SeKaiCTF 2025 Reverse 方向复现

Miku Music Machine

ida 打开,找到 main 函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v5; // rax
  __int64 v6; // rbp
  int v7; // edi
  __int64 v8; // rbx
  __int64 v9; // r14
  unsigned __int8 v10; // si
  HMIDIOUT phmo; // [rsp+70h] [rbp+18h] BYREF

  if ( argc < 2 )
  {
    sub_7FF666284950("Usage: %s <prompt>\n", *argv);
    return 1;
  }
  v5 = -1LL;
  do
    ++v5;
  while ( argv[1][v5] );
  if ( v5 != 50 )
  {
    sub_7FF666284950("You should work on the length of your prompt!\n", argv, envp);
    return 1;
  }
  v6 = 0LL;
  if ( midiOutOpen(&phmo, 0, 0LL, 0LL, 0) )
  {
    sub_7FF666284950("Failed to open MIDI device.\n");
  }
  else
  {
    v7 = 22;
    v8 = 22LL;
    do
    {
      v9 = 4LL;  // 循环次数 = 4
      v10 = byte_7FF6662F3000[v6] ^ argv[1][v6];
      do
      {
        if ( (v10 & 3) != 0 ) // 取 v10 的低两位
        {
          switch ( v10 & 3 )
          {
            case 1:
              ++v7;
              ++v8;
              break;
            case 2:
              v7 += 21;
              v8 += 21LL;
              break;
            case 3:
              --v7;
              --v8;
              break;
          }
        }
        else
        {
          v7 -= 21;
          v8 -= 21LL;
        }
        off_7FF6662F3040[v8]();
        midiOutShortMsg(phmo, dwMsg);
        Sleep(0x1Eu);
        v10 >>= 2; // 每次右移两位
        --v9;
      }
      while ( v9 );
      ++v6;
    }
    while ( v6 < 50 );
    Sleep(0x3E8u);
    midiOutReset(phmo);
    midiOutClose(phmo);
    if ( v7 == 0x1A2 )
    {
      sub_7FF666284950("That was beautiful!\n");
      return 0;
    }
    sub_7FF666284950("I think you should work on your music.\n");
  }
  return 1;
}

要求命令行参数 argv[1] 的长度为 50 ,否则退出程序
尝试打开 MIDI 设备 (midiOutOpen)
对 argv[1] 的每个字节与 byte_7FF6662F3000 数组进行异或,然后把每次字节分成 4 段进行处理,每次处理 2 bit 片段,根据片段的值来修改 v7,v8;利用 v8 作为索引调用 off_7FF6662F3040v8 (函数指针表);处理完 50 个字节后,等待一秒关闭 MIDI
可以看出这是一个 21 * 21 的迷宫,后面检查 v7 是否等于 0x1A2(418)即为迷宫重点

1
2
3
4
5
6
byte_7FF6662F3000 = [
0x09, 0x40, 0x11, 0xE4, 0x1C, 0x81, 0x92, 0xDB, 0x0B, 0x75, 
0x26, 0x6A, 0x2F, 0x7F, 0xDD, 0xD2, 0x52, 0x21, 0x76, 0x9F, 
0xDF, 0x8E, 0x8F, 0xCD, 0x9F, 0x84, 0x61, 0x3F, 0x6D, 0x7A, 
0x87, 0x1E, 0x21, 0x99, 0xC7, 0x65, 0xDC, 0xC8, 0x4A, 0x22, 
0x7D, 0x28, 0x64, 0x69, 0xDC, 0x20, 0x34, 0xED, 0xFB, 0xD7]

动态调试
在 ida 的 Debugger -> Process options 里设置 50 字节长度的参数

调到一半程序异常退出
查看汇编看到有拓展控制流保护(XFG) eXtended Flow Guard

CFG 和 XFG 都是防止 Windows 上函数指针覆盖的保护;XFG 是 CFG 的强化版本,除了检查调用的函数指针是否在有效地址的位图中注册,它还使用哈希值来检查函数原型,此哈希值由参数数 、 每个参数的类型 、 函数是否为可变参数 、 调用约定和返回类型组成

XFG 保护的函数指针调用

1
2
3
mov r10, <expected_prototype_hash>    ; 把调用点期望的签名放寄存器
mov rax, [callee_ptr]                 ; 目标函数地址(来自函数指针)
call __guard_xfg_dispatch_icall_fptr  ; 由 XFG 运行时接管:比较签名、然后跳或 fail

使用 dumpbin 提取 CGuard CF Function Table, 这是由编译器/连接器生成的函数入口地址白名单,当程序执行间接调用的时候,系统会先检验这个地址是否在表中

