
http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_programming&no=6625 []



ȳϽ.



ڵŰ ̶ մϴ.





Էϼ.

̹ Ǵ غϴ.



̶,̺귯 մϴ.



ش ս softwaredebuging ʼε, ˾Ƽ

ش տ ʽÿ.

˷ֱ⿣, Ϸ ġʹԵ Ŷ ؼ Ⱦ˷ 帮ڽϴ.

͵  «̶, ˷ָ ׷ŵ...

׳ ̷и ص帳ϴ.

, Դ 鵵 Ŷ ϴ.



ư ش

߾ Ʃ ִ ε ϱ Լ ֽϴ.



ϸ ΰ...ù ̵ ٸ,

crc ǹ ٰ Ÿ ϴ.

ý Լ ϴ°͵ ѵ, Լ ұ?



̰, ٸ MD5 纻ε.

[ENABLE] //code from here to '[DISABLE]' will be used to enable the cheat
// Cheat Engine auto-assembler script, 32-bit x86, Intel operand order. Numbers are hex unless prefixed with '#';
// '//' and curly-brace blocks are comments (the brace blocks below are CE's own value annotations from the copy).
// What this is: the disassembly of a small MSVC *Debug* build (ConsoleApplication11.exe) pasted into the target so its
// file-enumeration loop runs through MapleStory.exe's own import slots instead of through a DLL of its own.
// Because it was lifted from a Debug build, the runtime-check scaffolding came along with the logic:
//   - 0xCCCCCCCC frame fill via `repe stosd`,
//   - the /GS cookie pattern `mov eax,[cookie]; xor eax,ebp; mov [ebp-04],eax` and its check (`scand3`),
//   - /RTC checks (`cmp esi,esp` / `cmp ebp,esp` around calls; `fun3`/`scand` build "Stack around the variable ... was corrupted"),
//   - `__report_gsfailure` (`int 29` with ecx=2, ExceptionCode C0000409 = STATUS_STACK_BUFFER_OVERRUN).
// NOTE(review): every absolute address here (00BFFDC0, 00C00A20, 00C00f20, 00A7C710, MapleStory.exe+710054/+710050,
// ConsoleApplication11.exe+xxxx) is a snapshot of one process on the author's machine. ConsoleApplication11.exe is the
// author's program, not the game: unless that module is actually loaded in the target, none of those symbols resolve,
// and the `je/ja/jmp/jl ConsoleApplication11.exe+...` branches below leave this copy and jump into that image.
// NOTE(review): labels used but never declared with label(): loop2, fun2, fun3, get, get2, get3, scand, scand3, scand4,
// scand5. `put1` is declared and called but never defined; goto1/goto2 are declared and never used. Confirm the
// assembler accepts the script as posted.
// NOTE(review): `repne` in front of jne/ret/jmp is how the disassembler renders the F2 (MPX `bnd`) prefix that MSVC emits
// in __security_check_cookie; it does not change what those instructions do.
createThread(find2)                        // run find2 on a fresh thread in the target; its thread argument is [ebp+08]
label(goto1)                               // declared, never used
label(goto2)                               // declared, never used
define(find,00C00A20)                      // fixed addresses: the code below is written over whatever is mapped there
Registersymbol(find)
define(find2,00C00f20)
Registersymbol(find2)
label(loop)
label(put1)                                // declared and called below, never defined (see header)
00BFFDC0: db 2A                            // fixed scratch block; also used as the destination buffer below
00BFFDC0+40: dd 59742A13                   // stand-in for the /GS security cookie read at the top of find2
00BFFDC0+48: dd 1                          // flag word: passed to the put1 check and read again by scand
00BFFDC0+4C: dd 000A7325
find:                                      // at 00C00A20: the tail of a __security_check_cookie without its cmp
repne jne find+5                           // NOTE(review): with standard encodings find+5 is the `push ebp` below, which falls
repne ret                                  //   straight into find2 -- a taken jne re-enters the whole enumerator with a stale frame.
push ebp                                   //   The flags tested come from whatever ran before `call find` (often a callee's return).
mov ebp,esp
sub esp,00
push eax
find2:                                     // at 00C00f20: copied Debug-build function, 0x218 bytes of locals
push ebp
mov ebp,esp
sub esp,00000218
push ebx
push esi
push edi
lea edi,[ebp-00000218]
mov ecx,00000086                           // 0x86 dwords = 0x218 bytes
mov eax,CCCCCCCC
repe stosd                                 // Debug-build fill of the whole frame
mov eax,[00BFFDC0+40]                      // "security cookie" ...
xor eax,ebp
mov [ebp-04],eax                           // ... xor'd with ebp into the canary slot; re-checked in fun2
mov ecx,00BFFDC0+48 //1                    // presumably the /JMC flag check (__CheckForDebuggerJustMyCode); put1 has no body
call put1
mov eax,[ebp+08]
push 00BFFDC0 //42                         // arg3: destination = the scratch block above
push 00000104                              // arg2: 0x104 = MAX_PATH
mov eax,[ebp+08]
push eax                                   // arg1: thread argument (a path string, by the way it is used next)
call 00A7C710 //7ffff //                   // 3-arg call; no caller-side stack cleanup follows, so presumably stdcall. Callee not visible.
