IDApython练习1-脚本去花

IDApython练习1-脚本去花

这里主要是练习IDApython脚本去花

1

这里
jz跳转条件是zf=1，
jnz跳转条件是zf=0，
但是zf就2种可能,所以无论如何都会跳转到loc_411DDF+3的位置,等于jmp loc_411DDF+3.
这里可以等长度的nop，我们可以手动nop，这里是脚本练习，需要我们自己写

import idc
def clear(start_ea,end_ea):
	s_o_h=[0x74,0x05,0x75,0x03,0xe8,0x11,0x00]
	while start_ea<end_ea:
		if idc.get_bytes(start_ea,7)==bytes(s_o_h):
			for i in range(7):
				idc.patch_byte(start_ea+i,0x90)
		start_ea+=1


start_ea=0x00411DC0 
end_ea=0x00411E1E
clear(start_ea,end_ea)
print("ok")

2

xor eax,eax
这个运算结果为0，zf为1
触发jz跳转

import idc
def clear(start_ea,end_ea):
	s_o_h=[0xe8,0x1a,0xe9]
	while start_ea<end_ea:
		if idc.get_bytes(start_ea,len(s_o_h))==bytes(s_o_h):
			for i in range(len(s_o_h)):
				idc.patch_byte(start_ea+i,0x90)
		start_ea+=1


start_ea=0x000411DC0
end_ea=0x00411E1E
clear(start_ea,end_ea)
print("ok")

第四届“长城杯” 信息安全铁人三项赛 初赛junk

这里call loc_400F64
会把我们的返回地址压栈

 loc_400F64:                             ; CODE XREF: sub_400F40+1E↑j
.text:0000000000400F64 58                            pop     rax           #从栈顶拿返回地址 rax=返回地址
.text:0000000000400F65 90                            nop
.text:0000000000400F66 48 83 C0 0A                   add     rax, 0Ah      #rax+=10  相当于返回地址+10
.text:0000000000400F6A 50                            push    rax           #重新把返回地址压栈
.text:0000000000400F6B C3                            retn                  #返回到返回地址

这个函数大概作用就是把返回地址+10，
我们的返回地址是.text:0000000000400F63
加10变成
.text:0000000000400F6D

import idc
def clear(start_ea,end_ea):
	s_o_h=[0xe8,0x1,0x00,0x00,0x00,0xe9,0x58,0x90,0x48,0x83,0xc0,0x0A,0x50,0xc3,0xe9]
	while start_ea<end_ea:
		if idc.get_bytes(start_ea,len(s_o_h))==bytes(s_o_h):
			for i in range(len(s_o_h)):
				idc.patch_byte(start_ea+i,0x90)
		start_ea+=1
start_ea=0x00400F40
end_ea=0x000040106F
clear(start_ea,end_ea)
print("ok")

后面发现

同样道理，但是我们写精准一点

import idc
def clear(start_ea,end_ea):
	s_o_h_head=[0xe8,0x1,0x00,0x00,0x00]
	Machine_code=0xe9
	s_o_h_tail=[0x58,0x90,0x48,0x83,0xc0,0x0A,0x50,0xc3,]
	while start_ea<end_ea:
		if idc.get_bytes(start_ea,len(s_o_h_head))==bytes(s_o_h_head):
			temp_now_ea=start_ea
			temp_now_ea+=len(s_o_h_head)+1
			if idc.get_bytes(temp_now_ea,len(s_o_h_tail))==bytes(s_o_h_tail):
				for i in range(len(s_o_h_head)+len(s_o_h_tail)+2):
					idc.patch_byte(start_ea+i,0x90)
		start_ea+=1


start_ea=0x00004009AE
end_ea=0x00000400AB7
clear(start_ea,end_ea)
print("ok")

21年WUST校赛AskforU

esp指向栈顶，而栈顶是返回地址，导致返回地址+1

确定好特征后开始写

import idc
def clear(start_ea,end_ea):
	s_o_h=[0xE8, 0x06, 0x00, 0x00, 0x00, 0xEB, 0xE9, 0x05, 0x00, 0x00, 
  0x00, 0x83, 0x04, 0x24, 0x01, 0xC3]
	while start_ea<end_ea:
		if idc.get_bytes(start_ea,len(s_o_h))==bytes(s_o_h):
			for i in range(len(s_o_h)):
				idc.patch_byte(start_ea+i,0x90)
		start_ea+=1
start_ea=0x000401490
end_ea=0x0004017CD
clear(start_ea,end_ea)
print("ok")

[SCTF2019]babyre

import idc
ea_start=0x000798 
ea_end=0x00F66
s_o_h=[0x72,0x03,0x73,0x01]
while ea_start<ea_end:
    if idc.get_bytes(ea_start,len(s_o_h))==bytes(s_o_h):
        for i in range(len(s_o_h)+1):
            idc.patch_byte(ea_start+i,0x90)
        ea_start+=i
    ea_start+=1
print("ok")

2022长城杯-rabbit_hole_release

这里面有2种花
第一种，这种只用去掉0xeb就行

第二种

按静态分析解析成这样

import idc

def s_o_h(start_ea,end_ea):
    soh=[0xeb,0xff,0xc0,0x48]
    while start_ea<end_ea:
        if idc.get_bytes(start_ea,4)==bytes(soh):
            for i in range(3):
                idc.patch_byte(start_ea+i,0x90)
            start_ea+=3
        start_ea+=1
        
def s_o_h1(start_ea,end_ea):
    soh=[0x66,0xb8,0xeb,0x05,0x31,0xc0,0x74,0xfa,0xe8]
    while start_ea<end_ea:
        if idc.get_bytes(start_ea,len(soh))==bytes(soh):
            for i in range(len(soh)):
                idc.patch_byte(start_ea+i,0x90)
            start_ea+=len(soh)
        start_ea+=1           
            
start_ea=0x0004016C0
end_ea=0x000401A3B
            
s_o_h(start_ea,end_ea)
s_o_h1(start_ea,end_ea)
print("ok")