当前位置:网站首页>[anwangbei 2021] Rev WP
[anwangbei 2021] Rev WP
2022-07-01 13:42:00 【fa1c4】
hit_re
If the dll Missing mistakes , stay https://www.dll-files.com/ Download the corresponding 32 / 64 bits Of dll File copy to C:\Windows\System32 perhaps C:\Windows\SysWOW64 Folder to run
Shell less , Drag in IDA32, Direct inverse main function
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int result; // eax
int v4; // eax
int v5; // [esp-4h] [ebp-414h]
int v6; // [esp-4h] [ebp-414h]
int (__cdecl *v7)(int); // [esp-4h] [ebp-414h]
int v8; // [esp+0h] [ebp-410h]
int v9; // [esp+0h] [ebp-410h]
int v10; // [esp+0h] [ebp-410h]
int v11; // [esp+0h] [ebp-410h]
int v12; // [esp+0h] [ebp-410h]
int v13; // [esp+0h] [ebp-410h]
int v14; // [esp+0h] [ebp-410h]
int v15; // [esp+0h] [ebp-410h]
int v16; // [esp+0h] [ebp-410h]
int v17; // [esp+4h] [ebp-40Ch]
int v18; // [esp+4h] [ebp-40Ch]
int v19; // [esp+4h] [ebp-40Ch]
int v20; // [esp+4h] [ebp-40Ch]
int v21; // [esp+4h] [ebp-40Ch]
int v22; // [esp+4h] [ebp-40Ch]
int v23; // [esp+10h] [ebp-400h]
int v24; // [esp+18h] [ebp-3F8h]
void *v25; // [esp+24h] [ebp-3ECh]
int v26; // [esp+30h] [ebp-3E0h]
int v27; // [esp+30h] [ebp-3E0h]
int v28; // [esp+38h] [ebp-3D8h]
int v29; // [esp+38h] [ebp-3D8h]
int v30[9]; // [esp+4Ch] [ebp-3C4h] BYREF
char v31[36]; // [esp+70h] [ebp-3A0h] BYREF
int v32[9]; // [esp+94h] [ebp-37Ch] BYREF
char v33[36]; // [esp+12Ch] [ebp-2E4h] BYREF
char T_F; // [esp+1C7h] [ebp-249h]
char act; // [esp+36Bh] [ebp-A5h]
char *q; // [esp+374h] [ebp-9Ch]
char *p; // [esp+380h] [ebp-90h]
char *str_in; // [esp+38Ch] [ebp-84h]
char v39; // [esp+39Bh] [ebp-75h]
char *j; // [esp+3A4h] [ebp-6Ch]
char *i; // [esp+3B0h] [ebp-60h]
char *moves; // [esp+3BCh] [ebp-54h]
int not_right_moves; // [esp+3C8h] [ebp-48h]
int right_moves; // [esp+3D4h] [ebp-3Ch]
char data_in[32]; // [esp+3E0h] [ebp-30h] BYREF
int v46; // [esp+40Ch] [ebp-4h]
__CheckForDebuggerJustMyCode(&unk_42E069);
print(std::cout, "your solution: ");
sub_41113B(v8, v17);
v46 = 0;
readin(std::cin, data_in);
if ( moves_count(v9, v18) != 50 ) // input count 50
goto fail;
right_moves = 0;
not_right_moves = 0;
moves = data_in;
i = (char *)sub_41105A(v10, v19);
j = (char *)sub_411005(v11, v20);
while ( i != j )
{
v39 = *i;
if ( v39 == 'd' )
{
++right_moves;
if ( not_right_moves != 6 && not_right_moves != 2 )
_exit(1);
not_right_moves = 0;
}
else
{
++not_right_moves;
}
++i;
}
if ( right_moves == 10 ) // right moves 10 times
{
str_in = data_in;
p = (char *)sub_41105A(v10, v19);
q = (char *)sub_411005(v12, v21);
while ( p != q )
{
act = *p;
switch ( act )
{
case 'a':
--left_right;
break;
case 'd':
++left_right;
break;
case 's':
++up_down;
break;
case 'w':
--up_down;
break;
default:
_exit(-1);
}
if ( map[11 * up_down + left_right] != 1 )// == 1 can move in
_exit(-2);
++p;
}
sub_4111C2((int)data_in);
v26 = sub_4113E8((int)v33);
LOBYTE(v46) = 1;
T_F = sub_4114D3("dcc1df36a15968fb206fe52294bb4130", v26);
LOBYTE(v46) = 0;
sub_4114AB(v13, v22);
if ( T_F )
{
v28 = print(std::cout, "flag is: flag{");
v27 = sub_41160E(data_in, (int)v32, 0, 0x10u);
LOBYTE(v46) = 2;
sub_4111C2(v27);
v25 = (void *)sub_4113E8((int)v31);
LOBYTE(v46) = 3;
v24 = sub_41160E(v25, (int)v30, 0, 0x10u);
LOBYTE(v46) = 4;
v4 = sub_411451(v28, v24);
v23 = print(v4, "}");
std::ostream::operator<<(v23);
LOBYTE(v46) = 3;
sub_4114AB((int)sub_411564, v14);
LOBYTE(v46) = 2;
sub_4114AB(v5, v15);
LOBYTE(v46) = 0;
sub_4114AB(v6, v16);
}
else
{
v29 = print(std::cout, "a little deviation");
v7 = sub_411564;
std::ostream::operator<<(v29);
}
system("pause");
v46 = -1;
sub_4114AB((int)v7, v14);
result = 0;
}
else
{
fail:
v46 = -1;
sub_4114AB(v10, v19);
result = -10;
}
return result;
}
