First, check for a packer: there is none.

Run it with arbitrary input to see how the program behaves: entering a random string produces a "key error" message.

Open it in IDA, find main0 in the function window on the left, press F5 to decompile, and analyse. The details of the analysis are marked up in the figure.

The logic of the main function is easy to follow, but things get difficult after that. I first opened 45C748 (the function that transforms Str). As the figure below shows, it appears to do some initialisation before transforming Str.

The whole process is not hard to follow, but when I opened function 45DCD3, I was completely lost.

There was nothing to analyse there (I only learned later that it had been VM-protected), so I opened OD and entered 012345678901234567891234 to see what happens (I once did a reversing challenge that left a strong impression: it also had a string-transforming function that I could not make out at all in IDA, but one run in OD showed it was simply base64 encoding. ╮(╯▽╰)╭). The transformed result is shown in the figure below.

I have not done many reversing challenges, but from past experience, when I cannot make sense of something in IDA, stepping through it in OD often pays off. So I stepped into this function. The result: what I did not understand I still did not understand, and I had no way forward. ╮(╯_╰)╭ Later, while debugging, I happened to use the string from the figure above (0000000000::>>::'&**%'%#) as the input, and found that the return value was actually 012345678901234567891234. I did not think much of it at the time. Only later did it suddenly dawn on me: if I knew the correct input, I could enter it first and get the encrypted string, and that would be the flag. That gave me the motivation to carry on.

Continuing with the analysis.

Next, open the 45CC4D function inside it. (The comments in it were added later, after reading someone else's WP.)

I had done similar maze reversing challenges before, so I knew there had to be a "map", but I searched for ages without finding it. On top of that, the function nests further functions, and following these return values gave me a headache; in the end I read someone else's WP to find the approach. It turns out you write an IDC script (IDA's built-in scripting language, my first time using it) at this if statement.

The script is easy to understand. The arrays in the four functions are all different, so change the address passed to Dword for each one in turn and dump the "map".

 auto i, n;
 n = 26 * 12;   // assumed: the loop bound was lost in extraction; the dump below is 26 cells wide, adjust the row count to the map
 for (i = 0; i < n; i++) {
     // Dword() reads 4 bytes, so step both addresses by 4*i; compare each map entry with the value the if statement tests against
     if (Dword(0x540548 + 4*i) ^ Dword(0x540068 + 4*i))
         Message("0,");
     else
         Message("1,");
 }

I used Python; since Python strings cannot be modified in place at a given position, this would be more comfortable in C.

 up = '0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0'.replace(',', '')
 down = '1,1,0,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0'.replace(',', '')
 left = '0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1'.replace(',', '')
 right = '0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0'.replace(',', '')

 # Value in the dumped bitmaps that marks a passable direction. The character in
 # the original comparison was lost in extraction; '1' is assumed here, since the
 # IDC script prints "1," when the map entry equals the value the if statement tests.
 OPEN = '1'

 tmp = '~`-.'                   # one placeholder per direction: up, down, left, right
 # stop at the shortest array so a shorter dump cannot raise IndexError
 for i in range(min(map(len, (up, down, left, right)))):
     if i % 26 == 0:            # the maze is 26 cells wide: start a new row
         print('\n')
     if up[i] == OPEN:
         tmp = tmp.replace('~', 'U')
     if down[i] == OPEN:
         tmp = tmp.replace('`', 'D')
     if left[i] == OPEN:
         tmp = tmp.replace('-', 'L')
     if right[i] == OPEN:
         tmp = tmp.replace('.', 'R')
     print(tmp + ' ', end='')
     tmp = '~`-.'

Finally, open the corresponding map in Paint and draw the route.

0-d
2-l
3-r
4-u
06260826062b0829072e0629
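As an added example (not part of the original write-up), the route-finding step done in code rather than in Paint: a breadth-first search over four per-cell direction bitmaps laid out like the dump above, with the result encoded by the key just listed. The sample maze, its start and end cells, the '1' = passable polarity, and the reading of each flag as the passability of the neighbouring cell are all constructed assumptions.

```python
from collections import deque

GRID = ["..#...", ".##.#.", "....#.", "###..."]   # constructed 6x4 maze: '.' open, '#' wall
W, H = len(GRID[0]), len(GRID)
OPEN = '1'                                          # assumed polarity of the dumped flags
MOVES = {'U': -W, 'D': W, 'L': -1, 'R': 1}          # index delta for each direction
DIGITS = {'D': '0', 'L': '2', 'R': '3', 'U': '4'}   # the write-up's direction key

def direction_maps(grid):
    # Four per-cell bitmaps in the write-up's layout: flag[d][i] says whether the
    # cell one step from i in direction d is open (assumed meaning of the dump).
    flat = ''.join(grid)
    maps = {}
    for d, off in MOVES.items():
        bits = []
        for i in range(W * H):
            j = i + off
            wraps = (d == 'L' and i % W == 0) or (d == 'R' and j % W == 0)
            ok = 0 <= j < W * H and not wraps and flat[j] == '.'
            bits.append(OPEN if ok else '0')
        maps[d] = ''.join(bits)
    return maps

def solve(maps, start, end):
    # Breadth-first search driven only by the four bitmaps; returns the shortest
    # route as U/D/L/R letters, or None when end is unreachable.
    prev = {start: None}
    queue = deque([start])
    while queue:
        i = queue.popleft()
        if i == end:
            break
        for d, off in MOVES.items():
            j = i + off
            if maps[d][i] == OPEN and j not in prev:
                prev[j] = (i, d)
                queue.append(j)
    if end not in prev:
        return None
    moves = []
    while prev[end] is not None:           # walk the predecessor chain back to start
        end, d = prev[end]
        moves.append(d)
    return ''.join(reversed(moves))

def encode(moves):
    # One digit per step by the write-up's key (assumed packing; the page does not say how the digits combine)
    return ''.join(DIGITS[m] for m in moves)
```

Feed the real dump in by replacing direction_maps(GRID) with the four strings from the script above, keeping W = 26.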

Then, following the earlier idea, I entered 06260826062b0829072e0629, obtained the encrypted string, and fed that string back in as the input: success, as shown below.

It shows a QR code and says the final flag must have the author's name appended. That's the end.

In the end I found this challenge quite interesting; in fact, had I used IDC before, I could have solved it myself without reading others' WPs.

Challenge: BUGKU, Take the maze.