1
dumpbin /LOADCONFIG D:\aaa\SeikaCTF2025\miku_music_machine\mmm-v2.exe

X 标记该地址在表里有效

推测出函数列表(一共 441 个函数刚好符合 21 * 21)中在有效地址内的函数是路径,其他是墙,取出是路径的函数的索引值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
white_list = [
    0x0000000140001010,
    0x0000000140001050,
    0x0000000140001070,
    0x0000000140001090,
    0x00000001400010B0,
    0x0000000140001110,
    0x0000000140001170,
    0x00000001400011B0,
    0x00000001400011F0,
    0x0000000140001250,
    0x00000001400012D0,
    0x0000000140001370,
    0x0000000140001390,
    0x00000001400013F0,
    0x0000000140001410,
    0x0000000140001430,
    0x0000000140001470,
    0x0000000140001490,
    0x00000001400014D0,
    0x00000001400014F0,
    0x0000000140001510,
    0x0000000140001570,
    0x00000001400015B0,
    0x00000001400015F0,
    0x0000000140001610,
    0x0000000140001630,
    0x00000001400016B0,
    0x00000001400016D0,
    0x0000000140001710,
    0x0000000140001730,
    0x0000000140001790,
    0x00000001400017D0,
    0x00000001400017F0,
    0x0000000140001810,
    0x00000001400018F0,
    0x0000000140001910,
    0x0000000140001990,
    0x00000001400019F0,
    0x0000000140001A50,
    0x0000000140001AF0,
    0x0000000140001B10,
    0x0000000140001B30,
    0x0000000140001BB0,
    0x0000000140001BF0,
    0x0000000140001C70,
    0x0000000140001CB0,
    0x0000000140001CF0,
    0x0000000140001D70,
    0x0000000140001DB0,
    0x0000000140001E50,
    0x0000000140001EB0,
    0x0000000140001ED0,
    0x0000000140001F50,
    0x0000000140001F70,
    0x0000000140001F90,
    0x0000000140001FD0,
    0x0000000140001FF0,
    0x0000000140002010,
    0x0000000140002030,
    0x0000000140002050,
    0x0000000140002070,
    0x0000000140002090,
    0x00000001400020F0,
    0x0000000140002110,
    0x0000000140002150,
    0x00000001400021B0,
    0x0000000140002210,
    0x0000000140002250,
    0x0000000140002270,
    0x0000000140002290,
    0x00000001400022F0,
    0x0000000140002350,
    0x0000000140002390,
    0x00000001400023D0,
    0x0000000140002410,
    0x0000000140002430,
    0x0000000140002450,
    0x0000000140002490,
    0x00000001400024B0,
    0x00000001400024D0,
    0x0000000140002530,
    0x0000000140002570,
    0x00000001400025B0,
    0x0000000140002610,
    0x0000000140002650,
    0x0000000140002690,
    0x00000001400026D0,
    0x0000000140002710,
    0x0000000140002730,
    0x0000000140002790,
    0x00000001400027F0,
    0x0000000140002850,
    0x00000001400028B0,
    0x00000001400028D0,
    0x0000000140002970,
    0x00000001400029D0,
    0x00000001400029F0,
    0x0000000140002A10,
    0x0000000140002A70,
    0x0000000140002A90,
    0x0000000140002AB0,
    0x0000000140002AF0,
    0x0000000140002BF0,
    0x0000000140002C50,
    0x0000000140002C90,
    0x0000000140002CD0,
    0x0000000140002D90,
    0x0000000140002DF0,
    0x0000000140002E90,
    0x0000000140002EB0,
    0x0000000140002ED0,
    0x0000000140002EF0,
    0x0000000140002F10,
    0x0000000140002F50,
    0x0000000140002F90,
    0x0000000140002FF0,
    0x0000000140003030,
    0x0000000140003050,
    0x0000000140003090,
    0x0000000140003110,
    0x0000000140003150,
    0x0000000140003190,
    0x00000001400031B0,
    0x0000000140003210,
    0x0000000140003270,
    0x0000000140003290,
    0x00000001400032D0,
    0x00000001400032F0,
    0x0000000140003330,
    0x0000000140003410,
    0x0000000140003430,
    0x0000000140003450,
    0x0000000140003470,
    0x0000000140003490,
    0x00000001400034B0,
    0x0000000140003590,
    0x0000000140003610,
    0x0000000140003650,
    0x0000000140003670,
    0x00000001400036B0,
    0x00000001400036D0,
    0x0000000140003710,
    0x00000001400037D0,
    0x00000001400037F0,
    0x0000000140003810,
    0x0000000140003850,
    0x0000000140003970,
    0x00000001400039D0,
    0x00000001400039F0,
    0x0000000140003A30,
    0x0000000140003AB0,
    0x0000000140003AD0,
    0x0000000140003AF0,
    0x0000000140003B10,
    0x0000000140003B30,
    0x0000000140003BD0,
    0x0000000140003C10,
    0x0000000140003C50,
    0x0000000140003C70,
    0x0000000140003CD0,
    0x0000000140003CF0,
    0x0000000140003DD0,
    0x0000000140003E10,
    0x0000000140003E50,
    0x0000000140003E70,
    0x0000000140003E90,
    0x0000000140003EF0,
    0x0000000140003F10,
    0x0000000140003F30,
    0x0000000140003F70,
    0x0000000140003FD0,
    0x0000000140003FF0,
    0x0000000140004010,
    0x0000000140004070,
    0x00000001400040B0,
    0x00000001400040F0,
    0x0000000140004170,
    0x00000001400041B0,
    0x00000001400041D0,
    0x0000000140004210,
    0x0000000140004230,
    0x0000000140004270,
    0x0000000140004290,
    0x00000001400042B0,
    0x00000001400042D0,
    0x00000001400042F0,
    0x0000000140004310,
    0x0000000140004390,
    0x00000001400043D0,
    0x0000000140004410,
    0x0000000140004430,
    0x00000001400044F0,
    0x0000000140004590,
    0x00000001400045D0,
    0x0000000140004610,
    0x0000000140004630,
    0x0000000140004650,
    0x00000001400046D0,
    0x00000001400046F0,
    0x0000000140015420,
    0x0000000140015560,
    0x000000014003ADA0,
    0x000000014003ADD0,
    0x000000014003AE90,
    0x000000014003B830,
    0x000000014003D7E0,
    0x000000014003D800,
    0x000000014003D830,
    0x000000014003D840,
    0x000000014003D850,
    0x000000014003D870,
    0x000000014003D880,
    0x000000014003D890,
    0x000000014003D8E0,
    0x000000014003D8F0,
    0x000000014003D940,
    0x000000014003D9B0,
    0x000000014003DCB0,
    0x0000000140040BC0,
    0x0000000140042670,
    0x0000000140042780,
    0x0000000140043280,
    0x00000001400432D0,
    0x0000000140046650,
    0x0000000140046E80,
    0x0000000140046ED0,
    0x0000000140047630,
    0x0000000140047650,
    0x000000014004A040,
    0x000000014004B760,
    0x000000014004B7D0,
    0x000000014004C1C0,
    0x000000014004C360,
    0x000000014004CB30,
    0x000000014004D100,
    0x000000014004D9D0,
    0x000000014004E570,
    0x000000014004E860,
    0x000000014004EE10,
    0x000000014004F120,
    0x000000014004F370,
    0x000000014004FA40,
    0x000000014004FA70,
    0x000000014004FD90,
    0x0000000140057710,
    0x000000014005C840,
    0x000000014005D270,
    0x000000014005D310
]

