
Position[Reversing.Kr]

b1ackhand 2022. 8. 7. 15:46

이 문제를 풀어보면서 디컴파일러를 왜 써야 하는지를 알게 되었다.

 

문제를 보면 다음과 같이 Name, Serial에 입력된 값에 따라

맞냐 틀리냐를 출력한다.

 

따라서 문제는 다음과 같은 SerialNumber가 주어졌을 때 아이디는 무엇이 되어야 하느냐에 해당한다.

비밀번호는 4글자로 p로 끝난다.

 

Correct, Wrong 문자열을 기준으로 string 검색을 하면 위의 함수가 호출되는 곳을 찾을 수 있고,

position.5E1740에서 step in을 해보면 Name, Serial을 비교하는 부분이 나올 것이다.

 

따라서 이를 분석해보려 했지만 이는 너무 복잡하고 어려워서 실패하였다.

다른 writeup을 보면 IDA를 이용하여 디컴파일해서 이를 분석하여 코드를 짰다.

IDA PRO를 구매할 수는 없어서 기드라를 깔아서 진행하였다.

 

위와 같은 방식으로 기드라에서 string 검색을 하여 FUN_00401740 함수를 분석하면 답을 도출해 낼 수 있을 것이라고 생각했다.

 

/* WARNING: Could not reconcile some variable overlaps */

/*
 * Ghidra decompilation of the Name/Serial check, reproduced as listed.
 *
 * param_1: presumably the dialog/window object; the two child controls at
 *          param_1+0x130 and param_1+0x1a4 are read with CWnd::GetWindowTextW
 *          into local_1c and local_18 (the post identifies them as Name and
 *          Serial respectively).
 * Returns 1 when every check below passes, otherwise 0 via LAB_004017ab.
 *
 * local_14 is a scratch CString that receives the _itow_s output; the
 * extraout_var* / CONCAT31 pairs appear to be decompiler artefacts of a
 * 16-bit wchar_t return value being read out of a 32-bit register.
 */
undefined4 FUN_00401740(int param_1)

{
  wchar_t wVar1;
  wchar_t wVar2;
  wchar_t wVar3;
  wchar_t wVar4;
  undefined3 extraout_var;
  undefined3 extraout_var_00;
  undefined3 extraout_var_01;
  undefined3 extraout_var_02;
  undefined3 extraout_var_03;
  wchar_t *pwVar5;
  undefined3 extraout_var_04;
  undefined3 extraout_var_05;
  undefined3 extraout_var_06;
  undefined3 extraout_var_07;
  undefined3 extraout_var_08;
  undefined3 extraout_var_09;
  undefined3 extraout_var_10;
  undefined3 extraout_var_11;
  undefined3 extraout_var_12;
  undefined3 extraout_var_13;
  undefined3 extraout_var_14;
  undefined3 extraout_var_15;
  undefined3 extraout_var_16;
  undefined3 extraout_var_17;
  undefined3 extraout_var_18;
  undefined3 extraout_var_19;
  undefined3 extraout_var_20;
  undefined3 extraout_var_21;
  undefined3 extraout_var_22;
  undefined3 extraout_var_23;
  int iVar6;
  int iVar7;
  int **in_FS_OFFSET;
  size_t sVar8;
  int local_1c;
  int local_18;
  CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ local_14 [4];
  int *local_10;
  undefined *puStack12;
  undefined4 local_8;
  
