[BUUCTF]不一样的flag

无壳, 直接拖进IDA分析, F5查看伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
char v3[29]; // [esp+17h] [ebp-35h] BYREF
int v4; // [esp+34h] [ebp-18h]
int v5; // [esp+38h] [ebp-14h] BYREF
int i; // [esp+3Ch] [ebp-10h]
_BYTE v7[12]; // [esp+40h] [ebp-Ch] BYREF

__main(); //源程序应该是C++写的, __main()函数调用了一个构造函数, 不管
v4 = 0;
strcpy(v3, "*11110100001010000101111#"); //奇怪的数字
while ( 1 )
{
puts("you can choose one action to execute");
puts("1 up");
puts("2 down");
puts("3 left");
printf("4 right\n:");
scanf("%d", &v5);
if ( v5 == 2 )
{
++*(_DWORD *)&v3[25];
}
else if ( v5 > 2 )
{
if ( v5 == 3 )
{
--v4;
}
else
{
if ( v5 != 4 )
LABEL_13:
exit(1);
++v4;
}
}
else
{
if ( v5 != 1 )
goto LABEL_13;
--*(_DWORD *)&v3[25];
}
for ( i = 0; i <= 1; ++i )
{
if ( *(int *)&v3[4 * i + 25] < 0 || *(int *)&v3[4 * i + 25] > 4 )
exit(1);
}
if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == 49 )
exit(1);
if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == 35 )
{
puts("\nok, the order you enter is the flag!"); //好家伙, 我输入的就是flag?真够不一样的
exit(0);
}
}
}

反编译出来的伪代码可读性极差, 花了很长时间写出等效形式的代码, 如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstdlib>
#include <cstring>

using namespace std;

int main()
{
char char_arr[25];
int x_pos = 0;
int y_pos = 0;
strncpy(char_arr, "*11110100001010000101111#", 25);
while (1)
{
printf("you can choose one action to execute\n1 up\n2 down\n3 left\n4 right\n:");
int temp;
scanf("%d", &temp);
switch (temp)
{
case 1:
--x_pos;
break;
case 2:
++x_pos;
break;
case 3:
--y_pos;
break;
case 4:
++y_pos;
break;
}
if (x_pos < 0 || x_pos > 4 || y_pos < 0 || y_pos > 4)
exit(1);
if (char_arr[5 * x_pos + y_pos] == '1')
exit(1);
if (char_arr[5 * x_pos + y_pos] == '#')
{
puts("\nok, the order you enter is the flag!");
exit(0);
}
}
}

这样看结构清晰很多, 就是把*11110100001010000101111#这个字符串排成一个5x5的迷宫

1
2
3
4
5
6
7
8
9
    0  1  2  3  4
-------------→
0 | * 1 1 1 1
1 | 0 1 0 0 0
2 | 0 1 0 1 0
3 | 0 0 0 1 0
4 ↓ 1 1 1 1 #
横为Y轴,竖为X轴, 0是路, 1是墙,*是起点, #是终点
走出迷宫只需要"下下下右右上上右右下下下", 即"222441144222"

所以flag就是flag{222441144222}