-
CodeEngn Challenges : Basic 01정보보안/리버싱 2018. 2. 20. 21:27
Reverse_L01 (abex 1st)
Challenges : Basic 01 Author : abex Korean : HDD를 CD-Rom으로 인식시키기 위해서는 GetDriveTypeA의 리턴값이 무엇이 되어야 하는가 English : What value must GetDriveTypeA return in order to make the computer recognize the HDD as a CD-Rom코드엔진 Basic 1번 문제다.
00401000 >/$ 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL 00401002 |. 68 00204000 PUSH Reverse_.00402000 ; |Title = "abex' 1st crackme" 00401007 |. 68 12204000 PUSH Reverse_.00402012 ; |Text = "Make me think your HD is a CD-Rom." 0040100C |. 6A 00 PUSH 0 ; |hOwner = NULL 0040100E |. E8 4E000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA 00401013 |. 68 94204000 PUSH Reverse_.00402094 ; /RootPathName = "c:\" 00401018 |. E8 38000000 CALL <JMP.&KERNEL32.GetDriveTypeA> ; \GetDriveTypeA 0040101D |. 46 INC ESI 0040101E |. 48 DEC EAX 0040101F |. EB 00 JMP SHORT Reverse_.00401021 00401021 |> 46 INC ESI 00401022 |. 46 INC ESI 00401023 |. 48 DEC EAX 00401024 |. 3BC6 CMP EAX,ESI 00401026 |. 74 15 JE SHORT Reverse_.0040103D 00401028 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL 0040102A |. 68 35204000 PUSH Reverse_.00402035 ; |Title = "Error" 0040102F |. 68 3B204000 PUSH Reverse_.0040203B ; |Text = "Nah... This is not a CD-ROM Drive!" 00401034 |. 6A 00 PUSH 0 ; |hOwner = NULL 00401036 |. E8 26000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA 0040103B |. EB 13 JMP SHORT Reverse_.00401050 0040103D |> 6A 00 PUSH 0 ; |/Style = MB_OK|MB_APPLMODAL 0040103F |. 68 5E204000 PUSH Reverse_.0040205E ; ||Title = "YEAH!" 00401044 |. 68 64204000 PUSH Reverse_.00402064 ; ||Text = "Ok, I really think that your HD is a CD-ROM! :p" 00401049 |. 6A 00 PUSH 0 ; ||hOwner = NULL 0040104B |. E8 11000000 CALL <JMP.&USER32.MessageBoxA> ; |\MessageBoxA 00401050 \> E8 06000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess 00401055 $-FF25 50304000 JMP DWORD PTR DS:[<&KERNEL32.GetDriveTyp>; KERNEL32.GetDriveTypeA 0040105B .-FF25 54304000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>; KERNEL32.ExitProcess 00401061 $-FF25 5C304000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA디스어셈블러로 보면 엔트리 포인트(entry point)가
00401000지점이라는 것을 알 수 있다.00401013 |. 68 94204000 PUSH Reverse_.00402094 ; /RootPathName = "c:\" 00401018 |. E8 38000000 CALL <JMP.&KERNEL32.GetDriveTypeA> ; \GetDriveTypeA스택에
GetDriveTypeA()함수의 문자열 인자"c:\"를 push하면 함수의 반환값은 EAX에 저장된다.0040101D |. 46 INC ESI 0040101E |. 48 DEC EAX 0040101F |. EB 00 JMP SHORT Reverse_.00401021 00401021 |> 46 INC ESI 00401022 |. 46 INC ESI 00401023 |. 48 DEC EAX 00401024 |. 3BC6 CMP EAX,ESI 00401026 |. 74 15 JE SHORT Reverse_.0040103D 00401028 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL 0040102A |. 68 35204000 PUSH Reverse_.00402035 ; |Title = "Error" 0040102F |. 68 3B204000 PUSH Reverse_.0040203B ; |Text = "Nah... This is not a CD-ROM Drive!" 00401034 |. 6A 00 PUSH 0 ; |hOwner = NULL 00401036 |. E8 26000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA 0040103B |. EB 13 JMP SHORT Reverse_.00401050 0040103D |> 6A 00 PUSH 0 ; |/Style = MB_OK|MB_APPLMODAL 0040103F |. 68 5E204000 PUSH Reverse_.0040205E ; ||Title = "YEAH!" 00401044 |. 68 64204000 PUSH Reverse_.00402064 ; ||Text = "Ok, I really think that your HD is a CD-ROM! :p" 00401049 |. 6A 00 PUSH 0 ; ||hOwner = NULL 0040104B |. E8 11000000 CALL <JMP.&USER32.MessageBoxA> ; |\MessageBoxAESI를 3번
INC(++)하고, EAX를 2번DEC(--)하고 두 값을CMP한다.
결과가0(False)이면JE에서 분기하여Error가 출력되고, 두 값이 같아1(True)이면JZ에서 분기하여YEAH!가 출력된다.
즉YEAH!가 나오려면 아래의 식이 True가 되어야 한다.(GetDriveTypeA()의 리턴값)-2==3따라서 GetDriveTypeA()의 리턴값은
5가 되어야 한다.'정보보안 > 리버싱' 카테고리의 다른 글
리버싱 핵심원리 1 (0) 2018.02.28 리버싱 핵심원리 0 (2) 2018.02.28 CodeEngn Challenges : Basic 02 (2) 2018.02.20