首页
社区
课程
招聘
[原创]KCTF2021 春季赛 第二题 南冥神功 WP
发表于: 2021-5-12 21:44 4989

[原创]KCTF2021 春季赛 第二题 南冥神功 WP

2021-5-12 21:44
4989

程序丢IDA F5+F12一下,逻辑比较简单,稍微分析一下就能理清

从伪代码里能看出是一个10*9的迷宫,从S出发,最后全部不为0即可

人肉解出迷宫的步骤,结合伪代码的switch得到结果

最后随便撸份python穷举一下解出flag

解出flag为:GJ0V4LA4VKEVQZSVCNGJ00N

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v3; // al
  int inputidx; // esi
  int tableidx; // ecx
  int v7; // edx
  int v8; // eax
  unsigned int x; // ecx
  int op; // eax
  int i; // edx
  int v12; // eax
  char *v13; // eax
  char *v14; // eax
  int v15; // edx
  char *v16; // ecx
  int v17; // eax
  int v18; // eax
  int v19; // eax
  int v20; // [esp+1Ch] [ebp-60h]
  unsigned int y; // [esp+20h] [ebp-5Ch]
  unsigned int v22; // [esp+24h] [ebp-58h]
  char chr; // [esp+2Bh] [ebp-51h]
  int v24; // [esp+2Ch] [ebp-50h]
  char v25[76]; // [esp+30h] [ebp-4Ch] BYREF
 
  sub_40AD70();
  _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKa((std::ostream::sentry *)&dword_4B8860, "Input your code: ");
  sub_4B0AB0((int)&dword_4B8680, v25);
  if ( strlen(v25) <= 0x30 )
  {
    v3 = v25[0];
    if ( v25[0] )
    {
      inputidx = 0;
      y = 0;
      v22 = 0;
      v24 = dword_4B7020;
      chr = a0123456789abcd[0];
LABEL_4:
      if ( v24 > 0 )
      {
        tableidx = 0;
        if ( chr == v3 )
        {
LABEL_11:
          v7 = (inputidx + tableidx / 6) % 6;   // 将输入拆分成两个迷宫步骤
          v8 = tableidx + inputidx;
          x = v22;
          v20 = v7;
          op = 5 - v8 % 6;
          for ( i = 0; ; i = 1 )                // 走迷宫
          {
            switch ( op )
            {
              case 1:
                ++x;
                break;
              case 2:
                v17 = (y++ & 1) == 0;
                x += v17;
                break;
              case 3:
                v12 = (y++ & 1) != 0;
                x -= v12;
                break;
              case 4:
                --x;
                break;
              case 5:
                v19 = (y-- & 1) != 0;
                x -= v19;
                break;
              default:
                v18 = (y-- & 1) == 0;
                x += v18;
                break;
            }
            if ( x > 9 )
              break;
            if ( y > 8 )
              break;
            v13 = &maze[10 * y + x];
            if ( *v13 )
              break;
            *v13 = 1;
            if ( i == 1 )
            {
              ++inputidx;
              v22 = x;
              v3 = v25[inputidx];
              if ( v3 )
                goto LABEL_4;
              goto LABEL_19;
            }
            op = v20;
          }
        }
        else
        {
          while ( v24 != ++tableidx )
          {
            if ( a0123456789abcd[tableidx] == v3 )
              goto LABEL_11;
          }
        }
      }
    }
    else
    {
LABEL_19:
      v14 = maze;                               // 迷宫里没有0则成功
      v15 = 0;
      do
      {
        v16 = v14 + 10;
        do
          v15 += *v14++ == 0;
        while ( v16 != v14 );
      }
      while ( &unk_4B70DA != (_UNKNOWN *)v16 );
      if ( !v15 )
      {
        sub_4ABF30(&dword_4B8860, "Good job!", 9);
        _ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_(&dword_4B8860);
        return 0;
      }
    }
  }
  sub_4ABF30(&dword_4B8860, "Try again...", 12);
  _ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_(&dword_4B8860);
  return 0;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v3; // al
  int inputidx; // esi
  int tableidx; // ecx
  int v7; // edx
  int v8; // eax
  unsigned int x; // ecx
  int op; // eax
  int i; // edx
  int v12; // eax
  char *v13; // eax
  char *v14; // eax
  int v15; // edx
  char *v16; // ecx
  int v17; // eax
  int v18; // eax
  int v19; // eax
  int v20; // [esp+1Ch] [ebp-60h]
  unsigned int y; // [esp+20h] [ebp-5Ch]
  unsigned int v22; // [esp+24h] [ebp-58h]
  char chr; // [esp+2Bh] [ebp-51h]
  int v24; // [esp+2Ch] [ebp-50h]
  char v25[76]; // [esp+30h] [ebp-4Ch] BYREF
 
  sub_40AD70();
  _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKa((std::ostream::sentry *)&dword_4B8860, "Input your code: ");
  sub_4B0AB0((int)&dword_4B8680, v25);
  if ( strlen(v25) <= 0x30 )
  {
    v3 = v25[0];
    if ( v25[0] )
    {
      inputidx = 0;
      y = 0;
      v22 = 0;
      v24 = dword_4B7020;
      chr = a0123456789abcd[0];
LABEL_4:
      if ( v24 > 0 )
      {
        tableidx = 0;
        if ( chr == v3 )
        {
LABEL_11:
          v7 = (inputidx + tableidx / 6) % 6;   // 将输入拆分成两个迷宫步骤
          v8 = tableidx + inputidx;
          x = v22;
          v20 = v7;
          op = 5 - v8 % 6;
          for ( i = 0; ; i = 1 )                // 走迷宫
          {
            switch ( op )
            {
              case 1:
                ++x;
                break;
              case 2:
                v17 = (y++ & 1) == 0;
                x += v17;
                break;
              case 3:
                v12 = (y++ & 1) != 0;
                x -= v12;
                break;
              case 4:
                --x;
                break;
              case 5:
                v19 = (y-- & 1) != 0;
                x -= v19;
                break;
              default:
                v18 = (y-- & 1) == 0;
                x += v18;
                break;
            }

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//