The main logic is to get out of the map , The number of steps required is exactly 50 Step , And go to the right 10 Time , And you need to go in other directions before going to the right 2 perhaps 6 Time , Extract map data
import idaapi
addr = 0x0042B008
arr = []
for i in range(275):
arr.append(idaapi.get_dword(addr + 4*i))
print(arr)
Print out the map
mapdata = [1, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
maps = []
for i in range(25):
maps.append(mapdata[i*11: i*11+11])
for _ in maps:
print(_)
''' [1, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0] [1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0] [1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1] [0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1] [0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1] [0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0] [1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0] [1, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0] [1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1] [1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0] [1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0] [1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0] [0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1] [1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1] [1, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1] [1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1] [1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1] [1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0] [1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0] [1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0] [1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1] [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] '''
Write an algorithm to search the path that meets the conditions , And finding a path requires and MD5 value dcc1df36a15968fb206fe52294bb4130 Compare , matching hash Value successful 50 Step path is the solution
This path also needs attention , because main The number of times to the right in the function flow is 10, Obviously, you can't take steps by walking to the left , Because go left 1 It takes at least 11 Go right for the second time , Then it does not meet the judgment conditions , So in order to make up the number of steps, you can only go up and down , Therefore, it can be judged that the path does not contain ’a’, Contains only ’w’, ‘s’, ‘d’, And according to the number of steps to the right from the last time before walking to the right , Or 2 Step , Or 6 Step , So we can get a fixed round-trip mode to count the steps , Next, it becomes an algorithm problem
def DFS(step, hlevel, path):
if step == 6:
if hlevel == 2:
print(path)
return
if hlevel == 0:
DFS(step + 1, hlevel + 1, path+'s')
elif hlevel == 1:
DFS(step + 1, hlevel + 1, path+'s')
DFS(step + 1, hlevel - 1, path+'w')
else:
DFS(step + 1, hlevel - 1, path+'w')
DFS(0, 0, '')
''' sswsws sswwss swssws swswss '''
You can see the up and down 6 Step mode has 4 Kind of , Then just use this 4 Just count the steps in each mode , The shortest path is ssd * 10 in total 30 Step , So we need to introduce 5 Round trip mode is more 20 Step , C 10 5 ∗ 4 5 = 258048 C_{10}^5 * 4^5 = 258048 C105∗45=258048 The possibility of backtracking blasting , In fact, it only takes about 3s
from itertools import combinations
from hashlib import *
patterns = ['swswssd','swsswsd','sswwssd','sswswsd']
L = [_ for _ in range(10)]
coms = list(combinations(L, 5))
# print(coms)
# paths = ['ssd' for _ in range(10)]
# count = 0
# path = ''.join(paths)
# print(path, len(path))
def BackTrace(step, paths, comb):
if step == 10:
path = ''.join(paths)
if md5(path.encode(encoding='UTF-8')).hexdigest() == 'dcc1df36a15968fb206fe52294bb4130':
print('find the flag!!!')
