2024“蜀道山” RE 部分题解
Map_maze
题目描述
真真假假真真,你能够寻找到最后的终点吗?
附件下载
迷宫生成
v5 是一个长度为 105 的数组,被用作 15x15 的二维网格
int __cdecl sub_4010D0(_DWORD *a1, _DWORD *a2)
{
_DWORD *v2; // eax
_DWORD *v3; // eax
int result; // eax
_DWORD v5[105]; // [esp+0h] [ebp-424h] BYREF
_DWORD v6[119]; // [esp+1A4h] [ebp-280h]
_DWORD *v7; // [esp+380h] [ebp-A4h]
int i28; // [esp+384h] [ebp-A0h]
int i27; // [esp+388h] [ebp-9Ch]
int i26; // [esp+38Ch] [ebp-98h]
int i25; // [esp+390h] [ebp-94h]
int i24; // [esp+394h] [ebp-90h]
int i23; // [esp+398h] [ebp-8Ch]
int i22; // [esp+39Ch] [ebp-88h]
int i21; // [esp+3A0h] [ebp-84h]
int i20; // [esp+3A4h] [ebp-80h]
int i19; // [esp+3A8h] [ebp-7Ch]
int i18; // [esp+3ACh] [ebp-78h]
int i17; // [esp+3B0h] [ebp-74h]
int i16; // [esp+3B4h] [ebp-70h]
int i15; // [esp+3B8h] [ebp-6Ch]
int i14; // [esp+3BCh] [ebp-68h]
int i13; // [esp+3C0h] [ebp-64h]
int i12; // [esp+3C4h] [ebp-60h]
int i11; // [esp+3C8h] [ebp-5Ch]
int i10; // [esp+3CCh] [ebp-58h]
int i9; // [esp+3D0h] [ebp-54h]
int i8; // [esp+3D4h] [ebp-50h]
int i7; // [esp+3D8h] [ebp-4Ch]
int i6; // [esp+3DCh] [ebp-48h]
int i5; // [esp+3E0h] [ebp-44h]
int i4; // [esp+3E4h] [ebp-40h]
int i3; // [esp+3E8h] [ebp-3Ch]
int i2; // [esp+3ECh] [ebp-38h]
int i1; // [esp+3F0h] [ebp-34h]
int nn; // [esp+3F4h] [ebp-30h]
int mm; // [esp+3F8h] [ebp-2Ch]
int kk; // [esp+3FCh] [ebp-28h]
int jj; // [esp+400h] [ebp-24h]
int ii; // [esp+404h] [ebp-20h]
int n; // [esp+408h] [ebp-1Ch]
int m; // [esp+40Ch] [ebp-18h]
int k; // [esp+410h] [ebp-14h]
int j; // [esp+414h] [ebp-10h]
int i; // [esp+418h] [ebp-Ch]
int i30; // [esp+41Ch] [ebp-8h]
int i29; // [esp+420h] [ebp-4h]
for ( i = 0; i < 15; ++i )
{
for ( j = 0; j < 15; ++j )
v5[15 * i + j] = sub_401080(0); // 用来分配并初始化表示节点的结构
}
for ( k = 1; k < 15; ++k )
*(_DWORD *)v5[k] = 1;
for ( m = 9; m < 15; ++m )
*(_DWORD *)v5[m + 15] = 1;
for ( n = 0; n < 2; ++n )
*(_DWORD *)v5[n + 30] = 1;
for ( ii = 3; ii < 8; ++ii )
*(_DWORD *)v5[ii + 30] = 1;
for ( jj = 9; jj < 15; ++jj )
*(_DWORD *)v5[jj + 30] = 1;
for ( kk = 0; kk < 2; ++kk )
*(_DWORD *)v5[kk + 45] = 1;
for ( mm = 3; mm < 8; ++mm )
*(_DWORD *)v5[mm + 45] = 1;
for ( nn = 12; nn < 15; ++nn )
*(_DWORD *)v5[nn + 45] = 1;