func_list = [
    0x1400025F0,
    0x140001EF0,
    0x1400039B0,
    0x140004090,
    0x140002F70,
    0x140003B70,
    0x140002590,
    0x140001210,
    0x140002E70,
    0x140004370,
    0x140001E70,
    0x140003A50,
    0x140003D70,
    0x1400033F0,
    0x140002B50,
    0x140003070,
    0x140004250,
    0x140003230,
    0x1400013D0,
    0x140002E30,
    0x140002B10,
    0x140001D50,
    0x140001ED0,
    0x140002190,
    0x140001370,
    0x1400016B0,
    0x140004430,
    0x140001770,
    0x140004230,
    0x140002530,
    0x140002290,
    0x140001710,
    0x1400010B0,
    0x1400015B0,
    0x1400037D0,
    0x140003290,
    0x1400041B0,
    0x140004270,
    0x140001F70,
    0x140003F70,
    0x140003B10,
    0x1400023B0,
    0x1400034D0,
    0x140003610,
    0x1400018D0,
    0x140004490,
    0x140004450,
    0x140003E70,
    0x140003A70,
    0x140001CD0,
    0x140002D30,
    0x1400020B0,
    0x140003570,
    0x140002DB0,
    0x1400045F0,
    0x140002EF0,
    0x140003770,
    0x140001910,
    0x140002DD0,
    0x1400029D0,
    0x140002AD0,
    0x140001F50,
    0x140001A30,
    0x140003D30,
    0x140001DB0,
    0x140003AD0,
    0x140001B30,
    0x1400017D0,
    0x140002450,
    0x140003FD0,
    0x140002390,
    0x140002350,
    0x140001790,
    0x1400013B0,
    0x140003CD0,
    0x140003030,
    0x140002110,
    0x140002770,
    0x1400016D0,
    0x1400019B0,
    0x140003E10,
    0x140001A90,
    0x140003CF0,
    0x1400017B0,
    0x140002BB0,
    0x140001F10,
    0x140001890,
    0x1400045D0,
    0x140003C30,
    0x1400011D0,
    0x140001BD0,
    0x140004510,
    0x140001650,
    0x140002150,
    0x140003B50,
    0x1400040D0,
    0x140002830,
    0x140004650,
    0x1400012B0,
    0x140003AB0,
    0x140002C30,
    0x1400019D0,
    0x140003BB0,
    0x140002B90,
    0x140002370,
    0x140003930,
    0x140003810,
    0x1400042F0,
    0x140002F50,
    0x140003250,
    0x1400015F0,
    0x140002630,
    0x1400024D0,
    0x140001830,
    0x140003BD0,
    0x1400046F0,
    0x140002AF0,
    0x140001C70,
    0x140003710,
    0x140002C70,
    0x1400042D0,
    0x140004010,
    0x1400019F0,
    0x140003050,
    0x140002410,
    0x140001DD0,
    0x1400046B0,
    0x140002230,
    0x140004710,
    0x140003DF0,
    0x140001450,
    0x140004070,
    0x140003730,
    0x140001090,
    0x140003ED0,
    0x140002670,
    0x140003DB0,
    0x1400016F0,
    0x140003350,
    0x1400034B0,
    0x140004570,
    0x140002CF0,
    0x140003870,
    0x140001B10,
    0x1400032B0,
    0x140002F30,
    0x140001310,
    0x140003D10,
    0x140003850,
    0x140003430,
    0x140001430,
    0x140001010,
    0x1400042B0,
    0x140003650,
    0x140002850,
    0x1400022F0,
    0x140002710,
    0x140003F10,
    0x1400014D0,
    0x140004590,
    0x140003E90,
    0x140001810,
    0x140003E50,
    0x140003EB0,
    0x140001AF0,
    0x140002270,
    0x140002430,
    0x140004130,
    0x140003E30,
    0x1400039D0,
    0x140001970,
    0x140001870,
    0x140001290,
    0x140002130,
    0x1400035F0,
    0x140003C90,
    0x140002BD0,
    0x140003550,
    0x1400033D0,
    0x140001FF0,
    0x140002A30,
    0x140002330,
    0x1400010D0,
    0x140001190,
    0x140001530,
    0x1400015D0,
    0x140002810,
    0x140001570,
    0x1400043B0,
    0x140002B30,
    0x140002F10,
    0x140001670,
    0x140001CB0,
    0x140002930,
    0x1400040B0,
    0x1400045B0,
    0x140001730,
    0x140002210,
    0x1400017F0,
    0x1400032F0,
    0x1400046D0,
    0x140001390,
    0x1400039F0,
    0x140002550,
    0x140003590,
    0x1400035D0,
    0x1400026D0,
    0x1400022B0,
    0x140001FD0,
    0x140003CB0,
    0x140003A10,
    0x1400041F0,
    0x1400033B0,
    0x140003A30,
    0x140002910,
    0x1400024B0,
    0x140003A90,
    0x1400021B0,
    0x1400024F0,
    0x1400041D0,
    0x140004330,
    0x1400034F0,
    0x1400038D0,
    0x140001630,
    0x140001590,
    0x140002DF0,
    0x140003530,
    0x140002C90,
    0x140001F30,
    0x140002A10,
    0x1400023F0,
    0x1400044D0,
    0x140002AB0,
    0x140003130,
    0x140003DD0,
    0x140004210,
    0x140001510,
    0x1400011B0,
    0x140002030,
    0x1400030B0,
    0x140003470,
    0x140002ED0,
    0x1400040F0,
    0x140003910,
    0x1400011F0,
    0x140002170,
    0x1400012D0,
    0x140002FF0,
    0x140003C70,
    0x140002090,
    0x140003FF0,
    0x1400018B0,
    0x140002CB0,
    0x140002C50,
    0x140001550,
    0x140003B90,
    0x1400043F0,
    0x140001D10,
    0x140001D90,
    0x140004170,
    0x140003690,
    0x140003510,
    0x140003890,
    0x140002A50,
    0x140003370,
    0x1400012F0,
    0x1400037B0,
    0x1400013F0,
    0x140001C90,
    0x1400028F0,
    0x140002D10,
    0x140004390,
    0x140001DF0,
    0x140001150,
    0x140003AF0,
    0x140002490,
    0x1400043D0,
    0x140003090,
    0x140001470,
    0x140003110,
    0x1400014F0,
    0x140001410,
    0x140003EF0,
    0x140004290,
    0x140002050,
    0x1400018F0,
    0x140003270,
    0x140002470,
    0x140002610,
    0x140003F90,
    0x1400037F0,
    0x140004310,
    0x140004630,
    0x140001270,
    0x140002C10,
    0x140002A90,
    0x1400038B0,
    0x140001AB0,
    0x140001230,
    0x140002F90,
    0x140001C10,
    0x140002250,
    0x1400030F0,
    0x1400036B0,
    0x140002750,
    0x140003210,
    0x140001690,
    0x140001BF0,
    0x1400036F0,
    0x1400028D0,
    0x140004030,
    0x140002A70,
    0x1400021D0,
    0x1400029F0,
    0x140002870,
    0x140002E10,
    0x140003330,
    0x1400031F0,
    0x140001E50,
    0x140003C10,
    0x140001A50,
    0x140001A70,
    0x1400028B0,
    0x140001B70,
    0x1400025B0,
    0x1400029B0,
    0x140001990,
    0x140003FB0,
    0x140003670,
    0x140001130,
    0x140002010,
    0x1400030D0,
    0x140001F90,
    0x140004690,
    0x140001CF0,
    0x140004190,
    0x140004530,
    0x140001E30,
    0x1400027D0,
    0x1400044F0,
    0x1400025D0,
    0x140001D70,
    0x1400022D0,
    0x140001950,
    0x1400021F0,
    0x140004410,
    0x140003170,
    0x140004670,
    0x140001C50,
    0x140002730,
    0x140002B70,
    0x1400020F0,
    0x140003750,
    0x140002FD0,
    0x140001E90,
    0x140003150,
    0x1400038F0,
    0x140002D70,
    0x140001BB0,
    0x140003410,
    0x140002CD0,
    0x1400026F0,
    0x140002D90,
    0x140001B50,
    0x140002EB0,
    0x1400032D0,
    0x140002790,
    0x140002070,
    0x140002970,
    0x140001850,
    0x140001170,
    0x140002950,
    0x140001610,
    0x140003490,
    0x140004610,
    0x140004470,
    0x140001EB0,
    0x140003830,
    0x1400020D0,
    0x140002BF0,
    0x140002E50,
    0x140003C50,
    0x140004150,
    0x140003F30,
    0x140001350,
    0x140001D30,
    0x1400035B0,
    0x1400027F0,
    0x140003D90,
    0x140004550,
    0x140002FB0,
    0x140003990,
    0x140004050,
    0x140002690,
    0x140001930,
    0x140002650,
    0x140002990,
    0x1400023D0,
    0x1400044B0,
    0x140001E10,
    0x140002E90,
    0x140001FB0,
    0x140001250,
    0x140003D50,
    0x140001110,
    0x140003970,
    0x140001050,
    0x140001A10,
    0x140003450,
    0x140001070,
    0x140002570,
    0x1400026B0,
    0x1400031B0,
    0x1400036D0,
    0x140003190,
    0x140001B90,
    0x140003B30,
    0x140002D50,
    0x140001490,
    0x140001750,
    0x140001330,
    0x140001C30,
    0x140003790,
    0x140002890,
    0x140001AD0,
    0x1400031D0,
    0x1400014B0,
    0x140003BF0,
    0x140002310,
    0x1400027B0,
    0x140002510,
    0x1400010F0,
    0x140004350,
    0x140003F50,
    0x140003390,
    0x140001030,
    0x140003010,
    0x140003630,
    0x140003950,
    0x140003310,
    0x140004110
]

