babymaze

反编译源码

pyc文件,uncompy6撸不出来,看字节码

import marshal, dis

fp = open(r"BabyMaze.pyc", 'rb')

fp.seek(16)

co = marshal.load(fp)

dis.dis(co)

 

使用脚本跑出字节码

发现花指令

去除花指令并修改字节码长度,使用uncompy6跑出源码

_map = [

 [

  1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1], [1, 5, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1], [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1], [1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 7, 1], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]]

def maze():

    x = 1

    y = 1

    step = input()

    for i in range(len(step)):

        if step[i] == 'w':

            x -= 1

        else:

            if step[i] == 's':

                x += 1

            else:

                if step[i] == 'a':

                    y -= 1

                else:

                    if step[i] == 'd':

                        y += 1

                    else:

                        return False

        if _map[x][y] == 1:

            return False

        if x == 29 and y == 29:

            return True

def main():

    print('Welcome To VNCTF2022!!!')

    print('Hello Mr. X, this time your mission is to get out of this maze this time.(FIND THAT 7!)')

    print('you are still doing the mission alone, this tape will self-destruct in five seconds.')

    if maze():

        print('Congratulation! flag: VNCTF{md5(your input)}')

    else:

        print("Sorry, we won't acknowledge the existence of your squad.")

if __name__ == '__main__':

main()

DFS算法

地图非常大,使用DFS算法

map1 = [[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,

1, 1, 1, 1], [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,

0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1,

1, 1, 1, 1, 1, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0,

0, 1, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1,

1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,

0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1,

1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0,

0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1,

0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 1,

0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1,

0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0,

0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1,

1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1], [1,

0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0,

1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1,

1, 1, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,

0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1,

1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0,

0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0,

1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0,

1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1,

1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0,

0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1,

1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0,

1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0,

1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0,

1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1], [1, 1, 1, 1,

1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0,

0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],

[1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1,

0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0,

0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,

1, 1, 1, 1, 1, 1]]

flag = ""

map2 =  [[0 for i in range(len(map1))] for i in range(len(map1)) ]

def DFS(x,y):

    global flag

    if x == len(map1) - 2 and y == len(map1) - 2: #判断边界

        print(flag)

    if map1[x+1][y] == 0 and map2[x+1][y] == 0:

        map2[x][y] = 1

        flag += 's'

        DFS(x+1,y)

        flag = flag[:-1]

        map2[x][y] = 0

    if map1[x-1][y] == 0 and map2[x-1][y] == 0:

        map2[x][y] = 1

        flag += 'w'

        DFS(x-1,y)

        flag = flag[:-1]

        map2[x][y] = 0

    if map1[x][y+1] == 0 and map2[x][y+1] == 0:

        map2[x][y] = 1

        flag += 'd'

        DFS(x,y+1)

        flag = flag[:-1]

        map2[x][y] = 0

    if map1[x][y-1] == 0 and map2[x][y-1] == 0:

        map2[x][y] = 1

        flag += 'a'

        DFS(x,y-1)

        flag = flag[:-1]

        map2[x][y] = 0

y=1

x=1

DFS(x,y)

得出

ssssddssaassddddwwwwddwwddddddwwddddddssddwwddddddddssssaawwaassaassaassddssaassaawwwwwwaaaaaaaassaassddddwwddssddssssaassddssssaaaaaawwddwwaawwwwaassssssssssssddddssddssddddddddwwaaaaaawwwwddssddwwwwwwwwddssddssssssssddddss、

getflag

VNCTF{801f190737434100e7d2790bd5b0732e}

cm1

源码分析

APK文件,直接拖入GDA中查看

拖入GDA中查看main函数,先看导入库

发现Main$1、IHeihei及FileUtils等

安装之后查看,基本就是一个check界面

这里提示打开了asset目录下某个dex文件

这里使用FileUtils

发现调用了里面的Haha

跟入查看发现有异或,1024为一组

脚本处理

将cm1解压后进入到asset目录找到ooo

key = 'vn2022'

f = open('ooo','rb')

f = f.read()

with open('out','wb') as h:

    for i in range(len(f)):

        h.write((f[i]^ord(key[i % 1024 % len(key)])).to_bytes(1,byteorder='little',

signed=False))

print('ok')

写python脚本模拟

发现是个dex文件

使用dex2jar转换为jar文件进行分析

找到haha是一个xxtea加密,写xxtea脚本即可getflag

【VNCTF2022】Reverse wp的更多相关文章

  1. 【leetcode80】Reverse Vowels of a String(元音字母倒叙)

    题目描述: 写一个函数,实现输入一个字符串,然后把其中的元音字母倒叙 注意 元音字母包含大小写,元音字母有五个a,e,i,o,u 原文描述: Write a function that takes a ...

  2. 【leetcode】Reverse Nodes in k-Group

    Reverse Nodes in k-Group Given a linked list, reverse the nodes of a linked list k at a time and ret ...

  3. 【leetcode】Reverse Linked List II

    Reverse Linked List II Reverse a linked list from position m to n. Do it in-place and in one-pass. F ...

  4. 【leetcode】Reverse Nodes in k-Group (hard)☆

    Given a linked list, reverse the nodes of a linked list k at a time and return its modified list. If ...

  5. 【leetcode】Reverse Linked List II (middle)

    Reverse a linked list from position m to n. Do it in-place and in one-pass. For example:Given 1-> ...

  6. 【leetcode】Reverse Linked List(easy)

    Reverse a singly linked list. 思路:没啥好说的.秒... ListNode* reverseList(ListNode* head) { ListNode * rList ...

  7. 【leetcode】Reverse Bits(middle)

    Reverse bits of a given 32 bits unsigned integer. For example, given input 43261596 (represented in ...

  8. 【leetcode】Reverse Words in a String(hard)☆

    Given an input string, reverse the string word by word. For example,Given s = "the sky is blue& ...

  9. 【leetcode】Reverse Integer(middle)☆

    Reverse digits of an integer. Example1: x = 123, return 321Example2: x = -123, return -321 总结:处理整数溢出 ...

随机推荐

  1. tor-browse

    https://sourceforge.net/projects/t-browser/

  2. RFC2544优化步长测试——信而泰网络测试仪实操

    一.测试拓扑 拓扑说明 1.测试仪两个端口和DUT两个端口相连 2.测试仪P1端口发出流量,经过DUT转发后,从B端口发出,进入测试仪P2端口. 二.测试思路 1.在测试仪端口上创建两个Interfa ...

  3. 目前数据可视化工具排名如何?好用的BI可视化软件

    数据可视化用专业术语来就是通过视觉的方式向人类展示数据,这种在文本基础上的图表即简单又实用,而且相关性.趋势分析都非常明确,也非常可靠,通过图表一目了然.用通俗的话说就是画一张图表,将数据以比例的方式 ...

  4. Oracle数据库的下载、安装与卸载

    Oracle数据库下载: 这里以Oracle 11g为例,推荐去Oracle官网下载 Oracle官网下载地址:https://www.oracle.com/database/technologies ...

  5. Pycharm:注释、删除所有注释

    1.# 单行注释 2. ''' 多行注释 ''' 3.删除所有注释 CTRL+R进入替换模式,勾选右上角正则表达式,然后在搜索框输入  #.*,Replace All即可

  6. Python:GUI库tkinter(一)

    学习自: Python GUI 编程(Tkinter) | 菜鸟教程 TkDocs_官方文档 1.几个常用的Python GUI库 tkinter:Python的标准Tk GUI工具包的接口. wxP ...

  7. C#控制台输入密码星号显示

    在Program类中的Main方法里: 1 public class Program 2 { 3 static void Main(string[] args) 4 { 5 Console.Write ...

  8. 制作CocoaPods公有库和私有库

    认识公有库和私有库 公有库:开源自己封装的库供别人使用,且往cocoaPods的官方Repo仓库(即CocoaPods Master Repo)中新增自己库的索引,该库索引是以*.podspec.js ...

  9. Logstash-CentOS7单机安装测试

    目录 环境&准备 安装&启动 简单配置一下,看看效果 Conf配置文件参考 完成 环境&准备 下面所有操作都基于CentOS7 官网下载安装包 logstash下载 如官网打不 ...

  10. CentOS 5.11源修改

    CentOS 5.11源 将源中所有网址替换为 http://archive.kernel.org/centos-vault/你的版本/ 一条sed命令即可解决 sed -i 's@http://xx ...