头秃的日常刷题21-4-26

最新推荐文章于 2024-09-05 11:10:46 发布

(Shangu)

最新推荐文章于 2024-09-05 11:10:46 发布

阅读量107

点赞数

分类专栏：每日刷题文章标签： python

本文链接：https://blog.csdn.net/weixin_51555115/article/details/116172753

版权

每日刷题专栏收录该内容

8 篇文章 1 订阅

订阅专栏

本文解析了XCTF比赛中的逆向工程挑战，通过IDA工具剖析了一段C++代码，揭示了控制迷宫路径的伪代码逻辑。通过'O'、'o'、'.'和'0'字符，理解了上、下、左、右的控制指令，解构了一个8x8的迷宫地图。关键点在于理解`LOBYTE`函数在方向控制中的作用。

摘要由CSDN通过智能技术生成

Preface

Before solving this maze problems , we need to know the reverse labyrinth usually means that the program defines a function of operation direction.

Maze

Type : REV

Source : XCTF

File : Click here

Check the shell:

Use IDA to check the pseudo code:

As we see , the code which is marked by blue line , is used when the flag is outputing .

So it may be the maze map.

点击展开源代码


    int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 v3; // rbx
  int v4; // eax
  char v5; // bp
  char v6; // al
  const char *v7; // rdi
  unsigned int v9; // [rsp+0h] [rbp-28h] BYREF
  int v10[9]; // [rsp+4h] [rbp-24h] BYREF
  v10[0] = 0;
  v9 = 0;
  puts("Input flag:");
  scanf("%s", &s1);
  if ( strlen(&s1) != 24 || strncmp(&s1, "nctf{", 5uLL) || *(&byte_6010BF + 24) != 125 )
  {
LABEL_22:
    puts("Wrong flag!");
    exit(-1);
  }
  v3 = 5LL;
  if ( strlen(&s1) - 1 > 5 )
  {
    while ( 1 )
    {
      v4 = *(&s1 + v3);
      v5 = 0;
      if ( v4 > 78 )
      {
        if ( (unsigned __int8)v4 == 79 ) //O
        {
          v6 = sub_400650(v10);
          goto LABEL_14;
        }
        if ( (unsigned __int8)v4 == 111 )  //o
        {
          v6 = sub_400660(v10);
          goto LABEL_14;
        }
      }
      else
      {
        if ( (unsigned __int8)v4 == 46 )  //.
        {
          v6 = sub_400670(&v9);
          goto LABEL_14;
        }
        if ( (unsigned __int8)v4 == 48 )  //0
        {
          v6 = sub_400680(&v9);
LABEL_14:
          v5 = v6;
          goto LABEL_15;
        }
      }
LABEL_15:
      if ( !(unsigned __int8)sub_400690(asc_601060, (unsigned int)v10[0], v9) )
        goto LABEL_22;
      if ( ++v3 >= strlen(&s1) - 1 )
      {
        if ( v5 )
          break;
LABEL_20:
        v7 = "Wrong flag!";
        goto LABEL_21;
      }
    }
  }
  if ( asc_601060[8 * v9 + v10[0]] != 35 )
    goto LABEL_20;
  v7 = "Congratulations!";
LABEL_21:
  puts(v7);
  return 0LL;
}

According to the source code, we can analyze the letter of the control direction：

sub_400690(__int64 a1, int a2, int a3)
{
  __int64 result; // rax

  result = *(unsigned __int8 *)(a1 + a2 + 8LL * a3);
  LOBYTE(result) = (_DWORD)result == ' ' || (_DWORD)result == '#';
  return result;
}

The pseudo code is “LOBYTE” it has realized the direction can be controled .

These are the info about the function:

LOWORD()得到一个32bit数的低16bit
HIWORD()得到一个32bit数的高16bit
LOBYTE()得到一个16bit数最低（最右边）那个字节
HIBYTE()得到一个16bit数最高（最左边）那个字节

We can analyze the function of the corresponding letters :

O左
o右
.上
0下

The maze is in v9:

8x8:

o0******
*oo *  *
***0* **
** 0* **
**0O* **
* 0*#O.*
**0***.*
**oooo.*
********

flag get!

nctf{o0oo00O000oooo…OO}

(Shangu)

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
头秃的日常刷题21-4-26

PrefaceBefore solving this maze problems , we need to know the reverse labyrinth usually means that the program defines a function of operation direction.MazeType : REVSource : XCTFFile : Click hereCheck the shell:Use IDA to check the pseudo code:
复制链接

扫一扫

专栏目录