
reverse_re3 迷宫

1 Ghidra逆向

/* Game loop as decompiled by Ghidra.
 * Reads player input into local_218 via scanf, then replays it one byte at a
 * time as moves: 'w' -> FUN_00100a92, 'a' -> FUN_00100fec, 's' -> FUN_00100c5a,
 * 'd' -> FUN_00100e23, ESC (0x1b) -> return 0xffffffff. The direction each
 * handler implements is not visible in this listing (the writeup identifies
 * them as up/left/down/right). A handler returning 1 finishes the current
 * maze; DAT_00302ab0 (also the maze index used by FUN_0010086c) is then
 * advanced, and after the third maze the success message is printed and
 * 1 is returned. */
undefined8 FUN_00100940(void)

{
  char cVar1;
  undefined8 uVar2;
  long lVar3;
  undefined8 *puVar4;
  long in_FS_OFFSET;
  int local_220;                 /* result of the last move handler (1 = maze done) */
  int local_21c;                 /* read index into the input buffer */
  undefined8 local_218 [65];     /* 520-byte input buffer */
  long local_10;                 /* saved stack-protector canary */

  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_21c = 0;
  puVar4 = local_218;
  /* zero the first 0x40 qwords (512 bytes) of the input buffer */
  for (lVar3 = 0x40; lVar3 != 0; lVar3 = lVar3 + -1) {
    *puVar4 = 0;
    puVar4 = puVar4 + 1;
  }
  /* the format string is at DAT_00101278 and is not shown here, so whether
   * this read is bounded to the 520-byte buffer cannot be confirmed from
   * the listing alone */
  __isoc99_scanf(&DAT_00101278,local_218);
  while( true ) {
    do {
      local_220 = 0;
      FUN_0010086c();   /* locate the player cell (value 3) in the current maze */
      cVar1 = *(char *)((long)local_218 + (long)local_21c);
      if (cVar1 == 'd') {
        uVar2 = FUN_00100e23();
        local_220 = (int)uVar2;
      }
      else if (cVar1 < 'e') {
        if (cVar1 == '\x1b') {
          /* ESC aborts the game; skips the success path below */
          uVar2 = 0xffffffff;
          goto LAB_00100a7c;
        }
        if (cVar1 == 'a') {
          uVar2 = FUN_00100fec();
          local_220 = (int)uVar2;
        }
      }
      else if (cVar1 == 's') {
        uVar2 = FUN_00100c5a();
        local_220 = (int)uVar2;
      }
      else if (cVar1 == 'w') {
        uVar2 = FUN_00100a92();
        local_220 = (int)uVar2;
      }
      /* any other byte leaves local_220 at 0 and is simply skipped.
       * local_21c only ever grows and nothing here stops it at the end of
       * local_218, so an input that never finishes a maze keeps reading
       * past the buffer */
      local_21c = local_21c + 1;
    } while (local_220 != 1);
    if (DAT_00302ab0 == 2) break;       /* third maze finished */
    DAT_00302ab0 = DAT_00302ab0 + 1;    /* next maze */
  }
  puts("success! the flag is flag{md5(your input)}");
  uVar2 = 1;
LAB_00100a7c:
  /* stack-protector check */
  if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
    return uVar2;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}


/* Scans the maze selected by DAT_00302ab0 for the cell whose value is 3 and
 * stores its row in DAT_00302ab4 and its column in DAT_00302ab8.
 * The maze data at DAT_00302020 is addressed as int cells: row stride 0xf,
 * maze stride 0xe1 (= 0xf * 0xf), i.e. 15x15 ints per maze. */
void FUN_0010086c(void)

{
  long in_FS_OFFSET;
  int local_18;   /* row */
  int local_14;   /* column */

  local_18 = 0;
  do {
    if (0xe < local_18) {
      /* stack-protector epilogue; Ghidra has folded the saved canary copy
       * away, so the comparison reads as a location compared with itself */
      if (*(long *)(in_FS_OFFSET + 0x28) != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
        __stack_chk_fail();
      }
      return;
    }
    for (local_14 = 0; local_14 < 0xf; local_14 = local_14 + 1) {
      if (*(int *)(&DAT_00302020 +
                  ((long)DAT_00302ab0 * 0xe1 + (long)local_18 * 0xf) * 4 + (long)local_14 * 4) == 3)
      {
        DAT_00302ab4 = local_18;
        DAT_00302ab8 = local_14;
        /* only the inner loop stops: every row is still scanned, so a later
         * row containing a 3 overwrites the values stored here */
        break;
      }
    }
    local_18 = local_18 + 1;
  } while( true );
}

获得一个输入后,函数FUN_0010086c先找到值为3的位置,将其行值赋给DAT_00302ab4,列值赋给DAT_00302ab8,作为起点。可以看到每行有0xf列,迷宫初始值存储在DAT_00302020中,每隔4个值取一个。

从函数FUN_00100940中可以看到输入为wasd,分别对应上左下右;进入各自触发的函数确认确实如此。

2 exp

从DAT_00302020中导出数据并处理后如下:

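# Byte dump of DAT_00302020; each maze cell is a 4-byte int, so only every
# 4th entry carries a value. The dump is abbreviated on the page.
maze = [0x01, 0x00, 0x00, 0x00, 0x01, 0x00, ...]


def render_maze(raw, width=0xf, stride=4):
    """Render a flat memory dump as text, one maze row per line.

    raw:    flat list of dumped values; only every ``stride``-th entry is a
            cell value (the ints are little-endian, low byte first).
    width:  cells per row (FUN_0010086c uses a row stride of 0xf).
    stride: dump entries per cell.
    Returns the rows joined with "\\n", each row followed by "\\n"; a
    trailing partial row is dropped, as in the original loop. Returns ""
    when there is not even one full row.
    """
    cells = raw[::stride]
    rows = (
        "".join(str(c) for c in cells[j * width:(j + 1) * width])
        for j in range(len(cells) // width)
    )
    return "".join(row + "\n" for row in rows)


# Original script built `xmaze` (every 4th value) and `rm` (rows + "\n");
# the typo `xmazw=[]` left `xmaze` undefined, which render_maze replaces.
print(render_maze(maze))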
111110000000000
111110311000000  ddsssddddsssdss
111110001000000
111110001000000
111110001111100
111110000000100
111110000000100
111110000000110
111110000000010
111110000000040
111111111111111
111111111111111
111111111111111
111111111111111
111111111111111
110000000000000
110311111000000  dddddsssddddsssaassssddds
110110001000000
110000001000000
110110001111100
110110000000100
110110000000100
110110000011110
110110000010010
110110000010000
110111111010110
110111111111110
110000000000040 
111111111111111
111111111111111
000000000000000
031100000000000 ddssddwddssssssdddssssdddss
000101110000000
000111010000000
000010010000000
011010010000000
001110010000000
000000010000000
000000011110000
000000000010000
000000000010000
000000000010000
000000000011110
000000000000010
000000000000040
hamilton@hamilton-Lenovo-G470:~/Downloads$ ./main2 
ddsssddddsssdssdddddsssddddsssaassssdddsddssddwddssssssdddssssdddss
success! the flag is flag{md5(your input)}
hamilton@hamilton-Lenovo-G470:~/Downloads$ echo -n ddsssddddsssdssdddddsssddddsssaassssdddsddssddwddssssssdddssssdddss | md5sum 
aeea66fcac7fa80ed8f79f38ad5bb953  -

flag{aeea66fcac7fa80ed8f79f38ad5bb953}