babymaze

反编译源码

pyc文件,uncompy6撸不出来,看字节码

  1. import marshal, dis
  2. fp = open(r"BabyMaze.pyc", 'rb')
  3. fp.seek(16)
  4. co = marshal.load(fp)
  5. dis.dis(co)

 

使用脚本跑出字节码

发现花指令

去除花指令并修改字节码长度,使用uncompy6跑出源码

  1. _map = [
  2.  [
  3.   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1], [1, 5, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1], [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1], [1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 7, 1], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]]
  4.  
  5. def maze():
  6.     x = 1
  7.     y = 1
  8.     step = input()
  9.     for i in range(len(step)):
  10.         if step[i] == 'w':
  11.             x -= 1
  12.         else:
  13.             if step[i] == 's':
  14.                 x += 1
  15.             else:
  16.                 if step[i] == 'a':
  17.                     y -= 1
  18.                 else:
  19.                     if step[i] == 'd':
  20.                         y += 1
  21.                     else:
  22.                         return False
  23.         if _map[x][y] == 1:
  24.             return False
  25.         if x == 29 and y == 29:
  26.             return True
  27.  
  28. def main():
  29.     print('Welcome To VNCTF2022!!!')
  30.     print('Hello Mr. X, this time your mission is to get out of this maze this time.(FIND THAT 7!)')
  31.     print('you are still doing the mission alone, this tape will self-destruct in five seconds.')
  32.     if maze():
  33.         print('Congratulation! flag: VNCTF{md5(your input)}')
  34.     else:
  35.         print("Sorry, we won't acknowledge the existence of your squad.")
  36.  
  37. if __name__ == '__main__':
  38. main()

DFS算法

地图非常大,使用DFS算法

  1. map1 = [[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
  2. 1, 1, 1, 1], [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
  3. 0, 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1,
  4. 1, 1, 1, 1, 1, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0,
  5. 0, 1, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1,
  6. 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,
  7. 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1,
  8. 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1], [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0,
  9. 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1,
  10. 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1, 0, 1,
  11. 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1,
  12. 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0,
  13. 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1,
  14. 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1], [1,
  15. 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0,
  16. 1], [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1,
  17. 1, 1, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
  18. 0, 0, 0, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1,
  19. 1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0,
  20. 0, 0, 1, 0, 1, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0,
  21. 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1], [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0,
  22. 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1,
  23. 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0,
  24. 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1,
  25. 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 0, 0, 0, 1, 0, 1, 0,
  26. 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1, 0,
  27. 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1], [1, 0, 0, 0, 1, 0,
  28. 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1], [1, 1, 1, 1,
  29. 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1], [1, 0,
  30. 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
  31. [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1,
  32. 0, 1], [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0,
  33. 0, 0, 0, 1], [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
  34. 1, 1, 1, 1, 1, 1]]
  35. flag = ""
  36. map2 =  [[0 for i in range(len(map1))] for i in range(len(map1)) ]
  37. def DFS(x,y):
  38.     global flag
  39.     if x == len(map1) - 2 and y == len(map1) - 2: #判断边界
  40.         print(flag)
  41.     if map1[x+1][y] == 0 and map2[x+1][y] == 0:
  42.         map2[x][y] = 1
  43.         flag += 's'
  44.         DFS(x+1,y)
  45.         flag = flag[:-1]
  46.         map2[x][y] = 0
  47.     if map1[x-1][y] == 0 and map2[x-1][y] == 0:
  48.         map2[x][y] = 1
  49.         flag += 'w'
  50.         DFS(x-1,y)
  51.         flag = flag[:-1]
  52.         map2[x][y] = 0
  53.     if map1[x][y+1] == 0 and map2[x][y+1] == 0:
  54.         map2[x][y] = 1
  55.         flag += 'd'
  56.         DFS(x,y+1)
  57.         flag = flag[:-1]
  58.         map2[x][y] = 0
  59.     if map1[x][y-1] == 0 and map2[x][y-1] == 0:
  60.         map2[x][y] = 1
  61.         flag += 'a'
  62.         DFS(x,y-1)
  63.         flag = flag[:-1]
  64.         map2[x][y] = 0
  65. y=1
  66. x=1
  67. DFS(x,y)

得出

ssssddssaassddddwwwwddwwddddddwwddddddssddwwddddddddssssaawwaassaassaassddssaassaawwwwwwaaaaaaaassaassddddwwddssddssssaassddssssaaaaaawwddwwaawwwwaassssssssssssddddssddssddddddddwwaaaaaawwwwddssddwwwwwwwwddssddssssssssddddss、

getflag

  1. VNCTF{801f190737434100e7d2790bd5b0732e}

cm1

源码分析

APK文件,直接拖入GDA中查看

拖入GDA中查看main函数,先看导入库

发现Main$1、IHeihei及FileUtils等

安装之后查看,基本就是一个check界面

这里提示打开了asset目录下某个dex文件

这里使用FileUtils

发现调用了里面的Haha

跟入查看发现有异或,1024为一组

脚本处理

将cm1解压后进入到asset目录找到ooo

  1. key = 'vn2022'
  2. f = open('ooo','rb')
  3. f = f.read()
  4. with open('out','wb') as h:
  5.     for i in range(len(f)):
  6.         h.write((f[i]^ord(key[i % 1024 % len(key)])).to_bytes(1,byteorder='little',
  7. signed=False))
  8.  
  9. print('ok')

