吾爱破解 - 52pojie.cn


[CTF] 2024 Guocheng Cup (国城杯) Reverse write-up

空谷幽兰 posted on 2024-12-9 14:59
Last edited by 空谷幽兰 on 2024-12-10 12:08

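Foreword:

Four challenges in total:
XXTEA (Crush's_secret)
Rubik's cube wrapped around a maze (FunMz)
Driver challenge (easy_key)
Java Base64 + brute force (round)
I solved two of them; the other two are post-contest reproductions. Sob. The driver one actually feels quite simple, I just didn't think of it, and it only clicked after the contest......
Never mind the cube + maze one. Apparently some expert did solve it, and it has a unique solution. Still way too strong!!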

Reverse

Crush's_secret

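Load it into IDA, press Shift+F12 to find the string that looks like the flag, and double-click it
image.png
Look up its cross-references (X) to reach the entry of the main function
image.png
The v5 array holds just four values; in hexadecimal:
image.png
At this point you can tell with your eyes closed that it is the TEA family. Then note the function sub_411122 and double-click into it
image.png
The v11 array here is the ciphertext. The actual encryption is at sub_41110E; go into that function to look
image.png
Whoa, it's all red
image.png
One look says SMC, so go straight to dynamic debugging
image.png

Set a breakpoint at this spot and press F9 to run the program
image.png

Press F7 to step into the function
image.png
Run to the marked location; a dialog pops up, click Yes, then press P at 00418000 and the function appears
image.png
Once inside, it is XXTEA at a glance; grab a script and write the solver directly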

#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

void btea(uint32_t* v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) 
    {
        rounds = 6 + 52 / n;
        sum = 0;
        z = v[n - 1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n - 1] += MX;
        } while (--rounds);
    }
    else if (n < -1)
    {
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        } while (--rounds);
    }
}

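int main()
{
    uint32_t v[12] = { 0x5A764F8A,0x5B0DF77,0xF101DF69,0xF9C14EF4,0x27F03590,0x7DF3324F,0x2E322D74,0x8F2A09BC,0xABE2A0D7,0xC2A09FE,0x35892BB2,0x53ABBA12 };
    uint32_t const k[4] = { 0x5201314,0x52013140,0x5201314,0x52013140 };
    int n = 2; // |n| is the number of 32-bit words in v; positive encrypts, negative decrypts
    // v is the data to process, as 32-bit unsigned integers
    // k is the key: four 32-bit unsigned integers, i.e. a 128-bit key
    for (int i = 0; i < 12; i+=2)
    {
        btea(v+i, -n, k);
    }
    // v has no terminating NUL, so bound the print to its 48 bytes
    printf("解密后的数据:%.*s\n", (int)sizeof v, (const char *)v);
    return 0;
}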

image.png
The decrypted output has a small blemish at the end..... no big deal (doge)
The final result is D0g3xGC{The_wind_stops_at_autumn_water_and_I_stop_at_you}

round

image.png

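First, a few important parts
image.png
Characters must be within this range, otherwise you get this prompt
image.png

Next, the encodetobase64 function has been modified, so a normal decode does not work. However, I printed the outputs one by one by hand

Reason: the input rou gives cm91, which compared with the given c9m1 has two characters swapped; my guess was that in every group of 4, the middle two are exchanged

And that guess actually worked out, though it took far too long

The result is: round_and

Next is the encode function
image.png
The code is given here; I threw it straight at GPT, which wrote out iArr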

# Initialise the array and the string
iArr = [0] * 1024
base64 = list("c9m1bRmfY5Wk")
# Fill the array
for i in range(1024):
    iArr[1023 - i] = i
# XOR step
for i2 in range(1024):
    iArr[i2] = iArr[i2] ^ ord(base64[i2 % len(base64)])

The remaining part looks a bit like a VM
It feels like it needs brute forcing, so I handed it to GPT
image.png

image.png

class CryptoSystem:
    def __init__(self):
        self.results = []
        self.transformation_matrix = [
            352, 646, 752, 882, 65, 0, 122, 0, 0, 7, 350, 360
        ]

    def initialize_array(self, input_string):
        array = [0] * 1024
        char_list = [ord(char) for char in input_string]
        for i in range(1024):
            array[1023 - i] = i
        for i in range(1024):
            array[i] ^= char_list[i % len(char_list)]
        return array

    def execute_transformation(self, array, index):
        for operation in self.transformation_matrix:
            yield operation, array, index

    def decode(self, array, index):
        # Try every allowed input character (A-Z, a-z, '_') at this position
        for char_code in range(0x20, 0x7F):
            if (char_code >= 0x41 and char_code <= 0x5A) or \
               (char_code >= 0x61 and char_code <= 0x7A) or \
               char_code == 0x5F:
                result, new_index = self.apply_operations(array, char_code, index)
                # Yield the candidate itself together with its transformed value
                yield char_code, result, new_index

    def apply_operations(self, array, char, index):
        # 32 rounds; each round picks one of five operations from the table state
        for _ in range(32):
            operation, value = self.determine_operation(array, char, index)
            char, index = operation(value, char, index)
        return char, index

    def determine_operation(self, array, char, index):
        operation_index = (array[index] ^ char) % 5
        operations = [
            self.add, self.sub, self.xor, self.shl, self.shr
        ]
        return operations[operation_index], array

    def add(self, value, char, index):
        return ((char + value[index]) % 1024, (index + char) % 1024)

    def sub(self, value, char, index):
        return ((char - value[index]) % 1024, (index + char) % 1024)

    def xor(self, value, char, index):
        return (char ^ value[index], (index + char) % 1024)

    def shl(self, value, char, index):
        return ((char << 3) % 1024, (index + char) % 1024)

    def shr(self, value, char, index):
        return ((char >> 3) % 1024, (index + char) % 1024)

    def find_solution(self, array, index, count):
        # Depth-first search over the 12 positions
        if count >= 12:
            return True
        for candidate, char, new_index in self.decode(array, index):
            if char == self.transformation_matrix[count]:
                # Print the input character, not its transformed value
                print(f"[{count}] is {chr(candidate)}")
                if self.find_solution(array, new_index, count + 1):
                    return True
        return False

# Main execution
crypto_system = CryptoSystem()
input_string = "c9m1bRmfY5Wk"
array = crypto_system.initialize_array(input_string)
solution_found = crypto_system.find_solution(array, 33, 0)
'''
[0] is _
[1] is r
[2] is o
[3] is u
[4] is n
[5] is D
[6] is _
[7] is w
[8] is e
[9] is _
[10] is g
[11] is o
_rounD_we_go
'''

The brute force prints a lot of useless characters; by searching through them I got the password
image.png
The final result is D0g3xGC{round_and_rounD_we_go}

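easy_key (reproduction)

Talking to myself: this is a driver challenge. Damn it, I spent ages getting a VM to load the driver; it did load successfully, but it just would not show up in OpenArk. What a pain.....
Start by analysing it in IDA
image.png
Shift+F12 to list the strings, double-click and follow the cross-references
image.png
There is a list
image.png
There is also what looks like a keyboard driver
Guessing it might be related to key codes, I searched Baidu and found a keyboard mapping table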

{0x1E: "A", 0x30: "B", 0x2E: "C", 0x20: "D", 0x12: "E", 0x21: "F", 0x22: "G", 0x23: "H", 0x17: "I", 0x24: "J", 0x25: "K", 0x26: "L", 0x32: "M", 0x31: "N", 0x18: "O", 0x19: "P", 0x10: "Q", 0x13: "R", 0x1F: "S", 0x14: "T", 0x16: "U", 0x2F: "V", 0x11: "W", 0x2D: "X", 0x15: "Y", 0x2C: "Z", 0x02: "1", 0x03: "2", 0x04: "3", 0x05: "4", 0x06: "5", 0x07: "6", 0x08: "7", 0x09: "8", 0x0A: "9", 0x0B: "0", 0x2a: "[shift]", 0xc: "-"}

Then extract v14

[32, 42, 11, 34, 4, 45, 34, 42, 46, 42, 26, 42, 30, 7, 7, 48, 3, 4, 5, 3, 12, 11, 5, 32, 5, 12, 5, 7, 9, 30, 12, 10, 10, 32, 4, 12, 8, 18, 32, 48, 30, 5, 46, 10, 11, 11, 2, 33, 27, 42]

Substitute

keys = [32, 42, 11, 34, 4, 45, 34, 42, 46, 42, 26, 42, 30, 7, 7, 48, 3, 4, 5, 3, 12, 11, 5, 32, 5, 12, 5, 7, 9, 30, 12, 10, 10, 32, 4, 12, 8, 18, 32, 48, 30, 5, 46, 10, 11, 11, 2, 33, 27, 42]
d = {0x1E: "A", 0x30: "B", 0x2E: "C", 0x20: "D", 0x12: "E", 0x21: "F", 0x22: "G", 0x23: "H", 0x17: "I", 0x24: "J", 0x25: "K", 0x26: "L", 0x32: "M", 0x31: "N", 0x18: "O", 0x19: "P", 0x10: "Q", 0x13: "R", 0x1F: "S", 0x14: "T", 0x16: "U", 0x2F: "V", 0x11: "W", 0x2D: "X", 0x15: "Y", 0x2C: "Z", 0x02: "1", 0x03: "2", 0x04: "3", 0x05: "4", 0x06: "5", 0x07: "6", 0x08: "7", 0x09: "8", 0x0A: "9", 0x0B: "0", 0x2a: "[shift]", 0xc: "-"}

# Convert the key codes in the list to their characters
mapped_keys = [d.get(key, '') for key in keys]

# Join the list of characters into one string
output_string = ''.join(mapped_keys)

print(output_string)

This gives D[shift]0G3XG[shift]C[shift][shift]A66B2342-04D4-468A-99D3-7EDBA4C9001F[shift]
After removing the useless parts, the final result is D0g3xGC{a66b2342-04d4-468a-99d3-7edba4c9001f}

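FunMz (reproduction)

Foreword:

This challenge is something else

Analysis

image.png
Opening the exe first asks you to enter a path once; if the input is wrong, it asks for the path again. Hmm, no more chatter, straight into IDA
Use Shift+F12 to locate the string Great! and find the approximate location.
Program location:
start_0=>sub_140030950=>sub_140030970=>sub_140030BC0=>sub_14001285C=>sub_14002E4A0
From here on the program events start to appear
image.png
Here, sub_14001E210 inside sub_140012B6D handles the control
image.png
sub_140029980 inside sub_14001266D handles the control of the remaining part
image.png

Part one analysis:

The function sub_14001C2C0 inside sub_1400121B3 looks like a Rubik's cube?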

__int64 __fastcall sub_14001C2C0(__int64 a1)
{
  unsigned __int64 v1; // rax
  __int64 v2; // r8
  __int64 v3; // r8
  __int64 v4; // r8
  __int64 v5; // r8
  __int64 v6; // r8
  __int64 v7; // r8
  int i; // [rsp+24h] [rbp+4h]
  char v10[48]; // [rsp+1D0h] [rbp+1B0h] BYREF
  char v11[48]; // [rsp+200h] [rbp+1E0h] BYREF
  char v12[48]; // [rsp+230h] [rbp+210h] BYREF
  char v13[48]; // [rsp+260h] [rbp+240h] BYREF
  char v14[48]; // [rsp+290h] [rbp+270h] BYREF
  char v15[48]; // [rsp+2C0h] [rbp+2A0h] BYREF
  char v16[48]; // [rsp+2F0h] [rbp+2D0h] BYREF
  char v17[48]; // [rsp+320h] [rbp+300h] BYREF
  char v18[48]; // [rsp+350h] [rbp+330h] BYREF
  char v19[48]; // [rsp+380h] [rbp+360h] BYREF
  char v20[48]; // [rsp+3B0h] [rbp+390h] BYREF
  char v21[24]; // [rsp+3E0h] [rbp+3C0h] BYREF
  unsigned __int64 v22; // [rsp+3F8h] [rbp+3D8h]

  sub_140012CF8(&unk_14004A0FF);
  for ( i = 0; ; ++i )
  {
    v22 = i;
    v1 = sub_140012AEB(a1 + 4096);
    if ( v22 >= v1 )
      break;
    if ( *sub_14001215E(a1 + 4096, i) == 'R' )
    {
      if ( *sub_14001215E(a1 + 4096, i + 1) == 39 )
      {
        ++i;
        qmemcpy(v10, sub_1400121C7(&unk_140043010, 3i64), 0xCui64);
        sub_14001204B(a1, v10, 0i64);
      }
      else
      {
        qmemcpy(v11, sub_1400121C7(&unk_140043010, 3i64), 0xCui64);
        LOBYTE(v2) = 1;
        sub_14001204B(a1, v11, v2);
      }
    }
    else if ( *sub_14001215E(a1 + 4096, i) == 'U' )
    {
      if ( *sub_14001215E(a1 + 4096, i + 1) == 39 )
      {
        qmemcpy(v12, sub_1400121C7(&unk_140043010, 4i64), 0xCui64);
        sub_14001204B(a1, v12, 0i64);
        ++i;
      }
      else
      {
        qmemcpy(v13, sub_1400121C7(&unk_140043010, 4i64), 0xCui64);
        LOBYTE(v3) = 1;
        sub_14001204B(a1, v13, v3);
      }
    }
    else if ( *sub_14001215E(a1 + 4096, i) == 'F' )
    {
      if ( *sub_14001215E(a1 + 4096, i + 1) == 39 )
      {
        qmemcpy(v14, sub_1400121C7(&unk_140043010, 0i64), 0xCui64);
        sub_14001204B(a1, v14, 0i64);
        ++i;
      }
      else
      {
        qmemcpy(v15, sub_1400121C7(&unk_140043010, 0i64), 0xCui64);
        LOBYTE(v4) = 1;
        sub_14001204B(a1, v15, v4);
      }
    }
    else if ( *sub_14001215E(a1 + 4096, i) == 'L' )
    {
      if ( *sub_14001215E(a1 + 4096, i + 1) == 39 )
      {
        qmemcpy(v16, sub_1400121C7(&unk_140043010, 2i64), 0xCui64);
        LOBYTE(v5) = 1;
        sub_14001204B(a1, v16, v5);
        ++i;
      }
      else
      {
        qmemcpy(v17, sub_1400121C7(&unk_140043010, 2i64), 0xCui64);
        sub_14001204B(a1, v17, 0i64);
      }
    }
    else if ( *sub_14001215E(a1 + 4096, i) == 'D' )
    {
      if ( *sub_14001215E(a1 + 4096, i + 1) == 39 )
      {
        qmemcpy(v18, sub_1400121C7(&unk_140043010, 5i64), 0xCui64);
        sub_14001204B(a1, v18, 0i64);
        ++i;
      }
      else
      {
        qmemcpy(v19, sub_1400121C7(&unk_140043010, 5i64), 0xCui64);
        LOBYTE(v6) = 1;
        sub_14001204B(a1, v19, v6);
      }
    }
    else if ( *sub_14001215E(a1 + 4096, i) == 'B' )
    {
      if ( *sub_14001215E(a1 + 4096, i + 1) == 39 )
      {
        qmemcpy(v20, sub_1400121C7(&unk_140043010, 1i64), 0xCui64);
        sub_14001204B(a1, v20, 0i64);
        ++i;
      }
      else
      {
        qmemcpy(v21, sub_1400121C7(&unk_140043010, 1i64), 0xCui64);
        LOBYTE(v7) = 1;
        sub_14001204B(a1, v21, v7);
      }
    }
  }
  return 0i64;
}

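Where there is a cube there must be a cube net; I spent a lot of time looking for it and found
image.png

image.png
This net is actually made up of a 27×36 list. Dynamic debugging shows something like (11,1) and (13,31), so I dumped it
image.png
The Python dump script: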

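import struct
from ida_bytes import get_wide_dword  # IDAPython API; run this inside IDA

def read_signed_dwords_from_addr(addr, length):
    # Print `length` bytes starting at addr as comma-separated signed 32-bit values
    print("")
    for i in range(0, length, 4):
        dword_value = get_wide_dword(addr + i)
        signed_value = struct.unpack('i', struct.pack('I', dword_value))[0]
        print(f"{signed_value},", end="")

read_signed_dwords_from_addr(0x14C8B0, 0xF30)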

And arranging it as a matrix

numbers = [
    -1,-1,-1,-1,-1,-1,-1,-1,-1,5,5,5,6,6,6,5,5,5,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,5,0,0,0,0,0,5,0,5,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,5,0,5,0,6,6,5,5,5,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,6,6,0,0,0,5,
    6,6,6,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,6,0,0,5,5,5,6,6,6,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,6,6,6,0,0,0,6,6,6,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,5,5,5,6,6,6,0,5,5,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,5,0,5,0,0,0,5,5,5,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,5,5,5,6,6,6,5,5,5,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,4,4,4,3,3,3,4,4,4,1,1,1,2,2,2,0,
    0,1,3,3,3,4,4,4,3,3,3,2,2,2,1,1,1,2,2,2,4,4,4,0,0,0,0,4,0,0,0,1,2,0,2,0,1,1,0,3,3,4
    ,4,0,0,3,3,2,0,0,0,0,0,2,0,2,4,0,0,3,3,3,4,4,4,1,0,1,2,2,2,1,1,1,0,3,3,4,4,0,0,3,3,
    2,0,2,1,1,0,2,2,2,0,0,0,4,4,0,0,3,3,2,0,2,1,1,0,2,2,2,4,4,4,3,3,3,4,4,4,1,0,0,2,2,2,
    0,0,0,3,0,3,0,0,0,0,0,0,0,0,2,1,1,1,2,0,2,4,0,4,3,3,0,0,0,0,0,0,1,2,0,2,0,1,1,3,0,3,
    4,4,0,0,3,0,2,2,2,0,0,0,2,2,2,4,4,4,3,3,0,4,4,4,1,0,1,2,0,2,0,1,1,4,4,4,3,3,3,4,4,4,
    1,0,1,2,0,2,0,1,1,3,0,0,4,4,0,0,3,0,2,2,2,1,0,1,2,2,2,4,0,4,0,3,3,4,0,4,1,0,1,2,0,0,
    0,1,1,3,3,0,4,4,4,0,3,0,2,2,2,0,0,1,2,0,2,4,4,4,3,3,3,4,4,4,1,0,1,2,2,2,1,1,1,3,3,3,
    4,4,4,3,3,3,2,2,2,1,0,1,2,2,2,-1,-1,-1,-1,-1,-1,-1,-1,-1,6,0,6,5,5,5,6,6,6,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,6,0,0,0,5,0,
    6,6,6,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,6,0,6,5,5,0,6,6,6,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,5,5,0,6,6,6,5,5,5,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,5,5,5,0,6,0,5,5,5,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
    -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
]
#print(len(numbers))
# Convert the flat list into a 27x36 two-dimensional matrix
matrix = [numbers[i:i+36] for i in range(0, len(numbers), 36)]

# Print the matrix to verify the result
for row in matrix:
    print(row)

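The result:
image.png
It is dense enough to make you go blind; after viewing it somewhere else, the cube looks roughly like this
image.png
Put together it is
image.png
Solve it directly with an online solver
image.png
which gives UUDDLLRRFFBB
Enter that into the program once more and dump again, which gives
image.png
Then the start is B (11,1) and the end is E (13,31)
which gives
image.png
The maze-related functions are at
image.png

Path: lljjlllllllkllllllllljjjljllllkkkllllkkkllljjj
Finally, with MD5: D0g3xGC{17A2D9ADF83E739AF392D287178A6C96}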



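Finally
As expected, the masters are still too strong. Sob. I'll go over it again when I have time, to prepare for the Great Wall Cup (长城杯)

Challenge link: https://wwbp.lanzouw.com/iZQxi2hq9wxa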
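
The swap the post guessed for round's modified Base64, as an added example (not code from the original post or the challenge): within each group of four output characters the middle two are exchanged, so undoing the swap and running a standard decoder recovers the input. The function names are hypothetical, and how the real encoder treats `=` padding is not shown in the post.

```python
import base64


def swap_middle(text: str) -> str:
    """Exchange the 2nd and 3rd character of every 4-character Base64 group.

    The swap is its own inverse, so the same helper serves encode and decode.
    """
    if len(text) % 4:
        raise ValueError("Base64 text length must be a multiple of 4")
    return "".join(
        text[i] + text[i + 2] + text[i + 1] + text[i + 3]
        for i in range(0, len(text), 4)
    )


def encode_modified(data: bytes) -> str:
    # Standard Base64 first, then the per-group swap (assumed order).
    return swap_middle(base64.b64encode(data).decode("ascii"))


def decode_modified(text: str) -> bytes:
    # Undo the swap, then decode strictly so stray characters raise an error.
    return base64.b64decode(swap_middle(text), validate=True)


if __name__ == "__main__":
    # "c9m1bRmfY5Wk" is the string given in the post.
    print(decode_modified("c9m1bRmfY5Wk").decode("ascii"))
```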

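
For the maze stage of FunMz, an added example (not part of the original post or the challenge): a breadth-first solver that emits moves as h/j/k/l, plus a `walk` helper that replays a path. The key directions (j down, k up, l right, h left), the (row, column) reading of the coordinates and the 0-means-open rule are assumptions; the small grid is constructed, since the post's maze survives only as a screenshot.

```python
from collections import deque

# Assumed key mapping: key -> (row delta, column delta).
MOVES = {"h": (0, -1), "j": (1, 0), "k": (-1, 0), "l": (0, 1)}


def walk(path, start):
    """Replay a key string from start and return the final (row, col)."""
    r, c = start
    for key in path:
        dr, dc = MOVES[key]
        r, c = r + dr, c + dc
    return (r, c)


def solve(grid, start, goal):
    """Breadth-first search; returns the shortest key string or None.

    Cells equal to 0 are treated as walkable (assumption).
    """
    rows, cols = len(grid), len(grid[0])
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for key, (dr, dc) in MOVES.items():
            nxt = (cur[0] + dr, cur[1] + dc)
            if (0 <= nxt[0] < rows and 0 <= nxt[1] < cols
                    and grid[nxt[0]][nxt[1]] == 0 and nxt not in prev):
                prev[nxt] = (cur, key)
                queue.append(nxt)
    if goal not in prev:
        return None
    keys = []
    node = goal
    while prev[node] is not None:
        node, key = prev[node]
        keys.append(key)
    return "".join(reversed(keys))


# Constructed 4x5 maze (not the challenge's data): 0 = open, 1 = wall.
DEMO = [
    [0, 1, 0, 0, 0],
    [0, 1, 0, 1, 0],
    [0, 0, 0, 1, 0],
    [1, 1, 1, 1, 0],
]
# Path string quoted from the post.
POST_PATH = "lljjlllllllkllllllllljjjljllllkkkllllkkkllljjj"

if __name__ == "__main__":
    print(solve(DEMO, (0, 0), (3, 4)))
    print(walk(POST_PATH, (11, 1)))
```

Replaying the post's path from (11,1) under these assumptions ends at (13,31), the end point the post gives.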

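murasame520 posted on 2024-12-10 10:38
Being able to solve this maze challenge is really impressive; I found even reproducing it a hassle
I'd like to ask about the driver challenge: why can't my VM load the driver even with test mode turned on? sc did create the driver process, but sc start just fails, saying something about not finding the process
OP | 空谷幽兰 posted on 2024-12-10 12:06
murasame520 posted on 2024-12-10 10:38
Being able to solve this maze challenge is really impressive; I found even reproducing it a hassle
I'd like to ask about the driver challenge: why, even though my VM has test ...

What a coincidence, in test mode my driver also loaded successfully but the service failed to start.... I debugged for ages too and couldn't figure it out. Really, seeing kbdclass should have made me think of the keyboard driver.
Hmily posted on 2024-12-9 15:04
OP | 空谷幽兰 posted on 2024-12-9 15:16
Hmily posted on 2024-12-9 15:04
The images are hotlinked; they need to be uploaded and the post edited.

Finally done with all that
AlexDK posted on 2024-12-9 15:52
Yay, a first-year RE player here to learn
shinian0buwan posted on 2024-12-9 16:02
The write-up is very detailed
D22832 posted on 2024-12-9 19:06
Nice, very detailed
pomxion posted on 2024-12-9 23:07
Truly a master, this skill is too strong! I have to read it several times to understand!
winxpnt posted on 2024-12-10 07:57
The code is very well written; learning from it
yiting8 posted on 2024-12-10 08:08
Expert, is there still somewhere to download the original challenges? I'd like to study them
zay1983 posted on 2024-12-10 09:15
Learned something, thanks for sharing.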