for ( i1 = 0; i1 < 2; ++i1 )
*(_DWORD *)v5[i1 + 60] = 1;
for ( i2 = 7; i2 < 10; ++i2 )
*(_DWORD *)v5[i2 + 60] = 0;
*(_DWORD *)v5[67] = 1;
for ( i3 = 11; i3 < 15; ++i3 )
*(_DWORD *)v5[i3 + 60] = 1;
for ( i4 = 0; i4 < 2; ++i4 )
*(_DWORD *)v5[i4 + 75] = 1;
for ( i5 = 3; i5 < 6; ++i5 )
*(_DWORD *)v5[i5 + 75] = 1;
for ( i6 = 11; i6 < 15; ++i6 )
*(_DWORD *)v5[i6 + 75] = 1;
for ( i7 = 0; i7 < 2; ++i7 )
*(_DWORD *)v5[i7 + 90] = 1;
*(_DWORD *)v5[92] = 0;
for ( i8 = 3; i8 < 6; ++i8 )
*(_DWORD *)v5[i8 + 90] = 1;
for ( i9 = 7; i9 < 10; ++i9 )
*(_DWORD *)v5[i9 + 90] = 1;
for ( i10 = 11; i10 < 15; ++i10 )
*(_DWORD *)v5[i10 + 90] = 1;
*(_DWORD *)v6[0] = 1;
*(_DWORD *)v6[1] = 0;
*(_DWORD *)v6[2] = 0;
*(_DWORD *)v6[3] = 1;
for ( i11 = 4; i11 < 6; ++i11 )
*(_DWORD *)v6[i11] = 1;
for ( i12 = 7; i12 < 10; ++i12 )
*(_DWORD *)v6[i12] = 1;
for ( i13 = 11; i13 < 15; ++i13 )
*(_DWORD *)v6[i13] = 1;
for ( i14 = 0; i14 < 2; ++i14 )
*(_DWORD *)v6[i14 + 15] = 1;
for ( i15 = 7; i15 < 10; ++i15 )
*(_DWORD *)v6[i15 + 15] = 1;
for ( i16 = 11; i16 < 15; ++i16 )
*(_DWORD *)v6[i16 + 15] = 1;
for ( i17 = 0; i17 < 6; ++i17 )
*(_DWORD *)v6[i17 + 30] = 1;
for ( i18 = 7; i18 < 10; ++i18 )
*(_DWORD *)v6[i18 + 30] = 1;
for ( i19 = 11; i19 < 15; ++i19 )
*(_DWORD *)v6[i19 + 30] = 1;
for ( i20 = 0; i20 < 6; ++i20 )
*(_DWORD *)v6[i20 + 45] = 1;
for ( i21 = 11; i21 < 15; ++i21 )
*(_DWORD *)v6[i21 + 45] = 1;
for ( i22 = 0; i22 < 9; ++i22 )
*(_DWORD *)v6[i22 + 60] = 1;
for ( i23 = 13; i23 < 15; ++i23 )
*(_DWORD *)v6[i23 + 60] = 1;
for ( i24 = 0; i24 < 9; ++i24 )
*(_DWORD *)v6[i24 + 75] = 1;
*(_DWORD *)v6[84] = 0;
*(_DWORD *)v6[85] = 1;
*(_DWORD *)v6[86] = 1;
*(_DWORD *)v6[87] = 0;
for ( i25 = 13; i25 < 15; ++i25 )
*(_DWORD *)v6[i25 + 75] = 1;
for ( i26 = 0; i26 < 9; ++i26 )
*(_DWORD *)v6[i26 + 90] = 1;
*(_DWORD *)v6[99] = 0;
*(_DWORD *)v6[100] = 1;
*(_DWORD *)v6[101] = 1;
*(_DWORD *)v6[102] = 0;
for ( i27 = 13; i27 < 15; ++i27 )
*(_DWORD *)v6[i27 + 90] = 1;
for ( i28 = 0; i28 < 12; ++i28 )
*(_DWORD *)v6[i28 + 105] = 1;
for ( i29 = 0; i29 < 15; ++i29 )
{
for ( i30 = 0; i30 < 15; ++i30 )
{
if ( i29 > 0 )
*(_DWORD *)(v5[15 * i29 + i30] + 4) = v5[15 * i29 - 15 + i30];
if ( i29 < 14 )
