[原创] kctf 第六题 寻回宝剑 wp
发表于: 2021-5-19 01:14 7954
拿到exe后,拿到ida中发现很多垃圾指令,不过仔细观察发现还是有固定的模式的,用idapython去了一些混淆,但是效果还是不够明显,指令还是很多,自己想了一个骚操作,就是可以利用ida的trace日志,里面是指令的执行过程等信息,然后用notepad的模糊替换,加上去除空行的功能,把指令清洗成下面这样
没截图全,只是讲下方法。
把指令清洗后,舒服了很多,不过靠上面那些还是不够,上面只是辅助我们下断点以及调试,加快速度。然后发现算法的流程是这样的:输入84个字符,字符的范围在0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+-*/%=,同时相邻的4位要满足 x1*0x2a+y1 < x2*0x2a+y2。其实这就是一个42*42的表,我们的输入要保证这个表中每个点所在的行和列里只有它一个(唯一性),有点类似n皇后,不过和n皇后还是有区别的:任意两点之间的行间隔、列间隔(位移向量)不能重复。这里有个坑点,就是最后的比较其实已经给出了前14行的点的填法,那么就缩小了范围,否则爆破跑不出来。放下exp:
#include<iostream>
#include<cstring>
#include<map>
using namespace std;
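// Solver state for kctf #6 ("寻回宝剑"): find an n = 42 permutation (row -> column)
// over the alphabet below such that no two pairs of placed points share the same
// (row delta, column delta) displacement, with the first rows fixed by `pre`.
constexpr int maxm = 2005;  // array bound; was written as 2e3 + 5 (a double) in the original

// Prefilled (row char, column char) pairs: 02 15 2S 3X 4Z 5Q 6C 7T 81 9/ AD B% C* DL
// Alphabet, mapped to indices 1..42 by init(): 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+-*/%=
std::string temp = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+-*/%=";
std::string pre = "02152S3X4Z5Q6C7T819/ADB%C*DL";

int to[maxm];        // alphabet char (its ASCII code is the index) -> 1-based index; 0 = not in alphabet
char rev[maxm];      // 1-based index -> alphabet char (inverse of `to`)
int a[maxm];         // a[row] = column index for that row; a permutation of 1..n once init() has run
int n = 42;          // board size; equals temp.size()
int mp[maxm][maxm];  // mp[dx + 100][dy] = 1 while displacement (dx, dy), sign-normalised to dy >= 0, is in use
int cnt = 0;         // number of dfs() calls so far, only used for progress output
int used[maxm];      // used[col] = 1 once a column index has been assigned to some row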
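// Builds the char<->index tables, places the prefilled pairs from `pre`,
// fills every remaining row with the smallest still-unused column, and
// records the displacement vectors between the prefilled rows in mp[][]
// so that dfs() can extend the placement without collisions.
// Assumes every char of `temp`/`pre` is 7-bit ASCII (it is used as an array
// index) and that the prefilled rows are exactly rows 1..pre.size()/2, which
// holds for the constants above (pre's row chars are '0'..'9','A'..'D').
// Prints "pre_len=<number of prefilled rows>" to stdout.
void init(){
    int idx = 0;
    for (unsigned char ch : temp) {  // unsigned so a stray non-ASCII byte cannot index negatively
        ++idx;
        to[ch] = idx;
        rev[idx] = static_cast<char>(ch);
    }
    const int len = static_cast<int>(pre.size());
    for (int i = 0; i + 1 < len; i += 2) {  // i + 1 < len: never read past an odd-length `pre`
        const int pos = to[static_cast<unsigned char>(pre[i])];
        const int val = to[static_cast<unsigned char>(pre[i + 1])];
        a[pos] = val;
        used[val] = 1;
    }
    // Every row not fixed by `pre` gets the smallest unused column; dfs() later
    // permutes a[cur..n], so this is just a starting arrangement, not a choice.
    int j = 1;
    for (int i = 1; i <= n; ++i) {
        if (a[i]) continue;
        while (used[j]) ++j;
        a[i] = j;
        used[j] = 1;
    }
    const int fixed = len / 2;  // number of prefilled rows (14 for the constants above)
    cout << "pre_len=" << fixed << endl;
    for (int i = 1; i <= fixed; ++i) {
        for (int k = 1; k < i; ++k) {
            int x = i - k;
            int y = a[i] - a[k];
            if (y < 0) { y = -y; x = -x; }  // (dx,dy) and (-dx,-dy) are the same pair; keep dy >= 0
            x += 100;                        // shift so a negative dx is still a valid index
            mp[x][y] = 1;
        }
    }
}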
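// Cell of mp[][] for the displacement between row `row` (holding column `col`)
// and an earlier row `j` (holding a[j]): dx = row - j, dy = col - a[j],
// sign-flipped so that dy >= 0, with dx shifted by +100 to be a valid index.
static int& disp_cell(int row, int col, int j) {
    int x = row - j;
    int y = col - a[j];
    if (y < 0) { y = -y; x = -x; }
    return mp[x + 100][y];
}

// Backtracking search. Precondition: rows 1..cur-1 are placed (a[1..cur-1])
// and every displacement among them is marked in mp[][]; a[cur..n] holds the
// columns not yet assigned. Tries each of those columns for row `cur`, keeping
// only choices whose displacements to all earlier rows are not yet in mp[][],
// and undoes its marks on return. A complete placement is printed as the
// 84-character candidate (row char followed by column char for each row);
// a "cnt=" progress line is printed every 1,000,000 calls.
void dfs(int cur){
    ++cnt;
    if (cnt % 1000000 == 0) {
        cout << "cnt=" << cnt << endl;
    }
    if (cur == n + 1) {
        for (int i = 1; i <= n; ++i) {
            cout << temp[i - 1] << rev[a[i]];
        }
        cout << endl;
        return;
    }
    for (int i = cur; i <= n; ++i) {
        // a[i] is the candidate column for row cur; a[j] for j < cur is untouched by the swap below
        bool ok = true;
        for (int j = 1; j < cur; ++j) {
            if (disp_cell(cur, a[i], j)) { ok = false; break; }
        }
        if (!ok) continue;
        for (int j = 1; j < cur; ++j) disp_cell(cur, a[i], j) = 1;
        swap(a[i], a[cur]);
        dfs(cur + 1);
        swap(a[i], a[cur]);  // restore, so a[i] is the candidate column again for the unmark loop
        for (int j = 1; j < cur; ++j) disp_cell(cur, a[i], j) = 0;
    }
}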
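// Entry point: builds the tables, dumps the initial row -> column assignment
// (prefilled rows first, then the smallest-unused fill) and starts the search
// at the first row that is not fixed by `pre` (pre.size()/2 + 1, i.e. 15 here).
int main(){
    init();
    for (int i = 1; i <= n; ++i) {
        cout << a[i] << ' ';
    }
    cout << endl;
    const int first_free_row = static_cast<int>(pre.size()) / 2 + 1;
    dfs(first_free_row);
    return 0;
}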
#include<iostream>
#include<cstring>
#include<map>
using namespace std;
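// Solver state for kctf #6 ("寻回宝剑"): find an n = 42 permutation (row -> column)
// over the alphabet below such that no two pairs of placed points share the same
// (row delta, column delta) displacement, with the first rows fixed by `pre`.
constexpr int maxm = 2005;  // array bound; was written as 2e3 + 5 (a double) in the original

// Prefilled (row char, column char) pairs: 02 15 2S 3X 4Z 5Q 6C 7T 81 9/ AD B% C* DL
// Alphabet, mapped to indices 1..42 by init(): 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+-*/%=
std::string temp = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+-*/%=";
std::string pre = "02152S3X4Z5Q6C7T819/ADB%C*DL";

int to[maxm];        // alphabet char (its ASCII code is the index) -> 1-based index; 0 = not in alphabet
char rev[maxm];      // 1-based index -> alphabet char (inverse of `to`)
int a[maxm];         // a[row] = column index for that row; a permutation of 1..n once init() has run
int n = 42;          // board size; equals temp.size()
int mp[maxm][maxm];  // mp[dx + 100][dy] = 1 while displacement (dx, dy), sign-normalised to dy >= 0, is in use
int cnt = 0;         // number of dfs() calls so far, only used for progress output
int used[maxm];      // used[col] = 1 once a column index has been assigned to some row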
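// Builds the char<->index tables, places the prefilled pairs from `pre`,
// fills every remaining row with the smallest still-unused column, and
// records the displacement vectors between the prefilled rows in mp[][]
// so that dfs() can extend the placement without collisions.
// Assumes every char of `temp`/`pre` is 7-bit ASCII (it is used as an array
// index) and that the prefilled rows are exactly rows 1..pre.size()/2, which
// holds for the constants above (pre's row chars are '0'..'9','A'..'D').
// Prints "pre_len=<number of prefilled rows>" to stdout.
void init(){
    int idx = 0;
    for (unsigned char ch : temp) {  // unsigned so a stray non-ASCII byte cannot index negatively
        ++idx;
        to[ch] = idx;
        rev[idx] = static_cast<char>(ch);
    }
    const int len = static_cast<int>(pre.size());
    for (int i = 0; i + 1 < len; i += 2) {  // i + 1 < len: never read past an odd-length `pre`
        const int pos = to[static_cast<unsigned char>(pre[i])];
        const int val = to[static_cast<unsigned char>(pre[i + 1])];
        a[pos] = val;
        used[val] = 1;
    }
    // Every row not fixed by `pre` gets the smallest unused column; dfs() later
    // permutes a[cur..n], so this is just a starting arrangement, not a choice.
    int j = 1;
    for (int i = 1; i <= n; ++i) {
        if (a[i]) continue;
        while (used[j]) ++j;
        a[i] = j;
        used[j] = 1;
    }
    const int fixed = len / 2;  // number of prefilled rows (14 for the constants above)
    cout << "pre_len=" << fixed << endl;
    for (int i = 1; i <= fixed; ++i) {
        for (int k = 1; k < i; ++k) {
            int x = i - k;
            int y = a[i] - a[k];
            if (y < 0) { y = -y; x = -x; }  // (dx,dy) and (-dx,-dy) are the same pair; keep dy >= 0
            x += 100;                        // shift so a negative dx is still a valid index
            mp[x][y] = 1;
        }
    }
}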
void dfs(
int
cur){
cnt
+
+
;