Reversing __security_cookie
healer

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=111



In the yellow box from 00EA16BE to 00EA16CB,
I am wondering about the reason for each of these.

1. Why __security_cookie is loaded into EAX
2. And then why XOR EAX, EBP XORs it with EBP
3. MOV [EBP-4], EAX: why EAX is stored at EBP-4
4. LEA EAX, [EBP-14]: why the address EBP-14 is loaded
5. Why EAX is pushed

  Hit: 4443     Date: 2017/07/17 12:27



    
healer
00EA16A0 > 55 PUSH EBP ; IsPasswordOK()
00EA16A1 8BEC MOV EBP,ESP
00EA16A3 81EC DC000000 SUB ESP,0DC
00EA16A9 53 PUSH EBX
00EA16AA 56 PUSH ESI
00EA16AB 57 PUSH EDI
00EA16AC 8DBD 24FFFFFF LEA EDI,DWORD PTR SS:[EBP-DC]
00EA16B2 B9 37000000 MOV ECX,37
00EA16B7 B8 CCCCCCCC MOV EAX,CCCCCCCC
00EA16BC F3:AB REP STOS DWORD PTR ES:[EDI]
00EA16BE A1 0490EA00 MOV EAX,DWORD PTR DS:[__security_cookie]
00EA16C3 33C5 XOR EAX,EBP
00EA16C5 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00EA16C8 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00EA16CB 50 PUSH EAX

The picture won't upload, since this is my first time...
2017/07/17
pwnnnt Looks like BOF prevention. 2017/07/18
sTRAYdOG 1. Why __security_cookie is loaded into EAX
For the XOR operation in number 2.
2. And then why XOR EAX, EBP XORs it with EBP
Can't tell. The result in EAX will presumably be used later.
3. MOV [EBP-4], EAX: why EAX is stored at EBP-4
[EBP-4] is a local variable. Apparently it gets stored there. When the function returns later, this may be what is returned.
4. LEA EAX, [EBP-14]: why the address EBP-14 is loaded
You can't tell from the source alone what is at [EBP-14].
5. Why EAX is pushed
It is pushed onto the stack so it can be taken back off later.

As I see it, judging from the code alone, the XOR operation at number 3 looks like the main purpose of the function.
2017/07/30
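The prologue in the listing above (MOV EAX,[__security_cookie] / XOR EAX,EBP / MOV [EBP-4],EAX) is the MSVC /GS stack-cookie setup: the cookie is XORed with EBP and parked at [EBP-4], just above the local buffer at [EBP-14], and the epilogue repeats the XOR and compares before returning. The C model below is an added example, not code from the post; it reproduces that prologue and check over a constructed frame so an overrun of the 16-byte local can be seen being caught, with the cookie and EBP values made up for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame in the listing: the 16-byte local at
   [EBP-14] sits directly below the cookie slot at [EBP-4], so a copy that
   runs past the buffer reaches the slot before it reaches saved EBP/EIP. */
typedef struct {
    uint8_t  buf[16];      /* [EBP-14] .. [EBP-5] */
    uint32_t cookie_slot;  /* [EBP-4] */
} gs_frame;

/* Stand-in for the process-wide __security_cookie (constructed value). */
static const uint32_t security_cookie = 0x8E2D5A71u;

/* Prologue: MOV EAX,[__security_cookie] / XOR EAX,EBP / MOV [EBP-4],EAX.
   XORing with EBP makes the stored value differ from frame to frame. */
void gs_prologue(gs_frame *f, uint32_t ebp)
{
    f->cookie_slot = security_cookie ^ ebp;
}

/* Epilogue: reload [EBP-4], undo the XOR and compare with the global.
   Returns true when the slot is intact (what __security_check_cookie verifies). */
bool gs_check(const gs_frame *f, uint32_t ebp)
{
    return (f->cookie_slot ^ ebp) == security_cookie;
}

/* Unchecked copy into the local buffer, as a strcpy into char buf[16] would be.
   Clamped to the frame object so the model itself stays well defined. */
void copy_into_local(gs_frame *f, const uint8_t *src, size_t n)
{
    if (n > sizeof *f) n = sizeof *f;
    memcpy((uint8_t *)f, src, n);
}

/* Runs prologue, copy and check for an input of n bytes; false = overrun detected. */
bool frame_survives(size_t n)
{
    const uint32_t ebp = 0x0019FF20u;   /* constructed frame address */
    uint8_t src[sizeof(gs_frame)];
    memset(src, 'A', sizeof src);
    gs_frame f;
    gs_prologue(&f, ebp);
    copy_into_local(&f, src, n);
    return gs_check(&f, ebp);
}
```

Inputs of up to 16 bytes leave the slot untouched and the check passes; the 17th byte already lands in [EBP-4] and the check fails, which is the point at which the real __security_check_cookie would abort the process instead of returning.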