print(path)
print()
return
if step not in comb:
BackTrace(step + 1, paths, comb)
else:
paths[step] = patterns[0]
BackTrace(step + 1, paths, comb)
paths[step] = patterns[1]
BackTrace(step + 1, paths, comb)
paths[step] = patterns[2]
BackTrace(step + 1, paths, comb)
paths[step] = patterns[3]
BackTrace(step + 1, paths, comb)
# print(len(coms))
for comb in coms:
paths = ['ssd' for _ in range(10)]
BackTrace(0, paths, comb)
# path = 'ssdsswswsdssdswswssdssdswsswsdsswswsdssdssdswswssd'
# print(md5(path.encode(encoding='UTF-8')).hexdigest() == 'dcc1df36a15968fb206fe52294bb4130')
pypy
python The files are packed exe, use pyinstxtractor analysis
https://github.com/extremecoders-re/pyinstxtractor
pyinstxtractor.py Extract the folder , Here we use python3.7 Talent , Need and compress into exe The document used python Versions,
[email protected]:/mnt/k/competition/ Anwang cup /re/pypy$ python3.7 pyinstxtractor.py pypy.exe
[+] Processing pypy.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 6230873 bytes
[+] Found 61 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pypy.pyc
[+] Found 133 files in PYZ archive
[+] Successfully extracted pyinstaller archive: pypy.exe
You can now use a python decompiler on the pyc files within the extracted directory
And then use uncompyle6 hold pypy.pyc File reverse py file uncompyle6 pypy.pyc > pypy.py
Get the source code
# uncompyle6 version 3.8.0
# Python bytecode 3.7.0 (3394)
# Decompiled from: Python 3.8.10 (tags/v3.8.10:3d8993a, May 3 2021, 11:48:03) [MSC v.1928 64 bit (AMD64)]
# Embedded file name: pypy.py
import hashlib
if __name__ == '__main__':
nums = []
a, b, c = (3001, 2137, 4729)
n = 100000
num = 1
while len(nums) != n:
num_copy = num
while num_copy != 1:
if num_copy % a == 0:
num_copy //= a
elif num_copy % b == 0:
num_copy //= b
elif num_copy % c == 0:
num_copy //= c
else:
break
if num_copy == 1:
nums.append(num)
num += 1
print(nums[(n - 1)])
m = hashlib.md5()
b = str(nums[(n - 1)]).encode(encoding='utf-8')
m.update(b)
result = m.hexdigest()
print('flag{' + result + '}')
# okay decompiling pypy.pyc
Simply put, it's asking for 3001, 2137,4729 Is a multiple of factor composition , From small to large 100000 The number of MD5 value
Algorithm problem , With priority queues heapq Optimize performance , Every time you add to the priority queue Min * 3001, Min * 2137, Min * 4729 Greedy to get the current minimum multiple , When heapq eject 100000 individual Min, You get the answer
from hashlib import *
from heapq import *
ps = [3001, 2137, 4729]
heap = []
heappush(heap, 1)
occupied = set()
occupied.add(1)
count = 0
Min = 0
while True:
Min = heappop(heap)
count += 1
if count == 100000: break
for i in range(3):
tmp = Min * ps[i]
if tmp not in occupied:
heappush(heap, tmp)
occupied.add(tmp)
print(Min)
print('flag{' + md5(str(Min).encode(encoding='UTF-8')).hexdigest() + '}')
''' 16405850262570740513897217717623720600448855987320514551726154873739883293720282851034424371051874484044854674904735438772866326784386465461577479345634270005309256879590279090175542403199472872896278587926077044001237403554885317937416574659330592944654425785521663598285833017718525414609 flag{ba64f885157a04966c5173fb24590032} '''
summary
This is the first offline game played last year , I'll fill in the question after a year , At that time, due to the prohibition of networking ( Although the stadium is full of hot spots , I was caught driving a hot spot , xs), The environment doesn't match REV These two questions have not been worked out , Later, all kinds of things have not been completed , Now I feel that the accumulation is enough , You can do almost all the competition questions in the past two years .
