2024“蜀道山” RE 部分题解

Map_maze

题目描述

真真假假真真,你能够寻找到最后的终点吗?

附件下载

迷宫生成

v5 是一个长度为 105 的数组，被用作 15x15 的二维网格

int __cdecl sub_4010D0(_DWORD *a1, _DWORD *a2)
{_DWORD *v2; // eax_DWORD *v3; // eaxint result; // eax_DWORD v5[105]; // [esp+0h] [ebp-424h] BYREF_DWORD v6[119]; // [esp+1A4h] [ebp-280h]_DWORD *v7; // [esp+380h] [ebp-A4h]int i28; // [esp+384h] [ebp-A0h]int i27; // [esp+388h] [ebp-9Ch]int i26; // [esp+38Ch] [ebp-98h]int i25; // [esp+390h] [ebp-94h]int i24; // [esp+394h] [ebp-90h]int i23; // [esp+398h] [ebp-8Ch]int i22; // [esp+39Ch] [ebp-88h]int i21; // [esp+3A0h] [ebp-84h]int i20; // [esp+3A4h] [ebp-80h]int i19; // [esp+3A8h] [ebp-7Ch]int i18; // [esp+3ACh] [ebp-78h]int i17; // [esp+3B0h] [ebp-74h]int i16; // [esp+3B4h] [ebp-70h]int i15; // [esp+3B8h] [ebp-6Ch]int i14; // [esp+3BCh] [ebp-68h]int i13; // [esp+3C0h] [ebp-64h]int i12; // [esp+3C4h] [ebp-60h]int i11; // [esp+3C8h] [ebp-5Ch]int i10; // [esp+3CCh] [ebp-58h]int i9; // [esp+3D0h] [ebp-54h]int i8; // [esp+3D4h] [ebp-50h]int i7; // [esp+3D8h] [ebp-4Ch]int i6; // [esp+3DCh] [ebp-48h]int i5; // [esp+3E0h] [ebp-44h]int i4; // [esp+3E4h] [ebp-40h]int i3; // [esp+3E8h] [ebp-3Ch]int i2; // [esp+3ECh] [ebp-38h]int i1; // [esp+3F0h] [ebp-34h]int nn; // [esp+3F4h] [ebp-30h]int mm; // [esp+3F8h] [ebp-2Ch]int kk; // [esp+3FCh] [ebp-28h]int jj; // [esp+400h] [ebp-24h]int ii; // [esp+404h] [ebp-20h]int n; // [esp+408h] [ebp-1Ch]int m; // [esp+40Ch] [ebp-18h]int k; // [esp+410h] [ebp-14h]int j; // [esp+414h] [ebp-10h]int i; // [esp+418h] [ebp-Ch]int i30; // [esp+41Ch] [ebp-8h]int i29; // [esp+420h] [ebp-4h]for ( i = 0; i < 15; ++i ){for ( j = 0; j < 15; ++j )v5[15 * i + j] = sub_401080(0);           // 用来分配并初始化表示节点的结构}for ( k = 1; k < 15; ++k )*(_DWORD *)v5[k] = 1;for ( m = 9; m < 15; ++m )*(_DWORD *)v5[m + 15] = 1;for ( n = 0; n < 2; ++n )*(_DWORD *)v5[n + 30] = 1;for ( ii = 3; ii < 8; ++ii )*(_DWORD *)v5[ii + 30] = 1;for ( jj = 9; jj < 15; ++jj )*(_DWORD *)v5[jj + 30] = 1;for ( kk = 0; kk < 2; ++kk )*(_DWORD *)v5[kk + 45] = 1;for ( mm = 3; mm < 8; ++mm )*(_DWORD *)v5[mm + 45] = 1;for ( nn = 12; nn < 15; ++nn )*(_DWORD *)v5[nn + 45] = 1;for ( i1 = 0; i1 < 2; ++i1 )*(_DWORD *)v5[i1 + 60] = 1;for ( i2 = 7; i2 < 10; ++i2 )*(_DWORD *)v5[i2 + 60] = 0;*(_DWORD *)v5[67] = 1;for ( i3 = 11; i3 < 15; ++i3 )*(_DWORD *)v5[i3 + 60] = 1;for ( i4 = 0; i4 < 2; ++i4 )*(_DWORD *)v5[i4 + 75] = 1;for ( i5 = 3; i5 < 6; ++i5 )*(_DWORD *)v5[i5 + 75] = 1;for ( i6 = 11; i6 < 15; ++i6 )*(_DWORD *)v5[i6 + 75] = 1;for ( i7 = 0; i7 < 2; ++i7 )*(_DWORD *)v5[i7 + 90] = 1;*(_DWORD *)v5[92] = 0;for ( i8 = 3; i8 < 6; ++i8 )*(_DWORD *)v5[i8 + 90] = 1;for ( i9 = 7; i9 < 10; ++i9 )*(_DWORD *)v5[i9 + 90] = 1;for ( i10 = 11; i10 < 15; ++i10 )*(_DWORD *)v5[i10 + 90] = 1;*(_DWORD *)v6[0] = 1;*(_DWORD *)v6[1] = 0;*(_DWORD *)v6[2] = 0;*(_DWORD *)v6[3] = 1;for ( i11 = 4; i11 < 6; ++i11 )*(_DWORD *)v6[i11] = 1;for ( i12 = 7; i12 < 10; ++i12 )*(_DWORD *)v6[i12] = 1;for ( i13 = 11; i13 < 15; ++i13 )*(_DWORD *)v6[i13] = 1;for ( i14 = 0; i14 < 2; ++i14 )*(_DWORD *)v6[i14 + 15] = 1;for ( i15 = 7; i15 < 10; ++i15 )*(_DWORD *)v6[i15 + 15] = 1;for ( i16 = 11; i16 < 15; ++i16 )*(_DWORD *)v6[i16 + 15] = 1;for ( i17 = 0; i17 < 6; ++i17 )*(_DWORD *)v6[i17 + 30] = 1;for ( i18 = 7; i18 < 10; ++i18 )*(_DWORD *)v6[i18 + 30] = 1;for ( i19 = 11; i19 < 15; ++i19 )*(_DWORD *)v6[i19 + 30] = 1;for ( i20 = 0; i20 < 6; ++i20 )*(_DWORD *)v6[i20 + 45] = 1;for ( i21 = 11; i21 < 15; ++i21 )*(_DWORD *)v6[i21 + 45] = 1;for ( i22 = 0; i22 < 9; ++i22 )*(_DWORD *)v6[i22 + 60] = 1;for ( i23 = 13; i23 < 15; ++i23 )*(_DWORD *)v6[i23 + 60] = 1;for ( i24 = 0; i24 < 9; ++i24 )*(_DWORD *)v6[i24 + 75] = 1;*(_DWORD *)v6[84] = 0;*(_DWORD *)v6[85] = 1;*(_DWORD *)v6[86] = 1;*(_DWORD *)v6[87] = 0;for ( i25 = 13; i25 < 15; ++i25 )*(_DWORD *)v6[i25 + 75] = 1;for ( i26 = 0; i26 < 9; ++i26 )*(_DWORD *)v6[i26 + 90] = 1;*(_DWORD *)v6[99] = 0;*(_DWORD *)v6[100] = 1;*(_DWORD *)v6[101] = 1;*(_DWORD *)v6[102] = 0;for ( i27 = 13; i27 < 15; ++i27 )*(_DWORD *)v6[i27 + 90] = 1;for ( i28 = 0; i28 < 12; ++i28 )*(_DWORD *)v6[i28 + 105] = 1;for ( i29 = 0; i29 < 15; ++i29 ){for ( i30 = 0; i30 < 15; ++i30 ){if ( i29 > 0 )*(_DWORD *)(v5[15 * i29 + i30] + 4) = v5[15 * i29 - 15 + i30];if ( i29 < 14 )*(_DWORD *)(v5[15 * i29 + i30] + 8) = v5[15 * i29 + 15 + i30];if ( i30 > 0 )*(_DWORD *)(v5[15 * i29 + i30] + 12) = v5[15 * i29 - 1 + i30];if ( i30 < 14 )*(_DWORD *)(v5[15 * i29 + i30] + 16) = v5[15 * i29 + 1 + i30];}}v2 = (_DWORD *)v5[0];*a1 = *(_DWORD *)v5[0];a1[1] = v2[1];a1[2] = v2[2];a1[3] = v2[3];a1[4] = v2[4];v3 = v7;*a2 = *v7;a2[1] = v3[1];a2[2] = v3[2];a2[3] = v3[3];result = v3[4];a2[4] = result;return result;
}

