逆向攻防世界CTF系列42-reverse_re3
参考:CTF-reverse-reverse_re3(全网最详细wp,超4000字有效解析)_ctfreverse题目-CSDN博客
64位无壳
_int64 __fastcall main(__int64 a1, char **a2, char **a3)
{int v4; // [rsp+4h] [rbp-Ch]sub_11B4(a1, a2, a3);dov4 = sub_940();while ( v4 != 1 && v4 != -1 );return 0LL;
}
跟进sub_11B4
__readfsqword(0x28u)经常会出现,反调试,先记住
下面是dowhile v4必须要为1或者-1最后
跟进sub_940
__int64 sub_940()
{int v0; // eaxint v2; // [rsp+8h] [rbp-218h]int v3; // [rsp+Ch] [rbp-214h]char v4[520]; // [rsp+10h] [rbp-210h] BYREFunsigned __int64 v5; // [rsp+218h] [rbp-8h]v5 = __readfsqword(0x28u);v3 = 0;memset(v4, 0, 0x200uLL);_isoc99_scanf(&unk_1278, v4, v4);while ( 1 ){do{v2 = 0;sub_86C();v0 = v4[v3];if ( v0 == 100 ){v2 = sub_E23();}else if ( v0 > 100 ){if ( v0 == 115 ){v2 = sub_C5A();}else if ( v0 == 119 ){v2 = sub_A92();}}else{if ( v0 == 27 ) return 0xFFFFFFFFLL;if ( v0 == 97 ) v2 = sub_FEC();}++v3;}while ( v2 != 1 );if ( dword_202AB0 == 2 ) break;++dword_202AB0;}puts("success! the flag is flag{md5(your input)}");return 1LL;
}
一开始没反应过来后来发现是dsaw这几个判断,跟进这几个sub函数
__int64 sub_A92()
{if ( dword_202AB4 ){if ( dword_202020[225 * dword_202AB0 - 15 + 15 * dword_202AB4 + dword_202AB8] == 1 ){dword_202020[225 * dword_202AB0 - 15 + 15 * dword_202AB4 + dword_202AB8] = 3;dword_202020[225 * dword_202AB0 + 15 * dword_202AB4 + dword_202AB8] = 1;}else if ( dword_202020[225 * dword_202AB0 - 15 + 15 * dword_202AB4 + dword_202AB8] == 4 ){return 1LL;}}return 0LL;
}
在跟进dowrd_202020
_DWORD dword_202020[675]放了675个数据
dup是重复的意思 5dup(1) 就是 1 1 1 1 1
看样子是个迷宫题
if ( v0 == ‘\x1B’ ) 代表退出,记住是Esc
其实流程已经清晰了,输入可能是路径,最后要puts(“success! the flag is flag{md5(your input)}”);
还涉及md5
dword_202AB0一开始被赋值为0,可能也在计数最后要让它为2才能退出,也就是0,1,2三次才能退出
而到达这一步的条件是v2必须三次为1,最后一次通过dword_202AB0判断
unsigned __int64 sub_86C()
{int i; // [rsp+0h] [rbp-10h]int j; // [rsp+4h] [rbp-Ch]unsigned __int64 v3; // [rsp+8h] [rbp-8h]v3 = __readfsqword(0x28u);for ( i = 0; i <= 14; ++i ){for ( j = 0; j <= 14; ++j ){if ( dword_202020[225 * dword_202AB0 + 15 * i + j] == 3 ){dword_202AB4 = i;dword_202AB8 = j;break;}}}return __readfsqword(0x28u) ^ v3;
}
像个初始化(其实只是转化),再分析分析
dword_202AB0之前说了只能是0,1,2
_DWORD dword_202020[675]放了675个数据,225*3,暂时不懂为什么这么干
先看右移d
__int64 sub_E23()
{if ( dword_202AB8 != 14 ){if ( dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] == 1 ){dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] = 3;dword_202020[225 * dword_202AB0 + 15 * dword_202AB4 + dword_202AB8] = 1;}else if ( dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] == 4 ){return 1LL;}}return 0LL;
}
dword_202020只会有四种数字:0134,并且在为4的时候才会返回1
B4和B8的作用根据15 * dword_202AB4 + dword_202AB8可以才出来是行列,B4是行
if ( dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] == 1 )
{dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] = 3;dword_202020[225 * dword_202AB0 + 15 * dword_202AB4 + dword_202AB8] = 1;
因为是右移d,左边的是走过的,右边是未来要去的,那么可以推测,1代表的是走过的地方,3代表的是当前所在的地方(初始时,数组元素为3的地方,就相当于起点!),4代表的是终点
回头看之前的if ( dword_202020[225 * dword_202AB0 + 15 * i + j] == 3 ) 这就是在找最初的起点,那么一切都可以理解了,要走三个迷宫,每个迷宫都有一个初始起点
其实这里看不懂也没事,先把迷宫拿出了,已经知道是三个迷宫了,直接写程序提就行
