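I studied this challenge after reading the official solution, then worked through it again from scratch and organized it into my own writeup to consolidate what I learned.

I opened the binary in IDA and OD (OllyDbg) hoping to find useful strings (such as an "Input the flag" prompt), but found nothing of the sort. Searching the strings does turn up this:

According to what I looked up, these 24 characters make up an encoding scheme: base24.


Reference: base24

So I located where this string is used: the function at 00404820.

The following features stand out: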


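Here the input is clearly consumed two characters per value: v6 and v7 are combined (effectively a base24 decode) and the result is stored in v15 (v5 is a variable used as a counter).

So the input we need to construct comes in groups of two characters; base24-decoding each group yields a value that is then processed further.

Here there are four branches, and v8 is v15 & 0xf. The key point is that of the lower two, one uses a plus sign and the other a minus sign, and both jump to LABEL_11.

The upper two both jump to LABEL_14, so a reasonable guess is that these are four directions: up, down, left and right (the Baidu Cup has many direction challenges like this).

So v8 controls the step count and v15>>4 controls the direction.

Looking at function 404AA0, which handles 0xC, there is code like this:

A reasonable guess is that 40A6EC records the total number of steps I have taken in the maze, and 40A018 records my position in the maze (the 17 means one row holds 17 elements, so adding 17 moves down one row).

Following this pattern, 0xC is down, 0xE is up, 0xD is left and 0xF is right.

So where does the map data come from?

v3 is built from four pieces of data; locating those data and computing on them gives the map:

So the start is at (1,0) and the end is at (15,16).

Next, what is the termination condition?

The total number of moves in the maze is 54 steps, and the final position is 271, i.e. (15,16).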


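So all we need is the walking path (BFS or DFS as used in ACM contests both work).

Then derive a sequence of moves (so many steps up, so many steps down, and so on) such that the total number of steps from start to end is 54.

Each move is an integer: for example, 3 means 3 steps to the right and 17 means one step down.

Then, using the four directions from the challenge and the base24 encoding scheme, encode our move sequence.

The path is: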

( 1 , 0 )--> ( 1 , 1 )--> ( 1 , 2 )--> ( 1 , 3 )--> ( 2 , 3 )--> ( 3 , 3 )--> ( 3 , 4 )--> ( 3 , 5 )--> ( 2 , 5 )--> ( 1 , 5 )--> ( 1 , 6 )--> ( 1 , 7 )--> ( 1 , 8 )--> ( 1 , 9 )--> ( 1 , 10 )--> ( 1 , 11 )--> ( 2 , 11 )--> ( 3 , 11 )--> ( 4 , 11 )--> ( 5 , 11 )--> ( 5 , 10 )--> ( 5 , 9 )--> ( 5 , 8 )--> ( 5 , 7 )--> ( 5 , 6 )--> ( 5 , 5 )--> ( 6 , 5 )--> ( 7 , 5 )--> ( 7 , 4 )--> ( 7 , 3 )--> ( 8 , 3 )--> ( 9 , 3 )--> ( 9 , 2 )--> ( 9 , 1 )--> ( 10 , 1 )--> ( 11 , 1 )--> ( 12 , 1 )--> ( 13 , 1 )--> ( 13 , 2 )--> ( 13 , 3 )--> ( 13 , 4 )--> ( 13 , 5 )--> ( 14 , 5 )--> ( 15 , 5 )--> ( 15 , 6 )--> ( 15 , 7 )--> ( 15 , 8 )--> ( 15 , 9 )--> ( 15 , 10 )--> ( 15 , 11 )--> ( 15 , 12 )--> ( 15 , 13 )--> ( 15 , 14 )--> ( 15 , 15 )--> (15 , 16)

The path as integer moves:
goto = [3,34,2,-34,6,68,-6,34,-2,34,-2,68,4,34,11]

The final flag is:
X6T7X7W7X2T4V2T7V7T7V7T4X4T7XT

My own Python code is attached below:
d_6a0 = [0x87,0xae,0x99,0x3c,0x59,0x41,0x2e,0x1d,0x84,0x23,0x30,0x23,0x26,0x10,0x83,0x5,0x29,0x9d,0xa0,0x16,0xdb,0x41,0x72,0xe7,0x4f,0x64,0x7b,0x8b,0xfe,0x4b,0xff,0x8b,0xf8,0x70,0xa8,0xf3,0x1d,0x20,0x4,0x2a,0x46,0x12,0x74,0x17,0xaa,0x2f,0x23,0xd,0x8e,0xce,0xd5,0x1c,0xe8,0x34,0x7a,0xfa,0x27,0x40,0xe2,0x81,0x3a,0xcb,0xaf,0xff,0x6,0x3,0xe0,0xdd,0x43,0xe9,0xd8,0x9b,0x39,0x52,0xdb,0x57,0x9c,0x73,0x98,0x80,0x46,0xdd,0xa5,0xd8,0xec,0x51,0xde,0x98,0xd7,0x18,0x3d,0xd8,0x7e,0x6,0xdd,0xa0,0x5c,0xd0,0xcd,0x27,0x1f,0x39,0xc6,0x79,0x0,0x93,0xde,0x68,0xd8,0x57,0x53,0x7f,0x10,0x5a,0x3c,0x2c,0x58,0xd8,0x71,0xaa,0x6c,0x7c,0x2e,0x54,0x31,0x74,0x15,0x50,0xd,0xd1,0x88,0x4e,0x98,0xca,0x71,0x99,0xdc,0xf4,0x7e,0x22,0x1b,0x95,0xb,0xfb,0x18,0xea,0x70,0x41,0x8e,0x2b,0x35,0x54,0x32,0xe3,0xff,0xf4,0x75,0x2a,0xbb,0xeb,0x70,0x73,0xc,0x3b,0x90,0x9c,0x31,0x66,0x8c,0xfd,0xd6,0xe6,0x82,0x2e,0xba,0x97,0xdc,0xa2,0x8e,0xd,0xe9,0x72,0x85,0x7,0x1d,0xe2,0x20,0x6c,0x3d,0xa,0x8d,0xa9,0x1,0x5b,0x91,0xb5,0xa2,0x8b,0xd5,0xdc,0x20,0xd5,0x3f,0x7e,0x14,0xae,0x97,0x25,0xfd,0xf,0x43,0x2f,0x12,0xbc,0xc5,0x28,0x2a,0x62,0x35,0xf,0xfc,0x99,0xf6,0x35,0xda,0xc0,0xf,0xe9,0x49,0x49,0x6,0x1d,0x37,0xfa,0x0,0xab,0x47,0xd7,0xc2,0x15,0x39,0x42,0xeb,0x5e,0x13,0x16,0x66,0x82,0xc5,0x89,0x41,0xd2,0x34,0xf9,0x73,0x73,0x4a,0x6,0xcd,0x6,0xc7,0xe9,0xd2,0xc9,0xec,0x69,0xd8,0x4,0x32,0x21,0x43,0xc7,0xc6,0xf0,0x9,0x90,0x11,0xde,0xfe,0xc1,0xef,0x9e,0xac,0x22,0xfd,0x92,0x61,0x59,0x1e]
d_2c0 = [0x10,0x27,0x1b,0x44,0x2e,0x30,0x99,0x7f,0x1f,0xb8,0xb1,0xab,0x78,0x90,0x3a,0x58,0x9e,0x1d,0x9b,0x5d,0x58,0x55,0x3,0x7e,0x28,0x3,0x1a,0x13,0x1c,0x11,0x77,0x27,0x60,0x6,0x93,0x5f,0x56,0xe,0x7d,0x5c,0x29,0x7a,0x10,0x62,0x9e,0x87,0xa3,0xb9,0x6b,0x63,0xbf,0x53,0x4d,0xad,0x16,0xb0,0x15,0x7c,0x71,0xbf,0x2,0xa4,0x2b,0x46,0x55,0x74,0x9d,0x43,0xa1,0x83,0x99,0x94,0x62,0x2d,0x5b,0x14,0x4f,0x18,0x3c,0x7,0x33,0xbc,0x29,0xb8,0x78,0x22,0x94,0xa0,0x5,0x2b,0x69,0x8a,0x4a,0x55,0x44,0x75,0x18,0xba,0xa1,0x3a,0x77,0x99,0x94,0x2e,0x72,0x59,0xba,0xa,0xb6,0x4b,0x6f,0x9,0x9b,0x30,0x41,0x92,0x2,0xbb,0x25,0x97,0xa0,0x58,0xa9,0x3d,0x99,0xac,0x6a,0x7d,0x51,0x5f,0x7,0xa,0x3f,0x58,0x15,0xb4,0x3,0x47,0x14,0x4c,0x79,0xa9,0x62,0x89,0x8e,0x87,0x2f,0xaa,0x12,0x40,0xb1,0x9d,0x4f,0x89,0x99,0x20,0x1a,0xb2,0x85,0x26,0x27,0xab,0x77,0x7c,0x21,0x6,0x46,0xac,0x3a,0x3e,0x13,0x21,0x0,0xb9,0x7f,0x4d,0xb2,0x8a,0x1b,0x88,0x51,0x3a,0x21,0x3a,0x7a,0x48,0xa1,0x7a,0xb2,0xae,0xbd,0x77,0x83,0x26,0x19,0x17,0x7,0xad,0xe,0x5f,0x42,0x7,0x5e,0x13,0x34,0x3,0xad,0x9e,0x6f,0x40,0x2e,0x73,0x27,0x70,0x5b,0x75,0x48,0x1c,0x69,0x95,0x8c,0x29,0x3b,0x3a,0x4c,0x19,0x56,0xa5,0x16,0x94,0x95,0x55,0x1,0x29,0x1d,0x28,0x3d,0x90,0x94,0x44,0x6e,0x32,0x8e,0x35,0xbb,0x2a,0x88,0x57,0xa1,0x4e,0x99,0x77,0x8e,0xa9,0xa5,0xb5,0x2b,0x8b,0x14,0x6c,0xb9,0x44,0x43,0x15,0x9f,0x2c,0xb9,0xa9,0x2,0x66,0x5c,0x86,0x97,0xa6,0xa4,0x14,0xb5,0xb1,0x51,0xa8,0x6f,0xa4,0x19,0xa9,0x20,0x38,0xa5,0xb1,0x7]
d_410 = [0x4c,0x11,0x29,0x16,0x5d,0x51,0x4d,0x3e,0x6f,0x3e,0x59,0x65,0x57,0x2c,0x5d,0x2c,0x46,0x56,0x3b,0x41,0x40,0x0,0x36,0x25,0x50,0x5a,0x4c,0x33,0x79,0x28,0x46,0x5e,0x6f,0x20,0xd,0x3a,0x8,0x13,0x3f,0x3e,0x6d,0x50,0x2,0x48,0x15,0x46,0x19,0x61,0x74,0x68,0x35,0x42,0x6f,0x56,0xd,0x18,0x14,0x39,0x30,0x5,0x8,0x6e,0x1a,0x67,0x40,0x68,0x6,0x5c,0x74,0x4f,0x4,0x6,0x51,0x6d,0x4b,0xb,0x6f,0x4b,0x50,0x60,0x2,0x17,0x18,0x48,0x54,0x49,0x4a,0x17,0x73,0x7,0x8,0x3c,0x26,0x45,0x7f,0x7e,0x26,0x30,0x3d,0x6,0xb,0x4d,0x43,0x1e,0x5,0x5d,0x5c,0x38,0x4c,0x5,0x2d,0x32,0x5a,0x2b,0xc,0x58,0x57,0x23,0x16,0x2b,0x55,0xb,0x7b,0x61,0x3d,0x73,0x1d,0x2c,0x9,0x42,0x5a,0x3f,0x34,0x54,0x25,0xf,0x6f,0x68,0x5c,0x56,0x16,0x3a,0x55,0x5e,0x62,0x6c,0x3b,0x7c,0x60,0x2a,0x18,0x5a,0x22,0xe,0x32,0x7a,0x34,0x41,0x1b,0x78,0x51,0x64,0x4,0x10,0x57,0x2e,0x52,0x5f,0x79,0x56,0x74,0x6e,0x34,0x33,0x73,0x6c,0x4,0x22,0x4a,0x3b,0x57,0x28,0x79,0x2f,0x42,0x58,0x55,0x12,0x73,0x77,0x22,0x6b,0x67,0x5f,0x63,0x7f,0x5d,0x21,0x71,0x19,0xa,0x6e,0x4b,0x7,0xe,0x38,0x2d,0x65,0x27,0x14,0x64,0x1e,0x24,0x63,0x60,0x2f,0x1d,0x31,0xb,0x2e,0x62,0x5d,0x59,0xb,0x31,0x7a,0x20,0x17,0x2c,0x76,0x2b,0x42,0x9,0x79,0xa,0x29,0xc,0x10,0x2b,0x50,0x32,0xb,0x2f,0x2b,0x30,0x24,0x76,0x64,0x1b,0x61,0x7c,0x58,0x69,0x3b,0x69,0x63,0x18,0x7f,0x63,0x5d,0x2d,0x75,0x27,0x64,0x60,0x40,0x58,0x5c,0x16,0x5,0x16,0x35,0xf,0x4f,0x53,0x6c,0x61,0x32,0x62,0x55,0x25,0x2f,0x51,0x17,0x70,0x58,0x79,0x78,0x5]
d_550 = [0x4a,0x77,0x58,0x61,0x19,0x1f,0x69,0x23,0x2b,0x5c,0x27,0x22,0x6,0x53,0x5b,0x30,0x70,0x2a,0x0,0xa,0x43,0x13,0x3b,0x74,0x17,0xd,0x15,0x65,0x69,0x31,0x42,0x4e,0x29,0x55,0x2d,0x72,0x42,0x1b,0x39,0x38,0x1,0x17,0x61,0x2c,0x1e,0x62,0x66,0x52,0x70,0x45,0x34,0xc,0x36,0x42,0x5f,0x32,0x1e,0x3,0x63,0x39,0x30,0x0,0x6a,0x51,0x13,0xf,0x77,0x41,0x6d,0x1b,0x3c,0x8,0x9,0x11,0x34,0x37,0x63,0x1f,0x53,0x27,0x72,0x4a,0x73,0x17,0x3f,0x29,0x0,0x21,0x5f,0x2b,0x4c,0x16,0xe,0xe,0x1a,0x57,0x1e,0x39,0x2f,0x16,0x5d,0x52,0xe,0x39,0x6c,0x6c,0x7,0x2a,0x21,0x16,0xe,0x43,0x30,0x3e,0x70,0x66,0x2,0x40,0x3d,0x11,0x77,0x18,0xc,0x8,0x6b,0x64,0x62,0x1,0x53,0x4c,0x35,0x4,0x73,0x3e,0x3f,0x1d,0x6f,0x4a,0xd,0x18,0x4b,0x1,0x13,0x14,0x33,0x0,0x23,0x6f,0x3b,0x40,0x6b,0x6f,0x5a,0x5b,0x34,0x5a,0x3b,0x56,0x23,0x55,0x6,0x73,0x77,0x36,0x5a,0x6c,0x25,0x6b,0x3d,0x6c,0x50,0x59,0x4d,0x64,0x51,0x6e,0x69,0x5,0x4a,0x4a,0x60,0x1f,0x2a,0xd,0x24,0x51,0x2b,0x3,0x1c,0x2c,0xe,0x72,0x1b,0x1e,0x25,0x23,0x48,0x4,0x6a,0x6a,0x58,0x64,0x16,0x65,0x11,0x75,0xc,0x55,0x6a,0x3a,0x8,0x3d,0x10,0x69,0x3d,0x2e,0x44,0x4c,0x50,0x6b,0xd,0x52,0x74,0x4,0x65,0x5f,0x39,0x35,0x33,0x66,0x68,0x5,0x2d,0x5a,0x13,0x5a,0x6e,0x36,0x2a,0x1,0x24,0x64,0x35,0x40,0x77,0x17,0x77,0x71,0x48,0x65,0x5b,0x4c,0x50,0x15,0x6c,0x62,0x49,0xe,0x76,0xc,0x51,0x38,0x6a,0x78,0x13,0x5,0x9,0x51,0x1a,0x42,0x9,0xc,0x41,0x6,0x59,0x17,0x42,0x3c,0x4c,0x13,0x5a,0xa,0x63,0x73,0x6c,0x51,0x4a,0x6f,0x13]

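# Rebuild the 17x17 map from the four tables: cell i is open ('0') when
# ((d_6a0[i] ^ d_2c0[i]) - d_410[i]) & 0xff == d_550[i], otherwise a wall ('1').
t = []
for i in range(289):
    tmp = ((d_6a0[i] ^ d_2c0[i]) - d_410[i]) & 0xff
    if tmp == d_550[i]:
        t += [i]
#print(t)

# s is the printable map (17 cells per row), mp is the same map as a flat string
s = ''
mp = ''
for i in range(289):
    if i in t:
        s += '0'
        mp += '0'
    else:
        s += '1'
        mp += '1'
    if i % 17 == 16:
        s += '\n'
    else:
        s += ' '
print(s)

mapsize = 30
dirsize = 4
# a[i][j] holds (direction index + 1) used to enter cell (i, j); 0 means unvisited
a = [[0] * mapsize for i in range(mapsize)]
# direction k: 0 = down, 1 = right, 2 = left, 3 = up (i is the row, j the column)
dx = [1,0,0,-1]
dy = [0,1,-1,0]

def printans(i,j):
    # Walk back from (i, j) to the start (1, 0), then print the cells in path order
    global point
    point += 1
    x = i - dx[a[i][j] - 1]
    y = j - dy[a[i][j] - 1]
    if x == 1 and y== 0:
        print('(',x,',',y,')-->', end=' ')
        return
    else:
        printans(x,y)
    print('(',x,',',y,')-->', end=' ')

def printans2(i,j):
    # Same walk back, but collect the direction codes (1..4) of each step into goto
    global goto
    x = i - dx[a[i][j] - 1]
    y = j - dy[a[i][j] - 1]
    if x == 1 and y== 0:
        goto += [a[i][j]]
        return
    else:
        printans2(x,y)
        #print(a[i][j], end=' ')
        goto += [a[i][j]]

def getans(i,j):
    # Depth-first search from (i, j) to the end cell (15, 16)
    global a
    #global flag
    #if flag == True:
        #return
    if i==15 and j==16:
        print('Yes')
        printans(i,j)
        print('(15 , 16)')
        printans2(i,j)
        #flag = True
        return
    else:
        for k in range(0,dirsize):
            newi = i + dx[k]
            newj = j + dy[k]
            if (newi > 0 and newi < 17 and newj > 0 and newj < 17 and mp[newi*17+newj] == '0' and a[newi][newj] == 0):
                a[newi][newj] = k+1
                getans(newi,newj)

point = 1
goto = []
simple = []
getans(1,0)
print(goto)

# Merge runs of the same direction into signed moves on the flat position:
# +17 per step down, +1 right, -1 left, -17 up
dirc = [0,17,1,-1,-17]
tmp = 0
number = 0
for i in goto:
    if number == 0:
        tmp = i
        number += 1
    elif i == tmp:
        number += 1
    else:
        simple += [dirc[tmp] * number]
        tmp = i
        number = 1
simple += [dirc[tmp] * number]
print(simple)

string = 'BCDFGHJKMPQRTVWXY2346789'
def decode(num):
    # Despite its name, this encodes one move as two base24 symbols:
    # the direction symbol (index 0xc..0xf), then the symbol at index 23 - step count
    global flag
    if num > 0:
        if num % 17 == 0:
            flag += string[0xc] + string[23 - num // 17]
        else:
            flag += string[0xf] + string[23 - num]
    else:
        if num % 17 == 0:
            flag += string[0xe] + string[23 + num // 17]
        else:
            flag += string[0xd] + string[23 + num]
flag = ''
for i in simple:
    decode(i)
print(flag)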
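
The end conditions described above (54 total steps, final position 271) can be replayed against the flag. This is an added example, not the author's script or the challenge's code: the pair-to-byte mapping is an assumption inferred from the author's encoding routine (first symbol index = direction nibble, second symbol index = 23 minus the step count), the function names are hypothetical, and walls are not checked because the map tables are not repeated here.

```python
ALPHABET = 'BCDFGHJKMPQRTVWXY2346789'   # 24-symbol table used by the script above
ROW = 17                                # cells per row, per the writeup
START = 1 * ROW + 0                     # start cell (1,0) as a flat position
# direction nibble -> change in flat position per step (0xC down, 0xE up, 0xD left, 0xF right)
DELTA = {0xC: ROW, 0xE: -ROW, 0xD: -1, 0xF: 1}


def decode_pair(pair):
    """Turn one 2-symbol group into a command byte: high nibble = direction,
    low nibble = step count. Assumed mapping, inverse of the script above."""
    if len(pair) != 2 or any(c not in ALPHABET for c in pair):
        raise ValueError('bad group %r' % (pair,))
    direction = ALPHABET.index(pair[0])
    steps = 23 - ALPHABET.index(pair[1])
    if direction not in DELTA or not 0 < steps <= 0xF:
        raise ValueError('group %r is not a valid move' % (pair,))
    return (direction << 4) | steps


def replay(flag):
    """Replay the flag; return (signed moves, total steps, final flat position)."""
    if len(flag) % 2:
        raise ValueError('flag must consist of 2-symbol groups')
    pos, total, moves = START, 0, []
    for k in range(0, len(flag), 2):
        cmd = decode_pair(flag[k:k + 2])
        steps = cmd & 0xF                  # v8 = v15 & 0xf in the writeup
        delta = DELTA[cmd >> 4] * steps    # v15 >> 4 selects the direction
        pos += delta
        total += steps
        moves.append(delta)
    return moves, total, pos


def meets_end_conditions(flag):
    """True when the replay ends with 54 total steps at position 271 (15,16)."""
    try:
        _, total, pos = replay(flag)
    except ValueError:
        return False
    return total == 54 and pos == 271


if __name__ == '__main__':
    print(replay('X6T7X7W7X2T4V2T7V7T7V7T4X4T7XT'))
```
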

Challenge link:

Baidu Cup February Reverse challenge

Official solution:

writeup