Download test files: https://adworld.xctf.org.cn/media/task/attachments/fa4c78d25eea4081864918803996e615
1. Prepare
get information
- 64 files
2.IDA Open
Selected main function, decompile into C code.
1 __int64 __fastcall main(__int64 a1, char **a2, char **a3) 2 { 3 const char *v3; // rsi 4 signed __int64 v4; // rbx 5 signed int v5; // eax 6 char v6; // bp 7 char v7; // al 8 const char *v8; // rdi 9 __int64 v10; // [rsp+0h] [rbp-28h] 10 11 v10 = 0LL; 12 puts("Input flag:"); 13 scanf("%s", &s1, 0LL); 14 if ( strlen(&s1) != 24 || (v3 = "nctf{", strncmp(&s1, "nctf{", 5uLL)) || *(&byte_6010BF + 24) != 125 ) 15 { 16 LABEL_22: 17 puts("Wrong flag!"); 18 exit(-1); 19 } 20 v4 = 5LL; 21 if ( strlen(&s1) - 1 > 5 ) 22 { 23 while ( 1 ) 24 { 25 v5 = *(&s1 + v4); 26 v6 = 0; 27 if ( v5 > 78 ) 28 { 29 v5 = (unsigned __int8)v5; 30 if ( (unsigned __int8)v5 == 79 ) 31 { 32 v7 = sub_400650((char *)&v10 + 4, v3); 33 goto LABEL_14; 34 } 35 if ( v5 == 111 ) 36 { 37 v7 = sub_400660((char *)&v10 + 4, v3); 38 goto LABEL_14; 39 } 40 } 41 else 42 { 43 v5 = (unsigned __int8)v5; 44 if ( (unsigned __int8)v5 == 46 ) 45 { 46 v7 = sub_400670(&v10, v3); 47 goto LABEL_14; 48 } 49 if ( v5 == 48 ) 50 { 51 v7 = sub_400680(&v10, v3); 52 LABEL_14: 53 v6 = v7; 54 goto LABEL_15; 55 } 56 } 57 LABEL_15: 58 v3 = (const char *)HIDWORD(v10); 59 if ( !(unsigned __int8)sub_400690(asc_601060, HIDWORD(v10), (unsigned int)v10) ) 60 goto LABEL_22; 61 if ( ++v4 >= strlen(&s1) - 1 ) 62 { 63 if ( v6 ) 64 break; 65 LABEL_20: 66 v8 = "Wrong flag!"; 67 goto LABEL_21; 68 } 69 } 70 } 71 if ( asc_601060[8 * (signed int)v10 + SHIDWORD(v10)] != 35 ) 72 goto LABEL_20; 73 v8 = "Congratulations!"; 74 LABEL_21: 75 puts(v8); 76 return 0LL; 77 }
Open view of the string, we can see
.data:0000000000601060 asc_601060 db ' ******* * **** * **** * *** *# *** *** *** *********',0
2.1 Code Analysis
1 __int64 __fastcall main(__int64 a1, char **a2, char **a3) 2 { 3 signed __int64 v4; // rbx 4 signed int v5; // eax 5 char v6; // bp 6 char v7; // al 7 const char *v8; // rdi 8 __int64 v10; // [rsp+0h] [rbp-28h] 9 10 v10 = 0LL; 11 puts("Input flag:"); 12 scanf("%s", &s1, 0LL); 13 14 15 if ( strlen(&s1) != 24 || strncmp(&s1, "nctf{", 5uLL) || *(&byte_6010BF + 24) != 125 ) //len(s1) = 24, s1开头为'nctf', 16 { 17 LABEL_22: 18 puts("Wrong flag!"); 19 exit(-1); 20 } 215LL = V4; // number of characters in the total length of flag 24 is known a length of 5, v4 denotes indicates the direction input. 22 is IF (strlen (& S1) - . 1 > . 5 ) 23 is { 24 the while ( . 1 ) 25 { 26 is V5 = * (& S1 + V4); // V5 = S1 [. 5] 27 V6 = 0 ; 28 IF (V5> ' N ' ) // V5>' N ' 29 { 30 V5 =(unsigned __int8) V5; 31 is IF ((unsigned __int8) == V5 ' O ' ) // 1. When v5 == 'O', it indicates left 32 { 33 is V7 = sub_400650 (( char *) & V10 + . 4 , V3); // v10--, indicates the position number of columns -1, v7 determines whether or bounds (out of range returns: FALSE, not out of range returns: TRUE) 34 is GOTO LABEL_14; 35 } 36 iF (V5 == ' O ' ) // 2. when the case v5 == 'o', showing the right 37 [ { 38 is V7 = sub_400660 (( char *) & + V10 . 4 , V3); // V10 ++, + 1 represents the number of column positions, 39 GOTO LABEL_14; 40 } 41 is } 42 is 43 is the else // V5 < 'N' 44 is { 45 V5 = (unsigned __int8) V5; 46 is IF ((unsigned __int8) == V5 ' . ' ) // '.' 