Go 언어로 만들어진 바이너리다.
사용자 함수를 보면 main_main, main_print_menu, main_Login, main_id_check, main_pw_check, main_id_pw_check, main_Print_FLAG, main_init 등이 있다. (이 바이너리는 심볼이 남아 있어서 디스어셈블리에도 main.id_pw_check, runtime.stringiter2, main.ID_KEY 같은 이름이 그대로 보인다.)
여기서 중요한 부분은 Print FLAG, 와 main_id_pw_check 이다.
login을 하고 print flag를 선택하면 id_pw를 check 한 후에 id 와 pw 루틴이 해당 함수와 일치하면 플래그를 뿜는다.
최근에 Hex-Rays 디컴파일러 사용을 자제하고 어셈블리에 익숙해지려고 어셈으로만 분석을 시작했다.
사실 goversing 바이너리는 Go로 만들어져서인지 Hex-Rays 디컴파일이 제대로 되지 않아 어차피 어셈으로 분석해야 한다 ㅋㅋ.. (아래 덤프처럼 Go 런타임 호출은 인자와 반환값을 모두 [rsp], [rsp+0x8], ... 스택 슬롯으로 주고받으므로 이 점만 익숙해지면 읽을 만하다.)
[main_id_pw_check]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 | Dump of assembler code for function main.id_pw_check: 0x0000000000401b40 <+0>: mov rcx,QWORD PTR fs:0xfffffffffffffff8 0x0000000000401b49 <+9>: lea rax,[rsp-0xc0] 0x0000000000401b51 <+17>: cmp rax,QWORD PTR [rcx+0x10] 0x0000000000401b55 <+21>: jbe 0x4021f8 <main.id_pw_check+1720> 0x0000000000401b5b <+27>: sub rsp,0x140 0x0000000000401b62 <+34>: mov QWORD PTR [rsp+0x138],rbp 0x0000000000401b6a <+42>: lea rbp,[rsp+0x138] 0x0000000000401b72 <+50>: xorps xmm0,xmm0 0x0000000000401b75 <+53>: movups XMMWORD PTR [rsp+0x118],xmm0 0x0000000000401b7d <+61>: movups XMMWORD PTR [rsp+0x128],xmm0 0x0000000000401b85 <+69>: lea rax,[rsp+0x20] 0x0000000000401b8a <+74>: mov QWORD PTR [rsp+0x100],rax 0x0000000000401b92 <+82>: xor ecx,ecx 0x0000000000401b94 <+84>: mov rdx,rcx 0x0000000000401b97 <+87>: xor ebx,ebx 0x0000000000401b99 <+89>: mov 
QWORD PTR [rsp+0x98],rdx 0x0000000000401ba1 <+97>: mov QWORD PTR [rsp+0xf0],rbx 0x0000000000401ba9 <+105>: mov rsi,QWORD PTR [rsp+0x148] 0x0000000000401bb1 <+113>: mov QWORD PTR [rsp],rsi 0x0000000000401bb5 <+117>: mov rdi,QWORD PTR [rsp+0x150] 0x0000000000401bbd <+125>: mov QWORD PTR [rsp+0x8],rdi 0x0000000000401bc2 <+130>: mov QWORD PTR [rsp+0x10],rcx 0x0000000000401bc7 <+135>: call 0x43e600 <runtime.stringiter2> 0x0000000000401bcc <+140>: mov rax,QWORD PTR [rsp+0x18] 0x0000000000401bd1 <+145>: mov QWORD PTR [rsp+0xa0],rax 0x0000000000401bd9 <+153>: mov ecx,DWORD PTR [rsp+0x20] 0x0000000000401bdd <+157>: test rax,rax 0x0000000000401be0 <+160>: je 0x401d0e <main.id_pw_check+462> 0x0000000000401be6 <+166>: mov rdx,QWORD PTR [rsp+0xf0] 0x0000000000401bee <+174>: mov QWORD PTR [rsp+0x108],rdx 0x0000000000401bf6 <+182>: mov rdx,QWORD PTR [rsp+0x98] 0x0000000000401bfe <+190>: mov QWORD PTR [rsp+0x110],rdx 0x0000000000401c06 <+198>: mov DWORD PTR [rsp+0x5c],ecx 0x0000000000401c0a <+202>: mov QWORD PTR [rsp+0x118],0x0 0x0000000000401c16 <+214>: mov QWORD PTR [rsp+0x120],0x0 0x0000000000401c22 <+226>: mov QWORD PTR [rsp+0x128],0x0 0x0000000000401c2e <+238>: mov QWORD PTR [rsp+0x130],0x0 0x0000000000401c3a <+250>: lea rcx,[rip+0xa285f] # 0x4a44a0 0x0000000000401c41 <+257>: mov QWORD PTR [rsp],rcx 0x0000000000401c45 <+261>: lea rcx,[rsp+0x108] 0x0000000000401c4d <+269>: mov QWORD PTR [rsp+0x8],rcx 0x0000000000401c52 <+274>: mov QWORD PTR [rsp+0x10],0x0 0x0000000000401c5b <+283>: call 0x40c750 <runtime.convT2E> 0x0000000000401c60 <+288>: mov rax,QWORD PTR [rsp+0x20] 0x0000000000401c65 <+293>: mov rcx,QWORD PTR [rsp+0x18] 0x0000000000401c6a <+298>: mov QWORD PTR [rsp+0x118],rcx 0x0000000000401c72 <+306>: mov QWORD PTR [rsp+0x120],rax 0x0000000000401c7a <+314>: lea rax,[rip+0xa23df] # 0x4a4060 0x0000000000401c81 <+321>: mov QWORD PTR [rsp],rax 0x0000000000401c85 <+325>: lea rax,[rsp+0x5c] 0x0000000000401c8a <+330>: mov QWORD PTR [rsp+0x8],rax 0x0000000000401c8f <+335>: mov 
QWORD PTR [rsp+0x10],0x0 0x0000000000401c98 <+344>: call 0x40c750 <runtime.convT2E> 0x0000000000401c9d <+349>: mov rax,QWORD PTR [rsp+0x20] 0x0000000000401ca2 <+354>: mov rcx,QWORD PTR [rsp+0x18] 0x0000000000401ca7 <+359>: mov QWORD PTR [rsp+0x128],rcx 0x0000000000401caf <+367>: mov QWORD PTR [rsp+0x130],rax 0x0000000000401cb7 <+375>: lea rax,[rip+0xc0acd] # 0x4c278b 0x0000000000401cbe <+382>: mov QWORD PTR [rsp],rax 0x0000000000401cc2 <+386>: mov QWORD PTR [rsp+0x8],0x6 0x0000000000401ccb <+395>: lea rax,[rsp+0x118] 0x0000000000401cd3 <+403>: mov QWORD PTR [rsp+0x10],rax 0x0000000000401cd8 <+408>: mov QWORD PTR [rsp+0x18],0x2 0x0000000000401ce1 <+417>: mov QWORD PTR [rsp+0x20],0x2 0x0000000000401cea <+426>: call 0x456f30 <fmt.Sprintf> 0x0000000000401cef <+431>: mov rdx,QWORD PTR [rsp+0x30] 0x0000000000401cf4 <+436>: mov rbx,QWORD PTR [rsp+0x28] 0x0000000000401cf9 <+441>: mov rax,QWORD PTR [rsp+0x100] 0x0000000000401d01 <+449>: mov rcx,QWORD PTR [rsp+0xa0] 0x0000000000401d09 <+457>: jmp 0x401b99 <main.id_pw_check+89> 0x0000000000401d0e <+462>: lea rdi,[rsp+0xb0] 0x0000000000401d16 <+470>: lea rsi,[rip+0xccb63] # 0x4ce880 <main.statictmp_108> 0x0000000000401d1d <+477>: mov QWORD PTR [rsp-0x10],rbp 0x0000000000401d22 <+482>: lea rbp,[rsp-0x10] 0x0000000000401d27 <+487>: call 0x453924 <runtime.duffcopy+868> 0x0000000000401d2c <+492>: mov rbp,QWORD PTR [rbp+0x0] 0x0000000000401d30 <+496>: xor eax,eax 0x0000000000401d32 <+498>: lea rcx,[rsp+0x58] 0x0000000000401d37 <+503>: xor edx,edx 0x0000000000401d39 <+505>: xor ebx,ebx 0x0000000000401d3b <+507>: mov QWORD PTR [rsp+0xf8],rcx 0x0000000000401d43 <+515>: mov QWORD PTR [rsp+0x68],rdx 0x0000000000401d48 <+520>: mov QWORD PTR [rsp+0x70],rbx 0x0000000000401d4d <+525>: mov rsi,QWORD PTR [rsp+0xf0] 0x0000000000401d55 <+533>: mov QWORD PTR [rsp],rsi 0x0000000000401d59 <+537>: mov rdi,QWORD PTR [rsp+0x98] 0x0000000000401d61 <+545>: mov QWORD PTR [rsp+0x8],rdi 0x0000000000401d66 <+550>: mov QWORD PTR [rsp+0x10],rax 
0x0000000000401d6b <+555>: call 0x43e600 <runtime.stringiter2> 0x0000000000401d70 <+560>: mov rcx,QWORD PTR [rsp+0x18] 0x0000000000401d75 <+565>: mov QWORD PTR [rsp+0xa0],rcx 0x0000000000401d7d <+573>: mov rdx,QWORD PTR [rsp+0x100] 0x0000000000401d85 <+581>: movsxd rbx,DWORD PTR [rdx] 0x0000000000401d88 <+584>: test rcx,rcx 0x0000000000401d8b <+587>: je 0x401ff4 <main.id_pw_check+1204> 0x0000000000401d91 <+593>: mov QWORD PTR [rsp],0x0 0x0000000000401d99 <+601>: mov QWORD PTR [rsp+0x8],rbx 0x0000000000401d9e <+606>: call 0x43e450 <runtime.intstring> 0x0000000000401da3 <+611>: mov rax,QWORD PTR [rsp+0x18] 0x0000000000401da8 <+616>: mov rcx,QWORD PTR [rsp+0x10] 0x0000000000401dad <+621>: mov QWORD PTR [rsp],rcx 0x0000000000401db1 <+625>: mov QWORD PTR [rsp+0x8],rax 0x0000000000401db6 <+630>: call 0x46e8f0 <strconv.Atoi> 0x0000000000401dbb <+635>: mov rax,QWORD PTR [rsp+0x10] 0x0000000000401dc0 <+640>: mov QWORD PTR [rsp+0x88],rax 0x0000000000401dc8 <+648>: lea rcx,[rsp+0xb8] 0x0000000000401dd0 <+656>: mov QWORD PTR [rsp],rcx 0x0000000000401dd4 <+660>: lea rcx,[rsp+0xb0] 0x0000000000401ddc <+668>: mov QWORD PTR [rsp+0x8],rcx 0x0000000000401de1 <+673>: mov QWORD PTR [rsp+0x10],0x18 0x0000000000401dea <+682>: call 0x453be0 <runtime.memmove> 0x0000000000401def <+687>: mov rax,QWORD PTR [rsp+0x88] 0x0000000000401df7 <+695>: mov QWORD PTR [rsp+0xb0],rax 0x0000000000401dff <+703>: mov rcx,QWORD PTR [rsp+0xb8] 0x0000000000401e07 <+711>: xor rcx,rax 0x0000000000401e0a <+714>: mov rdx,QWORD PTR [rsp+0xc0] 0x0000000000401e12 <+722>: xor rcx,rdx 0x0000000000401e15 <+725>: mov rdx,QWORD PTR [rsp+0xc8] 0x0000000000401e1d <+733>: xor rcx,rdx 0x0000000000401e20 <+736>: xor rcx,0x1 0x0000000000401e24 <+740>: mov QWORD PTR [rsp],rcx 0x0000000000401e28 <+744>: call 0x473210 <strconv.Itoa> 0x0000000000401e2d <+749>: mov rax,QWORD PTR [rsp+0x10] 0x0000000000401e32 <+754>: mov QWORD PTR [rsp+0x80],rax 0x0000000000401e3a <+762>: mov rcx,QWORD PTR [rsp+0x8] 0x0000000000401e3f <+767>: mov 
QWORD PTR [rsp+0xe8],rcx 0x0000000000401e47 <+775>: mov rdx,QWORD PTR [rsp+0xb0] 0x0000000000401e4f <+783>: mov rbx,QWORD PTR [rsp+0xb8] 0x0000000000401e57 <+791>: xor rdx,rbx 0x0000000000401e5a <+794>: mov rbx,QWORD PTR [rsp+0xc8] 0x0000000000401e62 <+802>: xor rdx,rbx 0x0000000000401e65 <+805>: xor rdx,0x1 0x0000000000401e69 <+809>: mov QWORD PTR [rsp],rdx 0x0000000000401e6d <+813>: call 0x473210 <strconv.Itoa> 0x0000000000401e72 <+818>: mov rax,QWORD PTR [rsp+0x10] 0x0000000000401e77 <+823>: mov QWORD PTR [rsp+0x78],rax 0x0000000000401e7c <+828>: mov rcx,QWORD PTR [rsp+0x8] 0x0000000000401e81 <+833>: mov QWORD PTR [rsp+0xe0],rcx 0x0000000000401e89 <+841>: mov rdx,QWORD PTR [rsp+0x88] 0x0000000000401e91 <+849>: xor rdx,0x1 0x0000000000401e95 <+853>: mov QWORD PTR [rsp],rdx 0x0000000000401e99 <+857>: call 0x473210 <strconv.Itoa> 0x0000000000401e9e <+862>: mov rax,QWORD PTR [rsp+0x8] 0x0000000000401ea3 <+867>: mov rcx,QWORD PTR [rsp+0x10] 0x0000000000401ea8 <+872>: mov QWORD PTR [rsp],0x0 0x0000000000401eb0 <+880>: lea rdx,[rip+0xc0542] # 0x4c23f9 0x0000000000401eb7 <+887>: mov QWORD PTR [rsp+0x8],rdx 0x0000000000401ebc <+892>: mov QWORD PTR [rsp+0x10],0x1 0x0000000000401ec5 <+901>: mov QWORD PTR [rsp+0x18],rax 0x0000000000401eca <+906>: mov QWORD PTR [rsp+0x20],rcx 0x0000000000401ecf <+911>: mov rax,QWORD PTR [rsp+0xe8] 0x0000000000401ed7 <+919>: mov QWORD PTR [rsp+0x28],rax 0x0000000000401edc <+924>: mov rax,QWORD PTR [rsp+0x80] 0x0000000000401ee4 <+932>: mov QWORD PTR [rsp+0x30],rax 0x0000000000401ee9 <+937>: mov rax,QWORD PTR [rsp+0xe0] 0x0000000000401ef1 <+945>: mov QWORD PTR [rsp+0x38],rax 0x0000000000401ef6 <+950>: mov rax,QWORD PTR [rsp+0x78] 0x0000000000401efb <+955>: mov QWORD PTR [rsp+0x40],rax 0x0000000000401f00 <+960>: call 0x43dcf0 <runtime.concatstring4> 0x0000000000401f05 <+965>: mov rax,QWORD PTR [rsp+0x50] 0x0000000000401f0a <+970>: mov QWORD PTR [rsp+0x60],rax 0x0000000000401f0f <+975>: mov rcx,QWORD PTR [rsp+0x48] 0x0000000000401f14 <+980>: mov 
QWORD PTR [rsp+0xd0],rcx 0x0000000000401f1c <+988>: mov rdx,QWORD PTR [rsp+0x68] 0x0000000000401f21 <+993>: lea rbx,[rdx+0x1] 0x0000000000401f25 <+997>: mov rsi,QWORD PTR [rsp+0x70] 0x0000000000401f2a <+1002>: cmp rbx,rsi 0x0000000000401f2d <+1005>: jg 0x401f9e <main.id_pw_check+1118> 0x0000000000401f2f <+1007>: mov rdi,QWORD PTR [rsp+0xf8] 0x0000000000401f37 <+1015>: mov QWORD PTR [rsp+0xd8],rdi 0x0000000000401f3f <+1023>: mov QWORD PTR [rsp+0x68],rbx 0x0000000000401f44 <+1028>: mov QWORD PTR [rsp+0x70],rsi 0x0000000000401f49 <+1033>: shl rdx,0x4 0x0000000000401f4d <+1037>: mov QWORD PTR [rdi+rdx*1+0x8],rax 0x0000000000401f52 <+1042>: lea rax,[rdi+rdx*1] 0x0000000000401f56 <+1046>: mov r8d,DWORD PTR [rip+0x148013] # 0x549f70 <runtime.writeBarrier> 0x0000000000401f5d <+1053>: test r8b,r8b 0x0000000000401f60 <+1056>: jne 0x401f7c <main.id_pw_check+1084> 0x0000000000401f62 <+1058>: mov QWORD PTR [rdi+rdx*1],rcx 0x0000000000401f66 <+1062>: mov rax,QWORD PTR [rsp+0xa0] 0x0000000000401f6e <+1070>: mov rcx,rdi 0x0000000000401f71 <+1073>: mov rdx,rbx 0x0000000000401f74 <+1076>: mov rbx,rsi 0x0000000000401f77 <+1079>: jmp 0x401d3b <main.id_pw_check+507> 0x0000000000401f7c <+1084>: mov QWORD PTR [rsp],rax 0x0000000000401f80 <+1088>: mov QWORD PTR [rsp+0x8],rcx 0x0000000000401f85 <+1093>: call 0x40fe50 <runtime.writebarrierptr> 0x0000000000401f8a <+1098>: mov rbx,QWORD PTR [rsp+0x68] 0x0000000000401f8f <+1103>: mov rsi,QWORD PTR [rsp+0x70] 0x0000000000401f94 <+1108>: mov rdi,QWORD PTR [rsp+0xd8] 0x0000000000401f9c <+1116>: jmp 0x401f66 <main.id_pw_check+1062> 0x0000000000401f9e <+1118>: lea rdi,[rip+0xa24fb] # 0x4a44a0 0x0000000000401fa5 <+1125>: mov QWORD PTR [rsp],rdi 0x0000000000401fa9 <+1129>: mov rdi,QWORD PTR [rsp+0xf8] 0x0000000000401fb1 <+1137>: mov QWORD PTR [rsp+0x8],rdi 0x0000000000401fb6 <+1142>: mov QWORD PTR [rsp+0x10],rdx 0x0000000000401fbb <+1147>: mov QWORD PTR [rsp+0x18],rsi 0x0000000000401fc0 <+1152>: mov QWORD PTR [rsp+0x20],rbx 0x0000000000401fc5 
<+1157>: call 0x439ec0 <runtime.growslice> 0x0000000000401fca <+1162>: mov rdi,QWORD PTR [rsp+0x28] 0x0000000000401fcf <+1167>: mov r8,QWORD PTR [rsp+0x30] 0x0000000000401fd4 <+1172>: mov rsi,QWORD PTR [rsp+0x38] 0x0000000000401fd9 <+1177>: lea rbx,[r8+0x1] 0x0000000000401fdd <+1181>: mov rax,QWORD PTR [rsp+0x60] 0x0000000000401fe2 <+1186>: mov rcx,QWORD PTR [rsp+0xd0] 0x0000000000401fea <+1194>: mov rdx,QWORD PTR [rsp+0x68] 0x0000000000401fef <+1199>: jmp 0x401f37 <main.id_pw_check+1015> 0x0000000000401ff4 <+1204>: xor eax,eax 0x0000000000401ff6 <+1206>: xor ecx,ecx 0x0000000000401ff8 <+1208>: mov QWORD PTR [rsp+0x90],rax 0x0000000000402000 <+1216>: mov QWORD PTR [rsp+0xa8],rcx 0x0000000000402008 <+1224>: mov rdx,QWORD PTR [rsp+0x68] 0x000000000040200d <+1229>: cmp rax,rdx 0x0000000000402010 <+1232>: jge 0x4021ed <main.id_pw_check+1709> 0x0000000000402016 <+1238>: mov rbx,rax 0x0000000000402019 <+1241>: shl rax,0x4 0x000000000040201d <+1245>: mov rsi,QWORD PTR [rsp+0xf8] 0x0000000000402025 <+1253>: mov rdi,QWORD PTR [rsi+rax*1+0x8] 0x000000000040202a <+1258>: mov rax,QWORD PTR [rsi+rax*1] 0x000000000040202e <+1262>: mov QWORD PTR [rsp],rax 0x0000000000402032 <+1266>: mov QWORD PTR [rsp+0x8],rdi 0x0000000000402037 <+1271>: mov QWORD PTR [rsp+0x10],0x2 0x0000000000402040 <+1280>: mov QWORD PTR [rsp+0x18],0x20 0x0000000000402049 <+1289>: call 0x46e290 <strconv.ParseInt> 0x000000000040204e <+1294>: mov rcx,QWORD PTR [rsp+0x20] 0x0000000000402053 <+1299>: mov rdx,QWORD PTR [rip+0x127fee] # 0x52a048 <main.ID_KEY+8> 0x000000000040205a <+1306>: mov rbx,QWORD PTR [rip+0x127fdf] # 0x52a040 <main.ID_KEY> 0x0000000000402061 <+1313>: lea rsi,[rdx-0x1] 0x0000000000402065 <+1317>: mov rdi,QWORD PTR [rsp+0x90] 0x000000000040206d <+1325>: cmp rdi,rsi 0x0000000000402070 <+1328>: jg 0x4020a6 <main.id_pw_check+1382> 0x0000000000402072 <+1330>: cmp rdi,rdx 0x0000000000402075 <+1333>: jae 0x40209f <main.id_pw_check+1375> 0x0000000000402077 <+1335>: movzx edx,BYTE PTR [rbx+rdi*1] 
0x000000000040207b <+1339>: cmp dl,cl 0x000000000040207d <+1341>: je 0x402095 <main.id_pw_check+1365> 0x000000000040207f <+1343>: mov rax,0xffffffffffffffff 0x0000000000402086 <+1350>: lea rdx,[rdi+0x1] 0x000000000040208a <+1354>: mov rcx,rax 0x000000000040208d <+1357>: mov rax,rdx 0x0000000000402090 <+1360>: jmp 0x401ff8 <main.id_pw_check+1208> 0x0000000000402095 <+1365>: mov rax,QWORD PTR [rsp+0xa8] 0x000000000040209d <+1373>: jmp 0x402086 <main.id_pw_check+1350> 0x000000000040209f <+1375>: call 0x426350 <runtime.panicindex> 0x00000000004020a4 <+1380>: ud2 0x00000000004020a6 <+1382>: mov rax,0xffffffffffffffff 0x00000000004020ad <+1389>: mov rcx,QWORD PTR [rip+0x127f94] # 0x52a048 <main.ID_KEY+8> 0x00000000004020b4 <+1396>: cmp rdi,rcx 0x00000000004020b7 <+1399>: je 0x4020c0 <main.id_pw_check+1408> 0x00000000004020b9 <+1401>: mov rax,0xffffffffffffffff 0x00000000004020c0 <+1408>: mov rcx,QWORD PTR [rsp+0x158] 0x00000000004020c8 <+1416>: mov rdx,QWORD PTR [rsp+0x160] 0x00000000004020d0 <+1424>: mov rbx,QWORD PTR [rsp+0x150] 0x00000000004020d8 <+1432>: mov rsi,QWORD PTR [rsp+0x148] 0x00000000004020e0 <+1440>: xor edi,edi 0x00000000004020e2 <+1442>: mov QWORD PTR [rsp+0xa8],rax 0x00000000004020ea <+1450>: cmp rdi,rdx 0x00000000004020ed <+1453>: jge 0x402173 <main.id_pw_check+1587> 0x00000000004020f3 <+1459>: mov r8,QWORD PTR [rip+0x127f6e] # 0x52a068 <main.PW_KEY+8> 0x00000000004020fa <+1466>: mov r9,QWORD PTR [rip+0x127f5f] # 0x52a060 <main.PW_KEY> 0x0000000000402101 <+1473>: lea r10,[r8-0x1] 0x0000000000402105 <+1477>: cmp rdi,r10 0x0000000000402108 <+1480>: jg 0x4021e4 <main.id_pw_check+1700> 0x000000000040210e <+1486>: movzx r10d,BYTE PTR [rcx+rdi*1] 0x0000000000402113 <+1491>: test rbx,rbx 0x0000000000402116 <+1494>: je 0x4021dd <main.id_pw_check+1693> 0x000000000040211c <+1500>: mov rax,rdi 0x000000000040211f <+1503>: cmp rbx,0xffffffffffffffff 0x0000000000402123 <+1507>: je 0x4021d5 <main.id_pw_check+1685> 0x0000000000402129 <+1513>: cqo 0x000000000040212b 
<+1515>: idiv rbx 0x000000000040212e <+1518>: cmp rdx,rbx 0x0000000000402131 <+1521>: jae 0x4021ce <main.id_pw_check+1678> 0x0000000000402137 <+1527>: movzx edx,BYTE PTR [rsi+rdx*1] 0x000000000040213b <+1531>: xor rdx,r10 0x000000000040213e <+1534>: cmp rdi,r8 0x0000000000402141 <+1537>: jae 0x4021ce <main.id_pw_check+1678> 0x0000000000402147 <+1543>: movzx r8d,BYTE PTR [r9+rdi*1] 0x000000000040214c <+1548>: cmp dl,r8b 0x000000000040214f <+1551>: je 0x4021c4 <main.id_pw_check+1668> 0x0000000000402151 <+1553>: mov rax,0xffffffffffffffff 0x0000000000402158 <+1560>: inc rdi 0x000000000040215b <+1563>: mov r8,QWORD PTR [rsp+0x160] 0x0000000000402163 <+1571>: mov rdx,r8 0x0000000000402166 <+1574>: mov QWORD PTR [rsp+0xa8],rax 0x000000000040216e <+1582>: cmp rdi,rdx 0x0000000000402171 <+1585>: jl 0x4020f3 <main.id_pw_check+1459> 0x0000000000402173 <+1587>: mov rcx,QWORD PTR [rip+0x127eee] # 0x52a068 <main.PW_KEY+8> 0x000000000040217a <+1594>: cmp rdi,rcx 0x000000000040217d <+1597>: je 0x402186 <main.id_pw_check+1606> 0x000000000040217f <+1599>: mov rax,0xffffffffffffffff 0x0000000000402186 <+1606>: cmp rax,0xffffffffffffffff 0x000000000040218a <+1610>: jne 0x4021a8 <main.id_pw_check+1640> 0x000000000040218c <+1612>: mov QWORD PTR [rsp+0x168],0x0 0x0000000000402198 <+1624>: mov rbp,QWORD PTR [rsp+0x138] 0x00000000004021a0 <+1632>: add rsp,0x140 0x00000000004021a7 <+1639>: ret 0x00000000004021a8 <+1640>: mov QWORD PTR [rsp+0x168],0x1 0x00000000004021b4 <+1652>: mov rbp,QWORD PTR [rsp+0x138] 0x00000000004021bc <+1660>: add rsp,0x140 0x00000000004021c3 <+1667>: ret 0x00000000004021c4 <+1668>: mov rax,QWORD PTR [rsp+0xa8] 0x00000000004021cc <+1676>: jmp 0x402158 <main.id_pw_check+1560> 0x00000000004021ce <+1678>: call 0x426350 <runtime.panicindex> 0x00000000004021d3 <+1683>: ud2 0x00000000004021d5 <+1685>: xor rdx,rdx 0x00000000004021d8 <+1688>: jmp 0x40212e <main.id_pw_check+1518> 0x00000000004021dd <+1693>: call 0x426450 <runtime.panicdivide> 0x00000000004021e2 <+1698>: ud2 
0x00000000004021e4 <+1700>: mov rax,0xffffffffffffffff 0x00000000004021eb <+1707>: jmp 0x402173 <main.id_pw_check+1587> 0x00000000004021ed <+1709>: mov rdi,rax 0x00000000004021f0 <+1712>: mov rax,rcx 0x00000000004021f3 <+1715>: jmp 0x4020ad <main.id_pw_check+1389> 0x00000000004021f8 <+1720>: call 0x450af0 <runtime.morestack_noctxt> 0x00000000004021fd <+1725>: jmp 0x401b40 <main.id_pw_check> | cs |
위 코드가 하는 일을 간단하게 요약해보면
1. Login에서 입력한 id, pw를 Print_FLAG 선택 시 main_id_pw_check가 검사한다
2. id의 각 문자를 8비트 2진수 문자열로 바꿔 이어 붙인다 (fmt.Sprintf, 길이 6짜리 포맷 문자열이라 "%s%08b"로 추정)
3. 그 비트열을 한 비트씩 돌면서 현재 비트와 직전 3비트를 xor한 세 값 a1, a2, a3를 만들고 "0"+a3+a1+a2 문자열로 이어 붙인 뒤(concatstring4), 각각을 2진수로 파싱(strconv.ParseInt, base 2)해 id_key의 바이트와 하나씩 비교한다. 슬라이딩 윈도우의 초기값은 main.statictmp_108에서 복사되는데, 아래 의사코드는 이를 0으로 가정했다.
4. pw의 각 바이트를 id[i % len(id)]와 xor하여 pw_key와 비교한다 (id 길이가 0이면 idiv 직전에 runtime.panicdivide로 패닉)
5. 3,4번에서 하나라도 틀리거나 길이가 맞지 않으면(check 개수 ≠ len(id_key), 즉 id가 8글자가 아니거나 len(pw) ≠ len(pw_key)) 내부 플래그를 -1(0xffffffffffffffff)로 세팅하고, 함수는 이 플래그가 -1이면 0, 아니면 1을 반환한다 — 즉 반환값 자체는 0/1이지 0xffffffff가 아니다.
이제 의사코드 짜고 풀면된다.
[의사코드]
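# Python model of main.id_pw_check (see the disassembly above).
# Written to run under both Python 2 and Python 3.

id_key = [7, 0, 4, 5, 4, 7, 7, 0, 4, 2, 0, 6, 6, 3, 4, 5, 4, 0, 3, 6, 1, 0, 6, 1, 7, 2, 0, 6, 1, 7, 5, 3, 4, 2, 0, 6, 1, 0, 1, 5, 6, 3, 4, 5, 4, 7, 7, 7, 7, 0, 4, 5, 4, 0, 3, 1, 5, 6, 3, 3, 6, 6, 4, 7]
pw_key = [0x12, 0x56, 0x2e, 0x1B, 0x5C, 0x34, 0x6A, 0x5D, 0x73, 0x29, 0x0F, 0x5B, 0x1C, 0x67, 0x34, 0x6F, 0x11, 0x50, 0x1E, 0x3A, 0x19, 0x70, 0x35, 0x54, 0x3F, 0x45, 0x2D, 0x47, 0x2E]

try:
    _read_line = raw_input  # Python 2
except NameError:           # Python 3
    _read_line = input


def id_to_checks(id_str):
    """Mirror the first two loops of main.id_pw_check.

    The binary first builds fmt.Sprintf(<6-char format, presumably "%s%08b">,
    acc, rune) for every rune of the id, i.e. the id as one bit string.  It
    then walks that bit string with a window of the current bit b and the
    three previous bits (p1, p2, p3) and, per bit, builds the string
    "0" + a3 + a1 + a2 (runtime.concatstring4) where

        a1 = b ^ p1 ^ p2 ^ p3 ^ 1
        a2 = b ^ p1 ^ p3 ^ 1
        a3 = b ^ 1

    Each string is later parsed with strconv.ParseInt(s, 2, 32), so every
    entry is an int in 0..7; this function returns those ints directly.
    The window's initial contents are copied from main.statictmp_108, which
    the write-up assumes to be zeros -- TODO confirm by dumping that symbol.

    Returns a list with 8 ints per character of id_str.
    """
    bits = [0, 0, 0]  # assumed initial window (see docstring)
    checks = []
    for ch in id_str:
        for digit in format(ord(ch), '08b'):
            b = int(digit)
            p1, p2, p3 = bits[-1], bits[-2], bits[-3]
            a1 = b ^ p1 ^ p2 ^ p3 ^ 1
            a2 = b ^ p1 ^ p3 ^ 1
            a3 = b ^ 1
            checks.append((a3 << 2) | (a1 << 1) | a2)  # == int("0"+a3+a1+a2, 2)
            bits.append(b)
    return checks


def id_pw_check(id_str, pw):
    """Return True iff the binary's main.id_pw_check would return 1.

    Mirrors both comparison loops, including the length rules the original
    pseudocode left out: the number of check values must equal len(id_key)
    (so the id must be exactly 8 characters) and len(pw) must equal
    len(pw_key); any other length fails instead of raising IndexError.
    pw[i] is compared against pw_key[i] ^ id[i % len(id)].  For an empty id
    the binary panics (runtime.panicdivide on idiv by len(id)); here it
    simply fails.
    """
    if not id_str:
        return False
    if id_to_checks(id_str) != list(id_key):
        return False
    if len(pw) != len(pw_key):
        return False
    n = len(id_str)
    for i, k in enumerate(pw_key):
        if ord(id_str[i % n]) ^ ord(pw[i]) != k:
            return False
    return True


if __name__ == '__main__':
    user_id = _read_line('input id : ')
    user_pw = _read_line('input pw : ')
    if id_pw_check(user_id, user_pw):
        print('correct')
    else:
        print('wrong')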
[Solve]
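# Solver for main.id_pw_check: recovers the id one character at a time from
# id_key, then derives the pw from pw_key.  Runs under Python 2 and 3.

id_key = [7, 0, 4, 5, 4, 7, 7, 0, 4, 2, 0, 6, 6, 3, 4, 5, 4, 0, 3, 6, 1, 0, 6, 1, 7, 2, 0, 6, 1, 7, 5, 3, 4, 2, 0, 6, 1, 0, 1, 5, 6, 3, 4, 5, 4, 7, 7, 7, 7, 0, 4, 5, 4, 0, 3, 1, 5, 6, 3, 3, 6, 6, 4, 7]
pw_key = [0x12, 0x56, 0x2e, 0x1B, 0x5C, 0x34, 0x6A, 0x5D, 0x73, 0x29, 0x0F, 0x5B, 0x1C, 0x67, 0x34, 0x6F, 0x11, 0x50, 0x1E, 0x3A, 0x19, 0x70, 0x35, 0x54, 0x3F, 0x45, 0x2D, 0x47, 0x2E]


def id_to_checks(id_chars):
    """Transform an id the way main.id_pw_check does before comparing with id_key.

    Every character is expanded to 8 bits; for each bit b, with the three
    previous bits p1, p2, p3 (three implicit leading zeros, as assumed in the
    pseudocode above), the binary emits int("0" + a3 + a1 + a2, 2) where
    a1 = b^p1^p2^p3^1, a2 = b^p1^p3^1, a3 = b^1.

    Returns a list with 8 ints (0..7) per character.
    """
    bits = [0, 0, 0]
    checks = []
    for ch in id_chars:
        for digit in format(ord(ch), '08b'):
            b = int(digit)
            a1 = b ^ bits[-1] ^ bits[-2] ^ bits[-3] ^ 1
            a2 = b ^ bits[-1] ^ bits[-3] ^ 1
            a3 = b ^ 1
            checks.append((a3 << 2) | (a1 << 1) | a2)
            bits.append(b)
    return checks


def recover_id(id_key, lo=32, hi=127):
    """Brute-force the id one character at a time.

    Each check value depends only on the current bit and the three bits
    before it, so the 8 check values of character k are fixed once
    characters 0..k are known; a byte-at-a-time search is therefore exact.
    Candidates are tried in range(lo, hi) (printable ASCII by default).

    Returns the recovered id as a str.  Raises ValueError if len(id_key) is
    not a multiple of 8 or some position has no candidate -- the original
    script silently kept the last candidate tried and printed a wrong id.
    """
    if len(id_key) % 8:
        raise ValueError('len(id_key) must be a multiple of 8')
    recovered = ''
    for pos in range(len(id_key) // 8):
        want = list(id_key[8 * pos:8 * pos + 8])
        for cand in range(lo, hi):
            trial = recovered + chr(cand)
            # Earlier positions are already known to match; compare only the
            # 8 values produced by the candidate character.
            if id_to_checks(trial)[8 * pos:] == want:
                recovered = trial
                break
        else:
            raise ValueError('no candidate for id[%d] in range(%d, %d)' % (pos, lo, hi))
    return recovered


def recover_pw(pw_key, id_str):
    """Invert the pw check: the binary requires pw[i] ^ id[i % len(id)] == pw_key[i]."""
    n = len(id_str)
    return ''.join(chr(k ^ ord(id_str[i % n])) for i, k in enumerate(pw_key))


if __name__ == '__main__':
    ID = recover_id(id_key)
    print('id : ' + ID)
    print('pw : ' + recover_pw(pw_key, ID))
    #id : Admin@G0
    #pw : S2Cr2t-m2Mb2r's_P4sSw0rd~!@.@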