[SWPUCTF 2021 新生赛]老鼠走迷宫

拿到题之后

查壳

想在linux虚拟机上运行一下，发现

查了文件可以知道是x86_64，需要在windows系统上运行，但是又运行不了，文件损坏

使用HxD打开文件

是MZ开头的文件，也就是exe可执行文件，修改文件后缀，可以运行了

但是打开之后看不懂，查看字符串发现了许多py，猜测可能是pyinstaller工具打包的exe文件，使用pyinstxtractor.py 工具反编译文件，首先将文件与工具放在同一个文件夹中，在当前文件夹打开终端，输入

python pyinstxtractor.py 附件.exe

将会在该目录得到一个文件，如下

打开文件夹，你将会在该目录中看见如下两个文件

在HxD中打开两个文件

将struct这个文件E3前面的代替5文件E3前面的，保存

使用pycdc 工具，将5.pyc文件反编译成.py文件，使用（在当前文件终端）

./pycdc 5.pyc

得到如下python代码：

# Source Generated with Decompyle++
# File: 5.pyc (Python 3.7)
import random
import msvcrt
(row, col) = (12, 12)
(i, j) = (0, 0)
maze = [[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
        [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1], 
        [1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
        [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
        [1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1],
        [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], 
        [1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], 
        [1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], 
        [1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],
        [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1], 
        [1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], 
        [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1], 
        [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1], 
        [1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], 
        [1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], 
        [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1], 
        [1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1], 
        [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], 
        [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], 
        [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1], 
        [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1]]

print('Mice walk in a maze: wasd to move,q to quit')
print("flag is the shortest path's md5,example:if the shortest path is wasdsdw,the flag is md5('wasdsdw')")
(i, j) = (0, 1)
n = 0
while i == row * 2 and j == col * 2 - 1:
    print('ohhhh!!!!you did it')
    break
    print('your position:({},{})'.format(i, j))
    inp = msvcrt.getch()
    n += 1
    ti = i
    tj = j
    if b'a' == inp and i > 0:
        tj -= 1
    elif b'w' == inp and j > 0:
        ti -= 1
    elif b's' == inp and j < row * 2:
        ti += 1
    elif b'd' == inp and i < col * 2:
        tj += 1
    elif b'q' == inp:
        exit('bye!!')
    else:
        print('What???')
    if maze[ti][tj] == 1:
        print(random.choice([
            'no wayy!!',
            "it's wall",
            'nop']))
        continue
    elif maze[ti][tj] == 0:
        print(random.choice([
            'nice!!',
            'yeah!!',
            'Go on']))
        i = ti
        j = tj
    return None

画路径的时候眼睛都要花了，使用脚本

import hashlib
from Crypto.Util.number import *
def valid_actions(matrix, cur_point):
    re = []
    rows = len(matrix)  # 行
    cols = len(matrix[0])   # 列
    if cur_point[1] + 1 < cols and matrix[cur_point[0]][cur_point[1] + 1] != 1:
        re.append('d')
    if cur_point[0] + 1 < rows and matrix[cur_point[0] + 1][cur_point[1]] != 1:
        re.append('s')
    if cur_point[1] - 1 >= 0 and matrix[cur_point[0]][cur_point[1] - 1] != 1:
        re.append('a')
    if cur_point[0] - 1 >= 0 and matrix[cur_point[0] - 1][cur_point[1]] != 1:
        re.append('w')
    return re


def robot_move(cur_point, action):
    if action == 'd':
        return (cur_point[0], cur_point[1] + 1)
    if action == 's':
        return (cur_point[0] + 1, cur_point[1])
    if action == 'a':
        return (cur_point[0], cur_point[1] - 1)
    if action == 'w':
        return (cur_point[0] - 1, cur_point[1])


def main(matrix, start_point, end_point):
    # 地图 起点 终点
    queue = []
    cur_point = start_point
    queue.append((cur_point, [start_point], list()))
    matrix[cur_point[0]][cur_point[1]] = 1
    while queue:
        cur_point, cur_path, path_action = queue.pop(0) # 移除列表的最后一个元素，并返回该元素的值
        if cur_point == end_point:
            return ''.join(path_action)
        else:
            acts = valid_actions(matrix, cur_point)
            if acts:
                for a in acts:
                    next_point = robot_move(cur_point, a)
                    queue.append(
                        (next_point, cur_path + [next_point], path_action + [a]))
                    matrix[next_point[0]][next_point[1]] = 1


if __name__ == '__main__':
    map=[[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
        [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
        [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
        [1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1],
        [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
        [1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
        [1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],
        [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1],
        [1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1],
        [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1],
        [1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
        [1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],
        [1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1],
        [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
        [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
        [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1],
        [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1]]
    start = (0, 1)  # 起点
    end = (24, 23)  # 终点
    path = main(map, start, end)
    print(path)  # wwdddwwwaaawwwwwwwwwddddssssdddssdsssssssdddwwwwddsssd
    encode_pwd = path.encode()  # 把字符串转为字节类型
    # 使用md5加密
    md5_pwd = hashlib.md5(encode_pwd)
    print("加密后：",md5_pwd)
    print("加密后的值：",md5_pwd.hexdigest())

69193150b15c87d39252d974bc323217