available_functions = set(white_list)
checked = []

for i, func_addr in enumerate(func_list):
    if func_addr in available_functions:
        checked.append(i)

print(f"checked = {checked}")

得到结果

1
checked = [22, 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 43, 47, 55, 57, 59, 61, 64, 65, 66, 67, 68, 69, 70, 71, 72, 74, 75, 76, 78, 80, 82, 87, 93, 97, 99, 106, 107, 108, 110, 112, 114, 115, 116, 117, 118, 120, 121, 122, 123, 124, 131, 133, 139, 143, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 164, 165, 166, 169, 179, 187, 190, 192, 194, 196, 197, 198, 199, 200, 201, 202, 204, 206, 208, 213, 215, 217, 219, 223, 225, 227, 229, 232, 234, 235, 236, 237, 238, 240, 241, 242, 244, 246, 247, 248, 249, 250, 253, 259, 267, 271, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 288, 290, 291, 292, 295, 299, 301, 303, 305, 307, 309, 311, 313, 316, 318, 319, 320, 322, 324, 326, 328, 330, 332, 334, 339, 341, 345, 349, 351, 355, 358, 359, 360, 362, 364, 365, 366, 367, 368, 370, 372, 373, 374, 376, 379, 381, 383, 387, 393, 395, 397, 400, 402, 404, 405, 406, 408, 409, 410, 412, 413, 414, 416, 418]