mov esi,esp                                // /RTC idiom: remember esp around the call ...
lea eax,[ebp-00000148]                     // &find_data (0x140-byte struct at [ebp-148])
push eax
mov ecx,[ebp+08]
push ecx                                   // path
call dword ptr [MapleStory.exe+710054]     // the game's own import slot; shape is FindFirstFile(path, &fd) -- slot contents not visible, confirm
mov esi,esp
call find                                  // ... `call find` stands where `cmp esi,esp; call _RTC_CheckEsp` used to be
mov [ebp-00000154],eax                     // search handle
cmp dword ptr [ebp-00000154],-01           // INVALID_HANDLE_VALUE ?
jne loop
mov esi,esp
call dword ptr [kernel32.GetLastError]     // failure path: error code fetched and discarded
cmp esi,esp
call find
jmp fun2
loop:
mov eax,[ebp-00000148]                     // fd.dwFileAttributes
and eax,20                                 // 0x20 = FILE_ATTRIBUTE_ARCHIVE (assuming WIN32_FIND_DATA layout)
je loop2
lea eax,[ebp-0000011C]                     // &fd.cFileName (+0x2C); computed and then never used
loop2:                                     // used without label(loop2)
mov esi,esp
lea eax,[ebp-00000148]
push eax                                   // &fd
mov ecx,[ebp-00000154]
push ecx                                   // handle
call dword ptr [MapleStory.exe+710054]//filae  -- NOTE(review): same slot as the first call, but FindNextFile is a different export; confirm the slot
cmp esi,esp
call find
test eax,eax
jne loop                                   // keep enumerating until the call returns 0
mov esi,esp
mov eax,[ebp-00000154]
push eax
call dword ptr [MapleStory.exe+710050] //close  -- shape is FindClose(handle)
fun2:                                      // Debug-build epilogue: RTC stack-variable check, cookie check, esp check
push edx
mov ecx,ebp                                // ecx = frame base for fun3
push eax
lea edx,[ConsoleApplication11.exe+11CC4]//1    -- edx = the function's local-variable descriptor table, in the ORIGINAL exe
call fun3
pop eax
pop edx
pop edi
pop esi
pop ebx
mov ecx,[ebp-04]
xor ecx,ebp                                // recover the cookie value
call ConsoleApplication11.exe+11154        // presumably __security_check_cookie in the original exe (not the copy at scand3)
add esp,00000218
cmp ebp,esp
call ConsoleApplication11.exe+11253        // presumably _RTC_CheckEsp in the original exe
mov esp,ebp
pop ebp
ret
fun3:                                      // _RTC_CheckStackVars shape: ecx = frame, edx -> (count, table*); rows are 12 bytes: offset, size, name
push ebp
mov ebp,esp
push ecx
push ebx
mov ebx,edx
mov [ebp-04],ecx
push esi
xor esi,esi                                // esi = row index
cmp [ebx],esi                              // count <= 0: nothing to check
jle get
push edi
xor edi,edi                                // edi = byte offset of the current row
mov ecx,[ebx+04]
mov eax,[ebp-04]
mov edx,[ecx+edi]                          // row.offset (relative to the frame)
cmp [edx+eax-04],CCCCCCCC                  // guard word just below the variable intact?
jne get2
mov eax,[ecx+edi+04]                       // row.size
add eax,edx
mov edx,[ebp-04]
cmp [eax+edx],CCCCCCCC                     // guard word just above the variable intact?
je get3
push [ecx+edi+08]                          // row.name
mov eax,[ebp+04]                           // return address of the checked frame
push eax
call ConsoleApplication11.exe+11352        // presumably _RTC_StackFailure (the `scand` routine below is a copy of it)
get2:
add esp,08
get3:
inc esi
add edi,0C                                 // next 12-byte row
cmp esi,[ebx]
jl ConsoleApplication11.exe+12174          // NOTE(review): loops back into the ORIGINAL exe's copy of this function, not into fun3
pop edi
get:
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
00BFFDC0+58: dd #19                        // decimal 19 (0x13): second cookie value, read by scand
scand:                                     // _RTC_StackFailure shape: builds "Stack around the variable '<name>' was corrupted." and reports it
label(scand2)
push ebp
mov ebp,esp
sub esp,00000404 { 1028 }                  // 0x400-byte message buffer plus the cookie slot
mov eax,[00BFFDC0+58] { (19) }
xor eax,ebp
mov [ebp-04],eax
push ebx
mov ebx,[ebp+08]                           // return address of the failing frame
push esi
mov esi,[ebp+0C]                           // variable name
push edi
mov edi,[00BFFDC0+48] { (1) }
cmp edi,-01 { 255 }                        // flag == -1: reporting disabled
je scand2
cmp byte ptr [esi],00 { 0 }                // empty name -> "unknown variable" message
je ConsoleApplication11.exe+12A88          // NOTE(review): target is in the original exe; the copy's equivalent is the `mov eax,...18080` block below
push esi
call ConsoleApplication11.exe+12B70        // presumably strlen(name)
