SUS National Day Fun Contest re200 maze

kabeor, October 07, 2018


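The binary is an x64 ELF, so load it into IDA64.

The challenge name already tells us this is a maze, so search the strings.

This turns up the map:

```
oooo*oooooxxxxoxxooxooooxoooxxoxxxooooxxxooxooooxooxxooooxxxoxooooxoxxxxoooooooox
```

The dimensions of the map are not known yet, so follow the cross-reference from the `SUSCTF{` string and press F5 to decompile.

Line 18 of the decompiled output clearly checks whether the input length is 18:

```cpp
if (std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length(&v12) != 18 )
```

Below that is the direction control, using the keys a, w, s, d: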

```cpp
for ( i = 0; i <= 17; ++i )
{
  v5 = *(char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](&v12, i);
  if ( v5 == 'd' )
  {
    ++v10;        // 'd': one cell to the right
  }
  else if ( v5 > 'd' )
  {
    if ( v5 == 's' )
    {
      v10 += 9;   // 's': one row down
    }
    else if ( v5 == 'w' )
    {
      v10 -= 9;   // 'w': one row up
    }
  }
  else if ( v5 == 'a' )
  {
    --v10;        // 'a': one cell to the left
  }
```

Moving up or down a row subtracts or adds 9, so each row of the map is 9 characters wide. That gives the map:

```
oooo*oooo
oxxxxoxxo
oxooooxoo
oxxoxxxoo
ooxxxooxo
oooxooxxo
oooxxxoxo
oooxoxxxx
oooooooox
```

The boundary check is on `o`:

```cpp
if ( *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](&map, v10) == 'o' )
  break;
```

Reaching the goal:

```cpp
if ( *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](&map, v10) == '*' )
```

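The initial value of v10 is 80, which is the 81st character counting from index 0, so we start at the last `x` and need to reach the `*` in the top row.
The moves are:

```
waaawaawwawawwdddw
```

That is exactly 18 characters. Run the program, enter the moves, and get the flag.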
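
The route can also be found mechanically. The Python script below is an added example, not part of the original post: it runs a breadth-first search over the flat 81-character map with the same index arithmetic as the decompiled loop (±1, ±9, start index 80). `check` is an assumed model of the binary's walk, and the function names are hypothetical.

```python
from collections import deque

# Map rows, row width and start index as recovered in the write-up.
ROWS = ["oooo*oooo", "oxxxxoxxo", "oxooooxoo", "oxxoxxxoo", "ooxxxooxo",
        "oooxooxxo", "oooxxxoxo", "oooxoxxxx", "oooooooox"]
MAP = "".join(ROWS)
WIDTH = 9    # 's' / 'w' change the index by +9 / -9
START = 80   # initial value of v10 (the last 'x')
MOVES = {"w": -WIDTH, "a": -1, "s": WIDTH, "d": 1}

def check(path):
    """Replay a key sequence the way the decompiled loop does (assumed model)."""
    pos = START
    for key in path:
        pos += MOVES.get(key, 0)          # other characters leave v10 unchanged
        if not 0 <= pos < len(MAP) or MAP[pos] == "o":
            return False                  # hit an 'o' (or left the string): fail
        if MAP[pos] == "*":
            return True                   # reached the goal
    return False

def solve():
    """Breadth-first search over the flat index; returns the shortest key string."""
    prev = {START: None}                  # index -> (parent index, key pressed)
    queue = deque([START])
    while queue:
        pos = queue.popleft()
        if MAP[pos] == "*":
            keys = []
            while prev[pos] is not None:  # walk back to the start
                pos, key = prev[pos]
                keys.append(key)
            return "".join(reversed(keys))
        for key, delta in MOVES.items():
            nxt = pos + delta
            if 0 <= nxt < len(MAP) and MAP[nxt] != "o" and nxt not in prev:
                prev[nxt] = (pos, key)
                queue.append(nxt)
    return None

if __name__ == "__main__":
    route = solve()
    print(route, len(route), check(route))
```

Because the search works on the flat index without a column check, it accepts exactly the moves the binary's arithmetic would accept.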

From https://kabeor.github.io/SUS十一欢乐赛 re200 maze/ bye

This blog is under a CC BY-NC-SA 4.0 Unported License