0x00 前言

所需工具: 开源逆向工具 Ghidra

下载地址(爱盘 - 最新的在线破解工具包)

xksUb9.png

0x01 re2

常规查壳 64位无壳ELF二进制文件

xks04x.png

尝试用 IDA 反编译但失败了,报错的具体原因尚不清楚(后文 Ghidra 输出中出现 _mips_gp0_value,目标很可能是 MIPS64 架构,可能是所用 IDA 版本的反编译器不支持该架构)

xkswU1.png

改用Ghidra

顺利反编译出关键函数伪代码

main函数

xksr8K.png

move函数

xksDC6.png

/*
 * Ghidra decompiler output for the challenge's input loop. Names such as
 * undefined8, local_228 and DAT_120001878 are Ghidra placeholders, not
 * identifiers from the original source.
 *
 * Reads the user's input with scanf, then consumes it one character at a
 * time: 'w', 's', 'd' and 'a' call Up(), Down(), Right() and Left(); any
 * other character is skipped. When a move helper returns 1 the current
 * level is finished; `level` is then incremented until it has reached 2.
 *
 * Returns 1 after printing the flag format, or 0xffffffffffffffff when an
 * ESC byte (0x1b) is found in the input.
 */
undefined8 move(void)

{
  char cVar1;
  int local_230;            /* result of the last move helper */
  int local_22c;            /* index of the next input character */
  char local_228 [528];     /* input buffer */
  undefined *local_18;

  /* NOTE(review): _mips_gp0_value looks like the MIPS global-pointer symbol,
     which would make this a MIPS target - confirm from the ELF header. */
  local_18 = &_mips_gp0_value;
  local_22c = 0;
  /* The three statements below zero all 528 bytes of the buffer (2 + 0x1fe). */
  local_228[0] = '\0';
  local_228[1] = 0;
  memset(local_228 + 2,0,0x1fe);
  printf("input: ");
  /* NOTE(review): the format string at DAT_120001878 is not shown on this page.
     If it is an unbounded "%s", input longer than 527 characters overflows
     local_228 - confirm in the binary. */
  __isoc99_scanf(&DAT_120001878,local_228);
  while( true ) {
    do {
      local_230 = 0;
      find(); // scan the map (find() stores the position of the cell holding 3 in x, y)
      cVar1 = local_228[local_22c];
      /* The nested comparisons are how the decompiler rendered a dispatch on
         the character; only 'w', 's', 'd', 'a' and 0x1b have any effect. */
      if (cVar1 == 'w') {
        local_230 = Up();
      }
      else if (cVar1 < 'x') {
        if (cVar1 == 's') {
          local_230 = Down();
        }
        else if (cVar1 < 't') {
          if (cVar1 == 'd') {
            local_230 = Right();
          }
          else if (cVar1 < 'e') {
            if (cVar1 == '\x1b') {
              return 0xffffffffffffffff;
            }
            if (cVar1 == 'a') {
              local_230 = Left();
            }
          }
        }
      }
      /* The index is never reset between levels, so a single input string
         carries the moves for every level. As decompiled there is no check
         for the terminating NUL or for the end of the buffer: if the moves
         run out before a helper returns 1, the loop keeps reading the zeroed
         bytes and then memory past local_228. */
      local_22c = local_22c + 1;
      /* presumably a helper returns 1 when the goal cell is reached; the
         helpers are not shown on this page */
    } while (local_230 != 1);
    if (level == 2) break;
    level = level + 1; // level is the maze layer index
  }
  puts("flag is ctf{md5(your input)}");
  return 1;
}

分析move函数可知此题为迷宫题,迷宫共三层

由 w/a/s/d 控制上下左右移动(w 上、s 下、a 左、d 右),flag 为 ctf{md5(输入的移动路径)}

查看find函数可知迷宫每层大小为15*15

/*
 * Ghidra decompiler output. Scans the 15x15 grid of the current `level`
 * for a cell equal to 3 and stores its row in the global x and its column
 * in the global y.
 *
 * `map` is addressed as 4-byte ints: each level occupies 0xe1 (225) cells
 * and each row 0xf (15) cells.
 */
void find(void)

{
  int local_20;   /* row index */
  int local_1c;   /* column index */

  local_20 = 0;
  do {
    /* stop once all 15 rows (0..0xe) have been scanned */
    if (0xe < local_20) {
      return;
    }
    for (local_1c = 0; local_1c < 0xf; local_1c = local_1c + 1) { // 0xf=15
      if (*(int *)(map + ((longlong)level * 0xe1 + (longlong)local_20 * 0xf) * 4 +
      (longlong)local_1c * 4) == 3) {
        x = local_20;
        y = local_1c;
        /* leaves only the column loop; the remaining rows are still scanned,
           so a later row containing a 3 would overwrite x and y */
        break;
      }
    }
    local_20 = local_20 + 1;
  } while( true );
}

打印出迷宫地图

# Maze data copied from the binary's `map` global (named maze_cells here so
# that Python's builtin map() is not shadowed). Cells equal to 1 are drawn as
# "*"; the per-layer paths given on this page walk the 1-cells from the 3 to
# the 4, so 3 appears to be the start cell and 4 the goal.
maze_cells = [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,3,1,1,1,1,1,0,0,0,0,0,0,1,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1,0
,0,0,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1,0,1,1,0,0,0,0,
0,0,0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,0,1,1,0,1,1,0,0,0,0,0,1,0,0,1,0,1,1,0,1,1,0,0,0,0,0,1,0,0,0,0,
1,1,0,1,1,1,1,1,1,0,1,0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,4,0,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0,3,1,1,1,0,0,
0,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,1,
1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,0,0,0,0,
0,0,0,0,1,0,1,1,1,1,1,0,0,0,0,0,0,0,0,4,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,3,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,
0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,4,0]

LAYER_SIDE = 0xf     # rows and columns per layer (15)
LAYER_CELLS = 225    # each layer is 15*15 = 225 numbers

for layer in range(len(maze_cells) // LAYER_CELLS):
    print("=" * 30)  # separator between layers
    layer_base = layer * LAYER_CELLS
    for row in range(LAYER_SIDE):
        row_start = layer_base + row * LAYER_SIDE
        glyphs = ["*" if cell == 1 else str(cell)
                  for cell in maze_cells[row_start:row_start + LAYER_SIDE]]
        # every cell is followed by one space, including the last in the row
        print(" ".join(glyphs), end=" \n")

地图如下

# ==============================
# * * 0 0 0 0 0 0 0 0 0 0 0 0 0
# * * 0 3 * * * * * 0 0 0 0 0 0
# * * 0 * * 0 0 0 * 0 0 0 0 0 0
# * * 0 0 0 0 0 0 * * 0 0 0 0 0
# * * 0 * * 0 0 0 0 * * * * 0 0
# * * 0 * * 0 0 0 0 0 0 0 * 0 0
# * * 0 * * 0 0 0 0 0 0 0 * 0 0
# * * 0 * * 0 0 0 0 0 * * * * 0
# * * 0 * * 0 0 0 0 0 * 0 0 * 0
# * * 0 * * 0 0 0 0 0 * 0 0 0 0
# * * 0 * * * * * * 0 * 0 * * 0
# * * 0 * * * * * * * * * * * 0
# * * 0 0 0 0 0 0 0 0 0 0 0 4 0
# * * * * * * * * * * * * * * *
# * * * * * * * * * * * * * * *
# ==============================
# * * * * * 0 0 0 0 0 0 0 0 0 0
# * * * * * 0 3 * * * 0 0 0 0 0
# * * * * * 0 0 0 0 * 0 0 0 0 0
# * * * * * 0 0 0 0 * 0 0 0 0 0
# * * * * * 0 0 0 0 * * * * 0 0
# * * * * * 0 0 0 0 0 0 0 * 0 0
# * * * * * 0 0 0 0 0 0 0 * 0 0
# * * * * * 0 0 0 0 0 0 0 * * 0
# * * * * * 0 0 0 0 0 0 0 0 * 0
# * * * * * 0 0 0 0 0 0 0 0 4 0
# * * * * * * * * * * * * * * *
# * * * * * * * * * * * * * * *
# * * * * * * * * * * * * * * *
# * * * * * * * * * * * * * * *
# * * * * * * * * * * * * * * *
# ==============================
# 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
# 0 3 * * 0 0 0 0 0 0 0 0 0 0 0
# 0 0 0 * 0 * * * 0 0 0 0 0 0 0
# 0 0 0 * * * 0 * 0 0 0 0 0 0 0
# 0 0 0 0 * 0 0 * 0 0 0 0 0 0 0
# 0 * * 0 * 0 0 * 0 0 0 0 0 0 0
# 0 0 * * * 0 0 * 0 0 0 0 0 0 0
# 0 0 0 0 0 0 0 * 0 0 0 0 0 0 0
# 0 0 0 0 0 0 0 * * * * 0 0 0 0
# 0 0 0 0 0 0 0 0 0 0 * 0 0 0 0
# 0 0 0 0 0 0 0 0 0 0 * 0 0 0 0
# 0 0 0 0 0 0 0 0 0 0 * 0 0 0 0
# 0 0 0 0 0 0 0 0 0 0 * * * * 0
# 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0
# 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0

每层路径分别为

1="dddddssdsdddsssaassssddds"
2="dddsssdddsssdss"
3="ddssddwddssssssdddssssdddss"

move 函数的输入下标 local_22c 在换层时不会清零,所以三层路径要按顺序拼接成一个字符串作为输入;对该字符串计算 MD5(MD5 是哈希,不是加密),套入 ctf{...} 即得到 flag

xkcQUA.png