WeChall - CGX#14 - Cracking Intro - Amaze Us

Challenge

"Dear fellow Hackers,"

This time we will dive into a small windows application to get you started with cracking. We are using x64debug and analyze the crackit "Amaze Me" from bb on TBS.

The README says the analysis is done with x64dbg, but the actual solution needs no Windows at all: the maze grid is stored verbatim in the PE file's .data section, so a simple byte extraction followed by BFS is enough.

Solution

$ file amazeme.exe
amazeme.exe: PE32+ executable (GUI) x86-64, for MS Windows

PE section information:
- .data section: VA=0x403000, file_offset=0xC00
- maze start cell: VA 0x4030D0 = file offset 0xCD0
- maze goal cell: VA 0x4032BE = file offset 0xEBE
- grid width 16 bytes, height 32 rows

Running xxd over the .data section reveals what is clearly a variant of an ASCII-art maze: byte value 0x2e ('.') marks a wall, 0x00 marks a path:

00000cc0: 2e2e 2e2e 2e2e 2e2e 2e2e 2e2e 2e2e 2e2e  ................
00000cd0: 0000 2e00 0000 0000 2e00 0000 0000 2e2e ................
00000ce0: 2e00 2e00 2e2e 2e00 2e00 2e2e 2e00 2e2e ................

This cell logic can be confirmed by disassembling the binary: the comparison cmp byte [edi], 1 is followed by jge fail, i.e. any byte value >= 1 is treated as a wall and 0x00 as a path.

Extraction + BFS solve

from collections import deque

with open('amazeme.exe', 'rb') as f:
    data = f.read()

# Maze parameters (derived from the binary analysis)
ROW_WIDTH = 16
NUM_ROWS = 32
START_OFFSET = 0xCC0  # .data section file offset 0xC00 + 0xC0

# Extract the maze bytes
maze_bytes = data[START_OFFSET:START_OFFSET + NUM_ROWS * ROW_WIDTH]

# Convert to a 2D grid: 0 = path, 1 = wall (any non-zero byte, as the binary checks)
grid = []
for row in range(NUM_ROWS):
    r = []
    for col in range(ROW_WIDTH):
        b = maze_bytes[row * ROW_WIDTH + col]
        r.append(1 if b != 0 else 0)
    grid.append(r)

# Start cell (1,0), goal cell (31,14)
start = (1, 0)
goal = (31, 14)

# BFS for the shortest path
queue = deque()
queue.append((start, ""))
visited = {start}

while queue:
    (r, c), path = queue.popleft()
    if (r, c) == goal:
        print(f"Solution: {path}")
        print(f"Length: {len(path)}")
        break
    for dr, dc, ch in [(0, -1, 'L'), (0, 1, 'R'), (-1, 0, 'U'), (1, 0, 'D')]:
        nr, nc = r + dr, c + dc
        if 0 <= nr < NUM_ROWS and 0 <= nc < ROW_WIDTH:
            if grid[nr][nc] == 0 and (nr, nc) not in visited:
                visited.add((nr, nc))
                queue.append(((nr, nc), path + ch))
else:
    # The queue drained without reaching the goal: wrong offset or wrong grid size
    print("No path found")
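The two steps of the writeup, the VA-to-file-offset mapping from the section table and the byte-to-grid extraction with BFS, generalise into a small reusable solver. The following is an added example written for this page, not code from the writeup or from the crackme's author. The .data section's VA and raw file pointer are the values quoted above; the section's raw size (0x400) and the 8x6 sample maze are constructed for the example, and the maze uses the same encoding as the binary (0x2e wall, 0x00 path). It also adds the check a solver should end with: replaying the candidate path with the binary's own acceptance rule (any byte >= 1 fails), so a path produced with a wrong offset or grid size is caught before it is typed into the program.

```python
from collections import deque

# --- 1. VA -> file offset through the PE section table -----------------------
# (name, section VA, raw file pointer, raw size). VA and raw pointer for
# .data are the values from the writeup; the raw size is a constructed value.
SECTIONS = [(".data", 0x403000, 0xC00, 0x400)]


def va_to_file_offset(va, sections=SECTIONS):
    """Translate a virtual address into the file offset that backs it."""
    for _name, sec_va, raw_ptr, raw_size in sections:
        if sec_va <= va < sec_va + raw_size:
            return raw_ptr + (va - sec_va)
    raise ValueError(f"VA {va:#x} is not backed by any section's raw data")


# --- 2. Maze extraction using the binary's own wall test ----------------------
def parse_grid(blob, offset, width, height):
    """Cut width*height bytes out of blob and return them as rows of raw
    byte values, so the wall test can mirror `cmp byte [edi], 1 / jge fail`."""
    cells = blob[offset:offset + width * height]
    if len(cells) != width * height:
        raise ValueError("maze region runs past the end of the data")
    return [list(cells[r * width:(r + 1) * width]) for r in range(height)]


def is_wall(cell):
    return cell >= 1  # exactly the comparison the binary performs


MOVES = {"L": (0, -1), "R": (0, 1), "U": (-1, 0), "D": (1, 0)}


def bfs(grid, start, goal):
    """Shortest L/R/U/D path from start to goal, or None if unreachable."""
    if is_wall(grid[start[0]][start[1]]) or is_wall(grid[goal[0]][goal[1]]):
        return None
    height, width = len(grid), len(grid[0])
    queue = deque([(start, "")])
    seen = {start}
    while queue:
        (r, c), path = queue.popleft()
        if (r, c) == goal:
            return path
        for ch, (dr, dc) in MOVES.items():
            nr, nc = r + dr, c + dc
            if (0 <= nr < height and 0 <= nc < width
                    and not is_wall(grid[nr][nc]) and (nr, nc) not in seen):
                seen.add((nr, nc))
                queue.append(((nr, nc), path + ch))
    return None  # queue drained: goal not reachable from start


def replay(grid, start, goal, path):
    """Re-check a candidate path the way the binary would: one step at a
    time, failing on an out-of-bounds move or on any cell with byte >= 1."""
    r, c = start
    for ch in path:
        if ch not in MOVES:
            return False
        dr, dc = MOVES[ch]
        r, c = r + dr, c + dc
        if not (0 <= r < len(grid) and 0 <= c < len(grid[0])):
            return False
        if is_wall(grid[r][c]):
            return False
    return (r, c) == goal


# --- 3. Constructed sample: an 8x6 maze in the binary's encoding --------------
_ASCII = [
    "########",
    "   #    ",
    "## # ## ",
    "#    #  ",
    "# ## # #",
    "#  #   #",
]
MAZE_BYTES = b"".join(
    bytes(0x2E if ch == "#" else 0x00 for ch in row) for row in _ASCII)
SAMPLE_START, SAMPLE_GOAL = (1, 0), (5, 6)

if __name__ == "__main__":
    print(f"{va_to_file_offset(0x4030D0):#x}")  # 0xcd0, as in the writeup
    grid = parse_grid(MAZE_BYTES, 0, 8, 6)
    path = bfs(grid, SAMPLE_START, SAMPLE_GOAL)
    print(path, replay(grid, SAMPLE_START, SAMPLE_GOAL, path))
```

For the real file the call would be parse_grid(data, va_to_file_offset(0x4030C0), 16, 32) with start (1, 0) and goal (31, 14); keeping the cells as raw byte values rather than 0/1 is deliberate, so that replay() applies the same `>= 1` rule the binary does instead of a re-encoded approximation of it.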