add eax,2D { 45 }                          // plus the two fixed fragments
add esp,04 { 4 }
cmp eax,00000400 { 1024 }                  // would the message overflow the 1 KiB buffer?
ja ConsoleApplication11.exe+12A88          // NOTE(review): again a target inside the original exe
push ConsoleApplication11.exe+17BA4 { ("Stack around the variable '") }
lea eax,[ebp-00000404]
push 00000400 { 1024 }
push eax
call ConsoleApplication11.exe+11366        // presumably strcpy_s(buf, 0x400, fragment)
push esi
lea eax,[ebp-00000404]
push 00000400 { 1024 }
push eax
call ConsoleApplication11.exe+1134D        // presumably strcat_s(buf, 0x400, name)
push ConsoleApplication11.exe+17BC0 { ("' was corrupted.") }
lea eax,[ebp-00000404]
push 00000400 { 1024 }
push eax
call ConsoleApplication11.exe+1134D
add esp,24 { 36 }
lea eax,[ebp-00000404]                     // eax = assembled message
jmp ConsoleApplication11.exe+12A8D         // NOTE(review): into the original exe; the copy's continuation is the `push eax` two lines down
mov eax,ConsoleApplication11.exe+18080 { ("Stack corrupted near unknown variable") }
push eax                                   // message
push 02 { 2 }                              // RTC error number
push edi
push ebx                                   // return address
call ConsoleApplication11.exe+12B90        // presumably the _RTC error reporter
add esp,10 { 16 }
mov ecx,[ebp-04]
pop edi
pop esi
xor ecx,ebp
pop ebx
call ConsoleApplication11.exe+11154        // cookie check in the original exe
mov esp,ebp
pop ebp
ret
scand2:                                    // early exit: same epilogue, nothing reported
mov ecx,[ebp-04]
pop edi
pop esi
xor ecx,ebp
pop ebx
call ConsoleApplication11.exe+11154
mov esp,ebp
pop ebp
ret
scand3:                                    // __security_check_cookie shape: ecx = canary ^ ebp as recovered by the caller
cmp ecx,[ConsoleApplication11.exe+1A004] { (19) }  // compares against the ORIGINAL exe's __security_cookie, not the value at 00BFFDC0+40
repne jne scand3+5                         // mismatch: fall through into the failure report
repne ret
repne jmp scand4
scand4:                                    // __report_gsfailure shape
push ebp
mov ebp,esp
sub esp,00000324                           // 0x324 bytes of scratch (the copy never fills them)
push 17                                    // 0x17 = 23 = PF_FASTFAIL_AVAILABLE
call ConsoleApplication11.exe+111D6 //76975135  -- presumably IsProcessorFeaturePresent
test eax,eax
je scand5
mov ecx,00000002                           // FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29                                     // __fastfail: the target process is terminated on the spot, no handler or debugger break first
scand5:                                    // no fast-fail support: capture registers into the original exe's context record and raise
mov [ConsoleApplication11.exe+1A248],eax
mov [ConsoleApplication11.exe+1A244],ecx
mov [ConsoleApplication11.exe+1A240],edx
mov [ConsoleApplication11.exe+1A23C],ebx
mov [ConsoleApplication11.exe+1A238],esi
mov [ConsoleApplication11.exe+1A234],edi
mov [ConsoleApplication11.exe+1A260],ss
mov [ConsoleApplication11.exe+1A254],cs
mov [ConsoleApplication11.exe+1A230],ds
mov [ConsoleApplication11.exe+1A22C],es
mov [ConsoleApplication11.exe+1A228],fs
mov [ConsoleApplication11.exe+1A224],gs
pushfd
pop [ConsoleApplication11.exe+1A258]       // EFLAGS
mov eax,[ebp+00]
mov [ConsoleApplication11.exe+1A24C],eax   // caller's ebp
mov eax,[ebp+04]
mov [ConsoleApplication11.exe+1A250],eax   // return address = faulting eip
lea eax,[ebp+08]
mov [ConsoleApplication11.exe+1A25C],eax   // caller's esp
mov eax,[ebp-00000324]                     // reads an uninitialised local; result unused
mov [ConsoleApplication11.exe+1A198],00010001
mov eax,[ConsoleApplication11.exe+1A250]
mov [ConsoleApplication11.exe+1A154],eax   // ExceptionAddress
mov [ConsoleApplication11.exe+1A148],C0000409  // ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
mov [ConsoleApplication11.exe+1A14C],00000001  // ExceptionFlags = EXCEPTION_NONCONTINUABLE
mov [ConsoleApplication11.exe+1A158],00000001  // NumberParameters = 1
mov ecx,00000004
imul edx,ecx,00                            // compiler-generated index 0 * 4
mov [edx+ConsoleApplication11.exe+1A15C],00000002  // ExceptionInformation[0] = 2
mov eax,00000004
imul ecx,eax,00
mov edx,[ConsoleApplication11.exe+1A004]   // save the original exe's cookie ...
mov [ebp+ecx-08],edx
mov eax,00000004
shl eax,00
mov ecx,[ConsoleApplication11.exe+1A000]   // ... and its complement into locals
mov [ebp+eax-08],ecx
push ConsoleApplication11.exe+18230        // presumably &exception pointers
call ConsoleApplication11.exe+113C5        // presumably the unhandled-exception raise; not expected to return
mov esp,ebp
pop ebp
ret
[DISABLE]





