64位elf文件,运行一下
图片.png
由题目名知是一个迷宫题,关键点是找上下左右的方向字符和地图。
进入main函数,发现 1、0字符,猜测是地图,
图片.png
step_0与step_1用于两次变换地图,step_2用于确定上下左右以及地图的起点和终点。
v9 = 0;
v8 = 0;
while ( v8 <= 29 && *(&(*a1)[7 * v10] + v9) == 1 )// 三十步,7*7,走1
{
std::operator>><char,std::char_traits<char>>(&std::cin, &v7);
v1 = v8++;
v6[v1] = v7;
if ( v7 == 'd' ) // 右
{
++v9;
}
else if ( v7 > 'd' )
{
if ( v7 == 's' ) // 下
{
++v10;
}
else
{
if ( v7 != 'w' ) // 上
goto LABEL_14;
--v10;
}
}
else if ( v7 == 'a' ) // 左
{
--v9;
}
else
{
LABEL_14:
LODWORD(v2) = std::operator<<<std::char_traits<char>>(&_bss_start, "include illegal words.");
std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);
}
}
if ( v10 != 6 || v9 != 6 ) // [6][6]终点
{
LODWORD(v5) = std::operator<<<std::char_traits<char>>(&_bss_start, "Oh no!,Please try again~~");
std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
result = 0LL;
}
else
{
LODWORD(v3) = std::operator<<<std::char_traits<char>>(&_bss_start, "Congratulations!");
std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
output(v6, v8);
result = 1LL;
}
return result;
}
- 起点[0][0]到终点[6][6].
- wasd对应上左下右。
- 通过IDA动态调试可直接找到变换后的地图。
直接动态dump出地图:
图片.png
+1 0 0 +1
+1 +1 +1 +1
0 +1 +1 0
0 +1 +1 +1
+1 0 +1 +1
+1 0 0 0
+1 +1 0 0
+1 +1 +1 +1
0 0 0 +1
0 0 0 +1
+1 +1 +1 +1
+1 +1 +1 0
+1 0 0 0
UNCTF{ssddwdwdddssaasasaaassddddwdds}
