
2022安洵杯

2022安洵杯

可能是因为看了一晚上球的原因,这天状态相当不好,赛后还是要好好反思和复现

reeee

这个题就是个rc4,没什么意思

RE1

首先主函数大概是一个加载驱动类的写法,但其实都不重要,重要的是不知道怎么调试,所以当时一直在搜索,其实找到逻辑直接分析就行。

/* Service entry point (ServiceMain-style).  From the way the arguments are
 * used below, a1 is presumably the service argc and a2 the wide argv: the
 * candidate flag is argv[1] and is only looked at when exactly two arguments
 * were passed to the service. */
void __stdcall sub_4015C0(int a1, int a2)
{
    SERVICE_STATUS_HANDLE v2; // eax
    _WORD *v3; // ecx
    _WORD *v4; // edx
    char v6[76]; // [esp+8h] [ebp-50h] BYREF -- VM context handed to sub_4011D0/sub_401280

    v2 = RegisterServiceCtrlHandlerW(L"SvcTest", HandlerProc);
    hServiceStatus = (int)v2;
    if ( v2 )
    {
        ServiceStatus.dwCurrentState = 4; // 4 == SERVICE_RUNNING
        SetServiceStatus(v2, &ServiceStatus);
        if ( a1 != 2 )
        {
            /* Nothing to check: idle forever, emitting a hint every 3 s (0xBB8 ms). */
            while ( 1 )
            {
                OutputDebugStringW(L"[SvcTest] service is running...");
                OutputDebugStringW(L"maybe you should input something");
                Sleep(0xBB8u);
            }
        }
        /* Inline wcslen() of argv[1]: after the loop v3 is one past the
         * terminator and v4 is argv[1] + 1, so v3 - v4 is the length in
         * wide characters -- the input must be exactly 12 of them. */
        v3 = *(_WORD **)(a2 + 4);
        v4 = v3 + 1;
        while ( *v3++ )
            ;
        if ( v3 - v4 == 12 )
        {
            /* Zero 8 + 4 + 1 bytes.  wcstombs() with a count of 12 writes no
             * terminator when the source has 12 characters, so byte_4055C4 is
             * what terminates Dest -- assuming the three globals are laid out
             * contiguously, as the adjacent addresses suggest. */
            dword_4055C0 = 0;
            *(_QWORD *)Dest = 0i64;
            byte_4055C4 = 0;
            wcstombs(Dest, *(const wchar_t **)(a2 + 4), 0xCu);
            memset(v6, 0, 0x48u);
            sub_4011D0(v6);    // build the handler table and DstBuf
            sub_401280(v6);    // run the opcode stream
            sub_4012D0();      // compare the result and exit (declared __noreturn)
            JUMPOUT(0x4016CB); // decompiler artefact for a jump it could not structure; unreachable after a __noreturn call
        }
        OutputDebugStringW(L"wrong lenth!!!");
    }
    else
    {
        OutputDebugStringW(L"RegisterServiceCtrlHandler() failed!!!");
    }
}

输入是12位：sub_4011D0 负责初始化，sub_401280 负责逐条调用 opcode，sub_4012D0 负责最后的比对

先看初始化函数

/* Builds the VM context in `this` (a 16-dword table the caller zeroed) and the
 * 0x512-byte working buffer DstBuf.
 *
 *   this[0..2]  three dword slots, cleared here -- presumably the VM's
 *               registers (the trace script below calls them arr[0..2])
 *   this[3]     instruction pointer, starts at &opcode
 *   this[4+2k]  opcode byte (low byte of the dword), this[5+2k] its handler,
 *               for k = 0..5: F1 change, F2 xor, F5 read, F6 shift, F8 add, F9 sub
 *
 * DstBuf layout (byte offsets): 0..7 = Dest (the first 8 input bytes),
 * 8..11 = num (presumably the remaining 4 input bytes -- the caller's
 * dword_4055C0 under another name), 48..59 = "abcdefghijkl" (v1 + 12 dwords).
 * Offset 48 == 0x30 is exactly where the `F1 E2 30..3B` loads in the opcode
 * stream read from, i.e. the key location the writeup was unsure about.
 *
 * The return value 1818978921 is 0x6C6B6A69, the bytes "ijkl" little-endian:
 * a register leftover from the qmemcpy, not a meaningful result.  malloc()'s
 * result is not checked before memset(). */
int __thiscall sub_4011D0(_DWORD *this)
{
    _DWORD *v1; // esi

    *this = 0;
    this[1] = 0;
    this[2] = 0;
    this[3] = &opcode;
    *((_BYTE *)this + 16) = 0xF1;
    this[5] = change;
    *((_BYTE *)this + 24) = 0xF2;
    this[7] = xor;
    *((_BYTE *)this + 32) = 0xF5;
    this[9] = read;
    *((_BYTE *)this + 40) = 0xF6;
    this[11] = shift;
    *((_BYTE *)this + 48) = 0xF8;
    this[13] = add;
    *((_BYTE *)this + 56) = 0xF9;
    this[15] = sub;
    v1 = malloc(0x512u);
    DstBuf = v1;
    memset(v1, 0, 0x512u);
    *(_QWORD *)v1 = *(_QWORD *)Dest; // input bytes 0..7
    v1[2] = num;                     // bytes 8..11
    qmemcpy(v1 + 12, "abcdefghijkl", 12); // key at byte offset 48
    return 1818978921;
}

再看调用方法,

/* Dispatch loop of the VM.  Resets the instruction pointer this[3] to &opcode
 * and, until the byte under it is 0xF4 (halt), scans the handler table for an
 * entry whose opcode byte equals the current op and calls that handler with
 * `this`.  The scan compares op with the byte at this[4 + 2*index] (v4 steps
 * 8 bytes = 2 dwords per entry) and gives up after 7 entries, one more than
 * sub_4011D0 fills in -- that seventh slot is just the caller's zero-filled
 * stack memory.
 *
 * Nothing in this loop advances this[3]: each handler has to move it past its
 * own operands, and an opcode no entry matches (LABEL_7) leaves it untouched,
 * so the same byte is re-dispatched forever. */
void __thiscall sub_401280(_DWORD *this)
{
    char op; // dl
    int index; // eax
    _BYTE *v4; // ecx

    this[3] = &opcode;
    for ( op = opcode; op != (char)0xF4; op = *(_BYTE *)this[3] )
    {
        index = 0;
        v4 = this + 4; // first opcode byte of the table
        while ( op != *v4 )
        {
            ++index;
            v4 += 8; // next (opcode, handler) pair
            if ( index >= 7 )
                goto LABEL_7;
        }
        ((void (__cdecl *)(_DWORD *))this[2 * index + 5])(this);
LABEL_7:
        ;
    }
}

这个调用是通过调用this的数组进行的,判断的是op==this[4*i],然后进行执行this[2 * index + 5]的方法,最后下图比较

/* Final check: compares the 12 bytes at DstBuf + 64 (the VM's output slots
 * 0x40..0x4B that the `F1 E4 4x` stores fill) with the expected ciphertext
 * byte_403700.  Either outcome ends the process with exit(0); only the debug
 * string differs. */
void __noreturn sub_4012D0()
{
    const _BYTE *produced = (const _BYTE *)DstBuf + 64;

    for ( int i = 0; i < 12; ++i )
    {
        if ( produced[i] != byte_403700[i] )
        {
            OutputDebugStringW(L"wrong!!!");
            exit(0);
        }
    }
    OutputDebugStringW(L"you are right");
    exit(0);
}

接下来就是逆了

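# --- RE1: opcode trace --------------------------------------------------------
# Opcode stream of the VM as dumped from the binary.  Instruction shapes, as
# the author inferred them from the handler table built in sub_4011D0 (the
# handler bodies themselves are not shown on this page):
#   F1 <reg> <imm32>   change : reg E1/E2/E3 <- dstbuf[imm]; E4: dstbuf[imm] <- arr[0]
#   F2                 xor    : arr[0] ^= arr[1]
#   F5                 read   : never occurs in this stream (matches the remark below)
#   F6                 shift  : rotate of arr[0]
#   F8 <reg> <imm8>    add    : reg += imm
#   F9 <reg> <imm8>    sub    : reg -= imm
#   F4                 halt   : sub_401280 stops when the pc points at it
# Only the low byte of the F1 imm32 is used, so `dstbuf[...]` indices below are
# byte offsets into DstBuf: 0x00..0x0B input, 0x30..0x3B the "abcdefghijkl"
# key (sub_4011D0 copies it to v1 + 12 dwords == byte 48), 0x20..0x2B the
# first-stage result, 0x40..0x4B the bytes sub_4012D0 compares.
opcode = [0xF1, 0xE1, 0x00, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x30, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x20, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x01, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x31, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x21, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x02, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x32, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x22, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x03, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x33, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x23, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x04, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x34, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x24, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x05, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x35, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x25, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x06, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x36, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x26, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x07, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x37, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x27, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x08, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x38, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x28, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x09, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x39, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x29, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x0A, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x3A, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x2A, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x0B, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x3B, 0x00, 0x00, 0x00, 0xF2, 0xF6, 0xF1, 0xE4, 0x2B, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x20, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x21, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0xA4, 0xF2, 0xF9, 0xE1, 0x05, 0xF1, 0xE4, 0x40, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x21, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x22, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x70, 0xF2, 0xF9, 0xE1, 0x97, 0xF1, 0xE4, 0x41, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x22, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x23, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x4F, 0xF2, 0xF9, 0xE1, 0x79, 0xF1, 0xE4, 0x42, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x23, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x24, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0xD3, 0xF2,
0xF9, 0xE1, 0x47, 0xF1, 0xE4, 0x43, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x24, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x25, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x5F, 0xF2, 0xF9, 0xE1, 0x92, 0xF1, 0xE4, 0x44, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x25, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x26, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x03, 0xF2, 0xF9, 0xE1, 0x4A, 0xF1, 0xE4, 0x45, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x26, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x27, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x08, 0xF2, 0xF9, 0xE1, 0xBD, 0xF1, 0xE4, 0x46, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x27, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x28, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x28, 0xF2, 0xF9, 0xE1, 0x39, 0xF1, 0xE4, 0x47, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x28, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x29, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x7F, 0xF2, 0xF9, 0xE1, 0x29, 0xF1, 0xE4, 0x48, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x29, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x2A, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x29, 0xF2, 0xF9, 0xE1, 0x3B, 0xF1, 0xE4, 0x49, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x2A, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x2B, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0x37, 0xF2, 0xF9, 0xE1, 0xC1, 0xF1, 0xE4, 0x4A, 0x00, 0x00, 0x00, 0xF1, 0xE1, 0x2B, 0x00, 0x00, 0x00, 0xF1, 0xE2, 0x40, 0x00, 0x00, 0x00, 0xF8, 0xE2, 0xBA, 0xF2, 0xF9, 0xE1, 0xD1, 0xF1, 0xE4, 0x4B, 0x00, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00]

# The handler table of sub_4011D0 written out for reference; not used by the
# trace.  0xF5 is named `read` in the decompilation, "mov" is the author's label.
this = [0] * 16
this[0] = 0
this[1] = 0
this[2] = 0
this[3] = "opcode"
this[4] = 0xf1
this[5] = "change"
this[6] = 0xf2
this[7] = "xor"
this[8] = 0xf5
this[9] = "mov"
this[10] = 0xf6
this[11] = "shift"
this[12] = 0xf8
this[13] = "add"
this[14] = 0xf9
this[15] = "sub"
v1 = "xxxxxxxxxxxxabcdefghijkl"
print(len(v1))
arr = [0] * 300  # unused; kept from the original script

HALT = 0xF4
REG_NAMES = {0xE1: "arr[0]", 0xE2: "arr[1]", 0xE3: "arr[2]"}
# Total length of each instruction, operand bytes included.
INSN_LEN = {0xF1: 6, 0xF2: 1, 0xF5: 1, 0xF6: 1, 0xF8: 3, 0xF9: 3}


def disassemble(code):
    """Walk `code` and return one pseudo-instruction string per recognised
    opcode, in execution order.

    Stops at the first 0xF4 (halt) or at the end of `code`.  An opcode byte
    that no handler covers raises ValueError instead of spinning forever,
    which is what the original loop did (it never advanced `i` on an unknown
    byte -- the same behaviour sub_401280 has when no table entry matches).
    A truncated instruction (operands past the end of `code`) also raises
    ValueError.  Register operands other than E1..E4 produce no line, exactly
    as before.

    The F6 text is kept as the author wrote it.  NOTE(review): the solve
    script below undoes F6 with `(tmp<<6)|(tmp>>2)`, a rotate-right by 2, so
    the forward op is presumably `(arr[0] << 2) | (arr[0] >> 6)` and the
    `2 << arr[0]` wording looks like a typo -- confirm against the handler.
    """
    lines = []
    i = 0
    while i < len(code) and code[i] != HALT:
        op = code[i]
        size = INSN_LEN.get(op)
        if size is None:
            raise ValueError("unknown opcode 0x%02X at offset %d" % (op, i))
        if i + size > len(code):
            raise ValueError("truncated instruction 0x%02X at offset %d" % (op, i))
        if op == 0xF1:
            reg, imm = code[i + 1], code[i + 2]  # only the low imm byte matters
            if reg in REG_NAMES:
                lines.append("%s = dstbuf[%d]" % (REG_NAMES[reg], imm))
            elif reg == 0xE4:
                lines.append("dstbuf[%d] = arr[0]" % imm)
        elif op == 0xF2:
            lines.append("arr[0] ^= arr[1]")
        elif op == 0xF5:
            lines.append("read input")
        elif op == 0xF6:
            lines.append("arr[0] = (2 << arr[0]) | (arr[0] >> 6)")
        elif op == 0xF8:
            reg, imm = code[i + 1], code[i + 2]
            if reg in REG_NAMES:
                lines.append("%s += %d" % (REG_NAMES[reg], imm))
        else:  # 0xF9
            reg, imm = code[i + 1], code[i + 2]
            if reg in REG_NAMES:
                lines.append("%s -= %d" % (REG_NAMES[reg], imm))
        i += size
    return lines


for line in disassemble(opcode):
    print(line)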

跑出来的约束用z3求解

from z3 import *
data=[0xA7, 0x3A, 0x19, 0xB4, 0xF1, 0x49, 0x2B, 0xCB, 0xEA, 0x0E, 0x0E, 0x14]
s = Solver()
dstbuf=[0]*76
for i in range(12):
dstbuf[32+i] = BitVec("dstbuf[%d]"%(i+1),8)
arr=[0]*4
arr[0] = dstbuf[32]
arr[1] = dstbuf[33]
arr[1] += 164
arr[0] ^= arr[1]
arr[0] -= 5
dstbuf[64] = arr[0]
arr[0] = dstbuf[33]
arr[1] = dstbuf[34]
arr[1] += 112
arr[0] ^= arr[1]
arr[0] -= 151
dstbuf[65] = arr[0]
arr[0] = dstbuf[34]
arr[1] = dstbuf[35]
arr[1] += 79
arr[0] ^= arr[1]
arr[0] -= 121
dstbuf[66] = arr[0]
arr[0] = dstbuf[35]
arr[1] = dstbuf[36]
arr[1] += 211
arr[0] ^= arr[1]
arr[0] -= 71
dstbuf[67] = arr[0]
arr[0] = dstbuf[36]
arr[1] = dstbuf[37]
arr[1] += 95
arr[0] ^= arr[1]
arr[0] -= 146
dstbuf[68] = arr[0]
arr[0] = dstbuf[37]
arr[1] = dstbuf[38]
arr[1] += 3
arr[0] ^= arr[1]
arr[0] -= 74
dstbuf[69] = arr[0]
arr[0] = dstbuf[38]
arr[1] = dstbuf[39]
arr[1] += 8
arr[0] ^= arr[1]
arr[0] -= 189
dstbuf[70] = arr[0]
arr[0] = dstbuf[39]
arr[1] = dstbuf[40]
arr[1] += 40
arr[0] ^= arr[1]
arr[0] -= 57
dstbuf[71] = arr[0]
arr[0] = dstbuf[40]
arr[1] = dstbuf[41]
arr[1] += 127
arr[0] ^= arr[1]
arr[0] -= 41
dstbuf[72] = arr[0]
arr[0] = dstbuf[41]
arr[1] = dstbuf[42]
arr[1] += 41
arr[0] ^= arr[1]
arr[0] -= 59
dstbuf[73] = arr[0]
arr[0] = dstbuf[42]
arr[1] = dstbuf[43]
arr[1] += 55
arr[0] ^= arr[1]
arr[0] -= 193
dstbuf[74] = arr[0]
arr[0] = dstbuf[43]
arr[1] = dstbuf[64]
arr[1] += 186
arr[0] ^= arr[1]
arr[0] -= 209
dstbuf[75] = arr[0]

for i in range(12):
s.add(dstbuf[64+i]==data[i])
s.check()
print(s.model())
dstbuf[1] = 172
dstbuf[4] = 64
dstbuf[9] = 64
dstbuf[3] = 29
dstbuf[11] = 116
dstbuf[12] = 132
dstbuf[6] = 12
dstbuf[10] = 212
dstbuf[7] = 156
dstbuf[5] = 232
dstbuf[8] = 108
dstbuf[2] = 92

然后进行第一步的移位和异或

# Undo the first stage byte by byte: rotate right by 2 (the inverse of the
# rotate-left by 2 the trace attributes to opcode F6), then XOR with
# "abcdefghijkl"[i-1] -- the key sub_4011D0 places at DstBuf offset 48, which
# the `F1 E2 30..3B` loads read.  The loop is effectively 1-based because the
# model values were stored in dstbuf[1..12]; i == 0 reads the never-assigned
# dstbuf[0] (still 0) and prints one stray character (0 ^ 0x60 == '`') before
# the 12 flag characters.
for i in range(13):
    tmp = dstbuf[i]
    tmp = ((tmp<<6)|(tmp>>2)) &0xff
    tmp ^= (ord("a")+i-1)
    print(chr(tmp),end='')
# Ju$t_e@sy_vM

不过在分析过程中,并没有发现在什么地方执行了read,而且最后异或的时候也有一定蒙的成分,不知道字符串abcdefghijkl放在了什么位置。

RE2

连续三道题出题模式都一样,不好评价了有点。。。

这个题前面的逻辑全是假的,它又开了一个线程,真正逻辑在那个线程中,是一个经典的花指令,patch之后就能看到是个迷宫。

/* Maze step handler: *a1 is the key just read.  W/A/S/D move the global
 * cursor (x, y) by one cell and then call Sleep() with a per-key value
 * (0x11..0x14); per the writeup Sleep is hooked by sub_402330, so that value
 * doubles as the second half of a diagonal move.  Every call, even with a key
 * none of the four branches handles, counts one step in dword_4068A4.
 * Leaving the 40x40 map or landing on a 1-cell exits the process; the success
 * message appears only on a 2-cell reached on exactly the 75th step. */
int __cdecl sub_4027F0(int *a1)
{
    int key = *a1;
    char banner[12]; // "Success!!!" is 10 chars + NUL, fits

    strcpy(banner, "Success!!!");
    if ( key == 'A' )
    {
        --x;
        Sleep(0x13u);
    }
    else if ( key == 'D' )
    {
        ++x;
        Sleep(0x14u);
    }
    else if ( key == 'S' )
    {
        ++y;
        Sleep(0x12u);
    }
    else if ( key == 'W' )
    {
        --y;
        Sleep(0x11u);
    }

    int in_bounds = y >= 0 && y < 40 && x >= 0 && x < 40;
    if ( !in_bounds || map[40 * y + x] == 1 )
        exit(0);
    ++dword_4068A4;
    if ( dword_4068A4 == 75 && map[40 * y + x] == 2 )
    {
        printf("\n%s", banner);
        system("pause");
    }
    return 1;
}

map:

0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1  
1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 0 1 1 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 0 1 1 1 1 0 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 0 1 1 1 1 1 0 1 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 0 1 1 1 1 0 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 0 1 1 1 1 1 0 1 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 0 1 1 1 1 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 0 1 0 1 0 1 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 0 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 0 1 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 0 0 0 1 1 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 0 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 0 1 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 0 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 1 1 0 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 0 1 1 1 0 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1 1 0 0 0 0 0 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 0 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 0 1 0 1 1 1 1 0 0 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 1 0 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 0 1 1 1 1 1 0 1 1 1 0 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 1 1 1 1 0 1 1 1 0 0 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 0 1 0 1 0 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 0 1 1 1 1

不过怎么走都好像不能走75到终点,查看交叉引用

image-20221128231849609

image-20221128231901022

发现起点被改成了(2,2),终点位置也变了,但好像还是走不到75步,最后发现 Sleep 好像被 hook 了:

/* Hook installed over Sleep() (per the writeup).  The values sub_4027F0 passes
 * are turned into a second cursor move -- 0x11: --x, 0x12: ++x, 0x13: ++y,
 * 0x14: --y -- and the call is forwarded to dword_406890 (presumably the
 * original Sleep) with 0, so no delay remains.  Any other argument is
 * forwarded unchanged.  Combined with sub_4027F0 this makes every key a
 * diagonal step: A = (x-1, y+1), D = (x+1, y-1), S = (x+1, y+1),
 * W = (x-1, y-1). */
int __stdcall sub_402330(int a1)
{
    int forwarded = a1;

    if ( a1 == 0x11 )
    {
        --x;
        forwarded = 0;
    }
    else if ( a1 == 0x12 )
    {
        ++x;
        forwarded = 0;
    }
    else if ( a1 == 0x13 )
    {
        ++y;
        forwarded = 0;
    }
    else if ( a1 == 0x14 )
    {
        --y;
        forwarded = 0;
    }
    return dword_406890(forwarded);
}

发现了原来这个东西是斜着走的,比如当输入为A,是向左下走的,输入为D,是向右上角走的,输入为S,是向右下角走的,输入为W,是向左上角走的,得到路线:dssaaasasssdsddddwddssasaaassdsssaasssddssasaassaaassdsdsssaaassddddsdssasa

PYC.pyc