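Download the attachment and load it into IDA.
The flow of main is fairly clear: it reads the input, checks that the first five characters are "actf{", and then passes the remaining characters to the check function for comparison.
As soon as I got into check I saw four branches, so this is almost certainly a maze challenge. The function has an outer and an inner loop: the outer loop picks the direction and the inner loop performs the movement. Unlike the usual maze challenge, a move here keeps going until it runs into a non-zero character. The logic is a little convoluted; what confused me most was the posi-=step in the outer loop, which is actually there to undo the one extra step taken by the inner loop.
A maze challenge has two ingredients: the maze map and the direction keys. The maze itself can be identified from the exit condition of the inner loop. The mapping between WEMJ and up/down/left/right follows from the code: +1 moves right, -1 moves left, +16 moves down and -16 moves up. Working through it, J, M, E and W correspond to left, down, right and up respectively.
Then write a script to reconstruct the maze map: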
```python
#!/usr/bin/env python3
# Maze array taken from the binary: 256 entries, a 16x16 grid stored row by row.
s = [
    0, 0, 0, 0, 35, 0, 0, 0, 0, 0, 0, 0, 35, 35, 35, 35,
    0, 0, 0, 35, 35, 0, 0, 0, 79, 79, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 79, 79, 0, 80, 80, 0, 0, 0,
    0, 0, 0, 76, 0, 79, 79, 0, 79, 79, 0, 80, 80, 0, 0, 0,
    0, 0, 0, 76, 0, 79, 79, 0, 79, 79, 0, 80, 0, 0, 0, 0,
    0, 0, 76, 76, 0, 79, 79, 0, 0, 0, 0, 80, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 79, 79, 0, 0, 0, 0, 80, 0, 0, 0, 0,
    35, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 35, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 77, 77, 77, 0, 0, 0, 35, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 77, 77, 77, 0, 0, 0, 0, 69, 69,
    0, 0, 0, 48, 0, 77, 0, 77, 0, 77, 0, 0, 0, 0, 69, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69, 69,
    84, 84, 84, 73, 0, 77, 0, 77, 0, 77, 0, 0, 0, 0, 69, 0,
    0, 84, 0, 73, 0, 77, 0, 77, 0, 77, 0, 0, 0, 0, 69, 0,
    0, 84, 0, 73, 0, 77, 0, 77, 0, 77, 33, 0, 0, 0, 69, 69,
]

for i in range(16):
    for j in range(16):
        if s[16*i+j] == 0:
            print(end='.')  # empty cell
            continue
        print(chr(s[16*i+j]), end='')  # obstacle, shown as its ASCII character
    print(end='\n')
```
```
....#.......####
...##...OO......
........OO.PP...
...L.OO.OO.PP...
...L.OO.OO.P....
..LL.OO....P....
.....OO....P....
#...............
............#...
......MMM...#...
.......MMM....EE
...0.M.M.M....E.
..............EE
TTTI.M.M.M....E.
.T.I.M.M.M....E.
.T.I.M.M.M!...EE
```
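A small trick here: describe the moves with the familiar AWDS keys first, and once you have the target route, swap in the challenge's own direction keys. That gives the flag actf{MEWEMEWJMEWJM}; replace actf with flag and submit it.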
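An added example, not part of the original write-up: a breadth-first search that recovers the key sequence from the printed map, using the slide-until-blocked rule and the J/M/E/W mapping described above. It assumes the walk starts in the top-left cell, that '!' is the exit, and that a slide running off the grid is rejected; the names slide and solve are illustrative.

```python
from collections import deque

# Map as printed by the script above ('.' is an empty cell, i.e. value 0).
MAZE = """
....#.......#### ...##...OO...... ........OO.PP... ...L.OO.OO.PP...
...L.OO.OO.P.... ..LL.OO....P.... .....OO....P.... #...............
............#... ......MMM...#... .......MMM....EE ...0.M.M.M....E.
..............EE TTTI.M.M.M....E. .T.I.M.M.M....E. .T.I.M.M.M!...EE
""".split()
# Key mapping from the write-up: J=left, M=down, E=right, W=up.
MOVES = {"J": (0, -1), "M": (1, 0), "E": (0, 1), "W": (-1, 0)}
START, GOAL = (0, 0), "!"  # assumptions: start top-left, '!' marks the exit


def slide(pos, key):
    """Slide until blocked. Returns (stop_cell, blocker), or None if the
    slide would leave the grid (assumption: such a move is rejected)."""
    (r, c), (dr, dc) = pos, MOVES[key]
    while True:
        nr, nc = r + dr, c + dc
        if not (0 <= nr < 16 and 0 <= nc < 16):
            return None
        if MAZE[nr][nc] != ".":
            return (r, c), MAZE[nr][nc]
        r, c = nr, nc


def solve():
    """BFS over stop cells; shortest key string whose last slide hits GOAL."""
    queue, seen = deque([(START, "")]), {START}
    while queue:
        pos, path = queue.popleft()
        for key in MOVES:
            result = slide(pos, key)
            if result is None:
                continue
            stop, blocker = result
            if blocker == GOAL:
                return path + key
            if stop not in seen:
                seen.add(stop)
                queue.append((stop, path + key))
    return None


if __name__ == "__main__":
    print("actf{%s}" % solve())
```

Under these assumptions every slide that does not end against an obstacle runs off the grid, so the search has exactly one branch to follow at each step.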