*(_DWORD *)(v5[15 * i29 + i30] + 8) = v5[15 * i29 + 15 + i30];
if ( i30 > 0 )
*(_DWORD *)(v5[15 * i29 + i30] + 12) = v5[15 * i29 - 1 + i30];
if ( i30 < 14 )
*(_DWORD *)(v5[15 * i29 + i30] + 16) = v5[15 * i29 + 1 + i30];
}
}
v2 = (_DWORD *)v5[0];
*a1 = *(_DWORD *)v5[0];
a1[1] = v2[1];
a1[2] = v2[2];
a1[3] = v2[3];
a1[4] = v2[4];
v3 = v7;
*a2 = *v7;
a2[1] = v3[1];
a2[2] = v3[2];
a2[3] = v3[3];
result = v3[4];
a2[4] = result;
return result;
}迷宫的判断
可以写个C脚本跑一下过程
#include<stdio.h>
int maze[225]={0};
int main() {
int *v5 = maze;
int *v6 = maze + 105;
for (int k = 1; k < 15; ++k )
v5[k] = 1;
for (int m = 9; m < 15; ++m )
v5[m + 15] = 1;
for (int n = 0; n < 2; ++n )
v5[n + 30] = 1;
for (int ii = 3; ii < 8; ++ii )
v5[ii + 30] = 1;
for (int jj = 9; jj < 15; ++jj )
v5[jj + 30] = 1;
for (int kk = 0; kk < 2; ++kk )
v5[kk + 45] = 1;
for (int mm = 3; mm < 8; ++mm )
v5[mm + 45] = 1;
for (int nn = 12; nn < 15; ++nn )
v5[nn + 45] = 1;
for (int i1 = 0; i1 < 2; ++i1 )
v5[i1 + 60] = 1;
for (int i2 = 7; i2 < 10; ++i2 )
v5[i2 + 60] = 0;
v5[67] = 1;
for (int i3 = 11; i3 < 15; ++i3 )
v5[i3 + 60] = 1;
for (int i4 = 0; i4 < 2; ++i4 )
v5[i4 + 75] = 1;
for (int i5 = 3; i5 < 6; ++i5 )
v5[i5 + 75] = 1;
for (int i6 = 11; i6 < 15; ++i6 )
v5[i6 + 75] = 1;
for (int i7 = 0; i7 < 2; ++i7 )
v5[i7 + 90] = 1;
v5[92] = 0;
for (int i8 = 3; i8 < 6; ++i8 )
v5[i8 + 90] = 1;
for (int i9 = 7; i9 < 10; ++i9 )
v5[i9 + 90] = 1;
for (int i10 = 11; i10 < 15; ++i10 )
v5[i10 + 90] = 1;
v6[0] = 1;
v6[1] = 0;
v6[2] = 0;
v6[3] = 1;
for (int i11 = 4; i11 < 6; ++i11 )
v6[i11] = 1;
for (int i12 = 7; i12 < 10; ++i12 )
v6[i12] = 1;
for (int i13 = 11; i13 < 15; ++i13 )
v6[i13] = 1;
for (int i14 = 0; i14 < 2; ++i14 )
v6[i14 + 15] = 1;
for (int i15 = 7; i15 < 10; ++i15 )
v6[i15 + 15] = 1;
for (int i16 = 11; i16 < 15; ++i16 )
v6[i16 + 15] = 1;
for (int i17 = 0; i17 < 6; ++i17 )
v6[i17 + 30] = 1;
for (int i18 = 7; i18 < 10; ++i18 )
v6[i18 + 30] = 1;
for (int i19 = 11; i19 < 15; ++i19 )
v6[i19 + 30] = 1;
for (int i20 = 0; i20 < 6; ++i20 )
v6[i20 + 45] = 1;
for (int i21 = 11; i21 < 15; ++i21 )
v6[i21 + 45] = 1;
for (int i22 = 0; i22 < 9; ++i22 )
v6[i22 + 60] = 1;
for (int i23 = 13; i23 < 15; ++i23 )
v6[i23 + 60] = 1;
for (int i24 = 0; i24 < 9; ++i24 )
