攻防世界 reverse easy_Maze
泪目了,今天又是嫖大佬博客的一天。
maze类:1.内存中画出一张地图(地图变换) 2.明确起点和终点 3.(四个字符对应上下左右)flag就是走出的路径
题目提示是maze类的,找上面三个关键点
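/**
 * Entry point of the easy_Maze binary (decompiler output, cleaned up).
 *
 * Builds a constant 7x7 grid, passes it through Step_0 and Step_1, prints a
 * prompt and hands the result to Step_2, which reads and checks the moves.
 *
 * Reconstruction notes:
 *  - The decompiler listed the grid as `int v9[7]` followed by the 42 scalars
 *    v10..v51. Their stack slots are contiguous (rbp-0xD0 up to rbp-0x10,
 *    49 ints in total), and the block is passed on as `int (*)[7]`, so it is
 *    one `int[7][7]` array. Row 0 is the old v9[0..6], the rows after it are
 *    v10..v51 in order.
 *  - v7 (+ v8) and v5 (+ v6) follow the same pattern: memset of 0xC0 bytes
 *    (48 ints) plus one trailing scalar set to 0, i.e. two zeroed 7x7 grids.
 *  - The listing writes to `_bss_start`; that is presumably the decompiler's
 *    label for std::cout, the stream handed to operator<<.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  // Initial grid, before either transformation.
  int v9[7][7] = {
    {  1,  1, -1,  1, -1,  1, -1 },
    {  0,  0,  0,  0,  1, -1,  0 },
    {  0,  1,  0,  0,  1,  0, -1 },
    { -1,  0,  1,  0,  1, -1,  0 },
    { -1,  0,  0,  0,  0,  0,  1 },
    { -1, -1,  1, -1,  0, -1,  2 },
    {  1, -1,  0,  0, -1,  1,  0 },
  };
  int v7[7][7] = {};  // output of Step_0, zero-initialised
  int v5[7][7] = {};  // output of Step_1, zero-initialised

  // Per the write-up both calls transform the map; their bodies are not shown here.
  Step_0(v9, 7, v7);
  Step_1(v7, 7, v5);

  std::cout << "Please help me out!" << std::endl;

  // Reads the moves and validates them against the transformed grid in v5.
  Step_2(v5);
  system("pause");
  return 0;
}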
进入Step_2函数
/**
 * Reads moves from std::cin and walks them over the 7x7 grid `a1`.
 *
 * The walk starts at [0][0] and continues while fewer than 30 characters have
 * been read and the current cell holds 1. 'w'/'s' change the row (up/down),
 * 'a'/'d' change the column (left/right). Any other character prints a
 * warning but is still stored and still counts as a step.
 *
 * Returns 1 and passes the recorded input to output() when the walk ends on
 * [6][6]; otherwise prints the failure message and returns 0.
 *
 * `_bss_start` in the decompiler listing is written here as std::cout
 * (presumably what that label refers to).
 *
 * NOTE(review): row and col are never range-checked, so a move off the edge
 * makes the loop condition read outside the grid. A hardened version would
 * reject such moves before indexing.
 */
__int64 __fastcall Step_2(int (*a1)[7])
{
  char path[35];  // every character read, legal or not; at most 30 are written
  char ch;        // current input character
  int steps = 0;  // number of characters consumed so far
  int col = 0;
  int row = 0;    // start position is [0][0]

  while ( steps <= 29 && a1[row][col] == 1 )
  {
    std::cin >> ch;
    path[steps++] = ch;
    switch ( ch )
    {
      case 'w':  // up
        --row;
        break;
      case 's':  // down
        ++row;
        break;
      case 'a':  // left
        --col;
        break;
      case 'd':  // right
        ++col;
        break;
      default:   // position unchanged, but the step has been spent
        std::cout << "include illegal words." << std::endl;
        break;
    }
  }

  // Success only if the walk stopped on the exit cell [6][6].
  if ( row == 6 && col == 6 )
  {
    std::cout << "Congratulations!" << std::endl;
    output(path, steps);
    return 1LL;
  }

  std::cout << "Oh no!,Please try again~~" << std::endl;
  return 0LL;
}
综上:
1.地图两次变换(可通过动态调试找到)
2.起点[0][0]到[6][6]
3.wasd 对应上左下右
动态调试查看地图(这里有个小坑:需要设置内存的显示格式,见下图;地图元素是 int 且含有 -1,所以要设置成 4byte_Integer 和 Signed)
在调用 Step_2 之前下断点,此时传给 Step_2 的 v5 就是两次变换后的地图(7×7 个 int),把它 dump 出来
把地图整理成 7×7 的形式,沿着值为 1 的格子从 [0][0] 走到 [6][6](最多 30 步),走法:
ssddwdwdddssaasasaaassddddwdds
UNCTF{ssddwdwdddssaasasaaassddddwdds}
PS:感谢北风大佬的博客,嘿嘿。