Writeup of Mountainclimbing(reverse) in BugKu
来源:互联网 发布:原生js 触发事件 编辑:程序博客网 时间:2024/06/05 03:52
好题啊!
首先扔到IDA里大致看一下逻辑
(改了函数名,数组名,变量名)
大概就是,用伪随机序列打印了一个如下图的二维数组,然后用L和R控制方向,走到哪里就把所在位置的元素值加入score
s=[[77],[5628, 6232],[29052,1558, 26150],[12947,29926,11981,22371],[4078, 28629,4665, 2229, 24699],[27370,3081, 18012,24965,2064, 26890],[21054,5225, 11777,29853,2956, 22439,3341],[31337,14755,5689, 24855,4173, 32304,292, 5344],[15512,12952,1868, 10888,19581,13463,32652,3409, 28353],[26151,14598,12455,26295,25763,26040,8285, 27502,15148,4945],[26170,1833, 5196, 9794, 26804,2831, 11993,2839, 9979, 27428,6684],[4616, 30265,5752, 32051,10443,9240, 8095, 28084,26285,8838, 18784,6547],[7905, 8373, 19377,18502,27928,13669,25828,30502,28754,32357,2843, 5401, 10227],[22871,20993,8558, 10009,6581, 22716,12808,4653, 24593,21533,9407, 6840, 30369,2330],[3, 28024,22266,19327,18114,18100,15644,21728,17292,8396, 27567,2002, 3830, 12564,1420],[29531,21820,9954, 8319, 10918,7978, 24806,30027,17659,8764, 3258, 20719,6639, 23556,25786,11048],[3544, 31948,22, 1591, 644, 25981,26918,31716,16427,15551,28157,7107, 27297,24418,24384,32438,22224],[12285,12601,13235,21606,2516, 13095,27080,16331,23295,20696,31580,28758,10697,4730, 16055,22208,2391, 20143],[16325,24537,16778,17119,18198,28537,11813,1490, 21034,1978, 6451, 2174, 24812,28772,5283, 6429, 15484,29353,5942],[7299, 6961, 32019,24731,29103,17887,17338,26840,13216,8789, 12474,24299,19818,18218,14564,31409,5256, 31930,26804,9736]]
然后咋整呢?上脚本呗,遍历一遍所有走法,得到所有走法的score,再找出maximum,话不多说,上脚本(好像可以宽搜,但是怕麻烦没写):
(首先得生成2**19个走法,打印到mountain.txt里,这里就不给出脚本了)
其次:(寻找maximum)(找到之后加了个判断输出了正确走法)
sch=[]with open('mountain.txt','r')as f: line=f.readline() while line: row=0 col=0 score=s[row][col] for i in line: if i=='L': row+=1 score+=s[row][col] elif i=='R': row+=1 col+=1 score+=s[row][col] #if score==444740: # print line sch.append(score) line=f.readline()print max(sch)
(打码)(给各位小伙伴一个复现的机会)
但是我把正确走法提交上去却显示wrong……emmmmm为啥呢
于是动态调试,发现函数sub_41114F是个比较可疑的加密函数,多次试验之后猜测其为单表加密,于是直接多次输入,得到密码表
原来我找到的正确走法被加密之后,偶数位的L或者R被修改成了其他字符,于是对着密码表改回来,把偶数位的L换成H,R换成V
得到正确结果,提交,correct
(溜了溜了,大一狗复习四级去了)阅读全文
0 0
- Writeup of Mountainclimbing(reverse) in BugKu
- Writeup of love(reverse) in BugKu
- (未完)Writeup of Take the maze (reverse) in BugKu
- bugku ctf Reverse 逆向入门 writeup
- bugku几题writeup
- [Bugku]密码???[writeup]
- BUGKU web--writeup
- bugku writeup(misc_1)
- bugku writeup web
- bugku ctf文件包含 writeup
- bugku杂项几题writeup
- bugku CTF练习平台writeup
- bugku misc writeup(部分)
- bugku Reverse Easy_vb wirteup
- Writeup of NJUPT CTF platform's some easy Reverse
- BUGKU misc--细心的大象--writeup
- bugku CTF-练习平台 部分writeup
- Reverse step1 writeup
- for of
- window.location.href 带参数跳转 如何获取值(解决)
- 科大讯飞语音开发包上手体验(2)
- 数论函数&狄利克雷卷积
- InputManagerService之事件的初始化与分发
- Writeup of Mountainclimbing(reverse) in BugKu
- local_irq_disable,irq_disable与disable_irq的区别
- 点击事件冲突
- R语言处理日期值的数值和字符串之间的相互转换
- vue2.0单页面spa在微信中title设置
- Java 8-----默认方法(Default Methods)
- CSS
- angular实现添加,删除,查询,排序
- 【zabbix】Zabbix概述
