[CTF] From RE to IDAPython

Category: CTF



Date: 2021-09-24

Author: Mr-hello

Summary: In a competition I came across a maze-type reverse-engineering challenge and eventually found that it contained no map data; the path could only be traversed by following function calls, which prompted this look into IDAPython.


0x00 Preface

As the summary says, in a nationwide competition I came across a maze-type challenge with no map data; the only way through was to follow the function calls to enumerate the paths and then pick out the correct one. All examples in this article were tested under Python 3 + IDA 7.5.

0x01 Basics

Setting the challenge aside, IDAPython is just Python. Think of it as a few Python modules bundled into IDA; inside IDA you use them to assist your analysis of a program, including (but not limited to) retrieving function calls and assembly code, which takes a lot of the repetitive, tedious work out of reverse engineering.

IDAPython consists of three separate modules. The first is idc, a compatibility module that wraps IDA's IDC functions. The second is idautils, a set of higher-level utility functions for IDA. The third is idaapi, which exposes more of the lower-level data so it can be processed through IDA.

0x02 Usage

1. Get the address under the cursor

idc.get_screen_ea()
here()
idc.next_head(addr)  # address of the next instruction
idc.prev_head(addr)  # address of the previous instruction

2. Get the instruction at an address

idc.print_insn_mnem(addr)   # instruction mnemonic
idc.GetDisasm(addr)         # full disassembly line
idc.print_operand(addr, n)  # the n-th operand (counting from 0)
idc.get_segm_name(addr)     # name of the segment containing addr

3. Segment operations

# Segment name, start address and end address of every segment
for seg in idautils.Segments():
    print(idc.get_segm_name(seg), idc.get_segm_start(seg), idc.get_segm_end(seg))

4. Function operations

# Iterate over all known functions and print address and name.
# get_func_name accepts any address inside the function's boundaries.
for func in idautils.Functions():
    print(hex(func), idc.get_func_name(func))
# idautils.Functions(start_addr, end_addr) restricts the search to an address range.

# Start and end address of the function containing addr
func = idaapi.get_func(addr)
print(func.start_ea, func.end_ea)

# Every instruction address in the function, with its disassembly
all_addr = list(idautils.FuncItems(addr))
for line in all_addr:
    print(hex(line), idc.GetDisasm(line))

5. Cross-references

# Cross-references to a function, yielded as plain addresses
func = idaapi.get_func(address)
for addr in idautils.CodeRefsTo(func.start_ea, 0):
    print(hex(addr))

# Cross-references to a function, yielded as xref objects (with .frm and .to)
func = idaapi.get_func(address)
for xref in idautils.XrefsTo(func.start_ea, 1):
    print(hex(xref.frm), hex(xref.to))

6. Comment operations

idc.set_cmt(addr, strings, 0)  # set a comment (last argument: 0 = regular, 1 = repeatable)
idc.get_cmt(addr, 1)           # get a comment (1 = repeatable)

0x03 Solving the challenge

Back to the topic. Everything above was just study; now let's put it to use. The challenge is a maze problem from the 2021 巅峰极客 online network security skills competition.


It has a clear beginning and end: the final "correct" function is plainly visible. But the program does not store the maze map anywhere; instead each function call branches into the next, and one of those paths leads to the correct end. Analysis showed more than 7000 functions.


At first I considered the most brute-force approach, drawing the map by hand, but after half an hour I realised it was probably a large map, likely 50*50 or more, and gave up. During the competition a colleague solved it with IDAPython; I still felt I should learn it, so I set out to reproduce the solution.

Because the branching is done through different function calls, the approach is to collect all the call relationships and then find a single path from the start function sub_40180E to the end function sub_54DE35. Here I search backwards from the end.

import idautils
import idaapi

finish = 0x54DE35
begin = 0x40180E
path = []

def Xref(addr, path):
    if addr == begin:  # reached the start function: the path is complete
        print(path)
    else:
        for Xref_addr in idautils.CodeRefsTo(addr, 0):  # which addresses reference addr?
            caller = idaapi.get_func(Xref_addr).start_ea  # the function that contains the reference
            if hex(caller) not in path:  # reject steps that go back to a function already on the path
                path.append(hex(caller))  # tentatively add the step, assuming it is correct
                Xref(caller, path)        # recurse and keep walking
                path.pop()                # undo the step on the way back (it was just pushed)

path.append(hex(finish))  # start from the end: the end function enters the path first
Xref(finish, path)
#['0x54de35', '0x54dd7e', '0x54dcc7', '0x54dc10', '0x5490e9', '0x547f0e', '0x547fc1', '0x548078', '0x543df5', '0x54265e', '0x53e76e', '0x53cfd7', '0x538e0f', '0x537b79', '0x537ac2', '0x537a0b', '0x5339a9', '0x532212', '0x5322c9', '0x532380', '0x52e287', '0x52c8cb', '0x5289e3', '0x527303', '0x52340b', '0x521d2b', '0x51de3b', '0x51c5ed', '0x51c536', '0x51c47f', '0x51c3c8', '0x51c311', '0x51c25a', '0x51c1a3', '0x51dd84', '0x521a4b', '0x521994', '0x5218dd', '0x51dccd', '0x51c0ec', '0x518656', '0x5169ba', '0x512cfb', '0x51128c', '0x5111d5', '0x51111e', '0x511067', '0x510fb4', '0x50d5c5', '0x50b9dc', '0x50b925', '0x50b86e', '0x50b7b7', '0x50b700', '0x50b649', '0x50b592', '0x50b4db', '0x50b424', '0x507c6e', '0x505e68', '0x502759', '0x50050d', '0x4fcf5c', '0x4fb209', '0x4fb2c0', '0x4fb377', '0x4f7826', '0x4f5c45', '0x4f5b8e', '0x4f5ad7', '0x4f5a20', '0x4f5969', '0x4f58b2', '0x4f57fb', '0x4f1e1c', '0x4f0188', '0x4ec854', '0x4ea772', '0x4ea6bb', '0x4ea608', '0x4ea551', '0x4ea49a', '0x4ec6e6', '0x4f0016', '0x4f1d65', '0x4f55d6', '0x4f568d', '0x4f5744', '0x4f776f', '0x4faf2d', '0x4fae76', '0x4fadbf', '0x4fad08', '0x4fac51', '0x4f76b8', '0x4f551f', '0x4f1cae', '0x4eff5f', '0x4ec62f', '0x4ea3e3', '0x4ea32c', '0x4ea275', '0x4ec578', '0x4efea8', '0x4efdf1', '0x4efd3a', '0x4efc83', '0x4efbcc', '0x4ec4c1', '0x4ea103', '0x4ea04c', '0x4e9f99', '0x4e9ee2', '0x4e9e2b', '0x4e9d74', '0x4e9cc1', '0x4e6cd4', '0x4e4c99', '0x4e4d50', '0x4e4e07', '0x4e19d0', '0x4df119', '0x4df062', '0x4defab', '0x4dc2aa', '0x4d97d2', '0x4d9885', '0x4d993c', '0x4d6a0e', '0x4d4370', '0x4d1010', '0x4ceadc', '0x4ceb93', '0x4cbaeb', '0x4c972d', '0x4c9676', '0x4c651b', '0x4c40a6', '0x4c3fef', '0x4c3f3c', '0x4c0e98', '0x4be8b5', '0x4bb3cf', '0x4b917f', '0x4b90c8', '0x4b9015', '0x4b8f5e', '0x4b8ea7', '0x4b8df0', '0x4b8d39', '0x4b5d60', '0x4b355c', '0x4b0411', '0x4ade2a', '0x4add73', '0x4adcc0', '0x4adc09', '0x4adb52', '0x4aad8a', '0x4a8410', '0x4a56ff', '0x4a305d', '0x4a2fa6', '0x4a2eef', '0x49ffbd', '0x49d59c', 
'0x49a88f', '0x497e62', '0x495214', '0x4927e3', '0x49272c', '0x492675', '0x48f802', '0x48d0b1', '0x48cffa', '0x48cf43', '0x48ce8c', '0x48cdd5', '0x48a45b', '0x487255', '0x484b10', '0x481dfb', '0x481d44', '0x481c91', '0x47f264', '0x47c6c5', '0x47c60e', '0x47c557', '0x47c4a0', '0x47c3e9', '0x47c332', '0x47c27b', '0x47c1c4', '0x47c111', '0x4799c0', '0x476a96', '0x4769df', '0x476928', '0x474345', '0x471088', '0x470fd1', '0x470f1a', '0x47428e', '0x476871', '0x4767ba', '0x476703', '0x47664c', '0x476599', '0x4741d7', '0x470da8', '0x470cf1', '0x470c3a', '0x470b83', '0x470acc', '0x46ea99', '0x46b4f4', '0x469363', '0x465f34', '0x465feb', '0x4660a2', '0x4638a6', '0x460980', '0x45e22b', '0x45b0d4', '0x458c57', '0x45599e', '0x453255', '0x4505eb', '0x450534', '0x45047d', '0x45319e', '0x4558e7', '0x458ba0', '0x45b021', '0x45af6a', '0x45aeb3', '0x45e0bd', '0x46080e', '0x4637ef', '0x465e81', '0x465dca', '0x465d13', '0x4691f5', '0x46b386', '0x46e92b', '0x47095e', '0x474069', '0x476206', '0x47614f', '0x476098', '0x473fb2', '0x4708a7', '0x46e874', '0x46b2cf', '0x46913e', '0x465c5c', '0x463738', '0x4605e9', '0x4606a0', '0x460757', '0x45e006', '0x45adfc', '0x458ae9', '0x4556c2', '0x455779', '0x455830', '0x4530e7', '0x4503c6', '0x45030f', '0x450258', '0x44de8a', '0x44a9ac', '0x44a8f5', '0x44a83e', '0x44a787', '0x44a6d4', '0x44a61d', '0x44a566', '0x44a4af', '0x44a3f8', '0x44a341', '0x44a28a', '0x448490', '0x444d89', '0x442a86', '0x43f4e1', '0x43f598', '0x43f64f', '0x442b3d', '0x444e40', '0x444ef7', '0x444fae', '0x442bf4', '0x43f706', '0x43d575', '0x439d08', '0x439dbf', '0x439e76', '0x437d90', '0x43496d', '0x432441', '0x42f00a', '0x42d08e', '0x429db9', '0x429e70', '0x429f27', '0x429fde', '0x42a095', '0x4279f3', '0x4247e5', '0x42472e', '0x424677', '0x4245c0', '0x424509', '0x42242f', '0x41ed2c', '0x41c8bf', '0x419547', '0x417520', '0x413e15', '0x411d2b', '0x40e565', '0x40c812', '0x408ef6', '0x408e3f', '0x408d88', '0x406bf3', '0x402b06', '0x402a4f', '0x40299c', '0x406b3c', '0x408cd1', 
'0x40c75b', '0x40e340', '0x40e3f7', '0x40e4ae', '0x411c74', '0x413d5e', '0x413ca7', '0x413bf0', '0x413b39', '0x413a82', '0x417469', '0x4191b4', '0x41926b', '0x419322', '0x4193d9', '0x419490', '0x41c808', '0x41ec75', '0x41ebbe', '0x41eb07', '0x41ea50', '0x41e99d', '0x41e8e6', '0x41e82f', '0x4222c1', '0x4240c3', '0x42400c', '0x423f55', '0x423e9e', '0x423deb', '0x42220a', '0x41e6bd', '0x41e606', '0x41e54f', '0x422153', '0x423d34', '0x427717', '0x429693', '0x4295dc', '0x429525', '0x427660', '0x423c7d', '0x42209c', '0x41e498', '0x41e3e1', '0x41e32e', '0x41c69a', '0x418b45', '0x418bfc', '0x418cb3', '0x41718d', '0x413638', '0x411998', '0x40de3b', '0x40c3c8', '0x408666', '0x40871d', '0x4087d4', '0x40c47f', '0x40def2', '0x411a4f', '0x4136ef', '0x4137a2', '0x413859', '0x4172fb', '0x418e25', '0x418edc', '0x418f93', '0x419046', '0x4190fd', '0x4173b2', '0x4139cb', '0x411bbd', '0x40e11b', '0x40e1d2', '0x40e289', '0x40c6a4', '0x408c1a', '0x408b63', '0x408aac', '0x406a85', '0x402773', '0x4026bc', '0x402605', '0x40254e', '0x40249b', '0x4023e4', '0x40232d', '0x402276', '0x4021bf', '0x402108', '0x402051', '0x401f9a', '0x401ee3', '0x401e2c', '0x401d79', '0x401cc2', '0x401c0f', '0x401b58', '0x401aa1', '0x4019ea', '0x401933', '0x4067a9', '0x407ff7', '0x4080aa', '0x408161', '0x40c25a', '0x40d93a', '0x40d9f1', '0x40daa8', '0x4116bc', '0x413358', '0x416f68', '0x418869', '0x4187b2', '0x4186fb', '0x418644', '0x41858d', '0x4184d6', '0x418423', '0x416eb1', '0x413078', '0x41154e', '0x40d7cc', '0x40c0ec', '0x407f40', '0x4066f2', '0x40187c', '0x40180e']

With the code above we obtain the function-call chain of the correct path. But once we have that chain, how do we turn it into our input?


Further analysis showed that where the next function is called, the instruction before the call carries a code comment. That is the hook: when following a cross-reference, first read the comment on the previous instruction, then take its last two characters.

import idautils
import idaapi
import idc

finish = 0x54DE35
begin = 0x40180E
path = []
cmt = []

def Xref(addr, path):
    if addr == begin:
        print(cmt)
    else:
        for Xref_addr in idautils.CodeRefsTo(addr, 0):
            caller = idaapi.get_func(Xref_addr).start_ea
            if hex(caller) not in path:
                # comment on the instruction before the referencing one
                cmt.append(idc.get_cmt(idc.prev_head(Xref_addr), 1))
                path.append(hex(caller))
                Xref(caller, path)
                path.pop()
                cmt.pop()  # pop the entry just pushed; remove() by value could hit an equal earlier entry

path.append(hex(finish))
Xref(finish, path)
#['jumptable 000000000054DDF3 case 83', 'jumptable 000000000054DD3C case 68', 'jumptable 000000000054DC85 case 68', 'jumptable 000000000054915E case 83', 'jumptable 0000000000547F83 case 83', 'jumptable 0000000000548036 case 65', 'jumptable 00000000005480ED case 65', 'jumptable 0000000000543E6A case 83', 'jumptable 00000000005426D3 case 83', 'jumptable 000000000053E7E3 case 83', 'jumptable 000000000053D04C case 83', 'jumptable 0000000000538E84 case 83', 'jumptable 0000000000537BEE case 83', 'jumptable 0000000000537B37 case 68', 'jumptable 0000000000537A80 case 68', 'jumptable 0000000000533A1E case 83', 'jumptable 0000000000532287 case 83', 'jumptable 000000000053233E case 65', 'jumptable 00000000005323F5 case 65', 'jumptable 000000000052E2FC case 83', 'jumptable 000000000052C940 case 83', 'jumptable 0000000000528A58 case 83', 'jumptable 0000000000527378 case 83', 'jumptable 0000000000523480 case 83', 'jumptable 0000000000521DA0 case 83', 'jumptable 000000000051DEB0 case 83', 'jumptable 000000000051C662 case 83', 'jumptable 000000000051C5AB case 68', 'jumptable 000000000051C4F4 case 68', 'jumptable 000000000051C43D case 68', 'jumptable 000000000051C386 case 68', 'jumptable 000000000051C2CF case 68', 'jumptable 000000000051C218 case 68', 'jumptable 000000000051DDF9 case 87', 'jumptable 0000000000521AC0 case 87', 'jumptable 0000000000521A09 case 68', 'jumptable 0000000000521952 case 68', 'jumptable 000000000051DD42 case 83', 'jumptable 000000000051C161 case 83', 'jumptable 00000000005186CB case 83', 'jumptable 0000000000516A2F case 83', 'jumptable 0000000000512D70 case 83', 'jumptable 
0000000000511301 case 83', 'jumptable 000000000051124A case 68', 'jumptable 0000000000511193 case 68', 'jumptable 00000000005110DC case 68', 'jumptable 0000000000511029 case 68', 'jumptable 000000000050D63A case 83', 'jumptable 000000000050BA51 case 83', 'jumptable 000000000050B99A case 68', 'jumptable 000000000050B8E3 case 68', 'jumptable 000000000050B82C case 68', 'jumptable 000000000050B775 case 68', 'jumptable 000000000050B6BE case 68', 'jumptable 000000000050B607 case 68', 'jumptable 000000000050B550 case 68', 'jumptable 000000000050B499 case 68', 'jumptable 0000000000507CE3 case 83', 'jumptable 0000000000505EDD case 83', 'jumptable 00000000005027CE case 83', 'jumptable 0000000000500582 case 83', 'jumptable 00000000004FCFD1 case 83', 'jumptable 00000000004FB27E case 83', 'jumptable 00000000004FB335 case 65', 'jumptable 00000000004FB3EC case 65', 'jumptable 00000000004F789B case 83', 'jumptable 00000000004F5CBA case 83', 'jumptable 00000000004F5C03 case 68', 'jumptable 00000000004F5B4C case 68', 'jumptable 00000000004F5A95 case 68', 'jumptable 00000000004F59DE case 68', 'jumptable 00000000004F5927 case 68', 'jumptable 00000000004F5870 case 68', 'jumptable 00000000004F1E91 case 83', 'jumptable 00000000004F01FD case 83', 'jumptable 00000000004EC8C9 case 83', 'jumptable 00000000004EA7E7 case 83', 'jumptable 00000000004EA730 case 68', 'jumptable 00000000004EA67D case 68', 'jumptable 00000000004EA5C6 case 68', 'jumptable 00000000004EA50F case 68', 'jumptable 00000000004EC75B case 87', 'jumptable 00000000004F008B case 87', 'jumptable 00000000004F1DDA case 87', 'jumptable 00000000004F564B case 87', 'jumptable 00000000004F5702 case 65', 'jumptable 00000000004F57B9 case 65', 'jumptable 00000000004F77E4 case 87', 'jumptable 00000000004FAFA2 case 87', 'jumptable 00000000004FAEEB case 68', 'jumptable 00000000004FAE34 case 68', 'jumptable 00000000004FAD7D case 68', 'jumptable 00000000004FACC6 case 68', 'jumptable 00000000004F772D case 83', 'jumptable 00000000004F5594 case 
83', 'jumptable 00000000004F1D23 case 83', 'jumptable 00000000004EFFD4 case 83', 'jumptable 00000000004EC6A4 case 83', 'jumptable 00000000004EA458 case 83', 'jumptable 00000000004EA3A1 case 68', 'jumptable 00000000004EA2EA case 68', 'jumptable 00000000004EC5ED case 87', 'jumptable 00000000004EFF1D case 87', 'jumptable 00000000004EFE66 case 68', 'jumptable 00000000004EFDAF case 68', 'jumptable 00000000004EFCF8 case 68', 'jumptable 00000000004EFC41 case 68', 'jumptable 00000000004EC536 case 83', 'jumptable 00000000004EA178 case 83', 'jumptable 00000000004EA0C1 case 68', 'jumptable 00000000004EA00E case 68', 'jumptable 00000000004E9F57 case 68', 'jumptable 00000000004E9EA0 case 68', 'jumptable 00000000004E9DE9 case 68', 'jumptable 00000000004E9D36 case 68', 'jumptable 00000000004E6D49 case 83', 'jumptable 00000000004E4D0E case 83', 'jumptable 00000000004E4DC5 case 65', 'jumptable 00000000004E4E7C case 65', 'jumptable 00000000004E1A45 case 83', 'jumptable 00000000004DF18E case 83', 'jumptable 00000000004DF0D7 case 68', 'jumptable 00000000004DF020 case 68', 'jumptable 00000000004DC31F case 83', 'jumptable 00000000004D9847 case 83', 'jumptable 00000000004D98FA case 65', 'jumptable 00000000004D99B1 case 65', 'jumptable 00000000004D6A83 case 83', 'jumptable 00000000004D43E5 case 83', 'jumptable 00000000004D1085 case 83', 'jumptable 00000000004CEB51 case 83', 'jumptable 00000000004CEC08 case 65', 'jumptable 00000000004CBB60 case 83', 'jumptable 00000000004C97A2 case 83', 'jumptable 00000000004C96EB case 68', 'jumptable 00000000004C6590 case 83', 'jumptable 00000000004C411B case 83', 'jumptable 00000000004C4064 case 68', 'jumptable 00000000004C3FB1 case 68', 'jumptable 00000000004C0F0D case 83', 'jumptable 00000000004BE92A case 83', 'jumptable 00000000004BB444 case 83', 'jumptable 00000000004B91F4 case 83', 'jumptable 00000000004B913D case 68', 'jumptable 00000000004B908A case 68', 'jumptable 00000000004B8FD3 case 68', 'jumptable 00000000004B8F1C case 68', 'jumptable 
00000000004B8E65 case 68', 'jumptable 00000000004B8DAE case 68', 'jumptable 00000000004B5DD5 case 83', 'jumptable 00000000004B35D1 case 83', 'jumptable 00000000004B0486 case 83', 'jumptable 00000000004ADE9F case 83', 'jumptable 00000000004ADDE8 case 68', 'jumptable 00000000004ADD35 case 68', 'jumptable 00000000004ADC7E case 68', 'jumptable 00000000004ADBC7 case 68', 'jumptable 00000000004AADFF case 83', 'jumptable 00000000004A8485 case 83', 'jumptable 00000000004A5774 case 83', 'jumptable 00000000004A30D2 case 83', 'jumptable 00000000004A301B case 68', 'jumptable 00000000004A2F64 case 68', 'jumptable 00000000004A0032 case 83', 'jumptable 000000000049D611 case 83', 'jumptable 000000000049A904 case 83', 'jumptable 0000000000497ED7 case 83', 'jumptable 0000000000495289 case 83', 'jumptable 0000000000492858 case 83', 'jumptable 00000000004927A1 case 68', 'jumptable 00000000004926EA case 68', 'jumptable 000000000048F877 case 83', 'jumptable 000000000048D126 case 83', 'jumptable 000000000048D06F case 68', 'jumptable 000000000048CFB8 case 68', 'jumptable 000000000048CF01 case 68', 'jumptable 000000000048CE4A case 68', 'jumptable 000000000048A4D0 case 83', 'jumptable 00000000004872CA case 83', 'jumptable 0000000000484B85 case 83', 'jumptable 0000000000481E70 case 83', 'jumptable 0000000000481DB9 case 68', 'jumptable 0000000000481D06 case 68', 'jumptable 000000000047F2D9 case 83', 'jumptable 000000000047C73A case 83', 'jumptable 000000000047C683 case 68', 'jumptable 000000000047C5CC case 68', 'jumptable 000000000047C515 case 68', 'jumptable 000000000047C45E case 68', 'jumptable 000000000047C3A7 case 68', 'jumptable 000000000047C2F0 case 68', 'jumptable 000000000047C239 case 68', 'jumptable 000000000047C186 case 68', 'jumptable 0000000000479A35 case 83', 'jumptable 0000000000476B0B case 83', 'jumptable 0000000000476A54 case 68', 'jumptable 000000000047699D case 68', 'jumptable 00000000004743BA case 83', 'jumptable 00000000004710FD case 83', 'jumptable 0000000000471046 case 
68', 'jumptable 0000000000470F8F case 68', 'jumptable 0000000000474303 case 87', 'jumptable 00000000004768E6 case 87', 'jumptable 000000000047682F case 68', 'jumptable 0000000000476778 case 68', 'jumptable 00000000004766C1 case 68', 'jumptable 000000000047660E case 68', 'jumptable 000000000047424C case 83', 'jumptable 0000000000470E1D case 83', 'jumptable 0000000000470D66 case 68', 'jumptable 0000000000470CAF case 68', 'jumptable 0000000000470BF8 case 68', 'jumptable 0000000000470B41 case 68', 'jumptable 000000000046EB0E case 83', 'jumptable 000000000046B569 case 83', 'jumptable 00000000004693D8 case 83', 'jumptable 0000000000465FA9 case 83', 'jumptable 0000000000466060 case 65', 'jumptable 0000000000466117 case 65', 'jumptable 000000000046391B case 83', 'jumptable 00000000004609F5 case 83', 'jumptable 000000000045E2A0 case 83', 'jumptable 000000000045B149 case 83', 'jumptable 0000000000458CCC case 83', 'jumptable 0000000000455A13 case 83', 'jumptable 00000000004532CA case 83', 'jumptable 0000000000450660 case 83', 'jumptable 00000000004505A9 case 68', 'jumptable 00000000004504F2 case 68', 'jumptable 0000000000453213 case 87', 'jumptable 000000000045595C case 87', 'jumptable 0000000000458C15 case 87', 'jumptable 000000000045B096 case 87', 'jumptable 000000000045AFDF case 68', 'jumptable 000000000045AF28 case 68', 'jumptable 000000000045E132 case 87', 'jumptable 0000000000460883 case 87', 'jumptable 0000000000463864 case 87', 'jumptable 0000000000465EF6 case 87', 'jumptable 0000000000465E3F case 68', 'jumptable 0000000000465D88 case 68', 'jumptable 000000000046926A case 87', 'jumptable 000000000046B3FB case 87', 'jumptable 000000000046E9A0 case 87', 'jumptable 00000000004709D3 case 87', 'jumptable 00000000004740DE case 87', 'jumptable 000000000047627B case 87', 'jumptable 00000000004761C4 case 68', 'jumptable 000000000047610D case 68', 'jumptable 0000000000474027 case 83', 'jumptable 000000000047091C case 83', 'jumptable 000000000046E8E9 case 83', 'jumptable 
000000000046B344 case 83', 'jumptable 00000000004691B3 case 83', 'jumptable 0000000000465CD1 case 83', 'jumptable 00000000004637AD case 83', 'jumptable 000000000046065E case 83', 'jumptable 0000000000460715 case 65', 'jumptable 00000000004607CC case 65', 'jumptable 000000000045E07B case 83', 'jumptable 000000000045AE71 case 83', 'jumptable 0000000000458B5E case 83', 'jumptable 0000000000455737 case 83', 'jumptable 00000000004557EE case 65', 'jumptable 00000000004558A5 case 65', 'jumptable 000000000045315C case 83', 'jumptable 000000000045043B case 83', 'jumptable 0000000000450384 case 68', 'jumptable 00000000004502CD case 68', 'jumptable 000000000044DEFF case 83', 'jumptable 000000000044AA21 case 83', 'jumptable 000000000044A96A case 68', 'jumptable 000000000044A8B3 case 68', 'jumptable 000000000044A7FC case 68', 'jumptable 000000000044A749 case 68', 'jumptable 000000000044A692 case 68', 'jumptable 000000000044A5DB case 68', 'jumptable 000000000044A524 case 68', 'jumptable 000000000044A46D case 68', 'jumptable 000000000044A3B6 case 68', 'jumptable 000000000044A2FF case 68', 'jumptable 0000000000448505 case 83', 'jumptable 0000000000444DFE case 83', 'jumptable 0000000000442AFB case 83', 'jumptable 000000000043F556 case 83', 'jumptable 000000000043F60D case 65', 'jumptable 000000000043F6C4 case 65', 'jumptable 0000000000442BB2 case 87', 'jumptable 0000000000444EB5 case 87', 'jumptable 0000000000444F6C case 65', 'jumptable 0000000000445023 case 65', 'jumptable 0000000000442C69 case 83', 'jumptable 000000000043F77B case 83', 'jumptable 000000000043D5EA case 83', 'jumptable 0000000000439D7D case 83', 'jumptable 0000000000439E34 case 65', 'jumptable 0000000000439EEB case 65', 'jumptable 0000000000437E05 case 83', 'jumptable 00000000004349E2 case 83', 'jumptable 00000000004324B6 case 83', 'jumptable 000000000042F07F case 83', 'jumptable 000000000042D103 case 83', 'jumptable 0000000000429E2E case 83', 'jumptable 0000000000429EE5 case 65', 'jumptable 0000000000429F9C case 
65', 'jumptable 000000000042A053 case 65', 'jumptable 000000000042A10A case 65', 'jumptable 0000000000427A68 case 83', 'jumptable 000000000042485A case 83', 'jumptable 00000000004247A3 case 68', 'jumptable 00000000004246EC case 68', 'jumptable 0000000000424635 case 68', 'jumptable 000000000042457E case 68', 'jumptable 00000000004224A4 case 83', 'jumptable 000000000041EDA1 case 83', 'jumptable 000000000041C934 case 83', 'jumptable 00000000004195BC case 83', 'jumptable 0000000000417595 case 83', 'jumptable 0000000000413E8A case 83', 'jumptable 0000000000411DA0 case 83', 'jumptable 000000000040E5DA case 83', 'jumptable 000000000040C887 case 83', 'jumptable 0000000000408F6B case 83', 'jumptable 0000000000408EB4 case 68', 'jumptable 0000000000408DFD case 68', 'jumptable 0000000000406C68 case 83', 'jumptable 0000000000402B7B case 83', 'jumptable 0000000000402AC4 case 68', 'jumptable 0000000000402A11 case 68', 'jumptable 0000000000406BB1 case 87', 'jumptable 0000000000408D46 case 87', 'jumptable 000000000040C7D0 case 87', 'jumptable 000000000040E3B5 case 87', 'jumptable 000000000040E46C case 65', 'jumptable 000000000040E523 case 65', 'jumptable 0000000000411CE9 case 87', 'jumptable 0000000000413DD3 case 87', 'jumptable 0000000000413D1C case 68', 'jumptable 0000000000413C65 case 68', 'jumptable 0000000000413BAE case 68', 'jumptable 0000000000413AF7 case 68', 'jumptable 00000000004174DE case 87', 'jumptable 0000000000419229 case 87', 'jumptable 00000000004192E0 case 65', 'jumptable 0000000000419397 case 65', 'jumptable 000000000041944E case 65', 'jumptable 0000000000419505 case 65', 'jumptable 000000000041C87D case 87', 'jumptable 000000000041ECEA case 87', 'jumptable 000000000041EC33 case 68', 'jumptable 000000000041EB7C case 68', 'jumptable 000000000041EAC5 case 68', 'jumptable 000000000041EA12 case 68', 'jumptable 000000000041E95B case 68', 'jumptable 000000000041E8A4 case 68', 'jumptable 0000000000422336 case 87', 'jumptable 0000000000424138 case 87', 'jumptable 
0000000000424081 case 68', 'jumptable 0000000000423FCA case 68', 'jumptable 0000000000423F13 case 68', 'jumptable 0000000000423E60 case 68', 'jumptable 000000000042227F case 83', 'jumptable 000000000041E732 case 83', 'jumptable 000000000041E67B case 68', 'jumptable 000000000041E5C4 case 68', 'jumptable 00000000004221C8 case 87', 'jumptable 0000000000423DA9 case 87', 'jumptable 000000000042778C case 87', 'jumptable 0000000000429708 case 87', 'jumptable 0000000000429651 case 68', 'jumptable 000000000042959A case 68', 'jumptable 00000000004276D5 case 83', 'jumptable 0000000000423CF2 case 83', 'jumptable 0000000000422111 case 83', 'jumptable 000000000041E50D case 83', 'jumptable 000000000041E456 case 68', 'jumptable 000000000041E3A3 case 68', 'jumptable 000000000041C70F case 83', 'jumptable 0000000000418BBA case 83', 'jumptable 0000000000418C71 case 65', 'jumptable 0000000000418D28 case 65', 'jumptable 0000000000417202 case 83', 'jumptable 00000000004136AD case 83', 'jumptable 0000000000411A0D case 83', 'jumptable 000000000040DEB0 case 83', 'jumptable 000000000040C43D case 83', 'jumptable 00000000004086DB case 83', 'jumptable 0000000000408792 case 65', 'jumptable 0000000000408849 case 65', 'jumptable 000000000040C4F4 case 87', 'jumptable 000000000040DF67 case 87', 'jumptable 0000000000411AC4 case 87', 'jumptable 0000000000413764 case 87', 'jumptable 0000000000413817 case 65', 'jumptable 00000000004138CE case 65', 'jumptable 0000000000417370 case 87', 'jumptable 0000000000418E9A case 87', 'jumptable 0000000000418F51 case 65', 'jumptable 0000000000419008 case 65', 'jumptable 00000000004190BB case 65', 'jumptable 0000000000419172 case 65', 'jumptable 0000000000417427 case 83', 'jumptable 0000000000413A40 case 83', 'jumptable 0000000000411C32 case 83', 'jumptable 000000000040E190 case 83', 'jumptable 000000000040E247 case 65', 'jumptable 000000000040E2FE case 65', 'jumptable 000000000040C719 case 83', 'jumptable 0000000000408C8F case 83', 'jumptable 0000000000408BD8 case 
68', 'jumptable 0000000000408B21 case 68', 'jumptable 0000000000406AFA case 83', 'jumptable 00000000004027E8 case 83', 'jumptable 0000000000402731 case 68', 'jumptable 000000000040267A case 68', 'jumptable 00000000004025C3 case 68', 'jumptable 0000000000402510 case 68', 'jumptable 0000000000402459 case 68', 'jumptable 00000000004023A2 case 68', 'jumptable 00000000004022EB case 68', 'jumptable 0000000000402234 case 68', 'jumptable 000000000040217D case 68', 'jumptable 00000000004020C6 case 68', 'jumptable 000000000040200F case 68', 'jumptable 0000000000401F58 case 68', 'jumptable 0000000000401EA1 case 68', 'jumptable 0000000000401DEE case 68', 'jumptable 0000000000401D37 case 68', 'jumptable 0000000000401C84 case 68', 'jumptable 0000000000401BCD case 68', 'jumptable 0000000000401B16 case 68', 'jumptable 0000000000401A5F case 68', 'jumptable 00000000004019A8 case 68', 'jumptable 000000000040681E case 87', 'jumptable 000000000040806C case 87', 'jumptable 000000000040811F case 65', 'jumptable 00000000004081D6 case 65', 'jumptable 000000000040C2CF case 87', 'jumptable 000000000040D9AF case 87', 'jumptable 000000000040DA66 case 65', 'jumptable 000000000040DB1D case 65', 'jumptable 0000000000411731 case 87', 'jumptable 00000000004133CD case 87', 'jumptable 0000000000416FDD case 87', 'jumptable 00000000004188DE case 87', 'jumptable 0000000000418827 case 68', 'jumptable 0000000000418770 case 68', 'jumptable 00000000004186B9 case 68', 'jumptable 0000000000418602 case 68', 'jumptable 000000000041854B case 68', 'jumptable 0000000000418498 case 68', 'jumptable 0000000000416F26 case 83', 'jumptable 00000000004130ED case 83', 'jumptable 00000000004115C3 case 83', 'jumptable 000000000040D841 case 83', 'jumptable 000000000040C161 case 83', 'jumptable 0000000000407FB5 case 83', 'jumptable 0000000000406767 case 83', 'jumptable 00000000004018F1 case 83', None]

The last entry is None; looking at the code, this is because the start function is written differently from the others.


In the final processing, delete the None and append an S at the end.

def mut(op):
    if op == '83':
        return 'S'
    if op == '68':
        return 'D'
    if op == '65':
        return 'A'
    if op == '87':
        return 'W'

def Xref(addr, path):
    if addr == begin:
        flag = ''
        for i in cmt:
            if i is None:  # the start function carries no comment (see above); drop it
                continue
            flag += mut(i[-2:])  # last two characters of the comment are the case number
        print(flag[::-1] + 'S')  # reverse into begin->finish order, then append the S
    # the else branch (the cross-reference walk) is unchanged from the script above
#SSSSSSSSDDDDDDWWWWAAWWAAWWDDDDDDDDDDDDDDDDDDDDSSDDSSAASSSSAAAAWWAAWWWWAASSSSSSAASSDDSSSSDDWWWWDDSSDDDDWWDDDDDDWWAAAAWWDDDDWWAAWWWWDDSSDDSSSSSSSSSSDDDDSSAAAASSSSSSAASSSSAAWWAASSSSDDDDDDDDDDSSDDSSAASSSSAASSSSSSSSDDWWWWWWDDWWWWDDWWWWDDSSSSSSSSAASSSSDDDDSSDDDDWWDDSSDDSSDDDDDDDDSSDDSSSSDDDDSSDDSSSSSSDDSSSSDDDDSSSSDDDDDDSSSSDDSSDSSASSSSAASSDDSSAASSDDDDDDSSDDDDWWDDSSSSSSDDDDWWAAWWWWDDDDSSSSDDDDDDSSAASSSSSSDDDDDDDDSSDDDDSSSSSSDDWWDDDDDDSSSSSSSSAASSDDSSSSSSAASSDDS
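The backtracking search and the comment-to-key mapping from the scripts above, as an added example that is not the post's code: it runs offline over a small constructed call graph (hypothetical addresses and comments) standing in for idautils.CodeRefsTo() and idc.get_cmt(), so the search, the "already on the path" check, the dead-end backtracking and the None at the start function can all be exercised without IDA. It also generalizes the post's mut() table: the jumptable case numbers are the ASCII codes of the W/A/S/D keys.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed call graph (hypothetical addresses, not the challenge binary):
# callee -> [(caller, comment on the instruction before the call)].
# Each function is one maze cell; the caller's "jumptable ... case N" comment
# names the key that moves from the caller into the callee.
BEGIN = 0x401000
FINISH = 0x401500
CALLERS: Dict[int, List[Tuple[int, Optional[str]]]] = {
    BEGIN: [],                                                     # nothing calls the start
    0x401100: [(0x401200, "jumptable 0000000000401250 case 65"),   # A: a step back into this cell
               (BEGIN, None)],                                     # start is coded differently: no comment
    0x401200: [(0x401100, "jumptable 0000000000401150 case 68"),   # D
               (0x401300, "jumptable 0000000000401360 case 87")],  # W
    0x401300: [(0x401100, "jumptable 0000000000401160 case 83")],  # S
    0x401350: [],                                                  # no function calls this cell: a dead end
    0x401400: [(0x401350, "jumptable 0000000000401370 case 87"),   # W (from the dead end)
               (0x401300, "jumptable 0000000000401350 case 68")],  # D
    FINISH: [(0x401400, "jumptable 0000000000401450 case 83")],    # S
}

# The post's real path is several hundred functions deep; give the recursion room.
sys.setrecursionlimit(max(sys.getrecursionlimit(), 20000))


def find_paths(callers, begin, finish):
    """Depth-first backtracking from finish towards begin, as in the post's Xref().
    Returns every solution as (path, moves): path lists function addresses in
    execution order, moves lists the comment read on each step (None if absent)."""
    solutions = []
    path = [finish]   # functions on the current trial path, finish first
    moves = []        # comment for each step taken, parallel to path[1:]

    def walk(addr):
        if addr == begin:
            solutions.append((path[::-1], moves[::-1]))
            return
        for caller, comment in callers.get(addr, []):
            if caller in path:        # would re-enter a cell already on the path
                continue
            path.append(caller)       # assume the step is correct ...
            moves.append(comment)
            walk(caller)
            path.pop()                # ... and undo it once the branch is exhausted
            moves.pop()

    walk(finish)
    return solutions


KEYS = {83: "S", 68: "D", 65: "A", 87: "W"}   # ASCII codes of the WASD keys


def comment_to_key(comment, missing="S"):
    """'jumptable 000000000054DDF3 case 83' -> 'S'. The case number is the ASCII
    code of the key, which is why the post's table maps 83/68/65/87 to S/D/A/W.
    A missing comment (the post's None at the start function) gets the key
    supplied by the caller."""
    if comment is None:
        return missing
    m = re.search(r"\bcase (\d+)$", comment)
    if not m or int(m.group(1)) not in KEYS:
        raise ValueError(f"unexpected comment: {comment!r}")
    return KEYS[int(m.group(1))]


def solve(callers, begin, finish, missing="S"):
    """Key sequence for every begin->finish path found."""
    return ["".join(comment_to_key(c, missing) for c in moves)
            for _, moves in find_paths(callers, begin, finish)]


if __name__ == "__main__":
    for path, moves in find_paths(CALLERS, BEGIN, FINISH):
        print([hex(a) for a in path], moves)
    print(solve(CALLERS, BEGIN, FINISH))   # ['SSDS']
```

Two details differ from the post's script on purpose. The path is unwound with list.pop() rather than list.remove(): the element to discard is always the one pushed last, and remove() searches by value, so with equal comment strings it could delete an earlier entry and corrupt the key sequence. And the search collects every path instead of printing the first, which is what you want when a maze has more than one route; with the post's binary, swap CALLERS for idautils.CodeRefsTo()/idaapi.get_func() and idc.get_cmt(idc.prev_head(ref), 1) exactly as the scripts above do.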

0x04 Summary

Above I have only listed usage examples for a few common methods, partly as notes for myself. If you want to dig deeper or need more usage examples, reply 0924-IDA on the public account to get the Chinese IDAPython manual translated from y0n. Note that the translation is fairly old: IDA 7.4 renamed the idc library methods, and you can cross-reference them against Porting from IDAPython 6.x-7.3, to 7.4[1].

That completes the challenge. The IDAPython material was groundwork; the really troublesome part was the code that derives the function-call relationships, and working out how to store the path and how to discard wrong paths was the crux of this problem. I still write too little code; when the logic will not come together, every step is a struggle.

References

[1] Porting from IDAPython 6.x-7.3, to 7.4: https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml


Disclaimer: this article is for security research and discussion only; use for illegal purposes is strictly prohibited, and offenders bear the consequences themselves.



宸极实验室 (Chenji Lab)

宸极实验室 (Chenji Lab) is part of 山东九州信泰信息科技股份有限公司 (Shandong Jiuzhou Xintai Information Technology Co., Ltd.). It focuses on research into network security adversarial techniques and is recognised by the Shandong Provincial Development and Reform Commission as the "Shandong Engineering Laboratory for Key Technologies of Network Security Confrontation". Team members specialise in web security, mobile security and red/blue team exercises, using an attacker's perspective to find and fix security problems.

Since its founding, the team has successfully completed many national and provincial network security assurance and attack-defence exercises, and has taken part in a wide range of cybersecurity competitions, winning numerous awards.

Anyone interested in information security is welcome to join 宸极实验室: follow the public account and reply 『招聘』 (recruitment) for contact details.

