import idc, idautils, ida_name\n\n# \u83b7\u53d6\u5f53\u524d\u5149\u6807\u4f4d\u7f6e\u5904\u7684\u5730\u5740\nea = idc.here()\nprint(f"current addr is: {ea:x}")\nprint("current addr is: " + hex(idc.get_screen_ea()))\n\n# \u8bbe\u7f6e\u5f53\u524d\u5149\u6807\u7684\u5730\u5740 \njump_addr = 0x40136d\nidc.jumpto(jump_addr)\n\n# \u83b7\u53d6\u6240\u6709\u7684\u6307\u4ee4\u5730\u5740\u5e76\u9644\u52a0\u4e0a\u6240\u6709\u7684\u540d\u79f0\u4fe1\u606f\nwith open("D:\\\\My Code\\\\out.txt", "wt") as file:\n for ea in idautils.Heads():\n name = ida_name.get_name(ea)\n\n try:\n file.write(hex(ea) + f" Option name is: {name}\\n")\n except Exception as e:\n print(f"Error is: {e}")\n\n# \u83b7\u53d6\u548c\u7ed9\u5b9a\u540d\u79f0\u5173\u8054\u7684\u5730\u5740\nprint(hex(ida_name.get_name_ea(0, "printf")))\n<\/code><\/pre>\n\u8bfb\u53d6\u548c\u5199\u5165\u6570\u636e<\/h2>\n
TODO ……<\/p>\n
\u4e00\u4e9b\u4f8b\u5b50<\/h1>\nRCTF Chaos<\/h2>\n
\u867d\u7136\u8fd9\u9053\u9898\u76ee\u88ab\u53c2\u8d5b\u65b9\u5f53\u6210\u7b7e\u5230\u9898\u76ee\u76f4\u63a5\u7ed9\u51faflag\u4e86,\u4f46\u662f\u6211\u4eec\u8fd8\u662f\u80fd\u591f\u770b\u5230\u5728\u7a0b\u5e8f\u91cc\u9762\u53ef\u4ee5\u770b\u5230\u5b58\u5728\u4e00\u4e9b\u82b1\u6307\u4ee4\u7684.
\n\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u5199\u4e00\u4e2a\u7b80\u5355\u7684frida\u811a\u672c\u6765\u8fd8\u539f\u539f\u6765\u7684\u51fd\u6570<\/p>\n
\u82b1\u6307\u4ee4 1<\/p>\n
.text:00B71490 83 C4 04 add esp, 4\n.text:00B71493 75 02 jnz short loc_B71497\n.text:00B71493 ; ---------------------------------------------------------------------------\n.text:00B71495 E9 db 0E9h\n.text:00B71496 ED db 0EDh\n.text:00B71497 ; ---------------------------------------------------------------------------\n.text:00B71497\n.text:00B71497 loc_B71497: ; CODE XREF: .text:00B71493\u2191j\n.text:00B71497 E8 00 00 00 00 call $+5\n.text:00B7149C 58 pop eax\n.text:00B7149D 89 85 78 FF FF FF mov [ebp-88h], eax\n<\/code><\/pre>\n\u82b1\u6307\u4ee4 2<\/p>\n
db 0EAh\ndb 0EBh, 9 --> JMP ...\n<\/code><\/pre>\n\u7136\u540e\u6211\u4eec\u5206\u6790\u5bf9\u5e94\u7684\u7279\u5f81,\u5c31\u53ef\u4ee5\u7f16\u5199\u5bf9\u5e94\u7684patch\u811a\u672c\u4e86<\/p>\n
import idc\n\nstart_addr = 0x00401000\nend_addr = 0x004914BE\n\n"""\n.text:00B71490 83 C4 04 add esp, 4\n.text:00B71493 75 02 jnz short loc_B71497\n.text:00B71493 ; ---------------------------------------------------------------------------\n.text:00B71495 E9 db 0E9h\n.text:00B71496 ED db 0EDh\n.text:00B71497 ; ---------------------------------------------------------------------------\n.text:00B71497\n.text:00B71497 loc_B71497: ; CODE XREF: .text:00B71493\u2191j\n.text:00B71497 E8 00 00 00 00 call $+5\n.text:00B7149C 58 pop eax\n.text:00B7149D 89 85 78 FF FF FF mov [ebp-88h], eax\n"""\n\n# \u6bcf\u6b21\u8bfb\u53d6\u5230\u4e00\u6bb5\u76f8\u540c\u7684\u6570\u636e\u540e,patch\u5176\u4e2d\u7684\u82b1\u6307\u4ee4\u4e3a NOP\n# 75 02 e9 ed 08 -> \u628a\u4e2d\u95f4\u7684 e9 ed \u66ff\u6362\u4e3a 90 90\ncur_addr = start_addr\nwhile cur_addr < end_addr:\n byte_val = idc.get_wide_word(cur_addr)\n if byte_val == 0x0275:\n next_next_word = idc.get_wide_word(cur_addr + 4)\n if next_next_word == 0x00e8:\n print(f"Find flower instruction at {cur_addr + 2:08x}, patching...")