
2024 强网杯 (QWB) CTF Retrospective

bbox

At first glance the main function looks like a maze; reading the logic shows it is actually Sokoban. In short, 2 is the player, 3 is a box and 4 is a target (1 is a wall, 0 is floor).

This is the handler for d: if the player is not already in the rightmost column (19), the column is incremented; y_1 is the new column index and x the row index. n should be the number of levels: 5600 / 400 = 14 levels, each a 20×20 grid.

Concatenating the shortest solution of each of the first nine levels (counted in box pushes; the annotation after each level in the dump below records it) gives 212139211325313, whose MD5 is fec2d316d20dbacbe0cdff8fb6ff07b9. The last five levels are clearly not puzzles: four of them draw the characters qwb! with wall cells and the fifth is all-zero padding. Flag: flag{qwb!_fec2d316d20dbacbe0cdff8fb6ff07b9}

The 14 dumped levels (20 rows of 20 cells each; 1 wall, 0 floor, 2 player, 3 box, 4 target):

11111111111111111111 
11111111111111111111
11411111111111111111
11030011111111111111   
11011011111111111111
00000211111111111111
11101111111111111111
11101111111111111111
01100110001000100010
01000000001000100010
01000000001000111110
01111111111000000010
00000000001000000010
00001111111000111110
00001000001000100010
01111000001000100010
01000000001111100010
01000000000000000010
01000000001111100010
01000000000000000010//2
00000000000000000000
01111111111111111110
01000000000000000010
01200300040000000010
01000000000000000010
01111111111111101110
01000000000000000010
01000011111000111110
01000010001000100010
01111110001000100010
00000010000000100010
00111110001000111110
00100000001000000010
00100010111000111110
00100030001000100010
00111100001000100010
00400000001000100010
01111111111000100010
01000000000000000010
01000000000000000010//4+8=12
11111111111111111111
14000000000000000001
10111111111111100001
10100000000000100001
10100000000000100001
10103000000000100001
10111011101111100001
10000000000000000001
10111111111111011111
10000000100000000001
10000000000000001001
10000000100000001001
11111111100000001001
10000000000000002001
11111111111111111111
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000//13
11111111111111111111
14000000000000000001
10000001111111000001
10000000300001000001
10000001000001000001
10000001000021000001
10000001111111000001
10000000000000000001
11111111111111111111
10000000100000000001
10000000100000000111
10000000100000000100
10111111100000000100
10000000000000000100
11111111111111111111
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000//9
11111111111111111111
10000000000000000001
10111111111111111001
10100000000000001001
10101111111111111001
10101000000000001001
10101011111111111001
10101010000000000001
10101010111111111101
10001000100000000001
11111111111111111111
10000000000000100001
10000001111111101101
10000001000000001001
11111111111111111111
10000000000000040001
10000001111111110101
10000000000000300001
11111011111111101111
10000000000000020001//21
11111111111111111111
14000003000000000001
10111111111111100001
10100000002000000001
10101111111111101101
10101000001000001001
10101011111011101001
10001010001010001001
10111010101010101101
10100000000000000001
11111111111111101111
10000001000000000001
10000001111111011101
10000001000000301001
11111111400000001001
10000000000000001001
10111111111111111001
10100000000000000001
11111111111111111111
10000000000000000001//6+7=13
11111111111111111111
10000010000000000001
10111111111111111001
10100000000000001001
10101111111111111001
10101000021000000001
10101011111011111101
10101010000010000001
10001010111110111101
11111010100000100001
10000010101111101101
10111110101000001001
10100000101011111001
10101111101010000001
10003000000000111111
11111011111010100001
10000000000010101111
10111111111110001001
14000000000000001001
11111111111111111111//25
11111111111111111111
14000000000002003001
10111011111111111001
10100000000000000001
10101111111011111001
10101400001000001001
10101011111010101001
10101010001010101001
10101010111010101101
10003000100000000001
10111011111111111101
10000001000010000001
11111111111111111101
10003000000000041001
10111111111111111001
10100000001000000001
10101111111011111101
10101000001000001001
10101011111111111001
10000000000000000001//15+5+11=31
11111111111111111111
10000000000000100001
10111111111111111001
10100000000000001001
10101111111111111001
10101000000000000001
10101110111011111101
10001013001010001001
11111002111010101001
10000010100000101001
10111114101111111001
10100000001000000001
10101111101111111101
10101000000000001001
10001111111111111001
11111000000000000001
10000011111111111101
10111110000000000001
10100000000000000001
11111111111111111111//3
11111111111111111111
11111111111111111111
11111111111111111111
11100000000001111111
11101111111101111111
11101111111101111111
11101111111101111111
11101111111101111111
11101111111101111111
11100000000001111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111101111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11011110111101111111
11011110111101111111
11011110111101111111
11011110111101111111
11011110111101111111
11101110111011111111
11101110111011111111
11101101010111111111
11110101010111111111
11110101010111111111
11111011101111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11101111111111111111
11101111111111111111
11101111111111111111
11101111111111111111
11101111111111111111
11100000000011111111
11101111111011111111
11101111111011111111
11101111111011111111
11101111111011111111
11101111111011111111
11101111111011111111
11100000000011111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111111111111111111
11111110000011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110111011111111
11111110000011111111
11111111111111111111
11111111111111111111
11111111000111111111
11111111010111111111
11111111010111111111
11111111000111111111
11111111111111111111
11111111111111111111
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
00000000000000000000
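The push counts above were read off by hand. As an added example (not code from the original write-up), here is a minimum-push Sokoban solver for this level format, with the first two dumped levels embedded as sample input; running it over all nine puzzle levels reproduces the concatenated count string the flag is built from. The solver does a BFS over (box set, canonical player square) where each edge is one push, and prunes boxes on squares from which no target is reachable.

```python
# Added example, not code from the write-up: a minimum-push Sokoban solver for the
# bbox level format (1 = wall, 0 = floor, 2 = player, 3 = box, 4 = target).
# LEVEL_1 and LEVEL_2 are copied from the first two levels of the dump above.
import hashlib
from collections import deque

DIRS = ((-1, 0), (1, 0), (0, -1), (0, 1))

LEVEL_1 = (
    "11111111111111111111", "11111111111111111111", "11411111111111111111", "11030011111111111111",
    "11011011111111111111", "00000211111111111111", "11101111111111111111", "11101111111111111111",
    "01100110001000100010", "01000000001000100010", "01000000001000111110", "01111111111000000010",
    "00000000001000000010", "00001111111000111110", "00001000001000100010", "01111000001000100010",
    "01000000001111100010", "01000000000000000010", "01000000001111100010", "01000000000000000010",
)
LEVEL_2 = (
    "00000000000000000000", "01111111111111111110", "01000000000000000010", "01200300040000000010",
    "01000000000000000010", "01111111111111101110", "01000000000000000010", "01000011111000111110",
    "01000010001000100010", "01111110001000100010", "00000010000000100010", "00111110001000111110",
    "00100000001000000010", "00100010111000111110", "00100030001000100010", "00111100001000100010",
    "00400000001000100010", "01111111111000100010", "01000000000000000010", "01000000000000000010",
)

def parse_level(rows):
    """Split a level into walls, the player square, the box set and the target set."""
    walls, boxes, targets, player = set(), set(), set(), None
    for r, row in enumerate(rows):
        for c, ch in enumerate(row):
            if ch == "1":
                walls.add((r, c))
            elif ch == "2":
                player = (r, c)
            elif ch == "3":
                boxes.add((r, c))
            elif ch == "4":
                targets.add((r, c))
    return walls, player, frozenset(boxes), frozenset(targets)

def reachable(start, floors, boxes):
    """Flood fill: every square the player can walk to without pushing anything."""
    seen, stack = {start}, [start]
    while stack:
        r, c = stack.pop()
        for dr, dc in DIRS:
            n = (r + dr, c + dc)
            if n in floors and n not in boxes and n not in seen:
                seen.add(n)
                stack.append(n)
    return seen

def live_squares(floors, targets):
    """Reverse BFS by 'pulls': squares from which a box can still reach a target.
    A box on any other square is frozen for good, so such states are pruned."""
    live, stack = set(targets), list(targets)
    while stack:
        r, c = stack.pop()
        for dr, dc in DIRS:
            prev, stand = (r - dr, c - dc), (r - 2 * dr, c - 2 * dc)
            if prev in floors and stand in floors and prev not in live:
                live.add(prev)
                stack.append(prev)
    return live

def min_pushes(rows):
    """BFS over (box set, canonical player square); every edge is one box push."""
    h, w = len(rows), len(rows[0])
    walls, player, boxes, targets = parse_level(rows)
    floors = {(r, c) for r in range(h) for c in range(w) if (r, c) not in walls}
    live = live_squares(floors, targets)
    start = (boxes, min(reachable(player, floors, boxes)))
    dist, queue = {start: 0}, deque([start])
    while queue:
        state = queue.popleft()
        boxes, norm = state
        if boxes == targets:
            return dist[state]
        reach = reachable(norm, floors, boxes)
        for r, c in boxes:
            for dr, dc in DIRS:
                behind, ahead = (r - dr, c - dc), (r + dr, c + dc)
                if behind not in reach or ahead not in floors or ahead in boxes or ahead not in live:
                    continue
                new_boxes = (boxes - {(r, c)}) | {ahead}
                nxt = (new_boxes, min(reachable((r, c), floors, new_boxes)))
                if nxt not in dist:
                    dist[nxt] = dist[state] + 1
                    queue.append(nxt)
    return None  # no solution

def bbox_flag(levels):
    """Concatenate the per-level push counts and wrap their MD5 the way the flag does."""
    counts = [min_pushes(level) for level in levels]
    digest = hashlib.md5("".join(map(str, counts)).encode()).hexdigest()
    return counts, f"flag{{qwb!_{digest}}}"

if __name__ == "__main__":
    print(bbox_flag([LEVEL_1, LEVEL_2]))
```

With only the two embedded levels the digest is of course not the one in the flag; feed all nine puzzle levels from the dump to `bbox_flag` to get it. The canonical player square (the smallest reachable coordinate) is what makes two states with the same boxes but different player positions in the same walkable region compare equal, which is what keeps the search small.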


snake

Opening the file, it turns out to be a Snake game. From the binding of the arrow keys I picked up the Windows virtual key codes:

| Symbolic constant | Hex value | ASCII character with that code | Description |
|---|---|---|---|
| VK_LEFT | 0x25 | `%` | Left arrow |
| VK_UP | 0x26 | `&` | Up arrow |
| VK_RIGHT | 0x27 | `'` | Right arrow |
| VK_DOWN | 0x28 | `(` | Down arrow |

From others' write-ups: just play the game, always taking the shortest path to the food. When the score reaches 10 the debugger breaks automatically and execution enters the memory pointed to by lpAddress, 2373D8A000h.

I wrote a short IDC script to dump that region to 1.bin:

```idc
// Start and end address of the region to extract (replace with your own addresses)
auto start_addr = 0x000002373D8A0000;
auto end_addr = 0x000002373D8A047F;
auto file_handle, byte_count, i;

// Create/open 1.bin ("wb" = binary write mode)
file_handle = fopen("1.bin", "wb");
if (file_handle == 0)
{
    Message("Failed to create the file, check the path\n");
    return;
}

// Number of bytes to export (end - start + 1, so the last byte is included)
byte_count = end_addr - start_addr + 1;

// Read one byte at a time from the database and write it out
for (i = 0; i < byte_count; i++)
{
    fputc(Byte(start_addr + i), file_handle);
}

// Close the file and report
fclose(file_handle);
Message("Export done: %d bytes written to 1.bin\n", byte_count);
```

Loading 1.bin gives the following function (decompiler output):

```c
char __fastcall sub_0(__int64 a1, __int64 a2, __int64 a3, unsigned int *a4)
{
  char *v4; // rdi
  __int64 n78; // rcx
  char v7; // [rsp+20h] [rbp+0h] BYREF
  unsigned int v8; // [rsp+24h] [rbp+4h]
  int v9; // [rsp+44h] [rbp+24h]
  _DWORD v10[12]; // [rsp+68h] [rbp+48h] BYREF
  unsigned int v11; // [rsp+98h] [rbp+78h]
  unsigned int v12; // [rsp+9Ch] [rbp+7Ch]
  unsigned int v13; // [rsp+A0h] [rbp+80h]
  unsigned int v14; // [rsp+A4h] [rbp+84h]
  unsigned int n0x20; // [rsp+C4h] [rbp+A4h]
  unsigned int n0x20_1; // [rsp+E4h] [rbp+C4h]
  _BYTE v17[44]; // [rsp+108h] [rbp+E8h]
  int n16; // [rsp+134h] [rbp+114h]

  v4 = &v7;
  for ( n78 = 78; n78; --n78 )
  {
    *(_DWORD *)v4 = -858993460;
    v4 += 4;
  }
  v8 = 0;
  v9 = -1640531527;
  qmemcpy(v10, "W31c0m3. 2 QWBs8", 16);
  v11 = *a4;
  v12 = a4[1];
  v13 = a4[2];
  v14 = a4[3];
  for ( n0x20 = 0; n0x20 < 0x20; ++n0x20 )
  {
    v11 += (v10[v8 & 3] + v8) ^ (v12 + ((v12 >> 5) ^ (16 * v12)));
    v8 += v9;
    v12 += (v10[(v8 >> 11) & 3] + v8) ^ (v11 + ((v11 >> 5) ^ (16 * v11)));
  }
  for ( n0x20_1 = 0; n0x20_1 < 0x20; ++n0x20_1 )
  {
    v13 += (v10[v8 & 3] + v8) ^ (v14 + ((v14 >> 5) ^ (16 * v14)));
    v8 += v9;
    v14 += (v10[(v8 >> 11) & 3] + v8) ^ (v13 + ((v13 >> 5) ^ (16 * v13)));
  }
  v11 ^= v13;
  v12 ^= v14;
  v14 ^= v11;
  v13 ^= v12;
  v17[0] = -104;
  v17[1] = -96;
  v17[2] = -39;
  v17[3] = -104;
  v17[4] = -70;
  v17[5] = -105;
  v17[6] = 27;
  v17[7] = 113;
  v17[8] = -101;
  v17[9] = -127;
  v17[10] = 68;
  v17[11] = 47;
  v17[12] = 85;
  v17[13] = -72;
  v17[14] = 55;
  v17[15] = -33;
  for ( n16 = 0; n16 < 16; ++n16 )
  {
    if ( *((char *)&v11 + n16) != (char)v17[n16] )
      return 0;
  }
  return 1;
}
```

A modified TEA: the rounds are XTEA (delta 0x9E3779B9, key "W31c0m3. 2 QWBs8", 32 rounds per block), but the sum v8 is not reset between the two 8-byte blocks, so the second block runs with sum values 32*delta..64*delta, and the two blocks are XORed into each other before the compare against v17. Decryption script:

```python
from ctypes import c_uint32

delta = 0x9e3779b9
# The binary never resets the XTEA sum between the two blocks, so after both
# passes it equals 64 * delta; decryption starts there and counts down.
sum1 = c_uint32(delta * 64)

def decrypt(v, k):
    """Undo one 32-round XTEA pass; sum1 carries over between calls on purpose."""
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    for _ in range(32):
        v1.value -= (((v0.value << 4) ^ (v0.value >> 5)) + v0.value) ^ (sum1.value + k[(sum1.value >> 11) & 3])
        sum1.value -= delta
        v0.value -= (((v1.value << 4) ^ (v1.value >> 5)) + v1.value) ^ (sum1.value + k[sum1.value & 3])
    return v0.value, v1.value

if __name__ == '__main__':
    # v17 from the decompilation, read as four little-endian uint32s
    a = [0x98D9A098, 0x711B97BA, 0x2F44819B, 0xDF37B855]
    # "W31c0m3. 2 QWBs8" as four little-endian uint32s
    k = [0x63313357, 0x2E336D30, 0x51203220, 0x38734257]

    # Undo the final cross-block XOR (v11^=v13; v12^=v14; v14^=v11; v13^=v12) in reverse order
    a[2] ^= a[1]
    a[3] ^= a[0]
    a[1] ^= a[3]
    a[0] ^= a[2]

    # Second block first (its rounds used the higher sum values), then the first block
    for i in (1, 0):
        a[i * 2], a[i * 2 + 1] = decrypt((a[i * 2], a[i * 2 + 1]), k)

    # Back to bytes, little-endian like the binary's memory layout
    print(b''.join(x.to_bytes(4, 'little') for x in a).decode(errors='ignore'))
    # flag{G0@d_Snake}
```
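The script above only runs the inverse direction. As an added example (not from the original write-up), the following re-implements sub_0's forward check in Python, using only the constants visible in the decompilation, so the recovered flag can be verified offline and the decryption can be self-tested as a round trip without touching the binary.

```python
# Added example, not code from the write-up: sub_0's check re-implemented forwards,
# plus its exact inverse. Constants (key, delta, expected bytes) are taken from the
# decompilation above; nothing else is assumed.
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
KEY = struct.unpack("<4I", b"W31c0m3. 2 QWBs8")            # v10 in the decompilation
EXPECTED = bytes([0x98, 0xA0, 0xD9, 0x98, 0xBA, 0x97, 0x1B, 0x71,   # v17 (stored as
                  0x9B, 0x81, 0x44, 0x2F, 0x55, 0xB8, 0x37, 0xDF])  # signed chars there)

def _mix(v):
    """The XTEA feedback term v + ((v >> 5) ^ (v << 4)), mod 2^32."""
    return (v + (((v >> 5) ^ (v << 4)) & MASK)) & MASK

def xtea_encrypt_block(v0, v1, key, s, rounds=32):
    """One XTEA pass. The running sum s is passed in and handed back because the
    binary never resets it between the two blocks (that is the 'modification')."""
    for _ in range(rounds):
        v0 = (v0 + (((key[s & 3] + s) & MASK) ^ _mix(v1))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + (((key[(s >> 11) & 3] + s) & MASK) ^ _mix(v0))) & MASK
    return v0, v1, s

def xtea_decrypt_block(v0, v1, key, s, rounds=32):
    """Exact inverse of xtea_encrypt_block, starting from the sum it ended with."""
    for _ in range(rounds):
        v1 = (v1 - (((key[(s >> 11) & 3] + s) & MASK) ^ _mix(v0))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - (((key[s & 3] + s) & MASK) ^ _mix(v1))) & MASK
    return v0, v1, s

def snake_encrypt(pt16, key=KEY):
    """What sub_0 computes from the 16 input bytes before the byte-wise compare."""
    a, b, c, d = struct.unpack("<4I", pt16)
    a, b, s = xtea_encrypt_block(a, b, key, 0)
    c, d, s = xtea_encrypt_block(c, d, key, s)   # second block continues at 32 * DELTA
    a ^= c
    b ^= d
    d ^= a
    c ^= b
    return struct.pack("<4I", a, b, c, d)

def snake_decrypt(ct16, key=KEY):
    """Inverse of snake_encrypt: undo the XORs in reverse, then the second block first."""
    a, b, c, d = struct.unpack("<4I", ct16)
    c ^= b
    d ^= a
    b ^= d
    a ^= c
    c, d, s = xtea_decrypt_block(c, d, key, (64 * DELTA) & MASK)
    a, b, _ = xtea_decrypt_block(a, b, key, s)    # s equals 32 * DELTA here
    return struct.pack("<4I", a, b, c, d)

def check_flag(candidate):
    """Mirror of sub_0's return value: 1 if the candidate passes the check, else 0."""
    return int(len(candidate) == 16 and snake_encrypt(candidate) == EXPECTED)

if __name__ == "__main__":
    recovered = snake_decrypt(EXPECTED)
    print(recovered, check_flag(recovered))
```

Having the forward direction is what makes the result trustworthy: `check_flag` should return 1 for the recovered flag and 0 for anything else, exactly as the game's check would, and `snake_decrypt(snake_encrypt(x)) == x` confirms the inverse was derived correctly before relying on it.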
    

2024 强网杯 Preliminary Round Writeup by Xp0int

强网杯 2024 All RE wp

2024 强网杯 - Reverse

2024 强网杯 web & re partial writeups

mips

First find out which QEMU release the emulator was built from:

```bash
strings ./emu | grep -i "qemu.*version\|version.*qemu"
```

Then build that release with debug information so the emulator's code can be matched against symbols:

```bash
# Download the official tarball (it already contains the submodules)
wget https://download.qemu.org/qemu-6.2.0.tar.xz          # official source, submodules included

tar -xf qemu-6.2.0.tar.xz
cd qemu-6.2.0

# Configure and build in one go, with debug info and no optimisation
export CFLAGS="-g -O0"
export CXXFLAGS="-g -O0"

./configure --target-list=x86_64-softmmu \
            --disable-werror \
            --enable-debug \
            --disable-strip

make -j$(nproc)
```

qemu-system-x86_64 then ends up in ~/qemu-6.2.0/build.

Right-click and import all of them ("import model"); a modified RC4 then becomes visible.

Beginner's guide to mips64 reversing (starting from a jarvisoj mips64 challenge)

Licensed under CC BY-NC-SA 4.0