v6[i24 + 75] = 1;
v6[84] = 0;
v6[85] = 1;
v6[86] = 1;
v6[87] = 0;
for (int i25 = 13; i25 < 15; ++i25 )
v6[i25 + 75] = 1;
for (int i26 = 0; i26 < 9; ++i26 )
v6[i26 + 90] = 1;
v6[99] = 0;
v6[100] = 1;
v6[101] = 1;
v6[102] = 0;
for (int i27 = 13; i27 < 15; ++i27 )
v6[i27 + 90] = 1;
for (int i28 = 0; i28 < 12; ++i28 )
v6[i28 + 105] = 1;
for(int i=0;i<15;i++)
{
for(int j=0;j<15;j++)
{
printf(maze[i * 15 + j] ? "X" : " ");
}
printf("\n");
}
return 0;
}迷宫有多解但是正确的flag只有一个
DRRDDDDDDDRRRRDDRRRDRRRDDDRR
LZSDS{1979869e0c4ef6c542e54ae5c48f63ec}
Super Panda Girl
题目描述
Super Panda girl go go
附件下载
Unity游戏逆向题
找到super panda girl\Super Panda Girl_Data\Managed文件夹下的Assembly-CSharp.dll拖dnspy
找到一个RC4加密
且密文密钥已知
再找一下主要逻辑
主要逻辑就是先对 text 进行 RC4加密(密文密钥已知),
然后取 text 偶数位拼起来再进行base64编码
exp
import codecs
def decrypt(encrypted_bytes, key):
key_length = len(key)
data_length = len(encrypted_bytes)
key_bytes = key.encode('utf-8')
# Initialize array with values 0-255
array = list(range(256))
# Key Scheduling Algorithm (KSA)
num = 0
for j in range(256):
num = (num + array[j] + key_bytes[j % key_length]) % 256
array[j], array[num] = array[num], array[j]
# Pseudo-Random Generation Algorithm (PRGA)
num2 = num3 = 0
decrypted_bytes = bytearray(data_length)
for k in range(data_length):
num2 = (num2 + 1) % 256
num3 = (num3 + array[num2]) % 256
array[num2], array[num3] = array[num3], array[num2]
b3 = (array[num2] + array[num3]) % 256
decrypted_bytes[k] = encrypted_bytes[k] ^ b3
# Decode the decrypted bytes to UTF-8 string
return decrypted_bytes.decode('utf-8')
if __name__ == "__main__":
encrypted_bytes = [
57, 244, 117, 200, 213, 87, 194, 195, 164, 100, 103, 63, 19, 79,
137, 70, 201, 24, 163, 129, 237, 210, 5, 19, 35, 21
]
key = "LZSDS"
decrypted_text = decrypt(encrypted_bytes, key)
print(decrypted_text)
#put_this_in_the_true_brand取text的偶数位:ptti_ntetu_rn
再取base64
LZSDS{cHR0aV9udGV0dV9ybg==}
Potato Toolkit
题目描述
土豆哥综合利用工具
附件下载
随便输入
shift E 找一下 "Compile Error"
定位到sub_7FF6EFED12E0函数
- 通过检查用户输入的正确性,决定是否执行后续操作。
- 模拟进度条更新。
- 加密逻辑通过一组硬编码的字节和输入内容异或生成最终字符串v18
动调,分别输入字符串 "1wesa234" 和 "qwe123998244353"
注意这里循环结束后有退出
下断点的时候控制一下别直接退出去了
跟踪结果 v18
直接看到flag
LZSDS{@_v3ry_very_Ab3tr@ct_P0t@to_Guy}