-
-
[原创]KCTF2021 春季赛 第二题 南冥神功 WP
-
发表于: 2021-5-12 21:44 4981
-
程序丢IDA F5+F12一下,逻辑比较简单,稍微分析一下就能理清
从伪代码里能看出是一个10*9的迷宫,从S出发,最后全部不为0即可
人肉解出迷宫的步骤,结合伪代码的switch得到结果
最后随便撸份python穷举一下解出flag
解出flag为:GJ0V4LA4VKEVQZSVCNGJ00N
int
__cdecl main(
int
argc, const char
*
*
argv, const char
*
*
envp)
{
char v3;
/
/
al
int
inputidx;
/
/
esi
int
tableidx;
/
/
ecx
int
v7;
/
/
edx
int
v8;
/
/
eax
unsigned
int
x;
/
/
ecx
int
op;
/
/
eax
int
i;
/
/
edx
int
v12;
/
/
eax
char
*
v13;
/
/
eax
char
*
v14;
/
/
eax
int
v15;
/
/
edx
char
*
v16;
/
/
ecx
int
v17;
/
/
eax
int
v18;
/
/
eax
int
v19;
/
/
eax
int
v20;
/
/
[esp
+
1Ch
] [ebp
-
60h
]
unsigned
int
y;
/
/
[esp
+
20h
] [ebp
-
5Ch
]
unsigned
int
v22;
/
/
[esp
+
24h
] [ebp
-
58h
]
char
chr
;
/
/
[esp
+
2Bh
] [ebp
-
51h
]
int
v24;
/
/
[esp
+
2Ch
] [ebp
-
50h
]
char v25[
76
];
/
/
[esp
+
30h
] [ebp
-
4Ch
] BYREF
sub_40AD70();
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKa((std::ostream::sentry
*
)&dword_4B8860,
"Input your code: "
);
sub_4B0AB0((
int
)&dword_4B8680, v25);
if
( strlen(v25) <
=
0x30
)
{
v3
=
v25[
0
];
if
( v25[
0
] )
{
inputidx
=
0
;
y
=
0
;
v22
=
0
;
v24
=
dword_4B7020;
chr
=
a0123456789abcd[
0
];
LABEL_4:
if
( v24 >
0
)
{
tableidx
=
0
;
if
(
chr
=
=
v3 )
{
LABEL_11:
v7
=
(inputidx
+
tableidx
/
6
)
%
6
;
/
/
将输入拆分成两个迷宫步骤
v8
=
tableidx
+
inputidx;
x
=
v22;
v20
=
v7;
op
=
5
-
v8
%
6
;
for
( i
=
0
; ; i
=
1
)
/
/
走迷宫
{
switch ( op )
{
case
1
:
+
+
x;
break
;
case
2
:
v17
=
(y
+
+
&
1
)
=
=
0
;
x
+
=
v17;
break
;
case
3
:
v12
=
(y
+
+
&
1
) !
=
0
;
x
-
=
v12;
break
;
case
4
:
-
-
x;
break
;
case
5
:
v19
=
(y
-
-
&
1
) !
=
0
;
x
-
=
v19;
break
;
default:
v18
=
(y
-
-
&
1
)
=
=
0
;
x
+
=
v18;
break
;
}
if
( x >
9
)
break
;
if
( y >
8
)
break
;
v13
=
&maze[
10
*
y
+
x];
if
(
*
v13 )
break
;
*
v13
=
1
;
if
( i
=
=
1
)
{
+
+
inputidx;
v22
=
x;
v3
=
v25[inputidx];
if
( v3 )
goto LABEL_4;
goto LABEL_19;
}
op
=
v20;
}
}
else
{
while
( v24 !
=
+
+
tableidx )
{
if
( a0123456789abcd[tableidx]
=
=
v3 )
goto LABEL_11;
}
}
}
}
else
{
LABEL_19:
v14
=
maze;
/
/
迷宫里没有
0
则成功
v15
=
0
;
do
{
v16
=
v14
+
10
;
do
v15
+
=
*
v14
+
+
=
=
0
;
while
( v16 !
=
v14 );
}
while
( &unk_4B70DA !
=
(_UNKNOWN
*
)v16 );
if
( !v15 )
{
sub_4ABF30(&dword_4B8860,
"Good job!"
,
9
);
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_(&dword_4B8860);
return
0
;
}
}
}
sub_4ABF30(&dword_4B8860,
"Try again..."
,
12
);
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_(&dword_4B8860);
return
0
;
}
int
__cdecl main(
int
argc, const char
*
*
argv, const char
*
*
envp)
{
char v3;
/
/
al
int
inputidx;
/
/
esi
int
tableidx;
/
/
ecx
int
v7;
/
/
edx
int
v8;
/
/
eax
unsigned
int
x;
/
/
ecx
int
op;
/
/
eax
int
i;
/
/
edx
int
v12;
/
/
eax
char
*
v13;
/
/
eax
char
*
v14;
/
/
eax
int
v15;
/
/
edx
char
*
v16;
/
/
ecx
int
v17;
/
/
eax
int
v18;
/
/
eax
int
v19;
/
/
eax
int
v20;
/
/
[esp
+
1Ch
] [ebp
-
60h
]
unsigned
int
y;
/
/
[esp
+
20h
] [ebp
-
5Ch
]
unsigned
int
v22;
/
/
[esp
+
24h
] [ebp
-
58h
]
char
chr
;
/
/
[esp
+
2Bh
] [ebp
-
51h
]
int
v24;
/
/
[esp
+
2Ch
] [ebp
-
50h
]
char v25[
76
];
/
/
[esp
+
30h
] [ebp
-
4Ch
] BYREF
sub_40AD70();
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKa((std::ostream::sentry
*
)&dword_4B8860,
"Input your code: "
);
sub_4B0AB0((
int
)&dword_4B8680, v25);
if
( strlen(v25) <
=
0x30
)
{
v3
=
v25[
0
];
if
( v25[
0
] )
{
inputidx
=
0
;
y
=
0
;
v22
=
0
;
v24
=
dword_4B7020;
chr
=
a0123456789abcd[
0
];
LABEL_4:
if
( v24 >
0
)
{
tableidx
=
0
;
if
(
chr
=
=
v3 )
{
LABEL_11:
v7
=
(inputidx
+
tableidx
/
6
)
%
6
;
/
/
将输入拆分成两个迷宫步骤
v8
=
tableidx
+
inputidx;
x
=
v22;
v20
=
v7;
op
=
5
-
v8
%
6
;
for
( i
=
0
; ; i
=
1
)
/
/
走迷宫
{
switch ( op )
{
case
1
:
+
+
x;
break
;
case
2
:
v17
=
(y
+
+
&
1
)
=
=
0
;
x
+
=
v17;
break
;
case
3
:
v12
=
(y
+
+
&
1
) !
=
0
;
x
-
=
v12;
break
;
case
4
:
-
-
x;
break
;
case
5
:
v19
=
(y
-
-
&
1
) !
=
0
;
x
-
=
v19;
break
;
default:
v18
=
(y
-
-
&
1
)
=
=
0
;
x
+
=
v18;
break
;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
他的文章
看原图
赞赏
雪币:
留言: