ELF64位程序,ida打开,分析后得到
进入puzzle_init函数则让我们输入flag,sub_55C0DE68DEAB函数则是迷宫的生成函数
sub_55C0DE68DEAB是将dword_55C0DE691040处的值进行tea解密后对解密后的值进行%10和/10并且逆置操作,dword_55C0DE691040处有64个uint32的数据,每8个uint32组成一个迷宫,总共有八个。
在tea函数中的密钥会随着迷宫的变化而变化,第一个迷宫的密钥为1*2313+key,第四个迷宫的密钥位4*2313+key
进入mian函数里的check函数
根据我们的输入来判定是否正确,不能换迷宫超过八次,当遇到1结束
用python列出所有迷宫后找最短路径
得到8个迷宫,算出最短路径得到flag
arruuuraaaaarrdbbuuuuuaadrrau
8+1+1+64+64+64+1+8+8+8+8+8+1+1-64-8-8+64+64+64+64+64+8+8-64+1+1+8+64
from ctypes import c_uint32
def tea_decrypt(v, k,op):
de=[]
for x in range(0,len(v),2):
v4 = c_uint32(v[x])
v5 = c_uint32(v[x+1])
delta = 0x61C88647
v3 = c_uint32(0xC6EF3720)
for i in range(32):
v5.value -= ((k[3]+op*2313) + (v4.value >> 5)) ^ (v3.value + v4.value) ^ ((k[2]+op*2313) + 16 * v4.value)
v4.value -= ((k[1]+op*2313) + (v5.value>> 5)) ^ (v3.value + v5.value) ^ ((k[0]+op*2313) + 16 * v5.value)
v3.value += delta
de.append(v4.value)
de.append(v5.value)
return de
v=[0xE7F1B194,0x52D3D521,0x3D794752,0x971C0D04,0x747F6EF3,0x0FF7539C,0xD8CFEA6A,0xF4069F6F,0x2E9EFDEA,0xF755B632]
k=[0x121212,0x343434,0x565656, 0x787878]
v=[0x9d37cd7a,0xa24c224c,0x129530db,0xf5472ee6,0x129530db,0xf5472ee6,0x129530db,0xf5472ee6,0x4712a830,0x45b97bab,0x9b0fb48,0x7c981b2f,0x9b0fb48,0x7c981b2f,0x9b0fb48,0x7c981b2f,0xecf58f25,0x5e6a0304,0xb50f2c1d,0xebd384da,0x16fef9c5,0x89528be4,0x1135d30,0x8caf8711,0x9bffc290,0x601ac7a,0xa0441bde,0xd72f809b,0xc130b370,0xfa695c51,0xd3445d89,0x10bae115,0x622c5a49,0xaf653211,0x622c5a49,0xaf653211,0xb6f56f80,0xde6591c5,0x622c5a49,0xaf653211,0x21c4510c,0xa2b25772,0x21c4510c,0xa2b25772,0x91ffca23,0xa7142eb9,0x21c4510c,0xa2b25772,0x77302dfc,0x8afece79,0x77302dfc,0x8afece79,0xe4a81e1f,0xa5a52c76,0xb20c8782,0x21cfa467,0xbb56a544,0x64f15c05,0xbb56a544,0x64f15c05,0xf91701ac,0x3e0f70ac,0xca85e6c8,0xbd9e2455]
for u in range(0,64,8):
p=v[u:u+8]
re=tea_decrypt(p,k,int(u/8))
print(u/8)
for x in re:
print("\n")
my_list=[]
for y in range(8):
my_list.append(int(x%10))
x/=10
for z in range(8):
print(my_list[7-z],end='\t')
Comments NOTHING