  // Looks like compiler-generated exception-frame bookkeeping through FS:[0];
  // *in_FS_OFFSET is restored before each return below.
  local_8 = 0xffffffff;
  puStack12 = &LAB_00402acb;
  local_10 = *in_FS_OFFSET;
  *in_FS_OFFSET = (int *)&local_10;
  // Construct the three CStrings: local_1c (Name), local_18 (Serial), local_14 (scratch).
  ATL::CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>::
  CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
            ((CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ *)
             &local_1c);
  iVar7 = 0;
  local_8 = 0;
  ATL::CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>::
  CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
            ((CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ *)
             &local_18);
  ATL::CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>::
  CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____(local_14);
  local_8 = CONCAT31(local_8._1_3_,2);
  CWnd::GetWindowTextW
            ((CWnd *)(param_1 + 0x130),
             (CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ *)
             &local_1c);
  // Name must be exactly 4 wide characters: the int 12 bytes before the buffer
  // pointer is presumably the CString length field (CStringData::nDataLength).
  if (*(int *)(local_1c + -0xc) == 4) {
    //1phase
    // Phase 1: every Name character must lie in 0x61..0x7a ('a'..'z');
    // anything outside that range jumps to the shared failure exit.
    iVar6 = 0;
    do {
      wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_1c,iVar6);
      if (((ushort)CONCAT31(extraout_var,wVar1) < 0x61) ||
         (wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                            ((CSimpleStringT_wchar_t_1_ *)&local_1c,iVar6),
         0x7a < (ushort)CONCAT31(extraout_var_00,wVar1))) goto LAB_004017ab;
      iVar6 = iVar6 + 1;
    } while (iVar6 < 4);
    do {
      //2phase
      // Phase 2: the four Name characters must be pairwise distinct
      // (every i != j pair is compared; any equality fails).
      iVar6 = 0;
      do {
        if (iVar7 != iVar6) {
          wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                            ((CSimpleStringT_wchar_t_1_ *)&local_1c,iVar6);
          wVar2 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                            ((CSimpleStringT_wchar_t_1_ *)&local_1c,iVar7);
          if ((short)CONCAT31(extraout_var_02,wVar2) == (short)CONCAT31(extraout_var_01,wVar1))
          goto LAB_004017ab;
        }
        iVar6 = iVar6 + 1;
      } while (iVar6 < 4);
      iVar7 = iVar7 + 1;
    } while (iVar7 < 4);
    // Read Serial; it must be 11 wide characters with '-' (0x2d) at index 5,
    // i.e. five characters, a dash, five characters.
    CWnd::GetWindowTextW
              ((CWnd *)(param_1 + 0x1a4),
               (CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ *
               )&local_18);
    if ((*(int *)(local_18 + -0xc) == 0xb) &&
       (wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_18,5),
       (short)CONCAT31(extraout_var_03,wVar1) == 0x2d)) {
      // Serial[0..4] are each derived from one bit of Name[0] (wVar1) and one
      // bit of Name[1] (wVar2):  value = ((Name[1] >> k) & 1) + 1 + ((Name[0] >> j) & 1) + 5,
      // so every expected digit is in 6..8.  Only the low byte of each wchar_t
      // is used.  The value is formatted in base 10 (iVar7) into a 10-wchar
      // scratch buffer (sVar8) and its first character compared with the
      // Serial character; ReleaseBuffer(-1) lets CString recompute its length
      // after _itow_s wrote into the raw buffer.
      // Bit positions per Serial index: [0] k=2,j=0  [1] k=3,j=3  [2] k=4,j=1
      //                                 [3] k=0,j=2  [4] k=1,j=4
      wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_1c,0);
      wVar2 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_1c,1);
      iVar7 = 10;
      sVar8 = 10;
      pwVar5 = (wchar_t *)
               ATL::CSimpleStringT<wchar_t,1>::GetBuffer((CSimpleStringT_wchar_t_1_ *)local_14,10);
      _itow_s((uint)(byte)(((byte)wVar2 >> 2 & 1) + 1) + (uint)(byte)(((byte)wVar1 & 1) + 5),pwVar5,
              sVar8,iVar7);
      wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)local_14,0);
      wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_18,0);
      if ((short)CONCAT31(extraout_var_05,wVar4) == (short)CONCAT31(extraout_var_04,wVar3)) {
        ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer((CSimpleStringT_wchar_t_1_ *)local_14,-1);
        iVar7 = 10;
        sVar8 = 10;
        pwVar5 = (wchar_t *)
                 ATL::CSimpleStringT<wchar_t,1>::GetBuffer((CSimpleStringT_wchar_t_1_ *)local_14,10)
        ;
        _itow_s((uint)(byte)(((byte)wVar2 >> 3 & 1) + 1) + (uint)(byte)(((byte)wVar1 >> 3 & 1) + 5),
                pwVar5,sVar8,iVar7);
        wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_18,1);
        wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)local_14,0);
        if ((short)CONCAT31(extraout_var_06,wVar3) == (short)CONCAT31(extraout_var_07,wVar4)) {
          ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer((CSimpleStringT_wchar_t_1_ *)local_14,-1);
