2020 极客巅峰RE wp

virus:

拖入ida32,加载符号表,进入主函数

// Decompiled body of main as pasted in the write-up. The declarations are not
// shown, and a few variable names do not line up (see the NOTE(review) lines).
puts("There is a long way to defeat it.");
scanf("%s", flag);// "%s" carries no field width, so the read is not bounded by the size of flag
v12 = strlen(flag);
v6[0] = 0;
v6[1] = 0;
v6[2] = 0;
v6[3] = 0;
v7 = 0;
v11 = 0;
v8 = 0;
// NOTE(review): v9 is never assigned in this listing; presumably it is the input length (v12) — confirm.
for ( i = 0; i < v9; ++i )
  {
    if ( flag[i] == '-' )// record the index of each '-' in v6
    {
      v3 = v11++;
      v6[v3] = i;
    }
    // NOTE(review): v14 is not defined in this listing; presumably it limits the digit
    // check to the characters before the first '-' — confirm against the binary.
    if ( !v14 )
    {
      v5[i] = flag[i] - '0';// ASCII digit to int
      if ( v5[i] > 9 || v5[i] < 0 )// must be a digit 0-9
        return 0;
    }
  }
  if ( v11 != 4 )// exactly four '-' are required
    return 0;
  v10 = v12;
  for ( i = 1; i <= v11; ++i )
  {
    // NOTE(review): the length is stored in v11 but the next line compares v8, and v11 is
    // also the loop bound; presumably these are distinct variables in the binary — confirm.
    v11 = v6[i] - v6[i - 1] - 1;// number of characters between two adjacent '-'
    if ( step[i] != v8 )// segment length must equal the fixed value (19,25,26,28)
      return 0;
    // strncpy adds no terminator when it copies exactly v11 characters, so the strlen in
    // check_flag presumably relies on road being zero-filled beforehand — confirm.
    strncpy(&road[200 * i], &flag[v6[i - 1] + 1], v11);// copy each segment, in input order, into its 200-byte slot of road (road[1024] per the write-up)
  }
  for ( i = 0; i <= 3; ++i )
  {
    // v5[i] (one of the leading digits) selects the maze; a non-zero return means the path failed.
    if ( check_flag((int)&global_map[200 * v5[i]], v5[i], &road[200 * i + 200]) )// walk the maze
    {
      puts("How about try again?");
      return 0;
    }
    if ( i == 3 )
      printf("Great! We will defeat it!!! your flag is flag{%s}", flag);
  }

进入check_flag函数

/*
 * Walk one maze with a path of w/a/s/d moves.
 *
 * a1  - address of the maze bytes, carried in an int (the caller passes
 *       (int)&global_map[200 * index], so this only works where a pointer
 *       fits in an int, i.e. the 32-bit target).
 * a2  - maze index; start[2 * a2] and dword_403444[2 * a2] give the starting
 *       row and column (presumably one array of row/column pairs — confirm).
 * Str - NUL-terminated path string.
 *
 * Returns 0 when every intermediate cell is '.' and the final cell is 'd';
 * returns non-zero on an unknown move, on leaving the grid, or on any other
 * cell. An empty path falls out of the loop and returns 0.
 *
 * NOTE(review): rows 0..10 are accepted with 20 bytes per row, i.e. offsets up
 * to 219, while the caller spaces mazes 200 bytes apart; row 10 would therefore
 * read past one maze's slot — confirm the real grid height in the binary.
 */
BOOL __cdecl check_flag(int a1, int a2, char *Str)
{
  signed int path_len = strlen(Str);
  int row = start[2 * a2];
  int col = dword_403444[2 * a2];
  int idx = 0;

  while ( idx < path_len )
  {
    char move = Str[idx];

    /* w/s move along rows, a/d along columns; anything else is rejected. */
    if ( move == 'w' )
      --row;
    else if ( move == 's' )
      ++row;
    else if ( move == 'a' )
      --col;
    else if ( move == 'd' )
      ++col;
    else
      return 1;

    /* Stay inside the grid before touching the maze bytes. */
    if ( col < 0 || col > 19 || row < 0 || row > 10 )
      return 1;

    /* The last move must land on the 'd' cell. */
    if ( idx == path_len - 1 )
      return *(_BYTE *)(a1 + 20 * row + col) != 'd';

    /* Every earlier move must land on a free '.' cell. */
    if ( *(_BYTE *)(a1 + 20 * row + col) != '.' )
      return 1;

    ++idx;
  }
  return idx;
}

根据上面的代码和迷宫可得路径

第一个迷宫 第二个迷宫 第三个迷宫 第四个迷宫
dddddddddsssssaaaaaaaaawww sdsdsdsdsdsdsddwdwdwdwdwdwdw aaaaaaaaasssssssddddddddd wwwwwdddddddddsssss

所以可得脚本

# Rebuild the flag from the four hand-solved maze paths.
# Note: despite its name, global_map holds the solved w/a/s/d paths (maze 1..4),
# not the maze data from the binary.
global_map = [
    'dddddddddsssssaaaaaaaaawww',
    'sdsdsdsdsdsdsddwdwdwdwdwdwdw',
    'aaaaaaaaasssssssddddddddd',
    'wwwwwdddddddddsssss',
]
# Required segment lengths, in the order the program checks them.
step = [19, 25, 26, 28]
tmp = [0, 0, 0, 0]

# For each required length, find the path with that length; its 1-based
# maze number becomes the next leading digit of the flag.
digits = []
for slot, wanted in enumerate(step):
    for number, path in enumerate(global_map, start=1):
        if len(path) == wanted:
            tmp[slot] = number
            digits.append(str(number))

flag = 'flag{' + ''.join(digits)
# Append the paths in the same order as the digits, each preceded by '-'.
flag += ''.join('-' + global_map[tmp[k] - 1] for k in range(4))
flag += '}'
print(flag)
#flag{4312-wwwwwdddddddddsssss-aaaaaaaaasssssssddddddddd-dddddddddsssssaaaaaaaaawww-sdsdsdsdsdsdsddwdwdwdwdwdwdw}

fu!k_py:

文件是一个pyc,找个在线反编译pyc的网站跑一下。

得到python源码

# Decompiled source of the .pyc: one single Python 2 expression (it uses raw_input and __builtin__).
# What the visible checks require, in order:
#   - len(input) == 87, input[0:5] == 'flag{' and input[-1] == '}'
#   - context = input[5:-1] is cut into nine 9-character rows d[0]..d[8]
#   - a set of fixed cells (d[0][2] == '5', d[0][3] == '3', ...); every comparison is joined with `or`,
#     so each listed cell must match
#   - h1..h9 (rows), l1..l9 (columns) and k1..k9 (3x3 boxes) must each sum to 45 (check)
#     and consist of 9 distinct characters (check1)
# NOTE(review): the line breaks in this listing look like page wrapping; one of them falls inside the
# 'Yes! ... You got it!' string literal, so the text will not parse exactly as printed.
(lambda __g, __print: [ [ (lambda __after: [ (lambda __after: (__print('Error len!'), (exit(), __after())[1])[1] if len(input) != 87 else __after())(lambda : [ [ [ [ (lambda __after: (__print('Error fmt!'), (exit(0), __after())[1])[1] if fmt1 != 'flag{' or fmt2 != '}' else __after())(lambda : (d.append(context[0:9]), (d.append(context[9:18]), (d.append(context[18:27]), (d.append(context[27:36]), (d.append(context[36:45]), (d.append(context[45:54]), (d.append(context[54:63]), (d.append(context[63:72]), (d.append(context[72:81]), [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[0][2] != '5' or d[0][3] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[1][0] != '8' or d[1][7] != '2' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[2][1] != '7' or d[2][4] != '1' or d[2][6] != '5' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[3][0] != '4' or d[3][5] != '5' or d[3][6] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[4][1] != '1' or d[4][4] != '7' or d[4][8] != '6' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[5][2] != '3' or d[5][3] != '2' or d[5][7] != '8' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[6][1] != '6' or d[6][3] != '5' or d[6][8] != '9' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[7][2] != '4' or d[7][7] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[8][5] != '9' or d[8][6] != '7' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(h1) != 45 or check(h2) != 45 or check(h3) != 45 or check(h4) != 45 or check(h5) != 45 or check(h6) != 45 or check(h7) != 45 
or check(h8) != 45 or check(h9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(l1) != 45 or check(l2) != 45 or check(l3) != 45 or check(l4) != 45 or check(l5) != 45 or check(l6) != 45 or check(l7) != 45 or check(l8) != 45 or check(l9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(k1) != 45 or check(k2) != 45 or check(k3) != 45 or check(k4) != 45 or check(k5) != 45 or check(k6) != 45 or check(k7) != 45 or check(k8) != 45 or check(k9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(h1) != 1 or check1(h2) != 1 or check1(h3) != 1 or check1(h4) != 1 or check1(h5) != 1 or check1(h6) != 1 or check1(h7) != 1 or check1(h8) != 1 or check1(h9) != 1 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(l1) != 1 or check1(l2) != 1 or check1(l3) != 1 or check1(l4) != 1 or check1(l5) != 1 or check1(l6) != 1 or check1(l7) != 1 or check1(l8) != 1 or check1(l9) != 1 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(k1) != 1 or check1(k2) != 1 or check1(k3) != 1 or check1(k4) != 1 or check1(k5) != 1 or check1(k6) != 1 or check1(k7) != 1 or check1(k8) != 1 or check1(k9) != 1 else __after())(lambda : (__print('Yes! 
You got it!'), __after())[1]))))))))))))))) for __g['k9'] in [context[60] + context[61] + context[62] + context[69] + context[70] + context[71] + context[78] + context[79] + context[80]] ][0] for __g['k8'] in [context[57] + context[58] + context[59] + context[66] + context[67] + context[68] + context[75] + context[76] + context[77]] ][0] for __g['k7'] in [context[54] + context[55] + context[56] + context[63] + context[64] + context[65] + context[72] + context[73] + context[74]] ][0] for __g['k6'] in [context[33] + context[34] + context[35] + context[42] + context[43] + context[44] + context[51] + context[52] + context[53]] ][0] for __g['k5'] in [context[30] + context[31] + context[32] + context[39] + context[40] + context[41] + context[48] + context[49] + context[50]] ][0] for __g['k4'] in [context[27] + context[28] + context[29] + context[36] + context[37] + context[38] + context[45] + context[46] + context[47]] ][0] for __g['k3'] in [context[6] + context[7] + context[8] + context[15] + context[16] + context[17] + context[24] + context[25] + context[26]] ][0] for __g['k2'] in [context[3] + context[4] + context[5] + context[12] + context[13] + context[14] + context[21] + context[22] + context[23]] ][0] for __g['k1'] in [context[0] + context[1] + context[2] + context[9] + context[10] + context[11] + context[18] + context[19] + context[20]] ][0] for __g['l9'] in [context[8] + context[17] + context[26] + context[35] + context[44] + context[53] + context[62] + context[71] + context[80]] ][0] for __g['l8'] in [context[7] + context[16] + context[25] + context[34] + context[43] + context[52] + context[61] + context[70] + context[79]] ][0] for __g['l7'] in [context[6] + context[15] + context[24] + context[33] + context[42] + context[51] + context[60] + context[69] + context[78]] ][0] for __g['l6'] in [context[5] + context[14] + context[23] + context[32] + context[41] + context[50] + context[59] + context[68] + context[77]] ][0] for __g['l5'] in [context[4] + context[13] + 
context[22] + context[31] + context[40] + context[49] + context[58] + context[67] + context[76]] ][0] for __g['l4'] in [context[3] + context[12] + context[21] + context[30] + context[39] + context[48] + context[57] + context[66] + context[75]] ][0] for __g['l3'] in [context[2] + context[11] + context[20] + context[29] + context[38] + context[47] + context[56] + context[65] + context[74]] ][0] for __g['l2'] in [context[1] + context[10] + context[19] + context[28] + context[37] + context[46] + context[55] + context[64] + context[73]] ][0] for __g['l1'] in [context[0] + context[9] + context[18] + context[27] + context[36] + context[45] + context[54] + context[63] + context[72]] ][0] for __g['h9'] in [context[72:81]] ][0] for __g['h8'] in [context[63:72]] ][0] for __g['h7'] in [context[54:63]] ][0] for __g['h6'] in [context[45:54]] ][0] for __g['h5'] in [context[36:45]] ][0] for __g['h4'] in [context[27:36]] ][0] for __g['h3'] in [context[18:27]] ][0] for __g['h2'] in [context[9:18]] ][0] for __g['h1'] in [context[0:9]] ][0])[1])[1])[1])[1])[1])[1])[1])[1])[1]) for __g['d'] in [[]] ][0] for __g['context'] in [input[5:-1]] ][0] for __g['fmt2'] in [input[(-1)]] ][0] for __g['fmt1'] in [input[0:5]] ][0])
 for __g['input'] in [raw_input('Input your flag:')] ][0] if __name__ == '__main__' else __after())(lambda : None)
 for __g['check1'], check1.__name__ in [(lambda arg: (lambda __l: [ (lambda __after: 0 if len(list(set(__l['arg']))) != 9 else 1)(lambda : None) for __l['arg'] in [arg] ][0])({}), 'check1')] ][0]
 for __g['check'], check.__name__ in [(lambda arg: (lambda __l: [ sum(map(int, __l['arg'])) for __l['arg'] in [arg] ][0])({}), 'check')] ][0])(globals(), __import__('__builtin__', level=0).__dict__['print'])

由此代码

# Fixed-cell checks, one line per row of the grid: d[row][col], both indices 0-based.
# Each condition is the failure test, so every listed cell has to hold the given digit.
# NOTE(review): the one-line source quoted earlier on this page joins every comparison
# with `or`; the `and` in the d[2]..d[6] lines below does not agree with it (likely a
# decompiler artifact — confirm). With `and`, a grid with only one of those cells wrong
# would not be rejected by that line; the table and the answer assume the `or` form.
if d[0][2] != '5' or d[0][3] != '3':
if d[1][0] != '8' or d[1][7] != '2':
if d[2][1] != '7' and d[2][4] != '1' or d[2][6] != '5':
if d[3][0] != '4' and d[3][5] != '5' or d[3][6] != '3':
if d[4][1] != '1' and d[4][4] != '7' or d[4][8] != '6':
if d[5][2] != '3' and d[5][3] != '2' or d[5][7] != '8':
if d[6][1] != '6' and d[6][3] != '5' or d[6][8] != '9':
if d[7][2] != '4' or d[7][7] != '3':
if d[8][5] != '9' or d[8][6] != '7':

可得一个表

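行/列 1 2 3 4 5 6 7 8 9   (. 表示未给出的格子)
1     . . 5 3 . . . . .
2     8 . . . . . . 2 .
3     . 7 . . 1 . 5 . .
4     4 . . . . 5 3 . .
5     . 1 . . 7 . . . 6
6     . . 3 2 . . . 8 .
7     . 6 . 5 . . . . 9
8     . . 4 . . . . 3 .
9     . . . . . 9 7 . .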

9x9的表加上flag{}正好是87个字符,满足python源码第一行的对长度的判断。

而下面的代码

# Group checks: h1..h9 are the rows, l1..l9 the columns, k1..k9 the 3x3 boxes.
# check(x) sums the digits of a group (must be 45); check1(x) is 1 only when the
# group holds 9 distinct characters.
# NOTE(review): the one-line source quoted earlier on this page joins all nine
# comparisons of each line with `or`, so every group must pass; the `and` chains
# below do not agree with it (likely a decompiler artifact — confirm).
if check(h1) != 45 and check(h2) != 45 and check(h3) != 45 and check(h4) != 45 and check(h5) != 45 and check(h6) != 45 and check(h7) != 45 and check(h8) != 45 or check(h9) != 45:
if check(l1) != 45 and check(l2) != 45 and check(l3) != 45 and check(l4) != 45 and check(l5) != 45 and check(l6) != 45 and check(l7) != 45 and check(l8) != 45 or check(l9) != 45:
if check(k1) != 45 and check(k2) != 45 and check(k3) != 45 and check(k4) != 45 and check(k5) != 45 and check(k6) != 45 and check(k7) != 45 and check(k8) != 45 or check(k9) != 45:
if check1(h1) != 1 and check1(h2) != 1 and check1(h3) != 1 and check1(h4) != 1 and check1(h5) != 1 and check1(h6) != 1 and check1(h7) != 1 and check1(h8) != 1 or check1(h9) != 1:
if check1(l1) != 1 and check1(l2) != 1 and check1(l3) != 1 and check1(l4) != 1 and check1(l5) != 1 and check1(l6) != 1 and check1(l7) != 1 and check1(l8) != 1 or check1(l9) != 1:
if check1(k1) != 1 and check1(k2) != 1 and check1(k3) != 1 and check1(k4) != 1 and check1(k5) != 1 and check1(k6) != 1 and check1(k7) != 1 and check1(k8) != 1 or check1(k9) != 1:

则是对每一行(h)、每一列(l)和以三行三列为一个块(k)的数据和进行判断,且刚好就是1+2+3+4+5+6+7+8+9=45;check1则要求每组的9个字符互不相同。猜测是数独表,用网上的在线数独求解器求解。

解得145327698839654127672918543496185372218473956753296481367542819984761235521839764,套上flag即可得到答案。

原文地址:https://www.cnblogs.com/b1ank/p/13739115.html