• 2020 极客巅峰RE wp


    virus:

    拖入ida32,加载符号表,进入主函数

    // Excerpt of the decompiled main function: reads the input, splits it at '-' and runs one maze check per segment.
    puts("There is a long way to defeat it.");
    // NOTE(review): "%s" carries no field width, so scanf does not bound the write into flag; the size of flag is not shown in this excerpt.
    scanf("%s", flag);
    v12 = strlen(flag);
    v6[0] = 0;
    v6[1] = 0;
    v6[2] = 0;
    v6[3] = 0;
    v7 = 0;
    v11 = 0;
    v8 = 0;
    // NOTE(review): v9 is never assigned in this excerpt (the length went into v12 above); v14 and v8 are likewise not set to anything but 0 here, so the variable names in this listing look inconsistent - confirm against the decompiler output.
    for ( i = 0; i < v9; ++i )
      {
        if ( flag[i] == '-' )// find each '-' and record its position in v6
        {
          v3 = v11++;
          // NOTE(review): the number of '-' is only tested after this loop, so v3 is not limited at this point; v6's declared size is not shown.
          v6[v3] = i;
        }
        if ( !v14 )
        {
          v5[i] = flag[i] - '0';// convert the character to its digit value
          if ( v5[i] > 9 || v5[i] < 0 )// the value must be 0 to 9
            return 0;
        }
      }
      if ( v11 != 4 )// exactly four '-' are required
        return 0;
      v10 = v12;
      for ( i = 1; i <= v11; ++i )
      {
        v11 = v6[i] - v6[i - 1] - 1;// number of characters between two adjacent '-'
        if ( step[i] != v8 )// compare the segment length with the fixed value (19,25,26,28)
          return 0;
        // NOTE(review): strncpy adds no terminator when it copies exactly v11 characters; this presumably relies on road being zero-filled beforehand - confirm.
        strncpy(&road[200 * i], &flag[v6[i - 1] + 1], v11);// copy the segment, in input order and with that length, into the road[1024] array
      }
      for ( i = 0; i <= 3; ++i )
      {
        // v5[i] (one of the leading digits) selects the 200-byte maze; the matching path is the segment stored at road[200 * i + 200].
        if ( check_flag((int)&global_map[200 * v5[i]], v5[i], &road[200 * i + 200]) )// maze check
        {
          puts("How about try again?");
          return 0;
        }
        if ( i == 3 )
          printf("Great! We will defeat it!!! your flag is flag{%s}", flag);
      }
    

    进入check_flag函数

    /*
     * Walks the move string Str over the maze at a1 and reports whether the walk fails.
     *
     * a1  - address of the maze, passed as an int and read as 20 bytes per row
     * a2  - maze number; the starting row comes from start[2 * a2] and the
     *       starting column from dword_403444[2 * a2]
     * Str - moves: 'w' row - 1, 's' row + 1, 'a' column - 1, 'd' column + 1
     *
     * Returns 0 when the last move lands on a 'd' cell (or when Str is empty).
     * Returns 1 for any other byte in Str, for a step outside the checked
     * range, or for an intermediate cell that is not '.'.
     */
    BOOL __cdecl check_flag(int a1, int a2, char *Str)
    {
      signed int len = strlen(Str);
      int row = start[2 * a2];
      int col = dword_403444[2 * a2];
      int i;

      for ( i = 0; i < len; ++i )
      {
        char move = Str[i];

        if ( move == 'w' )
          --row;
        else if ( move == 's' )
          ++row;
        else if ( move == 'a' )
          --col;
        else if ( move == 'd' )
          ++col;
        else
          return 1;

        /* NOTE(review): row 10 passes this test, but 20 * 10 = 200 is already the
         * distance between two mazes in the caller's indexing (200 * index), so
         * row 10 would read past this maze - confirm against the binary. */
        if ( col < 0 || col > 19 || row < 0 || row > 10 )
          return 1;

        _BYTE cell = *(_BYTE *)(a1 + 20 * row + col);

        /* The final move must end on the destination cell 'd'. */
        if ( i == len - 1 )
          return cell != 'd';
        /* Every earlier move must stay on an open '.' cell. */
        if ( cell != '.' )
          return 1;
      }
      /* Reached only when the loop body never ran (len <= 0), so i is still 0. */
      return i;
    }
    

    根据上面的代码和迷宫可得路径

    第一个迷宫 第二个迷宫 第三个迷宫 第四个迷宫
    dddddddddsssssaaaaaaaaawww sdsdsdsdsdsdsddwdwdwdwdwdwdw aaaaaaaaasssssssddddddddd wwwwwdddddddddsssss

    所以可得脚本

    # Solved move string for each maze, listed in maze order (first to fourth).
    global_map = [
        'dddddddddsssssaaaaaaaaawww',
        'sdsdsdsdsdsdsddwdwdwdwdwdwdw',
        'aaaaaaaaasssssssddddddddd',
        'wwwwwdddddddddsssss',
    ]
    # Segment lengths the program compares against, in input order.
    step = [19,25,26,28]
    # tmp[j] is the 1-based position in global_map of the path whose length is step[j].
    tmp = [0, 0, 0, 0]
    digits = ''
    for pos, wanted in enumerate(step):
        for idx, path in enumerate(global_map):
            if len(path) == wanted:
                tmp[pos] = idx + 1
                digits += str(tmp[pos])
    # Leading digits first, then each path in the same order, separated by '-'.
    flag = 'flag{' + digits + ''.join('-' + global_map[n - 1] for n in tmp) + '}'
    print(flag)
    #flag{4312-wwwwwdddddddddsssss-aaaaaaaaasssssssddddddddd-dddddddddsssssaaaaaaaaawww-sdsdsdsdsdsdsddwdwdwdwdwdwdw}
    

    fu!k_py:

    文件是一个pyc,找个在线反编译的网站跑一下(也可以用本地的反编译工具,例如uncompyle6)。

    得到python源码

    # Decompiled one-liner (Python 2: it uses raw_input and __builtin__). What it checks, in order:
    #   - len(input) == 87, input[0:5] == 'flag{' and input[-1] == '}'
    #   - context = input[5:-1]; d holds context cut into nine 9-character rows
    #   - fixed cells: d[row][col] must equal the given digit; every comparison is joined with `or`,
    #     so a single wrong cell prints 'Error!' and exits
    #   - h1..h9 are the rows, l1..l9 the columns and k1..k9 the 3x3 boxes of context
    #   - check(x) sums the digits of x and must give 45; check1(x) is 1 only when x has 9 distinct characters
    #   - 'Yes! You got it!' is printed when every test passes
    # NOTE(review): the line breaks inside the expression (including the one inside the 'Yes! ...' string)
    # appear to come from the page layout rather than from the code.
    (lambda __g, __print: [ [ (lambda __after: [ (lambda __after: (__print('Error len!'), (exit(), __after())[1])[1] if len(input) != 87 else __after())(lambda : [ [ [ [ (lambda __after: (__print('Error fmt!'), (exit(0), __after())[1])[1] if fmt1 != 'flag{' or fmt2 != '}' else __after())(lambda : (d.append(context[0:9]), (d.append(context[9:18]), (d.append(context[18:27]), (d.append(context[27:36]), (d.append(context[36:45]), (d.append(context[45:54]), (d.append(context[54:63]), (d.append(context[63:72]), (d.append(context[72:81]), [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[0][2] != '5' or d[0][3] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[1][0] != '8' or d[1][7] != '2' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[2][1] != '7' or d[2][4] != '1' or d[2][6] != '5' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[3][0] != '4' or d[3][5] != '5' or d[3][6] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[4][1] != '1' or d[4][4] != '7' or d[4][8] != '6' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[5][2] != '3' or d[5][3] != '2' or d[5][7] != '8' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[6][1] != '6' or d[6][3] != '5' or d[6][8] != '9' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[7][2] != '4' or d[7][7] != '3' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if d[8][5] != '9' or d[8][6] != '7' else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(h1) != 45 or check(h2) != 45 or check(h3) != 45 or check(h4) != 45 or check(h5) != 45 or check(h6) != 45 or check(h7) 
!= 45 or check(h8) != 45 or check(h9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(l1) != 45 or check(l2) != 45 or check(l3) != 45 or check(l4) != 45 or check(l5) != 45 or check(l6) != 45 or check(l7) != 45 or check(l8) != 45 or check(l9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check(k1) != 45 or check(k2) != 45 or check(k3) != 45 or check(k4) != 45 or check(k5) != 45 or check(k6) != 45 or check(k7) != 45 or check(k8) != 45 or check(k9) != 45 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(h1) != 1 or check1(h2) != 1 or check1(h3) != 1 or check1(h4) != 1 or check1(h5) != 1 or check1(h6) != 1 or check1(h7) != 1 or check1(h8) != 1 or check1(h9) != 1 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(l1) != 1 or check1(l2) != 1 or check1(l3) != 1 or check1(l4) != 1 or check1(l5) != 1 or check1(l6) != 1 or check1(l7) != 1 or check1(l8) != 1 or check1(l9) != 1 else __after())(lambda : (lambda __after: (__print('Error!'), (exit(), __after())[1])[1] if check1(k1) != 1 or check1(k2) != 1 or check1(k3) != 1 or check1(k4) != 1 or check1(k5) != 1 or check1(k6) != 1 or check1(k7) != 1 or check1(k8) != 1 or check1(k9) != 1 else __after())(lambda : (__print('Yes! 
You got it!'), __after())[1]))))))))))))))) for __g['k9'] in [context[60] + context[61] + context[62] + context[69] + context[70] + context[71] + context[78] + context[79] + context[80]] ][0] for __g['k8'] in [context[57] + context[58] + context[59] + context[66] + context[67] + context[68] + context[75] + context[76] + context[77]] ][0] for __g['k7'] in [context[54] + context[55] + context[56] + context[63] + context[64] + context[65] + context[72] + context[73] + context[74]] ][0] for __g['k6'] in [context[33] + context[34] + context[35] + context[42] + context[43] + context[44] + context[51] + context[52] + context[53]] ][0] for __g['k5'] in [context[30] + context[31] + context[32] + context[39] + context[40] + context[41] + context[48] + context[49] + context[50]] ][0] for __g['k4'] in [context[27] + context[28] + context[29] + context[36] + context[37] + context[38] + context[45] + context[46] + context[47]] ][0] for __g['k3'] in [context[6] + context[7] + context[8] + context[15] + context[16] + context[17] + context[24] + context[25] + context[26]] ][0] for __g['k2'] in [context[3] + context[4] + context[5] + context[12] + context[13] + context[14] + context[21] + context[22] + context[23]] ][0] for __g['k1'] in [context[0] + context[1] + context[2] + context[9] + context[10] + context[11] + context[18] + context[19] + context[20]] ][0] for __g['l9'] in [context[8] + context[17] + context[26] + context[35] + context[44] + context[53] + context[62] + context[71] + context[80]] ][0] for __g['l8'] in [context[7] + context[16] + context[25] + context[34] + context[43] + context[52] + context[61] + context[70] + context[79]] ][0] for __g['l7'] in [context[6] + context[15] + context[24] + context[33] + context[42] + context[51] + context[60] + context[69] + context[78]] ][0] for __g['l6'] in [context[5] + context[14] + context[23] + context[32] + context[41] + context[50] + context[59] + context[68] + context[77]] ][0] for __g['l5'] in [context[4] + context[13] + 
context[22] + context[31] + context[40] + context[49] + context[58] + context[67] + context[76]] ][0] for __g['l4'] in [context[3] + context[12] + context[21] + context[30] + context[39] + context[48] + context[57] + context[66] + context[75]] ][0] for __g['l3'] in [context[2] + context[11] + context[20] + context[29] + context[38] + context[47] + context[56] + context[65] + context[74]] ][0] for __g['l2'] in [context[1] + context[10] + context[19] + context[28] + context[37] + context[46] + context[55] + context[64] + context[73]] ][0] for __g['l1'] in [context[0] + context[9] + context[18] + context[27] + context[36] + context[45] + context[54] + context[63] + context[72]] ][0] for __g['h9'] in [context[72:81]] ][0] for __g['h8'] in [context[63:72]] ][0] for __g['h7'] in [context[54:63]] ][0] for __g['h6'] in [context[45:54]] ][0] for __g['h5'] in [context[36:45]] ][0] for __g['h4'] in [context[27:36]] ][0] for __g['h3'] in [context[18:27]] ][0] for __g['h2'] in [context[9:18]] ][0] for __g['h1'] in [context[0:9]] ][0])[1])[1])[1])[1])[1])[1])[1])[1])[1]) for __g['d'] in [[]] ][0] for __g['context'] in [input[5:-1]] ][0] for __g['fmt2'] in [input[(-1)]] ][0] for __g['fmt1'] in [input[0:5]] ][0])
     for __g['input'] in [raw_input('Input your flag:')] ][0] if __name__ == '__main__' else __after())(lambda : None)
     for __g['check1'], check1.__name__ in [(lambda arg: (lambda __l: [ (lambda __after: 0 if len(list(set(__l['arg']))) != 9 else 1)(lambda : None) for __l['arg'] in [arg] ][0])({}), 'check1')] ][0]
     for __g['check'], check.__name__ in [(lambda arg: (lambda __l: [ sum(map(int, __l['arg'])) for __l['arg'] in [arg] ][0])({}), 'check')] ][0])(globals(), __import__('__builtin__', level=0).__dict__['print'])
    

    由此代码

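    # Fixed-cell tests, one line per row of d. In the one-liner source every comparison on a
    # line is joined with `or`, so a single wrong cell is enough to fail; bodies are omitted.
    if d[0][2] != '5' or d[0][3] != '3':
    if d[1][0] != '8' or d[1][7] != '2':
    if d[2][1] != '7' or d[2][4] != '1' or d[2][6] != '5':
    if d[3][0] != '4' or d[3][5] != '5' or d[3][6] != '3':
    if d[4][1] != '1' or d[4][4] != '7' or d[4][8] != '6':
    if d[5][2] != '3' or d[5][3] != '2' or d[5][7] != '8':
    if d[6][1] != '6' or d[6][3] != '5' or d[6][8] != '9':
    if d[7][2] != '4' or d[7][7] != '3':
    if d[8][5] != '9' or d[8][6] != '7':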
    

    可得一个表

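    行/列 1 2 3 4 5 6 7 8 9    (. 表示空格)
    1     . . 5 3 . . . . .
    2     8 . . . . . . 2 .
    3     . 7 . . 1 . 5 . .
    4     4 . . . . 5 3 . .
    5     . 1 . . 7 . . . 6
    6     . . 3 2 . . . 8 .
    7     . 6 . 5 . . . . 9
    8     . . 4 . . . . 3 .
    9     . . . . . 9 7 . .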

    9x9的表加上flag{}正好是87个字符,满足python源码第一行的对长度的判断。

    而下面的代码

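    # Sum and uniqueness tests for the rows (h1..h9), columns (l1..l9) and 3x3 boxes (k1..k9).
    # In the one-liner source every comparison on a line is joined with `or`, so each of the
    # nine groups must pass on its own; bodies are omitted.
    if check(h1) != 45 or check(h2) != 45 or check(h3) != 45 or check(h4) != 45 or check(h5) != 45 or check(h6) != 45 or check(h7) != 45 or check(h8) != 45 or check(h9) != 45:
    if check(l1) != 45 or check(l2) != 45 or check(l3) != 45 or check(l4) != 45 or check(l5) != 45 or check(l6) != 45 or check(l7) != 45 or check(l8) != 45 or check(l9) != 45:
    if check(k1) != 45 or check(k2) != 45 or check(k3) != 45 or check(k4) != 45 or check(k5) != 45 or check(k6) != 45 or check(k7) != 45 or check(k8) != 45 or check(k9) != 45:
    if check1(h1) != 1 or check1(h2) != 1 or check1(h3) != 1 or check1(h4) != 1 or check1(h5) != 1 or check1(h6) != 1 or check1(h7) != 1 or check1(h8) != 1 or check1(h9) != 1:
    if check1(l1) != 1 or check1(l2) != 1 or check1(l3) != 1 or check1(l4) != 1 or check1(l5) != 1 or check1(l6) != 1 or check1(l7) != 1 or check1(l8) != 1 or check1(l9) != 1:
    if check1(k1) != 1 or check1(k2) != 1 or check1(k3) != 1 or check1(k4) != 1 or check1(k5) != 1 or check1(k6) != 1 or check1(k7) != 1 or check1(k8) != 1 or check1(k9) != 1: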
    

    则是对每一行(h)、每一列(l)和以三行三列为一个块(k)的数据和进行判断,check1还要求每组的9个字符互不相同。且刚好就是1+2+3+4+5+6+7+8+9=45,猜测是数独表,网上数独在线解密

    解得145327698839654127672918543496185372218473956753296481367542819984761235521839764,套上flag即可得到答案。

  • 原文地址:https://www.cnblogs.com/b1ank/p/13739115.html