索引的最后一个是 418,刚好是迷宫的终点位置

构造出迷宫

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
def build_maze():
    maze = [['1' for _ in range(21)] for _ in range(21)]
    checked = [22, 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 43, 47, 55, 57, 59, 61, 64, 65, 66, 67, 68, 69, 70, 71, 72, 74, 75, 76, 78, 80, 82, 87, 93, 97, 99, 106, 107, 108, 110, 112, 114, 115, 116, 117, 118, 120, 121, 122, 123, 124, 131, 133, 139, 143, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 164, 165, 166, 169, 179, 187, 190, 192, 194, 196, 197, 198, 199, 200, 201, 202, 204, 206, 208, 213, 215, 217, 219, 223, 225, 227, 229, 232, 234, 235, 236, 237, 238, 240, 241, 242, 244, 246, 247, 248, 249, 250, 253, 259, 267, 271, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 288, 290, 291, 292, 295, 299, 301, 303, 305, 307, 309, 311, 313, 316, 318, 319, 320, 322, 324, 326, 328, 330, 332, 334, 339, 341, 345, 349, 351, 355, 358, 359, 360, 362, 364, 365, 366, 367, 368, 370, 372, 373, 374, 376, 379, 381, 383, 387, 393, 395, 397, 400, 402, 404, 405, 406, 408, 409, 410, 412, 413, 414, 416, 418]
    for idx in checked:
        x = idx // 21
        y = idx % 21

        if 0 <= x < 21 and 0 <= y <21:
           maze[x][y] = '_'

    return maze

def print_maze(maze):
    for x in maze:
        print(''.join(x))

maze = build_maze()
print_maze(maze)

得到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
111111111111111111111
1_1___1_____________1
1_111_1111111_1_1_1_1
1_________1___1_1_1_1
111_11111_111_1_11111
1___1_1_1_____1_____1
11111_1_11111_111_111
1_______________1___1
1_111111111_1111111_1
1_1_1_1_______1_1_1_1
111_1_1_1_111_1_1_1_1
1_1_____1___1_1_____1
1_11111_1111111_111_1
1_____________1_1___1
1_111_1_1_1_1_1_1_1_1
1_1___1_1_1_1_1_1_1_1
111_1_111_111_1_111_1
1___1_1_____1_1___1_1
1_1_1_111_11111_1_1_1
1_1_1___1___1___1_1_1
111111111111111111111

但是目前这个迷宫只有一条路,而且一共走的路径长度也不是 200(50 * 4)

调试的时候观察到列表中的大部分函数结构如下

除此之外还有另外的结构

而最终触发异常退出的地方是是这样的,int 29h,在 Windows 8+ 上会被用作快速失败(等价 RtlFailFast(ecx)),会导致进程立即终止

x 交叉引用往上找看到

所以可以知道这种结构下有 xor 的函数就能使 int 29h 被改写成继续执行的指令

写 ida 脚本找到 6 个这种模式的函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Found XOR pattern at 0x14000157E
  Function: 0x140001570
  Instruction: xor     byte ptr cs:loc_1400014FE, 7Dh
  Target address: 0x1400014FE
  XOR value: 0x7D
--------------------------------------------------
Found XOR pattern at 0x14000297E
  Function: 0x140002970
  Instruction: xor     byte ptr cs:loc_1400023DE, 7Dh
  Target address: 0x1400023DE
  XOR value: 0x7D
--------------------------------------------------
Found XOR pattern at 0x14000365E
  Function: 0x140003650
  Instruction: xor     byte ptr cs:loc_14000141E, 7Dh
  Target address: 0x14000141E
  XOR value: 0x7D
--------------------------------------------------
Found XOR pattern at 0x140003F3E
  Function: 0x140003F30
  Instruction: xor     byte ptr cs:loc_14000271E, 7Dh
  Target address: 0x14000271E
  XOR value: 0x7D
--------------------------------------------------
Found XOR pattern at 0x14000421E
  Function: 0x140004210
  Instruction: xor     byte ptr cs:loc_14000211E, 7Dh
  Target address: 0x14000211E
  XOR value: 0x7D
--------------------------------------------------
Found XOR pattern at 0x14000443E
  Function: 0x140004430
  Instruction: xor     byte ptr cs:loc_14000179E, 7Dh
  Target address: 0x14000179E
  XOR value: 0x7D

分析出这个含有 xor 指令的函数是一个开关一样的功能,走到这里会把目标位置的阻塞消除,但是上面得到的 Target address 还不是真正的目标位置的地址,是函数内的一个标签,如下: 

1
2
3
4
5
6
7
8
9
.text:0000000140001790 sub_140001790   proc near               ; DATA XREF: .rdata:000000014006045E↓o
.text:0000000140001790                                         ; .data:0000000140073280↓o
.text:0000000140001790                 push    rbp
.text:0000000140001791                 mov     rbp, rsp
.text:0000000140001794                 mov     cs:dwMsg, 5E0D90h
.text:000000014000179E
.text:000000014000179E loc_14000179E:                          ; DATA XREF: sub_140004430+E↓w
.text:000000014000179E                 int     29h             ; Win8: RtlFailFast(ecx)
.text:000000014000179E sub_140001790   endp

观察后发现 6 个真正的目标地址都是标签地址减去 0xE

构建迷宫

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
white_list = [
    0x0000000140001010, 0x0000000140001050, 0x0000000140001070, 0x0000000140001090,
    0x00000001400010B0, 0x0000000140001110, 0x0000000140001170, 0x00000001400011B0,
    0x00000001400011F0, 0x0000000140001250, 0x00000001400012D0, 0x0000000140001370,
    0x0000000140001390, 0x00000001400013F0, 0x0000000140001410, 0x0000000140001430,
    0x0000000140001470, 0x0000000140001490, 0x00000001400014D0, 0x00000001400014F0,
    0x0000000140001510, 0x0000000140001570, 0x00000001400015B0, 0x00000001400015F0,
    0x0000000140001610, 0x0000000140001630, 0x00000001400016B0, 0x00000001400016D0,
    0x0000000140001710, 0x0000000140001730, 0x0000000140001790, 0x00000001400017D0,
    0x00000001400017F0, 0x0000000140001810, 0x00000001400018F0, 0x0000000140001910,
    0x0000000140001990, 0x00000001400019F0, 0x0000000140001A50, 0x0000000140001AF0,
    0x0000000140001B10, 0x0000000140001B30, 0x0000000140001BB0, 0x0000000140001BF0,
    0x0000000140001C70, 0x0000000140001CB0, 0x0000000140001CF0, 0x0000000140001D70,
    0x0000000140001DB0, 0x0000000140001E50, 0x0000000140001EB0, 0x0000000140001ED0,
    0x0000000140001F50, 0x0000000140001F70, 0x0000000140001F90, 0x0000000140001FD0,
    0x0000000140001FF0, 0x0000000140002010, 0x0000000140002030, 0x0000000140002050,
    0x0000000140002070, 0x0000000140002090, 0x00000001400020F0, 0x0000000140002110,
    0x0000000140002150, 0x00000001400021B0, 0x0000000140002210, 0x0000000140002250,
    0x0000000140002270, 0x0000000140002290, 0x00000001400022F0, 0x0000000140002350,
    0x0000000140002390, 0x00000001400023D0, 0x0000000140002410, 0x0000000140002430,
    0x0000000140002450, 0x0000000140002490, 0x00000001400024B0, 0x00000001400024D0,
    0x0000000140002530, 0x0000000140002570, 0x00000001400025B0, 0x0000000140002610,
    0x0000000140002650, 0x0000000140002690, 0x00000001400026D0, 0x0000000140002710,
    0x0000000140002730, 0x0000000140002790, 0x00000001400027F0, 0x0000000140002850,
    0x00000001400028B0, 0x00000001400028D0, 0x0000000140002970, 0x00000001400029D0,
    0x00000001400029F0, 0x0000000140002A10, 0x0000000140002A70, 0x0000000140002A90,
    0x0000000140002AB0, 0x0000000140002AF0, 0x0000000140002BF0, 0x0000000140002C50,
    0x0000000140002C90, 0x0000000140002CD0, 0x0000000140002D90, 0x0000000140002DF0,
    0x0000000140002E90, 0x0000000140002EB0, 0x0000000140002ED0, 0x0000000140002EF0,
    0x0000000140002F10, 0x0000000140002F50, 0x0000000140002F90, 0x0000000140002FF0,
    0x0000000140003030, 0x0000000140003050, 0x0000000140003090, 0x0000000140003110,
    0x0000000140003150, 0x0000000140003190, 0x00000001400031B0, 0x0000000140003210,
    0x0000000140003270, 0x0000000140003290, 0x00000001400032D0, 0x00000001400032F0,
    0x0000000140003330, 0x0000000140003410, 0x0000000140003430, 0x0000000140003450,
    0x0000000140003470, 0x0000000140003490, 0x00000001400034B0, 0x0000000140003590,
    0x0000000140003610, 0x0000000140003650, 0x0000000140003670, 0x00000001400036B0,
    0x00000001400036D0, 0x0000000140003710, 0x00000001400037D0, 0x00000001400037F0,
    0x0000000140003810, 0x0000000140003850, 0x0000000140003970, 0x00000001400039D0,
    0x00000001400039F0, 0x0000000140003A30, 0x0000000140003AB0, 0x0000000140003AD0,
    0x0000000140003AF0, 0x0000000140003B10, 0x0000000140003B30, 0x0000000140003BD0,
    0x0000000140003C10, 0x0000000140003C50, 0x0000000140003C70, 0x0000000140003CD0,
    0x0000000140003CF0, 0x0000000140003DD0, 0x0000000140003E10, 0x0000000140003E50,
    0x0000000140003E70, 0x0000000140003E90, 0x0000000140003EF0, 0x0000000140003F10,
    0x0000000140003F30, 0x0000000140003F70, 0x0000000140003FD0, 0x0000000140003FF0,
    0x0000000140004010, 0x0000000140004070, 0x00000001400040B0, 0x00000001400040F0,
    0x0000000140004170, 0x00000001400041B0, 0x00000001400041D0, 0x0000000140004210,
    0x0000000140004230, 0x0000000140004270, 0x0000000140004290, 0x00000001400042B0,
    0x00000001400042D0, 0x00000001400042F0, 0x0000000140004310, 0x0000000140004390,
    0x00000001400043D0, 0x0000000140004410, 0x0000000140004430, 0x00000001400044F0,
    0x0000000140004590, 0x00000001400045D0, 0x0000000140004610, 0x0000000140004630,
    0x0000000140004650, 0x00000001400046D0, 0x00000001400046F0, 0x0000000140015420,
    0x0000000140015560, 0x000000014003ADA0, 0x000000014003ADD0, 0x000000014003AE90,
    0x000000014003B830, 0x000000014003D7E0, 0x000000014003D800, 0x000000014003D830,
    0x000000014003D840, 0x000000014003D850, 0x000000014003D870, 0x000000014003D880,
    0x000000014003D890, 0x000000014003D8E0, 0x000000014003D8F0, 0x000000014003D940,
    0x000000014003D9B0, 0x000000014003DCB0, 0x0000000140040BC0, 0x0000000140042670,
    0x0000000140042780, 0x0000000140043280, 0x00000001400432D0, 0x0000000140046650,
    0x0000000140046E80, 0x0000000140046ED0, 0x0000000140047630, 0x0000000140047650,
    0x000000014004A040, 0x000000014004B760, 0x000000014004B7D0, 0x000000014004C1C0,
    0x000000014004C360, 0x000000014004CB30, 0x000000014004D100, 0x000000014004D9D0,
    0x000000014004E570, 0x000000014004E860, 0x000000014004EE10, 0x000000014004F120,
    0x000000014004F370, 0x000000014004FA40, 0x000000014004FA70, 0x000000014004FD90,
    0x0000000140057710, 0x000000014005C840, 0x000000014005D270, 0x000000014005D310
]