3. v5 == upper case shift represents 47 { 48 sub_400670 = V7 (& V10, V3); // v10--, the row number indicates the position of -1, 49 GOTO LABEL_14; 50 } 51 is IF (V5 == ' 0 ' ) // 4. V5 == '0' is , it indicates down 52 is { 53 is V7 = sub_400680 (& V10, V3); // V10 ++, showing the position of a line + 1'd 54 is LABEL_14: 55 V6 = V7; // assigned to V6, it is determined that the following maze, whether cross-border 56 is GOTO LABEL_15; 57 is } 58 } 59 60 61 is LABEL_15: 62 is IF (! (Unsigned __int8) sub_400690 ((__ Int64) asc_601060, SHIDWORD (V10), V10)) // determines character at that position is', '#' or '*' in which, if a '*' is returned again to find the path 63 is GOTO LABEL_22; 64 IF (++ V4> = strlen (& S1) - . 1 ) // because the final end with '}', so strlen (s1) - 1. We need to find the middle 18 characters 65 { 66 IF (V6) // determine whether cross-border (not out of range exit the loop) 67 BREAK ; 68 LABEL_20: 69 V8 = " ! Wrong In Flag " ; 70 GOTO LABEL_21; 71 is } 72 } 73 is } 74 IF (asc_601060 [ . 8 * (Signed int !) SHIDWORD + V10 (V10)] = 35 ) // determines whether arrival '# ', the not reached, continue to return cycle, moving 75 GOTO LABEL_20; 76 V8 = " Congratulations! " ; 77 LABEL_21: 78 the puts (V8); 79 return 0LL; 80 }
By the code analysis, it can be determined that a labyrinth is actually a string of characters, by '.', '0', 'O', 'o' to control the movement, V10 is actually a two-dimensional array, one-dimensional representation X axis, a Y-axis two-dimensional.
Direction determination 2.2
In assembly code
.text:00000000004006B7 mov dword ptr [rsp+28h+var_28+4], 0 .text:00000000004006BF mov dword ptr [rsp+28h+var_28], 0
We can know, v9 high represents the x-axis, v9 y-axis represents a low,
By function
__fastcall sub_400690 the __int64 (__ Int64 A1, int A2, int A3) { the __int64 Result; // RAX Result = * (unsigned __int8 *) (A1 + A2 + A3 * 8LL); // A1 maze, a2 is the column, a3 is Row. Calculating a position corresponding to the labyrinth by the character row LOBYTE (Result) = (_DWORD) Result == 32 || (_DWORD) Result == 35 ; // if 'or' # 'returns TRUE, a' * 'to return FALSE return Result; }
sub_400690 function is a2 + a3 * 8, i.e., a3 represents row, a2 represents the column. Return to the calling function at that high v10 represents the column, the low representation row. Then it can be judged that the 'O', 'o' represents the left and right, '.', '0' indicates the vertical
2.3 represents a maze
By a2 + a3 * 8 we can understand the maze there are eight rows, a total of 64 characters, which is 8x8 maze, is represented.
00****** *000*00* ***0*0** **00*0** *00*#00* **0***0* **00000* ********
2.4 Solution of maze
The starting point (1,1), can only take 0, to come to the '#' to find the path to the lower right lower left and right at the bottom right under the bottom right right right right upper left up
Write the script
= STR " lower right lower right Right Right Right left lower and right upper right under the left up " STR = str.replace ( ' a ' , ' . ' ) STR = str.replace ( ' lower ' , ' 0 ' ) STR = str.replace ( ' left ' , ' O ' ) STR = str.replace ( ' Right ' , ' O ' ) STR = ' NCTF { ' + STR + '}' print(str)
3.get flag!
nctf {oo0oo00O000oooo..OO}