Study Record

[리버싱] Hack Me 리버싱 의사코드 복원 (5,6단계) 본문


[리버싱] Hack Me 리버싱 의사코드 복원 (5,6단계)

초코초코초코 2021. 11. 15. 14:02

5단계 : /usr/bin/level5

☞ /usr/bin/level5 어셈블리어 분석 (gdb /usr/bin/level5)

0x0804842c <main+0>:    push   %ebp
0x0804842d <main+1>:    mov    %esp,%ebp
0x0804842f <main+3>:    sub    $0x8,%esp
0x08048432 <main+6>:    and    $0xfffffff0,%esp
0x08048435 <main+9>:    mov    $0x0,%eax
0x0804843a <main+14>:   sub    %eax,%esp

0x0804843c <main+16>:   sub    $0x8,%esp
0x0804843f <main+19>:   push   $0x180
0x08048444 <main+24>:   push   $0x8048580    # /tmp/level5.tmp
0x08048449 <main+29>:   call   0x804832c <creat>
0x0804844e <main+34>:   add    $0x10,%esp
==> creat("/tmp/level5.tmp", 0x180);   # 0x180 = 0600 (rw-------)

0x08048451 <main+37>:   mov    %eax,0xfffffffc(%ebp)       # int f 
0x08048454 <main+40>:   cmpl   $0x0,0xfffffffc(%ebp)
0x08048458 <main+44>:   jns    0x8048484 <main+88>
==> jns : SF 가 0 이면 분기, 즉 f 가 음수가 아니면(f >= 0) 분기
# if(f < 0) main+46 else main+88

0x0804845a <main+46>:   sub    $0xc,%esp
0x0804845d <main+49>:   push   $0x80485a0    # Can not creat a temporary file.\n    
0x08048462 <main+54>:   call   0x804835c <printf>
0x08048467 <main+59>:   add    $0x10,%esp
==> printf("Can not creat a temporary file.\n");

0x0804846a <main+62>:   sub    $0xc,%esp
0x0804846d <main+65>:   push   $0x8048580    # /tmp/level5.tmp
0x08048472 <main+70>:   call   0x804833c <remove>
0x08048477 <main+75>:   add    $0x10,%esp
==> remove("/tmp/level5.tmp")

0x0804847a <main+78>:   sub    $0xc,%esp
0x0804847d <main+81>:   push   $0x0
0x0804847f <main+83>:   call   0x804836c <exit>
==> exit(0) 

0x08048484 <main+88>:   sub    $0x4,%esp
0x08048487 <main+91>:   push   $0x1f                 
0x08048489 <main+93>:   push   $0x80485e0            # next password : what the hell\n
0x0804848e <main+98>:   pushl  0xfffffffc(%ebp)      # f
0x08048491 <main+101>:  call   0x804830c <write>
0x08048496 <main+106>:  add    $0x10,%esp
==> write(f, "next password : what the hell\n", 0x1f)
# ssize_t write(int fd, const void *buf, size_t n);

0x08048499 <main+109>:  sub    $0xc,%esp
0x0804849c <main+112>:  pushl  0xfffffffc(%ebp)
0x0804849f <main+115>:  call   0x804831c <close>
0x080484a4 <main+120>:  add    $0x10,%esp
==> close(f)

0x080484a7 <main+123>:  sub    $0xc,%esp
0x080484aa <main+126>:  push   $0x8048580     # /tmp/level5.tmp
0x080484af <main+131>:  call   0x804833c <remove>
0x080484b4 <main+136>:  add    $0x10,%esp
==> remove("/tmp/level5.tmp")

0x080484b7 <main+139>:  leave
0x080484b8 <main+140>:  ret
0x080484b9 <main+141>:  nop
0x080484ba <main+142>:  nop
0x080484bb <main+143>:  nop

 

☞ 복원한 의사코드

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

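/*
 * Reconstructed main() of /usr/bin/level5. Each statement corresponds to one
 * call in the disassembly: creat, printf, remove, exit, write, close, remove.
 *
 * Review notes on the reconstructed logic:
 *   - The secret is written to a fixed, predictable path under /tmp and is
 *     only removed afterwards, so it exists on disk between creat() and the
 *     final remove().
 *   - creat() behaves like open(O_CREAT|O_WRONLY|O_TRUNC). There is no O_EXCL,
 *     so a file that already exists under that name is opened and reused
 *     instead of being rejected, and the 0600 mode only takes effect when the
 *     file is newly created.
 *   - Safer pattern for secrets: mkstemp() (unique name, exclusive create),
 *     or keep the data out of the filesystem altogether.
 */
int main(void){
    int f;      /* local at 0xfffffffc(%ebp), i.e. -4(%ebp) */

    /* 0x180 == 0600 octal: owner read/write only. */
    f = creat("/tmp/level5.tmp", 0x180);

    /* jns at main+44 skips this branch when f >= 0. */
    if(f < 0){
        printf("Can not creat a temporary file.\n");
        remove("/tmp/level5.tmp");
        exit(0);
    }

    /* 0x1f == 31: the 30 characters of the message plus its terminating NUL. */
    write(f, "next password : what the hell\n", 0x1f);
    close(f);
    remove("/tmp/level5.tmp");

    /* No explicit return: the listing goes from remove() straight to leave/ret. */
}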

 

6단계 : /home/level6/tn

☞ /home/level6/tn 어셈블리어 분석 (gdb /home/level6/tn)

0x080484f8 <main+0>:    push   %ebp
0x080484f9 <main+1>:    mov    %esp,%ebp
0x080484fb <main+3>:    sub    $0x8,%esp       # 8byte 만큼 변수공간 할당

0x080484fe <main+6>:    sub    $0xc,%esp
0x08048501 <main+9>:    push   $0x80486f2      # "cat hint"
0x08048506 <main+14>:   call   0x8048384 <system>
0x0804850b <main+19>:   add    $0x10,%esp
==> system("cat hint")

0x0804850e <main+22>:   call   0x8048354 <getchar>
==> getchar()

0x08048513 <main+27>:   sub    $0xc,%esp
0x08048516 <main+30>:   push   $0x80486fb      # "clear"
0x0804851b <main+35>:   call   0x8048384 <system>
0x08048520 <main+40>:   add    $0x10,%esp
==> system("clear")

0x08048523 <main+43>:   sub    $0xc,%esp
0x08048526 <main+46>:   push   $0x8048720      #  "\n  ", '#' <repeats 37 times>, "\n"
0x0804852b <main+51>:   call   0x80483c4 <printf>
0x08048530 <main+56>:   add    $0x10,%esp
==> printf("\n  #####################################\n")

0x08048533 <main+59>:   sub    $0xc,%esp
0x08048536 <main+62>:   push   $0x8048760      #  "  ##", ' ' <repeats 33 times>, "##\n"
0x0804853b <main+67>:   call   0x80483c4 <printf>
0x08048540 <main+72>:   add    $0x10,%esp
==> printf("  ##                                 ##\n")

0x08048543 <main+75>:   sub    $0xc,%esp
0x08048546 <main+78>:   push   $0x80487a0      # "  ##         텔넷 접속 서비스        ##\n"
0x0804854b <main+83>:   call   0x80483c4 <printf>
0x08048550 <main+88>:   add    $0x10,%esp
==> printf("  ##         텔넷 접속 서비스        ##\n")

0x08048553 <main+91>:   sub    $0xc,%esp
0x08048556 <main+94>:   push   $0x8048760      # "  ##", ' ' <repeats 33 times>, "##\n"
0x0804855b <main+99>:   call   0x80483c4 <printf>
0x08048560 <main+104>:  add    $0x10,%esp
==> printf("  ##                                 ##\n") 

0x08048563 <main+107>:  sub    $0xc,%esp
0x08048566 <main+110>:  push   $0x8048760      # "  ##", ' ' <repeats 33 times>, "##\n"
0x0804856b <main+115>:  call   0x80483c4 <printf>
0x08048570 <main+120>:  add    $0x10,%esp
==> printf("  ##                                 ##\n")

0x08048573 <main+123>:  sub    $0xc,%esp
0x08048576 <main+126>:  push   $0x80487e0      #  "  ##     1. 하이텔     2. 나우누리  ##\n"
0x0804857b <main+131>:  call   0x80483c4 <printf>
0x08048580 <main+136>:  add    $0x10,%esp
==> printf("  ##     1. 하이텔     2. 나우누리  ##\n")

0x08048583 <main+139>:  sub    $0xc,%esp
0x08048586 <main+142>:  push   $0x8048820      # "  ##     3. 천리안", ' ' <repeats 19 times>, "##\n"
0x0804858b <main+147>:  call   0x80483c4 <printf>
0x08048590 <main+152>:  add    $0x10,%esp
==> printf("  ##     3. 천리안                   ##\n")

0x08048593 <main+155>:  sub    $0xc,%esp
0x08048596 <main+158>:  push   $0x8048760      #  "  ##", ' ' <repeats 33 times>, "##\n"
0x0804859b <main+163>:  call   0x80483c4 <printf>
0x080485a0 <main+168>:  add    $0x10,%esp
==> printf("  ##                                 ##\n")

0x080485a3 <main+171>:  sub    $0xc,%esp 
0x080485a6 <main+174>:  push   $0x8048860      # "  ", '#' <repeats 37 times>, "\n"
0x080485ab <main+179>:  call   0x80483c4 <printf>
0x080485b0 <main+184>:  add    $0x10,%esp
==> printf("  #####################################\n")

0x080485b3 <main+187>:  sub    $0x8,%esp
0x080485b6 <main+190>:  push   $0x80484e0        # sig_func 함수
0x080485bb <main+195>:  push   $0x2
0x080485bd <main+197>:  call   0x8048374 <signal>
0x080485c2 <main+202>:  add    $0x10,%esp
==> signal(0x2, sig_func)   # 0x2 = SIGINT (Ctrl+C)

0x080485c5 <main+205>:  sub    $0xc,%esp
0x080485c8 <main+208>:  push   $0x80488a0        # "\n접속하고 싶은 bbs를 선택하세요 : "
0x080485cd <main+213>:  call   0x80483c4 <printf>
0x080485d2 <main+218>:  add    $0x10,%esp
==> printf("\n접속하고 싶은 bbs를 선택하세요 : ")

0x080485d5 <main+221>:  sub    $0x8,%esp
0x080485d8 <main+224>:  lea    0xfffffffc(%ebp),%eax
0x080485db <main+227>:  push   %eax             # 0xfffffffc(%ebp) : 지역변수(int s)
0x080485dc <main+228>:  push   $0x80488c3       # %d
0x080485e1 <main+233>:  call   0x8048394 <scanf>
0x080485e6 <main+238>:  add    $0x10,%esp
==> scanf("%d", &s)

0x080485e9 <main+241>:  cmpl   $0x1,0xfffffffc(%ebp)    # s == 1 ?
0x080485ed <main+245>:  jne    0x80485ff <main+263>
# if s == 1 main+247 else main+263

0x080485ef <main+247>:  sub    $0xc,%esp
0x080485f2 <main+250>:  push   $0x80488c6       # "telnet 203.245.15.76"
0x080485f7 <main+255>:  call   0x8048384 <system>
0x080485fc <main+260>:  add    $0x10,%esp
==> system("telnet 203.245.15.76")

0x080485ff <main+263>:  cmpl   $0x2,0xfffffffc(%ebp)    # s == 2 ?
0x08048603 <main+267>:  jne    0x8048615 <main+285>
# if s == 2 main+269 else main+285

0x08048605 <main+269>:  sub    $0xc,%esp
0x08048608 <main+272>:  push   $0x80488db       # "telnet 203.238.129.97"
0x0804860d <main+277>:  call   0x8048384 <system>
0x08048612 <main+282>:  add    $0x10,%esp
==> system("telnet 203.238.129.97")

0x08048615 <main+285>:  cmpl   $0x3,0xfffffffc(%ebp)
0x08048619 <main+289>:  jne    0x804862b <main+307>
# if s == 3 main+291 else main+307

0x0804861b <main+291>:  sub    $0xc,%esp
0x0804861e <main+294>:  push   $0x80488f1       # "telnet 210.120.128.180"
0x08048623 <main+299>:  call   0x8048384 <system>
0x08048628 <main+304>:  add    $0x10,%esp
==> system("telnet 210.120.128.180")

0x0804862b <main+307>:  cmpl   $0x1,0xfffffffc(%ebp)
0x0804862f <main+311>:  je     0x804864d <main+341>
0x08048631 <main+313>:  cmpl   $0x2,0xfffffffc(%ebp)
0x08048635 <main+317>:  je     0x804864d <main+341>
0x08048637 <main+319>:  cmpl   $0x3,0xfffffffc(%ebp)
0x0804863b <main+323>:  je     0x804864d <main+341>
# if !(s in 1,2,3) main+325 else main+341 => s가 1,2,3이 아닐 경우 main+325를 실행한다.

0x0804863d <main+325>:  sub    $0xc,%esp
0x08048640 <main+328>:  push   $0x8048920     # "잘못 입력하셨습니다. 접속을 종료합니다.\n"
0x08048645 <main+333>:  call   0x80483c4 <printf>
0x0804864a <main+338>:  add    $0x10,%esp
==> printf("잘못 입력하셨습니다. 접속을 종료합니다.\n");

0x0804864d <main+341>:  leave
0x0804864e <main+342>:  ret
0x0804864f <main+343>:  nop

sig_func 함수 분석

(gdb) disas sig_func

0x080484e0 <sig_func+0>:        push   %ebp
0x080484e1 <sig_func+1>:        mov    %esp,%ebp
0x080484e3 <sig_func+3>:        sub    $0x8,%esp

0x080484e6 <sig_func+6>:        sub    $0xc,%esp
0x080484e9 <sig_func+9>:        push   $0x80486e0    # "Can't use ctrl+c\n"  
0x080484ee <sig_func+14>:       call   0x80483c4 <printf>
0x080484f3 <sig_func+19>:       add    $0x10,%esp
==> printf("Can't use ctrl+c\n");

0x080484f6 <sig_func+22>:       leave
0x080484f7 <sig_func+23>:       ret

 

☞ 복원한 의사코드

#include <stdlib.h>
#include <stdio.h>
#include <signal.h>

/*
 * Signal handler that main() registers with signal(0x2, sig_func); signal 2
 * is SIGINT, i.e. Ctrl+C. It prints a message and returns, so an interrupt
 * delivered after registration no longer terminates the process.
 *
 * signo: number of the delivered signal; not used by the body.
 *
 * NOTE(review): printf() is not async-signal-safe. A hardened handler would
 * call write(2) or only set a volatile sig_atomic_t flag.
 */
void sig_func(int signo){
        printf("Can't use ctrl+c\n");   /* string pushed at sig_func+9 */
}

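/*
 * Reconstructed main() of /home/level6/tn.
 *
 * The menu dispatch is written as four independent `if` statements because
 * that is what the listing shows: after each system() call execution falls
 * through to the next cmpl (main+263, main+285, main+307) instead of jumping
 * to the end, and the "wrong input" check at main+307 compares s with 1, 2
 * and 3 again. An if / else-if chain would behave the same but would compile
 * to different code.
 *
 * The banner literals follow the gdb string dumps quoted beside each push in
 * the listing.
 *
 * Review notes on the reconstructed logic:
 *   - signal() is called only after the hint, getchar() and the banner, so
 *     the SIGINT handler does not cover that first phase. A guard meant to
 *     hold for the whole run belongs at the top of main().
 *   - system() hands the string to /bin/sh, which looks up cat, clear and
 *     telnet through PATH. If the binary runs with more privilege than its
 *     caller (not shown on this page), use absolute paths with a sanitized
 *     environment, or fork/execve.
 *   - The scanf() result is not checked; on non-numeric input s is never
 *     written and the comparisons read an indeterminate value.
 */
int main(void){

        int s;          /* local at 0xfffffffc(%ebp): menu choice */

        system("cat hint");
        getchar();
        system("clear");

        printf("\n  #####################################\n");
        printf("  ##                                 ##\n");
        printf("  ##         텔넷 접속 서비스        ##\n");
        printf("  ##                                 ##\n");
        printf("  ##                                 ##\n");
        printf("  ##     1. 하이텔     2. 나우누리  ##\n");
        printf("  ##     3. 천리안                   ##\n");
        printf("  ##                                 ##\n");
        printf("  #####################################\n");

        /* 0x2 == SIGINT; from here on Ctrl+C runs sig_func. */
        signal(0x2, sig_func);
        printf("\n접속하고 싶은 bbs를 선택하세요 : ");
        scanf("%d", &s);

        if(s == 1){                             /* main+241 */
                system("telnet 203.245.15.76");
        }
        if(s == 2){                             /* main+263 */
                system("telnet 203.238.129.97");
        }
        if(s == 3){                             /* main+285 */
                system("telnet 210.120.128.180");
        }
        if(s != 1 && s != 2 && s != 3){         /* main+307 .. main+323 */
                printf("잘못 입력하셨습니다. 접속을 종료합니다.\n");
        }

        /* No explicit return: the listing ends with leave/ret at main+341. */
}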

 
