Writeup of Mountainclimbing(reverse) in BugKu

好题啊！

首先扔到IDA里大致看一下逻辑

（改了函数名，数组名，变量名）

大概就是，用伪随机序列打印了一个如下图的二维数组，然后用L和R控制方向，走到哪里就把所在位置的元素值加入score

s=[
[77],
[5628, 6232],
[29052,1558, 26150],
[12947,29926,11981,22371],
[4078, 28629,4665, 2229, 24699],
[27370,3081, 18012,24965,2064, 26890],
[21054,5225, 11777,29853,2956, 22439,3341],
[31337,14755,5689, 24855,4173, 32304,292,  5344],
[15512,12952,1868, 10888,19581,13463,32652,3409, 28353],
[26151,14598,12455,26295,25763,26040,8285, 27502,15148,4945],
[26170,1833, 5196, 9794, 26804,2831, 11993,2839, 9979, 27428,6684],
[4616, 30265,5752, 32051,10443,9240, 8095, 28084,26285,8838, 18784,6547],
[7905, 8373, 19377,18502,27928,13669,25828,30502,28754,32357,2843, 5401, 10227],
[22871,20993,8558, 10009,6581, 22716,12808,4653, 24593,21533,9407, 6840, 30369,2330],
[3,    28024,22266,19327,18114,18100,15644,21728,17292,8396, 27567,2002, 3830, 12564,1420],
[29531,21820,9954, 8319, 10918,7978, 24806,30027,17659,8764, 3258, 20719,6639, 23556,25786,11048],
[3544, 31948,22,   1591, 644,  25981,26918,31716,16427,15551,28157,7107, 27297,24418,24384,32438,22224],
[12285,12601,13235,21606,2516, 13095,27080,16331,23295,20696,31580,28758,10697,4730, 16055,22208,2391, 20143],
[16325,24537,16778,17119,18198,28537,11813,1490, 21034,1978, 6451, 2174, 24812,28772,5283, 6429, 15484,29353,5942],
[7299, 6961, 32019,24731,29103,17887,17338,26840,13216,8789, 12474,24299,19818,18218,14564,31409,5256, 31930,26804,9736]]

然后咋整呢？上脚本呗，遍历一遍所有走法，得到所有走法的score，再找出maximum，话不多说，上脚本（好像可以宽搜，但是怕麻烦没写）：

（首先得生成2**19个走法，打印到mountain.txt里，这里就不给出脚本了）

其次：（寻找maximum）（找到之后加了个判断输出了正确走法）

sch=[]
with open('mountain.txt','r')as f:
    line=f.readline()
    while line:
        row=0
        col=0
        score=s[row][col]
        for i in line:
            if i=='L':
                row+=1
                score+=s[row][col]
            elif i=='R':
                row+=1
                col+=1
                score+=s[row][col]
        #if score==444740:
        #    print line
        sch.append(score)
        line=f.readline()
print max(sch)

(打码)（给各位小伙伴一个复现的机会）

但是我把正确走法提交上去却显示wrong……emmmmm为啥呢

于是动态调试，发现函数sub_41114F是个比较可疑的加密函数，多次试验之后猜测其为单表加密，于是直接多次输入，得到密码表

原来我找到的正确走法被加密之后，偶数位的L或者R被修改成了其他字符，于是对着密码表改回来，把偶数位的L换成H，R换成V

得到正确结果，提交，correct

（溜了溜了，大一狗复习四级去了）