easyre

不解释了,42位逐位异或

有些反编译结果很怪，例如 `[a+-k *(b/k)]`，这相当于 `[(a+b) mod len]`

而类似

if ( _mm_movemask_epi8(
_mm_and_si128(
_mm_cmpeq_epi8(_mm_loadu_si128(v3), (__m128i)xmmword_140021410),
_mm_cmpeq_epi8(_mm_loadu_si128(v3 + 1), (__m128i)xmmword_140021400))) == 0xFFFF )

是在比较两个值，等价于 memcmp（wmctf 里 x64 打开 so 就是这个写法，在 arm 架构下等价的就是 memcmp）

from prism import *

# lsat = [0x00, 0x1B, 0x19, 0x02, 0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57, 0x05, 0x54, 0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03, 0x04, 0x0A, 0x14, 0x49, 0x05, 0x57]
# j = 1
# a = [0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03, 0x04, 0x0A, 0x14, 0x49, 0x05, 0x57]
# b = [0x00, 0x1B, 0x19, 0x02, 0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57, 0x05, 0x54]
# c = b+a
# d = [0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03, 0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03, 0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x00, 0x1B, 0x19, 0x02, 0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57, 0x05, 0x54, 0x55, 0x03, 0x53, 0x57, 0x01, 0x03, 0x07, 0x04, 0x4A, 0x77, 0x0D,0x00, 0x1B, 0x19, 0x02, 0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57, 0x05, 0x54]
# for i in range(len(d)-2,0,-1):
# d[i] ^= d[(i+1)]
# pl(d)


# Two 16-byte halves of the XOR-chained buffer as seen in the binary; `l`
# is the 32-byte concatenation (l1 first, then l2) used for the first attempt.
l2 = [0x00, 0x1B, 0x19, 0x02, 0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57, 0x05, 0x54]
l1 = [0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03, 0x04, 0x0A, 0x14, 0x49, 0x05, 0x57]
l = [*l1, *l2]
# m = [0x0A, 0x0D, 0x06, 0x1C, 0x1A, 0x0E, 0x04, 0x18, 0x06, 0x10, 0x0B, 0x0A, 0x0D, 0x0A, 0x09, 0x12, 0x0D, 0x0F, 0x0A, 0x01, 0x1D, 0x1B, 0x1A, 0x08, 0x0C, 0x1B, 0x07, 0x0C, 0x0D, 0x1C, 0x59, 0x01, 0x02, 0x0B, 0x0A, 0x0B, 0x0C, 0x03, 0x02, 0x03, 0x4B, 0x77, 0x0D]
# j = 0
# for i in range(len(l)-1,-1,-1):

# pl(l)

# print(ord('}')^0x77)
# print(chr(ord('K')^0x7D))
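k = [0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03, 0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x00, 0x1B, 0x19, 0x02, 0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57, 0x05, 0x54, 0x55, 0x03, 0x53, 0x57, 0x01, 0x03, 0x07, 0x04, 0x4A, 0x77]
# The 42-byte buffer is XOR-chained (each byte was XORed with its successor),
# so it can be undone from the tail backwards -- but the last byte is unknown.
# Brute-force it over printable ASCII and keep only candidates whose decoded
# buffer starts with "fl" (presumably the flag prefix).
kb = k[:]  # pristine copy: every round starts from it instead of aliasing `k`
for ch in range(32, 128):
    kk = kb[:]
    kk[-1] = ch
    # undo the chain: kk[i] was stored as plain[i] ^ plain[i+1]
    for i in range(len(kk) - 2, -1, -1):
        kk[i] ^= kk[i + 1]
    if kk[0] == ord('f') and kk[1] == ord('l'):
        pl(kk)  # pl comes from prism (imported at the top) -- assumed to print the bytes as text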

tmaze

根据调试分析可以知道它是一个链表(?图),有三个方向和3个标记。要走到最后一个v7的位置

node节点大概是

image-20240908215707302

前三个是指针,后面的sign是三个方向是否可以通过的标记

bef指向前一个node
next指向下一个node
tride的指向没有看懂,但是这个指针是互指的

image-20240908215931928

初始化过程

image-20240908215956884

检查输入过程

这个题当时被困在不会写 idc 脚本，最后学长告诉我 idapython 更方便。试了一下发现它的语法和 python 基本一样，写起来很爽，于是就把脚本搓出来了

import idc

class Node:
    """A maze node read out of the debuggee's memory through IDA's idc API.

    Layout this script assumes (offsets from ``addr``):
    +0, +8, +16   -- three 8-byte pointers to the neighbouring nodes (x, y, z)
    +24, +25, +26 -- one flag byte per direction; a zero byte is treated as
                     "passable" (that is how the checks below read it --
                     confirm against the binary's check routine).
    """

    def __init__(self, addr: int):
        self.addr = addr
        pointers = (idc.get_qword(addr), idc.get_qword(addr + 8), idc.get_qword(addr + 16))
        self.x, self.y, self.z = (int(p) for p in pointers)
        flags = (idc.get_wide_byte(addr + 24), idc.get_wide_byte(addr + 25), idc.get_wide_byte(addr + 26))
        self.to_x, self.to_y, self.to_z = (int(f) == 0 for f in flags)

    def __hash__(self):
        # identity is the node's address, so sets/dicts dedupe by memory location
        return hash(self.addr)

    def __eq__(self, other):
        return isinstance(other, Node) and self.addr == other.addr

    def get_next(self, direction):
        """Return the neighbour reached via ``direction`` ('x', 'y' or 'z'),
        or None when that direction is blocked or the label is unknown."""
        edges = (('x', self.to_x, self.x), ('y', self.to_y, self.y), ('z', self.to_z, self.z))
        for label, passable, target in edges:
            if direction == label and passable:
                return Node(target)
        return None

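def find_way(start, end, visited=None, path='', path_length=0, max_depth=43):
    """Depth-first search for the shortest x/y/z move sequence from ``start`` to ``end``.

    Args:
        start: current node; must be hashable and provide ``get_next(direction)``
            returning a neighbour or None.
        end: target node (compared with ``==``).
        visited: nodes on the current path; None starts a fresh search.
        path: moves taken so far, one character per step.
        path_length: number of moves taken so far.
        max_depth: paths longer than this are abandoned. Defaults to the 43
            the original hard-coded (the answer found was 42 moves).

    Returns:
        ``(path, length)`` of the shortest route found, or ``(None, inf)``
        when ``end`` is unreachable within ``max_depth``.
    """
    if visited is None:
        visited = set()
    if path_length > max_depth:
        return None, float('inf')
    if start == end:
        return path, path_length

    # Share one set and backtrack instead of copying it at every step; the
    # set still holds exactly the ancestors of the current node.
    visited.add(start)
    shortest_path, shortest_length = None, float('inf')
    for direction in 'xyz':
        nxt = start.get_next(direction)
        if nxt is None or nxt in visited:
            continue
        cand_path, cand_length = find_way(
            nxt, end, visited, path + direction, path_length + 1, max_depth
        )
        if cand_path is not None and cand_length < shortest_length:
            shortest_path, shortest_length = cand_path, cand_length
    visited.discard(start)
    return shortest_path, shortest_length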

# Entry and exit nodes of the maze. These look like runtime heap addresses
# captured in the author's debugging session -- re-read them from the
# debugger for a new run (TODO confirm).
start_node, end_node = Node(0x1B7BA6315D0), Node(0x1B7BA632180)
path, plength = find_way(start_node, end_node)
print(path)
# yzyzyzyzyyzxzyyyzxzyzxxxzxzyyyyyyyyzxzxzyy
get_qword 获取对应地址的qword值
get_wide_byte 获取对应地址的一个字节值

比赛的时候没出,不知道最后是不是

import uuid

# The recovered move sequence, fed as the "name" into a version-3 (MD5-based)
# name UUID over the DNS namespace -- the author's guess at the final flag format.
name = 'yzyzyzyzyyzxzyyyzxzyzxxxzxzyyyyyyyyzxzxzyy'
uuid3_generated = uuid.uuid3(namespace=uuid.NAMESPACE_DNS, name=name)