func_list = [
    0x1400025F0, 0x140001EF0, 0x1400039B0, 0x140004090, 0x140002F70, 0x140003B70,
    0x140002590, 0x140001210, 0x140002E70, 0x140004370, 0x140001E70, 0x140003A50,
    0x140003D70, 0x1400033F0, 0x140002B50, 0x140003070, 0x140004250, 0x140003230,
    0x1400013D0, 0x140002E30, 0x140002B10, 0x140001D50, 0x140001ED0, 0x140002190,
    0x140001370, 0x1400016B0, 0x140004430, 0x140001770, 0x140004230, 0x140002530,
    0x140002290, 0x140001710, 0x1400010B0, 0x1400015B0, 0x1400037D0, 0x140003290,
    0x1400041B0, 0x140004270, 0x140001F70, 0x140003F70, 0x140003B10, 0x1400023B0,
    0x1400034D0, 0x140003610, 0x1400018D0, 0x140004490, 0x140004450, 0x140003E70,
    0x140003A70, 0x140001CD0, 0x140002D30, 0x1400020B0, 0x140003570, 0x140002DB0,
    0x1400045F0, 0x140002EF0, 0x140003770, 0x140001910, 0x140002DD0, 0x1400029D0,
    0x140002AD0, 0x140001F50, 0x140001A30, 0x140003D30, 0x140001DB0, 0x140003AD0,
    0x140001B30, 0x1400017D0, 0x140002450, 0x140003FD0, 0x140002390, 0x140002350,
    0x140001790, 0x1400013B0, 0x140003CD0, 0x140003030, 0x140002110, 0x140002770,
    0x1400016D0, 0x1400019B0, 0x140003E10, 0x140001A90, 0x140003CF0, 0x1400017B0,
    0x140002BB0, 0x140001F10, 0x140001890, 0x1400045D0, 0x140003C30, 0x1400011D0,
    0x140001BD0, 0x140004510, 0x140001650, 0x140002150, 0x140003B50, 0x1400040D0,
    0x140002830, 0x140004650, 0x1400012B0, 0x140003AB0, 0x140002C30, 0x1400019D0,
    0x140003BB0, 0x140002B90, 0x140002370, 0x140003930, 0x140003810, 0x1400042F0,
    0x140002F50, 0x140003250, 0x1400015F0, 0x140002630, 0x1400024D0, 0x140001830,
    0x140003BD0, 0x1400046F0, 0x140002AF0, 0x140001C70, 0x140003710, 0x140002C70,
    0x1400042D0, 0x140004010, 0x1400019F0, 0x140003050, 0x140002410, 0x140001DD0,
    0x1400046B0, 0x140002230, 0x140004710, 0x140003DF0, 0x140001450, 0x140004070,
    0x140003730, 0x140001090, 0x140003ED0, 0x140002670, 0x140003DB0, 0x1400016F0,
    0x140003350, 0x1400034B0, 0x140004570, 0x140002CF0, 0x140003870, 0x140001B10,
    0x1400032B0, 0x140002F30, 0x140001310, 0x140003D10, 0x140003850, 0x140003430,
    0x140001430, 0x140001010, 0x1400042B0, 0x140003650, 0x140002850, 0x1400022F0,
    0x140002710, 0x140003F10, 0x1400014D0, 0x140004590, 0x140003E90, 0x140001810,
    0x140003E50, 0x140003EB0, 0x140001AF0, 0x140002270, 0x140002430, 0x140004130,
    0x140003E30, 0x1400039D0, 0x140001970, 0x140001870, 0x140001290, 0x140002130,
    0x1400035F0, 0x140003C90, 0x140002BD0, 0x140003550, 0x1400033D0, 0x140001FF0,
    0x140002A30, 0x140002330, 0x1400010D0, 0x140001190, 0x140001530, 0x1400015D0,
    0x140002810, 0x140001570, 0x1400043B0, 0x140002B30, 0x140002F10, 0x140001670,
    0x140001CB0, 0x140002930, 0x1400040B0, 0x1400045B0, 0x140001730, 0x140002210,
    0x1400017F0, 0x1400032F0, 0x1400046D0, 0x140001390, 0x1400039F0, 0x140002550,
    0x140003590, 0x1400035D0, 0x1400026D0, 0x1400022B0, 0x140001FD0, 0x140003CB0,
    0x140003A10, 0x1400041F0, 0x1400033B0, 0x140003A30, 0x140002910, 0x1400024B0,
    0x140003A90, 0x1400021B0, 0x1400024F0, 0x1400041D0, 0x140004330, 0x1400034F0,
    0x1400038D0, 0x140001630, 0x140001590, 0x140002DF0, 0x140003530, 0x140002C90,
    0x140001F30, 0x140002A10, 0x1400023F0, 0x1400044D0, 0x140002AB0, 0x140003130,
    0x140003DD0, 0x140004210, 0x140001510, 0x1400011B0, 0x140002030, 0x1400030B0,
    0x140003470, 0x140002ED0, 0x1400040F0, 0x140003910, 0x1400011F0, 0x140002170,
    0x1400012D0, 0x140002FF0, 0x140003C70, 0x140002090, 0x140003FF0, 0x1400018B0,
    0x140002CB0, 0x140002C50, 0x140001550, 0x140003B90, 0x1400043F0, 0x140001D10,
    0x140001D90, 0x140004170, 0x140003690, 0x140003510, 0x140003890, 0x140002A50,
    0x140003370, 0x1400012F0, 0x1400037B0, 0x1400013F0, 0x140001C90, 0x1400028F0,
    0x140002D10, 0x140004390, 0x140001DF0, 0x140001150, 0x140003AF0, 0x140002490,
    0x1400043D0, 0x140003090, 0x140001470, 0x140003110, 0x1400014F0, 0x140001410,
    0x140003EF0, 0x140004290, 0x140002050, 0x1400018F0, 0x140003270, 0x140002470,
    0x140002610, 0x140003F90, 0x1400037F0, 0x140004310, 0x140004630, 0x140001270,
    0x140002C10, 0x140002A90, 0x1400038B0, 0x140001AB0, 0x140001230, 0x140002F90,
    0x140001C10, 0x140002250, 0x1400030F0, 0x1400036B0, 0x140002750, 0x140003210,
    0x140001690, 0x140001BF0, 0x1400036F0, 0x1400028D0, 0x140004030, 0x140002A70,
    0x1400021D0, 0x1400029F0, 0x140002870, 0x140002E10, 0x140003330, 0x1400031F0,
    0x140001E50, 0x140003C10, 0x140001A50, 0x140001A70, 0x1400028B0, 0x140001B70,
    0x1400025B0, 0x1400029B0, 0x140001990, 0x140003FB0, 0x140003670, 0x140001130,
    0x140002010, 0x1400030D0, 0x140001F90, 0x140004690, 0x140001CF0, 0x140004190,
    0x140004530, 0x140001E30, 0x1400027D0, 0x1400044F0, 0x1400025D0, 0x140001D70,
    0x1400022D0, 0x140001950, 0x1400021F0, 0x140004410, 0x140003170, 0x140004670,
    0x140001C50, 0x140002730, 0x140002B70, 0x1400020F0, 0x140003750, 0x140002FD0,
    0x140001E90, 0x140003150, 0x1400038F0, 0x140002D70, 0x140001BB0, 0x140003410,
    0x140002CD0, 0x1400026F0, 0x140002D90, 0x140001B50, 0x140002EB0, 0x1400032D0,
    0x140002790, 0x140002070, 0x140002970, 0x140001850, 0x140001170, 0x140002950,
    0x140001610, 0x140003490, 0x140004610, 0x140004470, 0x140001EB0, 0x140003830,
    0x1400020D0, 0x140002BF0, 0x140002E50, 0x140003C50, 0x140004150, 0x140003F30,
    0x140001350, 0x140001D30, 0x1400035B0, 0x1400027F0, 0x140003D90, 0x140004550,
    0x140002FB0, 0x140003990, 0x140004050, 0x140002690, 0x140001930, 0x140002650,
    0x140002990, 0x1400023D0, 0x1400044B0, 0x140001E10, 0x140002E90, 0x140001FB0,
    0x140001250, 0x140003D50, 0x140001110, 0x140003970, 0x140001050, 0x140001A10,
    0x140003450, 0x140001070, 0x140002570, 0x1400026B0, 0x1400031B0, 0x1400036D0,
    0x140003190, 0x140001B90, 0x140003B30, 0x140002D50, 0x140001490, 0x140001750,
    0x140001330, 0x140001C30, 0x140003790, 0x140002890, 0x140001AD0, 0x1400031D0,
    0x1400014B0, 0x140003BF0, 0x140002310, 0x1400027B0, 0x140002510, 0x1400010F0,
    0x140004350, 0x140003F50, 0x140003390, 0x140001030, 0x140003010, 0x140003630,
    0x140003950, 0x140003310, 0x140004110
]

