zoukankan      html  css  js  c++  java
  • 2020 极客巅峰RE wp

    virus:

    拖入ida32,加载符号表,进入主函数

    puts("There is a long way to defeat it.");
    scanf("%s", flag);
    v12 = strlen(flag);
    v6[0] = 0;
    v6[1] = 0;
    v6[2] = 0;
    v6[3] = 0;
    v7 = 0;
    v11 = 0;
    v8 = 0;
    for ( i = 0; i < v9; ++i )
      {
        if ( flag[i] == '-' )//检测-的位置并将其记录到v6数组中
        {
          v3 = v11++;
          v6[v3] = i;
        }
        if ( !v14 )
        {
          v5[i] = flag[i] - '0';//string转int
          if ( v5[i] > 9 || v5[i] < 0 )//输入必须为0到9
            return 0;
        }
      }
      if ( v11 != 4 )//说明一共有4个-
        return 0;
      v10 = v12;
      for ( i = 1; i <= v11; ++i )
      {
        v11 = v6[i] - v6[i - 1] - 1;//计算相邻两个-中共有多少个数据
        if ( step[i] != v8 )//将数据长度与固定值比较(19,25,26,28)
          return 0;
        strncpy(&road[200 * i], &flag[v6[i - 1] + 1], v11);//按照用户输入顺序将字符按照指定长度复制到road[1024]这个数组中
      }
      for ( i = 0; i <= 3; ++i )
      {
        if ( check_flag((int)&global_map[200 * v5[i]], v5[i], &road[200 * i + 200]) )//迷宫
        {
          puts("How about try again?");
          return 0;
        }
        if ( i == 3 )
          printf("Great! We will defeat it!!! your flag is flag{%s}", flag);
      }
    

    进入check_flag函数

    BOOL __cdecl check_flag(int a1, int a2, char *Str)
    {
      BOOL result; // eax
      signed int v4; // [esp+10h] [ebp-18h]
      int v5; // [esp+14h] [ebp-14h]
      int v6; // [esp+18h] [ebp-10h]
      int i; // [esp+1Ch] [ebp-Ch]
    
      v4 = strlen(Str);
      v6 = start[2 * a2];
      v5 = dword_403444[2 * a2];
      for ( i = 0; ; ++i )
      {
        result = i;
        if ( i >= v4 )
          break;
        switch ( Str[i] )
        {
          case 'w':
            --v6;
            break;
          case 's':
            ++v6;
            break;
          case 'a':
            --v5;
            break;
          case 'd':
            ++v5;
            break;
          default:
            return 1;
        }
        if ( v5 < 0 || v5 > 19 || v6 < 0 || v6 > 10 )
          return 1;
        if ( v4 - 1 == i )
          return *(_BYTE *)(a1 + 20 * v6 + v5) != 'd';
        if ( *(_BYTE *)(a1 + 20 * v6 + v5) != '.' )
          return 1;
      }
      return result;
    }
    

    根据上面的代码和迷宫可得路径

    第一个迷宫 第二个迷宫 第三个迷宫 第四个迷宫
    dddddddddsssssaaaaaaaaawww sdsdsdsdsdsdsddwdwdwdwdwdwdw aaaaaaaaasssssssddddddddd wwwwwdddddddddsssss

    所以可得脚本

    global_map = ['dddddddddsssssaaaaaaaaawww','sdsdsdsdsdsdsddwdwdwdwdwdwdw','aaaaaaaaasssssssddddddddd','wwwwwdddddddddsssss']
    step = [19,25,26,28]
    flag = 'flag{' + ''
    tmp =[0,0,0,0]
    for j in range(len(step)):
        for i in range(len(global_map)):
             if len(global_map[i]) == step[j]:
                    tmp[j] = i +1
                    flag += str( tmp[j])
    for i in range(4):
        flag += '-' + global_map[tmp[i]-1]
    flag += '}'
    print(flag)
    #flag{4312-wwwwwdddddddddsssss-aaaaaaaaasssssssddddddddd-dddddddddsssssaaaaaaaaawww-sdsdsdsdsdsdsddwdwdwdwdwdwdw}
    

    fu!k_py:

    文件是一个pyc,找个在线解密的网站跑一下。

    得到python源码

    (lambda __g, __print: [ [ (lambda __after: [ (lambda __after: (__print('Error len!'), (exit(), __after())[1])[1] if len(input) != 87 else __after())(lambda : [ [ [ [ (lambda __after: (__print('Error fmt!'), (exit(0), __after())[1])[1] if fmt1 != 'flag{' or fmt2 != '}' else __after())(lambda : (d.append(context[0:9]), (d.append(context[9:18]), (d.append(context[18:27]), (d.append(context[27:36]), (d.append(context[36:45]), (d.append(context[45:54]), (d.append(context[54:63]), (d.append(context[63:72]), (d.append(context[72:81]), [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[0][2] != '5' or d[0][3] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[1][0] != '8' or d[1][7] != '2' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[2][1] != '7' or d[2][4] != '1' or d[2][6] != '5' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[3][0] != '4' or d[3][5] != '5' or d[3][6] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[4][1] != '1' or d[4][4] != '7' or d[4][8] != '6' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[5][2] != '3' or d[5][3] != '2' or d[5][7] != '8' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[6][1] != '6' or d[6][3] != '5' or d[6][8] != '9' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[7][2] != '4' or d[7][7] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[8][5] != '9' or d[8][6] != '7' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(h1) != 45 or check(h2) != 45 or check(h3) != 45 or check(h4) != 45 or check(h5) != 45 or check(h6) != 45 or check(h7) != 45 or check(h8) != 45 or check(h9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(l1) != 45 or check(l2) != 45 or check(l3) != 45 or check(l4) != 45 or check(l5) != 45 or check(l6) != 45 or check(l7) != 45 or check(l8) != 45 or check(l9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(k1) != 45 or check(k2) != 45 or check(k3) != 45 or check(k4) != 45 or check(k5) != 45 or check(k6) != 45 or check(k7) != 45 or check(k8) != 45 or check(k9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(h1) != 1 or check1(h2) != 1 or check1(h3) != 1 or check1(h4) != 1 or check1(h5) != 1 or check1(h6) != 1 or check1(h7) != 1 or check1(h8) != 1 or check1(h9) != 1 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(l1) != 1 or check1(l2) != 1 or check1(l3) != 1 or check1(l4) != 1 or check1(l5) != 1 or check1(l6) != 1 or check1(l7) != 1 or check1(l8) != 1 or check1(l9) != 1 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(k1) != 1 or check1(k2) != 1 or check1(k3) != 1 or check1(k4) != 1 or check1(k5) != 1 or check1(k6) != 1 or check1(k7) != 1 or check1(k8) != 1 or check1(k9) != 1 else __after())(lambda : (__print('Yes! You got it!'), __after())[1]))))))))))))))) for __g['k9'] in [context[60] + context[61] + context[62] + context[69] + context[70] + context[71] + context[78] + context[79] + context[80]] ][0] for __g['k8'] in [context[57] + context[58] + context[59] + context[66] + context[67] + context[68] + context[75] + context[76] + context[77]] ][0] for __g['k7'] in [context[54] + context[55] + context[56] + context[63] + context[64] + context[65] + context[72] + context[73] + context[74]] ][0] for __g['k6'] in [context[33] + context[34] + context[35] + context[42] + context[43] + context[44] + context[51] + context[52] + context[53]] ][0] for __g['k5'] in [context[30] + context[31] + context[32] + context[39] + context[40] + context[41] + context[48] + context[49] + context[50]] ][0] for __g['k4'] in [context[27] + context[28] + context[29] + context[36] + context[37] + context[38] + context[45] + context[46] + context[47]] ][0] for __g['k3'] in [context[6] + context[7] + context[8] + context[15] + context[16] + context[17] + context[24] + context[25] + context[26]] ][0] for __g['k2'] in [context[3] + context[4] + context[5] + context[12] + context[13] + context[14] + context[21] + context[22] + context[23]] ][0] for __g['k1'] in [context[0] + context[1] + context[2] + context[9] + context[10] + context[11] + context[18] + context[19] + context[20]] ][0] for __g['l9'] in [context[8] + context[17] + context[26] + context[35] + context[44] + context[53] + context[62] + context[71] + context[80]] ][0] for __g['l8'] in [context[7] + context[16] + context[25] + context[34] + context[43] + context[52] + context[61] + context[70] + context[79]] ][0] for __g['l7'] in [context[6] + context[15] + context[24] + context[33] + context[42] + context[51] + context[60] + context[69] + context[78]] ][0] for __g['l6'] in [context[5] + context[14] + context[23] + context[32] + context[41] + context[50] + context[59] + context[68] + context[77]] ][0] for __g['l5'] in [context[4] + context[13] + context[22] + context[31] + context[40] + context[49] + context[58] + context[67] + context[76]] ][0] for __g['l4'] in [context[3] + context[12] + context[21] + context[30] + context[39] + context[48] + context[57] + context[66] + context[75]] ][0] for __g['l3'] in [context[2] + context[11] + context[20] + context[29] + context[38] + context[47] + context[56] + context[65] + context[74]] ][0] for __g['l2'] in [context[1] + context[10] + context[19] + context[28] + context[37] + context[46] + context[55] + context[64] + context[73]] ][0] for __g['l1'] in [context[0] + context[9] + context[18] + context[27] + context[36] + context[45] + context[54] + context[63] + context[72]] ][0] for __g['h9'] in [context[72:81]] ][0] for __g['h8'] in [context[63:72]] ][0] for __g['h7'] in [context[54:63]] ][0] for __g['h6'] in [context[45:54]] ][0] for __g['h5'] in [context[36:45]] ][0] for __g['h4'] in [context[27:36]] ][0] for __g['h3'] in [context[18:27]] ][0] for __g['h2'] in [context[9:18]] ][0] for __g['h1'] in [context[0:9]] ][0])[1])[1])[1])[1])[1])[1])[1])[1])[1]) for __g['d'] in [[]] ][0] for __g['context'] in [input[5:-1]] ][0] for __g['fmt2'] in [input[(-1)]] ][0] for __g['fmt1'] in [input[0:5]] ][0])
     for __g['input'] in [raw_input('Input your flag:')] ][0] if __name__ == '__main__' else __after())(lambda : None)
     for __g['check1'], check1.__name__ in [(lambda arg: (lambda __l: [ (lambda __after: 0 if len(list(set(__l['arg']))) != 9 else 1)(lambda : None) for __l['arg'] in [arg] ][0])({}), 'check1')] ][0]
     for __g['check'], check.__name__ in [(lambda arg: (lambda __l: [ sum(map(int, __l['arg'])) for __l['arg'] in [arg] ][0])({}), 'check')] ][0])(globals(), __import__('__builtin__', level=0).__dict__['print'])
    

