20210929gfsj_re_maze-CFANZ编程社区

题目描述：菜鸡想要走出菜狗设计的迷宫

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  const char *v3; // rsi
  signed __int64 v4; // rbx
  signed int v5; // eax
  char v6; // bp
  char v7; // al
  const char *v8; // rdi
  __int64 v10; // [rsp+0h] [rbp-28h]

  v10 = 0LL;
  puts("Input flag:");
  scanf("%s", &s1, 0LL);//存入s1
  if ( strlen(&s1) != 24 || (v3 = "nctf{", strncmp(&s1, "nctf{", 5uLL)) || *(&byte_6010BF + 24) != 125 )//s1有24位,开头是nctf{,最后一位是}(}的ASCII码是125)
  {
LABEL_22:
    puts("Wrong flag!");
    exit(-1);
  }
  v4 = 5LL;
  if ( strlen(&s1) - 1 > 5 )//strlen(&s1)=24
  {
    while ( 1 )
    {
      v5 = *(&s1 + v4);//v5等于{后的第一个字符
      v6 = 0;
      if ( v5 > 78 )
      {
        v5 = (unsigned __int8)v5;
        if ( (unsigned __int8)v5 == 79 )//O的ASCII码为79
        {
          v7 = sub_400650((char *)&v10 + 1);//sub_400650(1)
          goto LABEL_14;
        }
        if ( v5 == 111 )//o的ASCII码为111
        {
          v7 = sub_400660((char *)&v10 + 4, v3);//sub_400660(4,"nctf{")
          goto LABEL_14;
        }
      }
      else
      {
        v5 = (unsigned __int8)v5;
        if ( (unsigned __int8)v5 == 46 )//.的ASCII码为46
        {
          v7 = sub_400670(&v10, v3);
          goto LABEL_14;
        }
        if ( v5 == 48 )//0的ASCII码为48
        {
          v7 = sub_400680(&v10, v3);
LABEL_14:
          v6 = v7;
          goto LABEL_15;
        }//综上，有效输入只有Oo.0，输入其中之一，总会去到LABEL_15
      }
LABEL_15:
      v3 = (const char *)HIDWORD(v10);
      if ( !(unsigned __int8)sub_400690(asc_601060, HIDWORD(v10), (unsigned int)v10) )//要求sub_400690()返回值非零
        goto LABEL_22;
      if ( ++v4 >= strlen(&s1) - 1 )
      {
        if ( v6 )//v6非零
          break;
LABEL_20:
        v8 = "Wrong flag!";
        goto LABEL_21;
      }
    }
  }
  if ( asc_601060[8 * (signed int)v10 + SHIDWORD(v10)] != 35 )
      //#的ASCII码是35
    goto LABEL_20;
  v8 = "Congratulations!";
LABEL_21:
  puts(v8);
  return 0LL;
}

//输入O时，左移一位(左右操控的是高32位的值)
bool __fastcall sub_400650(_DWORD *a1)
{
  int v1; // eax

  v1 = (*a1)--;
  return v1 > 0;
}

//输入o时，右移一位
bool __fastcall sub_400660(int *a1)
{
  int v1; // eax

  v1 = *a1 + 1;
  *a1 = v1;
  return v1 < 8;
}

//输入.时，上移一位(上下操控的是低32位的值)
bool __fastcall sub_400670(_DWORD *a1)
{
  int v1; // eax

  v1 = (*a1)--;
  return v1 > 0;
}

//输入0时，下移一位
bool __fastcall sub_400680(int *a1)
{
  int v1; // eax

  v1 = *a1 + 1;
  *a1 = v1;
  return v1 < 8;//和8对比防止越界
}

__int64 __fastcall sub_400690(__int64 a1, int a2, int a3)
{
  __int64 result; // rax

  result = *(unsigned __int8 *)(a1 + a2 + 8LL * a3);
  LOBYTE(result) = (_DWORD)result == 32 || (_DWORD)result == 35;
  //空格的ASCII码是32，#的ASCII码是35
  return result;
}

.data:0000000000601060 asc_601060      db '  *******   *  **** * ****  * ***  *#  *** *** ***     *********',0

由上下左右的函数可知，迷宫应该是8*8的，而数据段asc_601060的字符刚好是64个，并且有个#，这个就是迷宫。

s = "  *******   *  **** * ****  * ***  *#  *** *** ***     *********" 
x = "" 
for i in s: 
    if i == ' ': 
        x += '0' 
    elif i == '*': 
        x += '1' 
    else:
        x += i 
print(x)
#每8个一行
'''
00111111
10001001
11101011
11001011
1001#001
11011101
11000001
11111111
'''
#nctf{o0oo00O000oooo..OO}