BUGKU-逆向(reverse)-writeup (8)

然后将每个走法得到的值进行判断大小，最大的值就是我们要的答案。

#!usr/bin/env python #!coding=utf-8 __author__ = 'zhengjim' s = [ [77], [5628, 6232], [29052, 1558, 26150], [12947, 29926, 11981, 22371], [4078, 28629, 4665, 2229, 24699], [27370, 3081, 18012, 24965, 2064, 26890], [21054, 5225, 11777, 29853, 2956, 22439, 3341], [31337, 14755, 5689, 24855, 4173, 32304, 292, 5344], [15512, 12952, 1868, 10888, 19581, 13463, 32652, 3409, 28353], [26151, 14598, 12455, 26295, 25763, 26040, 8285, 27502, 15148, 4945], [26170, 1833, 5196, 9794, 26804, 2831, 11993, 2839, 9979, 27428, 6684], [4616, 30265, 5752, 32051, 10443, 9240, 8095, 28084, 26285, 8838, 18784, 6547], [7905, 8373, 19377, 18502, 27928, 13669, 25828, 30502, 28754, 32357, 2843, 5401, 10227], [22871, 20993, 8558, 10009, 6581, 22716, 12808, 4653, 24593, 21533, 9407, 6840, 30369, 2330], [3, 28024, 22266, 19327, 18114, 18100, 15644, 21728, 17292, 8396, 27567, 2002, 3830, 12564, 1420], [29531, 21820, 9954, 8319, 10918, 7978, 24806, 30027, 17659, 8764, 3258, 20719, 6639, 23556, 25786, 11048], [3544, 31948, 22, 1591, 644, 25981, 26918, 31716, 16427, 15551, 28157, 7107, 27297, 24418, 24384, 32438, 22224], [12285, 12601, 13235, 21606, 2516, 13095, 27080, 16331, 23295, 20696, 31580, 28758, 10697, 4730, 16055, 22208, 2391, 20143], [16325, 24537, 16778, 17119, 18198, 28537, 11813, 1490, 21034, 1978, 6451, 2174, 24812, 28772, 5283, 6429, 15484, 29353, 5942], [7299, 6961, 32019, 24731, 29103, 17887, 17338, 26840, 13216, 8789, 12474, 24299, 19818, 18218, 14564, 31409, 5256, 31930, 26804, 9736]] all_score = {} with open('all_roads.txt', 'r')as f: for line in f.readlines(): row = 0 go = 0 score = s[row][go] for i in line: if i == 'L': row += 1 score += s[row][go] elif i == 'R': row += 1 go += 1 score += s[row][go] all_score[line] = score max_road = max(all_score, key=all_score.get) print(max_road, all_score[max_road])

得到了最大路径:RRRRRLLRRRLRLRRRLRL和最大值444740。

在程序输入却还是error

不知道是哪错了，又看了一遍程序，发现第22行的sub_41114F(Str)对我们输入的数据进行了处理。
跟进去,发现又调用了sub_411900(Str)在跟进去，发现调用了sub_4110A5(nullsub_1, sub_411994 - nullsub_1, 4)。再跟进去。

再往里跟。sub_411750(lpAddress, a2, a3 = 4);

结合OD来查看。

前面几行是往内存获取值理解成获取用户输入。因为调用到了内存，所以结合OD来查看。

因为一个dword占了4字节，所以8字节为第二字符。所以就是偶数位的字符与传入的4进行xor运算。

#!usr/bin/env python #!coding=utf-8 __author__ = 'zhengjim' max_road = 'RRRRRLLRRRLRLRRRLRL' flag = '' for i, s in enumerate(max_road): if (i - 1) % 2 == 0: flag += chr(ord(s) ^ 4) else: flag += s print(flag)

得到flag：RVRVRHLVRVLVLVRVLVL