SCUCTF-re4

一个迷宫题,放入IDA分析

exe文件

idb分析文件

这里的scanf函数是动调验证后得出的结论,528为map出发点

这里的rand出的数字决定了方向,这里动调好多次rand的四个数都是1 3 2 0 没有改变 验证后得到如图的(方向-数字)的对应关系

301里面进入看看

v6的初始化和输入无关 直接下断点dump 结合调用函数得出结论:该函数返回的是走的步数(往一个方向走 且大于10的数用abcedfg依次替换

这里的终止条件 要求最后的位置在95 并且输入长度为78 因为每两个字符xy循环一次 x表示方向 y表示步数 意思是我们最多拐弯39次

这里用脚本输出迷宫

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
a = [120, 133, 138, 180, 120, 200, 169, 149, 120, 247, 110, 147, 120, 251, 122, 151, 120, 171, 251, 122, 120, 6, 193, 138, 120, 122, 162, 73, 120, 52, 164, 244, 120, 49, 55, 173, 120, 6, 61, 4, 120, 110, 88, 89, 120, 3, 183, 229, 120, 183, 200, 186, 120, 181, 42, 186, 120, 108, 19, 154, 120, 25, 91, 229, 120, 40, 126, 85, 120, 70, 156, 9, 120, 52, 174, 200, 120, 205, 109, 10, 120, 176, 38, 127, 120, 233, 209, 75, 120, 249, 46, 134, 120, 231, 55, 93, 120, 234, 9, 122, 120, 247, 32, 239, 120, 146, 38, 82, 120, 140, 184, 214, 120, 145, 193, 178, 120, 208, 158, 105, 120, 13, 204, 223, 120, 55, 101, 7, 120, 174, 109, 161, 120, 109, 250, 125, 120, 8, 218, 186, 120, 131, 248, 121, 120, 225, 202, 137, 120, 195, 130, 47, 120, 113, 47, 210, 120, 161, 157, 34, 120, 144, 153, 7, 120, 22, 178, 183, 120, 237, 125, 178, 120, 88, 33, 143, 120, 133, 127, 140, 120, 75, 126, 187, 120, 142, 245, 20, 120, 89, 117, 102, 120, 1, 202, 148, 120, 85, 146, 79, 46, 55, 21, 143, 46, 226, 34, 210, 46, 157, 137, 171, 46, 205, 174, 228, 46, 47, 178, 29, 46, 78, 235, 118, 46, 35, 29, 36, 46, 235, 106, 176, 46, 80, 92, 32, 46, 170, 123, 114, 46, 141, 220, 140, 46, 195, 138, 165, 46, 108, 27, 159, 46, 243, 2, 27, 46, 118, 211, 199, 46, 20, 61, 166, 46, 30, 199, 162, 46, 5, 233, 6, 46, 40, 79, 220, 46, 158, 55, 3, 46, 202, 223, 6, 46, 193, 115, 236, 46, 127, 50, 60, 46, 45, 60, 176, 46, 23, 46, 229, 46, 204, 58, 28, 46, 235, 189, 209, 46, 85, 252, 179, 120, 89, 25, 21, 120, 31, 163, 206, 120, 169, 237, 111, 46, 24, 194, 222, 120, 136, 253, 111, 120, 190, 47, 112, 120, 125, 213, 212, 120, 122, 228, 94, 120, 16, 92, 188, 120, 39, 144, 220, 120, 56, 85, 56, 120, 30, 128, 107, 120, 249, 50, 222, 120, 115, 154, 191, 120, 24, 129, 51, 120, 7, 103, 105, 46, 41, 113, 249, 46, 232, 249, 31, 120, 95, 4, 34, 46, 139, 192, 220, 46, 158, 196, 98, 120, 249, 138, 55, 120, 68, 238, 250, 120, 183, 74, 126, 120, 204, 161, 225, 120, 85, 154, 190, 120, 122, 58, 90, 120, 230, 205, 212, 120, 1, 220, 74, 120, 24, 144, 143, 120, 150, 70, 14, 120, 24, 147, 159, 120, 167, 176, 191, 120, 199, 136, 247, 120, 100, 224, 197, 120, 180, 127, 119, 120, 182, 140, 195, 46, 26, 57, 176, 46, 156, 234, 47, 120, 33, 162, 230, 120, 197, 106, 103, 120, 48, 182, 143, 120, 236, 35, 40, 120, 252, 218, 122, 120, 77, 52, 173, 120, 88, 147, 22, 120, 221, 101, 69, 46, 117, 101, 225, 46, 127, 210, 145, 46, 230, 149, 252, 120, 111, 160, 111, 46, 81, 222, 207, 120, 61, 134, 148, 120, 81, 232, 180, 120, 8, 247, 188, 120, 79, 176, 137, 120, 136, 8, 109, 120, 12, 200, 42, 120, 139, 81, 56, 120, 129, 99, 234, 120, 12, 46, 188, 120, 90, 134, 152, 120, 52, 192, 5, 120, 2, 184, 218, 46, 25, 156, 62, 120, 151, 15, 220, 120, 254, 253, 64, 46, 246, 41, 185, 120, 143, 9, 107, 120, 13, 173, 15, 120, 76, 133, 46, 120, 22, 160, 24, 120, 74, 196, 38, 120, 9, 64, 178, 120, 145, 91, 42, 120, 158, 251, 25, 120, 75, 21, 49, 120, 45, 159, 121, 120, 146, 41, 175, 120, 16, 62, 162, 120, 118, 246, 19, 120, 166, 101, 194, 120, 56, 192, 65, 46, 125, 251, 23, 46, 231, 233, 94, 46, 83, 209, 202, 120, 76, 161, 57, 120, 211, 229, 114, 120, 209, 75, 183, 120, 120, 3, 232, 120, 73, 137, 111, 120, 230, 1, 170, 120, 223, 228, 167, 120, 34, 60, 145, 120, 129, 186, 191, 120, 168, 102, 48, 120, 22, 96, 190, 46, 192, 110, 162, 120, 203, 16, 75, 46, 82, 37, 52, 120, 47, 229, 211, 120, 31, 192, 169, 120, 235, 84, 148, 120, 220, 30, 244, 120, 83, 249, 15, 120, 57, 79, 148, 120, 248, 62, 63, 120, 189, 107, 111, 120, 65, 177, 143, 120, 50, 199, 151, 120, 247, 75, 163, 120, 2, 53, 166, 46, 215, 55, 50, 120, 206, 66, 170, 120, 206, 217, 228, 46, 217, 130, 49, 120, 228, 247, 110, 120, 188, 222, 112, 120, 240, 10, 216, 120, 216, 236, 237, 120, 74, 82, 211, 120, 25, 146, 220, 120, 196, 82, 104, 120, 170, 179, 172, 120, 109, 249, 248, 120, 92, 154, 119, 120, 65, 178, 154, 120, 203, 37, 203, 120, 207, 41, 122, 120, 90, 32, 149, 46, 165, 63, 30, 46, 220, 225, 90, 120, 248, 192, 233, 120, 56, 113, 79, 120, 223, 231, 104, 120, 30, 226, 230, 120, 99, 69, 59, 120, 49, 81, 172, 120, 132, 118, 53, 120, 194, 182, 140, 120, 196, 17, 129, 120, 8, 216, 191, 120, 212, 61, 154, 120, 158, 15, 83, 120, 56, 141, 169, 120, 230, 73, 19, 120, 213, 211, 118, 46, 214, 227, 138, 120, 180, 221, 250, 120, 172, 116, 64, 120, 223, 56, 70, 120, 26, 81, 25, 120, 86, 165, 228, 120, 79, 8, 16, 120, 166, 140, 76, 120, 4, 144, 113, 120, 235, 124, 41, 120, 99, 86, 241, 120, 62, 6, 49, 120, 81, 2, 73, 46, 65, 203, 178, 120, 94, 229, 40, 120, 241, 35, 185, 46, 97, 214, 139, 46, 147, 88, 43, 120, 173, 129, 106, 120, 148, 187, 249, 120, 166, 60, 189, 120, 199, 126, 202, 120, 76, 2, 150, 120, 23, 15, 151, 120, 183, 122, 101, 120, 175, 90, 64, 120, 193, 111, 239, 120, 243, 81, 89, 120, 95, 34, 114, 120, 247, 170, 68, 120, 99, 225, 133, 46, 114, 242, 220, 120, 139, 156, 116, 120, 39, 240, 192, 120, 169, 180, 127, 120, 6, 26, 116, 120, 121, 40, 121, 120, 41, 121, 16, 120, 107, 62, 180, 120, 21, 117, 20, 120, 210, 177, 101, 120, 219, 179, 55, 120, 251, 233, 82, 120, 72, 249, 104, 120, 69, 144, 166, 120, 42, 197, 173, 120, 182, 206, 244, 120, 152, 183, 225, 46, 70, 130, 10, 120, 241, 150, 151, 120, 60, 130, 26, 120, 124, 52, 226, 120, 115, 4, 180, 120, 147, 50, 233, 120, 198, 89, 30, 120, 29, 132, 191, 120, 84, 85, 215, 120, 38, 228, 142, 120, 209, 226, 204, 120, 49, 197, 230, 120, 227, 69, 55, 46, 57, 219, 198, 120, 155, 193, 176, 120, 82, 233, 190, 120, 180, 45, 35, 46, 80, 177, 4, 46, 161, 151, 30, 46, 95, 136, 160, 46, 8, 9, 1, 46, 180, 167, 130, 46, 161, 88, 38, 46, 193, 186, 121, 46, 163, 62, 220, 46, 4, 3, 170, 46, 76, 153, 140, 120, 60, 199, 112, 120, 222, 237, 74, 120, 17, 61, 190, 120, 50, 49, 197, 46, 18, 103, 43, 120, 158, 107, 4, 120, 79, 143, 182, 120, 7, 195, 28, 120, 21, 150, 4, 120, 160, 152, 111, 120, 159, 142, 204, 120, 204, 159, 44, 120, 140, 177, 211, 120, 242, 237, 175, 120, 148, 44, 185, 120, 23, 95, 157, 120, 100, 190, 148, 120, 248, 216, 62, 120, 235, 29, 11, 120, 214, 219, 111, 120, 175, 212, 143, 46, 188, 32, 187, 120, 145, 194, 148, 120, 238, 210, 173, 120, 233, 64, 77, 120, 244, 27, 253, 120, 186, 181, 114, 120, 13, 191, 228, 120, 228, 114, 3, 120, 164, 97, 16, 120, 117, 250, 146, 120, 231, 112, 65, 120, 250, 127, 188, 120, 126, 196, 7, 46, 72, 252, 61, 120, 135, 164, 129, 120, 84, 253, 229, 120, 40, 30, 139, 120, 44, 125, 156, 120, 152, 103, 216, 120, 228, 28, 128, 120, 119, 224, 242, 120, 144, 105, 170, 120, 110, 98, 214, 120, 228, 223, 182, 120, 154, 246, 151, 120, 173, 213, 147, 46, 215, 209, 86, 46, 121, 72, 253, 120, 145, 201, 141, 120, 193, 11, 233, 120, 61, 112, 192, 46, 74, 51, 140, 120, 176, 7, 69, 120, 141, 243, 197, 120, 81, 230, 109, 120, 176, 229, 70, 120, 162, 8, 53, 120, 192, 206, 32, 120, 178, 38, 158, 120, 66, 23, 251, 120, 175, 79, 34, 120, 135, 87, 133, 120, 197, 64, 183, 120, 111, 41, 13, 120, 165, 61, 17, 120, 233, 125, 136, 120, 85, 13, 63, 120, 230, 175, 51, 46, 68, 51, 161, 120, 84, 193, 224, 120, 228, 79, 101, 120, 117, 218, 201, 120, 104, 76, 181, 120, 210, 68, 199, 120, 162, 120, 94, 120, 43, 194, 29, 120, 249, 40, 39, 120, 112, 171, 120, 120, 190, 242, 147, 120, 92, 87, 6, 120, 199, 134, 139, 46, 55, 241, 76, 120, 225, 11, 201, 120, 105, 238, 182, 120, 72, 128, 174, 120, 51, 62, 117, 120, 239, 29, 66, 120, 191, 14, 160, 120, 142, 1, 201, 120, 25, 195, 206, 120, 127, 130, 32, 120, 36, 139, 123, 120, 71, 68, 29, 120, 217, 243, 163, 120, 78, 160, 221, 46, 140, 165, 100, 120, 8, 14, 12, 120, 215, 214, 9, 120, 32, 153, 58, 46, 212, 26, 250, 46, 254, 71, 40, 120, 213, 230, 165, 120, 72, 42, 118, 120, 92, 214, 156, 120, 13, 213, 141, 120, 148, 67, 110, 120, 77, 252, 43, 120, 233, 108, 124, 120, 99, 68, 219, 120, 31, 163, 74, 120, 228, 65, 153, 120, 4, 201, 211, 120, 219, 11, 17, 120, 148, 195, 26, 120, 192, 117, 222, 120, 216, 90, 214, 46, 225, 42, 210, 120, 184, 185, 10, 120, 89, 134, 185, 120, 52, 43, 184, 120, 106, 197, 72, 120, 212, 18, 208, 120, 72, 28, 104, 120, 87, 27, 95, 120, 144, 133, 245, 120, 86, 220, 149, 120, 66, 250, 77, 120, 77, 204, 22, 120, 120, 116, 248, 46, 183, 212, 50, 120, 89, 188, 215, 120, 174, 68, 236, 120, 11, 254, 233, 120, 14, 156, 147, 120, 134, 105, 113, 120, 55, 251, 243, 120, 36, 247, 190, 120, 212, 56, 239, 120, 53, 92, 198, 120, 57, 96, 25, 120, 212, 14, 32, 120, 67, 216, 119, 120, 199, 1, 81, 46, 109, 99, 219, 120, 56, 214, 87, 120, 228, 24, 71, 120, 186, 205, 118, 120, 243, 46, 133, 46, 134, 175, 115, 46, 157, 178, 112, 46, 135, 252, 9, 120, 46, 154, 49, 120, 8, 152, 165, 120, 216, 218, 121, 120, 201, 119, 149, 120, 57, 123, 72, 120, 101, 94, 134, 120, 43, 64, 137, 120, 216, 117, 65, 120, 180, 84, 178, 120, 244, 55, 80, 120, 252, 224, 120, 46, 85, 48, 161, 46, 146, 155, 126, 46, 194, 17, 160, 46, 159, 194, 222, 120, 202, 77, 93, 120, 168, 27, 25, 120, 149, 188, 240, 120, 84, 152, 167, 120, 10, 61, 232, 120, 181, 132, 249, 120, 246, 91, 61, 120, 179, 144, 240, 120, 74, 67, 78, 120, 161, 206, 213, 46, 112, 242, 3, 46, 252, 49, 212, 120, 153, 112, 49, 120, 152, 140, 26, 120, 227, 197, 55, 120, 165, 149, 29, 120, 215, 34, 14, 120, 210, 166, 246, 120, 96, 67, 66, 120, 199, 234, 43, 120, 169, 106, 244, 120, 169, 199, 165, 120, 53, 38, 144, 120, 206, 118, 56, 46, 172, 7, 163, 46, 201, 218, 28, 120, 164, 162, 225, 120, 223, 16, 92, 120, 86, 251, 78, 120, 36, 242, 237, 120, 43, 42, 229, 120, 113, 87, 62, 46, 168, 218, 233, 46, 91, 239, 155, 46, 114, 178, 58, 120, 159, 132, 248, 120, 102, 152, 113, 120, 133, 39, 242, 120, 18, 4, 109, 120, 140, 54, 51, 120, 189, 222, 203, 120, 173, 164, 198, 46, 61, 241, 28, 46, 123, 245, 197, 46, 21, 7, 214, 120, 50, 2, 182, 120, 82, 38, 174, 46, 221, 244, 15, 46, 18, 91, 75, 46, 84, 125, 61, 120, 158, 27, 225, 120, 20, 180, 69, 120, 114, 15, 246, 120, 21, 128, 172, 120, 38, 53, 190, 120, 4, 253, 220, 46, 188, 101, 6, 46, 160, 236, 117, 46, 214, 139, 241, 120, 98, 32, 106, 120, 126, 104, 184, 46, 139, 141, 68, 46, 237, 15, 61, 46, 183, 131, 243, 46, 29, 221, 115, 46, 10, 31, 84, 46, 239, 241, 13, 46, 10, 194, 77, 46, 200, 172, 101, 46, 85, 5, 153, 46, 27, 227, 206, 46, 49, 93, 64, 46, 211, 116, 174, 120, 167, 95, 243, 120, 128, 238, 28, 120, 194, 248, 37, 120, 193, 127, 86, 120, 167, 122, 73, 120, 206, 144, 81, 120, 159, 147, 202, 120, 104, 218, 238, 120, 233, 53, 129, 46, 10, 249, 178, 46, 240, 82, 61, 46, 154, 197, 57, 46, 103, 150, 91, 46, 3, 241, 164, 46, 208, 132, 70, 46, 114, 24, 156, 46, 86, 248, 46, 46, 2, 83, 40, 120, 75, 119, 47, 120, 223, 11, 228, 120, 127, 13, 78, 120, 95, 130, 21, 120, 234, 155, 200, 120, 137, 234, 248, 46, 106, 45, 99, 46, 116, 25, 81, 46, 171, 193, 24, 46, 157, 254, 241, 46, 91, 56, 79, 46, 180, 232, 103, 46, 75, 193, 165, 46, 174, 104, 127, 120, 174, 99, 244, 120, 70, 136, 219, 120, 2, 118, 7, 120, 36, 19, 202, 120, 120, 83, 130, 120, 4, 207, 131, 120, 134, 85, 93, 120, 111, 156, 208, 120, 215, 202, 132, 120, 22, 68, 76, 120, 96, 137, 134, 120, 125, 57, 119, 120, 31, 91, 115, 120, 57, 202, 188, 120, 135, 212, 188, 120, 161, 103, 69, 120, 11, 89, 250, 120, 191, 216, 145, 120, 44, 32, 69, 120, 113, 192, 1, 120, 59, 127, 164, 120, 121, 85, 195, 120, 207, 28, 16, 120, 188, 97, 37, 120, 69, 146, 47, 120, 131, 80, 76, 120, 104, 154, 207, 120, 49, 94, 110, 120, 83, 73, 63, 120, 30, 2, 40, 120, 209, 74, 118, 120, 206, 232, 115, 120, 232, 253, 160, 120, 191, 231, 158, 120, 44, 75, 135, 120, 168, 65, 114, 120, 158, 77, 222, 120, 61, 185, 140, 120, 120, 73, 94, 120, 40, 95, 106, 120, 99, 39, 86, 120, 98, 226, 168, 120, 41, 194, 160, 120, 96, 88, 161, 120, 58, 136, 132, 120, 224, 49, 107, 120, 188, 231, 29, 120, 130, 103, 137, 120, 230, 77, 218, 120, 219, 142, 168, 120, 94, 210, 76, 120, 15, 171, 95]
#a数组由IDA-python得到
b = []
for i in range(len(a)):
if i % 4 == 0:
b.append(a[i])
print (len(a))
print (528*4)
print (len(b))
for i in range(len(b)):
if i % 48 == 0:
print('')
if i == 528:
print('s',end = '')
else:
print(chr(b[i]),end = '')
'''

