Solving CTF Reverse-Engineering Shortest-Path Problems on Graphs with networkx
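Preface
I recently reproduced the IDAAAAA challenge from this year's L3HCTF, which reminded me of an unusual maze challenge I had solved earlier, invisible_maze-fix. Python's networkx turns out to be very convenient for this kind of problem, so I am recording the solutions here for future reference.
Attachments for the two challenges 👇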
invisible_maze
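Ordinary maze challenges
In CTF reverse-engineering challenges, an ordinary maze challenge usually hands you a very long string; once you lay it out yourself you can see the entire maze, as in the figure below.
With a maze like that the path is easy to find. invisible_maze, however, can be called a real maze challenge: instead of showing you the whole layout from a god's-eye view, it drops you inside the maze and, at each step, tells you where up, down, left and right lead.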
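Solution
Analysis
Open the program in IDA and analyze it.
Enter the function `sub_401050`. The program tells you what lies up, down, left and right; clearly, the way is open only where a move enters another function.
Search the strings and follow the cross-references to the success branch.
Success is reached only by entering `sub_41F1E0` and then pressing s, and the maze as a whole is very complicated.
Looking at the Functions window, everything from `sub_401050` to `sub_41F270` has this same structure, so drawing the maze by hand is clearly impractical. Each function is in fact a node, and two nodes form an edge: for example, `sub_401050` is a node and `sub_401050 ---> sub_4010E0` is an edge.
Since every function has nearly the same structure, the plan is to use IDAPython to print each node together with the four values for its a, d, s and w moves. Where a move enters another function, the current function and the entered function form an edge. Finally, passing the nodes and edges to Python's networkx library builds the whole maze graph, and a single function call gives the shortest path.
The functions take only the following two forms.
After the jump through the case table, if the first instruction is `push xxx`, the way is definitely blocked (except at the success location); if it is `call sub_xxx`, that instruction gives the next function (node); if it is `pop esi`, the following `jmp xxx` enters the next function (node).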
Writing the IDAPython script
Write the IDAPython script:
```python
def get_edges_from_func(func_addr):
```
Output (one four-element list per node):
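For the basic IDAPython functions, see https://zzzzsky.com/2021/12/08/LearnIDAPython/
At this point we have every node together with the four values for its a, d, s and w moves. None means the way is blocked; any other value means the move enters another function, which gives an edge.
Shortest path with networkx
Write the Python script:
```python
import networkx as nx
```
Output:
```
496
```
For learning networkx, see the documentation at https://www.osgeo.cn/networkx/tutorial.html
Finding a shortest path basically comes down to:
- Create a suitable graph
- Add the nodes and the edges
- Call shortest_path to get the shortest path; what it returns is the sequence of nodes visited
- Then, according to what the challenge requires, print the moves that correspond to the nodes visited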
IDAAAAAA
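Analysis
This is a reversing challenge from this year's L3HCTF. The challenge provides only an .i64 file and no executable. Open it in IDA and analyze.
The input is correct if `sub_401E97` returns 1. Inside the function there are five equations; solving them with z3 shows that they have no solution.
Looking again, there is a breakpoint here; open the Breakpoints window.
It is a conditional breakpoint. Copy out the contents of its condition:
```python
global jIS40A
```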
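The overall flow: when the breakpoint at `0x40201F` is hit, the condition sets a new conditional breakpoint and jumps to it, which triggers the new breakpoint's condition. The flag-checking algorithm therefore lives entirely in these conditions.
Tidy up `uwGgnM.condition` a little and then analyze it:
```python
N4QKUt = 0
```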
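The flow is: each character of the input flag decides which node is entered next.
The decryption function is a simple XOR. Decrypting a few at random to take a look, the key length is 11 every time.
```python
def dec(_x, _key):
```
```python
NyPGpw = idaapi.get_byte(5127584 + N4QKUt)
```
They all fit one template:
```python
xxxx = idaapi.get_byte(5127584 + N4QKUt)
```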
Because every decrypted condition contains `idaapi.get_byte(5127584 + N4QKUt)` and the key length is always 11, all of the keys can be brute-forced:
```python
encs = [....]
```
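The key recovery described above, as an added example that is not the post's own script: it assumes the "simple XOR" is a repeating-key XOR and slides the known fragment over every offset, which generalizes the fixed template position. The ciphertexts, the key `CONSTRUCTED` and everything after the template line are constructed sample data.

```python
from itertools import cycle

KEY_LEN = 11  # key length reported in the post
CRIB = b"idaapi.get_byte(5127584 + N4QKUt)"  # fragment present in every decrypted condition


def xor(data, key):
    """Repeating-key XOR (assumed shape of the post's dec function)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ct, crib=CRIB, key_len=KEY_LEN):
    """Return [(offset, key, plaintext)] for every offset where the crib fits."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    hits = []
    for off in range(len(ct) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for i, p in enumerate(crib):
            pos = (off + i) % key_len
            k = ct[off + i] ^ p
            if key[pos] is None:
                key[pos] = k          # first period of the crib fixes the key byte
            elif key[pos] != k:
                consistent = False    # later periods must agree with it
                break
        if not consistent:
            continue
        key = bytes(key)
        pt = xor(ct, key)
        # Keep only candidates that decrypt to printable text.
        if all(32 <= b < 127 or b in (9, 10, 13) for b in pt):
            hits.append((off, key, pt))
    return hits


# Constructed sample data, not taken from the challenge.
SAMPLE_KEY = b"CONSTRUCTED"
SAMPLE_NODE = (b"NyPGpw = idaapi.get_byte(5127584 + N4QKUt)\n"
               b"if NyPGpw == 54:\n    jIS40A = 3\n")
SAMPLE_END = b"idaapi.del_bpt(cpu.rip)\nresult = 1\n"  # no crib inside

NODE_CT = xor(SAMPLE_NODE, SAMPLE_KEY)
END_CT = xor(SAMPLE_END, SAMPLE_KEY)

if __name__ == "__main__":
    for off, key, pt in recover_key(NODE_CT):
        print(off, key, pt.decode())
    print("end node candidates:", recover_key(END_CT))
```

A ciphertext that yields no candidate, like the constructed end node here, is the case the post uses to identify the end point.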
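Only one node failed to decrypt, that is, nothing points onward from it, so it should be the end point. Given the challenge's theme, this is a shortest-path problem.
The end point's index is 426; write a script to find the key for index 426:
```python
def dec(_src, _key):
```
The key is `akUx3IWl29V`, and decrypting gives:
```python
idaapi.del_bpt(cpu.rip)
```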
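This is certainly the end point. What remains is to collect all the nodes and edges (two nodes make one edge, and edges are directed) and solve with networkx.
Shortest path with networkx
Here is the script directly: it matches the nodes with a regular expression, builds and adds the edges, uses networkx to find the path, and then writes out the flag characters that steer the direction.
```python
import re
```
The flag is L3HCTF{6584ed9fd9497981117f22a6c572caee}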
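Both shortest-path passages, the four steps listed for invisible_maze and the edge building for IDAAAAAA, use the same technique: label each directed edge with the input that takes it, find the shortest node path, then read the labels back. The sketch below is an added example, not the post's script; the node ids and tables are constructed, the a, d, s, w slot order is an assumption, and a plain BFS stands in when networkx is not installed.

```python
from collections import deque

try:
    import networkx as nx
except ImportError:  # fall back to the BFS below
    nx = None

KEYS = "adsw"  # assumed order of the four slots per node


def edges_from_maze_table(table):
    """{node: [a, d, s, w]} -> (node, target, key) for every open move."""
    for node, slots in table.items():
        for key, target in zip(KEYS, slots):
            if target is not None:
                yield node, target, key


def bfs_path(edges, start, goal):
    """Shortest node path on an unweighted directed graph, or None."""
    adj = {}
    for u, v, _ in edges:
        adj.setdefault(u, []).append(v)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def shortest_labels(edges, start, goal):
    """Return (node_path, label_string), or None if goal is unreachable."""
    edges = list(edges)
    if nx is not None:
        graph = nx.DiGraph()
        for u, v, label in edges:
            graph.add_edge(u, v, label=label)
        try:
            path = nx.shortest_path(graph, start, goal)
        except (nx.NetworkXNoPath, nx.NodeNotFound):
            return None
    else:
        path = bfs_path(edges, start, goal)
        if path is None:
            return None
    # shortest_path returns nodes only; map each hop back to its label.
    # Parallel edges between the same pair collapse to the last label seen.
    label_of = {(u, v): label for u, v, label in edges}
    return path, "".join(label_of[u, v] for u, v in zip(path, path[1:]))


# Constructed maze in the table shape the IDAPython step produces.
MAZE = {
    0x1000: [None, 0x1010, 0x1020, None],
    0x1010: [0x1000, 0x1030, None, None],
    0x1020: [None, None, 0x1040, 0x1000],
    0x1030: [0x1010, None, None, None],   # dead end
    0x1040: [None, 0x1050, None, 0x1020],
    0x1050: [0x1040, None, None, None],   # goal
}
# Constructed (node, next_node, flag_char) transitions in the IDAAAAAA style.
FLAG_EDGES = [(0, 3, "6"), (0, 1, "a"), (1, 2, "b"), (2, 7, "c"), (3, 7, "5")]

if __name__ == "__main__":
    print(shortest_labels(edges_from_maze_table(MAZE), 0x1000, 0x1050))
    print(shortest_labels(FLAG_EDGES, 0, 7))
```

For invisible_maze, the final s pressed inside the goal function is appended after the path's key string.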