# KCTF
## 南冥神功
.data:004B7040 a0123456789abcd db '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ',0
map1 = [0x0, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00]
for y in range(9):
line = ''
for x in range(10):
if theMap[y * 10 + x] == 0:
line = line + "."
else:
line = line + "#"
print(line)
..#..#..##
##..#..#..
..#.#####.
.##.#..#..
..#..#..##
##.###.#.#
..####.#.#
.##..#.#.#
...#..##..
loc_4B3DC5: ; what is ecx
mov eax, ecx
0 => 0
1 => 1
2 => 2
9 => 9
'A' => 0xA
'F' => 0xF
alpha = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
i_1 => alpha.index(flag[flagPos])
v8 = i_1 + flagPos;
v10 = 5 - v8 % 6;
switch ( v10 )
case 1:
x = x + 1
case 4:
x = x - 1
case 2:
如果 y 为偶数, x = x + 1
y = y + 1
default:
如果 y 为偶数, x = x + 1
y = y - 1
case 3:
如果 y 为奇数, x = x - 1
y = y + 1
case 5:
如果 y 为奇数, x = x - 1
y = y - 1
一位flag字符决定两个方向指令
v2 = (flagPos + flagIdx / 6) % 6;
v1 = cur = 5 - (flagPos + flagIdx ) % 6;
爆破 flagIdx 即可
```python
map1 = [0x1, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00]
def checkValid(theMap, x, y):
    """Return True when (x, y) is inside the 10x9 grid and that cell is still 0.

    Args:
        theMap: row-major list of 90 cells (index = y * 10 + x).
        x: column, valid range 0..9.
        y: row, valid range 0..8.
    """
    inside = 0 <= x <= 9 and 0 <= y <= 8
    # Out-of-range coordinates are rejected before indexing, so no negative
    # index can silently wrap around to the other end of the list.
    return inside and theMap[y * 10 + x] == 0
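def isAllClear(theMap):
    """Return True when every cell of *theMap* has been filled (set to 1).

    The original compared the sum against the literal 90; comparing against
    ``len(theMap)`` gives the same answer for the 10x9 map and also works for
    other grid sizes. An empty map is never "all clear".
    """
    return len(theMap) > 0 and sum(theMap) == len(theMap)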
def genNextValid(theMap, x, y):
    """List the moves available from (x, y) as (direction, newX, newY) tuples.

    Directions follow the binary's switch: 1 = right, 4 = left, 2/3 = the two
    cells below, -1 (the switch's default branch) / 5 = the two cells above.
    Rows are staggered, so the diagonal neighbours depend on the parity of y.
    Candidates are returned in the fixed order 1, 4, 2, -1, 3, 5, filtered
    through checkValid().
    """
    if y % 2 == 0:
        # Even row: diagonals lean to the right.
        candidates = [
            (1, x + 1, y),
            (4, x - 1, y),
            (2, x + 1, y + 1),
            (-1, x + 1, y - 1),
            (3, x, y + 1),
            (5, x, y - 1),
        ]
    else:
        # Odd row: diagonals lean to the left.
        candidates = [
            (1, x + 1, y),
            (4, x - 1, y),
            (2, x, y + 1),
            (-1, x, y - 1),
            (3, x - 1, y + 1),
            (5, x - 1, y - 1),
        ]
    return [move for move in candidates if checkValid(theMap, move[1], move[2])]
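def _renderMap(theMap):
    """Return the 10x9 map as 9 text rows: '.' for a 0 cell, '#' for anything else."""
    return [
        "".join("." if theMap[y * 10 + x] == 0 else "#" for x in range(10))
        for y in range(9)
    ]


def dfs(CurMap, curX, curY, InsList):
    """Depth-first search for a walk that fills every free cell of the map.

    Args:
        CurMap: row-major 10x9 list of 0/1 cells. It is copied on entry, so the
            caller's list is never modified.
        curX, curY: cell entered by this call; it is marked as filled (1).
        InsList: path so far as (direction, x, y) tuples. Used as a shared stack:
            each level appends before recursing and pops afterwards.

    Returns:
        A snapshot (copy) of the complete instruction list when the map is
        fully filled, otherwise None.

    Note:
        The original assigned ``result = None`` but never stored the recursive
        call's value, so it returned None even after a hit and kept exploring
        the rest of the tree. The result is now propagated and the search
        stops at the first complete walk, which is printed as before.
    """
    CurMap = CurMap.copy()
    CurMap[curY * 10 + curX] = 1
    if isAllClear(CurMap):
        print("Find Solve.")
        print(InsList)
        for line in _renderMap(CurMap):
            print(line)
        # Copy: InsList is popped by the callers on the way back up.
        return list(InsList)
    for move in genNextValid(CurMap, curX, curY):
        InsList.append(move)
        result = dfs(CurMap, move[1], move[2], InsList)
        InsList.pop()
        if result is not None:
            return result
    # Dead end (no legal move, or every branch failed).
    return None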
# Start the exhaustive walk at the top-left cell; dfs() prints any complete path it finds.
startX, startY = 0, 0
dfs(map1, startX, startY, [])
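# Check logic recovered from the disassembly, per flag character at flagPos:
#   i_1 = alpha.index(flag[flagPos])
#   v8  = i_1 + flagPos
#   v10 = 5 - v8 % 6                 -> first move of this character
#   v7  = (flagPos + i_1 // 6) % 6   -> second move of this character
alpha = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
# Path found by dfs(): (direction, x, y) per step. -1 is the switch's default branch,
# which corresponds to move value 0.
target = [(1, 1, 0), (2, 2, 1), (3, 1, 2), (4, 0, 2), (3, 0, 3), (2, 0, 4), (1, 1, 4), (2, 2, 5), (3, 1, 6), (4, 0, 6), (3, 0, 7), (2, 0, 8), (1, 1, 8), (1, 2, 8), (-1, 3, 7), (1, 4, 7), (2, 4, 8), (1, 5, 8), (-1, 6, 7), (-1, 6, 6), (5, 6, 5), (-1, 6, 4), (5, 6, 3), (4, 5, 3), (3, 4, 4), (4, 3, 4), (5, 3, 3), (-1, 3, 2), (5, 3, 1), (-1, 3, 0), (1, 4, 0), (2, 5, 1), (1, 6, 1), (-1, 6, 0), (1, 7, 0), (2, 8, 1), (1, 9, 1), (2, 9, 2), (3, 9, 3), (4, 8, 3), (3, 7, 4), (2, 8, 5), (2, 8, 6), (3, 8, 7), (2, 8, 8), (1, 9, 8)]


def _decodeFlag(steps, alphabet=alpha):
    """Map consecutive pairs of moves in *steps* back to flag characters.

    Each flag character drives two moves: with ``idx`` its index in *alphabet*
    and ``flagPos`` its position, the binary emits ``5 - (idx + flagPos) % 6``
    followed by ``(flagPos + idx // 6) % 6``. A direction of -1 (the default
    branch) stands for the move value 0.

    Args:
        steps: sequence of (direction, x, y) tuples, two per flag character.
        alphabet: the character table the binary indexes into.

    Returns:
        The decoded flag.

    Raises:
        ValueError: if *steps* has an odd length or some pair matches no
            character (the original would have failed with a TypeError on
            ``alpha[None]`` instead).
    """
    if len(steps) % 2 != 0:
        raise ValueError("steps must contain two moves per flag character")
    chars = []
    for flagPos in range(len(steps) // 2):
        step1 = steps[2 * flagPos][0]
        step2 = steps[2 * flagPos + 1][0]
        step1 = 0 if step1 == -1 else step1
        step2 = 0 if step2 == -1 else step2
        for idx in range(len(alphabet)):
            v6 = 5 - (idx + flagPos) % 6
            v7 = (flagPos + idx // 6) % 6
            if v6 == step1 and v7 == step2:
                # (idx // 6, idx % 6) is unique for idx < 36, so the first hit is the only one.
                chars.append(alphabet[idx])
                break
        else:
            raise ValueError(
                f"no character produces moves ({step1}, {step2}) at position {flagPos}"
            )
    return "".join(chars)


flag = _decodeFlag(target)
print(flag)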
```