Generally speaking, the logic of these two questions is not very complicated , Some function call chains are too deep for logic to judge , Just intuitively guess and add the tone verification , Software encryption is also decorated with anti debugging instructions or protective shells ( Although there is no interference ), If you reverse it, it becomes an algorithm problem , It's not particularly difficult to brush more algorithm problems , Mainly networking , The difficulty will be much lower .
边栏推荐
- Analysis report on the development trend and Prospect of new ceramic materials in the world and China Ⓐ 2022 ~ 2027
- Some summary of pyqt5 learning (overview of the general meaning of some signals and methods)
- Asp. NETCORE uses dynamic to simplify database access
- Liu Dui (fire line safety) - risk discovery in cloudy environment
- 用命令行 给 apk 签名
- Build a vc2010 development environment and create a tutorial of "realizing Tetris game in C language"
- French Data Protection Agency: using Google Analytics or violating gdpr
- 8款最佳实践,保护你的 IaC 安全!
- 二传感器尺寸「建议收藏」
- Learning to use livedata and ViewModel will make it easier for you to write business
猜你喜欢
Colorful five pointed star SVG dynamic web page background JS special effect
The best landing practice of cave state in an Internet ⽹⾦ financial technology enterprise
内容审计技术
SAP 智能机器人流程自动化(iRPA)解决方案分享
04-Redis源码数据结构之字典
Self cultivation of open source programmers who contributed tens of millions of lines of code to shardingsphere and later became CEO
啟動solr報錯The stack size specified is too small,Specify at least 328k
Liu Dui (fire line safety) - risk discovery in cloudy environment
Fiori 应用通过 Adaptation Project 的增强方式分享
分布式事务简介(seata)
随机推荐
Simplex, half duplex, full duplex, TDD and FDD
SAP 智能机器人流程自动化(iRPA)解决方案分享
3.4 data query in introduction to database system - select (single table query, connection query, nested query, set query, multi table query)
【剑指 Offer】55 - II. 平衡二叉树
分布式事务简介(seata)
进入前六!博云在中国云管理软件市场销量排行持续上升
20个实用的 TypeScript 单行代码汇总
Google Earth Engine(GEE)——全球人类居住区网格数据 1975-1990-2000-2014 (P2016)
Word2vec training Chinese word vector
当你真的学会DataBinding后,你会发现“这玩意真香”!
Flow management technology
Asp. NETCORE uses dynamic to simplify database access
Blind box NFT digital collection platform system development (build source code)
Listen in the network
[machine learning] VAE variational self encoder learning notes
spark源码(五)DAGScheduler TaskScheduler如何配合提交任务,application、job、stage、taskset、task对应关系是什么?
Nexus builds NPM dependent private database
La taille de la pile spécifiée est petite, spécifiée à la sortie 328k
Kongsong (Xintong Institute) - cloud security capacity building and trend in the digital era
Analysis report on the development pattern of China's smart emergency industry and the 14th five year plan Ⓠ 2022 ~ 2028