首页 > 分享 > IDApython练习1

IDApython练习1

花匠小妙招
2025-06-17 03:15

IDApython练习1-脚本去花

这里主要是练习IDApython脚本去花

1

这里
jz跳转条件是zf=1，
jnz跳转条件是zf=0，
但是zf就2种可能,所以无论如何都会跳转到loc_411DDF+3的位置,等于jmp loc_411DDF+3.
这里可以等长度的nop，我们可以手动nop，这里是脚本练习，需要我们自己写

import idc def clear(start_ea,end_ea):s_o_h=[0x74,0x05,0x75,0x03,0xe8,0x11,0x00]while start_ea<end_ea:if idc.get_bytes(start_ea,7)==bytes(s_o_h):for i in range(7):idc.patch_byte(start_ea+i,0x90)start_ea+=1 start_ea=0x00411DC0 end_ea=0x00411E1E clear(start_ea,end_ea) print("ok")

2

xor eax,eax
这个运算结果为0，zf为1
触发jz跳转

import idc def clear(start_ea,end_ea):s_o_h=[0xe8,0x1a,0xe9]while start_ea<end_ea:if idc.get_bytes(start_ea,len(s_o_h))==bytes(s_o_h):for i in range(len(s_o_h)):idc.patch_byte(start_ea+i,0x90)start_ea+=1 start_ea=0x000411DC0 end_ea=0x00411E1E clear(start_ea,end_ea) print("ok")

第四届“长城杯” 信息安全铁人三项赛初赛junk

这里call loc_400F64
会把我们的返回地址压栈

loc_400F64: ; CODE XREF: sub_400F40+1E↑j .text:0000000000400F64 58 pop rax #从栈顶拿返回地址 rax=返回地址 .text:0000000000400F65 90 nop .text:0000000000400F66 48 83 C0 0A add rax, 0Ah #rax+=10 相当于返回地址+10 .text:0000000000400F6A 50 push rax #重新把返回地址压栈 .text:0000000000400F6B C3 retn #返回到返回地址

这个函数大概作用就是把返回地址+10，
我们的返回地址是.text:0000000000400F63
加10变成
.text:0000000000400F6D

import idc def clear(start_ea,end_ea):s_o_h=[0xe8,0x1,0x00,0x00,0x00,0xe9,0x58,0x90,0x48,0x83,0xc0,0x0A,0x50,0xc3,0xe9]while start_ea<end_ea:if idc.get_bytes(start_ea,len(s_o_h))==bytes(s_o_h):for i in range(len(s_o_h)):idc.patch_byte(start_ea+i,0x90)start_ea+=1 start_ea=0x00400F40 end_ea=0x000040106F clear(start_ea,end_ea) print("ok")

后面发现

同样道理，但是我们写精准一点

import idc def clear(start_ea,end_ea):s_o_h_head=[0xe8,0x1,0x00,0x00,0x00]Machine_code=0xe9s_o_h_tail=[0x58,0x90,0x48,0x83,0xc0,0x0A,0x50,0xc3,]while start_ea<end_ea:if idc.get_bytes(start_ea,len(s_o_h_head))==bytes(s_o_h_head):temp_now_ea=start_eatemp_now_ea+=len(s_o_h_head)+1if idc.get_bytes(temp_now_ea,len(s_o_h_tail))==bytes(s_o_h_tail):for i in range(len(s_o_h_head)+len(s_o_h_tail)+2):idc.patch_byte(start_ea+i,0x90)start_ea+=1 start_ea=0x00004009AE end_ea=0x00000400AB7 clear(start_ea,end_ea) print("ok")

21年WUST校赛AskforU

esp指向栈顶，而栈顶是返回地址，导致返回地址+1

确定好特征后开始写

import idc def clear(start_ea,end_ea):s_o_h=[0xE8, 0x06, 0x00, 0x00, 0x00, 0xEB, 0xE9, 0x05, 0x00, 0x00, 0x00, 0x83, 0x04, 0x24, 0x01, 0xC3]while start_ea<end_ea:if idc.get_bytes(start_ea,len(s_o_h))==bytes(s_o_h):for i in range(len(s_o_h)):idc.patch_byte(start_ea+i,0x90)start_ea+=1 start_ea=0x000401490 end_ea=0x0004017CD clear(start_ea,end_ea) print("ok")

[SCTF2019]babyre

import idc ea_start=0x000798 ea_end=0x00F66 s_o_h=[0x72,0x03,0x73,0x01] while ea_start<ea_end: if idc.get_bytes(ea_start,len(s_o_h))==bytes(s_o_h): for i in range(len(s_o_h)+1): idc.patch_byte(ea_start+i,0x90) ea_start+=i ea_start+=1 print("ok")

2022长城杯-rabbit_hole_release

这里面有2种花
第一种，这种只用去掉0xeb就行

第二种

按静态分析解析成这样

import idc def s_o_h(start_ea,end_ea): soh=[0xeb,0xff,0xc0,0x48] while start_ea<end_ea: if idc.get_bytes(start_ea,4)==bytes(soh): for i in range(3): idc.patch_byte(start_ea+i,0x90) start_ea+=3 start_ea+=1 def s_o_h1(start_ea,end_ea): soh=[0x66,0xb8,0xeb,0x05,0x31,0xc0,0x74,0xfa,0xe8] while start_ea<end_ea: if idc.get_bytes(start_ea,len(soh))==bytes(soh): for i in range(len(soh)): idc.patch_byte(start_ea+i,0x90) start_ea+=len(soh) start_ea+=1 start_ea=0x0004016C0 end_ea=0x000401A3B s_o_h(start_ea,end_ea) s_o_h1(start_ea,end_ea) print("ok")