53, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00,
0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00
};
'''
road
=
[[
0
,
1
], [
1
,
2
], [
2
,
1
], [
2
,
0
], [
3
,
0
], [
4
,
0
], [
4
,
1
],
[
5
,
2
], [
6
,
1
], [
6
,
0
], [
7
,
0
], [
8
,
0
],
[
8
,
1
], [
8
,
2
], [
7
,
3
], [
7
,
4
], [
8
,
4
], [
8
,
5
], [
7
,
6
],
[
6
,
6
], [
5
,
6
], [
4
,
6
], [
3
,
6
], [
3
,
5
], [
4
,
4
],
[
4
,
3
], [
3
,
3
], [
2
,
3
], [
1
,
3
], [
0
,
3
], [
0
,
4
], [
1
,
5
],
[
1
,
6
], [
0
,
6
], [
0
,
7
], [
1
,
8
], [
1
,
9
], [
2
,
9
],
[
3
,
9
], [
3
,
8
], [
4
,
7
], [
5
,
8
], [
6
,
8
], [
7
,
8
], [
8
,
8
], [
8
,
9
]]
string
=
b
'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
def
target_value(row, column, current_row):
target
=
0
if
row
=
=
0
:
if
column <
0
:
target
=
4
elif
column >
0
:
target
=
1
else
:
print
(
"error"
)
elif
row >
0
:
if
column >
0
:
target
=
2
elif
column <
0
:
target
=
3
else
:
# print("error1")
if
current_row &
1
=
=
0
:
target
=
2
else
:
target
=
3
elif
row <
0
:
if
column >
0
:
target
=
0
elif
column <
0
:
target
=
5
else
:
# print("error2")
if
current_row &
1
=
=
0
:
target
=
0
else
:
target
=
5
return
target
def
calc(r1, r2):
row
=
r2[
0
]
-
r1[
0
]
column
=
r2[
1
]
-
r1[
1
]
return
target_value(row, column, r2[
0
])
def
search_char(index, v1, v2):
for
index_in_string, s
in
enumerate
(string):
if
v1
=
=
(
5
-
(index_in_string
+
index)
%
6
):
if
v2
=
=
((index
+
index_in_string
/
/
6
)
%
6
):
return
chr
(s)
output
=
""
last
=
[
0
,
0
]
for
i
in
range
(
len
(road)
/
/
2
):
v1
=
calc(last, road[i
*
2
])
v2
=
calc(road[i
*
2
], road[i
*
2
+
1
])
last
=
road[i
*
2
+
1
]
output
+
=
search_char(i, v1, v2)
print
(output)
'''
一个char分两次操作
第1次值为5 - (index_in_string + index) %6
第2次值为(index + index_in_string / 6) % 6
{
0x53, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00,
0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00
};
'''
road
=
[[
0
,
1
], [
1
,
2
], [
2
,
1
], [
2
,
0
], [
3
,
0
], [
4
,
0
], [
4
,
1
],
[
5
,
2
], [
6
,
1
], [
6
,
0
], [
7
,
0
], [
8
,
0
],
[
8
,
1
], [
8
,
2
], [
7
,
3
], [
7
,
4
], [
8
,
4
], [
8
,
5
], [
7
,
6
],
[
6
,
6
], [
5
,
6
], [
4
,
6
], [
3
,
6
], [
3
,
5
], [
4
,
4
],
[
4
,
3
], [
3
,
3
], [
2
,
3
], [
1
,
3
], [
0
,
3
], [
0
,
4
], [
1
,
5
],
[
1
,
6
], [
0
,
6
], [
0
,
7
], [
1
,
8
], [
1
,
9
], [
2
,
9
],
[
3
,
9
], [
3
,
8
], [
4
,
7
], [
5
,
8
], [
6
,
8
], [
7
,
8
], [
8
,
8
], [
8
,
9
]]
string
=
b
'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
def
target_value(row, column, current_row):
target
=
0
if
row
=
=
0
:
if
column <
0
:
target
=
4
elif
column >
0
:
target
=
1
else
:
print
(
"error"
)
elif
row >
0
:
if
column >
0
:
target
=
2
elif
column <
0
:
[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!
最后于 2021-6-21 11:26
被lynnux编辑
,原因:
赞赏
他的文章
谁下载
无
看原图
赞赏
雪币:
留言: