
Learning IDAPython from a Reverse challenge



Date: 2021-08-12

Author: Mr-hello

Introduction: In a competition I ran into a maze-style reversing challenge that turned out to carry no map data at all; the only way to trace the route was through the function calls, which is what prompted me to look into IDAPython.


0x00 Preface

As the introduction says, in a national-level competition I came across a maze challenge with no map data: the route had to be traced through the function calls and the correct one picked out. All examples in this article were tested under python3 + IDA 7.5.

0x01 Basics

Setting the challenge aside, IDAPython is just Python. Think of it as a few Python modules bundled into IDA that let you drive the analysis from a script: fetching function calls and assembly listings, among other things, so that repetitive and tedious reverse-engineering chores can be automated.

IDAPython is made up of three separate modules. The first is idc, a compatibility module that wraps the functions of IDA's own IDC scripting language. The second is idautils, a set of high-level utility functions (iterating over functions, segments, cross-references and so on). The third is idaapi, which exposes the lower-level IDA SDK so that more of IDA's data can be handled from Python.

0x02 Usage

1. Get the address under the cursor

idc.get_screen_ea() # address the cursor is on

here() # shorthand for the same thing

idc.next_head(addr) # address of the next instruction (item head) after addr
idc.prev_head(addr) # address of the previous instruction before addr

2. Get the instruction at an address

idc.print_insn_mnem(addr) # mnemonic of the instruction (e.g. call, jmp)

idc.GetDisasm(addr) # the full disassembly line

idc.print_operand(addr,n) # operand n (0-based) as text

idc.get_segm_name(addr) # name of the segment containing addr

3. Segment operations

# Name, start address and end address of every segment
for seg in idautils.Segments():
    print (idc.get_segm_name(seg), idc.get_segm_start(seg), idc.get_segm_end(seg))

4. Function operations

# Iterate over all known functions, printing address and name; get_func_name accepts any address inside the function
for func in idautils.Functions():
    print (hex(func), idc.get_func_name(func))
# idautils.Functions(start_addr, end_addr) restricts the iteration to an address range

# Start and end address of the function containing addr (get_func returns None if addr is not inside a function)
func = idaapi.get_func(addr)
print(func.start_ea,func.end_ea)

# All instruction addresses within the function, together with their disassembly
all_addr = list(idautils.FuncItems(addr))
for line in all_addr:
    print(hex(line),idc.GetDisasm(line))

5. Cross-references

# Code references to a function. CodeRefsTo yields the addresses of the referencing
# instructions as plain integers; the second argument (flow) decides whether ordinary
# fall-through flow counts as a reference, and 0 keeps only calls and jumps.
func = idaapi.get_func(address)
for addr in idautils.CodeRefsTo(func.start_ea,0):
    print(hex(addr))
    
# The same references as xref objects: .frm is the referencing address, .to the target
# and .type the reference type. The second argument is flags; 1 (XREF_FAR) skips
# ordinary flow references, like the 0 above.
func = idaapi.get_func(address)
for xref in idautils.XrefsTo(func.start_ea, 1):
    print(hex(xref.frm),hex(xref.to))

6. Comment operations

idc.set_cmt(addr, text, 0) # set a comment; the last argument is rptble: 0 = regular comment, 1 = repeatable comment
idc.get_cmt(addr, 1) # read the repeatable comment (pass 0 for the regular one); returns None if there is none

0x03 Solving the challenge

Back to the matter at hand. Everything so far was preparation; now to apply it. The challenge is a maze task from the 2021 巔峰極客網路安全技能挑戰線上賽 (a 2021 online cyber security skills contest).

It has a clear start and end: the function that prints the final success message is easy to spot. But the program does not store the maze map anywhere. Instead, each step is a call into another function, so the branches are walked call after call, and exactly one chain of calls reaches the success function. A quick look shows 7000+ functions in the binary.

At first I tried the crudest approach, drawing the map by hand, but after half an hour it became clear that the maze was large, probably 50x50 or more, and I gave up on that. During the contest a colleague solved it with IDAPython; I wanted to learn the technique myself, so I set out to reproduce it.

Since the branching is done through function calls, the idea is to collect all caller/callee relationships and find one route from the start function sub_40180E to the end function sub_54DE35. Here the search starts from the end function and walks the cross-references backwards.

import idautils
import idaapi

finish = 0x54DE35
begin = 0x40180E
path = []

def Xref(addr,path):
    if addr == begin: # reached the start function: the route is complete
        print(path)
    else:
        for Xref_addr in idautils.CodeRefsTo(addr,0): # every instruction that calls/jumps to addr
            caller = idaapi.get_func(Xref_addr).start_ea # the function that instruction belongs to
            if hex(caller) not in path: # never step back onto a function already on the route
                path.append(hex(caller)) # tentatively take this step, assuming it is correct
                Xref(caller,path) # recurse from the caller
                path.pop() # backtrack: this branch did not lead to the start

path.append(hex(finish)) # the route is built from the end backwards, so the end goes in first
Xref(finish,path)

# ['0x54de35', '0x54dd7e', '0x54dcc7', '0x54dc10', '0x5490e9', '0x547f0e', '0x547fc1', '0x548078', '0x543df5', '0x54265e', '0x53e76e', '0x53cfd7', '0x538e0f', '0x537b79', '0x537ac2', '0x537a0b', '0x5339a9', '0x532212', '0x5322c9', '0x532380', '0x52e287', '0x52c8cb', '0x5289e3', '0x527303', '0x52340b', '0x521d2b', '0x51de3b', '0x51c5ed', '0x51c536', '0x51c47f', '0x51c3c8', '0x51c311', '0x51c25a', '0x51c1a3', '0x51dd84', '0x521a4b', '0x521994', '0x5218dd', '0x51dccd', '0x51c0ec', '0x518656', '0x5169ba', '0x512cfb', '0x51128c', '0x5111d5', '0x51111e', '0x511067', '0x510fb4', '0x50d5c5', '0x50b9dc', '0x50b925', '0x50b86e', '0x50b7b7', '0x50b700', '0x50b649', '0x50b592', '0x50b4db', '0x50b424', '0x507c6e', '0x505e68', '0x502759', '0x50050d', '0x4fcf5c', '0x4fb209', '0x4fb2c0', '0x4fb377', '0x4f7826', '0x4f5c45', '0x4f5b8e', '0x4f5ad7', '0x4f5a20', '0x4f5969', '0x4f58b2', '0x4f57fb', '0x4f1e1c', '0x4f0188', '0x4ec854', '0x4ea772', '0x4ea6bb', '0x4ea608', '0x4ea551', '0x4ea49a', '0x4ec6e6', '0x4f0016', '0x4f1d65', '0x4f55d6', '0x4f568d', '0x4f5744', '0x4f776f', '0x4faf2d', '0x4fae76', '0x4fadbf', '0x4fad08', '0x4fac51', '0x4f76b8', '0x4f551f', '0x4f1cae', '0x4eff5f', '0x4ec62f', '0x4ea3e3', '0x4ea32c', '0x4ea275', '0x4ec578', '0x4efea8', '0x4efdf1', '0x4efd3a', '0x4efc83', '0x4efbcc', '0x4ec4c1', '0x4ea103', '0x4ea04c', '0x4e9f99', '0x4e9ee2', '0x4e9e2b', '0x4e9d74', '0x4e9cc1', '0x4e6cd4', '0x4e4c99', '0x4e4d50', '0x4e4e07', '0x4e19d0', '0x4df119', '0x4df062', '0x4defab', '0x4dc2aa', '0x4d97d2', '0x4d9885', '0x4d993c', '0x4d6a0e', '0x4d4370', '0x4d1010', '0x4ceadc', '0x4ceb93', '0x4cbaeb', '0x4c972d', '0x4c9676', '0x4c651b', '0x4c40a6', '0x4c3fef', '0x4c3f3c', '0x4c0e98', '0x4be8b5', '0x4bb3cf', '0x4b917f', '0x4b90c8', '0x4b9015', '0x4b8f5e', '0x4b8ea7', '0x4b8df0', '0x4b8d39', '0x4b5d60', '0x4b355c', '0x4b0411', '0x4ade2a', '0x4add73', '0x4adcc0', '0x4adc09', '0x4adb52', '0x4aad8a', '0x4a8410', '0x4a56ff', '0x4a305d', '0x4a2fa6', '0x4a2eef', '0x49ffbd', '0x49d59c', 
'0x49a88f', '0x497e62', '0x495214', '0x4927e3', '0x49272c', '0x492675', '0x48f802', '0x48d0b1', '0x48cffa', '0x48cf43', '0x48ce8c', '0x48cdd5', '0x48a45b', '0x487255', '0x484b10', '0x481dfb', '0x481d44', '0x481c91', '0x47f264', '0x47c6c5', '0x47c60e', '0x47c557', '0x47c4a0', '0x47c3e9', '0x47c332', '0x47c27b', '0x47c1c4', '0x47c111', '0x4799c0', '0x476a96', '0x4769df', '0x476928', '0x474345', '0x471088', '0x470fd1', '0x470f1a', '0x47428e', '0x476871', '0x4767ba', '0x476703', '0x47664c', '0x476599', '0x4741d7', '0x470da8', '0x470cf1', '0x470c3a', '0x470b83', '0x470acc', '0x46ea99', '0x46b4f4', '0x469363', '0x465f34', '0x465feb', '0x4660a2', '0x4638a6', '0x460980', '0x45e22b', '0x45b0d4', '0x458c57', '0x45599e', '0x453255', '0x4505eb', '0x450534', '0x45047d', '0x45319e', '0x4558e7', '0x458ba0', '0x45b021', '0x45af6a', '0x45aeb3', '0x45e0bd', '0x46080e', '0x4637ef', '0x465e81', '0x465dca', '0x465d13', '0x4691f5', '0x46b386', '0x46e92b', '0x47095e', '0x474069', '0x476206', '0x47614f', '0x476098', '0x473fb2', '0x4708a7', '0x46e874', '0x46b2cf', '0x46913e', '0x465c5c', '0x463738', '0x4605e9', '0x4606a0', '0x460757', '0x45e006', '0x45adfc', '0x458ae9', '0x4556c2', '0x455779', '0x455830', '0x4530e7', '0x4503c6', '0x45030f', '0x450258', '0x44de8a', '0x44a9ac', '0x44a8f5', '0x44a83e', '0x44a787', '0x44a6d4', '0x44a61d', '0x44a566', '0x44a4af', '0x44a3f8', '0x44a341', '0x44a28a', '0x448490', '0x444d89', '0x442a86', '0x43f4e1', '0x43f598', '0x43f64f', '0x442b3d', '0x444e40', '0x444ef7', '0x444fae', '0x442bf4', '0x43f706', '0x43d575', '0x439d08', '0x439dbf', '0x439e76', '0x437d90', '0x43496d', '0x432441', '0x42f00a', '0x42d08e', '0x429db9', '0x429e70', '0x429f27', '0x429fde', '0x42a095', '0x4279f3', '0x4247e5', '0x42472e', '0x424677', '0x4245c0', '0x424509', '0x42242f', '0x41ed2c', '0x41c8bf', '0x419547', '0x417520', '0x413e15', '0x411d2b', '0x40e565', '0x40c812', '0x408ef6', '0x408e3f', '0x408d88', '0x406bf3', '0x402b06', '0x402a4f', '0x40299c', '0x406b3c', '0x408cd1', 
'0x40c75b', '0x40e340', '0x40e3f7', '0x40e4ae', '0x411c74', '0x413d5e', '0x413ca7', '0x413bf0', '0x413b39', '0x413a82', '0x417469', '0x4191b4', '0x41926b', '0x419322', '0x4193d9', '0x419490', '0x41c808', '0x41ec75', '0x41ebbe', '0x41eb07', '0x41ea50', '0x41e99d', '0x41e8e6', '0x41e82f', '0x4222c1', '0x4240c3', '0x42400c', '0x423f55', '0x423e9e', '0x423deb', '0x42220a', '0x41e6bd', '0x41e606', '0x41e54f', '0x422153', '0x423d34', '0x427717', '0x429693', '0x4295dc', '0x429525', '0x427660', '0x423c7d', '0x42209c', '0x41e498', '0x41e3e1', '0x41e32e', '0x41c69a', '0x418b45', '0x418bfc', '0x418cb3', '0x41718d', '0x413638', '0x411998', '0x40de3b', '0x40c3c8', '0x408666', '0x40871d', '0x4087d4', '0x40c47f', '0x40def2', '0x411a4f', '0x4136ef', '0x4137a2', '0x413859', '0x4172fb', '0x418e25', '0x418edc', '0x418f93', '0x419046', '0x4190fd', '0x4173b2', '0x4139cb', '0x411bbd', '0x40e11b', '0x40e1d2', '0x40e289', '0x40c6a4', '0x408c1a', '0x408b63', '0x408aac', '0x406a85', '0x402773', '0x4026bc', '0x402605', '0x40254e', '0x40249b', '0x4023e4', '0x40232d', '0x402276', '0x4021bf', '0x402108', '0x402051', '0x401f9a', '0x401ee3', '0x401e2c', '0x401d79', '0x401cc2', '0x401c0f', '0x401b58', '0x401aa1', '0x4019ea', '0x401933', '0x4067a9', '0x407ff7', '0x4080aa', '0x408161', '0x40c25a', '0x40d93a', '0x40d9f1', '0x40daa8', '0x4116bc', '0x413358', '0x416f68', '0x418869', '0x4187b2', '0x4186fb', '0x418644', '0x41858d', '0x4184d6', '0x418423', '0x416eb1', '0x413078', '0x41154e', '0x40d7cc', '0x40c0ec', '0x407f40', '0x4066f2', '0x40187c', '0x40180e']

With the code above we obtain the chain of function calls along the correct route. But once we have that chain, how is it turned into the input the program expects?

Further analysis showed that at each call into the next step, the instruction before the call carries an IDA comment of the form jumptable ... case N. That is the hook: when following a cross-reference, read the comment on the preceding instruction and keep the case number at its end.

import idautils
import idaapi
import idc

finish = 0x54DE35
begin = 0x40180E
path = []
cmt = []

def Xref(addr,path):
    if addr == begin:
        print(cmt)
    else:
        for Xref_addr in idautils.CodeRefsTo(addr,0):
            caller = idaapi.get_func(Xref_addr).start_ea
            if hex(caller) not in path:
                cmt.append(idc.get_cmt(idc.prev_head(Xref_addr),1)) # repeatable comment on the instruction before the call site
                path.append(hex(caller))
                Xref(caller,path)
                path.pop()
                cmt.pop() # pop, not remove(): several sites may carry the same comment (or None), and the stack must unwind in order
path.append(hex(finish))
Xref(finish,path)
# ['jumptable 000000000054DDF3 case 83', 'jumptable 000000000054DD3C case 68', 'jumptable 000000000054DC85 case 68', 'jumptable 000000000054915E case 83', 'jumptable 0000000000547F83 case 83', 'jumptable 0000000000548036 case 65', 'jumptable 00000000005480ED case 65', 'jumptable 0000000000543E6A case 83', 'jumptable 00000000005426D3 case 83', 'jumptable 000000000053E7E3 case 83', 'jumptable 000000000053D04C case 83', 'jumptable 0000000000538E84 case 83', 'jumptable 0000000000537BEE case 83', 'jumptable 0000000000537B37 case 68', 'jumptable 0000000000537A80 case 68', 'jumptable 0000000000533A1E case 83', 'jumptable 0000000000532287 case 83', 'jumptable 000000000053233E case 65', 'jumptable 00000000005323F5 case 65', 'jumptable 000000000052E2FC case 83', 'jumptable 000000000052C940 case 83', 'jumptable 0000000000528A58 case 83', 'jumptable 0000000000527378 case 83', 'jumptable 0000000000523480 case 83', 'jumptable 0000000000521DA0 case 83', 'jumptable 000000000051DEB0 case 83', 'jumptable 000000000051C662 case 83', 'jumptable 000000000051C5AB case 68', 'jumptable 000000000051C4F4 case 68', 'jumptable 000000000051C43D case 68', 'jumptable 000000000051C386 case 68', 'jumptable 000000000051C2CF case 68', 'jumptable 000000000051C218 case 68', 'jumptable 000000000051DDF9 case 87', 'jumptable 0000000000521AC0 case 87', 'jumptable 0000000000521A09 case 68', 'jumptable 0000000000521952 case 68', 'jumptable 000000000051DD42 case 83', 'jumptable 000000000051C161 case 83', 'jumptable 00000000005186CB case 83', 'jumptable 0000000000516A2F case 83', 'jumptable 0000000000512D70 case 83', 'jumptable 0000000000511301 case 83', 'jumptable 000000000051124A case 68', 'jumptable 0000000000511193 case 68', 'jumptable 00000000005110DC case 68', 'jumptable 0000000000511029 case 68', 'jumptable 000000000050D63A case 83', 'jumptable 000000000050BA51 case 83', 'jumptable 000000000050B99A case 68', 'jumptable 000000000050B8E3 case 68', 'jumptable 000000000050B82C case 68', 'jumptable 
000000000050B775 case 68', 'jumptable 000000000050B6BE case 68', 'jumptable 000000000050B607 case 68', 'jumptable 000000000050B550 case 68', 'jumptable 000000000050B499 case 68', 'jumptable 0000000000507CE3 case 83', 'jumptable 0000000000505EDD case 83', 'jumptable 00000000005027CE case 83', 'jumptable 0000000000500582 case 83', 'jumptable 00000000004FCFD1 case 83', 'jumptable 00000000004FB27E case 83', 'jumptable 00000000004FB335 case 65', 'jumptable 00000000004FB3EC case 65', 'jumptable 00000000004F789B case 83', 'jumptable 00000000004F5CBA case 83', 'jumptable 00000000004F5C03 case 68', 'jumptable 00000000004F5B4C case 68', 'jumptable 00000000004F5A95 case 68', 'jumptable 00000000004F59DE case 68', 'jumptable 00000000004F5927 case 68', 'jumptable 00000000004F5870 case 68', 'jumptable 00000000004F1E91 case 83', 'jumptable 00000000004F01FD case 83', 'jumptable 00000000004EC8C9 case 83', 'jumptable 00000000004EA7E7 case 83', 'jumptable 00000000004EA730 case 68', 'jumptable 00000000004EA67D case 68', 'jumptable 00000000004EA5C6 case 68', 'jumptable 00000000004EA50F case 68', 'jumptable 00000000004EC75B case 87', 'jumptable 00000000004F008B case 87', 'jumptable 00000000004F1DDA case 87', 'jumptable 00000000004F564B case 87', 'jumptable 00000000004F5702 case 65', 'jumptable 00000000004F57B9 case 65', 'jumptable 00000000004F77E4 case 87', 'jumptable 00000000004FAFA2 case 87', 'jumptable 00000000004FAEEB case 68', 'jumptable 00000000004FAE34 case 68', 'jumptable 00000000004FAD7D case 68', 'jumptable 00000000004FACC6 case 68', 'jumptable 00000000004F772D case 83', 'jumptable 00000000004F5594 case 83', 'jumptable 00000000004F1D23 case 83', 'jumptable 00000000004EFFD4 case 83', 'jumptable 00000000004EC6A4 case 83', 'jumptable 00000000004EA458 case 83', 'jumptable 00000000004EA3A1 case 68', 'jumptable 00000000004EA2EA case 68', 'jumptable 00000000004EC5ED case 87', 'jumptable 00000000004EFF1D case 87', 'jumptable 00000000004EFE66 case 68', 'jumptable 00000000004EFDAF case 
68', 'jumptable 00000000004EFCF8 case 68', 'jumptable 00000000004EFC41 case 68', 'jumptable 00000000004EC536 case 83', 'jumptable 00000000004EA178 case 83', 'jumptable 00000000004EA0C1 case 68', 'jumptable 00000000004EA00E case 68', 'jumptable 00000000004E9F57 case 68', 'jumptable 00000000004E9EA0 case 68', 'jumptable 00000000004E9DE9 case 68', 'jumptable 00000000004E9D36 case 68', 'jumptable 00000000004E6D49 case 83', 'jumptable 00000000004E4D0E case 83', 'jumptable 00000000004E4DC5 case 65', 'jumptable 00000000004E4E7C case 65', 'jumptable 00000000004E1A45 case 83', 'jumptable 00000000004DF18E case 83', 'jumptable 00000000004DF0D7 case 68', 'jumptable 00000000004DF020 case 68', 'jumptable 00000000004DC31F case 83', 'jumptable 00000000004D9847 case 83', 'jumptable 00000000004D98FA case 65', 'jumptable 00000000004D99B1 case 65', 'jumptable 00000000004D6A83 case 83', 'jumptable 00000000004D43E5 case 83', 'jumptable 00000000004D1085 case 83', 'jumptable 00000000004CEB51 case 83', 'jumptable 00000000004CEC08 case 65', 'jumptable 00000000004CBB60 case 83', 'jumptable 00000000004C97A2 case 83', 'jumptable 00000000004C96EB case 68', 'jumptable 00000000004C6590 case 83', 'jumptable 00000000004C411B case 83', 'jumptable 00000000004C4064 case 68', 'jumptable 00000000004C3FB1 case 68', 'jumptable 00000000004C0F0D case 83', 'jumptable 00000000004BE92A case 83', 'jumptable 00000000004BB444 case 83', 'jumptable 00000000004B91F4 case 83', 'jumptable 00000000004B913D case 68', 'jumptable 00000000004B908A case 68', 'jumptable 00000000004B8FD3 case 68', 'jumptable 00000000004B8F1C case 68', 'jumptable 00000000004B8E65 case 68', 'jumptable 00000000004B8DAE case 68', 'jumptable 00000000004B5DD5 case 83', 'jumptable 00000000004B35D1 case 83', 'jumptable 00000000004B0486 case 83', 'jumptable 00000000004ADE9F case 83', 'jumptable 00000000004ADDE8 case 68', 'jumptable 00000000004ADD35 case 68', 'jumptable 00000000004ADC7E case 68', 'jumptable 00000000004ADBC7 case 68', 'jumptable 
00000000004AADFF case 83', 'jumptable 00000000004A8485 case 83', 'jumptable 00000000004A5774 case 83', 'jumptable 00000000004A30D2 case 83', 'jumptable 00000000004A301B case 68', 'jumptable 00000000004A2F64 case 68', 'jumptable 00000000004A0032 case 83', 'jumptable 000000000049D611 case 83', 'jumptable 000000000049A904 case 83', 'jumptable 0000000000497ED7 case 83', 'jumptable 0000000000495289 case 83', 'jumptable 0000000000492858 case 83', 'jumptable 00000000004927A1 case 68', 'jumptable 00000000004926EA case 68', 'jumptable 000000000048F877 case 83', 'jumptable 000000000048D126 case 83', 'jumptable 000000000048D06F case 68', 'jumptable 000000000048CFB8 case 68', 'jumptable 000000000048CF01 case 68', 'jumptable 000000000048CE4A case 68', 'jumptable 000000000048A4D0 case 83', 'jumptable 00000000004872CA case 83', 'jumptable 0000000000484B85 case 83', 'jumptable 0000000000481E70 case 83', 'jumptable 0000000000481DB9 case 68', 'jumptable 0000000000481D06 case 68', 'jumptable 000000000047F2D9 case 83', 'jumptable 000000000047C73A case 83', 'jumptable 000000000047C683 case 68', 'jumptable 000000000047C5CC case 68', 'jumptable 000000000047C515 case 68', 'jumptable 000000000047C45E case 68', 'jumptable 000000000047C3A7 case 68', 'jumptable 000000000047C2F0 case 68', 'jumptable 000000000047C239 case 68', 'jumptable 000000000047C186 case 68', 'jumptable 0000000000479A35 case 83', 'jumptable 0000000000476B0B case 83', 'jumptable 0000000000476A54 case 68', 'jumptable 000000000047699D case 68', 'jumptable 00000000004743BA case 83', 'jumptable 00000000004710FD case 83', 'jumptable 0000000000471046 case 68', 'jumptable 0000000000470F8F case 68', 'jumptable 0000000000474303 case 87', 'jumptable 00000000004768E6 case 87', 'jumptable 000000000047682F case 68', 'jumptable 0000000000476778 case 68', 'jumptable 00000000004766C1 case 68', 'jumptable 000000000047660E case 68', 'jumptable 000000000047424C case 83', 'jumptable 0000000000470E1D case 83', 'jumptable 0000000000470D66 case 
68', 'jumptable 0000000000470CAF case 68', 'jumptable 0000000000470BF8 case 68', 'jumptable 0000000000470B41 case 68', 'jumptable 000000000046EB0E case 83', 'jumptable 000000000046B569 case 83', 'jumptable 00000000004693D8 case 83', 'jumptable 0000000000465FA9 case 83', 'jumptable 0000000000466060 case 65', 'jumptable 0000000000466117 case 65', 'jumptable 000000000046391B case 83', 'jumptable 00000000004609F5 case 83', 'jumptable 000000000045E2A0 case 83', 'jumptable 000000000045B149 case 83', 'jumptable 0000000000458CCC case 83', 'jumptable 0000000000455A13 case 83', 'jumptable 00000000004532CA case 83', 'jumptable 0000000000450660 case 83', 'jumptable 00000000004505A9 case 68', 'jumptable 00000000004504F2 case 68', 'jumptable 0000000000453213 case 87', 'jumptable 000000000045595C case 87', 'jumptable 0000000000458C15 case 87', 'jumptable 000000000045B096 case 87', 'jumptable 000000000045AFDF case 68', 'jumptable 000000000045AF28 case 68', 'jumptable 000000000045E132 case 87', 'jumptable 0000000000460883 case 87', 'jumptable 0000000000463864 case 87', 'jumptable 0000000000465EF6 case 87', 'jumptable 0000000000465E3F case 68', 'jumptable 0000000000465D88 case 68', 'jumptable 000000000046926A case 87', 'jumptable 000000000046B3FB case 87', 'jumptable 000000000046E9A0 case 87', 'jumptable 00000000004709D3 case 87', 'jumptable 00000000004740DE case 87', 'jumptable 000000000047627B case 87', 'jumptable 00000000004761C4 case 68', 'jumptable 000000000047610D case 68', 'jumptable 0000000000474027 case 83', 'jumptable 000000000047091C case 83', 'jumptable 000000000046E8E9 case 83', 'jumptable 000000000046B344 case 83', 'jumptable 00000000004691B3 case 83', 'jumptable 0000000000465CD1 case 83', 'jumptable 00000000004637AD case 83', 'jumptable 000000000046065E case 83', 'jumptable 0000000000460715 case 65', 'jumptable 00000000004607CC case 65', 'jumptable 000000000045E07B case 83', 'jumptable 000000000045AE71 case 83', 'jumptable 0000000000458B5E case 83', 'jumptable 
0000000000455737 case 83', 'jumptable 00000000004557EE case 65', 'jumptable 00000000004558A5 case 65', 'jumptable 000000000045315C case 83', 'jumptable 000000000045043B case 83', 'jumptable 0000000000450384 case 68', 'jumptable 00000000004502CD case 68', 'jumptable 000000000044DEFF case 83', 'jumptable 000000000044AA21 case 83', 'jumptable 000000000044A96A case 68', 'jumptable 000000000044A8B3 case 68', 'jumptable 000000000044A7FC case 68', 'jumptable 000000000044A749 case 68', 'jumptable 000000000044A692 case 68', 'jumptable 000000000044A5DB case 68', 'jumptable 000000000044A524 case 68', 'jumptable 000000000044A46D case 68', 'jumptable 000000000044A3B6 case 68', 'jumptable 000000000044A2FF case 68', 'jumptable 0000000000448505 case 83', 'jumptable 0000000000444DFE case 83', 'jumptable 0000000000442AFB case 83', 'jumptable 000000000043F556 case 83', 'jumptable 000000000043F60D case 65', 'jumptable 000000000043F6C4 case 65', 'jumptable 0000000000442BB2 case 87', 'jumptable 0000000000444EB5 case 87', 'jumptable 0000000000444F6C case 65', 'jumptable 0000000000445023 case 65', 'jumptable 0000000000442C69 case 83', 'jumptable 000000000043F77B case 83', 'jumptable 000000000043D5EA case 83', 'jumptable 0000000000439D7D case 83', 'jumptable 0000000000439E34 case 65', 'jumptable 0000000000439EEB case 65', 'jumptable 0000000000437E05 case 83', 'jumptable 00000000004349E2 case 83', 'jumptable 00000000004324B6 case 83', 'jumptable 000000000042F07F case 83', 'jumptable 000000000042D103 case 83', 'jumptable 0000000000429E2E case 83', 'jumptable 0000000000429EE5 case 65', 'jumptable 0000000000429F9C case 65', 'jumptable 000000000042A053 case 65', 'jumptable 000000000042A10A case 65', 'jumptable 0000000000427A68 case 83', 'jumptable 000000000042485A case 83', 'jumptable 00000000004247A3 case 68', 'jumptable 00000000004246EC case 68', 'jumptable 0000000000424635 case 68', 'jumptable 000000000042457E case 68', 'jumptable 00000000004224A4 case 83', 'jumptable 000000000041EDA1 case 
83', 'jumptable 000000000041C934 case 83', 'jumptable 00000000004195BC case 83', 'jumptable 0000000000417595 case 83', 'jumptable 0000000000413E8A case 83', 'jumptable 0000000000411DA0 case 83', 'jumptable 000000000040E5DA case 83', 'jumptable 000000000040C887 case 83', 'jumptable 0000000000408F6B case 83', 'jumptable 0000000000408EB4 case 68', 'jumptable 0000000000408DFD case 68', 'jumptable 0000000000406C68 case 83', 'jumptable 0000000000402B7B case 83', 'jumptable 0000000000402AC4 case 68', 'jumptable 0000000000402A11 case 68', 'jumptable 0000000000406BB1 case 87', 'jumptable 0000000000408D46 case 87', 'jumptable 000000000040C7D0 case 87', 'jumptable 000000000040E3B5 case 87', 'jumptable 000000000040E46C case 65', 'jumptable 000000000040E523 case 65', 'jumptable 0000000000411CE9 case 87', 'jumptable 0000000000413DD3 case 87', 'jumptable 0000000000413D1C case 68', 'jumptable 0000000000413C65 case 68', 'jumptable 0000000000413BAE case 68', 'jumptable 0000000000413AF7 case 68', 'jumptable 00000000004174DE case 87', 'jumptable 0000000000419229 case 87', 'jumptable 00000000004192E0 case 65', 'jumptable 0000000000419397 case 65', 'jumptable 000000000041944E case 65', 'jumptable 0000000000419505 case 65', 'jumptable 000000000041C87D case 87', 'jumptable 000000000041ECEA case 87', 'jumptable 000000000041EC33 case 68', 'jumptable 000000000041EB7C case 68', 'jumptable 000000000041EAC5 case 68', 'jumptable 000000000041EA12 case 68', 'jumptable 000000000041E95B case 68', 'jumptable 000000000041E8A4 case 68', 'jumptable 0000000000422336 case 87', 'jumptable 0000000000424138 case 87', 'jumptable 0000000000424081 case 68', 'jumptable 0000000000423FCA case 68', 'jumptable 0000000000423F13 case 68', 'jumptable 0000000000423E60 case 68', 'jumptable 000000000042227F case 83', 'jumptable 000000000041E732 case 83', 'jumptable 000000000041E67B case 68', 'jumptable 000000000041E5C4 case 68', 'jumptable 00000000004221C8 case 87', 'jumptable 0000000000423DA9 case 87', 'jumptable 
000000000042778C case 87', 'jumptable 0000000000429708 case 87', 'jumptable 0000000000429651 case 68', 'jumptable 000000000042959A case 68', 'jumptable 00000000004276D5 case 83', 'jumptable 0000000000423CF2 case 83', 'jumptable 0000000000422111 case 83', 'jumptable 000000000041E50D case 83', 'jumptable 000000000041E456 case 68', 'jumptable 000000000041E3A3 case 68', 'jumptable 000000000041C70F case 83', 'jumptable 0000000000418BBA case 83', 'jumptable 0000000000418C71 case 65', 'jumptable 0000000000418D28 case 65', 'jumptable 0000000000417202 case 83', 'jumptable 00000000004136AD case 83', 'jumptable 0000000000411A0D case 83', 'jumptable 000000000040DEB0 case 83', 'jumptable 000000000040C43D case 83', 'jumptable 00000000004086DB case 83', 'jumptable 0000000000408792 case 65', 'jumptable 0000000000408849 case 65', 'jumptable 000000000040C4F4 case 87', 'jumptable 000000000040DF67 case 87', 'jumptable 0000000000411AC4 case 87', 'jumptable 0000000000413764 case 87', 'jumptable 0000000000413817 case 65', 'jumptable 00000000004138CE case 65', 'jumptable 0000000000417370 case 87', 'jumptable 0000000000418E9A case 87', 'jumptable 0000000000418F51 case 65', 'jumptable 0000000000419008 case 65', 'jumptable 00000000004190BB case 65', 'jumptable 0000000000419172 case 65', 'jumptable 0000000000417427 case 83', 'jumptable 0000000000413A40 case 83', 'jumptable 0000000000411C32 case 83', 'jumptable 000000000040E190 case 83', 'jumptable 000000000040E247 case 65', 'jumptable 000000000040E2FE case 65', 'jumptable 000000000040C719 case 83', 'jumptable 0000000000408C8F case 83', 'jumptable 0000000000408BD8 case 68', 'jumptable 0000000000408B21 case 68', 'jumptable 0000000000406AFA case 83', 'jumptable 00000000004027E8 case 83', 'jumptable 0000000000402731 case 68', 'jumptable 000000000040267A case 68', 'jumptable 00000000004025C3 case 68', 'jumptable 0000000000402510 case 68', 'jumptable 0000000000402459 case 68', 'jumptable 00000000004023A2 case 68', 'jumptable 00000000004022EB case 
68', 'jumptable 0000000000402234 case 68', 'jumptable 000000000040217D case 68', 'jumptable 00000000004020C6 case 68', 'jumptable 000000000040200F case 68', 'jumptable 0000000000401F58 case 68', 'jumptable 0000000000401EA1 case 68', 'jumptable 0000000000401DEE case 68', 'jumptable 0000000000401D37 case 68', 'jumptable 0000000000401C84 case 68', 'jumptable 0000000000401BCD case 68', 'jumptable 0000000000401B16 case 68', 'jumptable 0000000000401A5F case 68', 'jumptable 00000000004019A8 case 68', 'jumptable 000000000040681E case 87', 'jumptable 000000000040806C case 87', 'jumptable 000000000040811F case 65', 'jumptable 00000000004081D6 case 65', 'jumptable 000000000040C2CF case 87', 'jumptable 000000000040D9AF case 87', 'jumptable 000000000040DA66 case 65', 'jumptable 000000000040DB1D case 65', 'jumptable 0000000000411731 case 87', 'jumptable 00000000004133CD case 87', 'jumptable 0000000000416FDD case 87', 'jumptable 00000000004188DE case 87', 'jumptable 0000000000418827 case 68', 'jumptable 0000000000418770 case 68', 'jumptable 00000000004186B9 case 68', 'jumptable 0000000000418602 case 68', 'jumptable 000000000041854B case 68', 'jumptable 0000000000418498 case 68', 'jumptable 0000000000416F26 case 83', 'jumptable 00000000004130ED case 83', 'jumptable 00000000004115C3 case 83', 'jumptable 000000000040D841 case 83', 'jumptable 000000000040C161 case 83', 'jumptable 0000000000407FB5 case 83', 'jumptable 0000000000406767 case 83', 'jumptable 00000000004018F1 case 83', None]

The last entry here is None. Looking at the code, this is because the start function is written differently from the others and has no such comment.

When post-processing, just drop the None and then add the missing S.

import idautils
import idaapi
import idc

finish = 0x54DE35
begin = 0x40180E
path = []
cmt = []

# The case numbers are the ASCII codes of the direction keys: 83 = 'S', 68 = 'D', 65 = 'A', 87 = 'W'
def mut(op):
    return {'83': 'S', '68': 'D', '65': 'A', '87': 'W'}[op]

def Xref(addr,path):
    if addr == begin:
        flag = ''
        for i in cmt:
            if i is None: # the start function carries no jumptable comment
                continue
            flag += mut(i[-2:]) # the last two characters of the comment are the case number
        print(flag[::-1]) # cmt was collected from the end backwards, so reverse it
    else:
        for Xref_addr in idautils.CodeRefsTo(addr,0):
            caller = idaapi.get_func(Xref_addr).start_ea
            if hex(caller) not in path:
                cmt.append(idc.get_cmt(idc.prev_head(Xref_addr),1))
                path.append(hex(caller))
                Xref(caller,path)
                path.pop()
                cmt.pop()

path.append(hex(finish))
Xref(finish,path)
        
# SSSSSSSSDDDDDDWWWWAAWWAAWWDDDDDDDDDDDDDDDDDDDDSSDDSSAASSSSAAAAWWAAWWWWAASSSSSSAASSDDSSSSDDWWWWDDSSDDDDWWDDDDDDWWAAAAWWDDDDWWAAWWWWDDSSDDSSSSSSSSSSDDDDSSAAAASSSSSSAASSSSAAWWAASSSSDDDDDDDDDDSSDDSSAASSSSAASSSSSSSSDDWWWWWWDDWWWWDDWWWWDDSSSSSSSSAASSSSDDDDSSDDDDWWDDSSDDSSDDDDDDDDSSDDSSSSDDDDSSDDSSSSSSDDSSSSDDDDSSSSDDDDDDSSSSDDSSDSSASSSSAASSDDSSAASSDDDDDDSSDDDDWWDDSSSSSSDDDDWWAAWWWWDDDDSSSSDDDDDDSSAASSSSSSDDDDDDDDSSDDDDSSSSSSDDWWDDDDDDSSSSSSSSAASSDDSSSSSSAASSDDS
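The following is an added example, not the author's script or code from the challenge. It takes the route search from this section, together with the CodeRefsTo / get_func / prev_head / get_cmt calls from items 5 and 6 of the usage section, and rewrites it in a form a practitioner can run and test outside IDA. The search is an iterative depth-first walk with an explicit stack and a parent map, so a route several hundred steps long through 7000+ functions never touches Python's recursion limit (the recursive version above, with a route of roughly 600 steps, sits close to the default limit of 1000). It uses a global visited set, which is sufficient for finding a route and means a dead-end branch is never explored twice; case numbers are parsed with a regex instead of taking the last two characters; and an edge without a jumptable comment, like the one out of the start function, is reported rather than crashing on None. The IDA-specific lookup lives in a single adapter, ida_callers, which is the only part that needs IDA. The toy graph and its addresses (0x401000 to 0x401500) are constructed for the example and are not from the challenge binary.

```python
"""Backward route search over a call graph, as in the maze write-up.

Added example, not the author's script. Only ida_callers() needs IDA; the
search and the comment-to-key conversion run and test anywhere.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Jumptable case numbers are the ASCII codes of the direction keys.
CASE_TO_KEY = {65: "A", 68: "D", 83: "S", 87: "W"}
_CASE_RE = re.compile(r"\bcase (\d+)\b")

# (start address of the calling function, IDA comment on the instruction
#  before the call site, or None when there is no comment)
Caller = Tuple[int, Optional[str]]
CallersFn = Callable[[int], Iterable[Caller]]


def parse_case(comment: Optional[str]) -> Optional[int]:
    """Case number from 'jumptable 0000000000401120 case 83' (None if absent).

    A regex instead of comment[-2:] copes with one- or three-digit cases."""
    if not comment:
        return None
    m = _CASE_RE.search(comment)
    return int(m.group(1)) if m else None


def find_path(begin: int, finish: int, callers: CallersFn) -> Optional[List[Caller]]:
    """Walk code xrefs backwards from finish until begin is reached.

    Iterative DFS with an explicit stack: a 600-step route never touches the
    recursion limit. A global visited set is enough for reachability, so a
    dead-end branch is explored at most once. Returns [(function, comment on
    the call leaving it), ...] ordered begin -> finish, or None."""
    parent: Dict[int, Caller] = {}     # caller -> (callee it leads to, edge comment)
    visited = {finish}
    stack = [finish]
    while stack:
        ea = stack.pop()
        if ea == begin:
            route: List[Caller] = []
            while ea != finish:           # follow parent links back up to finish
                nxt, cmt = parent[ea]
                route.append((ea, cmt))
                ea = nxt
            route.append((finish, None))  # the finish function has no outgoing step
            return route
        for caller_ea, cmt in callers(ea):
            if caller_ea not in visited:
                visited.add(caller_ea)
                parent[caller_ea] = (ea, cmt)
                stack.append(caller_ea)
    return None


def keys_from_route(route: List[Caller]) -> Tuple[str, List[int]]:
    """WASD string for the route, plus the functions whose outgoing edge had
    no usable case comment (the write-up hits one at the start function);
    those are returned for the analyst to fill in instead of crashing on None."""
    keys: List[str] = []
    missing: List[int] = []
    for func_ea, cmt in route[:-1]:
        case = parse_case(cmt)
        if case in CASE_TO_KEY:
            keys.append(CASE_TO_KEY[case])
        else:
            missing.append(func_ea)
    return "".join(keys), missing


def ida_callers(ea: int) -> Iterable[Caller]:
    """IDAPython adapter: the per-step lookup the write-up performs.
    Imports are local so everything else runs outside IDA."""
    import idaapi, idautils, idc  # IDA-only
    for xref in idautils.CodeRefsTo(ea, 0):    # 0: skip ordinary flow xrefs
        func = idaapi.get_func(xref)
        if func is None:                        # reference from code outside any function
            continue
        yield func.start_ea, idc.get_cmt(idc.prev_head(xref), 1)


def graph_callers(graph: Dict[int, List[Caller]]) -> CallersFn:
    """Adapter for a dict call graph (callee -> callers), used to test outside IDA."""
    return lambda ea: graph.get(ea, [])


def solve(begin: int, finish: int, callers: CallersFn) -> Tuple[str, List[int]]:
    """Route search followed by comment-to-key conversion."""
    route = find_path(begin, finish, callers)
    if route is None:
        raise ValueError("no route from begin to finish")
    return keys_from_route(route)


# Constructed toy maze (not from the challenge binary): 0x401300 is a dead end
# that calls back into 0x401100, and the start function's call carries no
# jumptable comment, mirroring the None the write-up sees.
TOY_BEGIN, TOY_FINISH = 0x401000, 0x401500
TOY_GRAPH: Dict[int, List[Caller]] = {
    0x401500: [(0x401400, "jumptable 0000000000401420 case 83")],
    0x401400: [(0x401200, "jumptable 0000000000401220 case 68")],
    0x401300: [(0x401100, "jumptable 0000000000401120 case 68"),
               (0x401200, "jumptable 0000000000401220 case 87")],
    0x401200: [(0x401100, "jumptable 0000000000401120 case 83")],
    0x401100: [(0x401000, None),
               (0x401300, "jumptable 0000000000401320 case 65")],
}

if __name__ == "__main__":
    print(solve(TOY_BEGIN, TOY_FINISH, graph_callers(TOY_GRAPH)))  # ('SDS', [4198400])
    # Inside IDA on the challenge binary:  solve(0x40180E, 0x54DE35, ida_callers)
```

On the toy graph the route is 0x401000 -> 0x401100 -> 0x401200 -> 0x401400 -> 0x401500, giving the keys SDS with the start function reported as missing its comment; the dead-end branch 0x401300 is visited once and then ignored when 0x401100 and 0x401200 are found already visited. Inside IDA the same solve() call with ida_callers as the adapter reproduces the write-up's pipeline in one go.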

0x04 Summary

The above only lists examples of the most commonly used methods, mostly as notes for myself. If you want to dig deeper or need more examples, reply IDA中文手冊 on the public WeChat account to get the Chinese translation of y0n's IDAPython manual. That translation is fairly old, though: the idc function names changed in IDA 7.4, so use it side by side with the current names.

With that, the challenge is solved. The IDAPython material was groundwork; the really awkward part was the code that recovers the call relationships. How to store the path, and how to discard wrong branches, was the hard part of this task. I still write too little code; when the logic does not come together, every step is a struggle.

The road is long, but those who walk it will arrive.