̷ ׳ Լȣ Եȴٸ,sha-256,MD5 ȣȭ Լ鵵 ٸ ׾

iat,eip,crcȸ ׵ ʿ ׳ ȣ⸸

ȣس ִ ƽʴϱ?

ٷ ͱ Դϴ.

̷ ͱ ༺ ̿ϴ° ٷ Դϴ.



, ø Լȣ MD5 ̴ ϼ ü ø

Ȥ ̿ظ 𸣴  Ⱦ.(͵  ,«̶ϴ.)


ϸ, MD5ӵ ϴ, ư ׷ ߿ġ ?



crc?Ƽ? ? ҿ ϴ.

Լ ׳ Ŀ ϰ 糤 Ŷ, ǹ̰ ŵ.



׷. ġä̰,̶ ̺귯 Դϴ.

ϴ ⷮ, Ἥ ش ڵ ˾Ƴ

ȯ goto,ý Լ,ó ؾ Ϸ,ü ʰ, ڴ ϳ óϴ ϸ鼭

ͱ Լ ĿβԼ ٲԴ մϴ.



, , ͱ ̿Ͽ, Ѳĥ ̴ Լ ϰ 鶧 ϰ ־, Ŀ ġ ݴϴ...

Ŀα ġ ִ ϳ ϴ.



ƸϿ ȵ 깰̶ ְ, ϵ ޸𸮿crc ư ű Ѱ ƴ, ̶ ý Լ ߵ Լ ý Լ ÷ Ÿ ְڽϴ.



, ̹ Լ ̰ ٴϸ, ش޶

ý Լ û ϴ ߵ , ְ

ý Ѵٸ,ӽ ȿ÷ cpu crc ų ְ ̹ ϴٰ ˷Ͱ ޸, ⱳε ٴ Դϴ.



̴ IAT ͱ ̿ ش ä ƾ մϴ.

IAT ,,õ IAT  ̶ ְ...



ٸ, ̿Ͱ ٸ չ ڵ 翬,ϸ, ٺٰ մϴ.

̹ ø ť ذǰŵ.



׵ ׷ չ ڰ , ms翡 ,ü ִ ̺귯 Ⱦ,̺귯 ϴ Ͽ Ѵٰ ϸ, Ƹ  ̴ϴ.



" ,xڵ帶 ׳ Ŀε̹ ÷ ġ ڳ? ʴ ٺ."

ο...

׷, Ե ȸ ƴ϶, ȣȯ ؼϸ,

۸ս ϴ.



̷ Լ ɾ XP닚 Ŀ Ǽڵ ļ

ȵ ̺긦 win7ķκ ̹ ø Ƴ ׷ϴ.



׷ xp닚 Ƹ, ɷ¦ ׎ɰſ.



׷ Ͱ Լ ͱ Ͽ, ٲٴ ̶ ̹ ȿ÷ ġ 뼺, ⱳ մϴ.

Ʒ , Լ ɸ Ǯ ִٴ° ش ο췹 ڵ ̿ ٴٸ 鵵 ȭ µ, װ ׳ ý Լٰ ϴ ٷ ̶ ְڽϴ.



غٸ ý Լ Ѱ ƴ,

ϳ %08X ̿ ڿ ȯ Լ 16 Ѿ,

ִ ̺귯 ý ϰԵȴٸ, ó ־ ƨ ݴϴ.

Ʒ ׳ ۸鶧 ٸ ƷͰ ũƮ

׳ ڷ ÷ڽϴ.





// Disassembly (32-bit x86, Intel operand order, Cheat Engine notation) of a small variadic wrapper in Dll1.dll
// that formats into a caller-supplied buffer. After the pushes the callee sees ([ebp+08], 0xF, [ebp+0C], &[ebp+10])
// and the caller cleans 0x10 bytes: four cdecl args, presumably vsnprintf-style (dst, count, fmt, va_list).
// It is a Debug build: the 0xCCCCCCCC frame fill and the `cmp ebp,esp` /RTC check are still present.
// NOTE(review): the count 0xF (15) is hard-coded and has no relation to the size of the destination at [ebp+08].
// If the destination is smaller than 15 bytes this overflows; if the callee is _vsnprintf and the output is
// truncated, no NUL terminator is written, so the caller has to terminate dst[14] itself. The claim that this avoids
// calling a system export only holds if Dll1.dll+16B9D is a private copy and not an import thunk -- not visible here.
push ebp
mov ebp,esp
sub esp,000000D8                           // 0xD8 bytes of locals
push ebx
push esi
push edi
lea edi,[ebp-000000D8]
mov ecx,00000036                           // 0x36 dwords = 0xD8 bytes
mov eax,CCCCCCCC
repe stosd                                 // Debug-build frame fill
mov ecx,Dll1.dll+2302D                     // presumably the /JMC flag check (__CheckForDebuggerJustMyCode)
call Dll1.dll+114F1
lea eax,[ebp+10]                           // address of the first argument after (dst, fmt): the va_list
mov [ebp-08],eax
mov eax,[ebp-08]
push eax                                   // arg4: va_list
mov ecx,[ebp+0C]
push ecx                                   // arg3: format string
push F                                     // arg2: count = 15 -- the "16-character" cut-off the author's (garbled) note refers to
mov edx,[ebp+08]
push edx                                   // arg1: destination buffer
call Dll1.dll+16B9D
add esp,10                                 // cdecl: caller pops four dword args
pop edi
pop esi
pop ebx
add esp,000000D8
cmp ebp,esp                                // /RTC: esp must be back where the frame left it
call Dll1.dll+113AC                        // presumably _RTC_CheckEsp
mov esp,ebp
pop ebp
ret



̴ پ, Ϸ ȶؼ ó 16 ش ̺귯

16̻ ڿ ð ش ڿ  о, 16ڰ Ѿ óϴ ڸ ƴ, ڿ зؼ ھƳ־ִ ݴϴ.

