初音ミクの消失

single


single

single

思路

经观察 发现a1是一个矩阵

sub_400833

/*
 * Row check over the 9x9 byte grid at a1 (Hex-Rays output, locals renamed).
 *
 * For each of the 9 rows: clear the ten counters s[0..9], use every cell byte
 * of the row as an index into s and bump that counter, then require that
 * s[1]..s[9] are each exactly 1. Any other count calls sub_4006F6(), whose
 * body is not shown on this page (presumably the "wrong input" path).
 * s[0] is counted but never checked.
 *
 * NOTE(review): the cell byte indexes the 24-byte s[] with no range check in
 * this function. Whether the caller limits cells to 0..9 is not visible here;
 * confirm, because a byte of 24 or more would make the increment land outside s.
 */
unsigned __int64 __fastcall sub_400833(__int64 a1)
{
  signed int row;           // [rsp+18h] [rbp-28h]
  signed int col;           // [rsp+1Ch] [rbp-24h]
  signed int digit;         // [rsp+1Ch] [rbp-24h]  (same stack slot as col)
  char s[24];               // [rsp+20h] [rbp-20h]
  unsigned __int64 canary;  // [rsp+38h] [rbp-8h]

  // Read of fs:0x28 here plus the XOR on return looks like the decompiler's
  // rendering of the compiler-inserted stack-protector check, not program logic.
  canary = __readfsqword(0x28u);

  row = 0;
  while ( row <= 8 )
  {
    // Only the first 10 bytes of s are cleared: one counter per value 0..9.
    memset(s, 0, 0xAuLL);

    // Row-major layout: cell (row, col) lives at a1 + 9 * row + col.
    for ( col = 0; col <= 8; ++col )
    {
      ++s[*(unsigned __int8 *)(a1 + 9 * row + col)];
    }

    // Each value 1..9 must have been seen exactly once in this row.
    for ( digit = 1; digit <= 9; ++digit )
    {
      if ( s[digit] != 1 )
      {
        sub_4006F6();
      }
    }

    ++row;
  }

  return __readfsqword(0x28u) ^ canary;
}

对a1矩阵的每一行:以该行每个格子的值作为下标,把s中对应的计数加1;校验通过的条件是 s[1] 到 s[9] 全部等于1,也就是这一行里 1~9 各恰好出现一次。

sub_4008FE

/*
 * Column check over the 9x9 byte grid at a1 (Hex-Rays output, locals renamed).
 *
 * Same counting scheme as the row check, but the outer loop walks the column
 * index and the inner loop walks the rows (index 9 * row + col). After each
 * column, s[1]..s[9] must each be exactly 1, otherwise sub_4006F6() is called
 * (body not shown on this page; presumably the "wrong input" path).
 *
 * NOTE(review): as in the row check, the cell byte is used as an index into
 * the 24-byte s[] without a range check inside this function; confirm that
 * the caller restricts cells to 0..9.
 */
unsigned __int64 __fastcall sub_4008FE(__int64 a1)
{
  signed int col;           // [rsp+18h] [rbp-28h]
  signed int row;           // [rsp+1Ch] [rbp-24h]
  signed int digit;         // [rsp+1Ch] [rbp-24h]  (same stack slot as row)
  char s[24];               // [rsp+20h] [rbp-20h]
  unsigned __int64 canary;  // [rsp+38h] [rbp-8h]

  // fs:0x28 read + XOR on return: looks like the stack-protector check as
  // rendered by the decompiler.
  canary = __readfsqword(0x28u);

  col = 0;
  while ( col <= 8 )
  {
    // Reset the ten counters for values 0..9.
    memset(s, 0, 0xAuLL);

    // Walk down the column: stride of 9 bytes between consecutive rows.
    for ( row = 0; row <= 8; ++row )
    {
      ++s[*(unsigned __int8 *)(a1 + 9 * row + col)];
    }

    // Each value 1..9 must appear exactly once in this column.
    for ( digit = 1; digit <= 9; ++digit )
    {
      if ( s[digit] != 1 )
      {
        sub_4006F6();
      }
    }

    ++col;
  }

  return __readfsqword(0x28u) ^ canary;
}

对a1矩阵的每一列:以该列每个格子的值作为下标,把s中对应的计数加1;校验通过的条件是 s[1] 到 s[9] 全部等于1,也就是这一列里 1~9 各恰好出现一次。

