-
-
[原创]关于爆破迷宫路径的一系列思考
-
2024-6-8 20:20
-
前几天学长给了一道maze的题,动态调试过程可谓非常艰难(对我现在的水平而言),于是学长提供了一种用subprocess的方法
程序分析
首先通过字符串定位到主函数那里,我们发现cmp那里其实是一个长度校验,判断路径的长度是不是为140
这里为判断路径方向
中间过程太复杂,我们直接跳到后面,我们发现他判断所处位置是不是为0,还有判断最后到达位置对不对的
经过分析我们并不知道迷宫在哪,因此我们才要尝试爆破的方法。
爆破处理
首先第一步,我们要把长度校验给patch掉
重点的patch在后面,我们为了一步一步进行爆破,我们要对每一步进行爆破
但是有一个问题,后面不管走不走对都会输出
我们可以先写一个简单的试验一下
1 2 3 4 5 6 7 8 | import subprocessprintable=['w','s','a','d']for i in range(len(printable)): sh=subprocess.Popen("./mapmap", shell=True, stdout=subprocess.PIPE, stdin=subprocess.PIPE) sh.stdin.write((printable[i]+'\n').encode()) sh.stdin.flush() output ,_ =sh.communicate() print(output) |
我们发现根本无法判断是不是走对了,这个时候我们再patch一下
把下面那个指向wrong的地址改为指向' what()'的地址
我们这个时候可以再看一下
发现有不一样的回显了,我们根据这个可以写一个脚本,但是这里有一个问题,它在程序里面每走一步不会把走过的给标记,所以我们得自己标记一下,由于没有写这个标记,导致脚本跑了好久也没跑出来。
Exp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | import subprocessdef dfs(path, n, x_location, y_location, count, try_direction, visited_paths, coordinates): if n < count: for direction in try_direction: process = subprocess.Popen("./mapmap", shell=True, stdout=subprocess.PIPE, stdin=subprocess.PIPE) next_path = path + direction process.stdin.write((next_path + '\n').encode()) process.stdin.flush() output, _ = process.communicate() if b'wrong\n' not in output: new_x_location, new_y_location = x_location, y_location if direction == 'd': new_x_location += 1 elif direction == 'a': new_x_location -= 1 elif direction == 'w': new_y_location -= 1 elif direction == 's': new_y_location += 1 if (new_x_location, new_y_location) not in coordinates: print(path) coordinates[(new_x_location, new_y_location)] = next_path dfs(next_path, len(next_path), new_x_location, new_y_location, count, try_direction, visited_paths, coordinates) elif n == count: visited_paths.append(path) coordinates[(x_location, y_location)] = path# DFS startif __name__ == '__main__': start_path = '' try_direction = ['w', 'd', 's', 'a'] count = 140 visited_paths = [] coordinates = {} x_location = 0 y_location = 0 coordinates[(x_location, y_location)] = start_path print("\nVisit paths:") dfs(start_path, len(start_path), x_location, y_location, count, try_direction, visited_paths, coordinates) print("\nFinal paths:") for path in visited_paths: process = subprocess.Popen("./mapmap", shell=True, stdout=subprocess.PIPE, stdin=subprocess.PIPE) process.stdin.write((path + '\n').encode()) process.stdin.flush() output, _ = process.communicate() if b'flag{md5(your input)}\n' in output: print(path) |
差不多二十秒的时间跑出来
我自己的虚拟环境是kali 2023.3 内存 4G 处理器2x2
如果师傅们有更好的思路欢迎来交流
参考资料
https://docs.python.org/zh-cn/3/library/subprocess.html#using-the-subprocess-module
https://www.cnblogs.com/lordtianqiyi/articles/16588649.html
https://bbs.kanxue.com/thread-281796.html
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
