roger posted on 2020-5-19 16:47:23

wdb Wangding Cup (网鼎杯) 2020: re_tree

Locate the main function.

Step into the chkflag function. It converts each x in the xxx part of the input flag into binary form, 4 bits per x, and stores the result in glockflag.


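The parse function reads the bits back out of glockflag, treating 0 as left and 1 as right, and walks the tree down to leaf nodes. If the leaf nodes reached spell zvzjyvosgnzkbjjjypjbjdvmsjjyvsjx, the flag is correct.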


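First we print every leaf node together with its path:
a = []       # current path from the root, as '0'/'1' characters
lujing = []  # collected [character, path] pairs, one per leaf

# Dword/Byte are the legacy IDAPython helpers
# (idc.get_wide_dword / idc.get_wide_byte in IDA 7+).
def traverse_leaf(pnode):
    if pnode != 0:
        # A leaf has neither a left (+12) nor a right (+16) child.
        if Dword(pnode + 12) == 0 and Dword(pnode + 16) == 0:
            print(chr(Byte(pnode)))
            print("".join(a))
            lujing.append([chr(Byte(pnode)), "".join(a)])
        a.append('0')
        traverse_leaf(Dword(pnode + 12))
        a.append('1')
        traverse_leaf(Dword(pnode + 16))
    # Every call except the root's removes the bit its caller appended.
    if pnode != 0X0406530:
        a.pop()


traverse_leaf(0X0406530)
print(lujing)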
[['y', '0000'], ['b', '00010'], ['q', '00011'], ['g', '0010'], ['f', '0011'], ['j', '010'], ['w', '01100'], ['p', '01101'], ['x', '011100'], ['d', '0111010'], ['i', '0111011'], ['k', '01111'], ['s', '100'], ['z', '1010'], ['n', '1011'], ['c', '11000'], ['t', '110010'], ['e', '110011'], ['h', '1101'], ['o', '11100'], ['l', '1110100'], ['u', '11101010'], ['r', '111010110'], ['a', '111010111'], ['m', '111011'], ['v', '1111']]

Next, write a script that converts zvzjyvosgnzkbjjjypjbjdvmsjjyvsjx into paths, concatenates them, and splits the result into groups of 4 bits. Each group is one x of the xxxx in the flag.
lujing = [['y', '0000'], ['b', '00010'], ['q', '00011'], ['g', '0010'], ['f', '0011'], ['j', '010'], ['w', '01100'], ['p', '01101'], ['x', '011100'], ['d', '0111010'], ['i', '0111011'], ['k', '01111'], ['s', '100'], ['z', '1010'], ['n', '1011'], ['c', '11000'], ['t', '110010'], ['e', '110011'], ['h', '1101'], ['o', '11100'], ['l', '1110100'], ['u', '11101010'], ['r', '111010110'], ['a', '111010111'], ['m', '111011'], ['v', '1111']]
res = "zvzjyvosgnzkbjjjypjbjdvmsjjyvsjx"
flag01 = ""
flagx = ""
# Replace every target character with its path through the tree.
for i in res:
    for j in lujing:
        if i == j[0]:
            flag01 += j[1]
print(flag01)
# Turn each group of 4 bits back into one hex digit.
for i in range(0, len(flag01), 4):
    tmp = "%x" % int(flag01[i:i + 4], 2)
    flagx += tmp
print(flagx)
The flagx finally printed is afa41fc8574f12481a849d7f7120f89c.
Substitute it into flag{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, that is,
the flag is flag{afa41fc8-574f-1248-1a84-9d7f7120f89c}
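
A forward model of the check described above, added here as a way to verify the result without the binary (it is not code from the original post or from the challenge): it rebuilds the tree from the dumped leaf table, expands a candidate flag to bits, walks the tree and compares the leaves with the target string. Dropping the dashes and restarting at the root after each leaf are assumptions consistent with the solve script; `build_tree`, `flag_to_bits` and `check` are illustrative names.

```python
# TABLE is the leaf table printed by the IDAPython dump in the write-up.
TABLE = {
    "y": "0000", "b": "00010", "q": "00011", "g": "0010", "f": "0011",
    "j": "010", "w": "01100", "p": "01101", "x": "011100", "d": "0111010",
    "i": "0111011", "k": "01111", "s": "100", "z": "1010", "n": "1011",
    "c": "11000", "t": "110010", "e": "110011", "h": "1101", "o": "11100",
    "l": "1110100", "u": "11101010", "r": "111010110", "a": "111010111",
    "m": "111011", "v": "1111",
}
TARGET = "zvzjyvosgnzkbjjjypjbjdvmsjjyvsjx"

def build_tree(table):
    """Rebuild the tree as nested dicts; reject a table that is not prefix-free."""
    root = {}
    for ch, path in table.items():
        node = root
        for bit in path:
            if "leaf" in node:
                raise ValueError("path for %r runs through a leaf" % ch)
            node = node.setdefault(bit, {})
        if node:
            raise ValueError("leaf %r collides with an existing node" % ch)
        node["leaf"] = ch
    return root

def flag_to_bits(flag):
    """chkflag as described: each hex digit x becomes 4 bits (dashes dropped: assumption)."""
    body = flag[len("flag{"):-1].replace("-", "")
    return "".join(format(int(x, 16), "04b") for x in body)

def parse(bits, root):
    """parse as described: 0 = left, 1 = right; back to the root after a leaf (assumption)."""
    out, node = [], root
    for bit in bits:
        node = node[bit]
        if "leaf" in node:
            out.append(node["leaf"])
            node = root
    if node is not root:
        raise ValueError("bits end in the middle of a path")
    return "".join(out)

def check(flag):
    """True only if the flag's bits decode to TARGET; malformed input is rejected."""
    try:
        return parse(flag_to_bits(flag), build_tree(TABLE)) == TARGET
    except (ValueError, KeyError):
        return False
```

Because the leaf table is prefix-free, the bit string produced by the solve script decodes in exactly one way, which is why concatenating the paths and regrouping them in fours recovers the flag.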