其实做完这一步的时候我就反应出来这道题可能是一个数独了,并且验证最后一个函数的功能,发现确实是一个数独

sub_4009C9

/*
 * 3x3 box check over the 9x9 byte grid at a1 (Hex-Rays output, locals renamed).
 *
 * row_end / col_end are the exclusive upper bounds of the current box and both
 * start at 3. Nine boxes are visited: col_end steps 3 -> 6 -> 9, then wraps
 * back to 3 while row_end advances by 3, so boxes are scanned left to right,
 * top to bottom. For each box the ten counters s[0..9] are cleared, each cell
 * byte bumps its counter, and s[1]..s[9] must each be exactly 1; otherwise
 * sub_4006F6() is called (body not shown on this page; presumably the
 * "wrong input" path).
 *
 * NOTE(review): the cell byte indexes the 24-byte s[] without a range check
 * inside this function; confirm that the caller restricts cells to 0..9.
 */
unsigned __int64 __fastcall sub_4009C9(__int64 a1)
{
  signed int box;           // [rsp+1Ch] [rbp-34h]
  int r;                    // [rsp+20h] [rbp-30h]
  signed int digit;         // [rsp+20h] [rbp-30h]  (same stack slot as r)
  int c;                    // [rsp+24h] [rbp-2Ch]
  signed int row_end;       // [rsp+28h] [rbp-28h]
  signed int col_end;       // [rsp+2Ch] [rbp-24h]
  char s[24];               // [rsp+30h] [rbp-20h]
  unsigned __int64 canary;  // [rsp+48h] [rbp-8h]

  // fs:0x28 read + XOR on return: looks like the stack-protector check as
  // rendered by the decompiler.
  canary = __readfsqword(0x28u);

  row_end = 3;
  col_end = 3;
  box = 0;
  while ( box <= 8 )
  {
    // Reset the ten counters for values 0..9.
    memset(s, 0, 0xAuLL);

    // Count the nine cells of the box [row_end-3, row_end) x [col_end-3, col_end).
    for ( r = row_end - 3; r < row_end; ++r )
    {
      for ( c = col_end - 3; c < col_end; ++c )
      {
        ++s[*(unsigned __int8 *)(a1 + 9 * r + c)];
      }
    }

    // Each value 1..9 must appear exactly once in this box.
    for ( digit = 1; digit <= 9; ++digit )
    {
      if ( s[digit] != 1 )
      {
        sub_4006F6();
      }
    }

    // Move to the next box: right by three columns, or wrap to the first
    // column band and go down three rows once the right edge is reached.
    if ( col_end != 9 )
    {
      col_end += 3;
    }
    else
    {
      col_end = 3;
      row_end += 3;
    }

    ++box;
  }

  return __readfsqword(0x28u) ^ canary;
}

将a1矩阵分为九个 3×3 的正方形小块,对每个小块:以块内每个格子的值作为下标,把s中对应的计数加1;校验通过的条件是 s[1] 到 s[9] 全部等于1,也就是每个小块里 1~9 各恰好出现一次。

计算

程序先读入一个81位长的字符串

并且通过 c -= '0' 把每个字符转化为数字

如果数独的某个位置上面已经有数的话,就必须输入0

dump

# IDAPython snippet, meant to be run inside IDA. It uses Python 2 print
# statements and the legacy Byte() helper, so a recent IDA build may need the
# compatibility layer or the newer byte-read API -- confirm for your version.
#
# Prints the 81 bytes starting at 0x602080 (per this write-up, the preset
# sudoku grid) as nine comma-separated values per line.
base = 0x602080
for n in range(1, 82):
    # The trailing comma keeps the cursor on the same line (Python 2 semantics).
    print Byte(base + n - 1), ",",
    if n % 9 == 0:
        # End of a grid row: emit the line break.
        print ""

map

0 , 3 , 0 , 6 , 0 , 0 , 0 , 0 , 0 , 
6 , 0 , 0 , 0 , 3 , 2 , 4 , 9 , 0 ,
0 , 9 , 0 , 1 , 0 , 7 , 0 , 6 , 0 ,
7 , 4 , 6 , 0 , 0 , 0 , 0 , 0 , 0 ,
0 , 1 , 8 , 0 , 0 , 0 , 6 , 3 , 0 ,
0 , 0 , 0 , 0 , 0 , 0 , 1 , 4 , 7 ,
0 , 8 , 0 , 9 , 0 , 4 , 0 , 7 , 0 ,
0 , 7 , 4 , 2 , 1 , 0 , 0 , 0 , 6 ,
0 , 0 , 0 , 0 , 0 , 3 , 0 , 1 , 0 ,

solve

http://www.llang.net/sudoku/calsudoku.html 求解即可

401095728057800001802040305000321589500479002923586000105060203300008950269750804

加个flag

flag{401095728057800001802040305000321589500479002923586000105060203300008950269750804}

原文作者:mrh929

原文链接:https://mrh1s.top/posts/caa72719/

发表日期:May 14th 2019, 1:44:02 pm

更新日期:May 21st 2019, 3:55:13 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可