ü ִ Լ鵵 ׷ٸ ?



Լ ٲٸ ش Ǯ ְ.

ٸ, ý ϴ Լ ü ư ׵ ݾƿ?

ص Ŀ ư, ٸ ư ȭ .




Էϼ.





ϰ ȴٸ,




Էϼ.

̷ ýݿ ϴ Լ ִ

ٲ Ἥ ٲ ֽϴ.

̷ ý ϴ Լ Ѱ Դϴ.

ؼ Ŀ΃ ä,  Լ ϴ Ͷ

 Ŀβ ġ° ϴ.



ٵ, ƹ , ãƺ ̷ ,͸ ãƺ ϴ.

ϰŵ.

ý ϴԼ ִ Ű ̶ .



ư ձ ƴٴ 밳 ¶ ɷ¦ ,

Լ Ϻκ уġ° ,

Ȥ ش ʿ κ ν ü MS簡 ִ Լ ӵ ϴ° ϴ.

sleepde ü ִ sleepex ξ ӵ ɿ?



// Cheat Engine allocations for the three pieces of the relocated Sleep path below (sizes in CE's default hex).
alloc(sleepdefine,188)                     // 0x188 bytes: the Sleep-style forwarder stub (`sleepDefine:` below)
alloc(sleepdefine2,900)                    // 0x900 bytes: the Sleep -> SleepEx thunk
alloc(sleepdefine3,900)                    // 0x900 bytes: the copied SleepEx body
Registersymbol(sleepdefine)                // NOTE(review): only this symbol is exported to the cheat table; the label below is
                                           // spelled `sleepDefine:`. CE symbol lookup is case-insensitive as far as I know -- confirm,
                                           // or make the two spellings match. How the game's Sleep call is redirected to it is not shown.