# 创建地址到索引的映射字典
func_to_index = {addr: i for i, addr in enumerate(func_list)}

# 使用集合操作提高效率
available_functions = set(white_list)
switch_func = [0x140001570, 0x140002970, 0x140003650, 0x140003F30, 0x140004210, 0x140004430]
target_func = [0x1400014F0, 0x1400023D0, 0x140001410, 0x140002710, 0x140002110, 0x140001790]

# 获取索引
checked = [i for i, addr in enumerate(func_list) if addr in available_functions]
switch = [func_to_index[addr] for addr in switch_func if addr in func_to_index]
target = [func_to_index[addr] for addr in target_func if addr in func_to_index]

print(f"switch = {switch}")
print(f"target = {target}")

def build_maze():
    maze = [['#' for _ in range(21)] for _ in range(21)]
    
    for idx in checked:
        x, y = divmod(idx, 21)
        if 0 <= x < 21 and 0 <= y < 21:
            maze[x][y] = '_'

    for i, idx in enumerate(switch):
        x, y = divmod(idx, 21)
        if 0 <= x < 21 and 0 <= y < 21:
            maze[x][y] = f'S{i+1}'

    for i, idx in enumerate(target):
        x, y = divmod(idx, 21)
        if 0 <= x < 21 and 0 <= y < 21:
            maze[x][y] = f'T{i+1}'

    return maze

def print_maze(maze):
    for row in maze:
        formatted_row = [f"{cell:<3}" for cell in row]
        print(''.join(formatted_row))

# def print_mapping():
#     for i in range(len(switch)):
#         switch_pos = divmod(switch[i], 21)
#         target_pos = divmod(target[i], 21)
#         print(f"S{i+1} at {switch_pos} -> T{i+1} at {target_pos}")

maze = build_maze()
print_maze(maze)
# print_mapping()

手动走了一下

CTF
#Reverse
SeKaiCTF 2025 Reverse 方向复现
http://example.com/2025/09/21/SekaiCTF2025/
作者
Eleven
发布于
2025年9月21日
许可协议