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xx............................xxx.xxxxxxxxxxxx.d
x..xxxxxxxxxxxxxxxx..xxxxxxxx...x.xxxxxxxxxxxx.x
x.xxxxxxxxxxxxxxx...xxxxxxxxxxx.x.xxxxxxxxxxxx.x
x.xxxxxxxxxxxxxx..xxxxxxxxxxxxxxx.xxxxxxxxxxxx.x
x..xxxxxxxxxxxxx.xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.x
xx..........xxxx.xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.x
xxxxxxxxxxx..xxx.xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.x
xxxxxxxxxxxx.xxx..xxxxxxxxxxxxxxx.xxxxxxxxxxxx.x
xxxxxxxxxxxx.xxxx...xxxxxxxxxxx....xxxxxxxxxx..x
xxxxxxxxxxx..xxxxxx...xxxxxxx...xx...xxxxxx...xx
s...........xxxxxxxxx.........xxxxxx........xxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

显而易见的SCU。。。
'''

528为出发点(11,0)字符s所在位置 95位结束点(1,47)字符d所在位置(d是我后来加上去的 需要从s走到d

肉眼走了一遍最短路,刚好转向39次 写个搜索代码跑一下得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#include<cstdio>
#include<string>
#include<cstring>
#include<iostream>
using namespace std;
char kao[100];
string map[100] = {
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"xx............................xxx.xxxxxxxxxxxx.d",
"x..xxxxxxxxxxxxxxxx..xxxxxxxx...x.xxxxxxxxxxxx.x",
"x.xxxxxxxxxxxxxxx...xxxxxxxxxxx.x.xxxxxxxxxxxx.x",
"x.xxxxxxxxxxxxxx..xxxxxxxxxxxxxxx.xxxxxxxxxxxx.x",
"x..xxxxxxxxxxxxx.xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.x",
"xx..........xxxx.xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.x",
"xxxxxxxxxxx..xxx.xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.x",
"xxxxxxxxxxxx.xxx..xxxxxxxxxxxxxxx.xxxxxxxxxxxx.x",
"xxxxxxxxxxxx.xxxx...xxxxxxxxxxx....xxxxxxxxxx..x",
"xxxxxxxxxxx..xxxxxx...xxxxxxx...xx...xxxxxx...xx",
"s...........xxxxxxxxx.........xxxxxx........xxxx",
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
};
bool vis[100][100];
int mn = 0xffff;
string res = "###";
int dx[4] = {0,0,1,-1};
int dy[4] = {-1,1,0,0};
int f[100][100];
string nxt[4]={"3","2","1","0"};
//string nxt[4]={"a","d","s","w"};
void dfs(int x,int y,int dep,string k)
{
//printf("%d\n",dep);
if(f[x][y] <= dep) return;
f[x][y] = dep;
if(dep > mn) return;
if(map[x][y] == 'd')
{
mn = dep;
res = k;
return;
}
for(int i=0;i<4;i++)
{
int xx = x + dx[i];
int yy = y + dy[i];
if(xx<0||yy<0||xx>12||yy>47) continue;
if(vis[xx][yy]) continue;
if(map[xx][yy] == 'x') continue;
vis[xx][yy] = 1;
dfs(xx,yy,dep+1,k+nxt[i]);
vis[xx][yy] = 0;
}
}
int main()
{
for(int i=0;i<50;i++)
for(int j=0;j<50;j++) f[i][j] = 0xffff;
printf("%c\n",map[11][0]);
vis[11][0] = 1;
string k = "";
dfs(11,0,0,k);
res += "#";
cout<<res<<endl;
int num = 1;
for(int i=1;i<=9;i++)
kao[i] = '0' + i;
for(int i=10;i<=18;i++)
kao[i] = 'a' + i - 10;
for(int i=1;i<res.size();i++)
{
if(res[i] == res[i-1]) num++;
else
{
printf("%c%c",res[i-1],kao[num]);
num = 1;
}

}
return 0;
}