// sleepdefine3: the body of KERNELBASE!SleepEx(dwMilliseconds=[ebp+08], bAlertable=[ebp+0C]) copied out of the
// author's KERNELBASE build into CE-allocated memory, so the call never lands on the real (hookable, CRC-checked) export.
// NOTE(review): every `sleepdefine3+XX` target is a hard byte offset copied from the original function. They line up only
// if the assembler emits exactly the original encodings (short jcc, `FF 15` indirect calls, dword `C7 45` stores); a single
// different encoding moves every later label into the middle of an instruction.
// NOTE(review): `je KERNELBASE.SleepEx+74` below jumps back into the genuine SleepEx. In the original it was a 2-byte short
// jump to the `mov [ebp-04],FFFFFFFE` at +74 of the same function; as an inter-module target it needs a 6-byte near jump,
// which shifts +8C/+96/+A4 below by four bytes (+8C then lands on the `je` itself), and the branch hands control back to the
// very export the copy was meant to avoid. Presumably it should read sleepdefine3+74 -- confirm against the original bytes.
// NOTE(review): KERNELBASE.BemFreeContract+3FE, IsNLSDefinedString+473/+C81/+4B8 and the [KERNELBASE.dll+1058/10FC/1050]
// slots are CE's "nearest export + offset" names for unexported addresses of one specific KERNELBASE build; they are not
// stable across Windows versions or updates, and the SEH frame set up here points at data inside that image.
sleepdefine3:
push 38                                    // frame size for the SEH prolog helper
push KERNELBASE.BemFreeContract+3FE        // presumably the function's SEH scope table
call KERNELBASE.IsNLSDefinedString+473     // presumably __SEH_prolog4-style frame setup
mov [ebp-48],00000024                      // 0x24-byte local struct; first field = its size
mov [ebp-44],00000001
push 07
pop ecx                                    // ecx = 7 dwords
xor eax,eax
lea edi,[ebp-40]
repe stosd                                 // zero the remaining 28 bytes of the struct
xor edi,edi                                // edi = 0 for the rest of the function
mov [ebp-1C],edi                           // status slot = 0
cmp [ebp+0C],edi                           // bAlertable == 0 ?
je sleepdefine3+39                         // yes: skip the setup call
xor edx,edx
lea ecx,[ebp-48]
call dword ptr [KERNELBASE.dll+1058]       // import slot; callee not visible here
mov [ebp-04],edi                           // +39: SEH try level = 0
push [ebp+08]                              // dwMilliseconds
lea eax,[ebp-24]
push eax                                   // &timeout (8 bytes at [ebp-24])
call KERNELBASE.IsNLSDefinedString+C81     // presumably converts milliseconds to a relative timeout; 0 = "infinite"
mov esi,eax
cmp esi,edi
jne sleepdefine3+5B                        // got a timeout pointer: use it
mov [ebp-24],edi
mov [ebp-20],80000000                      // 0x8000000000000000 = wait forever
lea esi,[ebp-24]
push esi                                   // +5B: &timeout
push [ebp+0C]                              // bAlertable
call dword ptr [KERNELBASE.dll+10FC]       // import slot; presumably NtDelayExecution(alertable, &timeout)
mov [ebp-1C],eax                           // keep the NTSTATUS
cmp [ebp+0C],edi
je KERNELBASE.SleepEx+74                   // !!! see header note: presumably meant to be sleepdefine3+74
cmp eax,00000101                           // STATUS_ALERTED
je sleepdefine3+5B                         // alertable wait interrupted by an alert: wait again
mov [ebp-04],FFFFFFFE                      // +74: leave the try block
call sleepdefine3+96                       // local cleanup helper (below)
mov eax,000000C0                           // 0xC0 = STATUS_USER_APC / WAIT_IO_COMPLETION
cmp [ebp-1C],eax
je sleepdefine3+8C                         // interrupted by an APC: return 0xC0
xor eax,eax                                // otherwise return 0
call KERNELBASE.IsNLSDefinedString+4B8     // +8C: presumably __SEH_epilog4
ret 0008                                   // stdcall, two dword args
xor edi,edi
cmp [ebp+0C],edi                           // +96: cleanup helper -- nothing to undo when bAlertable == 0
je sleepdefine3+A4
lea ecx,[ebp-48]
call dword ptr [KERNELBASE.dll+1050]       // import slot; callee not visible here
ret                                        // +A4
int 3                                      // padding copied from the original function
int 3
int 3
int 3
int 3



// sleepdefine2: Sleep(dwMilliseconds=[ebp+08]) expressed as SleepEx(dwMilliseconds, FALSE) against the copied body.
sleepdefine2:
mov edi,edi                                // 2-byte hot-patch nop, kept from the original
push ebp
mov ebp,esp
push 00                                    // bAlertable = FALSE
push [ebp+08]                              // dwMilliseconds
call sleepdefine3                          // callee pops its own 8 bytes (ret 0008)
pop ebp
ret 0004                                   // stdcall, one dword arg
int 3                                      // padding
int 3
int 3
int 3
int 3



// sleepDefine: the entry point registered as `sleepdefine` above. Same shape as a hot-patchable forwarder stub:
// an empty frame followed by a tail jump into the Sleep thunk. Nothing here shows how the game's call to Sleep is
// redirected to this address; that wiring is outside the listing.
sleepDefine:
mov edi,edi                                // hot-patch nop
push ebp
mov ebp,esp
pop ebp                                    // frame is set up and torn down with nothing in between
jmp sleepdefine2............               // tail call; the trailing dots are the post's ellipsis, not part of the instruction

mv.....





׳ Լ Դϴ.

״ Ŀδܿ ̴ Լ ϸ,

ϴ ̿ Լȣ ༺ ̿,

⿹ ƾ մϴ.



̿Ͱ Լ û ɾ ý ٲóԴ ġ° Լ ͱ ֽϴ.



Լ ̸,ٸ Լ Ʈϸ ڸ û ϴش޶ û մϴ.

׸ ش Լ, ϳ Լ û ֱ⿡,

ǻ ش Լ , ϳ ̺귯, ¿¿ŵ,̷ ó ش޶ û ϴ ܼ Լ Ͽ Լ ý Լ ٲԴ° ϴ.







մϴ.

, Ŀα Ϻκ̱ , Ǯ鼭,

Ѳ, , ̺귯, ְ Ѱ

Ͱ ̶ Ͽ ϴ.








    