题目描述:菜鸡想要走出菜狗设计的迷宫
/*
 * Hex-Rays pseudocode of the crackme's main(). It reads the flag into the
 * global s1, checks the length (24) and the "nctf{" ... "}" framing, then
 * treats every character between the braces as one move in the 8x8 maze
 * stored at asc_601060.
 *
 * v10 holds the position. In the checks at LABEL_15 and after the loop the
 * low 32 bits are multiplied by 8 (row) and the high 32 bits are added as-is
 * (column). v10 starts at 0, i.e. row 0 / column 0.
 *
 * NOTE(review): the handlers' return value (v6) is only tested once the loop
 * has consumed the last move. On every earlier step the only check is
 * sub_400690(), which indexes the maze without a range check, so a coordinate
 * outside 0..7 is read from memory next to the 64-byte table instead of being
 * rejected.
 */
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
const char *v3; // rsi
signed __int64 v4; // rbx
signed int v5; // eax
char v6; // bp
char v7; // al
const char *v8; // rdi
__int64 v10; // [rsp+0h] [rbp-28h]
v10 = 0LL;
puts("Input flag:");
scanf("%s", &s1, 0LL);// stores the input in the global s1; NOTE(review): "%s" carries no field width, so the read is not bounded by s1's size (not shown here)
if ( strlen(&s1) != 24 || (v3 = "nctf{", strncmp(&s1, "nctf{", 5uLL)) || *(&byte_6010BF + 24) != 125 )// s1 must be 24 characters long, start with "nctf{" and end with '}' (ASCII 125); byte_6010BF + 24 is presumably s1[23] - confirm s1's address
{
LABEL_22:
puts("Wrong flag!");
exit(-1);
}
v4 = 5LL;// index of the first character after "nctf{"
if ( strlen(&s1) - 1 > 5 )// strlen(&s1) is 24 here, so the loop always runs
{
while ( 1 )
{
v5 = *(&s1 + v4);// current move character; on the first pass it is the character right after '{'
v6 = 0;
if ( v5 > 78 )
{
v5 = (unsigned __int8)v5;
if ( (unsigned __int8)v5 == 79 )// 'O' is ASCII 79
{
v7 = sub_400650((char *)&v10 + 1);// 'O' handler. NOTE(review): the +1 offset is as printed; the writeup treats the target as the high 32 bits of v10 - confirm against the disassembly
goto LABEL_14;
}
if ( v5 == 111 )// 'o' is ASCII 111
{
v7 = sub_400660((char *)&v10 + 4, v3);// 'o' handler on the 4 bytes at offset 4 of v10 (its high 32 bits); v3 is a leftover second argument
goto LABEL_14;
}
}
else
{
v5 = (unsigned __int8)v5;
if ( (unsigned __int8)v5 == 46 )// '.' is ASCII 46
{
v7 = sub_400670(&v10, v3);// '.' handler on the low 32 bits of v10
goto LABEL_14;
}
if ( v5 == 48 )// '0' is ASCII 48
{
v7 = sub_400680(&v10, v3);// '0' handler on the low 32 bits of v10
LABEL_14:
v6 = v7;
goto LABEL_15;
}// only 'O', 'o', '.' and '0' call a handler; any other byte also reaches LABEL_15, with v6 still 0 and the position unchanged
}
LABEL_15:
v3 = (const char *)HIDWORD(v10);
if ( !(unsigned __int8)sub_400690(asc_601060, HIDWORD(v10), (unsigned int)v10) )// the cell at the new position must make sub_400690() return non-zero (a space or '#')
goto LABEL_22;
if ( ++v4 >= strlen(&s1) - 1 )// stop before the closing '}'
{
if ( v6 )// the last move's handler must have returned non-zero
break;
LABEL_20:
v8 = "Wrong flag!";
goto LABEL_21;
}
}
}
if ( asc_601060[8 * (signed int)v10 + SHIDWORD(v10)] != 35 )
// '#' is ASCII 35: the final cell (row * 8 + column) must be the goal
goto LABEL_20;
v8 = "Congratulations!";
LABEL_21:
puts(v8);
return 0LL;
}
/*
 * Handler for 'O': move one cell to the left by decrementing the coordinate
 * a1 points to (the writeup identifies left/right as the high 32 bits of
 * main's v10).
 *
 * Returns true when the value held before the decrement was greater than 0.
 * The decrement is applied in either case, so the stored coordinate is
 * lowered even when the function reports false.
 */
bool __fastcall sub_400650(_DWORD *a1)
{
    int before = *a1;

    *a1 -= 1;
    return before > 0;
}
/*
 * Handler for 'o': move one cell to the right by incrementing the coordinate
 * a1 points to.
 *
 * Returns true when the incremented value is still below 8. The new value is
 * stored whether or not it is in range.
 */
bool __fastcall sub_400660(int *a1)
{
    return ++*a1 < 8;
}
/*
 * Handler for '.': move one cell up by decrementing the coordinate a1 points
 * to (the writeup identifies up/down as the low 32 bits of main's v10).
 *
 * Returns true when the value held before the decrement was greater than 0;
 * the decrement itself is unconditional.
 */
bool __fastcall sub_400670(_DWORD *a1)
{
    int old_value = *a1;

    --*a1;
    return old_value > 0;
}
/*
 * Handler for '0': move one cell down by incrementing the coordinate a1
 * points to.
 *
 * Returns true when the incremented value is still below 8, the comparison
 * that keeps the coordinate inside the 8-wide grid. The new value is stored
 * whether or not it is in range.
 */
bool __fastcall sub_400680(int *a1)
{
    *a1 += 1;
    return *a1 < 8;
}
/*
 * Cell test used after every move. Reads the byte at a1 + a2 + 8 * a3 and
 * returns 1 when it is a space (ASCII 32) or '#' (ASCII 35), otherwise 0.
 * main() calls it with a1 = asc_601060, a2 = HIDWORD(v10) and a3 = the low
 * 32 bits of v10.
 *
 * NOTE(review): a2 and a3 are used as given, with no range check, so the
 * read stays inside the 64-byte table only if the caller keeps both in 0..7.
 */
__int64 __fastcall sub_400690(__int64 a1, int a2, int a3)
{
    unsigned __int8 cell = *(unsigned __int8 *)(a1 + a2 + 8LL * a3);

    return cell == 32 || cell == 35;
}
.data:0000000000601060 asc_601060 db '  *******   *  **** * ****  * ***  *#  *** *** ***     *********',0
由上下左右的函数可知,迷宫应该是8*8的,而数据段asc_601060的字符刚好是64个,并且有个#,这个就是迷宫。
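# Maze bytes from asc_601060. Runs of spaces had been collapsed in the pasted
# literal, leaving fewer than 64 characters; the string below is restored from
# the 8x8 grid this script is shown to print.
s = "  *******   *  **** * ****  * ***  *#  *** *** ***     *********"
assert len(s) == 64  # 8 rows of 8 cells

# Open cells (' ') become '0', walls ('*') become '1'; '#' (the goal) is kept.
x = s.translate(str.maketrans({' ': '0', '*': '1'}))

# Print 8 cells per row.
for start in range(0, len(x), 8):
    print(x[start:start + 8])

# Output:
# 00111111
# 10001001
# 11101011
# 11001011
# 1001#001
# 11011101
# 11000001
# 11111111
#
# Starting in the top-left cell and following the '0' cells to '#'
# (o = right, O = left, 0 = down, . = up) gives the flag:
# nctf{o0oo00O000oooo..OO}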