
[原创] 第二题 南冥神功 by Syclover

2021-5-11 23:03
10057

# KCTF


## 南冥神功

.data:004B7040 a0123456789abcd db '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ',0


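# Maze grid as a flat, row-major list: 9 rows of 10 cells, indexed y * 10 + x.
map1 = [
    0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
    0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
]

# Draw the grid one row per line: a 0 cell becomes '.', any other value '#'.
# The loop reads map1 directly; the snippet as posted referred to `theMap`,
# which is never defined at this point and would raise NameError.
for y in range(9):
    line = ''
    for x in range(10):
        line += '.' if map1[y * 10 + x] == 0 else '#'
    print(line)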



..#..#..##

##..#..#..

..#.#####.

.##.#..#..

..#..#..##

##.###.#.#

..####.#.#

.##..#.#.#

...#..##..



loc_4B3DC5:             ; what is ecx
                        ; NOTE(review): the table that follows this snippet ('0'..'9' -> 0..9, 'A' -> 0xA, 'F' -> 0xF)
                        ; suggests ecx holds the input character's index in the alphabet string -- confirm while debugging
mov     eax, ecx

0 => 0

1 => 1

2 => 2

9 => 9

'A' => 0xA

'F' => 0xF




alpha = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'


i_1 => alpha.index(flag[flagPos])


v8 = i_1 + flagPos;

v10 = 5 - v8 % 6;

switch ( v10 )


case 1

x = x + 1

case 4

x = x - 1



case 2:

当 y 为偶数, x = x + 1

y = y + 1



default(即 v10 == 0,因为 v10 = 5 - v8 % 6 只能取 0~5,而 1~5 已由各 case 处理)

如果 y 为偶数, x = x + 1

y = y - 1



case 3:

如果 y 为奇数, x = x - 1

y = y + 1


case 5

如果 y 为奇数, x = x - 1

y = y - 1



每一位 flag 字符决定两条方向指令(flagIdx 为该字符在 alpha 中的下标,flagPos 为该字符在 flag 中的位置):

v2 = (flagPos + flagIdx / 6) % 6;

v1 = cur = 5 - (flagPos + flagIdx ) % 6;

对每个位置,在 alpha 的全部下标中爆破 flagIdx,使 v1、v2 分别等于路径中对应的相邻两步方向即可



```python

# Maze grid as a flat, row-major list: 9 rows of 10 cells, indexed y * 10 + x.
# 0 marks a cell that can still be entered; the solver writes 1 into every
# cell it visits. The first cell is already 1 here.
map1 = [
    0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01,
    0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
]



def checkValid(theMap, x, y):
    """Tell whether the cell at (x, y) can be entered.

    theMap is the flat grid indexed as y * 10 + x. The coordinate must lie
    inside 0..9 horizontally and 0..8 vertically, and the cell must hold 0.
    Returns False for anything off the grid.
    """
    on_grid = 0 <= x <= 9 and 0 <= y <= 8
    if not on_grid:
        return False
    cell = theMap[y * 10 + x]
    return cell == 0



def isAllClear(theMap):
    """Return True once the cell values add up to 90.

    With a 10 x 9 grid of 0/1 cells that means no 0 cell is left.
    """
    total_cells = 90  # 10 columns x 9 rows
    marked = sum(theMap)
    return marked == total_cells



def genNextValid(theMap, x, y):
    """Collect every move from (x, y) that lands on an enterable cell.

    Each result is a tuple (direction code, new x, new y). The codes follow
    the checker's switch: 1 and 4 step right and left along the row, while
    2, 3, 5 and the default branch (recorded as -1) change the row, with a
    column offset that depends on whether y is even or odd.
    """
    # (code, dx, dy) triples, kept in the order the moves are probed.
    if y % 2 == 0:
        row_changes = [(2, 1, 1), (-1, 1, -1), (3, 0, 1), (5, 0, -1)]
    else:
        row_changes = [(2, 0, 1), (-1, 0, -1), (3, -1, 1), (5, -1, -1)]
    candidates = [(1, 1, 0), (4, -1, 0)] + row_changes

    return [
        (code, x + dx, y + dy)
        for code, dx, dy in candidates
        if checkValid(theMap, x + dx, y + dy)
    ]



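def dfs(CurMap, curX, curY, InsList):
    """Depth-first search for a path that enters every 0 cell exactly once.

    CurMap  -- flat grid (y * 10 + x); it is copied, never modified in place.
    curX, curY -- cell being entered by this call.
    InsList -- moves taken so far as (direction code, x, y) tuples; it is
               extended and restored while backtracking.

    Every complete path is printed together with the filled grid. Returns a
    copy of the first complete move list found below this call, or None when
    this branch has no solution.
    """
    # Private copy so sibling branches still see the grid as it was.
    CurMap = CurMap.copy()
    CurMap[curY * 10 + curX] = 1  # mark the current cell as visited

    if isAllClear(CurMap):
        print("Find Solve.")
        print(InsList)
        for y in range(9):
            print(''.join('.' if CurMap[y * 10 + x] == 0 else '#' for x in range(10)))
        # Hand back a snapshot: callers pop from InsList while backtracking,
        # so returning the list itself would give them an emptied list.
        return list(InsList)

    result = None
    for move in genNextValid(CurMap, curX, curY):
        InsList.append(move)
        found = dfs(CurMap, move[1], move[2], InsList)
        InsList.pop()
        # The recursive result used to be discarded, so the function always
        # returned None. Keep exploring so every solution is still printed,
        # but remember the first one.
        if result is None:
            result = found
    return result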



# Start the search at cell (0, 0) with an empty move list; dfs prints each
# complete path it finds.
dfs(map1, 0, 0, [])


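# Recover the serial from the move list.
#
# Relations used below (i_1 is the character's index in `alpha`, flagPos its
# position in the serial):
#     i_1 = alpha.index(flag[flagPos])
#     v8  = i_1 + flagPos
#     v10 = 5 - v8 % 6                    -> first direction code
#     v7  = (flagPos + i_1 // 6) % 6      -> second direction code
# Each character therefore accounts for two consecutive moves.
alpha = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'

# (direction code, x, y) per step; this appears to be the move list printed
# by the search. -1 stands for the switch's default branch, i.e. code 0.
target = [
    (1, 1, 0), (2, 2, 1), (3, 1, 2), (4, 0, 2), (3, 0, 3), (2, 0, 4),
    (1, 1, 4), (2, 2, 5), (3, 1, 6), (4, 0, 6), (3, 0, 7), (2, 0, 8),
    (1, 1, 8), (1, 2, 8), (-1, 3, 7), (1, 4, 7), (2, 4, 8), (1, 5, 8),
    (-1, 6, 7), (-1, 6, 6), (5, 6, 5), (-1, 6, 4), (5, 6, 3), (4, 5, 3),
    (3, 4, 4), (4, 3, 4), (5, 3, 3), (-1, 3, 2), (5, 3, 1), (-1, 3, 0),
    (1, 4, 0), (2, 5, 1), (1, 6, 1), (-1, 6, 0), (1, 7, 0), (2, 8, 1),
    (1, 9, 1), (2, 9, 2), (3, 9, 3), (4, 8, 3), (3, 7, 4), (2, 8, 5),
    (2, 8, 6), (3, 8, 7), (2, 8, 8), (1, 9, 8),
]


def _find_index(flagPos, step1, step2):
    """Brute-force the index in `alpha` whose two codes equal (step1, step2).

    For a fixed flagPos the pair (idx % 6, idx // 6) is distinct for every
    idx in 0..35, so at most one index can match.
    Raises ValueError when none does, instead of failing later on alpha[None].
    """
    for idx in range(len(alpha)):
        v6 = 5 - (idx + flagPos) % 6
        v7 = (flagPos + idx // 6) % 6
        if v6 == step1 and v7 == step2:
            return idx
    raise ValueError(
        "no alphabet index yields moves (%d, %d) at position %d"
        % (step1, step2, flagPos)
    )


# Moves are consumed two at a time, so an odd count cannot be decoded.
if len(target) % 2 != 0:
    raise ValueError("move list must hold an even number of steps")

flag = ''
for flagPos in range(len(target) // 2):
    step1 = target[2 * flagPos][0]
    step2 = target[2 * flagPos + 1][0]

    # The default branch was recorded as -1; its direction code is 0.
    if step1 == -1:
        step1 = 0
    if step2 == -1:
        step2 = 0

    flag += alpha[_find_index(flagPos, step1, step2)]

# Print the recovered serial once it is complete.
print(flag)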


```







最新回复 (2)
YenKoc 2 2021-5-12 12:56
2
0
陈总,md格式乱了
yushusu 2021-8-17 15:38
3
0
陈总,md格式乱了