Buuctf - number_game 之数据类型 爆破

方法一:直接对十位数 0000000000 - 4444444444 进行爆破

.data 段:

已初始化的全局/静态变量

.bss 段:

未初始化的全局/静态变量

.rodata 段:

只读常量数据(比如字符串)

unk开头

IDA中的未识别数据块,通常是全局变量或数组

是全局数据,它代表了一块内存的起始地址

byte开头

某地址被用作一个字节数据

将unk_601060中的数据排列之后就得到一张数独表

然后需要知道填数独表的方式,跟进查看sub_400881函数,发现这个函数将unk_601060数据中的'#'依次替换为v7中的字符,所以可以得到v7的值应该为"0421421430"

然后就是v7的生成方式了,sub_400758和sub_400807两个函数让v7以二叉树遍历的方式遍历输入的v5

其中sub_400758函数将输入的v5按先序遍历的方式生成二叉树

每个结点由长度为3的数组组成,v4[0]存放数据,v4[1]和v4[2]分别是指向该结点左孩子和右孩子的指针。用c语言实现这部分代码,可以得到v3的值为“0137849256”

#include <iostream>

using namespace std;

// Pre-order walk over the implicit binary tree laid out on the indices
// low..high: the children of index i are 2*i+1 (left) and 2*i+2 (right).
// Each visited index is written to stdout followed by a single space.
//
// low   index of the current node
// high  largest valid index; anything above it is treated as "no node"
void func1(int low, int high)
{
    if (low <= high)
    {
        // Visit the node first, then the left subtree, then the right one.
        std::cout << low << " ";
        func1(low * 2 + 1, high);
        func1(low * 2 + 2, high);
    }
}

int main()
{
    // Ten nodes, indexed 0..9, one per character of the ten-character input.
    const int first = 0;
    const int last = 9;
    func1(first, last);
    return 0;
}

写出中序遍历,按0123456789找对应的数即可,即取索引,代码如下

# In-order traversal of the 10-node tree: m[k] is the input index that ends up
# at position k of the reordered string.
m = [7, 3, 8, 1, 9, 4, 0, 5, 2, 6]
# Digits the reordered string has to contain (the sudoku blanks, "0421421430").
code = [0, 4, 2, 1, 4, 2, 1, 4, 3, 0]
# For each input position i, find where the traversal places it and take the
# digit required there; ord("0") turns the digit into its ASCII character.
flag = [chr(ord("0") + code[m.index(i)]) for i in range(10)]
print(flag)
flag2 = "".join(flag)
print(flag2)

我数独自己画图解决的,有个爆破脚本

#include <iostream>
#include <stdio.h>
#include <Windows.h>

#define N 52

using namespace std;

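// Checks a 5x5 grid stored row by row in `s` (25 ints): the grid is accepted
// only when no value occurs twice in any row and no value occurs twice in any
// column.
//
// s        pointer to the 25 cells; must not be null
// returns  1 when every row and every column holds distinct values, else 0
//
// The result is returned as plain 1/0 rather than through the Windows-only
// TRUE/FALSE macros, so this function compiles without <Windows.h>.
int func(int* s) {
    const int side = 5;
    for (int line = 0; line < side; ++line) {
        for (int a = 0; a < side; ++a) {
            for (int b = a + 1; b < side; ++b) {
                // Row `line`: compare the cells in columns a and b.
                if (s[side * line + a] == s[side * line + b]) {
                    return 0;
                }
                // Column `line`: compare the cells in rows a and b.
                if (s[side * a + line] == s[side * b + line]) {
                    return 0;
                }
            }
        }
    }
    return 1;
}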

int main()
{
    // The puzzle grid, 5x5 row-major, stored as ASCII codes; 0x23 ('#') marks
    // a blank cell that still has to be filled in.
    int s[] = { 0x31,0x34,0x23,0x32,0x33,0x33,0x30,0x23,0x31,0x23,0x30,0x23,0x32,0x33,0x23,0x23,0x33,0x23,0x23,0x30,0x34,0x32,0x23,0x23,0x31};

    // Offsets of the ten blank cells, in the order they are filled.
    const int blanks[10] = { 2, 7, 9, 11, 14, 15, 17, 18, 22, 23 };

    // Current candidate for each blank, ranging over 48..N (ASCII '0'..'4').
    // Slot 0 changes slowest and slot 9 fastest, so candidates are tried in
    // the same order as ten nested loops would produce.
    int pick[10];
    for (int p = 0; p < 10; ++p)
        pick[p] = 48;

    bool exhausted = false;
    while (!exhausted)
    {
        for (int p = 0; p < 10; ++p)
            s[blanks[p]] = pick[p];

        if (func(s))
        {
            // Values are printed as their integer ASCII codes, space separated.
            std::cout << pick[0];
            for (int p = 1; p < 10; ++p)
                std::cout << " " << pick[p];
            std::cout << std::endl;
        }

        // Advance like an odometer: roll over every trailing slot that has
        // reached N, then bump the first slot that has not.
        int slot = 9;
        while (slot >= 0 && pick[slot] == N)
        {
            pick[slot] = 48;
            --slot;
        }
        if (slot < 0)
            exhausted = true;
        else
            ++pick[slot];
    }
    return 0;
}

感谢之前做出来的大佬们,有些转自他们
https://www.cnblogs.com/Mayfly-nymph/p/12859103.html#:~:text=测试文件:https://lanzous.com/icfcxtg
https://www.cnblogs.com/th1r7een/articles/14532420.html