shift+e(注意这里踩坑了,要选导出C变量)
#include<iostream>using namespace std;int dword_202020[675] =
{1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0,3,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,0,1,1,1,1,1,0,0,0,0,0,0,0,0,4,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,3,1,1,1,1,1,0,0,0,0,0,0,1,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,1,1,1,0,0,1,1,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,0,1,1,0,1,1,0,0,0,0,0,1,0,0,1,0,1,1,0,1,1,0,0,0,0,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,4,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0
};int main() {for (int i = 0; i <= 14; i++) {for (int j = 0; j <= 14; j++) {cout << dword_202020[i * 15 + j] << " ";}cout << endl;}cout << endl;for (int i = 0; i <= 14; i++) {for (int j = 0; j <= 14; j++) {cout << dword_202020[225 + i * 15 + j] << " ";}cout << endl;}cout << endl;for (int i = 0; i <= 14; i++) {for (int j = 0; j <= 14; j++) {cout << dword_202020[450 + i * 15 + j] << " ";}cout << endl;}
}
迷宫
1 1 1 1 1 0 0 0 0 0 0 0 0 0 0
1 1 1 1 1 0 3 1 1 0 0 0 0 0 0
1 1 1 1 1 0 0 0 1 0 0 0 0 0 0
1 1 1 1 1 0 0 0 1 0 0 0 0 0 0
1 1 1 1 1 0 0 0 1 1 1 1 1 0 0
1 1 1 1 1 0 0 0 0 0 0 0 1 0 0
1 1 1 1 1 0 0 0 0 0 0 0 1 0 0
1 1 1 1 1 0 0 0 0 0 0 0 1 1 0
1 1 1 1 1 0 0 0 0 0 0 0 0 1 0
1 1 1 1 1 0 0 0 0 0 0 0 0 4 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 11 1 0 0 0 0 0 0 0 0 0 0 0 0 0
1 1 0 3 1 1 1 1 1 0 0 0 0 0 0
1 1 0 1 1 0 0 0 1 0 0 0 0 0 0
1 1 0 0 0 0 0 0 1 0 0 0 0 0 0
1 1 0 1 1 0 0 0 1 1 1 1 1 0 0
1 1 0 1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 1 1 1 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 0 0
1 1 0 1 1 1 1 1 1 0 1 0 1 1 0
1 1 0 1 1 1 1 1 1 1 1 1 1 1 0
1 1 0 0 0 0 0 0 0 0 0 0 0 4 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 3 1 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0 1 0 1 1 1 0 0 0 0 0 0 0
0 0 0 1 1 1 0 1 0 0 0 0 0 0 0
0 0 0 0 1 0 0 1 0 0 0 0 0 0 0
0 1 1 0 1 0 0 1 0 0 0 0 0 0 0
0 0 1 1 1 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 1 1 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 4 0
懒得搞,放大佬的吧
ddsssddddsssdssdddddsssddddsssaassssdddsddssddwddssssssdddssssdddss
给md5加密
flag{aeea66fcac7fa80ed8f79f38ad5bb953}
1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 1 1 1 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 0 0
1 1 0 1 1 1 1 1 1 0 1 0 1 1 0
1 1 0 1 1 1 1 1 1 1 1 1 1 1 0
1 1 0 0 0 0 0 0 0 0 0 0 0 4 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 3 1 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0 1 0 1 1 1 0 0 0 0 0 0 0
0 0 0 1 1 1 0 1 0 0 0 0 0 0 0
0 0 0 0 1 0 0 1 0 0 0 0 0 0 0
0 1 1 0 1 0 0 1 0 0 0 0 0 0 0
0 0 1 1 1 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 1 1 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 4 0
懒得搞,放大佬的吧[外链图片转存中...(img-4yftBx0H-1733058965243)]ddsssddddsssdssdddddsssddddsssaassssdddsddssddwddssssssdddssssdddss给md5加密flag{aeea66fcac7fa80ed8f79f38ad5bb953}注意CTF要小写的MD5一般
![[Deep Learning] 深度学习中常用函数的整理与介绍(pytorch为例)](https://i-blog.csdnimg.cn/direct/9ca5a588f4e443dfa5b8d6bcf3b4e9ef.png)
