buuctf re [ACTF新生赛2020]Oruga
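/*
 * Entry point of the challenge binary (decompiled; IDA's types are kept so
 * the listing still matches the disassembly).
 *
 * Reads one whitespace-delimited token into s, requires it to start with
 * "actf{", and hands the whole buffer to sub_78A(), which consumes the
 * letters after that prefix as maze moves and expects a closing '}'.
 *
 * Security note: the shipped binary does `scanf("%s", s)` into a 40-byte
 * stack buffer with no field width, i.e. a stack buffer overflow on user
 * input; the fs:0x28 read (`__readfsqword(0x28u)`) at the top of the
 * original is the compiler's stack-protector canary, which is the only thing
 * standing between that overflow and a smashed return address.  The read is
 * width-limited here and its result is checked, so an EOF/empty read is
 * reported as "Format false!" instead of comparing a zeroed buffer.
 *
 * Returns 0 in every case; the verdict is only printed.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    char s[40];   /* user input: at most 39 bytes plus the terminating NUL */

    (void)a1;
    (void)a2;
    (void)a3;

    memset(s, 0, sizeof s);
    printf("Tell me the flag:");

    /* %39s: field width is sizeof s - 1 so the NUL always fits.  The prefix
     * test is what the original did with its 5-byte copy + strcmp. */
    if (scanf("%39s", s) != 1 || strncmp(s, "actf{", 5) != 0) {
        printf("Format false!");
        return 0LL;
    }

    if (sub_78A((__int64)s))
        printf("That's True Flag!");
    else
        printf("don't stop trying...");
    return 0LL;
}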
查看校验函数 sub_78A((__int64)s)，它以传入的缓冲区为输入，从 "actf{" 之后的第 5 个字节开始读取走迷宫的指令：
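/*
 * Maze walker behind the flag check (decompiled; IDA's types and the
 * original local names are kept so it can be matched against the binary).
 * The published listing had stray "w"/"e"/"m"/"j" tokens after four `if`
 * lines, which do not compile; they are folded into the switch below.
 *
 * a1 is the address of main()'s input buffer.  The walk consumes it from
 * offset 5, i.e. right after the "actf{" prefix main() has already checked.
 *
 * The board is byte_201020 read as 16 columns per row: the edge tests use
 * `v2 & 0xF`, `v2 % 16 == 15`, `v2 - 240 <= 0xF` and steps of +-16.  A cell
 * of 0 is open, 0x21 ('!') is the goal, and any other non-zero byte stops
 * the walker (a wall).
 *
 * Each input letter selects a direction: 'W' up, 'E' right, 'M' down,
 * 'J' left.  The walker then slides in that direction until it hits a
 * non-zero cell, which is why giving the same letter twice in a row is
 * rejected (the `v4 == <same direction>` arms of the original).  Sliding
 * off the 16x16 board also fails.  When a slide ends on '!' the byte after
 * the last letter must be '}'.
 *
 * Returns non-zero only when the walk reaches '!' and is followed by '}'.
 * Any other byte (including the string's NUL) fails the direction test, so
 * the routine never reads past the caller's NUL terminator; the unbounded
 * read in this challenge is main()'s scanf, not this function.
 */
_BOOL8 __fastcall sub_78A(__int64 a1)
{
    enum {
        COLS  = 16,
        UP    = -COLS,
        RIGHT = 1,
        DOWN  = COLS,
        LEFT  = -1,
        GOAL  = 0x21        /* '!' */
    };
    const unsigned char *in = (const unsigned char *)a1;
    int v2 = 0;             /* current cell index into byte_201020 */
    int v3 = 5;             /* next input byte to consume (just past "actf{") */
    int v4 = 0;             /* direction of the previous slide; 0 before the first */

    while (byte_201020[v2] != GOAL) {
        /* The previous slide stopped on the blocking cell; step back onto
         * the last open cell before choosing the next direction. */
        v2 -= v4;

        int next;
        switch (in[v3]) {
        case 'W': next = UP;    break;
        case 'E': next = RIGHT; break;
        case 'M': next = DOWN;  break;
        case 'J': next = LEFT;  break;
        default:  return 0;     /* not a move letter (also the NUL at end of input) */
        }
        if (next == v4)
            return 0;           /* repeating a direction can never make progress */
        v4 = next;
        ++v3;

        /* Slide until a non-zero cell; leaving the board is a failure.
         * The edge tests are kept verbatim from the binary. */
        while (!byte_201020[v2]) {
            if (v4 == LEFT  && (v2 & 0xF) == 0)
                return 0;
            if (v4 == RIGHT && v2 % 16 == 15)
                return 0;
            if (v4 == DOWN  && (unsigned int)(v2 - 240) <= 0xF)
                return 0;
            if (v4 == UP    && (unsigned int)(v2 + 15) <= 0x1E)
                return 0;
            v2 += v4;
        }
    }

    /* Reached '!': the path must be closed by the flag's '}'. */
    return in[v3] == '}';
}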
由 while ( byte_201020[v2] != 33 ) 可看出 0x21（'!'）为终点；内层 while ( !byte_201020[v2] ) 说明 0 为通路、其他非 0 字节为墙。
其中 byte_201020 的数据如下：
byte_201020 db 4 dup(0), 23h, 7 dup(0), 4 dup(23h), 3 dup(0), 2 dup(23h)
.data:0000000000201020 ; DATA XREF: sub_78A+23↑o
.data:0000000000201020 ; sub_78A+DC↑o
.data:0000000000201020 db 3 dup(0), 2 dup(4Fh), 0Eh dup(0), 2 dup(4Fh), 0, 2 dup(50h)
.data:0000000000201020 db 6 dup(0), 4Ch, 0, 2 dup(4Fh), 0, 2 dup(4Fh), 0, 2 dup(50h)
.data:0000000000201020 db 6 dup(0), 4Ch, 0, 2 dup(4Fh), 0, 2 dup(4Fh), 0, 50h
.data:0000000000201020 db 6 dup(0), 2 dup(4Ch), 0, 2 dup(4Fh), 4 dup(0), 50h
.data:0000000000201020 db 9 dup(0), 2 dup(4Fh), 4 dup(0), 50h, 4 dup(0), 23h
.data:0000000000201020 db 1Bh dup(0), 23h, 9 dup(0), 3 dup(4Dh), 3 dup(0), 23h
.data:0000000000201020 db 0Ah dup(0), 3 dup(4Dh), 4 dup(0), 2 dup(45h), 3 dup(0)
.data:0000000000201020 db 30h, 0, 4Dh, 0, 4Dh, 0, 4Dh, 4 dup(0), 45h, 0Fh dup(0)
.data:0000000000201020 db 2 dup(45h), 3 dup(54h), 49h, 0, 4Dh, 0, 4Dh, 0, 4Dh
.data:0000000000201020 db 4 dup(0), 45h, 2 dup(0), 54h, 0, 49h, 0, 4Dh, 0, 4Dh
.data:0000000000201020 db 0, 4Dh, 4 dup(0), 45h, 2 dup(0), 54h, 0, 49h, 0, 4Dh
.data:0000000000201020 db 0, 4Dh, 0, 4Dh, 21h, 3 dup(0), 2 dup(45h)
把 byte_201020 按每行 16 字节排成 16×16 的表即为迷宫（起点为下标 0，0 为通路，非 0 为墙，0x21 为终点），如下表所示：
00 00 00 00 23 00 00 00 00 00 00 00 23 23 23 23
00 00 00 23 23 00 00 00 4F 4F 00 00 00 00 00 00
00 00 00 00 00 00 00 00 4F 4F 00 50 50 00 00 00
00 00 00 4C 00 4F 4F 00 4F 4F 00 50 50 00 00 00
00 00 00 4C 00 4F 4F 00 4F 4F 00 50 00 00 00 00
00 00 4C 4C 00 4F 4F 00 00 00 00 50 00 00 00 00
00 00 00 00 00 4F 4F 00 00 00 00 50 00 00 00 00
23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00
00 00 00 00 00 00 4D 4D 4D 00 00 00 23 00 00 00
00 00 00 00 00 00 00 4D 4D 4D 00 00 00 00 45 45
00 00 00 30 00 4D 00 4D 00 4D 00 00 00 00 45 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 45
54 54 54 49 00 4D 00 4D 00 4D 00 00 00 00 45 00
00 54 00 49 00 4D 00 4D 00 4D 00 00 00 00 45 00
00 54 00 49 00 4D 00 4D 00 4D 21 00 00 00 45 45
从下标 0 出发，按 M 下、E 右、W 上、J 左、每步滑到撞墙为止的规则走到 0x21，路径为 MEWEMEWJMEWJM；加上 main 要求的 "actf{" 前缀和 sub_78A 末尾要求的 '}'，flag 为 actf{MEWEMEWJMEWJM}。