    由此代码

    if d[0][2] != '5' or d[0][3] != '3':
    if d[1][0] != '8' or d[1][7] != '2':
    if d[2][1] != '7' and d[2][4] != '1' or d[2][6] != '5':
    if d[3][0] != '4' and d[3][5] != '5' or d[3][6] != '3':
    if d[4][1] != '1' and d[4][4] != '7' or d[4][8] != '6':
    if d[5][2] != '3' and d[5][3] != '2' or d[5][7] != '8':
    if d[6][1] != '6' and d[6][3] != '5' or d[6][8] != '9':
    if d[7][2] != '4' or d[7][7] != '3':
    if d[8][5] != '9' or d[8][6] != '7':
    

    可得一个表

    行/列 1 2 3 4 5 6 7 8 9
    1 5 3
    2 8 2
    3 7 1 5
    4 4 5 3
    5 1 7 6
    6 3 2 8
    7 6 5 9
    8 4 3
    9 9 7

    9x9的表加上flag{}正好是87个字符,满足python源码第一行的对长度的判断。

    而下面的代码

    if check(h1) != 45 and check(h2) != 45 and check(h3) != 45 and check(h4) != 45 and check(h5) != 45 and check(h6) != 45 and check(h7) != 45 and check(h8) != 45 or check(h9) != 45:
    if check(l1) != 45 and check(l2) != 45 and check(l3) != 45 and check(l4) != 45 and check(l5) != 45 and check(l6) != 45 and check(l7) != 45 and check(l8) != 45 or check(l9) != 45:
    if check(k1) != 45 and check(k2) != 45 and check(k3) != 45 and check(k4) != 45 and check(k5) != 45 and check(k6) != 45 and check(k7) != 45 and check(k8) != 45 or check(k9) != 45:
    if check1(h1) != 1 and check1(h2) != 1 and check1(h3) != 1 and check1(h4) != 1 and check1(h5) != 1 and check1(h6) != 1 and check1(h7) != 1 and check1(h8) != 1 or check1(h9) != 1:
    if check1(l1) != 1 and check1(l2) != 1 and check1(l3) != 1 and check1(l4) != 1 and check1(l5) != 1 and check1(l6) != 1 and check1(l7) != 1 and check1(l8) != 1 or check1(l9) != 1:
    if check1(k1) != 1 and check1(k2) != 1 and check1(k3) != 1 and check1(k4) != 1 and check1(k5) != 1 and check1(k6) != 1 and check1(k7) != 1 and check1(k8) != 1 or check1(k9) != 1:
    

    则是对每一列和以三行三列为一个块的数据和,进行判断.且刚好就是1+2+3+4+5+6+7+8=45,猜测是数独表,网上数独在线解密

    解得145327698839654127672918543496185372218473956753296481367542819984761235521839764,套上flag即可得到答案。

  • 相关阅读:
    MyMacro
    CConfigXmlFile02
    “十步一杀” 干掉你的职场压力
    只有聪明人才悟到:通向成功的饥饿法则
    高层管理者应具备什么样的特点? (转)
    两个小故事,告诉你不可不知的成功密码
    中秋望月
    锦里中秋有感
    支招:如何增强创业信心,克服创业恐惧?
    创业者必看:创业得出的10条血泪经验
  • 原文地址:https://www.cnblogs.com/b1ank/p/13739115.html
Copyright © 2011-2022 走看看