          iVar7 = 10;
          sVar8 = 10;
          pwVar5 = (wchar_t *)
                   ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                             ((CSimpleStringT_wchar_t_1_ *)local_14,10);
          _itow_s((uint)(byte)(((byte)wVar2 >> 4 & 1) + 1) +
                  (uint)(byte)(((byte)wVar1 >> 1 & 1) + 5),pwVar5,sVar8,iVar7);
          wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_18,2);
          wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)local_14,0);
          if ((short)CONCAT31(extraout_var_08,wVar3) == (short)CONCAT31(extraout_var_09,wVar4)) {
            ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer((CSimpleStringT_wchar_t_1_ *)local_14,-1);
            iVar7 = 10;
            sVar8 = 10;
            pwVar5 = (wchar_t *)
                     ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                               ((CSimpleStringT_wchar_t_1_ *)local_14,10);
            _itow_s((uint)(byte)(((byte)wVar2 & 1) + 1) + (uint)(byte)(((byte)wVar1 >> 2 & 1) + 5),
                    pwVar5,sVar8,iVar7);
            wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)&local_18,3);
            wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)local_14,0);
            if ((short)CONCAT31(extraout_var_10,wVar3) == (short)CONCAT31(extraout_var_11,wVar4)) {
              ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                        ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
              iVar7 = 10;
              sVar8 = 10;
              pwVar5 = (wchar_t *)
                       ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                                 ((CSimpleStringT_wchar_t_1_ *)local_14,10);
              _itow_s((uint)(byte)(((byte)wVar2 >> 1 & 1) + 1) +
                      (uint)(byte)(((byte)wVar1 >> 4 & 1) + 5),pwVar5,sVar8,iVar7);
              wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                ((CSimpleStringT_wchar_t_1_ *)&local_18,4);
              wVar2 = ATL::CSimpleStringT<wchar_t,1>::GetAt((CSimpleStringT_wchar_t_1_ *)local_14,0)
              ;
              if ((short)CONCAT31(extraout_var_12,wVar1) == (short)CONCAT31(extraout_var_13,wVar2))
              {
                ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                          ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
                // Second half: the same five bit-pair formulas, now with
                // Name[2] (wVar1) and Name[3] (wVar2), checked against Serial[6..10].
                wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                  ((CSimpleStringT_wchar_t_1_ *)&local_1c,2);
                wVar2 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                  ((CSimpleStringT_wchar_t_1_ *)&local_1c,3);
                iVar7 = 10;
                sVar8 = 10;
                pwVar5 = (wchar_t *)
                         ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                                   ((CSimpleStringT_wchar_t_1_ *)local_14,10);
                _itow_s((uint)(byte)(((byte)wVar2 >> 2 & 1) + 1) +
                        (uint)(byte)(((byte)wVar1 & 1) + 5),pwVar5,sVar8,iVar7);
                wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                  ((CSimpleStringT_wchar_t_1_ *)&local_18,6);
                wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                  ((CSimpleStringT_wchar_t_1_ *)local_14,0);
                if ((short)CONCAT31(extraout_var_14,wVar3) == (short)CONCAT31(extraout_var_15,wVar4)
                   ) {
                  ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                            ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
                  iVar7 = 10;
                  sVar8 = 10;
                  pwVar5 = (wchar_t *)
                           ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                                     ((CSimpleStringT_wchar_t_1_ *)local_14,10);
                  _itow_s((uint)(byte)(((byte)wVar2 >> 3 & 1) + 1) +
                          (uint)(byte)(((byte)wVar1 >> 3 & 1) + 5),pwVar5,sVar8,iVar7);
                  wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                    ((CSimpleStringT_wchar_t_1_ *)&local_18,7);
                  wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                    ((CSimpleStringT_wchar_t_1_ *)local_14,0);
                  if ((short)CONCAT31(extraout_var_16,wVar3) ==
                      (short)CONCAT31(extraout_var_17,wVar4)) {
                    ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                              ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
                    iVar7 = 10;
                    sVar8 = 10;
                    pwVar5 = (wchar_t *)
                             ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                                       ((CSimpleStringT_wchar_t_1_ *)local_14,10);
                    _itow_s((uint)(byte)(((byte)wVar2 >> 4 & 1) + 1) +
                            (uint)(byte)(((byte)wVar1 >> 1 & 1) + 5),pwVar5,sVar8,iVar7);