写python脚本模拟

发现是个dex文件

使用dex2jar转换为jar文件进行分析

找到haha是一个xxtea加密,写xxtea脚本即可getflag

【VNCTF2022】Reverse wp的更多相关文章

  1. 【leetcode80】Reverse Vowels of a String(元音字母倒叙)

    题目描述: 写一个函数,实现输入一个字符串,然后把其中的元音字母倒叙 注意 元音字母包含大小写,元音字母有五个a,e,i,o,u 原文描述: Write a function that takes a ...

  2. 【leetcode】Reverse Nodes in k-Group

    Reverse Nodes in k-Group Given a linked list, reverse the nodes of a linked list k at a time and ret ...

  3. 【leetcode】Reverse Linked List II

    Reverse Linked List II Reverse a linked list from position m to n. Do it in-place and in one-pass. F ...

  4. 【leetcode】Reverse Nodes in k-Group (hard)☆

    Given a linked list, reverse the nodes of a linked list k at a time and return its modified list. If ...

  5. 【leetcode】Reverse Linked List II (middle)

    Reverse a linked list from position m to n. Do it in-place and in one-pass. For example:Given 1-> ...

  6. 【leetcode】Reverse Linked List(easy)

    Reverse a singly linked list. 思路:没啥好说的.秒... ListNode* reverseList(ListNode* head) { ListNode * rList ...

  7. 【leetcode】Reverse Bits(middle)

    Reverse bits of a given 32 bits unsigned integer. For example, given input 43261596 (represented in ...

  8. 【leetcode】Reverse Words in a String(hard)☆

    Given an input string, reverse the string word by word. For example,Given s = "the sky is blue& ...

  9. 【leetcode】Reverse Integer(middle)☆

    Reverse digits of an integer. Example1: x = 123, return 321Example2: x = -123, return -321 总结:处理整数溢出 ...

随机推荐

  1. CentOS 7 部署 KVM 虚拟化

    文章目录 KVM的组件 KVM模块load进内存之后,系统的运行模式 部署KVM 基础配置 判断CPU是否支持硬件虚拟化 检测 kvm 模块是否装载 安装用户端工具 qemu-kvm 启动服务 查看网 ...

  2. Python中模块、类、函数、实例调用案例

    19 a = '我是模块中的变量a' 20 21 def hi(): 22 a = '我是函数里的变量a' 23 print('函数"hi"已经运行!') 24 25 class ...

  3. 一个杂项PDF

    不是很难,但是就是比较考虑个人的细心程度,下载压缩包解压得到一个pdf文件,直接打开发现没有什么隐藏的信息,准换成word也是,没有什么东西,使用winhex打开看一下,一开始是没有注意到什么的,这里 ...

  4. 【C# 调试】.net中的 .pdb文件是什么,有什么用

    mscn:在 Visual Studio 调试器(C#)中指定符号 (.pdb) 和源文件 PDB全称Program Database,程序数据库 ( .pdb) 文件(也称为符号文件)将项目源代码中 ...

  5. 【C# IO 操作】C#修改文件或文件夹的权限,为指定用户、用户组添加完全控制权限

    代码实现 在C盘添加一个文件夹,并在文件夹内部,新建一个文本文件,如图所示: 该文件夹下,新建一个文本文件,如图所示: 为文件添加完全控制权限: /// <summary> /// 为文件 ...

  6. 痞子衡嵌入式:揭秘i.MXRTxxx系列上串行NOR Flash双程序可交替启动设计

    大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家介绍的是i.MXRT500/600上串行NOR Flash双程序可交替启动设计. 在上一篇文章 <i.MXRT1170上串行NOR Fla ...

  7. Mysql基础学习第二天

    Mysql基础学习第二天 函数 函数:是指一段可以直接被另一段程序调用的程序或代码. 字符串函数 数值函数 日期函数 流程函数 字符串函数 MySQL内置很多字符串函数,常用的几个如下: 函数 功能 ...

  8. vue如何全局引用公共js

    在项目开发中需要调用一些工具类方法,所以需要将公共方法放在公共js中,并且需要全局引用这些公共js 1:创建公共JS(utils.js)  src/common/utils.js export def ...

  9. docker学习笔记(4)——Dockerfile

    参考资料: 1.官网教程:https://docs.docker.com/engine/reference/builder/ (官网教程,稍后我做一下总结和翻译输出到本文) 2.官网练习推荐:http ...

  10. SqlServer 取表某一列相同ID最大时的数据

    SELECT * FROM(SELECT *,ROW_NUMBER() OVER(PARTITION BY UserName ORDER BY Id DESC) Num FROM dbo.[User] ...