\n idc.patch_byte(cur_addr + 2, 0x90)\n idc.patch_byte(cur_addr + 3, 0x90)\n cur_addr += 1\nprint("First pass done.")\n\n"""\n db 0EAh, 0EBh, 9\n"""\ncur_addr = start_addr\nwhile cur_addr < end_addr:\n byte_fir = idc.get_wide_byte(cur_addr)\n byte_sec = idc.get_wide_byte(cur_addr + 1)\n byte_thi = idc.get_wide_byte(cur_addr + 2)\n if byte_fir == 0xEA and byte_sec == 0xEB and byte_thi == 0x09:\n print(f"Find flower instruction at {cur_addr:08x}, patching...")\n idc.patch_byte(cur_addr, 0x90)\n cur_addr += 1\nprint("Second pass done.")\n<\/code><\/pre>\n\u7136\u540e\u5728ida\u4e2d\u5c31\u53ef\u4ee5\u770b\u5230\u7ed3\u679c\u4e86<\/p>\n
![\"image.png|500\"](\"https:\/\/cloud-map-bed-1351541725.cos.ap-nanjing.myqcloud.com\/pic\/20251124190832.png\")
<\/p>\n
\u4f46\u662f\u6211\u7684\u5df2\u7ecfpatch\u8fc7\u4e86,\u6240\u4ee5\u6ca1\u6709\u663e\u793a\u51fapatch\u7684\u5730\u5740,\u5982\u679c\u662f\u6ca1\u6709patch\u8fc7\u7684\u7a0b\u5e8f\u4f1a\u663e\u793a\u51fa\u5730\u5740,\u53cc\u51fb\u53ef\u4ee5\u8df3\u8f6c\u5230\u5730\u5740\u5904\u67e5\u770b\u662f\u5426patch\u9519\u4e86\u4f4d\u7f6e.<\/p>\n
\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u5220\u9664i64,\u4fdd\u5b58patch,\u8ba9ida\u91cd\u65b0\u5206\u6790\u4e86<\/p>\n
![\"image.png\"](\"https:\/\/cloud-map-bed-1351541725.cos.ap-nanjing.myqcloud.com\/pic\/20251124191152.png\")
<\/p>\n
\u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u80fd\u8fd8\u539f\u539f\u6765\u7684\u903b\u8f91\u4e86.<\/p>\n","protected":false},"excerpt":{"rendered":"
\u73af\u5883\u642d\u5efa \u4e3a\u4e86\u65b9\u4fbfida ipython\u811a\u672c\u7b49\u7684\u5b66\u4e60,\u5148\u5728vscode\u4e2d\u642d\u5efa\u4e00\u4e0bida python\u73af\u5883\u65b9\u4fbf\u6211 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-52","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/52","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/comments?post=52"}],"version-history":[{"count":1,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/52\/revisions"}],"predecessor-version":[{"id":53,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/52\/revisions\/53"}],"wp:attachment":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/media?parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/categories?post=52"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/tags?post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image.png\"](\"https:\/\/cloud-map-bed-1351541725.cos.ap-nanjing.myqcloud.com\/pic\/20251031134716.png\")
<\/p>\n