迷宫的判断

可以写个C脚本跑一下过程

#include<stdio.h>int maze[225]={0};int main() {int *v5 = maze;int *v6 = maze + 105;for (int k = 1; k < 15; ++k )v5[k] = 1;for (int m = 9; m < 15; ++m )v5[m + 15] = 1;for (int n = 0; n < 2; ++n )v5[n + 30] = 1;for (int ii = 3; ii < 8; ++ii )v5[ii + 30] = 1;for (int jj = 9; jj < 15; ++jj )v5[jj + 30] = 1;for (int kk = 0; kk < 2; ++kk )v5[kk + 45] = 1;for (int mm = 3; mm < 8; ++mm )v5[mm + 45] = 1;for (int nn = 12; nn < 15; ++nn )v5[nn + 45] = 1;for (int i1 = 0; i1 < 2; ++i1 )v5[i1 + 60] = 1;for (int i2 = 7; i2 < 10; ++i2 )v5[i2 + 60] = 0;v5[67] = 1;for (int i3 = 11; i3 < 15; ++i3 )v5[i3 + 60] = 1;for (int i4 = 0; i4 < 2; ++i4 )v5[i4 + 75] = 1;for (int i5 = 3; i5 < 6; ++i5 )v5[i5 + 75] = 1;for (int i6 = 11; i6 < 15; ++i6 )v5[i6 + 75] = 1;for (int i7 = 0; i7 < 2; ++i7 )v5[i7 + 90] = 1;v5[92] = 0;for (int i8 = 3; i8 < 6; ++i8 )v5[i8 + 90] = 1;for (int i9 = 7; i9 < 10; ++i9 )v5[i9 + 90] = 1;for (int i10 = 11; i10 < 15; ++i10 )v5[i10 + 90] = 1;v6[0] = 1;v6[1] = 0;v6[2] = 0;v6[3] = 1;for (int i11 = 4; i11 < 6; ++i11 )v6[i11] = 1;for (int i12 = 7; i12 < 10; ++i12 )v6[i12] = 1;for (int i13 = 11; i13 < 15; ++i13 )v6[i13] = 1;for (int i14 = 0; i14 < 2; ++i14 )v6[i14 + 15] = 1;for (int i15 = 7; i15 < 10; ++i15 )v6[i15 + 15] = 1;for (int i16 = 11; i16 < 15; ++i16 )v6[i16 + 15] = 1;for (int i17 = 0; i17 < 6; ++i17 )v6[i17 + 30] = 1;for (int i18 = 7; i18 < 10; ++i18 )v6[i18 + 30] = 1;for (int i19 = 11; i19 < 15; ++i19 )v6[i19 + 30] = 1;for (int i20 = 0; i20 < 6; ++i20 )v6[i20 + 45] = 1;for (int i21 = 11; i21 < 15; ++i21 )v6[i21 + 45] = 1;for (int i22 = 0; i22 < 9; ++i22 )v6[i22 + 60] = 1;for (int i23 = 13; i23 < 15; ++i23 )v6[i23 + 60] = 1;for (int i24 = 0; i24 < 9; ++i24 )v6[i24 + 75] = 1;v6[84] = 0;v6[85] = 1;v6[86] = 1;v6[87] = 0;for (int i25 = 13; i25 < 15; ++i25 )v6[i25 + 75] = 1;for (int i26 = 0; i26 < 9; ++i26 )v6[i26 + 90] = 1;v6[99] = 0;v6[100] = 1;v6[101] = 1;v6[102] = 0;for (int i27 = 13; i27 < 15; ++i27 )v6[i27 + 90] = 1;for (int i28 = 0; i28 < 12; ++i28 )v6[i28 + 105] = 1;for(int i=0;i<15;i++){for(int j=0;j<15;j++){printf(maze[i * 15 + j] ? "X" : " ");}printf("\n");}return 0;
}

迷宫有多解但是正确的flag只有一个

DRRDDDDDDDRRRRDDRRRDRRRDDDRR
LZSDS{1979869e0c4ef6c542e54ae5c48f63ec}

Super Panda Girl

题目描述

Super Panda girl go go

附件下载

Unity游戏逆向题

找到super panda girl\Super Panda Girl_Data\Managed文件夹下的Assembly-CSharp.dll拖dnspy

找到一个RC4加密

且密文密钥已知

再找一下主要逻辑

主要逻辑就是先对 text 进行 RC4加密（密文密钥已知），

然后取 text 偶数位拼起来再进行base64编码

exp

import codecsdef decrypt(encrypted_bytes, key):key_length = len(key)data_length = len(encrypted_bytes)key_bytes = key.encode('utf-8')# Initialize array with values 0-255array = list(range(256))# Key Scheduling Algorithm (KSA)num = 0for j in range(256):num = (num + array[j] + key_bytes[j % key_length]) % 256array[j], array[num] = array[num], array[j]# Pseudo-Random Generation Algorithm (PRGA)num2 = num3 = 0decrypted_bytes = bytearray(data_length)for k in range(data_length):num2 = (num2 + 1) % 256num3 = (num3 + array[num2]) % 256array[num2], array[num3] = array[num3], array[num2]b3 = (array[num2] + array[num3]) % 256decrypted_bytes[k] = encrypted_bytes[k] ^ b3# Decode the decrypted bytes to UTF-8 stringreturn decrypted_bytes.decode('utf-8')if __name__ == "__main__":encrypted_bytes = [57, 244, 117, 200, 213, 87, 194, 195, 164, 100, 103, 63, 19, 79,137, 70, 201, 24, 163, 129, 237, 210, 5, 19, 35, 21]key = "LZSDS"decrypted_text = decrypt(encrypted_bytes, key)print(decrypted_text)#put_this_in_the_true_brand

取text的偶数位：ptti_ntetu_rn

再取base64