                    wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                      ((CSimpleStringT_wchar_t_1_ *)&local_18,8);
                    wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                      ((CSimpleStringT_wchar_t_1_ *)local_14,0);
                    if ((short)CONCAT31(extraout_var_18,wVar3) ==
                        (short)CONCAT31(extraout_var_19,wVar4)) {
                      ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                                ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
                      iVar7 = 10;
                      sVar8 = 10;
                      pwVar5 = (wchar_t *)
                               ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                                         ((CSimpleStringT_wchar_t_1_ *)local_14,10);
                      _itow_s((uint)(byte)(((byte)wVar2 & 1) + 1) +
                              (uint)(byte)(((byte)wVar1 >> 2 & 1) + 5),pwVar5,sVar8,iVar7);
                      wVar3 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                        ((CSimpleStringT_wchar_t_1_ *)&local_18,9);
                      wVar4 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                        ((CSimpleStringT_wchar_t_1_ *)local_14,0);
                      if ((short)CONCAT31(extraout_var_20,wVar3) ==
                          (short)CONCAT31(extraout_var_21,wVar4)) {
                        ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                                  ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
                        iVar7 = 10;
                        sVar8 = 10;
                        pwVar5 = (wchar_t *)
                                 ATL::CSimpleStringT<wchar_t,1>::GetBuffer
                                           ((CSimpleStringT_wchar_t_1_ *)local_14,10);
                        _itow_s((uint)(byte)(((byte)wVar2 >> 1 & 1) + 1) +
                                (uint)(byte)(((byte)wVar1 >> 4 & 1) + 5),pwVar5,sVar8,iVar7);
                        wVar1 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                          ((CSimpleStringT_wchar_t_1_ *)&local_18,10);
                        wVar2 = ATL::CSimpleStringT<wchar_t,1>::GetAt
                                          ((CSimpleStringT_wchar_t_1_ *)local_14,0);
                        if ((short)CONCAT31(extraout_var_22,wVar1) ==
                            (short)CONCAT31(extraout_var_23,wVar2)) {
                          // All ten Serial digits matched: destroy the three
                          // CStrings, restore FS:[0], and report success (1).
                          ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer
                                    ((CSimpleStringT_wchar_t_1_ *)local_14,-1);
                          ATL::
                          CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>
                          ::
                          _CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
                                    (local_14);
                          ATL::
                          CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>
                          ::
                          _CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
                                    ((CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
                                      *)&local_18);
                          ATL::
                          CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>
                          ::
                          _CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
                                    ((CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
                                      *)&local_1c);
                          *in_FS_OFFSET = local_10;
                          return 1;
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
  // Shared failure exit for every check above (and the fall-through when a
  // digit mismatches): destroy the CStrings, restore FS:[0], return 0.
  // Note the early-exit structure: the function stops at the first failing
  // digit, and each expected digit depends on only two input bits.
LAB_004017ab:
  ATL::CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>::
  _CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____(local_14);
  ATL::CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>::
  _CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
            ((CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ *)
             &local_18);
  ATL::CStringT<wchar_t,class_StrTraitMFC_DLL<wchar_t,class_ATL::ChTraitsCRT<wchar_t>_>_>::
  _CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____
            ((CStringT_wchar_t_class_StrTraitMFC_DLL_wchar_t_class_ATL__ChTraitsCRT_wchar_t_____ *)
             &local_1c);
  *in_FS_OFFSET = local_10;
  return 0;
}

주석으로 1phase, 2phase를 표시해 둔 부분을 분석해 보면

 

1phase는 id에서 글자를 하나씩 뽑아와서 0x61('a')과 0x7a('z') 사이에 있는지, 즉 영어 소문자로만 적혀 있는지 확인하는 부분이고

2phase는 2중 for문으로 중복된 알파벳이 있는지 없는지 확인하는 부분이다.

위 두 단계 이후에는 name과 serial을 비교하는 부분이다.

각 변수들이 헷갈리지 않도록 브루트포싱으로 계산하는 코드를 파이썬으로 짜 주면 답을 구할 수 있다.
