攻防世界 reverse seven

seven  hctf2018

 这是一个驱动文件

 ida载入,查找字符串

 根据字符串的引用位置来到函数 sub_1400012F0:

/*
 * Hex-Rays output for the routine that consumes keyboard records and walks a
 * cursor through the maze held in the global array aO.
 *
 * For each record it handles, the routine clears the current cell to '.',
 * moves the cursor (dword_1400030E4) according to the scancode, then looks at
 * the destination cell: '*' prints "-1s", '7' prints "The input is the
 * flag!", and in both cases the cursor is reset to 16. The cell the cursor
 * ends on is marked 'o'. The records themselves are only read, never
 * modified, in the code shown.
 *
 * a1 is not referenced. The function returns the 32-bit value at a2 + 48.
 *
 * NOTE(review): the offsets used on a2 (24, 48, 56, 65, 184) are consistent
 * with an x64 IRP (SystemBuffer, IoStatus.Status, IoStatus.Information,
 * PendingReturned, current stack location), which would make this the
 * read-completion routine of a keyboard filter driver -- confirm against the
 * code that registers it.
 */
__int64 __fastcall sub_1400012F0(__int64 a1, __int64 a2)
{
  __int64 v2; // rbx; copy of a2
  _KEYBOARD_INPUT_DATA *KEYBOARD_input; // rsi; first record in the buffer
  unsigned __int64 v4; // rdx; number of 12-byte records
  int index; // ecx; cursor position inside aO
  __int16 *k_ipt; // rdi; points at the MakeCode of the current record
  __int64 v7; // rbp; records left to process
  __int16 k; // dx; scancode of the current record
  char next_c; // dl; maze cell the cursor moved onto
  CHAR *v10; // rcx; message handed to DbgPrint

  v2 = a2;
  // Only look at the buffer when the status field is non-negative (success).
  if ( *(_DWORD *)(a2 + 48) >= 0 )
  {
    KEYBOARD_input = *(_KEYBOARD_INPUT_DATA **)(a2 + 24);
    // Byte count at a2 + 56 divided by 12: the multiply-high by
    // 0xAAAAAAAAAAAAAAAB followed by >> 3 is the compiler's strength-reduced
    // unsigned division by 12, which matches the 12-byte stride of k_ipt below.
    v4 = (unsigned __int64)(*(unsigned __int64 *)(a2 + 56) * (unsigned __int128)0xAAAAAAAAAAAAAAABui64 >> 64) >> 3;
    if ( (_DWORD)v4 )
    {
      index = dword_1400030E4;
      k_ipt = (__int16 *)&KEYBOARD_input->MakeCode;
      v7 = (unsigned int)v4;
      // Records with a non-zero Flags value are skipped; Flags == 0 is a key
      // press (KEY_MAKE in the WDK headers).
      // NOTE(review): as decompiled, the condition always reads the FIRST
      // record's Flags while k_ipt advances -- likely a decompiler artifact,
      // confirm in the disassembly.
      while ( KEYBOARD_input->Flags )
      {
LABEL_30:
        // Shared "next record" step, also entered by goto after a record has
        // been handled: 6 * sizeof(__int16) = 12 bytes per record.
        k_ipt += 6;
        if ( !--v7 )
          goto LABEL_31;
      }
      aO[index] = '.';                          // clear the cell being left
      k = *k_ipt;
      if ( *k_ipt == 17 )                       // scancode 17: W key
      {
        if ( index & 0xFFFFFFF0 )               // index >= 16, i.e. not in the top row
        {
          index -= 16;                          // move up one row
          goto LABEL_13;
        }
        index += 208;                           // top row: wrap to the row starting at 208
        dword_1400030E4 = index;
      }
      if ( k != 31 )                            // scancode 31: S key
        goto LABEL_14;
      if ( (index & 0xFFFFFFF0) == 208 )        // row starting at 208: wrap to the top row
        index -= 208;
      else
        index += 16;                            // move down one row
LABEL_13:
      dword_1400030E4 = index;
LABEL_14:
      if ( k == 30 )                            // scancode 30: A key
      {
        if ( index & 0xF )
          --index;                              // move left
        else
          index += 15;                          // column 0: wrap to column 15 of the same row
        dword_1400030E4 = index;
      }
      if ( k == 32 )                            // scancode 32: D key
      {
        if ( (index & 0xF) == 15 )              // column 15 of a 16-cell row: wrap to column 0
          index -= 15;
        else
          ++index;                              // move right
        dword_1400030E4 = index;
      }
      // NOTE(review): index is never checked against the size of aO. The wrap
      // arithmetic above keeps it in 0..223 (14 rows of 16) only if it starts
      // inside that range -- confirm the initial value of dword_1400030E4.
      next_c = aO[index];
      if ( next_c == '*' )                      // '*' cell: failure message
      {
        v10 = "-1s\n";
      }
      else
      {
        if ( next_c != '7' )                    // ordinary cell: mark it and go on
        {
LABEL_29:
          aO[index] = 'o';                      // mark the cursor position
          goto LABEL_30;
        }
        v10 = "The input is the flag!\n";       // '7' cell: success message
      }
      // Both '*' and '7' send the cursor back to position 16.
      dword_1400030E4 = 16;
      // v10 is one of the two literals assigned above, never record data, so
      // using it as the format argument carries no format-string risk here.
      DbgPrint(v10);
      index = dword_1400030E4;
      goto LABEL_29;
    }
  }
LABEL_31:
  // NOTE(review): matches the usual completion-routine epilogue
  // "if (Irp->PendingReturned) IoMarkIrpPending(Irp);" -- confirm.
  if ( *(_BYTE *)(v2 + 65) )
    *(_BYTE *)(*(_QWORD *)(v2 + 184) + 3i64) |= 1u;
  return *(unsigned int *)(v2 + 48);
}

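这是一道简单的迷宫题:输入来自 KEYBOARD_INPUT_DATA 结构体,其第二个成员 MakeCode 表示按键的扫描码。迷宫保存在全局数组 aO 中,每行 16 格,dword_1400030E4 是当前位置;走到 '*' 会输出 "-1s" 并回到位置 16,走到 '7' 则输出 "The input is the flag!"。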

扫描码与方向的对应关系:17 --> w(上);31 --> s(下);30 --> a(左);32 --> d(右)。

迷宫(全局数组 aO 的内容,按每行 16 个字符排列):

 对应输入:ddddddddddddddssaasasasasasasasasas

hctf{ddddddddddddddssaasasasasasasasasas}


转载自www.cnblogs.com/DirWang/p/12272367.html