前几天学长给了一道maze的题,动态调试过程可谓非常艰难(对我现在的水平而言),于是学长提供了一种用subprocess的方法
首先通过字符串定位到主函数那里,我们发现cmp那里其实是一个长度校验,判断路径的长度是不是为140
这里为判断路径方向
中间过程太复杂,我们直接跳到后面,我们发现他判断所处位置是不是为0,还有判断最后到达位置对不对的
经过分析我们并不知道迷宫在哪,因此我们才要尝试爆破的方法。
首先第一步,我们要把长度校验给patch掉
重点的patch在后面,我们为了一步一步进行爆破,我们要对每一步进行爆破
但是有一个问题,后面不管走不走对都会输出
我们可以先写一个简单的试验一下
我们发现根本无法判断是不是走对了,这个时候我们再patch一下
把下面那个指向wrong的地址改为指向' what()'的地址
我们这个时候可以再看一下
发现有不一样的回显了,我们根据这个可以写一个脚本,但是这里有一个问题,它在程序里面每走一步不会把走过的给标记,所以我们得自己标记一下,由于没有写这个标记,导致脚本跑了好久也没跑出来。
差不多二十秒的时间跑出来
我自己的虚拟环境是kali 2023.3 内存 4G 处理器2x2
如果师傅们有更好的思路欢迎来交流
https://docs.python.org/zh-cn/3/library/subprocess.html#using-the-subprocess-module
https://www.cnblogs.com/lordtianqiyi/articles/16588649.html
https://bbs.kanxue.com/thread-281796.html
http://z221x.cc/index.php/2024/01/06/nctf-ezvm%e6%8f%92%e6%a1%a9%e7%88%86%e7%a0%b4%e7%9a%84%e5%a4%8d%e7%8e%b0/
import
subprocess
printable
=
[
'w'
,
's'
,
'a'
,
'd'
]
for
i
in
range
(
len
(printable)):
sh
=
subprocess.Popen(
"./mapmap"
, shell
=
True
, stdout
=
subprocess.PIPE, stdin
=
subprocess.PIPE)
sh.stdin.write((printable[i]
+
'\n'
).encode())
sh.stdin.flush()
output ,_
=
sh.communicate()
print
(output)
import
subprocess
printable
=
[
'w'
,
's'
,
'a'
,
'd'
]
for
i
in
range
(
len
(printable)):
sh
=
subprocess.Popen(
"./mapmap"
, shell
=
True
, stdout
=
subprocess.PIPE, stdin
=
subprocess.PIPE)
sh.stdin.write((printable[i]
+
'\n'
).encode())
sh.stdin.flush()
output ,_
=
sh.communicate()
print
(output)
import
subprocess
def
dfs(path, n, x_location, y_location, count, try_direction, visited_paths, coordinates):
if
n < count:
for
direction
in
try_direction:
process
=
subprocess.Popen(
"./mapmap"
, shell
=
True
, stdout
=
subprocess.PIPE, stdin
=
subprocess.PIPE)
next_path
=
path
+
direction
process.stdin.write((next_path
+
'\n'
).encode())
process.stdin.flush()
output, _
=
process.communicate()
if
b
'wrong\n'
not
in
output:
new_x_location, new_y_location
=
x_location, y_location
if
direction
=
=
'd'
:
new_x_location
+
=
1
elif
direction
=
=
'a'
:
new_x_location
-
=
1
elif
direction
=
=
'w'
:
new_y_location
-
=
1
elif
direction
=
=
's'
:
new_y_location
+
=
1
if
(new_x_location, new_y_location)
not
in
coordinates:
print
(path)
coordinates[(new_x_location, new_y_location)]
=
next_path
dfs(next_path,
len
(next_path), new_x_location, new_y_location, count, try_direction, visited_paths, coordinates)
elif
n
=
=
count:
visited_paths.append(path)
coordinates[(x_location, y_location)]
=
path
if
__name__
=
=
'__main__'
:
start_path
=
''
try_direction
=
[
'w'
,
'd'
,
's'
,
'a'
]
count
=
140
visited_paths
=
[]
coordinates
=
{}
x_location
=
0
y_location
=
0
coordinates[(x_location, y_location)]
=
start_path
print
(
"\nVisit paths:"
)
dfs(start_path,
len
(start_path), x_location, y_location, count, try_direction, visited_paths, coordinates)
print
(
"\nFinal paths:"
)
for
path
in
visited_paths:
process
=
subprocess.Popen(
"./mapmap"
, shell
=
True
, stdout
=
subprocess.PIPE, stdin
=
subprocess.PIPE)
process.stdin.write((path
+
'\n'
).encode())
process.stdin.flush()
output, _
=
process.communicate()
if
b
'flag{md5(your input)}\n'
in
output:
print
(path)
import
subprocess
def
dfs(path, n, x_location, y_location, count, try_direction, visited_paths, coordinates):
if
n < count:
for
direction
in
try_direction:
process
=
subprocess.Popen(
"./mapmap"
, shell
=
True
, stdout
=
subprocess.PIPE, stdin
=
subprocess.PIPE)
next_path
=
path
+
direction
process.stdin.write((next_path
+
'\n'
).encode())
process.stdin.flush()
output, _
=
process.communicate()
if
b
'wrong\n'
not
in
output:
new_x_location, new_y_location
=
x_location, y_location
if
direction
=
=
'd'
:
new_x_location
+
=
1
elif
direction
=
=
'a'
:
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2024-6-8 21:48
被5m10v3编辑
,原因: